Slashdot Mirror

← Back to Domains

Domain: securityfocus.com

Stories and comments across the archive that link to securityfocus.com.

Comments · 2,651

  1. Re:*yawn* by Wakko+Warner · · Score: 2 · on Linux Is Going Down
    Then use this page to compare OSes. Notice that the total number of security holes in all Linux distributions is less than that of Windows NT and 95/98, and that the number in any given distribution of Linux is far less than that of Windows NT.

    --
    * CmdrTaco is an idiot.

  2. Re:Avoiding This Altogether by DrWiggy · · Score: 5 · on Running BIND 4 or 8? Upgrade!

    Does anybody out there have links to some good reference material on this?

    Sure. There is a mailing list over at SecurityFocus called SECPROG that discusses secure programming practises. The idea is to produce a white paper that describes how to write secure code. The draft can be seen here and is probably the definitive how-to in existence at the moment.

    Hope that helps.

  3. Re:yeah... by pjrc · · Score: 2 · on Running BIND 4 or 8? Upgrade!

    Actually, bind, sendmail and wu-ftpd have had a really bad history of aweful bugs. The subject of this message, "WuFTPD: Providing *remote* root since at least 1994" really sums it up pretty well. As mentioned on the Cert page, BIND has had TWELVE Cert Advisories and this makes 13. The even named the 11th one "Continuing Compromises of DNS servers", though I suppose it's just the infamous NXT bug.

  4. Immunix 7 & FormatGuard Resist Ramen by Crispin+Cowan · · Score: 1 · on Cracking All The Live Long Day & RH6/7 Worms
    Upon reviewing the excellent technical summary over at Securityfocus, we found that Immunix's FormatGuard stops all three of the exploits that Ramen uses: Crispin
    ----
    Crispin Cowan, Ph.D.
    Chief Research Scientist, WireX Communications, Inc.
    Immunix: Free Hardened Linux Distribution
  5. Immunix 7 & FormatGuard Resist Ramen by Crispin+Cowan · · Score: 1 · on Cracking All The Live Long Day & RH6/7 Worms
    Upon reviewing the excellent technical summary over at Securityfocus, we found that Immunix's FormatGuard stops all three of the exploits that Ramen uses: Crispin
    ----
    Crispin Cowan, Ph.D.
    Chief Research Scientist, WireX Communications, Inc.
    Immunix: Free Hardened Linux Distribution
  6. Immunix 7 & FormatGuard Resist Ramen by Crispin+Cowan · · Score: 1 · on Cracking All The Live Long Day & RH6/7 Worms
    Upon reviewing the excellent technical summary over at Securityfocus, we found that Immunix's FormatGuard stops all three of the exploits that Ramen uses: Crispin
    ----
    Crispin Cowan, Ph.D.
    Chief Research Scientist, WireX Communications, Inc.
    Immunix: Free Hardened Linux Distribution
  7. Immunix 7 & FormatGuard Resist Ramen by Crispin+Cowan · · Score: 1 · on Cracking All The Live Long Day & RH6/7 Worms
    Upon reviewing the excellent technical summary over at Securityfocus, we found that Immunix's FormatGuard stops all three of the exploits that Ramen uses: Crispin
    ----
    Crispin Cowan, Ph.D.
    Chief Research Scientist, WireX Communications, Inc.
    Immunix: Free Hardened Linux Distribution
  8. Re:Best? maybe - BUT for what ??? by redelm · · Score: 2 · on Slackware 7.2 [Not] Released

    The security comparison URL is here. Caveat lector

    Agreed that most of the vulnerabilities are associated with the programs themselves. Newer versions fix old holes, but may make new ones.

    The distro can influence the final result by /etc/passwd, permissions, crontabs and the other configurations it makes or simply not installing some questionable pgms by default.

  9. Re:Hmmm. Is this a Linux story in the making? by ryanr · · Score: 2 · on U.S. Significantly Lowers Export Limitations

    Like this one? :)

    http://www.securityfocus.com/news/134

  10. IP Blacklist by Desdinova77 · · Score: 1 · on Undernet In Serious Trouble: Any Suggestions? (Updated)

    There was some discussion on one of the Security Foucus mailing lists that pondered the idea of an IP Blacklist that ISPs could use. The basic idea was that when a site is used in a DDOS attack they get added to this list then the ISPs black hole *all* the packet too and from the site. This means mail, web everything. This gives the sites that are being comprimised a real motive to secure thier sites. The basisc idea is that if you can't kept your box secure you become unreachable untilit's fixed. With something like this the admins that care will fix thier sites the ones that don't simply wont matter. The discussions died out while trying to figure out to administer soemthing like this. I still think it it would be a great idea if those issues can be worked out.

  11. General Question about Bounds Overflow issues by ka9dgx · · Score: 2 · on Buffer Overflow In All Shockwave Players
    Even the NSA can't release code without Bounds Overflow issues. My question is why? Please pick one... or tell me what I missed:
    • Progams are written in C, which doesn't like to do bounds checking
    • Programmers turn off bounds checking, because it slows things down too much
    • It's too difficult to do bounds checking code that works cross-platform
    • Bounds checking isn't a language feature, it belongs in the OS
    • Because OS designs tend to be flat, non-object-oriented, this will be a problem forever
    • Mike... you just don't have a clue... the real reason involves Natalie Portman, Nudity, and Hot Grits
    Well... what's up? Why have I never had this problem with my stuff? I do my programming in Delphi under Windows.

    --Mike--

  12. This has been out for a while.... by Calle+Ballz · · Score: 5 · on Buffer Overflow In All Shockwave Players

    But I guess they feel that it is now a bigger threat. Maybe joecartoon and killfrog have been rooting our boxes unsuspectingly for the last year, and they are not catching on.

    Oh well, my favorite resource has some more information here

  13. This has been out for a while.... by Calle+Ballz · · Score: 5 · on Buffer Overflow In All Shockwave Players

    But I guess they feel that it is now a bigger threat. Maybe joecartoon and killfrog have been rooting our boxes unsuspectingly for the last year, and they are not catching on.

    Oh well, my favorite resource has some more information here

  14. Say Word by xp0rnstar · · Score: 1 · on Microsoft Hack a National Security Threat

    Its funny how the government is now looking into possibly not using Microsoft products based on this incident. Last I checked at Attrition they couldn't even lock down their Unix stations either.

    Maybe Mickeysoft should just open their source code to the industry everyone knows their op sys can only get better this way and maybe their programmers could stop focusing on all the patches they have to create stemming from posts @ SecurityFocus

    Does this mean that since Glock sells to foreigners some of whom may be terrorists they should stop using them for possible leaks of information to customers, or perhaps because they'll be a fair leverage?

    Gov sucks.

    Windows2000 Spoof

  15. Bugtraq discussion by cvore · · Score: 1 · on Silverman Responds To 'End of SSL And SSH'

    This subject has been discussed for some time now on bugtraq, the discussion can be found on bugtraqs archive in "last week" and before

  16. Re:ext2 not quite as bad as shown here by Anonymous Coward · · Score: 1 · on Very Non-Biased FreeBSD Review

    The difference is that, last I checked, in Linux root can unset these flags.

    I'm not sure if that was ever true, but it isn't now. See this article. Basically, Linux has a master capability set. If you remove a capability, like the one to modify these flags, it's gone from the system and only init can change it back. The parallel to the BSD securelevel concept is obvious.

  17. New statement from bugtraq by cronack · · Score: 1 · on L0pht Joins MS As BUGTRAQ Outcasts

    A full description of the statement can be found here.
    A full description of @Stake's response can be found here.
    A full description of Microsoft's response can be found here.

  18. Hang on by ryanr · · Score: 3 · on L0pht Joins MS As BUGTRAQ Outcasts

    Geeze... people would love to create a war where there is none.

    First of all, you can see Weld's reply to Elias' post here:

    http://www.securityfocus.com/archive/1/150706

    I don't think anyone can accuse @stake of being anti full-disclosure.

    Second, no individual or group has been "banned". Elias decides what to allow on a per-post basis. If someone sends a message without any detail, he won't allow it, as indicated. Doesn't matter if it's Microsoft, the L0pht, or me. If someone sends a message with some good detail, he will let it through.

    Don't forget that Bugtraq is an e-mail list. People want to read the stuff in e-mail format. If folks want to see bugs on the web, they can look at our vulnerability database, or visit the MS or @stake website.

  19. Re:Less Accessible. by forgey · · Score: 2 · on L0pht Joins MS As BUGTRAQ Outcasts
    Why don't you try following BugTraq a little. If you did then you might have seen this message from Weld Pond which explains the reasoning behind the switch.

    Date: Wed, 13 Dec 2000 16:24:53 -0500
    From: Weld Pond
    To: BUGTRAQ@SECURITYFOCUS.COM
    Subject: @stake Advisory Notification Format

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    I think everyone out there knows that we are committed to full disclosure and the concept of freely available security advisories. Many vendors do not issue bulletins after we report problems to them, even after they subsequently fix the problems. Without advisories from independant researchers there is no check on product vendors. This is a service that we give to the security community because we think it is the right thing to do with the fruits of our research. With our new mailing list notification format we have not changed this one bit. We are giving out more information now in our advisories than we ever have before, so we are certainly not witholding anything. Quite the opposite. Over the past few months we have expanded our overview sections that allow non-technical people to scope the problem. We have expanded our detailed technical discussions of issues, many times including detailed source code examples. And, I think most importantly, we have greatly expanded our solutions discussion so that people are not always reliant on vendor patches. We need many was to mitigate vulnerabilities because there are many environments.

    The advisory notifiction format we are using has about the same amount of information as the paraphrased advisories that Elias posted for the latest Microsoft advisories and the same amount of information that some other researchers post in their advisories. This is more than enough information to decide if the issue at hand effects you and you need to dive deeper into our analysis.

    What we are doing is adding more information than we have in the past and we are adding it on our web site. There are plans to add much more. We think that our web site and its accompanying web technology is the best place to expand our free information dissemination into the future. We have many ideas in store that I know people will appreciate. Of course, notifications of important information releases will be made to mailing lists that accept them so everyone who wishes to can read and use the information. We may even set up our own notification list if there is a demand for that.

    We have stayed away from cluttering up our advisories with marketing gorp, like ads about our services or ads about our company like many commercial research teams do. We pride ourselves in publishing our research on an academic level and always have. This will not change.

    weld

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0

    iQA/AwUBOjfpbaKvhX2AQSGyEQL27gCeKYX8tX++ormy4c/v1q e2RtlSn7gAoOzg
    C9aiKSrI694BEHvkh8uRE+mn
    =MyCw
    -----END PGP SIGNATURE-----

  20. Re:Incorrect info... by DaveHowe · · Score: 4 · on L0pht Joins MS As BUGTRAQ Outcasts

    Pretty close - as @stake spin it, they are not giving any less info than they have ever done, but are merely adding ADDITIONAL information to their bulletins on their website - which is their option. @stake aren't a vendor, so don't have any duty to customers, and aren't trying to assert any control over the basic alert. anyhow, decide for yourself - their message to the bugtraq users is available in the archives for you to read....
    --

  21. Re:Business as usual by Prophet+of+Doom · · Score: 1 · on L0pht Joins MS As BUGTRAQ Outcasts

    If you know Weld Pond personally (I do) you'd probably have a different opinion. I think his quote in this particular article was paobably taken a bit out of context, or at least placed in the wrong context. I know that Mudge pushed fairly hard for the compromise that has actually been reached with BugTraq.

  22. Warning: No Content Post by locust · · Score: 2 · on BugTraq No Longer Able To Publish MS Security UPDATED
    That great post is here.

    Basically xato went out and tried to figure out which bugs existed, which bug affected a given ms system, and which hot fix works for that bug... It was hell.

    --locust

  23. Re:READ the article before you submit it! by mwa · · Score: 1 · on BugTraq No Longer Able To Publish MS Security UPDATED
    Elias Levy is refusing to publish "No Content Advisories" to the BuqTraq list. I agree with that decision. And advisory that says nothing is not an advisory and adds no value to the BugTraq mission.

    Yes, the vulnerability can still be summarized and published, but that adds a layer between the true and only source of information (in the case of propriatry software) and the BugTraq audience. We will miss the dialog when BugTraq subscribers challenge the Microsoft advisories for failing to resolve, or even understand, the issues. This is a regular occurance when it comes to MS advisories.

    Personally, I think they are doing this because they are tired of getting called on the carpet when their "fixes" aren't, their "workarounds" don't, and their downplaying of the real impact is trounced.

  24. The story is not accurate. Please read. by dudle · · Score: 3 · on BugTraq No Longer Able To Publish MS Security UPDATED
    I have been following the story on Bugtraq and it's a little bit different than what the article suggests. Allow me to clear that up a bit.

    Microsoft changed the format in which they send their advisories. Before, they use to send their emails with the full advisory in plain text included in the email. For example, consider this one sent by them on Thu, 16 Nov 2000: here

    Then came advisories sent in a different format. Instead of including the full text including a description of the bug, workarounds, etc, Microsoft decided to include only a couple of URL's and that's it. You can see an example of this here. As you can see, it a pain in the ass to read and getting the information becomes really hard.

    What happens next (on Tue Dec 05), is that Elias Levy (a.k.a. Aleph1, Bugtraq moderator) decides that he will not accept advisories in this new format. You can read what he wrote here but allow me to quote:

    I will no longer be approving any advisories with little or no content that point you to some other place for information.

    Pretty isn't it.

    What happened NEXT is where the /. story starts. On the same day, Elias took a Microsoft's advisory and copy-and-pasted it plain text in an email sent to Bugtraq. You can read the message here. Please note that this email has been sent from Elias Levy (aleph1@securityfocus.com) and not from the usual Microsoft address. This is where Microsoft got pissy.

    In this email, Elias give the tone and I quote:

    It seems Microsoft was not very amused at my posting of their advisory to the list the other day.

    And now we can start talking about Microsoft actions but I guess that if you read my post, you understand better what really happened. As a last note, let me repeat what has been said on Bugtraq. A email address has been created by Microsoft for us to give them feedback about their new format. This email is secfdbck@microsoft.com. Please tell them what you think about their new format.

  25. The story is not accurate. Please read. by dudle · · Score: 3 · on BugTraq No Longer Able To Publish MS Security UPDATED
    I have been following the story on Bugtraq and it's a little bit different than what the article suggests. Allow me to clear that up a bit.

    Microsoft changed the format in which they send their advisories. Before, they use to send their emails with the full advisory in plain text included in the email. For example, consider this one sent by them on Thu, 16 Nov 2000: here

    Then came advisories sent in a different format. Instead of including the full text including a description of the bug, workarounds, etc, Microsoft decided to include only a couple of URL's and that's it. You can see an example of this here. As you can see, it a pain in the ass to read and getting the information becomes really hard.

    What happens next (on Tue Dec 05), is that Elias Levy (a.k.a. Aleph1, Bugtraq moderator) decides that he will not accept advisories in this new format. You can read what he wrote here but allow me to quote:

    I will no longer be approving any advisories with little or no content that point you to some other place for information.

    Pretty isn't it.

    What happened NEXT is where the /. story starts. On the same day, Elias took a Microsoft's advisory and copy-and-pasted it plain text in an email sent to Bugtraq. You can read the message here. Please note that this email has been sent from Elias Levy (aleph1@securityfocus.com) and not from the usual Microsoft address. This is where Microsoft got pissy.

    In this email, Elias give the tone and I quote:

    It seems Microsoft was not very amused at my posting of their advisory to the list the other day.

    And now we can start talking about Microsoft actions but I guess that if you read my post, you understand better what really happened. As a last note, let me repeat what has been said on Bugtraq. A email address has been created by Microsoft for us to give them feedback about their new format. This email is secfdbck@microsoft.com. Please tell them what you think about their new format.

  26. The story is not accurate. Please read. by dudle · · Score: 3 · on BugTraq No Longer Able To Publish MS Security UPDATED
    I have been following the story on Bugtraq and it's a little bit different than what the article suggests. Allow me to clear that up a bit.

    Microsoft changed the format in which they send their advisories. Before, they use to send their emails with the full advisory in plain text included in the email. For example, consider this one sent by them on Thu, 16 Nov 2000: here

    Then came advisories sent in a different format. Instead of including the full text including a description of the bug, workarounds, etc, Microsoft decided to include only a couple of URL's and that's it. You can see an example of this here. As you can see, it a pain in the ass to read and getting the information becomes really hard.

    What happens next (on Tue Dec 05), is that Elias Levy (a.k.a. Aleph1, Bugtraq moderator) decides that he will not accept advisories in this new format. You can read what he wrote here but allow me to quote:

    I will no longer be approving any advisories with little or no content that point you to some other place for information.

    Pretty isn't it.

    What happened NEXT is where the /. story starts. On the same day, Elias took a Microsoft's advisory and copy-and-pasted it plain text in an email sent to Bugtraq. You can read the message here. Please note that this email has been sent from Elias Levy (aleph1@securityfocus.com) and not from the usual Microsoft address. This is where Microsoft got pissy.

    In this email, Elias give the tone and I quote:

    It seems Microsoft was not very amused at my posting of their advisory to the list the other day.

    And now we can start talking about Microsoft actions but I guess that if you read my post, you understand better what really happened. As a last note, let me repeat what has been said on Bugtraq. A email address has been created by Microsoft for us to give them feedback about their new format. This email is secfdbck@microsoft.com. Please tell them what you think about their new format.

  27. The story is not accurate. Please read. by dudle · · Score: 3 · on BugTraq No Longer Able To Publish MS Security UPDATED
    I have been following the story on Bugtraq and it's a little bit different than what the article suggests. Allow me to clear that up a bit.

    Microsoft changed the format in which they send their advisories. Before, they use to send their emails with the full advisory in plain text included in the email. For example, consider this one sent by them on Thu, 16 Nov 2000: here

    Then came advisories sent in a different format. Instead of including the full text including a description of the bug, workarounds, etc, Microsoft decided to include only a couple of URL's and that's it. You can see an example of this here. As you can see, it a pain in the ass to read and getting the information becomes really hard.

    What happens next (on Tue Dec 05), is that Elias Levy (a.k.a. Aleph1, Bugtraq moderator) decides that he will not accept advisories in this new format. You can read what he wrote here but allow me to quote:

    I will no longer be approving any advisories with little or no content that point you to some other place for information.

    Pretty isn't it.

    What happened NEXT is where the /. story starts. On the same day, Elias took a Microsoft's advisory and copy-and-pasted it plain text in an email sent to Bugtraq. You can read the message here. Please note that this email has been sent from Elias Levy (aleph1@securityfocus.com) and not from the usual Microsoft address. This is where Microsoft got pissy.

    In this email, Elias give the tone and I quote:

    It seems Microsoft was not very amused at my posting of their advisory to the list the other day.

    And now we can start talking about Microsoft actions but I guess that if you read my post, you understand better what really happened. As a last note, let me repeat what has been said on Bugtraq. A email address has been created by Microsoft for us to give them feedback about their new format. This email is secfdbck@microsoft.com. Please tell them what you think about their new format.

  28. The story is not accurate. Please read. by dudle · · Score: 3 · on BugTraq No Longer Able To Publish MS Security UPDATED
    I have been following the story on Bugtraq and it's a little bit different than what the article suggests. Allow me to clear that up a bit.

    Microsoft changed the format in which they send their advisories. Before, they use to send their emails with the full advisory in plain text included in the email. For example, consider this one sent by them on Thu, 16 Nov 2000: here

    Then came advisories sent in a different format. Instead of including the full text including a description of the bug, workarounds, etc, Microsoft decided to include only a couple of URL's and that's it. You can see an example of this here. As you can see, it a pain in the ass to read and getting the information becomes really hard.

    What happens next (on Tue Dec 05), is that Elias Levy (a.k.a. Aleph1, Bugtraq moderator) decides that he will not accept advisories in this new format. You can read what he wrote here but allow me to quote:

    I will no longer be approving any advisories with little or no content that point you to some other place for information.

    Pretty isn't it.

    What happened NEXT is where the /. story starts. On the same day, Elias took a Microsoft's advisory and copy-and-pasted it plain text in an email sent to Bugtraq. You can read the message here. Please note that this email has been sent from Elias Levy (aleph1@securityfocus.com) and not from the usual Microsoft address. This is where Microsoft got pissy.

    In this email, Elias give the tone and I quote:

    It seems Microsoft was not very amused at my posting of their advisory to the list the other day.

    And now we can start talking about Microsoft actions but I guess that if you read my post, you understand better what really happened. As a last note, let me repeat what has been said on Bugtraq. A email address has been created by Microsoft for us to give them feedback about their new format. This email is secfdbck@microsoft.com. Please tell them what you think about their new format.

  29. Re:I can see their point. by stevey · · Score: 3 · on BugTraq No Longer Able To Publish MS Security UPDATED

    Security through obscurity works, in the end.

    Sorry, but that's exactly wrong - security through obscurity doesn't work .. not longterm anyway.

    There have been many programs in wide scale use, with no source, that have been exploited by [ch]rackers - all it takes is one knowledgable person, and a dissasembler.

    I've spent many a happy evening at home reverse engineering communications protocols, and the like - theres a fine example of something thats not automatically secure just because the details aren't published.

    But the only way the hackers find out is by reading bugtrak

    Granted some script kiddie[sz] will find details of exploits from reading SecurityFocus, and BugTrack - but if those sites didn't exist they'd be talking about them on IRC anyway.

    A talented [hc]racker isn't going to need somebody to spoonfeed him/her exploits - they will sit and discover them by examining source code, or binaries.


    Steve
    ---
  30. My own horn by Knight · · Score: 2 · on Who Can You Trust to Test Your Network Security?

    This will come off as a bit biased (which it is), but I work for a company that has written some software called Hailstorm that's very good at helping you test your own security. It's especially good in situations where you have written something custom, whether it be a CGI script or some sort of server program. It succeeds where security scanners fail, because it can help you find problems that are previously unknown. To see it in action analyzing IDS systems, check out the article at SecurityFocus. Good security consulting firms are VERY expenseive, so Hailstorm may be a good choice depending on what you are really looking for.

    If you want to hire a security firm, I would suggest a few different companies: Securify, a division of Kroll-O'Gara; Guardent; Ernst & Young; @Stake; and Foundstone.

    Also, if you are interested in trying out Hailstorm (which, for the time being, only runs on NT 4.0/W2K, although it can test applications on any OS), shoot me an email (removing the obvious part), and I'll help you out. A trial version can be downloaded at www.ClickToSecure.com.

  31. Impacts IDS (Intrusion Detection Systems) too by brassman · · Score: 1 · on The Fight For End-To-End: Part One
    Interesting to hear a name attached to this.

    Recently, security lists (like Bugtraq) have been getting more and more traffic about "attacks" that turn out to be one proprietary outfit or another pumping out packets to "map" the Net. (Screw the admin who is trying to figure out what the hell they're up to; some of them wouldn't tell, even when asked directly.)

    How do you get this sort of information in an e2e environment? Shouldn't there be a less wasteful way to determine this sort of thing?

  32. Re:Hah! They deserve it! by Anonymous Coward · · Score: 1 · on NIPC Warns Of E-Commerce Vulnerabilities
    Yeah, with unix at least you get properly secured tools like And it also allows you to run And best of all, there are hardly ever any security problems reported for it!
  33. Re:Increasing problems... by Pieter-Bas · · Score: 1 · on NIPC Warns Of E-Commerce Vulnerabilities
    Microsoft has a security buletin that they send out to inform everyone of the security leaks in Micorsoft products. We received 93 nw buletins and numerous updates this year (3 today...). I don't want to defend Microsoft, but I very much doubt they brag about their security in any other way than relative to prior versions.

    Second: Linux is hardly ever specifically mentioned. Most security problems are application problems, not kernel problems and affect all *nixes. Linux kernel problems are as rare as Windows NT kernel problems.

    Typically Win32 problems are with IIS, LanManager, IE and Office. Recent *nix problems have to do with apache/mysql, samba, bind, bash, ssh, identd etc. The only problems that haunt mostly the Windows OS are the Integration (and Visual Basic) related problems. Apparently that is just too complex to get secure. It's the fact that there is virtually no integration between most *nix applications that saves the *nix community from this *for now*.

    Links: [Microsoft Security] [SecurityFocus] [CERT]

    --

  34. How appropriate... by Johnath · · Score: 3 · on NIPC Warns Of E-Commerce Vulnerabilities

    ... that securityfocus has just recently started up a new mailing list to handle the Secure Programming questions whose lack of answers lead to a lot of these problems. Of course, site admins should keep up on Bugtraq postings for whatever software they use, but it's the secprog list that is discussing the development of safe programming techniques and identification of dangerous constructs.

    To get more information and potentially sign up, click here.

  35. How appropriate... by Johnath · · Score: 3 · on NIPC Warns Of E-Commerce Vulnerabilities

    ... that securityfocus has just recently started up a new mailing list to handle the Secure Programming questions whose lack of answers lead to a lot of these problems. Of course, site admins should keep up on Bugtraq postings for whatever software they use, but it's the secprog list that is discussing the development of safe programming techniques and identification of dangerous constructs.

    To get more information and potentially sign up, click here.

  36. Old issue by Calle+Ballz · · Score: 5 · on NIPC Warns Of E-Commerce Vulnerabilities

    The NIPC is way behind the times. These exploits have been out for a while now, they are nothing new. Just because a certain ammount of sites are getting hit just recently doesn't mean that extra precaution should be made now. The precautions should have been taken a long time ago. Microsoft can put out some pretty secure stuff if the gaping holes like the MDAC vulnerability are closed. They forgot an even bigger IIS vulnerability as well. The new UNICODE vulnerability affects IIS 4.0 and IIS 5.0. It's the easiest vulnerability that I have seen yet. http://target/scripts/..%c0%af../winnt/system32/cm d.exe?/c+dir. Sorry to come off strong, but if people would just pay attention to the resources out there like www.securityfocus.com then articles like these wouldn't be so common.......dick

  37. To protect yourself... by jesser · · Score: 3 · on AOL Still Working On AIM Security Hole
    I just registered sseRud (my screen name minus the first two letters) so nobody can do this to my main screen name. I also registered jsserud and tried to register esserud because the securityfocus and upsidetoday articles didn't convince me that I didn't need to register them as well. Esserud turned out to already be registered, which surprised me, but it's not important that I own those userids, just that the buggy registration thingie knows they're not available.

    (Note: I'm not trying to imply that it's ok for there to be such a huge security hole by posting these instructions to slashdot. I just want to point out that it's possible to protect your account without going through too much trouble.)

    Moderators: I'm above the karma cap, but I'm still a karma whore, so do whatever you want to this post.

    --

  38. Re:credit card numbers? by maquina · · Score: 3 · on AOL Still Working On AIM Security Hole

    The credit card numbers that are mentioned in the article are the ones being traded to acquire more desirable screen names.

    From the Article in Security Focus:
    Credit Cards Abused
    Hackers initially discovered that they could set uni_next_atom_typed to two blank spaces and create indented screen names on new AOL accounts. When it developed that the same technique could be used to take over AIM accounts, something of a screen name gold rush ensued among a mostly juvenile group of hackers eagerly snatching up the most attractive names, according to Lamo.
    Because AOL's sign-up process requires a valid credit card number, many of these hackers have taken up credit card fraud to feed their screen name habit. "People trade desirable screen names for [stolen] credit card numbers, which are then used to make more desirable screen names," Lamo says. "It's a vicious cycle."
    For full story visit link:
    http://www.securityfocus.com/news/119

    --------
    Maquina
    http://director.chessmasters.com/maquina

  39. Re:2 questions by cd_Csc · · Score: 3 · on AOL Still Working On AIM Security Hole

    Here is a detailed explanation of SecurityFocus

  40. Re:ICQ by Calle+Ballz · · Score: 1 · on AOL Still Working On AIM Security Hole

    ICQ wouldn't be the best choice, no matter who they're owned by. First of all the newest version of ICQ's installation file is 5 megs, uncompressed it takes about 7-8 megs of disk space (just for a messenger program). That and it isn't the most secure IM application either. I found this link on www.securityfocus.com which lets other people access your account. It only affects the user locally, but look at how many college computer labs have ICQ installed on them........

  41. Re:ICQ by Calle+Ballz · · Score: 1 · on AOL Still Working On AIM Security Hole

    ICQ wouldn't be the best choice, no matter who they're owned by. First of all the newest version of ICQ's installation file is 5 megs, uncompressed it takes about 7-8 megs of disk space (just for a messenger program). That and it isn't the most secure IM application either. I found this link on www.securityfocus.com which lets other people access your account. It only affects the user locally, but look at how many college computer labs have ICQ installed on them........

  42. Not everyone who uses AIM is vulnerable... by D'Arque+Bishop · · Score: 3 · on AOL Still Working On AIM Security Hole
    Well, true, AIM users who are NOT AOL subscribers are possibly vulnerable, but there were a couple of exceptions to this vulnerability, according to a SecurityFocus article:

    Once an AOL account exists under an AIM screen name it cannot be hijacked again--although a separate loophole allows hackers to create AOL accounts that automatically disappear from the system shortly after creation.

    Users of AOL's subscription service are not vulnerable. Because of the nature of the bug, AIM users with screen names that, minus the first two letters, are already taken are also immune: i.e., if Hn Doe has an AIM account, then John Doe's is safe.

    Makes me glad I already have an AOL account as a backup dialup...

  43. Re:Why? by jwy · · Score: 1 · on Pro-Linux Mail Trojan Running Around
    This was contemplated, written, and subsequently discussed on bugtraq (but never released). Here's the original announcement of the benign trojan (called Antibody):

    original post

    Here's the bugtraq community collectively tearing this guy a new asshole:

    tearing

  44. Re:Why? by jwy · · Score: 1 · on Pro-Linux Mail Trojan Running Around
    This was contemplated, written, and subsequently discussed on bugtraq (but never released). Here's the original announcement of the benign trojan (called Antibody):

    original post

    Here's the bugtraq community collectively tearing this guy a new asshole:

    tearing

  45. vuln-dev by ryanr · · Score: 2 · on More On The SDMI Crack & Why Digital Sigs Are Not

    There was a thread about this on the vuln-dev list as well:

    hacksdmi?

  46. Re: Not designed for direct linking? Sure it is. by jihad23 · · Score: 1 · on Quova Inc. Completes Trace of 4 billion IP Addresses

    But god forbid you try to read the article without having to scroll endlessly in that annoying little box they have.

    The article is actually here:
    h ttp://w ww.securityfocus.com/templates/article.html?id=110 &_ref=2090582999

    Try reading that with JavaScript turned on and you'll be redirected back to that horrible layout of theirs.

    Security Focus is a great site, but they've got one of the worst designs (in terms of usability) I've ever seen.


    --
    Turn on, log in, burn out...
  47. Eh? by Cloud+9 · · Score: 1 · on Quova Inc. Completes Trace of 4 billion IP Addresses

    (Sorry, but Security Focus is not designed for direct linking; click on the link that says "Scanning Mystery Solved.")

    This link was clearly marked on the bottom of the news report. It seems they like the linkage just fine.

  48. Not designed for direct linking? Sure it is. by IvyMike · · Score: 1 · on Quova Inc. Completes Trace of 4 billion IP Addresses

    Down at the bottom of the article in question, there's a bit of text that reads:

    Want to link to this article? Use this URL: < http://www.securityfocus.com/news/110>

    Whoops.

  49. Direct link by Chris+Pimlott · · Score: 2 · on Quova Inc. Completes Trace of 4 billion IP Addresses

    This link appears to work just fine.

  50. Roxen: GPL'd ColdFusion on steroids (?) by szap · · Score: 1 · on 4 Web Scripting Languages Compared
    From what I saw of ColdFusion, Roxen Webserver (not to be confused with Platform, their add-on which is a fully featured XSLT'd Content Manager, but not Free) was very similar. I say "was" because that was Roxen 1.x, Roxen 2.x is now XML compliant (tags must be closed, etc). Some comments on Roxen, nee Spinner:
    • Their server is fully written in Pike, a GPL'd decendant of lpc, which looks like C with OOP, GC, etc. This means that the same damn source can run on NT as well as *nix, provided Pike is happily running on the OS. And Pike is fast, VERY fast.
    • On certain setups (static pages), Roxen Webserver 2.x beats the crap out of Apache 1.2.x. Yes, I've tested this. Yes, a webserver written in an interpreted language beats Apache.
    • Security Focus runs it. In fact, Aleph One occasionally pops into the Roxen and Pike mailing lists.
    • Web browser frontend, in addition to config files in XML
    • Modules (think mod_redirect, etc) for Roxen is ridiculously easy to write compared with Apache's
    • RXML, an XML extension of XHTML. This is also amazingly powerful. Wanna render a TrueType text into your webpage? <gtext nfont="Arial">Hello, World!</gtext> and the damn thing actually renders it automagically. Gotta be seen to believe it. Works with CGI, PHP, mod_perl or JSP (not tested personally) too.
    • Experimental mod_perl, java, etc.
    • The documentation needs more work, though.
    • Kitchen sink not included

    We've been using Roxen for nearly a year now. And it really is a very productive environment. Roxen is hard to be categorized since it's both a webserver and contains its own scripting/markup language AND still works with other scripting languages.