RE: [Full-Disclosure] Scandal: IT Security firm hires the author of Sasser worm

2004-09-20 Thread Nick Jacobsen
Does it not strike anyone that there is a disturbing trend in malicious hackers (yes, 
yes, I know, they are not hackers if they are malicious, so call em whatever you want) 
getting hired to security firms, mainly because the "hacker" gets media attention?  It 
is honestly like we are declaring to the world that the best way to get a good paying 
job in the computer security field is to perform some major attack - and get caught 
for it - and then after serving a short sentence, start applying for jobs.  I know lots 
of young people, myself included, that could make headlines by performing some act or 
another of a sensational nature, and all that stops us is our own sense of ethics - 
but those ethics get harder and harder to hold as we earn a pittance doing your 
standard boring days work, while some other guy is out there essentially (in my mind) 
having fun doing something detrimental to society, and then getting hired at a substantial 
salary, as a reward.
This may sound like a rant, and it probably is, but that makes my point no less 
accurate.
Responses anyone?
 
Nick Jacobsen
[EMAIL PROTECTED]
 

-Original Message- 
From: [EMAIL PROTECTED] on behalf of bb 
Sent: Mon 9/20/2004 3:32 AM 
To: Feher Tamas; [EMAIL PROTECTED] 
Cc: 
Subject: Re: [Full-Disclosure] Scandal: IT Security firm hires the author of 
Sasser worm



If he has fulfilled all the obligations of his sentence, what's wrong with him
being allowed to seek gainful employment that plays to his skills?

Second chance anyone? Being allowed to learn from his mistakes?


- Original Message -
From: "Feher Tamas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 20, 2004 10:21 AM
Subject: [Full-Disclosure] Scandal: IT Security firm hires the author of
Sasser worm


> Hello,
>
> The German IT security company "Securepoint" has hired Sven
> Jaschan, who wrote and spread the Sasser Internet worm,
> which caused widespread and costly damages to legions of
> Windows computers.
>
> He will work as a developer for security software such as
> firewalls.
>
> This is a scandal! Whether or not you like the 250k USD
> head-hunting bounty which Microsoft Corp. paid to have Mr.
> Jaschan nailed, he is still a criminal.  Hiring him is a
> taboo. It is totally unacceptable to picture him as a modern
> age Robin Hood or freedom fighter. He is a criminal, similar
> to an arsonist, who sets a house alight and the fire spreads
> to an entire city.
>
> I urge all to boycott the Securepoint and I urge those who
> suffered losses due to the Sasser worm to sue Securepoint
> and seek damages. VXing must end and we must send a strong
> message to teenagers that cracking is not hacking and will
> not be tolerated.
>
> Securepoint website:
> http://www.securepoint.cc/
>
> Info about Sven Jaschan's hiring:
> http://www.f-secure.com/weblog#0296
>
> Sincerely: Tamas Feher from Hungary.
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html





RE: [Full-Disclosure] Scandal: IT Security firm hires the author of Sasser worm

2004-09-20 Thread Nick Jacobsen
I am not disagreeing with that at all - I wholeheartedly agree in fact.  The point of 
my little rant was that we are being told that the easiest way to make the big bucks 
is to attack a high profile target, which is a dangerous path to take - for both the 
IT industry and the individual.

-Original Message- 
From: Todd Towles [mailto:[EMAIL PROTECTED] 
Sent: Mon 9/20/2004 8:08 AM 
To: Nick Jacobsen 
Cc: 
Subject: RE: [Full-Disclosure] Scandal: IT Security firm hires the author of 
Sasser worm



I agree it is a bad trend, but security is a double edged sword.

Security people are rare in this world, some are good at protection,
some are good at breaking. But the line between is grey.
Sometime it is good to have a little of both on your team from a
security standpoint but project a bad social image.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick
Jacobsen
Sent: Monday, September 20, 2004 9:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Scandal: IT Security firm hires the
author of Sasser worm


RE: [Full-Disclosure] BAD NEWS: Microsoft Security Bulletin MS03-032

2003-09-07 Thread Nick Jacobsen
Nice find, very nice...  wonder how many more times Microsoft will mess
up?
Though, I do sort of wonder exactly what they thought they were
patching, since this still works.

-Original Message- 
From: [EMAIL PROTECTED] 
Sent: Sun 9/7/2003 6:17 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [Full-Disclosure] BAD NEWS: Microsoft Security Bulletin
MS03-032





Since the cat somehow got out of the bag, and more importantly,
this
is so blatantly obvious, herewith is the "Bad News":

The patch for Drew's object data=funky.hta doesn't work:

http://www.malware.com/badnews.html


  var oPopup = window.createPopup();

  function showPopup() {
oPopup.document.body.innerHTML = "";
oPopup.show(0,0,1,1,document.body);
  }
 
  showPopup()


Notes:

1. Disable Active Scripting
2. In case that does not work, uninstall Internet Explorer
3. http://www.eeye.com/html/Research/Advisories/AD20030820.html
4. This was sent to the manufacturer quite some time prior to
this
   going out. Surprisingly no immediate acknowledgement
5. This is so blatantly obvious, in particular because it is
   the coupling of two known issues[one current + one from
2002]:

   http://www.securityfocus.com/bid/3867/

It is beyond comprehension why this was not checked from the
outset as it is a known issue plus file://::{CLSID} in the control
panel in the object tag still functions to date.
6. At this stage one must really question the competency of
this particular operation. This is a pathetic oversight.

--
http://www.malware.com











RE: [Full-Disclosure] Backdoor.Sdbot.N Question

Sounds like you probably got hit with a custom packed/encrypted version
of sdbot.  Most likely vector of attack was the newish IE  tag
exploit.
 
Nick J.

-Original Message- 
From: James Patterson Wicks 
Sent: Mon 9/8/2003 1:18 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [Full-Disclosure] Backdoor.Sdbot.N Question



Anyone know how Backdoor.Sdbot.N spreads?  This morning we had
several users pop up with this trojan (or a new variant).  These users
generated a ton of traffic until their machines were unplugged from the
network.  Their systems have all the markers for the Backdoor.Sdbot.N
trojan (registry entries, etc), but it was not picked up by the Norton
virus scan.  In fact, even if you perform a manual scan after the trojan
was discovered, it is still not detected in the scan.

I would also like to know if this is also an indicator of not
having the patch for the Blaster worm.






Re: [Full-Disclosure] SunnComm to sue 'Shift key' student for $10m

It seems to me the perfect chance for a countersuit...  cause at least
as far as I know, most states' definition of computer crime would
include installing software on a machine without the owner's permission
or knowledge..  and since that is what SunnComm's protection is doing...
 
Nick Jacobsen
(Ethics)
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> 
 



RE: [Full-Disclosure] [Full-Disclosure]: Attempt to steal paypal password

I see this crap posted to the list all the time, and I have to ask,
what does this have to do with computer security?  If someone falls for
one of these scams, it is pure user error.  There are a few exceptions
to this rule, such as if the email uses an exploit of some sort to
change your hosts file, but this is very much not in that category.
These are so common that I am surprised you even noticed getting the damn
thing.
 
Nick Jacobsen
Ethics Design
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> 
 

-Original Message- 
From: Michael Linke 
Sent: Tue 11/11/2003 1:04 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [Full-Disclosure] [Full-Disclosure]: Attempt to steal
paypal password



There seems to be a new faked email on the way since this
morning, with the
subject "PayPal User Agreement 9".
The email is in HTML form and contains a hyperlink named

https://www.paypal.com/cgi-bin/webscr?cmd=login-run
But under this hyperlink is not paypal, it is:

http://[EMAIL PROTECTED]/.


So someone is going to collect PayPal passwords. Using this
password an
attacker can send money from there. The whole action seems to be
a spamming
attempt sent to random email addresses, because the receiver
email address
[EMAIL PROTECTED] is not registered at PayPal.


According to ARIN Whois, the IP 64.191.16.16 belongs to:


OrgName:Network Operations Center Inc.
OrgID:  NOC
Address:PO Box 591
City:   Scranton
StateProv:  PA
PostalCode: 18501-0591
Country:US

The Email comes from 68.77.201.24.
(X-RBL-Warning: (dialup.bl.kundenserver.de) this mail has been
received from
a dialup host.)


Email Header below. The Email Msg is attached to this email.

-
Return-path: <[EMAIL PROTECTED]>
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Tue, 11 Nov 2003 02:46:25 +0100
Received: from [68.77.201.24]
(helo=adsl-68-77-201-24.dsl.milwwi.ameritech.net)
by mxng14.kundenserver.de with smtp (Exim 3.35 #1)
id 1AJNbg-0005Xc-00
for [EMAIL PROTECTED]; Tue, 11 Nov 2003 02:46:17
+0100
Received: from paypal.com (smtp2.sc5.paypal.com [64.4.244.75])
by adsl-68-77-201-24.dsl.milwwi.ameritech.net (Postfix)
with ESMTP
id D7A073BEBC
for <[EMAIL PROTECTED]>; Mon, 10 Nov 2003 19:46:12
-0600
From: Support <[EMAIL PROTECTED]>
To: Michael <[EMAIL PROTECTED]>
Subject: PayPal User Agreement 9
Date: Mon, 10 Nov 2003 19:46:12 -0600
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-Priority: 1 (Highest)
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook, Build 10.0.2616
Importance: High
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-RBL-Warning: (dialup.bl.kundenserver.de) This mail has been
received from
a dialup host.
---
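A defender-side check for the link trick described in the mail above (visible link text showing a paypal.com URL while the href uses the "user@host" form so the browser goes elsewhere), added here as an example and not part of the original post. The sample HTML is constructed, and a reserved example.net name stands in for the phishing host that the post redacts.

```python
"""Flag deceptive links of the kind in the "PayPal User Agreement 9" mail.

Added example, not from the original post. The sample HTML below is
constructed: the real phishing host is redacted in the post, so a
reserved example.net name stands in for it.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the link text shows a paypal.com URL, but the href
# uses the "user@host" form, so the host actually contacted is the one
# after the '@'.
SAMPLE_HTML = (
    '<p>Please confirm your account: '
    '<a href="http://www.paypal.com@phish.example.net/">'
    'https://www.paypal.com/cgi-bin/webscr?cmd=login-run</a></p>'
    '<p><a href="https://www.paypal.com/help">Help</a></p>'
)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def effective_host(url):
    """Host a browser actually connects to: the authority after any userinfo."""
    return (urlsplit(url).hostname or "").lower()


def has_userinfo(url):
    """True if the authority carries 'user[:pass]@', the trick used in the mail."""
    return urlsplit(url).username is not None


def looks_like_url(text):
    return text.startswith(("http://", "https://"))


def analyse_link(text, href):
    """Return the reasons a link is deceptive; an empty list means it looks fine."""
    reasons = []
    if has_userinfo(href):
        reasons.append("userinfo before host: real host is %s" % effective_host(href))
    if looks_like_url(text):
        shown, real = effective_host(text), effective_host(href)
        if shown and real and shown != real:
            reasons.append("link text shows %s but href goes to %s" % (shown, real))
        if text.startswith("https://") and href.startswith("http://"):
            reasons.append("text claims https but href is plain http")
    return reasons


def deceptive_links(html):
    """All links in html that trip at least one check, as (href, reasons)."""
    flagged = []
    for text, href in extract_links(html):
        reasons = analyse_link(text, href)
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in deceptive_links(SAMPLE_HTML):
        print(href)
        for reason in reasons:
            print("  -", reason)
```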



RE: [Full-Disclosure] POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0

it is harmless - it tells you what it does, and how to fix it, and does
nothing overtly malicious.

-Original Message- 
From: Feher Tamas 
Sent: Tue 11/11/2003 2:05 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [Full-Disclosure] POS#1 Self-Executing HTML: Internet
Explorer 5.5 and 6.0



Hello,

>Fully self-contained harmless *.exe:
>CAUTION: back up notepad.exe before opening
> http://www.malware.com/self-exec.zip

Kaspersky Antivirus says:
TrojanDropper.VBS.Inor.i

I wouldn't call this malware harmless. Please remove it!

Regards, Tamas Feher, 2F 2000.





RE: [Full-Disclosure] Frontpage Extensions Remote Command Execution

Has anyone even had any luck reproducing this?  I can't for the life of
me get a crash...

-Original Message- 
From: Geo. 
Sent: Wed 11/12/2003 11:41 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [Full-Disclosure] Frontpage Extensions Remote
Command Execution



>>
Well, for one, it's not root level.  It allows ANONYMOUS (Guest)
access
<<

No it's not. IWAM is the Web Applications MANAGER account; you were
thinking of
IUSR perhaps? This is not guest. This account can change
websites, so in a
multi-host environment this level of access will allow a
compromise of every
website on the server.

Geo. (I'd call that root)




[Full-Disclosure] Yahoo Geocities allowing scam sites?

Not exactly on topic, but WTF is up with www.e-qo1d.com?  It is an e-gold
scam site, and it is hosted on yahoo geocities servers, using a premium
hosting package.  I (and at least 2 others) have sent emails to yahoo about
it when it first came to our attention (Jan 22nd), but nothing has been done
about it, and it is still up, and still on yahoo servers.  Does yahoo just
not care anymore, or what?
 
On a side note, it is f-ing impossible to find a contact point for yahoo
geocities' abuse department - the email is listed nowhere in their
help...  I finally found it at abuse.net, but I would think an abuse
contact point would be something pretty damn basic...



RE: [Full-Disclosure] Re: DoomJuice.A, Mydoom.A source code

Now Nick, don't take this wrong...  but this seems to me to be a case of
closing the barn door after the f***ing horses already got away.  The
source code is now freely available from many sites, so why not share
with someone who at least seems a bit professional?
 
As for the source code, Riad...  check the following link:
http://www.astalavista.com/index.php?section=dir&id=84
 
 
Now, I don't generally recommend that site, but hey...  if they got it,
use it...

-Original Message- 
From: Riad S. Wahby 
Sent: Mon 2/9/2004 8:29 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [Full-Disclosure] Re: DoomJuice.A, Mydoom.A source code



Mr. FitzGerald,

Nick FitzGerald <[EMAIL PROTECTED]> wrote:
> I can see how it could be used as an invaluable _publicity_
aid for
> attracting folk to the class.  However, as a teaching aid, it
is highly
> unlikely to be of much more or less value than the source of
any of
> dozens upon dozens of other malwares, and and that value would
be very
> low...

People won't be attracted to the class based on the source code
I'm
presenting, as they won't know about it beforehand.  To be sure,
the
source to any old virus would in fact work, and I will certainly
consider many others as well in deciding the specifics of the
curriculum.  My intent is to emphasize material taken from
issues that
attendees can relate to directly; undergrads are extremely
unlikely to
have much personal experience at all with Robert Morris's 1988
worm.

> Unless you are planning on teaching malware _writing_?

Of course not.  The seminar deals with the mechanisms, targets,
and
psychology of a malware pandemic.

> For folk interested in work in the antivirus and related
security
> fields, source code is all but worthless.  We rarely have the
source
> code of the malware we have to analyse -- at least, we rarely
have it
> in advance of, or concurrent with, having do such analyses.
Reverse
> engineering is the name of this game and source code is then
useless
> -- if you have source you need not reverse and if you must
reverse you
> would not have the source...

The class in question is not about reverse engineering.  It
discusses
not the response and interdiction from AV companies et cetera,
but the
underlying social and technical infrastructure upon which
viruses and
their authors rely.

> Also, from a purely pedagogical perspective (I majored in
Psychology
> and Education), I find your claim that having the source of
this
> malware "could be an invaluable teaching aid" deeply
suspicious. 
> Teaching from the specific is generally superficial, less
long-lasting
> and generalizes much less well than providing a good
theoretical
> grounding in the subject matter.  Could you expound the
theoretical
> applications that presenting this specific malware's source
code to
> your class would illustrate especially well?

Clearly one must also recognize the importance of providing
particulars in which to couch the theoretical.  Of course, I'm
not
going to hand out pages of source and say "this is it kids,
study up."
Instead, general claims will be augmented with carefully chosen,
specific examples.

> Finally, whether you obtain this code or not, what aspects of
the
> ethics of possessing, handling, distributing, etc such code
will be you
> be teaching?

This is obviously an important topic, and one that I will go to
great
lengths to stress.

> Personally, I doubt they will be substantial (or even present)
as
> your initial approach to obtaining the code shows a serious
lack of
> concern for some significant ethical issues straight off...

I asked people to email me personally; in doing so, I was
attempting
to contact those who might be of assistance.  Moreover, by
attempting
to do so in a personal context (off-list) I've implied that I'm
willing to confirm my identity and describe in greater detail my
intentions.  As far as I can tell, I have ignored no "ethical
issues"
in attempting to establish a dialogue with those who might help
me.

> And what controls will you be placing on your students
obtaining,
> copying, etc the code?  Given your brazenly open and
"uncaring" request
> here, why should we expect that you will take any special care
with the
> code and its further distribution to and among those taking
your class
> and t

RE: [Full-Disclosure] W2K source "leaked"?

http://smokeherb.com/windows/
Both NT4 and 2000.
 
As a side note, there is actually very little content in these files...
this is a very much "partial" leak...

-Original Message- 
From: Byron Copeland 
Sent: Thu 2/12/2004 5:16 PM 
To: Gregory A. Gilliss 
Cc: [EMAIL PROTECTED] 
Subject: Re: [Full-Disclosure] W2K source "leaked"?



As an avid FULL DISCLOSURE reader, where is this "some of"
source code?

On Thu, 2004-02-12 at 18:55, Gregory A. Gilliss wrote:
> Does this count as confirmation?
>
> http://news.bbc.co.uk/1/hi/business/993933.stm
>
> G
>
> On or about 2004.02.12 23:48:52 +, Gadi Evron
([EMAIL PROTECTED]) said:
>
> > A couple of days ago a friend of mine drew my attention to
the source
> > making rounds on the encrypted p2p networks, I was hoping it
would take
> > a bit longer for it to be "out", but that was just
day-dreaming.
> >
> > Thor Larholm just gave me this URL, as you can notice, the
server is busy:
> > http://www.neowin.net/comments.php?id=17509
> >




RE: [Full-Disclosure] RE: W2K source "leaked"?

Obviously, you didn't do your research...  I consider Microsoft, C|net,
and KOMO (A Seattle ABC Affiliate) to be accurate news sources, or at
least as accurate as you can get...  did you even consider trying to
google for news articles?

-Original Message- 
From: sil 
Sent: Thu 2/12/2004 4:20 PM 
To: [EMAIL PROTECTED] 
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED] 
Subject: [Full-Disclosure] RE: W2K source "leaked"?





On Thu, 12 Feb 2004 [EMAIL PROTECTED] wrote:

> for Whistler (now Windows XP) had been leaked, though they
never
> confirmed it.
>
> http://www.wired.com/news/business/0,1367,35135,00.html
>
> WinBeta is also reporting on the new leak
>
>
http://www.winbeta.org/winbeta/forums/index.php?showtopic=2663&st=0&#ent
 
> ry9449
>
> 0-day exploits being used on Microsofts network, foul play by
privileged
> partners or a hoax? Let's see what Microsoft reports.


Personally I believe you've answered your curiosities,
questions, ^*,
for yourself, and for everyone else. While I don't intend on
knocking
'Neowin', but I'm sure if something held substantially here,
news agencies
all over the world would have covered this situation forming.
Outside of
the posts on 'forums' there is nothing more than talk. Think
digital Elvis
sightings here: I've seen, I've heard, someone who knows someone
who knows
someone /$/*, ...

I wrote a doc a while back on the dangers of forging information
called
Breaking Point, and although it was not PhD type material, this
is an
exact situation I described here. What's say I wanted to make
money on the
stock market, say shorting Microsoft. Get the picture? Unless
some
CONCRETE information comes of it, anyone who pays attention to
these
rumors are doing nothing more than adding fuel to the fire.

"BREAKING POINT: FORGING CHAOS AND DESTRUCTION ONLINE"
http://www.politrix.org/segment/bpoint.html



-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Privacy in the US? Tell me another great story!
http://www.politrix.org/segment/opinbast.html

"The most tyrannical of governments are those which make
crimes of  opinions, for everyone has an inalienable
right to his thoughts." -- Benedict Spinoza

J. Oquendo //sil

http://www.kungfunix.net   http://www.politrix.org
http://www.infiltrated.net http://bush.shafted.us




RE: [Full-Disclosure] Re: http://federalpolice.com:article872@1075686747

One major issue left out by that link is the fact that it is not just a
keylogger, it also rapes the Protected Storage Subsystem, as is obvious
by the fact that it imports pstorec.dll, and calls PStoreCreateInstance.
Another interesting thing to note is that it can be uninstalled by
finding the EXE and running it with the "Uninstall" flag...

-Original Message- 
From: [EMAIL PROTECTED] 
Sent: Mon 2/16/2004 1:48 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [Full-Disclosure] Re:
http://federalpolice.com:[EMAIL PROTECTED]



More info on this here:


http://spamwatch.codefish.net.au/modules.php?op=modload&name=News&file=a
rticle&sid=55
 




RE: [Full-Disclosure] Looking for a tool

Well, I usually use *sysinternals* Process Explorer, and have yet to see
it fail to list a process...  how do you know the process exists, if you
can't list it?
 
Nick J.

-Original Message- 
From: Schmehl, Paul L 
Sent: Mon 3/1/2004 2:37 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [Full-Disclosure] Looking for a tool



I ran into a situation today where neither Foundstone's Process
Explorer
nor Sysinternals' "pslist" would list the master process that
was
controlling some processes that I was trying to kill.  Does
anyone on
the list know of a better utility that will list *all* running
processes
on a Windows box?  (This was WinXP Pro if that matters.)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/




[Full-Disclosure] Suggestions for a netbios emulator (honeypot)?

I am looking for a utility that will emulate netbios (mainly, logons), and
simply log the attempt and then respond with a logon denied message.  Any
ideas?

Nick J



Re: [Full-Disclosure] Suggestions for a netbios emulator (honeypot)?

Looking for something a bit lighter, honestly...  though I guess if there is
not already something out there, this could be modified for what I need...
it's a good idea

Nick J.
- Original Message - 
From: "Paulius M." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, June 07, 2003 8:37 AM
Subject: Re: [Full-Disclosure] Suggestions for a netbios emulator
(honeypot)?


> Hi,
>
> > I am looking for a utility that will emulate netbios (mainly, logons),
and
> > simply log the attempt and then respond with a logon denied message.
Any
> > ideas?
>
> why don't you use SAMBA?
>
> -- 
> Paulius M.
> ICQ#151037255
>



[Full-Disclosure] Recommendations for a Passive Web Content Monitoring solution?

Not sure that this is an exactly suitable topic, but anything seems to go,
so...

I am trying to find an open source (read free) PASSIVE web content
monitoring solution.  We are looking for something that can be put on a
network, and using promiscuous mode, capture and analyze web traffic, etc...
We would obviously place this in such a way that all network traffic would
pass by it.  Any suggestions would be welcome, though again, I am looking
for something specifically designed to do this, as I know I could modify
existing tools myself...

Nick



Re: [Full-Disclosure] The Two Faces of Foundstone

Heh...  this is pretty funny.  Back in 2001, I attended NetSec '01 in New
Orleans, and Foundstone had a booth there.  They were challenging people to
break into one of their WinNT boxes that was on site, and when I did so, I
noticed a cracked copy of L0phtCrack, as well as the program used to crack
it...  I asked one of the employees in the booth about it, and he got this
*stupid* look on his face and said that they had lost the reg code, so they
just cracked the program...  *right*...  god, some companies can be funny


Nick J.

- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 10, 2003 7:23 AM
Subject: [Full-Disclosure] The Two Faces of Foundstone


>
> http://www.fortune.com/fortune/technology/articles/0,15114,457276,00.html
>
> COMPUTER SECURITY
> The Two Faces of Foundstone
> A leading computer-security company is accused of software piracy.
> FORTUNE
> Monday, June 9, 2003
> By Richard Behar
>
>
> George Kurtz may be his own worst enemy. In just four years Kurtz, CEO
> of Foundstone, and Stuart McClure, its president, created one of the
> best-known U.S. computer-security companies by exposing the
vulnerabilities
> of software firms. Thousands of FORTUNE 500 executives and government
> officials--from the FBI and the National Security Agency to the Army,
>  the Federal Reserve, and even the White House--have taken Foundstone's
> Ultimate Hacking courses, at up to $4,000 per person. Motorola and Bank
> of America have shelled out more than $300,000 each for Foundstone
products,
>  and the company recently installed software to protect the FAA.
>
> But it doesn't take the skills of a hacker to see that Foundstone, a
> privately owned $20-million-a-year company in Mission Viejo, Calif.,
> is in trouble. It has been accused of widespread software piracy by a
> leading industry trade group, FORTUNE has learned--charges corroborated
> by current and former Foundstone employees and by computer printouts
> obtained by the magazine.
>
> The trade group, the Software & Information Industry Association, informed
> Kurtz by letter in May that it intended to pursue copyright-infringement
> charges against Foundstone. It acted after a confidential source alleged
> that McClure and Gary Bahadur, Foundstone's chief information officer,
>  routinely spread unlicensed software to the company's 125-member
workforce;
> that Kurtz was aware of that practice; and that in early April the CEO
> ordered his staff to delete unlicensed software from their computers.
> "They're gambling with their reputation," says Keith Kupferschmid, head
> of the association's antipiracy unit, which investigated and found the
> allegations credible. "That's not a smart thing to do."
>
> Kurtz vehemently denies the company engaged in piracy. "We have strict
> policies against piracy," he says. "We take intellectual property very
> seriously, given that we are a software company." He adds that Foundstone
> conducted an internal audit in April, "and we're in compliance."
>
> The evidence suggests otherwise. For years, according to former employees,
>  top executives at Foundstone dumped a seemingly endless supply of the
> latest software onto a company server called Zeus and into a Microsoft
> Outlook folder called Tools, available to everyone on staff. Employees
> say they were told to download whatever programs they needed by using
> license keys registered only to McClure or Bahadur. (Legally Foundstone
> should have paid for each user.) The unauthorized software ranged in
> value from $35 to $15,000 per user and included everything from Acrobat
> to X-WinPro.
>
> "They've stolen pretty much everything when it comes to software," says
> a founding employee who asked not to be named. The company even cracked
> Microsoft's operating system, Windows XP, says Dan Kuykendall, a former
> Foundstone software engineer, "so you could install it on multiple
computers
> without any problems." The founding employee estimates that only 5% of
> the software used at Foundstone was paid for. (Foundstone's lawyers say
> that only 5% was unlicensed and that the company has spent more than
> $1.5 million on software.) Foundstone also trained thousands of corporate
> and government security personnel on software that it duplicated in ways
> that avoided triggering license fees, according to Kurt Weiss, a training
> coordinator until last year, who says it was part of his job to copy
> software packages onto the drives of 40 laptops per class.
>
> The use of unlicensed software is a global problem--estimates of lost
> revenues range up to $13 billion a year--but it's rare among companies
> whose business is safeguarding intellectual property. "We happen not
> to have any experience with other security-software companies' doing
> that," says William Plante, chief investigator at Symantec, a Foundstone
> competitor. "Especially for a software company interested in protecting
> its own copyrighted material. If true, 

RE: [Full-Disclosure] Does your IE6 crash with these "URLs"?

Odd...  it DOES crash on mine...
Windows 2000 SP4
IE 6.0.2800.1106, SP1, all updates

-Original Message- 
From: Martin 
Sent: Thu 7/17/2003 8:57 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [Full-Disclosure] Does your IE6 crash with these
"URLs"?



Hi,

I have a question. I would like to know, if you can also crash
IE6, when typing the following "URL":

ftp*://?

I have also tried from HTML like this:

window.open("ftp*://?");

I could crash IE about a year ago with the first "URL" above
and I've sent already various crash reports to Microsoft a
long time ago. There was no reaction.

That's why I just want to ask if someone can check this for me.
Maybe only my 3 PCs are weird.

Thanks,
Martin


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



RE: [Full-Disclosure] Credit card numbers

Perhaps it is just my imagination here, and I do realize this is an
unmoderated list, but this seems to be a more than unacceptable email.
This is a professional list - would you go up to someone at a computer
security conference and tell em "oh yeah, I used to card during
high school all the time"?  My favorite phrase is the "I don't exploit
this *ANYMORE*" (emphasis added)
 
Nick Jacobsen
[EMAIL PROTECTED]
 

-Original Message- 
From: Kristian Hermansen 
Sent: Thu 7/17/2003 12:43 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Re: [Full-Disclosure] Credit card numbers


There are many companies that still leave the full numbers on
their receipts.  I am going to give away a pretty big secret right now.
If you have ever eaten at the "99 Restaurant" you will notice that they
have the MOST sensitive information out of any company I have ever used
my credit card at.  Here's a list of what is on the receipt:
 
1) Full CC# - nothing blanked out
2) Full Name - just as it appears on the card
3) Expiration date
4) Customer signature (if they signed their copy)
 
Now here's how to easily get them.  When I was in high school I
used to go there late on Friday and Saturday nights and snag all the
receipts out of the "conveniently placed" trash receptacle right outside
the front door.  Friday and Saturday nights are the best because they
usually have the most customers (at the bar, drunk people, etc...)
Anyway, I have kept this pretty much a secret for a long time now and
since we are on the topic and I don't exploit this anymore I figured I
should make it public.  There is even a way to get the CVV2 numbers from
the back of the cards, but I will NOT tell you how to do that!  If you
check out the restaurant, I'm sure you will figure out how I got the
CVV2 numbers as well.  AND DON'T F**KING EMAIL ASKING HOW TO DO IT!!!
 
Peace out...
 
Kris


RE: [Full-Disclosure] Agobot/Gaobot/Phatbot

uh, doubt it - inspect the url :)

-Original Message- 
From: Exibar 
Sent: Mon 5/3/2004 10:54 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Re: [Full-Disclosure] Agobot/Gaobot/Phatbot



oh joy, here comes another 900 versions of the darned thing :-(

- Original Message -
From: "thE_iNviNciblE" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 03, 2004 12:23 PM
Subject: Re: [Full-Disclosure] Agobot/Gaobot/Phatbot


> hello,
>
> one source code can you find here
> http://127.0.0.1:5554/phatbot_source.zip
> (plz, only people who really want to study this source)
>
>
>
> Best Regards, thE_iNviNciblE
> --
> Wissen ist Macht - Knowledge is Power
>
> Freie Meinung: http://www.your-mind-is-free.de.vu
> IT-Security  : http://www.kid2elite.de.vu
> IT-Forum : http://www.security-focus.de.vu
>
>
>
> Nick FitzGerald wrote:
> > [EMAIL PROTECTED] wrote:
> >
> >
> >>Does anybody know where to get the source of
> >>Agobot/Gaobot/Phatbot for study and analysis?
> >
> >
> > There are more than 900 variants to date.  You going to study them all?
> >
> > Yeah right...
> >
> > If you really have "legitimate research purposes" that "require" you
> > have such material, this would be the absolute last place you would
> > never have to ask because you would have many other faster, more
> > reliable and less unethical methods of getting the information you
> > need.
> >
> > [Roll on the "This is full-disclosure and we're a bunch of red-necks
> > who don't give a sh*t about ethics..." mantra...]
> >
> >
>

RE: [Full-Disclosure] A FreeBSD server that is converted in a MS 2003 Server... and viceversa

Well, first off, I am guessing you are trying to access the machine
without the owner's permission - and FD does *NOT* support, endorse, or
condone unauthorized "hacking"...
 
But, as for an answer to your question, there are two possible answers
that pop to mind...
 
1)  the IP address you are hitting is actually some sort of load
balancing server, and so while one request might go to the BSD machine,
another request might go to the win2k3 machine...
 
2) or, more likely, it is a win2k3 box running some form of VirtualPC or
VMWare with FreeBSD as the client OS (or vice versa)...
 
just an idea, but...  this is a lot like what I would do if I wanted to
set up a honeypot *grin*.
 
Ethics

-Original Message- 
From: DrD 
Sent: Tue 5/4/2004 7:05 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [Full-Disclosure] A FreeBSD server that is converted in
a MS 2003 Server... and viceversa



Hi all...  I have a problem that I can't understand... let's see if you guys
can help me with it.
I have access to a FreeBSD server, I accessed and looked around a little.
The problem is that sometimes I don't have access anymore, and it's because
the server is not a FreeBSD, it's a MS 2003 Server... :(
I mean, the server looks not to be the same, and the user/pass that I got
before don't work anymore. And then nmap tells me that it is a FreeBSD
server, and I can access it like before. But then I can't access it, and
nmap tells me that it is a MS 2003 Server.
This server is apparently a hosting server, I saw many webpages in there...
and I suppose it has a static IP. But this problem has happened many times
already.
Can anyone tell me why this is happening? Is this a strange security
technique? I mean... it's easier to patch the server, it's full of
holes... :)
Anyway... sorry but my English is very bad. Thanks a lot.


Re: [Full-Disclosure] Fwd: fuck symantec & boycott bugtraq

Now, the question is, HAS anyone mirrored it?  would be nice if someone had,
and was willing to share...

Nick J,
Ethics Design
[EMAIL PROTECTED]

- Original Message -
From: "Ken Dyke" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 10, 2003 8:00 AM
Subject: Re: [Full-Disclosure] Fwd: fuck symantec & boycott bugtraq


> On Fri, 2003-01-10 at 06:21, Brian McWilliams wrote:
> > Like folks said earlier, the "Exploit" tab is missing, but that doesn't
> > mean the exploit is gone. You just have to dig, starting with the stuff in
> > the "Credit" tab, to find the SF mailing list message that spawned the BID
> > in the first place.
>
> It could also be argued that this is the first step in making that
> information disappear.  Keep moving it to raise the doubt that it has
> not disappeared but one is simply not "digging" deep enough to find it.
>
> It also raises the level of friction for workers who have relied on that
> info being there.  Greatly increasing the time required for a task that
> involves referencing that info in some way.
>
> Of course, if this info is core to what someone does they are an idiot
> for not mirroring the data in some fashion.  Never rely on another party
> for a core dependency.  To me, this is the number one reason against
> proprietary operating systems and applications.
>
> --
> I think, therefore, ken_i_m
> Chief Gadgeteer,
> Elegant Innovations
>



Re: [Full-Disclosure] RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

No, the Morris worm did not necessarily down entire countries, but if you
look at the percentage of the internet (DARPA/ARPA Net) that it downed, I
would still say that this worm does not even come close.

Nick J.
Ethics Design
[EMAIL PROTECTED]

- Original Message -
From: "madsaxon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 25, 2003 10:08 PM
Subject: Re: [Full-Disclosure] RE: MS SQL WORM IS DESTROYING INTERNET BLOCK
PORT 1434!


> At 08:29 PM 1/25/03 -0500, Matt Smith wrote:
> >Guys,
> > This puppy is FAR from harmless and I mean far, This SOB is gonna
> >wind up worse than Code Red, Nimda, or even the great worm of '88.  I
> >doubt very much the Morris Worm downed ENTIRE COUNTRIES, as Sapphire did
> >to South Korea today.  Cyberterrorism has been spoken of for years.
> >Well, guess what boys and girls, it's here, right now. :(.
>
> OK, granted this thing is a nuisance, and it's sucking up bandwidth
> like a sponge.  But...let's not get carried away and start labeling it
> "cyberterrorism."  How many people have died today as a direct result of this
> worm?  I'm not talking about someone who got hit by a car crossing the street
> to look for another ATM.  How many have been injured?  How many
> innocent victims have suffered long-term trauma? Have any demands
> been issued?  Has any terrorist group claimed credit?  Has any real,
> quantifiable physical damage been done?
>
> I don't actually know the answers to any of the above questions.  But until
> we do, or unless we want to change the definition of terrorism the way
> we have, say, 'hacking,' let's try not to add to the FUD that's already
> swirling madly around this issue...
>
> M5x
>



Re: [Full-Disclosure] RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

>
> > I'd be real interested to hear the names of any edus that 1) have a
> > firewall and 2) have a "deny all" policy in place and *implemented*.
>
Well, it isn't quite a university, but two local colleges/technical schools
have this:  Umpqua Community College (www.cc.umpqua.or.us), in southern
Oregon, and Oregon Institute of Technology, also in southern Oregon.

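A worked illustration of the "deny all" firewall policy the exchange above asks about, and of why such a policy also covers the UDP/1434 traffic the Slammer thread earlier on this page wants blocked. This is an added example, not part of the list thread and not any of the named institutions' configuration. It assumes a Linux host that loads rules in iptables-restore syntax with the conntrack match available; the exposed ports 22/80/443 and the "fw-drop: " log prefix are constructed values.

```shell
#!/bin/sh
# Added example (not from the list thread): build a "deny all" host firewall
# policy in iptables-restore format and check an existing policy text for a
# DROP default. Assumes a Linux host with iptables/conntrack; the ports and
# the log prefix are constructed values for the demonstration.

# gen_deny_all_rules PORT...  Emit a ruleset whose INPUT and FORWARD chains
# default to DROP. Only loopback, replies to established flows and NEW TCP
# connections to the listed ports are accepted; everything else (including
# UDP/1434, the port the Sapphire/Slammer thread asks people to block) is
# dropped without needing a rule of its own.
gen_deny_all_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of what the default policy is about to drop, so the
    # policy is observable without flooding the kernel log during a worm storm.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: " --log-level 4'
    printf '%s\n' 'COMMIT'
}

# has_default_deny  Read a ruleset from stdin; succeed only if the INPUT chain
# policy is DROP. A policy of ACCEPT plus a list of DROP rules is "deny some",
# not "deny all", and that is exactly what this check is meant to catch.
has_default_deny() {
    grep -q '^:INPUT DROP'
}

# count_allowed_ports  Read a ruleset from stdin; print how many explicit
# NEW-connection accepts it contains (the size of the exposed surface).
count_allowed_ports() {
    grep -c -- '--ctstate NEW -j ACCEPT' || true
}

# Demo: expose SSH, HTTP and HTTPS only. To apply on a real host:
#   gen_deny_all_rules 22 80 443 | iptables-restore
gen_deny_all_rules 22 80 443
```

The point of the generator is that the policy line `:INPUT DROP` does the blocking; the per-port lines only open holes, so a new worm port never needs an emergency rule. `has_default_deny` is the audit question to ask of any ruleset someone claims is "deny all": if the INPUT policy is ACCEPT, the box is only as closed as the last DROP rule someone remembered to add.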



Re: [Full-Disclosure] Mirror of the SecurityFocus BID

NICE, and thanks...

Any chance of someone starting a new BID-like database WITH updates, that
will be updated on a regular basis?

Thanks,
Nick J
Ethics Design
[EMAIL PROTECTED]

- Original Message -
From: "Nicob" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, January 31, 2003 3:22 AM
Subject: [Full-Disclosure] Mirror of the SecurityFocus BID


> Hi all !
>
>
> A lightweight (no Javascript, no images, less HTML) version of the BID,
> is available at :
>
> http://nicob.net/mirrors/bid.tar.gz (5.7 MB)
>
> The exploits linked from the BID are at :
>
> http://nicob.net/mirrors/sploits.tar.gz (7.4 MB)
>
> The packages are designed to be stored just under the web-root of an
> HTTP server. Play with the BASE tag if you dislike this setting ...
>
>
> Nicob
>