Domain: securityfocus.com
Stories and comments across the archive that link to securityfocus.com.
Comments · 2,651
-
Re:No, only what he THINKS Apple will do
Still, the DMCA scares a lot of non-Americans. Remember Dmitry Sklyarov? Some crypto researchers now refuse to make their findings public.
-
Re:not minimal
From securityfocus.com "The worm does not infect computers running Windows XP Service Pack 2 nor Windows 2003, as those systems are somewhat protected against the Windows Plug-and-Play vulnerability" http://www.securityfocus.com/news/11281 But, I am not sure how this affects pirated machines... that stuff doesn't often get published.
-
Re:really...
It was just hyped big time by a few big media outlets. And really the patch was out, and you know Windows 2000 needs a firewall. I blame it more on crappy IT administration.
Actually Windows 2000 does have a firewall. It just doesn't have a purdy gui.
http://online.securityfocus.com/infocus/1559
Anyhow, how does a firewall help one when an infected machine gets in the building (like a laptop)? You cannot block port 445 (which zotob uses) since that is what is used in part for file and print sharing.
While we didn't get hit where I work I can sympathize with companies that did. When you're working in a large environment it can take some time to test patches to make sure they work as advertised (esp. on mission critical servers). One week lead time is really intense.
-
Re:Your OSX rootkit isn't a rootkit...
Sorry, I was googling fast.
Here is the description of a real working rootkit.
-
Teams?
Just like online gaming.... Teams were not balanced. From what I heard the top 3 teams all had 20+ people. Some 30..... 4th place had 7 people. Also heard the points system was a little skewed. Basically if you owned someone else's server then you scored points for the length of time you owned it. But then the team that was being hacked would take it off line and you would be out of luck. The penalties for off line boxes were less severe than the rewards for owning someone. The contest was run by a group called Kenshoto. The story goes that they are an anonymous bunch and that is the alias they are using. I was there and the set up was ultra cool. A few improvements and next year will be even better. Check out this link for more info. http://www.securityfocus.com/news/11269
-
Phlooding attack could leave enterprises...
Dude, what's your problem? Security prophessionals sometimes need to make up words that sound new and specialized. Can't you just embrace the ph-speak like the rest of us?
Besides, it gives reporters a chance to attend Blackhat where they can learn the new lingo.
Oh, you're going to love this article too: Phlooding attack could leave enterprises high and dry
-
Did you read this bit....
"the person installing the network, be they a home user or a business, has ultimate responsibility for any criminal activity that takes place on that network," ?
WTF? If someone sneaks into my garden and starts dealing crack does that mean I'm responsible for that crime too? I mean, it was on my property after all.
English law is f***ed up. Someone should point these dumb-asses at a book about computers which they should read before passing laws like this.
If you're going to fine or jail anyone for having an insecure router it should be the company that's still selling WEP-only routers even though they've been proven to be insecure:
http://securityfocus.com/infocus/1814 ..that gets fined or has its CEO jailed.
Where are the laws to protect the consumer from purchasing insecure WEP routers? Where's the consumer protection law making it illegal to sell someone an insecure communication device? Nowhere. Typical!
I wonder how many people have actually gone to jail over this? Wouldn't this be a really easy way to set someone up that you didn't like? Hack their WEP, browse to a kiddy pr0n site on their connection and then tip off the police!
-
Re:I wonder...
But it only became "wide open" with the public disclosure of exactly how to exploit it.
He used an already patched exploit to show the vuln. He only showed how easy it would be were you to find a new, unpatched exploit.
Also, from an interview at security focus
"It has been confirmed that bad people are working on this (compromising IOS). The right thing to do here is to make sure that everyone knows that it's vulnerable."
The bad guys already know about this, Lynn believes it's time the rest of us found out.
-
Re:Perl Runs Slashdot?
PHP being more secure than perl. You're joking right?
Where's PHP's equivalent of perl's taint mode? Where's PHP's equivalent of perl's "use warnings" and "use strict"? Where's PHP's equivalent of DBI's parameterised queries?
And have you seen the amount of entries for PHP on bugtraq: http://www.securityfocus.com/swsearch?query=php&sbm=%2F&submit=Search!&metaname=alldoc&sort=swishrank
-
Re:anon attack platform? yup!
unfortunately the kiddies discovered it useful for attacking already.
Actually, it's also being used by security professionals and pen-testers for legitimate testing and assessment. There's currently a discussion regarding TOR for pen-testing purposes on the SecurityFocus pen-test mailing list. See http://securityfocus.com/archive/101/406238/30/0/threaded
Just because the kiddies are using it doesn't minimize the usefulness of the protocol. BitTorrent, P2P, and other protocols face the same abuse issues.
Full disclosure: I am the moderator of the pen-test mailing list.
-
Re:Recommendations for FF
Sorry about the earlier post slashdot turned my less than or equal into the start of an html tag...
Hmm, that page talks about flaws in Microsoft's implementation of Java, not in SUN's JVM. In fact it specifically points you to the SUN JVM as a way to avoid the problem. There was also a system vulnerability in J2SE 1.4 below 1.4.2_06 that would allow javascript to instantiate a normally protected class which can access system resources, but that has been fixed for over a year. However I started checking the normal sources and I did find this somewhat cryptic post which says that all but the most current versions of the SUN JRE are vulnerable to an unspecified flaw which allows local file access, guess it's time to check to make sure everyone's autoupdate for JRE is functioning correctly!
-
What are the practical results?
Anyone can spend money, and I'm quite aware of the many things that they're supposedly working on, but why aren't we seeing any real benefit in the Microsoft products that we're actually using on a day-to-day basis?
It's one thing to work on pie-in-the-sky research (and I have no problem with that), but quite another to do that while also continuing to maintain one of the most problematic computing platforms in history in an almost unchanged state for over a decade.
Some of the money might be better spent researching things like Linux Capabilities, a feature that the mainframe OSes I play^H^H^H^Hwork on for a living have had for a number of decades now.
I mean, UNIVAC boxes and VAXen both had the concept of a permissions bitmask down over 20 years ago, so what the heck is Microsoft's problem? Too expensive to implement? I think not...
-
notes on the breach
I'm a foundation employee and the guy who wrote the message we sent to Spread Firefox users. A few notes:
- Spread Firefox does not store plaintext passwords; it hashes them using MD5. So if the attackers have obtained the passwords, they cannot easily use them to gain access to user accounts. Nevertheless, since weak hashed passwords are susceptible to brute force attacks, there is some risk from the exposure, and that is why we recommended users change their passwords.
- The attackers did indeed exploit the vulnerability in the XML-RPC for PHP library shipped with Drupal.
-
Re:Advancements in FUD everywhere
-
Re:Advancements in FUD everywhere
no, like this
Did you actually investigate the link you posted? Many of them actually say "not affected" right in the title...
-
Re:Advancements in FUD everywhere
-
Re:highly anticipated?
OpenBSD's weakness' list (just a TINY sampling of what is/was possible to penetrate OpenBSD):
1.) OpenBSD False syslogd Source IP Reporting Weakness:
http://www.securityfocus.com/bid/6219
2.) OpenBSD's mysql security weakness:
http://www.monkey.org/openbsd/archive2/bugs/200103/msg00022.html
(Seems OpenBSD isn't as "secure out of the box" as I stated most all OS' are w/out tweaking it)
3.) PAM Authentication Execution Path Timing Information Leakage Weakness:
http://securityfocus.com/bid/7342
(Funny, I see OpenBSD on THAT list also)
4.) systrace in OpenBSD:
http://www.informit.com/articles/article.asp?p=363731&seqNum=7&rl=1
"Despite its many features, systrace has a number of limitations that bear mentioning. First, it lacks a facility to specify that you can permit once for a system call, such as binding to a socket. This can allow an attacker to recycle a system call, potentially at elevated privilege.
Second, system calls have no exclusive or. For example, an application might be permitted to open a file or a device, but not both. This weakness could ultimately be leveraged by an attacker who seeks to do more than a program was intended to do.
Lastly, the parent process has no control over spawned processes. For example, if you allow /bin/sh to be executed, you cannot control it beyond its own systrace policy. One way to get around this limitation is to specify a policy for the child process to inherit if it is to be less liberal than the normal system policy. This would be done via systrace"
5.) OpenBSD lprm(1) exploit:
Code is right there:
http://security.opennet.ru/base/bsd/1047145087_1289.txt.html
For an exploit into OpenBSD...
*****
Need I go on? I don't think so but I easily could... OpenBSD's not some "magically secure system" any more than any other is and new holes get found on them all every month.
So, DrSkwid?
Please: Don't try to tell others that your OpenBSD is 'impregnable out of the box', because like most other OS'? It isn't.
(Sure, some of that may or may not have been patched above from my lists by this point, but you try to make it seem as if OpenBSD is some 'security panacea' magical formula, & it's clearly not).
And, it most certainly isn't as flexible, ubiquitous, & powerful as Windows Server 2003 is with as any applications surrounding it in both commercial and freeware implementations as Windows has a tremendous wealth of and most certainly does not run on as many types of hardware.
6.) This is not just myself stating it, here is another one regarding that:
http://geodsoft.com/opinion/server_comp/security/linux.htm
"The default OpenBSD install is much more secure but also much less functional than a Windows NT or 2000 default install and most"
Keyword = DEFAULT! AND, less functional. BIG sticking points vs. Windows Server 2003.
Which is WHY I put up my list for Windows 2000/XP/2003 server users.
To teach them how to REALLY secure these Os' from MS, far above the DEFAULT security settings they ship with and how + why.
Give it up DrSkwid about OpenBSD being 'so great' when clearly, it's not by comparison. And, having to call me names?
Not too intelligent, nor fact based. The sign of the loser in forums online. It's right up there with spelling and grammar checking.
Above all - It's easy to secure
-
Re:Drupal powers...
It's also known for its recent privilege escalation vulnerability, a turn-of-the-century sounding "gain admin at signup" issue which would probably lead most sane people to disregard Drupal as a contender for any serious use.
-
Where to get fix...
According to securityfocus, this bug does affect the 2.0.x branch as well as 2.1.x. It says that the 2.1.x version has been released to fix, and that a fix is available in the subversion repository for 2.0.x. I'd suspect that there will be a new version of 2.0.x out soon.
Securityfocus article is here.
-
Re:Lack of Firefox use
Perhaps this might be part of the cause?
http://www.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=firefox
Firefox is just as full of holes and hacks as IE.
The answer to safe browsing with either is EXACTLY THE SAME.
1) Configure for security (Firefox is NOT secure at install!)
2) Patch often.
3) Don't install 50 extensions and plugins many of which violate or bypass your FF security settings.
Virtually everyone on this site is completely disingenuous with their comments, ranging from plain ignorance to downright perjury.
-
Re:It's not just the non-technical users
Okay, sorry if I am sounding like a jerk. I really just want to know how this can happen!
In case you've been living in a hole for the past few years, IE has a particularly lengthy history of exploits. Auto execution of downloaded files by playing mime-type tricks, arbitrary execution of code via client side scripting languages, etc., etc..
It's perfectly possible that you could download and install spyware/adware/virii with IE with 0 clicks. Sure there are patches issued but they've been far from what I'd consider timely responses.
You can be as vigilant as you want with IE patches but I'd still be very cautious going to "seedier" sides of the internet. I'm not saying there aren't problems in other browsers because there are. They just don't have nearly as many problems. Maybe that's because they don't have large enough of a market share to catch adware/virus authors' attention.
Regardless, I've stopped using IE years ago because of these very issues and couldn't be happier with the alternatives.
-
Re:Malware == Moolah
Read this, you fucking zealot monkey. My lord, you zealot faggots are full of yourselves. Do you even think? Jihad bitches...
-
Re:Why do I want this for firefox when.....
Read here, you fucking zealot monkey. Do you even bother educating yourself before you puke your zealotry all over the Internet? Damn, you zealots are fucking RETARDED!
-
Re:WEP is bad, but still better than nothing
There was a very interesting article posted on Tom's Networking Guide a while ago about how ridiculously simple it is for people nowadays to crack WEP keys using an assortment of techniques such as replay attacks and forced disassociations.
The Article also includes tips to keep wireless access points relatively secure.
http://www.tomsnetworking.com/Sections-article111-page5.php
And here's another article about WEP and how it has become one of the most insecure methods of encryption over the years.
http://securityfocus.com/infocus/1814
Thank God the FBI is on our side.
-
Re:And if you enable...
nothing can reach it
This is like your 5th time saying this. Methinks you have no damned idea about security, and whoever keeps modding you up needs to get a clue.
Let me help you out. The following things ARE NOT attributes of a computer that is powered on and connected to a network: 100% secure, untouchable, impenetrable.
You should try reading some sites like securityfocus. I recommend a 2-part article that just came out, Software Firewalls: Made of straw? and part 2.
-
Re:Sender ID = Caller ID = Worthless
I guess you didn't hear, caller ID can be completely spoofed now. They can put your mother's number on your caller ID. http://www.securityfocus.com/news/9822
-
There are other sites available.
Andrew Jaquith, senior analyst with The Yankee Group in Boston. "There is really no good, consistent source for security information on the Internet," he said.
There are already a handful of really good sites out there. How will ATT compete with the likes of: The Internet Storm Center, Security Focus, Packet Storm, and Security Pipeline which are current and relevant.
Also in the TFA, there were statements that the news services will be offered to ATT customers. Will non-customers also have access to the site for free? If not, how does this compare to other managed services offerings from the likes of Symantec, ISS, and others?
-
Re:When I choose ___ OS, it is because...
"How does the (Open)Solaris security model differ from that of a "standard" UNIX?"
This is a good writeup of Solaris 10 Security. They pulled some things in from Trusted Solaris such as process rights management.
-
Re:Classy Response to Theo by Linus Torvalds
> Not to mention that he has own problems to
> contend with.
>
UMM, ok... When have (do) we ever seen a linux _local_ *anything* fixed, in a similar timeframe?? Remind me please...!
http://www.securityfocus.com/bid/13977
> Published: Jun 16 2005 12:00AM
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_output.c
> Revision 1.169.2.1 / (download) - annotate - [select for diffs] , Tue Jun 14 02:10:03 2005 UTC (4 days, 4 hours ago)
> by brad
> Branch: OPENBSD_3_7
> Changes since 1.169: +20 -2 lines
> Diff to previous 1.169 (colored) next main 1.170 (colored)
> MFC:
> Fix by markus@
> getsockopt(): allocate a mbuf cluster for large ipsec credentials
> fixes kernel panic from pr 4252; Stefan Miltchev
> ok deraadt@ markus@
dig dig dig.....
-
Re:BSDs=good stuff, De Raadt=nuts, it's the licens
You're fucking insane. OSX is FAR from secure. Look at some of the ridiculous vulnerabilities that sneak out:
Can read any file with at. (WTF APPLE!!)
Can get root by answering a DHCPREQUEST (Fucken eh, the next windows!)
You want more, visit here:
http://securityfocus.com/cgi-bin/index.cgi?o=60&l=30&c=12&op=display_list&vendor=Apple&version=&title=Mac%20OS%20X
And those are just disclosed! Depending on where you look, you can usually find more undisclosed OSX sploits than Linux.
-
Re:Classy Response to Theo by Linus Torvalds
Not to mention that he has own problems to contend with.
-
Re:"End of an era"?
In my opinion, IIS has been more secure compared to Apache in their respective latest major versions.
Go to SecurityFocus and do a search on the vulnerabilities. IIS 6.0 since its release in April of 2003 has had two (2) vulnerabilities. Apache, on the other hand has had 30 (!) since its release of 2.0.44, which is the release I could find that was closest to the release date of IIS 6.0. If you go back to all of Apache 2.0 (the major release), there's a whole page more of them, but I didn't think that comparison was fair.
-
Re:zerg
PS: Is there some kind of bot storm going on, I'm getting all kinds of weird accesses to my site today, they're all fetching just the home page and leaving, and the referrer tag is null for everyone... They may be committing click fraud through my site, which makes me mad...
See this discussion on SecurityFocus
http://www.securityfocus.com/archive/75/401729/30/0/threaded
-
Re:Possible MS logic?
http://www.securityfocus.com/bid/12483 Who needs rights?
:)
-
Re:this guy is not credible
We'll just rent out that massive botnet that CA says is being created. At 5 cents a PC we could get...
Wait. What do you mean they won't take Kim Chee? Dammit, they know we're good for it!
-
Re:Lynx is safe
Telnet is not necessarily safe: http://www.securityfocus.com/advisories/3490
-
Wireless keyboard security
Not that I want to sound paranoid, but has anyone given a thought about the security of the protocol employed by wireless keyboards? I wasn't able to find any reasonable treatment of the subject on the Net.
I do however have a nagging feeling that because the signal is short-range by design, the security measures implemented within the protocol are minimal and/or naive. WEP initially looked like a very well thought out security framework and it turned out to be a disaster. Something tells me that whatever is used by wireless keyboards is not even on WEP level.
Just like we have WarSpying intercepting signal from wireless cameras, nothing in theory prevents anyone from coming up with a receiver made from RadioShack parts that intercepts wireless keyboard signal. The implications will be much more serious than a couple of teenagers ogling at someone in underwear strolling around her apartment.
Until there is an honest discussion about wireless keyboard security, I don't feel that the risk is adequately compensated by the convenience.
-
Re:Help from private technology firms
P'raps the bad guys have already had a trial run. Notice that the witty worm didn't make big headlines at the time, but it attacked a particular sensitive part of internet infrastructure. Analysis was done by a consortium of private firms, .edu & .gov entities. It seems the perpetrator(s) deliberately aimed and charged the first shot.
-
Re:People don't die when networks crash
Actually, people may very well already have died in network attacks, as these attacks managed to clog telephone lines and bring down 911 response centers. Someone may well have been waiting for the ambulance that never came.
Or, suppose that someone manages to sneak a virus inside a nuclear plant control system. Wait -- that actually already happened! Slammer worm crashed Ohio nuke plant network.
-
Re:Wave hello
The environmental movement has done a good job at requiring so many frivolous regulations that nuclear power in the US cannot be financially feasible, leading to increased pollution and disease due to other production methods.
However, with mismanagement at the level we see at reactors like the Davis Besse reactor, we're lucky that these plants are offline most of the time.
If we really want to do nuclear power right, instead of designing each plan from scratch we should use the (US) design that the French use for all one of their plants. That way, the properties of the reactors would be well understood, and experience gained at one site would be directly transferrable to other sites.
Of course, with our current administration, if we use the design the French are fond of, we'll probably have to call it a "Freedom Reactor."
It might be better to use a more modern design that does not produce long-lasting nuclear waste, and can't melt down, but whatever we do, we should standardize on one reactor design. That would lower the costs of design, construction and operation without sacrificing safety.
Also, what idiot decided these things should be run by for-profit corporations? Has anyone else noticed that the safety of commercially run plants gets worse, not better, over time? (Do we really want Dogbert and the pointy-haired boss having final say over nuclear reactor operations?!?)
-
Re:Thanks Microsoft!
Sorry, browser exploits were still more common before SP2 or windows 2003. Why don't you try... y'know researching it?
-
Re:Some food for thought
Look at the number of vulnerabilities for IIS(247) vs. the number for Apache(290). Now consider Apache has about 70% and IIS has about 21% of the webserver market. By your theory Apache should have a lot more vulnerabilities because it's "under the microscope more" (and you can look for them directly in the code, rather than just by blackbox testing). So based on evidence instead of conjecture, dominance in the market has little to do with how many vulnerabilities are found in your code.
-
Re:Question for an expert...
What can they do, infect routers with viruses now?
Potentially, but more likely they'd find a vulnerability in the code that would allow for DoS attacks - along the lines of the BGP transitive attribute problem. It would also give them a chance to poke holes in the telnet/ssh/tacacs...etc functions so they could get onto the device, wipe it and reload it. Specially good fun if they also screw with the console baud rate, partition the flash, change the config register... etc.
I guess a virus is possible, they could compile a problem into the IOS code, upload it over the top of the old one and reload. A subtle issue (drop one in ten packets or something) would be very tricky to isolate - not that Cisco aren't more than capable of making mistakes with similar results themselves...
-
Just in time
an exploit is out. 1.0.3 spoof+auto dl
-
The REAL news: Firefox 1.03 remote .exe execution
wait for the spyware slags get hold of this one
full remote execution of an exe with no user interaction
http://www.securityfocus.com/archive/1/397747/2005-05-05/2005-05-11/0
catching up with MSIE
-
Re:Boycott Roland Piquepaille Stories
Yes, perhaps we should start moving to other sources where we can get some fresh writing and not be taken advantage of. Perhaps SecurityFocus would be a good source. Here's the first paragraph of their article titled Quantum crypto moves out of the lab:
"Quantum cryptography - long the stuff of cyberpunk novels and hi-tech spy stories - is leaving the laboratory and making its way into commercial markets. A briefing session at the UK's Department of Trade and Industry on Wednesday featured demonstrations of working quantum key exchange systems by QinetiQ, Toshiba Cambridge and US start-up MagiQ."
Or maybe we should use The Register's article titled Quantum crypto moves out of the lab. Here's their first paragraph:
"Quantum cryptography - long the stuff of cyberpunk novels and hi-tech spy stories - is leaving the laboratory and making its way into commercial markets. A briefing session at the UK's Department of Trade and Industry on Wednesday featured demonstrations of working quantum key exchange systems by QinetiQ, Toshiba Cambridge and US start-up MagiQ."
Or another article and you can probably guess that the opening paragraph there will make you think there's a glitch in the matrix.
Both The Register and SecurityFocus show ads, and they're just rehashing some company's PR spam and profiting from readers. But this is all academic -- the more interesting question is why you don't seem to find it objectionable that the bulk of these articles, even if from reputable places, ARE ads themselves?
-
Re:a couple ideas...
Visit http://www.securityfocus.com/ and read the ntbugtraq archives.
There is a reason why Windows Update exists and why it is giving you dozens of updates every month.
Put an un-patched windows 2000 or XP box on an open internet connection and you will be (silently) spreading viruses in minutes.
When I was working at Microsoft, the corporate network was so flooded that newly installed systems were instantly infected unless we took them off of the network before we installed and patched a windows 2000 system.