Re: [Full-disclosure] Vodafone Phone Hacking Scandal - Femto hacked
> Much more importantly it allows you to avoid the insane VF roaming charges...

Um .. if you have access to a fast enough Ethernet network (wherever outside the UK you are) to pull this off, you could just use a vanilla SIP phone and be done with it.

Cool hack though .. sure is nice of the carriers to supply off-the-shelf UMTS modules .. cheaper/easier than USRP+GNUradio.

Anyone done this to ATT's kit this side of the pond?

Cheers,

Michael Holstein
Cleveland State University

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Encrypted files and the 5th amendment
> Tim, I actually use TrueCrypt now to do exactly what you speak of. I pre-allocate a fixed virtual disk, and use one passcode for one section of data and a different passcode for a different section of data. It is impossible to determine if the disk is set up in this manner, and impossible to tell which section of data is being used. It is actually quite easy to do.

All fine and dandy until the authorities say "Your honor, the defendant is using nested encryption, we didn't find the $self_incriminating_evidence so he obviously hasn't complied with our request."

Double-edged sword.

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Decrypting SSL for Network Monitoring
> InfoSec Institute resources author Alec Waters gives you step by step instructions on how to decrypt SSL for network monitoring:

What? .. you mean it's possible to decrypt RSA when I have access to the private key? /news.

If you want to IDS your SSL stuff, you put the cert on a load balancer in front of the webserver and IDS the traffic coming out the backside .. you don't pass out copies of the key.

My 0.02.

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Computer name should match with your real identity?
> I am not doing it

You are free to reject corporate policy as you see fit. Your personal effects will be at the security desk on Friday. We will mail your last check.

> it could be case of information leakage

Internal NETBIOS/DNS names are generally helpful for identification of machines, and most places follow some sort of template of location+type+model+serial .. just so the IT department doesn't have to figure out some UNIX admin's scheme-de-jour of colors/gods/planets/whatever.

Really .. what's easier to find the location/function of .. the machine named CORPHQWWWDEV1 or the one named Aristotle?

Michael Holstein
Cleveland State University
Re: [Full-disclosure] iPhone Geolocation storage
> While Android doesn't write the info to local storage, there is a lot of interesting information stored in the debug log (RSSI, etc.) that could be used to determine a coarse location/track.

And some helpful chap wrote this in response to the Apple fiasco : https://github.com/packetlss/android-locdump

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] iPhone Geolocation storage
>> Pretty scary btw. I hope there's not the equivalent for Android.

> TFA says the researchers searched the android code for a similar functionality and didn't find it. Doesn't mean it's not there, but since anyone can git the android repository and look at the source, it's a lot more likely to *be* found if it did.

While Android doesn't write the info to local storage, there is a lot of interesting information stored in the debug log (RSSI, etc.) that could be used to determine a coarse location/track.

Get the SDK and put your phone in USB debug mode and run 'adb logcat -b (whatever)' .. relevant options documented here : http://developer.android.com/guide/developing/tools/adb.html

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Vulnerability discloses PIN used in Microsoft Excel secure printing
> Wtf, I've never heard of a 'secure' print :S

Most large multifunction devices do this .. it's not secure in the traditional (crypto) sense of the word, it's just a part of the job sent via the postscript driver. Look at the PSD files for any large multifunction and you'll find the options for it.

How it works is instead of printing the job immediately, it queues and holds until the operator goes and enters the code on the console .. so that you have time to walk over to the printer and grab it, versus having it sit there while you walk down the hall.

What's interesting is that Excel is embedding the PIN (part of the printer driver) in the default printer settings it saves in the document metadata. The PIN itself isn't particularly private (it's sent in the clear when printing) but embedding it is dumb.

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Vulnerability discloses PIN used in Microsoft Excel secure printing
> I assume it is embedded so that cancelled or queued jobs can still require PIN. You can't have one job pause all other jobs in the queue, so it would need some way of continuing from bypass.

The whole vulnerability angle is pretty lame. How it works on our Xerox printers is you hit a button to pull up the jobs and the secure ones are held (in memory, on the printer) until the user enters the same code embedded in the job. The primary purpose is to target the resistance against departmental printers under the privacy angle. Jobs that don't have this tag print FIFO (secure jobs are a separate queue internally). The PIN is just an attribute sent by the postscript driver and embedded in the job.

I have seen print drivers and hardware that do operate in a secure manner (we have ID printers that do this), but IMHO that's more for license compliance than actual security of the information.

The fact that Excel stores it as a printing default is interesting, but hardly a vulnerability. If you have access to the document to see the printing PIN in metadata, you obviously can read the document itself .. It'd be like saying "OMG! Excel remembers what size paper I like to use."

One could argue the whole creatures of habit aspect around the PIN (dammit, now I need to change my luggage), but the whole secure print thing is sort of a misnomer and more of a marketing trick (internally and externally) than anything else.

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] CCBILL.COM Internet billing service multiple vulnerabilities
>> It is very easy to reach our Information Security team at secur...@ccbill.com.

> Please show at least 1 page where this e-mail is written !

http://www.faqs.org/rfcs/rfc2142.html

(but I see your point .. Microsoft --for example-- refuses to read email sent to such addresses and requires you answer a convoluted webform to do most anything).

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] targetted SSH bruteforce attacks
> Is anyone else seeing this type of attack? Or is someone really targeting MY box?

No, I assure you it's not just you. It's also not uncommon to see a sequential (basically a nmap -p 22) scan at full throttle several times a day.

You can basically :

a) move to another port (obscurity .. but pretty effective in weeding out the casual versus committed)
b) switch to public key only auth (recommended anyway if possible).
c) use denyhosts, tarpitting, etc. to frustrate the casual guessers and bots.

The ones that are committed will find a way around (a) and (c). But it will take somebody a long time to properly guess a key for (b) .. unless you forgot to patch your Debian SSHd from their little snafu .. but you'd have been owned long ago if that was the case.

If you really must use passwords on a multi-user system listening on tcp/22, then employ something like the PAM modules for JTR (pam_passwdqc) just to make sure people don't use stupid ones.

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] targetted SSH bruteforce attacks
> Note that with iptables you can leave ssh on port 22 but have it answer on other ports. See http://proxyobsession.net/?p=869

Or just change the entry in ./etc/sshd_config

    # What ports, IPs and protocols we listen for
    Port 22

From man(5) sshd_config :

    Port: Specifies the port number that sshd(8) listens on. The default is 22.
    Multiple options of this type are permitted. See also ListenAddress.

Cheers,

Michael Holstein
Cleveland State University
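The two posts above recommend moving sshd off port 22, going key-only, and using a denyhosts-style counter against password guessing. The following is an added example (not code from the posts) of the defender-side checks that go with that advice: an audit of sshd_config text for the listen port and password-auth settings, following the sshd_config(5) rules that the first value of a keyword wins and that `Port` may repeat, and a per-source counter over constructed sshd auth-log lines. The config excerpt and log lines are constructed for the example; Match blocks are not modelled.

```python
"""Defender-side checks for the sshd hardening / brute-force discussion.
Added example; not code from the original posts. Sample data is constructed."""
import re
from collections import Counter

# Constructed sshd_config excerpt; the commented line leaves sshd's default in force.
SAMPLE_SSHD_CONFIG = """\
# What ports, IPs and protocols we listen for
Port 22
#PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
"""

# Constructed auth.log lines in OpenSSH's syslog format (RFC 5737 test addresses).
SAMPLE_AUTH_LOG = [
    "May  3 10:01:02 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "May  3 10:01:03 host sshd[4102]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2",
    "May  3 10:01:04 host sshd[4103]: Failed password for root from 203.0.113.7 port 51041 ssh2",
    "May  3 10:01:05 host sshd[4104]: Failed password for invalid user test from 203.0.113.7 port 51052 ssh2",
    "May  3 10:02:11 host sshd[4110]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2",
    "May  3 10:05:40 host sshd[4120]: Failed password for bob from 198.51.100.9 port 40100 ssh2",
    "May  3 10:05:44 host sshd[4121]: Accepted password for bob from 198.51.100.9 port 40100 ssh2",
]

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def audit_sshd_config(config_text):
    """Report the listen ports and auth settings sshd would actually use.

    Rules from sshd_config(5): comments and blank lines are ignored, Port may
    be given several times, and for every other keyword the *first* value wins.
    Missing keywords take sshd's defaults (Port 22, PasswordAuthentication yes).
    Match blocks are deliberately not modelled.
    """
    ports = []
    first_value = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "port":
            ports.append(int(value))
        else:
            first_value.setdefault(key, value)
    if not ports:
        ports = [22]
    password_auth = first_value.get("passwordauthentication", "yes") == "yes"
    return {
        "ports": ports,
        "listens_on_22": 22 in ports,
        "password_auth_enabled": password_auth,
        # root is reachable by password guessing only if both settings are permissive
        "root_password_login": password_auth
        and first_value.get("permitrootlogin") == "yes",
    }


def brute_force_sources(log_lines, threshold=3):
    """Return {source_ip: failed_count} for sources with >= threshold failures,
    the same per-source tally a denyhosts-style blocker works from."""
    counts = Counter()
    for line in log_lines:
        match = FAILED_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(audit_sshd_config(SAMPLE_SSHD_CONFIG))
    print(brute_force_sources(SAMPLE_AUTH_LOG))
```

On the sample config the audit reports that sshd still listens on 22 with password authentication on (the commented-out line does not turn it off), and the log scan singles out the one source with four failures while leaving the legitimate user with a single typo alone.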
Re: [Full-disclosure] Congratulations Andrew
> So what grants you legal access to aol.com (HTTP port 80 get / )? I'm confused? Does search engine indexing grant legal access to online resources?

The activity in question (sequentially guessing serial numbers and submitting them to a form) is more like SSH brute-force than it is to stumble upon a random HTTP site with no authentication.

Having a bunch of drugs laying about when $agency comes to ask about it .. also a bad idea.

My $0.02, IANAL, etc.

Michael Holstein
Cleveland State University
Re: [Full-disclosure] iPhone data protection flaw
> AFAIK the USB-protocol does not contain any authorization / authentication-mechanism:

USB just defines the signaling protocol and interface. After that, you can make the target device do whatever you want with the corresponding driver on the host side.

Take a look at any Sansa MP3 player .. you can tell it to act as USB Mass Storage or act as a MTP device. The latter requires a certificate to communicate with it.

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> A = Spend money on compliance

'A' is *mandatory* if you choose to do certain operations in-house. Why is this so hard to understand?
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> Besides, in a democratic society (where CC do operate as well), you can't force someone to install an anti-virus just because _you_ think it is secure.

This isn't a democracy .. it's a business. You want to process credit cards in-house, you need to comply with the PCI standards. It *doesn't matter* if you think you're smarter/better than what's in the standard .. you play by their rules or you don't play. Much like if your boss says you have to wear a tie, but you think ties are stupid.

You've already stated in a prior email that you have no involvement with PCI implementation on either side of the fence ("hell no", was your answer, I believe) .. so I don't see where you're really qualified to make a categorical statement that PCI compliance lends nothing to security.

PCI/DSS is an attempt to paint (as broadly as possible) a minimum set of standards. You are allowed (in some cases) to state a mitigating circumstance that renders a particular point moot. None of the things in the PCI/DSS standard contradict basic best practice when it comes to securing data and the networks and hosts on which it resides and traverses.

> The argument where compliance is wasted money still holds.

Well .. waste your money on compliance .. or waste your money on the surcharge you pay to another entity that *is* compliant. Take your pick.

Cheers,

Michael Holstein
Cleveland State University

PS: Just because you say your network is secure doesn't make it so. Internal and external audit is routine course in the business world, and you'll find that the less you try and make life difficult for them, the easier things tend to go.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> My point isn't about a particular section, nor whether the amount of experience I have in PCI DSS compliance (which is next to novice).

So we can agree that you're arguing about something with which you have no experience?

> The point is, what's PCI aiming at?

It's on the first substantive page of the document .. to wit :

    The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.

> Real security

Again, I ask what is 'real security'?

> or just a way companies can excuse their incompetence by citing full PCI compliance?

If you self-audit and just check the boxes because you have a box that says firewall on it and another that says IDS and so forth, then yes .. it's just excusing incompetence .. but any real auditor would be asking you about change management for those assets, who has access to them and why, how logs are reviewed and by whom, etc.

There are 12 basic points in the 1.2 spec, none of which contradict current best-practice for network design.

Cheers,

Michael Holstein
Cleveland State University

PS: This is starting to sound like the discussion many of us have with Mac end-users .. the one that goes "but Macs don't get viruses".
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> Some people in the information security industry actually care about securing systems and the information they contain rather than filling in check boxes.

So what's the problem? .. if you have done it according to (or exceeding) the spec .. check the box, buy a box of donuts for the auditor .. let them look it over, and be done with it.

> Compliance may ensure a minimum standard is met, but it does not ensure or imply that real security is being maintained at an organization.

If VISA (et.al.) could define "real security" and write it down, they would. What is real security exactly? .. I'd argue the only secure computer is one that's still sealed in the factory carton. Break the seal, game over .. just like it says on a box of Band-Aids: "Sterility guaranteed until opened."

> As you say, PCI has become a cost of doing business whereas having a secure network is apparently not a cost of doing business. This is a problem.

The thinking goes .. that if you implement the PCI standards and aim to actually do as it suggests (meaning doing what the document suggests *correctly* .. not just having a blinkinlight in place so you can check a box) .. you're already down the right path.

Even so .. the problem with securing networks/systems is there's millions of them and only a few of you. Also .. you have to be right 100% of the time, and they only have to get lucky once.

My $10.02 ($10 minimum purchase on all credit cards). **

Cheers,

Michael Holstein
Cleveland State University

** : yes, I know this goes against the merchant agreement .. sarcasm.
Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
> You don't think in-house payment gateways can be as stable as third party gateways?

Probably not .. it goes back to the "how many '9s' can you afford to pay for" question. But in-house has the advantage of knowing who to yell at when it breaks. Management generally prefers to yell locally instead of being told "I dunno, ask the cloud".

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Security system
> An adversary with the resources and motivation to kill power, net, and jam GSM when they're pwning your house would probably be able to know about and take out your watchdog box in the same move.

Reminds me of the adage "Locks keep honest people honest."

Dream up all the fancy security and countermeasures you want .. but it still makes more sense to just take reasonable proactive steps to make your house less attractive to burglars than the ones next door .. and have good insurance. The geeky stuff is more fun to think up and implement, but trimming the hedges and installing some exterior lights works better.

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Victorinox Launches Super-Secure USB Stick
> Victorinox says that during the Secure's launch event in London, the company offered a team of professional hackers close to $150,000 if they could get past the Secure's security measures.

No, they offered them a set amount of time to do it. In practical terms for a lost/stolen USB stick this is a totally useless test, and is 100% marketing fluff.

If they were really serious, they would have published the full specifications and provided a dozen sample units for a reasonable entry fee to anyone that wanted to try.

They also wouldn't be the first manufacturer to severely misunderstand the correct implementation of AES : http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] I have been threatened.
> Yahoo.com has assassins? Wow!

    User-agent: Slurp
    Disallow: *
Re: [Full-disclosure] Fwd: steathbomb
> anyone see this and know about it? How it works and good detection? http://www.brickhousesecurity.com/pc-computer-spy.html

autorun.inf is how it installs itself. Once installed, it works like any other rootkit spyware (screen grabs, keystroke/window logger, etc).

Cheers,

Michael Holstein
Cleveland State University

PS: Brickhouse : "Why parent when you can spy?".
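The question above asks about detection, and the reply names autorun.inf as the installation vector. As an added example (not code from the post or the product page), the following parses an autorun.inf the way the Windows shell reads its `[autorun]` section (case-insensitive section and key names, `;` comments) and returns the entries that would launch a program on insertion or double-click: `open=`, `shellexecute=` and `shell\<verb>\command=`. A media-scanning script can run this over every `autorun.inf` it finds on removable volumes. Both sample files are constructed for the example.

```python
"""Parser/detector for autorun.inf launch entries. Added example; not from the
original post. Sample autorun.inf contents are constructed."""
import re

# Constructed: a benign autorun.inf that only sets an icon and a volume label.
BENIGN_AUTORUN = """\
[autorun]
icon=photos.ico
label=Holiday photos
"""

# Constructed: an autorun.inf that runs an executable from a data directory
# and rewires the shell's "open" verb to the same file (mixed-case keys on
# purpose; the Windows shell treats them case-insensitively).
SUSPICIOUS_AUTORUN = """\
; example file
[AutoRun]
OPEN=data\\update.exe
shellexecute=data\\update.exe
shell\\open\\command=data\\update.exe
shell=open
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# Keys whose value is executed: open, shellexecute, shell\<verb>\command
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)


def parse_autorun_section(text):
    """Return (key, value) pairs of the first [autorun] section, keys
    lower-cased, order and duplicates preserved. Other sections are ignored."""
    entries = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            if in_section:
                break                      # reached the next section
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries


def launch_entries(text):
    """The entries that can execute a program, i.e. what a detector reports."""
    return [(k, v) for k, v in parse_autorun_section(text) if LAUNCH_KEY_RE.match(k)]


def is_suspicious(text):
    """True when the file would run anything at all; icon/label-only files pass."""
    return bool(launch_entries(text))


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        print(name, is_suspicious(sample), launch_entries(sample))
```

Flagging any launch entry at all (rather than matching a particular file name) is the right detection posture here: a legitimate photo stick or driver CD needs only `icon=` and `label=`, so anything that executes is worth an analyst's look regardless of what it is called.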
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> download truecrypt and add a custom cascade of ciphers to your truecrypt source code... so that your truecrypt hidden volume will be very hard to brute-forced with off the shelf tools (which is what most

No off-the-shelf tool exists for cracking any of the existing ciphers used in TrueCrypt beyond those that speed up a brute-force attack (like the Tableau TACC1441), but those tools just speed up the password-key generation process .. they aren't even attempting a true keyspace attack.

Cheers,

Michael Holstein
Cleveland State University

PS: as for custom ciphers, I hear 2 rounds of ROT13 is pretty good, 4 is even better, and with 6 rounds, it's practically invincible.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> By the way, does somebody know about the flash memory? Is zeroing a whole usb key enough to make the data unrecoverable?

No, wear-leveling (done at the memory controller level) will dynamically re-map addresses on the actual flash chip to ensure a relatively consistent number of write cycles across the entire drive. The only way to completely wipe a flash disk is with a hammer.

Regards,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> If the police or spies look for determined words or sentences (presumed not encrypted), at an unknown point on an unknown layer of the disk, it will be much easier for them to find it if the rest was random data (or video or whatever) than if it was random text that can have a meaning when looking with a program, but not in front of a Court.

You're forgetting that most such work is either done by salaried government employees or contractors paid by the hour .. neither of which care how long it takes.

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> Yes, but what if I overwrite the device with random data from the very first to the very last byte? Suppose the size of the device hasn't decreased; I'd think that wear-levelling has no chance to spare blocks in this case.

Research paper on forensics for flash media : http://www.ssddfj.org/papers/SSDDFJ_V1_1_Breeuwsma_et_al.pdf

In any case, provided you take a factory-new drive and immediately install an encrypted filesystem on it, any such orphan data would be essentially random.

Regards,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> I must suggest your experience is quite limited - the case below is not unique:

Yes it is. Rarely do you get a group of 28 computer scientists to volunteer their time/money in a criminal case.

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> - The absence of evidence 9 times out of 10 is just as bad as the evidence itself in court.

In what court?

> - What you type text or email can, and will, be used against you in a court of law.

Only if obtained by correct process of law and you resist the temptation to explain yourself to the police.

> So, plausible deniability solution for disk wiping?: Let disk wiping tools LOAD the whole WIKIPEDIA in nxn matrices and mix ALL the words phrases in a random pool continuously and use THIS as the Wiping passes and patterns while they wipe the disk-space (instead of using random-pass or zero)

You're forgetting that you aren't required to explain yourself in court (5th Amendment). It's the job of the prosecution to connect the dots and prove you're guilty. Smart defendants hire their own expert to refute the testimony of the prosecution's expert.

As to Wikipedia, I think a random overwrite pattern would be way better than them finding fragments of the following (just two examples) :

http://en.wikipedia.org/wiki/Nuclear_weapon_design
http://en.wikipedia.org/wiki/Child_prostitution

Practically every illegal act has an article on Wikipedia .. why deliberately seed your hard disk with them?

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> Ok, then why not encode the same keywords that these TOOLS look for with your Markov chains idea and mix it to wipe a 1 TB hdd with alice chatter-bot idea ?

How do you know what they'd search for, and if you did, why would you want to fill your drive with a bunch of related information? Modern forensic tools are good enough to find your needle in that haystack in short order, regardless of how well you try to hide it in plain sight among the contents of wikipedia, et.al.

If you truly desire to hide in plain sight, consider Steganography [*1*]. If you want to create plausible deniability, consider TrueCrypt's hidden volumes [*2*].

[*1*]: http://en.wikipedia.org/wiki/Steganography
[*2*]: http://www.truecrypt.org/docs/plausible-deniability

Regards,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> You are telling me Modern forensic examiners DRAW CONCLUSIONS without looking at ALL possible evidence and by shifting just a few bytes of possible related keywords and draw insufficient conclusions?

No, they find the keyword in a file (or fragment thereof) and examine the resulting file or reconstruct the fragments to see if it's relevant to their investigation. Putting YOUR bomb plot amidst thousands of news articles about OTHER bomb plots won't fool them, and it'll make you look sufficiently guilty that you'll sit in jail while they waste their time.

> it like, when a forensic incident happens you take fingerprint from the whole house skipping a few rooms thinking there are so many rooms to look for.?

Depends on what they're trying to prove. In a burglary case, they might see prints on the stereo cabinet and lift those. No need to fingerprint the entire house when they've got a clear print, although they usually grab a few others just to be sure.

Apparently you've never sat through a trial .. find an interesting case and go attend, it's highly educational. Basically a jury is 12 people of the general population (in actuality, an in-depth knowledge of the subject matter at hand is likely to get you dismissed as a juror by one or both sides). The jury, having watched CSI and such, will listen with utter fascination at the State's expert in computer forensics talk about how he extracted the data and it will paint a VERY convincing picture for 12 people that know nothing about computers.

> On top of that, the keywords they fish-out that way is by no guarantee belonging to the OWNER OF THE COMPUTER instead as leftover chunks from the internet written by someone and lands on your computer's in disk-fragments as free-space as browser cache is flushed ?

Possession is 9/10ths of the law. You can try and float your "wikipedia did it" theory at trial, but ultimately it's a matter of which theory sounds more plausible to the jury :

1. defendant had illegal stuff on his computer.
2. defendant says illegal stuff on his computer was an effort to hide any potential illegal stuff by putting articles about related illegal stuff he didn't do on there.

Quit trying to re-invent the wheel and get your crypto on and lawyer up when asked about it.

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Question about IPTV pentesting - packet manipulation for subscribing charged content
> I wanna edit this file name. (a1d1.mpg is free, a1d2.mpg not free)

If this is all that needs to be done, why not use a transparent proxy (on the bridge) : http://www.faqs.org/docs/Linux-mini/TransparentProxy.html

and just use rewrite rules : http://www.squid-cache.org/Doc/config/rewrite/

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Two MSIE 6.0/7.0 NULL pointer crashes
> I'm developing an app for linux, the PC at work can't run a single version of linux

Post a copy of "lspci -v" and I bet somebody proves you wrong.

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] All China, All The Time
> With all the hubbub around China yet again, I would like to remind you of the utilities available at Hammer of God that allow one to completely block any or all traffic to or from China or any other country in the world via ISA/TMG.

Source for pre-built blocklists in DNSBL, CIDR, or Cisco ACL format : http://www.okean.com/thegoods.html

Regards,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Geolocation Question
> was a tick box along the lines of "disable all communication with MS servers"

Well, as it pertains to WGA, the hack was to include the following in ./system32/drivers/etc/hosts :

    127.0.0.1 mpa.one.microsoft.com

If you have a router that can run [DD|Open]WRT, you can mount a SMB share and run "tcpdump -w /that/share" on your connection to see exactly what your system of choice is doing network-wise. You can also do this with a hub and another computer (or even directly on the box with winpcap, assuming you trust that M$ didn't do some trickery that would lie to it).

If you want to get fancier still, run Quagga on a linux box with a BGP feed from somewhere and blackhole AS8060, AS8069, AS8705, AS3598, and a couple of others I'm too lazy to look up at the moment .. and route your traffic through that.

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] iiscan
> This definitely sounds like a clueless federal agent. Especially since he uses an autogenerated email address.

Yeah, because government employees want to state on-the-record from their @leo.gov email address that "China is bad, m'kay?".

Actually, in all my (informal) contacts with FBI folks, I've never had one of them say to use their official email address, it's always Gmail (or something else) with PGP at the client side. By the way, the FBI folks I've dealt with have been anything but clueless. It's the local barny-fife types that provide the hilarity.

> Get with the program, the internet is wide open for people to scan.

True, but when I see a bunch of *unsolicited* scans I know they're malicious. You're asking for them, and then you don't know what happens to the results.

It's not paranoia when they really *are* out to get you.

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Transmission #19-WT [re: Andrew Wallace / n3td3v]
> BEGIN TRANSMISSION
> 7040dc5b9583e367068a06f25a7bce8a

wtf is this? .. up until the last line it looks like md5 hashes.

Number stations used to be fun to find when I was like 15 .. and I thought for a minute this might be something funny when run through john with format=raw-MD5, but ..meh.

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Facebook Police
> What UoW-LaCrosse students should do is flood FB with pictures of staged underage drinking shots and put a stop to this.

Or just start photoshopping hookers into the front seat of local cop cars.
Re: [Full-disclosure] Some shit going on in seclist
> I guess this is an email list. This guy, Day Jay, has put this vulnerability up on seclist, stating that it relates to microsoft iis 6.0, when it actually deletes the user's home folder.

If you don't understand the code well enough to realize what it's doing, then you deserve getting whacked for running some random shit you found on an anonymous mailing list.

> PS: I send this file to have your advice,

Loveletter.txt.vbs, etc.

Oh .. and I hear 4chan has a bunch of cool pictures you can rename from .jpg to .js and get free porn for life.

(the only time I remember this actually being funny was when somebody did one that mailed the contents of /etc/passwd .. and somebody else took the time to make a passwd file that when run through jtr said something like "you're so lame for decoding this")

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Meet Kurt Greenbaum, Director of Social Media, St. Louis Post-Dispatch, Reports commenter to employer.
> (Remember - in this case, contacting the school's network provider would *not* have found the user, because the network provider just provides a connection and bandwidth. Any login records/etc are at the *school*, not the provider).

Valdis .. not sure about that school since it was K12, but in both your case and mine .. we *are* the ISP (insofar as we have our own ASN and valid info on whois). If K12 is done there like I've seen in a lot of other places, they probably have a consortium that provides connectivity and each institution has a CIDR block within the consortium's AS .. and I'm sure the school had some web-nazi appliance that made it a few clicks of a mouse to figure out whodunit.

Also .. as to the legal matters .. the instructor in question would have been in a much better position if he'd been fired rather than resigning. Granted, he probably quit because he knew he *would* be fired .. but it's hard to argue unlawful termination when you quit on your own (IANAL, etc.).

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Meet Kurt Greenbaum, Director of Social Media, St. Louis Post-Dispatch, Reports commenter to employer.
> What Greenbaum did was against the privacy policy of the site:

You seem to be missing the part where the comment was removed (several times) and re-posted.

From : http://www.stltoday.com/help/privacy-policy

  "..to protect against misuse or unauthorized use of our web sites"

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Cellphone with USB host
AFAIK, it's a field of one: http://www.hackerspace.net/hostilewrt

A WRT-54GL with a LiPO battery will run for (at least) a week. The PCB inside fits in a long Kleenex box along with a battery underneath it and some real kleenex on top. Scatter a few around as needed.

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Ant-Sec - We are going to terminate Hackforums.net and Milw0rm.com - New Apache 0-day exploit uncovered
> That site has already been pwned by the DEA, so if you go there, expect to be logged and contacted.

I doubt that .. for several reasons.

1. The DEA likes to announce their successes, so there'd be a press release about it.

2. Junk like that is in places like 4chan, et.al. all the time .. just to make k1dd13s crap their pants.

3. Google of the hostname provides no links to actual drug sales at all .. just a bunch of IRC chat logs. If it actually had been used for that, it'd be in tons of spam links.

4. Hosting provider is Linode.com, a VPS colo.

5. The real DEA banner (http://www.usdoj.gov/dea/dea_banner.jpg) was edited with Photoshop to produce the one on that site :

  wget --proxy=on -O - http://narc.oti.cz/dea_banner.jpg | strings | head -3
  JFIF
  Ducky
  Adobe

But as always .. click on links in email at your own risk. Use TOR+wget if you want to be careful.

Cheers,

Michael Holstein
Cleveland State University
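The "strings | head -3" check above relies on the editor identifiers happening to be the first printable runs in the file. The following added example (not from the post) walks the JPEG marker segments instead, so each identifier is tied to the APPn segment it lives in; the sample JPEG headers are constructed inline and carry no image data.

```python
import struct

# JPEG marker bytes used below.
SOI, SOS, EOI = 0xD8, 0xDA, 0xD9
APP_MARKERS = {0xE0 + n: f"APP{n}" for n in range(16)}

# Identifiers that editing software leaves at the start of APPn segments.
# "Ducky" (APP12) is written by Photoshop's "Save for Web", "Adobe" (APP14)
# by Photoshop's colour-transform segment; a plain camera/converter file
# usually carries only JFIF and/or Exif.
EDITOR_IDS = {
    b"Ducky": "Photoshop 'Save for Web' (APP12)",
    b"Adobe": "Adobe APP14 colour transform (Photoshop)",
    b"Photoshop 3.0": "Photoshop image resource block",
    b"http://ns.adobe.com/xap/1.0/": "XMP metadata (Adobe)",
}


def jpeg_app_segments(data: bytes):
    """Walk the JPEG header segments up to SOS and return a list of
    (segment name, identifier string) for every APPn segment seen."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    pos, found = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # padding byte before a marker
            pos += 1
            continue
        if marker in (SOS, EOI):      # entropy-coded data starts; stop here
            break
        # Segment length is big-endian and counts the two length bytes.
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        if marker in APP_MARKERS:
            ident = payload.split(b"\x00", 1)[0].decode("latin-1")
            found.append((APP_MARKERS[marker], ident))
        pos += 2 + length
    return found


def editor_signatures(data: bytes):
    """Return descriptions of known editor fingerprints found in the header,
    in the order the segments appear."""
    hits = []
    for name, ident in jpeg_app_segments(data):
        for prefix, description in EDITOR_IDS.items():
            if ident.encode("latin-1").startswith(prefix):
                hits.append(f"{name} '{ident}': {description}")
    return hits


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment (helper for the constructed samples)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: headers only, with an empty scan, so the walker can be
# exercised offline. SAMPLE_EDITED mimics what "strings | head -3" showed on
# the banner in the post (JFIF, Ducky, Adobe); SAMPLE_PLAIN has only JFIF.
_JFIF = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_SOS = bytes([0xFF, SOS]) + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3F\x00"
SAMPLE_EDITED = (bytes([0xFF, SOI]) + _segment(0xE0, _JFIF)
                 + _segment(0xEC, b"Ducky\x00\x01\x00\x04\x00\x00\x00\x3C\x00\x00")
                 + _segment(0xEE, b"Adobe\x00\x64\x00\x00\x00\x00\x00")
                 + _SOS + bytes([0xFF, EOI]))
SAMPLE_PLAIN = bytes([0xFF, SOI]) + _segment(0xE0, _JFIF) + _SOS + bytes([0xFF, EOI])

if __name__ == "__main__":
    for label, sample in (("edited", SAMPLE_EDITED), ("plain", SAMPLE_PLAIN)):
        print(label, jpeg_app_segments(sample), editor_signatures(sample))
```

Feed a real file with `editor_signatures(open(path, "rb").read())`; an empty list only means no known editor segment survived, since re-saving through another tool can strip them.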
Re: [Full-disclosure] Who is destroying our internet?
> While these two events are not related in any way, I am wondering why people don't create backup off site or don't plan normal failsafes when their site is as big as Google (we have seen a few popular sites die because of this mistake)

Google fat-fingered something in their BGP configs(*) .. even with all the HA and redundancy in the world, mistakes happen. BGP/Routing is probably the one place where a mistake will monkey-wrench even the most elaborate redundancy schemes.

(*) : http://googleblog.blogspot.com/2009/05/this-is-your-pilot-speaking-now-about.html
Re: [Full-disclosure] THC releases video and tool to create fake ePassports
> Incredibly, last week, after performing a series of security tests on the passport application process and discovering some failures, the US GAO still state they don't know much about the fraudulent methods: http://www.gao.gov/new.items/d09583r.pdf

Ironically, all their fancy methods for detecting fraud discuss cross-checking the SSN of the applicant, when in fact, the SSN isn't even required to process a passport application (although the IRS can technically fine you $500 if you don't). Ever actually READ the back of the passport application? The relevant information is at the top of page 3 http://www.state.gov/documents/organization/14.pdf

Heck .. you can get a passport without any ID *at all* if you bring a family bible record of your birth and somebody that can vouch for your identity (see page 2 of the above application).

Oh .. and the funniest thing of all on the application .. bottom of page 4 :

  "The electronic chip must be read using specially formatted readers, which protects the data on the chip from unauthorized reading."

"specially formatted" .. meaning anything from this list? : http://rfidiot.org/index.html#Hardware

Regards,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] metasploit.com = 127.0.0.1
> .org is now being affected as well.

Not here ..

$ date
Wed Feb 11 10:17:01 EST 2009
$ host metasploit.org
metasploit.org has address 66.240.213.84
metasploit.org mail is handled by 20 slug.metasploit.com.
metasploit.org mail is handled by 1 bogus.metasploit.com.
metasploit.org mail is handled by 30 core.metasploit.com.
$ host metasploit.com
metasploit.com has address 66.240.213.81
metasploit.com mail is handled by 30 core.metasploit.com.
metasploit.com mail is handled by 20 slug.metasploit.com.
metasploit.com mail is handled by 1 bogus.metasploit.com.
Re: [Full-disclosure] metasploit.com = 127.0.0.1
> that's all fine and dandy. still can't reach port 80.

Again .. not here (AS32818 in Cleveland, OH) ..

~$ wget -O - http://www.metasploit.org
--10:52:43--  http://www.metasploit.org/
           => `-'
Resolving www.metasploit.org... 66.240.213.84
Connecting to www.metasploit.org|66.240.213.84|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8,157 (8.0K) [text/html]

 0% [                                        ] 0             --.--K/s
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>The Metasploit Project</title>
...
Re: [Full-disclosure] metasploit.com = 127.0.0.1
> that's all fine and dandy. still can't reach port 80.

Have you tried using OpenDNS, etc. to see if it resolves? eg:

host -t a www.metasploit.org 208.67.222.222

Perhaps your school/employer/ISP has decided that Metasploit is off-limits.

~Mike.
Re: [Full-disclosure] Hackery Channel 01-09-01-LOLZ: Cat Spoofing against Flow Control
> Have any of you guys heard of RFID?

Yeah .. wouldn't it make more sense to just build one that reads the AVID chip most pets have in them anyway?

Then again .. I think the point was to deny entry if kitty was bringing in a "prize".
Re: [Full-disclosure] US-CERT Current Activity - Malicious Code Circulating via Israel/Hamas Conflict Spam Messages
> Their PGP keys have expired =)

No, they haven't .. learn about ISO date formats : http://www.iso.org/iso/date_and_time_format

It's called "calendar date", and goes from largest element to smallest, eg: YYYY-MM-DD

Expires: 2009-10-01

That'd be the First day of October, 2009.

GPG uses ISO-format dates :

$ wget ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.9.tar.bz2
$ tar -jxvf gnupg-1.4.9.tar.bz2
$ more ./gnupg-1.4.9/doc/DETAILS

  All dates are displayed in the format yyyy-mm-dd unless you use the option --fixed-list-mode in which case they are displayed as seconds since Epoch.

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Solaris 10 Auditing
> I am looking for a free audit script / tool to audit host level security for Solaris 10 machines. Does any one know of any such scripts / tools around?

http://www.cisecurity.org/benchmarks.html

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
Re: [Full-disclosure] Sonicwall license servers down .. all customers affected
> https://licensemanager.sonicwall.com/newui/admin/admin.jsp
> that's hilarious - it MUST be a kind of honeypot :P

I think they threw up a new licensemanager server without reviewing the config .. it allows directory enumeration on a lot of pages (including the root).

This one is interesting : https://licensemanager.sonicwall.com/js/ClientValidationMethods.js

Seems remote debug is on as well : https://licensemanager.sonicwall.com/mf/fwregister_done.jsp

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
Re: [Full-disclosure] Bluetooth keyloggers?
> Just wondering if anyone has technical feedback/musings on the emerging bluetooth keyloggers available, such as the following products:

Yeah .. use a USB keyboard ;)

> * Remote discovery of these devices (active and passive) via bluetooth, localhost device discovery, any other means, etc.

Bluesniff can discover devices (including non-discoverable ones, if they're active) .. much like you can find wifi devices even if the SSID is hidden. Even though BT is encrypted, you can still see the frames at L2. They can also be found the same way one finds hidden 2.4ghz cameras .. using spectrum analyzers (I have an icom handheld that does this marginally well if you're close enough).

> * Countermeasures, any and all, including isolated jamming and, if feasible, control of data flow or injection of false data

Well, if you're willing to throw the Part B rules out the window .. any broadband noise generator tuned to the appropriate frequency will work. Most of the cheap-o Chinese jammers for Cellphone/GPS are just a simple VCO and amplifier .. easy to tune into the appropriate band. As for injection .. with the bluejacking tools you can force a re-pairing, and then bruteforce. Since the devices you link to are designed to be passive, I'd imagine they'd automatically re-pair (versus a phone, which would prompt the user to do something).

> * Real-world performance in light of interference (signal and obstacles)

Bluetooth dongle to my Samsung cellphone works ~20' in a typical office. Their statement about "a football field" is only true if you were actually in an open field.

> * Any other stuff -- honeypots, long-distance snarfage, creative applications, automation, etc.

;-) .. a 24db parabolic plus a bluetooth dongle modded for an external antenna can give you several hundred feet, easily.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
Re: [Full-disclosure] New round of SSH scan IP's
> Oh wow, that is amazing. Learn whois, contact the respective abuse handlers, let the rest of us be in peace. Better yet, show us your app and tell us your ip so we can laugh and most likely lock you out of

Net::Abuse::Utils
http://search.cpan.org/~mikegrb/Net-Abuse-Utils-0.09/lib/Net/Abuse/Utils.pm
Re: [Full-disclosure] Ford Motors IT Contact
> In response to them still being infected with sql slammer and it probing my networks regularly.

Let me guess .. it's 136.1.7.55 ?

Here's what I get (from ford) every time that IP pops up in our automated abuse report ..

--snip--
Our investigation into this matter has determined that the recent onset of attacks from this IP is the result of the IP being forged by an external party. External parties will commonly use IP addresses that belong to large organizations to mask network traffic.
--snip--

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Working exploit for Debian generated SSH Keys
> Generating real pseudo-random streams is a hard problem which is way more than what people can handle. Usually, PRNGs are composed of various periodic elements which, in the end, all combined produce a repeating stream of pseudo-random numbers. OpenSSL uses a modified MAC for this as a state machine and extracts some state bits as random stream on every access.

Smoke Detector + Webcam = cheapo RNG
http://inventgeek.com/Projects/alpharad/overview.aspx

I know some highly secure operations (eg: web casinos, using Geiger counters and background radiation) use a version of this for their RNGs, and random.org does it with RF (radios listening to static) .. do patches exist for OpenSSL to use hardware devices? (short of a hack to take something like the above and pipe it to /dev/random, etc).

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] clustering question
> just a simple question

Better suited for lists related to $cluster_software

> When I'm building a cluster, do I have to have all machines in the cluster be exactly the same capacity, configuration and brand? (cpu power, storage, network connectivity and memory)

No, but doing so makes configuration simpler .. though generally you can set a multiplier in the config that allows for dissimilar hardware. Have a look at Beowulf or OpenMOSIX.

Regards,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] round and round they go, keys in ram are ripe for picking...
> Countermeasures and their Limitations

FIPS 140-1 [http://www.itl.nist.gov/fipspubs/fip140-1.htm] addresses this.

[snip]

  *SECURITY LEVEL 4*

  In addition to the requirements for Security Levels 1, 2 and 3, the following requirements shall also apply to a multiple-chip embedded cryptographic module for Security Level 4.

  * The contents of the module shall be completely contained within a tamper detection envelope (e.g., a flexible mylar printed circuit with a serpentine geometric pattern of conductors or a wire-wound package or a non-flexible, brittle circuit) which will detect tampering by means such as drilling, milling, grinding or dissolving of the potting material or cover.

  * The module shall contain tamper response and zeroization circuitry. The circuitry shall continuously monitor the tamper detection envelope for tampering, and upon the detection of tampering, shall immediately zeroize all plaintext cryptographic keys and other unprotected critical security parameters (see Section 4.8.5). The circuitry shall be operational whenever plaintext cryptographic keys or other unprotected critical security parameters are contained within the cryptographic module.

  * The module shall either include environmental failure protection (EFP) features or undergo environmental failure testing (EFT) as specified in Section 4.5.4.

[snip]

Consider the IBM 4758 [http://www-03.ibm.com/security/cryptocards/pcicc/overproduct.shtml] as a good example of how it's implemented.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
Re: [Full-disclosure] Eee PC Security
> Has anyone had a go with/against the Asus Eee PC?

SANS did a write-up on this the other day : http://isc.sans.org/diary.html?storyid=3687 .. and they include the steps required to disable the offending services.

~Mike.
Re: [Full-disclosure] Wiretapping
> He states that the CSI/FBI surveys suggest that wiretapping is rare. Should companies still be concerned with Wiretapping?

I'd argue that the vast majority of wiretapping isn't done officially by the Government. There's more money to be made in stealing your company secrets or mis-using your resources than trying to put you in jail.
Re: [Full-disclosure] Google Sacure (A. Jodoin)
> WTF is cross-site shipping ???

A way to implement RFC 1149.
Re: [Full-disclosure] DHS need to get on top of this right now
> I'm sorry everyone I was just trying to highlight a valid point, I didn't expect a flame war to erupt.

Then be more judicious in your use of Reply-All.

> The DHS need to ban ISP's from talking about infrastructure security in public places. It should be classified information don't you all think?

I doubt that the NANOG folk are posting public fiber route-maps, or anything similarly useful to a troublemaker. Heck .. most ISPs have a hard enough time finding their OWN fiber to mark it for a construction crew, much less accidentally telling somebody ELSE where it is.
Re: [Full-disclosure] What does everyone make of this
> http://www.abovetopsecret.com/forum/thread302187/pg1

Read the other posts on that site .. the conspiracy nuts over there have predicted the end of the world each month, every month going back for some time.

> If real, this is scary!!

Not as scary as people that think "I read it on the Internet, it *must* be true!".
Re: [Full-disclosure] Cracking the entire set of DES-based crypt(3) hashes. Interested ?
> JtR will only succeed if the password is based on frequently used characters. If it is truly random and 8 characters long, JtR will not be able to crack it.

Sure it will, it just takes adjustments to john.conf and a *lot* longer. djohn (distributed JtR) was written to address this : http://ktulu.com.ar/blog/software/djohn

> I am talking about cracking the *entire* set of DES-based crypt hashes.

The EFF built a gizmo (in 1998 no less) that could do it in 4.5 days on average : http://www.schneier.com/crypto-gram-9808.html

I'd bet a good VHDL programmer with the cash to cough up for top-notch Xilinx gear could do it cheaper and faster. Is this what you're planning on doing?

~Mike.
Re: [Full-disclosure] Certain Prior Notices Concerning the Unauthorized Distribution of HBO Television Programming
SafeNet goofs again .. they haven't mastered the concept of timezones.

Cheers,

Michael Holstein CISSP GCIA
Information Security Administrator
Cleveland State University

--snip--

May 31, 2007

[our address]

RE: Certain Prior Notices Concerning the Unauthorized Distribution of HBO Television Programming

Dear [me]

Please be advised that some of the "Notices of Claimed Infringement" previously sent by us regarding infringements of HBO programs identified on either the BitTorrent or eDonkey protocols and occurring during the period 04/02 to 04/28, inclusive, might have incorrect time stamps. Specifically, the offer to download referenced in the notice may have occurred four hours later than the time identified in the notice, which in some cases may also affect the referenced date.

As a result, out of an abundance of caution, we request that you disregard the notices that are described above, notwithstanding that we can and do confirm our prior information and belief that each such notice accurately identified an IP address owned by you that was utilized to offer a download of HBO television programming via BitTorrent or eDonkey.

We regret any inconvenience this error may have caused. Please direct any inquiries to Steve Rosenthal, Legal Department, Home Box Office, Inc., 1100 Avenue of the Americas, New York, NY 10036, 212-512-1780 (phone), 212-512-5854 (fax), email: [EMAIL PROTECTED]

Respectfully,

Mark Weaver
Enforcement Coordinator
SafeNet, Inc.
Re: [Full-disclosure] Enable secret 5 : Cisco Password
> Since it's an MD5 password, you would need quite a bit of processing power, maybe put the hash up on milw0rm?

Well, that depends on how long/complex the password is. Using djohn and several CPUs would increase efficiency substantially. I'd suggest checking against one of the many public rainbow tables first though.

Remember, with a hash, you need not figure out the actual password, just something that generates a collision.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
Re: [Full-disclosure] Enable secret 5 : Cisco Password
> Dork, show me a full set of a-zA-Z0-9{8} rainbow tables with salted md5 and I will show you a picture of me in a bathing suit.

My *point* was that a rainbow attack against it is a lot faster than a brute-force with JTR or similar. Might as well try the easier options first.

Of course, if the router is in hand it's even easier still to reboot it into ROMmon and reset the config register, but that's not what the OP asked.

~Mike.
Re: [Full-disclosure] Retrieving deleted sms/mms from Nokia phone (Symbian S60)
and what's more ..

Flash memory not being infinitely over-writable, file systems used on those devices (JFFS2 for example) actually encourage leaving data behind by ensuring recently unlinked logical blocks aren't re-used anytime soon (wear-leveling).

I know the original method proposed is non-destructive, but using a test clip it's possible to dump the contents of just about any flash device. Furthermore, given a significantly motivated adversary (and barring all but physical destruction of the chip die itself -- not just the package) one could also read the contents with a microscope -- even after several erasures(*).

(*) link : http://www.cl.cam.ac.uk/~sps32/DataRem_CHES2005.pdf

But if all you're trying to do is retrieve SMS messages, it'd be a lot easier to just subpoena the carrier .. they keep the contents forever (even if they say they don't .. I know for a fact they do because I personally saw one of the major US carriers .. [ahem.. Verizon] .. deliver boxes of sent/received text messages -- for hundreds of phones -- going back at least a year).

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

It's also possible to recover deleted photos from almost any flash card in almost any device (camera, mobile, etc) - it's the way general purpose file systems work. Requirement to delete information securely is enforced in devices certified to e.g. process US military secrets. In this case, device must follow DoD 5220-22-M recommendations and you can expect secure erase. In general purpose operation systems and devices, to delete information securely (wipe it) some additional actions/utilities are usually required.
Re: [Full-disclosure] Question Regarding Wireless Frames
You mean SSID not broadcast? Look for the client's network-specific probe request. Kismet (and others) do this automagically. Windows quite helpfully issues probe requests for *all* the networks it has past associations for.

You can also use aircrack-ng to force-deauth a client and just watch for them to reauth, since the mac-layer stuff isn't encrypted.

IMHO, the Atheros chipsets work best for this sort of stuff. Get the patches to allow raw frames from aircrack's website (aircrack-ng.org/patches). The only bummer is you can't change *your* mac with ifconfig like you can with other cards.

~Mike.

Code Breaker wrote:
> Hi All,
> Recently I came to know about a network where beacon frames were blocked. With the limited knowledge about this stuff I am wondering is there any other kind of frames from which we can identify the access point over a wireless network?
> Thanks for any help.
> --
> _code
Re: [Full-disclosure] Question Regarding Wireless Frames
> Sure you can. You have to do it on the primary wifi0 and not a vap (athx). Shut it first, then change it (ifconfig or tool such as macchanger), then bring it back up.

This apparently wasn't working in madwifi-ng : http://madwifi.org/wiki/UserDocs/ChangeMacAddress

but it was patched (apparently, it's been a while since I had to do a wireless pentest .. I've got an older version).. http://madwifi.org/ticket/323

Mea culpa.

~Mike.
Re: [Full-disclosure] WEEPING FOR WEP
> I use WEP at home, even though my house is far enough from the road to make it rather difficult for someone to jump on my network.

Really? Like how far? I've done point-to-multipoint (me with 24db parabolic, them with a standard omni) at 6 miles (granted, I was on the 12th floor of a building).

> Even if someone decided to hide in the woods at the edge of my yard with a laptop they're more likely to be eaten by a bear, sprayed by a skunk, or chewed alive by mosquitoes

2 Linksys boxes running OpenWRT and a decent battery (actually using WDS you could have a whole string of such devices) sort of negates the mosquito/bear/skunk problem if you're so far away that you can't be found with a reasonably high-gain antenna.

WEP is basically a screen door, and always has been.

~Mike.
Re: [Full-disclosure] WEEPING FOR WEP
> * Intent: This is a biggie. If someone trespassed on your private network through an open wireless access point, then proving digital trespassing can be very difficult. However, if the user must bypass your minimalist WEP security, then they clearly show intent to trespass.

Accessing it is different than listening to it. Assuming I don't do ARP replay or other L2 games because I'm impatient, I've never really trespassed since you were blasting your signal into a public area, and it's an unlicensed band. (IANAL .. anyone have a case law link for the above conjecture?)

> Consider WEP like a low fence around a swimming pool. Without the fence, you are in trouble if a neighborhood kid drowns in the pool. It's an attractive nuisance. However, with the fence, you should be covered if a kid climbs the fence and drowns. It's still bad, but you have a standing to refute blame since you put up a barrier, even if the barrier was minimal.

Depends .. can they convince the jury that your fence wasn't *really* tall enough? Remember .. here in the US, store owners get sued because a burglar falls through the roof during the course of a break-in.

Put another way, if I use a system known to be ineffective (a twist-tie on a gate lock, to use the above pool example) it could be plausibly argued that you in effect made no effort at all. Once someone writes a network widget that automates the (capture - crack - connect) process, it could probably be argued the same way for WEP (again .. IANAL).

~Mike.
Re: [Full-disclosure] flickr not truly private
> apologies if this is lame or already known.

What, you mean the part about stuff you post to the Internet not being private? Well .. *duh*.
Re: [Full-disclosure] Solaris telnet vulnerability - how many on your network?
> If you run Solaris, please check if you got telnet enabled NOW.

Simple test:

nmap -sV -oG - -p23 your.net/cidr | grep "Sun Solaris"

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
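As an added example (not part of the original post), a small Python parser for the grepable (-oG) output the one-liner above produces, flagging hosts whose version banner identifies a Sun Solaris telnetd on an open TCP/23; the scan output it runs on is constructed inline, not a real scan.

```python
"""Parse nmap grepable (-oG) output and report hosts exposing a Solaris telnetd.
Added example for the inventory check above; SAMPLE_OG is constructed, not a real scan."""
import re
from typing import Dict, List

# Constructed sample of `nmap -sV -oG - -p23 192.0.2.0/29` output (not a real scan).
SAMPLE_OG = """\
# Nmap 4.20 scan initiated as: nmap -sV -oG - -p23 192.0.2.0/29
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 23/open/tcp//telnet//Sun Solaris telnetd/
Host: 192.0.2.2 ()\tStatus: Up
Host: 192.0.2.2 ()\tPorts: 23/open/tcp//telnet//Linux telnetd/
Host: 192.0.2.3 ()\tStatus: Up
Host: 192.0.2.3 ()\tPorts: 23/closed/tcp//telnet///
Host: 192.0.2.4 ()\tStatus: Up
Host: 192.0.2.4 ()\tPorts: 23/filtered/tcp//telnet///
# Nmap done -- 8 IP addresses (4 hosts up) scanned
"""

# One -oG port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text: str) -> Dict[str, List[dict]]:
    """Return {ip: [port dicts]} from -oG output.

    -oG lines are tab-separated 'Key: value' fields. Only 'Ports:' lines carry
    service data; 'Status:' lines and '#' comment lines are skipped."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]          # 'Host: 192.0.2.1 ()' -> '192.0.2.1'
        if "Ports" not in fields:
            continue
        for m in PORT_RE.finditer(fields["Ports"]):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            hosts.setdefault(ip, []).append({
                "port": int(port), "state": state, "proto": proto,
                "service": service, "version": version})
    return hosts


def solaris_telnet_hosts(text: str) -> List[str]:
    """IPs with TCP/23 open whose -sV banner identifies Sun Solaris telnetd."""
    found = []
    for ip, ports in parse_grepable(text).items():
        for p in ports:
            if (p["port"] == 23 and p["state"] == "open" and p["proto"] == "tcp"
                    and "Sun Solaris" in p["version"]):
                found.append(ip)
    return sorted(found)


if __name__ == "__main__":
    # Run against the constructed sample; feed real -oG output via parse_grepable().
    for host in solaris_telnet_hosts(SAMPLE_OG):
        print(host)
```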
Re: [Full-disclosure] Anybody need an alibi
Kidnappers will just start lining their car trunks with copper mesh.

[EMAIL PROTECTED] wrote:
> Engineer: GPS Shoes Make People Findable
Re: [Full-disclosure] DVR (Digital Video Recorders) + hack?
I've DoS'd one with ICMP before using fragmentation attacks (a Nessus plugin actually did it). Only crashed the web interface .. the unit still recorded, but you couldn't get to it remotely. Required a power-cycle to fix. Vendor has since fixed it with new firmware.

If you're on the same L2 segment, do a MITM with ARP and stash a laptop. Then just wait for somebody to login.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
Re: [Full-disclosure] Call For Participants For A Research Study Of Hacker Culture
Wouldn't the best way to do this be to find a way to get friendly with the State's board of Probation & Parole? .. survey the folks that got caught so they can tell you about it. Folks that haven't gotten caught are obviously not all that bright if they chat it up about their misdeeds.

That said .. I've had some interesting discussions with the botnet kiddies by reverse-engineering their malware and lurking in the appropriate IRC channel (just do it from a separate dialup connection, lest you get DDOS'ed). Usually the "why" question is answered with a variation of "because I could", "boredom", or both.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

PS: I hate to be the one to point this out, but nothing will protect your confidential research from a subpoena.
Re: [Full-disclosure] Financial firms warned of Qaeda cyber attack
> Reportedly DHS confirmed an alert had been distributed but said there was no reason to believe the threat was credible.

And since when is DHS credible itself? And why do people scatter every time their terrorism mood ring changes color? I guess they don't realize that servers overheat when wrapped with plastic and duct tape.

~Mike.
Re: [Full-disclosure] Nmap Online
> ...I wonder if someone probably didn't like all the portscans they got from it (thinks of Microsoft) and took it out?
>
> David.

Heck .. how to portscan Microsoft has been in the Nmap man page for ages (even in the help you get when you execute it without arguments) .. although it's not in the latest version (it was the -P0 option). It still has Microsoft as an example in usage though:

Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254

~Mike.
Re: [Full-disclosure] 802.1X tool?
Okay .. wait, maybe I didn't understand your question.

Windows XP (post SP1) can natively do 802.1x on both wired and wireless connections. Windows 2000 can do it if you get this: http://support.microsoft.com/kb/313664

You can push the 802.1x details out via GPO: http://technet2.microsoft.com/WindowsServer/en/Library/5506eeef-9e91-4cab-8e1e-3efb504d1b471033.mspx

The wired instructions are similar.

If you're not in a domain model (ie: you're talking about a college resnet, etc) you're out of luck on the GPOs, but you can do it other ways (package your own script, .reg file, etc .. but telling people to click OK on a .reg file is a *bad* thing to do...)

It gets a bit trickier if you're using client-side certs, more so if you're not using a Microsoft CA to issue them, but certainly not impossible (eg: you've got to import the root and client certs manually, not to mention getting OpenSSL/whatever to cough up ones that MS understands) ...

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

Ozan Ozkara wrote:
> Hi folks,
>
> I am trying to find a tool which provides automatic client configuration for an 802.1X implementation in a Windows environment. I'm trying to implement 802.1x authentication for both wired and wireless connections. Is there any way to do a remote client configuration tool for the win32 environment? Will I be able to do that? I'd appreciate any real world experience on the subject.
>
> thanks
Re: [Full-disclosure] Sasser or other nasty worm needed
> Does anyone have a copy of Sasser or a similar worm that they would be willing to send or link me to? Please contact me off-list. I would be happy to verify my identity as a high school teacher off-list as I'm sure that is a concern for most anyone who has what I am looking for.

You're kidding, right? .. just take a fresh install of Win2K and hook it to the Internet. Go get coffee. Come back in ~15min. Boot to BartPE (or Knoppix, etc) and look for anything new in %systemroot%. You'll probably have more than one.

It'll be a binary though, probably packed/encrypted 3+ times (and that's annoying, but not impossible, to reverse-engineer). The source code for all the [SD|RX|AGO]bot variants is easily found on the web. Recompile in Visual Basic, pack with UPX (or whatever) and off you go. To prison that is...

Meanwhile .. a quick look at your email:

Received: from blueberry ( [69.3.80.94]) by mx.google.com with ESMTP id i20sm9690041wxd.2006.11.26.14.32.22; Sun, 26 Nov 2006 14:32:22 -0800 (PST)
From: kikazz [EMAIL PROTECTED]

suggests that you aren't a teacher at all ..

network:IP-Network-Block:69.3.80.88 - 69.3.80.95
network:Org-Name:Compu' Counts Consulting Inc.
network:Street-Address:6174 Darleon Place
network:City:ALEXANDRIA
network:State:VA
network:Postal-Code:22310

sigh .. another consultant that is trying to get other folks to do his dirty work...

Cheers,

Michael Holstein CISSP GCIA
Information Security Administrator
Cleveland State University
Re: [Full-disclosure] SSH brute force blocking tool
Why not save all that trouble and just use the --limit directive in iptables? (examples on the netfilter mailing-list).

~Mike.
Re: [Full-disclosure] SSH brute force blocking tool
> That specially crafted attempt would be a HUGE raping of TCP/IP. How do you suppose it would be possible for someone to insert 0wn3ed or any other variable outside of an IP address?

Remember the (in)famous quote "...that vulnerability is purely theoretical..."?

I think the point is you don't use $language to split a bunch of fields, and then pipe them back through /bin/sh without making sure they're not malicious. Doesn't matter that you can't think of a way to make them malicious .. somebody else will find one. It's safer to just assume it'll happen and always sanitize variables before you {do_stuff;} with them.

(my $0.02)

~Mike.
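The sanitization point above, as an added example that is not part of the original thread: failed-login counting over constructed sshd log lines, with the source address validated as a literal IP address and the block rule built as an argv list rather than a shell string. The `iptables` invocation is an assumption about the caller's firewall, and the third log line is constructed so that a naive "token after `from`" extractor returns attacker-chosen text.

```python
"""Count failed sshd logins per source and build a block action without ever
handing log-derived text to /bin/sh.  Added example for the thread above; the
log lines are constructed, not taken from a real host."""
import ipaddress
import re
from collections import Counter
from typing import List, Optional

# Constructed sample auth.log lines (not real). The third line's username was
# chosen so a naive field splitter picks up shell metacharacters instead of an IP.
SAMPLE_LOG = """\
Nov 26 14:32:22 host sshd[1234]: Failed password for root from 198.51.100.7 port 40122 ssh2
Nov 26 14:32:25 host sshd[1234]: Failed password for root from 198.51.100.7 port 40123 ssh2
Nov 26 14:32:30 host sshd[1235]: Failed password for invalid user from 0wn3ed; echo pwned from 198.51.100.7 port 40124 ssh2
Nov 26 14:33:01 host sshd[1236]: Failed password for admin from 203.0.113.9 port 5555 ssh2
Nov 26 14:33:05 host sshd[1237]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
"""

# Anchored at end of line: the source is whatever precedes ' port N ssh2', which is
# unambiguous even when the (attacker-chosen) username itself contains ' from '.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")


def naive_source(line: str) -> Optional[str]:
    """The kind of extraction a quick blocking script does: take whatever follows
    the first ' from '. On the crafted line this returns attacker-controlled text,
    which is exactly what must never reach a shell."""
    parts = line.split(" from ")
    return parts[1].split(" port")[0] if len(parts) > 1 else None


def failed_login_source(line: str) -> Optional[str]:
    """Validated source address of a failed sshd login, or None.

    ipaddress.ip_address() accepts only a literal IPv4/IPv6 address, so hostnames
    (UseDNS yes), stray tokens and shell metacharacters are all rejected."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None


def offenders(log_text: str, threshold: int = 3) -> List[str]:
    """Sources with at least `threshold` failed logins, sorted."""
    counts = Counter(ip for ip in map(failed_login_source, log_text.splitlines()) if ip)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def block_command(ip: str) -> List[str]:
    """Block rule as an argv list for subprocess.run(cmd) with shell=False.

    The address is re-validated here so the function is safe to call on its own;
    the iptables rule itself is an assumption about the caller's firewall."""
    ip = str(ipaddress.ip_address(ip))  # raises ValueError on anything that is not an address
    return ["iptables", "-A", "INPUT", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG):
        print(" ".join(block_command(ip)))  # print only; run via subprocess.run(block_command(ip))
```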
Re: [Full-disclosure] Putty Proxy login/password disclosure....
> It's also loads of fun if the box in question is a server that's being monitored by Big Brother or similar. Kinda hard to erase the 'red' marker on the big screen in the NOC. Similar comments apply to machines that report to a central syslog server...
>
> 7b) unplug target network cable [thus avoiding the remote syslog issue]

With BigBrother you get 5 minutes (typically) before you create an alarm .. so, depending on what sort of Origami is required to get into the server, that may be possible.

The easiest thing to do though would be just flip the power on a whole rack (and maybe a few next to it) .. somebody will just figure a janitor tripped over something.

... or just hit the EPO on the way out of the datacenter. We had that happen *more than once* at a former site because people mistook it as the release for the maglocks (which it sort of still was, since those were on datacenter power).

~Mike.
Re: [Full-disclosure] RFID enabled e-passport skimming proof of concept code released (RFIDIOt)
That article focuses on Dutch passports, but in the US it's essentially the same.

> The Passport number

a 10 digit number (I don't know where they start, but it certainly wasn't 01).

> The Date Of Birth of the holder

about 32,000 possibilities (assuming 90yrs old)

> The Expiry Date of the Passport

Passports are valid for 10 years (for an adult in the US), and expiration is just MM/ .. so that's only 120 possibilities.

A very small dictionary for brute force indeed, and I'd be happy to code such a routine. Does anyone know if the chips in the latest passports (USA issue) prevent this sort of thing, or can you try keys as fast as the RF interface will permit?

Cheers,
Re: [Full-disclosure] RFID enabled e-passport skimming proof of concept code released (RFIDIOt)
> And easily optimized by starting with a guess at the person's age - are they 20, or 45, or 70? Take 5 years either side, and you're down to 3,650 or so guesses.

I was thinking more along the lines of hanging around just outside security or immigration with my long range antenna and laptop carefully concealed in my roll-on.

I'm sure it's only a matter of time before somebody exposes the embarrassment of this 'nifty technology' by publishing a list of everybody that visited the airport on a given day. Why dumpster-dive when you can sip coffee at the airport?

~Mike.
Re: [Full-disclosure] Ask for spam...
> Could anyone give me a spam archive, or send spam to [EMAIL PROTECTED]? Thanks.

Yeah, I've got gigabytes of it here sitting in the quarantine on my Mailfrontier boxes .. problem is, I can't think of an easy way to anonymize it and screen for false-positives that may contain sensitive information. I'd guess that most anyone else is in the same boat.

Trust me .. those newsletter and freebie offers (regardless of whether they're truly unsolicited) are definitely SPAM when you look at them. Who in *real life* actually asks for information about online gambling, pharmacies, etc. and supplies an email address?

Cheers,

~Mike.
Re: [Full-disclosure] Ask for spam...
Here's what I did when researching the same thing ... Google "free stuff". Find a page with thousands of free offers. Fill one out and check *every* box. Reply to whatever confirm emails come in.

I did a few of those thousand-freebie things to various bogus email addresses in a fake subdomain and was getting thousands per day (and it wasn't long until the DHA attacks started on that newly created subdomain either -- configure your first-touch MTA to blindly accept anything as valid if you're curious, just be careful not to relay it).

The nice thing about doing the subdomain trick is you can just delete the subdomain when you're done and not waste your bandwidth (and disk space) dealing with test SPAM.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
Re: [Full-disclosure] New Laptop Polices
> OK, so you pull the hard drive - where do you *put* it? Remember, if it's packaged to be removable, it's going to look a lot like an MP3 player or some other thing-with-a-battery, and you end up having to check it.

Being as the original email came from an exec at Universal Music, I think the intent is to require airlines to 'rm -r *.mp3' you before boarding with any electronic device ;)
Re: [Full-disclosure] New Laptop Polices
Well, how about this: build a PXE-type CD/DVD with all your business applications (you could automate a nightly build to keep antivirus, patches, etc. current). Do folder redirection or similar to mount all user-specific bits from a USB thumb drive (itself an encrypted volume). Then your traveling salesman needs only the DVD and thumbdrive -- neither of which contain batteries.

You could go one better and write a wrapper around the bootloader so that the contents of the CD/DVD (the O/S part, where you might have a corporate VPN client or something) are encrypted as well [in Linux this would be easy .. in Windows I'm not so sure?]

Personally, I'm worried about what happens when some wacky terrorist gets caught with a stick of Semtex in his keister...

/mike.

Peter Dawson wrote:
> We have done some storming on this issue. The issue is basically forked in terms of 1) Airline security 2) Data Security
Re: [Full-disclosure] anoNet: Cooperative Chaos
http://www.anonet.org

Forbidden
You don't have permission to access /index.html on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/1.3.36 Server at www.anonet.org Port 80
Re: [Full-disclosure] FBI Says Data on VA Laptop Not Accessed
> The FBI, in a statement from its Baltimore field office, said a preliminary review of the equipment by its computer forensic teams has determined that the data base remains intact and has not been accessed since it was stolen. More tests were planned, however.

Didn't the original wanted notice for this hardware specifically mention an external (USB) drive?

Gee .. 'mount -t ntfs -o ro /dev/sda1 /mnt/goodies'

How are their forensic people going to determine if *that* happened?

Their argument about "a real crook wouldn't return the hardware" .. well, why not? .. $50,000 to buy that fancy ID printer off eBay to get yourself started.

/mike.
Re: [Full-disclosure] RFID Attack theory
> So most of the research has been done here already.. Which brings me to the work done by http://www.rfidvirus.org
>
> They have some really good ideas about attacking the middleware using SQL injections, SSL includes, and buffer overflows on the reader to middleware interface. Some really good stuff.

As small as the actual chips are, imagine how much fun you could have if you scattered handfuls of malicious chips around your favorite high-security place (airport, office, whatever...). You could render these high-tech authentication schemes completely useless .. just like the military does with their carbon-fiber bombs designed to defeat electrical gear.

/mike.
Re: [Full-disclosure] New member asking question...
> I have been reading the posts over the past few weeks, and am wondering how the heck you guys discover these vulnerabilities. Granted, I am still very new to the IS world, but I cannot begin to understand how you discover weaknesses. After reading these posts, the explanation always makes sense, but are you guys actively seeking weaknesses, or just happen to come across them?

Learn how things are *supposed* to work (for example, write your own webserver in C), then intentionally throw broken requests at it. Eventually you'll find a result you *didn't* expect, and that's what you should investigate. Knowing *what* is broken is never as important as *why*.

As mentioned by another, learning to dream in C, and understanding asm go a *long* way.

Oh .. and one more note .. practice on your own stuff. It's easy to get arrested in the process of learning if you're not careful. When you get good at it, play nice and adhere to the rules of responsible disclosure (search the archives for lengthy threads on this separate issue).

/mike.
Re: [Full-disclosure] Sniffing on 1GBps
Sure, it's possible .. but (possible != cheap).

A cheap way to go is to use an Intel card, and enable device polling for it in the kernel (*BSD), or use PF_RING (Linux). A lot of other factors will come into play, depending on the link utilization (sustained line-rate capture at 1Gbps is much harder than 1Gbps bursts). While 33MHz 32-bit PCI will get you close, you should get something that's 66MHz or PCI-X, etc. You should also try to get the ethernet card on its own PCI bus if possible (eg: don't put it next to the RAID card). You will also need a fairly fast disk array to offload the capture at line rate, and you should have lots of physical memory.

If you've got deep pockets, get a dedicated capture card like the DAG units from Endace (there are a half-dozen folks that make similar models) .. these let you put BPF expressions on the card itself, and offload a lot of the capture CPU overhead onto dedicated processors.

Also .. if you've got fiber as your PHY and you're using passive taps, you'll actually need 2 cards (using receive on each card for one half of the link), and combine the two in the kernel using something like netgraph (again, *BSD).

When doing gigabit (or faster) capture at wire-speed, a lot of other factors like PCI bandwidth, disk bandwidth, interrupts, etc. come into play.

Good luck.

Michael Holstein CISSP GCIA
Cleveland State University

crazy frog crazy frog wrote:
> Hi List,
>
> I'm just wondering if it is possible to capture the data from a high-speed NIC card? If it is possible, then what kind of precautions do we have to take so that we do not miss the data?
>
> thanks for any help.
>
> ---
> CF
Re: [Full-disclosure] tcpdump logfile viewer
> Are there any viewers for tcpdump log files ?
>
> 1) a) On Linux

tcpdump -r /some/file

> b) on Windows

tcpdump -r /some/file

> c) as an HTML server

Not offhand, but it'd be trivial to write a CGI to do this. An easy cheat would be to write a snort rule to log everything, run the packets through snort with -r, log them to mysql, and use ACID to look at them. This will be one-packet-per-page, though. Probably better to wrap tethereal with a CGI script or some-such though.

> 2) a) text dump file

tcpdump -Xr /some/file

> b) binary dump file

hexedit /some/file

As someone already pointed out, if you want a nice GUI to look at them (and do advanced protocol decodes) use Ethereal (or tethereal for text output). Note that the display expressions in [t|e]thereal are different than the BPF expressions used to capture.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
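As an added example (not part of the original post), a minimal reader for the tcpdump/libpcap capture file format discussed above, which is the first thing any home-grown viewer or CGI wrapper has to get right; it handles both byte orders and the nanosecond magic, refuses truncated records instead of silently dropping them, and summarizes Ethernet/IPv4 frames. The capture it parses is constructed in code, not a real trace.

```python
"""Minimal tcpdump/libpcap file reader with an Ethernet/IPv4 summary per record.
Added example for the thread above; the capture bytes are constructed, not a real trace."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic tcpdump magic, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-timestamp variant
LINKTYPE_ETHERNET = 1


@dataclass
class Record:
    ts: float        # seconds since the epoch, fraction from the usec/nsec field
    incl_len: int    # bytes captured (<= snaplen)
    orig_len: int    # bytes on the wire
    data: bytes


def _detect_endian(magic_bytes: bytes) -> Tuple[str, int]:
    """Return (struct byte-order prefix, timestamp divisor) from the 4-byte magic.
    The magic is written in the capturing host's byte order, so try both."""
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", magic_bytes)[0]
        if magic == PCAP_MAGIC_USEC:
            return endian, 1_000_000
        if magic == PCAP_MAGIC_NSEC:
            return endian, 1_000_000_000
    raise ValueError("not a pcap file (bad magic)")


def read_pcap(blob: bytes) -> Tuple[int, List[Record]]:
    """Parse a whole pcap file held in memory; returns (linktype, records).
    A record that runs past the end of the file, or past snaplen, raises."""
    if len(blob) < 24:
        raise ValueError("short global header")
    endian, divisor = _detect_endian(blob[:4])
    # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    _, vmaj, vmin, _zone, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", blob[:24])
    if (vmaj, vmin) != (2, 4):
        raise ValueError(f"unsupported pcap version {vmaj}.{vmin}")
    records: List[Record] = []
    off = 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(blob):
            raise ValueError("truncated or oversized record")
        records.append(Record(ts_sec + ts_frac / divisor, incl_len, orig_len, blob[off:off + incl_len]))
        off += incl_len
    return linktype, records


def summarize_ipv4(frame: bytes) -> str:
    """'src -> dst proto=N' for an Ethernet frame carrying IPv4, else 'non-IPv4'."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800
        return "non-IPv4"
    proto = frame[23]                                    # IP header starts at offset 14
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return f"{src} -> {dst} proto={proto}"


def build_sample_capture() -> bytes:
    """Constructed two-record little-endian capture: one IPv4/TCP frame, one ARP frame."""
    def ipv4_frame(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
        eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0, src, dst)
        return eth + ip + payload
    f1 = ipv4_frame(bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]), 6, b"\x00" * 20)
    f2 = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28   # ARP
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate((f1, f2)):
        out += struct.pack("<IIII", 1164579142 + i, 500000, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    linktype, recs = read_pcap(build_sample_capture())
    for r in recs:
        print(f"{r.ts:.6f} len={r.incl_len} {summarize_ipv4(r.data)}")
```

For a real file, pass `open(path, "rb").read()` to `read_pcap()`; for a capture larger than memory the same record loop can be driven from incremental reads.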
Re: [Full-disclosure] notepad oddity
Confirmed on xpsp2, fully patched.

~Mike.

John Bond wrote:
> Could someone tell me why/how this happens.
>
> 1. Open up Notepad
> 2. Type in this sentence exactly (without quotes): "this app can break"
> 3. Save the file to your hard drive.
> 4. Close Notepad
> 5. Open the saved file by double clicking it.
>
> Instead of seeing your sentence, you should see a series of squares.
>
> ref: http://www.wincustomize.com/Articles.aspx?AID=117870
Re: [Full-disclosure] SSL VPNs and security
> Set up a wildcard record, *.webvpn.example.org, pointing to the device. The device then maps all internal domain names or IP addresses to a unique hostname, such as: internalhost.webvpn.example.org, or 192-168-0-1.webvpn.example.org, etc.

This has the side effect of making procurement of the SSL certificates *very* expensive.

/mike.
Re: [Full-disclosure] SSL VPNs and security
> SSL certificates are free. You just have to have enough knowledge to distribute your own CA certificate. For a VPN appliance, this should not be a problem at all, since only your trusted users should be accessing it. Even if you aren't competent enough to figure out how to distribute your own CA certificate, I believe there are such things as wildcard certificates.

Great .. set up an SSL VPN, then tell your users it's okay to click "yes" on the untrusted certificate popup.

Sure, it's trivial to create self-signed certs (or run a CA), but distributing your cert (or the CA cert) to all but a handful of clients is a logistical nightmare. If you're going to be installing stuff, might as well make that an IKE/IPSEC client and do it the right way to begin with.

/mike.
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
> again, redirecting a tor user to a 403 requires you to sit and think up a workaround. perhaps you aren't able to come up with one or you don't want to take the time/effort. this means i've effectively deterred you from using tor to get to the website. now if you care about the website more than your privacy, you'd not use tor. if you cared about privacy more, you'd not visit the site. you've been deterred from visiting the site anonymously. which means it worked. how many people will spend more time in order to visit the site?

As an avid supporter of TOR (and previous operator of a multi-megabit exit node), I do this all the time. I'm going to be anonymous dammit, and I don't care what the other side thinks. The harder you try to keep us out, the harder we work to get around it.

This is a technical battle you'll never win, because there are more idealists that believe in privacy than there are un-clued admins (and LEO) that think otherwise.

/mike.
Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
> But remember your rights stop when the rights of others start. So, if a given admin wants people who use Tor to be blocked from his particular site, it is his right. I might not agree with it, but I'll defend his right to do so. After all, it is his site. If he was to do that (and makes a clear statement that he is doing so), he will be losing users perhaps, but it is his call.
>
>> As long as I'm not breaking into anything, there's nothing wrong/illegal with using anonymity tools to access a public website. If you put something on the public internet for all to see, you can't complain about people trying to avoid your attempts to surveil them.
>
> What rights do you have over other people's networks and sites? What rights do you have to circumvent the decisions they made? If you don't like the way they are doing things, go somewhere else. No one is forcing you to stop using Tor or being anonymous.

Public Internet is just that .. Public. If I can't access said site with method #1, I can use method #2. If the site says "you're using TOR, go away", I can use $random_proxy in $random_country and accomplish the same thing.

If you want to make your website private, don't put it on the Internet.

/mike.