[Full-Disclosure] Malware added in transit

2004-03-19 Thread Paul
[H.  Interesting concept, but unlikely.  (Maybe if you were clearer about the definition of a node?)  I can't recall anything that actually did this.  Happy99 and PrettyPark did something similar, but really just creating a followup to the original (innocent) message.  It's unlikely you'd find something that would/could infect a router to perform this kind of action.  Not impossible, but unlikely.]
By node I am thinking more of any server the file may travel through rather than a router.  And my theoretical question is more concerned with downloaded files (such as media files) than email.
 
Thus, if a web site provides a clean media file for download, can it become tainted by travelling through a compromised server?
one step at a time...

Re: [Full-Disclosure] Is this a paypal scam?

2004-03-19 Thread ja6.com
Hmm, a quick search of ARIN (www.arin.net) and the APNIC (www.apnic.net)
reveals this IP is in CHINA. Unless PayPal is hosting servers in China, I would guess 
it is a scam.
Also seems kinda suspect that the IP does not have a reverse lookup assigned to it if 
it is valid.
For example one of Paypal's front end servers is 64.4.231.34 and resolves to www.paypal.com.

I wouldn't send them anything, but that's just me. 

% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum:      218.62.0.0 - 218.62.127.255
netname:      CNCGROUP-JL
country:      CN
descr:        CNCGROUP jilin province network
admin-c:      CH444-AP
tech-c:       WT92-AP
status:       ALLOCATED NON-PORTABLE
changed:      [EMAIL PROTECTED] 20031016
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CNCGROUP-JL
changed:      [EMAIL PROTECTED] 20040301
source:       APNIC

person:       CNCGroup Hostmaster
nic-hdl:      CH444-AP
e-mail:       [EMAIL PROTECTED]
address:      No.156,Fu-Xing-Men-Nei Street,
address:      Beijing,100031,P.R.China
phone:        +86-10-82990775
fax-no:       +86-10-82990885
country:      CN
changed:      [EMAIL PROTECTED] 20031027
mnt-by:       MAINT-CNCGROUP
source:       APNIC

person:       Wang Tiegang
nic-hdl:      WT92-AP
e-mail:       [EMAIL PROTECTED]
address:      96,JieFang Road ChangChun 130021 China.
phone:        +86-431-8925217
fax-no:       +86-431-8925190
country:      CN
changed:      [EMAIL PROTECTED] 20030117
mnt-by:       MAINT-CNCGROUP-JL
source:       APNIC
--
--Jon
[EMAIL PROTECTED] wrote:

http://218.62.43.30/verify.html

Signed up for paypal 2 weeks ago, and then this came in the mail as a link 
in a paypal looking html email asking me to confirm by entering my credit 
card/account info.
I've only purchased 1 thing since signing up; it was from ebay from a 
longtime seller with nearly 100% positive feedback, and I received the 
equipment as expected.
If this is a scam, then maybe paypal has some employees passing new 
account info outside the company.

-jamie-

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
 





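The checks Jon walks through above (is the link host a bare IP, who does the whois registry say owns it, does it have a reverse lookup) can be scripted. The following is an added example, not code from the thread: it parses an RPSL-style whois record (the sample below is a subset of the APNIC record quoted above) and scores a link against the brand it claims to be. The reverse-DNS result is passed in as a parameter rather than looked up, so the function runs offline; `expected_domain` and the helper names are this example's own.

```python
import ipaddress
from urllib.parse import urlsplit

# Subset of the APNIC record quoted in the message above (not a live lookup).
SAMPLE_WHOIS = """\
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum:      218.62.0.0 - 218.62.127.255
netname:      CNCGROUP-JL
country:      CN
descr:        CNCGROUP jilin province network
admin-c:      CH444-AP
tech-c:       WT92-AP
status:       ALLOCATED NON-PORTABLE
mnt-by:       APNIC-HM
source:       APNIC

person:       CNCGroup Hostmaster
nic-hdl:      CH444-AP
country:      CN
source:       APNIC
"""


def parse_whois(text):
    """Split RPSL-style whois output into objects (blank-line separated dicts).
    '%' comment lines are skipped; for repeated keys the first value wins."""
    objects, current = [], {}
    for line in text.splitlines():
        if line.startswith('%'):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, sep, value = line.partition(':')
        if sep:
            current.setdefault(key.strip().lower(), value.strip())
    if current:
        objects.append(current)
    return objects


def host_is_ip_literal(url):
    """True when the URL's host is a bare IPv4/IPv6 address rather than a name."""
    host = urlsplit(url).hostname or ''
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def ip_in_range(ip, inetnum):
    """inetnum is 'a.b.c.d - e.f.g.h' as printed by APNIC/RIPE."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in inetnum.split('-'))
    return lo <= ipaddress.ip_address(ip) <= hi


def triage(url, whois_text, ptr_name=None, expected_domain='paypal.com'):
    """Return the reasons a link does not look like the brand it claims.
    ptr_name is the reverse-DNS name of the host (None when the PTR lookup
    returned nothing); it is supplied by the caller so this runs offline."""
    reasons = []
    host = urlsplit(url).hostname or ''
    if host_is_ip_literal(url):
        reasons.append('URL host is a bare IP address, not a %s name' % expected_domain)
        block = next((o for o in parse_whois(whois_text) if 'inetnum' in o), None)
        if block and ip_in_range(host, block['inetnum']):
            reasons.append('whois: %s, country %s' % (block.get('netname'), block.get('country')))
    elif not (host == expected_domain or host.endswith('.' + expected_domain)):
        reasons.append('host %s is outside %s' % (host, expected_domain))
    if ptr_name is None:
        reasons.append('no reverse DNS record for the host')
    elif not ptr_name.endswith(expected_domain):
        reasons.append('reverse DNS %s does not belong to %s' % (ptr_name, expected_domain))
    return reasons


if __name__ == '__main__':
    for reason in triage('http://218.62.43.30/verify.html', SAMPLE_WHOIS, ptr_name=None):
        print('-', reason)
```

The point of passing the PTR name in is that the whois and reverse-DNS lookups are the only network-dependent steps; everything else is string work that a mail filter can do on every link before anyone clicks it.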
Re: [Full-Disclosure] malware added in transit

2004-03-19 Thread Rob, grandpa of Ryan, Trevor, Devon & Hannah
From:   Paul <[EMAIL PROTECTED]>
Date sent:  Thu, 18 Mar 2004 23:58:07 +1100 (EST)

> Hi all, perhaps I'm way off-base but I've been under the impression that
> malware can be added to clean transmissions as they pass through infected
> nodes.  Is this possible? 

H.  Interesting concept, but unlikely.  (Maybe if you were clearer about the 
definition of a node?)  I can't recall anything that actually did this.  Happy99 and 
PrettyPark did something similar, but really just creating a followup to the original 
(innocent) message.  It's unlikely you'd find something that would/could infect a 
router to perform this kind of action.  Not impossible, but unlikely.

==  (quote inserted randomly by Pegasus Mailer)
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Never mistake motion for action.  - Ernest Hemingway
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade



Re: [Full-Disclosure] Re: Administrivia

2004-03-19 Thread Spiro Trikaliotis
Hello,

I'm sorry since I think this is really OT on this list, but I only want
to pass on that little bit of information in the hope of stopping this
discussion.

* On Thu, Mar 18, 2004 at 11:07:27PM -0600 Frank Knobbe wrote:

> There is no absolute answer to this problem, like in much of security.
> It's a decision where each and everyone of us has to apply something
> special common sense.

Isn't that the reason why there is a Mail-Followup-To (MFT) header
(http://cr.yp.to/proto/replyto.html)? With this, the sender of a mail
can decide if he wants a copy of the mail or not.

If I want to get a copy of the mail in addition to the list, the header
is set to the list and my address, if I don't want this, I set it to the
list only.

Mutt, my MUA, supports the notion of lists and subscribed lists. On a
non-subscribed list, I get a copy of any reply by setting MFT to myself,
too, while I don't get a copy on subscribed lists.

Why don't you all just let the user choose which way he wants to go?

Thank you,
   Spiro.

PS: Please honour my MFT.


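The rule Spiro describes, written out in Python as an added example (not his code or Mutt's): when a message carries Mail-Followup-To, a group reply goes to exactly those addresses and the usual From/To/Cc set is ignored; without it, the reply goes to From plus To plus Cc minus the replier. The addresses in the constructed sample messages are made up.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages; list and people addresses are invented.
WITH_MFT_LIST_ONLY = """\
From: alice@example.org
To: full-disclosure@lists.example.net
Mail-Followup-To: full-disclosure@lists.example.net
Subject: test

body
"""

WITH_MFT_LIST_AND_SENDER = """\
From: alice@example.org
To: full-disclosure@lists.example.net
Cc: carol@example.com
Mail-Followup-To: full-disclosure@lists.example.net, alice@example.org
Subject: test

body
"""

WITHOUT_MFT = """\
From: alice@example.org
To: full-disclosure@lists.example.net
Cc: bob@example.com
Subject: test

body
"""


def mail_followup_to(list_address, my_address, subscribed):
    """Header value to set when posting: the list alone if you are subscribed
    to it, the list plus yourself if you are not (so you still see replies)."""
    return list_address if subscribed else '%s, %s' % (list_address, my_address)


def followup_recipients(raw_message, my_address):
    """Recipient list for a group reply to raw_message.
    Mail-Followup-To, when present, replaces From+To+Cc outright; an MFT that
    names the sender is honoured as given, since that is how the sender asks
    for a copy. Without MFT, fall back to From+To+Cc minus the replier."""
    msg = message_from_string(raw_message)
    mft = msg.get_all('Mail-Followup-To')
    if mft:
        addrs = [addr for _, addr in getaddresses(mft)]
    else:
        hdrs = msg.get_all('From', []) + msg.get_all('To', []) + msg.get_all('Cc', [])
        addrs = [addr for _, addr in getaddresses(hdrs)
                 if addr.lower() != my_address.lower()]
    seen, ordered = set(), []
    for addr in addrs:           # de-duplicate while keeping header order
        if addr.lower() not in seen:
            seen.add(addr.lower())
            ordered.append(addr)
    return ordered


if __name__ == '__main__':
    print(followup_recipients(WITH_MFT_LIST_ONLY, 'bob@example.com'))
    print(followup_recipients(WITHOUT_MFT, 'bob@example.com'))
```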

Re: [Full-Disclosure] New Virus probably Bagle.Q

2004-03-19 Thread Rob, grandpa of Ryan, Trevor, Devon & Hannah
From:   "Helmut Hauser" <[EMAIL PROTECTED]>
Date sent:  Thu, 18 Mar 2004 11:08:44 +0100

> link to virus is ...
> http://blah.blah.blah:81/100721.php

The php is a dead giveaway: this is probably Bagle.Q et al.  (The message probably 
had object tags around this, correct?)  The infected machine will download a 
script: the script will download a (seemingly innocuous) file, and then rename it 
and invoke it.  Then *you* start sending out email like that  :-)

> Host is in Korea, abuse warning has been sent.

Have you also contacted the ISP?  The machine owner is probably unaware of 
what is going on.  (The samples I've got are from Korea as well.)


==  (quote inserted randomly by Pegasus Mailer)
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Those are my principles. If you don't like them I have others.
  - Groucho Marx
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade


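Rob's tell-tales for this Bagle variant are an object tag in the mail body pointing at a `.php` URL on an odd port (the quoted link is `http://blah.blah.blah:81/100721.php`). As an added example, not code from the thread or from any AV vendor, here is a small Python scorer a gateway could run over HTML mail bodies: it pulls every tag that makes the client fetch remote content and reports the two tell-tales. The sample bodies are constructed; the host in the first one is the placeholder from Helmut's message, and the tag list and the "three reasons" cut-off are this example's own choices.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags that make a mail client fetch remote content, and the attributes
# that carry the URL. Assumed list for this example.
LOADER_TAGS = {
    'object': ('data', 'codebase'),
    'iframe': ('src',),
    'embed':  ('src',),
    'script': ('src',),
}

# Constructed sample bodies. The URL in the first is the placeholder quoted
# in the message above; the second is an ordinary newsletter-style body.
SAMPLE_BAGLE = ('<html><body><object data="http://blah.blah.blah:81/100721.php">'
                '</object></body></html>')
SAMPLE_BENIGN = ('<html><body><p>Hello</p>'
                 '<img src="http://www.example.com/logo.gif"></body></html>')


class RemoteLoaderFinder(HTMLParser):
    """Collect (tag, url) for every loader tag that points at an http(s) URL."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        names = LOADER_TAGS.get(tag)
        if not names:
            return
        attr = {k.lower(): (v or '') for k, v in attrs}
        for name in names:
            url = attr.get(name, '')
            if url.lower().startswith(('http://', 'https://')):
                self.hits.append((tag, url))


def score_html_mail(body):
    """One finding per remote loader, each with the list of reasons it is
    suspicious: remote load, non-standard port, server-side script as content."""
    finder = RemoteLoaderFinder()
    finder.feed(body)
    finder.close()
    findings = []
    for tag, url in finder.hits:
        parts = urlsplit(url)
        reasons = ['<%s> loads remote content' % tag]
        try:
            port = parts.port
        except ValueError:          # garbage port string: treat as odd
            port = -1
        if port not in (None, 80, 443):
            reasons.append('non-standard port %s' % port)
        if parts.path.lower().endswith(('.php', '.asp', '.cgi')):
            reasons.append('server-side script served as embedded content')
        findings.append({'tag': tag, 'url': url, 'reasons': reasons})
    return findings


def looks_like_bagle_q(body):
    """True when some embedded loader shows all three tell-tales at once."""
    return any(len(f['reasons']) >= 3 for f in score_html_mail(body))


if __name__ == '__main__':
    for finding in score_html_mail(SAMPLE_BAGLE):
        print(finding['url'], '->', '; '.join(finding['reasons']))
```

A script URL on port 80 still yields a finding with two reasons, so the scorer can be used for triage rather than as a hard block; `looks_like_bagle_q` is the strict form.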

RE: Re[2]: [Full-Disclosure] New Virus under way ...

2004-03-19 Thread Jos Osborne

> How about Bagle2.x ?

Or Bagle3.11, Bagle'95, BagleMe, Bagle2000, BagleXP...

;>

Jos



Re: [Full-Disclosure] New Virus under way ...

2004-03-19 Thread Paolo A. Gallenga
You forgot Bagle'95 SR-1, Bagle'98 and Bagle'98SE!
:-D
Jos Osborne wrote:
|>How about Bagle2.x ?
|
|
| Or Bagle3.11, Bagle'95, BagleMe, Bagle2000, BagleXP...
|
| ;>
|
| Jos
- --
Paolo A. Gallenga
System Administrator
Atlantica Sistemi S.r.l.
[EMAIL PROTECTED] - http://www.atlantica.it/


RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?

2004-03-19 Thread Random Letters


The only way to 100% secure a Windows client machine is to take it away from 
the user and lock it in a cupboard.

Surely I'm not alone in thinking this?

In reality we calculate the risk/productivity ratio and then hand over the 
machine (we do as we're told). Most people can't be persuaded that there is 
any risk (see below) so don't even take the precautions available.

Linux, etc. is still for geeks and not for your average punter. Windows is 
better at hiding its complexity. Plus, Windows comes preinstalled on 
probably 99% of client machines.

Users are getting better educated on the risks but as we have seen this 
week, they can still be tempted to open that juicy attachment. Solutions 
don't come as fast as the problems.

If Windows was 100% secure, why bother at all with patches and virus 
updates?

BTW I'm sure these arguments can be applied to all OSs including those 
running on PDAs and phones.



I must be unfit for my job :-) Oh well - I'm sure someone will notice 
eventually.

---
If you're happy and you know it clap your hands
---
  Does HoTMaiL come with a spell checker?
Microsoft, Linux, Solaris, xBSD - they're all capable of being secured
by anyone who can follow simple instructions.  Anyone who says otherwise
merely shows that they are totally unfit for their job.


RE: [Full-Disclosure] Re: Administrivia

2004-03-19 Thread John . Airey
> -Original Message-
> From: Jason [mailto:[EMAIL PROTECTED]
> Sent: Friday, 19 March 2004 01:08
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Re: Administrivia
> 
> Nick FitzGerald wrote:
> 
> > [EMAIL PROTECTED] wrote:
> > 
> > > And please guys, stop cc'ing me. I'm on the list and have been almost
> > > since it started!
> > 
> > Indeed.
> > 
> > First, it is actually _rude_ to CC responses to messages from "self-
> > moderating" lists (such as Full-Disclosure) to the poster and the list
> > because, by definition, the poster is on the list and will see your
> > reply.
> 
> Perhaps a read over RFC 1855 would be in order for a few?
> 
> ftp://ftp.rfc-editor.org/in-notes/rfc1855.txt
> 
> but *I* prefer to be in the recipient list if I have joined in on the
> discussion, it is clearly a discussion I am interested in or felt like
> chiming in on. I have filters... they filter... they filter differently
> if I am a named to or cc... discussions I am participating in by default
> float to my attention.
> 
Except I would add that the quoted RFC (which is informational, not
mandatory) does say that signatures should be kept short:

- If you include a signature keep it short.  Rule of thumb
  is no longer than 4 lines.  Remember that many people pay for
  connectivity by the minute, and the longer your message is,
  the more they pay.

The observant will note that mine breaks this advice (although it doesn't if
you ignore the extra bit that I put in. It usually offends at least one
person). The RNIB disclaimer is outside my control, except that I have
pointed out that it can lead to our own email being classed as SPAM and
suggested a link to a web page would be better.

Anyway, it follows logically from this that most people wouldn't like to
receive more than one copy either.

I won't even mention the number of evil remailers out there that are
resending messages to this list and bugtraq like it's going out of business!

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Shameless movie plug - go see the Passion of the Christ!

- 
DISCLAIMER: 

NOTICE: The information contained in this email and any attachments is 
confidential and may be privileged. If you are not the intended 
recipient you should not use, disclose, distribute or copy any of the 
content of it or of any attachment; you are requested to notify the 
sender immediately of your receipt of the email and then to delete it 
and any attachments from your system. 

RNIB endeavours to ensure that emails and any attachments generated by 
its staff are free from viruses or other contaminants. However, it 
cannot accept any responsibility for any  such which are transmitted.
We therefore recommend you scan all attachments. 

Please note that the statements and views expressed in this email and 
any attachments are those of the author and do not necessarily represent 
those of RNIB. 

RNIB Registered Charity Number: 226227 

Website: http://www.rnib.org.uk 



RE: Administrivia (was: RE: [Full-Disclosure] Re: Microsoft Secu rity, baby steps ? )

2004-03-19 Thread John . Airey
> -Original Message-
> From: Nick FitzGerald [mailto:[EMAIL PROTECTED]
> Sent: Friday, 19 March 2004 02:31
> To: [EMAIL PROTECTED]
> Subject: Re: Administrivia (was: RE: [Full-Disclosure] Re: Microsoft
> Security, baby steps ? )
> 
> madsaxon <[EMAIL PROTECTED]> wrote?
> 
> > > Also, when sending messages to multiple lists (say F-D and Bugtraq), it
> > > seems you may slightly reduce the multiple message spew that often
> > > results on F-D because of the above by putting all the addresses in the
> > > To: header, rather than one in the To: and the other(s) in CC:.
> > 
> > Why is that, do you think?
> 
> Because, from a rather cursory look at several such multiple mails,
> _some_ of those braindead "I'll forward it to every address I can find
> in the message headers even though it did not originate on-site" re-
> posters only seem to do this with messages that have CC: headers.
> 
Actually, it's still happening even with posts to the to: field.

A case in point is the message I sent to Bugtraq and Full-Disclosure
yesterday where all the entries were in the to line. Some of the bounce
messages I received (not the copious out of office messages which I delete
anyway) were saying that they were unable to deliver to full-disclosure or
bugtraq, which they shouldn't have been doing anyway.

One of these faulty remailers appeared to belong to Microsoft.



Re: [Full-Disclosure] Is this a paypal scam?

2004-03-19 Thread Michael Cecil
[EMAIL PROTECTED] wrote:

>http://218.62.43.30/verify.html
>
>Signed up for paypal 2 weeks ago, and then this came in the mail as a link
>in a paypal looking html email asking me to confirm by entering my credit
>card/account info.
>I've only purchased 1 thing since signing up; it was from ebay from a
>longtime seller with nearly 100% positive feedback, and I received the
>equipment as expected.
>If this is a scam, then maybe paypal has some employees passing new
>account info outside the company.
>
>-jamie-
Short answer:  Yes, it is a scam.

I don't have any paypal account (and never will) but I routinely get these 
kinds of emails.  I get them apparently from banks and credit card companies 
as well.

Good rule of thumb - never click on a link in email.  Always use your 
existing  known-good URL for paypal (or whatever), then check the site for 
security announcements, etc.
--
Michael Cecil
[EMAIL PROTECTED]
http://home.comcast.net/~macecil/howto/
http://home.comcast.net/~antiviruscd/



RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?

2004-03-19 Thread Luke Scharf
On Thu, 2004-03-18 at 14:40, James P. Saveker wrote:
> That's the *real* challenge of trying to secure a network - the vast gap
> between what could be done given the proper mandate and financing, and what
> you can usually actually deploy with the mandate and financing you actually
> got. :)

Plus, in the case of VT, many of the machines on campus are owned, for
instance, by the students who use them.  It's a little harder to impose
something like a domain and SUS on them -- when it's their own machine. 

The current policy, AFAIK, is "if your machine does something bad, we'll
turn off the network port and sort it out later."

-Luke

-- 
Luke Scharf, Systems Administrator
Virginia Tech Aerospace and Ocean Engineering



RE: Re: [Full-Disclosure] Re: Administrivia

2004-03-19 Thread Jos Osborne
>If we eliminated most of the legal disclaimers from the mails we send we 
>would have plenty of time to read duplicated mail since we would no 
>longer have to pass the bar to know if we are even allowed to read mail.

Maybe we should have an unwritten rule here - rather than having a whole 8 line 
disclaimer at the end of your email, just write:

Disclaimer: "It's not our fault!"

and everyone will know you/your company/your ISP/your dog are disclaiming all 
responsibility for anything that happened after the Schleswig-Holstein war...

;>

Jos

"It's not our fault!"



RE: [Full-Disclosure] Operating Systems Security, "Microsoft Security, baby steps"

2004-03-19 Thread Luke Scharf
On Fri, 2004-03-19 at 01:49, Todd Burroughs wrote:
> Wasn't that something that MS tried to say, the "hackers" are reverse
> engineering our patches?  That was funny, but the sad thing is that a
> lot of people will believe it.

I have no doubt that people reverse engineer their patches.

However, saying "hackers ONLY reverse engineer our patches" is a lot
different from saying "one possible technique for abusing a Windows
system is to look for problems by reverse engineering out patches."

Biiig difference.  Driving while sloshed is one possible way to get
hurt while driving a car, but certainly not the only way.

> What I meant is that you can most likely actually use the Internet to get
> patches with a fresh install before you get taken over, not that somehow
> UNIX-like systems make patches before the exploits are out there and being
> used ;-)  It's quite apparent by other threads on the list that this is
> not generally the case with Windows.  Just being patched doesn't mean
> that you are safe, but it's better than running well known security holes.

For the last couple of years (maybe longer?) RedHat Linux (and recently
Fedora) have been shipping with a built-in firewall that is enabled by
default.

If you don't know it's there, then it should certainly be enabled!  :-) 
And if you decide to turn it off, you have to at least justify the
effort to run /usr/sbin/lokkit.

I hear that some BSDs do something similar.

> Obviously, if you go on the Net with all services running, especially
> on an unpatched box, you're gonna get rooted pretty quickly.

Yup.  Last I checked, Sun does it this way...  Yay!  Fortunately,
they're a smaller target, and ppro is decent.  But, it still takes me a
few minutes to turn off all of the unnecessary stuff before I can begin
the real work of setting up a useful system (and re-enabling anything
that I actually need).

-Luke

-- 
Luke Scharf, Systems Administrator
Virginia Tech Aerospace and Ocean Engineering



OT: Re: [Full-Disclosure] Re: Administrivia

2004-03-19 Thread Jason


[EMAIL PROTECTED] wrote:

> -Original Message-
> [...]
> 
> > ftp://ftp.rfc-editor.org/in-notes/rfc1855.txt
> 
> Except I would add that the quoted RFC (which is informational, not
> mandatory) does say that signatures should be kept short:

While only informational, some on this list should be forced to digest 
the printed text and understand _why_ there was ever a need for it.

<:-)>

That .sig and disclaimer used as many bytes as the actual content and 
offered more value. It actually made me ponder deleting the message 
completely instead of writing a reply.

> [...]
> I won't even mention the number of evil remailers out there that are
> resending messages to this list and bugtraq like it's going out of business!

Multiple lists are not required. I have received an extra copy of the 
mail from Frank on this thread, one to me, one to the list, and another 
to me.

<:-)>

*I* still prefer to be a named recipient and it does not violate RFC 
1855 recommendations like those horrendous .sigs

If we eliminated most of the legal disclaimers from the mails we send we 
would have plenty of time to read duplicated mail since we would no 
longer have to pass the bar to know if we are even allowed to read mail.

Then again, perhaps the person owning the address 
[EMAIL PROTECTED] felt it apropos to remail the message





Re: [Full-Disclosure] Is this a paypal scam?

2004-03-19 Thread Nico Golde
Hallo Alerta,

* Alerta Redsegura <[EMAIL PROTECTED]> [2004-03-19 14:51]:
> >http://218.62.43.30/verify.html
> 
> > If this is a scam, then maybe paypal has some employees
> > passing new account info outside the company.
> > -jamie-
> 
> Indeed, Paypal e-mail scams started in 2002 I think.
> 
> In regards to employees passing new acct info, I have never had a paypal
> account and have received several times this type of scam mail.
> 
> I would suggest you to contact Paypal and send them a full copy of the email
> (as an attachment, not just re-send the e-mail, since it would drop some
> headers).

I think he can do a whois query on the given IP and check whether it
is an official PayPal host.
regards nico
-- 
Nico Golde| [EMAIL PROTECTED]  | [EMAIL PROTECTED] | [EMAIL PROTECTED]
http://www.ngolde.de  | GnuPG Key: http://www.ngolde.de/gpg/nico_golde.gpg
Fingerprint   | FF46 E565 5CC1 E2E5 3F69  C739 1D87 E549 7364 7CFF 
echo "[q]sa[ln0=aln256%Pln256/snlbx]sb729901041524823122snlbxq"|dc




mails without subject (was: [Full-Disclosure] (no subject))

2004-03-19 Thread Nico Golde
Hallo Jim,

* Jim Burnes <[EMAIL PROTECTED]> [2004-03-19 14:51]:
> Actually, what is really needed and primarily missing
> from the security picture is:

a mail with a subject.
regards nico


Re: [Full-Disclosure] Operating Systems Security, "Microsoft Security, baby steps"

2004-03-19 Thread Nico Golde
Hallo Schmehl,

* Schmehl, Paul L <[EMAIL PROTECTED]> [2004-03-19 14:51]:
> > Updating any OS is a pain in the ass, but all of them have 
> > flaws and need to be updated.  I find that at least with the 
> > UNIX-like ones, you can go on the Net and do your updates 
> > faster than you get rooted.
> 
> This is foolish thinking.  Do you really think that, when a patch comes
> out, *then* the hackers start working on exploits?  The exploits were
> being used *long* before the patch comes out.  The only thing a patch
> gets you is protection against *future* hack attempts against *that*
> weakness.

and that's quite logical, because no one writes a patch before he has tested this
vulnerability, for example with an exploit.
Whether the exploit writer releases his exploit on public websites is another
question.
regards nico


Re: [Full-Disclosure] Re: Administrivia

2004-03-19 Thread Ron DuFresne

[SNIP]

>
> but *I* prefer to be in the recipient list if I have joined in on the
> discussion, it is clearly a discussion I am interested in or felt like
> chiming in on. I have filters... they filter... they filter differently
> if I am a named to or cc... discussions I am participating in by default
> float to my attention.
>

Agreed.  Rude is not a one size fits all scenario.  There are reasons,
especially in moderated forums whence threads might well be dropped mid
discussion as well, that a cc: might be in order.  But, I also prefer to be
singled out for those threads I've taken to participate in.

Thanks,

Ron DuFresne
~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.



RE: [Full-Disclosure] Re: Administrivia

2004-03-19 Thread Ron DuFresne

[SNIP]
> >
> Except I would add that the quoted RFC (which is informational, not
> mandatory) does say that signatures should be kept short:
>
> - If you include a signature keep it short.  Rule of thumb
>   is no longer than 4 lines.  Remember that many people pay for
>   connectivity by the minute, and the longer your message is,
>   the more they pay.
>
> The observant will note that mine breaks this advice (although it doesn't if
> you ignore the extra bit that I put in. It usually offends at least one
> person). The RNIB disclaimer is outside my control, except that I have
> pointed out that it can lead to our own email being classed as SPAM and
> suggested a link to a web page would be better.
>

I avoid the issue of required .sig/banners by not posting to lists via my
work e-mail.  Course that requires one has ssh access to another system.
I tend to use two different personal accounts for mailing lists for the
most part.  Then again I've a .sig just over spec...

Thanks,

Ron DuFresne


[Full-Disclosure] Norton Internet Security Remote Command Execution

2004-03-19 Thread NGSSoftware Insight Security Research
NGSSoftware Insight Security Research Advisory

Name: Norton Internet Security Remote Command Execution
Systems Affected: XP (not confirmed on 2000); NIS & NIS Pro 2004, not
confirmed on previous versions.
Severity: High
Vendor URL: http://www.symantec.com
Author: Mark Litchfield [ [EMAIL PROTECTED] ]
Date Vendor Notified:4th March 2004
Date of Public Advisory: 19th March 2004
Advisory number: #NISR19042004b
Advisory URL: http://www.ngssoftware.com/advisories/nisrce.txt

Description
***

Symantec's Norton Internet Security 2004 Professional protects you and
your business from online threats. It eliminates viruses automatically,
blocks hackers, safeguards your personal information, fights spam, increases
online productivity, recovers lost or damaged files, and thoroughly deletes
confidential data you no longer need.


Details
***

Installed with Norton Internet Security and Professional is an ActiveX
component that is marked safe for scripting, namely WrapNISUM Class
(c:\program files\Norton Internet Security Professional\WrapUM.dll).
Using the LaunchURL method an attacker has the ability to force the browser
to run arbitrary executables on the target.  In a real world attack, this
would more than likely take the form of a UNC path.  It's important to note
here that on those windows operating systems that support the WEBDAV
redirector file system if the UNC path cannot be reached over TCP port 139
or 445 it will switch to TCP Port 80 (http).  Needless to say this aspect
will allow attacks to go through corporate firewalls.  The attack can be
achieved either by encouraging the 'victim' to visit a malicious web page or
placing a script within the content of an (html) email.


Fix Information
***

Shipped with all Symantec's products is the LiveUpdate feature. Open
Internet Security / Professional and select the LiveUpdate feature which
will retrieve the latest patch.  It's worth mentioning Symantec's quick
response to this issue in ensuring their clients remain protected.

About NGSSoftware
*
NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware have
offices in the South of London and the East Coast of Scotland. NGSSoftware's
sister company NGSConsulting, offers best of breed security consulting
services, specialising in application, host and network security
assessments.

http://www.ngssoftware.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

[EMAIL PROTECTED]





[Full-Disclosure] Norton AntiSpam Remote Buffer Overrun

2004-03-19 Thread NGSSoftware Insight Security Research
NGSSoftware Insight Security Research Advisory

Name: Norton AntiSpam Remote Buffer Overrun
Systems Affected: XP (not confirmed on 2000)
Severity: High
Vendor URL: http://www.symantec.com
Author: Mark Litchfield [ [EMAIL PROTECTED] ]
Date Vendor Notified:4th March 2004
Date of Public Advisory: 19th March 2004
Advisory number: #NISR19042004a
Advisory URL: http://www.ngssoftware.com/advisories/antispam.txt

Description
***

Symantec's Norton AntiSpam 2004 filters unwanted email out of your inbox.
Working with any POP3 email program, it filters incoming mail on multiple
levels, detecting and flagging unsolicited messages while promptly
delivering valid mail. To make your online time more enjoyable, Norton
AntiSpam also blocks intrusive pop-up and banner ads.

It is worth mentioning here, that Norton AntiSpam is also packaged within
Norton Internet Security 2004 and Norton Internet Security 2004
Professional.

Details
***

Installed with Norton AntiSpam is an ActiveX component that is marked safe
for scripting, namely SymSpamHelper Class
(c:\program files\common files\symantec shared\antispam\symspam.dll).

Using the method LaunchCustomRuleWizard with an overly long parameter, an
attacker can cause a stack based overflow allowing the ability to remotely
run arbitrary code on the target.  This can be achieved either by
encouraging the 'victim' to visit a malicious web page or placing a script
within the content of an (html) email.


Fix Information
***

Shipped with all Symantec's products is the LiveUpdate feature. Open Norton
AntiSpam or Norton Internet Security / Professional and select the
LiveUpdate feature which will retrieve the latest patch.  Also worth
mentioning is Symantec's quick response to this issue in ensuring their
clients remain protected.

About NGSSoftware
*
NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware have
offices in the South of London and the East Coast of Scotland. NGSSoftware's
sister company NGSConsulting, offers best of breed security consulting
services, specialising in application, host and network security
assessments.

http://www.ngssoftware.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

[EMAIL PROTECTED]



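An added check for the class of control described in the advisory above (example code written for this archive page, not NGSSoftware's or Symantec's). The advisory names the DLL and the class but not its CLSID, so the script walks HKCR\CLSID for classes whose InprocServer32 points at symspam.dll, reads whether each one carries the Safe for Scripting category, and whether Internet Explorer's kill bit is set for it. The registry paths, the category GUIDs and the 0x400 flag are the standard Windows values; the records used to exercise classify()/audit() are constructed and are not real CLSIDs.

```python
"""Which COM classes does a DLL back, are they Safe for Scripting, and does
the IE kill bit block them?  Pure helpers run anywhere; the registry walk
needs Windows."""

# Standard COM component category GUIDs that Internet Explorer honours.
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INITIALIZING = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"
# COMPAT_EVIL_DONT_LOAD: the kill bit in the per-CLSID "Compatibility Flags".
KILL_BIT = 0x400
ACTIVEX_COMPAT = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"


def classify(safe_for_scripting, compat_flags):
    """Is a control reachable from a web page or HTML mail?
    not-scriptable -> page script cannot call its methods at all
    kill-bitted    -> IE refuses to instantiate it even though it is marked safe
    exposed        -> any page the user renders can call its methods"""
    if not safe_for_scripting:
        return "not-scriptable"
    if compat_flags & KILL_BIT:
        return "kill-bitted"
    return "exposed"


def audit(controls):
    """controls: iterable of dicts with clsid, safe_for_scripting, compat_flags
    (the shape enumerate_controls() returns).  Returns {clsid: verdict}."""
    return {c["clsid"]: classify(c["safe_for_scripting"], c["compat_flags"])
            for c in controls}


def _key_exists(hive, path):
    import winreg
    try:
        winreg.CloseKey(winreg.OpenKey(hive, path))
        return True
    except OSError:
        return False


def _compat_flags(clsid):
    """Kill-bit flags for a CLSID, or 0 when no entry exists."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ACTIVEX_COMPAT + "\\" + clsid) as k:
            value, _kind = winreg.QueryValueEx(k, "Compatibility Flags")
            return int(value)
    except OSError:
        return 0


def enumerate_controls(dll_substring):
    """Windows only.  Walk HKCR\\CLSID and return every class whose
    InprocServer32 path contains dll_substring (case-insensitive), with its
    Safe for Scripting mark and IE compatibility flags.
    Caveat: on 64-bit Windows a 32-bit DLL is registered under Wow6432Node,
    which this walk of the native registry view does not see."""
    import winreg  # imported here so the pure helpers above work on any OS
    results = []
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "CLSID") as clsid_root:
        for i in range(winreg.QueryInfoKey(clsid_root)[0]):
            clsid = winreg.EnumKey(clsid_root, i)
            try:
                server = winreg.QueryValue(clsid_root, clsid + r"\InprocServer32")
            except OSError:
                continue  # no in-process server registered for this class
            if dll_substring.lower() not in server.lower():
                continue
            category = r"CLSID\%s\Implemented Categories\%s" % (clsid, CATID_SAFE_FOR_SCRIPTING)
            results.append({
                "clsid": clsid,
                "dll": server,
                "safe_for_scripting": _key_exists(winreg.HKEY_CLASSES_ROOT, category),
                "compat_flags": _compat_flags(clsid),
            })
    return results


if __name__ == "__main__":
    for ctl in enumerate_controls("symspam.dll"):
        print(ctl["clsid"], ctl["dll"],
              classify(ctl["safe_for_scripting"], ctl["compat_flags"]))
```

LiveUpdate replaces the DLL, not the registration, so a control that reports "exposed" before patching still reports "exposed" afterwards; the point of the check is to see which scriptable classes a DLL exposes at all, and whether a kill bit is in place where a patch cannot be applied yet.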


RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?

2004-03-19 Thread Paul Schmehl
--On Friday, March 19, 2004 10:15:06 AM + Random Letters 
<[EMAIL PROTECTED]> wrote:



> The only way to 100% secure a Windows client machine is to take it away
> from the user and lock it in a cupboard.
[snipped a bunch in the middle.]
> If Windows was 100% secure, why bother at all with patches and virus
> updates?
Write this on the chalkboard 100 times.

"Nothing is 100% secure!  Nothing is 100% secure!  Nothing is 100% secure!"

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


[Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1522 - 45 msgs

2004-03-19 Thread Daniel H. Renner
On Fri, 2004-03-19 at 06:16, [EMAIL PROTECTED] wrote:
> Date: Fri, 19 Mar 2004 11:04:49 +0100
> From: "Paolo A. Gallenga" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Organization: Atlantica Sistemi S.r.l.
> To: Jos Osborne <[EMAIL PROTECTED]>
> CC: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] New Virus under way ...
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> You forgot Bagle'95 SR-1, Bagle'98 and Bagle'98SE!
> :-D
> 
> Jos Osborne wrote:
> |>How about Bagle2.x ?
> |
> |
> | Or Bagle3.11, Bagle'95, BagleMe, Bagle2000, BagleXP...
> |
> | ;>
> |
> | Jos
> - --
> Paolo A. Gallenga
> System Administrator
> Atlantica Sistemi S.r.l.
> [EMAIL PROTECTED] - http://www.atlantica.it/
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.2.4 (MingW32)
> 
> iD8DBQFAWsW/wreiUCR0oIoRAvvNAKC2MK5HXaWC8uGeijFTYy7TeePTTgCgwpy4
> t4y24tNGPQBr8L/MLUtOolc=
> =So2D
> -END PGP SIGNATURE-

And then the mighty Bagle.Longhorn will smite you all!!!

Bru-haw-haw-haw!!!

-- 


Thank you,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700




Re: [Full-Disclosure] Administrivia (very OT, but should be addressed)

2004-03-19 Thread Cael Abal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Spiro Trikaliotis wrote:
> Isn't that the reason why there is a Mail-Followup-To (MFT) header
> (http://cr.yp.to/proto/replyto.html)? With this, the sender of a mail
> can decide if he wants a copy of the mail or not.
>
> If I want to get a copy of the mail in addition to the list, the
> header is set to the list and my address, if I don't want this, I set
> it to the list only.
>
> Mutt, my MUA, supports the notion of lists and subscribed list. On a
> non-subscribed list, I get a copy of any reply by setting MFT to
> myself, too, while I don't get a copy on subscribed lists.
>
> Why don't you all just let the user choose which way he wants to go?

[This is way off-topic, but I'm afraid that folks will get the wrong
impression from Spiro's e-mail.]

Hi Spiro,

Unfortunately, last I checked there *isn't* a Mail-Followup-To header.
Even though some mail clients support it, it's nonstandard and some
folks consider it an ugly kludge.

See Keith Moore's plea here:

http://pm-doc.sourceforge.net/pm-tips-body.html#replyto_header

He suggests that adding another mail header will only complicate matters
more, and that Bernstein's MFT concept is inherently broken:

"Dan's proposal is intrinsically flawed. It incorrectly assumes that the
sender can reasonably anticipate the recipient's needs in replying to
the message, and that such needs can reasonably be lumped into either
"reply" or "followup". It doesn't solve the real problem, which is that
responders need to think about where their replies go. Mail-Followup-To
won't decrease the number of messages that go to the wrong place."

Please give it a read before you continue to advocate MFT.

Sincerely,

Cael
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFAWyLKR2vQ2HfQHfsRApwqAKCloX20ztxmfbjuwave1bKVLovdXQCgiXrS
LVcPloe0HSGraeewnMLO74s=
=zxKs
-END PGP SIGNATURE-



[Full-Disclosure] Re: New Virus under way ...

2004-03-19 Thread David Schultz
On 3/18/04 11:24 AM, "[EMAIL PROTECTED]"
<[EMAIL PROTECTED]> wrote:

> Message: 2
> got a strange Mail 2day:
> 
> Subject: RE: Protected message
> From: [EMAIL PROTECTED]
> 
> link to virus is ...
> http://221.153.61.232:81/100721.php
> 
> Host is in Korea, abuse warning has been sent.
> 
> can anyone verify what kind of malware that is ?
> 
> Helmut


The PHP script has a download link from the same web server. The linked file
is a .jpg that has what Norton corporate version 8.00.9374 calls
bloodhound.packed (defs are 3/10/04 rev 5)

DVS
-- 
"If you want to eat hippopotamus, you've got to pay the freight."
-attributed to an IBM guy, about why IBM software uses so much memory




RE: [Full-Disclosure] Emailing SSN info

2004-03-19 Thread Federated Information Security
Google's a wonderful thing.  A quick search on "Social Security Number
Privacy Law" brought up the SSN FAQ
(http://www.faqs.org/faqs/privacy/ssn-faq/) along with lots of other
good links.  Here's an excerpt from the FAQ:

-

   The Privacy Act of 1974

The Privacy Act of 1974 (Pub. L. 93-579, in section 7), which is the
primary law affecting the use of SSNs, requires that any federal, state,
or local government agency that requests your Social Security Number has
to tell you four things:



1: The authority (whether granted by statute, or by executive order of
   the President) which authorizes the solicitation of the information and
   whether disclosure of such information is mandatory or voluntary;

2: The principal purposes for which the information is intended to be
   used;

3: The routine uses which may be made of the information, as published
   annually in the Federal Register, and

4: The effects on you, if any, of not providing all or any part of the
   requested information.

The Act requires state and local agencies which request the SSN to
inform the individual of only three things:

1: Whether the disclosure is mandatory or voluntary,
2: By what statutory or other authority the SSN is solicited, and
3: What uses will be made of the number.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Gettig
Sent: Thursday, March 18, 2004 3:45 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Emailing SSN info


Hi all,

I work for a school district in the USA. Higher management wants to
email a zipped data export (presumably password protected) to a vendor
that includes the Social Security Number for employees. I have advised
them against this. Shipping a CDROM overnight would be more secure, IMO.


Now they want to know if there are any laws pertaining to the emailing
of SSN info. (Why they are asking me and not an attorney, I am not
sure...though I AM going to tell them to speak to an attorney too.) 

Can any one point me to a website or cite specific US (or even state)
laws regarding this? Even a reply telling me why this is a bad idea
would be great. If I am wrong, I am glad to hear that too. Thanks in
advance!



Re: [Full-Disclosure] Re: Administrivia

2004-03-19 Thread Valdis . Kletnieks
On Fri, 19 Mar 2004 09:46:43 +0100, Spiro Trikaliotis <[EMAIL PROTECTED]>  said:

> Isn't that the reason why there is a Mail-Followup-To (MFT) header
> (http://cr.yp.to/proto/replyto.html)? With this, the sender of a mail
> can decide if he wants a copy of the mail or not.

This would be a lot more widely supported if it was an IETF RFC rather
than just something on one guy's webpage.  Yes, it may be a good idea,
but it's still just one guy's proposal, and as such it's hard to get traction
with commercial MUA vendors.


pgp0.pgp
Description: PGP signature


[Full-Disclosure] Re: User Insecurity

2004-03-19 Thread gadgeteer
On Thu, Mar 18, 2004 at 11:48:45AM -0600, Earl Keyser ([EMAIL PROTECTED]) wrote:
> I think you folks miss the point.
> 
> My VISA card doesn't have any bells and whistles to turn on or off -just
> a PIN to remember.  My car is serviced by my mechanic. I don't know
> what's under the hood except where to put washer fluid. To ask me to
> make my own Visa card or tune my engine is an impossibility.  My Dad is
> an MD - but he can't set the time on the VCR.
> 
> Until the whole paradigm changes, we will live in an insecure world. 
> Most home users are clueless - they want to remain that way.  It's up to
> our industry (PC makers, OS makers, techies and researchers to build a
> better, safer mousetrap.
> 
> Railing at the "clueless lusers" is both stupid and counter-productive.

What you describe regarding you and your mechanic is "blind trust".
You are trusting his abilities as a mechanic based on your perception
of him as a person.

OTOH, I learned the theory behind the design of the various systems that 
comprise an automobile and got some hands on experience rebuilding 
engines in high school auto shop.  While I do not pretend to have the 
working skills and knowledge to actually diagnose and repair a modern 
auto I do have domain-specific knowledge which allows me to make informed
judgements of my mechanic's abilities by engaging him in conversation 
regarding mechanics.

Likewise I have some interest in biology and expect the MD to explain 
sufficiently so that I can fit what she is saying into my knowledge-base 
without conflict.

Knowing proper food handling I can make reasonable judgement regarding a 
restaurant and chances of food poisoning.

Just as "folk physics" and "folk psychology" can lead to erroneous 
conclusions so too can limited knowledge-based judgements.  However,
willful ignorance is simply a "kick me" sign hung on one's forehead 
to a malicious social engineering attack.

Willful ignorance is "both stupid and counter-productive".  Demands 
for protection of the "clueless lusers" is merely shifting the burden 
from those too f*g lazy to be curious to the rest of us.

"Making something safe for idiots means only idiots will use it."  
(It also makes it much more costly.)
-- 
Chief Gadgeteer
Elegant Innovations



[Full-Disclosure] Re: New Virus under way ... ...doh!

2004-03-19 Thread David Schultz
I was typing too fast without brain engaged on my post. "Bloodhound packed"
is the NAV way of saying unknown virus, but as I just received other emails
from the list pointing out its origin is bagle/beagle, I will now go back to
lurking and being quiet.

Have a good weekend everyone.


DVS
-- 
"The best index to a person's character is a) how he treats people who can't
do him any good and b) how he treats people who can't fight back."
-- Abigail Van Buren



[Full-Disclosure] NEVER open attachments

2004-03-19 Thread VB
NEVER open attachments


Isn't this what we have been taught? Haven't we tried to pound this simple
rule into the heads of our users? Do we not practice what we preach? Then
why do several users of this list only send messages and replies as
attachments?
I'm sure
[EMAIL PROTECTED] <[EMAIL PROTECTED]>, Nico Golde, Frank Knobbe,
et al have wonderful things to say and contribute great things to this list,
but I have never read anything they post because they post as attachments.
Yes, granted, they are .txt attachments but that is no excuse as it's just a
matter of time before they are exploited. In fact, they have been exploited;
one can pad spaces after the .txt to hide the true extension of a malicious
file. More .txt exploits are probably just around the corner.
So, why do these folks post attachments? Why is this even permitted? I would
love to hear what these people have to say, but I cannot break my own rule
to find out.



[Full-Disclosure] Managed Security Vendors

2004-03-19 Thread DeBerry, Casey
Anyone had any experience working with any of these vendors?

Specifically, Counterpane, ISS; I think Oracle even started selling this
service...

Wondering if anyone can shed light on how effective/ineffective these
companies are in helping to "secure" corporate networks.




[Full-Disclosure] Re: NEVER open attachments

2004-03-19 Thread Valdis . Kletnieks
On Fri, 19 Mar 2004 14:27:53 EST, you said:

> [EMAIL PROTECTED] <[EMAIL PROTECTED]>, Nico Golde, Frank Knobbe,
> et al have wonderful things to say and contribute great things to this list,
> but i have never read anything they post because they post as attachments.

PGP signed messages are not executable attachments.

See the following RFCs:

1847 Security Multiparts for MIME: Multipart/Signed and
 Multipart/Encrypted. J. Galvin, S. Murphy, S. Crocker, N. Freed.
 October 1995. (Format: TXT=23679 bytes) (Status: PROPOSED STANDARD)
2015 MIME Security with Pretty Good Privacy (PGP). M. Elkins. October
 1996. (Format: TXT=14223 bytes) (Updated by RFC3156) (Status:
 PROPOSED STANDARD)
2440 OpenPGP Message Format. J. Callas, L. Donnerhacke, H. Finney, R.
 Thayer. November 1998. (Format: TXT=141371 bytes) (Status: PROPOSED
 STANDARD)
3156 MIME Security with OpenPGP. M. Elkins, D. Del Torto, R. Levien,
 T. Roessler. August 2001. (Format: TXT=26809 bytes) (Updates RFC2015)
 (Status: PROPOSED STANDARD)

http://www.ietf.org/rfc/rfc1847.txt
http://www.ietf.org/rfc/rfc2015.txt
http://www.ietf.org/rfc/rfc2440.txt
http://www.ietf.org/rfc/rfc3156.txt

If anything, you should *encourage* the use of PGP or S/MIME to sign mail,
because even if my machine gets whacked by a virus and starts spewing correctly
signed mail, you will *know* it's my machine doing it and not some
address-scraping virus on a machine in Zanzibar or someplace.



pgp0.pgp
Description: PGP signature


[Full-Disclosure] Re: NEVER open attachments

2004-03-19 Thread gadgeteer
On Fri, Mar 19, 2004 at 02:27:53PM -0500, VB ([EMAIL PROTECTED]) wrote:
> NEVER open attachments
> [EMAIL PROTECTED] <[EMAIL PROTECTED]>

I think this has more to do with your poor choice of MUA.
Here is a header from a recent email from Valdis.Kletnieks:

Content-Type: multipart/signed; boundary="==_Exmh_-717208290P";
 micalg=pgp-sha1; protocol="application/pgp-signature"

It is not a txt attachment.
-- 
Chief Gadgeteer
Elegant Innovations



RE: [Full-Disclosure] NEVER open attachments

2004-03-19 Thread Jeremiah Cornelius
> [EMAIL PROTECTED] <[EMAIL PROTECTED]>, Nico Golde, Frank
> Knobbe, et al have wonderful things to say and contribute great
> things to this list, but i have never read anything they post because
> they post as attachments.
> Yes, granted, they are .txt attachments but that is no excuse as it's
> just a matter of time before they are exploited.

These gentlemen do not post as attachments.  They SIGN their messages, and
some clients insist on representing inline S/MIME and OpenPGP messages as
attachments.

Five will get you 10, that you are using Outlook Express, or an MS Outlook
prior to OfficeXP.

The blinking signing is so that you CAN trust the source!  Assuming you have
verified the sender's key and trust them for safe practices, open
attachments 'till you get RSI!  The NEVER OPEN rule is a dogma for
unverified senders - you /knew/ that.




Re: [Full-Disclosure] Administrivia (very OT, but should be addressed)

2004-03-19 Thread Bruno Wolff III
On Fri, Mar 19, 2004 at 11:41:46 -0500,
  Cael Abal <[EMAIL PROTECTED]> wrote:
> 
> "Dan's proposal is intrinsically flawed. It incorrectly assumes that the
> sender can reasonably anticipate the recipient's needs in replying to
> the message, and that such needs can reasonably be lumped into either
> "reply" or "followup". It doesn't solve the real problem, which is that
> responders need to think about where their replies go. Mail-Followup-To
> won't decrease the number of messages that go to the wrong place."

But you can at least tell people if you want or need a separate copy
in addition to what gets sent to the list. People who don't want separate
copies should be setting mail-followup-to. Even if not all mail clients
support it some do.



[Full-Disclosure] iDEFENSE Security Advisory 03.19.04: Borland Interbase admin.ib Administrative Access Vulnerability

2004-03-19 Thread idlabs-advisories
Borland Interbase admin.ib Administrative Access Vulnerability

iDEFENSE Security Advisory 03.19.04
www.idefense.com/application/poi/display?id=80&type=vulnerabilities
March 19, 2004

I. BACKGROUND

Borland Interbase is a small, high performance commercial database for
Linux, Solaris, and Windows operating systems. More information about
Borland Interbase is available at http://www.borland.com/interbase/.

II. DESCRIPTION

Exploitation of default file permissions in Borland Interbase can allow
local attackers to gain database administrative privileges.

The vulnerability specifically exists due to insecure permissions on the
admin.ib user database file. Local attackers can add or modify existing
accounts to gain administrative privileges.

The default file permissions are shown below:

[EMAIL PROTECTED] interbase]# ls -l /opt/interbase/admin.ib

-rw-rw-rw- 1 root root 616497 Dec 30 11:17 /opt/interbase/admin.ib

III. ANALYSIS

Successful exploitation yields administrative privileges over the
database to local attackers. This can lead to further compromise as any
information stored within the database is now available to the attacker.
This may include: authentication information, financial information and
personal information.

Exploit code for this issue is unnecessary.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Borland
Interbase 7.1 for Linux. It is suspected that previous versions of
Borland Interbase for Linux are also vulnerable.

V. WORKAROUNDS

Remove global write permissions from the admin.ib user database file.

[EMAIL PROTECTED] interbase]# chmod 664 /opt/interbase/admin.ib

[EMAIL PROTECTED] interbase]# ls -l /opt/interbase/admin.ib

-rw-rw-r-- 1 root root 616497 Dec 30 11:17 /opt/interbase/admin.ib

VI. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VII. DISCLOSURE TIMELINE

January 13, 2004    Vulnerability acquired by iDEFENSE
February 9, 2004    Initial vendor notification sent - no response
February 12, 2004   iDEFENSE clients notified
March 1, 2004       Secondary vendor notification sent - no response
March 19, 2004      Public disclosure

VIII. CREDIT

Larry Cashdollar (http://vapid.dhs.org) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

IX. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

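An added example, not part of the iDEFENSE advisory: the workaround above is a single chmod on admin.ib, but the same class of problem is worth checking across a whole install tree rather than one known file. The script below lists regular files under a root whose mode grants write to "other" and clears only that bit, which turns the advisory's 666 into the 664 of the workaround while leaving owner and group access alone. The /opt/interbase stand-in it builds is a constructed temporary directory, not a real InterBase install.

```python
"""Audit an install tree for world-writable files and clear o+w on them."""
import os
import stat
import tempfile


def world_writable_files(root):
    """Return regular files under `root` whose mode grants write to 'other',
    the -rw-rw-rw- class of problem the advisory describes.  Symlinks are
    not followed, so a link pointing outside the tree is not reported."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                found.append(path)
    return sorted(found)


def remove_other_write(path):
    """Equivalent of `chmod o-w path`: clears just the other-write bit, so a
    file shipped 666 becomes 664 and one shipped 644 is left as it is.
    Returns the resulting permission bits."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~stat.S_IWOTH)
    return stat.S_IMODE(os.lstat(path).st_mode)


def build_demo_tree():
    """Constructed stand-in for /opt/interbase (not a real InterBase install):
    an admin.ib shipped 666 next to a file with sane permissions."""
    root = tempfile.mkdtemp(prefix="interbase-demo-")
    admin = os.path.join(root, "admin.ib")
    with open(admin, "wb") as fh:
        fh.write(b"\x00" * 64)  # placeholder bytes, not a real user database
    os.chmod(admin, 0o666)
    notes = os.path.join(root, "notes.txt")
    with open(notes, "w") as fh:
        fh.write("demo file with correct permissions\n")
    os.chmod(notes, 0o644)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for path in world_writable_files(root):
        before = stat.S_IMODE(os.lstat(path).st_mode)
        after = remove_other_write(path)
        print("%s: %o -> %o" % (path, before, after))
    print("remaining world-writable:", world_writable_files(root))
```

On a real installation run it as root against /opt/interbase and review the list before fixing anything: a file the server process must write to as a non-root user needs group access, not world access, so the group on the file matters as much as the mode.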


Re: [Full-Disclosure] NEVER open attachments

2004-03-19 Thread Luis Bruno
VB wrote:
> [they] have wonderful things to say and contribute great things to
> this list, but i have never read anything they post because they post
> as attachments.

There's a strong possibility that your MUA is misinterpreting their
multipart/signed messages. For example, my User-Agent displays messages
from Valdis just fine.

> So, why do these folks post attachments?

They don't. Maybe your User-Agent is wrong when it takes the text/plain
in the multipart/signed message and shows it as an attachment. AIUI,
RFC 1847 says that even if your MUA can't work with the signature, it can
continue processing the other body part.

You might want to try one of the freely available MUAs like Thunderbird.

Cheers!
-- 
Luis Bruno
UTM: 29T 629481E 4511776N 576m



Re: [Full-Disclosure] NEVER open attachments

2004-03-19 Thread William Warren
No, those txt attachments get killed at my firewall...

VB wrote:

> NEVER open attachments
>
> Isn't this what we have been taught? haven't we tried to pound this simple
> rule into the heads of our users? Do we not practice what we preach? then
> why do several users of this list only send messages and replies as
> attachments?
> I'm sure
> [EMAIL PROTECTED] <[EMAIL PROTECTED]>, Nico Golde, Frank Knobbe,
> et al have wonderful things to say and contribute great things to this list,
> but i have never read anything they post because they post as attachments.
> Yes, granted, they are .txt attachments but that is no excuse as it's just a
> matter of time before they are exploited. In fact, they have been exploited,
> one can pad spaces after the .txt to hide the true extension of a malicious
> file. more .txt exploits are probably just around the corner.
> So, why do these folks post attachments? Why is this even permitted? I would
> love to hear what these people have to say, but i cannot break my own rule
> to find out.
--
My "Foundation" verse:
Isa 54:17  No weapon that is formed against thee shall prosper; and 
every tongue that shall rise against thee in judgment thou shalt 
condemn. This is the heritage of the servants of the LORD, and their 
righteousness is of me, saith the LORD.



Re: [Full-Disclosure] NEVER open attachments

2004-03-19 Thread Ben Nelson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I think your MUA is interpreting signed mail as simply a blank email
with a text attachment (the PGP signed message).  Many people on this
list PGP sign their messages, so if your MUA is mis-interpreting these
messages as text attachments, you need to either change MUAs or deal
with it.
- --Ben

VB wrote:
| NEVER open attachments
|
|
| Isnt this what we have been taught? haven't we tried to pound this simple
| rule into the heads of our users? Do we not practice what we preach? then
| why do several users of this list only send messages and replies as
| attachments?
| I'm sure
| [EMAIL PROTECTED] <[EMAIL PROTECTED]>, Nico Golde, Frank Knobbe,
| et al have wonderful things to say and contribute great things to this list,
| but i have never read anything they post because they post as attachments.
| Yes, granted, they are .txt attachments but that is no excuse as it's just a
| matter of time before they are exploited. In fact, they have been exploited,
| one can pad spaces after the .txt to hide the true extension of a malicious
| file. more .txt exploits are probably just around the corner.
| So, why do these folks post attachments? Why is this even permitted? I would
| love to hear what these people have to say, but i cannot break my own rule
| to find out.
|
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAW1aK3cL8qXKvzcwRAomSAJ9uZRKzi9YR1SLhbMUpS4uJWE/inACeLM4E
UgRzkxler26wnmN0hM+yq9Y=
=fPFU
-END PGP SIGNATURE-


RE: [Full-Disclosure] NEVER open attachments

2004-03-19 Thread Staves, Steve
I would like to second that motion.  I never open attachments, especially on
newsgroups etc as they are a prime target.

-Original Message-
From: VB [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 19, 2004 11:28 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Full-Disclosure] NEVER open attachments


NEVER open attachments


Isn't this what we have been taught? haven't we tried to pound this simple
rule into the heads of our users? Do we not practice what we preach? then
why do several users of this list only send messages and replies as
attachments? I'm sure [EMAIL PROTECTED] <[EMAIL PROTECTED]>,
Nico Golde, Frank Knobbe, et al have wonderful things to say and contribute
great things to this list, but i have never read anything they post because
they post as attachments. Yes, granted, they are .txt attachments but that
is no excuse as it's just a matter of time before they are exploited. In
fact, they have been exploited, one can pad spaces after the .txt to hide
the true extension of a malicious file. more .txt exploits are probably just
around the corner. So, why do these folks post attachments? Why is this even
permitted? I would love to hear what these people have to say, but i cannot
break my own rule to find out.



Re: [Full-Disclosure] NEVER open attachments

2004-03-19 Thread VB
No, I was referring to the fact that the bodies of their e-mails were blank
and their text comes as a separate attachment. Then I was informed that it
is actually my mail client that is not handling the PGP properly and this
does not happen to people using non-MS clients. So... never mind.
Thanks to those that set me straight.
vb

- Original Message - 
From: "Scott Boegemann" <[EMAIL PROTECTED]>
To: "'VB'" <[EMAIL PROTECTED]>
Sent: Friday, March 19, 2004 4:20 PM
Subject: RE: [Full-Disclosure] NEVER open attachments


> Uhmm, I think you're referring to their pgp signature data, not their
> posts. But, I guess you can never be too safe :/
>
> Regards-
> Scott
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of VB
> Sent: Friday, March 19, 2004 2:28 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: [Full-Disclosure] NEVER open attachments
>
> NEVER open attachments
>
>
> Isn't this what we have been taught? haven't we tried to pound this simple
> rule into the heads of our users? Do we not practice what we preach? then
> why do several users of this list only send messages and replies as
> attachments?
> I'm sure
> [EMAIL PROTECTED] <[EMAIL PROTECTED]>, Nico Golde, Frank Knobbe,
> et al have wonderful things to say and contribute great things to this list,
> but i have never read anything they post because they post as attachments.
> Yes, granted, they are .txt attachments but that is no excuse as it's just a
> matter of time before they are exploited. In fact, they have been exploited,
> one can pad spaces after the .txt to hide the true extension of a malicious
> file. more .txt exploits are probably just around the corner.
> So, why do these folks post attachments? Why is this even permitted? I would
> love to hear what these people have to say, but i cannot break my own rule
> to find out.
>
>



Re: [Full-Disclosure] NEVER open attachments

2004-03-19 Thread Bennett Todd
2004-03-19T19:27:53 VB:
> NEVER open attachments

NEVER use a Mail User Agent (MUA) like Microsoft Outlook Express
6.00.2800.1158 (from your X-Mailer: header).

Folks like those you listed post digitally signed messages,
conforming to standards. They are doing things exactly right.

Your MUA is broken, and is incorrectly claiming that the
multipart/signed messages with a text/plain body followed by an
application/pgp-signature are some kind of attachment that requires
opening.

If you choose to use incompetently designed and poorly implemented
software, don't blame the rest of the world for the problems you
cause yourself.

But, of course, since you refuse to read digitally signed messages,
since it's unsafe with your mail user agent, you won't see this
either.

I think it's about time to procmail that X-Mailer into a junk
bucket.

-Bennett


pgp0.pgp
Description: PGP signature
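An added example (written for this archive page, not code from any of the posters) of what an RFC 1847-aware MUA does with the messages VB, Valdis, Luis and Bennett are arguing about. It parses a constructed multipart/signed message in the shape Bennett describes (the boundary string is the one from the header gadgeteer quoted; the addresses and the signature bytes are placeholders, not a real signature), takes the text/plain part as the body, checks that the second part's type matches the protocol parameter, and contrasts that with a constructed multipart/mixed message whose text really is a Content-Disposition: attachment. Only Python's standard email package is used, and only the structure is checked; nothing here verifies a signature.

```python
"""Why a multipart/signed post is a body with a signature, not an attachment."""
import email
from email import policy

# Constructed sample in the shape an OpenPGP-signing MUA produces (RFC 3156 on
# top of RFC 1847).  Addresses and signature bytes are placeholders.
SIGNED_MSG = """\
From: poster@example.org
To: list@example.net
Subject: Re: NEVER open attachments
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_-717208290P";
 micalg=pgp-sha1; protocol="application/pgp-signature"

--==_Exmh_-717208290P
Content-Type: text/plain; charset=us-ascii

PGP signed messages are not executable attachments.
--==_Exmh_-717208290P
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4

iD8DBQplaceholderSignatureBytesNotARealSignature=
=0000
-----END PGP SIGNATURE-----
--==_Exmh_-717208290P--
"""

# Constructed sample of what VB was worried about: the post text really does
# travel as a separate file (Content-Disposition: attachment).
ATTACHED_MSG = """\
From: poster@example.org
To: list@example.net
Subject: a real attachment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="mixed-demo"

--mixed-demo
Content-Type: text/plain; charset=us-ascii

See attached.
--mixed-demo
Content-Type: text/plain; charset=us-ascii; name="post.txt"
Content-Disposition: attachment; filename="post.txt"

The message text lives in a separate file here.
--mixed-demo--
"""


def signed_parts(msg):
    """RFC 1847: a multipart/signed body has exactly two parts.  The first is
    the protected content, which the MUA shows as the message body; the
    second carries the signature and its type must equal the 'protocol'
    parameter.  Returns (body_part, signature_part), or None when the message
    is not multipart/signed."""
    if msg.get_content_type() != "multipart/signed":
        return None
    protocol = msg.get_param("protocol")
    parts = msg.get_payload()
    if len(parts) != 2 or parts[1].get_content_type() != protocol:
        raise ValueError("malformed multipart/signed: %r"
                         % [p.get_content_type() for p in parts])
    return parts[0], parts[1]


def summarize(raw):
    """What a conforming MUA should present: the body text, whether the
    message is signed, and the real attachments (parts explicitly marked
    Content-Disposition: attachment)."""
    msg = email.message_from_string(raw, policy=policy.default)
    signed = signed_parts(msg)
    if signed is not None:
        body, signature = signed
        return {
            "signed": True,
            "signature_type": signature.get_content_type(),
            "body": body.get_content().strip(),
            "body_is_attachment": body.is_attachment(),
            "attachments": [],
        }
    body = msg.get_body(preferencelist=("plain",))
    return {
        "signed": False,
        "signature_type": None,
        "body": body.get_content().strip() if body is not None else "",
        "body_is_attachment": False,
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }


if __name__ == "__main__":
    for raw in (SIGNED_MSG, ATTACHED_MSG):
        print(summarize(raw))
```

The signed message yields a plain body and an application/pgp-signature part with no Content-Disposition anywhere, which is why a MUA that shows it as "blank mail plus a .txt attachment" is misreading the structure rather than reporting a real attachment; the mixed message is the case the NEVER-open rule is actually about.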


[Full-Disclosure] Credibility (was User Insecurity)

2004-03-19 Thread Gregory A. Gilliss
Actually what he is describing is what I refer to as "credibility".

The CISSP after my name is a measure of my credibility. It tells otherwise
clueless people, people without first hand experience and knowledge,
something about me. Perhaps it tells them that I exhibit some measurable
degree of knowledge or experience in my chosen field (security). For
people who know me or know security, it may tell them nothing more than
the fact that I am a person who can afford $450 and can pass a
standardized test. The letters mean something different than they do for
people without experience, since each group (a) bases their measure of my
credibility on something different (personal experience, word of mouth, 
rumor, slander, etc). 

Credibility is a function of perception (my assertion - YMMV). Sales 
people with crappy clothes and long hair may be "less credible" than "Ken
dolls". MCSE is "more credible" than "pimply-kid-who-knows-how-to-install-
NT". Doesn't necessarily mean that MCSE is "more knowledgeable" or "more 
professional" than "NT kid", but if *you* see it that way then *you* have
defined the credibility. A hiring manager may look at two resumes and,
all else being equal, will likely hire the one with the college degree or
the certification because that person is "more qualified" - or, IOW, that
person has more credibility. May not be the best choice, but that's what
goes on. (Hiring managers who take exception may email me off list pls).

Credibility equates to experience equates to clue (my assertion). In a
"trust" relationship, you can start from "no trust" or "full trust" or
anywhere in between (some trust, limited trust, etc). SSL is a good example
of "full trust". Holes, exploits, etc reduce "trust" for a time (until the
hole is patched). Microsoft suffers from a credibility problem because
(a) people keep finding holes, (b) Microsoft often denies/ignores the
holes, and (c) Microsoft takes a subjectively long period of time to
patch the holes found in (a) and denied in (b).

Credibility. We live and die by it in the security world as much as any
mechanic/lawyer/doctor/insert other professional designation here...

G

On or about 2004.03.19 11:39:19 +, [EMAIL PROTECTED] ([EMAIL PROTECTED]) said:

> What you describe regarding you and your mechanic is "blind trust".  
> You are trusting his abilities as a mechanic based on your perception 
> of him as a person.

-- 
Gregory A. Gilliss, CISSP  E-mail: [EMAIL PROTECTED]
Computer Security WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: NEVER open attachments

2004-03-19 Thread Blue Boar
[EMAIL PROTECTED] wrote:
If anything, you should *encourage* the use of PGP or S/MIME to sign mail,
Absolutely.

because even if my machine gets whacked by a virus and starts spewing correctly
signed mail, you will *know* it's my machine doing it and not some
address-scraping virus on a machine in Zanzibar or someplace.
Well, if a worm nails your machine to the point where it has your 
private keys, there's nothing stopping it from carrying a copy on its 
way to Zanzibar, for purposes of spoofing as you.

We'd at least know you were compromised at one point, though. :)

		BB



Re: [Full-Disclosure] NEVER open attachments

2004-03-19 Thread Kenton Smith
I have to say that I have no idea what you are talking about; I never
see any email as attachments. Could it be your email client or server
(you're using Outlook Express apparently, so that could be it)?

Kenton

On Fri, 2004-03-19 at 12:27, VB wrote:
> NEVER open attachments
> 
> 
> Isn't this what we have been taught? haven't we tried to pound this simple
> rule into the heads of our users? Do we not practice what we preach? then
> why do several users of this list only send messages and replies as
> attachments?
> I'm sure
> [EMAIL PROTECTED] <[EMAIL PROTECTED]>, Nico Golde, Frank Knobbe,
> et al have wonderful things to say and contribute great things to this list,
> but I have never read anything they post because they post as attachments.
> Yes, granted, they are .txt attachments but that is no excuse as it's just a
> matter of time before they are exploited. In fact, they have been exploited,
> one can pad spaces after the .txt to hide the true extension of a malicious
> file. more .txt exploits are probably just around the corner.
> So, why do these folks post attachments? Why is this even permitted? I would
> love to hear what these people have to say, but I cannot break my own rule
> to find out.
> 



RE: [Full-Disclosure] Managed Security Vendors

2004-03-19 Thread Jeremiah Cornelius
Check out LURHQ.  Good MSP about to move to national presence.

http://www.lurhq.com

Up and coming.  Good source of education and whitepapers.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of DeBerry, Casey
Sent: Friday, March 19, 2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Managed Security Vendors

Anyone had any experience working with any of these vendors?

Specifically, Counterpane, ISS, think oracle even started selling this
service...

Wondering if anyone can shed light on how effective/ineffective these
companies are in helping to "secure" corporate networks.





[Full-Disclosure] Re: NEVER open attachments

2004-03-19 Thread gadgeteer
On Fri, Mar 19, 2004 at 12:43:59PM -0800, Staves, Steve ([EMAIL PROTECTED]) wrote:
> I would like to second that motion.  I never open attachments, especially on
> newsgroups etc as they are a prime target.

Hey Steve!!! Wake up!!!
The issue the OP describes is a result of a broken MUA.
MUA == Outlook < Mirco'we don't heed no stinkin RFCs'soft
-- 
Chief Gadgeteer
Elegant Innovations



Re: [Full-Disclosure] NEVER open attachments

2004-03-19 Thread VB
Thanks for the info. I did open your attachment.
Now don't hurt yourself falling off your high horse. I did not write Outlook
Express, perhaps your bitterness would be better off directed to those that
did.
vb


- Original Message - 
From: "Bennett Todd" <[EMAIL PROTECTED]>
To: "VB" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, March 19, 2004 3:26 PM
Subject: Re: [Full-Disclosure] NEVER open attachments




Re: [Full-Disclosure] NEVER open attachments

2004-03-19 Thread Bennett Todd
2004-03-19T20:42:10 VB:
> Thanks for the info. I did open your attachment.

Good for you!

> Now don't hurt yourself falling off your high horse.

Not to worry.

> I did not write Outlook Express, perhaps your bitterness would be
> better off directed to those that did.

You do, however, choose to use it; then you expect others to try and
adjust their behavior to help you avoid facing the consequences of
your choice.

-Bennett




Re: [Full-Disclosure] NEVER open attachments

2004-03-19 Thread Paul Schmehl
--On Friday, March 19, 2004 02:27:53 PM -0500 VB <[EMAIL PROTECTED]> wrote:

NEVER open attachments

So, why do these folks post attachments? Why is this even permitted? I
would love to hear what these people have to say, but i cannot break my
own rule to find out.
Fine.  I'll answer for them.  It's called PGP.  You might try looking it up 
some time.  They are PGP-signing their posts, and the sig comes across as 
an attachment.

Here - I'll copy Valdis' sig from his most recent post:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFAWzehcC3lWbTT17ARAvEAAKCpGKqvDH9GstlHpkhkWWEQR9QIDwCfYfBx
CYjkBP8/amWzuuu1JT2lAh0=
=DTsh
-----END PGP SIGNATURE-----
You might try using an MUA that actually understands this stuff.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Re: NEVER open attachments

2004-03-19 Thread David Hane
On Friday 19 March 2004 13:21, [EMAIL PROTECTED] wrote:
> Hey Steve!!! Wake up!!!
> The issue the OP describes is a result of a broken MUA.
> MUA == Outlook < Mirco'we don't heed no stinkin RFCs'soft

Ahem, I'm no MS fan but they're not the only guilty ones. A default Eudora 
install does the same thing.



[Full-Disclosure] Re: NEVER open attachments

2004-03-19 Thread gadgeteer
On Fri, Mar 19, 2004 at 03:42:10PM -0500, VB ([EMAIL PROTECTED]) wrote:
> Thanks for the info. I did open your attachment.
> Now don't hurt yourself falling off your high horse. I did not write Outlook
> Express, perhaps your bitterness would be better off directed to those that
> did.

from a private email:
[...]
  The original MS-MAIL came from a Canadian company
  that MS acquired way back. Some of the people in the
  Redmond building 16 were veterans from that old company.
  The reply semantics in their mail client dated back to
  those days, before MS was even on the scene.
[edit note: above bit refers to the top post and other M$ MUA behavior]

  Before that, in 1993 or so, I wrote a paper for a PM
  at MS which outlined how to fixup the then 'Capone'
  project (which was named 'Outlook' later) such that
  it interoperated with SMTP and POP and used sensible
  reply semantics. I didn't get that contract because the PM
  discovered that an engineer there had independently
  written his own Internet mail client, which was called
  'Athena' then, and which eventually became 'Outlook Express'.
[...]

PM == project manager

A little (perhaps) unwritten history...
-- 
Chief Gadgeteer
Elegant Innovations



[Full-Disclosure] Re: Re: NEVER open attachments

2004-03-19 Thread gadgeteer
On Fri, Mar 19, 2004 at 02:05:55PM -0800, David Hane ([EMAIL PROTECTED]) wrote:
> On Friday 19 March 2004 13:21, [EMAIL PROTECTED] wrote:
> > Hey Steve!!! Wake up!!!
> > The issue the OP describes is a result of a broken MUA.
> > MUA == Outlook < Mirco'we don't heed no stinkin RFCs'soft
> 
> Ahem, I'm no MS fan but they're not the only guilty ones. A default Eudora 
> install does the same thing.

Quite true.  They are targeted at the same audience.
-- 
Chief Gadgeteer
Elegant Innovations



OT MS Code names (Was Re: [Full-Disclosure] Re: NEVER open attachments)

2004-03-19 Thread Mike Barushok

There do appear to be some places where these code names have
been unofficially listed, i.e.
 http://gomo.no-ip.com/other/Microsoft%20Codenames.htm

On Fri, 19 Mar 2004 [EMAIL PROTECTED] wrote:

> On Fri, Mar 19, 2004 at 03:42:10PM -0500, VB ([EMAIL PROTECTED]) wrote:
> > Thanks for the info. I did open your attachment.
> > Now don't hurt yourself falling off your high horse. I did not write Outlook
> > Express, perhaps your bitterness would be better off directed to those that
> > did.
> 
> from a private email:
> [...]
>   The original MS-MAIL came from a Canadian company
>   that MS acquired way back. Some of the people in the
>   Redmond building 16 were veterans from that old company.
>   The reply semantics in their mail client dated back to
>   those days, before MS was even on the scene.
> [edit note: above bit refers to the top post and other M$ MUA behavior]
> 
>   Before that, in 1993 or so, I wrote a paper for a PM
>   at MS which outlined how to fixup the then 'Capone'
>   project (which was named 'Outlook' later) such that
>   it interoperated with SMTP and POP and used sensible
>   reply semantics. I didn't get that contract because the PM
>   discovered that an engineer there had independently
>   written his own Internet mail client, which was called
>   'Athena' then, and which eventually became 'Outlook Express'.
> [...]
> 
> PM == project manager
> 
> A little (perhaps) unwritten history...
> -- 
> Chief Gadgeteer
> Elegant Innovations
> 



[Full-Disclosure] Broadcast client buffer-overflow in Terminator 3 1.0

2004-03-19 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Terminator 3: War of the Machines
  http://www.t3war.com
Versions: 1.0
Platforms:Windows
Bug:  broadcast client's buffer-overflow
Risk: very high
Exploitation: remote and automatic, versus clients
Date: 19 Mar 2004
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


"Terminator 3: War of the Machines" is a multiplayer FPS game developed
by Clevers (http://www.clevers.com) and based on the homonymous Swarzy's
movie.


###

==
2) Bug
==


The bug is a broadcast buffer-overflow affecting clients.
Every time a user enters the multiplayer menu, the game contacts the
master server and then each online server automatically.
The bug happens during the usage of some vulnerable instructions that
are exactly the following:

char ServerInfoTemp[200];
...
for (int i = 0; i < strlen(ServerInfo); i++) {
ServerInfoTemp[i] = toupper(ServerInfo[i]);
}

They get a string (ServerInfo) previously generated with the server's
IP and port and all the values in its reply, after which they put this
string into a new smaller buffer (ServerInfoTemp) converting the chars
to upper case.

The effects of this bug are the usual 2 known problems:

- automatic buffer-overflow (here with the upper-case limitation)
- network Denial of service, nobody can use the game online

For those who wanna see the problem at runtime, the vulnerable instructions
in the executable of the pre-release demo are the loop between 004953d4
and 004953fe.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/t3cbof.zip


###

==
4) Fix
==


No fix.
Developers promised a patch a lot of times (for 3 months) but it has
not been released yet.


###


--- 
Luigi Auriemma
http://aluigi.altervista.org

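The advisory's loop copies ServerInfo into the 200-byte ServerInfoTemp with no length check, so a server reply longer than the buffer writes past it. As an added example (not Luigi's code and not the game's), here is the same upper-casing copy with the bound enforced, next to a check for when the original loop would have overflowed; the ServerInfo field layout used for the constructed sample replies is an assumption.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same size as the advisory's ServerInfoTemp[200]. */
#define SERVER_INFO_TEMP_LEN 200

/*
 * Does the advisory's unchecked loop write past the end of a
 * SERVER_INFO_TEMP_LEN-byte buffer for this input?  The loop writes
 * strlen(in) bytes at indices 0..strlen(in)-1, so anything longer than
 * the buffer overflows (a string that exactly fills it does not
 * overflow, but is also never NUL-terminated).
 */
int original_loop_overflows(const char *in)
{
    return strlen(in) > SERVER_INFO_TEMP_LEN;
}

/*
 * Hardened replacement for the loop.  Copies and upper-cases at most
 * outlen-1 bytes and always NUL-terminates.  Returns 0 when the whole
 * input fit, -1 when it had to be truncated; a caller should treat a
 * truncated server reply as malformed and drop that server entry
 * rather than show a partial one.
 */
int upper_copy_bounded(const char *in, char *out, size_t outlen)
{
    if (out == NULL || outlen == 0)
        return -1;
    if (in == NULL) {
        out[0] = '\0';
        return -1;
    }
    size_t n = strlen(in);
    int truncated = 0;
    if (n >= outlen) {          /* leave room for the terminator */
        n = outlen - 1;
        truncated = 1;
    }
    for (size_t i = 0; i < n; i++)
        out[i] = (char)toupper((unsigned char)in[i]);
    out[n] = '\0';
    return truncated ? -1 : 0;
}

/*
 * Build a constructed ServerInfo string of the shape the advisory
 * describes (the server's IP and port followed by the fields of its
 * reply).  The "ip:port reply" layout is an assumption for this demo,
 * not the game's real format.  Returns the length written, or -1 if
 * the result does not fit in buf.
 */
int build_server_info(const char *ip, int port, const char *reply,
                      char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "%s:%d %s", ip, port, reply);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

int main(void)
{
    char info[1024];
    char temp[SERVER_INFO_TEMP_LEN];
    char reply[512];

    /* A benign constructed reply fits and is upper-cased. */
    build_server_info("192.0.2.10", 27960, "name=Skynet map=la-2029",
                      info, sizeof info);
    printf("benign:  overflows=%d rc=%d -> %s\n",
           original_loop_overflows(info),
           upper_copy_bounded(info, temp, sizeof temp), temp);

    /* A constructed oversized reply: 400 bytes of padding in one field. */
    memset(reply, 'a', 400);
    reply[400] = '\0';
    build_server_info("192.0.2.66", 27960, reply, info, sizeof info);
    printf("hostile: overflows=%d rc=%d copied=%zu bytes\n",
           original_loop_overflows(info),
           upper_copy_bounded(info, temp, sizeof temp), strlen(temp));
    return 0;
}
```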


[Full-Disclosure] XP SP2 is out

2004-03-19 Thread Gadi Evron
http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx

	Gadi Evron.



Re: [Full-Disclosure] Administrivia (very OT, but should be addressed)

2004-03-19 Thread Cael Abal
>>"Dan's proposal is intrinsically flawed. It incorrectly assumes that the
>>sender can reasonably anticipate the recipient's needs in replying to
>>the message, and that such needs can reasonably be lumped into either
>>"reply" or "followup". It doesn't solve the real problem, which is that
>>responders need to think about where their replies go. Mail-Followup-To
>>won't decrease the number of messages that go to the wrong place."
> 
> But you can at least tell people if you want or need a separate copy
> in addition to what gets sent to the list. People who don't want separate
> copies should be setting mail-followup-to. Even if not all mail clients
> support it some do.

Bruno, did you read the objections raised in that link I provided?  I
know how Mail-Followup-To works.  I also understand there are unresolved
problems with it.

Here's that link again:

http://pm-doc.sourceforge.net/pm-tips-body.html#replyto_header

This will be my last post on the subject, but please consider that MFT
is *not* a standard (and as far as I know hasn't shown up in an RFC
since the late '90s), supported by only a handful of MUAs...  And the
(default), polite course of action has historically been not to CC folks
in mailing list posts.

Enjoy your weekend,

Cael



RE: [Full-Disclosure] NEVER open attachments

2004-03-19 Thread Frank Knobbe
On Fri, 2004-03-19 at 14:43, Staves, Steve wrote:
> I would like to second that motion.  I never open attachments, especially on
> newsgroups etc as they are a prime target.

No problem, that's yours (and VB's) choice. Just don't open anything we
post. I don't have a problem with that. I'm not quite sure how that
evolved into a thread though...

Cheers,
Frank 
(realizing that it's probably futile to respond to your post...hehe)





Re: [Full-Disclosure] Re: NEVER open attachments

2004-03-19 Thread Jim Richardson
On Fri, Mar 19, 2004 at 12:49:33PM -0800, Blue Boar wrote:
[EMAIL PROTECTED] wrote:
If anything, you should *encourage* the use of PGP or S/MIME to sign mail,
Absolutely.

because even if my machine gets whacked by a virus and starts spewing 
correctly
signed mail, you will *know* it's my machine doing it and not some
address-scraping virus on a machine in Zanzibar or someplace.
Well, if a worm nails your machine to the point where it has your 
private keys, there's nothing stopping it from carrying a copy on its 
way to Zanzibar, for purposes of spoofing as you.

We'd at least know you were compromised at one point, though. :)


Key won't do them much good if they don't have my passphrase :)

--
Jim Richardson http://www.eskimo.com/~warlock
Windows XP... now runs all your favorite viruses.




RE: [Full-Disclosure] PGP attachments (was: NEVER open attachments)

2004-03-19 Thread Frank Knobbe
On Fri, 2004-03-19 at 14:09, Jeremiah Cornelius wrote:
> They SIGN their messages, and
> some clients insist on representing inline S/MIME and OpenPGP messages as
> attachments.

BTW: I prefer to have Evolution (my email program of choice) sign
messages inline like PGP in Outlook used to do, but I can't convince
either Evolution or GPG to do so. If anyone knows of a clean hack to
trick Evolution to sign an email inline, please let me know.

Thanks,
Frank


PS: You will notice that I did not cc Jeremiah on this email since I
wasn't responding to him directly, but opening this question to the
list.  ;)





Re: [Full-Disclosure] Administrivia (very OT, but should be addressed)

2004-03-19 Thread Bruno Wolff III
On Fri, Mar 19, 2004 at 19:55:01 -0500,
  Cael Abal <[EMAIL PROTECTED]> wrote:
> 
> Bruno, did you read the objections raised in that link I provided?  I
> know how Mail-Followup-To works.  I also understand there are unresolved
> problems with it.

My argument was that it was better than not using it. It isn't a perfect
solution.
> 
> This will be my last post on the subject, but please consider that MFT
> is *not* a standard (and as far as I know hasn't shown up in an RFC
> since the late '90s), supported by only a handful of MUAs...  And the
> (default), polite course of action has historically been not to CC folks
> in mailing list posts.

I disagree that not cc'ing senders is the default in general. I think it
depends on the kind of list, and the ones I use it is typically preferred
that you cc senders unless they indicate that they shouldn't be using
a mail-followup-to header.



[Full-Disclosure] What Antivirus Should I Get

2004-03-19 Thread Nancy Kramer
Hello,

I would like list members to suggest what anti virus software I should 
get.  My Norton subscription is expiring soon and I think there may be 
something better.  Need to protect a Windows ME system and a Windows 2000 
system.

Thanks,

Nancy Kramer



Re: [Full-Disclosure] PGP attachments (was: NEVER open attachments)

2004-03-19 Thread petard
On Fri, Mar 19, 2004 at 08:13:13PM -0600, Frank Knobbe wrote:
> BTW: I prefer to have Evolution (my email program of choice) sign
> messages inline like PGP in Outlook used to do, but I can't convince
> either Evolution or GPG to do so. If anyone knows of a clean hack to
> trick Evolution to sign an email inline, please let me know.
> 
Apply the patch from bug 127521:
http://bugzilla.gnome.org/show_bug.cgi?id=127521


Alternatively, you could use an external program to do the deed. Just
paste your mail into something like seahorse (search sourceforge) and
sign it there.

hth,

petard

-- 
If your message really might be confidential, download my PGP key here:
http://petard.freeshell.org/petard.asc
and encrypt it. Otherwise, save bandwidth and lose the disclaimer.



[Full-Disclosure] Re: PGP attachments (was: NEVER open attachments)

2004-03-19 Thread gadgeteer
On Fri, Mar 19, 2004 at 08:13:13PM -0600, Frank Knobbe ([EMAIL PROTECTED]) wrote:
> BTW: I prefer to have Evolution (my email program of choice) sign
> messages inline like PGP in Outlook used to do, but I can't convince
> either Evolution or GPG to do so. If anyone knows of a clean hack to
> trick Evolution to sign an email inline, please let me know.

Early versions of Evolution used to support inline signing.  But in 
their efforts to emulate M$ this went away.  Eventually they got so 
good at pretending to be M$ that I had to switch to another email client 
so that I could get my work done.
-- 
Chief Gadgeteer
Elegant Innovations



Re: [Full-Disclosure] Re: PGP attachments (was: NEVER open attachments)

2004-03-19 Thread petard
On Fri, Mar 19, 2004 at 09:53:36PM -0700, [EMAIL PROTECTED] wrote:
> Early versions of Evolution used to support inline signing.  But in 
> their efforts to emulate M$ this went away.  Eventually they got so 
> good at pretending to be M$ that I had to switch to another email client 
> so that I could get my work done.
What do you mean, exactly, by "emulate M$" in this context? Due to a
limitation in the way the MIME data is exposed to add-ins, LookOut can
*only* support inline signing. It cannot presently support PGP/MIME,
which is the newer standard. (This is a serious defect; it means you
can't PGP sign attachments.) Adding inline signing is an attempt to
improve interop with MS and others. The reason it went away was tied to
problems supporting multibyte character sets with inline signing.

regards,

petard

-- 
If your message really might be confidential, download my PGP key here:
http://petard.freeshell.org/petard.asc
and encrypt it. Otherwise, save bandwidth and lose the disclaimer.



Re: [Full-Disclosure] NEVER open attachments

2004-03-19 Thread Jimmy Mitchener
I am with everyone else when they claim you need to find a decent MUA.
But regardless, I think you need to learn about a little friend of mine
called SYSTRACE! I don't run anything I deem insecure without it (IM
clients, mail clients, firefox, any and everything I don't trust). I
really don't see how someone can claim their system is "safe" when they
are not watching, monitoring, and setting policies for every major
application that they run on their system.
Jimmy Mitchener

VB wrote:
| NEVER open attachments
|
|
| Isn't this what we have been taught? haven't we tried to pound this simple
| rule into the heads of our users? Do we not practice what we preach? then
| why do several users of this list only send messages and replies as
| attachments?
| I'm sure
| [EMAIL PROTECTED] <[EMAIL PROTECTED]>, Nico Golde, Frank
Knobbe,
| et al have wonderful things to say and contribute great things to this
list,
| but I have never read anything they post because they post as attachments.
| Yes, granted, they are .txt attachments but that is no excuse as it's
just a
| matter of time before they are exploited. In fact, they have been
exploited,
| one can pad spaces after the .txt to hide the true extension of a
malicious
| file. more .txt exploits are probably just around the corner.
| So, why do these folks post attachments? Why is this even permitted? I
would
| love to hear what these people have to say, but I cannot break my own rule
| to find out.
|
|


[Full-Disclosure] XPSP2

2004-03-19 Thread Paul
While Service Pack 2 for XP may only be in beta, I have been running it for some time on a test machine and haven't yet broken anything.
one step at a time...

RE: [Full-Disclosure] XP SP2 is out

2004-03-19 Thread Larry Seltzer
>>http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx 

Actually, this is just release candidate 1, and we already know there will be a release
candidate 2.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
[EMAIL PROTECTED] 



[Full-Disclosure] Re: XP SP2 is *NOT* out - Only the beta release candidate is out

2004-03-19 Thread James Garrison
This is RC1 - i.e. not ready for prime time

Gadi Evron wrote:

http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx

Gadi Evron.

--
James Garrison                           Athens Group, Inc.
mailto:[EMAIL PROTECTED]                 5608 Parkcrest Dr
http://www.athensgroup.com               Austin, TX 78731
PGP: RSA=0x92E90A3B DH/DSS=0x498D331C    (512) 345-0600 x150


[Full-Disclosure] Re: XP SP2 is out

2004-03-19 Thread Hauskins, S

This is a technical preview... not recommended for production use.

On Sat, 20 Mar 2004, Gadi Evron wrote:

> http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx
>
>   Gadi Evron.
>
>

Stephen Hauskins
Academic Computing Group
Division of Physical and Biological Sciences

Where all think alike, no one thinks very much.
   Walter Lippmann

"Each problem that I solved became a rule which served afterwards to
solve other problems."
- Rene Descartes (1596-1650), "Discours de la Methode"
