In the wise words of [EMAIL PROTECTED], on Thursday 01 December 2005
18:57:
[SNIP]
> Using crypto all the way from the web server to a smart-card (so all the
> compromised system can see is encrypted data it can't get the key for) can
> help yere.
Even then, you would need a card reader with inte
The original message was received Mon, 21 Nov 2005 10:10:58 +0100
from -
- The following address(es) had permanent fatal errors -
<[EMAIL PROTECTED]>; originally to [EMAIL PROTECTED] (unrecoverable error)
The mail system encountered a delivery failure, code -11.
This fai
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 915-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
December 2nd, 2005
WinEggDropShell Multiple Remote Stack Overflow
by Sowhat
2005.12.02
http://secway.org/advisory/AD20051202.txt
http://secway.org/exploit/wineggdropshell_bof.py.txt
Affected:
WinEggDropShell Eterntiy version (1.7)
Other version may be vulnerable too
Overview:
WinEggDropShell is a popular Ch
nah, screen grabber and keylogger installed on system, compromised password.
Biometrics, SecurID, one time password, usb key fob, actual physical key,
something that is not on the system is what would be needed to be secure...
perhaps not totally secure, but pretty damn secure using more t
>
> > That is a "help and support account" that you should disable.
> > Also set very long random password and forget it.
> I prefer simply delete it. Good choice?
>
> But I heard a rumours that this account can be activated remotely
> without user's aware decision and used for Remote Assistance
> How about one-time passwords? Just go ahead and *let* them
> keylog it all
> they like; by the time they've snarfed a pw, it's no use any
> more. (See S/Key for more details.)
Please no one time passwords: they are a nightmare to manage
_
> I'm looking for input on what you all believe the most common
> keystroke loggers are.
http://keylogger.org/ claims to be an independent testing site
for all keyloggers, but they have all the old versions of the
Keylogger.
You can use this site as starting point for your search.
Visit the
> Hi list, I've been a firm advocate of Sygate Pro for some
> time but as Symantec
> has bought and canned it I'm wondering what you guys would
> recommend as a
> replacement.
Tiny Firewall 2005 works for both 64 and 32 bit machines
And is good - I have been using in since version 2.1.5
And no
synchronet! Me too! I loved my Synchronet BBS back in the day :-) RIP
graphic support, all the doors you could muster...
I had forgotten how much fun the scriptable co-sysop was :-)
Exibar
(Exibar's Lair BBS (whoop whoop!)
> -Original Message-
> From: mary [mailto:[EMAIL PROTECT
Is there something wrong with Zone Alarm? ;-)
>
> Also, it was just announced today by Sunbelt Software that they
> are picking up Kerio.
>
> http://www.sunbelt-software.com/Press.cfm?id=134
>
> - ferg
Hi Fergie, I quite like the fact that Kerrio is light on sys resources as not
all my clients hav
>
> > Why cant you use google to find out this ?
>
> The same reason you can't use Google and find your answer fuckbag.
Are you n3td3v ?
>
> > *In the para 4*
> > "Protecting whistleblowers is an essential component of an ethical
> > and open work environment."
>
> No mention of an anon emai
As many folks have pointed out and consistent with the recent Dyad
advisory, these bugs are indeed exploitable. I only mention this because
a reporter quoted someone who quoted my original message and then used it
to downplay the severity of the problem.
$ perl -e 'printf("%2918905856\$vs")'
Is there something wrong with Zone Alarm? ;-)
Also, it was just announced today by Sunbelt Software that they
are picking up Kerio.
http://www.sunbelt-software.com/Press.cfm?id=134
- ferg
-- Paul Stephens <[EMAIL PROTECTED]> wrote:
Hi list, I've been a firm advocate of Sygate Pro for some tim
See below marc email part
>> Aditya Deshmukh [EMAIL PROTECTED] wrote:
>>
>>If you read the last line in para 6 you will find that anon
>> mailbox is
>> a requirement for SOX compliance.
>>
>> >And mailbox was ment for email Michael :)
>>
>> >But I think that "with a post and some concrete" ma
Title: [xfocus-SD-051202]openMotif-libUil-Multiple_vulnerability
Affected version : openmotif 2.2.3(not got 2.2.4,so not test in
openmotif 2.2.4)
Product: http://www.motifzone.net/
xfocus (http://www.xfocus.org) have discovered multiple vulnerability in
openmotif libUil library. details followin
Hi list, I've been a firm advocate of Sygate Pro for some time but as Symantec
has bought and canned it I'm wondering what you guys would recommend as a
replacement.
>From the limited testing I've done I'm leaning toward Ghostwall for XP64 &
Outpost for 32bit machines.
Any suggestions welcomed.
Come on... lets go right old school. I loved and ran RA
right old school? Hm, okies! ..didn't care for RA, personally - I ran
Synchronet and RENEGADE. Thinking back.. Synchronet's scriptable co-sysop
was a lot of fun..
-m
Pfft..
RENEGADE all the way :>
WWIV was great for modding too.
I wrote:
> I also don't see how having a button change to be blank after
> mousing over it effects people with fine motor skills.
Apologies, "fine motor skills" should have been "accessibility
problems relating to fine motor skill deficiencies or problems".
Z.
__
eng.nprotect.co.kr
comes to mind.
-m
Hi All,
I'm looking for input on what you all believe the most common keystroke
loggers are. I've been challenged to write an authentication method (for
a web site) that can be secure while using a compromised system.
Thanks,
Shannon
__
Nick Fitzgerald wrote:
You are deeply confused if you think "is totally trivial and hasn't
been attacked _yet_" is in any meaningful way "more secure"
than "is equally trivial and has already been broken".
And if that was what I was talking about, fair enough, but seeing
as I'm not ... all I was
Kyle Lutze to Blue Boar:
<>
> > Note, however, that "keyloggers" that grab some portion of the screen
> > surrounding the mouse pointer every time you click have already been
> > observed in the wild. They are designed to specifically defeat this
> > kind of mechanism.
> >
> Actually, I think
2005/12/1, Nick FitzGerald <[EMAIL PROTECTED]>:
> Some South American banks currently under massive identity
> theft/keylogging "attack" (like Banco Brasil) apparently don't talk to
> others in the banking industry, as some have recently started using
> such "on-screen keyboards" to "defeat" the ke
Kyle Lutze wrote:
say somebody's password is foobar, on screen there would be a page that
shows the new alignment of characters,such as saying a=c, d=3, b=z, etc.
so instead of typing foobar the password they would type in for that
session would be hnnzck.
The next time the screen came up, it
Blue Boar wrote:
Shannon Johnston wrote:
Hi All,
I'm looking for input on what you all believe the most common keystroke
loggers are. I've been challenged to write an authentication method (for
a web site) that can be secure while using a compromised system.
I don't think that's possible for
[EMAIL PROTECTED] to Lyal Collins:
> >In 1996, this virtual keypad concept was broken by taking 10x10 pixel images
> >under the cursor click, showing the number/letters used in that password.
> >
> >Virtual keypads are just a minor change of tactics, not a long term
> >resolution to this risk, imh
Just expand the size of the image captured under the hotspot to include
surrounding buttons.
If the image shows the values "around" the button clicked, it makes it
possible (but less trivial) to infer the value clicked.
Having a totally blank on-screen keypad might work - let the
users guess the
Typo - I meant 1997 NOT 1996.
-Original Message-
From: Lyal Collins [mailto:[EMAIL PROTECTED]
Sent: Friday, 2 December 2005 9:42 AM
To: 'deepquest'; '[EMAIL PROTECTED]'
Cc: 'Full-Disclosure'
Subject: RE: [Full-disclosure] Most common keystroke loggers?
In 1996, this virtual keypad conce
two irrelevancies for you folks
>WildCAT BBS Anyone :)
>
>I remember playing tradewars and calling who knows where to get new
text
>files :)
>
>Used Tone-loC a lot more back then :)
>
I rember my first zmodem download. I dropped it in the middle to test
the resume feature. When I saw it work
At 9:41 AM +1100 2/12/05, Lyal Collins wrote:
>In 1996, this virtual keypad concept was broken by taking 10x10 pixel images
>under the cursor click, showing the number/letters used in that password.
>
>Virtual keypads are just a minor change of tactics, not a long term
>resolution to this risk, imh
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Several errors in your poc,
if(argc == 7) (your usage says 5 or 6...)
And
if(argc < 6 || argv[argc-1][0] != 'S')
What a leet script kiddie protection lol , keep it up :>
- -Message d'origine-
De : [EMAIL PROTECTED]
[mailto:[
Yes, obviously not perfect or even near, i didn't even say that. Just a
plus, an alternative to having to depend on keyboard / screen / files to
help out with the authentication discussed.
php0t
- Original Message -
From: "Nick FitzGerald" <[EMAIL PROTECTED]>
To:
Sent: Friday, De
"Usage once" is not an effeective measure against mitm attacks, as has been
discussed earlier in this thread.
Give user error message, while executing txn of attacker's choice on the
victim site with the legitimate user's authority.
How do disputed transactions get resovled in this supposedly more
php0t wrote:
[top-posting-itis corrected]
> > I agree but what about the second random password and challenge
> > authentification? Both should be unique and usage once.
>
> How'bout adding direct printing on lpt of new one-time usage passwords? :)
So you will limit access to your services t
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Cisco Security Advisory: IOS HTTP Server Command Injection Vulnerability
Document ID: 68322
Advisory ID: cisco-sa-20051201-http
http://www.cisco.com/warp/public/707/cisco-sa
deepquest wrote:
> To me the only thing that can defeat keystroke is what a software or
> trojan can not do: See (OCR is just a partial application of guess
> but not applicable in that case)
Then you are so far inside the box you cannot see the walls...
The OP said "keystroke logger" BUT he als
How'bout adding direct printing on lpt of new one-time usage passwords? :)
In order to get the passwords, they'd have to hook the printing, too. Not
too common, yet.
I agree but what about the second random password and challenge
authentification? Both should be unique and usage once.
_
In 1996, this virtual keypad concept was broken by taking 10x10
pixel images
under the cursor click, showing the number/letters used in that
password.
Virtual keypads are just a minor change of tactics, not a long term
resolution to this risk, imho.
I agree but what about the second rando
In 1996, this virtual keypad concept was broken by taking 10x10 pixel images
under the cursor click, showing the number/letters used in that password.
Virtual keypads are just a minor change of tactics, not a long term
resolution to this risk, imho.
Lyal
-Original Message-
From: [EMAIL
Spamo-Squaters on FD list?
Nice auto-reply. We should do a hall shame for those!
-D
Début du message réexpédié :
De : "4Daily.com Hotline" <[EMAIL PROTECTED]>
Date : 1 décembre 2005 23:28:02 HNEC
À : [EMAIL PROTECTED]
Objet : [HWU-83468]: Re: [Full-disclosure] Most common keystroke
loggers?
David Harker wrote:
> It may be easier and safer to require the user to follow onscreen
> instructions for character substitution into their password than attempt
> to defeat many individual bits of software. Since it's online, a munged
> dynamic image could be used to supply the instructions quit
Gustavo wrote:
> If you want to provide reliable authentication, given that the user
> has a keystroke logger installed, you may simply use a visual keyboard
> written in Java.
Dude -- you really are out of your depth here...
Barclays (and other UK banks?) were doing this in the late 90s. Withi
Dave Korn wrote:
> How about one-time passwords? Just go ahead and *let* them keylog it all
> they like; by the time they've snarfed a pw, it's no use any more. (See
> S/Key for more details.)
Ignoring the silliness of pre-printed lists of of OTP (such as some
European banking systems' TAN
To me the only thing that can defeat keystroke is what a software or
trojan can not do: See (OCR is just a partial application of guess
but not applicable in that case)
Imagine a web page with a virtual keyboard page (clickable). In order
to prevent the localisation on the keys mapping based
Edgewall Trac SQL Injection Vulnerability
Trac is an enhanced wiki and issue tracking system
for software development project. It provides an
interface to Subversion.
More information on http://projects.edgewall.com/trac/
Description:
Malicious user can conduct SQL injection in ticket query mo
If you want to provide reliable authentication, given that the user
has a keystroke logger installed, you may simply use a visual keyboard
written in Java.
Banks have already started doing this .. and phishers have responded
with framegrabbing loggers.
~Mike.
_
If the user is passed to a phishing site that ask for the OTP, the user
enters it, the phishing site can return a error and instruct the user to
use the next OTP password, hence giving the attacker any number of
OTPthe OTP ones that are list based anyways.
Social Darwinism :
Try to make som
This is exploitable - Immunity has a PoC exploit in our Partner's
section written by Bas Alberts.
Thanks,
Dave Aitel
Immunity, Inc.
[EMAIL PROTECTED] wrote:
Hello!
I succeeded in crashing webmin 1.230 with:
username %n
password
after klicking 4 times on "Login" webmin was dead.
There w
Very True..
The BBS and door game back in the days kept me interested to learn and
luckily I get to down security full time now... it's just fun.. (
mostly )
I remember back when we where all playing doom on 9600 modems and
hacking around with the USR robotic connection strings.. I really
enjoy
Christopher Carpenter wrote:
Yeah, and if you didn't register V-X after like 90 days, it formatted
your hard drive.
Imagine if an application tried that today.
They'd defend their position as a DRM strategy and after a long battle
would finally recall their products, only leaving them on s
Josh Perrymon wrote:
WildCAT BBS Anyone :)
I remember playing tradewars and calling who knows where to get new text
files :)
Used Tone-loC a lot more back then :)
And Renegade, WWIV, MajorBBS + clones... Those were the days. I
remember Tradewars, but I was more of a BRE fan myself.
Hello pot...this is kettlejeessh!
On 12/1/05 9:14 PM, "InfoSecBOFH" <[EMAIL PROTECTED]> wrote:
> On 12/1/05, Christian kopacsi <[EMAIL PROTECTED]> wrote:
>> InfoSecBOFH,
>> Show me on the doll where they touched you. You should see a therapist to
>> get a grip on all your issues. And w
If the user is passed to a phishing site that ask for the OTP, the user
enters it, the phishing site can return a error and instruct the user to
use the next OTP password, hence giving the attacker any number of
OTPthe OTP ones that are list based anyways.
> -Original Message-
> From:
On 12/1/05, Christian kopacsi <[EMAIL PROTECTED]> wrote:
> InfoSecBOFH,
> Show me on the doll where they touched you. You should see a therapist to
> get a grip on all your issues. And why would you talk shit about Clement?
> He has done so much for the Infosec community.
Now that is a great res
-Original Message-
From: Blue Boar
Sent: Friday, December 02, 2005 12:15 AM
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Most common keystroke loggers?
Shannon Johnston wrote:
> Hi All,
> I'm looking for input on what you all believe the most
Dear Dave Korn,
DK> How about one-time passwords? Just go ahead and *let* them keylog it all
DK> they like; by the time they've snarfed a pw, it's no use any more. (See
DK> S/Key for more details.)
ITAN I hear you scream. Oh yes.. keylogger fakes that the OTP is not
accepted, user enters a new
If you want to provide reliable authentication, given that the user
has a keystroke logger installed, you may simply use a visual keyboard
written in Java.
regards,
Gustavo
2005/12/1, Shannon Johnston <[EMAIL PROTECTED]>:
> Hi All,
> I'm looking for input on what you all believe the most common k
Blue Boar wrote in news:[EMAIL PROTECTED]
> Shannon Johnston wrote:
>> Hi All,
>> I'm looking for input on what you all believe the most common keystroke
>> loggers are. I've been challenged to write an authentication method (for
>> a web site) that can be secure while using a compromised system.
>
InfoSecBOFH,
Show me on the doll where they touched you. You should see a therapist to get a grip on all your issues. And why would you talk shit about Clement? He has done so much for the Infosec community.
On 11/24/05, InfoSecBOFH <[EMAIL PROTECTED]> wrote:
Bottom line is... and you can igno
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
It may be easier and safer to require the user to follow onscreen
instructions for character substitution into their password than attempt
to defeat many individual bits of software. Since it's online, a munged
dynamic image could be used to supply the
Hello!
I succeeded in crashing webmin 1.230 with:
username %n
password
after klicking 4 times on "Login" webmin was dead.
There were no logs at all, and no error was shown in the web interface...
Any idea if it's really exploitable (executing code I mean)? Is anyone working
on a POC?
[EMAI
Hello!
I succeeded in crashing webmin 1.230 with:
username %n
password
after klicking 4 times on "Login" webmin was dead.
There were no logs at all, and no error was shown in the web interface...
Any idea if it's really exploitable (executing code I mean)? Is anyone working
on a POC?
[EMAI
Haha disregard my previous post, forgot to disable my AV program.
Thinks it's a trojan.
Very Unprivate Software wrote:
Since the purpose is showing that the authentication method is "safe"
even on a compromised system (hm, hm...) the keystroke logger doesn't
have to be common, the point
Whats up with www.zorro.hu/sc-kl/
I download the .dll file to my desktop along with the .exe and they
dissapear. Strange. Dos dosent show them, either does attrib.
[EMAIL PROTECTED] wrote:
On Thu, Dec 01, 2005 at 12:57:16PM -0500, [EMAIL PROTECTED] wrote:
Forget it. You can't do it with
Shannon Johnston wrote:
Hi All,
I'm looking for input on what you all believe the most common keystroke
loggers are. I've been challenged to write an authentication method (for
a web site) that can be secure while using a compromised system.
I don't think that's possible for all compromise situ
On Thu, Dec 01, 2005 at 12:57:16PM -0500, [EMAIL PROTECTED] wrote:
> Forget it. You can't do it without going to two-factor authentication,
> *and* make sure that the second factor is *not* subvertible by the
> compromised system (for instance, even a SecureID won't totally work,
> because the key
On Thu, 01 Dec 2005 10:24:50 MST, Shannon Johnston said:
> I'm looking for input on what you all believe the most common keystroke
> loggers are. I've been challenged to write an authentication method (for
> a web site) that can be secure while using a compromised system.
Forget it. You can't do
Since the purpose is showing that the authentication method is "safe" even
on a compromised system (hm, hm...) the keystroke logger doesn't have to be
common, the point is to show that the system is "under control". For that,
just plant a vnc server, with that you can even do a nifty presenta
On Thu, Dec 01, 2005 at 10:24:50AM -0700, Shannon Johnston wrote:
> I'm looking for input on what you all believe the most common keystroke
> loggers are. I've been challenged to write an authentication method (for
> a web site) that can be secure while using a compromised system.
I can think of a
Hi All,
I'm looking for input on what you all believe the most common keystroke
loggers are. I've been challenged to write an authentication method (for
a web site) that can be secure while using a compromised system.
Thanks,
Shannon
___
Full-Disclosure
Google "sox whistleblowers" = hard work
But let me help you,
http://www.whistleblowers.org/html/sox_whistleblower_statute.htm
jeff Wilder wrote:
>Can some please send me the actual regulation that states or validates
the comments of
>http://www.nonprofitrisk.org/nwsltr/archive/employprac0910
Can some please send me the actual regulation that states or validates the
comments of
http://www.nonprofitrisk.org/nwsltr/archive/employprac091005-p.htm ?
I am in this very situation right now.
-Jeff Wilder
CISSP,CCE,C/EH
-BEGIN GEEK CODE BLOCK-
Version: 3.1
GIT/CM/CS/O
Drupal security advisory DRUPAL-SA-2005-009
Advisory ID:DRUPAL-SA-2005-009
Project:Drupal core
Date:
Drupal security advisory DRUPAL-SA-2005-008
Advisory ID:DRUPAL-SA-2005-008
Project:Drupal core
Date:
Drupal security advisory DRUPAL-SA-2005-007
Advisory ID:DRUPAL-SA-2005-007
Project:Drupal core
Date:
SUMMARY. perl suffers from an integer wrap overflow inside the explicit
parameter format string functionality, this has been confirmed to be a
vector for remote code execution.
Date Found: September 23, 2005.
Public Release: TBD.
Application:perl
Credit: Jack Louis of Dyad Security
Yeah, and if you didn't register V-X after like 90 days, it formatted
your hard drive.
Imagine if an application tried that today.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of MH
Sent: Wednesday, November 30, 2005 11:53 PM
To: full-disclosure@lists.gro
IANAL, But IMO use an Intranet web page that allows employees to submit
anonymous html post to the web server via html. Now if your security
policy is pervasive then surely auditing is enabled on all your systems,
thus removing any anonymity this would have provided. Have you
considered, dare I s
Roland Ruf wrote:
Cool stuff.. *lol*
I do not think, that the FBI is still using this old analogue recorders in
Total recording mode connected to the analogue extensions...
That may have worked 10 or 15 years ago depending on many things like the
connection type, the way the recorder detec
===
Ubuntu Security Notice USN-221-1 December 01, 2005
ipsec-tools vulnerability
CVE-2005-3732
===
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Wa
===
Ubuntu Security Notice USN-220-1 December 01, 2005
w3c-libwww vulnerability
CVE-2005-3183
===
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty War
Cool stuff.. *lol*
I do not think, that the FBI is still using this old analogue recorders in
Total recording mode connected to the analogue extensions...
That may have worked 10 or 15 years ago depending on many things like the
connection type, the way the recorder detects the signal, etc, but I
On 01/12/05, pagvac <[EMAIL PROTECTED]> wrote:
> Even in corp environments you still see some users running admin
> privileges. Yes, I agree, it doesn't happen as often as in home
> environments, but it *does* happen.
Our corporate environment is almost completely full of administrators.
The EMEA
coderman wrote,
> heheheh
>
> http://seattlepi.nwsource.com/national/250215_wiretap30.html
//snip
> The tone, also known as a C-tone, sounds like a low buzzing and
> is "slightly annoying,"
Obtaining a snooping order based on the fact that this C-tone was
detected should be easy. Did you know
On 11/29/05, Andrew Simmons <[EMAIL PROTECTED]> wrote:
> pagvac wrote:
>
> > Again, my testing is based on today's reality which is that most
> > Windows users use administrative accounts for regular tasks such as
> > web browsing and using their email clients.
>
>
> er, not really. Home users, per
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 914-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
December 1st, 2005
Hello, James Tucker!
On 01.12.2005 11:27 you wrote:
Someone is actually spreading rumors of a service being abused that
isn't even listening at the time?
RA requires the RA server to be launched.
Don't leave un-closed tickets or RA support connection scripts hanging
around.
Of course :) bu
SUMMARY. perl suffers from an integer wrap overflow inside the explicit
parameter format string functionality, this has been confirmed to be a
vector for remote code execution.
Date Found: September 23, 2005.
Public Release: TBD.
Application:perl
Credit: Jack Louis of Dyad Security
88 matches
Mail list logo