Re: [Full-disclosure] Hack into a Windows PC - no password needed
I guess the release of this tool makes physical access pen-tests a little bit easier, huh? Will have to try this out some time.

Steven

> http://www.smh.com.au/news/security/hack-into-a-windows-pc--no-password-needed/2008/03/04/1204402423638.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable
Glad to see we figured it out. :)

Yes, Cross Site Request Forgery would be the correct term referenced by the acronym in all of the replies (subsequently also the first result in a normal Google query).

I'm still not quite sure what the big deal is with the favicon stuff in terms of this issue. So let's say you completely disabled favicons altogether. Now when you visit the original PoC, it no longer works. However, if you simply had a 302 or mod_rewrite rule for any image that you actually had written into the source of your page, you could achieve the same result. Maybe the favicon.ico method is slightly transparent to the user, as it's not present when you view the source. However, you could be almost as sneaky by only throwing a redirect to the Google logout page if the referer field includes your root page. Otherwise, if the user directly requests it, it displays a real image. Explain to me what I am missing here.

> On Wednesday 12 December 2007 08:05:35 Steven Adair wrote:
> > You aren't really able to take action on Google's site per the real definition of CSRF.
>
> CRSF:
> Canadian Rope Skipping Federation (Google's I'm feeling lucky)
> Center for Research on Sustainable Forests
> Canadian Rhodes Scholars Foundation
> CReative Santa Fe
> Consolidated Rail System Federation
>
> I keep wondering when people on this thread will discuss the relative merits of various rope materials? That is the real definition, isn't it? ;)
>
> On a more serious note, I agree with the question; it doesn't sound like a full cross site request forgery. Still, Coderman's reply to your questions led me to search for information on the Firefox browser.chrome.favicons. That led to this bit of information:
>
> Caveats
> * browser.chrome.site_icons must be true for this preference to have an effect.
> * Conversely, browser.chrome.site_icons should be false when this preference is false to disable site icons and favicons completely.
>
> http://kb.mozillazine.org/Browser.chrome.favicons
>
> Given Coderman's statement about meeting fortuitously in a black hat tryst, I set both to false. Thanks all for the info. And for those people, like myself, who aren't up on all the acronyms, here is a link for CRSF:
> https://secure.wikimedia.org/wikipedia/en/wiki/Csrf
>
> --
> Hawaiian Astronomical Society: http://www.hawastsoc.org
> HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky
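Steven's point in the message above is that the favicon is incidental: any GET a browser issues on the attacker's behalf (an <img> tag, a 302 from an image URL) reaches the logout endpoint just as well. The server-side remedy is to refuse to change state on a GET at all, to require a token that was issued to the user's own session, and to use Origin/Referer as a second signal. The Python below is an added example written for this page, not code from the thread or from Google; the host name example.test, the request dict shape and all function names are assumptions, and the three requests in demo() are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed host name standing in for the site whose logout URL is being protected.
SITE_HOST = "example.test"


def issue_csrf_token(session):
    """Create a fresh per-session token and store it server-side; the page that
    renders the logout form embeds it as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _host_of(url):
    """Host part of an absolute URL, or None if the header is missing or unparseable."""
    if not url:
        return None
    return urlsplit(url).hostname


def check_state_change(request, session):
    """Decide whether a state-changing request (here: logout) may proceed.

    request is a plain dict: {"method": str, "headers": {name: value}, "form": {field: value}}
    Returns (allowed, reason).
    """
    # 1. Anything a browser can trigger with a bare GET (an <img> tag, a 302 from an
    #    image URL, a favicon fetch) must not change server state at all.
    if request["method"].upper() != "POST":
        return False, "state change requires POST"

    headers = {k.lower(): v for k, v in request["headers"].items()}
    # 2. Origin is authoritative when present; fall back to Referer. A request carrying
    #    neither is treated as cross-site rather than trusted by default.
    src = _host_of(headers.get("origin")) or _host_of(headers.get("referer"))
    if src != SITE_HOST:
        return False, "cross-site or unknown source: %r" % (src,)

    # 3. The token proves the form was served to this very session (constant-time compare).
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


def demo():
    """Three constructed requests: the image-triggered GET the thread describes,
    a forged cross-site POST, and a genuine same-site form POST."""
    session = {}
    token = issue_csrf_token(session)
    img_get = {"method": "GET",
               "headers": {"Referer": "http://attacker.test/page.html"},
               "form": {}}
    forged_post = {"method": "POST",
                   "headers": {"Origin": "http://attacker.test"},
                   "form": {"csrf_token": "not-the-real-token"}}
    real_post = {"method": "POST",
                 "headers": {"Origin": "http://example.test"},
                 "form": {"csrf_token": token}}
    return [check_state_change(r, session)[0] for r in (img_get, forged_post, real_post)]


if __name__ == "__main__":
    print(demo())
```

The method check alone defeats the redirect trick, because a browser following a 302 from an image fetch issues a GET; the token check is what protects a POST endpoint from a cross-site auto-submitting form, and the Origin/Referer check is defence in depth for clients that send them.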
Re: [Full-disclosure] Captive Portal bypassing
Hi,

I didn't read all of the documents in detail, but I noticed the first bunch mentioned spoofing/changing your MAC address to that of someone who is validated/authorized. This is of course assuming this is feasible and someone has authenticated already.

Many of the hotspots will just simply allow both TCP and UDP outbound on port 53. I'm not overly familiar with RunningOzyManDNS, but I think this takes advantage of that to some degree. However, I've found that in airports at least, about half of the captive portals will allow TCP 53 out to anywhere. Even easier than running a special tool is to just set up SSHD or a proxy to listen on TCP 53. You can then tunnel out and do as you please without authenticating to the captive portal. Of course you might want to keep the legal aspects in mind before doing any of that.

Steven
http://www.securityzone.org

> If there were an easy to use (gold standard == nmap) and robust tool capable of bypassing all commonly used captive portals, that would make for a great 'mischief enabler'.
>
> Some googled links for the lazy lurkers...
> http://en.wikipedia.org/wiki/Captive_portal
> http://www.eusecwest.com/esw06/esw06-blancher.pdf
> http://www.semicomplete.com/blog/2007/Aug/11
>
> Which in turn mentions Kaminsky's (yay Kaminsky!) OzyManDNS via
> http://taint.org/wk/RunningOzyManDNS
> http://www.doxpara.com/ozymandns_src_0.1.tgz
>
> ...and a ton of other searching resulting in a lot of reading regarding the usual software flaws, poor implementations (did I repeat myself there?), etc.
>
> I do not see anything that prevents the rolling-up of all applicable bypass techniques into a single tool. Preferably one written to be as portable as possible. Is anyone actively working on this that would care to share? Anyone want to point out flaws in the idea or make suggestions? Might make for a good 'con paper presentation if anyone out there was looking for something to do.
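The weakness Steven describes is that the portal lets TCP 53 out to anywhere without checking that what flows over it is DNS. A gateway or sensor can close that gap by looking at the first bytes a client sends on a port-53 connection and at how much data the flow moves. The Python below is an added example, not part of the thread and not a tool named in it: it builds a realistic DNS-over-TCP query only as constructed sample input, checks whether a flow's opening payload parses as one well-formed query, and flags flows that either are not DNS at all (an SSH banner on port 53 is the case above) or are DNS-shaped but move far more data than resolution needs. Field names, the byte threshold and the flow records are assumptions.

```python
import struct

DNS_HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount


def build_dns_tcp_query(name, qtype=1, txid=0x1234):
    """Build a DNS-over-TCP query (2-byte length prefix + message); used here only to
    construct realistic sample input."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg


def looks_like_dns_tcp(payload):
    """True if the first bytes a client sent on a TCP/53 connection parse as one
    well-formed DNS query. An SSH banner, a TLS ClientHello or an HTTP CONNECT all
    fail at the length prefix; a malformed question section fails further down."""
    if len(payload) < 2 + DNS_HEADER.size:
        return False
    (length,) = struct.unpack("!H", payload[:2])
    if length != len(payload) - 2:
        return False
    _, flags, qdcount, _, _, _ = DNS_HEADER.unpack_from(payload, 2)
    if flags & 0x8000:                       # QR=1: a client does not open with a response
        return False
    if ((flags >> 11) & 0xF) > 2 or qdcount != 1:   # opcode QUERY/IQUERY/STATUS, one question
        return False
    pos, total = 2 + DNS_HEADER.size, 0
    while True:                              # walk the QNAME labels
        if pos >= len(payload):
            return False
        ll = payload[pos]
        pos += 1
        if ll == 0:
            break
        if ll > 63 or total + ll + 1 > 255:  # RFC 1035 label / name length limits
            return False
        total += ll + 1
        pos += ll
    return pos + 4 == len(payload)           # exactly QTYPE and QCLASS must remain


def triage_port53_flows(flows, max_bytes=512 * 1024):
    """Flag TCP/53 flows whose opening bytes are not DNS, or that carry far more data
    than name resolution needs. Each flow is {"src", "dst", "first_payload", "bytes"}."""
    flagged = []
    for f in flows:
        if not looks_like_dns_tcp(f["first_payload"]):
            flagged.append((f["src"], f["dst"], "non-DNS payload on tcp/53"))
        elif f["bytes"] > max_bytes:
            flagged.append((f["src"], f["dst"], "DNS-shaped but %d bytes" % f["bytes"]))
    return flagged


def sample_flows():
    """Constructed flow records: a real lookup, an SSH session on port 53, and a
    DNS-shaped flow that moved far too much data."""
    return [
        {"src": "10.0.0.5", "dst": "192.0.2.53", "bytes": 140,
         "first_payload": build_dns_tcp_query("example.test")},
        {"src": "10.0.0.7", "dst": "198.51.100.9", "bytes": 48_000,
         "first_payload": b"SSH-2.0-OpenSSH_4.7\r\n"},
        {"src": "10.0.0.9", "dst": "198.51.100.20", "bytes": 3_000_000,
         "first_payload": build_dns_tcp_query("tunnel.example.test", qtype=16)},
    ]


if __name__ == "__main__":
    for entry in triage_port53_flows(sample_flows()):
        print(entry)
```

The payload check catches the "SSHD on port 53" case outright; the byte-volume check is what catches a tunnel whose every message is syntactically valid DNS, which is why both are needed. The simplest policy change remains the one the message implies: only permit port 53 to the portal's own resolvers.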
Re: [Full-disclosure] MD5 algorithm considered toxic (and harmful)
> There you have it. Surely a GPL'd tool implementing this attack style will be available shortly. And since Chinese researchers have been attacking SHA-1 lately, should SHA-256 be considered the proper replacement? I am unsure :-(

Yes, it would probably be a good idea. I think this link has been put out on this list in the past with respect to discussion on SHA-1:

http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html

NIST might not be the bible to you on what to follow and implement, but they are definitely worth listening to (even if you're not a U.S. Federal agency) when they tell you not to use something anymore. For those that don't want to click and just want to read, here are the relevant parts:

    March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224, SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all applications using secure hash algorithms. Federal agencies should stop using SHA-1 for digital signatures, digital time stamping and other applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010. After 2010, Federal agencies may use SHA-1 only for the following applications: hash-based message authentication codes (HMACs); key derivation functions (KDFs); and random number generators (RNGs). Regardless of use, NIST encourages application and protocol designers to use the SHA-2 family of hash functions for all new applications and protocols.

Steven
http://www.securityzone.org

> --
> Kristian Erik Hermansen
> I have no special talent. I am only passionately curious.
Re: [Full-disclosure] Wordpress Cookie Authentication Vulnerability
Right, this problem has existed for a long time, but it's not the end of the world for someone to point it out again I suppose. I think it's obvious that there's another main issue here and that's the way WordPress handles its cookies in general. They are not temporary sessions that expire or are only valid upon successful authentication. The cookies work forever, or at least until the password changes. If someone uses an XSS attack to obtain the cookies or sniffs them (most blogs are just HTTP) they can essentially permanently authenticate. The same result occurs with being able to read the database.

Furthermore, one could in theory conduct a bruteforce attack against the WordPress password by just making normal requests to the blog but changing the cookies that carry the double MD5 of the password. You could in theory emulate normal continued browsing of the website while sending MD5(MD5(password)) over and over with each request via the cookie. Other than perhaps a large increase in browsing of the blog, this could possibly go unnoticed as an attack -- as it would not be logged anywhere (in most instances) that the cookies were being presented. Once authenticated into WordPress, the normal blog pages look different, so it would not require an attacker to access the Admin area to verify.

Anyway, good to see the CVE is already there. Maybe better session management will find its way into WordPress.

Steven
http://www.securityzone.org (..runs on WordPress.. oh noes!)

> This is CVE-2007-6013 since 19th Nov including WordPress ticket #5367:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6013
>
> - Juha-Matti
>
> Steven J. Murdoch [EMAIL PROTECTED] wrote:
> > On Tue, Nov 20, 2007 at 07:08:36PM +0100, Stefan Esser wrote:
> > > Could you elaborate why you consider this news? Most public SQL injection exploits for Wordpress use this cookie trick.
> >
> > I couldn't find it on the Wordpress bug tracker, and when I mentioned it to the Wordpress security address, they did not mention having heard of it before. I also couldn't find a detailed explanation of the problem online, nor in the usual vulnerability databases. Blog administrators, like me, therefore risk sites being compromised because they didn't realize the problem.
> >
> > It seemed intuitive to me that restoring the database to a known good state would be adequate to recover from a Wordpress compromise (excluding guessable passwords). This is the case with the UNIX password database and any similarly implemented system. Because of the vulnerability I mentioned, this is not the case for Wordpress.
> >
> > So I also thought it important to describe the workarounds and fixes. If these were obvious, Wordpress would have already applied them. Some commenters did not think that the current password scheme needs to be, or can be, improved, despite techniques to do so being industry standard for decades. Clearly this misconception needs to be corrected.
> >
> > I did mention that this was being exploited, so obviously some people already know about the problem, but not the right ones. Before I sent the disclosure, there was no effort being put into fixing the problem. Now there is. Hopefully blog administrators will also apply the work-arounds in the meantime.
> >
> > Steven.
> >
> > --
> > w: http://www.cl.cam.ac.uk/users/sjm217/
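The two messages above describe the same defect from two angles: an authentication cookie that is a pure function of the password (MD5(MD5(password)), as Steven puts it) never expires, survives a database restore, and can be replayed by anyone who sniffed it, stole it via XSS or read it out of the table. The Python below is an added example written for this page, not WordPress code and not the fix the project later shipped: it shows the described scheme beside the "better session management" the thread asks for, namely random server-side session tokens that expire, can be revoked on a password change, and are stored only as digests so a database read yields nothing replayable. Class and function names, the TTL and the fake clock are assumptions.

```python
import hashlib
import secrets
import time


def legacy_cookie_value(password):
    """The scheme the thread describes: the auth cookie carries MD5(MD5(password)).
    It is a pure function of the password, so it never expires, any copy (sniffed,
    stolen via XSS, or read from the database) works until the password changes,
    and a guessed value can be tested by simply presenting it."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5(inner.encode("utf-8")).hexdigest()


class SessionStore:
    """Hardened replacement: random, expiring, revocable server-side sessions.

    Only a SHA-256 digest of each token is stored, so reading the session table
    yields nothing that can be replayed as a cookie. The clock is injectable so
    expiry can be exercised deterministically."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._by_digest = {}          # digest -> (username, expires_at)
        self.ttl = ttl_seconds
        self.clock = clock

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, username):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._by_digest[self._digest(token)] = (username, self.clock() + self.ttl)
        return token                        # this value goes into the Set-Cookie header

    def user_for(self, token):
        """Username for a presented cookie, or None if unknown, expired or revoked."""
        key = self._digest(token)
        entry = self._by_digest.get(key)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            del self._by_digest[key]
            return None
        return username

    def revoke_user(self, username):
        """Invalidate every session of a user, e.g. on password change or suspected theft."""
        stale = [d for d, (u, _) in self._by_digest.items() if u == username]
        for d in stale:
            del self._by_digest[d]
        return len(stale)

    def stored_rows(self):
        """What someone who can read the table would see: digests only."""
        return dict(self._by_digest)


def set_cookie_header(token):
    """Cookie attributes that blunt the sniffing (Secure) and XSS (HttpOnly) paths."""
    return "Set-Cookie: sid=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % token


def demo():
    """Constructed walk-through with a fake clock: valid, not leaked by a DB read, then expired."""
    now = [1_000_000.0]
    store = SessionStore(ttl_seconds=600, clock=lambda: now[0])
    tok = store.create("admin")
    before = store.user_for(tok)            # "admin"
    leaked = tok in store.stored_rows()     # False: the table holds digests, not tokens
    now[0] += 601
    after = store.user_for(tok)             # None: expired
    return before, leaked, after


if __name__ == "__main__":
    print(demo())
```

With this layout the recovery step Murdoch describes works as intuition says it should: restoring the database (or calling revoke_user after a password change) leaves an attacker's copied cookie worthless, and the brute-force-by-cookie path disappears because a presented value is a lookup key, not a hash of the secret being guessed.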
Re: [Full-disclosure] Cyber Jihad? Yeah, right...
http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENTS/CURRENT_E-Jihad?view=markup

Steven
http://www.securityzone.org

> Does anyone have a copy of e-jihad15.zip? I would like to see if there is something unique in the generated HTTP traffic that would be signature worthy?
>
> phunt
>
> --- worried security [EMAIL PROTECTED] wrote:
> > Cyber Jihad? Yeah, right...
> > Published: 2007-11-11, Last Updated: 2007-11-11 01:58:48 UTC by Marcus Sachs (Version: 1)
> >
> > In the news this past week were the ominous stories about a Cyber Jihad on November 11th. OK terrorists, it's November 11th and we haven't seen your little Jihad yet. As Johannes said in his diary a few days ago, it seems to have been called off. What happened? If there are any terrorists hanging out here reading this diary I'd like to hear from you. Please use our contact page.
> >
> > http://isc.sans.org/diary.html?storyid=3633
Re: [Full-disclosure] Port scanning question...SYN/FIN ... SYN/ACK
Well, it's not that I can really argue that most of the content on this list is really in line with the list charter or the idea of full disclosure, but asking a basic question about scanning doesn't exactly fit either. I'd suggest Google (as mentioned) or subscribing to a list such as http://www.securityfocus.com/archive/105

Steven
http://www.securityzone.org

> --On Monday, November 12, 2007 20:34:03 +1100 Abuse 007 [EMAIL PROTECTED] wrote:
> > Kelly,
> > Try searching google. Read port scanning papers and port scanners documentation. Please.
>
> That's what I love about this list. There are so many helpful, caring people here. :-)
>
> The OP might want to try these for a basic understanding:
> http://nets.rwth-aachen.de/content/teaching/lectures/sub/sikon/sikonSS07/12_ID_4P.pdf
> http://insecure.org/nmap/man/man-port-scanning-techniques.html
>
> --
> Paul Schmehl ([EMAIL PROTECTED])
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
Re: [Full-disclosure] mac trojan in-the-wild
> --On November 1, 2007 10:14:50 PM -0400 Jay Sulzberger [EMAIL PROTECTED] wrote:
> > On Thu, 1 Nov 2007, Paul Schmehl [EMAIL PROTECTED] wrote:
> > > --On November 1, 2007 6:31:39 PM -0400 Adam St. Onge [EMAIL PROTECTED] wrote:
> > > > So if I put a picture of a naked girl on a website and said to see more you must open a terminal and enter rm -rf. Would we consider this a trojan... or just stupidity?
> > >
> > > I would consider it stupidity to think that that is comparable to a trojan.
> > >
> > > Paul Schmehl ([EMAIL PROTECTED])
> >
> > I think, under the standard Unix system of permissions, this is a Trojan. Under the standard Unix system of permissions, every application running in my home directory can issue an 'rm -rf /home/me' and, without proper near-in-time backup, cause me much annoyance. The defect lies in the system of permissions. There exist systems of rolling off-machine backups and minimum privilege permissions systems, but they are not yet standard.
>
> Perhaps you don't understand what a trojan is. Its purpose is to take control of a machine to use it for purposes other than those to which its owner would put it and without the owner's knowledge or permission. Destroying the machine is contrary to the design and purpose of a trojan.

Not really. Remember that the term trojan, as it applies to a computer program, comes from the large horse from the Trojan war. The point of the program is that it appears to have a use/functionality other than what its real purpose is. You let your guard down thinking it's something else. It will generally also remain stealthy to a degree, but what it does is up to the designer. Install an IRC back door, echo funky text to your win.ini, or rm your whole file system... well, that's up to the _trojan_.

> Paul Schmehl ([EMAIL PROTECTED])
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
Re: [Full-disclosure] Spike in SSH scans
ISC just put up a diary on it that has a little bit more information for anyone interested:
http://isc.sans.org/diary.html?storyid=3529

Steven
www.securityzone.org

> I saw an unusually high volume of scans between 2200 and last night on my residential connection. They all made their initial probe using 'mysql' as the user. On average it looks like each of them made around 15 attempts, which is fairly low, and points to a scanner smart enough to recognize that it's been firewalled out. So far, nothing out of the ordinary at work or on dedicated servers. Maybe it's only targeting consumer connections? FWIW, my residential IP is in 75.65/16.
>
> -s
>
> On Sun, 21 Oct 2007 21:20:38 -0600 James Lay [EMAIL PROTECTED] wrote:
> > Anyone else seeing these? Started about 3 hours ago.. here's a snippet:
> >
> > 21:19:09 192.168.0.3 snort[577]: [1:2006435:3] BLEEDING-EDGE SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool [Classification: Misc activity] [Priority: 3]: {TCP} 203.173.40.167:21823 - 192.168.0.2:22
> >
> > And a current list of hits in the last 3 hours:
> >
> > 124.39.168.43 129.13.250.46 145.253.128.85 148.245.157.217 149.99.20.238 161.106.180.173 193.158.0.195 194.25.114.106
> > 195.113.185.38 195.138.155.54 195.228.238.186 195.56.72.157 195.73.54.73 200.126.111.38 200.62.177.91 200.79.37.194
> > 201.16.17.246 201.216.245.25 201.245.109.170 211.139.69.28 212.101.30.8 212.202.248.130 212.248.23.6 213.136.105.130
> > 213.156.69.126 213.186.47.65 213.255.77.62 213.35.211.206 213.66.184.110 213.84.74.76 216.193.233.168 217.110.171.150
> > 217.113.71.130 217.151.68.244 217.156.103.234 217.160.19.157 217.71.214.191 218.207.69.8 218.249.108.166 60.12.130.117
> > 62.105.180.178 62.112.158.141 62.218.215.134 62.65.142.213 62.76.246.253 64.81.228.200 66.236.209.227 67.118.242.129
> > 67.132.173.150 70.107.224.252 70.151.62.113 72.248.139.227 77.104.241.141 80.200.249.230 80.201.241.44 80.33.222.48
> > 80.51.139.82 80.55.142.66 81.180.88.6 81.68.198.23 81.75.124.51 82.103.102.12 82.141.44.153 82.239.231.89
> > 83.15.246.226 83.151.18.189 83.19.34.46 83.227.183.88 83.236.170.54 83.246.96.38 83.246.96.54 83.65.141.94
> > 85.114.130.199 85.120.129.130 85.17.10.106 85.214.54.182 85.48.224.186 87.127.193.225 88.32.56.1 89.110.147.183
> > 89.171.12.78 91.192.189.19
> >
> > James
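The two observations in this thread, many distinct sources each making only a handful of attempts, and a first probe as user 'mysql', are exactly what a small triage script over the alert and sshd logs can surface. The Python below is an added example, not part of the thread: it parses Snort alert lines in the format James quoted, counts hits per source for the LibSSH signature, joins in sshd "Invalid user" lines to show which usernames each source tried, and gives a rough characterisation of the activity. The log lines are constructed from the one quoted above (the IPs are from James's list); the second signature id and the sshd line are placeholders, and the thresholds are assumptions.

```python
import re
from collections import Counter

# Alert format as quoted in the thread: gid:sid:rev, message, classification, priority,
# then proto and src:port -> dst:port. The arrow is matched loosely because archived
# copies often mangle "->" into "-".
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -+>? (?P<dst>[\d.]+):(?P<dport>\d+)"
)
# sshd's own record of the username tried (line shape as logged by OpenSSH).
SSHD_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<src>[\d.]+)")

LIBSSH_SID = "2006435"

# Constructed log lines modelled on the quoted alert; sid 9999999 is a placeholder.
SAMPLE_LINES = [
    "21:19:09 192.168.0.3 snort[577]: [1:2006435:3] BLEEDING-EDGE SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool [Classification: Misc activity] [Priority: 3]: {TCP} 203.173.40.167:21823 - 192.168.0.2:22",
    "21:20:41 192.168.0.3 snort[577]: [1:2006435:3] BLEEDING-EDGE SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool [Classification: Misc activity] [Priority: 3]: {TCP} 124.39.168.43:44012 -> 192.168.0.2:22",
    "21:22:05 192.168.0.3 snort[577]: [1:2006435:3] BLEEDING-EDGE SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool [Classification: Misc activity] [Priority: 3]: {TCP} 129.13.250.46:51200 -> 192.168.0.2:22",
    "21:22:06 192.168.0.3 snort[577]: [1:2006435:3] BLEEDING-EDGE SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool [Classification: Misc activity] [Priority: 3]: {TCP} 129.13.250.46:51201 -> 192.168.0.2:22",
    "21:23:11 192.168.0.3 snort[577]: [1:9999999:1] PLACEHOLDER unrelated alert [Classification: Misc activity] [Priority: 3]: {TCP} 10.9.8.7:1234 -> 192.168.0.2:80",
    "21:23:12 192.168.0.2 sshd[812]: Invalid user mysql from 129.13.250.46",
]


def parse_alert(line):
    """Fields of one Snort alert line, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines, sid=LIBSSH_SID, dport="22"):
    """Per-source hit counts for one signature, plus the usernames each source tried."""
    hits = Counter()
    users = {}
    for line in lines:
        a = parse_alert(line)
        if a and a["sid"] == sid and a["dport"] == dport:
            hits[a["src"]] += 1
            continue
        m = SSHD_RE.search(line)
        if m:
            users.setdefault(m["src"], set()).add(m["user"])
    return hits, users


def classify(hits, many_sources=10, many_hits=20):
    """Rough shape of the activity: one noisy host, or many hosts each making a few attempts
    (the pattern -s describes above)."""
    if not hits:
        return "nothing matched"
    peak = max(hits.values())
    if len(hits) >= many_sources and peak < many_hits:
        return "distributed: %d sources, max %d hits each" % (len(hits), peak)
    if peak >= many_hits:
        return "single-source brute force from %s" % hits.most_common(1)[0][0]
    return "low volume: %d sources" % len(hits)


if __name__ == "__main__":
    hits, users = summarize(SAMPLE_LINES)
    print(hits.most_common(), users, classify(hits))
```

Run over a real day's worth of alerts the per-source counts make the "around 15 attempts each" observation measurable, and the join on sshd's "Invalid user" lines tells you whether the same scanner is behind every source (one username list) or several campaigns overlap.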
Re: [Full-disclosure] If internet goes down out of hours, we're screwed
I think you guys are both mixing up CERT (cert.org) and US-CERT (us-cert.gov) -- both of which have very different functions. As mentioned though, you probably wouldn't want to call either if your Internet goes down.

Steven

> On Mon, 08 Oct 2007 19:55:59 BST, worried security said:
> > If your internet goes down out of business hours, don't expect anyone to answer you from CERT.
>
> Actually, if your internet goes down, you should probably be calling your ISP, not US-CERT. The vast majority of down conditions are networking issues, not security issues. And if you're being DDoS'ed, you're *still* going to need to deal with your ISP because some NOC monkey is going to need to do the mitigation, and the CERT guys aren't going to be able to do anything for you with that anyhow.
>
> > Email: mailto:[EMAIL PROTECTED] (monitored during business hours)
>
> Which is as it should be - if you look at the things that are actually within their purview, it's reasonable to expect it to *not* be a 24/7 mailbox. There are *other* venues that deal with the sort of things that happen at 2:30AM and can't wait until 8AM for resolution, and they *are* monitored 24/7. The mere fact that you haven't been invited to participate in those venues doesn't mean they don't exist.
>
> Besides which you overlooked the most obvious point of all: If your internet is down, you can't e-mail anybody anyhow.
Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug
So are we dealing with an RDCB (Recently Disclosed Calculation Bug) or was this just a mistake?

Steven

> Actually, I see 5.1005 in both browsers.
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.eweek.com/cheap_hack/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]
Re: [Full-disclosure] 0day: PDF pwns Windows
Nice, sounds almost exactly like what I said a few days ago. Good to see the bullet-proof wikipedia has my back.

Steven
www.securityzone.org

> http://en.wikipedia.org/wiki/0day
>
> /thread
>
> --=Q=--
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason
> Sent: Tuesday, September 25, 2007 11:55 AM
> To: J. Oquendo
> Cc: Chad Perrin; pdp (architect); Gadi Evron; [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk; Crispin Cowan
> Subject: Re: [Full-disclosure] 0day: PDF pwns Windows
>
> J. Oquendo wrote:
>
> Jason wrote:
>
> You present a valid position but fall short of seeing the whole picture. As an attacker, nation state or otherwise, my goal being to cripple communications, 0day is the way to go. Resource exhaustion takes resources, something the 0day can deprive the enemy of.
>
> Counterpoint... You're trying to shoot me down with 0day crap:
>
> You -- 0day attack -- My Infrastructure
> Me -- Botnet -- Your infrastructure
>
> Perhaps, if you can catch me everywhere I can be. The problem is that my attacks, using my 0day, are run from your infrastructure by my forward teams, long entrenched in your society.
>
> If I want to knock out your infrastructure to render it unusable I'm going to do it in a way that I can either
> - control when and how it goes down and make it resistant to restore efforts (exploiting vulns to gain control)
> - destroy it entirely, causing you to expend massive resources to rebuild it
>
> Never having to consume any resources other than a point and click shoot em up attack, I necessarily won't even have to use my own resources. So shoot away as your network becomes saturated.
>
> Knocking out infrastructure with attacks is a far more effective strategy. You can control its timing, launch it with minimal resources, from anywhere, coordinate it, and be gone before it can be thwarted. The botnet would only serve as cover while the real attack happens.
>
> In a strategic war, most countries aim to eliminate supply points and mission critical infrastructure as quickly as possible. In a cyberwarfare situation, me personally, I would aim to 1) disrupt/stop via a coordinated attack whether it's via a botnet or something perhaps along the lines of a physical cut to a nation's fiber lines. 0day would only serve me afterwards to perhaps maintain covert states of communication. Maybe inject disinformation through crapaganda. Imagine an enemy's entire website infrastructure showing tailored news... Would truly serve a purpose AFTER the attack, not during.
>
> You don't start that after the fact, you start it before, maintain it during, and follow through to victory. I am more inclined to believe that botnets in use today really only serve as cover, thuggish retribution, and extortion tools, not as effective tools of warfare. No real warfare threat would risk exposing themselves through the use of or construction of a botnet.
>
> Luckily for most companies and government, botnets aren't being used for their full potential. And I don't mean potential as in they're a good thing. I could think up a dozen cyberware scenarios in minutes that would cripple countries and businesses. I believe countries, providers and governments should at some point get the picture and perhaps create guidelines to curtail the potential for havoc - imagine hospitals being attacked and mission critical life saving technologies taken offline.
>
> The botnet still only serves as cover for this activity. It is a tool, like the rest, but not a primary weapon for use in active wide scale infrastructure dos. Taking out infrastructure on a wide scale using resource exhaustion requires too much resource.
Re: [Full-disclosure] 0day: PDF pwns Windows
Not in my book. I guess the people on this list are working off too many different definitions of 0day. 0day to me is something for which there is no patch/update at the time of the exploit being coded/used. So if I code an exploit for IE right now and they don't patch it until April September 2008, it's a 0day exploit for a year. It's not necessarily new and it doesn't have to be used maliciously. If I code an exploit (for which there is no patch) and use it on my own servers, does that mean it's not 0day? I don't think so. If my WordPress blog gets owned by pwnpress, that's not 0day.. there's patches/updates for everything on there. It just makes me an idiot for not upgrading. Now if I get hit with some WP exploit that's not patched, then that's another [0-day] story.

Steven
securityzone.org

> Gadi Evron wrote:
> > Impressive vulnerability, new. Not a 0day. Not to start an argument again, but fact is, people stop calling everything a 0day unless it is, say WMF, ANI, etc. exploited in the wild without being known. I don't like the mis-use of this buzzword.
>
> I respectfully disagree. By your definition, we have:
> * new vulnerability is just what it sounds like
> * 0day is a new vulnerability that comes to public attention because someone used it maliciously
>
> But then there is the important concept of the private 0day, a new vulnerability that a malicious person has but has not used yet. Does it really matter how the new vulnerability came to light? Do you really want to get into arguments about whether the person who discovered it was malicious? Especially for private 0days where the discoverer may be sitting on his discovery for some time, waiting for the highest bidder to buy his result. If he sells it to criminals, then it becomes an 0day, and if he sells it to a vulnerability marketing company, then it is something else. I don't like this chain of logic.
>
> Whether a new vulnerability is an 0day or not depends entirely too much on the disclosure process, with funky race conditions in there. Rather, I just treat 0day as a synonym for new vulnerability and don't give a hoot about the alleged intentions of whoever discovered it. What makes it an 0day is that whoever is announcing it is first to announce it in public. You could only invalidate the 0day claim by showing that the same vulnerability had previously been disclosed by someone else.
>
> Crispin
>
> --
> Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
> Director of Software Engineering http://novell.com
> AppArmor Chat: irc.oftc.net/#apparmor
Re: [Full-disclosure] Symantec Contact?
I'm not sure exactly why they do not accept submissions from the general non-customer public, but I am sure there is a good reason. Chances are the most likely have the sample you are coming across from one source or another. They probably also get a much larger number of duplicates for something they already detect as a result too. If you're not a customer and you're submitting it, you might not realize they already detect it. If you put it in VirusTotal or one of those sites -- they're probably going to get it from them anyway. :D I have submitted through the Gold and Platinum support before and received pretty quick updates to the general virus definitions. If not there, they usually fire them out in an optional rapid release (not tested for everyone or every product). Personally, I haven't really run into massive delays in my past experiences with them. Steven securityzone.org What's really Sad is that Symantec does not have an option for the general public (i.e. Independent Virus Researchers) to submit virus samples . You have to either A. Submit it through their product. B. Have a Corporate Support contract. Guess they don't want new samples. -S On 9/17/07, Joel R. Helgeson [EMAIL PROTECTED] wrote: Symantec is notoriously slow to release AV updates, because while they may have the AV signature available within the hour, they hold it back until they have the signature configured and working for all versions of all their products running on all platforms, which at last count was over 2.45 gazillion (and counting). They state that they don't want to issue partial releases for different products, which makes sense. If you have version xxx..z of the definition file, then you're covered against the FOO variant of the BAR virus, irrespective of whatever Symantec application, platform, or version you're running. The downside is that they take a LONG time to release signatures, as you have now seen. 
I do not use Symantec, as too often they have been the single point of failure in the enterprise, and one should not underestimate the system slowdown brought on by 15 years of code bloat. -joel -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Beauchamp, Brian Sent: Monday, September 17, 2007 12:28 PM To: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Symantec Contact? That's where I submitted our file to yesterday. It's funny that less then 5 minutes ago I received an email that the defs had been updated to include this variant. From: Theodore Pham [mailto:[EMAIL PROTECTED] Sent: Mon 9/17/2007 1:13 PM To: Beauchamp, Brian Subject: Re: [Full-disclosure] Symantec Contact? Submit the sample to Symantec via http://www.symantec.com/avcenter/submit.html They've been pretty responsive in the past, though I haven't needed to submit a sample in over a year. Ted Pham Information Security Office Carnegie Mellon University Beauchamp, Brian wrote: Does anyone have a contact within symantec? We have numerous infections of the W32/Sdbot-DHS worm (http://www.sophos.com/virusinfo/analyses/w32sdbotdhs.html). Most major AV vendors are updating their definitions to block it, one of them isn't Symantec. We have created a removal kit but the machines keep being reinfected since they cannot all be disinfected at once (limited network access). We have submitted a virus sample last week and have contacted our sales rep neither are giving a helpful response. Aside from cutting over to sophos AV client, Any ideas? ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. 
Re: [Full-disclosure] Interesting fun with Cisco VPN Client Privilege Escalation Vulnerabilities
I went to the below URL you referenced (http://www.cisco.com/cgi-bin/tablebuild.pl/windows?psrtdcat20e2), logged in, and it works fine for me with a listing of all the clients to download. vpnclient-win-msi-5.0.01.0600-k9.exe VPN Client Software for 2000/XP/Vista - Microsoft Installer 5.0.01.06 23-JUL-2007 10676224 I would suggest getting an account if you do not have one. That would definitely make downloading the client from that URL a lot easier. Steven securityzone.org Hey All! So, as an exercise just for giggles, I attempted to get a fix for this. Reference: http://www.cisco.com/warp/public/707/cisco-sa-20070815-vpnclient.shtml As we are just a shop, we do not have a Cisco contract. Here's where the fun starts. From the above: 1. Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. +1 800 553 2447 (toll free from within North America) +1 408 526 7209 (toll call from anywhere in the world) e-mail: [EMAIL PROTECTED] Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. You'll need a LOT more than just the site and serial number...you'll need to be registered with Cisco or provide them with: REQUIRED INFORMATION * CONTACT NAME: * CONTACT PHONE NUMBER: * CONTACT CISCO.COM USERID (if one exists): * CONTACT EMAIL ADDRESS: * CONTRACT #: * SERIAL #: * PRODUCT TYPE (Model Number): * SOFTWARE VERSION: * COMPANY NAME: * EQUIPMENT LOCATION (Address): * BRIEF PROBLEM DESCRIPTION: 2. Cisco will make free software available to address these vulnerabilities for affected customers. This advisory will be updated as fixed software becomes available.
Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Not true. My router is out of warranty, so Cisco is telling me that I'm out of luck as follows: The product that you requested support for is an older product that has passed the warranty period date for that product. Once a product becomes End of Sale, it is supported for three years beyond the End of Sale date and then becomes End of Support. After that point, we recommend that you contact your Cisco point of sale to discuss migrating your old equipment to newer supported technology. Cisco Partners, Resellers, and internal Cisco Sales Teams often have special offers and technology migration programs available. 3. The last gig is: The Cisco VPN Client for Windows is available for download from the following location on cisco.com: http://www.cisco.com/pcgi-bin/tablebuild.pl/windows?psrtdcat20e2 Heh..nothing there. Interesting...VERY interesting ;) James ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] ISP Censorship
Also, if everyone saw the update from yesterday, it was apparently an erroneous action by a third-party: AT&T Inc said on Thursday a company it hired to handle the cybercast of a live concert by U.S. rock band Pearl Jam erroneously omitted lyrics criticizing U.S. President George Bush that were in a song performed by the band. Those lyrics in no way, shape or form, are something that should have been edited, AT&T spokesman Michael Coe said. -Reuters (http://www.reuters.com/article/entertainmentNews/idUSN091821320070809) Maybe that's passing the buck after being called out, OR *maybe* it was just an accident without a conspiracy theory behind it. Steven securityzone.org On 8/9/07, Stack Smasher [EMAIL PROTECTED] wrote: If anyone out there was doubting Dan Kaminsky at Blackhat/DefCon this year, it has already started. http://www.reuters.com/article/technologyNews/idUSN091821320070809?feedType=RSS&rpc=22&sp=true This isn't really ISP censorship. AT&T is an ISP, but in this case, they were acting as a broadcaster. Whether or not you agree with what AT&T did, the fact is that, as a broadcaster/publisher of a concert, they have every right to edit it as they see fit. Was it a stupid thing to do? Yes, if just because it's a horrible PR move. Was it *ISP* censorship? No, because they weren't editing a third-party site so their subscribers get different content than the rest of the world. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Am I missing anything ?
Just a few additions/ideas: You have RFI but not LFI.. so add that. I'd also say general input validation as some others mentioned. This ties into your XSS (persistent or otherwise) and some of your other issues like injecting code/iframes/xss etc into forums and so on. Also, as mentioned, a big one is sessions and user privilege management. If sessions are predictable or don't expire (think the Orkut posts recently) this can be a problem. Also, there are additional things you can look for like tying a session to IP address or checking things that are passed by the browser. This would include HTTP REFER/REFERRER which can also be a security issue if relied on too heavily. On the user management side, checking things like elevating privileges and whatnot are big issues. Or verifying a user can take a certain action like changing passwords for their account only etc. Look for weak methods of password resetting. This can be a DoS to users or it can be predictable resulting in account compromise. Also, username enumeration due to poorly implemented features like this as well at login/password reset prompts. A few other things come to mind but I think what you've got plus all these responses should be more than enough to bore/excite an audience with. :) Steven securityzone.org Hi All, Just wondered if I am missing anything important. Am planning to give a talk on web security. Is there any other technique other than the following I have to speak about? 1) XSS 2) CSRF 3) SQL Injection 4) AJAX/JSON hijacking 5) HTTP response splitting 6) RFI 7) CRLF 8) MITM Thanks Deepan ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
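The two password-reset failure modes the reply above names (a reset that is a DoS on the victim or that hands out a predictable token, and username enumeration at the reset prompt) side by side with a hardened flow. This is an added example, not code from anyone in the thread; the user store, the mail outbox and the token lifetime are constructed for the demo.

```python
"""Password-reset flow: enumerating responses and a predictable token,
beside a hardened version. Added example; not code from the thread."""
import hashlib
import hmac
import secrets
import time

# Constructed user store for the demo (not a real account database).
USERS = {"alice": {"email": "alice@example.test"}}
GENERIC_MSG = "If that account exists, a reset link has been sent."
TOKEN_TTL = 15 * 60   # seconds a reset token stays valid (assumed policy)
PENDING = {}          # sha256(token) -> (username, expiry); plaintext token never stored
OUTBOX = []           # stands in for the mail transport


# --- vulnerable variants ----------------------------------------------------

def request_reset_vulnerable(username):
    """Leaks whether the account exists: the two branches answer differently."""
    if username not in USERS:
        return "No such user."
    return "Reset link sent to %s" % USERS[username]["email"]


def make_token_vulnerable(username, now):
    """Token derived from public inputs (name + minute of the request). Anyone
    who knows the victim's username and roughly when the reset was requested
    can recompute it and take over the account."""
    material = "%s:%d" % (username, int(now) // 60)
    return hashlib.md5(material.encode()).hexdigest()


# --- hardened variants ------------------------------------------------------

def request_reset_hardened(username, now=None):
    """Same response whether or not the user exists. Nothing about the account
    changes at this step, so flooding requests cannot lock a victim out (the
    DoS case); only redeeming the token does anything."""
    now = time.time() if now is None else now
    if username in USERS:
        token = secrets.token_urlsafe(32)                 # 256 bits from the CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        PENDING[digest] = (username, now + TOKEN_TTL)
        OUTBOX.append((username, token))                  # would be e-mailed
    return GENERIC_MSG


def redeem_token(token, now=None):
    """Single-use and time-limited. The hash comparison is constant-time so
    response timing cannot confirm a partially correct guess."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    for stored, (username, expiry) in list(PENDING.items()):
        if hmac.compare_digest(stored, digest):
            del PENDING[stored]                           # burn it, valid or not
            return username if now <= expiry else None
    return None
```

One enumeration channel survives in the hardened version: the request does more work for a real account (token generation, mail delivery) than for an unknown name, so response timing can still differ. Queue the work or perform an equivalent dummy step for unknown names if that matters in your threat model.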
Re: [Full-disclosure] Can CERT VU#786920 be right?
Did they fix this already because all I see when I go to your URL is: II. Solution We are currently unaware of a practical solution to this problem. Unregister the AIM protocols Disabling the AIM protocol handler may mitigate this vulnerability. To unregister the protocol handlers, delete or rename the following registry keys: HKEY_CLASSES_ROOT\AIM Block access to aim: URIs Administrators may partially mitigate this vulnerability by blocking access to the aim: URI using proxy server access control lists or the appropriate content filtering rule. Nothing about the aol:. Steven I sent the following to CERT (a few hours ago, no reply yet): In http://www.kb.cert.org/vuls/id/786920 you wrote: Disabling the AIM protocol handler will mitigate this vulnerability. To unregister the protocol handlers, delete or rename the following registry keys: HKEY_CLASSES_ROOT\AOL I believe that renaming that key does NOT unregister the handler. Windows looks for registry values of URL Protocol (almost?) anywhere within the registry, not just (directly) under HKCR. And anyway, how would renaming AOL to XYZ affect the AIM handler... Now I wonder if they can in fact be right... please enlighten me. Cheers, Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney, Australia ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [Humor] [archivists] National Archives timestamp(fwd)
Finding collisions is definitely one piece. The other is that you can argue about SHA-1 being the Federal standard. Is it used more due to widespread use in existing applications? Yes. However, all Federal agencies (and people in general) should stop using it where possible. NIST has mandated by 2010 for most uses by Federal agencies. I guess we'll see how well that goes... --- March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224, SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all applications using secure hash algorithms. Federal agencies should stop using SHA-1 for digital signatures, digital time stamping and other applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010. After 2010, Federal agencies may use SHA-1 only for the following applications: hash-based message authentication codes (HMACs); key derivation functions (KDFs); and random number generators (RNGs). Regardless of use, NIST encourages application and protocol designers to use the SHA-2 family of hash functions for all new applications and protocols. --- Ref: http://csrc.nist.gov/CryptoToolkit/tkhash.html Steven securityzone.org They discover SHA256 but misunderstand somewhat. There will be cases where different files yield the same hash, but if the algorithm works as it should it will be infeasible to generate one given the desired hash value in any sufficiently simple way. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of J.A. Terranson Sent: Wednesday, July 11, 2007 12:25 AM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] [Humor] [archivists] National Archives timestamp(fwd) The Great Unwashed Masses discover SHA-256! -- Yours, J.A. Terranson sysadmin_at_mfn.org 0xBD4A95BF The real point is that you cannot harbor malice toward others and then cry foul when someone displays intolerance against you. 
Prejudice tolerated is intolerance encouraged. Rise up in righteousness when you witness the words and deeds of hate, but only if you are willing to rise up against them all, including your own. Otherwise suffer the slings and arrows of disrespect silently. Harvey Fierstein is an actor and playwright. -- Forwarded message -- Date: Tue, 10 Jul 2007 13:52:18 -0500 From: Brad Jensen [EMAIL PROTECTED] To: 'Bill Cribbs' [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: [archivists] National Archives timestamp For those who are not aware, there is a computational procedure you can do for any digital file, that creates a unique number, called a hash, that only matches that exact file. There is a Federal standard for one hashing algorithm, called SHA-1. That is a 160-bit number. More commonly used today is the SHA-256 hash, that generates a 256 bit number. Another term for this is 'digital thumbprint'. In the following discussion I am referring implicitly to the use of the SHA-256 hash. If you take a digital file 'A', and you change the order of two characters in the file, the hash becomes completely different. No two digital files will have the same thumbprint. You cannot predict what the thumbprint will be for a file. You cannot forge or modify a file to match an existing thumbprint. There are digital time stamping services on the internet that register these 'thumbprints' to prove a particular file existed at a particular date and time, and it has not changed. The US Postal Service offers a time stamping service for a small fee that they call an 'Electronic Postmark' but it only is kept for seven years. They also require the user to have a digital certificate to establish identity of the person time stamping the file. I propose something simpler. I propose that the National Archives create and offer a free time stamping service that does not require a digital certificate.
The purpose of this is to store and retrieve unique file identifiers that will establish that a file existed at a certain date and time, and has not changed. Then files can be archived in multiple locations across a distributed network, and their identity and authenticity will remain unquestionable. This service would be a public good, similar to the digital time source offered by the Navy, for example. The National Archives will keep these timestamps in perpetuity. They would basically be entries in a database, with a 32-byte thumbprint, date and time. They would be a public record, so anyone can look up a thumbprint and know the date and time it was registered. Can others see the value of this idea? I can write the basic software for this. One part would be a database for the National Archives with a web XML interface for registering and retrieving the thumbprints. It would include a feature to thumbprint each day's database entries, to eliminate any possibility of human
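The registry the forwarded message sketches (a 32-byte SHA-256 thumbprint plus a registration time, with each day's entries thumbprinted in turn), as an added example that is neither the poster's software nor anything the National Archives runs. It uses SHA-256 as the NIST text quoted above recommends, chains each daily digest to the previous one so back-dating an entry breaks every later digest, and the genesis value and the ISO timestamps are assumptions of the example.

```python
"""SHA-256 'thumbprint' registry with a hash-chained daily digest.
Added example; not the poster's or the National Archives' code."""
import hashlib
import json

GENESIS = "0" * 64   # chain start value; an assumption of this example


def thumbprint(data: bytes) -> str:
    """The 'digital thumbprint' of the message: SHA-256, hex-encoded (32 bytes)."""
    return hashlib.sha256(data).hexdigest()


class TimestampRegistry:
    """Append-only entries of (thumbprint, registration time). seal_day() covers
    that day's entries AND the previous digest, so altering or back-dating a
    past entry changes every digest published after it."""

    def __init__(self):
        self.entries = []        # list of {"thumbprint", "registered"}
        self.day_digests = {}    # "YYYY-MM-DD" -> hex digest
        self.last_digest = GENESIS

    def register(self, tp: str, when: str) -> int:
        if len(tp) != 64 or any(c not in "0123456789abcdef" for c in tp):
            raise ValueError("expected a hex SHA-256 thumbprint")
        self.entries.append({"thumbprint": tp, "registered": when})
        return len(self.entries) - 1

    def lookup(self, tp: str):
        """Public record: anyone can ask when a thumbprint was registered."""
        return [e["registered"] for e in self.entries if e["thumbprint"] == tp]

    def seal_day(self, day: str) -> str:
        todays = [e for e in self.entries if e["registered"].startswith(day)]
        material = self.last_digest + json.dumps(todays, sort_keys=True)
        digest = thumbprint(material.encode())
        self.day_digests[day] = digest
        self.last_digest = digest
        return digest


def verify_chain(entries, day_digests) -> bool:
    """Recompute the chain from scratch and compare with the published digests;
    a single altered, inserted or back-dated entry makes this return False."""
    last = GENESIS
    for day in sorted(day_digests):
        todays = [e for e in entries if e["registered"].startswith(day)]
        last = thumbprint((last + json.dumps(todays, sort_keys=True)).encode())
        if last != day_digests[day]:
            return False
    return True
```

The chain only proves what the registry itself recorded; to stop the operator from quietly rewriting history, the daily digest has to be published somewhere the operator does not control (the same reason the message wants a neutral public body to run it).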
Re: [Full-disclosure] XSS in CIA
I care.. nice observation And if you did'nt care you would'nt have taken the time to reply. Flawed logic. However, I think you don't really care because you didn't take the time to put your apostrophes in the right places. Also, I don't really understand the original post. He is cussing out someone for publishing something but tells them to STFU if they don't have anything to publish. You guys confuse me.. On 6/29/07, Slythers Bro [EMAIL PROTECTED] wrote: we don't care On 6/29/07, Tonu Samuel [EMAIL PROTECTED] wrote: http://www.foia.cia.gov/browse_docs_full.asp?title=foobar%3Cimg%http://www.foia.cia.gov/browse_docs_full.asp?title=foobar%3Cimg%25 20style='position:absolute;top:10px;left:100px;'%20% 20src= http://hosto.ru/znako/ban-prost.gif%3E BTW, f**k you who publish hashes. If you have nothing to publish, just STFU. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Squashing supposed hacker profiling
Amazing, you were able to find multiple instances where a script-based gender guesser was wrong? This is more profound than the initial research itself. I suppose I could post a series of 10 writings where it was correct, but what would that prove? Did you try reading this from the same page: - A few quick notes: * The system generates a simple estimate (profiling). While Gender Guesser may be 60% - 70% accurate, it is not 100% accurate. This is better than random guessing (50%), but should not be interpreted as fact. In particular, men should not be offended if it says you write like a girl. * People write differently in different forums. For example, a single writing sample may appear MALE for informal writing but test as FEMALE for formal writing. Be sure to interpret the results based on the appropriate writing style. (These notes, for example, are more informal/blog than formal/non-fiction.) * Many factors can impact the interpretation from any single person's writing. The content, knowledge of the material, age of the author, nationality, experience, occupation, and education level can all impact writing styles. For example, a woman who has spent 20 years working in a male-dominated field may write like her co-workers. Similarly, professional female writers (and experienced hobbyists) frequently use male writing styles. Gender Guesser does not take any of these factors into account. * Email can blur the lines between formal and informal writing styles. An informal email from a manager may have traces of formality, and a formal email from a 12-year-old is likely to be informal compared to a letter from a 40-year-old. Do not be surprised if email messages sent to public forums test incorrectly -- when writing for an audience, people commonly use informal words, phrases, and slang within a formal writing style. * Quotations, block quotes, and included text usually carries the gender from the initial author. Be sure to remove quoted text from any pasted content. 
Also, significant changes from a copy-editor can result in a different gender analysis. (A male editor may make a female author's news article appear MALE or as a Weak MALE.) * Lyrics, lists, poems, and prose are special writing styles. This tool is unlikely to classify these texts correctly. * The system needs a paragraph or two of text in order to observe word repetition. A good sample should have 300 words or more. Fewer words can lead to more variation in accuracy, and a single sentence is unlikely to generate an accurate result. Pasting the same text multiple times will not change the results! * People tend to write with consistent styles. If the system misclassifies a particular author, then other writings by the same author will likely be misclassified the same way. * And most importantly: This is an ESTIMATE. Please do not email me about instances where it made the wrong determination. (I've seen it generate incorrect results lots of times already.) I can't tell if you're trolling or you have actually taken the bait. You do realize the person that you were responding to in earlier posts is not actually Neal Krawetz, right? All female authors... Your so-called gender guessing mechanism is flawed either way you want to cut it. You could try fuzzy math based on theories to profile anyone on this list, but unless you have feasible and PROVEN without reasonable doubt, it's all a guessing game bottom line. Anyhow back to security, sociolinguistics is not meant for this list. According to Dr. Krawetz's Gender Guesser...
(http://www.hackerfactor.com/GenderGuesser.html#Analyze)

http://girlygeekdom.blogspot.com/
Genre: Informal Female = 104 Male = 602 Difference = 498; 85.26% Verdict: MALE
Genre: Formal Female = 116 Male = 239 Difference = 123; 67.32% Verdict: MALE
REALITY: WRONG

http://www.darkreading.com/blog.asp?blog_sectionid=342&WT.svl=blogger1_5
Genre: Informal Female = 442 Male = 555 Difference = 113; 55.66% Verdict: Weak MALE
Genre: Formal Female = 364 Male = 570 Difference = 206; 61.02% Verdict: MALE
REALITY: WRONG

http://invisiblethings.org/papers/joanna-talk_description-CCC04.txt
Genre: Informal Female = 218 Male = 1186 Difference = 968; 84.47% Verdict: MALE
Genre: Formal Female = 414 Male = 576 Difference = 162; 58.18% Verdict: Weak MALE
REALITY: WRONG

http://www.techsploitation.com/2007/05/31/what-the-hell-was-i-thinking-about-green-libertarians/ (text by Sue Lange)
Genre: Informal Female = 210 Male = 481 Difference = 271; 69.6% Verdict: MALE
Genre: Formal Female = 260 Male = 408 Difference = 148; 61.07% Verdict: MALE
REALITY: WRONG

http://thelizardqueen.wordpress.com/2005/06/08/a-thoroughly-and-utterly-girly-blog-post-sorry-4/
Genre: Informal Female = 415 Male = 559 Difference = 144; 57.39% Verdict: Weak MALE
Re: [Full-disclosure] Safari for Windows, 0day URL protocol handler command injection
Looks like a few others have been found: http://erratasec.blogspot.com/2007/06/nce.html Steven securityzone.org Apple released version 3 of their popular Safari web browser today, with the added twist of offering both an OS X and a Windows version. Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser. There is a URL protocol handler command injection vulnerability in Safari for Windows that allows you to execute shell commands with arbitrary arguments. This vulnerability can be triggered without user interaction simply by visiting a webpage. The full advisory and a working Proof of Concept exploit can be found at http://larholm.com/2007/06/12/safari-for-windows-0day-exploit-in-2-hours/ Cheers Thor Larholm -- I call dibs on the first SafariWin bug ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
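An added illustration of the bug class the advisory names, "URL protocol handler command injection": a handler registered as a command-line template into which the browser substitutes the URL, so a quote inside the URL closes the argument and the rest of the URL becomes extra arguments. This is not Thor Larholm's PoC and makes no claim about how Safari or any particular handler is written; the handler name, template and allowed scheme are hypothetical, and the tokenising uses POSIX rules (shlex) only to show the re-parsing, since Windows splits command lines by its own but similarly quote-sensitive rules.

```python
"""URL handler argument injection via template substitution, and the safe
hand-off. Added example; hypothetical handler, not Safari's or any vendor's code."""
import re
import shlex

# Typical registration: the URL replaces %1 in a command line that the OS
# later parses back into separate arguments.
HANDLER_TEMPLATE = 'handler.exe -url "%1"'        # hypothetical handler


def build_cmdline_vulnerable(url):
    """Textual substitution: a quote in the URL ends the argument and whatever
    follows is parsed as further arguments or options for the handler."""
    return HANDLER_TEMPLATE.replace("%1", url)


def parse_cmdline(cmdline):
    """Re-tokenise the way a launcher would (POSIX rules here, see lead-in)."""
    return shlex.split(cmdline)


SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)
FORBIDDEN = set('"\'\\ \t\r\n')   # quoting, whitespace and separators


def build_argv_safe(url, allowed_schemes=("myapp",)):
    """Validate the URL, then pass it as ONE argv element: no shell, no template
    string, so the handler receives exactly the string the page supplied.
    Rejecting single quotes is stricter than RFC 3986 requires; it is a
    deliberate trade-off for a handler reachable from any web page."""
    m = SCHEME_RE.match(url)
    if not m or m.group(0)[:-1].lower() not in allowed_schemes:
        raise ValueError("scheme not registered for this handler")
    if any(c in FORBIDDEN for c in url) or any(ord(c) < 0x20 for c in url):
        raise ValueError("URL contains quoting, whitespace or control characters")
    return ["handler.exe", "-url", url]
```

The fix the browser side has to apply is the same: never splice the URL into a command string; launch the handler with an argument vector, and check the scheme against what was actually registered before doing anything with it.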
Re: [Full-disclosure] Month of DoS Bugs (MODB)
How about a month of someone not suggesting and/or starting a month of anything bugs? Does that cancel itself out..maybe only if announced in advance? How about a month of annoying project ideas? Shirkdog ' or 1=1-- http://www.shirkdog.us From: Kristian Hermansen [EMAIL PROTECTED] To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] Month of DoS Bugs (MODB) Date: Sat, 9 Jun 2007 00:18:03 -0400 An entire month dedicated to denial of service would be quite entertaining... -- Kristian Hermansen ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] New Vulnerability against Firefox/ Major Extensions
We are also at risk from rogue developers, people that have hacked/poisoned your trusted DNS provider, those that have modified your /etc/hosts, /etc/resolv.conf, windows\system32\drivers\etc\hosts (and/or related files), people that have hacked the update server and put their own malicious version there, and the unlocked workstation attack from an attacker with a USB flash drive with a malicious update that might sit down at your workstation and -pwn- you. Steven This information also posted (with html link goodness) to http://paranoia.dubfire.net/2007/05/remote-vulnerability-in-firefox.html -- Executive Summary -- A vulnerability exists in the upgrade mechanism used by a number of high profile Firefox extensions. These include Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others, mainly commercial extensions. Users of the Google Pack suite of software are most likely vulnerable, as this includes the Google Toolbar for Firefox. The latest version of all of these listed, and many other extensions are vulnerable. This is not restricted to a specific version of Firefox. Users are vulnerable and are at risk of an attacker silently installing malicious software on their computers. This possibility exists whenever the user cannot trust their domain name server (DNS) or network connection. Examples of this include public wireless networks, and users connected to compromised home routers. The vast majority of the open source/hobbyist made Firefox extensions - those that are hosted at https://addons.mozilla.org - are not vulnerable to this attack. Users of popular Firefox extensions such as NoScript, Greasemonkey, and AdBlock Plus have nothing to worry about.
In addition to notifying the Firefox Security Team, some of the most high-profile vulnerable software vendors (Google, Yahoo, and Facebook) were notified 45 days ago, although none have yet released a fix. The number of vulnerable extensions is more lengthy than those listed in this document. Until vendors have fixed the problems, users should remove/disable all Firefox extensions except those that they are sure they have downloaded from the official Firefox Add-ons website (https://addons.mozilla.org). If in doubt, delete the extension, and then download it again from a safe place. In Firefox, this can be done by going to Tools > Add-ons. Select the individual extensions, and then click on the uninstall button. Frequently Asked Questions ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
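The advisory says the affected extensions are exploitable "whenever the user cannot trust their DNS or network connection", i.e. the update check is unauthenticated. Below is an added example of the check an updater has to make before installing anything: the manifest must arrive over an authenticated channel, the payload must match a hash carried in that manifest, and downgrades are refused. It is not Firefox's or any toolbar vendor's code; the JSON manifest is a constructed stand-in for whatever format a real updater uses, and the payload fetcher is injected so the check runs offline.

```python
"""Verify an extension update before installing it. Added example of the
mitigation; not Firefox's or any vendor's code. JSON manifest is a stand-in."""
import hashlib
import hmac
import json
from urllib.parse import urlparse


class UpdateRejected(Exception):
    pass


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def build_manifest(version, url, payload):
    """What the vendor's release step would publish: the payload hash travels
    in the manifest, so the payload itself may be served from anywhere."""
    entry = {"version": version, "url": url,
             "sha256": hashlib.sha256(payload).hexdigest()}
    return json.dumps({"updates": [entry]})


def check_update(installed_version, manifest_url, manifest_text, fetch_payload):
    """fetch_payload(url) -> bytes is injected (no network in the example).
    Returns (version, payload) to install, or None when nothing is newer."""
    # 1. The manifest decides what gets installed, so it must arrive over a
    #    channel a DNS spoofer on the coffee-shop Wi-Fi cannot write to.
    if urlparse(manifest_url).scheme != "https":
        raise UpdateRejected("update manifest must be fetched over https")
    manifest = json.loads(manifest_text)
    # 2. Never accept a downgrade: an attacker must not be able to push an
    #    older build with known holes.
    newer = [e for e in manifest.get("updates", [])
             if parse_version(e["version"]) > parse_version(installed_version)]
    if not newer:
        return None
    entry = max(newer, key=lambda e: parse_version(e["version"]))
    expected = entry.get("sha256", "")
    if len(expected) != 64:
        raise UpdateRejected("manifest entry carries no sha256 for the payload")
    # 3. The payload may come over plain http or a CDN; the hash binds it to
    #    the manifest, so a swapped file is rejected here.
    payload = fetch_payload(entry["url"])
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise UpdateRejected("payload does not match manifest hash")
    return entry["version"], payload
```

The https requirement only does its job if the client validates the server certificate against the right trust store; an updater that disables validation, or that would also accept an http manifest as a fallback, is back where the advisory starts. A signature over the manifest (instead of, or in addition to, TLS) is the stronger design because it also covers a compromised update server, which the first paragraph of the reply above lists among the remaining risks.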
Re: [Full-disclosure] WordPress Community Vulnerable
So do you think his two WordPress blogs (I am assuming here..looks a lot like WP, but I'm not pounding out GET requests to verify) were included in this survey that was done? I wonder if he's running a safe version? And as mentioned in one of his blog comments, version reporting isn't always reliable and patches that did not change the extractable version number could have also been applied. In any event, I think WordPress has increasingly become more secure. It's had a small rash of issues a few months back ranging from SQL injection to someone actually backdooring the source, but it's grown up quite a bit. I think someone would be hard pressed to actually come up with the Month of Wordpress bugs. The majority of all other recently reported issues have all been from third-party add-ons that aren't actually a part of WordPress. Steven securityzone.org Check out a recent survey of 50 WordPress blogs conducted at blogsecurity.net http://blogsecurity.net/ : http://blogsecurity.net/wordpress/articles/article-230507/ Can the Month of WordPress Bugs be far behind? Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blogs.eweek.com/cheap_hack/ http://blog.eweek.com/blogs/larry_seltzer/ http://blog.ziffdavis.com/seltzer Contributing Editor, PC Magazine [EMAIL PROTECTED] ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] WordPress Community Vulnerable
--On Thursday, May 24, 2007 09:44:02 -0500 Steven Adair [EMAIL PROTECTED] wrote: So do you think his two WordPress blogs (I am assuming here..looks a lot like WP, but I'm not pounding out GET requests to verify) were included in this survey that was done? I wonder if he's running a safe version? And as mentioned in one of his blog comments, version reporting isn't always reliable and patches that did not change the extractable version number could have also been applied. In any event, I think WordPress has increasingly become more secure. It's had a small rash of issues a few months back ranging from SQL injection to someone actually backdooring the source, but it's grown up quite a bit. I think someone would be hard pressed to actually come up with the Month of Wordpress bugs. The majority of all other recently reported issues have all been from third-party add-ons that aren't actually a part of WordPress. Yes, but the point of his post isn't that *Wordpress* is insecure. It's that blog owners are not updating their software to maintain security. While anyone in IT would go doh!, many in the real world might be surprised that the software has to be regularly updated and vigorously maintained to ensure ongoing security. This isn't exactly news for us, but it may well be for the blogosphere in general. Perhaps, but there is an assumption that may be incorrect that these blogs are insecure. Also, there is no mention of how the survey was done. I could probably go out and make a list of 2000 blogs where only one of them wasn't the latest version. I do understand his point though, and I guarantee you can find well over 50 older version WP blogs that are vulnerable. However, part of my response was geared towards Larry's post about the possibility of MoWPB (Month of WordPress Bugs) -- which is something I just don't see happening.
Steven -- Paul Schmehl ([EMAIL PROTECTED]) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] noise about full-width encoding bypass?
On 5/21/07, ascii [EMAIL PROTECTED] wrote: Brian Eaton wrote: To summarize what I've heard from various sources: I am missing something important. =) Both PHP and ASP.NET will decode these characters into their ASCII equivalents. (AFAIK) Only ASP.NET/IIS decodes that automatically. PHP *can* do that as like JSP and probably others but that has to happen explicitly in the application code or on an other layer. (Cracking up that somebody going by the handle ascii is commenting on character encoding issues. =) Given how few application platforms decode full-width unicode to ASCII equivalents, is there a case to be made that those application platforms that do decide this conversion is a good idea are broken? Put another way: should this be considered a bug in ASP.NET? I think you could be on either side, but I would lean towards this being a feature than a bug. Multiple products appear to do the decoding in the same manner and intentionally perform this function. However, the recent advisories that went out were geared towards IDS/IPS products that were not designed to be able to recognize such half-/full-width encoded traffic. Unless there is some RFC or generally followed documentation saying the traffic should not be encoded/decoded as such, I would continue to lean towards this being a feature. It just appears to be a place much of the IT (security) world has overlooked. Steven securityzone.org Regards, Brian ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
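The evasion the thread is about, as an added example that is not from any participant or IDS vendor: a path-traversal signature written in ASCII misses the same attack spelled with FULLWIDTH FULL STOP (U+FF0E) and FULLWIDTH SOLIDUS (U+FF0F), which a backend that folds full-width characters (ASP.NET, per the thread) will still turn into `../`. Unicode NFKC normalization performs that folding; the sample request path is constructed for the demo.

```python
"""Full-width encoding slipping past an ASCII signature, and the
normalization that closes the gap. Added example; not from the thread."""
import unicodedata
from urllib.parse import unquote

TRAVERSAL = "../"


def fold(s):
    """NFKC maps compatibility characters such as FULLWIDTH SOLIDUS (U+FF0F)
    and FULLWIDTH FULL STOP (U+FF0E) to their ASCII equivalents."""
    return unicodedata.normalize("NFKC", s)


def naive_match(raw_path):
    """Percent-decodes once, then looks for the ASCII signature. Never sees
    the full-width form, which is the gap the advisories describe."""
    return TRAVERSAL in unquote(raw_path)


def normalized_match(raw_path):
    """Decode as the backend does (percent-decoding to UTF-8), then fold,
    then match: what a platform that auto-folds full-width input will see."""
    return TRAVERSAL in fold(unquote(raw_path))


def wide_chars(s):
    """(char, ascii_equivalent) for every character NFKC would change;
    useful for logging what an evasion attempt actually contained."""
    return [(c, fold(c)) for c in s if fold(c) != c]
```

Apply the folding to the copy you match on, and only when the backend behind the sensor folds too: NFKC also rewrites ligatures, superscripts and similar characters, so an IDS that normalizes traffic bound for a PHP application that does no such decoding trades the false negatives above for false positives on the other side.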
Re: [Full-disclosure] Month of ActiveX Bug
I think a good share of the time, someone who states that a DoS may possibly lead to remote code execution is making such a statement for a couple of different reasons:

1) They found a DoS and truly have no idea whether or not it can cause remote code execution, due to not having the knowledge/skills necessary to check for it and/or lack of time to make such a determination.

2) They have seen characteristics that would indicate that remote code execution is possible but have not quite been able to nail down a working exploit, should one be possible.

I do not think the evidence quickly available to us would bring us to conclude most DoSes end up resulting in remote code execution -- or even have the ability to. I would agree saying often enough would be better than most. However, regardless of whether it results in remote code execution, I don't think a DoS should necessarily be discounted as frivolous or irrelevant. It might not rank up there with critical or high vulnerabilities, but it is a vulnerability nonetheless.

Steven securityzone.org

Ok, 'most' is probably bad wording on my part; how does 'often enough' sound? :)

Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code http://www.securityspace.com/smysecure/catid.html?id=57643

Buffer overflow in efingerd 1.5 and earlier, and possibly up to 1.61, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a finger request from an IP address with a long hostname that is obtained via a reverse DNS lookup. http://cve.mitre.org/board/archives/2003-03/msg00013.html

A BrightStor ARCserve Backup contains four vulnerabilities that can allow a remote attacker to cause a denial of service or possibly execute arbitrary code. http://packetstorm.linuxsecurity.com/0703-advisories/CAID-McAfee.txt

Note the use of 'possibly'. If it was possible then 'possibly' wouldn't be used. I'm not going to debate the validity of the Month of ActiveX Bugs because frankly I don't care, merely that a DOS can turn out to be more, and that at times either the researcher hasn't spent enough time on it, can't get the POC working, or lacks the skill to fully understand the problem. There have been multiple instances on the securityfocus lists throughout the years where a DOS suddenly became promoted to a remotely exploitable bug (i.e. another person found it was actually exploitable). I'm not going to find them and post them here, but a little googling can yield results.

- Robert http://www.cgisecurity.com/

Consider that most often a bug filed as DOS can actually be exploitable, but the person who discovered it can't get the POC working or isn't even aware it is. While command execution is the ideal goal it doesn't mean other types of issues are *completely* worthless.

Most often? How do you know that?

Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blogs.eweek.com/cheap_hack/ Contributing Editor, PC Magazine [EMAIL PROTECTED]
Re: [Full-disclosure] FW: Steganos Encrypted Safe NOT so safe
It is funny that this stuff ever comes to surface. Now I am wondering if this is a case of trying to spread FUD or someone who just didn't pay any attention to what was going on?

Steven securityzone.org

I forwarded the original issue to Steganos as I am a user of their software package. This is their reply and also posted on Security Focus.

Regards Dan

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, April 26, 2007 6:56 AM To: [EMAIL PROTECTED] Subject: Re: Steganos Encrypted Safe NOT so safe

In response to frankrizzo604's comment, Steganos would like to dispel the rumor that its Steganos Safe encryption software is easily cracked. Steganos Safe enables users to create any number of secure virtual drives in which data is safely stored and encrypted. However, frankrizzo604 goes through several steps 'teaching' users how to open others' encrypted files. In his last step, he claims Steganos will 'PUNISH you by resetting your encrypted drives passwords to 123 until you buy a registered copy', implying that the password feature can be circumvented, thus opening anyone's safe. He conveniently left out that before he was able to reset the password to 123, he had to enter his original password to open the safe. Then, he saw this message box: http://www1.steganos.com/support/screenshots/safe8_123_infobox.png

It is absolutely not possible to open any Steganos Encrypted File without having the original password. The Steganos support and development team reconstructed the process he described. It is not possible to open a Safe WITHOUT the original password. In the 2007 generation of Steganos products, Steganos decided to set the Safe attributes to write protect. Steganos would like its users to rest assured that their files are in fact still encrypted and safe from hackers.
Re: [Full-disclosure] A Botted Fortune 500 a Day
Is this in any way surprising? I think we all know the answer is no. Many Fortune 500 companies have more employees than some ISPs have customers. Should we really expect differently?

Also, as a side note, I would like to add that just because SPAM is coming from a certain gateway does not necessarily mean that the machines on their network are infected. We could assume this, but then again I would have to assume Microsoft's network is full of bots because I get SPAM originating from Hotmail.com. It might be logical in many cases to assume this, but it's worth noting this may not be the case.

Steven

Support Intelligence releases daily reports on different Fortune 500 companies which are heavily affected by the botnet problem, with many compromised machines on their networks. You can find more information on their blog: http://blog.support-intelligence.com/ They are good people, and they know botnets.

Gadi.
Re: [Full-disclosure] A Botted Fortune 500 a Day
On 13/04/07, Steven Adair [EMAIL PROTECTED] wrote:

Is this in any way surprising? I think we all know the answer is no. Many Fortune 500 companies have more employees than some ISPs have customers. Should we really expect differently?

Yes! Off the top of my head:

1. Corporations should have more of an economic incentive to prevent compromises on their internal networks. E.g. TJX breach could cost company $1B - http://weblog.infoworld.com/zeroday/archives/2007/04/tjx_breach_coul.html Now, a typical spambot will cost almost nothing compared with that, but the point is you don't know the extent of the compromise until you've examined the machines involved.

You list incentives but this doesn't mean I should really expect any differently. You are also equating a compromise into TJ MAXX servers for which details have not been given. I doubt and hope the same user that's an account for TJ MAXX and using e-mail isn't connected or able to get to a server that processes credit card transactions.

2. Corporations have a lot more influence over their employees' behaviour than ISPs do over their customers. Customers can walk away to a new ISP with minimal fuss if sanctions are threatened.

Well this is true, but you seem to be missing the point of the comparison. These are large corporations with tens of thousands (some more, some less) that are geographically dispersed across the countries. This isn't a small shop of 50 elite IT users. This is probably like most other places where 90% of the users can barely use Microsoft Word and Excel. Once again.. do I expect differently? No.

3. Corporations can lock down their firewalls a lot tighter than ISPs can. If my ISP blocked the way my employer does, I would be looking for a new ISP.

Sure they can in some instances. How would locking down a firewall stop this e-mail from going out? Maybe you can lock down SPAM firewalls but that doesn't stop the root cause. You have 100,000 users at a Fortune 500 company with admin access to their Windows laptops. Are you going to block them from using the Internet and using e-mail? If not, I am going to continue to expect them to keep getting infected.

4. ISPs don't own the data on their customers' computers. Corps very much do own most of the data on their employees' computers. Therefore they need to worry about confidentiality in a way that ISPs do not.

Well usually corporations not only own the data on the machines, they own the computers themselves as well. You are equating a need and want for protection with what would really be expected.

I used to look after security at a large-ish university and odd activity would stand out because there the baseline was largely 'normal' traffic. ISPs have little chance to detect 'odd' behaviour because everyone is doing 'odd' things. Corps should only have a very few 'odd' things happening on their networks and a single outgoing portscan or IRC session is grounds for serious concern. (Assuming IRC is forbidden by policy - if not, you can still profile the IRC servers you expect to be talking to and those you don't.) It's not hard to find infected machines at a corp.

Not sure last time you ever looked at XDCC/iroffer bots, but they can range from 10-50% .edu hosts. Universities are ripe for the picking. I've participated in UNISOG related lists and I know it's getting better, and just like any organization it can vary from location to location. I don't expect anything different here either.

Also, as a side note, I would like to add that just because SPAM is coming from a certain gateway does not necessarily mean that the machines on their network are infected. We could assume this, but then again I would have to assume Microsoft's network is full of bots because I get SPAM originating from Hotmail.com. It might be logical in many cases to assume this, but it's worth noting this may not be the case.

Based on the Received headers, or just on the From line? The latter is trivial to forge and has been routinely forged pretty much forever.

You are talking about forging a MAIL FROM field. This is not what I am talking about.

If Received headers show that mail has been relayed from within your organisation, then you have a serious problem, and it's better to learn of it by checking for outgoing spam than when someone notices something worse six months down the line.

There's a field in most mail programs where you can enter in an SMTP/IMAP/Exchange address etc. This allows you to send e-mail using that server. This does not mean you are located on the internal network for that server. In fact you could even be using a forwarder server that it doesn't show you. Hell, you could be using a web form or webmail. My point is that seeing a header from a particular location does not necessarily mean the sender is behind a firewall sitting on that network.

Do you want corporations to protect their data better? Absolutely
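Both halves of the exchange above come down to reading the Received hop chain rather than the envelope: the From line proves nothing, and a hop that names the corporate relay only tells you where the relay accepted the message, which may be an inside host or an outside client using the relay's submission service or webmail. The Python below is an added example for this archive, not code posted in the thread; the organisation's address ranges, relay name and the three sample messages are all constructed for it, and the classification labels are my own.

```python
import email
import ipaddress
import re

# Address space and outbound relay of a hypothetical organisation.
# Constructed for this example (RFC 5737 documentation ranges), not real.
ORG_NETWORKS = (ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.0.2.0/24"))
ORG_RELAYS = {"mail.example.com"}

# Matches the "from <helo> (<rdns> [<ip>]) by <server>" clause that MTAs
# write into Received headers; the reverse-DNS name in parentheses is optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:[^\s()\[\]]+\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)


def parse_hops(raw_message: str) -> list:
    """Return the parsed Received hops in transit order (earliest first).

    MTAs prepend Received headers, so header order is newest-first and has
    to be reversed to follow the path the message actually took.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        match = RECEIVED_RE.search(value)
        if match:
            hops.append({"helo": match["helo"], "ip": match["ip"],
                         "by": match["by"].lower()})
    return hops


def classify_origin(raw_message: str) -> str:
    """Say where the message entered the organisation's mail system.

    Only the first hop handled *by* one of our own relays is trustworthy:
    the 'from' address on that hop is where our relay really received it.
    Hops written by hosts we do not control can themselves be forged.
    """
    for hop in parse_hops(raw_message):
        if hop["by"] not in ORG_RELAYS:
            continue
        try:
            origin = ipaddress.ip_address(hop["ip"])
        except ValueError:
            return "unparseable"
        if any(origin in net for net in ORG_NETWORKS):
            return "internal-host"       # genuinely sent from inside the network
        return "external-submission"     # our relay was used, but from outside
    return "not-our-relay"               # From line only; nothing of ours relayed it


def _message(received_lines, sender):
    """Build a minimal RFC 5322 message from constructed header values."""
    headers = [f"Received: {line}" for line in received_lines]
    headers += [f"From: {sender}", "Subject: constructed sample", "", "body", ""]
    return "\n".join(headers)


# Three constructed messages, newest Received header first as in real mail.
SAMPLE_INTERNAL = _message([
    "from mail.example.com (mail.example.com [192.0.2.25]) by mx.recipient.test"
    " with ESMTP; Fri, 13 Apr 2007 10:00:02 +0000",
    "from desktop-123 (unknown [10.20.30.40]) by mail.example.com"
    " with ESMTP; Fri, 13 Apr 2007 10:00:01 +0000",
], "user@example.com")

SAMPLE_EXTERNAL = _message([
    "from mail.example.com (mail.example.com [192.0.2.25]) by mx.recipient.test"
    " with ESMTP; Fri, 13 Apr 2007 11:00:02 +0000",
    "from laptop ([198.51.100.7]) by mail.example.com"
    " with ESMTPSA; Fri, 13 Apr 2007 11:00:01 +0000",
], "user@example.com")

SAMPLE_FORGED = _message([
    "from zombie.example.net (unknown [203.0.113.9]) by mx.recipient.test"
    " with ESMTP; Fri, 13 Apr 2007 12:00:02 +0000",
], "user@example.com")


if __name__ == "__main__":
    for name, sample in (("internal", SAMPLE_INTERNAL),
                         ("external", SAMPLE_EXTERNAL),
                         ("forged", SAMPLE_FORGED)):
        print(f"{name}: {classify_origin(sample)}")
```

Only "internal-host" is evidence of an infected machine on the network; "external-submission" points at stolen credentials or an outside client using the relay, which is Steven's scenario, and "not-our-relay" is the plain forged From line. Received headers added by hosts outside your control are as forgeable as the From line, which is why the check anchors on the hop your own relay wrote.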
[Full-disclosure] Vulnerability Purchasing Program Questions
Greetings,

I would like to see if I could get the community's take on these vulnerability purchasing programs such as those offered by iDefense and 3COM. There have been previous discussions that I have seen on the lists surrounding poor monetary offerings of one program versus that of another. I've also seen people come out and mention they are affiliated with some program that will offer money for these vulnerabilities. This has led me to a few questions.

- Is there a general consensus as to what program is the best? I would imagine this primarily centers on monetary offerings, but I suppose there could be other considerations.

- If I normally work with vendors and disclose vulnerabilities for free, why would I not use one of these programs? I am making the assumption that we are working with a legitimate and responsible buyer. I have no intentions to sell to shady buyers/foreign governments/etc and would like to keep the assumption the buyer is legitimate.

- Do we know that the buyers are always legitimate and responsible? Has anyone ever suspected wrongdoing or felt they have been wronged by one of the more popular and legitimate buying services? For example, a submission that was rejected by either party ended up being released by the vendor anyway or integrated into their product.

- Any general comments on these sorts of programs that are strong towards one way or the other?

Thanks,

Steven securityzone.org
Re: [Full-disclosure] DNS mining ?
There are numerous tools out there that will take IP addresses and report back [all] the domains on them. The best one I came across some time ago was the Reverse IP search from www.domaintools.com. Unfortunately to get the entire list you have to pay now -- I think. You used to just be able to register for a free account that would let you do 5 searches a day and show you all the domains. So if one IP had 3000 domains on it, it would let you go through all of them, and that was one search. Now you can just see a small selection.

There are also similar tools on the Internet. Someone posted a while back on Full Disclosure and Security Focus about how to find all the domains on a particular IP. There were a few websites that people listed. Usually when used in conjunction with one another they would accurately list most of the domains on an IP. However, after using those and then finding this site, I found this tool to always be equal to or better than using the combination of others.

So just take Google IP addresses, such as the IP your rfsee.net is on (72.14.207.99), and put it in their Reverse IP lookup. http://www.domaintools.com/reverse-ip/

I forgot the other websites. I suppose they would be better now that this search is limited.

Steven

Hello,

I have a domain name which has its primary A record pointing at Google. This domain hasn't been published anywhere and is very low traffic; surprisingly this guy has it listed as one of the entries pointing to Google: http://72.14.205.104/search?q=cache:Vp6UWUf7NmMJ:mousecave.com/google/+rfsee.net

His list is correct; question is how could he possibly compose it? Scanning the whole [[:alnum:]]{1,30} DNS range is impractical. I find it hard to believe he is sniffing some major backbone router for traffic, and having access to a root DNS won't help him much (IMHO). How could he then have done it? The only option I can think of is that he is working @google or has backdoor access to Google's indexing service which allows him to query for info such as with what header the HTTP request came to the server. I find this highly intriguing. Ideas are welcome.

-- Cheers, Maxim Veksler Free as in Freedom - Do u GNU ?
Re: [Full-disclosure] WEEPING FOR WEP
I do not use WEP at home. I use WPA2 on my home network. I agree with the majority of what you both have said. However, if you solely relied on the risk level as the reason for not upgrading to a more secure mechanism, I would say you are doing yourself a disservice.

Now since I often rely on NIST for guidance, I will reference NIST SP 800-30. Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. Now we might not all agree with NIST or follow what they write, but they are smart people doing a good job from my point of view.

However, I would have to say for almost all home users and even most business environments the impact of a successful attack would also be rated as low. These conversations have been focusing on likelihood of an attack. Well, likelihood can fluctuate all of the time. It will probably be low, but it can change depending on your environment from a day-to-day basis. So let's just say for the purposes of the discussion that there was a very high likelihood someone is going to attack your home WEP network and they are also capable of doing so. Now what is the impact? I doubt the real potential impact would be crucial enough to ruin or end your life. If you go to shopping and banking sites that use TLS/SSL and you check your certs you probably won't have your credit card information or identity stolen. For them to actually break into your machine once on the network there would have to be more vulnerabilities resulting in the compromise of your machine. Maybe the person launches attacks and does bad stuff from your IP address and you might at worst get paid a visit (worst case scenario). When you look at the impact that would probably be caused, you have a low impact. Couple that with a low, medium, or high likelihood and you still have LOW risk. By these definitions WEP is good enough in most situations. Heck, by these definitions an open network might even be low risk in many cases.

There is no question that there is a vulnerability with WEP that can be exploited. The question is whether or not someone will actually take the time to exploit this vulnerability and what will happen as a result? What I am getting at is that the cost of using WPA2 in many instances is negligible if there is a cost at all. How many people are using a Linksys WRT54G and a laptop that is less than 3 years old? Chances are all of these users can support WPA at minimum. I've had to run a separate network for WEP users so I am not oblivious to the fact that not everyone supports it. However, there are PCMCIA/PCI/USB wireless cards that can be added at a low cost *if* WPA(2) is not already supported. It seems all [most] new hardware supports WPA(2). The cost is very low and it's readily available and accepted. Why NOT use WPA(2) if you can?

Do you use the Caesar Cipher to encrypt your data or AES-256? If you just go by risk, you could just use the Caesar Cipher half of the time. The likelihood someone will get your encrypted data is low, right? You cannot base all your decisions around risk of likelihood. Especially when there are easy, low cost, and efficient alternatives. Also, as a side note, WPA(2) Personal mode with a strong passphrase is a lot easier to remember than a WEP key...unless you have one of the utilities that generates the key for you. Even then you have diminishing returns.

Steven

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1

I use WEP at home, even though my house is far enough from the road to make it rather difficult for someone to jump on my network. Even if someone decided to hide in the woods at the edge of my yard with a laptop they're more likely to be eaten by a bear, sprayed by a skunk, or chewed alive by mosquitoes than collecting enough packets to crack the WEP key, so WPA or LEAP would be overkill. Like you said, measurement of risk.

[EMAIL PROTECTED] wrote: seconds. Knowing that WEP is no more secure than a plastic luggage lock, many people are questioning whether WEP is even useful at all. While I certainly do not recommend WEP for high security (or even moderate risk) environments, you need to remember: security is a measurement of risk. If the threat is low enough, then WEP should be fine. WEP actually has three things going in its favor:

* Availability: While there are many alternatives to WEP, such as WPA and LEAP, only WEP is widely available. Hotels and coffee shops that only cater to WPA or LEAP will not support many of their customers. However, if you support WEP then everyone should be able to access the network.

* Better than nothing: There's a saying in Colorado: I don't have to run faster than the bear, I just have to run faster than you. If a casual war driver or WiFi-parasite has the option to use your WEP system or your neighbor's open system, they will always choose your