[Full-disclosure] QUANTUMSQUIRREL - attrition.org unmasked as NSA TAO OP
Jericho has some 'splaining to do! c.f. QUANTUMSQUIRREL**

clearly the squirrel schwag is just cover for the _real_ rogue revenues...

** https://peertech.org/files/QUANTUMSQUIRREL.JPG

attachment: QUANTUMSQUIRREL.JPG

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] OT What is happening with bitcoins?
On Thu, Mar 6, 2014 at 4:09 PM, Pedro Worcel pe...@worcel.com wrote:
> Bitcoins are doing great actually. =) Used to be worth 0 a few years back, useless, and now you can use them to buy some stuff.

also providing some awesome information for future uses, c.f.:
http://blog.magicaltux.net/wp-content/uploads/2014/03/MtGox2014Leak.zip
http://89.248.171.30/MtGox2014Leak.zip
https://mega.co.nz/#!0VliDQBA!4Ontdi2MsLD4J5dV1-sr7pAgEYTSMi8rNeEMBikEhAs
http://burnbit.com/download/280433/MtGox2014Leak_zip

let me know if you're still short a mirror...
Re: [Full-disclosure] Hacking in Schools
i for one am moved by the selfless dedication to promoting a happy bit in every horse's mouth. may the hack-a-more live forevar!

On Wed, Feb 26, 2014 at 11:01 AM, Sanguinarious Rose sanguiner...@occultusterra.com wrote:
> You have my Axe!
Re: [Full-disclosure] RFP: FOIA with privacy waivers[0] for oversight
On Thu, Nov 28, 2013 at 12:25 PM, coderman coder...@gmail.com wrote:
> Request for participants FOIA with privacy waivers[0]
> ...

it is in my best interest not to pursue this effort any further. the donations received for this have gone to Cryptome instead for their FOIA efforts.

if you would like to pursue your own requests please do so:

Citizen's Guide on Using the Freedom of Information Act
https://www.fas.org/sgp/foia/citizen.html

and DOJ_361_revised_2-certification_of_identity.pdf if making requests on behalf of other individuals.

freedom of information laws are important and should be supported! perhaps i can do more at a later date...
Re: [Full-disclosure] SCADA StrangeLove 30C3 releases: all in one
On Sat, Jan 4, 2014 at 3:35 PM, scadastrangelove scadastrangel...@gmail.com wrote:
> ...
> ICS/SCADA/PLC Google/Shodan Cheat Sheet
> THC Hydra with Siemens S7-300 support
> Slides and video from SCADA Strangelove 2 talk. A Hacker Disneyland by @ygoltsev and @arbitrarycode
> Firebird/interbase database engine hacks by @GiftsUngiven
> http://scadastrangelove.blogspot.co.at/2014/01/30c3-releases-all-in-one.html#more

i'm waiting for the day Parastoo starts using these methods. right now their cyber vector appears limited to cutting fibers...
http://cryptome.org/2014/01/parastoo-pge-metcalf.htm

what disturbs me most is that despite widespread and persistent vulnerabilities in our critical infrastructure, there is nothing more than token security efforts applied this last decade. (except the security applied to keeping infrastructure information secret - a lot of money spent trying to get that cat back in the bag...)
Re: [Full-disclosure] the Fairphone is fatally flawed for security
On Sat, Jan 4, 2014 at 6:55 PM, Bernhard Kuemel bernh...@bksys.at wrote:
> ... the modem is ... poorly ... isolated from the rest of the platform and could access critical components such as storage, RAM, GPS and audio (microphone) of the device
>
> Can you tell me what attack vectors might exploit this vulnerability?

baseband attack (remote injection, carrier cooperation, other vector)
 leads to -
bus access
 leads to -
storage, RAM, GPS and audio, etc.

baseband vulnerabilities are difficult to identify and weaponize, but growing ever more pervasive.

see also these QUANTUMINSERTs:

30C3 Baseband Exploitation in 2013
http://www.youtube.com/watch?v=_5DqsPCCtiI
Re: [Full-disclosure] Open phones for privacy/anonymity applications, Guardian
On Mon, Dec 30, 2013 at 10:02 AM, l...@odewijk.nl wrote:
> ...
> Since the GSM f/w controls a radio, and thus the power, it may need a FCC certification...

[bad dependencies and liabilities here]

alternatively, encourage a market for open hardware and firmware/software components suitable for mobile. sell SDR SoCs that pair with an open handset like a SIM. minor assembly required; less than setting clock on microwave but slightly harder than point-and-click tethered jailbreak...
Re: [Full-disclosure] Open phones for privacy/anonymity applications, Guardian
On Tue, Dec 10, 2013 at 10:43 AM, Sean Lynch se...@literati.org wrote:
> ... software-defined radios such as the HackRF are coming onto the market. My suspicion is that the legislation simply hasn't caught up to this reality yet and that these will become difficult to obtain...

i hope you're wrong; although in some repressive locales this is already true?

SDR as applied to highly efficient and ultra-wide band / cognitive radio has too much potential to be crippled by bureaucracy. (if not, this is a sign your governing bureaucracy has run amok and must be corrected)
Re: [Full-disclosure] Open phones for privacy/anonymity applications, Guardian
On Wed, Jan 1, 2014 at 3:14 AM, Lodewijk andré de la porte l...@odewijk.nl wrote:
> I love being mentioned...

duly noted; i aim to please!

best regards,

p.s. if you're looking for good high performance SDR gear, look for the Noctar/BladeRF/HackRF/USRP*/RTL-SDR/*.* equivalents of these now mostly 5-7 year old products :)
- http://cryptome.org/2013/12/nsa-catalog.zip
Re: [Full-disclosure] [SECURITY] [DSA 2833-1] openssl security update
On Wed, Jan 1, 2014 at 4:09 AM, Moritz Muehlenhoff j...@debian.org wrote:
> ...
> In addition this update [...] no longer uses the RdRand feature available on some Intel CPUs as a sole source of entropy unless explicitly requested.

no CVE for the "oops you were entirely dependent on RDRAND" issue, predictable.

no release from OpenSSL with fix either? ... hard to check right now, i think their site had some issues lately. *cough*

no list of affected packages, who may have generated potentially weak long-lived keys if a future leak or other incident identifies RDRAND as mass produced and distributed vulnerable to attacks against key space / DRBG output.

i know we're all fucked six ways to sunday[0], but is that sufficient excuse to slack off or conveniently shy away?

best regards,

0. QFIRE Pilot Lead
http://cryptome.org/2013/12/nsa-qfire.pdf
extrapolate QFIRE, BULLRUN, QUANTUM* to FY 2013 and it is hard not to feel a bit hopeless...
... must find a way to detao ourselves!
[Full-disclosure] 30c3: The Year in Crypto [was: RDRAND used directly when default engines loaded in openssl-1.x through openssl-1.0.1e]
in 30c3: The Year in Crypto with djb, Nadia Heninger, Tanja Lange
http://www.youtube.com/watch?v=Fty107Us7oc
at ~28min discussion of RDRAND, Intel's pass the buck to NIST no-comment, (after initial "just trust us, we looked at a lab sample close" didn't fly far enough...)
alt slides: hyperelliptic.org/tanja/vortraege/talk-30C3.pdf

also, Tor 0.2.4.20 (Mon Dec 23 07:21:35 UTC 2013) updates to avoid direct RDRAND use in specific circumstances:
https://lists.torproject.org/pipermail/tor-talk/2013-December/031483.html
per previous discussion on OpenSSL use of RDRAND directly when engines on.[0]

TL;DR - very rare case you may want to re-gen relay and hidden service keys now.

you may wonder if IETF could apply resistance to NSA seducing of NIST, but you'd be stepping into a quagmire :P
http://arstechnica.com/security/2013/12/critics-nsa-agent-co-chairing-key-crypto-standards-body-should-be-removed/
http://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html
[specifically, all of Dan Harkins' appeals for legitimacy bear striking resemblance to other demonstratively failed approaches to failure-by-default designs. Dragonfly is not sufficiently justified. insert pleas to appeal to decency and step away from CFRG and IETF authority roles for propriety's sake, regardless of any reasonable claims or other implications best exemplified by RSA[1]]

also, SIMON and SPECK is lulz; no really: fuck those guys!

and remember that AES GCM is a choice between:
- user-land side channels galore /or/
- hardware instruction back-door
. .

2013 was indeed a year for crypto. let's not do this again soon?

best regards,

0. BADRAND and testing OpenSSL engines enabled behavior with direct RDRAND engine
https://peertech.org/goodrand
BADRAND lets you link a test version of your application or library against OpenSSL 1.0.1e that uses a specific sequence of deterministic random numbers in OpenSSL. e.g. standard C lib function rand() seeded at zero replacing RDRAND.
the debug logging to stderr can identify bad fork() assumptions.

1. Dual-EC-DRBG is bad and RSA should feel bad. No excuses.
https://gist.github.com/0xabad1dea/8101758
IETF standards not a good reference for formal proof level thoroughness, and highly deployed does not mean highly used nor scrutinized (WEP, LEAP, OpenSSL's Dual_EC_DRBG implementation, [the set is large])

X. see that one top post ... [was: RDRAND used directly when...
On Sat, Dec 14, 2013 at 4:33 AM, coderman coder...@gmail.com wrote:
> as per the FreeBSD announcement[0] and others[1][2] direct use of RDRAND as sole entropy source is not recommended...
Re: [Full-disclosure] RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e
On Mon, Dec 16, 2013 at 7:27 PM, coderman coder...@gmail.com wrote:
> ...
> what is affected??

fortunately impacts are less than anticipated!

nickm devised most concise fix:
  RAND_set_rand_method(RAND_SSLeay());
always after ENGINE_load_builtin_engines().
https://gitweb.torproject.org/tor.git/commitdiff/7b87003957530427eadce36ed03b4645b481a335

---

full write up is here including a BADRAND engine patch for testing:
https://peertech.org/goodrand

---

last but not least, notable omissions on NSA role in reqs for random number sources in Appendix E: "US Government Role in Current Encryption Standards.":
http://cryptome.org/2013/12/nsa-usg-crypto-role.pdf

can we get a do-over?
Re: [Full-disclosure] [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application
On Mon, Dec 16, 2013 at 2:50 PM, Fyodor fyo...@nmap.org wrote:
> ...
> Apparently you touched a nerve! If the legal threats we received for archiving this security advisory on SecLists.org are any indication, ZippyYum really doesn't want anyone to know they were storing users' credit card info (including security code) and passwords in cleartext on their phones.
> ...
> Here are the legal threats we received today and last Wednesday:
>
> -- Forwarded message --
> From: Mikken Tutton mikken.tut...@intersecworldwide.com
> Date: Mon, Dec 16, 2013 at 1:33 PM
> ...
> We contacted you last week regarding some private information about our client that you have posted on your website, in violation of Non-Disclosure agreements we have in place with our customer Zippy Yum. We are requesting that this information be removed immediately.

i have a solution to the incompetent PCI vendor problem: put credit card data under NDA!

how many nastygrams does seclists get a year?
Re: [Full-disclosure] RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e
On Sat, Dec 14, 2013 at 4:33 AM, coderman coder...@gmail.com wrote:
> ...
> if you are using an application linked with openssl-1.0.1-beta1 through openssl-1.0.1e you should do one of the following:

updated list with env suggestion:

a.) rebuild your OpenSSL with OPENSSL_NO_RDRAND defined
b.) call ENGINE_unregister_RAND() on rdrand engine followed by ENGINE_register_all_complete() to unregister rdrand as default
c.) set OPENSSL_ia32cap=~0x4000 in global environment (this is poor fix)
d.) git pull latest openssl with commit:
  "Don't use rdrand engine as default unless explicitly requested." - Dr. Stephen Henson

> what is affected??
- someone

sorry, i am not your distro maintainer. but the list includes, potentially (depending on configure opts / runtime / etc):

RHEL 6.5, 7.0
Centos 6.5
Fedora 18,19,rawhide
Ubuntu 12.04, 12.10, 13.04, 13.10, trusty
Debian 7.0, jessie, sid
Gentoo stable/unstable
Knoppix 7.0.5, 7.2.0
Kali 1.0.5
Slackware 14, 14.1, current
...

if ssh built with --with-ssl-engine. these all use OpenSSL 1.0.1+. (remember both ssh client and server may use engines!)

and other libs, like:
M2Crypto
libpam-sshagent-auth
encfs
...

which appear to use OpenSSL default engines. but really, you should go check your shit.

best regards,

P.S. if anyone is aware of RDRAND engine backports to OpenSSL 1.0.0* or 0.9.8* in any distros i'd like to know about it!
[Full-disclosure] RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e
as per the FreeBSD announcement[0] and others[1][2] direct use of RDRAND as sole entropy source is not recommended.

from Westmere onward you could use AES-NI to make crypto fast in OpenSSL. a common theme is to initialize OpenSSL via ENGINE_load_builtin_engines() which lets OpenSSL take advantage of this acceleration.

with Sandy Bridge you also got RDRAND. now load_builtin_engines results in the application using RDRAND directly for all entropy, in addition to accelerating AES.

if you are using an application linked with openssl-1.0.1-beta1 through openssl-1.0.1e you should do one of the following:

a.) rebuild your OpenSSL with OPENSSL_NO_RDRAND defined.
b.) call RAND_set_rand_engine(NULL) after ENGINE_load_builtin_engines().
c.) git pull latest openssl with commit:
  "Don't use rdrand engine as default unless explicitly requested." - Dr. Stephen Henson

the OPENSSL_NO_RDRAND option is recommended; an inadvertent call to load engines elsewhere could re-enable this bad rng behavior.

best regards,

0. FreeBSD Developer Summit: Security Working Group, /dev/random
https://wiki.freebsd.org/201309DevSummit/Security
1. Surreptitiously Tampering with Computer Chips
https://www.schneier.com/blog/archives/2013/09/surreptitiously.html
2. How does the NSA break SSL? ... Weak random number generators
http://blog.cryptographyengineering.com/2013/12/how-does-nsa-break-ssl.html
Re: [Full-disclosure] RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e
On Sat, Dec 14, 2013 at 8:31 AM, Dennis E. Hamilton dennis.hamil...@acm.org wrote:
> It would have been good if you had said "security issue" ...

i think the word you're looking for is "Feature".

... but you and me are not the customer. ;)
Re: [Full-disclosure] RDRAND used directly when default engines loaded in openssl-1.0.1-beta1 through openssl-1.0.1e
On Sat, Dec 14, 2013 at 4:33 AM, coderman coder...@gmail.com wrote:
> ...
> if you are using an application linked with openssl-1.0.1-beta1 through openssl-1.0.1e you should do one of the following:
> ...
> b.) call RAND_set_rand_engine(NULL) after ENGINE_load_builtin_engines().

correction: this won't leave you vulnerable, but it will crash your app.

not broken convention:

  /* If we are using a version of OpenSSL that supports native RDRAND
     make sure that we force disable its use as sole entropy source.
     See https://trac.torproject.org/projects/tor/ticket/10402 */
  if (SSLeay() >= OPENSSL_V_SERIES(1,0,0)) {
    t = ENGINE_get_default_RAND();
    if (t && (strcmp(ENGINE_get_id(t), "rdrand") == 0)) {
      log_warn(LD_CRYPTO, "OpenSSL is using RDRAND by default. "
               "Attempting to force disable.");
      ENGINE_unregister_RAND(t);
      ENGINE_register_all_complete();
    }
  }

see https://peertech.org/dist/tor-latest-rdrand-disable.patch

best regards,
Re: [Full-disclosure] Multiple issues in OpenSSL - BN (multiprecision integer arithmetics).
On Mon, Dec 2, 2013 at 12:31 PM, ScripT setInterval(function(){for( ){alert('fixme')} } 10) /scRIpt tytusromekiatomek@...
-^

this is what happens when little bobby tables and his younger cousin get into mischief...
Re: [Full-disclosure] RFP: FOIA with privacy waivers[0] for oversight
On Thu, Nov 28, 2013 at 12:25 PM, coderman coder...@gmail.com wrote:
> Request for participants FOIA with privacy waivers...

yes; this requires trust in my efforts on your behalf.

alternatively you can file the requests yourself, covering your own fees, if any, and collaborate with others on the relevant aspects of the returned information. i will provide details on performing these requests and assisting with a collaborative analysis of them for those who wish to pursue this route.

this entails some hours of preparation for specific and detailed wording of requests, sending the requests to the many dozens of relevant field offices, headquarters, and executive offices relevant to the query, and paying fees, or providing subsequent justifications for requests not immediately serviced.

my sincere thanks to those who wish to assist this effort to ensure accountability and proper use of powerful technologies applied in the public interest.
[Full-disclosure] RFP: FOIA with privacy waivers[0] for oversight
Request for participants FOIA with privacy waivers[0] to investigate:

- FBI and other TLA use of offensive attacks as part of active forensics in investigations. Circumstances around use; e.g. lack of search and seizure warrants, only classified expedient requests or pen register orders.
- InfraGard partnerships with industry and the extent to which private corporate interests drive FBI priorities and interest in cyber crime investigations.
- FBI involvement and support of criminal offensive attacks against third parties through confidential informants and contractors.

If you were involved in independent security research prior to 2010 in the United States as a US citizen and would like to assist with FOIPA requests please reply.

0. Meet the Punk Rocker Who Can Liberate Your FBI File
http://www.motherjones.com/politics/2013/11/foia-ryan-shapiro-fbi-files-lawsuit
Re: [Full-disclosure] Wapiti 2.3.0 - the python-powered web-application vulnerability scanner
On Wed, Nov 27, 2013 at 2:10 PM, Nicolas Surribas nicolas.surri...@gmail.com wrote:
> ...
> I'm proud to announce the release of a new version of Wapiti, the web-application vulnerability scanner...
> What's new in version 2.3.0 ?
> ...
> * Removed SOCKS proxy support (due to migration to python-requests). You will have to use proxies like Polipo to tunnel requests through SOCKS.

requests, i am disappoint (~_~;)

ah well, transparent|HTTP[S] proxy FTW...
Re: [Full-disclosure] DEF CON 19 - hackers get hacked!
On Thu, Aug 11, 2011 at 4:14 AM, coderman coder...@gmail.com wrote:
> ...
> seriously EOM this time.

well, what do you know, sunlight prevails! ;)
http://electrospaces.blogspot.com/2013/11/drtbox-and-drt-surveillance-systems.html

... this is but a feeling; one aspect of the whole.[0]

0. Blind men and an elephant
https://en.wikipedia.org/wiki/Blind_men_and_an_elephant
Re: [Full-disclosure] DEF CON 19 - hackers get hacked! , DEF CON 20 was not DRT
no, DC20 was not DRT. then i would feel bad for getting my ass handed to me...

(when i discover the codename for my retribution, it shall become my headstone..)
Re: [Full-disclosure] Ip address and mac address hardcoded
On Sat, Nov 16, 2013 at 3:59 AM, mrame...@hushmail.com wrote:
> ...
> I come across an ip address and a mac address hardcoded in some libraries of a firmware for a vendor. Why should it be there this kind of hardcode?

i've seen this done for testing purposes, when running hardware through a quality check harness which needs such static configuration.

what is the IP? (publicly route-able or internal only?)
what is the MAC OUI prefix? (valid vendor or some arbitrary unallocated ident?)

answering these questions would help identify test vs. backdoor intent...
[Full-disclosure] OpenSSH Security Advisory: gcmrekey.adv
surprised not a peep about this one here yet,... hmmm a fun one ;)

we are accustomed to old software adding risk; new (secondary effects of combined AUTH+ENC modes) also carries risk!

---

OpenSSH Security Advisory: gcmrekey.adv

This document may be found at: http://www.openssh.com/txt/gcmrekey.adv

1. Vulnerability

A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-...@openssh.com or aes256-...@openssh.com) is selected during kex exchange. If exploited, this vulnerability might permit code execution with the privileges of the authenticated user and may therefore allow bypassing restricted shell/command configurations.

2. Affected configurations

OpenSSH 6.2 and OpenSSH 6.3 when built against an OpenSSL that supports AES-GCM.

3. Mitigation

Disable AES-GCM in the server configuration. The following sshd_config option will disable AES-GCM while leaving other ciphers active:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc

4. Details

When using AES-GCM, sshd was not initialising a Message Authentication Code (MAC) context that is unused when the cipher mode offers authentication itself. This context contains some callback pointers, including a cleanup callback that was still being invoked during a rekeying operation. As such, the address being called was derived from previous heap contents.

This vulnerability is mitigated by the difficulty of pre-loading the heap with a useful callback address and by any platform address-space layout randomisation applied to sshd and the shared libraries it depends upon.

5. Credit

This issue was identified by Markus Friedl (an OpenSSH developer) on November 7th, 2013.

6. Fix

OpenSSH 6.4 contains a fix for this vulnerability.
Users who prefer to continue to use OpenSSH 6.2 or 6.3 may apply this patch:

Index: monitor_wrap.c === RCS file: /cvs/src/usr.bin/ssh/monitor_wrap.c,v retrieving revision 1.76 diff -u -p -u -r1.76 monitor_wrap.c --- monitor_wrap.c 17 May 2013 00:13:13 - 1.76 +++ monitor_wrap.c 6 Nov 2013 16:31:26 - @@ -469,7 +469,7 @@ mm_newkeys_from_blob(u_char *blob, int b buffer_init(b); buffer_append(b, blob, blen); - newkey = xmalloc(sizeof(*newkey)); + newkey = xcalloc(1, sizeof(*newkey)); enc = newkey-enc; mac = newkey-mac; comp = newkey-comp;
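Review bot: the xmalloc() to xcalloc(1, ...) change at the newkey allocation makes the unused MAC context's callback pointers NULL instead of stale heap contents, but the rekey path that still invokes the cleanup callback (section 4 of the advisory) is not touched by this hunk; that caller should also skip the cleanup when the MAC context was never initialised for an AEAD cipher, so correctness does not rest on every allocation site remembering to zero the struct. A short comment above the xcalloc line saying why zeroed allocation is required here would also keep a later refactor from quietly reintroducing the problem.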
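As an added illustration of the defect class described in section 4 (this is not OpenSSH's code; the struct and function names are hypothetical stand-ins for sshd's newkeys/MAC state): with an AEAD cipher the MAC context is never filled in, so only a zeroed allocation makes the later NULL check on the cleanup callback meaningful.

```c
/* Added example modelling gcmrekey.adv: a per-direction key state whose MAC
 * context is left untouched for AES-GCM, because the cipher authenticates by
 * itself.  Obtained via malloc(), the MAC's callback pointer holds whatever
 * the heap held before and a rekey teardown calls through it; obtained via
 * calloc() (the advisory's fix) it is NULL and the teardown skips it.
 * All identifiers here are hypothetical stand-ins for the sshd structures. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef void (*mac_cleanup_fn)(void *state);

/* Stand-in for the sshd MAC context: carries callback pointers. */
struct mac_ctx {
    const char *name;
    void *state;
    mac_cleanup_fn cleanup;   /* invoked when the old keys are torn down */
};

/* Stand-in for sshd's per-direction key state. */
struct newkeys {
    const char *cipher;
    int aead;                 /* 1 for AES-GCM style modes: MAC context unused */
    struct mac_ctx mac;
};

int cleanups_run;             /* how often the real HMAC cleanup fired */

static void hmac_cleanup(void *state)
{
    (void)state;
    cleanups_run++;
}

/* Build key state for the negotiated cipher.  zeroed==1 uses calloc() (the
 * fix); zeroed==0 uses malloc() and, for an AEAD cipher, leaves mac.cleanup
 * holding whatever the heap held before (the bug). */
struct newkeys *newkeys_from_negotiation(const char *cipher, int zeroed)
{
    struct newkeys *nk = zeroed ? calloc(1, sizeof *nk) : malloc(sizeof *nk);
    if (nk == NULL)
        return NULL;
    nk->cipher = cipher;
    nk->aead = strstr(cipher, "gcm") != NULL;
    if (!nk->aead) {
        /* Non-AEAD cipher: the MAC context is fully initialised. */
        nk->mac.name = "hmac-sha2-256";
        nk->mac.state = NULL;
        nk->mac.cleanup = hmac_cleanup;
    }
    /* AEAD cipher: mac is deliberately not touched, as in the advisory. */
    return nk;
}

/* Rekey teardown mirroring the advisory: the cleanup callback runs whenever
 * it is non-NULL, without consulting the cipher mode.  That is only safe when
 * the allocation was zeroed, so an unused MAC context yields NULL here.
 * Returns 1 if a callback ran, 0 if it was skipped. */
int newkeys_teardown(struct newkeys *nk)
{
    int invoked = 0;
    if (nk == NULL)
        return 0;
    if (nk->mac.cleanup != NULL) {
        nk->mac.cleanup(nk->mac.state);
        invoked = 1;
    }
    free(nk);
    return invoked;
}

/* 1 when an AEAD key state's MAC context is in the all-zero condition that
 * calloc() guarantees and the NULL check in newkeys_teardown() relies on. */
int aead_mac_is_zeroed(const struct newkeys *nk)
{
    static const struct mac_ctx zero;
    return nk != NULL && nk->aead && memcmp(&nk->mac, &zero, sizeof zero) == 0;
}

int main(void)
{
    struct newkeys *nk = newkeys_from_negotiation("aes256-gcm@openssh.com", 1);
    int ok = aead_mac_is_zeroed(nk);
    ok = ok && newkeys_teardown(nk) == 0;
    return ok ? 0 : 1;
}
```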
Re: [Full-disclosure] OpenSSH Security Advisory: gcmrekey.adv
On Fri, Nov 8, 2013 at 10:56 AM, CERT OPS Marienfeldt cert.marienfe...@gmail.com wrote:
> "If exploited, this vulnerability might permit code execution with the privileges of the authenticated user" might explain the absence ;-)

how many integrations and services auth without shell? /sbin/nologin to /sbin/privescalate ... tough crowd.

i leave you to your preauth remote exec fantasies, ;)
Re: [Full-disclosure] OpenSSH Security Advisory: gcmrekey.adv
On Fri, Nov 8, 2013 at 8:28 PM, Bob Man Van Kim evdo.hs...@gmail.com wrote:
> Actually, guys... im wondering if the lack of response is due to falling user participation...

clearly we need more vulnerable installations.

please reply to this email with your IPv4 listen addr and port once you've updated to OpenSSH 6.2 or 6.3 sans calloc().

best regards,
your friendly host configuration verifier
[Full-disclosure] coderman's keys
my contempt for email is well known and reinforced by choice of provider. there are myriad rebuttals to email as private channel, of which i agree fully.

however, if you pass muster, i can be reached via secure email. yes your default client will balk. this is a feature not a bug... you must be this high to ride...
Re: [Full-disclosure] coderman's keys
On Thu, Oct 31, 2013 at 7:55 PM, coderman coder...@gmail.com wrote:
> my contempt for email is well known and reinforced by choice of provider. there are myriad rebuttals to email as private channel, of which i agree fully.
>
> however, if you pass muster, i can be reached via secure email. yes your default client will balk. this is a feature not a bug... you must be this high to ride...

still no successful encrypted responses. do i have to sweeten this pot?

let's try an experiment: one bitcoin (~200$USD) to whoever successfully encrypts a message to my key.

... ready, set, go!
Re: [Full-disclosure] Serious Yahoo bug discovered. Researchers rewarded with $12.50
On Thu, Oct 3, 2013 at 3:21 AM, coderman coder...@gmail.com wrote:
> ...
> i would pay money to never read about lame XSS on this list again...

ok, lame is too harsh; inaccurate. as part of a larger campaign of pwn, XSS can play part in a pandemic pounding of target host or network. better to say routine XSS, which XSS certainly is. E.g.

"...we built a total of 181,238 unique exploit test cases,... these [test cases] we were able to trigger our reporting function 69,987 times... [and] that the exploits triggered 8,163 unique vulnerabilities."
http://ben-stock.de/2013/09/summary-of-our-ccs-paper-on-dom-based-xss/

i've read 2,261 threads discussing XSS on this list. do we really need to discuss the remaining thousands?
Re: [Full-disclosure] Serious Yahoo bug discovered. Researchers rewarded with $12.50
On Thu, Oct 3, 2013 at 3:20 AM, coderman coder...@gmail.com wrote:
> ... incompetent, disrespectful vendors can be really motivating...

i recant my accusation that Yahoo is disrespectful and idiotic; they just have poor timing and appear to be addressing the complaints discussed, and had been working on this improved program before the brouhaha.
http://yahoodevelopers.tumblr.com/post/62953984019/so-im-the-guy-who-sent-the-t-shirt-out-as-a-thank-you

plenty of assholes all around in this story though... keep it classy infosec!
[Full-disclosure] Internet has vuln.
'''
The NSA has undermined a fundamental social contract. We engineers built the internet – and now we have to fix it...

By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards.

This is not the internet the world needs, or the internet its creators envisioned. We need to take it back. And by we, I mean the engineering community...

One, we should expose. If you do not have a security clearance, and if you have not received a National Security Letter, you are not bound by federal confidentiality requirements or a gag order. If you have been contacted by the NSA to subvert a product or protocol, you need to come forward with your story... If you work with classified data and are truly brave, expose what you know. We need whistleblowers.

Two, we can design. We need to figure out how to re-engineer the internet to prevent this kind of wholesale spying. We need new techniques to prevent communications intermediaries from leaking private information. We can make surveillance expensive again. In particular, we need open protocols, open implementations, open systems...

Generations from now, when people look back on these early decades of the internet, I hope they will not be disappointed in us. We can ensure that they don't only if each of us makes this a priority, and engages in the debate. We have a moral duty to do this, and we have no time to lose.

Dismantling the surveillance state won't be easy. Has any country that engaged in mass surveillance of its own citizens voluntarily given up that capability? Has any mass surveillance country avoided becoming totalitarian? Whatever happens, we're going to be breaking new ground.
'''
- Bruce Schneier
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying/print

note from the editor: i'll believe we have made progress toward robust crypto once every personal computing device has a robust hardware entropy source. (backdoor generators like RDRAND don't count, of course ;)
[Full-disclosure] cypherpunks celebrate the fourth writing code ... ; )
Re: [Full-disclosure] tor vulnerabilities?

On Wed, Jul 3, 2013 at 11:04 AM, coderman coder...@gmail.com wrote:
> ... next generation low latency anonymity networks are a fun area of research and suited to interesting attacks. you could help build and break them when you're sufficiently sated with vague criticisms...

today's homework: build a low latency, datagram capable, traffic analysis resistant anonymity network!

bring your books to class, [0]

start by implementing the transport stacks, then continue to measurement, path selection, directory/control consensus and distribution and remaining aspects.

apply SCTP for congestion control of transparent proxy traffic. local classification of traffic allocates by protocol / use fairness instead of aggregate tcp fairness. like bittorrent or aria2 parallel traffic treated as distinct low priority unit of traffic, deferring to higher priority low latency web traffic and messaging.

multi-homing / multi-path endpoints in SCTP would maintain concurrent connection with distinct endpoints, avoiding predecessor, timing, denial of service attacks present in reliable, ordered, single stream transports. edges would be screwed by correlation, unless they were full fledged participants consistently.

using a UDP based transport with LEDBAT or other technique to keep broadband upstream unsaturated and unclogged (no deep queues), allowing all broadband endpoints the ability to contribute to a large shared network.

[Bonus points: specify practical application level privacy preserving proxy system for common web protocols to support exit node support for TCP and UDP based protocols.]

ORCHID IPv6 addressing with IPsec tunnels is intended to re-use existing work, including well tested auth+privacy with datagram padding in IPsec. SCTP+TLS would fit over top of IPv6 ORCHID endpoints (using IPsec SAs) to transport signalling/keying and encapsulated client traffic.

part of this would also include lowest priority (lossy reliable) SRMP type delivery of useful, less immediate information to nodes.

to some extent the ORCHID addresses could be thought of as hidden service names and also circuit endpoints for a given IPsec tunnel. apply petnames or gnunet shared nicknames for mapping to human meaningful identifiers.

this set of:
a. critical signalling and keying traffic
b. high priority, interactive web traffic and messaging
c. lower priority bulk traffic, downloads, streaming media
d. best effort, latent bulk caching and exchange

are the classful shaping groups ordered inside of opaque SFQ outbound queues at various improved/concurrent stratified dependent link padding paths of IPsec telescopes carrying intermediate hop (signalling) and bearer traffic.

combining better prioritization of traffic and consistent consumption of traffic (deferring low priority packets and using opportunistic caching strategies for network information respectively) obtains the best performance out of the SFQ DLP paths with the lowest latency for priority traffic.

---

0. things you'll want to read for this project:

Anonymity Bibliography | Selected Papers in Anonymity
http://freehaven.net/anonbib/
or by topic
http://freehaven.net/anonbib/topic.html

LEDBAT edge management
http://tools.ietf.org/html/draft-ietf-ledbat-congestion-09

SCTP
http://tools.ietf.org/html/rfc4960

IPsec telescopes
http://tools.ietf.org/html/rfc4843

multicast gradients (reliable multi-cast)
http://disi.unitn.it/locigno/preprints/TR-DISI-08-041.pdf

ORCHID overlay addressing
http://tools.ietf.org/html/rfc4410

stochastic fair queuing
http://www2.rdrop.com/~paulmck/scalability/paper/sfq.2002.06.04.pdf

Kernel and stacks in userspace (BSD Anykernel and Rump kernels)
http://www.netbsd.org/docs/rump/index.html
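The post above describes four traffic classes shaped inside a padded, constant-rate link so that priority traffic gets the lowest latency while an observer on the wire sees a steady cell rate. The following is an added example written for this page, not code from the post or from any of the projects it cites: a discrete-time toy of that scheduling idea. The class labels follow the post's a-d list; the tick granularity, the fixed cell size and the arrival pattern are assumptions made for illustration.

```python
"""Priority classes inside a constant-rate, padded outbound link (added example)."""
from collections import deque

# Strict priority order, highest first (labels follow the post's a-d list).
CLASSES = ("a", "b", "c", "d")
PAD = "pad"


class PaddedLink:
    """One outbound link: a FIFO per class plus a record of what went out."""

    def __init__(self):
        self.queues = {c: deque() for c in CLASSES}
        self.sent = []  # per tick: class label of the emitted cell, or PAD

    def enqueue(self, cls, arrival_tick):
        if cls not in self.queues:
            raise ValueError(f"unknown traffic class {cls!r}")
        self.queues[cls].append(arrival_tick)

    def tick(self, now):
        """Emit exactly one cell.  Returns (class, queueing delay) or (PAD, None)."""
        for cls in CLASSES:
            if self.queues[cls]:
                arrived = self.queues[cls].popleft()
                self.sent.append(cls)
                return cls, now - arrived
        # Nothing queued: send a padding cell so the wire rate stays constant
        # and idle periods are not visible to a passive observer.
        self.sent.append(PAD)
        return PAD, None


def simulate(arrivals, ticks):
    """Run the link for `ticks` ticks.

    arrivals maps tick -> list of class labels arriving at that tick.
    Returns (sent, delays): the per-tick wire trace and, per class, the
    queueing delay each emitted cell experienced.
    """
    link = PaddedLink()
    delays = {c: [] for c in CLASSES}
    for now in range(ticks):
        for cls in arrivals.get(now, []):
            link.enqueue(cls, now)
        cls, delay = link.tick(now)
        if cls != PAD:
            delays[cls].append(delay)
    return link.sent, delays


# Constructed arrival pattern: a bulk burst at tick 0, then an interactive
# cell and a signalling cell arriving while the bulk burst is still draining.
ARRIVALS = {0: ["c"] * 6, 2: ["b"], 3: ["a"]}


def demo(ticks=12):
    return simulate(ARRIVALS, ticks)


if __name__ == "__main__":
    sent, delays = demo()
    print("wire trace:", " ".join(sent))
    for cls in CLASSES:
        print(f"class {cls}: delays {delays[cls]}")
```

In the constructed run the bulk cells already queued are pre-empted as soon as the interactive and signalling cells arrive, and the last four ticks carry padding, so the wire trace has one cell per tick throughout. Strict priority is the simplest discipline that shows the point; it will starve class c and d under sustained high-priority load, which is why the post wants protocol/use fairness (an SFQ-style queue) inside each class rather than a single FIFO.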
Re: [Full-disclosure] tor vulnerabilities?
On Wed, Jul 3, 2013 at 7:34 AM, Georgi Guninski gunin...@guninski.com wrote:
> ... I see no reason to trust tor. How do you disprove that at least (say) 42% of the tor network is malicious, trying to deanonymize everyone and logging everything?

end to end privacy is orthogonal to anonymity, however, exit nodes imply risks most users aren't familiar with or accustomed to. does this mean Tor is useless? No - but it must be used with care, certainly.

> Or maybe some obscure feature deanonymize in O(1) :)

these bugs are short lived but do happen from time to time... my favorite will always be CVE-2007-4174 *grin*

next generation low latency anonymity networks are a fun area of research and suited to interesting attacks. you could help build and break them when you're sufficiently sated with vague criticisms.
[Full-disclosure] reasonable return on investment; better investments in security [was Re: VUPEN Security Research - Adobe Flash Player RTMP Data Processing Object Confusion (CVE-2013-2555)]
On Fri, Apr 19, 2013 at 1:26 PM, paul.sz...@sydney.edu.au wrote:
> ... 2012-02-15 - Vulnerability Discovered by VUPEN
> 2013-03-06 - Vulnerability Exploited At Pwn2Own 2013 and Reported to Adobe...
> Is a delay of a year before reporting to the vendor, acceptable?

three years or more is better of course! i would not be disappointed with a dozen months, however. alas external factors (especially when licenses are non-exclusive) complicate longevity of weaponized exploits...

if you really want to improve security:

a) remove all criminal and civil liability for hacking, computer trespass, and all related activities performed over data networks; establish proactive shield legislation to protect and encourage unrestricted security research of any subject on any network. extend to international agreements for blanket protection in all jurisdictions.

b) establish lock picking, computing, and hacking curriculum in pre school through grade school with subsidized access to technical resources including mobile, tablet, laptop test equipment, grid/cloud computing on-demand, software defined radios with full receive/transmit, and gigabit internet service or faster.

c) organize a program of blue and red teaming challenges for educational and public participation at the district, regional, and national level cultivating expertise and rewarding it with hacking toys, access, and monies.

if implemented, i can guarantee a significant and measurable improvement in the security posture of the systems that remain in such an environment.
Re: [Full-disclosure] Advisory: PonyOS Security Issues
On Tue, Apr 2, 2013 at 10:49 AM, John Cartwright jo...@grok.org.uk wrote:
> In all seriousness I accept the fact that the OS isn't meant to be secure in any way and I have essentially wasted 24 hours of my life horsing around with it.

attachment: good-one.jpg
Re: [Full-disclosure] test
On Wed, Feb 27, 2013 at 3:13 AM, imipak imi...@gmail.com wrote:
> SMTP_ECHO_REQUEST

ICMP_SOURCE_QUENCH
Re: [Full-disclosure] how to sell and get a fair price
On Thu, Jan 10, 2013 at 9:03 AM, Mikhail A. Utin mu...@commonwealthcare.org wrote:
> ... I once shared my idea that ZDI is not right way to go. It should be a market place (web portal) for selling vulnerabilities based on action price. Like eBay.

this reasoning assumes money is the only deciding factor on when and to whom to release a vuln. some buyers represent more or less ethical implications for your work, which will in turn influence fair price.

and sometimes burning a million dollar vuln for great justice is more satisfying than all the gold in the world... ;)
Re: [Full-disclosure] how i stopped worrying and loved the backdoor
Dan just released DakaRand
http://dankaminsky.com/2012/08/15/dakarand/
src http://s3.amazonaws.com/dmk/dakarand-1.0.tgz

while admitting that
> Matt Blaze has essentially disowned this approach, and seems to be honestly horrified that I’m revisiting it
and
> Let me be the first to say, I don’t know that this works.

this mode would greatly reduce, maybe eliminate the incidence of key duplication in large sample sets (e.g. visibly poor entropy for key generation)

the weak keys[0] authors clearly posit that they have detected merely the most obvious and readily accessible poor keys, and that further attacks against generator state could yield even more vulnerable pairs... you have been warned :P

the solution is adding hw entropy[1][2] to the mix. anything less is doing it wrong! if you don't have hw entropy, adding dakarand is better than not.

0. Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices - Extended
https://factorable.net/weakkeys12.extended.pdf

1. Intel RNG
http://lists.randombit.net/pipermail/cryptography/2012-June/002995.html
see also by thread: http://lists.randombit.net/pipermail/cryptography/2012-June/thread.html#2995

2. xstore
http://www.via.com.tw/en/downloads/whitepapers/initiatives/padlock/rng_prog_guide.pdf

X. LD 50 radiation exposure of the common pigeon. entropy via carrier pigeon (DRAFT) ;P

P.P.S: if you're not passing valid hw entropy into VM guests, you're also doing it wrong. even enough passed at boot is sufficient, provided key generation is secure. always a million caveats... and adding dakarand to guests is better than not.

On Wed, Jul 18, 2012 at 12:35 PM, coderman coder...@gmail.com wrote:
> On Fri, Dec 24, 2010 at 5:08 PM, Dan Kaminsky d...@doxpara.com wrote:
>> ... Don't we have hardware RNG in most motherboard chipsets nowadays?
>
> clearly not enough of them!
>
> 'Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices'
> https://factorable.net/weakkeys12.extended.pdf
Re: [Full-disclosure] debugfs exploit for a number of Android devices
On Wed, Aug 15, 2012 at 6:10 AM, Dan Rosenberg dan.j.rosenb...@gmail.com wrote:
> ... So many things wrong here. What's actually happening is these devices have a line in their /init.rc scripts, which are run at boot as root by the init process,...

some of my favorite stories start this way! ;P
Re: [Full-disclosure] Android HTC Mail insecure password management
On Tue, Aug 7, 2012 at 10:06 PM, Jeffrey Walton noloa...@gmail.com wrote:
> ... Android 4.0+ offers a Keychain, and applications should be storing base secrets in the Keychain

any bets on adoption? prepare to be disappointed... (we should have a name and shame for just this purpose)
Re: [Full-disclosure] how i stopped worrying and loved the backdoor
On Fri, Dec 24, 2010 at 5:08 PM, Dan Kaminsky d...@doxpara.com wrote:
> ... Don't we have hardware RNG in most motherboard chipsets nowadays?

clearly not enough of them!

'Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices'
https://factorable.net/weakkeys12.extended.pdf

RSA and DSA can fail catastrophically when used with malfunctioning random number generators, but the extent to which these problems arise in practice has never been comprehensively studied at Internet scale. We perform the largest ever network survey of TLS and SSH servers and present evidence that vulnerable keys are surprisingly widespread. We find that 0.75% of TLS certificates share keys due to insufficient entropy during key generation, and we suspect that another 1.70% come from the same faulty implementations and may be susceptible to compromise. Even more alarmingly, we are able to obtain RSA private keys for 0.50% of TLS hosts and 0.03% of SSH hosts, because their public keys shared nontrivial common factors due to entropy problems, and DSA private keys for 1.03% of SSH hosts, because of insufficient signature randomness. We cluster and investigate the vulnerable hosts, finding that the vast majority appear to be headless or embedded devices.

infosec comedy gold :P
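The abstract quoted above describes moduli that share a prime factor because devices generated keys with too little entropy, and the DakaRand post earlier in this archive argues that mixing a hardware entropy source into the seed is the fix. The following is an added example written for this page, not code from the paper, from DakaRand or from any of the posts: it simulates a small fleet of devices with the boot-time entropy hole the paper describes, shows that a pairwise gcd over their public moduli recovers the shared factor, and shows that hashing a hardware entropy sample into the seed removes the collisions. The 32-bit primes, the fleet size and the entropy parameters are assumptions chosen to keep the run fast; os.urandom stands in for the hardware source.

```python
"""Shared-factor detection on a fleet of low-entropy keys (added example)."""
import hashlib
import math
import os
import random

# Bases that make Miller-Rabin deterministic for n < 341,550,071,728,321,
# far above the 64-bit moduli used here.
MR_BASES = (2, 3, 5, 7, 11, 13, 17)


def is_prime(n):
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(rng, bits=32):
    """Draw odd candidates with the top bit set until one is prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(cand):
            return cand


def weak_keygen(boot_seed, later_entropy, bits=32):
    """Device with an entropy hole: p from the boot-time seed, q after more entropy."""
    rng = random.Random(boot_seed)
    p = random_prime(rng, bits)
    rng.seed(boot_seed * 1_000_003 + later_entropy)  # entropy arrives between p and q
    q = random_prime(rng, bits)
    return p * q


def hardened_keygen(boot_seed, hw_bytes, bits=32):
    """Same device, but the seed is hashed together with a hardware entropy sample."""
    seed = int.from_bytes(
        hashlib.sha256(boot_seed.to_bytes(8, "big") + hw_bytes).digest(), "big")
    rng = random.Random(seed)
    return random_prime(rng, bits) * random_prime(rng, bits)


def shared_factors(moduli):
    """Pairwise gcd scan (the paper uses a batch gcd; O(n^2) is fine for a toy).

    Returns {index: factor} for every modulus sharing a nontrivial factor.
    """
    found = {}
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = math.gcd(moduli[i], moduli[j])
            if 1 < g < moduli[i]:
                found[i] = g
                found[j] = g
    return found


def factor_with_hint(n, g):
    """Recover (p, q) from a modulus and a leaked factor."""
    p, q = g, n // g
    assert p * q == n and is_prime(p) and is_prime(q)
    return p, q


def run_fleet(n_devices=60, boot_entropy_bits=4, seed=2012):
    """Simulate one constructed fleet both ways; returns counts of factorable moduli."""
    fleet = random.Random(seed)  # drives the constructed fleet, not the keys
    weak, hardened = [], []
    for _ in range(n_devices):
        boot_seed = fleet.getrandbits(boot_entropy_bits)  # only a few bits at boot
        later = fleet.getrandbits(20)
        weak.append(weak_keygen(boot_seed, later))
        hardened.append(hardened_keygen(boot_seed, os.urandom(32)))
    weak_hits = shared_factors(weak)
    for idx, g in weak_hits.items():
        factor_with_hint(weak[idx], g)  # every hit really factors the modulus
    return {"weak_shared": len(weak_hits),
            "hardened_shared": len(shared_factors(hardened))}


if __name__ == "__main__":
    print(run_fleet())
```

With four bits of boot-time entropy and sixty devices, most devices share their first prime with at least one other, so the gcd scan factors a large fraction of the weak fleet while the hardened fleet yields nothing. The check a defender can run on a real fleet is the same gcd scan over the public keys (using batch gcd at scale); the fix is the mixing step in hardened_keygen, which is what feeding a hardware source into the kernel pool before key generation achieves.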
Re: [Full-disclosure] XSS vulnerabilty on eenmiljardseconden.frankdeboosere.be
On Mon, Jul 16, 2012 at 12:23 AM, Yvan Janssens yvan.janss...@vasco.com wrote:
> I found an XSS vulnerability in http://eenmiljardseconden.frankdeboosere.be/ . This vulnerability was possible due to invalid input validation/bad programming. The owner was contacted and a satiric fix was deployed. ... It is now solved, and if you try to execute it again, you get a link to Rick Astley’s “Never gonna give you up” on YT.

priceless! ++
Re: [Full-disclosure] CRYPTO-GRAM, July 15, 2012
On Sat, Jul 14, 2012 at 4:25 PM, Bruce Schneier schne...@schneier.com wrote:
> ... Many roadside farm stands in the U.S. are unstaffed. They work on the honor system: take what you want, and pay what you owe. I like systems that leverage personal moral codes for security. But I'll bet that the pay boxes are bolted to the tables.

many but not most. also, goats are exceptional sources of inspiration on side channel attacks and insider threats. more on this later.. ;)

[i'd like to see a survey of info-sec specialists[0] turned ag entrepreneurs. or sechors[0] as jya calls them...]

> The Failure of Anti-Virus Companies to Catch Military Malware
> Mikko Hypponen of F-Secure attempts to explain why anti-virus companies didn't catch Stuxnet, DuQu, and Flame. His conclusion is simply that the attackers -- in this case, military intelligence agencies -- are simply better than commercial-grade anti-virus programs.

this is true. they are better.

> I don't buy this. It isn't just the military that tests its malware against commercial defense products; criminals do it, too.

many criminals are also better! ... but not most. heh

> Probably the people who wrote Flame had a larger budget than a large-scale criminal organization.

as evidenced by novel MD5 collision attacks leveraged for windows update MitM (aka, holy grail) and expansive A/V countermeasures via, again novel, code injection methods. they also do extensive QA to ensure success against their targets, spanning whatever platform and processes. QA is expensive, and methodical QA on malware; this makes me chortle!

> I think the difference has more to do with the ways in which these military malware programs spread. That is, slowly and stealthily.

this is intended to preserve return on investment. maybe one difference, but not the most significant.

> it seems clear that conventional non-military malware writers who want to evade detection should adopt the propagation techniques of Flame, Stuxnet, and DuQu.

they won't and they don't need to. conventional malware targets the masses, and they're vulnerable without much effort. military malware targets the specific, and they'll do whatever they can (which is significant) to achieve success. entirely different domains!

> ... I think there's an interesting discussion to be had about why the anti-virus companies all missed Flame for so long.
> http://www.f-secure.com/weblog/archives/2388.html

this is succinct and apropos. commercial A/V is not going to protect against state sponsored attacks (of which world class malware is a part). such protection requires ..., well, far more than kaspersky can ever give you :P

0. Reign of the Sechors
http://cryptome.org/2012/07/sechors.htm
Re: [Full-disclosure] Linux - Indicators of compromise
On Mon, Jul 16, 2012 at 10:59 AM, Григорий Братислава musntl...@gmail.com wrote:
> ... Is in my experience is that I place two folders in directory in is root folder called /root/MilaKunisLeakedPhotos/ and /root/OlgaKurlyenko/ is when I see is accessed. Then I know is my machine compromised. Everyone is want see Olga and Mila

there are honey tokens, and there are *honey* tokens. Григорий Братислава doing it right! ;P
Re: [Full-disclosure] Linux - Indicators of compromise
On Mon, Jul 16, 2012 at 11:52 AM, Ali Varshovi ali.varsh...@hotmail.com wrote:
> I'm thinking that we need a comparison base or normal behavior profile to be able to detect any deviations or abnormal/suspicious activity. While some known patterns of behaviors are useful to detect malware or backdoors we still need that normal profile to detect 0-day or APT style intrusions. Isn't that the same idea from early days of intrusion detection research (anomaly detection approach)?

yes, also called:
Anomaly Detection
Anomaly-Based Intrusion Detection System
Outlier Detection
Behavior Analysis
and other things i've forgotten...
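The exchange above is about building a normal-behaviour profile first and flagging deviations from it. The following is an added example written for this page, not code from the thread: it builds a per-user profile (source addresses and login hours) from a constructed set of accepted ssh login lines, then scores new lines by how far they deviate from that profile. The log format mimics OpenSSH's "Accepted publickey" line with an ISO timestamp prepended; the host name, users and addresses are constructed.

```python
"""Baseline-then-deviate: a minimal behaviour profile over ssh logins (added example)."""
import re
from collections import defaultdict

LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse(line):
    """Return a dict for an accepted-login line, or None for anything else."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hour"] = int(rec["ts"][11:13])
    return rec


def build_profile(lines):
    """Per user: the set of source addresses and login hours seen in the baseline."""
    profile = defaultdict(lambda: {"sources": set(), "hours": set()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # non-login lines contribute nothing to the profile
        profile[rec["user"]]["sources"].add(rec["src"])
        profile[rec["user"]]["hours"].add(rec["hour"])
    return dict(profile)


def score(rec, profile):
    """Return the list of deviations; an empty list means 'looks like baseline'."""
    user = profile.get(rec["user"])
    if user is None:
        return ["user never seen in baseline"]
    reasons = []
    if rec["src"] not in user["sources"]:
        reasons.append(f"new source {rec['src']} for {rec['user']}")
    if rec["hour"] not in user["hours"]:
        reasons.append(f"login at hour {rec['hour']:02d} outside usual hours")
    return reasons


def detect(baseline_lines, new_lines):
    """Score every login in new_lines against the profile built from baseline_lines."""
    profile = build_profile(baseline_lines)
    results = []
    for line in new_lines:
        rec = parse(line)
        if rec is None:
            continue
        results.append((line, score(rec, profile)))
    return results


# Constructed baseline (a real profile would cover weeks, not five logins).
BASELINE = [
    "2012-07-02T09:12:44 web1 sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2",
    "2012-07-03T10:40:01 web1 sshd[2310]: Accepted publickey for alice from 10.0.0.5 port 50980 ssh2",
    "2012-07-05T16:05:19 web1 sshd[2555]: Accepted publickey for alice from 10.0.0.6 port 51010 ssh2",
    "2012-07-02T11:30:07 web1 sshd[2120]: Accepted publickey for bob from 10.0.0.7 port 40011 ssh2",
    "2012-07-04T14:02:51 web1 sshd[2420]: Accepted publickey for bob from 10.0.0.7 port 40370 ssh2",
    "2012-07-04T14:03:00 web1 sshd[2421]: pam_unix(sshd:session): session opened for user bob",
]

# Constructed new events: one routine login, one from a new address at 03:41,
# one for an account that never logged in during the baseline.
NEW_EVENTS = [
    "2012-07-16T10:15:02 web1 sshd[3001]: Accepted publickey for alice from 10.0.0.5 port 52000 ssh2",
    "2012-07-16T03:41:27 web1 sshd[3002]: Accepted publickey for alice from 203.0.113.9 port 33000 ssh2",
    "2012-07-16T10:50:13 web1 sshd[3003]: Accepted publickey for root from 10.0.0.5 port 52010 ssh2",
]


def demo():
    """Deviation lists for NEW_EVENTS, in order."""
    return [reasons for _, reasons in detect(BASELINE, NEW_EVENTS)]


if __name__ == "__main__":
    for line, reasons in detect(BASELINE, NEW_EVENTS):
        print("ALERT" if reasons else "ok   ", line.split("]: ")[1], reasons)
```

The set-membership checks are the crudest possible model of "normal"; a production detector would use frequency distributions and thresholds rather than exact sets, and would age the profile. The shape is what matters for the discussion above: the profile comes from the host's own history, so a login pattern that never appeared there is flagged without any signature for the specific intrusion.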
[Full-disclosure] Entropy distribution to virtual machines
On Mon, Jun 25, 2012 at 12:21 AM, BMF badmotherfs...@gmail.com wrote:
> ... I have a server with one of these in it: http://www.entropykey.co.uk/ although I still need to find a reasonably secure way to share the entropy with all of my VMs where it is really needed.

check out http://www.vanheusden.com/entropybroker/ or virtio-rng. i haven't used either; does anyone have positive experiences?

for now, roll my own: pass entropy into guest kernel command line which is mixed into guest pool during init, then entropy distribution from host to guest egd's via tcp once networking is up.
Re: [Full-disclosure] [SECURITY] [DSA 2502-1] python-crypto security update
On Sun, Jun 24, 2012 at 1:37 PM, Moritz Muehlenhoff j...@debian.org wrote:
> ... Package : python-crypto
> Vulnerability : programming error...
> It was discovered that the ElGamal code in PythonCrypto, a collection of cryptographic algorithms and protocols for Python used insecure insufficient prime numbers in key generation

i wish i had a dollar for every not-so-random random number generator error that has transpired the last few years. i could pay for DEF CON. ;)

decades pass, and yet people still fuck up the fundamentals. regularly...

how many of you fools mix a hw entropy source into your crypto keying? ever hear of 82802? XSTORE? RDRAND? lava lamps? /cry
Re: [Full-disclosure] CORE-2012-0530 - Lattice Diamond Programmer Buffer Overflow
On Thu, Jun 21, 2012 at 1:37 PM, CORE Security Technologies Advisories advisor...@coresecurity.com wrote:
> ... 9. *Report Timeline*
> . 2012-05-30: Core Security Technologies notifies Lattice Semiconductor Corporation of the vulnerability. Publication date is set for June 26th, 2012.
> . 2012-06-06: Core notifies Lattice Semiconductor Corporation of the vulnerability.
> . 2012-06-11: Core notifies that the previous emails were not answered and requests for a reply.
> . 2012-06-11: Vendor asks Core to remove their email addresses from Core's mailing lists.

now that's some classic vendor behavior!

contrast with http://www.reddit.com/r/netsec/comments/vbrzg/etsy_has_been_one_of_the_best_companies_ive/
Re: [Full-disclosure] www.LEORAT.com is scam
On Tue, Jun 19, 2012 at 2:05 AM, Fyodor fyo...@insecure.org wrote:
> From: Leo Impact Security,Inc cont...@leoimpact.com
> To: fyo...@insecure.org
> Subject: subject: http://seclists.org/fulldisclosure/2012/Apr/19 removing
> ... I am Mark, CISO of Leo Impact Security, some fraud person post illigmate post so please remove asap else we hire a lawer to send legal letter on your site.

is this how n3td3v is paying for intarwebs? :o
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Sun, Jun 10, 2012 at 9:42 AM, Benjamin Kreuter ben.kreu...@gmail.com wrote:
>> ... (CALEA taps are *widely* exploited by the bad guys.
> Do you have a good citation for this?

the most infamous case is the athens affair:
http://spectrum.ieee.org/telecom/security/the-athens-affair

"While this is the first major infiltration to involve cellphones, the scheme did not depend on the wireless nature of the network. Basically, the hackers broke into a telephone network and subverted its built-in wiretapping features for their own purposes."

with the built-in wiretapping features being CALEA components...
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Sun, Jun 10, 2012 at 2:05 PM, Benjamin Kreuter ben.kreu...@gmail.com wrote:
> ... It is not clear to me that these were CALEA components, as opposed to some similar law in Greece or the UK (where Vodaphone is based). ... is it clear that the Greek equipment was built to US standard i.e. that all CALEA requirements are already met by that equipment?

lawful intercept: pioneered by CALEA in USA, adopted by every government across the planet.

we can split hairs on the origin and naming of a given capability, but these are CALEA (aka lawful intercept) functions used unlawfully.
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Sun, Jun 10, 2012 at 2:22 PM, coderman coder...@gmail.com wrote:
> ... we can split hairs on the origin and naming of a given capability, but these are CALEA (aka lawful intercept) functions used unlawfully.

more fun reading, if you're curious:

Exploiting Lawful Intercept to Wiretap the Internet
http://www.blackhat.com/presentations/bh-dc-10/Cross_Tom/BlackHat-DC-2010-Cross-Attacking-LawfulI-Intercept-slides.pdf

Lawful Interception and Countermeasures
http://web.it.kth.se/~maguire/DEGREE-PROJECT-REPORTS/080922-Romanidis_Evripidis-with-cover.pdf

... and, there are rumors VUPEN got hacked a few days ago. their weaponized exploits, also marketed as lawful intercept technologies, are sure to be abused if now in the wild.

we could do this all day! ;)
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Sun, Jun 10, 2012 at 2:06 PM, Laurelai laure...@oneechan.org wrote:
> ... in regards to protecting yourself from .gov malware, it really is quite simple... all only run on windows platforms.

this is wrong in fact, and understanding.

factually other state driven malware has targeted OSX, iOS, Android, many other popular operating systems. the cost of exploit development varies significantly between them, yet they are all vulnerable targets.

your understanding is flawed in that at root these are well funded, highly skilled, large resource entities able to position effective attacks at multiple points around / within a target. if you are using another OS distribution they may only get 2 vectors instead of 12; not exactly a winning strategy for such a blanket statement.

defending against large resource attackers a very long tangent, too long for this margin. ... more a method and practice of continuous learning, eventually making you harder nut to crack than others ;P
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Sat, Jun 9, 2012 at 3:30 PM, valdis.kletni...@vt.edu wrote:
> ... I'm *still* waiting for your lawyers to serve me papers for Neal Krawetz's 2006 Black Hat presentation

cmon' valdis, it's Dr. Neak Krawetz, PhD. ... i thought we've been through this??
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Fri, Jun 8, 2012 at 10:03 AM, Thor (Hammer of God) t...@hammerofgod.com wrote:
> ... What solution? [to countries using cyberwar] And who exactly is going to “find” it?

AV industry vows to become better detectors, find and reverse; you get million dollar vuln RD for free! incident response, analyze and sell to ZDI *grin*

am-pro white/grey hatters and black alike - raise your game. find holes first. government and private sector are making you look bad :/ beat them to punch - leave no pickings or path to arb exec!

developers: much has been and yet to say to you, alas you know your plentiful failures well. :P

end users! you can, you could, ... you... well, you're all pretty fucked given the current state of things. try voting with your wallet! sadly that implies you know what sucks and what doesn't. a criteria disturbingly more complicated than it should be :(

and industry? industry is slave to profit. security and quality not a priority until it is a monetary priority with plenty of blame to go around throughout and external to your average organization.

this doesn't mean all is lost, acute despair moribund comedy abounds all around :P
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Wed, Jun 6, 2012 at 7:41 AM, Laurelai laure...@oneechan.org wrote:
> ... Is anyone else the least bit concerned that stuxnet was carried out by the US Government?

remember the siberian pipeline? uncle sam has been up in yer SCADA for two decades.

if this is a surprise, you aren't paying attention. and if you're only concerned _now_, you aren't paying attention.

http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage
Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran
On Wed, Jun 6, 2012 at 11:16 AM, coderman coder...@gmail.com wrote:
> ... uncle sam has been up in yer SCADA for two decades.

three decades; too early for maths!
Re: [Full-disclosure] imagine ..
On Thu, May 31, 2012 at 6:56 AM, RandallM randa...@fidmail.com wrote:
> ..if flame was hidden in angry birds

flame is as successful as it is precisely because it is extremely targeted. indiscriminate, promiscuous infection would defeat the purpose.

however, if this same level of skill were applied to mass infection we would probably see curious yellow in action.
http://blanu.net/curious_yellow.html
Re: [Full-disclosure] Info about attack trees
On Mon, May 28, 2012 at 10:49 AM, Georgi Guninski gunin...@guninski.com wrote:
> some ...words you can use for profit: division by _zero_, _integer_ overflow, attack _vector_, attack _vector space_ [1], attack _curve_, attack _surface_, attack _abelian surface_ [1], attack _group law_ [1], attack _tree_, attack _graph_, attack _constrained path on graph_ [1], attack _turing machine_ [1], attack halting _problem_ [1].

you've written a prospectus or two, it seems.

> ... I believe it to be infeasible to make an attack tree against any modern system...

the best attack trees are planted in a firmament of bayesian machine learning, nurtured with cloud based social graph analysis, and precipitated via distributed simulation into actionable tactics with certainty of execution. i have generated a truly marvelous computer-assisted proof of this, which this message is unable to contain. the details of just how many 0days rain down from this exploit cloud shall sadly remain obscured... for now.

anyone want to seed a 7.44TB torrent?
Re: [Full-disclosure] Info about attack trees
On Sat, May 26, 2012 at 1:32 PM, Gage Bystrom themadichi...@gmail.com wrote:
> If you haven't guessed from the replies, there is no such thing as an attack tree... The classical method is something along the lines of perform recon, enumerate, attack, persist/extract data. You react based upon the information you gather; the more information you have, the clearer it is what the next step ought to be.

this concept is more useful in fully automated exploit + post-exploitation systems, where you have an arsenal of exploits of varying stealth, reliability, applicability. exploit preference, exploit chaining, and contingency paths based on real-time feedback result in a tree-like structure following the path of least resistance to total compromise. you need to prepare this tree ahead of time as a human in the loop will only slow down the process and increase the risk of countermeasures frustrating further attack.

a pedant would call them exploit graphs ;)
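As an added example (not code from this thread or from any tool named in it) of the planner coderman describes above: the step catalogue below is constructed, with made-up step names, reliability and stealth scores. `policy()` runs a reverse Dijkstra from the goal so that every reachable state has a precomputed cheapest next step (the tree prepared ahead of time), and `run()` consumes simulated feedback, pruning a failed exploit and rebuilding the tree from the current state (the contingency path).

```python
import heapq
import math

# Constructed catalogue (an assumption for this example): each entry is an exploit
# step with the capability it needs, the capability it yields, an estimated
# success probability and a stealth score in [0, 1] (1 = quietest).
EXPLOITS = {
    "spearphish":    dict(pre="recon",      post="user_shell",   reliability=0.6, stealth=0.7),
    "vpn_preauth":   dict(pre="recon",      post="dmz_shell",    reliability=0.9, stealth=0.3),
    "web_sqli":      dict(pre="recon",      post="dmz_shell",    reliability=0.8, stealth=0.6),
    "pivot_smb":     dict(pre="dmz_shell",  post="user_shell",   reliability=0.5, stealth=0.4),
    "local_privesc": dict(pre="user_shell", post="host_root",    reliability=0.7, stealth=0.8),
    "cred_dump":     dict(pre="host_root",  post="domain_admin", reliability=0.9, stealth=0.5),
    "kerberoast":    dict(pre="user_shell", post="domain_admin", reliability=0.4, stealth=0.9),
}


def cost(ex, noise_weight=1.0):
    """Resistance of one step. -ln(reliability) makes a path sum equal to -ln of the
    chain's overall success probability; the noise term penalises loud steps."""
    return -math.log(ex["reliability"]) + noise_weight * (1.0 - ex["stealth"])


def policy(goal, excluded=frozenset()):
    """Reverse Dijkstra from the goal over the exploit graph.
    Returns {state: (remaining_cost, next_exploit)} for every state that can still
    reach the goal: the precomputed decision tree, one branch per state."""
    best = {goal: (0.0, None)}
    heap = [(0.0, goal)]
    while heap:
        dist, state = heapq.heappop(heap)
        if dist > best[state][0]:
            continue  # stale heap entry
        for name, ex in EXPLOITS.items():
            if name in excluded or ex["post"] != state:
                continue
            cand = dist + cost(ex)
            if cand < best.get(ex["pre"], (math.inf, None))[0]:
                best[ex["pre"]] = (cand, name)
                heapq.heappush(heap, (cand, ex["pre"]))
    return best


def run(start, goal, failing=frozenset()):
    """Walk the tree from `start`. `failing` is the constructed real-time feedback:
    exploits that turn out not to work on this target. Each failure prunes that
    exploit and rebuilds the tree from the current state instead of giving up."""
    state, excluded, attempted = start, set(), []
    while state != goal:
        tree = policy(goal, excluded)
        if state not in tree:
            break  # every remaining branch from here is exhausted
        nxt = tree[state][1]
        attempted.append(nxt)
        if nxt in failing:
            excluded.add(nxt)
        else:
            state = EXPLOITS[nxt]["post"]
    return attempted, state


if __name__ == "__main__":
    print(run("recon", "domain_admin"))
    print(run("recon", "domain_admin", failing={"kerberoast"}))
    print(run("recon", "domain_admin", failing={"spearphish", "pivot_smb"}))
```

The cost function is an assumption: -ln(reliability) sums to -ln of the chain's success probability, and the stealth term is a tunable noise penalty, so swap in whatever scoring your engagement uses. Because the policy is precomputed for every state, the in-loop work after each result is a dictionary lookup plus a rebuild only on failure, which is the point the post makes about keeping humans out of the loop.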
Re: [Full-disclosure] Google Accounts Security Vulnerability
On Thu, May 17, 2012 at 5:51 AM, Mike Hearn he...@google.com wrote:
> I understand your concerns, however they are not valid.

++ best thread on list all month. :)

now if only Google's two-factor auth could use tamper-resistant tokens. i trust my phone even less than my browser... :(
Re: [Full-disclosure] Apple IOS security issue pre-advisory record
On Sun, Mar 25, 2012 at 7:25 AM, Charlie Derr cd...@simons-rock.edu wrote:
> ... I always figured attempting to grab things with links or lynx from a command-line GNU/linux environment ought to be fairly safe, even for files that I'm pretty certain contain viral/trojan code

once upon a time there was an ugly Tor attack that would pwn through lynx/links on console (if you had control port open). that line of thinking gets you into trouble ;)
Re: [Full-disclosure] The Mystery of the Duqu Framework
On Sat, Mar 10, 2012 at 12:43 PM, Alberto Fabiano albe...@computer.org wrote:
> ... C++ isn't the only language that uses COM, it still has a familiar way... it can be another language.

where does the application framework end and the domain specific language begin? lean event machine for invoking syscalls direct, routing params. pretty handy ...

ocamlc? i thought i saw a six subject call in there ;P
[Full-disclosure] coverity
why did they drop 11 billion lines of code from the open source scan report? (11.5b 2009 to 0.037b 2011, hard to use 5.x? only 0.06b really scanned in 2009?)

do any projects publish their fp db?
Re: [Full-disclosure] The Mystery of the Duqu Framework
On Sat, Mar 10, 2012 at 3:36 PM, William Pitcock neno...@systeminplace.net wrote:
> VC++ generates code like this when used with COM. The COM implementation used on windows is compiler-assisted. Basically to generate assembly like this, just you know, build code that uses COM (#using, various __declspec etc.)

they call this kickin' it old skewl you fuckin' newbs...

also, making it uber-portable. which for a framework, you want it to be ;P
Re: [Full-disclosure] The Mystery of the Duqu Framework
2012/3/10 夜神 岩男 supergiantpot...@yahoo.co.jp:
> ... From the description, it looks like someone pushed some code from a Lisp[1] variant (like Common Lisp, which is preprocessed into ANSI C by GCL, for example, before compilation) into a C++ DLL.

you're hilarious!! ... but keep the day job.
Re: [Full-disclosure] The Mystery of the Duqu Framework
On Sat, Mar 10, 2012 at 8:04 PM, valdis.kletni...@vt.edu wrote:
> ... So what you're saying here is that there's a lot of people accepting security advice and/or software from professionals who wouldn't recognize a COM object if it came up and bit them on the butt...

c'mon valdis, if anyone, you should know how short the attention span of the IT community is. everything old is new again, like fashion.

le sigh...
Re: [Full-disclosure] The Mystery of the Duqu Framework
On Sat, Mar 10, 2012 at 8:24 PM, coderman coder...@gmail.com wrote:
> everything old is new again, like fashion.

and you can kick it old skewl without {---C000-0046} ;)
Re: [Full-disclosure] Welcome Back IRL
On Fri, Feb 24, 2012 at 5:54 AM, not here zpamh...@gmail.com wrote:
> -- I'll just pin this here --
> http://www.bop.gov/iloc2/InmateFinderServlet?Transaction=NameSearch&FirstName=stephen&LastName=watt

lol, be careful who you blabla to...
Re: [Full-disclosure] Circumventing NAT via UDP hole punching.
On Wed, Feb 22, 2012 at 7:36 AM, Adam Behnke a...@infosecinstitute.com wrote:
> A new write up at InfoSec Institute on circumventing NAT. The process works in the following way. We assume that both the systems A and B know the IP address of C.

a new write up? ...

http://www.brynosaurus.com/pub/net/p2pnat/ [circa 2005 summary of 200x p2p hackers lore]

more great content from infowhoresinstitute!
Re: [Full-disclosure] power of this list..
On Fri, Mar 9, 2012 at 6:01 AM, RandallM randa...@fidmail.com wrote:
> This list currently has served to expose and disclose vulnerabilities. Imagine its possibilities with humans. The talent here is endless.

hard pressed to top the talent of an angry squirrel,
http://attrition.org/errata/charlatan/
Re: [Full-disclosure] gnome-terminal, xfce4-terminal, terminator and others write scrollback buffer to disk
On Tue, Mar 6, 2012 at 1:46 PM, Mark Krenz m...@suso.com wrote:
> Title: Gnome terminal, xfce4-terminal, terminator and other libVTE based terminals write scrollback buffer data to /tmp filesystem

temp data in /tmp ? i'm shocked, SHOCKED! *cough*

> Worst case scenario: Classified, secret or medical information that was accessed through a terminal window was thought to be safe because it was on a remote server and only accessed via SSH

people in this scenario have bigger concerns to worry about given their lack of understanding re: operating systems and application software.

> Some may not consider this a bug and make the excuse that your terminal's memory stack may end up in swap anyways, or that only root would have access to the data or that you should encrypt /tmp.

correction: one must always use full-disk encryption. anything less is fail.
Re: [Full-disclosure] RSA and random number generation
On Thu, Feb 23, 2012 at 10:50 AM, Georgi Guninski gunin...@guninski.com wrote:
> ... if i understood the paper correctly they broke some rsa keys because they shared a prime $p$ (the rsa keys are different, shared rsa keys might be explained by the debian random fiasco or the like bugs). i would suspect it is quite unlikely entropy/seed to explain the above scenario - the odds appear small to me.

see https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs

  How could this happen? It wasn't obvious at first how these types of entropy problems might result in keys that could be factored. We'll explain now for the geekier readers. Here's one way a programmer might generate an RSA modulus:

    prng.seed(seed)
    p = prng.generate_random_prime()
    q = prng.generate_random_prime()
    N = p*q

  If the pseudorandom number generator is seeded with a predictable value, then that would likely result in different devices generating the same modulus N, but we would not expect a good pseudorandom number generator to produce different moduli that share a single factor. However, some implementations add additional randomness between generating the primes p and q, with the intention of increasing security:

    prng.seed(seed)
    p = prng.generate_random_prime()
    prng.add_randomness(bits)
    q = prng.generate_random_prime()
    N = p*q

  If the initial seed to the pseudorandom number generator is generated with low entropy, this could result in multiple devices generating different moduli which share the prime factor p and have different second factors q. Then both moduli can be easily factored by computing their GCD: p = gcd(N1, N2).

  OpenSSL's RSA key generation functions this way: each time random bits are produced from the entropy pool to generate the primes p and q, the current time in seconds is added to the entropy pool. Many, but not all, of the vulnerable keys were generated by OpenSSL and OpenSSH, which calls OpenSSL's RSA key generation code.
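Added example of the GCD attack the quoted post describes (illustration code written for this page, not the freedom-to-tinker authors' code and not OpenSSL's): `rsa_modulus()` models both generation patterns, with Python's `random.Random` standing in for the device PRNG and a small integer seed standing in for a low-entropy pool state, and `batch_gcd()` implements the product-tree/remainder-tree batch GCD that checks a whole key set at once instead of gcd'ing every pair. The prime size, the seeds and the "clock" values mixed in between p and q are constructed for the demo.

```python
import math
import random

SYSRAND = random.SystemRandom()  # used only for Miller-Rabin witnesses


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random witnesses; adequate for a demonstration."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(SYSRAND.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, prng):
    """Draw odd candidates with the top bit set from `prng` until one is prime."""
    while True:
        cand = prng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_modulus(seed, extra=None, bits=256):
    """Model of the two generation patterns in the quoted post.
    `seed` stands for a low-entropy boot-time pool state shared by many devices;
    `extra` stands for the 'additional randomness' (e.g. the clock in seconds)
    some implementations mix in between generating p and q. 256-bit primes are a
    toy size chosen so the demo runs in well under a second; real keys use 1024+."""
    prng = random.Random(seed)
    p = random_prime(bits, prng)
    if extra is not None:
        prng.seed(f"{seed}:{extra}")  # pool reseeded after p, before q
    q = random_prime(bits, prng)
    return p * q


def batch_gcd(moduli):
    """Bernstein-style batch GCD: product tree up, remainder tree down, then
    gcd((P mod N_i^2) / N_i, N_i) for every N_i, in quasi-linear time instead
    of the n^2 pairwise gcds."""
    tree = [list(moduli)]
    while len(tree[-1]) > 1:
        lvl = tree[-1]
        tree.append([lvl[i] * lvl[i + 1] if i + 1 < len(lvl) else lvl[i]
                     for i in range(0, len(lvl), 2)])
    rems = tree.pop()  # root: the product P of every modulus
    while tree:
        lvl = tree.pop()
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(lvl)]
    return [math.gcd(r // n, n) for r, n in zip(rems, moduli)]


def classify(moduli):
    """gcd == 1: nothing shared; gcd == N: duplicate key; otherwise a factor of N."""
    labels = []
    for n, g in zip(moduli, batch_gcd(moduli)):
        labels.append("clean" if g == 1 else "duplicate" if g == n else "factored")
    return labels


def demo():
    """Constructed fleet: two devices with identical pool state and no reseed,
    two with the same pool state but different clock values mixed in between
    p and q, and one device seeded from a real entropy source."""
    bad_seed = 0xC0FFEE
    fleet = [
        rsa_modulus(bad_seed),
        rsa_modulus(bad_seed),
        rsa_modulus(bad_seed, extra=1330000000),
        rsa_modulus(bad_seed, extra=1330000001),
        rsa_modulus(SYSRAND.getrandbits(256)),
    ]
    return classify(fleet)


if __name__ == "__main__":
    print(demo())  # ['duplicate', 'duplicate', 'factored', 'factored', 'clean']
```

A result equal to N flags a duplicate key (pattern one: same seed, no reseed); a result strictly between 1 and N is a prime factor (pattern two: same p, different q). The batch method only reports factors shared with at least one other modulus in the set, so a single bad key with nothing to collide against still looks clean, which is why the research under discussion needed a large crawl of public keys to find the vulnerable ones.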
Re: [Full-disclosure] RSA and random number generation
On Tue, Feb 21, 2012 at 2:09 PM, Ramo r...@goodvikings.com wrote:
> I'll just leave this here.
> http://eprint.iacr.org/2012/064.pdf

anyone who cares about proper key generation uses a hardware entropy source. they put them in CPUs, they provide them on motherboards. they make them very high throughput so your /dev/urandom will never block no matter what the task.

hwrandom -> egd -> /dev/[u]random always filled at boot and ever after... SOLVED.

anything less is asking for failure.
Re: [Full-disclosure] Fwd: [Webappsec] Call for Assistance: OWASP Virtual Patching Survey
On Mon, Feb 20, 2012 at 6:04 PM, Jeffrey Walton noloa...@gmail.com wrote:
> From the folks at OWASP. Please take a moment to provide feedback if you have helpful comments.

i see your survey contained many reasons for using virtual patching, none of which included:

Haste: virtual patches can be deployed extremely quickly relative to any other remediation technique.

who wrote this survey? i am disappoint. ಠ_ಠ
Re: [Full-disclosure] when did piracy/theft become expression of freedom
On Sat, Jan 28, 2012 at 2:26 PM, valdis.kletni...@vt.edu wrote:
> ... For the record, all my media is legitimately acquired,

i once saw Valdis rockin' out with headphones on - volume at 11, providing an unauthorized, non-personal broadcast of a copyrighted composition to those nearby. clearly a public performance outside the limited scope of his personal use only license for the material.

officers, arrest this man! (and his mustache too...)

[ resting that portable DVD player on top of your seat where others may view it is also a federal crime! i'm just trying to inform. they won't let you into Ethical Hacker training with a felony conviction. i tried... ~_~; ]
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On Wed, Jan 25, 2012 at 2:55 AM, Ben Bucksch n...@bucksch.org wrote:
> Dear coderman, posting mails that were explicitly marked offlist on the public list is no-go.

you must be new around here... why not let everyone learn from your fail?
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On Tue, Jan 24, 2012 at 3:47 PM, Ben Bucksch n...@bucksch.org wrote:
> ... That is *precisely* what VNC is: an open-source IP KVM.

*precisely* ?? you keep using that word. i do not think it means what you think it means...

this thread is full of lulz; you newbs might want to check out http://wiki.qubes-os.org/trac/wiki/CopyPaste
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On Tue, Jan 24, 2012 at 6:45 PM, Ben Bucksch n...@bucksch.org wrote:
> ... The VNC protocol (RFB) is very simple, based on one graphic primitive from server to client ('Put a rectangle of pixel data at the specified X,Y position') and event messages from client to server.

what Dan was trying to point out to you was the vast difference in attack surface between an IP KVM and the VNC protocol and architecture.

IP KVM: keyboard, video, mouse interface to physical ports. dumb dumb dumb.

VNC: not so simple, full of bugs year after year, privileged service running on host hooking into various OS facilities and exposing all sorts of vulnerabilities between server and client. sma^H^H^H^H stupid stupid stupid (from a security perspective)

if you believe these present *precisely* the same risk profile, well... can i have some of what you're smoking?

On Tue, Jan 24, 2012 at 6:34 PM, Ben Bucksch n...@bucksch.org wrote:
> On 25.01.2012 02:05, coderman wrote:
>> you keep using that word. i do not think it means what you think it means...
> Where else did I use that word? And what does it mean, in your understanding, that differs from my usage? I checked the dict and it seems fine.

let me spell it out: your precise equivalency between a KVM device and a VNC service is neither accurate nor correct.

http://www.youtube.com/watch?v=OHVjs4aobqs
Re: [Full-disclosure] Facebook seems to think my Arch Linux box has malware on it
On Thu, Jan 19, 2012 at 7:13 PM, Wesley Kerfoot wja...@gmail.com wrote:
> So there I was, innocently posting ... on ... facebook

hey, there's your problem! friends don't let friends friend whore themselves. friend.
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On Thu, Jan 12, 2012 at 1:57 AM, Giles Coochey gi...@coochey.net wrote:
> ... If you have been hired by the company in a security capacity ... I've always found that you are listened to, taken very seriously and usually have a direct route to the CEO, CIO, COO or the whole board of directors.

lol

you need to qualify this statement. do you consider QA part of a security capacity? what about operations?
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
On Wed, Jan 11, 2012 at 9:40 AM, Kyle Creyts kyle.cre...@gmail.com wrote:
> I would also like to point out that finding the bugs is not the same as fixing the bugs, and that for all the focus that is placed on finding them, and lauding the people that do, fixing them is usually pretty thankless.

finding the bugs before a product or service is released is also thankless. as is verifying that bugs are never re-introduced due to carelessness or oversight. implementing with robustness, vs. implementing with haste, is also a thwarted, thankless pursuit in these times. not a gap in knowledge or skill, but a gap in practice that dooms infosec so many places.

> I think shifting that dynamic would be more rewarding if advancing the state of the industry is really what is valued.

keep up the good fight, sir! ... and don't hold your breath. ;)
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response, Philosophy of Information Security
On Sat, Jan 7, 2012 at 12:55 PM, Shyaam Sundhar shy...@gmail.com wrote:
> ... why are people sloppy by nature when it comes to security?

this is like asking for the origin of existence; a mystery to the end!

> Why is security still considered as a blanket as opposed to the core of any system?

build security in: a radical concept!

instead quality is conferred second rate status, lucre and expedience trump effectiveness, and short sighted competition creates cavities of vulnerability where only broad cooperation can protect. an endless playground for the curious and devious to deceive, thwart, and threaten at will.

> PS: I am totally wrong and I know that ;)

infosec is totally wrong as an industry, too few know that! ;P
Re: [Full-disclosure] INSECT Pro - Version 3.0 Released!
On Sat, Dec 31, 2011 at 9:13 PM, R0me0 *** knight@gmail.com wrote:
> PROCMAIL!? come on, by some case ... are you a big loosseer !?

c'mon fuckface, classifying your email is internet 101. bitching about the noise is only adding to the noise.. you see the problem?
Re: [Full-disclosure] n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table
On Thu, Dec 29, 2011 at 11:24 AM, adam a...@papsy.net wrote:
> In any case, the concept is pretty interesting.

data structures exposed to potentially malicious user input. what could go wrong?

Big-O: a perfect case is not typical. real-world is sometimes not average. attacker inputs, they're always aiming for the worst!

> It's not a vector that most people would think of when securing their applications/servers. At least, most people I've come in contact with, anyway.

welcome to the state of 21st century infosec. :)
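Added example (constructed for this page, not code from the n.runs advisory or from any of the affected runtimes) of the worst case the reply above is getting at: Java's `String.hashCode()` stands in for the multiply-add string hashes the advisory covered, `colliding_keys()` builds 2^k parameter names that all land in one bucket, and `ChainedTable` counts the key comparisons a flood costs with the weak hash versus a keyed BLAKE2b hash. The key names, table size and per-process secret key are assumptions for the demo.

```python
import hashlib
import secrets
from itertools import product


def java_string_hash(s):
    """Java's String.hashCode(): h = 31*h + c over the string, mod 2^32.
    Other affected runtimes used the same multiply-add shape with other constants."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h


def colliding_keys(blocks=10):
    """'Aa' and 'BB' hash identically (31*65+97 == 31*66+66 == 2112). Because
    h(x + y) == h(x) * 31**len(y) + h(y) mod 2^32, every concatenation of
    `blocks` such blocks collides as well: 2**blocks keys in one bucket, for free."""
    return ["".join(p) for p in product(("Aa", "BB"), repeat=blocks)]


SECRET_KEY = secrets.token_bytes(16)  # per-process key, unknown to the attacker


def keyed_hash(s, key=SECRET_KEY):
    """Mitigation: a keyed hash. Without the key an attacker cannot precompute
    collisions; this is what SipHash-based dict hashing in modern runtimes does."""
    digest = hashlib.blake2b(s.encode("utf-8"), key=key, digest_size=8).digest()
    return int.from_bytes(digest, "big")


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons, so the
    O(n^2) cost of inserting a flood shows up as a number rather than a stall."""

    def __init__(self, hash_fn, buckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1  # one key comparison per existing chain entry
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def longest_chain(self):
        return max(len(chain) for chain in self.buckets)


def flood(hash_fn, keys):
    """Insert attacker-chosen parameter names (as a web framework would while
    parsing a POST body) and return the cost profile of doing so."""
    table = ChainedTable(hash_fn)
    for k in keys:
        table.insert(k, "x")
    return {"keys": len(keys), "comparisons": table.comparisons,
            "longest_chain": table.longest_chain()}


if __name__ == "__main__":
    names = colliding_keys(10)  # 1024 names such as 'AaAaBBAaBB...'
    print("weak :", flood(java_string_hash, names))  # one chain of 1024, 523776 comparisons
    print("keyed:", flood(keyed_hash, names))        # spread out, a few hundred comparisons
```

With 1024 colliding names the weak table performs n(n-1)/2 = 523776 comparisons on insert, and the number grows quadratically with the size of the request; the keyed table performs a few hundred. The same contrast is why CPython has had randomised `str` hashing on by default since 3.3 and SipHash since 3.4. The other mitigation deployed at the time was capping the number of parameters a request may carry (PHP's max_input_vars, for example), which bounds n whatever the hash does.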
Re: [Full-disclosure] Using hardware to attack software
On Tue, Dec 27, 2011 at 2:30 PM, Gage Bystrom themadichi...@gmail.com wrote:
> ... My main criticisms involved presentation of your work that I believed could wind up coining useless buzz words, proliferation of bad terminology, and enforcing incorrect paradigms.

in infosec they call this putting your mark on the world. for those who play the game this is a feature, not a bug!

> ... Perhaps refocusing the paper around some sort of 'driver vulnerability taxonomy', or as you said was intended 'overlooked/poorly understood driver attacks'...

*yawn* when was the last time physical or emissions security was interesting? even side channels are second tier these days. the microcomputer is a microcosm of distributed systems, with rich attack surfaces at every layer from bios to firmware to embedded components and offload systems (themselves a fractal iteration of general purpose computing, within general purpose computing, within...) all before you even get to the software interfacing with this malleable hardishsoftyware or the applications running top side. turtles all the way down! with vuln crumbs or exploit feasts spanning decades, depending on specialization and isolation of the technologies at hand.

> I hope that is clear as I sometimes have a bad habit of rambling.

your analysis is succinct and sane! this, however, is a negative sign given the subject at hand...
[Full-disclosure] Do: Re: Mi: Using hardware to attack software
On Tue, Dec 27, 2011 at 3:29 PM, syka...@astalavista.com wrote:
> Ladies and gentlemen, I will be unplugged from my email until the 17th of January. In the meantime here's a video of a bunny opening your mail http://www.youtube.com/watch?v=LMyaRmTwdKs ...

ah, it's that time of year again. who's getting hacked for new years?? let's watch and see!

happy holidays :P
Re: [Full-disclosure] Using hardware to attack software
On Fri, Dec 23, 2011 at 2:27 PM, Forristal, Jeff jeff.forris...@intel.com wrote:
> Folks on this list may be interested in a recent whitepaper talking about types of attacks that leverage PC hardware to attack local software.

i look forward to the next installment: 'Hardware involved wetware attacks'

Abstract

Password recovery and information disclosure attacks involving hardware resources are under-represented within the security industry. With a growing number of attackers moving beyond pure cyber attack scenarios into blended hardware-on-flesh methods combined with automated software strategies to fully realize world class exploit trees for maximum effect, this hardware involved wetware attack can be ignored no longer. This paper introduces and details a wide variety of methods, from simple brass knuckles or fist packs to elaborate mental models of exploitation implying pain to the genitals, elaborate set pieces, and trained performances. we show how this taxonomy of coercion can be leveraged to extract passwords and obtain information with great efficiency and efficacy according to a framework we put forth...
Re: [Full-disclosure] OT: Firefox question / poll
On Thu, Dec 22, 2011 at 8:08 AM, Christian Sciberras uuf6...@gmail.com wrote:
> Since when do hackers write excellent, well-performing code? In fact, quite the opposite, many hacks actively need to crash the browser to work. Killing script execution before that overflow happens may unintentionally stop the attack.

only the chinese are this sloppy. [0] here in the west, we take pride in our exploits! [1][2][3]

0. C.f. don't be a dull boy https://media.blackhat.com/bh-us-10/presentations/Waisman/BlackHat-USA-2010-Waisman-APT-slides.pdf
1. The Spyfiles http://wikileaks.org/the-spyfiles.html
2. The Surveillance Catalog http://projects.wsj.com/surveillance-catalog/#/
3. Wired for Repression http://topics.bloomberg.com/wired-for-repression/
Re: [Full-disclosure] OT: Firefox question / poll
On Tue, Dec 20, 2011 at 9:40 AM, Charles Morris cmor...@cs.odu.edu wrote:
> I'm curious what everyone's opinion is on the following question... esp. to any FF dev people on list: Do you think that the Firefox warning: unresponsive script is meant as a security feature or a usability feature?

anyone who said security feature is an idiot and/or not thinking clearly. your security is harmed by malicious script in milliseconds. this does nothing to protect you from anything.*

it is purely a usability feature in response to shitty developers writing shitty webapps leading to excessively long script execution (which can thus be terminated if desired once this warning presents)

* someone may say availability is a security requirement! true, but then a modem link to web 2.0 is a DoS, and there's simply no point going down that road...
Re: [Full-disclosure] Carrier IQ for your phone
On Sat, Dec 3, 2011 at 4:14 AM, Alan J. Wylie shyyqvfpybf...@wylie.me.uk wrote:
> ... Interesting response from Carrier IQ in a long article on The Register:
> http://www.theregister.co.uk/2011/12/02/carrier_iq_interview/

interesting response from FBI in regards to Carrier IQ
http://www.muckrock.com/news/archives/2011/dec/12/fbi-carrier-iq-files-used-law-enforcement-purposes/
Re: [Full-disclosure] Carrier IQ for your phone
On Tue, Dec 13, 2011 at 2:50 PM, Ivan .Heca ivan...@gmail.com wrote:
> http://www.gizmodo.com.au/2011/12/carrier-iq-explains-what-it-does-with-your-data/
> These logs [full debug, keylogging, etc.] are generated on phones sold with the Carrier IQ program preloaded but the company says it’s working with manufacturers and networks to adjust the certification process and turn off debugging messages when the phone is activated.

what a convenient little bit to flip. debug mode on! anyone else found a way to toggle this remotely? :)

also fun: https://collector.iota.spcsdns.net:10003/collector/

anyone got a list of other iq collector URLs?
Re: [Full-disclosure] Carrier IQ for your phone
On Sat, Dec 3, 2011 at 4:14 AM, Alan J. Wylie shyyqvfpybf...@wylie.me.uk wrote:
> ...
> | Yes, Carrier IQ is a vast digital fishing net that sees geographic
> | locations and the contents of text messages and search queries
> | swimming inside the phones the software monitors.. But except
> | in rare circumstances, that data is dumped out of a phone's internal
> | memory almost as quickly as it goes in.

one thing many of these stories seem to miss is that these limits assume a carrier in control and acting responsibly. if you're under a MitM attack these unused features sitting latent are now actively acting against your interests. similar to CALEA capabilities leveraged for clandestine surveillance, e.g. the Athens Affair...
Re: [Full-disclosure] Writing Self Modifying Code
On Wed, Nov 30, 2011 at 1:30 PM, Adam Behnke a...@infosecinstitute.com wrote:
> Hello full disclosureites, a new tutorial is available at InfoSec Institute ... Your thoughts?

who was this content plagiarized from?
Re: [Full-disclosure] SploitCloud: exploiting cloud brokers for fun and profit
On Wed, Nov 9, 2011 at 11:25 AM, Sam Johnston s...@samj.net wrote:
> Apologies for the HTML — too many inline links

the cool thing about plain text email: it can often prune those annoying markup links! it is cooler than a google barrel roll... try it
Re: [Full-disclosure] THC SSL DOS tool released
On Wed, Nov 2, 2011 at 2:07 PM, coderman coder...@gmail.com wrote:
> ... - cipher suite probing to find un-accelerated suites or more computationally expensive suites supported by a target.

a nice write up here covering relative costs of some suites, and more discussion on computation DoS:
http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html

suites clearly make a big difference (but you knew that already, right?)

regarding concurrent connections stress, use >= 8G of memory on injector and:

# in /etc/security/limits.conf :
* soft nofile 65535
* hard nofile 2097152
# ... and ulimit -Hn 2097152 before launching load

# in /etc/sysctl.conf :
net.core.somaxconn = 2097152
net.ipv4.tcp_fin_timeout = 5 # or less
# ... and sysctl -p /etc/sysctl.conf

if you're routing through conntrack or equivalent facilities (this will cut your capacity in half) you also need to adjust conntrack limits.
Re: [Full-disclosure] THC SSL DOS tool released
On Wed, Nov 2, 2011 at 1:21 AM, Marc Heuse m...@mh-sec.de wrote:
> ... still you don't need a gpu, even with renegotiation disabled and hardware acceleration present. Just don't use openssl (or similar libraries).

indeed. reminds me of the vanity onion generator shallot. you could do this with legitimate keys and take forever, or you could generate weak keys quickly to find a prefix in reasonable time.

(in this case, legitimate handshakes are not strictly required for testing, but it would be nice to keep that option. for example, establishing an upper bound of concurrent SSL/TLS connections for load balancer / server benchmarks. it takes me forever to do this in software. i can actually stress with hardware acceleration performing full handshakes. i've had to test upwards of 1.5MM concurrent sessions per endpoint on such systems; this is not a theoretical need :)

> and the thc-ssl-dos is a proof of concept code, and could be enhanced to be more effective too.

since we're on the subject:
- cipher suite probing to find un-accelerated suites or more computationally expensive suites supported by a target.
- client certificate support (with either static|fixed, pre-generated, or on-demand client cert generation)

regardless, this is a handy tool. even if i have to manually edit out the script kiddie pisser. :P
Re: [Full-disclosure] Citibank CitiDirect - forced usage of vulnerable version of Java Runtime Environment
On Wed, Nov 2, 2011 at 10:04 AM, Tomasz Ostrowski tomet...@gmail.com wrote:
> ... Suggested actions for clients
> Change a bank, as Citibank is blatantly ignorant about security.

this is good advice for many reasons. citigroup is full of thieves:
http://mobile.nytimes.com/2011/10/30/opinion/sunday/friedman-did-you-hear-the-one-about-the-bankers.xml