Re: [Full-disclosure] EE BrightBox router hacked - bares all if you ask nicely
On Thu, 16 Jan 2014 11:30:18 +, Dan Ballance said:
> So your point is that there should be legislation to require companies to adhere to certain security standards? I'd support that - particularly in an ISP market which is clearly defined by national boundaries and law.

OK.. What standard do you want to hoist as a legal mandate? Bonus points for finding a standard that provides enough *actual* security that it is worth doing, but yet won't bankrupt the industry.

Consider that of all the credit-card breaches we've seen so far this century, something outrageous like 97% of the victim companies had current audits that listed them as being 100% PCI compliant at the time of the incident. So how do you do it so it actually adds security, rather than just being a huge government-mandate money transfer to the auditing/certification groups involved?

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] EE BrightBox router hacked - bares all if you ask nicely
On Thu, 16 Jan 2014 14:52:37 +, Dan Ballance said:
> Well users do care about getting hacked when it happens - so maybe they do need to be forced to pay a little more to be secure. This also has benefits for e-commerce and on-line banking, credit card fraud etc

Actually, the entire credit card industry is built around the assumption that there *will* be 4-5% fraudulent transactions, and it's not cost-effective to try to reduce fraud any further (though it *is* usually worth it if there's a new spike of a fraud variant that is fairly easily dealt with)...
Re: [Full-disclosure] Vulnerabilities hiddenly fixed in WordPress 3.5 and 3.5.1
On Sun, 22 Dec 2013 23:45:24 +0200, MustLive said:
> not designed to have detailed description of vulnerabilities, just information about non-serious developers who hiddenly fixed multiple vulnerabilities in different versions of their software.

The fact they didn't tell you every single little bugfix they put into a release doesn't necessarily make them non-serious.

I'd also like to point out that often, the developers aren't the people who make the final decision about what to list in the release notes. It's quite possible the developers wanted it included, but somebody else edited it out. I've met lots of serious developers from lots of vendors who end up being muzzled by their legal department.

You know, all those possibilities that serious security researchers take into account before they shoot their mouth off. ;)
Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)
On Sun, 18 Aug 2013 10:04:58 +0200, Jann Horn said:
> On Sat, Aug 17, 2013 at 07:50:34PM -0400, valdis.kletni...@vt.edu wrote:
>> Not all DDoS are pure bandwidth based. Consider SYN flooding, where the packets sent are relatively small and often not even all that frequent, but can tie up large amounts of resources on the target machine. This sort of attack works particularly well against sites that have a big blind spot because they think that all DDoS attacks are massive bandwidth hosedowns.
> So, why would an attacker use a distributed attack for that? Wouldn't one machine with good connectivity be sufficient (assuming that you spoof the source address differently each time)?

(a) Because 75% of the Internet doesn't allow spoofing of source addresses, and (b) Although there's a chance that one machine throwing 3,000 SYN packets a second will show up on somebody's network monitor, you're never going to see 3,000 network monitors pop on 1 SYN packet per second. And oh yeah, (c) sometimes you don't want to spoof the connection but want to actually *make* the connection, in order to send them stuff that will consume even more system resources than just a dangling half-open connection.

>> How many connections/sec does it take to forkbomb your Apache server into uselessness? And if you rate limit your Apache so your system doesn't forkbomb, how many does it take to prevent legitimate traffic from being serviced?
> Right, that would be much harder to block if it was distributed.

Remember - *you* are the guy who thinks that a DDoS is just bandwidth, it's going to take you a while to look in your Apache logs. And then it's going to take you even longer to twig into what's going on, because it all looks like normal traffic until you pay attention to the timestamps. And then you'll find it's *very* hard to block requests that belong to a malicious attack because they look *real similar* to legitimate traffic. Sometimes, they look identical.

You don't believe me - ask anybody whose site has ever folded under the load after they got mentioned on Slashdot. Every single hit looked like a legitimate request - because it *was* a legitimate request coming from an actual live human using a browser. Sure - you can then turn around and put in a filter for references to your homepage to stop the attack. But then you're just cutting off your nose to spite your face, because now your legitimate customers/readers/visitors/whatever can't actually use your site either.

Near as I can tell, they've stopped teaching Evil 101 to the newbies. Doesn't anybody spend any time anymore thinking about "Wow, if I'm going to attack this site, what can I do to maximize the pain per packet?"
Re: [Full-disclosure] XKeyscore sees 'nearly EVERYTHING you do
On Sat, 10 Aug 2013 22:16:15 -0400, Pedro Luis Karrasquillo said:
> NSA picks this up remotely via a very secret SNMP command.

So has anybody ever spotted this SNMP command in a tcpdump? Found the code that handles it in net-snmp? Cisco IOS? JunOS? Nobody's ever caught their supervisor CPU get pegged due to SNMP management? Nobody spotted it a few years ago when everybody and their pet llama was fuzzing SNMP implementations? Not one "Hey, that command didn't get rejected, wonder what it does?"

If it isn't on a device installed on the local net, how does the SNMP packet get through firewalls and/or airgaps to the management network? And more importantly, how does the return traffic get exfiltrated without being noticed?

Occam's Razor suggests it's much more likely to be very similar in form and function to a CALEA box on steroids. Not saying the NSA isn't sucking up data - but I've seen no plausible evidence that it's done via SNMP.
Re: [Full-disclosure] Facebook allows disclosure of friends list.
On Tue, 06 Aug 2013 16:51:39 +0200, Alex said:
> Nice finding, but how do you know the victim's email address?

If you can't figure out how to social-engineer that information, you probably need to be in some other business. ;)
[Full-disclosure] Software that you *really* wish had been more secure...
tl;dr: Everything shipped with the same PIN of ''. Hilarity and lulz ensue.

http://www.androidpolice.com/2013/08/03/android-bluetooth-exploit-for-japanese-toilet-brings-new-meaning-to-the-word-vulnerability/
Re: [Full-disclosure] XKeyscore sees 'nearly EVERYTHING you do online
On Thu, 01 Aug 2013 22:46:55 +0200, XF said:
> So you think this is real? All Tiers 1 would be partner with NSA? Even in Europe? This sounds crazy.

Well, for a long time, the NSA was legally prohibited from spying on US citizens, and the British GCHQ was similarly not allowed to spy on Her Majesty's subjects. So we'd spy on Brits and they'd spy on our people and we'd have a data swap of stuff, and everybody involved could with a clear conscience testify in a court of law under oath that they never installed a network tap to spy on their own people...

Of course, that seems to have eroded over the past decade or so and countries no longer outsource their domestic surveillance...
Re: [Full-disclosure] Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack
On Fri, 26 Jul 2013 07:31:09 +0100, Hurgel Bumpf said:
> Just found this online.. might be of interest
> Direct PDF: http://eprint.iacr.org/2013/448.pdf

From the fine PDF:

> The Flush+Reload attack is a variant of the Prime+Probe attack that relies on sharing pages between the spy and the victim programs. With shared pages, the spy program can ensure that a specific memory line is evicted from the whole cache hierarchy. The spy uses this to monitor access to the memory line.

The fact you need to get gnupg to share the pages in question with you does mean that this isn't, by itself, a knockout blow. Still quite the interesting attack. And attacks always improve. Maybe somebody will find a way to do better...
Re: [Full-disclosure] Top Information Security Consultants to Hire -- WANTED
On Mon, 22 Jul 2013 21:23:08 -0500, Bob iPhone Kim said:
> BUT... turns out that about half of the people we mentioned are NOT looking for new clients.

ironic_trombone.wav

So are you making a list of actual top consultants, or a list of those people who have free time to read F-D precisely because they *aren't* top consultants?
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
On Sat, 13 Jul 2013 13:23:18 +0200, Alex said:
> This one is a classic, but it will fail integrity checks of tripwire/ossec/whatever you use.

What percent of systems actually do this?

On Sat, 13 Jul 2013 14:19:19 +0200, Alex said:
> And trigger automated incident/alarm

Trigger the automated alarm from the tripwire program you just axed? Much more likely is some monitoring system like Big Brother or Zabbix alerting that the system has been rebooted. And again, the vast majority of systems don't have this sort of monitoring.
Re: [Full-disclosure] Abusing Windows 7 Recovery Process
On Sat, 13 Jul 2013 22:13:38 +0300, Moshe Israel said:
> All secured/regulated systems as required by most certifications/standards/best practices.

You're new in the industry, aren't you? :)

The point you're missing is that the vast majority of computers aren't covered by said certifications and standards. And most of the certifications are merely a money grab by the auditors - the last numbers I found, something like 98% of breaches of systems that were covered by PCI were of systems that at the time of the breach were PCI-compliant. In other words, being PCI compliant didn't actually slow the attackers down one bit.

You social engineer your way into the 5th office building you pass, pick a random PC on the 4th floor - I'll bet you that PC is probably *not* running sufficient monitoring to detect an intruder rebooting it and messing with the system.
Re: [Full-disclosure] nginx 1.3.9/1.4.0 x86 brute force remote exploit (CVE-2013-2028)
On Thu, 11 Jul 2013 09:49:50 -0500, Grandma Eubanks said:
> There are already exploits for this vulnerability. This is just taking an entirely different approach for internally accessible systems than what's available, for a reason I can't yet discern.

Get some caffeine, and figure out what happens if this goes zipping across the network, and encounters a security device that has a signature for the well-known exploit.
Re: [Full-disclosure] tor vulnerabilities?
On Wed, 03 Jul 2013 17:34:52 +0300, Georgi Guninski said:
> Or maybe some obscure feature deanonymize in O(1) :)

It's open source. You're allegedly a security expert. Start auditing the code and let us know what you find. :)

(And hey - it would be worth it. The guy who finds an O(1) hole in Tor is going to pick up some serious street cred.)
Re: [Full-disclosure] tor vulnerabilities?
On Wed, 03 Jul 2013 10:54:09 -0500, Michael T said:
> What about keysigning among tor operators? I trust top_op1, and he trusts top_op2, 3, and 4, so I can trust them as well.

Chunk it through - if you make keysigning mandatory, you're probably going to see a drop from the current 4,000 or so relays down to maybe 500 or so. At which point it becomes *easier* for a group to subvert enough servers to deanonymize people. And how do you get a new Tor relay set up if a key signing is mandatory?

There's also a more subtle problem. A PGP-style web-of-trust doesn't say anything about whether you should actually trust the *content* of signed data as far as content goes, only that it's from the signature it claims to be. So if you sign my Tor key, what are you *actually* attesting to? Only the fact that I run a Tor relay or three. You aren't actually saying anything about whether or not I'm part of the cabal trying to take over Tor.

So unless signing a key includes an attestation/verification that the key you're signing isn't for a server that's part of the cabal (and how would you verify that before you sign?), the key signing doesn't actually add any real security.
Re: [Full-disclosure] tor vulnerabilities?
On Fri, 28 Jun 2013 23:37:45 -0400, Neel Rowhoiser said:
> I just stumbled across this and despite its sort of half-assed write up, I think it's possibly an advisory? If I am understanding it correctly, they're saying that you can use a directory authority that hands out invalid/wrong RSA keys for other relays, you can cause decryption to fail and thus introduce path bias to nodes of the directory authorities' choosing by selectively handing out valid RSA keys?

Oh, it's *that* attack again (as far as I can tell). Some French guys did a proof-of-concept a few years ago that you could do this sort of thing if you subverted a sufficient number of nodes.

> But keep reading. If the bit towards the end about guard nodes is correct, it would seem to indicate that they can use the semantics for detecting when a guard is causing too many extend relay cells to fail to cause valid guards to be marked invalid, and their rogue guards to succeed essentially using tor's semantics against them and causing the odds that your ingress point to the tor network is rogue to approach 1.

The problem is that you have to subvert a large number of relays to do it, in a way that doesn't get noticed..

> Why aren't the tor relay keys signed? And what other myriad of documents do

And who would sign said relay keys? They're all essentially self-signed already, so what you're looking for is a PKI. And the whole point of the tor system is that nobody involved trusts a central authority. If you've got a good idea on how to do it, feel free to comment.

> directory authorities serve that also don't have integrity controls? This sort of makes me question the tor project's ability to deliver on any of the promises they make, as it would seem that a person needs like 3 or 4 rogue nodes before they could start de-anonymizing users, and the more of them they introduced the more of the network they could capture?

Actually, it's more like 3 or 4 *hundred* nodes.

As I write this, there are 3,903 relays connected, 1,218 guard nodes, and 2,396 directory mirrors. http://torstatus.blutmagie.de/

Even if you control 400 of those routers, the odds that any connection will only traverse your nodes is only 0.1% or so. If you have 3 or 4, it's literally a one-in-a-billion shot. Assuming a million tor tunnels form a day, you'd catch one circuit every 3 years or so. And no guarantee that the circuit you caught carried anything you would find useful.

I suppose you could bring up 4,000 tor nodes of your own, to increase your odds of end-to-end control on a circuit all the way to 12% or so. However, that's very much a one trick pony, and probably wouldn't work simply because people would notice the sudden growth before you got enough nodes connected to do much damage.

And using rogue directory servers to improve your odds doesn't help either. Currently, there's a whole whopping 5 'bad exit' routers. You can improve your chances by corrupting stuff so half the exits are bad - but again, that will get noticed when a single-digit number hits three digits. And you need to get it up to 4 digits before you have decent odds.

And yes, the Tor designers are totally aware that this vulnerability exists - the problem is that all proposed solutions so far are even worse (for instance, requiring signed relay keys).
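The back-of-the-envelope odds in the reply above, worked through in code. This is an added example, not code from the post or from the Tor project; it uses the post's own uniform-selection model (each of 3 hops is an adversary relay with probability k/N) together with the relay count and daily-circuit assumption the post quotes, and it generalises the post's three scenarios into reusable functions.

```python
"""
Rough end-to-end circuit compromise odds on Tor, worked out from the figures
in the post above.  Added example, not code from the post or from Tor.

Model (the post's own first cut): relays are picked uniformly at random, so
an adversary holding k of N relays owns any one hop with probability k/N and
a whole 3-hop circuit with probability (k/N)**3.  Real Tor path selection is
bandwidth-weighted and position-restricted (guards, exits), so these numbers
are order-of-magnitude sanity checks, which is how the post uses them.
"""

RELAYS_IN_POST = 3903                 # relay count quoted in the post
CIRCUITS_PER_DAY_IN_POST = 1_000_000  # the post's assumed daily circuit count
HOPS = 3                              # standard Tor circuit length


def hop_fraction(controlled, total):
    """Fraction of relays the adversary controls: k/N."""
    if total <= 0 or not 0 <= controlled <= total:
        raise ValueError("need total > 0 and 0 <= controlled <= total")
    return controlled / total


def full_path_probability(controlled, total, hops=HOPS):
    """P(every hop is an adversary relay) under uniform independent selection."""
    return hop_fraction(controlled, total) ** hops


def full_path_probability_with_added_relays(added, existing, hops=HOPS):
    """Same, when the adversary *adds* relays instead of subverting existing
    ones: the network grows to existing + added, and the share is
    added / (existing + added)."""
    return full_path_probability(added, existing + added, hops)


def days_until_first_capture(probability, circuits_per_day):
    """Expected days until one circuit is fully controlled: 1 / (hits per day)."""
    if probability <= 0:
        return float("inf")
    return 1.0 / (probability * circuits_per_day)


def scenario_table(total=RELAYS_IN_POST, circuits_per_day=CIRCUITS_PER_DAY_IN_POST):
    """Reproduce the post's three scenarios.  Expected: ~0.1%, ~1e-9 (one
    capture in roughly 2.5-3 years), and ~13% for 4,000 added relays."""
    scenarios = (
        ("subvert 400 existing relays", full_path_probability(400, total)),
        ("subvert 4 existing relays", full_path_probability(4, total)),
        ("add 4,000 own relays", full_path_probability_with_added_relays(4000, total)),
    )
    return [
        {
            "scenario": label,
            "p_full_circuit": p,
            "days_to_first_capture": days_until_first_capture(p, circuits_per_day),
        }
        for label, p in scenarios
    ]


if __name__ == "__main__":
    for row in scenario_table():
        print(f"{row['scenario']:<30} P={row['p_full_circuit']:.3e}  "
              f"first full capture in ~{row['days_to_first_capture']:.0f} days")
```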
Re: [Full-disclosure] How to lock up a VirtualBox host machine with a guest using tracepath over virtio-net network interface
On Fri, 21 Jun 2013 16:33:35 +0200, Thomas Dreibholz said:
> - The host system is a 64-bit Linux (tested with Ubuntu 12.04 LTS and Kubuntu

What does 'uname -r' on the host return? This is almost certainly a bug in either the host network stack or the VirtualBox modules (probably one of the vboxnet ones).

Also, if you can manage to capture the output of 'sysrq-T' or 'echo t > /proc/sysrq-trigger' (unfortunately, netconsole will probably *not* be an option here), so we can see where the various kernel threads are locked up.

Do you have the stack traceback that should have come out with the BUG message?
Re: [Full-disclosure] Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)
On Thu, 20 Jun 2013 06:56:16 -0500, Mark Felder said:
> But does your exploit compile with clang?

I'm gonna have to call Poe's Law on this one. I can't tell if you're trolling or merely confused. :)
Re: [Full-disclosure] Microsoft Outlook Vulnerability: S/MIME Loss of Integrity
On Sun, 16 Jun 2013 00:51:10 +0930, Defence in Depth said:
> Microsoft Outlook (all versions) suffers from an S/MIME loss of integrity issue. Outlook does not warn against a digitally signed MIME message whose X509 EmailAddress attribute does not match the mail's From address.

Congrats on the technical side, for spotting this.

On the flip side, there are a number of cases where the signer address legitimately does not match the From: address. For instance - if the signer is listed in Sender: instead of From:, if it has passed through a mailing list that rewrites the From: line, or some combinations of resends and forwards. And yes, a lot of this sort of crap is only semi-legit because it's coming from misconfigured servers - but operational reality dictates that you have to deal with the fact that there's a *lot* of (And we'll overlook the additional fun and games available due to the distinction between an RFC821 MAIL FROM: and an RFC822 From: line). I suppose it could be worse - it's been a few years since I last saw a %-hacked address in an e-mail.

A few operational notes regarding alerts in user-facing software:

1) A lot of browsers used to display broken padlocks when SSL failed. They don't do this anymore because users *will not* look at that sort of subtle warning.

2) They'll look at a big pop-up that obstructs their view - but only if it happens so rarely that they have to call somebody and ask "wtf is this?". If it becomes an "oh it does this once every week or two" click-through, it's now become worse than useless.

As you noted, most browsers will notify the user if the browser detects a CN mismatch. What you gloss over is that browsers *totally suck* at presenting that warning in a way that is both understandable and actionable to a general user. Just yesterday I had Firefox alert on an SSL certificate mismatch, and it gave me the helpful info that the certificate presented was only valid for *.akamai.net.

Now, *I* know exactly what happened there, and *you* know, and the guy who pushed some content to Akamai without looking to see if there were https: links pointing at the content will go "D'Oh!" when he finds out - but if you're Joe Sixpack and don't know if Akamai is a box in your ISP's server room or a box in a server room in the Ukraine, you got nothing. And if you get enough of these totally annoying pop ups, you'll just learn to click through without thinking.

Bottom line: yes, it would be nice if all this sort of stuff was more widely deployed and enforced. But given that we've tried this with dismal results with Windows UAC alerts, firewall alerts, browser alerts, and A/V alerts, there's no real reason to expect that *this* time we'll actually get it right for MUA alerts.

Bonus points for the most creative suggestion for how to leverage a *fake* From:/signature mismatch alert into a compromise (a la fake AV alerts that get you to download actual malware).

Really - Outlook may do this wrong, but I don't think we as an industry have a frikking clue how to actually do this right.
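To make the legitimate-mismatch cases in the reply above concrete, here is an added example (not Outlook's logic, not code from the post) of a signer-vs-originator check that distinguishes an exact From: match from the Sender:-on-behalf-of, resend and list-rewrite cases before deciding how loudly to alert. It assumes the signer's e-mail identities have already been read out of the certificate (rfc822Name / emailAddress) and are passed in as strings; the sample messages are constructed.

```python
"""
Signer-vs-originator check for an S/MIME signed message, illustrating the
legitimate mismatch cases the post lists (Sender: on behalf of From:,
mailing-list rewriting of From:, resends).  Added example; not Outlook's or
any MUA's actual logic.  Certificate parsing is out of scope: the signer's
e-mail identities arrive as strings, as if already taken from the
certificate's rfc822Name / emailAddress fields.  All messages are constructed.
"""
from email import message_from_string
from email.utils import getaddresses

# Originator headers checked in order; the first one naming the signer decides.
# Reply-To is only consulted when list headers show that From: was rewritten.
ORIGINATOR_HEADERS = (
    ("From", "match"),
    ("Sender", "sender"),        # assistant/agent sending on behalf of From:
    ("Resent-From", "resent"),   # RFC 5322 resend / forward
    ("Resent-Sender", "resent"),
    ("Reply-To", "list-rewrite"),
)
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe")

# Verdict -> how loudly to tell the user.  Only an exact From: match is "ok":
# the legitimate-mismatch cases stay visible as "info" (show who really
# signed), so a forged Sender: or List-Id cannot silently upgrade a
# third-party signature to a clean result.
SEVERITY = {
    "match": "ok",
    "sender": "info",
    "resent": "info",
    "list-rewrite": "info",
    "mismatch": "warn",
}


def addresses_in(msg, header):
    """Lower-cased addr-specs from every instance of `header`."""
    values = [str(v) for v in msg.get_all(header, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def classify_signer(raw_message, signer_emails):
    """Return (verdict, severity) for a message and the signer's identities."""
    msg = message_from_string(raw_message)
    signers = {s.lower() for s in signer_emails}
    looks_like_list_mail = any(msg.get(h) for h in LIST_HEADERS)
    for header, verdict in ORIGINATOR_HEADERS:
        if verdict == "list-rewrite" and not looks_like_list_mail:
            continue
        if signers & addresses_in(msg, header):
            return verdict, SEVERITY[verdict]
    return "mismatch", SEVERITY["mismatch"]


# --- constructed sample messages ------------------------------------------
DIRECT = """From: Alice <alice@example.org>
To: bob@example.net
Subject: direct

body
"""
ON_BEHALF = """From: HR Director <hr-director@example.org>
Sender: HR Assistant <hr-assistant@example.org>
To: staff@example.org
Subject: insurance enrolment window

body
"""
LIST_REWRITTEN = """From: Bob via discuss <discuss@lists.example>
Reply-To: Bob <bob@example.net>
List-Id: <discuss.lists.example>
To: discuss@lists.example
Subject: rewritten by the list

body
"""
FORGED = """From: CEO <ceo@example.org>
To: finance@example.org
Subject: urgent wire

body
"""

if __name__ == "__main__":
    print(classify_signer(DIRECT, ["alice@example.org"]))            # ('match', 'ok')
    print(classify_signer(ON_BEHALF, ["hr-assistant@example.org"]))  # ('sender', 'info')
    print(classify_signer(LIST_REWRITTEN, ["bob@example.net"]))      # ('list-rewrite', 'info')
    print(classify_signer(FORGED, ["someone@example.com"]))          # ('mismatch', 'warn')
```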
Re: [Full-disclosure] Microsoft Outlook Vulnerability: S/MIME Loss of Integrity
On Mon, 17 Jun 2013 15:51:56 +0200, ACROS Security Lists said:
> Good points, Valdis, but I think we know how to do this right: an invalid/untrusted/unmatching certificate is not a cause for user-waivable warning but for a fatal "you-shall-not-pass" error. By allowing users to even go past the warning we're nurturing the automation of okaying such warning as well as (I've seen this too many times) the development of HTTPS web sites with untrusted certs that ask their users to download and install a root CA cert to remove the warning - and do so over HTTP.

No, that's how to do it *hardline*. There are many in the security industry that will explain to you that it's also doing it *wrong*.

Hint - the first time that HR sends out a posting about a 3-day window next week to change your insurance plan without penalty, signs it with something that doesn't match the From:, and the help desk is deluged by phone calls from employees who can't read the mail, the guy who put "You shall not pass" in place will be starting a job hunt.

For even more fun, think about the failure modes when an insurance company blows it while sending to Joe Sixpack's GMail account. Whose help desk gets called, and how do they resolve it? Probably the ISP, and the user gets told "You could just turn off that checking". And that's what will happen to your proposal. Security measures that get in the way of actual work *will* get turned off.

Case in point: Google for threads discussing problems with SELinux. 98% of them end with "I couldn't figure out how to make it work, so I just turned it off." (And the fact that SELinux is hard to

Unless you plan to actually train the users how to fix the problem *correctly*. Which I'd love to see, actually, since it would be a first in the security industry :)
Re: [Full-disclosure] Why PRISM kills the cloud | Computerworld Blogs
On Tue, 11 Jun 2013 19:10:53 -0400, Justin Ferguson said:
> A Canadian and what appears to be a British subject discussing the not so finer points of American legislation. I'm sure at some point the irony will become apparent.

To be fair - they appear to know more about the US Constitution than most Americans.
Re: [Full-disclosure] OT bait on freelancer.com about md5 preimage
On Fri, 10 May 2013 17:31:57 +0300, Georgi Guninski said:
> "I need a preimage for a specific MD5 hash (will be revealed in private message)."
> Although there are easy attacks to collide two texts to the same MD5 hash, the actual hash generated is not controllable. As far as I know, there's no known easy way to pre-image a text to a pre-specified hash. Would be interesting to see who bids on that project for a few thousand $$.

I know if I knew how to do that, I'd be busy making a bit more than a few thousand doing it. :)
Re: [Full-disclosure] 0day Vulnerability in VLC (this is my first release of the vuln anywhere)
On Tue, 23 Apr 2013 17:51:55 +0300, Georgi Guninski said:
> Completely disagree. IMHO nobody should bother negotiating with terrorist vendors. Q: What responsibility vendors have? A: Zero. Check their disclaimers.

And disclaimer or no disclaimer, there's a lot of vendors who want to Do The Right Thing and fix their stuff to protect their users (if for no other reason than the possibility of lost customers if they ignore security issues too often).

If you're a black hat, do whatever the heck you want. If you're a white hat, be responsible and at least try to engage the vendor. If you're worried about being stiffed for the credit for the find, write the advisory and post the MD5 hash somewhere before contacting the vendor. If they respond and work on the problem, the process works. If they blow you off, go blackhat and do whatever the heck you want. :)

Now wasn't that easy? :)
Re: [Full-disclosure] 0day Vulnerability in VLC (this is my first release of the vuln anywhere)
On Tue, 23 Apr 2013 09:22:36 -0700, Tavis Ormandy said:
> Easy and nonsense, I really hope you don't think this is about credit.

I mention the credit issue only because some people *have* gotten peeved when they contact a vendor and the vendor issues an advisory that doesn't give them a shout-out. So for at least *some* researchers, the lack of vendor notification *is* about the credits.
Re: [Full-disclosure] 0day Vulnerability in VLC (this is my first release of the vuln anywhere)
On Tue, 23 Apr 2013 12:54:42 -0400, Gary Baribault said:
> I hope we are all here for our users and customers.

The problem is that what my users and customers want is different from what other researchers' users and customers want.
Re: [Full-disclosure] VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555)
On Sat, 20 Apr 2013 20:02:12 -0400, Bryan said:
> The only point that I was trying to make is that there needs to be more of an investment in the security facet of software development, and that if a company is not willing to invest the resources to create a secure product, not to whine when they get hacked.

Are they allowed to whine if they invest the resources, and still get hacked?
Re: [Full-disclosure] [ MDVSA-2013:147 ] libarchive
On Fri, 19 Apr 2013 12:30:12 -0400, l3thal said:
> looks like you are still at it heh...

procmail is your friend.
Re: [Full-disclosure] Port scanning /0 using insecure embedded devices
On Tue, 19 Mar 2013 17:25:18 -0400, Jeffrey Walton said:
>> Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials.
> Forgive my ignorance, but what does the authentication problem (or lack thereof) have to do with linux/uclibc/busybox? It seems to be a manufacturer problem (for example, Actiontec) or an integrator problem (such as Verizon or Comcast), unless I am missing something.

For the integrator, it's a warning flag: 53 companies have made this same identical mistake, don't be the 54th. For the black hats, it's low-hanging fruit.
Re: [Full-disclosure] how do I know the fbi is followin
On Mon, 04 Mar 2013 10:04:09 -0500, Jason Storm said:
> Stay frosty everyone, looks like they got an FBI sniper out there somewh

I see what you did t
Re: [Full-disclosure] list patch
On Sat, 02 Mar 2013 18:17:46 +0200, Georgi Guninski said:
> indeed the list headers changed. "lightly moderated" sounds like "likely pregnant" to me. i suggest we move somewhere else. seriously.

You do realize that what you're *actually* seeing here is the list headers being changed to match the way things have actually been for over 3 years now? And apparently you've been OK with it for 3 years until somebody pointed it out?

(Though I suppose we *could* all move to someplace else where a certain troll is still allowed to post. Let me know how that turns out. :)
Re: [Full-disclosure] user data collection
On Tue, 26 Feb 2013 13:28:26 +0100, taxakis said:
> I have a simple question to this list: Do we have somewhere specified in detail who (Facebook, Apple, etc.) collects what exact (data) on users? I do NOT mean 'in general terms' or whatever blurb these companies put on/in their web pages, privacy policies, terms and conditions; but the factual fields they collect (per company/field).

There's probably not an up-to-date accurate list, for several reasons:

1) It's a moving target - companies change what they collect.
2) Especially for large companies like Facebook or Google, the data collected by different business units may be different - that's part of why Google's privacy policy was so hairy for a while.
3) Some information may be gathered indirectly - for instance, geolocation information, your ISP/employer (as intuited from IP-ASN translations), and data collected by third parties (run NoScript sometime, and look at how many sites load Javascript from tons of other sites).
4) Similar to 3 - third-party cookies and other tracking. Get the Collusion plugin for Firefox, and be prepared to be amazed.
5) Keep in mind that many of these companies (and basically 100% of those who provide any free service) consider the data to be valuable business assets that they intend to monetize and not share - when your business model depends on being able to correlate the type of music you download with how often you visit Wikipedia, you're going to try *really* hard to avoid letting anybody find out that you're tracking music downloads and Wiki hits.
Re: [Full-disclosure] #warning -- DICE.COM insecure passwords
On Mon, 11 Feb 2013 04:30:29 -0800, warn...@type-error.net said:
> job / recruiter website dice.com use ancient crypt() hash function. passwords limited to seven characters. cracking user passwords quite simple. be very afraid of future hash / cracked password dump. maybe dice.com should improve their security to avoid public shaming?

That's assuming that they didn't do the risk analysis and decide that the effort required to fix the problem (which will probably require, among other things, having every single user change their password) is worth the effort. Given that so many places have gotten hacked and pwned that the user community response is usually "Meh. Another one", they may rightfully have concluded that risking public shaming is in fact a good business decision...
Re: [Full-disclosure] ifIndex overflow (Linux Kernel - net/core/dev.c) [maybe offtopic]
On Thu, 07 Feb 2013 20:28:31 +0100, Daniel Preussker said:
> I was looking into the net/core/dev.c from the current Kernel (previous also have this) and found out that ifIndex gets incremented by an endless loop. After creating 4 billion pseudo-eth devices I finally got it to overflow and endless loop, had to kill the kernel - fun right?

I wonder what /proc/slabinfo and related memory statistics looked like after 3.9 billion devices created. You'll need a fairly beefy box to roll that counter without OOM'ing the kernel first.
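A user-space model of the increment-and-wrap index search this thread talks about, added here as an illustration; it is hypothetical code, not net/core/dev.c itself. The index space is shrunk to 16 bits so exhaustion can be reached instantly rather than after billions of device creations, the loop shaped like the one described takes a diagnostic step budget purely so that its spinning can be observed, and a bounded variant shows the exhausted case being reported instead of looped on.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model (not kernel code). Indices are 1..IDX_MAX; 0 is
 * never a valid interface index, so the search restarts at 1 after the
 * top of the range, which is the "overflow" the thread describes. */
#define IDX_MAX INT16_MAX  /* 32767 usable indices instead of ~2^31 */

struct netns_model {
    int last;                                   /* last index handed out */
    unsigned char used[(IDX_MAX + 1) / 8 + 1];  /* bitmap of live indices */
};

static void netns_init(struct netns_model *net) { memset(net, 0, sizeof *net); }

static bool idx_in_use(const struct netns_model *net, int idx) {
    return (net->used[idx / 8] >> (idx % 8)) & 1u;
}

static void idx_mark_used(struct netns_model *net, int idx) {
    net->used[idx / 8] |= (unsigned char)(1u << (idx % 8));
}

/* One step of "increment, and wrap to 1 when the counter would overflow". */
static int idx_next(int idx) { return (idx >= IDX_MAX) ? 1 : idx + 1; }

/* Loop shaped like the one the thread describes: its only exit is finding
 * a free index, so with every index taken it spins forever. The step
 * budget exists only so this model can demonstrate that; it returns 0
 * when the budget runs out, something the real loop cannot do. */
static int new_index_unbounded(struct netns_model *net, long budget, long *steps) {
    int idx = net->last;
    *steps = 0;
    for (;;) {
        if (*steps >= budget)
            return 0;                   /* diagnostic exit only */
        (*steps)++;
        idx = idx_next(idx);
        if (!idx_in_use(net, idx)) {
            net->last = idx;
            idx_mark_used(net, idx);
            return idx;
        }
    }
}

/* Corrected shape: visit each index at most once, then fail cleanly. */
static int new_index_bounded(struct netns_model *net) {
    int idx = net->last;
    for (int tries = 0; tries < IDX_MAX; tries++) {
        idx = idx_next(idx);
        if (!idx_in_use(net, idx)) {
            net->last = idx;
            idx_mark_used(net, idx);
            return idx;
        }
    }
    return -1;  /* index space exhausted; the kernel equivalent would be an error code */
}

/* Mark every usable index live so both allocators face exhaustion. */
static void netns_fill(struct netns_model *net) {
    for (int i = 1; i <= IDX_MAX; i++)
        idx_mark_used(net, i);
    net->last = IDX_MAX;
}

int main(void) {
    struct netns_model net;
    long steps;

    netns_init(&net);
    int first = new_index_bounded(&net);
    int second = new_index_bounded(&net);
    printf("fresh namespace hands out: %d, %d\n", first, second);

    netns_init(&net);
    net.last = IDX_MAX;                 /* counter sits at the top of the range */
    printf("next index after the top of the range wraps to: %d\n", new_index_bounded(&net));

    netns_fill(&net);
    printf("bounded allocator on a full table: %d\n", new_index_bounded(&net));
    int r = new_index_unbounded(&net, 3L * IDX_MAX, &steps);
    printf("unbounded loop returned %d after %ld steps (three full passes, still looping)\n", r, steps);
    return 0;
}
```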
Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000
On Fri, 25 Jan 2013 09:57:51 +, Dan Ballance said:
> I don't personally think a degree should or shouldn't be awarded because a student has or has not met some kind of arbitrary moral standard. It should assess their abilities in computer science, not that their ethics meet with what the dominant powers in society currently deem to be acceptable behaviour. In the future some of these people may be remembered as freedom fighters - and our whole conception of what was ethical action at that time may shift.

Doesn't matter if he ends up a corporate knob or a freedom fighter. If he says "I promise to XYZ" you want him to be trustworthy on said promise. You might want to ask the guys in Anonymous who got ratted out by one of their own how they feel about the word "trustworthy" regarding the rat who said "I promise not to rat you out".
Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000
On Thu, 24 Jan 2013 10:16:29 -0500, Benjamin Kreuter said:
> There is also the matter of the school itself. They were presented with a student who had found a vulnerability, reported it, and then checked to see if there were still problems. Does expulsion really sound like a reasonable punishment to you? Does any punishment seem in order, given that the student made no attempt to maliciously exploit his discoveries? It seems to me that a much better approach would have been to offer the student a chance to present the vulnerability in a computer security class. The school's mission is, theoretically, to teach its students -- why, then, would they remove from the student body someone who could do just that?

I've seen reference to a few more details on this - namely:

1) The kid, as part of his major, signed an ethics document.
2) He was either told or agreed to not run the scanner again.
3) He did so anyhow.

and that he didn't get kicked out because he ran the scanner, but because he did so *in violation of the ethics standard*. I'll probably have to go back and find references for all that - but even without that, it's something to think about. If somebody agrees not to do something, and then does it anyhow, is he *trustworthy* enough for a degree in that field?
Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000
On Thu, 24 Jan 2013 19:59:53 +0100, Stefan Weimar said:
>> 1) The kid, as part of his major, signed an ethics document.
> A better solution would have been to not do the steps 1 and 2 but make an NDA ("Ok, we know and you know but that's enough by now.") instead. I mean, some kind of responsible disclosure. By proposing this ethics document it was the college being unprofessional and not the kid.

I think you misunderstand - the ethics document was signed *when he applied as a student*. If you think that's unprofessional, you might want to consider that doctors, lawyers, and other professions have ethics standards as well. As does anybody who has a CISSP: https://www.isc2.org/ethics/default.aspx

I'd say anybody who persisted in doing something after they promised not to would be running afoul of the "necessary public trust and confidence" clause of the CISSP code of ethics?
Re: [Full-disclosure] White Paper: Detecting System Intrusions
On Wed, 16 Jan 2013 12:39:18 -0500, Almaz said:
> How to detect system intrusions? What are the techniques? Can one character difference in the output be an indicator of compromise?

Paging Cliff Stoll.. Cliff Stoll to the courtesy phone...
Re: [Full-disclosure] how to sell and get a fair price
On Wed, 16 Jan 2013 10:18:36 +0400, grem...@gremlin.ru said:
> On 15-Jan-2013 16:45:30 -0500, valdis.kletni...@vt.edu wrote:
>>> Also, what stops a person to file it under a company name if that's easier? I admit I'm not into this area, so I might be missing something fundamental...
>> If you publish an exploit as BitWizard97, and somebody scarfs it up and starts selling it,
> Starts selling what? Already published exploit? Bwahahaha...

You'd be amazed how many people try that sort of thing. Consider that over on the GPL side of the fence, there's more than enough companies that try to play fast-n-loose with the GPL requirements that www.gpl-violations.org stays in business. (Also, keep in mind that there *are* a large number of exploits that are in limited circulation. Hacker X releases it to 10 or 15 of his friends, and then one of his friends turns around and cashes it in at some corporate, and then said corporate starts selling it as part of their cyber-defense product. At that point, Hacker X wants to get paid (money, fame, credit, whatever)).

>> filing the suit to enjoin them from selling it without your permission under a company name doesn't make it any easier to prove that you, or the company, have any legal standing to represent BitWizard97.
> Digital signatures may help. Actually, you don't need to prove that you are the BitWizard97 - you only need to prove that you can act on his behalf (that means: read encrypted messages and sign the replies with his key).

I believe I mentioned PGP way back at the start of the thread. Also helps if you actually PGP-signed your release. Bonus points for figuring out how to explain digital signatures to a jury, stripping it down to the up-goer-five level needed for the people who can't figure out how to avoid serving on a jury (see http://www.xkcd.com/1133/ for the details on that).

>> It's especially problematic if the local law enforcement authorities want to have a little chat with BitWizard97 regarding some other activities...
> They should want to ask those questions to another person - say, BitBreaker12, who may be suspected in something illegal.

And why should they ask that other person instead? You think if the LEO is interested in a particular person's activities, that person gets a free pass just because they're involved in an unrelated court case? That the cops are just going to say "Wow, he's busy in court today, let's go hassle somebody whose name hasn't even come up in this context"?
Re: [Full-disclosure] how to sell and get a fair price
On Mon, 14 Jan 2013 23:24:30 +0100, Christian Sciberras said:
> Couldn't one talk through a lawyer? Guess in such a case it would be a matter of how much you trust your lawyer.

As I said, it's doable, but *not* a slam dunk, and requires help from both your lawyer and the judge.

> Also, what stops a person to file it under a company name if that's easier? I admit I'm not into this area, so I might be missing something fundamental...

If you publish an exploit as BitWizard97, and somebody scarfs it up and starts selling it, filing the suit to enjoin them from selling it without your permission under a company name doesn't make it any easier to prove that you, or the company, have any legal standing to represent BitWizard97. It's especially problematic if the local law enforcement authorities want to have a little chat with BitWizard97 regarding some other activities...
Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor
On Mon, 14 Jan 2013 11:02:26 -0500, Jeffrey Walton said:
> On Mon, Jan 14, 2013 at 10:34 AM, richa...@fastmail.fm wrote:
>> https://petitions.whitehouse.gov/petition/remove-united-states-district-attorney-carmen-ortiz-office-overreach-case-aaron-swartz/RQNrG1Ck
>> Above link to remove this prosecutor needs to have signatures by February 11.
> It's unfortunate Swartz committed suicide over the incident.

From the fine article: "On his blog, Swartz had written of his history of depression." Given that, and the fact that the article doesn't mention a suicide note stating Aaron's reasons, it's not entirely clear that he in fact committed suicide over the incident. It may have been one factor out of many.
Re: [Full-disclosure] how to sell and get a fair price
On Thu, 10 Jan 2013 12:03:03 -0500, Mikhail A. Utin said:
> After all, a vulnerability and an exploit are intellectual products. Not sure copyright could be claimed, but why not?

Actually, claimed or not, if the exploit was coded in a Berne signatory country, it's almost always automatically copyrighted at creation (most likely to the coder, or to their employer if it was a work-for-hire). In the US, there's an exemption for work product of federal employees - that's one of the few ways for US-produced material to become public domain (expiration of term is the other one, but with ever-increasing copyright terms, it's unclear that anything will ever actually expire in the US). More interesting is the question of how to enforce a copyright claim while remaining anonymous...
Re: [Full-disclosure] how to sell and get a fair price
On Mon, 14 Jan 2013 22:17:12 +0100, Christian Sciberras said:
> Valdis, we've had spam companies suing blacklist/antispam companies before... Surely an anonymous person legitimately and legally enforcing copyright can't be harder?

Yes, but the spam companies at least filed under their own name. Running a lawsuit with a John Doe plaintiff is a little bit harder, and requires finding a cooperative lawyer and judge. The really hard part is proving that you're the rightful owner of the copyright while remaining anonymous (in particular, proving you're the *same* anonymous person who wrote the code). At this point, it helps if you posted the item in question signed with a pseudonymous PGP key that you control, or have other ways to prove that your anonymous is the author's anonymous.
Re: [Full-disclosure] how to steal openssh private key
On Mon, 22 Oct 2012 15:10:54 +0800, nothacking said:
> environment is A is hacker client, B is target and C is Manager center and C have all A and B private key.

How (and more importantly, *why*) would C ever get A's private key in the first place?
Re: [Full-disclosure] Multiple 0-days in Dark Comet RAT
On Fri, 19 Oct 2012 03:22:04 +0330, kaveh ghaemmaghami said:
> I appreciate his analyze coz if somebody gets pwn in my network i don't have to spend time for reversing and analyzing this malware.

No, if you find one of these in your network, it means you have *bigger* problems that you *do* need to spend time on. The exploit is against the C&C (Command and Control) server, *not* the bot end. In other words - if you find this one on your net, it means somebody has been *controlling* a botnet from a host on your net. Just a tad more serious than just finding a botted host.
Re: [Full-disclosure] Multiple 0-days in Dark Comet RAT
On Sat, 13 Oct 2012 14:47:20 -0400, Hertz, Jesse said:
> The cool thing about it is that if you are a net/sys admin, and you notice one of your computers has been compromised, you can pwn the C+C server. these are exploits in the C+C server, not in the installed trojan. that's why it's relevant. you can counterhack and pwn the person who pwned you.

Strongly recommended that you retain competent legal counsel before actually doing so. The legality of counterhacking is *highly* debated in most jurisdictions.
Re: [Full-disclosure] Multiple 0-days in Dark Comet RAT
On Wed, 10 Oct 2012 23:25:50 +0200, Pascal Ernster said:
> I suppose it turns into a 0 day when you post it on this mailing list and happen to be in the mood to put the vendor's marketing division on BCC. -1 day could be when you ask a friend to check your mail to this ML for major grammar errors before you post it.

All this ranting about the meaning of a 0-day - and not one person has mentioned the fact that the vulnerability is in *malware*??!?
Re: [Full-disclosure] Printer in the DMZ
On Mon, 27 Aug 2012 12:45:23 -0400, Igor Igor said:
> Robots.txt not supported in any printer.. too bad, all listed in all major search engine

/me pops off a whois query, looks at the owner of the address space, and is amazed that Igor was only able to find 36 printers there.

> Benji, do they belong to you? You are the only one that I can think of that would put that in a DMZ

Anybody who didn't just fall out of a tree would look at the address space owner and not be at all surprised. Not everybody buys into the corporate-fascist "thou must have a firewall" mindset.
Re: [Full-disclosure] Associate professor from Pakistan National University - spammer
On Thu, 16 Aug 2012 21:29:02 +0900, Tonu Samuel said:
> He is PhD in Software Engineering and does not notice during two years someone posting into his Facebook account?

If it's an abandoned account that he never actually *uses* for anything, it's conceivable. Somebody mentioned to me yesterday that they had gone to get a specific *very* unlikely name on GMail, only to find it was taken. And then 20 minutes later, updated it with "I totally forgot that I had already taken that name and never used it". There are similar disused and abandoned accounts across all the social media and email services.
Re: [Full-disclosure] Intercepting TOR
On Wed, 15 Aug 2012 13:09:38 -0700, full-disclos...@grid32.com said:
> Read an interesting article on intercepting TOR users via proxies. Any ideas on how this could be mitigated?

Well... using TOR the way it was intended would help mitigate a lot of it. TORButton, NoScript, SSL-Everywhere.. all the usual stuff. The TOR people are *very* up front about the fact that it does *not* protect you after it leaves the exit node so you should https: from there if possible.

Also, the suggestion in the paper to hit a page directly and via TOR and comparing the two results is probably a *bad* idea, because it allows fingerprinting. You really need to hit the page both times with the same User-Agent string and all that, in case the page you test acts differently for different values (it sucks to false-positive a mismatch just because the site saw a spoofed IE8 header one time and Firefox the other and sent different HTML for the two cases). And if you hit it twice with the same setup, then it becomes easier to equate the two hits unless you work *real* hard to minimize the amount of leaked info, and hit a *really* high activity site like CNN's homepage. Go check these links out:

https://panopticlick.eff.org/index.php
https://www.eff.org/press/archives/2010/05/13

and then ask yourself if you want to hit anything twice...
Re: [Full-disclosure] Associate professor from Pakistan National University - spammer
On Tue, 14 Aug 2012 14:55:41 +0900, Tonu Samuel said:
> I found that person who is spamming OpenCV list with "Plz visit my e-gaming site at http://.;" is PhD

So... did you establish that the person doing the spamming actually *is* that professor, or merely somebody who managed to phish the professor's credentials and is using their identity to send the spam? (We get 5 or 10 phished users a day, and maybe 1 or 2 actual spammers a year)

As you note yourself:

> Man who writes into computer vision list: "Dear Friends, ..." does not look like scientist with problem solving skills able to work on satellite vision problems.

So it's possible the person has been phished or joe-jobbed.
Re: [Full-disclosure] WTB: CIK and Fortezza card
On Sat, 11 Aug 2012 12:07:34 -0700, Hambone Turkey said:
> sell them anymore. FWIW I am a US citizen...so no, I'm not a spy :P

So said Aldrich Ames, Andrew Daulton Lee, Christopher Boyce, Robert Hanssen, and John Anthony Walker.
Re: [Full-disclosure] Linux - Indicators of compromise
On Thu, 26 Jul 2012 09:07:33 -0400, Григорий Братислава said:
> Really? Shut down is entire racks? Because you will have backup/standby entire 42Us?

If you can't shut down the entire rack, you've screwed up your DR and business continuity planning. This isn't just a problem for large sites - I've seen lots of places claim "We can't take 3 hours of downtime to patch/upgrade/test/whatever because everything is on that one server". And my response has always been "And what were you planning to do if you blew out a power supply or a system board and had a 3-hour outage?". But unfortunately, you're right - most places have screwed up their DR planning and can't shut down. They've also screwed up their network config so it isn't trivial to track down which port a problem attacker is on. (And yes, tracking down a miscreant at level 2/3 *is* trivial if your network is in fact properly designed and managed)
Re: [Full-disclosure] A modest proposal
On Fri, 20 Jul 2012 04:01:39 +0200, Bzzz said:
> In this matter, everybody here knows that threatening these corpos of a full disclosure is the only way to go, because they're like kids that won't grow up and seek the least effort possible max benefit way - in a word, they're irresponsible.

Actually, at least in the US, the corporations are in fact acting *very* responsibly. Legally, their obligation is *not* to their clients and customers, but to their shareholders. In fact, "spend as little money and resources as possible on security without adversely affecting the stock price" is what they're pretty much obligated to do. Now go back and look at how big a hit the TJX, Heartland, and Sony PSN pwnages put on the companies' stock prices.

Currently, damage and losses sustained by clients and customers aren't usually reflected back to the corporation - you can't sue Microsoft because you got pwned through an IE bug (thanks to the EULA you agreed to). So said costs are (to Microsoft) Somebody Else's Problem, or what economists call an externality. And as long as a corporation can treat those costs as externalities, things aren't going to change much. The only reason that any sort of full or responsible disclosure works is that the corporation sees bad PR as something it can't treat as an externality (and if the corp sees itself as bulletproof against bad PR, it has no reason to cooperate with a full or responsible disclosure).
Re: [Full-disclosure] [Anonymous/iWot] Somaleaks !!!
On Wed, 18 Jul 2012 09:16:29 -0400, Abdikarim Roble said:
> As some of us already explained, we are not a terrorist organization. It's just that we are fed-up with the fact that our society is losing time. So we just decided to speed-up actions against terrorists and their friends. We will first try to eradicate the sources of terrorist financing. It is not possible to know at this time the precise scope or the duration of our actions to counter terrorist threats linked to Internet.

Cool story, bro. Too bad you're going after terrorists rather than the *real* threat to our society - those who are destroying our civil liberties and way of life in the name of protecting us from terrorists.
Re: [Full-disclosure] A modest proposal
On Thu, 19 Jul 2012 21:08:47 -0400, Glenn and Mary Everhart said:
> If every copy of a program is laid out differently, and data gets moved around also from copy to copy, the job of the attacker would seem to get much harder.

As is the job of the software development team. It's really easy to write code that uses different combos of opcodes to achieve the same result (heck, just feed the program to hydan and stand back) - but that doesn't help because 'char a[50]; for (i=0;i<50;i++) a[i+1]=a[i];' remains exploitable no matter what set of opcodes you use to implement it. So indeed, you need "different in form but same in function".

This is a lot harder than it looks - download the source for Firefox, or Emacs, or any other large package. Find some random function that's 100-200 lines long. Now re-write it in a totally different form without introducing any bugs. Now do that 3 or 4 more times (after all, only having 2 variants doesn't make things much harder for the attacker). Oh.. then find a bug report against that function, and make the code fix at least once, possibly in every version, depending on whether or not the other 4 versions have the same bug. And then repeat that for a semantic change to the function - it's now passed an added parameter it has to do something with. Implement it correctly in all 5 versions. ;)

Now do this for several dozen or maybe a hundred or so functions - you have to do this to enough functions that for any given copy, there are enough *different* combinations of (say) module size that you can't easily distinguish between sub1_variant4_sub9_variant2, sub4_variant3_sub37_variant6, and a large set of others. Remember that even if there's a few billion variants, you can iterate through them *all* and see which ones total up to the required number in just a few seconds. If you're a good programmer, you can probably even fit all the data needed into just a dozen lines in the L1 cache and *really* chug through the variants.

And they really *do* need to be "same in function" - if it's a function to apply gamma correction to an RGB image, your 5 or 6 variants need to produce bitwise identical results (or the users will file bug reports). And they need to run in roughly the same amount of time, both to prevent timing attacks to determine which variant is in use, and to avoid "every 37th call to gamma_correct() takes far too much CPU time" bug reports. And you *will* get bitten by the difference between the function's documented behavior, and the actual behavior that other functions depend on. Wander over to the linux-kernel mailing list, and look at how often a developer will replace a function with a new implementation - only to have it flame out on one CPU type/speed due to a timing issue, or crashes because locking is done in a subtly different way, or because the new code reveals a hidden assumption in some *other* piece of code, or...

Your software debugging team will hate you as well. Rather than nice easy replicatable bugs when function A calls B which calls C, you'll have one crash when A1 calls B7 calling C2, incorrect output when A1 calls B5 calling B2, a hang anytime A4 calls B1, and a totally unexplained data corruption issue once in every several thousand runs that you may or may not find before your heavy drinking causes cirrhosis of the liver...

tl;dr: We don't know how to efficiently write and maintain non-buggy complex software - if we did, we'd not need defenses against things that exploit bugs. Adding *more* complexity can't possibly improve the situation (do the math - if there's N exploitable bugs per K-line of code, how many additional exploitable holes do you add when you toss in 27K more lines of code to implement multiple versions of 12 functions?)
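An illustration of the point made in that reply, added here as hypothetical code rather than anything posted in the thread: the loop quoted above and a second version of it written in a different form both write one byte past the 50-byte array they were given, while a corrected version does not. Each function's contract is an N-byte array; the caller supplies one extra sentinel byte so that the out-of-contract write can be observed without undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration (not code from the thread). */
#define N 50
#define SENTINEL 0xA5

/* Variant 1: the loop as quoted in the thread. Its last iteration
 * (i == N-1) writes a[N], one past the array it was given. */
static void shift_loop(char *a) {
    for (int i = 0; i < N; i++)
        a[i + 1] = a[i];
}

/* Variant 2: same function in a different form (pointer walk instead of
 * index arithmetic). Different opcodes, identical one-past-the-end write. */
static void shift_ptr(char *a) {
    char *p = a;
    char *end = a + N;
    while (p != end) {
        p[1] = *p;
        p++;
    }
}

/* Corrected: the highest index written is N-1, so the array is never
 * overrun. This is a source-level fix, not a change of opcodes. */
static void shift_fixed(char *a) {
    for (int i = 0; i + 1 < N; i++)
        a[i + 1] = a[i];
}

/* Run one variant on N bytes of constructed input followed by a sentinel
 * byte and report whether the sentinel was clobbered. */
static bool overflows(void (*fn)(char *)) {
    unsigned char buf[N + 1];
    memset(buf, 'x', N);
    buf[N] = SENTINEL;
    fn((char *)buf);
    return buf[N] != SENTINEL;
}

/* The variants are "same in function": on the N bytes they are supposed
 * to produce they agree byte for byte, which is exactly why form-level
 * diversity does not remove the defect. */
static bool same_output(void (*f)(char *), void (*g)(char *)) {
    unsigned char b1[N + 1], b2[N + 1];
    for (int i = 0; i < N; i++)
        b1[i] = b2[i] = (unsigned char)('a' + i % 26);   /* constructed input */
    b1[N] = b2[N] = SENTINEL;
    f((char *)b1);
    g((char *)b2);
    return memcmp(b1, b2, N) == 0;
}

int main(void) {
    printf("loop variant overruns:    %s\n", overflows(shift_loop) ? "yes" : "no");
    printf("pointer variant overruns: %s\n", overflows(shift_ptr) ? "yes" : "no");
    printf("fixed variant overruns:   %s\n", overflows(shift_fixed) ? "yes" : "no");
    printf("loop and pointer variants agree on output: %s\n",
           same_output(shift_loop, shift_ptr) ? "yes" : "no");
    return 0;
}
```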
Re: [Full-disclosure] Linux - Indicators of compromise
On Sat, 14 Jul 2012 12:46:50 -, Ali Varshovi said:
> Most of the materials I've seen are more aligned to malware and rootkit detection which is not the only concern apparently.

It's hard to say what else to check without knowing what other concerns you're checking for, and what data sources are available (I'm thinking about auditd and friends, but there's other data sources as well).
Re: [Full-disclosure] 0x00: MustntLive not he is robot.
On Fri, 13 Jul 2012 07:35:13 -0500, Fatherlaptop said:
> No...more like Yoda.

https://plus.google.com/photos/104234302931579992973/albums/5756965881020743937/5756965879525909730
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)
On Thu, 12 Jul 2012 11:00:36 -0400, Григорий Братислава said:
> I just checked your machine for you. You are is safe. Stay thirsty my friend

+1
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)
On Thu, 12 Jul 2012 18:47:53 +0200, phocean said:
> - Volatility: anything has to sit somehow in the memory, so there is no way for it to escape from the analysis.

There are a number of attacks using the MTRR and IOMMU to cause the CPU to have a different view of memory. It is indeed possible for something to be sitting in memory but not be visible to *you* (while still being visible to something that didn't expect it to be visible, and thus delivering an exploit).
Re: [Full-disclosure] has Thor big ego, has Thor long boring messages
On Tue, 10 Jul 2012 23:38:49 -0700, NETT Dave said:

> Please has us let peace: has you shut up.

procmail is your friend.
Re: [Full-disclosure] suspicion of rootkit
On Wed, 11 Jul 2012 22:42:42 +0200, phocean said:

> I have a lab virtual machine that behaves as if it was owned by a rootkit: weird behavior with system certificates and keyboard driver.

Out of curiosity, why are you guessing it's a rootkit, rather than just another case of Windows being messed up and needing fixing? What release of Windows? When did it start misbehaving? Was that anytime near Patch Tuesday?
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 11: ] How much time is appropriate for fixing
On Tue, 10 Jul 2012 15:16:39 -0400, Григорий Братислава said:

> I reply to you is back on-list. Information is for meant to be free. And so you know, is no, your English is improper:

The longer this thread goes on, the more I become convinced that one of these guys actually lives in Nebraska and the other in Arizona. ;)
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
On Sun, 08 Jul 2012 14:07:52 +0200, Stefan Kanthak said:

> The industry will (typically) not fix any error if the cost for fixing exceeds the loss (or revenue) that this fix creates, including the vendors gain/loss of reputation, gain/loss of stock value, loss of money in court cases or due to compensations, loss of (future) sales due to (dis-)satisfied customers, ...

Court cases? *Really*? When was the last time you saw a court case about defective COTS software? You see the occasional squabble regarding bespoke one-off developments, but your average shrink-wrapped EULA does a pretty good job of absolving the vendor from all blame, no matter how egregious the error. Oftentimes, they even manage to waive responsibility for the common-law concepts of merchantability or fitness for intended use.

> Joe Average can't tell the difference between a program which is designed, developed, built and maintained according to the state of the art, and some piece of crap that is not.

That's OK. Those of us who do this for a living are *also* often hard-pressed to find any notable difference between state of the art and piece of crap, as they're about as close as the two levels of a hyperfine transition of a cesium atom.
Re: [Full-disclosure] WordPress Authenticated File Upload Authorisation Bypass
On Thu, 21 Jun 2012 08:02:26 -0700, Gage Bystrom said:

> to me it seems like he's trying to say that someone with administrative access has the ability to have administrative access. It's like saying "Hey guys! I found a local exploit and all it requires is to be a root user!!!" I'm not sure if he's trolling or just stupid.

There are many things that, while technically not vulnerabilities, are still pretty interesting to remember, in case you find a way to trick that admin user into doing it for you. This has been true ever since Unix boxes got pwned by getting the root user to look at your odd core dump - after putting something interesting in .dbxrc in the directory
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Sun, 10 Jun 2012 08:58:31 +0300, Georgi Guninski said:

> What about legal windows backdoors (NSA key)?

It was never confirmed whether the infamous NSAKEY was an actual backdoor, or just a hilariously poorly named variable. In any case, even if it was a backdoor, it's certainly not the same legal status as CALEA, where Federal law said "ISPs Will Provide A Law Enforcement Tap". A lot of universities which had just finished positioning themselves as ISPs in order to qualify for the 17 USC 512 copyright safe harbor provisions, ended up doing a 180 degree turn and said "Not An ISP - Private Network" so they wouldn't have to meet the CALEA requirements. (An amazing number of .edu's ended up 'a private net' for CALEA purposes, but kept things in place for the safe harbor stuff as well. Fortunately, nobody's ever pushed the issue).

If NSAKEY was a backdoor, it was at best a quasi-legal one, and I'm positive that everybody at both Microsoft and the NSA would prefer that their roles in the story never came to light.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Sun, 10 Jun 2012 17:00:19 -0400, Laurelai said:

> I don't listen to either. And sorry to burst your bubble but I did serve 10 years in the army. Except I don't like the government.

The cognitive dissonance is strong in this one. :)
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Sun, 10 Jun 2012 17:06:37 -0400, Laurelai said:

> I am a bit surprised by the direction of this conversation and I have been waiting for someone to say the obvious in regards to protecting yourself from .gov malware, it really is quite simple if you think about it. Stuxnet, duqu, flame, etc.. all only run on windows platforms. If the people you are protecting are concerned about that kind of malware (and they should be) it would be a great time to tell them about GNU/Linux, BSD, etc..

You *do* realize that's basically the same logic as "Macs don't get viruses", only even worse security-wise. If your threat model actually includes "attacked by state actors", then it should include the possibility that the team of state actors includes an OSX jockey and a few Linux geeks.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Mon, 11 Jun 2012 02:17:15 +0200, Christian Sciberras said:

> All this talk about a lot of arguments to syscalls reminded me of `ls` and that's just the beginning..

The real reason GNU ls is 8-bit-clean is so that they can start using ISO-8859-1 option characters. - Christopher Davis (c...@loiosh.kei.com)
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Fri, 08 Jun 2012 21:56:23 -0400, Jason Hellenthal said:

> Shit, I'll give the NSA a shell on any system... if it means achieving a greater goal. Whether it's wrong or not... let the bots decide who is the better player as long as it brings the US into a primary position of power.

The problem with backdoors is they can be abused. What do you do if you give the NSA a shell, the Bad Guys abuse it, and it ends up with the US in a non-primary position of power?

(CALEA taps are *widely* exploited by the bad guys. Why would giving the NSA a shell be any different?)
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks
On Sat, 09 Jun 2012 14:25:00 +0200, Christian Sciberras said:

> Yes, let's just forget Iran would strike any country against its religious views, especially Israel.

I'm personally more worried that US Islamophobia will lead to a first strike than I am that Iran will make a first strike.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Sat, 09 Jun 2012 16:11:55 +0200, phocean said:

> Oh n !!! Sounds scary.
>
> On 9 June 2012 at 14:20, andrew.wallace wrote:
>> You've just libeled yourself.

What's scary is Andrew's lack of understanding of the law. It's pretty hard to libel yourself. In fact, I think Andrew is one of the few people I've seen succeed at it.

>> My lawyers will be identifying you to serve you legal papers.

Andrew, that's an old, worn-out magic word. I'm *still* waiting for your lawyers to serve me papers for Neal Krawetz's 2006 Black Hat presentation, or any of the *other* multitudinous times you've threatened to do so. You *really* need to find new lawyers, as the ones you have are apparently totally incompetent crack-addicted baboons that can't even figure out how to properly serve papers after 6 years of trying.

Every time you say that we should expect legal papers and your lawyers screw up and don't deliver, it makes you look bad and people take you even less seriously. Unless of course you're saying you're doing it and failing to ask your lawyers to do so - in which case your lawyers probably have grounds for a tort against *you* for slander and libel, for making them look incompetent. You're treading on thin ice there, Andrew. Be careful. Getting sued by your own legal team is embarrassing.

(I won't ask how an unemployed 30-something affords "my lawyers" plural)
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Thu, 07 Jun 2012 13:48:33 -0400, Ian Hayes said:

> On Thu, Jun 7, 2012 at 1:40 PM, andrew.wallace <andrew.wall...@rocketmail.com> wrote:
>> On Tue, Jun 5, 2012 at 8:43 PM, valdis.kletni...@vt.edu wrote:
>>> One could equally well read that as "We're fed up and about to pound North Korea even further back into the Stone Age."
>>
>> With Stuxnet, it was lucky nobody was seriously injured. You cannot condone such weapons Valdis, or your hat will start to turn grey, black.
>
> Stuxnet may not have killed anyone, but several Iranian nuclear scientists were assassinated in conjunction with Stuxnet's release.

Please don't feed the troll - the only way he can post to full-disclosure is if somebody quotes him in.

The worst part is that Andrew's reading comprehension is as good as always - I wasn't commenting on Stuxnet, but the move of naval forces to the Pacific. China isn't the only reason we might want a naval task force over there. And I never said I condoned it, merely pointed out alternate interpretations.

The funny thing is that Andrew was going on for a *long* time that there is no such thing as cyber-warfare - when in fact it was going on while he was denying it.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Fri, 08 Jun 2012 12:04:11 -0400, Laurelai said:

> I think the real question we should all think on is what are we going to do about this kind of thing? Because the way I see it, the infosec industry is part of this problem until it finds a way to be a part of the solution, if you all even desire this.

You're actually almost right, except for one minor detail - saying "the infosec industry is part of this problem" as if the infosec industry is one entity with one agenda. We got black hats, we got grey hats, we got white hats, we got people with paisley hats selling us software. Some of us are attackers, some are defenders, some are consultants who give advice to whoever will pay.

If anything, different parts of the infosec industry are part of the problem, but in different ways. And not all of them will desire a solution, nor will you even get a consensus on what "solution" even means - we got people who want no cyber-warfare, but we also got people whose next mortgage payment depends on it continuing.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Wed, 06 Jun 2012 10:41:24 -0400, Laurelai said:

> People seem to think that since the US Gov did it that makes it ok, well I do not think it does. Especially when they throw kids with small botnets in jail for being mad at the system because it's crooked.

You're a little bit confused here. It doesn't matter what people think. It matters what the people with more rifles, mortars, tanks, and ammo than you think. Unless you come up with a way to level the playing field.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Wed, 06 Jun 2012 18:19:21 -0400, Andrew D Kirch said:

> I think you just identified it. buy rifles (I have, there's a Colt M4 Law Enforcement Carbine sitting next to me), but mortars (a bit difficult but not impossible to get) buy tanks (quite easy to get if you know where to look), and buy ammo. DEMAND that federal firearms laws be revised, and specifically repeals of 18 USC 921-922. Yet again I point out your VT.edu e-mail and your refusal to listen to Jefferson's warnings.

What's this *my* refusal to listen? I suspect you know less of my politics than you think you do. ;)

Incidentally, asymmetric warfare does a great job of leveling the field. ;)
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Wed, 06 Jun 2012 23:22:32 -0400, Laurelai said:

> Guys can we focus on the fact that the US Government is en masse accessing computer systems without due process, and trying to prosecute the people who made this known to the public.

After a decade of unindicted torture of prisoners, renditions, spying on our own citizens, and killing of our own citizens, and a long list of other stuff, all without due process, you really think anybody cares about a little illicit hacking without due process?

I'm afraid that ship basically sailed when Pelosi said impeachment was off the table...
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Tue, 05 Jun 2012 15:06:25 -0400, Jack Slade said:

> There's an election year in the US. A president has not been re-elected in the last 40 years when the unemployment rate is above 8%

Nixon got re-elected at 3.6%, Reagan got re-elected at 7.5%, Clinton at 5.4%, and Bush the II got re-elected at 5.5%. Ford failed to get re-elected with an unemployment rate of 7.7%. Carter failed at 9.7%. Bush the First failed at 7.5% (even though Reagan got re-elected at that same rate). And extending back more than 40 years, Johnson didn't get re-elected even though the rate was 3.6% or so.

So we have 4 guys that got re-elected, 4 that didn't, and only Carter ran for re-election in a year that the rate was over 8%. The previous president that ran for re-election with a rate that high was FDR during the Depression. So it looks like "no president has been re-elected when the rate is over 8%" isn't as strong a predictor as you might hope, with only one sample. Though I'll grant it appears to be a lot harder to get re-elected if the rate is over 7% unless you have the charisma of a Ronnie.

(I got the yearly rates from here: http://www.infoplease.com/ipa/A0104719.html - if anybody wants to do the research to find what the monthly rate in October of the elections was, feel free - short term spikes could have pushed it over 8% for Ford and Bush the First even though for the year it was under 8%.)
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Tue, 05 Jun 2012 17:01:49 +0300, Georgi Guninski said:

> http://www.theregister.co.uk/2012/06/01/stuxnet_joint_us_israeli_op/
> US officials confirm Stuxnet was a joint US-Israeli op
> Well, sure ... so why are you telling us, Mr President?

Posturing and positioning, mostly. Before the announcement, foreign states had to base their strategies on "The US *may* have the ability to create a Stuxnet, but it's not certain they have any ability at all". Now, they have to plan based on "They certainly have Stuxnet-level ability, and almost certainly have even more in their bag of tricks that they haven't admitted to".
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Tue, 05 Jun 2012 14:03:58 -0400, Peter Dawson said:

> Please don't feed the troll.
>
> On Tue, Jun 5, 2012 at 1:57 PM, andrew.wallace <andrew.wall...@rocketmail.com> wrote:
>> Interpol should be investigating it and issuing arrest warrants, then individuals taken to The Hague for war crimes.

Interpol is unable to issue arrest warrants, as they are merely an information clearinghouse and coordination center. This is a very common misconception about Interpol. https://en.wikipedia.org/wiki/Interpol#Methodology

In other words, Andrew is going on about stuff he doesn't understand again.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Tue, 05 Jun 2012 16:20:04 -0300, Marcio B. Jr. said:

> really matters, that is, an imminent *real* war against China: http://www.bbc.co.uk/news/world-us-canada-18305750

One could equally well read that as "We're fed up and about to pound North Korea even further back into the Stone Age." Also, a move of 10% of the navy over the next 8 years doesn't translate to "imminent".
Re: [Full-disclosure] Certificacion - Profesional Pentester
On Wed, 23 May 2012 19:26:15 -, Thor (Hammer of God) said:

> I'm looking forward to it! Thank you.

/me makes popcorn. ;)
Re: [Full-disclosure] The story of the Linux kernel 3.x...
On Wed, 16 May 2012 23:49:40 +0200, Adam Zabrocki said:

> so the latest update has this fix but still official ISO has old kernel. Fix was applied in March/April. So again _stock kernels_ have/had so simple mistake ;)

You're assuming it's a *mistake* rather than something intentional. Remember that the distro does *not* know what you run on the kernel, so they need to build one that covers all the bases. So they really need to make a choice. Which is going to result in more nasty phone calls and e-mails: leaving COMPAT_VDSO set (which is probably the 12,934th most security crucial security setting in a distro), or turn it off and *know* this will break certain older binaries?

Remember that if you're a distro with a million users, even if only 0.1% of them still have old binaries, you just borked 1,000 users' machines. Now compare that number to the number that will get hacked if you leave COMPAT_VDSO on (remember that the *only* thing it stops is exploits that hard-code certain addresses)
Re: [Full-disclosure] The story of the Linux kernel 3.x...
On Thu, 17 May 2012 20:56:54 +0200, Adam Zabrocki said:

> Sorry I can not agree with you. Suse 12.1 is very new/fresh distribution so I don't see any point of delivering old binaries with new system. Still there is an open question about 3rd party vendors applications.

Exactly - it's all about the old 3rd party binaries.

> But if you look carefully for our discussion you will realize that other systems do not have problem with that so you are suggesting that only Suse don't have problems with clients?

Each distro has to decide for itself where to draw the line, and apparently Suse 12.1 drew it differently than others. Keep in mind that Suse is targeting itself as an enterprise distro. As such, they have to worry a lot more about shops that run huge ancient creeping-horror software systems that often have binaries that nobody really understands how to rebuild.

My point was just that it's not necessarily a mistake (as you put it) - each distro has to make lots of these sorts of decisions every release cycle. Stay compatible with old stuff, or ship new stuff? Decide to keep a compatibility option around for one more release cycle, and you take heat for having old stuff. Go the other way, and you end up shipping Unity. :)

> Additionally Marcus Meissner from the Suse team wrote interesting sentence about problem with 'old' binaries: "Nobody can actually point to an application that breaks." and openSUSE 12.2 will have it disabled.

I'll bet a large pizza with everything but anchovies that once 12.2 ships, somebody will find an application that breaks. But we'll probably never hear about it, because nobody will want to admit having that creeping horror binary. ;)
Re: [Full-disclosure] [OT] New online service to make XSSs easier
On Mon, 07 May 2012 02:27:33 +0530, karniv0re said:

> And this is anonymous.. How??

Haven't checked, but if you set up the userid/password via Tor, should be pretty anonymous.

> http://www.getmycookie.com/view.m3?hash=insert_hash_here

And you get somebody else's hash value, how?
Re: [Full-disclosure] University of Washington Infected with GetMama 3000 files!
On Sat, 05 May 2012 19:33:52 -, washington_u_getm...@hushmail.com said:

> dearest FD the university of washington server has been feeding

*the* server, or *a* server? precision in writing is often useful - I have literally several thousand servers across the hall here.

> if they can not keep the servers safe from the public then what are they getting paid to do?

So in a bored moment, I took a look at the list, and noticed the following:

1) There's only a very limited number of upper-level pathnames:

/nfs/aesop02/hw22/d23/sauf/hubproject/ (493 files)
/nfs/aesop01/hw11/d04/geog/wordpress/ (605 files)
/nfs/aesop01/hw11/d08/rjsanyal/ (326 files)
/nfs/aesop01/hw11/d29/drobnygp/wordpress/ (658 files)
/nfs/aesop01/hw12/d56/dwsamplr/ (2 files)
/nfs/giovanni11/dw21/d98/uwfarm (1 file)
/nfs/aesop03/hw31/d24/cerid/ (1 file)
/nfs/giovanni13/dw23/d68/uwkc/phpBB3/cache/ (129 files)
/nfs/giovanni13/dw23/d95/rgeorgi/ (2 files)
/nfs/giovanni13/dw23/d15/ckwalsh/post_versions/ (50 files)
/nfs/giovanni13/dw23/d72/ukc/wordpress/ (308 files)
/nfs/aesop01/hw11/d04/geog/wordpress/ (1 file)

2) The pathnames certainly look like they have components that are probably userids or department names - and there's only 12 of them.

3) UW is like 30K students. If out of 30K students, only 12 have gotten hit with this thing, that's an incredibly *good* track record.

So this raises the question - what *exactly* does the UW AUP say? This becomes important, because we need to know that to resolve several questions:

1) If a user uploads infected files, or creates a publicly writable directory that then gets used to upload the files, is it the user's responsibility or UW's to clean up the user's mess?

2) Does UW even have the *right* to take down a user file without lots of due process just because it's infected with something?

At least in the US, an ISP has a safe harbor exemption under 17 USC 512 that the ISP has no liability for copyright-infringing material uploaded by a user as long as they respond to takedown notices. And that's for files whose very existence is *illegal*. I don't think anybody on this list (with the possible exception of n3td3v if he's still lurking) wants the ISP to have the right (or worse, the responsibility) to auto-nuke files that are merely "likely dangerous" - simply because "likely dangerous" is a very slippery slope indeed. And since UW is a university, the whole academic freedom thing means it's usually even tougher to take a user's stuff down without lots of due process.
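The per-owner tally above was done by hand; as an added example (not code from the post or from UW), here is the same scoping step scripted: collapse a raw infected-file list into one row per owner directory, dedupe the repeated entries, and note which web app sits under each. The file names, the KNOWN_WEB_APPS set and the 30K population figure are constructed/assumed.

```python
from collections import defaultdict

# Constructed file list in the same layout the report quotes
# (/nfs/<server>/<hwNN>/<dNN>/<owner>/...); owners and file names are made up.
INFECTED_FILES = [
    "/nfs/aesop01/hw11/d04/geog/wordpress/wp-content/uploads/a.php",
    "/nfs/aesop01/hw11/d04/geog/wordpress/wp-includes/b.php",
    "/nfs/aesop01/hw11/d04/geog/wordpress/wp-content/uploads/a.php",  # repeated entry
    "/nfs/giovanni13/dw23/d68/uwkc/phpBB3/cache/c.php",
    "/nfs/giovanni13/dw23/d68/uwkc/phpBB3/cache/d.php",
    "/nfs/aesop01/hw11/d08/rjsanyal/index.php",
    "/nfs/aesop03/hw31/d24/cerid/e.php",
    "/nfs/aesop03/stray.php",  # too shallow to attribute to an owner
]

KNOWN_WEB_APPS = {"wordpress", "phpBB3"}  # assumed: apps worth flagging in the summary
OWNER_DEPTH = 5  # /nfs/server/hw/d/owner -> five path components identify the owner


def scope_by_owner(paths, owner_depth=OWNER_DEPTH):
    """Collapse an infected-file list into per-owner counts plus the web app involved.

    Returns a list of (owner_prefix, unique_file_count, sorted app names), most
    affected owner first; paths too short to carry an owner land under 'UNSCOPED'.
    """
    files = defaultdict(set)
    apps = defaultdict(set)
    for p in set(paths):  # dedupe first: the quoted list repeats one prefix
        parts = p.strip("/").split("/")
        if len(parts) <= owner_depth:
            files["UNSCOPED"].add(p)
            continue
        owner = "/" + "/".join(parts[:owner_depth]) + "/"
        files[owner].add(p)
        if parts[owner_depth] in KNOWN_WEB_APPS:
            apps[owner].add(parts[owner_depth])
    return sorted(
        ((owner, len(fs), sorted(apps[owner])) for owner, fs in files.items()),
        key=lambda row: (-row[1], row[0]),
    )


def summary(paths, population):
    """Headline numbers: distinct owners hit, files involved, share of the user base."""
    rows = [r for r in scope_by_owner(paths) if r[0] != "UNSCOPED"]
    return {
        "owners": len(rows),
        "files": sum(r[1] for r in rows),
        "share": len(rows) / population,
    }


if __name__ == "__main__":
    for owner, count, app_names in scope_by_owner(INFECTED_FILES):
        print(f"{owner:40s} {count:4d} {','.join(app_names)}")
    print(summary(INFECTED_FILES, 30000))  # 30K is the post's rough student count
```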
Re: [Full-disclosure] cDc Created Hong Kong Blondes and 'Hacktivism' as a Media Hack
On Thu, 03 May 2012 19:24:29 -, Wei Honker said:

> If Anonymous truly wants to make a difference they need to evolve beyond the simple DDoS attacks, web defacements and the media hack that currently defines hacktivism and become the movement they want to be.

Cool story, bro.

First fallacy: Anonymous is a plural noun, not singular. It's not one thing with a cohesive leadership, plan, and direction, it's a bunch of things all wandering in the same semi-general direction. There is no singular "wants" to Anonymous.

Second fallacy: Even if Anonymous as a whole wants one thing, there is no actual evidence that the one thing is to be anything more than DDoS/defacement/media hacks. They seem content at that.

Third fallacy: Never underestimate the value of a good media hack. Consider the Maine, the Lusitania, the Gulf of Tonkin, and yellowcake uranium - all to some extent media hacks.

Overall grade: B-.
Re: [Full-disclosure] DoS vulnerabilities in Firefox, Internet Explorer and Opera
On Mon, 30 Apr 2012 15:37:08 +0300, MustLive said:

> * Mozilla Firefox 3.0.19 consumes resources (50% CPU and a lot of RAM) and crashes.
> * Mozilla Firefox 3.5.11 consumes resources (50% CPU and a lot of RAM) and crashes.
> * Mozilla Firefox 3.6.8 consumes resources (50% CPU and a lot of RAM) and crashes.
> * Mozilla Firefox 4.0 beta 2 freezes and consumes resources (50% CPU and a lot of RAM).
> * Mozilla Firefox 11.0 freezes and consumes resources (50% CPU and a lot of RAM).
> * Internet Explorer 6 freezes and consumes resources (50% CPU and a lot of RAM).
> * Internet Explorer 7 freezes and consumes resources (50% CPU and a lot of RAM).
> * Internet Explorer 8 only consumes resources (50% CPU and a lot of RAM). I.e. in IE8 the problem was partly fixed by Microsoft.
> * Opera 10.62 freezes and consumes resources (50% CPU and a lot of RAM).

Anybody want to guess how many cores are on his test box? :)
Re: [Full-disclosure] Vulnerability in Gentoo hardened
On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:

> if you read his advisories and 0-days you know: It's not a joke...

I always thought it was misunderstood performance art...
Re: [Full-disclosure] phpMyBible 0.5.1 Mutiple XSS
On Sun, 22 Apr 2012 19:59:46 -, Thor (Hammer of God) said:

> You dropped a FD on the BIBLE?? Dude, you're going straight to Hacker Hell! :)

Wait, wouldn't that require that the unerring Word of God was buggy? ;)
Re: [Full-disclosure] Windows XP denial of service 0day found in CTF exercise
On Tue, 17 Apr 2012 17:48:47 -0400, Elazar Broad said:

> At least configure your SPF record policy to hard fail, and consider Domain Keys and/or DMARC.

Given where his MX's point, and the fact that the SPF includes a :include that points at another domain, simply setting it to hard fail without breaking his e-mail may or may not be easy to do. Similarly, if he sets it to hard fail, he probably can't turn on DKIM without the cooperation of the domain listed in the :include

(A *lot* of sites that do SPF only code 'soft fail' so that other tools like spamassassin can add a few points if the mail comes from an unexpected place, but don't want to have hard-fail because that can break users. For instance, we don't publish a hard-fail because that results in a support headache if one of our professors goes to a conference and sends e-mail from his hotel room - and the hotel network hijacks the connection. *loads* of fun to sort that out when the professor calls our help desk from Seattle or Tokyo. And of course, he's a chemical engineering professor, so has zero network debugging tools on the laptop...)
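To make the soft-fail versus hard-fail trade-off above concrete, here is an added example (not code from the post) of a minimal SPF check_host() run over a constructed zone: a sender domain whose record delegates to another domain via include:, evaluated for mail from a hotel network and from the included mail host, under ~all and -all, and after the included domain quietly narrows its own range. All domain names, addresses and the spamassassin-style point values are constructed; only mx, include:, ip4: and all are modelled.

```python
import copy
import ipaddress

# Constructed DNS TXT/MX/A data for hypothetical domains; none of these zones exist.
# prof.example delegates part of its policy with include:, like the domain in the post.
ZONE_SOFT = {
    "txt": {
        "prof.example": "v=spf1 mx include:_spf.mailhost.example ~all",
        "_spf.mailhost.example": "v=spf1 ip4:203.0.113.0/24 -all",
    },
    "mx": {"prof.example": ["mx1.prof.example"]},
    "a": {"mx1.prof.example": ["198.51.100.10"]},
}

# Same zone with the sender's own record switched from soft fail (~all) to hard fail (-all).
ZONE_HARD = copy.deepcopy(ZONE_SOFT)
ZONE_HARD["txt"]["prof.example"] = "v=spf1 mx include:_spf.mailhost.example -all"

# Hard-fail zone where the included domain later narrows its range without coordination.
ZONE_HARD_NARROWED = copy.deepcopy(ZONE_HARD)
ZONE_HARD_NARROWED["txt"]["_spf.mailhost.example"] = "v=spf1 ip4:203.0.113.128/25 -all"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, zone, depth=0):
    """Minimal SPF check_host() over the constructed zone.

    Returns pass / fail / softfail / neutral / none / permerror for the
    mechanisms the post talks about (mx, include:, ip4:, all).
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms; keeps the toy from looping
        return "permerror"
    record = zone["txt"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term == "mx":
            mx_hosts = zone["mx"].get(domain, [])
            matched = any(str(addr) in zone["a"].get(h, []) for h in mx_hosts)
        elif term.startswith("include:"):
            # include: matches only when the referenced policy says "pass"; the
            # included record's own -all never yields a fail for the including domain.
            sub = check_host(ip, term[len("include:"):], zone, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # mechanism not modelled here (a:, exists:, ...)
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def spamassassin_style_points(result):
    """Constructed scoring: a soft fail only nudges the spam score, a hard fail is a reject."""
    return {"softfail": 1.0, "fail": float("inf"), "neutral": 0.5}.get(result, 0.0)


def hotel_scenarios():
    """The professor-in-a-hotel case from the post: mail injected from an address
    that is neither the MX nor inside the included mail host's range."""
    hotel_ip = "192.0.2.77"        # constructed hijacked hotel network
    mailhost_ip = "203.0.113.25"   # constructed address inside the include: range
    return {
        "hotel_soft": check_host(hotel_ip, "prof.example", ZONE_SOFT),
        "hotel_hard": check_host(hotel_ip, "prof.example", ZONE_HARD),
        "mailhost_hard": check_host(mailhost_ip, "prof.example", ZONE_HARD),
        "mailhost_hard_narrowed": check_host(mailhost_ip, "prof.example", ZONE_HARD_NARROWED),
    }


if __name__ == "__main__":
    for name, result in hotel_scenarios().items():
        print(f"{name:24s} {result:9s} points={spamassassin_style_points(result)}")
```

The last scenario is the dependency the post describes: once the sender publishes -all, any change the included domain makes to its record turns into hard rejects of the sender's legitimate mail.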
Re: [Full-disclosure] new law proposal on EU against hacking tools and practices
On Mon, 09 Apr 2012 16:43:16 +0200, psy said:

> this is the official text. http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-476.089+01+DOC+PDF+V0//ENlanguage=EN

Thanks for posting that. Looks like the final text is in fact not that bad. In particular, Amendment 7 clarifies that authorized pen-testing is legal, and Amendment 22 strikes "the possession of" tools/devices and adds "for the clear purpose of committing any of the offences". So you're allowed to have a copy of Metasploit, but pointing it someplace you don't have permission is still strictly forbidden.

Sanity wins, at least this time. ;)
Re: [Full-disclosure] new law proposal on EU against hacking tools and practices
On Mon, 09 Apr 2012 12:06:24 -0400, Travis Biehn said:

> 'Clear purpose for committing any of the offenses' is usually easy to prove.

Say I'm heading to Munich for a pen-testing gig, complete with a signed contract and rules of engagement and a get-out-of-jail-free from their CISO. How do you "usually easy to prove" that I have Metasploit for the clear purpose of committing any of the offenses? You got evidence of me using Metasploit on machines not covered by my contract? You got e-mails or IM logs or anything like that saying I intend to do it?

(Compare and contrast this to at least one previous draft, where they didn't have to show clear purpose - mere possession was sufficient. Consider that distinction as it applies to a professional pen-tester.)
Re: [Full-disclosure] new law proposal on EU against hacking tools and practices
On Mon, 09 Apr 2012 19:49:59 +0100, Dave said:

> Or noobs like me who are not professional pentesters and only hit our own machines/VMs/network devices in the course of self training.

They made special notice of that. Amendment 7 got reworded a bit (the phrase "authorized testing" was replaced with "testing in accordance with law"), and in the Justification they say:

> The term "authorised testing" can be interpreted in a way that would require a formal authorization before the security testing of own information systems. This would entirely undermine the effectiveness and practicality of self tests without criminal intent. Further, there should be no criminal liability when the limitation of access to a system is illegal by itself.
Re: [Full-disclosure] Working to get more people to check if their infected with DNS Changer
On Wed, 04 Apr 2012 10:09:12 -0700, Gage Bystrom said:

> You forget that the culprits have already been caught, no one is there in order to issue an update to circumvent the check site.

In *this* case. Just keep in mind the *general* case where the miscreants are still on the loose and can still target you for mischief. In that case, demonsdebason is right - checking a DNS mapping without DNSSEC or similar isn't guaranteed to reveal an infection, because the attacker can still lie to you...
Re: [Full-disclosure] www.LEORAT.com is scam
On Fri, 30 Mar 2012 19:23:38 +0530, smith joseph said:

> LEORAT.COM is SCAM | LEOIMPACT.COM is SCAM | LEORAT.COM is SCAM
> Yes.. I bought this RAT software from him.

(And of course, said ratware was *only* going to be used for the highest moral purposes)

I don't know why you're so upset at being scammed by somebody who's better at it than you are. I mean, it's not like you're actually *out* anything, unless you were foolish enough to pay with your own... Wait. No, you didn't pay with your own money, did you?

Noob. ;)
Re: [Full-disclosure] PcwRunAs Password Obfuscation Design Flaw
On Wed, 28 Mar 2012 11:34:56 -0400, Jeffrey Walton said:

> Under Linux, about the best you can do to avoid hard coded passwords in source files is store the password in a file, and then clamp the ACL on the file so only tomcat, apache, or whomever can read. Generally, it means you remove world and group.

Or clamp down even further using SELinux, which can get you to the point of "only /usr/bin/httpd can read this file". Combine this with "only the init process can launch httpd", and it gets pretty hard for an attacker to get at the passwords without a complete system compromise. (Yes, it's still vulnerable to "exploit allows running arbitrary code in the httpd process's context" and similar. I *said* pretty hard, not impossible ;)
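What the ACL-clamping advice looks like when the reading process enforces it, as an added example that is not code from this thread: a loader that refuses the password file unless it is a regular file with no group/other bits and the expected owner, checked on the opened descriptor so the check and the read cannot be raced. The file name, the uid check and the secret value are constructed for the demo; it assumes a Linux/POSIX host.

```python
import os
import stat
import tempfile

def load_secret(path, expected_uid=None):
    """Read a password from a file only if its ACL is clamped as the reply describes.

    Refuses symlinks and non-regular files, any group/other permission bits, and
    (optionally) a wrong owner. fstat on the open descriptor avoids a check-then-open race.
    """
    with os.fdopen(os.open(path, os.O_RDONLY | os.O_NOFOLLOW), "r") as fh:
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(
                f"{path}: mode {stat.filemode(st.st_mode)} grants group/other access; want 0600")
        if expected_uid is not None and st.st_uid != expected_uid:
            raise PermissionError(f"{path}: owned by uid {st.st_uid}, expected uid {expected_uid}")
        return fh.read().rstrip("\n")

def demo():
    """Constructed demo: the same file is tried world-readable (0644) and then clamped (0600)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "db-password")       # hypothetical password file
    with open(path, "w") as fh:
        fh.write("constructed-example-password\n")    # placeholder secret, not a real credential
    results = {}
    os.chmod(path, 0o644)                             # group/world readable: the common mistake
    try:
        load_secret(path, os.getuid())
        results["0644"] = "accepted"
    except PermissionError:
        results["0644"] = "rejected"
    os.chmod(path, 0o600)                             # owner-only, as the reply recommends
    results["0600"] = load_secret(path, os.getuid())
    return results
```

Running `demo()` shows the 0644 copy rejected and the 0600 copy read; the SELinux and init-only-launch layers the reply mentions sit outside the process and are not modelled here.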
Re: [Full-disclosure] Apple IOS security issue pre-advisory record
On Sat, 24 Mar 2012 13:21:12 -0700, IA64 LOL said:

> everything is obvious after it's pointed out.

Not everything. Consider Diffie-Hellman key exchange. There are very few people with enough number theory clue that it's obvious as to *why* DH works on a first explanation. Most people can eventually convince themselves that it can be used to exchange numbers. Convincing yourself that it's done in a non-interceptible manner is a lot harder..

Or consider BGP wedgies - if it's obvious to you why they're persistent, you should be applying for a job as a senior BGP engineer at a major network. ;)
Re: [Full-disclosure] Mexican Drug Cartels and Cyberspace
On Mon, 26 Mar 2012 09:28:38 -0500, Adam Behnke said:

> Mexican drug trafficking organizations are increasingly demonstrating a desire to make money from cyber-crime, attracted by the high profits and minimal risks offered by such activities as fraud, theft, and piracy.

The Russians and Ukrainians already in that business aren't going to like the competition. This could get interesting...
Re: [Full-disclosure] Mexican Drug Cartels and Cyberspace
On Mon, 26 Mar 2012 16:14:21 +0100, Dave said:

> Looking forward to a Mexican standoff?

Short-tempered and easily excited trigger-happy Mexican gangsters versus psychopathic Russian gangsters? The proper time units for how long *that* standoff will last are usually found only in textbooks on subatomic physics. ;)
Re: [Full-disclosure] Apple IOS security issue pre-advisory record
On Sat, 24 Mar 2012 10:26:48 -, Dave said:

> Doesn't the -e robots=off, --page-requisites and -H wget directives enable one to collect all the necessary files that are called from a page?

No, not *all* the files, for the same reason that if you visit a page with NoScript enabled, you may end up with missing content and/or big open spaces on the page. Consider a page that has Javascript on it:

    todaysfile = "http://www.news-site.com/" + date_as_string;
    document.load(todaysfile);

Unless you interpret the javascript, you don't know what URL will get loaded, because yesterday and tomorrow will get a different URL. So basically, if you try to pull it down with wget or similar, you will miss *all* the stuff that's pulled down via Javascript (and probably via css as well - does wget know how to follow CSS references?). On many modern web designs, this ends up being the vast majority of the content.