Re: [Full-disclosure] DoS via tables corruption in WordPress (Timothy Goddard)

Hello,

I would add my question. I'm installing WP and MySQL for it. I installed accounts and MySQL hashed passwords. So, it's secure. However, the WP config file uses a clear-text password to communicate with MySQL. The config file will most likely stay as 755 on my Linux box. So, am I missing a WP option to use the hash instead of clear text? Old-time issue, but I was a bit surprised.

Mikhail

--

Message: 3
Date: Wed, 12 Feb 2014 09:03:57 +1300
From: Timothy Goddard t...@goddard.net.nz
To: na...@wordpress.org, mustl...@websecurity.com.ua
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] DoS via tables corruption in WordPress
Message-ID: 0fe1t861gpkc4pjywt176h95.1392149037...@email.android.com
Content-Type: text/plain; charset=utf-8

I agree that the DoS part is vague and not a vulnerability in WordPress. However, my question would be:

* Will an error running a database statement lead to WordPress showing the install process to visitors?
* What additional privileges do they then have?
* Could this cause a non-exploitable db bug to become exploitable?

If the answers there lean towards yes, lots and yes, then some mitigation is called for.

Sent from Samsung Mobile

-------- Original message --------
From: Andrew Nacin na...@wordpress.org
Date:
To: MustLive mustl...@websecurity.com.ua
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] DoS via tables corruption in WordPress

On Mon, Feb 10, 2014 at 8:02 AM, MustLive mustl...@websecurity.com.ua wrote:

> There is DoS vulnerability in WordPress,
> <snip>

As pointed out by others, this is unbearably vague. But it's also invalid. Your attack requires that a maintenance script to repair tables is left open for anyone to access. The constant that you point out must be set, WP_ALLOW_REPAIR, is only there so a user can access this script, run the script, then remove the constant (as the script instructs). Your suggestion appears to be to validate the logged-in user. But because this script is to fix a *corrupt database,* we would have no way of authenticating users. Thus, the script is instead secured by a temporary configuration change.

Aris mentions he experienced corruption in his own WordPress setup. It's most likely the options table simply crashed, not as a result of any particular exploit. This is, after all, why MySQL has a REPAIR command (and why we have a script for users to use).

I have read through quite a few of your attacks against WordPress core, but I don't recall ever reading a valid one. Perhaps for WordPress issues you should switch from full disclosure to a more responsible course of action, such as contacting us first (secur...@wordpress.org) so we can evaluate it. I understand the general appeal of full disclosure, but when all you're doing is publishing invalid vulnerabilities, it's only spreading FUD and also making it tough for others to take any of your attacks seriously. This mailing list would probably appreciate the higher signal-to-noise ratio.

Regards,
Andrew Nacin
Lead Developer
WordPress

--

Message: 4
Date: Tue, 11 Feb 2014 20:18:50 -0200
From: William Costa william.co...@gmail.com
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Reflected XSS Attacks vulnerabilities in DELL SonicWALL Universal Management Suite v7.1 (CVE-2014-0332)
Message-ID: caommdvssrm9lrcob6_o1vmgjfq5om4ctrprq6o4o6+4stny...@mail.gmail.com
Content-Type: text/plain; charset=iso-8859-1

I. VULNERABILITY
Reflected XSS Attacks vulnerabilities in DELL SonicWALL Universal Management Suite v7.1

II. BACKGROUND
Dell(R) SonicWALL(R) provides intelligent network security and data protection solutions that enable customers and partners to dynamically secure, control, and scale their global networks.

III. DESCRIPTION
A Reflected XSS vulnerability has been detected in DELL SonicWALL Universal Management Suite. The code injection is done through the parameter node_id in the page /sgms/mainPage?page=genNetwork&screenid=1002&manager=ScreenDisplayManager&level=1&node_id

IV. PROOF OF CONCEPT
The application does not validate the parameter node_id correctly.
https://ip_gms/sgms/mainPage?page=genNetwork&screenid=1002&manager=ScreenDisplayManager&level=1&node_id=a;<script>alert(document.cookie);</script>&screenid=1002&unused=&help_url=&node_name=Instance View&unitType=1&searchBySonicwall=0

V. BUSINESS IMPACT
An attacker can execute arbitrary HTML or script code in a targeted user's browser, that allows the execution of arbitrary HTML/script code to
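On Mikhail's question and Andrew Nacin's answer above: WordPress has to present the real password to MySQL, so wp-config.php cannot hold a hash and the control is the file's permissions; and WP_ALLOW_REPAIR is meant to be removed once the repair script has been run. The following audit is an added example, not code from WordPress or from anyone in the thread; the finding texts and the function names audit_wp_config and audit_file are my own.

```python
# Added example: audit a wp-config.php for (a) permission bits that expose the
# clear-text DB_PASSWORD to other local accounts and (b) a WP_ALLOW_REPAIR define
# that was left in place after the repair script was used. Not WordPress code.
import os
import re
import stat
import sys

# define('WP_ALLOW_REPAIR', true); in either quote style, any spacing or case.
# Anchoring at the start of the line skips copies commented out with // or #.
REPAIR_RE = re.compile(
    r"""^[ \t]*define\s*\(\s*['"]WP_ALLOW_REPAIR['"]\s*,\s*true\s*\)""",
    re.IGNORECASE | re.MULTILINE,
)
# define('DB_PASSWORD', '...'); capturing the quote style so the value is matched
# up to the same closing quote.
PASSWORD_RE = re.compile(
    r"""^[ \t]*define\s*\(\s*['"]DB_PASSWORD['"]\s*,\s*(['"])(.*?)\1\s*\)""",
    re.IGNORECASE | re.MULTILINE,
)


def audit_wp_config(text, mode):
    """Return a list of findings for a wp-config.php body and its permission bits.

    text: the file contents; mode: permission bits as in os.stat (e.g. 0o755).
    """
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable: DB_PASSWORD is exposed to every local account")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group- or world-writable: config can be altered by other users")
    if REPAIR_RE.search(text):
        findings.append("WP_ALLOW_REPAIR is still enabled: the repair script stays reachable without authentication")
    match = PASSWORD_RE.search(text)
    if match is None:
        findings.append("DB_PASSWORD define not found")
    elif match.group(2) == "":
        findings.append("DB_PASSWORD is empty")
    return findings


def audit_file(path):
    """Audit a real wp-config.php on disk; the mode comes from os.stat."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return audit_wp_config(text, mode)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-config.php"
    for finding in audit_file(target) or ["no findings"]:
        print(finding)
```

A 755 file, as in the question, yields the world-readable finding; 640 with the define commented out yields none.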
[Full-disclosure] : EE BrightBox router hacked - bares all if you ask nicely

Hello list,

Understanding of cultural differences is not racism. It is understanding and appreciation of the diversity of our World. So, I would not be apologetic about mentioning that a country's culture affects software development. Culture is a very broad term that explains not only how people eat or pray but also how they think, how they understand governing (i.e. the management process), and what the background of their technical education is. I'm of Russian origin (see my full name) and know what is good in Russian culture concerning its utilization in technical processes (like software development) and what is not. Russian culture surfaces in this country in every technical sphere, from construction to computers.

Take a look at the history of China and India and what has been invented there in the last four to five centuries. None. Neither country had a normal industry in the last two hundred years, and thus no technical background for normal technical education. Both countries started developing a technical culture around 1980 - 1990. I have seen myself very bad software development, done for one of the major US banks by a development team from India (actually working in the US). And the problem was not having numerous random bugs, but a design completely outside common technical sense, not the coding. I have multiple examples of that.

Should we blame people for poor education and the lack of technical culture? Of course not. We just need to understand that upper-level US business management has been ignorant and still is, and tries to exploit people without giving them a chance for step-by-step development of a modern technical culture. The result is insecure software, and we get a lot of fun and work in security research. Management gets money, we get fun. A kind of profit sharing ...

Sorry for following up on the post and being a bit off the list topic. However, we sometimes should discuss things leading to insecurity.

Mikhail Utin, CISSP, PhD

--

Message: 1
Date: Thu, 16 Jan 2014 12:00:18 +0100
From: Źmicier Januszkiewicz ga...@tut.by
To: gold flake ptinstruc...@gmail.com
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] EE BrightBox router hacked - bares all if you ask nicely
Message-ID: CAH72vigvpAwSQU6ncMwO8EfD7k4xGT8BAsiR=kd-e+fbaqq...@mail.gmail.com
Content-Type: text/plain; charset=UTF-8

No sir, I believe I should have been more explicit at that than I was -- I did not mean to say it is about nationalities. What I meant was a simple matter of development costs when hiring personnel, and I think you won't argue that a developer in the UK costs less than a developer in e.g. China or Pakistan, or Poland, or Belarus for that matter, will you? It doesn't have anything to do with their culture at all, and this point is proven by businesses hiring more and more from those countries, simply because it is cheap.

Please do not try to find any point to start an "is this because I'm {insert something here}" thread -- there was no intention to hurt anyone, and I did mean no offense to any of the people of whatever race, nationality, or sexual preferences, or whatever else, and I apologise if it sounded like that. Let's abstract from whatever is used to differentiate between social groups and concentrate on costs and expenses alone, alright?

CONFIDENTIALITY NOTICE: This email communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please reply to the sender immediately or by telephone at (617) 426-0600 and destroy all copies of this communication and any attachments. For further information regarding Commonwealth Care Alliance's privacy policy, please visit our Internet web site at http://www.commonwealthcare.org.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [CVE-2013-6986] Insecure Data Storage in Subway Ordering

Hello,

I'm on your side. You are right in both how you are handling the case and your conclusion. They failed in a few business aspects, thus they are responsible for the outcome. After all, the legal side of our work is not less important than the IT and InfoSec technologies we use.

Good luck
Mikhail Utin, CISSP, PhD

_

Today's Topics:

1. Re: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application (Daniel Wood)

--

Message: 1
Date: Tue, 17 Dec 2013 16:13:03 -0600
From: Daniel Wood daniel.w...@owasp.org
To: Full Disclosure Mailing List full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application
Message-ID: 5e0b8213-d336-4d52-9c44-2fbe93115...@owasp.org
Content-Type: text/plain; charset=windows-1252

I would like to point out that the statements made in the emails from mikken.tut...@intersecworldwide.com are untrue at best, defamatory at worst. I am not going to lambast Jeff, Mikken, or Intersec Worldwide - but I will defend myself. Normally I would not respond to something like this in a public forum, however, Intersec Worldwide has forced my hand due to their untrue statements.

I never signed a Non-Disclosure Agreement with Intersec Worldwide when I started my contracting work for them. Now that's not to say I am going to start publishing all the vulnerabilities of their clients, far from it. I am stating this because prior to this email going out, I was called by Jeff Tutton the "CISO" about the matter. We talked briefly for about 10 minutes on Wednesday, December 11, 2013. During this phone call I mentioned the fact that no NDA had been signed. He said he would look into this and work with his client on the matter regarding the vulnerability disclosure. I never heard back from him or anyone at Intersec Worldwide after this.

I emailed Jeff/Intersec this morning when I saw Fyodor's post and Mikken's/Intersec email alleging I violated their NDA. I gave Jeff/Intersec until EOB today to provide the original email with the signed NDA I sent to them, however, I have yet to receive this. I asked for a copy of the allegedly signed NDA last week as well. Failure to provide a legitimate copy of my sent email with a signed NDA proves to me that they forgot to have me sign an NDA. I should not be held liable for a lapse in their own processes. If they are able to come up with a legitimate copy of the signed NDA and email with legitimate email headers - I will gracefully apologize - which won't occur since I did not sign such a document.

In this email, I also informed Jeff that I am terminating my 1099/contractor agreement with Intersec Worldwide effective immediately. Due to the mention of legal action in their email, I have now retained the services of an attorney and will be ready to see this matter to a close.

Instead of focusing on the fact that information was disclosed after they had 6+ months to fix the vulnerability, they should be focusing on the positive aspect that they were able to fix the vulnerability and that it does not affect their product's current release version.

- Daniel Wood

On Dec 16, 2013, at 4:50 PM, Fyodor fyo...@nmap.org wrote:

> On Fri, Dec 6, 2013 at 8:07 PM, Daniel Wood daniel.w...@owasp.org wrote:
>
> > Title: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application
> > Reported to Vendor: May 2013
> > CVE Reference: CVE-2013-6986
>
> Apparently you touched a nerve! If the legal threats we received for archiving this security advisory on SecLists.org are any indication, ZippyYum really doesn't want anyone to know they were storing users' credit card info (including security code) and passwords in cleartext on their phones.
>
> "Please remove this information from your website immediately in order to avoid further legal action."
> --Mikken Tutton, CEO of ZippyYum client IntersecWorldWide
>
> Of course we have ignored the threats and kept the advisory proudly posted at:
> http://seclists.org/fulldisclosure/2013/Dec/39
>
> Here are the legal threats we received today and last Wednesday:
>
> -- Forwarded message --
> From: Mikken Tutton mikken.tut...@intersecworldwide.com
> Date: Mon, Dec 16, 2013 at 1:33 PM
> Subject: Fwd:
> To: jo...@grok.org.uk, fyo...@nmap.org, hostmas...@insecure.org
>
> Dear Webmaster,
>
> We contacted you last week regarding some private information about our client that you have posted on your website, in violation of Non-Disclosure agreements we have in place with our customer Zippy Yum. We are requesting that this information be removed immediately. The information to which I am referring is located on this page of your website
Re: [Full-disclosure] Where are you guys standing re: the (full) disclosure

Answers:

1. Whether you are right and there is a bug, let the vendor (M$) know; that is ethical. They will decide whether to consider your finding a bug. Your following steps depend on their opinion of the finding.

2. If you keep it for yourself - no problems. If you disclose on the Internet before informing M$, there is a certain risk, but first of all it is not ethical. If you sell it as an exploit, and it will be widely used as a 0-day, then it might be a hunt for your head with some bounty (you are not really breaking a law, as I wrote below, but an angry government may find something suitable for you). So, you need to consider the risks and how to hide your identity. If you found the bug without breaking MS code and without accessing a computer illegally, you do not break any formal law. Breaking MS code may be considered a violation of their property rights, but MS guys should be really angry to pursue such a case. As you describe, you did not do anything illegal, and releasing the finding is up to you, again - ethics.

3. It will make you a star, but not shining brings more risks.

In short - inform M$ first and wait for what they say. If they do not agree - you are free to go.

-----Original Message-----
From: Full-Disclosure [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of full-disclosure-requ...@lists.grok.org.uk
Sent: Friday, December 13, 2013 7:00 AM
To: full-disclosure@lists.grok.org.uk
Subject: Full-Disclosure Digest, Vol 106, Issue 12

--

Humans, Dwarves, Elves, Fairies and all free folk on this list: Meli Kalikimaka.

I think I found a relatively small bug with Windows Server running DNS with recursion turned off, that still allows the server to be used for DDOS amplification attacks. There are a sizable number of these on the net, and I do not think operators realize that the server is not totally silent with recursion turned off. I want to put my findings here on the list, as well as on my blog, but I am unsure if:

1. should I tell MS first?
2. being this is possibly my first bug as a researcher, will this get me into trouble (legal or otherwise)?
3. will this make me a rock star?

I have details on the bug, as well as remediation steps. I would not say I discovered it per se, as I found it while studying an attack on a network I protect, but I do not see it documented anywhere either.

What say you, Wise List Readers?
Re: [Full-disclosure] Full-Disclosure Digest, Vol 95, Issue 15 - Aaron Swartz death

Message: 2
Date: Mon, 14 Jan 2013 11:02:26 -0500
From: Jeffrey Walton noloa...@gmail.com
Subject: Re: [Full-disclosure] petition to remove Aaron Swartz prosecutor
To: richa...@fastmail.fm
Cc: full-disclosure@lists.grok.org.uk
Message-ID: cah8yc8m+7dvauyapzfapm6bbh8xezmq7p_hoxfvntpqv3ew...@mail.gmail.com
Content-Type: text/plain; charset=UTF-8

On Mon, Jan 14, 2013 at 10:34 AM, richa...@fastmail.fm wrote:

> https://petitions.whitehouse.gov/petition/remove-united-states-district-attorney-carmen-ortiz-office-overreach-case-aaron-swartz/RQNrG1Ck
>
> Above link to remove this prosecutor needs to have signatures by February 11.

It's unfortunate Swartz committed suicide over the incident.
http://www.latimes.com/news/obituaries/la-me-0113-aaron-swartz-20130113,0,5232490.story

Jeff

--

This is a tragedy caused by the pressure from US authorities. Getting (or facing) the same imprisonment as a killer (I consider 50 years the same as life in prison) is absolutely unfair. He paid the ultimate price for what he believed in. There is no depression in such cases, it is pure pressure coming from the situation he got into and the authorities handling the case. He should be respected for what he believed and what he paid for.

As my common sense tells me, copying articles is not stealing. The 5,000,000 in MIT's possession were very likely already published papers, thus public domain. If I come into a library, take a book and copy it, there is no crime in such activity. I do not get a profit, and neither have I caused any damage to any person. Unfortunately, US authorities like such high-profile cases very much. If prosecuted, a person gets pretty tough imprisonment, and the guy who handled the case a few more stars. Personal career advancement is the real reason for their efforts, not the protection of private property rights.

Regards
Mikhail
Re: [Full-disclosure] how to sell and get a fair price

In general practice, wherever you would like to publish, the publisher will ask for copyright rights. Thus, a site publishing exploits can do the same and thus may protect the rights of the author, well, together with its own ones. After all, my idea was about a fair sale, and that could require release of rights to the mediator/auctioneer.

Somebody, I would bet, is having a fair thought: buddy, would you do your idea? I need to say frankly that I do not plan to. I'm stretched by my current http://www.201cmr1700ma.com and its very likely extension. But feeling the unfairness, I will be glad to support and devote some time.

Regards
Mikhail

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Monday, January 14, 2013 4:17 PM
To: Valdis Kletnieks
Cc: Mikhail A. Utin; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] how to sell and get a fair price

Valdis, we've had spam companies suing blacklist/antispam companies before... Surely an anonymous person legitimately and legally enforcing copyright can't be harder?

On Mon, Jan 14, 2013 at 9:39 PM, valdis.kletni...@vt.edu wrote:

> On Thu, 10 Jan 2013 12:03:03 -0500, Mikhail A. Utin said:
>
> > After all, a vulnerability and an exploit are intellectual products. Not sure copyright could be claimed, but why not?
>
> Actually, claimed or not, if the exploit was coded in a Berne signatory country, it's almost always automatically copyrighted at creation (most likely to the coder, or to their employer if it was a work-for-hire). In the US, there's an exemption for work product of federal employees - that's one of the few ways for US-produced material to become public domain (expiration of term is the other one, but with ever-increasing copyright terms, it's unclear that anything will ever actually expire in the US).
>
> More interesting is the question of how to enforce a copyright claim while remaining anonymous...
[Full-disclosure] how to sell and get a fair price

List,

Here is the link to the Information Security Magazine issue with "Market for vulnerability information grows - Cashing in on zero-day exploits" for your information. I once shared my idea that ZDI is not the right way to go. It should be a marketplace (web portal) for selling vulnerabilities based on an auction price. Like eBay. That would be the place to get a fair price for your hard work and skills. I would like to see HP and MS betting on 0-days. After all, a vulnerability and an exploit are intellectual products. Not sure copyright could be claimed, but why not?

http://www.bitpipe.com/data/demandEngage.action?resId=1354307828_722

Enjoy
Mikhail
Re: [Full-disclosure] :Re: [OT] How much a million facebook

It looks like initial research before writing a business plan and looking for venture capital investment. I'll think about reserving some funds for it :-)

Mikhail Utin, CISSP

--

Message: 10
Date: Thu, 1 Nov 2012 00:37:13 +0530
From: Memory Vandal memvan...@gmail.com
Subject: Re: [Full-disclosure] [OT] How much a million facebook passwords would cost?
To: Georgi Guninski gunin...@guninski.com
Cc: full-disclosure@lists.grok.org.uk
Message-ID: CAEcxYF=ywtcs8j1h-kpwqp5packmcxdynvyyo1t3u6inj1r...@mail.gmail.com
Content-Type: text/plain; charset=ISO-8859-1

You buying or selling?

MemoryVandal

On Wed, Oct 31, 2012 at 10:03 PM, Georgi Guninski gunin...@guninski.com wrote:

> We are discussing this question:
> How much a million facebook passwords + lusernames would cost?
Re: [Full-disclosure] Full-Disclosure Digest, Vol 92, Issue 34 - 1. Microsoft Windows Help program (WinHlp32.exe) memory

The normal way of doing security research business (for normal people, of course) is to inform the vendor and discuss the issue. I would not describe further steps as they are well known. Kaveh Ghaemmaghami aka (coolkaveh) is either driven by his/her ego or never read this list's posts. Or both.

Mikhail Utin, CISSP

-----Original Message-----

Today's Topics:

1. Microsoft Windows Help program (WinHlp32.exe) memory corruption (kaveh ghaemmaghami)
2. Microsoft Paint 5.1 memory corruption (kaveh ghaemmaghami)

**

Hello list! I want to warn you about Microsoft Windows Help program (WinHlp32.exe) memory corruption

Best Regards
Kaveh Ghaemmaghami aka (coolkaveh)
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of full-disclosure-requ...@lists.grok.org.uk
Sent: Thursday, July 12, 2012 4:40 AM
To: full-disclosure@lists.grok.org.uk
Subject: Full-Disclosure Digest, Vol 89, Issue 15

Send Full-Disclosure mailing list submissions to full-disclosure@lists.grok.org.uk

I've had a very similar case of downloading software and getting malware. I just wanted to get it fixed, so whether it was a virus, or worm, or rootkit I do not know. Symptoms were disabled Windows Update and Windows networking. TCP in general worked. I found malicious files (just a few) using one of the security tools running under a Linux CD-bootable to check the consistency of Windows files. First I tried three AV systems (F-Secure, Kaspersky and Symantec), but they were useless. Finally, from Linux I was able to find files having inconsistent attributes, as far as I remember - the size and modification date.

Nothing in particular, but: AV systems identify less than 90% of malware (both forward and backward tests), when downloading freeware stuff a virtual machine is the best option, and if Windows screws up right after installing freeware, it is obvious what the reason is.

Mikhail

--

Message: 1
Date: Thu, 12 Jul 2012 00:46:33 +0300
From: Alexandru Balan jay...@gmail.com
Subject: Re: [Full-disclosure] suspicion of rootkit
To: phocean 0...@phocean.net
Cc: full-disclosure@lists.grok.org.uk, valdis.kletni...@vt.edu
Message-ID: c0574ee4-8509-4ff4-ab60-565d0a256...@gmail.com
Content-Type: text/plain; charset=iso-8859-1

Tried checking it with an AV? http://quickscan.bitdefender.com

On Jul 12, 2012, at 12:06 AM, phocean wrote:

> The machine is Windows XP SP3, quite up-to-date, but not fully. Except that Windows Update is not working anymore. One of the symptoms.
>
> I described the issues there:
> http://www.phocean.net/2012/06/30/rootkit-in-my-lab.html
> http://www.phocean.net/2012/07/11/rootkit-in-my-lab-part-ii.html
>
> You will see why some symptoms make me think about a rootkit. You are right, it could be some Windows being messed up. But it actually happened on a pretty fresh install: I finished setting up XP and tens of analysis tools (I aimed this box to be my fresh reversing system). So even if possible, it sounds strange that a machine gets corrupted so quickly. And of course, I suspect some of these tools, got from multiple downloads. At last, I could analyse them one by one of course, but there are many so it would be painful (and I am not sure that I kept all setups).
>
> ---
> phocean
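The offline check Mikhail describes, finding Windows files whose content and modification date no longer agree, done from a Linux boot medium where a live rootkit cannot hide them. This is an added example, not the unnamed tool from the thread; it assumes you have a manifest taken from a known-good copy of the same Windows build (a clean install, or the same machine before the freeware went on), and the function names build_manifest, compare and suspicious are my own.

```python
# Added example: snapshot a mounted volume into a manifest of (size, mtime, sha256)
# per file, then diff two manifests. The verdict the thread is about is a file
# whose hash changed while its mtime did not: a normal update never does that.
import hashlib
import json
import os
import sys


def file_record(path):
    """Size, modification time and SHA-256 of one file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def build_manifest(root):
    """Map every regular file under root (path relative to root) to its record."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            try:
                manifest[os.path.relpath(path, root)] = file_record(path)
            except OSError:
                continue  # unreadable or vanished mid-walk; skip rather than abort
    return manifest


def compare(baseline, current):
    """Classify every difference between two manifests. Returns path -> verdict."""
    verdicts = {}
    for path, new in current.items():
        old = baseline.get(path)
        if old is None:
            verdicts[path] = "added"
        elif old["sha256"] == new["sha256"]:
            if old["mtime"] != new["mtime"]:
                verdicts[path] = "touched (same content, new mtime)"
        elif old["mtime"] == new["mtime"]:
            # Content (and possibly size) differs but the timestamp was preserved:
            # the inconsistency Mikhail found, typical of a tampered system file.
            verdicts[path] = "content changed, mtime unchanged (suspicious)"
        else:
            verdicts[path] = "modified"
    for path in baseline:
        if path not in current:
            verdicts[path] = "removed"
    return verdicts


def suspicious(verdicts):
    """Sorted paths worth a closer look: new files and timestamp-inconsistent ones."""
    return sorted(p for p, v in verdicts.items() if v == "added" or "suspicious" in v)


if __name__ == "__main__":
    # usage: snapshot <mounted-root> <out.json>   or   diff <old.json> <new.json>
    if sys.argv[1:2] == ["snapshot"]:
        with open(sys.argv[3], "w") as fh:
            json.dump(build_manifest(sys.argv[2]), fh)
    elif sys.argv[1:2] == ["diff"]:
        with open(sys.argv[2]) as old, open(sys.argv[3]) as new:
            for path, verdict in sorted(compare(json.load(old), json.load(new)).items()):
                print(f"{verdict:45} {path}")
    else:
        sys.exit("usage: snapshot <root> <out.json> | diff <old.json> <new.json>")
```

Run the snapshot from the boot medium against the mounted Windows volume, never from the suspect OS itself.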
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 11: ] How much time is appropriate for fixing
Dear Paul,

You completely missed my point. I was talking about the foundation of this list, which is free service, and the foundation of a lot of current IT technologies, which is freeware. Giving knowledge for free (including software bugs) is the foundation of this civilization. Having profit is a necessity but not all that drives us. Could you personally show any contribution of yours to society? One which was not paid for? My contribution you can find by searching/googling for my name and article, and the DeepSec 2011 and OWASP AppSec DC 2012 presentations as well. Nobody paid me for it. Plus, you can check our portal www.201cmr1700ma.com, which provides knowledge and security documents for free. Then, considering your association with math science, you can possibly estimate the time I've spent for free. So, my voice for free knowledge distribution is completely legitimate.

Sincerely
Mikhail Utin, CISSP, PhD

-Original Message-
From: paul.sz...@sydney.edu.au [mailto:paul.sz...@sydney.edu.au]
Sent: Tuesday, July 10, 2012 6:41 PM
To: full-disclosure@lists.grok.org.uk; Mikhail A. Utin
Subject: Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 11: ] How much time is appropriate for fixing

Dear Mikhail,

From: Thor (Hammer of God) t...@hammerofgod.com
To: Georgi Guninski gunin...@guninski.com, Stefan Kanthak stefan.kant...@nexgo.de
Cc: full-disclosure@lists.grok.org.uk full-disclosure@lists.grok.org.uk

I'm not contradicting myself at all - in fact, *you* are the exact type of person I'm talking about. You couldn't give a rat's ass about the industry or anyone but yourself. Nothing you have ever done has been valuable to anyone other than you; it has been completely self-serving egotistical bullshit.

I completely agree with Thor. ...

You cannot possibly agree with someone who addresses two people in the singular. You should not agree with someone who ascribes behavioural patterns to others, based on his own character traits. Are you familiar with Georgi's work? Please look at his website before proffering opinions.

Cheers, Paul

Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 11: ] How much time is appropriate for fixing
Hello,

I completely agree with Thor. We have to do something for free. We have to contribute, not just use. Whoever and whatever. Examples:
- This list is run for free (hardware, software, time, energy are used for it) and gives us a chance to communicate
- Most of us use Linux, whichever flavor you prefer. Most of it is free-time contribution. Somebody pays for that, but we use it.

It is nice to be paid for something, but consider the alternative. Otherwise our communications will die and we do not have an OS for fun or profit.

Mikhail Utin

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of full-disclosure-requ...@lists.grok.org.uk
Sent: Tuesday, July 10, 2012 7:00 AM
To: full-disclosure@lists.grok.org.uk
Subject: Full-Disclosure Digest, Vol 89, Issue 11

--
Message: 7
Date: Mon, 9 Jul 2012 17:24:51 +
From: Thor (Hammer of God) t...@hammerofgod.com
Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug?
To: Georgi Guninski gunin...@guninski.com, Stefan Kanthak stefan.kant...@nexgo.de
Cc: full-disclosure@lists.grok.org.uk full-disclosure@lists.grok.org.uk
Message-ID: cc205e3d.3561%t...@hammerofgod.com
Content-Type: text/plain; charset=Windows-1252

I'm not contradicting myself at all - in fact, *you* are the exact type of person I'm talking about. You couldn't give a rat's ass about the industry or anyone but yourself. Nothing you have ever done has been valuable to anyone other than you; it has been completely self-serving egotistical bullshit.
Re: [Full-disclosure] Full-Disclosure Digest, Vol 88, Issue 34 Re: www.LEORAT.com is scam (Thor (Hammer of God))
Whoever from the so-named leoimpact.com: WHOIS brings a fake mailing address of a PO box in the US, and the phone does not belong to leorat either. Just shut up and stop sending fake messages. You are nothing, rats without a name. Not a legal entity.

Mikhail

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of full-disclosure-requ...@lists.grok.org.uk
Sent: Wednesday, June 20, 2012 7:00 AM
To: full-disclosure@lists.grok.org.uk
Subject: Full-Disclosure Digest, Vol 88, Issue 34

2. Re: www.LEORAT.com is scam (Thor (Hammer of God))

--
Message: 2
Date: Tue, 19 Jun 2012 17:39:50 +
From: Thor (Hammer of God) t...@hammerofgod.com
Subject: Re: [Full-disclosure] www.LEORAT.com is scam
To: coderman coder...@gmail.com, full-disclosure@lists.grok.org.uk full-disclosure@lists.grok.org.uk
Message-ID: 58db1b68e62b9f448df1a276b0886df194dfb...@ex2010.hammerofgod.com
Content-Type: text/plain; charset=iso-8859-1

Hey man, that's some serious shit there - it's not a letter, it's a legal letter. Those are more letter than the normal letter. Be afraid!

t

Timothy "Thor" Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of coderman
Sent: Tuesday, June 19, 2012 2:36 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] www.LEORAT.com is scam

On Tue, Jun 19, 2012 at 2:05 AM, Fyodor fyo...@insecure.org wrote:

From: Leo Impact Security,Inc cont...@leoimpact.com
To: fyo...@insecure.org
Subject: subject: http://seclists.org/fulldisclosure/2012/Apr/19 removing

... I am Mark, CISO of Leo Impact Security, some fraud person posted an illegitimate post so please remove asap else we hire a lawyer to send a legal letter on your site.

is this how n3td3v is paying for intarwebs? :o
Re: [Full-disclosure] Full-Disclosure Digest, Vol 88, Issue 11:
My 10 cents:

I'm glad that such discussions happen on this list. I would not consider that as off topic, because Information Security, and security in general, did/do include a significant political component, and we cannot avoid or ignore it. Plus, and it is important as well, it gives us freedom of speech and an ability to better understand each other in this fulldisclosure society of security fans and professionals.

What actually surprises me is that the voice of millions of people is still unheard. The Internet has already been used to change regimes (like in Egypt) for better or worse, but there is no well-known resource, used by everybody, for expressing an opinion. I mean of the magnitude of Google or Wikipedia. I'm surprised that Google still does not have on its default page a big "My Opinion" button. I think that it would be much easier to implement than Maps or other services. I've seen in the past some sites collecting public opinion, but we need such as Google to move that forward. Would it be beneficial to Google? I think so. To people? Of course. Politicians? I would bet on it. The only problem is the government. More likely it will be on the losing end very often. So, may it be the reason Google did not or will not implement that?

Mikhail

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of full-disclosure-requ...@lists.grok.org.uk
Sent: Friday, June 08, 2012 7:00 AM
To: full-disclosure@lists.grok.org.uk
Subject: Full-Disclosure Digest, Vol 88, Issue 11

We are not so savage that we decide who is powerful by military strength. Money plays a much bigger role in deciding power in our society; people with money have significant influence over the military and paramilitary police, and many make decisions that affect millions of people every day. Chris Dodd basically stated an expectation that laws can be bought after PIPA and SOPA failed, as if the money the MPAA had donated to politicians was supposed to guarantee that those politicians would do what the MPAA tells them to do. Armies and wars are expensive and need to be paid for, and money is how we pay for such things.

Law enforcement (i.e. the use of guns) is rarely needed to maintain the power of money; most people accept the laws that surround money and try to follow them. People pay taxes when asked politely, they pay fines and damages that courts assess, they repay loans when legally obligated to do so, and so forth. Disputes over money are almost always settled without violence and without the need to call in the police, even in cases where people broke the law. Even violent criminal gangs need money, despite being in possession of guns and despite a willingness to make use of those guns.

Alexandre Dumas stated it better than I can:

What I mean, my dear fellow, is that I shall do more by myself with my gold than you and all your people with their daggers, their pistols, their carbines and their blunderbusses. So let me do it. (The Count of Monte Cristo)

-- Ben

--
Benjamin R Kreuter
UVA Computer Science
brk...@virginia.edu
KK4FJZ

--
If large numbers of people are interested in freedom of speech, there will be freedom of speech, even if the law forbids it; if public opinion is sluggish, inconvenient minorities will be persecuted, even if laws exist to protect them. - George Orwell
Re: [Full-disclosure] Full-Disclosure Digest, Vol 88, Issue 2 Re: NSA Cyber security program [ maybe off-topic ]
-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of full-disclosure-requ...@lists.grok.org.uk
Sent: Saturday, June 02, 2012 7:00 AM
To: full-disclosure@lists.grok.org.uk
Subject: Full-Disclosure Digest, Vol 88, Issue 2

Send Full-Disclosure mailing list submissions to full-disclosure@lists.grok.org.uk

To subscribe or unsubscribe via the World Wide Web, visit https://lists.grok.org.uk/mailman/listinfo/full-disclosure or, via email, send a message with subject or body 'help' to full-disclosure-requ...@lists.grok.org.uk

You can reach the person managing the list at full-disclosure-ow...@lists.grok.org.uk

When replying, please edit your Subject line so it is more specific than Re: Contents of Full-Disclosure digest...

Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.

Today's Topics:
1. Re: NSA Cyber security program [ maybe off-topic ] (InterN0T Advisories)
2. TrueCaller Vulnerability Allows Changing Users' Details (Kuwait WhiteHat)
3. Re: NSA Cyber security program [ maybe off-topic ] (Benjamin Kreuter)
4. Re: NSA Cyber security program [ maybe off-topic ] (Alexander Georgiev)
5. Re: NSA Cyber security program [ maybe off-topic ] (Urlan)

--

My 10 cents:

While off topic, the subject has touched a few people. I worked for the US Navy as an information security analyst/contractor for a few years, and had two projects with the US DoT. Plus, I had an interview at... let's not mention the exact name. I can share a few things with you guys.

First, US government employees are paid very well. There are several levels (as I remember around 12-14) starting at 25-30K and up to around 150-170K. That is for non-managerial positions. With my MS in CS and IT and security experience I would easily target 120K. So, the same level as in the private sector. Plus, they have numerous perks, and being just a contractor I managed to use one. Plus, low-cost very good health insurance, and a pretty good pension after several years, which is much better than what the rest of the US has. So, those are the positives.

There are negatives as well. First, the environment is highly politicized, and upper-level technical management is out of common sense. All is about getting more power. One top-level manager once said during a business meeting "There should be no humor during business meetings." And this idiot was absolutely serious. The same manager later destroyed the security department and moved information security into the IT department, where one IT boy said "Even a monkey can do vulnerability scanning." He was expected to replace me and my contract had been terminated. I was really happy to quit. BTW, it was not a dumb stupid base in the middle of nowhere. It was the Naval Systems Command top research center.

Often big US government projects, like the current one related to cloud computing, are out of technical common sense and are driven by political will and something I call legal corruption. In my collection of the most stupid US government activity cases is the so-named NMCI project - Navy Marine Corps Intranet, which was not an Intranet project at all. Whoever is interested in the details, please email me directly. I'm writing that because as a government employee you would be involved in such stupid projects.

Concerning the hiring process, it is also very specific. To be hired, you need to file (now electronically) a twenty-page questionnaire. Plus, two stupid tests, plus writing an essay. It does not matter if you are a well-known high-level professional - you should pass that crap of tests and writing. In general, each US government department has some specifics in hiring, but it is pretty standard and requires some time and devotion to deal with.

Some time ago I saw a paper that the US government immediately needs approximately 20,000 security professionals. My assumption - mostly in activities associated with this list's interests. However, I do not think the government will do anything real to fill this gap. The NSA project in question, which triggered this discussion, is an example. BTW, NSA built a new center in the middle of nowhere, somewhere in Mormon country. If you like the Wild West, you can try that.

Summary: if you want a good salary, are thinking about retirement, health insurance, etc., you can try to get there. You can search through US government departments' sites, and there are a few head-hunting portals listing all departments, etc. But, be ready for the specifics of hiring and the internal environment. In some places, like DC, you can find shocking results of equal opportunity employment. I would assume that in some places you could find a good professional environment and good people to work with (I enjoyed working with navy guys of my level), but do not
[Full-disclosure] LulzSec & Sabu - lessons learned

Hello,

My two cents to lessons learned:
- If the FBI is hacked, the CIA will LOL
- If the CIA is hacked, the FBI will LOL
- If the DoD is hacked, both the FBI and the CIA will LOL

But if Stratfor is hacked, all three guys get very serious, guess why?

If you do serious hacking, do not brag and do not do stupid hacks.

Mikhail
Re: [Full-disclosure] Full-Disclosure Digest, Vol 83, Issue 21
Hello List,

So far it has been a very interesting discussion, but nevertheless nobody went to the Source, which is the Law, and used US Codes (or any others) as a reference in the consideration of cases and examples. To the best of my judgment this does not help too much and we are getting the result as "You are right, and You are right as well." Anybody going to the Source? Any experience with it? It may bring us to the common ground and would be very helpful in future real-life cases.

Mikhail Utin, CISSP

From: full-disclosure-boun...@lists.grok.org.uk [full-disclosure-boun...@lists.grok.org.uk] On Behalf Of full-disclosure-requ...@lists.grok.org.uk [full-disclosure-requ...@lists.grok.org.uk]
Sent: Saturday, January 14, 2012 7:00 AM
To: full-disclosure@lists.grok.org.uk
Subject: Full-Disclosure Digest, Vol 83, Issue 21

--
Message: 1
Date: Fri, 13 Jan 2012 11:15:44 -0500
From: Benjamin Kreuter ben.kreu...@gmail.com
Subject: Re: [Full-disclosure] Rate Stratfor's Incident Response
To: full-disclosure@lists.grok.org.uk
Message-ID: 20120113111544.11bf0...@d-172-27-99-46.bootp.virginia.edu
Content-Type: text/plain; charset=US-ASCII

On Thu, 12 Jan 2012 23:36:29 + Giles Coochey gi...@coochey.net wrote:

On 12/01/2012 23:30, Byron Sonne wrote:

Hello,

Bad analogy. Closer would be if you have a house that's got a driveway on a public street, and you claim it's not breaking and entering if you walk up the driveway, try the doorknob, find it unlocked, and let yourself in without the permission of the residents. Saying that anybody could walk up and let themselves in the door doesn't make it legal.

This is a pretty classic analogy that I've used many times myself, but for many years now I've found myself questioning it... I mean good analogies are valuable, but I think in this case it falls down. Mostly, there's the expectation of physical security or, at least, privacy, when it comes to a house. If someone's rattling door knobs, it's not unreasonable to expect that they could be there to rob or do you harm, as the human race does not have a significant history of peaceful/harmless door rattling practices (that I know of). Now, when it comes to the internet and networks in general, we've entered a whole new world where many old ways of looking at things, tempting as they are, don't fit. There's also no real relevance to fearing for your physical safety if someone's probing your net. To a good extent I might be talking out of my ass here, but I'd welcome feedback.

If you go to a website and do a bit of clicking around that's normal behaviour, walking past the house, having a look at the front rose garden etc...

Under some definition of normal. If you ask me for my DOB and I enter my name, is that normal? Plenty of users make mistakes like that all the time; how do you determine that one was being malicious whereas another just made a routine error? Where do you draw the line? Is it abnormal to try to use a web server as a proxy? Is it abnormal to ask for a directory listing? We all know what we *want* users to do. That is not necessarily what we should expect out of them, and crying about how illegal it is to do something unexpected does nothing to advance the state of computer
Re: [Full-disclosure] Facebook Attach EXE Vulnerability
Facebook is trying to save its face. It's typical. I got the same answer from SonicWALL one year ago when I discovered that simple internal network scanning (Nessus, Nmap, etc.) brings down the entire network. The firewall's internal TCP connection stack was overloaded within a few seconds (IPS was not enabled), thus it was not accepting new connections.

Mikhail A. Utin, CISSP
Information Security Analyst

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of full-disclosure-requ...@lists.grok.org.uk
Sent: Tuesday, November 01, 2011 8:00 AM
To: full-disclosure@lists.grok.org.uk
Subject: Full-Disclosure Digest, Vol 81, Issue 1

Message: 1
Date: Mon, 31 Oct 2011 10:40:24 -0400
From: Charles Morris cmor...@cs.odu.edu
Subject: Re: [Full-disclosure] Facebook Attach EXE Vulnerability
To: Nathan Power n...@securitypentest.com
Cc: Full Disclosure full-disclosure@lists.grok.org.uk
Message-ID: CABgawuYGTu1=eg2nesd9g_n_aapwe1myqzrznc0tdz5sqsb...@mail.gmail.com
Content-Type: text/plain; charset=ISO-8859-1

Nathan,

It IS an issue, don't let their foolishness harsh your mellow. Although it's a completely ridiculous, backwards, and standards-relaxing security mechanism, the fact is they implemented it, and you subverted it. In my book that's Pentester 1 :: Fail Vendor 0

I've had large vendors (read: Microsoft) reply to issues with the same kind of garbage, where they take a situation where there wasn't a threat, create a security mechanism to counter the nonexistent threat, then implement it incorrectly, thus creating either a vulnerability in the system itself or a false sense of security for the user.

Fail: Hello user, you can add attachments now! Look at our amazing 1997 web technology!!
User: Oh neat, I can't wait to send my friend this random file (read: give up your rights and control of your random file to facebook) through your excessive, unnecessary, inefficient, insecure, closed-source tool
Fail: I am blocking exe attachments 'for your security' so feel free to just run attachments without a second thought, don't even bother to waste 100ns of your time to practice normal security
User: Wait, what about .bat, .cmd, .vbs, .ws, .pif, .inx, .lnk etc etc? What about the extensions that I set up? Can I really just spam clicks all over the place?
Fail: Oh those, well you shouldn't be clicking those. What, we can't be held responsible if you don't practice normal security!! P.S. You know when we said we were blocking .exe files? Well--- we aren't. Enjoy.

/rant

On Fri, Oct 28, 2011 at 1:38 PM, Nathan Power n...@securitypentest.com wrote:

I was basically told that Facebook didn't see it as an issue and I was puzzled by that. Ends up the Facebook security team had issues reproducing my work and that's why they initially discarded it. After publishing, the Facebook security team re-examined the issue and by working with me they seem to have been able to reproduce the bug.
Re: [Full-disclosure] Full-Disclosure Digest, Vol 80, Issue 54
List,

Sorry for taking on the role of moderator. Pretty often we see discussions around politics on this list. It seems to me that it is natural. It reflects that we are people and have certain concerns which live in us together with professional stuff. We cannot avoid outbreaks of such discussions. This list is a part of our life though.

Suggestion: assign one day of the week to release steam and talk about whatever we want to. Purists can just ignore discussions on that day. And as usual: you are right, and you are right too.

Cheers and be patient.

Mikhail A. Utin, CISSP

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of full-disclosure-requ...@lists.grok.org.uk
Sent: Thursday, October 13, 2011 1:05 AM
To: full-disclosure@lists.grok.org.uk
Subject: Full-Disclosure Digest, Vol 80, Issue 54

--
Message: 1
Date: Thu, 13 Oct 2011 10:29:38 +1100
From: Ivan . ivan...@gmail.com
Subject: Re: [Full-disclosure] [OT] Obama said: American people understand that not everybody's been following the rules
To: David Alanis can...@dalan.us
Cc: full-disclosure@lists.grok.org.uk
Message-ID: CAKLh_qz4cgavd1pHqx5kNUH3+OB3fRX4VwtQfZ=7icuimr-...@mail.gmail.com
Content-Type: text/plain; charset=iso-8859-1

http://endoftheamericandream.com/archives/fast-and-furious-22-shocking-facts-about-the-scandal-that-could-bring-down-the-obama-administration

On Thu, Oct 13, 2011 at 10:33 AM, David Alanis can...@dalan.us wrote:

Quoting Paul Schmehl pschmehl_li...@tx.rr.com:

The thing these stupid people don't seem to get is that millionaires and billionaires are the only ones that can afford to move elsewhere.

You're an idiot. If you think that Obama is a Muslim, that Obamacare will bring upon death panels, that Obama is a socialist, and that all millionaires and billionaires (including Thor) will move out just because they're called upon to pay more taxes and help America out of debt, you're an idiot. Please don't call me *stupid* just because you disagree with me politically. If you're not a millionaire or billionaire, how *would you know* that the 1% are packing, getting ready to move? Did you pick this up from Fox News? (I won't respond to any of your response, I am done with this silly thread)

Tax them enough and they'll simply move to another country. That's already what's happening with corporations and with some individuals. As their tax load increases, the incentive to simply move gets greater and greater until one day they do. Then their tax load goes to zero and the money is gone forever. We've already seen this within the US, where millionaires are leaving CA and NY for greener pastures. If they leave the US entirely, they won't be back. Then who will the government get the money from?

--On October 12, 2011 8:31:34 PM + Thor (Hammer of God) t...@hammerofgod.com wrote:

Well, you said nor do I care so I too am confused. However, since you did ask, there is an important aspect to your retort that you seem ok with dancing
Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
Mitja,

You, unfortunately, did not get it. It is not about Microsoft, it is about you guys who do not make things better but put all your mind into doing things worse. Use common sense in whatever you do. Innovating hacks beyond and above black hats does not really help people be more secure.

Mikhail A. Utin, CISSP
Information Security Analyst

-----Original Message-----
From: ACROS Security Lists [mailto:li...@acros.si]
Sent: Thursday, September 15, 2011 3:54 PM
To: 'Thor (Hammer of God)'
Cc: bugt...@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission

Hi Thor,

Thank you very much for sharing your point of view. If Microsoft thought the same though, they probably wouldn't be fixing these bugs. I suppose they don't understand what security really is the same way we don't. ;-)

Regards,
Mitja

-----Original Message-----
From: Thor (Hammer of God) [mailto:t...@hammerofgod.com]
Sent: Thursday, September 15, 2011 6:11 PM
To: secur...@acrossecurity.com; bugt...@securityfocus.com; full-disclosure@lists.grok.org.uk; c...@cert.org; si-c...@arnes.si
Subject: RE: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission

From your blog:

"While we know there's still a lot of cleaning up to do in their binary planting closet, our research-oriented minds remain challenged to find new ways of exploiting these critical bugs and bypassing new and old countermeasures. In the end, it was our research that got the ball rolling and it would be a missed opportunity for everyone's security if we didn't leverage the current momentum and keep researching."

I would change that around a bit. I would say "our self-serving and marketing-oriented minds remain challenged to understand what security really is, but regardless, continue to find ways of trying to convince people this represents an actual security threat. In the end, it was our research that falsely created security concerns and confusion where time was better spent really doing just about anything else, but it would have been a missed opportunity to get our names in the media to sell our security services."

t

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of ACROS Security Lists
Sent: Thursday, September 15, 2011 3:05 AM
To: bugt...@securityfocus.com; full-disclosure@lists.grok.org.uk; c...@cert.org; si-c...@arnes.si
Subject: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission

Our new blog post describes some recent changes Microsoft introduced to fight against binary planting exploits. The most recent change was the removal of a vulnerable COM server on Windows XP which we used in our proof of concept at Hack In The Box Amsterdam in May. Read the post to find out what else is hiding in the COM server binary planting closet and what to do to get our PoC back to life.

http://blog.acrossecurity.com/2011/09/microsofts-binary-planting-clean-up.html
or
http://bit.ly/qWyKph

Enjoy the reading!

Mitja Kolsek
CEO & CTO

ACROS, d.o.o.
Makedonska ulica 113
SI - 2000 Maribor, Slovenia
tel: +386 2 3000 280
fax: +386 2 3000 282
web: http://www.acrossecurity.com
blg: http://blog.acrossecurity.com

ACROS Security: Finding Your Digital Vulnerabilities Before Others Do

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

CONFIDENTIALITY NOTICE: This email communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please reply to the sender immediately or by telephone at (617) 426-0600 and destroy all copies of this communication and any attachments. For further information regarding Commonwealth Care Alliance's privacy policy, please visit our Internet web site at http://www.commonwealthcare.org.
Re: [Full-disclosure] Full-Disclosure Digest, Vol 79, Issue 21
See the MS advisory for the full list of affected products. It is NOT just 2007. It includes 2010 products as well.

Mikhail A. Utin, CISSP
Information Security Analyst

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of full-disclosure-requ...@lists.grok.org.uk
Sent: Wednesday, September 14, 2011 7:00 AM
To: full-disclosure@lists.grok.org.uk
Subject: Full-Disclosure Digest, Vol 79, Issue 21

Today's Topics:

   1. Seeker Advisory Sep11: Reflected Cross Site Scripting in Microsoft SharePoint Portal (Irene Abezgauz)
   2. Re: Apache Killer (xD 0x41)
   3. Update: Vulnerability in plugins for Typepad, RapidWeaver, Habari, DasBlo, eZ Publish, EE, Serendipity, Social Web CMS, PHP-Fusion, Magento and Sweetcron (MustLive)
   4. Re: Apache Killer (Javier Bassi)
   5. Re: Apache Killer (GloW - XD)
   6. Seeker Advisory Sep11: Insecure Redirect in Microsoft SharePoint Portal (Irene Abezgauz)

----------------------------------------------------------------------

Message: 1
Date: Tue, 13 Sep 2011 20:30:17 +0300
From: Irene Abezgauz ir...@seekersec.com
Subject: [Full-disclosure] Seeker Advisory Sep11: Reflected Cross Site Scripting in Microsoft SharePoint Portal
To: full-disclosure@lists.grok.org.uk
Message-ID: 408E44BC9EB1A74DB458543F5BCDA35AC412F3@gandalf.Hacktics.local
Content-Type: text/plain; charset=windows-1255

Seeker Research Center Security Advisory

This vulnerability was discovered by Seeker Automatic Run-Time Application Security Testing Solution
Disclosed By Irene Abezgauz, September 13th, 2011

=== I. Overview ===

A Cross Site Scripting vulnerability has been identified in Microsoft SharePoint 2007. This vulnerability allows attackers to gain control over valid user accounts, perform operations on their behalf, redirect them to malicious sites, steal their credentials, and more.

A friendly formatted version of this advisory is available at:
http://www.seekersec.com/Advisories/SeekerAdvMS04.html

=== II. Details ===

The Contact Details Tool Pane web part is vulnerable to cross site scripting attacks in the parameter

ctl00$MSOTlPn_EditorZone$Edit0g_7aaa0c6d_72f5_4717_9b22_80188ffdbcde$peopleEditor$hiddenSpanData=

By manipulating an unsuspecting user into submitting a specially crafted form, an attacker causes the victim to send the malicious script to the vulnerable SharePoint 2007 instance. The malicious script is then reflected back to the user and executed in his browser.

The Contact Details Tool Pane is an out-of-the-box component, accessible from various locations in SharePoint 2007 in which the Contact Details web-part is present. The exploit in this advisory has been produced when editing Report Center.

=== III. Exploit ===

Sample exploitation of this vulnerability would be crafting the following request:

POST /Reports/Pages/Default.aspx HTTP/1.1
...
ctl00$MSOTlPn_EditorZone$Edit0g_7aaa0c6d_72f5_4717_9b22_80188ffdbcde$peopleEditor$hiddenSpanData=<script>alert("SeekerSec")</script>

The request also contains other parameters required by the page, the vulnerable parameter being the parameter noted above.

It seems that when a script is simply placed into the input field there is a client-side encoding of the parameter value, which is insufficient to prevent attacks as directly (not via client) submitted scripts simply do not undergo such validation.

=== IV. Affected Systems ===

Microsoft SharePoint 2007

=== V. Solution ===

Microsoft has released a fix for this vulnerability, see http://technet.microsoft.com/security/bulletin/MS11-074 for further information.

=== VI. Credit ===

The vulnerability was automatically discovered by Seeker - New generation application security testing solution, utilizing ground breaking BRITE technology (Behavioral Runtime Intelligent Testing Engine). Further research and publication was performed by Irene Abezgauz, Product Manager, Seeker Security. For more information please visit www.seekersec.com

-
Irene Abezgauz
Product Manager
Seeker Security
www.seekersec.com
E-Mail: ir...@seekersec.com

------------------------------

Message: 2
Date: Tue, 13 Sep 2011 12:26
Re: [Full-disclosure] ZDI-11-208: Adobe Shockwave rcsL Parsing Remote Code Execution Vulnerability
I see numerous announcements from ZDI pointing to June 14th updates. Is that what the big guys MS and Adobe missed in last week's updates? If NO, then we need to stop ZDI from polluting our list with last year's news. Anyway, I see repetitive announcements pretty often.

Thank you

Mikhail A. Utin, CISSP
Information Security Analyst
Commonwealth Care Alliance
30 Winter St. Boston, MA
TEL: (617) 426-0600 x.288
FAX: (617) 249-2114
http://www.commonwealthcare.org
mu...@commonwealthcare.org

-----Original Message-----
From: ZDI Disclosures [mailto:zdi-disclosu...@tippingpoint.com]
Sent: Tuesday, June 14, 2011 5:57 PM
To: 'full-disclosure@lists.grok.org.uk'; 'bugt...@securityfocus.com'
Subject: ZDI-11-208: Adobe Shockwave rcsL Parsing Remote Code Execution Vulnerability

ZDI-11-208: Adobe Shockwave rcsL Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-208
June 14, 2011

-- CVE ID:
CVE-2011-2109

-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Shockwave Player

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11370. For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the rcsL chunk inside Adobe's RIFF-based Director file format. The code within the Dirapi.dll is affected by an integer wrap caused by size values being calculated without proper checking. This can lead to memory corruption which can be leveraged to execute arbitrary code under the context of the user running the browser.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:

    http://www.adobe.com/support/security/bulletins/apsb11-17.html

-- Disclosure Timeline:
2011-04-20 - Vulnerability reported to vendor
2011-06-14 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Luigi Auriemma

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

    http://twitter.com/thezdi
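The integer wrap the ZDI advisory describes (a size computed from attacker-controlled values without a range check, so the product wraps modulo 2^32 and undersizes a later allocation while the loop still trusts the original count) is easiest to see in a small chunk walker. The following is an added example, not ZDI's, Adobe's or Luigi Auriemma's code, and it makes no claim about the real layout of the rcsL chunk: it assumes a generic RIFF chunk (FourCC, little-endian 32-bit length, payload) whose payload begins with a 32-bit record count followed by 16-byte records. unchecked_record_bytes is the vulnerable arithmetic; checked_record_bytes and walk_chunks are the hardened form that a parser for any length-prefixed format should follow.

```c
/* Added example: RIFF-style chunk walker showing unchecked vs. checked
 * size arithmetic. Not code from the advisory or from Adobe; the rcsL
 * payload layout (32-bit record count + 16-byte records) is assumed for
 * illustration only. Build: cc -std=c99 -Wall rcsl_check.c */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RECORD_SIZE 16u

/* Little-endian 32-bit read that does not depend on host alignment rules. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable pattern: count * RECORD_SIZE computed in 32 bits with no
 * range check. For count = 0x10000001 the product is 0x100000010, which
 * wraps to 16, so an allocator would hand back a 16-byte buffer for what a
 * copy loop then treats as 0x10000001 records. */
uint32_t unchecked_record_bytes(uint32_t count)
{
    return count * RECORD_SIZE;
}

/* Hardened pattern: reject a count whose product cannot be represented,
 * and reject a chunk that does not carry as many bytes as it claims.
 * Returns 0 and stores the byte size on success, -1 otherwise. */
int checked_record_bytes(uint32_t count, uint32_t payload_len, uint32_t *out)
{
    if (count > UINT32_MAX / RECORD_SIZE)
        return -1;                      /* multiplication would wrap */
    uint32_t bytes = count * RECORD_SIZE;
    if (bytes > payload_len)
        return -1;                      /* chunk shorter than its record table */
    *out = bytes;
    return 0;
}

/* Walk a buffer of chunks: 4-byte FourCC, 4-byte LE length, payload,
 * odd lengths padded to even as in RIFF. Every declared length is checked
 * against the bytes actually remaining before it is used as an offset.
 * Returns the number of chunks accepted, or -1 at the first malformed one. */
int walk_chunks(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < 8)
            return -1;                  /* truncated chunk header */
        uint32_t clen = rd_le32(buf + off + 4);
        if (clen > len - off - 8)
            return -1;                  /* declared length runs past the buffer */
        const uint8_t *payload = buf + off + 8;
        if (memcmp(buf + off, "rcsL", 4) == 0) {
            uint32_t bytes;
            if (clen < 4)
                return -1;              /* no room for the record count */
            if (checked_record_bytes(rd_le32(payload), clen - 4, &bytes) != 0)
                return -1;
        }
        off += 8 + (size_t)clen + (clen & 1u);
        n++;
    }
    return n;
}

/* Constructed sample input: one rcsL chunk whose 20-byte payload is a
 * record count followed by a single 16-byte record. `count` is the value
 * under test. Writes RCSL_SAMPLE_LEN bytes into out. */
#define RCSL_SAMPLE_LEN 28u
void build_rcsl_sample(uint8_t out[RCSL_SAMPLE_LEN], uint32_t count)
{
    memset(out, 0, RCSL_SAMPLE_LEN);
    memcpy(out, "rcsL", 4);
    wr_le32(out + 4, RCSL_SAMPLE_LEN - 8);   /* payload length = 20 */
    wr_le32(out + 8, count);
}

int main(void)
{
    uint8_t buf[RCSL_SAMPLE_LEN];
    build_rcsl_sample(buf, 1);
    printf("count=1: walk_chunks -> %d\n", walk_chunks(buf, sizeof buf));
    build_rcsl_sample(buf, 0x10000001u);
    printf("count=0x10000001: unchecked size = %u bytes, walk_chunks -> %d\n",
           unchecked_record_bytes(0x10000001u), walk_chunks(buf, sizeof buf));
    return 0;
}
```

The two checks in checked_record_bytes are independent and both are needed: the division test catches the wrap itself, and the comparison against the payload length catches the ordinary case where the count is honest but the file was truncated or the table was declared larger than the chunk that holds it.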
Re: [Full-disclosure] virus in email RTF message MS OE almost disabled
This is my final reply. For those still interested:
- it happened on my home PC
- immediately disconnected (for a few interested people I can forward the email to taste this thing after receiving appropriate paperwork)
- it is beyond MS released SPs for Office and Windows
- using this list is OK as we discuss vulnerabilities
- using corporate email is not prohibited to discuss professional topics
- public emails, chats/IM, social sites are prohibited by policies

Sorry, I was looking for a few short ideas and mostly for known cases, but not lecturing. I'll fix it, not a big deal. Expect others to have some knowledge as well and do not waste time. BTW, certifications help in all covered matters, believe me. Even in understanding that others may know something and do have certain experience.

If you know such cases, please, reply. Otherwise do not waste your and your computer's energy.

Thank you

Mikhail A. Utin, CISSP
Information Security Analyst
Commonwealth Care Alliance
30 Winter St. Boston, MA
TEL: (617) 426-0600 x.288
FAX: (617) 249-2114
http://www.commonwealthcare.org
mu...@commonwealthcare.org

-----Original Message-----
From: Ryan Sears [mailto:rdse...@mtu.edu]
Sent: Monday, November 22, 2010 5:41 PM
To: Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk; Mikhail A. Utin
Subject: Re: [Full-disclosure] virus in email RTF message MS OE almost disabled

Yeah I've got to go with Thor on this one. You endangered your entire infrastructure by exposing internal defects in your (or your staff's) knowledge. That's a big no-no. Every company presumably has people in it who aren't the 'sharpest tools in the shed' so to speak, but in one email you've divulged more than enough information to mount a social-engineering attack to gain access to not only your home computer, but assuming you're using the same passwords for everything, *everything you run*.

Don't ask questions about this kind of stuff on FULL-DISCLOSURE. This is a security mailing list, and you asking if you got a virus is equivalent to installing that retardo purple dancing monkey and being surprised it's backdoored your computer. You're going to be endlessly flamed for it, because you're wasting people's time to make you look like a fool.

The fact that you're looking for newly installed executables is a joke, really. Most modern initial exploitation vectors have been built to run fully in memory, never hitting the disk. Also thanks to DLL migration you can instantly exploit then migrate to something like explorer.exe. You should've been looking for network connections as opposed to an entry in your uninstall menu saying 'l33t M$0FFICE expl0itz lul!'.

While Thor's response might have been a bit sharp-tongued, I share his frustrations and agree with him whole-heartedly. Too many times our most important information is stored in the hands of people who either don't think about security, or blatantly ignore it. This is not only disturbing, but sad as well. What's the point in protecting my information on my private network if it's going to be poached when it enters YOUR hands? Hackers look for the path of least resistance, and operate on the old adage 'work smart, not hard'.

You sir, are a classic example of why certifications and titles are a bad idea, and are currently failing our industry. How can you call yourself a 'genius' if you aren't actually one? How can a CISSP *not* know about basic virus/exploitation behavior? You're the equivalent to the people who go to a garage sale, buy a purple heart then tell everyone to call him 'sarge'.

I'd say spend 10 min googling for some file format analyzers (which aren't the greatest but MIGHT catch blatant stuff like that assuming there's something there), then spend another 10 finding a professional to help you re-order your infrastructure, and look at your company through the eyes of a hacker, not just someone who read a few paragraphs on security then decided to call themself a 'security professional'.

Sorry if I seem impatient, but this is the *exact* behavior that all of our infrastructures should be not only curbing, but cauterizing with fire. If you don't understand about file-format vectors of attack, LEARN ABOUT THEM. Don't expect to get spoon-fed answers, but we live in a time where *any* question can be answered within a minute of googling, and that's if your google-fu ISN'T strong. Google-fu. That's how you become half-decent at anything nowadays. There are vast communities centered around everything from web attacks, ring-0 level exploits, wireless hacking, embedded devices, and everything else in-between. We all start off as n00bs, but the difference is the people who actually want to learn do, because they enjoy learning about it, and go seek the knowledge relevant to them.

If you wanted any real help, you should've enclosed the file in question, not just said there was some mystery file that caused some cpu load.

Welcome to Windows
Re: [Full-disclosure] virus in email RTF message MS OE almost disabled
As we see, our list has a few (luckily just a few) unprofessional people thinking of themselves as gods, and hiding in such Russian-born domains. It's useless to engage in any discussion as they have too much time and will waste our time as well. And it's useless to explain ethics, security basics, and our experience as they are kiddies. Eventually they will grow ... maybe.

List, thank you very much

Mikhail A. Utin, CISSP
Information Security Analyst
Commonwealth Care Alliance
30 Winter St. Boston, MA
TEL: (617) 426-0600 x.288
FAX: (617) 249-2114
http://www.commonwealthcare.org
mu...@commonwealthcare.org

-----Original Message-----
From: Thor (Hammer of God) [mailto:t...@hammerofgod.com]
Sent: Monday, November 22, 2010 4:52 PM
To: Mikhail A. Utin
Cc: full-disclosure@lists.grok.org.uk
Subject: RE: virus in email RTF message MS OE almost disabled

Keep it on the list. No need for private emails if you need assistance - give everyone a chance!

My response was far more useful than your post - "I got pwned by an Office virus by opening an attachment in OE - What could it be??" Jeeze dude. And I didn't give any adice about Noton. I said to get someone professional, which you *clearly* need to do.

You should look up these guys: http://www.rubos.com/pisa.html Apparently they are Information System Security Professionals, and they are in the same town as you. One even has a CISSP, so you KNOW that he knows what he is doing. Funny thing is that he has the exact same name as you do. What are the chances of that? If these guys formed the company to sell services to businesses and individuals to comply with legal security and privacy requirements, then they should be able to figure out how to find an Office virus on XP, right? You can even join them as "Security professionals and experienced Information Sestems professionals are welcome." I'm not sure what a Sestems professional is, but it must be very important work.

Waste of time indeed. Apple Stores are hiring geniuses for the holidays - even they know how to use XP and could help.

t

From: Mikhail A. Utin [mailto:mu...@commonwealthcare.org]
Sent: Monday, November 22, 2010 1:26 PM
To: Thor (Hammer of God)
Subject: RE: virus in email RTF message MS OE almost disabled

Your email is useless. It is on my home PC. If you have better adice than using Noton SW, then please use your mind to get something meaningful. If you can name the virus or where to find its instance, it would be a help. Otherwise do not waste your and my time.

From: Thor (Hammer of God) [mailto:t...@hammerofgod.com]
Sent: Monday, November 22, 2010 3:17 PM
To: Mikhail A. Utin; full-disclosure@lists.grok.org.uk
Subject: RE: virus in email RTF message MS OE almost disabled

You know, every time I start to get a bit of hope for what looks like an upward trend of businesses and organizations taking security seriously, I see crap like this. Your organization is a Medicare prescription contractor with a national network of 61,022 contracted pharmacies, and not only are you running unpatched versions of old OS's and opening email attachments because they look OK, but you have to post to Full Disclosure asking help for trivial virus detection and removal advice? Now that everyone on FD knows that you are vulnerable and that you open email attachments, you've probably just caused the organization to be pwned 9 ways from Sunday.

To answer your question, call a professional and have them do it. And in the future, don't send out emails like this from your organization email announcing the state of your security. That's what Hotmail is for.

t

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Mikhail A. Utin
Sent: Monday, November 22, 2010 7:18 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] virus in email RTF message MS OE almost disabled

Hello,

Opening an OK-looking email message in my MS OE, I've very likely got a new kind of virus which exploits the MS Office flaw recently announced. Immediately after, my OE started consuming huge memory when I switched between folders or messages. I've not seen any process in Task Manager taking up to 1 GB memory (physical is 512M). I did not find any newly installed executables either. When I shut down OE, the computer works fine.

Any thoughts?

Thank you
Mikhail
[Full-disclosure] virus in email RTF message MS OE almost disabled
Hello,

Opening an OK-looking email message in my MS OE, I've very likely got a new kind of virus which exploits the MS Office flaw recently announced. Immediately after, my OE started consuming huge memory when I switched between folders or messages. I've not seen any process in Task Manager taking up to 1 GB memory (physical is 512M). I did not find any newly installed executables either. When I shut down OE, the computer works fine.

Any thoughts?

Thank you
Mikhail
[Full-disclosure] looking for enterprise AV solution
Folks,

We are looking for enterprise-level AV software to replace our current AVG, which in our eyes has poor detection and removal capability. Reviews bring really mixed results as nothing's perfect. Access to logs and reliable management control features are important as well.

Any advice?

Thank you
mu...@commonwealthcare.org
Re: [Full-disclosure] Full-Disclosure Digest, Vol 68, Issue 5
Their policy of publishing whatever they think is buzzing cannot be respected by people who understand the possible problems of the innocent people involved. Leaking military secrets is as stupid as it gets. If they get closed, that is what they deserve.

Mikhail A. Utin, CISSP

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of full-disclosure-requ...@lists.grok.org.uk
Sent: Monday, October 04, 2010 7:00 AM
To: full-disclosure@lists.grok.org.uk
Subject: Full-Disclosure Digest, Vol 68, Issue 5

Today's Topics:

   1. [ MDVSA-2010:193 ] qt-creator (secur...@mandriva.com)
   2. [ MDVSA-2010:194 ] git (secur...@mandriva.com)
   3. WikiLeaks underoing (sic) scheduled maintenance (Harry Behrens)
   4. [ANN] pinktrace-0.0.1 (Ali Polatel)
   5. Fwd: xss in silverstripe (dave b)
   6. Re: Multiple vulnerabilities in WordPress 2 and 3 (PsychoBilly)
   7. Breaking .NET encryption with or without Padding Oracle (Early Warning)
   8. Re: the real stuxnet authors plz stand up (huj huj huj)
   9. Re: WikiLeaks underoing (sic) scheduled maintenance (huj huj huj)

----------------------------------------------------------------------

Message: 1
Date: Sun, 03 Oct 2010 14:29:00 +0200
From: secur...@mandriva.com
Subject: [Full-disclosure] [ MDVSA-2010:193 ] qt-creator
To: full-disclosure@lists.grok.org.uk
Message-ID: e1p2nga-0006ev...@titan.mandriva.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:193
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : qt-creator
 Date    : October 3, 2010
 Affected: 2010.0, 2010.1
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found in Qt Creator 2.0.0 and previous versions. The vulnerability occurs because of an insecure manipulation of a Unix environment variable by the qtcreator shell script. It manifests by causing Qt or Qt Creator to attempt to load certain library names from the current working directory (CVE-2010-3374).

 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3374
 http://qt.nokia.com/about/news/security-announcement-qt-creator-2.0.0-for-desktop-platforms
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.0:
 72f483e1687632ee9887b5742b72891d  2010.0/i586/libaggregation1-1.2.1-2.2mdv2010.0.i586.rpm
 38ef2476d9ca746576549cd230fed498  2010.0/i586/libcplusplus1-1.2.1-2.2mdv2010.0.i586.rpm
 33d7aa73bc3793f7327e5e2160409f4b  2010.0/i586/libextensionsystem1-1.2.1-2.2mdv2010.0.i586.rpm
 6429fd08060935dbecf7f7bdec4d2160  2010.0/i586/libqtconcurrent1-1.2.1-2.2mdv2010.0.i586.rpm
 029072ad2feb8299499a79f75bf4ae8e  2010.0/i586/libutils1-1.2.1-2.2mdv2010.0.i586.rpm
 af66282a6100278935d3a2137af01522  2010.0/i586/qt-creator-1.2.1-2.2mdv2010.0.i586.rpm
 617fccd89b2020320e4492364caed27c  2010.0/i586/qt-creator-doc-1.2.1-2.2mdv2010.0.i586.rpm
 1a7f7c6820ac43102c30bf3c5ffa570c  2010.0/SRPMS/qt-creator-1.2.1-2.2mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 a2b277c9e816765850be2242dd725738  2010.0/x86_64/lib64aggregation1-1.2.1-2.2mdv2010.0.x86_64.rpm
 553865d75cf73ac6c878b013dd7230eb  2010.0/x86_64/lib64cplusplus1-1.2.1-2.2mdv2010.0.x86_64.rpm
 b4067d049b8333c6986eb7b7ae15bd92  2010.0/x86_64/lib64extensionsystem1-1.2.1-2.2mdv2010.0.x86_64.rpm
 4edc6b295e3da81e798abf9fd7f29055  2010.0/x86_64/lib64qtconcurrent1-1.2.1-2.2mdv2010.0.x86_64.rpm
 4513fa9422e50fc2766009cd0e36bef3  2010.0/x86_64/lib64utils1-1.2.1-2.2mdv2010.0.x86_64.rpm
 75e44c0a21ee51a31723b8745f1dafca  2010.0/x86_64/qt-creator-1.2.1-2.2mdv2010.0.x86_64.rpm
 f150dba6979ef40f976972f6acc75180  2010.0/x86_64/qt-creator-doc-1.2.1-2.2mdv2010.0.x86_64.rpm
 1a7f7c6820ac43102c30bf3c5ffa570c  2010.0/SRPMS/qt-creator-1.2.1-2.2mdv2010.0.src.rpm

 Mandriva Linux 2010.1:
 127afd19d86e5e5fb75a9a9a98ceec10  2010.1/i586/qt-creator-1.3.1-3.2mdv2010.1.i586.rpm
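The Mandriva advisory says only that the qtcreator launcher script manipulated a Unix environment variable in a way that made the loader look for libraries in the current working directory. The commonest way a launcher does that is to build LD_LIBRARY_PATH as "$LD_LIBRARY_PATH:$libdir" while the variable is still unset, which leaves an empty element that the dynamic loader resolves as "."; that mechanism is assumed here as the illustration and is not a claim about the exact qtcreator script. The following is an added example, not Mandriva's or Qt's code: a checker a launcher (or an audit script) can run over a search-path value, together with the naive and the safe way to append a directory to it. The function names and the /opt/qt/lib directory are constructed for the example.

```c
/* Added example, not Mandriva's or Qt's code. Checks an LD_LIBRARY_PATH
 * style value for elements that resolve against the current working
 * directory, and shows the naive vs. the safe way to append a directory.
 * Assumption (documented, not taken from the advisory): an empty element
 * (leading, trailing or doubled colon) or a relative element is treated by
 * the dynamic loader as the current directory. Build: cc -std=c99 -Wall ldpath.c */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if any colon-separated element of value is empty or relative,
 * 0 if every element is an absolute path. NULL (variable unset) and ""
 * are reported as safe here: there is no element to resolve. */
int ld_path_has_cwd_element(const char *value)
{
    if (value == NULL || *value == '\0')
        return 0;
    const char *p = value;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t elen = sep ? (size_t)(sep - p) : strlen(p);
        if (elen == 0 || p[0] != '/')
            return 1;                   /* "" or "lib": resolved relative to cwd */
        if (sep == NULL)
            return 0;
        p = sep + 1;
    }
}

/* The launcher-script idiom this bug class comes from, transcribed to C:
 * "$LD_LIBRARY_PATH:$dir" with no check that the variable was set. With
 * existing == NULL this yields ":/opt/qt/lib", i.e. cwd searched first.
 * Returns 0, or -1 if out is too small. */
int ld_path_naive_append(const char *existing, const char *dir,
                         char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s:%s", existing ? existing : "", dir);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Safe form: only emit the separator when there is something to separate,
 * and refuse to add a directory that is not absolute. Returns 0, or -1 if
 * dir is relative or out is too small. */
int ld_path_safe_append(const char *existing, const char *dir,
                        char *out, size_t outsz)
{
    if (dir == NULL || dir[0] != '/')
        return -1;
    int n;
    if (existing == NULL || existing[0] == '\0')
        n = snprintf(out, outsz, "%s", dir);
    else
        n = snprintf(out, outsz, "%s:%s", existing, dir);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char buf[256];
    const char *cur = getenv("LD_LIBRARY_PATH");   /* may be NULL */

    if (ld_path_naive_append(cur, "/opt/qt/lib", buf, sizeof buf) == 0)
        printf("naive: %-40s cwd element: %s\n", buf,
               ld_path_has_cwd_element(buf) ? "YES" : "no");

    if (ld_path_safe_append(cur, "/opt/qt/lib", buf, sizeof buf) == 0)
        printf("safe:  %-40s cwd element: %s\n", buf,
               ld_path_has_cwd_element(buf) ? "YES" : "no");
    return 0;
}
```

Run with LD_LIBRARY_PATH unset, the naive line reports a cwd element and the safe line does not; run with it already set to an absolute path, both append cleanly. The same check applies to any colon-separated search variable a launcher exports, which is why the checker takes the value rather than reading the environment itself.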