RE: [Full-Disclosure] How big is the danger of IE?

2004-07-11 Thread Curt Purdy
Nick FitzGerald wrote:
>http://www.kb.cert.org/vuls/id/713878
>
>...
>
>Use a different web browser

Thanks for the link Nick.  I've been telling everyone for months,
securityfocus told us a few weeks ago and now CERT is telling us - run,
don't walk and download FireFox as quickly as you can click.  Also a few of
the extensions are real productivity improvers, although FireSomething does
steal a few seconds every day ;)

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] RE: Unchecked buffer in mstask.dll

2004-07-15 Thread Curt Purdy
Nick FitzGerald wrote:
> > I'd say that's because you changed the filetype; pif files simply
> > contain information on how to handle a DOS executable; they aren't a
> > program themselves. All you did was make it get confused and kill
> > itself.
>
> Yeah, but how long is it now since we've been telling programmers
> "don't trust user-supplied data"??  (H -- does it also fail on
> W2K3??)

No, in W2K3 you get "Cannot query the properties for this program. There may
not be enough memory available. blah blah" as opposed to 100% cpu in 2K.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity adviser Richard Clarke



RE: [ok] [Full-Disclosure] RE: Unchecked buffer in mstask.dll

2004-07-16 Thread Curt Purdy
Dmitry Yu wrote:
> > Being curious, on Win2k, I copied cmd.exe (from
> winnt\system32) as xyz.pif;
> > then (right-click) Properties, Program crashes explorer. Is
> this related to
> > IconHandler, and is it exploitable?
>
>   Disassembly window shows that there was an attempt to read dword
> at [EAX] (EAX=0).  So at first glance this doesn't seem to be
> trivially
> exploitable, but I'm not a win32 expert, and intuition
> suggests that there
> must be a way.

One possible exploit is to simply place the file on your desktop.
explorer.exe goes to 100% cpu.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity adviser Richard Clarke



RE: [ok] [Full-Disclosure] Possible Virus/Trojan

2004-07-25 Thread Curt Purdy
Todd Towles wrote:
> I received an e-mail today that looked very much like a virus. Here is the message
>
> Attachment - erupts.avi.exe
>
> Subject - New Southern California wildfire erupts.
>
> Either this is a new Trojan that changes its body and subject based on the current AP news or someone
> used a very lame trick against me. =)

I'm guessing the latter.  Although story scraping would be
possible, intelligent naming of the .exe would not be.  Most likely a
friend... or enemy.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity adviser Richard Clarke



RE: [ok] Re: [Full-Disclosure] Cry For help

2004-07-25 Thread Curt Purdy
Abilash Praveen wrote:
> whats this about?
> - Original Message - 
> From: "g0bb13s" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, July 25, 2004 12:58 PM
> Subject: [Full-Disclosure] Cry For help
> 
> 
> > Good sirs and madames,


It's a 419 scam parody.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked. 
What's more, you deserve to be hacked.
-- former White House cybersecurity adviser Richard Clarke  



RE: [ok] [Full-Disclosure] RE: [Full-Disclosure]MS should re-write code with security in mind

2004-08-18 Thread Curt Purdy
Clairmont, Jan M wrote:
> M$ should just bite the bullet and re-write windows with 
> security in mind, give it a true process scheduler, multi-user
> with windows as a client server processes.


It ain't gonna happen.  There is so much legacy code, dating all the way
back to NT 3.5, in 2K/XP that no-one really knows how it works.  Of course,
that is the beauty of open-source, lots of people know how Linux works.  

Of course you don't have to be open-source to be secure, as Netware was
always built with security in mind.  Novell engineers have a saying, "We
patch Netware twice a year whether it needs it or not."  I hate to see it
go.  I love SuSE linux, am running the 64-bit version on AMD, but I wish
they were keeping the Netware kernel also, for my security-critical clients.
Sadly, the days of not having to run around patching servers all the time
will be gone after Netware 7.

BTW, when I have to run windows (rarely), I start a VMWare session under
SuSE, do what I need, and close it out as quickly as possible, after checking
for patches of course ;)

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked. 
What's more, you deserve to be hacked.
-- former White House cybersecurity adviser Richard Clarke 

RE: [in] Re: [Full-Disclosure] Will a vote for John Kerry be counted by a Hart InterCivic eSlate3000 in Honolulu?

2004-10-21 Thread Curt Purdy
 
Exibar wrote:
> The question comes to mind... why oh why did you cast your 
> vote for  Kerry?
> I guess you want the US to be policed and governed by the UN. 
>  I guess you want 


Though in danger of starting a flame war...

Exibar, Dude! You've fallen head over heels for the Republican brain-washing
line.  There might be a lot about John Kerry you don't like, like his
honesty, forthrightness, and straight-forward talking.  But I will never
vote for a President that has coldly lied to his people.  And I am one of
those people Bush has bold-facedly lied to.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer 
DP Solutions

-

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke



Re: [Full-Disclosure] EULA

2003-09-09 Thread Curt Purdy
Actually, failure to achieve compliance with HIPAA could find hospital
executives and physicians facing fines of up to $25,000. Certain criminal
violations could cost individuals and organizations $250,000 and up to 10
years in jail.  This is quoted out of more than one reference.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
[EMAIL PROTECTED]
936.637.7977 ext. 121



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Gregory A.
Gilliss
Sent: Tuesday, September 09, 2003 5:13 PM
To: [EMAIL PROTECTED]
Subject: [inbox] Re: [Full-Disclosure] EULA


Okay, this is from my girlfriend, so flame her if it's wrong :-)

Basically, a HIPAA compliant hospital/practice/etc. that is found to be
in violation of, say, the regs on software change control, can be fined
up to US$ 10,000 per violation. I would guess that that *could* be construed
as "per personal computer" if they wanted to be dicks about it...

But, it gets better...if the hospital/practice/etc that has been
inspected and cited doesn't comply with the violated HIPAA regs,
they can be closed down.  BAM!  In practice I do not think that this has
happened (yet) because the whole HIPAA thing is so new. However if you
look at it from the security perspective, I expect that M$ legal will be
amending their existing EULA for health care providers as soon as they read
about this...

G

On or about 2003.09.09 14:08:04 +, David Hayes ([EMAIL PROTECTED])
said:

> So, if a HIPAA site uses Windows and accepts the SP3 EULA, they're
> screwed.  If a HIPAA site uses Windows and does not accept the SP3
> EULA, they're screwed.
>
> Logical conclusion, if a HIPAA site uses Windows, they're screwed.
> Thus they should use a different OS?
>
> --
> David Hayes    Network Security Operations Center    MCI Network Svcs
> email: [EMAIL PROTECTED]  vnet: 777-7236 voice: 972-729-7236
>
>
> On Mon, Sep 08, 2003 at 01:13:21PM -0400, [EMAIL PROTECTED] wrote:
> > On Mon, 08 Sep 2003 08:43:14 PDT, D B <[EMAIL PROTECTED]>  said:
> >
> > > does the EULA of Microsoft violate lawyer client
> > > privilege . as in  if my lawyer is using windows
> > > is he violating my rights
> >
> > I can't speak for the legal profession, but the SP3 EULA (the one where
> > you agree to allow Microsoft to install, without warning or notification,
> > anything labeled a "security patch", even if it breaks 3rd party software),
> > is known to be very bad mojo for sites covered by HIPAA, because it cedes
> > software change control.
> >
> > Of course, if you fail to agree to the EULA and you're a HIPAA site,
> > you're still screwed because then you can't install post-SP3 patches.
> >
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
Gregory A. Gilliss       Telephone: 1 650 872 2420
Computer Engineering     E-mail: [EMAIL PROTECTED]
Computer Security        ICQ: 123710561
Software Development     WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3



RE: [Full-Disclosure] Security firm Symantec has rubbed subscribers to the Full-Disclosure mailing list the wrong way

2003-09-16 Thread Curt Purdy
Yes, in this time of the "Busch"wackers, it is all too easy for the gov'ment to rob us of our
freedom.  And unfortunately there are far too many corporate types ready to
take advantage of that in the name of the almighty buck. Wired is cool
though.  They went on to say "He did not say, though, how legislators would
determine the difference between malicious information and that used for
legitimate security research, or whether such a law might compromise freedom of
speech."

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Geoff Shively
Sent: Monday, September 15, 2003 4:40 PM
To: [EMAIL PROTECTED]
Subject: [inbox] [Full-Disclosure] Security firm Symantec has rubbed
subscribers to the Full-Disclosure mailing list the wrong way


"Security firm Symantec has rubbed subscribers to the Full-Disclosure
mailing list the wrong way due to a quote attributed to its chief
operating officer, John Schwarz. In a Wired story titled "Just Say No
to Viruses and Worms", Schwarz was quoted as calling for laws to make it a
criminal offence to share information and tools online which could be used by
malicious hackers and virus writers."
http://www.smh.com.au/articles/2003/09/12/1063268553158.html

Cheers,
Geoff Shively, CTO
PivX Solutions, LLC

Are You Secure?
http://www.pivx.com


Re: [Full-Disclosure] What about astalavista.net

2003-09-25 Thread Curt Purdy
They are two virtual servers on the same box.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jordan Wiens
Sent: Thursday, September 25, 2003 8:27 AM
To: GARCIA Lionel
Cc: Full-Disclosure (E-mail)
Subject: [inbox] Re: [Full-Disclosure] What about astalavista.net


Dunno, but I sure hope it's more than just a pretty frontend to:

http://astalavista.box.sk/

Because that would be a rip if so.

--
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061

On Thu, 25 Sep 2003, GARCIA Lionel wrote:

> Hi,
>
> This may be a little out of subject, but I'm looking for experiences on
> www.astalavista.net.
> Subscription is $29 for a 6 months access, and I'm wondering if it's worth
> it and if I should ask my hierarchy to spend bucks in it.
>
> Thanks by advance.
>
> Lionel GARCIA
>



RE: [inbox] [Full-Disclosure] DoS of Antivir Gateways with huge amount of attachments with same name

2003-09-25 Thread Curt Purdy
Yes, very interesting Helmut.  In fact this has been an interesting month
for email admins with both sobig and swen.  Swen hosed up our Postfix server
with millions of messages to newsgroups, had to end up manually blocking
them.  Please keep us abreast of your results when you figure out which AV
it was.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Helmut
Hauser
Sent: Wednesday, September 24, 2003 12:42 PM
To: [EMAIL PROTECTED]
Subject: [inbox] [Full-Disclosure] DoS of Antivir Gateways with huge
amount of attachments with same name


We got an E-Mail yesterday from one of our customers.
It had 291 (!) base64 coded attachments which caused our antivirus gateway
to fail.
Further investigation of this mail shows that there were saved html pages
with all pictures saved separately so there were 7 times the same picture(s)
in this mail with the same filename(s).
We have different Antivirproducts working together and one of them (still
can't figure out which one) has been fooled by the same filename(s) and
caused the gateway to fail. Very interesting.



Helmut Hauser
Systemadministration EDV

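An added example, not part of Helmut's report or Curt's reply, of the kind of pre-scan sanity check a mail gateway can apply before handing a message to its AV engines: it constructs a multipart message with 291 base64 attachments whose filenames repeat (the shape described above) and flags it on attachment count and on duplicate names, so the engines never have to unpack it. The thresholds MAX_ATTACHMENTS and MAX_SAME_NAME are assumed policy values, not anything from the thread, and the attachment bytes and addresses are made up.

```python
"""Pre-scan check for a mail gateway: reject messages with an absurd number
of attachments, or many parts sharing one filename, before any AV engine
has to unpack them.  Added example; thresholds and sample data are assumed."""
from __future__ import annotations

from collections import Counter
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed policy thresholds (not from the original report).
MAX_ATTACHMENTS = 50   # more parts than this is rejected outright
MAX_SAME_NAME = 3      # more than this many parts with one filename is suspicious


def build_message(n_parts: int, distinct_names: int) -> bytes:
    """Construct a test message with n_parts base64 image attachments whose
    filenames cycle through distinct_names values.  Constructed sample data:
    with n_parts=291 and distinct_names=42 each name recurs six or seven
    times, like a saved web page with its images attached over and over."""
    msg = EmailMessage()
    msg["From"] = "customer@example.com"
    msg["To"] = "support@example.net"
    msg["Subject"] = "saved web pages"
    msg.set_content("see attached")
    for i in range(n_parts):
        name = f"image{i % distinct_names:02d}.gif"
        payload = b"GIF89a" + bytes([i % 256]) * 64  # fake image body
        # add_attachment base64-encodes binary payloads by default
        msg.add_attachment(payload, maintype="image", subtype="gif", filename=name)
    return msg.as_bytes()


def attachment_summary(raw: bytes) -> tuple[int, Counter[str]]:
    """Parse a raw RFC 5322 message; return (attachment count, filename counts)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    names: Counter[str] = Counter()
    count = 0
    for part in msg.iter_attachments():
        count += 1
        names[part.get_filename() or "<unnamed>"] += 1
    return count, names


def check_message(raw: bytes) -> list[str]:
    """Return policy findings for a message; an empty list means it may go
    on to the AV engines."""
    count, names = attachment_summary(raw)
    findings: list[str] = []
    if count > MAX_ATTACHMENTS:
        findings.append(f"too many attachments: {count} > {MAX_ATTACHMENTS}")
    dupes = {n: c for n, c in names.items() if c > MAX_SAME_NAME}
    if dupes:
        worst = max(dupes.values())
        findings.append(f"{len(dupes)} filenames repeated, up to {worst} times each")
    return findings


if __name__ == "__main__":
    print(check_message(build_message(291, 42)))  # two findings
    print(check_message(build_message(3, 3)))     # []
```

The check runs on the parsed structure only and never decodes the attachment bodies, which is the point: a message that trips it costs the gateway a header walk, not 291 base64 decodes and scans.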


RE: [Full-Disclosure] CyberInsecurity: The cost of Monopoly

2003-09-27 Thread Curt Purdy
I think we have lost the point of the thread CyberInsecurity: The Cost of
Monopoly which states your exact point that diversity is the most important
aspect of network protection.  It clearly states, and I agree, that
Microsoft has been the biggest danger to that diversity by creating a
monolithic Tower of Babel that could all come crashing down at the
displacement of a single foundation stone.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rick
Kingslan
Sent: Saturday, September 27, 2003 11:02 AM
To: '*Hobbit*'; [EMAIL PROTECTED]
Subject: [inbox] RE: [Full-Disclosure] CyberInsecurity: The cost of
Monopoly


Wouldn't this have been better posted in alt.religious?

And, to wit - working in a completely homogenous environment with Microsoft
products, Red Hat, AIX, Tandem, much custom written apps, and the platform
chosen for the best APPLICATION fit (remember - it doesn't really matter if
you prefer Linux if the business drivers DICTATE an APP that only runs on
Windows, and CygWin, wine, etc. are not options), I think I can speak to
both sides of the argument.

BTW - Don't care about certs

Do I personally feel like I've wasted 10+ years of MY life?  No - absolutely
not.

Do I take PRIDE in my WORK? Absolutely yes.  Working to integrate and
interoperate disparate platforms and OSs to provide a cohesive Business
solution is both challenging and enlightening.  One learns the best of both
worlds - and is not hobbled by prejudice and raw hate for a given product or
company.  (However, SCO is on the real strong dislike list.)

Would I change?  Nope - I like flexibility and the ability to choose a
solution based on what the requirements are - not because someone has
dictated a given OS is the only one we support.  That thinking would have
kept Linux out of our environment, and there would be more MS product.

I'm also not so hard headed to realize that diversity is a good thing - in
computing, and in life.

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of *Hobbit*
Sent: Friday, September 26, 2003 7:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] CyberInsecurity: The cost of Monopoly

I gotta love how all the Microsoft victims get all defensive when someone
implies that they've spent the last decade+ ruining their own careers and
wasting time running in tiny circles getting pretty much nowhere.

Do you guys honestly take PRIDE in your WORK??  What, and tacking MCS* after
your name doesn't count, have you actually ACCOMPLISHED?  How would things
be different today if you had spent all that time helping to bring
open-source up to today's level of expected functionality and designing the
future, instead of scratching your heads late at night over obscurely ailing
Exchange servers and service packs that broke all your apps?  Why won't you
admit to yourselves that in the big picture, you could have gone a different
and more rewarding way, if you'd only started out right so long ago?  If you
were given a second chance now, would you change?

** THINK ABOUT IT. **

_H*



[Full-Disclosure] Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly)

2003-09-28 Thread Curt Purdy
When we get this far off-topic, how about putting up a new subject line with
a was:

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Paul Schmehl
Sent: Sunday, September 28, 2003 12:20 PM
To: Full Disclosure
Subject: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of
Monopoly


--On Sunday, September 28, 2003 8:14 AM -0400 Karl DeBisschop
<[EMAIL PROTECTED]> wrote:
>
> Crunchy shell, soft-chewy insides?
>
I don't think "we" as a "security community" have even begun to tackle this
problem.  We talk about it, but who is *really* doing it?  For example, if
you want to network machines you *have* to use SMB/NetBIOS for Windows, NFS
for Unix, CIFS, or something similar.  Who is really looking at how to be
secure while still allowing internal machines to talk to each other?
Certainly none of the above protocols qualify as secure.

When a machine is problematic, for whatever reason, the usual reaction is
"block it at the firewall".  But that doesn't protect that machine from
*other* internal machines.  It only protects it from the outside.  Oh, you
might have a firewall that cordons off accounting from the rest of the
enterprise, but *inside* accounting, you still have the "soft, chewy"
problem.

I haven't really seen anything that addresses this problem, and I'm not
aware of anyone who is working on solving it.  For the most part security
thinking is still in the middle ages - build a castle with moats and outer
defensive rings, and staggered entrances to make it hard for the enemy to
get it.  Once he gets in, what does current security thinking offer?  Not
much.

What we need is a paradigm shift in thinking.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu



RE: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly

2003-09-28 Thread Curt Purdy
I wasn't referring to the SMB community, but IMHO even they will be choosing
simplicity (don't think I've ever used that term with Microsoft considering
their use of a registry as one example) over security that will someday bite
them in the butt. The paper was referring to the government and society in
general.  Even medium businesses and larger better get their head out.

One of my standard rec's after auditing Windows networks is to go to Netware
or UNIX on the server side and Linux on the client-side.  With Open Office
and Crossover, 90% of Windows can be eliminated while introducing a MUCH
more secure networking environment.

The following sentence from the work cannot be argued and it applies to
networks as well, "In the broadest sense, economic diversification is as
much the hallmark of free societies as monopoly is the hallmark of central
planning."  And we all better wake up and see that Microsoft is the "central
planner" here and Bill Gates is Big Brother.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Florian
Weimer
Sent: Sunday, September 28, 2003 3:21 AM
To: Curt Purdy
Cc: 'Rick Kingslan'; '*Hobbit*'; [EMAIL PROTECTED]
Subject: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of
Monopoly


On Sat, Sep 27, 2003 at 01:12:01PM -0500, Curt Purdy wrote:

> I think we have lost the point of the thread CyberInsecurity: The Cost of
> Monopoly which states your exact point that diversity is the most important
> aspect of network protection.

I often hear such claims, but I'd rather see companies to allocate
adequate resources to deal with a uniform computing environment.
Currently, most companies with such an environment do not deploy *any*
countermeasures.  There was a wide range of options to counter the
recent malware waves, yet many organizations did nothing.

Diversity is good, sure, but unless you can afford the costs of a
workforce which is equally skilled on very diverse platforms, you just
make things worse.

Furthermore, some aspects of diversity are already creating huge
problems, e.g. mobile devices which are not configured according to
company guidelines, but are nevertheless connected to the company
network.



RE: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly

2003-09-28 Thread Curt Purdy
I must disagree.  When Netware has had one major security patch this year
vs. 39 for Microsoft, the quality of the platform becomes fundamental.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rodrigo
Barbosa
Sent: Saturday, September 27, 2003 3:36 AM
To: [EMAIL PROTECTED]
Subject: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of
Monopoly


On Fri, Sep 26, 2003 at 11:59:04PM -0600, Bruce Ediger wrote:
> On Fri, 26 Sep 2003, Rick Kingslan wrote:
> Oh, wait.  Apache has about 2 times the market share of IIS, and I'm
> still getting Code Red and Nimda hits TWO YEARS after they were released.
>
> By contrast, I only got about 2 days worth of hits from Slapper.

Ok, I'm all for opensource and stuff. But this kind of thing, like
still getting hit by code red (same here), speaks more about the
quality of the administrators than of the platform itself.

--
Rodrigo Barbosa <[EMAIL PROTECTED]>
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)




RE: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly

2003-09-30 Thread Curt Purdy
I suppose you're talking to me Georgi (notice the letters). Besides several
different flavors of W2K & W2K3 server (won't allow XP on my network, much
less my box), I have RedHat, Suse, FreeBSD, and Netware6.5 on my personal
server.

As for what happened to Dan Geer, I think it is despicable.  I am actually
less upset at Microsoft's pressure (what else would you expect from Uncle
Bill) as I am at @Stake selling out.  Whatever happened to that great crew
at L0pht Heavy Industries? Personally, I will never purchase another @Stake
product or service again.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Georgi
Guninski
Sent: Tuesday, September 30, 2003 6:31 AM
To: [EMAIL PROTECTED]
Subject: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of
Monopoly


[resending because of FD filter]
Knowing m$, i am not surprised by this accident.
This is just more FUD - you bash m$, you lose your job.

Question to the Microsoft Certified Solitaire Experts and similar crowd:
Is your freedom so cheap?

georgi


On Sat, 27 Sep 2003 00:43:36 + (GMT)
[EMAIL PROTECTED] (*Hobbit*) wrote:

> I gotta love how all the Microsoft victims get all defensive when someone
> implies that they've spent the last decade+ ruining their own careers
> and wasting time running in tiny circles getting pretty much nowhere.
>



RE: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly

2003-09-30 Thread Curt Purdy
NT4 SP2 was a nightmare.  Luckily I heard about it in the newsgroups the day
I planned on installing it on my ISP boxes (yes I run IIS, locked down, in
addition to Apache).  That taught me a lesson, and I now wait 48-72 hours
after release before installing any Microsoft service pack or hotfix, while
I observe Uncle Bill's guinea-pigs.

One of the things I love about *NIX is the stability.  FreeBSD 5.1 (I run on
my desktop) is more stable than any Microsoft .1 product ever hoped to be,
but the FreeBSD crew is still classifying 4.8 the production version (I run
on my servers).

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rodrigo
Barbosa
Sent: Tuesday, September 30, 2003 2:01 AM
To: [EMAIL PROTECTED]
Subject: Re: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of
Monopoly


On Mon, Sep 29, 2003 at 11:51:03PM -0500, Paul Schmehl wrote:
> >As some may recall, my original statement was an answer to someone that
> >was pointing out that Unix is more secure than Windows (I agree up to this
> >point), and gave an example telling that there are still several codered
> >vulnerable machines around. This is the point I was commenting about. And
> >you do have to agree that if a machine, today, is still vulnerable to
> >Codered, it is mostly due to a fault of the administrator.
> >
> I'm going to pick one small nit with you.  There is another possible guilty
> party.  In some cases, at least in edu and medical centers (that's what I'm
> familiar with) the *vendor* is at fault.  Some vendors will not certify
> their scientific instruments with the latest Service Packs and patches,
> leaving the admins no other choice but to find some other way to protect
> the machine.  (Hell, we sometimes have trouble getting vendors of
> *security* devices to support their products with the latest SPs and
> patches.  (Which is another reason that I dislike putting security-related
> software on Windows boxes, but sometimes you simply have no choice.)

I stand corrected.

I kind of remember something about a friend of mine (Win admin) installing
NT SP2 and it breaking MS-SQL server.

And yes, you are correct about vendors too.

So, simply put, we are doomed :)

- When the software gets a bugfix released, you can't install it because
of the vendor
- When you can install it regardless of the vendor, the net admin forgets
to install it
- When the net admin remembers to install it, the users mess up
- When the users don't mess up, the cleaning lady pulls the plug

Talk about trustworthy computing :)

[]s

--
Rodrigo Barbosa <[EMAIL PROTECTED]>
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)




Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly

2003-09-30 Thread Curt Purdy
It's one thing to sell-out for commerce, it's quite another to give up your
humanity by selling your soul to the devil, and basically that is what they
have done by throwing one of their own to the wolves.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of morning_wood
Sent: Tuesday, September 30, 2003 8:57 AM
To: Curt Purdy; 'Georgi Guninski'; [EMAIL PROTECTED]
Subject: Re: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of
Monopoly


>What ever happened to that great crew
> at L0pht Heavy Industries? Personally, I will never purchase another
@Stake
> product or service again.
>

sellouts, but then again... driving new BMW M8's are a bit better than
staying
tru-2-da-kr3w. I just wish they stopped giving crap advice to the masses
and start doing real work again ( hi Chris ).

morning_wood



Re: [Full-Disclosure] Spam with PGP

2003-10-08 Thread Curt Purdy
The answer to SPAM IMHO is filtering on the client side.  Our server filter
gets 80%+ of it but I still got 50+ SPAMs a day.  Since going to PopFile
proxy filter on my laptop (awesome & free @ sourceforge) I get maybe one a
week. It's based on Bayesian Theorem.  Not bad for a 15th Century monk ;)

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of MaX Flebus
Sent: Tuesday, October 07, 2003 6:52 PM
To: [EMAIL PROTECTED]
Subject: [inbox] Re: [Full-Disclosure] Spam with PGP


>  I remember hearing this is another method for bypassing spam filters.
>Apparently some filters will pass e-mail with PGP signatures thinking it
>is legitimate. It is an interesting concept, though.
>
>  I think my favorite is still the jpg in an html enabled e-mail with
>seemingly valid information and links that is actually a link to an xss or
>pr0n site. Spammers are starting to use better methodologies and soon
>filtering options will be almost impossible. I find it amusing to see what
>they will do next, though.
>
>-William

Well, this reminds us that a spam filter, although definitely a good
thing, is not the definitive solution, just like a firewall IMHO.
You can't bet too much on a purely automatic solution.
Anyway, again like firewalls, I'm not so pessimistic: completely
filtering out what you don't want could be, OK, impossible, but filtering
out almost all is what we really need.

MaX
-- www.flebus.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




RE: [inbox] Re: [Full-Disclosure] Spam with PGP

2003-10-08 Thread Curt Purdy
The jumbled letters at the end don't fool PopFile.  I think it actually
marks those as I haven't had one in months.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Senior Systems Engineer
Information Security Engineer
DP Solutions
[EMAIL PROTECTED]
936.637.7977 ext. 121



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke


On 07/10/2003 at 14:45, Jonathan A. Zdziarski wrote:

IMHO, bayesian filters are no panacea right now, many spams I get end
like this:

---8<---
ahdmf uvhuex qnzysthoa
r
 xdgmeqxqyawg
--->8---

And these nonsense "words" fool bayesian filters. And also do what Brian
Dinello pointed out.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
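The two posts above disagree on whether a tail of random "words" fools a Bayesian filter. The added example below (my own code, not PopFile's, with a constructed training corpus and constructed messages) implements Paul Graham-style naive Bayes scoring and shows why the answer depends on how tokens are combined: a filter that only combines the 15 most decisive tokens ignores the padding, while one that multiplies in every token is dragged toward ham by a long tail of unknown words.

```python
"""Naive Bayes spam scoring in the style of Paul Graham's "A Plan for Spam",
the scheme that PopFile-type filters build on. Added example, not PopFile's
code; the training corpus and the test messages are constructed."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$!']+")


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


class BayesFilter:
    """Per-token spam probabilities learned from labelled messages."""

    def __init__(self):
        self.spam_counts = Counter()   # token -> number of spam messages containing it
        self.ham_counts = Counter()    # token -> number of ham messages containing it
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text, is_spam):
        counts = self.spam_counts if is_spam else self.ham_counts
        for tok in set(tokenize(text)):
            counts[tok] += 1
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def token_prob(self, tok):
        """P(spam | token). A token never seen in training gets a neutral 0.4
        (Graham's value), so on its own it is only weak evidence."""
        s, h = self.spam_counts.get(tok, 0), self.ham_counts.get(tok, 0)
        if s + h == 0:
            return 0.4
        spam_rate = s / max(self.n_spam, 1)
        ham_rate = 2 * h / max(self.n_ham, 1)   # ham counted double: bias against false positives
        return min(0.99, max(0.01, spam_rate / (spam_rate + ham_rate)))

    def score(self, text, n_interesting=15):
        """Combined spam probability for a message.
        With n_interesting set, only the tokens whose probability is furthest
        from 0.5 are combined, so padding with unknown words changes nothing.
        With n_interesting=None every token is combined, and a long tail of
        0.4s drags the score toward ham (the word-salad trick)."""
        probs = [self.token_prob(t) for t in set(tokenize(text))]
        if not probs:
            return 0.5
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        probs = probs[:n_interesting]
        # p1*p2*... / (p1*p2*... + (1-p1)*(1-p2)*...), computed in log space
        log_spam = sum(math.log(p) for p in probs)
        log_ham = sum(math.log(1.0 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))


# Constructed training corpus (tiny, for illustration only).
SPAM_TRAINING = [
    "buy cheap viagra now limited offer",
    "cheap pills online buy now",
    "free money click here now",
    "limited offer free viagra click",
]
HAM_TRAINING = [
    "meeting tomorrow about the security audit",
    "patch released for the rpc vulnerability",
    "can you review the firewall config before the meeting",
    "lunch tomorrow after the audit",
]

SPAM_MSG = "buy cheap viagra now"
HAM_MSG = "meeting tomorrow about the audit"
# The spam above with a word-salad tail: the nonsense tokens quoted in the
# thread plus constructed filler the filter has never seen in training.
WORD_SALAD = "ahdmf uvhuex qnzysthoa r xdgmeqxqyawg " + " ".join(f"xq{i}zv" for i in range(60))
SALAD_MSG = SPAM_MSG + " " + WORD_SALAD


def build_filter():
    f = BayesFilter()
    for msg in SPAM_TRAINING:
        f.train(msg, is_spam=True)
    for msg in HAM_TRAINING:
        f.train(msg, is_spam=False)
    return f


if __name__ == "__main__":
    f = build_filter()
    print("spam:            ", round(f.score(SPAM_MSG), 4))
    print("ham:             ", round(f.score(HAM_MSG), 4))
    print("salad, top 15:   ", round(f.score(SALAD_MSG), 4))
    print("salad, all tokens", round(f.score(SALAD_MSG, n_interesting=None), 4))
```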


RE: [inbox] Re: [Full-Disclosure] MS RPC remote exploit.

2003-10-09 Thread Curt Purdy

> --- Sudharsha Wijesinghe <[EMAIL PROTECTED]>
> wrote:
> > According to MS there cant be any Remote exploit on
> > MS RPC except for a
> > DOS attack using 139/135/445.
> > How ever the code is available for a shell code.
> > has any one tried this exploit?
>
> no remote exploit ?
>
> http://www.k-otik.com/exploits/10.09.rpc2universal.c.php
> http://www.k-otik.com/exploits/09.20.rpcdcom2ver1.1.c.php
> http://lists.netsys.com/pipermail/full-disclosure/2003-September/009848.html

What about dcom.exe that hit the streets before MS even released the first
032 patch. With it, you could own a box in 2 minutes.  I can only imagine
how many thousands of bots were deployed before blaster hit, as the kiddies
were hitting their keyboards just as fast as their little fingers could
type.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] SPAM, credit card numbers, what would you do?

2003-10-14 Thread Curt Purdy
> It's sad... Look at some of the reports on some 'hacker'
> being arrested for
> pointing out a problem in some companies network. (WiFi maybe?)

You may be referring to the guy who pointed out to a reporter that the
Houston, TX County Courthouse wifi was wide open allowing complete access to
the network.  Also in that vein is Adrian Lamo, an underground hero of the
highest caliber who has just been arrested for helping many large
corporations like GE clean up their act.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] FW: change of address

2003-10-15 Thread Curt Purdy
> Flames about the disclaimer appended to my email aside, I
> have just got this
> message too:
>
> > Thank you for writing me I have changed my address to
> [EMAIL PROTECTED]
> >
> > thank you for your time
> > Moshe A

This guy is apparently a massive spammer (same one associated with the "Any
news on www.kievonline.org site?" thread) and is trolling for addresses.  I
got it at an address I never use for this or any other list as well as this
address.  Thank God for PopFile!

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] FW: Last Microsoft Patch

2003-10-15 Thread Curt Purdy



Anybody else get this?  Looks legit, originating address is from msnbc.com.
But can't believe even Microsoft would be this stupid after the rash of
trojan-attached "patch announcements" lately.  Plus all security people have
been saying that Microsoft would never email a patch out.  Or are they
thinking, "Send this out so all the stupid people will click on this before
they click on a real trojan?"

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
[EMAIL PROTECTED]



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Technical Services
Sent: Tuesday, October 14, 2003 11:33 AM
To: MS Corporation User
Subject: [inbox] [admin] Last Microsoft Patch

Microsoft User, this is the latest version of security update, the "October
2003, Cumulative Patch" update which eliminates all known security
vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook
Express as well as three new vulnerabilities. Install now to help protect
your computer from these vulnerabilities, the most serious of which could
allow an malicious user to run code on your system. This update includes
the functionality of all previously released patches.

System requirements
Windows 95/98/Me/2000/NT/XP

This update applies to
MS Internet Explorer, version 4.01 and later
MS Outlook, version 8.00 and later
MS Outlook Express, version 4.01 and later

Recommendation
Customers should install the patch at the earliest opportunity.

How to install
Run attached file. Choose Yes on displayed dialog box.

How to use
You don't need to do anything after installing this item.

Microsoft Product Support Services and Knowledge Base articles can be found
on the Microsoft Technical Support web site. For security-related
information about Microsoft products, please visit the Microsoft Security
Advisor web site, or Contact Us. Thank you for using Microsoft products.

Please do not reply to this message. It was sent from an unmonitored e-mail
address and we are unable to respond to any replies.

The names of the actual companies and products mentioned herein are the
trademarks of their respective owners.


Re: [Full-Disclosure] FW: Last Microsoft Patch

2003-10-16 Thread Curt Purdy
> On Thu, Oct 16, 2003 at 12:14:32AM -0400, Exibar wrote:
> > Well, I was able to verify his GSEC.  By far the easiest of
> the certs he's
> > listed to attain.

Actually, I beg to differ.  Never went to a school or training for any of
them but the GSEC.  The special 8x12-hour-day SANS conference in D.C. last
year was awesome.  You either came out of there scared s___less or with a
head 2 hat-sizes bigger.  Anyone who takes it, try to get Eric Cole, a real
brain and great teacher.  The course is worth it for anyone in infosec,
whether you want the cert or not.

As for the certs I prefer getting them from experience vs. boot-camp, more
meaningful to me.  As for the easiest, unquestionably the CISSP followed by
the CCDA, also have CCNA which was even easier, but I ran out of room ;)  I
just put CISSP first because it seems to be so well respected.

As for the snipes on my unfamiliarity with Swen, I am blushing, but I have
also just finished a month-long security audit for a HIPAA client and have
not kept up like I should have.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] FW: Last Microsoft Patch

2003-10-16 Thread Curt Purdy
> Debates over
> the validity of an infosec-related point are useful and constructive;
> character assassination and personal attacks are not.

Thank you madsaxon.  Love the handle.

Curt

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] NASA experience

2003-10-17 Thread Curt Purdy
> From my experience working at NASA (moffet field as an intern one
> summer) was that their IT department (in my building) was good at what
> they did but had a pretty restrictive security policy (which is a good
> thing i guess).  So i would rate them as excellent although too
> restrictive.
> --
> Jason Freidman <[EMAIL PROTECTED]>


Since a primary tenet of all good security policies is the principle of
least privilege that basically states that no-one should have more access
than the absolute minimum necessary to do their job.  Of course no-one
really does this that I have seen.  But a good yard-stick of your security
policy and implementation is if everyone complains it is too strict.

As long as you have the support of management, this is when I feel most
comfortable.  It looks like NASA is doing it right, which I have always
heard.  Being ahead of the curve, 4 years ago they instituted a comprehensive
vulnerability assessment and patching and remediation program that turned
the hostile penetration rate from over 20% to less than 1% in a year.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] [Full-Disclosure] Problems with MS03-042 (KB826232) patch?

2003-10-17 Thread Curt Purdy
> For example, on one computer that had Windows 2000 SP2, we installed
> KB826232 and then the other critical patches from 10/15. We then
> installed SP4. When attempting later to uninstall KB826232, we get a
> warning that Internet Explorer, Windows Media Player, and 
> other patches
> installed after KB826232 might be non-functional if we proceeded. We
> tested Windows Media Player and it was, in fact, non-functional (it
> could download a video clip and display that it was playing, it just
> couldn't display any video... a minor inconvenience I guess).

Though referring to patch 40 and not 42 this from Brian Livingston's
newsletter is likely relevant:

Update HTML Help. As was the case with MS03-032 and a few other recent
patches, installing MS03-040 will cause problems with Windows' HTML Help
engine unless you also install a fix to update the help feature. This is
explained in Microsoft Knowledge Base article 811630. 

Update Windows Media Player. After installing MS03-040, you also need to
install an update for Windows Media Player versions 6.4, 7.1, and 9, and
Media Player for XP. Microsoft-style audio and video data files are allowed
(stupidly, in my opinion) to command Media Player to open Web pages. These
pages might be malicious or infected. The update allows administrators to
shut down this feature by making changes to the Registry. I don't believe
this capability should ever have been shipped, but I recommend that you
install the patch and implement the more-secure policies, as described in KB
828026. 

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked. 
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

RE: [inbox] Re: [Full-Disclosure] Windows covert channel

2003-10-20 Thread Curt Purdy

> You are probably thinking of ADS(Alternate Data Streams).
>
> jazper
>
>
> > I seem to remember in the dim reaches of my memory a covert
> channel in
> > the Windows file system where you could paste one file at
> the end of
> > another without it being detectible when you edited the
> orginal file.


It may be that he is referring to an exe packer as used to attach a trojan
to a legitimate exe aka whackamole.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security

2003-10-22 Thread Curt Purdy
> > I have never heard of a Linux vendor saying that Linux is
> "secure out of the
> > box."
>
> More than enough people assert that Linux is secure. Just
> enter "Linux is
> secure" in Google and you see what I mean:
>
> http://www.linuxunlimited.com/why-linux.htm
> ``Properly configured and maintained, Linux is one of the
> most secure operating
>   systems available today.''


The key words here are "properly configured".  One of the following links
talked about the model being based on UNIX, true but the implementation is
quite different.  Take FreeBSD 5.1, though more solid than any first release
of Linux, it is still referred to as a "New Technology Release" basically
synonymous with beta.  Their "Production" release is 4.8 that I have on some
of our servers (not running a gui).  I have 5.1 as well as Linux on
workstations.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security

2003-10-23 Thread Curt Purdy
> >> http://www.linuxunlimited.com/why-linux.htm
> >> ``Properly configured and maintained, Linux is one of the
> >> most secure operating systems available today.''
> >
> > The key words here are "properly configured".
>
> Well, once "properly configured", pretty much _any_ operating
> system would
> make it to the top 0.01% of the most secure boxes in the
> world.


I heartily disagree.  When you have inherently more secure code in OS's like
*NIX and Netware, as evidenced by the paltry number of patches required by
those OS's (1 in Netware vs. 38 for Windows in the same period) it doesn't
matter how well you configure Windows, it will still be vulnerable, waiting
for a compromise of the next discovered hole.  The reason for this is
fundamental in the design.  From the use of a registry (which corrupts with
time, finally requiring re-installation) to the fact that no single human
being knows all the source code for Windows, much less audits it, is the
difference between MS and the rest.

This is the reason open-source is inherently more secure.  First, people can
actually audit it for security (you think IBM recommended Linux without
going over every single line of code?)  Second, everyone can see the code
and contribute fixes when they see a potential problem, not after a
vulnerability has developed and been discovered.  True Netware is
closed-source but the engineering is superb and it does only what it needs
to do, be a network OS.

People have the wrong idea when they say "Windows vulns are more researched
and discovered because it is so prevalent."  Without a total re-architecture
and re-write of Windows code, if and when (hopefully) Windows OS's become a
minority, they will still be getting the vast majority of discovered and
exploited holes. Lay a dollar to a dime on that.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security

2003-10-24 Thread Curt Purdy
> I agree that inherent OS features have much to do with their
> security, but must observe that OSs like VMS and OS/400 have
> very few security issues



Agreed, I believe OS/400 may be the most secure out-of-the-box system out
there.  But never underestimate a lousy vendor.   My last audit was for a
HIPAA client that had all patient records on an AS/400.  I thought I didn't
have a chance in heck of touching them.  On the AS/400 side that was true,
with extremely granular access, allowing only certain users to certain data
that was unreachable otherwise.

However their main application happened to create a world readable/writeable
windows share of the records.  I simply plugged my laptop into an empty wall
socket, browsed the ip network (not even logged into anything) and saw,
copied, and wrote to any record of my choosing.  I was so shocked it took me
a few minutes to realize I just hit a grand slam.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked. 
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke


RE: [inbox] [Full-Disclosure] Is bugtraq even worth it anymore?

2003-10-27 Thread Curt Purdy
David M wrote:

> Once upon a time, pre-symantec it seems, it used to be a viable and
> pertinent list. I'm debating unsubscribing, since it's down
> to maybe a dozen
> posts a week at this point and just doesn't seem worth the
> effort to read
> posts that are 3, even 4, days old.

I'm still subscribed to several securityfocus lists, but have not submitted
for some time as I kept getting returned rejects even though they were
on-topic valid points. A real shame but not unusual for big-$ corporate
America to get their grubby little fingers on something good and run it into
the ground.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: [Full-Disclosure] Show me the Virrii!

2004-01-07 Thread Curt Purdy
Exibar wrote:

> Why do you ultimately blame Windows/DOS for the virus
> problem?  This is
> simply not true.  Are there not SQL worms?  Was it not a SQL
> worm that was
> the fastest to spread in history?  Are there not many Linux worms and
> viruses, and more being written each day?  Are there not
> viruses and/or
> worms that exploit Cisco products?

Jeeze, you know how many pages I had to delete off the end of this thing?
It doesn't take remembering PINE to know how to clean up your act.

OK, to business.  Your points: the SQL worm exploited ONLY MS SQL.  The
cisco worm exploited IIS that was the web interface in their DSL routers.
Yes, there are a few Linux worms but the numbers are tiny vs. MS.  And that
is NOT because MS is so prevalent, although of course that is a factor as
explained in the seminal work "Cyberinsecurity: The Cost of Monopoly".  The
primary reason for so many MS virii is the poorly written code that has
evolved into their current elephants of OS's.

All is not lost for MS, but it will take a ground-up rewrite to solve the
problems.  Unfortunately they seem to be taking the opposite tack of taking
W2K, the best OS they have come up with yet, and folded it into XP, the
biggest pile of dog doo since 3.1 and telling customers they can't get 2K
even if they prefer it.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke



___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] RE: [Full-Disclosure] Anti-MS drivel

2004-01-18 Thread Curt Purdy
Wicks wrote:

> Microsoft has competition.  Apple, Sun, Red Hat . . .
> 
> Problem is Apple is full of idiots who feature style over substance.
> The system has to look better than it performs.  The OS is more stable
than
>Microsoft, but their elitist attitude will
>always keep them at 5% market share.

> Business on the other hand is moving slowly to Linux.  Why 
> slowly?  Who
> do you sue when your business is hacked by someone who planted a
> backdoor in the Linux kernel? 

Your point about Apple is off the mark.  However that very statement applies
perfectly to MS.  They take the best OS they ever made, W2K (though not as
good as the other three mentioned) and make a pretty interface for XP while
adding very little in functionality but adding tons of bugs and security
flaws to come up with the worst OS since 3.1.

If you doubt Apple's commitment to a solid, secure, enterprise strategy, read
Tom Yager of InfoWorld sometime.  I would gladly give you 2-to-1 odds on
your 5% market prediction.

As for Linux, the problem is not who to sue, otherwise MS would have
thousands of suits against it right now.  The problem is support and that
has now been solved with Novell's acquisition of Suse.  The combination of
the most secure OS around with an experienced, quality support staff, fully
integrated with Linux is a driving force.  Novell has finally got it right
and their growing market share in the enterprise will reflect that.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked. 
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

RE: [inbox] Re: [Full-Disclosure] Anti-MS drivel

2004-01-18 Thread Curt Purdy
yossarian wrote:

>And a propos the ADS rant - you can hardly call it an MS invention. For me
>it is NDS revisited.

And a poor revisit at that.  I have had ADS crash and burn at two customers
in the last year (unfortunately no backup domain controllers - no we did not
set them up).  Check out MS's knowledge base article on repairing ADS.  It
is like a 50 page article that basically ends with "Re-install and restore
from tape and synch with other controllers".  I have NEVER seen that happen
with DNS in all the years I've worked with Netware.

Also have seen ADS get all confused more than once in multiple domain sites
requiring either finding the server with the least corruption and making it
authoritative, or restoring from a known good backup.  No way to run an
enterprise.  Again, whenever a problem has shown up in NDS, a simple
DSREPAIR has always fixed everything, without fail.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: [Full-Disclosure] Anti-MS drivel

2004-01-21 Thread Curt Purdy
tobias wrote:

> > What's the incentive to make the vendor change?  It's going
> >to take one
> > HUGE boycott to achieve that, HUGE becuase the market is
> >worlwide

> The ultimate solution to solve this problem would be a free
> market with
> free competition and no entry barriers for potential competitors for
> Microsoft.

We won't have to boycott, the market will decide.  In 10 years MS may not be
dead, but they will not be dominant IMHO.  The tide turned the day Novell
bought Suse.  The only thing Linux lacked for the enterprise was enterprise
level support and Novell just gave it that.  And we in security have always
known that Netware was not only the best networking OS around, but also the
most secure.  When admins come to realize they will patch once or twice a
year, how much work they will save, I believe Novell share will grow
dramatically, in both Netware and Linux.

>Apply liability laws to software and IT products in general.

Liability laws do apply, unfortunately we sell our soul and give up all
rights when we scroll down and hit F8.

> And let's face it, many of the folks on this and other
> lists that buy a
> PC, wipe windows and install a *bsd or linux/*nix clone, are still
> contributing to the redmond  bottom line of their big buck,
> cause most
> those PC's come pre-installed with a M$ OS underneath.

The cheapest PC HP/Compaq carries is a box running Linux.  Again the market.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] [Full-Disclosure] Unbelievable: I just got sensored

2004-02-06 Thread Curt Purdy
Byron Copeland wrote:

> I replied to the BUGTR(ASH)Q list with a reference pointing
> that out. I
> am not trashing @stake, but I only wanted to point that out to the
> list.

I stopped posting to most of the securityfocus lists long ago because of
their habit of returning perfectly valid, technically correct input.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: [Full-Disclosure] Re: DoomJuice.A, Mydoom.A source code

2004-02-10 Thread Curt Purdy
Frank Knobbe wrote:

> As for the code, have you tried catching the bug with a honeypot? I
> heard of people using netcat listening on port 3127 to catch
> the bug...

An easy alternative would be to catch the MyDoom.A virus (just kill your AV
and open a few emails), then DoomJuice will kindly drop the source for
MyDoom.A on your box.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] [Full-Disclosure] IE crashes

2004-02-13 Thread Curt Purdy
Puneet wrote:



> and after 10 seconds when an applet loaded...first IE hanged 
> and then the
> system got hanged.What's that which causes the system to halt 

Try FireFox a.k.a. FireBird at mozilla.org - awesome.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked. 
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: [Full-Disclosure] IE crashes

2004-02-13 Thread Curt Purdy
Rabourdin Clement wrote:

> Crashed MozillaFirebird on FreeBSD 4.9 STABLE, too :(
> The applet is working but Mozilla goes down... But no system crash



Simply comes up with a couple of pics on Firebird 7.1 and FireFox 8.0 on
W2K.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] RE: [Full-Disclosure] Removing Fired admins

2004-02-13 Thread Curt Purdy
Michael T. Harding wrote:

> am looking for is some kind of checklist/ information sheet so we
> don't forget anything major, at least to check.

Sent this to the incidents list on securityfocus to see if they can help you.
Just hope it doesn't get bounced by the moderator.  They have a nasty
habit of doing that.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke


[Full-Disclosure] RE: [inbox] W2K source "leaked"?

2004-02-13 Thread Curt Purdy
Gadi Evron wrote:

> I never believed in 0-days.

> but now... I don't know.

I can assure you 0-days do and have existed for a long time. In the past the
true l33t h4x0rs would turn their creations over to the kiddies when they
came up with something better to use.  Today they do it when a patch has
been released or is imminent.  In fact today, they are often nicely
pre-compiled.

I had a copy of dcom.exe several days prior to MS releasing the RPC patch.
Within a day of the release, it was all over irc and even some lists.  I
don't think many people realize how many tens or even hundreds of thousands
of zombies were created by all the kiddies typing dcom.exe as fast as their
little fingers could go.  MSBlast was likely the best thing that could have
happened to force patching before the boxes were hijacked and patched by an
intruder.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions





RE: [inbox] RE: [Full-Disclosure] CISSP Study material

2004-02-19 Thread Curt Purdy
Mark Fagan wrote:
> you could always attend the CBK review seminar, I think it
> cost me the guts of
> 3K Euro and takes one week, its probably cheaper in the UK.

I found the CISSP Study Guide Gold Edition to be all the material I needed
and a lot cheaper than 3k.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions





RE: [inbox] RE: [Full-Disclosure] What's wrong with this picture?

2004-02-26 Thread Curt Purdy
Replugge wrote:

> The fact that exploit code is made available after the patch is released,
> is probably because the researchers made the vulnerability publicly
> available at the same time as the patch was released, otherwise MS wouldn't
> give credit to the researchers for the vuln.

Not only that, but I have always suspected the reason for the close
follow-up releasing exploits after patch release is because the value of the
0-day that had been used for whatever purposes the writer wanted was now
null.  At that point, her pride takes over and she releases her work for the
world to see.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions





RE: [inbox] [Full-Disclosure] Knocking Microsoft

2004-02-27 Thread Curt Purdy
James Saveker wrote:


> Microsoft has in their defence started the trustworthy computing scheme,
> which many would not hesitate to laugh at.  However windows server 2003 does
> not by default load unnecessary services.

So MS is doing what UNIX did from the start 20 years ago.  As for
"trustworthy computing", their first product, 2K3 server is just as
vulnerable to the two worst vulnerabilities in history, the RPC Dcom and ASN.1
vulns.


> The code they produce is far more stringently tested in regard to security
> than perhaps it was before.

Their registry based spaghetti code still contains core code from the early
NT days. Even if the new code they write now is more secure, it's like
building a brick wall on quicksand.  The only solution is a complete
re-write from the ground up and I don't believe even MS has the resources for
that now.  That is the reason I don't allow any XP on my networks and am
slowly replacing as many of my W2K desktops with SuSe Linux as I can.  My
servers are already majority UNIX and Netware.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions




RE: [inbox] Re: [Full-Disclosure] Re: E-Mail viruses

2004-03-05 Thread Curt Purdy
Ron DuFresne wrote:

> > 1. We use the Draconian technique of stripping all .exe .zip .gif .jpg
> > .scr .bat .pif files.
>
> Very draconian in today's world, and not productive by the way some folks
> do the work they have to do with limited capabilities these days.  It
> seems that we might as well revert back to only allowing e-mail in plain text

Ah, I wish...  An alternative is to allow only a proprietary extension
through, like .inc  Legitimate senders would rename the file, be it .exe
.doc .jpg, indicate in the body of the message what the true extension is,
and the receiver merely renames it.  A little trouble yes, but it virtually
eliminates email propagated viruses from the corporation.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions





RE: [inbox] Re: [Full-Disclosure] Re: E-Mail viruses

2004-03-05 Thread Curt Purdy
Valdis.Kletnieks wrote:

> > Ah, I wish...  An alternative is to allow only a proprietary extension
> > through, like .inc  Legitimate senders would rename the file, be it .exe
> > .doc .jpg, indicate in the body of the message what the true extension is,
> > and the receiver merely renames it.
>
> So let's see.. the same bozos who read the text part of the virus, get the
> password, and use that to unzip the rest of the virus won't read the text
> part, get the rename to do, and.
>
> Color me dubious

Methinks you misunderstand.  Only the proprietary extension, i.e. .inc or
.xyz or .whatever, would be allowed through, and since virus writers would
never use this extension, it would eliminate ALL viruses at the gateway.
The nice thing about this approach is that it completely eliminates the need
for any anti-virus on the mail server since all virus attachments are
automatically dropped without the need for scanning.  Quite a simple, yet
elegant solution, if I do say so myself.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions





RE: [inbox] Re: [Full-Disclosure] Re: E-Mail viruses

2004-03-05 Thread Curt Purdy
Cael Abal wrote:
> Personally I'd dispute this solution's elegance, anything which requires
> substantial user behaviour change (and doesn't drastically improve the
> virus/worm situation across the board) is an ugly kludge.

I would say that completely eliminating all virus infected attachments,
past/present/future without any further interaction by IT dramatically
improves the virus/worm situation across the board.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions





RE: [inbox] [Full-Disclosure] Re: E-Mail viruses

2004-03-05 Thread Curt Purdy
Incident List Account wrote:
> Curt, be careful not to strain your arm patting yourself on
> the back :) I actually really like your solution UNTIL the
> "completely eliminates the need for antivirus on the mail
> server" comment. If an outside party follows the procedure
> and renames his file to file1.inc and sends it to your user,
> are you 100% confident that outside party's attachment is
> not inadvertently infected with a virus? I agree that only
> allowing a certain obscure extension through to your user
> eliminates the VAST majority of the problems. I would not
> however trust any file from a third party without some sort of scan.

As a firm believer in "layered security" espoused by Bruce Schneier in which
five 80% effective layers achieve 99.8% effectiveness overall, I would never
suggest not having a mail AV server, as well as desktop AV.  The way I
developed this system was I began dropping .scr, .pif, .com, .cmd as easy
non-legitimate emails.  I then went to .exe when I got tired of the
occasional virus slipping through and told users they had to have senders
zip it prior to sending.  Now since Mydoom, I took the next logical step of
dropping everything.  Users find it just as easy to tell senders to rename
the file as to zip it.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



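The allow-one-extension gateway policy argued over in this thread, as an added example that is not code from any of the posts: a Python filter that parses a raw message, walks its MIME parts and rejects any attachment whose name does not end in the agreed extension (.dps, the one named in the thread). The build_message helper, the addresses and the sample attachments are constructed here for illustration; a gateway would run policy_verdict before the AV scanner, which stays in place as the next layer.

```python
"""Gateway-side attachment policy: accept a message only if every
attachment carries the organisation's agreed extension.  Added example,
not from the original posts; sample messages are constructed below."""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# The thread names .dps as the extension chosen for that company.  Any
# private choice works: the point is to stop mass-mailers, not secrecy.
ALLOWED_EXT = ".dps"


def attachment_names(msg: EmailMessage):
    """Yield the filename of every attachment part, nested multiparts included."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        # Inline text bodies carry no filename; anything with a filename
        # or an explicit attachment disposition is treated as an attachment.
        if name or part.get_content_disposition() == "attachment":
            yield name or ""


def policy_verdict(raw: bytes):
    """Return (accept, reason) for a raw RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for name in attachment_names(msg):
        # A nameless attachment cannot satisfy the policy, so it is dropped too.
        if not name.lower().endswith(ALLOWED_EXT):
            return False, f"attachment {name!r} does not end in {ALLOWED_EXT}"
    return True, "no disallowed attachments"


def build_message(filename: Optional[str], payload: bytes = b"\x00\x01") -> bytes:
    """Constructed sample message with one binary attachment (or none)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"  # constructed addresses
    msg["To"] = "user@example.com"
    msg["Subject"] = "renamed file attached"
    msg.set_content("Real extension is .xls, please rename after saving.")
    if filename is not None:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("report.dps", "report.xls", "netsky.pif", "netsky.dps.pif", None):
        print(name, policy_verdict(build_message(name)))
```

A double extension such as netsky.dps.pif is rejected for the same reason as a plain .pif: only the final extension is compared.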


Re: [Full-Disclosure] Re: E-Mail viruses

2004-03-05 Thread Curt Purdy
[EMAIL PROTECTED] wrote:
> If you're not kidding it furthers the argument that
> all those certification characters at the end of
> your name are worthless.
>
> "Having NO security is better than security by obscurity !!

Pro-actively dropping all non-priority attachments is not by any means
"security by obscurity".  I am not hiding anywhere.  I am smashing all
viruses flat before they even have a chance to enter my email AV server.  If
anyone gets ugly who happens to know the priority extension, the AV gateway
will get it anyway.

BTW, I'm damn proud of those letters, worked hard for them and never took a
day of school or "boot camp".

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions





RE: [inbox] Re: [Full-Disclosure] Re: E-Mail viruses

2004-03-05 Thread Curt Purdy
Paul Szabo wrote:
> Yes, it eliminates a large class of viruses. But, it would not do
> anything to "local" attacks (a virus modified specifically to handle
> your particular setup; and if it becomes widely used then "real"
> viruses will also do the same).
>
> Also it does nothing to viruses that do not use attachments: attacks
> on a "Subject:" buffer overflow, or a virus delivery via the web with
> a link or "Content-type: message/external-body".

This was meant to deal only with email virus attachments that are currently
dealt with by email AV servers.

As for the first point, technically true, but highly unlikely as long as
everyone who implements this strategy doesn't use the same extension.  If you
pick a relatively random sequence, a.k.a. as in .dps for my company, you
would not be the target of a virus, whose purpose is to infect as many
systems as possible.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions





Re: [Full-Disclosure] Re: E-Mail viruses

2004-03-06 Thread Curt Purdy
docco wrote:
> What Curt Purdy is saying looks to me like a
> great_pain_in_the_ass_solution.
> In case the "supersecret" extension would get leaked or compromised, which I
> believe would be absolutely not hard to achieve (by means of social
> engineering, sniffing or just brute force - combinations of three letters,


Jeez, it's amazing how a thread can get so twisted overnight.  My original
point was that it was never necessary to hide the proprietary extension and
it would never need to change.  The purpose of blocking everything but this
extension, in our case .dps (see, I'm not scared) is to squash 99.999%
(experience has been 100% so far) of all possible infected attachments
before they ever get to our email AV server.  Of course that percentage may
now drop if some "security expert" on this list decides to rename netsky and
send it to us.  However that would be a waste of time unless it was a 0-day,
and I doubt anyone would want to waste that on us.

In addition, it is much easier to train users to change the extension than
to "not open attachments" because they are self-motivated to do the former
if they ever want another attachment.  If you try to educate users to do the
latter, you are just setting yourself up to continually battle the social
engineering used by virus coders.

While I'm on the subject, just this morning on a nationally syndicated show,
I heard a piece on the current "virus war" and was amazed when I heard it
end with "a security expert" say "only open attachments from someone you
know".  We disabled notifications on our AV server months ago.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions





RE: [inbox] Re: [Full-Disclosure] Re: E-Mail viruses

2004-03-09 Thread Curt Purdy
Valdis.Kletnieks wrote:
> It's not 3^36, which is multiple billions, it's only 36^3,
> which is 46,656.
>
> And only one has to get through to an idiot.
>
> Anybody else got a mail server that blocked more than that many Netsky's
> this weekend alone?  Draw the obvious conclusion here...
>
> And *that* was why I was dubious as to the real usefulness...

I don't care if it is only 46.  The whole point was I don't care if the
whole world knows our proprietary extension.  No virus writer is going to
waste time pointing her 0-day worm at us.  The whole idea is to spread as
much as possible, so they will pick standard extensions only.  If it is not
a 0-day, our AV server will kill it anyway. This methodology has stopped
100% of all virus attachments since institution.  Our AV server is getting
bored, having nothing to do.

In addition I don't get up at 5am anymore to scan the lists for the newest
outbreak. The peaceful sleep alone is proof of its usefulness.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions





RE: [Full-Disclosure] Where to start

2004-03-09 Thread Curt Purdy
Aschwin Wesselius wrote:
> Does a good security-officer have to know everything about every hole?

If that were true there would be no sec-offs.

> If I see lists and forums about network-security it seems that everybody
> knows a lot and has a huge reference base. Is this true?

Although I don't pretend to be "an expert", knowledge tends to come in one
of two flavors, narrow and deep, and wide and shallow.  I find in my field
it is best to have as wide a knowledge as possible while continually working
to deepen it as much as possible.  Security researchers may argue with this
because of their need to focus on coding.  I would not argue with this but
Perl is about as deep as I go there.

I also would not argue with schooling, though I have had none since
graduating college in '76 (when I went back to visit the next year, walked
in and saw the punch card machines replaced by green screens and everyone
interactively entering code straight into the mainframe, I thought it was
the most amazing technological transformation in history).  I prefer the
school of hard-knocks and have the grey hair to prove it ;)

> Just because there are discussions, it seems that there is not one
> overall and central way of keeping track of evolving issues. How do
> people keep track easily with up to date best practices and not get
> distracted by "old" advisory?

I'm waiting for Google to write a search engine for brains.  Until then a
Palm will have to do along with Fish Oil (the only natural source of the
same proteins your brain is made of, and good for your heart too.  And also
the reason human ancestors that were coastal dwellers beat out Neanderthals
that were hunters).

Sorry for rambling.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions





RE: [inbox] Re: [Full-Disclosure] Re: Microsoft Security, baby steps ?

2004-03-17 Thread Curt Purdy
Geoincidents wrote:
> to secure 2000 without using the network and windowsupdate:
>
> install 2000
> sp4
> Windows2000-KB823559-x86-ENU.exe
> Q832894.exe
>
> NT4 is even worse and before they are allowed to completely drop support for
> NT4 they should at least have the decency to do a rollup of all the patches
> so it's left in some sort of workable condition for those who aren't
> upgrading.

But that would be opposed to their business model that is based on doing
their best to force you to upgrade, as opposed to creating and supporting a
good product.  Personally, W2K was my last MS product.

BTW, I love the way SuSe updates online during install, before the first
boot off the hard drive. Those guys know security.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions





RE: [inbox] [Full-Disclosure] malware added in transit

2004-03-18 Thread Curt Purdy
Paul wrote:
> Hi all, perhaps I'm way off-base but I've been under the impression that
> malware can be added to clean transmissions as they pass through infected
> nodes.  Is this possible?

Unless you're talking about inserting a proxy in-line and manually
grabbing the packets and manipulating them at a huge amount of work, you ARE way
off-base.  There is no malware I know of that would even know what the
packets were, much less re-assemble them into the original document, insert
itself, and pass it on.  Maybe by 2104...

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



RE: [inbox] [Full-Disclosure] Operating Systems Security, "Microsoft Security, baby steps"

2004-03-18 Thread Curt Purdy
Todd Burroughs wrote:
> Kudos to SuSE, keep up the good work!  We're getting nervous with the
> Novell thing, but keep security first.  One thing, we need a basic
> install, no X, just a base install that is secure.

As an example of SuSe being clueful on security, the 9 install goes out and
updates everything before it ever boots off the hard drive the first time.
Very cool.

But don't worry about Novell.  As an ancient Red Head (I remember when
Netware was nothing but a print server meant to share big-bucks daisywheels
that you could hear clanging down the hall) they have always done support
right, and that is what Linux has always needed, enterprise level support.

And as for security, Novell has always been on top of that.  Whenever we
have security as a primary issue, we always install Netware, otherwise BSD
or SuSe.  Only use Windows when we have to, and that is less and less each
day.  I patch my Netware servers a couple of times a year.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions





RE: [inbox] [Full-Disclosure] Is this a paypal scam?

2004-03-18 Thread Curt Purdy
[EMAIL PROTECTED] wrote:
> http://218.62.43.30/verify.html
>
> Signed up for paypal 2 weeks ago, and then this came in the mail as a link
> in a paypal looking html email asking me to confirm by entering my credit
> card/account info.

Be clueful:

1) Don't ever click a link with an ip address.
2) Don't ever put your cc info into any site you did not directly go to and
trust.
3) nslookup 218.62.43.30 - Non-existent domain
   nslookup paypal.com - 64.4.241.16

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



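The checks in the reply above, as an added example that is not code from the original post: a Python routine that pulls every link out of an HTML mail body, flags any whose host is a bare IP address (point 1), and flags any whose registrable domain is not one the claimed brand really uses, which stands in offline for the nslookup comparison in point 3. The BRAND_DOMAINS table and SAMPLE_HTML are constructed here (the IP link is the one quoted in the thread); the domain check also catches look-alike hosts such as www.paypal.com.evil.example, which goes beyond what the post lists.

```python
"""Phishing link checks for a mail claiming to come from a brand.  Added
example, not from the original post; the brand table and sample HTML
below are constructed for illustration."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allow-list standing in for the nslookup comparison in the
# post: which registrable domains a brand's genuine links use.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

# Constructed sample of the kind of HTML body described in the post.
SAMPLE_HTML = """<p>Please <a href="http://218.62.43.30/verify.html">confirm
your account</a> or read the <a href="https://www.paypal.com/help">help
pages</a>.</p>"""


class _LinkCollector(HTMLParser):
    """Collect the href of every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def is_ip_literal(host: str) -> bool:
    """True if the host part is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (no public-suffix list; fine for .com brands)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_links(html: str, brand: str):
    """Return [(href, reason)] for every link that fails the checks."""
    collector = _LinkCollector()
    collector.feed(html)
    genuine = BRAND_DOMAINS.get(brand, set())
    findings = []
    for href in collector.hrefs:
        host = urlsplit(href).hostname or ""
        if is_ip_literal(host):
            findings.append((href, "link host is a raw IP address"))
        elif registrable_domain(host) not in genuine:
            findings.append((href, f"host {host!r} is not a {brand} domain"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_HTML, "paypal"):
        print(f"{reason}: {href}")
```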


RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?[Scanned] [Scanned] [Scanned]

2004-03-18 Thread Curt Purdy
James P. Saveker wrote:

>(Guess who's come across waaay too many boxes that the owner didn't know
>were compromised because the box knows how to say "You've got Mail!" but
>doesn't know how to say "You've got Malware!" ;)

:)


>I have seen companies running SBS and using ISP mail accounts when exchange
>is part of SBS, madness!  Also they have not got ISA configured correctly,
>assuming correctly does not involve a rules allowing all traffic from all
>sources to flow bi-directionally.  People that set up servers like that
>should be shot, or at least not allowed to practise as consultants.

Personally, I think anybody who sells and sets up a business with SBS should be shot.
Starting with SBS4, it's been a piece of crap.  Now to add insult to injury, they put
ISA server in there and force you to put your firewall on the same box your database
server is on.  By license, you cannot put it on a separate box if you wanted to.
Another sign of the total cluelessness of MS on security.


--
Curt Purdy CISSP MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions




Re: [Full-Disclosure] Emailing SSN info

2004-03-18 Thread Curt Purdy
Tony Gettig wrote:
>Higher management wants to
>email a zipped data export (presumably password protected) to a vendor
>that includes the Social Security Number for employees.

Yes, it's a bad idea.  Even if it is password protected, it can be cracked, just a matter of
time.  If management insists on this course, at least encrypt it with PGP or S/MIME.



--
Curt Purdy CISSP MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions




RE: [Full-Disclosure] POSSIBLE TARGETING OF SECURITY RELESE READERS

2003-06-07 Thread Curt Purdy
Dude, what are you doing sending BugBear to the list?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of morning_wood
Sent: Friday, June 06, 2003 7:53 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Full-Disclosure] POSSIBLE TARGETING OF SECURITY RELESE READERS


 This is the 4th one now, directly mentioning a security release\
included is the zip password = exploit

I would like to know if others are getting this...
thanks

wood

- Original Message -
From: "Keith R. Watson" <[EMAIL PROTECTED]>
Sent: Friday, June 06, 2003 4:34 PM
Subject: [Full-Disclosure] Iomega NAS A300U security and inter-operability
issues


> I recently tested an Iomega NAS A300U and discovered that it has several
> security and inter-operability issues as outlined in the following.
>
> Affected Systems:
>
>
>



RE: [Full-Disclosure] RE: [ISN] DARPA pulls OpenBSD funding

2003-04-19 Thread Curt Purdy
Unfortunately, one of the things that seems to have been overlooked in this
political discussion, which I believe does not have a place in this
technical forum, is that a great and sorely needed project is in jeopardy.
OpenBSD is generally considered one of the most secure network operating
systems available today, and that is even before the recent announcement of
the new resistance, if not vulnerability to buffer overflows which can be
considered the holy grail of programming.

Whether you feel de Raadt was wrong for expressing his views on peace, or
that DARPA was wrong for politicizing a technical project, the point here
should be that the entire technical world is the loser...

Curt Purdy CISSP, MCSE+I, CNE, CCDA
Senior Systems Engineer
Information Security Engineer
DP Solutions





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Paul Schmehl
Sent: Friday, April 18, 2003 10:21 PM
To: [EMAIL PROTECTED]; InfoSec News; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] RE: [ISN] DARPA pulls OpenBSD funding


Thank you.  I'm so sick and tired of hearing the cry of "McCarthyism" from
celebrities who have spoken out against the war and are now suffering from
boycotts of their products.  Get over it.  You had the right to say what
you want.  And we have the right to not buy your stupid records, movies,
whatever.

It's *free* speech, *not* speech without consequences.  Ask Senator Trent
Lott if there is a price for speech.  I didn't hear any of the anti-war
celebrities complain about that.

--On Friday, April 18, 2003 10:09:45 AM -1000 Jason Coombs
<[EMAIL PROTECTED]> wrote:

>> "In the U.S., today, free speech is just a myth," de Raadt said.
>
> This is an important issue because so many people get it completely
> wrong, de Raadt included.
>
> Free speech means the government cannot put you in jail for the things
> you say or believe.
>
> It does not mean the government is required to continue to pay you to do
> work or fund your projects regardless of the things that you say or
> believe.
>
> It does not mean the government cannot create hardship for you, or that it
> must protect you from hardship imposed on you by others.
>
> Further, the U.S. constitution does not apply to foreign nationals and it
> has no direct impact on business dealings except indirectly as it relates
> to the legislative process whereby State and Federal laws are enacted and
> enforced that seek to regulate business dealings consistent with
> constitutional law.
>
> We must bear in mind that free speech exists within a context of freedom;
> we cannot impose behavioral restrictions or affirmative obligations on
> government agencies or private parties that remove the freedom of those
> parties to exercise sound subjective judgment. The day that we impose
> government controls for allowable consequences against you for your
> choice to exercise your freedom of speech is the day we kill freedom in
> our effort to protect speech.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


RE: [Full-Disclosure] RE: [ISN] DARPA pulls OpenBSD funding

2003-04-19 Thread Curt Purdy
The difference is quite clear, Theo is an individual and entitled to his own
political views whether the President of the United States agrees with
them or not.  DARPA is a government agency and has no right to any political
view.  By definition an agency is created to fulfill its charter, in
DARPA's case to promote advanced research in the US government's best
interests, which a secure network OS clearly is.  The charter mentions
nothing about Democratic, Republican, Anarchist, war, or peace political
views.

Curt

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Paul Schmehl
Sent: Saturday, April 19, 2003 11:22 AM
To: Curt Purdy; [EMAIL PROTECTED]; 'InfoSec News'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] RE: [ISN] DARPA pulls OpenBSD funding


Somehow I think Theo will find some way to get the project done.  He was
doing fine before the DARPA project.

I do find it interesting that you characterize Theo as "expressing his
views" yet you characterize DARPA as "politicizing a technical project".
Weren't they both doing the same thing?  Why the difference in the
characterization?

--On Saturday, April 19, 2003 09:10:53 AM -0500 Curt Purdy
<[EMAIL PROTECTED]> wrote:

> Unfortunately, one of the things that seems to have been overlooked in
> this political discussion, which I believe does not have a place in this
> technical forum, is that a great and sorely needed project is in jeopardy.
> OpenBSD is generally considered one of the most secure network operating
> systems available today, and that is even before the recent announcement
> of the new resistance, if not vulnerability to buffer overflows which can
> be considered the holy grail of programming.
>
> Whether you feel de Raadt was wrong for expressing his views on peace, or
> that DARPA was wrong for politicizing a technical project, the point here
> should be that the entire technical world is the loser...

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


RE: [Full-Disclosure] Linux firewall

2003-06-19 Thread Curt Purdy
Considering that you can get a cisco 501 for around $500 and as long as you
don't have internal servers, is pretty much plug and play with its 3rd
generation gui interface, it's pretty hard to beat for the SMB market.  The
gui even makes internal server natting pretty simple.

Curt

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Michael
Bergbauer
Sent: Thursday, June 19, 2003 5:11 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Linux firewall


On Wed Jun 18, 2003 at 04:45:25PM -0400, Spencer, Gary  TRI-S INC wrote:
> Hello everyone. I have been following the discussions for a few months now
> and enjoy the technical information that everyone has to share. What would
> your recommendations be for a Linux firewall? And would you use a 50,000
> Cisco firewall instead??

As most others already pointed out, you have a wide variety of
possibilities to choose, and it is very hard to give some
recommendations, especially as none of the readers here has the
necessary background knowledge about what you want to protect and
against which kind of attackers.

Step back and think about it. A firewall is not a piece of hardware,
but a sheet of paper that contains information about your threats, how
dangerous they are, how likely they will occur, and how you want to
protect against them. This last part can be achieved by simply not
connecting your network to any public network, because you can't protect
it sufficiently, or you can rely on something called a packet filter, or
application level gateways.

When your security concept contains something called commonly
"firewall", you have to decide which one to choose. As I already
mentioned, there are lots of different solutions available, from very
cheap ones to very expensive ones, and you have to consider a lot of
factors. I can hardly suggest using a linux box if you (or anyone at
your site) has no or not much experience with linux at all. Chances are
very likely that you can't achieve what you want to, and instead, a
Cisco box, though much more expensive can be a better protection,
especially when you are very experienced with those systems already.

Hope this helps

--
Michael Bergbauer <[EMAIL PROTECTED]>
use your idle CPU cycles - See http://www.distributed.net for details.
Visit our mud Geas at geas.franken.de Port 


RE: [Full-Disclosure] Linux firewall

2003-06-19 Thread Curt Purdy
Have used both Linux and FreeBSD for firewalling, and though Linux is very
easy with some of the auto setup distros out there, if you are a business
with assets to protect, I would trust BSD as a much more stable platform for
firewalling ('course some idiots out there are actually using windoze ISA for
firewalling, can we say stable :)

As far as EEye, I believe you will find those were merely automated scans
that were coming from their IPs.

Curt

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Denis Dimick
Sent: Wednesday, June 18, 2003 9:45 PM
To: Gabe Arnold
Cc: Spencer, Gary TRI-S INC; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Linux firewall



Don't know about BSD.. But I would use Linux.. This is what I use everyday
for the past 5 years.. Have yet to have anyone get thru.. Even the morons
at EEye have tried..

On Wed, 18 Jun 2003, Gabe Arnold wrote:

> I would suggest you use an OpenBSD 3.3 setup with the native PF
> (Packet Filter) package which is based on the 'BSD IPF package.
> It's quite nice, easy to use, and very secure.  I'd check out
> www.openbsd.org and www.openbsd.org/faq/pf/ for a good overview of the
> PF package and how to use it.
>
> --Gabe
>
>
> * Spencer, Gary  TRI-S INC ([EMAIL PROTECTED]) wrote:
> >
> >
> > Hello everyone. I have been following the discussions for a few months now
> > and enjoy the technical information that everyone has to share. What would
> > your recommendations be for a Linux firewall? And would you use a 50,000
> > Cisco firewall instead??
> >
> > Thanks,
> >
> > Gary.
> >


RE: [Full-Disclosure] Adminstrivia: Digest Limits/Netiquette

2003-06-27 Thread Curt Purdy
A very interesting concept Nick. I am preparing to launch a list and am
looking for ways to automate moderation.  Does anyone have a perl/shell
script for doing this kind of thing?

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Nick
FitzGerald
Sent: Thursday, June 26, 2003 6:24 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Adminstrivia: Digest Limits/Netiquette


Len Rose wrote:

> We have increased the digest size again to 100K
> which is still somewhat small but it's growing
> thanks to those who still insist on quoting
> so much text (including the mailing list trailers,
> and complete signatures).

Yeah, and they're nearly all braindead top-posters to boot...

> Please don't send 1 line replies to the list, send
> them to the intended recipient only.

Right on...8-)

I'm fully in favour of "quoted-line to new content" ratio moderation.
Simply bounce any message with more quoted lines than non-quoted, or
whatever more or less harsh ratio you think is reasonable.  Messages
without "substantial" new content relative to quoted content are
generally (like 95-99%) not worth the bandwidth, storage space or
deletion time they "consume".


Regards,

Nick FitzGerald
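The "quoted-line to new content" rule Nick proposes, and the perl/shell script Curt asks for, as an added Python example (not code from the thread or from the list software): it classifies each non-blank line of a message body as quoted (a ">" prefix, an attribution line such as "Foo wrote:", or anything after an Outlook-style "-----Original Message-----" marker, which is how the top-posted replies in this thread quote), as new content, or as ignorable (the signature after an RFC 3676 "-- " separator and the list trailer), and bounces when quoted lines outnumber new ones. The three sample messages are constructed for the example.

```python
"""Quoted-to-new-content ratio check for list moderation (added example)."""
import re

# Attribution lines carry no new content, so they count as quoted.  The
# second alternative matches both "-----Original Message-----" and the
# shortened "-Original Message-" form seen in archived mail.
ATTRIBUTION_RE = re.compile(
    r"^(.*\bwrote:|-+\s*Original Message\s*-+)$", re.IGNORECASE
)

# Lines of the trailer the list server appends count as neither.
TRAILER_PREFIXES = ("___", "Full-Disclosure - We believe in it.", "Charter:")


def count_lines(body):
    """Return (quoted, new): counts of non-blank, non-ignorable lines."""
    quoted = new = 0
    in_quote_block = False   # set once an Outlook-style marker is seen
    in_signature = False     # set at the "-- " separator; nothing after counts
    for line in body.splitlines():
        if line in ("-- ", "--") and not in_quote_block:
            in_signature = True
        if in_signature:
            continue
        s = line.strip()
        if not s:
            continue
        if ATTRIBUTION_RE.match(s):
            quoted += 1
            if "original message" in s.lower():
                in_quote_block = True   # everything below is the quoted mail
            continue
        if s.startswith(">") or in_quote_block:
            quoted += 1
        elif s.startswith(TRAILER_PREFIXES):
            continue
        else:
            new += 1
    return quoted, new


def should_bounce(body, max_ratio=1.0, min_new=1):
    """True when the message has fewer than min_new new lines, or more than
    max_ratio quoted lines per new line (1.0 is Nick's "more quoted than not")."""
    quoted, new = count_lines(body)
    if new < min_new:
        return True
    return quoted > max_ratio * new


# Constructed sample messages (not taken from the list archive).
MSG_TOP_POST = "Me too!\n\n> line one\n> line two\n> line three\n"
MSG_SUBSTANTIVE = (
    "Nick FitzGerald wrote:\n"
    "> Simply bounce any message with more quoted lines than non-quoted.\n"
    "\n"
    "That is easy to automate: count lines, skip blanks and the trailer,\n"
    "and reject when the ratio exceeds a threshold.\n"
    "The signature separator below must not count either.\n"
    "\n"
    "-- \n"
    "Curt\n"
)
MSG_OUTLOOK = (
    "Thanks for the link.\n"
    "\n"
    "-----Original Message-----\n"
    "From: someone\n"
    "Sent: Monday\n"
    "Subject: test\n"
    "\n"
    "Body line one\n"
    "Body line two\n"
)

if __name__ == "__main__":
    for name, msg in [("top-post", MSG_TOP_POST), ("substantive", MSG_SUBSTANTIVE),
                      ("outlook", MSG_OUTLOOK)]:
        print(name, count_lines(msg), "bounce" if should_bounce(msg) else "accept")
```

The ratio is a heuristic, so a moderator would tune `max_ratio` rather than hard-bounce on exactly 1.0; a signature block without the "-- " separator (as in most messages in this thread) is counted as new content, which is the main way the check can be gamed.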


RE: [Full-Disclosure] Participation in System Administrator Survey

2003-07-17 Thread Curt Purdy
Well put Ron.  Stamatis actually did more work than most having dug my name
out of the SANS cert list a few weeks ago, which is why I took the time to
fill it out.  The more young minds we bring into this field, especially from
true academic research, the more we will all learn.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ron DuFresne
Sent: Wednesday, July 16, 2003 3:39 PM
To: Stamatis Bolakis
Cc: Schmehl, Paul L; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Participation in System Administrator
Survey



Stamatis' survey request has appeared in a number of lists, some with more
restrictive participation than this unmoderated forum.  I've seen a number
of such and participated in many over the years.  It's a fairly standard
avenue for students to join and read lists in areas of their choice of
study, as well as on occasion actually participating or requesting help in
gathering information for their studies.  We could well see more of these
kind of requests over time.  Some will respond to the requestor and help
them out, some will hit the delete key and move on.  Hopefully few will be
put off enough that the list floods for a few days of 'complaints and
counter complaints and claims of spamming', that we can tolerate another's
quest for knowledge and learning.

Thanks,

Ron DuFresne

On Wed, 16 Jul 2003, [iso-8859-7] Stamatis Bolakis wrote:

>
> You are absolutely right... I couldn't imagine or predict the impacts of
> my action. It was under my effort to reach some responses for my Survey...
> Of course I regret that...
>
> I feel this way to distribute a Survey also can run the risk of alienating
> people (e.g. being perceived as spamming), but I will never know what kind
> of success can be had without trying...
>
> Regards,
> Stamatis
>
>
> Stamatis Bolakis
> MSc Network Systems Engineering
> University of Plymouth, UK.
>
>
>
>
>

~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.



RE: [Full-Disclosure] Re: Cisco IOS Denial of Service that affects most Cisco IOS routers- requires power cycle to recover

2003-07-22 Thread Curt Purdy
If the packet expires in transit, i.e. TTL 1 sent to a router 2 hops away,
it never gets to that router.  It is not possible to fill a queue with a
packet that is dropped by the previous router. Check out "Internet Core
Protocols" from O'Reilly.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
[EMAIL PROTECTED]
936.637.7977 ext. 121



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 4:55 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Full-Disclosure] Re: Cisco IOS Denial of Service that affects
most Cisco IOS routers- requires power cycle to recover



> The kickup to supervisor level happens when the packet is targeted
> directly at the router's IP address (per first Cisco advisory) or just
> has its TTL expire in transit past the router (per revised Cisco
> advisory).

Has anyone been able to verify that the problem occurs when the TTL expires
"in transit"?

I've been able to get packets stuck on the input queue by sending to the
router's interface address, sending to  and  but
sending to a router two hops away with a TTL of 1 just gives me an icmp ttl
exceeded & nothing new stuck on the input queue.

Lee





Richard Johnson <[EMAIL PROTECTED]>
07/20/2003 03:20 AM
Please respond to rnews
To: [EMAIL PROTECTED]
cc:
Subject: Re: Cisco IOS Denial of Service that affects most Cisco IOS routers- requires power cycle to recover






In article
<[EMAIL PROTECTED]>,
 Tina Bird <[EMAIL PROTECTED]> wrote:

> information on the detailed structure of the evil packets in these
> protocols is not yet public AFAIK.


The router has problems if it receives a packet, content irrelevant,
that makes it to supervisor level claiming an IP protocol that it
doesn't have code to handle.

The kickup to supervisor level happens when the packet is targeted
directly at the router's IP address (per first Cisco advisory) or just
has its TTL expire in transit past the router (per revised Cisco
advisory).

Send enough packets (default 75), and the input queue is full.  hping is
enough of a launch platform for that--there's no need for
questionable-source exploit binaries when testing.


Richard

--
My mailbox. My property. My personal space. My rules. Deal with it.
http://www.river.com/users/share/cluetrain/






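The hop-by-hop behaviour that Curt, Lee and Richard are arguing about, as an added Python model (it is not code from the thread and not Cisco's forwarding code): each hop first checks whether the packet is addressed to it, otherwise decrements the TTL and forwards. A packet addressed to the router, or whose TTL expires at it, is punted to the supervisor level as Richard's summary describes, and only a packet carrying an IP protocol the box has no handler for stays in the input queue. Addresses, the handled-protocol set and protocol number 200 are constructed; the queue depth of 75 is the default the thread cites.

```python
"""Hop-by-hop TTL model: at which hop does a packet leave the forwarding path?
Added example; behaviour follows the thread's description of the advisory."""
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    address: str
    handled_protocols: frozenset          # IP protocol numbers the box has code for
    queue_limit: int = 75                 # default input-queue depth cited in the thread
    input_queue: list = field(default_factory=list)

    def receive(self, pkt):
        """Process one packet; return (verdict, packet to forward or None)."""
        # 1. Addressed to this router: goes to supervisor level.
        if pkt["dst"] == self.address:
            return self._punt(pkt, "delivered")
        # 2. Transit: TTL is decremented before forwarding; expiry also punts.
        if pkt["ttl"] <= 1:
            return self._punt(pkt, "ttl-expired")
        return "forwarded", dict(pkt, ttl=pkt["ttl"] - 1)

    def _punt(self, pkt, reason):
        """Supervisor-level handling: known protocols are consumed, unknown
        ones occupy an input-queue slot until the queue is full."""
        if pkt["proto"] in self.handled_protocols:
            return reason + ":handled", None
        if len(self.input_queue) >= self.queue_limit:
            return reason + ":queue-full", None
        self.input_queue.append(pkt)
        return reason + ":queued", None


def send(path, pkt):
    """Walk pkt along path (a list of Routers); return the per-hop verdicts."""
    trace = []
    cur = pkt
    for router in path:
        verdict, cur = router.receive(cur)
        trace.append((router.name, verdict))
        if cur is None:
            break
    return trace


def build_path():
    """Two-hop path with constructed addresses; both boxes handle ICMP/TCP/UDP."""
    common = frozenset({1, 6, 17})
    return [Router("R1", "10.0.0.1", common), Router("R2", "10.0.0.2", common)]


if __name__ == "__main__":
    path = build_path()
    # Curt's case: TTL 1 toward the router two hops away dies at the first hop.
    print(send(path, {"dst": "10.0.0.2", "ttl": 1, "proto": 6}))
    # Unhandled protocol (200, constructed) addressed to R2 reaches R2's queue.
    print(send(path, {"dst": "10.0.0.2", "ttl": 2, "proto": 200}))
    print("R2 queue depth:", len(path[1].input_queue))
```

Run as above, the TTL-1 packet produces a single verdict from R1 and leaves R2's queue empty, which is what Lee's ICMP time-exceeded reply and empty queue on the target router show; the in-transit case in the revised advisory concerns the hop at which the TTL actually reaches zero, so a defender watching input-queue depth needs to look at that hop, not only at the addressed router.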


RE: [inbox] RE: [Full-Disclosure] Dcom.c - (Shutting it down on 5,000 systems) - a Paul Schmehl Post

2003-07-30 Thread Curt Purdy
Along the same line read The Cuckoo's Egg by Stoll to see where a $.25
discrepancy can lead you when you have enough time and brains to dig.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
[EMAIL PROTECTED]



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Andy Wood
Sent: Tuesday, July 29, 2003 5:18 PM
To: [EMAIL PROTECTED]
Cc: 'Schmehl, Paul L'
Subject: [inbox] RE: [Full-Disclosure] Dcom.c - (Shutting it down on
5,000 systems) - a Paul Schmehl Post


   "Try sitting in front of the console staring at a half a million
alerts and see if the IDS *does* anything besides spewing information that
*you* have to research, that *you* have to interpret and that *you* have to
take action on." - Paul, if I'm not mistaken.

This is the CHIEF complaint of USERS that fail to comprehend how to
effectively deploy or use 1 or more IDSs in their environment.  This
shortsightedness leads to the inability to also use an IDS to provide
assistance to the non-security Windows/UNIX admins (spotting misconfigured
services as an example). 'How can I collect my overpriced salary, yet not
have to do any work'?  Let's bring this to another professional field.  'Ole
Paul goes to his doctor... something's amiss.  The Doc draws your blood and
there is surely something going on... something is in you wreaking havoc,
but he's not sure.  Maybe it is a mutated virus, a bacterial agent of some
sort... he just can't tell, never seen it before.  Oh well for
you... there's no machine to tell him and he's not into analyzing the
results... too many patients to be worried about one person with a strange
'issue'... no money in that!  Yeah right!  How about a Lawyer?  Will he
pass up his $300+ dollars/hr cause he has to research a case.  Nope just
lame Net Admins.  The research is the fun part of the job.  It keeps those
who like a challenge from putting a gun in their mouths and pulling the
trigger from dealing with the lamers.  But for those who like only to
collect a paycheck, well... I can imagine what a disruption from SLACKING it
must be to not have someone issue you an answer!!

It's really a shame people don't get it.  Our customers have
benefited GREATLY from IDS monitoring (and yes, it does require time and
effort).  Both inside and outside hackers have been caught, evidence
gathered and action taken.  Not by the machine, but by a human... and a
machine would not have caught these attempts, nor would IPS... it was done
by discovering and ANALYZING/RESEARCHING trends in allowed/authorized
traffic, creating special rules for the unknown, etc.  I.E., would you have
liked to have seen someone accessing your print servers?  Snort detects
this activity, as well as people trying to mod the displays of HP printers.
Since you allow unrestricted access to most of your print servers an IDS
WOULD prove beneficial!  After all, it was allowed web traffic... nothing
wrong with www traffic right, as per policy.  Thank God you need not rely on
forensic analysis... Talk about an unnecessary pain on the ass, whoo-doggie.
All the care required to ensure admissible evidence... it's just not worth
it, right?

There are cases which it is appropriate and safe to use
flexresp/shunting with IDSs to reject attacks, or stop use of services.  For
example, if you don't want your users using AOL, tcp reset the AOL login
packets... that'll stop em... if *you* stay on top of the AOL logon server
list, but we're back to the *you*, *you*, *you* part again... sorry.  It all
seems to go back to the admin's job.

Fixing user's font problems or catching a Mitnick wanna-be, let me
think... (Let them praise his name in the dance: let them sing praises unto
him with timbrel and harp... KEVIN, PAUL, KEVIN, PAUL, KEVIN, PAUL, KEVIN,
PAUL, KEVIN, PAUL... whoops, while you were reading this you were just
hacked... were you... do you know?)  Pick a packet, any packet.  It's like a
nursery rhyme:  Pauly should-a Picked Apart A Hack Attack Packet, but the
admin couldn't track the stack smack cause he lacks the faqs. So, as the
fast hacks fulfilled their 'Chronic' snacks attacks while surfing the campus
fibre backs and covering their syn-ack tracks, little pauly wishes he had a
tool that could keep him from playin the suck-a fool.  Adjunct for a
reason, are we?

See ya!


-Original Message-
From: Schmehl, Paul L [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 29, 2003 4:06 PM
To: Andy Wood; [EMAIL PROTECTED]

>-Original Message-
>From: Andy Wood [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, July 29, 2003 
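The kind of analysis Andy describes, finding something wrong inside allowed traffic such as an unexpected host reaching the print servers over web ports, as an added Python example (not from the thread, and not a Snort rule): it learns from a quiet period which sources normally reach each print server on printer-related ports, then flags any new source. The flow-log format, the addresses and the print-server list are all constructed for the example.

```python
"""Baseline-and-deviation check on allowed traffic to print servers (added example)."""
import re
from collections import defaultdict

# Ports a print server legitimately exposes: web UI, LPD, IPP, JetDirect raw.
PRINTER_PORTS = {80, 443, 515, 631, 9100}

# Constructed flow-log format: "<date> <time> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_flow(line):
    """Return a dict for a well-formed flow line, else None (bad lines are skipped)."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["sport"] = int(flow["sport"])
    flow["dport"] = int(flow["dport"])
    return flow


def learn_baseline(lines, print_servers):
    """Map each print server to the set of sources seen reaching it on printer ports."""
    baseline = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f and f["dst"] in print_servers and f["dport"] in PRINTER_PORTS:
            baseline[f["dst"]].add(f["src"])
    return dict(baseline)


def detect(lines, baseline, print_servers):
    """Return (src, dst, dport) for print-server access from a source not in the baseline."""
    alerts, seen = [], set()
    for line in lines:
        f = parse_flow(line)
        if not f or f["dst"] not in print_servers or f["dport"] not in PRINTER_PORTS:
            continue
        if f["src"] in baseline.get(f["dst"], set()):
            continue
        key = (f["src"], f["dst"], f["dport"])
        if key not in seen:            # one alert per new source/server/port
            seen.add(key)
            alerts.append(key)
    return alerts


# Constructed sample data: 10.1.9.x are print servers, 10.1.1.5 is the admin box.
PRINT_SERVERS = {"10.1.9.10", "10.1.9.11"}
BASELINE_LOGS = [
    "2003-07-29 09:00:01 10.1.1.5:40211 -> 10.1.9.10:80 tcp",
    "2003-07-29 09:00:07 10.1.1.5:40212 -> 10.1.9.10:9100 tcp",
    "2003-07-29 09:01:13 10.1.1.5:40213 -> 10.1.9.11:631 tcp",
    "2003-07-29 09:02:00 10.1.3.77:51000 -> 10.1.2.2:80 tcp",     # web server, not a printer
]
DETECT_LOGS = [
    "2003-07-30 14:10:02 10.1.1.5:40990 -> 10.1.9.10:80 tcp",     # known admin, no alert
    "2003-07-30 14:10:09 10.1.3.77:51120 -> 10.1.9.10:80 tcp",    # new source on printer web UI
    "2003-07-30 14:10:10 10.1.3.77:51121 -> 10.1.9.10:80 tcp",    # repeat, deduplicated
    "2003-07-30 14:11:44 10.1.3.77:51130 -> 10.1.9.11:9100 tcp",  # new source on raw print port
    "2003-07-30 14:12:00 10.1.3.77:51131 -> 10.1.2.2:80 tcp",     # web server, ignored
    "garbage line that does not parse",
]

if __name__ == "__main__":
    base = learn_baseline(BASELINE_LOGS, PRINT_SERVERS)
    for alert in detect(DETECT_LOGS, base, PRINT_SERVERS):
        print("new print-server client: %s -> %s:%d" % alert)
```

The baseline must come from a period you have reviewed by hand, otherwise an intruder already present is learned as normal; that review is the *you* part Andy keeps coming back to.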

Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)

2003-07-31 Thread Curt Purdy
I agree that Micro$oft must die, especially since they replaced the best OS
they ever made, W2K, with the insecure POS they call XP.  If they spent
another few years on 2K, they could have made it almost as good as *NIX.
Regardless of how you feel about the .NET concept (personally I feel
distributed code is a security nightmare waiting to happen) 2003 server is
an improvement.  You can actually run it more than 30 days without
rebooting!  Unfortunately the first product of the "Trusted Computing
Initiative" is still a victim of the worst vuln in history...

As for Perl, I think you have unfairly diss'd the language.  It is as
flexible and unstructured as my life and if you don't think it is powerful,
check out popfile http://popfile.sourceforge.net/, in my opinion the best
anti-spam program out there. Very intelligent, learns quickly, and is based
on Bayesian theory.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
[EMAIL PROTECTED]
936.637.7977 ext. 121



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dan
Stromberg
Sent: Monday, July 28, 2003 10:47 AM
To: David R. Piegdon
Cc: Dan Stromberg; [EMAIL PROTECTED]
Subject: [inbox] Re: Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)


On Sun, 2003-07-27 at 12:25, David R. Piegdon wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
>
> IMHO it is TIME to sue corporations like microsoft for their stupidity
>  - and their belief that people/customers are even more stupid.
> they sell their software and tell about their "great security-concepts",
> but they actually do nothing about it.

Actually, much as I absolutely despise microsoft (I'd be overjoyed for
weeks if they closed doors permanently), they -are- doing a lot about
security.

For the short term, they're sending (have sent?) all their programmers
to security training.  This is but a band-aid, but it is considerably
better than nothing, and better than the opensource movement is likely
to emulate (fully), simply because the places where programmers learn
programming generally don't take this seriously.

For the long term, and more importantly, they're pushing a move to
interpreted languages, meaning .net.  .net is evil.  .net must die.  But
.net makes a lot of sense which we should not fail to learn from.

I cannot emphasize enough that the opensource crowd (of which I am a
part) needs to learn from this.  Stop writing software in crappy
languages like C if you want it to sit next to the network on a machine,
and possibly even if you're only running in the soft, chewy center.

Give up languages that make buffer overflows too damn easy.  It's not
enough to say "the programmer should know better", because OBVIOUSLY
many do not.  Use python.  Use ML or a variant.  Use lisp.  If you have
to use that excuse for line noise called perl, go ahead.  Anything that
doesn't put the programmer perilously close to buffer overflows!  Turing
(which is designed from the beginning for safe systems programming) or
Modula-3, or Eiffel or Sather are good too, if you absolutely cannot
give up the speed of a compiled language.  The latter three all have
respectable free implementations available for linux and others, as do
all of the interpreted languages mentioned.  They make vastly more sense
than C.

Even if -you- know what you're doing as a developer, that -doesn't- mean
that every last maintainer that comes after you will.

So yes, microsoft reeks to the sky, but it's not true to say that
they're doing nothing about their security problems.  Weak arguments
against microsoft posed as strong ones hurt opensource's credibility.

--
Dan Stromberg DCS/NACS/UCI <[EMAIL PROTECTED]>




RE: [inbox] Re: [Full-Disclosure] Reacting to a server compromise

2003-08-03 Thread Curt Purdy
Negative.  Ghost is as capable of making a bitwise copy of a drive (one of
two modes it has) as is dd in *NIX.  It is perfectly admissible in all
courts I know, as long as it is done quickly after compromise.  Standard
procedure (as little as there is standard in this young but quickly maturing
field) dictates you make an immediate initial dd copy for the court.  Then
make as many working dd's as necessary for forensics.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Senior Systems Engineer
Information Security Engineer
DP Solutions
[EMAIL PROTECTED]
936.637.7977 ext. 121



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Saturday, August 02, 2003 9:33 PM
To: [EMAIL PROTECTED]
Subject: [inbox] Re: [Full-Disclosure] Reacting to a server compromise


On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:

> If this happens again, I would probably make a copy of the hard drive,
> or at the very least the log files since they can be entered as
> evidence of a hacked box.

Under most jurisdictions, an ordinary disk image produced by Norton Ghost
etc. using standard hardware is completely inadmissible in court, as it is
impossible to make one without possibly compromising the integrity of the
evidence. The police etc. use specialised hardware for making such copies,
which ensures that the disk can't have been altered.


RE: [Full-Disclosure] f-prot not catching mimail ?

2003-08-03 Thread Curt Purdy
As soon as I saw this email I terminaled into our SMTP server and saw
F-Secure grabbed the first mimail on July 27, a week ago.  The reason I was
so shocked by this email, is that in the 14 years I have been fighting
viruses, and have used everything, I saw multiple instances of Norton and
McAfee either not finding or not removing a virus.  But in all that time I
have never found one that got by F-Prot, then later F-Secure, which is why
it is the only AV we use from firewall to mail server to desktop.

If it sounds like I'm prejudiced, it's because I am.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
[EMAIL PROTECTED]
936.637.7977 ext. 121



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mike Tancsa
Sent: Saturday, August 02, 2003 1:34 PM
To: [EMAIL PROTECTED]
Subject: [inbox] [Full-Disclosure] f-prot not catching mimail ?



I have a few copies of the mimail virus from yesterday that f-prot even
with its latest updates do not catch.  Both the Windows and FreeBSD version
fail to identify the two main variants I have got sent my way.

e.g.
avscan1% md5 *.DEF
MD5 (MACRO.DEF) = fc09bc864e62639bc3424e3425083421
MD5 (SIGN.DEF) = a5d8c14285b2c866e3261421f7f3a0d2
MD5 (SIGN2.DEF) = 12c403a108c398aeaca01a2a4da68de4
avscan1% f-prot -verno
F-PROT ANTIVIRUS
Program version: 4.1.0
Engine version: 3.13.3

VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 1 August 2003
MACRO.DEF created 28 July 2003
avscan1%


avscan1% f-prot message*.html
Virus scanning report  -  2 August 2003 @ 14:29

F-PROT ANTIVIRUS
Program version: 4.1.0
Engine version: 3.13.3

VIRUS SIGNATURE FILES
SIGN.DEF created 1 August 2003
SIGN2.DEF created 1 August 2003
MACRO.DEF created 28 July 2003

Search: message.html message2.html
Action: Report only
Files: Attempt to identify files
Switches: 


Results of virus scanning:

Files: 2
MBRs: 0
Boot sectors: 0
Objects scanned: 0

Time: 0:00

No viruses or suspicious files/boot sectors were found.
avscan1% md5 message*.html
MD5 (message.html) = d1f0f5dd1f4ebbeebbd61e884ed1669c
MD5 (message2.html) = d7b72f9b8370aa3b132069a878b5b5c8
avscan1%

These are both caught by other scanners but passed by f-prot.  Anyone with
f-prot successfully identify this virus ?

avscan1% f-prot -virlist | grep -i mimail
[EMAIL PROTECTED]
JS/Mimail.dropper
avscan1%

I sent email yesterday about this to frisk, but just got a "we will submit
to the lab."  That was before their update so I wonder if they figure they
are covered.

---Mike

Mike Tancsa,  tel +1 519 651 3400
Sentex Communications,[EMAIL PROTECTED]
Providing Internet since 1994www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike



RE: [inbox] Re: [Full-Disclosure] Reacting to a server compromise

2003-08-03 Thread Curt Purdy
Jennifer, I made a reply to someone disagreeing with your statement on
copying the drive, supporting your contention.  However, most courts will
not accept log files on magnetic media as evidence due to the ease of
alteration.  This is why we collect all logs on a central syslog server that
writes directly to write-once media.  That is irrefutable evidence.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
[EMAIL PROTECTED]
936.637.7977 ext. 121



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jennifer
Bradley
Sent: Saturday, August 02, 2003 10:38 AM
To: [EMAIL PROTECTED]
Subject: [inbox] Re: [Full-Disclosure] Reacting to a server compromise


Also, don't forget to document everything!  You have no idea if this
box was used for truly illicit purposes, instead of just trying to
break into other machines.

If the hacker was using your box to distribute child porn, mp3s, or
warez then you will look like the guilty party.

Just to be on the safe side, make sure you keep a record of everything
you do just to cover yourself.  It sounds too late to make a copy of
the hard drive, and I don't know if this means contacting the FBI, but
they won't care unless $5000 worth of damage is done.  But at the very
least write everything you can down in a journal so that if the police
ever do come knocking on your door because child porn or something was
distributed, then at least you have something as documentation.

If this happens again, I would probably make a copy of the hard drive,
or at the very least the log files since they can be entered as
evidence of a hacked box.

jb


RE: [inbox] [Full-Disclosure] Reacting to a server compromise

2003-08-03 Thread Curt Purdy
Although the answer may be more in coming from an attorney than from a tech,
IMHO your legal responsibility is to inform both owner of the box as well as
victims.  As long as you show "best effort" in reporting you should be
all right.  But, particularly with medical victims that must conform to
HIPAA, there could be serious ramifications if you don't.

Keep in mind that it is trivial to find out it was that box, if
investigators from the victims/compromised patients decide to run it down.
That is why the cracker used that box to start with, so he couldn't be
tracked.  That box will be your best evidence for defense (hoping you had
enough sense not to reformat it.)

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
[EMAIL PROTECTED]
936.637.7977 ext. 121



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mark
Sent: Friday, August 01, 2003 10:39 PM
To: [EMAIL PROTECTED]
Subject: [inbox] [Full-Disclosure] Reacting to a server compromise


Hello list,

  In light of the current state of the internet with the DCOM vuln, I
would like to ask for some advice on a situation I had at work.

A little while ago (but before the DCOM vuln was released) I had a Win2k
box hacked.  The box was outside our firewall, running minimal
services (ftp/www/smtp - gateway only) and was set to download/install
everything it could via Auto-updates.  Apparently I didn't reboot it
often enough for all of the updates to take effect.

Personally I really don't care how the hacker got in, as the box has now
been replaced with a hardened Linux server, and when the attacker had
control, they were still outside our firewall.  The attacker created a
user account with admin privs, installed a trojan, disabled all network
access to any users except this new account, and proceeded to hack other
vulnerable NT machines out on the net.  I found a list of about 100 IPs
with usernames and passwords that were either blank or the same as the
username.

My question is: Do I report this, and run the risk of the Feds charging
me because these attacks originated from my subnet?  Do I inform the
owners of the machines that were hacked that their systems have been
compromised? Judging from the usernames, some of these machines belonged
to doctors offices, and may contain sensitive information.  Or should I
just have a nice cup of STFU, and pretend nothing happened?

Before the flames start about how I'm such a lazy admin, I'd like you to
know that I'm a developer full-time for a small company with a small
budget and I manage the network with my "free" time.  Yes it was stupid
to stick a windows box out on the net without a firewall.  I tell people
all the time the same thing, maybe I'm just a sadist that likes watching
M$ boxes get hacked, I don't know.  But in that instance I really didn't
care.

I'd appreciate any comments anyone has

Thanks,
Mark




RE: [inbox] Re: [Full-Disclosure] Reacting to a server compromise

2003-08-04 Thread Curt Purdy
Actually the traditionally accepted court evidence is real-time printouts of
data received by the syslog server.  We ran out of room to store the paper
and went to write-once cd's.  We are looking at going to DVD to cut down on
disk changes.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
[EMAIL PROTECTED]
936.637.7977 ext. 121



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke



-Original Message-
From: Michal Zalewski [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 03, 2003 4:07 PM
To: Curt Purdy
Cc: 'Jennifer Bradley'; [EMAIL PROTECTED]
Subject: RE: [inbox] Re: [Full-Disclosure] Reacting to a server
compromise


On Sun, 3 Aug 2003, Curt Purdy wrote:

> Jennifer, I made a reply to someone disagreeing with your statement on
> copying the drive, supporting your contention.  However, most courts
> will not accept log files on magnetic media as evidence due to the ease
> of alteration.  This is why we collect all logs on a central syslog
> server that writes directly to write-once media.  That is irrefutable
> evidence.

Or that someone spoofed a log message to your central log server, or that
someone messed with the log server itself to log fake entries?

What is your write-once media? Does it ensure integrity of the data stored
(so that it is evident when a printout or a cd or whatnot is replaced)?
If not, it's hardly "irrefutable". If yes, what was the cost of this
device and how many businesses can afford one?

Besides, what do your logs prove? That someone sent packets with some poor
guy's IP address as a source?

Most courts - IANALBMSUTO - will accept electronic logs, although they
usually expect them to be confirmed by several sources (i.e. the attacked
host, your ISP) and backed with an official expert opinion to be of any
value.

Still, hardly evidence that the owner of the box was in control of the
application that sent the offending traffic. The hard evidence comes from
a different source, usually.

--
- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--- 2003-08-03 22:54 --




___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: [Full-Disclosure] Reacting to a server compromise

2003-08-04 Thread Curt Purdy
HIPAA has made it a new world.  The attorneys are already salivating and
trying to dig up any potential "victims" they can find; look to Arizona as
an example.  Since this box was used to attack doctors' records, there is a
good chance its tracks will be found.  This guy's got two options: either
don't touch the box, play dumb, and hope the cracker doesn't know how to
cover his tracks (unlikely), or dd the drive, take the box offline (in that
order in case it has a smart-bomb planted), and notify notify notify.

We are instituting IDS and logging systems for healthcare customers every
day and are finding attacks that they would not have even guessed at a year
ago.  By law they must keep their logs three years, plenty of time for even
scumbag lawyers to find it.  If you have done due diligence, you will be a
sitting duck.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
[EMAIL PROTECTED]
936.637.7977 ext. 121



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Aron
Nimzovitch
Sent: Sunday, August 03, 2003 12:28 PM
To: [EMAIL PROTECTED]
Subject: [inbox] Re: [Full-Disclosure] Reacting to a server compromise




No good deed goes unpunished.

Been there, tried that, nearly got hit with a lawsuit (IMMEDIATE
threat from the suit involved).  If the suits running the place had
half a brain between them, your "info" would be unnecessary.

If you cannot prove 'beyond a reasonable doubt' that you did not
conduct the attacks yourself and then post this BS as a coverup, you
will be overrun, no matter how "white" you might be.  Better have deep
pockets to proceed, or get the noobs here telling you to "tell all" to
pony up to your defense fund.  Ask Randall Schwartz about it sometime.

Welcome to the real America!
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] [Full-Disclosure] Re: Reacting to a server compromise

2003-08-04 Thread Curt Purdy
Doing a disk dd with *NIX or a bitwise ghost does not compromise the data
(other than in the quantum sense of not being able to observe an electron
without changing its orbit). If this is the rigor you would impose then any
copying, including your "specialized police hardware", would fall under the
same restriction.  Although I am not familiar with this hardware, most law
enforcement I know use Encase, a $30K dd with a few analysis tools thrown
in.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Alexandre
Dulaunoy
Sent: Sunday, August 03, 2003 2:01 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [inbox] [Full-Disclosure] Re: Reacting to a server compromise


On 03/Aug/03 12:33 +1000, [EMAIL PROTECTED] wrote:
> On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:
>
> > If this happens again, I would probably make a copy of the hard drive,
> > or at the very least the log files since they can be entered as
> > evidence of a hacked box.
>
> Under most jurisdictions, an ordinary disk image produced by Norton Ghost etc
> using standard hardware is completely inadmissible in court, as it is
> impossible to make one without possibly compromising the integrity of the
> evidence. The police etc use specialised hardware for making such copies,
> which ensures that the disk can't have been altered.

Getting evidence by reading (via any software or hardware solution)
may compromise the integrity of the evidence. I would like to know the
difference between for example a (s)dd and the specialised hardware
that you talk about? Do you have any references?

Preserving the scene integrity is really difficult. You have to
minimize the intrusion to the scene. On computer hardware it is really
difficult... Using a hardware device that doesn't change the scene too
much is difficult... (think of a compromised disk firmware).

And the worst, sometimes we see something that doesn't exist at
all. Forensic analysis is the land of illusion...

just my .02 EUR.

adulau

--
--   Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- http://pgp.ael.be:11371/pks/lookup?op=get&search=0x44E6CBCD
-- "Knowledge can create problems, it is not through ignorance
--that we can solve them" Isaac Asimov

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: [Full-Disclosure] Reacting to a server compromise

2003-08-08 Thread Curt Purdy
The key here is to have the paper handled by only one person and witnessed
by another, and the access to that paper by only that person.  Therefore the
validity of the printouts is as sound as that person.  As long as that
person cannot be repudiated, neither can the printouts.

That is also applicable to the optical media we now use, with one person
responsible for handling and storage with a reliable witness.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Michal
Zalewski
Sent: Tuesday, August 05, 2003 2:46 AM
To: Curt Purdy
Cc: 'Jennifer Bradley'; [EMAIL PROTECTED]
Subject: RE: [inbox] Re: [Full-Disclosure] Reacting to a server
compromise


On Mon, 4 Aug 2003, Curt Purdy wrote:

> Actually the traditionally accepted court evidence is real-time printouts of
> data received by the syslog server.

So what would stop anyone from replacing some of the printouts after the
fact?

It's pretty much as insecure as log files in terms of being susceptible to
tampering with by the alleged victim (although less susceptible to remote
manipulation by the attacker after the fact, true).

--
- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--- 2003-08-05 09:43 --

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
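Zalewski's question above, whether the stored logs make it evident when a record has been replaced, can be answered at the logging layer rather than by the medium: if each stored syslog record carries the digest of the record before it, and the final digest is what gets printed or burned, a replaced, removed or truncated record breaks the chain. The hash-chain example below is added here and is not from any poster; the syslog lines are constructed.

```python
"""Tamper-evident (hash-chained) syslog records.

Each stored record carries the SHA-256 digest of the previous record, so
replacing, inserting or removing a record breaks the chain at that point.
The final digest (the "head") is the one value that needs to go onto the
printout or write-once disc; comparing against it also detects truncation.
Added example, not code from the thread; the log lines are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64  # the "previous hash" of the very first record


def record_digest(prev_hash, seq, line):
    # Canonical JSON so (prev, seq, line) cannot be re-split ambiguously.
    payload = json.dumps([prev_hash, seq, line], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def chain_records(lines):
    """Wrap raw syslog lines into chained records, in arrival order."""
    records, prev = [], GENESIS
    for seq, line in enumerate(lines, start=1):
        digest = record_digest(prev, seq, line)
        records.append({"seq": seq, "prev": prev, "line": line, "hash": digest})
        prev = digest
    return records


def head_hash(records):
    """The value to print or burn alongside the batch."""
    return records[-1]["hash"] if records else GENESIS


def verify_chain(records, expected_head=None):
    """Recompute every link.  Returns (ok, problem); problem is None when the
    chain is intact, otherwise a string naming the first inconsistency."""
    prev, expected_seq = GENESIS, 1
    for rec in records:
        if rec["seq"] != expected_seq:
            return False, "sequence gap before record %d" % rec["seq"]
        if rec["prev"] != prev:
            return False, "record %d does not link to its predecessor" % rec["seq"]
        if record_digest(prev, rec["seq"], rec["line"]) != rec["hash"]:
            return False, "record %d content does not match its digest" % rec["seq"]
        prev, expected_seq = rec["hash"], expected_seq + 1
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch: records were truncated or appended"
    return True, None


# Constructed sample syslog lines (hostnames and addresses are made up).
SAMPLE_LINES = [
    "Aug  3 14:07:01 gw1 sshd[412]: Failed password for root from 10.0.0.5 port 40111 ssh2",
    "Aug  3 14:07:03 gw1 sshd[412]: Accepted password for backup from 10.0.0.7 port 40112 ssh2",
    "Aug  3 14:07:09 gw1 sudo: backup : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "Aug  3 14:07:15 gw1 sshd[412]: Disconnected from 10.0.0.7",
]


def tamper_demo():
    """Exercise the manipulations the thread worries about: replacing a
    record after the fact, deleting one, and quietly truncating the tail.
    Returns the verdict of verify_chain for each case."""
    records = chain_records(SAMPLE_LINES)
    head = head_hash(records)  # this is what would be printed or burned
    results = {"intact": verify_chain(records, head)}

    # 1. Rewrite the source address in record 2 after it was logged.
    replaced = [dict(r) for r in records]
    replaced[1]["line"] = replaced[1]["line"].replace("10.0.0.7", "10.0.0.9")
    results["replaced"] = verify_chain(replaced, head)

    # 2. Drop record 2 entirely and renumber so there is no obvious gap.
    deleted = [dict(r) for r in records if r["seq"] != 2]
    for i, r in enumerate(deleted, start=1):
        r["seq"] = i
    results["deleted"] = verify_chain(deleted, head)

    # 3. Lose the last record; every link is still valid, only the head tells.
    results["truncated"] = verify_chain(records[:-1], head)
    return results


if __name__ == "__main__":
    for case, (ok, problem) in tamper_demo().items():
        print("%-9s ok=%s %s" % (case, ok, problem or ""))
```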


RE: [inbox] Re: [Full-Disclosure] Hard drive images

2003-08-09 Thread Curt Purdy
Actually the preferred method is to dd one or more copies for forensics and
use the original in court if you are able to immediately shut that box down
afterward.  However, if it is a mission-critical box that cannot immediately be
brought down, it is preferable to use that first copy for evidence and make
multiple copies of it for forensics.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Craig Pratt
Sent: Tuesday, August 05, 2003 5:27 PM
To: Ron DuFresne
Cc: David Hayes; [EMAIL PROTECTED]
Subject: [inbox] Re: [Full-Disclosure] Hard drive images



On Tuesday, Aug 5, 2003, at 13:23 US/Pacific, Ron DuFresne wrote:
> On Tue, 5 Aug 2003, David Hayes wrote:
>
>> Our old standby, "dd", is perfectly acceptable for making an image of
>> a hard drive to be used in court.  It's even the #1 choice of the FBI,
>> and accepted by U.S. federal courts.  From the trial court order on
>> admission of evidence in the case of Zacarias Moussaoui (the accused
>> 20th hijacker of 9/11):
>>
>
> Interesting, I would have thought that the original was required for the
> courts, and that forensics was conducted on the copy.
>
> Thanks,
>
> Ron DuFresne

I believe there are ways to recover data at the physical/magnetic level
- magnetic  remnants of previously-deleted data, for instance - which
would require access to the original platters. I read an article about
this somewhere - would have to be SciAm or /.

C

---
Craig Pratt
Strongbox Network Services Inc.
mailto:[EMAIL PROTECTED]
dtmf:503.706.2933


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: Fwd: Re: [Full-Disclosure] Administrivia: Binary Executables w/o Source

2003-08-19 Thread Curt Purdy
FWIW I disagree with any moderation at all.  If I have to put up with all of
the stupid fat on here to get the meat that does come, I can take care of
myself with executables.  If someone is afraid of getting hacked, they have
no business on this list.  The only downside I see is network bandwidth
usage, and if Micro$oft would kindly go out of business, program size would
again become manageable.

The point is, this is a FREE forum, one of the few left in the world.  That
was the original concept of the Net and we must all work hard to protect
that freedom, whether from governments or from crackers.  That's my .02 of
bandwidth usage.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity adviser Richard Clarke


On 19 Aug 2003, Russell Fulton wrote:

snip

> How about attachments invoke automatic moderation  (i.e. any messages
> with attachment get shunted to the moderator for approval).
>

This sounds like a decent workgap, if the moderators are going to wish to
invest the added resources.  Of course, it might be expanded if they are
willing to provide more resources, and rather than decide to approve
binaries, to post it to a website themselves, thus not *offending* anyone
silly enough to execute them, and allowing readers to decide if grabbing it
is of merit to them.  This does make an argument about enabling idiots to do
more stupid things, but, then again, they are most likely already available
to these folks already...

Thanks,
Ron DuFresne
~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] [Full-Disclosure] What Antivirus Should I Get

2004-03-22 Thread Curt Purdy
Nancy Kramer wrote:
> I would like list members to suggest what anti virus software
> I should
> get.

I have been fighting virii for 15 years, longer than either Norton or McAfee
have been.  Back then, they were mostly passed by sneakernet.  Over the
years, I have found multiple instances when fully updated versions of both
Norton and McAfee either could not find or could not remove a virus.  I have
not found one time that F-Prot, now F-Secure, could not find and remove all
virii.

They were the first anti-virus company in the world, and IMHO still the
best.  On the technical side, one of their engines (they have 3) operates at
the very lowest level of I/O, immediately scanning a file as it comes off
the disk, before it enters memory or interacts with the OS.  This makes it very
fast and very efficient.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] [Full-Disclosure] Possible Comprimised IIS 5 on Win2k help

2004-03-24 Thread Curt Purdy



[EMAIL PROTECTED] wrote:
> I think my IIS 5.0 (Win2k) server has been compromised. I would like to do some
> forensics on it to find out how the person got in. I don't want to re-image the
> machine and find out he set up a backdoor through the code and not the o/s

Get Vision from Foundstone as a good start, locate the illicit services and
files.  Do a date search several days around those shown by the services.  Once
you've found all the files (hopefully), Google until you've found what you've
got and figure out how it got there and how to clean it.  Also tools like
strings are good for analyzing non-text files, as well as many other tools
from SysInternals.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke



RE: [inbox] [Full-Disclosure] stenagrophy software recommendations

2004-03-25 Thread Curt Purdy
[EMAIL PROTECTED] wrote:
> i'm looking for a very simple, reliable, small (certainly less than 1mb),
> must-have gui, windows, steganographic encryption program. i'd appreciate
> any recommendations.

There's a nice list at: http://www.jjtc.com/Steganography/toolmatrix.htm

Although steganography has close links to crypto, they are different.  Where
crypto hides data behind encryption, stego hides it in plain sight.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: [Full-Disclosure] Training & Certifications

2004-04-03 Thread Curt Purdy
Robert Repp wrote:
> I'd like to be able to point out a credible
> authority whose
> training informs our work.

> I agree that the
> right people and
> skillset is much more important than simply having the right
> certs on the
> lobby wall. Side question: Is there a reliable test you favor when
> interviewing new techs about network administration?

I'm not an authority on training as the only training I've had is SANS, but
I can vouch for the quality of it.  My hat size was two sizes bigger when I got
out of there ;)

But I can talk about hiring qualified people for both sysadmin and security
work.  Although a bunch of letters behind the name don't mean everything
(even if they are PhD), when I see certain letters, I do pay closer
attention.  But when it comes to a decision, I usually make it from a 15
minute interview where I ask a series of 5-10 increasingly difficult
questions.

I'll break the ice by starting with something facetious like "What is the
first thing you do with a Windows box and the last thing you do with a *NIX
box when you have trouble?" Answer: reboot. Then I'll go with something like
"How do you see what ports are open and to whom on a Windows box?"  Progress
to "What is a tcp/ip 3-way handshake?", and "How do you disable remote root
access on a *NIX box?", and culminate with something like "What is a regular
expression?"

For sysadmins, I ask easier, more system-specific questions, but for
security I ask broad, tough questions because of the requirements of the
field. I have only had one person so far answer all correctly.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: [Full-Disclosure] Training & Certifications

2004-04-04 Thread Curt Purdy
Harlan Carvey wrote:
> > I'm not an authority on training as the only
> > training I've had is SANS, but
> > I can vouch for the quality it.
>
> Any particular instructors?

I had Eric Cole and was very impressed with his knowledge, experience, and
teaching style.  He was in the process of getting his doctorate in
steganography and his experience included a stint with the CIA.

> > ...when I see certain letters, I do pay closer
> > attention.
>
> Which ones?

Like the ones behind my name ;)  Actually the one I've always wanted, CCIE,
I'll likely never get because of the time and resources you need to dedicate
to it.

> "What is the
> > first thing you do with a Windows box and the last
> > thing you do with a *NIX
> > box when you have trouble?" Answer: reboot.
>
> In the real world, rebooting a Windows
> box isn't the first thing you should be doing.

Au contraire, the first thing we do when we go onsite to work on a Windows box
is ask my client to reboot it first, particularly if it is a server, as
occasionally they do not come back up, and we do not want to be blamed
just because the OS is unstable (we have never had a problem with *NIX or
Netware, or AS/400 for that matter).  Also 90% of the time, that simple
rebooting fixes the problem they had (again attributable to a flaky OS).  Of
course if this is a production box that is still online and working, we arrange
to do this off-hours. This is the reason all our in-house servers are UNIX
and Netware and 90% of our desktops are Linux (I prefer SuSE from a security
standpoint.)

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: [Full-Disclosure] Training & Certifications

2004-04-04 Thread Curt Purdy
Harlan Carvey wrote:
> With that said, the most notable Security
> > cert would have to be CISSP.
>
> The CISSP may be useful for Robert's upper-level
> folks, but it's really more of a management level
> cert.

Agreed, the CISSP is wide and shallow and management-oriented, the SANS GIAC
certs are narrow and deep and engineering-oriented, although they do offer a
management-oriented one also. The GSEC that I have is the widest and still
fairly deep cert they offer.  FYI, of the two, I found the CISSP much easier
to pass.  I only put it up front because it seems to be more respected,
being the oldest of the security certs and now requiring a bachelor's degree
as a prerequisite.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] ron1n phone home, episode one, reloaded

2004-04-04 Thread Curt Purdy
Bugtraq Security Systems wrote:
> We at BSS (Bugtraq Security Systems) are proud to announce
> the publication
> of a series of next generation whitepapers detailing advances in many
> areas of the information security realm. We have dubbed this
> series the
> guides to Mostly Harmless Hacking and feel it will direct new
> and upcoming
> talent onto the shining path of the whitehat way.


Very cool concept.  Kind of like learning to hack with a conscience.
Although I am a "security professional" and have been hacking since back in
the BBS days (but never cracked without prior authorization, but have to
admit it is the most fun short of sex when you do, and get paid for it), I
am looking forward to future chapters.  I might even learn something ;)

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: The Return of Carolyn Meinel (was Re: [Full-Disclosure] ron1n phone home...)

2004-04-05 Thread Curt Purdy
Etaoin Shrdlu wrote:
> Oh. My. God. I thought that the first post was a delayed April Fool's
> Prank. I feel as though the world has been stood on end. This
> is posted (in
> part) by none other than Carolyn Meinel

> Man, you haven't been around long.

Jeez, did not mean to get in the middle of this.  Obviously Ms. Meinel has
pissed off a few people in the past.  Actually I have been around long and
have the grey hair to prove it. Just never participated in the chat room
underground, too busy learning to build tcp packets from scratch ;)

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] MCSE training question

2004-04-05 Thread Curt Purdy
Hello list,

I have a friend who wants to take an MCSE bootcamp (I know, tried my best to
get him to switch to Novell Certified Linux Engineer, but he wouldn't listen
;)

If anyone has had experience with one of these and would care to give me
their opinion of that company, I would appreciate the rec or unrec as the
case may be.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] A sucker is born every day

2004-04-05 Thread Curt Purdy



Carolyn Meinel wrote:
> Stories in the New York Times and Vanity Fair quoted the FBI
> saying Martin was wrong, but what does the FBI know? Jay Dyson
> tells you to believe, so believe you must, because it is cool.

I don't intend to get in the middle of the crossfire here, but I just wanted
to say that whatever the past holds is irrelevant to me, as it is hard enough
to hold onto the present these days.  After all, reality is relative; in fact
Jacob Bekenstein in Scientific American put forth that reality may actually
be a hologram.

Be that as it may Carolyn, I like the idea of what you are doing.  I wish I
had a chance to tell that to St. Jude before she crossed over into the OneNet.
We all know that knowledge is good and self is bad.  Anything we can do to
pass that knowledge along with the installation of the responsibility that
knowledge carries, I am for.  Keep up the good work granny hacker from heck.

Curt

Practice safe hex. - Andrew Briney, editor Information Security

 
 


RE: [inbox] [Fwd: Re: [Full-Disclosure] MCSE training question]

2004-04-07 Thread Curt Purdy
Alexander MacLennan wrote:
> A certificate is intended to give you the skills to operate a
> particular
> product or suite of products. The certificate may or may not
> teach you
> the fundamentals behind the product.

Actually that only applies to vendor certs like MCSE.  Both CISSP and GIAC
certs are in a different class of certs that apply to technologies, not
products, i.e. information security, auditing, and even in the case of CEH
(which I would not touch with a 10-foot pole), hacking.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Training & Certifications

2004-04-07 Thread Curt Purdy
[EMAIL PROTECTED] wrote:
> Curt, you didn't define the case scenario for the first thing you do
> on a windows box.
>
> One would hate to reboot a box and lose any valuable evidence
> of an intruder
> or otherwise incriminating material.


Of course id3nt, my bad, and it apparently caused a good deal of
misunderstanding.  I was referring to our troubleshooting Windows problems,
not security forensics.  When we are called to a site to work on a problem
with a Windows server related to networking/performance/system problems, not
security issues, the first thing we do is ask the sysadmin to reboot the
device.

We have learned this over the years: you basically can't make any change in
Windows without rebooting, and the look on the client's face when it comes
back with a bluescreen, not caused by anything you have done, is not a
pretty sight. And then spending the rest of the night rebuilding the
system and not getting paid for it because the client "knows" the bluescreen
was caused by us is not fun.

We have never once had this happen on a *NIX or Netware box.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] [Full-Disclosure] ROSI

2004-04-07 Thread Curt Purdy
n30 wrote:
> Any good links/pointers to ROSI (Return on security investment)?

Here's what I've got:

ROSI

A classic argument is that there is similarly no clear return on life
insurance, but that doesn't stop most of us from buying it; still,
attempting to formulate operational-security ROI may be a lost cause.

Assign values to everything from tangible assets (measured in dollars with
depreciation taken into account) to intangible assets (measured in relative
value, for example, software A is three times as valuable as software B).
Different types of hacks were assigned costs according to an existing and
largely accepted taxonomy developed by the Department of Defense. Annual
Loss Expectancy (ALE) was figured. ALE is an attack's damage multiplied by
frequency.

Determining cost-benefit

(R-E) + T = ALE
R-ALE = ROSI

R = the cost per year to recover from an intrusion
E = the savings gained by stopping the intrusion
T = the cost of the intrusion detection tool
ALE = the Annual Loss Expectancy
ROSI = Return On Security Investment

www.csds.uidaho.edu/director/costbenefit.pdf

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: [Full-Disclosure] Cisco LEAP exploit tool...

2004-04-14 Thread Curt Purdy
Ron DuFresne wrote:
> >  we are considering
> > implimenting an EAP encrypted AP directly on the lan, and I
> am looking for
> > reasons to say it should be DMZed.
>
> All wireless traffic should be treated as unsecured, and
> pushed through a
> DMZ/encryption tunneled setup.


Agreed.  If the packets/hashes can be accessed they can be compromised.
"Unbreakable" has been touted from the 48-bit Netscape encryption that took
USC's distributed network a week to crack, to Oracle 9i that took one day to
compromise, I believe.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] The new Microsoft math: 1 patch for 14 vulnerabilities, MS04-011

2004-04-14 Thread Curt Purdy
Exibar wrote:
> Do the world a favor and hide behind your precious little
> *nix machines
> and *think* that you're immune to patching and security holes
> while the "bad
> guys" happily take over your systems, one by one

Got you all beat with my newest and most beloved desktop, namely a dual G5
Mac running Panther OSX.  One of, if not THE most secure *NIX kernels, BSD,
known for having the fewest vulns, combined with THE most awesome gui
around.

Toss in nice features like an auto patcher that drops a prominent dialog
in the middle of your screen the moment it detects a patch, and the ability
to have a terminal session where you can execute all the *NIX commands and
scripts you're used to, and I have everything in a desktop I've always
wanted.

In addition to being blazingly fast, and an OS that has had one virus in 5
years, the aluminum box looks really cool.  I'm in love.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: [Full-Disclosure] Cisco LEAP exploit tool...

2004-04-15 Thread Curt Purdy
Amaury Jacquot wrote:
> > To get a 2.4 Ghz signal to travel 7 miles you would have to
> install an
> > amplifier to boost the output to somewhere between 5 to 10
> watts
>
> not exactly
> in fact, you don't need amplifiers in most cases.
> you don't even need 1 watt
> in fact, the trick lies in the antenna you attach to the
> active end of
> the communication devices.
> for instance, we were able to do a 15km link at 11mbit/s with 2 15dBi
> antennas from hyperlinktech.com. that's much more than 7 miles (it's
> about 10 miles).
> with 21dB antennas, we calculated that we'd be able to do
> 30km, or 20 miles.

This scenario requires point-to-point directional high-dB parabolic
antennae. The original scenario of the thread was reading packets from an
AP inside a building.  It would not have even a tower-mounted high-dB
omni-directional antenna, but even if it did, would have a maximum range of 2-3
miles under legal power limits.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] RE: [Full-Disclosure] Cisco LEAP exploit tool...

2004-04-15 Thread Curt Purdy
[EMAIL PROTECTED] wrote:
> Dear Dave and what was it ... jeff, Curt and exhibar, you're in
> here too,
>
>  and I'll throw Fitzgerled on just for fun
>
> Neither one of you know what the



> Have you ever properly setup a 2.4 ghz wireless link longer
> than 7 miles?
> If not, don't post what someone else states as it may not be
> true. I have

Don't know where you get off including me in your list, but I have
personally set up Cisco units up to 20 miles with parabolics and Adaptive
Broadband up to 35 miles.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



RE: [inbox] Re: [Full-Disclosure] Hi! Antiviruses Comparison - A Little Research Results

2004-04-16 Thread Curt Purdy
Of 3APA3A wrote:
> FT> Only finnish F-Secure and american CA has Windows/Linux
> AV products
> FT> with multiple independent virus scanning engines. This
> gives protection
> FT> against false positives, but requires more system resources.
>
> Not exactly. At least Chinese iduba.net from Kingsoft uses 2
> kernels. As
> far  as  I  know  Russian  Dr.Web  works on engine to work
> with multiple
> antiviral kernels of different vendors.

Been following this thread and I can bite my tongue no longer.  As a
long-time user of the first AV in the world, F-Secure, then F-Prot in '88, I
have found it to be the only AV that could detect and remove every virus I
have ever come upon, including multiple instances where fully updated Norton
and McAfee either did not detect or could not remove them.

They were the first AV with signature auto-updating over 4 years ago. And it
does not update once a week or once a day, but continually checks on an
hourly basis for new sigs.  It has three separate scan engines, so it's like
having a layered defense in one product.  And it operates at the lowest
level of any AV I am aware of, running at the base level of I/O, actually
grabbing it off the disk before any other process can touch it, making it
extremely fast and efficient with no noticeable impact on performance, even on
slow boxes.  My $.02

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



RE: [inbox] [Full-Disclosure] Hi! Antiviruses Comparison - A Little Research Results

2004-04-16 Thread Curt Purdy
Feher Tamas wrote:
> If you are a lamer in the AV area, then please don't fool
> others! There
> are at least 12 major players in the AV arena, each with diverse
> weaknesses and strong points.



> It could make a book, not just the disorganized
> mess of text I wrote above.
>
> Sincerely: Tamas Feher from Hungary.

Actually Tamas, that is one of the best short critiques I have seen on the
AV market and I agree with almost every point.  Factual and without bias.
Maybe you should write that book.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions


