[Full-Disclosure] Finally the truth slips out.

2004-08-06 Thread Feher Tamas
Hello,

From the White House website:
http://www.whitehouse.gov/news/releases/2004/08/20040805-4.html

G. W. Blush, at the signing of a defense appropriations bill, fourth 
paragraph from the bottom:

Our enemies are innovative and resourceful, and so
are we. They never stop thinking about new ways to harm
our country and our people, and neither do we

Finally the truth slips out: GWB and UBL work towards the same goal. 
Credit for the discovery goes to USENET group rec.aviation.military.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Re: [ GLSA 200408-04 ] PuTTY: Pre-authentication arbitrary code execution

2004-08-06 Thread harry
Sune Kloppenborg Jeppesen wrote:
snip
Description
===
PuTTY contains a vulnerability allowing a malicious server to execute
arbitrary code on the connecting client before host key verification.
Impact
==
When connecting to a server using the SSH2 protocol an attacker is able
to execute arbitrary code with the permissions of the user running
PuTTY by sending specially crafted packets to the client during the
authentication process but before host key verification.
snip
does this mean that everyone on the network can execute arbitrary code 
on the victim's machine by simply doing a man in the middle attack?

what other security issues are attached to this? is it only a 
vulnerability if the server you're on is not trusted? (in that case, you 
shouldn't even trust the ssh daemon and you shouldn't be there :))

--
harry
aka Rik Bobbaers
K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org
\x41\x20\x63\x6f\x6d\x70\x75\x74\x65\x72\x20\x77\x69\x74\x68\x6f\x75\x74\x20
\x57\x69\x6e\x64\x6f\x77\x73\x20\x69\x73\x20\x6c\x69\x6b\x65\x20\x61\x20\x66
\x69\x73\x68\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x61\x20\x62\x69\x63\x79\x63
\x6c\x65\x0a\x00


[Full-Disclosure] Re: MS04-025 - Ignorance is truly bliss....

2004-08-06 Thread Ferguson
On Thursday, 5 August 2004, hellNbak wrote:

 The paper slowly went sideways and turned into a large rant low on
 technical information but relevant about MS04-025, CERT, and other
 random things [...]

Despite what you would like to think, your rants are not relevant in any 
way. I do not say this because I want to insult you - heck, I happen to 
respect you - but simply because that's the way it is.

The Internet is no longer a world of hippie hacker idealists, but quite simply 
a global market. Because of lack of centralized authority overseeing it 
(wasn't that what you fought for?), it is a wild style economy, often driven 
by shoddy practices and cutting corners where customers won't notice, or
marketing on the verge of deceit. This is how we do big business - honesty,
altruism, and respect for ideals were never its strong sides, unless you
could get a tax break doing those.

But then, were the Internet and IT security still merely a hobby of a bunch
of enthusiasts, you wouldn't be getting your paycheck, would you? You
benefit from these changes, with all their side effects. You tell your
customers to buy products, not to distrust the system, to uncloak treasons,
or banish false prophets. You tell them what they want to hear, then cash 
the check so that you can afford to write rants about how the world should 
be. The problem with socialist utopias where all do their jobs best, and get
exactly what they deserve, is that they all seem to fail quite miserably
(how odd). Unjust exploitation, trickery to claim undeserved credibility or
recognition, commercialization of everything you can capitalize on - that's 
what makes a country (or an industry) great.

What do you hope to achieve, or how do you believe your opinion is being
relevant or novel, if you come to this audience, and state that CERT is no 
longer credible, and is a bunch of crooks who live off selling advance 
vulnerability warnings? Or that Microsoft is not exactly particularly devoted 
to improving security of their products and protecting their customers?




RE: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards

2004-08-06 Thread Israel Torres
Simply by exposing another vulnerability in a secure system allows judgement to be 
made on what type of hardware is necessary for the secure system (i.e. will this 
system serve as a public kiosk, or will this system be at the user's bidding?). 
Vulnerabilities should be kept to a minimum and narrow the choice of attack vectors an 
attacker may choose from when attempting to compromise a target system. Once a system 
is compromised and rooted there is little that can prevent the attacker from 
collecting what they are searching for (be it pins, passwords, source code, etc) 
before they vanish into the darkness. 

Israel Torres


-Original Message-
From: Kevin Sheldrake [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 3:39 AM
To: Toomas Soome; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Clear text password exposure in Datakey's
tokens and smartcards


Surely if the user is entering a passphrase then the same problem exists -  
that of effectively eavesdropping that communication from the keyboard?

Ignoring the initial expense for a moment, wouldn't it have made a lot of  
sense to include the keypad actually on the cards?  Obviously, card  
readers would need to be constructed such that the keypad part of the card  
would be exposed during use.  The keypad security could then rely on the  
tamper resistant properties of the rest of the card.

 From a costs perspective, I would guess that the actual per-card cost  
increase would be minimal if hundreds of millions of these cards were  
produced.

Kev


 Lionel Ferette wrote:

 Note that this is true for almost all card readers on the market, not  
 only for Datakey's. Having worked for companies using crypto smart  
 cards, I have conducted a few risk analyses about that. The conclusion  
 has always been that if the PIN must be entered from a PC, and the  
 attacker has means to install software on the system (through directed  
 viruses, social engineering, etc), the game's over.
  The only solution against that problem is to have the PIN entered  
 using a keypad on the reader. Only then does the cost of an attack  
 rise significantly. But that is opening another can of worms, because  
 there is (was?) no standard for card readers with attached pin pad (at  
 the time, PC/SCv2 wasn't finalised - is it?).


 at least some cards are supporting des passphrases to implement secured  
 communication channels but I suppose this feature is not that widely in  
 use  how many card owners are prepared to remember both PIN codes  
 and passphrases...

 toomas





-- 
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Bournemouth) Ltd



Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards

2004-08-06 Thread Seth Breidbart
Kevin Sheldrake [EMAIL PROTECTED] wrote:

 Ignoring the initial expense for a moment, wouldn't it have made a
 lot of sense to include the keypad actually on the cards?
 Obviously, card readers would need to be constructed such that the
 keypad part of the card would be exposed during use.

No, they wouldn't.  The card could remember the key typed on it for,
say, 60 seconds.

Seth



RE: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards

2004-08-06 Thread Lyal Collins
This exposure, of PIN compromise, is generic in all smartcard products today,
unless a dedicated PINpad or biometric-sensor equipped readers are used -
putting cost of ownership towards $1000 in some cases.
PC/SC doesn't help - as a data interface API spec, it excludes human
interface aspects.  STIP (Small Terminal Interoperability Platform at
www.stip.org) moves in this direction, but has evolved into many variants to
interoperate with proprietary vendors and proprietary industry standards.

The challenges in putting biometric sensors or PINpads onto cards include
the need to conform to ISO 7816 for form factor, physical resilience etc,
and that the cards are unpowered.  Or, someone redesigns the entire
form-factor, user interface model, portability and business model -
something that has previously failed to go anywhere.

Something like a mobile phone or PDA is a good compromise tool to this
overall exposure, imho.

Lyal





[Full-Disclosure] Re: MS04-025 - Ignorance is truly bliss....

2004-08-06 Thread hellNbak
On Thu, 5 Aug 2004 someone pretending to have a nmrc email addy  wrote:

 But then, were the Internet and IT security still merely a hobby of a bunch
 of enthusiasts, you wouldn't be getting your paycheck, would you? You
 benefit from these changes, with all their side effects. You tell your
 customers to buy products, not to distrust the system, to uncloak treasons,
 or banish false prophets. You tell them what they want to hear, then cash
 the check so that you can afford to write rants about how the world should
 be. The problem with socialist utopias where all do their jobs best, and get
 exactly what they deserve, is that they all seem to fail quite miserably
 (how odd). Unjust exploitation, trickery to claim undeserved credibility or
 recognition, commercialization of everything you can capitalize on - that's
 what makes a country (or an industry) great.

The only mistake you make above is that you paint the entire industry with
the same brush.  Yes, I and a lot of people make money in this industry.
We took a hobby and made it a job -- why not?  Why not get paid for
something you enjoy.  Working in this industry does not automatically make
you a false profit as you explain above.

Over the long term -- no one will benefit -- and I don't care how big the
paycheck is -- telling a client what they want to hear is not the way many
of us choose to make a living.  Sure, there are a lot of people in EVERY
industry that are willing to push ethics aside and do what it takes for
that paycheck but I know I can look myself in the mirror and say that I am
not one of those people.

Eventually the false prophets are exposed, sure they already got their
paycheck and have moved on to the next sucker but eventually they run out
of suckers and money.


 What do you hope to achieve, or how do you believe your opinion is being
 relevant or novel, if you come to this audience, and state that CERT is no
 longer credible, and is a bunch of crooks who live off selling advance
 vulnerability warnings? Or that Microsoft is not exactly particularly devoted
 to improving security of their products and protecting their customers?

I hoped to stir some shit up, perhaps give the guys over at
[EMAIL PROTECTED] a bit of a kick in the nuts as there was a time that
they were making at least a little progress.  I was hoping to draw enough
attention to this issue that perhaps someone from one of the major banks
will one day sit down and correlate the connection between vulnerabilities
such as this and losses due to fraud.  The only way that any vendor is
going to be forced to actually care about security and actually care about
users is when those users mean lots of $$$ to them.



[Full-Disclosure] New Security web site: http://exploitwatch.org

2004-08-06 Thread admin
exploitwatch.org is a mailing list aiming to keep security professionals updated
with information on new software exploits.

When new exploits make a public occurrence, the risk of being targeted by it
increases dramatically. We therefore consider this vital information to anyone
involved in the information security field. Some web-sites and mailing lists
already provide this functionality, but we have found them way too slow to
publish new updates as well as being incomplete.


Hope you enjoy this free service,
[EMAIL PROTECTED]
http://exploitwatch.org



Re: [Full-Disclosure] waa waa (was Finally the truth slips out)

2004-08-06 Thread Michael Schaefer
May not specifically be a political list, but it sure does get heated 
like one...

Lots of idiots flaming each other. Happens a lot.
In fact, I am flaming igotroot right now.
I guess I better hush now...
Back to your regularly scheduled flames
igotroot wrote:
We all make mistakes when we speak, and things come out wrong
sometimes. It's called a mistake! This isn't a political mailing list
you dumb hippy. Your weak tree hugger political opinions mean nothing.
 



[Full-Disclosure] waa waa (was Finally the truth slips out)

2004-08-06 Thread igotroot
We all make mistakes when we speak, and things come out wrong
sometimes. It's called a mistake! This isn't a political mailing list
you dumb hippy. Your weak tree hugger political opinions mean nothing.
Go vote for Nader and get my boy GWB elected again, thx!

(GWB  you  every other liberal tard)

thanks and goodnight I'll be here for the next 4 years :;;::;:;))



Re: [Full-Disclosure] New Security web site: http://exploitwatch.org

2004-08-06 Thread Harlan Carvey
What will this new service provide that isn't already
available?




RE: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards

2004-08-06 Thread Bart . Lansing

Guys...

RSA has been doing PIN cards for ages...I don't get the hangup on 
SmartCards vs plain old something you have/something you know two factor

http://www.rsasecurity.com/node.asp?id=1311

Cost of entry/ownership is nothing remotely close to the $1000 you mention 
Lyal...in fact, it's under 1/10 of that on a per seat basis...

Why get hung up on it being a smartcard, when you can do two factor with a 
much lower entry cost and do it, frankly, easier?

Bart Lansing
Manager, Desktop Services
Kohl's IT




RE: [Full-Disclosure] waa waa (was Finally the truth slips out)

2004-08-06 Thread Sean Crawford
It's a slip up in words no doubt... but he sure has a habit of that...

Does he have a speech writer?

I'm Australian so Bush is nothing more than a politician to me and we (as
Australians) don't give politicians much credit.

Who elected this guy???.*grin*

--- We all make mistakes when we speak, and things come out wrong
--- sometimes. Its called a mistake! This isn't a political mailing list
--- you dumb hippy. Your weak tree hugger political opinions mean nothing.



Re: [Full-Disclosure] New Security web site: http://exploitwatch.org

2004-08-06 Thread admin
True, but as I said: Some web-sites and mailing lists
already provide this functionality, but we have found them
way too slow to publish new updates as well as being
incomplete.

We focus on exploits only, and aim to increase awareness and publish information
faster and more systematically than existing services do.

best regards,
[EMAIL PROTECTED]

Quoting Harlan Carvey [EMAIL PROTECTED]:

 What will this new service provide that isn't already
 available?




Re: [Full-Disclosure] New Security web site: http://exploitwatch.org

2004-08-06 Thread Harlan Carvey
Thanks for the reply.

 True, but as I said: Some web-sites and mailing
 lists
 already provide this functionality, but we have
 found them
 way too slow to publish new updates as well as being
 incomplete.

Right, I caught that, too.

 We focus on exploits only, and aim to increase
 awareness and publish information
 faster and more systematically than existing
 services do.

Faster is good.  But how do you plan to address the
issue of completeness?  Also, since you're focusing
only on exploits (and not the vulnerabilities that
lead to the actual exploits), I'm really curious to
see how you plan to address completeness in that
sense.  Specifically...if a vulnerability exists, it's
clear that you're not going to address it until
someone actually exploits it.  Once the vulnerability
gets exploited, from what you've said, you're going to
publish information faster...but what information? 
In the vast majority of cases, when a company gets a
vulnerability exploited, all we hear is that they were
compromised, but not what vulnerability was actually
exploited.

Thanks.



[Full-Disclosure] Re: Microsoft Internet Explorer 6 Protocol Handler Vulnerability

2004-08-06 Thread Jouko Pynnonen

Hi,


On Thu, Aug 05, 2004 at 03:33:38PM -0400, Robillard, Nicolas wrote:
 Description : Protocol Handler allow arbitrary switch to be passed to the
 associated program.


I found this vulnerability (or class of them) in July 2003 and 
described it on several security lists on March 9th, 2004. For examples 
(actual exploitable vulnerabilities), you can try Google search for 
argument injection vulnerability or read my messages on this list 
about Outlook mailto: URL vulnerability, Windows Help and Support 
Center HCP: URL vulnerability, or Lotus Notes notes: URL vulnerability.

Thanks,



-- 
Jouko Pynnönen  Web: http://iki.fi/jouko/
[EMAIL PROTECTED]  GSM: +358 41 5504555



RE: [Full-Disclosure] Finally the truth slips out.*************OFF TOPIC***********************

2004-08-06 Thread Simmons, Thomas



*
***  OFF TOPIC  *
*








RE: [Full-Disclosure] Re: Microsoft Internet Explorer 6 Protocol Handler Vulnerability

2004-08-06 Thread Jelmer


I found this vulnerability (or class of them) in July 2003 and 
described it on several security lists on March 9th, 2004. 

There's at least one instance of prior art that I am aware of

http://cert.uni-stuttgart.de/archive/bugtraq/2001/03/msg00193.html

I think there have been more but I can't seem to find them

For examples 
(actual exploitable vulnerabilities), you can try Google search for 
argument injection vulnerability or read my messages on this list 
about Outlook mailto: URL vulnerability, Windows Help and Support 
Center HCP: URL vulnerability, or Lotus Notes notes: URL vulnerability.




Re: [Full-Disclosure] Static ARP Replies?

2004-08-06 Thread Darren Bounds
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi Dan,
What does it prevent exactly? It certainly doesn't prevent gratuitous 
ARPs nor does it prevent someone from responding with their own ARP 
replies. As far as I can tell, it's nothing more than a feeble attempt 
to route *ALL* traffic through the gateway including local subnet 
traffic. Easily subverted.

Thanks,
Darren Bounds, CISSP
443D 628D 0AC7 CACF 6085
C0E0 B2FC 534B 3D9E 69AF
- --
Intrusense - Securing Business As Usual

On Aug 5, 2004, at 11:15 PM, Dan Taylor, Jr. wrote:
I have encountered a few 802.11b public access points (I can't
remember the vendors, but they were for hotels) that seem to have
built-in ARP cache poisoning prevention.  I found it nonetheless
impressive and am looking for solutions to implement it (presumably
with my own wireless card and hostap drivers).
Here's what happens on one of these networks:
Say the AP's MAC address is DE:AD:C0:DE:CA:FE, with the IP of
192.168.1/255.255.255.0, and I send out an ARP request for hosts
192.168.1.2-254.
Say my MAC address is FE:ED:FA:CE:BE:EF, with the IP address of 
192.168.1.100
-- ARP broadcast (source FE:ED:FA:CE:BE:EF destination 
FF:FF:FF:FF:FF:FF)
-- Who has 192.168.1.2?  Tell 192.168.1.100

-- ARP Reply (source DE:AD:C0:DE:CA:FE, destination FE:ED:FA:CE:BE:EF)
-- 192.168.1.2 is at DE:AD:C0:DE:CA:FE
I'm assuming this is a rather effective way of not only preventing ARP
poisoning attacks, but making it so that all communication is
virtually done between the client and the access point).
Has anyone seen this feature implemented in any other access points?
To what extent does this work and/or its behavior on layer-2
broadcasting or client to client (mac address to mac address)
communications?
Thanks.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFBE2vtsvxTSz2eaa8RAkuxAJ4nfkPZB4fzYyuRJVzgNbg3svARqgCePjTf
fzuZ7t1FOZku2hYTha53GJY=
=Fy2C
-END PGP SIGNATURE-
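
The two points in the exchange above, as an added example that is not part of either post: an access point that answers every ARP request with its own MAC shows up as one MAC bound to many IPs, and a second station can still send its own reply for the same IP, which a client sees as a conflicting binding. The frames are constructed from the addresses in the post; the station MAC 02:00:00:00:00:99 and the threshold of 3 are assumptions made for the illustration.

```python
import struct
from collections import defaultdict

ARP_ETHERTYPE = 0x0806
ARP_REPLY = 2


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02X}" for b in raw)


def ip_bytes(text):
    return bytes(int(part) for part in text.split("."))


def ip_text(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed Ethernet + ARP reply frame (IPv4 over Ethernet)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, _tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"oper": oper, "sender_mac": mac_text(sha), "sender_ip": ip_text(spa)}


def analyse(frames, many_ips_threshold=3):
    """Summarise ARP replies seen by a client.

    Returns (answer_for_all, conflicts):
      answer_for_all - MACs that claimed at least many_ips_threshold IPs
                       (the access point behaviour described in the post)
      conflicts      - IPs for which more than one MAC sent a reply
    """
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt is None or pkt["oper"] != ARP_REPLY:
            continue
        ips_by_mac[pkt["sender_mac"]].add(pkt["sender_ip"])
        macs_by_ip[pkt["sender_ip"]].add(pkt["sender_mac"])
    answer_for_all = sorted(
        mac for mac, ips in ips_by_mac.items() if len(ips) >= many_ips_threshold
    )
    conflicts = {
        ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1
    }
    return answer_for_all, conflicts


AP_MAC = "DE:AD:C0:DE:CA:FE"          # from the post
CLIENT_MAC = "FE:ED:FA:CE:BE:EF"      # from the post
CLIENT_IP = "192.168.1.100"           # from the post
OTHER_MAC = "02:00:00:00:00:99"       # constructed: another station on the subnet

# Constructed capture: the AP answers for three hosts, then another station
# sends its own reply for 192.168.1.2.
SAMPLE_FRAMES = [
    build_arp_reply(AP_MAC, "192.168.1.2", CLIENT_MAC, CLIENT_IP),
    build_arp_reply(AP_MAC, "192.168.1.3", CLIENT_MAC, CLIENT_IP),
    build_arp_reply(AP_MAC, "192.168.1.4", CLIENT_MAC, CLIENT_IP),
    build_arp_reply(OTHER_MAC, "192.168.1.2", CLIENT_MAC, CLIENT_IP),
]

if __name__ == "__main__":
    answer_for_all, conflicts = analyse(SAMPLE_FRAMES)
    print("MACs answering for many IPs:", answer_for_all)
    print("IPs with conflicting replies:", conflicts)
```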


Re: [Full-Disclosure] waa waa (was Finally the truth slips out)

2004-08-06 Thread Michael Gargiullo

One thing to keep in mind.

Arguing on the internet is a lot like winning the Special Olympics...
Even if you win, you're still retarded...

Agree to disagree, and move on.



Re: [Full-Disclosure] Re: MS04-025 - Ignorance is truly bliss....

2004-08-06 Thread George Capehart
On Thursday 05 August 2004 18:49, hellNbak allegedly wrote:
 On Thu, 5 Aug 2004 someone pretending to have a nmrc email addy wrote:

snip


 The only mistake you make above is that you paint the entire industry
 with the same brush.  Yes, I and a lot of people make money in this
 industry. We took a hobby and made it a job -- why not?  Why not get
 paid for something you enjoy.  Working in this industry does not
 automatically make you a false profit as you explain above.

 Over the long term -- no one will benefit -- and I don't care how big
 the paycheck is -- telling a client what they want to hear is not the
 way many of us choose to make a living.  Sure, there are a lot of
 people in EVERY industry that are willing to push ethics aside and do
 what it takes for that paycheck but I know I can look myself in the
 mirror and say that I am not one of those people.

 Eventually the false prophets are exposed, sure they already got
 their paycheck and have moved on to the next sucker but eventually
 they run out of suckers and money.

  What do you hope to achieve, or how do you believe your opinion is
  being relevant or novel, if you come to this audience, and state
  that CERT is no longer credible, and is a bunch of crooks who live
  off selling advance vulnerability warnings? Or that Microsoft is
  not exactly particularly devoted to improving security of their
  products and protecting their customers?

 I hoped to stir some shit up, perhaps give the guys over at
 [EMAIL PROTECTED] a bit of a kick in the nuts as there was a time
 that they were making at least a little progress.  I was hoping to
 draw enough attention to this issue that perhaps someone from one of
 the major banks will one day sit down and correlate the connection
 between vulnerabilities such as this and losses due to fraud.  The
 only way that any vendor is going to be forced to actually care about
 security and actually care about users is when those users mean lots
 of $$$ to them.

There just might be some hope . . . check out this white paper from PWC 
on Integrity-Driven Performance.
http://www.cfodirect.com/cfopublic.nsf/f19696b6432afb8b8525690a000c9f67/86a39deb761f514d85256e3f00641442/$FILE/PWC_GRC_WP.pdf

(URL might wrap).  You can get it from Google if you search on 
pwc_grc_wp.pdf . . .

Cheers,

/g



RE: [Full-Disclosure] Defcon spelled half backwards is Fedcon and you dumfucks walked into a trap

2004-08-06 Thread Thomas Ryan
Out of the 20-30 FEDS you can spot at DEFCON... there is usually 2 or 3 you
would never ever guess as a FED. They are the ones sitting next to you
drinking and watching porn at a CDC Party or 23.ORG party.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Todd Towles
Sent: Thursday, August 05, 2004 09:45
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Defcon spelled half backwards is Fedcon and
you dumfucks walked into a trap

Well, it doesn't better if they are Feds, they look like one. That is what
counts..lol

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick FitzGerald
Sent: Thursday, August 05, 2004 4:09 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Defcon spelled half backwards is Fedcon and
you dumfucks walked into a trap

Exibar wrote:

 Of course there are Feds at DefCon  how else would we be able to play
 Spot the Fed without the Feds?  :-)

Well, given the horrific false-positive rate at previous events, I 
doubt Defcon would need any actual feds to have a successful game of 
Spot the Feds...


Regards,

Nick FitzGerald


[Full-Disclosure] follow up question...

2004-08-06 Thread kyle stapp



Hey there everyone,

No answer to the question here...just another one.
I caught this and got thinking...I don't know near enough about wireless
systems so here's a question in addition to his. Does that really make it
more secure (prevent ARP poisoning). Doesn't that make it easier to
corrupt the network? How hard would it be to assume the identity of the
AP?
What happens if two APs with the same IP and MAC attempt to get on the same
network? I've been reading and heard a lot more about people infiltrating by
setting up their own rogue APs. If I don't understand this right let me
know.
I believe from what has been said that this system forces all communication
to be sent to the AP and the AP handles routing it to the true destination.
ie
Source=192.168.1.34 FE:EF:FA:CE:BE:EF
Dest=192.168.1.35 FE:EF:FA:CE:BE:EE
AP=192.168.1/255.255.255.0 DE:AD:C0:DE:CA:FE
Situation: Source wants to send to Dest.
Source queries as in previous email...Source sends to DE:AD:C0:DE:CA:FE.
AP re-routes this to FE:EF:FA:CE:BE:EE.

- Original Message -
From: "Dan Taylor, Jr." [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 11:15 PM
Subject: [Full-Disclosure] Static ARP Replies?

 I have encountered a few 802.11b public access points (I can't
 remember the vendors, but they were for hotels) that seem to have
 built-in ARP cache poisoning prevention. I found it nonetheless
 impressive and am looking for solutions to implement it (presumably
 with my own wireless card and hostap drivers).

 Here's what happens on one of these networks:

 Say the AP's MAC address is DE:AD:C0:DE:CA:FE, with the IP of
 192.168.1/255.255.255.0, and I send out an ARP request for hosts
 192.168.1.2-254.

 Say my MAC address is FE:ED:FA:CE:BE:EF, with the IP address of
 192.168.1.100
 -- ARP broadcast (source FE:ED:FA:CE:BE:EF destination
 FF:FF:FF:FF:FF:FF)
 -- Who has 192.168.1.2? Tell 192.168.1.100

 -- ARP Reply (source DE:AD:C0:DE:CA:FE, destination FE:ED:FA:CE:BE:EF)
 -- 192.168.1.2 is at DE:AD:C0:DE:CA:FE

 I'm assuming this is a rather effective way of not only preventing ARP
 poisoning attacks, but making it so that all communication is
 virtually done between the client and the access point).
 Has anyone seen this feature implemented in any other access points?
 To what extent does this work and/or its behavior on layer-2
 broadcasting or client to client (mac address to mac address)
 communications?

 Thanks.
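The exchange described in the quoted post, replayed as an added example that is not part of either message: it builds the ARP frames with the addresses given above, parses them back, and separates the two situations the thread asks about, one MAC answering for many IPs (the AP behaviour) and one IP claimed by more than one MAC. The third station's MAC, the reply for 192.168.1.3 from it, and the threshold of three are constructed for the example.

```python
import struct
from collections import defaultdict

ETH_ARP, OP_REQUEST, OP_REPLY = 0x0806, 1, 2

# Addresses taken from the post; OTHER is a constructed third station.
AP = "DE:AD:C0:DE:CA:FE"
CLIENT = "FE:ED:FA:CE:BE:EF"
OTHER = "02:00:00:00:00:99"
BROADCAST = "FF:FF:FF:FF:FF:FF"


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ip(text):
    return bytes(int(part) for part in text.split("."))


def fmt_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, eth_dst, sha, spa, tha, tpa):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    eth = _mac(eth_dst) + _mac(sha) + struct.pack("!H", ETH_ARP)
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + hdr + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa)


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4/Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "eth_src": fmt_mac(frame[6:12]),
        "sha": fmt_mac(frame[22:28]), "spa": fmt_ip(frame[28:32]),
        "tha": fmt_mac(frame[32:38]), "tpa": fmt_ip(frame[38:42]),
    }


def analyse_replies(frames, proxy_threshold=3):
    """Group ARP replies by sender and report the two patterns of interest.

    proxy_macs: a MAC that answered for at least proxy_threshold IPs, which is
                what the AP in the post does for every host it is asked about.
    conflicts:  an IP that more than one MAC claimed. The capture alone cannot
                say which claimant is legitimate, only that they disagree.
    """
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != OP_REPLY:
            continue
        ip_to_macs[pkt["spa"]].add(pkt["sha"])
        mac_to_ips[pkt["sha"]].add(pkt["spa"])
    return {
        "proxy_macs": {m: sorted(ips) for m, ips in mac_to_ips.items()
                       if len(ips) >= proxy_threshold},
        "conflicts": {ip: sorted(macs) for ip, macs in ip_to_macs.items()
                      if len(macs) > 1},
    }


def sample_capture():
    """Constructed capture: the client asks for three hosts, the AP answers all."""
    frames = []
    for host in ("192.168.1.2", "192.168.1.3", "192.168.1.4"):
        frames.append(build_arp(OP_REQUEST, BROADCAST, CLIENT, "192.168.1.100",
                                "00:00:00:00:00:00", host))
        frames.append(build_arp(OP_REPLY, CLIENT, AP, host,
                                CLIENT, "192.168.1.100"))
    # Constructed: a second station also claims 192.168.1.3.
    frames.append(build_arp(OP_REPLY, CLIENT, OTHER, "192.168.1.3",
                            CLIENT, "192.168.1.100"))
    return frames


if __name__ == "__main__":
    report = analyse_replies(sample_capture())
    for mac, ips in report["proxy_macs"].items():
        print(f"{mac} answers for {len(ips)} IPs: {', '.join(ips)}")
    for ip, macs in report["conflicts"].items():
        print(f"{ip} is claimed by {', '.join(macs)}")
```

On a network that behaves as the post describes, every client's ARP cache maps every neighbour to the AP's MAC, so a second claimant for any IP stands out immediately in this report.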



Re: [Full-Disclosure] Re: MS04-025 - Ignorance is truly bliss....

2004-08-06 Thread Barry Fitzgerald
[EMAIL PROTECTED] wrote:
On Thursday, 5 August 2004, hellNbak wrote:
 

The Internet is no longer a world of hippie hacker idealists, but quite simply 
a global market. Because of lack of centralized authority overseeing it 
(wasn't that what you fought for?), it is a wild style economy, often driven 
by shoddy practices and cutting corners where customers won't notice, or
marketing on the verge of deceit. This is how we do big business - honesty,
altruism, and respect for ideals were never its strong sides, unless you
could get a tax break doing those.

 

I agree with this...

But then, were the Internet and IT security still merely a hobby of a bunch
of enthusiasts, you wouldn't be getting your paycheck, would you? 

I disagree here -- unless you're going to try to prove that those who 
created this technology weren't paid.  We have tons of examples of 
so-called hippy idealists getting paid relatively large sums of money 
for their work over the past 30+ years.

You benefit from these changes, with all their side effects. You tell your
customers to buy products, not to distrust the system, to uncloak treasons,
or banish false prophets. You tell them what they want to hear, then cash 
the check so that you can afford to write rants about how the world should 
be. The problem with socialist utopias where all do their jobs best, and get
exactly what they deserve, is that they all seem to fail quite miserably
(how odd). Unjust exploitation, trickery to claim undeserved credibility or
recognition, commercialization of everything you can capitalize on - that's 
what makes a country (or an industry) great.

 

First of all, there hasn't been a single socialist utopia that actually 
subscribed to its own stated ideals.

All of the supposed Socialist/Communist systems were fascist-style 
command economies which had much more in common with global capitalism 
than they ever did their socialist roots.  So, I fail to see the 
comparison.  The assumptions you're making are very Ayn Rand in their 
style... meaning that you're making the one capital failure that most 
cold-war economists made: that one could simply believe the propaganda 
laid out by groups on both sides of the economic ideological debate.

Reality, as has been slowly exposed, is much more complex. 

The same is true of the Internet.  Without the idealists the 
anarcho-capitalists that you're lauding here would never have been able 
to take root as they did.  We, the idealistic, want a playground for all 
with respect for those around you -- meanwhile, they want to smother all 
who stand in their way of getting profit, be they competition, 
idealists, or their own users.

I suppose the old saying must surely be true: there is a sucker born 
every minute.  Because without that fact, the anarcho-capitalists of the 
world would have been exposed long ago.

Profit and resource-gain are ultimately generated through the economic 
system operating properly.  This means that the tools of the economic 
system must operate properly.  The wheeling and dealing and excuse 
making of the anarcho-capitalists may make significant profits for them 
short term, but long term we all pay a much heavier price.  This is the 
story that is told in the so-called socialist utopias that you cite -- 
they didn't fail because they were socialist, they failed because their 
leaders were frauds who cared more for their own short-term profit than 
they did the long-term sustainability of the state.

The system that you're discussing above will ultimately succumb to its 
own weight.  It is an inevitable law of economics. 

What do you hope to achieve, or how do you believe your opinion is being
relevant or novel, if you come to this audience, and state that CERT is no 
longer credible, and is a bunch of crooks who live off selling advance 
vulnerability warnings? Or that Microsoft is not exactly particularly devoted 
to improving security of their products and protecting their customers?

 

A better question is what does anyone hope to achieve by griping about 
something?  Perhaps increasing the rate of change?

 -Barry


Re: [Full-Disclosure] waa waa (was Finally the truth slips out)

2004-08-06 Thread Valdis . Kletnieks
On Sat, 07 Aug 2004 00:16:46 +1000, Sean Crawford [EMAIL PROTECTED]  said:

 Who elected this guy???.*grin*

The Supreme Court. :)




Re: [Full-Disclosure] Re: MS04-025 - Ignorance is truly bliss....

2004-08-06 Thread Georgi Guninski
you respect hellNbak?
please stop smoking bad stuff ;)

georgi

On Thu, Aug 05, 2004 at 05:48:50PM -0400, [EMAIL PROTECTED] wrote:
 On Thursday, 5 August 2004, hellNbak wrote:
 
 Despite of what you would like to think, your rants are not relevant in any 
 way. I do not say this because I want to insult you - heck, I happen to 
 respect you - but simply because that's the way it is.
 



RE: [Full-Disclosure] waa waa (was Finally the truth slips out)

2004-08-06 Thread Todd Towles
He does have a speech writer. But he is from Texas (as am I) and we do have
a way of talking down here that is different than most places. =)

Some are worse than others of course. I mess up all the time when I talk -
my mind goes faster than my mouth. But that seems to be common among
computer people so=)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sean Crawford
Sent: Friday, August 06, 2004 9:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] waa waa (was Finally the truth slips out)

It's a slip up in words no doubt... but he sure has a habit of that...

Does he have a speech writer?

I'm Australian so Bush is nothing more than a politician to me and we (as
Australians) don't give politicians much credit.

Who elected this guy???.*grin*

--- We all make mistakes when we speak, and things come out wrong
--- sometimes. It's called a mistake! This isn't a political mailing list
--- you dumb hippy. Your weak tree hugger political opinions mean nothing.



[Full-Disclosure] perhaps outsourcing needs a closer look by some companies;;

2004-08-06 Thread Ron DuFresne

August 05, IDG News Service - Source code stolen from U.S. software
company in India. Jolly Technologies, a division of U.S. company Jolly
Inc., reported Wednesday, August 4, that an insider at its research and
development center in Mumbai, India, stole portions of the source code and
confidential design documents relating to one of its key products. As a
result, the company has halted all development at the center. A recently
hired software engineer used her Yahoo e-mail account to upload and ship
the copied files out of the research facility. Most U.S.-based software
companies require their employees to sign an employment agreement that
prohibits them from carrying the company's source code out of a
development facility or transferring it in any way.


Though the Indian branch of Jolly Technologies requires employees to sign
a similar employment agreement, the sluggish Indian legal system and the
absence of intellectual property laws make it nearly impossible to
enforce such agreements, the company said.
Source:
http://www.computerworld.com/governmenttopics/government/legalissues/story/0,10801,95045,00.html

Thanks,

Ron DuFresne
~~
Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation. -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.



[Full-Disclosure] Re: NMRC article and followup

2004-08-06 Thread Glenn_Everhart
Ah, some of us in banks are aware of fraud and working on some
answers. We'll see if they help.

Recall my analogy of the work of info security to that of building
fortifications. The first guy who thought of wide low sloped earth
banks to resist cannon fire probably didn't want to give his adversaries
advance notice in which to devise digging machines either.

Didn't care for the white paper though. I prefer to look at how
people live and wrt computer security, how often they ask what
the security implications of anything they do are. By their fruits
shall ye know them... (Also: Use the source, Luke!)

;-)

Glenn Everhart


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of George
Capehart
Sent: Friday, August 06, 2004 11:49 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Re: MS04-025 - Ignorance is truly
bliss


On Thursday 05 August 2004 18:49, hellNbak allegedly wrote:
 On Thu, 5 Aug 2004 someone pretending to have a nmrc email addy wrote:

snip


 The only mistake you make above is that you paint the entire industry
 with the same brush.  Yes, I and a lot of people make money in this
 industry. We took a hobby and made it a job -- why not?  Why not get
 paid for something you enjoy.  Working in this industry does not
 automatically make you a false prophet as you explain above.

 Over the long term -- no one will benefit -- and I don't care how big
 the paycheck is -- telling a client what they want to hear is not the
 way many of us choose to make a living.  Sure, there are a lot of
 people in EVERY industry that are willing to push ethics aside and do
 what it takes for that paycheck but I know I can look myself in the
 mirror and say that I am not one of those people.

 Eventually the false prophets are exposed, sure they already got
 their paycheck and have moved on to the next sucker but eventually
 they run out of suckers and money.

  What do you hope to achieve, or how do you believe your opinion is
  being relevant or novel, if you come to this audience, and state
  that CERT is no longer credible, and is a bunch of crooks who live
  off selling advance vulnerability warnings? Or that Microsoft is
  not exactly particularly devoted to improving security of their
  products and protecting their customers?

 I hoped to stir some shit up, perhaps give the guys over at
 [EMAIL PROTECTED] a bit of a kick in the nuts as there was a time
 that they were making at least a little progress.  I was hoping to
 draw enough attention to this issue that perhaps someone from one of
 the major banks will one day sit down and correlate the connection
 between vulnerabilities such as this and losses due to fraud.  The
 only way that any vendor is going to be forced to actually care about
 security and actually care about users is when those users mean lots
 of $$$ to them.

There just might be some hope . . . check out this white paper from PWC 
on Integrity-Driven Performance.
http://www.cfodirect.com/cfopublic.nsf/f19696b6432afb8b8525690a000c9f67/86a39deb761f514d85256e3f00641442/$FILE/PWC_GRC_WP.pdf

(URL might wrap).  You can get it from Google if you search on 
pwc_grc_wp.pdf . . .

Cheers,

/g


RE: [Full-Disclosure] follow up question...

2004-08-06 Thread Fleutot, Yann



I don't see what is so special here. The fact that all communications are
routed through the access point is the usual way in the WiFi infrastructure
mode. Maybe you should look at the differences between the 2 WiFi modes:
infrastructure and ad hoc.
For me, the infrastructure mode is the most usual.

  -Original Message-
  From: kyle stapp [mailto:[EMAIL PROTECTED]
  Sent: Friday, August 6, 2004 15:20
  To: [EMAIL PROTECTED]
  Subject: [Full-Disclosure] follow up question...

  Hey there everyone,

  No answer to the question here...just another one.
  I caught this and got thinking...I don't know near enough about wireless
  systems so here's a question in addition to his. Does that really make it
  more secure (prevent ARP poisoning). Doesn't that make it easier to
  corrupt the network? How hard would it be to assume the identity of the
  AP?
  What happens if two APs with the same IP and MAC attempt to get on the same
  network? I've been reading and heard a lot more about people infiltrating by
  setting up their own rogue APs. If I don't understand this right let me
  know.
  I believe from what has been said that this system forces all communication
  to be sent to the AP and the AP handles routing it to the true destination.
  ie
  Source=192.168.1.34 FE:EF:FA:CE:BE:EF
  Dest=192.168.1.35 FE:EF:FA:CE:BE:EE
  AP=192.168.1/255.255.255.0 DE:AD:C0:DE:CA:FE
  Situation: Source wants to send to Dest.
  Source queries as in previous email...Source sends to DE:AD:C0:DE:CA:FE.
  AP re-routes this to FE:EF:FA:CE:BE:EE.

  - Original Message -
  From: "Dan Taylor, Jr." [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Thursday, August 05, 2004 11:15 PM
  Subject: [Full-Disclosure] Static ARP Replies?

   I have encountered a few 802.11b public access points (I can't
   remember the vendors, but they were for hotels) that seem to have
   built-in ARP cache poisoning prevention. I found it nonetheless
   impressive and am looking for solutions to implement it (presumably
   with my own wireless card and hostap drivers).

   Here's what happens on one of these networks:

   Say the AP's MAC address is DE:AD:C0:DE:CA:FE, with the IP of
   192.168.1/255.255.255.0, and I send out an ARP request for hosts
   192.168.1.2-254.

   Say my MAC address is FE:ED:FA:CE:BE:EF, with the IP address of
   192.168.1.100
   -- ARP broadcast (source FE:ED:FA:CE:BE:EF destination
   FF:FF:FF:FF:FF:FF)
   -- Who has 192.168.1.2? Tell 192.168.1.100

   -- ARP Reply (source DE:AD:C0:DE:CA:FE, destination FE:ED:FA:CE:BE:EF)
   -- 192.168.1.2 is at DE:AD:C0:DE:CA:FE

   I'm assuming this is a rather effective way of not only preventing ARP
   poisoning attacks, but making it so that all communication is
   virtually done between the client and the access point).
   Has anyone seen this feature implemented in any other access points?
   To what extent does this work and/or its behavior on layer-2
   broadcasting or client to client (mac address to mac address)
   communications?

   Thanks.


Re: [Full-Disclosure] waa waa (was Finally the truth slips out)

2004-08-06 Thread Mary Landesman
 It's a slip up in words no doubt

Would that be a Freudian slip? : P

-- Mary



[Full-Disclosure] [OpenPKG-SA-2004.036] OpenPKG Security Advisory (cvstrac)

2004-08-06 Thread OpenPKG
OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
[EMAIL PROTECTED]                                       [EMAIL PROTECTED]
OpenPKG-SA-2004.036                                          06-Aug-2004

Package:             cvstrac
Vulnerability:       arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= cvstrac-1.1.3-20040505   >= cvstrac-1.1.3-20040806
OpenPKG 2.1          <= cvstrac-1.1.3-2.1.0      >= cvstrac-1.1.3-2.1.1
OpenPKG 2.0          <= cvstrac-1.1.2-2.0.0      >= cvstrac-1.1.2-2.0.1

Dependent Packages:  none

Description:
  As reported on BugTraq [1], Richard Ngo discovered a vulnerability
  in the CVS repository web browsing tool CVSTrac [2]. If properly
  exploited an attacker can execute arbitrary code on the CVSTrac host
  with the privileges of the associated web server.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q cvstrac". If you have the "cvstrac" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6] and fetch it from the OpenPKG FTP service [7][8] or a mirror
  location. Verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.1, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.1/UPD
  ftp> get cvstrac-1.1.3-2.1.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig cvstrac-1.1.3-2.1.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild cvstrac-1.1.3-2.1.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/cvstrac-1.1.3-2.1.1.*.rpm

Addendum:
  Although simply upgrading the affected CVSTrac installation
  does remove the vulnerability in question, the existing CVSTrac
  configuration should be corrected on the underlying SQLite level as
  well. Repeat the following for all project databases:

  $ <prefix>/bin/sqlite <prefix>/var/cvstrac/<project>.db
  sqlite> select value from config where name='filediff';
  rcsdiff -q -r%V1 -r%V2 -u '%F'
  sqlite> select value from config where name='filelist';
  co -q -p%V '%F' | diff -c /dev/null -
  sqlite> .exit

  Any commands using version or file replacements (%V, %V1, %V2, %F) but
  lacking single quotes (') around them should be corrected:

  $ <prefix>/bin/sqlite <prefix>/var/cvstrac/<project>.db
  sqlite> update config
     ...> set value="rcsdiff -q -r'%V1' -r'%V2' -u '%F'"
     ...> where name='filediff';
  sqlite> update config
     ...> set value="co -q -p '%V' '%F' | diff -c /dev/null -"
     ...> where name='filelist';
  sqlite> .exit

  An identical result can be achieved by logging in to the CVSTrac
  project pages as the user 'setup'. Select 'Diff Programs' from the
  'Setup Menu', and then review both HTML input fields for missing
  single quotes as shown.


References:
  [1] http://www.securityfocus.com/archive/1/370955/2004-08-03/2004-08-09/0
  [2] http://www.cvstrac.org/
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.1/UPD/cvstrac-1.1.3-2.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.0/UPD/cvstrac-1.1.2-2.0.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.1/UPD/
  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  [9] http://www.openpkg.org/security.html#signature


For security reasons, this advisory was digitally signed with the
OpenPGP public key OpenPKG [EMAIL PROTECTED] (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
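The review step in the advisory's Addendum, written out as an added example (not OpenPKG or CVSTrac code): it reads the filediff and filelist command templates from a config table and reports every %V, %V1, %V2 or %F that does not sit inside single quotes. The database is a constructed in-memory one holding the values shown in the advisory; the column types and the helper names are assumptions of this example.

```python
import sqlite3

# Longest names first so that "%V1" is not reported as "%V".
PLACEHOLDERS = ("%V1", "%V2", "%V", "%F")

# Command templates as printed in the advisory, before and after the fix.
BEFORE = {
    "filediff": "rcsdiff -q -r%V1 -r%V2 -u '%F'",
    "filelist": "co -q -p%V '%F' | diff -c /dev/null -",
}
AFTER = {
    "filediff": "rcsdiff -q -r'%V1' -r'%V2' -u '%F'",
    "filelist": "co -q -p '%V' '%F' | diff -c /dev/null -",
}


def unquoted_placeholders(command):
    """Return the placeholders in a command template that are not inside
    single quotes, in order of appearance.

    Double quotes do not count as protection: the advisory asks for single
    quotes, and a single quote inside double quotes does not open a string.
    """
    found, i = [], 0
    in_single = in_double = False
    while i < len(command):
        ch = command[i]
        if in_single:
            # Inside '...' nothing is special except the closing quote.
            in_single = ch != "'"
            i += 1
        elif ch == "\\":
            i += 2  # skip the escaped character
        elif ch == '"':
            in_double = not in_double
            i += 1
        elif ch == "'" and not in_double:
            in_single = True
            i += 1
        else:
            for name in PLACEHOLDERS:
                if command.startswith(name, i):
                    found.append(name)
                    i += len(name)
                    break
            else:
                i += 1
    return found


def audit_config(conn, names=("filediff", "filelist")):
    """Map each configured command name to its list of unquoted placeholders."""
    report = {}
    for name in names:
        row = conn.execute(
            "SELECT value FROM config WHERE name = ?", (name,)
        ).fetchone()
        if row is not None:
            report[name] = unquoted_placeholders(row[0])
    return report


def sample_db(values):
    """Constructed stand-in for a project database: config(name, value)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE config(name TEXT PRIMARY KEY, value TEXT)")
    conn.executemany("INSERT INTO config VALUES (?, ?)", list(values.items()))
    return conn


if __name__ == "__main__":
    for label, values in (("before", BEFORE), ("after", AFTER)):
        for name, bad in audit_config(sample_db(values)).items():
            status = "needs quoting: " + ", ".join(bad) if bad else "ok"
            print(f"{label:6} {name:9} {status}")
```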


[Full-Disclosure] SP is here (soon) !

2004-08-06 Thread Marc Rees
Go to :
http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default810.mspx
I'm French. So I select France in country section. And select Windows 
XP SP french CD in language section. Last click on Order now.

Microsoft VBScript compilation  error '800a03f6' Expected 'End'
?, line 0'
Someone needs SP3 ;)
Marc Rees
www.acbm.com


RE: [Full-Disclosure] follow up question...

2004-08-06 Thread Todd Towles









Preventing ARP poisoning is a very good
security measure, but I am not sure how they made it do it in this case.

If you don't know what ARP poisoning
is and why it is dangerous, then google it.

An AP is basically a normal router but for
wireless. ARP poisoning allows for sniffing packets on switched network (not
really important on the wireless side, since you can sniff them out of the air)
and is the start of man-in-the-middle attacks most of the time.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of kyle stapp
Sent: Friday, August 06, 2004 8:20 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] follow up question...

Hey there everyone,

No answer to the question here...just another one.
I caught this and got thinking...I don't know near enough about wireless
systems so here's a question in addition to his. Does that really make it
more secure (prevent ARP poisoning). Doesn't that make it easier to
corrupt the network? How hard would it be to assume the identity of the
AP?
What happens if two APs with the same IP and MAC attempt to get on the same
network? I've been reading and heard a lot more about people infiltrating by
setting up their own rogue APs. If I don't understand this right let me
know.
I believe from what has been said that this system forces all communication
to be sent to the AP and the AP handles routing it to the true destination.
ie
Source=192.168.1.34 FE:EF:FA:CE:BE:EF
Dest=192.168.1.35 FE:EF:FA:CE:BE:EE
AP=192.168.1/255.255.255.0 DE:AD:C0:DE:CA:FE
Situation: Source wants to send to Dest.
Source queries as in previous email...Source sends to DE:AD:C0:DE:CA:FE.
AP re-routes this to FE:EF:FA:CE:BE:EE.
- Original Message - 
From: Dan Taylor, Jr. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 11:15 PM
Subject: [Full-Disclosure] Static ARP Replies?


 I have encountered a few 802.11b public access points (I can't
 remember the vendors, but they were for hotels) that seem to have
 built-in ARP cache poisoning prevention. I found it nonetheless
 impressive and am looking for solutions to implement it (presumably
 with my own wireless card and hostap drivers).

 Here's what happens on one of these networks:

 Say the AP's MAC address is DE:AD:C0:DE:CA:FE, with the IP of
 192.168.1/255.255.255.0, and I send out an ARP request for hosts
 192.168.1.2-254.

 Say my MAC address is FE:ED:FA:CE:BE:EF, with the IP address of
192.168.1.100
 -- ARP broadcast (source FE:ED:FA:CE:BE:EF destination
FF:FF:FF:FF:FF:FF)
 -- Who has 192.168.1.2? Tell 192.168.1.100

 -- ARP Reply (source DE:AD:C0:DE:CA:FE, destination FE:ED:FA:CE:BE:EF)
 -- 192.168.1.2 is at DE:AD:C0:DE:CA:FE

 I'm assuming this is a rather effective way of not only preventing ARP
 poisoning attacks, but making it so that all communication is
 virtually done between the client and the access point).
 Has anyone seen this feature implemented in any other access points?
 To what extent does this work and/or its behavior on layer-2
 broadcasting or client to client (mac address to mac address)
 communications?

 Thanks.


RE: [Full-Disclosure] waa waa (was Finally the truth slips out)

2004-08-06 Thread full-disclosure
Sean Crawford wrote:

 It's a slip up in words no doubt... but he sure has a habit of that...

[snip]

This was not a mistake on his part. We Americans are always looking for new and 
innovative ways to harm our country and our people, as are the Brits, the Aussies, the 
Russians, the Chinese, and every other country with an organised defence.

It's the age old concept of Know thy enemy. Something that we as IT security 
specialists understand and work hard at every day.

--- We all make mistakes when we speak, and things come out wrong
--- sometimes. It's called a mistake! This isn't a political mailing list
--- you dumb hippy. Your weak tree hugger political opinions mean nothing.



Re: [Full-Disclosure] waa waa (was Finally the truth slips out)

2004-08-06 Thread Jason

[EMAIL PROTECTED] wrote:
On Sat, 07 Aug 2004 00:16:46 +1000, Sean Crawford [EMAIL PROTECTED]  said:

Who elected this guy???.*grin*

The Supreme Court. :)

Excellent to see this posted, it was more of an appointment wasn't it :-)
And why does this have anything to do with security? Well a few things 
come to mind.

1) The Patriot act allowing the abuse of technology and power that 
affects us all.

2) Do you want your country invaded based on shoddy information 
presented as truth?

3) Electronic voting in its current form makes that much easier.



Re: [Full-Disclosure] waa waa (was Finally the truth slips out)

2004-08-06 Thread Paul Schmehl
--On Friday, August 06, 2004 01:40:58 PM -0400 Jason [EMAIL PROTECTED] 
wrote:
[EMAIL PROTECTED] wrote:
On Sat, 07 Aug 2004 00:16:46 +1000, Sean Crawford [EMAIL PROTECTED]
said:

Who elected this guy???.*grin*

The Supreme Court. :)

Excellent to see this posted, it was more of an appointment wasn't it :-)
No, it's not excellent.  There are tons of places on the web to spread this 
crap.  This is not one of them.

And why does this have anything to do with security? Well a few things
come to mind.
It has *nothing* to do with security.  Take it to alt.i.hate.bush.
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


Re: [Full-Disclosure] waa waa (was Finally the truth slips out)

2004-08-06 Thread Barry Fitzgerald
Paul Schmehl wrote:
No, it's not excellent.  There are tons of places on the web to spread 
this crap.  This is not one of them.

And why does this have anything to do with security? Well a few things
come to mind.
It has *nothing* to do with security.  Take it to alt.i.hate.bush.
Normally, I'd agree...
However, in this case an argument can be made.  Bush's intentions when 
signing laws do have an effect on security.  As does the current 
security condition of the electoral process.

If people can post about the status of government computer security and 
on legislation relating to security, then they can also comment on the 
motivations of those actions.

Just because you don't like its content, doesn't negate the value of 
the message.

  -Barry
p.s. Security has been a primary issue during Bush's presidency.  I find 
it odd how people can claim that discussion of this administration's 
impact on security should be removed -- whichever way someone falls on 
the political spectrum.




Re: [Full-Disclosure] waa waa (was Finally the truth slips out)

2004-08-06 Thread Jason

Paul Schmehl wrote:
[...]
FD is slow today...

Excellent to see this posted, it was more of an appointment wasn't it :-)
No, it's not excellent.  There are tons of places on the web to spread 
this crap.  This is not one of them.
I think you are just upset because it hurts your Texan Pride that the 
best representative of the Lone Star State is an internationally 
recognized tool that was effectively appointed to office. How much 
better would the international perception of a Texan be without that 
appointment?


And why does this have anything to do with security? Well a few things
come to mind.
It has *nothing* to do with security.  Take it to alt.i.hate.bush.
It most certainly does :-)
An administration pushing electronic voting run on platforms widely 
recognized as insecure that were developed by a company openly 
interested in a specific election outcome. This combination provides 
little to no motivation to develop secure voting systems and I suspect 
it will soon become a public issue having to be handled like the rest of 
the large corporations that feel they are beyond the public good. This 
is why Full-Disclosure is good and the proper forum.

I don't hate him at all, I would prefer him as the commissioner of 
baseball instead of the leader of the US but that is a different story.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
^^^
See what I mean


Re: [Full-Disclosure] waa waa (was Finally the truth slips out)

2004-08-06 Thread Gary E. Miller

Yo Paul!

On Fri, 6 Aug 2004, Paul Schmehl wrote:

 It has *nothing* to do with security.  Take it to alt.i.hate.bush.

You are 100% right.  Bush's actions have absolutely no relationship
to security at all.  So why does Bush keep babbling that they do?

RGDS
GARY
- ---
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
[EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676



Re: [Full-Disclosure] waa waa (was Finally the truth slips out)

2004-08-06 Thread John Creegan
I thought this list was originally meant to focus primarily on computer 
hardware/software types of security issues.  Malware, discovered exploitables, etc.

 Barry Fitzgerald [EMAIL PROTECTED] 08/06/04 03:05PM 
Paul Schmehl wrote:

 No, it's not excellent.  There are tons of places on the web to spread 
 this crap.  This is not one of them.

 And why does this have anything to do with security? Well a few things
 come to mind.

 It has *nothing* to do with security.  Take it to alt.i.hate.bush.


Normally, I'd agree...

However, in this case an argument can be made.  Bush's intentions when 
signing laws do have an effect on security.  As does the current 
security condition of the electoral process.

If people can post about the status of government computer security and 
on legislation relating to security, then they can also comment on the 
motivations of those actions.

Just because you don't like its content, doesn't negate the value of 
the message.

   -Barry

p.s. Security has been a primary issue during Bush's presidency.  I find 
it odd how people can claim that discussion of this administration's 
impact on security should be removed -- whichever way someone falls on 
the political spectrum.





[Full-Disclosure] Anyone know IBM's security address?

2004-08-06 Thread Michael Scheidell
Have a vulnerability in an IBM product.

sent alert to [EMAIL PROTECTED] [EMAIL PROTECTED] and [EMAIL PROTECTED], all three 
bounced.
Can anyone tell me the official address or procedure to notify IBM?

-- 
Michael Scheidell
SECNAP Network Security
561-999-5000 x 1131
www.secnap.com



[Full-Disclosure] Re: Anyone know IBM's security address?

2004-08-06 Thread Jedi/Sector One
On Fri, Aug 06, 2004 at 05:11:19PM -0400, Michael Scheidell wrote:
 Have a vulnerability in an IBM product.
 sent alert to [EMAIL PROTECTED] [EMAIL PROTECTED] and [EMAIL PROTECTED], all three 
 bounced.
 Can anyone tell me the official address or procedure to notify IBM?

  For AIX-related flaws, the contact is [EMAIL PROTECTED]
  
  For other products... good luck. I also have a vulnerability in an IBM
product but I wasn't able to get in touch with anyone.

  Online forms told me to call a number that is unreachable outside USA.
  
  The AIX security officer told me he would find the right contact but I
never got anything else since.

-- 
 __  /*-Frank DENIS (Jedi/Sector One) j at 42-Networks.Com-*\  __
 \ '/a href=http://www.PureFTPd.Org/; Secure FTP Server /a\' /
  \/  a href=http://www.Jedi.Claranet.Fr/; Misc. free software /a  \/



Re: [Full-Disclosure] Re: Anyone know IBM's security address?

2004-08-06 Thread Thomas Loch
Post all unheard reports PUBLICLY (e.g. here)! When everyone has heard 
everything, someone will do something 

On Friday 06 August 2004 23:42, Jedi/Sector One wrote:
 On Fri, Aug 06, 2004 at 05:11:19PM -0400, Michael Scheidell wrote:
  Have a vulnerability in an IBM product.
  sent alert to [EMAIL PROTECTED] [EMAIL PROTECTED] and [EMAIL PROTECTED], all three
  bounced. Can anyone tell me the official address or procedure to notify
  IBM?

   For AIX-related flaws, the contact is [EMAIL PROTECTED]

   For other products... good luck. I also have a vulnerability in an IBM
 product but I wasn't able to get in touch with anyone.

   Online forms told me to call a number that is unreachable outside USA.

   The AIX security officer told me he would find the right contact but I
 never got anything else since.



Re: [Full-Disclosure] waa waa (was Finally the truth slips out)

2004-08-06 Thread Valdis . Kletnieks
On Fri, 06 Aug 2004 15:39:45 CDT, John Creegan [EMAIL PROTECTED]  said:

 I thought this list was originally meant to focus primarily on computer
 hardware/software types of security issues.  Malware, discovered exploitables,
 etc

OK, you need a tie-in to computers?  Go read up on CALEA and friends, and
remember that just because the Clipper chip got shot down doesn't mean they
won't try again





RE: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards

2004-08-06 Thread Dana Hudes
As I understand it a PIN Card is a card with an EEPROM on it that
contains a PIN.  Possibly encrypted but it's the same effect as any other 
file. The host decides if the PIN matches. 

A smart card has onboard microprocessor with software that includes 
encryption support (in my day it was DES). The reader presents the PIN to 
the card and the *card* not only can authenticate but also provide 
authorization information (or any other supplementary response,
such as not just a PGP key pair (i.e. the secret and public keys) but the 
user's keyring as well). Even more interesting and useful is the use of 
this card to run algorithms to provide one-time pad ciphers. 
While you could do that host-based from a regular EEPROM card it requires 
that the host know the pad selection algorithm.




 On Fri, 6 Aug 2004 [EMAIL PROTECTED] wrote:

 
 Guys...
 
 RSA has been doing PIN cards for ages...I don't get the hangup on 
 SmartCards vs plain old something you have/something you know two factor
 
 http://www.rsasecurity.com/node.asp?id=1311
 
 Cost of entry/ownership is nothing remotely close to the $1000 you mention 
 Lyal...in fact, it's under 1/10 of that on a per seat basis...
 
 Why get hung up on it being a smartcard, when you can do two factor with a 
 much lower entry cost and do it, frankly, easier?
 
 Bart Lansing
 Manager, Desktop Services
 Kohl's IT
 
 
 [EMAIL PROTECTED] wrote on 08/05/2004 08:45:33 PM:
 
  This exposure, of PIN compromise, is generic in all smartcard products today,
  unless a dedicated PINpad or biometric-sensor equipped readers are used -
  putting cost of ownership towards $1000 in some cases.
  PC/SC doesn't help - as a data interface API spec, it excludes human
  interface aspects.  STIP (Small Terminal Interoperability Platform at
  www.stip.org) moves in this direction, but has evolved into many variants to
  interoperate with proprietary vendors and proprietary industry standards.
  
  The challenges in putting biometric sensors or PINpads onto cards include
  the need to conform to ISO 7816 for form factor, physical resilience etc,
  and that the cards are unpowered.  Or, someone redesigns the entire
  form-factor, user interface model, portability and business model -
  something that has previously failed to go anywhere.
  
  Something like a mobile phone or PDA is a good compromise tool to this
  overall exposure, imho.
  
  Lyal
  
  
  
  -Original Message-
  From: Kevin Sheldrake [mailto:[EMAIL PROTECTED] 
  Sent: Thursday, 5 August 2004 8:39 PM
  To: Toomas Soome; [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
  [EMAIL PROTECTED]
  Subject: Re: [Full-Disclosure] Clear text password exposure in Datakey's
  tokens and smartcards
  
  
  Surely if the user is entering a passphrase then the same problem exists -
  that of effectively eavesdropping that communication from the keyboard?
  
  Ignoring the initial expense for a moment, wouldn't it have made a lot of
  sense to include the keypad actually on the cards?  Obviously, card
  readers would need to be constructed such that the keypad part of the card
  would be exposed during use.  The keypad security could then rely on the
  tamper resistant properties of the rest of the card.
  
   From a costs perspective, I would guess that the actual per-card cost
  increase would be minimal if hundreds of millions of these cards were
  produced.
  
  Kev
  
  
   Lionel Ferette wrote:
  
   Note that this is true for almost all card readers on the market, not
   only for Datakey's. Having worked for companies using crypto smart
   cards, I have conducted a few risk analyses about that. The conclusion
   has always been that if the PIN must be entered from a PC, and the
   attacker has means to install software on the system (through directed
   viruses, social engineering, etc), the game's over.

   The only solution against that problem is to have the PIN entered
   using a keypad on the reader. Only then does the cost of an attack
   rise significantly. But that is opening another can of worms, because
   there is (was?) no standard for card readers with attached pin pad (at
   the time, PC/SCv2 wasn't finalised - is it?).
  
  
   at least some cards are supporting des passphrases to implement secured
   communication channels but I suppose this feature is not that widely in
   use  how many card owners are prepared to remember both PIN codes
   and passphrases...
  
   toomas
  
  
  
  
  
  -- 
  Kevin Sheldrake MEng MIEE CEng CISSP
  Electric Cat (Bournemouth) Ltd
  
  
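The distinction drawn in this thread (host-checked PIN card, card-checked smart card, and PIN entry on the PC versus on the reader's keypad), modelled as an added example that is not part of any poster's message. The class names, the 3-try limit, the sample PIN and the use of HMAC-SHA256 in place of the card's cipher are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class MemoryPinCard:
    """EEPROM-only 'PIN card': no processor, so the host reads the record."""
    def __init__(self, pin: str):
        self._record = pin.encode()

    def read_record(self) -> bytes:
        return self._record


class SmartCard:
    """Card with its own processor: checks the PIN itself, key stays on-card."""
    MAX_TRIES = 3  # assumed retry limit, not taken from the thread

    def __init__(self, pin: str, key: bytes):
        self._pin, self._key = pin.encode(), key
        self._tries_left, self._unlocked = self.MAX_TRIES, False

    def verify(self, pin: bytes) -> bool:
        if self._tries_left == 0:
            return False  # a blocked card stays blocked, even for the right PIN
        self._unlocked = hmac.compare_digest(pin, self._pin)
        self._tries_left = self.MAX_TRIES if self._unlocked else self._tries_left - 1
        return self._unlocked

    def respond(self, challenge: bytes) -> bytes:
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        # HMAC-SHA256 stands in for the card's cipher (the thread mentions DES).
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def host_view(scenario: str, pin: str = "4921") -> dict:
    """Run one login; report which secrets passed through the PC's software."""
    seen = []  # every byte string the host handled, i.e. what malware could log
    if scenario == "memory_card":
        card_secret = pin.encode()
        card = MemoryPinCard(pin)
        typed = pin.encode()
        stored = card.read_record()
        seen += [typed, stored]
        ok = hmac.compare_digest(typed, stored)  # the host decides
    elif scenario in ("smartcard_pc_keyboard", "smartcard_pinpad"):
        card_secret = os.urandom(16)
        card = SmartCard(pin, card_secret)
        if scenario == "smartcard_pc_keyboard":
            seen.append(pin.encode())  # PIN typed on the PC, then sent to card
        ok = card.verify(pin.encode())  # pinpad case: reader -> card directly
        challenge = os.urandom(16)
        seen += [challenge, card.respond(challenge)]
    else:
        raise ValueError(f"unknown scenario: {scenario}")
    return {"ok": ok,
            "pin_exposed": pin.encode() in seen,
            "card_secret_exposed": card_secret in seen}


if __name__ == "__main__":
    for s in ("memory_card", "smartcard_pc_keyboard", "smartcard_pinpad"):
        print(s, host_view(s))
```

Only the PIN-pad scenario keeps both the PIN and the card's secret out of the host's view, which is the cost/benefit trade-off the posters are arguing over.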

Re: [Full-Disclosure] Re: MS04-025 - Ignorance is truly bliss....

2004-08-06 Thread hellNbak


On Fri, 6 Aug 2004, Georgi Guninski wrote:

 you respect hellNbak?
 please stop smoking bad stuff ;)

Well your sister respected me very nicely for a price of course but
what's $.50

Let old dogs lie Georgie Peorgie...



RE: [Full-Disclosure] waa waa (was Finally the truth slips out)

2004-08-06 Thread David J. Weaver
The Electoral College votes the President into office, and they are not tied
to the popular vote.

Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, August 06, 2004 12:31 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] waa waa (was Finally the truth slips out) 

On Sat, 07 Aug 2004 00:16:46 +1000, Sean Crawford [EMAIL PROTECTED]
said:

 Who elected this guy???.*grin*

The Supreme Court. :)



RE: [Full-Disclosure] antisemtism, FD and bandwidth - what I want out of it

2004-08-06 Thread Bryan K. Watson
Gadi Evron said:
I want our ideology to be respected and successful. Not a waste of time.

Hear, hear!  I agree, was just about to feed another political troll and saw
your post.

How about a new kind of listserver/board that uses a cloudmark or
http://www.herbivore.us/ type of spam ranking where the group as a whole
decides what is allowed and what is not?

...some genius here with too much time and a vault of Jolt Cola could come
up with something.

So when I go on some discussion about Fortigate versus Netscreen that
contains no disclosure of vulns...you all could just rank me
accordingly!...Maybe set a flag on the email header so that we can all
filter according to our tastes.

Cheers,

-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Bryan K. Watson   -   InfoSec Consultant
- [EMAIL PROTECTED]




RE: [Full-Disclosure] SP is here (soon) !

2004-08-06 Thread joe
XP SP2 Final is up on MSDN Downloads for the MSDN Subscribers. English and
German as of right now. 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marc Rees
Sent: Friday, August 06, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] SP is here (soon) !

Go to :
http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default810.mspx

I'm French. So I select France in country section. And select Windows XP
SP french CD in language section. Last click on Order now.

Microsoft VBScript compilation  error '800a03f6' Expected 'End'
?, line 0'

Someone needs SP3 ;)

Marc Rees
www.acbm.com




Re: [Full-Disclosure] Re: Anyone know IBM's security address?

2004-08-06 Thread jmpascual

what kind of products? informix? db2?

Best regards



On Fri, 6 Aug 2004, Jedi/Sector One wrote:

 On Fri, Aug 06, 2004 at 05:11:19PM -0400, Michael Scheidell wrote:
  Have a vulnerability in an IBM product.
  sent alert to [EMAIL PROTECTED] [EMAIL PROTECTED] and [EMAIL PROTECTED], all three 
  bounced.
  Can anyone tell me the official address or procedure to notify IBM?
 
   For AIX-related flaws, the contact is [EMAIL PROTECTED]
   
   For other products... good luck. I also have a vulnerability in an IBM
 product but I wasn't able to get in touch with anyone.
 
   Online forms told me to call a number that is unreachable outside USA.
   
   The AIX security officer told me he would find the right contact but I
 never got anything else since.
 
 



[Full-Disclosure] Re: Anyone know IBM's security address?

2004-08-06 Thread troy
Quoting Michael Scheidell ([EMAIL PROTECTED]):
 sent alert to [EMAIL PROTECTED] [EMAIL PROTECTED] and [EMAIL PROTECTED], all
 three bounced.  Can anyone tell me the official address or procedure
 to notify IBM?

Try [EMAIL PROTECTED]

-- 
Troy Bollinger [EMAIL PROTECTED]
Network Security Analyst
PGP keyid: 1024/0xB7783129
Troy's opinions are not IBM policy



RE: [Full-Disclosure] waa waa (was Finally the truth slips out)

2004-08-06 Thread Aditya, ALD [Aditya Lalit Deshmukh]
please keep politics out of this list, this need is not limited to usa 



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of igotroot
 Sent: Friday, August 06, 2004 6:23 PM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: [Full-Disclosure] waa waa (was Finally the truth slips out)
 
 
 We all make mistakes when we speak, and things come out wrong
 sometimes. It's called a mistake! This isn't a political mailing list
 you dumb hippy. Your weak tree hugger political opinions mean nothing.
 Go vote for nader and get my boy GWB elected again, thx!
 
 (GWB  you  every other liberal tard)
 
 thanks and goodnight ill be here for the next 4 years :;;::;:;))
 
 Hello,
 
 From the White House website:
 http://www.whitehouse.gov/news/releases/2004/08/20040805-4.html
 
 G. W. Blush, at the signing of a defense appropriations bill, fourth 
 paragraph from the bottom:
 
 Our enemies are innovative and resourceful, and so
 are we. They never stop thinking about new ways to harm
 our country and our people, and neither do we
 
 Finally the truth slips out: GWB and UBL work towards the same goal. 
 Credit for the discovery goes to USENET group rec.aviation.military.
 