[funsec] Seriously?
Seriously? The new threat of user-initiated drive by downloads? === Don’t Install Android Security Updates While Browsing the Web, http://www.gottabemobile.com/2012/05/04/dont-install-android-security-updates-while-browsing-the-web/ Surfing the web on Android is relatively safe, but a new threat tricks users into installing a trojan that calls itself a security update. Symantec discovered the Android.Notcompatible threat this week, calling attention to the new threat of user-initiated drive by downloads. Malware is a problem on Android smartphones, but it is typically reserved for infected fake games and apps found on third-party marketplaces. This new attack can happen on any infected webpage, and relies on tricking the user into installing the malware. ... ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
[funsec] Cost/benefit?
http://www.cbc.ca/news/world/story/2012/05/05/japan-nuclear-power-shut-off.html Boy, this came as a bit of a shocker. Yeah, I know people are afraid of nukes (and power companies are often more careless than they should be. Even so, you would think that some people would realize the huge risks and (invisible) costs of coal and oil. == (quote inserted randomly by Pegasus Mailer) rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org A lot of good arguments are spoiled by some fool who knows what he is talking about. - Miguel de Unamuno victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links http://blogs.securiteam.com/index.php/archives/author/p1/ http://twitter.com/rslade ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
[funsec] Fwd: [cryptography] Apple Legacy filevault barn door...
Interesting reading from the cryptography mailing list -- Forwarded message -- From: David I. Emery d...@dieconsulting.com Date: Fri, May 4, 2012 at 8:40 PM Subject: [cryptography] Apple Legacy filevault barn door... To: cryptogra...@randombit.net As someone said here recently, carefully built crypto has a unfortunate tendency to consist of three thick impregnable walls and a picket fence in the back with the gate left open. That seems to have happened to Apple's older (legacy) Filevault in the current release of MacOX Lion (10.7.3) something intended to protect sensitive information stored on laptops by providing for encrypted user home directories contained in an encrypted file system mounted on top of the user's home directory. Someone, for some unknown reason, turned on a debug switch (DEBUGLOG) in the current released version of MacOS Lion 10.7.3 that causes the authorizationhost process's HomeDirMounter DIHLFVMount to log in *PLAIN TEXT* in a system wide logfile readible by anyone with root or admin access the login password of the user of an encrypted home directory tree (legacy Filevault). The log in question is kept by default for several weeks... Thus anyone who can read files accessible to group admin can discover the login passwords of any users of legacy (pre LION) Filevault home directories who have logged in since the upgrade to 10.7.3 in early February 2012. This is worse than it seems, since the log in question can also be read by booting the machine into firewire disk mode and reading it by opening the drive as a disk or by booting the new-with-LION recovery partition and using the available superuser shell to mount the main file system partition and read the file. This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for. One can partially protect oneself against the firewire disk and recovery partition attacks by using Filevault 2 (whole disk encryption) which then requires one know at least one user login password before one can access files on the main partition of the disk. And one can provide further weaker protection by setting a firmware password which must be supplied before one can boot the recovery partition, external media, or enter firewire disk mode - though there is a standard technique for turning that off known to Apple field support (genius bar) persons. But having the password logged in the clear in an admin readible file *COMPLETELY* breaks a security model - not uncommon in families - where different users of a particular machine are isolated from each other and cannot access each others files or login as each other with some degree of assurance of security. Granted, of course that someone able to alter executable code could plant keyloggers and the like... and break this ... but actually shipping product that does so without notice is disturbing. And for those who use Apple's easy backup tools (Time Capsule), it was possible to assume that those tools only wrote copies of the sparsebundle encrypted container for a Filevault legacy home directory to the backup media meaning that an unencrypted backup would still provide protection for the contained encrypted home directories... but with the password required to decrypt the sparebundles stored in the clear on the (unencrypted) backup that assumption is no longer true. One wonders why such a debug switch exists in shipped production code... clearly it could be invoked covertly in specific situations, this seems to be an example of someone turning it on for the entire release by accident. Nobody breaks encryption by climbing the high walls in front... when the garden gate is open for millions of machines. This bug (LEA feature?) seems to have been introduced into MacOS Lion 10.7.3 early February 2012 and so far has not been corrected by any updates. ... ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Re: [funsec] Seriously?
I wouldn't exactly call it new. -- Joel Esler On May 5, 2012, at 3:18 PM, Jeffrey Walton noloa...@gmail.com wrote: Seriously? The new threat of user-initiated drive by downloads? === Don’t Install Android Security Updates While Browsing the Web, http://www.gottabemobile.com/2012/05/04/dont-install-android-security-updates-while-browsing-the-web/ Surfing the web on Android is relatively safe, but a new threat tricks users into installing a trojan that calls itself a security update. Symantec discovered the Android.Notcompatible threat this week, calling attention to the new threat of user-initiated drive by downloads. Malware is a problem on Android smartphones, but it is typically reserved for infected fake games and apps found on third-party marketplaces. This new attack can happen on any infected webpage, and relies on tricking the user into installing the malware. ... ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list. ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Re: [funsec] Seriously?
It's gotten substantially worse. Sent from my iPhone On May 5, 2012, at 2:06 PM, Joel Esler jes...@sourcefire.com wrote: I wouldn't exactly call it new. -- Joel Esler On May 5, 2012, at 3:18 PM, Jeffrey Walton noloa...@gmail.com wrote: Seriously? The new threat of user-initiated drive by downloads? === Don’t Install Android Security Updates While Browsing the Web, http://www.gottabemobile.com/2012/05/04/dont-install-android-security-updates-while-browsing-the-web/ Surfing the web on Android is relatively safe, but a new threat tricks users into installing a trojan that calls itself a security update. Symantec discovered the Android.Notcompatible threat this week, calling attention to the new threat of user-initiated drive by downloads. Malware is a problem on Android smartphones, but it is typically reserved for infected fake games and apps found on third-party marketplaces. This new attack can happen on any infected webpage, and relies on tricking the user into installing the malware. ... ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list. ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list. ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Re: [funsec] Seriously?
On Sat, 05 May 2012 15:18:39 -0400, Jeffrey Walton said: Seriously? The new threat of user-initiated drive by downloads? NBC actually used if you haven't seen it, it's new to you as a slogan during reruns season a few years back. pgpu1upVqsIVZ.pgp Description: PGP signature ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
[funsec] Ubuntu, Linux Mint, and the Guest Account
I know there's not much new here, but I am amazed that Ubuntu, Linux Mint and friends ship with a Guest account present and enabled. The Guest account is surreptitiously added through a lightdm configuration file, and is not part of the standard user database. Because its not part of the standard user database, it can't be disabled through /etc/shadow, nor disable it through familiar tools such as userdel and usermod. Additionally, the damn account does not show up in distribution provided tools such as User Accounts applet. To make matters worse, grepping for guest returns 0 results because lightdm.conf does not mention one must add the following to disable the guest account (nothing is required to enable the account): allow-guest=false To add insult to injury, the Guest account is not sandboxed and user home directories lack sufficient ACLs, so the guest account is able to wander through user's home directories: guest-dojMxl@vb-mint-12-x64 ~ $ pwd /tmp/guest-dojMxl guest-dojMxl@vb-mint-12-x64 ~ $ whoami guest-dojMxl guest-dojMxl@vb-mint-12-x64 /home/jwalton $ cd /home/ guest-dojMxl@vb-mint-12-x64 /home $ ls -al total 12 drwxr-xr-x 3 rootroot4096 2012-05-05 16:29 . drwxr-xr-x 23 rootroot4096 2012-05-05 16:32 .. drwxr-xr-x 5 jwalton jwalton 4096 2012-05-05 16:35 jwalton guest-dojMxl@vb-mint-12-x64 ~ $ cd /home/jwalton/ guest-dojMxl@vb-mint-12-x64 /home/jwalton $ ls -al total 28 drwxr-xr-x 5 jwalton jwalton 4096 2012-05-05 16:35 . drwxr-xr-x 3 rootroot4096 2012-05-05 16:29 .. -rw-r--r-- 1 jwalton jwalton 220 2012-05-05 16:29 .bash_logout drwx-- 3 jwalton jwalton 4096 2012-05-05 16:35 .cache drwxr-xr-x 3 jwalton jwalton 4096 2012-05-05 16:29 .config drwxr-xr-x 4 jwalton jwalton 4096 2012-05-05 16:29 .mozilla -rw-r--r-- 1 jwalton jwalton 675 2012-05-05 16:29 .profile ... Is there any reason a KIOSK-like account is enabled by default? Do KIOSKs really dominate the desktop market to warrant the account out of the box? ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Re: [funsec] Seriously?
Does anyone have a sample website? I am wondering if you need to have the checkbock selected for allowing external apps from non-sanctioned marketplaces.. Original Message Subject: [funsec] Seriously? From: Jeffrey Walton noloa...@gmail.com Date: Sat, May 05, 2012 12:18 pm To: FunSec List funsec@linuxbox.org Seriously? The "new threat of user-initiated drive by downloads"? === Don’t Install Android Security Updates While Browsing the Web, http://www.gottabemobile.com/2012/05/04/dont-install-android-security-updates-while-browsing-the-web/ Surfing the web on Android is relatively safe, but a new threat tricks users into installing a trojan that calls itself a security update. Symantec discovered the Android.Notcompatible threat this week, calling attention to the new threat of user-initiated drive by downloads. Malware is a problem on Android smartphones, but it is typically reserved for infected fake games and apps found on third-party marketplaces. This new attack can happen on any infected webpage, and relies on tricking the user into installing the malware. ... ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list. ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Re: [funsec] Seriously?
Dan Hubbar wrote: Does anyone have a sample website? I am wondering if you need to have the checkbock selected for allowing external apps from non-sanctioned marketplaces.. Not been able to find a working site (the first level IFrame domain is working again -- well, last I looked -- but the next level of redirection was (still) down) but from the descriptions I've read and discussions with colleague, the answer is yes, you need to have enabled that option. It's not a driveby anything though -- except for the mental cripples who accept Wikipedia's definition of drive by download. When it works it does so by the browser popping up an accept this download warning and the user assenting. This is nothing different from a squillion other pages over the years (mostly compromised) that via a redirect of some kind, a JS, an Iframe, etc cause a visitor's browser to request a URL whose contents turn out to be of a content type that the browser has no native handler for, causing the browser to pop-up some kind of a what the heck do you want to do with this dialog. driveby download, driveby exploit, etc, etc means nothing whatsoever to do with the browser user (think victim) other than happening to have been in the wrong place at the wrong time, as should be obvious to anyone with a fifth-grade education and a vague understanding of the meaning of the term drive by shooting, which is the analogy from which driveby downloads, etc, etc were named in the first place. user-initiated drive by download is thus, again obviously so, an oxymoron. Regards, Nick FitzGerald ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Re: [funsec] Seriously?
I LOVE stuff like this Just because of the security professionals that come running out of the woodwork to us asking us ... Hey you see this new thing?!?! It's totaly OH-day and I'll bet A/V doesn't detect it too!!... I use it as a gauge of how much those folks actually know, and try to avoid them in the future It really sucks when it's folks that work with you too! Used to happen in another gig years ago... Would never happen where I a now! LOL Mike B - Original Message - From: Jeffrey Walton [mailto:noloa...@gmail.com] Sent: Saturday, May 05, 2012 03:18 PM To: FunSec List funsec@linuxbox.org Subject: [funsec] Seriously? Seriously? The new threat of user-initiated drive by downloads? === Don’t Install Android Security Updates While Browsing the Web, http://www.gottabemobile.com/2012/05/04/dont-install-android-security-updates-while-browsing-the-web/ Surfing the web on Android is relatively safe, but a new threat tricks users into installing a trojan that calls itself a security update. Symantec discovered the Android.Notcompatible threat this week, calling attention to the new threat of user-initiated drive by downloads. Malware is a problem on Android smartphones, but it is typically reserved for infected fake games and apps found on third-party marketplaces. This new attack can happen on any infected webpage, and relies on tricking the user into installing the malware. ... ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list. ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Re: [funsec] Seriously?
So what's your bet on whether AV detects it? On Sat, May 5, 2012 at 7:40 PM, michael.blanch...@emc.com wrote: I LOVE stuff like this Just because of the security professionals that come running out of the woodwork to us asking us ... Hey you see this new thing?!?! It's totaly OH-day and I'll bet A/V doesn't detect it too!!... I use it as a gauge of how much those folks actually know, and try to avoid them in the future It really sucks when it's folks that work with you too! Used to happen in another gig years ago... Would never happen where I a now! LOL Mike B - Original Message - From: Jeffrey Walton [mailto:noloa...@gmail.com] Sent: Saturday, May 05, 2012 03:18 PM To: FunSec List funsec@linuxbox.org Subject: [funsec] Seriously? Seriously? The new threat of user-initiated drive by downloads? === Don’t Install Android Security Updates While Browsing the Web, http://www.gottabemobile.com/2012/05/04/dont-install-android-security-updates-while-browsing-the-web/ Surfing the web on Android is relatively safe, but a new threat tricks users into installing a trojan that calls itself a security update. Symantec discovered the Android.Notcompatible threat this week, calling attention to the new threat of user-initiated drive by downloads. Malware is a problem on Android smartphones, but it is typically reserved for infected fake games and apps found on third-party marketplaces. This new attack can happen on any infected webpage, and relies on tricking the user into installing the malware. ... ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list. ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list. ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Re: [funsec] Flash! TSA bans bread!
Date sent: Sun, 6 May 2012 10:54:21 +0900 From: peter evans pe...@ixp.jp Someone should televise the antics of the TSA, it might be good watching. A sort of combination of the it crowd and fawlty towers *Don't* mention the scanners! == (quote inserted randomly by Pegasus Mailer) rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org I have to inform you that my mind is registered as a deadly weapon with the RCMP Commercial Crimes Squad, Computer Crimes Division. victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links http://blogs.securiteam.com/index.php/archives/author/p1/ http://twitter.com/rslade ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Re: [funsec] Seriously?
I'll bet A/V detects this... BUT, I'll also bet it's rare to find AV running on the 'droids :-) Mike B From: Dan Kaminsky [mailto:d...@doxpara.com] Sent: Saturday, May 05, 2012 11:08 PM To: Blanchard, Michael (InfoSec) Cc: noloa...@gmail.com noloa...@gmail.com; funsec@linuxbox.org funsec@linuxbox.org Subject: Re: [funsec] Seriously? So what's your bet on whether AV detects it? On Sat, May 5, 2012 at 7:40 PM, michael.blanch...@emc.commailto:michael.blanch...@emc.com wrote: I LOVE stuff like this Just because of the security professionals that come running out of the woodwork to us asking us ... Hey you see this new thing?!?! It's totaly OH-day and I'll bet A/V doesn't detect it too!!... I use it as a gauge of how much those folks actually know, and try to avoid them in the future It really sucks when it's folks that work with you too! Used to happen in another gig years ago... Would never happen where I a now! LOL Mike B - Original Message - From: Jeffrey Walton [mailto:noloa...@gmail.commailto:noloa...@gmail.com] Sent: Saturday, May 05, 2012 03:18 PM To: FunSec List funsec@linuxbox.orgmailto:funsec@linuxbox.org Subject: [funsec] Seriously? Seriously? The new threat of user-initiated drive by downloads? === Don’t Install Android Security Updates While Browsing the Web, http://www.gottabemobile.com/2012/05/04/dont-install-android-security-updates-while-browsing-the-web/ Surfing the web on Android is relatively safe, but a new threat tricks users into installing a trojan that calls itself a security update. Symantec discovered the Android.Notcompatible threat this week, calling attention to the new threat of user-initiated drive by downloads. Malware is a problem on Android smartphones, but it is typically reserved for infected fake games and apps found on third-party marketplaces. This new attack can happen on any infected webpage, and relies on tricking the user into installing the malware. ... ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list. ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list. ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Re: [funsec] Seriously?
I was actually referring to the type of article that claims XYZ is a new threat I remember recently along with this drive by is new that there was a memory viruses are the new threat There are too many security professionals that get their recent news from C-net or information week :-( Mike B From: Blanchard, Michael (InfoSec) Sent: Saturday, May 05, 2012 11:55 PM To: 'd...@doxpara.com' d...@doxpara.com Cc: 'noloa...@gmail.com' noloa...@gmail.com; 'funsec@linuxbox.org' funsec@linuxbox.org Subject: Re: [funsec] Seriously? I'll bet A/V detects this... BUT, I'll also bet it's rare to find AV running on the 'droids :-) Mike B From: Dan Kaminsky [mailto:d...@doxpara.com] Sent: Saturday, May 05, 2012 11:08 PM To: Blanchard, Michael (InfoSec) Cc: noloa...@gmail.com noloa...@gmail.com; funsec@linuxbox.org funsec@linuxbox.org Subject: Re: [funsec] Seriously? So what's your bet on whether AV detects it? On Sat, May 5, 2012 at 7:40 PM, michael.blanch...@emc.commailto:michael.blanch...@emc.com wrote: I LOVE stuff like this Just because of the security professionals that come running out of the woodwork to us asking us ... Hey you see this new thing?!?! It's totaly OH-day and I'll bet A/V doesn't detect it too!!... I use it as a gauge of how much those folks actually know, and try to avoid them in the future It really sucks when it's folks that work with you too! Used to happen in another gig years ago... Would never happen where I a now! LOL Mike B - Original Message - From: Jeffrey Walton [mailto:noloa...@gmail.commailto:noloa...@gmail.com] Sent: Saturday, May 05, 2012 03:18 PM To: FunSec List funsec@linuxbox.orgmailto:funsec@linuxbox.org Subject: [funsec] Seriously? Seriously? The new threat of user-initiated drive by downloads? === Don’t Install Android Security Updates While Browsing the Web, http://www.gottabemobile.com/2012/05/04/dont-install-android-security-updates-while-browsing-the-web/ Surfing the web on Android is relatively safe, but a new threat tricks users into installing a trojan that calls itself a security update. Symantec discovered the Android.Notcompatible threat this week, calling attention to the new threat of user-initiated drive by downloads. Malware is a problem on Android smartphones, but it is typically reserved for infected fake games and apps found on third-party marketplaces. This new attack can happen on any infected webpage, and relies on tricking the user into installing the malware. ... ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list. ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list. ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Re: [funsec] Seriously?
Mike B wrote: I'll bet A/V detects this... BUT, I'll also bet it's rare to find AV running on the 'droids :-) But of course -- everyone knows that Android is based on Linux and _everyone_ knows Linux, _like all other Unix-y OSes, BSDs and thus Apple-OSes_, are inherently virus-immune. Fred Cohen sure made those early PC users look stupid... http://all.net/books/Dissertation.pdf Oh, wait, I was misremembering that, wasn't I??? ... Android, like Apple-OSes, shows the fallacy of all that historic BS. Make a Unix like machine anywhere near as usuable as Windows, for your run-of-the-mill typical computer user and guess what? Mostly the same security issues, as once the non-truly-expert users are using such OSes _and_ the manufacturers are in a competitive bidding war for sales, guess what turns out to most easily removed or at least watered- down? And before all the fan boiz get upset, notice that that is not a defence of MS doing it exceptionally _and deliberately_ crappily for their first two decades or so. It is just (part of) the explanation for why any given fan boiz' favourite nix-ish OS was never anywhere near as popular as Windows. Regards, Nick FitzGerald ___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.