Re: [Full-Disclosure] shadowcrew.com

2004-10-15 Thread Harlan Carvey
't > register. Does anyone have any info on this? What kind of info are you looking for? How to resolve this issue, by cleaning your machines? Or are you looking for info on the site? = ------ Harlan Carvey, CISSP "Windows Forensics and Incident R

Re: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a Virus ??!

2004-10-12 Thread Harlan Carvey
the AV vendors need a lawyer...based on what? How about doing a better job of troubleshooting the issue? How long have malware authors been changing the names of files? However long it's been, those admining the machines don't seem to be catching on... = -----

Re: [Full-Disclosure] Hacking into private files, my credit card purchases, personal correspondence or anything that is mine is trespassing and criminal.

2004-10-08 Thread Harlan Carvey
s, you still have issues of...is the "victim" capable of determining/demonstrating when a crime has occurred? = ---------- Harlan Carvey, CISSP "Windows Forensics and Incident Recovery" http://www.windows-ir.com http://groups.yahoo.com/group/wi

Re: [Full-Disclosure] Hacking into private files, my credit card purchases, personal correspondence or anything that is mine is trespassing and criminal.

2004-10-08 Thread Harlan Carvey
thinking about it, you should also do in the online world. = -- Harlan Carvey, CISSP "Windows Forensics and Incident Recovery" http://www.windows-ir.com http://groups.yahoo.com/group/windowsir/ "Meddle not in the affairs of dragons, for you a

Re: [Full-Disclosure] Hacking into private files, my credit card purchases, personal correspondence or anything that is mine is trespassing and criminal.

2004-10-08 Thread Harlan Carvey
rception...a perception that needs to change. Only after that perception changes will we see better, more secure software, etc. = ------ Harlan Carvey, CISSP "Windows Forensics and Incident Recovery" http://www.windows-ir.com http://groups.yah

Re: [Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box

2004-10-03 Thread Harlan Carvey
BHOs... Sorry, wish I could help more, but I'd need more info... = -- Harlan Carvey, CISSP "Windows Forensics and Incident Recovery" http://www.windows-ir.com http://groups.yahoo.com/group/windowsir/ "Meddle not in the affairs of dragons, fo

Re: [Full-Disclosure] Spyware? Worm? Trojan? "face license free bait"

2004-09-29 Thread Harlan Carvey
un...that thing you did the other night was funnier than "America's Funniest Home Videos" and "COPs" put together. > Thank you very much indeed for your help.. and sorry > for my really bad english. It isn't your English that's the problem, dude...it'

Re: [Full-Disclosure] How to obtain hostname lists

2004-09-28 Thread Harlan Carvey
ices you're targeting. = -------- Harlan Carvey, CISSP "Windows Forensics and Incident Recovery" http://www.windows-ir.com ht

Re: [Full-Disclosure] How to obtain hostname lists

2004-09-28 Thread Harlan Carvey
w they > can obtain hostnames and create a huge database for > potential host victims? Besides the usual scanning techniques, throw Googling and searches via Netcraft for httpd's into the mix. = -------- Harlan

Re: [Full-Disclosure] New virus?

2004-09-27 Thread Harlan Carvey
> Consultant / ISH Tecnologia > > > > Phone: +55-27-3334-8900 > > Mobile: +55-27-8111-0884 > > Email: [EMAIL PROTECTED] > > PGP Fingerprint: >6A42 3701 70D7 FD0F 5FA9 D232 CDD4 6189 EF43 > 95F5 > > > = ---

RE: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses

2004-09-23 Thread Harlan Carvey
> Some of them can (almost) hide from everything > because of the way they integrate. Not everything...check out my book. > Even hashes > won't work for program execution detection very > well. I'm not entirely clear on how a hash of a file pertains to detecting the execution of a program...c

Re: [Full-Disclosure] unknown backdoor: 220 StnyFtpd 0wns j0

2004-09-23 Thread Harlan Carvey
Ryan, > I've been finding a few compromised Windows systems > on our campus that > have a random port open with a banner of "220 > StnyFtpd 0wns j0". All the > systems seem to be doing SYN scans on port 445 and > LSASS buffer overflow > attempts. Anyone know what worm/bot is doing this? > I

Re: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses

2004-09-23 Thread Harlan Carvey
> Windows is likely the most susceptible to such an > attack due to the > limited amount of people that fully understand the > kernel and "flow > chart" of processes. (Or those that don't put 2 and > 2 together, like myself.) I realize that this is purely speculation on your part, but I'd be care

RE: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses

2004-09-23 Thread Harlan Carvey
> The thing that has me worried about this (at least > enough to justify the > posts) is that this seems to be an avenue for growth > in kits. That's exactly what it is. On a slightly tangential note, while many people I know of in the security community bash Microsoft, I've more often been

RE: [Full-Disclosure] Rootkit For Spyware? Hide your adware from

2004-09-23 Thread Harlan Carvey
> It depends on which kit they based it on. My guess > is these guys weren't > good enough to do the coding themselves so they > stole someone else's code. That, or they're learning (rootkit coding training via Blackhat), or they're simply purchasing it (there are folks who do custom rootkit codi

RE: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses

2004-09-23 Thread Harlan Carvey
> Nothing new about rootkits. They aren't big news > because they are old news. > Although depressing this is definitely possible. Old news, yes...but to some, not everyone. Taking users (home, corporate, academic, etc.) out of it, sysadmins and LEOs are still way behind when it comes to understa

Re: [Full-Disclosure] Lots of traffic on port 1472 from explorer

2004-09-21 Thread Harlan Carvey
> I removed it, but it seems that something else is > amiss, > I still see lots of traffic from explorer.exe on the > 1472 port. Have you captured any of this traffic? > The traffic is indeed coming from a system I have > control of, > I still have no dumps though. I can see nothing > worrying

Re: [Full-Disclosure] Lots of traffic on port 1472 from explorer

2004-09-21 Thread Harlan Carvey
Giuseppe, > from a home computer I'm seeing lots of traffic > generated from > explorer on port 1472 towards the microsoft-ds port, > typically > on IP addresses starting with 35.xx.xx.xx This isn't clear...is it coming from a system you have control of? I'm going to assume that this is the case

RE: [Full-Disclosure] Scandal: IT Security firm hires the author of Sasser worm

2004-09-21 Thread Harlan Carvey
The myopic and narrow-minded view of respondents in this forum never ceases to amaze me. More often than not, it's clear that the person responding is more interested in disproving statements made by others, rather than attempting to understand those statements. So, ktabic, you want to know "how

Re: [Full-Disclosure] @Stake Aquired by Symantec

2004-09-20 Thread Harlan Carvey
> The trend of Anti_Virus companies buying out > security services companies has seriously caught my > atttention[sic]. Why does this seem to have suddenly caught your attention? This has been going on for a while. > Will Symantec keep LophtCrack listed as a > virus/trojan? Why are you asking t

RE: [Full-Disclosure] Scandal: IT Security firm hires...

2004-09-20 Thread Harlan Carvey
> > Does it not strike anyone that there is a > disturbing trend in > > malicious hackers (yes, yes, I know, they are not > hackers if > > they are malicious, so call em whatever you want) > getting > > hired to security firms, Regardless of the reason for hiring these individuals, this fact s

RE: [Full-Disclosure] Scandal: IT Security firm hires the author of Sasser worm

2004-09-20 Thread Harlan Carvey
> Todd...what on earth makes you think they did not? > This is not new behavior...at all. Exactly. If you don't really believe that the movie "Catch me if you can" was based on a true story, check out this site: http://www.abagnale.com/index2.asp

Re: [Full-Disclosure] Where is security industry gng??

2004-09-13 Thread Harlan Carvey
> Network security -> application security -> software > security -> > > What do u guys think?? This sort of view is too granular...they are all part of information security. The strongest network security fails in the face of poor physical security.

Re: [Full-Disclosure] Any idea about that?

2004-09-10 Thread Harlan Carvey
> I received this file through email (Yahoo) nothing > was detected from Yahoo > or NAV 2003. According to my understanding this is > some kind of worm or > irc-bot. I found this file making connections on > port 6667 6660 and opening > major important ports on the infected PC. > > Any one has

Re: [Full-Disclosure] Where to submit a suspected trojan or virus?

2004-09-03 Thread Harlan Carvey
> > I found an explorer.exe in my system32 folder > which I believe takes > > precedence over the real explorer.exe located in > c:\windows. The fact that there's a copy of this Explorer.exe in System32 may be an issue. Was there an application running? Was there a Registry entry related to thi

Re: [Full-Disclosure] Re: Microsoft Update Loader msrtwd.exe

2004-09-03 Thread Harlan Carvey
> When I first posted, I didn't have the EXE. When I > did receive a copy of the file, I was told I cannot > send it outside of the network. > > Besides, I've been on this list long enough to know > that questions like mine are asked from time to > time. If that's really the case, you should h

Re: [Full-Disclosure] Microsoft Update Loader msrtwd.exe

2004-09-01 Thread Harlan Carvey
> Recently discovered a trojan(? - possibly a virus) > called msrtwd.exe. > It's listed in the Registry as "Microsoft Update > Loader" > > Does anyone know anything about this? Google > doesn't offer much. Where in the Registry did you find it? Which key(s)? What about this makes you think it

Re: [Full-Disclosure] Viral infection via Serial Cable

2004-09-01 Thread Harlan Carvey
> > You're right, but what does that have to do with > an > > RS-232 serial cable? > > What did you hook your modem to the computer with? Phone cord with an RJ-11 connector. Even back when I did own a 300 baud modem, installed in an Epson QX-10, it was phone cable...not RS-232.

Re: [Full-Disclosure] Viral infection via Serial Cable

2004-09-01 Thread Harlan Carvey
> > The same reason there are so many Windows > viruses... 90 something % of > > the people online are using Windows, that's > what the viruses are > > after. Back in the day when serial connections > were the only means of > > communication possible, viruses weren't very > possible > > Act

Re: [Full-Disclosure] Is this a new Trojan?

2004-08-31 Thread Harlan Carvey
If you don't have access to the source machine, then maybe take a look here... http://www.pestpatrol.com/pestinfo/t/trojandownloader_win32_delf.asp ...or maybe here... http://www.pestpatrol.com/pestinfo/w/worm_p2p_surnova.asp without more info (rest of packet, openports output, etc)... --- Sumee

[Full-Disclosure] [Full Disclosure] More fun w/ XP SP 2

2004-08-25 Thread Harlan Carvey
Hey, folks, More on (no pun intended...well, maybe...) the ":Zone.Identifier" issue in XP SP 2. I originally saw this here: http://www.heise.de/security/artikel/print/50051 Other Google hits refer back to this article. Interestingly enough, Microsoft doesn't mention alternate data streams (ADSs

RE: [Full-Disclosure] Possible New Malware....

2004-08-24 Thread Harlan Carvey
--- "Aditya , ALD [ Aditya Lalit Deshmukh ]" <[EMAIL PROTECTED]> wrote: > Blankdo you know that www.slimeware.com is a > paranody site with no real coproation behind it, the > fellow who wrote this program has a real good sence > of humor What?!? What's a "paranody"? And what's a "coproation"

RE: [Full-Disclosure] Foundstone's Future as Part of McAfee

2004-08-18 Thread Harlan Carvey
> To answer your question...YES I was kidding! > I did post it to invite speculation! But why? Speculation is a complete waste of time. > The Truth is, the mergers within the security space > are getting interesting. > First Watchbot buys Sanctum. > Now McAfee finally bought Foundstone (Rumored

Re: [Full-Disclosure] Foundstone's Future as Part of McAfee

2004-08-17 Thread Harlan Carvey
> Press releases are social engineering, plain and > simple. Agreed. > There's a good chance the OP already read them and > is looking for > hints as to what the *REAL* story is. Good chance? If so, perhaps the OP should have said so. As to the *real* story, it isn't going to be found here.

Re: [Full-Disclosure] best tools for network discovery

2004-08-17 Thread Harlan Carvey
nmap ping/tracert SNMP enumeration --- Jose Pena <[EMAIL PROTECTED]> wrote: > Would like to get a better picture of the company > network (other than diagrams given). > > Thought I'd ask what are the most recommended tools > in > discovering a network environment. > > Thx for the help, > J. >

Re: [Full-Disclosure] Foundstone's Future as Part of McAfee

2004-08-17 Thread Harlan Carvey
You're kidding, right? What's the purpose of posting something like that, other than to invite speculation? Since I doubt that senior management of either McAfee or Foundstone actively monitors this list, one would think that you could have saved yourself some time if you'd simply read the pres

Re: [Full-Disclosure] (no subject)

2004-08-13 Thread Harlan Carvey
Barry, > I think the whole AV naming issue is, though > problematic, the least of > our problems. I think you hit the nail on the head > here, Harlan. One other thing I'd like to throw into the mix. This whole discussion is being viewed, it seems to me from the wrong perspective. The attitude

Re: [Full-Disclosure] (no subject)

2004-08-13 Thread Harlan Carvey
> > As > > I explained in other of my posts in this and the > related "AV Naming > > Convention" thread, in general by far the largest > "cost" of naming > > disagreement is borne by the users in the early > hours of large-scale > > outbreaks. Forget the whole naming thing...it's been bandied

Re: [Full-Disclosure] SP2 is killing me. Help?

2004-08-12 Thread Harlan Carvey
> i agree that this is "crap update". Ok. > don't use windoze for anything serious, but a person > familiar with windoze > said sp2 breaks so much warez it is unusable. Just how useful is a phrase like "breaks so much warez it is unusable"? So far, I've seen multiple posts to various lists wh

Re: [Full-Disclosure] Service Pack 2, don't discuss it here.

2004-08-12 Thread Harlan Carvey
Tom, I don't think the OP means "don't talk about SP2 with regards to security here". I think what he's rather clearly referring to is if you install SP2 without thinking, and then something bad happens (ie, cardreader stops working) b/c you installed SP2 on a production system, don't bring *that

Re: [Full-Disclosure] SP2 is killing me. Help?

2004-08-12 Thread Harlan Carvey
Darren, > Windows XP SP2 has got to be up there with Windows > NT 4.0 service pack 2 > in terms of crap updates, possibly even worse. > Maybe M$ are trying to > push everyone away from Windows ? Wow! MS goes about doing what the security folks have been harping on for years...providing a modic

Re: [Full-Disclosure] WIndows XP SP2 "breaks" things

2004-08-11 Thread Harlan Carvey
All I can say about this, Greg, is...well...duh! > > Just FYI, my company is experiencing a high volume > > of calls from customers > > claiming that they have installed Windows SP2. > > Customers claim that SP2 is > > "breaking" previously working network behavior. > > Initial testing indicates

Re: [Full-Disclosure] IDS for Windows

2004-08-10 Thread Harlan Carvey
snort --- Carsten Ruckelshausen <[EMAIL PROTECTED]> wrote: > Hi, > > i'm looking for an Intrusion Detection System (host > and/or net) for Windows. > It should be Free or Shareware and perhaps it could > work in a Windows/Linux > network. > > Any idea ? > > > Bis denn dann, > > Carsten > --

Re: [Full-Disclosure] New Security web site: http://exploitwatch.org

2004-08-06 Thread Harlan Carvey
Thanks for the reply. > True, but as I said: "Some web-sites and mailing > lists > already provide this functionality, but we have > found them > way too slow to publish new updates as well as being > incomplete." Right, I caught that, too. > We focus on exploits only, and aim to increase > awar

Re: [Full-Disclosure] New Security web site: http://exploitwatch.org

2004-08-06 Thread Harlan Carvey
What will this new service provide that isn't already available? --- [EMAIL PROTECTED] wrote: > exploitwatch.org is a mailinglist aiming to keep > security professionals updated > with information on new software exploits. > > When new exploits make a public occurrence, the risk > of being targe

Re: [Full-Disclosure] antisemitism, FD and bandwidth - what I want out of it

2004-07-22 Thread Harlan Carvey
Raymond, > It merely is the trade-off of total > freedom of speech, which this list tries to > maintain. I agree with you on that. One would hope that people would realize that with free speech (and other freedoms) comes responsibility...or at the very least, observe some modicum of courtesy. H

RE: [Full-Disclosure] Presidential Candidates' Websites Vulnerable

2004-07-01 Thread Harlan Carvey
Jan, Thanks for the response... > http://www.rense.com/general52/fgult.htm I read the site, and it linked to a CNN story: http://www.cnn.com/2002/ALLPOLITICS/12/29/mandatory.military/ Notice that the date on the CNN piece is 30 Dec '02. > A link to the article about the passed but yet > unsig

RE: [Full-Disclosure] Presidential Candidates' Websites Vulnerable

2004-07-01 Thread Harlan Carvey
Jan, > If any issue is more important than electronic > voting I don't > know what it is. Congress has approved starting in > the Spring > of 2005, the draft, all the way up to 49 years of > age for special skills. I'm not clear as to what one issue has to do with the other. Those in Congress

Re: [Full-Disclosure] Tools for checking for presence of adware remotely

2004-07-01 Thread Harlan Carvey
> > It's not difficult to figure out how things work > on > > Windows systems. Once you find that out, it's > pretty > > simple. I will defer to Marcus Ranum's title of > > "artificial ignorance" to describe how the Perl > > scripts work...by identifying those things that > are > > known to be '

Re: [Full-Disclosure] Tools for checking for presence of adware remotely

2004-06-30 Thread Harlan Carvey
-aditya > > Sure...Perl scripts. As a security admin in an > FTE > > position, I had scripts that checked all systems > > within the domain for entries in the ubiquitous > 'Run' > > key, as well as for BHOs. Easy stuff, pretty > trivial, actually. > > but then you would have to keep on updating

Re: [Full-Disclosure] Tools for checking for presence of adware remotely

2004-06-30 Thread Harlan Carvey
> Does anyone out there know of any tools available to > probe network workstations for the presence of > adware/spyware? Sure...Perl scripts. As a security admin in an FTE position, I had scripts that checked all systems within the domain for entries in the ubiquitous 'Run' key, as well as for

Re: [Full-Disclosure] CISCO Vpn

2004-06-23 Thread Harlan Carvey
Ron, > It's estimated > that at least 75% of vpn's in place for this kind of > use are nothing more then that. I'd like to take a closer look at this...when you say "estimated", by whom? What's your source? I'm not disagreeing, as I agree with your post...I'm just looking to dig a little deeper

Re: [Full-Disclosure] USB risks - working autorun example (fwd from pen-test)

2004-06-19 Thread Harlan Carvey
> Attached is a proof-of-concept as made available by > [EMAIL PROTECTED] > for using autorun with USB. I haven't been able to get it to work on Win2K or XP, and the OP doesn't seem to have specified the manufacturer and model of the device used. > This should work. As it was already released,

Re: [Full-Disclosure] Re: USB risks (continued)

2004-06-19 Thread Harlan Carvey
I agree, the use of USB-connected devices is nothing new. They make a very unobtrusive delivery system, as well as a great way to load vast amounts of data into an extremely small space to get information out of an organization. But you know something, that's not really the point. Yes, this is a

Re: [Full-Disclosure] USB autorun function

2004-06-18 Thread Harlan Carvey
--- Evil Wrangler <[EMAIL PROTECTED]> wrote: > I want to say how flattered I am to have generated > so much discussion > from my little 2600 article. I welcome all > corrections and additions. > > Information should be free! Okay, how about this request then...can you provide enough details (ie,

Re: [Full-Disclosure] USB Auto run function

2004-06-18 Thread Harlan Carvey
Oscar, > This issue has been discussed in pentest list. Take > a look at: I don't think the issue is that it's been discussed, more that it hasn't been really resolved/addressed. Take a look at the post you linked to, specifically: "I think turning off auto-run is a REALLY good idea." Accor

Re: [Full-Disclosure] USB Auto run function

2004-06-17 Thread Harlan Carvey
> I have been interested in a potential exploit that > may or may not be an > issue, I read lately that a potential malicious file > could enter a system > via a USB Memory stick with a structured autorun.pif > , and this file would > operate even if the screen lock is activated . This is an i

Re: [Full-Disclosure] antivirus and spyware scanning

2004-06-15 Thread Harlan Carvey
> I think it is very useful to scan a windows machine > from viruses while having that machine booted to > linux. This pretty much ensures that you will find > all the virii on that system. Not necessarily. You'll have to update the virus signatures on your CD distribution prior to scanning, an

Re: [Full-Disclosure] !! Internet Explorer !!

2004-06-11 Thread Harlan Carvey
>Yesterday i was visiting web sites. so i felt > my computer slow. and that time i shutdown my > computer and go somewhere. now today i restarted my > computer and when i open internet explorer i got Web > Page. Which i didn't SET. and now i am not able to > write www.anydomain.com . when i

Re: [Full-Disclosure] tvm.exe / poll each.exe / blehdefyreal toolbar

2004-06-09 Thread Harlan Carvey
Mark, > The idea here is to learn something from it. > Reformatting the system is > a good idea, but before that takes place it'd be > nice to learn what the > thing actually is and how it works. "Once you understand the nature of a thing, you know what it's capable of." - Blade > This thing r

Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Harlan Carvey
Bill, From your post, you don't seem to have a great deal of detailed information to share about this issue... > The virus works on port 443. Wouldn't it then be, by definition, a worm? > It seems to accept inbound connections on that > port as well and, presumably, awaits for commands > fro

Re: [Full-Disclosure] anyone seen this worm/trojan before?

2004-06-03 Thread Harlan Carvey
Josh, I tried to download the archive, and McAfee alerted me to "W32/Sdbot.worm.gen.g". From: http://www.sophos.com/virusinfo/analyses/w32sdbotcf.html "W32/SdBot-CF spreads to other computers on the local network protected by weak passwords." > I found this worm/ trojan on a laptop. Ran FPort

Re: [Full-Disclosure] anyone seen this worm/trojan before?

2004-06-03 Thread Harlan Carvey
Josh, > I would like to know the attack vectors. I'm > guessing LSASS. If you don't know what the worm is, what would lead you to guess that the infection vector is LSASS? Is there some other piece of information that you're not sharing?

Re: [Full-Disclosure] Cleaning viruses from netware

2004-06-01 Thread Harlan Carvey
Gadi, For the sake of the list, would you be willing to share the answer you received? --- Gadi Evron <[EMAIL PROTECTED]> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Dowling, Gabrielle wrote: > > | A certain mass mailer that infected a netware > environment? And you > have a b

RE: [Full-Disclosure] Vendor casual towards vulnerability found in product

2004-05-26 Thread Harlan Carvey
> >> Perhaps. What is the real risk of destroying > >> configuration files, if backups are being made? > They restore from backup, someone erases them again, > they restore, someone erases again, they restore... Right, I understand that. However, as a consultant, I've seen places where increme

Re: [Full-Disclosure] Vendor casual towards vulnerability found in product

2004-05-26 Thread Harlan Carvey
Steven, One bit of advice...to quote Morpheus, "welcome to the desert of the real." > 1. Would an exploit like this be said to be severe? Perhaps. What is the real risk of destroying configuration files, if backups are being made? > 2. Is the vendor right in their approach to this > issue?

Re: [Full-Disclosure] Cisco's stolen code

2004-05-25 Thread Harlan Carvey
m5x, As with most public forums, you've missed the point... --- madsaxon <[EMAIL PROTECTED]> wrote: > At 10:45 AM 5/25/2004 -0700, Harlan Carvey wrote: > > >Valdis, > > > >I sincerely hope that you do not presume to speak > for > >everyone... > &

Re: [Full-Disclosure] Cisco's stolen code

2004-05-25 Thread Harlan Carvey
Valdis, I sincerely hope that you do not presume to speak for everyone... --- [EMAIL PROTECTED] wrote: > On Tue, 25 May 2004 11:28:19 EDT, Brian Toovey > <[EMAIL PROTECTED]> said: > > > if whitehats dont audit the code, who will? I > find your response more > > ignorant. > > Whitehats won't

Re: [Full-Disclosure] I Got Hacked. Now What Do I Do?

2004-05-19 Thread Harlan Carvey
I have to apologize, as I didn't see the original post in my inbox...could someone forward it to me? > > Now one can't trust somewhat 50% of all Microsoft > Computers. > > you trusted that many before? :) > > Honestly though, it isn't a total writeoff. > > Your data may well have been compromis

Re: Re[2]: [Full-Disclosure] Sasser author

2004-05-13 Thread Harlan Carvey
Thierry, > SvGs> I'm stupid, yes, > And you will be fined if you report it to the > police. whoops. You're saying that it's against the law to be stupid in Germany? Just tell all those people to come to the US and run for Congress... ;-) See, we reward stupidity w/ promotions!

Re: [Full-Disclosure] Support the Sasser-author fund started

2004-05-13 Thread Harlan Carvey
Micah, > I wonder if people forget the liability that any > organization inherits if > they do NOT maintain an above-standard protection > scheme for their network/hosts. What kind of liability are you talking about? Social? I'm not aware of any legal liability that's been tested here in the US

Re: [Full-Disclosure] Sasser author

2004-05-13 Thread Harlan Carvey
Rodrigo, Please go back and re-read my post...particularly: "And yeah, I know about the dial-up and VPN issues, but there are designs that protect against infections there, as well. Perhaps after all these years of publishing "best practices", maybe the victims would stop...well...being victim

RE: [Full-Disclosure] Sasser author

2004-05-13 Thread Harlan Carvey
Serge, I agree with you, as well...but I think at some point, we (and by "we", I mean the CxOs responsible to the Boards of companies for the operation and function of those entities...) really need to start heeding "best practices". The Principle of Least Privilege wasn't something that just spa

RE: [Full-Disclosure] Sasser author

2004-05-13 Thread Harlan Carvey
Come on, Larry... The first thing in the MS bulletin about Sasser is "enable a firewall"...block the port. Slammer was the same way. And yeah, I know about the dial-up and VPN issues, but there are designs that protect against infections there, as well. Perhaps after all these years of publish

Re: [Full-Disclosure] Sasser author

2004-05-13 Thread Harlan Carvey
Earl, I agree...to a point. Sasser violates poorly designed/implemented network infrastructures. > Let's be clear. Sasser violates networks and causes > grief. It is > wrong. Put him in jail.

RE: [Full-Disclosure] Calcuating Loss

2004-05-11 Thread Harlan Carvey
's pathetic, but it's the way that many companies > operate. > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > Behalf Of Harlan > Carvey > Sent: Tuesday, May 11, 2004 08:38 > To: Full-Disclosure > Cc: Clint Bodungen > Subje

Re: [Full-Disclosure] Calcuating Loss

2004-05-11 Thread Harlan Carvey
> So let's say (hypothetically) someone hacks a > company's network. Let's say > the hack is internal (as opposed to external). The > company detects the > hack (let's say) and runs down to the suspected > cubicle and ...does what? > Well, if they're smart they have an in-house team > (or outs

Re: [Full-Disclosure] Calcuating Loss

2004-05-11 Thread Harlan Carvey
Clint... Two words..."testing process". What happened to that? Don't tell me you're installing patches directly to production systems... --- Clint Bodungen <[EMAIL PROTECTED]> wrote: > How about when Micro$oft releases a bundled patch > (cough cough MS04-011) to > fix several bugs and security

Re: [Full-Disclosure] Calcuating Loss

2004-05-11 Thread Harlan Carvey
Michael, To quote Morpheus..."welcome to the desert of the real." Perhaps more appropriately...to quote Neo..."There is no spoon." How does the industry "calcuate" [sic] loss? Yes, that's a very interesting question. Removing a script mapping from IIS at install time as part of a configuration

Re: [Full-Disclosure] Psexec on *NIX

2004-05-06 Thread Harlan Carvey
any of the r* services...rlogin, rexec, rshell? http://csrc.nist.gov/publications/nistpubs/800-7/node129.html --- Chris Carlson <[EMAIL PROTECTED]> wrote: > This has probably come up before, but does anyone > know of a *nix utility > similar to psexec[1] to execute commands on remote > windows sy

Re: [Full-Disclosure] Use of Brutus

2004-05-05 Thread Harlan Carvey
Chris, Just out of curiosity, what did the author say when you contacted him about this issue? --- Chris Sharp <[EMAIL PROTECTED]> wrote: > Hi all, > > I've been trying for some time now to use Brutus > (BrutusA2.exe) to help with an internal review of > the security of the user passwords for

Re: [Full-Disclosure] re: Winfix3.exe file information

2004-05-05 Thread Harlan Carvey
I am one of the people who received a copy of the file via my Yahoo inbox. I had Yahoo scan the file before downloading it, and it identified the malware. I've sent this information to Stacey, and might suggest that perhaps the anti-virus software used needs to be updated. >> Stacey Katz <[EMAI

RE: [Full-Disclosure] I'm looking for information about a file called winfix3.exe

2004-05-04 Thread Harlan Carvey
Jon, Interesting info...did you happen to read it? The posts seem to indicate that someone else found this process running, but was not able to locate an executable image (the actual binary file). However, in the case of the OP (original poster), there should be an executable image file available.

Re: [Full-Disclosure] I'm looking for information about a file called winfix3.exe

2004-05-04 Thread Harlan Carvey
Stacey, It would seem that if you have a copy of the file, you would be the one to be able to provide information about it. You have to remember, you can't necessarily expect to find much if you're searching based on filename alone, as that's probably the most easily altered thing about a file.

Re: [Full-Disclosure] A rather newbie question

2004-05-03 Thread Harlan Carvey
> While I think you have a point I also think Ethan > has one too. It is important > to remember that users are generally clueless and/or > unconcerned with > security. Of course I'm grossly generalizing but I > think you get my point. Yes, I can agree with that...I do get the point. But who a

RE: [Full-Disclosure] A rather newbie question

2004-05-03 Thread Harlan Carvey
Ethan, > I just wanted to point out that this is probably the > no.1 security fallacy I hear among my endlusers. Having done vulnerability assessments for a long time, one of the biggest issues I run up against is admins who refer to users as "lusers". Funny joke, yeah, but a lack of discretion

Re: [Full-Disclosure] morning_wood is really a blackhat

2004-05-03 Thread Harlan Carvey
Moderation also cuts down on useless noise, as well... --- Sebastian Krahmer <[EMAIL PROTECTED]> wrote: > On Fri, 30 Apr 2004, Kurt Seifried wrote: > > > Just a note to all I run a moderated subset of > this and several other lists, > > which averages 20 messages a day or so. > > > > > http://li

RE: [Full-Disclosure] Top 15 Reasons Why Admins Use Security Scanners

2004-04-28 Thread Harlan Carvey
> > Question: Should admins be using security > scanners? > > Someone should be. Admins should be to confirm that > their environment is in > the state that they believe it to be. I guess we'll have to agree to disagree. In my experience, the guy who set a system up shouldn't be the one to in

RE: [Full-Disclosure] Top 15 Reasons Why Admins Use Security Scanners

2004-04-28 Thread Harlan Carvey
And you know something, Chris...that's fine. Really. I just left a position in the private sector w/ a company that was audited over a dozen times a year by various customers. Even their external auditors (ie, *not* customers) were clueless when it comes to IT or security. One audit did includ

RE: [Full-Disclosure] Top 15 Reasons Why Admins Use Security Scanners

2004-04-28 Thread Harlan Carvey
Just some things to think about... > Top 15 Reasons Why Admins Use Security Scanners Question: Should admins be using security scanners? > This list has been compiled by emailing various > Security/Admin lists... > Anyone care to offer their input - add to the list? > > -Am I sure that I have f

RE: [Full-Disclosure] no more public exploits and general PoC guidelines

2004-04-27 Thread Harlan Carvey
Well, then the hole you get stuck in with that particular situation is systems going unpatched, b/c there is no exploit for the vulnerability. A company I used to work for was that way. Regardless of what security strongly recommended, patches weren't being installed in a timely manner...largely

RE: [Full-Disclosure] Security Sites

2004-04-23 Thread Harlan Carvey
> > > ----Original Message Follows > From: Harlan Carvey <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] > CC: [EMAIL PROTECTED] > Subject: RE: [Full-Disclosure] Security Sites > Date: Fri, 23 Apr 2004 10:32:43 -0700 (PDT) > > > > > I have been lookin

RE: [Full-Disclosure] Security Sites

2004-04-23 Thread Harlan Carvey
> > I have been looking around and haven't found a > very good security forum > > and > > I was wondering if anyone has some ideas. I'm new > to the security field and > > am looking at learning as much as possible. Also > maybe even some more > > mailing lists. I appreciate everyone that posts > h

Re: [Full-Disclosure] FAT32 input > output = null?

2004-04-08 Thread Harlan Carvey
Somehow I get the feeling that this would be a much better world if the "touch morning_wood" command were executed more often... Geez, this has really gotten into the gutter... --- morning_wood <[EMAIL PROTECTED]> wrote: > >executing this at the dos prompt would create a > zero byte m.wood file >

Re: [Full-Disclosure] Training & Certifications

2004-04-03 Thread Harlan Carvey
> I'm not an authority on training as the only > training I've had is SANS, but > I can vouch for the quality of it. Any particular instructors? I find it hard to believe that someone who is an instructor at SANS would endorse tools like inzider. But I do know other instructors that are pretty d

Re: [Full-Disclosure] Training & Certifications

2004-04-03 Thread Harlan Carvey
Robert, First, let me say that I completely understand your need and concern, from a sales perspective. > What we're doing is porting customers from > consultancy by one person to a > new, larger business owned by that person as a > growth move. We're > "inheriting" three small (~150 seat) co

Re: [Full-Disclosure] Training & Certifications

2004-04-02 Thread Harlan Carvey
> Without the experience behind the cert, any and all > certs aren't even worth the paper they're printed on. This is true, and I couldn't agree more. However, the thing about certs is that they have to be measurable and repeatable...which, when one becomes popular, very quickly leads to boot

Re: [Full-Disclosure] Possible Comprimised IIS 5 on Win2k help

2004-03-24 Thread Harlan Carvey
Ben, > Some useful info for beginners is here: > No Stone Unturned: Part One > http://www.securityfocus.com/infocus/1550 Thanks for the reference, from the author... ;-)

Re: [Full-Disclosure] Counter-Attacking hackers? Is this really a good idea?

2004-03-08 Thread Harlan Carvey
> Are these guys nuts? I'm not sure if this is a good > idea or not. Oddly enough, this *has* been discussed...at length. That doesn't mean that it's not worth discussing more... Check this stuff out: http://www.hammerofgod.com/strikeback.txt Check out the "Strikeback" and "Right to defend"

RE: [Full-Disclosure] Looking for a tool

2004-03-04 Thread Harlan Carvey
> ok i was not speculating, this process is a win32 > service. these types of images cannot be stopped by > an admin from the process manager, they have to be > stopped from the services mmc under the > administrative tools in control panel. > > since this is exactly what the first post described
