Re: [Full-disclosure] Making waves on Twitter!
I think the only way to solve this debate is a Celebrity Deathmatch-style stand off. I will get the petition ready on https://wwws.whitehouse.gov/petitions. Stay tuned.

On Fri, Jan 24, 2014 at 9:05 AM, David Kennedy da...@derbycon.com wrote:

> Y, what's up. This dude is crazy and probably Waylon Krush (can't confirm that). He's been tweeting each news organization in an attempt to throw a bunch of crap out there. Make your own determination, but I'm not the only one that's found it. First it was "I absolutely had access to 70k and I'm the next Weev and should be arrested", now it's "I've morphed myself into a media whore". Regardless, when it's fixed, I'll post as I've always said. Even did a full writeup and updates explaining everything: https://www.trustedsec.com/january-2014/explaining-security-issues-healthcare-gov/
>
> Dude keeps changing and morphing the story into a bunch of different things and changing the story. Happy to explain whenever, and I'm not the only one who came to the same damn conclusion; 7 others did as well that were under NDA. Make your own determination. I've always done things on ethics and being up front, not hiding in the shadows and claiming insane things behind cloak and daggers.
>
> -Dave
>
> truthinallthi...@hushmail.me via lists.grok.org.uk, Jan 22 (2 days ago), to root, full-disclosure:
>
>> This site is making waves on twitter: http://7in4mins.wordpress.com/
>>
>> So what say you? Has our dear sweet Lord of the SET hacked healthcare.gov (http://healthcare.gov/)? Or did he lie about what is really going on to get close to his heroes at Fox News? Has the spotlight turned him into another Gregory Evans? Desperate and willing to do anything for his next hit of the spotlight? Or did he find a way to have Google let him do 70,000 searches in four mins like he claims?

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Making waves on Twitter!
As long as it involves the death star creation we may have a chance..

On Jan 26, 2014 9:57 PM, Brandon Perry bperry.volat...@gmail.com wrote:

> I think the only way to solve this debate is a Celebrity Deathmatch-style stand off. I will get the petition ready on https://wwws.whitehouse.gov/petitions. Stay tuned.
Re: [Full-disclosure] Making waves on Twitter!
So, here are the problems I have with both sides of this debate right now. I wouldn't normally play along with politics like this, but it's a nice Sunday afternoon, and I am feeling saucy. I post this in an open forum because I believe this debate is useful in an open forum and I don't believe that Dave should be going up against polidiots in Congress alone.

Let's think about what is happening. Our claim is that healthcare.gov is insecure. We are the ones making that claim, and so the burden of proof is on us. They have effectively proven that they had some sort of pen tests done (who knows the scope, or how much risk was simply accepted). However, the only way to prove that the website is truly insecure is to break the law. They know this (and let's not forget there is extreme bias here).

You need to look at this from the point of view of the people you are trying to convince. I hate this term "passive reconnaissance" because the people you are trying to convince have *no* idea what this means. You are either using the website in the way it was intended or you are not (their POV, not mine). That paints a black and white picture that could fall under the CFAA. In fact, "passive recon" sounds like something the NSA does to collect metadata. Just saying.

Krush obviously has no idea how software development works. Yes, let's build honeypots into our extremely time-crunched multi-million dollar web application instead of actually building security measures in. That makes perfect sense. However, he is playing the political game that Dave is not. He knows exactly who his audience is, and plays straight into their hand. He is telling them anything vaguely technical that backs up the story that everything is secure. And you can't prove that what he is saying isn't true.

The fact that no real data is stored permanently (a point that both the Congress people and Krush make repeatedly) is no point at all. TJX and Target both had all their data stolen in transit (memory scanning malware). Neiman Marcus and Michaels are now likely in that boat as well. This is the perfect time to refute their point since it is fresh on everyone's mind. Any data existing on those servers at any given point in time should be considered at risk.

There needs to be a solid story on the 70,000 number. Is there source code available for these scripts? Dave is going to get clobbered on this if he can't show exactly what this means. Anyone that is technical probably understands what is happening, but to anyone who doesn't know what an HTTP request is, the explanations are very soft and confusing (most media outlets?). This doesn't work in favor of the arguments because it makes it seem like something is being hidden.

In the end, this is a political problem. Not a technical problem. You can throw out hard numbers (hell, they might even be correct), and they can put words in your mouth and twist what you say to discredit you and you lose. Politicking is all about 10 second sound bites. That is their game right now. Not to prove Dave wrong, but to discredit him.

Let's recap: we can't prove the website is insecure without breaking the law, and our politichildren are not concerned about proving it is secure. They probably don't even know what "secure" means when it comes to technical systems like healthcare.gov. I believe Dave is approaching this as a technical problem, when this is actually a political problem.

For the hell of it, I will drop a Reaganism[1]: "Trust, but verify." We are effectively being told "trust us, it is secure." We should be saying, "Fine, we trust you. Let us verify." Our tax dollars built the system. Maybe we should be allowed to view the source code.

I don't really expect any replies, but I love to eat crow. Feel free to teach me something.

/me grabs some popcorn

[1] I believe Reagan stole this from the Russians.
On Sun, Jan 26, 2014 at 3:03 PM, David Kennedy da...@derbycon.com wrote:

> As long as it involves the death star creation we may have a chance..
Re: [Full-disclosure] Making waves on Twitter!
Good points on all of those. I've been trying to keep it on track as a security issue and I think it is actually getting there. I had a conversation with the CISO over HHS which just took over the infrastructure. He seems pretty awesome and wanting to do the right things to get the things addressed and wants to understand them all. So on that front, I think it's gotten the light that it's needed to do change.

My hope was that it would be not just hc.gov but the federal government as a whole. FISMA + 800-53 != security in any shape or form and we're seeing the ramifications of that now on an entire federal/state level. FISMA has messed us up for the next 10 years to come. Instead of proactive type solutions, it's "how do we get the check box and skirt around the NIST guidelines" - same thing goes for any other regulatory/compliance standard - SOX/PCI no different. I may have been too ambitious to think we could change the larger problem as it became a political show instead of the focus on security. Regardless - lots of good done on that front and lots of things have changed since the last testimony.

Regarding the script, it's an embarrassing urllib2 request - happy to release it as soon as it's fixed (still open as far as I know). Ticket #s have been submitted to the devs.

On the getting blasted front - it's actually been quite light except for Waylon/NoBiasInfosec crazy talk. For the most part, it's been received well and seems like a lot of folks are interested in addressing it.

To the point "Let's recap: we can't prove the website is insecure without breaking the law, and our politichildren are not concerned about proving it is secure." I agree - I tried using the analogy that if I was a mechanic instead and had 14 years of working on cars and a car drove past me with the engine making clanking sounds, blue smoke everywhere and leaking oil, chances are it's probably got an engine issue, either that or it's fine and just a honeypot.

I can't say that the internal guts are insecure, but based on doing this type of testing for years and years, there are many more symptomatic problems out under the hood. I could be wrong, but I would be blown away if everything looked great on the inside. That's why I grabbed 7 other security folks to provide their opinion on it, most are application security folks and do this as a profession - same conclusion.

Regardless, I have to say that I'm pretty finished on the politics stuff - at least for now. I'm not a political person, I stay away from it as a practice. I was hoping that it would be a focus on bringing awareness and light to a pretty bad situation. It's such a hostile environment where folks are more bent on winning their political views than it is about doing the right thing. Unfortunate but the world we live in.

All good points Brandon - appreciate the responses.

-Dave

On Sun, Jan 26, 2014 at 11:39 PM, Brandon Perry bperry.volat...@gmail.com wrote:

> So, here are the problems I have with both sides of this debate right now. I wouldn't normally play along with politics like this, but it's a nice Sunday afternoon, and I am feeling saucy.
[Full-disclosure] DC4420 - London DEFCON - January meet - Tuesday 28th January 2014
Well here we go again... It's a new year, but we're still in the same place and still going strong!

Last year we continued to grow and to host many fantastic and interesting talks, as well as performing the more important tasks such as drinking beer and drinking more beer... This year we hope to do the same, and to this end we are kicking off with an 'open mic' evening, as well as launching a couple of competitions...

The first is the international 2014 DEF CON Groups Challenge: https://forum.defcon.org/showthread.php?t=13743 We will discuss how we can participate, and provide resources to those that wish to do so...

Secondly, it's about time we had a new t-shirt! In the very early days we produced a limited number of shirts, and, frankly, mine is worn out and I need a new one, so WTF? Why hasn't someone come up with a nifty design? Get to it!

Finally, open mic/lightning talks... This is your forum, and your opportunity to speak to your peers in London and shape the meetings to come... Have your say and/or tell us about the cool shit you did over Christmas!

***
Venue: The Phoenix, Cavendish Square
http://www.phoenixcavendishsquare.co.uk/
Date: Tuesday 28th January, 2014
Time: 17:30 till kicking out - talk starts at 19:30
***
Dates for the rest of the year and other info: http://dc4420.org
***

See you there!

cheers,
mm

--
In DEFCON, we have no names... errr... well, we do... but silly ones...
[Full-disclosure] Mozilla Bug Bounty #5 - WireTap Remote Web Vulnerability
Document Title:
===============
Mozilla Bug Bounty #5 - WireTap Remote Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=953

Mozilla Bug Tracking ID: 875818

Video: http://www.vulnerability-lab.com/get_content.php?id=1182

Partner News (Softpedia): http://news.softpedia.com/news/Critical-Validation-and-Filter-Bypass-Vulnerability-Fixed-in-Thunderbird-420962.shtml

Release Date:
=============
2014-01-27

Vulnerability Laboratory ID (VL-ID):
====================================
953

Common Vulnerability Scoring System:
====================================
7.3

Product & Service Introduction:
===============================
Thunderbird is a free, open-source, cross-platform application for managing email and news feeds. It is a local (rather than a web-based) email application that is powerful yet easy-to-use. Thunderbird has lots of cool features. Thunderbird gives you control and ownership over your email. There are lots of add-ons available for Thunderbird that enable you to extend and customize your email experience. Thunderbird is part of the Mozilla Manifesto, a pledge that describes Mozilla's commitment to an open, accessible, egalitarian Internet.

(Copy of the Vendor Homepage: http://www.mozilla.org)
(Copy of the Product Homepage: http://www.mozilla.org/en-US/thunderbird/)

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a critical validation and filter bypass vulnerability in the official Mozilla Thunderbird 17.0.6 email software.

Vulnerability Disclosure Timeline:
==================================
2013-05-10: Researcher Notification & Coordination (Ateeq ur Rehman Khan)
2013-05-11: Vendor Notification (Mozilla Security Incident Team)
2013-05-21: Vendor Response/Feedback (Mozilla Security Incident Team)
2014-01-18: Vendor Fix/Patch (Mozilla Developer Team - Reward 1.500$ SWB)
2014-01-27: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Mozilla
Product: Thunderbird - EMail Application 17.0.6

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
It has been discovered that the security controls / filters currently being used in the Mozilla Thunderbird application can be easily evaded if an attacker decides to encrypt the payloads with base64 encryption and combine it with the object tag. During the testing, it was initially noticed that malicious javascript tags were being filtered / blocked in the Thunderbird application; however, attaching a debugger to the Thunderbird .exe file revealed some very interesting information and gave much better insight into the actual working of the application. Most of the information revealed is Javascript errors, which gave the researcher much hope in believing that the application might actually be vulnerable.

By default, HTML tags like script and iframe are blocked in Thunderbird and get filtered immediately upon insertion; however, while drafting a new email message, attackers can easily bypass the current input filters by encoding their payloads with base64 encryption and using the object tag, and insert malicious scripts / code, e.g. (script / frame), within the emails and send it to the victims. The exploit gets triggered once the victim decides to reply back and clicks on the `Reply` or `Forward` buttons. After successfully bypassing the input filters, an attacker can inject persistent script code while writing a new email and send it to victims. Interestingly the payload gets filtered during the initial viewing mode; however, if the victim clicks on Reply or Forward, the exploit gets executed successfully.

For a PoC I will be including multiple examples in this advisory for your review. I was able to run multiple scripts generating strange behaviour on the application, which can be seen in the debugging errors which I have attached along with this report. These sorts of vulnerabilities can result in multiple attack vectors on the client end which may eventually result in complete compromise of the end user system.

The persistent code injection vulnerability is located within the main application. Exploitation of this persistent application vulnerability requires low or medium user interaction. Successful exploitation of the vulnerability may result in malicious script code being executed in the victim's browser, resulting in script code injection, persistent phishing, client side redirects and similar client side attacks.

Vulnerable Service(s):
[+] Mozilla Thunderbird 17.0.6 - Latest Release

Vulnerable Section(s):
[+] Write (Create a new message)
[+] Email Signature (Account Settings)
[+] Attach File
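As an added illustration (not Mozilla's code and not the advisory's PoC), here is a small Python message filter for the gap the advisory describes: a filter that only inspects the outer markup sees a plain object tag, while one that decodes the data: URI finds the iframe smuggled inside it and strips the whole element. The sample message and the example.invalid URL are constructed for this example.

```python
import base64
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Tags the compose filter blocks outright (per the advisory) and the embedding
# tags whose URI attribute can carry them hidden inside a data: URI.
BLOCKED_TAGS = {"script", "iframe", "frame"}
EMBEDDING_TAGS = {"object", "embed"}
URI_ATTRS = {"data", "src", "codebase"}
VOID_TAGS = {"embed", "frame", "br", "img", "hr"}   # elements with no closing tag
DATA_URI_RE = re.compile(
    r"^\s*data:(?P<mime>[^;,]*)(?P<params>(?:;[^;,]*)*),(?P<body>.*)$", re.S | re.I)


def decode_data_uri(value):
    """Document carried by a data: URI (base64 or percent-encoded), else None."""
    m = DATA_URI_RE.match(value or "")
    if not m:
        return None
    body, params = m.group("body"), m.group("params").lower()
    try:   # tolerate missing '=' padding; binascii.Error is a ValueError subclass
        return (base64.b64decode(body + "=" * (-len(body) % 4)).decode("utf-8", "replace")
                if "base64" in params else unquote(body))
    except ValueError:
        return None


class MessageFilter(HTMLParser):
    """Parses a message once: risky tags land in .findings as (tag, depth) and the
    markup minus those tags in .out; depth 0 is the outer message, 1 is inside a data: URI."""

    def __init__(self, html, depth=0):
        super().__init__()                     # char refs are decoded, re-escaped below
        self.depth, self.findings = depth, []
        self.out, self.skipping = [], []       # skipping: stack of tags being dropped
        self.feed(html)
        self.close()

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS or tag in EMBEDDING_TAGS:
            self.findings.append((tag, self.depth))
        drop = tag in BLOCKED_TAGS
        if tag in EMBEDDING_TAGS:
            for name, value in attrs:
                inner = decode_data_uri(value) if name in URI_ATTRS else None
                if inner is not None:
                    drop = True                # never keep a data: URI embed ...
                    if self.depth < 3:         # ... and look at what it smuggles (bounded)
                        self.findings.extend(scan_html(inner, self.depth + 1))
        if self.skipping or drop:
            if tag not in VOID_TAGS:
                self.skipping.append(tag)
        else:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if not self.skipping:
            self.out.append(f"</{tag}>")
        elif tag == self.skipping[-1]:
            self.skipping.pop()

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))


def scan_html(html, depth=0):
    """(tag, depth) for every risky tag, including ones hidden inside data: URIs."""
    return MessageFilter(html, depth).findings


def outer_only_filter_catches(html):
    """Model of a filter that inspects only the outer markup, as the advisory describes."""
    return any(t in BLOCKED_TAGS for t, d in scan_html(html) if d == 0)


def sanitize(html):
    """Message with blocked tags and data: URI embeds (and their contents) removed."""
    return "".join(MessageFilter(html).out)


# Constructed sample: an object tag whose base64 data: URI hides an iframe.
INNER = '<iframe src="https://example.invalid/"></iframe>'
SAMPLE = ('<p>Hi,</p><object data="data:text/html;base64,'
          + base64.b64encode(INNER.encode()).decode() + '"></object><p>Bye</p>')
```

On the sample, `outer_only_filter_catches` returns False (the bypass the advisory reports), `scan_html` reports the iframe at depth 1, and `sanitize` drops the object element entirely.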
[Full-disclosure] RVAsec 2014 CFP
What: RVAsec 3
When: June 5-6th, 2014
Where: Richmond, VA, on the Virginia Commonwealth University campus
CFP Deadline: 2/14

RVAsec is a Richmond, VA based security convention that brings top industry speakers to the mid-Atlantic region. For 2014, the conference is a two day and dual-track format, with a mixed focus on technical and management/business presentations. All talks must be 55 minutes in length and can be on any security/privacy related topic. Note that we will not accept submissions which are sales/marketing.

RVAsec has many speaker perks, including con admission (and half-off for a friend), speaker party, shirt/swag, awesome badges, and the opportunity to be the recipient of the RVAsec STFU sign!

RVAsec has a limited travel budget, but speakers who request travel assistance may be eligible for:
- Travel allotment up to $300
- 3 nights hotel at the Crowne Plaza Richmond Downtown

For more information or to submit, please see: http://rvasec.com/2014-cfp/

--
http://rvasec.com/
[Full-disclosure] Sentinel beta version released
Sentinel is a new 32 bit exploit mitigation tool developed in ASM/C/C++ able to protect Windows 32 bit programs against binary exploits targeted by attackers or viruses. It can protect your programs against 0-day attacks or publicly known bugs.

The tool's page is: http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=sentinel

Blogpost and demos: http://blog.coresecurity.com/2014/01/23/introducing-sentinel-a-32-bit-anti-exploit-tool-from-corelabs

The Ekoparty presentation: http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=Sentinel&file=Sentinel.pdf

Note: Remember that Sentinel is in beta version, so there may be some bugs. If you find one, please send me an email to necono...@coresecurity.com

Enjoy it!
[Full-disclosure] [CVE-2014-1673] Check Point Session Authentication Agent vulnerability
Product Information
-------------------
Check Point Session Authentication agent is a service that is installed on an endpoint system in order to communicate with the security gateway and allow it to request and obtain the user's credentials. Session Authentication is a part of the Legacy Authentication suite, which provides different authentication methods to allow or deny access to network resources.

The R76 Security Gateway Technical Administration Guide[1] defines typical Session Authentication operation in the following way:

1. The user initiates a connection directly to the server
2. The Security Gateway intercepts the connection
3. The Session Authentication agent challenges the user for authentication data and returns this information to the gateway
4. If the authentication is successful, the Security Gateway allows the connection to pass through the gateway and continue to the target server

Issue description
-----------------
Check Point Session Authentication agent version 4.1 and higher contains a flaw which is caused by lack of peer authentication in SSL communication. Encrypted communication between agent and security gateway was introduced due to several issues (e.g. [2], [3]) which were revealed in the previous versions (4.0 and lower) of the product. Research showed that it is still possible to exploit previously known vulnerabilities - gateway impersonation and credential stealing - even though communication between agent and security gateway is utilizing SSL.

Communication between the Session Authentication agent and the security gateway is performed using a proprietary protocol. Since version 4.1 this communication scheme uses SSL as an underlying protocol to enable encryption of both protocol commands and user-provided data. When SSL communication is negotiated between gateway and agent, the following cipher suites are visible in the SSL Client Hello message as supported by the Session Authentication agent:

TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
TLS_DH_anon_WITH_RC4_128_MD5
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
TLS_DH_anon_WITH_DES_CBC_SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA

RFC2246 refers to the listed cipher suites: "The following cipher suites are used for completely anonymous Diffie-Hellman communications in which neither party is authenticated. Note that this mode is vulnerable to man-in-the-middle attacks and is therefore deprecated."

Taking into account the above information, it's possible to connect to the Session Authentication agent from the attacker's machine, initiate SSL-based communication, pass the SSL handshake without being authenticated and use the encrypted channel to control the agent (e.g. prompt the user for login and password).

For the attack to be successful, the attacker's machine must be allowed to connect to the machine on which the agent is running. Newer versions of the Session Authentication agent include an option to define three IP addresses which are allowed to issue authentication requests to the agent. When this option is used it limits the possibility of exploitation. The agent software also has an "Allow any IP" option - when enabled, the attacker doesn't need to take additional measures in order to be able to connect to the agent.

Proof of Concept
----------------
The attached PoC script simulates the security gateway and allows credential stealing to be performed over an encrypted communication channel against Session Authentication agent version 4.1 or higher.

Affected versions
-----------------
Check Point Session Authentication agent, version 4.1 and higher

Vendor response
---------------
The vendor was informed about the issue on 8/8/2013. On 14/8/2013 the vendor informed about the expected fix date: 15/10/2013. On 28/10/2013 the vendor informed that due to the small user base and the introduction of the Identity Awareness Software Blade[4], legacy session authentication will be deprecated in the major release of 2014. Additionally the vendor published SecureKnowledge article[5].

Credits
-------
It should be noted that this finding is partially based on the work of individuals who reported issues in the previous versions of the Session Authentication agent as referenced in [2] and [3].

References
----------
[1] https://sc1.checkpoint.com/documents/R76/CP_R76_SGW_WebAdmin/6721.htm
[2] http://www.securityfocus.com/bid/1661/info
[3] http://osvdb.org/show/osvdb/84985
[4] https://www.checkpoint.com/products/identity-awareness-software-blade/
[5] https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk98263
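As an added example (not Check Point's code and not the advisory's attached PoC), here is a Python parser that pulls the offered cipher suites out of a TLS ClientHello record and flags the anonymous Diffie-Hellman suites listed above, the check a gateway-side policy or an IDS rule would apply to the agent's handshake. The ClientHello builder and the sample records are constructed here; the suite numbers come from RFC 2246 appendix A.5.

```python
import struct

# Cipher suite numbers from RFC 2246 appendix A.5 for the five anonymous DH
# suites the advisory lists (the numeric values are from the RFC, not the advisory).
ANON_DH_SUITES = {
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    0x001A: "TLS_DH_anon_WITH_DES_CBC_SHA",
    0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
}
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A   # server-authenticated suite, for contrast
TLS1_0 = b"\x03\x01"


def build_client_hello(suites):
    """Constructed minimal TLS 1.0 ClientHello record (no extensions), for testing only."""
    body = TLS1_0 + bytes(32)                          # client_version, random (zeroed: sample)
    body += b"\x00"                                    # session_id: empty
    body += struct.pack("!H", 2 * len(suites))         # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + TLS1_0 + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Cipher suites offered in a TLS ClientHello record; raises ValueError on junk."""
    if len(record) < 5 or record[0] != 0x16:           # ContentType handshake(22)
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:          # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ClientHello")
    pos = 35 + body[34]                                # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def anonymous_suites_offered(record):
    """Names of DH_anon suites a ClientHello offers. Any hit means the client will
    finish a handshake with no server authentication, which is the advisory's flaw."""
    return [ANON_DH_SUITES[s] for s in parse_client_hello(record) if s in ANON_DH_SUITES]


def only_authenticated_suites(record):
    """Policy verdict: True iff the client offers no anonymous suite."""
    return not anonymous_suites_offered(record)


# Constructed samples: the agent's advertised list as given in the advisory, and a
# client that offers only a server-authenticated suite.
AGENT_HELLO = build_client_hello(sorted(ANON_DH_SUITES))
AUTHENTICATED_HELLO = build_client_hello([TLS_RSA_WITH_3DES_EDE_CBC_SHA])

if __name__ == "__main__":
    for name, hello in (("agent", AGENT_HELLO), ("authenticated client", AUTHENTICATED_HELLO)):
        print(name, anonymous_suites_offered(hello))
```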