[snip original comments... read the archives if you don't know what
this thread is about]
Three comments:
1) Yes, playing with dst MAC addresses will work against most if not
all inline IPS solutions, and probably every sniffer based IDS... they
just don't track that sort of thing, although some
Greetings!
On Thu, 27 May 2004 19:27:09 +0200 Maarten [EMAIL PROTECTED]
wrote:
Mmmm... answered my own question with a bit of googling, sorry...
But it may be helpful or useful in this thread too, so here goes:
[...]
Surely not comparable to Ghost, but with no extra effort or cost...
--On Thursday, May 27, 2004 3:57 pm -0500 Michael Williamson
[EMAIL PROTECTED] wrote:
Every time I post to a list I get these out of office auto-responses.
Can these responders be configured to not respond to stuff from a list?
The autoresponders are meant to ignore mails with Precedence: bulk
CNET:
Security-technology company Symantec says it has analyzed what it believes
to be the first known threat to 64-bit Windows systems, a virus labeled
W64.Rugrat.3344.
http://tinyurl.com/yspgd
Regards,
Kovács László
Security Analyst
m-sec
___
Ghost won't work (IIRC) on unknown OS types as it only copies used data
blocks. Netcat does a binary copy and does not care what OS or data...
Not sure about newer versions of Ghost, but I know some older versions will copy
unknown partition types just fine; it merely does a bitwise copy of
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
This is an announcement only email list for the x86 architecture.
Turbolinux Security Announcement 28/May/2004
The following
On Thu, 2004-05-27 at 16:11, Maarten wrote:
Note that if you came into possession of something but there is no evidence of
a worm uploading that stuff, you'd probably still be screwed. Let's say they
find you have all manuscripts of Stephen King in your possession. Would you
be successful
Volker Tanger [EMAIL PROTECTED] wrote:
Ghost won't work (IIRC) on unknown OS types as it only copies used data
blocks. Netcat does a binary copy and does not care what OS or data...
That just might be a limitation if you are GUI-bound, but I'm sure
there are (or, at least were on the most
Yo! Skylined, don't hold back, tell us how you really feel!
|Message: 30
|From: Berend-Jan Wever [EMAIL PROTECTED]
|To: [EMAIL PROTECTED]
|Subject: Re: [Full-Disclosure] lists, autoresponders, and netiquette
|Date: Fri, 28 May 2004 03:42:40 +0200
|
|Every time I post to a list I get these out of
--SNIP
| For me, breaking laws is NOT acceptable under ANY circumstance. I hope
| the majority of people on this list is with me on this.
--SNIP
| ...Attitudes like yours are what fosters computer insecurity
| and social passivity in general. Breaking laws IS acceptable in MANY
plz un-subscribe me .. i am already subscribed to a mail id
--
__
Sign-up for Ads Free at Mail.com
http://www.mail.com/?sr=signup
___
Full-Disclosure - We believe in it.
Charter:
Ok. It seems the case described. A spoofed packet with your
IP as the source tries to connect to the compromised machine
to port 80 at localhost. The compromised machine doesn't have a
webserver listening at 127.0.0.1:80 so the tcp stack replies
ACK RST and sends this packet to your spoofed
Unlikely. If this were the case, the server would reply with
RST, not RST, ACK. There's too little information to come to
any conclusion at this point.
I have to correct myself, the server would reply with RST, ACK. Blaster.E
(Skip Duckwall) looks like a more probable cause, but there is not
On Thu, 27 May 2004 15:57:28 CDT, Michael Williamson [EMAIL PROTECTED] said:
Every time I post to a list I get these out of office auto-responses.
Can these responders be configured to not respond to stuff from a list?
Well.. Yes. Sort of. The 'vacation' program that ships with Sendmail has
--SNIP
| For me, breaking laws is NOT acceptable under ANY circumstance. I hope
| the majority of people on this list is with me on this.
--SNIP
| ...Attitudes like yours are what fosters computer insecurity
| and social passivity in general. Breaking laws IS acceptable in MANY
On Thursday 27 May 2004 16:19, Michal Zalewski wrote:
For the purpose of this discussion, let us assume the IDS has a
detector designed to detect malicious SMTP commands sent to a remote
server. The detector looks for DEBUG command in these commands, but
not when the session is in BODY mode
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- ---
Fedora Legacy Update Advisory
Synopsis: Updated cvs resolves security vulnerability
Advisory ID: FLSA:1207
Issue date:2004-01-28
Product:
you need to look at a new industry to make your living, perhaps flipping
burgers or something simple like mowing lawns, since mailing lists are far
too complex for you to handle. Especially when all the
subscribe/unsubscribe info is attached to each and every post to the list
smile.
Thanks,
Ron
On Fri, 28 May 2004, Charlie Harvey wrote:
--SNIP
| For me, breaking laws is NOT acceptable under ANY circumstance. I hope
| the majority of people on this list is with me on this.
--SNIP
| ...Attitudes like yours are what fosters computer insecurity
| and social
On Fri, 28 May 2004, Jim Bauer wrote:
The IDS will see not see a valid response to the DATA command (that is
never received) so it will know it is still in SMTP command mode. Even
if your not-so-smart IDS let this slip by, there is still the issue of
DEBUG not being in a valid format for a
On Fri, 2004-05-28 at 10:14, Curt Purdy wrote:
You are right about vmWare. It is THE most useful tool for lab work I've
found. When you are through trashing a virtual OS, just delete it and copy
over the original folder that you initially backed up and you're good to go
again.
Why so
I'm not going to explain the details of networking, I
assume if people subscribe they have a base knowledge.
Exploit:
Wireless networking is simple to sp00f IPs and it
would be trivial to setup a DNS server on a laptop
then sp00f the IP to match that of the ISPs DNS server
and cause a wee bit
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200405-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Charlie...
Put down the crack pipe and back away
slowly. You are surely not suggesting that this issue of Cisco's
code has anything...at all...remotely...in common with the people and actions
you listed...seriously...you're kidding...right??
Bart Lansing
Manager, Desktop Services
Kohl's IT
Title: Printer Buffer Security??
I'm trying to figure out if the Epson Color Stylus 800 printer loses its buffer memory when unplugged. I've got to use it for some classified processing and don't want to have to destroy it when I'm finished.
Epson says that it won't retain any information
-BEGIN PGP SIGNED MESSAGE-
__
SGI Security Advisory
Title : SGI Advanced Linux Environment security update #20
Number: 20040508-01-U
Date : May 28, 2004
Fixed in :
-BEGIN PGP SIGNED MESSAGE-
__
SGI Security Advisory
Title : SGI Advanced Linux Environment 3 Security Update #2
Number: 20040509-01-U
Date : May 28, 2004
Fixed in
Yes, you are correct; when you go to the contact us page they require you to use the
quite un-secure login page first. That is brilliant. The credentials are passed
along unsecured over the Internet. I am glad that my bank has an actual SSL login
page.
I sent them a message - one that the
Bringing up an old topic (discussed 15-May), because
it seems no one replied to my post, which contains er..
wrong claims.
Michael Tokarev wrote:
Shaun Colley wrote:
---
if (NULL == (tmp = kmalloc(optlen + 1, GFP_KERNEL))) {
retval = -ENOMEM;
goto
On Friday 28 May 2004 13:08, Oliver Friedrichs wrote:
I don't see how a broadcast MAC address would help the attacker.
The target would still receive it.
I think you're missing his point, which is that IDSs that do not
track MAC level state (and only track IP / TCP level state) are
At 12:41 PM 5/28/2004 -0500, [EMAIL PROTECTED] wrote:
Put down the crack pipe and back away slowly. You are surely not
suggesting that this issue of Cisco's code has anything...at
all...remotely...in common with the people and actions you
listed...seriously...you're kidding...right??
I dunno.
i found a nice email... with some strange code, i'm not a hacker but
i think this is what some people call a 0-day exploit... :)
i think you can use this to hack servers running rsync :)
and as i support full disclosure i send it to the list.. happy hacking
:)
I don't see how a broadcast MAC address would help the attacker. The
target would still receive it.
I think you're missing his point, which is that IDSs that do not track MAC
level state (and only track IP / TCP level state) are vulnerable to an
insertion attack. It doesn't matter what the
Then, an extra attack step involves host A sending an IP packet addressed
to host X and containing a valid message (be it a DATA command, or RST
frame, or whatnot), but to a bogus hardware-level address (belonging to
host Y, some broadcast/multicast group, or just nobody in particular).
This
Dan,
I don't know if we've progressed beyond
hemlock...but we should have progressed to MAC filtering, rotating WEP
keys, VLANing/IPSECing/VPNing traffic...and maybe even to things like using
certificates issued to wireless devices AND servers to validate them as
well. Nothing is foolproof, but
Valdis, I think you've misunderstood
me. I mean to say that the Cisco events pales...amazingly...to the
people and events he listed. If you feel the Cisco code leak/theft
is in any way as important, meaningful, or impactful as any of them...I'm
not the one in need of foil.
Cheers.
Bart Lansing
[EMAIL PROTECTED] writes:
Many financial institutions do the same thing.
www.americanexpress.com:
Security is important to everyone!
Please be assured that, although the home page itself does not have an
https URL, the login component of this page is secure. When you enter your
User ID
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Perry E.
Metzger
Sent: Friday, May 28, 2004 12:57 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] http://www.chase.com/ vulnerability
I don't know if this is the right place to note a vulnerability
Many financial institutions do the same thing.
www.americanexpress.com:
Security is important to everyone!
Please be assured that, although the home page itself does not have an
https URL, the login component of this page is secure. When you enter your
User ID and password, your information is
Brandon [EMAIL PROTECTED] writes:
Wells Fargo and Bank of America have similar home pages, although they do
offer a secure login page, I'm sure most users don't bother using it.
So does Chase (if you bother learning how to get to it, which they
don't make obvious.)
American Express appears to
On Fri, 28 May 2004 15:25:31 CDT, [EMAIL PROTECTED] said:
events pales...amazingly...to the people and events he listed. If you
feel the Cisco code leak/theft is in any way as important, meaningful, or
impactful as any of them...I'm not the one in need of foil.
Oh.. I was just trying to
[EMAIL PROTECTED] wrote:
Charlie...
Put down the crack pipe and back away slowly. You are surely not
suggesting that this issue of Cisco's code has anything...at
all...remotely...in common with the people and actions you
listed...seriously...you're kidding...right??
Bart Lansing
Manager,
Now, an IDS that sees all network traffic but performs TCP stream analysis
building on top of a traditional proto / saddr / daddr / sport / dport
stream identification method (discarding hardware address data) - as I
would expect it is almost always the case - would run into serious
lol, ok, I think we can both take off
the tinfoil hats now, eh?
Bart Lansing
Manager, Desktop Services
Kohl's IT
[EMAIL PROTECTED]
05/28/2004 03:33 PM
To
[EMAIL PROTECTED]
cc
[EMAIL PROTECTED]
Subject
Re: [Full-Disclosure] Breaking
Laws Cisco's stolen code
On Fri, 28 May
On Fri, 28 May 2004 12:41:32 CDT, [EMAIL PROTECTED] said:
Put down the crack pipe and back away slowly. You are surely not
suggesting that this issue of Cisco's code has anything...at
all...remotely...in common with the people and actions you
listed...seriously...you're kidding...right??
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Is Strangers who answered my question on the Internet among the
sources you want to quote when you find out it does, even though you
thought it didn't? This is one of those cases when you want to err on
the side of safety, I think. It's just a printer.
On Fri, 28 May 2004 15:42:37 CDT, [EMAIL PROTECTED] said:
lol, ok, I think we can both take off the tinfoil hats now, eh?
ObSecurity: The Internet-Draft includes this sentence:
Mechanisms should be in place to limit unauthorized personnel
from performing or knowing about lawfully authorized
On Fri, 28 May 2004 12:20:30 -0700
[EMAIL PROTECTED] wrote:
i found a nice email... with some strange code, i'm not a hacker but
i think this is what some people call a 0-day exploit... :)
i think you can use this to hack servers running rsync :)
and as i support full disclosure i send it
On Fri, 28 May 2004, Mike Frantzen wrote:
This has been a known attack at least since Ptacek and Newsham's seminal
paper on IDS evasions.
As far as I can see, they describe an attack where the attacker uses IDS's
own MAC address to route frames directly to this box; this is usually
prevented
nice mail...but if somebody wants to use it, check the shellcode first...i
think it deletes all your files in your home dir. i'm not sure, maybe
somebody else can check it...
greets...
On Friday 28 May 2004 21:20, [EMAIL PROTECTED] wrote:
i found a nice email... with some strange code, i'm
No, you are not correct. Take a look at the source of the page, and you
can see that the login is a POST operation to an https page.
Subject: RE: [Full-Disclosure] http://www.chase.com/ vulnerability
Date: Fri, 28 May 2004 12:11:26 -0700
From: Schmidt, Michael R. [EMAIL PROTECTED]
To: 'Perry
dkey wrote:
nice mail...but if somebody wants to use it, check the shellcode first...i
think it deletes all your files in your home dir. i'm not sure, maybe
somebody else can check it...
Yes.
seg000: ; Segment type: Pure code
seg000: seg000 segment byte public 'CODE'
On Thu, 27 May 2004, Michael Tokarev wrote:
I was wrong reading the above code, simple as that.
Sure, kmalloc(0) will NOT return NULL as I claimed.
if (size > csizep->cs_size)
continue;
Here, when size == 0 (and csizep->cs_size is always > 0),
the