Re: [Full-Disclosure] OpenSSL <= 0.9.6m vulnerability

2005-03-03 Thread Martin Pitt
Hi!

[EMAIL PROTECTED] [2005-03-02  5:58 -0800]:
 The vulnerability specifically exists due to improper use of the
 strncpy function.
 The vulnerable code is shown below:
 
 -- snip --
 char name[128];
 -- snip --
 if (ghbn_cache[i].order > 0)
     {
     if (strncmp(name,ghbn_cache[i].name,128) == 0)
         break;
     }
 
 Due to a routine security audit of the strncpy man file, we at 
 tal0n security now know that the result of strncpy will not be null 
 terminated !!

The code you cited uses strncmp(), not strncpy(), and since
ghbn_cache[i].name really is 128 bytes, I cannot see anything wrong
with the strncmp().

In apps/s_socket.c, copying into this string is well-checked with

if (strlen(name) < sizeof ghbn_cache[0].name)
{
    strcpy(ghbn_cache[lowi].name,name);

In crypto/bio/b_sock.c, this is done more sloppily with

  strncpy(ghbn_cache[lowi].name,name,128);

It is clear that the resulting string might not be null-terminated any
more; agreed, this is really bad practice. However, since strncmp() is
used with limiting to 128 bytes this is still safe (although fragile).

However, I just checked 0.9.7e, is there an additional vulnerability
in 0.9.6 which was fixed in the meantime? Or am I missing something?

Have a nice day,

Martin
-- 
Martin Pitt   http://www.piware.de
Ubuntu Developerhttp://www.ubuntulinux.org
Debian GNU/Linux Developer   http://www.debian.org


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
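To make the "safe but fragile" point concrete, here is an added C example (not OpenSSL's code and not from Martin's message) that models a constructed 128-byte cache entry with the two copy patterns he quotes and the bounded compare. It shows that strncpy() leaves a full-length name without a terminator, that strncmp() limited to 128 bytes still matches safely, and what a length-checked copy and a defensive read-out look like. The struct, function names and the sample host name are assumptions for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 128   /* same size as ghbn_cache[].name in the quoted code */

/* Constructed stand-in for the cache entry discussed in the thread. */
struct ghbn_entry {
    char name[NAME_LEN];
    int order;
};

/* The b_sock.c pattern: strncpy() writes exactly NAME_LEN bytes and adds a
   terminator only when the source is shorter than NAME_LEN. */
void cache_put_fragile(struct ghbn_entry *e, const char *name)
{
    strncpy(e->name, name, NAME_LEN);
}

/* The s_socket.c pattern: check the length against the buffer first and
   refuse anything that would not fit together with its terminator.
   Returns 0 on success, -1 if the name is too long. */
int cache_put_checked(struct ghbn_entry *e, const char *name)
{
    if (strlen(name) >= NAME_LEN)
        return -1;
    strcpy(e->name, name);   /* safe: length verified above */
    return 0;
}

/* The lookup: bounded to NAME_LEN bytes, so it never reads past the buffer
   even when the stored entry carries no terminator. */
int cache_match(const struct ghbn_entry *e, const char *name)
{
    return strncmp(name, e->name, NAME_LEN) == 0;
}

/* 1 if a NUL byte exists inside the buffer. Any caller that treats the
   entry as a C string (strlen, printf "%s", strcpy out of it) is only
   safe when this holds; that dependency is the fragile part. */
int entry_is_terminated(const struct ghbn_entry *e)
{
    return memchr(e->name, '\0', NAME_LEN) != NULL;
}

/* Defensive read-out: copy at most NAME_LEN bytes into a caller buffer
   and always terminate, whatever the stored bytes look like. */
void cache_get(const struct ghbn_entry *e, char *out, size_t outlen)
{
    size_t n = NAME_LEN < outlen - 1 ? NAME_LEN : outlen - 1;
    memcpy(out, e->name, n);
    out[n] = '\0';
}

int main(void)
{
    struct ghbn_entry e;
    char longname[NAME_LEN + 1];   /* constructed: exactly NAME_LEN 'a' bytes */
    memset(longname, 'a', NAME_LEN);
    longname[NAME_LEN] = '\0';

    cache_put_fragile(&e, longname);
    printf("terminated after strncpy: %d, strncmp still matches: %d\n",
           entry_is_terminated(&e), cache_match(&e, longname));
    printf("checked put of the same name: %d\n",
           cache_put_checked(&e, longname));
    return 0;
}
```

The only thing that keeps the fragile variant safe is that every reader of the entry is bounded; adding a single `strlen(ghbn_cache[i].name)` or `%s` somewhere later would turn an unterminated entry into an over-read.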


Re: [Full-Disclosure] Re: test

2005-03-03 Thread xyberpix
no way, really?

On Wed, 2 March, 2005 22:37, Roberto Arias said:
 Ignore this message. Testing the maillist

 pingywon wrote:
 not too /Smart/ you are John

 - Original Message -
 *From:* John Smart mailto:[EMAIL PROTECTED]
 *To:* full-disclosure@lists.netsys.com
 mailto:full-disclosure@lists.netsys.com
 *Sent:* Wednesday, March 02, 2005 1:41 PM
 *Subject:* [Full-Disclosure] test

 test

 




-- 
For security and Opensource news check out:
http://www.xyberpix.com



[Full-Disclosure] [USN-90-1] Imagemagick vulnerability

2005-03-03 Thread Martin Pitt
===
Ubuntu Security Notice USN-90-1  March 03, 2005
imagemagick vulnerability
CAN-2005-0397
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

imagemagick
libmagick6

The problem can be corrected by upgrading the affected package to
version 5:6.0.2.5-1ubuntu1.4.  In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Tavis Ormandy discovered a format string vulnerability in ImageMagick's file
name handling. Specially crafted file names could cause a program using
ImageMagick to crash, or possibly even cause execution of arbitrary code.

Since ImageMagick can be used in custom printing systems, this also might lead
to privilege escalation (execute code with the printer spooler's privileges).
However, Ubuntu's standard printing system does not use ImageMagick, thus there
is no risk of privilege escalation in a standard installation.

ImageMagick is also commonly used by web frontends; if these accept image
uploads with arbitrary file names, this could also lead to remote privilege
escalation.

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5-1ubuntu1.4.diff.gz
  Size/MD5:   129865 b6158cb1e8ac827114bbd483465e8f90

http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5-1ubuntu1.4.dsc
  Size/MD5:  874 6d01d5029e385ef25ffcc4b7c1b8f9bc

http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5.orig.tar.gz
  Size/MD5:  6700454 207fdb75b6c106007cc483cf15e619ad

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5-1ubuntu1.4_amd64.deb
  Size/MD5:  1366250 9bd394c1da6ea7f94619af3f9afd8796

http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6-dev_6.0.2.5-1ubuntu1.4_amd64.deb
  Size/MD5:   226626 a8fb07c1e1c893d64fd1450518da0c71

http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6_6.0.2.5-1ubuntu1.4_amd64.deb
  Size/MD5:   161238 538c672bbbfe4e1c7ff23bd0e531a4d2

http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6-dev_6.0.2.5-1ubuntu1.4_amd64.deb
  Size/MD5:  1520098 8bcdd9116e7fd42772b3bd3b3eb97695

http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6_6.0.2.5-1ubuntu1.4_amd64.deb
  Size/MD5:  1167436 817bc00875893b331e673b6199516bf0

http://security.ubuntu.com/ubuntu/pool/universe/i/imagemagick/perlmagick_6.0.2.5-1ubuntu1.4_amd64.deb
  Size/MD5:   138790 df954c96f52dad5f38302c04f387de54

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5-1ubuntu1.4_i386.deb
  Size/MD5:  1366210 92438f9dc9e47084c225f6b16390f645

http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6-dev_6.0.2.5-1ubuntu1.4_i386.deb
  Size/MD5:   206716 7d8f89d2f933e03ba957a4dab3bd3b05

http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6_6.0.2.5-1ubuntu1.4_i386.deb
  Size/MD5:   162920 cdb938585e251bd9304f3203efe4541a

http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6-dev_6.0.2.5-1ubuntu1.4_i386.deb
  Size/MD5:  1425872 439f600c0fd309caf5e69df2e7e98a88

http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6_6.0.2.5-1ubuntu1.4_i386.deb
  Size/MD5:  1115876 d487f8b1259d468c5c0309c2937388a4

http://security.ubuntu.com/ubuntu/pool/universe/i/imagemagick/perlmagick_6.0.2.5-1ubuntu1.4_i386.deb
  Size/MD5:   137370 a5a62a05568a9687681c30c4cdd7e749

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5-1ubuntu1.4_powerpc.deb
  Size/MD5:  1371458 4c9cf675b5e4d68b903bfc92f657137d

http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6-dev_6.0.2.5-1ubuntu1.4_powerpc.deb
  Size/MD5:   225366 5772b0ce2aa584a9030bbbe4388b3f95

http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6_6.0.2.5-1ubuntu1.4_powerpc.deb
  Size/MD5:   154678 01f57a326e5fd9785fd1c9e7aecacc8d

http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6-dev_6.0.2.5-1ubuntu1.4_powerpc.deb
  Size/MD5:  1660840 ee31f265a2129e7a9da5b9c26dd35910

http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6_6.0.2.5-1ubuntu1.4_powerpc.deb
  Size/MD5:  1151880 9612131ca3b44c2c6f22b3a751143297

http://security.ubuntu.com/ubuntu/pool/universe/i/imagemagick/perlmagick_6.0.2.5-1ubuntu1.4_powerpc.deb
  Size/MD5:   136294 eb63a44b42367710ec5fd91fedb369e2


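Added example, not part of the advisory and not ImageMagick's code: a C sketch of the defensive side of the bug class the notice describes. It contains a reporting helper that always passes an untrusted file name as a "%s" argument rather than as the format string, a counter for conversion directives in a name (useful for logging or rejecting uploads at a web front end), and a percent-escaping routine for the case where a legacy API only accepts a format string. The sample file names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Count conversion directives ("%d", "%n", "%08x", ...) in an untrusted
   string; "%%" is a literal percent sign and is not counted. Useful for
   logging or for rejecting names in an upload or print pipeline. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent, skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened reporting: the untrusted name is an argument to a fixed format,
   never the format itself. The vulnerable shape is the same call with the
   file name in the format position, which lets directives inside the name
   drive the formatter. Returns the length written, or -1 on error. */
int safe_report(char *out, size_t outlen, const char *name)
{
    int n = snprintf(out, outlen, "unable to open image `%s'", name);
    return n < 0 ? -1 : n;
}

/* Mitigation for code paths that must hand a name to a legacy API taking a
   format string: double every '%' so the formatter sees only literals.
   Returns 0 on success, -1 if the output buffer is too small. */
int escape_percent(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in != '\0'; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (o + need >= outlen)   /* keep room for the terminator */
            return -1;
        out[o++] = *in;
        if (*in == '%')
            out[o++] = '%';
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed file names as an upload handler might see them. */
    const char *names[] = { "holiday.png", "sale-100%%.png", "photo-%08x-%n.png" };
    char msg[96];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        safe_report(msg, sizeof msg, names[i]);
        printf("%d directive(s): %s\n", count_format_directives(names[i]), msg);
    }
    return 0;
}
```

Building with `-Wformat-security` (GCC and Clang) flags the vulnerable shape, a non-literal format with no arguments, at compile time; the escaping helper is the fallback for APIs you cannot change.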

Re: [Full-Disclosure] Things that make you go Hmmm

2005-03-03 Thread James Tucker
[complete snip]

What amazes me most having read this whole thread, is not so much that
a server may have been hacked; this happens if you gain enough
attention from the wrong people and do not build your systems hard
enough (like people in a failing company).

I am amazed that a forensics box was the target, moreover, that it was
capable of being the target, and even more amazed that in fact it was
a corporate mailserver.
1. If the box was to be used for forensics research, it is likely that
it contains sufficient tools in certain user accounts to do any amount
of damage to the system and to view almost every important property of
it in a relatively short space of time. To put such a system in a high
point of exposure, or in a point of high information value (such as
running a mailserver from it) is extremely bad practice.
2. The company uses spamsoap store and forward. If the mail server was
configured to retrieve mail from spamsoap it is entirely possible that
the store and forward account was also compromised, leading to
potential disclosure without continued access to pivx network
infrastructure.
3. If the machine was so core to infrastructure why was it given a
live dns address so close to the domain root?
4. Pivx' (lack of proper) response to the issue. They had a box
labelled forensics hacked, and it is being re-imaged. So in other
words, it's going to be returned to the same state as it was
originally, without any forensics work taking place.
5. If re-imaged there is nothing to suggest that the previously used
exploits will not work again on the new system, thus the need for
proper forensics work, which has clearly been neglected.
6. Recent major disclosure of internal publications and
communications, there are a lot of clearly frustrated employees within
pivx each of which may be attempting to cover their tracks of
information disclosure by hacking, or allowing said machine to be
hacked.
7. Given the nature of the company and the configuration which they
would seem to be referring to there is no good reason why the server
in question was publicly accessible at all, there is a perfectly good
store and forward service which can happily be the sole external
communicator with the box.
8. The forensics department seems to be out of contact with the
operations staff, who seem to be not directly related to the
corporate counsel. Who is actually in charge of your company? I am
beginning to think the hacker has more control than any of you.
9. Discussions of server exploitation via potentially disclosed
communications mediums. In the event that the hacker had successfully
spread from forensics.pivx.com to some other machine (not unlikely
being your displayed e-mail etiquette) then the mails you send
discussing the matter may also have been compromised. In essence you
do not know where the mail has come from, who sent it, or when it was
sent. In fact there is no reason to trust anything in or out of pivx
right now.
10. Evident lack of experience dealing with internal corporate
security issues and poor communication leading to widespread
disclosure of potentially damaging situations without explained cause
or reason.

I would strongly suggest that any and probably all of Pivx financial
issues are products of the above, or situations similar to the above.
This company is not capable of picking up the phone or reaching
individuals over any secured transport medium. In fact it would seem
that everyone knows a little of something, but not even a lot. There
is deceit and destruction occurring from within the company. My
suggestion to Pivx as a whole is to stop what you are currently doing,
look at your infrastructure (human and systems) and decide what CAN be
managed and what CANNOT. Remove immediately that which cannot be
managed and begin MANAGING that which can. There is no reason to keep
any employees which are not capable of fulfilling the company goals.
A company is a team so someone trying to score at the wrong end is no
use at all.

I am sure your investors are mighty excited to hear the next
installment. If you still have any value in your company, given that
you had an attack and you destroyed all the evidence of what was done.
What if a mail was captured containing sufficient information to gain
access to build files for your products?
Have you verified the contents of the applications on your web servers? 
Are your customers safe from attacks?
Are you un-knowing as to the status of your system automations such as
updates and the current state of information flow out of the company?

Whilst it is true from this point that Jason Coombs may have thought
the box was being hacked during the time when some other member of the
business was performing critical updates or some other management
function, there is no good reason why Jason was not aware of this
before it happened. If Mark is confident that the box has not been
hacked, then he needs to take actions to find out what is going on
with Jason and 

[Full-Disclosure] Fwd: IObjectSafety and Internet Explorer

2005-03-03 Thread Georgi Guninski
tru$tworthy computing in action.

- Forwarded message from Shane Hird [EMAIL PROTECTED] -

Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Precedence: bulk
List-Id: bugtraq.list-id.securityfocus.com
List-Post: mailto:bugtraq@securityfocus.com
List-Help: mailto:[EMAIL PROTECTED]
List-Unsubscribe: mailto:[EMAIL PROTECTED]
List-Subscribe: mailto:[EMAIL PROTECTED]
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  
b=UHlx/DCPay5aDx3sQLhz8ksQD4C3uPVxYXp0ZbQBw9VYpP5qoK2Fkukp3B328ifM0GilOTUGDfuJjT+rNuEQ3PJ5Hdm0A2VQAuM3E5WFqWRzOfWeBX63BJUZVsajfP3uICmK08t2MwA87Lud3oP/xH7KimUc7fmXC1WoQ4/vhv8=
  ;
Date: Tue, 1 Mar 2005 06:59:35 -0800 (PST)
From: Shane Hird [EMAIL PROTECTED]
Subject: IObjectSafety and Internet Explorer
To: bugtraq@securityfocus.com

Summary

Problems with ActiveX in Internet Explorer are nothing new. However, I
believe there is a design flaw in the way they are implemented in IE which
could be easily corrected, but has never been addressed.

The following issues with the use of IObjectSafety in Internet Explorer can
be summed up with this excerpt from a Microsoft knowledge base article (PSS
ID Number: 216434)

INFO: How Internet Explorer Determines If ActiveX Controls Are Safe
http://support.microsoft.com/kb/q216434/ :

There are two ways to mark a control as safe for scripting and
initialization: 
Implement the IObjectSafety interface.
Provide the following registry keys for the control's CLSID under the
Implemented Categories section:
The following key marks the control safe for scripting:
{7DD95801-9882-11CF-9FA9-00AA006C42C4}
The following key marks the control safe for initialization from persistent
data:
{7DD95802-9882-11CF-9FA9-00AA006C42C4}

Microsoft recommends that you implement IObjectSafety to mark a control as
safe or unsafe. This prevents other users from repackaging your control and
marking it as safe when it is not.

1] The IObjectSafety interface allows a container to retrieve the control's
initialization and scripting capabilities through its
SetInterfaceSafetyOptions method. First, Internet Explorer checks to see if
a control implements the IObjectSafety interface. If it does, Internet
Explorer calls SetInterfaceSafetyOptions for the IPersist interfaces to
check if the object is safe for initialization. When a control is first
scripted, Internet Explorer first calls SetInterfaceSafetyOptions on the
IDispatchEx interface of the control. If that fails, it calls
SetInterfaceSafetyOptions on the IDispatch interface. 

snip

2] If the control does not implement the IObjectSafety interface, Internet
Explorer looks under the Implemented Categories section of the control for
the keys mentioned above. If these keys are not present, Internet Explorer
warns the user according to the security settings.


Design flaw

What this article fails to mention is that checks to see if a control
implements the IObjectSafety interface requires and results in the starting
of the COM server process. This is due to the requirement of COM that
querying for an interface is done through the server's running code, rather
than a static lookup for the interface.

This means that, even if the COM server has not been marked as safe, or was
even built before the existence of Internet Explorer, it can still be
started (at least to the point where IObjectSafety can be queried) by
arbitrary web pages on the Internet. (with the default IE Medium security
settings).

AFAIK, this also relates to why there was the spate of {--11..}
codebase=calc.exe type exploits possible in IE.

This poses two problems:

---1) We have no easy way of determining what COM servers on a given
machine can be started and scripted by IE.

Enumerating safe objects using the registry keys is both fast and stable.
But with the addition of objects which can only be determined if they are
safe by starting the (potentially heavyweight) COM  server and querying
them, this becomes impractical to do.

---2) Any COM server can be started, including potentially corrupt or
dangerous servers, that were never marked as safe.

Just starting the server and querying for IObjectSafety in 99% of cases
isn't going to cause any significant security violation. However this is
dependent on the particular components installed on the machine and how they
initialise. Components that may never have been intended to be started from
remote web pages. It also poses a stability issue for IE.


Exploitable safe objects

To give an example of a control which has IObjectSafety but not marked as
safe by keys in the registry, we have the Log Sink class provided by
pkmcore.dll (Common Files/Microsoft Shared/Web Folders/).

This object would allow a remote attacker to write data to any file, i.e.

object 
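As an added illustration (not Shane Hird's code and not a Microsoft tool) of the registry half of the check described above: a C parser that walks a constructed `reg export`-style text dump of HKEY_CLASSES_ROOT\CLSID and lists which CLSIDs carry the two safety category GUIDs from KB216434. As the post notes, this static inventory is fast and stable but cannot see controls that only implement IObjectSafety; the sample CLSIDs and the unrelated category GUID in the dump are placeholders.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define GUID_LEN 38            /* "{8-4-4-4-12}" including the braces */
#define MAX_CONTROLS 16

/* Category GUIDs quoted in the post (KB 216434). */
#define CATID_SAFE_FOR_SCRIPTING "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
#define CATID_SAFE_FOR_INIT      "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"

struct control {
    char clsid[GUID_LEN + 1];
    int safe_for_scripting;
    int safe_for_init;
};

/* Case-insensitive GUID comparison; exports may use either case. */
static int guid_eq(const char *a, const char *b)
{
    for (int i = 0; i < GUID_LEN; i++)
        if (toupper((unsigned char)a[i]) != toupper((unsigned char)b[i]))
            return 0;
    return 1;
}

static struct control *find_or_add(struct control *t, int *n, int max, const char *clsid)
{
    for (int i = 0; i < *n; i++)
        if (guid_eq(t[i].clsid, clsid))
            return &t[i];
    if (*n >= max)
        return NULL;
    struct control *c = &t[(*n)++];
    memcpy(c->clsid, clsid, GUID_LEN);
    c->clsid[GUID_LEN] = '\0';
    c->safe_for_scripting = c->safe_for_init = 0;
    return c;
}

/* Handle one "[HKEY_CLASSES_ROOT\CLSID\{...}\Implemented Categories\{...}]"
   line; returns 1 if it marked a control safe, 0 for any other line. */
static int parse_key_line(struct control *t, int *n, int max, const char *line)
{
    const char *p = strstr(line, "\\CLSID\\{");
    if (p == NULL)
        return 0;
    p += strlen("\\CLSID\\");
    if (strlen(p) < GUID_LEN)
        return 0;
    const char *cat = strstr(p + GUID_LEN, "\\Implemented Categories\\{");
    if (cat == NULL)
        return 0;
    cat += strlen("\\Implemented Categories\\");
    if (strlen(cat) < GUID_LEN)
        return 0;
    int scripting = guid_eq(cat, CATID_SAFE_FOR_SCRIPTING);
    int init = guid_eq(cat, CATID_SAFE_FOR_INIT);
    if (!scripting && !init)
        return 0;
    struct control *c = find_or_add(t, n, max, p);
    if (c == NULL)
        return 0;
    if (scripting) c->safe_for_scripting = 1;
    if (init) c->safe_for_init = 1;
    return 1;
}

/* Scan a whole dump (lines separated by '\n'); returns the number of
   controls that carry at least one of the two safety categories. */
int inventory_safe_controls(const char *dump, struct control *t, int max)
{
    int n = 0;
    char line[512];
    while (*dump != '\0') {
        const char *nl = strchr(dump, '\n');
        size_t len = nl ? (size_t)(nl - dump) : strlen(dump);
        if (len < sizeof line) {   /* over-long lines are skipped, not truncated */
            memcpy(line, dump, len);
            line[len] = '\0';
            parse_key_line(t, &n, max, line);
        }
        dump += len + (nl ? 1 : 0);
    }
    return n;
}

/* Constructed sample export: placeholder CLSIDs, one control marked both
   ways, one marked only for scripting (lower-case), one in an unrelated
   (made-up) category. */
const char *SAMPLE_DUMP =
    "Windows Registry Editor Version 5.00\n"
    "\n"
    "[HKEY_CLASSES_ROOT\\CLSID\\{00000000-1111-2222-3333-444444444444}]\n"
    "@=\"Constructed Control A\"\n"
    "[HKEY_CLASSES_ROOT\\CLSID\\{00000000-1111-2222-3333-444444444444}\\Implemented Categories\\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]\n"
    "[HKEY_CLASSES_ROOT\\CLSID\\{00000000-1111-2222-3333-444444444444}\\Implemented Categories\\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]\n"
    "[HKEY_CLASSES_ROOT\\CLSID\\{00000000-1111-2222-3333-555555555555}\\Implemented Categories\\{7dd95801-9882-11cf-9fa9-00aa006c42c4}]\n"
    "[HKEY_CLASSES_ROOT\\CLSID\\{00000000-1111-2222-3333-666666666666}\\Implemented Categories\\{00000000-0000-0000-0000-0000000000AA}]\n";

int main(void)
{
    struct control t[MAX_CONTROLS];
    int n = inventory_safe_controls(SAMPLE_DUMP, t, MAX_CONTROLS);
    for (int i = 0; i < n; i++)
        printf("%s scripting=%d init=%d\n", t[i].clsid, t[i].safe_for_scripting, t[i].safe_for_init);
    return 0;
}
```

On a real host, `reg export HKEY_CLASSES_ROOT\CLSID hkcr-clsid.reg` writes the dump in UTF-16; convert it to UTF-8 before feeding it in. The list this produces is the lower bound of scriptable controls, which is exactly the gap the post complains about.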

Re: [Full-Disclosure] PIVX IS BANKRUPT

2005-03-03 Thread ren hoek
hahaha i thought it was hilarious


On Thu, 3 Mar 2005 11:49:25 +1300, VeNoMouS [EMAIL PROTECTED] wrote:
 ummm WHO GIVES A SHIT??
 - Original Message -
 From: [EMAIL PROTECTED]
 To: full-disclosure@lists.netsys.com
 Sent: Thursday, March 03, 2005 5:47 AM
 Subject: [Full-Disclosure] PIVX IS BANKRUPT
 
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
 
  It is common knowledge amongst the security community that the
  reverse shell merger (lowest form of financing generally reserved
  for penny stocks and mining stocks) company called PIVX SOLUTIONS
  INC has zero traction since its inception. It is nothing more than
  a vehicle to try to make the primary shareholders rich quickly
 
  - the product called Qwik-Fix Pro, PIVX's flagship product is the
   laughing stock of the security community, nothing more than a GUI
  wrapped around Window OS registry files. Coded so poorly it looks
  like the sample product of a 10 year old child's first code efforts
 
  - the primary auditor of PIVX SOLUTIONS INC cite: On January 12,
  2005, McKennon, Wilson  Morgan LLP (McKennon) resigned as
  Independent Registered Public Accounting Firm for PivX Solutions,
  Inc. (PivX). stating that it had; cite:  substantial doubt
  about PivX's ability to continue as an ongoing concern (source SEC
  Filing: :PIVX SOLUTIONS, INC. 0001160420 8-K 1/20/2005 1/12/2005)
 
  - the principal Geoff Shively was recently outed as a non-player
  in the security community cite: But the source didn't want to stop
  there. He says he and his friends are laughing at the story because
  all of Shivley's claims are patently false (source:
  http://www.networklifemag.com/weblogs/securitychief/2005/007302.html
  )
 
  - there are no sales of note for this product called Qwik-Fix Pro,
  PIVX's flagship product, there are no distribution agreements of
  note for this product domestically or internationally, despite the
  daily press releases made by PIVX SOLUTIONS INC, names of signed
  distributors internationally prove non-existent as do OEM
   reportedly carrying this non-product
 
  - the financials of PIVX SOLUTIONS INC after launching its product
  called Qwik-Fix Pro, PIVX's flagship product are pitiful:
 
                                              Three Months Ended                     Nine Months Ended
                                      September 30, 2004  September 30, 2003  September 30, 2004  September 30, 2003
                                      ------------------  ------------------  ------------------  ------------------
   Revenues:
   Consulting revenue                           $ 62,171            $163,935            $ 86,171            $743,923
   Subscription revenue                           13,619                  --              18,028                  --
                                               --------            --------            --------            --------
   Total revenues                                 75,790             163,935             104,199             743,923

   Total liabilities and stockholders' equity                                                              $ 3,558,287

 
 See accompanying notes to these condensed consolidated
  financial statements
 
 
  (sourceSEC Filing: PIVX SOLUTIONS, INC. 0001160420 10QSB 11/12/2004
  9/30/2004)
 
  - - the owners of this farce thought they could create something from
  nothing, aka called Qwik-Fix Pro, PIVX's flagship product, sadly it
  is nothing and was always nothing. Handing out and diluting shares
  in PIVX SOLUTIONS, INC. to everyone and anyone who would promote
  their nothing product.
 
   Alas the rats will flee the sinking ship and yet another comical
   entry into the security scene will be shattered into smithereens.
 
  The clock is ticking. Daddy needs to get a real job next time.
 
 
  -BEGIN PGP SIGNATURE-
  Note: This signature can be verified at https://www.hushtools.com/verify
  Version: Hush 2.4
 
  wkYEARECAAYFAkIl7iwACgkQTrOyScgyfI42WwCfZh1d/05v3GypNHRBhUCgVupJDt8A
  oJUx/QhAS4GkgYA84dkkxejlY5/+
  =N1/S
  -END PGP SIGNATURE-
 
 
 
 
 
 


-- 
smile tomorrow will be worse


[Full-Disclosure] Retrieve Internet Explorer protected storage ?

2005-03-03 Thread Frederic Charpentier
hi list !
I am seeking source code to retrieve Internet Explorer stored passwords, 
like CanAbel do.
If someone had this...

Fred


Re: [Full-Disclosure] slashdot

2005-03-03 Thread Brendan Dolan-Gavitt
This is almost certainly caused by the old, old, slashdot formatting
bug in the gecko rendering engine. I've noticed it's been happening a
bit more frequently in the past day or so, as well.  A workaround is
to decrease and then increase the text size (Ctrl-minus,Ctrl-plus),
which forces the browser to re-do the layout.

This thread should die now.

-Brendan


On Wed, 2 Mar 2005 20:37:53 -0800, Export TheGeek [EMAIL PROTECTED] wrote:
 I keep getting messed up formatting, with the articles appearing out
 of the main and normal area, to the right of everything, takes 3 or 4
 reloads for it to work properly.
 
 
 On Wed, 02 Mar 2005 23:00:03 -0500, ntx0f [EMAIL PROTECTED] wrote:
   Frank Denis (Jedi/Sector One) wrote:
  
   On Wed, Mar 02, 2005 at 07:20:38AM -0300, Carlos de Oliveira wrote:
  
   Whats wrong with slashdot this morning?
  
   Nothing.
  
   Slashdot seems to work flawlessly.
  
 
  why is this on the mailing list?
  i dont think the point of full disclosure is to send in a email
  everytime someone's dns is fucked up and a site doesnt come up for them.


Re: [Full-Disclosure] PIVX IS BANKRUPT

2005-03-03 Thread Joachim Schipper
On Wed, Mar 02, 2005 at 08:47:41AM -0800, [EMAIL PROTECTED] wrote:
 It is common knowledge amongst the security community that the
 reverse shell merger (lowest form of financing generally reserved
 for penny stocks and mining stocks) company called PIVX SOLUTIONS
 INC has zero traction since its inception. It is nothing more than
 a vehicle to try to make the primary shareholders rich quickly

Looks like someone has a beef with PivX. Too many badmouthing lately.

(No, I don't care a bit about PivX, and certainly don't work for them.
I'll keep to Linux/Solaris and family, thank you.)

Joachim


Re: [Full-Disclosure] Things that make you go Hmmm

2005-03-03 Thread Jason Coombs
Wow, James.
Very nice analysis.
You've drawn invalid conclusions based on speculations, but it's the thought 
process that matters most in incident response, and you've got a decent ability 
to infer possibilities from limited information. At least you get yourself to 
the point where you can ask good questions. That's hard to teach.
Do you work incident response?
I don't think the forensics.PivX.com Linux box was doing anything other than 
sitting there wearing a fancy FQDN... But that's not something that I know 
about for sure. I haven't been an employee of PivX since September.
I do know that I was accused of doing something to the box.
If the assertion that I received from two different sources, that the box was 
compromised in some way, was itself based on bad information, then I may have 
passed on bad information.
Whether or not that is so will require expert forensic analysis and opinion 
testimony that, as you point out, may now be impossible due to re-imaging.
The 'incident' here, to continue your thought process for you, may be as simple 
as a malicious ex-employee who is just trying to spread rumors in order to harm 
the company.
How would you advise your client that such an incident be handled?
For starters, you'd see if you can interest law enforcement in prosecuting 
based on the presumption of guilt. As a public company in the U.S.A. you would 
have extra leverage of securities laws, as criminal charges could be filed 
against anyone who may have tried purposefully to manipulate the company's 
stock price.
Then there's tortious interference in trade. No person or entity is allowed to 
interfere with the capability of another person or entity to interest others in 
doing business, or continuing to do business, with them, by any but fair means 
of competition.
http://www.lectlaw.com/def2/t061.htm
Doing so results in a cause of action that may be brought in civil court.
Does this apply to sincere and truthful communications with one's peers on 
full-disclosure, when that communication results in the (temporary) appearance 
of diminished capacity to effectively compete? What if there is no thought 
whatsoever of competition? What if the interest and motive are purely the best 
interest of the security community at large? How then does tortious 
interference come into play as a result of simple security-related 
communications?
Wasn't this essentially the argument made by HP against SnoSoft for publishing 
Tru64 vulnerability exploits? Sure, the DMCA and Computer Fraud and Abuse Act 
gave the appearance of substance to the accusations for a short time, based on 
fears that speech could now be curtailed just by alleging that it was harmful 
to the copyright or computer security of an owner of same, in essence abusing 
courts' and legislators' lack of understanding of technical jargon to gain new 
power and advantage, and thus increased economic value, from intellectual 
property rights...
http://www.theregister.co.uk/2002/07/31/hp_invokes_dmca_to_quash/
... but isn't it the same thing in different terms when we declare other 
people's speech, and their important and valuable communications, to be illegal 
or to be a justification for lawsuit based solely on the difference of status, 
the speaker being not an owner and the subject of the speech being an owner of 
property, or the subject of speech being an artificially created storehouse of 
perceived value with perpetual existence (i.e. a corporation) ? Why do natural 
persons have inferior rights and fewer complex civil and criminal legal 
protections than do artificial persons in possession of immortality?
Surely the natural person is entitled to a level playing field, something to 
balance out the harm that is otherwise done to natural persons' sense of 
self-worth and hopefulness for the future during their short and relatively 
insignificant existence compared to that of a corporation?
Next in your incident response, James, you might examine any contracts that 
bind the suspect, and ascertain whether there was any duty of care or misuse of 
company property or violation of confidentiality agreements that might give 
rise to a cause of action against the individual for passing on the bad 
information as a breach of contract or as defamation of character.
Bearing in mind that this cause of action will hinge on the question of fact 
with respect to the server's true condition. Passing on something that is 
believed to be true may not be enough to save the offender from liability for 
defamation if it turns out that person could have or should have known the 
information to be false and acted recklessly.
Your point that if a mail server is compromised, why wouldn't the attacker send 
bogus e-mail all day long, creating fights and watching them spiral out of 
control, is very insightful.
This does happen in the real world.
Information forensics is a very strange business, and incident response often 
takes you where you least expected to go at 

Re: [Full-Disclosure] Retrieve Internet Explorer protected storage ?

2005-03-03 Thread Egoist
Hello Frederic,

Thursday, March 3, 2005, 1:27:17 PM, you wrote:

FC hi list !
FC I seeking a source code to retrieve Internet Explorer stored passwords, 
FC like CanAbel do.
FC If someone had this...

FC Fred



what compiler do u want to use? i have code, google have it too.

-- 
Best regards,
 Egoistmailto:[EMAIL PROTECTED]




Re: [Full-Disclosure] Things that make you go Hmmm

2005-03-03 Thread Matt
In a good company Incident Response isn't dictated by any of what you
said above.  It's dictated by policy.  Because if you stand around too
long gathering all the information, be it usable or not, you're doing
2 things.

1.  You're wasting time.

2.  You're possibly prejudicing yourself to one side or another.

You don't make assumptions, you don't find out if the government is
interested in prosecuting based off any information you can acquire,
cause i assure you, they won't be unless you've lost hundreds of
thousands of dollars.  And you absolutely never, ever have a suspect
in mind when you start examining a machine.  Which usually leads me
back to my first statement, Dictated by policy.  Usually in order to
have someone without prejudice examine a machine, an outsider or
someone without knowledge of the event will be brought in and not told
anything other than the box is suspect.  They will then examine the
box, look for any traces of wrongdoing on the box, record it carefully
and present you with the findings.  If in their search they can find
some trail that leads them to an individual, be it a real name or an
alias, they will then make their judgement as to if that person is
then a suspect.

That is the way proper forensics is carried out.

And this all brings me back to my original message.

they're still just that stupid
Cause anyone who leaves a box connected to the internet that doesn't
need to be deserves to have it hacked.  Especially if they're not
firewalling it off carefully.  Just cause the Internet is out there
doesn't mean you've got to be a part of it with your lame box.


--

On Thu, 3 Mar 2005 12:39:21 + GMT, Jason Coombs [EMAIL PROTECTED] wrote:
 Wow, James.
 Very nice analysis.
 You've drawn invalid conclusions based on speculations, but it's the thought 
 process that matters most in incident response, and you've got a decent 
 ability to infer possibilities from limited information. At least you get 
 yourself to the point where you can ask good questions. That's hard to teach.
 Do you work incident response?
 I don't think the forensics.PivX.com Linux box was doing anything other than 
 sitting there wearing a fancy FQDN... But that's not something that I know 
 about for sure. I haven't been an employee of PivX since September.
 I do know that I was accused of doing something to the box.
 If the assertion that I received from two different sources, that the box was 
 compromised in some way, was itself based on bad information, then I may have 
 passed on bad information.
 Whether or not that is so will require expert forensic analysis and opinion 
 testimony that, as you point out, may now be impossible due to re-imaging.
 The 'incident' here, to continue your thought process for you, may be as 
 simple as a malicious ex-employee who is just trying to spread rumors in 
 order to harm the company.
 How would you advise your client that such an incident be handled?
 For starters, you'd see if you can interest law enforcement in prosecuting 
 based on the presumption of guilt. As a public company in the U.S.A. you 
 would have extra leverage of securities laws, as criminal charges could be 
 filed against anyone who may have tried purposefully to manipulate the 
 company's stock price.
 Then there's tortious interference in trade. No person or entity is allowed 
 to interfere with the capability of another person or entity to interest 
 others in doing business, or continuing to do business, with them, by any but 
 fair means of competition.
 http://www.lectlaw.com/def2/t061.htm
 Doing so results in a cause of action that may be brought in civil court.
 Does this apply to sincere and truthful communications with one's peers on 
 full-disclosure, when that communication results in the (temporary) 
 appearance of diminished capacity to effectively compete? What if there is no 
 thought whatsoever of competition? What if the interest and motive are purely 
 the best interest of the security community at large? How then does tortious 
 interference come into play as a result of simple security-related 
 communications?
 Wasn't this essentially the argument made by HP against SnoSoft for 
 publishing Tru64 vulnerability exploits? Sure, the DMCA and Computer Fraud 
 and Abuse Act gave the appearance of substance to the accusations for a short 
 time, based on fears that speech could now be curtailed just by alleging that 
 it was harmful to the copyright or computer security of an owner of same, in 
 essence abusing courts' and legislators' lack of understanding of technical 
 jargon to gain new power and advantage, and thus increased economic value, 
 from intellectual property rights...
 http://www.theregister.co.uk/2002/07/31/hp_invokes_dmca_to_quash/
 ... but isn't it the same thing in different terms when we declare other 
 people's speech, and their important and valuable communications, to be 
 illegal or to be a justification for lawsuit based solely on the difference 

[Full-Disclosure] Windows Registry Analzyer

2005-03-03 Thread Danny
Anyone know of any free tools to analyze what changes have been made
to a Windows 2000/XP registry?

Thanks,

...D
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Windows Registry Analzyer

2005-03-03 Thread Cassidy Macfarlane
You can, of course, use regmon (sysinternals.com) to monitor the
registry 'live' while changes are being made, however it sounds like you
want a product that would analyse the reg, then re-analyse after
installation, and report on changes.

This would indeed be a handy tool.  Anyone know of anything better than
regmon for this purpose?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: 03 March 2005 15:36
To: Full-Disclosure (E-mail)
Subject: [Full-Disclosure] Windows Registry Analzyer


Anyone know of any free tools to analyze what changes have been made
to a Windows 2000/XP registry?

Thanks,

...D


Re: [Full-Disclosure] Windows Registry Analzyer

2005-03-03 Thread NSC
Danny wrote:
Anyone know of any free tools to analyze what changes have been made
to a Windows 2000/XP registry?
Thanks,
...D

try Regshot. Didn't find the original site but it is downloadable from
many sites.

http://www.pcworld.com/downloads/file_description/0,fid,19540,00.asp
Have nice day.
Spencer


Re: [Full-Disclosure] Windows Registry Analzyer

2005-03-03 Thread Dave King
Sysinternals Regmon. http://www.sysinternals.com/ntw2k/source/regmon.shtml
Laters,
Dave King  CISSP
http://www.thesecure.net
Danny wrote:
Anyone know of any free tools to analyze what changes have been made
to a Windows 2000/XP registry?
Thanks,
...D




Re: [Full-Disclosure] Windows Registry Analzyer

2005-03-03 Thread Matt Ostiguy
http://www.sysinternals.com/ntw2k/source/regmon.shtml

Check out all their stuff - filemon is the cousin app for watching
file systems.


On Thu, 3 Mar 2005 10:35:49 -0500, Danny [EMAIL PROTECTED] wrote:
 Anyone know of any free tools to analyze what changes have been made
 to a Windows 2000/XP registry?
 
 Thanks,
 
 ...D



Re: [Full-Disclosure] Windows Registry Analzyer

2005-03-03 Thread Danny
On Thu, 3 Mar 2005 16:14:03 -, Cassidy Macfarlane
[EMAIL PROTECTED] wrote:
 You can, of course, use regmon (sysinternals.com) to monitor the
 registry 'live' while changes are being made, however it sounds like you
 want a product that would analyse the reg, then re-analyse after
 installation, and report on changes.
 
 This would indeed be a handy tool.  Anyone know of anything better than
 regmon for this purpose?

You read my registry, I mean, mind.

Thanks everyone for your suggestions.  So far, the following has been
tossed my way:

1) WinINSTALL LE - it's on every Windows 2000 Pro CD I've ever seen

*I will look into this one.

2) Regmon of course, from Sysinternals

*Which from my understanding only states what changes are being made
in real time.

3) Regshot

*Never heard of it, but will give it a go.

That's it so far.  I will post my results.

Cheers,

...D


Re: [Full-Disclosure] Windows Registry Analzyer

2005-03-03 Thread Dave King
Another possibility for static analysis would be to use Regedit to 
export the registry to a text file before and after and then use WinDiff 
or ExamDiff or some other file comparison utility to find the changes 
for you.

Laters,
Dave King
http://www.thesecure.net
Cassidy Macfarlane wrote:
You can, of course, use regmon (sysinternals.com) to monitor the
registry 'live' while changes are being made, however it sounds like you
want a product that would analyse the reg, then re-analyse after
installation, and report on changes.
This would indeed be a handy tool.  Anyone know of anything better than
regmon for this purpose?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: 03 March 2005 15:36
To: Full-Disclosure (E-mail)
Subject: [Full-Disclosure] Windows Registry Analzyer
Anyone know of any free tools to analyze what changes have been made
to a Windows 2000/XP registry?
Thanks,
...D




Re: [Full-Disclosure] Windows Registry Analzyer

2005-03-03 Thread Frank Knobbe
On Thu, 2005-03-03 at 10:35 -0500, Danny wrote:
 Anyone know of any free tools to analyze what changes have been made
 to a Windows 2000/XP registry?

There used to be a company/product called Intact, which provided change
monitoring of Registry settings as part of its HIDS offerings. I'm not
sure if they are still around or got bought. Unfortunately it's not a
free tool though.

Regards,
Frank





[Full-Disclosure] Bios programming...

2005-03-03 Thread Matt Marooney



I am trying to write a program to help people who are addicted to internet
pornography. This application would be tied into an online service where
someone could sign up for monitoring, and download a thin client app. The
application would run in the background of the person's computer, and upload
the person's internet activity to the website. The service would then email
this activity report to designated recipients. I have most of the knowledge to
create this service, but I need to know how to do a couple things:

1. I would like the program to be "un-installable". I've heard of a couple of
hardware security tracking services that can load a very small setup package
in the CMOS and if a computer is stolen, and the hard drive is replaced, the
app reloads itself and the next time the computer is on the internet, it sends
out a beacon. Does anyone have any insight about how to do something like
this? I want the CMOS program to run on boot, and check to see if the
monitoring software is still installed. If it is not, the boot process reloads
it.

2. obviously, the program does not need to be very large, so I want it to run
in the background and not be visible to the computer's user. This is easy, I
know, but I want the process to be completely invisible. (even to super-geeks)

3. I would like to figure out a way to monitor traffic for multiple protocols
(HTTP, FTP, File Sharing, Chat, etc.). I'm wondering if there is a way to
figure out "bad" requests on a packet level.

I really appreciate any help with these questions! Thank you all,

-- 
Matt






RE: [Full-Disclosure] Windows Registry Analzyer

2005-03-03 Thread Todd Towles
Use RegMon for real-time Reg watching and try this product for Snapshot
compares. I haven't used it but it looks to be fun and there is a
write-up in PCWorld about it. 

---
Readme file of Regshot 1.61  2002/03/30
---
Please view whatsnew.txt for update info!

-
Package includes:
-
regshot.exe,language.ini,readme.txt,whatsnew.txt


-
Introduction:
-
RegShot is a small registry compare utility that allows you to quickly take a
snapshot of your registry and then compare it with a second one - done after
doing system changes or installing a new software product. The changes report
can be produced in text or HTML format and contains a list of all
modifications that have taken place between snapshot1 and snapshot2. In
addition, you can also specify folders (with sub folders) to be scanned for
changes as well. In version 1.60+ you can save your whole registry in a *.hiv
file for future use.
Note: Regshot is a FREEWARE!

 http://regshot.yeah.net/

PCWorld Page -
http://www.pcworld.com/downloads/file_description/0,fid,19540,00.asp

-Todd



 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of Frank Knobbe
 Sent: Thursday, March 03, 2005 11:54 AM
 To: Danny
 Cc: Full-Disclosure (E-mail)
 Subject: Re: [Full-Disclosure] Windows Registry Analzyer
 
 On Thu, 2005-03-03 at 10:35 -0500, Danny wrote:
  Anyone know of any free tools to analyze what changes have 
 been made 
  to a Windows 2000/XP registry?
 
 There used to be a company/product called Intact, which 
 provided change monitoring of Registry settings as part of 
 its HIDS offerings. I'm not sure if they are still around or 
 got bought. Unfortunately it's not a free tool though.
 
 Regards,
 Frank
 
 



[Full-Disclosure] Re: Windows Registry Analzyer

2005-03-03 Thread Dave Korn
Eric Windisch wrote in message news:[EMAIL PROTECTED]
 Perhaps this is just the Unix user in me, but I ask:
 How about just making a copy of the registry on boot (or at intervals)
 and compare it to the last copy?

 Note that the following example is untested, but should be mostly
 accurate.

  No, it would be completely useless.  In case you didn't realise, the
registry is not an ASCII text file, it's megabytes of unintelligible binary
gibberish.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today





RE: [Full-Disclosure] Bios programming...

2005-03-03 Thread Matt Marooney

I believe the software is Softex TheftGuard.  I wonder how this is
possible.  I understood that most modern BIOS are protected against
writing.  I know there are a few viruses that can write to the BIOS?
Anybody know how to store a small program there?




-Original Message-
From: Gerry Eisenhaur [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 03, 2005 2:28 PM
To: Matt Marooney
Subject: Re: [Full-Disclosure] Bios programming...


Matt,
I too am interested in un-installable apps. Do you know that name of the
application you are talking about (in 1.)? I am interested for different
reasons than you, but think we may be able to help each other.

Thanks,
Gerry

Matt Marooney wrote:
 I am trying to write a program to help people who are addicted to 
 internet pornography.  This application would be tied into an online 
 service where someone could sign up for monitoring, and download a 
 thin client app.  The application would run in the background of the 
 person's computer, and upload the person's internet activity to the 
 website.  The service would then email this activity report to 
 designated recipients. I have most of the knowledge to create this 
 service, but I need to know how to do a couple things:
  
 1. I would like the program to be un-installable.  I've heard of a 
 couple of hardware security tracking services that can load a very 
 small setup package in the CMOS and if a computer is stolen, and the 
 hard drive is replaced, the app reloads itself and the next time the 
 computer is on the internet, it sends out a beacon.  Does anyone have 
 any insight about how to do something like this?  I want the CMOS 
 program to run on boot, and check to see if the monitoring software is

 still installed. If it is not, the boot process reloads it.
  
 2. obviously, the program does not need to be very large, so I want it

 to run in the background and not be visible to the computer's user. 
 This is easy, I know, but I want the process to be completely 
 invisible. (even to super-geeks)
  
 3. I would like to figure out a way to monitor traffic for multiple 
 protocols (HTTP, FTP, File Sharing, Chat, etc.) .  I'm wondering if 
 there is a way to figure out bad requests on a packet level.
  
 I really appreciate any help with these questions!  Thank you all,
  
 -- Matt
  
  
  
 
 
 --
 --
 

--
Gerry Eisenhaur
Cisco Security Agent
Boxborough, Massachusetts
PGP Key: 0xC13E8AFC
978-936-0465   Cisco Systems


Re: [Full-Disclosure] Bios programming...

2005-03-03 Thread Christian Leber
On Thu, Mar 03, 2005 at 01:44:39PM -0500, Matt Marooney wrote:
I am trying to write a program to help people who are addicted to internet
pornography.

That is very nice of you.

This application would be tied into an online service where
someone could sign up for monitoring, and download a thin client app.  The
application would run in the background of the person's computer, and
upload the person's internet activity to the website.  The service would
then email this activity report to designated recipients.  I have most of
the knowledge to create this service, but I need to know how to do a
couple things:

I see millions of poor addicts that would love to get logs sent to some
service. This service WILL have a GREAT future!!

1. I would like the program to be un-installable.  I've heard of a
couple of hardware security tracking services that can load a very small
setup package in the CMOS and if a computer is stolen, and the hard drive
is replaced, the app reloads itself and the next time the computer is on
the internet, it sends out a beacon.  Does anyone have any insight about
how to do something like this?  I want the CMOS program to run on boot,
and check to see if the monitoring software is still installed.  If it is
not, the boot process reloads it.

That's easy, will easily run on millions of different hardware
combinations. NOT
 
2. obviously, the program does not need to be very large, so I want it to
run in the background and not be visible to the computer's user. This is
easy, I know, but I want the process to be completely invisible. (even to
super-geeks)

You are lying.

There is no reason why someone would sign up for a service that installs
some application that is invisible and not removable and sends data to
some service.

3. I would like to figure out a way to monitor traffic for multiple
protocols (HTTP, FTP, File Sharing, Chat, etc.) .  I'm wondering if there
is a way to figure out bad requests on a packet level.

In the end you are either an insufficient troll[1] or someone who has no idea of 
nothing.
Oh, or you are working for the Bush administration.

Regards
Christian Leber

[1] If that is true, I'm sorry that i gave food to it.

-- 
http://www.nosoftwarepatents.com



RE: [Full-Disclosure] Bios programming...

2005-03-03 Thread Matt Marooney

Thanks for the feedback Valdis!

I've been doing some reading about custom BIOS chips that include
security programs, so that may not be the way I want to go...

I definitely want the program to behave like spyware, but not show up on
scanners! :)

The intent of the BIOS portion of the program was just to have a small
bit of code that checked for the existence of the main monitoring
program on the disk, and if it was not there, reload it somehow.  

The main program would run from the disk, not the BIOS.  


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 03, 2005 3:19 PM
To: Matt Marooney
Cc: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Bios programming... 


On Thu, 03 Mar 2005 13:44:39 EST, Matt Marooney said:

 1. I would like the program to be un-installable.  I've heard of a

Did you mean un-installable, as in an inability to be installed, or
non-uninstallable, as in not removable? :)

In any case, some time with Google will probably find you an Agobot or
spyware that will give you lots of hints on how to create a
hard-to-remove program. ;)

 couple of hardware security tracking services that can load a very 
 small setup package in the CMOS and if a computer is stolen, and the 
 hard drive is replaced, the app reloads itself and the next time the 
 computer is on the internet, it sends out a beacon.  Does anyone have 
 any insight about how to do something like this?  I want the CMOS 
 program to run on boot, and check to see if the monitoring software is

 still installed. If it is not, the boot process reloads it.

Note that this would almost certainly require an additional PROM chip,
and hooks into the BIOS to invoke it at the right points.  Note that
about all it can probably do is If the disk is different, toss a
crafted packet out the Ethernet and hope for the best.  Note that
you're probably screwed if they either reboot while not on the net, or
re-flash the BIOS with the original vendor BIOS (which implies further
hardware hacks to make the box not bootable with the original vendor
BIOS image).

If you want it to additionally run a program in the background, you'll
have to get the operating system to cooperate.

 2. obviously, the program does not need to be very large, so I want it

 to run in the background and not be visible to the computer's user. 
 This is easy, I know, but I want the process to be completely 
 invisible. (even to super-geeks)

Remember that in general, the BIOS is in control before boot, but after
boot, the BIOS is not in any meaningful control anymore.

Ask yourself what happens if your problem user boots a Knoppix CD that
doesn't want to play nice with your CMOS?
 
 3. I would like to figure out a way to monitor traffic for multiple 
 protocols (HTTP, FTP, File Sharing, Chat, etc.) .  I'm wondering if 
 there is a way to figure out bad requests on a packet level.

Take a look at Snort or other similar IDS, that tries to do that -
particularly in terms of the size of the binary, and the system load
impact.  And then ask yourself if something that big is easily hidden
inside the BIOS functionality (and consider carefully how many vendors
ship totally borked ACPI DSDT's or just broken BIOSes)



[Full-Disclosure] Re: Windows Registry Analzyer

2005-03-03 Thread Dave Korn
Cassidy Macfarlane wrote in message
news:[EMAIL PROTECTED]
 You can, of course, use regmon (sysinternals.com) to monitor the
 registry 'live' while changes are being made, however it sounds like you
 want a product that would analyse the reg, then re-analyse after
 installation, and report on changes.

 This would indeed be a handy tool.  Anyone know of anything better than
 regmon for this purpose?

  Yes, absolutely.  It's called InCtrl5 and it is *exactly* what you both
want.

  You run it once, it snapshots the state of the registry, the entire
contents of your HD, and the content of all the various text files such as
autoexec.bat / win.ini / boot.ini / autoexec.nt (etc).  Then it exits.  You
install whatever it is you wanted to install, then run it again; it takes
another snapshot, then compares the two and makes you a nice report showing
*every* change to your system - registry keys and values added, deleted or
modified; files and directories added, deleted or modified; and any changes
to those startup-script text files.

  It needn't be an install.  It'll tell you whatever differences there are
between the before and after snapshots.  What you do in between those two
times is up to you.  For instance it's quite interesting to take a snapshot,
do a reboot, and run the comparison when the machine boots up again, to see
how much volatile stuff gets changed every time you reboot windows.  Or you
can *un*install something, and by checking against the original installation
report (or by snapshotting, installing, running, then uninstalling the app
straight away before finally getting the comparison report) see if it's left
any traces behind.

  It's incredibly useful.  You'll have to google for it though.  It was
originally given away by some PC magazine or other, but they've restricted
access to their archives now.  See what you can find.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today




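The "export the registry to a text file before and after, then diff" approach Dave King suggested earlier in this thread, and the snapshot-and-compare report that Regshot and InCtrl5 produce, as an added example (not code from the thread and not from either tool). It assumes the input is Regedit's "Windows Registry Editor Version 5.00" export format; the two snapshots embedded below are constructed sample data, not a real system's registry, and the key and value names in them (ExampleCorp, monitor.exe) are made up for the illustration.

```python
"""Snapshot-and-compare for the Windows registry from Regedit text exports.

Added example for this thread; not code from the thread, Regshot or InCtrl5.
Two .reg files written by Regedit's "Export" (before and after a change) are
parsed and compared, and keys/values that were added, deleted or modified are
reported, as a Regshot-style report would show them.
"""
from __future__ import annotations

import re
from typing import Dict, Iterator, List

# key path -> {value name: raw value text exactly as written in the export}
Snapshot = Dict[str, Dict[str, str]]

# '"name"=value' or '@=value' (the key's default value)
_VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')


def _logical_lines(text: str) -> Iterator[str]:
    """Join Regedit's trailing-backslash continuation lines (long hex values)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg_export(text: str) -> Snapshot:
    """Parse .reg export text into {key path: {value name: raw value}}."""
    snap: Snapshot = {}
    current = None
    for line in _logical_lines(text):
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            snap.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue  # line outside any key, or a form this parser does not handle
        name, value = m.group(1), m.group(2)
        if name != "@":
            name = re.sub(r"\\(.)", r"\1", name[1:-1])  # unescape \" and \\ in names
        snap[current][name] = value
    return snap


def load_reg_file(path: str) -> Snapshot:
    """Regedit writes version 5.00 exports as UTF-16 with a BOM; REGEDIT4 files are ANSI."""
    with open(path, "rb") as f:
        data = f.read()
    is_utf16 = data.startswith((b"\xff\xfe", b"\xfe\xff"))
    return parse_reg_export(data.decode("utf-16" if is_utf16 else "latin-1"))


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, list]:
    """Change report: keys and values added, deleted or modified between snapshots."""
    report: Dict[str, list] = {k: [] for k in ("keys_added", "keys_deleted",
                                               "values_added", "values_deleted",
                                               "values_modified")}
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old is None:
            report["keys_added"].append(key)
        elif new is None:
            report["keys_deleted"].append(key)
        old, new = old or {}, new or {}
        for name in sorted(set(old) | set(new)):
            if name not in old:
                report["values_added"].append((key, name, new[name]))
            elif name not in new:
                report["values_deleted"].append((key, name, old[name]))
            elif old[name] != new[name]:
                report["values_modified"].append((key, name, old[name], new[name]))
    return report


_AUTOSTART = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")


def new_autostart_entries(report: Dict[str, list]) -> List[tuple]:
    """Values added under Run/RunOnce keys: the first thing to inspect in any diff."""
    return [v for v in report["values_added"] if any(v[0].endswith(s) for s in _AUTOSTART)]


def format_report(report: Dict[str, list]) -> List[str]:
    lines: List[str] = []
    for section, entries in report.items():
        lines.append(f"{section}: {len(entries)}")
        for e in entries:
            lines.append("  " + (" | ".join(e) if isinstance(e, tuple) else e))
    return lines


# Constructed sample exports (not real system data): "after" adds a Run entry
# and a Plugins key, bumps Version, and drops the Temp key.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent]
@="Example Agent"
"Version"="1.0"
"Config"=hex:01,00,00,00,\
  02,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Temp]
"Scratch"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent]
@="Example Agent"
"Version"="1.1"
"Config"=hex:01,00,00,00,\
  02,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Plugins]
"Count"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"Monitor"="C:\\Windows\\Temp\\monitor.exe"
"""

if __name__ == "__main__":
    rep = diff_snapshots(parse_reg_export(BEFORE), parse_reg_export(AFTER))
    print("\n".join(format_report(rep)))
    for key, name, value in new_autostart_entries(rep):
        print(f"new autostart entry: {key} -> {name}={value}")
```

For a real run, replace the embedded samples with `load_reg_file("before.reg")` and `load_reg_file("after.reg")` taken with Regedit's Export on the same root key. Values are compared as the raw text Regedit wrote, so a dword that merely changed representation would not be flagged, and, as Dave Korn notes above about reboots, expect a baseline of volatile keys that change on their own; taking two snapshots with nothing in between shows that noise floor before you look at an install.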

Re: [Full-Disclosure] Bios programming...

2005-03-03 Thread Peter Besenbruch
On Thu, Mar 03, 2005 at 01:44:39PM -0500, Matt Marooney wrote:
  I am trying to write a program to help people who are addicted to internet
  pornography...

  This application would be tied into an online service where
  someone could sign up for monitoring, and download a thin client app.  The
  application would run in the background of the person's computer, and
  upload the person's internet activity to the website.  The service would
  then email this activity report to designated recipients.  I have most of
  the knowledge to create this service, but I need to know how to do a
  couple things:...

  2. obviously, the program does not need to be very large, so I want it to
  run in the background and not be visible to the computer's user. This is
  easy, I know, but I want the process to be completely invisible. (even to
  super-geeks)
Christian Leber wrote:
There is no reason why someone would sign up for a service that installs
some application that is invisible and not removable and sends data to
some service...

In the end you are either an insufficient troll[1] or someone who has no idea of 
nothing.
Oh, or you are working for the Bush administration.
No, I suspect he is working for a company that wants state, or local 
government contracts for monitoring pedophiles. Pedophile access to the 
Internet is often limited as a part of their probation or parole. The 
software Mr. Marooney proposes would enable such people to use the 
Internet more extensively. Unfortunately, even I can think of some easy 
ways to bypass such a system.
--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky


RE: [Full-Disclosure] Bios programming...

2005-03-03 Thread Matt Marooney

Very true, and I'm sure that I am not going to be able to keep people
from getting around it, I just want to make it really really hard.
Obviously, if the person is smart enough to boot to a different OS,
setup their internet connection on that OS, and browse, then they are
not going to be using this product in the first place! 

I want this software to help people who want help, to keep them honest,
and unaware that their system is monitoring activity.  

Most of the other services out there are very in-your-face or they
only monitor one type of traffic.  The BIOS requirement was to keep the
users using the system.  If they take the machine in to BestBuy to get
it serviced, and the tech wipes or replaces the hard drive, the poor guy
doesn't remember to reload the monitoring software.  

I'm open to other suggestions, I just want to make it next to impossible
to delete (without the admin password, of course), and invisible to
operate.  

Thanks for the comments!

-- Matt   
 


-Original Message-
From: Paul J. Morris [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 03, 2005 8:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Bios programming...


Matt,
   Don't know much about working that close to the bios, but a couple of
potential means of circumvention immediately come to mind:
   
1) booting from cd, in particular booting with a different operating
system from the one you wrote the monitoring code for, as in booting
from a knoppix distribution.

2) browsing the web through a secure anonymous proxy (such as guardster)

-Paul

On Thu, 3 Mar 2005 13:44:39 -0500
Matt Marooney [EMAIL PROTECTED] wrote:

 I am trying to write a program to help people who are addicted to 
 internet pornography.  This application would be tied into an online 
 service where someone could sign up for monitoring, and download a 
 thin client app.  The application would run in the background of the 
 person's computer, and upload the person's internet activity to the 
 website.  The service would then email this activity report to 
 designated recipients. I have most of the knowledge to create this 
 service, but I need to know how to do a couple things:
  
 1. I would like the program to be un-installable.  I've heard of a 
 couple of hardware security tracking services that can load a very 
 small setup package in the CMOS and if a computer is stolen, and the 
 hard drive is replaced, the app reloads itself and the next time the 
 computer is on the internet, it sends out a beacon.  Does anyone have 
 any insight about how to do something like this?  I want the CMOS 
 program to run on boot, and check to see if the monitoring software is

 still installed. If it is not, the boot process reloads it.
  
 2. obviously, the program does not need to be very large, so I want it

 to run in the background and not be visible to the computer's user. 
 This is easy, I know, but I want the process to be completely 
 invisible.(even to super-geeks)
  
 3. I would like to figure out a way to monitor traffic for multiple 
 protocols (HTTP, FTP, File Sharing, Chat, etc.) .  I'm wondering if 
 there is a way to figure out bad requests on a packet level.
  
 I really appreciate any help with these questions!  Thank you all,
  
 -- Matt
  
  
  



Re: [Full-Disclosure] Re: Windows Registry Analzyer

2005-03-03 Thread Michael Holstein

  Yes, absolutely.  It's called InCtrl5 and it is *exactly* what you both
want.
Found it :
http://publicdata.home.comcast.net/inctrl5.zip
Also note : this is Plugin #56 on BartPE (which would be quite useful 
for forensics -- you could boot the undisturbed system under BART, grab 
a snapshot, do (x), and grab a comparison snapshot again under BART -- 
thus avoiding all the other volatile crud that changes between Windows 
reboots).

~Mike.


Re: [Full-Disclosure] Bios programming...

2005-03-03 Thread Bill Humphries
On Mar 3, 2005, at 11:40 AM, Christian Leber wrote:
   3. I would like to figure out a way to monitor traffic for multiple
   protocols (HTTP, FTP, File Sharing, Chat, etc.) .  I'm wondering 
if there
   is a way to figure out bad requests on a packet level.
In the end you are either an insufficient troll[1] or someone who has 
no idea of nothing.
And if it grabs credit card numbers and account passwords, the whole 
project becomes self-funding. And if it's run by a religious group, 
it's tax free!

It's brilliant.
The hapless 'addicts' identity gets owned by the group trying to 
rehabilitate them.

Meanwhile, Matt should look up Integrity Online, which was an ISP run 
by the Promise Keepers. I think they logged everything and told either 
your spouse or cadre leader if you went to counterrevolutionary sites.

Studying the techniques of Comrade Mao will also yield great ideas for 
keeping your people on the proper revolutionary path.

Closing the colleges and sending the youth to work on collective farms 
was big in the 1960's.

Now that the communists are gone, someone has to step into their place.
Cheers.
-- whump


Re: [Full-Disclosure] Bios programming...

2005-03-03 Thread Michael Holstein
 Anybody know how to store a small program there?
It's easy. Use an EEPROM programmer.
On write protected BIOSes all you have to do is figure out which pin 
is write_enable (get a pinout from the web) and figure out if that pin 
goes to +5v or ground to do what you want. Jumper accordingly.

However, on most motherboards I've encountered, the BIOS is writable .. 
just boot to a minimal OpenDOS disk (or linux counterpart).

There are a lot of hacks out there for BIOSes .. the Linux BIOS project 
for example, or the ways you can get your non-raid IDE controller to do 
raid by installing the retail BIOS for the RAID version of the same chipset.

~Mike.


Re: [Full-Disclosure] Bios programming...

2005-03-03 Thread Valdis . Kletnieks
On Thu, 03 Mar 2005 20:40:00 +0100, Christian Leber said:

 There is no reason why someone would sign up for a service that installs
 some application that is invisible and not removable and sents data to
 some service.

That's assuming of course that the user actually signs up for the service.
If they don't, the usual name for this sort of thing is spyware. :)




RE: [Full-Disclosure] Bios programming...

2005-03-03 Thread Matt Marooney

Thank you for your wonderful sarcastic wit and humor for the end of my
day.  I'm not sure if you checked before making your comments, but there
are already services out there that do this...and make money doing this.
Contrary to popular belief, there are people in the world that want to
get help for their problems.  I'll disregard the troll comment as this
is the first time I've NEEDED to post anything to this list.  I've been
reading it for years now.  Thanks.

-- Matt
  


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christian
Leber
Sent: Thursday, March 03, 2005 2:40 PM
To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Bios programming...


On Thu, Mar 03, 2005 at 01:44:39PM -0500, Matt Marooney wrote:
 I am trying to write a program to help people who are addicted to
 internet pornography.

That is very nice of you.

 This application would be tied into an online service where
 someone could sign up for monitoring, and download a thin client
 app.  The application would run in the background of the person's
 computer, and upload the person's internet activity to the website.
 The service would then email this activity report to designated
 recipients.  I have most of the knowledge to create this service, but
 I need to know how to do a couple things:

I see millions of poor addicts that would love to get logs sent to some
service. This service WILL have a GREAT future!!

 1. I would like the program to be un-installable.  I've heard of a
 couple of hardware security tracking services that can load a very
 small setup package in the CMOS and if a computer is stolen, and the
 hard drive is replaced, the app reloads itself and the next time the
 computer is on the internet, it sends out a beacon.  Does anyone have
 any insight about how to do something like this?  I want the CMOS
 program to run on boot, and check to see if the monitoring software is
 still installed.  If it is not, the boot process reloads it.

That's easy, will easily run on millions of different hardware
combinations. NOT

 2. obviously, the program does not need to be very large, so I want it
 to run in the background and not be visible to the computer's user.
 This is easy, I know, but I want the process to be completely
 invisible. (even to super-geeks)

You are lying.

There is no reason why someone would sign up for a service that installs
some application that is invisible and not removable and sends data to
some service.

 3. I would like to figure out a way to monitor traffic for multiple
 protocols (HTTP, FTP, File Sharing, Chat, etc.) .  I'm wondering if
 there is a way to figure out bad requests on a packet level.

In the end you are either an insufficient troll[1] or someone who has no
idea of nothing. Oh, or you are working for the Bush administration.

Regards
Christian Leber

[1] If that is true, I'm sorry that i gave food to it.

-- 
http://www.nosoftwarepatents.com



Re: [Full-Disclosure] Bios programming...

2005-03-03 Thread Valdis . Kletnieks
On Thu, 03 Mar 2005 15:33:09 EST, Matt Marooney said:

 The intent of the BIOS portion of the program was just to have a small
 bit of code that checked for the existence of the main monitoring
 program on the disk, and if it was not there, reload it somehow.  
 
 The main program would run from the disk, not the BIOS.  

Like I said - all it takes is a Knoppix disk to screw over most of these
schemes - you can't even disable booting from CD and put a BIOS password
on, because you have the following:

1) A motivated user

2) Unmonitored, unobserved physical access (if you don't, there's *bigger*
problems in this scenario ;)

3) Somewhere in there, there's a jumper that will reset the BIOS password

There's really *NO* way to do this on today's commodity hardware in a way that
will stop a user who knows it's there and has physical access.  At best, you
can do it in a way that will surprise an *unsuspecting* person (which is what
most of these anti-theft beacon programs do - the only reason they work is
because the guy who jacked the laptop probably doesn't realize the program is
installed, and thus doesn't take precautions to stop it).

The only way you can make this work is if you have hardware that includes
something like the TPM chipsets from NatSemi or Atmel.  Unfortunately, if your
operating system contains enough support for the chipset to use it so the
person at the keyboard can't subvert it, it will almost certainly use it *itself*
to stop people from doing exactly the sort of code insertion you're trying to do.

So you're *still* screwed. :)




Re: [Full-Disclosure] Re: Windows Registry Analzyer

2005-03-03 Thread Michael Holstein

  No, it would be completely useless.  In case you didn't realise, the
registry is not an ASCII text file, it's megabytes of unintelligible binary
gibberish.
True, but there are many programs (the Linux Registry Editor, for 
example) that can open it.

http://developer.berlios.de/projects/tlr-regedit
~Mike.


Re: [Full-Disclosure] Bios programming...

2005-03-03 Thread Ankush Kapoor
Very interesting software indeed, though I am not sure how many people
would like you keeping them honest and nice! Also, I won't be surprised
if someone soon attacked your website for making something that ruined
one of the few businesses on the net that make real money, namely
porn. Not that I am a patron of porn, but you sure will have a lot of
people knocking on your company's network.

anyway, I hope you manage to make this great little utility. I would
love to lay my hands on something like this to install a backdoor! ;)
Now, why didn't anyone think of that?!!


regards

Ankush Kapoor


On Thu, 3 Mar 2005 15:33:09 -0500, Matt Marooney
[EMAIL PROTECTED] wrote:
 
 Thanks for the feedback Valdis!
 
 I've been doing some reading about custom BIOS chips that include
 security programs, so that may not be the way I want to go...
 
 I definitely want the program to behave like spyware, but not show up on
 scanners! :)
 
 The intent of the BIOS portion of the program was just to have a small
 bit of code that checked for the existence of the main monitoring
 program on the disk, and if it was not there, reload it somehow.
 
 The main program would run from the disk, not the BIOS.
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Thursday, March 03, 2005 3:19 PM
 To: Matt Marooney
 Cc: full-disclosure@lists.netsys.com
 Subject: Re: [Full-Disclosure] Bios programming...
 
 On Thu, 03 Mar 2005 13:44:39 EST, Matt Marooney said:
 
  1. I would like the program to be un-installable.  I've heard of a
 
 Did you mean un-installable, as in an inability to be installed, or
 non-uninstallable, as in not removable? :)
 
 In any case, some time with Google will probably find you an Agobot or
 spyware that will give you lots of hints on how to create a
 hard-to-remove program. ;)
 
  couple of hardware security tracking services that can load a very
  small setup package in the CMOS and if a computer is stolen, and the
  hard drive is replaced, the app reloads itself and the next time the
  computer is on the internet, it sends out a beacon.  Does anyone have
  any insight about how to do something like this?  I want the CMOS
  program to run on boot, and check to see if the monitoring software is
 
  still installed. If it is not, the boot process reloads it.
 
 Note that this would almost certainly require an additional PROM chip,
 and hooks into the BIOS to invoke it at the right points.  Note that
 about all it can probably do is If the disk is different, toss a
 crafted packet out the Ethernet and hope for the best.  Note that
 you're probably screwed if they either reboot while not on the net, or
 re-flash the BIOS with the original vendor BIOS (which implies further
 hardware hacks to make the box not bootable with the original vendor
 BIOS image).
 
 If you want it to additionally run a program in the background, you'll
 have to get the operating system to cooperate.
 
  2. obviously, the program does not need to be very large, so I want it
 
  to run in the background and not be visible to the computer's user.
  This is easy, I know, but I want the process to be completely
  invisible. (even to super-geeks)
 
 Remember that in general, the BIOS is in control before boot, but after
 boot, the BIOS is not in any meaningful control anymore.
 
 Ask yourself what happens if your problem user boots a Knoppix CD that
 doesn't want to play nice with your CMOS?
 
  3. I would like to figure out a way to monitor traffic for multiple
  protocols (HTTP, FTP, File Sharing, Chat, etc.) .  I'm wondering if
  there is a way to figure out bad requests on a packet level.
 
 Take a look at Snort or other similar IDS, that tries to do that -
 particularly in terms of the size of the binary, and the system load
 impact.  And then ask yourself if something that big is easily hidden
 inside the BIOS functionality (and consider carefully how many vendors
 ship totally borked ACPI DSDT's or just broken BIOSes)
 


RE: [Full-Disclosure] Bios programming...

2005-03-03 Thread Matt Marooney

Hmm... That's all true... Especially the motivated user part :)

I'm banking on the probability that most people don't even know what a
BIOS is.  If they go to a site, and sign up for the service, after
entering their info, and email recipients, they would be prompted to
continue and download a small piece of software onto their computer.
The user would be assured that the software would not interfere with
their normal computer use (and it won't) and that's that.  They would
have no idea how the program is working, or where the program resides.  

This ignorance, should, IMHO, keep MOST people from figuring out how to
remove it (except you and me and everyone else on this list ;))  

I want to exploit the fact that they don't know which protocols are
being monitored, so they will be afraid to try to get around it.
Psychologically, the unknown will be more of a deterrent than anything
else.   

I know that I have had a bear of a time removing spyware in the past,
maybe we can leverage that technology for good somehow.  


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 03, 2005 3:57 PM
To: Matt Marooney
Cc: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Bios programming... 


On Thu, 03 Mar 2005 15:33:09 EST, Matt Marooney said:

 The intent of the BIOS portion of the program was just to have a small

 bit of code that checked for the existence of the main monitoring 
 program on the disk, and if it was not there, reload it somehow.
 
 The main program would run from the disk, not the BIOS.

Like I said - all it takes is a Knoppix disk to screw over most of these
schemes - you can't even disable booting from CD and put a BIOS password
on, because you have the following:

1) A motivated user

2) Unmonitored, unobserved physical access (if you don't, there's
*bigger* problems in this scenario ;)

3) Somewhere in there, there's a jumper that will reset the BIOS
password

There's really *NO* way to do this on today's commodity hardware in a
way that will stop a user who knows it's there and has physical access.
At best, you can do it in a way that will surprise an *unsuspecting*
person (which is what most of these anti-theft beacon programs do - the
only reason they work is because the guy who jacked the laptop probably
doesn't realize the program is installed, and thus doesn't take
precautions to stop it).

The only way you can make this work is if you have hardware that
includes something like the TPM chipsets from NatSemi or Atmel.
Unfortunately, if your operating system contains enough support for the
chipset to use it so the person at the keyboard can't subvert it, it
will almost certainly use it *itself* to stop people from doing exactly
the sort of code insertion you're trying to do.

So you're *still* screwed. :)



RE: [Full-Disclosure] Bios programming...

2005-03-03 Thread Randall Perry
The program in question is quite legitimate in nature and already
exists in several forms.
In some instances, it sends the data to 'accountability partners'
who are your chosen peers that monitor your activity.
Think of it as AA for online porn.  Online porn has become a
real problem for males age 12 to early 40's.
Properly implemented, solutions to combat porn are good business.
(mind you, this is not 'spyware' for parents.  this is targeted at
adults who are trying to curb their own behavior).
Those who are not aware of that epidemic should sit quietly and
not scoff at the efforts of others.
As for the function of BIOS, that is the wrong road to go down.
If you are looking for checking if services are disabled, then
have a bot call home every so often (much like DirectTV PPV).
Any 'net activity could be logged in a separate file and compared
to the monitor's activity report (to determine if it was active or not).
It would purge every 2-3 days to the online site.
If you do not have an update in 2-3 weeks, then send out an
email reminder.
To monitor IP activity, you might want to insert into the tcp/ip stack
through LSP layers (only for Windows boxes).
This lower level monitoring is harder to disable (but not impossible).
In this scenario you could either choose to redirect/block sites
(through blacklists or other)
-or-
Just log activity, don't block anything and lean towards the 'accountability'
side.
Good luck with the project,
it sounds noble at root.
RP


[Full-Disclosure] [ GLSA 200503-06 ] BidWatcher: Format string vulnerability

2005-03-03 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200503-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: BidWatcher: Format string vulnerability
  Date: March 03, 2005
  Bugs: #82460
ID: 200503-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

BidWatcher is vulnerable to a format string vulnerability, potentially
allowing arbitrary code execution.

Background
==========

BidWatcher is a free auction tool for eBay users to keep track of their
auctions.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  net-misc/bidwatcher        < 1.3.17                     >= 1.3.17

Description
===========

Ulf Harnhammar discovered a format string vulnerability in
netstuff.cpp.

Impact
======

Remote attackers can potentially exploit this vulnerability by sending
specially crafted responses via an eBay HTTP server or a
man-in-the-middle attack to execute arbitrary malicious code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All BidWatcher users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/bidwatcher-1.13.17"

References
==========

  [ 1 ] CAN-2005-0158
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0158

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200503-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


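The bug class this advisory describes, as an added example that is not BidWatcher's or Gentoo's code: a constructed HTTP response line carrying printf directives as its payload, the hardened logging pattern that keeps untrusted text out of the format-string position, and a check that flags server data containing directives before it reaches any printf-family call. The sample inputs and the function names (count_format_directives, log_response_safe, response_is_suspicious) are constructed for the illustration; the vulnerable line in netstuff.cpp is not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs (not real eBay traffic): a hostile response line
 * carrying printf directives as its payload, and a harmless one. */
static const char SAMPLE_HOSTILE[] = "HTTP/1.0 200 OK %x %x %n";
static const char SAMPLE_BENIGN[]  = "HTTP/1.0 200 OK";

/* The vulnerable shape the advisory describes looks like
 *     snprintf(out, outsz, response);
 * i.e. the untrusted text *is* the format string, so "%x" reads the stack
 * and "%n" writes to memory. It is deliberately not compiled here: on
 * SAMPLE_HOSTILE it is undefined behaviour. Everything below is the
 * defensive side. */

/* Count printf conversion directives in untrusted text. "%%" is an escaped
 * percent sign and is not counted; any other '%' would be interpreted if the
 * text were ever passed as a format string. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* literal "%%": skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened pattern: the untrusted text is passed as an argument to a fixed
 * format string, so any directives inside it are stored verbatim.  Returns
 * the snprintf length so a caller can detect truncation. */
int log_response_safe(char *out, size_t outsz, const char *response)
{
    return snprintf(out, outsz, "response: %s", response);
}

/* Policy check a defender can place in front of any logging or display of
 * server data: a legitimate HTTP status line never needs '%' directives, so
 * flag anything that carries one. */
int response_is_suspicious(const char *response)
{
    return count_format_directives(response) > 0;
}

int main(void)
{
    char buf[128];

    log_response_safe(buf, sizeof buf, SAMPLE_HOSTILE);
    printf("%s\n  directives=%d suspicious=%d\n", buf,
           count_format_directives(SAMPLE_HOSTILE),
           response_is_suspicious(SAMPLE_HOSTILE));
    return 0;
}
```

The directive counter treats a bare "%" followed by a space as a directive on purpose: "% d" is a valid conversion with a flag, so anything short of "%%" must be considered live if it ever reaches a format argument. The safe path needs no such scan at all, which is the real fix; the check is there for detection and for refusing data that should never contain such characters.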


Re: [Full-Disclosure] Bios programming...

2005-03-03 Thread Brent Colflesh

Bill Humphries wrote:
Closing the colleges and sending the youth to work on collective farms 
was big in the 1960's.

Now that the communists are gone, someone has to step into their place.
S - don't give the Republicans any more bright ideas...
Regards,
Brent


Re: [Full-Disclosure] Bios programming...

2005-03-03 Thread 'FoR ReaLz' E. Balansay
Hello,
Out of curiosity, isn't it possible/easier to monitor those stats by 
viewing your firewall traffic logs?

Goodbye,
Edgardo

On Thu, 3 Mar 2005, Matt Marooney wrote:
I am trying to write a program to help people who are addicted to
internet pornography.  This application would be tied into an online
service where someone could sign up for monitoring, and download a thin
client app.  The application would run in the background of the person's
computer, and upload the person's internet activity to the website.  The
service would then email this activity report to designated recipients.
I have most of the knowledge to create this service, but I need to know
how to do a couple things:
1. I would like the program to be un-installable.  I've heard of a
couple of hardware security tracking services that can load a very small
setup package in the CMOS and if a computer is stolen, and the hard
drive is replaced, the app reloads itself and the next time the computer
is on the internet, it sends out a beacon.  Does anyone have any insight
about how to do something like this?  I want the CMOS program to run on
boot, and check to see if the monitoring software is still installed.
If it is not, the boot process reloads it.
2. obviously, the program does not need to be very large, so I want it
to run in the background and not be visible to the computer's user. This
is easy, I know, but I want the process to be completely invisible.
(even to super-geeks)
3. I would like to figure out a way to monitor traffic for multiple
protocols (HTTP, FTP, File Sharing, Chat, etc.) .  I'm wondering if
there is a way to figure out bad requests on a packet level.
I really appreciate any help with these questions!  Thank you all,
-- Matt




[Full-Disclosure] [ GLSA 200503-07 ] phpMyAdmin: Multiple vulnerabilities

2005-03-03 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200503-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: phpMyAdmin: Multiple vulnerabilities
  Date: March 03, 2005
  Bugs: #83190, #83792
ID: 200503-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

phpMyAdmin contains multiple vulnerabilities that could lead to command
execution, XSS issues and bypass of security restrictions.

Background
==========

phpMyAdmin is a tool written in PHP intended to handle the
administration of MySQL databases from a web-browser.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /   Vulnerable   /             Unaffected
    -------------------------------------------------------------------
  1  dev-db/phpmyadmin         < 2.6.1_p2-r1              >= 2.6.1_p2-r1

Description
===========

phpMyAdmin contains several security issues:

* Maksymilian Arciemowicz has discovered multiple variable injection
  vulnerabilities that can be exploited through $cfg and GLOBALS
  variables and localized strings

* It is possible to force phpMyAdmin to disclose information in error
  messages

* Failure to correctly escape special characters

Impact
======

By sending a specially-crafted request, an attacker can include and
execute arbitrary PHP code or cause path information disclosure.
Furthermore the XSS issue allows an attacker to inject malicious script
code, potentially compromising the victim's browser. Lastly the
improper escaping of special characters results in unintended privilege
settings for MySQL.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All phpMyAdmin users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.6.1_p2-r1"

References
==========

  [ 1 ] PMASA-2005-1
        http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-1
  [ 2 ] PMASA-2005-2
        http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-2
  [ 3 ] phpMyAdmin bug 1113788
        http://sourceforge.net/tracker/index.php?func=detail&aid=1113788&group_id=23067&atid=377408

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200503-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0




[Full-Disclosure] Bios programing

2005-03-03 Thread Dominique Davis
Your best bet would be a PCI card that at boot time emulates an IDE
controller via a compact flash device and has its own MBR that loads a
mini OS ala MSNTV that provides a virtual driver for both Win and Unix
platforms ala VMware, whose job is to stream packets back to the on-chip
device for decoding and filtering based on a web-updateable database and
transport them back to the driver, then the OS.

Or failing that get a big box of tissue and call it a day

Mister Mojo
--
Sent via Mojo tracking implant 





Re: [Full-Disclosure] Things that make you go Hmmm

2005-03-03 Thread Jason Coombs
Matt wrote:
 In a good company Incidence
 Response isn't dictated by any of
 what you said above.  It's dictated
 by policy.

Good point. Even in a good company, though, incident response often occurs 
outside of policy.

An incident response professional who works for clients during emergencies is 
presented with variables and circumstances with which to contend, not a policy 
playbook to follow.

I agree that it would be nice if we could schedule and plan all of our 
emergencies according to policy. :-)

Cheers,

Jason Coombs
[EMAIL PROTECTED]


Re: [Full-Disclosure] Re: Windows Registry Analzyer

2005-03-03 Thread Eric Windisch
On Thu, 2005-03-03 at 19:39 +, Dave Korn wrote:
   No, it would be completely useless.  In case you didn't realise, the
 registry is not an ASCII text file, it's megabytes of unintelligible binary
 gibberish.

The registry can be exported to ASCII text, edited, and re-imported.
Have you ever opened a .reg file?


-- 
Eric Windisch [EMAIL PROTECTED]



[Full-Disclosure] unace-2.x buffer overflow

2005-03-03 Thread Ulf Härnhammar
One of the buffer overflows in unace-1.x affects unace-2.x as well.

The Gentoo guys originally found this in a bug report [1] where they
were testing unace-2.2 after upgrading unace-1.2b. As stated there,
unace-2.2 crashes when listing (l), testing (t) or verbosely listing
(v) my bufoflow1.ace archive.

I looked further into this, and I found that it in fact is an
exploitable buffer overflow where the attacker controls EIP. I also
found that it affects all versions of unace-2.x that I checked,
namely 2.04, 2.2 and 2.5.

I also checked WinAce running on Windows XP for this bug with
inconclusive results.

[1] http://bugs.gentoo.org/show_bug.cgi?id=81958

// Ulf Härnhammar





RE: [Full-Disclosure] Bios programming...

2005-03-03 Thread Digitalchaos
Matt, maybe you should not be so concerned with trying to put code into
the BIOS; but, rather install it to the boot sector of the hard drive.
That is, copy the monitoring program to the boot sector. That will launch
the service you are talking about, and that service can also rewrite
itself to the boot sector (*hint* *hint* a boot sector virus, perhaps?)
that can be spread to all of the people's email addresses that you
harvest from this little operation (this would include an executable
attachment that would restore the service to the hard drive, upon
execution).  I mean, that is the only feasible means for you to have this
service installed remotely (that is, you will probably not be given
direct, physical, access to the user's computer -- which means no
hardware or BIOS chip modifications or EEPROM reprogramming).



RE: [Full-Disclosure] Windows Registry Analzyer

2005-03-03 Thread Aditya Deshmukh

Anyone know of any free tools to analyze what changes have been made
to a Windows 2000/XP registry?


Regmon - www.sysinternals.com best and free 





Re: [Full-Disclosure] Bios programming...

2005-03-03 Thread Bill Humphries
On Mar 3, 2005, at 1:39 PM, Matt Marooney wrote:
 Exactly, thank you Randall.  I appreciate your feedback, I'll check into
 your suggestions further.

 I like the way you put it, this is targeted at adults who are trying to
 curb their own behavior.  Seems like this list needs more people like
 that!  ;)
You asked a security list-serve a security related question.
Now, let me review, in a less snarky fashion, my issues with your 
proposal.

1) It is easily circumvented.
	a) the subject uses another computer.
	b) the subject programs their upstream router to drop packets intended 
for the monitoring organization.

2) It violates the privacy of other users.
	a) your application could, unless written specifically to avoid this, 
report on the actions of those other than the subject, on a shared 
computer. Note that it renders the application moot, as then the 
subject creates another user to go to the proscribed sites.
	b) since you have specified that the application be difficult to 
un-install, if the computer is transferred to another person, their 
activity will be monitored, potentially generating false positives 
attributed to the original subject under surveillance.

3) It can easily generate false positives.
	There are a number of exploits for systems such as phpBB that inject 
hidden IFRAMEs into HTML documents, which in turn use JavaScript to load 
other URLs.

	As those URLs could be on the proscribed sites list, a visit to a 
hacked phpBB site, say a support group for addicts, could spawn visits 
to your list of proscribed sites.

	Or, someone could attempt to spoof the monitoring server to get it to 
record false hits.

5) It could be exploited.
See any number of reports of buffer overflow exploits sent to this 
list. Without careful detainting of user inputs (URLs) you could allow 
injection of malicious code.

Those are my technical objections. As for the others:
6) Who decides what is a 'suspect site'?
	The decision to classify a site as pornographic has a significant 
political component.

7) Trustworthiness of the Monitoring Organization
	The monitoring organization now has at least one piece of information 
(the act of installation is itself a datum) that can be used to attack 
a person's reputation. Will the subject be able to terminate their 
relationship with the monitoring organization? What are the monitoring 
organization's data privacy policies? Will violations be reported to 
data aggregators such as ChoicePoint? How secure is that data?

8) Trust vs. Pervasive Surveillance
Several people said they felt a legitimate need for this software 
citing pornography addiction.

I've emailed a few friends who are in grad programs and clinical 
practice to confirm if there's an actual diagnosis of pornography 
addiction. Sorry, the term feels loaded, like something tossed about 
during a congressional hearing.

And others mentioned the AA angle. However, when you join AA, to the 
best of my knowledge, you do not have an alcohol sensor implanted in 
your esophagus or stomach to report violations to AA.

What you do have is a sponsor, who you can call if you're on the verge 
of taking a drink.

And when, if ever, do you build trust with the person who you have said 
you have harmed? It strikes me as too easy to leave the secret 
policeman on forever. But now there's a third pillow in that bed, and I 
get the feeling that you do not condone polyamory.

That's why I made those remarks comparing your plan to the abuses of 
Mao's Cultural Revolution. You privatize the intrusive, something 
which, until recently, was the domain of totalitarian states.

-
In conclusion, if someone believes they have an issue with respect to 
adult materials, drugs, alcohol, or anything else, then instead of 
installing software, maybe they should seek out a mental health 
professional, cleric, or trusted friend. They are less likely to be 
abused or exploited.

In short, don't create new problems trying to solve old ones.
I doubt this will change your course, but now I've said my piece on it.
Cheers,
-- whump
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Windows Registry Analzyer

2005-03-03 Thread Aditya Deshmukh
 You can, of course, use regmon (sysinternals.com) to monitor the
 registry 'live' while changes are being made, however it sounds like you
 want a product that would analyse the reg, then re-analyse after
 installation, and report on changes.

I don't know if a free tool like this exists, but Norton Cleanup and other
tools like this do this job very nicely - aditya



Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)


Re: [Full-Disclosure] Bios programming...

2005-03-03 Thread Steve Kudlak
I don't know if I would want to contribute to something like this. I 
mean this seems like a job for depth psychologists, not technical people. 
Remember, no matter how noble a cause is in theory, providing tools for 
oppression is not a good idea.  What you want to do is create unremovable 
spyware. I can't see it as a good.

This may get off topic. But much of the whole addiction to 
pornography stuff is convincing people something is a problem that 
probably isn't. There will always be people like the crazy lady who 
got sick because she drank most of her calories as tomato juice. Do I 
want to help someone make a shopping card to stop the 1:1,000,000,000 
people like her ... the answer is no. If you browbeat people enough you 
can convince them that somehow curious behavior is evil. But that doesn't 
make it so.

I'll shut up now
I'd rather talk about technical stuff and not opressing humans
or providing tools to do so.
Have Fun,
Sends Steve
Matt Marooney wrote:
Exactly, thank you Randall.  I appreciate your feedback, I'll check into
your suggestions further.
I like the way you put it: this is targeted at adults who are trying to
curb their own behavior.  Seems like this list needs more people like
that!  ;)
-- Matt
 

-Original Message-
From: Randall Perry [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 03, 2005 4:17 PM
To: full-disclosure@lists.netsys.com
Cc: Matt Marooney
Subject: RE: [Full-Disclosure] Bios programming... 

The program in question is quite legitimate in nature and already exists
in several forms.
In some instances, it sends the data to 'accountability partners' who
are your chosen peers that monitor your activity.
Think of it as AA for online porn.  Online porn has become a real
problem for males age 12 to early 40s. Properly implemented, solutions
to combat porn are good business. (mind you, this is not 'spyware' for
parents.  this is targeted at adults who are trying to curb their own
behavior).
Those who are not aware of that epidemic should sit quietly and not
scoff at the efforts of others.
As for the function of BIOS, that is the wrong road to go down.
If you are looking for checking if services are disabled, then have a
bot call home every so often (much like DirectTV PPV).
Any 'net activity could be logged in a separate file and compared to the
monitor's activity report (to determine if it was active or not). It
would purge every 2-3 days to the online site. If you do not have an
update in 2-3 weeks, then send out an email reminder.
To monitor IP activity, you might want to insert into the tcp/ip stack
through LSP layers (only for Windows boxes).
This lower level monitoring is harder to disable (but not impossible).
In this scenario you could either choose to redirect/block sites
(through blacklists or other)
-or-
Just log activity, don't block anything and lean towards the
'accountability' side.
Good luck with the project,
it sounds noble at root.
RP
 




Re: [Full-Disclosure] Bios programming...

2005-03-03 Thread Steve Kudlak
Good God, Orwell was right. I mean this is all about terrorizing and 
threatening people. It's just evil. It would be just as easy for some 
adware person to accidentally cause something like this to happen for 
other less noble reasons. There are probably some paths we shouldn't go 
down nor aid others in going down.

Have Fun,
Sends Steve

Matt Marooney wrote:
Hmm... That's all true... Especially the motivated user part :)
I'm banking on the probability that most people don't even know what a
BIOS is.  If they go to a site, and sign up for the service, after
entering their info, and email recipients, they would be prompted to
continue and download a small piece of software onto their computer.
The user would be assured that the software would not interfere with
their normal computer use (and it won't) and that's that.  They would
have no idea how the program is working, or where the program resides.  

This ignorance should, IMHO, keep MOST people from figuring out how to
remove it (except you and me and everyone else on this list ;))

I want to exploit the fact that they don't know which protocols are
being monitored, so they will be afraid to try to get around it.
Psychologically, the unknown will be more of a deterrent than anything
else.   

I know that I have had a bear of a time removing spyware in the past,
maybe we can leverage that technology for good somehow.  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 03, 2005 3:57 PM
To: Matt Marooney
Cc: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Bios programming... 

On Thu, 03 Mar 2005 15:33:09 EST, Matt Marooney said:

 The intent of the BIOS portion of the program was just to have a small
 bit of code that checked for the existence of the main monitoring 
 program on the disk, and if it was not there, reload it somehow.

 The main program would run from the disk, not the BIOS.

Like I said - all it takes is a Knoppix disk to screw over most of these
schemes - you can't even disable booting from CD and put a BIOS password
on, because you have the following:
1) A motivated user
2) Unmonitored, unobserved physical access (if you don't, there's
*bigger* problems in this scenario ;)
3) Somewhere in there, there's a jumper that will reset the BIOS
password
There's really *NO* way to do this on today's commodity hardware in a
way that will stop a user who knows it's there and has physical access.
At best, you can do it in a way that will surprise an *unsuspecting*
person (which is what most of these anti-theft beacon programs do - the
only reason they work is because the guy who jacked the laptop probably
doesn't realize the program is installed, and thus doesn't take
precautions to stop it).
The only way you can make this work is if you have hardware that
includes something like the TPM chipsets from NatSemi or Atmel.
Unfortunately, if your operating system contains enough support for the
chipset to use it so the person at the keyboard can't subvert it, it
will almost certainly use it *itself* to stop people from doing exactly
the sort of code insertion you're trying to do.
So you're *still* screwed. :)


RE: [Full-Disclosure] Bios programming...

2005-03-03 Thread Aditya Deshmukh
Does this not look like a big brother watching scheme?

And with what u are trying to do, how can u monitor if I access all the things 
from my own proxy over encrypted tunnels using my own custom protocol 
encapsulated over tcp/ip? u cannot detect it.

But from your post it looks like u want to hook your girlfriend's or boss's 
computer. Better watch where u are asking questions :)

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Marooney
  Sent: Friday, March 04, 2005 12:15 AM
  To: full-disclosure@lists.netsys.com
  Subject: [Full-Disclosure] Bios programming...
  
  I am trying to write a program to help people who are addicted to internet 
  pornography. This application would be tied into an online service where 
  someone could sign up for monitoring, and download a thin client app. The 
  application would run in the background of the person's computer, and upload 
  the person's internet activity to the website. The service would then email 
  this activity report to designated recipients. I have most of the knowledge 
  to create this service, but I need to know how to do a couple things:

  1. I would like the program to be "un-installable". I've heard of a couple of 
  hardware security tracking services that can load a very small setup package 
  in the CMOS and if a computer is stolen, and the hard drive is replaced, the 
  app reloads itself and the next time the computer is on the internet, it sends 
  out a beacon. Does anyone have any insight about how to do something like 
  this? I want the CMOS program to run on boot, and check to see if the 
  monitoring software is still installed. If it is not, the boot process 
  reloads it.

  2. Obviously, the program does not need to be very large, so I want it to run 
  in the background and not be visible to the computer's user. This is easy, I 
  know, but I want the process to be completely invisible (even to super-geeks).

  3. I would like to figure out a way to monitor traffic for multiple protocols 
  (HTTP, FTP, File Sharing, Chat, etc.). I'm wondering if there is a way to 
  figure out "bad" requests on a packet level.

  I really appreciate any help with these questions! Thank you all,

  -- 
  Matt
  
  
  
  


RE: [Full-Disclosure] Re: Windows Registry Analzyer

2005-03-03 Thread Handy, Mark (IT)
Surely you can simply export before and after your action and use
windiff on the two files.

Mark Handy

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric
Windisch
Sent: 03 March 2005 21:48
To: Dave Korn
Cc: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Re: Windows Registry Analzyer

On Thu, 2005-03-03 at 19:39 +, Dave Korn wrote:
   No, it would be completely useless.  In case you didn't realise, the
 registry is not an ASCII text file, it's megabytes of unintelligible 
 binary gibberish.

The registry can be exported to ASCII text, edited, and re-imported.
Have you ever opened a .reg file?


--
Eric Windisch [EMAIL PROTECTED]


 
NOTICE: If received in error, please destroy and notify sender.  Sender does 
not waive confidentiality or privilege, and use is prohibited. 
 

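As an added example (not code from Mark, Eric, or anyone else in this thread): a small Python script that does what Mark suggests, but structurally rather than with windiff, so reordered keys and wrapped hex lines do not show up as noise. It parses two regedit exports into key/value maps and lists the keys and values that were added, removed, or changed between the "before" and "after" snapshot. It assumes the REGEDIT4 / "Windows Registry Editor Version 5.00" text format (version 5.00 exports are UTF-16LE with a BOM, so open them with encoding="utf-16"); the two snapshots embedded below are constructed, not real exports, and "ExampleApp" is a made-up installer.

```python
"""Structural diff of two exported Windows .reg files (regedit /e output).

Added example for the Registry Analyzer thread; not code posted by anyone in it.
Format assumptions: REGEDIT4 or "Windows Registry Editor Version 5.00" header,
[key] section lines, @ for a key's default value, "name"=data value lines, and
hex data continued across lines with a trailing backslash. Version 5.00 exports
are UTF-16LE with a BOM: open(path, encoding="utf-16") before calling parse_reg.
"""
import re
from typing import Dict, List, Tuple

Snapshot = Dict[str, Dict[str, str]]      # key path -> {value name -> raw data}
Change = Tuple[str, str, str, str, str]   # (kind, key, value name, old, new)

_HEADERS = ("REGEDIT4", "Windows Registry Editor Version")
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text: str) -> Snapshot:
    """Parse .reg text into {key: {name: data}}. Data is kept as the raw token
    ("string", dword:..., hex:...) so values compare exactly as exported."""
    snap: Snapshot = {}
    key = None
    cont_name = None        # value whose hex data continues on the next line
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if cont_name is not None:                      # hex continuation line
            buf += line.rstrip("\\").replace(" ", "")
            if not line.endswith("\\"):
                snap[key][cont_name] = buf
                cont_name, buf = None, ""
            continue
        if not line or line.startswith(";") or line.startswith(_HEADERS):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            snap.setdefault(key, {})
            continue
        if key is None:
            raise ValueError(f"value line before any [key]: {line!r}")
        m = _VALUE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        name = "@" if m.group(1) == "@" else m.group(2)
        data = m.group(3).strip()
        if data.endswith("\\"):                        # data continues below
            cont_name, buf = name, data.rstrip("\\").replace(" ", "")
        else:
            snap[key][name] = data
    if cont_name is not None:                          # file ended mid-continuation
        snap[key][cont_name] = buf
    return snap


def diff_reg(before: Snapshot, after: Snapshot) -> List[Change]:
    """List every difference, ordered by key then value name. Kinds:
    key+ / key- (whole key appeared or vanished), value+ / value- / value~."""
    changes: List[Change] = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key), after.get(key)
        if b is None:
            changes.append(("key+", key, "", "", ""))
            b = {}
        elif a is None:
            changes.append(("key-", key, "", "", ""))
            a = {}
        for name in sorted(set(b) | set(a)):
            if name not in b:
                changes.append(("value+", key, name, "", a[name]))
            elif name not in a:
                changes.append(("value-", key, name, b[name], ""))
            elif b[name] != a[name]:
                changes.append(("value~", key, name, b[name], a[name]))
    return changes


def format_changes(changes: List[Change]) -> List[str]:
    """One human-readable line per change."""
    out = []
    for kind, key, name, old, new in changes:
        if not name:
            out.append(f"{kind:6} [{key}]")
        else:
            out.append(f"{kind:6} [{key}] {name}: {old or '(none)'} -> {new or '(none)'}")
    return out


# Constructed sample exports (not real regedit output): before and after a
# hypothetical "ExampleApp" install that registers an autostart entry.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\ExampleApp]
"Version"="1.0"
"Enabled"=dword:00000001
"Blob"=hex:01,02,03,\
  04,05
'''

AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Monitor"="C:\\Program Files\\ExampleApp\\monitor.exe"

[HKEY_CURRENT_USER\Software\ExampleApp]
@="ExampleApp"
"Version"="1.1"
"Blob"=hex:01,02,03,\
  04,05

[HKEY_CURRENT_USER\Software\ExampleApp\Settings]
"Upload"=dword:00000001
'''

if __name__ == "__main__":
    for line in format_changes(diff_reg(parse_reg(BEFORE), parse_reg(AFTER))):
        print(line)
```

Against the two constructed snapshots the report shows the new Run entry, the new Settings key, the removed Enabled value, and the Version change, while the unchanged multi-line hex value produces nothing. Against real exports, filter the output for the Run, RunOnce, Services and Winlogon keys first: that is where an installer's persistence usually lands.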


RE: [Full-Disclosure] Bios programming...

2005-03-03 Thread Aditya Deshmukh
 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
Matt Marooney
Sent: Friday, March 04, 2005 01:35 AM

 I want this software to help people who want help, to keep them honest,
 and unaware that their system is monitoring activity.

I still don't see any reason why u should be doing all this. And I would
certainly not want anyone to know what I am watching, much less random
persons on the net...

 Most of the other services out there are very in-your-face or they
 only monitor one type of traffic.  The BIOS requirement was to keep the
 users using the system.  If they take the machine in to BestBuy to get
 it serviced, and the tech wipes or replaces the hard drive, the poor guy
 doesn't remember to reload the monitoring software.

U already get a lot of monitoring software like that - and they can also be
very stealthy, like actmon. Just make it a part of the installation CD-ROM, so
now when someone wipes the HDD and the user does an install, it gets reinstalled.

 I'm open to other suggestions, I just want to make it next to impossible
 to delete (without the admin password, of course), and invisible to
 operate.

Tell me how people are going to use a guest account on their own computer
and then be able to use the computer normally?

-aditya



Re: [Full-Disclosure] Windows Registry Analzyer

2005-03-03 Thread joey
InstallWatch/InstallRite is a nice tool. Basically, you do a system
snapshot, and then analyze. Registry modifications/additions/deletions
between the snapshot and analysis will be detected by the program. It
can be found here

http://www.epsilonsquared.com/

It can also monitor added/modified/deleted files as well as changes
done to INI files, and it's freeware.

regards,


On Fri, 4 Mar 2005 09:20:13 +0530, Aditya Deshmukh
[EMAIL PROTECTED] wrote:
 You can, of course, use regmon (sysinternals.com) to monitor the
 registry 'live' while changes are being made, however it
 sounds like you
 want a product that would analyse the reg, then re-analyse after
 installation, and report on changes.
 
 
 I don't know if a free tool like this exist but norton cleanup and other
 tools like this do this job very nicely - aditya
 
 
 



RE: [Full-Disclosure] Bios programming...

2005-03-03 Thread Aditya Deshmukh

 I'm banking on the probability that most people don't even know what a
 BIOS is.

If your main security is through obscurity, then just wait until someone
posts a way to bypass this program and removal instructions on the net.





Re: [Full-Disclosure] Bios programming...

2005-03-03 Thread Valdis . Kletnieks
On Fri, 04 Mar 2005 09:46:54 +0530, Aditya Deshmukh said:

 tell me how me people are going to use a guest accont on their own computer
 and then be able to use the computer normally ?

Actually, if the regular user needs more than guest privs to do their
*normal* stuff, the system's security model is severely screwed.  In fact,
the *very first* thing that happened when computers got the ability to support
multiple userids was to separate user and sysadmin - this was already a
well-understood idea when Multics showed up in 1967 or so.  Ever since then,
there's only been one vendor of multi-user operating systems that thought that
running with more than usual privs is a sane way to do things.

