[Full-Disclosure] Operating Systems Security, Microsoft Security, baby steps

2004-03-18 Thread Todd Burroughs
Here's a good example. Yesterday, a problem was resolved with OpenSSL. This package is used in a *lot* of software (yes, including *BSD ;-). SuSE had patches out the fastest, within hours of the official release. Over the course of the day, I saw most/all of the major open source OS vendors

Re: [Full-Disclosure] Re: Microsoft Security, baby steps ?

2004-03-18 Thread Guido van Rooij
On Wed, Mar 17, 2004 at 12:52:55PM +0100, Daniele Muscetta wrote: Dave Horsfall said: On Wed, 17 Mar 2004, Daniele Muscetta wrote: I know, you roughly have some 26 Megabytes of patches to be installed POST-SP4 and POST IE60SP1 on W2K. Is any other OS any better lately ? OpenBSD.

RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?

2004-03-18 Thread Full-Disclosure
Geo. [EMAIL PROTECTED] wrote: ... Even the stupid check tools assume you have the thing on the net before it's patched. Yep, yet there are still MS apologists who refuse to open their eyes so as to understand that Microsoft still shows little hint that it 'gets' security.

Re: [Full-Disclosure] Re: rfc1918 space dns requests

2004-03-18 Thread martin f krafft
also sprach Jason Coombs [EMAIL PROTECTED] [2004.03.16. +0100]: http://www.linuxsecurity.net/articles/network_security_article-5514.html Without servers in the network and no Windoze client ever polluting my environment, I don't see a problem. -- martin; (greetings from the

RE: [Full-Disclosure] Ancient Trivia: +++ath0

2004-03-18 Thread Cowles, Robert D.
The version I heard went something like: Hayes implemented a guard ... they required a pause between the +++ and the following command. When other manufacturers implemented the command set, they had to make some small changes so they could claim they hadn't *completely* ripped off the Hayes

Re: [Full-Disclosure] Operating Systems Security, Microsoft Security, baby steps

2004-03-18 Thread Florian Weimer
Todd Burroughs wrote: I know that other major software companies use OpenSSL in their products; the free/open source software community responds very quickly, much faster than any commercial vendor (I noticed that Cisco released a patch). This is proof, same day fix vs. fix in a few months.

Re: [Full-Disclosure] Re: Microsoft Security, baby steps ?

2004-03-18 Thread Jo Doe
Odd that a company that supposedly has now developed a serious interest in security has not done this, but has found the time and staffing to produce, test, manufacture and distribute an at least six month out-of-date patch CD... (Not that the patch CD is bad thing, but it provides an interesting

RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?

2004-03-18 Thread Nick FitzGerald
Full-Disclosure [EMAIL PROTECTED] wrote: In an corporate environment, you will have SUS or SMS running. If so, no need for internet access. But, need for general network access to get to those machines. thereby breaking the no general network access until secure rule. You could have a

[Full-Disclosure] New Virus under way ...

2004-03-18 Thread Helmut Hauser
got a strange Mail 2day: Subject: RE: Protected message From: [EMAIL PROTECTED] link to virus is ... http://221.153.61.232:81/100721.php Host is in Korea, abuse warning has been sent. can anyone verify what kind of malware that is ? Helmut

Re: [Full-Disclosure] Operating Systems Security, 'Microsoft Security, baby steps'

2004-03-18 Thread Daniele Muscetta
Todd Burroughs said: Kudos to SuSE, keep up the good work! We're getting nervous with the Novell thing, but keep security first. Yeah. tell Novell, indeed: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2968352.htm for their proprietary Groupwise Webmail interface I have been

RE: [Full-Disclosure] Ancient Trivia: +++ath0

2004-03-18 Thread Dave Horsfall
On Wed, 17 Mar 2004, Cowles, Robert D. wrote: Hayes implemented a guard ... they required a pause between the +++ and the following command. When other manufacturers implemented the command set, they had to make some small changes so they could claim they hadn't *completely* ripped off the

Re: [Full-Disclosure] Operating Systems Security, Microsoft Security, baby steps

2004-03-18 Thread Mark J Cox
We don't even know how many weeks this bug was in circulation in the vendor community before that date. The OpenSSL issues were disclosed to the NISCC by me on February 25th 2004, the NISCC then notified vendors starting on February 26th with the embargo date of March 17th. The OpenSSL group

Re: [Full-Disclosure] New Virus under way ...

2004-03-18 Thread Richard
Hi Looks to be the latest in the Bagle / Beagle family. Symantec have got it as the [EMAIL PROTECTED], discovered March 18 10:00 http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED] Regards Guruban - Original Message - From: Helmut Hauser [EMAIL PROTECTED] To:

RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?

2004-03-18 Thread Random Letters
No need to be patronising or dismissive. Our problems (assuming we're professional sysadmins rather than home dabblers) are several. 1. Home users - don't have adequate protection and get turned into zombies. They then bombard us. OK - this is dealt with by an externally facing firewall but

Re: [Full-Disclosure] New Virus under way ...

2004-03-18 Thread Nick FitzGerald
Helmut Hauser [EMAIL PROTECTED] wrote: got a strange Mail 2day: Subject: RE: Protected message From: [EMAIL PROTECTED] link to virus is ... http://IP:81/100721.php snip It will have been one of the new Bagle variants discovered in the last few hours -- Bagle.Q (though some vendors had

[Full-Disclosure] Trend Micro has problems with their activeupdate server

2004-03-18 Thread Dr. Peter Bieringer
Hi, sure interesting for administrators of Trend Micro Interscan Viruswall or IMSS. In general, pattern update server should be very reliable, especially in case of need for pattern updates because of a new worm is spreading... Since longer we have problem on a customers installation with

RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?

2004-03-18 Thread John . Airey
-Original Message- From: Geo. [mailto:[EMAIL PROTECTED] Sent: Wednesday, 17 March 2004 18:26 To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] Re: Microsoft Security, baby steps ? From experience, you can't just lock down to that one server. You need to

RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?

2004-03-18 Thread John . Airey
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, 17 March 2004 19:52 To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] Re: Microsoft Security, baby steps ? On Wed, 17 Mar 2004 16:46:58 GMT, [EMAIL PROTECTED] said:

[Full-Disclosure] malware added in transit

2004-03-18 Thread Paul
Hi all, perhaps I'm way off-base but I've been under the impression that malware can be added to clean transmissions as they pass through infected nodes. Is this possible?

Re: [Full-Disclosure] Ancient Trivia: +++ath0

2004-03-18 Thread Luke Scharf
On Wed, 2004-03-17 at 21:17, Paul Szabo wrote: for details. (Also, there was a discussion on BugTraq at the end of September 1998, maybe it would be useful to look in the archives?) A good resource that I'll check the next time! Thanks, -Luke -- Luke Scharf, Systems Administrator Virginia

RE: [inbox] [Full-Disclosure] malware added in transit

2004-03-18 Thread Curt Purdy
Paul wrote: Hi all, perhaps I'm way off-base but I've been under the impression that malware can be added to clean transmissions as they pass through infected nodes. Is this possible? Unless you're talking about inserting a proxy in-line and manually grabbing the packets and manipulating

Re: [Full-Disclosure] Ancient Trivia: +++ath0

2004-03-18 Thread Luke Scharf
On Wed, 2004-03-17 at 21:30, cstone wrote: * = Hayes has a patent on a scheme to protect against unintentional triggering of the escape sequence; on their modems, you have to wait a specific amount of time before and after the +++ before issuing a command. Doh! I thought that there was an

Re[2]: [Full-Disclosure] New Virus under way ...

2004-03-18 Thread Frederik Berger
Hello Nick, NF It will have been one of the new Bagle variants discovered in the last NF few hours -- Bagle.Q (though some vendors had already named this with NF an earlier variant ascription), Bagle.R and Bagle.S all fit the NF description, and possibly the just discovered (within the last hour

RE: [Full-Disclosure] malware added in transit

2004-03-18 Thread Yoanne LE MERCIER
Hi list. It's surely possible, but I'm not aware of anything doing so at this time (I'd be interested to see) This kind of malware would be quite specific to be traffic aware (HTTP down/upload, FTP, Net shares...), to be able to understand file transfers negotiations and act at the right time...

[Full-Disclosure] FW: Telindus 112X Router - Remote Password Decrypting Utility

2004-03-18 Thread eflorio
This message was forwarded to me from: Matteo Schiavi [ [EMAIL PROTECTED] ] *** TSniffer 1.0 - Readme *** This archive can been downloaded from: http://net.supereva.it/noobsaibot.superdada/tsniffer/tsniffer.zip_ (use the final \_\ in the link) *** DESCRIPTION *** TSniffer is

Re: [Full-Disclosure] Ancient Trivia: +++ath0

2004-03-18 Thread 3APA3A
Dear Luke Scharf, --Thursday, March 18, 2004, 4:42:55 AM, you wrote to [EMAIL PROTECTED]: LS P.S. Oh, yeah, just for laughs: LS +++ath0 This is well known problem of multiple modems (+++ is accepted without pause). And it's often exploited with ping packet with +++ath0 in payload.

RE: [Full-Disclosure] Ancient Trivia: +++ath0

2004-03-18 Thread Radule Soskic
On Thu, 2004-03-18 at 11:23, Dave Horsfall wrote: On Wed, 17 Mar 2004, Cowles, Robert D. wrote: Hayes implemented a guard ... they required a pause between the +++ and the following command. When other manufacturers implemented the command set, they had to make some small changes so they

RE: [inbox] [Full-Disclosure] Operating Systems Security, Microsoft Security, baby steps

2004-03-18 Thread Curt Purdy
Todd Burroughs wrote: Kudos to SuSE, keep up the good work! We're getting nervous with the Novell thing, but keep security first. One thing, we need a basic install, no X, just a base install that is secure. As an example of SuSe being cluefull on security, the 9 install goes out and updates

RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?[Scanned]

2004-03-18 Thread James P. Saveker
Random Letters said snip 1. Home users - don't have adequate protection and get turned into zombies. They then bombard us. OK - this is dealt with by an externally facing firewall but see #2 below. 2. Office workers with laptops or VPN connections to the internal LAN - get 'infected' (see

[Full-Disclosure] Malware added in transit

2004-03-18 Thread Paul
Thanks for the clarification, Curt. one step at a time...

RE: [inbox] [Full-Disclosure] malware added in transit

2004-03-18 Thread James . Cupps
There is however, a type of attack sometimes referred to as a ghost attack that is similar to a man in the middle attack that can do something like this. The way it works is Eve inserts herself between Bob and Alice using some type of man in the middle attack then using certain

RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?

2004-03-18 Thread Schmehl, Paul L
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Full-Disclosure Sent: Thursday, March 18, 2004 2:17 AM To: [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] Re: Microsoft Security, baby steps ? In an corporate environment, you will have SUS or

RE: [inbox] [Full-Disclosure] malware added in transit

2004-03-18 Thread Alerta Redsegura
Curt wrote: Unless you're talking about inserting a proxy in-line and manually grabbing the packets and manipulating them at a huge amount of work, you ARE way off-base. There is no malware I know of that would even know what the packets were, much less re-assemble them into the original

RE: [Full-Disclosure] Operating Systems Security, Microsoft Security, baby steps

2004-03-18 Thread Schmehl, Paul L
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Burroughs Sent: Thursday, March 18, 2004 2:17 AM To: [EMAIL PROTECTED] Subject: [Full-Disclosure] Operating Systems Security, Microsoft Security, baby steps Updating any OS is a pain in the

Re: [inbox] [Full-Disclosure] malware added in transit

2004-03-18 Thread Valdis . Kletnieks
On Thu, 18 Mar 2004 12:02:47 EST, Alerta Redsegura [EMAIL PROTECTED] said: I think there is a world market for maybe five computers. Thomas Watson, chairman of IBM, 1943 Please note that this has gotten out of context in the last 60 years or so. At the time, computer meant one of a kind

RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?

2004-03-18 Thread alwayssecure
Random letters said... The need to patch before I put it on the network / need to put it on the network to get the patches IS a real problem for many sysadmins. *** But not for everyone The

RE: Re[2]: [Full-Disclosure] New Virus under way ...

2004-03-18 Thread Schmehl, Paul L
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frederik Berger Sent: Thursday, March 18, 2004 8:03 AM To: [EMAIL PROTECTED] Subject: Re[2]: [Full-Disclosure] New Virus under way ... come to think of it. what will be the names of the viruses

RE: [Full-Disclosure] Re: Microsoft Security? Real LANs

2004-03-18 Thread Random Letters
Random Letters said snip 1. Home users - don't have adequate protection and get turned into zombies. They then bombard us. OK - this is dealt with by an externally facing firewall but see #2 below. 2. Office workers with laptops or VPN connections to the internal LAN - get 'infected' (see #1

RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?[Scanned]

2004-03-18 Thread Byron Copeland
What the heck was that you just sent? I've attached a strings version of the smime.p7m that I was happy to receive. Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

RE: [inbox] [Full-Disclosure] Is this a paypal scam?

2004-03-18 Thread Curt Purdy
[EMAIL PROTECTED] wrote: http://218.62.43.30/verify.html Signed up for paypal 2 weeks ago, and then this came in the mail as a link in a paypal looking html email asking me to confirm by entering my credit card/account info. Be cluefull: 1) Don't ever click a link with an ip address. 2)

Re: [Full-Disclosure] Re: Microsoft Security, baby steps ?[Scanned] [Scanned]

2004-03-18 Thread James P. Saveker
[EMAIL PROTECTED] said... snip If you have 30K machines, figure on several dozen needing to install from disk *every day*, just due to hard drive failures and the like. And it only takes 1 junior secretary using the old disks instead of last Tuesday's. The real problem is at the low-end

RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?[Scanned]

2004-03-18 Thread Schmehl, Paul L
smime.p7m Description: S/MIME encrypted message

Re: Re[2]: [Full-Disclosure] New Virus under way ...

2004-03-18 Thread Berend-Jan Wever
- Original Message - From: Schmehl, Paul L [EMAIL PROTECTED] Bagle.AA,AB,AC, etc. And on and on it goes, and where it ends, nobody knows... It'll end when Bagle.AAA... hits a BoF in a virusscanner overwriting EIP with 0x41414141 ;)

[Full-Disclosure] [OpenPKG-SA-2004.007] OpenPKG Security Advisory (openssl)

2004-03-18 Thread OpenPKG
Packages: Corrected Packages: OpenPKG CURRENT = openssl-0.9.7c-20040207 = openssl-0.9.7d-20040318 OpenPKG 2.0 = openssl-0.9.7c-2.0.0 = openssl-0.9.7c-2.0.1 OpenPKG 1.3 = openssl-0.9.7b-1.3.2 = openssl-0.9.7b-1.3.3 Affected Releases: Dependent Packages

[Full-Disclosure] Re: User Insecurity

2004-03-18 Thread Earl Keyser
I think you folks miss the point. My VISA card doesn't have any bells and whistles to turn on or off -just a PIN to remember. My car is serviced by my mechanic. I don't know what's under the hood except where to put washer fluid. To ask me to make my own Visa card or tune my engine is an

Re: [Full-Disclosure] Re: rfc1918 space dns requests

2004-03-18 Thread Martin F Krafft
also sprach [EMAIL PROTECTED] [EMAIL PROTECTED] [2004.03.16.2215 +0100]: The obvious is that the usual DNS spoofing hacks often only have a few milliseconds for you to stick in a bogus packet before the real DNS answers - here you have entire seconds to play with. Sure, you do. However, the

Re: [Full-Disclosure] Is this a paypal scam?

2004-03-18 Thread William Warren
I doubt this is an internal paypal link.. just another really good phishing scam as this is some chinese ip..:) [EMAIL PROTECTED] wrote: http://218.62.43.30/verify.html Signed up for paypal 2 weeks ago, and then this came in the mail as a link in a paypal looking html email asking me to confirm

RE: [Full-Disclosure] Is this a paypal scam?

2004-03-18 Thread Alerta Redsegura
Jamie said: http://218.62.43.30/verify.html If this is a scam, then maybe paypal has some employees passing new account info outside the company. -jamie- Indeed, Paypal e-mail scams started in 2002 I think. In regards to employees passing new acct info, I have never had a paypal account

[Full-Disclosure] Malware added to transmissions

2004-03-18 Thread Paul
Thanks to those who've expressed an opinion on the possibility of malware being added to a transmission in transit. I didn't really have email in mind so a plain text interception/manipulation would not be required. My query really centres on whether a data stream (such as a media file) being

RE: [Full-Disclosure] Re: Microsoft Security? Real LANs[Scanned]

2004-03-18 Thread James P. Saveker
Random letters said... snip No, but people do use their laptops outside the office. It can be quicker to get infected than get either Windows or virus updates. When they bring their laptop onto the LAN (either through VPN or physically) then they are an internal source of infection that an

[Full-Disclosure] Emailing SSN info

2004-03-18 Thread Tony Gettig
Hi all, I work for a school district in the USA. Higher management wants to email a zipped data export (presumably password protected) to a vendor that includes the Social Security Number for employees. I have advised them against this. Shipping a CDROM overnight would be more secure, IMO. Now

[Full-Disclosure] Re: New Virus under way ...

2004-03-18 Thread Aschwin Wesselius
On Thu, 2004-03-18 at 18:21, Berend-Jan Wever wrote: - Original Message - From: Schmehl, Paul L [EMAIL PROTECTED] Bagle.AA,AB,AC, etc. And on and on it goes, and where it ends, nobody knows... It'll end when Bagle.AAA... hits a BoF in a virusscanner

Re: Re[2]: [Full-Disclosure] New Virus under way ...

2004-03-18 Thread Michael Bemmerl
Hi Frederik, - Original Message - come to think of it. what will be the names of the viruses after Bagle.Z ? How about Bagle2.x ? Greetings, Michael ___ Full-Disclosure - We believe in it. Charter:

RE: [Full-Disclosure] Malware added in transit

2004-03-18 Thread Stephen Blass
Yes, software can be modified in transit. See the 1995 paper http://www.cs.berkeley.edu/~daw/papers/endpoint-security.html " These work because the trusted path to executables is really not trustworthy in most environments. Although we use on-the-wire patching to compromise executables,

RE: [Full-Disclosure] Ancient Trivia: +++ath0

2004-03-18 Thread Glenn_Everhart
The delay+++delay scheme, using time delays, was more like the old break signal, not really like a string that would not transmit...at least on modems that used the delay. You could sometimes kinda/sorta get something like that to work by switching to 110 baud and sending nulls, then switching

RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?[Scanned] [Scanned] [Scanned]

2004-03-18 Thread James P. Saveker
[EMAIL PROTECTED] said snip All very good best practices concepts - too bad so few sites manage to actually deploy them correctly That's the *real* challenge of trying to secure a network - the vast gap between what could be done given the proper mandate and financing, and what you can

Re: [Full-Disclosure] Ancient Trivia: +++ath0

2004-03-18 Thread Alexander Bochmann
Hi, ...on Thu, Mar 18, 2004 at 08:48:59AM -0500, Luke Scharf wrote: But, still, isn't a string of characters that the modem won't transfer something that the communications system on a PC should handle? Why should it? After all, the escape sequence is configurable with the S2 register on

[Full-Disclosure] HOTMAIL / PASSPORT: phishing expedition

2004-03-18 Thread [EMAIL PROTECTED]
Thursday, March 18, 2004 Unbelievably ridiculous insertion of arbitrary html into the Hotmail web based email account of your targeted buddy. In order to gain your little pal's credentials, simply send him or her an email with an extra long subject like so:

Re: [Full-Disclosure] Is this a paypal scam?

2004-03-18 Thread Dave Sherohman
On Thu, Mar 18, 2004 at 10:37:58AM -0600, [EMAIL PROTECTED] wrote: http://218.62.43.30/verify.html Signed up for paypal 2 weeks ago, and then this came in the mail as a link in a paypal looking html email asking me to confirm by entering my credit card/account info. As PayPal states

Re: [Full-Disclosure] Re: Microsoft Security, baby steps ?[Scanned]

2004-03-18 Thread petard
Hi Paul, Not that I'd ever discourage s/mime from anyone, but *please* clear-sign messages to public mailing lists. Opaque-signed mails are very difficult for some folks to read. Actually, I usually encourage folks to clear-sign all the time. Is there any reason you're not? For the rest of the

RE: [inbox] [Full-Disclosure] malware added in transit

2004-03-18 Thread Alerta Redsegura
[EMAIL PROTECTED] said: Please note that this has gotten out of context in the last 60 years or so. At the time, computer meant one of a kind system far beyond the normally available technology... We must remember that Thomas Watson Sr. was not an engineer but a marketer: he did not foresee the

Re: [Full-Disclosure] Re: Microsoft Security, baby steps ?[Scanned]

2004-03-18 Thread Valdis . Kletnieks
On Thu, 18 Mar 2004 12:17:23 EST, Byron Copeland [EMAIL PROTECTED] said: What the heck was that you just sent? I've attached a strings version of the smime.p7m that I was happy to receive. Looks like something that was trying to do S/MIME without bothering with the RFC1847 encapsulation.

Re: [Full-Disclosure] Re: rfc1918 space dns requests

2004-03-18 Thread madsaxon
At 10:08 AM 3/18/2004 +0100, Martin F Krafft wrote: Bet there's a bunch over at the Dept of the Interior. :) There's nothing wrong with infosec at DOI. It's just a pissing contest between the DOI leadership and Judge Lambreth. Politics, not incompetence. m5x

Re: [Full-Disclosure] Re: Microsoft Security, baby steps ?[Scanned] [Scanned]

2004-03-18 Thread Valdis . Kletnieks
On Thu, 18 Mar 2004 16:46:26 GMT, James P. Saveker [EMAIL PROTECTED] said: If you have 30K seats then as I pointed out image installation would be done via the SMS server or for companies not running SMS they may use RIS or another image multicast server. The desktop units will of course

RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?

2004-03-18 Thread Ng, Kenneth (US)
Totally agree. There is no magic bullet for security, especially on a large network. You can have firewalls guarding the outside, run Anti Virus against the mail servers, the file servers, and all the desktops. How about consultants coming in? How about vendor demos that need to be plugged

RE: [inbox] [Full-Disclosure] Is this a paypal scam?

2004-03-18 Thread Dolinar, Jon
Actually a WHOIS of the address returns a site in China so unless Paypal was outsourced I would guess a scam. If you want to see what the page is telnet to port 80 and do a GET /verify.html it is a javascript from the site but using graphics and links from paypal.com An invalid get returns the

Re: [inbox] [Full-Disclosure] malware added in transit

2004-03-18 Thread Valdis . Kletnieks
On Thu, 18 Mar 2004 15:29:28 EST, Alerta Redsegura [EMAIL PROTECTED] said: Take a look at www.top500.org. Number 3 is across the hall from my office. Literally.

RE: [Full-Disclosure] Re: Microsoft Security, baby steps ?[Scanned] [Scanned] [Scanned]

2004-03-18 Thread Curt Purdy
James P. Saveker wrote: snip (Guess who's come across waaay too many boxes that the owner didn't know were compromised because the box knows how to say You've got Mail! but doesn't know how to say You've got Malware! ;) :) snip I have seen companies running SBS and using ISP mail accounts when

Re: [Full-Disclosure] Emailing SSN info

2004-03-18 Thread Curt Purdy
Tony Gettig wrote: Higher management wants to email a zipped data export (presumably password protected) to a vendor that includes the Social Security Number for employees. Yes, it's a bad idea. Even if it is password, it can be cracked, just a matter of time. If management insists on this

Administrivia (was: RE: [Full-Disclosure] Re: Microsoft Security, baby steps ? )

2004-03-18 Thread Nick FitzGerald
[EMAIL PROTECTED] wrote: And please guys, stop cc'ing me. I'm on the list and have been almost since it started! Indeed. First, it is actually _rude_ to CC responses to messages from self-moderating lists (such as Full-Disclosure) to the poster and the list because, by definition, the

RE: [Full-Disclosure] Emailing SSN info

2004-03-18 Thread Ham, MichaelX
Agreed. It's a bad idea. Why not scp it or another direct connect transfer. Like put it on a secured website locked down for the receiver to get to via IP and password. -mwh -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Curt Purdy Sent:

Re: [Full-Disclosure] HOTMAIL / PASSPORT: phishing expedition

2004-03-18 Thread morning_wood
buddyiframe src=http://www.malware.com/pithy.html; so could this url be considered a phishing scam ? regardless of your implied intent? It does pretend to be a genuine login, and I am sure you are collecting successful attempts to a log ( right? ). Has your demo overstepped the bounds of

RE: [inbox] [Full-Disclosure] malware added in transit

2004-03-18 Thread Nick FitzGerald
Frank Knobbe [EMAIL PROTECTED] wrote: However, the topic at hand doesn't lend itself to a quick switch or simple addition of data at the end of the stream. If you want to add malware to an SMTP session on the fly, you will have to intercept and rewrite the email. ... Well, that really

RE: [Full-Disclosure] Emailing SSN info

2004-03-18 Thread Hunter, Laura E.
Now they want to know if there are any laws pertaining to the emailing of SSN info. Answer this question with the phrase I recommend you consult the school board counsel's office, since you're no more qualified to authoritatively answer this question than an attorney would be qualified to

[Full-Disclosure] [RHSA-2004:112-01] Updated Mozilla packages fix security issues

2004-03-18 Thread bugzilla
Red Hat Security Advisory Synopsis: Updated Mozilla packages fix security issues Advisory ID: RHSA-2004:112-01 Issue date: 2004-03-17

[Full-Disclosure] [SECURITY] [DSA 466-1] New Linux 2.2.10 packages fix local root exploit (powerpc/apus)

2004-03-18 Thread debian-security-announce
Debian Security Advisory DSA 466-1 [EMAIL PROTECTED] http://www.debian.org/security/ Martin Schulze March 18th, 2004

[Full-Disclosure] RE: [RHSA-2004:112-01] Updated Mozilla packages fix security issues

2004-03-18 Thread John . Airey
OK, I'll bite. It's now over four hours since this update was released, but the files still aren't on the advertised server. (I've tried from two different locations, in case it was a weird location based problem). What gives guys? Also, where's the mozilla-psm package? - John Airey, BSc (Jt

[Full-Disclosure] Chrome 1.2.0.0 server crash

2004-03-18 Thread Luigi Auriemma
### Luigi Auriemma Application: Chrome http://www.chromethegame.com Versions: = 1.2.0.0 Platforms:Windows Bug: reading and writing into unallocated memory (crash)

Re: [Full-Disclosure] Emailing SSN info

2004-03-18 Thread Exibar
Not knowing what vendor they want to ship these SSN's off to makes it hard to answer, although I am NOT an attorney I believe they are opening up themselves for trouble giving ANY third party the SSN's of their employees. Unless it's a gov agency that is requesting this info, or a payroll company

Re: [Full-Disclosure] Ancient Trivia: +++ath0

2004-03-18 Thread Cael Abal
Alexander Bochmann wrote: Quite funny how much time has been wasted rediscovering this feature over and over again in the last years. Indeed -- I half expect to see some leet 0day exploits involving ANSI key remapping. Cael

RE: Re[2]: [Full-Disclosure] New Virus under way ...

2004-03-18 Thread Nick FitzGerald
Schmehl, Paul L [EMAIL PROTECTED] wrote: come to think of it. what will be the names of the viruses after Bagle.Z ? Bagle.AA,AB,AC, etc. Obvious, ain't it? Its an (English) alphabetic counting system... And on and on it goes, and where it ends, nobody knows... Indeed. The most

Re: Administrivia (was: RE: [Full-Disclosure] Re: Microsoft Security, baby steps ? )

2004-03-18 Thread madsaxon
At 11:40 AM 3/19/2004 +1300, Nick FitzGerald wrote: Also, when sending messages to multiple lists (say F-D and Bugtraq), it seems you may slightly reduce the multiple message spew that often results on F-D because of the above by putting all the addresses in the To: header, rather than one in the

Re: [Full-Disclosure] New Virus under way ...

2004-03-18 Thread Nick FitzGerald
Richard [EMAIL PROTECTED] wrote: Looks to be the latest in the Bagle / Beagle family. Symantec have got it as the [EMAIL PROTECTED], discovered March 18 10:00 Yes -- there is huge naming confusion with the Bagles. This is partly because of similarities between some Bagle variants and some of

[Full-Disclosure] EEYE: Internet Security Systems PAM ICQ Server Response Processing Vulnerability

2004-03-18 Thread Marc Maiffret
Internet Security Systems PAM ICQ Server Response Processing Vulnerability Release Date: March 18, 2004 Date Reported: March 8, 2004 Severity: High (Remote Code Execution) Vendor: Internet Security Systems Systems Affected: RealSecure Network 7.0, XPU 22.11 and before RealSecure Server Sensor

[Full-Disclosure] Re: Administrivia

2004-03-18 Thread Jason
Nick FitzGerald wrote: [EMAIL PROTECTED] wrote: And please guys, stop cc'ing me. I'm on the list and have been almost since it started! Indeed. First, it is actually _rude_ to CC responses to messages from self-moderating lists (such as Full-Disclosure) to the poster and the list because,

RE: [Full-Disclosure] Re: New Virus under way ...

2004-03-18 Thread Tech List
I'm not sure what EIP is but I do know that hex in this case is for lack of a better way to say it binary shorthand. Each hex digit 0-9, A-F representing a 4 bit binary string (binary table=128 64 32 16 8 4 2 1). In this case h4=0100 h1=0001 so 0x41414141 is short-hand for the 32 bit binary

Re: [Full-Disclosure] Emailing SSN info

2004-03-18 Thread bart2k
First off review the Institutes Privacy Policy I'm sure you have one. Then ask Higher management why they are password protecting a zip file (worthless secure). Finally make a recommendation to speak with the vendor who is getting the data and ask what secure methods of transport they support

Re: [Full-Disclosure] Is this a paypal scam?

2004-03-18 Thread Nick FitzGerald
Dave Sherohman [EMAIL PROTECTED] wrote: No, it gets sent to everyone whether they have a PayPal account or not. Like spam, credit card scams don't even need anything close to a 1% response rate to be profitable, so they don't care how many non-PayPal-users get it. _AND_ probably nearly the

Re: Re[2]: [Full-Disclosure] New Virus under way ...

2004-03-18 Thread Nick FitzGerald
Michael Bemmerl [EMAIL PROTECTED] wrote: How about Bagle2.x ? No. For lots of reasons, no... Regards, Nick FitzGerald ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html

Re: Administrivia (was: RE: [Full-Disclosure] Re: Microsoft Security, baby steps ? )

2004-03-18 Thread madsaxon
At 03:30 PM 3/19/2004 +1300, Nick FitzGerald wrote: Because, from a rather cursory look at several such multiple mails, _some_ of those braindead I'll forward it to every address I can find in the message headers even though it did not originate on-site re-posters only seem to do this with

Re: [Full-Disclosure] Re: Administrivia

2004-03-18 Thread Frank Knobbe
On Thu, 2004-03-18 at 19:08, Jason wrote: but *I* prefer to be in the recipient list if I have joined in on the discussion, it is clearly a discussion I am interested in or felt like chiming in on. I have filters... they filter... they filter differently if I am a named to or cc...

RE: [Full-Disclosure] Operating Systems Security, Microsoft Security, baby steps

2004-03-18 Thread Todd Burroughs
On Thu, 18 Mar 2004, Schmehl, Paul L wrote: Updating any OS is a pain in the ass, but all of them have flaws and need to be updated. I find that at least with the UNIX-like ones, you can go on the Net and do your updates faster than you get rooted. This is foolish thinking. Do you

[Full-Disclosure] Eudora 6.0.3 attachment spoof, LaunchProtect

2004-03-18 Thread Paul Szabo
Eudora 6.0.3 for Windows was released recently. Though known for years, the spoofing of attachments is still not fixed; the problem with LaunchProtect is not fixed either. Spoofing demo (essentially identical to 6.0.1 version) below. Cheers, Paul Szabo - [EMAIL PROTECTED]