Re: [Full-Disclosure] Defcon spelled half backwards is Fedcon and you dumfucks walked into a trap

2004-08-04 Thread Exibar
I think he wasn't allowed to go to DefCon this year and now he's a bitter
boy

Of course there are Feds at DefCon  how else would we be able to play
Spot the Fed without the Feds?  :-)

 Ex


- Original Message - 
From: "Martin Mkrtchian" <[EMAIL PROTECTED]>
To: "Day Jay" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, August 03, 2004 6:35 PM
Subject: Re: [Full-Disclosure] Defcon spelled half backwards is Fedcon and
you dumfucks walked into a trap


> What happened? Jealous?
>
> WHY ASK WHY?  Don't hate the player, hate the game!
>
> On Tue, 3 Aug 2004 14:09:07 -0700 (PDT), Day Jay <[EMAIL PROTECTED]> wrote:
> > Down with kiddies, down with admins, down with ppl
> > trying to make security better. Down with everyone
> > profiting off publicity.
> >
> > Why does Gobbles hang with iDEFENSE and let them buy
> > him a beer? Why he get drunk and make an ass out of
> > himself?
> >
> > Why people don't know who's who? Why ppl believe they
> > eleet when they nothing but poo?
> >
> > Why people so inconsistent?
> >
> > Why people allow themselves to be punked and not fight
> > back? Why so many fags? Why so many pussies?
> >
> > WTF?
> >
> > Why people think information sharing among all is
> > best? Fuck that.
> >
> > Why?
> >
> >
> > ___
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
>



RE: [inbox] Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

2004-09-26 Thread Exibar
Exactly.  Some idiot decided to program the entire system to shut down after
49 days.  What an idiot, why not just set up a maintenance program to perform
a scheduled reboot of the system instead of having an automated process
shut down the system and then have to schedule a workaround for this by
scheduling a manual boot every 30 days (which someone forgot).

  This whole thing wasn't Windows' fault, but an idiot
programmer's/manager's/whatever's fault.

  Exibar

> -Original Message-
> From: ASB [mailto:[EMAIL PROTECTED]
> Sent: Sunday, September 26, 2004 10:56 AM
> To: [EMAIL PROTECTED]
> Subject: [inbox] Re: [Full-Disclosure] Windoze almost managed to 200x
> repeat 9/11
>
>
> ~
> Next time, please read the thread in context.
> ~
>
> The context of the thread is that an application issue is being
> incorrectly interpreted as an OS issue.
>
>
> -ASB
>
> On Fri, 24 Sep 2004 14:43:53 -0400, Barry Fitzgerald
> <[EMAIL PROTECTED]> wrote:
> > ASB wrote:
> >
> > >~
> > >Where issues like this relate to the OS is in the fact that the OS
> > >itself shouldn't be brought down by a poorly designed app.
> > >~
> > >
> > >And where in that article did you read that the OS was brought down by
> > >a poorly designed app?
> > >
> > >
> > >
> > I didn't... I was responding to a point that was made about applications
> > being responsible for system failures.
> >
> > >
> > >~
> > >
> > >
> > >>Was it MS Windows that actually held the code that brought
> the system down?
> > >>
> > >>
> > >~
> > >
> > >The article was pretty clear:
> > >
> > >
> > >
> > >How you managed to read "OS failure" into this is rather astounding...
> > >
> > >
> > >
> > >
> > How you manage to get up in the morning is rather astounding.
> >
> > Next time, please read the thread in context.
> >
> > Also, if you think that that's a detailed assessment of the problem,
> > you're not too bright.
> >
> > So try and think a little harder next time, and not be so abrasive.
> > You may be having a bad day (most likely due to your poor attitude) but
> > don't take your own misunderstanding out on others, mmkay?
> >
> > -Barry
>


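The thread does not say where the 49-day limit comes from. A 32-bit millisecond tick counter (the Win32 GetTickCount value, for instance) rolls over to zero after 2^32 ms, which is about 49.7 days, and code that compares such a counter with plain subtraction stops working at the rollover. The following Python is added here and is not code from the thread or from the article it discusses; it shows a naive "is the job due yet" check beside a wrap-safe one. The tick values and the hourly-poll simulation are constructed.

```python
# Added example, not from the thread: wrap-safe elapsed-time arithmetic on a
# 32-bit millisecond tick counter. 2**32 ms is about 49.7 days, the wrap period
# of such a counter (e.g. the Win32 GetTickCount value). Tick values and the
# hourly-poll simulation below are constructed, not taken from the incident.

TICK_BITS = 32
TICK_MASK = (1 << TICK_BITS) - 1
DAY_MS = 24 * 3600 * 1000


def wrap_period_days() -> float:
    """Days until a 32-bit millisecond counter rolls over to zero."""
    return (1 << TICK_BITS) / 1000 / 86400


def naive_due(now_ms: int, last_ms: int, interval_ms: int) -> bool:
    """Plain subtraction: once the counter has wrapped, now < last and the
    difference goes negative, so the job is never 'due' again."""
    return now_ms - last_ms >= interval_ms


def elapsed_ms(now_ms: int, last_ms: int) -> int:
    """Modular difference, correct across a wrap as long as the real gap is
    shorter than one full wrap period (2**32 ms)."""
    return (now_ms - last_ms) & TICK_MASK


def wrap_safe_due(now_ms: int, last_ms: int, interval_ms: int) -> bool:
    return elapsed_ms(now_ms, last_ms) >= interval_ms


def simulate(hours: int, interval_ms: int, due_fn) -> list:
    """Poll a fake 32-bit tick counter once an hour for `hours` hours and
    return the hour numbers at which due_fn said the job was due."""
    fired = []
    last = 0
    for hour in range(hours):
        now = (hour * 3600 * 1000) & TICK_MASK   # the counter the OS hands out
        if due_fn(now, last, interval_ms):
            fired.append(hour)
            last = now
    return fired


if __name__ == "__main__":
    print(f"wrap period: {wrap_period_days():.2f} days")
    naive = simulate(60 * 24, DAY_MS, naive_due)
    safe = simulate(60 * 24, DAY_MS, wrap_safe_due)
    print(f"naive check fired {len(naive)} times, last at hour {naive[-1]}")
    print(f"wrap-safe check fired {len(safe)} times, last at hour {safe[-1]}")
```

Over a simulated 60 days the naive check fires daily until the counter wraps during day 50 and then never again, while the masked difference keeps firing every 24 hours. The masked form is only correct when the true gap between two readings is shorter than one wrap period; anything that must measure longer spans needs a 64-bit counter or a wall-clock source.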

Re: [Full-Disclosure] Re: Why o why did NASA do this?

2004-10-15 Thread Exibar

- Original Message - 
From: "Feher Tamas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 15, 2004 3:54 AM
Subject: [Full-Disclosure] Re: Why o why did NASA do this?


>
> Dear Sir! Increase your Redstone, enjoy a Saturn-V in just
> two weeks with our generic booster pills.
>
> Join the three dolphins club! Adult videos from the Mir and
> ISS space stations. Manhood up to 16" in vacuum. Incredible
> boob vibrations in weightlessness captured on video. Much
> better than Big Brother sex!
>
> All this on a double DVD for just 9.95$ and straight to your
> door. Orders accepted from all people over 21 years old.
> Will ship overseas for 5$.
>

 I'll take one!  WooHoo!!!  Nothing like naked boobs jiggling (sort-of) in
weightlessness!!!  :-)

  You forgot to say where to send the money! :-)

  exibar



Re: [Full-Disclosure] Google Desktop Search

2004-10-15 Thread Exibar
Hmm... I wonder if they're keeping a database of these numbers and the
associated IP and/or MAC address as well?

  Has anyone installed this on a non-networked machine?

- Original Message - 
From: "Mary Landesman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 15, 2004 11:34 AM
Subject: Re: [Full-Disclosure] Google Desktop Search


> >From their privacy policy:
>
> ---
> Your copy of Google Desktop Search includes a unique application number.
> When you install Google Desktop Search, this number and a message
> indicating whether the installation succeeded is sent back to Google so
> that we can make the software work better. Additionally, when Google
> Desktop Search automatically checks to see if a new version is available,
> the current version number and the unique application number are sent to
> Google. If you choose to send us non-personal information about your use
> of Google Desktop Search, the unique application number with this
> non-personal information also helps us understand how you use Google
> Desktop Search so that we can make it work better. The unique application
> number is required for Google Desktop Search to work and cannot be
> disabled.
> ---
>
> >> The unique application number is required for Google Desktop Search to
> work and cannot be disabled. <<
>
> I have to wonder why that is.
>
> -- Mary
>
> - Original Message - 
> From: "Ivan Krstic" <[EMAIL PROTECTED]>
> To: "DogoBrazil" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Friday, October 15, 2004 10:14 AM
> Subject: Re: [Full-Disclosure] Google Desktop Search
>
>
> > DogoBrazil wrote:
> > > The research came
> > > with a bit more than I expected 'cause the engine went to some webmail
> > > based accounts: Yahoo and MSN. I could click in the results and opened
> > > my Yahoo Mail inbox page without a password. Maybe some password lost
> > > in my HD? Maybe some page cached?
> >
> > http://desktop.google.com/index.html enumerates the file types that
> > Google Desktop Search currently indexes. Your IE cache and Outlook
> > correspondence will also get indexed, so you could have been looking at
> > either a page from your browser cache, or a page you manually saved to
> > your hard drive. The program itself most certainly does not include
> > functionality to index remote, web-based mailboxes such as Yahoo and
> > MSN.
> >
> > Ivan
>



Re: [Full-Disclosure] New virus?

2004-09-27 Thread Exibar
Perform an Ethereal capture and a pslist on that box too.

  Is this the first sign of the JPEG worm?

  exibar


- Original Message - 
From: "Harlan Carvey" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "Bernardo Santos Wernesback" <[EMAIL PROTECTED]>
Sent: Monday, September 27, 2004 3:07 PM
Subject: Re: [Full-Disclosure] New virus?


> Bernardo,
> 
> Do you have access to this machine, either physically
> or remotely (as an admin)?  If so, have you pulled any
> data from the system to see what's going on?
> 
> --- Bernardo Santos Wernesback <[EMAIL PROTECTED]>
> wrote:
> 
> > Hi everyone,
> >  
> > Has anyone seen a lot of HTTP activity to a certain
> > site: 
> > http://www.fotosgratis.pop.com.br ?
> >  
> > One of our clients has several machines making tons
> > of requests for TXT
> > files on that server:
> >  
> > botao.txt
> > mswinsck.txt
> > ita01.txt
> > caixa01.txt
> > teclado07.txt
> > caixa01.txt
> > caixa02.txt
> > caixa03.txt
> > caixa04.txt
> > caixa05.txt
> >  
> > Thanks for any info.,
> > 
> >
> _
> > 
> > Bernardo Santos Wernesback
> > 
> >  
> > 
> > ESSE,ESS,SCSE,CCNA/DA,
> > 
> > CCSA,CQS,MCP
> > 
> >  
> > 
> > Consultant / ISH Tecnologia 
> > 
> >  
> > 
> > Phone: +55-27-3334-8900
> > 
> > Mobile: +55-27-8111-0884
> > 
> > Email: [EMAIL PROTECTED]
> > 
> >   PGP Fingerprint:
> >6A42 3701 70D7 FD0F 5FA9  D232 CDD4 6189 EF43
> > 95F5  
> > 
> >  
> > 
> 
> 
> =
> 
> Harlan Carvey, CISSP
> "Windows Forensics and Incident Recovery"
> http://www.windows-ir.com
> http://groups.yahoo.com/group/windowsir/
> 
> 


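As an added example (not code from the thread), here is the kind of check a responder could run over a proxy or web-server access log before touching the box, to confirm the pattern Bernardo describes and to see whether it is one machine or many. The log format, the client IPs and the timestamps are constructed; only the host name and file names come from the thread.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in a simple proxy access-log shape
# (timestamp, client IP, method, URL, status). The host name and the .txt file
# names are those reported in the thread; IPs and timestamps are made up, and
# one deliberately malformed line is included to show it being skipped.
SAMPLE_LOG = """\
2004-09-27T14:58:01 10.1.1.20 GET http://www.fotosgratis.pop.com.br/botao.txt 200
2004-09-27T14:58:02 10.1.1.20 GET http://www.fotosgratis.pop.com.br/mswinsck.txt 200
2004-09-27T14:58:02 10.1.1.20 GET http://www.fotosgratis.pop.com.br/ita01.txt 200
2004-09-27T14:58:03 10.1.1.20 GET http://www.fotosgratis.pop.com.br/caixa01.txt 200
2004-09-27T14:58:03 10.1.1.20 GET http://www.fotosgratis.pop.com.br/teclado07.txt 200
2004-09-27T14:58:04 10.1.1.20 GET http://www.fotosgratis.pop.com.br/caixa02.txt 200
2004-09-27T14:58:05 10.1.1.21 GET http://www.fotosgratis.pop.com.br/botao.txt 200
2004-09-27T14:58:05 10.1.1.21 GET http://www.fotosgratis.pop.com.br/mswinsck.txt 200
2004-09-27T14:58:06 10.1.1.21 GET http://www.fotosgratis.pop.com.br/caixa01.txt 200
2004-09-27T14:58:06 10.1.1.21 GET http://www.fotosgratis.pop.com.br/caixa03.txt 200
2004-09-27T14:58:07 10.1.1.21 GET http://www.fotosgratis.pop.com.br/caixa04.txt 200
this line is not a log entry at all
2004-09-27T14:59:10 10.1.1.30 GET http://www.example.com/index.html 200
2004-09-27T14:59:11 10.1.1.30 GET http://www.example.com/readme.txt 200
2004-09-27T14:59:12 10.1.1.30 GET http://www.example.com/style.css 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Yield (client, host, path) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        yield m.group("client"), parts.hostname, parts.path


def find_txt_fetchers(text, min_txt_requests=3, suffix=".txt"):
    """Return {host: {client: sorted distinct paths}} for every (client, host)
    pair that pulled at least `min_txt_requests` distinct plain-text files
    from the same host. A single readme.txt does not qualify; a burst of
    differently named .txt files from one host does."""
    per_pair = defaultdict(set)
    for client, host, path in parse_log(text):
        if host and path.lower().endswith(suffix):
            per_pair[(client, host)].add(path)
    hits = defaultdict(dict)
    for (client, host), paths in per_pair.items():
        if len(paths) >= min_txt_requests:
            hits[host][client] = sorted(paths)
    return dict(hits)


def shared_hosts(hits, min_clients=2):
    """Hosts flagged for several internal clients: the strongest sign that this
    is one piece of malware on many boxes rather than one user's browsing."""
    return sorted(h for h, clients in hits.items() if len(clients) >= min_clients)


def common_paths(hits, host):
    """Paths every flagged client fetched from `host`, a starting point for an
    indicator to block at the proxy and hunt for elsewhere."""
    sets = [set(p) for p in hits.get(host, {}).values()]
    return sorted(set.intersection(*sets)) if sets else []


if __name__ == "__main__":
    hits = find_txt_fetchers(SAMPLE_LOG)
    for host in shared_hosts(hits):
        print(host, "hit by", sorted(hits[host]), "common:", common_paths(hits, host))
```

On the constructed sample this flags the two internal clients that each pulled five or more distinct .txt files from the one host, and reports the three file names both of them fetched. The threshold and the "several clients" test are the two knobs to tune against a real log; the point is to get a client list and a file list from the proxy before anyone runs Ethereal or pslist on an individual box.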

Re: [Full-Disclosure] Will a vote for John Kerry be counted by a Hart InterCivic eSlate3000 in Honolulu?

2004-10-21 Thread Exibar
The question comes to mind... why oh why did you cast your vote for Kerry?
I guess you want the US to be policed and governed by the UN.  I guess you
want someone in office that can't make up his mind about anything.  I guess
you want someone in office that will start to shred the Constitution piece
by piece and change it bit by bit until it reads like the Heinz Ketchup
bottle ingredients.

  But, it's your vote, you can vote for anyone that you wish, I'll defend
that right to the end, even if Kerry wants to take it away

  My vote will be PROUDLY cast for Bush, just like it was 4 years ago.

  Exibar


- Original Message - 
From: "Jason Coombs PivX Solutions" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, October 20, 2004 9:24 PM
Subject: [Full-Disclosure] Will a vote for John Kerry be counted by a Hart
InterCivic eSlate3000 in Honolulu?


> I just voted for John Kerry at a walk-in absentee ballot polling place in
> Honolulu County using an eSlate3000 (unit serial number A05A0B) made by Hart
> Intercivic: http://www.hartintercivic.com
>
> I was told by the official who gave me the choice of voting on paper or
> voting electronically that the electronic voting machines weren't supposed
> to be here yet, but that since they arrived in time for the 2004 election,
> they were being used anyway.
>
> Will my vote be counted? That depends on a number of unknowns, such as
> whether or not the unit on which my vote was cast subsequently malfunctions,
> rendering the entire vote tabulating memory card corrupt.
>
> I did not receive a paper printout following the submission of my
> electronic ballot.
>
> Excluding the obvious possibility that fraud may occur, either to stuff
> the electronic 'ballot box' with false votes, or to intentionally destroy or
> fail to count votes for a particular candidate, there are risks inherent to
> electronic voting that do not exist in the same way with paper ballots. And
> although there are technical safeguards possible that seem like common
> sense, these safeguards continue to be ignored. Why?
>
> Will we ever see common sense safeguards added to the electronic voting
> process?
>
> A search for known security vulnerabilities or potential flaws in voting
> equipment manufactured and sold by Hart InterCivic turns up:
>
> http://www.conspiracyplanet.com/channel.cfm?channelid=31&contentid=1570
>
> Prior to casting my vote, I provided a written 'application' to vote
> containing my current address and other contact information. Election
> officials have every bit of information necessary to inform me in the event
> of a memory card failure or other malfunction that causes my electronic vote
> not to be counted properly.
>
> We know the very equipment that I just used to cast my vote has
> malfunctioned in the past. There have never been any reports that any voter
> has ever been allowed to revote following the loss of their electronic vote
> database record. Why not?
>
> I find it absurd that common sense solutions to electronic voting problems
> are not being used. The vote I just cast could be made available for my
> anonymous review after it has been counted. For that matter, all votes made
> by all voters could be aggregated and published such that any voter could
> confirm that the vote that was counted was in fact the vote that they cast.
>
> Such a safeguard would ensure that no fraud could occur without timely
> detection by those voters who are directly affected, and no vote would go
> uncounted or be miscounted by mistake unless voters choose not to perform
> such data validation.
>
> If we're going to allow these electronic voting devices in our elections,
> then we the people must be empowered to become the all volunteer quality
> assurance army that validates the data output.
>
> Reasonable people can live with the necessity to trust election officials
> to be honest, and the criminal justice procedures to hold them accountable
> when they are not, but who are we supposed to hold accountable when
> equipment failures and flawed computer disaster recovery planning result in
> the secret exclusion of members of the public from access to their right to
> vote?
>
> If anyone has any further information about Hart InterCivic and the
> eSlate3000, please contact me directly.
>
> Sincerely,
>
> Jason Coombs
> [EMAIL PROTECTED]
>



Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-21 Thread Exibar
I couldn't picture having to tell my users to type in a 256 character
password.  Let's make it force 20 uppercase, 20 symbols, 20 high-bit
characters, 20 numbers as well.   Although it'll be hard to crack, it'll take
three hours before they can log in once.  And that's with 2 phone calls to
the helpdesk to unlock their accounts after they entered their password
wrong 3 times in a row. :-)

   Use a SecurID key fob with a PIN, along with your usual userid/password
combination.  You'll have a pretty secure login at that point.

  Exibar

- Original Message - 
From: "joe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 21, 2004 11:32 AM
Subject: RE: [Full-Disclosure] Senior M$ member says stop using passwords
completely!


> Well I don't think anyone is saying that the issue is that 128 character
> passwords are being easily hacked so I am not quite sure I understand your
> point about 256 characters and why you mention it. People seem to dislike
> passwords greater than 14 characters let alone entering passwords of 150 ,
> 200 , or 250 characters. To put it another way, if MS suddenly increased
> the buffer to allow for hashing of passwords 1024 characters in size would
> you push that MS was more secure based on that? I doubt it, I certainly
> wouldn't.
>
> BTW, I tried the link someone previously gave with the password hash I
> previously posted and it is well under 128 characters and the web site
> reported:
>
> Password: not found!
>
>
>   joe
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Eric Paynter
> Sent: Monday, October 18, 2004 1:32 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Senior M$ member says stop using passwords
> completely!
>
> On Sat, October 16, 2004 5:25 pm, Tim said:
> > The reason for my post was to point out that Mr. Hensing doesn't
> > appear to be a reliable source of information on the topic of
> > passwords and hash security.
>
> I think that much became apparent when Mr. Hensing took sarcastic shots at
> Linux security (e.g. "Attack easier targets like all those Linux boxes you
> installed because its so much more secure . . ."). Funny thing is, Linux
> supports up to 256 character passwords by default - twice as long as
> Windows.
>
> -Eric
>
> --
> arctic bears - email and dns services
> http://www.arcticbears.com
>


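As an added example (not code from the thread or from RSA), here is what "token + PIN + password" looks like on the server side. SecurID's own algorithm is proprietary, so the public counter-based HOTP scheme from RFC 4226 stands in for the fob; the user record, password and PIN are constructed, and the token seed is the RFC 4226 test seed so the codes can be checked against the RFC's test vectors.

```python
import hashlib
import hmac
import os
import struct

# Added example, not the thread's or RSA's code. SecurID's algorithm is
# proprietary; HOTP (RFC 4226) stands in for a counter-based token. The user
# record, password and PIN below are constructed; the seed is the RFC 4226
# test seed, so hotp(RFC_SEED, 0) == "755224" as in the RFC's appendix.

RFC_SEED = b"12345678901234567890"
HOTP_DIGITS = 6
LOOKAHEAD = 5          # tolerate a few token presses that never reached the server
MAX_FAILURES = 3       # the thread's "wrong 3 times in a row" lockout


def hotp(secret: bytes, counter: int, digits: int = HOTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation (offset from the low nibble of the last byte, 31-bit value)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_secret(value: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-SHA256 for the password and the PIN; never store either in clear."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, iterations)


def make_user(password: str, pin: str, token_seed: bytes) -> dict:
    salt, pin_salt = os.urandom(16), os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hash_secret(password, salt),
        "pin_salt": pin_salt,
        "pin_hash": hash_secret(pin, pin_salt),
        "seed": token_seed,
        "counter": 0,        # next counter value the server will accept
        "failures": 0,
        "locked": False,
    }


def authenticate(user: dict, password: str, pin: str, token_code: str) -> bool:
    """All three factors are checked and the answer is a single yes/no, so a
    failed attempt does not reveal which factor was wrong. An accepted code
    moves the counter past itself, so the same code cannot be replayed."""
    if user["locked"]:
        return False
    pw_ok = hmac.compare_digest(user["pw_hash"], hash_secret(password, user["salt"]))
    pin_ok = hmac.compare_digest(user["pin_hash"], hash_secret(pin, user["pin_salt"]))
    matched = None
    for c in range(user["counter"], user["counter"] + LOOKAHEAD):
        # keep looping after a hit so the work done does not depend on where it matched
        if hmac.compare_digest(hotp(user["seed"], c).encode(), token_code.encode()) and matched is None:
            matched = c
    if pw_ok and pin_ok and matched is not None:
        user["counter"] = matched + 1
        user["failures"] = 0
        return True
    user["failures"] += 1
    if user["failures"] >= MAX_FAILURES:
        user["locked"] = True     # back to the helpdesk, as in the thread
    return False


if __name__ == "__main__":
    u = make_user("correct horse battery", "1234", RFC_SEED)
    print(authenticate(u, "correct horse battery", "1234", hotp(RFC_SEED, 0)))  # True
    print(authenticate(u, "correct horse battery", "1234", hotp(RFC_SEED, 0)))  # False: replay
```

Two details matter more than the hashing: the counter only ever moves forward, so a code sniffed from a successful login is worthless afterwards, and the PIN is a separate stored secret rather than something prepended to the token code, so losing the fob alone still leaves the attacker two factors short. Time-based tokens work the same way with a time step in place of the counter.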

Re: [in] Re: [Full-Disclosure] Will a vote for John Kerry be counted by a Hart InterCivic eSlate3000 in Honolulu?

2004-10-21 Thread Exibar
We have taken it off list, not a problem.

  I actually thought we were being civilized about it too :-)

  Ex

- Original Message - 
From: "KrispyKringle" <[EMAIL PROTECTED]>
To: "Exibar" <[EMAIL PROTECTED]>
Cc: "Curt Purdy" <[EMAIL PROTECTED]>; "'Jason Coombs PivX Solutions'"
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, October 21, 2004 3:40 PM
Subject: Re: [in] Re: [Full-Disclosure] Will a vote for John Kerry be
counted by a Hart InterCivic eSlate3000 in Honolulu?


> Exibar wrote:
> > Curt,
> > And what was it that Bush lied to you personally about?  or lied to the
> > American People about?  WMD's in Iraq? Just because we haven't found
> > many of them (YES we have found some, BTW), doesn't mean they didn't exist
> > Like life on Mars, just because we haven't seen little green men yet,
> > doesn't mean they don't exist.
> [...]
>
> Please keep this trash off the list. It's bad enough that we're
> discussing off-topic politics, but now even the Republicans are posting!
>
> Seriously, though, this list serves a purpose, but this isn't it. If you
> want to flame each other, I suggest you find a politically-focussed list
> or newsgroup instead. Or use Slashdot. They eat this shit up over there.
>
> Thanks for understanding.
>
>



Re: [in] Re: [Full-Disclosure] Will a vote for John Kerry be counted by a Hart InterCivic eSlate3000 in Honolulu?

2004-10-21 Thread Exibar
Curt,
And what was it that Bush lied to you personally about?  Or lied to the
American People about?  WMDs in Iraq? Just because we haven't found many of
them (YES we have found some, BTW), doesn't mean they didn't exist.
Like life on Mars, just because we haven't seen little green men yet,
doesn't mean they don't exist.
   Did you vote for Clinton?  Now HE outright lied to the American people,
UNDER OATH no less.   Kerry has also lied, out and out; the first lie
that comes to mind is the thought that he threw his medals over the fence
after Vietnam, he still has HIS medals.  He's trying to say that he "threw
medals" not that he "threw HIS medals".  Oh and what's that, first he was
for the war that he served in, then against, and now all of a sudden he's
running for president and he's for it again.   Iraq the same way, he's
against it, he's for it, he's against it... he's a friggin revolving door.

   The second BIG one (and a Flip-Flop too I guess), much more important
than the first thought that came to mind is something Kerry said in one of
the debates.  He said something to the fact that he supports people to own
firearms, that he's a hunter himself and that he would never do anything to
harm the 2nd amendment.  That is a bold-faced lie, right through his teeth.
There hasn't been a single gun control bill that has passed his desk that he
DID NOT sign.  He received a shotgun from some workers while on campaign a
couple weeks or so ago, that very shotgun that he received would have been
banned if one of the bills that he endorsed would have passed and became
law.  He's "striving to close the gun show loophole" as well, let me say
this once, THERE IS NO GUN SHOW LOOPHOLE!  You go to a gun show, here in Mass
for example, and want to purchase a rifle, pistol, whatever, the dealer that
you buy it from first asks for your Gun Permit, and has you fill out the
paperwork.  While you're filling out the paperwork, they are calling the FBI
to perform an instant background check on you.  ALL dealers are required to
do this before you can purchase your weapon.  Where's the loophole?  Oh
that's right, if I wanted to sell a rifle, pistol, whatever that I own at a
gun show, I can sell it to anyone that I care to as long as they have a
permit and I fill out the transfer form.  Gun show loophole?  Nope, I can do
the same thing by placing an ad in the want ads... oh! it's the want-ad
loophole.

  Like I've said, vote for whomever YOU feel is the best candidate.  I will
defend YOUR right to do so.  I will say again that I will PROUDLY cast my
vote for G. W. BUSH in a couple weeks.  Think about this for a second, our
ability to vote for the person we feel should be in office is something the
citizens of IRAQ hadn't been able to do until G.W.BUSH sent our troops in
and got rid of Saddam.  Now they have had their own first election.
Yes I support the war in Iraq, our troops, and our country, to the very end.

 For whoever said that I'm brainwashed or something by the media, I make up
my own mind, get my own facts, and go from there.  For the most part, the
Media cannot be trusted, period.

  This is all I will say about this to the list.  If you wish to continue
this discussion, e-mail me privately and if I have time I'll respond.

  Exibar


- Original Message - 
From: "Curt Purdy" <[EMAIL PROTECTED]>
To: "'Exibar'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; "'Jason
Coombs PivX Solutions'" <[EMAIL PROTECTED]>
Sent: Thursday, October 21, 2004 12:05 PM
Subject: RE: [in] Re: [Full-Disclosure] Will a vote for John Kerry be
counted by a Hart InterCivic eSlate3000 in Honolulu?


>
> Exibar wrote:
> > The question comes to mind... why oh why did you cast your
> > vote for  Kerry?
> > I guess you want the US to be policed and governed by the UN.
> >  I guess you want
> 
>
> Though in danger of starting a flame war...
>
> Exibar, Dude! You've fallen head over heels for the Republican
> brain-washing line.  There might be a lot about John Kerry you don't like,
> like his honesty, forthrightness, and straightforward talking.  But I will
> never vote for a President that has coldly lied to his people.  And I am
> one of those people Bush has bald-facedly lied to.
>
> Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
> Information Security Engineer
> DP Solutions
>
> -
>
> If you spend more on coffee than on IT security, you will be hacked.
> What's more, you deserve to be hacked.
> -- former White House cybersecurity czar Richard Clarke
>
>
>



RE: [inbox] Re: [Full-Disclosure] Help, possible rootkit

2004-10-23 Thread Exibar
Perhaps it's a piece of spyware and not a rootkit after all?  Spyware would be
a more common item to find on a computer system than a rootkit.  Run
Spybot Search & Destroy and Ad-Aware on your machine.

  How up to date is your Antivirus as well?  Did you run a full antivirus
scan on your system to rule out a virus?

  Exibar

> -Original Message-
> From: Michael Rutledge [mailto:[EMAIL PROTECTED]
> Sent: Saturday, October 23, 2004 1:11 PM
> To: BillyBob
> Cc: Full Disclosure
> Subject: [inbox] Re: [Full-Disclosure] Help, possible rootkit
>
>
> What type of software do you use on a regular basis, and what software
> have you installed recently?  Is this a new install of XP?  Also, have
> you installed SP2?
>
> Give us a little background about your system so that we can rule out
> common software glitches.
>
> -Michael
>
>
> On Sat, 23 Oct 2004 13:05:29 -0300, BillyBob
> <[EMAIL PROTECTED]> wrote:
> > I have noticed that my XP system is behaving like I have a rootkit.
> >
> > - My mouse is jumpy (it freezes for a second when I move it around the
> > desktop) and the minimized Taskmanager in the systray shows I have around
> > 25 - 30 % usage, but when I open it, there is no process listed using this
> > much.
> > - I did a netstat, fport, openports and none of these show that I have any
> > odd ports open or any connections established.
> > - even when I disconnect from the Internet these symptoms do not stop.  They
> > stop if I reboot, but then start again.
> >
> > I have run VICE, Klister, PatchFinder and RkDetect from rootkit.com and they
> > could not find anything.
> >
> > Any more suggestions ?
> > Any more rootkit finding tools for Windows ?
> >
> > Thanks
> > Bill
> >



Re: [Full-Disclosure] MS03-039 has been released - critical

2003-09-10 Thread Exibar
Anyone know of a 'sploit for this one yet?  Or even proof of concept code?


- Original Message -
From: "Ryan, Pete" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 10, 2003 12:23 PM
Subject: [Full-Disclosure] MS03-039 has been released - critical


>
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp
>
> -Pete
>



Re: [Full-Disclosure] MS03-039 has been released - critical

2003-09-10 Thread Exibar
To add to my previous reply.   The DoS is the only thing in MS03-039 that is
"old".  The two buffer overflows are brand new and are not the same as
MS03-026.  These are the real dangers here, not that the DoS isn't
dangerous, but the buffer overflows are the keys to the security alert.

   Does anyone know if there is a 'sploit for the buffer overflows in the
wild?

  Exibar


- Original Message -
From: "Mike Tancsa" <[EMAIL PROTECTED]>
To: "Exibar" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, September 10, 2003 2:54 PM
Subject: Re: [Full-Disclosure] MS03-039 has been released - critical


>
> http://xforce.iss.net/xforce/alerts/id/152 says,
>
> "The new DoS vulnerability was disclosed by a hacking group in China on
> July 25, 2003, and functional exploit code is already in use on the
> Internet. "
>
>  ---Mike
>
>
> At 01:41 PM 10/09/2003, Exibar wrote:
> >anyone know of a 'sploit for this one yet?  Or even proof of concept code?
> >
> >
> >- Original Message -
> >From: "Ryan, Pete" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Wednesday, September 10, 2003 12:23 PM
> >Subject: [Full-Disclosure] MS03-039 has been released - critical
> >
> >
> > >
> > >
>
> > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp
> > >
> > > -Pete
> > >



Re: [Full-Disclosure] MS03-039 has been released - critical

2003-09-10 Thread Exibar
Isn't this a bit different than simply a DoS though?

  Although, now that I'm thinking about it, this one combines MS03-026 with
the DoS that was found to be the RPC service failing.  M$ makes it sound
like this is 100% but if you're patched with MS03-026, you're safe from all but
the DoS.  Is that what everyone else reads into the alert as well?

   Exibar
- Original Message -
From: "Mike Tancsa" <[EMAIL PROTECTED]>
To: "Exibar" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, September 10, 2003 2:54 PM
Subject: Re: [Full-Disclosure] MS03-039 has been released - critical


>
> http://xforce.iss.net/xforce/alerts/id/152 says,
>
> "The new DoS vulnerability was disclosed by a hacking group in China on
> July 25, 2003, and functional exploit code is already in use on the
> Internet. "
>
>  ---Mike
>
>
> At 01:41 PM 10/09/2003, Exibar wrote:
> >anyone know of a 'sploit for this one yet?  Or even proof of concept code?
> >
> >
> >- Original Message -
> >From: "Ryan, Pete" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Wednesday, September 10, 2003 12:23 PM
> >Subject: [Full-Disclosure] MS03-039 has been released - critical
> >
> >
> > >
> > >
>
> > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp
> > >
> > > -Pete
> > >



Re: [Full-Disclosure] MS03-039 has been released - critical

2003-09-10 Thread Exibar
Yes, this vulnerability is completely different than MS03-026.  Although
Microsoft did include the fix for 026 in MS03-039.

 Exibar
- Original Message -
From: "Robert Ahnemann" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 10, 2003 2:30 PM
Subject: RE: [Full-Disclosure] MS03-039 has been released - critical


> I ran the test program (as linked by MS) to see if the network showed as
> patched.  I haven't patched any of the machines with the 039 code, but
> all are patched with the 026 one (original one as of July 16th)  Does
> this exploit still work (as in leave a vuln) if we have patched 026?
> Might be a dumb question, but I bet other people are thinking it too.
>
> -Original Message-
> From: Exibar [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 10, 2003 12:42 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] MS03-039 has been released - critical
>
> anyone know of a 'sploit for this one yet?  Or even proof of concept
> code?
>
>
> - Original Message -
> From: "Ryan, Pete" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, September 10, 2003 12:23 PM
> Subject: [Full-Disclosure] MS03-039 has been released - critical
>
>
> >
> >
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp
> >
> > -Pete
> >



Re: [Full-Disclosure] MS03-039 has been released - critical

2003-09-10 Thread Exibar
This has been confirmed, just in case anyone was still fuzzy on this.

"039 has 1 DoS and 2 (new) BOs. All of the info in 039 is "new" and
doesn't recycle 026 info. Though 039 also includes 026 fixes, of course.

Important point - the NEW (ms03-039) bulletin is all NEW info."

Exibar

- Original Message - 
From: "Exibar" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "Mike Tancsa" <[EMAIL PROTECTED]>
Sent: Wednesday, September 10, 2003 3:05 PM
Subject: Re: [Full-Disclosure] MS03-039 has been released - critical


> To add to my previous reply.   The DoS is the only thing in MS03-039 that is
> "old".  The two buffer overflows are brand new and are not the same as
> MS03-026.  These are the real dangers here, not that the DoS isn't
> dangerous, but the buffer overflows are the keys to the security alert.
>
>Does anyone know if there is a 'sploit for the buffer overflows in the
> wild?
>
>   Exibar
>
>
> - Original Message -
> From: "Mike Tancsa" <[EMAIL PROTECTED]>
> To: "Exibar" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Wednesday, September 10, 2003 2:54 PM
> Subject: Re: [Full-Disclosure] MS03-039 has been released - critical
>
>
> >
> > http://xforce.iss.net/xforce/alerts/id/152 says,
> >
> > "The new DoS vulnerability was disclosed by a hacking group in China on
> > July 25, 2003, and functional exploit code is already in use on the
> > Internet. "
> >
> >  ---Mike
> >
> >
> > At 01:41 PM 10/09/2003, Exibar wrote:
> > >anyone know of a 'sploit for this one yet?  Or even proof of concept code?
> > >
> > >
> > >- Original Message -
> > >From: "Ryan, Pete" <[EMAIL PROTECTED]>
> > >To: <[EMAIL PROTECTED]>
> > >Sent: Wednesday, September 10, 2003 12:23 PM
> > >Subject: [Full-Disclosure] MS03-039 has been released - critical
> > >
> > >
> > > >
> > > >
> > > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp
> > > >
> > > > -Pete
> > > >
> > >
> >
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] [Full-Disclosure] Re: MS03-039 has been released (DoS) sploit ?

2003-09-10 Thread Exibar
Sure looks that way, especially with the 7/21 datestamp for the directory and in the
page name :-)

  It's *very* unlikely that we see a worm that acts on the DoS vuln, it's just too
much work.  The BoF's are the ones that have my attention and need patching
urgently.

  Exibar

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Elv1S
Sent: Wednesday, September 10, 2003 6:49 PM
To: [EMAIL PROTECTED]
Subject: [inbox] [Full-Disclosure] Re: MS03-039 has been released (DoS) sploit ?


> thinkin' that they talking about the xfocus sploit public since 07-21 ?
> for the DoS vuln MS03-032
>
> true or not ?
>
> http://www.k-otik.com/exploits/07.21.win2kdos.c.php
>
> Mike Tancsa <[EMAIL PROTECTED]> wrote:
> > http://xforce.iss.net/xforce/alerts/id/152 says,
> >
> > "The new DoS vulnerability was disclosed by a hacking group in China on
> > July 25, 2003, and functional exploit code is already in use on the
> > Internet. "
> >
> > ---Mike
> >
> > At 01:41 PM 10/09/2003, Exibar wrote:
> > >anyone know of a 'sploit for this one yet? Or even proof of concept code?
> > >
> > >
> > >- Original Message -
> > >From: "Ryan, Pete" <[EMAIL PROTECTED]>
> > >To: <[EMAIL PROTECTED]>
> > >Sent: Wednesday, September 10, 2003 12:23 PM
> > >Subject: [Full-Disclosure] MS03-039 has been released - critical
> > >
> > >
> > > >
> > > >
> > > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp
> > > >
> > > > -Pete


RE: [inbox] RE: [Full-Disclosure] MS03-039 has been released - critical

2003-09-10 Thread Exibar
Sounds good to me, I've already given my IDS guy the details that you've
posted and he's going to write his IDS rules by them.

  No problem here :-)

  Exibar

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Marc
Maiffret
Sent: Wednesday, September 10, 2003 6:26 PM
To: Peter Kruse; 'Mike Tancsa'; 'Exibar';
[EMAIL PROTECTED]
Subject: [inbox] RE: [Full-Disclosure] MS03-039 has been released -
critical


Hi,

Just to cut off any stupid debate, that I promise anyone stepping to will
lose... ;-) Giving details of where a flaw is does not make exploits/worms
happen any more often. The "bad guys" do not need details in order to write
exploits and worms. That is apparent when you look at the first RPC flaw and
how NO details were released yet an exploit and worm were. However, with
details, we can all audit our networks for the flaws, to know systems we
need to fix, and setup IDS/IPS systems to monitor for attackers, whereas we
couldn't without details. Also, we can check to make sure vendors did not
(yet again) screw up and release a patch that does not truly fix a system.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED] Behalf Of Peter Kruse
| Sent: Wednesday, September 10, 2003 2:20 PM
| To: 'Mike Tancsa'; 'Exibar'; [EMAIL PROTECTED]
| Subject: SV: [Full-Disclosure] MS03-039 has been released - critical
|
|
| Hi,
|
| > "The new DoS vulnerability was disclosed by a hacking group
| > in China on July 25, 2003, and functional exploit code is
| > already in use on the Internet. "
|
| This is well known. However it's not the BoF exploit.
|
| Yet again, the detailed advisory from Eeye makes it fairly easy to write
| a working exploit. Although I haven't seen a PoC yet I would expect it
| to be released shortly. It's a bit harder to exploit than the previous
| RPC Dcom weakness but it's certainly possible.
|
| Please note that Eeye has already released an update for Retina Security
| Scanner and I suppose every script kid, cracker or hacker should be able
| to sniff the code from Retina going to a remote vulnerable host. You
| think? CHAM, yeah?
|
| I suggest we update RPC - again.
|
| Med venlig hilsen // Kind regards
|
| Peter Kruse
| Kruse Security
| http://www.krusesecurity.dk
|
|
|


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: AW: [Full-Disclosure] 9/11 virus

2003-09-11 Thread Exibar


So are you trying to tell me that Peanut Butter is good or bad for my car's
engine?   What if I have a diesel engine?  Can I use Peanut Butter in that
case?  I would think that refined peanut oil will work, but what about
straight peanut butter?

  ^--^

Exibar


- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 11, 2003 10:53 AM
Subject: Re: AW: [Full-Disclosure] 9/11 virus


> > Tom Vogt:
> >
> > It ain't a user-dependent vulnerability. It exploits shortcomings in the
> > interface. It exploits the fact that what the machine does is not what the
> > user wants or expects it to do.
> >
> > User:
> > "I want to see this picture."
> >
> > Machine:
> > Ok...
> > ...oh, it isn't a picture, it's an executable...
> > ...so, let's execute it.
>
> Hi Tom.
>
> On this point, you and I agree -- a user should never receive
> indication from the UI that an executable is a picture, and then
> surprise the user by executing something which wasn't really a picture
> after all.  Implementing a UI which uses an arbitrary file naming
> convention to indicate the executability of a file, /and then going
> ahead and hiding the file extension by default/, is unbelievably
> braindead.  It's like they *tried* to blur the line between program and
> content.  Hmm.
>
> > The user never wanted to execute a file, he wanted to see a picture. It's a
> > miscommunication issue, not stupidity of users. A better interface would
> > prevent it. For example, imagine for one second that there were no implicit
> > actions, i.e. there is no "doubleclick and the right thing will happen", but
> > you always have to state WHAT you want to do.(*)
> >
> > ...
> >
> > (*) And don't tell me users wouldn't accept that. Every other
> > electronic device works that way. You don't press POWER on your TV and
> > expect it to know which channel you want.
>
> I maintain, though, that there is a lack of user comprehension involved
> (you said 'stupidity', not me) -- a user needs to know what an
> executable is, before they can understand there's a certain amount of
> danger involved with clicking on them.
>
> As to your suggestion that the implicit behaviour of a doubleclick is a
> problem, I think you're a bit off the mark.  Users know that a
> doubleclick will 'Open' whatever they click on, there's no ambiguity
> there.  The confusion only occurs when the user doesn't exactly know
> what it is they're doubleclicking on.
>
> > It's not a user issue. Users aren't stupid, they just have a limited need to
> > know. You'd be shouting at your car mechanic if he told you that it's your
> > fault that the car burst into flames because that's just what it does when
> > you open the trunk while the headlights are on and the gear is in reverse.
>
> I think a (slightly) more appropriate analogy would be a mechanic who
> explains time and time again that one should *never* put fuel into a car
> unless they know for certain it's unleaded and from a 'safe' source (and
> actually fuel and not peanut butter!)
>
> I think we agree on the main points, but have slightly differing senses
> of what a user 'needs to know'.  In order to function responsibly in
> this e-mail enabled world of ours, users must be able to differentiate
> between executables and documents.  Period.  To that end, however, user
> interfaces must be clear and explicit when it comes to helping the user
> differentiate the two.
>
> > But hey, it's not like we haven't known this ever since the first Outlook
> > worm, and it could've been solved for years.
>
> Oh, sure, MS completely dropped the ball on Outlook and OE -- but
> consider that this would only prevent e-mail worms, not user-distributed
> 'old-school' viruses.  Only user education could stop those.
>
> take care,
>
> Cael
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Immunity's paper?

2003-09-15 Thread Exibar
Does anyone have this paper that the quoted Microsoft PSS advisory mentions
or a link to it?  I'd love to give it a read...

thanks all!
  Exibar

The PSS Security team is issuing this alert to advise customers that on
Saturday 9/13/03 a research company called Immunity published a paper
providing guidance on how to exploit the vulnerabilities patched by
Microsoft Security Bulletin MS03-039. To date we've had no reports of actual
exploit code being publicly available or being used actively in a worm or
virus.

Customers that have applied the patch as advised in Microsoft Security
Bulletin MS03-039 are protected from exploit code developed using the
guidance provided in this paper. Customers who have not deployed the patch
or taken additional mitigating actions to protect their environment should
be aware that the existence of sample code does make it easier for an active
exploit to be developed. We are therefore strongly urging customers to
immediately deploy the patch in their environments and take additional
mitigation steps, as described in the bulletin, to protect themselves.

Information on Microsoft Security Bulletin MS03-039 and its associated
patch, mitigating factors and workarounds can be found here:

http://www.microsoft.com/technet/security/bulletin/ms03-039.asp

PSS Security Team

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Immunity's paper?

2003-09-15 Thread Exibar
The Exploit that's in the wild right now is an exploit for the DoS.  Very
doubtful that this gets turned into a worm.  I'm worried about one of the
BoF vulnerabilities getting turned into an exploit.  Haven't seen that yet
though...

  Thanks everyone for getting me the links to those papers and DoS exploit
code too!

  Exibar

- Original Message - 
From: "Jerry Heidtke" <[EMAIL PROTECTED]>
To: "Exibar" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, September 15, 2003 11:25 AM
Subject: RE: [Full-Disclosure] Immunity's paper?


>
> See http://www.immunitysec.com/papers/msrpcheap.pdf and
> http://www.immunitysec.com/papers/msrpcheap2.pdf.
>
> Exploit code for one of the vulnerabilities in RPCSS is "in the wild".
> No indications of a worm being released yet, but it's only a matter of
> time. If we had a pool going, I'd pick that square for tomorrow (9/16).
>
> Jerry
>
> -Original Message-
> From: Exibar [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 15, 2003 9:18 AM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Immunity's paper?
>
>
> Does anyone have this paper that the quoted Microsoft PSS advisory mentions
> or a link to it?  I'd love to give it a read...
>
> thanks all!
>   Exibar
>
> The PSS Security team is issuing this alert to advise customers that on
> Saturday 9/13/03 a research company called Immunity published a paper
> providing guidance on how to exploit the vulnerabilities patched by
> Microsoft Security Bulletin MS03-039. To date we've had no reports of actual
> exploit code being publicly available or being used actively in a worm or
> virus.
>
> Customers that have applied the patch as advised in Microsoft Security
> Bulletin MS03-039 are protected from exploit code developed using the
> guidance provided in this paper. Customers who have not deployed the patch
> or taken additional mitigating actions to protect their environment should
> be aware that the existence of sample code does make it easier for an active
> exploit to be developed. We are therefore strongly urging customers to
> immediately deploy the patch in their environments and take additional
> mitigation steps, as described in the bulletin, to protect themselves.
>
> Information on Microsoft Security Bulletin MS03-039 and its associated
> patch, mitigating factors and workarounds can be found here:
>
> http://www.microsoft.com/technet/security/bulletin/ms03-039.asp
>
> PSS Security Team
>
>
> Confidentiality Notice: This e-mail message, including any attachments,
> is for the sole use of the intended recipient(s) and may contain
> confidential and privileged information.  Any unauthorized review, use,
> disclosure or distribution is prohibited.  If you are not the intended
> recipient, please contact the sender by reply e-mail and destroy all
> copies of the original message.
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Get the Tools You Need to Compete With Linux

2003-09-18 Thread Exibar
BWHAHAHAHA financial value of using a Microsoft product?  Are they nuts?
I've never once seen the ISO for a Windows OS freely available BY Microsoft
for download at absolutely no charge.   Don't even get me started on
Office 2003 vs Open Office cost of ownership!

  Yikes!  Microsoft has flipped!

  Exibar


- Original Message - 
From: "Jason Coombs" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 18, 2003 4:20 PM
Subject: [Full-Disclosure] Get the Tools You Need to Compete With Linux


> hahahahaha
>
> -Original Message-
> From: [EMAIL PROTECTED]
> Sent: Wednesday, September 17, 2003 9:38 PM
> To: [EMAIL PROTECTED]
> Subject: Get the Tools You Need to Compete With Linux
>
> Microsoft for Partners
>
> --
> Look here for answers: COMPETING WITH LINUX. The new Partners Sales Training
> CD.
> --
> September 18, 2003
>
> Prepare yourself and your staff to handle your customer's questions about
> Linux. This new sales training CD can help you effectively communicate what
> you already know about the financial value and technology advantages of using
> licensed Microsoft® solutions. Competing with Linux provides you and your
> staff with solid business answers and training that you can use when the
> topic of Linux comes up.
>
> Resources on the Competing with Linux CD include:
> · Solutions Evaluations
> · Cost Value Benefits
> · Case Studies
> · Interactive Demos
> · Workload Comparisons
> · Analyst Reviews
>
> CD is available worldwide in English only. Cost of CD is U.S. $3.50 plus
> shipping and handling.
>
>
> Order the CD today:
> http://go.microsoft.com/?linkid=253711
>
> Microsoft Communities is your launching pad for communicating online with
> peers and experts about Microsoft products, technologies, and services:
> http://go.microsoft.com/?linkid=253709
>
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: [Full-Disclosure] Petition against VeriSlime's DNS abuse

2003-09-19 Thread Exibar
nah, all you need is to enter the following line in your HOSTS file:

216.239.53.99 sitefinder.verisign.com

  That way you'll get google's error message and never have to see Verisign's shit
again :-)

  Exibar

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jonathan A. Zdziarski
Sent: Thursday, September 18, 2003 1:54 PM
To: [EMAIL PROTECTED]
Cc: Full Disclosure
Subject: [inbox] Re: [Full-Disclosure] Petition against VeriSlime's DNS abuse


> > The financial backing is non-trivial. You're going to need some pretty
> > serious big iron, and some pretty bad-ass bandwidth.
>
> Non-profit doesn't necessarily mean doesn't make any money.  The registries are
> already paying to register domains in the first place.  I'm not opposed
> to some trivial per-domain fee to pay for the whole project.  Aside from
> self-funding though, think of how many registries are willing to kick serious
> money into a project that would remove Verisign as a monopoly over the
> space.  You can bet on BuyDomains.com and BulkRegister.com would get
> materially involved.
>
> > Oh.. and you'll need trusted and experienced people, and be willing to pay them.
>
> I didn't say it was something that could be done overnight =) If the community
> wanted to do this, you'd need to get people together and put together a
> business plan just like you would if you were starting a business - it's not
> just a big project, it's a HUGE project, and one that requires the utmost
> critical planning.  I don't think there'll be any shortage of trusted and
> experienced people though =).
>
> > Don't like how a TLD is run? Talk to ICANN and the administrator of that TLD.
>
> If it's as simple as establishing a set of rules to govern all of the registries
> (or risk getting your TLD dropped - obviously an extremely serious
> consequence) I'm all for it as opposed to reorganizing.  Remember though,
> ICANN are the ones who approved a Waiting List service for Verisign.  It
> seems to me that they wouldn't be interested in enforcing some of these more
> serious issues.

Re: [Full-Disclosure] new virus: (fwd)

2003-09-19 Thread Exibar
it is the SWEN virus.  I've received dozens of them, McAfee picks it up as
Swen,  have no reason to doubt it :-)

 Exibar


- Original Message - 
From: "Ron Clark" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 19, 2003 11:43 AM
Subject: Re: [Full-Disclosure] new virus: (fwd)


>
>
> -- Forwarded message --
> Date: Fri, 19 Sep 2003 18:22:00 +0300
> From: Eero Volotinen <[EMAIL PROTECTED]>
> To: Ron Clark <[EMAIL PROTECTED]>
> Subject: Re: [Full-Disclosure] new virus:
>
> Yes, it's swan virus.
>
> --
> Eero
>
> If you meant swen, this doesn't look like swen. Nothing mentioning
> micro$oft
>
> The test of the email is :
> >
> >Hi.
> >I'm sorry to have to inform you that I wasn't able to deliver your
> >message to the following addresses:
> >
> >
> >
> >Undelivered message to [EMAIL PROTECTED]
>
>
>  with an audio attachment
>
> - Original Message -
> From: "Ron Clark" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, September 19, 2003 5:38 PM
> Subject: [Full-Disclosure] new virus:
>
>
> >
> > Has anyone seen an email going around with subject bug message
> > containing a supposed audio attachment that is really an exe named
> > ckcwr.exe.
> >
> > Is this a possible new virus? I have received numerous copies of this
> > email since last night.
> >
> > Ron Clark
> > System Administrator
> > Armstrong Atlantic State University
> >
> >
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: [Full-Disclosure] Petition against VeriSlime's DNS abuse

2003-09-19 Thread Exibar
It DOES work for me :-)  I'm running Windows XP w/sp1 and all patches.

  Here's a cut/paste of the web page I get sent to, of course the actual
page is prettier.

Google
Error


Not Found
The requested URL
/lpc?url=www.verisign-can-suck-my-balls.com&host=www.verisign-can-suck-my-balls.com was not found on this server.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Michael J
McCafferty
Sent: Friday, September 19, 2003 11:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [inbox] Re: [Full-Disclosure] Petition against VeriSlime's
DNS abuse



No, that won't work. That'll only send you to Google if you request
sitefinder.verisign.com specifically. It will not send you to Google if you
misspell the domain. If you wanted to see Google, you would have to have
the misspelled domain in your hosts file.


At 08:34 PM 9/19/2003 -0400, you wrote:
>
>nah, all you need is to enter the following line in your HOSTS file:
>
>216.239.53.99 sitefinder.verisign.com
>
>   That way you'll get google's error message and never have to see
> Verisign's shit again :-)
>
>   Exibar

**
Michael J. McCafferty
Principal, Security Engineer
M5 Computer Security
858-576-7325 Voice
http://www.m5computersecurity.com
**
--- "If you build it, they will hack !" ---


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Using your HOSTS file to avoid seeing sightfinder (WAS: Petition against VeriSlime's DNS abuse)

2003-09-20 Thread Exibar
It sounds like it's cached perhaps as you mentioned.  After saving your
HOSTS file, head out to www.verisign-can-suck-my-hairy-balls.com and hit
CTRL-F5.  If you get sitefinder and not Google's error page, the CTRL-F5 will
refresh from the server and not from cache.

  It really does work for me here, really really :0-)

  Exibar

-Original Message-
From: Michael J McCafferty [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 20, 2003 2:11 PM
To: Exibar; [EMAIL PROTECTED]
Subject: RE: [inbox] Re: [Full-Disclosure] Petition against VeriSlime's
DNS abuse



Interesting. When I read your message I thought about it, then tried it. It
did NOT work for me, on my XP SP1 all patches. Maybe the sitefinder IP is
cached for me somewhere.

The problem though is that the path is gibberish to Google. If only Google
put a search box on their error page. :o)

At 01:56 AM 9/20/2003 -0400, Exibar wrote:
>It DOES work for me :-)  I'm running Windows XP w/sp1 and all patches.
>
>   Here's a cut/paste of the web page I get sent too, of course the actual
>page is prettier.
>
>Google
>Error
>
>
>Not Found
>The requested URL
>/lpc?url=www.verisign-can-suck-my-balls.com&host=www.verisign-can-suck-my-balls.com was not found on this server.
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] Behalf Of Michael J
>McCafferty
>Sent: Friday, September 19, 2003 11:56 PM
>To: [EMAIL PROTECTED]
>Subject: RE: [inbox] Re: [Full-Disclosure] Petition against VeriSlime's
>DNS abuse
>
>
>
>No, that won't work. That'll only send you to Google if you request
>sitefinder.verisign.com specifically. It will not send you to Google if you
>misspell the domain. If you wanted to see Google, you would have to have
>the misspelled domain in your hosts file.
>
>
>At 08:34 PM 9/19/2003 -0400, you wrote:
> >
> >nah, all you need is to enter the following line in your HOSTS file:
> >
> >216.239.53.99 sitefinder.verisign.com
> >
> >   That way you'll get google's error message and never have to see
> > Verisign's shit again :-)
> >
> >   Exibar
>
>**
>Michael J. McCafferty
>Principal, Security Engineer
>M5 Computer Security
>858-576-7325 Voice
>http://www.m5computersecurity.com
>**
>--- "If you build it, they will hack !" ---
>

**
Michael J. McCafferty
Principal, Security Engineer
M5 Computer Security
858-576-7325 Voice
http://www.m5computersecurity.com
**
--- "If you build it, they will hack !" ---


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [spam] Re: [Full-Disclosure] Verisign abusing .COM/.NET monopoly, BIND releases new

2003-09-20 Thread Exibar
I'm actually surprised that they DON'T have X10 ads or some other ads up
there already!  Hell, if you're going to do it, really fucking do it!

   I have no idea how many hits sitefinder is getting, but it must be quite
a few, hundreds of thousands a day maybe?  We are talking the ENTIRE 'net
here after all...  If you owned a business, how much would you pay for your
ad to be seen tens of millions of times a week?

 Exibar

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Craig Pratt
Sent: Wednesday, September 17, 2003 2:08 AM
To: Joshua Levitsky
Cc: [EMAIL PROTECTED]
Subject: [spam] Re: [Full-Disclosure] Verisign abusing .COM/.NET
monopoly, BIND releases new


Wow. This is amazing - and quite sad.

If you don't appreciate what this means, open your web browser, and
enter an URL by running your hand across the keyboard, and add ".com"
or ".net" at the end.

e.g. http://fbbgqqweffewq.com

Expecting a "server not found" message? Guess again:

   We didn't find: "fbbgqqweffewq.com"
   There is no Web site at this address.

   Search the Web: 

   Search Popular Categories:

  Travel  Entertainment  Gambling  Shopping  Gifts  ...

   Copyright© 2003 VeriSign, Inc. All Rights Reserved

There are lots of DNS implications for this, not to mention wasted
network bandwidth and caching proxy server. Perhaps people can start
billing VeriSign for these wasted resources?

Next thing you know, they'll be selling banner ads up there for casinos
and X10 equipment.

Craig

On Tuesday, Sep 16, 2003, at 21:50 US/Pacific, Joshua Levitsky wrote:
>
> On Sep 17, 2003, at 12:42 AM, Joshua Levitsky wrote:
>
>> On Sep 16, 2003, at 11:16 PM, Thor Larholm wrote:
>>
>>> Mail administrators
>>> who use any non-existant DNSBL to mark email as spam suddenly has all
>>> their mails deleted,
>>
>> Actually I figured out how to use it to my advantage. I query "."
>> which is my own DNS server of course as a ip4r blacklist and if the
>> IP for verisign's site is returned then I give the spam a very high
>> score. Any domain that doesn't exist would fail this, but any other
>> domain would not return that IP, but rather the proper IP.  I'm still
>> pissed at Verisign, but I always try to turn a problem in to an
>> opportunity so now I'm using their greed to block spam.
>>
>
> Just to clarify my own post. I meant a right hand side test so it is
> checking the address that the sender is claiming is theirs rather than
> how you typically check the host that is handing the mail to you.
> (It's late and I clicked send too quick.)
>
> -Josh
>



___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
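Two points in the Site Finder threads above lend themselves to a small offline model: McCafferty's objection that a HOSTS entry for sitefinder.verisign.com cannot catch a misspelled domain (the TLD wildcard hands the browser an address directly, so that hostname is never looked up), and Levitsky's trick of treating a sender domain that resolves to the wildcard address as nonexistent. The Python below is an added example, not code from any poster; the wildcard address 198.51.100.7, the zone data and the stub resolver are constructed, and the random-probe wildcard detection is a general technique the thread does not spell out.

```python
"""Model of a TLD wildcard (the Site Finder behaviour discussed in the thread)
and two defender-side checks built on it.  Added example, not code from the
thread; all addresses and the stub resolver are constructed, and no real DNS
traffic is sent."""
import secrets
import string
from typing import Callable, Dict, Optional

# A resolver maps a hostname to its A record, or None for an honest NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

GOOGLE_ERROR_IP = "216.239.53.99"  # the address from the HOSTS-file suggestion in the thread
WILDCARD_IP = "198.51.100.7"       # constructed stand-in for the registry's wildcard host


def make_stub_resolver(hosts: Dict[str, str], zone: Dict[str, str],
                       wildcard: Dict[str, str]) -> Resolver:
    """Build an offline resolver that behaves like a client during the wildcard
    episode: the HOSTS file wins for an exact hostname match only, then real
    zone data, then the TLD's wildcard answers every remaining name."""
    def resolve(name: str) -> Optional[str]:
        name = name.lower().rstrip(".")
        if name in hosts:          # HOSTS entries never match any other name
            return hosts[name]
        if name in zone:
            return zone[name]
        tld = name.rsplit(".", 1)[-1]
        return wildcard.get(tld)   # None == NXDOMAIN for a TLD without a wildcard
    return resolve


def random_label(length: int = 16) -> str:
    """A label no registrant is realistically using, for wildcard probing."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def detect_wildcard(resolve: Resolver, tld: str, probes: int = 3) -> Optional[str]:
    """Resolve several random names under the TLD.  A correctly behaving TLD
    returns NXDOMAIN for all of them; if they all come back with one and the
    same address, that address is the synthesized wildcard answer."""
    answers = {resolve(f"{random_label()}.{tld}") for _ in range(probes)}
    if len(answers) == 1 and None not in answers:
        return answers.pop()
    return None


def sender_domain_exists(resolve: Resolver, domain: str,
                         wildcard_ip: Optional[str]) -> bool:
    """Right-hand-side check in the spirit of the thread: a sender domain that
    resolves only to the wildcard address is treated as nonexistent, which is
    what an honest NXDOMAIN would have said before the wildcard appeared."""
    ip = resolve(domain)
    if ip is None:
        return False
    return ip != wildcard_ip


def hosts_override_covers(resolve: Resolver, typo_domain: str) -> bool:
    """True only if the HOSTS entry changes where a misspelled domain lands.
    It cannot: the entry matches sitefinder.verisign.com by name, while the
    wildcard hands out an address for the misspelled name directly."""
    return resolve(typo_domain) == GOOGLE_ERROR_IP


def demo() -> Dict[str, object]:
    """Assemble the constructed scenario and return the results of each check."""
    hosts = {"sitefinder.verisign.com": GOOGLE_ERROR_IP}
    zone = {"example.com": "192.0.2.10",            # constructed legitimate names
            "example.org": "192.0.2.20",
            "sitefinder.verisign.com": WILDCARD_IP}
    wildcard = {"com": WILDCARD_IP, "net": WILDCARD_IP}  # .org left honest
    resolve = make_stub_resolver(hosts, zone, wildcard)
    com_wild = detect_wildcard(resolve, "com")
    return {
        "com_wildcard": com_wild,
        "org_wildcard": detect_wildcard(resolve, "org"),
        "hosts_helps_for_typo": hosts_override_covers(resolve, "verisgn-typo.com"),
        "hosts_helps_direct": resolve("sitefinder.verisign.com") == GOOGLE_ERROR_IP,
        "real_sender_ok": sender_domain_exists(resolve, "example.com", com_wild),
        "bogus_sender_ok": sender_domain_exists(resolve, "nosuch-sender-zz.com", com_wild),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The probe-and-compare step is what a resolver-side filter (the delegation-only style fix mentioned in the BIND thread) has to do continuously, since the registry can change the wildcard address at will.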


RE: [Full-Disclosure] Snort not backdoored, Sourcefire not compromised

2003-09-22 Thread Exibar
I knew it wasn't true :-)

  Although I did think the phrack 62 was real until I actually took the time
to read some of it after getting some sleep.  I even sent the sneeze article
to my IDS guru, talk about having egg on my face for a bit, he'll rag on me
for a few days due to this!

  Thanks for the official statement Marty and keep up the great work with
Snort!

   Exibar

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Martin
Roesch
Sent: Sunday, September 21, 2003 8:44 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: [Full-Disclosure] Snort not backdoored, Sourcefire not
compromised


It's come to my attention that some group is claiming to have broken
into a Sourcefire server and backdoored the Snort source code.   First
things first, there is no backdoor in Snort nor has there ever been,
everyone can relax.

A shell server got compromised well over a year ago, but what these
guys aren't telling you is that the network that it was on was not only
logically separate from the rest of the sourcefire.com domain, it was
also physically removed from it too (by about 23 miles, approximately
the distance from the Sourcefire office to my basement).  Yes, that's
right, they busted into a shell server that was maintained on a
physically separate network in my basement.  That particular machine
was maintained as a shell server for various people to log into so that
we can have a sacrificial box to use to chat on IRC without having to
worry about our real network getting compromised, and it has served its
purpose well.

While we do try to keep that system from suffering break-ins, we also
realize that many IRC clients aren't exactly the most secure pieces of
code in the world and sometimes there are problems in server code as
well (like apache and sshd), so we put together servers like that one
so that we can interact with people while minimizing the risks to the
company's networks and servers.  I thought this was fairly standard
practice for many security companies, maybe I'm wrong.

If you're wondering "how do you know the code isn't backdoored?", since
we know that that server is an "at risk" server we're not in the habit
of checking code into CVS from there.  If that's not good enough for
you, Snort has been through three code audits since March (one
Sourcefire internal, two third-party external) and there are most
definitively no backdoors in the code, nor were there any.

Hope that clears things up.

BTW, the sample code that they put into their little screed was nothing
more than an update of the 'stick' program from 2001, not really
anything to get worked up about.

  -Marty


--
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
[EMAIL PROTECTED] - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Re: [Full-Disclosure] RE: Probable new MS DCOM RPC worm for Windows

2003-09-25 Thread Exibar
I've seen the same thing but BEFORE MS03-039 came out.  I've had reports
from users stating that their network port had been turned off a number of
times and they're getting sick of it.  To quiet them down I'd add their
network port to an exclude list that wouldn't show up in the IDS (Snort) for
automatic Network port shutoff after the threshold is reached.

   My gut feeling is that Microsoft, in their haste to get MS03-026 out in
time for people to get their systems patched, used the 80/20 rule.  By that
I mean that they were only able to patch 80% of the conditions for
exploitation.  I think that's what Paul (and others) have seen.  Machines
patched for 026 but still able to be infected under certain, fairly rare
circumstances.  Microsoft took care of these remaining conditional holes
with MS03-039.

   But, my theory is just that, a theory.  And there very well could be a
variant of Welchia out there.  But, I would think that there would be more
infections or infection attempts than we are seeing now.  IMHO

  Exibar

- Original Message - 
From: "Derek Vadala" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, September 25, 2003 3:44 PM
Subject: [Full-Disclosure] RE: Probable new MS DCOM RPC worm for Windows


> > I'm thinking that there *has* to be a variant of Nachi/Welchia in the
> > wild.  We have machines that were patched for MS03-026 (verified by
> > scanning with multiple scanners) but not patched for MS03-039 (ditto)
> > and they have been infected by something that triggers my Nachi rule in
> > snort.  This should *not* be possible with the "original" Nachi/Welchia,
> > so my assumption is that either something new has been released or the
> > worm has mutated somehow.
> >
> > Mind you, this is anecdotal and a very small incidence (only three
> > machines so far), but it still bears watching IMHO.  I've been surprised
> > to not see any discussion on the lists about a new variant.  Perhaps no
> > one is looking?
> >
> > Paul Schmehl ([EMAIL PROTECTED])
>
> We've seen the same thing over here. I've had a handful of machines
> (perhaps 15-20 out of 2500) here that were reported to be patched against
> MS03-026 yet became infected with Welchia. These machines were not patched
> against MS03-039. One possibility is that the systems were already
> infected with Welchia at the time they were patched against MS03-026.
>
> I know of at least one or two cases here where the technical support
> person assigned to fix a particular system didn't appropriately follow the
> removal procedures and left a patched, but infected, system. I have to
> assume this is happening without notice in other cases, since there
> haven't been reports of a variant, and the number of systems in this
> situation is rather low.
>
> So I'm betting user error, though I find it hard to believe there isn't
> another variant making the rounds.
>
>
>
>



RE: [spam] Re: [Full-Disclosure] MS03-040 October cumulative patch for IE

2003-10-04 Thread Exibar
Hi Nick and all!
I think that this patch fixes the QHOSTS1 hole and perhaps the hole that
caused the Half Life 2 source code to be compromised with.  Valve software
is no doubt a big hitter for Microsoft so I'm sure they complained and MS
listened by releasing this patch.  Which in my opinion is a fix for
MS03-032....

  Exibar

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Nick
FitzGerald
Sent: Saturday, October 04, 2003 1:51 AM
To: [EMAIL PROTECTED]
Subject: [spam] Re: [Full-Disclosure] MS03-040 October cumulative patch
for IE


"Jerry Heidtke" <[EMAIL PROTECTED]> wrote:

> Just when we got used to Wednesday afternoon security bulletins from
> Microsoft, they decide to release one on Friday evening.
>
> http://www.microsoft.com/technet/security/bulletin/ms03-040.asp
>
> It allegedly fixes the object tag/hta types of vulnerabilities.

Yep -- this deviation from "patches are released on Wednesday"
practice presumably suggests how darn critical MS rates this bug.

You have to wonder though when they'll work out there are thirty-something
others that in various combinations are just as bad...

   http://www.pivx.com/larholm/unpatched/

Perhaps it will take more worms and clearly malicious use such as we
have seen with the Object Data Type flaw, including the associated
media coverage, to get them all fixed too??


--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854




RE: [spam] RE: [Full-Disclosure] Bush Bashing (use to be Has Verisign time arrived ?)

2003-10-04 Thread Exibar
Hear Hear!   did I hear the US National Anthem in the background while I was
reading your post?  I think I did!  :-)

  I agree 100%!  I could care less what those who live in other countries
say, because they know deep down, that if they were the victims of a 9/11
type attack, they would be asking the good old USA for help.  And we WOULD
help them, even if they are from Australia, France, Germany, etc

  Exibar

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dark Avenger
Sent: Saturday, October 04, 2003 9:52 PM
To: [EMAIL PROTECTED]
Subject: [spam] RE: [Full-Disclosure] Bush Bashing (use to be Has
Verisign time arrived ?)


This isn't the place to discuss political and personal views of our
country and leadership, but you 2 just opened the door.

This is typical liberal dribble attacking our president for an "immoral
war" and being "weird". Your only agenda is to try to discredit an
administration that finally has some morals and integrity and does
what's right for the country (and even for the ungrateful world
community), unlike the prior administration.

Where were your criticisms when the Clinton administration launched
cruise missiles into Iraq without UN approval?
Where were your criticisms when the Clinton administration attacked
Serbia without UN, or even Congress' approval?
Where were your criticisms when the Clinton administration bombed an
aspirin factory?

Now this isn't about the Clinton administration, but it illustrates the
level of hypocrisy of those that bash the current administration.

Every nation in the UN agreed that Iraq had weapons of mass destruction,
so you can't pin the label on the Bush administration, as if they lied
about it and used it as the only reason to liberate the Iraqi people.
This was only 1 of many reasons for going into Iraq, and the liberals
are trying to cast it as the only reason.

People like you seem to forget or ignore the 17 UN resolutions that Iraq
had violated. And how the UN doesn't have enough backbone to enforce
their own resolutions.

You seem to forget or ignore the routine and systematic torture and
execution of political prisoners that Saddam's regime carried out.

You seem to forget or ignore their use of chemical weapons against Iran
that resulted in an estimated 600,000 to 1,000,000 Iraqi Kurds and
Iranians dead in 1980 - 1988. This in itself proves he had weapons of
mass destruction, and everyone knows it. They hid entire squads of
fighter jets underneath the desert sands, showing how easy it would be
to hide small barrels of chemical and biological agents.

You seem to forget or ignore their invasion of Kuwait in 1990-1991.

You seem to forget or ignore the bloody mass killings of 30,000 to
60,000 Kurds and Shiites in 1991.

You seem to forget or ignore the Rape rooms and imprisoned children and
execution rooms used regularly by this regime. And how the women were
suppressed and made 2nd class citizens by not being able to be seen in
public, or drive, or go to school, or vote (vote? what a laugh, even for
those who could).

Thank God we finally have an administration that is willing to do what's
right to protect us all. This new world we live in since 9/11/2001 (of
course you've forgotten about that too, I'm sure) requires us to take
the battle to the terrorists and their allies before they take it to us.
Do you actually think for one minute that Iraq wouldn't hand over WMD to
terrorists with the intent of using them on our homeland? This is a
pro-active approach to warding off terrorism before it hits again. If
this administration hadn't taken this approach, and then we had an
attack on LA, or San Francisco, or any other place in the US, then you
would have been bashing the administration for not protecting you. If
France, or Germany, or any other nation on this earth had been attacked
like we were, then who do you think would be the first people they
called upon to help them out? And we would have done it without hesitation.

I could go on and on, but this has already turned out to be longer than
I expected. But we should all be grateful for the actions this
administration is taking to make sure we are safer in our homes, despite
the bashings of liberals like you.

God Bless the USA, and yes, the President too



 Original Message 
Subject:RE: [Full-Disclosure] Has Verisign time arrived ?
Date:   Sat, 4 Oct 2003 05:12:49 -0700
From:   Poof <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>



Hey... No need to personally bash somebody...

He's not stupid for liking it... He's just weird...

Erk!

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:full-disclosure-
> [EMAIL PROTECTED] On Behalf Of Nick FitzGerald
> Sent: Saturday, October 04, 2003 02:50
> To: [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] Has Verisign time arrived ?

RE: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m

2003-10-09 Thread Exibar
Well, I think it's ridiculous.  What they are proposing is the removal of
our 1st amendment rights, our God Given Rights of free speech.

  It will be a very sad day if SunnComm wins this lawsuit.  Who will they go
after next, Encyclopedia Britannica for illustrating how a bomb works?  or
for illustrating how a lock works?  or for illustrating how a computer
works?

  I know, why don't they sue Microsoft for documenting how to shut off the
"auto-run" feature in Windows?  Why don't they sue Microsoft for documenting
how to kill a process from running?

  SunnComm and company are all idiots, the only thing that they are doing by
this lawsuit is pushing the same information that they don't want people to
know onto the nightly news so even our grandmothers will know how to shut it
off.
  I think SunnComm has an inferior product that they probably paid their
engineers millions of dollars to come up with only to have the workaround to
be to "jiggle the handle".  Yes, I intentionally used a toilet reference
because that's what I think of their product, let them sue me about that!

 Exibar


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Richard M.
Smith
Sent: Thursday, October 09, 2003 6:53 PM
To: [EMAIL PROTECTED]
Subject: [spam] RE: [Full-Disclosure] SunnComm to sue 'Shift key'
student for $10m


Here's the SunnComm press release:

SunnComm CEO Says Princeton Report Critical of its
MediaMax CD Copy Management Technology Contains
Erroneous Assumptions and Conclusions

http://biz.yahoo.com/bw/031009/95573_1.html

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeremiah
Cornelius
Sent: Thursday, October 09, 2003 6:09 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Ahhh...  The wildest, satirical speculations on FullDisclosure come to
fruition in a court of law.  Let the games begin!




Re: [Full-Disclosure] FW: Last Microsoft Patch

2003-10-15 Thread Exibar



You're CISSP, GSEC, MCSE+I, CNE, and CCDA and you actually think this is a
real patch from Microsoft?

  I doubt if anyone will believe that you earned those premium certs after
reading this last message from you....

 Exibar

- Original Message - 
From: Curt Purdy
To: [EMAIL PROTECTED]
Sent: Wednesday, October 15, 2003 3:04 PM
Subject: [Full-Disclosure] FW: Last Microsoft Patch

Anybody else get this?  Looks legit, originating address is from msnbc.com.
But can't believe even Microsoft would be this stupid after the rash of
trojan-attached "patch announcements" lately.  Plus all security people have
been saying that Microsoft would never email a patch out.  Or are they
thinking, "Send this out so all the stupid people will click on this before
they click on a real trojan?"

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
[EMAIL PROTECTED]

If you spend more on coffee than on IT security, you will be hacked. What's
more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical
Services
Sent: Tuesday, October 14, 2003 11:33 AM
To: MS Corporation User
Subject: [inbox] [admin] Last Microsoft Patch

Microsoft
All Products | Support | Search | Microsoft.com Guide

Microsoft Home

Microsoft User

this is the latest version of security update, the "October 2003, Cumulative
Patch" update which eliminates all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express as well as three new
vulnerabilities. Install now to help protect your computer from these
vulnerabilities, the most serious of which could allow an malicious user to
run code on your system. This update includes the functionality of all
previously released patches.

System requirements
Windows 95/98/Me/2000/NT/XP

This update applies to
MS Internet Explorer, version 4.01 and later
MS Outlook, version 8.00 and later
MS Outlook Express, version 4.01 and later

Recommendation
Customers should install the patch at the earliest opportunity.

How to install
Run attached file. Choose Yes on displayed dialog box.

How to use
You don't need to do anything after installing this item.

Microsoft Product Support Services and Knowledge Base articles can be found
on the Microsoft Technical Support web site. For security-related
information about Microsoft products, please visit the Microsoft Security
Advisor web site, or Contact Us.

Thank you for using Microsoft products.

Please do not reply to this message. It was sent from an unmonitored e-mail
address and we are unable to respond to any replies.

The names of the actual companies and products mentioned herein are the
trademarks of their respective owners.

Contact Us | Legal | TRUSTe

©2003 Microsoft Corporation. All rights reserved. Terms of Use | Privacy
Statement | Accessibility

Re: [Full-Disclosure] FW: Last Microsoft Patch

2003-10-15 Thread Exibar
Well, I was able to verify his GSEC.  By far the easiest of the certs he's
listed to attain.

You would think that with at least a verified GSEC cert, that he would have
been able to recognize what that message really was  I would have almost
bet money that ANY CISSP would be able to tell what that message really
was.

 ok, ok, even with a million certs you're still not expected to know
everything but sheesh even my wife knows what that message really was
and she "only" has a bachelor's degree!


Exibar


- Original Message - 
From: "Poof" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 15, 2003 10:56 PM
Subject: RE: [Full-Disclosure] FW: Last Microsoft Patch


> Maybe they're giving those certs out now with every icee or something you
> buy.
>
> Must be it!
>
>
> ____
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Exibar
> Sent: Wednesday, October 15, 2003 18:13
> To: Curt Purdy; [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] FW: Last Microsoft Patch
>
> You're CISSP, GSEC,MCSE+I,CNE, and CCDA and you actually think this is a
> real patch from Microsoft?
>
> I doubt if anyone will believe that you earned those premium certs after
> reading this last message from you
>
> Exibar
> - Original Message - 
> From: Curt Purdy
> To: [EMAIL PROTECTED]
> Sent: Wednesday, October 15, 2003 3:04 PM
> Subject: [Full-Disclosure] FW: Last Microsoft Patch
>
> Anybody else get this? Looks legit, originating address is from msnbc.com.
> But can't believe even Microsoft would be this stupid after the rash of
> trojan-attached "patch announcements" lately. Plus all security people have
> been saying that Microsoft would never email a patch out. Or are they
> thinking, "Send this out so all the stupid people will click on this before
> they click on a real trojan?
> Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
> Information Security Engineer
> DP Solutions
> [EMAIL PROTECTED]
>  
> If you spend more on coffee than on IT security, you will be hacked.
> What's more, you deserve to be hacked.
> -- former White House cybersecurity czar Richard Clarke
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Technical
> Services
> Sent: Tuesday, October 14, 2003 11:33 AM
> To: MS Corporation User
> Subject: [inbox] [admin] Last Microsoft Patch
> Microsoft
> All Products | Support | Search | Microsoft.com Guide
>
> Microsoft Home
>
> Microsoft User
>
> this is the latest version of security update, the "October 2003, Cumulative
> Patch" update which eliminates all known security vulnerabilities affecting
> MS Internet Explorer, MS Outlook and MS Outlook Express as well as three new
> vulnerabilities. Install now to help protect your computer from these
> vulnerabilities, the most serious of which could allow an malicious user to
> run code on your system. This update includes the functionality of all
> previously released patches.
>
> System requirements
> Windows 95/98/Me/2000/NT/XP
> This update applies to
> MS Internet Explorer, version 4.01 and later
> MS Outlook, version 8.00 and later
> MS Outlook Express, version 4.01 and later
> Recommendation
> Customers should install the patch at the earliest opportunity.
> How to install
> Run attached file. Choose Yes on displayed dialog box.
> How to use
> You don't need to do anything after installing this item.
>
> Microsoft Product Support Services and Knowledge Base articles can be found
> on the Microsoft Technical Support web site. For security-related
> information about Microsoft products, please visit the Microsoft Security
> Advisor web site, or Contact Us.
>
> Thank you for using Microsoft products.
>
> Please do not reply to this message. It was sent from an unmonitored e-mail
> address and we are unable to respond to any replies.
> 
> The names of the actual companies and products mentioned herein are the
> trademarks of their respective owners.
>
>
> Contact Us | Legal | TRUSTe
>
> ©2003 Microsoft Corporation. All rights reserved. Terms of Use | Privacy
> Statement | Accessibility
>
>



Re: [Full-Disclosure] FW: Last Microsoft Patch

2003-10-16 Thread Exibar
You are correct, we cannot verify that Curt Purdy is his real name.  I just
didn't want to go there :-)

  Exibar

- Original Message - 
From: "petard" <[EMAIL PROTECTED]>
To: "Exibar" <[EMAIL PROTECTED]>
Cc: "Poof" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, October 16, 2003 9:49 AM
Subject: Re: [Full-Disclosure] FW: Last Microsoft Patch


> On Thu, Oct 16, 2003 at 12:14:32AM -0400, Exibar wrote:
> > Well, I was able to verify his GSEC.  By far the easiest of the certs he's
> > listed to attain.
> >
> You verified Curt Purdy's certification. Congratulations. Now verify that
> Curt Purdy posted the message. (I'm not claiming that he did or didn't,
> and don't know Curt Purdy at all.) You, like the OP, might be putting
> too much trust in where an email says it's from.
>
> His misplaced trust *is* more blatant than yours though :-)
>
> Regards,
>
> petard
>
>
> --
> If your message really might be confidential, download my PGP key here:
> http://petard.freeshell.org/petard.asc
> and encrypt it. Otherwise, save bandwidth and lose the disclaimer.

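Added example, not code from this thread: a triage routine for the kind of "patch" mail Curt forwarded. It scores the signals the thread calls out (a patch arriving as an executable attachment, with "run attached file" instructions, from a sender that is not the vendor) and, following petard's point, treats the From: header as forgeable, so a domain mismatch counts against a message but a match proves nothing. The bait and the benign message are constructed; the sender addresses, attachment name and attachment bytes are placeholders.

```python
"""Triage an e-mail that claims to carry a vendor patch (added example)."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed after the forwarded text, abridged.
BAIT_BODY = """\
Microsoft User

this is the latest version of security update, the "October 2003,
Cumulative Patch" update which eliminates all known security vulnerabilities
affecting MS Internet Explorer, MS Outlook and MS Outlook Express.

How to install
Run attached file. Choose Yes on displayed dialog box.
"""

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def build_bait_sample():
    """Constructed look-alike of the forwarded message, as raw message bytes."""
    msg = EmailMessage()
    msg["From"] = "Technical Services <updates@ms-corp.example>"  # placeholder
    msg["To"] = "MS Corporation User <user@corp.example>"          # placeholder
    msg["Subject"] = "[admin] Last Microsoft Patch"
    msg.set_content(BAIT_BODY)
    msg.add_attachment(b"MZ\x90\x00 constructed, not a real binary",
                       maintype="application", subtype="octet-stream",
                       filename="q-patch.exe")  # placeholder name
    return msg.as_bytes()


def build_benign_sample():
    """A plain message that mentions Microsoft but has none of the bait traits."""
    msg = EmailMessage()
    msg["From"] = "Colleague <colleague@corp.example>"  # placeholder
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Lunch"
    msg.set_content("Read the Microsoft bulletin on their web site, then lunch?")
    return msg.as_bytes()


def assess_patch_mail(raw):
    """Return the list of reasons this message looks like a fake patch."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    sender = parseaddr(str(msg["From"] or ""))[1]
    domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg['Subject'] or ''}\n{body}".lower()

    # From: is trivially forged, so this check only works one way: a mismatch
    # is suspicious, a match is not evidence that the vendor sent it.
    if "microsoft" in text and not domain.endswith("microsoft.com"):
        reasons.append(f"claims Microsoft origin but From: domain is {domain!r}")

    executables = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_SUFFIXES) or part.get_content_type() in EXECUTABLE_TYPES:
            executables.append(name or part.get_content_type())
    for name in executables:
        reasons.append(f"executable attachment {name!r}")

    if re.search(r"\brun (the )?attached file\b", text):
        reasons.append("instructs the recipient to run the attachment")

    # The point the thread agrees on: vendors publish patches on their own
    # site, they do not e-mail them. Patch wording plus an executable is bait.
    if executables and re.search(r"\b(patch|security update|cumulative)\b", text):
        reasons.append("vendor patch delivered as an e-mail attachment")
    return reasons


def is_fake_patch(raw, threshold=2):
    """True when at least `threshold` (an assumed value) independent signals fire."""
    return len(assess_patch_mail(raw)) >= threshold


if __name__ == "__main__":
    for reason in assess_patch_mail(build_bait_sample()):
        print("-", reason)
```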


Re: [Full-Disclosure] FW: Last Microsoft Patch

2003-10-16 Thread Exibar
Eric Cole is a great presenter, he presented during one of the 5 days for
Track 4 when I took it last year (and attained the GCIH cert).

  Everyone can't know everything right? and egg wipes off the face pretty
easily :-)

  Exibar

- Original Message - 
From: "Curt Purdy" <[EMAIL PROTECTED]>
To: "'petard'" <[EMAIL PROTECTED]>; "'Exibar'" <[EMAIL PROTECTED]>
Cc: "'Poof'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, October 16, 2003 12:00 PM
Subject: Re: [Full-Disclosure] FW: Last Microsoft Patch


> > On Thu, Oct 16, 2003 at 12:14:32AM -0400, Exibar wrote:
> > > Well, I was able to verify his GSEC.  By far the easiest of
> > the certs he's
> > > listed to attain.
>
> Actually, I beg to differ.  Never went to a school or training for any of
> them but the GSEC.  The special 8x12-hour-day SANS conference in D.C. last
> year was awesome.  You either came out of there scared s___less or with a
> head 2 hat-sizes bigger.  Anyone who takes it, try to get Eric Cole, a real
> brain and great teacher.  The course is worth it for anyone in infosec,
> whether you want the cert or not.
>
> As for the certs I prefer getting them from experience vs. boot-camp, more
> meaningful to me.  As for the easiest, unquestionably the CISSP followed by
> the CCDA, also have CCNA which was even easier, but I ran out of room ;) I
> just put CISSP first because it seems to be so well respected.
>
> As for the snipes on my unfamiliarity with Swen, I am blushing, but I have
> also just finished a month-long security audit for a HIPAA client and have
> not kept up like I should have.
>
> Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
> Information Security Engineer
> DP Solutions
>
> 
>
> If you spend more on coffee than on IT security, you will be hacked.
> What's more, you deserve to be hacked.
> -- White House cybersecurity adviser Richard Clarke
>



Re: [Full-Disclosure] NASA.GOV SQL Injections

2003-10-17 Thread Exibar
I had the pleasure of meeting one of NASA's IT guys this week actually.  He
could certainly be considered "the cream of the crop".  If all NASA IT guys
are like him, then NASA certainly has the "best of the best" employed there.
I would also say that yes, even the janitor requires a full background check
and security clearance, to some degree.  I'm sure that there are areas where
even the 1% have to clean up after themselves every day due to the
sensitivity of their work.

  Why would anyone think that NASA wouldn't hire the best of the best, even
for administrative work?  It's not like they're raking leaves for a living,
they send people to the Moon and beyond :-)

  Exibar

- Original Message - 
From: "Jonathan A. Zdziarski" <[EMAIL PROTECTED]>
To: "Schmehl, Paul L" <[EMAIL PROTECTED]>
Cc: "full-disclosure" <[EMAIL PROTECTED]>
Sent: Friday, October 17, 2003 12:28 PM
Subject: RE: [Full-Disclosure] NASA.GOV SQL Injections


> > No offense meant to the fine IT people at NASA, but do you seriously
> > believe that the one-percenters are securing the network?  As opposed to
> > say, figuring out how to land a rover on Mars, how to keep astronauts
> > alive in space, how to overcome the long-term negative effects of zero
> > gravity, etc., etc.???
>
> Maybe I'm not as familiar with NASA as others might be, but I would
> think NASA would try and hire the most gifted IT people they could find
> (e.g. the cream of the crop).  Since I've never run into one, I can't
> prove this theory - I suppose it's possible they're all morons...but if
> I had the resources NASA has, there wouldn't be any idiots working for
> me.
>
> I wonder if their janitors require security clearance just to work
> there...if that's the case their IT people are most likely l33t.
>
>



Re: [Full-Disclosure] Bugtraq?

2003-10-19 Thread Exibar
Bugtraq and NTbugtraq have gone downhill since Symantec bought them up
'tis a shame really...

 Exibar


- Original Message - 
From: "David" <[EMAIL PROTECTED]>
To: "morning_wood" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Sunday, October 19, 2003 3:55 PM
Subject: Re: [Full-Disclosure] Bugtraq?


> morning_wood wrote:
> > hmmm.. bugtraqs empty
> > http://www.securityfocus.org/archive/1
> >
> > is it me or ... ?
>
> I haven't gotten any emails from it for the last 2 days, it might be broke.
>
> >
> > Oct 19, 2003 11pm
> > morning_wood
> >
> >
>
>



Re: [Full-Disclosure] Bugtraq?

2003-10-19 Thread Exibar
Oops!  There go my fingers typing faster than I can think again!  I meant
to say that just BugTraq has seemingly gone downhill since Symantec bought
them.
  Russ Cooper is still doing a good job with NTBugTraq, no complaints here.
Sorry 'bout that Russ!  :-)

  Exibar

- Original Message - 
From: "Nick FitzGerald" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, October 19, 2003 11:34 PM
Subject: Re: [Full-Disclosure] Bugtraq?


> "Exibar" <[EMAIL PROTECTED]> wrote:
>
> > Bugtraq and NTbugtraq have gone downhill since Symantec bought them up
> > 'tis a shame really...
>
> I think you'll find TruSecure bought NTBugtraq...
>
>
> Regards,
>
> Nick FitzGerald
>



Re: [Full-Disclosure] Windows hosts file changing.

2003-10-22 Thread Exibar
I have seen qhosts act in strange ways.  Qhosts does indeed edit the HOSTS
file, sometimes will add those registry keys but not all.  Sometimes it will
add the reg keys but leave the HOSTS file alone.  I've seen it replace the
real HOSTS file, and I've also seen it add a new HOSTS file into the temp
directory.

  Qhosts doesn't always respond predictably from what I've seen.

  Exibar


- Original Message - 
From: "Brian Eckman" <[EMAIL PROTECTED]>
To: "David Gianndrea" <[EMAIL PROTECTED]>
Cc: "Kevin Gerry" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, October 22, 2003 9:50 AM
Subject: Re: [Full-Disclosure] Windows hosts file changing.


>
>
> David Gianndrea wrote:
> > Kind of sounds like this...
> >
> > http://vil.nai.com/vil/content/v_100719.htm
> >
> >
> > Kevin Gerry wrote:
> >
> >> Does -ANYBODY- know how it occurs?
> >>
> >> I've had this happen to a couple boxes of mine now...
> >>
> >> New one:
> >> -- 
> >> 127.0.0.1       localhost
> >> 66.40.16.131    livesexlist.com
> >> 66.40.16.131    lanasbigboobs.com
> >> 66.40.16.131    thumbnailpost.com
> >> 66.40.16.131    adult-series.com
> >> 66.40.16.131    www.livesexlist.com
> >> 66.40.16.131    www.lanasbigboobs.com
> >> 66.40.16.131    www.thumbnailpost.com
> >> 66.40.16.131    www.adult-series.com
> >> -- 
> >>
> >> Any idea how the search site is replacing that? =/ It's starting to
> >> piss me
> >> off =/ I had some custom information in there that's now overwritten (Not
> >> backed up)
> >>
> >> Thanks =/
>
>
> Actually, I don't think it sounds a damn thing like Qhosts.
>
> Qhosts modifies DHCP-issued DNS server settings in the registry, and
> creates a new HOSTS file and tweaks the registry to use that HOSTS file.
> It doesn't touch the original HOSTS file.
>
> This post exhibits no Qhosts behavior, and Qhosts doesn't exhibit any
> of this behavior. I think Daniel got it right - quit going to porn
> sites. Better yet, quit going to porn sites advertised in Spam.
>
> Also, to respond to another comment, the MS03-040 patch might *not*
> address this type of attack on a system. Internet Explorer fully patched
> with default settings *still* allows silent delivery and install of
> executables. POC was sent to this list weeks ago.
>
> Brian
> -- 
> Brian Eckman
> Security Analyst
> OIT Security and Assurance
> University of Minnesota
> 612-626-7737
>
> "There are 10 types of people in this world. Those who
> understand binary and those who don't."
>

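As an added example (not code from this thread), here is a small audit for the two behaviours the thread describes: a HOSTS file with many hostnames pinned to one public address, as in the file Kevin posted, and the trick Brian describes of leaving the original HOSTS file alone and repointing the TCP/IP stack at a new one through the registry. The sample file is constructed after the posted one with one benign intranet line added; the fan-in threshold and the example paths are assumptions noted in the comments.

```python
"""Audit a Windows HOSTS file for the hijacking discussed above (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample: the posted file with tabs restored, plus one benign
# intranet entry so the detector has something it must NOT flag.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.   (stock header line, constructed)
127.0.0.1\tlocalhost
10.0.0.5\tbuildbox.corp.example\t# constructed: legitimate intranet entry
66.40.16.131\tlivesexlist.com
66.40.16.131\tlanasbigboobs.com
66.40.16.131\tthumbnailpost.com
66.40.16.131\tadult-series.com
66.40.16.131\twww.livesexlist.com
66.40.16.131\twww.lanasbigboobs.com
66.40.16.131\twww.thumbnailpost.com
66.40.16.131\twww.adult-series.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; a fuller audit would report it
        for name in fields[1:]:
            entries.append((str(addr), name.lower()))
    return entries


def find_suspicious(entries, max_names_per_ip=3):
    """Heuristic findings as (ip, hostname(s), reason) tuples.

    Two signals, both visible in the posted file: a globally routable address
    hard-wired into HOSTS, and many hostnames funnelled to one address.
    max_names_per_ip=3 is an assumed threshold; tune it to the site's baseline.
    """
    findings = []
    names_by_ip = defaultdict(list)
    for ip, name in entries:
        names_by_ip[ip].append(name)
        if ipaddress.ip_address(ip).is_global:
            findings.append((ip, name, "public address pinned in HOSTS"))
    for ip, names in names_by_ip.items():
        if len(names) > max_names_per_ip and not ipaddress.ip_address(ip).is_loopback:
            findings.append((ip, ",".join(sorted(names)), "many hostnames share one address"))
    return findings


# Brian's point: Qhosts does not touch the original file, it repoints the stack
# at a new one. On Windows the lookup directory is the DataBasePath value under
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, whose stock value is
# %SystemRoot%\System32\drivers\etc. The value is passed in so this runs anywhere.
DEFAULT_DATABASE_TAIL = r"\system32\drivers\etc"


def database_path_is_default(value):
    """True when the configured lookup directory is still the stock drivers\\etc."""
    return value.strip().rstrip("\\").lower().endswith(DEFAULT_DATABASE_TAIL)


def audit(hosts_text, database_path):
    """Combine both checks into one report."""
    findings = find_suspicious(parse_hosts(hosts_text))
    path_ok = database_path_is_default(database_path)
    return {"hosts_findings": findings, "database_path_ok": path_ok,
            "suspect": bool(findings) or not path_ok}


if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS, r"%SystemRoot%\System32\drivers\etc")  # example value
    for ip, names, reason in report["hosts_findings"]:
        print(f"{reason}: {ip} -> {names}")
    print("DataBasePath still default:", report["database_path_ok"])
```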


Re: [Full-Disclosure] W2k users, local admin rights and GPOs

2003-10-29 Thread Exibar
It's actually very easy to prevent any policies from coming down to your
system if you have local admin rights.  What you do is first, delete the
policies from the registry, then deny everyone (except for a locally created
user) access to the policy key.  You'll see the failures in the event log
when a new policy attempts to get written.  Voila!  no more policies

  Easy as pie

  Exibar


- Original Message - 
From: "James Exim" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 29, 2003 3:50 AM
Subject: [Full-Disclosure] W2k users, local admin rights and GPOs


> It has been pointed out several times recently on the SF mailing lists that
> a W2k user with local administrator rights can prevent group policy
> application on his/her machine and there is apparently nothing the domain
> administrator(s) can do about it (see
> http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-ms/2003-09/0106.html
> for an example)
>
> Does anyone know exactly (a) how, and (b) why this is possible?  Is there
> really no workaround other than removing the users from the local
> Administrators group?  I keep discovering W2k machines where end users have
> been granted local admin rights (yuk!) and I'm trying to convince the
> relevant domain admins that, while this is an easy way to make legacy
> software work, it isn't such a great idea from a security point of view...
>
> Thanks,
>
> James
>



Re: [Full-Disclosure] Gates: 'You don't need perfect code' for good security

2003-10-31 Thread Exibar
What an idiot

   Take the loveletter worm: when it was first released, even if you had a
100% up-to-date AntiVirus software program, you would still get hit within
the first 8 hours.  Slammer, blaster, etc. all the same thing.  They took
advantage of holes in the OPERATING SYSTEM.

   Yes, we have ways of updating our VirusSoftware that work very very well;
McAfee has E-Policy Orchestrator, which I swear by.

  I'm not going to go on, but if Windows was as secure as Bill Gates and
company say it is, why were blaster, slammer, codered etc. even an issue?

   Exibar


- Original Message - 
From: "Jeremiah Cornelius" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 31, 2003 1:32 PM
Subject: [Full-Disclosure] Gates: 'You don't need perfect code' for good
security


>
> FLAME ON!
>
> http://www.itbusiness.ca/index.asp?theaction=61&sid=53897
>
> "But there are two other techniques: one is called firewalling and the other
> is called keeping the software up to date. None of these problems (viruses
> and worms) happened to people who did either one of those things. If you had
> your firewall set up the right way - and when I say firewall I include
> scanning e-mail and scanning file transfer -- you wouldn't have had a
> problem. But did we have the tools that made that easy and automatic and that
> you could really audit that you had done it? No. Microsoft in particular and
> the industry in general didn't have it."
>
> "The second is just the updating thing. Anybody who kept their software up to
> date didn't run into any of those problems, because the fixes preceded the
> exploit. Now the times between when the vulnerability was published and when
> somebody has exploited it, those have been going down, but in every case at
> this stage we've had the fix out before the exploit. So next is making it
> easy to do the updating, not for general features but just for the very few
> critical security things, and then reducing the size of those patches, and
> reducing the frequency of the patches, which gets you back to the code
> quality issues. We have to bring these things to bear, and the very dramatic
> things that we can do in the short term have to do with the firewalls and the
> updating infrastructure. "
>


RE: [spam] RE: [Full-Disclosure] Gates: 'You don't need perfect code' for good security

2003-11-01 Thread Exibar
I only listed those as examples...  there are many more.

 Poor patch management is an issue, yes, absolutely.  But why on earth would,
let's say, SQL first get installed with a blank SA password by default?  Ok,
it's changed now, but why was it ever?  Why on earth is a blank password
even allowed for Administrator?  Why are there still, what 30??, unpatched
IE vulnerabilities?

  Yes, at least Microsoft is finally starting to do something now.  But I
feel ONLY because Linux is starting to make a dent in their bottom line.
Before you say it, NO I am not a Linux junkie, I don't even run it, and
Linux is just as insecure as Windows, but Linux is perceived to be
secure... at least more secure than Windows.

  Loveletter could not have been prevented by a patch.  Why is a 3rd party
application allowed access to the global address list in the first place?
   Funlove could not have been prevented by a patch; perhaps a firewall
could have segmented infectious areas, but not prevented it.
  Why are Active X components allowed to run as the user and not in a
sandbox such as Java?

  I don't pretend to have all the answers, but Microsoft is coming along
only recently to do just too little, too late IMHO.

  Exibar

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Beaty, Bryan
Sent: Friday, October 31, 2003 6:50 PM
To: [EMAIL PROTECTED]
Subject: [spam] RE: [Full-Disclosure] Gates: 'You don't need perfect
code' for good security


Correct me if I am wrong but...

I believe every worm listed below could have been prevented had everyone
patched their systems.

I would like the security community to take more responsibility for
their own (in)actions. If you were hit by Blaster then you failed to
enforce a good patch management policy. Who's fault is that? Patch
management is boring and so we often ignore it. Hackers and worms simply
take advantage of our laziness. I guess blaster could be a form of
social engineering. "I know admins don't patch so I can write a worm and
kill the world."

There is no such thing as perfect code. If you want a completely secure
system you can buy them but they are unbelievably expensive. If you have
a business justification for something that secure then buy it.
Otherwise you have to live with what you can get from Linux, UNIX, or
even Microsoft.

Microsoft has at least come out with some very good patch management
systems lately (SUS) and they are free. Red Hat charges me a yearly fee
for their RHN.

I believe the #1 security threat today is poor patch management. Is that
Microsoft's fault?

--> I am off of my soap box now.

Bryan Beaty


Re: [Full-Disclosure] RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow

2003-12-04 Thread Exibar
Just sit right there at home, the Secret Service will be by to have a
conversation with you I'm sure.


- Original Message - 
From: "Kristian Hermansen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 04, 2003 1:37 PM
Subject: RE: [Full-Disclosure] RE: Yahoo Instant Messenger YAUTO.DLL buffer
overflow


> KillGeorgeBush.com is getting ready to go prime-time, but...oh yeah...I have
> finals!!!  If anyone has any good content for my KillGeorgeBush.com website,
> please send me emails/link (audio, video, documents, etc.)  Remember: George
> Bush deserves to die for his lies and lootin'!!!  I am now accepting
> donations through Paypal, of which the money will go straight to terrorist
> organizations who have interests vested in removing the Bush administration
> from political power...
>
>
> Kristian Hermansen
> [EMAIL PROTECTED]
>
> -Original Message-
> From: List Account [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 04, 2003 12:58 PM
> To: 'Kristian Hermansen'
> Subject: RE: [Full-Disclosure] RE: Yahoo Instant Messenger YAUTO.DLL
buffer
> overflow
>
> Nice site! Where's the content? (Killgeorgebush.com)
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Kristian Hermansen
> Sent: Thursday, December 04, 2003 10:56 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] RE: Yahoo Instant Messenger
> YAUTO.DLL buffer overflow
>
>
> Dude, thanks for the calc tips!!!  LATE makes perfect sense ;-)
>
>
> Kristian Hermansen
> [EMAIL PROTECTED]
>
> -Original Message-
> From: List Account [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 04, 2003 10:41 AM
> To: 'Kristian Hermansen'
> Subject: RE: [Full-Disclosure] RE: Yahoo Instant Messenger
> YAUTO.DLL buffer overflow
>
> Funny you should be talking about Calculus, I'm finishing 152 now
> (finals next week). Integration by parts not that bad. Here's a
> tip; LATE Logs Algebraic Trig Exponentials What this is for is to
> find u, so that du will be something simpler. So to use LATE to
> find u, try them in order, i.e. is there a ln? No, then is there
> an algebraic function you can integrate?, etc.
>
> HTH,
> Nathan
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Kristian Hermansen
> Sent: Thursday, December 04, 2003 9:19 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] RE: Yahoo Instant Messenger
> YAUTO.DLL buffer overflow
>
>
> OMFG Tri, hahahahaha!!!  Remember when you couldn't figure out
> who hijacked yer mail/Paypal accounts?  Looks like we know who
> did it now.  Did he take any money from yer Paypal account?  I do
> agree with one thing that he said..."Stop leaking and killing my
> bug kid. Go to school to learn more." Dude you missed calculus
> class again and don't forget we are doing integration by
> parts/series this week/next week.  Maybe you aren't as slick as I
> thought you were.  Stealing bugs from other people?  Dude, I had
> a lot of respect for you...but now...I'm just not so sure about
> your "integrity". Are you really finding these bugs with
> OllyDebug/IDAPro, or are you monitoring security researchers
> email accounts to get your info?  Dude, I only ask because I
> believe everyone here has the right to know...
>
>
> Kristian Hermansen
> [EMAIL PROTECTED]
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of De
> Blanc
> Sent: Thursday, December 04, 2003 2:17 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] RE: Yahoo Instant Messenger
> YAUTO.DLL buffer overflow
>
> Yeah! Yahoo is sux. Yahoo Messenger has tons of bugs.
> But you are more sux than yahoo since you stole my
> work and posted my found bug to yahoo and bugtraq.
> Funny enough when your little company SentryUnion is
> trying to sell "Identity Theft" protection service but
> you got owned, stole mail and money from your paypal
> account, logged everything your chatted with gf via
> one another yahoo messenger 0day.
>
> Stop leaking and killing my bug kid. Go to school to
> learn more.
>
> The Blanc
>
> <[EMAIL PROTECTED]> wrote:
> >Hi all,
> >This bug is a lame bug, very lame actually. I release
> it in order to
> >show that how a big company don't even do a basic QA.
> If we look through
> >the security records of YIM, almost any YIM's
> ActiveX/Com
> >components do have some kind of buffer overflow and
> it is very easy
> >to spot them too (by fuzzing the IDispatch
> interface). I have no idea
> >how the QA guys in the YIM project can manage to let
> these
> >dangerous bugs survive through the testing stage.
> Maybe they
> >are so busy watching the new "Joe Millionaire" show
> :-
> >Trihuynh
> >Sentryunion
> >-Original Message-
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On
> Behalf Of Tri Huynh
> >Sent: Wednesday, December 03, 2003 10:07
> >To: [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> >Cc: [EMAIL PROTECTED];

RE: [inbox] RE: [Full-Disclosure] RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow

2003-12-04 Thread Exibar
All it would take is one person on the list to anonymously send that message
to the SS.  Easy enough email address to send to as well,
[EMAIL PROTECTED] or [EMAIL PROTECTED]; can even report via
the web: http://www.firstgov.gov/feedback/FeedbackForm.jsp or
[EMAIL PROTECTED]

  That posted message along with the full headers should be sufficient to
get you federal jail time.  It's happened before with a simple conversation
that was overheard in a bar or restaurant.  The guy was hauled off to jail
and hassled for quite a while because he said something similar to what you
said.  Although he said it about another president, Carter I think it was...
not sure though.

  Even though I agree that free speech could come into play, some things you
just don't say out loud.  Like saying the word BOMB in an airport; try it
sometime if you really want to miss your flight :-)

 Exibar

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kristian
Hermansen
Sent: Thursday, December 04, 2003 4:36 PM
To: [EMAIL PROTECTED]
Subject: [inbox] RE: [Full-Disclosure] RE: Yahoo Instant Messenger
YAUTO.DLL buffer overflow


Well, I also have the right to free speech; although murder is not a
right...the website is not to be taken literally.  Obviously if I wanted
Bush literally killed, I would not have a website as such exposing my
name/address.  The person who posted my address to a public mailing list is,
however, definitely in violation of my rights and this list's policies.
Although, information should be free and I never support such restrictions
to information in the public domain.

The CIA/FBI are not going to come to my house I assure you.  They have
better things to worry about.  The fact is that the Bush Administration are
TERRORISTS!!!  If you don't know this by now, you surely are uninformed.
Anyways, "kill" is a UNIX command, but you don't see any processes getting
angry and formatting my computer...


Kristian Hermansen
[EMAIL PROTECTED]

completely OffTopic by now... WAS (Re: [Full-Disclosure] RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow)

2003-12-04 Thread Exibar
Yikes... Interesting, without the US most of everyone in the world would
probably be speaking German right now... not that I have anything against
the German language, just Germany's leader back in the early 1940s.

  If there was no USA there would be no freedom in the world.  Can you
imagine a communistic world?  Oh yah, communism FAILED, bummer, what a shame...
NOT!!!  Could you imagine a NAZI-ruled world?  Now that makes me shudder!

Exibar


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of gazpa
Sent: Thursday, December 04, 2003 9:21 PM
To: full-disclosure
Subject: [inbox] Re: [Full-Disclosure] RE: Yahoo Instant Messenger
YAUTO.DLL buffer overflow


madsaxon wrote:

> You bet.  18 USC 871(a):
>
> Whoever knowingly and willfully deposits for conveyance in the
> mail or for a delivery from any post office or by any letter
> carrier any letter, paper, writing, print, missive, or document
> containing any threat to take the life of, to kidnap, or to inflict
> bodily harm upon the President of the United States, the
> President-elect, the Vice President or other officer next in
> he order of succession to the office of President of the United
> States, or the Vice President-elect, or knowingly and willfully
> otherwise makes any such threat against the President,
> President-elect, Vice President or other officer next in the
> order of succession to the office of President, or Vice
> President-elect, shall be fined under this title or imprisoned
> not more than five years, or both.
>
> Hasta la vista, baby.


I saw that not only all the world, except USA, is under the fascism of USA.
 USA is also under the fascism of USA. That scares. That scares even
freedom.

See you, nena.




Re: [Full-Disclosure] (Was: Re: Yahoo Instant Messenger YAUTO.DLL buffer overflow)

2003-12-05 Thread Exibar
If this is really true, let him post his paper or a link to it for us all to
see.


- Original Message - 
From: "James Patterson Wicks" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 10:01 AM
Subject: RE: [Full-Disclosure] (Was: Re: Yahoo Instant Messenger YAUTO.DLL
buffer overflow)


> And you wonder why some species eat their young.
>
> Let's just hope that now that his "final project" is finished that he will
be too busy to waste our reading time.  Hopefully someone in Homeland
Security will read all of his posts and set him straight on the limits of
free speech (oh yes little boy, there are limits).  If his "re-education"
involves preventing him from using a computer, all the better for us!!!
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Kristian
> Hermansen
> Sent: Thursday, December 04, 2003 11:16 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] (Was: Re: Yahoo Instant Messenger
> YAUTO.DLL buffer overflow)
>
>
> OK, now that I've pissed everyone off and made a scene about it, I'm sorry
> (polite).  You have all just participated in a psychological study that is
> my final project due next week before finals.  Thank you all so very much
> for participating and not even knowing it ;-)
>
>
> Kristian Hermansen
> [EMAIL PROTECTED]
>
> -Original Message-
> From: KF [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 05, 2003 1:59 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] (Was: Re: Yahoo Instant Messenger YAUTO.DLL
> buffer overflow)
>
> sheesh... picky picky... he *may* have meant "thunder bird" for the
> stand alone version of the mail client that is packaged with FireBird...
> no need to be too technical about it... and no use in correcting
> someone's simple mistake for the sole purpose of being an ass.
> take it off the list... I am sure no one here gives a shit about a small
> inconsistency like that.
> -KF
>
>
> Kristian Hermansen wrote:
>
> >Yeah, but Firebird is a web browser so I don't know if your filters will
> >work too well...
> >
> >
> >Kristian Hermansen
> >[EMAIL PROTECTED]
> >
> >-Original Message-
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Cael Abal
> >Sent: Thursday, December 04, 2003 8:23 PM
> >To: [EMAIL PROTECTED]
> >Subject: [Full-Disclosure] (Was: Re: Yahoo Instant Messenger YAUTO.DLL
> >buffer overflow)
> >
> >
> >
> >>Well, I also have the right to free speech; although murder is not a
> >>right...the website is not to be taken literally.  Obviously if I wanted
> >>Bush literally killed, I would not have a website as such exposing my
> >>name/address.  The person who posted my address to a public mailing list
> >>
> >>
> >is,
> >
> >
> >>however, definitely in violation of my rights and this list's policies.
> >>Although, information should be free and I never support such
restrictions
> >>to information in the public domain.
> >>
> >>
> >
> >I'm torn.
> >
> >You see, I'm about as left as they come, and cringe at the very
> >thought of youths wasting away in jail.  My distaste for
> >heavy-handed police action, however, is nothing compared to my
> >desire for you to just shut the hell up.  To speed up the process,
> >maybe you should go outside, flag down a cop car and confess?
> >
> >Jesus, you're like a weepy boil.  Take it off list.  Please.
> >
> >Thanks for motivating me to test out firebird's mail filters,
> >though.  Plonk!
> >
> >Yours,
> >
> >Cael
> >
> This e-mail is the property of Oxygen Media, LLC.  It is intended only for
the person or entity to which it is addressed and may contain information
that is privileged, confidential, or otherwise protected from disclosure.
Distribution or copying of this e-mail or the information contained herein
by anyone other than the intended recipient is prohibited. If you have
received this e-mail in error, please immediately notify us by sending an
e-mail to [EMAIL PROTECTED] and destroy all electronic and paper copies
of this e-mail.
>
>


Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability

2003-12-10 Thread Exibar
I can see many people getting duped with this:

https://[EMAIL PROTECTED]

so I completely know where you're coming from.

  exibar


- Original Message - 
From: "Feher Tamas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 10, 2003 3:23 AM
Subject: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability


> >Proof-of-Concept here:
> >http://www.zapthedingbat.com/security/ex01/vun1.htm
> >
> >Vendor Notified 09 December, 2003
>
> Unless the bug has already been exploited by malicious people, it was
> a highly irresponsible act to disclose it to the public, without giving
> Microsoft a reasonable timeframe to produce a fix. It may even qualify
> as a crime!
>
> Considering the simplicity of this URL faking trick, it will certainly see
> active use by scammers during this Christmas shopping season and
> thousands of people will be robbed of their online banking accounts,
> etc. The money will boost organized crime and the whole society will
> suffer. A patch would give customers at least a theoretical chance to
> protect themselves and the community.
>
> I certainly would not object to ZapDingbat getting sued for a few billion
> bucks by M$ or the US Gov't sending him to a long recreation at
> Guantanamo Bay. People like him discredit security research like
> nothing else and his acts contribute towards legislation that will curb
> people's right to investigate code.
>
> Regards: Tamas Feher.
>
>


Re: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing vulnerability

2003-12-10 Thread Exibar
Ummm, it doesn't seem that is the case.  The entire reason for the %01@ is
to hide the name of the site that you're actually on.  In my example of
[EMAIL PROTECTED], if you click on that link, then look in
the address bar, it looks like you're on www.microsoft.com but you're really
on www.linux.org.

   That is what's stated in the original post.

  Exibar

- Original Message - 
From: "VeNoMouS" <[EMAIL PROTECTED]>
To: "S G Masood" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, December 10, 2003 3:27 AM
Subject: Re: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing
vulnerability


> pft sif i read the original posts
> - Original Message - 
> From: "S G Masood" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 10, 2003 8:06 PM
> Subject: Re: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing
> vulnerability
>
>
> >
> > --- VeNoMouS <[EMAIL PROTECTED]> wrote:
> >
> > >umm tested this you dont need %01
> > > either btw.
> > >
> > > [EMAIL PROTECTED]
> >
> >
> > What is your point? Have you read the original post?
> >
> >
> > Apart from this, does anyone have a "lowlevel"
> > explanation why the %01 trick works?
> >
> >
> > --
> > iNt27~
> >
> >
> >
> >
> >
> > __
> > Do you Yahoo!?
> > Free Pop-Up Blocker - Get it now
> > http://companion.yahoo.com/
> >
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
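Both of Exibar's IE posts above turn on the same trick: text placed before "@" in the URL authority reads like the destination, while the browser actually connects to the host after it, and a %01 control character can hide the join. As an added example (not code from the thread or from any product it mentions), here is a Python check a mail filter or user-training tool could run to separate the two; `analyze_url` and `find_spoofed_urls` are names of my own, and the sample mail body is constructed using the hostnames the thread uses.

```python
"""Flag URLs whose userinfo part masquerades as the destination host (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit, unquote

# Matches http(s) URLs in free text; trailing punctuation is trimmed below.
_URL_RE = re.compile(r"https?://[^\s<>\"']+")
# A userinfo value that reads like a DNS name, e.g. www.microsoft.com
_LOOKS_LIKE_HOST_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


@dataclass
class UrlVerdict:
    url: str
    real_host: Optional[str]   # host the browser actually connects to
    userinfo: Optional[str]    # text before the last '@', percent-decoded
    control_chars: bool        # userinfo carried bytes < 0x20 (the %01 trick)
    suspicious: bool
    reason: str


def analyze_url(url: str) -> UrlVerdict:
    """Separate the real host from whatever precedes '@' in the authority.

    RFC 2396 allows 'userinfo@host'; the trick in the thread is to put a
    trustworthy-looking hostname in userinfo so a careless reader (or a buggy
    address bar) takes it for the destination.
    """
    try:
        parts = urlsplit(url)
        real_host = parts.hostname      # taken from AFTER the last '@'
        raw_userinfo = parts.username   # taken from BEFORE the last '@'
    except ValueError as exc:
        return UrlVerdict(url, None, None, False, True, f"unparseable URL: {exc}")

    if raw_userinfo is None:
        return UrlVerdict(url, real_host, None, False, False, "no userinfo")

    userinfo = unquote(raw_userinfo)
    has_ctrl = any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in userinfo)
    visible = "".join(ch for ch in userinfo if ord(ch) >= 0x20 and ord(ch) != 0x7F)
    looks_like_host = bool(_LOOKS_LIKE_HOST_RE.match(visible))

    if has_ctrl and looks_like_host:
        reason = f"userinfo {visible!r} plus control characters masks real host {real_host}"
    elif looks_like_host:
        reason = f"userinfo {visible!r} looks like a hostname; real host is {real_host}"
    elif has_ctrl:
        reason = "control characters in userinfo"
    else:
        # e.g. ftp://user:pw@host/ - credentials in a URL, but not a host spoof
        return UrlVerdict(url, real_host, userinfo, False, False, "plain credentials in URL")
    return UrlVerdict(url, real_host, userinfo, has_ctrl, True, reason)


def find_spoofed_urls(text: str) -> List[UrlVerdict]:
    """Scan free text (e.g. a mail body) and return only the suspicious URLs."""
    verdicts = []
    for match in _URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)!?")
        verdict = analyze_url(url)
        if verdict.suspicious:
            verdicts.append(verdict)
    return verdicts


# Constructed sample mail body; the hostnames are the ones used in the thread.
SAMPLE_MAIL = """\
Dear customer, please verify your account at
https://www.microsoft.com%01@www.linux.org/login
Our downloads are at https://www.linux.org/ as always.
"""

if __name__ == "__main__":
    for v in find_spoofed_urls(SAMPLE_MAIL):
        print(f"{v.url}\n  -> {v.reason}")
```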


Re: RE:Re: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing vulnerability

2003-12-10 Thread Exibar



I'll bet that this guy doesn't get half of the e-mail he's expecting.

  - Original Message - 
  From: AntiSpam UOL
  To: exibar
  Sent: Wednesday, December 10, 2003 11:24 AM
  Subject: RE:Re: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing vulnerability


  Hi, you've just sent a message to [EMAIL PROTECTED]. In order to confirm the
  sent message, please click here.

  This confirmation is necessary because [EMAIL PROTECTED] uses Antispam UOL, a
  service that avoids unwanted messages like advertising, pornography, viruses,
  and spams. Other messages sent to [EMAIL PROTECTED] won't need to be
  confirmed*. If you receive another confirmation request, please ask
  [EMAIL PROTECTED] to include you in his/her authorized e-mail list.

  Warning! If the link doesn't work, please copy the address below and paste it
  on your browser: http://tira-teima.as.uol.com.br/challengeSender.html?data=""

  Use AntiSpam UOL and protect your mailbox


Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability

2003-12-10 Thread Exibar
Works as advertised on IE6.0.2800.1106.xpsp1.  Interesting, must be the
httpS that's throwing it...

- Original Message - 
From: "Rui Pereira" <[EMAIL PROTECTED]>
To: "'Exibar'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, December 10, 2003 12:13 PM
Subject: RE: [Full-Disclosure] Re: Internet Explorer URL parsing
vulnerability


> Er, on IE6.0.2800.1106.xpsp2 this shows up as
> https://www.let_me_steal_your_money.com/ in the address line. Guess it
> don't work as advertised. Maybe we should all upgrade? ;)
>
> R
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Exibar
> Sent: December 10, 2003 7:55 AM
> To: Feher Tamas; [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing
> vulnerability
>
> I can see many people getting duped with this:
>
> https://[EMAIL PROTECTED]
>
> so I completely know where you're coming from.
>
>   exibar
>
>
> - Original Message - 
> From: "Feher Tamas" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 10, 2003 3:23 AM
> Subject: [Full-Disclosure] Re: Internet Explorer URL parsing
> vulnerability
>
>
> > >Proof-of-Concept here:
> > >http://www.zapthedingbat.com/security/ex01/vun1.htm
> > >
> > >Vendor Notified 09 December, 2003
> >
> > Unless the bug has already been exploited by malicious people, it was
> > a highly irresponsible act to disclose it to the public, without
> giving
> > Microsoft a reasonable timeframe to produce a fix. It may even qualify
> > as a crime!
> >
> > Considering the simplicity of this URL faking trick, it will be
> certainly
> see
> > active use by scammers during this Christmas shopping season and
> > thousands of people will be robbed of their online banking accounts,
> > etc. The money will boost organized crime and the whole society will
> > suffer. A patch would give customers at least a theoretical chance to
> > protect themselves and the community.
> >
> > I certainly would not object to ZapDingbat getting sued for a few
> billion
> > bucks by M$ or the US Gov't sending him to a long recreation at
> > Guantanamo Bay. People like him discredit security research like
> > nothing else and his acts contribute towards legislation that will
> curb
> > people's right to investigate code.
> >
> > Regards: Tamas Feher.
> >
> >
> > ___
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> >
>
>
>
>
>



Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability

2003-12-10 Thread Exibar
Yes, that's what I meant.  httpS is throwing it on SP2 (meant that this
vuln. doesn't work for httpS on SP2).  Of course, I assume that this vuln
works at all on SP2 :-)

  Been a long day already... is it Friday yet?  :-)

 Ex

- Original Message - 
From: "Rui Pereira" <[EMAIL PROTECTED]>
To: "'Exibar'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, December 10, 2003 1:00 PM
Subject: RE: [Full-Disclosure] Re: Internet Explorer URL parsing
vulnerability


> I am also on SP2...you are SP1
>
> R
>
> -Original Message-
> From: Exibar [mailto:[EMAIL PROTECTED]
> Sent: December 10, 2003 9:52 AM
> To: Rui Pereira
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing
> vulnerability
>
> Works as advertised on IE6.0.2800.1106.xpsp1.  Interesting, must be the
> httpS that's throwing it.
>
> - Original Message - 
> From: "Rui Pereira" <[EMAIL PROTECTED]>
> To: "'Exibar'" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 10, 2003 12:13 PM
> Subject: RE: [Full-Disclosure] Re: Internet Explorer URL parsing
> vulnerability
>
>
> > Er, on IE6.0.2800.1106.xpsp2 this shows up as
> > https://www.let_me_steal_your_money.com/ in the address line. Guess it
> > don't work as advertised. Maybe we should all upgrade? ;)
> >
> > R
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Exibar
> > Sent: December 10, 2003 7:55 AM
> > To: Feher Tamas; [EMAIL PROTECTED]
> > Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing
> > vulnerability
> >
> > I can see many people getting duped with this:
> >
> > https://[EMAIL PROTECTED]
> >
> > so I completely know where you're coming from.
> >
> >   exibar
> >
> >
> > - Original Message - 
> > From: "Feher Tamas" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, December 10, 2003 3:23 AM
> > Subject: [Full-Disclosure] Re: Internet Explorer URL parsing
> > vulnerability
> >
> >
> > > >Proof-of-Concept here:
> > > >http://www.zapthedingbat.com/security/ex01/vun1.htm
> > > >
> > > >Vendor Notified 09 December, 2003
> > >
> > > Unless the bug has already been exploited by malicious people, it
> was
> > > a highly irresponsible act to disclose it to the public, without
> > giving
> > > Microsoft a reasonable timeframe to produce a fix. It may even
> qualify
> > > as a crime!
> > >
> > > Considering the simplicity of this URL faking trick, it will certainly
> > > see active use by scammers during this Christmas shopping season and
> > > thousands of people will be robbed of their online banking accounts,
> > > etc. The money will boost organized crime and the whole society will
> > > suffer. A patch would give customers at least a theoretical chance
> to
> > > protect themselves and the community.
> > >
> > > I certainly would not object to ZapDingbat getting sued for a few
> > billion
> > > bucks by M$ or the US Gov't sending him to a long recreation at
> > > Guantanamo Bay. People like him discredit security research like
> > > nothing else and his acts contribute towards legislation that will
> > curb
> > > people's right to investigate code.
> > >
> > > Regards: Tamas Feher.
> > >
> > >
> > >
> > >
> >
> >
> >
> >
> >
>
>
>
>
>



Re: [Full-Disclosure] PayPal issues another blow to user security

2003-12-16 Thread Exibar
The next thing that we'll see is a www.ebaycreditcard.com site pop up.

  Why do these companies always do crap like this?  PayPal reminds me of
AOL, with their little advertisement before you can get into your account.
That pisses me off to no end.

 Exibar

- Original Message - 
From: "Aaron Horst" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, December 15, 2003 5:08 PM
Subject: [Full-Disclosure] PayPal issues another blow to user security


Just when I thought that PayPal may actually care for
their customers, I get the following message in my
inbox:

---

Dear *,

This holiday season...

Put PayPal Visa® at the top of your list!


0% Intro APR* for purchases.  PLUS:


- $5 credit the first time you use your card

- No PayPal sending limit - up to available credit on
your card

- No annual fee

- New card designs to choose from!


https://www.paypalcreditcard.com/paypalbanner?banner_id=paypal/email/


You'll have an online response in about 30 seconds.

* The intro APR on purchases applies for 3 billing
periods after account opening. For complete pricing
information and important terms and conditions, click
here.


https://www.paypalcreditcard.com/paypalbanner?banner_id=paypal/email/


This PayPal notification was sent to
**. Your notification preferences
are set to receive the PayPal Periodical newsletter
and Product Updates when you create a PayPal account.
To modify your notification preferences and
unsubscribe, go to https://www.paypal.com/PREFS-NOTI
and log in to your account. Changes may take several
days to be reflected in our mailings. For more
information about the security of your information,
read our Privacy Policy at
https://www.paypal.com/privacy. Replies to this email
will not be processed; if you would like to contact
PayPal, please go to our online Help Center.

If you previously asked to be excluded from Providian
product offerings and solicitations, they apologize
for this e-mail. Every effort was made to ensure that
you were excluded from this e-mail. If you do not wish
to receive promotional e-mail from Providian, go to
http://removeme.providian.com.

Copyright© 2003 PayPal, Inc. All rights reserved.
Designated trademarks and brands are the property of
their respective owners.

---

(NOTE: UID's removed)

I put it off as just another ploy to get your vital
information such as Social Security number, but decided
to check it out anyway. What do you know, it's an
"official" PayPal site! (See:
https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&leafid=1782
)

After all the work that others have done to help
people keep their vital details safe, Providian spams
all of the PayPal user base with advertisements to put
your personal details into a "PayPal" site that is
hosted on "www.paypalcreditcard.com"! This even goes
against their own stated policy on avoiding web scams:

"The term "spoofing" and "phishing" have been used to
describe the act of collecting personal information
using a fake email in order to commit identity theft,
credit card and Internet fraud. If you receive an
email that appears to come from PayPal and you click
on a link, check to make sure the web address at the
top of your web browser reads exactly www.paypal.com."
--
https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&leafid=56413

This issue is a blow to me personally, as I have told
many people time and again not to click on any links
in any email that claims to be from PayPal, eBay, or
other scammer-oriented target. This massively
undermines the efforts that many people have put into
ensuring that less than savvy users are still able to
keep their private info private. I hope that PayPal or
any of their affiliates never do something like this again.





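A link checker that applies the two points made in the IE URL parsing thread above and in the PayPal policy quoted in this thread: the host a browser actually connects to is whatever follows the last "@" in the authority (any text in front of it is credential text, not the site), and that host must read exactly www.paypal.com. This is an added Python example, not code from any of the posters; the sample URLs are constructed test inputs (two of them quoted in the thread), and the let_me_steal_your_money.com one is a constructed instance of the user@host display trick, not a real site.

```python
"""Classify links the way the thread says a cautious user should: look only at
the host the browser really connects to, ignore any user@ prefix in front of
it, and insist on the one exact hostname the brand says it will ever use."""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class LinkVerdict:
    url: str
    scheme: str
    userinfo: str | None   # text before the last '@' in the authority, if any
    host: str | None       # host the browser actually connects to
    verdict: str           # ok / suspicious / spoofed / lookalike / other-host / bad-url
    reasons: list[str] = field(default_factory=list)


def effective_host(url: str) -> str | None:
    """Host the browser connects to: the part after the last '@', without the
    port, lower-cased, trailing dot removed. None when the URL has no host."""
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def userinfo_of(url: str) -> str | None:
    """The user:password text in front of the host, or None when absent.
    On IE6 SP1 this text was what showed up in the address bar."""
    netloc = urlsplit(url).netloc
    return netloc.rpartition("@")[0] if "@" in netloc else None


def brand_label(expected_host: str) -> str:
    """'www.paypal.com' -> 'paypal': the label a lookalike domain reuses."""
    labels = expected_host.lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def check_link(url: str, expected_host: str) -> LinkVerdict:
    """Compare a link against the single host the brand says it links to."""
    scheme = urlsplit(url).scheme.lower()
    host = effective_host(url)
    userinfo = userinfo_of(url)
    expected = expected_host.lower()
    reasons: list[str] = []

    if host is None:
        return LinkVerdict(url, scheme, userinfo, None, "bad-url", ["no host in URL"])
    if userinfo is not None:
        reasons.append(f"'{userinfo}' is credential text, not the site; "
                       f"the browser connects to '{host}'")
    if scheme != "https":
        reasons.append(f"scheme is '{scheme}', not https")

    if host == expected:
        verdict = "ok" if not reasons else "suspicious"
    elif userinfo is not None:
        verdict = "spoofed"          # real host hidden behind a user@ prefix
    elif brand_label(expected) in host:
        verdict = "lookalike"        # e.g. paypalcreditcard.com vs paypal.com
        reasons.append(f"'{host}' contains '{brand_label(expected)}' "
                       f"but is not '{expected}'")
    else:
        verdict = "other-host"
        reasons.append(f"'{host}' is not '{expected}'")
    return LinkVerdict(url, scheme, userinfo, host, verdict, reasons)


# Constructed sample set: the first two URLs are quoted in the thread, the
# third is a constructed user@host example (not a real site), the fourth is
# the right host over plain http.
SAMPLE_LINKS = [
    "https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&leafid=1782",
    "https://www.paypalcreditcard.com/paypalbanner?banner_id=paypal/email/",
    "https://www.paypal.com@www.let_me_steal_your_money.com/",
    "http://www.paypal.com/",
]


def audit(links: list[str], expected_host: str = "www.paypal.com") -> dict[str, LinkVerdict]:
    """Run check_link over a batch, e.g. every href pulled from a newsletter."""
    return {url: check_link(url, expected_host) for url in links}


if __name__ == "__main__":
    for url, v in audit(SAMPLE_LINKS).items():
        print(f"{v.verdict:<10} host={v.host}  {url}")
        for reason in v.reasons:
            print(f"{'':<10} - {reason}")
```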

Re: [Full-Disclosure] A funny (but real) story for XMAS

2003-12-16 Thread Exibar
>
> Tri, all..
>
> Since this *IS* security/privacy-related, I *WILL* respond to this...

  We all feel so honored that you will respond to this... sheesh.


- Original Message - 
From: "Christopher Parker" <[EMAIL PROTECTED]>
To: "Tri Huynh" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, December 16, 2003 8:03 AM
Subject: Re: [Full-Disclosure] A funny (but real) story for XMAS


> --- Tri Huynh <[EMAIL PROTECTED]> wrote:
> > It looks like this company doesn't give a damn about information
> > privacy, and there is also a possibility that they are
> > the spammers too. If you guys have any info about this
> > company, please contact [EMAIL PROTECTED] and I'd love
> > to gather more evidence about their privacy malpractices.
>
> Tri, all..
>
> Since this *IS* security/privacy-related, I *WILL* respond to this...
>
> If you're in a US state that has spam legislation passed, or in a country
> where spamming is outlawed, and if you verily think this was the result of
> a spam, you may wish to check out the suespammers list to seek some form of
> compensation for your time, weeding through spam messages.
>
> Have you received other, similar, messages to this one?
>
> Information on the suespammers list may be found at:
> http://mail.spamcon.org/mailman/listinfo/suespammers
>
> SpamCon hosts a good few lists on spam. SueSpammers is but one of them.
>
>
> > "Join www.osvdb.org to make a better non-corporated vulnerability
database
> > since
> > CERT sucks ! "
>
> CERT sucks? Humm... In my UNIX & Security college course, we're being told
> CERT is a great resource for security-related information. Can anybody else
> make a comment on this? Agree? Disagree?
>
> Thanks.
>
>
>



Re: [Full-Disclosure] Internet Explorer URL parsing vulnerability - fix available

2003-12-16 Thread Exibar
Agreed.  I also have to ask why a company should pay this 3rd party for a
patch for a vulnerability that isn't really *huge* like a Slammer or
Code Red deal.  I'm sure that Microsoft will patch it, for free.
  If the source isn't available for the 3rd party's patch, how do we know
what it's really doing?  How do we know it isn't a security hazard?  At
least Microsoft is a trusted source, and did I mention free already?

  If a home user is THAT worried about this vulnerability, they're already
aware of what it does and therefore should know better.

  Just wait for Microsoft to release the patch is what I say, FWIW.

Exibar

- Original Message - 
From: "Gregory A. Gilliss" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 16, 2003 2:29 PM
Subject: Re: [Full-Disclosure] Internet Explorer URL parsing vulnerability -
fix available


> Well his post gives me some pause...since this is a "shareware" product
> (the poster is out to make some $$$ for themselves) I wonder that it
> doesn't count as a commercial solicitation. Besides that, AFAIK the URL
> filter is not available in source code format (for peer review). In short,
> I'd say that this is about as far from "full disclosure" as you can get,
> albeit that it does appear to address the vulnerability...
>
> G
>
> On or about 2003.12.16 16:31:54 +, Frank Hagenson
([EMAIL PROTECTED]) said:
>
> > A fix for this vulnerability is available at my website:
> > http://www.abracadabrasolutions.com/UrlFilter.htm
> >
> > Regards,
> > Frank Hagenson.
>
> -- 
> Gregory A. Gilliss, CISSP  E-mail: [EMAIL PROTECTED]
> Computer Security WWW: http://www.gilliss.com/greg/
> PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
>
>
>



Re: [Full-Disclosure] PayPal issues another blow to user security

2003-12-17 Thread Exibar
The e-mail response from PayPal sounded more like a "canned" response than
an actual human response.  I would imagine that they simply have a rule set up
that looks for links within a message and if it doesn't have
https://www.paypal.com then it spits back that canned message.  On the other
hand, it could simply be a college kid that is working at PayPal to make a
few extra bucks and just saw that the link didn't point to
https://www.paypal.com and hit the "send canned response" button.

  Either way, PayPal should mention something about it on their site's
homepage.  It is very irresponsible of them not to.

  Exibar

- Original Message - 
From: "Mary Landesman" <[EMAIL PROTECTED]>
To: "Rob Adams" <[EMAIL PROTECTED]>; "Aaron Horst" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, December 17, 2003 1:23 PM
Subject: Re: [Full-Disclosure] PayPal issues another blow to user security


> I think the response speaks more of the tunnel vision of the person
> answering the email. PayPal and Providian entered a partnership in Feb 2001.
> At the time, Providian apparently took a huge stake in PayPal equity
> (estimates placed it at between $100 - $200 million) and the two companies
> agreed to co-brand the credit cards. See Forbes for details:
> http://www.forbes.com/2001/02/07/0207eccommerce.html
>
> The legal agreement between the two parties, dated March 2002, can be found
> here:
> http://techdeals.startup.findlaw.com/agreements/paypal/providian.card.2002.03.01.html
>
> The June 2001 press release announcing the site, and sponsored by both
> parties, can be found here:
> http://www.findarticles.com/cf_dls/m4PRN/2001_June_18/75602419/p1/article.jhtml
>
> Perhaps PayPal might wish to take the opportunity to ensure the folks
> answering email at [EMAIL PROTECTED] are versed in company partnerships and
> policies.
>
> Regards,
> Mary Landesman
> Antivirus About.com Guide
> http://antivirus.about.com
>
> - Original Message - 
> From: "Rob Adams" <[EMAIL PROTECTED]>
> To: "Aaron Horst" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 17, 2003 12:09 PM
> Subject: Re: [Full-Disclosure] PayPal issues another blow to user security
>
>
> [[Warning -- I do not speak for, nor do I represent, my employer. --Rob]]
>
> Aaron Horst reported earlier this week that Paypal violates their own
> anti-phish policy. He received an official email that included a
> clickable link to "paypalcreditcard.com." Their stated policy is that
> they will only ever link to "paypal.com." Paypalcreditcard.com appears
> to be a legitimate web site operated by Paypal's business partner,
> Providian Financial Corporation.
>
> I received a similar solicitation. I forwarded it to the
> "[EMAIL PROTECTED]" I think you'll enjoy the response:
>
> =
>
> Dear Rob Adams,
>
> Thank you for contacting PayPal.
>
> Thank you for bringing this suspicious email to our attention. We can
> confirm that the email you received; was not sent to you by PayPal. The
> website linked to this email is not a registered URL authorized or used
> by PayPal. We are currently investigating this incident fully. Please
> do not enter any personal or financial information into this website.
>
> If you have surrendered any personal or financial information to this
> fraudulent website, you should immediately log into your PayPal Account
> and change your password and secret question and answer information.
> Any compromised financial information should be reported to the
> appropriate parties.
>
> If you notice any unauthorized activity associated with your PayPal
> transaction history, please immediately report this to PayPal by
> following the instructions below:
>
> 1.  Go to https://www.paypal.com/
> 2.  Click on the Security Center at the bottom of the page
> 3.  Click on "Report a Problem"
> 4.  Select the Topic: Report Fraud
> 5:  Select the Subtopic: Unauthorized use of my PayPal Account, and
> click Continue.
> 6.  Follow the instructions to access the appropriate form
>
> If you have any further questions, please feel free to contact us
> again.
>
> ===
>
>
>



Re: [Full-Disclosure] PayPal issues another blow to user security

2003-12-17 Thread Exibar
Heck, I wonder how many people actually clicked on www.paypalcreditcard.com
after PayPal stating never, ever to click on a site other than
https://www.paypal.com.  I'm sure a few did, but what a really foolish
marketing decision they made to use www.paypalcreditcard.com ...


  Exibar

- Original Message - 
From: "Dom Gallagher" <[EMAIL PROTECTED]>
To: "Rob Adams" <[EMAIL PROTECTED]>
Cc: "Aaron Horst" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, December 17, 2003 2:22 PM
Subject: Re: [Full-Disclosure] PayPal issues another blow to user security


> At 11:09 AM 12/17/2003, Rob Adams wrote:
> >[[Warning -- I do not speak for, nor do I represent, my employer. --Rob]]
> >
> >Aaron Horst reported earlier this week that Paypal violates their own
> >anti-phish policy. He received an official email that included a clickable
> >link to "paypalcreditcard.com." Their stated policy is that they will only
> >ever link to "paypal.com." Paypalcreditcard.com appears to be a legitimate
> >web site operated by Paypal's business partner, Providian Financial
> >Corporation.
> >
> >I received a similar solicitation. I forwarded it to the
> >"[EMAIL PROTECTED]" I think you'll enjoy the response:
> >
> >=
> >
> >Dear Rob Adams,
> >
> >Thank you for contacting PayPal.
> >
> >Thank you for bringing this suspicious email to our attention. We can
> >confirm that the email you received; was not sent to you by PayPal. The
> >website linked to this email is not a registered URL authorized or used
by
> >PayPal. We are currently investigating this incident fully. Please do not
> >enter any personal or financial information into this website.
> >If you have surrendered any personal or financial information to this
> >fraudulent website, you should immediately log into your PayPal Account
> >and change your password and secret question and answer information. Any
> >compromised financial information should be reported to the appropriate
> >parties.
> >If you notice any unauthorized activity associated with your PayPal
> >transaction history, please immediately report this to PayPal by
following
> >the instructions below:
> >1.  Go to https://www.paypal.com/ 2.  Click on the Security Center at the
> >bottom of the page
> >3.  Click on "Report a Problem"
> >4.  Select the Topic: Report Fraud
> >5:  Select the Subtopic: Unauthorized use of my PayPal Account, and click
> >Continue.
> >6.  Follow the instructions to access the appropriate form
> >
> >If you have any further questions, please feel free to contact us again.
>
> Form letter.  eBay loves 'em, and now Paypal seem to have jumped on the
> bandwagon.
>
> If you check the original report, Paypal itself links to the so-called
> phishing site:
> https://www.paypal.com/cgi-bin/webscr?cmd=_help-ext&leafid=1782
>
> Assuming the URLs were not spoofed with any of the usual fun tricks to
> catch the point-and-droolers, Paypal are either totally ignoring the actual
> content of abuse complaints or deliberately trying to blame the phishers
> for a poorly thought out marketing effort.
>
> D.
>
>
>
>



Re: [Full-Disclosure] PayPal issues another blow to user security

2003-12-17 Thread Exibar
Yes, it is a valid link, but the whole thing started because PayPal, in
their own security advisory message, states never to click on any link that
claims to be from PayPal unless it is https://www.paypal.com.  And they
usually state that any other link is bogus, even if it states that it is an
"official PayPal site".

  Exibar

- Original Message - 
From: "Seth Fogie" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 17, 2003 3:22 PM
Subject: Re: [Full-Disclosure] PayPal issues another blow to user security


> If you enter the official https://www.paypal.com site and click on the
> Paypal credit card link, you will be directed to www.paypalcreditcard.com...
>
> So, it is most likely a valid link...
>
>
>
> Exibar wrote:
>
> >The e-mail response from PayPal sounded more like a "canned" response than
> >an actual human response.  I would imagine that they simply have a rule set up
> >that looks for links within a message and if it doesn't have
> >https://www.paypal.com then it spits back that canned message.  On the other
> >hand, it could simply be a college kid that is working at PayPal to make a
> >few extra bucks and just saw that the link didn't point to
> >https://www.paypal.com and hit the "send canned response" button.
> >
> >  Either way, PayPal should mention something about it on their site's
> >homepage.  It is very irresponsible of them not to.
> >
> >  Exibar
> >
> >- Original Message - 
> >From: "Mary Landesman" <[EMAIL PROTECTED]>
> >To: "Rob Adams" <[EMAIL PROTECTED]>; "Aaron Horst" <[EMAIL PROTECTED]>
> >Cc: <[EMAIL PROTECTED]>
> >Sent: Wednesday, December 17, 2003 1:23 PM
> >Subject: Re: [Full-Disclosure] PayPal issues another blow to user
security
> >
> >
> >
> >
> >>I think the response speaks more of the tunnel vision of the person
> >>answering the email. PayPal and Providian entered a partnership in Feb
> >>
> >>
> >2001.
> >
> >
> >>At the time, Providian apparently took a huge stake in PayPal equity
> >>(estimates placed it at between $100 - $200 million) and the two
companies
> >>agreed to co-brand the credit cards. See Forbes for details:
> >>http://www.forbes.com/2001/02/07/0207eccommerce.html
> >>
> >>The legal agreement between the two parties, dated March 2002, can be
> >>
> >>
> >found
> >
> >
> >>here:
> >>
> >>
> >>
>
> >http://techdeals.startup.findlaw.com/agreements/paypal/providian.card.2002.03.01.html
> >
> >
> >>The June 2001 press release announcing the site, and sponsored by both
> >>parties, can be found here:
> >>
> >>
> >>
>
> >http://www.findarticles.com/cf_dls/m4PRN/2001_June_18/75602419/p1/article.jhtml
> >
> >
> >>Perhaps PayPal might wish to take the opportunity to ensure the folks
> >>answering email at [EMAIL PROTECTED] are versed in company partnerships
and
> >>policies.
> >>
> >>Regards,
> >>Mary Landesman
> >>Antivirus About.com Guide
> >>http://antivirus.about.com
> >>
> >>- Original Message - 
> >>From: "Rob Adams" <[EMAIL PROTECTED]>
> >>To: "Aaron Horst" <[EMAIL PROTECTED]>
> >>Cc: <[EMAIL PROTECTED]>
> >>Sent: Wednesday, December 17, 2003 12:09 PM
> >>Subject: Re: [Full-Disclosure] PayPal issues another blow to user
security
> >>
> >>
> >>[[Warning -- I do not speak for, nor do I represent, my employer. --Rob]]
> >>
> >>Aaron Horst reported earlier this week that Paypal violates their own
> >>anti-phish policy. He received an official email that included a
> >>clickable link to "paypalcreditcard.com." Their stated policy is that
> >>they will only ever link to "paypal.com." Paypalcreditcard.com appears
> >>to be a legitimate web site operated by Paypal's business partner,
> >>Providian Financial Corporation.
> >>
> >>I received a similar solicitation. I forwarded it to the
> >>"[EMAIL PROTECTED]" I think you'll enjoy the response:
> >>
> >>=
> >>
> >>Dear Rob Adams,
> >>
> >>Thank you for contacting PayPal.
> >>
> >>Thank you for bringing this suspicious email to our attention. We can
> >>confirm that the email you received; was not sent to you by PayPa

Re: [Full-Disclosure] Show me the Virrii!

2004-01-07 Thread Exibar
Although I agree with your other points, I have this comment:

Why do you ultimately blame Windows/DOS for the virus problem?  This is
simply not true.  Are there not SQL worms?  Was it not a SQL worm that was
the fastest to spread in history?  Are there not many Linux worms and
viruses, and more being written each day?  Are there not viruses and/or
worms that exploit Cisco products?  Hell, there are even worms that exploit
FTP and IRC!  I can go on.

  It is not Windows that is the problem.  It is the people that write the
damned things that are the problem.  Ok, perhaps it's the lack of laws that
will make a programmer think twice about becoming a Vx'r.

  If Linux had the marketshare that Windows does right now (and it just
might one day; it's hard to compete with free), and the majority of viruses
were being written for Linux, would you then blame Linux as the cause of the
problem?

  Saying Windows is to blame for the mess that we're in is like saying the
gun is what causes a murder and not the person that pulled the trigger.

  Exibar

- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 07, 2004 5:15 AM
Subject: RE: [Full-Disclosure] Show me the Virrii!


> > -Original Message-
> > Date: Mon, 05 Jan 2004 09:09:57 -1000
> > From: Jason Coombs <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > Organization: SCIENCE.ORG
> > To: Richard Maudsley <[EMAIL PROTECTED]>
> > CC: [EMAIL PROTECTED]
> > Subject: Re: [Full-Disclosure] Show me the Virrii!
> >
> > Richard Maudsley wrote:
> > > I recently finished a stable version of my little
> > Virus-Scanner, LMS (
> > > http://www.mindblock.org/lms ).
> > > It currently detects 19 viruses. I need it to detect hundreds.
> > >
> > > How do big Anti-Virus companies get their hands on new viruses, and
> > > how
> > > can I?
> >
> > Antivirus software is one of the biggest frauds going in the software
> > industry. You really don't want to go there. Consider
> > something useful
> > instead:
> >
> > (from http://www.windevnet.com)
> >
> > Antivirus Software Turned Upside Down
> > by Jason Coombs ([EMAIL PROTECTED])
> >
> > Antivirus software exists because viral code and malware
> > exist. Malware
> > signature databases coupled with antivirus software provide what I'll
> > call "matter of fact, after the fact" security. It is a
> > matter of fact
> > that bytes matching an a/v vendor's malware signature must have
> > malicious potential resembling a known virus, worm, Trojan, or other
> > code analyzed in the past by the a/v software vendor and labeled as
> > harmful. While false positives do occur in practice, a virus scanner
> > wouldn't be useful if it constantly failed to distinguish between
> > malware and user data or desirable code. Therefore, a/v software
> > becomes the best proof, in practice, that particular bits are
> > hostile.
> > No jury is likely to reject forensic testimony designed to
> > establish the
> >
> > presence of malware after seeing a forensic examiner employ a trusted
> > brand-name a/v scanner to detect a virus or Trojan on a hard drive or
> > other storage device. A commercial virus scanner makes a terrific
> > exhibit in front of a jury. As a result, there is a distinct
> > possibility
> >
> > that civilian security researchers may help to convict hackers (and
> > other civilian security researchers) of computer crimes
> > simply by adding
> >
> > definitions to a virus signature database. Law enforcement
> > simply lack
> > the resources necessary to assemble definitive lists of
> > criminally-malicious bits, so we end up with an interesting, and
> > uncomfortable, overlap between private sector business
> > decisions and law
> >
> > enforcement investigations.
> >
> > Antivirus software vendors make no effort to conceal the fact
> > that they
> > are in the business of selling virus signature updates. They sell
> > content more than software, and it is content updates that
> > drive their
> > profits. Updates to virus definitions occur after the fact,
> > so everyone
> > is always out-of-date and must keep paying in order to feel
> > protected.
> > This makes for a good business, but it doesn't make for very good
> > security. In fact, it's completely backwards. Think about it for a
> > moment, why should anyone go through the expense and the trouble of
> > keeping a running list of all bad code ever encountere

Re: [Full-Disclosure] Show me the Virrii!

2004-01-07 Thread Exibar

- Original Message - 
From: "Schmehl, Paul L" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 07, 2004 12:30 PM
Subject: RE: [Full-Disclosure] Show me the Virrii!


> >   Saying Windows is to blame for the mess that we're in is
> > like saying the gun is what causes a murder and not the
> > person that pulled the trigger.
> >
> Well, there's a boatload of people in the world that apparently believe
> guns cause murders, isn't there?  At least judging by the number of
> countries that have outlawed the ownership of them.

Yes, there are quite a few small minded people who believe that.  But I've
never in my life seen or even heard of a gun that was just sitting on a desk
getting up and going off and shooting people on its own.

  What happens when a country outlaws guns?  Yup, only the outlaws will have
guns.  It's against the law to own a firearm in the UK, yet shootings
happen.  Same, to one degree or another, in Japan and Australia; certain
cities and states in the US ban certain types of weapons as well, to some
degree.

  If someone is that intent on killing someone else, and they cannot get a
gun, they'll use a knife, baseball bat, rock, bare hands, whatever TOOL they
can get.  The tool isn't to blame, it's the sick bastard that uses it to
cause harm.

  I don't want to get into a political debate about guns here though.
E-mail me off list if you want to continue a civil discussion about gun
ownership :-)

  Exibar



Re: [inbox] Re: [Full-Disclosure] Show me the Virrii!

2004-01-07 Thread Exibar

- Original Message - 
From: "Curt Purdy" <[EMAIL PROTECTED]>
To: "'Exibar'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Wednesday, January 07, 2004 12:18 PM
Subject: RE: [inbox] Re: [Full-Disclosure] Show me the Virrii!


> Exibar wrote:
>
> > Why do you ultimately blame Windows/DOS for the virus
> > problem?  This is
> > simply not true.  Are there not SQL worms?  Was it not a SQL
> > worm that was
> > the fastest to spread in history?  Are there not many Linux worms and
> > viruses, and more being written each day?  Are there not
> > viruses and/or
> > worms that exploit Cisco products?
>
> Jeeze, you know how many pages I had to delete off the end of this thing?
> It doesn't take remembering PINE to know how to clean up your act.
>
> OK, to business.  Your points: the SQL worm exploited ONLY MS SQL.  The
> cisco worm exploited IIS that was the web interface in their DSL routers.
> Yes, there are a few Linux worms but the numbers are tiny vs. MS.  And that
> is NOT because MS is so prevalent, although of course that is a factor as
> explained in the seminal work "Cyberinsecurity: The Cost of Monopoly".  The
> primary reason for so many MS virii is the poorly written code that has
> evolved into their current elephants of OS's.
>
> All is not lost for MS, but it will take a ground-up rewrite to solve the
> problems.  Unfortunately they seem to be taking the opposite tack of taking
> W2K, the best OS they have come up with yet, and folding it into XP, the
> biggest pile of dog doo since 3.1 and telling customers they can't get 2K
> even if they prefer it.

  I'm in no way saying that Microsoft writes perfect code.  Nothing is
perfect.  My point is simply that if Linux were the preferred OS of millions
of people, the number of Windows "malware" would be much, much smaller
and the number of Linux "malware" would be at the same number that Windows
is currently.  It's all a matter of the VX'r getting the most bang for their
buck.
  The poorly written code only makes it easier to write a piece of malware
for a closed source program.  It's just as easy to write a piece of malware
for an open source program.  How many Apache bugs were exploited in the past
couple months?  Quite a few; I'll even bet a dime for a dollar that there
have been MORE Apache exploits and/or vulns than IIS in the past 4
months.  Most bang for the buck.

  Sorry about the pages of quoted old message before guys :-)

  Exibar



Re: [Full-Disclosure] Show me the Virrii!

2004-01-07 Thread Exibar
The vulnerability is the direct result of poor coding, or overlooked
coding.  The people that write, and release, malicious exploits are directly
responsible for causing other people grief.  If they spent their time
helping to fix the problem and not write something malicious, well, most of
us would be out of jobs actually.  Hmm, I kinda like what I do for a
living :-)

  I guess it's kinda like the old thief's plea to a judge.  "But the door
was unlocked , I just opened it up, walked in and took what I wanted."
That's not a justification for writing malicious code, or turning PoC code
into something malicious intended to infect other files, networks, etc.

  My point was just that if the roles of Windows and Linux (just for two
examples, it could be Apple DOS and Atari DOS for all it matters) were
reversed, all we'd hear is how tough it is to patch 30,000 Linux boxes in a
timely fashion.  And that it sucks to have to re-compile the kernel every
week due to a new threat.  etc etc etc


Exibar


- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 07, 2004 10:47 AM
Subject: RE: [Full-Disclosure] Show me the Virrii!


> > -Original Message-
> > From: Exibar [mailto:[EMAIL PROTECTED]
> > Sent: 07 January 2004 15:12
> > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: Re: [Full-Disclosure] Show me the Virrii!
> >
> >
> > Although I agree with your other points, I have this comment:
> >
> > Why do you ultimately blame Windows/DOS for the virus
> > problem?  This is
> > simply not true.  Are there not SQL worms?  Was it not a SQL
> > worm that was
> > the fastest to spread in history?  Are there not many Linux worms and
> > viruses, and more being written each day?  Are there not
> > viruses and/or
> > worms that exploit Cisco products?  Hell there are even worms
> > that exploit
> > FTP and IRC!  I can go on.
> >
> >It is not Windows that is the problem.  It is the people
> > that write the
> > damned things that is the problem.  Ok, perhaps it's the lack
> > of laws that
> > will make a programmer think twice about becoming a Vx'r.
> >
> >If Linux had the marketshare that Windows does right now,
> > and it just
> > might one day it's hard to compete with free, and the
> > majority of viruses
> > are being written for Linux, would you then blame Linux as
> > the cause of the
> > problem?
> >
> >   Saying Windows is to blame for the mess that we're in is
> > like saying the
> > gun is what causes a murder and not the person that pulled
> > the trigger.
> >
> >   Exibar
> >
> I hadn't even mentioned worms. In fact, if we take worms into account, then
> the proposed solution becomes even more difficult to implement. After all,
> if you trust any program, be it httpd or sqlservr.exe to use the processor,
> a worm can always exploit this.
>
> My original point about viruses (not worms or trojans) still stands. The
> majority exist because Windows will execute a huge number of files just
> because of their filename.
>
> Going back to worms, the SQL slammer worm caused damage far out of
> proportion to its installed base. It's a matter of public record that
> Microsoft hadn't even patched its own servers against it. How does that
> compare to the rapid patching of Apache servers? (Actually, I've said it
> before on this list that Microsoft did not have proper firewalling in place,
> so I won't go back over that one).
>
> Your answer to a hypothetical question about Linux having a similar market
> share does not make sense. First, it's conjecture and second, Linux (and all
> other UNIX based systems) do have reasonably sensible privileges (compared
> to Windows 98 which is still being used by many many organisations).
>
> Note that I said "mostly responsible". I don't blame Microsoft for all worms
> and viruses, but Bill Gates is directly responsible for a flawed (with
> hindsight) design decision. Now if we did all switch to Linux/BSD whatever,
> that flaw would go away.
>
> In fairness, he isn't the only person to make mistakes in design. Until a
> few years ago, nearly everyone had "open mail relays". In fact, if you don't
> have an open relay, you are breaking RFC 822. Of course, this particular
> requirement should now be ignored (It may be obsoleted already. I haven't
> looked for ages).
>
> Can you please bottom post? I use evil Outlook (I have no choice), but even
> I remember to bottom post to mailing lists.
>
> Thank you.
>
> -
> John Air

Re: [Full-Disclosure] Show me the Virrii!

2004-01-07 Thread Exibar
Someone still has to pull the trigger, by accident or otherwise.  The gun
isn't going to all of a sudden think "I think I'll shoot this person in the
chest" and then go ahead and do it.
  Accidents aside (hell I could fall on a rock and be killed just the same),
the gun itself is only the tool that the murderer is using to commit murder.
The person using that tool is to be blamed for the crime, not the tool
itself.

  Thus, anyone that writes and releases, or just releases a malicious piece
of code, should be blamed for the grief it causes.  Not what's being
attacked, or not even the piece of malware itself really.

Exibar

- Original Message - 
From: "michael williamson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 07, 2004 11:26 AM
Subject: Re: [Full-Disclosure] Show me the Virrii!


> >   Saying Windows is to blame for the mess that we're in is like saying the
> > gun is what causes a murder and not the person that pulled the trigger.
>
> Well, it doesn't help things when the gun has the safety removed...
>
> Michael
>
>


[Full-Disclosure] 3 new MS patches next week... but none fix 0x01!

2004-01-08 Thread Exibar
What's going on over at Microsoft anyway?  They're releasing 3 new patches
next week, but none are planned to take care of the "0x01" vulnerability in IE.
   I'm one of Microsoft's defenders, and I'm starting to get a little
confused and upset at what they're doing.

  Heck, if 3rd parties can write a fix for the darned thing, why the heck
can't Microsoft?  What are they thinking over there?

 oh, I guess they are waiting for a large client to get scammed by a scam
e-mail and then wait for that client to complain.  Money really does talk,
I guess.  It's a shame.

  

  I'm off my soapbox now, we now return you to your regularly scheduled
program.

  Exibar



Re: [Full-Disclosure] 3 new MS patches next week... but none fix

2004-01-09 Thread Exibar
My source is not important, they fix SECURITY holes, so I would say that
everyone on this list would want to know.  My post wasn't about the 3 that
were being released, But about a hole that was widely discussed on this very
list that wasn't being addressed.  In any case, they are security patches,
this is still a security list is it not???

This is not gossip, I stated nothing but facts in my message (perhaps an
opinion or two as well).  Just because you don't have access to the same
source of information that I do, certainly doesn't make it gossip.

  the three patches are widely known by now I'm sure.  I've now seen various
sites talking about them.

  Exibar

- Original Message - 
From: "Randal, Phil" <[EMAIL PROTECTED]>
To: "'Exibar'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, January 09, 2004 6:18 AM
Subject: RE: [Full-Disclosure] 3 new MS patches next week... but none fix


> Time for me to get on my soapbox too.
>
> What are the three patches, what's your source of information, and do they
> fix things readers of this list need to know about?
>
> Less gossip, more information, please.
>
> Cheers,
>
> Phil
>
> -
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Exibar
> > Sent: 08 January 2004 19:16
> > To: [EMAIL PROTECTED]
> > Subject: [Full-Disclosure] 3 new MS patches next week... but none fix
> > 0x01!
> >
> >
> > What's going on over at Microsoft anyway?  They're releasing 3 new patches
> > next week, but none are planned to take care of the "0x01" vulnerability
> > in IE.
> >    I'm one of Microsoft's defenders, and I'm starting to get a little
> > confused and upset at what they're doing.
> >
> >   Heck, if 3rd parties can write a fix for the darned thing, why the heck
> > can't Microsoft?  What are they thinking over there?
> >
> >  oh, I guess they are waiting for a large client to get scammed by a scam
> > e-mail and then wait for that client to complain.  Money really does talk,
> > I guess.  It's a shame.
> >
> >   
> >
> >   I'm off my soapbox now, we now return you to your regularly scheduled
> > program.
> >
> >   Exibar
> >


Re: [Full-Disclosure] 3 new MS patches next week... but none fix 0x01!

2004-01-09 Thread Exibar
If it's hidden in one of them that's fine, I care not how it is addressed,
just that it is addressed.  Although a little blurb would be nice because
this vulnerability has been made public.  But the 3 scheduled patches aren't
IE related.

  Is SP2 available to download?  If not, it doesn't really do anyone any
good :-(

 Ex

- Original Message - 
From: "Poof" <[EMAIL PROTECTED]>
To: "'Michael Renzmann'" <[EMAIL PROTECTED]>; "'Exibar'"
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, January 09, 2004 2:09 AM
Subject: RE: [Full-Disclosure] 3 new MS patches next week... but none fix
0x01!


> Actually- the 01 bug is fixed in XP SP2... So I think it may be hidden in
> one of them...
>
> They don't always disclose 'everything' in the patches...
>
> ~
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:full-disclosure-
> > [EMAIL PROTECTED] On Behalf Of Michael Renzmann
> > Sent: Friday, January 09, 2004 1:21 AM
> > To: Exibar
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: [Full-Disclosure] 3 new MS patches next week... but none fix
> > 0x01!
> >
> > Hi.
> >
> > Exibar wrote:
> > >   Heck if 3rd parties can write a fix for the darned thing, why the heck
> > > can't Microsoft  What are they thinking over there?
> >
> > "When others do the work for us, why should we bother to spend money in
> > that?"
> >
> > Bye, Mike
> >


Re: [Full-Disclosure] Virus / Trojan

2004-01-09 Thread Exibar
LOL, your AV scanner on your Exchange server detected it (or extension
blocked it), here's what came through for your attachment:

 01/09/2004 03:47 PM The original attachment contains a virus or meets the
File-Blocking rules. ScanMail took action: winxp_sp1.zip/Moved, please see
your Exchange Server administrator for details!

   All the AV vendors should have DATS/Defs for it by now.  Symantec and NAI
both do at least:

  That's the new Xombe (downloader-GJ by NAI)

http://securityresponse.symantec.com/avcenter/venc/data/trojan.xombe.html
http://vil.nai.com/vil/content/v_100945.htm

Exibar

- Original Message - 
From: "Otero, Hernan (EDS)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 09, 2004 2:47 PM
Subject: [Full-Disclosure] Virus / Trojan


Today found this suspicious file attached to an email, obviously it is a virus
(our AV doesn't detect it :-( ). The virus/trojan is very simple, the
developer only put effort into obfuscating the strings inside the binary.

The executable file tries to connect to gamemaniacs.org and download a file.
This file will be located in the system directory.

The url used in the GET is:

gamemaniacs.org /download/get.php?dist=2

This will download the binary saved as msvchost.exe

Anyone know what virus/trojan this is?



-H


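Given the indicators in the message above (the download host and path, and the dropped file name msvchost.exe), the natural follow-up for anyone running a proxy is to sweep the logs for other clients that fetched the same thing. The Python below is an added example, not code from the thread: it parses constructed Squid-style access log lines, reports every client that requested the stated download URL, and separately flags file names that sit one edit away from a real Windows system binary, which is what makes msvchost.exe easy to overlook next to svchost.exe. The log lines and the SYSTEM_BINARIES set are constructed for the demo; the indicators themselves are the ones stated in the post.

```python
"""Sweep proxy logs for the downloader described above and spot its dropped file.

Added example, not code from the thread.  Indicators come from the post;
the log lines and the SYSTEM_BINARIES set are constructed for the demo.
"""
from urllib.parse import urlsplit

IOC_HOST = "gamemaniacs.org"
IOC_PATH = "/download/get.php"
IOC_DROPPED = "msvchost.exe"

# Constructed Squid-style access log: time client status/code bytes method url
PROXY_LOG = """\
1073680800.123 10.0.0.5 TCP_MISS/200 1430 GET http://www.example.com/index.html
1073680801.456 10.0.0.17 TCP_MISS/200 20480 GET http://gamemaniacs.org/download/get.php?dist=2
1073680802.789 10.0.0.23 TCP_MISS/200 20480 GET http://GAMEMANIACS.ORG/download/get.php?dist=7
1073680803.000 10.0.0.9 TCP_MISS/404 300 GET http://www.example.com/download/get.php
malformed line
"""


def parse_line(line):
    """Pull client and URL out of one log line; None if the line is malformed."""
    fields = line.split()
    if len(fields) < 6:
        return None
    return {"ts": fields[0], "client": fields[1], "method": fields[4], "url": fields[5]}


def downloader_hits(log_text):
    """Return (client, url) for every request to the stated download URL.

    Matching is on the parsed host and path, not a substring, so the
    upper-cased host and a different ?dist= value still match while the
    same path on another host does not.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        if (parts.hostname or "") == IOC_HOST and parts.path == IOC_PATH:
            hits.append((rec["client"], rec["url"]))
    return hits


def edit_distance(a, b):
    """Plain Levenshtein distance, small enough to inline here."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Constructed reference set of names that malware likes to imitate
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}


def lookalikes(filenames):
    """Flag names one edit away from a known system binary (and not one itself)."""
    flagged = []
    for name in filenames:
        low = name.lower()
        if low in SYSTEM_BINARIES:
            continue
        for legit in sorted(SYSTEM_BINARIES):
            if edit_distance(low, legit) == 1:
                flagged.append((name, legit))
                break
    return flagged


if __name__ == "__main__":
    for client, url in downloader_hits(PROXY_LOG):
        print(f"downloader fetched by {client}: {url}")
    for name, legit in lookalikes(["notepad.exe", IOC_DROPPED, "svchost.exe"]):
        print(f"{name} looks like {legit}")
```

Run stand-alone it names the two internal clients that fetched the downloader and reports msvchost.exe as a look-alike of svchost.exe. The same two checks carry over to a real log: match on the parsed host and path rather than grepping for a string, and keep the look-alike threshold at one edit, since a larger distance starts matching genuine system binaries against each other.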


RE: [inbox] Re: [Full-Disclosure] 3 new MS patches next week... but none fix

2004-01-10 Thread Exibar



>I think it is a totally lame approach.  The patch distribution problem
>has been pretty much solved by other vendors.  We would all sleep better
>at night if M$ would just get a clue.  Oh well.
>
>tim


  It's not that Microsoft doesn't have a clue, they do.  We are getting
regular patches for holes that are found are we not?  If they didn't have a
clue, we would have yearly patches or none at all.  Ok, there may be some
holes that aren't patched yet, but I'm sure they're working on them and
they're coming.  Some patches just have to take precedence over others.

  I've seen quite a few vulnerabilities come across this list in this past
week, not many have vendor fixes yet either.  This is not a Microsoft
exclusive problem.  We need a better way to patch systems, ALL systems.

   I've said it once on another list, and I'll say it here, we need a sort
of "patching server" that is on an isolated subnet.  When a machine first
connects to the network, it gets an IP address and is only allowed to talk
to the patching server(s).  Once the patching servers (for ALL OS's mind
you) determine that the machine is up to date with its patches, then and
only then is it allowed to connect to the production network.

  Now this won't take care of 0-day exploits for 0-day vulns, but it would
have taken care of 95% of the scrambles that a lot of companies went through
last year.


  Let me ask this question, if you were running a company with 30,000 LINUX
boxes.  How would you patch all of them?  Don't a lot of Linux patches
require a re-build of the kernel?

  Exibar

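The quarantine-until-patched design sketched above is the decision a patching server has to make once a host reports its inventory: compare the report against a per-OS policy and either admit the host or keep it on the isolated subnet with the reasons. The Python below is an added example, not code from the post. The policy entries, the patch identifiers (KB-EXAMPLE-1 and KB-EXAMPLE-2), the package versions and the host reports are all constructed for the demo, and the version comparison is a deliberate simplification of dpkg/rpm ordering.

```python
"""Admission decision for a 'patching server' on an isolated subnet.

Added example, not code from the original post.  Policy values, patch ids
(KB-EXAMPLE-*) and host reports are constructed for the demo.
"""
import re


def version_key(version):
    """Split '0.9.7c' into comparable chunks: ((0,0),(0,9),(0,7),(1,'c')).

    Numeric runs compare as ints, letter runs as strings, and a tag marks the
    type so ints and strings never meet.  Simplification: real dpkg/rpm
    ordering also handles epochs, '~' and '-' specially.
    """
    return tuple((0, int(chunk)) if chunk.isdigit() else (1, chunk)
                 for chunk in re.findall(r"\d+|[A-Za-z]+", version))


# One policy per platform: what a host must have before it leaves quarantine.
POLICY = {
    "windows": {"required_patches": {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}},
    "linux": {"min_versions": {"openssl": "0.9.7c", "apache": "1.3.29"}},
}


def evaluate(host):
    """Return ('admit' | 'quarantine', [reasons]) for one inventory report."""
    policy = POLICY.get(host["os"])
    if policy is None:
        # Fail closed: a platform the policy does not know stays isolated,
        # which is the "for ALL OS's" part of the argument above
        return "quarantine", [f"no policy for OS {host['os']!r}"]
    reasons = []
    for patch in sorted(policy.get("required_patches", ())):
        if patch not in host.get("patches", ()):
            reasons.append(f"missing {patch}")
    for pkg, minimum in sorted(policy.get("min_versions", {}).items()):
        have = host.get("packages", {}).get(pkg)
        if have is None:
            reasons.append(f"{pkg} not reported")
        elif version_key(have) < version_key(minimum):
            reasons.append(f"{pkg} {have} < {minimum}")
    return ("admit" if not reasons else "quarantine"), reasons


# Constructed inventory reports, as an agent on each host would send them
HOSTS = [
    {"name": "ws01", "os": "windows", "patches": {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}},
    {"name": "ws02", "os": "windows", "patches": {"KB-EXAMPLE-1"}},
    {"name": "web01", "os": "linux", "packages": {"openssl": "0.9.7c", "apache": "1.3.29"}},
    {"name": "web02", "os": "linux", "packages": {"openssl": "0.9.6k", "apache": "1.3.29"}},
    {"name": "ap01", "os": "bsd", "packages": {}},
]


def triage(hosts):
    """Map host name -> (decision, reasons) for a batch of reports."""
    return {h["name"]: evaluate(h) for h in hosts}


if __name__ == "__main__":
    for name, (decision, reasons) in triage(HOSTS).items():
        print(f"{name:6} {decision:10} {'; '.join(reasons)}")
```

Two design points carry over from the message: the policy fails closed for any platform it has no entry for, and it can only enforce patches that already exist, so, as the message says, it does nothing for a 0-day and the quarantine subnet still needs ordinary network controls around it.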


RE: [inbox] RE: [Full-Disclosure] 3 new MS patches next week...

2004-01-11 Thread Exibar

>
> This really long 'form action' item
> http://www.citibank.com:achaaa9uwdtyazjwvw9p398haaa9uwdtyazjwvwaboundpywwgc2l6zt00pjxtvgc2l6zt00pjxywwgc2l6zt00pjxt398haaa9uwdtyazjwvwaaoundpywwgc2l[EMAIL PROTECTED]/login/form.php
>
> obviously contains the 0x01 exploit. What I'm curious about is the HUGE
> amount of crap in between the : and the @ sign. I mean, if the 0x01 exploit
> is 'good enough', what's with the extra characters?
>


The above http: line doesn't make use of the 0x01 exploit.  In order to make
use of that exploit, you NEED "0x01" in there just before the @ symbol.  The
above link only makes use of a "feature" of using the @ symbol to pass
credentials.  All the gibberish that you see in the link is a poor attempt
to mask the actual address it's going to.  When you click on the link,
you'll see "211.239.150.170/login/form.php" in the browser's address bar.
If it was using the 0x01 exploit you'd see "http://www.citibank.com" in the
address bar.

 Exibar

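The point of the reply above, and of the earlier "0x01" thread on this page, is that everything between `http://` and the last `@` in a link is userinfo, not the destination; the browser connects to whatever follows the `@`. The Python below is an added example, not code from the thread: it pulls the real host out of such a link and flags a userinfo part that is shaped like a domain name or that carries a control character (the thread's 0x01, sent percent-encoded as %01). The sample URLs are constructed; the first is shaped like the quoted link with the gibberish shortened, and 211.239.150.170 is the address named in the reply.

```python
"""Pick apart the user:pass@host trick used in phishing links.

Added example, not code from the original thread.  SAMPLES are constructed
for the demo; none of them is a live link.
"""
import re
from urllib.parse import urlsplit, unquote

# Something shaped like a registrable host name, e.g. "www.citibank.com"
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)

SAMPLES = [
    # Decoy bank name before ':', junk "password", real destination after '@'
    "http://www.citibank.com:achaaa9uwdtyazjwvw9p398haaa@211.239.150.170/login/form.php",
    # Same idea with a percent-encoded 0x01 byte right before the '@'
    "http://www.citibank.com%01@211.239.150.170/login/form.php",
    # Ordinary link with no userinfo at all
    "http://www.example.com/login",
]


def analyze(url):
    """Return the host the browser will actually contact plus a list of findings."""
    parts = urlsplit(url)
    real_host = parts.hostname or ""    # lower-cased, userinfo and port stripped
    findings = []
    if parts.username is not None:
        # RFC 3986: everything before the last '@' in the authority is userinfo
        findings.append("userinfo-present")
        decoded = unquote(parts.username)
        if any(ord(ch) < 0x20 for ch in decoded):
            # A control byte has no business in a username; the thread's
            # 0x01 trick is exactly this
            findings.append("control-char-in-userinfo")
        visible = "".join(ch for ch in decoded if ord(ch) >= 0x20)
        if DOMAIN_RE.match(visible):
            # The "username" is shaped like a host name: a decoy for the reader
            findings.append("decoy-domain-in-userinfo")
    return {"url": url, "real_host": real_host,
            "decoy": parts.username or "", "findings": findings}


def is_deceptive(url):
    """True when the userinfo is there to mislead rather than to log in."""
    found = analyze(url)["findings"]
    return "decoy-domain-in-userinfo" in found or "control-char-in-userinfo" in found


if __name__ == "__main__":
    for sample in SAMPLES:
        r = analyze(sample)
        print(f"{'SUSPECT' if is_deceptive(sample) else 'ok     '} "
              f"real host={r['real_host']!r} decoy={r['decoy']!r} {r['findings']}")
```

Run stand-alone, the first two samples report 211.239.150.170 as the real host, which is what the reply says the address bar will show. A mail gateway or proxy can apply the same test to every link it sees; since very few legitimate web links carry userinfo at all, rewriting or blocking any link that does is a defensible policy.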


Re: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1371 - 8 msgs

2004-01-13 Thread Exibar

>
> If you ever find a union that lives up to its mission statement, you let me
> know.  Until then, I'll fight tooth and nail to keep unions out of my
> profession.
>

I can't agree with you more.  After working in both a Union shop and a
non-Union shop, I'll take the non-union over Union any day of the week.  I
will also fight tooth and nail to keep unions away.

 Exibar



[Full-Disclosure] netlux.org down? :-(

2004-01-15 Thread Exibar
  Is netlux.org gone forever or has it just moved to a different domain
name?

 Anyone know?

 thanks!
  Ex



Re: [Full-Disclosure] netlux.org down? :-(

2004-01-15 Thread Exibar
Ack, my darned fingers missed a couple letters.  I meant to type, is
VX.netlux.org gone for good?  VX.netlux.org used to have a pretty good
virus repository.
   If anyone knows of another such repository, please let me know off-list.

  thanks!
  Ex
- Original Message - 
From: "Nate Johnson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 15, 2004 2:15 PM
Subject: RE: [Full-Disclosure] netlux.org down? :-(


> TRY
> http://www.netlux.org/
> Sorry  I can't read the language it is written in.
> Nate
> KC7JHO
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Exibar
> > Sent: Thursday, January 15, 2004 10:26 AM
> > To: [EMAIL PROTECTED]
> > Subject: [Full-Disclosure] netlux.org down? :-(
> >
> >
> >   Is netlux.org gone forever or has it just moved to a
> > different domain name?
> >
> >  Anyone know?
> >
> >  thanks!
> >   Ex
> >


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Exibar
Dave,
   Sorry to disagree with you, but telling people to simply not use Windows
and not use Outlook is like telling people not to ride in a car for fear
of getting into an accident.

   So you're telling me that if I don't run Windows and I don't run Outlook
that I'm 100% safe?  Horsesh*t!   If I install Linux and not Windows XP (for
example) I'm safe?  There isn't anything else that I have to do?

   Why not EDUCATE the end-user on how to use Windows and Outlook safely?
This is the entire basis behind this Personal Firewall Day, it's about
EDUCATING those that don't know.

BTW:  Not running Anti-virus software is just plain stupid (I will not
respond to any flames on this point, so don't bother).  Plain and simple.
I'm very surprised that any company is able to run that way.

 Exibar

- Original Message - 
From: "David F. Skoll" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Thursday, January 15, 2004 12:06 PM
Subject: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the
cause


> On Wed, 14 Jan 2004 [EMAIL PROTECTED] wrote:
>
> > I just wanted to remind everybody that tomorrow is Personal Firewall Day.
> > http://www.personalfirewallday.org/
>
> That Web site is utterly disingenuous.  Rather than giving low-value
> information, how about high-value information that actually protects people:
>
> 1) Don't use Windows.
> 2) Don't use Outlook.
>
> Our company uses neither Windows nor Outlook, and although we do have a
> firewall, we do not use anti-virus software.
>
> Of course, the sponsors of the site (Microsoft and a bunch of anti-virus
> vendors) can hardly see it as being in their interest to actually create
> a secure computing environment.
>
> Regards,
>
> David.
>


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-15 Thread Exibar

> >So you're telling me that if I don't run Windows and I don't run Outlook
> > that I'm 100% safe?  Horsesh*t!
>
> You are very much safer.  Our mail server receives on the average day 70
> viruses from cracked Windows machines, and none from cracked Linux machines.
> We still receive several Nimda hits a day, and none from cracked Linux
> machines.

 But not 100% safe though...  there are Linux viruses.  What about all those
e-mails that try to steal my SS# and CC#'s?  Education is the key, not the
OS that you run or don't run.

>
> >  If I install Linux and not Windows XP (for
> > example) I'm safe?  There isn't anything else that I have to do?
>
> A default install of a modern Linux distro includes firewalling rules
> by default, and is fairly safe.

There aren't any holes in that Linux distro?  There sure are, plenty of
them.  Oh, so the Personal Firewall is protecting the user... interesting,
aren't there Personal Firewalls for Windows OS's?  Tons of them.

>
> >Why not EDUCATE the end-user on how to use Windows and Outlook safely?
>
> Because it is impossible to use Windows safely; the very design of the
> operating system is flawed.  This is not just my opinion; it's also that
> of Bruce Schneier and many other people, some of whom lost their jobs

  It IS possible to use Windows safely, with Education of the user.  Teach
them how to setup a Personal Firewall, hardware firewall, and Yes, AntiVirus.


> Why?  We have no machines that are susceptible to the viruses that are
> in the wild.  We do, of course, drop .exe, .com, etc attachments on
> our mail server, but that's just to save disk space and stop annoying
> messages from filling our mailboxes.
>
I don't buy that you block them ONLY to save disk space and stop annoying
messages... don't buy it at all.
>
> We have since 1999, and haven't had any problem.  If you don't use Windows,
> you don't need anti-virus software.

 Ignorance is bliss they say...  If you honestly and truly believe what you
say, more power to you.  I honestly hope that nothing bad happens to your
systems due to a virus outbreak that A/V software would have taken care of.

 Ex



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Exibar

- Original Message - 
From: "David F. Skoll" <[EMAIL PROTECTED]>
To: "Exibar" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, January 15, 2004 3:37 PM
Subject: Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help
the cause


> On Thu, 15 Jan 2004, Exibar wrote:
>
> >  But not 100% safe though...  there are Linux viruses,
>
> Such as ... ?
>


 Will any of these do?  Will you still think you don't need AV on Linux now?

Here's a partial list.  Don't choke too hard now!

Linux.Bliss.a
Linux.Bliss.b
Linux.Clifax
Linux.Dido.478
Linux.Diesel.969
Linux.Eriz.401
Linux.Gildo
Linux.Godog.a
Linux.Godog.b
Linux.Godog.c
Linux.Henky.482
Linux.Kagob.a
Linux.Kagob.b
Linux.Mandragore.666
Linux.Manpages
Linux.Mixter
Linux.Nuxbee.1403
Linux.Nuxbee.1411
Linux.Orig
Linux.Osf.8759
Linux.Quasi
Linux.Radix
Linux.RST.a
Linux.RST.b
Linux.Satyr
Linux.Siilov.5916
Linux.Silvio.a
Linux.Silvio.b
Linux.Snoopy.a
Linux.Snoopy.b
Linux.Snoopy.c
Linux.Staog
Linux.Svat.a
Linux.Svat.b
Linux.Svat.c
Linux.Telf.8000
Linux.Telf.9812
Linux.Telf.11208
Linux.Telf.210148
Linux.Telf.211140
Linux.Vit.4096
Linux.Winter.341
Linux.Winter.343
Linux.Ynit.827
Linux.ZipWorm
Worm.Linux.Adm
Worm.Linux.Adore
Worm.Linux.Cheese
Worm.Linux.Corn
Worm.Linux.Godog
Worm.Linux.Hijack
Worm.Linux.Kork
Worm.Linux.Lion
Worm.Linux.Lion.dam
Worm.Linux.Mighty
Worm.Linux.Millen
Worm.Linux.Mworm
Worm.Linux.Ramen
Worm.Linux.Ramen.b
Worm.Linux.Ramen.c
Worm.Linux.Scalper
Worm.Linux.Scalper.a
Worm.Linux.Scalper.b
Worm.Linux.Scalper.c
Worm.Linux.Slapper
Worm.Linux.Slapper.unlock
Trojan.Linux.Attack
Trojan.Linux.Beasted
Trojan.Linux.Hacktop
Trojan.Linux.IRCKiller
Trojan.Linux.Mircforce.a
Trojan.Linux.Mircforce.b
Trojan.Linux.Rootkit.30.Chfn
Trojan.Linux.Rootkit.30.Chsh
Trojan.Linux.Rootkit.40
Trojan.Linux.Rootkit.c
Trojan.Linux.Rootkit.c2
Trojan.Linux.Rootkit.d
Trojan.Linux.Rootkit.e
Trojan.Linux.Rootkit.f
Trojan.Linux.Wudel
Backdoor.Linux.Blackhole
Backdoor.Linux.BO.002
Backdoor.Linux.BO.101
Backdoor.Linux.BO.121.a
Backdoor.Linux.BO.121.b
Backdoor.Linux.Bodoor
Backdoor.Linux.Bodoor.plugin
Backdoor.Linux.Bofishy.a
Backdoor.Linux.Bofishy.b
Backdoor.Linux.CGI.a
Backdoor.Linux.CGI.b
Backdoor.Linux.Cyrax.a
Backdoor.Linux.Cyrax.b
Backdoor.Linux.Darkux
Backdoor.Linux.Divine
Backdoor.Linux.DobDrag
Backdoor.Linux.Eko
Backdoor.Linux.Gulzan
Backdoor.Linux.Gummo
Backdoor.Linux.Kbd
Backdoor.Linux.Keitan
Backdoor.Linux.Kokain
Backdoor.Linux.Kot
Backdoor.Linux.Muench
Backdoor.Linux.NetBus.04
Backdoor.Linux.Ovason
Backdoor.Linux.Pass
Backdoor.Linux.Popdoor
Backdoor.Linux.Rootin.a
Backdoor.Linux.Rootin.b
Backdoor.Linux.Rootin.c
Backdoor.Linux.Shadoor
Backdoor.Linux.Smack
Backdoor.Linux.Small.a
Backdoor.Linux.Streamdoor
Backdoor.Linux.Subsevux
Backdoor.Linux.Trinity
Backdoor.Linux.Tsunami
Backdoor.Linux.UDP
Backdoor.Linux.Excedoor
Trojan.Linux.JBellz
Worm.Linux.Slapper.b
Backdoor.Linux.Backserv
Backdoor.Linux.Ltrap
DDoS.Linux.Kaiten
Exploit.Linux.Teso
Exploit.Linux.Apache.1327
Exploit.Linux.Apache.134
Exploit.Linux.Da2
Exploit.Linux.Interbase
Exploit.Linux.Espacker
Exploit.Linux.Evilc
Exploit.Linux.IIS-Attacker
Exploit.Linux.Kaot
Exploit.Linux.KArtsd
Exploit.Linux.Login
Exploit.Linux.Nhttpd
Exploit.Linux.OpenSSL
Exploit.Linux.OpenSSL.a
Exploit.Linux.OpenSSL.b
Exploit.Linux.Qpop.30
Exploit.Linux.Shinject
Exploit.Linux.SSHD22.a
Exploit.Linux.SSHD22.b
Exploit.Linux.Syslog.a
Exploit.Linux.Syslog.b
Flooder.Linux.Bliz.a
Flooder.Linux.Bliz.b
Flooder.Linux.Pong
Flooder.Linux.Raped
Flooder.Linux.Slice
Flooder.Linux.Stream
Flooder.Linux.Synk.a
Flooder.Linux.Synk.b
DoS.Linux.Blitz
DoS.Linux.Front
DoS.Linux.IISuxor
DoS.Linux.Octopus
DoS.Linux.SinkSlice
DoS.Linux.SSPing.10
DDoS.Linux.BlowFish
DDoS.Linux.Fork
DDoS.Linux.Glock
DDoS.Linux.Knight
DDoS.Linux.Mstream
DDoS.Linux.PaulCyber.10
DDoS.Linux.PaulCyber.20
DDoS.Linux.Stach
DDoS.Linux.TFN
DDoS.Linux.Trin
DDoS.Linux.XChatSouls
PolyEngine.Linux.LIME.poly
PolyEngineSGen.Linux.Lime
Sniffer.Linux.Sysniff
VirTool.Linux.Elfwrsec.a
VirTool.Linux.Elfwrsec.b
VirTool.Linux.Infect
VirTool.Linux.Mhttpd
VirTool.Linux.Mmap.443
VirTool.Linux.Rawsocket



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Exibar
>
> I don't care what you buy or don't buy, but it's the truth.  We don't
> run Windows, so we aren't susceptible to the viruses in the wild.

Just because you don't run Windows doesn't mean that you're 100% protected
from all the viruses in the wild.  Please see the partial list of Linux
viruses I sent on earlier.

>
> > > We have since 1999, and haven't had any problem.  If you don't use
> > Windows, > you don't need anti-virus software.
>
> >  Ignorance is bliss they say...  If you honestly and truely believe
> > what you say, more power to you.  I honestly hope that nothing bad
> > happens to your systems due to a virus outbreak that A/V software
> > would have taken care of
>
> There is no A/V virus designed to protect Linux systems.  There is
> A/V software that runs on Linux, but it's designed to catch Windows
> viruses.
>
> I've been in the computer security business for a while now; I think
> I know what I'm doing.

  I'm happy for you that you feel that way.
But why did you feel that there aren't any Linux viruses?
  I've been in the computer security field longer than I care to admit, and
I'm still learning something new every day.  No matter how long you've been
in the field, the more you know, the more you realize that there is much
more to learn.

Exibar



Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Exibar
I'm very glad to see that it appears the majority on this list agree.

 Ex

- Original Message - 
From: "Bill Royds" <[EMAIL PROTECTED]>
To: "'cdowns'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, January 15, 2004 5:33 PM
Subject: RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help
the cause


> National Smokeout Day has been very successful in getting people to quit
> smoking for those wanting to quit smoking. It is not perfect because smoking
> is an addiction and only stupid people smoke anyway these days so it is hard
> to persuade them to stop.
>
> Personal Firewall Day is only one of many possible approaches to improving
> security on home machines. Too many people on this list have binary minds.
> Either it works perfectly or it doesn't work at all. This may be OK for
> logic circuits, but it is not valid for humans and computer users are human
> not mechanical.
>Microsoft sells lots of software for two main reasons:
> 1/ It is installed on machines when delivered (which is why they were
> convicted of being a monopoly in desktops).
> 2/ Because most desktops run Windows, most software aimed at desktops runs
> only on Windows.
>
>   So you are not going to get MS off the desktop. How else are you going to
> protect the Internet and other computers from these users. A personal
> firewall is much better than closing your eyes and saying "run Linux, run
> Linux". A separate firewall between the modem and the box is probably better
> and they don't cost that much (about $50-$100) and they can act as a switch
> for a home network as well.
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of cdowns
> Sent: January 15, 2004 11:57 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the
> cause
>
> Out of curiosity, you can't get people to stop smoking with the
> "National Smokeout Day" what makes anyone think that this would do
> anything ?
>
> Most people consider their computer the equivalent of a hammer ( a tool
> ), in the toolbox at 4:00 pm sharp until they start their next workday.
>
> maybe I'm wrong, I wish the best on this.
>
> ~!>D
>
> [EMAIL PROTECTED] wrote:
>
> >I just wanted to remind everybody that tomorrow is Personal Firewall Day.
> >
> >http://www.personalfirewallday.org/
> >
> >The Personal Firewall Day is a campaign designed to raise awareness about
> >the dangers we face without a personal firewall. Security experts such as
> >yourself are encouraged to use the occasion of Personal Firewall Day to
> >share your expertise and advice with your less technologically skilled
> >friends and family, and help get them secured by installing a personal
> >firewall - this could be as simple as helping them turn on the XP firewall.
> >Direct them to the website where they can learn more about personal
> >firewalls and other layers of protection.
> >
> >Compromised end-user machines affect us all and the Internet as a whole
> >when they are used as zombies for DDoS networks or proxies by criminal
> >spammers, and your personal effort can help remedy this.
> >
> >PFD is a direct result of the discussions that originated from the
> >NTBugtraq Retreat '03, and would not have been possible without the
> >dedication and hard work put into the project by Paul Robertson, director of
> >risk assessment with TruSecure and the original proponent of the idea.
> >
> >
> >
> >Regards
> >Thor Larholm
> >Senior Security Researcher
> >PivX Solutions
> >24 Corporate Plaza #180
> >Newport Beach, CA 92660
> >http://www.pivx.com
> >[EMAIL PROTECTED]
> >949-231-8496
> >PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
> Qwik-Fix
> >
> >
> >
> >
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Exibar
sheesh,

Linux in-the-wild viruses that come to mind:  Scalper, Ramen, Lion,
Simile.  I'm sure there are lots more as well.

  Linux is NOT immune to viruses or worms, plain and simple.

  Just because the number of Linux viruses/worms is much smaller than W32
viruses/worms doesn't mean that they don't exist.  The number of Linux
installs is much smaller than W32 installs as well.  If I were a Vx'r, would
I write a Linux virus that would max out at 500,000 computers to infect, or
would I write a W32 virus that would max out at 50,000,000+ computers to
infect worldwide?  W32 has, what, 92% of the computer desktops someone
mentioned?  That's a heck of a lot of bang for the Vx'r buck!

 Exibar


- Original Message - 
From: "David F. Skoll" <[EMAIL PROTECTED]>
To: "Exibar" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, January 16, 2004 1:57 PM
Subject: Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help
the cause


> On Fri, 16 Jan 2004, Exibar wrote:
>
> >  Will any of these do?  Will you still think you don't need AV on Linux now?
> > here's a partial list. don't choke too hard now!
>
> Those are all proof-of-concept.  I'm unaware of a single production
> Linux machine anywhere in the world succumbing to one of them.  Perhaps
> you can provide evidence to the contrary?
>
> Furthermore, most of them are not self-propagating, but require active
> cooperation from the recipient.
>
> I do not need nor use AV on Linux.
>
> Regards,
>
> David.
>
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Exibar


>
> > Linux in the wild viruses that come to mind:  Scalper, Ramen, Lion,
> > Simile.  I'm sure there are lots more as well.
>
> None of those was an e-mail virus.  They were worms.  An e-mail virus
> scanner wouldn't have done any good.

  correct, but I'm not talking about ONLY catching e-mail viruses, that's
not the only reason you install A/V software on your desktop.  Worms are
more dangerous than e-mail viruses in my eyes, especially if you're blocking
all executables from coming in through your mail gateway.  Without A/V
software you're susceptible to these worms running rampant on your machine
and network.
   Without A/V you'll also have the problem of people clicking on links and
inadvertently downloading a backdoor or a rootkit.  A firewall will help,
but not prevent this from happening.

 Exibar

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Exibar

> On Fri, 16 Jan 2004, Exibar wrote:
>
> > But why did you feel that there aren't any Linux viruses?
>
> All right. :-)  Let me reword it!
>
> There are no self-propagating Linux e-mail viruses.  The only Linux
> e-mail viruses are proof-of-concept programs that have never actually
> infected machines other than lab machines designed to test the
> proof-of-concept.
>

Ahhh, now there we go.  That might just be the case.  Off the top of my head
I can't think of a Linux-specific e-mail spreading virus.  Unless you count
"phishing" type e-mails that are completely OS independent and basically
want the user to head out to a web site and enter all their personal info
(SS#, CC#'s etc).

  Exibar

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-16 Thread Exibar
>
> >   correct, but I'm not talking about ONLY catching e-mail viruses, that's
> > not the only reason you install A/V software on your desktop.
>
> Are you aware of any A/V desktop software for Linux?  I'm not.  So even
> if I wanted to run A/V on our desktops, I couldn't.

yes, Mcafee has one, I'm sure there are others as well.


>
> >Without A/V you'll also have the problem of people clicking on links and
> > inadvertently downloading a backdoor or a rootkit.
>
> I don't let my employees run as root, so the danger is quite small, as long
> as we keep our boxes up-to-date.
>
Always a smart thing to do, but it's basically the same as not allowing
users to be local admin of their Windows box.  Joe User off the street
isn't going to run the Linux install like that though, they'll want to run
as root because it's their box and they want to be God on it.

  If you always perform due diligence, apply all patches as soon as they are
available, run behind a firewall, educate your users, run "non-mainstream"
OS and apps, you'll limit your exposure to worms and viruses.  But you're
never 100% protected, even with A/V software loaded you run some risk,
although very minimal.
   In striving for 100% you'll reach a point around 98% secure that you can
no longer use the computer because the restrictions are too tight.  You just
have to accept that risk, such as you are accepting that risk when you don't
run A/V software.  If that risk is acceptable to you, then there you have
it.

 Exibar

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day,help the cause

2004-01-16 Thread Exibar

>
> I fail to see how "phishing" (not fishing?) type emails relate to
> viruses. Those are two totally different types of attack methods. A
> virus aims for the weakness in a technical system. Sometimes, it may be
> needing a little social engineering though.
> Asking somebody to cut his own throat and smile while doing so is
> genuine social engineering and has nothing to do with the need for a
> virus scanner or technical defensive measures.
>
I agree, it looked like I was melding the two together into "threats" and
not keeping viruses/worms separate.  Phishing's a new term that's cropped up
for these types of e-mails.

> While you are right that there is the principal threat of "viruses" to
> Linux too, a virus scanner is not the way to protect against such
> attacks using Linux.
>
> Minimum usage (only deploy services you use)
   --- can be done on a Windows box
> File Integrity Checking
   --- would have to run Tripwire or similar
> Rootkit Detectors (this comes closest to virus scanning)
   --- an A/V scanner will do the job
> Firewalling
   --- Windows XP's built-in ICF, or ZoneLabs, etc.
> Rigid Management Of User Rights
   --- Windows can get pretty granular with user rights and permissions
> Encryption
   --- Windows has built-in file encryption

> These are the concepts for protecting a Linux machine.
>
> Most of them are missing in Windows. Just adding a personal firewall
> won't improve matters if the rest of these principles is absent.
>
Not really missing from Windows, just a bit more cumbersome to do.  I agree
that just adding a firewall is not the sole answer, neither is just adding
A/V software.

 Exibar

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
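The file-integrity-checking item in the list above is the one piece of that checklist that is easy to show in code. What follows is an added example written for this page, not code from the thread, from Tripwire or from any product mentioned in it: it hashes every regular file under a directory into a baseline, re-hashes later, and reports what was added, removed or changed. The directory layout and the tampering in `demo()` are constructed. On a real host the baseline has to be kept where the machine being checked cannot rewrite it (read-only media or another host), otherwise a rootkit simply rewrites the baseline along with the binaries.

```python
# Added example, not code from the thread or from Tripwire: a minimal
# file-integrity check. Hash a tree into a baseline, re-hash later, and
# report what was added, removed, or modified (content or permission bits).
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root, '/' separated) to (digest, mode)."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Symlinks are skipped: following one would let an attacker point the
            # checker at a clean decoy while the real file is replaced.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = os.stat(full).st_mode & 0o7777
            baseline[rel] = (hash_file(full), mode)
    return baseline


def compare_baselines(old, new):
    """Files added, removed, or changed between two baselines; lists are sorted for stable output."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(path for path in set(old) & set(new) if old[path] != new[path])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it the way a rootkit install would."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        with open(os.path.join(root, "etc_passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        before = build_baseline(root)

        # Tamper: trojan the ls wrapper, drop a new binary, delete a file.
        with open(os.path.join(root, "bin", "ls"), "ab") as f:
            f.write(b"nc -l -p 31337 -e /bin/sh &\n")
        with open(os.path.join(root, "bin", "backdoor"), "wb") as f:
            f.write(b"\x7fELF")
        os.remove(os.path.join(root, "etc_passwd"))
        after = build_baseline(root)

        return compare_baselines(before, after)


if __name__ == "__main__":
    print(demo())
```

Running the file prints the diff for the constructed scenario. Permission bits are part of the comparison so that a chmod to setuid shows up even when the contents are unchanged.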


Re: [Full-Disclosure] DOS all platforms

2004-01-22 Thread Exibar
I agree, it really does sound like a HOAX to me and those I gave the link
to.

  With all the time that has passed since he "notified" everyone, it is just
too "hoax-like" that there hasn't been a formal announcement from at least
one of those guys about this.

  Causing physical damage to equipment... good luck... although way back
when there was a program that would set the refresh rate on your monitor
very, very high and it could cause the monitor to die.  Doesn't happen
anymore though :-)

  Exibar

- Original Message - 
From: "hicks" <[EMAIL PROTECTED]>
To: "Chris Brown" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, January 21, 2004 7:38 PM
Subject: Re: [Full-Disclosure] DOS all platforms


> I have read and posted to his site, he claims that the CERT only
> acknowledges that it's a UDP flood and are not concerned with it.  He also
> claims that it does physical damage to hardware on devices and that some
> need a reinstall of OS and a firmware upgrade.  There is no *REAL*
> information here.  I consider it a HOAX and will treat it as such.  And he
> doesn't care what anyone thinks.  Oh well, someone else can try and talk to
> him :/
>
> Would make me busy though , or not guess
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Windows XP Explorer Executes Arbitrary Code in Folders

2004-01-26 Thread Exibar
It sure didn't look like a normal folder to me either.  I could edit the
file and such and renaming the file to having an .HTM extension makes it
look like a "normal" html file.  Certainly not like a directory at all, but
a simple file.

  Exibar


- Original Message - 
From: "Thor Larholm" <[EMAIL PROTECTED]>
To: "JacK" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, January 26, 2004 1:39 PM
Subject: Re: [Full-Disclosure] Windows XP Explorer Executes Arbitrary Code
in Folders


> I just sent this to the other lists:
> 
>
> Why don't we call a spade a spade? You renamed an HTML file from "My
> Pics.html" to "My Pics.Folder", it's still an HTML file and not a folder.
>
> In fact, except for the changed file extension this is simply just a repeat
> of your previous post, "Self-Executing HTML: Internet Explorer 5.5 and 6.0
> Part IV", except that the ".Folder" file extension is new to Windows XP and
> makes the file have a folder icon.
>
> When you open any file regardless of extension, Explorer tries to find the
> proper application to open the file with. This involves inspecting the first
> section of the file's content and comparing it to a list of known signatures.
> You can read about "MIME Type Detection in Internet Explorer" at
>
> http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp
>
> We already know that opening HTML files from the My Computer zone is
> equivalent to opening an EXE file, given the executional rights provided by
> the zone. The only solution to this is to lock down the My Computer zone
> which I have been trying to advocate for some time now and Microsoft has now
> promised to do in Service Pack 2 for Windows XP.
>
>
> Regards
>
> Thor Larholm
> Senior Security Researcher
> PivX Solutions
> 24 Corporate Plaza #180
> Newport Beach, CA 92660
> http://www.pivx.com
> [EMAIL PROTECTED]
> Phone: +1 (949) 231-8496
> PGP: 0x5A276569
> 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
>
> PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
> Qwik-Fix <http://www.qwik-fix.net>
>
>
>
>
> - Original Message - 
> From: "JacK" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, January 26, 2004 4:54 AM
> Subject: [Full-Disclosure] Windows XP Explorer Executes Arbitrary Code in
> Folders
>
>
> > Hello,
> >
> > http://www.securitytracker.com/alerts/2004/Jan/1008843.html
> > -- 
> > JacK
> >
> > ___
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> >
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
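An added example, not part of the thread and not Microsoft's detection code: the disguise described above works because the shell decides what a file is from its leading bytes rather than its name. The same sniffing, done defensively, finds HTML or executables hiding behind a harmless-looking extension. The signature table is a simplified stand-in for the MIME detection the linked MSDN page describes, and the sample files are constructed.

```python
# Added example, not code from the thread and not Microsoft's detection logic:
# flag files whose extension claims one type while the leading bytes show
# another, the "My Pics.Folder" case above being an HTML file in disguise.
# The signature table is a simplified stand-in for what a shell or browser sniffs.
import re

SNIFF_WINDOW = 256  # only the first bytes are examined, as content sniffers do

# Magic-byte signatures anchored at offset 0; first match wins.
BINARY_SIGNATURES = [
    ("exe", re.compile(rb"\AMZ")),
    ("zip", re.compile(rb"\APK\x03\x04")),
    ("pdf", re.compile(rb"\A%PDF-")),
    ("png", re.compile(rb"\A\x89PNG\r\n\x1a\n")),
    ("jpeg", re.compile(rb"\A\xff\xd8\xff")),
    ("gif", re.compile(rb"\AGIF8[79]a")),
]
# HTML is recognised by a tag anywhere in the window, which is what makes it
# easy to smuggle: leading junk or whitespace does not stop the match.
HTML_TAG = re.compile(rb"<\s*(!doctype\s+html|html|head|body|script|iframe|object)\b", re.IGNORECASE)

# What the extension claims; anything else maps to "unknown".
EXTENSION_TYPES = {
    "htm": "html", "html": "html", "exe": "exe", "zip": "zip", "pdf": "pdf",
    "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "txt": "text",
}
ACTIVE_TYPES = {"html", "exe"}  # content that runs code when opened locally


def sniff(data):
    """Type implied by the leading bytes, or 'unknown'."""
    head = data[:SNIFF_WINDOW]
    for kind, pattern in BINARY_SIGNATURES:
        if pattern.match(head):
            return kind
    if HTML_TAG.search(head):
        return "html"
    return "unknown"


def extension_of(name):
    """Lower-cased extension, or '' when the name has none."""
    _stem, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def check_file(name, data):
    """Compare declared and sniffed type; active content behind a foreign extension is flagged."""
    ext = extension_of(name)
    declared = EXTENSION_TYPES.get(ext, "unknown")
    sniffed = sniff(data)
    suspicious = sniffed in ACTIVE_TYPES and declared != sniffed
    return {"name": name, "declared": declared, "sniffed": sniffed, "suspicious": suspicious}


# Constructed samples, not files from the advisory.
SAMPLES = {
    "My Pics.Folder": b"<html><body><script>new ActiveXObject('WScript.Shell')</script>",
    "photo.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "index.html": b"<!DOCTYPE html>\n<html><head></head></html>",
    "notes.txt": b"just some text, no markup",
}


def scan(samples=SAMPLES):
    """Names of the samples that look like disguised active content."""
    return sorted(name for name, data in samples.items() if check_file(name, data)["suspicious"])


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_file(name, data))
```

Note the asymmetry that makes HTML the easy case to smuggle: binary types are recognised only by a signature at offset 0, while an HTML tag is accepted anywhere in the window, so a file that starts with junk and then an `<html>` tag is still treated as HTML. A mail gateway or upload handler that keys only on the extension (the "block all executables" approach mentioned earlier in the thread) misses exactly these files.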


Re: [Full-Disclosure] Oldest Hack Sept. 1970 Just for Fun

2004-02-04 Thread Exibar
Not really a hack but it was fun:

Back in high school, sophomore year I think, 1984, our high school had a
PDP-10 for Pascal, Fortran, Basic, and Cobol classes.  This was the first
year that computer programming was offered if I remember correctly.  Well, I
wrote an infinite loop in Fortran (accidentally, really!), well guess what I
did, I caused the first DoS.  That infinite loop simply sucked up all the
cycles that poor hunk of iron could give it and wouldn't allow anyone to do
anything.  Of course, my terminal was able to do anything I wanted, as long
as it was terminating the program ;-)

  After I discovered what I unintentionally did, and both programming
teachers were done pulling out their hair, I quietly kept my little infinite
loop in the back of my head for future use.  I don't think I ever used it
again though... really!  Probably because they knew that I knew how to do
it and I'd be blamed straight away for any "lock-ups" of the system :-)


 You guys decide if it was a hack or not, not even in the '60s or '70s but
mid '80s.  It really was unintentional but I look back at it and smile :-)

Exibar

- Original Message - 
From: "Clairmont, Jan" <[EMAIL PROTECTED]>
To: "'Gary E. Miller'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, February 04, 2004 1:49 PM
Subject: RE: [Full-Disclosure] Oldest Hack Sept. 1970 Just for Fun


>
> That's the spirit, just curious.  I teach and it is fun to have
> material to relieve the boredom.
>
> Hopefully, the statute of limitations has run out on us all 8->
>
>
> -Original Message-
> From: Gary E. Miller [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 04, 2004 1:37 PM
> To: Clairmont, Jan
> Subject: RE:[Full-Disclosure] Oldest Hack Sept. 1970 Just for Fun
>
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Yo Jan!
>
> I got to Brown University in 1971.  By then there were already many tales of
> people hacking the university mainframe in the late '60s.
>
> So you are going to have to go WAY back.
>
> My HS had a Model 33 teletype that we could use to dial to a local
> university mainframe.  In 1968 I tricked a GE time share guy giving demos at
> a mall to show me his dial-in number, username and password. With that we
> ran up the HS long distance bill for months playing with the fancy GE
> mainframe.
>
> RGDS
> GARY
> -
> --
-
> Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
> [EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676
>
> On Wed, 4 Feb 2004, Clairmont, Jan wrote:
>
> > Date: Wed, 4 Feb 2004 10:58:36 -0500
> > From: "Clairmont, Jan" <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: RE:[Full-Disclosure] Oldest Hack Sept. 1970 Just for Fun
> >
> > For all you oldies and newbies anyone know of an
> > older student or other hack?  Back in Sept. 1970
> > we as Waukesha HS students got in a teletype, modem and
> > had access to BASIC, I mean BASIC.  We were allowed
> > 2 hours computer time. And of course one of us
> > "wise group of birds" David Ferrie, found out how to change the system
> > time, so we could program all day.
> >
> > Anyone know of an older hack, just for the Guiness Book
> > of Records?
> >
> > TIME$ A$=TIME$
> >
> > Jan Clairmont
> > LDAP and Solaris Admin. Consultant and anything else I can Get my
> > Hands On.
> >
> > ___
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> >
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.2.3 (GNU/Linux)
>
> iD8DBQFAITvr8KZibdeR3qURAhtwAJ4nekP49t9UwbOQjZZlC+5obTJHEACgxuu/
> 1XHcwzcZZEgE7BX+/UgEOl4=
> =TZHg
> -END PGP SIGNATURE-
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Oldest Hack Sept. 1970 Just for Fun

2004-02-05 Thread Exibar

- Original Message - 
From: "Erik van Straten" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 04, 2004 9:58 PM
Subject: Re: [Full-Disclosure] Oldest Hack Sept. 1970 Just for Fun


> Warning: if you dunno what L1-A means you may wanna press Del now
>
> On Wed, 4 Feb 2004 14:47:55 -0500 "Exibar" wrote:
> > Well, I wrote an infinate loop in Fortran (accidentally, really!),
> > well guess what I did, I caused the first DoS.
>
> Yeah, thanks to someone like you I'm in this silly business. A local
> student did the same on our univ. mainframe which cost our group about
> 500 US$ (ignoring inflation), so the professor decided to buy a Sun
> 4/110 plus 5x 3C503 (100x that price) for all AT's we had at the time.
>


Yikes!  Thanks to someone like me... What I wrote about was a programming
error, done by a teenager that was just learning Fortran and performed an
honest mistake.  Mistakes are part of the learning process.  You did read
the part where I said I terminated the program when it was found that it was
my program causing the DoS.
 But, I'll take your comment with a grain of salt and not take offense to
it.  There wasn't any monetary loss due to this error, and it was a learning
experience for everyone involved.  I'm sure that if this happened in today's
backwards-thinking schools I would have been suspended for this
programming error.  Just like that 13 year old that was suspended for using
the "net send" command and accused of hacking...

   The two programming teachers and I actually had a laugh about it
afterwards  ;-)

 Ex

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] home land tracker software

2004-02-06 Thread Exibar
hrumph... I just tried about a dozen, maybe two dozen, names and none
produced matches.  Their database can't be that big :-)

 William Gates
 George W. Bush

 were two names that I thought for sure would pop up "something" at
least.   Anyone find a name that actually displays information?

 Ex


- Original Message - 
From: "DAN MORRILL" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 06, 2004 1:52 PM
Subject: [Full-Disclosure] home land tracker software


> http://www.ofaccompliance.com/
>
> anyone want to debate the ethics of this and the US Patriot act and how to
> secure the system when it is in use or misuse? You can check your own name at
> the web site, as well as more popular folks. As an information security
> person, this worries me. Both from a compliance issue (corporate) and on a
> personal issue.
>
> Additional reading US Patriot act, section 326.
>
> All information security related ideas welcome, flames to
> /dev/null/blackhole/no-read-access
>
> My question is : what were they thinking?
>
>
> r/
> Dan
>
> _
> Find great local high-speed Internet access value at the MSN High-Speed
> Marketplace. http://click.atdmt.com/AVE/go/onm00200360ave/direct/01/
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] new security patches posted on Microsoft

2004-02-10 Thread Exibar
Looks like ms04-005 ms04-006 and ms04-007 have been posted.

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS04-007.asp

007 looks pretty serious.  Anyone seeing any activity to exploit this yet?

" Patch or be owned!"  --- confucioustech, year: unknown

 Exibar

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] AOL IM Worm

2004-02-11 Thread Exibar
I would say it's more of a trojan than anything else.  If it was a worm, it
would self-propagate; if a virus, it would infect other files.  This darned
thing poses as a game, and does "naughty things" in the background that
you're not aware of, or that's hidden in a EULA that no-one ever reads but
us security types :-)

  Exibar

- Original Message - 
From: "Mary Landesman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "Full Disclosure List"
<[EMAIL PROTECTED]>
Sent: Wednesday, February 11, 2004 3:19 PM
Subject: Re: [Full-Disclosure] AOL IM Worm


> It's not a worm - it's viral people. :-)
>
> There's something called BuddyLinks that allows really stupid people to
> install it to their instant-messaging application. It then spams out
> whatever news, games, etc., that it sees fit to all the people on that
> person's buddylist.
>
> In essence, it's as if your 'friends' handed over their entire buddylist
to
> a spammer and said, "Gee, not only can you spam my friends, but you can do
> it with my permission and from my machine!"
>
> The Osama Capture is a prologue to a game from WGUTV that BuddyLinks is
> currently advertising. The page tries to load a viewer for running the
> prologue. My guess is that 'viewer' is loaded with spyware, but as far as
I
> can tell, it's not a worm.
>
> -- Mary
>
> - Original Message - 
> From: "Justin Baldini" <[EMAIL PROTECTED]>
> To: "Full Disclosure List" <[EMAIL PROTECTED]>
> Sent: Wednesday, February 11, 2004 1:40 PM
> Subject: [Full-Disclosure] AOL IM Worm
>
>
> There appears to be an AOL IM worm going around.
>
> It's coming in as a link to here...
>
> http://www.wgutv.com/osama_capXXXture.php?nLRj
> (Without the XXX)
>
> When run, it appears to load up some fake game, installs a bunch of shit,
> and then sends itself to everyone on your IM list.
>
> Channelup.exe and blengine.exe appear to be the task list entries.
>
> Thats about all the info I have.
>
>
> ++
> Justin Baldini
> Network Admin
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Microsoft source code "leak"

2004-02-15 Thread Exibar

Anyone ever think that perhaps Microsoft "leaked" this section of code on
purpose?  Right now there are 1,000's of hacker types and curious types
poring over that code looking for flaws.  Sounds like there was already a
flaw found using a signed integer as an offset, I've also heard that there
is an exploited version of Notepad floating around now too...

  Microsoft can't pay to have this kind of QA done in house (who could?), so
why not release a piece of source and let everyone do it for them?

  Could be that it's a clever way to distract from the ASN.1 flaw that was
found too... release a bit of code that is meaningless and the exploit
writers will be too busy looking through that code to write a huge exploit
for ASN.1?

  Ok, sounds like a conspiracy theory, doesn't it?  And it probably isn't
true, but stranger things have happened :-)

 Exibar

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] InfoSec sleuths beware ...

2004-02-19 Thread Exibar
What did I do 'this' time?  :-)

  ahhh, must be my conspiracy theory on the source code leak   The idea
that Microsoft will be going after anyone who discovers a security flaw in
any piece of that source code is another great conspiracy theory actually.

  Seriously though, the leak was a "boo-boo" by one of Microsoft's partners,
I'm sure.  I'm sure that someone got their hand slapped pretty hard for this
blunder and I'm also sure that Microsoft will see that it won't happen again
and I seriously doubt that the source leak will cause any sleepless
nights.  People make mistakes, they deal with it, and move on with
life

  although, it really could be a conspiracy against, let's just say,
Linux.  ;-)

  Exibar


- Original Message - 
From: "madsaxon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 19, 2004 5:33 AM
Subject: Re: [Full-Disclosure] InfoSec sleuths beware ...


> At 11:10 PM 2/18/2004 -0500, Byron Copeland wrote:
>
> >Mad,
> >
> >OK, you have a good point there, but its only a fraction of the code
> >anyway.
>
> 'Twas not I.
>
>  > From: Exibar  [EMAIL PROTECTED]
>  ^^
> > > Sun, 15 Feb 2004 12:39:25 -0500
> > > Subject: Microsoft source code "leak"
>
> m5x
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] InfoSec sleuths beware ...

2004-02-19 Thread Exibar
I would have to venture a guess that Microsoft would only distribute the
source code on protected and controlled CDs.  Possibly burned in house
for the few authorized 3rd parties that are allowed to have the source.  I
remember reading that the whole of the source comes to 45 - 50 Gig in
size... that's a whole lot of CDs.

   I would think that a more controllable environment would be a laptop that
must phone home every 5 minutes of activity or gets securely wiped.  Better
yet, an encrypted laptop where access to the sourcecode is limited to 5
minutes and then you must FOB authenticate back into it.  After 30 minutes
of activity and no FOB re-entry you must call back to Microsoft for a new
software FOB.  After one hour of activity and no FOB authentication the
whole laptop becomes irreversibly encrypted and must be sent back to
Microsoft to be re-built.

   Ok maybe that's TOO secure :-)

  Exibar

- Original Message - 
From: "Dave Horsfall" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 19, 2004 12:14 PM
Subject: Re: [Full-Disclosure] InfoSec sleuths beware ...


> On Thu, 19 Feb 2004, Exibar wrote:
>
> >   Seriously though, the leak was a "boo-boo" by one of Microsoft's
> > partners, I'm sure.  I'm sure that someone got their hand slapped pretty
> > hard for this blunder and I'm also sure that Microsoft will see that it
> > won't happen again and I seriously doubt that the source leak will cause
> > any sleepless nights.  People make mistakes, they deal with it, and
> > move on with life
>
> Am I the only one to have noticed that the unzipped contents neatly fit on
> a CD?  Not arguing one way or the other, but it does suggest a possible
> vector.  Accidental?  I doubt it.
>
> -- Dave
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] tool to reverse engineer patches???

2004-02-26 Thread Exibar
What tool are they talking about in this article?  anyone know?

http://infoworld.com/article/04/02/24/HNunderattack_1.html



However, vendors and users' headaches are being worsened by new tools
created by sophisticated hackers and made available on the Internet.
One such tool available now automatically reverse-engineers patches, creates
an exploit and launches attacks, he said, allowing any non-tech savvy user
to become a potential cyber criminal.
"These tools are so good I'm afraid we'll see more zero-day attacks,"
Aucsmith said.



___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Counter-Attacking hackers? Is this really a good idea?

2004-03-08 Thread Exibar
I don't think they mean "counter-attack" when they say "counter-measures".
Counter-measures could be automatically adjusting a firewall rule or a
router ACL to adjust to the type of attack it discovers.

  But, they do mention "fighting fire with fire", so that makes me
question exactly what it is they're doing.

  Exibar


- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, March 07, 2004 10:22 PM
Subject: [Full-Disclosure] Counter-Attacking hackers? Is this really a good
idea?


> This company...
>
> http://www.symbiot.com/
>
> Is claiming to have the "first IT security solution that can both repel
> hostile attacks on enterprise networks and accurately identify the malicious
> attackers in order to plan and execute appropriate countermeasures -
> effectively fighting fire with fire."
>
> Are these guys nuts? I'm not sure if this is a good idea or not. I don't
> want to promote them, but on the other hand this seems to be a topic
> that should be discussed by information security professionals. If the
> community as a whole thinks this is a good idea, then there should be
> some type of standard agreed to by the masses of administrators that
> will have to put up with the results of such a system.
>
> Again, just thought this should be openly discussed and that we should
> all be aware of it.
>
> I even thought about posting their white papers to my personal site in
> an effort to stick to the 'discussion not promotion' agenda I have, but
> then I don't want to get 'Counter-Attacked' now do I ;)
>
> -Technocrat
>
>
>
> Concerned about your privacy? Follow this link to get
> FREE encrypted email: https://www.hushmail.com/?l=2
>
> Free, ultra-private instant messaging with Hush Messenger
> https://www.hushmail.com/services.php?subloc=messenger&l=434
>
> Promote security and make money with the Hushmail Affiliate Program:
> https://www.hushmail.com/about.php?subloc=affiliate&l=427
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
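The benign reading of "countermeasure" above, a firewall rule or ACL adjusted automatically in response to an observed attack, as an added example that is not from the thread or from Symbiot. It parses constructed log lines, finds sources that exceed a rate threshold inside a sliding window, and emits iptables DROP rules for them. The allowlist is the part a practitioner should not omit: any automatic blocker can be turned into a self-inflicted denial of service by an attacker who spoofs the source addresses of hosts you depend on, which is also the strongest argument against the counter-attack reading.

```python
# Added example, not code from the thread or from Symbiot: the defensive
# reading of "countermeasure". Watch a log for a source that keeps hammering
# the host and emit a firewall rule that drops it, rather than attacking back.
# The log format, thresholds and addresses are constructed for the example.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> <event> from <source ip>".
LOG_RE = re.compile(r"^(\S+) (failed_login|portscan) from (\S+)$")

# Sources that must never be blocked automatically, however noisy: if the
# attacker can spoof or relay through these, auto-blocking them is a self-DoS.
NEVER_BLOCK = [
    ipaddress.ip_network("10.0.0.0/8"),     # internal management and monitoring
    ipaddress.ip_network("127.0.0.0/8"),
]


def parse(lines):
    """(timestamp, event, source) tuples; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        stamp, event, source = match.groups()
        try:
            events.append((datetime.fromisoformat(stamp), event, ipaddress.ip_address(source)))
        except ValueError:
            continue  # bad timestamp or address: log noise, not an event
    return events


def offenders(events, threshold=5, window=timedelta(minutes=1)):
    """Sources with at least `threshold` events inside any `window`; sorted (ip, peak_count)."""
    times_by_source = defaultdict(list)
    for stamp, _event, source in events:
        times_by_source[source].append(stamp)
    result = []
    for source, times in times_by_source.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            result.append((str(source), peak))
    return sorted(result)


def block_rules(offender_list, ttl_minutes=30):
    """iptables commands that DROP each offender; allowlisted sources yield no rule."""
    rules = []
    for source, _count in offender_list:
        address = ipaddress.ip_address(source)
        if any(address in net for net in NEVER_BLOCK):
            continue
        # -I puts the rule ahead of any ACCEPT; the comment carries an expiry so a
        # periodic job can remove stale blocks instead of letting them pile up.
        rules.append(
            f'iptables -I INPUT -s {source} -m comment --comment "auto-block ttl={ttl_minutes}m" -j DROP'
        )
    return rules


# Constructed sample: one brute-forcer, one source below threshold, one noisy
# internal host, one line that does not parse.
SAMPLE_LOG = [
    "2004-03-08T10:00:01 failed_login from 203.0.113.7",
    "2004-03-08T10:00:05 failed_login from 203.0.113.7",
    "2004-03-08T10:00:09 failed_login from 203.0.113.7",
    "2004-03-08T10:00:13 failed_login from 203.0.113.7",
    "2004-03-08T10:00:17 failed_login from 203.0.113.7",
    "2004-03-08T10:00:21 failed_login from 203.0.113.7",
    "2004-03-08T10:00:20 failed_login from 198.51.100.9",
    "2004-03-08T10:05:00 failed_login from 198.51.100.9",
    "2004-03-08T10:00:30 portscan from 10.1.2.3",
    "2004-03-08T10:00:31 portscan from 10.1.2.3",
    "2004-03-08T10:00:32 portscan from 10.1.2.3",
    "2004-03-08T10:00:33 portscan from 10.1.2.3",
    "2004-03-08T10:00:34 portscan from 10.1.2.3",
    "this line is not an event",
]


def demo():
    """Rules the constructed log would produce: one DROP for the brute-forcer, none for the internal host."""
    return block_rules(offenders(parse(SAMPLE_LOG)))


if __name__ == "__main__":
    for rule in demo():
        print(rule)
```

The rules carry a TTL in the comment so a periodic job can expire them; permanent automatic blocks accumulate into an unreviewable ruleset, and a spoofed burst from a partner's address would otherwise stay blocked until someone notices.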


[Full-Disclosure] 3 new microsoft security bulletins are posted today... none rated critical

2004-03-09 Thread Exibar
http://www.microsoft.com/technet/security/bulletin/ms04-008.mspx

http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx

http://www.microsoft.com/technet/security/bulletin/ms04-010.mspx

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Comcast using IPS to protect the Internet from their home user clients?

2004-03-10 Thread Exibar
I know the "feeling" behind what you typed, but you really don't mean what
you typed.  Filtering should not be done by the ISPs, they should provide a
pipe, and that's it.  Ok, there are some circumstances, like a DoS against
your equipment, where the ISP is the only means of blocking the traffic,
that's a different story.
   If the ISPs start filtering traffic, scanning e-mail for viruses, etc,
they are getting close to censorship in my eyes.  They're also removing
themselves from "common carrier" status in the eyes of the law too I would
think.  Make those services OPTIONAL for those that want it, great, I'm all
for it.  But if I want a link out to the internet that isn't filtered or
anything, I should be able to get it.

Ex

- Original Message - 
From: "Frank Knobbe" <[EMAIL PROTECTED]>
To: "Chmielarski TOM-ATC090" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, March 10, 2004 1:52 PM
Subject: RE: [Full-Disclosure] Comcast using IPS to protect the Internet
from their home user clients?

PS: I'm completely okay with them filtering as long as they allow me to
tunnel my traffic to corporate servers. Whatever it takes to get rid of
spam is fine with me...



Re: [Full-Disclosure] Comcast using IPS to protect the Internet from their home user clients?

2004-03-10 Thread Exibar
As long as ComCast specifically states what they are filtering beforehand,
when and why they cut the user off after the fact, then I wouldn't have a
problem, that way the user could make an informed judgment call as to
whether or not to keep them as a provider.

   ComCast isn't known to communicate very well.  I've heard of cases where
they cut people off for downloading too much, without telling them how much
is too much, etc etc.

  Perhaps censorship was too strong of a word.  If they advertise "unlimited
internet access for $49.95" then they better damn well provide "unlimited
internet access", with any restrictions plainly and distinctly posted so the
consumer can make an educated choice.

  Ex

- Original Message - 
From: "Randal L. Schwartz" <[EMAIL PROTECTED]>
To: "Exibar" <[EMAIL PROTECTED]>
Cc: "Frank Knobbe" <[EMAIL PROTECTED]>; "Chmielarski TOM-ATC090"
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, March 10, 2004 4:58 PM
Subject: Re: [Full-Disclosure] Comcast using IPS to protect the Internet
from their home user clients?


> >>>>> "Exibar" == Exibar  <[EMAIL PROTECTED]> writes:
>
> Exibar> I know the "feeling" behind what you typed, but you really
> Exibar> don't mean what you typed.  Filtering should not be done by
> Exibar> the ISPs, they should provide a pipe, and that's it.
>
> But they also have the right/responsibility to enforce an AUP, and to
> play "good net neighbor".
>
> In this case, they are disconnecting users who are violating AUPs
> or causing them to collectively no longer play "good net neighbor".
>
> It's not censorship.  It's especially not "censorship" when it's a
> private company (you can always take your business elsewhere).
>
> "Freedom of the press" doesn't mean you get to use everyone's press
> for free, or that everyone gets a free press.  Comcast is entirely
> within their right to cut people off as clients or from the net or
> both.  It's their wires.
>
> -- 
> Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
> <[EMAIL PROTECTED]> <http://www.stonehenge.com/merlyn/>
> Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
> See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
>
>



Re: [Full-Disclosure] Comcast using IPS to protect the Internetfrom their home user clients?

2004-03-11 Thread Exibar
BINGO!  You've hit the ISP's nail right on the head.

- Original Message - 
From: "Matthew C. Beckman" <[EMAIL PROTECTED]>
To: "Luke Scharf" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, March 10, 2004 6:56 PM
Subject: RE: [Full-Disclosure] Comcast using IPS to protect the Internetfrom
their home user clients?


> > But, if those terms aren't acceptable, then why sign up for the
> > service in the first place?
>
> I think the objection is simply that Comcast won't define the terms.
> As someone else mentioned, there are a lot of reports of Comcast
> cutting off service to someone with the reason being, that they
> over-used the service.  If they are advertising unlimited internet
> service first off, and then won't define what 'too much' bandwidth
> usage is, that is where the problem comes in.  Even those people that
> have been cut off have been unable to find out where that line is
> drawn.
>
> If they would be more clear in their policies, I don't think anyone
> would have room to complain.
>
> - Matthew C. Beckman
>


Re: [Full-Disclosure] Emailing SSN info

2004-03-18 Thread Exibar
Not knowing what vendor they want to ship these SSNs off to makes it hard
to answer, but although I am NOT an attorney, I believe they are opening
themselves up for trouble by giving ANY third party the SSNs of their
employees.  Unless it's a gov agency that is requesting this info, or a
payroll company that is printing payroll checks (like ADP), they should not
even entertain the thought of giving SSNs out.

  If it is an "authorized" agency, I would send the info on CD-ROM,
certified mail.  The CD-ROM would be encrypted, and the encryption key would
be sent under separate cover, also certified mail.

  Ex


- Original Message - 
From: "Tony Gettig" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 18, 2004 3:44 PM
Subject: [Full-Disclosure] Emailing SSN info


> Hi all,
>
> I work for a school district in the USA. Higher management wants to
> email a zipped data export (presumably password protected) to a vendor
> that includes the Social Security Number for employees. I have advised
> them against this. Shipping a CDROM overnight would be more secure, IMO.
>
> Now they want to know if there are any laws pertaining to the emailing
> of SSN info. (Why they are asking me and not an attorney, I am not
> sure...though I AM going to tell them to speak to an attorney too.)
>
> Can any one point me to a website or cite specific US (or even state)
> laws regarding this? Even a reply telling me why this is a bad idea
> would be great. If I am wrong, I am glad to hear that too. Thanks in
> advance!
>


Re: [Full-Disclosure] Re: Addressing Cisco Security Issues

2004-03-29 Thread Exibar
That is always a great thing to do.  If one company says it's another's
fault, you kindly ask them to hold on a second, get the other company on the
line and let them hash it out.

   I can say that it works every time :-)

  ex


- Original Message - 
From: "Jason Dodson" <[EMAIL PROTECTED]>
To: "Geo." <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Monday, March 29, 2004 2:35 PM
Subject: [Full-Disclosure] Re: Addressing Cisco Security Issues


> I have had a similar run-around with AT&T Broadband and Sprint a while
> back, pertaining to a DoS attack my organization was experiencing. Not to
> dive into details, to resolve the issue, I got them both on the line in a
> 3-way conversation, and it was taken care of in less than 5 minutes.
> They didn't seem too eager to shrug off the responsibility to someone else,
> when that someone else was right there on the phone.
>
> Jason Dodson
>
> --- "Geo." <[EMAIL PROTECTED]> wrote:
> > I have to post this because I consider this to be a security issue in its
> > own right.
> >
> > Recently there were a number of exploits released for cisco equipment,
> > among the affected equipment were the 677 and 678 consumer DSL routers of
> > which there are millions in use.
> >
> > I have one such router, the DSL circuit is provided by Alltel and I work
> > for the ISP who provides the actual internet access.
> >
> > So upon reading the recent warning notice sent to the security email
> > lists about the exploits being publicly available I went and read
> > http://www.cisco.com/warp/public/707/CBOS-DoS.shtml which pretty much
> > says any router running a version of CBOS prior to 2.4.5 (actually you
> > need 2.4.6 because of later exploits) is vulnerable.
> >
> > So like a good netizen I contacted cisco TAC via telephone, gave them my
> > 678 serial number and they informed me that they could not provide the
> > security update because my router is registered to alltel (alltel did
> > provide the router when I ordered the DSL circuit), please call Alltel to
> > get it. Ok so then I called Alltel, who told me no problem we can email
> > you the update and asked for my email address. Except since Alltel is not
> > the ISP I don't have an alltel email address so then they won't email it
> > to me, please contact your ISP. I then informed Alltel that I AM MY ISP,
> > to which they replied they still could not provide the patch and that I
> > would have to get it from Cisco.
> >
> > So then I call Cisco TAC again, this time I explain the full details of
> > all I've just been thru and the tech decides to ask someone. Comes back
> > and says if I register on the cisco website that he can open a ticket and
> > get someone to call me back on it. (I'm presently waiting for that call)
> >
> > In the meantime I decided to google for it and lo and behold I found
> > 2.4.6 on a website (url not posted to protect the life saving individuals
> > who put it on the web). Now of course I've no way to know if this version
> > I just found is safe or not but HELLO CISCO???
> >
> > If you are going to issue security alerts that require ISPs and
> > consumers to patch their hardware devices then you had better damn well
> > make sure that folks can actually GET THE PATCHES. It would require no
> > effort at all to post a bogus version full of back doors and whatnot on
> > the web, and after seeing the nightmare it is to obtain the patch thru
> > official channels it's clear to me that this would be a very popular
> > download.
> >
> > Geo.
> >
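Geo's "no way to know if this version I just found is safe" is the practical problem with any firmware image obtained outside the vendor's channel. The check a practitioner wants is an integrity comparison against a digest the vendor published through an authenticated path (an advisory, a support portal), never a digest hosted next to the download. The following is an added example, not code from the list thread or from Cisco; it assumes the vendor publishes a sha256sum-style list ("<hex digest>  <filename>" per line), and the image bytes and digest list below are constructed for the demo.

```python
"""Verify a downloaded firmware image against a vendor-published digest list.

Added example; not code from the list post or from Cisco. Assumes the vendor
publishes a sha256sum-style text file. SAMPLE_IMAGE and SAMPLE_DIGEST_LIST
are constructed stand-ins, not real CBOS data.
"""
import hashlib
import hmac

# Constructed sample image: stand-in for a downloaded CBOS binary.
SAMPLE_IMAGE = b"CBOS 2.4.6 demo image bytes " * 64

# Constructed digest list in sha256sum format, as a vendor might publish it.
# The first entry is an unrelated file; the second matches SAMPLE_IMAGE.
SAMPLE_DIGEST_LIST = (
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  other.bin\n"
    "# comment lines and blank lines are tolerated\n"
    "\n"
    + hashlib.sha256(SAMPLE_IMAGE).hexdigest() + "  cbos-2.4.6.bin\n"
)

HEX_DIGITS = set("0123456789abcdef")


def parse_digest_list(text: str) -> dict:
    """Parse sha256sum-style lines into {filename: hex digest}.

    Skips blank lines and '#' comments, but rejects malformed entries with
    ValueError rather than silently dropping them, so a corrupted or
    tampered list fails loudly instead of quietly losing an entry.
    """
    digests = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest>  <filename>'")
        digest = parts[0].lower()
        # sha256sum marks binary-mode entries with a leading '*' on the name.
        name = parts[1].strip().lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"line {lineno}: not a SHA-256 hex digest")
        digests[name] = digest
    return digests


def verify_image(image: bytes, filename: str, digest_list: str) -> bool:
    """Return True only if the image's SHA-256 matches the published entry.

    A missing entry is a failure, not a pass: an image the vendor never
    listed is exactly the "found it on some website" case.
    """
    expected = parse_digest_list(digest_list).get(filename)
    if expected is None:
        return False
    actual = hashlib.sha256(image).hexdigest()
    # Constant-time comparison; cheap habit even where timing is not the risk.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print("listed, intact  :", verify_image(SAMPLE_IMAGE, "cbos-2.4.6.bin", SAMPLE_DIGEST_LIST))
    print("not listed      :", verify_image(SAMPLE_IMAGE, "cbos-2.4.5.bin", SAMPLE_DIGEST_LIST))
    print("listed, modified:", verify_image(SAMPLE_IMAGE + b"\x00", "cbos-2.4.6.bin", SAMPLE_DIGEST_LIST))
```

The digest list must come from a channel you trust independently of the download site; a hash file sitting beside a mirrored image only proves the mirror is self-consistent. Where the vendor signs images or digest lists, verify the signature first and feed only a signature-checked list to this routine.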

