Re: [Full-disclosure] MS06-019 - How long before this develops into a self propagating email worm
On 10 May 2006 10:26:05, [EMAIL PROTECTED] wrote:

> I have read the Microsoft advisory and the alarm bells started to whistle ;) As far as I can read, this opens the door to fully self-propagating email worms with whatever payload you desire.

Jeez, why bother with that? This is a better opportunity for corporate or governmental espionage. Get your own backdoor into your competitor's or enemy's email system, patch the hole behind you, and snoop at your leisure. Absolutely awesome possibilities.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] MS06-019 - How long before this develops into a self propagating email worm
n3td3v,

You wrote:

> threat meters: Seriously, threat meters are a waste of time and should be scrapped by all.

I am not a big fan of them either unless they are implemented well, meaning there are concrete reasons to go from one state to the other and each state has specific actions attached to them. All the net and IRL threat meters seem to lack these requirements.

> Let's call it paranoia meter because it's hearsay, there is no particular threat. Just because a vulnerability is wild and not patched does not pose a threat. In terrorism a threat is specific information that an attack is being planned.

I have to disagree with your definition of a threat here. Threat is the likelihood of something happening, if it is planned or not. When I go into certain neighbourhoods of certain places with a lot of gold jewellery showing, the threat of being mugged is higher than when I don't show the gold. The consequences of an event happening are also part of the threat. I have a high chance of taking coffee in the next 30 minutes, but the (negative) consequences of that are so low I do not consider it a threat. Likewise the public knowledge of a vulnerability increases the likelihood of it being exploited. If the vulnerability has serious consequences (like the current Exchange vulnerability) the threat is again greater.

> Although, the internet threat meters are lamer than the mainland threat meter (and even the mainland threat meter is lame), because it's completely based on hearsay: there's an unpatched vulnerability, this could happen, but we don't have any intelligence whatsoever that something is being programmed, but we thought we'd raise the internet threat level, you know because there's nothing else happening.

Yes, this is hearsay, like most other intelligence. If it was not hearsay it would again increase the likeliness and the threat.

> Although, that's how it used to be. The bad guys have realised now how much money these cyber agencies are making out of exploit virii, that they've decided not to launch an attack, based on their threat meters. The only time a real threat will come is when cyber agencies are off-watch. Why would an attack be launched if governments and businesses are expecting something to happen? The element of surprise is as important as the terrorism which gives them the name terrorist.

Thanks for that insight. I feel we might have to make the split between real hackers and the other 95%.

> Welcome to the future. Times are changing. You can create a paranoia amongst the community, but the new kids on the block aren't playing a destructive game of tig between malicious users and security vendors. The ball is in the malicious users' court. Each time you raise your threat level and nothing happens is eating away at the credibility of security vendors, although the bad guys always will have a cool knack of creeping up on everyone when they least expect it.

True, yet the security vendors cannot afford to not make people aware of the current conditions.

> Although, has it ever been the case thanks to your threat meter I wasn't hacked, or with mainland terrorism thanks to the terror meter, I spotted a terrorist and called the cops and managed to divert a 9/11 style attack

Unless there are specific actions associated with a threat level it will not accomplish anything.

Schanulleke
Re: [Full-disclosure] MS06-019 - How long before this develops into a self propagating email worm
On 5/10/06, Juha-Matti Laurio [EMAIL PROTECTED] wrote:

> threat meters:

Seriously, threat meters are a waste of time and should be scrapped by all.

UK has said it will never implement a terrorism threat meter, as the Bush administration already does to create a sense of public fear when the political climate requires the government to have public support on issues. It is known that the U.S. government has raised the threat meter when their poll rating is low, to get the public on-side: we know more than you do, just trust us. Propaganda. Would a threat meter have stopped 9/11 from happening? And what do you do if the meter goes to high alert? Are folks supposed to stop their everyday lives and start looking at everyone who looks of eastern origin in a paranoia frenzy?

On 7/7, the London bombings, the government and security services were caught by surprise; they had no idea about the threat, yet innocent folks died and the city of London went into lockdown over fears of further attacks, so much so that an innocent member of the public was shot, because the police thought he was a potential suicide bomber. He wasn't; the police had committed a murder, because of fear, the fear and paranoia the terrorists wanted the government and the public to have. They won in London, and the terrorists won in America too. Look at the way America has reacted, in the same way the UK government and intelligence services have. In the way the terrorists planned it to be. To create a fear, a paranoia, a terror in the minds of everyone.

Threat meters, what do they do? They play the role of the terrorist, bring fear, let the public know the terrorists are around. Even though only one building in one city or one train in one city would be the target, the whole entire nation is put on an artificial high state of alert. The government of the U.S. doesn't even say high state of alert for X city, they just have some threat meter covering the entire U.S.

The same goes for the internet. We're always being told that terrorism will one day come to cyber terrorism and hit governments and businesses hard. Yet no specific targets are ever mentioned. It's a threat meter for all, everyone; the so-called cyber security agencies can't even give estimates or likeliness of attack, they just raise a threat meter to create a hype and a need to buy the products X security company has on offer to protect consumers and corporations from imminent attack.

Let's call it paranoia meter because it's hearsay, there is no particular threat. Just because a vulnerability is wild and not patched does not pose a threat. In terrorism a threat is specific information that an attack is being planned.

Although, the internet threat meters are lamer than the mainland threat meter (and even the mainland threat meter is lame), because it's completely based on hearsay: there's an unpatched vulnerability, this could happen, but we don't have any intelligence whatsoever that something is being programmed, but we thought we'd raise the internet threat level, you know because there's nothing else happening.

Basically, the cyber security companies are creating a hype to be suggestive to malicious users, and of course the malicious users will often bow to such a threat level and release an exploit worm to the wild.

Although, that's how it used to be. The bad guys have realised now how much money these cyber agencies are making out of exploit virii, that they've decided not to launch an attack, based on their threat meters. The only time a real threat will come is when cyber agencies are off-watch. Why would an attack be launched if governments and businesses are expecting something to happen? The element of surprise is as important as the terrorism which gives them the name terrorist.

I conclude to say, the cyber security companies were once good at their predictive attack guesstimations, but no longer. In today's climate (right now) folks are more than aware of what's going on around. No longer will the would-be exploit virii offer play lap puddle to cyber security agencies, McAfee, Symantec, Trend Micro, US-CERT and the others. Attacks will come at the least expected point. Attacks won't come based on code you guys are aware of. Attacks will come without warning. Attacks will come when you least expect it. Attacks will never be predicted, will never have an early warning for, will always be a surprise from now on.

Welcome to the future. Times are changing. You can create a paranoia amongst the community, but the new kids on the block aren't playing a destructive game of tig between malicious users and security vendors. The ball is in the malicious users' court. Each time you raise your threat level and nothing happens is eating away at the credibility of security vendors, although the bad guys always will have a cool knack of creeping up on everyone when they least expect it.

Raise your threat meters, you're spoiling your own business by doing so, malicious users the more they hold off
Re: [Full-disclosure] MS06-019 - How long before this develops into a self propagating email worm
n3td3v wrote:

> On 5/10/06, Juha-Matti Laurio [EMAIL PROTECTED] wrote:
>
> > threat meters:
>
> Seriously, threat meters are a waste of time and should be scrapped by all.

Hey, I believe it's right to tell someone when they're wrong and give them credit when they're right... and although I disagree with some of your conclusions, I have to say that you've got a good point here.

About all that these threat meters do is drum people into action. That is, deep down, a good thing, but it's something that people should be careful with. Computers, and in particular computer security, are something that many people think is magic. An organization that is not well mitigated and is not vigilant is as likely to get cracked into during a high threat level as it is at a low threat level... the threat meters do give people a false sense of security and a false sense of fear and really do only measure paranoia.

Now, that's not to say that they don't have a use, but like all tools, if it's misused, the results will not necessarily be good. Something to keep in mind.

-bkfsec
Re: [Full-disclosure] MS06-019 - How long before this develops into a self propagating email worm
bkfsec wrote:

> I have to say that you've got a good point here.

These threat meters play lip service for hackers. "There's zero-day in the wild, you're going to get haxx3d." A threat is meant to be based on individuals planning something, not a hearsay.

Regardz,
n3td3v
Re: [Full-disclosure] MS06-019 - How long before this develops into a self propagating email worm
On Thu, 11 May 2006 19:15:50 BST, n3td3v said:

> There's zero-day in the wild, you're going to get haxx3d

It's more like "We now know about a zero-day that's been on the loose for some unknown amount of time, and you may already be hax0red. And if you haven't, you probably will be as soon as the script kiddies who are even more lame than our security professionals find the zero-day."

HAND.
Re: [Full-disclosure] MS06-019 - How long before this develops into a self propagating email worm
On 5/11/06, [EMAIL PROTECTED] wrote:

> On Thu, 11 May 2006 19:15:50 BST, n3td3v said:
>
> > There's zero-day in the wild, you're going to get haxx3d
>
> It's more like "We now know about a zero-day that's been on the loose for some unknown amount of time, and you may already be hax0red. And if you haven't, you probably will be as soon as the script kiddies who are even more lame than our security professionals find the zero-day."
>
> HAND.

Code alone is not a threat. It's obvious these security companies never have specific intelligence of worms being planned. All they can base their threat meters on is a generalization.

Which one is the threat:

"A gun store has opened on the corner, someone might buy a gun and shoot"

or

"I overheard a conversation that Johnny Average is annoyed at Bob and spoke about revenge, he's really into guns, and a gun store has just opened on the corner, Johnny is mentally unstable, and he's really good at hitting his targets, he shot someone in the past but no one told the police."

Regardz,
n3td3v
[Full-disclosure] MS06-019 - How long before this develops into a self propagating email worm
All,

I have read the Microsoft advisory and the alarm bells started to whistle ;) As far as I can read, this opens the door to fully self-propagating email worms with whatever payload you desire. Yet, sans.org, symantec and us-cert.gov still have their threat levels on 1. What am I missing, surely this supersedes the IE7 0-day action (sorry couldn't resist).

Schanulleke
Re: [Full-disclosure] MS06-019 - How long before this develops into a self propagating email worm
Two comments to threat meters:

1) ISS's AlertCon is at level 2/4 (Increased vigilance) now:
https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp
listing "in response to the critical issue disclosed within Microsoft Security Bulletin MS06-019 part of Microsoft's May release".

2) McAfee's Global Threat Condition is at level 3/4 (Severe) now:
http://www.mcafee.com/us/threat_center/default.asp#legend-learnmore
listing a raised risk of exploitation on Microsoft Windows and Microsoft Exchange hosts.

- Juha-Matti

> All,
>
> I have read the Microsoft advisory and the alarm bells started to whistle ;) As far as I can read, this opens the door to fully self-propagating email worms with whatever payload you desire. Yet, sans.org, symantec and us-cert.gov still have their threat levels on 1. What am I missing, surely this supersedes the IE7 0-day action (sorry couldn't resist).
>
> Schanulleke
Re: [Full-disclosure] MS06-019 - How long before this develops into a self propagating email worm
One of the things that makes this a bit more dangerous is that the patch causes problems, so people are more reluctant to install the patch until they see what problems others are having. This could be interesting.

On 5/10/06 6:26 AM, [EMAIL PROTECTED] wrote:

> All,
>
> I have read the Microsoft advisory and the alarm bells started to whistle ;) As far as I can read, this opens the door to fully self-propagating email worms with whatever payload you desire. Yet, sans.org, symantec and us-cert.gov still have their threat levels on 1. What am I missing, surely this supersedes the IE7 0-day action (sorry couldn't resist).
>
> Schanulleke

==
David Taylor // Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==
Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader
Re: [Full-disclosure] MS06-019 - How long before this develops into a self propagating email worm
a) Installing the patch breaks BlackBerry; the workaround is an Active Directory modification
b) Implementing the workaround will cause loss of functionality
c) The patch is currently being reverse engineered to find out what it is that is broken (by different people for different intents)

a + b + c = may you live in interesting times

--- David Taylor [EMAIL PROTECTED] wrote:

> One of the things that makes this a bit more dangerous is that the patch causes problems, so people are more reluctant to install the patch until they see what problems others are having. This could be interesting.
Re: [Full-disclosure] MS06-019 - How long before this develops into a self propagating email worm
On Thursday morning (local time in Finland) Symantec ThreatCon is at Level 2 ('Elevated') now:
http://www.symantec.com/avcenter/threatcon/learnabout.html
including details about the role of MS06-019.

- Juha-Matti

> All,
>
> I have read the Microsoft advisory and the alarm bells started to whistle ;) As far as I can read, this opens the door to fully self-propagating email worms with whatever payload you desire. Yet, sans.org, symantec and us-cert.gov still have their threat levels on 1. What am I missing, surely this supersedes the IE7 0-day action (sorry couldn't resist).
>
> Schanulleke