I guess the release of this tool makes physical access pen-tests a little
bit easier huh? Will have to try this out some time.
Steven
http://www.smh.com.au/news/security/hack-into-a-windows-pc--no-password-needed/2008/03/04/1204402423638.html
Explain to me what I am missing here.
On Wednesday 12 December 2007 08:05:35 Steven Adair wrote:
You aren't really able to take action on Google's site per the
real definition of CSRF.
CRSF: Canadian Rope Skipping Federation (Google's I'm feeling lucky)
Center for Research
Hi,
I didn't read all of the documents in detail, but I noticed the first
bunch mentioned spoofing/changing your MAC address to that of someone that
is validated/authorized. This is of course assuming this is feasible and
someone has authenticated already. Many of the hotspots will just simply
There you have it. Surely a GPL'd tool implementing this attack style
will be available shortly. And since Chinese researchers have been
attacking SHA-1 lately, should SHA-256 be considered the proper
replacement? I am unsure :-(
Yes, it would probably be a good idea. I think this link
Right this problem has existed for a long time, but it's not the end of
the world for someone to point it out again I suppose.
I think it's obvious that there's another main issue here and that's the
way WordPress handles its cookies in general. They are not temporary
sessions that expire or are
http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENTS/CURRENT_E-Jihad?view=markup
Steven
http://www.securityzone.org
Does anyone have a copy of e-jihad15.zip? I would
like to see if there is something unique in the
generated HTTP traffic that would be signature worthy?
Well it's not that I can really argue that most of the content on this
list is really in line with the list charter or the idea of full
disclosure, but asking a basic question about scanning doesn't exactly fit
either.
I'd suggest Google (as mentioned) or subscribing to a list such as
--On November 1, 2007 10:14:50 PM -0400 Jay Sulzberger [EMAIL PROTECTED]
wrote:
On Thu, 1 Nov 2007, Paul Schmehl [EMAIL PROTECTED] wrote:
--On November 1, 2007 6:31:39 PM -0400 Adam St. Onge
[EMAIL PROTECTED] wrote:
So if i put a picture of a naked girl on a website and said to see
more
ISC just put up a diary on it that has a little bit more information for
anyone interested:
http://isc.sans.org/diary.html?storyid=3529
Steven
www.securityzone.org
I saw an unusually high volume of scans between 2200 and last night
on my residential connection. They all made their
I think you guys are both mixing up CERT (cert.org) and US-CERT
(us-cert.gov) -- both of which have very different functions. As
mentioned though, you probably wouldn't want to call either if your
Internet goes down.
Steven
On Mon, 08 Oct 2007 19:55:59 BST, worried security said:
If you
So are we dealing with an RDCB (Recently Disclosed Calculation Bug) or was
this just a mistake?
Steven
Actually, I see 5.1005 in both browsers.
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.eweek.com/cheap_hack/
Contributing Editor, PC
Nice, sounds almost exactly like what I said a few days ago. Good to see
the bullet-proof wikipedia has my back.
Steven
www.securityzone.org
http://en.wikipedia.org/wiki/0day
/thread
--=Q=--
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Not in my book. I guess the people on this list are working off too many
different definitions of 0day. 0day to me is something for which there is
no patch/update at the time of the exploit being coded/used. So if I code
an exploit for IE right now and they don't patch it until April September
I'm not sure exactly why they do not accept submissions from the general
non-customer public, but I am sure there is a good reason. Chances are
they most likely have the sample you are coming across from one source or
another. They probably also get a much larger number of duplicates for
I went to the below URL you referenced
(http://www.cisco.com/cgi-bin/tablebuild.pl/windows?psrtdcat20e2), logged
in, and it works fine for me with a listing of all the clients to
download.
vpnclient-win-msi-5.0.01.0600-k9.exe
VPN Client Software for 2000/XP/Vista - Microsoft Installer
Also, if everyone saw the update from yesterday, it was apparently an
erroneous action by a third-party:
AT&T Inc said on Thursday a company it hired to handle the cybercast of a
live concert by U.S. rock band Pearl Jam erroneously omitted lyrics
criticizing U.S. President George Bush that were
Just a few additions/ideas:
You have RFI but not LFI.. so add that. I'd also say general input
validations as some other mentioned. This ties into your XSS (persistent
or otherwise) and some of your other issues like injecting
code/iframes/xss etc into forums and so on. Also as mentioned a big
Did they fix this already because all I see when I go to your URL is:
II. Solution
We are currently unaware of a practical solution to this problem.
Unregister the AIM protocols
Disabling the AIM protocol handler may mitigate this vulnerability. To
unregister the protocol handlers, delete or
Finding collisions is definitely one piece. The other is that you can
argue about SHA-1 being the Federal standard. Is it used more due to
widespread use in existing applications? Yes. However, all Federal
agencies (and people in general) should stop using it where possible.
NIST has mandated
I care.. nice observation
And if you did'nt care you would'nt have taken the time to reply.
Flawed logic.
However, I think you don't really care because you didn't take the time to
put your apostrophes in the right places.
Also, I don't really understand the original post. He is cussing
Amazing, you were able to find multiple instances where a script-based
gender guesser was wrong? This is more profound than the initial research
itself. I suppose I could post a series of 10 writings where it was
correct, but what would that prove? Did you try reading this from the
same page:
Looks like a few others have been found:
http://erratasec.blogspot.com/2007/06/nce.html
Steven
securityzone.org
Apple released version 3 of their popular Safari web browser today, with
the added twist of offering both an OS X and a Windows version. Given
that Apple has had a lousy track
How about a month of someone not suggesting and/or starting a month of
anything bugs? Does that cancel itself out..maybe only if announced in
advance?
How about a month of annoying project ideas?
Shirkdog
' or 1=1--
http://www.shirkdog.us
From: Kristian Hermansen [EMAIL PROTECTED]
To:
We are also at risk from rogue developers, people that have
hacked/poisoned your trusted DNS provider, those that have modified your
/etc/hosts, /etc/resolv.conf, windows\system32\drivers\etc\hosts (and/or
related files), people that have hacked the update server and put their
own malicious
So do you think his two WordPress blogs (I am assuming here..looks a lot
like WP, but I'm not pounding out GET requests to verify) were included in
this survey that was done? I wonder if he's running a safe version?
And as mentioned in one of his blog comments, version reporting isn't
always
--On Thursday, May 24, 2007 09:44:02 -0500 Steven Adair
[EMAIL PROTECTED] wrote:
So do you think his two WordPress blogs (I am assuming here..looks a lot
like WP, but I'm not pounding out GET requests to verify) were included
in
this survey that was done? I wonder if he's running a safe
On 5/21/07, ascii [EMAIL PROTECTED] wrote:
Brian Eaton wrote:
To summarize what I've heard from various sources: I am missing
something important. =) Both PHP and ASP.NET will decode these
characters into their ASCII equivalents.
(AFAIK)
Only ASP.NET/IIS decodes that automatically.
I think a good share of the time when someone states that the DoS may
possibly lead to remote code execution, they are making such a statement for a
couple of different reasons:
1) They found a DoS and truly have no idea whether or not it can cause
remote code execution due to not having the
It is funny that this stuff ever comes to surface. Now I am wondering if
this is a case of trying to spread FUD or someone who just didn't pay any
attention to what was going on?
Steven
securityzone.org
I forwarded the original issue to Steganos as I am a user of their
software
package. This
Is this in any way surprising? I think we all know the answer is no. Many
Fortune 500 companies have more employees than some ISPs have customers.
Should we really expect differently?
Also, as a side note, I would like to add that just because SPAM is coming
from a certain gateway does not
On 13/04/07, Steven Adair [EMAIL PROTECTED] wrote:
Is this in any way surprising? I think we all know the answer is no.
Many
Fortune 500 companies have more employees than some ISPs have customers.
Should we really expect differently?
Yes! Off the top of my head:
1. Corporations should
Greetings,
I would like to see if I could get the community's take on these
vulnerability purchasing programs such as those offered by iDefense and
3COM. There have been previous discussions that I have seen on the lists
surrounding poor monetary offerings of one program versus that of another.
There are numerous tools out there that will take IP addresses and report
back [all] the domains on them. The best one I came across some time
about was the Reverse IP search from www.domaintools.com. Unfortunately
to get the entire list you have to pay now -- I think. You used to just
be able
I do not use WEP at home. I use WPA2 on my home network. I agree with
the majority of what you both have said. However, if you solely relied on
the risk level as the reason for not upgrading to a more secure mechanism, I
would say you are doing yourself a disservice. Now since I often rely on
NIST