Re: [Full-disclosure] www.dia.mil
On 10/27/2008 8:03 PM, Gary E. Miller wrote:
> Yo All!
>
> On Mon, 27 Oct 2008, [EMAIL PROTECTED] wrote:
>> On Mon, 27 Oct 2008 21:07:46 +0400, Razi Shaban said:
>>> On Mon, Oct 27, 2008 at 7:59 PM, Bipin Gautam [EMAIL PROTECTED] wrote:
>>>> A picture is worth a thousand words. But what's so wrong about it?
>>> So what?
>> A US intelligence agency is basically betting the bank that statcounter.com, a company apparently based in Ireland, doesn't get pwned or subverted.
>
> And betting that the plain text from the DIA job applicants to statcounter.com is not sniffed by anyone along the way.
>
> If I was Russia I would love to have the home IP for everyone that has applied to the DIA for a job this year. A few small bribes would make that happen.
>
> RGDS
> GARY
> ---
> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701
> [EMAIL PROTECTED] Tel:+1(541)382-8588

Or maybe applying for the job without getting tracked by statcounter.com is the first part of the test.

- Jorrit

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] www.dia.mil
http://www.whitehouse.gov/omb/memoranda/m00-13.html

draw your own conclusions...

On Thu, Oct 30, 2008 at 11:18 AM, Jorrit Kronjee [EMAIL PROTECTED] wrote:
> On 10/27/2008 8:03 PM, Gary E. Miller wrote:
>> Yo All!
>>
>> On Mon, 27 Oct 2008, [EMAIL PROTECTED] wrote:
>>> On Mon, 27 Oct 2008 21:07:46 +0400, Razi Shaban said:
>>>> On Mon, Oct 27, 2008 at 7:59 PM, Bipin Gautam [EMAIL PROTECTED] wrote:
>>>>> A picture is worth a thousand words. But what's so wrong about it?
>>>> So what?
>>> A US intelligence agency is basically betting the bank that statcounter.com, a company apparently based in Ireland, doesn't get pwned or subverted.
>>
>> And betting that the plain text from the DIA job applicants to statcounter.com is not sniffed by anyone along the way.
>>
>> If I was Russia I would love to have the home IP for everyone that has applied to the DIA for a job this year. A few small bribes would make that happen.
>>
>> RGDS
>> GARY
>> ---
>> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701
>> [EMAIL PROTECTED] Tel:+1(541)382-8588
>
> Or maybe applying for the job without getting tracked by statcounter.com is the first part of the test.
>
> - Jorrit
Re: [Full-disclosure] www.dia.mil
Welcome to the web! 1 website = content retrieved from dozens/hundreds of sites. Much more than what the browser's address bar shows ;)

Think of ad banners, analytics JS (legit spyware), static content served from high-speed embedded httpds, etc ...

And yes, there are security implications to this design problem.

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: 27 October 2008 17:22
To: Razi Shaban [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] www.dia.mil

On Mon, 27 Oct 2008 21:07:46 +0400, Razi Shaban said:
> On Mon, Oct 27, 2008 at 7:59 PM, Bipin Gautam [EMAIL PROTECTED] wrote:
>> A picture is worth a thousand words. But what's so wrong about it? :P
> So what?

A US intelligence agency is basically betting the bank that statcounter.com, a company apparently based in Ireland, doesn't get pwned or subverted.

Does that give you warm-n-fuzzies?
Re: [Full-disclosure] www.dia.mil
And maybe, friends, you could explain to me what's so special about dia.mil? I would actually understand if the CIA central internal information system would use such trackers, but if it's a public web page, what's so special about it?

And ok, even if the information on visitors leaks, what's so interesting about visitor statistics for dia.mil? What makes those visitors or the URLs they request so special? Or maybe you suppose the CIA will hold sensitive materials on a public webserver? e.g. www.dia.mil/sometopsecretstuff... Well, I agree, you can find stupid things everywhere nowadays, but I surely hope that they don't do it.

I guess that visitor statistics for google.com are a thousand times more interesting than dia.mil. From my personal point of view dia.mil visitor statistics offer exactly the same interest as www.desperatehousewives.com visitor statistics. (intelligence guys, no offence :P)

Kindest regards,
---
Viktor Larionov
snr. system administrator
RD team
Salva Kindlustuse AS
Parnu mnt. 16
10141 Tallinn
ESTONIA
tel: (+372) 683 0636, (+372) 680 0500
fax: (+372) 680 0501
gsm: (+372) 5668 6811
[EMAIL PROTECTED]
MOTD: Dream Big. Think the impossible. If you can dream it - you can create it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adrian P.
Sent: Wednesday, October 29, 2008 12:02 PM
To: [EMAIL PROTECTED]; Razi Shaban
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] www.dia.mil

Welcome to the web! 1 website = content retrieved from dozens/hundreds of sites. Much more than what the browser's address bar shows ;)

Think of ad banners, analytics JS (legit spyware), static content served from high-speed embedded httpds, etc ...

And yes, there are security implications to this design problem.

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: 27 October 2008 17:22
To: Razi Shaban [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] www.dia.mil

On Mon, 27 Oct 2008 21:07:46 +0400, Razi Shaban said:
> On Mon, Oct 27, 2008 at 7:59 PM, Bipin Gautam [EMAIL PROTECTED] wrote:
>> A picture is worth a thousand words. But what's so wrong about it? :P
> So what?

A US intelligence agency is basically betting the bank that statcounter.com, a company apparently based in Ireland, doesn't get pwned or subverted.

Does that give you warm-n-fuzzies?
Re: [Full-disclosure] www.dia.mil
On Mon, Oct 27, 2008 at 7:59 PM, Bipin Gautam [EMAIL PROTECTED] wrote:
> A picture is worth a thousand words. But what's so wrong about it? :P

So what?
Re: [Full-disclosure] www.dia.mil
Yo All!

On Mon, Oct 27, 2008 at 7:59 PM, Bipin Gautam [EMAIL PROTECTED] wrote:
> A picture is worth a thousand words.

This should be hilarious, except it is so sad.

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701
[EMAIL PROTECTED] Tel:+1(541)382-8588
Re: [Full-disclosure] www.dia.mil
He's pointing out the wrong part. He's highlighted the link, which is of no importance.

Yes, they're including a remote javascript. Then again, tens if not hundreds of thousands of other websites include the very same script. If statcounter's servers aren't very secure, they would have already been compromised.

On the other hand, look at the voting machines the US gov't has contracted. They have a tendency to screw up with technology, making this one of their lesser problems (if you want to consider it a problem at all).

Just my $.02.

--
Razi Shaban
Re: [Full-disclosure] www.dia.mil
On Mon, 27 Oct 2008 21:33:19 +0400, Razi Shaban said:
> Yes, they're including a remote javascript. Then again, tens if not hundreds of thousands of other websites include the very same script. If statcounter's servers aren't very secure, they would have already been compromised.

One would *hope* that a major country's spook agencies kept themselves to a *slightly* higher security standard than Sixpack Joe's Website and Bait-n-Tackle Emporium. The risk/benefit analysis for the average .com and the average .spook are a bit different.

> On the other hand, look at the voting machines the US gov't has contracted. They have a tendency to screw up with technology, making this one of their lesser problems (if you want to consider it a problem at all).

A totally separate problem, but one that's not in DIA's jurisdiction.
Re: [Full-disclosure] www.dia.mil
I am more concerned about the IP addresses of people who visit a .mil website leaking to a third party/intelligence. If you have it, you could do some traffic analysis. Are some people visiting the website too often? Time of day? What are their IPs? What other websites/networks under your control do those IPs also visit? Do some linguistic analysis if you can, do browser fingerprinting.

Now, if you (a marked IP) visit any other website that uses statcounter.com, someone out there can know it is you again who visited the .mil website, now visiting a different domain. Such a web service can act like a honeypot that can passively identify the presence of an identity across different domains. Do some more personality profiling, what type of websites do they visit, etc. Try to build some correlation, say, using Paterva, Maltego to process the data. If you know someone who runs a botnet, are there any IPs from the list already infected... See if you can look around.

The point is, one with the resources can find such data valuable. The point is if/what value this information leak has to you.

thanks,
-bipin
--
http://groups.google.com/group/Intelligence-Studies
Re: [Full-disclosure] www.dia.mil
I don't know, u tell me?

> Message: 2
> Date: Mon, 27 Oct 2008 21:44:31 +0545
> From: Bipin Gautam [EMAIL PROTECTED]
> Subject: [Full-disclosure] www.dia.mil
> To: full-disclosure@lists.grok.org.uk
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=iso-8859-1
>
> A picture is worth a thousand words. But what's so wrong about it? :P
>
> -- next part --
> A non-text attachment was scrubbed...
> Name: dia.jpg
> Type: image/jpeg
> Size: 89903 bytes
> Desc: not available
> Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20081027/e3e3ed75/attachment.jpg

--
been great, thanks
Big R
Re: [Full-disclosure] www.dia.mil
On Mon, 27 Oct 2008 21:07:46 +0400, Razi Shaban said:
> On Mon, Oct 27, 2008 at 7:59 PM, Bipin Gautam [EMAIL PROTECTED] wrote:
>> A picture is worth a thousand words. But what's so wrong about it? :P
> So what?

A US intelligence agency is basically betting the bank that statcounter.com, a company apparently based in Ireland, doesn't get pwned or subverted.

Does that give you warm-n-fuzzies?
Re: [Full-disclosure] www.dia.mil
Yo All!

On Mon, 27 Oct 2008, [EMAIL PROTECTED] wrote:
> On Mon, 27 Oct 2008 21:07:46 +0400, Razi Shaban said:
>> On Mon, Oct 27, 2008 at 7:59 PM, Bipin Gautam [EMAIL PROTECTED] wrote:
>>> A picture is worth a thousand words. But what's so wrong about it?
>> So what?
> A US intelligence agency is basically betting the bank that statcounter.com, a company apparently based in Ireland, doesn't get pwned or subverted.

And betting that the plain text from the DIA job applicants to statcounter.com is not sniffed by anyone along the way.

If I was Russia I would love to have the home IP for everyone that has applied to the DIA for a job this year. A few small bribes would make that happen.

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701
[EMAIL PROTECTED] Tel:+1(541)382-8588
Re: [Full-disclosure] www.dia.mil
On 10/28/08, Gary E. Miller [EMAIL PROTECTED] wrote:
> A US intelligence agency is basically betting the bank that statcounter.com, a company apparently based in Ireland, doesn't get pwned or subverted.
>
> And betting that the plain text from the DIA job applicants to statcounter.com is not sniffed by anyone along the way.
>
> If I was Russia I would love to have the home IP for everyone that has applied to the DIA for a job this year. A few small bribes would make that happen.

And if http://www.statcounter.com/features/ is not actually a demo of what they already have for an agency, I bet my money they have a huge potential to be one. But aren't these old-school tricks already? How can security audits be so careless about such a shortcoming?

The good old Microsoft saying goes almost like this, i.e. if a third-party script is embedded in your website it's no longer your website (unless the third party is your big brother's website).

Once upon a time there was someone who used to blog software reviews, except he had clients who paid him, for he used to redirect software downloads from an IP list to a special spyware_infected_download.

-bipin
--
http://groups.google.com/group/Intelligence-Studies
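As an added example, not code from this thread or from any site it discusses: the point made by Adrian ("1 website = content retrieved from dozens of sites") and by Bipin's Microsoft saying is that every off-host include hands the visitor's IP and the requested page to that host, so a site owner's first check is to enumerate those hosts and decide which ones, if any, deserve to stay. The script below does that from a page's HTML with only the Python standard library and drafts a first-party-only Content-Security-Policy; the sample page, host names and function names are constructed for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Constructed sample page, not any real site's markup: first-party JS plus a
# remote counter script and tracking pixel of the kind the thread discusses.
SAMPLE_HTML = """<html><head>
<script src="http://counter.example/counter.js"></script>
</head><body>
<script src="/js/menu.js"></script>
<img src="http://counter.example/t.gif?u=/careers/apply" alt="">
</body></html>"""

# Tag -> (attribute holding the URL, CSP directive that governs that fetch)
FETCHERS = {"script": ("src", "script-src"), "img": ("src", "img-src"),
            "iframe": ("src", "frame-src")}

class IncludeCollector(HTMLParser):
    """Record (directive, absolute URL) for every element that loads a resource."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.includes = []

    def handle_starttag(self, tag, attrs):
        if tag in FETCHERS:
            attr, directive = FETCHERS[tag]
            url = dict(attrs).get(attr)
            if url:
                self.includes.append((directive, urljoin(self.base_url, url)))

def third_party_includes(html, base_url):
    """Map each off-host origin to the CSP directives its includes would need."""
    collector = IncludeCollector(base_url)
    collector.feed(html)
    own_host = urlsplit(base_url).netloc
    report = {}
    for directive, url in collector.includes:
        parts = urlsplit(url)
        if parts.netloc != own_host:  # every off-host fetch reveals visitor IP + page
            report.setdefault(f"{parts.scheme}://{parts.netloc}", set()).add(directive)
    return {origin: sorted(needs) for origin, needs in report.items()}

def draft_csp(report, approved=()):
    """First-party-only CSP; only explicitly approved external origins are re-added."""
    allowed = {}
    for origin in approved:
        for directive in report.get(origin, []):
            allowed.setdefault(directive, []).append(origin)
    return "; ".join(["default-src 'self'"] + [
        f"{d} 'self' " + " ".join(sorted(allowed[d])) for d in sorted(allowed)])
```

Run `third_party_includes(SAMPLE_HTML, "http://www.example.mil/careers/")` to see the counter host listed under both `script-src` and `img-src`; `draft_csp` of that report with no approved origins yields a policy under which the browser would never contact it.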