Re: [Full-disclosure] Path to IT Security

On Jan 18, 2011, at 8:10 AM, Emmanuel Apreko wrote: > After researching i found out that the most prestigious security > certification is the CISSP and it seems like a very long journey to it since > i have no experience in it at all but need to get my foot in. Any certificate that is a based o

Re: [Full-disclosure] Path to IT Security

Well you're right about that all along the row .. I have all the certs and I'm not impressed with most of them, but if you want to get in the door, you better have the certs .. anyone who can memorize two or three books can get his CISSP or most other certs .. with a very few exceptions .. certs ar

Re: [Full-disclosure] Getting Off the Patch

>No, I'm taking the position that "most people" are in fact solely relying >on patching because they are clueless and they wouldn't even be patching at >all if auto-update wasn't turned on. (And Cal caught on what I meant in his >reply - that there's two very disjoint communities). > >And that chan

Re: [Full-disclosure] Getting Off the Patch

I'm getting a bit annoyed reading over and over arguments which I've highlighted some time ago anyway ( http://www.mail-archive.com/full-disclosure@lists.grok.org.uk/msg44454.html ). The real question, what is the *direct* alternative to patching? Don't say "sandboxing" because it doesn't always

Re: [Full-disclosure] Path to IT Security

Let me tell you one thing, "pro" isn't about certifications, it's about years of experience (and maybe certifications). It doesn't matter how many certs you have if you've never touched a computer. It's quite unthinkable - but equally true - that some university graduates, which should be able to w

[Full-disclosure] ZDI-11-020: Oracle Beehive voice-servlet Remote Code Execution Vulnerability

ZDI-11-020: Oracle Beehive voice-servlet Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-020 January 18, 2011 -- CVE ID: CVE-2010-4417 -- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- Affected Vendors: Oracle -- Affected Products: Oracle Beehive -- TippingP

[Full-disclosure] ZDI-11-019: Oracle GoldenGate Veridata Server XML SOAP Request Parsing Remote Code Execution Vulnerability

ZDI-11-019: Oracle GoldenGate Veridata Server XML SOAP Request Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-019 January 18, 2011 -- CVE ID: CVE-2010-4416 -- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- Affected Vendors: Oracle -- Affected Produc

[Full-disclosure] ZDI-11-018: Oracle Database and Enterprise Manager Grid Control Remote Code Execution Vulnerability

ZDI-11-018: Oracle Database and Enterprise Manager Grid Control Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-018 January 18, 2011 -- CVE ID: CVE-2010-3600 -- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- Affected Vendors: Oracle -- Affected Products: Ora

[Full-disclosure] ZDI-11-017: Oracle Audit Vault av.action Remote Code Execution Vulnerability

ZDI-11-017: Oracle Audit Vault av.action Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-017 January 18, 2011 -- CVE ID: CVE-2010-4449 -- CVSS: 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) -- Affected Vendors: Oracle -- Affected Products: Oracle Audit Vault -- Tippi

[Full-disclosure] ZDI-11-016: Oracle Real User Experience Insight rsynclogdird SQL Injection Vulnerability

ZDI-11-016: Oracle Real User Experience Insight rsynclogdird SQL Injection Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-016 January 18, 2011 -- CVE ID: CVE-2010-3594 -- CVSS: 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) -- Affected Vendors: Oracle -- Affected Products: Oracle Real Use

[Full-disclosure] ZDI-11-015: HP Mercury Loadrunner Agent Remote Code Execution Vulnerability

ZDI-11-015: HP Mercury Loadrunner Agent Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-015 January 12, 2011 -- CVE ID: CVE-2011-0272 -- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- Affected Vendors: Hewlett-Packard -- Affected Products: Hewlett-Packard Loa

[Full-disclosure] ZDI-11-014: Red Hat OpenJDK IcedTea6 ClassLoader Remote Code Execution Vulnerability

ZDI-11-014: Red Hat OpenJDK IcedTea6 ClassLoader Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-014 January 18, 2011 -- CVE ID: CVE-2010-4351 -- CVSS: 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) -- Affected Vendors: Red Hat -- Affected Products: Red Hat OpenJDK Ic

[Full-disclosure] ZDI-11-014: Red Hat OpenJDK IcedTea6 ClassLoader Remote Code Execution Vulnerability

ZDI-11-014: Red Hat OpenJDK IcedTea6 ClassLoader Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-014 January 18, 2011 -- CVE ID: CVE-2010-4351 -- CVSS: 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) -- Affected Vendors: Red Hat -- Affected Products: Red Hat OpenJDK Ic

[Full-disclosure] ZDI-10-301: Trend Micro Control Manager Server-agent Communication Remote Code Execution Vulnerability

ZDI-10-301: Trend Micro Control Manager Server-agent Communication Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-301 December 17, 2010 -- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- Affected Vendors: Trend Micro -- Affected Products: Trend Micro Control

Re: [Full-disclosure] [VIDEO] IE CVE-2010-3962

> The exploit was publicly released in November but as of today ( > January 2011) is still not a patch serious personal recommendation is > use another browser. I thought that CVE-2010-3962 was fixed in MS10-090. Are you saying the vulnerability is not fixed? Or maybe, you found a new vulnerabilit

Re: [Full-disclosure] Getting Off the Patch

On Tue, Jan 18, 2011 at 11:43 AM, phocean <0...@phocean.net> wrote: > ... how is this new ? It has been the best > practice of good system/security administrators for years. > > And it doesn't look like a "no patching" policy yet... sure, .. though you've made me sad considering how few organizat

Re: [Full-disclosure] Getting Off the Patch

On Tue, 18 Jan 2011 18:39:24 GMT, "Thor (Hammer of God)" said: > >On Mon, 17 Jan 2011 22:29:13 GMT, "Cal Leeming [Simplicity Media Ltd]" said: > > > >> Most people wouldn't rely solely on patch day to protect their > >> systems/network > > > >You're in for a surprise. > Are you taking the positio

Re: [Full-disclosure] Getting Off the Patch

I just agree with all that. But once again, as with Pete, how is this new ? It has been the best practice of good system/security administrators for years. And it doesn't look like a "no patching" policy yet... Le mardi 18 janvier 2011 à 11:19 -0800, coderman a écrit : > On Tue, Jan 18, 2011 at

Re: [Full-disclosure] Getting Off the Patch

On Tue, Jan 18, 2011 at 10:39 AM, Thor (Hammer of God) wrote: > ... Any security model that not only advocates non-patching, but that is > designed with the intent of not patching is completely retarded.  I defy > anyone to provide verifiable evidence to the contrary that is not based on a > se

Re: [Full-disclosure] Career Criminal Andrew Auernheimer / Weev Is In Jail Right Now

sir, "quiet" is the absence of sound, akin to the absence of thought in your reply. On Tue, Jan 18, 2011 at 9:59 AM, Eyeballing Weev wrote: > I guess you didn't get the memo about weev being in jail. ... ... > On 01/18/2011 12:48 PM, coderman wrote: >> ... at least it will be a little more quie

[Full-disclosure] [USN-1044-1] D-Bus vulnerability

=== Ubuntu Security Notice USN-1044-1 January 18, 2011 dbus vulnerability CVE-2010-4352 === A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS Ubuntu 9.10

Re: [Full-disclosure] Getting Off the Patch

>On Mon, 17 Jan 2011 22:29:13 GMT, "Cal Leeming [Simplicity Media Ltd]" said: > >> Most people wouldn't rely solely on patch day to protect their >> systems/network > >You're in for a surprise. One, as Cal pointed out, you cut out the context of what he said/meant. And two, so what if they do?

Re: [Full-disclosure] I find a bug

this very smart prince of the East is obviously listed in /etc/sudoers...;-) -h On 18.01.2011 16:47, Laurelai Storm wrote: > I have fedora 14, several centOS 5.5 machines and a vanilla ubuntu > 9.10 vm, all ask for the password > > > 2011/1/18 Christian Sciberras > > >

[Full-disclosure] Path to IT Security

Hello All, I'm a newbie to this list and all i need is some guidance into the world of IT security. i have completed Comptia A+ and Network + and wish to pursue a career in security. After researching i found out that the most prestigious security certification is the CISSP and it seems like a

Re: [Full-disclosure] I find a bug

I have fedora 14, several centOS 5.5 machines and a vanilla ubuntu 9.10 vm, all ask for the password 2011/1/18 Christian Sciberras > Every bug is a feature. Some are less obvious than others. > > ;-) > > Oh, and for what it's worth, I get asked for the root password on my > machine (vanilla u

Re: [Full-disclosure] Career Criminal Andrew Auernheimer / Weev Is In Jail Right Now

I guess you didn't get the memo about weev being in jail. http://online.wsj.com/article/SB10001424052748703954004576089791547299456.html On 01/18/2011 12:48 PM, coderman wrote: > On Sun, Jan 2, 2011 at 3:57 AM, phocean wrote: >> Here we go again ! This list looks so crazy... >> ... >> Or, my 2

Re: [Full-disclosure] Career Criminal Andrew Auernheimer has Violent Ideations of Law Enforcement

On Sun, Jan 2, 2011 at 3:57 AM, phocean wrote: > Here we go again ! This list looks so crazy... > ... > Or, my 2 cents : one schizophrenic guy is behind all this : n3td3v, > Musntlive, Dave Nett, Andrew, Weev, ... hah, you wish! at least it will be a little more quiet without Augmammer spamming f

[Full-disclosure] [VIDEO] IE CVE-2010-3962

A serious security vulnerability affects Internet Explorer on versions 6, 7 and 8, which allows a remote attacker execute arbitrary code via a CSS stylesheet in "Invalid reference flag" this exploit is marked as corruption of type memory and remote client side. The exploit was publicly released in

Re: [Full-disclosure] Getting Off the Patch

Allow me to clarify. "Most seasoned/established IT professionals" wouldn't rely solely on patch day. "Most unskilled people" shouldn't rely solely on patch day. On Tue, Jan 18, 2011 at 5:04 PM, wrote: > On Mon, 17 Jan 2011 22:29:13 GMT, "Cal Leeming [Simplicity Media Ltd]" > said: > > > Most

Re: [Full-disclosure] Getting Off the Patch

On Mon, 17 Jan 2011 22:29:13 GMT, "Cal Leeming [Simplicity Media Ltd]" said: > Most people wouldn't rely solely on patch day to protect their > systems/network You're in for a surprise. pgp7UFIXaqNQP.pgp Description: PGP signature ___ Full-Disclosure

[Full-disclosure] AST-2011-001: Stack buffer overflow in SIP channel driver

Asterisk Project Security Advisory - AST-2011-001 ProductAsterisk SummaryStack buffer overflow in SIP channel driver Nature of Advisory Exploitable Stack Buffer Overflow

Re: [Full-disclosure] I find a bug

Every bug is a feature. Some are less obvious than others. ;-) Oh, and for what it's worth, I get asked for the root password on my machine (vanilla ubuntu). 2011/1/18 Laurelai Storm > It prompts for a password on my machine, perhaps you should check your > sudoers config. > > Also, its no

Re: [Full-disclosure] I find a bug

It prompts for a password on my machine, perhaps you should check your sudoers config. Also, its not a bug its a feature :p 2011/1/18 我是王子 > hello, > > I found a bug, > > run [sudo strace su] command can get root privileges without any password. > > bill > > -- Original --

Re: [Full-disclosure] I find a bug

How ? There is not a bug, it is only work if your sudo configuration is without password to ALL or the strace command. some distributions have this configuration to default user. You can test or give us more details ? Emanuel dos Reis Rodrigues Senior Level Linux Professional (LPIC-3) LPI

[Full-disclosure] Exposing the Google Password Storage Mechanism & Encryption Secrets

Hi all, Here is the complete disclosure on Google Password Storage mechanism & Encryption Methods used by various Google applications including GTalk, Picassa, GDesktop etc and other popular browsers. You will find complete cryptography code examples for decryption of Google passwords for all thes

[Full-disclosure] Fw: Vulnerability in widget Flash Tag Cloud for Blogsa and other ASP.NET engines

Hello list! I want to warn you about Cross-Site Scripting vulnerability in b-cumulus. It's widget for Blogger, which is also using at separate sites. SecurityVulns ID: 11353. - Affected products: - Vulnerable are all versions of b-cumulus. -

Re: [Full-disclosure] Getting Off the Patch (is pointing out obvious)

Isa, issa prova bil-malti... 2011/1/18 Григорий Братислава > прежде всего я никогда не говорил, что я был русским, каждый > предполагает, что я. Я мог быть, полируют, шведский язык, китайский > язык вообще, я хочу быть. если Вы не поняли это все же, то Вы - дурак, > как - другие здесь. > > יתר ע

Re: [Full-disclosure] Getting Off the Patch (is pointing out obvious)

прежде всего я никогда не говорил, что я был русским, каждый предполагает, что я. Я мог быть, полируют, шведский язык, китайский язык вообще, я хочу быть. если Вы не поняли это все же, то Вы - дурак, как - другие здесь. יתר על כן איך אתה יודע שאני לא עובד הישראלי כיסוי עמוק בריגול עבור המוסד במקרה

Re: [Full-disclosure] Getting Off the Patch (is pointing out obvious)

2011/1/18 huj huj huj : > Меня бесит твая бесконечная болтовна Я спрошу Вас вежливо, каждый в последний раз оставляет мою нить в покое. является ничто, чтобы видеть здесь не проходит прежде, чем усы valdi уменьшаются ___ Full-Disclosure - We believe in i

Re: [Full-disclosure] Getting Off the Patch (is pointing out obvious)

Меня бесит твая бесконечная болтовна 2011/1/18 andrew wiggin > Очевидно, что вы на самом деле не пытаются узнать что-нибудь здесь. > Все, что Тора и Пит сказал стоит золото. Vladis также иногда хорошо, > чтобы читать. Тор является звезда, все, что он пишет заслуживает того, > чтобы читать. Не мо

Re: [Full-disclosure] Getting Off the Patch (is pointing out obvious)

Меня бесит твая бесконечная болтовна 2011/1/18 andrew wiggin > Очевидно, что вы на самом деле не пытаются узнать что-нибудь здесь. > Все, что Тора и Пит сказал стоит золото. Vladis также иногда хорошо, > чтобы читать. Тор является звезда, все, что он пишет заслуживает того, > чтобы читать. Не мо

Re: [Full-disclosure] Getting Off the Patch (is pointing out obvious)

2011/1/18 andrew wiggin : > Очевидно, что вы на самом деле не пытаются узнать что-нибудь здесь. > Все, что Тора и Пит сказал стоит золото. Vladis также иногда хорошо, > чтобы читать. Тор является звезда, все, что он пишет заслуживает того, > чтобы читать. Не могли бы вы не утруждая себя эту тему с

Re: [Full-disclosure] Getting Off the Patch (is pointing out obvious)

Очевидно, что вы на самом деле не пытаются узнать что-нибудь здесь. Все, что Тора и Пит сказал стоит золото. Vladis также иногда хорошо, чтобы читать. Тор является звезда, все, что он пишет заслуживает того, чтобы читать. Не могли бы вы не утруждая себя эту тему с такой глупый вопрос, для которых в

Re: [Full-disclosure] Getting Off the Patch (is pointing out obvious)

2011/1/17 Cal Leeming [Simplicity Media Ltd] : > Please reply in Russian, and I'll get one of my colleagues to translate. так как Вы хотите русский язык, вот - некоторые российские заголовки от местных новостей lulululul А несколько дней назад начальник управления ЗАГС Москвы Ирина Муравьева,

Re: [Full-disclosure] Getting Off the Patch (is pointing out obvious)

2011/1/17 Cal Leeming [Simplicity Media Ltd] : > I have absolutely no idea what you just said lol. > This part was especially amusing: > "Is when we tie up Pawel in lobby with is cable to car battery example is > set". > Please reply in Russian, and I'll get one of my colleagues to translate. не п

Re: [Full-disclosure] I find a bug

Also sudo vi, :!bash. That's why you need to be aware of what sudo access you're granting - it's more useful as a tool for keeping audit logs - together with remote syslogging - for well-meaning administrators than it is at stopping people from getting root. cheers, Jamie 2011/1/18 我是王子 : > hel

[Full-disclosure] I find a bug

hello, I found a bug, run [sudo strace su] command can get root privileges without any password. bill -- Original -- From: "Steve Beattie"; Date: Thu, Jan 13, 2011 08:01 PM To: "ubuntu-security-announce"; Cc: "full-disclosure"; "bugtraq"

Re: [Full-disclosure] Getting Off the Patch

:0: * ^Subject:.*Getting Off the Patch.* /dev/null On 01/17/11 11:18, Pete Herzog wrote: >> Fortunately this isn't the type of list where people would challenge your >> "large company" > > Thanks, good to know. And I was 18 when I did the sting operations. > You misread (again). > >> >> Now, w