securityfocus.com · Domains · Slashdot Mirror

interview with German lawyer by Anonymous Coward · 2007-08-13 22:22 · Score: 0 · on Strict German Computer Crime Law Now in Effect

SecurityFocus published an interview with a German lawyer:

Germany is passing some new laws regarding cybercrime that might affect security professionals. Federico Biancuzzi interviewed Marco Gercke, one of the experts that was invited to the parliamentary hearing, to learn more about this delicate subject. They discussed what is covered by the new laws, which areas remain in the dark, and how they might affect vulnerability disclosure and the use of common tools, such as nmap.

Wow, good to see this dug up again by OffBeatMammal · 2007-08-09 06:18 · Score: 1 · on Bring Down Internet Explorer In Six Words

it's been a while since anyone mentioned the malformed tag as a problem
http://www.securityfocus.com/archive/1/319360/2003 -04-20/2003-04-26/0

Would all the anti IE folks please put this on their site immediately so I don't have to spend time on them ;)

Re:A little oversimplified... by EveLibertine · 2007-08-07 15:34 · Score: 1 · on Oklahoma Security Expert Attacks RIAA Claims

It occurred to me that in this situation, it was completely legal, completely ethical, and completely necessary

I think you mean:
Possibly not illegal
Not completely unethical
Probably not "necessary"

Breaking WEP is trivial for someone who wants to break into it, knows how, and has the proper equipment, which is what makes it useless from a security standpoint when it's the only method you are using to secure your wireless network. Further complication is added by the fact that not all wireless cards allow you the appropriate level of hardware access to initiate packet injection, which is the primary step in breaking into a WEP network speedily and with any decent probability of success without having to retry in between possible rekeying. WEP is possible to break without packet injection, and with only one computer, but the standard (super speedy) setup involves two machines; one for injection and one for listening to the response.

Here's an article to get started:
http://www.securityfocus.com/infocus/1824/

Re:At the risk of being flamed... by Toreo+asesino · 2007-08-06 06:07 · Score: 1 · on Netcraft Says IIS Gaining on Apache

Not so simple as that I'm afraid - http://www.securityfocus.com/infocus/1765

Bear in mind that the core, being in kernel mode, is less likely to fail as it's running completely separate from any ISAPI filters, user-applications, etc. Regardless, we are talking an extremely simple part of the kernel which deals with the lowest level of HTTP - anything more complex is pass onto an appropriate user-mode process, which for anything remotely dangerous will be running in its own isolated application pool.

Stego by zentinal · 2007-08-03 02:07 · Score: 1 · on Forensic Analysis Reveals Al-Qaeda's Image Doctoring

After reading TFA I didn't see any mention of any steganographic analysis. To me, that's the juicy stuff. This may be off topic, but, has anyone (publically) been doing stego analysis on these videos?

The Answer: Blame Makes You Slash-innocent. by Anonymous Coward · 2007-08-01 18:00 · Score: 0 · on The DRM Scorecard

"The secret to success is simple: make a good product and sell it at a fair price."

Guess Michael Moore's movie must have been a bad product at a hugely inflated price then.

Even the stuff that's not yet for sale.

Good thing that only happens to games.

Alternatives... by fadilnet · 2007-07-28 18:37 · Score: 1, Informative · on KisMAC Developer Discontinues Project

Though KisMAC is still out there, there are alternatives such as Airsnort, Airattack, WepLab, Web,.. Can a live CD such as this one http://www.securityfocus.com/infocus/1814#auditor be booted off a macintelatosh?

Re:Other types of cloaking... by Anonymous Coward · 2007-07-27 12:57 · Score: 1, Informative · on Merely Cloaking Data May Be Incriminating?

Here is Larry Gill's self-serving post. Sounds like he's saying, "None of these bugs are important, because we don't have any important bugs in our software." Don't we all know people/companies like this, who won't own up to anything? The submitter is making a bit much of the data cloaking comment, if you ask me.

http://www.securityfocus.com/archive/1/474727/30/0 /threaded

Re:New Update since i submited this yesterday by idontgno · 2007-07-24 05:44 · Score: 1 · on TimeWarner DNS Hijacking

Most everyone hates botnets, but no one wants to actually do anything about it. I commend them for actually doing something about it.

Congratulations on doing the wrong thing about it. But I guess the appearance of action is better than a wise and considered inaction.

In case you didn't know, botnets don't use static IRC services for command and control any more. (http://www.mcafee.com/us/local_content/white_pape rs/threat_center/wp_vb2006_myers.pdf) (http://honeyblog.org/archives/32-Steganography-in -Botnet-Command-Control.html) (http://www.securityfocus.com/news/11473).

This unsanctioned action by the ISPs is simply fighting the last war with untargeted dumb weapons. The only thing they're accomplishing is collateral damage.

Re:...for that matter... by drakaan · 2007-07-20 03:22 · Score: 1 · on Ubiquitous Multi-Gigabit Wireless Within Three Years

Right...just like they do with WEP.
Yes, you'd have to be stupid not to encrypt wireless traffic. That doesn't make it safe, though, assuming the data is actually worth obtaining.

Re:sad by Anonymous Coward · 2007-07-19 02:42 · Score: -1 · on Mac Worm Author Gets Death Threats

He can post whatever he wants on his own blog. He didn't ask for his story to be posted on Slashdot so that idiots like you who will
comment on something they know nothing about.

http://www.securityfocus.com/bid/24924

Re:Have mDNSresponder run without root privileges by Lars+T. · 2007-07-18 06:20 · Score: 1 · on Worm Claimed For Apple OS X

1. launchctl is used to unload and load the mDNSResponder daemon.

I guess I am one of the bazzilions of Mac users who have not upgraded to Tigger. I can't use launchctl.

Well, according to http://www.securityfocus.com/bid/24924 you then aren't vulnerable anyway.

Grey-market exploits by athloi · 2007-07-18 06:13 · Score: 2, Interesting · on FBI Remotely Installs Spyware to Trace Bomb Threat

The answer is right in front of you. Governments and spy shops pay for exploits before they're made public, so they can use them to enter your machine as they need to. In this case, we don't know how CIPAV was delivered, but it might be as simple as an undiscovered exploit in Outlook or a browser-based email system. While none of us trust government, I equally don't trust my fellow citizens, so the "ethics" of this point are moot.

Off by a factor of sixty by symbolset · 2007-07-18 03:33 · Score: 1 · on Worm Claimed For Apple OS X

You guys are right. My bad.

Security focus blog has a link to the now dead ISC diary page.

My bad. I guess one alleged but unproven lab only virus for Mac might be as bad as 0 to pwned in 20 minutes for pre-sp2 XP.

Re:worm in apple? by mgv · 2007-07-18 01:31 · Score: 1 · on Worm Claimed For Apple OS X

Hey, there's a worm in my apple...

If there is a worm in there, its an old apple:

The current version of OS X (10.4.10) and the server version of 10.4.10 are NOT listed as vulnerable.

Not saying that apple computers are invulnerable, just that this already appears to be patched

Michael

Re:Understanding != Writing Code by einhverfr · 2007-07-14 16:56 · Score: 1 · on Any "Pretty" Code Out There?

I have never heard someone call code "ugly" because they couldn't understand it. Ugly usually means "repulsive" and this usually means that it is an aesthetic and expressive difference.

SQL-Ledger code is about as ugly as Perl code gets. Heck I think it would make anyone who know.s Perl cry. As I say, the author hit (as far as I could tell) 75% of the programming anti-patterns listed in Wikipedia, and many of them he managed to extend in bizarre and disturbing ways. For example, he has magic strings in his *comments.* Delete the comments and things break. I kid you not. Then there are the points where he takes the spaghetti metaphore rather literally (say a function that wanders between six or seven files because of different files overwriting functions which are called inside). Then he has the God object which again is quite literal because it is the *only* object and does *everything.*

If that wasn't bad enough, the Perl is just plain ugly. You will have calls like: AP->transactions(\%myconfig, \%$form); ($form is the God object.) Note that the only reason why %myconfig is not a hashref is because he decided to dereference it on return of another function.

He also insists on parsing the HTTP request himself rather than relying on standard libraries, and where he can't avoid using CPAN, tends to copy and paste the relevant portions of the code into his software (as you can see in SL/Mailer.pm). He didn't do this with DBI and DBD::Pg, though.

Is it any wonder that a year ago, the code was vulnerable to a serious security bypass issue because he was using timestamps for session ids and not checking them against what was actually issued (he was only checking to see whether the timestamp was somewhat recent-- the real session key was the login)? You can read more about that at http://www.securityfocus.com/archive/1/445512. To be fair, since we have moved away from SQL-Ledger, that program *has* patched all auth bypass security issues we have reported to DWS, but most other security issues have not been patched because the author doesn't see insider threat as a real issue.

Re:Lately? by Killjoy_NL · 2007-07-10 09:11 · Score: 2 · on In Wake of Price Drops, Further PS3 Doubts

Hello ye old purveyor of facts:

Feast thy eyes on this little article then

http://www.theregister.co.uk/2005/11/09/sony_drm_w ho_cares/

I'll quote the most delicious sentence ""Most people, I think, don't even know what a rootkit is, so why should they care about it?" he huffed." as said by The President of Sony BMG's global digital business division Thomas Hesse.

The article also goes on about the damages

And this article

http://www.eff.org/IP/DRM/Sony-BMG/

Also gives some nice info on the Rootkit case.

But you mentioned damages, let's take a look at this article

http://www.securityfocus.com/brief/34

It tells about the ruckus the rootkit caused that made cheating in games such as World of Warcraft a lot more difficult to detect, impossible at that time even (don't know if it can be now), Blizzard probably lost customers over this, they had to program pieces of extra security software like "the Warden" to check for known cheating/botting programs, costs I don't think that will be covered by the nice chaps at Sony.

So don't mind me if I agree with the other poster on the opinion that you are a fanboy, nothing wrong with that, your choice, but don't feign innocence.

Re:You had me... by Holmwood · 2007-06-30 07:47 · Score: 5, Interesting · on Fuzzing Toolkit For Web Server Testing

Heh. It is funny, but Microsoft actually started doing this a while back. Mainly because IE was so awful. (Anyone remember IE3, IE4?). I used to fuzz IE for fun. It's one of the big reasons I switched to Firefox. By IE6 my own light fuzzing seemed to show IE had gotten a lot better at dealing with really bad, even malicious HTML. So they were having some success and getting better.

But not quite good enough. Nowhere near in fact.

At CanSecWest last year, HD Moore and a student took an hour to hack together a fuzzer that found over fifty flaws in Internet Explorer. http://www.securityfocus.com/news/11387

Think about that. Two person-hours work, that leads directly to the discovery of fifty flaws. That's pretty impressive for a released product that's supposedly had a great deal of scrutiny. There are few other techniques that could discover flaws as rapidly.

The simple thing is, fuzzing is one of the cheapest things to do with one of the highest yields in bugs. Moore noted:

"Fuzzing is probably the easiest way to find flaws, because you don't have to figure out how the application is dealing with input," said Moore, a well-known hacker and the co-founder of the Metasploit Project. "It lets me be a lazy vulnerability researcher."

The idea of using a pseudo-random number generator with a known seed is good, but fuzzing is better if you actually work it so as to try and give increased code coverage (as the article notes). So rather than just spew purely "random" stuff, set up a handshake properly for a particular type of protocol, that will likely take you down a particular code path, and then go into 'random world'.

Indeed, because of the ease, I'd guess a lot of black-hat work these days is fuzzing-based, and then examining the results carefully, discovering specific vulnerabilities, and then trying to weaponize them.

Re:Update! by danweber · 2007-06-28 07:34 · Score: 1 · on Major Flaw Found In Security Products

No. What makes this attack scary is that they can submit requests as you even without knowing your username and password.

Knowing the username and password is a separate way of using this attack, in which they trick you into (first) logging in and (then) doing the bad stuff.

This is one of the reasons that home routers, which often use HTTP Basic Authentication, are ironically more secure: HTTP Authentication pops up that annoying box we all hate. It's a pretty big signal that Something Weird Is Going On.

See Drive-By Pharming at http://www.securityfocus.com/archive/1/460251 or the article linked from TFA, http://labs.calyptix.com/csrf-tracking.php

Re:Maybe that's because... by Lars+T. · 2007-06-12 02:47 · Score: 1 · on Apple Safari On Windows Broken On First Day

Really? Back when Firefox 1.0 and IE 1.0 were written, the web wasn't a hostile environment. The problems reported here are fairly basic issues (canonicalization problems while handling protocol handlers are VERY old news). So what is your excuse for all the bugs in Firefox 2.0 Final?

Release: 2006/10/25
First DoS: 10/23
Breach of privacy: 10/25
Another DoS: 10/31

Re:"Spam King"? by Otter · 2007-06-12 02:34 · Score: 1 · on "Spam King" Pleads Guilty in U.S. Federal Court

For example:

The first ten results on Google give four different Spam Kings, none of which is the guy here, one of which involves Burger King and real Spam.