[Full-disclosure] IP-Adresses of German Secret Intelligence Agency supposedly leaked

2008-11-13 Thread niclas
Don't know if this is the right place for this kind of information. I
also believe it's no big deal, but you might want to scan your server
logs for these addresses to see who's watching you.

https://secure.wikileaks.org/wiki/T-Systems_BND_network_assignments%2C_13_Nov_2008

The PDF contains a list of IP addresses which seem to be used by the
German "Bundesnachrichtendienst".

Changes to German Wikipedia pages committed from those addresses are
listed here (German text):

http://blog.datenritter.de/archives/393-angebliche-IP-Adressen-des-BND-und-Wikipedia-AEnderungen.html
http://bastards22.vs8807.vserver4free.de/?p=170

German blogger Fefe already knew about (some of) these addresses in 2005
and noticed visits to his site. They were looking for "cold fusion at
home" ("kalte Fusion zuhause") and "muslim world outreach".

http://blog.fefe.de/?ts=bc15908d

n.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] URLs with hexcode-obscured IPs still work?

2008-11-26 Thread niclas
Today I received a phishing mail containing a link which obscures the
IP address as a hexadecimal number. The URL looks like this:

http:// 0x ded 6d8a1/www.paypal.com/int ... /index.htm

(Spaces added to circumvent phishing filters.)

Obviously the IP address is disguised as hexcode, to distract
inexperienced users from the fact that they are not actually visiting
PayPal.

This seems to be an old problem, and links like that - IMHO - just
shouldn't work. They don't work when using proxy servers, but they do in
some Firefox versions, in Konqueror and in Microsoft's Internet Explorer.

While IE presents the IP address in dotted-decimal format, KDE's
Konqueror simply shows the hexcode URL in the address bar.

Some info here (German):
http://blog.datenritter.de/archives/421-Phisher-tarnen-IP-Adressen-als-Hexcode.html

Why does this still work?

n.



Re: [Full-disclosure] n3td3v has been tracked to Slough, UK

2008-11-26 Thread niclas
> no one gives a flying fuck about the pissing contest between you two,
> 90% of this list is NOISE and you two clowns generate 89% of it.

this just in:

actually it could be 99% of the 90%, i.e. 0.9*0.99.

n.



Re: [Full-disclosure] round and round they go

2008-02-22 Thread niclas
> http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html

(cooling down DRAMs keeps their contents for a longer time, even during a
reboot.)

well, this shows how important mechanical security still is, even with
all the crypto stuff out there. if you e.g. just *glued* your RAM
modules into your motherboard, the only option left would be booting a
malicious OS. a BIOS password might delay that.

so, if it is really secret put your PC in a locked steel box!

as a direct countermeasure you might as well consider a simple
temperature sensor next to your DRAMs, releasing [evil self-destruction
hack] when temperatures drop below 0°C.

thermite does a good job at destroying HDDs, but it's very dangerous.

it's probably easier to use this device, then:
http://www.wiebetech.com/products/HotPlug.php

looking at these two methods, i notice how "they" (whoever) seem to aim
not only at physical access but also more and more at surprising the
crypto user. "they" might use the methods mentioned above or just hit
you with a flashbang, so you can't press the lock key anymore. this
worries me more than any IT-related security flaw. i don't want the
police to behave like that.

n.


Re: [Full-disclosure] round and round they go

2008-02-22 Thread niclas
> I would think a more realistic scenario might be a person working at
> an airport shutting their system down then getting it stolen vs a
> forensic examiner yanking the cord on purpose. Just an observation.

if somebody steals your notebook at the airport, the chance of this
person just being an ordinary criminal not interested in your data is
very high.

and if you just shut down your notebook, the DRAMs are still warm,
decreasing the time window for an "ice-spray-attack". so, unless the
notebook is thrown into a barrel of liquid nitrogen...

n.



Re: [Full-disclosure] round and round they go

2008-02-23 Thread niclas
> hrm. sigh. Normal moles not being able to grasp trivial knowledge.

*cough*

> Airports are duh known conduits of business travellers with lots of
> data,

first question: do those travellers use encryption? from my experience,
most people are just ignorant when it comes to security.

how many notebooks are stolen to do industrial espionage? any statistics?

anyway, you're right - if they do use encryption and if they felt safe,
they have to feel a little less safe from now on.

that means: if in doubt, you should not carry too much important data on
your notebook. (a VPN access might help...)

and you might just turn your notebook OFF, instead of putting it to sleep.

> thus increasing the possibility of targeting a more valuable
> target. So your statement that only ordinary criminals steal at
> airports is shortsighted. If anything a common criminal isnt going to
> try and steal at a place with a fucking million security cameras
> around.

hmm, ok, who would do so? would you say, it is easy to grab a notebook
in an airport lounge and leave the airport before anyone notices or
security folks get after you?

> You hardly need a barrel of liquid nitrogen - If you could summon not
> a barrel but more of a can of  clue you would be better off.

ok, so what you have to do is: grab the notebook while it's powered on
or in an ACPI sleep state. (maybe hit the victim in the toilet or
something.)

get out of the airport into a car and disappear quickly. in your car you
might have a *can* of liquid nitrogen or just a bunch of screwdrivers
and an ice spray. (the DRAMs might not be easily accessible.) you need a
computer with the same slots and must be sure that the DRAMs have
compatible timing... and gloves, by the way...

possible, but complicated.

still, there are comparatively *simple* countermeasures. use glue. use
TWO encrypted drives (one for your personal data and one for your secret
business data). use an RFID or bluetooth device to secure your
notebook. and then there are anti-tampering methods. i have heard there
are secure memory modules which erase themselves quickly...

or just don't let them snatch your computer!

n.



[Full-disclosure] OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clients in SSH DH key exchange

2008-05-25 Thread niclas
Alex,

you recently wrote that you tested the CA certificates - but you didn't
test the certificates which have been *signed* by the CAs.

They are a serious problem. The attack described in your recent post can
easily be avoided by exchanging vulnerable certificates, BUT:

If somebody grabbed an old (vulnerable) certificate quickly, he or she
could generate the private key which fits it and then abuse the cert
for a man-in-the-middle attack.

I think all servers which had a vulnerable certificate, even for a short
time, are still not secure - at least as long as the old certificates
are still valid, which depends only on the validity date saved in the
certificate.

No, CRLs don't work. Firefox for example does not check for CRLs
(default setting), making certificate revocation senseless. I assume
other browsers don't check CRLs either. And what about the German
tax software ELSTER?

German CCC member Fefe describes this here (English and German):
http://blog.fefe.de/?ts=b6c9ec7e

His post is dated 23rd of May. He says somebody already got the old
cert of "a248.e.akamai.net".


My comment with screenshots of Firefox's settings pages and an error
message here (German):
http://blog.datenritter.de/archives/208-gefaehrliche-Angriffsmoeglichkeit-durch-das-OpenSSL-Debakel.html


I think the only option is to change domain names. :-(

IMHO Felix is totally right in his criticism of PKI. When you download a
browser you get a bunch of CA-Certificates but no reason to trust even a
few of them.

n.

> Everybody keeps talking about changing your keys and updating OpenSSL,
> but this is not the only issue with the Debian/OpenSSL debacle. Consider
> that someone has sniffed your SSH traffic (say at a security conference?).
> If either a compromised server or client were involved, you have got
> a problem as the Diffie-Hellman key exchange at the start of the
> SSH session can now be broken. This means that all the data (passwords,
> SSH tunnel anyone?) can now be considered compromised if you are
> reasonably paranoid.

(...)

> You can find the script at
> http://www.cynops.de/download/check_weak_dh_ssh.pl.bz2




Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-09 Thread niclas
> ... I realised that you can do something with Firefox 2.0.x that
> you could not do with Firefox 1.5.x: track an unsuspecting user
> using TLS client certificates.

this is not new. in a way it has been in the apache
documentation for years. it's simple, and it's very bad:

a) firefox does not ask the user which certificate to deliver if not set
up to do so.

b) firefox does not offer a checkbox to remember the choice the user
made. the irritating dialogue will appear up to two times for each
webpage and not stay activated for long.

(konqueror in comparison does remember the user's choice for each
domain/site. k. doesn't send out certificates without being told to.)

c) in the apache documentation you can read about a simple setup which
asks for and accepts ANY certificate that the browser delivers - which
leaves the choice to the browser and makes it deliver one _silently_ if
present.

(IIRC the choice is usually made by comparing certain fields in the
certificate, e.g. company, common name etc. the certificate that matches
best will be sent.
though the server certificate's CN must be * or match the domain to be
accepted, FF does not require any information from the client
certificate to match the domain it is sent to.)


you want to make use of that? very simple:

1) all information from the client certificate can of course be read by
the server, e.g. in a CGI.

2) though you could achieve this easily (contrary to statements on the
list my FF never required client certificates to be signed by a known
CA - why should it?), you do not have to make users actually install a
certificate. it would be too obvious anyway, and...

...users who are part of a company network or any other organization
which uses certificate authentication will already have one.

they are very concerned about security, so they are probably more
interesting targets anyway.

3) for tracking purposes just remember the fingerprint of ANY delivered
client certificate. combine it with any other information you get from
the now perfectly identified client, like IP address, information filled
into forms, etc.

4a) simple tracking of a certificate holder might be nice for secret
services and adserver owners, but as companies like to have their own CA
or at least write the company name into the certificates, competitors
can easily see who's clicking.

4b) if you are a spammer the valid e-mail-address stored in the
certificate might be of some value.

4c) the "common name" field is great information for phishers and all
kinds of evildoers who are now empowered to create individualized mails
with this information.

n.




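As an added example (not the poster's configuration, and not copied from the Apache documentation he refers to), this is the mod_ssl setup that makes the tracking described above work: the server requests a client certificate, accepts whatever the browser sends regardless of issuer, and exports the certificate's fields to CGI scripts and the access log. Host name, paths and the CGI directory are placeholders.

```apache
# Added example: a virtual host that asks for a client certificate and accepts
# ANY one the browser delivers, then records who it belonged to.
<VirtualHost *:443>
    ServerName tracker.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/tracker.example.pem
    SSLCertificateKeyFile /etc/ssl/private/tracker.example.key

    # "optional_no_ca": request a client certificate, but do not fail the
    # handshake when none is sent or when it chains to a CA we do not know.
    # A browser configured to select a certificate automatically will pick
    # the best match and send it without asking the user.
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth  10

    # Hand the certificate to CGI scripts as environment variables:
    # SSL_CLIENT_S_DN, SSL_CLIENT_S_DN_CN, SSL_CLIENT_S_DN_O,
    # SSL_CLIENT_S_DN_Email, SSL_CLIENT_I_DN, SSL_CLIENT_M_SERIAL and, with
    # +ExportCertData, the full PEM in SSL_CLIENT_CERT (hash that for a
    # stable fingerprint of the visitor).
    <Directory "/var/www/tracker/cgi-bin">
        SSLOptions +StdEnvVars +ExportCertData
        Options +ExecCGI
        AddHandler cgi-script .cgi
        Require all granted
    </Directory>

    # Log the subject DN and serial next to the client IP, so every hit is
    # tied to a named person even without cookies or a login.
    LogFormat "%h %t \"%r\" %>s \"%{SSL_CLIENT_S_DN}x\" \"%{SSL_CLIENT_M_SERIAL}x\"" clientcert
    CustomLog /var/log/apache2/clientcert.log clientcert
</VirtualHost>
```

Nothing here is a server-side misconfiguration to fix: the operator wants exactly this. The defense is on the client, which is the poster's point. In Firefox the relevant preference is `security.default_personal_cert`; set to "Ask Every Time" instead of "Select Automatically", the browser prompts before sending any certificate, so a site that merely asks gets nothing unless the user agrees.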