Erik Soderquist | 2 May 21:38 2005

RE: VNC Security

if the VNC data is unencrypted, *any* password you type during the
session (domain admin to update drivers for example) is also sent
unencrypted. and the attacker would not likely be some random hacker,
but rather someone who is targeting the company already. it isn't that
difficult to connect sniffing hardware to say the T1 line to look for
weak points. after a few days surveillance, everything unencrypted is
then captured and analyzed for login/password information. it isn't so
much "low hanging fruit" as it is simply a chink in the armor that can
be exploited. the fewer chinks the better.

as to odds, here is a more common example of overblown paranoia
surrounding a real possibility (the last time I checked this was a while
ago, it may have shifted some):

due to the technological differences, it is far more likely that someone
will steal your credit card number by eavesdropping on an order placed
by phone than by someone sniffing it from an unencrypted internet
transaction.

please note this only examines an actual sniffing attack. phishing and
spyware are not examined in this.

-----Original Message-----
From: vnc-list-admin <at> realvnc.com [mailto:vnc-list-admin <at> realvnc.com] On
Behalf Of Steve Bostedor
Sent: Tuesday, April 19, 2005 20:57
To: Alexander.Bolante <at> gmail.com
Cc: security-basics <at> securityfocus.com; vnc-list <at> realvnc.com
Subject: RE: VNC Security

(Continue reading)

Erik Soderquist | 2 May 21:58 2005

RE: VNC Security

alternative method: you have listening viewer available to the internet
when helping someone, someone installs VNC (in 3.3.7 if you don't put a
password in, it refuses incoming connections) and adds you as a client.
no VNC password is even needed at that point, and the server is never
exposed to the internet if it is behind a NAT router. (also saves the
port forwarding troubles) 

-----Original Message-----
From: vnc-list-admin <at> realvnc.com [mailto:vnc-list-admin <at> realvnc.com] On
Behalf Of Andy Bruce - softwareAB
Sent: Monday, April 25, 2005 19:47
To: Mike Miller
Cc: Steve Bostedor; security-basics <at> securityfocus.com; VNC List
Subject: Re: VNC Security

First--I believe we're talking apples and oranges. VNC is not an 
appropriate solution for a true corporate network unless a firewall and 
a secure link is available (and even then is dodgy). My scenario is
this:

  a. Random user in cyberspace has a problem.

  b. User installs VNC under direction of tech support:
      i. strong password
      ii. not installed as service
      iii. temporary port forwarding only

  c. User allows remote person to login, generally for 20-30 mins.

  d. User stops VNC server process and disables port forwarding
(Continue reading)

Ailton Caetano | 3 May 00:06 2005
Picon

Re: File Integrity / IDS

I could suggest you a very good one written in perl hosted on sourceforge.net

http://sourceforge.net/projects/labrador-ids/

Kelly Martin | 3 May 00:08 2005
Picon

SF new column announcement: Sarbanes Oxley for IT Security?

The following columnist commentary was published on Symantec's
SecurityFocus today:

Sarbanes Oxley for IT Security?
By Mark Rasch
May 02 2005 03:00PM

"Sarbanes Oxley seems wholly focused on the accuracy of a company's
financial records and controls around these records, so where does IT
security come into the picture?"

http://www.securityfocus.com/columnists/322

Jafet Macallin | 3 May 08:03 2005
Picon

Folder Permission Dumpsec


Hello Im using dumpsec to extract the vulnerabilities from multiple domains, but what I need is only the
information of the shared folders who has everyone permision as a default security level,,  I dont need the
files inside the folders ...  this is  part of the script that im using but is giving me the folders and
subfolders ...  I need only the main folder,,
------------------------

Set objFile = objFS.OpenTextFile(ServerListFile, 1)
Do While Not objFile.AtEndOfStream
   strLine = Trim(objFile.ReadLine)     
   if strLine <> "" then
      WScript.Echo "Running report for " & strLine
      objShell.Run "C:\WINNT\system32\cmd.exe /c c:\PROGRA~1\SYSTEM~1\dumpsec.exe /rpt=allsharedirs
/outfile=" & strLine & ".tmp /computer=" & strLine & " /saveas=tsv /showdirsonly", 0, true
   end if
Loop

Paul Guibord | 3 May 14:54 2005
Picon

Unrestricted Outbound Web Server Access Opinion


Hello All,

Someone within our company wants our Internet facing web servers to have
unrestricted outbound access. Port 80 is the only port permitted from
the outside coming in. I need the experts opinion why we do not want to
permit this PLEASE. Two things I could think of are if the web servers
were compromised, then the hacker would have the ability offload any
data they want. Another being if they were infected with a worm they
would bring down the Internet T1 in their attempt to find other devices
to infect.

Thanks in advance for everyone's input.

Paul

James Fryman | 3 May 17:11 2005
Picon

Re: what's this (email question)


I'm pretty sure that by the time that this makes the list, it will be
answered, but my .02 anyway!

It is very easy to forge an address! Check out RFC 821.
http://www.faqs.org/rfcs/rfc821.html

The localhost could be spoofed simply by sending the
'HELO localhost'
before the e-mail. This is why the header showed 'Received from
"localhost'. One could make this header say anything, something stupid
like 'YourMamma.pwn3d', to 'mail1.microsoft.com' or 'smtp.paypal.com'...
designed specifically for phishing attacks.

The only SMTP commands that need to be defined are: (Straight from RFC)

MAIL <SP> FROM:<reverse-path> <CRLF>
RCPT <SP> TO:<forward-path> <CRLF>

After that, telling the SMTP server to begin receiving data for the
actual message, where any of the headers can be changed, including:

From:, To:, Subject:, Reply-To:, etc... the list goes on.

E-Mail is not the most secure medium around. A good place to learn more
about this would be by reading the RFC, as well as delving into some
scripting. I learned quite a bit about SMTP after doing some Perl
scripting using Net::SMTP. There are plenty of books and whitepapers out
there describing how SMTP works, and how open it really is.

(Continue reading)

yonesy | 3 May 23:09 2005
Picon

Re: Windows Service Accounts and Password Expiration

Short answer:

You should enforce expiry, uniqueness and complexity of passwords.

The how is the difficult question.  I was evaluating a product by the
name of Password Auto-Repository by eDMZ based on its white papers it
seemed to do everything I required of it (including changing account
passwords automatically).  This product would also help in the change
of passwords for non-windows systems (*nix, Oracle, etc.).  Hope this
helps!

On 28 Apr 2005 15:46:21 -0000, Jack Mogren <mogren <at> mayo.edu> wrote:
> 
> 
>   Our security policies and standards have always required passwords to expire, requiring account owners
to change the passwords on a specific periodic basis.  We also have standards for when generic or trusted
accounts are acceptable.  For instance, we deem the use of generic accounts acceptable in purely machine -
to - machine batch processes.  Still we require certain criteria, including password expiration.
>   In the Windows server world there are generic accounts called "Service" accounts.  "A rose by any other
name ......."  Until recently, so-called "service" accounts have slipped by this requirement.  But
system admin folks have become more security aware (thank you very much) and some are starting to ask the
question.  Should Windows "service" accounts be required to have password expiration?  I'm getting good
arguments from both sides of the issue.  Application availability VS adherance to standards, industry
best practices, etc.  Keep in mind that we are in a patient care environment.  Any thoughts from the list?
> 
> - Jack
> 

--

-- 
Yonesy F. Nuñez, ISSAP, ISSMP, CISSP, MCSE, Security+
(Continue reading)

Steven Jones | 3 May 00:27 2005
Picon
Picon

RE: how to block ALL AIM traffic ?

Add in random ports, and then sending traffic via port 80, trying to
block some of this stuff is hard work. 

Regards

thing

-----Original Message-----
From: Jesus [mailto:jesus <at> resurrected.us] 
Sent: Saturday, 30 April 2005 2:05 p.m.
To: david kuhlman
Cc: Realized Mofo; security-basics <at> securityfocus.com
Subject: Re: how to block ALL AIM traffic ?

On Thu, 28 Apr 2005, david kuhlman wrote:

> Why don't you just block connections to oscar.login.aol.com?
>
> That works for us.
>
> David Kuhlman

Considering anyone can bypass blocks with a proxy, little you can do
without digging into packet specifics, to block AIM traffic.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"The most tyrannical of governments are those which make
crimes of  opinions, for everyone has an inalienable
right to his thoughts." -- Benedict Spinoza

(Continue reading)

Netops | 3 May 06:23 2005

Re: how to block ALL AIM traffic ?


Decent application level filters can block proxies such as socks 
connections and HTTP tunneling software. The hardest ones are the ones 
the use the "CONNECT" method which most SSL sites use in order to 
function through web proxies.

That can be blocked by only allowing the CONNECT method on port 443 and 
restricting SSL connections to required servers such as banks, airlines 
or other approved sites by managers.

Michael

Jesus wrote:
> On Thu, 28 Apr 2005, david kuhlman wrote:
> 
> 
>>Why don't you just block connections to oscar.login.aol.com?
>>
>>That works for us.
>>
>>David Kuhlman
> 
> 
> Considering anyone can bypass blocks with a proxy, little you can do
> without digging into packet specifics, to block AIM traffic.
> 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> "The most tyrannical of governments are those which make
> crimes of  opinions, for everyone has an inalienable
> right to his thoughts." -- Benedict Spinoza
(Continue reading)


Gmane