Domain: digitaldefense.net
Stories and comments across the archive that link to digitaldefense.net.
Comments · 10
-
Re:I don't think many people too Gibson seriously.
[i]I would have assumed that computers in five years time would be using real-time EPS (that's embeddable PostScript, the initials standing for Encapsulated Post Script, for you young'uns, that's what we were all talking about then as being the future of vector formats)[/i]
And lest everyone forget, the PostScript language includes file operation commands (reading and writing). Which of course could be use for all sorts of nastiness by overwriting various important files (.login, .rhosts, authorized_keys, .Xsession, etc.) It wasn't even all that long ago that support for those commands was removed from ghostscript and it's decendants (xpdf, etc.). But last I checked, nobody has accused Adobe of trying to backdoor all of our computers.
Or a number of standard Unix terminal emulators which have had some pretty iffy functions added to them which can lead to system compromises: TERMINAL EMULATOR SECURITY ISSUES. Has anybody accused Rasterman (or whomever wrote Eterm) of trying to backdoor everybodies computer? Of course not.
What's my point? I don't know. Maybe that, as much fun as it is to kick around Microsoft for dangerous programming choices, they aren't the only ones to design systems and API's that have holes. In hindsight, both the PS and terminal issues I mentioned above are pretty obvious. I mean, slap your forehead obvious that you probably shouldn' do that. But they did. -
Re:This is why...
Be careful
:)
Netcat will happily output control characters to your terminal so you might be vulnerable to various terminal emulator bugs described in
http://www.digitaldefense.net/labs/papers/Termulat ion.txt -
Re:wait a second open sores fanboys
(1) I think the previous AC was referring to the Samba 2.x series exploit that Digital Defense unearthed back in 2003. See http://www.digitaldefense.net/labs/advisories/DDI
- 1013.txt.
Note that this is a remote root access by an anonymous user, as Samba is commonly deployed. It was indeed serious.
This vulnerability may have been the result of a vulnerability in Microsoft's SMB protocol itself, which also unpatched for about the same length of time. I can't recall at the moment, and I don't have backups of my notes from the time right at hand. It was a late night, I'm still sucking coffee, and feeling lazy.
(2) Strictly speaking, that would depend on your threat model, wouldn't it? That said, I would regard the vulnerability in CSRSS as typically being far more dangerous. -
Re:That's Irrevellant
"Ctrl-z would get pressed, and 'reset' would get typed."
How naive, by then it could already be to late. Consider DSA 697-1: http://www.debian.org/security/2005/dsa-697
It's quiet shocking to find those kind of bugs in ancient programs. More info can be found for eg on http://www.digitaldefense.net/labs/papers/Termulat ion.txt
BTW a simple way to get headers:
lynx -head -dump URL
or
the live http header plugin for Fire*
or
(t)ethereal/tcpdump (keep it up to date for the same reason as above) -
What makes this database "open source" ?
Calling something "open source" doesn't make it open or free (as in freedom). There are three issues of concern here.
First, the licensing terms Why didn't they license the OSVDB database under a free license, whether it be GPL, GFDL, or even the BSD license? If OSVDB and its sponsors (including primarily Digital Defense, Inc., a privately held computer security firm) retain complete ownership of the content, and nobody has the right to fork the database or create derivative works, I can't see why it's being spun as "open source".
Second, I was concerned when I read the OSVDB's statement of intent to comply with the DMCA. A non-free (read: non-forkable) database based in the United States might not be the best idea. One DMCA injunction could shut it down. Since, from my reading of the terms and conditions, nobody has the right to duplicate or fork this database, the work could not continue outside the US if a DMCA injunction shut it down.
Third, the issue of neutrality and bias. I don't believe that a non-free database sponsored by a private security consulting firm based in the United States will be able to remain neutral for long. Private companies are under no obligations to disclose their partnerships or agreements with vendors.
You know, there are non-trivial, free (GFDL) databases out there...the precedent exists for high quality, truly FREE content. I hope OSVDB considers licensing the content under the GFDL or BSD license.
-
Re:Microsoft, Apple, and...
Ermm... What happens if somethng like this pops out again?
Heaven for the script/warez kiddies is near! -
Re:Exploit code
yes, here it is: http://www.digitaldefense.net/labs/tools/trans2ro
o t.pl
enjoy! -
Exploit code
Could someone please post the expoit code that used to be here? It's the trans2root.pl script. Thx!
-
From A Different Perspective
My company provides Manged Network Security Monitoring and often times our clients will use an assessement as a chance to "test" our services. Afterwards they will also ask our opinion on how well the assessment was performed. Generally, I have found it's best to stay away from the Big 5 accounting firms (KPMG, E&Y,PWC, etc), Telcos, IBM, and other big businesses whose specialty isn't doing security assessments. These types of businesses tend to be way overpriced and provide a cookie cutter approach to security. At the same time watch out for the local "security consultant" who claims to be able to do everything in security as well as the local "hax0r" who has Nessus installed on his laptop (finally). Probably the worst assessments I have ever seen came from these types. (BTW, I am NOT bashing Nessus.)
In my opinion, your best bet is to go with a reputable company who only does security auditing and has a proven customer base (get and check references!!). In my opinion, these guys stand out as a group of people who know what they are doing, and do it well. -
IDS != firewall; it's like raising a childAlthough any incremental improvement in security is beneficial, true network security monitoring requires a real commitment of trained manpower, customized applications, and rational processes. Unless you're willing to devote all of your time, and the time of a motivated and quick-learning staff, don't bother with IDS. Network security monitoring is much more involved than firewall deployment or router ACL configuration, for example.
If you've only got the time, energy, inclination, or budget to do the job halfway, you'll get more productive results monitoring your firewall, router, and application logs.
If you really feel you want network security monitoring, but can't commit to it, I recommend a competent managed security services provider. Unfortunately, I'm not comfortable with any of the offerings besides that of my employer. Sure, it sounds like a shameless plug, but if other MSSPs care to explain how they do business, I'll have good words for them. Until then, I know my shop does good network security monitoring work. Of the few competitors whose operations I understand, none inspire confidence.
If you think I only rip on other MSSPs, I can heartily recommend Digital Defense for doing top-notch vulnerability assessments (but that's not IDS, unfortunately).
Helevius