just
>
> You do realize this can be read as a racial slight towards Koreans.
>
<jaded mode off>
I know too many of the gook geeks behind Microsoft and I do trust that
this IS NOT a plot to sell more Win7. Granted the marketing folks spun
this bulletin WAY WAY TOO much. It is what it is. I do believe the
architecture in XP just isn't there. It's a 10 year old platform that
sometimes you can't bolt on this stuff afterwards. Even in Vista, it's
not truly fixing the issue, merely making the system more resilient to
attacks. Read the fine print in the patch.. it's just making the system
kill a session and recover better.
Subject: Re: [Full-disclosure] Remote Desktop Command Fixation Attacks
Thor, with no disrespect but you are wrong. Security in depth does not
work and I am not planning to support my argument in any way. This is
just my personal humble opinion. I've seen only failure of the
principles you mentioned. Security in depth works only in a perfect
world. The truth is that you cannot implement true security mainly
because you will hit on the accessibility side. It is all about
achieving the balance between security and accessibility. Moreover,
you cannot implement security in depth mainly because you cannot
predict the future. Therefore, you don't know what kinds of attack
will surface next.
As others have pointed out, your attack only works if security in depth has been blatantly, intentionally ignored.
I'll grant that it's an interesting methodology, but it assumes too much and ultimately fails to prove your claims.
You're absolutely correct; "Security in depth" is a process; no one has argued this.
What no one has stated is that security in depth has an endpoint.
Not only does it require proper analysis, planning and deployment, it's greatly weakened without constant monitoring and adjustment to meet new threats.
That said, nothing you have proposed in your attack methodology changes those statements.
Jim
context of the guest machines without knowing those administrator
credentials. Also remember that since I am talking about a non-privileged
user on the host, there will be limits on what this user could do to
accomplish some of the other attacks mentioned.
3. It's not just the ability to access the guest OS's that is significant
here, it's the *automated* access that is key. There are endless ways you
could own a guest OS manually. But with the API just a few lines of code
could enumerate all open guests and execute commands in each. This attack
requires no interaction or trial-and-error in attacking the guest OS's, nor
does it require any login credentials on any guest OS. This is all
If an admin who doesn't follow bugtraq doesn't know about the issue it's
not full disclosure to him. It's like when you hear about a "known
issue" from Microsoft. If I didn't know about it, how in the heck is
it a known issue? Just because someone in Redmond knows about it
doesn't mean the rest of us do.
I have captcha on a blog site I run. I get folks able to bypass the
filter and post spam comments that get filtered and then a week later or
so get deleted off, and the CPU use on the site sucks. But that could
also be the software I'm running.
On 1/15/10 6:40 PM, Thor (Hammer of God) wrote:
> I could only imagine. The other problem is that many people seem to think I'm saying something against the Chinese *people* themselves, based on the "f* you round-eye* messages I've received (and they call ME racist). They don't seem to get the clear distinction (to me) between the Chinese people and China's network. It's the machines I'm concerned with the attacks coming from those machine. Just because the machine is sourced in China doesn't mean the attacker is - so I have to do the best I can to defend against the machines. However, that unfortunately comes across to those who choose not to think it through as me saying something against the Chinese themselves.
>
> Then again, as you well know, people will take any opportunity they can just to be ugly and confrontational, and to have something to rail about. In the face of the reality of China's horribly infected network, when I suggest blocking that traffic (as many others have and do), they seize the opportunity to call me prejudice and a racist.
The Chinese network is indeed very infected, which in turn causes the
rest of the world great computerized harm. Nobody disputes this.
The solution of blocking China, however, is one which harms both people
outside of China, as well as those inside of China. Therefore, it
listen on port 445/tcp)
(Note 2: If you load 'conn.html' with Internet Explorer and
'conn.html' is stored on a local drive (e.g.: c:\conn.html) it is
possible Internet Explorer will prompt you to allow execution of the
javascript code within 'conn.html'. This is not a limitation of the
attack, it is just an extra protection implemented by Internet Explorer;
'conn.html' does not even need to contain javascript code, it uses
it just because it is convenient, you could just as easily 'hard-code'
all <IMG> tags. Also, loading the html file from a local disk is not
a real attack scenario, all of this is for demonstration purposes).
Sunday, September 21, 2008
By Nelson Brito <nbrito@sekure.org>
-[ Introduction
It is just a matter of time before things get worse on the Internet. We saw
worms getting more and more sophisticated in the last decade, and, believe me,
it could be worse. Nowadays we have botnets and a lot of worms and their
respective variants, but what if a stealth worm reaches the Internet today?
Are we prepared to deal with this kind of threat? Are we walking in the right
direction to get this kind of threat controlled in a short period of time?
On 10/12/07, Thor (Hammer of God) <thor@hammerofgod.com> wrote:
> CIL:
> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> Yes, they used the bulletin to soft-pedal the description, but at the
> same time I think they send a message about XP users being on shaky
> ground. Just because they've got 4+ years of Extended Support Period
> left doesn't mean they're going to get first-class treatment.
>
> Larry Seltzer
> Contributing Editor, PC Magazine
> larry_seltzer@ziffdavis.com
http://blogs.pcmag.com/securitywatch/
webapps - via a Google dork which reveals a lot of SVNs with this
vulnerable captcha script (and so I found a lot of different webapps with
it). I don't know anything about Dunia soccer and other systems, such as
WeBAM, TooFAST, ArcManager, MiniManager for Project
MANGOS, NoCMS, HoloCMS, GunCMS, PhoenixCMS PHP Edition and phpCOIN (which I
wrote to Bugtraq about, and I'd write about others). I just found these holes
(concerning CaptchaSecurityImages) in their source codes in online SVNs.
> The vulnerability ...or rather the bug is in the captcha code, this is
> just a site using it, right?
> 1. Functionality
>
> Do you have clients who need to interconnect with China's
> networks, or expect people to connect to you from China?
>
> If so, the cost of security by blocking may be unjustifiable.
Absolutely - If possible, please read the article at:
http://www.securityfocus.com/infocus/1900/1
It's dated, but the concepts hold true. The entire implementation is based on research and analysis, and of course, business applicability. To be sure, I receive significant US-based attack traffic, but I can't block that for business reasons. Unfortunately, many people see "block China" and immediately say "oh, that's unrealistic and ineffective." This is not an Internet based suggestion - it is a simply a toolset one may use to implement country-by-country, protocol-by-protocol based access policy. It's the same thing we do now from a protocol standpoint, but this simply allows one to aggregate data by geographic location. I have no business need for traffic to/from China and many other countries (which I also block) so even in the absence of hard attack traffic, "least privilege" dictates that it is valid to disallow traffic from sources that are not needed.
I've used Tim's block sets for a while in my own FOAD rule, but I ended up having to adjust the policy because of the toolsets I provide to the folks that are trying to do a good day's work in those same locations.
Yes; there are plenty of good folks, computers and networks in China and other countries, but the sad fact is these countries also represent the network-sources (even if, as has been stated; not the "true" source) of the majority of attacks. My own firewall logs validate this.
How you use the lists Tim provides is a matter of personal choice according to your capabilities and priorities. If your firewall is smart enough to ignore anyone trying to bash your network or play silly buggers in the upper layers, then you may feel that an IP-based block set is overkill. If, like so many, your firewall operates primarily at L4 and below, this data may prove very valuable.
Frankly, I like that someone has taken the time to do the numbers and produce the data; even if I can't use it the way I'd prefer.
Jim
- -----------/
At this point, the victim's browser will be served with
'setFirstScript.htm'. This page will just redirect the browser to
another page ('frameset.htm'), which simply defines the frames where the
last page ('object.htm') referencing the 'index.dat' file will be loaded
into.
The HTML code used for loading the index.dat file and rendering it as
This would make the software better, so that they could still use it in
their applications.
How can't they understand that?
Why not just share the knowledge and just ask for some time (fixed
amount? or just "when a solution will be found") before public release
of the details of the attacks?
Why not release the details and switch to another system if OpenSSH is
not what they need anymore?
> only when you need it--a virtual offline machine. Another situation for
> myself is I keep all my hacking/pen-testing tools on a vm that I can use
> when I need them, and quickly move to any vm host I need to run them on. I
> don't necessarily want to make that virtual machine accessible from the
> network. Anyway, it is absurd to say you will never log in to the console,
> sometimes you just have to.
No offense, but regarding your offline root CA -- doesn't hosting the vm on
a network-connected machine kind of defeat the purpose? That's only two
degrees from massive insecurity, this vector isn't the biggest problem you
have.
described as user error. You can not blame a vendor for including tools
to manage services. That would be the same as claiming that a unix root
user should not be able to do a rm -rf / it's up to users how stupid
they want to be, and you can't solve user ignorance with technical
solutions.
So, my conclusion is that your find is just the OS working like it
should be. Microsoft put the sc command in the OS on purpose and it is
even described and explained by ms in the books and on sites as msdn and
technet so it's not a 'secret command' of any kind, heck you could use
net stop "some service" or do far worse with the REG and registry
commands or even wmi scripting and/or powershell than disabling
Yeah, I know what it is and what it's for ;) That was just my subtle way of trying to make a point. To be more explicit:
1) If you are publishing a vulnerability for which there is no patch, and for which you have no intention of making a patch for, don't tell me it's mitigated by ancient, unusable default firewall settings, and don't withhold explicit details. Say "THERE WILL BE NO PATCH, EVER. HERE'S EVERYTHING WE KNOW SO YOU CAN DETERMINE YOUR OWN RISK." Also, don't say 'you can deploy firewall settings via group policy to mitigate exposure' when the firewall obviously must be accepting network connections to get the settings in the first place. If all it takes is any listening service, then you have issues. It's like telling me that "the solution is to take the letter 'f' out of the word "solution."
2) Think things through. If you are going to try to boot sales of Win7 to corporate customers by providing free XP VM technology and thus play up how important XP is and how many companies still depend upon it for business critical application compatibility, don't deploy that technology in an other-than-default configuration that is subject to a DoS exploit while downplaying the extent that the exploit may be leveraged by saying that a "typical" default configuration mitigates it while choosing not to ever patch it. Seems like simple logic points to me.
t
> -----Original Message-----
> From: Susan Bradley [mailto:sbradcpa@pacbell.net]
When you've got a systemic vulnerability, in this case the TCP/IP stack itself, exploitation information must be explicit and definitive. I'm fine with risk classification, and I appreciate efforts to categorize risk into manageable exposure metrics, but we shouldn't have to infer potential vulnerability information from vague disclosure data. I know many response teams base patch paths on the published severity, but one also has to be able to make decisions on their own. For me, no big deal. But it's not that simple for others.
But there's not enough information for me to make that call. Is it for ANY "listening service?" TCP or UDP? Does the "stateful" firewall introduced in subsequent versions stop it?
The answers are "yes," "yes," and "no." They should just say that. Is it "low" because the firewall doesn't have any exceptions by default? If so, that's silly. Everyone using XP for anything has incoming connections for something, and well known if on a domain. I feel sorry for Diebold and NEC with all the ATMs out there running XP, but fortunately, I'm not responsible for clients using their systems anymore :)
Anyway, the DoS suxx0rz, but I'm more irritated with the lack of real, straightforward, no-nonsense information and technical sleight of hand. The information should be painfully obvious, not obviously painful.
t
Just a few cents - DoS in webbrowsers doesn't fall under the category of
"vulnerabilities" rather more of "annoyances". Although I don't deny the
fact that certain DoS attacks *may lead* or *may serve as hints* to other
more serious exploits, but that's a different topic and with ASLR in the
scene, a very grey area of discussion.
Case in point: XSS can be of various kinds and most of them (I'm talking of
about 99.99%) can be attributed to the design of the web
technologies/protocols specifications (http, ajax, etc etc...you name it)
and the browsers can only do that much. Hence it's not feasible for a
(Bottom line, yes, the marketing team definitely got a hold of that
bulletin)
Thor (Hammer of God) wrote: