Domain: securityfocus.com
Stories and comments across the archive that link to securityfocus.com.
-
OpenSSH port
-
Slashdot and Birthdays
Where do people get these dates from? At least do a little research. The first reference to CodeRed I could find was a post to the Incidents list at SecurityFocus.com on July 15th. The actual data was captured a couple of days prior to the post if my memory serves me correctly (the poster is a good friend of mine and a coworker at the time).
-
Re:No mac web os9 or older servers EVER exploited
-
Will articles like this continue to appear? ... Past its Prime: Is Anti-Virus Scanning Obsolete?
(If the link stops working, then I guess the answer would be "No".)
-
Editorial Independence
At the company-wide meeting about the acquisition, Symantec president John Schwarz said repeatedly that Symantec is committed on the highest levels to keeping the SecurityFocus Web site alive, and editorially independent. A written policy will set this out explicitly in the weeks to come.
-
Re:Read Microsoft's page ...
" This is far and away the best large corporate desktop resources location system ever written bar none"
Well I doubt it's as good as NDS but we'll let that one go.
"For Active Directory to work however virtually every server and every desktop needs to be using Windows 2000 / XP. Samba does not support Active Directory and further Samba is a long way away from supporting this"
By the time the corporations upgrade every single one of their desktops to Windows 2K, Linux will be able to connect to an AD server. In fact it can do that now! Check out this or this.
"But from a company / OEM perspective it doesn't really matter why this issue exists;"
True for some people but not others. There are some ethical people in business and surely there must be a few business people with a moral compass. I would even venture to guess that there might be a few business executives who could muster more synapses than a couple of dead files and could see through this situation. But then again with all that's happening in the business world today I may be totally off base.
-
MORE SLASHDOT CENSORSHIP!!
Slashdot editors once again continue their campaign of censorship. It has come to Egg Troll's attention that Jamie "Security Through Obscurity" McCarthy has sent a Cease and Desist order to our beloved Trollaxor [trollaxor.com] for a diary entry posted on his website that detailed a javascript exploit to Slashcode. [trollaxor.com]
The hypocrisy in doing this is incredible. For a site that routinely condemns companies that attempt such heavy-handed tactics shows that Slashdot is almost as morally bankrupt as VA/Systems soon will be. I would expect such tactics from the Church of Scientology or a Fortune 500 company. I guess Slashdot has learned: "If you can't beat them, join them!"
To make matters extra special, Jamie updated Slashdot's Slashcode, yet didn't release details of this exploit to other sites running Slashcode. [securityfocus.com] Guess it's only important for Slashdot to look out for number one!
Is the imminent collapse of their parent company causing them all this stress? Or maybe its years of using that substandard open source software. Whatever the case, this is one of the slimiest things Slashdot has done since the First Troll Post Investigation. [kuro5hin.org]
For those wondering the code in question can be found here [slashdot.org].
Thank you for your time,
Egg Troll
-
Re:A Gay Script Kiddie too?
Hey, there are even gays on the other side of the fence, so to speak...
Here is Theo de Raadt slamming into Darren Reed over Darren having a bit of a poke at OpenBSD practices in the shadow of the recent OpenSSH hole that led to a remote exploit in the default install.
I spend more than 8 hours of every single day of my life auditing code (and over the last week, 16+ hours a day), and here is some gay guy from Australia who spent all of Usenix in San Antonio years ago moping with droopy eyes after a very straight and girlfriended Mudge is not going to tell me that I am not doing enough
I love reading Theo's posts.
-
Re:Are you running Apache 1.3.26 or newer?
> If not, you're vulnerable to a worm that's been going around that is similar to Code Red (hijacks your server and turns it into a DDoS platform). I know at least 4-5 people who were hit by this in the 2 days it took the fix to get into security.debian.org.
If you are going to lie, you have to be smarter about it than that. Remember your training: don't embellish. Microsoft should penalize you a day's pay.
You can't possibly know 4-5 people who were infected while waiting for a fix to reach Debian, because during that time the only exploit that existed was a _BSD_ exploit. There were no Linux exploits during that period.
Besides, I don't know what you are gloating about. Unlike the constantly-vulnerable IIS, this is the first major exploit to hit Apache in years. In fact, according to this article, Apache has gone "four and a half years without a serious vulnerability":
http://online.securityfocus.com/columnists/91
By the way, the Apache worm has been a total flop. Because the fix got out so quickly, and because Linux and Apache are so easy to keep up-to-date, the vast majority of Apache servers are now immune.
Contrast that with Windows and IIS. Code Red and Nimda are a year old, yet they are still making the rounds.
It is a sad fact that, even with current patches applied, Microsoft software is still full of holes. As evidence, note that there are currently 19 unpatched IE security holes:
http://www.pivx.com/larholm/unpatched/
-
Re:Which are more successful?
Nice troll. http://online.securityfocus.com/cgi-bin/sfonline/vulns.pl
Shows approximately 5 times as many vulnerabilities for Microsoft than for Red Hat.
How this reached +5 is beyond me.
-
Re:Funny
"When Microsoft announces a patch for Windows two days after a security hole is found, they get bashed for publishing insecure software. When Apple fixes a hole five days after acknowledging it, they're praised for being so quick to patch it."
The situation is not quite comparable...
The last n Microsoft security holes that I've seen have been discovered by security groups which reported them privately to Microsoft, and worked with Microsoft for typically a month or two to get the patch out. Then the vulnerability was announced the same day as the patch release. A few days or weeks later, an exploit for the vulnerability was posted someplace reasonably mainstream.
Not so here. The Apple vulnerability was just posted to bugtraq along with an exploit. No indication was made that any attempt to contact Apple was made, much less working privately with Apple while the problem was resolved.
http://www.cunap.com/~hardingr/projects/osx/exploit.html
http://online.securityfocus.com/archive/1/280964
Also this wasn't the worst vulnerability ever found. If someone poisons your DNS server they really can do all manner of bad things to you; Software Update is (was) just one of many concerns you should have. Keep your DNS servers secure!
-
Just in case anyone is interested...
The following is a copy of the letter one of the ISPs sent out. This topic has been discussed on SecurityFocus' vuln-dev for the past day or so.
Dear Customer,
We are writing on behalf of Cox Communications to advise you that we have
received a notification that you are using your Cox High Speed Internet
service to post or transmit material that infringes the copyrights of a
complainant's members. I have enclosed a copy of the complaint letter.
Pursuant to the provisions of the Digital Millennium Copyright Act ("DMCA"),
which is codified at 17 U.S.C. 512, upon receiving such notification, Cox
is required to "act expeditiously to remove, or disable access to" the
infringing material in order to avoid liability for any alleged copyright
infringement. Accordingly, Cox will suspend your account and disable your
connection to the Internet within 24 hours of your receipt of this email if
the offending material is not removed.
Please be aware that the DMCA also provides procedures by which a
subscriber accused of copyright violation can respond to the allegations of
infringement and, under certain circumstances, cause his or her account to
be reinstated. To do so, however, the response must meet certain criteria.
Pursuant to section (g) of the DMCA (17 U.S.C. 512(g)), you have the right
to submit to Cox a counter-notification which, to be effective, must include
the following elements:
(a) a physical or electronic signature of the subscriber;
(b) identification of the material that has been removed or to which
access has been disabled and the location at which the material appeared
before it was removed or disabled;
(c) a statement under penalty of perjury that the subscriber has a good
faith belief that the material was removed or disabled as a result of
mistake or misidentification of the material to be removed or disabled;
(d) the subscriber's name, address, and telephone number and a statement
that the subscriber consents to the jurisdiction of the Federal District
Court for the judicial district in which the address is located.
In the event that you submit to Cox a counter-notification that includes
these elements, Cox will forward your counter notification to the
complainant and advise them that Cox will cease disabling access to the
allegedly infringing material in ten (10) business days. Unless the
complainant notifies us that it has filed an action seeking a court order to
restrain you from engaging in the allegedly infringing activity prior to the
expiration of those ten (10) business days, Cox will reactivate your
account.
Sincerely,
The Cox Abuse Team
-
TACO: YOU'RE A CODE BUNNY
Rob Malda ASCDC Buffer Overflow Vulnerability
----------------
RELEASED: March 14, 2001
AFFECTS: ascdc 0.3
- A vulnerability in the program could allow elevated privileges on a system with the package installed setuid. Due to insufficient bounds checking, it is possible to execute arbitrary code with the ascdc program. Overflows in the -c, -d, and -m arguments make it possible for a user to overwrite variables on the stack, including the return address, and execute shell code.
- The program is not installed setuid. However, in a setuid installation, this problem makes it possible for a user to execute arbitrary code, and potentially gain elevated privileges.
SAFER
- We are not aware of any solutions for this issue.
Want more info on Taco's Security Fuck-Up? Here. Here. Here.
-
A recipe for disaster
One need look no further than BUGTRAQ to see that Microsoft's efforts to produce a secure, reliable codebase have been met with unmitigated disaster. Microsoft products are the least secure, least reliable pieces of software in my entire company. Finally, in this article, we can see the design methodologies that have caused Microsoft to produce millions of lines of unmaintainable, buggy code. And we can apply that knowledge in future Open Source projects to prevent ourselves from falling into the same trap.
Let's take a look at some of Microsoft's more questionable practices:
- UML and other modelling fads. My former employer required the use of 65-page UML diagrams for the simplest command-line utilities. Why? Because it was popular, and the investors liked to make sure we were buzzword-compliant. UML is designed for non-technical audiences, and as such it flies in the face of the engineering goals it is designed to solve. What's good for the suits isn't necessarily good for the engineers.
- Formal checkins. These stand in the way of progress like no other corporate "bad habit." Requiring programmers to have a supervisor (often a non-technical PHB) "sign off" on their code prior to the commit is ludicrous. Developer time costs $20-40 an hour - should that time be wasted persuading co-workers to check in and approve their code, or should it be spent doing actual development?
- Code review. Code review is a power trip at best, and a drain on morale at worst. If a programmer cannot be trusted to develop excellent code, he should be replaced with somebody who can. It's a tight labor market on the developers' side, so incompetent programmers should be spending their time reading O'Reilly books instead of playing games and looking at porn in their parents' basement.
- Large, geographically concentrated development teams. The best work is emphatically not done by 1400 people in the Redmond campus. The best work is done by culling experts of individual niche areas from around the globe. Not surprisingly, this is the model that Linux and most Open Source software uses, and that is why OSS is phenomenally successful compared with any of its proprietary competition.
-sting3r
-
In Canada - Maybe the same elsewhere
Several of the "security agencies" in Canada offer courses which are fairly strong overviews. The RCMP technical security branch offers a number of workshops for free. I have taken the 4 day IT security officer and 1 day malicious code course and both were very good overviews.
The Communications Security Establishment (Canada's NSA) offers a number of courses quite cheap. This is a good place to start and often provides a wealth of resources for additional learning. I would look into whether the same exists in your country...
SANS reading room boasts 1300 research papers. Here are some other places for reading off the top of my head:
@Stake
phrack
antionline
securityfocus
There are tons more if you look
Sig, Shmig...who needs one
-
Cheapest..
This may have been mentioned already...
Subscribe to mailing lists like Bugtraq and NT Bugtraq and any other OS or application specific products you are supporting. Not bleeding edge but not worth ignoring either.
-
BugTraq
The most up to date security list in the world and it's free.
BugTraq
-
DallasCon
I'm in the same boat. I've taken responsibility for computer security at my little company, but there is no training budget at all. I was pleasantly surprised to find that DallasCon had a student price of 40 dollars for their security conference. I got a ton of good information there. Otherwise I rely on web sites like SecurityFocus.com for information.
-
Mailing lists
Just subscribe to mailing lists like bugtraq and the lists at securityfocus, that will give you everything you need.
Or if you're really desperate, you could try #hack, #2600 and #trolls on IRC.
-
Fascinating
This really is fascinating stuff. Note that most of the entrants used the disassembler known as IDA, available here. There was also much discussion of this contest recently on various security-related mailing lists.
Hopefully they will be doing a similar contest again next year. In the meantime, I guess we'll just have the Scan of the Month to analyse.
-
Re:MORE SLASHDOT CENSORSHIP!
I'd mod you up but i lost my powers after that post.
eggtroll posted
Slashdot editors once again continue their campaign of censorship. It has come to Egg Troll's attention that Jamie "Security Through Obscurity" McCarthy has sent a Cease and Desist order to our beloved Trollaxor for a diary entry posted on his website that detailed a javascript exploit to Slashcode.
The hypocrisy in doing this is incredible. For a site that routinely condemns companies that attempt such heavy-handed tactics shows that Slashdot is almost as morally bankrupt as VA/Systems soon will be. I would expect such tactics from the Church of Scientology or a Fortune 500 company. I guess Slashdot has learned: "If you can't beat them, join them!"
To make matters extra special, Jamie updated Slashdot's Slashcode, yet didn't release details of this exploit to other sites running Slashcode. Guess it's only important for Slashdot to look out for number one!
Is the imminent collapse of their parent company causing them all this stress? Or maybe its years of using that substandard open source software. Whatever the case, this is one of the slimiest things Slashdot has done since the First Troll Post Investigation.
For those wondering the code in question can be found here
Thank you for your time,
Egg Troll
-
Re:Detailed analysis of the exploit?
here's some code that was posted to bugtraq:
See here for the corresponding message.
-
Re:Who downloads it anyway?
It doesn't really have anything to do with what type of program it is... even single player games would be affected. It's simply an infectable executable that was run.
> I shouldn't have to run external programs to play games online.
So you won't run the wolfenstein demo? Or even the full install from the CD? If you would, then you could theoretically get a virus (no, not starting any rumors here). You do understand that you're limiting yourself to games that run solely from the browser and even then, there's no guarantee that you won't get malware.
-
They copied Microsoft
I can't believe GameSpy is doing this. It's sooo passé. Microsoft already did this. Next time GameSpy wants to get infected, it should be original and choose a different virus, maybe W32.Klez.E or even a McAfee homebrew bug, instead of just copying MS because it's an industry leader. Me, I prefer my KaZaA virus, because it has its own EULA.
-
Just in time
Traffic on bugtraq the last few hours indicates there is now a worm in the wild exploiting the Apache chunked-encoding vulnerability. http://online.securityfocus.com/archive/1/279529/2002-06-25/2002-07-01/0
-
how to uncap your cable modem
First, test your modem to find out the up/down speed: http://dslreports.com/stest/
Next, if you're a Windows user, there are registry tweaks you can make:
http://www.cable-modems.org/articles/speed_tweaks/
Mac and Windows tweaks:
http://www.dslreports.com/tweaks
Note, however, these are all legal -so far!
Uncapping a 3Com cable modem (what AT&T uses)--
http://online.securityfocus.com/news/353
-
Re:plain truth
no, there's an exploit.
-
Re:Why do it?
As someone that was following the series of articles that securityfocus was publishing on "phone phreakers owning Vegas" this is actually very interesting news. The articles detail how "hackers" are stealing business by re-routing phone calls. After multiple complaints from the business owners Sprint could never seem to find a problem during its investigations and insisted they were crazy. It was concluded that the "hackers" had someone inside working for Sprint tipping them off because the phone system always seemed to route just fine while Sprint was doing its audits. One of the frustrated business owners hired Kevin Mitnick to come in and help straighten things out, and that was the last I've heard till now. The SecurityFocus write-up is here.
-
Even OpenBSD developers can be vain...
You've heard of the recent apache bug. Apparently, the OpenBSD team is announcing it as a "possible remote crash".
Since a remote exploit already exists, shouldn't they detail the severity on their front page?
Nothing against the OpenBSD team... I believe they do excellent work, but heck, people, PLEASE patch up those systems! It's only a matter of days before someone is going to drop a new worm! This is horribly serious!
-
Re:0wn3d USA
Um, yeah. Except that unlike the rest of the world, we're not trying anything of the sort.
-
Re:*sigh*
Um, yeah, except that as it turns out, it was the article's author who was on crack.
-
actually if you follow the link
you will see that there is an update: US DENIES DATA RETENTION PLANS
-
Okay
- The page linked at the very top of the link you give says that the White House is denying that they actually want to put this into law; it was in the draft, but now they just want to "request" the ISPs to keep this information. Read the article before you post it to the front page! We are going to have hundreds of uninformed posts from people who didn't read the article and say totally irrelevant things!
- It's an unworkable idea even voluntarily. Who is going to PAY for the storage, retention, and transfer of the GIGABYTES of data that these records will require the ISPs to keep?
- What kind of data would be logged? I make LOTS of connections to things that don't involve SMTP or port 80. And i'd expect most "illegal" activities on the internet these days would involve either telnet/ssh, or very very high ports (I.E. filesharing apps.) Moreover, "web access logs"? Would that include, say, CGI GET and POST information? A lot of websites these days use POST cgi stuff to navigate sometimes, but if you log that you're going to get all of my voluminous posts to slashdot in the logs.
- If ISPs are going to be gathering that kind of information, how about writing down the IPs of computers requesting of other computers "index.ida" or similar things, then calling them up and asking them to fix their goddamn computers? (I.E., computers infected with Code Red or Nimda)
-
Update.
Finally got through, and
... Nothing to worry about yet. Apparently, this is from a misreading of the report. No data retention requirements, these aren't the droids you're looking for, move along.
-
They changed their mind!
I visited the site, and this is what it says here. I'm posting it in case the site gets slashdotted. [And I'm not a karma whore since I already have 50.]
U.S. Denies Data Retention Plans
The Justice Department refutes claims that Internet service providers could be forced to spy on their customers as part of the U.S. strategy for securing cyberspace.
By Kevin Poulsen, Jun 19 2002 12:24PM
An early draft of the White House's National Strategy to Secure Cyberspace envisions the same kind of mandatory customer data collection and retention by U.S. Internet service providers as was recently enacted in Europe, according to sources who have reviewed portions of the plan.
But a Justice Department source said Wednesday that data retention is mentioned in the strategy only as an industry concern -- ISPs and telecom companies oppose the costly idea -- and does not reflect any plan by the department or the White House to push for a U.S. law.
In recent weeks, the administration has begun doling out bits and pieces of a draft of the National Strategy to technology industry members and advocacy groups. On Tuesday, sources who had reviewed segments of the plan said a federal data retention law is suggested in a section written in part by the Justice Department.
The comprehensive strategy is being assembled by the President's Critical Infrastructure Protection Board, headed by cyber security czar Richard Clarke, and is intended as a collaborative road map for further action by government agencies, private industry, and Congress.
While not binding, proposals that find their way into the final version of the National Strategy would likely have added weight in Congress, and could lead to legislation.
A controversial directive passed by the European Parliament last month allows the 15 European Union member countries to force ISPs to collect and keep detailed logs of each customer's traffic, so that law enforcement agencies could access it later.
Data to be gathered under the European plan includes the headers (from, to, cc and subject lines) of every e-mail each customer sends or receives, and every user's complete Web browsing history. The period of time that the data will have to be retained is up to each member country; specific legislative proposals range from 12 months to seven years, according to Cedric Laurant, policy fellow at the Electronic Privacy Information Center (EPIC), which opposed the directive.
"Somebody could see their past for the last seven years be completely open," says Laurant, speaking of the European directive. "It violates freedom of speech," as well as the legal principle that a defendant is presumed innocent until proven guilty.
The White House did not return phone calls on the National Strategy, which is scheduled for release in September.
-
Re:they're a team, right?
It's not a question of whether or not the passwords are being sent in cleartext. There have been holes found in SSH before, and there probably will be again. Plus, there's an excellent chance that SSH isn't the ONLY thing listening on these boxes. A hole in ANY service running can be enough for someone to get in. And once someone's in, it's much easier to grab root access, because it's easier to keep tabs on what's listening on ports than all the thousands of binaries that aren't. Once you've got root on a box, it's a simple matter of installing some trojaned binaries to grab passwords for you. It doesn't matter if the password's been sent in plaintext or not.
And things can get very quickly complicated, because again, once a malicious person has gained access to ONE of your systems, suddenly it's completely trivial to get into all the rest. If you enforce different passwords on each box, then you're containing the fire. The blackhat will still have 0wNz0r3d one of your boxes, but it's contained there, and he's got to go through the same amount of work to get into any of the others, which increases the probability of someone noticing illicit behaviour, increases the probability that this person will screw up and make a mistake, and increases the probability that he might not be able to get in at all.
As to writing passwords down, obviously that's a problem. If people are going to be writing passwords down somewhere, you've got to have a good deal of actual, physical security if you want to be able to feel safe about it. It helps to have passwords related somehow. Pick a paragraph from a book; the first letter of each word in sentence 1 makes up the password for box 1, the second sentence goes for box 2 . . . There's many ways to relate passwords such that it's easier to remember.
Remember, you're not just defending against a brute-force cracker or someone sniffing plaintext passwords. There's much more to it than that.
-
Re:Apache team not trusted
While this is not a proper fix for the real problem, it will prevent the bug being remotely exploited:
ISS X-Force response (fwd)
-
What happened wrt the discovery and reporting
I found this message and this message (from bugtraq) to be informative regarding the interesting issues here.
-
Apache team not trusted
I posted this as a story earlier...
Turns out the ISS X-Force team doesn't trust the Apache crew to fix what seems to be a very serious exploitable bug in the http code. They just released an advisory to the Bugtraq mailing list here and provided some 'patch code'. The patch code (which attempted to typecast the vulnerable area) doesn't seem to fix the issue.
So in effect there are a bunch of Apache servers out there with a possibly remote exploitable buffer overflow. Was this a big ooops on the part of ISS?
One has to wonder why they didn't go to the Apache team first with this? Rumor has it that ISS feels that Red Hat has burned them (ISS) in the past and since the Apache team has some Red Hat employees they shouldn't be trusted.
Another rumor that has been floating is that the ISS team doesn't consider Apache to be "a vendor" and therefore doesn't need to follow the normal disclosure rules. This sets a pretty bad precedent of not working with vendors just because you don't get along with them. A company's personal pettiness should not be allowed to override the security of a majority of the internet's websites. The patch has officially made it into the Apache CVS but again why the hell didn't ISS talk with Apache? I noticed another post by NGGS (referenced in link above) that they already had a CVS number so they appeared to have gone through the proper channels and got 'beat to the punch' by ISS. Sounds like a motive to me....
-
Re:well....
or, you could just count on them using something like IE or Outlook.
IE ignores the mimetype of files, instead looking at the first 256 bytes of the file to determine what it is and how to handle it. This allows you to do things like embed html with javascript or vbscript inside images and have it executed when viewed. Probably could stick activex components in there too.
-
Re:Ever heard of a buffer overflow?
If a hole was discovered in that library, it could be used as a vector for viruses.
Works on *nix and Windows:
http://online.securityfocus.com/bid/1503
-
It's already happened
I'm really kind of surprised by the comments in this thread. It's almost like nobody remembers the fairly recent JPEG comment heap overflow problem in Netscape. I can't find the Slashdot comment right off-hand, but do a netsearch for more information. This issue is not that far-fetched, folks.
http://online.securityfocus.com/bid/1503
-
Re:Flawed logic
Not to mention, the bug that actually causes X to crash isn't in mozilla, but a support library for the X server, itself. Mozilla may have been patched, but the root cause is still there and can be triggered by other applications. I don't call that "fixed". Here's a bugtraq post on the real problem:
http://online.securityfocus.com/archive/1/276350
It makes very little sense to me that an application should be able to bring down the X server because it made a library call with an obviously bad parameter. If the library can verify it, it should. Furthermore, it should return an error value and Mozilla should check it. It shouldn't have to abort().
-
Re:And so?
Actually that bug is *not* Mozilla's fault. If you keep up to date with bugtraq, it was later clarified to be an X-Windows problem.