Re: [SLUG] Linux doesn't have bad security...

2000-10-26 Thread Graeme Merrall

On Thu, Oct 26, 2000 at 01:36:38PM +1100, Rick Welykochy wrote:

> > On Thu, Oct 26, 2000 at 12:28:48PM +1100, Howard Lowndes wrote:
> > > Try the media.  They usually like a good Internet security beatup story.
> > >
> > Suggestions anyone?
> 
> How about the woman who wrote the damning article on a (fictitious)
> security hole in RH Linux based on A.Toad's crap.
> 
> Dominique Jackson from memory (The Australian) ... she owes us one ;^)

Well Dominique Jackson has gone on to fashion writing(!) but she passed it
onto someone else who has contacted me. He says he's contacted the new Eisa
owners about it - "who will probably say 'Huh?'". SO it will be interesting
if anything comes of it.

Cheers,
 Graeme
 


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug



Re: [SLUG] Linux doesn't have bad security...

2000-10-25 Thread Rick Welykochy

Graeme Merrall wrote:
> 
> On Thu, Oct 26, 2000 at 12:28:48PM +1100, Howard Lowndes wrote:
> > Try the media.  They usually like a good Internet security beatup story.
> >
> Suggestions anyone?

How about the woman who wrote the damning article on a (fictitious)
security hole in RH Linux based on A.Toad's crap.

Dominique Jackson from memory (The Australian) ... she owes us one ;^)


--
Rick Welykochy || Praxis Services Pty Limited
"If talk is cheap how do entrepreneurs make money?"





Re: [SLUG] Linux doesn't have bad security...

2000-10-25 Thread Graeme Merrall

On Thu, Oct 26, 2000 at 12:28:48PM +1100, Howard Lowndes wrote:
> Try the media.  They usually like a good Internet security beatup story.
> 
Suggestions anyone?

Cheers,
 Graeme


-- 
Turn on, dial in, geek out...





Re: [SLUG] Linux doesn't have bad security...

2000-10-25 Thread Howard Lowndes

Try the media.  They usually like a good Internet security beatup story.

-- 
Howard.
__
LANNet Computing Associates 

On Thu, 26 Oct 2000, tom burkart wrote:

> On Thu, 26 Oct 2000, Graeme Merrall wrote:
> 
> > people have bad security.
> > Why does this bother me? If I was an Eisa customer or even an ex-Eisa
> > customer with my details sitting on that server waiting for someone to come
> > along, I'd be getting on that phone pretty darn quick. I also hope that
> > other people will nag them into doing something about it or shame them into
> Sadly I have some "customers" like that.
>  - I have tried nagging
>  - I tried abusing the owner
> It hasn't worked (sounds like the good old adage: "It WON'T happen to
> us ..."), so I have given up and am just waiting for the inevitable to
> happen.  Anyone know what else to do (apart from doing it for free ;-)?
> 
> tom.
> Consultant
> 
> AUSSEC
> Phone: 61 4 1768 2202
> 339 Blaxland Rd., Ryde NSW 2112
> Email: [EMAIL PROTECTED]
> 
> 
> 
> 






Re: [SLUG] Linux doesn't have bad security...

2000-10-25 Thread Graeme Merrall

On Thu, Oct 26, 2000 at 11:59:03AM +1100, Jobst Schmalenbach wrote:

> > Why does this bother me? If I was an Eisa customer or even an ex-Eisa
> > customer with my details sitting on that server waiting for someone to come
> > along, I'd be getting on that phone pretty darn quick. I also hope that
> > other people will nag them into doing something about it or shame them into
> > it.
> 
> I am not sure whether you are or aren't (I understand you don't want to say that)
> but I wonder if it is possible to bring them to court for some case
> of "neglect of sth??", you might want to talk to your lawyer?

Yeah not sure if I want to go down that road of course. You'd have to prove
(and I'm no lawyer) that you actually lost something I spose. Does the
potential for something to happen equate or come close to it actually
happening? I'm thinking of someone taking me to court for driving a car
because I may hit them at some point. I suppose it's a question of odds.

> f u cn rd ths, u cn gt a gd jb n cmptr prgmmng. [Anon]
Hey! I can read that! :)

Cheers,
 Graeme





Re: [SLUG] Linux doesn't have bad security...

2000-10-25 Thread Jobst Schmalenbach

On Thu, Oct 26, 2000 at 11:38:47AM +1100, Graeme Merrall ([EMAIL PROTECTED]) wrote:
> people have bad security.
> 

[snip]

> 
> Why does this bother me? If I was an Eisa customer or even an ex-Eisa
> customer with my details sitting on that server waiting for someone to come
> along, I'd be getting on that phone pretty darn quick. I also hope that
> other people will nag them into doing something about it or shame them into
> it.

I am not sure whether you are or aren't (I understand you don't want to say that)
but I wonder if it is possible to bring them to court for some case
of "neglect of sth??", you might want to talk to your lawyer?



jobst



-- 
f u cn rd ths, u cn gt a gd jb n cmptr prgmmng. [Anon]

|__, Jobst Schmalenbach, [EMAIL PROTECTED], Technical Director|
|  _ _.--'-n_/   Barrett Consulting Group P/L & The Meditation Room P/L  |
|-(_)--(_)=  +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia|





Re: [SLUG] Linux doesn't have bad security...

2000-10-25 Thread tom burkart

On Thu, 26 Oct 2000, Graeme Merrall wrote:

> people have bad security.
> Why does this bother me? If I was an Eisa customer or even an ex-Eisa
> customer with my details sitting on that server waiting for someone to come
> along, I'd be getting on that phone pretty darn quick. I also hope that
> other people will nag them into doing something about it or shame them into
Sadly I have some "customers" like that.
 - I have tried nagging
 - I tried abusing the owner
It hasn't worked (sounds like the good old adage: "It WON'T happen to
us ..."), so I have given up and am just waiting for the inevitable to
happen.  Anyone know what else to do (apart from doing it for free ;-)?

tom.
Consultant

AUSSEC
Phone: 61 4 1768 2202
339 Blaxland Rd., Ryde NSW 2112
Email: [EMAIL PROTECTED]






Re: [SLUG] Linux doesn't have bad security...

2000-10-25 Thread John Ferlito

On Thu, Oct 26, 2000 at 11:38:47AM +1100, Graeme Merrall wrote:
> That's bad enough but here's the kicker. The forms posted to it are firstly
> not encrypted. Plain old HTTP for that including username, password and card
> details but they're also posted in the URL query string. Yes that's correct
> - the URL.
> Remember those remote exploits? This is script kiddie stuff. How trivial is
> it to gain a shell and then simply suck back the Apache access log to pull
> out all the query strings? It's some script kiddie's wet dream!

Forget the apache logs.

People on the list that work for ISP's have you grepped through
your squid logs for credit card numbers yet :)

> I mailed them ages ago to offer to fix it for them but of course no
> response. 
> 

-- 
John

The difference between a good man and a bad one is the 
choice of cause - William James





[SLUG] Linux doesn't have bad security...

2000-10-25 Thread Graeme Merrall

people have bad security.

Every now and then this pisses me off, but I'm more pissed off than normal
about it today so I thought I'd share it.  
I don't know if anyone has checked out the Eisa website (the ISP that would
be king) but this is a damn fine case in point of why Linux and unix in general
get a bad rap because of poor security. Remember, your machine is only as
secure as the swiss cheese you're running on it.
I'm not sure if doing this is kosher, but more for the general protection of
folks out there who have used Eisa I think it's important.

Machine: wzzx.eisa.net.au

Function: Eisa online signup server (remember this). Accepts and processes
online signups including credit card handling.

Details: Without poking too heavily it's a linux box running, wait for it,
Apache 1.0.5. Forms posted to it for signup processing go through the
database system mSQL. Probably some 2.0x version.

The problem: mSQL in any flavour is pretty horrid as far as security goes.
Buffer overruns etc abound. One notable bug was that you could telnet to the
mSQL port, press ctrl-C and bye bye server.
Other problems include the ability to overflow the buffer that w3-sql (the
scripting engine add-on) uses to get the script name to process and crash
the server and there are freely available remote exploits out on the net to
gain shell access on a machine running mSSQL. One good one opened up an
xterm for you :)
That's bad enough but here's the kicker. The forms posted to it are firstly
not encrypted. Plain old HTTP for that including username, password and card
details but they're also posted in the URL query string. Yes that's correct
- the URL.
Remember those remote exploits? This is script kiddie stuff. How trivial is
it to gain a shell and then simply suck back the Apache access log to pull
out all the query strings? It's some script kiddie's wet dream!

I mailed them ages ago to offer to fix it for them but of course no
response. 

Come on! This is the company that wanted to buy Ozemail. Thank god that fell
through...

Why does this bother me? If I was an Eisa customer or even an ex-Eisa
customer with my details sitting on that server waiting for someone to come
along, I'd be getting on that phone pretty darn quick. I also hope that
other people will nag them into doing something about it or shame them into
it.

Cheers,
 Graeme
 
-- 
Turn on, dial in, geek out...

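The exposure Graeme describes in the post above and John Ferlito's follow-up about squid logs both come down to the same thing: card details and passwords sent in a GET query string get written, in the clear, into every web server and proxy access log along the path. From the defender's side the first job is to find out how much of that is already sitting in your logs. The following is an added example, not code from any poster on this thread or from Eisa: it scans constructed Apache common-log-format lines (using publicly known test card numbers, not real accounts), Luhn-checks digit runs so random IDs don't trigger it, flags credential-looking parameter names even when the value isn't a card, and masks whatever it finds so the report is not a second copy of the leak.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache common log format (no real accounts;
# the card numbers are well-known test values).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [26/Oct/2000:11:38:47 +1100] "GET /signup?user=bob&pass=hunter2&card=4111111111111111&exp=0102 HTTP/1.0" 200 512
10.0.0.7 - - [26/Oct/2000:11:39:02 +1100] "GET /index.html HTTP/1.0" 200 2048
10.0.0.9 - - [26/Oct/2000:11:40:11 +1100] "GET /signup?user=alice&card=4111-1111-1111-1112 HTTP/1.0" 200 512
10.0.0.9 - - [26/Oct/2000:11:41:00 +1100] "GET /track?id=1234567890123 HTTP/1.0" 200 64
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')       # 13-19 digits, optional separators
SENSITIVE_NAME_RE = re.compile(r'pass|pwd|card|pan\b|cvv|cvc', re.I)  # names that never belong in a URL

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: separates PAN-shaped values from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_leaks_in_query(target: str):
    """Return (kind, param, evidence) for query params carrying a Luhn-valid PAN or a credential."""
    leaks = []
    for name, values in parse_qs(urlparse(target).query, keep_blank_values=True).items():
        for value in values:
            pans = [re.sub(r'[ -]', '', m.group(0)) for m in PAN_RE.finditer(value)]
            pans = [p for p in pans if luhn_ok(p)]
            if pans:                        # report only first six / last four, never the full PAN
                leaks.extend(('pan', name, p[:6] + '*' * (len(p) - 10) + p[-4:]) for p in pans)
            elif SENSITIVE_NAME_RE.search(name):
                leaks.append(('sensitive-param', name, '<redacted>'))
    return leaks

def scan_access_log(text: str):
    """Return (line_no, client_ip, kind, param, evidence) for each logged request leaking data via its URL."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            client = line.split(' ', 1)[0]
            findings.extend((n, client, *leak) for leak in find_leaks_in_query(m.group('target')))
    return findings

if __name__ == '__main__':
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print('line %d from %s: %s in parameter %r (%s)' % finding)
```

The same scanner runs unchanged over squid's access.log once the request-line regex is swapped for squid's native format, which is the check John suggests above.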
