Domain: sans.org
Stories and comments across the archive that link to sans.org.
Comments · 672
-
Re:Well, they're technically correct, of course...
The javascript for the virus described at http://isc.sans.org/diary.html?storyid=3063 is XORed with 0x7F. The code to decrypt it is even stored directly in the same file.
I've seen worse forms of security. There are some PHP scripts with blocks Base64 encoded so you can't remove the copyright notice.
-
Re:Ok, I took your advice, & here is what I fo
"Check the percentage of pwned IIS servers and the uptime of Apache on Linux" - by Technician (215283) on Wednesday June 20, @01:12AM (#19574975)
I tell you what, I will use the # of vulnerabilities found in BOTH webservers, because I could find it easily enough!
Bookmark this page;
http://isc.sans.org/ The SANS Internet Storm Center keeps track of data swarms caused by worms, bots, and other out of control threats. When they occur, pay attention to what machines are exploited. It's not always workstations on cable modems.
http://news.yahoo.com/s/ap/20070620/ap_on_go_ca_st_pe/dhs_computer_security
Care to guess the OS exploited?
Nice try.
IIS (first URL) shows fewer bugs/vulnerabilities than Apache (2nd URL) does (and less critical ones) & in fact, 10 TIMES FEWER!
They tested Apache version 2.0.x. The current versions are 2.2.x. I can declare Windows 98 full of unpatched problems... and be right.
IIS secure? Apache secure?
They both have exploits. The number of exploits is one thing. The number of exploited machines is another.
http://www.google.com/search?hl=en&q=IIS+exploits&btnG=Search
http://www.google.com/search?hl=en&q=Apache+exploits
To make you feel good, here is a current Linux exploit;
http://www.scanit.be/uploads/php-file-upload.pdf
And Windows exploits
http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html
http://isc.sans.org/diary.html?storyid=2994
http://isc.sans.org/diary.html?storyid=2985
http://isc.sans.org/diary.html?storyid=2979
http://isc.sans.org/diary.html?storyid=2976
A Safari exploit;
http://isc.sans.org/diary.html?storyid=2982 (It's on Windows, not Apple)
To be fair some Linux worms and exploits;
http://www.packetstormsecurity.org/unix-exploits/linux-exploits/
For workstations which visit the web, I avoid Windows. Just seeing the headlines is enough.
http://news.bbc.co.uk/2/hi/technology/6465833.stm
I know they were nice and didn't bother to mention the OS, but I think it's very likely the monoculture OS. If you have any data on the number of non-Windows bots in the herds, let me know. I'm looking for any data on the breakdown of OS on exploited bots.
Current June 2007 exploit list... http://www.packetstormsecurity.org/0706-exploits/
From the list.. 06072007-CVE-2007-2237.zip
Description:
Microsoft Windows GDI+ ICO file remote denial of service exploit.
comicsense-sql.txt
Description:
Comicsense suffers from a SQL injection vulnerability in index.php.
CVE-2007-2815.txt
Description:
Exploit that takes advantage of the Microsoft IIS5 NTLM and basic authentication bypass vulnerability. I wonder if this is one of the patched MS ones?
Many of the exploits are php / SQL exploits. I don't think MSSQL is immune.
Feel free to resear -
Because they can't actually
There have been dozens (at least, and excluding dupes) of stories covering systems that can lift the last ten layers of disk content off a drive.
Writing a one or zero to a hard drive leaves a pretty solid magnetic print. Magnetic media has a fair amount of memory, but that mostly comes into play with analog signals where there's a range rather than hard off or on. Given that hard drives have no built in way to recover data like you suggest, you would theoretically need to move the disks to a special reader in a clean room, ensure that the hard drive platters were compatible with your special reader, and then painstakingly go through bit by bit to recover the data. We're talking about an extremely long, still hypothetical process. It's one thing to develop technology that might be able to extract wiped bits - recovering gigabytes of data is another matter. Maybe the NSA has something worked out but it's not going to be brought into play for a matter like this. If the data is erased, it's gone.
I'm not sure I would trust a technologically-ignorant group to run a critical service.
Not to be too much of a jerk, but reading something on slashdot doesn't mean it's true or that you are technologically informed. Here's my instructor who stated that magnetic recovery is very unlikely. Can you show an equally reliable source that says that it is? -
Re:Firefox 1.5
Security researchers find security vulnerabilities in all browsers. Just two weeks ago Opera fixed an arbitrary code execution vulnerability. I suppose by your standards no browsers are ever really ready yet.
-
Re:Victim Statistics?
There are a shitload of sites that host malicious code to intentionally infect vulnerable browsers. Even regular sites are occasionally hacked to host malicious code. The most recent big name one I can think of is the Miami Dolphins football team website during the last Super Bowl. A few years back a number of sites that produce banner advertisements were hacked, which resulted in widespread malicious banners getting hosted on tons of otherwise secure sites. I don't know of any database of malicious websites, but http://isc.sans.org/ usually has a good daily handlers report that lists widespread nastiness and other new developments.
Link to info on the Dolphins hack:
http://www.infoworld.com/article/07/02/02/HNdolphinssiteshacked_1.html -
Weakness of DNS
I'd rather say that DNS is damned weak. It's probably the weakest point in the Internet infrastructure as a whole, and that's a lot to say. DNS was chosen by SANS Institute as one of the top 20 Internet vulnerabilities in 2006:
http://www.sans.org/top20/
Last time there was a major DNS failure? The DNS system relies on 13 servers. In 2002 nine of them went down due to a DDoS attack, the whole Internet was very slow or unreachable for an hour. This year in February almost three of the servers crashed due to another DDoS, which moved the Department of Defense to say that next time they will counterattack and even bomb the source of the DDoS, so guess if it was important.
By the way, remember that Paul Vixie's BIND is just one implementation and it's considered to be flawed by some wise people:
http://cr.yp.to/djbdns/blurb/unbind.html -
Commercial Security and Sysadmin training
(Disclaimer: I teach the following courses) SANS has two 6-day courses on Linux and Unix; Linux System Administration (track 408) and Securing Linux and Unix (track 506). Both are hands-on courses that require laptops. The first focuses on system administration, the second on hardening and security, with a small amount of overlap. --Bill
-
Re:IIS 6
The top 10 was in 2000 www.sans.org and covered BIND 8.
BIND 9 has a lot better record. BIND 9 was designed to die when a programming error was found rather than continuing to execute in a known bad state. Despite thousands of assertion checks there have only been a small number of externally triggerable DoS events against BIND 9 www.isc.org.
-
Re:more than a replacement
I'm talking more poor applet security than poor Java desktop security. Java 6 makes Java *applications* sizzle. But for applets...
1) Poor auto-update features for client-side JVM (People do not tend to update their Java client JVM)
2) A vulnerability in the JDK or Java plugin may move all your clients into the attackable surface
3) Older JVMs (in the past) could force the application to use an older vulnerable JVM if installed
4) Stuff like java.lang.Runtime().getRuntime().exec("cmd.exe")
5) 2006 hall of fame!
http://www.kb.cert.org/vuls/id/759996
http://www.securityfocus.com/bid/17981
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4396719
Interesting tidbit:
http://www.securityfocus.com/archive/1/434001
PS: Consider taking http://www.sans.org/ns2007/description.php?tid=447 -
Consider posting a checklist
It is great to give back to the community. I can help hook you up with the right folks if you want to write a "how to" or develop a checklist or cheat sheet for an open source tool. We post them for the community to use as they will on http://www.sans.org/score, just drop me a note.
-
EDU spoofs
How many of the EU registrations are clear attempts to catch typos looking for EDU domain traffic? Some are just typo squatters and some are looking for more
...
http://isc.sans.org/diary.html?storyid=1866 -
SANS DID find evidence of an ANI exploit
From isc.sans.org: UPDATE #2: That second javascript referred in the vbscript above didn't decode, it seems it's just not encoded right, but when decoding the string with a plain base64 routine, it does decode to what leads to an ANI exploit. You never know what a buggy script and a buggy browser do together.
-
Re:ANI Vuln Known Since December
There's a difference between a quick hack and a properly-written and -tested patch. Obviously. That is why I said "four months". MS has known about this for four months and only seems to be giving it attention now that the community at large knows about it. MS has all the source to Windows and still has taken over three months to release a patch. Sure, the community patches are not as well tested as something MS can put out. It's MS's lack of any sort of urgency that is the problem.
How many more vuln's are out there that MS knows about? There are quite a few that are publicly known. What about those that have been privately reported to MS? Are we just supposed to sit by and hope MS releases patches for them? It seems that MS doesn't take a threat seriously until there is publicity surrounding it. Then, there is MS swooping in from above like a hero. How nice of them to release a patch out-of-cycle. Perhaps they could have realized the threat this vuln posed and released a patch before exploit code was all over the net.
I just can't wait to see the headline, "MS Releases Patch in 5 days for critical hole." When in fact, it should read, "MS Finally Patches Critical Hole Over Three Months After It Was Reported." -
Re:IE loads animated cursors via CSS
SANS says they've received reports of the "vulnerability being exploited in the wild using files renamed to jpeg". So, yeah, I think you're right (proxy won't help, unless you're going to block jpegs too).
-
benefits of windows
> and be used by it.
see:
http://isc.sans.org/index.html
Gozi trojan anyone. -
Issues so far
According to the SANS Incident Handler's Diary, various issues have been reported in Cisco VOIP phones, Blackberrys, Veritas aka Symantec BackupExec, and Watchguard firewalls.
-
Admitting it now
I can confirm that they were down, but it looks like they might be coming back up. Some of my hosts are responding now.
For a bit, the GoDaddy support site mentions "technical difficulty". Godaddy.com
The Internet Storm Center has notes, too: SANS Internet Storm Center
-
Re:Free software to the rescue?
No, that's not correct. login(1) is just fine; telnetd fails to correctly validate user input, passing arguments to login that it should not.
Another slashdotter spouting off with no clue. Hint - know what you are talking about before telling anyone they are wrong. What you said is a typical knee-jerk reaction, probably from someone that thinks they know a lot about security. Look here - http://isc.sans.org/diary.html?storyid=2220 . Did you even bother to do a "man login" to see what parms it takes? You expect login to not check for such things?
If you were getting bugtraq notices you would know that telnet worked EXACTLY as designed. The -f option was added to login in Solaris and that is why the bug is only in the later versions Solaris - 10 and 11. The parameter also gets passed to login in the previous versions, however since it didn't support it nothing bad happened. It asked you for a username, then password. In the vulnerable version, it isn't up to telnet to ask for a password, login does that. This is also not the same bug that showed up in AIX.
Before telling me I'm wrong again, tell SUN they are wrong because that is what they said and they are the ones that fixed it. Of course if you are smart you would see that there is another way to attack the machine.
Oh and sorry to attack you like that... however your handle is "The Man" and it isn't often I get to tell "The Man" off like that.
-
Re:restricting windows on VMWare?
The OP that you quoted made absolutely no reference to VMware - just to VMs in general.
True. But we were discussing whether it was technically possible to detect if you were running inside a virtual machine. There's no reason why we wouldn't discuss the most popular virtualization technology currently in use, aka, VMWare.
As the other guy said, you made a poor choice in picking VMware to demonstrate that virtualization is always detectable because it does not even try to hide - other virtualization systems DO make the effort to hide -- see the Blue Pill anti-DRM virtualization system for one example.
Really? That's not what he said at all. He said "VMWare doesn't make any attempt at hiding the fact that you're running in a virtual machine. Where did you get the idea that it did?" Quite a bit of difference there. But the truth is, VMWare isn't the only virtualization tool that is detectable from within the VM. Try reading the article that I referenced earlier from the ISC/SANS Institute: here.
And yes, you can point out some niche anti-DRM tool that lets you do limited virtualization, but good luck running the operating systems for your entire production environment on them...oh wait, you can't. Which pretty much makes them irrelevant in this conversation. -
Disable the dce/rpc preprocessor
You shouldn't have the DCE/RPC preprocessor running; you shouldn't be exposing RPC to the internet anyway. FC6 default install of 2.1.1.2 has it disabled in snort.conf.
There are some instances where this should be running such as internal traffic monitoring, but I don't see how this can hit people from the internet with fragmented RPC traffic unless they're allowing it at the firewall.
Also, don't run any network service as root. FC6 install of snort does run as root by default, kinda lame.
-u username -g groupname arguments in the init script when starting the daemon will make it run as username:groupname credentials. nobody:nogroup maybe. Consider also a chroot jail.
Old tips http://isc.sans.org/diary.html?date=2005-10-18 -
SANS
Also covering this one: SANS ICS
-
Re:title confusing, google has nothing to do with
Is anyone surprised that if one place was pinpointed as the source of the attack on any country's infrastructure it might be a target? I'm not. The net is more important than some buildings at this point.
I expect that their goal would be to take out whatever node is controlling the attack (ie the botnet owner's house).
The only thing I'm surprised by is the expectation that any attack would be from one place... I'd expect it to be distributed.
But I don't see how useful that is, since modern botnets have a distributed command and control structure. They no longer need to be run from an IRC channel.
And even if they nuked whoever is running the botnet, the botnet's attack won't stop until they figure out how to break the encryption* & issue a shut down command.
* http://lists.sans.org/pipermail/unisog/2006-April/026261.html -
Re:In other words
Javascript vulnerabilities still exist for unix browsers. Javascript in general is incredibly dangerous. "Let's let anyone's website whom I surf to execute arbitrary code in my browser." This is insane, and even the ISC (Linux Fanboy Researchers) is recommending noscript: http://isc.sans.org/diary.html?n&storyid=1999 I live dangerously and leave Javascript on myself. Do as I say, not as I do!
-
How many exploits?
Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine.
Well, take a look at the SANS Top-20 Internet Security Attack Targets and count how many times you see the word 'Microsoft' versus the number of times you see 'Apple' or 'OSX'.
Hmmm...
-
Re:Mistaken???
It's interesting that, to me, SANS is starting to look like a spammer. I joined their mailing list several years ago. Now, my work role has changed to the point where I no longer need to be on their mailing list. I use the "portal" link at the bottom of their email to try to unsubscribe, but as many times as I try to remove myself, it doesn't work. I've emailed their "help" addresses several times, trying to be taken off the list, and haven't gotten any response. So I just get in the habit of deleting that email whenever it shows up, but it's feeling a lot like spam at this point. How ironic that SANS is breaking rule #1.
-
Re:Security solutions
When it's not being exploited
-
Re:Think different; Just Say No to Apple
The anonymous coward understood. Any network service used by (not just provided by) a computer can present a risk. Wander over to http://www.sans.org/top20/#m1 and have a snoop.
-
Re:Do you need to upgrade?
> By CHOICE, I'm still running one Windows 2000 box just to run a few applications.
http://isc.sans.org/diary.php?storyid=1990
Update: It has been brought to our attention that Microsoft Windows Defender is no longer installable or supported for Windows 2000. Microsoft states that W2K is out of lifecycle and is no longer supported. So those of you running Windows Defender on Windows 2000, you will need to look for another program. -
Re:The real problem with cell phones...
http://www.wi-fiplanet.com/tutorials/article.php/3484186
http://www.sans.org/rr/whitepapers/vpns/1459.php
couple of interesting references for setting up vpn access to your network -
Re:Some thoughts and considerations
Nice troll. Even got me to respond.
;-)
I, for one, have grown quite tired of Apple and the MacFanBoi's claims that OS X is perfectly secure.
1. Apple does not claim, and never has claimed, that Mac OS X is "perfectly secure" or anything near "perfectly secure".
2. No reasonable person makes that claim. If some jackass wants to say that Mac OS X is invulnerable, they're exactly that. A jackass.
It's even prevalent on the securityfocus list dedicated to Apple products, where every security concern, malware or exploit is somehow poo-poo'd into not existing. (Reference: Apple dmg and safe files problems; reference: wireless driver exploits; ad nauseam.)
What's prevalent? If you're talking about the focus-apple list, we've already collectively decided that Safari's "safe files" feature should be disabled by default at a minimum, and preferably discontinued altogether. As to the wireless driver exploit, which is fixed, neither Johnny Cache, David Maynor, nor SecureWorks has, to this day, provided Apple with ANY useful or verifiable information that the vulnerability even existed. Remember, they were presenting themselves as professional security researchers with a "responsible disclosure policy", even hiding the brand of the 3rd party wireless card they used, to this day (we have since discovered it was the Raytheon RayLink chipset). Krebs totally sensationalized it, as is typical for him. Further, this vulnerability was a general 802.11 vulnerability, which affected far more chipsets than the ones Apple uses, and far more operating systems, including Windows and Linux. But Apple got ALL the bad press, alone, for a vulnerability that is actually quite difficult to exploit in practice and, even then, requires that the attacker be within 802.11 range.
Care to explain to me how that's fair?
So you're a troll *and* a liar.
Also reference, for the second year running, OS X itself has made it to the SANS top20 vulnerabilities. http://www.sans.org/top20/?portal=ddc5dd3511b787e1a2d58aeb8338dfaa and http://www.sans.org/top20/2005/?portal=ddc5dd3511b787e1a2d58aeb8338dfaa
"Second year running." *Chuckle*.
Anyway, yeah, please do take a look at those lists. Since Mac OS X is by far the most used desktop operating system other than Windows, is it any surprise it would show up on the SANS list? Behind everything Windows-related, of course.
I'm really hoping that the month of Apple bugs shuts up Apple,
Well, since Apple doesn't claim that Mac OS X is anything you've claimed they do, and in fact doesn't even comment on security issues before they are patched, it probably won't be too hard to "shut up" Apple, since they'll be almost completely silent on this issue.
shuts up the MacFanBoi,
Unlikely.
and actually gets someone paying attention to the damn things
Macs can already be managed quite well in a corporate/enterprise setting with an IT staff anywhere remotely worth their salt.
-- at least as far as to kick them and their users out of the corporate environment.
It really irks you that people use Macs, doesn't it? And that the share is growing, especially in academic, research, and enterprise environments? Well, sorry bud, but that's going to continue, and for good reason: it's a manifestly more secure operating system, not just for reasons of marketshare, and people are sick of Windows and all of its problems.
And for non-managed systems, there is no question that Mac OS X is the better choice for the typical general purpose desktop user. Look how quickly a typical user gets a Windows system packed with spyware and how much malware, including self-propagating malware, and all manner of vulnerabilities, including ones exploitable from remote in Windows' stock configuration, that keep getting discover -
Re:Some thoughts and considerations
I, for one, have grown quite tired of Apple and the MacFanBoi's claims that OS X is perfectly secure. It's even prevalent on the securityfocus list dedicated to Apple products, where every security concern, malware or exploit is somehow poo-poo'd into not existing. (Reference: Apple dmg and safe files problems; reference: wireless driver exploits; ad nauseam.)
Also reference, for the second year running, OS X itself has made it to the SANS top20 vulnerabilities. http://www.sans.org/top20/?portal=ddc5dd3511b787e1a2d58aeb8338dfaa and http://www.sans.org/top20/2005/?portal=ddc5dd3511b787e1a2d58aeb8338dfaa
I'm really hoping that the month of Apple bugs shuts up Apple, shuts up the MacFanBoi, and actually gets someone paying attention to the damn things -- at least as far as to kick them and their users out of the corporate environment. -
Re:PHP reminds me of IIS4
...you mean the SANS, who have a site, powered by, er, php?
http://www.sans.org/index.php
And as to structurally similar to ASP? Put down the pipe...
ASP isn't even a language. First link from google:
http://www.webwizguide.info/asp/tutorials/what_is_asp.asp -
Re:SANS "recommends" the Offline Update tool?
"I'm searching for where SANS has recommended the Heise Security Offline update script and cannot seem to find this information anywhere on the SANS site. If I can find this evidence it would go a long way towards convincing my security group that my IT organization can use this to develope iso cds."
The SANS homepage changed shortly after the editors published this story. For the last few hours it's been the somewhat underwhelming account: "Microsoft Office 2004 (Mac OS X) update was an accident. (NEW)" ... and only that.
The links under 'Diary Archive' at the bottom right of the main page omit the Heise references. Odd. However a search for Heise does bring up two results at the bottom which both point to this: http://isc.sans.org/diary.php?date=2006-12-12&isc=584e460f1a298753d999481d6d2d81f8 ... which points to this: http://isc.sans.org/diary.php?storyid=1939 - hope it helps. -
Sans = SANS Internet Storm Center
The organization referred to as Sans in this article is the SANS Internet Storm Center found at http://isc.sans.org/ You can find the reference to Black Tuesday and more information on this update at http://isc.sans.org/diary.php?storyid=1928
-
Re:Interesting...
The Dragons are shown in real time on this map http://isc.sans.org/large_map.php
-
Re:Why wait? Get Snort today.
-
Re:More than just social security problems here...
Actually there are several methods of sniffing a switched network (ARP spoofing, MAC flooding, etc...). Read this article from SANS for more information. It's harder to sniff a switched network but still fairly easy, especially if you're buying a switch that just costs an extra .50 per port. -
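The two techniques named in the comment above each leave a detectable trace on the wire or in the switch: ARP spoofing makes one IP address get claimed by more than one MAC (and typically one attacker MAC claim several IPs), while MAC flooding makes a single switch port source far more distinct MACs than any real host would. The detector below is an added example, not code from the comment or from the SANS paper it refers to. The ARP replies and the port-to-MAC learning records are constructed sample data, and the flood threshold of 64 MACs per port is an assumption to be tuned per environment.

```python
"""Spot ARP spoofing and MAC flooding from ARP replies and switch CAM learning.

Added example. Inputs are constructed in-line; a real deployment would feed
arp_conflicts() from sniffed ARP replies (or periodic `arp -an` snapshots) and
mac_flood_ports() from the switch's MAC address table.
"""
from collections import defaultdict

# Constructed ARP replies seen by a host: (sender MAC, sender IP).
SAMPLE_ARP = [
    ("00:11:22:33:44:01", "192.168.1.1"),    # legitimate gateway
    ("00:11:22:33:44:02", "192.168.1.10"),   # legitimate host
    ("00:11:22:33:44:01", "192.168.1.1"),    # gateway again, normal
    ("DE:AD:BE:EF:00:99", "192.168.1.1"),    # attacker claiming the gateway IP
    ("de:ad:be:ef:00:99", "192.168.1.10"),   # same attacker claiming the host IP (MITM both sides)
]

# Flood threshold: assumed; a single access port normally learns a handful of MACs.
FLOOD_THRESHOLD = 64


def arp_conflicts(replies):
    """Return {ip: sorted MACs} for every IP that more than one MAC has claimed.

    MACs are lower-cased so an attacker cannot dodge the check with case tricks.
    """
    claims = defaultdict(set)
    for mac, ip in replies:
        claims[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def macs_claiming_multiple_ips(replies):
    """Return {mac: sorted IPs} for MACs that answer for more than one IP.

    A MITM attacker poisons both victims, so it shows up here; note that a
    router doing proxy ARP legitimately does the same, so whitelist those.
    """
    by_mac = defaultdict(set)
    for mac, ip in replies:
        by_mac[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def mac_flood_ports(learned, threshold=FLOOD_THRESHOLD):
    """Return {port: distinct MAC count} for ports that learned more than threshold MACs.

    `learned` is an iterable of (port, src_mac) records, as a switch's CAM table
    learns them. A flood tool generates random source MACs to exhaust the table.
    """
    per_port = defaultdict(set)
    for port, mac in learned:
        per_port[port].add(mac.lower())
    return {port: len(macs) for port, macs in per_port.items() if len(macs) > threshold}


def constructed_cam_records():
    """Constructed CAM learning records: two normal ports and one being flooded."""
    records = [("Gi0/1", "00:11:22:33:44:01"), ("Gi0/2", "00:11:22:33:44:02")]
    # Gi0/3 sources 200 distinct locally-administered MACs in a short window.
    records += [("Gi0/3", f"02:00:00:00:{i >> 8:02x}:{i & 0xFF:02x}") for i in range(200)]
    return records


if __name__ == "__main__":
    print("IPs claimed by several MACs:", arp_conflicts(SAMPLE_ARP))
    print("MACs answering for several IPs:", macs_claiming_multiple_ips(SAMPLE_ARP))
    print("Ports being MAC-flooded:", mac_flood_ports(constructed_cam_records()))
```

Both checks are cheap enough to run continuously; the ARP one is what tools like arpwatch do, and the CAM one is the logic behind port-security limits on managed switches, which is the actual fix on a switch that supports them.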
Re:three solutions
Well, just because you can't imagine option 4 happening doesn't mean that it doesn't (and Windows still "leads" the pack here by a country mile).
-
Re:In practice, there is
There are commercial tools that do this, and malware is starting to use the techniques to protect against antivirus dissection as well. See http://isc.sans.org/diary.php?storyid=1871&rss