[Full-Disclosure] SuSE Security Announcement: lsh (SuSE-SA:2003:041)

2003-10-01 Thread Sebastian Krahmer
-BEGIN PGP SIGNED MESSAGE-

__

SuSE Security Announcement

Package:                lsh
Announcement-ID:        SuSE-SA:2003:041
Date:                   Wed Oct  1 10:24:45 CEST 2003
Affected products:      8.0, 8.1, 8.2
Vulnerability Type:     remote code execution
Severity (1-10):        5
SuSE default package:   yes
Cross References:       -

Content of this advisory:
1) security vulnerability resolved: Buffer overflow in lsh.
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- node
- proftp
- OpenSSL
3) standard appendix (further information)

__

1)  problem description, brief discussion, solution, upgrade information

LSH is the GNU implementation of SSH and can be seen as an alternative
to OpenSSH.
  Recently various remotely exploitable buffer overflows have been
reported in LSH. These allow attackers to execute arbitrary code as root
on unpatched systems.
  LSH is not installed by default on SuSE Linux. An update is therefore
only recommended if you run LSH.
Maintained SuSE products are not affected by this bug as LSH is not
packaged on maintained products such as the Enterprise Server.

For the updates to take effect execute the following command as root:

  /usr/sbin/rclshd restart

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command rpm -Fhv file.rpm to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.

i386 Intel Platform:
SuSE-8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/lsh-1.5-114.i586.rpm
  798f52402cda6c7e1733aed15bf0d9cb
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/lsh-1.5-114.i586.patch.rpm
  9308cdb133d2311a9dc4a10bbf613501
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/lsh-1.5-114.src.rpm
  1e1b5beac002cf51d1eea0277934a69d

SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/lsh-1.4.2-73.i586.rpm
  b5ff8ba104623fe9a77705154aad92f7
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/lsh-1.4.2-73.i586.patch.rpm
  6341acd3fe513921b7123d7c1d98cc43
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/lsh-1.4.2-73.src.rpm
  0a2b95e911f8760009ad0d5b2fd7618e

SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec3/lsh-1.3.5-188.i386.rpm
  bccfd85985bab8a324b25c1b2443bf2b
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec3/lsh-1.3.5-188.i386.patch.rpm
  8a232720cb0a4b35d0899e9c6a4e80ae
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/lsh-1.3.5-188.src.rpm
  8e3e30b134b12400559152bb5c53d0f8

__

2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

- node
A format string vulnerability has been fixed in the new node packages
available on our ftp servers. An update is recommended if you use this
package.

- proftp
An off-by-one buffer overflow has been fixed in the proftp packages for
SuSE Linux 7.2 and 7.3. Note that the bug that was fixed is different from
the 'ASCII File Transfer Buffer Overrun Vulnerability' (CAN-2003-0831). 
The proftp packages shipped by SuSE are not affected by CAN-2003-0831.

- OpenSSL
Critical bugs within the ASN.1 parsing routines have been reported recently.
We are currently building new packages and will notify you in a separate
advisory when the packages are available. 

__

3)  standard appendix: authenticity verification, additional information

  - Package authenticity verification:

SuSE update packages are available on many mirror ftp servers all over 
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be 
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used 
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.

1) execute the command 
md5sum 
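
The verification procedure above, as an added example that is not part of the announcement: a Python script that reads URL/MD5 pairs in the format SuSE prints them, hashes the downloaded files and reports which ones match. The file contents and the sum used in demo() are constructed; the URLs are the lsh ones from this advisory.

```python
"""Check downloaded SuSE update packages against the MD5 sums printed in the
PGP-signed announcement (verification method 1 of section 3 above).
Example added to this digest; it is not SuSE's own tooling."""
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterator, Tuple

# The announcement prints each package as a URL line followed by an indented
# line holding its 32-hex-digit MD5 sum (see the "i386 Intel Platform" listing).
_URL_RE = re.compile(r"^\s*((?:ftp|https?)://\S+)\s*$")
_MD5_RE = re.compile(r"^\s*([0-9a-f]{32})\s*$")


def parse_listing(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (filename, md5) pairs from an announcement's package listing.

    A sum is accepted only when it directly follows a URL line, so headings
    such as "patch rpm(s):" and stray hex strings are ignored."""
    pending_url = None
    for line in text.splitlines():
        m = _URL_RE.match(line)
        if m:
            pending_url = m.group(1)
            continue
        m = _MD5_RE.match(line)
        if m and pending_url:
            yield pending_url.rsplit("/", 1)[1], m.group(1)
        pending_url = None


def md5_of_file(path: str) -> str:
    """The digest md5sum(1) prints, read in chunks so large rpms are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(listing: str, download_dir: str) -> Dict[str, str]:
    """Return {filename: "OK" | "MISMATCH" | "MISSING"} for every listed package.

    The listing must come from the signed announcement after its signature has
    been checked; an unsigned copy says nothing about which sums are right.
    Method 2 (the rpm's internal gpg signature) is a separate step:
    rpm --checksig <file>.rpm with the SuSE key imported."""
    results: Dict[str, str] = {}
    for name, expected in parse_listing(listing):
        path = os.path.join(download_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif md5_of_file(path) == expected:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo() -> Dict[str, str]:
    """Stand-alone run on constructed data: one intact file, one altered file and
    one never downloaded, checked against a listing that reuses the lsh URLs
    from SuSE-SA:2003:041 with a constructed sum in place of the real ones."""
    d = tempfile.mkdtemp()
    body = b"constructed stand-in for an rpm payload"
    with open(os.path.join(d, "lsh-1.5-114.i586.rpm"), "wb") as f:
        f.write(body)
    with open(os.path.join(d, "lsh-1.5-114.i586.patch.rpm"), "wb") as f:
        f.write(body + b"\x00")  # one extra byte: a tampered or corrupt download
    announced = hashlib.md5(body).hexdigest()
    listing = (
        "SuSE-8.2:\n"
        "ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/lsh-1.5-114.i586.rpm\n"
        f"  {announced}\n"
        "patch rpm(s):\n"
        "ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/lsh-1.5-114.i586.patch.rpm\n"
        f"  {announced}\n"
        "source rpm(s):\n"
        "ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/lsh-1.5-114.src.rpm\n"
        f"  {announced}\n"
    )
    return verify_downloads(listing, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8s} {name}")
```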

[Full-Disclosure] Security presentation from OracleWorld

2003-10-01 Thread Aaron C. Newman \(Application Security, Inc.\)
I've posted a presentation I gave at OracleWorld last month. This
presentation covers writing secure code in Oracle databases and Oracle
Application Server. The topics covered include:

Managing state
Query parameters
Hidden fields
Cookies
Cross-site scripting
SQL Injection
PL/SQL Injection
Buffer overflows in EXTPROC
Resources

You can download the presentation at
http://www.appsecinc.com/techdocs/presentations.html under the heading
Writing Secure Code in Oracle Presentation.

I welcome comments and criticisms.

Regards,
Aaron
___
Aaron C. Newman
CTO/Founder
Application Security, Inc.
www.appsecinc.com
Phone: 212-420-9270
Fax: 212-420-9680
- Securing Business by Securing Enterprise Applications -


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] SuSE Security Announcement: mysql (SuSE-SA:2003:042)

2003-10-01 Thread Sebastian Krahmer
-BEGIN PGP SIGNED MESSAGE-

__

SuSE Security Announcement

Package:                mysql
Announcement-ID:        SuSE-SA:2003:042
Date:                   Wed Oct  1 12:12:38 CEST 2003
Affected products:      7.2, 7.3, 8.0, 8.1, 8.2
                        SuSE Linux Connectivity Server
                        SuSE Linux Enterprise Server 7, 8
                        SuSE Linux Office Server
                        UnitedLinux 1.0
Vulnerability Type:     remote code execution
Severity (1-10):        5
SuSE default package:   no
Cross References:       -

Content of this advisory:
1) security vulnerability resolved: Buffer overflow in mysql.
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- OpenSSL
3) standard appendix (further information)

__

1)  problem description, brief discussion, solution, upgrade information

A remotely exploitable buffer overflow within the authentication code
of MySQL has been reported. This allows remote attackers who have
access to the 'User' table to execute arbitrary commands as the mysql user.
  The list of affected packages is as follows:
mysql, mysql-client, mysql-shared, mysql-bench, mysql-devel, mysql-Max.
In this advisory the MD5 sums for the mysql, mysql-shared and mysql-devel
packages are listed.

To be sure the update takes effect you have to restart the MySQL server
by executing the following command as root:

/usr/sbin/rcmysql restart

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command rpm -Fhv file.rpm to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.

i386 Intel Platform:

SuSE-8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mysql-3.23.55-22.i586.rpm
  41e8d3781aeedd2e48837293d261f9e2

ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mysql-shared-3.23.55-22.i586.rpm
  b75bdea7f484305c62415cd7412151af

ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mysql-devel-3.23.55-22.i586.rpm
  264920dc6e1def4e26253cc3d82f2fc7
patch rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mysql-3.23.55-22.i586.patch.rpm
  82bac86826eb08ccf8c3204a792e0df1

ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mysql-shared-3.23.55-22.i586.patch.rpm
  ea14dd33b2e390009513209e71229cd3

ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mysql-devel-3.23.55-22.i586.patch.rpm
  b8e64deab45bdd05657a5447b4e279eb
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/mysql-3.23.55-22.src.rpm
  fd33faf5fe7efc9f9c5871db37ea88b4

SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mysql-3.23.52-106.i586.rpm
  e7488a05d07282bbd8317f834c24f0d4

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mysql-shared-3.23.52-106.i586.rpm
  e6db8d49932368487a334d803572ed4e

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mysql-devel-3.23.52-106.i586.rpm
  9c6c4ab2b8a461ca391a2453d05d9b71
patch rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mysql-3.23.52-106.i586.patch.rpm
  37960d363c09a1123c25b11d6a753968

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mysql-shared-3.23.52-106.i586.patch.rpm
  77d66503d21447bd1dd8339463c7b25b

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mysql-devel-3.23.52-106.i586.patch.rpm
  c747e07c307e9619cf04a3e2c8cc369f
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/mysql-3.23.52-106.src.rpm
  952c96bc22740b252e151c27537e5c1b

SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/ap2/mysql-3.23.48-81.i386.rpm
  7126396c99deb931dda869fdc8e5e6ef
ftp://ftp.suse.com/pub/suse/i386/update/8.0/ap2/mysql-shared-3.23.48-81.i386.rpm
  6cfa50d58f7b23201f2056d6097c4161
ftp://ftp.suse.com/pub/suse/i386/update/8.0/ap3/mysql-devel-3.23.48-81.i386.rpm
  23d978a491c8a0a0035142276ae9c806
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/ap2/mysql-3.23.48-81.i386.patch.rpm
  49833c754e880fba15e579ad32d6861c

ftp://ftp.suse.com/pub/suse/i386/update/8.0/ap2/mysql-shared-3.23.48-81.i386.patch.rpm
  3eba782210bf2e3a714616571bea0066

ftp://ftp.suse.com/pub/suse/i386/update/8.0/ap3/mysql-devel-3.23.48-81.i386.patch.rpm
  9d6d58e8da20ea06bfd3207c44925190
source rpm(s):

Re: [Full-Disclosure] Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly)

2003-10-01 Thread George Capehart
Michael Scheidell wrote:

cynical grin  Would that that would really help.  I guess maybe in the 
long run it might, but I'm not holding my breath.  There's still the 
small matter of connecting cause with effect and then implementing a 
program that will function appropriately at all levels of the 


Just did a presentation to a bunch of AeA CFO's (AeA is American
Electronics Association) where the first slide I gave them a piece of
paper that has to go with their 10K reports and said:
Ok, as the CFO of a public company, would you sign this:
(a bunch of legal gook I got from our SEC lawyer).
Went through a high(board level) presentation with lots of pretty color
pictures, talked about jail time and fines and informed them that the
CFO is the one who will sign it.. 
then when done, said 'ok, NOW who will sign this.  You KNOW for a FACT
that your IT department has taken care of this, right? you don't need an
outside/third party audit to make sure the IT or internal security guys
did their job, right?

 NO ONE. wanted to sign it then.
Heh.  That's great.  Wish I could have been there to see that.  Sounds 
like you really got their attention.  But this brings me back to the 
original concern:  It's one thing to realize that you have a problem. 
It's something else to fix it.  And my experience has been that the 
people who have the problem don't have a clue how to fix it.  Clueful 
organizations have a strong Information Security/Assurance *program* in 
place.  CFOs of those organizations *will* sign the document because 
there *is* a formal risk management process in place which includes some 
kind of certification and accreditation process.  They are *very* likely 
to be the approving authority on some of the systems.  They are also 
part of the governance process.  If there is no Information Security / 
Assurance *program*, there is a huge problem.  This is the one I 
continue to encounter:  When an external audit/assessment shows many 
deficiencies, the response of the clueless organization is to: a) (try 
to) patch the holes, and b) maybe offer up a sacrificial lamb.  However, 
the _root_cause_ of the existence of the problems in the first place is 
the absence of a real program.  In the absence of a program, even if the 
holes are patched, within a year they will return or be replaced by 
others.  So the *real* solution to the problem is to patch the holes 
*and* the organization . . . by implementing an effective program.  One 
would hope that, having had their attention focused on the existence of 
symptoms, the CFOs will conclude that their organization is sick.  Some 
will.  Some won't.  Of those that will, how many will know what the 
cure is, or how to go about getting it?  *This* has been my 
frustration:  having enough time with the right people to educate them 
on what the options are and what the solution is . . .

Cheers,

George Capehart
--
George W. Capehart
We did a risk management review.  We concluded that there was no risk
 of any management.  -- Dilbert




[Full-Disclosure] [SECURITY] [DSA-393-1] New OpenSSL packages correct denial of service issues

2003-10-01 Thread debian-security-announce
-BEGIN PGP SIGNED MESSAGE-

--------------------------------------------------------------------------
Debian Security Advisory DSA 393-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Michael Stone
October 1, 2003                         http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: openssl
Vulnerability  : denial of service
Problem-Type   : remote
Debian-specific: no
CVE Ids: CAN-2003-0543 CAN-2003-0544

Dr. Stephen Henson ([EMAIL PROTECTED]), using a test suite provided by
NISCC (www.niscc.gov.uk), discovered a number of errors in the OpenSSL
ASN1 code.  Combined with an error that causes the OpenSSL code to parse
client certificates even when it should not, these errors can cause a
denial of service (DoS) condition on a system using the OpenSSL code, 
depending on how that code is used. For example, even though apache-ssl
and ssh link to OpenSSL libraries, they should not be affected by this
vulnerability. However, other SSL-enabled applications may be
vulnerable and an OpenSSL upgrade is recommended.

For the current stable distribution (woody) these problems have been
fixed in version 0.9.6c-2.woody.4

For the unstable distribution (sid) these problems have been fixed in
version 0.9.7c-1

We recommend that you update your openssl package. Note that you will
need to restart services which use the libssl library for this update
to take effect.

Upgrade Instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
--------------------------------

  Source archives:

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4.dsc
  Size/MD5 checksum:  675 76da6f792eccfa0e219a0bb42296546f
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
  Size/MD5 checksum:  2153980 c8261d93317635d56df55650c6aeb3dc

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4.diff.gz
  Size/MD5 checksum:    44514 c07ae1f584c7a8bc4d0a821b8e6801ab

  Architecture independent packages:


http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-2.woody.4_all.deb
  Size/MD5 checksum:  970 734c96f61a7d7032584ce001811d99ce

  Alpha architecture:


http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_alpha.deb
  Size/MD5 checksum:  1551438 add644f20298bb07dd2368f6139e03bd

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_alpha.deb
  Size/MD5 checksum:   571194 17117f28911fee940def4cc5a5168ebf

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_alpha.deb
  Size/MD5 checksum:   736296 f571a65a29ea963e9f82b4a70cc61bbc

  ARM architecture:


http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_arm.deb
  Size/MD5 checksum:   474030 c34ae889a0b0b05d16ab071069886ee8

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_arm.deb
  Size/MD5 checksum:  1357972 7b5efab549fcace562b1df40f58eb434

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_arm.deb
  Size/MD5 checksum:   729736 bea9047ba98358b5d843ec5502c08d14

  HP Precision architecture:


http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_hppa.deb
  Size/MD5 checksum:  1435088 64ec697612a1a8bb7ec02a8dfe0f082a

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_hppa.deb
  Size/MD5 checksum:   564870 7c9f44efb6fbf092a4c6285438f4218f

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_hppa.deb
  Size/MD5 checksum:   741856 c593ae8279de436da67de14a147b991c

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_i386.deb
  Size/MD5 checksum:   461714 9c291cab723133eb1c7c2309540dd9e2

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_i386.deb
  Size/MD5 checksum:   721748 654531d126d43611b236964e691b67e2

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_i386.deb
  Size/MD5 checksum:  1289866 0b05581c2d1c03f72644737aa7c37fe9

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_ia64.deb
  Size/MD5 checksum:   763482 0292998feaac6ea041d2d044305b7715
  

[Full-Disclosure] [TURBOLINUX SECURITY INFO] 01/Oct/2003

2003-10-01 Thread Turbolinux
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

This is an announcement only email list for the x86 architecture.

Turbolinux Security Announcement 01/Oct/2003


The following page contains the security information of Turbolinux Inc.

 - Turbolinux Security Center
   http://www.turbolinux.com/security/

 (1) openssl - DoS vulnerability in openssl


===
* openssl - DoS vulnerability in openssl
===

 More information :
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and Open Source toolkit implementing the
Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols as well as a full-strength general purpose cryptography library.
Unusual ASN.1 tag values can cause an out of bounds read under certain
circumstances, resulting in a denial of service vulnerability.

 Impact :
The vulnerability allows an attacker to cause a denial of service of openssl.

 Affected Products :
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
- Turbolinux Server 6.5
- Turbolinux Advanced Server 6
- Turbolinux Server 6.1
- Turbolinux Workstation 6.0


 Solution :
Please use the turbopkg (zabom) tool to apply the update.
 -
 # turbopkg
 or
 # zabom update openssl openssl-devel
 -


 Turbolinux 8 Server

   Source Packages
   Size : MD5

   
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/openssl-0.9.6k-2.src.rpm
  2263218 7c7271e7263b1fc39847f5dd097dfac8

   Binary Packages
   Size : MD5

   
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/openssl-0.9.6k-2.i586.rpm
  1366934 0f92e0d644d5ee1e44b31bcf531e1d8c
   
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/openssl-devel-0.9.6k-2.i586.rpm
  1156710 584a99ceae84e0f457326b2fee6e06f1

 Turbolinux 8 Workstation

   Source Packages
   Size : MD5

   
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/openssl-0.9.6k-2.src.rpm
  2263218 7f36441af28ed717ba65176c7b66680e

   Binary Packages
   Size : MD5

   
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/openssl-0.9.6k-2.i586.rpm
  1367811 6526ca70ae9d6593e8be87bc193089d7
   
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/openssl-devel-0.9.6k-2.i586.rpm
  1156964 30f36c1d28481a8243ff38308efc7b1e

 Turbolinux 7 Server

   Source Packages
   Size : MD5

   
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/openssl-0.9.6k-2.src.rpm
  2263218 834875cad5d1b9e7bbf316470728f97b

   Binary Packages
   Size : MD5

   
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/openssl-0.9.6k-2.i586.rpm
  1335850 57efa60311c81b5af0f3721e08bf05ef
   
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/openssl-devel-0.9.6k-2.i586.rpm
  1138724 b7a90942f1e81066443d94e921476f21

 Turbolinux 7 Workstation

   Source Packages
   Size : MD5

   
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/openssl-0.9.6k-2.src.rpm
  2263218 4df3af6b3df204ff0fae655646cec9ae

   Binary Packages
   Size : MD5

   
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/openssl-0.9.6k-2.i586.rpm
  1335646 e76c5ddc5ff49b3ffeaf704179bb1cf1
   
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/openssl-devel-0.9.6k-2.i586.rpm
  1139634 702820b81eface29fdc6e7a8092674bc

 Turbolinux Server 6.5

   Source Packages
   Size : MD5

   
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/SRPMS/openssl-0.9.6k-2.src.rpm
  2263218 5f069ba70311d673515b6cc572748e3b

   Binary Packages
   Size : MD5

   
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/openssl-0.9.6k-2.i386.rpm
  1466551 612a0925a8b7e276fb4ee2e867f86f61
   
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/openssl-devel-0.9.6k-2.i386.rpm
  1273363 d466f3b0414335a8fde5243e714fc26b

 Turbolinux Advanced Server 6

   Source Packages
   Size : MD5

   
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/SRPMS/openssl-0.9.6k-2.src.rpm
  2263218 1ffa548a309f2da23f917e0d103d55e3

   Binary Packages
   Size : MD5

   
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/openssl-0.9.6k-2.i386.rpm
  1466406 96f2960852682c5e42d14ac7d30d2647
   

Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly

2003-10-01 Thread Cael Abal
Yeah you know, that has always been my theory as to why,
in Star Trek (and others), the control panels on starship
bridges sometimes explode with sparks and smoke for no better reason
than that some component on the outer hull got shot up by the
Klingons (or whoever); it's an important feedback
mechanism ensuring that the operator knows that something
is very seriously wrong.
Now if only desktop PCs had such a system...
Hi Steve,

You know, now that you mention it that makes perfect sense.

Although, keep in mind we're talking about MS machines here -- these 
machines will need to be capable of emitting a shower of sparks and 
smoke virtually non-stop.

Hmm.  Actually, I think it might be fun to construct a spring-loaded 
BANG! type flag, triggered every time Dr. Watson or the current 
equivalent is executed.

take care,

C



[Full-Disclosure] Security Vulnerabilities - Week 39, 2003

2003-10-01 Thread Sintelli
A summary of all vulnerabilities published in Week 39, 2003 are
available at:

http://www.sintelli.com/sinweek/week39-2003.pdf

Regards
Sintelli 
www.sintelli.com



RE: [Full-Disclosure] Re: Prudent default security

2003-10-01 Thread Michael Smith
Steve, it would be a very boring mailing list if only the people who know
everything (Paul, apparently) posted to it.

I'm expecting that bulk admin tools for windows systems will mature greatly
over the next year or so.  Hopefully MS will continue to work on the path
they have set rather than reinventing the wheel and making all current
system and network administration policies and tools obsolete.

Sigh, you are right.
On the one hand, as a Linux geek from way back,
I have a small sense of pride in my lack of MS knowledge.
But I use MS; XP is a great desktop, Outlook is a great
mail client (I also use a Linux desktop and kmail is a great
mail client).

So, on the other hand, I know that there are a lot of
*nix people out there who endlessly bash MS without
any knowledge of that which they curse. I don't want to
be one of those.

When the ignorant ask honest questions, don't
get abusive, just answer them... Please?




[Full-Disclosure] NINCOMPOOPERY OF MICROSOFT

2003-10-01 Thread dhtml
"Hackers are criminals." Most, he notes, release their malicious code
after patches for Microsoft software have been released, meaning that
they are simply reverse engineering to exploit security weaknesses or
holes in software. - Microsoft CEO Steve Ballmer

'ninkum`poop [n]  a stupid foolish person See Also: simple, simpleton


Microsoft has claimed that the majority of the security bugs reported
by the company's software users have been traced back to the code provided
by the third party software vendors.

"Almost 90 per cent of the problems, that are reported by the users as
part of our automated feedback system, come from the code that is not
provided by Microsoft." - Chief Technology Officer Craig Mundie

http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=15200897

http://www.financialexpress.com/fe_full_story.php?content_id=43039





BG






RE: [Full-Disclosure] Re: Prudent default security

2003-10-01 Thread Michael Smith

 I'm expecting that bulk admin tools for windows systems will mature
greatly
 over the next year or so.  Hopefully MS will continue to work on the path
 they have set rather than reinventing the wheel and making all current
 system and network administration policies and tools obsolete.

Remember - MS is a *corporation*.  They have *no* reason to change path,
unless by doing so they improve *their* bottom line. If they can crush a
competitor and spur sales with a new improved product that changes course,
they will.

People keep acting like MS has some moral or ethical obligation to their
customers.  They don't.  That's why they engage in behavior that outsiders
find revolting - because said behavior is good for the bottom line.

And the only way to change it is to make the behavior bad for the bottom
line (either in lost sales when a shop goes Linux, or damages in a
lawsuit, whatever...)

I agree wholeheartedly, MS has no moral or ethical obligation to their
customers (and shouldn't, other than to try to fix flaws in software they
have sold).  I was only pointing out that the upgrade path that has evolved
through their OSes has made it difficult to maintain or improve
administration tools (as a SysAdmin).  The tools I developed in the early
90s to help me administer a WFWG/DOS network differed from the ones I used
in 95-00 to administer a Win9x network differed from the ones I use now to
admin a W2k/XP network...  while most of the tools I've used to admin the
unix side of those networks are very similar if not the same.

I have absolutely NO problem with MS being engaged in the bottom line.  I am
one of the few here (maybe the only one) who doesn't have a major problem
with @stake letting Dan Geer go...  The bottom line is that if he was
hurting their business by slamming one of their clients, even if he was
correct (which he was), they *should* have let him go.  People seem to
forget that companies exist to make money.  If I had an employee who was
working against MY best interests, you can bet he wouldn't last very long.

I think that companies have an obligation to act ethically, but I also
believe that employees have the same obligations, and they should 'ride for
the brand' as it were.

~mike



Re: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Mo nopoly

2003-10-01 Thread Jim Lane
Maybe it takes an old mainframer to point this out but it depends on what 
kind of functional unit you're talking about. I remember the days when, from 
the users point of view, the computer was a dumb terminal and all the 
intelligence (and security risk) was safely off in a locked room somewhere. We 
still had security problems back then but they were a lot easier to deal with. 
Yet another case where Bill Bates and his like have a lot to answer for. 
Remind me again why client/server was supposed to have been a good idea? Sigh.
-- 
Jim Lane                  Question authority:
Sysadmin, CSLab           Amateurs built the Ark,
[EMAIL PROTECTED]         Professionals built the Titanic
 
 I think the point is that most people expect their cars to be operational
 and do NOT do the maintenance themselves... they DO outsource it to a
 mechanic.  The average user has A LOT less control over their car than their
 computer.  A car is basically a single function unit, point A to point B.
 Computers never have been nor ever will be that one dimensional.  At the
 most, I think we could hope for users who learn to know better than to try
 to do the 'maintenance' on their computers themselves.
 
 




[Full-Disclosure] SuSE Security Announcement: openssl (SuSE-SA:2003:043)

2003-10-01 Thread Thomas Biege
-BEGIN PGP SIGNED MESSAGE-

__

SuSE Security Announcement

Package:                openssl
Announcement-ID:        SuSE-SA:2003:043
Date:                   Wednesday, Oct 1st 2003 16:12 MET
Affected products:      7.2, 7.3, 8.0, 8.1, 8.2, 9.0
                        SuSE Linux Database Server,
                        SuSE eMail Server III, 3.1
                        SuSE Linux Enterprise Server 7/8,
                        SuSE Linux Firewall on CD/Admin host
                        SuSE Linux Connectivity Server
                        SuSE Linux Office Server
Vulnerability Type:     remote denial-of-service
Severity (1-10):        5
SuSE default package:   yes
Cross References:       CAN-2003-0543
                        CAN-2003-0544
                        CAN-2003-0545

Content of this advisory:
1) security vulnerability resolved:
- problems with ASN.1 encoding
- accepting client certificates even if disabled
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- whois
- gdm2
- postgresql
3) standard appendix (further information)

__

1)  problem description, brief discussion, solution, upgrade information

OpenSSL is an implementation of the Secure Socket Layer (SSL v2/3)
and Transport Layer Security (TLS v1) protocols.
While checking the openssl implementation with a tool-kit from NISCC,
several errors were revealed; most are ASN.1 encoding issues that
cause a remote denial-of-service attack on the server side and
possibly lead to remote command execution.

There are two problems with ASN.1 encoding that can be triggered either
by special ASN.1 encodings or by special ASN.1 tags.

In debugging mode public key decoding errors can be ignored but
also lead to a crash of the verify code if an invalid public key
was received from the client.

A mistake in the SSL/TLS protocol handling will make the server accept
client certificates even if they are not requested. This bug makes
it possible to exploit the bugs mentioned above even if client
authentication is disabled.

There is no other solution known to this problem than updating to the
current version from our FTP servers.

To make this update effective, please restart all servers using openssl.

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command rpm -Fhv file.rpm to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.

Please note that this update includes openssl, openssl-devel and
openssl-doc.

RE: [Full-Disclosure] Re: [ISN] Technology Firm With Ties to Microsoft Fires Executive Over Criticism

2003-10-01 Thread Clifford, Shawn A
It's posted in the Columns section:
http://mcpmag.com/columns/article.asp?EditorialsID=610

-- Shawn

 -Original Message-
 From: Paul Robichaux [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, September 30, 2003 2:41 PM
 To: InfoSec News; [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: [Full-Disclosure] Re: [ISN] Technology Firm With Ties to
 Microsoft Fires Executive Over Criticism
 
 
 I erred in saying that Geer represented himself, or the report, as speaking
 for @stake.
 
 There's a lot more that I'm tempted to say, but I think Roberta Bragg said
 it better in her column yesterday. Rather than muddle her arguments, I refer
 interested readers to http://mcpmag.com/security; the column's not posted
 there yet but should be shortly.
 
 Cheers,
 -Paul

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Cross-site Scripting Vulnerability in Atrise EveryFind

2003-10-01 Thread Sintelli
Ezhilan of Sintelli has identified a Cross-Site Scripting Vulnerability
in Atrise EveryFind 5.0.2.

Details of the vulnerability are provided here: 
http://www.sintelli.com/adv/sa-2003-01-everyfind.pdf

Users are advised to upgrade to EveryFind 5.0.3 
http://www.atrise.com/everyfind/version.html

Regards
Sintelli
www.sintelli.com

Week 39, 2003 Security Vulnerabilities
http://www.sintelli.com/sinweek/week39-2003.pdf

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] [SECURITY] [DSA-393-1] New OpenSSL packages correct denial of service issues

2003-10-01 Thread Carl Belanger
FYI


 -----BEGIN PGP SIGNED MESSAGE-----

 -
 --
 Debian Security Advisory DSA 393-1
 [EMAIL PROTECTED] http://www.debian.org/security/
 Michael Stone October 1, 2003
 http://www.debian.org/security/faq -
 --

 Package: openssl
 Vulnerability  : denial of service
 Problem-Type   : remote
 Debian-specific: no
 CVE Ids: CAN-2003-0543 CAN-2003-0544

 Dr. Stephen Henson ([EMAIL PROTECTED]), using a test suite provided by
 NISCC (www.niscc.gov.uk), discovered a number of errors in the OpenSSL
 ASN1 code.  Combined with an error that causes the OpenSSL code to parse
 client certificates even when it should not, these errors can cause a
 denial of service (DoS) condition on a system using the OpenSSL code,
 depending on how that code is used. For example, even though apache-ssl
 and ssh link to OpenSSL libraries, they should not be affected by this
 vulnerability. However, other SSL-enabled applications may be
 vulnerable and an OpenSSL upgrade is recommended.

 For the current stable distribution (woody) these problems have been
 fixed in version 0.9.6c-2.woody.4

 For the unstable distribution (sid) these problems have been fixed in
 version 0.9.7c-1

 We recommend that you update your openssl package. Note that you will
 need to restart services which use the libssl library for this update to
 take effect.

 Upgrade Instructions
 - 

 wget url
 will fetch the file for you
 dpkg -i file.deb
 will install the referenced file.

 If you are using the apt-get package manager, use the line for
 sources.list as given below:

 apt-get update
 will update the internal database
 apt-get upgrade
 will install corrected packages

 You may use an automated update by adding the resources from the
 footer to the proper configuration.

Re: [Full-Disclosure] Mystery DNS Changes

2003-10-01 Thread Gary Flynn


Hansen, Kevin wrote:

We have seen multiple instances where DHCP enabled workstations have had
their DNS reconfigured to point to two of the three addresses listed below.
Can anyone else confirm this? Incidents.org is reporting an increase in port
53 traffic over the last two days. Are we looking at the precursor to the
next worm?
This is currently being discussed on NTBUGTRAQ too.

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Mystery DNS Changes

2003-10-01 Thread Hansen, Kevin

We have seen multiple instances where DHCP enabled workstations have had their DNS reconfigured to point to two of the three addresses listed below. Can anyone else confirm this? Incidents.org is reporting an increase in port 53 traffic over the last two days. Are we looking at the precursor to the next worm?

216.127.92.38
69.57.146.14
69.57.147.175


-KJH



++
Kevin J. Hansen
Architect
Global Network
Thomson Legal  Regulatory
[EMAIL PROTECTED]
651-687-8466
++






Re: [Full-Disclosure] Re: [ISN] Technology Firm With Ties to Microsoft Fires Executive Over Criticism

2003-10-01 Thread Jason Coombs
Paul Robichaux wrote:
I erred ...
but I think Roberta Bragg said ...
http://mcpmag.com/security
It was very good of you to acknowledge, Paul, that your response was in 
error. Mistakes happen... I personally make several per day. Often in 
writing. One's goal, if one cares about security, must be to understand 
the source of behaviors, biases, preconceived notions, 
misunderstandings, etc. that one exhibits in connection with mistakes, 
even if a given symptom has only been observed once, and trace those 
flaws to their root cause -- then reprogram.

Roberta Bragg makes a sincere attempt to respond to the report, but she 
does so with emotion rather than critical thinking and an open mind. 
Roberta is currently unwilling to accept, emotionally, that she is 
personally supporting a malicious entity that is still engaged in unfair 
and unreasonable attacks against good people. This is a normal response 
that people go through (denial) when they are struggling to come to 
terms with having enabled (co-dependency) a substance abuser. The 
thinking is something like this:

Microsoft can't be evil because if they are then what does that make me?

To add context, my professional background includes almost being 
published by Microsoft Press recently in the security area... Until 
Microsoft saw that the security advice being offered by my book told too 
much of the truth, and much of it just wasn't compatible with corporate 
monopolistic self-interest.

Here is my response to her article. Since you appear to be an ally of 
hers, perhaps you'll forward my comments to her personally.

10/1/2003:  Jason Coombs  says:

Roberta has been so badly compromised by her own bias that she isn't 
aware that she completely missed the point of the report. The Microsoft 
monopoly is causing severe harm, and its potential for new specific harm 
increases (force multiplication) as the monopoly grows.

A necessary step in the process of information security is selecting 
software that is designed with open, provable security features -- until 
Microsoft changes its abusive, monopolistic behaviors (which come from 
the top of the company) it will never build a trustworthy product.

Roberta chooses to trust Microsoft because she is underinformed. Perhaps 
she has smelled the truth and opted for a financially-comfortable 
condition of denial where she can help further Microsoft's cause while 
looking the other way when Microsoft commits terrible offenses. This way 
the stink doesn't create a denial of service condition for her personal 
bank account balance.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] NINCOMPOOPERY OF MICROSOFT

2003-10-01 Thread Brent Colflesh
IANAL, but the typical way it works in the US is that wealthy defendants are
found guilty, possibly suffer some consequence, and that's the end of it.
Poor defendants are found guilty and are labelled criminals for the rest of
their lives.

Regards,
Brent

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Georgi
Guninski
Sent: Wednesday, October 01, 2003 3:07 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] NINCOMPOOPERY OF MICROSOFT


 This user Bullmur should be careful with the word criminal.

Question to the lawyers on the list:
It is my understanding that criminal is someone who breaks the law.
microsoft seem to have been found guilty by a court in the antitrust trial,
so they seem to have broken the law.

Are microsoft criminals from legal point of view?

Or does justice work this way: if you deface a website, you are a criminal,
but if you screw most of the internet you are a hero?

georgi



On Wed,  1 Oct 2003 07:54:12 -0700
[EMAIL PROTECTED] wrote:

 Hackers are criminals Most, he notes, release their malicious code
 after patches for Microsoft software have been released, meaning that
 they are simply reverse engineering to exploit security weaknesses or
 holes in software. - Microsoft CEO Steve Ballmer

 'ninkum`poop [n]  a stupid foolish person See Also: simple, simpleton



___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] NINCOMPOOPERY OF MICROSOFT

2003-10-01 Thread Joel R. Helgeson
Well, it goes like this:
If you kill 1 man, you're a murderer
Kill 20, and you're a mass-murdering maniac.
Kill 6 million, and you're a revolutionary.

- Original Message - 
From: Georgi Guninski [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 01, 2003 2:06 PM
Subject: Re: [Full-Disclosure] NINCOMPOOPERY OF MICROSOFT


 This user Bullmur should be careful with the word criminal.

 Question to the lawyers on the list:
 It is my understanding that criminal is someone who breaks the law.
 microsoft seem to have been found guilty by a court in the antitrust
trial, so they seem to have broken the law.

 Are microsoft criminals from legal point of view?

 Or does justice work this way: if you deface a website, you are a
criminal, but if you screw most of the internet you are a hero?

 georgi



 On Wed,  1 Oct 2003 07:54:12 -0700
 [EMAIL PROTECTED] wrote:

  Hackers are criminals Most, he notes, release their malicious code
  after patches for Microsoft software have been released, meaning that
  they are simply reverse engineering to exploit security weaknesses or
  holes in software. - Microsoft CEO Steve Ballmer
 
  'ninkum`poop [n]  a stupid foolish person See Also: simple, simpleton
 
 

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.netsys.com/full-disclosure-charter.html


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] NINCOMPOOPERY OF MICROSOFT

2003-10-01 Thread Stormwalker


IANAL, but I know that the legal system is divided into a criminal
piece and a civil piece. Criminals are those who break criminal law. 
Civil proceedings tend to be about business disputes, lawsuits, divorces, 
etc, where the court acts like a third party mediator.

  cheers, bob

On Wed, 1 Oct 2003, Georgi Guninski wrote:

 This user Bullmur should be careful with the word criminal.
 
 Question to the lawyers on the list: It is my understanding that
 criminal is someone who breaks the law. microsoft seem to have been
 found guilty by a court in the antitrust trial, so they seem to have
 broken the law.
 
 Are microsoft criminals from legal point of view?
 
 Or does justice work this way: if you deface a website, you are a
 criminal, but if you screw most of the internet you are a hero?
 
 georgi
 
 
 
 On Wed,  1 Oct 2003 07:54:12 -0700
 [EMAIL PROTECTED] wrote:
 
  Hackers are criminals Most, he notes, release their malicious code
  after patches for Microsoft software have been released, meaning that
  they are simply reverse engineering to exploit security weaknesses or
  holes in software. - Microsoft CEO Steve Ballmer 
  
  'ninkum`poop [n]  a stupid foolish person See Also: simple, simpleton
  
  
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.netsys.com/full-disclosure-charter.html
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Mystery DNS Changes

2003-10-01 Thread Mary Landesman
This exploit has been dubbed QHosts-1 Trojan by NAI. Details can be found
at:
http://vil.nai.com/vil/content/v_100719.htm

Regards,
Mary Landesman
Antivirus About.com Guide
http://antivirus.about.com

- Original Message - 
From: Hansen, Kevin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 01, 2003 3:19 PM
Subject: [Full-Disclosure] Mystery DNS Changes


We have seen multiple instances where DHCP enabled workstations have had
their DNS reconfigured to point to two of the three addresses listed below.
Can anyone else confirm this? Incidents.org is reporting an increase in port
53 traffic over the last two days. Are we looking at the precursor to the
next worm?

216.127.92.38
69.57.146.14
69.57.147.175

-KJH

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] NINCOMPOOPERY OF MICROSOFT

2003-10-01 Thread Gregory A. Gilliss
IANAL and I only can reference law in the USA. YMMV.

Once upon a time, hackers were people who wanted to understand how things 
worked. They were not criminals. The reason that they were not criminals
was that there were no laws passed that said that what they were doing
was against the law :)

A person cannot be accused of a crime unless there is a law in existence
that they can be accused of violating. Thus Congress set about creating
laws so that the judicial process would have laws to accuse people of
breaking.

Onel de Guzman basically got a get out of jail free card when he released 
the Lovebug virus for the simple reason that the Philippines did not at that
time have a law that made his actions criminal, therefore they could not
charge him with a crime. Needless to say that little oversight was changed
muy pronto.

Currently, in the USA it is illegal to attempt a connection or to connect
or to gain access or to modify any computer inside or outside of the USA
without the owner's permission or with the intent of doing harm. Yes,
Virginia, port scanning is a crime.  Heck, if I telnet manually to
lists.netsys.com on port 25 and type in this message and *try* VRFY and 
EXPN, I could be charged with a crime because that is not the way that
the SMTP service is used in practice (most people use automated MUAs) and
because it could be argued that my attempted use of VRFY and EXPN were
not usual and that therefore I must have been trying to do something
wrong or illegal. Whether or not what I did is illegal is a point of fact,
and has to be decided by a jury trial in a court of law.

Reality - the Federal Bureau of Investigation (FBI) likely will not even
make the effort to prosecute computer crimes that cannot be said to have
caused significant (like US$500,000) amounts of damage. It's just not
worth the time and resources for them to assign people to port scanning.
That's also why "...the pentagon reported that hackers attempted to
access critical infrastructure computers ten gazillion times last year..."
statements are a farce, because my nmap scan of 65,535 potential open
ports on their firewall doesn't count as 65,535 attempts to access
critical infrastructure - it's just a damned port scan. But, like 
Halloween, it's easier to get money from people if you scare them first.

-)

G

On or about 2003.10.01 22:06:46 +, Georgi Guninski ([EMAIL PROTECTED]) said:

 This user Bullmur should be careful with the word criminal.
 
 Question to the lawyers on the list:
 It is my understanding that criminal is someone who breaks the law.
 microsoft seem to have been found guilty by a court in the antitrust trial, so they 
 seem to have broken the law.
 
 Are microsoft criminals from legal point of view?
 
 Or does justice work this way: if you deface a website, you are a criminal, but if 
 you screw most of the internet you are a hero?

-- 
Gregory A. Gilliss, CISSP Telephone: 1 650 872 2420
Computer Engineering   E-mail: [EMAIL PROTECTED]
Computer SecurityICQ: 123710561
Software Development  WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] NINCOMPOOPERY OF MICROSOFT

2003-10-01 Thread madsaxon
At 01:32 PM 10/1/03 -0700, Gregory A. Gilliss wrote:

Reality - the Federal Bureau of Investigation (FBI) likely will not even
make the effort to prosecute computer crimes that cannot be said to have
caused significant (like US$500,000) amounts of damage. It's just not
worth the time and resources for them to assign people to port scanning.
Minor point: the reason the FBI is unlikely to investigate crimes
with smaller dollar amounts is because the US Attorney's Office
will not prosecute them.  Since the FBI is a federal agency, it
investigates federal crimes, and those crimes are prosecuted
by the US Attorney's Office. The FBI can only pursue cases with
the potential for successful prosecution, ergo the monetary
damage limitation (although it's more like $5,000 than $500,000).
Also remember that the DOJ generally only prosecutes felonies,
and these often have lower monetary boundaries.  That's why
it's very important if you want to bring in law enforcement
that you make a credible attempt at quantifying your losses first.
m5x

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Mystery DNS Changes

2003-10-01 Thread Brian Eckman
Gary Flynn wrote:


 Hansen, Kevin wrote:

 We have seen multiple instances where DHCP enabled workstations have had
 their DNS reconfigured to point to two of the three addresses listed
 below.
 Can anyone else confirm this? Incidents.org is reporting an increase
 in port
 53 traffic over the last two days. Are we looking at the precursor 
to the
 next worm?


 This is currently being discussed on NTBUGTRAQ too.



McAfee labels it QHosts-1

http://us.mcafee.com/virusInfo/default.asp?id=descriptionvirus_k=100719

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737
There are 10 types of people in this world. Those who
understand binary and those who don't.
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Mystery DNS Changes

2003-10-01 Thread Russell Fulton
On Thu, 2003-10-02 at 08:04, Gary Flynn wrote:
 Hansen, Kevin wrote:
 
  We have seen multiple instances where DHCP enabled workstations have had
  their DNS reconfigured to point to two of the three addresses listed below.
  Can anyone else confirm this? Incidents.org is reporting an increase in port
  53 traffic over the last two days. Are we looking at the precursor to the
  next worm?
 
 This is currently being discussed on NTBUGTRAQ too.

This is the QHosts-1 trojan
http://vil.nai.com/vil/content/v_100719.htm


This information was posted to the Avien list about an hour ago by
Craig Schmugar, McAfee AVERT.

advertisement :)
If you want fast access to information on trojans and viruses Avien is
the place to be.  Yes it costs, but the membership fees are modest and
extremely good value.

www.avien.org
/advertisement
-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Mystery DNS Changes

2003-10-01 Thread Brown, James (Jim)

-Original Message-
From: Hansen, Kevin
To: '[EMAIL PROTECTED]'
Sent: 10/1/03 3:19 PM
Subject: [Full-Disclosure] Mystery DNS Changes


We have seen multiple instances where DHCP enabled workstations have had
their DNS reconfigured to point to two of the three addresses listed
below. Can anyone else confirm this? Incidents.org is reporting an
increase in port 53 traffic over the last two days. Are we looking at
the precursor to the next worm?


216.127.92.38 
69.57.146.14 
69.57.147.175 




Are these entries coming in the DHCP packets or are they being
set *after* DHCP is complete? Are compromised systems acting
like DHCP servers stuffing their own DNS entries into
specially crafted replies?


Can you post traffic dumps?


Best Regards,
jpb
===






Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. ThruPoint, Inc.




RE: [Full-Disclosure] Mystery DNS Changes

2003-10-01 Thread Schmehl, Paul L
-Original Message-
From: Hansen, Kevin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 01, 2003 2:19 PM
To: '[EMAIL PROTECTED]'
Subject: [Full-Disclosure] Mystery DNS Changes

We have seen multiple instances where DHCP enabled workstations have had
their DNS reconfigured to point to two of the three addresses listed below.
Can anyone else confirm this? Incidents.org is reporting an increase in port
53 traffic over the last two days. Are we looking at the precursor to the
next worm?

216.127.92.38
69.57.146.14
69.57.147.175

According to McAfee:
This is the QHosts-1 trojan http://vil.nai.com/vil/content/v_100719.htm

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/


RE: [Full-Disclosure] Mystery DNS Changes

2003-10-01 Thread David Vincent
it was said

--
We have seen multiple instances where DHCP enabled workstations have had 
their DNS reconfigured to point to two of the three addresses listed 
below. Can anyone else confirm this? Incidents.org is reporting an 
increase in port 53 traffic over the last two days. Are we looking at 
the precursor to the next worm? 
216.127.92.38 
69.57.146.14 
69.57.147.175 

Are these entries coming in the DHCP packets or are they being 
set *after* DHCP is complete?  Are compromised systems acting 
like DHCP servers stuffing their own DNS entries into 
specially crafted replies? 
Can you post traffic dumps? 
--

check here:
http://isc.sans.org/diary.html?date=2003-10-01

--
DNS abnormalities

As initially posted to the SANS intrusions list, some sites observe an
increase in abnormal DNS queries. For the original post, see
http://cert.uni-stuttgart.de/archive/intrusions/2003/10/msg3.html

A likely related issue has been reported to NT Bugtraq:
http://www.ntbugtraq.com/default.asp?pid=36sid=1A2=ind0310L=ntbugtraqD=0F=PP=1048

Here, a user reported that Various Windows 2000 professional workstations
are changing the DNS servers they are configured to use. The new DNS
server, 216.127.92.38 and 69.51.146.14, is hosted by 'Everyone's Internet
Inc.', (ev1.com).

This user did report suspicious changes to the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
r0x=your s0x
NameServer=69.57.146.14

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
T2=dword:3e057410
LeaseTerminatesTime=dword:3e067130
LeaseObtainedTime=dword:3dfe8830
T1=dword:3e027cb0
NameServer=69.57.146.14

for more details, see this NT Bugtraq post:
http://www.ntbugtraq.com/default.asp?pid=36sid=1A2=ind0310L=ntbugtraqD=0
F=PP=1879

--
If you would like to share any related logs, please send them to
isc_AT_sans.org 
--

...and someone else on NTBugTraq said...

--
The top DNS server change was made by a newer variant of the 
Delude/Startpage trojan. It used to add bogus entries in the 
system32\drivers\etc\hosts file, but lately has begun to change the 
user's DNS registry settings as well. It hijacks the user's traffic to 
and from major search engines, redirecting it to a single webserver 
under the control of the trojan author. Any requested search pages have 
popup ads for gambling/porn site registration, presumably because the 
trojan author is getting money for registrations via affiliate 
programs.

It is being installed via the MS03-032 IE object tag exploit. A scan of 
the system may not turn up any infected files - this trojan does not 
run at startup, and deletes its files after the DNS/hosts configuration 
changes are complete.
--


-d

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
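A defensive check for the two symptoms described in the quoted ISC diary and NTBugtraq excerpts above, added here as an example and not code from the thread or from any of its posters: it parses a .reg export for NameServer values under the Tcpip Interfaces keys (flagging non-GUID subkeys such as the "windows" one in the excerpt and any resolver outside an allow-list) and a hosts file for search-engine names pinned to an outside address. The sample registry text, hosts lines, approved-resolver set and watch-list domains are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Placeholder: the resolvers your DHCP scope or domain policy really hands out.
APPROVED_RESOLVERS = {"10.0.0.2", "10.0.0.3"}

# Interface subkeys are normally GUIDs; the diary excerpt shows a subkey
# simply named "windows" that carries its own NameServer value.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
INTERFACES_PREFIX = ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services"
                     "\\Tcpip\\Parameters\\Interfaces\\")

# Placeholder watch-list: search-engine names the trojan is said to redirect.
HOSTS_WATCHLIST = {"www.google.com", "search.yahoo.com", "www.altavista.com"}

# Constructed sample .reg export modelled on the ISC diary excerpt, plus one
# clean interface whose GUID is made up.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\windows]
r0x=your s0x
NameServer=69.57.146.14

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45F95E82-B443-428B-9EB7-4C65CDCD9006}]
T2=dword:3e057410
NameServer=69.57.146.14

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0A1B2C3D-1111-2222-3333-444455556666}]
NameServer=10.0.0.2,10.0.0.3
"""

# Constructed sample hosts file; 203.0.113.x is a documentation address range.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
203.0.113.7     www.google.com      # pinned to an outside address
203.0.113.7     search.yahoo.com
192.168.1.10    printer.corp.example
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Turn the [key] / name=value layout of a .reg export into nested dicts.
    Both regedit's quoted form and the unquoted form in the excerpt are accepted."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip().strip('"')] = value.strip().strip('"')
    return keys


def check_nameservers(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag interface keys with a non-GUID name or an unapproved NameServer."""
    findings: List[Tuple[str, str]] = []
    for key, values in keys.items():
        if not key.lower().startswith(INTERFACES_PREFIX.lower()):
            continue
        subkey = key[len(INTERFACES_PREFIX):]
        if not GUID_RE.match(subkey):
            findings.append((key, f"unexpected interface subkey name '{subkey}'"))
        # NameServer may list several resolvers separated by commas or spaces.
        for addr in re.split(r"[,\s]+", values.get("NameServer", "")):
            if addr and addr not in APPROVED_RESOLVERS:
                findings.append((key, f"NameServer set to unapproved resolver {addr}"))
    return findings


def check_hosts(text: str) -> List[Tuple[str, str]]:
    """Flag watch-listed names pinned to anything other than loopback."""
    findings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if name.lower() in HOSTS_WATCHLIST and addr not in ("127.0.0.1", "::1"):
                findings.append((name, f"pinned to {addr} in hosts file"))
    return findings


def scan(reg_text: str, hosts_text: str) -> List[Tuple[str, str]]:
    """Run both checks and return every finding as (where, what)."""
    return check_nameservers(parse_reg_export(reg_text)) + check_hosts(hosts_text)


if __name__ == "__main__":
    for where, what in scan(SAMPLE_REG, SAMPLE_HOSTS):
        print(f"{where}: {what}")
```

On a real host the .reg text would come from a `reg export` of the Interfaces key and the hosts text from system32\drivers\etc\hosts; the page notes the trojan deletes its own files afterwards, so these configuration traces may be the only artefacts left.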


Re: [Full-Disclosure] Mystery DNS Changes

2003-10-01 Thread Mike Tancsa
Sounds like

http://vil.nai.com/vil/content/v_100719.htm



---Mike

At 03:19 PM 01/10/2003, Hansen, Kevin wrote:

We have seen multiple instances where DHCP enabled workstations have had 
their DNS reconfigured to point to two of the three addresses listed 
below. Can anyone else confirm this? Incidents.org is reporting an 
increase in port 53 traffic over the last two days. Are we looking at the 
precursor to the next worm?

216.127.92.38
69.57.146.14
69.57.147.175
-KJH

++
Kevin J. Hansen
Architect
Global Network
Thomson Legal  Regulatory
[EMAIL PROTECTED]
651-687-8466
++
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Strange behavior in Windows 98 and 2000

2003-10-01 Thread Fabio Gomes de Souza
Not likely. This is happening with many boxes in different buildings. 
Also, a friend of mine who has a WISP, called me today about the same 
problem that is happening with his customers. He said that Windows 2000 
and XP boxes lose TCP/IP communication and, after a reboot, they work again.

I am SOOO scared. :D

Fabio

David Vincent escreveu:
I've got a w2k box like that.

no matter what I do it will freeze when it gets about 1/3 of the way through
the ie 6 download.  doesn't matter the day, time, power outlet, network
card, power supply, ram, cat-5 cable, network drop, phase of the moon, or
where any of the planets or tides are.
at least part of the problem was the power conditioner it was on before.  we
replaced that workstation with another and it had the same problems of flaky
conenctivity and random BSODs.  only after the power conditioner died and
was replaced did we figure out what the problem was.
I can download huge files with the original box, but can't get past 1/3 of
the way through the ie 6 download before it chokes.  reboots do nothing.
so, I guess what I'm saying is check the power somehow.   might be getting
dirty power.
-d




-Original Message-
From: Fabio Gomes de Souza [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 30, 2003 6:13 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Strange behavior in Windows 98 and 2000



Hi,

Some of the Windows 98 and 2000 boxes of my customers are suddenly 
losing their TCP/IP functionality. After a reboot, they become normal 
again for some time until the TCP/IP stack gets crazy again.

- After the craziness takes place, Win2K is still able to reach the
local network, but it won't cross any router.

- Windows 98 does not even reach the local net.

- Both systems are able to ping the local net and the outside.

- Current TCP connections still work, but you cannot establish new ones.

- Both systems are behind linux NAT firewalls.

Weird. Are you guys noting the same behaviour?

I'm scared. :D

Fabio Gomes de Souza





RE: [Full-Disclosure] Mystery DNS Changes

2003-10-01 Thread tom_gordon
Is that non-disclosure notice on your sig supposed to be a joke?

Tom




Sent by:[EMAIL PROTECTED]
To: 'Hansen, Kevin ' [EMAIL PROTECTED], 
''[EMAIL PROTECTED]' ' [EMAIL PROTECTED]
cc: 
Subject:RE: [Full-Disclosure] Mystery DNS Changes



-Original Message- 
From: Hansen, Kevin 
To: '[EMAIL PROTECTED]' 
Sent: 10/1/03 3:19 PM 
Subject: [Full-Disclosure] Mystery DNS Changes 
We have seen multiple instances where DHCP enabled workstations have had 
their DNS reconfigured to point to two of the three addresses listed 
below. Can anyone else confirm this? Incidents.org is reporting an 
increase in port 53 traffic over the last two days. Are we looking at 
the precursor to the next worm? 
216.127.92.38 
69.57.146.14 
69.57.147.175 


Are these entries coming in the DHCP packets or are they being 
set *after* DHCP is complete?  Are compromised systems acting 
like DHCP servers stuffing their own DNS entries into 
specially crafted replies? 
Can you post traffic dumps? 
Best Regards, 
jpb 
=== 




Note:  The information contained in this message may be privileged and 
confidential and protected from disclosure.  If the reader of this message 
is not the intended recipient, or an employee or agent responsible for 
delivering this message to the intended recipient, you are hereby notified 
that any dissemination, distribution or copying of this communication is 
strictly prohibited.  If you have received this communication in error, 
please notify us immediately by replying to the message and deleting it 
from your computer. Thank you.  ThruPoint, Inc.




RE: [Full-Disclosure] Mystery DNS Changes

2003-10-01 Thread Harris, Michael C.
I have laid hands on a machine hit with the Qhosts-1 Trojan 

It drops a replacement hosts file in the $system%\help\ directory
and also makes the registry changes described in the NAI posting
http://vil.nai.com/vil/content/v_100719.htm

DNS detail, hosts file details, captured headers all follow below the signature block 
sorry for the length of message and no I don't have a full capture

Mike 
---
Michael C Harris
System Security Analyst - GSEC
University of Missouri Health Center
[EMAIL PROTECTED]  KC0PAH
---

DNS changed to 
69.57.146.14 
69.57.147.175  

hosts file included the following entries


sample headers 
2003/10/01-16:54:05.242697 161.130.204.xxx.2306 > 207.44.220.30.http: S 22870760:22870760(0) win 8192 (DF)
2003/10/01-16:54:05.281848 207.44.220.30.http > 161.130.204.xxx.2306: S 1904832103:1904832103(0) ack 22870761 win 5840 (DF)
2003/10/01-16:54:05.282723 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904832104 win 8760 (DF)
2003/10/01-16:54:05.283772 161.130.204.xxx.2306 > 207.44.220.30.http: P 22870761:22871132(371) ack 1904832104 win 8760 (DF)
2003/10/01-16:54:05.326527 207.44.220.30.http > 161.130.204.xxx.2306: . ack 22871132 win 6432 (DF)
2003/10/01-16:54:05.328614 207.44.220.30.http > 161.130.204.xxx.2306: . 1904832104:1904833564(1460) ack 22871132 win 6432 (DF)
2003/10/01-16:54:05.329041 207.44.220.30.http > 161.130.204.xxx.2306: . 1904833564:1904835024(1460) ack 22871132 win 6432 (DF)
2003/10/01-16:54:05.330076 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904835024 win 8760 (DF)

[Full-Disclosure] Google FILTERS searches for possible DMCA infringable content!!!

2003-10-01 Thread Kristian Hermansen

I don't know if you guys noticed this or not, but recently Google has
started FILTERING requests for information that may violate the DMCA.
This just started recently, but test it yourself. Go to Google.com and
try searching for "kazaa lite k++", which is the enhanced version of the
popular P2P client. If you notice, the website will not show up in the
lists. In fact, it seems that the site that offered this client is now
no longer online. What's REALLY SAD is that Google admits to the
filtering at the bottom of the page and gives an explanation, along with
some documentation. Here's what it says:

http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=kazaa+lite+k%2B%2B

"In response to a complaint we received under the Digital Millennium
Copyright Act, we have removed 4 result(s) from this page. If you wish,
you may read the DMCA complaint for these removed results."

If you click on the second link, you can read the complaint from Sharman
Networks against Google.

http://www.chillingeffects.org/dmca512/notice.cgi?NoticeID=861 (text)
http://www.chillingeffects.org/dmca512/notice.cgi?action="">(PDF)

This is a sad day for us all. It seems that Sharman Networks weren't
happy enough with the profits they made on advertising - a business that
is run solely on the attraction that customers can download digital
content, which they may or may not own legally. Now, why would they want
to block this program so badly? My guess... K++'s anonymous enhancements
make it much too difficult to track down piracy and since users would
benefit from this, it is a danger to their business. Also, they are
probably making even more money on the side by selling information about
who is massively sharing MP3/VIDEO to the RIAA and MPAA. BUT IRONICALLY
THEY ARE USING THE F**KING DMCA TO HAVE GOOGLE FILTER SEARCHES!!! If
anything, the DMCA should be used against THEM for making it easy for
people to download illegal content. "Hey you don't have the right to
steal what I am currently stealing!!!" Reminds me of Microsoft stealing
from Apple. This is the most improper use of the DMCA I have ever seen.
What do you guys all think of this?

Kris Hermansen
CEO - HT Technology Solutions

PS - Since Google won't allow you to find the new K++ homepage, here it
is:
http://www.klitesite.com/


RE: [Full-Disclosure] Google FILTERS searches for possible DMCA infringable content!!!

2003-10-01 Thread Poof

Yeah... But if you read the complaint that they show it gives the URLs
there ^^

But, yeah, I dislike how the DMCA allows this. =/

You can show somebody doing/buying drugs on TV, which tells people how
to get them etc. But you can't do the same thing online.

Sucks eh?

From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kristian Hermansen
Sent: Wednesday, October 01, 2003
17:11
To: Full Disclosure
Subject: [Full-Disclosure] Google
FILTERS searches for possible DMCA infringable content!!!

I don't know if you guys noticed this or not, but recently Google has
started FILTERING requests for information that may violate the DMCA.
This just started recently, but test it yourself. Go to Google.com and
try searching for "kazaa lite k++", which is the enhanced version of the
popular P2P client. If you notice, the website will not show up in the
lists. In fact, it seems that the site that offered this client is now
no longer online. What's REALLY SAD is that Google admits to the
filtering at the bottom of the page and gives an explanation, along with
some documentation. Here's what it says:

http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=kazaa+lite+k%2B%2B

"In response to a complaint we received under the Digital Millennium
Copyright Act, we have removed 4 result(s) from this page. If you wish,
you may read the DMCA complaint for these removed results."

If you click on the second link, you can read the complaint from Sharman
Networks against Google.

http://www.chillingeffects.org/dmca512/notice.cgi?NoticeID=861 (text)
http://www.chillingeffects.org/dmca512/notice.cgi?action="">(PDF)

This is a sad day for us all. It seems that Sharman Networks weren't
happy enough with the profits they made on advertising - a business that
is run solely on the attraction that customers can download digital
content, which they may or may not own legally. Now, why would they want
to block this program so badly? My guess... K++'s anonymous enhancements
make it much too difficult to track down piracy and since users would
benefit from this, it is a danger to their business. Also, they are
probably making even more money on the side by selling information about
who is massively sharing MP3/VIDEO to the RIAA and MPAA. BUT IRONICALLY
THEY ARE USING THE F**KING DMCA TO HAVE GOOGLE FILTER SEARCHES!!! If
anything, the DMCA should be used against THEM for making it easy for
people to download illegal content. "Hey you don't have the right to
steal what I am currently stealing!!!" Reminds me of Microsoft stealing
from Apple. This is the most improper use of the DMCA I have ever seen.
What do you guys all think of this?

Kris Hermansen
CEO - HT Technology Solutions

PS - Since Google won't allow you to find the new K++ homepage, here it
is:
http://www.klitesite.com/


[Full-Disclosure] Red Hat Certification for... (however much you want to pay)

2003-10-01 Thread Sean Earp
From the Red Hat list...  
http://www.redhat.com/archives/redhat-list/2003-October/msg00098.html

Chris writes;

https://www.redhat.com/apps/response/enroll_training.html?num=RH300&name=RH300-RHCE%20Rapid%20Track%20Course&loc=New%20York,%20NY&date=20-OCT-03&price=2498&M3_offer_code=49004



When you click the link above, the URL will be redirected to a redhat  
url
with value of price=.  Just change the price, and you've changed the
cost of your Redhat Training.  See, RHCE IS affordable!

Nice programming Red Hat.

---

For that matter, you can change the course location, date, price,  
whatever you want! (all in the URL)

Isn't using URL parameters to track the price of a product the first  
thing you learn in BAD WEB COMMERCE PRACTICES 101?

-Sean ;)

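What the fix for the price-in-the-URL flaw Sean describes looks like, as an added example (Python; not Red Hat's code): the "before" handler trusts price= from the link, the hardened handler looks the price up server-side from the course number, and a signed-offer variant shows how a discounted link can still be mailed out without the price being editable. The catalogue, host name and signing key are constructed; the course number, list price and offer code come from the URL in Chris's message.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed server-side catalogue (course number -> name, list price in USD);
# the entry mirrors the course and price in the link Chris posted. The client is
# never the source of truth for any value in here.
CATALOG = {"RH300": ("RH300 - RHCE Rapid Track Course", 2498)}

# Constructed signing secret; a real deployment loads this from a secrets store.
OFFER_KEY = b"constructed-offer-signing-key"
SIGNED_FIELDS = ("num", "price", "M3_offer_code")


def query(url):
    """Return a URL's query string as a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def enroll_vulnerable(url):
    """Before: the price is whatever the visitor's link says it is."""
    q = query(url)
    return {"course": q["num"], "price": int(q["price"])}


def enroll_hardened(url):
    """After: the client supplies only the course number; the price is looked up."""
    num = query(url).get("num")
    if num not in CATALOG:
        raise ValueError("unknown course")
    name, price = CATALOG[num]
    return {"course": num, "name": name, "price": price}


def _offer_tag(fields):
    """HMAC-SHA256 over the canonical (sorted, URL-encoded) signed fields."""
    msg = urlencode(sorted(fields.items())).encode()
    return hmac.new(OFFER_KEY, msg, hashlib.sha256).hexdigest()


def make_offer_link(base, num, price, offer_code):
    """Mint a discount link whose price is bound to the course and offer code.

    Marketing can still mail out a special price, but the server only honours
    it when the tag verifies, so editing price= in the address bar breaks it.
    """
    fields = {"num": num, "price": str(price), "M3_offer_code": offer_code}
    fields["sig"] = _offer_tag(fields)
    return f"{base}?{urlencode(fields)}"


def enroll_with_offer(url):
    """Honour price= only if the signature over (num, price, offer code) verifies."""
    q = query(url)
    fields = {k: q[k] for k in SIGNED_FIELDS if k in q}
    sig = q.get("sig", "")
    if len(fields) != len(SIGNED_FIELDS) or not hmac.compare_digest(sig, _offer_tag(fields)):
        # Tampered or unsigned link: fall back to the catalogue price.
        return enroll_hardened(url)
    return {"course": fields["num"], "price": int(fields["price"]),
            "offer": fields["M3_offer_code"]}


if __name__ == "__main__":
    base = "https://www.example.test/enroll_training.html"  # constructed host
    tampered = base + "?num=RH300&price=1"
    print("vulnerable:", enroll_vulnerable(tampered))
    print("hardened:  ", enroll_hardened(tampered))
    link = make_offer_link(base, "RH300", 1999, "49004")
    print("signed:    ", enroll_with_offer(link))
    print("edited:    ", enroll_with_offer(link.replace("price=1999", "price=1")))
```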


Re: [Full-Disclosure] Mystery DNS Changes

2003-10-01 Thread Danny Pansters
On Wednesday 01 October 2003 21:19, Hansen, Kevin wrote:
 We have seen multiple instances where DHCP enabled workstations have
 had their DNS reconfigured to point to two of the three addresses
 listed below. Can anyone else confirm this? Incidents.org is
 reporting an increase in port 53 traffic over the last two days. Are
 we looking at the precursor to the next worm?

 216.127.92.38
 69.57.146.14
 69.57.147.175

 -KJH


How bout asking [EMAIL PROTECTED] You likely have some spy/ad/pay ware on 
client machines. See lop.com and others.

There's crap traffic on port 53 all the time, I get speedera ping-like 
traffic on my port 53 several times a day. It's a verifiable swarm but 
no one at att, verio, uunet, whatever seem to care. My cable ISP told 
me I could start legal action. Yeah right. This is probably a common 
occurrence.

I think you're mixing up two different issues here.

Dan



Re: [Full-Disclosure] Strange behavior in Windows 98 and 2000

2003-10-01 Thread Danny Pansters

 2000 and XP boxes lose TCP/IP communication and, after a reboot, they
 work again.

Win XP tries to push itself as being the authoritative server of its own 
host name by attempting to transfer its zone to the (local) dns server, 
doesn't it? Erratic behaviour is always a good way to break the thing. 
I rarely use WinXP, but did note that it behaves like that. Dunno about 
W2k.

HTH

Dan



RE: [Full-Disclosure] Red Hat Certification for... (however much you want to pay)

2003-10-01 Thread Justin Shin
If I had my druthers at redhat, someone aint gonna have a job come thursday mornin

What's more, I played around and came to amusement with the fact that I had just made 
the security course cost me 0.99 . Talk about cheap! Why, Redhat should invest in 
training their coders, and avoid being duped by the oldest technique in webapp 
history...

-- Justin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Sean Earp
Sent: Wednesday, October 01, 2003 8:43 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Red Hat Certification for... (however much
you want to pay)


 From the Red Hat list...  
http://www.redhat.com/archives/redhat-list/2003-October/msg00098.html

Chris writes;

https://www.redhat.com/apps/response/enroll_training.html?num=RH300&name=RH300-RHCE%20Rapid%20Track%20Course&loc=New%20York,%20NY&date=20-OCT-03&price=2498&M3_offer_code=49004



When you click the link above, the URL will be redirected to a redhat  
url
with value of price=.  Just change the price, and you've changed the
cost of your Redhat Training.  See, RHCE IS affordable!

Nice programming Red Hat.

---

For that matter, you can change the course location, date, price,  
whatever you want! (all in the URL)

Isn't using URL parameters to track the price of a product the first  
thing you learn in BAD WEB COMMERCE PRACTICES 101?

-Sean ;)



RE: [Full-Disclosure] Google FILTERS searches for possible DMCA infringable content!!!

2003-10-01 Thread Joshua Thomas



This is old news. This was on slashdot over a month ago.

Joshua Thomas
Network Operations Engineer
PowerOne Media, Inc.
tel: 518-687-6143
[EMAIL PROTECTED]

  -Original Message-
  From: Kristian Hermansen [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, October 01, 2003 8:11 PM
  To: Full Disclosure
  Subject: [Full-Disclosure] Google FILTERS searches for possible DMCA infringable content!!!
  I don't know if you guys noticed this or not, but 
  recently Google has started FILTERING requests for information that may 
  violate the DMCA. This just started recently, but test it 
  yourself. Go to Google.com and try searching for "kazaa lite k++", which 
  is the enhanced version of the popular P2P client. If you notice, the 
  website will not show up in the lists. In fact, it seems that the site 
  that offered this client is now no longer online. What's REALLY SAD is 
  that Google admits to the filtering at the bottom of the page and gives an 
  explanation, along with some documentation. Here's what it 
  says:
  
  http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=kazaa+lite+k%2B%2B
  
  "In response to a complaint we received under the 
  Digital Millennium Copyright 
  Act, we have removed 4 result(s) 
  from this page. If you wish, you may read the DMCA 
  complaint for these removed 
  results."
  
  If you click on the second link, you can read the 
  complaint from Sharman Networks against Google.
  
  http://www.chillingeffects.org/dmca512/notice.cgi?NoticeID=861 (text)
  http://www.chillingeffects.org/dmca512/notice.cgi?action="">(PDF)
  
  This is a sad day for us all. It seems that 
  Sharman Networks weren't happy enough with the profits they made on 
  advertising - a business that is run solely on the attraction that 
  customers can download digital content, which they may or may not own 
  legally. Now, why would they want to block this program so badly? 
  My guess... K++'s anonymous enhancements make it much too difficult to track 
  down piracy and since users would benefit from this, it is a danger to 
  their business. Also, they are probably making even more money on the 
  side by selling information about who is massively sharing MP3/VIDEO to the 
  RIAA and MPAA. BUT IRONICALLY THEY ARE USING THE F**KING DMCA TO HAVE 
  GOOGLE FILTER SEARCHES!!! If anything, the DMCA should be used against 
  THEM for making it easy for people to download illegal content. "Hey you 
  don't have the right to steal what I am currently stealing!!!" Reminds 
  me of Microsoft stealing from Apple. This is the most improper use of 
  the DMCA I have ever seen. What do you guys all think of 
  this?
  
  Kris Hermansen
  CEO- HT Technology 
  Solutions
  
  PS - Since Google won't allow you to find the new 
  K++ homepage, here it is:
  http://www.klitesite.com/


Re: [Full-Disclosure] Google FILTERS searches for possible DMCA infringable content!!!

2003-10-01 Thread KF
http://www.google.com/dmca.html

-KF



Re: [Full-Disclosure] Mystery DNS Changes

2003-10-01 Thread *Hobbit*
   ... DHCP enabled workstations have had
   their DNS reconfigured to point to two of the three addresses

User-driven trojan or not, machines running DHCP can pretty much
be told by a DHCP server that their leases are up and it's time to
renumber, and then that their new DNS servers are X Y and maybe Z.
This is part of the protocol, astoundingly enough, but spells
attack vector any way *I* look at it.

This would probably work on most cable-modem infrastructures, at
least where the provider hasn't done anything about the fact that
any customer [i.e. customer's box, forget the human] can become
a rogue DHCP server.  Within a soft chewy corporate net, a rogue
server probably presents an even higher risk cuz *none* of the end
user boxes would have the benefit of a somewhat protective device
[cable modem with clueful config] in between it and the rogue.

Expect it.  Script your bootup to nuke dhclient/dhcpcd/whatever
after it's gotten an address, and sanity-check what you get back.
DHCP clients, at least in the unix world, generally run OUTSIDE
your filters, as ROOT.  Windows users, you're probably just hosed,
because if you stop DHCP client you release your address.

_H*

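One way to do the sanity check Hobbit recommends, as an added example (Python; not from the original post): a validator in the style of an ISC dhclient exit hook that accepts only allowlisted resolvers from a new lease and refuses to write any other into resolv.conf. The allowlist (192.0.2.x), the domain name and the fake lease environment are constructed; the `reason` and `new_domain_name_servers` variable names are the ones dhclient-script exports to its hooks.

```python
import ipaddress
import os

# Constructed allowlist: the resolvers this site expects DHCP to hand out.
# Replace with the addresses of your own DNS servers.
EXPECTED_DNS = {"192.0.2.53", "192.0.2.54"}

# Lease states in which dhclient-script (re)writes resolver configuration.
CONFIGURING_REASONS = {"BOUND", "RENEW", "REBIND", "REBOOT"}


def classify_dns(servers, expected=EXPECTED_DNS):
    """Split offered resolvers into (accepted, rejected) lists.

    A resolver is rejected when it is not a parseable IP address or is not on
    the allowlist. That is the strict policy argued for above: whatever a
    rogue DHCP server offers, only resolvers you already trust get used.
    """
    accepted, rejected = [], []
    for server in servers:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            rejected.append(server)
            continue
        (accepted if server in expected else rejected).append(server)
    return accepted, rejected


def render_resolv_conf(servers, search_domain=None):
    """Build resolv.conf text from an accepted resolver list."""
    lines = [f"nameserver {s}" for s in servers]
    if search_domain:
        lines.insert(0, f"search {search_domain}")
    return "\n".join(lines) + "\n"


def dhclient_exit_hook(env=os.environ):
    """Validate the lease's DNS option the way a dhclient exit hook would.

    dhclient-script exports the lease as environment variables: `reason` is
    the lease state and `new_domain_name_servers` the space-separated DNS
    option. Returns the resolv.conf text to write, or None when nothing
    should be written (wrong state, or every offered resolver was rejected).
    """
    if env.get("reason") not in CONFIGURING_REASONS:
        return None
    offered = env.get("new_domain_name_servers", "").split()
    accepted, rejected = classify_dns(offered)
    if rejected:
        print(f"dhcp: ignoring unexpected DNS servers {rejected}")
    if not accepted:
        return None
    return render_resolv_conf(accepted, env.get("new_domain_name"))


if __name__ == "__main__":
    # Constructed lease: one expected resolver plus one of the addresses
    # reported in this thread as a hijacked machine's new DNS server.
    fake_env = {"reason": "BOUND", "new_domain_name": "corp.example",
                "new_domain_name_servers": "192.0.2.53 69.57.146.14"}
    print(dhclient_exit_hook(fake_env), end="")
```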


Re: [Full-Disclosure] Mystery DNS Changes

2003-10-01 Thread Paul Tinsley
Don't know if this will help anybody else but I have added this to all 
my sensors that see internal traffic headed for firewalls:

var MAL_DNS [216.127.92.38/32,69.57.146.14/32,69.57.147.175/32]
alert tcp any any -> $MAL_DNS 53 (msg:"Malicious DNS Traffic"; sid:900027; rev:1;)

This along with a rule in my alerting software that alerts once per hour 
per machine that is triggering this alert seems to be working pretty well.

Harris, Michael C. wrote:

I have laid hands on a machine hit with the Qhosts-1 Trojan 

It drops a replacement hosts file in the $system%\help\ directory
and also makes the registry changes described in the NAI posting
http://vil.nai.com/vil/content/v_100719.htm
DNS detail, hosts file details, captured headers all follow below the signature block 
sorry for the length of message and no I don't have a full capture

Mike 
---
Michael C Harris
System Security Analyst - GSEC
University of Missouri Health Center
[EMAIL PROTECTED]  KC0PAH
---

DNS changed to 
69.57.146.14 
69.57.147.175  

hosts file included the following entries


sample headers 
2003/10/01-16:54:05.242697 161.130.204.xxx.2306 > 207.44.220.30.http: S 22870760:22870760(0) win 8192 (DF)
2003/10/01-16:54:05.281848 207.44.220.30.http > 161.130.204.xxx.2306: S 1904832103:1904832103(0) ack 22870761 win 5840 (DF)
2003/10/01-16:54:05.282723 161.130.204.xxx.2306 > 207.44.220.30.http: . ack 1904832104 win 8760 (DF)
2003/10/01-16:54:05.283772 161.130.204.xxx.2306 > 207.44.220.30.http: P 22870761:22871132(371) ack 1904832104 win 8760 (DF)

[Full-Disclosure] CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS Implementations (fwd)

2003-10-01 Thread Muhammad Faisal Rauf Danka



Regards

Muhammad Faisal Rauf Danka


_
---
[ATTITUDEX.COM]
http://www.attitudex.com/
---
---BeginMessage---

-BEGIN PGP SIGNED MESSAGE-

CERT Advisory CA-2003-26 Multiple Vulnerabilities in SSL/TLS
Implementations

   Original issue date: October 1, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.


Systems Affected

 * OpenSSL versions prior to 0.9.7c and 0.9.6k
 * Multiple SSL/TLS implementations
 * SSLeay library


Overview

   There are multiple vulnerabilities in different implementations of the
   Secure   Sockets  Layer  (SSL)  and  Transport  Layer  Security  (TLS)
   protocols.  These  vulnerabilities  occur primarily in Abstract Syntax
   Notation  One  (ASN.1)  parsing code. The most serious vulnerabilities
   may  allow  a  remote  attacker  to execute arbitrary code. The common
   impact is denial of service.


I. Description

   SSL  and  TLS  are  used  to  provide  authentication, encryption, and
   integrity  services to higher-level network applications such as HTTP.
   Cryptographic   elements   used   by  the  protocols,  such  as  X.509
   certificates, are represented as ASN.1 objects. In order to encode and
   decode   these   objects,   many  SSL  and  TLS  implementations  (and
   cryptographic libraries) include ASN.1 parsers.

   OpenSSL is a widely-deployed open source implementation of the SSL and
   TLS  protocols.  OpenSSL also provides a general-purpose cryptographic
   library that includes an ASN.1 parser.

   The U.K. National Infrastructure Security Co-ordination Centre (NISCC)
   has   developed   a  test  suite  to  analyze  the  way  SSL  and  TLS
   implementations  handle  exceptional ASN.1 objects contained in client
   and  server  certificate  messages. Although the test suite focuses on
   certificate  messages,  any  untrusted ASN.1 element may be used as an
   attack  vector.  An advisory from OpenSSL describes as vulnerable "Any
   application  that  makes  use  of  OpenSSL's  ASN1  library  to  parse
   untrusted data. This includes all SSL or TLS applications, those using
   S/MIME (PKCS#7) or certificate generation routines."

   There are two certificate message attack vectors. An attacker can send
   crafted client certificate messages to a server, or attempt to cause a
   client  to  connect to a server under the attacker's control. When the
   client connects, the attacker can deliver a crafted server certificate
   message.  Note that the standards for TLS (RFC 2246) and SSL 3.0 state
   that  a  client  certificate  message  "...is  only sent if the server
   requests a certificate." To reduce exposure to these types of attacks,
   an   SSL/TLS  server  should  ignore  unsolicited  client  certificate
   messages (VU#732952).

   NISCC  has  published  two  advisories  describing  vulnerabilities in
   OpenSSL  (006489/OpenSSL)  and  other  SSL/TLS  implementations
   (006489/TLS).  The  second advisory covers multiple vulnerabilities in
   many  vendors'  products.  Further  details,  including  vendor status
   information, are available in the following vulnerability notes.

VU#935264 - OpenSSL ASN.1 parser insecure memory deallocation
A vulnerability  in  the way OpenSSL deallocates memory used to store
ASN.1 structures  could  allow a remote attacker to execute arbitrary
code with the privileges of the process using the OpenSSL library.
(Other resources: NISCC/006490/OpenSSL/3, OpenSSL #1, CAN-2003-0545)

VU#255484 - OpenSSL contains integer overflow handling ASN.1 tags (1)
An integer  overflow  vulnerability  in the way OpenSSL handles ASN.1
tags could allow a remote attacker to cause a denial of service.
(Other resources: NISCC/006490/OpenSSL/1, OpenSSL #2, CAN-2003-0543)

VU#380864 - OpenSSL contains integer overflow handling ASN.1 tags (2)
A second  integer  overflow  vulnerability in the way OpenSSL handles
ASN.1 tags could allow a remote attacker to cause a denial of service.
(Other resources: NISCC/006490/OpenSSL/1, OpenSSL #2, CAN-2003-0544)

VU#686224 -  OpenSSL does not securely handle invalid public key when
configured to ignore errors
A vulnerability  in  the  way  OpenSSL handles invalid public keys in
client certificate  messages could allow a remote attacker to cause a
denial of service. This vulnerability requires as a precondition that
an  application  is  configured  to ignore public key decoding errors,
which is not typically the case on production systems.
(Other resources: NISCC/006490/OpenSSL/2, OpenSSL #3)

VU#732952 - OpenSSL accepts unsolicited client certificate messages
OpenSSL accepts  unsolicited  client certificate messages. This could
allow an  attacker  to exploit underlying flaws in client certificate
handling, such as 

Re: [Full-Disclosure] Google FILTERS searches for possible DMCA infringable content!!!

2003-10-01 Thread Kristian Hermansen




- Original Message - 
From: "myuu" [EMAIL PROTECTED]
To: "Kristian Hermansen" [EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 1:56 AM
Subject: Re: [Full-Disclosure] Google FILTERS searches for possible 
DMCAinfringable content!!!
 First off this has been in place for a couple weeks, second 
it was pretty well publicized when it was added.  
Anyway, would you rather not see any notice at all? Seems more 
reasonable that they would at least admit to it.

Even if it is old news, of which I was unaware, the Kazaa filtering is new as
of September 12th. I can't believe that it is even possible to allow this kind
of activity. What is going to happen if this sets a precedent for other
companies? I don't want every company in the world writing letters to Google
referencing the DMCA and not allowing me to get my search results. That's
ludicrous! The internet was created to be a medium for information exchange.
Google of all people should fight this since they are an information querying
engine. What ever happened to the Freedom of Information Act? Guess it went
right out the window with all of our civil rights after 9/11...


- Original Message - 
From: "Mary Landesman" [EMAIL PROTECTED]
To: "Kristian Hermansen" [EMAIL PROTECTED]
Sent: Wednesday, October 01, 2003 9:03 PM
Subject: Re: [Full-Disclosure] Google FILTERS searches for possible DMCA infringable content!!!

 I've noticed this with other searches. In other words, I don't believe this
 is Google's first foray into selective filtering. I use Dogpile quite a bit
 for this very reason, and have found them in most cases to be a better
 source. (Some things, like group searches, require Google.) Specifically
 regarding their invoking the DMCA, perhaps they were threatened with
 abetting and their hand was forced. OTOH, other rumors have been circulating
 regarding Google's close ties with the NSA. They are a private company,
 meaning they are largely unaccountable (publicly) for their actions, so it's
 rather difficult to know which side of the fence they are sitting on.
 Certainly this recent decision of theirs does not bode well for it being on
 the side of the users. :-)  -- Mary

Ties to the NSA? Where did you hear this? If it turns out to be true, I will
no longer be using Google...



- Original Message - 
From: Exibar 
To: Kristian Hermansen 
Sent: Wednesday, October 01, 2003 9:32 PM
Subject: RE: [Full-Disclosure] Google FILTERS searches for possible DMCA infringable content!!!

 I got a hit for Kazaa lite on the first page... are you sure that you're
 not an employee of Sharman Networks trying to get more searches for Kazaa
 Lite so it will get to the top of Google's listing?

 sure sounds like it to me.

 Download Kazaa Lite K++ 2.4.2 - Improved version of Kazaa LITE !... Kazaa
 Lite K++ 2.4.2, Subscribe to this program, Developer, ... ENGLISH.A spyware
 free version of Kazaa, with many improvements ! Kazaa ...
 www.softnews.ro/public/cat/10/6/10-6-25.shtml - 68k - Cached - Similar pages

 Exibar

First of all, I'm NOT an employee of Sharman Networks. And, you must not have
noticed that your search yielded a Russian download site with an OLD version
of the client. The OFFICIAL page was never revealed to you...
- Original Message - 
From: Poof 
To: [EMAIL PROTECTED] 
Sent: Wednesday, October 01, 2003 8:57 PM
Subject: RE: [Full-Disclosure] Google FILTERS searches for possible DMCA infringable content!!!

 Yeah... But if you read the complaint that they show it gives the URLs
 there ^^

 But, yeah, I dislike how the DMCA allows this. =/

 You can show somebody doing/buying drugs on TV… Which tells people how to
 get them etc… But you can’t do the same thing online…

 Sucks eh?

...Yeah, really sucks...

Kristian Hermansen


Re: [Full-Disclosure] Red Hat Certification for... (however much you want to pay)

2003-10-01 Thread Jonathan A. Zdziarski

 Isn't using URL parameters to track the price of a product the first  
 thing you learn in BAD WEB COMMERCE PRACTICES 101?

And this is one of the top 3 certifications sought by IT and IS
professionals.  Perhaps they should consider a slight change in
curriculum.




___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Red Hat Certification for... (however much you want to pay)

2003-10-01 Thread Irwan Hadi
On Wed, Oct 01, 2003 at 09:18:51PM -0400, Justin Shin wrote:

 If I had my druthers at redhat, someone aint gonna have a job come thursday mornin
 
 What's more, I played around and came to amusement with the fact that I had just 
 made the security course cost me 0.99 . Talk about cheap! Why, Redhat should invest 
 in training their coders, and avoid being duped by the oldest technique in webapp 
 history...
 

Even more funny, I set it to be -$8098082308 and redhat now owes me that
much ;)



[Full-Disclosure] Solaris security patches.

2003-10-01 Thread Len Rose

NOTE: These are personal opinions and as such I do not speak 
for any entity other than myself.


I've been complaining about the slow reaction times from Sun 
regarding security patches lately, and I haven't seen much
improvement. It actually seems that Sun security team is even
slower now than when I first started noticing the slowdown.

Two recent vulnerabilities (openssh, and sendmail) come to
mind.

Note: Since Sun has now embedded openssh into Solaris 9 it sucks
to have to rip out Sun's openssh and switch to the portable
open source version. 

In the case of sendmail 8.12.x most people who really used
Solaris for mail servers probably run something else like
postfix, or at least maintain their own sendmail, so no big deal. 

However, there are many sites that have to rely on patches
alone from Sun since they may not have people who can compile new 
versions of software. There might be sites that will permit only 
official patches from Sun installed on their servers. 

Reference: 

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56861&zone_32=category%3Asecurity
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56860&zone_32=category%3Asecurity


Initially even though the bulletins were finally released 
the workaround was to disable sendmail or to disable sshd. 
I'm sorry but these aren't realistic or credible.

Now they've updated them to include references to T Patches
that don't exist on the registered customer private patch
archives.

It's been quite a while for those who rely on ssh and sendmail,
so generally everyone eventually is forced to ditch official
versions of ssh and sendmail in favour of building these critical
pieces of software from source from the open source development
teams.

It really makes the job of keeping Solaris servers secure very
difficult in comparison to say Linux, or *BSD whose security
teams are quite responsive when there is a significant new
hole.

Perhaps the dire financial situation that Sun is facing is to
blame for this. If so, I'll volunteer to help put together an
organization to publish Solaris patch packages for security-related 
problems if Sun will sanction same.

I love Solaris and I am a dedicated sparc person -- I don't 
want to see people who are STILL using Solaris to be the ones to 
suffer.

Thanks for listening Sun.




RE: [Full-Disclosure] Mystery DNS Changes

2003-10-01 Thread Andre Ludwig
Somewhat off topic, but a killer DHCP toolset that I have played with a bit
is Gobbler from www.networkpenetration.com.  Might give some people who
don't understand the whole DHCP vulnerability thing a bit of an education. 

Andre Ludwig

http://www.networkpenetration.com/downloads.html

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 01, 2003 1:11 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Mystery DNS Changes


   ... DHCP enabled workstations have had
   their DNS reconfigured to point to two of the three addresses

User-driven trojan or not, machines running DHCP can pretty much
be told by a DHCP server that their leases are up and it's time to
renumber, and then that their new DNS servers are X Y and maybe Z.
This is part of the protocol, astoundingly enough, but spells
attack vector any way *I* look at it.

This would probably work on most cable-modem infrastructures, at
least where the provider hasn't done anything about the fact that
any customer [i.e. customer's box, forget the human] can become
a rogue DHCP server.  Within a soft chewy corporate net, a rogue
server probably presents an even higher risk cuz *none* of the end
user boxes would have the benefit of a somewhat protective device
[cable modem with clueful config] in between it and the rogue.

Expect it.  Script your bootup to nuke dhclient/dhcpcd/whatever
after it's gotten an address, and sanity-check what you get back.
DHCP clients, at least in the unix world, generally run OUTSIDE
your filters, as ROOT.  Windows users, you're probably just hosed,
because if you stop DHCP client you release your address.

_H*

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
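The quoted advice to "sanity-check what you get back" from DHCP can be scripted. The following is an added example (not code from the poster or from any DHCP implementation) that reads an ISC dhclient-style leases file, takes the most recent lease, and compares the server identifier and the DNS servers it handed out against values pinned by the administrator. The lease text and the pinned addresses are constructed for the example; the trusted sets are assumed to be filled in from the site's real DHCP and DNS setup.

```python
"""Audit DHCP-assigned DNS servers and server identity from a dhclient leases file.
Added example for this digest; constructed sample data, not a real capture."""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample in dhclient.leases syntax. The first lease is the expected
# one; the second models a rogue server on the same LAN pushing a different
# resolver, which is the scenario the quoted message describes.
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 192.0.2.50;
  option subnet-mask 255.255.255.0;
  option routers 192.0.2.1;
  option domain-name-servers 192.0.2.53, 198.51.100.7;
  option domain-name "corp.example";
  option dhcp-server-identifier 192.0.2.1;
  renew 3 2003/10/01 20:11:00;
  expire 4 2003/10/02 02:11:00;
}
lease {
  interface "eth0";
  fixed-address 192.0.2.50;
  option subnet-mask 255.255.255.0;
  option routers 192.0.2.77;
  option domain-name-servers 203.0.113.9;
  option dhcp-server-identifier 192.0.2.77;
  renew 3 2003/10/01 22:30:00;
  expire 4 2003/10/02 04:30:00;
}
"""

# Pinned values (assumed): what the site's real DHCP server and resolvers are.
TRUSTED_DNS: Set[str] = {"192.0.2.53", "198.51.100.7"}
TRUSTED_DHCP: Set[str] = {"192.0.2.1"}

LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
OPTION_RE = re.compile(r"^\s*option\s+([\w-]+)\s+(.*?);\s*$", re.M)
INTERFACE_RE = re.compile(r'^\s*interface\s+"([^"]+)";', re.M)


def parse_leases(text: str) -> List[Dict]:
    """Extract interface and option values from each lease block, oldest first."""
    leases = []
    for block in LEASE_RE.finditer(text):
        body = block.group(1)
        iface = INTERFACE_RE.search(body)
        lease = {"interface": iface.group(1) if iface else None, "options": {}}
        for opt in OPTION_RE.finditer(body):
            name, raw = opt.group(1), opt.group(2)
            # Multi-valued options are comma separated; strings are quoted.
            lease["options"][name] = [v.strip().strip('"') for v in raw.split(",")]
        leases.append(lease)
    return leases


def audit_lease(lease: Dict, trusted_dns: Set[str], trusted_dhcp: Set[str]) -> List[str]:
    """Return findings; an empty list means the lease matches the pinned configuration."""
    findings = []
    opts = lease["options"]
    servers = opts.get("dhcp-server-identifier", [])
    if not servers:
        findings.append("no dhcp-server-identifier in lease")
    for s in servers:
        if s not in trusted_dhcp:
            findings.append(f"DHCP server {s} not in pinned set")
    resolvers = opts.get("domain-name-servers", [])
    if not resolvers:
        findings.append("no DNS servers offered")
    for r in resolvers:
        try:
            ipaddress.ip_address(r)
        except ValueError:
            findings.append(f"malformed DNS server address {r!r}")
            continue
        if r not in trusted_dns:
            findings.append(f"unexpected DNS server {r}")
    return findings


def audit_current(text: str, trusted_dns: Set[str] = TRUSTED_DNS,
                  trusted_dhcp: Set[str] = TRUSTED_DHCP) -> List[str]:
    """Audit only the newest lease, which is the one the client is actually using."""
    leases = parse_leases(text)
    if not leases:
        return ["no lease found"]
    return audit_lease(leases[-1], trusted_dns, trusted_dhcp)


if __name__ == "__main__":
    for problem in audit_current(SAMPLE_LEASES):
        print("ALERT:", problem)
```

Run from a boot script after the client has obtained its address, a non-empty result is the point at which to refuse the offered resolvers (or restore a static resolv.conf) and raise an alert; pinning the server identifier catches the rogue server even when it hands out otherwise plausible values.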


Re: [Full-Disclosure] Google FILTERS searches for possible DMCA infringable content!!!

2003-10-01 Thread Gregory A. Gilliss
Okay, now *this* is a security issue.

First off, let's set some boundaries - the DMCA is *law* therefore it
has to be obeyed by corporations (Google) unless they are prepared to
fight it with their legal staff (not likely). So let's not waste bandwidth
bashing the DMCA. There are better fora for that.  Also, mea culpa - IANAL. 

BTW, pls don't anyone misconstrue the previous paragraph as an endorsement
of the law. I just don't want to waste peoples' time with DMCA rants on FD.

Now, if you scroll down this Web page you can find Google's policy for
affected sites to protest their exclusion. All they have to do is identify
their material of dubious nature, identify themselves (name, address, etc),
sign the paper (which makes it legally binding), and give it to Google.

So, if you have mp3 ph1l3z or whatever on your site and Google excludes
your URL because of the DMCA, and you write them a counter notification,
what you are doing effectively is giving the DOJ (or whoever decides to
chase after the nasty software/music pirates) the ammunition to come and
kick down your door and confiscate your servers and charge you with DMCA
violations.

For those of you who don't know (this is gonna get me in a lot of trouble,
but WTF) Google searches are monitored by agencies that care about things
like crime and terrorism. Don't ask me to validate that assertion, because 
there's no way that I can or would. Call me a conspiracy nut, but it is
and they are. 'nuf said.

G

On or about 2003.10.02 20:55:31 +, KF ([EMAIL PROTECTED]) said:

 http://www.google.com/dmca.html

-- 
Gregory A. Gilliss, CISSP Telephone: 1 650 872 2420
Computer Engineering   E-mail: [EMAIL PROTECTED]
Computer SecurityICQ: 123710561
Software Development  WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3



RE: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Mo nopoly

2003-10-01 Thread Chris Cozad
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 30 September 2003 11:49 PM
To: Chris Cozad
Cc: 'Paul Schmehl'; '[EMAIL PROTECTED]'
Subject: Re: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of
Mo nopoly 



On Tuesday, 30 September 2003 11:49 PM, Valdis.Kletnieks said:


 Do you really think you could convince the average user that they need to
 know this much about security? I mean, most users see their computers (and
 the network, servers, phones, faxes, etc...) as a tool to do business with.
 Nothing else. The computers are there to do a job, or help get a job done,
 and nothing else. It is not so much that they don't know, it is that they
 don't need to know.


This argument is a total crock. Most people manage to drive cars that
remain operational, because they either learn how to do the maintenance
themselves, or they outsource it to a guy called a mechanic.


Here.. let's do a s/computer/cars/ on that paragraph:


You are just re-wording my point. Security personnel are the mechanics in your example. There are two types of people (users) in the computer world. There are those that have an interest in how things work, and those that don't care, or don't want to know. Our problem is that the vast majority of users out there don't care about security. And these people probably don't need to know. They are accountants, sales people, managers, trainers, etc... They are employed for their abilities in other areas.

I suppose I could follow your example, and come up with a different analogy. These same people that use our computers also use photocopiers. They don't necessarily know all the functions that are available on that machine, nor do they know how to fix it when it breaks. They may just know how to put a piece of paper in the top, and make 10 copies come out the bottom. But that is fine. That's all they need to know to sell their product, or do their accounts, or whatever.

I could keep going with coffee machines, printers, calculators, etc..., but you get the point.


 Do you really think you could convince the average person that they need to
 know this much about fuel injectors? I mean, most people see their cars (and
 the network, servers, phones, faxes, etc...) as a tool to do business with.
 Nothing else. The cars are there to do a job, or help get a job done,
 and nothing else. It is not so much that they don't know, it is that they
 don't need to know.


I'll point out that the average car no longer comes with a crank to start it,
or a manual choke button that you have to remember to push back in. The
average car no longer needs major maintenance every few hundred miles.


So why are we tolerating computers that have cranks and choke buttons and
need major maintenance every few hundred hours?


We definitely shouldn't tolerate this, but until there is a viable solution...


Chris

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom
they are addressed.
If you have received this email in error please notify the
originator of the message. This footer also confirms that this
email message has been scanned for the presence of computer viruses.


Any views expressed in this message are those of the individual
sender, except where the sender specifies and with authority,
states them to be the views of Service Corporation International Australia.


Scanning of this message and addition of this footer is performed
by SurfControl SuperScout Email Filter software in conjunction with 
virus detection software.


[Full-Disclosure] Microsoft moves beyond patches

2003-10-01 Thread Frank Knobbe
The funniest thing in a while: Microsoft is conceding defeat on the
patch front AND running in the wrong direction:

http://news.com.com/2100-1002_3-5085251.html?tag=st_lh

Somebody please tell them that the days of perimeter defense have come
and passed...

Enjoy,
Frank