[Full-disclosure] Technology and your Security Program

2007-10-11 Thread Kelly Robinson
*Why should technology be the final tier to be fully implemented in a security program?* I am thinking in terms of the Digital Liability Management model: http://daemonic.wordpress.com/2006/04/26/it-security/

[Full-disclosure] GranParadiso persistent connexion ?

2007-10-11 Thread Advisories ZATAZ
Hello, Just try this : - go to this page with GranParadiso http://video.music.yahoo.com/up/music/music/?rn=1301797&vid=45557508&stationId=&curl=http%3A%2F%2Fmusic.yahoo.com%2Fmusicvideos Wait until the video starts and you begin hearing sound. Now just close the tab you have opened, yo

Re: [Full-disclosure] Email Disclaimers...Legally Liable if breached?

2007-10-11 Thread Troy
On 10/11/07, Ray P <[EMAIL PROTECTED]> wrote: > > There is a good reason. There are two types of copyrights in the US: > implicit and registered. For a long time now, a work receives an implicit > copyright at the instant it is created. If someone violates an implicit > copyright, the owner's only

Re: [Full-disclosure] Email Disclaimers...Legally Liable if breached?

2007-10-11 Thread Troy
On 10/11/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > > The problem is that it's *really* hard to write the disclaimer with a > copyright > attached to it. The tricky part is to figure out how to make it *legal* > to > cite the text in a reply - how would you phrase your copyright statement

Re: [Full-disclosure] Jack Bauer Gets Jailed!

2007-10-11 Thread phioust
part b can be said about your email also On 10/11/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > > On Wed, 10 Oct 2007 19:41:30 BST, worried security said: > > > Even the government goto jail sometimes... > > > > Kiefer Sutherland, the star of hit TV show '24' has been given 48 days > in > >

Re: [Full-disclosure] Email Disclaimers...Legally Liable if breached?

2007-10-11 Thread Ray P
There is a good reason. There are two types of copyrights in the US: implicit and registered. For a long time now, a work receives an implicit copyright at the instant it is created. If someone violates an implicit copyright, the owner's only legal recourse is to go to court and get an order to

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread Gautam R. Singh
My employer does this, but I think it's easier to fool users, say we craft a website which again asks for username/password & most users will blindly give away their credentials thinking of it as a new session.. On 10/11/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > > Not to step in to the mi

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread John C. A. Bambenek, CISSP
Security in depth is a tactic, not a process or definition. And it works for what it's designed to, which is the same thing most security solutions are designed to. That is, they raise the bar of entry. Ideally, it makes it hard to find the one kink in the armor to bring it all down and makes th

[Full-disclosure] Tikiwiki 1.9.8 exploit ITW

2007-10-11 Thread Moritz Naumann
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi, there's a tikiwiki (tikiwiki.org) remote code execution exploit in the wild, targeting v.1.9.8 and earlier. This vulnerability is being exploited by multiple hosts (likely a botnet) using multiple payload websites since at least Tue 08:00 PM UT

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread Xo Plague
pdp (architect) wrote: > Thor, with no disrespect but you are wrong. Security in depth does not > work and I am not planning to support my argument in any way. This is > just my personal humble opinion. I've seen only failure of the > principles you mentioned. Security in depth works only in a perf

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread Jim Harrison
"..I am not planning to support my argument in any way.." That's a shame. If you can prove your hypothesis, it lends credibility to your claims. A refusal to do so only weakens your position. As others have pointed out, your attack only works if security in depth has been blatantly, intentionally

[Full-disclosure] rPSA-2007-0214-1 initscripts

2007-10-11 Thread rPath Update Announcements
rPath Security Advisory: 2007-0214-1 Published: 2007-10-11 Products: rPath Linux 1 Rating: Minor Exposure Level Classification: Local Information Exposure Updated Versions: [EMAIL PROTECTED]:1/8.12-8.10-1 rPath Issue Tracking System: https://issues.rpath.com/browse/RPL-1825 Descriptio

[Full-disclosure] S21SEC-037-en: OPAL SIP Protocol Remote Denial of Service

2007-10-11 Thread S21sec Labs
## - S21Sec Advisory - ## Title: OPAL SIP Protocol Remote Denial of Service ID: S21SEC-037-en Severity: Medium - Remote DoS Histor

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread full-disclosure
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 SHUT UP VLADIS On Thu, 11 Oct 2007 14:54:52 -0400 [EMAIL PROTECTED] wrote: >On Wed, 10 Oct 2007 14:05:28 EDT, [EMAIL PROTECTED] >said: > >> SHUT UP VLADIS IF ANYONE CARED THEY WOULD JUST FREQUENT YOUR >BLOG >> GET OFF THIS LIST THIS IS FOR SERIOUS SEC

Re: [Full-disclosure] Email Disclaimers...Legally Liable if breached?

2007-10-11 Thread full-disclosure
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 VLADIS YOU ARE NOT LAWYER! YOU DO NOT EVEN KNOW HOW TO USE COMPUTER! SHUT UP VLADIS! On Thu, 11 Oct 2007 13:56:36 -0400 [EMAIL PROTECTED] wrote: >On Wed, 10 Oct 2007 22:44:08 PDT, Troy said: > >> I'm surprised we don't see more disclaimers with a co

Re: [Full-disclosure] Email Disclaimers...Legally Liable ifbreached?

2007-10-11 Thread full-disclosure
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 VLADIS YOU ARE NOT LAWYER! SHUT UP VLADIS! On Thu, 11 Oct 2007 13:52:08 -0400 [EMAIL PROTECTED] wrote: >On Thu, 11 Oct 2007 12:38:02 +1000, Kelly Robinson said: > >> specific examples at the moment) I am wondering if Disclaimers >can be >> referenced

Re: [Full-disclosure] Jack Bauer Gets Jailed!

2007-10-11 Thread Timo Schoeler
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Thus "Slythers Bro" <[EMAIL PROTECTED]> spake on Thu, 11 Oct 2007 22:29:30 +0200: > n3td3v here it's Full Disclosure, not a gay tv series fan mailing list didn't know Canadians are also homophobic. what a shame. -BEGIN PGP SIGNATURE- Versio

Re: [Full-disclosure] Jack Bauer Gets Jailed!

2007-10-11 Thread Slythers Bro
n3td3v here it's Full Disclosure, not a gay tv series fan mailing list

Re: [Full-disclosure] Jack Bauer Gets Jailed!

2007-10-11 Thread Valdis . Kletnieks
On Wed, 10 Oct 2007 19:41:30 BST, worried security said: > Even the government goto jail sometimes... > > Kiefer Sutherland, the star of hit TV show '24' has been given 48 days > in > jail, we can reveal. Wake us up when you: a) Figure out the difference between an actor and his role.

[Full-disclosure] iDefense Security Advisory 10.11.07: Multiple Vendor FLAC Library Multiple Integer Overflow Vulnerabilities

2007-10-11 Thread iDefense Labs
Multiple Vendor FLAC Library Multiple Integer Overflow Vulnerabilities iDefense Security Advisory 10.11.07 http://labs.idefense.com/intelligence/vulnerabilities/ Oct 11, 2007 I. BACKGROUND Free Lossless Audio Codec (FLAC) is a popular file format for audio data compression. AOL Corp.'s Winamp me

[Full-disclosure] EEYE: CA BrightStor ArcServe Backup Server Arbitrary Pointer Dereference

2007-10-11 Thread eEye Advisories
CA BrightStor ARCserve Backup Server Arbitrary Pointer Dereference Release Date: October 11, 2007 Date Reported: June 18, 2007 Severity: High (Remote Code Execution) Vendor: Computer Associates (CA) Systems Affected: BrightStor ARCserve Backup 11.5 BrightStor ARCserve Backup 11.1 BrightStor AR

Re: [Full-disclosure] Email Disclaimers...Legally Liable if breached?

2007-10-11 Thread Kurt Buff
I'd guess that the only disclaimer that carries any weight, and it'll probably be minimal, is the kind that says something along the lines of "The person who wrote this email is not an officer of the organization, and statements contained herein that contradict organization policy are not enforceab

[Full-disclosure] [USN-529-1] Tk vulnerability

2007-10-11 Thread Kees Cook
=== Ubuntu Security Notice USN-529-1 October 11, 2007 tk8.3, tk8.4 vulnerability CVE-2007-5137 === A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubu

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread Alex Everett
That may be a possible process/policy in some environments, but probably not most. Take education/academic environments for example. We really have to try to balance competing interests. For example, the very security and accessibility issues you describe on a macro scale. Not to mention other i

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread Valdis . Kletnieks
On Wed, 10 Oct 2007 14:05:28 EDT, [EMAIL PROTECTED] said: > SHUT UP VLADIS IF ANYONE CARED THEY WOULD JUST FREQUENT YOUR BLOG > GET OFF THIS LIST THIS IS FOR SERIOUS SECURITY MATTERS ONLY You seem a tad confused regarding the use of the "reply" button, since: > On Wed, 10 Oct 2007 07:14:32 -0400

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread pdp (architect)
gboyce, cheers... nice example! although I had something else in mind. maybe I shouldn't have used the term "security in depth" since your version differs a bit from mine. I guess different semantics. but yes, I agree that systems, processes, data, etc need to be separated and blended into a balan

[Full-disclosure] [CAID 35724, 35725, 35726]: CA BrightStor ARCserve Backup Multiple Vulnerabilities

2007-10-11 Thread Williams, James K
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Title: [CAID 35724, 35725, 35726]: CA BrightStor ARCserve Backup Multiple Vulnerabilities CA Vuln ID (CAID): 35724, 35725, 35726 CA Advisory Date: 2007-10-10 Reported By: Anonymous researcher working with the iDefense VCP (CVE-2007-5325) Dyon Bald

[Full-disclosure] Jack Bauer Gets Jailed!

2007-10-11 Thread worried security
Even the government goto jail sometimes... Kiefer Sutherland, the star of hit TV show '24' has been given 48 days in jail, we can reveal. According to the New York Daily News, Kiefer, who's known for his prominent role as 'Jack Bauer' in the hit TV series must serve 18 days starting Dec. 21 to

[Full-disclosure] October Microsoft Tuesday

2007-10-11 Thread Todd Manning
BreakingPoint Systems is making available the details we have discovered from October's Microsoft Tuesday patches. We have released details on what we've discovered so far to our Strike Center blog: https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday We app

Re: [Full-disclosure] Email Disclaimers...Legally Liable if breached?

2007-10-11 Thread Valdis . Kletnieks
On Wed, 10 Oct 2007 22:44:08 PDT, Troy said: > I'm surprised we don't see more disclaimers with a copyright statement in > them. I would think that using copyright law as an argument against > unauthorized distribution of an email would stand a better chance in court > than a non-binding disclaime

Re: [Full-disclosure] Email Disclaimers...Legally Liable ifbreached?

2007-10-11 Thread Valdis . Kletnieks
On Thu, 11 Oct 2007 12:38:02 +1000, Kelly Robinson said: > specific examples at the moment) I am wondering if Disclaimers can be > referenced in a courtroom in a client's defence and if not, is it specifically There is one place that the "This message may contain privileged information" variety of

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread gboyce
Well, what is your definition of "Security in Depth"? On Thu, 11 Oct 2007, pdp (architect) wrote: > gboyce, cheers... nice example! although I had something else in mind. > maybe I shouldn't have used the term "security in depth" since your > version differs a bit from mine. I guess different sem

Re: [Full-disclosure] Email Disclaimers...Legally Liable if breached?

2007-10-11 Thread full-disclosure
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 None of you are lawyers. SHUT UP VLADIS. On Thu, 11 Oct 2007 01:44:08 -0400 Troy <[EMAIL PROTECTED]> wrote: >On 10/10/07, Ray P <[EMAIL PROTECTED]> wrote: >> >> Would the _intended_ recipient have a case against the sender >for >> contractual failure

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread Paul Melson
> Not to step in to the middle of this, but I once worked for an employer with what I > considered the best way of stopping attacks cold: a proxy server that prompted you for your > credentials when you went to an external web site and gp settings that disabled the ability > to save your usernam

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread Obscure
At the risk of going off topic - this kind of approach makes end users get really used to entering their username and password in the web browser. Guess what happens when a (possibly malicious) website asks for credentials (using basic auth/whatever)? These kinds of solutions not only limit u

Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

2007-10-11 Thread Thierry Zoller
Dear All, Hi everyone. This is Jonathan from the SWI team in the MSRC. We’ve just released Security Advisory 943521 regarding a vulnerability affecting Windows Server 2003 and Windows XP with Internet Explorer 7 installed. As you have probably noted there’s been a fair amount of discussi

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread gboyce
On Thu, 11 Oct 2007, pdp (architect) wrote: > Thor, with no disrespect but you are wrong. Security in depth does not > work and I am not planning to support my argument in any way. This is > just my personal humble opinion. I've seen only failure of the > principles you mentioned. Security in dept

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread gjgowey
Not to step in to the middle of this, but I once worked for an employer with what I considered the best way of stopping attacks cold: a proxy server that prompted you for your credentials when you went to an external web site and gp settings that disabled the ability to save your username/passwo

Re: [Full-disclosure] URI handling woes in Acrobat Reader, Netscape, Miranda, Skype

2007-10-11 Thread Paul Szabo
Microsoft acknowledged that it was "their" problem all along: Microsoft Security Advisory (943521) URL Handling Vulnerability in Windows XP and Windows Server 2003 with Windows Internet Explorer 7 Could Allow Remote Code Execution http://www.microsoft.com/technet/security/advisory/943521.ms

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread pdp (architect)
Thor, with no disrespect but you are wrong. Security in depth does not work and I am not planning to support my argument in any way. This is just my personal humble opinion. I've seen only failure of the principles you mentioned. Security in depth works only in a perfect world. The truth is that yo

Re: [Full-disclosure] Remote Desktop Command Fixation Attacks

2007-10-11 Thread M. Burnett
It is important to note that you can block this through a setting in the Terminal Services Configuration admin tool. There is a setting to not allow initial programs to be launched or to always launch a specific program. This will always override any program specified by the client. You can also config

[Full-disclosure] SIPVicious v0.2 - tools for auditing sip devices / PBXs

2007-10-11 Thread Obscure
Dear all, I just released version 0.2 of SIPVicious tool suite at: http://sipvicious.googlecode.com/files/sipvicious-0.2.tar.gz or http://tinyurl.com/3xu5z9 Put up a screencast of the tools in action at: http://tinyurl.com/3yq8k7 What is SIPVicious tool suite? Consists of 4 tools: * svmap

[Full-disclosure] CA BrightStor ARCServe BackUp Message Engine Remote Stack Overflow Vulnerability

2007-10-11 Thread hfli
hi full-disclosure, CA BrightStor ARCServe BackUp Message Engine Remote Stack Overflow Vulnerability by cocoruder of Fortinet Security Research Team http://ruder.cdut.net Summary: A remote stack overflow vulnerability exists in the RPC interface of CA BrightStor ARCServe BackUp. An arbitr