FYI
Thoughts?
Step-by-step instructions for securing patients' medical data on your
iPhone or iPad, courtesy of Dr. John Halamka, chief information
officer for Boston's Beth Israel Deaconess Medical Center and Harvard
Medical School.
Hi,
At the risk of being ridiculed here, I'll point out that UCF does have
an Infosec office and an incident response POC.
https://publishing.ucf.edu/sites/itr/cst/Pages/IncidentResponse.aspx
s...@mail.ucf.edu
fwiw, security folks in .edus are at the low-end of this industry's
pay-scale and it's
Hi,
On Sat, Feb 19, 2011 at 12:04, Hack Talk hacktalkb...@gmail.com wrote:
countless attempts to contact both their infosec team, the tech rangers,
and their personal web developers with no contact back or patching of these
vulnerabilities I decided to post these up on FD. There are still many,
Hi,
On Sat, Feb 19, 2011 at 12:46, Hack Talk hacktalkb...@gmail.com wrote:
Thanks for doing your best to extinguish the flamewar that was starting :D.
Who says I don't want one? This _is_ FD after all...maybe just keep
the misogynistic pr0n in check? ...must...not...click... ;P
Back to
Testimony of Fred B. Schneider
Samuel B. Eckert Professor of Computer Science
Cornell University, Ithaca, New York
February 19, 2010
http://www.cs.cornell.edu/fbs/publications/SciPolicyHouseArmedServsFeb2010.pdf
snip
A Cybersecurity Credential.
Most professions expect their practitioners to
Any word on these vulns? Seems the deadline was 2011-02-04, or am I
missing something?
Cheers,
--scm
http://www.zerodayinitiative.com/advisories/upcoming/
ZDI ID  Affected Vendor(s)  Severity  Reported  Deadline
Hi Coderman,
On Sat, Feb 5, 2011 at 17:44, coderman coder...@gmail.com wrote:
fitting that a professor propose a process without any aspect of real
world experience or demonstrated capability* in such a credentialed
organization for cyber security. i'm all for deprecation of
pointless exams,
Hi Coderman,
On Sat, Feb 5, 2011 at 19:00, coderman coder...@gmail.com wrote:
there is plenty of informative and insightful summary in the document
by clearly experienced individuals. however, i wanted to point out
this is essentially a funding proposal seeking Federal Funding for
Research.
Fwiw, some public forums on BestBuy discuss this...
http://forums.bestbuy.com/t5/Best-Buy-Geek-Squad-Policies/For-a-Return-they-scan-your-ID-Don-t-think-so/m-p/218912
http://forums.bestbuy.com/t5/Best-Buy-Geek-Squad-Policies/Driver-s-License-required-for-return/td-p/234098
Hi FD folks,
A short review of a new title on building a vendor product security
response and team. I think this book would prove useful for vendors
wishing to avoid the shame and humiliation of having vulns published
when they could have avoided it with a process and team in place.
from http://www.gogoinflight.com/gogo/content/FAQ_Service.do
also noteworthy that the privacy policy link is broken:
http://www.gogoinflight.com/gbp/privacy.do
snip
Is it safe to use Wi-Fi in flight?
Passenger security and safety is of utmost importance to Gogo. Before
allowing our service to
On Thu, Nov 18, 2010 at 1:22 PM, savethedollarmenu
i...@savethedollarmenu.com wrote:
There is a recent 0day vulnerability in the McDonalds dollar menu, namely
that it is going to be going away in 2011.
fwiw, lobbyists are costly
Hi FD,
The list below contains the Approved Test Procedures, Version 1.0,
for evaluating conformance of complete EHRs and/or EHR Modules to the
initial set of standards, implementation specifications, and
certification criteria defined in the Health Information Technology:
Initial Set of
To: Shawn Merdinger shawn...@gmail.com
Hello Shawn,
Thanks for forwarding this information onto us. We will make our
developers aware.
Kind regards,
Tom
Tom Burton
Technical Support Assistant
HumanWare Europe
-Original Message-
From: Shawn Merdinger
Hi Halfdog,
While I have not come across any specific documentation of willful
attacks, security (and software quality) issues abound in the medical
device space. You might try researching some of the databases at the
FDA [1]. In particular, a good place to start is the FDA MAUDE
database
Hi Gadi,
On Mon, Jul 26, 2010 at 6:44 AM, Gadi Evron g...@linuxbox.org wrote:
A new research paper from the Freedom And Law Center deals with issues
Killed by Code: Software Transparency in Implantable Medical Devices
One of the more useful aspects I found in that paper are the
references to
fyi, an interesting read imho.
snip
The FDA has issued 23 recalls of defective devices during the
first half of 2010, all of which are categorized as “Class I,” meaning
there is “reasonable probability that use of these products will cause
serious adverse health consequences or death.” At
Hi Chris,
Maybe take a look at GLtail -- http://www.fudgie.org
Cheers,
--scm
On Tue, Mar 2, 2010 at 10:38 AM, Christopher Covington c...@vt.edu wrote:
Does anyone have recommendations for network visualization and auralization
software that could produce pretty animations and suitable
Hi Michael,
On Wed, Oct 21, 2009 at 9:36 AM, Michael Krymson krym...@gmail.com wrote:
Oh shit, account...@mckesson.com bounced, too! That must mean they don't
even have any accounting!
Hehe...who knows? Maybe you needed to do @internal.mckesson.com ;-P
Bringing this back to the issue at
Great find!
And should we _really be surprised_ at the following bounce?
snip
Delivery to the following recipient failed permanently:
secur...@mckesson.com
Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the
recipient domain. We
Hi Valdis,
I did a CSI NetSec preso on this and touched on the WRT54G, Nokia 770,
Gumstix and (my personal favorite) PicoTux as good candidates for
corporate espionage hijinks.
Slides are here:
http://www.slideshare.net/shawn_merdinger/csi-netsec-2006-poor-mans-guide-merdinger-1251099
Cheers,
Google calendar has some listed.
http://www.google.com/calendar/embed?src=pe2ikdbe6b841od6e26ato0asc%40group.calendar.google.com
cheers,
--scm
On Mon, Sep 21, 2009 at 5:00 PM, TK ktriv...@msn.com wrote:
Where can I find a list of security conferences that I can attend?
Securityfocus.com use
While US law focused, you might take a look at the few guides by the
EFF (Electronic Frontier Foundation).
http://www.eff.org/issues/coders/vulnerability-reporting-faq
Cheers,
--scm
On Mon, Jun 15, 2009 at 2:14 PM, Giuseppe Fuggiano giuseppe.fuggi...@gmail.com wrote:
What are, if any, the legal
On Fri, Feb 6, 2009 at 11:01 AM, rembrandt rembra...@jpberlin.de wrote:
Is somebody aware of security contacts at Netgear or D-Link?
Products of those vendors do suffer from possible DoS, probably default
hardcoded root accounts (D-Link) and other issues.
Timeline:
ZDI:
Case Opened
On Fri, Jan 30, 2009 at 12:07 PM, valdis.kletni...@vt.edu wrote:
On Thu, 29 Jan 2009 17:04:53 CST, hack ery said:
Security Risk: High
Exploitable: Local
Vulnerability: Arbitrary Flow Control Control, Cat Spoofing
Discovered by: The Hackery Channel
Note the additional possibility of a
fyi, an interesting email to Risks Digest 25.43:
http://catless.ncl.ac.uk/Risks/25.43.html
Date: Mon, 27 Oct 2008 02:15:20 -0700 (PDT)
From: Paul Robinson [EMAIL PROTECTED]
Subject: Poison-pill auto-disclosure for security vulnerabilities
I have thought of something
thongs.
http://www.iloveanything.com/order/w5.asp?custom=n3td3vI1.x=74I1.y=20
On 7/11/08, n3td3v [EMAIL PROTECTED] wrote:
I'm still calling for Secunia to be dropped as a sponsor of
Full-Disclosure mailing list and it to be funded by public donations
instead.
..snipped
? If this is the case, then maybe this type of attack
vector may have potential against the MDS 9000?
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3593
Thanks again for sharing and kindest regards,
--scm
Shawn Merdinger
Independent Security Researcher
VoIPninja.com
On 8/1/07, Felix 'FX' Lindner [EMAIL PROTECTED
Hi All,
Following up on my own question here ;-)
On 8/3/07, Shawn Merdinger [EMAIL PROTECTED] wrote:
Does anyone know the OS for the MDS 9000?
http://www.cisco.com/en/US/products/ps6217/index.html
SAN-OS 2.1 is the latest version of the operating system for the
Cisco MDS 9000 SAN switch
Hi All,
At level 15 permissions, when I enter debug k on the CLI the router
freezes immediately, requiring a manual reboot.
While not a vulnerability per se, perhaps something to keep in mind
from the fat-finger risk?
Anyone else seeing this?
Kindest regards,
--scm
Shawn Merdinger
just posting a "Hey, I'm seeing this, anyone else?"
Folks, give debug kernel a try like FX mentioned and see what
happens. It worked with debug k on my version I'm working on, but
that's a Cisco question I guess.
Kindest regards,
--scm
Shawn Merdinger
Independent Security Researcher
VoIPninja.com
Hello,
Is the Madynes VoIP fuzzer available for public download? If not,
when/if do you expect to release it?
Thanks,
--scm
On 3/20/07, Radu State [EMAIL PROTECTED] wrote:
MADYNES Security Advisory
http://madynes.loria.fr
Severity: High
Title: Cisco 7940 SIP INVITE remote DOS
Date:
/pocketpc/
Collin
On Wed, 2006-12-06 at 10:40 -0800, Shawn Merdinger wrote:
Vulnerability Description
==
The Linksys WIP 330 VoIP wireless phone will crash when a full
port-range Nmap scan is run against its IP address.
Linksys WIP 330 Firmware Version
at that screenshot again...
http://www.flickr.com/photos/metalmijn/295348294/
Heck buddy, you appear correct
~p
- Original Message -
From: Shawn Merdinger [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Wednesday, December 06, 2006 1:40 PM
Subject: [Full-disclosure
Vulnerability Description
==
The Linksys WIP 330 VoIP wireless phone will crash when a full
port-range Nmap scan is run against its IP address.
Linksys WIP 330 Firmware Version
==
1.00.06A
Nmap scan command
nmap -P0 <WIP 330 ip address> -p
No better/worse than this I suppose.
http://www.cisco.com/warp/public/707/cisco-response-20060113-ip-phones.shtml
Thanks,
--scm
On 12/6/06, Knud Erik Højgaard [EMAIL PROTECTED] wrote:
The Linksys WIP 330 VoIP wireless phone will crash when a full
port-range Nmap scan is run against its IP
Hi,
Paul Schmehl wrote:
The engineers who designed this should be summarily fired. The terminal
stupidity of it is mind boggling!
Nick FitzGerald [EMAIL PROTECTED] wrote:
I think _beyond_ mind-boggling.
Your spirited comments are fun to read, but I personally don't find
these types of
In the readme in the ohrwurm tarball from Matthias Wenzel's site:
http://mazzoo.de/blog/2006/08/25#ohrwurm
snip
SUCCESS
~~~
As of August 2006 ohrwurm broke the following applications/transports:
- linphonec 1.10 / iLBC (stops sending RTP, no crash)
- linphonec 1.10 / iLBC (re-negotiates
Zachary McGrew has discovered and reported that the FiWin SS28S WiFi
VoIP SIP/Skype Phone with firmware version 01_02_07 has VxWorks Telnet
open with a hardcoded user/pass of 1/1. Various debug commands enable
viewing SIP credentials, WEP keys, etc. on the phone.
More details here:
Nice find. But probably not a big deal since these are just home-use
routers, right?
Well, maybe not.
1. Sandia nuclear plant scada network recommended gear doc (October, 2005):
http://www.sandia.gov/scada/documents/NSTB_NSIT_V1_2.pdf
You'll see when you read the doc that the crux of the
network devices.
3. Undocumented port, TCP/513 allows an attacker rlogin access with no
credentials.
4. The phone configuration has a hardcoded Taiwan NTP server
CONTACT INFORMATION:
Shawn Merdinger
[EMAIL PROTECTED]
to disabling this undocumented open port.
CONTACT INFORMATION:
Shawn Merdinger
[EMAIL PROTECTED]
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
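The FiWin and CPW-100 reports above share one pattern: a handset ships with a cleartext admin service (VxWorks telnet with 1/1, rlogin on TCP/513 with no credentials, an undocumented port that cannot be disabled). The practical check is therefore an inventory pass over your own VoIP subnet for exactly those ports. The following is an added example, not code from any of the advisories or from their authors: it parses nmap grepable (-oG) output and flags handsets exposing telnet, rlogin, or any port outside a short expected set. The scan output, the 192.0.2.0/24 addresses, the port list and the EXPECTED set are constructed assumptions for illustration; adjust them to your phone models. Note the WIP 330 report further down this page, where a full port-range scan alone crashed the phone, so run this against lab units or with a throttled scan rather than production handsets.

```python
from typing import Dict, List, Tuple

# Constructed sample of nmap grepable (-oG) output. Not a real scan result and
# not taken from any advisory on this page; 192.0.2.0/24 is documentation space.
SAMPLE_GNMAP = (
    "# Nmap 4.20 scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 ()\tPorts: 23/open/tcp//telnet///, 513/open/tcp//login///, "
    "5060/open/udp//sip///\tIgnored State: closed (65532)\n"
    "Host: 192.0.2.11 ()\tPorts: 5060/open/udp//sip///\tIgnored State: closed (65534)\n"
    "Host: 192.0.2.12 ()\tPorts: 80/open/tcp//http///, 5060/open/udp//sip///, "
    "31338/open/tcp//unknown///\tIgnored State: closed (65532)\n"
)

# TCP services that should never be reachable on a handset: the cleartext
# admin channels the FiWin report describes as open with default or no creds.
RISKY_TCP = {
    23: "telnet (cleartext admin; hardcoded default credentials reported)",
    513: "rlogin (no credentials required)",
}

# Assumed baseline of what a SIP phone is allowed to expose; anything else
# is treated as an undocumented open port. Tune per model.
EXPECTED = {("udp", 5060), ("tcp", 5060), ("tcp", 80), ("tcp", 443)}


def parse_gnmap(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {ip: [(port, proto, service), ...]} for open ports in -oG output."""
    hosts: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip comment lines and the trailing summary
        fields = line.split("\t")  # -oG separates Host/Ports/Ignored with tabs
        ip = fields[0].split()[1]
        open_ports: List[Tuple[int, str, str]] = []
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # port/state/protocol/owner/service/rpcinfo/version/
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue
                port, state, proto, _owner, service = parts[:5]
                if state == "open":
                    open_ports.append((int(port), proto, service))
        hosts[ip] = open_ports
    return hosts


def findings(hosts: Dict[str, List[Tuple[int, str, str]]]) -> Dict[str, List[str]]:
    """Flag known-bad admin ports first, then anything outside EXPECTED."""
    report: Dict[str, List[str]] = {}
    for ip, ports in hosts.items():
        flags: List[str] = []
        for port, proto, service in ports:
            if proto == "tcp" and port in RISKY_TCP:
                flags.append(f"{proto}/{port}: {RISKY_TCP[port]}")
            elif (proto, port) not in EXPECTED:
                flags.append(f"{proto}/{port}: undocumented open port ({service or 'unknown'})")
        report[ip] = flags
    return report


if __name__ == "__main__":
    for ip, flags in findings(parse_gnmap(SAMPLE_GNMAP)).items():
        print(ip, "OK" if not flags else "")
        for flag in flags:
            print("   ", flag)
```

With real data, feed it the file written by `nmap -oG phones.gnmap ...`; handsets that only show the expected SIP/HTTP ports come back clean, while a phone with 23/tcp or 513/tcp open is the case the advisories say cannot be fixed in configuration and should be isolated at the switch or firewall.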
the attacker's control from
the CPW-100, thereby turning the phone into a remote monitoring
device.
There appears to be no means to either disable this access or enable
authentication.
CONTACT INFORMATION:
Shawn Merdinger
[EMAIL PROTECTED]
an avenue for DoS.
There appears to be no workaround for this issue.
CONTACT INFORMATION:
Shawn Merdinger
[EMAIL PROTECTED]
. Also, the undocumented open port may
provide an avenue for DoS.
There appears to be no workaround for this issue as far as disabling the port.
CONTACT INFORMATION:
Shawn Merdinger
[EMAIL PROTECTED]
the CLIP shell, that allows an attacker to
enable call tracing and debugging, conduct a factory reset, write to
registers, dump memory, etc.
There appears to be no means to either disable this access or enable
authentication.
CONTACT INFORMATION:
Shawn Merdinger
[EMAIL PROTECTED
I disclosed today the following vulnerabilities at the 32nd CSI
conference in Washington, D.C.
https://www.cmpevents.com/CSI32/a.asp?option=GV=3id=406438
Thanks,
Shawn Merdinger
===
VENDOR:
Hitachi
PRODUCT:
Hitachi IP5000 VOIP WIFI
I disclosed today the following vulnerabilities at the 32nd CSI
conference in Washington, D.C.
https://www.cmpevents.com/CSI32/a.asp?option=GV=3id=406438
Thanks,
Shawn Merdinger
===
VENDOR:
UTStarcom
VENDOR NOTIFIED:
27 June, 2005 via
I disclosed today the following vulnerabilities at the 32nd CSI
conference in Washington, D.C.
https://www.cmpevents.com/CSI32/a.asp?option=GV=3id=406438
Thanks,
Shawn Merdinger
===
VENDOR:
Zyxel
PRODUCT:
Zyxel P2000W Version 1 VOIP
I disclosed today the following vulnerability at the 32nd CSI
conference in Washington, D.C.
https://www.cmpevents.com/CSI32/a.asp?option=GV=3id=406438
Thanks,
Shawn Merdinger
===
VENDOR:
Senao
VENDOR NOTIFIED:
28 June, 2005
VENDOR