Slashdot Mirror

And opening themselves up for privacy lawsuits. Hmmm... get an email from a parent concerned about health issue X you are experiencing (unbeknownst to your employer). Employer finds out and terminates employee or boss uses it for leverage for extra work/projects. According to Mark Rasch from SecurityFocus.com, it's not as clear cut as one might think. Varying laws in the USA from State to State make the issue even more challenging. From Mark: "In many states, the same law that prohibits the interception or recording of telephone calls also prohibits the interception or recording of electronic communications without the consent of all parties."(Reference: http://www.securityfocus.com/columnists/412).

Talk about a confusing issue. You require outright consent from employees AND the party your emailing. Period. No exceptions. Simply stating 'we monitor all emails' will not hold up in court - should it ever come to it - you need permission from that individual employee - or all employees and have a readily available record of their consent.

If what I'm reading is correct, its far easier to leave your emails alone, and then search if you have an issue with court permission, than it is to be actively reading emails.

Why would flashing even be allowed through remote management?

This is common on leased and subscription based stuff where you are not the owner even when you think you are.

This remote intentional bricking is not new. The only part new is spoofed sources for the updates and bricking by a third party instead of the owner.

Refrence.. Sure;

http://www.satisfied-mind.com/directv/news/articles/Hackers.htm
http://www.securityfocus.com/news/143 Remote bricking article from 2001

Nope, they've decided that the contents are a valid search to make sure you're not carrying in any information which could be used to cause havoc.

The definition of supposedly dangerous information is quite broad, too. Mark Rasch of SecurityFocus had this excellent column on the subject of laptop searches by Customs. He observes "The customs agents' job is to protect the nation from 'anything harmful,' to gather intelligence, prevent terrorism, and to enforce all of the laws, including child pornography and copyright laws. [emphasis mine]"

In fact the original case concerned someone who carried a computer with child pornography into the US.

If your laptop has a collection of movies or songs that you've "acquired" from various helpful people around the world, I'd make sure they were gone before crossing a US border as well.

Then, you have built-in kill switches used to fight satellite TV piracy, like the dreaded DirecTV Black Sunday killer packets that killed unauthorized access cards.

So this stuff has happened.

How many Counterfeit Cisco Routers have built in exploits or kill switches is another question...

This is similar to what good bacteria and viruses in our bodies are doing to the bad bacteria and viruses. If the good are winning we are well and alive but if the bad are winning are sick and dying.
However we need to learn the lesson from the Blue Security which they were counteract spam with their "unsubscribe" messages. Bad guys have alot up their sleeves so we need to be careful and have fall back plans before we go after these badbots.

http://www.securityfocus.com/news/11392
http://en.wikipedia.org/wiki/Blue_Frog

I think you're referring to the fix for Code Red 2 written by Sam Phillips. This article makes passing mention of it: http://www.securityfocus.com/infocus/1515

Google for http://www.dasbistro.com/default.ida and you'll see it referenced a few places.

Yeah it's very old news even before it made /. Check it out. http://www.securityfocus.com/news/11512 Posted 30.3.08 was done at CanSecWest

Try these http://www.securityfocus.com/bid/27246/exploit

> fairly trivial to make secure. ... do not allow anything to moved from the plug to the register

All I can say is, I hope you don't work in the computer security field.

How is the driver going to access the USB drive without transferring data from the plug? You do realize that the driver is going to need to read a lot of data about the state of the filesystem, right? System drivers, especially third-party ones, are well known to be weak points in the security of a lot of systems.

E.g., A Linux kernel vulnerability somewhat connected to this discussion.

The solution? CutePuppies.exe is not executable. End of discussion.

The solution? CutePuppies.exe is not executable. End of discussion.

He's trying to store a lifetime on his laptop. He's gone on to collect images of every Web page he's ever visited, television shows he's watched, recorded phone conversations, and images and audio from conference sessions, along with his e-mail and instant messages.

What a goldmine that might be for inquisitive Customs or FBI agents.

There is another vulnerability, a PoC has been published some months ago:

http://2wire-poc.blogspot.com/

http://www.securityfocus.com/bid/27516

Sasktel, as well as Telus units are affected - I just tested it on my 2700 and was able to set the new password without needing the old one. Feel free to try it on yours http://192.168.1.254/xslt?PAGE=H04_POST&PASSWORD=admin&PASSWORD_CONF=admin - this is the URL someone connected to your unsecured wireless network can enter to reset your router's password (IP may vary if modified, the one used is a default). Information taken from http://www.securityfocus.com/bid/27516/exploit

Vulnerable:
2Wire 2071 Gateway 5.29.51
2Wire 2071 Gateway 3.17.5
2Wire 2071 Gateway 3.7.1
2Wire 1800HW 5.29.51
2Wire 1800HW 3.17.5
2Wire 1800HW 3.7.1
2Wire 1701HG 5.29.51
2Wire 1701HG 3.17.5
2Wire 1701HG 3.7.1

They're not interested in your MMORPG, in fact it's unlikely a human would even be involved in the hack. They want your computer to be a part of a spam-sending bot farm.

I find your question pretty pointless, considering there's no way to know for sure on Linux either.

Oh dear.

Start here; http://www.securityfocus.com/infocus/1416

Once you've had a look at that, Google for Wireshark, Snort and SELinux. Some of these tools are available for Windows too.

There are some really good comments here, (checks, sees if it's /.)
After the jump - read the comments, starting here:
Further:

http://www.securityfocus.com/comments/articles/11372/33017/threaded#33017

http://slashdot.org/comments.pl?sid=453034&cid=22412440

I believe you were entirely within your rights to act as you did, Fyodor, but would be grateful if you'd take a moment to elaborate on why you chose your course of action.

From Securityfocus's account and your own it sounds like the FBI was trying to chase down a botnet that, as part of some process, downloaded Nmap 3.77. You emphasized that their requests were very narrowly crafted: a specific file requested via a specific user-agent within a specific five-minute window. It certainly didn't sound like a fishing expedition. If I had to guess, the requests were probably tied to the investigation of a specific criminal act or actor and they were trying to strengthen a case by establishing place-and-time.

My sleep-deprived analogy is this:

Meanwhile, you are the owner of Fyodor's Hardware, the busiest hardware store in three counties, and the tri-county area's only seller of Stihl chainsaws and accessories. You easily sell forty or fifty replacement chains a day.

So this morning the sheriff comes to you and asks if you sold or installed a 16" Stihl chain yesterday between 11:00 AM and 2:00 PM, and if so who did you sell it to. In fact, you sold ten, just like any other day.

Not a perfect analogy, I know, but seriously, what do you do? I mean, you could make him come back with a subpoena, but let's skip that step and get to the crux of the matter: You sold ten new 16" Stihl chains yesterday and it's the sheriff's opinion that one of them probably went to the chainsaw burglar. You, he and every defense attorney and Slashdotter all know there's always the chance the burglar got the chain somewhere else and that at least nine of your sales were to honest customers. If you tell the sheriff about all ten sales, to what extent (if any) have you violated the rights of all the non-criminal chain buyers? If on the other hand you refuse to cooperate, how do you justify the social cost of the continued burglaries against the rights of ordinary chain buyers?

I think it's an interesting dilemma. As I said, I certainly respect that you took a principled stand (or at least stayed slippery enough that you didn't have to), but not everything that law enforcement -- even the FBI -- does is a sinister conspiracy against civil liberties. Sometimes they really are just trying to catch a bad guy.

Add to this that AV is almost entirely reactive and usually based on a list of older exploits, and it's pointless to run it in the background all the time if you already have a firewall and keep up to date with your software. In fact running another program as a background process makes you vulnerable to other exploits in the AV itself, while failing to protect against new or unknown ones.

PS: Forgot http://www.securityfocus.com/bid/28285/info

CHESTER COPPERPOT:

Question:

"Is it possible to overload a power supply to the point of fire from a remote location? I've heard of black hats getting into the climate control systems of certain areas and loading up the heat and frying certain parts of computers, but a power supply?"

Answer:

"The trojan has controllers on the universal power supply."

http://www.securityfocus.com/comments/articles/11372/33500/threaded#33500

http://www.securityfocus.com/comments/articles/11372/34207/threaded#34207

CHESTER COPPERPOT:

Question:

"Is it possible to overload a power supply to the point of fire from a remote location? I've heard of black hats getting into the climate control systems of certain areas and loading up the heat and frying certain parts of computers, but a power supply?"

Answer:

"The trojan has controllers on the universal power supply."

http://www.securityfocus.com/comments/articles/11372/33500/threaded#33500

http://www.securityfocus.com/comments/articles/11372/34207/threaded#34207

Read article and comments:
Several people had the same hack as ours later in the thread - as difficult as it is to read the "crazy" ones, they are pretty accurate as well. Once you've been "there" everything else become somewhat trivial by comparison.

http://www.securityfocus.com/cgi-bin/index.cgi?c=articlecomments&op=display_comments&ArticleID=11372&expand_all=true&mode=threaded

You think about it, I'll wait:

http://www.securityfocus.com/comments/articles/11372/33500#33500

If you think you have a chance or a clue as to how mature this stuff is, reconsider. Also if they're asking "permission", it's too late.

Hi Mom !

Microsoft does hire bright minds. It's a pity what they do to them. And with them.

As for poorly trying to attack the NT platform for multi-tasking,...

The "NT platform" didn't invent multitasking. They cribbed it from the Mach kernel with the help of Dave Cutler. That's what they meant by "Unix underpinnings". Unfortunately, like a psychotic french chef, they'll adopt the best recipe for bouillabaisse but they don't like the flavor until they pee in it. The result was so hideously insecure it nearly broke the Internet - and that's saying something. The Internet was designed to survive nuclear war, but Code Red nearly broke it. I will concede that NT was the first useful Windows platform - but not that better alternatives didn't exist even then.

You evade the point that by the time NT came out in 1992, Unix had had multitasking for more than 20 years. Let's not forget your statement, shall we?:

assuming Windows users were like Mac users and were only capable of running one application at a time...

... As if .mac were the only alternative. Lovely. Say what you want about .mac and nobody cares. OS X is Unix. When Windows is a Unix, get back to me, k? Did you know OS X server has drag and drop clustering, and network imaging built right in? I didn't think so.

Disparage Apple's video playback all you want. I don't care for any DRM'd format so you're not going to bother me. I would bet a week's pay you couldn't decode a token string into a framebuffer using only the specification and C between now and the end of your pitiful existence, but I can and you miss the point: iTunes users care enough to avoid Vista, and that's the only thing saving this post from being off topic.

If you want to further try to argue the multi-tasking issue as a Windows Vista issue, go look up BeOS...

Cute. You're bringing up BeOS. You don't even do your homework well enough to check my slashdot user page where my favorite quote sits:

"I once preached peaceful coexistence with Windows. You may laugh at my expense -- I deserve it." Jean-Louis Gassée, former CEO, BeOS

And you have the gall to call me semi-retarded.

Then go look up a little fact that Vista is the only major consumer OS....

You know, if you narrow the scope of that statement any more it's going to disappear entirely. Who decides "major"? Who decides "consumer"? I'm asking because Shuttle has just announced a box that's going to clean your clock, the eee is sweeping the world, the olpc is selling in the millions of units and for years you have been able to buy a Linux PC at Wal-Mart, including the $200 PC I'm typing this on (but I got it from zareason and it works just fine, thanks, and no it's not my only one).

Then go look up a little fact that Vista is the only major consumer OS that uses realtime scheduling for multi-media, something OS X just can't do.

OK, let's talk about the Vista scheduler a little bit. You've got some insight into this you would like to share. It's completely fa

I have already faced this problem here in Georgia, and I was challenged on the STAND while testifying in a case I did the computer forensic work on. I have been doing forensics for almost 7 years, but here in Georgia they had initially passed the law and was only waiting for the governor to sign it or veto it. Well it took a lot of work to get it vetoed and everyone I know called into the governor. However, they have since fixed the wording that was the reason for the veto. There is a great chance it will pass in Georgia this year. There is a body of the PI's that are moving together on this issue in every state. Any state that this has not been submitted yet, they are planning to submit it. Michigan just submitted it and it has passed one of the bodies it needs to so far. Look out for this to change the world of forensics. The issue is that most of the laws are making it a criminal felony with penalty of jail time if you get caught or if you are called to the stand for evidence you did collect without a PI license. Since this happened, I have done everything I could to prevent this law from passing, but since then I have become a PI to protect myself and to have business. It will be coming for all of you.

This is the article about my adventure.
http://www.securityfocus.com/columnists/399

Scott Moulton
www.ForensicStrategy.com
Phone:770-926-5588

The worst part about this all is that there are usually just about as many vulnerabilities affecting Apple's platform as there are vulnerabilities affecting Microsoft's platform for any period of time. I invite you to review a few pages and look at the volume by date range.

One day someone will actually do diligence before proclaiming the "Macs are more secure" line of propaganda/conventional wisdom. Or then again, maybe not. Maybe we'll just have to wait for the first occasion where someone actually cares to mass-exploit one of these vulnerabilities and Mac users everywhere suddenly realize that their systems are infected, that they have infected their friends systems, that they have no anti-virus, and that they have to take their computers back to the Apple store for repairs.

The worst part about this all is that there are usually just about as many vulnerabilities affecting Apple's platform as there are vulnerabilities affecting Microsoft's platform for any period of time. I invite you to review a few pages and look at the volume by date range.

One day someone will actually do diligence before proclaiming the "Macs are more secure" line of propaganda/conventional wisdom. Or then again, maybe not. Maybe we'll just have to wait for the first occasion where someone actually cares to mass-exploit one of these vulnerabilities and Mac users everywhere suddenly realize that their systems are infected, that they have infected their friends systems, that they have no anti-virus, and that they have to take their computers back to the Apple store for repairs.

I don't know. I have done some work with schools and it has been the way the parent suggested with an additional draw back on costs. It has to be in the budget err, the budget has to have funds to cover it.

I would think that for the most part, the teachers do have some say in how things work in their classroom. Well, unless your a sub and complain about pornographic pop ups. But then you get 40 years to think about changing the system. Thank god(tm) someone has the ability to think straight.

Ah I picked a bad example although you have to admit that was a bit abusive of the spirit of copyright if not the letter.

Here is a study that suggests that as many as 1/3 of DMCA takedowns could readily be challenged in court on clear grounds.

Here is an outright abuse of the DMCA to silence discussion of a topic: DMCA Abused

Linux Kernel Random Number Generator Local DoS and Privilege Escalation Vulnerability: http://www.securityfocus.com/bid/25348 Vulnerable: Ubuntu Ubuntu Linux 7.04 sparc Ubuntu Ubuntu Linux 7.04 powerpc Ubuntu Ubuntu Linux 7.04 i386 Ubuntu Ubuntu Linux 7.04 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 Linux kernel 2.6.22 1 Linux kernel 2.6.22 Linux kernel 2.6.22 Linux kernel 2.6.21 4 Linux kernel 2.6.21 .7 Linux kernel 2.6.21 .6 Linux kernel 2.6.21 .2 Linux kernel 2.6.21 .1 Linux kernel 2.6.21 Linux kernel 2.6.21

Care to elaborate on this? I'm just sitting here looking at the source code for the Oracle listener, so maybe you can tell me which part of the listener will ensure that the database on a machine secured inside the network and not directly accessible from the outside can be accessed?

Here are 66 potential exploits for Oracle listeners, take your pick.

http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=oracle+listener&x=8&y=7

There's an interesting article on Security Focus covering this subject:

[...]
One could simply build a special device with a short range Bluetooth receiver that performs a scan for discoverable Bluetooth devices every minute, and then reports all discovered devices to the monitoring system. If more then one receiver is installed at various distances, the network of such devices (nodes) could record the device's position and additionally, the movement of a Bluetooth device -- all this without the device owner's knowledge. The non-discoverable device could be also reported if we know the MAC address and make a request to it every 1 minute and report any response.

Such system could have a number of interesting uses. For instance, if we carry a Bluetooth enabled handset (in discoverable mode) with us while shopping at the local supermarket, the supermarket owner could easily track our movements as we walk through the supermarket, record how long we spend in certain areas, and eventually create a map of our movements within the supermarket. Based on gathered data, it would be possible to analyze our shopping behavior as market research, and as result change positions of certain products or advertisements, or worse, sell the marketing data to research companies. RFID might seem to be more efficient in such a system, however this would require the supermarket to issue RFID tags to their customers, which most people would not accept. By using the Bluetooth technology on the phone they are already carrying, companies can avoid issuing special tracking cards or badged to customers yet still be able to track their movements.

BT positioning based on zones and is not necessary limited to an indoor environment or a small area. It can also be used for the surveillance of citizens within a city. The perfect example of such a system exists as the Loca project. It is an artistic project run in Helsinki which explores various aspects of Bluetooth surveillance and mobile media, and also raises public awareness of pervasive surveillance.
[...]

http://www.securityfocus.com/infocus/1836

So by placing the CD-ROM in a computer, it will automatically hack what ever OS the computer is running and auto install your software? Or are you implying that this company left server consoles logged in as an admin user?

I call major bullshit on this article. There's some real iffy stuff here as pointed out by other /.'ers as well. I get that it's all about social engineering, which is a huge problem. But some of their claims are a little too out there. Like saying they "could" have done this, or "could" have done that. Well you don't know that you really could until you try it. Most of our environments here have NO Internet access. It is entirely firewalled going out. Does your magic CD-ROM also auto-hack their firewalls too?
--

Before you call major BS, please consider the following... When people find thumb drives or CD ROM's, they often will check their content while logged into their own account. In a server room, this is often an admin or root account. Does it work? Take a look;

http://www.securityfocus.com/news/11397

This hack even works when the employees are warned in advance that they will be tested for security. Leaving a few CD's and thumb drives in a server room is a target rich environment for root access.

An admin checking out the item at his desk is a wonderful way to gain access without originally needing the admin password.
Does your magic CD-ROM also auto-hack their firewalls too?
In short, it has the root privileges of the administrator's account. How many administrators have auto-run disabled? They may know to not bring in outside media, but checking the contents of a misplaced internal CD might get past security checks.

Perhaps you and the GP should read TFA and become aware of some of the issues here.
Oh, and for the "it's the Register, pooh pooh" crowd, the original FA was frist psoted on Security Focus.

To say "you cannot establish a TCP or any other connection" is not true. There are plenty of things you can do without seeing responses coming back, and many types of spoofing attacks have been seen.

Well, for one, it's pretty hard to get your name, address and phone number from the details of your hardware and what software you have installed. There's just nothing linking back to you; even if it got your hard drive serial numbers, you'd still have to access to every hard drive manufacturer's sales database before it could be used to pinpoint which continent you're on.

However, the stuff you type in google tends to be far more intimate and personally revealing just by itself.

Of course, this is all moot given a good IP address and a willing ISP, but that's a different story (and nothing to be concerned about).

Wasn't "95% of email is spam" reported by the BBC back in 2006?

And Security Focus has a great article that shows how all of these numbers are totally made up.

Other security sites do call it a Vista issue. It looks like Vista is only OK if IE7 is running in protected mode.

And they can build voting machines that way too, if their customers ask for them. Again, that's a policy and procurement issue at the election board level.

And when the equipment vendor is the one telling election boards what their policies should be, how do you address all of the shrill people who scream that Diebold is running the elections?

Remote attackers may exploit these issues by enticing victims into opening maliciously crafted TIFF files.

An attacker can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.

I just calculated that an 8Mbps connection could download 100GB in a little more than a day. That sounds like an unbelievable amount to me since a) I never need to download that much, despite nearly constant bittorrent use and b) downloading that much would be impossible, or at the very least not a very nice thing to do to any server I have access to. Still, if people are getting booted off Comcast for downloading at the advertised top speed for only one day a month, I can understand why they're pissed. It would just never occur to me to place that heavy a demand on a consumer broadband connection.

That said, the Comcast technician in the article you linked said that people were being sent letters for anywhere from 100GB to 1 terabyte per month. Jesus! That is a lot to ask of a consumer broadband product. Still, if Comcast advertises their product at 8Mbps you ought to be able to use it for more than 1-10 continuous days without violating their terms of service, even if it seems ludicrous to me that very many people would expect to be able to do so. Ah well.

At any rate, the truly ludicrous thing is that they still offer only 784Kbps upload. That should be a tipoff that this isn't a business-class offering. But you shouldn't have to read between those lines. Agreed, they are wankers, but then I already thought they were wankers anyway.

This is just a Web site and of course it changes all the time, but I defy you to show me where Comcast advertises their service as "unlimited" without any clearly visible disclaimer.

I didn't say they do advertise their service as unlimited -- but they evidently used to:

http://www.securityfocus.com/news/7940

I wasn't aware that they'd stopped doing so until stories of Comcast cutting people off came up. What's more, the reaction from many people, whenever one of these stories makes the rounds, is invariably "I thought they advertised their service as unlimited!" It's pretty clear Comcast has carefully avoided dispelling the impression that they still provide an unlimited service--something that would be spoiled if they DID, in fact, publish a limit.

If Comcast really did want to provide perspective of their limits that are consistent with their high-bandwidth advertising, they wouldn't use "sending emails" as a reference.

Where $strlen is a placeholder for the function declared in stdio.h. Note that at this point the compiler has no idea at all if strlen() is going to be statically or dynamically linked, nor does it matter.

If you use static linking, ld looks at the object files specified on the command line and when it finds strlen in a symbol table, it replaces $strlen with the address of the function. If you use dynamic linking, then the dynamic linker looks at the .so's referenced by the binary, loads the dll if necessary, and replaces $strlen with the address of the function. The end result is exactly the same, the exact same sequence of instructions, and the exact same mapping of the object code into the app's virtual address space. The only difference is when it happens -- run time or compile time -- and this is by design.

In the context of native Win32 EXEs & DLLs your understanding is fundamentally flawed. This article from 1994 covers the details of the PE, which have not changed significantly for native Win32 executables. Section PE File Imports describes Win32 load-time dynamic linking; note especially figure 3, which illustrates that this is essentially a jump table mechanism. Section Differences Between PE and COFF OBJ Files is also worth a read. Win32 executables can also load DLLs using run-time dynamic linking via API functions such as LoadLibrary(). The latter approach to dynamic linking is useful for "plug-in" style implementations.

Static, i.e. build-time, linking is quite different. Section Static Libraries vs. Shared Libraries here, although brief, should make that clear.

- T

You ask:
"Who knows what the more sophisticated hackers are up to!"

Since this story is off the main page [and I can avoid the flame war] ... the link is to the comments - the story is also worthwhile.
From what I've gathered a handful of people were hit with this [myself included] - it's reeks of a test run, most everything in the comments is true, even the crazy ass sounding stuff has some merit.
X-platform, anything, my colleagues and I know it's a hardware based attack.
Truly, a wonder to see operating - it even mocks you when you think you're making "headway".
Good luck and check your boot blocks.

http://www.securityfocus.com/cgi-bin/index.cgi?c=a rticlecomments&op=display_comments&ArticleID=11372 &expand_all=true&mode=threaded

Forensic Discovery [free book download]
Dan Farmer and Wietse Venema

http://www.porcupine.org/forensics/forensic-discov ery/

Don't forget Mac and Linux. The ability to register a custom protocol handler to launch programs in the OS is standard. The ability to reference said protocol handler in a hyperlink is also standard. These problems effect every (major) OS.

MacOSX has had a number of vulnerabilities due to URI handling:

Daring Fireball - Using the 'telnet' URI Protocol to Delete Files
Mac OS X Volume URI Handler Registration Code Execution Vulnerability
Apple Mac OS X SSH URI Handler Remote Code Execution Vulnerability

As long as you can get a browser to pass arbitrary data to an application you will be vulnerable. What needs to happen is that the custom protocol handlers should be white-listed by default requiring the user to explicitly allow a new protocol handler. Any protocol handler not handled directly by the browser should display a dialog to inform the user of the action and permit them to cancel it. The user needs to be aware that they're not clicking on a "normal" hyperlink.

Ultimately I think the only way to really mitigate these kinds of security problems is to sandbox or virtualize the browser, which is actually what MS has done with IE7 in Vista. Vulnerabilities are inevitable so the OS and browser should do what it can to limit the extent of the damage that can be caused.