RE: [Full-Disclosure] TinyURL

2003-10-31 Thread Steffen Kluge
Ahh well, who would not remember the famous unbreakable DBMS...

Their QA department is recruiting again: http://tinyurl.com/dork

Cheers
Steffen.

On Thu, 2003-10-30 at 02:11, Bassett, Mark wrote:
 Anyone want an Asus Motherboard from newegg? :)
 
 http://www.tinyurl/boob
 
 
 Mark Bassett
 Network Administrator
 World media company
 Omaha.com
 402-898-2079
 
 
 -Original Message-
 From: Joel R. Helgeson [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, October 29, 2003 5:19 AM
 To: [EMAIL PROTECTED]
 Subject: [Full-Disclosure] TinyURL
 
 This is an information leak rather than a real vulnerability. I thought
 it might be of interest to others...
 
 www.tinyurl.com is a website that will convert a long URL to a short
 one. If you want to email a link to, say, driving directions on MapQuest,
 the URL is rather long and will get broken up. TinyURL will store that
 long link, and give you a short one that looks like: http://tinyurl.com/abcd
 
 It appears that the last four letters are incremented one letter at a
 time, so my URL may be , then aaab, and so forth.
 If people are using the TinyURL service to pass along URLs to sensitive
 information, it is easy to guess these URLs.
 
 I recently sent an email to someone with a TinyURL, and decided to change
 one character in the URL and came across a link to a kiddie porn site...
 http://tinyurl.com/stab
 
 It's a coincidence that stab is a word, but it's just a few characters off
 from my URL; staa & stac are also valid URLs.
 
 The TinyURL service should use a randomly created string, rather than one
 that is incremented by one character. Regardless, users of this service
 could have the information they intend to share with others viewed by
 anyone that types in the string.
 
 Thoughts?
 
 Joel R. Helgeson
 Director of Networking & Security Services
 SymetriQ Corporation
 
 Give a man fire, and he'll be warm for a day; set a man on fire, and
 he'll
 be warm for the rest of his life.
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.netsys.com/full-disclosure-charter.html
 
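As an added illustration of Joel's point (not code from the original post or from TinyURL), the following Python models the two allocation schemes he contrasts: a counter mapped to four letters ("aaaa", "aaab", ...) versus a random four-letter token. It then measures how many one-character variants of a legitimately received id resolve, which is exactly the "change one character" probe he describes; the store, URLs and counts are constructed for the demo.

```python
"""Models why sequential short-link ids are enumerable (added example)."""
import secrets
import string

ALPHABET = string.ascii_lowercase
ID_LEN = 4


def sequential_id(n: int) -> str:
    """Map an issue counter to a 4-letter id: 0 -> 'aaaa', 1 -> 'aaab', 26 -> 'aaba'."""
    chars = []
    for _ in range(ID_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(reversed(chars))


class ShortLinkStore:
    """In-memory shortener; random_ids selects the allocation scheme (constructed for the demo)."""

    def __init__(self, random_ids: bool):
        self.random_ids = random_ids
        self.links: dict[str, str] = {}
        self.counter = 0

    def shorten(self, url: str) -> str:
        if self.random_ids:
            # secrets gives unpredictable ids; the loop guards against a collision.
            while True:
                token = "".join(secrets.choice(ALPHABET) for _ in range(ID_LEN))
                if token not in self.links:
                    break
        else:
            token = sequential_id(self.counter)
            self.counter += 1
        self.links[token] = url
        return token

    def resolve(self, token: str):
        return self.links.get(token)


def one_char_variants(token: str) -> list[str]:
    """Every id differing from token in exactly one position (what 'stab' -> 'staa' does)."""
    return [
        token[:i] + alt + token[i + 1:]
        for i, c in enumerate(token)
        for alt in ALPHABET
        if alt != c
    ]


def neighbour_hit_rate(store: ShortLinkStore, known_token: str) -> float:
    """Fraction of one-character variants of a received id that resolve to a stored link."""
    variants = one_char_variants(known_token)
    hits = sum(1 for v in variants if store.resolve(v) is not None)
    return hits / len(variants)


def compare_schemes(n_links: int = 1000, probe_index: int = 500) -> tuple[float, float]:
    """Issue n_links ids under each scheme and probe around the probe_index-th one."""
    rates = []
    for random_ids in (False, True):
        store = ShortLinkStore(random_ids)
        tokens = [store.shorten(f"https://example.invalid/doc/{i}") for i in range(n_links)]
        rates.append(neighbour_hit_rate(store, tokens[probe_index]))
    return rates[0], rates[1]


if __name__ == "__main__":
    seq_rate, rnd_rate = compare_schemes()
    print(f"sequential: {seq_rate:.0%} of neighbours resolve, random: {rnd_rate:.1%}")
```

With 1,000 links issued, half of the sequential id's neighbours resolve, while for random ids the expected fraction is about 1000/26^4, well under one percent.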




[Full-Disclosure] IEpatch.exe?

2003-10-31 Thread Jürgen R. Plasser
Has anyone seen this Email before:

From: Microsoft Corp. [EMAIL PROTECTED]
Subject: [Users] You must patch your Internet Explorer.
Text:

Microsoft official patch for IE, AntiBlasterWorm 1.1

Microsoft released a security patch on 20.10.2003 designed
to fix two security vulnerabilities in all versions of its
Internet Explorer web browser.
The worm, W32.Blaster.Worm and its variants infects your
computer through security holes in Microsoft web browser,
Internet Explorer.This worm also has the potential to exploit
a similar issue that is addressed by Microsoft Security
Bulletin MS03-039. These issues concern a vulnerability in the
Remote Procedure Call (RPC) function.
So, we ask you that you patched your version of Internet Explorer.
You must patch your version of Internet Explorer,otherwise,
virus can infect your computer at days.
Your patch-program was attached to this letter.

1. Personal Information
   ---
   *** Your KEY: HFKFLW63JKGFF348FLD0467D ***
   ---
If you have any questions, please read a file (README.TXT).
2. Technical support
   ---
  For technical support questions, please go to
  http://www.microsoft.com
--
   Thank you for using Microsoft!
--
Attachment: IEpatch.exe, README.txt

The README.txt contains:


Microsoft Internet Explorer official patch AntiBlasterWorm 1.1
==
Version: 1.1
(c) Copyright Microsoft, Inc. All Rights Reserved.

1. Personal Information
   ---
   Your KEY:  HFKFLW63JKGFF348FLD0467D
   ---
Table of Contents
-
  2. Installation instructions
  3. Technical support
Installation instructions
-
  To install AntiBlasterWorm 1.1, you should follow the following simple
steps:
  1. Run the installer program by double-clicking on the
 IEpatch.exe icon.
  3. Follow the instructions of the installer program to install the
 AntiBlasterWorm 1.1.
  4. Done! The Internet Explorer should be patched.
Technical support
-
  For technical support questions, please go to
  http://www.microsoft.com
--
Jürgen


Re: [Full-Disclosure] stcloader.exe / slmss.exe ??

2003-10-31 Thread Tom Koehler
James Bruce wrote:
 Anyone seeing this file stcloader.exe (Norton does not detect)
 downloading a slmss.exe file (which Norton detects as Downloader.Trojan)?
 I just had 3 computers with it all around the same time. Stcloader.exe
 is in the Run part of the registry and in the system32 directory. After
 deleting them both, the slmss.exe did not show back up.
 
Hi James,
looks like FreeScratchCards; look here:
http://www.pestpatrol.com/PestInfo/f/freescratchcards.asp
HTH
tom





[Full-Disclosure] Corsaire Security Advisory: BEA Tuxedo Administration CGI multiple argument issues

2003-10-31 Thread advisories

-- Corsaire Security Advisory --

Title: BEA Tuxedo Administration CGI multiple argument issues
Date: 04.07.03
Application: BEA Tuxedo 8.1 and prior
Environment: Various
Author: Martin O'Neal [EMAIL PROTECTED]
Audience: General distribution
Reference: c030704-009


-- Scope --

The aim of this document is to clearly define several issues in the 
argument handling functionality of the BEA Tuxedo Administration Console 
application, as supplied by BEA Systems, Inc [1]. 


-- History --

Vendor notified: 04.07.03 
Document released: 31.10.03


-- Overview --

The BEA Tuxedo Administration Console is a CGI application that allows 
the remote administration of Tuxedo functions. One of the start-up 
arguments it accepts is a path to an INI file containing environmental 
settings. By entering various path values into this argument it is 
possible to:

- Confirm the existence of files outside of the web server environment.
- Cause a Denial of Service (DoS) on the web server host.
- Execute a cross-site scripting (XSS) attack through the application.


-- Analysis --

The BEA Tuxedo Administration Console is a CGI application that allows 
the remote administration of Tuxedo functions. One of the start-up 
arguments that this CGI application accepts is a path to an INI file. 
This file contains environmental variables, such as the default 
installation path of the Tuxedo application etc.  

The INIFILE argument appears not to be checked for any basic formatting 
issues such as a path outside of the web root, the use of device names, 
or for the presence of HTML constructs. 

By entering various path values into the INIFILE argument it is possible 
to use the Administration Console to confirm the existence of files 
outside of the web server environment, including those on different 
logical filesystems and even network drives. Through this approach it is 
possible to enumerate files, drives and hosts that are contactable by 
the target web server, so that they might be used with other exploits. 

By using standard device names (CON, AUX, COM1, COM2 etc.) within the 
arguments, the server thread will become unresponsive until the 
service/daemon is restarted. 

By using HTML constructs, mobile code such as JAVA can be executed 
within the user's context. This style of attack can be used to gain 
access to sensitive information, such as session cookies etc.


-- Proof of concept --

This proof of concept is known to work with a default BEA Tuxedo 
installation on a Windows platform. To make it work within different 
environments, you may need to alter the path used in the URL 
appropriately.

To replicate the XSS issue, initiate a connection to the server that is 
hosting the Tuxedo application, then use the following URL. 

   http://host/udataobj/webgui/cgi-bin/tuxadm.exe?
   INIFILE=<script>alert('XSS')</script>

This should result in an error, accompanied by a popup script dialog 
containing the message XSS.


-- Recommendations --

The application should be reviewed in line with security best practices, 
such as those recommended by the OWASP project [2], with special 
consideration paid to the validation of input and output fields.

Access to administrative tools such as this should be restricted to 
trusted domains only and where possible, should also be protected by 
additional measures, such as strong authentication. 

BEA have released an advisory (BEA03-38.00) [3] detailing the 
availability of a patch to correct the issues. This should be reviewed 
and if found to be suitable, the patch should be applied. 


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
multiple numbers to this issue: 

CAN-2003-0621 BEA Tuxedo Administration CGI file disclosure issue
CAN-2003-0622 BEA Tuxedo Administration CGI DoS issue
CAN-2003-0623 BEA Tuxedo Administration CGI XSS issue

These are candidates for inclusion in the CVE list, which standardises 
names for security problems (http://cve.mitre.org). 


-- References --

[1] http://www.bea.com
[2] http://www.owasp.org
[3] http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/advisory03_38_00.jsp


-- Revision --

a. Initial release.
b. Revised to include vendor's recommendations.


-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 


-- Disclaimer --

The information contained within this advisory is supplied as-is with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


Copyright 2003 Corsaire Limited. All rights reserved. 



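As an added, hypothetical illustration of the Recommendations above (not Corsaire's or BEA's code), this Python models a CGI front end that validates an INIFILE-style argument before using it: it rejects paths that leave a fixed INI directory, drive letters and UNC prefixes, Windows reserved device names such as CON and COM1, and markup characters, and it HTML-escapes the value when reporting an error so the error page cannot reflect script. The INI_ROOT directory and the ".ini only" rule are assumptions of the example.

```python
"""Defensive validation for a CGI 'INIFILE'-style argument (added example)."""
import html
import re
from pathlib import PurePosixPath, PureWindowsPath
from urllib.parse import parse_qs, urlsplit

# Names Windows maps to devices regardless of directory or extension;
# opening one as a file is what hangs the server thread.
WINDOWS_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{base}{n}" for base in ("COM", "LPT") for n in range(1, 10)
}
# Hypothetical directory from which INI files may be loaded (assumption).
INI_ROOT = "/tuxedo/udataobj/webgui"


class InvalidInifile(ValueError):
    """Raised when the argument fails validation."""


def validate_inifile(value: str) -> str:
    """Return the full path to load if value is acceptable, else raise InvalidInifile."""
    if not value or len(value) > 255:
        raise InvalidInifile("empty or too long")
    # Reject anything that could be markup or a shell metacharacter outright.
    if re.search(r"[<>\"'&;%\x00-\x1f]", value):
        raise InvalidInifile("disallowed characters")
    # PureWindowsPath understands both separators, drive letters and UNC prefixes,
    # so the same checks work whichever form the client sends.
    win = PureWindowsPath(value)
    if win.drive or win.root:
        raise InvalidInifile("absolute paths, drives and UNC names are not allowed")
    if ".." in win.parts:
        raise InvalidInifile("parent-directory traversal is not allowed")
    # Windows resolves the device by the part before the first dot ("CON.ini" is CON).
    if win.name.split(".")[0].upper() in WINDOWS_DEVICE_NAMES:
        raise InvalidInifile("reserved device name")
    if win.suffix.lower() != ".ini":
        raise InvalidInifile("only .ini files may be referenced")
    return PurePosixPath(INI_ROOT).joinpath(*win.parts).as_posix()


def is_valid_inifile(value: str) -> bool:
    """Boolean wrapper around validate_inifile for callers that only need accept/reject."""
    try:
        validate_inifile(value)
        return True
    except InvalidInifile:
        return False


def handle_request(url: str) -> tuple[int, str]:
    """Simulate the CGI front end: HTTP status and body, with the argument escaped on error."""
    params = parse_qs(urlsplit(url).query)
    value = params.get("INIFILE", [""])[0]
    try:
        path = validate_inifile(value)
    except InvalidInifile as exc:
        # html.escape neutralises the reflected value so the error page carries no script.
        return 400, f"<p>Bad INIFILE &quot;{html.escape(value)}&quot;: {exc}</p>"
    return 200, f"<p>Would load {html.escape(path)}</p>"


if __name__ == "__main__":
    for query in ("INIFILE=tuxadm.ini", "INIFILE=COM1.ini", "INIFILE=..\\..\\winnt\\win.ini"):
        print(query, "->", handle_request(f"http://host/cgi-bin/tuxadm.exe?{query}"))
```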

[Full-Disclosure] SUSE Security Announcement: thttpd (SuSE-SA:2003:044)

2003-10-31 Thread Thomas Biege

__

SUSE Security Announcement

Package:                thttpd
Announcement-ID:        SuSE-SA:2003:044
Date:                   Friday, Oct 31st 2003 13:04 MEST
Affected products:      7.3, 8.0, 8.1, 8.2, 9.0
Vulnerability Type:     remote privilege escalation/
                        information leak
Severity (1-10):        5
SUSE default package:   no
Cross References:       CAN-2003-0899
                        CAN-2002-1562

Content of this advisory:
1) security vulnerability resolved:
- buffer overflow
- information leak (virtual hosting)
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- libnids
- KDE
- postgresql
- frox
- sane
- ircd
- fileutils
- mc
- apache1/2
3) standard appendix (further information)

__

1)  problem description, brief discussion, solution, upgrade information

Two vulnerabilities were found in the tiny web server thttpd.
The first bug is a buffer overflow that can be exploited remotely
to overwrite the EBP register on the stack. Due to the memory alignment of
the stack done by gcc 3.x this bug cannot be exploited. All thttpd
versions mentioned in this advisory are compiled with gcc 3.x and are
therefore not exploitable.
The other bug occurs in the virtual-hosting code of thttpd. A remote
attacker can bypass the virtual-hosting mechanism to read arbitrary
files.

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command rpm -Fhv file.rpm to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.

__

2)  Pending vulnerabilities in SUSE Distributions and Workarounds:

  - libnids
New libnids packages were released to stop remote command execution
due to a memory corruption in the TCP reassembly code. (CAN-2003-0850)
Please download them from our FTP servers.

  - KDE
New KDE packages are currently being tested. These packages fix
several 

[Full-Disclosure] Corsaire Security Advisory: BEA WebLogic example InteractiveQuery.jsp XSS issue

2003-10-31 Thread advisories

-- Corsaire Security Advisory --

Title: BEA WebLogic example InteractiveQuery.jsp XSS issue
Date: 04.07.03
Application: BEA WebLogic 8.1 and prior
Environment: Various
Author: Martin O'Neal [EMAIL PROTECTED]
Audience: General distribution
Reference: c030704-008


-- Scope --

The aim of this document is to clearly define a vulnerability in the BEA 
WebLogic InteractiveQuery.jsp example application, as supplied by BEA 
Systems, Inc [1], that would allow an attacker to perform a Cross Site 
Scripting (XSS) attack.


-- History --

Vendor notified: 04.07.03 
Document released: 31.10.03


-- Overview --

The BEA WebLogic InteractiveQuery.jsp example application can be passed 
HTML constructs within arguments. This makes it possible to achieve an 
XSS attack, potentially giving access to confidential information, such 
as session cookies etc.


-- Analysis --

The BEA WebLogic InteractiveQuery.jsp example application is a CGI 
application that demonstrates the use of arguments to query a database. 
One of the start-up arguments that it accepts is a name of a person.  
This argument does not appear to be tested for formatting and if an 
invalid value is passed to the application, the value is simply repeated 
back in a results page. 

By using a carefully constructed value, mobile code such as JAVA, can be 
executed within the users context. This style of attack can be used to 
gain access to sensitive information, such as session cookies etc.


-- Proof of concept --

This proof of concept is known to work with a default BEA WebLogic 
example installation on a Windows platform. To make it work within 
different environments, you may need to alter the path used in the URL 
appropriately.

To replicate this issue, initiate a connection to the server that is 
hosting the WebLogic application, then use the following URL. 

   http://host/examplesWebApp/InteractiveQuery.jsp?
   person=<script>alert('XSS')</script>

This should result in a new page, accompanied by a popup script dialog 
containing the message XSS.


-- Recommendations --

Example applications should never be installed within a production 
environment. 

Read and follow the advice contained within the BEA supplied advisory on 
dealing with XSS issues [2].

The application should be reviewed in line with security best practices, 
such as those recommended by the OWASP project [3], with special 
consideration paid to the validation of input and output fields.

When providing example applications for use by developers, vendors 
should uphold the strictest compliance with security best practices, as 
it is common for such examples to be used as templates for real-world 
projects. By providing flawed examples, vendors are perpetuating poor 
development practice.


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0624 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


-- References --

[1] http://www.bea.com
[2] http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/SA_BEA03_36.00.jsp
[3] http://www.owasp.org


-- Revision --

a. Initial release.
b. Included reference for vendor advisory.


-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 


-- Disclaimer --

The information contained within this advisory is supplied as-is with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


Copyright 2003 Corsaire Limited. All rights reserved. 




--
CONFIDENTIALITY:  This e-mail and any files transmitted with it are
confidential and intended solely for the use of the recipient(s) only.
Any review, retransmission, dissemination or other use of, or taking
any action in reliance upon this information by persons or entities
other than the intended recipient(s) is prohibited.  If you have
received this e-mail in error please notify the sender immediately
and destroy the material whether stored on a computer or otherwise.
--
DISCLAIMER:  Any views or opinions presented within this e-mail are
solely those of the author and do not necessarily represent those
of Corsaire Limited, unless otherwise specifically stated.
--
Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF
Telephone: +44(0)1483-226000  Email:[EMAIL PROTECTED]

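As an added example (not BEA's InteractiveQuery.jsp or Corsaire's code), the following Python shows the echo-back pattern the advisory describes next to its escaped form, and a small check over constructed access-log lines that flags requests to InteractiveQuery.jsp whose person argument carries markup. The log format, addresses and timestamps are assumptions made for the demo.

```python
"""Reflected-XSS hardening and log screening for an echoed parameter (added example)."""
import html
import re
from urllib.parse import parse_qs, urlsplit


def render_results_vulnerable(person: str) -> str:
    """Mirrors the flawed pattern: the raw argument is pasted into the results page."""
    return f"<html><body><h2>Results for {person}</h2></body></html>"


def render_results_hardened(person: str) -> str:
    """Same page with the argument HTML-escaped (quotes included) before it is reflected."""
    return f"<html><body><h2>Results for {html.escape(person, quote=True)}</h2></body></html>"


# Heuristic for "does this value look like markup or script?": a tag opener,
# a javascript: URL, or an on*= event handler. Tune before use on real traffic.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# Common Log Format with the request line split into method, target and version.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def find_xss_probes(log_lines) -> list[tuple[str, str]]:
    """Return (client ip, decoded person value) for InteractiveQuery.jsp requests carrying markup."""
    hits = []
    for line in log_lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/InteractiveQuery.jsp"):
            continue
        # parse_qs percent-decodes, so %3Cscript%3E is examined as <script>.
        for value in parse_qs(parts.query).get("person", []):
            if MARKUP_RE.search(value):
                hits.append((m.group("ip"), value))
    return hits


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Oct/2003:13:10:01 +0000] "GET /examplesWebApp/InteractiveQuery.jsp?person=Smith HTTP/1.0" 200 512',
    '198.51.100.7 - - [31/Oct/2003:13:11:45 +0000] "GET /examplesWebApp/InteractiveQuery.jsp?person=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.0" 200 640',
    '198.51.100.7 - - [31/Oct/2003:13:12:02 +0000] "GET /examplesWebApp/InteractiveQuery.jsp?person=x%22%20onmouseover%3Dalert(1) HTTP/1.0" 200 600',
    '203.0.113.5 - - [31/Oct/2003:13:13:30 +0000] "GET /index.jsp?person=%3Cb%3Ehi HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    payload = "<script>alert('XSS')</script>"
    print(render_results_vulnerable(payload))
    print(render_results_hardened(payload))
    for ip, value in find_xss_probes(SAMPLE_LOG):
        print(f"probe from {ip}: {value!r}")
```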


Re: [Full-Disclosure] Shortcut...... may cause 100% cpu use!!!

2003-10-31 Thread |reduced|minus|none|
ctv wrote:

Hi |reduced|minus|none|!  @2003.10.30_22:52:12_  
WUT. I THOT HIS ARTICLES WUZ GOOD. YU SCRIPT KIDD.

--
[EMAIL PROTECTED]
AIM: l4m3n00b
MSN: [EMAIL PROTECTED]
http://www.instable.net
GnuPG Public Key: http://www.instable.net/pubkey.asc
The only sovereign you can allow to rule you is reason. - Wizard's 
Sixth Rule, Faith of the Fallen by Terry Goodkind
sod it -^^^
 it's an   |--- CIA agent
Read Dedication on Pillars of Creation
 


wow, interesting dedication for a book of that nature... hmm weird.
--
[EMAIL PROTECTED]
AIM: l4m3n00b
MSN: [EMAIL PROTECTED]
http://www.instable.net
GnuPG Public Key: http://www.instable.net/pubkey.asc
The only sovereign you can allow to rule you is reason. - Wizard's 
Sixth Rule, Faith of the Fallen by Terry Goodkind





Re: [Full-Disclosure] IEpatch.exe?

2003-10-31 Thread Andrei Galca-Vasiliu
It was discussed earlier, Microsoft doesn't send patches by mail :))
Regards

--
Andrei Galca-Vasiliu
Customer Support
Brasov Branch
Romania Data Systems
T: +402 68 474133  F: +402 68 474133
www.rdsnet.ro
--
Privileged/Confidential Information may be contained in this message.
If you are not the addressee indicated in this message (or responsable
for delivery of the message to such person), you may not copy or
deliver this message to anyone. In such a case, you should destroy
this message and kindly notify the sender by reply e-mail.
--
- Original Message - 
From: Jürgen R. Plasser [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 31, 2003 1:03 PM
Subject: [Full-Disclosure] IEpatch.exe?




[Full-Disclosure] Microsoft plans tighter security measures in Windows XP SP2

2003-10-31 Thread Helmut Hauser
Very interesting MSDN Article:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwxp/html/securityinxpsp2.asp


Helmut Hauser
Systemadministration EDV



Re: [Full-Disclosure] Microsoft plans tighter security measures in Windows XP SP2

2003-10-31 Thread yossarian
Most of it appears to be tightening the defaults. Useful, yes, but not very
new.

New is: "Interface restriction (exposed to developers, for example, through
a new registry key called RestrictRemoteClients) modifies the behavior of
all remote procedure call interfaces on the system and will, by default,
eliminate remote anonymous access to RPC interfaces on the system, with some
exceptions." All I can say is better late than never, this should have
existed ages ago - this is not XP specific. In 2001 when the first RPC
issues appeared on NT4 and W2k, I had expected such a step.

The introduction of an ACL on DCOM: well, why not just disable DCOM? Most
users don't need it, it does not solve problems that could not be solved in
another way. The possibility for 'more granular control' for admins on DCOM
means that more things can be tightened, if you know what they are and have
time to do so in a few thousand or more PCs. Never had much trouble with
PCs that had DCOM completely disabled anyway. Not more security in this SP2
thingie, unless a raise in the TCO is acceptable - things can be secured.

ICF will be enabled by default but will no longer block RPC. Yeah, great.
Oh, it will have a 'shielded mode', to block all RPC till a fix for a new
vulnerability is found. Yeah, same as with previous remark - who really
needs RPC? Many admins have no time to use remote management and/or registry
features and just put a Ghost disk in a faulty machine - quick and
effective. IMHO most admins would not know what to do with the features
anyway, since the insight in what the machine is doing, and what might be
wrong, is completely lacking. Usually they can't be bothered, anyway. As far
as I can see, this feature will make systems more vulnerable (i.e. the ones
using ICF) since RPC will be open unless it is closed on ICF protected
boxes.

The application white list is an extension for ICF that has the same
problem: who knows what apps are valid, who is to manage the list of 'known
to be good' etc. Usually admins consider the firewall a thing that just is,
and often it is managed by a specialized admin. Now every NT admin will have
to know the working of an application firewall, and generally, of all the
installed software. This will raise the TCO, and if companies do not employ
more and more skilled support staff, the feature will just be in the way,
and ICF probably disabled.

My 0.02 cents: nice try, but next time go for less is more - less features
is more security, this is just another featuritis.



- Original Message -
From: Helmut Hauser [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 31, 2003 2:26 PM
Subject: [Full-Disclosure] Microsoft plans tighter security measures in
Windows XP SP2




Re: [Full-Disclosure] pipeupadmin

2003-10-31 Thread Vctor
try on google

it's easy
http://content.443.ch/pub/security/blackhat/WinNT%20and%202K/pipeup/W2KPipeUp/
http://www.xillioncomputers.com/modules.php?name=Downloads&d_op=MostPopular


On Fri, 31 Oct 2003 13:46:38 +1000 Ivan Coric [EMAIL PROTECTED] wrote:

 does anyone have the source or exe of pipeupadmin/pipeupsam?
 
 thanks
 Ivan
 
 
 
 ***
 Messages included in this e-mail and any of its attachments are those
 of the author unless specifically stated to represent WorkCover Queensland.
 The contents of this message are to be used for the intended purpose only and
 are to be kept confidential at all times. This message may contain privileged
 information directed only to the intended addressee/s. Accidental receipt of
 this information should be deleted promptly and the sender notified. This
 e-mail has been scanned by Sophos for known viruses. However, no warranty nor
 liability is implied in this
 respect.**
 


-- 

it's so easy to forget me





RE: [Full-Disclosure] pipeupadmin

2003-10-31 Thread allan . vanleeuwen
Euhm .. I think he was asking for SOURCE code of this very publicly
available exploit.

-Original Message-
From: . [mailto:[EMAIL PROTECTED] 
Sent: Friday, 31 October 2003 16:05
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] pipeupadmin



===
The information contained in this message may be confidential and is
intended to be only for the addressee. Should you receive this message
unintentionally, please do not use the contents herein and notify the sender
immediately by return e-mail. Although Orange has taken steps to ensure that
this email and attachments are free from any virus, you do need to verify
the possibility of their existence as Orange can take no responsibility for
any computer virus which might be transferred by way of this email.
===




Re: [Full-Disclosure] Microsoft plans tighter security measures in Windows XP SP2

2003-10-31 Thread Ben Nelson
yossarian wrote:
 Most of it appears to be tighten the defaults. Useful, yes, but not very
 new..
New or not, it is one of the major gripes I always hear from Sys Admins 
in reference to MS software.  No doubt, it should have happened a long 
time ago, but, as they say, better late than never.

  The application white list is an extension for ICF that has the same
problem, who knows what apps are valid, who is to manage the list of 'known
to be good' etc. Usually admins consider the Firewall a thing that just is,
and often it is managed by a specialized admin. Now every NT-admin will have
to know the working of an application firewall, and generally, of all the
installed software. This will raise the TCO, and if companies do not employ
more and more skilled support staff, the feature will just be in the way,
and ICF probably disabled.
The application firewall sounds like a good idea.  Of course, it may 
take a few iterations and some bug fixes to get it right and make it 
easy to administer, but you've got to start somewhere and this also 
seems to me like a step in the right direction.  The ultimate fix would 
be to promote better (and more secure code), but since this will also 
protect 3rd party applications that MS has no control over it'll 
definitely help.  A little 'defense in depth' (hardly) ever hurts.

 My 0.02 cents: nice try, but next time go for less is more - less features
 is more security, this is just another featuritis.
I agree that 'less features is more security', but let's face 
it, people (by people, I mean the general public) want features and MS 
is in the business of making money.  More features == more money for 
them.  I don't begrudge them this (I work for a software company 
myself), so taking steps to make the additional features more secure (if 
even by using sane defaults) is a good thing.

I have traditionally been an anti-MS bigot.  However, I am always happy 
to see vendors making an effort (however small it may seem) to improve 
the security of the environment that they provide.  I don't even own a 
Windows machine, but if these 'enhancements' help mitigate the spread of 
things like Blaster and SoBig.F, then I don't have to spend my time 
going through a zillion IDS alerts and wasting CPU cycles on my 
Unix-based MTA filtering out crap emails.



[Full-Disclosure] Installation Security Issue for DATEV IDVS

2003-10-31 Thread t4rku5
Topic: Installation Security Issue for DATEV IDVS

Release Date: 2003-10-31


Affected Software:
==================

- Eigenorganisation comfort (IDVS)
- Eigenorganisation classic (IDVS)


Unaffected Software:
====================

- none known


Summary:
========

DATEV eG is a German company which makes software for tax advisors and
lawyers.

During installation/update of IDVS, sensitive database administrator logon
information may be captured in the installation log file.


Issue:
======

The installation program for IDVS records installation/update data into a
log file for troubleshooting purposes related to product installation. This
file generally contains basic information about installation/update options
and installation/update processes. The user name and password of the
database account, which are used to connect to the database, are captured
in the log file.


Workaround:
===========

Remove the installation log files after successfully installing/updating
Eigenorganisation (IDVS). The IDVS installation log files (file names
LW:\DATEV\LOG\IDVS\SRV\PostRep*.log | PostUpd*.log | PreRep*.log |
PreUpd*.log) are located in the DATEV log directory. The administrator
should delete these files once installation has completed.

These files may be deleted using Windows Explorer, or by starting a Command
Prompt and typing the following commands:

del LW:\DATEV\LOG\IDVS\SRV\Post*.log
del LW:\DATEV\LOG\IDVS\SRV\Pre*.log


Credits:
========

Discovered by t4rku5




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messengerl=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliatel=427



[Full-Disclosure] Asian Hackers?

2003-10-31 Thread Quaker Oats
Greetings All,

I'm interested in learning a bit more about the Asian hacking scene.
Who are some of the biggest players in the following locations:

Singapore
Hong Kong
South Korea
Kuala Lumpur
Japan

Over the past year, I've heard quite a bit of interest in the Asian market
for security products and services, and I wanted to know if that demand
has driven up the number of hackers in those areas as well.

QA
...it's mmm mmm good





Re: [Full-Disclosure] 27347

2003-10-31 Thread Ben Nelson
http://www.iss.net/security_center/advice/Exploits/Ports/27374/default.htm

Joe Blow wrote:
Anyone ever find out what this was?




[Full-Disclosure] (no subject)

2003-10-31 Thread t4rku5
Topic: DATEV Nutzungskontrolle Bypassing

Release Date: 2003-10-31


Affected system:
================

- Nutzungskontrolle V.2.2
- Nutzungskontrolle V.2.1


Unaffected system:
==================

- none known


Summary:
========

DATEV eG is a German company which makes software for tax advisors and
lawyers. The Nutzungskontrolle (NUKO) is a software component that
restricts the access of users. For example, a normal user is not allowed to
see the internal reward accounting data. The NUKO restricts these data by,
for example, blocking the advisor number, which is used for all data in the
internal reward accounting.


Issue:
======

It is possible to find out simple or blank passwords in the NUKO by
searching in the NUKO database.

The problem is that DATEV changed the default database password for all
their databases, except for the NUKO DB. At the moment the Sybase ASA
database is used to manage this. I will not write the login password down
here, because I think it is no problem to find this with Google.

1. First you have to add the default superuser to the group DATEV:

example:

GRANT MEMBERSHIP
IN GROUP DATEV
TO the superuser login (without )


2. Then just make a query to the table u_nkw_passwords for the column
nk_password to check where the password hash

3D7595A98BFF809D3D7595A98BFF809D3D7595A98BFF809D3D7595A98BFF809D

is.

example:

select nk_user_id from u_nkw_passwords where nk_password =
'3D7595A98BFF809D3D7595A98BFF809D3D7595A98BFF809D3D7595A98BFF809D'


3. Now query the user name of the nk_user_id.

example:

select nk_user_name from u_nkw_users where nk_user_id = 'one of the
userid from 2.'


4. Now you have a NUKO login with a blank password.



Workaround:
===========

Change the default database password.


Credits:
========

Discovered by t4rku5






Re: [Full-Disclosure] IEpatch.exe?

2003-10-31 Thread Jürgen R. Plasser
Hi Andrei,

--On 31.10.2003 14:57 +0200 Andrei Galca-Vasiliu wrote:

 It was discussed earlier, Microsoft doesn't send patches by mail :))
I already know that! :-) And because of that I assumed to have got a virus 
or worm email. Our anti virus software did not catch it, so I asked this 
list for any references.

Regards,
Jürgen


RE: [Full-Disclosure] 27347

2003-10-31 Thread Bassett, Mark
Why do people keep posting crap like this?  It's port 27347,
not 2737*4*.



Mark Bassett
Network Administrator
World media company
Omaha.com
402-898-2079


-Original Message-
From: Ben Nelson [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 31, 2003 9:30 AM
To: Joe Blow
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] 27347

http://www.iss.net/security_center/advice/Exploits/Ports/27374/default.htm

Joe Blow wrote:
 Anyone ever find out what this was?
 





Omaha World-Herald Company computer systems are for business use only.
This e-mail was scanned by MailSweeper




Re: [Full-Disclosure] Microsoft plans tighter security measures in Windows XP SP2

2003-10-31 Thread Georgi Guninski
quote from the m$ crap:
'Additionally, Microsoft is working with microprocessor companies to help Windows 
support hardware-enforced no execute (or NX) on microprocessors that contain the 
feature.'


Although the only currently shipping processor families with Windows-compatible 
hardware support for execution protection are the AMD K8 and the Intel Itanium 
Processor Family, it is expected that future 32 and 64-bit processors will provide 
execution protection. Microsoft is preparing for and encouraging this trend by 
supporting execution protection in its flagship Windows operating systems.

There have been linux solutions for this for years.
Apparently m$ can't make it themselves and need help from microprocessor companies, 
lol.

georgi


On Fri, 31 Oct 2003 14:26:17 +0100
Helmut Hauser [EMAIL PROTECTED] wrote:

 Very interesting MSDN Article:
 
 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwxp/html/securityinxpsp2.asp
 
 
 Helmut Hauser
 Systemadministration EDV
 


RE: [Full-Disclosure] stcloader.exe / slmss.exe ??

2003-10-31 Thread Matthew Wagenknecht
Here's your answer..   Google is a beautiful thing..

http://www.pestpatrol.com/PestInfo/f/freescratchcards.asp 


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Matt Wagenknecht  CISSP  |  MCSE
Security Administrator
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Never be afraid to try something new. 
Remember, amateurs built the ark; professionals built the Titanic. 

This email may contain confidential and privileged information for the sole
use of the intended recipient. Any review or distribution by others is
strictly prohibited. If you are not the intended recipient, please contact
the sender and delete all copies of this email message.


-Original Message-
From: Tom Koehler [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 31, 2003 4:21 AM
To: [EMAIL PROTECTED]
Subject: Re:[Full-Disclosure] stcloader.exe / slmss.exe ??

James Bruce wrote
Anyone seeing this file stcloader.exe (Nortons does not detect) 
downloading a slmss.exe file (which nortons detects as Downloader.
Trojan)
I just had 3 computers with it all around the same time. Stcloader.exe 
is the run part of the registry and in the system32 directory.  After 
deleting them both, the smlss.exe did not show back up.
 
Hi James,
looks like FreeScratchCards
look here:
http://www.pestpatrol.com/PestInfo/f/freescratchcards.asp
HtH
tom




Re: [Full-Disclosure] pipeupadmin

2003-10-31 Thread .
On Fri, 31 Oct 2003 16:31:41 +0100
[EMAIL PROTECTED] wrote:

 Euhm .. I think he was asking for SOURCE code of this very publicly
 available exploit.

does anyone have the source or exe of pipeupadmin/pipeupsam? ... source OR exe
... I only know where the exe is

have a nice day 

 


-- 

it's so easy to forget me



RE: [Full-Disclosure] stcloader.exe / slmss.exe ??

2003-10-31 Thread Matthew Wagenknecht
 
Yeah. Yeah. Yeah. I know.. Flame flame flame.. Here, I'll do it for you..

Tom Koehler already answered, you idiot, Read your f'n email before
replying! 
Did I miss anything?

I'm running on little sleep, here. Give me a break.. =c)


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Matt Wagenknecht  CISSP  |  MCSE
Security Administrator
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Never be afraid to try something new. 
Remember, amateurs built the ark; professionals built the Titanic. 

This email may contain confidential and privileged information for the sole
use of the intended recipient. Any review or distribution by others is
strictly prohibited. If you are not the intended recipient, please contact
the sender and delete all copies of this email message.




RE: [Full-Disclosure] Microsoft plans tighter security measures in Windows XP SP2

2003-10-31 Thread Schmehl, Paul L
 -Original Message-
 From: yossarian [mailto:[EMAIL PROTECTED] 
 Sent: Friday, October 31, 2003 8:15 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Microsoft plans tighter 
 security measures in Windows XP SP2
 
 The introduction of an ACL on DCOM: well, why not just 
 disable DCOM? Most users don't need it, it does not solve 
 problems that could not be solved in another way.

File and printer sharing is not needed?  Remote administration is not
needed?  Maybe not in home use, but in corporate?

 Many admins 
 have no time to use remote management and/or registry 
 features and just put a ghosts disk in a faulty machine - 
 quick and effective. IMHO most admins would not know what to 
 do with the features anyway, since the insight in what the 
 machine is doing, and what might be wrong, is completely 
 lacking.

We have *students* using RA to get users' machine back up and running.
If admins can't do that, they shouldn't be admins.  I seriously doubt
admins would do this sort of work anyway.  This is basic tech support
stuff.  Admins do remote connections to *servers*, not workstations
(except for personal stuff).

 Usually they can't be bothered, anyway. As far as I 
 can see, this feature will make systems more vulnerable (i.e. 
 the ones using ICF) since RPC will be open unless it is 
 closed on ICF protected boxes.

This makes no sense.  RPC is *already* open.  If ICF leaves it open,
nothing has changed WRT RPC.  A great deal has changed WRT other things,
however.  How do systems become more vulnerable by doing this?
 
 The application white list is an extension for ICF that has 
 the same problem, who knows what apps are valid, who is to 
 manage the list of 'known to be good' etc.

This is the same thing Zone Alarm does.  I don't see too many average
users struggling with the concept, do you?  Internet Explorer wants to
access the Internet.  Do you want to allow this?  Yes!  An unknown
application, mytroj.exe, wants to access the Internet.  Do you want to
allow this?  Huh?  NO!

 Usually admins 
 consider the Firewall a thing that just is, and often it is 
 managed by a specialized admin. Now every NT-admin will have 
 to know the working of an application firewall, and 
 generally, of all the installed software.

In AD you simply set the group policies and you're done.  This is a
*good* thing, which will reduce work for admins and make the enterprise
more secure.  For personal users, they will have a box that is truly a
client and cannot be a server without their specific authorization.
That is a good thing as well.  How many *nix distributions have the
firewall enabled by default?  Not many that I know of.  You usually have
to enable it during the install, and then you have to decide on a
configuration for it.  Granted, RedHat (for example) makes that pretty
easy, but you still have to agree to it.

Instead of griping about this, you should be thankful that MS is finally
starting to get a clue and moving in the right direction.

 This will raise the 
 TCO, and if companies do not employ more and more skilled 
 support staff, the feature will just be in the way, and ICF 
 probably disabled.

This will allow us, for the first time, to deploy personal firewalls
to all our Windows desktops.  I think that's a good thing, don't you?
We looked at several but couldn't afford them.  This allows us to deploy
*and* control desktop firewalls which will provide another layer of
protection for us at no additional cost other than the time spent
writing the group policy, which I'm pretty sure the admins we have can
do in a few minutes.

 My 0.02 cents: nice try, but next time go for less is more - 
 less features is more security, this is just another featuritis.
 
I obviously totally disagree.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 



[Full-Disclosure] Proxies

2003-10-31 Thread Earl Keyser
Help needed, please.

We use all cisco networking gear. Currently using a cisco cache engine
with SmartFilter to manage the surfing for our staff/students.  As
usual, the little devils figured a way to get around it. 

They went to Google, entered open proxy list and bingo-bango.  From
this list they found open proxies to use in IE.

Besides suspending them, we made one technological change. Outgoing
ports 8000, 8080,  and 3128 are now blocked at the firewall.

Can anyone suggest further refinements to reduce this kind of abuse? I
know some proxies run on port 80, but I'll have to live with that.

TIA

Earl

Earl Keyser, Network Specialist
Wayzata Public Schools
763-745-5105

Unix IS user-friendly. It's just picky about who its friends are.


This outbound message has been scanned for viruses by ISD#284.



[Full-Disclosure] Microsoft plans tighter security measures in Windows XP SP2

2003-10-31 Thread Jason Freidman

 In AD you simply set the group policies and you're done.  This is a
 *good* thing, which will reduce work for admins and make the enterprise
 more secure.  For personal users, they will have a box that is truly a
 client and cannot be a server without their specific authorization.
 That is a good thing as well.  How many *nix distributions have the
 firewall enabled by default?  Not many that I know of.  You usually have
 to enable it during the install, and then you have to decide on a
 configuration for it.  Granted, RedHat (for example) makes that pretty
 easy, but you still have to agree to it.

IIRC Anaconda puts the redhat firewall on High security by default.  Which means no 
incoming connections and uses their Lokkit script for DNS and so on.





Re: [Full-Disclosure] Proxies

2003-10-31 Thread Jan Meijer
On Fri, 31 Oct 2003, Earl Keyser wrote:

 We use all cisco networking gear. Currently using a cisco cache engine
 with SmartFilter to manage the surfing for our staff/students.  As
 usual, the little devils figured a way to get around it.

 They went to Google, entered open proxy list and bingo-bango.  From
 this list they found open proxies to use in IE.

 Besides suspending them, we made one technological change. Outgoing
 ports 8000, 8080,  and 3128 are now blocked at the firewall.

 Can anyone suggest further refinements to reduce this kind of abuse? I
 know some proxies run on port 80, but I'll have to live with that.

Yeah.  Implement technological measures at the end-nodes to prevent them
from using other proxies than yours.  As long as you allow outgoing
traffic from the end-nodes *and* they can set their own proxies there is
no way to prevent them doing just that.  And there are proxies anywhere,
on any port.  And if there are no proxies available, they'll just set them
up at home, using their broadband connectivity.  Might be a bit slower,
but gets the job done.

And, invest more in organisational measures.  Make sure everyone *knows*
about your local websurfing-rules.  And knows what happens if they don't
adhere.

Focussing on the end-nodes will give you an added bonus if you choose to
implement it: more secure end-nodes.  Nice to have before the next MS worm
hits.

Jan

-- 
/~\ The ASCII / Jan Meijer
\ / Ribbon Campaign-- --SURFnet bv
 X  Against HTML/   http://www.surfnet.nl/organisatie/jm/
/ \ Email   http://cert-nl.surfnet.nl/



Re: [Full-Disclosure] Proxies

2003-10-31 Thread Gary E. Miller
Yo Earl!

On Fri, 31 Oct 2003, Earl Keyser wrote:

 Besides suspending them, we made one technological change. Outgoing
 ports 8000, 8080,  and 3128 are now blocked at the firewall.

So what about all the legit services that run on those ports?  You have
now broken a LOT of applications.

 Can anyone suggest further refinements to reduce this kind of abuse? I
 know some proxies run on port 80, but I'll have to live with that.

The Cluebat personally applied is your best and only hope.  There are
way more proxies, open and otherwise, than you will ever be able to
close. They can be on any port, or use no TCP port.

RGDS
GARY
---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676



Re: [Full-Disclosure] Proxies

2003-10-31 Thread Charles E. Hill

You can never get around it, as you're aware -- proxies on ports 80, 20, 21, 
22 or something else really common will always be available.

However, since you need to show due diligence, you can do the following.

1. Have the administration set a policy with some teeth.  If you avoid the 
proxy, your account gets suspended or some such.

2. And I'm not sure how easy this will be... restrict protocols to their known 
ports.  Configure your firewall to only allow HTTP traffic through port 80, 
and not other ports.  FTP only through 20 and 21.  SSH only through 22, etc.

Don't allow HTTP headers through any other port.


-- 
Charles E. Hill
Technical Director
Herber-Hill LLC
http://www.herber-hill.com/



Re: [Full-Disclosure] Proxies

2003-10-31 Thread nosp
On Fri, 2003-10-31 at 17:20, Earl Keyser wrote:
 Besides suspending them, we made one technological change. Outgoing
 ports 8000, 8080,  and 3128 are now blocked at the firewall.
 
 Can anyone suggest further refinements to reduce this kind of abuse? I
 know some proxies run on port 80, but I'll have to live with that.

Make their IE's autoconfigure to a proxy server you set up, then
disallow all internal -> external HTTP connections bar from your
proxy?  Maybe your cisco cache engine = proxy server in which case,
presumably the problem is you can't prevent them changing their proxy
settings?  You can encourage them by preventing internal -> external
HTTP access, I suppose (just based on ports is the crude way).  But if
you don't want to do that you may have to inspect each connection
initiation packet to see if it's HTTP...since it's not hard to spread
the traffic out over any port.


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
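The payload inspection that nosp and Charles Hill suggest, as an added example that is not part of the thread: a Python classifier over constructed connection records that reads the client's first bytes to tell a proxy-style request (absolute URI or CONNECT) from a direct one, so an outside proxy on port 80 is caught as well as those on the blocked ports. The proxy address, the blocked port list and every sample record are assumptions made up for the example.

```python
"""Flag outbound connections that look like web traffic bypassing the
sanctioned proxy, judged from the first bytes the client sent.
Added example; addresses, ports and sample records are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical site values: the sanctioned proxy (the cache engine) and the
# three outbound ports the original poster blocked at the firewall.
SANCTIONED_PROXY = ("10.0.0.5", 3128)
BLOCKED_PROXY_PORTS = {8000, 8080, 3128}
INTERNAL_PREFIX = "10."

# An HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]{3,7}) (?P<target>\S+) HTTP/1\.[01]\r?\n")


@dataclass
class Connection:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client after the TCP handshake


def classify(conn: Connection) -> Optional[str]:
    """Return a finding label for a suspicious outbound connection, or None."""
    if (conn.dst, conn.dport) == SANCTIONED_PROXY:
        return None  # the sanctioned path; the cache engine polices it
    if conn.dst.startswith(INTERNAL_PREFIX):
        return None  # internal traffic never crosses the firewall
    m = REQUEST_LINE.match(conn.payload)
    if m:
        method, target = m.group("method"), m.group("target")
        # An absolute-URI request-target, or a CONNECT tunnel, is how a browser
        # talks to a *proxy*. Aimed anywhere but our own proxy it means an
        # outside proxy is in use, on whatever port (80 included).
        if target.startswith(b"http://") or method == b"CONNECT":
            return "proxy-request-to-unsanctioned-host"
        if conn.dport == 80:
            return "direct-http-bypassing-proxy"
        return "http-on-nonstandard-port"
    # Not recognisable as HTTP: fall back to the port-based rules.
    if conn.dport in BLOCKED_PROXY_PORTS:
        return "blocked-proxy-port"
    if conn.dport == 80:
        return "non-http-on-port-80"  # protocol/port mismatch: tunnelling
    return None  # e.g. TLS on 443 is opaque to this check


def scan(conns: List[Connection]) -> List[Tuple[str, str, int, str]]:
    """Run classify() over a batch; return (src, dst, dport, label) per hit."""
    findings = []
    for c in conns:
        label = classify(c)
        if label:
            findings.append((c.src, c.dst, c.dport, label))
    return findings


# Constructed sample records (documentation addresses for the outside hosts).
SAMPLE = [
    # 0: normal browsing through the cache engine
    Connection("10.0.1.23", "10.0.0.5", 3128,
               b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # 1: the bypass the poster saw: an open proxy on 8080
    Connection("10.0.1.23", "203.0.113.7", 8080,
               b"GET http://www.example.com/ HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    # 2: open proxy on port 80; the port filter misses it, the request line does not
    Connection("10.0.1.42", "198.51.100.9", 80,
               b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # 3: browser with proxy settings removed, talking to a web server directly
    Connection("10.0.1.42", "198.51.100.9", 80,
               b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # 4: unreadable payload on one of the firewall-blocked ports
    Connection("10.0.1.7", "192.0.2.5", 8000, b"\x16\x03\x01\x00\x5a\x01"),
    # 5: TLS to 443; opaque, nothing to flag with this check
    Connection("10.0.1.7", "192.0.2.5", 443, b"\x16\x03\x01\x00\x5a\x01"),
    # 6: an SSH banner on port 80: something tunnelled over the 'web' port
    Connection("10.0.1.9", "192.0.2.8", 80, b"SSH-2.0-OpenSSH_3.7\r\n"),
    # 7: CONNECT tunnel request to an outside proxy on an arbitrary port
    Connection("10.0.1.9", "192.0.2.8", 4444,
               b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst, dport, label in scan(SAMPLE):
        print(f"{src} -> {dst}:{dport}  {label}")
```

The classifier only sees cleartext; the TLS record in sample 5 shows the limit of this approach, which is why the thread pairs it with a policy users know about.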


Re: [Full-Disclosure] Microsoft plans tighter security measures in Windows XP SP2

2003-10-31 Thread yossarian
  -Original Message-
  From: yossarian [mailto:[EMAIL PROTECTED]
  Sent: Friday, October 31, 2003 8:15 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [Full-Disclosure] Microsoft plans tighter
  security measures in Windows XP SP2
 
  The introduction of an ACL on DCOM: well, why not just
  disable DCOM? Most users don't need it, it does not solve
  problems that could not be solved in another way.

 File and printer sharing is not needed?  Remote administration is not
 needed?  Maybe not in home use, but in corporate?

No, sorry Paul. Printers have their own IP address, file and printer sharing
was introduced for small networks. But since the mid nineties a network
interface became standard in laser printers - printer sharing became a real non
issue. File sharing: not for workstations, unless you make backups of every
workstation. Not suitable for corporations, user data is corporate property,
needs a back up so MUST be on a server. It is impossible to secure a network
where file and print sharing is common (where is the sensitive info to
secure?) - my personal BOFH way is disable the server service on every
Workstation. And the browser service as well.

Remote administration may be needed, I just said it is rarely used, for
various reasons, the foremost being that the support staff don't know sh**t
about the inner workings of windows, MCP or not.

  Many admins
  have no time to use remote management and/or registry
  features and just put a Ghost disk in a faulty machine -
  quick and effective. IMHO most admins would not know what to
  do with the features anyway, since the insight in what the
  machine is doing, and what might be wrong, is completely
  lacking.

 We have *students* using RA to get users' machine back up and running.
 If admins can't do that, they shouldn't be admins.  I seriously doubt
 admins would do this sort of work anyway.  This is basic tech support
 stuff.  Admins do remote connections to *servers*, not workstations
 (except for personal stuff).

What your students are doing is your problem, and I agree, admins don't do
this kind of work. But technical support in corporates is not done by
students, but by admins. And since it is all about TCO, putting back the
standard image is the policy of choice.

BTW, how do you use RA to get a machine up and running? If it is down, so is
RA.

  Usually they can't be bothered, anyway. As far as I
  can see, this feature will make systems more vulnerable (i.e.
  the ones using ICF) since RPC will be open unless it is
  closed on ICF protected boxes.
 
 This makes no sense.  RPC is *already* open.  If ICF leaves it open,
 nothing has changed WRT RPC.  A great deal has changed WRT other things,
 however.  How do systems become more vulnerable by doing this?

Better you read the MS paper first, RPC is closed by ICF.

  The application white list is an extension for ICF that has
  the same problem, who knows what apps are valid, who is to
  manage the list of 'known to be good' etc.

 This is the same thing Zone Alarm does.  I don't see too many average
 users struggling with the concept, do you?  Internet Explorer wants to
 access the Internet.  Do you want to allow this?  Yes!  An unknown
 application, mytroj.exe, wants to access the Internet.  Do you want to
 allow this?  Huh?  NO!

Ask your tech staff: what is this DNS service wanting to connect, or any
weird ADS related service? Anyway, ZoneAlarm is more common in small,
unprotected networks; I have yet to see it in a corporate network.

  Usually admins
  consider the Firewall a thing that just is, and often it is
  managed by a specialized admin. Now every NT-admin will have
  to know the working of an application firewall, and
  generally, of all the installed software.

 In AD you simply set the group policies and you're done.  This is a
 *good* thing, which will reduce work for admins and make the enterprise
 more secure.  For personal users, they will have a box that is truly a
 client and cannot be a server without their specific authorization.
 That is a good thing as well.  How many *nix distributions have the
 firewall enabled by default?  Not many that I know of.  You usually have
 to enable it during the install, and then you have to decide on a
 configuration for it.  Granted, RedHat (for example) makes that pretty
 easy, but you still have to agree to it.

Like I said before, disabling server and browser service is a lot easier.
Less is more; better not to need an application firewall at all.

 Instead of griping about this, you should be thankful that MS is finally
 starting to get a clue and moving in the right direction.

I have been supporting MS software since 1989. I am not saying that they are
not moving in the right direction when they start caring about security, but
they make the mistake nearly all programmers make: more features. And unlike
what has been said in this thread, users do not ask for more features,
unless it is a screensaver or a PDA connection. As an admin I 

[Full-Disclosure] IE6 - Crash via DOS device

2003-10-31 Thread morning_wood
Oct 30, 2003
Donnie Werner
[EMAIL PROTECTED]

I thought these bugs in Internet Explorer 6 had been fixed...

all of these make use of a local call to a
legacy DOS device, example
( file:///AUX ) as a link, called in an iframe ( XSS ) or used as an IMG
tag.
I tested,  CON, PRN, AUX, COMx, LPTx, CLOCK$ and NUL
only AUX and COM1 caused a lockup of Internet Explorer 6

do these links crash your browser?
1. http://exploitlabs.com/files/notices/AUXcrash.html --- click for links
to crash
2. http://exploitlabs.com/files/notices/AUX-iframe.html -- click this link
to crash
3. http://exploitlabs.com/files/notices/AUX-img.html -- click this link to
crash

note: these can be embedded via Cross Site Scripting ( XSS ) to deny service
to a website to those clients trying to connect via affected versions of IE6

Donnie Werner
http://exploit.labs.com
[EMAIL PROTECTED]



[Full-Disclosure] XSS In mldonkey - But....

2003-10-31 Thread Chris Sharp
Mldonkey is an open source p2p client which supports a
load of networks. It doesn't have a built-in UI; you
can telnet into it, or there's a web interface which
can be accessed from http://127.0.0.1:4080/ (or
whatever port you configure it to run on).

They've done a great job at making sure there are no XSS
issues, especially with data coming from the network.
You can inject scripts into the html error page rather
trivially using
http://127.0.0.1:4080/<script>...</script>


But who cares? There are far more dangerous things you
can do if you can make mldonkey go to URLs, for
example
http://localhost:4080/submit?setoption=q&option=allowed_ips&value=255.255.255.255
This will unlock the IP based access control; suddenly
everyone in the world can access the search interface.


The whole control system is via http: you can search,
download, whatever, all via http. If you can get the
user to go to arbitrary URLs then you can do
dangerous things directly without having to resort to
XSS, although the XSS does have some uses in terms of
automating multiple requests.

Being really Evil is left as an exercise for the
reader.

Now, if there were some method to inject html via
responses to a p2p search, then the whole thing would
be a little more interesting. Some media files may
contain embedded URLs; that may be an interesting way
of delivering payloads across a P2P network.

So, at the very least the web interface should include
some referrer checking to ensure that commands aren't
being generated from untrusted pages. This is a
general problem with any application controlled via
web interfaces.

Chris



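A same-origin gate of the sort Chris suggests for the web interface, as an added example written for this page and not mldonkey's own code. It assumes the interface answers on 127.0.0.1 or localhost, port 4080 as in the post, and that every path under /submit is a state-changing command (an assumption about the routing); the header sets and request paths it is run against are constructed. Commands that arrive without a Referer or Origin header are refused rather than waved through, so a hostile page that can make the browser fetch the unlock URL cannot also supply a matching header.

```python
from urllib.parse import urlsplit

# Where the local web interface is expected to answer (assumption; mldonkey's
# own bind/allowed_ips settings would decide this in a real deployment).
LOCAL_HOSTS = ("127.0.0.1", "localhost")
DEFAULT_PORT = 4080  # port named in the post


def split_host_header(host_header, default_port=DEFAULT_PORT):
    """Return (hostname, port) from a Host header such as '127.0.0.1:4080'.

    A malformed port yields None so the caller rejects the request.
    """
    hostname, _, port = host_header.strip().partition(":")
    if not port:
        return hostname.lower(), default_port
    try:
        return hostname.lower(), int(port)
    except ValueError:
        return hostname.lower(), None


def origin_of(url):
    """Return (hostname, port) of an absolute http(s) URL, or None if unusable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.hostname, port


def is_command(path):
    """Treat everything under /submit as state-changing (assumption)."""
    route = urlsplit(path).path
    return route == "/submit" or route.startswith("/submit/")


def check_request(path, headers, local_hosts=LOCAL_HOSTS):
    """Gate a request before it reaches the command handler.

    headers is a dict keyed by canonical header names. Plain pages pass on
    the Host check alone; commands also need a Referer (or Origin) naming the
    same local listener, and are refused outright when neither is present.
    Returns (allowed, reason).
    """
    hostname, port = split_host_header(headers.get("Host", ""))
    if hostname not in local_hosts or port is None:
        return False, "host header does not name the local listener"
    if not is_command(path):
        return True, "not a command"
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "command without referer"  # fail closed
    origin = origin_of(source)
    if origin is None or origin[0] not in local_hosts or origin[1] != port:
        return False, "command from a foreign page"
    return True, "same-origin command"


if __name__ == "__main__":
    # The unlock command from the post, arriving from a page on another site.
    unlock = "/submit?setoption=q&option=allowed_ips&value=255.255.255.255"
    print(check_request(unlock, {"Host": "127.0.0.1:4080",
                                 "Referer": "http://evil.example/page.html"}))
```

The Host check is there because a referer check on its own trusts whatever name the browser was sent to; comparing both against the configured local listener closes that gap. Some browsers and privacy tools strip Referer, so users with that setting lose commands under this fail-closed rule; a per-session token embedded in the interface's own forms is the stronger form of the same idea.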


[Full-Disclosure] Gates: 'You don't need perfect code' for good security

2003-10-31 Thread Jeremiah Cornelius
FLAME ON!

http://www.itbusiness.ca/index.asp?theaction=61&sid=53897

But there are two other techniques: one is called firewalling and the other 
is called keeping the software up to date. None of these problems (viruses 
and worms) happened to people who did either one of those things. If you had 
your firewall set up the right way - and when I say firewall I include 
scanning e-mail and scanning file transfer -- you wouldn't have had a 
problem. But did we have the tools that made that easy and automatic and that 
you could really audit that you had done it? No. Microsoft in particular and 
the industry in general didn't have it.

The second is just the updating thing. Anybody who kept their software up to 
date didn't run into any of those problems, because the fixes preceded the 
exploit. Now the times between when the vulnerability was published and when 
somebody has exploited it, those have been going down, but in every case at 
this stage we've had the fix out before the exploit. So next is making it 
easy to do the updating, not for general features but just for the very few 
critical security things, and then reducing the size of those patches, and 
reducing the frequency of the patches, which gets you back to the code 
quality issues. We have to bring these things to bear, and the very dramatic 
things that we can do in the short term have to do with the firewalls and the 
updating infrastructure. 


RE: [Full-Disclosure] nEW wINDOWS EXPLOIT -- 100% D.O.S.

2003-10-31 Thread Steve Wray
Yeah the patch doesn't even work; any 1337 HaQQoR could
easily just rip the square patch of gaffa tape right off
of the switch and then DoS my bOx easy as!

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Friday, 31 October 2003 10:23 a.m.
 To: vb
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] nEW wINDOWS EXPLOIT -- 100% D.O.S.
 
 
 Word is ... it affects ALL patched systems regardless of 
 patch level/version ... And the patch is already there 
 ... so there is no fix.
 
 Sorry, a little (additional) levity never hurts .. ;)
  {BIMPIN ADVISORY}
  
  [PLATFORM]
  I TESTED THIS ON A WINDOWS XP BOX. IT WAS PATCHED.
  
  DISCOVERY
  aLMOST EVERY COMPUTER HAS A SWITCH ON IT SOMEWHERE. 
 SOMETIMES THEY ARE
  VIZIBLE, SOMETIMES THEYR HIDDEN. IF A HAQQER WERE TO TAMPER 
 OR MOVE THIS
  SWITCH, IT COULD CAUSE A MASSIVE DOS ON THAT MACHINE.
  
  {THE EXPLOYT}
  
  FIND AN UNATTENDED PC THAT IS TURNED ON. FIND THE SWITCH
  MOVE THE SWITCH UP AND DOWN OR IN AND OUT. IF YOU DO IT 
 RIGHT, THE MACHINE
  WILL DOS1%
  
  mAN, THIS IS SO AWESOME.IM GUNNA BECOME A FAYMOUS 
 CONPUTER SECURITY
  CUNSULTENT. WOW THIS LIST THING IS AWESOME. WOW, MY FRIENDS 
 BACK AT GOBBLES
  HEADQUARTERS ARE GUNNA LIFT ME UPON THER SHOULDERS.
  AND YOU SKRIPT KIDDIES THOUGHT YOU COULD OUTSMART ME
  
  HEHE
  BIMPIN 4 EVA
  
  
 



Re: [Full-Disclosure] Proxies

2003-10-31 Thread Ben Nelson
Blocking all internal->external traffic and then allowing ONLY the 
needed services from the necessary hosts is the best way to stop this 
sort of abuse.  Then, using a web proxy that filters web content and 
only understands HTTP (to prevent other services from being tunneled 
over port 80), you should be good to go.

--Ben

Earl Keyser wrote:
Help needed, please.

We use all cisco networking gear. Currently using a cisco cache engine
with SmartFilter to manage the surfing for our staff/students.  As
usual, the little devils figured a way to get around it. 

They went to Google, entered "open proxy list" and bingo-bango.  From
this list they found open proxies to use in IE.
Besides suspending them, we made one technological change. Outgoing
ports 8000, 8080,  and 3128 are now blocked at the firewall.
Can anyone suggest further refinements to reduce this kind of abuse? I
know some proxies run on port 80, but I'll have to live with that.
TIA

Earl

Earl Keyser, Network Specialist
Wayzata Public Schools
763-745-5105
Unix IS user-friendly. It's just picky about who its friends are.

This outbound message has been scanned for viruses by ISD#284.




RE: [Full-Disclosure] Gates: 'You don't need perfect code' for good security

2003-10-31 Thread Stephen Blass


  the fixes preceded the exploit. 

and pigs fly



RE: [Full-Disclosure] Proxies

2003-10-31 Thread Bassett, Mark
Doesn't matter, you can still set up a squid http proxy on port 80 and
funnel everything through it.  Web traffic will appear through port 80.
If you analyzed the protocols, and made sure nothing but http traffic
was going through port 80 you would eliminate using other apps through
the port 80 proxy, but you cannot eliminate a port 80 http proxy for
http traffic.  You could set a policy in your domain to restrict proxy
settings, but a user could always use a different browser (group policy
only affects IE).  Currently I use a squid http proxy on port 80 to
bypass my own firewall to listen to shoutcast radio, IRC, and ftp to
non-standard ports.  Protocol inspection and analysis could eliminate
some of this, but would the overhead be worth it?  You could do a couple
of things to detect that people were using proxies though.  Parse through
your logs / ip accounting for repeated hits to hosts on port 80 and the
source ip, have it email you those ips and investigate.

Mark Bassett
Network Administrator
World media company
Omaha.com
402-898-2079


-Original Message-
From: Charles E. Hill [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 31, 2003 12:36 PM
To: Earl Keyser
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Proxies

You can never get around it, as you're aware -- proxies on ports 80, 20,
21, 22 or something else really common will always be available.

However, since you need to show due diligence, you can do the following.

1. Have the administration set a policy with some teeth.  If you avoid
the proxy, your account gets suspended or some such.

2. And I'm not sure how easy this will be... restrict protocols to their
known ports.  Configure your firewall to only allow HTTP traffic through
Port 80, and not other ports.  FTP only through 20 & 21.  SSH only
through 22, etc.

Don't allow HTTP headers through any other port.


On Friday 31 October 2003 09:20, Earl Keyser wrote:

- -- 
Charles E. Hill
Technical Director
Herber-Hill LLC
http://www.herber-hill.com/

 Help needed, please.

 We use all cisco networking gear. Currently using a cisco cache engine
 with SmartFilter to manage the surfing for our staff/students.  As
 usual, the little devils figured a way to get around it.

 They went to Google, entered "open proxy list" and bingo-bango.  From
 this list they found open proxies to use in IE.

 Besides suspending them, we made one technological change. Outgoing
 ports 8000, 8080,  and 3128 are now blocked at the firewall.

 Can anyone suggest further refinements to reduce this kind of abuse? I
 know some proxies run on port 80, but I'll have to live with that.

 TIA

 Earl

 Earl Keyser, Network Specialist
 Wayzata Public Schools
 763-745-5105

 Unix IS user-friendly. It's just picky about who its friends are.


 This outbound message has been scanned for viruses by ISD#284.

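The log triage Mark describes (repeated hits from one source to one host on port 80, mailed out for a human to investigate), worked through as an added example for this thread rather than code from any product named in it. It parses a simple constructed "timestamp src dst dport" record format, which a real firewall or accounting export would need adapting to, and flags an internal source whose port-80 connections concentrate on a single destination; the thresholds, the address ranges and the sample records are all constructed.

```python
"""Triage suspected proxy use from connection records.

Added example for the Proxies thread (not code from any product mentioned).
Records are "ts src dst dport"; only port-80 connections from internal
sources are considered, and a source is flagged when most of them land on
one destination host.
"""
import re
from collections import Counter, defaultdict

# Constructed sample records, not real logs. 10.1.5.77 sends almost all of its
# web traffic to one host; 10.1.5.23 browses normally; 10.1.5.90 is on 443.
SAMPLE_LOG = """\
2003-10-31T09:00:01 10.1.5.23 192.0.2.10 80
2003-10-31T09:00:02 10.1.5.23 192.0.2.11 80
2003-10-31T09:00:05 10.1.5.23 192.0.2.12 80
2003-10-31T09:00:07 10.1.5.23 192.0.2.13 80
2003-10-31T09:00:01 10.1.5.77 198.51.100.14 80
2003-10-31T09:00:02 10.1.5.77 198.51.100.14 80
2003-10-31T09:00:03 10.1.5.77 198.51.100.14 80
2003-10-31T09:00:04 10.1.5.77 198.51.100.14 80
2003-10-31T09:00:06 10.1.5.77 198.51.100.14 80
2003-10-31T09:00:09 10.1.5.77 198.51.100.14 80
2003-10-31T09:00:10 10.1.5.77 192.0.2.10 80
2003-10-31T09:00:01 10.1.5.90 203.0.113.8 443
2003-10-31T09:00:02 10.1.5.90 203.0.113.8 443
2003-10-31T09:00:03 10.1.5.90 203.0.113.8 443
2003-10-31T09:00:04 10.1.5.90 203.0.113.8 443
2003-10-31T09:00:05 10.1.5.90 203.0.113.8 443
this line is malformed and must be skipped
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dport>\d+)$"
)


def parse_records(text):
    """Yield (src, dst, dport) for well-formed lines; malformed lines are skipped."""
    for line in text.splitlines():
        match = RECORD_RE.match(line.strip())
        if match:
            yield match["src"], match["dst"], int(match["dport"])


def find_suspected_proxies(text, min_hits=5, min_share=0.8,
                           internal_prefix="10.", known_hosts=()):
    """Return sorted (src, dst, hits) for internal sources whose port-80
    connections concentrate on a single destination.

    min_hits keeps quiet hosts out of the report; min_share is the fraction
    of a source's port-80 connections its top destination must account for;
    known_hosts excludes legitimate heavy hitters (the district portal, a CDN).
    """
    per_source = defaultdict(Counter)
    for src, dst, dport in parse_records(text):
        if dport != 80 or not src.startswith(internal_prefix) or dst in known_hosts:
            continue
        per_source[src][dst] += 1

    flagged = []
    for src, destinations in per_source.items():
        top_dst, hits = destinations.most_common(1)[0]
        total = sum(destinations.values())
        if hits >= min_hits and hits / total >= min_share:
            flagged.append((src, top_dst, hits))
    return sorted(flagged)


if __name__ == "__main__":
    for src, dst, hits in find_suspected_proxies(SAMPLE_LOG):
        print(f"{src} sent {hits} port-80 connections to {dst}: investigate")
```

Busy legitimate destinations (the school's own portal, a large site's front end) produce the same shape, so the known_hosts exclusion and the min_share ratio are what keep the report short enough to act on; the output is a list of hosts to look at, not proof that a proxy is in use.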


[Full-Disclosure] Re: Gates: 'You don't need perfect code' for good security

2003-10-31 Thread Kenneth R. van Wyk
Jeremiah Cornelius posted an excerpt from an interview with Bill Gates earlier 
here.  FYI, in response to Mr. Gates's quote, my co-author and I have written 
an _opinion_ piece, included below.  We feel pretty strongly that Mr. Gates 
is missing (at least) a couple of important issues.

Cheers,

Ken van Wyk

=

31 October 2003

In a recent interview for ITBusiness.ca (full text available at
http://www.itbusiness.ca/index.asp?theaction=61&sid=53897), Microsoft
Chairman and Chief Software Architect Bill Gates is quoted as having
said:

  You don't need perfect code to avoid security problems. There
  are things we're doing that are making code closer to perfect,
  in terms of tools and security audits and things like that. But
  there are two other techniques: one is called firewalling and
  the other is called keeping the software up to date. None of
  these problems (viruses and worms) happened to people who did
  either one of those things. If you had your firewall set up the
  right way -- and when I say firewall I include scanning e-mail
  and scanning file transfer -- you wouldn't have had a
  problem.

Mr. Gates overlooks here two critical points.

First, firewalling and patching cannot in fact shield networks from
all of the impact of worms and viruses. Ask any experienced network
admin. There will always be users who bring into a firewalled network
a laptop that was, for example, infected at home. Once that infected
laptop is connected to the enterprise, the firewall is irrelevant.
Worse yet, no matter how aggressively a company has propagated a patch
throughout the network, the routine influx of vulnerable, unpatched
systems (from that same migrant laptop community) will continue to
supply fresh meat for the malicious software.

Second, the security of the application itself is tightly bound to
its design and implementation as well. A company that writes its own
business software could well go broke following Mr. Gates's advice.

To illustrate this, let's consider a hypothetical example that is very
realistic in today's business environment.  A company writes a
web-based application that enables its customers to log in and purchase
its goods.  In keeping with Mr. Gates's recommendations, they install
a high quality, state of the art firewall and put in place processes
for rapidly installing every security patch that Microsoft releases.
(Perhaps they test them in a controlled lab environment first.)

Now, let's further say that the team that wrote the application
software took the above quote by Mr. Gates to be accurate.  But it
turns out that there's a problem in the software that the team wrote.
Their front-end software (that runs on their web server)
doesn't properly screen users' input -- after all, you don't need
perfect code -- and an attacker discovers that a vulnerability known
as SQL Insertion exists in the application.  The SQL Insertion
vulnerability enables the attacker to enter SQL-based database
inquiries directly to the back-end database server, and make
read/write changes to the database at will -- perhaps he would change
the price of his purchase to $0 and the quantity of his order to
1000, or some such.  You get the drift.

In this hypothetical example, the firewall did its job perfectly.
All systems had up-to-date security patches installed. Yet the
attack succeeded at compromising the database system (AKA the
company's crown jewels).

While it's true that perfect code is probably not achievable,
you do need secure enough code; and achieving that takes a great
deal more than a good firewall and patch maintenance processes.  It
takes a sound design, built on top of a firm architecture. It takes
an implementation of the software that is free of such common flaws as
SQL Insertion, buffer overflows, and the like. And, it takes a well
designed and operated production environment with a firewall and such.

Every Software Designer and Software Architect in major corporations
needs to understand these principles if their own network and business
applications are to be secure.

Mark G. Graff
Kenneth R. van Wyk
Authors, Secure Coding
http://www.securecoding.org

Copyright (C) 2003, Mark G. Graff and Kenneth R. van Wyk.
Permission granted to reproduce and distribute in entirety with credit to 
authors.

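The SQL-injection scenario from the opinion piece, carried through in code as an added example (not the authors' code): a login query built by pasting user input into the SQL text, next to the same query with bound parameters, both run against a constructed in-memory SQLite table holding a single user. The user name, password and payload are made up for the demonstration; the point is that the firewall and the patch process in the piece's scenario never see either query.

```python
"""Vulnerable and hardened login query side by side.

Added example for the SQL-injection scenario above; schema, user row and
payload are constructed, and the code belongs to no product.
"""
import sqlite3


def make_db():
    """In-memory SQLite database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Pastes user input into the SQL text: the front end that 'doesn't
    properly screen users' input'. Returns the matched user name or None."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query with bound parameters: input is delivered to the engine as
    a value and can never alter the statement's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Classic tautology payload typed into the password field. Against the
# vulnerable query it turns the WHERE clause into
#   username = 'alice' AND password = '' OR '1'='1'
# which is true for every row.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", PAYLOAD))      # alice: check bypassed
    print(login_parameterized(db, "alice", PAYLOAD))   # None: payload is a literal
```

The parameterized version is not merely escaping more carefully: the statement text and the values travel to the database through separate channels, so no value can change what the statement does. That is a property of the code's design, which is the piece's point; no amount of perimeter equipment or patching of the platform supplies it.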


Re: [Full-Disclosure] IE6 - Crash via DOS device

2003-10-31 Thread morning_wood
 none of them worked for me...
 version 6.0.2800.1106.xpsp2.030422-1633
 windows xp corp. with sp1
 -- 
 [EMAIL PROTECTED]
 AIM: l4m3n00b
 MSN: [EMAIL PROTECTED]
 http://www.instable.net
 GnuPG Public Key: http://www.instable.net/pubkey.asc
 The only sovereign you can allow to rule you is reason. - Wizard's 
 Sixth Rule, Faith of the Fallen by Terry Goodkind

thanks, i was running win2k ie6 2800.1106

in the meantime i stumbled on this, you could try...

http://exploitlabs.com/files/notices/activedesktop.html



Donnie Werner
[EMAIL PROTECTED]
http://exploitlabs.com 



Re: [Full-Disclosure] Proxies

2003-10-31 Thread Richard Spiers

- Original Message - 
From: Ben Nelson [EMAIL PROTECTED]
To: Earl Keyser [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, October 31, 2003 8:06 PM
Subject: Re: [Full-Disclosure] Proxies


 only understands HTTP (to prevent other services from being tunneled
 over port 80), you should be good to go.

That isn't going to stop other services from being tunneled over port 80.
There are quite a few ways to do this. See Firepass. It is a tunneling tool,
allowing one to bypass firewall restrictions and encapsulate data flows
inside legal ones that use HTTP POST requests. TCP or UDP based protocols
may be tunneled with Firepass.

http://www.gray-world.net/pr_firepass.shtml

and no, I don't work for them, I don't know them, and I have no commercial
interest in advertising this freeware product ;p View it as proof of concept
;p

What exactly are you trying to stop these students from doing? Is there a
problem with them visiting certain sites, or using certain services, or
bandwidth restrictions etc?

Thanks
Richard Spiers



Re: [Full-Disclosure] Proxies

2003-10-31 Thread Jakob Lell
Hello,
you can't really prevent users from accessing some sites. Even if you block 
all direct connections from the clients to external addresses (which would stop 
http proxies), users can still use services like http://www.the-cloak.com/.
The only thing which might help is locking the accounts of those users trying 
to circumvent the restrictions.
Regards
Jakob




Re: [Full-Disclosure] IE6 - Crash via DOS device

2003-10-31 Thread |reduced|minus|none|
morning_wood wrote:
Oct 30, 2003
Donnie Werner
[EMAIL PROTECTED]
I thought these bugs in Internet Explorer 6 had been fixed...

all of these make use of a local call to a
legacy DOS device, example
( file:///AUX ) as a link, called in an iframe ( XSS ) or used as an IMG
tag.
I tested,  CON, PRN, AUX, COMx, LPTx, CLOCK$ and NUL
only AUX and COM1 caused a lockup of Internet Explorer 6
do these links crash your browser?
1. http://exploitlabs.com/files/notices/AUXcrash.html --- click for links
to crash
2. http://exploitlabs.com/files/notices/AUX-iframe.html -- click this link
to crash
3. http://exploitlabs.com/files/notices/AUX-img.html -- click this link to
crash
note: these can be embedded via Cross Site Scripting ( XSS ) to deny service
to a website to those clients trying to connect via affected versions of IE6
Donnie Werner
http://exploit.labs.com
[EMAIL PROTECTED]
none of them worked for me...
version 6.0.2800.1106.xpsp2.030422-1633
windows xp corp. with sp1
--
[EMAIL PROTECTED]
AIM: l4m3n00b
MSN: [EMAIL PROTECTED]
http://www.instable.net
GnuPG Public Key: http://www.instable.net/pubkey.asc
The only sovereign you can allow to rule you is reason. - Wizard's 
Sixth Rule, Faith of the Fallen by Terry Goodkind





Re: [Full-Disclosure] IE6 - Crash via DOS device

2003-10-31 Thread Richard Spiers

- Original Message - 
From: morning_wood [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 31, 2003 9:08 PM
Subject: [Full-Disclosure] IE6 - Crash via DOS device


 Oct 30, 2003
 Donnie Werner
 [EMAIL PROTECTED]
 
 I thought these bugs in Internet Explorer 6 had been fixed...
 
 all of these make use of a local call to a
 legacy DOS device, example
 ( file:///AUX ) as a link, called in an iframe ( XSS ) or used as an IMG
 tag.
 I tested,  CON, PRN, AUX, COMx, LPTx, CLOCK$ and NUL
 only AUX and COM1 caused a lockup of Internet Explorer 6

Not on my side. None of those links crashed my browser



[Full-Disclosure] _another_ Internet explorer vulnerability (spread via IRC) - new variation of irc.trojan.fgt

2003-10-31 Thread Tom Russell



Another worm spreading through IRC - the only 
reported solution to infection being reformatting your computer.

The URL given is: (DO NOT VISIT WITH IE IF YOU 
VALUE YOUR OPERATING SYSTEM)
http://www. 
angelfire.com/pro/pics33/jessica_alba.jpg

The virus/worm is exactly the same as the 
previously reported 'Fgt' britney.jpg virus.
For more information visit the following symantec 
site:

http://securityresponse.symantec.com/avcenter/venc/data/pf/irc.trojan.fgt.html

Regards,
Tom Russell
2tone:development (www.2tone-dev.com)


Re: [Full-Disclosure] Proxies

2003-10-31 Thread Valdis . Kletnieks
On Fri, 31 Oct 2003 10:35:41 PST, Charles E. Hill said:

 Don't allow HTTP headers through any other port.

I'm having some trouble with our webserver.  We send

GET /foobar.cgi HTTP/1.1

*BLAM*no carrierthwe

False positives suck..




RE: [Full-Disclosure] Proxies

2003-10-31 Thread S G Masood

It is more or less impossible with current technology
to set up an automated system to *completely* prevent
users from accessing certain HTTP content. What I mean
here is that everything available can be bypassed. 

How do you block *all* HTTP proxies, for instance (a la
Surfola and party)? How about custom written CGI
proxies? How about JAP like software?


 You could do a couple
 things to detect that people were using proxies
 though.  Parse through
 your logs / ip accounting for repeated hits to hosts
 on port 80 and the
 source ip, have it email you those ips and
 investigate.  

IMHO, these kinds of measures are the only thing you
can do to enforce your content access policies.

--
S.G.Masood
Hyderabad,
India.




RE: [Full-Disclosure] Proxies

2003-10-31 Thread adam.richards
Users can also set up a hotmail account and email themselves links to a
site.  Then log into hotmail and click their link.  As most of you know,
hotmail will open the website within itself, and to any logs/traffic it
looks like they're surfing on hotmail.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard
Spiers
Sent: Friday, October 31, 2003 2:48 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Proxies



- Original Message - 
From: Ben Nelson [EMAIL PROTECTED]
To: Earl Keyser [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, October 31, 2003 8:06 PM
Subject: Re: [Full-Disclosure] Proxies


 only understands HTTP (to prevent other services from being tunneled 
 over port 80), you should be good to go.

That isn't going to stop other services from being tunneled over port
80. There are quite a few ways to do this. See Firepass. It is a tunneling
tool, allowing one to bypass firewall restrictions and encapsulate data
flows inside legal ones that use HTTP POST requests. TCP or UDP based
protocols may be tunneled with Firepass.

http://www.gray-world.net/pr_firepass.shtml

and no, I don't work for them, I don't know them, and I have no
commercial interest in advertising this freeware product ;p View it as
proof of concept ;p

What exactly are you trying to stop these students from doing? Is there
a problem with them visiting certain sites, or using certain services, or
bandwidth restrictions etc?

Thanks
Richard Spiers



Re: [Full-Disclosure] Gates: 'You don't need perfect code' for good security

2003-10-31 Thread Exibar
What an idiot

   Take the loveletter worm: when it was first released, even if you had a
100% up to date AntiVirus software program, you would still get hit within
the first 8 hours. Slammer, Blaster, etc. all the same thing. They took
advantage of holes in the OPERATING SYSTEM.

   Yes we have ways of updating our virus software that work very very well,
McAfee has E-Policy Orchestrator, which I swear by.

  I'm not going to go on, but if Windows was as secure as Bill Gates and
company says it is, why were Blaster, Slammer, Code Red etc. even an issue?

   Exibar


- Original Message - 
From: Jeremiah Cornelius [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 31, 2003 1:32 PM
Subject: [Full-Disclosure] Gates: 'You don't need perfect code' for good
security


 FLAME ON!

 http://www.itbusiness.ca/index.asp?theaction=61sid=53897

 But there are two other techniques: one is called firewalling and the
 other is called keeping the software up to date. None of these problems
 (viruses and worms) happened to people who did either one of those things.
 If you had your firewall set up the right way - and when I say firewall I
 include scanning e-mail and scanning file transfer -- you wouldn't have had
 a problem. But did we have the tools that made that easy and automatic and
 that you could really audit that you had done it? No. Microsoft in
 particular and the industry in general didn't have it.

 The second is just the updating thing. Anybody who kept their software up
 to date didn't run into any of those problems, because the fixes preceded
 the exploit. Now the times between when the vulnerability was published and
 when somebody has exploited it, those have been going down, but in every
 case at this stage we've had the fix out before the exploit. So next is
 making it easy to do the updating, not for general features but just for
 the very few critical security things, and then reducing the size of those
 patches, and reducing the frequency of the patches, which gets you back to
 the code quality issues. We have to bring these things to bear, and the
 very dramatic things that we can do in the short term have to do with the
 firewalls and the updating infrastructure.



Re: [Full-Disclosure] Gates: 'You don't need perfect code' for good security

2003-10-31 Thread Valdis . Kletnieks
On Fri, 31 Oct 2003 13:21:56 MST, Stephen Blass [EMAIL PROTECTED]  said:
   the fixes preceded the exploit. 
 
 and pigs fly

From RFC1925:

   (3)  With sufficient thrust, pigs fly just fine. However, this is
        not necessarily a good idea. It is hard to be sure where they
        are going to land, and it could be dangerous sitting under them
        as they fly overhead.






Re: [Full-Disclosure] Proxies

2003-10-31 Thread Ben Nelson
only understands HTTP (to prevent other services from being tunneled
over port 80), you should be good to go.


That isn't going to stop other services from being tunneled over port 80.
There are quite a few ways to do this. See Firepass. It is a tunneling tool,
allowing one to bypass firewall restrictions and encapsulate data flows
inside legal ones that use HTTP POST requests. TCP- or UDP-based protocols
may be tunneled with Firepass.

Very true.  Bottom line: there will always be a way.  It's just a
matter of how sophisticated your clients (K-12 students and teachers in
this case) are.  If you can narrow the illegal traffic down enough
that any breaches are an anomaly that is caught by your IDS (or some
other form of monitoring), then you're doing well.  Once the anomaly
shows up, you can enforce your policy, which I should mention should
also be an integral part of the security architecture.  If you can't
enforce the policy, there's no incentive to follow it.

$.02
--Ben


RE: [Full-Disclosure] Gates: 'You don't need perfect code' for good security

2003-10-31 Thread Robert Ahnemann
   the fixes preceded the exploit.
 
 and pigs fly

The fixes might precede the exploit, but this says nothing to the fact
that A) Not everyone can run the fixes, or B) The fixes actually fix the
problem.

Rob Ahnemann
Intranet Application Developer
1401 S. Lamar St.
Dallas, TX 800.270.8565 x 780
 



Re: [Full-Disclosure] Microsoft plans tighter security measures in Windows XP SP2

2003-10-31 Thread Kenton Smith
On Fri, 2003-10-31 at 11:12, yossarian wrote:
 snip
  File and printer sharing is not needed?  Remote administration is not
  needed?  Maybe not in home use, but in corporate?
 
 No, sorry Paul. Printers have their own IP address; file and printer sharing
 was introduced for small networks. But since the mid nineties a network
 interface became standard in laser printers, so printer sharing became a real
 non-issue. File sharing: not for workstations, unless you make backups of
 every workstation. Not suitable for corporations: user data is corporate
 property, needs a backup, so MUST be on a server. It is impossible to secure
 a network where file and print sharing is common (where is the sensitive info
 to secure?) - my personal BOFH way is to disable the server service on every
 workstation. And the browser service as well.
 
What planet are you working on? I have bought 5 printers in the last
three years and 2 of those had built-in network cards. The others use
jet-Direct type interfaces which require software to be installed on
the server. You're saying I install this on everyone's workstation so
they can connect directly? Uh huh. No file sharing; everything should be
stored on a central server. Sure, no problem I'll just go out and drop
$100k on a SAN to store it all. *Or* I could take advantage of the fact
that every machine I buy comes with at least 40 GB of drive space on it.
And I'm sure you're going to suggest thin clients here, so I'll go out
and buy a small render farm for my graphics guys to do their 3D work on.

 Remote administration may be needed, I just said it is rarely used, for
 various reasons, the foremost being that the support staff don't know sh**t
 about the inner workings of windows, MCP or not.

Right and what inner workings do I need to know to use my remote patch
management software without RPC? It's really handy actually, but then
again maybe there's a better way to do it that I'm just too stupid to
know about.

snip

Hopefully we can all agree that anything Microsoft can do to attempt to
make its O/S more secure is better than the way it is now.

Kenton




Re: [Full-Disclosure] Microsoft plans tighter security measures in Windows XP SP2

2003-10-31 Thread yossarian
 On Fri, 2003-10-31 at 11:12, yossarian wrote:
  snip
   File and printer sharing is not needed?  Remote administration is not
   needed?  Maybe not in home use, but in corporate?
 
  No, sorry Paul. Printers have their own IP address; file and printer sharing
  was introduced for small networks. But since the mid nineties a network
  interface became standard in laser printers, so printer sharing became a real
  non-issue. File sharing: not for workstations, unless you make backups of
  every workstation. Not suitable for corporations: user data is corporate
  property, needs a backup, so MUST be on a server. It is impossible to secure
  a network where file and print sharing is common (where is the sensitive info
  to secure?) - my personal BOFH way is to disable the server service on every
  workstation. And the browser service as well.
 
 What planet are you working on? I have bought 5 printers in the last
 three years and 2 of those had built-in network cards. The others use
 jet-Direct type interfaces which require software to be installed on
 the server. You're saying I install this on everyone's workstation so
 they can connect directly? Uh huh. No file sharing; everything should be
 stored on a central server. Sure, no problem I'll just go out and drop
 $100k on a SAN to store it all. *Or* I could take advantage of the fact
 that every machine I buy comes with at least 40 GB of drive space on it.
 And I'm sure you're going to suggest thin clients here, so I'll go out
 and buy a small render farm for my graphics guys to do their 3D work on.

I usually work for banks and government agencies - yes, SAN systems are
getting fairly normal nowadays. I think you are in the SoHo market, with 5
printers in three years and 50 users that develop software - the customer I am
working for at the moment has some 5000 printers in the network, all HP with
JetDirect with an IP address. I am not a printer admin, so I had to check on
the HP4000 here at home - nope, it runs even when I turn off the server; all
you do is install the IP printing service on the workstations, not
printer sharing, which is a NetBIOS thingie...  Yeah, you can install software
on the server and share the printer to the users, but to use a shared
resource you do NOT need to install file and printer sharing on the
workstations. Like I wrote - workstations, NOT servers.

JetDirect cards are printer servers, at least the ones in HPs. Connecting a
printer to a PC IMHO makes it a server, albeit a non-dedicated one - and it is
utterly useless. I am not into thin clients for power users, but this has
absolutely no relation to file or printer sharing.

And I do consider the big disks in new 'puters a waste of capacity, but
since they cost the same as 4GB a few years ago, who cares?
Dunno how it is on the planet you work on, but PCs get stolen on a fairly
regular basis, so having data on them is considered insecure. No need for a
firewall; superglue is better here.

And for the SAN thing - I agree people doing rendering take a lot of disk
space, but Joe Average User won't need so much storage - maybe 50MB per
year. With 2000 users per server - who needs a SAN? Unless you allow them to
store everything - MP3s, holiday snapshots, downloaded software they aren't
allowed to install anyway, bedroom movies, every previous version of every
document, etc. Maybe I am getting old, but what is wrong with disk quotas? It
actually increases efficiency: less time needed to find an older document.
Different with developers, graphic types et al., I know, but the large
majority of 'puter users type Word documents, send e-mail and use big apps
that are server-based or mainframe-based. So no local data.

  Remote administration may be needed, I just said it is rarely used, for
  various reasons, the foremost being that the support staff don't know sh**t
  about the inner workings of windows, MCP or not.

 Right and what inner workings do I need to know to use my remote patch
 management software without RPC? It's really handy actually, but then
 again maybe there's a better way to do it that I'm just too stupid to
 know about.

Login script. Daisy-chaining patches. Basic stuff, really.

 snip

 Hopefully we can all agree that anything Microsoft can do to attempt to
 make its O/S more secure is better than the way it is now.

What is the use of a wrong attempt? A false feeling of security is actually
more dangerous.



Re: [Full-Disclosure] Gates: 'You don't need perfect code' for good security

2003-10-31 Thread |reduced|minus|none|
Exibar wrote:
What an idiot

   Take the Loveletter worm: when it was first released, even if you had a
100% up-to-date antivirus software program, you would still get hit within
the first 8 hours. Slammer, Blaster, etc. are all the same thing. They took
advantage of holes in the OPERATING SYSTEM.
Loveletter didn't. You had to open it.
--
[EMAIL PROTECTED]
AIM: l4m3n00b
MSN: [EMAIL PROTECTED]
http://www.instable.net
GnuPG Public Key: http://www.instable.net/pubkey.asc
The only sovereign you can allow to rule you is reason. - Wizard's 
Sixth Rule, Faith of the Fallen by Terry Goodkind





RE: [Full-Disclosure] Gates: 'You don't need perfect code' for good security

2003-10-31 Thread Beaty, Bryan
Correct me if I am wrong but...

I believe every worm listed below could have been prevented had everyone
patched their systems. 

I would like the security community to take more responsibility for
their own (in)actions. If you were hit by Blaster then you failed to
enforce a good patch management policy. Whose fault is that? Patch
management is boring and so we often ignore it. Hackers and worms simply
take advantage of our laziness. I guess blaster could be a form of
social engineering. I know admins don't patch so I can write a worm and
kill the world. 

There is no such thing as perfect code. If you want a completely secure
system you can buy them but they are unbelievably expensive. If you have
a business justification for something that secure then buy it.
Otherwise you have to live with what you can get from Linux, UNIX, or
even Microsoft. 

Microsoft has at least come out with some very good patch management
systems lately (SUS) and they are free. Red Hat charges me a yearly fee
for their RHN. 

I believe the #1 security threat today is poor patch management. Is that
Microsoft's fault?

-- I am off of my soap box now. 

Bryan Beaty

-Original Message-
From: Exibar [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 31, 2003 1:40 PM
To: Jeremiah Cornelius; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Gates: 'You don't need perfect code' for
good security


What an idiot.

   Take the Loveletter worm: when it was first released, even if you had
a 100% up-to-date antivirus software program, you would still get hit
within the first 8 hours. Slammer, Blaster, etc. are all the same thing. They
took advantage of holes in the OPERATING SYSTEM.

   Yes, we have ways of updating our virus software that work very, very
well. McAfee has ePolicy Orchestrator, which I swear by.

  I'm not going to go on, but if Windows was as secure as Bill Gates and
company say it is, why were Blaster, Slammer, Code Red, etc. even an issue?

   Exibar


- Original Message - 
From: Jeremiah Cornelius [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 31, 2003 1:32 PM
Subject: [Full-Disclosure] Gates: 'You don't need perfect code' for good
security


 FLAME ON!

 http://www.itbusiness.ca/index.asp?theaction=61sid=53897

 "But there are two other techniques: one is called firewalling and the other
 is called keeping the software up to date. None of these problems (viruses
 and worms) happened to people who did either one of those things. If you had
 your firewall set up the right way - and when I say firewall I include
 scanning e-mail and scanning file transfer -- you wouldn't have had a
 problem. But did we have the tools that made that easy and automatic and that
 you could really audit that you had done it? No. Microsoft in particular and
 the industry in general didn't have it.

 The second is just the updating thing. Anybody who kept their software up to
 date didn't run into any of those problems, because the fixes preceded the
 exploit. Now the times between when the vulnerability was published and when
 somebody has exploited it, those have been going down, but in every case at
 this stage we've had the fix out before the exploit. So next is making it
 easy to do the updating, not for general features but just for the very few
 critical security things, and then reducing the size of those patches, and
 reducing the frequency of the patches, which gets you back to the code
 quality issues. We have to bring these things to bear, and the very dramatic
 things that we can do in the short term have to do with the firewalls and the
 updating infrastructure."



Re: [Full-Disclosure] Microsoft plans tighter security measures in Windows XP SP2

2003-10-31 Thread Valdis . Kletnieks
On Fri, 31 Oct 2003 15:00:28 MST, Kenton Smith [EMAIL PROTECTED]  said:

 Hopefully we can all agree that anything Microsoft can do to attempt to
 make it's O/S more secure is better than the way it is now.

No.  We can't.

Consider the case of Microsoft letting Bozo the Clown do the design work and
the Three Stooges carrying out the implementation.

Remember that Microsoft is a *business*, and they don't have any responsibility
to you, the customer (since they've managed to thus far evade liability
lawsuits).  They *do* however have a fiduciary responsibility to the
stockholders to maximize the company's bottom line.

As a result, if Bozo, the stooges, and enough press releases to make Gartner
give a pretty 8.5x11 glossy costs $2M, and doing it *right* costs $20M, they
will choose the cheap route unless it's demonstrable that spending $20M will
generate enough additional sales that more than another $18M in profits will
accrue.

If I were a conspiracy theorist, I'd compare the probable cost of buying off
Guninski, the @stake crew, and the PivX crew, and compare that to the cost of
actually fixing IE.   Then remember that although the open-source world is
about pride and craftsmanship, Microsoft is all about the benjamins.




Re: [Full-Disclosure] Microsoft plans tighter security measures in Windows XP SP2

2003-10-31 Thread Kenton Smith
On Fri, 2003-10-31 at 16:27, [EMAIL PROTECTED] wrote:
 On Fri, 31 Oct 2003 15:00:28 MST, Kenton Smith [EMAIL PROTECTED]  said:
 
  Hopefully we can all agree that anything Microsoft can do to attempt to
  make it's O/S more secure is better than the way it is now.
 
 No.  We can't.
 
 Consider the case of Microsoft letting Bozo the Clown do the design work and
 the Three Stooges carrying out the implementation.
 
I think you maybe got off on a tangent and forgot to explain why you
answered no to my question.
In reference to your anti-capitalist rant... In the last 2 weeks MS has
had to re-release their Oct. 15 patches twice. In that time their stock
price has dropped more than 10%. Could it be that shareholders are
learning that MS needs to do something about their shoddy work?





Re: [Full-Disclosure] Re: Gates: 'You don't need perfect code' for good security

2003-10-31 Thread Geoincidents
 First, firewalling and patching can not in fact shield networks from
 all of the impact of worms and viruses. Ask any experienced network
 admin. There will always be users who bring into a firewalled network
 a laptop that was, for example, infected at home.

Part of the problem here is network design. For example, if laptops that are
brought in were only allowed to connect to a wireless network, and that
wireless network was on the far side of the firewall (perhaps slightly more
access than from the internet but still majorly firewalled) and treated as
the untrusted systems they in fact are, then it would not be such an
issue.

There is no rule that says you can't have internal firewalls to separate
untrusted from trusted systems. But you have to design your network around
this idea for it to work.

Geo.



RE: [Full-Disclosure] Re: Gates: 'You don't need perfect code' for good security

2003-10-31 Thread Andre Ludwig
I think the issue at hand is how Bill has simply given ideas for band-aid
patches and not ways to ultimately secure systems.  Firewalling and virus
protection have their place in any environment.  But poorly designed software
with bugs known and unknown should not be a part of a secure system.  So
while some choose to look at the problem at a higher level than others, the
issue still remains: no matter how many firewalls, AV products, IPSs, IDSs
you have in place, if you're still running shitty software at the end of the
line it is a liability. PLAIN AND SIMPLE.

And look at it from Bill's view: he can't play on the fact that ultimately it
is the quality of your code that makes a software system safe, not add-on
measures.  If he were to openly admit that then it would be the same as Bill
kicking himself in the nuts. Let's face it, Bill isn't stupid; he knows what
the real deal is, regardless of what any of us mailing list experts
deem is the truth.  (He is mighty keen on manipulating media as well.)

Andre Ludwig, CISSP



-Original Message-
From: Geoincidents [mailto:[EMAIL PROTECTED]
Sent: Friday, October 31, 2003 4:30 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Re: Gates: 'You don't need perfect code'
for good security


 First, firewalling and patching can not in fact shield networks from
 all of the impact of worms and viruses. Ask any experienced network
 admin. There will always be users who bring into a firewalled network
 a laptop that was, for example, infected at home.

Part of the problem here is network design. For example, if laptops that are
brought in were only allowed to connect to a wireless network, and that
wireless network was on the far side of the firewall (perhaps slightly more
access than from the internet but still majorly firewalled) and treated as
the untrusted systems they in fact are, then it would not be such an
issue.

There is no rule that says you can't have internal firewalls to separate
untrusted from trusted systems. But you have to design your network around
this idea for it to work.

Geo.



RE: [Full-Disclosure] Gates: 'You don't need perfect code' for good security

2003-10-31 Thread james
On Fri, 2003-10-31 at 16:50, Beaty, Bryan wrote:
 Correct me if I am wrong but...

I'll be glad to.

 
 I believe every worm listed below could have been prevented had everyone
 patched their systems.

 I would like the security community to take more responsibility for
 their own (in)actions. If you were hit by Blaster then you failed to
 enforce a good patch management policy. Who's fault is that? Patch
 management is boring and so we often ignore it. Hackers and worms simply
 take advantage of our laziness. I guess blaster could be a form of
 social engineering. I know admins don't patch so I can write a worm and
 kill the world. 


Since you directed this to the security community it seems you
are speaking to IT folk and not end users. I **cannot** apply
MS patches till they go through quite a bit of testing. I have been 
bitten with production boxes that are rendered unusable after a round 
of MS patches. We are a BSD/Linux shop with just a few MS boxes but it
still takes a lot of time to make sure the patch(es) will work with
various configurations and applications. I **shudder** to think what
orgs that are all MS have to do to deploy patches.

Whose fault is that?









Re: [Full-Disclosure] Re: Gates: 'You don't need perfect code' for good security

2003-10-31 Thread Gary E. Miller
Yo Geo!

On Fri, 31 Oct 2003, Geoincidents wrote:

 Part of the problem here is network design. For example, if laptops that are
 brought in were only allowed to connect to a wireless network, and that
 wireless network was on the far side of the firewall (perhaps slightly more
 access than from the internet but still majorly firewalled) and treated as
 the untrusted systems they in fact are, then it would not be such an
 issue.

So what is your solution for the folks that carry those USB keychain
memories?  People carry those around with virus-infected files and
plug them in to whatever machine they are sitting in front of.  I've had
people I'd never seen before try to plug them in to my hosts.  "Just
wanted to read my email, man."

RGDS
GARY
---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676



Re: [Full-Disclosure] Re: Gates: 'You don't need perfect code' for good security

2003-10-31 Thread Gary E. Miller
Yo Geo!

On Fri, 31 Oct 2003, Geoincidents wrote:

  So what is your solution for the folks that carry those USB keychain
  memories?  People carry those around with virus-infected files and
  plug them in to whatever machine they are sitting in front of.  I've had
  people I'd never seen before try to plug them in to my hosts.  "Just
  wanted to read my email, man."

 Any virus there should be caught by your AV software. No different than a
 floppy or CD.

And recent experience shows that the virus is a world-wide issue before
the new signatures come out for it.

RGDS
GARY
---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676




Re: [Full-Disclosure] Re: Gates: 'You don't need perfect code' for good security

2003-10-31 Thread Geoincidents
 I think the issue at hand is how Bill has simply given ideas for band aid
 patches and not ways to ultimate secure systems.  Fire walling and virus
 protection has its place in any environment.  But poorly designed software
 with bugs known and unknown should not be a part of a secure system.

You're partially right. Microsoft's biggest mistakes are in 2 places. But
it's not software design, it's default settings and really stupid feature
sets.

First, default settings, they have tended in the past to enable everything
instead of asking where you want to go then only enabling what you need to
get there. Recently I've seen good solid progress being made in this area, a
number of things are now installing OFF or at least have off switches that
are easy to find. I do believe they are on the right track although I'm not
sure they are going to get it right yet.

The second area is adding functions that have no business being there in the
first place. One current example of this is the new functionality they are
adding to office that will allow people who are working in office to
suddenly shoot off to amazon to do some shopping simply because they
mentioned some product in a document. I'll refer to these types of functions
as the "desktop salesman".  When this new Office feature was first mentioned
here or on one of the other security lists, the first comment I saw was
someone asking "doesn't this strike anyone as the type of feature that even
SOUNDS exploitable?"

Nobody needs this type of feature, but Microsoft, being the capitalists they
are, know they can make money by charging for advertising space on everyone's
desktops.  Be it web beacons, IE popup windows, Media player exposing DVD
names to outside sites,  picture folders that offer professional printing
services, windowsupdate cataloging your hardware, this new Office feature,
etc. these types of things have no place in a secure desktop environment and
until MS stops selling out the users in favor of the desktop salesman
advertisers we can expect this insanity to continue.

I still see no sign of them relenting on this part of the insanity (with the
exception of email based web beacons, but that was driven by mass revolt).
Microsoft really needs to get back to serving the users and forgetting about
compromising our privacy and anonymity in favor of the marketing types. Only
then will they be able to create a secure desktop environment.

Geo.



Re: [Full-Disclosure] Re: Gates: 'You don't need perfect code' for good security

2003-10-31 Thread Geoincidents

 So what is your solution for the folks that carry those USB keychain
 memories?  People carry those around with virus-infected files and
 plug them in to whatever machine they are sitting in front of.  I've had
 people I'd never seen before try to plug them in to my hosts.  "Just
 wanted to read my email, man."

Any virus there should be caught by your AV software. No different than a
floppy or CD.

Geo.



Re: [Full-Disclosure] Re: Gates: 'You don't need perfect code' for good security

2003-10-31 Thread Geoincidents

 And recent experience shows that the virus is a world-wide issue before
 the new signatures come out for it.

I think that's more a problem for network spreading of a worm like slammer
or email virus than it is for a virus that infects files you might store on
a memory stick. Typically that type of virus spread would be delayed long
enough that AV should be updated already. But yes, what you suggest is a
possibility.

However, I wasn't saying this is how you create a secure network, I was
just trying to point out one way to deal with the laptop issue. They aren't
trusted systems, don't put them on the trusted network segments.

Geo.



Re: [Full-Disclosure] Re: Gates: 'You don't need perfect code' for good security

2003-10-31 Thread Paul Schmehl
--On Friday, October 31, 2003 5:15 PM -0800 Gary E. Miller 
[EMAIL PROTECTED] wrote:
 So what is your solution for the folks that carry those USB keychain
 memories?  People carry those around with virus-infected files and
 plug them in to whatever machine they are sitting in front of.  I've had
 people I'd never seen before try to plug them in to my hosts.  "Just
 wanted to read my email, man."
Man, that's so easy, I'll answer it.  You just don't allow them to do that.
It's the "just say no" method of security.

Hey, it worked for Nancy.  :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Re: Gates: 'You don't need perfect code' for good security

2003-10-31 Thread Cesar
I am not used to getting involved in discussions but I'm
tired of hearing bullshit so here it goes..

Bill said:
"... Anybody who kept their software up to date didn't
run into any of those problems, because the fixes
preceded the exploit..."

I say:
One of the reasons is because independent security
researchers are being nice to vendors.

Well, I was going to make comments on all of what Bill
said but I'm tired. Lately CEOs of big companies
(Microsoft, Oracle, etc.) have been talking bullshit;
if they would spend more money on QA, security
testing, etc. than on marketing, the world would be
different, but that's another story: this is a
capitalist world and the ultimate goal is to have good sales.

I say shut up and fix your buggy software and be
thankful that security researchers are being nice to
you; your sales depend a lot on how vulnerabilities
are disclosed and how your software is trusted, so
SHUT UP.

PS: Hey Bill, do you use Outlook for e-mail? I bet
you use a text-only e-mail client; you don't want
anyone hacking you. Or is your personal computer
running Linux? :)

Cesar.



[Full-Disclosure] Re: Gates: 'You don't need perfect code' for good security

2003-10-31 Thread Charles E. Hill
Gates spoke as a politician.  His comments were very narrowly tailored.

Read them closely.  He spoke almost exclusively of Win2003 Server -- which has
very minimal deployment and is brand new.  I don't know anyone who has
actually installed Win2k3 yet.

The comments that anyone who patched didn't have these problems and that the
patches preceded the incidents *WERE CORRECT* -- for the last half-dozen
issues over the last month -- which is what he was talking about.

It wasn't a general statement on MS security, though it was ambiguous enough.
He mixed a lot of generalisms (layered security, Windows a target because it
is more widely deployed) with a lot of non-sequitur specifics (Win2K3 hasn't
seen a lot of exploits [duh! it isn't widely deployed!  See the last
sentence!]).

Keep in mind how Mr. Gates handled his deposition in the anti-trust trial...

'At other points, Gates has claimed he doesn't know what his interrogators
mean when they use terms such as "concerned", "ask" and "non-Microsoft
browser".'


-- 
Charles E. Hill
Technical Director
Herber-Hill LLC
http://www.herber-hill.com/
