Re: [Full-disclosure] - CALL FOR PAPERS -
-ahem

First off, if you're going to have an n+1 ring circus, you need to start your Cirque de 0day process in Ring 0. You can have the audience standing around in Ring 3.

Joel

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Micheal Chatner
Sent: Wednesday, April 23, 2008 10:28 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] - CALL FOR PAPERS -

Cirque du 0day
C A L L   F O R   P A R T I C I P A T I O N

===( What is it? )===

! ! ! S P E C T A C L E ! ! !
... like you've never before seen ...

A two-ring Circus at the most infamous Hacker Conference known to man! Gaze in amazement as 0day is dropped before your very eyes in Ring One while simultaneously in Ring Two acts of spectacle and wonder are performed! Wondrous 0day such as the oldest 0day ever dropped and acts of spectacle such as tumbling 'little people' and sword eaters will fill your eager eyes with the show that they so truly desire...

DEFCON 16 will be held at the Riviera Hotel Casino in FABULOUS Las Vegas, Nevada, August 8th - 10th 2008.

===( What we need! )===

The Cirque du 0day logistics staff are seeking two very different types of content to make our Circus happen:

===( 0day )===

What would Cirque du 0day be without 0day? If you would like to participate, and are both willing and able to drop an 0day on stage at DEFCON 16, we invite you to submit your vulnerability! Full details of the vulnerability are not required, we simply need to know some basic facts such as:

1. What software or hardware the vulnerability is in.
2. Some general properties such as whether it's pre-auth or post-auth, Denial of Service or Code Execution, Local or Remote, etc.
3. Who you are or what persona/handle you will be presenting the vulnerability as. (Anonymous is fine, see below)

Depending on the amount of time we are allotted at DEFCON 16 for our event, we will select the top vulnerabilities submitted that we can cram into our time slot. Each presenter will be given 10 minutes during which to disclose their 0day to the audience. Slides for doing so must be made available to the Cirque du 0day logistics staff in PowerPoint (.ppt) format as we will be using a shared laptop and slide deck during the presentation in order to save time and reduce hassle while switching presenters.

Donations are also accepted! If you are neither willing nor able to participate yourself, but have an 0day you'd like dropped, simply note that fact in your submission and if your vulnerability is chosen we will get the full details from you and have someone else present it, perhaps while wearing a black hood and an ANONYMOUS t-shirt.

Please send all 0day vulnerability submissions to [EMAIL PROTECTED] for consideration by the Cirque du 0day review board.

===( Cirque )===

What would Cirque du 0day be without the Cirque? If you are a performance artist in the general Las Vegas, Nevada area and specialize in circus, carnival, or freak show, and can perform your act within a ten minute time slot, we want to hear from you! We are specifically looking for the following acts:

1. Tumbling Little People
2. Sword and/or Glass Eaters
3. Contortionist

Depending on the amount of time we are allotted at DEFCON 16 for our event, we will choose from the available acts the ones that we feel will be most entertaining to the audience or have a particular synergy with a selected 0day vulnerability.

Acts will be performed during a 10 minute time window alongside the presentation of an 0day vulnerability to the DEFCON conference audience, therefore we will not be able to have audible accompaniment to the act other than announcement by the Ring Master before and immediately after the act; during the act the audience must be able to hear the 0day vulnerability presentation. Acts may or may not be compensated, depending on how things work out with the conference, however your place in history will be secured,
Re: [Full-disclosure] Wiretapping
If your company is a criminal enterprise, then yes. If you fund or support terrorism, you stand a pretty good chance. If you are like the 99.999% of the companies out there that do their thing, trying to make an honest buck, you have nothing to fear.

Joel Helgeson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelly Robinson
Sent: Saturday, November 10, 2007 7:47 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Wiretapping

I just finished reading a book, Corporate Computer and Network Security - Raymond R. Panko. He states that the CSI/FBI surveys suggest that wiretapping is rare. Should companies still be concerned with Wiretapping?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] .NET REMOTING on port 31337
> Stand there and risk some confidential data being compromised!

Yes. Stand there. Monitor traffic. Do nothing to stop or impede. The moment you change ANYTHING you immediately start losing evidence.

Right now there is an IF involved. If I reacted to every strange service I found running on the manifold networks I've audited...

You monitor, go to the machine in question and investigate the service running that is servicing that port. If it is hacked, it is up to the customer to call upon their Emergency Response Plan.

I have found a service running on a Win2k3 server that the admin wanted me to just simply clean off. I advised against it. They agreed and I gathered information about the intrusion (doing nothing to clean it off) and found that it was just the tip of the iceberg: the server had acted as a gateway to the infection of six servers on their network, each with a different piece of the hack and info gathering done on each server. On a separate server, I saw where they used an IPv4toIPv6 mapping tool to redirect an IPv4 to IPv4 port mapping, so Windows remote desktop admin could be accessed using port 443. The simple removing of the initial infection would have left the rest of the breach unnoticed. This hack also included setting up Windows task scheduler to request updates from a list of domains, to re-establish hacker access should we cut them off... which we did. They were good, damn good.

-joel

From: Fabrizio [mailto:[EMAIL PROTECTED]
Sent: Friday, September 28, 2007 1:42 PM
To: Joel R. Helgeson
Subject: Re: [Full-disclosure] .NET REMOTING on port 31337

Yeah! Stand there and risk some confidential data being compromised! Monitor and capture them stealing our customer info! Then try and get it back! Come on man. It's a pen-test, and there are NDAs in order. Don't take the chance.

Fabrizio

On 9/28/07, Joel R. Helgeson [EMAIL PROTECTED] wrote:
> I disagree, don't block access to the port. Monitor and capture it.
>
> Joel's First rule of forensics: Don't just do something, stand there! Watch it, monitor it. If it is a crafty backdoor, there are dozens of others to enable bad guys to regain entry. Blocking lets the hacker know you might be on to them. IF it is legit, then it could cause a problem.
>
> Telnet to the port, see what it says on connection; run fport or sysinternals utilities on the box to see the stack the program uses.
>
> -joel
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fabrizio
> Sent: Friday, September 28, 2007 1:31 PM
> To: Full-Disclosure
> Subject: Re: [Full-disclosure] .NET REMOTING on port 31337
>
> If you think it's that critical (I think it's that critical), start by blocking any connections from anywhere to that machine/port. See if anyone complains. Check any old firewall logs for that port while you're at it. Then continue your investigation!!
>
> Fabrizio
>
> On 9/28/07, Simon Smith [EMAIL PROTECTED] wrote:
>> Got output... and it was... no idea what it was... can't paste it due to confidentiality though.
>>
>> Fabrizio wrote:
>>> .NET Remoting is a generic system for different applications to use to communicate with one another. It's part of the .NET framework, obviously. (not trying to be a smart ass) I'm gonna take a wild guess and say it's not a good thing.. Connect to it, and see if you get any output, if you haven't already done so.
>>>
>>> Fabrizio
>>>
>>> On 9/28/07, Simon Smith [EMAIL PROTECTED] wrote:
>>>> Has anyone ever heard of .NET REMOTING running on port 31337? If so, have you ever seen it legitimate?
>>
>> - simon
>> --
>> http://www.snosoft.com
Re: [Full-disclosure] .NET REMOTING on port 31337
Yes, I have seen similar hacks that have come primarily from French hackers. They utilize legitimate network administration tools to remotely administer your network for you. Go to that box and run the fport.exe util and handle.exe, or use sysinternals tools to find the app and its stack that were used to open the port.

-joel

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Smith
Sent: Friday, September 28, 2007 12:59 PM
To: The Security Community
Cc: Full-Disclosure
Subject: Re: [Full-disclosure] .NET REMOTING on port 31337

Right, it set off alarms with all of my penetration testers, hence why we're researching it. The question I have is, has anyone seen port 31337 respond with the .NET REMOTING banner? Our nmap -A claims that it is .NET REMOTING... just seems weird... Anyone know of any backdoors that do that?

The Security Community wrote:
> The last time I saw anything on port 31337 (ELEET) it was during a vulnerability assessment. We shut it down and stopped the assessment. Management wouldn't let us investigate, then blew the cover on the assessment a week or two later. It's almost always bad, but you may just have an admin with a stupid sense of humor. 31337 should always throw a red flag.
>
> On 9/28/07, Simon Smith [EMAIL PROTECTED] wrote:
>> Has anyone ever heard of .NET REMOTING running on port 31337? If so, have you ever seen it legitimate?

- simon
--
http://www.snosoft.com
Re: [Full-disclosure] .NET REMOTING on port 31337
I disagree, don't block access to the port. Monitor and capture it.

Joel's First rule of forensics: Don't just do something, stand there! Watch it, monitor it. If it is a crafty backdoor, there are dozens of others to enable bad guys to regain entry. Blocking lets the hacker know you might be on to them. IF it is legit, then it could cause a problem.

Telnet to the port, see what it says on connection; run fport or sysinternals utilities on the box to see the stack the program uses.

-joel

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fabrizio
Sent: Friday, September 28, 2007 1:31 PM
To: Full-Disclosure
Subject: Re: [Full-disclosure] .NET REMOTING on port 31337

If you think it's that critical (I think it's that critical), start by blocking any connections from anywhere to that machine/port. See if anyone complains. Check any old firewall logs for that port while you're at it. Then continue your investigation!!

Fabrizio

On 9/28/07, Simon Smith [EMAIL PROTECTED] wrote:
> Got output... and it was... no idea what it was... can't paste it due to confidentiality though.
>
> Fabrizio wrote:
>> .NET Remoting is a generic system for different applications to use to communicate with one another. It's part of the .NET framework, obviously. (not trying to be a smart ass) I'm gonna take a wild guess and say it's not a good thing.. Connect to it, and see if you get any output, if you haven't already done so.
>>
>> Fabrizio
>>
>> On 9/28/07, Simon Smith [EMAIL PROTECTED] wrote:
>>> Has anyone ever heard of .NET REMOTING running on port 31337? If so, have you ever seen it legitimate?
>
> - simon
> --
> http://www.snosoft.com
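The triage Joel describes across the three messages above (find the process and loaded modules behind the listening port, then look for the persistence he found on that engagement: scheduled tasks that call out to domains and port mappings that expose remote desktop on 443) can be gathered read-only with built-in PowerShell on a current Windows host. This is an added example, not code from the thread; the port number and output folder are assumptions, and it only records state, in keeping with "don't just do something, stand there".

```powershell
# Read-only triage of a suspicious listening port on a Windows host.
# Added example (not from the mailing-list thread). Assumptions: the port to
# inspect defaults to 31337 as in the thread, and findings go to -OutDir;
# nothing is stopped, blocked or deleted.
param(
    [int]$Port = 31337,
    [string]$OutDir = "$env:TEMP\triage-$(Get-Date -Format yyyyMMdd-HHmmss)"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$Report = Join-Path $OutDir 'triage.txt'

function Write-Section([string]$Title) {
    "`n===== $Title =====" | Tee-Object -FilePath $Report -Append
}

# 1. Which process owns the listening socket (what fport.exe used to show)?
Write-Section "Listeners on TCP/$Port"
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    "No process is listening on TCP/$Port right now." | Tee-Object -FilePath $Report -Append
}
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $cmd  = (Get-CimInstance Win32_Process -Filter "ProcessId = $($l.OwningProcess)").CommandLine
    [pscustomobject]@{
        LocalAddress = $l.LocalAddress
        PID          = $l.OwningProcess
        Name         = $proc.Name
        Path         = $proc.Path
        CommandLine  = $cmd
        StartTime    = $proc.StartTime
    } | Format-List | Out-String | Tee-Object -FilePath $Report -Append

    # 2. The "stack the program uses": every module loaded into that process
    #    (what handle.exe / Process Explorer would show). Unsigned DLLs or
    #    DLLs loaded from unusual paths are the first thing to look at.
    Write-Section "Modules loaded by PID $($l.OwningProcess)"
    $proc.Modules | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FileName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Module    = $_.ModuleName
            Path      = $_.FileName
            Signature = $sig.Status
        }
    } | Sort-Object Signature | Format-Table -AutoSize | Out-String |
        Tee-Object -FilePath $Report -Append

    # Who is actually talking to the port right now.
    Write-Section "Established connections on TCP/$Port"
    Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue |
        Select-Object RemoteAddress, RemotePort, OwningProcess, CreationTime |
        Format-Table -AutoSize | Out-String | Tee-Object -FilePath $Report -Append
}

# 3. Persistence of the kind Joel found: scheduled tasks whose action fetches
#    from a URL or runs a script interpreter / download helper.
Write-Section "Scheduled tasks with URLs or interpreters in their actions"
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $line = "$($a.Execute) $($a.Arguments)"
        if ($line -match 'https?://|powershell|wscript|cscript|cmd(\.exe)?\s|bitsadmin|certutil') {
            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                Author  = $task.Author
                Action  = $line
                LastRun = $info.LastRunTime
                NextRun = $info.NextRunTime
            }
        }
    }
} | Format-Table -Wrap -AutoSize | Out-String | Tee-Object -FilePath $Report -Append

# 4. Port-proxy rules: the built-in way to expose RDP (3389) on 443, as in
#    Joel's story. An empty listing means no v4tov4 / v4tov6 mappings exist.
Write-Section "netsh portproxy rules"
netsh interface portproxy show all | Tee-Object -FilePath $Report -Append

# Preserve the raw state for whoever runs the incident response plan.
Get-NetTCPConnection | Export-Csv (Join-Path $OutDir 'tcp-connections.csv') -NoTypeInformation
Get-Process | Select-Object Id, Name, Path, StartTime |
    Export-Csv (Join-Path $OutDir 'processes.csv') -NoTypeInformation
"Triage written to $OutDir"
```

Run it from an elevated prompt so Get-Process can read module lists of services; the banner check Joel suggests (telnet to the port) is a separate, interactive step and is left out here.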
Re: [Full-disclosure] Gadi Evron strikes again
Everyone knows who Gadi is, so by definition, Gadi *is* high profile.

I happen to agree with Gadi, that a 0day is the day an EXPLOIT is RELEASED, where such exploit also serves as the ONLY vendor notification of a bug being discovered. Every adult on this list understands the definition, but the kids can't seem to grasp the not-so-subtle nuance between a 0day and the discovery of a bug in someone else's code.

This supposedly serious disclosure you refer to is a non-event; there was a press release about a supposedly serious flaw in PDF, there were no details, so therefore it doesn't even count as disclosure of a vulnerability.

-joel

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of worried security
Sent: Saturday, September 22, 2007 8:11 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Gadi Evron strikes again

Who seen Gadi Evron on the mailing lists trolling about what a 0day is and what a 0day isn't, in the middle of a serious disclosure about a PDF flaw? Hilarious. Well, just in case you missed it, here it is again...

http://seclists.org/bugtraq/2007/Sep/0229.html

And this guy wants to be a high profile guy at the forefront of information security discussion? lolzers.

Script kiddos unite behind the big man Evron. He leads, where the rest of us follow. And he comes on the lists complaining people are mimicking his e-mail addresses and calling him a dick. *I wonder why?*

It's funny, he strongly keeps an eye on the Funsec mailing list and keeps everyone in check. Yet, he has a total disregard for quality control elsewhere, especially on Bugtraq.

My question is: Who is Gadi Evron? This guy you would think would add something special to a discussion, but he doesn't, and you know what I know his excuse is? He is keeping his knowledge secret so bad guys can't learn from his knowledge. lolzers Gadi Evron.

The truth is, Gadi just wants to make sure his name and e-mail address is in every major flaw disclosure, no matter how lame the comment is; just as long as his name and e-mail is in high profile disclosures, then Gadi Evron can sleep at night. Thanks Gadi!!! My hero.

Bugtraq is moderated for a reason, so Bugtraq moderators, start moderating it!!! Symantec arsewipes. Securityfocus, no really, why are you allowing Gadi Evron to troll on such a high profile respected moderated list? Gadi's comment mentioned above was a true breach of the rules, so start moderating his comments more in future. Leave the trolling for F-D Gadi, Bugtraq readers don't want to see your shit in future, and Bugtraq moderators, actually read what Gadi Evron is posting in future, instead of just reading the name and sender and approving the message without actually reading the body. *Oh it's Gadi, it's automatically approved*

Let's look at Bugtraq's description:

BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them.
http://www.securityfocus.com/archive/1/description#0.1.1

lolzers, Bugtraq moderators don't read their own shit or enforce it! Someone snip a bit of that description that gives Gadi right of way to troll on Bugtraq in the middle of serious flaw disclosures!

Gadi, seriously f**king learn about the stuff you read, so you can actually input into the threads and help with the topic in front of you, instead of random off-topic messages about what defines a 0-day and what doesn't. Why didn't you start your own thread on Bugtraq about what is a 0-day? Because they wouldn't let you. Instead you sneak your shit into high profile threads, to get a name for yourself. Your conversation, as always Gadi, is best suited for Full-Disclosure or security-basics, so get the f*** off Bugtraq you idiot.
Re: [Full-disclosure] [Dailydave] Hacking software is lame -- try medical research...
Actually, if you find the cure, you can make a buck -- ONLY IF YOU CAN PATENT IT! People are not interested in researching diseases that are not profitable... for those patients, treating the symptoms is more profitable.

You, the patient, or the family member must become the doctor. Fortunately, I have possibly your answer, and if not, at least a direction to take.

Go to www.vitaganza.com and purchase WOBENZYM. It is THE BEST NUTRITIONAL SUPPLEMENT in existence, don't even bother with substitutes. This is an enzyme supplement that has 5 top-tier enzymes that, when ingested, proceed to break down longer protein chains and turn them into enzymes. This ultimately creates a cascading effect of creating over 2000 separate enzymes that then go through your body and fix damage, so back pain, muscle pain, knots in your back, surgery... this helps fix ALL DAMAGE in your body (damage that is possible to repair). Every cell in your body, every nerve fiber, everything requires enzymes to function. The cartilage in your body is the largest avascular, aneural and alymphatic tissue in your body. It is kept alive by being bathed in enzymes (anyhow, I digress).

Kristian, I have hacked problems like this before. Wobenzym will help both your brother and your friend. It may not be the silver bullet but it will definitely help, no question about that.

Gaucher's Disease: Enzyme Replacement Therapy (WOBENZYM)
Enzyme replacement therapy for lysosomal storage diseases did not become a reality until the early 1990s when its safety and effectiveness were demonstrated in type 1 Gaucher disease. Today, ERT is a reality for Gaucher disease, Fabry disease and mucopolysaccharidosis type I (MPS I), and clinical trials with recombinant human enzymes are ongoing in Pompe disease.

LCH: Wobenzym will help, but what may help even more is Guaifenesin tablets. THIS IS NOT A REPLACEMENT FOR TRADITIONAL THERAPY, keep going to the doc, and take this stuff.
http://www.guaifenesin.com/guaishop.htm

If you want to hack the problem, you need to be willing to be the guinea pig, the lab rat. Seek the care of licensed, trained doctors as you normally would, but don't listen to the pooh-poohing they give on natural, nutritional, or over-the-counter remedies. I personally take both Wobenzym and Guaifenesin to overcome some serious ailments that were incurable by modern medicine, and was forced to medicate the symptoms.

I hope this information helps you, and helps other people on the list who see this.

-joel

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Smith
Sent: Friday, September 21, 2007 1:18 PM
To: M. Shirk
Cc: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] [Dailydave] Hacking software is lame -- try medical research...

Just like technology research (hacking)... but... if you are the one that finds a cure, you'll make your buck too.

M. Shirk wrote:
> There is more money to be made in the treatment of a disease than actually finding a cure. Remind you of anything?
>
> Shirkdog
> ' or 1=1--
> http://www.shirkdog.us
>
> Date: Fri, 21 Sep 2007 10:37:20 -0700
> From: [EMAIL PROTECTED]
> To: full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
> Subject: [Dailydave] Hacking software is lame -- try medical research...
>
> Some interesting discussion came up on some security lists this week and it got me to thinking. Yes, hacking software is lame. Cool, so you found some vulnerabilities in some widely distributed application, service, or OS and it is patched just as quickly. Why don't we spend our time and valuable energy researching cures for rare or popular diseases instead?
>
> For instance, my brother (Jon Hermansen) has a very rare disease called Langerhans Cell Histiocytosis. It is also better known as LCH. It can be identified as causing such further diseases as Diabetes Insipidus, which is also uncommon (not sugar diabetes). Have you heard of these diseases before? Let me educate you.
>
> General Information:
> http://en.wikipedia.org/wiki/Langerhans_cell_histiocytosis
> http://en.wikipedia.org/wiki/Diabetes_insipidus
>
> Seven Part Video Series:
> http://youtube.com/watch?v=KkBRqZS8nfM
> http://youtube.com/watch?v=w1h6ZjxF-To
> http://youtube.com/watch?v=0ojbJpERlt8
> http://youtube.com/watch?v=dzUqdYofMCQ
> http://youtube.com/watch?v=lNhzwNYhi0M
> http://youtube.com/watch?v=nY9DDEhShcE
> http://youtube.com/watch?v=5_8SEYyEZGI
>
> And even worse than this, a friend of mine who is a PhD student in Math at Berkeley has an even rarer disease known as Gaucher's Disease. This costs $550,000 / year to treat. That's a hefty bill every year (you make that much doing security vulns?), and some insurance companies might refuse to accept you due to pre-existing conditions. So guess what, my friend does not have health insurance and has not been treated for two years. A genius might die. That's ludicrous.
>
> http://en.wikipedia.org/wiki/Gaucher's_disease
Re: [Full-disclosure] Symantec Contact?
Symantec is notoriously slow to release AV updates, because while they may have the AV signature available within the hour, they hold it back until they have the signature configured and working for all versions of all their products running on all platforms, which at last count was over 2.45 gazillion (and counting). They state that they don't want to issue partial releases for different products, which makes sense. If you have version xxx..z of the definition file, then you're covered against the FOO variant of the BAR virus, irrespective of whatever Symantec application, platform, or version you're running. The downside is that they take a LONG time to release signatures, as you have now seen.

I do not use Symantec, as too often they have been the single point of failure in the enterprise, and one should not underestimate the system slowdown brought on by 15 years of code bloat.

-joel

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Beauchamp, Brian
Sent: Monday, September 17, 2007 12:28 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Symantec Contact?

That's where I submitted our file to yesterday. It's funny that less than 5 minutes ago I received an email that the defs had been updated to include this variant.

From: Theodore Pham [mailto:[EMAIL PROTECTED]
Sent: Mon 9/17/2007 1:13 PM
To: Beauchamp, Brian
Subject: Re: [Full-disclosure] Symantec Contact?

Submit the sample to Symantec via http://www.symantec.com/avcenter/submit.html

They've been pretty responsive in the past, though I haven't needed to submit a sample in over a year.

Ted Pham
Information Security Office
Carnegie Mellon University

Beauchamp, Brian wrote:
> Does anyone have a contact within Symantec? We have numerous infections of the W32/Sdbot-DHS worm (http://www.sophos.com/virusinfo/analyses/w32sdbotdhs.html). Most major AV vendors are updating their definitions to block it; one of them isn't Symantec.
>
> We have created a removal kit but the machines keep being reinfected since they cannot all be disinfected at once (limited network access). We have submitted a virus sample last week and have contacted our sales rep; neither are giving a helpful response. Aside from cutting over to the Sophos AV client, any ideas?
Re: [Full-disclosure] What do you guys make of this?
Not sure if it came across in the email, but for the record: I love Russia, always have. Growing up in the cold war, I never figured out why we were supposed to fear them. I loved the USSR military hardware, admired how well it worked, the elegant simplicity. The MIG-29 Fulcrum was astounding. My favorite plane though was the F-15.

-Original Message-
From: Timo Schoeler [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 06, 2007 6:17 PM
To: Joel R. Helgeson; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] What do you guys make of this?

> thus Joel R. Helgeson spake:
>> There was a time in foreign policy where no country, no diplomat would make a foreign policy decision without first asking "what does Russia think of this?".
>
> No. It was 'Soviet Union', not 'Russia'.

So what, America, USA, you know what I'm talking about.

>> Well, Russia is no longer a super power,
>
> Well, actually, it is. It has thousands of nuclear warheads, it has more advanced fighter jets and bombers than the US, it has more advanced space technology and ICBMs, submarines, education, healthcare... It has _plenty_ of resources the US has to go to war for (natural gas, oil, etc).

Overly simplistic thinking. Nations don't go to war over natural resources anymore. In the 1930's, yes, a country was the sum total of its natural resources - including people, who were used for manual labor. Now, it is the PEOPLE who create value.

>> the fall from which left Putin feeling excluded. He's always wanted to get Russia back to superpower status, he wants his Mother Russia to be significant again.
>
> Propaganda.

LOL, no, it's called reality.

>> For years, the Russian economy was cash strapped.
>
> No. It suffered from a few people that stole what the people's was.

It had no exports, no economy. The tax system was crazy so people simply did not pay. This bankrupted the government.

>> Just recently Putin revamped the entire tax system and implemented a 12% flat tax. For the first time since the collapse, the tax revenues are POURING in. They now have enough gas to fuel a plane, and now they want to get back into being viewed as a superpower, to be 'feared', they desperately want to matter again, to be important.

I see you have no response to this.

>> So, they're acting out in an aggressive manner - using tried and true cold war era tactics. It comes across to me as childish, throwing a fit just to get attention.
>
> If _that_ is childish, what is the US's behaviour then? Oh, sorry, I forgot: Children usually don't rape, kill and spread war^H^H^Hdemocracy.

America is doing what it has always done. Fighting for the freedom of others. War is always ugly, but not as ugly as standing by and letting evil flourish.

>> It is not propaganda, Russia is just trying to say "We're BAACK! And this time, we've got 31337 H4x0rz!"
>
> Blah. Blahblah. :)
>
>> Joel Helgeson
>> 952-858-9111
>
> 9/11? Yup
Re: [Full-disclosure] What do you guys make of this?
There was a time in foreign policy where no country, no diplomat would make a foreign policy decision without first asking "what does Russia think of this?". Well, Russia is no longer a super power, the fall from which left Putin feeling excluded. He's always wanted to get Russia back to superpower status, he wants his Mother Russia to be significant again.

For years, the Russian economy was cash strapped. Just recently Putin revamped the entire tax system and implemented a 12% flat tax. For the first time since the collapse, the tax revenues are POURING in. They now have enough gas to fuel a plane, and now they want to get back into being viewed as a superpower, to be 'feared', they desperately want to matter again, to be important.

So, they're acting out in an aggressive manner - using tried and true cold war era tactics. It comes across to me as childish, throwing a fit just to get attention.

It is not propaganda, Russia is just trying to say "We're BAACK! And this time, we've got 31337 H4x0rz!"

Joel Helgeson
952-858-9111

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Smith
Sent: Thursday, September 06, 2007 11:47 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] What do you guys make of this?

So, what's up with Russia these days? I'm hearing more and more about Russia on the news. Is this just propaganda or is something really going on?

http://news.bbc.co.uk/2/hi/uk_news/6957589.stm

- simon
--
http://www.snosoft.com
Re: [Full-disclosure] What do you guys make of this?
Short answer, no. The Russia of today has little resemblance to the Cold War Russia. Putin is ex-KGB and is somewhat waxing nostalgic for the way it used to be. He wants to show the world that he deserves attention without acting like a lunatic (like N. Korea). Putin knows that his government will be viewed by history as being a transitional government. It is Putin's goal to be remembered as the man who saved Russia, to prove that the Russian people are a proud people, worthy of respect and not to be underestimated. And if Putin fails? Well, at least the vodka is still cheap! He won't fail though. The world is a better place having them participate in the global economy.

The circumstances that begat the Cold War are no longer around. Remember, it was the fax machine that caused Russia to collapse. Once the government-controlled newspapers lost their grip on the flow of information, they could no longer manage the country. To counter the fax machine, Gorbachev implemented Perestroika, which enabled the Russians to see how depraved their economy was, and the regime collapsed shortly thereafter.

A friend and colleague who received his PhD in Russian studies was visiting the USSR in the early '80s. He said that he was in a park throwing a Frisbee when he was approached by a police officer who told him he was breaking the law and should stop if he didn't want to get arrested. He answered in perfect Russian, "How am I breaking the law? Where is the law stating I cannot throw a Frisbee in the park on a warm sunny day?" To which the officer replied, "Comrade, there is no law that states that you CAN throw a Frisbee in the park." He would further relate that in public, his friends would talk about this-and-that, but in private, they all wanted to know "Is the United States really going to nuke us?" He couldn't believe it because in the USSR, the number one fear on the minds of every Russian was fear of nuclear annihilation, while at the same time in the USA, the number one fear on the minds of every American was public speaking... Literally!

So, no, this does not concern me. In fact, I think it's kinda cute. That silly Putin!

Regards,
Joel Helgeson

-----Original Message-----
From: Simon Smith [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 06, 2007 3:04 PM
To: Joel R. Helgeson
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] What do you guys make of this?

I agree with what you said for the most part. I also know that most Russian people are very happy with what Putin is doing. Thus far, in their eyes, he's one of the best leaders that they've had in ages. Do you think that Russia is actually going to become a threat again? Do you think this will go back to the cold-war like times?

Joel R. Helgeson wrote:
> There was a time in foreign policy when no country, no diplomat would make a foreign policy decision without first asking "What does Russia think of this?" Well, Russia is no longer a superpower, the fall from which left Putin feeling excluded. He's always wanted to get Russia back to superpower status; he wants his Mother Russia to be significant again.
>
> For years, the Russian economy was cash-strapped. Just recently Putin revamped the entire tax system and implemented a 12% flat tax. For the first time since the collapse, the tax revenues are POURING in. They now have enough gas to fuel a plane, and now they want to get back into being viewed as a superpower, to be 'feared'; they desperately want to matter again, to be important. So, they're acting out in an aggressive manner, using tried and true Cold War era tactics. It comes across to me as childish, throwing a fit just to get attention. It is not propaganda, Russia is just trying to say "We're BAACK! And this time, we've got 31337 H4x0rz!"
>
> Joel Helgeson
> 952-858-9111
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Simon Smith
> Sent: Thursday, September 06, 2007 11:47 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] What do you guys make of this?
>
> So, what's up with Russia these days? I'm hearing more and more about Russia on the news. Is this just propaganda or is something really going on?
>
> http://news.bbc.co.uk/2/hi/uk_news/6957589.stm
>
> - simon
> --
> http://www.snosoft.com

--
- simon
--
http://www.snosoft.com
Re: [Full-disclosure] New virus - possible rootkit
This is actually a rootkit that is as serious as I had feared. I am gathering up more information. If you have the files in the directories specified, you have a problem.

The file is http://www.appiant.net/infected.zip, password is "infected".

If you are infected with the rootkit, it does not alarm on any of the files...

Joel

----- Original Message -----
From: Joel R. Helgeson [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Wednesday, September 20, 2006 3:30 PM
Subject: [Full-disclosure] New virus - possible rootkit

> Virus Alert - Possible Rootkit
> --
> The files ARE NOT detected by ANY current AV scanning signature engine.
>
> I do not have the time to write a report on the entire analysis but I wanted to get the data out to everyone ASAP so that you can detect this running on your computers. I'm finding that this is pretty widespread here on my customers' network.
>
> This appears to be an IRC bot that encrypts its traffic to fly beneath the radar. What makes it more interesting is that the directories it creates have SYSTEM ownership and only SYSTEM and Creator/Owner can access the files. Changing permissions on the files or directories will only be changed back. It also appears that if you remove the file, it will start revoking permissions on all files and will remove everyone's but SYSTEM's permission to all files.
>
> This is very, very early prelim info, and I am trying to both quarantine the damage and investigate the infection on top of trying to get the word out. (I know what the cygwin files are, but they came with the infection so I include them here.)
>
> I've uploaded the .zip file with all the programs in their respective directories recursed to my web site; I'll have it up there by 21 Sep, 2006.
> http://www.appiant.net
>
> The files and locations:
> c:\windows\system32\cygcrypt-0.dll (linux crypto)
> c:\windows\system32\cygwin1.dll (linux command)
> c:\windows\system32\dntus26.exe (used for remote admin)
> c:\windows\system32\javadebug.dll (actually a text file)
> c:\windows\system32\rundl32.exe (ircbot interface)
> c:\windows\system32\zonedown.bat (batch file that launches rundl32.exe with the text from javadebug.dll; I don't know what else it does yet)
> c:\windows\system32\scardsvrs.exe (the device that appears to launch the zonedown.bat file... still working)
> c:\windows\system32\wbem\svchost.exe (Serv-U FTP service - modified -)
> c:\windows\system32\wbem\wbem.exe (working on what this one does)...
>
> It also placed files in a hidden directory with only SYSTEM privileges:
> c:\windows\system32\DirectX\Dinput\Others\
> The file placed in there was a snippet of a movie, DivX encoded... the filename was Min2 (no extension).
>
> Below is what AVERT Labs reported when I submitted the file.
>
> Joel Helgeson
> Appiant, Inc.
> 952-858-9111
>
> ---
> AVERT Labs - Beaverton
> Current Scan Engine Version: 4.4.00
> Current DAT Version: 4855
>
> Thank you for your submission.
> Analysis ID: 2533501
>
> Name            Findings             Detection     Type         Extra
> cygcrypt-0.dll  no malware                                      n
> cygwin1.dll     no malware                                      n
> dntus26.exe     heuristic detection  remadm-dwrc   Application  n
> javadebug.dll   inconclusive                                    no
> rundl32.exe     current detection    iroffer       Application  no
> scardsvrs.exe   heuristic detection  srvany        Application  no
> svchost.exe     current detection    servu-daemon  Application  no
> wbem.exe        heuristic detection  srvany        Application  no
> zonedown.bat    inconclusive                                    no
>
> current detection [ rundl32.exe svchost.exe ]
> Our analysis detected a potentially unwanted program file or joke program with our current DAT files and engine. It is recommended that you update your DAT and engine files and scan your computer again. You may not want this program installed. If you do not want it installed, we recommend that you use the Add/Remove Program in the Windows Control Panel to completely uninstall the detected program. You can also contact the Virus Information Library for information about manually uninstalling potentially unwanted programs. If you are not seeing this with the product you are using, please speak with technical support so that they can help you determine the cause of this discrepancy. If you use the McAfee VirusScan Online or VirusScan Retail products, and do not have the DAT File Version specified, please visit http://www.webimmune.net/extra/getextra.aspx and use the detection name supplied in this message to receive an extra.dat file for detection.
>
> inconclusive [ javadebug.dll zonedown.bat ]
> Upon analysis the file submitted does not appear to contain one of the 100,000 known threats in the AutoImmune database. The file may contain a new malware threat, or no code capable of being infected. Your submission is being forwarded to an AVERT Researcher for further analysis. You will be contacted by AVERT through e-mail with the results of that analysis.
>
> heuristic
[Full-disclosure] New virus - possible rootkit
Virus Alert - Possible Rootkit
--
The files ARE NOT detected by ANY current AV scanning signature engine.

I do not have the time to write a report on the entire analysis but I wanted to get the data out to everyone ASAP so that you can detect this running on your computers. I'm finding that this is pretty widespread here on my customers' network.

This appears to be an IRC bot that encrypts its traffic to fly beneath the radar. What makes it more interesting is that the directories it creates have SYSTEM ownership and only SYSTEM and Creator/Owner can access the files. Changing permissions on the files or directories will only be changed back. It also appears that if you remove the file, it will start revoking permissions on all files and will remove everyone's but SYSTEM's permission to all files.

This is very, very early prelim info, and I am trying to both quarantine the damage and investigate the infection on top of trying to get the word out. (I know what the cygwin files are, but they came with the infection so I include them here.)

I've uploaded the .zip file with all the programs in their respective directories recursed to my web site; I'll have it up there by 21 Sep, 2006.
http://www.appiant.net

The files and locations:
c:\windows\system32\cygcrypt-0.dll (linux crypto)
c:\windows\system32\cygwin1.dll (linux command)
c:\windows\system32\dntus26.exe (used for remote admin)
c:\windows\system32\javadebug.dll (actually a text file)
c:\windows\system32\rundl32.exe (ircbot interface)
c:\windows\system32\zonedown.bat (batch file that launches rundl32.exe with the text from javadebug.dll; I don't know what else it does yet)
c:\windows\system32\scardsvrs.exe (the device that appears to launch the zonedown.bat file... still working)
c:\windows\system32\wbem\svchost.exe (Serv-U FTP service - modified -)
c:\windows\system32\wbem\wbem.exe (working on what this one does)...

It also placed files in a hidden directory with only SYSTEM privileges:
c:\windows\system32\DirectX\Dinput\Others\
The file placed in there was a snippet of a movie, DivX encoded... the filename was Min2 (no extension).

Below is what AVERT Labs reported when I submitted the file.

Joel Helgeson
Appiant, Inc.
952-858-9111

---
AVERT Labs - Beaverton
Current Scan Engine Version: 4.4.00
Current DAT Version: 4855

Thank you for your submission.
Analysis ID: 2533501

Name            Findings             Detection     Type         Extra
cygcrypt-0.dll  no malware                                      n
cygwin1.dll     no malware                                      n
dntus26.exe     heuristic detection  remadm-dwrc   Application  n
javadebug.dll   inconclusive                                    no
rundl32.exe     current detection    iroffer       Application  no
scardsvrs.exe   heuristic detection  srvany        Application  no
svchost.exe     current detection    servu-daemon  Application  no
wbem.exe        heuristic detection  srvany        Application  no
zonedown.bat    inconclusive                                    no

current detection [ rundl32.exe svchost.exe ]
Our analysis detected a potentially unwanted program file or joke program with our current DAT files and engine. It is recommended that you update your DAT and engine files and scan your computer again. You may not want this program installed. If you do not want it installed, we recommend that you use the Add/Remove Program in the Windows Control Panel to completely uninstall the detected program. You can also contact the Virus Information Library for information about manually uninstalling potentially unwanted programs. If you are not seeing this with the product you are using, please speak with technical support so that they can help you determine the cause of this discrepancy. If you use the McAfee VirusScan Online or VirusScan Retail products, and do not have the DAT File Version specified, please visit http://www.webimmune.net/extra/getextra.aspx and use the detection name supplied in this message to receive an extra.dat file for detection.

inconclusive [ javadebug.dll zonedown.bat ]
Upon analysis the file submitted does not appear to contain one of the 100,000 known threats in the AutoImmune database. The file may contain a new malware threat, or no code capable of being infected. Your submission is being forwarded to an AVERT Researcher for further analysis. You will be contacted by AVERT through e-mail with the results of that analysis.

heuristic detection [ dntus26.exe scardsvrs.exe wbem.exe ]
The file received may contain a potentially unwanted program file or joke program. This potential threat was identified with our most powerful set of heuristic DAT drivers. Heuristic drivers can make false-positive identifications; as such, this issue is being escalated to AVERT for a thorough review. In the meantime, it is recommended that you update your DAT and engine files and scan your computer again. You will be contacted through e-mail with the results of our analysis. Warning: McAfee products do not clean potentially unwanted program files or joke programs. The
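A check for the indicators in the two messages above (the original report and the follow-up confirming it), as an added example and not the poster's code: it looks under a given system root for the files and the SYSTEM-only directory the post lists, and flags the two names that shadow legitimate Windows binaries (rundl32.exe next to the real rundll32.exe, and an svchost.exe under wbem rather than system32). The lookalike table, the constructed sample tree and the report layout are this example's own assumptions; it checks only names and locations, because the post gives no hashes to verify contents against.

```python
"""Scan a Windows system root for the indicators in the 2006 rootkit post.

Added example, not the original poster's code. Indicator paths are the ones
the post lists under the Windows directory; the lookalike table and the
sample tree built by build_sample_tree() are this example's additions.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path, PureWindowsPath

# Files the post reports, relative to %SystemRoot%.
INDICATOR_FILES = [
    r"system32\cygcrypt-0.dll",
    r"system32\cygwin1.dll",
    r"system32\dntus26.exe",
    r"system32\javadebug.dll",
    r"system32\rundl32.exe",
    r"system32\zonedown.bat",
    r"system32\scardsvrs.exe",
    r"system32\wbem\svchost.exe",
    r"system32\wbem\wbem.exe",
]

# Hidden directory the post says only SYSTEM can read.
INDICATOR_DIRS = [r"system32\DirectX\Dinput\Others"]

# Analyst's note (assumption, not from the post): these two indicator names
# mimic legitimate Windows binaries, so a glance at a process list misses them.
LOOKALIKES = {
    r"system32\rundl32.exe": r"system32\rundll32.exe",
    r"system32\wbem\svchost.exe": r"system32\svchost.exe",
}


def _resolve(root: Path, rel_windows_path: str) -> Path:
    """Join a backslash-separated relative path onto root, on any OS."""
    return root.joinpath(*PureWindowsPath(rel_windows_path).parts)


def scan(system_root: str | os.PathLike) -> dict:
    """Report which indicators exist under system_root.

    'unreadable' lists indicator directories that exist but cannot be
    listed, which is what the SYSTEM-only ACL in the post would produce
    for a non-SYSTEM account.
    """
    root = Path(system_root)
    report = {"files": [], "dirs": [], "dir_contents": {},
              "unreadable": [], "lookalikes": []}
    for rel in INDICATOR_FILES:
        if _resolve(root, rel).is_file():
            report["files"].append(rel)
            if rel in LOOKALIKES:
                report["lookalikes"].append((rel, LOOKALIKES[rel]))
    for rel in INDICATOR_DIRS:
        path = _resolve(root, rel)
        if path.is_dir():
            report["dirs"].append(rel)
            try:
                report["dir_contents"][rel] = sorted(p.name for p in path.iterdir())
            except PermissionError:
                report["unreadable"].append(rel)
    return report


def is_infected(report: dict) -> bool:
    return bool(report["files"] or report["dirs"])


def build_sample_tree(base: Path, infected: bool) -> Path:
    """Constructed stand-in for the Windows directory (placeholder bytes only).

    Both variants carry the legitimate rundll32.exe and system32/svchost.exe;
    the infected variant adds three indicator files plus the Others directory
    holding the Min2 file the post mentions.
    """
    sys32 = base / "system32"
    (sys32 / "wbem").mkdir(parents=True)
    (sys32 / "rundll32.exe").write_bytes(b"legitimate placeholder")
    (sys32 / "svchost.exe").write_bytes(b"legitimate placeholder")
    if infected:
        for name in ("rundl32.exe", "zonedown.bat"):
            (sys32 / name).write_bytes(b"sample indicator")
        (sys32 / "wbem" / "svchost.exe").write_bytes(b"sample indicator")
        others = sys32 / "DirectX" / "Dinput" / "Others"
        others.mkdir(parents=True)
        (others / "Min2").write_bytes(b"sample indicator")
    return base


def demo() -> dict:
    """Scan a clean and an infected constructed tree; return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = scan(build_sample_tree(Path(tmp) / "clean", infected=False))
        hit = scan(build_sample_tree(Path(tmp) / "infected", infected=True))
    return {"clean": clean, "infected": hit}


if __name__ == "__main__":
    # On a live Windows host this checks the real system root.
    live = scan(os.environ.get("SystemRoot", r"C:\Windows"))
    print("indicators found" if is_infected(live) else "no indicators found", live)
```

Run it as Administrator on the suspect host, or point `scan()` at a mounted offline image; the post says the dropper resets ACLs and re-creates removed files, so a hit should be followed by imaging rather than deleting files in place.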
[Full-disclosure] Newest Phishing Technique:
Joel Helgeson
Re: [Full-disclosure] Application Security Hacking Videos
Mr. King,

On the contrary, I am not trying to besmirch Microsoft. I want people to understand that the Microsoft SQL video is proof positive that the Web Applications MUST provide the protection to the database and all back end services. If your web application wasn't written to protect the back end, then it is facilitating the attack on the back end. At which point, you have two choices: re-write the web application or put an application firewall in front of it.

I have made the videos and my website content available to all so that everyone, including management and non-technical people, can better understand and appreciate these vulnerabilities, especially how easy they are to discover and to exploit.

Yes, I was hired to do a security audit for the college, part of which included the web server security assessment. I performed the web assessment on day 1 of the audit, I showed the video to the college on day two, and by lunch time we had installed the WebScurity web application firewall and it is protecting the site to this day. They have agreed to be a reference for both Appiant and WebScurity.

Joel

----- Original Message -----
From: Dave King [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Saturday, May 27, 2006 12:14 PM
Subject: Re: [Full-disclosure] Application Security Hacking Videos

> I'm not sure what the clips from Microsoft are trying to show. To me it seems like they're intended to show that Microsoft doesn't have a good fix for the problem at hand. From what I gathered from the training they were trying to show some ways to seriously lock down a SQL Server 2000, which would help mitigate some risks, while causing some usability problems. Microsoft has been an advocate of strong server side input validation (ASP.Net even has some nice features to help you with this). The video was just showing another layer in a good layered security approach.
>
> Lastly, I'm of the opinion that ticks should be allowed in a password. I don't like restricting characters in a password. However, best practices should be followed. If, for example, in the video the college had been storing the password as a secure hash, then hashing the password that was input and comparing them (preferably using a stored proc to do the SQL stuff), then the attack would have failed.
>
> Dave King
> http://www.thesecure.net
> http://www.remotecheckup.com
>
> Joel R. Helgeson wrote:
>> With college campuses being hacked into on a seemingly daily basis, and student information being stolen and used for Identity Theft, I thought you might like to see how the hacks are being done, and how astoundingly easy they are. I have produced a video of a security audit I performed on a local college website that shows how easy these exploits are. There is also a brief training on the homepage that introduces non-experts to SQL injection concepts in a fashion that makes it easy to understand.
>>
>> Below is the link to the video of me hacking into the college web site using SQL injection:
>> http://www.appiant.net/exploit.wmv
>>
>> Other videos related to application security can be viewed from the home page as well:
>> http://www.appiant.net/
>>
>> It's not available from the web page, but if you want to see the video of Microsoft's response to application security by securing the database:
>> http://www.appiant.net/sql_security.wmv
>>
>> No, that video is not a fake; the entire video can be accessed from Microsoft's website. The original is over an hour long, I just edited it down to ~5 minutes so you could get the point in a shorter timeframe.
>> http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=31
>>
>> Any questions, feel free to ask...
>>
>> Regards,
>> Joel R. Helgeson
>> President
>> Appiant, Inc.
>> 1402 County Road C2 W
>> Saint Paul, MN 55113
>> (952) 858-9111
[Full-disclosure] Application Security Hacking Videos
With college campuses being hacked into on a seemingly daily basis, and student information being stolen and used for Identity Theft, I thought you might like to see how the hacks are being done, and how astoundingly easy they are. I have produced a video of a security audit I performed on a local college website that shows how easy these exploits are. There is also a brief training on the homepage that introduces non-experts to SQL injection concepts in a fashion that makes it easy to understand.

Below is the link to the video of me hacking into the college web site using SQL injection:
http://www.appiant.net/exploit.wmv

Other videos related to application security can be viewed from the home page as well:
www.appiant.net

It's not available from the web page, but if you want to see the video of Microsoft's response to application security by securing the database:
http://www.appiant.net/sql_security.wmv

No, that video is not a fake; the entire video can be accessed from Microsoft's website. The original is over an hour long, I just edited it down to ~5 minutes so you could get the point in a shorter timeframe.
http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=31

Any questions, feel free to ask...

Regards,
Joel R. Helgeson
President
Appiant, Inc.
1402 County Road C2 W
Saint Paul, MN 55113
(952) 858-9111
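The two fixes Dave King proposes in the thread above (store a secure hash of the password, then hash the submitted password and compare, with the SQL done through a stored procedure or equivalent) alongside Joel's point that the application itself has to protect the back end, as an added example against an in-memory SQLite database. This is not code from the college site, the videos, or either poster; the table layout, the two accounts, the use of PBKDF2 as the "secure hash" and the login function names are this example's assumptions. The vulnerable login builds its query by string concatenation the way the exploited site presumably did; the safe one binds parameters and compares hashes in constant time.

```python
"""SQL injection: a string-built login query beside a parameterised one that
compares password hashes.

Added example, not code from the college site or the videos. Table layout,
accounts and the PBKDF2 choice are constructed for the demo.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the 'secure hash' in Dave King's suggestion."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def setup_demo_db() -> sqlite3.Connection:
    """In-memory database with two constructed accounts.

    users_plain keeps clear-text passwords, which is what the vulnerable
    login below expects; users_hashed keeps a per-user salt and a hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users_plain  (username TEXT PRIMARY KEY, password TEXT);
        CREATE TABLE users_hashed (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB);
        """
    )
    for user, pw in (("admin", "s3cret"), ("dave", "O'Reilly")):
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (user, pw))
        salt = os.urandom(16)
        conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?)",
                     (user, salt, hash_password(pw, salt)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Splices user input into the SQL text. A password of  ' OR '1'='1
    turns the WHERE clause into  username='x' AND password='' OR '1'='1'
    and matches every row; a legitimate tick in a password breaks the query.
    """
    sql = ("SELECT username FROM users_plain "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameter binding keeps input out of the SQL grammar; the password
    never reaches the database at all, only its hash is compared, in the
    application, in constant time.
    """
    row = conn.execute(
        "SELECT salt, pw_hash FROM users_hashed WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    salt, stored = row
    return username if hmac.compare_digest(hash_password(password, salt), stored) else None


def ticks_break_vulnerable_login(conn: sqlite3.Connection) -> bool:
    """True if dave's legitimate password O'Reilly raises a SQL error in the
    string-built query, i.e. the site would have to ban ticks to stay up."""
    try:
        login_vulnerable(conn, "dave", "O'Reilly")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = setup_demo_db()
    payload = "' OR '1'='1"
    print("vulnerable, injected:", login_vulnerable(db, "admin", payload))
    print("safe, injected:      ", login_safe(db, "admin", payload))
    print("safe, real password: ", login_safe(db, "dave", "O'Reilly"))
    print("tick breaks vulnerable login:", ticks_break_vulnerable_login(db))
```

The stored-procedure route Dave King mentions gives the same protection only if the procedure is called with bound parameters; a procedure invoked through a concatenated EXEC string is injectable in exactly the same way as the inline query.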
[Full-disclosure] Microsoft AntiSpyware attacks Norton AV?
Is anyone else seeing/experiencing this?

A customer of mine stated that Microsoft AntiSpyware updated its signature files between 2/9 and 2/10 to signature version 5805. When it scanned each system it found a Trojan called PWS.Bancos.A (Password Stealer) - Level: Severe. When it quarantined the bug, it also rendered the Symantec AntiVirus helpless. The Rtvscan.exe kicks up to 100% CPU utilization. The only way to stop it is to try to end the process in Task Manager or reboot the computer system. Either will release the CPU; however, now the Symantec AntiVirus is corrupt and not usable.

My take on what has happened:

<speculation>
The PWS.Bancos.A virus was apparently distributed with the Bagle worm; it attacked and shut down Microsoft AntiSpyware as well as deleted executable files and killed running processes for anti-virus software. It appears that MS AntiSpyware incorrectly identified some parts of Symantec's AntiVirus as being the trojan and then went to delete the infection. Once deleted, it threw Symantec AV into a tailspin causing 100% CPU utilization wherein, upon reboot or killing the offending task, SAV was rendered useless and needing to be reinstalled.
</speculation>

Microsoft very quickly released signature version 5807 to correct the mistake.

Anyone else seeing this?

Joel