[Full-Disclosure] Question for DNS pros

2004-07-23 Thread Paul Schmehl
Can this be done?
Conditions:
1) You know an IP address that is running a DNS server.  (IOW, it responds 
to digs.)
2) You do not know the hostname or domain of the host.
3) The DNS server does not allow zone transfers.

You want to find out *all* the domains that that DNS server is 
authoritative for.  (Essentially you're trying to find out what's in the 
named.conf file rather than zone file info.)

Has anyone written a tool that can do this?  I thought about the 
possibility of parsing all the registration sites for the Primary and 
Backup NS, but that would take forever.  I imagine you could write a perl 
script that would access the web interfaces, do the queries and return the 
results, but it would run for days...

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Re: Enumerating a DNS server's authoritative zones (was Question for DNS pros)

2004-07-23 Thread Paul Schmehl
I'll take that as a "No."  :-)
Thanks for the info, Todd.
--On Friday, July 23, 2004 06:01:42 PM + Bennett Todd <[EMAIL PROTECTED]> 
wrote:

[ enumerate domains for which a nameserver publishes authoritative
  data ]
Even if the nameserver _did_ allow zone transfers, you _still_
couldn't enumerate its zones.
Even if you "parsed all registration sites" you'd still be nowhere
near there. Any subdomain at any depth can be delegated, by any
nameserver. And a server can offer authoritative data even if nobody
delegates it at 'em, this is sometimes a very useful technique, e.g.
declaring SOA for a classfully-aligned superset of your real
classless delegation in in-addr.arpa. And one of the more popular
top-level zones, .com, is jealously guarded as a secret by the lucky
bastards who stole it from the public domain, to prevent other folks
from stepping in and doing a more responsible job of managing
registry for the domain.
The place where this question rises routinely is in DNS server sets.
It's quite common within organizations to want to maintain sets of
domains across some collection of more or less independent
nameservers. DNS has a protocol within it, zone transfer, for
replicating the contents of a zone; not the best-designed protocol,
but occasionally useful. But as it has no mechanism for enumerating
the zones that would need to be transferred, some out-of-band
mechanism needs to be used to maintain the zone list; and once
that's in place, many folks note that using common off-the-shelf
components for replication works better than zone xfer even for the
zone data.
The one place zone xfer is handy is as a rendezvous point;
nameservers with different native zone data formats can share zone
xfer as a way to convert zones from one format to another.
-Bennett

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


Re: [Full-Disclosure] Question for DNS pros

2004-07-23 Thread Paul Schmehl
--On Friday, July 23, 2004 09:50:44 PM +0200 [EMAIL PROTECTED] wrote:
hm... you could also try reverse lookups for all existing ip-adresses in
the world :)
Well, no, because that wouldn't solve the problem.
A host on our network is being queried quite regularly on udp/53 by other 
hosts. A review of the packets reveals that these other hosts believe that 
our host is a dns server.  (AAMOF the IP address isn't even in use at the 
present time.)

Now, if you do a reverse lookup for that IP, *our* DNS servers, which are 
authoritative for our network will tell you what the hostname is.  But that 
isn't what I want to know.  Obviously, a simple dig -x IP will tell me that.

What I want to know is *why* do these "foreign" hosts think an IP on my 
network is serving DNS when there's not even a host at that address.

I can think of two possibilities:
1) At some time in the past, a host *was* serving DNS at that address and 
some "foreign" hosts have cached the address.
2) Someone somewhere has registered a domain and used our IP address for 
one of their "nameservers" in the registration.

(If anyone can think of other explanations, please let me know.)
Now how is a reverse lookup going to help you with that?  It would be 
trivial to write a perl script that did reverse lookups for every IP on the 
Internet and wrote the responses to a comma delimited file, but the 
resulting file would be useless to solve the problem that I'm trying to 
solve.

And for those who were thinking "just do a tcpdump", here's what *that* 
looks like - no domain info there -

17:01:44.646943 x.x.x.x.17388 > xx.utdallas.edu.domain:  48072 NS? . 
(17)
17:01:45.386919 x.x.x.x.17388 > xx.utdallas.edu.domain:  48073 NS? . 
(17)
17:01:46.153402 x.x.x.x.17388 > xx.utdallas.edu.domain:  48074 NS? . 
(17)
17:01:47.657898 x.x.x.x.17388 > xx.utdallas.edu.domain:  1084 PTR? 
63.37.110.129.in-addr.arpa. (44)
17:01:48.399150 x.x.x.x.17388 > xx.utdallas.edu.domain:  1085 PTR? 
63.37.110.129.in-addr.arpa. (44)
17:01:49.144398 x.x.x.x.17388 > xx.utdallas.edu.domain:  1086 PTR? 
63.37.110.129.in-addr.arpa. (44)

The best suggestion yet has been to set up a name server at that address 
with verbose logging.  That's probably what I will do next week.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


Re: [Full-Disclosure] Question for DNS pros

2004-07-23 Thread Paul Schmehl
--On Saturday, July 24, 2004 9:39 AM +0530 "ALD, [ Aditya Lalit Deshmukh ]" 
<[EMAIL PROTECTED]> wrote:
I can think of two possibilities:
1) At some time in the past, a host *was* serving DNS at that address and
some "foreign" hosts have cached the address.
I think your ISP should have this info.
Umm..did you look at my address?  We own a class B.  We don't have an ISP.
Then his domain is toast anyway, as there is no DNS server, so effectively
his domain is offline; this will be corrected soon if this is the case.
Not if the "other" DNS server is working.  You're required to register two 
nameservers; a primary and a secondary.  You only need one to answer 
queries.  If a guy registered a domain and used *his* box for the primary 
and just grabbed a random IP to register as a "secondary", why would he 
care if the secondary didn't work?
1. Just block off port 53/udp for that address at the firewall.
2. Run a DNS server that replies to all the queries with localhost or
127.0.0.1 after you have found what is causing this.
3. Set the refresh time, TTL and other values to -1; this should solve most
of the problems, as the clients would simply stop querying.
You're misunderstanding the problem.  The problem is, we want to make sure 
our IPs aren't being used by someone else, even inadvertently.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: FW: [Full-Disclosure] Question for DNS pros

2004-07-24 Thread Paul Schmehl
--On Saturday, July 24, 2004 10:16 AM -0500 Suzi and Harold VanPatten 
<[EMAIL PROTECTED]> wrote:
It seems to me you could do this without setting up a dns server. Just
tcpdump the traffic or sniff or snoop the traffic. If you set it up with
a snaplength of 1500 you'll get enough of the packet to see exactly what
dns query is being asked...something like
tcpdump -n -s 1500 udp and port 53 and host 1.2.3.4
I already did this, and I already posted it here.  It didn't reveal 
anything that I wasn't already aware of - ns requests and ptr requests for 
that IP.

then you'll be able to tell if the queries are all for one specific
domain (meaning something has that IP registered as an authoritative
server for that domain) or are the queries for many different domains
meaning people think you have a dns server they can use as a resolver.
As I already stated, they're coming from all over.
Same with issue number one, once you know the domain they are querying,
you can find the POC of that domain and get them to fix the problem.
Hopefully, it is one of these two issues.  Good luck!
That's the one piece I don't have yet - what domain is being queried.  Thus 
the request for suggestions here.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: FW: [Full-Disclosure] Question for DNS pros

2004-07-25 Thread Paul Schmehl
--On Saturday, July 24, 2004 10:16 AM -0500 Suzi and Harold VanPatten 
<[EMAIL PROTECTED]> wrote:

It seems to me you could do this without setting up a dns server. Just
tcpdump the traffic or sniff or snoop the traffic. If you set it up with
a snaplength of 1500 you'll get enough of the packet to see exactly what
dns query is being asked...something like
tcpdump -n -s 1500 udp and port 53 and host 1.2.3.4
And
--On Sunday, July 25, 2004 11:41 AM +0200 Paul Rolland <[EMAIL PROTECTED]> 
wrote:
Update your tcpdump or verify the syntax.
I just tried :
tcpdump -v -s 1500 -n udp port 53
on our NS server, and it shows the complete details of the request.
09:38:50.669060 eth0 < 67.166.39-62.rev.gaoland.net.3746 >
sim-01.PAR.witbe.net.domain: 34277+ PTR? 250.92.168.192.in-addr.arpa. (45)
(DF) (ttl 61, id 145)
For the last time, I have *already* done this.  With both a snaplen of 1024 
and a snaplen of 4096.  It *hasn't* produced anything useful unless someone 
thinks *this* is useful  (I'm using tcpdump on FreeBSD 4.9 RELEASE.):

tcpdump -c 100 -xX -s 4069 -i xl0 -p -w x.x.dump 'udp && host x.x.x.x && 
port 53' (Our IP has been changed to x.x.x.x)

I've altered the real hostname on our network to "targethost" and altered 
the querying IP to x.x.x.x for privacy reasons.  All these queries are 
*from* the same host.  This pattern is *typical* of what I'm seeing from a 
*number of diverse hosts* from all over the world.

22:06:10.294071 x.x.x.x.2566 > targethost.utdallas.edu.domain:  29462 NS? . 
(17)
22:06:11.043050 x.x.x.x.2566 > targethost.utdallas.edu.domain:  29463 NS? . 
(17)
22:06:11.791218 x.x.x.x.2566 > targethost.utdallas.edu.domain:  29464 NS? . 
(17)
22:06:13.298805 x.x.x.x.2566 > targethost.utdallas.edu.domain:  30290 PTR? 
63.37.110.129.in-addr.arpa. (44)
22:06:14.052600 x.x.x.x.2566 > targethost.utdallas.edu.domain:  30291 PTR? 
63.37.110.129.in-addr.arpa. (44)
22:06:14.799270 x.x.x.x.2566 > targethost.utdallas.edu.domain:  30292 PTR? 
63.37.110.129.in-addr.arpa. (44)
22:06:15.775488 x.x.x.x.2566 > targethost.utdallas.edu.domain:  30818 NS? . 
(17)
22:06:16.526565 x.x.x.x.2566 > targethost.utdallas.edu.domain:  30819 NS? . 
(17)
22:06:17.277716 x.x.x.x.2566 > targethost.utdallas.edu.domain:  30820 NS? . 
(17)
22:06:18.776723 x.x.x.x.2566 > targethost.utdallas.edu.domain:  31424 PTR? 
63.37.110.129.in-addr.arpa. (44)

Comparing "real" queries to a functioning nameserver to what I'm trying to 
figure out is apples to oranges.  If these *were* real queries, I wouldn't 
even have posted this here.  I would have already figured it out.

It really would help if folks would *read* the list before replying.
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: FW: [Full-Disclosure] Question for DNS pros

2004-07-25 Thread Paul Schmehl
--On Sunday, July 25, 2004 5:51 PM -0500 Frank Knobbe <[EMAIL PROTECTED]> 
wrote:
could you please post some *payload* of these packets instead of just
the tcpdump one-liner? Perhaps that's why we confused about your tcpdump
output/usage.
That *is* the payload.
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
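A reading aid for the captures above, as an added example that is not code from the thread or from any poster. The tcpdump one-liner is indeed the whole payload: a DNS query carries a 12-byte header, the question name as length-prefixed labels, and a 4-byte type/class. That is why tcpdump shows `NS? .` as 17 bytes (12 + 1 for the root name + 4) and `PTR? 63.37.110.129.in-addr.arpa.` as 44; with -v, the `len 45` / `len 72` values are the IP total length, the payload plus 28 bytes of IPv4 and UDP headers. tcpdump also marks a query whose recursion-desired bit is set with a trailing `+` on the id (`34277+ PTR?` in Paul Rolland's capture); the queries in Paul's captures carry no `+`, so they are not the shape a stub resolver would send. The code builds both query types from the names on the page and decodes them back; the address 129.110.37.63 is simply the reverse of the in-addr.arpa name in the capture.

```python
"""Build and decode one-question DNS queries, reproducing the payload sizes
tcpdump prints in the thread: 17 for `NS? .`, 44 for the PTR query.
Added example, not code from the thread."""
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "PTR": 12, "AXFR": 252}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}
RD = 0x0100          # recursion-desired flag; tcpdump shows it as a "+" after the id
IP_UDP_HEADERS = 28  # 20-byte IPv4 header + 8-byte UDP header (the -v "len" adds these)


def encode_name(name):
    """Dotted name -> length-prefixed labels. The root "." is a single zero byte."""
    out = bytearray()
    for label in name.strip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(txid, qname, qtype, rd=False):
    """12-byte header (QDCOUNT=1), then QNAME, QTYPE, QCLASS=IN."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(pkt, off):
    """Read labels at `off`; returns (dotted name, offset after the terminator)."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    return (".".join(labels) + "." if labels else "."), off


def decode_query(pkt):
    """Inverse of build_query; returns the fields tcpdump prints on its one-liner."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if qd != 1:
        raise ValueError("expected exactly one question, got %d" % qd)
    qname, off = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": txid, "rd": bool(flags & RD), "qname": qname,
            "qtype": QTYPE_NAME.get(qtype, str(qtype)),
            "payload_len": len(pkt),                  # the "(17)" / "(44)" figure
            "ip_len": len(pkt) + IP_UDP_HEADERS}      # the -v "len 45" / "len 72" figure


def reverse_name(ip):
    """129.110.37.63 -> 63.37.110.129.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


if __name__ == "__main__":
    for pkt in (build_query(48072, ".", "NS"),
                build_query(1084, reverse_name("129.110.37.63"), "PTR")):
        print(decode_query(pkt))
```

Running it prints the two decoded questions with payload lengths 17 and 44, and IP lengths 45 and 72, matching the figures in the captures.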


Re: [Full-Disclosure] Automated SSH login attempts?

2004-07-25 Thread Paul Schmehl
--On Thursday, July 22, 2004 10:47 AM -0400 Jay Libove <[EMAIL PROTECTED]> 
wrote:
Here are some log entries from my system:
Jul 15 10:01:34 panther6 sshd[8267]: Illegal user test from 62.67.45.4
Jul 15 10:01:34 panther6 sshd[8267]: Failed password for illegal user
We've been seeing these as well, and in every case we've notified the 
owners, they have mailed us back to let us know that the host had been 
rooted.

You would be doing the owners a big favor by notifying them that their host 
is probably compromised.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: FW: [Full-Disclosure] Question for DNS pros

2004-07-26 Thread Paul Schmehl
--On Monday, July 26, 2004 08:58:48 AM +0200 Paul Rolland <[EMAIL PROTECTED]> 
wrote:

Seems to be a query for the NS for the "." (root) zone.
Well, you're correct about that.
The machine sending the queries is probably configured to use
your server as a complete DNS resolver and transfer all its queries
to your server.
Umm...I don't *have* a server at that address.  In fact, there is no live 
host at all at that address.  *That*, after all, is the entire point of 
this thread.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


Re: [VulnDiscuss] Re: [Full-Disclosure] Automated SSH login attempts?

2004-07-27 Thread Paul Schmehl
--On Monday, July 26, 2004 03:29:56 PM -0400 RBabb 
<[EMAIL PROTECTED]> wrote:
This makes me feel better. I thought it odd that so many machines were
hitting my ssh server. I even blocked it at the firewall for a day or so.
Is anyone talking on what the bot system was that allowed them to
automate this? It seemed that as soon as 1 got it so did a whole bunch
more so obviously people are distributing lists of IP's for potential SSH
access.
That's not obvious at all.  In our case, they're hitting IPs in sequential 
order, so it looks (to us) more like a "brute force" attempt rather than 
the targeting of hosts that are specifically running sshd.

I'm not real sure on who to contact for these machines, but here are all
the ones that have hit me. Mostly seem to be Asian so far.
Jul 25 19:48:40 server sshd[55910]: Failed password for illegal user test
from 212.4.172.123 port 56843 ssh2
Jul 25 19:48:42 server sshd[55915]: Failed password for illegal user
guest from 212.4.172.123 port 56916 ssh2
Jul 25 20:37:19 server sshd[57221]: Failed password for illegal user test
from 210.40.224.10 port 49738 ssh2
Jul 25 20:37:22 server sshd[57223]: Failed password for illegal user
guest from 210.40.224.10 port 49756 ssh2
[EMAIL PROTECTED] pauls]$ dig -x 212.4.172.123
; <<>> DiG 9.2.2-P3 <<>> -x 212.4.172.123
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 123
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;123.172.4.212.in-addr.arpa.   IN      PTR
;; ANSWER SECTION:
123.172.4.212.in-addr.arpa. 604800 IN   PTR mail.enet.de.
Since this is a mail server, I would say the odds are *extremely high* that 
it's been compromised and that the owners would greatly appreciate a heads 
up.  (So I've cc'd them.  But these are *your* logs, so *you* should notify 
them as well.

Jul 24 21:37:50 server sshd[21578]: Failed password for illegal user test
from 218.244.240.195 port 58900 ssh2
Jul 24 21:37:53 server sshd[21580]: Failed password for illegal user
guest from 218.244.240.195 port 58928 ssh2
person:   ShouLan Du
address:  Fl./8, South Building, Bridge Mansion, No. 53
country:  CN
phone:+86-010-8316
fax-no:   +86-010-83155528
e-mail:   [EMAIL PROTECTED]
nic-hdl:  SD76-AP
mnt-by:   MAINT-CNNIC-AP
changed:  [EMAIL PROTECTED] 20020403
source:   APNIC
Jul 22 18:23:36 server sshd[38184]: Failed password for illegal user test
from 216.86.221.113 port 58012 ssh2
Jul 22 18:23:37 server sshd[38195]: Failed password for illegal user
guest from 216.86.221.113 port 51509 ssh2
;; ANSWER SECTION:
113.221.86.216.in-addr.arpa. 14400 IN   PTR 
adsl-gte-la-216-86-215-113.mminternet.com.

Technical Contact:
 Master, Host  (NC312) [EMAIL PROTECTED]
 3780 Kilroy Airport Way
 Suite 410
 Long Beach, CA 90806
 US
 562-427-0344 fax: 562-427-3622
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
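For the log lines quoted above, this added example (not code from the thread or from any poster) extracts the sshd failures, groups them by source and flags sources that try several non-existent accounts within minutes, which is the pattern the posts describe: `test` then `guest`, a few seconds apart, from each host. The log lines are the ones quoted in the thread, plus one constructed successful login to show a source that stays unflagged. Syslog timestamps carry no year, so 2004 (the thread's date) is assumed; the five-minute window and the two-username threshold are also assumptions.

```python
"""Group sshd failures by source and flag automated account probing.
Added example, not code from the thread."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the two sshd message forms quoted in the thread.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?:Failed password for (?:illegal|invalid) user (?P<fuser>\S+) from (?P<fip>[\d.]+)"
    r"|Illegal user (?P<iuser>\S+) from (?P<iip>[\d.]+))"
)
ASSUMED_YEAR = 2004  # assumption: syslog lines carry no year

# Lines quoted in the thread; the last line is constructed (a normal key login).
SAMPLE = """\
Jul 15 10:01:34 panther6 sshd[8267]: Illegal user test from 62.67.45.4
Jul 25 19:48:40 server sshd[55910]: Failed password for illegal user test from 212.4.172.123 port 56843 ssh2
Jul 25 19:48:42 server sshd[55915]: Failed password for illegal user guest from 212.4.172.123 port 56916 ssh2
Jul 25 20:37:19 server sshd[57221]: Failed password for illegal user test from 210.40.224.10 port 49738 ssh2
Jul 25 20:37:22 server sshd[57223]: Failed password for illegal user guest from 210.40.224.10 port 49756 ssh2
Jul 24 21:37:50 server sshd[21578]: Failed password for illegal user test from 218.244.240.195 port 58900 ssh2
Jul 24 21:37:53 server sshd[21580]: Failed password for illegal user guest from 218.244.240.195 port 58928 ssh2
Jul 22 18:23:36 server sshd[38184]: Failed password for illegal user test from 216.86.221.113 port 58012 ssh2
Jul 22 18:23:37 server sshd[38195]: Failed password for illegal user guest from 216.86.221.113 port 51509 ssh2
Jul 25 20:10:00 server sshd[57000]: Accepted publickey for pauls from 129.110.1.2 port 40000 ssh2
"""


def parse(text):
    """One event per failed/illegal-user line: timestamp, host, username, source IP."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (ASSUMED_YEAR, m.group("ts")),
                               "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m.group("host"),
                       "user": m.group("fuser") or m.group("iuser"),
                       "src": m.group("fip") or m.group("iip")})
    return events


def find_account_probers(events, min_users=2, window=timedelta(minutes=5)):
    """Flag a source that tries `min_users` distinct non-existent accounts inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = {}
    for src, es in by_src.items():
        es.sort(key=lambda e: e["ts"])
        for i, first in enumerate(es):
            users = {e["user"] for e in es[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                hits[src] = {"users": sorted({e["user"] for e in es}),
                             "attempts": len(es),
                             "first": es[0]["ts"], "last": es[-1]["ts"]}
                break
    return hits


def summarize(hits):
    """One line per flagged source, in the shape one would paste into an abuse report."""
    return ["%s  %d attempts  users=%s  %s .. %s" % (
                src, h["attempts"], ",".join(h["users"]),
                h["first"].strftime("%Y-%m-%d %H:%M:%S"), h["last"].strftime("%H:%M:%S"))
            for src, h in sorted(hits.items())]


if __name__ == "__main__":
    for line in summarize(find_account_probers(parse(SAMPLE))):
        print(line)
```

Run as is, it lists the four sources that tried both `test` and `guest`; the single `Illegal user test` line from the older sshd format is parsed but stays below the threshold, and the successful login never matches.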


Re: [Full-Disclosure] Why should one buy (or not) an Appliance-based security gateway?

2004-07-30 Thread Paul Schmehl
--On Friday, July 30, 2004 02:55:04 PM -0300 Bernardo Santos Wernesback 
<[EMAIL PROTECTED]> wrote:
A few colleagues and I started a discussion as to why one should or
shouldn't buy an appliance-based firewall, ids/ips or other security
appliance instead of installing software on a server.
We thought about patching, performance, and other reason for each option
but I'd like to hear what other people think.
I would really appreciate if you could share your thoughts with me.
1) Most appliance-based devices do not allow access to the operating system 
from the application.  In fact, they don't even allow access to the 
application, except for its configuration.

2) Most appliance-based devices have a kernel and OS that is specifically 
built (or the latest buzz word "purpose-built") for the service they 
provide, making them capable of running on lower speed processors and lower 
memory footprints than a general purpose OS (or conversely, capable of 
doing a great deal more with the same CPU speed and memory footprint.)

Those are the two main benefits that I hear most often touted.  I haven't 
done any research into those claims.  Perhaps someone else has?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


Re: [Full-Disclosure] Fortinet Firewalls

2004-08-02 Thread Paul Schmehl
--On Monday, August 02, 2004 04:56:42 PM +0100 Ben 
<[EMAIL PROTECTED]> wrote:
Anyone had any experience with these - they claim to be able to offer
content filtering and there by detect malicious content embedded into
HTML, as well as the usual deliver systems.
Sounds interesting my only concern is how you would stay on top of each
new threat...
Through automatic updates from the vendor.
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


Re: FW: [Full-Disclosure] Question for DNS pros

2004-08-03 Thread Paul Schmehl
--On Tuesday, August 03, 2004 09:48:59 AM -0500 Frank Knobbe 
<[EMAIL PROTECTED]> wrote:
I'm seeing the same thing now. It caught my eye because of another
oddity that occurs from those IP's and I wanted to check with you if you
see that as well. These addresses (about a dozen IP's from China in my
case) also send a TCP SYN packet with 24 '0x00' bytes payload to port
53. Seq # and Ack # are set, windows size is 2048 (although I haven't
confirmed that with all past scans).
Below is a tcpdump. See if that looks familiar :)
Very familiar.
So it doesn't appear to be targeted just at UT Dallas. I start to wonder
if other sites get hit too, but if that flies under the radar.
I have no doubt that would be true.  This now appears to be very deliberate 
and well planned.

Also, there is no name server at that address, never has been. The IP
being targeted is the global NAT IP of a firewall. All outbound
connections come from that IP. No other IP (in a two class C range) is
being hit.
That's interesting.  The address being targeted here was *also* a firewall 
PAT address.  I'm starting to wonder if this is some sort of a recon tool 
to get past firewalls.  That would explain why they're using port 53 
(normally open) and udp (stateless).  If they get any kind of response at 
all, they've identified a live host.

This has started on a regular basis last week and seems steady:
Ours has stopped.
There are about 18 sources involved, but the majority of the packets are
coming from 218.75.110.194 (601),
Ditto
61.135.158.28 (589), and 61.135.158.29
I don't have those two in my dumps, but I only identified 8 unique 
addresses before the probes ceased.

(451), all three from China. All unsolicited incoming packets. Nothing
is part of any kind of communication (i.e. response to web browsing,
triggering web bugs, p2p, IM, etc).
Ditto
Paul, were you able to find anything out about this? Do those IP's
correlate with your captured IP's? Do you see the TCP SYN too?
Unfortunately, I wasn't capturing *all* traffic to that IP, just udp/53, so 
I can't tell you if there was any tcp traffic to it.
21:16:15.434753 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  51621
NS? . (17) (ttl 44, id 51622, len 45)
21:16:16.194129 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  51622
NS? . (17) (ttl 44, id 51623, len 45)
21:16:16.932505 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  51623
NS? . (17) (ttl 44, id 51624, len 45)
21:16:18.431546 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  9949
PTR? x.x.x.x.in-addr.arpa. (45) (ttl 44, id 9950, len 73)
21:16:19.186279 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  9950
PTR? x.x.x.x.in-addr.arpa. (45) (ttl 44, id 9951, len 73)
21:16:19.939409 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  9951
PTR? x.x.x.x.in-addr.arpa. (45) (ttl 44, id 9952, len 73)
Mine are identical to yours.  Same host, same src port, same types of 
packets, same ttl, same len)  Whatever this is is obviously crafted from 
some sort of script.  The only thing I can think of is recon.  If someone 
has any bright ideas, speak up.

14:07:51.507129 218.75.110.194.3847 > x.x.x.x.domain: [udp sum ok]
23237 NS? . (17) (ttl 48, id 23238, len 45)
14:07:52.256946 218.75.110.194.3847 > x.x.x.x.domain: [udp sum ok]  23238 
NS? . (17) (ttl 48, id 23239, len 45)
14:07:53.573977 218.75.110.194.3847 > x.x.x.x.domain: [udp sum ok]  23619 
NS? . (17) (ttl 48, id 23620, len 45)
14:07:53.752289 218.75.110.194.3847 > x.x.x.x.domain: [udp sum ok]  23703 
PTR? x.x.x.x.in-addr.arpa. (44) (ttl 48, id 23704, len
72)
14:07:54.336206 218.75.110.194.3847 > x.x.x.x.domain: [udp sum ok]  23620 
NS? . (17) (ttl 48, id 23621, len 45)
14:07:54.516745 218.75.110.194.3847 > x.x.x.x.domain: [udp sum ok]  23704 
PTR? x.x.x.x.in-addr.arpa. (44) (ttl 48, id 23705, len
72)
14:07:55.087551 218.75.110.194.3847 > x.x.x.x.domain: [udp sum ok]  23621 
NS? . (17) (ttl 48, id 23622, len 45)
14:07:55.275934 218.75.110.194.3847 > x.x.x.x.domain: [udp sum ok]  23705 
PTR? x.x.x.x.in-addr.arpa. (44) (ttl 48, id 23706, len
72)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
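The classifier below is an added example, not code from the thread or from any poster. It parses the one-line tcpdump summaries quoted above, with or without the -v decorations, and flags a source as a probe when it fits the pattern Paul and Frank compared: a run of NS queries for the root, a run of PTR queries for a single name, no recursion-desired bit (tcpdump would print a `+` after the id), one fixed source port and, where the -v fields are present, an IP id that is always the DNS id plus one. The sample lines are copied from the two captures above; the last line is a constructed ordinary resolver query, included to show a source that should not be flagged. The threshold of three queries of each kind is an assumption.

```python
"""Parse tcpdump DNS one-liners and flag the root-NS + PTR probe pattern.
Added example, not code from the thread."""
import re
from collections import defaultdict

# tcpdump summary line, optionally with "[udp sum ok]" and "(ttl N, id N, len N)".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+?)\.(?P<dport>domain|53):\s+"
    r"(?:\[udp sum ok\]\s+)?"
    r"(?P<txid>\d+)(?P<rd>\+?)\s+(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)\s+\((?P<plen>\d+)\)"
    r"(?:\s+\(ttl (?P<ttl>\d+), id (?P<ipid>\d+), len (?P<iplen>\d+)\))?"
)

# Lines from the two captures above (line wraps rejoined); last line is constructed.
SAMPLE = """\
22:06:10.294071 x.x.x.x.2566 > targethost.utdallas.edu.domain:  29462 NS? . (17)
22:06:11.043050 x.x.x.x.2566 > targethost.utdallas.edu.domain:  29463 NS? . (17)
22:06:11.791218 x.x.x.x.2566 > targethost.utdallas.edu.domain:  29464 NS? . (17)
22:06:13.298805 x.x.x.x.2566 > targethost.utdallas.edu.domain:  30290 PTR? 63.37.110.129.in-addr.arpa. (44)
22:06:14.052600 x.x.x.x.2566 > targethost.utdallas.edu.domain:  30291 PTR? 63.37.110.129.in-addr.arpa. (44)
22:06:14.799270 x.x.x.x.2566 > targethost.utdallas.edu.domain:  30292 PTR? 63.37.110.129.in-addr.arpa. (44)
21:16:15.434753 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  51621 NS? . (17) (ttl 44, id 51622, len 45)
21:16:16.194129 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  51622 NS? . (17) (ttl 44, id 51623, len 45)
21:16:16.932505 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  51623 NS? . (17) (ttl 44, id 51624, len 45)
21:16:18.431546 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  9949 PTR? x.x.x.x.in-addr.arpa. (45) (ttl 44, id 9950, len 73)
21:16:19.186279 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  9950 PTR? x.x.x.x.in-addr.arpa. (45) (ttl 44, id 9951, len 73)
21:16:19.939409 218.75.110.194.3847 > x.x.x.x.53: [udp sum ok]  9951 PTR? x.x.x.x.in-addr.arpa. (45) (ttl 44, id 9952, len 73)
22:07:01.100000 10.9.8.7.51234 > targethost.utdallas.edu.domain: 4411+ A? www.example.com. (33)
"""


def parse(text):
    """One dict per parseable line; unmatched lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify(row):
    """'root-ns' for `NS? .`, 'reverse' for an in-addr.arpa PTR, else 'other'."""
    if row["qtype"] == "NS" and row["qname"] == ".":
        return "root-ns"
    if row["qtype"] == "PTR" and row["qname"].endswith(".in-addr.arpa."):
        return "reverse"
    return "other"


def find_probe_sources(rows, min_each=3):
    """Sources matching the probe pattern; min_each is an assumed threshold."""
    by_src = defaultdict(list)
    for r in rows:
        by_src[r["src"]].append(r)
    hits = {}
    for src, rs in by_src.items():
        kinds = [classify(r) for r in rs]
        ports = {r["sport"] for r in rs}
        targets = {r["qname"] for r, k in zip(rs, kinds) if k == "reverse"}
        if (kinds.count("root-ns") < min_each or kinds.count("reverse") < min_each
                or len(ports) != 1 or len(targets) != 1
                or any(r["rd"] for r in rs)):          # "+" means RD set: a real resolver
            continue
        with_ids = [r for r in rs if r["ipid"] is not None]
        lockstep = (all(int(r["ipid"]) == int(r["txid"]) + 1 for r in with_ids)
                    if with_ids else None)               # None: no -v fields to check
        hits[src] = {"sport": ports.pop(), "ptr_target": targets.pop(),
                     "queries": len(rs), "ipid_lockstep": lockstep}
    return hits


if __name__ == "__main__":
    for src, h in find_probe_sources(parse(SAMPLE)).items():
        print(src, h)
```

Both captured sources come out flagged, the one with -v fields also showing the id-plus-one lockstep that marks a script rather than a resolver library; the constructed recursive `A?` query is parsed but not flagged.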


Re: FW: [Full-Disclosure] Question for DNS pros

2004-08-03 Thread Paul Schmehl
Frank, I've only checked two of the "attacking" IPs, but they are both 
BigIP load balancers.  I'd bet that they all are, and these packets are 
some sort of probe to see if a host that contacted them before is still 
alive.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


Re: [Full-Disclosure] Tipping Point IPS systems

2004-08-03 Thread Paul Schmehl
--On Tuesday, August 3, 2004 1:46 PM -0700 Ryan Sumida <[EMAIL PROTECTED]> 
wrote:

Not sure if I should be posting to this list but didn't know where else
to ask.
I've seen a few posts on network protection devices such as Netscreen,
Checkpoint and Fortigate products but I haven't seen anything on Tipping
Point.  Of any of you that have used a Tipping Point box, how does it
compare to the others?  I'm aware of the bugs in the reporting features,
I'm more interested in hearing how effective their filters work
especially under heavy conditions.
We were impressed with it during an eval.  I know of one school that is 
using it and is so happy they've bought more (for the interior networks.)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: FW: [Full-Disclosure] Question for DNS pros

2004-08-03 Thread Paul Schmehl
--On Wednesday, August 4, 2004 12:04 PM +1000 Ian Latter 
<[EMAIL PROTECTED]> wrote:

I've been flat out here -- but I've tried to stay on this thread ..
Are you guys sure that this isn't the server end of the
ip-over-dns software (nstxd) trying to get data back to the
now non-existent client?
It would have made it through your statefull kit if it was
initiated from that problem address of yours (Paul), originally.
The address involved is the PAT address for one subnet, so yes, it could 
well have been a conversation initiated by a host on our network, but when 
I checked the translation tables were empty.  Unfortunately, the logging is 
so verbose (for translations) that we don't have it enabled, so we can 
only tell if a conversation is active.

In any case, it looks like my surmise about BigIP was correct.
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] waa waa (was Finally the truth slips out)

2004-08-06 Thread Paul Schmehl
--On Friday, August 06, 2004 01:40:58 PM -0400 Jason <[EMAIL PROTECTED]> 
wrote:
[EMAIL PROTECTED] wrote:
On Sat, 07 Aug 2004 00:16:46 +1000, Sean Crawford <[EMAIL PROTECTED]>
said:

Who elected this guy???.*grin*

The Supreme Court. :)

Excellent to see this posted, it was more of an appointment wasn't it :-)
No, it's not excellent.  There are tons of places on the web to spread this 
crap.  This is not one of them.

And why does this have anything to do with security? Well a few things
come to mind.
It has *nothing* to do with security.  Take it to alt.i.hate.bush.
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


Re: [Full-Disclosure] (no subject)

2004-08-10 Thread Paul Schmehl
--On Monday, August 09, 2004 07:06:11 PM -0500 Frank Knobbe 
<[EMAIL PROTECTED]> wrote:
Isn't the complete lack of naming standardization in the AV industry
simply amazing? Imagine that were the case in science, particular
medicine...
Getting the AV industry to agree on virus names is about as likely as 
getting a government to do anything beneficial for its citizens.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


RE: [Full-Disclosure] Scandal: IT Security firm hires the author of Sasser worm

2004-09-20 Thread Paul Schmehl
--On Monday, September 20, 2004 01:35:46 PM -0500 Fred Newtz 
<[EMAIL PROTECTED]> wrote:
This has never worked before, just look at NYC and the drug laws there.
Shoot, how come the death penalty does not deter people from committing
murder?
If it was a deterrent, it would be called "the death deterrent".  It's 
called a "penalty" for a reason...

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Denial of service in KitchenAid blenders

2004-10-11 Thread Paul Schmehl
--On Sunday, October 10, 2004 08:12:35 PM +0200 "Jedi/Sector One" 
<[EMAIL PROTECTED]> wrote:

Product : KitchenAid blenders
Date: 10/10/2004
Author  : Frank Denis <[EMAIL PROTECTED]>

  [ Vulnerability ]
  There's a race condition in KitchenAid blenders that can trigger a
denial of service.
  The device will require a physical shutdown in order to work again.
You left out - "But still better than Windows".  (TM Georgi)
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Will a vote for John Kerry be counted by a Hart InterCivic eSlate3000 in Honolulu?

2004-10-21 Thread Paul Schmehl
--On Thursday, October 21, 2004 09:29:11 AM -0500 [EMAIL PROTECTED] 
wrote:

Jason, I have a rather direct question:  Given what you know...and what
you wrote...why in blazes did you cast your vote electronically?
Doesn't who he voted for make that patently obvious?
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Will a vote for John Kerry be counted by aHartInterCivic eSlate3000 in Honolulu? - OT

2004-10-21 Thread Paul Schmehl
--On Friday, October 22, 2004 12:10:29 AM +1300 Nick FitzGerald 
<[EMAIL PROTECTED]> wrote:
Most of the non-US folk I've met in the last six months (and many US
citizens too) are downright petrified of a Bush re-election.
Better start adjusting to the idea, Nick.
Please - can we take this OFF list now? Thanks.
Had you followed your own advice by not posting your inflammatorily
ignorant off-topic opinion, you would not have prompted this (and
other) followups...
Too late now. :-)
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Will a vote for John Kerry be counted by a HartInterCivic eSlate3000 in Honolulu?

2004-10-21 Thread Paul Schmehl
--On Wednesday, October 20, 2004 10:36:06 PM -0500 "J.A. Terranson" 
<[EMAIL PROTECTED]> wrote:
FYI: This election *does* matter to people not in America.  If you haven't
noticed, the position of "President of the USA" is currently being played
by a power-crazed jesus freak who has a penchant for declaring war on
anyone who he thinks God might have a beef with.  And since this coward is
ostensibly in charge of a huge modern armed force, when he draws lots to
see which country he'd like to Christianize next, you could be the unlucky
contestant.
Getting this angry little bully away from both the nuclear and
conventional triggers should be a top priority for *every* country.
Yes, what we need in an American president is a sycophantic, indecisive 
appeaser so France, Germany and the UN can continue their graft, bribery 
and corruption with the Arab world without interference from those meddling 
idiots in America.

That way we can all be Islamo-fascists in a few years (except for the 
resisters and infidels who will be beheaded by those sensitive, righteous, 
true believers.)  Hope your SO likes wearing a burka and being 
bitch-slapped by your local politicians.

What's a few hundred million people in slavery anyway?
Idiot!
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Will a vote for John Kerry be counted by a Hart InterCivic eSlate3000 in Honolulu?

2004-10-22 Thread Paul Schmehl
--On Friday, October 22, 2004 10:32:34 AM -0400 Barry Fitzgerald 
<[EMAIL PROTECTED]> wrote:
I share similar concerns.  If we trace the "why" of this issue back
to its root (and discard conspiracy theories - which, given the attitude
of a certain voting machine company that begins with a 'D's executives,
would be impossible to discard) is that it comes down to the fact that
our (s)elected officials are more and more often coming from the
corporate power-base.
This is false.
<http://www.polisci.wisc.edu/~kritzer/teaching/ls415/Miller1993CP.htm>
The U.S. Congress has long been dominated by lawyer-politicians. Friedman 
notes that, "From 1780 to 1930, two thirds of the senators and about half 
of the House of Representatives were lawyers; the percentage seems to have 
stayed fairly stable" (Friedman 1985: 647). As Table 1 indicates, at the 
beginning of the 101st Congress in 1989, 184 members (42%) of the U.S. 
House of Representatives were lawyers (47% of the Democrats and 35 % of the 
Republicans). Sixty-three senators were lawyers, roughly equally 
distributed between the two parties (Ornstein, Mann, and Malbin 1990: 
20-21, 26-27). At the beginning of the 102nd Congress in January, 1991, 244 
of the 535 members of both houses (46%) claimed attorney as their 
profession (Congressional Quarterly Weekly Report 1/12/91: 118).

<http://www.c-span.org/questions/weekly30.asp>
There are more lawyers than any other profession in Congress - 217.  There 
are 184 businessmen/bankers, 124 public service/politicians (never had a 
real job), 99 educators, 28 farmers/ranchers, 24 realtors, 17 journalists, 
17 medical professionals, 10 law enforcement officers, 9 engineers, etc, 
etc., etc.

Please get your facts straight before posting to a public list.
There are two facts about corporate leadership: a)
Negate your responsibility and liability and b) the appearance of
legitimacy is all you need.
Using that filter, you can explain all of the actions and
perspectives of the current government.  Of course, this isn't a
statesmanly thing.
Nor is it a true thing, but I guess that's beside your point.
 This is why I support removing the right to run for office from
anyone who has served as an executive in a company.  Having served in
that capacity produces a mindset that is poisonous to the democratic
process.
I'll make a deal with you.  If I get to ban all lawyers from Congress, you 
get to ban all business persons.  Of course, if you're going to do that, 
you might as well just transfer the membership of the NEA, but I suppose 
*you'd* be all for *that*.

 This is not a "discriminatory" practice in the sense that being
elected is a right.  That's the first argument people throw at me.
They're stupid then.  It's just plain discriminatory in that it treats one 
class of citizens differently from all others.  You *do* understand *that* 
don't you?

However, it's an argument that is not grounded in reality.
Or common sense or logic either, but that doesn't seem to stop you for a 
second.

I'm sure glad you don't make the rules.
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Undetectable Virus from CANADA ISP 69.197.83.68

2004-10-22 Thread Paul Schmehl
--On  Farrukh Hussain <[EMAIL PROTECTED]> wrote:
Hi,
   Today I got e-mail from "69.197.83.68" CANADA ISP which has
undetectable virus. Well I downloaded this file but I didn't run it
because I know it is virus.
It's undetectable, and yet you detected it.
Imagine that.
It's the W32/[EMAIL PROTECTED] virus, and you really shouldn't make it available 
for download from the web.

You can complain to rogers.com if you want, but I doubt it will do any good.
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Slightly off-topic: www.georgewbush.com

2004-10-30 Thread Paul Schmehl
--On Saturday, October 30, 2004 11:46 PM +0100 n3td3v 
<[EMAIL PROTECTED]> wrote:
If bush gets voted in, bin laden will go, OK the enemy is bush/U.S gov
and the american people
I'm just curious.  How hard would someone have to work to become this 
stupid?  Is it a 24/7 exercise?  Or can you get some sleep as well?

Instead of parroting the stupid liberal line, what you ought to do is try 
reading a little.  Osama bin Laden made Americans the enemy about 15 years 
ago, *long* before Bush was even thinking about running for Governor of 
Texas, much less the President of the United States.

I am continually amazed by the stupidity of people who claim to be educated.
If kerry gets voted in, it will say the problem is the U.S gov and not
the american people.
If Kerry is elected, the French and Germans will rejoice, because they will 
know that they can engage in corruption and bribery with rogue states and 
stymie any attempt by the UN...oh, wait, the UN will be involved in the 
bribery and corruption, strike that.

The French and the Germans will know that they are free to do anything they 
want without interference from a weak, appeasing President who is afraid to 
risk a single life in the cause of freedom.

Of course, 25 million Afghans, who have democratically elected a President 
**of their choice** for the first time in their history might be a little 
disappointed, but who cares about them anyway, right?  They're about as 
important as those black muslims in Sudan that no one in Europe cares about.

Oh, and Iraq will have elected *their* first government by the time the 
President is sworn into office, but who cares about them either, right? 
After all, they don't have European blood, so they're essentially worthless 
anyway.

One more idiot joins the chorus of worldwide idiots.
I hope you get the idea.
Oh, yeah, I get the idea all right.  Bozo's international is enjoying a 
worldwide explosion in membership.

Now, PLEASE keep the damn politics off this list, because I assure you, I 
will not sit idly by and allow this kind of unadulterated crap to be spewed 
on this list without responding.

All replies to /dev/null.
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


RE: [Full-Disclosure] Authorities eye MSBlaster suspect

2003-08-29 Thread Paul Schmehl
--On Friday, August 29, 2003 3:47 PM -0500 Jerry Heidtke 
<[EMAIL PROTECTED]> wrote:
It looks like it took the FBI 6 days to find what took 10 minutes on
Google. Let's see, executable name is teekids.exe, here's a
script-kiddie that goes by teekid, he's got a web site called
t33kid.com, the whois for the domain gives his real name and address.
Enough probable cause to get a warrant right there.
Wow!  I'm glad you're not in charge of the Justice Department.  I would 
*hope* you need a little more proof than that.  Everything you've listed is 
purely circumstantial.  Wouldn't you at least like to have an IP linking 
him to the seeding of the worm?  Or is the mere presence of his "handle" 
enough to throw his ass in jail?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Authorities eye MSBlaster suspect

2003-08-29 Thread Paul Schmehl
--On Friday, August 29, 2003 3:43 PM -0700 Anthony Saffer 
<[EMAIL PROTECTED]> wrote:
Sorry for just jumping in here but I couldn't resist. Certainly, you have
to admit that there is such a thing as shared responsibility and
contributory negligence. Even the law recognizes these things. Sure, it's
the coders fault for creating and releasing the worm but the
administrators do bear SOME responsibility for not being proactive and
patching their systems. There have been cases of patches being available
for 6 months to a year and a worm coming along and cleaning house. How
can anyone say that the admin isn't partially responsible?
Absolutely the admins are at least partly responsible for the damage caused 
to their own systems (and I would argue the greater the time since a patch 
was released the more responsibility they bear) and for damage they cause 
to other systems.  But for the worm itself?  Absolutely not.

Sure, in a
perfect world, we wouldn't have to worry about patching our systems and
all would be well. But we don't live in a perfect world and every
computer admin should know how to patch his system. If he/she doesn't
then they shouldn't have their job. There is, after all, such a thing as
preventative action.
In a perfect world, admins would get to implement the practices they know 
to be best for their organization.  We don't live in a perfect world. 
Oftentimes admins' hands are tied by the decision makers who control the 
purse strings.

We still have infected hosts in the student apartments.  Would you blame 
the admins for that?  By law they are not allowed to support the students' 
personal computers.  The best they can do is deny them network access until 
they're fixed.  So the damage is limited to our network and doesn't go out 
to the world.  Yet you would have them fired for incompetence.  The admins 
know exactly what to do to protect a system.  In this case they aren't 
allowed to do it.

Yet, if the worm writer hadn't released the worm, the problem wouldn't even 
exist, would it?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


RE: [Full-Disclosure] Authorities eye MSBlaster suspect

2003-08-30 Thread Paul Schmehl
--On Friday, August 29, 2003 1:14 PM -1000 Jason Coombs 
<[EMAIL PROTECTED]> wrote:
Before we can make progress in a discussion of blame we have to get the
analogy right.
So, are you responsible for all five copies of this message?  :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Authorities eye MSBlaster suspect (longreply)

2003-08-30 Thread Paul Schmehl


--On Friday, August 29, 2003 15:49:43 -0700 Chris DeVoney 
<[EMAIL PROTECTED]> cast his pearls before swine and wrote:
In short, yeah, what you suggest is true but now let's talk about a part
of the real world that is examined infrequently.
Well stated, but an absolute waste of time on this list.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Authorities eye MSBlaster suspect

2003-08-30 Thread Paul Schmehl
--On Friday, August 29, 2003 7:13 PM -0400 [EMAIL PROTECTED] wrote:
You're totally missing the point.

And this surprises you?
If I'm doing security 30 hours a week, that's 30 hours a week I'm not
available for other things.
[skip the long litany of *other* things you could be doing]

In case anybody thinks that Valdis is somehow bragging, forget it.  The 
many roles he is expected to fulfill are typical in a university 
environment.  There *is* no such thing as "an intrusion detection 
specialist".  Everyone in edu wears many hats - most of which are fulltime 
jobs in their own right.
And you can't weasel out by saying "Hire somebody else to do that other
stuff"  or "hire somebody else to do security" - the point is that if we
did hire somebody else, then we'd only have 1 person of the 2 available
for productive work.  If we didn't have to keep spending resources on
security, BOTH people would be available then.
That won't stop anyone from trying though.  They actually think 
"security" is the stuff you *should* be doing, not helping your users be 
more productive.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Authorities eye MSBlaster suspect

2003-08-30 Thread Paul Schmehl
--On Saturday, August 30, 2003 9:24 AM -0500 Michael D Schleif 
<[EMAIL PROTECTED]> wrote:
OK, they nabbed a nickel-bagger; let's not get carried away!

This kid is small potatoes, compared to other vermin spreaders, and we
-- on this list, at least -- know that as fact.
It's one thing to make an example of this kid; it's quite another thing
to put a lid on this whole wormy Internet thingy . . .
Trust me, work is being done to catch other ones as well.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] MS Blaster author / morning_wood misinformed

2003-08-30 Thread Paul Schmehl
--On Saturday, August 30, 2003 6:22 PM +0200 Peter Busser 
<[EMAIL PROTECTED]> wrote:
I don't know about US, Canadian, German or Chinese law. But in Dutch law
there is a big difference between entering a house and stealing stuff and
breaking into a house and stealing exactly the same stuff. Apparently the
house owner has a responsibility of his own.
And the difference is?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] MS Blaster author / morning_wood misinformed

2003-08-31 Thread Paul Schmehl
--On Sunday, August 31, 2003 1:32 AM +0200 yossarian <[EMAIL PROTECTED]> 
wrote:
Bit sad this has to be explained. Think some people in security need some
legal training.
Really?  I prefer not to assume things, which is why I asked him for 
clarification.  Perhaps you assume laws are the same everywhere.  I don't.

In the context of the discussion, however, it seemed that he was saying 
that entering an unlocked house is not a crime in his country.  That is why 
I asked for clarification.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Bill Gates blames the victim

2003-08-31 Thread Paul Schmehl
--On Sunday, August 31, 2003 12:31:03 -0300 [EMAIL PROTECTED] wrote:
And what about the flaws MS probably found during the code audit and that
were never published? I would like to see MS releasing patches/fixes for
flaws they found during these audits. Or did they find none?
The only thing we know for certain is that they didn't find them all.  That 
point has been driven home decisively by Blaster and Nachi.

During the launch of Windows XP, Microsoft announced that they had 
"eliminated" buffer overflows in Windows XP (using a commercial tool that 
they had purchased.)  One month later eEye announced what I still believe 
to be the most devastating hole in Windows, the UPnP vulnerability.  It 
hasn't been exploited like RPC DCOM has, but it's an even more serious 
vulnerability.

How many more are lying around waiting to be exploited?  It's obvious that 
Microsoft doesn't know.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Virus, whether the scanners say so or not?

2003-09-01 Thread Paul Schmehl
I guess you didn't use McAfee, right?

The item wupdated.zip has been replaced because it was infected by the 
W32/Sdbot.worm.gen virus

--On Monday, September 01, 2003 09:09:01 -0400 "Scott Phelps / Dreamwright 
Studios" <[EMAIL PROTECTED]> wrote:

I just got this from a co-workers computer. I've run it against 4 virus
scanners I have around (after running each one's definition update) and
nothing recognized it.
It really looks like W32.HLLW.Moega
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] SMC Router safe Login in plaintext

2003-09-03 Thread Paul Schmehl
--On Wednesday, September 03, 2003 17:14:04 -0500 "C. Church" 
<[EMAIL PROTECTED]> wrote:
Did you read what you just said?  How many ISPs have you called where they
would "Tell you what your password is"?  If your ISP can tell you what
your password is, let us know who it is, so we can all avoid them in the
future.
SBCGlobal.net, ATT.net to name two big ones.

Answer: they don't need to know your old password to change your password.
It's called permissions, and privileged access.  As root, or a privileged
user, I can change anyone's password without having to know the old one.
No, really?  I would have never guessed.

Think about it.
OK, I thought about it.  Now what do I do?

BTW, when I say "tell you what your password is", what I mean is something 
like this, "Mr. Schmehl, your password is 1234qwer.  Are you sure you're 
typing it right?"

Doh!

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] new virus: (fwd)

2003-09-20 Thread Paul Schmehl
--On Saturday, September 20, 2003 12:15 PM +0530 morning_wood 
<[EMAIL PROTECTED]> wrote:

attached virus spoofing microsoft network security update
file is .zip password is "infected"
email body follows
Thanks, morning.  The other 137 copies I got weren't zipped, so this is 
obviously something new.  ;-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread Paul Schmehl
--On Monday, September 22, 2003 2:13 PM -0700 security snot 
<[EMAIL PROTECTED]> wrote:

"Detect intrusions" - if you can set an IDS signature for something, then
you shouldn't be vulnerable to it.  So the functionality of IDS is to tell
you when you've been compromised by six-month old public vulnerabilities
that dvdman has finally gotten his hands on an exploit for, that you never
bothered to patch for?
Useless.
You bring new meaning to the word "idiot".

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly

2003-09-26 Thread Paul Schmehl
--On Friday, September 26, 2003 10:06 PM -0300 Fabio Gomes de Souza 
<[EMAIL PROTECTED]> wrote:
Virues have never been a threat for Open Source systems, since they
(viruses) use vulnerabilities that get fixed by users *regardless* of
some company liking or not.
Nick???  This is your cue.  :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] RE: Probable new MS DCOM RPC worm for Windows

2003-09-26 Thread Paul Schmehl
--On Friday, September 26, 2003 7:28 PM -0400 Cael Abal <[EMAIL PROTECTED]> 
wrote:
Personally, I'm of the opinion that if a person doesn't have admin privs
on a machine, they shouldn't be expect to *cough* /administrate/ it.
Ah, but there's a big difference between being an "administrator" on a box 
and trying to find out how many "administrators" haven't done their job 
lately.

I realize that in a school environment it's not that simple (you can't
really stand by while the worm du jour has its way with your campus
network) but really, the student subnets are virtually guaranteed to be
a wasteland of Mad Max-like proportions no matter what you do, no?
Isn't your only real weapon a set of very enthusiastic edge filters?
Those aren't the only weapons.  Good sound security policy is by far the 
biggest one.  Education is another (don't think classroom, think 
experience.)  Lose access to the network a time or two, spend a little time 
in the Dean of Students office and you begin to appreciate timely patching 
and up to date virus protection and copyright violations, etc., etc.

We're working on a "jail vlan" concept now, where "evil" computers go. 
They get access to email (so they can beg for forgiveness), a web page that 
says, "You naughty, naughty boy" and access to one website - their vendor 
of choice's patch site - so they can fix their problem.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Rootkit

2003-09-26 Thread Paul Schmehl
--On Friday, September 26, 2003 11:25 PM + Nate Hill 
<[EMAIL PROTECTED]> wrote:

On Fri September 26 2003 20:57, David Hane wrote:
...
Also, am I the only one who is totally exhausted from trying to
keep up with the last couple of week's patch frenzy? I would have
had my last server patched before the attack but things like,
sleep, food, and bathroom time got in the way :-)
You could always install NetBSD.
And do what?  Not patch openssh?  Three times in the last week???

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Rootkit

2003-09-26 Thread Paul Schmehl
--On Friday, September 26, 2003 5:43 PM -0600 Bruce Ediger 
<[EMAIL PROTECTED]> wrote:
In a later message, you said it was a Solaris rootkit.  Not all Solaris
root kits have a name:
Have you downloaded sidekick.sh?

<http://www.sun.com/solutions/blueprints/tools/fingerprint_license.html?redirect=false&refurl=http://wwws.sun.com/software/security/downloads.html>
It's a very nice tool for Solaris that Sun provides for free.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] RE: Probable new MS DCOM RPC worm for Windows

2003-09-27 Thread Paul Schmehl
--On Saturday, September 27, 2003 7:30 AM -0400 Karl DeBisschop 
<[EMAIL PROTECTED]> wrote:
I imagine mail out of that subnet passes through a proxy server with
spam and virus detection.
Yes.  And they will get an entirely different DNS server (through DHCP) 
that will only resolve the hosts that we want them to resolve.  :-)

This is a cute concept Paul. You've got a pretty challenging environment
there, and this looks like a creative and functional help for you. It
will be interesting to hear how well this ends up working for you and
what evolution it goes through. For instance, if your security policy
includes supporting diversification, you could add connections to
mirrored Linux and/or (Net|Free|Open)BSD distros (which would be easy
enough to mirror locally).
That's the plan, although the focus right now is completely on the 
Microsoft clients.  I recently suggested that we should switch all MS 
clients to Mac OS X.  :-)  They actually didn't laugh this time.

We already are pretty diversified.  Our "backoffice" stuff is primarily 
Solaris, but we've got plenty of Linux flavors, HP_UX, SGI, FreeBSD, 
OpenBSD, etc.

Maybe this concept is already widely in use at academia. If it is not,
it may soon be.
The ideas along this line have been floating around for some time and 
variations of it have been implemented during the Blaster mess, but I 
haven't seen this *exact* idea espoused.  Don't misunderstand.  It's not 
really my idea.  It's more a result of ongoing discussions amongst a group 
of us, with me and others throwing out various thoughts and input from a 
number of mailing lists that we read, all thrown together into a stewpot 
and stirred vigorously.  :-)

The implementation will require the skills of other people.  I'm not a DNS 
expert nor a switching/routing expert, but we have guys that are, and 
they're figuring out the implementation now.

Essentially what would happen is a person's MAC address would end up in the 
"evil" file and their connection would be killed.  Then DHCP would see 
their next REQUEST and ACK an address in the "evil vlan" (10.x.x.x so they 
can't serve anything or get off campus without translation) with a special 
DNS server that resolves the vendor's patch site, our gateway mail server 
and a web page that warns them of the problem.  Eventually mirroring could 
enter into the equation as well.  We already mirror all MS patches and AV 
stuff locally anyway.

As much as possible we're trying to eliminate work for us and put the onus 
on the user to fix their problem, with help from IT if they need it.

Eventually I can see us putting hosts in there that have been hacked, 
tagged, infected, whatever.  Personally I'd like to put them in there if 
they're simply vulnerable, not hacked, but I haven't yet persuaded the 
powers that be that we should be that "draconian".  (I prefer to see it as 
proactive.)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
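
The jail VLAN sketched in the two quarantine posts above (a MAC address lands in the "evil" file, DHCP hands that client an address in a private subnet, and a special DNS server resolves only the vendor patch site, the gateway mail server and the warning page) maps directly onto ordinary ISC dhcpd and dnsmasq configuration. The generator below is an added example written for this page, not UT Dallas's implementation or any tool named in the thread; using dnsmasq as the walled-garden resolver is my choice, and every subnet, address and hostname in it is an assumed placeholder.

```python
"""Build the "jail VLAN" plumbing from a list of offending MAC addresses:
an ISC dhcpd class keyed on MAC, a separate pool in a private subnet, and
a walled-garden dnsmasq that only resolves what the quarantined user needs."""
import re

# Constructed sample of the "evil" file: one MAC per line, in whatever
# notation the tool that caught the host used, with a duplicate and a comment.
SAMPLE_EVIL_FILE = """\
# hosts flagged on 2003-09-27 (constructed data)
00:11:22:33:44:55
00-11-22-33-44-55      # same host, dash notation
0011.2233.aabb         # Cisco-style notation
"""

# All addresses and names below are assumptions for this example.
PROD = {"subnet": "10.1.0.0", "netmask": "255.255.0.0",
        "range": ("10.1.1.10", "10.1.254.250"), "router": "10.1.0.1", "dns": "10.1.0.53"}
JAIL = {"subnet": "10.99.0.0", "netmask": "255.255.255.0",
        "range": ("10.99.0.10", "10.99.0.250"), "router": "10.99.0.1", "dns": "10.99.0.2"}
PORTAL_IP = "10.99.0.3"        # the "you naughty, naughty boy" web page
UPSTREAM_DNS = "10.1.0.53"     # real resolver, used only for the allowed names
ALLOWED_NAMES = ["windowsupdate.microsoft.com", "download.microsoft.com",
                 "mail.example.edu"]   # patch site and gateway mail server (assumed)


def normalize_mac(mac):
    """Accept colon, dash or dot separated MACs; return lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_evil_file(text):
    """Parse the evil file; the same host in different notations collapses to one entry."""
    macs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            macs.add(normalize_mac(line))
    return sorted(macs)


def dhcpd_conf(macs, prod, jail):
    """ISC dhcpd: quarantined MACs may lease only from the jail pool; nobody else may."""
    out = ['class "quarantine" {', '  match hardware;', '}']
    # "1:" is the hardware type (Ethernet) that dhcpd prepends to the client MAC.
    out += [f'subclass "quarantine" 1:{mac};' for mac in macs]
    for net, verb in ((prod, "deny"), (jail, "allow")):
        out += [
            f'subnet {net["subnet"]} netmask {net["netmask"]} {{',
            "  pool {",
            f'    {verb} members of "quarantine";',
            f'    range {net["range"][0]} {net["range"][1]};',
            f'    option routers {net["router"]};',
            f'    option domain-name-servers {net["dns"]};',
            "  }",
            "}",
        ]
    return "\n".join(out) + "\n"


def dnsmasq_conf(allowed, portal_ip, upstream):
    """dnsmasq for the jail: allowed names go upstream, every other name lands on the portal."""
    out = ["no-resolv", "domain-needed", "bogus-priv"]
    out += [f"server=/{name}/{upstream}" for name in allowed]
    # '#' matches every name not handled by a more specific server= line above.
    out.append(f"address=/#/{portal_ip}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    macs = load_evil_file(SAMPLE_EVIL_FILE)
    print(dhcpd_conf(macs, PROD, JAIL))
    print(dnsmasq_conf(ALLOWED_NAMES, PORTAL_IP, UPSTREAM_DNS))
```

Running it prints both files. The production pool denies the class and the jail pool allows only it, so once a MAC is in the file the client can get nothing but a jail address; as the post notes, the existing lease still has to be dropped first so the client comes back through DHCP. In the dnsmasq file the `address=/#/` line answers anything not matched by a more specific `server=` line with the portal address, so a quarantined browser reaches the warning page whatever name it asks for, while the patch site and mail gateway resolve for real.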


[Full-Disclosure] Does Swen forge the sender? WARNING - LONG POST

2003-09-27 Thread Paul Schmehl
p 2003 10:38:18 -0400
Message-Id: <[EMAIL PROTECTED]>
Received: from tmvav ([213.97.150.28]) by tsmtp5.mail.isp
 (terra.es) with SMTP id HLVN7N01.FO3; Sat, 27 Sep 2003 16:35:47 
+0200
FROM: "Microsoft Security Center" <[EMAIL PROTECTED]>
TO: "Commercial Partner" <[EMAIL PROTECTED]>
SUBJECT:
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="kbeceexggkugyd"

--kbeceexggkugyd
Content-Type: multipart/related; boundary="foudxvmnxeo";
type="multipart/alternative"
--foudxvmnxeo
Content-Type: multipart/alternative; boundary="mxdpvsxsnxqyeaia"
--mxdpvsxsnxqyeaia
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Microsoft Partner

this is the latest version of security update, the
"September 2003, Cumulative Patch" update which resolves
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express.
Install now to continue keeping your computer secure.
This update includes the functionality =
of all previously released patches.
So how does the first bounce get to me?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] RE: Probable new MS DCOM RPC worm for Windows

2003-09-27 Thread Paul Schmehl
--On Saturday, September 27, 2003 2:53 PM -0400 Karl DeBisschop 
<[EMAIL PROTECTED]> wrote:
As food for thought, what if you took an OS that gave you a little
latitude - say Mandrake Linux, which is considered fairly user
friendly, and said "If you install this, the default configuration will
automatically download and install updates as they come from the vendor"
(after UT has done some light verification I'd assume).
That's actually been done at some edus.

Not that you or I would likely want this on our desktop, but maybe some
of your students would. And again, unless their job is computing, I
don't think that wish is totally ill-founded.
One problem would be that it would be hard then to avoid some degree of
responsibility for the quality of the patches.
That's the real sticking point.  Whenever these types of discussions arise 
(which is often right after another MS debacle) two concerns are raised. 
As a state agency, we by law cannot work on personal equipment on state 
time.  This means that we cannot support student computers.  (Despite this 
prohibition we do provide small levels of support if they bring their 
computer to our help desk.)  Secondly there is a real concern that if we 
provide them with any software through any kind of automated methodology 
that we then become liable for anything that goes wrong.

I suppose you could allow students to sign up for a UT-sponsored
SMS-style software push for windows. And in the long run, the cost might
be less than some of the other efforts you have to undertake to secure
things. But the initial outlay might be daunting.
We've talked about providing them with access to SUS and possibly even SMS, 
but no decision has been made.  I suspect we'll end up not doing it.  It's 
much less troublesome (WRT the two issues I mentioned above) to simply 
quarantine them when they have a problem and let them figure out the 
solution on their own or with our assistance.

Just sort of thinking out loud -- all these require additional work on
your part. But there may be some useful middle ground.
I'm a big believer in doing work now to allow us to do less work later. 
IOW being proactive rather than reactive.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Antigen Notification:Antigen found VIRUS= Exploit-MIME.gen (NAI,C A(Vet)) virus (fwd)

2003-09-27 Thread Paul Schmehl
Antigen gets my vote for the most braindead AV gateway software.  There 
were *no* attachments in my message, only headers that are used for 
attachments.  You'd think they could at least look for some base64 encoding 
before barfing.

Sheesh!

 Forwarded Message 
Date: Saturday, September 27, 2003 2:50 PM -0400
From: ANTIGEN_SSUMUSR01 <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: Antigen Notification:Antigen found VIRUS= Exploit-MIME.gen (NAI,C 
A(Vet)) virus

Antigen for Exchange found Body of Message infected with VIRUS=
Exploit-MIME.gen (NAI,CA(Vet)) virus. The file is currently Removed.  The
message, "[Full-Disclosure] Does Swen forge the sender? WARNING - LONG
POST", was sent from Paul Schmehl and was discovered in Realtime Scan
Job\Public Folders\Staff Functions\Information Technology\IT
Security\Mailing Lists\Full Disclosure located at PPG/BRAZIL/SSUMUSR01.
This email message is for the exclusive use of the recipient (s) and may
contain confidential and privileged information. Any unauthorized review,
use, disclosure, copying, action taken in reliance on the contents or
distribution is strictly prohibited. If you received this email in error,
contact the sender by reply email and destroy all copies of the original
message.
------ End Forwarded Message --



Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly

2003-09-28 Thread Paul Schmehl
--On Sunday, September 28, 2003 8:14 AM -0400 Karl DeBisschop 
<[EMAIL PROTECTED]> wrote:
Crunchy shell, soft-chewy insides?

I don't think "we" as a "security community" have even begun to tackle this 
problem.  We talk about it, but who is *really* doing it?  For example, if 
you want to network machines you *have* to use SMB/NetBIOS for Windows, NFS 
for Unix, CIFS, or something similar.  Who is really looking at how to be 
secure while still allowing internal machines to talk to each other? 
Certainly none of the above protocols qualify as secure.

When a machine is problematic, for whatever reason, the usual reaction is 
"block it at the firewall".  But that doesn't protect that machine from 
*other* internal machines.  It only protects it from the outside.  Oh, you 
might have a firewall that cordons off accounting from the rest of the 
enterprise, but *inside* accounting, you still have the "soft, chewy" 
problem.

I haven't really seen anything that addresses this problem, and I'm not 
aware of anyone who is working on solving it.  For the most part security 
thinking is still in the middle ages - build a castle with moats and outer 
defensive rings, and staggered entrances to make it hard for the enemy to 
get it.  Once he gets in, what does current security thinking offer?  Not 
much.

What we need is a paradigm shift in thinking.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly

2003-09-28 Thread Paul Schmehl
--On Sunday, September 28, 2003 8:04 PM +0200 Michal Zalewski 
<[EMAIL PROTECTED]> wrote:
I'd argue... many vendors (Okena aka Cisco, BlackICE aka ISS, etc)
provide integrated corporation-wide mechanisms for enforcing group
firewalling, access and logging/IDS policies on workstations or groups of
workstations (and, why not, also servers).
The problem is that you cannot "firewall" the networking protocols.  Okena 
and other products like it make a good attempt at stopping attacks, but 
they are outrageously expensive for the most part.

I'm arguing that more thinking and planning needs to go in to the 
networking part of the equation (not TCP/IP but file sharing/authentication 
protocols.)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Re: Pudent default security

2003-09-28 Thread Paul Schmehl
--On Sunday, September 28, 2003 10:20 PM -0400 "[EMAIL PROTECTED]" 
<[EMAIL PROTECTED]> wrote:

I would add yet another take on this.

[snipped a lot of good thinking]
I think that the problem is not the protocol or the application. It is a
fundamental lack of understanding of the security model and the network
as a whole.
Yes, that is what I was trying to say, however lamely.  The preponderance 
of discussions and papers on security today focus on the network and how to 
control the flow of data/packets.  But in the final analysis, the problems 
always come down to the individual machine, be it server or workstation. 
Why aren't security ideas focusing on that problem primarily?  Oh, we all 
know you shouldn't run unnecessary services, but that's about as far as the 
wisdom goes.

SANS has made some efforts in this area with their best practices 
documents, but where is the software development to address it?  The 
Bastille is about the only thing I can think of off the top of my head that 
even attempts to address this area.  The OS vendors are beginning to come 
around to the off-by-default model (slowly), but protecting what *must* be 
on (such as CIFS, SMB, NFS) is still a laborious (or outrageously 
expensive) process when you're trying to do it on an enterprise level.

IMO the vendors should be providing these types of tools as an integral 
part of the OS in addition to shipping in an off-by-default model.  It 
should be trivial to "do security" in an OS.  (It still blows my mind that 
every WinXP box comes with UPnP on by default.  RPC I can *almost* 
understand, but UPnP???)  I'm saying we need a paradigm shift in *thinking* 
about how an OS should be configured out of the box *and* a paradigm shift 
in the ease of configuration on an enterprise level.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly

2003-09-29 Thread Paul Schmehl
--On Monday, September 29, 2003 21:49:26 -0300 Rodrigo Barbosa 
<[EMAIL PROTECTED]> wrote:
As some may recall, my original statement was an answer to someone that
was pointing out that Unix is more secure than Windows (I agree up to this
point), and gave an example telling that there are still several Code Red
vulnerable machines around. This is the point I was commenting about. And
you do have to agree that if a machine, today, is still vulnerable to
Code Red, it is mostly due to a fault of the administrator.
I'm going to pick one small nit with you.  There is another possible guilty 
party.  In some cases, at least in edu and medical centers (that's what I'm 
familiar with) the *vendor* is at fault.  Some vendors will not certify 
their scientific instruments with the latest Service Packs and patches, 
leaving the admins no other choice but to find some other way to protect 
the machine.  (Hell, we sometimes have trouble getting vendors of 
*security* devices to support their products with the latest SPs and 
patches.  (Which is another reason that I dislike putting security-related 
software on Windows boxes, but sometimes you simply have no choice.)

Case in point, I just today helped a professor set up a small SOHO router 
to protect three machines, one running NT 4.0 SP3, another running Win2k 
SP2 and a third running Win98.  All three machines are controlling six 
figure scientific instruments, and all three are as vulnerable as can be. 
The "admins" are professors whose job it is to discover new things in 
science, *not* secure computing equipment.  But the reason the machines are 
vulnerable is because of the vendor, not because we choose to keep them 
that way.  Now they're safely tucked away, nated and firewalled, and there 
is no access to them from our network, much less from the internet.

So, while I agree with you that in *many* cases, if a box is vulnerable to 
Code Red, it is the admins' fault, that is not true in *every* case.  (It 
*is* the admins' fault if they don't solve the problem somehow, however.)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly

2003-09-29 Thread Paul Schmehl
--On Monday, September 29, 2003 19:30:24 -0600 Bruce Ediger 
<[EMAIL PROTECTED]> wrote:
I realize you're from Texas and everything, but are you nuts?
An 8-year old with a handgun should cause vast feelings of insecurity
in you, with or without proper training on her part.
Hmmm...I am from Texas, and I can tell you that many an eight year old 
learns to handle firearms down here.  Not all of Texas is citified, you 
know.  We still have a lot of open range with coyotes and ground hogs and 
other things to shoot at.

Besides that, what do you mean by "proper safety training" for a computer
used?  If you mean the failed "don't click on any attachments, don't
open email from someone you don't know" recipe-style of training, then no
to that too.
No, I meant proper security training.  Is that so hard to understand? 
Regardless of the OS, every user should know how and why to patch.  Every 
user should understand what social engineering is, how to detect it and 
what to do about it.  Every user should understand physical security, 
locking your workstation, why you should logout and when, etc., etc.  Every 
user should understand the basics of malicious code, how to spot it, what 
to do about it, how to recognize hoaxes, where the resources are when they 
need help.

Without user training and an educated user community, no security program 
can ever hope to succeed.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Snort-sigs] Re: [Full-Disclosure] Mystery DNS Changes

2003-10-03 Thread Paul Schmehl
--On Thursday, October 02, 2003 6:29 AM -0500 Paul Tinsley 
<[EMAIL PROTECTED]> wrote:

Someone brought to my attention that I neglected udp (thank you Adam),
sorry about that I was in a hurry when I posted this, there is another
just like the tcp one that says udp :)  Both are being triggered by the
clients affected as one would expect, so for full coverage, do both.
Wouldn't it make more sense to use:

alert ip $HOME_NET any -> $MAL_DNS 53 blah, blah, blah

instead of having two rules?

(That's what I'm using, and it's working fine.)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Snort-sigs] Re: [Full-Disclosure] Mystery DNS Changes

2003-10-03 Thread Paul Schmehl
--On Friday, October 03, 2003 20:10:08 -0500 Paul Tinsley 
<[EMAIL PROTECTED]> wrote:

Yep it would, I threw those up real quick just to try and get some
visibility as to how much we were being affected by it.  Didn't put much
thought into it.  Just out of curiosity how many of those out there who
are using this or other similar rules are still seeing traffic to those
servers?  I have seen a steady flow of them even though the servers that
were distributing the malicious code seem to be down. I have written
a script that gives me (from proxy logs) the union of all URLS visited by
those "infected" and I can't seem to track down a common url that looks
to be an infection vector.  Has anybody seen a mail based version of this?
We have three boxes in the student residences that are attempting to 
resolve using those addresses.  I don't think there's a new infection 
vector.  I think these are boxes that went to the Fortunecity site before 
it was taken down and so got infected.

They can't be resolving hosts now, so it's amazing to me that they haven't 
complained about it, but there you go.  Some students can go for months 
without reporting a problem.  ???

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Mystery DNS Changes

2003-10-03 Thread Paul Schmehl
--On Friday, October 03, 2003 18:39:31 -0400 Mike O'Connor 
<[EMAIL PROTECTED]> wrote:

I have the described behaviour when visiting google.com, but have
neither the aolfix.exe nor registry entries, on my XP box.  Where would
one find the registry entry for the current DNS(s)?
They aren't in the registry.  The google redirection is done in the HOSTS 
file.  Search your hard drive for "hosts" and look at those files with 
notepad.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Internet Explorer (BAN IT !!!)

2003-10-08 Thread Paul Schmehl
--On Thursday, October 09, 2003 07:54:08 +1000 gregh <[EMAIL PROTECTED]> 
wrote:

- Original Message -
From: "Stephen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 09, 2003 5:19 AM
Subject: [Full-Disclosure] Internet Explorer (BAN IT
It becomes really dangerous to use IE ...

http://www.k-otik.com/WMPLAYER-TEST/

God bless Mozilla

http://www.mozilla.org/



Your test didn't work on my IESP1 under XP with all patches excepting
811394. Absolutely no effect on WMP. My original WMP remains and works.
Didn't work on my FreeBSD 4.8 box with Mozilla either. :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Port 135 scans, IDS/incidents mailing lists

2003-10-09 Thread Paul Schmehl
--On Thursday, October 09, 2003 17:54:16 -0400 Damian Gerow 
<[EMAIL PROTECTED]> wrote:

First off, has anyone noticed a massive increase in port 135/tcp scans?
We're seeing tons of packets spewing out of some of our customers:
There's been discussions about it on the intrusions list.

[EMAIL PROTECTED]

List-Subscribe: <mailto:[EMAIL PROTECTED]>

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] NASA.GOV SQL Injections

2003-10-18 Thread Paul Schmehl
--On Saturday, October 18, 2003 1:50 PM -0400 [EMAIL PROTECTED] wrote:

On Fri, 17 Oct 2003 10:24:59 CDT, "Schmehl, Paul L" said:

No offense meant to the fine IT people at NASA, but do you seriously
believe that the one-percenters are securing the network?  As opposed to
say, figuring out how to land a rover on Mars, how to keep astronauts
alive in space, how to overcome the long-term negative effects of zero
gravity, etc., etc.???
If the IT people are busy figuring out how to land a rover etc, then:

a) What the f--k are the *scientists* doing?
b) Who's busy keeping the IT going while the scientists aren't doing the
stuff the IT people are doing instead of their jobs?
I continue to be amazed at how misunderstood this was.  The post to which I 
was responding suggested that the "one percenters" were protecting the NASA 
network.  My response was that the one percenters would be the scientists, 
working on space projects, not the IT people protecting the network.  Not 
that NASA wouldn't have good or even great IT people, but geniuses work on 
space physics.  They *don't* do the grunt work of securing networks.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] NASA.GOV SQL Injections

2003-10-19 Thread Paul Schmehl
--On Sunday, October 19, 2003 2:25 AM -0400 [EMAIL PROTECTED] wrote:

On Sat, 18 Oct 2003 23:34:38 CDT, Paul Schmehl <[EMAIL PROTECTED]>  said:

Better have at least one genius over in IT doing security rather than
space physics, or you'll be screwed anyhow..  Those grunt workers need
direction. :)
I could be wrong, but I don't think geniuses work in the trenches.  I think 
they do research.  I'm not aware of any geniuses in security.  Are you?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] No Subject (re: openssh exploit code?)

2003-10-20 Thread Paul Schmehl
--On Monday, October 20, 2003 5:19 PM -0700 "Gregory A. Gilliss" 
<[EMAIL PROTECTED]> wrote:

Hi,

Maybe I missed something here...

No, you didn't.

I'm an assembler jockey from BITD and I know a few things about alloc/
calloc/malloc and heaps and stacks etc. So what's the key, may I ask,
to this heap exploit that was the origin of this thread?
You're never going to find that out, Gregory, because mitch, our l33t code 
monkey, is keeping the code to himself.  Now mind you, he *assures* us that 
it's easy to 'sploit, so we're just gonna have to take his word for it.

But you'd better patch now, 'cause he's gunnin' for ya.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Re: No Subject

2003-10-21 Thread Paul Schmehl
--On Wednesday, October 22, 2003 1:20 AM +0200 Michal Zalewski 
<[EMAIL PROTECTED]> wrote:
Rant: mainstream Linux is generally not all that enthusiastic about
implementing security features (even non-executable stack or using some
feeble but standard kernel security capabilities is quite unpopular in
major distributions). Adding translucent buttons to KDE/GNOME seems to be
the top priority.
Am I the only one on the list who immediately thought of Microsoft when 
reading this rant?
:-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: Linux (in)security (Was: Re: [Full-Disclosure] Re: No Subject)

2003-10-22 Thread Paul Schmehl
alware follows negligent users, 
*not* OSes.

Shouldn't we focus our efforts on figuring out what aspects of Linux or
Mac cultures keep epidemics from occurring?  It's certainly a waste of
breath to point out that OS X has horrendous security flaws when none of
them turn into grotesque epidemics like Sobig.f.
Well, think about it for a minute.  You're going to write a virus that's 
designed to trojan machines so you can use them in a massive distributed 
spam network.  What do you attack?  The 5 million Mac machines worldwide? 
Or the 150 million Windows boxes?  If your rate of success is 1 in 500, you 
get 2,000 bots with Mac and 300,000 with Windows.  Which would you choose?

I don't doubt that there is some politicization in malware production 
(people who hate Gates and his OS and want to embarrass him any way they 
can), but most malware authors are simply trying to get the most bang for 
the buck, if you will.  They'll follow the desktop crowd wherever it leads 
them.  And they won't have any more difficulty infecting KDE users than 
they do Windows users.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] RE: Linux (in)security

2003-10-23 Thread Paul Schmehl
--On Thursday, October 23, 2003 02:34:35 PM -0500 Ron DuFresne 
<[EMAIL PROTECTED]> wrote:
There's a vast difference in having to backout patches in complex
production env;s and having a poor patch affect all or most every end
desktop/home users system too though.
And I don't recall the last time that we had to back out a patch in an over 
3500 Windows machines environment.  In fact, in the last seven years, I can 
only recall two incidents where a patch had to be backed out, and both of 
those were servers with special applications on them.

I'm not saying that it doesn't happen.  It's just not as ubiquitous as some 
seem to think it is.  There isn't a vast difference between patching 
Windows and patching *nix.  At least not in my experience, which includes 
every version of Windows, RedHat 7-9, Solaris 7-9, OpenBSD 2.6-3.2, FreeBSD 
4.7-5.1, Mac OS 6-X and Gentoo.  (I've installed others but don't have much 
patching experience on them because I usually dumped them quickly because I 
didn't like them.)

Every OS has its problems, and every OS has to be patched.  And patching is 
a PITA no matter what OS it is.  Some are just more of a PITA than others.

The myth of the vast superiority of *nix over everything else (WRT security 
and patching) is just that - a myth.

But this conversation has been going on for over 20 years and nothing has 
ever been settled.  Nor will it be.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security

2003-10-23 Thread Paul Schmehl
widely 
used application that hasn't had at least *one* patch released for a 
security problem, can you?  (Even Postfix had a remote DoS recently, which 
really depressed me.)

Don't get me wrong.  My favorite OS right now is FreeBSD.  And I believe 
that open source is superior to closed, proprietary source, for a number of 
reasons.

But they all have problems, and they all need to be fixed from time to time 
and they *all* need to improve their security procedures and code auditing 
and programming practices.  Every one of them.

What we need is a sea change in the way OS vendors do business.  Not OS 
bigotry and constant sniping about who's worst and who's best.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security

2003-10-23 Thread Paul Schmehl
--On Thursday, October 23, 2003 7:10 PM -0400 Andy Wood 
<[EMAIL PROTECTED]> wrote:

Paul should know better than most.  He sits on his ass all day
reading/replying to posts instead of fixing the almost insurmountable # of
vulns in his domain.
And I get paid well for doing it, which obviously galls you.  :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [inbox] Re: [Full-Disclosure] RE: Linux (in)security

2003-10-23 Thread Paul Schmehl
--On Thursday, October 23, 2003 5:11 PM -0700 Dan Wilder <[EMAIL PROTECTED]> 
wrote:
Among those advisories you mention on the Linux sites, I see subjects
including tomcat4, openssl, freesweep, marbles, gopher, sendmail,
mah-jong, wu-ftpd, exim, perl, phpgroupware, mutt, qpopper, squirrelmail.
And many more that are similar in that they've no relationship with
the OS save being shipped with it.  Hardly *just* the Linux OS.  Some
of those packages mentioned on the Debian site were begun long before
there _was_ such a thing as Linux.
Even if you classify things like XFree86 and Samba as being part of the
OS for purposes of comparing with Windows, which features much tighter
coupling between the OS and some of its services than do the UNIX-like
OSs, I believe you're going to be hard-pressed to come up with 47
advisories against the OS.  Or anything remotely near that number.
Nor will you with Windows.  Look at the 47 bulletins for this year and 
you'll find things like Messenger, Internet Explorer, Outlook, Access, 
Content Management Server, ISA Server, etc., etc., none of which are part 
of the OS, despite MS's bs claims in court.

But *none* of this childish tit for tat is the point.  The point is that 
lots of software has significant, security related bugs, and the way 
software is taught and done obviously needs to change.  It's evident to an 
impartial observer that buffer overflows are a problem in almost 
*everyone's* software.  So something is wrong with the way software is 
"done", *not* with the end result, which is OSes and applications.

I've read here that it's not possible to write software that doesn't have 
flaws because programmers are human.  I think that's a crutch that allows 
us to accept less than the best.  There was an article in Fortune, back in 
March of this year, that refutes that.  I'll give you the URL, but you'd 
have to pay to read it. 
<http://www.fortune.com/fortune/imt/0,15704,427288,00.html>

The bottom line is that there is a company in Canada, QNX Software Systems, 
that writes an OS that simply does not fail and does not have bugs in it. 
Their website is here if you want to take a look:
<http://www.qnx.com/>.  Their software powers cars and laser surgery 
devices and it simply *cannot* fail, and so they make sure that it doesn't 
by doing it right the first time.

Let's compare apples to apples, so to speak, if we're going to
invest the effort in the first place, into making silly comparisons.
Do you really believe it matters what the exact numbers are?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [inbox] Re: [Full-Disclosure] RE: Linux (in)security

2003-10-26 Thread Paul Schmehl
--On Sunday, October 26, 2003 12:45 PM -0500 Bill Royds 
<[EMAIL PROTECTED]> wrote:

Actually there is a significant difference between OS that get a large
number of vulnerabilities released like Windows, Linux etc. and those OS
like VMS and OS/400 that do not.
The real difference is the programming language used to write the code.
The C programming language used for Windows, Linux etc. is inherently
insecure. The C string is an invitation to a buffer overflow. It has no
bounds checking by default so each use of it (copy, string search ...)
must be checked for a buffer overflow.
You mean, as a programmer, it's not possible to write a library function 
that checks string lengths and simply call it for every buffer?

Like (in pseudocode)?

#include <stdio.h>
#include <string.h>

/* Returns 0 if buf fits in the 256-byte buffer (NUL included), else an error code.
   Compares the input's length, not the pointer value, against the buffer size. */
int chk_str_len(const char *buf) {
  if (strlen(buf) >= 256) {
    fprintf(stderr, "Error!  Input larger than allocated buffer!\n");
    return -1;   /* err_num */
  } else {
    return 0;
  }
}
Granted you probably want to be more gracious handling errors than an 
abrupt exit and you'd probably want to use a case statement to allow for 
checking numerous different allowed lengths, but seriously - is a language 
supposed to be goof proof?  Or are programmers supposed to learn how to do 
it right?

How hard is it, really, to add a couple of lines to each input call - 
ok = chk_str_len(buf); if (ok == 0) { continue } else { handle_error(ok) }?

(I'm sure there are more efficient ways to handle this than my simplistic 
suggestion, but the point remains - handling buffer overflows should be 
trivial to write in C.  The problem is that programmers simply don't think 
about it (or don't even know about it) when they're writing the code.

 Another problem with C is that there is not an inherent mechanism to
match the types of parameters in a function call with the types of the
actual parameters used, especially when calling with arrays or pointers.
A pointer argument is inherently insecure because it could point to
anything. The only mechanism for passing parameters that need to be
changed by a function is a pointer in C (others have value/result where
the subroutine makes a local copy modifies that then returns the modified
value for caller to use). If we really want to have more secure
software we need to look at the tools we use to write it, not just at the
platforms it runs on.
Isn't it the programmer's job to *know* what types he's using and what his 
pointers refer to?  And if he can't know, to error check?  I think we'd be 
vastly better off teaching how to program properly than we would be trying 
to devise a language that is idiot-proof.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Coding securely, was Linux (in)security

2003-10-26 Thread Paul Schmehl
--On Monday, October 27, 2003 10:23 AM +1100 Brett Hutley 
<[EMAIL PROTECTED]> wrote:
Also using these type of functions in operating system code is a good way
to create a *REALLY*  S L O W system. In maybe 80% of system code you are
going to know who ALL the callers of the function are and are going to be
working with input that has already been validated further up the call
tree. Why slow this code down with unnecessary checks? Validation of
input is important when the input is specified by something external to
the system - user parameters, environment variables...
If the input is *known* or has already been validated, why would you need 
to check it?  My point is, if you can't know what the input will be, you 
*must* check it.  The problem is that many programmers don't think like 
hackers.  They write code as if every user will input the correct data 
because, after all, they're trying to use it, not abuse it.

That, of course, fails with the first person who types something 
incorrectly on the keyboard (intentionally or unintentionally) or when the 
input from some device is different than what the programmer thought it 
could ever be (for whatever reason.)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
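An added example, not code from either post above, that carries the two points through in C: the 256-byte length check sketched in the earlier post, generalised to a table of field sizes (the "case statement" for numerous allowed lengths the author mentions), performed once at the place where untrusted input enters, with the copy bounded by the destination's own size; and an internal helper that relies on that validation instead of re-checking, which is Brett Hutley's point about code that only ever sees already-validated input. The field kinds, the error codes and struct contact are constructed for this example, and chk_str_len here takes a field kind as well as the input, unlike the one-argument sketch in the thread.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Field kinds for a record with several fixed-size buffers.  Constructed for
 * this example; the thread itself only talks about a single 256-byte buffer. */
enum field { FIELD_NAME, FIELD_EMAIL, FIELD_PHONE };

enum { CHK_OK = 0, CHK_ERR_FIELD = 1, CHK_ERR_NULL = 2, CHK_ERR_TOO_LONG = 3 };

struct contact {
    char name[256];
    char email[128];
    char phone[32];
};

/* The "case statement" for numerous allowed lengths: the one place that knows
 * how large each destination buffer is (NUL included). */
static size_t field_capacity(enum field f)
{
    switch (f) {
    case FIELD_NAME:  return sizeof (((struct contact *)0)->name);
    case FIELD_EMAIL: return sizeof (((struct contact *)0)->email);
    case FIELD_PHONE: return sizeof (((struct contact *)0)->phone);
    default:          return 0;
    }
}

/* Trust-boundary check: does the untrusted C string fit the field, NUL
 * included?  memchr scans at most `cap` bytes, so an unterminated or
 * enormous input is rejected without reading past that bound. */
int chk_str_len(enum field f, const char *input)
{
    size_t cap = field_capacity(f);
    if (cap == 0)      return CHK_ERR_FIELD;
    if (input == NULL) return CHK_ERR_NULL;
    if (memchr(input, '\0', cap) == NULL) return CHK_ERR_TOO_LONG;
    return CHK_OK;
}

/* The one place external input enters a contact's name: check first, then
 * copy with a bound taken from the destination itself, so the copy stays
 * within the buffer even if the check above is edited later. */
int contact_set_name(struct contact *c, const char *input)
{
    int rc = chk_str_len(FIELD_NAME, input);
    if (rc != CHK_OK)
        return rc;
    snprintf(c->name, sizeof c->name, "%s", input);
    return CHK_OK;
}

/* Internal helper.  Every caller is in this file and passes a contact whose
 * name went through contact_set_name(), so it does no second length check;
 * the assert records that assumption instead of silently relying on it. */
size_t contact_name_length(const struct contact *c)
{
    const char *end = memchr(c->name, '\0', sizeof c->name);
    assert(end != NULL);
    return (size_t)(end - c->name);
}

/* Feeds four constructed inputs through the boundary and returns how many
 * were rejected: a short name, a name that exactly fills the field, one
 * that is too long, and a NULL pointer. */
int demo_reject_count(void)
{
    struct contact c;
    char exact[256], over[300];
    int rejected = 0;

    memset(exact, 'a', sizeof exact - 1);
    exact[sizeof exact - 1] = '\0';          /* 255 chars + NUL: fits */
    memset(over, 'b', sizeof over - 1);
    over[sizeof over - 1] = '\0';            /* 299 chars: does not fit */

    rejected += contact_set_name(&c, "Paul Schmehl") != CHK_OK;
    rejected += contact_set_name(&c, exact) != CHK_OK;
    rejected += contact_set_name(&c, over) != CHK_OK;
    rejected += contact_set_name(&c, NULL) != CHK_OK;
    return rejected;                         /* 2 */
}

int main(void)
{
    printf("%d of 4 inputs rejected\n", demo_reject_count());
    return 0;
}
```

Run as-is it reports that two of the four constructed inputs were rejected. The split between a checked entry point and an unchecked internal helper is the design choice worth copying: the cost of validation is paid once per external input, the internal code documents its precondition with an assert rather than a second scan, and the copy uses the destination's sizeof so the two halves cannot drift apart.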


[Full-Disclosure] Coding securely, was Linux (in)security

2003-10-26 Thread Paul Schmehl
--On Sunday, October 26, 2003 8:04 PM -0500 Bill Royds <[EMAIL PROTECTED]> 
wrote:

You are saying that a language that requires every programmer to check for
security problems on every statement of every program is just as secure as
one that enforces proper security as an inherent part of its syntax?
Well, no, that's not at all what I'm saying.  What I'm saying is that, no 
matter how well the language is devised, programmers must still understand 
how to write secure code and be aware of those places in the code where 
problems can arise and prevent them.

And I suppose that you also believe in the tooth fairy.
Of course.  Just last week I found a dime under my pillow

[snipped a bunch]
I have been programming in C since the 70's
so I am quite aware of what the language can do and appreciate its power.
But the power comes at the price of making it much more difficult to
handle the security and readability of C code. Since one can do just
about anything in C, the language compilers will not prevent you from
shooting yourself in the foot. Other languages restrict what you can do,
to prevent some security problems.
   But there is so much code out there that is written in C (or its
bastard child C++) that we are not going to get rid of it soon. Java
would actually be a good language if Sun would allow one to write
compilers for it that generated native machine language, not just Java
byte code.  But the conversion of the world programmer mindset to
restricting use of insecure language features will take eons so I give it
no hope.
So which makes more sense to you?  To convert the world's programmers to a 
new language?  Or to teach them to code securely?  Surely, if we were to 
replace C today, they would just find other ways to write insecure code?
A programmer certainly can not know what his pointers refer to. That would
require the writer of a function to know all possible circumstances in
which the routine would be called and to somehow prevent her routine from
being linked in with code that calls it incorrectly. That is often called
the halting problem. Most security problems come from exactly the case
that the subroutine user "knows" what are the arguments for all calls in
the original use and handles those. The infinity of all other cases can
not be checked at run time without either significantly slowing down the
code or risking missing some.
But it shouldn't be the job of the writer of a subroutine to verify the 
inputs.  The writer of a subroutine defines what the appropriate inputs to 
that routine are, and it's up to the *user* of that subroutine to use it 
properly.  The entire concept behind OOP is that you cannot know what's in 
the "black box" you're using.  That makes it incumbent on you as the *user* 
of a subroutine to use the correct inputs and to *verify* those inputs when 
necessary.

Now a subroutine writer is perfectly free to do error checking if they 
choose, but the user of that subroutine should never *assume* that the 
subroutine *does* do error checking.

   The recent MSBlaster worm is a case in point. The writers of the RPC
code "knew" that code within MS Windows never passed more than a 16
unicode character (32 byte) machine name as one of its parameters so did
not need to check ( the argument was not of type wchar * but of type
wchar[16]). Since C actually does not implement arrays at all, but only
uses  array syntax [] as an alias for a pointer, the only way to prevent
buffer overflow in a C routine is to never allow string arrays  as
parameters to functions, completely obscuring the meaning of code.
The problem is that C encourages bad coding practice and obscures the
actual meanings of various data structures and even the code auditing
techniques of the OpenBSD crowd do not find all the possible mistakes
A language will never be goof-proof, but it should not make it easier to
goof than be correct.
I'm not disagreeing with this point at all.  I'm simply saying that 
programmers *must* verify inputs when they cannot be known.  In this 
particular example, you're pointing out a classic mistake.  The programmers 
of the RPC code *assumed* that they knew what the input would be when in 
fact they could not *know* that for certain.  And so we ended up with 
another classic example of a buffer overflow (actually several). 
Assumptions are the mother of all problems.

You complain that the code would be really slowed down if consistent and 
complete error checking were done.  I wonder if anyone has ever really 
tried to write code that way and then tested it to see if it really *did* 
slow down the process?  Or if this is just another one of those "truisms" 
in computing that's never really been put to the test?

BTW, in my example, I didn't use strlen.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dalla
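
The array-parameter point Bill Royds raises above (a parameter written as wchar[16] is really a wchar pointer, so the callee cannot rely on the declared size) and Paul's point that the caller must not assume the callee checks, shown together as an added C example. This is not code from the thread or from the RPC implementation it discusses. The record layout, the sentinel value, the 16-unit field size and the sample names are assumptions made for the demonstration; the overrun is deliberately kept inside one larger array so the program stays well-defined while still showing the 16-unit field being overrun.

```c
#include <stdio.h>
#include <stddef.h>
#include <wchar.h>

#define NAME_MAX 16            /* the bound the callee "knows" (assumption for the demo) */
#define SENTINEL 0x7E7E        /* value stored right past the name field (assumption) */

/* Demo record: storage[0..15] is the name field, storage[16] a sentinel, and the
 * rest is slack. Keeping everything in one array means an overrun of the name
 * field stays inside one C object, so the demo is well-defined; in a real
 * structure the units past the field would be other variables or return
 * addresses. Inputs must stay shorter than 64 units for the demo to stay in bounds. */
typedef struct {
    wchar_t storage[64];
} record_t;

enum { NAME_OK = 0, NAME_REJECTED = 1, NAME_CORRUPTED = 2 };

static void record_init(record_t *r) {
    wmemset(r->storage, L'\0', 64);
    r->storage[NAME_MAX] = (wchar_t)SENTINEL;
}

static int record_intact(const record_t *r) {
    return r->storage[NAME_MAX] == (wchar_t)SENTINEL;
}

/* The pattern from the thread: `const wchar_t src[NAME_MAX]` is adjusted by the
 * compiler to `const wchar_t *src`. The 16 is documentation, not a check. The
 * callee trusts it and copies through the terminator, however far away that is. */
static void set_name_trusting(record_t *r, const wchar_t src[NAME_MAX]) {
    size_t i = 0;
    do {
        r->storage[i] = src[i];
    } while (src[i++] != L'\0');
}

/* Length of s, never reading more than cap units (stands in for wcsnlen,
 * which is not part of C99). */
static size_t bounded_len(const wchar_t *s, size_t cap) {
    size_t n = 0;
    while (n < cap && s[n] != L'\0') n++;
    return n;
}

/* Hardened version: the capacity is an explicit parameter, input that does not
 * fit (including room for the terminator) is rejected, and the field is always
 * terminated. Returns 0 on success, -1 on rejection. */
static int set_name_checked(record_t *r, const wchar_t *src, size_t cap) {
    size_t n = bounded_len(src, cap);
    if (n >= cap)
        return -1;
    wmemcpy(r->storage, src, n);
    r->storage[n] = L'\0';
    return 0;
}

/* Run the trusting copy and report whether the sentinel past name[] survived. */
int demo_trusting(const wchar_t *src) {
    record_t r;
    record_init(&r);
    set_name_trusting(&r, src);
    return record_intact(&r) ? NAME_OK : NAME_CORRUPTED;
}

/* Run the checked copy; the sentinel must survive whatever the input is. */
int demo_checked(const wchar_t *src) {
    record_t r;
    record_init(&r);
    int rc = set_name_checked(&r, src, NAME_MAX);
    if (!record_intact(&r))
        return NAME_CORRUPTED;
    return rc == 0 ? NAME_OK : NAME_REJECTED;
}

int main(void) {
    /* Constructed sample inputs: one that fits the field and one that does not. */
    const wchar_t *short_name = L"WORKSTATION01";
    const wchar_t *long_name  = L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 units */
    printf("trusting: short=%d long=%d\n",
           demo_trusting(short_name), demo_trusting(long_name));
    printf("checked:  short=%d long=%d\n",
           demo_checked(short_name), demo_checked(long_name));
    return 0;
}
```

Note the boundary: a name of exactly 16 units is "within the declared size" yet still overruns the field, because the terminator lands on the sentinel. That off-by-one is why the checked version rejects any input whose length is not strictly less than the capacity.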

RE: [Full-Disclosure] Coding securely, was Linux (in)security

2003-10-26 Thread Paul Schmehl
--On Sunday, October 26, 2003 7:25 PM -0800 Chris Eagle 
<[EMAIL PROTECTED]> wrote:
That is the most backward thing I have ever heard.  So you are saying all
I need to do as a programmer is tell you not to pass a negative
number/null pointer/un-initialized value... to my function and I am off
the hook.  All I can say is that I am glad utdallas doesn't have you
teaching programming. The fact that you are unaware what lies inside the
black box in no way relieves the responsibility of the designer of the
black box to make sure that it behaves predictably under all input cases.
No, that is not what I'm saying.  What I'm saying is that the programmer 
should not *expect* the subroutine to do his error checking for him.  If 
*everyone* wrote code that way, including the writer of the subroutine, we 
wouldn't have the problems we have with buffer overflows.

The problem we have now is everyone is expecting someone *else* to do the 
error checking, when in fact everyone should be expecting exactly the 
opposite.

However, what you are expecting the writer of the subroutine to do is 
anticipate every possible input, and that may not be possible in all cases. 
Certainly the writer should do error checking, but that doesn't alleviate 
the *user* of the subroutine from doing their job.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Re: Gates: 'You don't need perfect code' for good security

2003-10-31 Thread Paul Schmehl
--On Friday, October 31, 2003 5:15 PM -0800 "Gary E. Miller" 
<[EMAIL PROTECTED]> wrote:
So what is your solution for the folks that carry those USB keychain
memories?  People carry those around with virus infected files and
plug them in to whatever machine they are sitting in front of.  Had
people I never seen before try to plug them in to my hosts.  "Just
wanted to read my email man"
Man, that's so easy, I'll answer it.  You just don't allow them to do that. 
It's the "just say no" method of security.

Hey, it worked for Nancy.  :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Re: Gates: 'You don't need perfect code' for good security

2003-11-01 Thread Paul Schmehl
--On Friday, October 31, 2003 10:16 PM -0800 "Charles E. Hill" 
<[EMAIL PROTECTED]> wrote:

Gates spoke as a politician.  His comments were very narrowly tailored.

Read them close.  He spoke almost exclusively of Win2003 Server -- which
has  very minimal deployment and is brand new.  I don't know anyone who
has  actually installed Win2k3, yet.
Well, now you do.  We rolled out Win2k3 AD a month ago.  We have a number 
of Win2k3 servers.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Microsoft plans tighter security measures in Windows XP SP2

2003-11-02 Thread Paul Schmehl
--On Sunday, November 02, 2003 8:20 AM -0500 William Warren 
<[EMAIL PROTECTED]> wrote:
I have dcom killed on all machines here in my house and file and printer
sharing work just fine... as to RA, I bet if the Windows version is broken
i use VNC here and it works without issue..
That's nice.  At UTD we have over 3500 Windows computers and numerous VLANs. 
Our issues are slightly more complex than yours.

At home, I don't even have Client for Microsoft Networks enabled, much less 
File and Printer Sharing.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Fw: Red Hat Linux end-of-life update and transition planning

2003-11-04 Thread Paul Schmehl
--On Monday, November 03, 2003 6:55 PM -0700 Michael Gale 
<[EMAIL PROTECTED]> wrote:
RH is, oh wait - was linux's version of windows, a pain in the a$$.
People who started off on RH usually never learned anything and are stuck
with the same problems as windows has except for less crashing.
Modifying things is a pain because there are 50 million different places
that RH keeps the data and you can't do anything from the console so you
get stuck using the GUI they provide.
I hate OS wars, but I find this statement extremely odd.  I run a RH 7.2 
server on the Internet, and it's 50 miles away.  It doesn't have a 
keyboard, mouse or monitor, and X and its pieces aren't even installed. 
It's been sitting there running for about two years now, and I haven't had 
one single problem doing things "from the console", nor have I had a 
problem with updates, even kernel patches.  I just reboot the box and log 
back in a minute later, after it's rebooted.

Obviously, OSes are a matter of taste for many.  I personally prefer 
FreeBSD.  But my experience with RedHat has been dramatically different 
than what you claim.  It's easy to use, easy to update, easy to maintain, 
and it's run without a hitch, handling 2.6 million hits a month on the 
website without breaking a sweat.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] WinME firewalling

2003-11-09 Thread Paul Schmehl
--On Sunday, November 09, 2003 20:03:30 -0500 j <[EMAIL PROTECTED]> wrote:
What software firewall solution is truly suitable for Grandma?  As
invisible to the user as possible, of course, since this Grandma doesn't
understand most of the 'little window thingies' that spontaneously
appear already.  (you know at least one - the manic 'ok' clicker...)
Additional hardware of any kind is not permitted, this has to be a
software solution under WinME.
Get her a $50 (Linksys, SMC, etc.) DSL router.  Set it up for her, and then 
tell her to have fun, patch, and keep her AV software up to date.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Frontpage Extensions Remote Command Execution

2003-11-12 Thread Paul Schmehl
--On Wednesday, November 12, 2003 02:53:02 PM -0500 Damian Gerow 
<[EMAIL PROTECTED]> wrote:

Thus spake [EMAIL PROTECTED] ([EMAIL PROTECTED]) [12/11/03 14:41]:
bulletin.  A decent admin would configure FPSE such that this flaw is a
non-issue.  This is because no ordinary user has a reason to be accessing
FPSE's files.  If FPSE is secured, this means that an attacker is getting
their own privileges back.
A decent OS shouldn't need the admin to go in and modify permissions on
specific files in order to ensure a basic security requirement.
While an ordinary user may have no reason to access those files, an
ordinary admin should similarly have no reason for modifying the
permissions on those files.
You're serious?   I mean *really* serious?  Or is this a test?

How do you explain this, for example?

http://httpd.apache.org/docs/misc/security_tips.html

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Feeding Stray Cats

2003-11-13 Thread Paul Schmehl
--On Thursday, November 13, 2003 4:46 PM -0800 Josh 
<[EMAIL PROTECTED]> wrote:
It is people like you who will drive this list into the ground.  The only
reason you are here is to hear yourself talk and possibly to get some
0-day sploitz that you can impress your computer lab buddies with.
Just one comment.

I'll never understand what the fascination is with "0-day sploitz".  Who 
really cares?  Do you seriously think most professionals are salivating 
waiting for them?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] SSH Exploit Request

2003-11-14 Thread Paul Schmehl
--On Friday, November 14, 2003 21:10:04 -0500 [EMAIL PROTECTED] wrote:
I'm sure I'm not the only sysadmin who's SSH'ed in to an ill box, decided
a reboot was needed, and typed 'shutdown -i6 -g0 -y' (runlevel 6 to
reboot, zero seconds grace, and don't prompt me), and instead realized 7
seconds later that what the other end *received* was '-i0 -g6 -y'
(poweroff with 6 seconds warning), and made a bad situation worse.
Just curious... why wouldn't you use 'shutdown -r now'?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] SSH Exploit Request

2003-11-14 Thread Paul Schmehl
--On Friday, November 14, 2003 22:46:31 -0500 [EMAIL PROTECTED] wrote:

On Fri, 14 Nov 2003 20:36:59 CST, Paul Schmehl <[EMAIL PROTECTED]>  said:

Just curious... why wouldn't you use 'shutdown -r now'?
% uname -rsv
IRIX64 6.5 10151453
% man shutdown

shutdown(1M)
shutdown(1M)
NAME
 shutdown - shut down system, change system state
SYNOPSIS
 cd /; /etc/shutdown [ -y ] [ -ggrace_period [ -iinit_state ] [ -p ]
OK.. Let's check another box...

% uname -rsv
SunOS 5.8 Generic_108528-22
% man shutdown
Reformatting page.  Please Wait... done
Maintenance Commands shutdown(1M)

NAME
 shutdown - shut down system, change system state
SYNOPSIS
 /usr/sbin/shutdown [ -y ]  [ -g grace-period ]   [  -i init-
 state ]  [ message ]
You see a -r in either of those?  I don't.
Nope.  But I sure do in a lot of other unixes.  Wasn't thinking of Solaris 
at the time.  Sorry.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Antivirus Software Solutions?

2003-11-28 Thread Paul Schmehl
--On Friday, November 28, 2003 12:20 PM +1100 Paul Szabo 
<[EMAIL PROTECTED]> wrote:
Do not use "traditional" AV at all (as that would never protect you from
the latest virus). Rather, set up your email gateway to "defang" all
suspicious emails (e.g. containing EXE or SCR or PIF, or ZIP,
attachments); it is a matter to debate whether to reject (bounce), drop,
or somehow encode such things so as to render harmless. - Probably you
will want your email gateway to run UNIX/Linux, so you can set this up.
This is a good first step, but you should also have a/v protection at the 
gateway.  Look at amavisd and vexira if you're allowed to use open source. 
If you have to use commercial products, Sophos has a good gateway product. 
Trend is popular but not as good.

You might also consider some of the newer IPS appliances such as 
Tippingpoint, Fortigate or ISS's Proventia M.  These provide virus 
protection for all protocol streams, not just email, http and ftp.  (We are 
evaling all three of those.)

Once your email gateway is "safe", any AV on desktops becomes much less
important, but you may still want some "traditional" AV on your desktops;
any reasonably well supported product should do.
This is horrible advice.  You *must* have traditional a/v on your desktops 
or some equivalent replacement.  The desktop is you last line of defense 
and often the only one that will "catch" things.  Gateway a/v scanners such 
as trend will do *nothing* to protect you against worms such as Blaster and 
Slammer.  There are just too many avenues for attack to leave the desktops 
unprotected; removable media (CDs, floppies, DVDs, Zip disks), IRC, ICQ, 
P2P, IM, web, etc., etc.

Furthermore, you don't want just "any reasonably well supported product". 
You want a product that is highly effective against none viruses.  Some 
that fall in to that category are Sophos, McAfee, Kaspersky and Norton.

Foregoing the use of top notch protection on the desktops is a recipe for 
disaster.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Antivirus Software Solutions?

2003-11-29 Thread Paul Schmehl
--On Saturday, November 29, 2003 10:12 AM -0500 "Marc Chabot (.net)" 
<[EMAIL PROTECTED]> wrote:
I had a bad opinion of mc-a-fee before, but if you say it's highly
effective against NONE viruses, I believe you.  :-D
That's just the modern spelling of known.  :-)
I'm looking for anybody who had something negative to say about the
latest version of NOD32 (for windoze boxes) available since this
summer.  Any comment about it?
If you are serious about knowing which a/v products are "best" (for some 
definition of best that is meaningful for you), you need to look at the 
real researchers, not the pc mags, which are all about touchy feely and not 
about performance and not the vendors, who are obviously biased.

<http://www.av-test.org/>
<http://www.uta.fi/laitokset/virus/>
<http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm>
<http://www.virusbtn.com/>
NOD 32 scored very well in the most recent tests at the University of 
Tampere.  Unfortunately, not all researchers test NOD 32, so you have less 
data to rely on than other scanners.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


RE: [Full-Disclosure] RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow

2003-12-04 Thread Paul Schmehl
--On Thursday, December 04, 2003 10:02 PM -0500 Kristian Hermansen 
<[EMAIL PROTECTED]> wrote:
You are censoring your child's freedom of speech based on your own problem
in dealing with the fact the society generally does not "accept" this sort
of language.  Good for you, I hope your child becomes another upstanding
citizen of our US population, unaware of the world around them, conforming
to their leaders (aka you, the father - later the prez) and not
questioning authority.  Why are "fuck" and "shit" considered "impolite
language" according to you?  Is it because society told you they are bad?
<http://www.catb.org/~esr/jargon/html/P/plonk.html>

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


RE: [Full-Disclosure] Flawed arguments (Was all that other crap about PFW day)

2004-01-15 Thread Paul Schmehl
--On Friday, January 16, 2004 4:14 AM +0100 Erik van Straten 
<[EMAIL PROTECTED]> wrote:

"Chris Harrington" <[EMAIL PROTECTED]>:
So do you expect Annie to fix these broken locks or doors??
Nope. Annie is not reading this list. Microsoft probably does.

I had to laugh at this.  Do you seriously think Microsoft has employees 
reading this list?  I doubt it.  In fact I issue a challenge right now.  If 
*anyone* who works at MS is reading this list, respond when you read this. 
If you don't want to do so publicly, you can email me and I will notify the 
list.  (David, are you there?)

What you are saying is that you would not need a wall if the locks
worked properly??
Nope. What I'm saying is that the doors to the Internet shouldn't have
been there by default (135-139, 445, 1026-1030, RDP, UPnP etc. - run
netstat)
Oh, I get it.  You mean like NFS, X Windows, RPC, portmap, finger, chargen, 
rlogin, rsh, ftp, like those sorts of things?  The things that Unix had 
almost 20 years to disable in the default install before they finally did? 
That sort of stuff?

This translates to not needing a firewall if the OS flaws are fixed.
Nope. It translates to not needing simple PFW's -for ingress traffic-
if there are no listening ports. Flaws shouldn't have been there in the
first place, and any found should be fixed ASAP%001.
Well, hell, let's ban iptables, ipfw, pf, ipchains, et al. from 
"workstation" installs of *nix.  After all, *nix is secure out of the box, 
right?  And PFW's just give people a false sense of security anyway, right?
Yep. But flaws have been found in PFW's, and they do provide a false
sense of security.
You mean like this?
<http://www.shmoo.com/mail/bugtraq/apr01/msg00028.shtml>
or this?
<http://www.blu.org/pipermail/discuss/1999-July/030040.html>
or this?
<http://www.ciac.org/ciac/bulletins/l-029.shtml>
or this?
<http://www.openbsd.org/errata28.html#ipf_frag>
Of course, I'm absolutely *certain* that there isn't a single *nix user who 
thinks they're more secure with a firewall enabled.  Oh wait, Dan, who 
doesn't even use AV because he uses Unix pointed out that *nix firewalls 
are now enabled by default (obviously making the OS more secure, right?)

The irony is overwhelming me.

With ABS you can drive much closer to the car in
front of you. With AV and a PFW people tend to believe it is safe to
run any exe (or hta). Marketing helps making people believe this.
I have to agree with you here.  It's been made obvious to me by the posts 
today in this thread.
Nope. I want all unused ports closed. For inbound connections, there's
no point blocking 80/tcp if you run a public webserver, right? However,
permitting access to selected IP's, combined with stateful inspection,
(provided you can trust all boxes behind your router)
Here's the only hint I'm going to give you.  YOU CAN'T.

from connecting
to certain ports (like DNS), may help. However I do not see any
advantage for Annie's free/cheap PFW here.
You must run a network of one.

Windows, Linux, BSD all have services / ports listening by default...
I've never run BSD. Which way-back-when flavor of Linux are you using?
With Trustix, out of the box only postfix listens (to 127.0.0.1).
Annie could *learn* how to edit inetd.conf. Or I, or someone like me,
or you, could help her. However, we cannot disable RPC in XP, and I
cannot configure it such that it doesn't listen to the Internet iface.
You guys just don't seem to get the point.
Annie can learn inetd.conf but not Windows PFWs?  What planet is annie 
from?  What planet are you from?  You can't disable RPC?  Please!  Search 
the FD archives.

The point is the PFW makes it possible for the home user to limit
their exposure without having a great deal of technical expertise. Is
it perfect? No. But it is an improvement over having nothing between
Annie and the Internet.
Maybe. But many people (and companies) have not patched DCOM because
they thought to be safe behind their firewall. Also apparently they
don't run AV; lots have been hit by blaster or nachi after someone
plugged in an infected notebook. My fear is that PFW's will have people
postpone patching, and not upgrade their AV license when it expires.
Which would change things how?  Exactly?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Who's to blame for malicious code?

2004-01-20 Thread Paul Schmehl
--On Tuesday, January 20, 2004 9:31 PM +0100 Tobias Weisserth 
<[EMAIL PROTECTED]> wrote:
The two examples I gave in my initial answer to you actually contain
that. I wonder why you didn't comment on them. What's your opinion on an
enabled RPC port by default in consumer OSs?
Precisely the same as my opinion of shipping the OS with inetd running and 
chargen, finger, et al. enabled.  It's stupid.  But we know that *now*, 
don't we?  We obviously didn't know that a few years ago, or all the *nix 
vendors wouldn't have done that years ago, right?

Don't you think the simple
measure of shipping Windows XP Home without such a service enabled would
have stopped the spread of Blaster cold? I do.
Of course it would have, but so would have appropriate OS maintenance.  The 
only machines we had that got infected by Blaster and friends are those 
that ignored my many warnings *and* refused to participate in our 
push-patching program (either through ignorance or belligerence.)  So, 
while Microsoft may be criticized for shipping RPC on by default, you 
really can't blame them for the results of the Blaster worm, simply because 
it was possible to be unaffected by it by updating properly.  We have 
thousands of Windows machines running RPC, and none of them are infected 
because they've all been patched.

It's high time for us to stop making excuses for stupid behavior simply 
because Microsoft is an easy target.  *None* of the famous exploits and 
worms (Code Red, Nimda, Slammer, Blaster, Nachi, et al.) would have ever 
happened had people simply updated their machines in a timely and regular 
manner.

We expect people to change the oil in their cars regularly.  Why don't we 
expect similar behavior in the computer world?

Would you blame OpenBSD if a user got hacked because he hadn't bothered to 
patch?

I'm not arguing that Microsoft has done the right thing or even that their 
OS is secure.  (It isn't, and I refuse to use it as a server unless forced 
to.  I prefer to use FreeBSD whenever possible.)  I'm arguing that you 
can't blame Microsoft for malicious code that takes advantage of weaknesses 
for which they have already issued patches, sometimes 12 months in advance 
of an outbreak.  *That* is a problem directly attributable to users.

What you're trying to argue is that, if OS vendors would simply do the 
right thing from the start, users would be protected despite their lack of 
patching, and I am saying that is preposterous.  *No* OS is so secure that 
you can simply leave it on the Internet, never patch it, and still be 
secure.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


[Full-Disclosure] Re: Mail undeliverable and filtered

2004-01-31 Thread Paul Schmehl
--On Saturday, January 31, 2004 3:44 PM -0500 "[EMAIL PROTECTED]" 
<[EMAIL PROTECTED]> wrote:

Your mail to [EMAIL PROTECTED]; was filtered because of
the potential spam or virus keyword  [gambling]
please contact the user by fax or telephone thank you.

For this email filter system and other powerful software visit
http://software.high-pow-er.com
Yeah!  That's high powered software all right!  I am highly impressed.

Sheesh.  (And this one will bounce too, no doubt.)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] MyDoom download info

2004-01-31 Thread Paul Schmehl
--On Saturday, January 31, 2004 12:25 PM -0500 [EMAIL PROTECTED] 
wrote:

On Sat, 31 Jan 2004 12:03:37 +1300, Steve Wray
<[EMAIL PROTECTED]>  said:
What worries me is we haven't seen *either* an actual damaging virus
(imagine if the last 2 lines of Mydoom were "sleep(4hours); exec("format
c:);") or a "sleeper" virus.
This doesn't worry me much at all.  Since virus writing has been taken over 
by the scammers, spammers, criminals and thieves, the last thing they want 
to do is destroy their bots.  Their purpose isn't to infect and harm, it's 
to infect and use for their nefarious purposes - like the recent extortion 
attempts on online gambling sites (threatening to shut them down through 
DDoS during the Super Bowl thereby depriving them of large amounts of 
revenue.)

The irony is the vxers got replaced by the professional criminals.  Now the 
concern is not getting infected, it's making sure the computer is really 
and truly clean.  It would be nice if the malware *did* use exec(format 
C:).  It would save networks a lot of time cleaning up and identify the 
infected machines quickly. :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] another Trojan with the ADO hole? + a twist in the story

2004-01-31 Thread Paul Schmehl
--On Saturday, January 31, 2004 7:35 PM +0200 Gadi Evron 
<[EMAIL PROTECTED]> wrote:

The past Trojan horses which spread this way took advantage of the fact
web servers send an HTML 404 message if a file doesn't exist.
The original sample - britney.jpg - was simply an html file itself, and
using that fact, and IE loading it. It was combined with one of the
latest exploits of the time (I don't think MS patched it yet), and
downloaded the Trojan horses.
This time around there is actually a picture on the web page, of a real
honest to God girl. But in another frame.. the same story all over again.
For blocking purposes, the (un-safe) URL is: http://ut.uk.to/cs.jpg .
Didn't work on my Titanium using Safari.  The girl 
was... uh... well-endowed.  :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] MyDoom.b samples taken down

2004-02-01 Thread Paul Schmehl
--On Sunday, February 1, 2004 7:45 PM -0500 [EMAIL PROTECTED] wrote:

On Mon, 02 Feb 2004 11:45:47 +1300, Nick FitzGerald
<[EMAIL PROTECTED]>  said:
If anything, *not* fueling the problem to ensure you have a job would be
so out-of-character for the A/V industry that you'd probably be shunned
as a complete and total loon.
Then how do you explain F-Prot's recent article condemning other AV 
companies for doing the "spamvertising" you complain about?  The AV 
industry is not monolithic and there are many internal disagreements that 
the public are never privy to.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


RE: [Full-Disclosure] Removal?

2004-02-03 Thread Paul Schmehl
--On Wednesday, February 4, 2004 12:41 AM + axid3j1al axid3j1al 
<[EMAIL PROTECTED]> wrote:
usr_crtl.dll won't unregister and fag.exe is not in the process list.

It was worth a shot.  You could download pslist from sysinternals and use 
that to list the process id, and then use their pskill to kill it.

<http://www.sysinternals.com/ntw2k/utilities.shtml>

(I would put these on a write-protected floppy.)

Then you should be able to remove the files.  I would also check the 
registry for entries.  You can use Ctrl-F to search for the file names 
"usr_crtl.dll" and "fag.exe" in the registry and remove them.  Then reboot, 
and you should be able to remove them.
Norton is fully patched to current as is windows update.

Any idea how this got on your computer?

Current versions of Ad-Aware, Spybot (Search & Destroy) or Norton haven't found
any trace of the trojan. Even when pointed directly at that directory.
Anything else that recognises this?
Did you try housecall.antivirus.com?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] home land tracker software

2004-02-06 Thread Paul Schmehl
--On Friday, February 6, 2004 6:52 PM + DAN MORRILL <[EMAIL PROTECTED]> 
wrote:

http://www.ofaccompliance.com/

anyone want to debate the ethics of this
The ethics of what?  Making publicly available information easy to access?

and the US Patriot act and how
to secure the system when it is in use or misuse?
Use and misuse of what?  The ability to access publicly available information?  I'm 
afraid I don't see what the problem is.

You can check our own
name at the web site, as well as more popular folks.
Well, I tried my name, William R. Murray and William Gates.  Got nothing 
back.  Maybe I did something wrong?  I *did* get hits on Osama bin Laden 
and Mustafa Mohammed, but that's not exactly a startling revelation.

As an information
security person, this worries me. Both from a compliance issue
(corporate) and on a personal issue.
Why?  I can look you up in the phone book.  I can look you up online in 
numerous search engines.  I can contact someone who knows you and find out 
more about you.  I really don't understand what the problem is.

Now, if they were publishing your bank account information, *that* would be 
a problem.

Additional reading US Patriot act, section 326.

All information security related ideas welcome, flames to
/dev/null/blackhole/no-read-access
My question is : what were they thinking?

Ease of use?  Quick access to information that could be life saving?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] (no subject)

2004-02-07 Thread Paul Schmehl
--On Saturday, February 7, 2004 11:05 AM -0500 KF <[EMAIL PROTECTED]> 
wrote:

Use a friggin subject line fools!
Like you did, for example?  :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] Why are postmasters distributing the MyDoom virus?

2004-02-07 Thread Paul Schmehl
--On Saturday, February 7, 2004 2:15 PM -0500 "Richard M. Smith" 
<[EMAIL PROTECTED]> wrote:
It looks like some postmasters are in the virus distribution business
pretty much like the MyDoom virus itself.  Perhaps these postmasters need
to review their bounce message policies and remove all attached files
from messages being bounced.
Richard, did you happen to note what MTAs were used?  I suspect it's a 
function of the software or default configuration rather than something 
postmasters deliberately setup.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


[Full-Disclosure] Apparently the practice was prevalent

2004-02-08 Thread Paul Schmehl
According to this story, some programmers have been up late "fixing" the
inability to use @ in their urls. :-)  One company is even proposing
reversing the change (by sending their users a registry update) so they can
continue to use the feature.  Makes you wonder how long it will be before a
virus or worm reverses the registry key so it can use that "feature".

http://news.com.com/2100-7355_3-5153534.html?tag=nefd_top

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

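The reason the `user:pass@host` syntax was worth disabling is easy to show with a URL parser. This is an added example, not code from the post or from any of the companies it mentions: per RFC 3986 everything before the last `@` in the authority is userinfo, so the host a client connects to is whatever follows it. The sample URLs and the helper names `real_host` and `looks_spoofed` are this example's own.

```python
"""Show which host a URL with '@' in the authority really points at, and
flag the lookalike pattern.  Added example; sample URLs are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit, unquote


def real_host(url: str) -> Optional[str]:
    """Host the client will actually connect to, ignoring any userinfo."""
    return urlsplit(url).hostname


def looks_spoofed(url: str) -> bool:
    """True when the userinfo is being used to mislead: it either reads like a
    hostname (www.example.com@...) or hides control characters that some
    clients once used to truncate what the address bar displayed."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return False
    userinfo = unquote(parts.netloc.rsplit("@", 1)[0])
    username = userinfo.split(":", 1)[0]
    has_control_chars = any(ord(c) < 0x20 for c in userinfo)
    looks_like_hostname = "." in username
    return has_control_chars or looks_like_hostname


# Constructed samples for this example.
SAMPLES = [
    "http://www.example.com@198.51.100.23/login",   # "www.example.com" is a user name
    "http://www.example.com%01@198.51.100.23/",     # control byte hidden in userinfo
    "http://admin:secret@192.0.2.10/",              # ordinary credentials, not a spoof
    "http://www.example.com/",                      # no userinfo at all
]


def report(urls=SAMPLES):
    """Map each URL to (real host, spoof verdict)."""
    return {u: (real_host(u), looks_spoofed(u)) for u in urls}


if __name__ == "__main__":
    for url, (host, spoofed) in report().items():
        print(f"{url:50} -> connects to {host!s:15} spoof={spoofed}")
```

A proxy or mail filter that rejects any URL where `looks_spoofed` is true gets most of the benefit of the browser change without touching user registries.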


Re: [Full-Disclosure] RE: [kinda-but-not-really-Full-Disclosure-so-we-feel-warm-and-fuzzy] Re: EEYE: Microsoft ASN.1 ...

2004-02-12 Thread Paul Schmehl
--On Thursday, February 12, 2004 11:11:51 PM +1300 Brett Moore 
<[EMAIL PROTECTED]> wrote:

Its great...

With the MS patching been relegated to monthly, it means we only have
to put up with this crap once a month... but man it drags on.. and on...
and on
Everyone has an opinion, agreed. But its not like those same opinions
are not shared by others.. Some would like full disclosure, because its
interesting and inciteful...
OK.  I'll bite.  Did you mean to write "inciteful" (because I thought that 
was a really cool word creation), or did you mean to write "insightful"?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


RE: [Full-Disclosure] Security Watch Essay (was: (no subject))

2004-02-12 Thread Paul Schmehl
--On Thursday, February 12, 2004 09:39:41 AM -0800 Trevor Benson 
<[EMAIL PROTECTED]> wrote:

You know what I love. How a useful list has 40% of the posts some snotty
little comment a child (regardless of chronological age) has to make to
insult someone else in the list.  Which of course spawns the other 40%
rebuttals to the attacks.  When in all reality, not one of us cared what
the child said, or the defense of your decision to post.
Hmmm, trying to remember. Did I join the list for Soap Opera while reading
email, or to keep up with current issues and security???  I am guessing it
must have been the soap operas..
Just apply the standard 80/20 rule.  80% of the posts are useless.  The 
other 20% make the list worth subscribing to.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


RE: [Full-Disclosure] RE: W2K source "leaked"?

2004-02-13 Thread Paul Schmehl
--On Saturday, February 14, 2004 1:35 AM +0100 Tobias Weisserth 
<[EMAIL PROTECTED]> wrote:

Hi Paul,
Odd.  I would have thought the answer was self evident.  You take the
standard precautions that every security person should know.
So just because the source code hasn't been leaked until now means
people were not obliged to take these precautions? A weak point, don't
you think?
No, that's not what I meant at all.  The fact is almost all software has 
weaknesses and flaws in it.  Unless you happen to be one of those with 
enough time and skill to hunt down these flaws, you won't know about them 
until they either become public knowledge, a patch is released or you 
experience a compromise.

In the meantime, what can you do?  The same thing you always have to do. 
Take the appropriate security precautions.  Unfortunately far too many wait 
until they have a problem to take those steps.
So what you are saying here, reduced to the essence, is that the only
"preparation" we can do as an answer to the leaking are the same
precautions we are doing all the time anyway?!
Yes, unless you are able to determine what, if any, flaws are in the 
software.  Not many can do that.

I have to agree the initial doubting question then that there is hardly
anything we can do but sit and wait and apply standard security
precautions we would have anyway. We're talking about closed source
software here. Everything customers can do is to sit and wait for
patches from MS if there's a problem.
Personally I don't think this leak will unavoidably lead to a serious
increase of heavy and even sneakier exploits. We already have them.
The last week has been evidence enough. Maybe this will even lead to
more security as customers with the capacity will have the potential to
identify possible threats themselves and point them out to MS ;-)
I suspect that flaws will probably be found.  After all, they already have 
been found without the source.  It's only logical that with the source in 
hand more flaws will be found.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] New Security News Website

2004-02-16 Thread Paul Schmehl
--On Monday, February 16, 2004 1:49 PM -0800 "Gregory A. Gilliss" 
<[EMAIL PROTECTED]> wrote:

You're kidding, right? Me thinks you *need* some hacker intel!
So you think a simple nmap scan is sufficient to determine if a host is 
insecure?  Interesting.

If you scanned my Windows XP boxes, you'd find a bunch of juicy ports open. 
What you wouldn't find is a hackable daemon.  All the open ports feed a 
program that captures the packets for analysis later.  The boxes are 
running no Internet-addressable services.  Yet, from an nmap scan you might 
(wrongly) assume that those boxes were grossly insecure.

This is the Internet.  Things are not always what they seem.  And open 
ports don't always mean negligence.

For example:

bash-2.05b# telnet www.hackerintel.com 113
Trying 216.92.170.7...
Connected to hackerintel.com.
Escape character is '^]'.
Connection closed by foreign host.
bash-2.05b# telnet www.hackerintel.com 543
Trying 216.92.170.7...
Connected to hackerintel.com.
Escape character is '^]'.
Connection closed by foreign host.
bash-2.05b# telnet www.hackerintel.com 544
Trying 216.92.170.7...
Connected to hackerintel.com.
Escape character is '^]'.
Connection closed by foreign host.
Looks suspiciously like tcpwrappers to me.

And just because you *can* get a login prompt or banner on a particular 
port, *even if* it appears to be a "normal" service for that port,  does 
not necessarily mean you are addressing that actual service.  (The program 
I refer to would make you *think* you were talking to a compromised machine 
running NetBus, for example - as well as MyDoom, Slammer and a few other 
nasties, if all you did was telnet to that port.)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
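The telnet transcript above shows the signature a port scanner cannot see: the handshake completes, then the peer closes without sending a byte, which is what tcp_wrappers (or any accept-then-check hook) looks like from outside. The following is an added example, not code from the post: a probe that distinguishes a refused port, a wrapped one, one that greets with a banner, and one that is open but silent. The two loopback listeners are constructed stand-ins for a wrapped service and a banner-sending service; `probe` and `start_listener` are this example's own names.

```python
"""Classify what sits behind an "open" TCP port.  Added example; the
listeners are local stand-ins, not the host discussed in the thread.
"""
import socket
import threading
from typing import Optional, Tuple


def _serve_once(srv: socket.socket, banner: Optional[bytes]) -> None:
    conn, _ = srv.accept()
    with conn:
        if banner:
            conn.sendall(banner)        # a real service greets us
        # With banner=None this is the tcp_wrappers shape: accept, then drop.
    srv.close()


def start_listener(banner: Optional[bytes]) -> int:
    """Start a one-shot loopback listener in a thread; return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=_serve_once, args=(srv, banner), daemon=True).start()
    return srv.getsockname()[1]


def free_port() -> int:
    """A port nothing is listening on (bind, read it back, release it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host: str, port: int, timeout: float = 2.0) -> Tuple[str, bytes]:
    """Return one of 'closed', 'wrapped', 'banner', 'silent' plus any data read.

    'wrapped' is the case nmap reports as open: the connect() succeeded but
    the peer hung up before saying anything.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                return "silent", b""   # open, waiting for the client to talk first
    except ConnectionRefusedError:
        return "closed", b""
    if not data:
        return "wrapped", b""          # EOF with no banner: accepted then closed
    return "banner", data


def demo() -> dict:
    """Probe a wrapped port, a banner port and a closed port on loopback."""
    wrapped = start_listener(None)
    greeting = start_listener(b"220 mail.example ESMTP ready\r\n")
    closed = free_port()
    return {
        "wrapped": probe("127.0.0.1", wrapped)[0],
        "banner": probe("127.0.0.1", greeting),
        "closed": probe("127.0.0.1", closed)[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8} -> {result}")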


Re: [Full-Disclosure] New Security News Website

2004-02-16 Thread Paul Schmehl
--On Monday, February 16, 2004 6:21 PM -0800 g0d <[EMAIL PROTECTED]> wrote:
on a host running a production website common sense would dictate that
*any* non-essential services be turned off, if for no other reason than
the fact that having multiple services running makes the host a prime
target for attacks. i should think this is even more true when the host
is running a website that has been advertised on a mailing list which
attracts the specific element of computing society with a bent towards
system compromise. while having a test box out there 'in the wild'
accumulating data on currently-employed techniques for cracking hosts,
methinks that functionality would be better suited to a separate host.
That's certainly the conventional wisdom.  All I'm saying is that one 
should not assume that open ports == insecure.  Sometimes it doesn't mean 
that at all.  If one takes everything they find on the Internet at face 
value, one will often be mistaken.

I suspect that you would agree that there's nothing wrong with running 
multiple services on a "production" box if one has made that decision 
consciously and intelligently?  If so, why assume that the OP has *not* 
done that?  I've already shown evidence that not all the ports are as open 
as they first appear.  Without knowledge of the box, why assume that the OP 
has insecurely configured the host?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] New Security News Website

2004-02-16 Thread Paul Schmehl
--On Monday, February 16, 2004 4:36 PM -0800 "Gregory A. Gilliss" 
<[EMAIL PROTECTED]> wrote:

Hey Paul,

Two questions ...

One, why make assumptions about someone you don't know?

I wasn't aware I made any assumptions.  You posted a list of open ports you 
found by using nmap and suggested that the OP needed help learning about 
hackers.  All I did was ask a question and point out that open ports do not 
necessarily mean insecure ports.

Two, why answer in an antagonistic tone (minus smileys)?

What about my answer was antagonistic?  I asked a simple question and made 
simple observations.

AFAIK the original post was an ad for a new list. First thing I'm going
to look for is whether the machine hosting the list *appears* secure.
Yeah, they can have a loud nmap response and it can be bogus, no duh!
The machine in question may be running honeypot/masquerading/whatever.
I don't care. Scan any of my IPs and you get RSTs back. That's *my*
version of secure. Attackers get diddly.
Notice that I am not saying that *my* version of secure has to be *yours*.

If what you say is true, then why assume that what you found at someone 
else's site is insecure?  ISTM you're being a little hypocritical, aren't 
you?

 I miss the good old BBS days when people who had a clue would
*help* each other instead of making every f**king post into a pissing
contest. Posts like this one are why I have a blacklist for FD.
Aren't you being a bit disingenuous?  It was you that posted the list of 
open ports and suggested the OP need instruction in hacking.  All I did was 
suggest that there were other possibilities beside the OP being clueless. 
Then you take that as a personal attack and insinuate that anyone who 
disagrees with you is clueless *and* that this is a pissing contest!  If 
you take offense each time someone offers another POV, you're going to be 
taking offense all day long, especially on *this* list, aren't you?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


Re: [Full-Disclosure] New Security News Website

2004-02-16 Thread Paul Schmehl
--On Monday, February 16, 2004 8:05 PM -0500 [EMAIL PROTECTED] wrote:
Yes, you included a smiley, but it was buried some 27 lines later where
it was easily lost.   I had to read your posting 3 times before I spotted
the smiley myself. As a result, it was very easy to misread your posting
as being total derision.
I never noticed a smiley.  But frankly I don't think adding a smiley at the 
end of a caustic response makes it OK.  Smileys, IMNSHO, are a poor 
substitute for clearly articulating a position in a professional manner. 
(And no, Gregory, I am NOT referring to you.)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

