| New User, Welcome! Login |
Next Page >>
National Identity
The security community may be interested in this:
The New ISO Hacking Standard
New York, May 17, 2010 -- The world’s national standards bodies met
again during April, this time in Malaka, Malaysia and they extended
talks about the Open Source Security Testing Methodology Manual. This
ultimate security guide, better known to security experts and hackers
alike as the OSSTMM (spoken like “awesome” but with a “t”), is a
formal methodology for breaking any security and attacking anything
discoverer of a vulnerability, I would say that "you will only get
details if you do X" is a form of blackmail.
So the result is that the developers of the main implementation of the
SSH protocol are without the details of the vulnerability, all in the
cause of "protecting national security".
-Otto
=============================================================================
Pete Herzog wrote:
> The security community may be interested in this:
>
> The New ISO Hacking Standard
>
> New York, May 17, 2010 -- The world’s national standards bodies met
> again during April, this time in Malaka, Malaysia and they extended
> talks about the Open Source Security Testing Methodology Manual. This
> ultimate security guide, better known to security experts and hackers
> alike as the OSSTMM (spoken like “awesome” but with a “t”), is a formal
> methodology for breaking any security and attacking anything the most
Haroon Meer, Thinkst Applied Research
Bruce Dang, Microsoft Security Response Center
Dan Ryan, US National Defence University
Derek Jinks, US Naval War College
Jeffrey Carr, Greylogic
Take a look at the actual vulnerability advisory.
http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
Or the original posting by OpenSSH
http://www.securityfocus.com/archive/1/498558/30/0/threaded
Where is there any condition related to National Security?
If you read the vulnerability advisory you would see that the problem is "a
design flaw in the SSH specification". OpenSSH was merely used as an example of
an implementation of SSH written to implement the specification.
CVE Identifier: N/A
____________
Credit:
Security Assurance Team of the National Australia Bank.
The vendor was advised of this vulnerability prior to its public release. National Australia Bank adheres to the “Guidelines for Security Vulnerability Reporting and Response V2.0” document when issuing Security Advisories.
Class: Stored Cross Site Scripting
____________
Hey!
They put a condition because of "National Security". Should that mean
that they use OpenSSH in "National Security"-sensitive applications
(interesting ;););))?
If so, should that mean that they implicitely recognize the very good
work done by the community?
If so, why not act politely with the community and share knowledge?
CVE Identifier:
____________
Credit:
National Australia Bank's Security Assurance Team.
The vendor was advised of this vulnerability prior to its public release. National Australia Bank adheres to the “Guidelines for Security Vulnerability Reporting and Response V2.0” document when issuing security advisories.
Class:
Information Disclosure
Privilege Escalation
http://www.acis.org.co/index.php?id=1068
- Call for Papers-
National Computer and Information Security
Conferences ACIS 2008
Bogot, D.C - COLOMBIA
Luis Angel Arango Library
June 18, 19 and 20/2008
Developers.
The last conference has been attended by: Ericsson, Commerzbank, Philips,
RBT, GRZ IT, IERN Sierra Leone, SAP, Improware, Telekom Austria, Microsoft,
BAWAG, T-Systems, Iphos, Sektion Eins, T-Mobile, Red Hat, SWITCH, Austrian
National Bank, Daimler, Sentrigo, University of Vienna, SEC Consult, Tech
Data, S21Sec, DHL, Bearing Point, Cygnos, wecon, YCO, Rolex SA, Austrian
National Bank, US Army, Fraunhofer Institut, Kapsch CarrierCom AG, IronPort,
Cisco, SonyDADC, TÜV Austria, Telecom Italia, Vodafone, Siemens, BAWAG,
CheckPoint, DHL, and many others.
Do you like good wine, french bread & food, strikes and the french kiss?
If so, you will love FRHACK!
[ - Introduction - ]
FRHACK is the First International IT Security Conference, by hackers -
for hackers, in France!
FRHACK is not commercial - but - highly technical.
Target Audience: Security Officers, Security Professionals and Product
Vendors, IT Decision Makers, Policy Makers, Security-, Network-, and
The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system.
Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator@bdo.com.au.
BDO Kendalls is a national association of separate partnerships and entities.
________________________________________
From: Steve Shockley [steve.shockley@shockley.net]
Sent: Friday, 28 December 2007 5:11 AM
> there's no zero day anything unless it's public.
>
> The moment you have an opportunity to measure it, the waveforms collapse.
>
Its a little less abstract than that. Consider that the United States
government might want to worry about whether some foreign nation is
banking a large pool of private 0day exploits in preparation for war.
Such a nation might farm these private 0day exploits by employing a pool
of vulnerability researchers and exploit developers, and just not
published the results.
* Radio Appz & Hackz: Mesh @ RF Layer 1-3
* Database & Privacy
* Problematic & Ethical Open Source/Content Licenses
* Institutional Relationships: Lobbying or Licking?
* Non Lethal Protection (anti-taser vests?)
* Survival in the Age of the Ministry of Immigration and National
Identity
* Mental asylum improvised visit
* Open Source Legacy Media(TM) Production Solutions (TV, Radio, Press,
DRM)
* Gas Sensors & Environmental Benchmarking
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were reported to Cisco by National Australia
Bank's Security Assurance team.
Cisco would like to thank the National Australia Bank's Security
Assurance team for the discovery and reporting of these vulnerabilities.
#####
Greetings from the Cooperative Cyber Defence Centre of Excellence (CCD CoE) in Tallinn, Estonia!
Registration is now open for the CCD CoE Conference on Cyber Warfare, which will take place at the Estonian National Theater on June 17-19, 2009.
Following a worldwide Call for Papers, there will be 29 presentations given by researchers from 13 countries. Highlights include:
• Jaak Aaviksoo, Estonian Defence Minister
• Information Warfare Monitor: Tracking GhostNet: Investigating a Cyber Espionage Network
Do you like good wine, french bread & food, strikes and the french kiss?
If so, you will love FRHACK!
[ - Introduction - ]
FRHACK is the First International IT Security Conference, by hackers -
for hackers, in France!
FRHACK is not commercial - but - highly technical.
Target Audience: Security Officers, Security Professionals and Product
Vendors, IT Decision Makers, Policy Makers, Security-, Network-, and
monitoring system. The system is composed by software installed on
standard computer equipment running on commercial-of-the-shelf Microsoft
Windows operating systems.
A vulnerability was found in CitectSCADA that could allow a remote
un-authenticated attacker to force an abnormal termination of the
vulnerable software (Denial of Service) or to execute arbitrary code on
vulnerable systems to gain complete control of the software. To
accomplish such goal the would-be attacker must be able to connect to
the vulnerable service on a TCP high-port.
Mikko Hypponen, Chief Research Officer, F-Secure
Evolution of the Threat
KEYNOTE
James Lewis, Director and Senior Fellow, Technology and Public Policy
Program, Center for Strategic and International Studies (CSIS)
Securing Cyberspace for the 44th Presidency
Jose Nazario, PhD., Arbor Networks
Measuring Global Denial of Service Attacks
> damage however caused which may result from this communication or any
> files attached. A full version of the BDO Kendalls disclaimer, and our
> Privacy statement, can be found on the BDO Kendalls website at
> http://www.bdo.com.au/ or by emailing mailto:administrator@bdo.com.au.
>
> BDO Kendalls is a national association of separate partnerships and
> entities. Liability limited by a scheme approved under Professional
> Standards Legislation.
> -----Original Message-----
>
> From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system.
Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au/ or by emailing mailto:administrator@bdo.com.au.
BDO Kendalls is a national association of separate partnerships and entities. Liability limited by a scheme approved under Professional Standards Legislation.
-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
Sent: Thursday, 19 June 2008 3:11 AM
To: security-basics@lists.securityfocus.com; bugtraq@securityfocus.com
Credit: The disclosure of this issue has been credited to National Australia Bank Security
Assurance.
Vulnerable:
Secure Computing Webwasher 6.6.3 build 3102 and older versions running on CGLinux 4/5, RHEL 4, Debian 4, SLES10
Not vulnerable:
Secure Computing Webwasher Builds 3150 and newer (all platforms)
Webwasher (all versions) for Windows
have strongly lobbied against this law and done everything we deemed
possible. The unfortunate truth however is that the lawmakers simply
didn't care what the experts had to say, mostly out of sheer
stubbornness and the attitude that if a law is lacking in any way,
jurisdiction will fix it in the long run. As many of you probably know,
these laws are the German national implementation of the so-called
European Cybercrime Convention. The convention however - in contrast to
our national law - does contain explicit exceptions for researchers and
professionals. As of the reasons why these are missing here, one can
only speculate (a task that I better leave to Fefe, he's much better at
it :P ).
It can possibly hurt very much - if ctr mode is subject to a
different vulnerablility. There has been much discussion of ctr mode having
*possible* issues, although nothing I know of published directly about ssh.
On the other hand, we have a national security agency who refuses
full disclosure, raising a vulnerability and pointing to a switch to
counter mode. Perhaps this is to prevent the low likelyhood but
possible attack they have found, or perhaps it is to encourage a hasty
switch to counter mode which is "more convenient for national security
reasons". I don't honestly know - the only REAL info on the subject I've
numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
This vulnerability was reported to Cisco by National Australia Bank's
Security Assurance team.
Cisco would like to thank the National Australia Bank's Security
Assurance team for the discovery and reporting of the vulnerability.
Minor point:
No need to limit such accumulations to nation-states though. People interested
in fiddling with other peoples' computers have come up with attacks that don't
get instantly published at least since the 1970s, and have had more-or-less private
channels to communicate them. The motives these days, if you believe the press,
may be more around money than simple mischief, but the practice of not disclosing
bugs and exploits to the world has been with us a long time. Such exploits are 0day
exploits until someone gets wind of them who will do something to defend against
them. This can be a vendor, someone who publishes workarounds for admins, or whatnot,
>> "We can assure you that we do not cooperate with the NSA or any other
>> government agency anywhere in the world. We invite whomever is
>> making this
>> statement to provide proof, rather than making a baseless accusation.
>
> Note that if they had been served with an NSL (National Security
> Letter),
> they may be legally *required* to lie about it while cooperating.
> Actually
> truthfully saying "Yeah, an NSL showed up and we complied" could
> land them
Hash: SHA256
Folks,
In August 2008 the UK CPNI (United Kingdom's Centre for the Protection of
National Infrastructure) published the document "Security Assessment of the
Internet Protocol". The motivation of the aforementioned document is
explained in the Preface of the document itself. (The paper is available
at: http://www.cpni.gov.uk/Docs/InternetProtocol.pdf )
Once the paper was published by CPNI, I produced an IETF Internet-Draft
...
[ - Introduction - ]
FRHACK is the First International IT Security Conference, by hackers -
for hackers, in France!
FRHACK is not commercial - but - highly technical.
Target Audience: Security Officers, Security Professionals and Product
Vendors, IT Decision Makers, Policy Makers, Security-, Network-, and
storing, manipulating, and accessing multidimensional data sets.
The basic component of CDF is a software programming interface that is
a device-independent view of the CDF data model.
The CDF software package is used by hundreds of government agencies,
universities, and private and commercial organizations as well as
independent researchers on both national and international levels.
CDF has been adopted by the International Solar-Terrestrial Physics
(ISTP) project as well as the Central Data Handling Facilities (CDHF)
as their format of choice for storing and distributing key parameter
data. A list of some applications that use the CDF library can be found
at http://cdf.gsfc.nasa.gov/html/examples.html.
Next Page>>
|
|
|
