Re: [Full-disclosure] Bank of the West security contact?

2014-02-08 Thread Jann Horn
On Sat, Feb 08, 2014 at 04:21:52AM -0500, Jeffrey Walton wrote: RFC 2142 offers a number of well known mailboxes that should be monitored. Try secure@, security@, and support@. Doesn't look as if any of those addresses would work: RCPT TO:secur...@bankofthewest.com 550 Mailbox unavailable or

Re: [Full-disclosure] Clickjacking (?) on Facebook.com (Question)

2013-12-12 Thread Jann Horn
On Wed, Dec 11, 2013 at 10:18:09PM +0100, Stefan Schurtz wrote: it is possible to load https://www.facebook.com/login/reauth.php?next=https://www.facebook.com/confirmphone.phpdisplay=popup; in another page. [...] My question: is this really not a security problem on Facebook? I'd say it is a

Re: [Full-disclosure] Clickjacking (?) on Facebook.com (Question)

2013-12-12 Thread Jann Horn
On Thu, Dec 12, 2013 at 12:43:00PM -0800, Michal Zalewski wrote: What is your exact concern? That page allows drag-and-drop of the user's name. If you can convince the user to select his name with a triple-click and then do a drag-and-drop of that name to some place outside the iframe, you can

Re: [Full-disclosure] Clickjacking (?) on Facebook.com (Question)

2013-12-12 Thread Jann Horn
On Thu, Dec 12, 2013 at 01:25:31PM -0800, Michal Zalewski wrote: That page allows drag-and-drop of the user's name. If you can convince the user to select his name with a triple-click and then do a drag-and-drop of that name to some place outside the iframe, you can find out his name,

Re: [Full-disclosure] Clickjacking (?) on Facebook.com (Question)

2013-12-12 Thread Jann Horn
On Thu, Dec 12, 2013 at 05:11:59PM -0800, Michal Zalewski wrote: But I wouldn't consider it a failing on part of the targeted website - you'd need to put essentially everything behind XFO to fix this problem on application level, which is not feasible for a good number of websites

Re: [Full-disclosure] Clickjacking (?) on Facebook.com (Question)

2013-12-12 Thread Jann Horn
On Thu, Dec 12, 2013 at 05:25:09PM -0800, Michal Zalewski wrote: Doesn't Google always send JSON with Content-Disposition: attachment or so because of that? One of the reasons (there's also content sniffing, etc). But then, consider view-source:, too - you can use it in Firefox to render

Re: [Full-disclosure] [CVE-2013-6356] Avira Secure Backup v1.0.0.1 Multiple Registry Key Value Parsing Local Buffer Overflow Vulnerability

2013-11-17 Thread Jann Horn
On Sat, Nov 16, 2013 at 03:23:07PM +0100, Julien Ahrens wrote: A buffer overflow vulnerability has been identified in Avira Secure Backup v1.0.0.1 Build 3616. An attacker needs to force the victim to import an arbitrary .reg file in order to exploit the vulnerability. Could you please

Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)

2013-08-18 Thread Jann Horn
On Sat, Aug 17, 2013 at 07:50:34PM -0400, valdis.kletni...@vt.edu wrote: On Sat, 17 Aug 2013 13:39:16 +0200, Jann Horn said: And yes, you're right, a DoS attack can be unsuccessful. My point was that this small amount of traffic shouldn't be called a DDoS because there's no way

Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)

2013-08-17 Thread Jann Horn
On Fri, Aug 16, 2013 at 04:49:24PM -0500, adam wrote: Jann, you know what's even worse than someone being a dick for no reason? Someone being a _stupid_ dick for no reason. Maybe I'm being a dick, and maybe I'm being a dick for no reason, but I don't think I'm being a _stupid_ dick. In case

Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)

2013-08-17 Thread Jann Horn
On Fri, Aug 16, 2013 at 02:58:41PM -0300, Luther Blissett wrote: On Fri, 2013-08-16 at 19:31 +0200, Jann Horn wrote: Let me google that for you. Hmm. Assigned to Polipo Web proxy. So maybe someone tried to connect to them through your exit node and they do proxyscans on people who

Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)

2013-08-16 Thread Jann Horn
On Thu, Aug 15, 2013 at 05:29:52PM -0300, Luther Blissett wrote: Hello dear companions, Two days ago one of my tor exit nodes experienced something I'm now calling limestonenetworks DDoS on polipo ( $WAN_IP:8123 ), since all DDoS? So you mean your systems were impacted by that? packets in

Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)

2013-08-16 Thread Jann Horn
On Fri, Aug 16, 2013 at 01:37:54PM -0400, Jeffrey Walton wrote: On Fri, Aug 16, 2013 at 1:31 PM, Jann Horn j...@thejh.net wrote: On Thu, Aug 15, 2013 at 05:29:52PM -0300, Luther Blissett wrote: Hello dear companions, Two days ago one of my tor exit nodes experienced something I'm now

Re: [Full-disclosure] Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack

2013-07-26 Thread Jann Horn
On Fri, Jul 26, 2013 at 03:47:41PM -0400, Jeffrey Walton wrote: Dr. Bernstein puts a lot of effort into defending against timing attacks and other side channels in his NaCl library. I'm not aware of any other libraries which go to the same depths. On the downside, NaCl is not easy to work with

[Full-disclosure] Linux reveals IO timing data

2013-07-23 Thread Jann Horn
There are multiple ways in which Linux reveals IO timing data. Probably the most interesting one is the field voluntary_ctxt_switches in /proc/pid/status: It reveals how often the process has voluntarily caused a context switch so far, and usually, a process does that when it's waiting for

Re: [Full-disclosure] OpenSSH User Enumeration Time-Based Attack

2013-07-11 Thread Jann Horn
On Wed, Jul 10, 2013 at 03:38:59PM +0200, Curesec Research Team wrote: By testing several OpenSSH installations we figured there is a delay of time when it comes to cracking users (not) existing on a system. A normal Brute-force-Attack tests for the correct user and password combination,

Re: [Full-disclosure] Denial of Service in WordPress

2013-06-27 Thread Jann Horn
On Thu, Jun 27, 2013 at 11:50:47PM +0300, MustLive wrote: This just affects the client though right? This DoS is only going on on the client side, unlike other types of DoS (see my classification), but the issue of the web application is in allowing a Looped DoS state. You see the error message very quickly

[Full-disclosure] little proof-of-concept for remote traffic statistics using the IP ID field

2013-05-23 Thread Jann Horn
about giving your traffic stats to the whole world. Because graphs are good at demonstrating stuff. :) The code is attached and also at http://git.thejh.net/?p=roguegraph.git;a=tree. I'm not responsible for whatever you do with this or whatever effects it has. // Copyright (C) Jann Horn (2013

[Full-disclosure] Trying to send mail to Broadcom

2013-05-03 Thread Jann Horn
So, I found a vuln for overwriting kernel memory in kernel code by Broadcom for the Raspberry Pi (afaik not in the official kernel sources, just in the patched kernel sources for the raspberry pi). It requires you to be in the video group, so it's not very interesting, I think, but I thought,

Re: [Full-disclosure] How do I contact Vodafone Security?

2013-04-23 Thread Jann Horn
On Mon, Apr 22, 2013 at 03:10:19PM +0200, Jann Horn wrote: Hello, does anyone know how I can contact Vodafone Security (preferably a Germany-specific group because I have no idea whether the issue affects people in other countries, too)? Thanks for all the replies. I sent a mail with details

[Full-disclosure] How do I contact Vodafone Security?

2013-04-22 Thread Jann Horn
Hello, does anyone know how I can contact Vodafone Security (preferably a Germany-specific group because I have no idea whether the issue affects people in other countries, too)? I sent a mail to secur...@vodafone.de and it didn't bounce (in case someone from Vodafone is reading this: it was sent

Re: [Full-disclosure] Exploiting sibling domains cookie isolation policy to DoS CDN users

2013-04-11 Thread Jann Horn
On Thu, Apr 11, 2013 at 05:01:57PM +0200, Jan Wrobel wrote: Hello, In short: Browsers can be easily cut from any resources hosted on Content Delivery Networks that use a domain shared between users, by a visit to a malicious site that sets a large number of cookies on the common prefix of

Re: [Full-disclosure] GitHub Login Cookie Failure

2013-04-08 Thread Jann Horn
On Mon, Apr 08, 2013 at 11:19:37AM -0500, Chris Roussel wrote: Dear Hackers, I've discovered what I think is a failure in GitHub.com login cookies: I installed the Import Cookies Export Cookies plugins in my firefox 20, then I signed in at github and exported my cookies, then I signed

Re: [Full-disclosure] GitHub Login Cookie Failure

2013-04-08 Thread Jann Horn
On Mon, Apr 08, 2013 at 10:37:09PM +0200, Jann Horn wrote: On Mon, Apr 08, 2013 at 11:19:37AM -0500, Chris Roussel wrote: Dear Hackers, I've discovered what I think is a failure in GitHub.com login cookies: I installed the Import Cookies Export Cookies plugins in my firefox 20

Re: [Full-disclosure] DoS vulnerability in Adobe Flash Player (BSOD)

2013-04-03 Thread Jann Horn
On Thu, Apr 04, 2013 at 01:24:29AM +0300, MustLive wrote: Hello list! I want to warn you about a Denial of Service vulnerability (BSOD) in Adobe Flash Player. I found this vulnerability on 27.01.2013. - Affected products: - Vulnerable

Re: [Full-disclosure] Data-Clone -- a new way to attack android apps

2013-03-17 Thread Jann Horn
On Sun, Mar 17, 2013 at 06:09:09PM +0800, IEhrepus wrote: Data-Clone -- a new way to attack android apps Author: super...@www.knownsec.com [Email:5up3rh3i#gmail.com] Release Date: 2013/03/16 References: http://www.80vul.com/android/data-clone.txt Chinese Version:

[Full-disclosure] A few android security issues

2013-03-14 Thread Jann Horn
The Android Security Team says that this vuln has been fixed (the fix looks a bit racy, but I think that it probably isn't exploitable). Jann Horn

Re: [Full-disclosure] How to prevent HTTPS MitM

2013-01-18 Thread Jann Horn
On Thu, Jan 17, 2013 at 09:56:53PM +0100, Luigi Rosa wrote: If this message is offtopic, please excuse me. I was reading about Nokia HTTPS MitM. Many corporate firewall can MitM HTTPS for content inspection and many governments do this for their reasons. I was thinking: could it be

Re: [Full-disclosure] Is it OK to hold credit card numbers in cookies? Santander?

2012-11-01 Thread Jann Horn
On Mon, Oct 15, 2012 at 09:53:49PM +0200, Alexander Georgiev wrote: Now, PLEASE, when you go to their online banking site and run your one_script_to_block_them_all.py or whatever, PLEASE, skip my bank account, ok? Alex What did you say, which account number should be skipped?

[Full-disclosure] middle-clicking on links

2012-08-16 Thread Jann Horn
Have a look at this PoC: http://jsfiddle.net/wbfpM/1/ At least in Chromium and Firefox on Linux, middle-clicking the Google link opens an alert window with the current clipboard contents. Well, I guess there's not much that can be done about that, but I think it's interesting to know. Jann

[Full-disclosure] The Android Superuser App

2012-08-13 Thread Jann Horn
Hello, on Android, everyone who wants to give apps root access to his phone uses the Superuser application by ChainsDD. However, from a security perspective, that might be a somewhat bad idea. First, it's not really Open Source anymore, so you can't easily check whether everything works the way

Re: [Full-disclosure] The Android Superuser App

2012-08-13 Thread Jann Horn
On Sun, Aug 12, 2012 at 09:47:57PM +0200, Jann Horn wrote: And finally, I've found another vuln that essentially lets apps gain root rights without asking the user, and I will release all details about it in two weeks. Found another independent vuln that also gives all apps root access

Re: [Full-disclosure] [Anonymous/iWot] Somaleaks !!!

2012-07-20 Thread Jann Horn
On Wed, Jul 18, 2012 at 09:16:29AM -0400, Abdikarim Roble wrote: Contacts: no need to answer to this email address, as it's not ours. If you want to meet us, as always we'll be at Defcon soon, and we hope that there will be a special prize for Dahabshiil, though it's a bit late to propose them

Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability

2012-07-13 Thread Jann Horn
On Wed, Jul 11, 2012 at 11:34:11AM +0300, Gokhan Muharremoglu wrote: Vulnerability Name: Predefined Post Authentication Session ID Vulnerability Type: Improper Session Handling Impact: Session Hijacking Level: Medium Date: 10.07.2012 Vendor: Vendor-neutral Issuer: Gokhan Muharremoglu

[Full-disclosure] How much time is appropriate for fixing a bug?

2012-07-05 Thread Jann Horn
After having reported a security-relevant bug about a smartphone, how long would you wait for the vendor to fix it? What are typical times? I remember telling someone about a security-relevant bug in his library some time ago - he fixed it and published the fixed version within ten minutes. On

Re: [Full-disclosure] NSA Cyber security program [ maybe off-topic ]

2012-05-31 Thread Jann Horn
On Mon, May 28, 2012 at 08:06:42PM -0300, Pablo wrote: Interesting… http://www.nsa.gov/academia/nat_cae_cyber_ops/index.shtml http://www.esecurityplanet.com/network-security/nsa-announces-cyber-security-program-for-college-students.html This tells us that there is a lack of

Re: [Full-disclosure] Google Accounts Security Vulnerability

2012-05-21 Thread Jann Horn
On Sat, May 19, 2012 at 12:04:43PM -0700, Michael J. Gray wrote: On why I don't want to provide my email address to Google: It's a different email address which I don't want associated with this email address for various reasons. That is why I am not going to provide it. Your assumption

Re: [Full-disclosure] pidgin OTR information leakage

2012-02-27 Thread Jann Horn
2012/2/25 Dimitris Glynos dimit...@census-labs.com: Pidgin transmits OTR (off-the-record) conversations over DBUS in plaintext. This makes it possible for attackers that have gained user-level access on a host, to listen in on private conversations associated with the victim account.

Re: [Full-disclosure] Windows Vista/7 lpksetup dll hijack

2010-10-27 Thread Jann Horn
On Monday, 25.10.2010 at 22:56 +, Thor (Hammer of God) wrote: The main point is that you've got to get people to not only connect up to your remote share, but you've got to get them to execute the file, etc. So I'm just wondering what makes this anything more than any other put a