Peter Besenbruch | 1 Dec 03:42 2007

Re: High Value Target Selection

On Friday 30 November 2007 09:02:26 gmaggro wrote:
> I think it'd be interesting if we started a discussion on the selection
> of high value targets to be used in the staging of attacks that damage
> significant infrastructure. The end goals, ranked equal in importance,
> would be as follows:

[big snip]

So, you wanted to send a little Christmas present to the NSA folks monitoring 
the Internet backbone? Make their unutterably boring lives a little 
more "interesting?"

We live in "interesting" times (not a good thing). I was over at the Mycroft 
site, and noticed that there was a Firefox search extension for Scroogle that 
uses encryption. There was another encrypted search tool for Wikipedia.

http://mycroft.mozdev.org/download.html?name=scroogle&sherlock=yes&opensearch=yes&submitform=Search
http://mycroft.mozdev.org/download.html?name=secure+wikipedia&sherlock=yes&opensearch=yes&submitform=Search

-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

coderman | 1 Dec 06:27 2007

Re: High Value Target Selection

On Nov 30, 2007 11:02 AM, gmaggro <gmaggro <at> rogers.com> wrote:
> I think it'd be interesting if we started a discussion on the selection
> of high value targets

translation: let's discuss how to discern high degree and/or vulnerable
nodes in critical infrastructure networks.

> 1. To bring like minded people together while operating under the
> strategy of 'leaderless resistance'
> (http://en.wikipedia.org/wiki/Leaderless_resistance)

*yawn*


> 2. To be the 'aboveground' partner to the 'underground' scene, or at
> least serve to distract authorities from the activities of underground
> groups

... ZZzzzzZZZ ... you're losing me, jim.

> 3. To see exactly what can be accomplished, and accomplish it

pretty easy to make inferences once you've mapped out the critical
infrastructure in question.  this is of course a little more difficult now
given the mostly inept attempts to rein in useful information on such
infrastructure.  (the easy days of pulling up fiber plats via county/gov
websites are long gone...)

as for actual attacks, you'll be biting the hand that feeds...
(i'll wait for that decentralized wireless mesh net before slicing

Williams, James K | 1 Dec 09:37 2007

Re: ZDI-07-069: CA BrightStor ARCserve Backup Message Engine Insecure Method Exposure Vulnerability


> Date: Wed, 28 Nov 2007 03:32:51 +0000
> From: cocoruder. <frankruder <at> hotmail.com>
> Subject: Re: [Full-disclosure] ZDI-07-069: CA BrightStor 
>           ARCserve Backup Message Engine Insecure Method Expos
> To: <full-disclosure <at> lists.grok.org.uk>, <bugtraq <at> securityfocus.com>
>
> it is so amazing that the vendor's advisory has been released 
> more than one month ago, (see my advisory of a similar vul at 
> http://ruder.cdut.net/blogview.asp?logID=221), and another thing 
> is that I have tested my reported vul again after CA's patch 
> released one month ago, but in fact they have not fixed it!! I 
> report it again to CA but there is no response, I guess CA is 
> making an international joke with us:), or because this product 
> is sooooooooo bad that they will not support it any more?  
> welcome to my blog:http://ruder.cdut.net

cocoruder,

We have not received any email from frankruder <at> hotmail, but we did 
receive an email about this issue from hfli <at> fortinet on 
2007-10-15.  We responded to that email on 2007-10-15.

FYI, we are currently wrapping up QA on new patches, and we have 
contacted hfli <at> fortinet with details.

Regards,
Ken

Ken Williams ; 0xE2941985

Slythers Bro | 1 Dec 11:27 2007

Re: PlayStation 3 predicts next US president (fwd)

is it real ?

Major Malfunction | 1 Dec 11:25 2007

DC4420 - London DEFCON chapter Christmas Party - 11th December

hi all,

you are cordially invited to the final DC4420 meet of 2007, which will 
be held on Tuesday the 11th December, at the usual location - Charing 
Cross Sports Club, Charing Cross Hospital:

http://www.multimap.com/map/browse.cgi?lat=51.4857&lon=-0.2194&scale=5000&icon=x

more info here:

   http://dc4420.org

we have the bar to ourselves and there will be no particular agenda 
other than drinking the place dry, eating good food and socialising, but 
we will definitely also be celebrating Alien's continued presence on our 
home planet after his near miss with the man in the black cloak!

all are welcome... "fight club" speaking rules are suspended for the 
evening, so bring a friend or two and make this a party to remember!

cheers,
MM
-- 
"In DEFCON, we have no names..." errr... well, we do... but silly ones...


Gobbles is back | 1 Dec 13:55 2007

Phioust gets all emotional to gobbles and friends ...

Phioust means business with his real name and all those philosopher (HAAAA), CISSP and MCSE (lol) degrees ... see for urself in his dangerously sexy email ... in response to our spam threat :)
 
---------- Forwarded message ----------
From: phioust <phioust <at> gmail.com>
Date: Nov 30, 2007 9:33 PM
Subject: spam?
To: isbackgobbles <at> googlemail.com

i suggest you do not make any more threats, believe me, i have lots of contacts to track you down ..

--
Lionel Phioust

Phd, CISSP, MCSE
 
 
ohhhh f33r the b33r, he owns 100 TOR nodes, 10000 wireless hotspots and one lesbian gmail server admin to track our IP's .. wuuuuu !!!!
 
Spammers - We got Phioust's real name for yaall, self pat on the back for good work. ohhh wait wait .. let's make him a bit more jobless by the oath of google
 
Lionel Phioust, security, exploits, bugtraq, scriptkiddie, lamer, idiot, bisexual, Phioust. ROFL
 

Note - Some of our concerned fans suspect us not to be gobbles. I will save all those online forensic retards the time to analyse our emails and come straight to the point .. in w00w00 style .. 10 europeans, 15 asians, 11 americans and one hell of a funny little turkey .. 5 members required to not f33r w00w00 might .. and no .. Shok doesn't look like Marilyn Manson's gimp boy !!! .. well the gimp suit was stitched by us ..

 

Kristian Erik Hermansen | 1 Dec 14:06 2007

MD5 algorithm considered toxic (and harmful)

I know of many commercial security products which still utilize MD5 to
prove integrity of the data they distribute to customers.  This should
no longer be considered appropriate.  Now that tools are readily
available to exploit newer MD5 collision research, I think it is safe
to say that the public should retire its usage for good.

Read the most recent research regarding chosen-prefix collisions:
http://www.win.tue.nl/hashclash/EC07v2.0.pdf

A concrete example for your perusal:
khermans <at> khermans-laptop:/tmp$ wget http://www.win.tue.nl/hashclash/SoftIntCodeSign/HelloWorld-colliding.exe
--04:36:32--  http://www.win.tue.nl/hashclash/SoftIntCodeSign/HelloWorld-colliding.exe
           => `HelloWorld-colliding.exe'
Resolving www.win.tue.nl... 131.155.70.190
Connecting to www.win.tue.nl|131.155.70.190|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 41,792 (41K) [application/octet-stream]

100%[====================================>] 41,792       109.16K/s

04:36:33 (108.92 KB/s) - `HelloWorld-colliding.exe' saved [41792/41792]

khermans <at> khermans-laptop:/tmp$ wget http://www.win.tue.nl/hashclash/SoftIntCodeSign/GoodbyeWorld-colliding.exe
--04:36:37--  http://www.win.tue.nl/hashclash/SoftIntCodeSign/GoodbyeWorld-colliding.exe
           => `GoodbyeWorld-colliding.exe'
Resolving www.win.tue.nl... 131.155.70.190
Connecting to www.win.tue.nl|131.155.70.190|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 41,792 (41K) [application/octet-stream]

100%[====================================>] 41,792       127.20K/s

04:36:38 (126.82 KB/s) - `GoodbyeWorld-colliding.exe' saved [41792/41792]

khermans <at> khermans-laptop:/tmp$ ls -lsha *.exe
44K -rw-r--r-- 1 khermans khermans 41K 2007-11-23 01:08 GoodbyeWorld-colliding.exe
44K -rw-r--r-- 1 khermans khermans 41K 2007-11-23 01:08 HelloWorld-colliding.exe
khermans <at> khermans-laptop:/tmp$ strings HelloWorld-colliding.exe | tail
SetFilePointer
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
SetStdHandle
CloseHandle
KERNEL32.dll
Hello World ;-)
khermans <at> khermans-laptop:/tmp$ strings GoodbyeWorld-colliding.exe | tail
SetFilePointer
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
SetStdHandle
CloseHandle
KERNEL32.dll
Goodbye World :-(
khermans <at> khermans-laptop:/tmp$ md5sum HelloWorld-colliding.exe | awk '{print $1}' | tee hw
18fcc4334f44fed60718e7dacd82dddf
khermans <at> khermans-laptop:/tmp$ md5sum GoodbyeWorld-colliding.exe | awk '{print $1}' | tee gw
18fcc4334f44fed60718e7dacd82dddf
khermans <at> khermans-laptop:/tmp$ cmp hw gw
khermans <at> khermans-laptop:/tmp$ echo $?
0

There you have it.  Surely a GPL'd tool implementing this attack style
will be available shortly.  And since Chinese researchers have been
attacking SHA-1 lately, should SHA-256 be considered the proper
replacement?  I am unsure :-(
-- 
Kristian Erik Hermansen
"I have no special talent. I am only passionately curious."

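
As an added example (not code from the post or from the hashclash project), a small manifest verifier in Python that turns the session above into policy: an entry that vouches for a file with MD5 (or SHA-1) is refused even when the digest matches, because two different files can carry one MD5, while SHA-2 entries are actually checked. The file contents and manifest below are constructed stand-ins, not the real executables.

```python
import hashlib
import hmac

# Digests with published collision attacks: never accept them as proof of
# integrity, even when the value matches (two files, one MD5, as above).
COLLISION_BROKEN = {"md5", "sha1"}
# SHA-2 family, the replacement the thread arrives at.
ACCEPTED = {"sha224", "sha256", "sha384", "sha512"}

# Constructed stand-ins for the two downloaded executables (not the real bytes).
FILES = {
    "HelloWorld-colliding.exe": b"MZ...\x00Hello World ;-)\x00",
    "GoodbyeWorld-colliding.exe": b"MZ...\x00Goodbye World :-(\x00",
}


def digest(data: bytes, algo: str) -> str:
    return hashlib.new(algo, data).hexdigest()


def build_manifest(files: dict, algo: str) -> dict:
    """Publisher side: name -> (algorithm, hex digest)."""
    return {name: (algo, digest(data, algo)) for name, data in files.items()}


def verify(files: dict, manifest: dict) -> dict:
    """Consumer side: one status per manifest entry:
    ok | mismatch | missing | weak-algorithm | unknown-algorithm."""
    results = {}
    for name, (algo, expected) in manifest.items():
        algo = algo.lower()
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif algo in COLLISION_BROKEN:
            # A matching MD5 proves nothing once chosen-prefix collisions are
            # practical, so refuse before even computing it.
            results[name] = "weak-algorithm"
        elif algo not in ACCEPTED:
            results[name] = "unknown-algorithm"
        elif hmac.compare_digest(digest(data, algo), expected):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


if __name__ == "__main__":
    print(verify(FILES, build_manifest(FILES, "md5")))     # all weak-algorithm
    print(verify(FILES, build_manifest(FILES, "sha256")))  # all ok
```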

carl hardwick | 1 Dec 14:48 2007

Firefox 2.0.0.11 File Focus Stealing vulnerability

Firefox 2.0.0.11 File Focus Stealing vulnerability:

Sorry Mozilla, but the recent file focus fix was not enough. I think
Mozilla made another mistake while fixing the previous file/label
issue. Because now I embed a file field and a textfield inside one
label. When this happens, and you type only one time in the textfield,
the focus travels to the file field and the value travels with it.
Back to the drawing board I would say. I only got it to work in
Firefox, Gareth checked Safari for me, and it also works in Safari. I
guess this type of exploit could function on other HTML objects as
well, and could be very dangerous because it only requires a one time
focus in a textfield.

PoC here:
http://carl-hardwick.googlegroups.com/web/Firefox20011StealFocusFlaw.htm


Steven Adair | 1 Dec 16:20 2007

Re: MD5 algorithm considered toxic (and harmful)

> There you have it.  Surely a GPL'd tool implementing this attack style
> will be available shortly.  And since Chinese researchers have been
> attacking SHA-1 lately, should SHA-256 be considered the proper
> replacement?  I am unsure :-(

Yes, it would probably be a good idea.  I think this link has been put out
on this list in the past with respect to discussion on SHA-1:

http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html

NIST might not be the bible to you on what to follow and implement, but
they are definitely worth listening to (even if you're not a U.S. Federal
agency) when they tell you not to use something anymore.  For those that
don't want to click and just want to read, here are the relevant parts:

----

March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224,
SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all
applications using secure hash algorithms. Federal agencies should stop
using SHA-1 for digital signatures, digital time stamping and other
applications that require collision resistance as soon as practical, and
must use the SHA-2 family of hash functions for these applications after
2010. After 2010, Federal agencies may use SHA-1 only for the following
applications: hash-based message authentication codes (HMACs); key
derivation functions (KDFs); and random number generators (RNGs).
Regardless of use, NIST encourages application and protocol designers to
use the SHA-2 family of hash functions for all new applications and
protocols.

----

Steven
http://www.securityzone.org



Juha-Matti Laurio | 1 Dec 16:24 2007

Re: Firefox 2.0.0.11 File Focus Stealing vulnerability

Netscape Navigator version 9.0.0.4 is affected too. Test done with the PoC-type URL mentioned, on fully patched Mac OS X 10.4.10.
Vendor was contacted on 1st Dec 2007.

- Juha-Matti

carl hardwick <hardwick.carl <at> gmail.com> wrote: 
> Firefox 2.0.0.11 File Focus Stealing vulnerability:
> 
> Sorry Mozilla, but the recent file focus fix was not enough. I think
> Mozilla made another mistake while fixing the previous file/label
> issue. Because now I embed a file field and a textfield inside one
> label. When this happens, and you type only one time in the textfield,
> the focus travels to the file field and the value travels with it.
> Back to the drawing board I would say. I only got it to work in
> Firefox, Gareth checked Safari for me, and it also works in Safari. I
> guess this type of exploit could function on other HTML objects as
> well, and could be very dangerous because it only requires a one time
> focus in a textfield.
> 
> PoC here:
> http://carl-hardwick.googlegroups.com/web/Firefox20011StealFocusFlaw.htm
> 


