Re: [Full-Disclosure] driver for display goes to a infinite loop by viewing a html!

2004-08-11 Thread stephane nasdrovisky




Random wrote:
> Does nothing with FireFox 0.9.3 on Linux 2.6.7.

You're wrong:

> On Tue, 2004-08-10 at 18:23, bipin gautam wrote:
>> [tested with firefox and IE browser...]
>> please test it with winxp sp1 or sp2!

You have to install a product like vmware in order to test xp things
under linux !





Re: [Full-Disclosure] Unsecure file permission of ZoneAlarm pro.

2004-08-21 Thread stephane nasdrovisky
John LaCour wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> There is absolutely no security issue here.
> ZoneAlarm does not rely on file permissions to protect
> any configuration files.   Configuration files are protected
> by our TrueVector(r) driver in the kernel.
>
> In addition to protecting configuration files against
> unauthorized changes, there are additional integrity checks and other
> protection mechanisms implemented for all policy configuration
> files.  Should any policy configuration files fail integrity
> checks, the firewall will fail closed.
>
> Again, no issue.

> Zone Alarm stores its config. files in %windir%\Internet Logs\* . But strangely,

Isn't it supposed to store logs? My English knowledge is probably too poor.

> EVERYONE: Full

As everybody knows, Windows * is a single-user system on which you can
only install ZoneAlarm, no other software, especially no software using
this directory for storing any kind of information. As I understand the
ZAP answer: kidding with file permissions is not an issue on any OS...
unless, maybe, if you wish to use your system.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] The 'good worm' from HP

2004-08-23 Thread stephane nasdrovisky
The Central Scroutinizer wrote:
> Would it not be better to have a standard secure backdoor provided by
> a security package that could downloaded or installed by disk and
> works hand in hand with port scanning software, if this is really
> necessary. I am surprised Microsoft have not released such a piece of
> software; maybe a third party have.

There is a known backdoor on every modern system: the
administrator/root/whatever account.
Sysinternals (and others) have a tool which allows remote execution on
Windows NT/2k/XP (*)... could be a solution (we used it to install IE 6
and Thunderbird x.y.z); ssh or even rsh exists for most Unix variants.
We once used Symantec's AV remote management console (named: ???, the
current version is not smart enough for this) to install things like
the Netscape browser and make sure some registry keys & files were as we
wanted... it's again a Windows NT/2k/XP 'feature'; for Unixes, ssh or rsh
(or is it rexec?) are still available.
*: one such tool adds a scheduled task and makes sure the task
scheduler is running.

> Even if it is a controlled worm that moves around in the internal
> network patching computers, it sounds like a very stupid idea.

I hope it is a bad choice of words. He is a VP, should I say more?



Re: [Full-Disclosure] Re: Fwd: Re: FullDisclosure: Security aspects of time synchronization infrastructure

2004-08-23 Thread stephane nasdrovisky




[EMAIL PROTECTED] wrote:
> Depending upon the criticality of the time sensitive applications on
> the network, you might want to reconsider the use of "radio clocks"
> and especially "GPS clocks".
> [...]
> For a fixed installation detecting if someone is dinking the gps signal
> is trivial.  The unit starts thinking it is not in Kansas anymore.

As far as I can remember, GPS is not accurate... during US raids
(i.e. against Iraq) I could not tell if time is affected or if it only
reduces the precision of the location (50-20 meters during normal
operation, 100-1000 meters during raids). Anyway, I use a couple of
Internet & free NTP services (my ISP, some European & US labs,
...). If all the servers are compromised, I'm too (as far as time and I
are concerned, I want my whole network to be synchronized, I don't
really care for the real time; before configuring a remote NTP server,
there was only a 'virtual' time (my watch), which was enough for my
logs); if only a few are, I can see there's a difference in the timing
they provide (which, anyway, I don't care about).

In Germany (which means anywhere between Spain and Russia), there is an
official radio clock (known as DCF-77) which does not suffer the GPS
limitation (this is not a military toy). As an official clock (used
for synching administrations, parking payments, ...) it has to be up
and give the official accurate time 24-7; you (or at least I) can be
confident with this time. Unfortunately, most receivers do not work in
machine rooms (too much ecm noise; sometimes the building is
radio-protected, ...); you have to put your receivers (yes, one is not to
be considered reliable) out of your building!

These radio clocks are easier to corrupt than GPS (plain old FM against
spread spectrum)... I never faced any real time-critical project, so for
me (and I guess most admins), even the worst solution (Internet NTP) is
more than enough right now (it may change in the future).

Anyway, if you consider this kind of solution (Internet NTP), do not
forget ACLs on your routers/firewalls, use a single/cluster NTP server
for synching your network, do not let multiple servers sync with
Internet NTP.
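As an added illustration of that last paragraph (this is not from the original mail), here is what the layout looks like in ntpd's configuration: one internal server takes time from several independent Internet sources, every other host on the LAN takes time only from that server, and nobody else may peer with, reconfigure or query either of them. Host names and the 192.0.2.0/24 network are placeholders.

```conf
# --- ntp.conf on the one internal time server (constructed example) ---
# Several independent upstreams: with four or more, ntpd's selection
# algorithm can outvote a single source whose time disagrees with the rest.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server ntp.isp.example iburst           # placeholder: your ISP's server
server ntp.lab.example iburst           # placeholder: a public lab server

# Default: answer time requests only; no configuration changes (nomodify),
# no trap/status queries (notrap, noquery), no peering (nopeer).
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
# LAN clients (placeholder network) may sync and run ntpq, nothing else.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer

# --- ntp.conf on every other LAN host: only the internal server ---
server ntp-internal.example iburst      # placeholder name
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict -6 ::1
restrict ntp-internal.example nomodify notrap noquery
```

The router/firewall ACL the mail mentions is the other half of this: permit UDP/123 to the Internet only from the internal server's address, so a host that is quietly reconfigured to sync elsewhere simply gets no answer.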




Re: [Full-Disclosure] New paper on Security and Obscurity

2004-09-01 Thread stephane nasdrovisky
This not-so-new info may bring some light:
http://www.fact-index.com/a/au/auguste_kerckhoffs.html : "... the
security of a cryptosystem must depend only on the key, not on the
secrecy of any other part of the system."

Peter Swire wrote:
> “full disclosure” and computer security:
> http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782
> The paper begins by analyzing the
> cliché that “there is no security through obscurity.”  It observes that the
> traditional military and intelligence cliché is that “loose lips sink
> ships.”



Re: [Full-Disclosure] New paper on Security and Obscurity

2004-09-01 Thread stephane nasdrovisky
Just a stupid thought inspired by page 7 - B: who will create the first
satellite with me (i.e. for watching what our enemy is doing / in order
to know where he is)? I guess we could earn some $ if we are the first
on this topic, I hope I'm not too late :-)
Does full-disclosure include password/shared secret disclosure? Maybe
'full' is not the best chosen word.. It seems 'full' is limited to
algorithms, and does not extend to secrets (such as passwords); what would
be the use of a safe if the secret (either the code or the key) is
written on the door (I know.. in case of fire, a safe is safer than the
fireman and his water). It looks like computer and military security are
not so different... I'm continuing to read this paper. Scientific
American / Pour la Science had an issue on cryptography/computer
security about a year ago (no 36 of the French edition)

Peter Swire wrote:
> http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782



Re: [Full-Disclosure] Viral infection via Serial Cable

2004-09-02 Thread stephane nasdrovisky





Most viruses use the user (they expect to contact a stupid user who
will execute them); they don't care how they reached your PC, they know the
user will spread them somehow (i.e. it's a nice porno exe which will be
sent to friends, ...). Current viruses do not even need user
interaction; some expect to contact a stupid user who's using some
Outlook flavor.
The worms are using servers and their vulnerabilities (and the admin's
laziness), IP or higher level email features.
Current viruses and worms are not very different as they do not always
need user action. Some viruses could be called worms as they spread
automatically, using server features of some clients.
Back in the 80s and early 90s, I was using FidoNet (a modem/RS232 based
network); file and email transfers were automatic (using software
like BinkleyTerm). There was no known way to automatically execute
the files you received (Outlook or Outlook Express did not exist, not
even Windows NT, just MS-DOS), but viruses were working anyway.  It was
the beginning of companies like McAfee! That was the time I first
checked my executables before executing anything on my PC.

Über GuidoZ wrote:
> James Tucker said:
>> 4. Most viruses in circulation today use TCP/IP or higher level
>> protocols, not native RS232.
>
> AND
>
>> Personally I never saw or heard of a virus which tries to communicate
>> with another computer attached to an RS232 port (maybe a laplink
>> virus or the like??), as this is an unusual scenario.
>
> Exactly the point I was trying to make. Nothing more, nothing less.

I too never heard of such a thing, which doesn't mean:
- such a virus/worm does not exist
- the software on either side of the RS232 link is not vulnerable (I guess
  the risk will not come from a virus/worm but a targeted attack by
  someone knowing the vulnerabilities of this soft and also knowing your
  network infrastructure and that you have this soft)





Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-20 Thread stephane nasdrovisky
Todd Towles wrote:
> I was under the understanding that passwords of over 14 characters were
> stored with a more secure hash, therefore 14 character passwords were
> harder to crack, due to the more secure hash. Windows will create two
> different hashes for passwords shorter than 14 characters, I do
> believe.

If my memory is right, LM passwords are hashed as 2*7 uppercase bytes
(which is not the same as 14 bytes, it's easier to bf).
If LM passwords are enabled, even longer passwords will collide with a
14-character password (as far as you're more interested in accessing
one's account than knowing its dog's name, i.e. if your pass is "My name
is bond, james bond!", using "MY NAME IS BON" will give you the access
you deserve)!
Back in the NT 4.0 time, it was required to disable LM passwords (W95
compatibility issue) in order to have stronger passwords (if the NT password
fails, the LM password is checked).

> Just use a non-printable character in your password and cracking is
> useless... if they crack it, they can't read what they cracked. ;)
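The "2*7 uppercase bytes" remark is easy to see in code. The block below is an added example (not from the thread, not Microsoft's code) that models the LM preprocessing: upper-case, cut or pad to 14 bytes, split into two independent 7-byte halves. Real LM then uses each half as a DES key to encrypt a fixed string; since the Python standard library has no DES, each half is digested with SHA-256 instead, an assumption that does not change the properties shown: the Bond password collides with its 14-character upper-cased prefix, a password of 7 bytes or less leaves the second half constant, and the attacker's search is two runs of alphabet^7 rather than one of alphabet^14. That is exactly why disabling LM storage (or the registry/policy setting that does so) matters on systems that still keep it.

```python
"""Model of the LM hash preprocessing (added example, not from the thread).

Real LM: upper-case, truncate/pad to 14 bytes, split into two 7-byte halves,
use each half as a DES key to encrypt the constant "KGS!@#$%".  The stdlib
has no DES, so each half is digested with SHA-256 here (stand-in, assumption);
the properties demonstrated come from the preprocessing, not from DES.
"""
import hashlib
from typing import Tuple

HALF = 7            # each half is an independent 7-byte DES key
LM_LEN = 2 * HALF   # LM only ever sees 14 bytes


def lm_preprocess(password: str) -> bytes:
    """Upper-case, encode in an OEM code page, truncate to 14 bytes, NUL-pad."""
    raw = password.upper().encode("cp437", errors="replace")
    return raw[:LM_LEN].ljust(LM_LEN, b"\x00")


def lm_like_hash(password: str) -> Tuple[bytes, bytes]:
    """Two independent digests, one per 7-byte half (SHA-256 stands in for DES)."""
    data = lm_preprocess(password)
    return (hashlib.sha256(data[:HALF]).digest(),
            hashlib.sha256(data[HALF:]).digest())


def lm_collides(a: str, b: str) -> bool:
    """True when two different passwords are indistinguishable to LM."""
    return lm_like_hash(a) == lm_like_hash(b)


def second_half_is_constant(password: str) -> bool:
    """Passwords of 7 bytes or fewer leave the second half all-NUL, so its
    digest is a fixed value (AAD3B435B51404EE in real LM): the stored hash
    itself reveals that the password is short."""
    return lm_preprocess(password)[HALF:] == b"\x00" * HALF


def lm_work_factor(alphabet_size: int) -> int:
    """Candidates to try when the halves are attacked separately: two
    searches of alphabet^7, instead of alphabet^14 for a real 14-byte key."""
    return 2 * alphabet_size ** HALF


if __name__ == "__main__":
    long_pw, short_pw = "My name is bond, james bond!", "MY NAME IS BON"
    print("collide:", lm_collides(long_pw, short_pw))            # True
    print("short password reveals its length:", second_half_is_constant("secret"))
    print("work factor, 69-symbol alphabet:", lm_work_factor(69))
```

The NT hash (MD4 over the UTF-16 password, no truncation, no case folding) has none of these properties, which is why the thread's advice to keep only that one stands.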
 



Re: [Full-Disclosure] Zone Alarm

2003-06-13 Thread Stephane Nasdrovisky

Squid (and probably others) can filter accesses based on the user agent.
Some network firewalls (as opposed to personal ones) can be configured to filter
accesses based on the user agent header.

As you know, every piece of software trying to access the internet through a proxy
advertises its flavour using the user agent header, and the user agent header is very
hard to spoof :-)

Never heard of stupid answers on mailing lists, did you? :-)

> >> Zone alarm and other Windows based Software Firewalls can block
> >> network access for programs.
> >> A HW firewall can only block a whole machine but can't deny access for one
> >> >> software
> > Never heard about proxies, did you? :-)
> If proxies can now distinguish which program redirects via them, I
> would be interested to hear how...
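For the record, the Squid side of this looks like the fragment below (an added example, not from the mail or the Squid project; the network range and the agent patterns are placeholders). Squid's "browser" ACL matches the request's User-Agent header against a regular expression, so anything that does not identify as an approved browser is refused before the normal source-address rules run.

```conf
# squid.conf fragment (added example): let only software that identifies
# as an approved browser out through the proxy.
acl lan src 192.0.2.0/24                  # placeholder LAN range
acl approved_ua browser -i ^Mozilla/      # -i: case-insensitive regex
acl approved_ua browser -i ^Opera/

http_access deny !approved_ua             # unknown or missing User-Agent
http_access allow lan
http_access deny all
```

As the smiley in the mail says, the header is whatever the client chooses to send, so this blocks only software that does not bother to lie; its real value is as an inventory control, and the same header is worth keeping in the access log (newer Squid releases can add it to a custom logformat with %{User-Agent}>h) so that an unexpected agent on the LAN gets noticed.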
 




Re: [Full-Disclosure] funny things - SpamAssassin results

2003-08-22 Thread stephane nasdrovisky
/etc/iscan is not spamassassin related. It's the trendmicro antivirus 
gateway main directory.

morning_wood wrote:
> funny things... SpamAssassin results
>
> 1. spoof
>
> 80.179.152.112.forward.012.net.il (80.179.152.112)
>
> Whois:
>
> 80.179.152.0 - 80.179.171.255
> Please Send Abuse/SPAM complaints
> To [EMAIL PROTECTED]
> DNS REG
> 25 Hsivim st. Petach-Tiikva, Israel
> [EMAIL PROTECTED]
>
> 2. path reveal
>
> The uncleanable file details.pif is moved to /etc/iscan/virus/virZNvE0n
>
> ---
> ---
> Return-Path: <[EMAIL PROTECTED]>
> Received: (qmail 2425 invoked by uid 504); 21 Aug 2003 15:03:01 -
> Received: from localhost (HELO iceman.incidents.org) (127.0.0.1)
>  by 0 with SMTP; 21 Aug 2003 15:03:01 -
> Received: (qmail 2164 invoked from network); 21 Aug 2003 15:02:30 -
> Received: from 80.179.152.112.forward.012.net.il (HELO SKUNK)
> (80.179.152.112)
>  by 0 with SMTP; 21 Aug 2003 15:02:30 -
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Date: Thu, 7 Jan 1999 14:20:55 +0200
> X-MailScanner: Found to be clean
> Importance: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.
> X-MSMail-Priority: Normal
> X-Priority: 3 (Normal)
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="_NextPart_000_0E151FE1"
> X-Spam-Status: Yes, hits=8.0 required=6.5
> tests=AWL,DATE_IN_PAST_96_XX,FORGED_MUA_OUTLOOK,
>  MIME_BOUND_NEXTPART,MISSING_MIMEOLE,NO_REAL_NAME,
>  RAZOR2_CHECK
> version=2.53
> X-Spam-Level:
> X-Spam-Checker-Version: SpamAssassin 2.53 (1.174.2.15-2003-03-30-exp)
> X-Spam-Report:    Start SpamAssassin results
>  8.00 points, 6.5 required;
>  *  0.7 -- From: does not include a real name
>  *  2.0 -- Listed in Razor2, see http://razor.sf.net/
>  *  2.0 -- Date: is 96 hours or more before Received: date
>  *  3.3 -- Forged mail pretending to be from MS Outlook
>  *  0.5 -- Message has X-MSMail-Priority, but no X-MimeOLE
>  *  0.4 -- Spam tool pattern in MIME boundary
>  * -0.9 -- AWL: Auto-whitelist adjustment
>   End of SpamAssassin results
> X-Spam-Flag: YES
> Subject: *SPAM* Your details
> This is a multipart message in MIME format
>
> --_NextPart_000_0E151FE1
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> --  Virus Warning Message (on the network)
>
> Found virus WORM_SOBIG.F in file details.pif
> The uncleanable file details.pif is moved to /etc/iscan/virus/virZNvE0n
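The headers quoted above are the kind of thing a mail gateway actually has to act on, so here is an added example (not code from the thread, from SpamAssassin or from Trend Micro) that parses the X-Spam-Status header, decides between deliver, quarantine and reject on the parsed score rather than on the yes/no flag, strips any X-Spam-* headers that arrived from outside (a sender can forge them just as easily as the X-Mailer line the report complains about), and flags the "path reveal" item: an absolute server path leaking in an outbound notice. The sample message is constructed from the headers in the quoted mail; the 3.0-point reject margin is an arbitrary choice, and the parser accepts both the 2.x "hits=" and the later "score=" spelling.

```python
"""Parse SpamAssassin's X-Spam-Status header and act on it at a gateway.

Added example, not code from the thread.  The sample message is
constructed from the headers quoted above.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List, NamedTuple

SAMPLE_MESSAGE = """\
From: <forged-sender@example.invalid>
To: <victim@example.invalid>
Date: Thu, 7 Jan 1999 14:20:55 +0200
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-Spam-Status: Yes, hits=8.0 required=6.5
 tests=AWL,DATE_IN_PAST_96_XX,FORGED_MUA_OUTLOOK,
 MIME_BOUND_NEXTPART,MISSING_MIMEOLE,NO_REAL_NAME,
 RAZOR2_CHECK
 version=2.53
X-Spam-Flag: YES
Subject: *SPAM* Your details

Found virus WORM_SOBIG.F in file details.pif
The uncleanable file details.pif is moved to /etc/iscan/virus/virZNvE0n
"""


class SpamVerdict(NamedTuple):
    flagged: bool
    hits: float
    required: float
    tests: List[str]
    version: str


_KEY_RE = re.compile(r"(\w+)=")


def parse_spam_status(value: str) -> SpamVerdict:
    """Unfold the header and split it into key=value fields.

    Rule names never contain '=', so every 'word=' starts a new field and
    the multi-line 'tests=' list comes back as one comma-separated string."""
    flat = re.sub(r"\s+", " ", value).strip()
    m = re.match(r"^(Yes|No),\s*(.*)$", flat)
    if not m:
        raise ValueError(f"unrecognised X-Spam-Status: {flat!r}")
    rest = m.group(2)
    keys = list(_KEY_RE.finditer(rest))
    fields: Dict[str, str] = {}
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(rest)
        fields[k.group(1)] = rest[k.end():end].strip()
    score = fields.get("hits", fields.get("score"))   # 2.x 'hits', 3.x 'score'
    if score is None or "required" not in fields:
        raise ValueError(f"score fields missing in: {flat!r}")
    tests = [t.strip() for t in fields.get("tests", "").split(",") if t.strip()]
    return SpamVerdict(m.group(1) == "Yes", float(score),
                       float(fields["required"]), tests, fields.get("version", ""))


def strip_spam_headers(msg: Message) -> int:
    """Drop X-Spam-* headers that arrived with the mail: only the local
    scanner's verdict may be trusted.  Returns how many names were removed."""
    names = {h for h in msg.keys() if h.lower().startswith("x-spam-")}
    for name in names:
        del msg[name]          # removes every occurrence of that header
    return len(names)


def classify(msg: Message, reject_margin: float = 3.0) -> str:
    """'reject' well over the threshold, 'quarantine' when merely flagged,
    'deliver' otherwise.  X-Spam-Flag on its own is never consulted."""
    raw = msg.get("X-Spam-Status")
    if raw is None:
        return "deliver"
    v = parse_spam_status(raw)
    if not v.flagged:
        return "deliver"
    return "reject" if v.hits >= v.required + reject_margin else "quarantine"


_PATH_RE = re.compile(r"(?<![\w/])/(?:etc|var|usr|opt|home)/[\w./-]+")


def leaks_internal_path(text: str) -> List[str]:
    """Absolute filesystem paths in an outbound notice (the 'path reveal'
    item above) tell a stranger how the gateway is laid out."""
    return _PATH_RE.findall(text)


def load_sample() -> Message:
    return message_from_string(SAMPLE_MESSAGE)


if __name__ == "__main__":
    msg = load_sample()
    print(parse_spam_status(msg["X-Spam-Status"]))
    print("action:", classify(msg))
    print("leaked paths:", leaks_internal_path(msg.get_payload()))
```

The order matters in practice: strip foreign X-Spam-* headers first, run the scanner, then classify, otherwise a sender who adds "X-Spam-Status: No" ahead of time gets a free pass from any filter that trusts the first such header it sees.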


Re: [Full-Disclosure] Strange ldap Behavior.

2004-05-18 Thread stephane nasdrovisky
Soderland, Craig wrote:
>   ETHER:  Destination = 0:0:5e:0:1:1, U.S. Department of Defense

This MAC looks familiar to me; isn't it the MAC address used by VRRP ID
1? Isn't your default gateway a Nokia firewall (or was, in which case you
should reconfigure some device in order to remove any/many static ARP
entries (i.e. Cisco routers can't learn these MACs, that's why you may
have/had to add static ARP on some devices)) or any other VRRP device?
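Recognising that address by eye is a habit worth automating; the block below is an added example (not from the thread) that decodes such a MAC and goes a little beyond the mail: RFC 5798 reserves 00-00-5E-00-01-{VRID} for IPv4 VRRP and 00-00-5E-00-02-{VRID} for IPv6 VRRP (virtual router ID 1-255; OpenBSD CARP reuses the IPv4 block), and HSRP version 1 uses 00-00-0C-07-AC-{group}. The parser also accepts the unpadded "0:0:5e:0:1:1" form that snoop printed above. Sample addresses are constructed.

```python
"""Decode 'virtual router' MAC addresses seen as the default gateway.

Added example, not from the thread.  Prefixes: VRRP (RFC 5798) and HSRPv1.
"""
import re
from typing import Optional, Tuple

VRRP_V4 = bytes.fromhex("00005e0001")   # 00-00-5E-00-01-{VRID}
VRRP_V6 = bytes.fromhex("00005e0002")   # 00-00-5E-00-02-{VRID}
HSRP_V1 = bytes.fromhex("00000c07ac")   # 00-00-0C-07-AC-{group}


def parse_mac(text: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., and snoop's unpadded 0:0:5e:0:1:1."""
    parts = re.split(r"[:-]", text.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def virtual_router_id(mac: str) -> Optional[Tuple[str, int]]:
    """(protocol, id) when the MAC belongs to a first-hop redundancy
    protocol, else None.  VRID 0 is not valid for VRRP, so it is rejected."""
    b = parse_mac(mac)
    prefix, last = b[:5], b[5]
    if prefix == VRRP_V4 and last != 0:
        return ("vrrp-ipv4", last)
    if prefix == VRRP_V6 and last != 0:
        return ("vrrp-ipv6", last)
    if prefix == HSRP_V1:
        return ("hsrp-v1", last)
    return None


def gateway_note(mac: str) -> str:
    """One line an analyst can paste into a ticket."""
    hit = virtual_router_id(mac)
    if hit is None:
        return f"{mac}: ordinary unicast MAC, check which host owns it in the ARP table"
    proto, vid = hit
    return (f"{mac}: {proto} virtual MAC, group/VRID {vid}; the frame came from "
            f"whichever router currently holds the master role")


if __name__ == "__main__":
    # constructed samples: the snoop line from the thread, an HSRP group, a plain NIC
    for sample in ("0:0:5e:0:1:1", "00-00-0c-07-ac-0a", "00:11:22:33:44:55"):
        print(gateway_note(sample))
```

A virtual MAC that shows up where no redundancy protocol is supposed to run is worth a look for the same reason the mail gives: something is answering ARP for the gateway, and it is either a forgotten firewall cluster or a device impersonating one.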



Re: [Full-Disclosure] Successful in blocking all known exploits

2004-07-06 Thread stephane nasdrovisky




Maarten wrote:
> On Saturday 03 July 2004 18:25, J.A. Terranson wrote:
>> On Sat, 3 Jul 2004, RandallM wrote:
>>> After a number of years, much thought, and long nights I have developed a
>>> systematic method to prevent and thwart exploits on my system!
>>>
>>> NEVER REBOOT!
>>>
>>> up and running for 876 days straight and have had no problems
>>
>> Yeah, but what about Windowz boxes?

I've seen one (PDC) alive for +- 2 years. The administrator didn't
believe me when I said the latest issue (a stupid thing I don't
remember, such as no authentication possible anymore) he was facing
would -probably- be solved by a reboot (my limited NT experience is:
reboot twice (at least), watch the screen with 3-4 colleagues (at least);
if the issue is not solved by these 2 magic keys, spend some time but
do not spend too much time trying to understand what's happening: it's
usually a waste of time).

> Hum, how did you guess he isn't talking about a windows box ? 8-))

Did he mean never reboot or never boot? In the 2nd case, I guess most of
you will agree. The same kind of thing applies to infrastructures:
isn't an air-gap firewall one of the most secure pieces of hardware?




Re: [Full-Disclosure] IE is just as safe as FireFox

2004-11-16 Thread stephane nasdrovisky




Stuart Fox (DSL AK) wrote:
>>> Can the Firefox settings be controlled centrally?
>> Yes, and more flexible than IE versions zoo at user computers. Download
>> a Firefox ZIP (not Firefox_Setup_1.0.exe but Firefox 1.0.zip), unpack it
>> to R/O share on file server, edit JS configuration files in
>> .\defaults\pref and .\greprefs, then create a shortcut to firefox.exe on
>> user desktops. To change FF settings, edit JS configs again. Voila!
>
> Can the executable reside on the workstation with the settings stored
> on the network?  In an ideal world, you'd be able to control the
> settings via Group Policy (which is how you do it with IE).  I'm not
> sure your method is any more flexible than using Group Policy to be
> honest.

Unfortunately, MS group policy does not handle Mac, Solaris, Linux, ...;
only MS toys can be configured using this. I also think it is somewhat
new and will probably be old (why don't you use this miracle MS tool
named: sorry, this falls under some NDA) in a year or so.
This mail doesn't mean Firefox/Mozilla is the greatest tool in the
world. It lacks (or my knowledge is too limited) good LDAP support (I
tried keeping my Netscape config in my LDAP directory; Mozilla does not
seem to have this feature). Other browsers & mail readers are using
a dedicated central config server (I forgot the name) in order to make
them more corporate aware.
Some years ago, it was possible to share the same config on Netscape /
NT4 & Solaris 2.6, which was not possible with IE or Outlook (or
Outlook Express).





Re: [Full-Disclosure] Why is IRC still around?

2004-11-20 Thread stephane nasdrovisky
Micheal Espinola Jr wrote:
> Is SMTP bad?  Yes.
> Why?  Because they are simple and basic protocol  implementations

Are or were? SMTP supports TLS for example (I dropped IRC because I
have very little knowledge about it).

> Not that they aren't efficient and easy, but
> they certainly have their shortcomings in terms of security and AAA.

SMTP supports both plaintext (login/password) and TLS/certificate
authentication. Configuration is not a technology issue but a sysadmin
issue.

> We need to move forward with technology.  Or would you rather be like
> Microsoft - and attempt to be backward compatible for all-time - and
> continue to use products that have fundamental flaws in them?

SMTP is backward compatible with fossil-like technology (sendmail comes
to mind as it has a 'good' bugs record) but also 21st century
technology aware (S/MIME, TLS).
Much could be said against protocols such as RPC, FTP, telnet, IIOP,
HTTP, ... but some/most of them also support somewhat new
technology (encryption, authentication, ...); some of them do not add
much value when used over the Internet (RPC comes to mind); these are
more LAN protocols.
Microsoft doesn't try to be backward compatible: W2k is not backward
compatible with NT or DOS, even XP SP2 is not backward compatible with
XP SP1 :-)



Re: [Full-Disclosure] spoolcll.exe - new worm being distributed via mysql vulnerability?

2005-01-27 Thread stephane nasdrovisky

> my firewall alerted me that a program called spoolcll.exe
> the worm created a service called "evmon"
> The only information about this worm on google is a discussion at the
> following url:
> http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
> they are beginning to determine that it is being distributed via a hole
> in mysql.

There is a slashdot.org article & comments. It looks like it exploits a
few sysadmin brain vulnerabilities: weak passwords, bad practice. I guess
the MySQL vulnerability is required for copying & executing the bot.

http://it.slashdot.org/it/05/01/27/1546222.shtml?tid=220&tid=172&tid=95
> *Don't keep the port open!*
> by [EMAIL PROTECTED]
> 99.99% of people who run MySQL run it on the same machine as their
> webserver that queries it. Most people don't actually do queries /across
> the network/ to the database server.
> Just run MySQL with --skip-networking at startup (skip-networking in
> my.cnf), to disable MySQL from listening on port 3306.



Re: [Full-Disclosure] New virus?

2005-03-02 Thread stephane nasdrovisky
Matthew Burling wrote:
> C:\windows\system32\dxmsrv.exe
> C:\windows\system32\winmes.exe

Submit your suspicious file to the Norman sandbox (
http://sandbox.norman.no/live_4.html ); it will tell you if these are
bots contacting their 0wner via some IRC channel and other suspicious
activity.