Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-13 Thread Kurt Dillard
So far I agree with Thor. Did I miss something? Has anyone demonstrated
using the locally cached credentials to access resources across the network?
So far I haven't seen anything new or interesting in this thread:

1. StenoPlasma claims that a local admin can access and reuse the cached
credentials of other users.
2. Stefan, Thor, et al yawn.
3. Joyce, Andrea, and perhaps others seem to be conflating local access
(what StenoPlasma was talking about) with gaining domain admin privileges on
domain controllers and other resources on separate machines (which nobody
appears to have shown is possible using locally cached credentials).

If I've missed something obvious please educate me.

Regards,

Kurt Dillard 




-Original Message-
From: katt...@gmail.com [mailto:katt...@gmail.com] On Behalf Of Andrea Lee
Sent: Monday, December 13, 2010 2:12 PM
To: Thor (Hammer of God)
Cc: George Carlson; bugt...@securityfocus.com;
full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching
Allows Local Workstation Admins to Temporarily Escalate Privileges and Login
as Cached Domain Admin Accounts (2010-M$-002)

I hope I'm not just feeding the troll...

A local admin is an admin on one system. The domain admin is an admin on all
systems in the domain, including mission critical Windows servers. With
temporary domain admin privs, the local admin could log into the AD and
change permissions / passwords for another user or another user, thus
getting full admin rights on all systems for a long period of time. Plus
whatever havoc might be caused by having the ability to change rights on
fileshares to allow the new domain admin to see confidential files.

I would expect that the intent is to use another flaw for a normal user to
become a local admin, and then jump to domain admin via this.

So yes. In an enterprise environment, the "domain administrator" is
"bigger".

Cheers,

On Fri, Dec 10, 2010 at 4:15 PM, Thor (Hammer of God) 
wrote:
> Wow.  I guess you didn't read the post either.  I'm a bit surprised that a
Sr. Network Engineer thinks that Group Policies "differentiate between local
and Domain administrators."  You're making it sound like you think Group
Policy application has some "magic permissions" or something, or that a
"domain administrator" is a "bigger" administrator than the local
administrator.
>
> Group Policy loads from the client via the Group Policy Client service.  
If I'm a local admin, I can just set my local system to not process group
policy via the GPExtensions hive.  Done.  If I take the domain admin out of
my local administrators, they can't do anything.  Done.
>
> How exactly do you think this is problematic for "shops that differentiate
between desktop support and AD support"?  (whatever that means).
>
> t
>
>>-Original Message-
>>From: full-disclosure-boun...@lists.grok.org.uk 
>>[mailto:full-disclosure- boun...@lists.grok.org.uk] On Behalf Of 
>>George Carlson
>>Sent: Friday, December 10, 2010 10:12 AM
>>To: bugt...@securityfocus.com; full-disclosure@lists.grok.org.uk
>>Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account 
>>Caching Allows Local Workstation Admins to Temporarily Escalate 
>>Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
>>
>>Your objections are mostly true in a normal sense.  However, it is not 
>>true when Group Policy is taken into account.  Group Policies 
>>differentiate between local and Domain administrators and so this 
>>vulnerability is problematic for shops that differentiate between 
>>desktop support and AD support.
>>
>>
>>George Carlson
>>Sr. Network Engineer
>>(804) 423-7430
>>
>>
>>-Original Message-
>>From: Stefan Kanthak [mailto:stefan.kant...@nexgo.de]
>>Sent: Friday, December 10, 2010 11:30 AM
>>To: bugt...@securityfocus.com; full-disclosure@lists.grok.org.uk
>>Cc: stenopla...@exploitdevelopment.com
>>Subject: Re: Flaw in Microsoft Domain Account Caching Allows Local 
>>Workstation Admins to Temporarily Escalate Privileges and Login as 
>>Cached Domain Admin Accounts (2010-M$-002)
>>
>>"StenoPlasma @ www.ExploitDevelopment.com" wrote:
>>
>>Much ado about nothing!
>>
>>> TITLE:
>>> Flaw in Microsoft Domain Account Caching Allows Local Workstation 
>>> Admins to Temporarily Escalate Privileges and Login as Cached Domain 
>>> Admin Accounts
>>
>>There is NO privilege escalation. A local administrator is an 
>>administrator is an administrator...
>>
>>> SUMMARY AND IMPACT:
>>> All versions of Microsoft Windows operating systems allow re

Re: [Full-disclosure] bloginfosec.com: We're looking for a few good columnists!

2008-07-09 Thread Kurt Dillard
How much do you pay?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kenneth F.
Belva
Sent: Wednesday, July 09, 2008 10:24 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] bloginfosec.com: We're looking for a few good
columnists!

Table of Contents
-
1. Introduction
2. Reasons to Write on bloginfosec.com
3. bloginfosec.com Magazine Philosophy
4. bloginfosec.com Writing Commitment
5. Contact bloginfosec.com
6. Newsletter


Introduction

We are expanding in size and are looking for a few qualified writers.
The project has developed substantially and we are looking to take it to
the next level!

Why write? See below! Also, please pass this opportunity to other
colleagues that may have an interest in writing for (or reading)
bloginfosec.com!


Reasons to Write on bloginfosec.com
---
* Graced the cover of computerworld.com over 10 times
* Have a readership in over 110 countries
* Website can be translated into over 36 languages
* Partnerships with major industry players
* Ranked as a top influencer for 2007
* Have a daily and constantly growing readership who interact with
material
* Syndicated across various web channels to increase readership
* Join Outstanding Columnists


bloginfosec.com Magazine Philosophy
---
Our core philosophy is that working, "in the trenches" industry experts
know best. That's why each columnist determines the subject matter on
which they wish to write. bloginfosec.com believes in a laissez-faire
editorial style: editorial interference in content selection is kept to
a minimum.

Our core values include:
1. Have the best content written by top people
2. Expose content to the widest audience through network affiliates
3. Create synergy with other information security organizations


bloginfosec.com Writing Commitment
--
Our requirement will be one column a month for the next twelve months on
any information security topic of your choice.

Please see columnist agreement for more information:
http://www.bloginfosec.com/columnists/columnist-agreement/


Contact bloginfosec.com
---
1. Email: [EMAIL PROTECTED]
2. Website: http://www.bloginfosec.com/contact/

Newsletter
--
Have bloginfosec.com information delivered directly to your inbox! See
the top right of the magazine for the subscription box. 


Thanks for your time. I look forward to hearing from you.

Kenneth F. Belva
Publisher & Editor-in-Chief, bloginfosec.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Re: [Full-disclosure] Need some help with management

2008-05-22 Thread Kurt Dillard
If your team isn't going to be managing this server who is? 

Ask him this: would it be ok for your penpal from Russia to bring his family 
over and move into your boss' spare bedroom for a few months until they find 
their own place? Come on, it will be fine, you've been trading emails with this 
guy for a couple of years now. He told you he has a job lined up over here so 
he won't be a financial burden or anything. His kids sound like fun too, your 
boss' family will love them!

You don't just want to try to shoot down the idea without having alternatives 
prepared. If all you do is try to negate business initiatives you'll find all 
of the managers trying to bypass you in the future. You need to be seen as a 
strategic enabler rather than a blocker. I suggest you determine what the 
business reasons are for this decision and then try to find a better solution 
that protects your organization's sensitive data and systems while addressing 
the original requirements. Do they want to share data with a key partner? Do 
they want to outsource some work? What purpose will the system serve?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Schmehl
Sent: Thursday, May 22, 2008 2:25 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Need some help with management

--On Thursday, May 22, 2008 09:51:01 -0700 Daniel Sichel 
<[EMAIL PROTECTED]> wrote:

>
>
> My management here wants to put a server on our LAN, not administered by us
> (the IT department) and use a share on it to serve files and data to our
> workstations.  They do not understand why having a server with a file share
> that is NOT part of our secure infrastructure represents a threat to the
> computers accessing it. Keep in mind this is an all Windows network. Sooo, if
> you guys can succinctly explain why having a trusted computer trust an
> untrusted computer is a problem, that would be helpful. Keep in mind we are
> talking to management here. It’s kind of like trying to explain why, when
> you are in the United States, it’s a bad idea to drive on the left hand
> side of the road. It’s just so basic it’s not documented anywhere. So,
> please help me explain why netbios and file shares on machines not within
> your network are bad ideas.
>

OK.

So, Mr. PHB, why is it that your chauffeur stays with your limo when you're not 
there?  Because you don't want to trust your limo to just anybody?

:-)

-- 
Paul Schmehl
As if it wasn't already obvious,
my opinions are my own and not
those of my employer.


Re: [Full-disclosure] [NANOG] IOS rootkits

2008-05-18 Thread Kurt Dillard
Apparently Gadi  doesn't understand either.  Rootkits don't need to exploit
vulnerabilities in an OS, they leverage the design of the OS or the
underlying hardware platform. You don't 'patch' the design of something. You
want to stop rootkits in IOS? Don't allow it to run arbitrary code, run the
OS in firmware rather than from writable storage. Go study up on rootkits
for a few weeks before you complain about someone demonstrating one. Unlike
you guys I happen to know what I am talking about as I've been studying
malware including rootkits for over 10 years. By studying I mean taking them
apart, figuring out how they work, and finding tools to deal with them; not
reading some half-assed article on CNET or Ziff-Davis full of technical
errors. 

Over the past few years Cisco, Apple, and Oracle have behaved an awful lot
like Microsoft did 10 years ago, trying to pretend that their platforms are
immune to malware and refusing to approach vulnerabilities head-on with an
attitude of rational pragmatism. Dave Litchfield and his team have dragged
Oracle kicking and screaming to the world of reality, the same has yet to
happen with the other two firms.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: Sunday, May 18, 2008 12:50 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] [NANOG] IOS rootkits

On Sun, May 18, 2008 at 4:37 PM, Kurt Dillard <[EMAIL PROTECTED]> wrote:
> NETDOVE,
> Obviously you have no idea how a rootkit works much less how to defend
> against them, your rants make no sense.
>
> Kurt

Dude,

Gadi Evron is punching into this guy as well, check this out:

-- Forwarded message --
From: Gadi Evron <[EMAIL PROTECTED]>
Date: Sun, May 18, 2008 at 3:48 PM
Subject: Re: [NANOG] IOS rootkits
To: Dragos Ruiu <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED]


On Sun, 18 May 2008, Dragos Ruiu wrote:
>
> On 17-May-08, at 3:12 AM, Suresh Ramasubramanian wrote:
>
>> On Sat, May 17, 2008 at 12:47 PM, Matthew Moyle-Croft
>> <[EMAIL PROTECTED]> wrote:
>>> If the way of running this isn't out in the wild and it's actually
>>> dangerous then a pox on anyone who releases it, especially to gain
>>> publicity at the expense of network operators' sleep and well being.
>>> May you never find a reliable route ever again.
>>
>> This needs fixing. It doesn't need publicity at security conferences
>> till after cisco gets presented this stuff first and asked to release
>> an emergency patch.
>
> Bullshit.
>
> There is nothing to patch.
>
> It needs to be presented at conferences, exactly because people will
> play ostrich and stick their heads in the sand and pretend it can't
> happen to them, and do nothing about it until someone shows them, "yes
> it can happen" and here is how
>
> Which is exactly why we've accepted this talk. We've all known this is
> a possibility for years, but I haven't seen significant motion forward
> on this until we announced this talk. So in a fashion, this has
> already helped make people more realistic about their infrastructure
> devices. And the discussions, and idea interchange that will happen
> between the smart folks at the conference will undoubtedly usher forth
> other related issues and creative solutions.  Problems don't get fixed
> until you talk about them.

Dragus, while I hold full disclosure very close and it is dear to my
heart, I admit the fact that it can be harmful. Let me link that to
network operations.

People forget history. A few years back I had a chat with Aleph1 on the
first days of bugtraq. He reminded me how things are not always black and
white.

Full disclosure, while preferable in my ideology, is not the best solution
for all. One of the reasons bugtraq was created is because vendors did not
care about security, not to mention have a capability to handle security
issues, or avoid them to begin with.

Full disclosure made a lot of progress for us, and while still a useful
tool, with some vendors it has become far more useful to report to them
and let them provide with a solution first.

In the case of routers which are used for infrastructure as well as
critical infrastructure, it is my strong belief that full disclosure is,
at least at face value, a bad idea.

I'd like to think Cisco, which has shown capability in the past, is as
responsible as it should be on these issues. Experience tells me they have
a ways to go yet even if they do have good processes in place with good
people to employ them.

I'd also like to think tier-1 and tier-2 providers get patches first
before such releases. This used to somewhat be the case, last I checked it
no longer is 

Re: [Full-disclosure] [NANOG] IOS rootkits

2008-05-18 Thread Kurt Dillard
NETDOVE, 
Obviously you have no idea how a rootkit works much less how to defend
against them, your rants make no sense.

Kurt

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: Sunday, May 18, 2008 12:00 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] [NANOG] IOS rootkits

On Sat, May 17, 2008 at 9:39 PM, n3td3v <[EMAIL PROTECTED]> wrote:
> On Sat, May 17, 2008 at 7:38 PM, n3td3v <[EMAIL PROTECTED]> wrote:
>> -- Forwarded message --
>> From: n3td3v <[EMAIL PROTECTED]>
>> Date: Sat, May 17, 2008 at 12:08 PM
>> Subject: Re: [NANOG] IOS rootkits
>> To: [EMAIL PROTECTED]
>>
>>
>> On Sat, May 17, 2008 at 11:12 AM, Suresh Ramasubramanian
>> <[EMAIL PROTECTED]> wrote:
>>> On Sat, May 17, 2008 at 12:47 PM, Matthew Moyle-Croft
>>> <[EMAIL PROTECTED]> wrote:
>>>> If the way of running this isn't out in the wild and it's actually
>>>> dangerous then a pox on anyone who releases it, especially to gain
>>>> publicity at the expense of network operators' sleep and well being.
>>>> May you never find a reliable route ever again.
>>>
>>> This needs fixing. It doesn't need publicity at security conferences
>>> till after cisco gets presented this stuff first and asked to release
>>> an emergency patch.
>>
>> Agreed,
>>
>> You've got to remember though that a security conference is a
>> commercial venture, it makes business sense for this to be publically
>> announced at this security conference.
>>
>> I think security conferences have become something that sucks as its
>> all become money making oriented and the people who run these things
>> don't really have security in mind, just the £ signs reflecting on
>> their eye balls.
>>
>>> --srs
>>> --
>>> Suresh Ramasubramanian ([EMAIL PROTECTED])
>>>
>>
>> All the best,
>>
>> n3td3v
>>
>
> Full-Disclosure,
>
> I fully believe British Intelligence are the best in the world and
> that they will pull the plug on this presentation without hesitation
> before it gets to go ahead.
>
> I don't see anyone disagreeing how wrong it is for this presentation
> to go ahead as a business decision.
>
> I know the national security boys at MI5 are listening, so I suggest
> this gets priority and this presentation doesn't go ahead.
>
> What I want is a high profile pulling the plug of this presentation to
> act as a deterrent to any other security conferences across the world
> who think they are going to capitalise through high risk
> vulnerabilities as this one is.
>
> I want UK government officials to walk on stage as this presentation
> is about to start, infront of the media, infront of everybody,
> including the money makers who thought they were going to use this
> presentation as a way to sell tickets and make money and put UK
> national security at risk.
>
> I don't want a behind the scenes pulling the plug of this
> presentation, I want it to be high profile, infront of the worlds
> media to show that in Britain we don't fuck about with crappy security
> conferences trying to become rich by getting high risk talkers to come
> to their security conference to guarantee a sell out and thousands of
> pounds made, at a cost to UK national security.
>
> I will be talking with my private contacts to try and get this to
> happen, as many of you know I already had a grudge with EUSecWest
> spamming the mailing lists, instead of buying advertisement banners on
> websites, so the announcement of a IOS rootkit presentation is the
> final insult to injury, and the UK national security boys are likely
> to pull the plug on this without hesitation to make an example to
> these security conference owners to say that national security becomes
> before profit and how dare you try to profit and not giving a shit
> about the consequences of this presentation.
>
> Trust me and mark my words EUSecWest, you upset a lot of people
> spamming the mailing lists, this is just the worst possible thing you
> could have done to keep people on side, you've lost any respect I may
> have had for your conference and I guarantee UK government officials
> will pull the plug on your business venture of a security conference.
>
> Blackhat conference with Michael Lynn was under the control of the
> American authorities and they were light weight in response to what
> was going on, trust me, the British authorities will be coming down a
> lot tougher and won't be thinking twice about pulling this
> presentation, but will do it on a grand scale infront of the media, to
> send a clear signal that these security conferences and their money
> making agenda isn't going to get in the way of our national security.
>
> This is a subject I feel strongly and passionate about because if this
> presentation went ahead it would fuck up a lot of ISPs and would put
> national security at risk.
>
> If the British authorities don't pull the plug on this presentation you
> will have let your country down and let your British taxpayers down
> who fun

Re: [Full-disclosure] HD Moore

2008-05-04 Thread Kurt Dillard
You are a laughable prepubescent troll. As if you, who are currently jobless
and never have had a job in info-security, could offer anyone on this list
useful professional advice. Every post you send to this list leaves me
rolling painfully on the floor in uncontrollable fits of guffaws and
chortles. Makes me wonder which is lower: your IQ or your age. Your petty,
whining posts attacking researchers who could not care less about your theme
day illustrate perfectly why it was entirely appropriate for them to ignore
it and for us to mock you. By all means, keep us entertained by continuing
to post your pointless, prattling claptrap. 

Don't forget to have my buddies at CESG come after me and everyone else.
That is, if you know what the hell CESG actually is over there. You drop the
names of secretive government agencies but you probably have no idea which
one is actually responsible for protecting the information systems in your
country. 

With all due sincerity and respect,

Mr. Dillard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: Sunday, May 04, 2008 2:19 PM
To: full-disclosure@lists.grok.org.uk; n3td3v
Subject: Re: [Full-disclosure] HD Moore

On Sun, May 4, 2008 at 4:40 PM, str0ke <[EMAIL PROTECTED]> wrote:
> Come on n3td3v leave the man alone, how do you go from love to hate on
> the guy in a weeks time?

If Metasploit is some way of keeping tabs on script kids then I'm all
for it, if it's just a sheer evil hacking tool for shits and giggles
then I stand by my words.

I see no evidence that there is any government connection, so I stand
by my words.

If it's a covert government project then I will retract the comments
when evidence is forthcoming.

To me this is just a private project that HD Moore created when he was
immature.

He should grow out of Metasploit now and focus on something else...
like a theme day on the mailing lists.

All the best,

n3td3v



Re: [Full-disclosure] A New Class of Vulnerability in Oracle: Lateral SQL Injection

2008-04-24 Thread Kurt Dillard
I wouldn't use such harsh language as Malix, but he's correct. David has
done a lot of ground-breaking research over the past decade and he's had a
major impact on how Microsoft and Oracle create, test, and patch their
products. You are unemployed and note that you were in some Yahoo chat
groups on your CV. Sarcastically whining at David only reaffirms what we all
think of you.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: Thursday, April 24, 2008 5:53 PM
To: full-disclosure@lists.grok.org.uk; n3td3v
Subject: Re: [Full-disclosure] A New Class of Vulnerability in Oracle:
Lateral SQL Injection

On Thu, Apr 24, 2008 at 9:47 PM,  <[EMAIL PROTECTED]> wrote:
> And here I thought you were canceling that piece of shit.
>  That you even presume to believe that David Litchfield of all
>  people gives the slightest fuck about what you have to say simply
>  blows my mind.
>  As always, please (and let me spell it out for you), SHUT THE FUCK
>  UP.

What have you ever contributed to the security community apart from
this bullshit?

All the best,

n3td3v



Re: [Full-disclosure] Fwd: n3td3v has a fan

2008-04-14 Thread Kurt Dillard
Every new post further reveals the depth of your stunning intellect.

- Bad guys would never think to, you know, go to the campus and look around?
- Car tags are personally identifiable information and therefore should
remain private, right? Oh, except they are prominently displayed on your
car's bumpers and they better stay that way, according to the law.
- Yahoo 'failed' to take down the site because 'intelligence services' are
using the data? Did you forget your Thorazine again? Maybe they don't care?
Maybe they think the site provides value by embarrassing those who endanger
other employees by parking in fire lanes?

Eternally grateful and sincerely yours,

Kurt

P.S. Congratulations on figuring out how to post comments at CNET!!!

P.S.S. I recognize that I am now a marked man:( Well, assuming you
accurately parse this note:) C'est la vie. 

P.S.S.S. Does this mean you're going to dig up every paper, article, and
book I published in order to systematically tear apart my life's work? I
can't wait! 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: Monday, April 14, 2008 4:05 PM
To: full-disclosure@lists.grok.org.uk; n3td3v
Subject: Re: [Full-disclosure] Fwd: n3td3v has a fan

I have to contest, at Yahoo--- Mark Seiden and others said Sunnyvale
isn't MI5/MI6 and that people shouldn't be stopped on premises without
permission for taking photos.

And I was angry that Mark Seiden and others at Yahoo weren't going to
take my e-mail seriously, although later on it turns out that Yahoo
non-cyber staff who patrol the grounds of Sunnyvale have stopped photo
taking without permission, this has to be a good thing.

The case of mine was highlighted by "ycantpark", of which flickr
photos were published of the parking lots of Yahoo of employees who
couldn't park, although that sent off triggers for me to send the
multiple e-mail to their cyber security e-mail address to stop this
happening.

There are many ways the parking setup could be used against Yahoo
adversaries, think car bomb, or truck bomb? It was hugely
irresponsible of Yahoo to allow such photos to be taken by on-the-fly
employees.

The photos ended up being a major publicity event on employee blogs
who thought it was funny to make fun and take photographs of the
carpark, and employees number plates of those cars without the
explicit permission of the owners of those cars or automobiles.

However---n3td3v had other ideas, n3td3v was straight on the e-mail to
Yahoo's cyber security team to make sure policy was changed in the
real world ground staff team, so that, cameras and mobile phone snaps
were taken more seriously as a threat towards the corporation of
Yahoo.

The identity of cars belonging to employees, partners and others
connected could be used against them, be followed off-site for their
devices to be technically eavesdropped on, or company documentation to
be obtained, by stolen laptop, by breaking into car, by breaking into
personal home space of employee.

Mark Seiden thinks Yahoo campus known as Sunnyvale isn't MI5/6 but
that doesn't say such agencies wouldn't find that kind of photography
useful to plan and carry out surveillance operations to determine
what's going on, especially in times of big business deals between
Microsoft and Yahoo.

Through my protests of the Ycantpark, Yahoo has taken photography and
other suspicious activity more seriously, although they have failed to
rip down Ycantpark. This is probably because the intelligence services
and state enemies have probably obtained and captured the
intelligence electronically and fed it back to their operation center,
so it would make no difference if the information is publicly
available, although it _still_ offers insight to amateur hackers and
terrorists who stumble upon it through casual or purpose built
reconnaissance operations.

http://www.flickr.com/photos/ycantpark

n3td3v



Re: [Full-disclosure] n3td3v agenda & Solid Information Security State Release 0012a

2008-04-04 Thread Kurt Dillard
Whether or not the vulnerability exists as described this email is
laughable. Addressing it to "world leaders" shows everyone you're a
self-deceiving egomaniac. Complaining that the NSA, CIA, and FBI didn't
respond to your ravings makes perfect sense for 3 reasons: first, nobody
takes such poorly written rants seriously. Second, those agencies don't
collect vulnerability data; that's the job of DHS and NIST with their NVD
and US-CERT projects. Third, I've worked with a lot of federal agencies and
none of them use this software, why would they when a perfectly usable
remote assistance technology is already built into Windows? Oh, and by the
way, employees at those agencies can't install the software themselves
because their desktops are locked down and they don't have admin privileges.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Micheal
Turner
Sent: Friday, April 04, 2008 11:48 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] n3td3v agenda & Solid Information Security State
Release 0012a

  n3td3v agenda & Cyber Security group
  

 Solid Information Security State Release #0012a

MARKING: RESTRICTIONS APPLY.
FAO: WORLD LEADERS

== Introduction ==
A serious high-risk ultra critical vulnerability has
been identified in the Remote Help application that may be
used by CIA, NSA and FBI employees when helping
colleagues on anti-terror campaigns. RemoteHelp is a
minimal http server that allows one to view and control a
remote pc running a 32-bit version of Microsoft
Windows.
The current version is 0.0.6 and runs stand-alone or
installs as a service.

== URL ==
http://sourceforge.net/projects/remotehelp/ 

== HISTORY ==
After n3td3v agenda emailed the NSA, SANS and all
information security groups and was found not to be
taken seriously, high risk proof of concept exploit
code has been authored for a severe vulnerability in the
Remote Help application which may be used by any number
of Yahoo!, Google!, Ebay! or NSA employees. This
vulnerability gives rise to serious national
infrastructure risk and should not be underestimated!

== Proof of Concept ==
I found a vulnerability in the pages.c file, which
generates the login page dialog and authenticates a
user. After it checks whether your "user" and "pass"
parameters match the defaults
(user/default) it does this:

   strncpy(cookie,"user=default; path=/; expires=Sun,
11-May-2030 22:11:40 GMT",1024);

for a valid login, and for an invalid login it sets an
expired cookie like so:
   strncpy(cookie,"user=default; path=/; expires=Sun,
11-May-1970 22:11:40 GMT",1024);

All you have to do is add "Cookie: user=default;
path=/; expires=Sun, 11-May-2030 22:11:40 GMT" to your
HTTP request and you can bypass
authentication to the Remote Help server and access
the filesystem, exec commands, or view the webcam of the
hosts running it.

== Credit ==

n3td3v & documentation help by Michael Turner.

"Never trust your employees."


  ___ 
Yahoo! For Good helps you make a difference  

http://uk.promotions.yahoo.com/forgood/

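The cookie check described in the RemoteHelp advisory quoted above trusts whatever the client sends: the server's only evidence of a login is a cookie whose name and value are fixed constants, so a client can mint it without ever supplying credentials. The Python below is an added example, not code from RemoteHelp or from anyone in this thread. It models the flawed check as the advisory describes it and puts a server-issued random session token beside it; the header dicts, the SessionStore class, the user/default credentials and the forged Cookie header are all constructed here for illustration.

```python
import hmac
import secrets

# Default credentials as stated in the advisory; everything else in this
# file is a constructed model, not RemoteHelp's own code.
DEFAULT_USER = "default"
DEFAULT_PASS = "default"


def parse_cookie_header(value):
    """Split a Cookie request header into a name -> value dict.

    The attacker-supplied header in the advisory also carries 'path' and
    'expires'. In a request those are just more name=value pairs, so a
    server-side parser sees them as ordinary cookies.
    """
    cookies = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, _, val = part.strip().partition("=")
        cookies.setdefault(name.strip(), val.strip())
    return cookies


def vulnerable_is_authenticated(headers):
    """Model of the flawed check: a request is 'logged in' if it carries
    user=default. Nothing ties that cookie to a past successful login, so
    anyone who can type the header is authenticated."""
    cookies = parse_cookie_header(headers.get("Cookie", ""))
    return cookies.get("user") == DEFAULT_USER


class SessionStore:
    """Hardened replacement: the cookie carries a random token that only the
    server could have issued, and the server keeps the token -> user map."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, password):
        """Return a Set-Cookie value on success, None on failure."""
        user_ok = hmac.compare_digest(user.encode(), DEFAULT_USER.encode())
        pass_ok = hmac.compare_digest(password.encode(), DEFAULT_PASS.encode())
        if not (user_ok and pass_ok):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = user
        return f"session={token}; Path=/; HttpOnly"

    def is_authenticated(self, headers):
        """Only a token this server issued counts. The loop with
        compare_digest keeps the lookup from leaking timing on a prefix."""
        presented = parse_cookie_header(headers.get("Cookie", "")).get("session")
        if presented is None:
            return False
        for token in self._sessions:
            if hmac.compare_digest(token.encode(), presented.encode()):
                return True
        return False


def demo():
    """Replay the advisory's forged header against both checks."""
    forged = {"Cookie": "user=default; path=/; expires=Sun, 11-May-2030 22:11:40 GMT"}
    store = SessionStore()
    results = {
        "forged_cookie_vs_vulnerable": vulnerable_is_authenticated(forged),
        "forged_cookie_vs_hardened": store.is_authenticated(forged),
        "bad_password_login": store.login(DEFAULT_USER, "wrong"),
    }
    set_cookie = store.login(DEFAULT_USER, DEFAULT_PASS)
    results["issued_token_vs_hardened"] = store.is_authenticated(
        {"Cookie": set_cookie.split(";")[0]})
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the hardened half is not the particular store but that the cookie value is unguessable and meaningful only because the server remembers issuing it; the same property would hold for an HMAC-signed stateless cookie, and would still fail if the token were derived from anything the client already knows.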


Re: [Full-disclosure] sans handler gives out n3td3v e-mail to public

2008-03-21 Thread Kurt Dillard
Thanks Paul! I wasn't looking forward to reading that wall of text!!!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Schmehl
Sent: Friday, March 21, 2008 11:38 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] sans handler gives out n3td3v e-mail to
public

To sum it all up nicely:

Bozo with incredibly inflated sense of self-worth waits with bated breath for
the world's media to pick up a story that no one but himself would ever care
about.

News at 11.  Meanwhile, Britney Spears was spotted entering a grocery store in
West Hollywood with kid in tow.

-- 
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Re: [Full-disclosure] IE8 beta is available - Challenge

2008-03-07 Thread Kurt Dillard
Breaking pre-release software doesn't sound all that impressive but I'm sure
Microsoft would appreciate more people helping them to find bugs;)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jay
Sent: Friday, March 07, 2008 3:39 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] IE8 beta is available - Challenge

Who can be the one to find and publish the first exploit?

http://www.microsoft.com/windows/products/winfamily/ie/ie8/readiness/Install.htm

Jay


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Chinese backdoors "hidden in router firmware"

2008-03-06 Thread Kurt Dillard
The assertions in the article and some of the comments in this thread sure
look racist and xenophobic to me. Why is it more risky that a product is
produced in China than if it's made in Seattle, WA; Arlington, VA; Mexico
City; London; or Berlin? The Chinese may have the skill and motivation to do
this, but so do the USA, Russia, France, and most of the first world
countries. You read about China breaking into US government computers; what
you don't read about so much is the industrial espionage facilitated by
Israeli and European governments to help firms within their countries to
compete, much less all of the spying the US does against the entire world.
The risk is there, the risk may be higher with certain products and specific
open source projects, but it's there regardless of where the product is made.
On top of that, a very large portion of the designers, engineers, and
programmers for high-tech products made in the USA are foreign nationals.
Why would the Chinese government need to slip a back door into a router
where all they could do is pick up encrypted network traffic when instead
they could turn a kernel programmer at Apple, Sun, or Microsoft and get a
backdoor slipped into the encryption algorithms and the kernel itself?


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [Professional IT Security Reviewers - Exposed] SecReview ( A + )

2007-12-21 Thread Kurt Dillard
I agree with Nate. It's odd how you dismiss any critics as 'trolls,' and
only believe that people who compliment your efforts are 'legitimate
readers.' As an author and public speaker I know that I get the most value
from people who critique my work because they help me to improve. Sure,
being slapped on the back feels good, but having someone point out my
mistakes helps me to fix them.

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nate
McFeters
Sent: Friday, December 21, 2007 2:08 PM
To: SecReview
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] [Professional IT Security Reviewers -
Exposed] SecReview ( A + )

 

Unless I missed something, these seemed like legitimate responses.  They may
not have all been delivered with tact, but I mean, you are on FD, what did
you expect?

 

I think some valid points are brought up about your credentials and your
process.

 

Nate

 

On 12/21/07, SecReview <[EMAIL PROTECTED]> wrote: 

PaulM:

You'd be right only if you weren't wrong. That being said, we're
not going to talk to the trolls any more. While it might be amusing 
it's a waste of our time, and our readers time.

We will continue to write reviews and will continue to be as honest
and truthful as possible during our reviews. Likewise, if any of
our legitimate readers have any questions or comments about our 
blog, we'd very much appreciate them. We especially want people to
comment if they have worked with a vendor that we have assessed, we
want to know your experience. Other than that, thanks for your time
and thanks for reading! 



On Fri, 21 Dec 2007 07:00:40 -0500 Paul Melson <[EMAIL PROTECTED]>
wrote:
>On Dec 20, 2007 7:19 PM, SecReview <[EMAIL PROTECTED]> wrote:
>> > 1.) What are your qualifications for reviewing these companies?
>>
>> We are a team of security professionals that have been performing a
>> wide array of penetration tests, vulnerability assessments, web
>> application security services etc. One of our team members has
>> founded two different security companies both of which have been
>> very successful and have offered high quality services. Yes we have
>> all sorts of pretty little certifications, but those don't really
>> matter.
>
>So this is basically a tacit admission that every one of your "team"
>has something to gain by smearing the competition.  At this point, I'm
>inclined to believe that the firms you've scored favorably are your
>employers.  You're not only incompetent, it seems that you're
>unethical as well.  Not that I'm surprised.
>
>PaulM
Regards,
 The Secreview Team
 http://secreview.blogspot.com

 Professional IT Security Service Providers - Exposed 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html 
Hosted and sponsored by Secunia - http://secunia.com/

 


Re: [Full-disclosure] [Professional IT Security Reviewers - Exposed] SecReview ( F - )

2007-12-20 Thread Kurt Dillard
No, go read Secreview's responses to negative comments on his amusing blog.
He won't change a review based on an opposing opinion. The emails, blog, and
his small cadre of fans remind me of Steve Gibson lol. He has nothing on
the blog to suggest he has any qualifications. When asked what his scoring
system is he responded 'it's just like school, A is great, F fails.' What a
system, it's so well articulated and unbiased that anyone who reviews one of
the security companies Secreview surfs will come up with the same score.

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Vasquez
Sent: Thursday, December 20, 2007 8:17 PM
To: Sec Review Sucks
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] [Professional IT Security Reviewers -
Exposed] SecReview ( F - )

 

What I really want to know, is if a past customer (err - reader?) of sec
review surfaces with a negative opinion of them, will you adjust your grade
accordingly?  



On Dec 20, 2007 1:20 PM, Sec Review Sucks < [EMAIL PROTECTED]>
wrote:

This rating is based entirely off my personal feelings after reading several
of the emails you've sent out to the Full Disclosure list.  I bring up the
following as my reasoning: 

1.) What are your qualifications for reviewing these companies? 
2.) Your criteria for review is clearly flawed.  Reviewing marketing
material, websites, etc. is just ridiculous.  Typically these are not
created by the security team itself, but instead the marketing department
for a company.  You only just mentioned that you started reviewing sample
reports, and that not all companies are willing to provide these.  How could
you possibly review a company WITHOUT a sample report at the minimum? 
3.) What is your scoring system?  Do you even have one?
4.) If company A does not submit themselves for review, and therefore will
not provide you with the information you need to review them, do they get a
lower score? 

In any case, a consulting company provides far more than simply a marketing
site and sample deliverables.  Unless you can survey a company's customers,
I don't see how you could ever make a reasonably accurate assumption.
Therefore, I rate SecReview as an F-. 


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 


Re: [Full-disclosure] [Professional IT Security Providers -Exposed] Cybertrust ( C + )

2007-12-20 Thread Kurt Dillard
Because it's absurd to write a review for a service without actually
experiencing the service. The original poster's messages have only had
entertainment value; they've had no value from an information security
perspective. If you'd like to provide a link to your MSN profile and
facebook pages I'll write up a resume for you. Does that sound like a good
idea?

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Epic
Sent: Thursday, December 20, 2007 11:56 AM
To: c0redump
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed]
Cybertrust ( C + )

 

Isn't ANY review subjective to opinion? I do not understand the basis of
this flame.  It appears to me that a lot of the reviews on this site offer
some great insight into the companies being presented.   Granted it is an
opinion, but that is what a blog is, isn't it? 

On 12/20/07, c0redump <[EMAIL PROTECTED]> wrote: 

Exactly.  Your 'grading' is based on your personal opinion.

Do us all a favour and get a proper job. 

- Original Message -
From: "guiness.stout" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, December 20, 2007 2:05 PM
Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed]
Cybertrust ( C + )


> I'm not really clear on how you are grading these companies.  I've had 
> no personal experience with them but I don't decide a company's
> quality of work simply by their website and what information I get
> from some customer support person.  These "grades" seem pointless and 
> frankly unfounded.  You should reword your grading system to specify
> the ease of use of their websites and not the service they provide.
> Especially if you haven't ordered any services from them.  I'm not 
> defending anyone here just pointing out some flaws in this "grading."
>
> On Dec 20, 2007 12:11 AM, secreview <[EMAIL PROTECTED]> wrote: 
>> One of our readers made a request that we review Cybertrust
>> ("http://www.cybertrust.com"). Cybertrust was recently acquired by Verizon
>> and as a result this review was a bit more complicated and required a lot
>> more digging to complete (In fact it's now Cybertrust and Netsec).
>> Nevertheless, we managed to dig information specific to Cybertrust out of
>> Verizon representatives. We would tell you that we used the website for
>> information collection, but in all reality the website was useless. Not only
>> was it horribly written and full of marketing fluff, but the services were
>> not clearly defined.
>>
>> As an example, when you view the Cybertrust services in their drop down menu
>> you are presented with the following service offerings: Application
>> Security, Assessments, Certification, Compliance/Governance, Consulting,
>> Enterprise Security, Identity Management, Investigative Response/Forensics,
>> Managed Security Services, Partner Security Program, Security Management
>> Program, and SSL Certificates. The first thing you think is "what the hell?"
>> the second is "ok so they offer 12 services".
>>
>> Well as you dig into each service you quickly find out that they do not
>> offer 12 services, but instead they have 12 links to 12 different pages full
>> of marketing fluff. As you read each of the pages in an attempt to wrap your
>> mind around what they are offering as individually packaged services you're
>> left with more questions than answers. So again, what the hell?
>>
>> Here's an example. Their "Application Security" service page does not
>> contain a description about a Web Application Security service. In fact, it
>> doesn't even contain a description about a System Software/Application
>> security service. Instead it contains a super high level, super vague and
>> fluffy description that covers a really general idea of "Application"
>> security services. When you really read into it you find out that their
>> Application Security service should be broken down into multiple different
>> defined service offerings.
>>
>> Even more frustrating is that their Application Security service is a
>> consulting service and that they have a separate service offering called
>> Consulting. When you read the description for Consulting, it is also vague
>> and mostly useless, but does cover the "potential" for Application Security.
>>
>> So, trying to learn anything about Cybertrust from their web page is like
>> trying to pull teeth out of a possessed chicken. We decided that we would
>> move on and call Cybertrust to see what we could get out of them with a
>> conversation. That proved to be a real pain in the ass too as their website
>> doesn't list any telephone numbers. We ended up calling verizon and after
>> talking to 4 people we finally found a Cybertrust representative.
>>
>> At last, a human being that could provide us with useful information and
>> answers to our questions about their services. We did receive about 2mb of
>> materials from our contact 

Re: [Full-disclosure] Marc Vilanova Vilasero is out of the office.

2007-10-19 Thread Kurt Dillard
Apparently you’re not bright enough to read or write English either, much
less Spanish.

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
lulzlulzluzluz
Sent: Friday, October 19, 2007 4:50 PM
To: Marc Vilanova Vilasero
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Marc Vilanova Vilasero is out of the
office.

 

i dont speak ___.

On 10/19/07, Marc Vilanova Vilasero <[EMAIL PROTECTED]> wrote:


I will be out of the office from 19/10/2007 and will not return until
26/10/2007.

I will reply to your message when I return.

___
Full-Disclosure - We believe in it. 
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/ 





___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

2007-10-06 Thread Kurt Dillard
In my opinion, every application should handle incoming data as bad data.
It's poor programming to assume that incoming data is properly formatted and
safe to process as is, even if the data is supposed to come from a process
you own. Why so extreme? Because the bad guys are going to figure out how to
get bad data to your code using pathways you didn't consider. In other
words, I agree with Geo that each of the applications should inspect the URI
before processing it. The OS components that are involved should too, but
the 3rd party apps should never assume that IE or whatever has done so.

--
From: "Thierry Zoller" <[EMAIL PROTECTED]>
Sent: Saturday, October 06, 2007 1:06 PM
To: <[EMAIL PROTECTED]>; 
Subject: Re[2]: [Full-disclosure] URI handling woes in Acrobat Reader, 
Netscape,Miranda, Skype

> Dear Geo.,
>
> G> If the application is what exposes the URI handling routine to untrusted
> G> code from the internet,
> Sorry, Untrusted code from the internet ?
>
> The user clicks on a mailto link, is that untrusted code?
> Or the mailto link is clicked for him.
>
> Anyways, the mailto link
> POST IE7 has a flaw/threat/vulnerability it hasn't had PRE IE7.
>
> G>  then it's the application's job to make sure that
> G> code is trusted before exposing system components to it's commands, no?
> Yes to a certain degree it is, like I said mitigation is fine, though
> it shouldn't be the final word here, _if_ my assumptions I derive from
> the things I know and just tested are correct. I might be wrong, but I
> don't think so =)
>
> The problem here is the root cause, the root cause is that IE7
> introduced a problem, you can call it "vulnerability" or "Threat" or
> whatever floats your boat, I don't care, my point is, in my opinion
> the handler itself is broken.
>
>
> -- 
> http://secdev.zoller.lu
> Thierry Zoller
> Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7
>
> 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/