*throws his copy of The CISSP Prep Guide: Gold Edition away, picks up Security for Dummies*
On Tue, Nov 23, 2010 at 3:03 PM, Mikhail A. Utin <[email protected]> wrote:
> This is my final reply.
> For those still interested:
> - it happened on my home PC
> - immediately disconnected (for a few interested people I can forward the email
> to taste this thing after receiving appropriate paperwork)
> - it is beyond MS released SPs for Office and Windows
> - using this list is OK as we discuss vulnerabilities
> - using corporate email is not prohibited to discuss professional topics
> - public emails, chats/IM, social sites are prohibited by policies
>
> Sorry, I was looking for a few short ideas and mostly for known cases, but
> not lecturing. I'll fix it, not a big deal. Expect others to have some
> knowledge as well and do not waste time. BTW, certifications help in all
> covered matters, believe me. Even in understanding that others may know
> something and do have certain experience.
>
> If you know such cases, please reply. Otherwise do not waste your and
> computer energy.
>
> Thank you
>
> Mikhail A. Utin, CISSP
> Information Security Analyst
> Commonwealth Care Alliance
> 30 Winter St.
> Boston, MA
> TEL: (617) 426-0600 x.288
> FAX: (617) 249-2114
> http://www.commonwealthcare.org
> [email protected]
>
>
> -----Original Message-----
> From: Ryan Sears [mailto:[email protected]]
> Sent: Monday, November 22, 2010 5:41 PM
> To: Thor (Hammer of God)
> Cc: [email protected]; Mikhail A. Utin
> Subject: Re: [Full-disclosure] virus in email RTF message MS OE almost disabled
>
> Yeah, I've got to go with Thor on this one.
>
> You endangered your entire infrastructure by exposing internal defects in
> your (or your staff's) knowledge. That's a big no-no. Every company
> presumably has people in it who aren't the 'sharpest tools in the shed', so
> to speak, but in one email you've divulged more than enough information to
> mount a social-engineering attack to gain access to not only your home
> computer, but, assuming you're using the same passwords for everything,
> *everything you run*.
>
> Don't ask questions about this kind of stuff on FULL-DISCLOSURE. This is a
> security mailing list, and you asking if you got a virus is equivalent to
> installing that retardo purple dancing monkey and being surprised it's
> backdoored your computer. You're going to be endlessly flamed for it,
> because you're wasting people's time to make you look like a fool.
>
> The fact that you're looking for newly installed executables is a joke,
> really. Most modern initial exploitation vectors have been built to run
> fully in memory, never hitting the disk. Also, thanks to DLL migration you
> can instantly exploit then migrate to something like explorer.exe. You
> should've been looking for network connections as opposed to an entry in
> your uninstall menu saying 'l33t M$0FFICE expl0itz lul!'.
>
> While Thor's response might have been a bit sharp-tongued, I share his
> frustrations and agree with him wholeheartedly. Too many times our most
> important information is stored in the hands of people who either don't
> think about security, or blatantly ignore it. This is not only disturbing,
> but sad as well. What's the point in protecting my information on my private
> network if it's going to be poached when it enters YOUR hands? Hackers look
> for the path of least resistance, and operate on the old adage 'work smart,
> not hard'.
>
> You, sir, are a classic example of why certifications and titles are a bad
> idea, and are currently failing our industry. How can you call yourself a
> 'genius' if you aren't actually one? How can a CISSP *not* know about basic
> virus/exploitation behavior? You're the equivalent of the people who go to a
> garage sale, buy a Purple Heart, then tell everyone to call them 'sarge'. I'd
> say spend 10 min googling for some file format analyzers (which aren't the
> greatest but MIGHT catch blatant stuff like that, assuming there's something
> there), then spend another 10 finding a professional to help you re-order
> your infrastructure, and look at your company through the eyes of a hacker,
> not just someone who read a few paragraphs on security then decided to call
> themselves a 'security professional'.
>
> Sorry if I seem impatient, but this is the *exact* behavior that all of our
> infrastructures should be not only curbing, but cauterizing with fire. If
> you don't understand file-format vectors of attack, LEARN ABOUT THEM.
> Don't expect to get spoon-fed answers, but we live in a time where *any*
> question can be answered within a minute of googling, and that's if your
> google-fu ISN'T strong.
>
> Google-fu. That's how you become half-decent at anything nowadays. There
> are vast communities centered around everything from web attacks, ring-0
> level exploits, wireless hacking, embedded devices, and everything else
> in between. We all start off as n00bs, but the difference is the people who
> actually want to learn do, because they enjoy learning about it, and go seek
> the knowledge relevant to them. If you wanted any real help, you should've
> enclosed the file in question, not just said there was some mystery file
> that caused some CPU load. Welcome to Windows. That happens quite often.
>
> Ryan Sears
>
> ----- Original Message -----
> From: "Thor (Hammer of God)" <[email protected]>
> To: "Mikhail A. Utin" <[email protected]>
> Cc: [email protected]
> Sent: Monday, November 22, 2010 4:52:07 PM GMT -05:00 US/Canada Eastern
> Subject: Re: [Full-disclosure] virus in email RTF message MS OE almost disabled
>
> Keep it on the list. No need for private emails if you need assistance -
> give everyone a chance!
>
> My response was far more useful than your post - "I got pwned by an Office
> virus by opening an attachment in OE - What could it be??" Jeeze dude. And
> I didn't give any "adice" about "Noton." I said to get someone
> professional, which you *clearly* need to do.
>
> You should look up these guys:
> http://www.rubos.com/pisa.html
>
> Apparently they are Information System Security Professionals, and they are
> in the same town as you. One even has a CISSP, so you KNOW that he knows
> what he is doing. Funny thing is that he has the exact same name as you do.
> What are the chances of that? If these guys formed the company to sell
> services to businesses and individuals to comply with legal security and
> privacy requirements, then they should be able to figure out how to find an
> Office virus on XP, right?
>
> You can even join them, as "Security professionals and experienced
> Information Sestems professionals are welcome." I'm not sure what a
> "Sestems professional" is, but it must be very important work.
>
> Waste of time indeed. Apple Stores are hiring "geniuses" for the holidays
> - even they know how to use XP and could help.
>
> t
>
>
> From: Mikhail A. Utin [mailto:[email protected]]
> Sent: Monday, November 22, 2010 1:26 PM
> To: Thor (Hammer of God)
> Subject: RE: virus in email RTF message MS OE almost disabled
>
> Your email is useless. It is on my home PC. If you have better adice than
> using Noton SW, then please use your mind to get something meaningful.
> If you can name the virus or where to find its instance, it would be a
> help. Otherwise do not waste your and my time.
>
> From: Thor (Hammer of God) [mailto:[email protected]]
> Sent: Monday, November 22, 2010 3:17 PM
> To: Mikhail A. Utin; [email protected]
> Subject: RE: virus in email RTF message MS OE almost disabled
>
> You know, every time I start to get a bit of hope for what looks like an
> upward trend of businesses and organizations taking security seriously, I
> see crap like this. Your organization is a Medicare prescription contractor
> with a national network of 61,022 contracted pharmacies, and not only are
> you running unpatched versions of old OSes and opening email attachments
> because they "look OK," but you have to post to Full Disclosure asking for
> help with trivial virus detection and removal advice? Now that everyone on FD
> knows that you are vulnerable and that you open email attachments, you've
> probably just caused the organization to be pwned 9 ways from Sunday.
>
> To answer your question, call a professional and have them do it. And in
> the future, don't send out emails like this from your organization email
> announcing the state of your security. That's what Hotmail is for.
>
> t
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Mikhail A. Utin
> Sent: Monday, November 22, 2010 7:18 AM
> To: [email protected]
> Subject: [Full-disclosure] virus in email RTF message MS OE almost disabled
>
> Hello,
> Opening an OK-looking email message in my MS OE, I've very likely got a new
> kind of virus, which exploits the MS Office flaw recently announced. Immediately
> after, my OE started consuming huge memory when I switched between folders
> or messages. I've not seen any process in Task Manager taking up to 1 GB
> memory (physical is 512M). I did not find any newly installed executables
> either. When I shut down OE, the computer works fine.
> Any thoughts?
> Thank you
>
> Mikhail
>
> CONFIDENTIALITY NOTICE: This email communication and any attachments may
> contain confidential and privileged information for the use of the designated
> recipients named above. If you are not the intended recipient, you are hereby
> notified that you have received this communication in error and that any
> review, disclosure, dissemination, distribution or copying of it or its
> contents is prohibited. If you have received this communication in error,
> please reply to the sender immediately or by telephone at (617) 426-0600 and
> destroy all copies of this communication and any attachments. For further
> information regarding Commonwealth Care Alliance's privacy policy, please
> visit our Internet web site at http://www.commonwealthcare.org.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
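Ryan's remark that a file format analyzer "MIGHT catch blatant stuff" can be made concrete. What follows is an added example, my own Python and not code posted by anyone in this thread: a static triage pass over an RTF attachment that never hands the file to the vulnerable reader. It lists the control words an RTF uses to embed foreign objects (\object, \objdata and relatives), flags numeric parameters with an absurd number of digits, and decodes any long hex run to see whether it carries an OLE compound-document signature or is simply oversized. The control-word list, the two thresholds, and both sample documents are my own assumptions and constructions; they describe generic RTF structure, not a signature for the particular Office flaw the thread mentions.

```python
"""Static triage of an RTF attachment without opening it in the vulnerable reader.
Added example: generic RTF structure checks, not a signature for any one flaw."""
import re

RTF_HEADER = b"{\\rtf"
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # compound-document (OLE2) signature
# Control words that carry embedded objects or pictures. Legitimate in some
# documents, but the place an RTF exploit usually keeps its payload. (Assumed list.)
OBJECT_WORDS = {"object", "objemb", "objautlink", "objclass", "objdata",
                "objupdate", "datastore", "pict"}
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?[0-9]+)?")
# A run of at least 32 hex bytes that is not glued to a preceding identifier.
HEX_BLOB = re.compile(rb"(?<![0-9A-Za-z])(?:[0-9A-Fa-f]{2}\s*){32,}")


def scan_rtf(data, max_param_digits=6, max_blob_bytes=4096):
    """Return findings for one RTF byte string. Both thresholds are assumptions."""
    report = {
        "is_rtf": data.lstrip().startswith(RTF_HEADER),
        "object_words": [],      # embedding control words present
        "oversized_params": [],  # (word, parameter) with too many digits
        "blobs": [],             # decoded hex runs: size, OLE2 signature, oversized
        "suspicious": False,
    }
    seen = set()
    for m in CONTROL_WORD.finditer(data):
        word = m.group(1).decode("ascii").lower()
        param = m.group(2)
        if word in OBJECT_WORDS:
            seen.add(word)
        if param is not None and len(param.lstrip(b"-")) > max_param_digits:
            report["oversized_params"].append((word, param.decode("ascii")))
    report["object_words"] = sorted(seen)
    for m in HEX_BLOB.finditer(data):
        raw = bytes.fromhex(re.sub(rb"\s", b"", m.group(0)).decode("ascii"))
        report["blobs"].append({"size": len(raw),
                                "ole2": OLE2_MAGIC in raw,
                                "large": len(raw) > max_blob_bytes})
    report["suspicious"] = (not report["is_rtf"]
                            or bool(report["oversized_params"])
                            or "objdata" in seen
                            or any(b["ole2"] or b["large"] for b in report["blobs"]))
    return report


# --- constructed samples, not real attachments ---
SAMPLE_BENIGN = (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0\\fswiss Arial;}}"
                 b"\\pard\\fs24 Meeting moved to 3pm.\\par}")

# Hex payload shaped like an OLE1 embedded-object header followed by an OLE2 container.
OBJ_HEX = ("01050000"                                   # OLE version
           "02000000"                                   # format: embedded object
           "08000000" + "Package\0".encode().hex()      # class name length + name
           + "00000000" + "00000000"                    # empty topic and item names
           + "40000000"                                 # 0x40 bytes of object data
           + OLE2_MAGIC.hex() + "00" * 56)              # ...starting with the OLE2 signature
SAMPLE_EMBEDDED = ("{\\rtf1\\ansi\\fs99999999999{\\object\\objemb{\\*\\objclass Package}"
                   "{\\*\\objdata " + OBJ_HEX + "}}\\par}").encode("ascii")

if __name__ == "__main__":
    for name, doc in (("benign", SAMPLE_BENIGN), ("embedded", SAMPLE_EMBEDDED)):
        print(name, scan_rtf(doc))
```

Run it on the real attachment with `scan_rtf(open(path, "rb").read())` from a machine that is not going to open the file. An `\object` by itself is legitimate in plenty of documents, so the output is a prompt for closer inspection (carve the decoded blob, look at what it contains), not a verdict; a file that passes clean may still exploit a parser bug this kind of scan cannot see.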
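Ryan's other point, that an in-memory exploit migrated into explorer.exe leaves nothing in the uninstall list but does leave a socket, is the kind of thing you check at the connection table. This is an added example, my own Python rather than anything posted in the thread: it parses the output of `netstat -ano` and `tasklist /fo csv` (both shipped with Windows XP Professional), joins them on PID, and flags connections that do not fit a per-image policy, plus any connection owned by a PID that does not appear in the process list. The policy (Outlook Express's msimn.exe may talk only to mail ports; explorer.exe should hold no connection at all), the internal address ranges, and both command outputs are assumptions I constructed for a home XP box; adjust them to the host you are looking at.

```python
"""Which process owns which connection? Joins `netstat -ano` with
`tasklist /fo csv` and applies a per-image policy. Added example; the policy
and the sample outputs are constructed, not captured from a real host."""
import csv
import io
import ipaddress

# Assumed policy for a home XP box: image name -> remote TCP ports it may use.
# An empty set means the program is not expected to hold any connection.
POLICY = {
    "msimn.exe": {25, 110, 143, 465, 587, 993, 995},  # Outlook Express: mail protocols only
    "explorer.exe": set(),                            # the shell should not phone out
}
# Address ranges treated as "inside"; anything else counts as external. (Assumed.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def parse_netstat(text):
    """Parse the table printed by `netstat -ano` into a list of connection dicts."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":   # UDP rows have no State column
            proto, local, remote, pid = parts
            state = ""
        else:
            continue   # banner, column headers, blank lines
        host, _, port = remote.rpartition(":")
        conns.append({"proto": proto, "local": local,
                      "remote_host": host.strip("[]"),          # IPv6 prints as [addr]:port
                      "remote_port": int(port) if port.isdigit() else None,
                      "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def is_external(host):
    """True for a routable address outside INTERNAL_NETS; False for '*' or garbage."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def flag_connections(conns, procs, policy=POLICY):
    """Return the connections that break the policy or belong to an unlisted PID."""
    findings = []
    for c in conns:
        if c["proto"] != "TCP" or c["state"] == "LISTENING" or c["remote_port"] is None:
            continue
        remote = f"{c['remote_host']}:{c['remote_port']}"
        image = procs.get(c["pid"])
        if image is None:   # a socket with no visible owner is the more alarming case
            findings.append({"pid": c["pid"], "image": None, "remote": remote,
                             "reason": "owning PID is not in the process list"})
            continue
        allowed = policy.get(image.lower())
        if allowed is None:
            continue        # no policy for this image; nothing to compare against
        if not allowed or (c["remote_port"] not in allowed and is_external(c["remote_host"])):
            findings.append({"pid": c["pid"], "image": image, "remote": remote,
                             "reason": f"{image} is not expected to talk to port {c['remote_port']}"})
    return findings


# --- constructed command output, not a capture from a real machine ---
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:1039      203.0.113.5:110        ESTABLISHED     1492
  TCP    192.168.1.10:1040      192.168.1.1:139        ESTABLISHED     4
  TCP    192.168.1.10:1057      198.51.100.7:4444      ESTABLISHED     1204
  TCP    192.168.1.10:1061      203.0.113.9:443        ESTABLISHED     2300
  UDP    0.0.0.0:445            *:*                                    4
"""
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","900","Console","0","4,812 K"
"explorer.exe","1204","Console","0","19,340 K"
"msimn.exe","1492","Console","0","31,208 K"
'''

if __name__ == "__main__":
    for f in flag_connections(parse_netstat(NETSTAT_SAMPLE), parse_tasklist(TASKLIST_SAMPLE)):
        print(f)
```

On the sample data the mail client's POP3 session passes, the shell's outbound session on 4444 is flagged, and so is the connection whose PID is missing from tasklist. Both commands read the same tables a kernel-level rootkit can filter, so a dirty result is strong evidence and a clean one is weak; take the listing repeatedly while the symptom is present, and pull the box off the network before you start, as Mikhail says he did.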
