Re: [Full-disclosure] Email Disclaimers...Legally Liable if breached?

2007-10-10 Thread gabriel rosenkoetter
At 2007-10-11 08:52 +1000, Kelly Robinson [EMAIL PROTECTED] wrote:
> It is common these days for email messages to contain a disclosure notice,
> which may include statements such as:

You forgot the most absurd: the content of this message [sent often,
on purpose, to publicly visible and archived mailing lists] is
intended 'only for the addressee'.

> Do these notices carry any *legal* force?  Why or why not?

I am not a lawyer, but my understanding is the same as
Geoff's ([EMAIL PROTECTED]): because the warning, such as
it is, appears after the recipient has already read the content
with no way (and not even tacking it on the top would really be
enough, I don't think) for the recipient to opt-out and simply not
read that content.

They should be contrasted with warnings of potential legal
culpability if a connecting user continues to use a system in
/etc/issue or similar: those are a Good Idea, and help one's case
against attackers, because they go a long way to nullify "I didn't
know it wasn't okay" sorts of defenses.

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] tinyurl.com - Local Clipboard

2007-03-16 Thread gabriel rosenkoetter
On Thu, Mar 15, 2007 at 12:30:48PM -0500, Shaun wrote:
> I took a quick look and it appears that they aren't trying to read the
> clipboard, they're trying to write the generated tinyurl to it for the
> folks who are too lazy to control-c it out of the page. Annoying to have
> your clipboard contents clobbered, but not really a threat.
>
> It didn't do anything in FF2.

Since I only use Windows, let alone IE, at Work (where I'm
invariably issued a Windows laptop whether I like it or not), and
I'm too lazy to dig out the work laptop at the moment, I'm not
checking this now, but I recall pretty clearly that this is a
behavior that tinyurl.com OPENLY ADVERTISES as being a feature of
using that site with IE under Windows (and nowhere else, because
no other browser and OS security model permits such silliness).

It's a security problem, but it's not indicative of any particular
threat on their part.

(Really, if the original poster wanted to bitch about evil intentions
at tinyurl.com, the obfuscation of affiliate links is a much better
target...)

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]



Re: [Full-disclosure] Simcard 0day.

2007-01-12 Thread gabriel rosenkoetter
On Mon, Jan 01, 2007 at 05:43:05PM -0800, Blue Boar wrote:
> Does this actually work on people on a security mailing list?

Speaking as someone whose current employer has chosen to subscribe
its NOC staff group email (a member of which, thankfully, I am not)
on an Exchange server to various security mailing lists, in the
interest of having the NOC monitor security alerts and open tickets
over those affecting systems and applications in use, for which
purpose they of course use Outlook... Yes, it pretty definitely
does, and gets you in places that are otherwise decently protected.

There's little cure for stupidity at the management level other than
patience.

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]



Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread gabriel rosenkoetter
On Mon, Nov 27, 2006 at 03:51:39PM -0500, J. Oquendo wrote:
> Since you seem to be clueless I'll answer step by step. Here goes idiot.
> (Sinful to see someone so clueless coming from Gentoo... Guess it goes
> with the romper room Linux territory)

Uh... actually, no. The provided exploit Will work, and you're the
idiot.

Here, let me show you.

You do this:

> /
> awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru > /tmp/hosts.deny
> diff /etc/hosts.deny /tmp/hosts.deny | awk '/\./ && />/{print $2}' >> /etc/hosts.deny
> /
>
> There is no hocus pocus here. Look at /var/log/secure and find the term
> error retrieving and print the next line, 13th column. Then sort it and
> print the unique entries into /tmp/hosts.deny. After you do this, compare
> /tmp/hosts.deny with /etc/hosts.deny and put the differences not in
> /etc/hosts.deny into /etc/hosts.deny

What will be in column 13 when Tavis does this:

> Tavis Ormandy wrote:
> Here's an exploit.
>
> #!/bin/sh
> ssh 'foo bar `/sbin/halt`'@victim

Why, the shelled-out output of `/sbin/halt`!

Or, hey, anything he or I care to put inside backticks. You'll
execute it blindly, as root, on your system.

Kids, don't use this script. Please.

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]



Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread gabriel rosenkoetter
On Mon, Nov 27, 2006 at 03:59:37PM -0500, gabriel rosenkoetter wrote:
> Uh... actually, no. The provided exploit Will work, and you're the
> idiot.

Begging your pardon, you are saved by single-quoting your awk(1)
statement:

> > awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru > /tmp/hosts.deny
[...]
> What will be in column 13 when Tavis does this:
>
> > Tavis Ormandy wrote:
> > ssh 'foo bar `/sbin/halt`'@victim
[...]
> Why, the shelled-out output of `/sbin/halt`!

Nope, I'm wrong, just the literal string `/sbin/halt`, which you
never exec.

Mea culpa. Tavis's exploit doesn't do scary things, although he's
right you should really be doing a bit more sanitization of (evil)
user-supplied input, given that you're (insisting that you) run as
root.

On Mon, Nov 27, 2006 at 04:12:11PM -0500, J. Oquendo wrote:
> Look at the script. Although YOU'RE opening /var/log/authlog what is the
> script opening. Please tell me you're really not that stupid.

Actually, your BSD version DOES open /var/log/authlog (which will
fail on FreeBSD, btw, where it's /var/log/auth.log), so you should
probably stop casting stones and quit while you're ahead with my
explanation above of why Tavis's exploit is a non-starter.

But since we're on the topic... wouldn't it be a better plan to
check the local syslog.conf for the location of the auth failure
log messages rather than hard code it?

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]



Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread gabriel rosenkoetter
On Mon, Nov 27, 2006 at 09:29:33PM +, Tavis Ormandy wrote:
> Gabriel, I was referring to this line:
>
> awk '!/#/ && /\./ && !a[$0]++
> {print "iptables -A INPUT -s "$1" -i eth0 -d '$ifaddr' -p TCP --dport 22 -j REJECT"}' /etc/hosts.deny |\
> awk '/iptables/ && !/#/ && !/-s  -i/'|sh
>
> (note the |sh), $1 can be controlled by specially crafted attempted
> logins.

Aha.

Yep, sure can!

I couldn't find where the malicious input was actually executed, but
I didn't spend long looking.

I take back my take back.

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]



Re: [Full-disclosure] SSH brute force blocking tool

2006-11-27 Thread gabriel rosenkoetter
On Mon, Nov 27, 2006 at 04:27:24PM -0500, J. Oquendo wrote:
> So for the third time now. Explain to me how I am backdooring someone's
> system.
>
> [EMAIL PROTECTED] include]# uname -a
> Linux int-mrkt 2.6.18-1.2200.fc5 #1 Sat Oct 14 16:59:26 EDT 2006 i686
> i686 i386 GNU/Linux
> [EMAIL PROTECTED] include]# awk '/error retrieving/{getline;print $13}'
> /var/log/secure|sort -ru
> 222.171.20.252
> 211.137.74.58
>
> My logs parse out addresses not named and there is no redirection going
> on. If you want to say Hey... It should be written as such then gladly
> do so.

You are dealing with output you can't trust there. $13 could be
anything, including \n`rm -rf /`. Later on, you pass $13,
unstripped of newlines, backticks, or any number of other special
characters, to a shell running as uid 0. That shell will proceed to
execute whatever we would like it to, where we are the remote
attacker who doesn't even have an account.

I don't believe the suggestion was ever that you had malicious
intent, but rather that you have very horrible coding security
habits.

I'm disinclined to sort out which of your machines I can get root on
right now because you are running this script, but I would expect
that someone reading this mailing list is already on the way and
would strongly advise that you disable those cron jobs.

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]
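A hardened version of the log-to-hosts.deny step argued over in this thread, covering both the shifted-column problem a login name with spaces causes and the field that ended up being handed to sh. This is an added example in POSIX sh, not J. Oquendo's script; the sample log lines, their field positions and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not J. Oquendo's script. Two problems from the thread:
# a positional log field shifts when a login name contains spaces, and
# that field was piped to a root shell. Fix: anchor on the "from " token
# and accept nothing but a dotted quad before the value goes anywhere.

# Constructed sample lines in the general shape of sshd "Invalid user"
# output; the second carries a login name with spaces and backticks.
SAMPLE_LOG='Nov 27 15:51:39 gw sshd[4011]: Invalid user admin from 222.171.20.252
Nov 27 15:51:40 gw sshd[4012]: Invalid user foo bar `/sbin/halt` from 211.137.74.58
Nov 27 15:51:41 gw sshd[4013]: Invalid user guest from `reboot`
Nov 27 15:51:42 gw sshd[4014]: Invalid user guest from 222.171.20.252'

# Strict IPv4 check: exactly four all-digit octets, each 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The fragile pattern from the thread: column 10 holds the address only
# while the login name is one word (the original used $13 of its log).
naive_extract() {
    awk '/Invalid user/ { print $10 }'
}

# Hardened extractor: take the token after the last " from ", de-duplicate,
# then let only validated addresses through as hosts.deny lines. Rejected
# values go to stderr and never reach sh, hosts.deny or iptables.
deny_entries() {
    awk '/Invalid user/ { n = split($0, f, " from "); print f[n] }' |
    sort -u |
    while IFS= read -r candidate; do
        if is_ipv4 "$candidate"; then
            printf 'sshd: %s\n' "$candidate"
        else
            printf 'rejected untrusted field: %s\n' "$candidate" >&2
        fi
    done
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | deny_entries
```

Run against the sample, `naive_extract` hands back the backtick token for the second line, while `deny_entries` emits only the two real addresses and reports the rest on stderr.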



Re: [Full-disclosure] Seeking anyone damaged by Yuma Arizona!

2006-11-10 Thread gabriel rosenkoetter
On Fri, Nov 10, 2006 at 09:18:04AM -0500, [EMAIL PROTECTED] wrote:
> What are you babbling about NOW?

I wouldn't pretend (nor want) to be inside measl's head, but I think
he's talking about (attempted? alleged?) electronic voting machine
intrusion:

  http://kvoa.com/Global/story.asp?S=5659237&nav=HMO6

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]



Re: [Full-disclosure] Mail Drives Security Considerations

2006-11-05 Thread gabriel rosenkoetter
On Fri, Nov 03, 2006 at 11:28:27AM -0500, Matthew Flaschen wrote:
> Why can't message signing offer backwards compatibility (assuming you
> use multipart/signed)?

Seems to me that adding a PGP signature verification to every
operation on files (even ls(1); you have to check to make sure it's
not a spoofed file) would rather noticeably impact the
performance of what's already got to be pretty slow on most users'
connections, and it adds a layer of complexity to the setup (you
have to generate the key pair, and have the private key available on
any system on which you intend to have write access) but that would certainly
work. Spam will still be a DoS against storage space, of course.

Never mind that this software violates gmail's acceptable use
policy and is transmitted back and forth in the clear (unless you
want to roll PGP encryption into the mix, in which case keeping
paths in the clear in the subject breaks the security), so it'd be
hard to view data stored this way as being secure to begin with...

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]



Re: [Full-disclosure] [ Capture Skype trafic ]

2006-10-28 Thread gabriel rosenkoetter
On Sat, Oct 28, 2006 at 11:24:40AM +0200, Cedric Blancher wrote:
> Have you ever heard of Skype API that basically allows two applications to
> communicate on top of Skype network, thus inheriting Skype resilience,
> encryption, obfuscation and firewall punching capabilities ?

I don't see how this isn't still an HR problem.

Unless you're concerned about infected systems communicating in this
way as part of a zombie network? In that case, your vector to fix it
is dealing with your broken virus checking.

Setting up network filtering to keep your internal users from doing
something, rather than persuading them that they should not do that,
will never, ever work.

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]



Re: [Full-disclosure] [ Capture Skype trafic ]

2006-10-28 Thread gabriel rosenkoetter
On Sat, Oct 28, 2006 at 10:58:38AM +1300, Nick FitzGerald wrote:
> Final enforcement may be an HR problem, [...]

Both setting the policy for acceptable use and enforcing that policy
are HR's problem.

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]



Re: [Full-disclosure] Ask for spam...

2006-10-17 Thread gabriel rosenkoetter
On Mon, Oct 16, 2006 at 09:41:08PM -0400, Peter Dawson wrote:
> I think the point here is that you seed your email addy to these freebie
> newsletters and then wait for the spammer to harvest the email addy's.
> Propagation window should be about 10-15 days and then you can counter
> analysis the source data within smtp

The problem is that you'll catch things that are actually email that
the user ostensibly requested, from the original source, no matter
what.

I find the vast majority of my spam shows up from web spiders
harvesting mailing list archives online that do not munge email
addresses and GNATs bug databases, which may be a better
clean-room way to put email addresses Out There.

-- 
gabriel rosenkoetter
[EMAIL PROTECTED]

