Re: [Full-disclosure] Bank of the West security contact?

2014-03-18 Thread Jeffrey Walton
On Mon, Mar 17, 2014 at 12:37 PM, Jeffrey Walton  wrote:
> On Mon, Mar 17, 2014 at 12:15 PM, Kristian Erik Hermansen
>  wrote:
>> Just wanted to post a follow-up to this and provide some context to
>> make it known:
>>
>> * Bank of the West was contacted in 2011 to report a security issue
>>
>> * No response for 2 years
>>
>> * In late 2013, I receive a breach notification saying my own
>> sensitive personal information was compromised via the EXACT SAME
>> ISSUES I REPORTED. I also am led to believe employee information was
>> compromised, which may include Social Security Number (SSN) details.
>>
>> Conclusions?
>>
>> * Bank of the West has NO WORKING SECURITY REPORTING MECHANISM for
>> outside researchers and NO BUG BOUNTY PROGRAM
>>
>> * Bank of the West does not seem to take security and privacy
>> seriously enough, as far as I can tell
>>
>> You should know this if you are an existing or potential customer /
>> employee of Bank of the West...
> The risk equations favor "do nothing". It's cost effective to simply
> pursue profits and not spend money on data security.
>
> If (when) they are breached, it only costs them the cost of a
> notification. In the US, that's the cost of bulk mail [0]. 46 states,
> DC, and Territories have Data Breach laws, and nearly none (none?)
> have any useful provisions for damages. [1]
>
> You can't recover for your time lost or services like credit
> monitoring. Every class action gets tossed out [2]. I've never seen one
> go to court, and I've been watching them for years.
I might just stand corrected here (if it withstands appeal):

http://www.slyck.com/story2351_Data_Breach_Settlement_Class_Action_Lawsuit_Wins_Appeal_in_Court:

With so many recent data breaches and lacking security measures in
place, we know that there are likely to be many more lawsuits
forthcoming. However, in what’s believed to be a first win for a class
action lawsuit as a result of a data breach where none of the
plaintiffs suffered identity theft or direct losses, AvMed, a
Florida-based health insurer, lost its case in court to the tune of a
$3 million settlement agreement. On February 21, 2014, a federal judge
in the Southern District of Florida approved an Order granting motion
for final approval of a Class Action Settlement Agreement, and filed a
motion for attorneys' fees and expenses, as well as for incentive
awards.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Bank of the West security contact?

2014-03-17 Thread Jeffrey Walton
On Mon, Mar 17, 2014 at 12:15 PM, Kristian Erik Hermansen
 wrote:
> Just wanted to post a follow-up to this and provide some context to
> make it known:
>
> * Bank of the West was contacted in 2011 to report a security issue
>
> * No response for 2 years
>
> * In late 2013, I receive a breach notification saying my own
> sensitive personal information was compromised via the EXACT SAME
> ISSUES I REPORTED. I also am led to believe employee information was
> compromised, which may include Social Security Number (SSN) details.
>
> Conclusions?
>
> * Bank of the West has NO WORKING SECURITY REPORTING MECHANISM for
> outside researchers and NO BUG BOUNTY PROGRAM
>
> * Bank of the West does not seem to take security and privacy
> seriously enough, as far as I can tell
>
> You should know this if you are an existing or potential customer /
> employee of Bank of the West...
The risk equations favor "do nothing". It's cost effective to simply
pursue profits and not spend money on data security.

If (when) they are breached, it only costs them the cost of a
notification. In the US, that's the cost of bulk mail [0]. 46 states,
DC, and Territories have Data Breach laws, and nearly none (none?)
have any useful provisions for damages. [1]

You can't recover for your time lost or services like credit
monitoring. Every class action gets tossed out [2]. I've never seen one
go to court, and I've been watching them for years.

In the US, the risk equations must be unbalanced (or swayed in favor
of the consumer, who is the ultimate victim). That will take a policy
change. However, that likely won't happen as long as corporate America
and special interests purchase and trade politicians like sports
trading cards.

(I've been watching data breaches and responses for years because I
got burned somehow and it cost me over 10K to fix in the 1990s. I
never got a notification. I found out after I got sued for unpaid
bills and the collection agencies contacted me).

Jeff

[0] http://pe.usps.com/businessmail101/rates/welcome.htm
[1] State Security Breach Notification Laws,
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
[2] Once Again, Clapper Defeats Data Breach Class Action,
http://www.mondaq.com/unitedstates/x/294324/Data+Protection+Privacy/Once+Again+Clapper+Defeats+Data+Breach+Class+Action


Re: [Full-disclosure] Fwd: Re: Bank of the West security contact?

2014-02-09 Thread Jeffrey Walton
On Sun, Feb 9, 2014 at 5:34 PM, Justin Ferguson  wrote:
> For the record folks, this is the level that Booz Allen et al and the RCMP are
> at as a failed entrapment attempt.
Surely you can do better than that...

> On Feb 9, 2014 11:53 AM,  wrote:
>>
>> Justin - I think we're all pretty tired of your lack of maturity.  There's
>> a reason why you're no longer at IOActive, and I think it's about time
>> everyone knew the real you.  Doing a Google search on you turned up quite a
>> bit of interesting information, including this dox on you by the people you
>> burned a few years back when you were trying to become a member of Anonymous
>> with all your conspiracy theories:
>>
>> http://dumpz.org/218006/text/
>>
>> Oh, and I think we will all get a kick out of your photos:
>> http://s1306.photobucket.com/user/doxingtheidiots/library/
>>


Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Jeffrey Walton
On Sat, Feb 8, 2014 at 11:32 AM, Daniel Wood  wrote:
> Keep this list professional guys. I hate seeing it turn into an IRC chat room.
>
> Justin, you should really stop this type of behavior, you're not doing 
> yourself any favors. I let it go when you decided you wanted to repeatedly 
> bash me privately over one of my CVEs posted here, however I can see it's 
> starting to look like a pattern for you.
>
http://www.collegehumor.com/video/5817726/internet-bridge-troll

Jeff


Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Jeffrey Walton
On Sat, Feb 8, 2014 at 7:17 AM, Justin Ferguson  wrote:
>> That's not what I said when you were trolling offline. You could cite
>> it if you'd like.
>
> It's cool, I actually didn't click reply-all for a reason. You elected
> to go for group consensus, old one.
I thought it was selfish keeping your cornucopia of knowledge to
myself. Hence the reason I suggested Kristian engage you.

Jeff

> On Sat, Feb 8, 2014 at 7:14 AM, Jeffrey Walton  wrote:
>> On Sat, Feb 8, 2014 at 7:11 AM, Justin Ferguson  wrote:
>>>> ...
>>>> You'll have to forgive me. I'm a slow learner at times.
>>>
>>> probably because, per you, you don't read webpages due to evil ToS' ..
>> That's not what I said when you were trolling offline. You could cite
>> it if you'd like.


Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Jeffrey Walton
On Sat, Feb 8, 2014 at 7:11 AM, Justin Ferguson  wrote:
>> ...
>> You'll have to forgive me. I'm a slow learner at times.
>
> probably because, per you, you don't read webpages due to evil ToS' ..
That's not what I said when you were trolling offline. You could cite
it if you'd like.

Jeff


Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Jeffrey Walton
On Sat, Feb 8, 2014 at 7:05 AM, Justin Ferguson  wrote:
>> Google does not allow you to search for the '@' symbol.
>
> funny, there is a marked difference between when you search for
> "domain.com" and "@domain.com", one of which is that it includes a lot
> of email addresses. Google is even so kind as to link in common email
> address distortions.
>
> Try before you speak please, turbo.
Oh, got it. Google's policies and rules don't apply to you. Silly me.

You'll have to forgive me. I'm a slow learner at times.

Jeff


Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Jeffrey Walton
On Sat, Feb 8, 2014 at 6:05 AM, Justin Ferguson  wrote:
> Well, not to be outdone by the RFC parroting and amazing whois. If you
> google "@bankofthewest.com" ...
Google does not allow you to search for the '@' symbol.
https://productforums.google.com/forum/#!topic/websearch/Dj-lKNCKK8o.

That's why there are email harvesters out there.

Perhaps you were using the amphora symbol, or you meant "bankofthewest.com".

Jeff


Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Jeffrey Walton
On Sat, Feb 8, 2014 at 6:05 AM, Justin Ferguson  wrote:
> Well, not to be outdone by the RFC parroting and amazing whois. If you
> google "@bankofthewest.com" or "(at)bankofthewest(dot)com" you'll pull
> a bazillion email addresses that you can spam. Alternatively
> c...@bankofthewest.com c...@bankofthewest.com or
> kirsten.ga...@bankofthewest.com or duke.da...@bankofthewest.com as
> firstname.lastn...@bankofthwest.com is the apparent format.
>
> That said, unlike turbo here, I recognize you're looking for confirmed
> contacts, and I don't have any there. He thought you possibly didn't
> know how to whois, I suggested to him that he could also look up their
> CSR number in the phone book, because perhaps you didn't know how to
> do that either; of course, American banks don't actually get that +1
> is a country code.. so, yeah.
You should also provide some of that crack legal advice, too.

Jeff

> On Sat, Feb 8, 2014 at 5:45 AM, Jeffrey Walton  wrote:
>> On Sat, Feb 8, 2014 at 12:27 AM, Kristian Erik Hermansen
>>  wrote:
>>> Anyone have security contact at Bank of the West?
>>
>> You might also try reaching out to Justin Ferguson. The impression I
>> got is he is masterful at infosec; and he can probably put you in
>> touch with someone in about 3 degrees - perhaps even 1 (that beats the
>> snot out of six degrees for other famous people).
>>


Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Jeffrey Walton
On Sat, Feb 8, 2014 at 12:27 AM, Kristian Erik Hermansen
 wrote:
> Anyone have security contact at Bank of the West?

You might also try reaching out to Justin Ferguson. The impression I
got is he is masterful at infosec; and he can probably put you in
touch with someone in about 3 degrees - perhaps even 1 (that beats the
snot out of six degrees for other famous people).

Jeff


Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Jeffrey Walton
RFC 2142 offers a number of well known mailboxes that should be
monitored. Try secure@, security@, and support@.

WHOIS offers technical and administrative contacts.

$ whois bankofthewest.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: BANKOFTHEWEST.COM
   Registrar: NETWORK SOLUTIONS, LLC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com/en_US/
   Name Server: A1.VERISIGNDNS.COM
   Name Server: A2.VERISIGNDNS.COM
   Name Server: A3.VERISIGNDNS.COM
   Name Server: DNS1.BANKOFTHEWEST.COM
   Name Server: DNS2.BANKOFTHEWEST.COM
   Name Server: DNS3.BANKOFTHEWEST.COM
   Name Server: DNS4.BANKOFTHEWEST.COM
   Status: clientTransferProhibited
   Updated Date: 13-jul-2013
   Creation Date: 23-jan-1996
   Expiration Date: 24-jan-2020

>>> Last update of whois database: Sat, 08 Feb 2014 09:19:03 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to ...

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Domain Name: BANKOFTHEWEST.COM
Registry Domain ID:
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://www.networksolutions.com/en_US/
Updated Date: 2011-01-04T00:00:00Z
Creation Date: 1996-01-23T00:00:00Z
Registrar Registration Expiration Date: 2020-01-25T00:00:00Z
Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
Registrar Abuse Contact Email: ab...@web.com
Registrar Abuse Contact Phone: 800-333-7680
Reseller:
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: the West, Bank of
Registrant Organization: Bank of the West / William Scanlin
Registrant Street: 2527 Camino Ramon
Registrant City: San Ramon
Registrant State/Province: CA
Registrant Postal Code: 94583
Registrant Country: US
Registrant Phone: (925) 843-2358
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: regist...@bankofthewest.com
Registry Admin ID:
Admin Name: the West, Bank of
Admin Organization: Bank of the West / William Scanlin
Admin Street: 2527 Camino Ramon
Admin City: San Ramon
Admin State/Province: CA
Admin Postal Code: 94583
Admin Country: US
Admin Phone: (925) 843-2358
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: regist...@bankofthewest.com
Registry Tech ID:
Tech Name: the West, Bank of
Tech Organization: Bank of the West / William Scanlin
Tech Street: 2527 Camino Ramon
Tech City: San Ramon
Tech State/Province: CA
Tech Postal Code: 94583
Tech Country: US
Tech Phone: (925) 843-2358
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: regist...@bankofthewest.com
Name Server: DNS1.BANKOFTHEWEST.COM
Name Server: DNS2.BANKOFTHEWEST.COM
Name Server: DNS3.BANKOFTHEWEST.COM
Name Server: DNS4.BANKOFTHEWEST.COM
Name Server: A1.VERISIGNDNS.COM
Name Server: A2.VERISIGNDNS.COM
Name Server: A3.VERISIGNDNS.COM
DNSSEC: not signed
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of whois database: Sat, 08 Feb 2014 09:19:03 UTC <<<

The data in Networksolutions.com's WHOIS database ...

On Sat, Feb 8, 2014 at 12:27 AM, Kristian Erik Hermansen
 wrote:
> Anyone have security contact at Bank of the West?
> --
> Kristian Erik Hermansen
> https://www.linkedin.com/in/kristianhermansen
> https://profiles.google.com/kristian.hermansen
>


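The two lookups in the message above, combined into one script (an added example, not part of the original post): build the RFC 2142 role addresses for the domain, then pull the contact fields out of a WHOIS record in the registrar layout printed above. The WHOIS text embedded in the script is a constructed sample; its domain, organisation, phone numbers and addresses are invented. Two things worth knowing when using it: secure@ is not an RFC 2142 mailbox (SECURITY@, ABUSE@ and SUPPORT@ are), and the "Registrar Abuse Contact" belongs to the registrar, whose desk handles domain abuse rather than the registrant's application bugs, so the script lists it last.

```python
import re
from typing import Dict, List, Tuple

# RFC 2142 role mailboxes a registrant is expected to monitor. SECURITY@ and
# ABUSE@ are the ones the RFC reserves for security and misuse reports; SUPPORT@
# is its customer-support mailbox. "secure@" is NOT an RFC 2142 name; it is
# included only because the post above suggests trying it.
ROLE_MAILBOXES = ("security", "abuse", "secure", "support")

# Constructed sample in the registrar-record layout printed above. Domain,
# organisation, phone numbers and addresses are invented for this example.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-BANK.COM
Registrar WHOIS Server: whois.example-registrar.test
Registrar: EXAMPLE REGISTRAR, LLC.
Registrar Abuse Contact Email: abuse@example-registrar.test
Registrar Abuse Contact Phone: 800-555-0100
Reseller:
Domain Status: clientTransferProhibited
Registrant Organization: Example Bank / J. Doe
Registrant Phone: (925) 555-0101
Registrant Email: domains@example-bank.com
Admin Organization: Example Bank / J. Doe
Admin Phone: (925) 555-0101
Admin Email: domains@example-bank.com
Tech Organization: Example Bank / J. Doe
Tech Phone: (925) 555-0102
Tech Email: hostmaster@example-bank.com
Name Server: DNS1.EXAMPLE-BANK.COM
Name Server: DNS2.EXAMPLE-BANK.COM
DNSSEC: not signed
"""

# "Key: value"; the lazy key match stops at the first colon, and a value is
# required so lines such as "Reseller:" are skipped.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z /]*?):\s*(?P<value>\S.*?)\s*$")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Parse 'Key: value' lines into a dict. Repeated keys (Name Server) keep
    every value; keys with an empty value (Reseller:) are dropped."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group("key"), []).append(m.group("value"))
    return fields


# Order matters: the registrant's own contacts first, the registrar's abuse desk
# last. That desk handles domain abuse (phishing, hijack), not the registrant's
# application bugs, so it is a fallback rather than a security contact.
CONTACT_ROLES: List[Tuple[str, str, str]] = [
    ("Admin", "Admin Email", "Admin Phone"),
    ("Tech", "Tech Email", "Tech Phone"),
    ("Registrant", "Registrant Email", "Registrant Phone"),
    ("Registrar Abuse Contact", "Registrar Abuse Contact Email", "Registrar Abuse Contact Phone"),
]


def whois_contacts(fields: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """(role, email, phone) for each contact role present in the record."""
    out = []
    for role, ekey, pkey in CONTACT_ROLES:
        email = fields.get(ekey, [""])[0]
        phone = fields.get(pkey, [""])[0]
        if email or phone:
            out.append((role, email, phone))
    return out


def rfc2142_addresses(domain: str) -> List[str]:
    return [f"{box}@{domain}" for box in ROLE_MAILBOXES]


def report_targets(domain: str, whois_text: str) -> List[str]:
    """Ordered, de-duplicated addresses to try for a vulnerability report:
    RFC 2142 role mailboxes, then the WHOIS contacts in CONTACT_ROLES order."""
    seen = set()
    targets = []
    whois_emails = [email for _, email, _ in whois_contacts(parse_whois(whois_text)) if email]
    for addr in rfc2142_addresses(domain) + whois_emails:
        addr = addr.lower()
        if addr not in seen:
            seen.add(addr)
            targets.append(addr)
    return targets


if __name__ == "__main__":
    for addr in report_targets("example-bank.com", SAMPLE_WHOIS):
        print(addr)
```

Feed it the output of `whois <domain>` in place of the sample. The role mailboxes come first because a registrant is expected to monitor them by convention; the WHOIS admin and tech addresses are often a generic domains@ or hostmaster@ mailbox, which is why the same address is de-duplicated rather than listed twice.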
Re: [Full-disclosure] EE BrightBox router hacked - bares all if you ask nicely

2014-01-16 Thread Jeffrey Walton
On Wed, Jan 15, 2014 at 3:28 PM, Scott Helme  wrote:
> The BrightBox router is the standard equipment issued by UK ISP Everything
> Everywhere (EE) to its subscribers.
>
> The device not only leaks sensitive data but is remotely exploitable too. An
> attacker even has the ability to take control of your account as the router
> leaks your ISP account credentials.
>
> You can read the full article here:
> https://scotthelme.co.uk/ee-brightbox-router-hacked/
To add insult to injury, they are probably using a hard-coded public
key pair, and it's probably in the littleblackbox
(http://code.google.com/p/littleblackbox/).


Re: [Full-disclosure] EE BrightBox router hacked - bares all if you ask nicely

2014-01-16 Thread Jeffrey Walton
On Thu, Jan 16, 2014 at 12:44 PM,   wrote:
> On Thu, 16 Jan 2014 11:30:18 +, Dan Ballance said:
>
>> So your point is that there should be legislation to require companies to
>> adhere to certain security standards? I'd support that - particularly in an
>> ISP market which is clearly defined by national boundaries and law.
>
> OK.. What standard do you want to hoist as a legal mandate?
No standards are needed. Attach a nominal dollar amount to the data.
That will unbalance the risk equations and the industry will act on
its own.

For example, if it takes 2 hours to reset all your passwords
(password reuse is rampant), then allow a consumer to recover $250 for
their time. If PII is lost allow them damages of 7 years of credit
reporting (about $150) plus actual damages from any loss.

Hell, I had to overnight a credit card last summer while on business
that was cancelled due to a breach. That cost me $75.00. Perhaps
triple damages are in order, too.

> Bonus points for finding a standard that provides enough *actual* security
> that it is worth doing...
+1

> ... but yet won't bankrupt the industry.
Computing is a privilege, not a right.

Should Sony continue to be allowed to compute when they suffered at
least 50 incidents, including dataloss
(http://attrition.org/security/rants/sony_aka_sownage.html)? Hell,
Sony suffered 7 different incidents in one month
(http://www.thetechherald.com/article.php/201121/7185/Seven-security-incidents-in-two-months-Sony-s-nightmare-grows).

How much time and aggravation have they caused to institutions and consumers?

That's driving drunk on the information superhighway.

Jeff


Re: [Full-disclosure] Where are you guys standing re: the (full) disclosure

2013-12-13 Thread Jeffrey Walton
On Fri, Dec 13, 2013 at 12:28 PM, Gary Baribault  wrote:
> Rather harsh don't you think? I'm all for OSS but I have expenses and
> need to make money. Yes M$ makes money, but I think they're ethical just
> as much as any other company .. is IBM ethical? Is HP ethical? Is Dell
> (the company) ethical? They all are to some degree.
Try Apple. They withhold security updates until the press release for
their latest iOS version. See, for example, the hundreds of fixes in
https://lists.apple.com/archives/security-announce/2012/Sep/msg3.html.

At least Microsoft patches on a regular basis.

Jeff


Re: [Full-disclosure] Seems like Coinbase Security Team doesn't know how their cookie works

2013-11-30 Thread Jeffrey Walton
> While I don't see the point of saving the csrf token in a cookie I must say
> that in every fucking programming book it is written that tokens should
> be regenerated after logins.
>
> Or maybe I am just crazy or there are some other factors I did not
> consider?
Cookies don't completely remediate Injections and CSRF (as you can see).

You really only have two defenses: fix the injection or
re-authenticate the user during high value transactions. For the
latter, challenge them with their password to ensure they initiated the
transaction.

Jeff

On Fri, Nov 29, 2013 at 11:24 AM,   wrote:
> During last summer I wrote them a report with the following content. I was
> not expecting a reward because my PoC could work only in Man In The Middle
> scenarios and only under certain circumstances, but at least I was expecting
> a good reply and a fix.
> Here is what I wrote them
>
>> Hi,
>> I do not know if this type of vulnerability may qualify for your bug
>> bounty but it's in some way exploitable and it was funny to think on.
>> Firstly please excuse me if I'm not so clear as you may hope because
>> English is not my native language.
>
>
>> This proof of concept works in a scenario where a malicious attacker can
>> perform a man in the middle attack on the victim (like a public hotspot, a
>> university network etc.).
>> Here is an example of attack:
>>
>> 1) Attacker visits coinbase.com and grabs a normal session cookie
>> (_coinbase_session), which is base64 encoded and contains both a
>> 'session_id' and a '_csrf_token' value.
>>
>> 2) Attacker starts a webserver on localhost which sets the cookie grabbed
>> before for the coinbase.com domain.
>>
>> 3) Attacker starts DNS poisoning through ARP spoofing on the victim, pointing
>> coinbase.com to his own box.
>>
>> 4) Attacker starts a code injection through ARP spoofing and injects a
>> hidden iframe that points to coinbase.com, which now resolves to his box.
>>
>> 5) The victim visits any random non-SSL website and the _coinbase_session
>> is set by the attacker.
>>
>> 6) As soon as the victim visits a non-SSL website at least one time the
>> attacker stops DNS spoofing and points coinbase.com to its original server.
>>
>> 7) The victim logs in (or logs in again if he was previously logged in).
>>
>> 8) The attacker can now inject perfectly crafted POST or GET requests
>> using the csrf_token he previously set for the victim.
>>
>> 9) As soon as the victim visits a random non-SSL website and is still
>> logged in, the attacker can perform the actions he wants on his account.
>>
>> The advantage is a sort of 'SSL bypass' since the user in theory has no
>> way to defend against or notice this attack.
>>
>> I know and understand that it is really tricky to do but I worked on this and
>> at least I wanted to share it :)
>>
>> A simple fix would just be to regenerate the csrf_token once the user
>> logs in but I'm sure you'll find a better way.
>
>
> The only thing that I didn't mention here is that they have an HSTS policy
> so this may have worked only with users who haven't visited coinbase with the
> browser they're using before.
>
> I got this response
>
>> Thank you for the disclosure, we appreciate it.
>>
>> I have only looked at it briefly by now but doesn't the secure flag on the
>> session cookie prevent from leaking the csrf token or any injection at
>> all.
>>
>> kind regards,
>> [removed]
>
>
>
> and replied with
>
>> Hi,
>> I think that's not true.
>> Actually the point is that we are impersonating the domain in order to set
>> an already known _coinbase_session.
>> It is possible to set a cookie with the 'secure' flag through HTTP while as you
>> said it is obviously not possible to read it, but since we're defining it we
>> already know it.
>>
>> I hope it is more clear now.
>> Thank you.
>
>
>
> They replied
>>
>> interesting.
>>
> and how would you get around the browser's cert warning if you mitm arp/dns
> spoof the domain?
>
>
>
> Replies:
>
>> Writing a script that detects when the user starts browsing a non-SSL
>> website and when it returns true it starts DNS spoofing and injecting the
>> iframe which loads http://coinbase.com, which sets the cookie. As soon as
>> the user loads the iframe at least one time the DNS poisoning stops and the
>> user shouldn't notice anything.
>> I'm actually writing a tool to automate this process because most sites
>> seem vulnerable.
>> So yes, if the victim browses only coinbase.com and does nothing else before
>> login or before signing out this doesn't work but I think in most cases
>> this won't happen.
>
>
>
> Their reply
>
>> so what you are really saying is that the csrf token is shared among the
>> secure and non-secure cookie our app sets. because if the user browses
>> coinbase.com (http) it would not net the same cookie with the secure
>> flag like it does when you get redirected to https
>
>
>
> Actually I did not completely understand that statement, probably because of
> my English, anyway I replied with
>
>> Normally a session fixation consist
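
The fixation the report above describes, and the two fixes this reply and the report mention (rotate the session and its CSRF token at login; re-authenticate for the transaction), reduced to a runnable model. This is an added example, not Coinbase's code: the App class, cookie layout, endpoints and the user "alice" are constructed stand-ins, and the MITM/ARP/DNS steps are collapsed into "the victim's browser now holds the attacker's cookie".

```python
import base64
import hmac
import json
import secrets

# Constructed stand-in for the application in the report: one cookie carrying
# both session_id and _csrf_token, base64-encoded. Not Coinbase's code.
COOKIE_NAME = "_session"
USERS = {"alice": "correct horse battery"}   # invented credentials


class App:
    def __init__(self, rotate_on_login: bool, reauth_for_transfer: bool):
        self.rotate_on_login = rotate_on_login          # fix 1: the report's suggestion
        self.reauth_for_transfer = reauth_for_transfer  # fix 2: the reply's suggestion
        self.sessions = {}   # session_id -> {"user": str | None, "csrf": str}
        self.transfers = []

    def _new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None, "csrf": secrets.token_hex(16)}
        return sid

    def _cookie(self, sid: str) -> str:
        payload = {"session_id": sid, "_csrf_token": self.sessions[sid]["csrf"]}
        return base64.b64encode(json.dumps(payload).encode()).decode()

    def _sid(self, cookie):
        """Session id from the cookie, or None if unknown. The CSRF token is
        checked against the server-side record; a cookie-store session would
        check the cookie's own copy, with the same outcome, because the
        attacker planted a valid one."""
        if not cookie:
            return None
        sid = json.loads(base64.b64decode(cookie)).get("session_id")
        return sid if sid in self.sessions else None

    def get_index(self, cookie=None) -> str:
        """GET /: reuse the presented session or start an anonymous one."""
        sid = self._sid(cookie) or self._new_session()
        return self._cookie(sid)

    def post_login(self, cookie, user, password):
        """POST /login: returns the cookie the browser holds afterwards, or None."""
        sid = self._sid(cookie)
        if sid is None or not hmac.compare_digest(USERS.get(user, ""), password):
            return None
        if self.rotate_on_login:
            # Discard the pre-authentication session entirely: new id, new token.
            del self.sessions[sid]
            sid = self._new_session()
        self.sessions[sid]["user"] = user
        return self._cookie(sid)

    def post_transfer(self, cookie, form: dict) -> str:
        """POST /transfer: state-changing, CSRF-checked, optionally re-authenticated."""
        sid = self._sid(cookie)
        if sid is None or self.sessions[sid]["user"] is None:
            return "401 not logged in"
        if not hmac.compare_digest(self.sessions[sid]["csrf"], form.get("csrf", "")):
            return "403 bad csrf token"
        user = self.sessions[sid]["user"]
        if self.reauth_for_transfer and not hmac.compare_digest(USERS[user], form.get("password", "")):
            return "403 re-authentication required"
        self.transfers.append((user, form["to"], form["amount"]))
        return "200 ok"


def csrf_from_cookie(cookie: str) -> str:
    return json.loads(base64.b64decode(cookie))["_csrf_token"]


def run_fixation_attack(rotate_on_login: bool, reauth_for_transfer: bool):
    """Steps 1-9 of the report with the network parts abstracted away.
    Returns (response to the forged transfer, number of transfers executed)."""
    app = App(rotate_on_login, reauth_for_transfer)
    # 1) attacker fetches an anonymous session cookie from the real site
    planted = app.get_index()
    planted_csrf = csrf_from_cookie(planted)
    # 2-6) MITM: the victim's browser now holds that cookie for the site.
    # Secure/HttpOnly do not matter here: the attacker never reads the cookie.
    victim_cookie = planted
    # 7) the victim logs in while carrying the planted cookie
    victim_cookie = app.post_login(victim_cookie, "alice", USERS["alice"])
    # 8-9) an injected page submits a form; the browser attaches whatever
    # cookie it holds now, the attacker controls only the form fields
    forged = {"to": "attacker", "amount": 5, "csrf": planted_csrf}
    return app.post_transfer(victim_cookie, forged), len(app.transfers)


def run_legitimate_transfer(rotate_on_login: bool, reauth_for_transfer: bool) -> str:
    """The real user's flow must still work under both fixes."""
    app = App(rotate_on_login, reauth_for_transfer)
    cookie = app.post_login(app.get_index(), "alice", USERS["alice"])
    form = {"to": "bob", "amount": 5, "csrf": csrf_from_cookie(cookie), "password": USERS["alice"]}
    return app.post_transfer(cookie, form)


if __name__ == "__main__":
    for rotate in (False, True):
        for reauth in (False, True):
            print(f"rotate={rotate} reauth={reauth}:", run_fixation_attack(rotate, reauth))
```

Only when the session is left unrotated and no re-authentication is demanded does the forged transfer go through; the Secure and HttpOnly attributes never enter into it, because the attacker plants the cookie rather than reading it. One caveat on the "set a secure cookie over HTTP" point in the exchange: Chrome 52 and Firefox 52 and later refuse to set a cookie carrying the Secure attribute from an http:// origin, which closes that particular planting route, but the fixation itself is a server-side defect and is fixed only by rotating the session at login.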

Re: [Full-disclosure] iCloud and privacy...last word

2013-11-28 Thread Jeffrey Walton
And don't forget Apple's own lawyers tell us it can't be trusted:

A layman’s analysis of License Agreements and Terms and Conditions
reveals how little security is afforded to your documents in cloud
storage and backup to the cloud. For those who don’t read them, one
popular platform has 142 separate documents covering Terms of
Conditions for its cloud alone.[1] The documents discuss your rights
if the company (1) gives away your data, (2) shares your data with
partners, (3) loses your data, (4) provides your data to authorities
(sometimes without an order or warrant), (5) does not provide
reasonable skill or care, (6) commits willful misconduct or fraud, and
(7) acts with negligence or gross negligence. “Your rights” is
misleading since it is consent, and the document effectively states
you indemnify the company: “You agree to defend, indemnify and hold
Apple, its affiliates, subsidiaries, directors, officers, employees,
agents, partners, contractors, and licensors harmless from any claim
or demand, including reasonable attorneys’ fees, made by a third
party.”[2]

[1] iCloud Terms and Conditions,
https://www.apple.com/legal/internet-services/icloud/ww/

[2] iCLOUD TERMS AND CONDITIONS,
https://www.apple.com/legal/internet-services/icloud/en/terms.html

On Thu, Nov 28, 2013 at 8:21 AM,   wrote:
> Apple Discussions has a large portion of people dead set on making sure
> everyone knows that iCloud data is different than your "other" data.  I
> disagree...follow your data:
>
> http://www.apple.com/privacy
> "Here are some examples of the types of personal information Apple may
> collect and how we may use it."
>
> What:
> "we may collect a variety of information, including your name, mailing
> address, phone number, email address, contact preferences, and credit card
> information."
> "When you share your content with family and friends using Apple products,
> send gift certificates and products, or invite others to join you on Apple
> forums, Apple may collect the information you provide about those people
> such as name, mailing address, email address, and phone number."
>
> So...my info and any info about friends...gotcha.
>
> How they use/share:
> "It also helps us to improve our services, content, and advertising."
> "You may be asked to provide your personal information anytime you are in
> contact with Apple or an Apple affiliated company. Apple and its affiliates
> may share this personal information with each other and use it consistent
> with this Privacy Policy. They may also combine it with other information to
> provide and improve our products, services, content, and advertising."
>
> iCloud:
> http://support.apple.com/kb/HT4865
>
> the Pièce de résistance:
> "This article explains how iCloud keeps your personal information and data
> secure. In addition to this article, you should also review Apple’s Privacy
> Policy, which covers iCloud."
>
> Yea, last word on this...use iCloud, share your stuff with Apple and their
> affiliates...and done!
>


Re: [Full-disclosure] Another Apple Security Failure (Apple Mail on the iPhone)....

2013-11-14 Thread Jeffrey Walton
On Fri, Nov 15, 2013 at 12:23 AM, Caspian Kilkelly
 wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> What version of IOS was this? I'm looking into something similar on
> other apple platforms, but it doesn't seem consistently repeatable.
iOS 7.0.3 (11B511) on a iPhone 4 (MD146LL/A).

Jeff

> On 13-11-11 6:41 PM, Jeffrey Walton wrote:
>> My iPhone does not store sensitive information. It's a phone and music
>> player only. (I'm not sure it could save sensitive information if I
>> needed it, as the following demonstrates).
>>
>> About 6 weeks ago, a colleague was having trouble adding an email
>> account to his iPhone and sending email. I allowed him to add his
>> account to my iPhone for testing. After testing, we deleted the
>> account.
>>
>> My colleague was having trouble with Apple iPhone mail again this
>> week. This time, I added my account to the phone. I used my account
>> because he's remote and I don't want his password. Note: we use the
>> same incoming and outgoing email servers.
>>
>> After running the setup wizard, my outgoing server was populated with
>> his email credentials - both username and password.
>>
>> So much for deleting that username and password about 6 weeks ago.


[Full-disclosure] Another Apple Security Failure (Apple Mail on the iPhone)....

2013-11-11 Thread Jeffrey Walton
My iPhone does not store sensitive information. It's a phone and music
player only. (I'm not sure it could save sensitive information if I
needed it, as the following demonstrates).

About 6 weeks ago, a colleague was having trouble adding an email
account to his iPhone and sending email. I allowed him to add his
account to my iPhone for testing. After testing, we deleted the
account.

My colleague was having trouble with Apple iPhone mail again this
week. This time, I added my account to the phone. I used my account
because he's remote and I don't want his password. Note: we use the
same incoming and outgoing email servers.

After running the setup wizard, my outgoing server was populated with
his email credentials - both username and password.

So much for deleting that username and password about 6 weeks ago.


Re: [Full-disclosure] Cloud Questions

2013-11-09 Thread Jeffrey Walton
On Sat, Nov 9, 2013 at 9:51 AM,   wrote:
> On 11/09/2013 at 7:32 AM, "David Miller"  wrote:
>
> I’ve been lurking here for some months now and have seen plenty of
> vulnerabilities go by for applications, and the occasional OS level exploit.
>
> I don’t think I’ve seen a single post about cloud security.
>
> Is ‘the cloud’, AWS in particular, believed to be secure? Is it simply not
> targeted? Or would it be covered by some other list? Inquiring minds are,
> uh, inquiring.
>
>
> TIA,
>
> — David
>
> There is no such thing as "cloud security" (to me at least).  Companies may
> transfer/store encrypted, but if the NSA/law enforcement ask for it, they
> give it up.  That's not secure to me...that's more "data held hostage
> (iCloud anyone?)".
I think you are right in that "good" bad guys (law enforcement) and "bad"
bad guys (cyber-criminals) attack the node. In this case, the node is
the cloud provider.

But it also depends on what the data is. I have no faith in CloudHSM,
HighCloud or other low level machinery. That's the unattended key
storage problem, and it's a problem without a solution. Plus, the data
becomes available as soon as the VM is powered on.

Objects in storage (Amazon S3 or OpenStack Swift) can be encrypted
using standard crypto methods with minimal risk. The encryption
function will act like a PRP, and the cipher text will be
indistinguishable from random.

Minimal risk would include leaking the origin (LE probably has that
through the account) and leaking file size (unless specific measures
are taken). If the owner of the document wants anonymity, they should
probably use a Tor hidden service.

Other higher level services, like SaaS and DaaS, probably won't fare
so well. Those tokenization schemes used for database field encryption
by CipherCloud do not live up to expectations. It probably wanders
near false/misleading and fraud, and the FTC should investigate some
of their claims (unless CipherCloud have a homomorphic encryption
system that no one knows about). As a matter of fact, when an informal
security analysis was performed and posted to StackExchange,
CipherCloud issued a DRM takedown!
https://www.google.com/search?q=ciphercloud+drm+takedown.

Jeff


Re: [Full-disclosure] Cloud Questions

2013-11-09 Thread Jeffrey Walton
> The first problem is TCO. Cloud services are easy to set up (both as a
> vendor and as a user), and have little to no "hard" start-up costs.
> (costs that initially are billed as startup costs, before the service
> payments start).
Also see http://www.gossamer-threads.com/lists/openstack/dev/32772,
where some are considering charging you for the I/O to securely delete
a VM!

Jeff

On Sat, Nov 9, 2013 at 9:50 AM, Yvan Janssens  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Hello,
>
> I will split my answer in two parts, as they represent both views I
> regularly experience. They aren't all related to security.
>
> The first problem is TCO. Cloud services are easy to set up (both as a
> vendor and as a user), and have little to no "hard" start-up costs.
> (costs that initially are billed as startup costs, before the service
> payments start). This results in decisions which aren't really thought
> through thoroughly in a lot of cases, resulting in poor setups both by
> the vendor and by the end-user/customer. Being able to ship fast also
> means that you can make mistakes fast - several providers have been
> caught in the past while I was using them on blatant mistakes.
>
> Another problem is that you trust a service to a third party provider,
> which has full access to the data. I know, there are ways to prevent
> this/make this difficult, but in the end it will not be feasible on
> the long term to employ such techniques. Targeted attacks will always
> succeed, but are easier on cloud services in my opinion. Support
> services are useful sources for social engineering (check some of the
> last cases of DNS hijacking), since they are used to handle requests
> for all customers, and not only internal employees.
>
> The other problem is that you share a physical computer with someone
> you don't know and cannot trust. Information leakage techniques have
> been discovered [1] and it wouldn't be the first time that someone
> finds a clever way to break out of the VM. [2]
>
> It is also more feasible to DoS your application if the physical
> hardware is shared with others if they aren't trustworthy. Most
> providers monitor extensive resource usage, but try a cheap one, put a
> VM on full RAM capacity, disk I/O requests and CPU usage and see how
> long it takes to get a notice to ask you to inspect the machine.
>
> There is also a huge thing to tell about stuff which used to be
> conspiracy theories about surveillance, but this is out of scope for
> this response to avoid indulging trolling. In my opinion cloud
> services are good for a temporary burst of CPU resources, not to
> store data, and not to be used permanently nor as a SPOF. I sometimes
> use cloud services to launch a build of a large source tree, and then
> dispose of the machine, but I would never put ownCloud on it to store PGP
> private keys without a password or my credit card numbers and bank PINs.



Re: [Full-disclosure] Cloud Questions

2013-11-09 Thread Jeffrey Walton
On Fri, Nov 8, 2013 at 9:08 AM, David Miller  wrote:
> ...
> I don’t think I’ve seen a single post about cloud security.
>
> Is ‘the cloud’, AWS in particular, believed to be secure?  Is it simply not 
> targeted?
>
Stallman has a term for it: Careless Computing.
http://techcrunch.com/2010/12/14/stallman-cloud-computing-careless-computing/.

> Or would it be covered by some other list?  Inquiring minds are, uh, 
> inquiring.
The only list I've seen so far is OpenStack's security list.
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security.

From what I've seen, cloud security seems to have three broad tracks
(in addition to all the secure coding and HTML app stuff). First is
low-level security that acts on block devices, like Amazon's CloudHSM
and others who focus on VM security. Second is high level security that
attempts to secure databases (table fields) and object stores (Amazon
S3 and OpenStack Swift), like CipherCloud and Armor-Cloud. And third is
identity management, like the federated and single sign-on
integrations.

Jeff


Re: [Full-disclosure] Mavericks...less then a bargin?

2013-10-28 Thread Jeffrey Walton
On Mon, Oct 28, 2013 at 4:49 PM, Joel Esler  wrote:
> Obviously they expect you to surrender the info in the sake of simplicity
> and usefulness.
>
> They swear they can't read your stuff:
> http://www.apple.com/apples-commitment-to-customer-privacy/
:)

Their own legal department tells us they are not trustworthy. Who do
we believe: their legal department, or their press release?

Jeff


> On Oct 28, 2013, at 03:30 PM, PuNkErX w  wrote:
>
> I usually lurk the list but here's my take on it.  Using iCloud to sync
> everything is stupid if you care about privacy.  Unless you don't mind all
> your info (especially now that you can sync the keychain) being out
> there.
>
> As an old Apple "fanboy" I'm disgusted but not surprised with the direction
> they went.  That's why I got out of the Apple work when 10.7 dropped.
>
> I host an old macbook with 10.6 server that has iCal and address book
> services to sync stuff between 10.9 laptop, 10.6 laptop, iphone and ipad.
> It works for what I need but obviously it isn't for everyone.
>
> I'm looking at other alternatives for all in one type deals but it seems
> every "cloud" service pretty much sells your info in one shape way or form.
>
> So you don't need to use iCloud at all but it appears you will need a third
> party server to sync stuff.  Yet another step back asswards for the
> industry.
>
>
>
>
>
> On Oct 28, 2013, at 10:43, silence_is_b...@hushmail.com wrote:
>
> The functionality of syncing contacts/calendar is MISSING in
> iTunes...gone...poof...Casper...out of luck...plug in your iDevice on the
> latest, then check it out...you can sync photos and music, but nothing
> else...it's a bad scene.
>
> On Monday, October 28, 2013 at 8:34 AM, "Joel Esler" 
> wrote:
>
> What happens when you refuse to sign up for iCloud?
>
> 
>
> --
> Joel Esler
>
>
> On Oct 28, 2013, at 08:09 AM, silence_is_b...@hushmail.com wrote:
>
> A warning (disclosure) to you Apple people...if you're planning to sync
> your shiny iDevice with Mavericks, you will be FORCED to use iCloud (syncing
> from your iDevice to your iPuter is now gone).  I suspect this is one of the
> reasons why Mavericks was a "free" upgrade.  Apple probably figured the $40
> they'd get from the sale of the OS is less than what they'd get with having
> your calendar and your contacts within easy reach.  Per their policy:
>
> What personal information we collect
>
> When you create an Apple ID, register your products, apply for commercial
> credit, purchase a product, download a software update, register for a class
> at an Apple Retail Store, or participate in an online survey, we may collect
> a variety of information, including your name, mailing address, phone
> number, email address, contact preferences, and credit card information.
>
> When you share your content with family and friends using Apple products,
> send gift certificates and products, or invite others to join you on Apple
> forums, Apple may collect the information you provide about those people
> such as name, mailing address, email address, and phone number.
>
>
> How we use your personal information
>
> The personal information we collect allows us to keep you posted on Apple’s
> latest product announcements, software updates, and upcoming events. It also
> helps us to improve our services, content, and advertising.
>
>
> Nice not to have choices ;)

Re: [Full-disclosure] Mavericks...less then a bargin?

2013-10-28 Thread Jeffrey Walton
> A warning (disclosure) to you Apple people
Perhaps even better for the government spooks is the keychain:
http://blogs.computerworld.com/mobile-security/23030/apple-gets-pat-back-mavericks-icloud-keychain.
As Gutmann said, if it was MS, then headlines would be screaming
"Microsoft steals user's passwords".

> How we use your personal information
> ..
> How we use your personal information
It gets even better - you did not even touch upon misuse. For those
who have not read Apple's obscene Terms of Service, here's from a paper
decrying use of cloud services:

A layman’s analysis of License Agreements and Terms and Conditions
reveals how little security is afforded to your documents in cloud
storage and backup to the cloud. For those who don’t read them, one
popular platform has 142 separate documents covering Terms of
Conditions for its cloud alone.[1]  The documents discuss your rights
if the company (1) gives away your data, (2) shares your data with
partners, (3) loses your data, (4) provides your data to authorities
(sometimes without an order or warrant), (5) does not provide
reasonable skill or care, (6) commits willful misconduct or fraud, and
(7) acts with negligence or gross negligence. “Your rights” is
misleading since it is consent, and the document effectively states
you indemnify the company: “You agree to defend, indemnify and hold
[company], its affiliates, subsidiaries, directors, officers,
employees, agents, partners, contractors, and licensors harmless from
any claim or demand, including reasonable attorneys’ fees, made by a
third party.” [2]

[1] iCloud Terms and Conditions,
https://www.apple.com/legal/internet-services/icloud/ww/
[2] iCLOUD TERMS AND CONDITIONS,
https://www.apple.com/legal/internet-services/icloud/en/terms.html


On Mon, Oct 28, 2013 at 8:09 AM,   wrote:
> A warning (disclosure) to you Apple people...if you're planning to sync
> your shiny iDevice with Mavericks, you will be FORCED to use iCloud (syncing
> from your iDevice to your iPuter is now gone).  I suspect this is one of the
> reasons why Mavericks was a "free" upgrade.  Apple probably figured the $40
> they'd get from the sale of the OS is less than what they'd get with having
> your calendar and your contacts within easy reach.  Per their policy:
>
> What personal information we collect
>
> When you create an Apple ID, register your products, apply for commercial
> credit, purchase a product, download a software update, register for a class
> at an Apple Retail Store, or participate in an online survey, we may collect
> a variety of information, including your name, mailing address, phone
> number, email address, contact preferences, and credit card information.
>
> When you share your content with family and friends using Apple products,
> send gift certificates and products, or invite others to join you on Apple
> forums, Apple may collect the information you provide about those people
> such as name, mailing address, email address, and phone number.
>
> How we use your personal information
>
> The personal information we collect allows us to keep you posted on Apple’s
> latest product announcements, software updates, and upcoming events. It also
> helps us to improve our services, content, and advertising.
>
> Nice not to have choices ;)


Re: [Full-disclosure] Slightly OT: What SSL cert do you consider strongest?

2013-10-24 Thread Jeffrey Walton
On Wed, Oct 23, 2013 at 11:59 AM, Fabian Wenk  wrote:
>
> There are steps you could do to protect your customers in the future, as the
> use of such services from the client side is not fully supported yet. Sign
> your DNS zone with DNSSEC and add the corresponding entries to your
> upstream TLD. But the clients (e.g. customers' computers) also need to use
> and check DNSSEC when resolving (this also depends on the upstream name
> server, e.g. from your ISP). And then also add DANE [1] entries into your
> DNS zone for the hostnames which provide SSL or TLS services.
Utilizing DNS just moves the key distribution problem around. Instead
of trusting a CA you're now trusting DNS. In either case, you're still
likely trusting someone (CA or DNS) external to your organization.

Dr. Bernstein has a good time with DNSSEC in his talks. See, for
example, Cryptography Worst Practices,
http://secappdev.org/lectures/144. The entire talk is good, but his
DNSSEC bashing occurs around 14:40 (min:sec).

Jeff



Re: [Full-disclosure] darpa to automatically patch flaws

2013-10-23 Thread Jeffrey Walton
On Wed, Oct 23, 2013 at 10:03 AM, J. Oquendo  wrote:
> ...
> 3) System would have to EXPLOIT vuln to fix it
Like the worm wars back in the early 2000s? Nachia patching for
Blaster? 
http://www.sophos.com/en-us/press-office/press-releases/2003/08/va_nachi.aspx

I thought it was kind of the Nachia folks to patch vulnerable
workstations and servers since SysAdmins were doing such a poor job.

Jeff



Re: [Full-disclosure] Slightly OT: What SSL cert do you consider strongest?

2013-10-23 Thread Jeffrey Walton
On Tue, Oct 22, 2013 at 4:14 PM, David Miller  wrote:
> After the PRISM and other Snowden leaks, inquiring minds want to know: whose 
> SSL certs are to be trusted?
There is no short answer because the protocols, models and clients are broken.

Consider Browsers and HTTP/HTTPS: plain HTTP is good (no visual cues
to a user); while opportunistic HTTPS is bad (self signed certificates
invoke the red danger bar). But "trusted" certificate issuers get the
green bar regardless of anything, even though they have varying
degrees of "quality" (for some definition of what it means). For
example, Trustwave gets the green HTTPS bar even though it's known
they issue MitM certificates to attack users.

But what happens if the adversary circumvents the Mail Server
certificate altogether? For example, it's easier for a government to
attack a node within its jurisdiction, and the SSL/TLS certificate on
the server just does not matter. So it's easier to go to an email or
web provider and say "give me all the information". This happened to
Lavabit, and they closed their doors rather than comply. Silent Circle
dropped their email service due to the concerns. Sometimes, it's best
to avoid the protocols altogether.

> Is a self-signed cert likely to be stronger?
Peter Gutmann goes into this in great detail. Read Chapters 1 and 6
from his Engineering Security book
(http://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf). He's got a
witty sense of humor, so it's not boring reading (it's actually quite
hilarious because he has documented so many failures from the PKI
industry).

Self signed certificates are OK, but you need a different model to use
them. The new model would employ security diversification techniques.
For example, if there is an 'a priori' or existing relationship (think
enterprise app), then there is no reason to trust any third parties
since the app knows what to expect. In this case, the enterprise app
could pin the server's public key.

If there's no pre-existing relationship, then you need to employ a
Perspectives like system (in addition to other diversification
techniques). This system is basically Trust On First Use (TOFU), and
it's used by SSH when StrictHostKeyChecking is enabled.

Jeff
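The two models in the reply above, a pre-provisioned pin for the case where the app already knows the server, and trust-on-first-use where it does not, come down to a small amount of bookkeeping. The following is an added example written for this thread in the style of SSH's known_hosts; it is not code from the post, from OpenSSH, or from Perspectives. The key bytes and the pin store are constructed in-memory sample data, and `strict=True` refuses unknown hosts (the never-learn behaviour) while `strict=False` learns a key on first sight and refuses any later change.

```python
"""Pinning a server's public key: pre-provisioned pins for the 'a priori'
(enterprise) case and trust-on-first-use for the no-prior-relationship case.
Added example in the style of SSH's known_hosts; not code from the thread.
Keys and the pin store are constructed in-memory sample data."""
import base64
import hashlib


class PinMismatch(Exception):
    """A host we have seen before presented a different public key."""


class UnknownHost(Exception):
    """Strict mode: the host has no pin and we refuse to learn one."""


def fingerprint(public_key_der: bytes) -> str:
    """SSH-style fingerprint: SHA-256 over the encoded key, base64 without padding."""
    digest = hashlib.sha256(public_key_der).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class PinStore:
    """Maps 'host:port' to a pinned fingerprint.

    A real store is a file with restricted permissions (like ~/.ssh/known_hosts);
    a dict stands in for it here (assumption)."""

    def __init__(self, preprovisioned=None):
        # Pins shipped with the app cover the enterprise case from the thread:
        # the app already knows what key to expect, so no third party is consulted.
        self.pins = dict(preprovisioned or {})
        self.log = []

    def verify(self, host: str, port: int, public_key_der: bytes, strict: bool) -> str:
        """Return 'match' or 'pinned'; raise on a mismatch, or on an unknown host in strict mode.

        strict=True never learns a key (an unknown host is an error);
        strict=False is TOFU: learn on first sight, refuse changes afterwards."""
        key = f"{host}:{port}"
        fp = fingerprint(public_key_der)
        pinned = self.pins.get(key)
        if pinned is None:
            if strict:
                raise UnknownHost(f"no pin for {key}; refusing to connect")
            self.pins[key] = fp      # first use: remember and proceed
            self.log.append(f"pinned {key} as {fp}")
            return "pinned"
        if pinned != fp:
            # The key changed: either a legitimate re-key or an interposed server.
            # Either way the connection must not proceed until someone decides.
            self.log.append(f"MISMATCH {key}: expected {pinned}, got {fp}")
            raise PinMismatch(key)
        return "match"


if __name__ == "__main__":
    store = PinStore()
    server_key = b"constructed-sample-public-key-bytes"
    print(store.verify("mail.example.invalid", 993, server_key, strict=False))  # pinned
    print(store.verify("mail.example.invalid", 993, server_key, strict=False))  # match
    try:
        store.verify("mail.example.invalid", 993, b"a-different-key", strict=False)
    except PinMismatch as e:
        print("refused:", e)
```

The mismatch path deliberately has no "continue anyway" branch: the decision to accept a changed key belongs to a person or a provisioning process, not to the connecting code, and the log line is what an operator would look at before updating the pin.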



Re: [Full-disclosure] Advantages of Stack Guard over Stack Shield

2013-10-21 Thread Jeffrey Walton
On Sun, Oct 20, 2013 at 9:33 AM, Jaydeep Solanki  wrote:
> Hi,
>
> I would like to know why nowadays Stack Guard is used everywhere (example:
> ProPolice in GCC, /GS in Visual Studio) instead of Stack Shield.
>
> Both the approaches (i.e. Stack Guard & Stack Shield) provide an equal level
> of security.
>
> Any specific advantages of Stack Guard over Stack Shield ?
I believe Hiroaki Etoh's work on Stack Smashing Protection (SSP) was
based upon his work on IBM's ProPolice. One of the changes made was
the rearrangement of the variables in the stack frame to make it more
difficult to avoid or circumvent the protection.

There were some other benefits too, but I don't recall them now. You
can find Hiroaki Etoh's patch submission here:
http://gcc.gnu.org/ml/gcc-patches/2001-06/msg01753.html.

You can see how "fine grained" the SSP being used is with:

$ gcc -dumpspecs

...

*link_ssp:
%{fstack-protector:}

*ssp_default:
%{!fno-stack-protector:%{!fstack-protector-all:
%{!ffreestanding:%{!nostdlib:-fstack-protector}} }}

-fstack-protector guards vulnerable objects such as C-strings; while
-fstack-protector-all guards all objects in a stack frame. You would
use -fstack-protector-all on high risk source files, such as those
that parse input from the internet.

Related, you also want to see -Wl,-z,noexecstack during an audit. If
you are dealing with a PaX enabled kernel like Gentoo, you should also
desire -Wl,-z,noexecheap.

Finally, Debian has a pretty good page that discusses some of these
things at https://wiki.debian.org/Hardening.

Jeff
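Two of the audit points in the reply above, the stack-protector flags and -Wl,-z,noexecstack, leave marks in the built binary that can be checked without readelf. The following is an added example written for this thread, not code from the post, from GCC, or from the Debian Hardening page. It parses the ELF program headers directly to read the PT_GNU_STACK permissions (which -z noexecstack sets to non-executable) and, as a heuristic, looks for the `__stack_chk_fail` name that a dynamically linked binary built with -fstack-protector or -fstack-protector-all carries in its dynamic string table. The sample ELF images it checks are constructed inside the block so it runs offline.

```python
"""Audit two hardening properties of an ELF file without external tools.
Added example; not code from the thread, GCC, or Debian's Hardening page.
Sample ELF images are constructed below for offline testing."""
import struct

PT_GNU_STACK = 0x6474E551   # program header that carries the stack permissions
PF_X = 0x1                  # executable bit in p_flags


def program_headers(data: bytes):
    """Yield (p_type, p_flags) for every program header; handles ELF32/ELF64, LE/BE."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}[ei_data]
    if ei_class == 2:                                   # ELF64
        hdr = struct.unpack_from(endian + "HHIQQQIHHHHHH", data, 16)
        phdr_fmt, flags_idx = "IIQQQQQQ", 1             # p_flags directly follows p_type
    elif ei_class == 1:                                 # ELF32
        hdr = struct.unpack_from(endian + "HHIIIIIHHHHHH", data, 16)
        phdr_fmt, flags_idx = "IIIIIIII", 6             # p_flags is the seventh field
    else:
        raise ValueError("unknown ELF class")
    e_phoff, e_phentsize, e_phnum = hdr[4], hdr[8], hdr[9]
    for i in range(e_phnum):
        fields = struct.unpack_from(endian + phdr_fmt, data, e_phoff + i * e_phentsize)
        yield fields[0], fields[flags_idx]


def stack_marking(data: bytes) -> str:
    """'nx' if PT_GNU_STACK is present without PF_X, 'exec' if it carries PF_X,
    'unmarked' if the header is absent. -Wl,-z,noexecstack produces 'nx'."""
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            return "exec" if p_flags & PF_X else "nx"
    return "unmarked"


def references_stack_protector(data: bytes) -> bool:
    """Heuristic: code built with -fstack-protector* calls __stack_chk_fail, so a
    dynamically linked binary carries that name in .dynstr. A raw byte search is
    enough for an audit sweep; parsing the symbol table would be the precise check."""
    return b"__stack_chk_fail\0" in data


def audit(data: bytes) -> dict:
    """Summarise both checks for one ELF image."""
    return {"stack": stack_marking(data), "ssp": references_stack_protector(data)}


def build_sample_elf64(stack_flags: int, with_ssp_symbol: bool) -> bytes:
    """Construct a minimal x86-64 ELF: header, one PT_LOAD, one PT_GNU_STACK, a fake .dynstr.
    Constructed sample data; it is not loadable, only parseable."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7        # ELF64, little-endian
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               2, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)
    gnu_stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    dynstr = b"\0libc.so.6\0" + (b"__stack_chk_fail\0" if with_ssp_symbol else b"")
    return ehdr + load + gnu_stack + dynstr


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:            # e.g. python elf_audit.py /usr/bin/*
        with open(path, "rb") as f:
            print(path, audit(f.read()))
    if len(sys.argv) == 1:
        print("hardened:", audit(build_sample_elf64(0x6, True)))    # RW stack, SSP present
        print("weak:    ", audit(build_sample_elf64(0x7, False)))   # RWX stack, no SSP
```

Run it over a directory of binaries and the two fields give a quick triage list; an 'exec' or 'unmarked' stack is the finding to chase first, since one object file assembled without the GNU-stack note is enough to make the linker mark the whole executable's stack executable.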



Re: [Full-disclosure] glibc 2.5 <= reloc types to crash bug

2013-10-20 Thread Jeffrey Walton
>   switch (r_type)
> {
>
> case R_386_GLOB_DAT:
> case R_386_JMP_SLOT:
>   // *reloc_addr(*relocation addr) = value(relative addr calculated
> at above codes.)
>  *reloc_addr = value;
>  break;
> }
> // XXX BUG: 'defaults:' label not exists!
I believe the lack of a 'default' label is legal C99 (6.8.4.2.5).

> the symbol relocation time. It means the ELF object 4bytes
> altered with unspecified reloc types to crash.
How, precisely, are you writing to those 4 bytes? Or are you saying
they are garbage (which leads to a crash)?

Jeff

On Sun, Oct 20, 2013 at 7:05 AM, x90c  wrote:
> +-+
> | XADV-2013002 glibc 2.5 <= reloc types to crash bug   |
> +-+
>
>  Vulnerable versions:
>  - glibc 2.5 <=
>  Not vulnerable versions:
>  - glibc 2.6 >=
>  Testbed: linux distro
>  Type: Local
>  Impact: crash
>  Vendor: https://www.gnu.org/software/libc
>  Author: x90c 
>  Site: x90c.org
>
>
> =
> ABSTRACT:
> =
>
> [Unspecified reloc types bug]
> 'defaults:' label codes on If not defined RTLD_BOOTSTRAP, glibc 2.5
> defined RTLD_BOOTSTRAP default. The elf_machine_rel() of the
> vulnerable glibc 2.5 ld-2.5.so doesn't process 'defaults:' In
> the symbol relocation time. It means the ELF object 4bytes
> altered with unspecified reloc types to crash.
> ('defaults:' label process unspecified reloc types to
>   calc reloc addr)
>
> The vulnerable function sets *reloc_addr_arg as 5th argument
> (to reloc addr). and calc reloc addr. The unspecified reloc types
> passed Improper value(on elf binary) on reloc_addr. An elf binary
> with altered unspecified reloc_types to crash. BUG!
>
> The bug can be used for rootkit technique via altering the ELF object.
>
> =
> DETAILS:
> =
>
> glibc-2.5/dl-machine.h
> 
> auto inline void
> __attribute ((always_inline))
> elf_machine_rel (struct link_map *map, const Elf32_Rel *reloc,
> const Elf32_Sym *sym, const struct r_found_version *version,
> void *const reloc_addr_arg)
> {
>   // reloc_addr = reloc_addr_arg(5rd argument as relative jump)
>   Elf32_Addr *const reloc_addr = reloc_addr_arg;
>
> ...
>
>   switch (r_type)
> {
>
> case R_386_GLOB_DAT:
> case R_386_JMP_SLOT:
>   // *reloc_addr(*relocation addr) = value(relative addr calculated
> at above codes.)
>  *reloc_addr = value;
>  break;
> }
> // XXX BUG: 'defaults:' label not exists!
> ...
>
> }
> #endif /* !RTLD_BOOTSTRAP */
> 
>
>
> ===
> EXPLOIT CODES:
> ===
> Altering reloc types on the ELF binary.
>
> =
> PATCH CODES:
> =
> add 'defaults:' label on above relocation code
> If RTLD_BOOTSTRAP defined.
>
>
> ===
> VENDOR STATUS:
> ===
> 2012/09/04 - The bug Discovered.
> 2013/10/20 - Advisory released on full-disclosure, bugtraq, exploit-db.
>
> ...



[Full-disclosure] Going beyond vulnerability rewards

2013-10-11 Thread Jeffrey Walton
http://googleonlinesecurity.blogspot.com/2013/10/going-beyond-vulnerability-rewards.html?m=1

We all benefit from the amazing volunteer work done by the open source
community. That’s why we keep asking ourselves how to take the model
pioneered with our Vulnerability Reward Program - and employ it to
improve the security of key third-party software critical to the
health of the entire Internet.

We thought about simply kicking off an OSS bug-hunting program, but
this approach can easily backfire. In addition to valid reports, bug
bounties invite a significant volume of spurious traffic - enough to
completely overwhelm a small community of volunteers. On top of this,
fixing a problem often requires more effort than finding it.

So we decided to try something new: provide financial incentives for
down-to-earth, proactive improvements that go beyond merely fixing a
known security bug. Whether you want to switch to a more secure
allocator, to add privilege separation, to clean up a bunch of sketchy
calls to strcat(), or even just to enable ASLR - we want to help!

We intend to roll out the program gradually, based on the quality of
the received submissions and the feedback from the developer
community. For the initial run, we decided to limit the scope to the
following projects:

Core infrastructure network services: OpenSSH, BIND, ISC DHCP
Core infrastructure image parsers: libjpeg, libjpeg-turbo, libpng, giflib
Open-source foundations of Google Chrome: Chromium, Blink
Other high-impact libraries: OpenSSL, zlib
Security-critical, commonly used components of the Linux kernel (including KVM)

We intend to soon extend the program to:

Widely used web servers: Apache httpd, lighttpd, nginx
Popular SMTP services: Sendmail, Postfix, Exim
Toolchain security improvements for GCC, binutils, and llvm
Virtual private networking: OpenVPN

How to participate?

Please submit your patches directly to the maintainers of the
individual projects. Once your patch is accepted and merged into the
repository, please send all the relevant details to
security-patc...@google.com. If we think that the submission has a
demonstrable, positive impact on the security of the project, you will
qualify for a reward ranging from $500 to $3,133.7.

Before participating, please read the official rules posted on this
page; the document provides additional information about eligibility,
rewards, and other important stuff.

Happy patching!


[Full-disclosure] Microsoft Pays Security Researcher James Forshaw $100, 000 For Windows 8 Flaw

2013-10-10 Thread Jeffrey Walton
It looks like Microsoft might be one of the better corporations to do
free security work for (or maybe you have to be a Microsoft employee
for the big payouts).

What's Yahoo up to now? A free coffee mug and t-shirt plus a pair of boxers?

http://pulse2.com/2013/10/10/microsoft-james-forshaw-bounty-program-94944/

Microsoft has put together a pot of $150,000 to pay prizes to security
researchers that find vulnerabilities in Windows and Internet
Explorer and report them.  This is known as a “bounty program” and
Microsoft uses this information to fix issues before malware hackers
go after it.  On Tuesday, Microsoft gave James Forshaw $100,000 for
helping them improve their platform-wide security by leaps.

“Coincidentally, one of our brilliant engineers at Microsoft, Thomas
Garnier, had also found a variant of this class of attack technique.
Microsoft engineers like Thomas are constantly evaluating ways to
improve security, but James’ submission was of such high quality and
outlined some other variants such that we wanted to award him the full
$100,000 bounty,” stated Microsoft Security Response Center senior
security strategist Katie Moussouris in a blog post [0].

Over the last couple of months, Microsoft has paid out $128,000 to
security researchers that have found flaws in Windows and Internet
Explorer.  Forshaw was paid another $9,400 for finding bugs in the
latest version of Internet Explorer.

[0] 
http://blogs.technet.com/b/bluehat/archive/2013/10/08/congratulations-to-james-forshaw-recipient-of-our-first-100-000-bounty-for-new-mitigation-bypass-techniques.aspx


Re: [Full-disclosure] How many .gov sites did the usa government ddosed/nearly defaced?

2013-10-08 Thread Jeffrey Walton
On Tue, Oct 8, 2013 at 9:29 AM, Georgi Guninski  wrote:
> Just noticed http://www.nist.gov/ is not alive due to the
> usa government.
>
> Approximately how many .gov websites are in such a condition?
Department of Commerce is also down. (I need to file for an export
license, and the SNAP-R system is not available).

Probably Department of State, Department of Interior, and the rest of them.

Jeff



Re: [Full-disclosure] PRISM

2013-10-05 Thread Jeffrey Walton
On Sat, Oct 5, 2013 at 11:15 AM,   wrote:
> On Wed, 02 Oct 2013 09:52:41 +0100, 
> catsandd0gz.dinosaursandwh0...@hushmail.com said:
>
>> Is anyone else super mad?
>
> You're obviously new here.  Some of us were super mad 10-12 years ago
> when this shit started big time.
:)

It's ironic catsandd0gz is using Hushmail. That service was backdoored
for law enforcement years ago. Encrypted E-Mail Company Hushmail
Spills to Feds,
http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/.

Jeff



Re: [Full-disclosure] [Django] Cookie-based session storage session invalidation issue

2013-10-03 Thread Jeffrey Walton
> Again, the behavior is a surprise to most developers.

If it surprises developers, then what do you think it does to
unsuspecting users?

It's akin to a builder installing a lock on a house that does not
work, and the builder not telling the home owner.

It's already game over, whether it's documented or not. Perhaps the
Django developers should take time to read Peter Gutmann's Engineering
Security (www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) or Ross
Anderson's Security Engineering (www.cl.cam.ac.uk/~rja14/book.html).

Jeff

On Thu, Oct 3, 2013 at 10:39 AM, G. S. McNamara  wrote:
> Hi Paul,
>
> The documentation you linked to was updated yesterday to reflect the issue I
> brought up with cookie-stored sessions.
>
> Again, the behavior is a surprise to most developers.
>
>
> Thanks!
>
> G. S. McNamara
>
>
> On Wed, Oct 2, 2013 at 3:04 PM, Paul McMillan  wrote:
>>
>> G. S. McNamara:
>>
>> Perhaps next you will disclose that if an attacker obtains a user's
>> password, they can log in as that user. Seriously, "full disclosure"
>> of well documented behavior is not particularly impressive.
>>
>>
>> https://docs.djangoproject.com/en/1.5/topics/http/sessions/#using-cookie-based-sessions
>>
>> Cheers,
>> -Paul
>>
>> > From: "G. S. McNamara" 
>> > To: 
>> > Subject: [Full-disclosure] [Django] Cookie-based session storage session
>> > invalidation issue
>> >
>> > FD,
>> >
>> > I’m back!
>> >
>> > Django versions 1.4 – 1.7 offer a cookie-based session storage option
>> > (not the default > this time) that is afflicted by the same issue I posted
>> > about previously concerning Ruby > on Rails:
>> >
>> > If you obtain a user’s cookie, even if they log out, you can still log
>> > in as them.
>> >
>> > The short write-up is here, if needed:
>> > http://maverickblogging.com/security-vulnerability-with-django-cookie-based-sessions/
>> >
>> > Cheers,
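The behaviour the thread argues over is easy to see in a few lines. The following is an added example written for this thread; it is not Django's session code and not from any of the posts. A purely cookie-based session is an HMAC-signed blob held only by the browser, so after "logout" the server has nothing to revoke and any copy that was taken still verifies. The second half shows one server-side mitigation: a per-user generation number stored by the server and embedded in the cookie, bumped at logout so every previously issued cookie stops verifying. The secret and the user table are constructed sample values.

```python
"""Signed, purely cookie-based sessions versus a server-side generation check.
Added example; not Django's session code and not from the thread.
The secret and the user table are constructed sample values."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret-do-not-reuse"   # constructed; a real app loads this from config


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def make_cookie(session: dict) -> str:
    """Serialise the session dict into 'payload.signature' as the browser will store it."""
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    return payload + "." + _sign(payload.encode())


def load_cookie(cookie: str):
    """Return the session dict if the signature verifies, else None."""
    payload, _, sig = cookie.rpartition(".")
    if not hmac.compare_digest(_sign(payload.encode()).encode(), sig.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def stateless_logout(cookie: str) -> bool:
    """Purely cookie-based storage: the server holds no record of the session, so
    'logout' can only tell the browser to drop the cookie. Any copy an attacker took
    still verifies. Returns True when the cookie is still accepted after logout."""
    return load_cookie(cookie) is not None


# Mitigation: keep one integer per user on the server and embed it in the cookie.
USER_SESSION_GENERATION = {"alice": 1}            # constructed user table


def make_cookie_v2(user: str) -> str:
    return make_cookie({"user": user, "gen": USER_SESSION_GENERATION[user]})


def load_cookie_v2(cookie: str):
    """Accept the cookie only if its generation matches the server's current value."""
    session = load_cookie(cookie)
    if session is None:
        return None
    if session.get("gen") != USER_SESSION_GENERATION.get(session.get("user")):
        return None                                   # issued before the last logout
    return session


def logout_v2(user: str) -> None:
    """Bump the generation: every cookie issued so far for this user stops verifying."""
    USER_SESSION_GENERATION[user] += 1


if __name__ == "__main__":
    stolen = make_cookie({"user": "alice"})
    print("stateless cookie valid after logout:", stateless_logout(stolen))             # True
    stolen_v2 = make_cookie_v2("alice")
    logout_v2("alice")
    print("generation-checked cookie valid after logout:", load_cookie_v2(stolen_v2) is not None)  # False
```

The generation counter costs one integer per user and one lookup per request, which is far less than a full server-side session table, but it is still server-side state; that is the trade the thread is really about, since without some such state a signed cookie can only ever expire, never be invalidated.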


[Full-disclosure] iOS: List of available trusted root certificates

2013-09-30 Thread Jeffrey Walton
From "iOS: List of available trusted root certificates",
http://support.apple.com/kb/HT5012.

There's no reason to allow some of this to occur in 2013. As a
proxy-relying-party, Apple is responsible for this stuff because users
are not allowed to make the decisions or modify the Trust Store.

For reference:
Peter Gutmann, Engineering Security,
www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf
Baseline Certificate Requirements:
https://www.cabforum.org/Baseline_Requirements_V1_1_6.pdf
Extended Validation Certificate Requirements:
https://www.cabforum.org/Guidelines_v1_4_3.pdf

Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c)
1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 4
Public Primary Certification Authority - G3
Serial Number: ec:a0:a7:8b:6e:75:6a:01:cf:c4:7c:cc:2f:94:5e:d7
Missing Critical Basic Constraint and CA=TRUE

Subject: C=DK, O=TDC Internet, OU=TDC Internet Root CA
Serial Number: 986490188 (0x3acca54c)
Missing Critical Basic Constraint

Subject: CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı, C=TR,
L=ANKARA, O=(c) 2005 TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği
Hizmetleri A.Ş.
Serial Number: 1 (0x1)
Missing Critical Basic Constraint

Subject: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref.
(limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure
Server Certification Authority
Serial Number: 927650371 (0x374ad243)
Missing Critical Basic Constraint

Subject: C=CN, O=UniTrust, CN=UCA Root
Serial Number: 9 (0x9)
Missing Critical Basic Constraint

Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary
Certification Authority
Serial Number: 70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
Missing Critical Basic Constraint and CA=TRUE

Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary
Certification Authority
Serial Number: 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
Missing Critical Basic Constraint and CA=TRUE

Subject: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert
Class 2 Policy Validation Authority,
CN=http://www.valicert.com//emailAddress=i...@valicert.com
Serial Number: 1 (0x1)
Missing Critical Basic Constraint and CA=TRUE

Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary
Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For
authorized use only, OU=VeriSign Trust Network
Serial Number: 7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6
Missing Critical Basic Constraint and CA=TRUE

Subject: C=US, O=VeriSign, Inc., OU=Class 4 Public Primary
Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For
authorized use only, OU=VeriSign Trust Network
Serial Number: 32:88:8e:9a:d2:f5:eb:13:47:f8:7f:c4:20:37:25:f8
Missing Critical Basic Constraint and CA=TRUE

Subject: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing,
CN=StartCom Certification Authority
Serial Number: 1 (0x1)
Missing Critical Basic Constraint

Subject: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert
Class 1 Policy Validation Authority,
CN=http://www.valicert.com//emailAddress=i...@valicert.com
Serial Number: 1 (0x1)
Missing Critical Basic Constraint and CA=TRUE

Subject: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary
Certification Authority
Serial Number: cd:ba:7f:56:f0:df:e4:bc:54:fe:22:ac:b3:72:aa:55
Missing Critical Basic Constraint and CA=TRUE

Subject: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary
Certification Authority
Serial Number: 3f:69:1e:81:9c:f0:9a:4a:f3:73:ff:b9:48:a2:e4:dd
Missing Critical Basic Constraint and CA=TRUE

Subject: C=CN, O=UniTrust, CN=UCA Global Root
Serial Number: 8 (0x8)
Missing Critical Basic Constraint

Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c)
1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 2
Public Primary Certification Authority - G3
Serial Number: 61:70:cb:49:8c:5f:98:45:29:e7:b0:a6:d9:50:5b:7a
Missing Critical Basic Constraint and CA=TRUE

Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD CLASS 3 Root CA
Serial Number: 4 (0x4)
Missing Critical Basic Constraint

Subject: C=KR, O=KISA, OU=Korea Certification Authority Central,
CN=KISA RootCA 3
Serial Number: 2 (0x2)
Missing Critical Basic Constraint and CA=TRUE

Subject: C=US, O=VeriSign, Inc., OU=Class 2 Public Primary
Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For
authorized use only, OU=VeriSign Trust Network
Serial Number: b9:2f:60:cc:88:9f:a1:7a:46:09:b8:5b:70:6c:8a:af
Missing Critical Basic Constraint and CA=TRUE

Subject: C=TW, O=Chunghwa Telecom Co., Ltd., OU=ePKI Root
Certification Authority
Serial Number: 15:c8:bd:65:47:5c:af:b8:97:00:5e:e4:06:d2:bc:9d
Missing Critical Basic Constraint

Subject: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc.,
CN=GTE CyberTrust Global Ro

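A Python check for the rule the list above applies to those roots, added here as an example (it is not from Apple's list, the CA/Browser Forum documents, or any tool the post used). RFC 5280 section 4.2.1.9 requires a CA certificate's basicConstraints extension to be present, marked critical, and carry cA=TRUE. The decoder works on the DER of a certificate's Extensions SEQUENCE rather than a whole certificate, and the sample inputs are constructed here with a small DER encoder; they are not the certificates named above. The result strings mirror the two labels used in the list, and reading the longer label as "no basicConstraints extension at all" (a v1 certificate carries no extensions) is my interpretation, not something the post states.

```python
from typing import Dict, List, Optional, Tuple

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_SUBJECT_KEY_ID = "2.5.29.14"

# --- minimal DER encoder, used only to construct the sample inputs ----------

def der_tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + body

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def der_bool(value: bool) -> bytes:
    return der_tlv(0x01, b"\xff" if value else b"\x00")

def extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    parts = der_oid(oid)
    if critical:  # DER omits a DEFAULT FALSE field, so only TRUE is encoded
        parts += der_bool(True)
    parts += der_tlv(0x04, value)
    return der_tlv(0x30, parts)

def extensions(*exts: bytes) -> bytes:
    return der_tlv(0x30, b"".join(exts))

def basic_constraints(ca: bool) -> bytes:
    # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen OPTIONAL }
    return der_tlv(0x30, der_bool(True) if ca else b"")

# --- minimal DER decoder -----------------------------------------------------

def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nb = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    return tag, buf[pos:pos + length], pos + length

def der_children(body: bytes) -> List[Tuple[int, bytes]]:
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = der_read(body, pos)
        out.append((tag, value))
    return out

def decode_oid(raw: bytes) -> str:
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_extensions(der: bytes) -> List[Dict]:
    """Decode an Extensions SEQUENCE into [{oid, critical, value}, ...]."""
    tag, body, _ = der_read(der)
    assert tag == 0x30, "expected SEQUENCE OF Extension"
    result = []
    for _ext_tag, ext_body in der_children(body):
        fields = der_children(ext_body)
        critical, idx = False, 1
        if fields[idx][0] == 0x01:  # optional BOOLEAN 'critical' is present
            critical = fields[idx][1] != b"\x00"
            idx += 1
        result.append({"oid": decode_oid(fields[0][1]),
                       "critical": critical, "value": fields[idx][1]})
    return result

def classify_root(extensions_der: Optional[bytes]) -> str:
    """RFC 5280 4.2.1.9 for CA certificates: basicConstraints present, critical, cA=TRUE."""
    exts = parse_extensions(extensions_der) if extensions_der else []
    bc = next((e for e in exts if e["oid"] == OID_BASIC_CONSTRAINTS), None)
    if bc is None:
        return "Missing Critical Basic Constraint and CA=TRUE"
    inner = der_children(der_read(bc["value"])[1])
    if not any(t == 0x01 and v != b"\x00" for t, v in inner):
        return "Basic Constraint present but CA=FALSE"
    if not bc["critical"]:
        return "Missing Critical Basic Constraint"
    return "OK"

# Constructed sample inputs (hypothetical, not real certificates).
SAMPLE_GOOD = extensions(extension(OID_BASIC_CONSTRAINTS, basic_constraints(True), critical=True))
SAMPLE_NONCRITICAL = extensions(extension(OID_BASIC_CONSTRAINTS, basic_constraints(True)))
SAMPLE_V1_NO_EXTENSIONS = None
SAMPLE_ONLY_SKI = extensions(extension(OID_SUBJECT_KEY_ID, der_tlv(0x04, b"\x01" * 20)))
SAMPLE_END_ENTITY = extensions(extension(OID_BASIC_CONSTRAINTS, basic_constraints(False), critical=True))
```

For a real root, `openssl x509 -in root.pem -text -noout` prints the extension and its critical flag; the decoder above is the same check on the raw bytes, minus the outer Certificate and TBSCertificate structures that wrap the Extensions SEQUENCE in a [3] EXPLICIT tag.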
[Full-disclosure] iOS: List of available trusted root certificates (iOS 7)

2013-09-30 Thread Jeffrey Walton
iOS: List of available trusted root certificates,
http://support.apple.com/kb/HT5012.

Lots of goodies in that list of 200+, including use of MD2 and MD5.
The usual suspects are also present, including CNNIC (or if you're
from China, the U.S. bloat).


Re: [Full-disclosure] Internet has vuln.

2013-09-13 Thread Jeffrey Walton
On Fri, Sep 13, 2013 at 2:45 PM,   wrote:
> On Thu, 12 Sep 2013 18:23:53 -0400, Jeffrey Walton said:
>
>> They ignored my comments on fixed size arrays based on MAX_PATH and
>> the subsequent overflows and silent truncations due to use of sprintf
>> and snprintf
>
> Which "they" was it?
>
> If you're referring to this:
>
> http://comments.gmane.org/gmane.comp.security.selinux/16844
There were many more than just that one.

> Note that the guy you were replying to was a Japanese software engineer
> employed by NEC.  If you want to argue the guy was an NSA plant trying to get a
> backdoor in, feel free. But don't expect to be taken seriously without some
> additional evidence.
The code was accepted into the project.
> And it counted as "underhanded", how, exactly?
I did not claim that.

> In other words - under what conditions can you make a truncation to MAX_PATH
> cause an actual hole? And to count as "underhanded" rather than merely "buggy",
> you'd need at least a whiff of evidence that it was intentional.
What's the difference if its exploitable in practice?

There's no need to consciously add backdoors when developers are
checking in shit code. They serve the same purpose and add a level of
deniability.

> Or as Kohei replied to you:
>
> "The selinux_mnt is not a variable given by external one, unless
> application does not update it by itself.
>
> It is not difficult to modify this part to return ENAMETOOLONG
> when snprintf() returns larger or equal with PATH_MAX."
>
> In the Linux community, this would count as '-ENOPATCH', as I'm not
> finding where you ever submitted a patch to fix the issue.
The more eyes the better, right?

Crowd sourcing security is a myth.

Jeff


Re: [Full-disclosure] Internet has vuln.

2013-09-12 Thread Jeffrey Walton
On Thu, Sep 12, 2013 at 3:23 PM,   wrote:
> On Thu, 12 Sep 2013 08:57:55 +0800, Steve Wray said:
>
>> In some cases it could be quite difficult to disengage from NSA-influenced
>> projects, eg selinux. So far as I can tell this is pretty much everywhere
>> now. Redhat embraced it ages ago, its been integrated in the kernel since
>> 2.6, so how do we opt out of selinux?
>
> Well, given that SELinux *did* come out of the NSA, but has had tons of code
> review of the base code (which isn't really all that much) and the actual
> policy files (which is where I'd hide a backdoor, they're a lot more obscure
> than the actual kernel code), by lots of people who would have *loved* to be
> the one who caught the NSA doing something underhanded, I think you're barking
> up an entirely incorrect tree.
They ignored my comments on fixed size arrays based on MAX_PATH and
the subsequent overflows and silent truncations due to use of sprintf
and snprintf

Jeff


Re: [Full-disclosure] possible backdoor in OpenSSL X509 verification

2013-09-06 Thread Jeffrey Walton
> Can someone take a look on this shady X.509 certificate verification code
> (fails open in case of out-of-memory error):
>
> http://rt.openssl.org/Ticket/Display.html?id=2924
Well, I know Dr. Henson, Steve Marquess, Andy Polyakov, Tim Hudson, and
a few others (to varying degrees). I can tell you it's not an intentional
back door along the lines of http://cryptome.org/2012/01/0032.htm.

OpenSSL has one full time developer dedicated to maintaining the
library. Often times, he's busy consulting for the Foundation so he
does not have the opportunities to maintain the code like folks want.

> http://rt.openssl.org/Ticket/Display.html?id=2924
Keep in mind that OpenSSL recently migrated bug trackers (from an old
RT to a new RT), so that bug may be older than November, 2012.

And it might be fixed in the sources, too. The best I can tell, no one
really maintains that list (when's the last time you saw something
acknowledged?). It's more like a scratch pad.

> Noone from OpenSSL team has commented whether this is exploitable or
> should it be rewritten in safer manner.
OpenSSL is an open project, and it lacks a solid engineering process.
What you are seeing is the effect of an ad hoc process, donated
developer time, and open source development.

> This is because "for" loop later does not require to find even a single
> issuer certificate from trust store and will happily break loop if last
> certificate is actually self signed."
It's just another bug that slipped through the cracks. No one is trying
to hide a back door.

I've tried to get the Foundation to address these problems with policy
("everything must have positive and negative test cases"). No one
really cared. Then I tried to get them to address it by accepting my
negative test cases (which broke things in practice). No one really
cared. Until the project improves their engineering process, things
won't change.

If you can put together a test case showing any certificate is
accepted (and subject to tampering or MitM), then that's a security
defect. You should probably get a CVE for it so it can be tracked.

Jeff

On Fri, Sep 6, 2013 at 10:28 AM, Arnis  wrote:
> Can someone take a look on this shady X.509 certificate verification code
> (fails open in case of out-of-memory error):
>
> http://rt.openssl.org/Ticket/Display.html?id=2924
>
> "Certificate chain verification in crypto/x509/x509_vfy.c
> X509_verify_cert() fails badly and may allow verification bypass if
> check_issued() on line 259 returns false negative on check whether the last
> certificate in chain is self signed. For example, check_issued() may
> return false negative in case of memory allocation failure (although could
> not find how to force that).
>
> 253 /* Examine last certificate in chain and see if it
> 254 * is self signed.
> 255 */
> 256
> 257 i=sk_X509_num(ctx->chain);
> 258 x=sk_X509_value(ctx->chain,i-1);
> 259 if (ctx->check_issued(ctx, x, x))
>
> This is because "for" loop later does not require to find even a single
> issuer certificate from trust store and will happily break loop if last
> certificate is actually self signed."
>
>
> Noone from OpenSSL team has commented whether this is exploitable or
> should it be rewritten in safer manner.
>
> P.S. Subject field inspired by latest NSA stories ;)


Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 8): execute everywhere!

2013-08-24 Thread Jeffrey Walton
Hi Stefan,

> ... administrative rights for every user account
Hmmm... XP/x64 appears to have a bug such that the second user also
needs to be admin (perhaps XP/x86, too). XP does not recognize the
first account as admin, so the second account cannot be limited (at
least on my test box).

Vista and above make the first user admin, but other users default to standard.

Jeff

On Sat, Aug 24, 2013 at 5:32 PM, Stefan Kanthak  wrote:
> Hi,
>
> since it's start about 20 years ago Windows NT supports (fine grained)
> ACLs, including the permission "execute file".
>
> In their very finite wisdom Microsoft but decided back then to have
> this permission set on EVERY file a user creates (and assumes it is
> set on local and remote file systems which dont support ACLs).
>
> The result: on Windows, malware can run everywhere (and since CWD
> alias "." is in the path, can be started everywhere)!
>
>
> These fundamental errors, combined with two other fundamental errors
> (NO ACLs on %SystemRoot% and %ProgramFiles% to prevent write access
> for non-administrative user accounts, and administrative rights for
> every user account) turned Windows NT into the same unsafe, insecure
> and vulnerable system its predecessors MS-DOS and Windows 3.x were
> and enabled miscreants to abuse internet-connected Windows systems
> to distribute SPAM, launch DDoS attacks, spread malware, etc.
>
>
> For a company that puts "compatibility" above all other criteria this
> decision might have looked reasonable ... BUT: it was NOT!
>
>
> Windows NT introduced the Win32-API, which is/was INCOMPATIBLE to the
> existing DOS- and Win16-API. To run existing applications written for
> the old APIs Windows NT introduced NTVDM (the "Virtual DOS Machine")
> and WoW (the "Windows on Windows" subsystem); only these Windows NT
> components had to be made compatible (and "unsafe" enough to run old
> applications).
>
> There was ABSOLUTELY no need to sacrifice the safety and security of
> Windows NT and the Win32-API for the sake of "compatibility": the
> Win32-API was new, no existing applications had to be supported!
>
>
> Then sloppy developers started to build their applications for the
> Win32-API of this unsafe/insecure environment ... and expected their
> unsuspecting victims^Wusers to have write access to %SystemRoot% and/or
> %ProgramFiles% to write their *.INI files, for example, or to run their
> crapware with administrative or power-user rights.
>
>
> JFTR: since many years Microsoft makes many (almost futile) attempts
> to mitigate the effect of their wrong design decision(s), for example:
>
> *  alias
>   
>
> * 
>
> * 
>
> *  alias
>   
>
> *  alias
>   
>
> * 
>
> *  alias
>    PLUS the
>   28(!) security bulletins listed there
>
> but NEVER tackled the source of the problem!
>
>
> Instead they introduced things like the "security theatre" UAC: with
> Windows 8 the user account(s) created during setup still have
> administrative rights. And Windows 7 introduced the "silent" elevation
> for about 70 of Microsoft own programs...
>
>
> stay tuned
> Stefan Kanthak
>
>
> PS: if you want to mitigate the wrong design decision that every file
> is "executable": add and propagate an inheritable-only "deny" ACE
> with "execute file" permission for the user group "WORLD\Everyone"
> alias "S-1-1-0", "(D;OIIO;WP;;;WD)" in SDDL notation, at least for
> "%USERPROFILE%" and "%ALLUSERSPROFILE%" alias "%ProgramData%".
>
> On Windows NT 6.x, consider to add another "deny" ACE which prevents
> the directories/objects owner from changing/removing that permission:
> "(D;;WDAC;;;OW)" in SDDL notation.
>
> Since this mitigation will stop "Administrators" and "LocalSystem"
> to run files in their user profiles (to be precise: in "%TEMP%"
> alias "%USERPROFILE%\Local Settings\Application Data\TEMP" resp.
> "%USERPROFILE%\AppData\TEMP" where self-extracting installers will
> typically unpack and execute their payload) you'll have to remove
> the user environment variables TEMP and TMP of these user accounts
> (setting the system environment variables TEMP and TMP which point
> to %SystemRoot%\TEMP into effect).
>
>
> See the script 
> for a POC (targetting Windows NT 5.x). It sets the "deny" ACE also
> on subordinate directories which are exempt from ACL inheritance,
> as well as some of the user-writable subdirectories of %SystemRoot%
> 

Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)

2013-08-16 Thread Jeffrey Walton
On Fri, Aug 16, 2013 at 4:30 PM, Jann Horn  wrote:
> On Fri, Aug 16, 2013 at 01:37:54PM -0400, Jeffrey Walton wrote:
>> On Fri, Aug 16, 2013 at 1:31 PM, Jann Horn  wrote:
>> > On Thu, Aug 15, 2013 at 05:29:52PM -0300, Luther Blissett wrote:
>> >> Hello dear companions,
>> >>
>> >> Two days ago one of my tor exit nodes experienced something I'm now
>> >> calling "limestonenetworks DDoS on polipo" ( $WAN_IP:8123 ), since all
>> >
>> > DDoS? So you mean your systems were impacted by that?
>> He may be running an exit node for the benefit of others on a low
>> bandwidth connection.
>>
>> Forgive me if you were joking with an old friend, or I missed something.
>
> Let's check how massive that "attack" is.
I didn't claim it was massive. I simply said he may be bandwidth limited.

What other traffic is on that line? Or do all Tor folks purchase a
second internet connection for their Tor services?

Jeff


Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)

2013-08-16 Thread Jeffrey Walton
On Fri, Aug 16, 2013 at 1:31 PM, Jann Horn  wrote:
> On Thu, Aug 15, 2013 at 05:29:52PM -0300, Luther Blissett wrote:
>> Hello dear companions,
>>
>> Two days ago one of my tor exit nodes experienced something I'm now
>> calling "limestonenetworks DDoS on polipo" ( $WAN_IP:8123 ), since all
>
> DDoS? So you mean your systems were impacted by that?
He may be running an exit node for the benefit of others on a low
bandwidth connection.

Forgive me if you were joking with an old friend, or I missed something.

Jeff


Re: [Full-disclosure] Fwd: [cryptography] Paypal phish using EV certificate

2013-08-13 Thread Jeffrey Walton
On Tue, Aug 13, 2013 at 7:22 AM, Julius Kivimäki
 wrote:
> All of the domains involved just happen to be registered on markmonitor by
> PayPal. Really doubt this has anything to do with phishing.
According to http://www.linuxevolution.net/?p=12 (referenced in the
original email), Paypal stated the site "paypal-communication.com" was
a phishing site.

> 2013/8/13 Jeffrey Walton 
>>
>> It looks like Paypal has suffered a break-in and phishing attempts are
>> being made on its users.
>>
>> Time to sell your stock (or buy it short) for the immediate future.
>>
>> -- Forwarded message --
>> From: Jeffrey Walton 
>> Date: Tue, Aug 13, 2013 at 5:25 AM
>> Subject: Re: [cryptography] Paypal phish using EV certificate
>> To: Peter Gutmann 
>> Cc: cryptogra...@randombit.net
>>
>> On Tue, Aug 13, 2013 at 5:10 AM, Peter Gutmann
>>  wrote:
>> > I recently got a another of the standard phishing emails for Paypal,
>> > directing
>> > me to https://email-edg.paypal.com, which redirects to
>> > https://view.paypal-communication.com, which has a PayPal EV certificate
>> > from
>> > Verisign.  According to this post
>> > http://www.onelogin.com/a-paypal-phishing-attack/ it may or may not be a
>> > phishing attack (no-one's really sure), and this post
>> > http://www.linuxevolution.net/?p=12 says it is a phishing attack and the
>> > site
>> > will be shut down by Paypal... back in May 2011.
>> >
>> > Can anyone explain this?  It's either a really clever phish (or the CAs
>> > are
>> > following their historically lax levels of checking), or Paypal has
>> > joined the
>> > ranks of US banks in training their users to become phishing victims.
>> If that's true, I think the more interesting fact is: it appears
>> email-edg.paypal.com is controlled by the attacker. Why else would
>> Paypal redirect from a host in their domain to a host not in their
>> domain controlled by the adversary? (It's a bit different than standard
>> phishing training where both hosts/domains are controlled by Paypal).
>>
>> Has Paypal fess'ed up to any break-ins or breaches?


[Full-disclosure] Fwd: [cryptography] Paypal phish using EV certificate

2013-08-13 Thread Jeffrey Walton
It looks like Paypal has suffered a break-in and phishing attempts are
being made on its users.

Time to sell your stock (or buy it short) for the immediate future.

-- Forwarded message --
From: Jeffrey Walton 
Date: Tue, Aug 13, 2013 at 5:25 AM
Subject: Re: [cryptography] Paypal phish using EV certificate
To: Peter Gutmann 
Cc: cryptogra...@randombit.net

On Tue, Aug 13, 2013 at 5:10 AM, Peter Gutmann
 wrote:
> I recently got a another of the standard phishing emails for Paypal, directing
> me to https://email-edg.paypal.com, which redirects to
> https://view.paypal-communication.com, which has a PayPal EV certificate from
> Verisign.  According to this post
> http://www.onelogin.com/a-paypal-phishing-attack/ it may or may not be a
> phishing attack (no-one's really sure), and this post
> http://www.linuxevolution.net/?p=12 says it is a phishing attack and the site
> will be shut down by Paypal... back in May 2011.
>
> Can anyone explain this?  It's either a really clever phish (or the CAs are
> following their historically lax levels of checking), or Paypal has joined the
> ranks of US banks in training their users to become phishing victims.
If that's true, I think the more interesting fact is: it appears
email-edg.paypal.com is controlled by the attacker. Why else would
Paypal redirect from a host in their domain to a host not in their
domain controlled by the adversary? (It's a bit different than standard
phishing training where both hosts/domains are controlled by Paypal).

Has Paypal fess'ed up to any break-ins or breaches?

Jeff


Re: [Full-disclosure] CALEA & Re: XKeyscore

2013-08-13 Thread Jeffrey Walton
On Mon, Aug 12, 2013 at 9:07 AM, Pedro Luis Karrasquillo
 wrote:
> ...
>
> On slide 7 they show a red dot over Venezuela. You think Chavez let the
> spooks tap into the fiber there too? Where does the fiber tap connect to? Oh
> wait, there is a red dot over Moscow too...
>
One of my former college instructors (Dr. Henry Katz) headed this
program while he was at the NSA:
https://en.wikipedia.org/wiki/Operation_Ivy_Bells. Dr. Katz could talk
about it because it was eventually reported in the press after all the
dust settled.

Jeff


Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

2013-08-12 Thread Jeffrey Walton
On Mon, Aug 12, 2013 at 1:28 PM, Coderaptor  wrote:
> I have been a silent spectator to this drama, and could not resist adding a 
> few thoughts of my own:
>
> 1. All software, especially webservers, should ship with secure defaults. 
> Period. It is a fundamental mistake to assume all admins who roll out web 
> apps and maintain servers RTFM before rolling out. The key idea here is "time 
> to market", and there is huge amount of data to prove this.
>
+1. All software should be shipped "secure out of the box". It's
amazing so many folks keep making the same mistakes from the 1980s and
1990s.

> ...
> Huge amount of software today is turd polishing, open source no exception 
> (though it is supposed to have better track record). The blame lies squarely 
> on everyone.
>
The "more eyes the better" theory is hogwash. I cringe when I hear
anyone discussing the security of crowd sourcing. There's two problems
with their arguments: first is Cognitive Biases, and second is the
Bystander Effect. The biases are being demonstrated by NB and RH, and
its results are typical (no offense NB and RH). The Bystander Effect
ensures that the more people see a bug, the less likely they are going
to do anything about it because they believe someone else has already
done something.

They are well known problems in Security Engineering. See Peter
Gutmann's Engineering Security
(www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) or Ross Anderson's
Security Engineering (http://www.cl.cam.ac.uk/~rja14/book.html).

Jeff

> On Aug 11, 2013, at 3:30 PM, Reindl Harald  wrote:
>
>> Am 11.08.2013 23:56, schrieb Stefan Kanthak:
>>> "Reindl Harald"  wrote:
>>>> again:
>>>> symlinks are to not poison always and everywhere
>>>> they become where untrusted customer code is running
>>>> blame the admin which does not know his job and not
>>>> the language offering a lot of functions where some
>>>> can be misused
>>>
>>> Again: symlinks are well-known as attack vector for years!
>>
>> and that's why any admin which is not clueless
>> disables the symlink function - but there exists
>> code which *is* secure, runs in a crontrolled
>> environment and make use of it for good reasons
>>
>>> It's not the user/administrator who develops or ships insecure code!
>>
>> but it's the administrator which has the wrong job if
>> create symlinks is possible from any random script
>> running on his servers
>>
>> anyways, i am done with this thread
>>
>> the topic is *not* "Apache suEXEC privilege elevation" it
>> is "admins not secure their servers" - period
>>
>>


Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

2013-08-10 Thread Jeffrey Walton
On Sat, Aug 10, 2013 at 6:10 AM, Gichuki John Chuksjonia
 wrote:
> One thing u gotta remember most of the Admins who handle webservers in
> a network are also developers since most of the organizations will
> always need to cut on expenses, and as we know, most of the developers
> will just look into finishing work and making it work. So if something
> doesn't run due to httpd.conf, you will find these guys loosening
> server security, therefore opening holes to the infrastructure.
Cognitive Bias and Dissonance are well known problems in security
engineering. NB's comments are a testament to the disconnect between
the creators of the system and the users of the system. (No offense to
NB).

See, for example, Peter Gutmann's Engineering Security
(www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) or Ross Anderson's
Security Engineering (http://www.cl.cam.ac.uk/~rja14/book.html).

Jeff


Re: [Full-disclosure] XKeyscore sees 'nearly EVERYTHING you do online

2013-08-01 Thread Jeffrey Walton
On Thu, Aug 1, 2013 at 6:36 PM, Gary Baribault  wrote:
> I think the NSA could twist arms in the U.S. and I think that they could
> have a deal with the U.K. and maybe Canada, what I have HUGE doubts about is
> how they transport all of that data back to their data centres, unless they
> have a massive quantity of dark (private) fibre that no one knows about.
It does not appear to be a centralized architecture. According to
slides, they have servers situated all around the world. Per slide 5,
there are 500+ servers. According to slide 7, there are 700+ servers
at 150 sites throughout the world. The reason for the difference in
numbers of servers is not readily apparent.

When an analyst performs a query, the servers return the appropriate data.

Jeff

> On 08/01/2013 04:46 PM, XF wrote:
>
> So you think this is real ? All Tiers 1 would be partner with NSA ? Even in
> Europ ? This sound crazy
>
>
>
> Le 1 août 2013 à 22:19, Gary Baribault  a écrit :
>
> Don't forget that they also have to back haul that data to their data
> centres !! They would have to have secret agreements with all of the Tier 1
> carriers. Sure sounds far fetched!
>
> Gary B
>
>
> On 08/01/2013 03:51 PM, XF wrote:
>
> Right. But where are their tap ? In Internet Exchange Point ? In AS ? And
> how can they do that ? "Hello, I'm NSA, can I get a TAP on your network" :-)
> This would say that ISP agree and the amount of data to transfer would be so
> vast . How can they transfer all this amount of data into their system ??
>
>
> Le 1 août 2013 à 20:56, Gary Baribault  a écrit :
>
> Optically tapping ALL of the submarine cable going into and out of the U.S.
> would still not give them ALL of the claimed data. They have to be tapping
> all of the major traffic exchange sites in the U.S. to get this kind of
> data.
>
> Gary B
>
>  On 08/01/2013 11:31 AM, XF wrote:
>> Did you understood how they collect data ? This is not clear for me...ISP
>> backdoor ? Optical tap on sub marine wire ?
>>
>> Le 1 août 2013 à 16:26, Georgi Guninski  a écrit :
>>
>>> it will be interesting to me what will remain of the nsa
>>> when the chinese comrades stop giving fresh money to the usa.
>>>
>>> Detroit news are not very pink.
>>>
>>> On Thu, Aug 01, 2013 at 11:20:27PM +1200, Hugh Davenport wrote:
>>>> meanwhile, in new zealand, prime minister suggests that we aren't
>>>> the slaves for nsa...
>>>>
>>>> On 2013-08-01 19:23, Georgi Guninski wrote:
> XKeyscore sees 'nearly EVERYTHING you do online
>
>
> http://www.theregister.co.uk/2013/07/31/prism_put_in_the_shade_by_leak_about_even_more_powerful_snoop_tool/
> New NSA tool exposed: XKeyscore sees 'nearly EVERYTHING you do online'
>
> From the presentation:
> * Show me all the exploitable machines in country X
>
> * How do I find a cell of terrorust that has no
> connection to known strong-selectors
> **Anomalous events
> ***Someone who is using encryption


Re: [Full-disclosure] XKeyscore sees 'nearly EVERYTHING you do online

2013-08-01 Thread Jeffrey Walton
On Thu, Aug 1, 2013 at 2:56 PM, Gary Baribault  wrote:
> Optically tapping ALL of the submarine cable going into and out of the U.S.
> would still not give them ALL of the claimed data. They have to be tapping
> all of the major traffic exchange sites in the U.S. to get this kind of
> data.
The US does that.

In 'The Spy Factory' (http://video.pbs.org/video/1051968443/) from
2009, the producers interviewed the AT&T technicians who worked at the
COs where the taps occur. They also interviewed a US Army analyst who
listened in on the calls.

Since the video, there's been a number of documents circulating about
the practice. See, for example,
http://en.wikipedia.org/wiki/Stellar_Wind_(code_name).

Jeff

>  On 08/01/2013 11:31 AM, XF wrote:
>> Did you understood how they collect data ? This is not clear for me...ISP
>> backdoor ? Optical tap on sub marine wire ?
>>
>> Le 1 août 2013 à 16:26, Georgi Guninski  a écrit :
>>
>>> it will be interesting to me what will remain of the nsa
>>> when the chinese comrades stop giving fresh money to the usa.
>>>
>>> Detroit news are not very pink.
>>>
>>> On Thu, Aug 01, 2013 at 11:20:27PM +1200, Hugh Davenport wrote:
>>>> meanwhile, in new zealand, prime minister suggests that we aren't
>>>> the slaves for nsa...
>>>>
>>>> On 2013-08-01 19:23, Georgi Guninski wrote:
> XKeyscore sees 'nearly EVERYTHING you do online
>
>
> http://www.theregister.co.uk/2013/07/31/prism_put_in_the_shade_by_leak_about_even_more_powerful_snoop_tool/
> New NSA tool exposed: XKeyscore sees 'nearly EVERYTHING you do online'
>
> From the presentation:
> * Show me all the exploitable machines in country X
>
> * How do I find a cell of terrorust that has no
> connection to known strong-selectors
> **Anomalous events
> ***Someone who is using encryption


Re: [Full-disclosure] Trustlook Found Hundreds of Malicious Applications in the Google Play Store

2013-07-26 Thread Jeffrey Walton
On Fri, Jul 26, 2013 at 11:13 AM, bugfree  wrote:
> Here is the article.
>
> http://blog.trustlook.com/news/trustlook-found-hundreds-of-malicious-applications-in-the-google-play-store/
>
Peter Gutmann has a lot of fun with over-permissioned battery apps in
his book Engineering Security
(www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf).

As you've learned, allowing naive users to give invasive apps too many
permissions is not perceived as a threat. It's a shame AOSP is still
making the same engineering mistakes from the 1980s and 1990s. Users
are not going to miraculously wake up tomorrow with additional
security-IQ points.

Jeff


Re: [Full-disclosure] Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack

2013-07-26 Thread Jeffrey Walton
On Fri, Jul 26, 2013 at 3:37 PM,   wrote:
> On Fri, 26 Jul 2013 07:31:09 +0100, Hurgel Bumpf said:
>> Just found this online.. might be of interest
>
>> Direct PDF: http://eprint.iacr.org/2013/448.pdf
>
> From the fine PDF:
>
> "The Flush+Reload attack is a variant of the Prime+Probe attack that relies on
> sharing pages between the spy and the victim programs. With shared pages, the
> spy program can ensure that a specic memory line is evicted from the whole
> cache hierarchy. The spy uses this to monitor access to the memory line."
>
> The fact you need to get gnupg to share the pages in question with you
> does mean that this isn't, by itself, a knockout blow.
>
> Still quite the interesting attack.  And attacks always improve.  Maybe
> somebody will find a way to do better...
Dr. Bernstein puts a lot of effort into defending against timing
attacks and other side channels in his NaCl library. I'm not aware of
any other libraries which go to the same depths. On the downside, NaCl
is not easy to work with (for example, change compilers or
cross-compile for iOS or Android); it's not really portable (lots of C
language violations); nor is it easy to get analysis tools on it.

Recently, he presented an OWASP talk that included the subject matter
(including lots of other practical crypto failures).
  * Slides: http://www.secappdev.org/handouts/2012/Dan%20J.%20Bernstein/worst%20practices.pdf
  * Talk: https://www.owasp.org/download/jmanico/owasp_podcast_95.mp3
  * Video: http://secappdev.org/lectures/144

For DNSSEC fans, he beats the hell out of DNSSEC for its amplification
attacks and other info leaks.

Jeff


Re: [Full-disclosure] [SE-2012-01] New Reflection API affected by a known 10+ years old attack

2013-07-20 Thread Jeffrey Walton
On Sat, Jul 20, 2013 at 5:27 PM, Bob iPhone Kim  wrote:
> Guys... can we keep personal discussions personal???
>
I'm not sure questioning the engineering process is off-topic in this
case (http://lists.grok.org.uk/full-disclosure-charter.html):

- Acceptable Content -

Any information pertaining to vulnerabilities is acceptable, for
instance announcement and discussion thereof, exploit techniques and
code, related tools and papers, and other useful information.

If it is, then please accept my apologies.

Jeff


Re: [Full-disclosure] [SE-2012-01] New Reflection API affected by a known 10+ years old attack

2013-07-20 Thread Jeffrey Walton
On Thu, Jul 18, 2013 at 12:50 AM, Security Explorations
 wrote:
>
> Hello All,
>
> We discovered yet another indication that new Reflection API introduced
> into Java SE 7 was not subject to a thorough security review (if any).
I'm kind of surprised some of these bugs have existed for so long. Allowing
them to fester and rot can't be good (I have not been able to come up
with a use case where it is desired or preferred).

Does anyone know anything about Oracle's engineering process? What is
Oracle doing to ensure issues are tracked and remediated in reasonable
time? What does the process include for code scanning to catch low
hanging fruit? Are they using FindBugs or Coverity (I checked
scan.coverity.com, and I did not see Oracle Java or OpenJDK listed, so
I wonder if they are doing it internally). What is the QA process
doing to ensure items with negative impact are not allowed to pass?

Jeff


Re: [Full-disclosure] [Newbie] How to search in all full-disclos...@lists.grok.org.uk

2013-06-21 Thread Jeffrey Walton
On Fri, Jun 21, 2013 at 10:38 AM, JOSE DAMICO  wrote:
> Hi,
>
> Is there a way to make full search by keyword in all
> full-disclosure@lists.grok.org.uk archive of messages?
In Google:

 site:seclists.org/fulldisclosure

Jeff


Re: [Full-disclosure] Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)

2013-06-21 Thread Jeffrey Walton
On Fri, Jun 21, 2013 at 7:48 AM, Georgi Guninski  wrote:
> On Thu, Jun 20, 2013 at 03:57:20PM -0700, Kurt Buff wrote:
>> ...
>
> i won a moderate amount of beer from bets on "when will freebsd ditch
> gcc from base?". fanatics took the bait and got mad at the
> observation "freebsd wouldn't exist in its current form without gcc".
>
> since at least recently clang can't compile some stuff g++ can
> (almost sure gnu extensions).
Clang has caused a lot of pain and misery because it claims to be GCC,
but it can't digest programs with GCC extensions.

https://www.google.com/#q=clang+__GNUC__+bug

Jeff


Re: [Full-disclosure] Microsoft Outlook Vulnerability: S/MIME Loss of Integrity

2013-06-17 Thread Jeffrey Walton
On Mon, Jun 17, 2013 at 9:32 AM, Patrick Dunstan
 wrote:
> Completely agree with your sentiments here, Valdis.
>
> The error messages given to everyday users are completely ridiculous in most
> cases. I feel though with the padlocks and green bars in browsers nowadays,
> there has at least been some effort made to make security understandable for
> the average user out there. But you're right in saying so much more is
> needed/could be done.
The browsers are just confusing users. Consider:

No encryption (plain HTTP) - good, no indicators
Opportunistic encryption (self signed, HTTPS) - bad, red bar
Encryption (CA, HTTPS) - good, green bar

As Peter Gutmann puts it, getting a certificate for a website is like
getting one from a vending machine (race to the bottom, FTW), so a CA
certificate has no more value than a self signed certificate used in
opportunistic encryption. Yet users are told opportunistic encryption
is bad, and plain text HTTP is good. And CAs keep making money while
disavowing all warranties and liability for the certificates they
issue.

And don't get me started on the security dialogs written by geeks for
geeks (or more correctly, INTPs and INTJs from the Myers-Briggs Type
Indicator (MBTI)).

> What bewilders me in 2013 is that email has been completely left behind.
> ...
> Case in point: Google don't even offer support for S/MIME in GMail and it's
> probably the most widely used online email service available today.
+1 (I'd love to give you more).

Jeff

> On Mon, Jun 17, 2013 at 10:23 PM,  wrote:
>>
>> On Sun, 16 Jun 2013 00:51:10 +0930, Defence in Depth said:
>>
>> > Microsoft Outlook (all versions) suffers from an S/MIME loss of
>> > integrity
>> > issue.
>> > Outlook does not warn against a digitally signed MIME message whose X509
>> > EmailAddress attribute does not match the mail's "From" address.
>>
>> Congrats on the technical side, for spotting this.
>>
>> On the flip side, there are a number of cases where the signer address
>> legitimately does not match the From: address. For instance - if the
>> signer is listed in Sender: instead of From:, if it has passed through
>> a mailing list that rewrites the From: line, or some combinations of
>> resends and forwards. And yes, a lot of this sort of crap is only
>> semi-legit because it's coming from misconfigured servers - but
>> operational reality dictates that you have to deal with the fact that
>> there's a *lot* of  (And we'll overlook the additional fun and games
>> available due to the distinction between an RFC821 MAIL FROM: and an
>> RFC822 From: line).
>>
>> I suppose it could be worse - it's been a few years since I last saw a
>> %-hacked address in an e-mail.
>>
>> A few operational notes regarding alerts in user-facing software:
>>
>> 1) A lot of browsers used to display broken padlocks when SSL failed.
>> They don't do this anymore because users *will not* look at that sort
>> of subtle warning.
>>
>> 2) They'll look at a big pop-up that obstructs their view - but only if
>> it happens so rarely that they have to call somebody and ask "wtf is
>> this?". If it becomes a "oh it does this once every week or two"
>> click-through, it's now become "worse than useless".
>>
>> As you noted, most browsers will notify the user if the browser detects
>> a CN mismatch.
>>
>> What you gloss over is that browsers *totally suck* at presenting that
>> warning in a way that is both understandable and actionable to a
>> general user. Just yesterday I had Firefox alert on an SSL certificate
>> mismatch, and it gave me the helpful info that the certificate
>> presented was only valid for *.akamai.net. Now, *I* know exactly what
>> happened there, and *you* know, and the guy who pushed some content to
>> Akamai without looking to see if there were https: links pointing at
>> the content will go "D'Oh!" when he finds out - but if you're Joe
>> Sixpack and don't know if Akamai is a box in your ISP's server room or
>> a box in a server room in the Ukraine, you got nothing. And if you get
>> enough of these totally annoying pop ups, you'll just learn to click
>> through without thinking.
>>
>> Bottom line: yes, it would be nice if all this sort of stuff was more
>> widely deployed and enforced. But given that we've tried this with
>> dismal results with Windows UAC alerts, firewall alerts, browser
>> alerts, and A/V alerts, there's no real reason to expect that *this*
>> time we'll actually get it right for MUA alerts.
>>
>> Bonus points for the most creative suggestion for how to leverage a
>> *fake* From:/signature mismatch alert into a compromise (a la fake AV
>> alerts that get you to download actual malware).
>>
>> Really - Outlook may do this wrong, but I don't think we as an industry
>> have a frikking clue how to actually do this right.
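
An added example, not from the thread: a header check that implements the signer-versus-From: comparison Outlook is reported to lack, while separating out the legitimate Sender: and Resent-* cases Valdis lists so that only the hard mismatch produces an interruptive alert. It assumes the signer's e-mail addresses have already been extracted from the signing certificate and are passed in as a list; the four messages are constructed samples.

```python
import email
from email.utils import getaddresses


def header_addrs(msg, name):
    """Lower-cased mailbox addresses from every instance of header `name`."""
    return {addr.lower() for _, addr in getaddresses(msg.get_all(name, [])) if addr}


def classify_signer(msg, cert_emails):
    """Compare the signing certificate's e-mail addresses with the message's
    author headers.

    Returns one of:
      'match'    - signer appears in From:, nothing to flag
      'sender'   - signer is the Sender: (e.g. HR sending on someone's behalf)
      'resent'   - signer is in Resent-From:/Resent-Sender: (a forward/resend)
      'mismatch' - signer matches none of the author headers; this is the
                   case Outlook is reported not to warn about
    A From: rewritten by a mailing list cannot be recognised from the headers
    alone and lands in 'mismatch'; that is the trade-off Valdis describes.
    """
    certs = {e.lower() for e in cert_emails}
    if certs & header_addrs(msg, "From"):
        return "match"
    if certs & header_addrs(msg, "Sender"):
        return "sender"
    if certs & (header_addrs(msg, "Resent-From") | header_addrs(msg, "Resent-Sender")):
        return "resent"
    return "mismatch"


# Alert policy: only the hard mismatch gets a warning the user must act on;
# the Sender:/Resent-* cases get a subtle note so users are not trained to
# click through (the click-through problem raised in the thread).
ALERT_LEVEL = {"match": "none", "sender": "note", "resent": "note", "mismatch": "warn"}


def alert_level(raw_message, cert_emails):
    """Parse a raw RFC822 message and return the alert level for its signer."""
    msg = email.message_from_string(raw_message)
    return ALERT_LEVEL[classify_signer(msg, cert_emails)]


# Constructed sample data (not taken from the thread). The certificate address
# deliberately differs in case from the header to show the comparison is
# case-insensitive.
SIGNER_EMAILS = ["Alice@Example.com"]

DIRECT = "From: Alice <alice@example.com>\nTo: bob@example.com\nSubject: hi\n\nbody\n"
VIA_SENDER = ("From: HR <hr@example.com>\nSender: Alice <alice@example.com>\n"
              "To: staff@example.com\nSubject: insurance window\n\nbody\n")
RESENT = ("Resent-From: alice@example.com\nFrom: Carol <carol@example.org>\n"
          "To: bob@example.com\nSubject: fwd\n\nbody\n")
SPOOFED = "From: HR <hr@example.com>\nTo: staff@example.com\nSubject: urgent\n\nbody\n"

if __name__ == "__main__":
    for name, raw in [("direct", DIRECT), ("via sender", VIA_SENDER),
                      ("resent", RESENT), ("spoofed", SPOOFED)]:
        print(f"{name:12s} -> {alert_level(raw, SIGNER_EMAILS)}")
```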


Re: [Full-disclosure] Apple and Wifi Hotspot Credentials Management Vulnerability

2013-06-17 Thread Jeffrey Walton
On Mon, Jun 17, 2013 at 3:35 PM, Jeffrey Walton  wrote:
>
> ...
> It appears Apple Wifi hotspot passwords are generated using a wordlist
> consisting of 1842 words. The authors built a custom cracker to aid
> in recovery of the Wifi hotspot passwords.
My bad. The application estimates the time to crack the password used.
It does not attempt to recover the password.


[Full-disclosure] Apple and Wifi Hotspot Credentials Management Vulnerability

2013-06-17 Thread Jeffrey Walton
This vulnerability was published to the OWASP Mobile Security list as
a research paper by Andreas Kurtz, Daniel Metz and Felix Freiling. See
"Cracking iOS personal hotspots using a Scrabble crossword game word
list," 
http://lists.owasp.org/pipermail/owasp-mobile-security-project/2013-June/000640.html.

It appears Apple Wifi hotspot passwords are generated using a wordlist
consisting of 1842 words. The authors built a custom cracker to aid
in recovery of the Wifi hotspot passwords.

The paper's homepage can be found at https://www1.cs.fau.de/hotspot.
The paper does not offer a CWE classification or CVE at this point in
time.


Re: [Full-disclosure] Microsoft Outlook Vulnerability: S/MIMELossof Integrity

2013-06-17 Thread Jeffrey Walton
On Mon, Jun 17, 2013 at 2:49 PM, Daniël W. Crompton <daniel.cromp...@gmail.com> wrote:

>
> how would that work? AFAIK S/MIME is public key cryptography, how would
> you decrypt a message which is not encrypted with your public key?
>

Exactly. How does one decrypt when they don't hold the private key? That
magic button would come in handy for a lot of folks.

Jeff


On 17 June 2013 20:17, Jeffrey Walton  wrote:

> On Mon, Jun 17, 2013 at 11:19 AM, ACROS Security Lists 
> wrote:
> > Valdis,
> >
> >> No, that's how to do it *hardline*.  There's many in the
> >> security industry that will explain to you that it's also
> >> doing it *wrong*.  Hint - the first time that HR sends out a
> >> posting about a 3-day window next week to change your
> >> insurance plan without penalty, signs it with something that
> >> doesn't match the From:, and the help desk is deluged by
> >> phone calls from employees who can't read the mail, the guy
> >> who put "You shall not pass" in place will be starting a job hunt.
> >
> > If there was an industry standard specifying the you-shall-not-pass for
> > all web browsers, it wouldn't be the guy (developer) who put this
> > roadblock in place that would start a job hunt but someone within the
> > company whose job was to avoid the roadblock by making sure the cert
> > that HR is using was okay. That would happen a couple of times, and
> > then not any more, as people have great capacity for learning.
> >
> > 
> > ... If I get an encrypted message that was mistakenly not encrypted
> > with my key, it would be very productive to have a "Just decrypt
> > anyway" button but we obviously don't have that. ...
> A lot of folks would like to have that button ;)
>

Re: [Full-disclosure] Microsoft Outlook Vulnerability: S/MIMELossof Integrity

2013-06-17 Thread Jeffrey Walton
On Mon, Jun 17, 2013 at 11:19 AM, ACROS Security Lists  wrote:
> Valdis,
>
>> No, that's how to do it *hardline*.  There's many in the
>> security industry that will explain to you that it's also
>> doing it *wrong*.  Hint - the first time that HR sends out a
>> posting about a 3-day window next week to change your
>> insurance plan without penalty, signs it with something that
>> doesn't match the From:, and the help desk is deluged by
>> phone calls from employees who can't read the mail, the guy
>> who put "You shall not pass" in place will be starting a job hunt.
>
> If there was an industry standard specifying the you-shall-not-pass for
> all web browsers, it wouldn't be the guy (developer) who put this
> roadblock in place that would start a job hunt but someone within the
> company whose job was to avoid the roadblock by making sure the cert
> that HR is using was okay. That would happen a couple of times, and then
> not any more, as people have great capacity for learning.
>
> 
> ... If I get an encrypted message that was mistakenly not encrypted
> with my key, it would be very productive to have a "Just decrypt
> anyway" button but we obviously don't have that. ...
A lot of folks would like to have that button ;)

Jeff


Re: [Full-disclosure] PAYPAL BUG BOUNTY PROGRAM 2013 - UPDATES & TRANSPARENCY

2013-06-13 Thread Jeffrey Walton
On Thu, Jun 13, 2013 at 3:54 PM, Vulnerability Lab
 wrote:
> Today is a great day! All the wishes around the bug bounty program came up
> yesterday with a cool update.
> PayPal Inc split the bug bounty program in 2 transparent information
> categories. It's available to list researchers in each of the 4 quarters of
> the year. The policy and details of the program became a full update. Check
> it out ;)
>
> Honorable Mention: 2013-Q1
> PayPal would like to recognize everyone else who contributed a valid
> submission in Quarter 1, 2013. We appreciate all efforts and contributions
> to our Bug Bounty Program.
>
> URL:
> https://www.paypal.com/webapps/mpp/security-tools/wall-of-fame-honorable-mention
>
> &
>
> Bug Bounty Wall of Fame: 2013-Q1
>
> PayPal would like to recognize our top 10 researchers for Quarter 1, 2013.
> We will update this page quarterly to reflect the efforts of our researcher
> community.
> We have listed our top 10 researchers below in alphabetical order along with
> their specified organization. Thank you for all of your efforts in keeping
> PayPal the safer way to pay online.
>
> URL: https://www.paypal.com/webapps/mpp/security-tools/wall-of-fame
Robert Kugler did not make the top ten list or the honorable mention
list. Kugler is the fellow who was denied a bounty because he was too
young.

Transparent lies have no value. Transparency or not, PayPal has no credibility.

Jeff


Re: [Full-disclosure] Why PRISM kills the cloud | Computerworld Blogs

2013-06-10 Thread Jeffrey Walton
On Mon, Jun 10, 2013 at 9:15 PM, laurent gaffie
 wrote:
> Why is the Prism program such a big deal today? Most of us knew about
> echelon and the patriot act didn't we? This program was unconstitutional in
> the first place and should have raised indignation when it was approved at
> that time...
+1.

Below is my standard verbiage on clouds and backups to clouds.

Jeff

clouds and drop boxes. If you don’t want your data analyzed,
inspected, shared, or mishandled, then don’t provide it in the first
place. Data migration includes backups, so ensure you are using the
proper attributes on your files. For Apple systems, the file should
have kCFURLIsExcludedFromBackupKey file property or
com.apple.MobileBackup extended attribute (see Technical Q&A QA1719
for details). Android applications should add android:allowBackup on
the application tag and set it to false in AndroidManifest.xml.
Windows’ integrated cloud backup is new, and there’s currently no way
for an application to back up to the cloud (and hence, no way to stop
it).

A layman’s analysis of License Agreements and Terms and Conditions
will reveal how little security is afforded to your documents in cloud
storage. For those who don’t read them, one popular platform has 142
separate documents covering Terms of Conditions for its cloud
alone.[18] The documents discuss your rights if the company (1) gives
away your data, (2) shares your data with partners, (3) loses your
data, (4) provides your data to authorities (sometimes without an
order or warrant), (5) does not provide reasonable skill or care, (6)
commits willful misconduct or fraud, and (7) acts with negligence or
gross negligence. “Your rights” is misleading since it is consent, and
the document effectively states you indemnify the company: “You agree
to defend, indemnify and hold [company], its affiliates, subsidiaries,
directors, officers, employees, agents, partners, contractors, and
licensors harmless from any claim or demand, including reasonable
attorneys’ fees, made by a third party.”[19]

[18] iCloud Terms and Conditions,
https://www.apple.com/legal/internet-services/icloud/ww/
[19] iCLOUD TERMS AND CONDITIONS,
https://www.apple.com/legal/internet-services/icloud/en/terms.html

> On 2013-06-10 19:46, "Ivan .Heca"  wrote:
>>
>> http://m.blogs.computerworld.com/cloud-storage/22305/why-prism-kills-cloud
>>
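
An added audit helper, not from the post: it reads an AndroidManifest.xml and reports whether android:allowBackup on the application tag is set to false as recommended above, treating an omitted attribute as the platform default (true). The two manifests are constructed samples showing the weak and the corrected setting.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP = "{%s}allowBackup" % ANDROID_NS


def allow_backup_setting(manifest_xml):
    """Effective value of android:allowBackup.

    Returns None when the manifest has no <application> element, otherwise a
    bool. An omitted attribute means the platform default, which is true, so
    "not mentioned" is the same weak setting as an explicit "true".
    """
    data = manifest_xml.encode("utf-8") if isinstance(manifest_xml, str) else manifest_xml
    root = ET.fromstring(data)
    app = root.find("application")      # <application> itself carries no namespace
    if app is None:
        return None
    value = app.get(ALLOW_BACKUP)       # attribute is in the android: namespace
    if value is None:
        return True                     # platform default when the attribute is absent
    return value.strip().lower() == "true"


def audit_backup(manifest_xml):
    """One-line finding for the allowBackup setting."""
    setting = allow_backup_setting(manifest_xml)
    if setting is None:
        return "ERROR: no <application> element in manifest"
    if setting:
        return ("FINDING: android:allowBackup is absent or true; "
                "app data may be migrated into cloud backups")
    return 'OK: android:allowBackup="false"'


# Constructed sample manifests (not taken from the post).
WEAK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <application android:label="Notes">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

CORRECTED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <application android:label="Notes" android:allowBackup="false">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for name, xml_text in [("weak", WEAK_MANIFEST), ("corrected", CORRECTED_MANIFEST)]:
        print(f"{name:10s} {audit_backup(xml_text)}")
```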


Re: [Full-disclosure] PayPal.com XSS Vulnerability

2013-05-29 Thread Jeffrey Walton
Hi James,

> I guess the email from ebay sorta makes it all moot anyway.
It's interesting how the reason code changed. On May 24 the reason was
Kugler was too young; and then on May 29 the reason was the flaw was
previously reported.

It sounds like PayPal is lying to bring this to an end; and they've
lost more credibility.

Jeff

On Wed, May 29, 2013 at 9:22 AM, James Condron
 wrote:
> Ah, but then don't forget that in a contract (which this most certainly is 
> not- but the parallels are there) ambiguity benefits the party which didn't 
> draft the document.
>
> If it's reasonable to infer a payment, and reasonable to fail to infer an age 
> range, I think its reasonable to get paid for it.
>
> I guess the email from ebay sorta makes it all moot anyway.
>
> On 29 May 2013, at 13:33, Julius Kivimäki  wrote:
>
>> Well, they don't exactly state that they're going to pay you either.
>>
>>
>> 2013/5/29 Źmicier Januszkiewicz 
>>
>>> Hmm, interesting.
>>>
>>> For some reason I fail to find the mentioned "age requirements" at the
>>> official bug bounty page located at
>>> https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
>>> Am I looking in the wrong direction? Can someone please point to where
>>> this is written?
>>>
>>> With kind regards,
>>> Z.
>>>
>>>
>>> 2013/5/29 Robert Kugler 
>>>
>>>>
>>>>
>>>>
>>>> 2013/5/29 Jeffrey Walton 
>>>>
>>>>> On Fri, May 24, 2013 at 12:38 PM, Robert Kugler
>>>>>  wrote:
>>>>>> Hello all!
>>>>>>
>>>>>> I'm Robert Kugler a 17-year-old German student who's interested in
>>>>> securing
>>>>>> computer systems.
>>>>>>
>>>>>> I would like to warn you that PayPal.com is vulnerable to a Cross-Site
>>>>>> Scripting vulnerability!
>>>>>> PayPal Inc. is running a bug bounty program for professional security
>>>>>> researchers.
>>>>>>
>>>>>> ...
>>>>>> Unfortunately PayPal disqualified me from receiving any bounty payment
>>>>>> because of being 17 years old...
>>>>>>
>>>>>> ...
>>>>>> I don’t want to allege PayPal a kind of bug bounty cost saving, but
>>>>> it’s not
>>>>>> the best idea when you're interested in motivated security
>>>>> researchers...
>>>>> Fortunately Microsoft and Firefox took a more reasonable position for
>>>>> the bugs you discovered with their products.
>>>>>
>>>>> PCWorld and MSN picked up the story:
>>>>>
>>>>> http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html
>>>>> and
>>>>> http://now.msn.com/paypal-denies-reward-to-robert-kugler-teen-who-found-bug-in-code
>>>>> .
>>>>> It is now newsworthy to Wikipedia, where it will live forever under
>>>>> Criticisms (unfortunately, it appears PayPal does a lot of
>>>>> questionable things so it's just one of a long list).
>>>>>
>>>>> Jeff
>>>>>
>>>>
>>>> Today I received an email from PayPal Site Security:
>>>>
>>>> "Hi Robert,
>>>>
>>>> We appreciate your research efforts and we are sorry that our
>>>> age requirements restrict you from participating in our Bug Bounty Program.
>>>> With regards to your specific bug submission, we should have also mentioned
>>>> that the vulnerability you submitted was previously reported by another
>>>> researcher and we are already actively fixing the issue. We hope that you
>>>> understand that bugs that have previously been reported to us are not
>>>> eligible for payment as we must honor the original researcher that provided
>>>> the vulnerability.
>>>>
>>>> I would also mention that in general, PayPal has been a consistent
>>>> supporter of what is known as “responsible disclosure”.  That is, ensuring
>>>> that a company has a reasonable amount of time to fix a bug from
>>>> notification to public disclosure.  This allows the company to fix the bug,
>>>> so that criminals cannot use that knowledge to exploit it, but still gives
>>>> the researchers the ability to draw attention to 

Re: [Full-disclosure] PayPal.com XSS Vulnerability

2013-05-28 Thread Jeffrey Walton
On Fri, May 24, 2013 at 12:38 PM, Robert Kugler
 wrote:
> Hello all!
>
> I'm Robert Kugler a 17-year-old German student who's interested in securing
> computer systems.
>
> I would like to warn you that PayPal.com is vulnerable to a Cross-Site
> Scripting vulnerability!
> PayPal Inc. is running a bug bounty program for professional security
> researchers.
>
> ...
> Unfortunately PayPal disqualified me from receiving any bounty payment
> because of being 17 years old...
>
> ...
> I don’t want to allege PayPal a kind of bug bounty cost saving, but it’s not
> the best idea when you're interested in motivated security researchers...
Fortunately Microsoft and Firefox took a more reasonable position for
the bugs you discovered with their products.

PCWorld and MSN picked up the story:
http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html
and  
http://now.msn.com/paypal-denies-reward-to-robert-kugler-teen-who-found-bug-in-code.
It is now newsworthy to Wikipedia, where it will live forever under
Criticisms (unfortunately, it appears PayPal does a lot of
questionable things so it's just one of a long list).

Jeff


Re: [Full-disclosure] PayPal.com XSS Vulnerability

2013-05-28 Thread Jeffrey Walton
On Tue, May 28, 2013 at 10:47 AM, Kirils Solovjovs
 wrote:
> I suppose PayPal just wants to stay clear of any possible legal
> trouble/issues/complications. It's easier that way.
Well, I suppose they are going to fix the issue pointed out by Kugler
(and the additional issues from Parker).

Do you think PayPal trolls lemonade stands run by children and takes
their lemonade without paying to avoid possible legal problems?

Jeff


Re: [Full-disclosure] PayPal.com XSS Vulnerability

2013-05-28 Thread Jeffrey Walton
On Tue, May 28, 2013 at 8:26 AM, Dan Kaminsky  wrote:
>So there's this pile of law around the world around work and kids; it's a
> rather recent development that <18 year olds can find problems that
> multibillion dollar interests are willing to pay bounties for.
I'm probably splitting hairs here, but there appears to be a cultural
bias built in. At 17+, Robert would have been of age if he was
Japanese under "Kazoe" year-counting.

> The laws
> are all trying to protect you from being made to pick berries or sew
> t-shirts instead of going to class and playing outside.
The humor was not lost upon me that politicians and lawyers are trying
to legislate morality. How ironic!

FTW: https://www.google.com/search?q=teenage+science+competition?

Jeff

> On Fri, May 24, 2013 at 9:38 AM, Robert Kugler 
> wrote:
>>
>> Hello all!
>>
>> I'm Robert Kugler a 17-year-old German student who's interested in
>> securing computer systems.
>>
>> I would like to warn you that PayPal.com is vulnerable to a Cross-Site
>> Scripting vulnerability!
>> PayPal Inc. is running a bug bounty program for professional security
>> researchers.
>>
>> https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
>>
>> XSS vulnerabilities are in scope. So I tried to take part and sent my find
>> to PayPal Site Security.
>>
>> The vulnerability is located in the search function and can be triggered
>> with the following javascript code:
>>
>>
>> ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
>>
>> alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
>> >">'>alert(String.fromCharCode(88,83,83))
>>
>> https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search
>>
>> Screenshot: http://picturepush.com/public/13144090
>>
>> Unfortunately PayPal disqualified me from receiving any bounty payment
>> because of being 17 years old...
>>
>> PayPal Site Security:
>>
>> "To be eligible for the Bug Bounty Program, you must not:
>> ... Be less than 18 years of age. If PayPal discovers that a researcher
>> does not meet any of the criteria above, PayPal will remove that researcher
>> from the Bug Bounty Program and disqualify them from receiving any bounty
>> payments."
>>
>> I don’t want to allege PayPal a kind of bug bounty cost saving, but it’s
>> not the best idea when you're interested in motivated security
>> researchers...


Re: [Full-disclosure] PayPal.com XSS Vulnerability

2013-05-27 Thread Jeffrey Walton
Hi Robert,

> Unfortunately PayPal disqualified me from receiving any bounty payment
> because of being 17 years old...
Interesting. The Bug Bounty page
(https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues)
does not state there's an age restriction or minimum.

It appears PayPal is sending the message that it's best to sell the bug
privately, rather than participate in responsible disclosure (despite
what their Bug Bounty page states).

Has anyone written about the issue? For example, an established
researcher? I'd like to see homage paid on PayPal's Wikipedia page
(Wikipedia has some rules about citing sources, so the person writing
would have to meet criteria).

Sorry to hear about the crappy treatment.

Jeff

On Fri, May 24, 2013 at 12:38 PM, Robert Kugler
 wrote:
> Hello all!
>
> I'm Robert Kugler a 17-year-old German student who's interested in securing
> computer systems.
>
> I would like to warn you that PayPal.com is vulnerable to a Cross-Site
> Scripting vulnerability!
> PayPal Inc. is running a bug bounty program for professional security
> researchers.
>
> https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
>
> XSS vulnerabilities are in scope. So I tried to take part and sent my find
> to PayPal Site Security.
>
> The vulnerability is located in the search function and can be triggered
> with the following javascript code:
>
> ';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
> alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
>>">'>alert(String.fromCharCode(88,83,83))
>
> https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search
>
> Screenshot: http://picturepush.com/public/13144090
>
> Unfortunately PayPal disqualified me from receiving any bounty payment
> because of being 17 years old...
>
> PayPal Site Security:
>
> "To be eligible for the Bug Bounty Program, you must not:
> ... Be less than 18 years of age. If PayPal discovers that a researcher does
> not meet any of the criteria above, PayPal will remove that researcher from
> the Bug Bounty Program and disqualify them from receiving any bounty
> payments."
>
> I don’t want to allege PayPal a kind of bug bounty cost saving, but it’s not
> the best idea when you're interested in motivated security researchers...
>
> Best regards,
>
> Robert Kugler


Re: [Full-disclosure] On Skype URL eavesdropping

2013-05-16 Thread Jeffrey Walton
On Thu, May 16, 2013 at 5:41 PM, Kirils Solovjovs
 wrote:
> You may have read about this in another list.
> http://lists.randombit.net/pipermail/cryptography/2013-May/004224.html
> http://financialcryptography.com/mt/archives/001430.html
>
>
> I'd like to give out some observations and point out some not so obvious
> risks (as if Microsoft Skypying™ on your conversations is not enough).
>
> Requests always come from the same IP 65.52.100.214.
> They have referrer and user agent set to a dash "-".
> They are always HEAD requests which immediately follow 302 redirects.
> They access both http and https links despite some speculations saying that
> they do it one way or the other.
> This is a relatively new phenomenon that by my accounts has been happening since
> the end of April 2013.
...
> Back to the point. Now that it's clear that [at least] links from users'
> private chats somehow magically end up at Redmond, it's obviously a privacy
> issue of having some usernames/password/sessions/whatever embedded in the
> URL.
There could be legal concerns here too (if a prosecutor takes interest
in folks besides the Swartz's of the world).

I can't wait to see the first CFAA violation brought against
interception services like these. Consider: the owner of the remote
server surely did not authorize the interception service to access the
site with a user's username and password. That's a clear violation of
exceeding one's authority under the CFAA since the interception
service had no authority from the server's owners.

Jeff


[Full-disclosure] Q: CVE Database with Programming Language and Failure Classification?

2013-05-13 Thread Jeffrey Walton
Hi All,

Does anyone know where to find an augmented CVE database with: (1)
programming language and (2) failure classification?

For example, CVE-2013-3301 is the Linux kernel, written in C, and the
failure is lack of parameter validation. As another example,
CVE-2013-3302 would also be the Linux kernel, written in C, with a
failure of race condition.

(I'm very interested in aggregated data on all programs/modules
written in C/C++/Objective C).

Jeff



Re: [Full-disclosure] How do I contact Vodafone Security?

2013-04-22 Thread Jeffrey Walton
On Mon, Apr 22, 2013 at 9:10 AM, Jann Horn  wrote:
> does anyone know how I can contact Vodafone Security (preferably a
> Germany-specific group because I have no idea whether the issue
> affects people in other countries, too)?
>
> I sent a mail to secur...@vodafone.de and it didn't bounce (in case
> someone from Vodafone is reading this...
I usually use both sec...@example.com and secur...@example.com. One is
specified in an RFC (see below), the other was popularized by
Microsoft around the same time the RFC was being assembled.

There are a few other addresses published in RFC 2142
(http://www.ietf.org/rfc/rfc2142.txt). I usually try them too for good
measure.

You also have the Technical and Administrative contacts from the WHOIS
database (http://whois.domaintools.com/vodafone.de).

> Well, I tried phoning them first (01721212), but the helpdesk person told
> me she'd need my password for that (of which I currently don't know
> where exactly it is).
That sounds like Dell and their call routing system (Dell did the same
to me a few years ago when trying to report some issues). Are they
using the same outsourcing firm???

I think the extra effort to contact the company through well known
email addresses and WHOIS contact is a courtesy and due diligence, so
good job on that. But face it - if Vodafone were going to acknowledge
or respond, it would have happened by now. So you get the 0-day effect
with a free conscience.

Jeff



Re: [Full-disclosure] VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555)

2013-04-21 Thread Jeffrey Walton
On Sat, Apr 20, 2013 at 7:37 PM, Benji  wrote:
> Because security engineers are different to a QA department you originally
> suggested, and you seem to be very ideologist about the scenarios. As we've
> seen, Oracle's Java product has security engineers and this has not
> prevented flaws.
Oracle is probably not a good example since it leaves known flaws in
the code base.

http://www.h-online.com/security/news/item/Java-7-Update-21-closes-security-holes-and-restricts-applets-1843558.html:

The warnings for Java applets now come in two types: an applet that
has a valid certificate generates a warning dialog with the Java logo
in it and details of the applet's certificate, but an applet that is
signed with an invalid certificate, is unsigned or self-signed, will
generate a warning with a yellow shield and warning triangle which is
designed to recommend that the applet should not be run. There is a
problem though with the certificate checking; as The H reported in
March, criminals were using revoked certificates as part of their
attacks and the Java runtime was doing nothing to check the validity
of certificates. On the latest update of Java, this has not changed
either; online validation and revocation checks are still off by
default.



Re: [Full-disclosure] Allegro.pl XSS [0-day]

2013-04-11 Thread Jeffrey Walton
On Thu, Apr 11, 2013 at 2:33 PM, Swair Mehta  wrote:
> Well try the "search" on plantronics website. http://www.plantronics.com/us/
>
> Nobody notified, I couldn't see the contact us link
> on the first page.
Stay away from the web based stuff since there could be an obscene
EULA festering there.

You have well known mailboxes from RFC 2142 (as Henri pointed out) and
the WHOIS database information which will provide technical and
administrative contacts.

Jeff

> On 11-Apr-2013, at 9:28 AM, Kacper Szczesniak  wrote:
>
> Hi All!
>
> I was looking for a 19" rack mount today and found this XSS instead:
> http://allegro.pl/listing/listing.php?string=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E
>
> it turns out to be a custom data-headline attribute that is not properly
> escaped
>
> tested on Firefox 20, Chrome and others need an xss filter bypass



Re: [Full-disclosure] [ MDVSA-2013:101 ] lynx

2013-04-10 Thread Jeffrey Walton
On Wed, Apr 10, 2013 at 1:36 PM, Peter Thoeny  wrote:
> How about a sensible middle ground? Daily batches of MDVSA vulnerabilities?
Sounds like a good idea - perhaps prepare one bulletin with affected
components and provide links to the detailed article.

I imagine the folks who prepare and send the bulletins would not mind
a reduction in workload (preparing/signing/sending one bulletin vs
many bulletins).

> On Apr 10, 2013, at 9:48 AM, Alex wrote:
>
>> I agree! I hate those MDVSA spam!!
>>
>> On Wed, 10 Apr 2013 17:36:59 +0200, Fabian Wenk 
>> wrote:
>>>
>>> Hello Erik
>>>
>>> On 10.04.2013 17:16, Erik Falor wrote:

>>>> On Wed, Apr 10, 2013 at 11:44:22AM +0100, Peter W-S wrote:
>>>>>
>>>>> Is it really necessary to spam the list with a separate email for every
>>>>> issue you want to report? Perhaps one email a week with a link to the full
>>>>> report would suffice?
>>>>
>>>>
>>>> It is necessary.
>>>>
>>>> Waiting a week for a batched email to find out my software has
>>>> vulnerabilities is not acceptable just because some people insist on
>>>> reading email on their telephone.
>>>
>>>
>>> If you are using Mandriva, then you could and should subscribe
>>> directly to the announce or security mailing list there.
>>>
>>> I really prefer the step e.g. Ubuntu (and also some other Linux
>>> distribution I do not remember) have taken about 2 years ago. They
>>> stopped sending out their security announces to Bugtraq and
>>> Full-Disclosure. I would be happy if other distributions or projects,
>>> with such high volume of announces, would do the same.



Re: [Full-disclosure] GitHub Login Cookie Failure

2013-04-08 Thread Jeffrey Walton
On Mon, Apr 8, 2013 at 12:19 PM, Chris Roussel  wrote:
>
> I installed the "Import Cookies" & "Export Cookies" plugins in my
> Firefox 20, then I signed in at GitHub and exported my cookies, then I
> signed out, I cleaned all the cookies in my browser and I started it
> again, then I imported the cookies and I am logged in without typing my
> password. I've tried this with my Google account, but there it is clear
> that when I signed out the info in the cookies was annulled; then it
> appears like I am signed in while I am searching, but if I want to check my
> mail/drive I have to type my password.
You might also check to see if the session identifier changes between
sessions. If not, GitHub may be using static session IDs, which means
they could be guessable.

Jeff



Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor

2013-03-29 Thread Jeffrey Walton
On Fri, Mar 29, 2013 at 10:48 AM, Steve Wray  wrote:

> I'm not a moderator (OBVIOUSLY) but I'll just leave this here, from the
> list charter:
>
> 
> Acceptable Content
>
> Any information pertaining to vulnerabilities is acceptable, for instance
> announcement and discussion thereof, exploit techniques and code, related
> tools and papers, and other useful information.
>
> Gratuitous advertisement, product placement, or self-promotion is
> forbidden. Disagreements, flames, arguments, and off-topic discussion
> should be taken off-list wherever possible.
>
> Humour is acceptable in moderation, providing it is inoffensive. Politics
> should be avoided at all costs.
> 
>
> I'm thinking mainly "Self promotion" and "POLITICS... avoided... all costs"
>
It's hard to avoid politics at times, especially when it involves your
privacy (or lack thereof) and well being.

Jeff

Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor

2013-03-29 Thread Jeffrey Walton
On Fri, Mar 29, 2013 at 9:05 AM, Jerry dePriest  wrote:
> and this is pertinent to the list? another asshole that posts to the list
> with bullshit (in my eyes) then you go off on me for what I think is
> important.
It appears you did not have your bowl of Cheerio's this morning

Who was the young lady? Perhaps a close friend or relative?

Jeff

> - Original Message -
> From: Gary Baribault
> To: full-disclosure@lists.grok.org.uk
> Sent: Monday, January 14, 2013 3:46 PM
> Subject: Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor
>
> I didn't know the gentleman, but have known some depressive people. There
> may have been other problems bothering him in his life, but spending a
> fortune on a lawyer to try and avoid 30 - 50 years in prison and the
> reputation that he would have if he ever got out is probably quite near the
> top of the list of things setting his mind frame and causing this
> unfortunate decision. The powers that be have blood on their hands and
> hopefully are having rather poor nights' sleep these days. Personally I would
> be having trouble looking in the mirror for my daily shave.
>
> Gary Baribault
>
> On 01/14/2013 03:35 PM, valdis.kletni...@vt.edu wrote:
>
> On Mon, 14 Jan 2013 11:02:26 -0500, Jeffrey Walton said:
>
> On Mon, Jan 14, 2013 at 10:34 AM,   wrote:
>
> https://petitions.whitehouse.gov/petition/remove-united-states-district-attorney-carmen-ortiz-office-overreach-case-aaron-swartz/RQNrG1Ck
>
> Above link to remove this prosecutor needs to have signatures by
> February 11.
>
> It's unfortunate Swartz committed suicide over the incident.
>
> From the fine article:
>
> "On his blog, Swartz had written of his history of depression."
>
> Given that, and the fact that the article doesn't mention a suicide note
> stating Aaron's reasons, it's not entirely clear that he in fact committed
> suicide over the incident.  It may have been one factor out of many.
>



Re: [Full-disclosure] Fw: Fw: Justice for Molly (cops killingcivillians)

2013-03-29 Thread Jeffrey Walton
> Go do illegal activities such as reverse engineering
The DMCA (PUBLIC LAW 105–304) has exceptions for reverse engineering and
security testing and evaluation. The RE exemption is in Section 1205(f)
(REVERSE ENGINEERING). The ST&E exemption is in Section 1205(i) (SECURITY
TESTING).

Jeff

On Fri, Mar 29, 2013 at 8:00 AM, Jerry dePriest  wrote:

> **
> who made you the boss of FD? I've seen similar posts and bullshit like
> April fools jokes posing as 0-day and such. if you don't like it, move
> along. Go do illegal activities such as reverse engineering for 0-day
> exploits or holes in facebook so you can scare the rubes.
>
> man, try to do something good and I get blasted... Bryan, there is a short
> bridge waiting for you to take a long walk... By the looks of your myspace
> page you're anti social and a troll... Well, you got me. I forgot New
> Zealand is just another offshoot of the penal colony Australia used to be.
> You can't help it, it's in your genes...
>
> Spamming? UCE my mailings were not. They were informative, like this list
> is supposed to be. You liken my postings to the likes of Netdev and other
> assholes who truly UCE'd this list to death.
>
> btw this is the PERFECT place for this type of discussion. Who made you
> the fucking moderator of fd? You do a horrible job...
> I have been on this list since 2005... My postings are gold compared to
> the viri and other 'spolits people try to con people into.
>
> 1. Let's discuss how his facebook account was hacked along with others so
> no forensics are available. (Feds, gotta love em)
> 2. Let's discuss how her facebook account was hacked to say she took a
> bunch of pills THEN shot herself.
> 3. Let's discuss what a douchebag you are for downplaying something
> by putting it into the scope of a chain letter? That's confirmation you are
> in fact a true douchebag...
>
> FOAD
>
> Antisocial troll... Go remove your myspace page and maybe you won't look
> like such an ass, whole.
>

Re: [Full-disclosure] Owning Samsung Android devices

2013-03-19 Thread Jeffrey Walton
[web page] ...
[web page] Two different vulnerabilities can be exploited
[web page] to silently install highly-privileged applications
[web page] with no user interaction. The privileged
[web page] applications to be installed can be embedded
[web page] right inside the unprivileged application package,
[web page] or downloaded "on the fly" from an on-line
[web page] market.
[web page] Another issue, different from the previous ones,
[web page] allows attackers to send SMS messages without
[web page] requiring any Android privilege (normally, Android
[web page] applications are required to have the
[web page] android.permission.SEND_SMS permission to
[web page] perform this task).

You might consider getting Android security involved since both appear
to have remediation at the platform level. For example, Google Play
may be able to do something about the first issue since it's a trusted
channel and should not be distributing hidden apps with malicious
intent; and a confused deputy might be in play with the second.

Android security can be reached through a well known email address,
and Android Security Discussions
(http://groups.google.com/group/android-security-discuss).

My apologies if the remediations are not available at the platform.
It's tough to discern when folks use Full Disclosure, Bugtraq, et al to
generate traffic and press releases.

Jeff

On Tue, Mar 19, 2013 at 5:20 PM, Roberto Paleari  wrote:
> Folks,
>
> I recently found some security vulnerabilities affecting Samsung
> Android phones. The bugs lie in Samsung-specific customizations and
> not in the Android code base.
>
> While waiting for Samsung security patches, I published an overview of
> the issues here:
> http://randomthoughts.greyhats.it/2013/03/owning-samsung-phones-for-fun-but-with.html
>
> Possible consequences are quite interesting, as the vulnerabilities
> allow an *unprivileged* application to perform several nefarious
> tasks, ranging from sending SMS messages to installing APK packages,
> but also including some denial-of-services and info leaks.
>
> I hope I will be able to disclose the technical details soon.



Re: [Full-disclosure] Port scanning /0 using insecure embedded devices

2013-03-19 Thread Jeffrey Walton
> Many of them are based on Linux and allow
> login to standard BusyBox with empty or
> default credentials.
Forgive my ignorance, but what does the authentication problem (or
lack thereof) have to do with linux/uclibc/busybox? It seems to be a
manufacturer problem (for example, Actiontec) or an integrator
problem (such as Verizon or Comcast), unless I am missing something.

Jeff

On Sun, Mar 17, 2013 at 7:54 PM, internet census
 wrote:
> -  Internet Census 2012  -
>
>  Port scanning /0 using insecure embedded devices 
>
> -  Carna Botnet  -
>
>
> While playing around with the Nmap Scripting Engine we discovered an amazing
> number of open embedded devices on the Internet. Many of them are based on
> Linux and allow login to standard BusyBox with empty or default credentials.
> From March to December 2012 we used ~420 Thousand insecure embedded devices
> as a distributed port scanner to scan all IPv4 addresses.
> These scans include service probes for the most common ports, ICMP ping,
> reverse DNS and SYN scans. We analyzed some of the data to get an estimation
> of the IP address usage.
>
> All data gathered during our research is released into the public domain for
> further study. The full 9 TB dataset has been compressed to 565GB using ZPAQ
> and is available via BitTorrent. The dataset contains:
> - 52 billion ICMP ping probes
> - 10.5 billion reverse DNS records
> - 180 billion service probe records
> - 2.8 billion sync scan records for 660 million IPs with 71 billion ports tested
> - 80 million TCP/IP fingerprints
> - 75 million IP ID sequence records
> - 68 million traceroute records
>
>
> This project is, to our knowledge, the largest and most comprehensive
> IPv4 census ever. With a growing number of IPv6 hosts on the Internet, 2012
> may have been the last time a census like this was possible. A full
> documentation, including statistics and images, can be found on the
> project page.
>
> We hope other researchers will find the data we have collected useful and that
> this publication will help raise some awareness that, while everybody is talking
> about high class exploits and cyberwar, four simple stupid default telnet
> passwords can give you access to hundreds of thousands of consumer as well as
> tens of thousands of industrial devices all over the world.
>
> No devices were harmed during this experiment and our botnet has now ceased its
> activity.
>
>
>
> Project Page:
>  http://internetcensus2012.bitbucket.org/
>  http://internetcensus2012.github.com/InternetCensus2012/
>  http://census2012.sourceforge.net/
>
> Torrent MAGNET LINK:
> magnet:?xt=urn:btih:7e138693170629fa7835d52798be18ab2fb847fe&dn=InternetCensus2012&tr=udp%3a%2f%2ftracker.openbittorrent.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker.ccc.de%3a80%2fannounce&tr=udp%3a%2f%2ftracker.publicbt.com%3a80%2fannounce



Re: [Full-disclosure] Arbitrary command execution and trivial password guessing on Brother printers

2013-02-28 Thread Jeffrey Walton
On Thu, Feb 28, 2013 at 12:55 PM,   wrote:
> Confirmation that Brother is aware of vulnerabilities; no fixes planned for any
> printer. Can find a few tens of thousands of Brother printers on
> just Google Search ...
>
They do it because it's cost effective to "do nothing" for a defective product.

The risk analysis equations need to be unbalanced.

Jeff



Re: [Full-disclosure] test

2013-02-27 Thread Jeffrey Walton
On Wed, Feb 27, 2013 at 11:05 PM, coderman  wrote:
> On Wed, Feb 27, 2013 at 3:13 AM, imipak  wrote:
>> SMTP_ECHO_REQUEST
>
> ICMP_SOURCE_QUENCH
+1



Re: [Full-disclosure] #warning -- DICE.COM insecure passwords

2013-02-12 Thread Jeffrey Walton
On Tue, Feb 12, 2013 at 5:58 PM, Travis Biehn  wrote:
> What Tim said. I think warning was writing about the public shame from
> having a massive pw dump not having some neckbeard expose them over using
> crypt on some random industry mailing list (shudders).
>
> Here is a long article on secure password storage. It is extremely exciting:
> http://www.cigital.com/justice-league-blog/2012/06/11/securing-password-digests-or-how-to-protect-lonely-unemployed-radio-listeners/
I got to attend that talk given at OWASP in Northern Virginia
(https://www.owasp.org/index.php/Virginia, JULY 2012).

John Steven and did a great job.

Jeff

> On Tue, Feb 12, 2013 at 5:14 PM, Tim 
> wrote:
>>
>> > That's assuming that they didn't do the risk analysis and decide that
>> > the effort required to fix the problem (which will probably require,
>> > among other things, having every single user change their password)
>> > is worth the effort.  Given that so many places have gotten hacked and
>> > pwned that the user community response is usually "Meh. Another one",
>> > they may rightfully have concluded that risking public shaming is
>> > in fact a good business decision...
>>
>>
>> Here's a bit of pseudocode for you Valdis:
>>
>> for each user:
>>   let user.new_hash = scrypt(user.old_crypt_hash)
>>
>> # now update authentication routine to use user.new_hash with new
>> # nested hashing algorithm
>>
>>
>> So really, there's actually not a good reason to keep a crappy hash
>> database around.  Just add a layer of good salted hashing on top.
>>
>> With that said, the unusual quirk of crypt being limited to 7
>> characters is an additional challenge, but you can start with the
>> above steps (which immediately improves security), and then slowly
>> transition to using scrypt alone or some variant that supports longer
>> passwords.



Re: [Full-disclosure] ifIndex overflow (Linux Kernel - net/core/dev.c) [maybe offtopic]

2013-02-10 Thread Jeffrey Walton
>  The former requiring too much effort
I'm not sure I agree with this statement. When Sony pissed off folks
over the Playstation, countless hours were spent on the breaks and
breach. Confer:
http://thehackernews.com/2012/10/sony-playstation-3-hacked-with-custom.html
and 
http://www.nbcnews.com/technology/ingame/hackers-stole-personal-data-playstation-network-123618.

It does not hurt that Sony chronically drives drunk on the information
superhighway. Confer:
http://attrition.org/security/rants/sony_aka_sownage.html.

Don't underestimate an attacker's will or resolve.

Jeff

On Fri, Feb 8, 2013 at 6:05 AM, Daniel Corbe  wrote:
>
> That would require that you have sufficient access to create pseudo-eth
> devices in the first place.  A vector of attack which requires previous
> privilege escalation or which is carried out by an individual in a
> position of trust is wholly uninteresting.   The former requiring too
> much effort and the latter requiring a reexamination of your
> interpersonal relationships.
>
> -Daniel
>
> Daniel Preussker  writes:
>
>> Hi,
>>
>> I was looking into the net/core/dev.c from the current Kernel
>> (previous also have this) and found out that ifIndex gets incremented
>> by an endless loop.
>>
>> After creating 4 billion pseudo-eth devices I finally got it to
>> overflow and endless loop, had to kill the kernel - fun right?
>>
>>
>>
>> General question, is this known?
>>
>>
>> Daniel Preussker
>>
>> [ Security Consultant, Network & Protocol Security and Cryptography
>> [ LPI & Novell Certified Linux Engineer and Researcher
>> [ +49 178 600 96 30
>> [ dan...@preussker.net
>> [ http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x87E736968E490AA1



Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor

2013-02-02 Thread Jeffrey Walton
[Sorry about the crummy copy/paste].

Here's the link to the forfeiture article:
http://bostonherald.com/news_opinion/local_coverage/2013/01/ortiz_motel_owner_we’re_not_done_yet

On Sat, Feb 2, 2013 at 2:58 PM, Jeffrey Walton  wrote:
> On Mon, Jan 14, 2013 at 10:34 AM,   wrote:
>> https://petitions.whitehouse.gov/petition/remove-united-states-district-attorney-carmen-ortiz-office-overreach-case-aaron-swartz/RQNrG1Ck
>>
>> Above link to remove this prosecutor needs to have signatures by
>> February 11.
> http://www.amazon.com/Three-Felonies-Day-Target-Innocent/dp/1594035229,
> http://www.amazon.com/Three-Felonies-Day-Target-Innocent/dp/1594035229
>
> The prosecutor has a history of abusing her power. See, for example,
> http://news.ycombinator.com/item?id=5126017.


Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor

2013-02-02 Thread Jeffrey Walton
On Mon, Jan 14, 2013 at 10:34 AM,   wrote:
> https://petitions.whitehouse.gov/petition/remove-united-states-district-attorney-carmen-ortiz-office-overreach-case-aaron-swartz/RQNrG1Ck
>
> Above link to remove this prosecutor needs to have signatures by
> February 11.
http://www.amazon.com/Three-Felonies-Day-Target-Innocent/dp/1594035229,
http://www.amazon.com/Three-Felonies-Day-Target-Innocent/dp/1594035229

The prosecutor has a history of abusing her power. See, for example,
http://news.ycombinator.com/item?id=5126017.



Re: [Full-disclosure] Ubuntu, Linux Mint, and the Guest Account

2013-01-26 Thread Jeffrey Walton
It appears the Guest account is still allowed to wander around a
'stock' install of Ubuntu. Below are some examples of information
leakage due to the account.

Surely I'm not the only person who thinks it's a bad idea to allow
LightDM (a desktop manager) to be a user manager or security manager.

And I can't be the only fellow who thinks it's a bad idea that the
account is created in a non-standard way. For example, the account is
not in the standard /etc/passwd or /etc/shadow database; and it cannot
be disabled or removed with `usermod` or `userdel`.

Finally, I can't be the only person who thinks adding the account
surreptitiously is a bad idea. For example, grep'ing 'Guest' returns 0
hits because the lightdm config file lacks a comment on the guest
account (and it's enabled by default).

Below is from a fresh Ubuntu Server install:
guest-XuxS7j@utility:/$ uname -a
Linux utility.home.pvt 3.2.0-36-generic-pae #57-Ubuntu SMP Tue Jan 8
22:01:06 UTC 2013 i686 i686 i386 GNU/Linux
guest-XuxS7j@utility:/$ whoami
guest-XuxS7j

Information leak follows:
guest-XuxS7j@utility:/$ cd /home/jeffrey
guest-XuxS7j@utility:/home/jeffrey$ pwd
/home/jeffrey
guest-XuxS7j@utility:/home/jeffrey$ cd Documents
guest-XuxS7j@utility:/home/jeffrey/Documents$

Information leak follows:
guest-XuxS7j@utility:/home/jeffrey/Documents$ cat foo-bar.txt
cat: foo-bar.txt: No such file or directory
guest-XuxS7j@utility:/home/jeffrey/Documents$ cat Financial-Results-2012.txt
cat: Financial-Results-2012.txt: Permission denied

Root looks clamped:
guest-XuxS7j@utility:/home/jeffrey/Documents$ cd /root/
bash: cd: /root/: Permission denied

Perhaps Ubuntu should offer an option to *not* enable the Guest
account at install? Perhaps Ubuntu should encrypt all home directories
by default since the Guest account is allowed to wander the file
system?

And fix the path hack
(https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/868363).
There's no reason this program should be on path. Was this program
acceptance tested? The alternative - removing lightdm - creates an
installation that won't boot properly.

On Sat, May 5, 2012 at 7:42 PM, Jeffrey Walton  wrote:
> I know there's not much new here, but I am amazed that Ubuntu, Linux
> Mint and friends ship with a Guest account present and enabled.
>
> The Guest account is surreptitiously added through a lightdm
> configuration file, and is not part of the standard user database.
> Because it's not part of the standard user database, it can't be
> disabled through /etc/shadow, nor disabled through familiar tools
> such as userdel and usermod. Additionally, the damn account does not
> show up in distribution provided tools such as User Accounts applet.
>
> To make matters worse, grepping for guest returns 0 results because
> lightdm.conf does not mention one must add the following to disable
> the guest account (nothing is required to enable the account):
>
> allow-guest=false
>
> To add insult to injury, the Guest account is not sandboxed and user
> home directories lack sufficient ACLs, so the guest account is able to
> wander through users' home directories:
>
> guest-dojMxl@vb-mint-12-x64 ~ $ pwd
> /tmp/guest-dojMxl
> guest-dojMxl@vb-mint-12-x64 ~ $ whoami
> guest-dojMxl
> guest-dojMxl@vb-mint-12-x64 /home/jwalton $ cd /home/
> guest-dojMxl@vb-mint-12-x64 /home $ ls -al
> total 12
> drwxr-xr-x  3 root    root    4096 2012-05-05 16:29 .
> drwxr-xr-x 23 root    root    4096 2012-05-05 16:32 ..
> drwxr-xr-x  5 jwalton jwalton 4096 2012-05-05 16:35 jwalton
> guest-dojMxl@vb-mint-12-x64 ~ $ cd /home/jwalton/
> guest-dojMxl@vb-mint-12-x64 /home/jwalton $ ls -al
> total 28
> drwxr-xr-x 5 jwalton jwalton 4096 2012-05-05 16:35 .
> drwxr-xr-x 3 root    root    4096 2012-05-05 16:29 ..
> -rw-r--r-- 1 jwalton jwalton  220 2012-05-05 16:29 .bash_logout
> drwx------ 3 jwalton jwalton 4096 2012-05-05 16:35 .cache
> drwxr-xr-x 3 jwalton jwalton 4096 2012-05-05 16:29 .config
> drwxr-xr-x 4 jwalton jwalton 4096 2012-05-05 16:29 .mozilla
> -rw-r--r-- 1 jwalton jwalton  675 2012-05-05 16:29 .profile
> ...
>
>  Is there any reason a KIOSK-like account is enabled by default? Do
> KIOSKs really dominate the desktop market to warrant the account out
> of the box?



Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000

2013-01-25 Thread Jeffrey Walton
On Fri, Jan 25, 2013 at 12:07 PM,   wrote:
> On Fri, 25 Jan 2013 09:57:51 +, Dan Ballance said:
>
>> ...
>
> Doesn't matter if he ends up a corporate knob or a freedom fighter.  If
> he says "I promise to XYZ" you want him to be trustworthy on said promise.
>
> You might want to ask the guys in Anonymous who got ratted out by one
> of their own how they feel about the word "trustworthy" regarding the
> rat who said "I promise not to rat you out".
:)

There is no honor among thieves (or corporations, or lawyers, or...)



Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000

2013-01-24 Thread Jeffrey Walton
On Thu, Jan 24, 2013 at 2:22 PM,   wrote:
> On Thu, 24 Jan 2013 19:59:53 +0100, Stefan Weimar said:
>
>> > 1) The kid, as part of his major, signed an ethics document.
>
>> A better solution would have been to not do the steps 1 and 2 but make
>> an NDA ("Ok, we know and you know but that's enough by now.") instead.
>> I mean, some kind of responsible disclosure.
>>
>> By proposing this "ethics document" it was the college being
>> unprofessional and not the kid.
>
> I think you misunderstand - the ethics document was signed *when he
> applied as a student*.  If you think that's "unprofessional", you
> might want to consider that doctors, lawyers, and other professions
> have ethics standards as well.  As does anybody who has a CISSP:
That has not stopped lawyers and judges from perverting the legal
system in the US. Judge James Ware FTW!
http://en.wikipedia.org/wiki/James_Ware_(judge).

> https://www.isc2.org/ethics/default.aspx
TLDR;

Just kidding. It's actually quite short. I wonder if the college gave
him a contract, and called it a code of ethics.

> I'd say anybody who persisted in doing something after they promised
> not to would be running afoul of the "necessary public trust and confidence"
> clause of the CISSP code of ethics?
Well, there could be a lot of wiggle room. How much of it is subjective?

Is it like Christianity, where the 10 Commandments are taken as 10 Suggestions?

Jeff



Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000

2013-01-21 Thread Jeffrey Walton
On Mon, Jan 21, 2013 at 8:06 PM, Nick FitzGerald
 wrote:
> Jeffrey Walton wrote:
>
>> On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse  wrote:
>> > Moreover, he ran it again after reporting it to see if it was still there.
>> > Essentially he's doing an unauthorised pen test having alerted them that
>> > he'd done one already.
>> If his personal information is in the proprietary system, I believe he
>> has every right to very the security of the system.
>
> BUT how can he "verify" (I assume that was the word you meant?) proper
> security of _his_ personal details?  He would have to test using
> someone _else's_ access credentials.  That is "unauthorized access" by
> most relevant legislation in most jurisdictions.
Yes, my bad. Autocorrect has turned my bad spelling into bad grammar.

> Alternately, he could try accessing someone else's data from his login,
> and that is equally clearly unauthorized access.
>
> He and his colleague who originally discovered the flaw may have used
> each other's access credentials to access their own data, or used their
> own credentials to access the other's data _in agreement between
> themselves_ BUT in so doing most likely broke the terms of service of
> the system/their school/etc, _equally_ putting them afoul of most
> unauthorized access legislation.
>
>> Is he allowed to "opt-out" of the system (probably not)? If not, he
>> has a responsibility to check.
>
> BUT he has no responsibility to check on anyone _else's_ data and no
> _authority_ to use anyone else's credentials to check on his own.
I would argue that's part of testing the system. If I log in and get a
token back, I'm going to try a simple increment (and other
transformations on the token) to see if it's predictable. If I happen
to get another's record, that demonstrates the flaw in the system and
not 'testing on behalf of another'.

What did he do with the other records he retrieved? I suspect he used
them as proof of concept; and did not use them for a work visa or
credit card. But I could be wrong.

> So, what "responsibility" does he really have?
We have the responsibility to protect our own data, because class-A
fuckups like Omnivox don't do it. Once the data is lost, you can't get
it back - the genie is out of the bottle.

That's coming from a guy who was part of a breach in the 1990s. It
cost me about $10,000 to fix it back then. It started again in the
mid-2000s. I'm not fixing it this time.

> It sounds like he should have left well alone once he had reported this
> to the university and the vendors.  That he did not have the sense or
> moral compass to recognize that tells us something important about him.
Does that sword cut both ways? How about Nokia/Opera and their
destruction of the secure channel? How about Trustwave and their
fraudulent certificates that destroyed the secure channel?

Or do these things (law and moral compasses) only apply to individuals?

Jeff



Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000 students personal data

2013-01-21 Thread Jeffrey Walton
On Mon, Jan 21, 2013 at 7:44 PM, Julius Kivimäki
 wrote:
> How is Omnivox's security relevant when this kid is running DoS tools on
> their sites? (Acunetix is a nice database heavy HTTP flood tool.)
I don't know.

Could Acunetix be used to find a 250,000 record information leak
(injection?)? If not, perhaps it was exaggerated by the site's owner
in order to deflect bad press and tip the scales of justice.

Manipulating the justice system is nothing new. Ma Bell did it with
Mitnick. They claimed millions in losses due to Mitnick, but failed to
list it in their SEC filings (required by law at the time). They would
not answer questions pertaining to the 'accounting irregularities'
when cross examined during trial.

Jeff

> 2013/1/22 Jeffrey Walton 
>>
>> On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse 
>> wrote:
>> > Moreover, he ran it again after reporting it to see if it was still
>> > there.
>> > Essentially he's doing an unauthorised pen test having alerted them that
>> > he'd done one already.
>> If his personal information is in the proprietary system, I believe he
>> has every right to very the security of the system.
>>
>> Is he allowed to "opt-out" of the system (probably not)? If not, he
>> has a responsibility to check.
>>
>> Open question: does Canada have Security Testing and Evaluation (ST&E)
>> and Reverse Engineering (RE) exemptions in its laws? Even the United
>> States' DMCA has them. For reference for others in the US who may be
>> subject to bullying (companies have tried it on me):
>>
>> DMCA (PUBLIC LAW 105–304). It has exceptions for reverse engineering
>> and security testing and evaluation. The RE exemption is in Section
>> 1205 (f) REVERSE ENGINEERING. The ST&E exemption is in Section 1205
>> (i) SECURITY TESTING.
>>
>> > a class A moron.
>> What does that make Omnivox, which appears to have done no testing?
>>
>> Jeff
>>
>> > On 21 Jan 2013, at 21:10, Benji  wrote:
>> >
>> > He found the vulnerability by running Acunetix against the system. He is
>> > what most would describe as, a class A moron.
>> >
>> > On Mon, Jan 21, 2013 at 8:43 PM, Frank Bures 
>> > wrote:
>> >>
>> >> A student has been expelled from Montreal’s Dawson College after he
>> >> discovered a flaw in the computer system used by most Quebec CEGEPs
>> >> (General and Vocational Colleges), one which compromised the security of
>> >> over 250,000 students’ personal information.
>> >>
>> >> Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a
>> >> member of the school’s software development club, was working on a mobile
>> >> app to allow students easier access to their college account when he and a
>> >> colleague discovered what he describes as “sloppy coding” in the widely
>> >> used Omnivox software which would allow “anyone with a basic knowledge of
>> >> computers to gain access to the personal information of any student in the
>> >> system, including social insurance number, home address and phone number,
>> >> class schedule, basically all the information the college has on a
>> >> student.”
>> >>
>> >> http://tinyurl.com/bcdrelh


Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000 students personal data

2013-01-21 Thread Jeffrey Walton
On Mon, Jan 21, 2013 at 5:57 PM, Ian Hayes  wrote:
> On Mon, Jan 21, 2013 at 2:54 PM, Jeffrey Walton  wrote:
>> On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse  wrote:
>>> a class A moron.
>> What does that make Omnivox, which appears to have done no testing?
>
> The two conditions are not mutually exclusive.
Hence the reason for "appears to have done no testing."

Developer driven security is some of the worst security I have seen.
It's the reason for this (and a few other) lists. Obvious flaws (obvious
to a security professional) tell me Omnivox has problems with their
engineering process (perhaps incomplete testing, perhaps no testing).

Jeff



Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000 students personal data

2013-01-21 Thread Jeffrey Walton
On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse  wrote:
> Moreover, he ran it again after reporting it to see if it was still there.
> Essentially he's doing an unauthorised pen test having alerted them that
> he'd done one already.
If his personal information is in the proprietary system, I believe he
has every right to very the security of the system.

Is he allowed to "opt-out" of the system (probably not)? If not, he
has a responsibility to check.

Open question: does Canada have Security Testing and Evaluation (ST&E)
and Reverse Engineering (RE) exemptions in its laws? Even the United
States' DMCA has them. For reference for others in the US who may be
subject to bullying (companies have tried it on me):

DMCA (PUBLIC LAW 105–304). It has exceptions for reverse engineering
and security testing and evaluation. The RE exemption is in Section
1205 (f) REVERSE ENGINEERING. The ST&E exemption is in Section 1205
(i) SECURITY TESTING.

> a class A moron.
What does that make Omnivox, which appears to have done no testing?

Jeff

> On 21 Jan 2013, at 21:10, Benji  wrote:
>
> He found the vulnerability by running Acunetix against the system. He is
> what most would describe as, a class A moron.
>
>
> On Mon, Jan 21, 2013 at 8:43 PM, Frank Bures 
> wrote:
>>
>> A student has been expelled from Montreal’s Dawson College after he
>> discovered a flaw in the computer system used by most Quebec CEGEPs
>> (General and Vocational Colleges), one which compromised the security of
>> over 250,000 students’ personal information.
>>
>> Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a
>> member of the school’s software development club, was working on a mobile
>> app to allow students easier access to their college account when he and a
>> colleague discovered what he describes as “sloppy coding” in the widely
>> used Omnivox software which would allow “anyone with a basic knowledge of
>> computers to gain access to the personal information of any student in the
>> system, including social insurance number, home address and phone number,
>> class schedule, basically all the information the college has on a
>> student.”
>>
>> http://tinyurl.com/bcdrelh


Re: [Full-disclosure] White Paper: Detecting System Intrusions

2013-01-18 Thread Jeffrey Walton
On Fri, Jan 18, 2013 at 3:21 PM,   wrote:
> On Wed, 16 Jan 2013 12:39:18 -0500, Almaz said:
>
>> How to detect system intrusions? What are the techniques? Can one character
>> difference in the output be an indicator of compromise?
>
> Paging Cliff Stoll.. Cliff Stoll to the courtesy phone...
Damn. You can only get "The KGB, the Computer, and Me" on VHS!



Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor

2013-01-18 Thread Jeffrey Walton
On Mon, Jan 14, 2013 at 10:34 AM,   wrote:
> https://petitions.whitehouse.gov/petition/remove-united-states-district-attorney-carmen-ortiz-office-overreach-case-aaron-swartz/RQNrG1Ck
>
> Above link to remove this prosecutor needs to have signatures by
> February 11.
Congratulations. It looks like you exceeded the threshold required by
a factor of nearly two.



Re: [Full-disclosure] How to prevent HTTPS MitM

2013-01-17 Thread Jeffrey Walton
On Thu, Jan 17, 2013 at 3:56 PM, Luigi Rosa  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> If this message is offtopic, please excuse me.
>
> I was reading about Nokia HTTPS MitM. Many corporate firewalls can MitM HTTPS
> for content inspection and many governments do this for their reasons.
>
> I was thinking: could it be possible to create a fake HTTPS stream to DoS the
> MitM attempt?
Stop conferring trust.

Pin the certificate or public key. Google used it to vet out the
Diginotar compromise in Chrome (all other browsers suffered). It's
similar to SSH's StrictHostKeyChecking option. It's also on track for
internet standards:
http://tools.ietf.org/html/draft-ietf-websec-key-pinning-04.

Use Secure Remote Password (SRP). SRP is basically Diffie-Hellman
using the password as an exponent (lots of handwaving).

Don't trust browsers. That includes Mozilla (Trustwave and the closed
door, back room deals) or Opera (Nokia and its 'Acceleration
Interception').

Jeff

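The public-key pinning the reply recommends, as an added Python example (standard library only; not code from the post, from Chrome, or from the key-pinning draft). The pin is taken over the DER-encoded SubjectPublicKeyInfo rather than the whole certificate, the `pin-sha256` form used by that draft, so a certificate re-issued for the same key still matches while a certificate carrying a different key, such as one minted by an interception proxy, does not. The certificates are constructed toy X.509 skeletons with made-up RSA moduli and empty issuer/subject names, so the script runs offline; the DER reader walks only far enough to find the SPKI and is in no sense a certificate validator.

```python
"""Public-key pinning over the SubjectPublicKeyInfo (SPKI) of a certificate.

pin = base64(SHA-256(DER(SPKI))).  Everything below is constructed for
illustration: the tiny DER encoder builds toy certificates with made-up RSA
moduli so the example runs offline with no third-party library.  It is not
an X.509 validator; it only locates the SPKI inside a certificate.
"""
import base64
import hashlib

# --- minimal DER encoder (just enough for a toy X.509 skeleton) -------------

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))

def integer(n: int) -> bytes:
    # one spare byte keeps the top bit clear so the INTEGER reads as positive
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
DER_NULL = b"\x05\x00"

def rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }"""
    rsa_public_key = seq(integer(modulus), integer(exponent))
    return seq(seq(RSA_ENCRYPTION_OID, DER_NULL), tlv(0x03, b"\x00" + rsa_public_key))

def toy_certificate(serial: int, spki: bytes) -> bytes:
    """Structurally valid Certificate skeleton: empty names, placeholder
    signature.  Only the SPKI matters for the pin, so nothing else is real."""
    version = tlv(0xA0, integer(2))                 # [0] EXPLICIT v3
    sig_alg = seq(RSA_ENCRYPTION_OID, DER_NULL)      # placeholder AlgorithmIdentifier
    validity = seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"250101000000Z"))
    tbs = seq(version, integer(serial), sig_alg, seq(), validity, seq(), spki)
    return seq(tbs, sig_alg, tlv(0x03, b"\x00" + b"\x00" * 32))

# --- minimal DER reader -----------------------------------------------------

def der_children(body: bytes):
    """Yield (tag, value, raw_tlv) for each element directly inside body."""
    pos = 0
    while pos < len(body):
        start = pos
        tag = body[pos]
        pos += 1
        length = body[pos]
        pos += 1
        if length & 0x80:                          # long-form length
            n = length & 0x7F
            length = int.from_bytes(body[pos:pos + n], "big")
            pos += n
        value = body[pos:pos + length]
        pos += length
        yield tag, value, body[start:pos]

def extract_spki(cert_der: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate and return the raw DER of the SPKI."""
    outer = list(der_children(cert_der))
    if len(outer) != 1 or outer[0][0] != 0x30:
        raise ValueError("certificate is not a single DER SEQUENCE")
    tbs_tag, tbs_value, _ = next(der_children(outer[0][1]))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate missing")
    fields = list(der_children(tbs_value))
    idx = 6 if fields[0][0] == 0xA0 else 5         # the version field is optional
    if len(fields) <= idx or fields[idx][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo missing")
    return fields[idx][2]

def spki_pin(cert_der: bytes) -> str:
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pin_matches(cert_der: bytes, pinned: set) -> bool:
    """True if the presented certificate's key is one the client pinned."""
    return spki_pin(cert_der) in pinned

# Constructed moduli (not real keys; a real RSA modulus is 2048 bits or more).
KEY_A = int("d6" * 32, 16)
KEY_B = int("b7" * 32, 16)
CERT_A1 = toy_certificate(serial=1, spki=rsa_spki(KEY_A))
CERT_A2 = toy_certificate(serial=2, spki=rsa_spki(KEY_A))   # re-issued, same key
CERT_B = toy_certificate(serial=3, spki=rsa_spki(KEY_B))    # different key

if __name__ == "__main__":
    pins = {spki_pin(CERT_A1)}                     # what the client shipped with
    print("re-issued cert, same key, matches pin:", pin_matches(CERT_A2, pins))
    print("cert with a different key matches pin:", pin_matches(CERT_B, pins))
```

Pinning the key rather than the leaf certificate is what keeps routine renewals from breaking the client; the check fails only when the key behind the connection changes, which is the case a content-inspecting proxy or a mis-issued certificate produces.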


Re: [Full-disclosure] how to sell and get a fair price

2013-01-16 Thread Jeffrey Walton
On Wed, Jan 16, 2013 at 5:19 AM,   wrote:
> On 15-Jan-2013 06:28:53 -0500, Jeffrey Walton wrote:
>
> ...
>  > > Is it really necessary to stay anonymous? Writing hmmm... articles
>  > > about vulnerabilities for some (very specific) media and getting a
>  > > hmmm... fee for that is mostly legal.
>  > > Opposed to the use of that information...
>  > I think it's a slippery slope in the US.
>
> I'm happy to reside outside of the US...
>
>  > On one hand, you have, for example, Computer Fraud and Abuse Act
>  > (CFAA), Digital Millennium Copyright Act (DMCA), and Unlawful
>  > Intercept. US corporations are rarely prosecuted under the law
>  > [...] but individuals are regularly prosecuted
>
> That means, all these activities should not be performed in the US
> (and other countries with similar Draconian laws)...
It's not so much Draconian laws as it is greedy politicians who take
bribes from corporate america to grow their wealth, and then spend the
rest of their careers performing fellatio on industry and their
special interests (just an observation :).

> In general, this problem may be solved using the international division
> of labour, when people do only what is legal in their country. Example:
> reverse engineering is legal in Russia (unless it is used to create the
> competing product), so I can perform it and share the results. Someone
> else may then find suspicious code, other people may prove that code is
> vulnerable by writing an exploit... In this case, everyone performs in
> legal manner - except, obviously, the script kiddies who will use the
> ready tool to break something.
It's legal in the US, too. Dr. Jon Callas (one of PGP's co-founders)
was fortunate (persistent?) enough to have the provisions added to
DMCA (PUBLIC LAW 105–304). It has exceptions for reverse engineering
and security testing and evaluation. The RE exemption is in Section
1205 (f) REVERSE ENGINEERING. The ST&E exemption is in Section 1205
(i) SECURITY TESTING.

Jeff


Re: [Full-disclosure] how to sell and get a fair price

2013-01-15 Thread Jeffrey Walton
On Tue, Jan 15, 2013 at 3:07 PM, Nick FitzGerald
 wrote:
> Jeffrey Walton wrote:
>
>> Sometimes the publisher cannot protect the identity of an anonymous
>> author.  ...
>
> That may be true -- I don't know...
>
>> ...  The real Rex Feral was dragged into court.
>>
>> http://en.wikipedia.org/wiki/Hit_Man:_A_Technical_Manual_for_Independent_Contractors
>
> ...but that claim is not supported by your reference.
>
> The Wikipedia article simply does not address whether the pseudonymous
> author's real identity was exposed in the legal proceedings or not.
> Note that the case was "Rice v Paladin Enterprises" and the legal claim
> was that Paladin (the _publishers_) aided and abetted a murder.
Oh, my bad. That was the book which caused the subsequent court
actions, and not a normative reference to loss of anonymity.

> Presumably (again, IANAL) they could have brought a similar suit
> against the author, but saw the publisher as having deeper pockets (and
> perhaps reasonably assumed, or even knew, that the publisher would have
> extensive commercial insurance to cover any damages ruling they may
> receive if their case prevailed).

I seem to recall two or three things from the Montgomery County
murders (it's a county close to where I live, so I watched the American
Justice episode).

The publisher indemnified the author. The publisher was not able to
retain anonymity for Rex Feral. In fact, I seem to recall an excerpt
of the court proceedings with the lady on the stand.

Jeff



Re: [Full-disclosure] how to sell and get a fair price

2013-01-15 Thread Jeffrey Walton
On Tue, Jan 15, 2013 at 10:40 AM, Mikhail A. Utin
 wrote:
> In general practice, where ever you would like to publish, the publisher
> will ask for copyright rights. Thus, a site publishing exploits can do the
> same and thus may protect rights of the author, well, together with its
> ones.
>
> After all, my idea was about fair sale, and that could require release of
> rights to the mediator/auctioneer.
>
> Somebody I would bet is having a fair thought “buddy, would you do your
> idea?” I need to say frankly that I do not plan. I’m stretched by my current
> www.201cmr1700ma.com and its very likely extension. But feeling unfairness,
> will be glad to support and devote some time.
Sometimes the publisher cannot protect the identity of an anonymous
author. The real Rex Feral was dragged into court.

http://en.wikipedia.org/wiki/Hit_Man:_A_Technical_Manual_for_Independent_Contractors

Jeff

> From: Christian Sciberras [mailto:uuf6...@gmail.com]
> Sent: Monday, January 14, 2013 4:17 PM
> To: Valdis Kletnieks
> Cc: Mikhail A. Utin; full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] how to sell and get a fair price
>
> Valdis, we've had spam companies suing blacklist/antispam companies
> before...
>
> Surely an anonymous person legitimately and legally enforcing copyright
> can't be harder?
>
> On Mon, Jan 14, 2013 at 9:39 PM,  wrote:
>
> On Thu, 10 Jan 2013 12:03:03 -0500, "Mikhail A. Utin" said:
>
>> After all, a vulnerability and an exploit are intellectual products. Not
>> sure copyright could be claimed, but why not?
>
> Actually, claimed or not, if the exploit was coded in a Berne signatory
> country, it's almost always automatically copyrighted at creation (most
> likely to the coder, or to their employer if it was a work-for-hire).  In the US,
> there's an exemption for work product of federal employees - that's one of
> the few ways for US-produced material to become public domain (expiration of
> term is the other one, but with ever-increasing copyright terms, it's unclear
> that anything will ever actually expire in the US).
>
> More interesting is the question of how to enforce a copyright claim
> while remaining anonymous...


Re: [Full-disclosure] how to sell and get a fair price

2013-01-15 Thread Jeffrey Walton
On Tue, Jan 15, 2013 at 2:48 AM,   wrote:
> On 14-Jan-2013 15:39:53 -0500, valdis.kletni...@vt.edu wrote:
>
>  > > After all, a vulnerability and an exploit are intellectual
>  > > products. Not sure copyright could be claimed, but why not?
>
>  > Actually, claimed or not, if the exploit was coded in a Berne
>  > signatory country, it's almost always automatically copyrighted
>  > at creation (most likely to the coder, or to their employer if
>  > it was a work-for-hire). [...]
>  > More interesting is the question of how to enforce a copyright
>  > claim while remaining anonymous...
>
> Is it really necessary to stay anonymous? Writing hmmm... articles
> about vulnerabilities for some (very specific) media and getting a
> hmmm... fee for that is mostly legal.
>
> Opposed to the use of that information...
I think it's a slippery slope in the US.

On one hand, you have, for example, Computer Fraud and Abuse Act
(CFAA), Digital Millennium Copyright Act (DMCA), and Unlawful
Intercept. US corporations are rarely prosecuted under the law
(confer, Trustwave [1], Nokia [2]); but individuals are regularly
prosecuted (confer, Weev (et al) [3], Wise Guys [4], Dmitry Sklyarov
[5]).

I'm amazed at how federal law is 'opt-in' for US corporations, but
individuals such as Weev/Goatse and Sklyarov must endure politically
motivated judicial heavy handedness. In Goatse's case, they aggregated
public data (names and email addresses) from a public server offering
public services hanging off a public internet. In Sklyarov's case, he
demonstrated flaws in Adobe's PDF DRM scheme. Note that for Sklyarov,
the DMCA (PUBLIC LAW 105–304) has exceptions for reverse engineering
and security testing and evaluation. The RE exemption is in Section
1205 (f) REVERSE ENGINEERING. The ST&E exemption is in Section 1205
(i) SECURITY TESTING.

If I had copyright over material used for security testing and
evaluations, I would probably assert my copyright. If I wrote malware,
I would likely want to stay anonymous (confer, David L. Smith and
Melissa macro-virus [6]).

Jeff

[1] http://www.computerworld.com/s/article/9224082/Trustwave_admits_issuing_man_in_the_middle_digital_certificate_Mozilla_debates_punishment
[2] http://www.zdnet.com/nokia-hijacks-mobile-browser-traffic-decrypts-https-data-709655/
[3] http://en.wikipedia.org/wiki/Weev
[4] https://www.eff.org/deeplinks/2010/07/cfaa-prosecution-wiseguys-not-so-smart
[5] http://en.wikipedia.org/wiki/Dmitry_Sklyarov
[6] http://en.wikipedia.org/wiki/Melissa_(computer_virus)


Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor

2013-01-14 Thread Jeffrey Walton
On Mon, Jan 14, 2013 at 3:35 PM,   wrote:
> On Mon, 14 Jan 2013 11:02:26 -0500, Jeffrey Walton said:
>> On Mon, Jan 14, 2013 at 10:34 AM,   wrote:
>> > https://petitions.whitehouse.gov/petition/remove-united-states-district-attorney-carmen-ortiz-office-overreach-case-aaron-swartz/RQNrG1Ck
>> >
>> > Above link to remove this prosecutor needs to have signatures by
>> > February 11.
>> It's unfortunate Swartz committed suicide over the incident.
>
> From the fine article:
>
> "On his blog, Swartz had written of his history of depression."
>
> Given that, and the fact that the article doesn't mention a suicide note
> stating Aaron's reasons, it's not entirely clear that he in fact committed
> suicide over the incident.  It may have been one factor out of many.
Perhaps. In the absence of a note, all we have to go on is the family
and girlfriend's experience with his personality: "On Saturday, his
family and girlfriend called his death "the product of a criminal
justice system rife with intimidation and prosecutorial overreach" and
blamed decisions by the Massachusetts U.S. attorney's office and MIT
for contributing to his death."

Jeff



Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor

2013-01-14 Thread Jeffrey Walton
On Mon, Jan 14, 2013 at 10:34 AM,   wrote:
> https://petitions.whitehouse.gov/petition/remove-united-states-district-attorney-carmen-ortiz-office-overreach-case-aaron-swartz/RQNrG1Ck
>
> Above link to remove this prosecutor needs to have signatures by
> February 11.
It's unfortunate Swartz committed suicide over the incident.

http://www.latimes.com/news/obituaries/la-me-0113-aaron-swartz-20130113,0,5232490.story

Jeff


