[Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #649 - 5 msgs

From: Hillier, Paul (Paul.Hillier@landg.com)
Date: 03/12/03

  • Next message: NetBSD Security Officer: "[Full-Disclosure] NetBSD Security Advisory 2003-003 Buffer Overflow in file(1)"
    From: "Hillier, Paul" <Paul.Hillier@landg.com>
    To: "'full-disclosure@lists.netsys.com'" <full-disclosure@lists.netsys.com>
    Date: Wed, 12 Mar 2003 09:45:25 -0000
    

    Firewall disablers

    http://cryptome.org/dirty-antisec.htm

    AntiSec™ is an Anti-Firewall application
    AntiSec™ searches for all known firewalls
    AntiSec™ kills the running process
    AntiSec™ replaces the running icon seamlessly
    AntiSec™ allows stealth FTP connection
    AntiSec™ effectively kills target's security

    [Firewall icons shown:]

    Boshield.ico
    Esafe.ico
    cyberwall.ico
    Atguard1.ico
    Blackice.ico
    zonealarm.ico
    lockdown2000.ico
    neverhack.ico
    Jammer1.ico
    eTrust Intrusion Detection.ico

    http://cryptome.org/dirty-antisec.zip

    courtesy of www.whitetigersecurity.com

    -----Original Message-----
    From: full-disclosure-request@lists.netsys.com
    [mailto:full-disclosure-request@lists.netsys.com]
    Sent: 11 March 2003 17:00
    To: full-disclosure@lists.netsys.com
    Subject: Full-Disclosure digest, Vol 1 #649 - 5 msgs

    Send Full-Disclosure mailing list submissions to
            full-disclosure@lists.netsys.com

    To subscribe or unsubscribe via the World Wide Web, visit
            http://lists.netsys.com/mailman/listinfo/full-disclosure
    or, via email, send a message with subject or body 'help' to
            full-disclosure-request@lists.netsys.com

    You can reach the person managing the list at
            full-disclosure-admin@lists.netsys.com

    When replying, please edit your Subject line so it is more specific
    than "Re: Contents of Full-Disclosure digest..."

    Today's Topics:

       1. Re: Bypassing Black Ice PC protection? (Darwin)
       2. Re: Bypassing Black Ice PC protection? (Curt Wilson)
       3. Problem installing Linksys network card with Suse Linux 7.2 (it misc)
       4. Problem installing Linksys network card with Suse Linux 7.2 (it misc)
       5. RE: Security Certifications (Curt Purdy)

    --__--__--

    Message: 1
    From: "Darwin" <darwin@netmadeira.com>
    To: <netw3_security@hushmail.com>, <incidents@securityfocus.com>
    Cc: <full-disclosure@lists.netsys.com>
    Subject: Re: [Full-Disclosure] Bypassing Black Ice PC protection?
    Date: Tue, 11 Mar 2003 01:19:41 -0000

    ----- Original Message -----
    From: "Curt Wilson" <netw3_security@hushmail.com>

    > Recently seen: what appears to be an attacker bypassing Black Ice PC
    protection through unknown methods.

    Check this article:
    http://security-archive.merton.ox.ac.uk/bugtraq-200302/0268.html

    It describes a way to bypass personal firewalls.

    Cheers,

    Paulo

    --__--__--

    Message: 2
    Date: Mon, 10 Mar 2003 19:58:05 -0800
    To: incidents@securityfocus.com, darwin@netmadeira.com
    Cc: full-disclosure@lists.netsys.com
    Subject: Re: [Full-Disclosure] Bypassing Black Ice PC protection?
    From: "Curt Wilson" <netw3_security@hushmail.com>
    Reply-To: netw3_security@hushmail.com

    -----BEGIN PGP SIGNED MESSAGE-----

    Paulo + everyone, the techniques mentioned in that bugtraq message mentioned
    here are applicable from WITHIN the host protected by a personal firewall,
    so if a malicious applet or some other malware took control of the system
    from a local administrator for instance, the firewall could be easily
    bypassed from that side. This is not what I'm seeing. What I've seen is an
    Internet based attacker getting TCP SYN packets through Black Ice PC
    Protection, reaching an application (FTP server). If the IP was blocked at
    the system's 'edge', then the FTP server log should not have shown any such
    IP address entry, because as far as the FTP server *should* know, there was
    no connection attempt. The attacker did not actually start a session with
    the FTP server due to IP based access control within the server itself.
    Still, seeing Black Ice be 'melted' as a friend said, is troubling. I've
    double-checked the firewall rules and there is nothing that specifies that this IP
    should be allowed through.

    Since the attacker, or more likely the attacker's script, was rejected by the
    FTP application, I don't know how likely it is that this specific attacker
    will come back so I can capture his methods in more detail.

    I'll be working on reproducing this behavior myself, but if anyone has
    additional info please drop me a line. If I can reproduce then I'll talk to
    ISS.

    On Mon, 10 Mar 2003 17:19:41 -0800 Darwin <darwin@netmadeira.com> wrote:
    >----- Original Message -----
    >From: "Curt Wilson" <netw3_security@hushmail.com>
    >
    >> Recently seen: what appears to be an attacker bypassing Black Ice PC
    protection through unknown methods.
    >
    >Check this article:
    >http://security-archive.merton.ox.ac.uk/bugtraq-200302/0268.html
    >
    >It describes a way to bypass personal firewalls.
    >
    >Cheers,
    >
    >Paulo

    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.2 (Java)
    Note: This signature can be verified at https://www.hushtools.com/verify

    wmMEARECACMFAj5tXf8cHG5ldHczX3NlY3VyaXR5QGh1c2htYWlsLmNvbQAKCRBGd/Yw
    aRH3K0ymAJwNzbMhGMbrjHWj7DtyANnTbMHsyQCdEm3afn5aJ+LJ+DYFswwpu28I7Hg=
    =X9zB
    -----END PGP SIGNATURE-----
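The evidence Curt Wilson describes above is a mismatch between two records: the host firewall's deny list says a source should never reach the FTP daemon, yet the daemon's own log shows a connection from it. The script below is an added example, not code from this thread or from any of the products named in it; it turns that reasoning into a repeatable check. The deny-list format (one CIDR or host per line) and the FTP log format (`date time ip event`) are assumptions, and every input line is constructed sample data. It reports each logged connection whose source matches a deny rule, regardless of whether the application then refused the session itself, because the fact that the packet reached the application at all is the signal that the edge filter did not hold.

```python
"""Cross-check an application's connection log against a host firewall deny list.

Added example, not from the Full-Disclosure thread. Formats and sample data
below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed deny list (hypothetical export format: one CIDR or host per line).
FIREWALL_DENY_RULES = """
# deny list exported from the host firewall (constructed sample)
203.0.113.0/24
198.51.100.17
"""

# Constructed FTP server log in an assumed "date time ip event" layout.
FTP_LOG = """
2003-03-10 14:02:11 192.0.2.55 connect
2003-03-10 14:02:12 192.0.2.55 login ok user=alice
2003-03-10 14:05:40 203.0.113.9 connect
2003-03-10 14:05:40 203.0.113.9 refused by server ACL
2003-03-10 14:07:03 198.51.100.17 connect
2003-03-10 14:09:30 192.0.2.80 connect
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (.*)$")


@dataclass(frozen=True)
class LeakedConnection:
    """A logged connection whose source the firewall should have dropped."""
    timestamp: str
    source: str
    matched_rule: str
    detail: str


def parse_deny_rules(text):
    """Parse deny rules into ip_network objects; comments and blank lines are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # strict=False lets a bare host address become a /32 network.
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def matching_rule(ip, nets):
    """Return the first deny rule covering ip, or None if no rule matches."""
    for net in nets:
        if ip in net:
            return str(net)
    return None


def find_leaked_connections(log_text, deny_text):
    """Return the 'connect' log entries whose source matches a deny rule.

    Only the connect event is reported so that one leaked session is counted
    once even if the application logged several lines for it afterwards.
    """
    nets = parse_deny_rules(deny_text)
    leaks = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, detail = m.groups()
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # not an address field; skip malformed line
        rule = matching_rule(ip, nets)
        if rule is not None and detail.startswith("connect"):
            leaks.append(LeakedConnection(ts, src, rule, detail))
    return leaks


if __name__ == "__main__":
    for leak in find_leaked_connections(FTP_LOG, FIREWALL_DENY_RULES):
        print(f"{leak.timestamp} {leak.source} reached the application "
              f"despite deny rule {leak.matched_rule}")
```

Run it and the two denied sources (one covered by the /24, one by the host rule) are reported even though the server's own ACL later refused one of them; the same comparison can be pointed at any application log that records the peer address, which is exactly the cross-check the message above relies on.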

    --__--__--

    Message: 3
    Date: Mon, 10 Mar 2003 22:25:34 -0800 (PST)
    From: it misc <itmisc@yahoo.com>
    To: full-disclosure@lists.netsys.com
    Subject: [Full-Disclosure] Problem installing Linksys network card with Suse
    Linux 7.2

    Hi:

    I am trying to configure my Linksys network card to work with Suse Linux
    7.2.

    I downloaded the latest tulip.c from
    ftp://ftp.scyld.com/pub/network/tulip.c. I put it into directory
    /usr/src/linux/drivers/net. As I recompile the Kernel, I ran into errors.

    System Information: Pentium II 412MHz, 224MB RAM, 10GB Western Digital hard
    drive.

    If anyone ran into a similar problem and was able to fix it, please help me
    out.

    Thank you very much for your help.

    Henry Tran

    --__--__--

    Message: 4
    Date: Mon, 10 Mar 2003 22:51:43 -0800 (PST)
    From: it misc <itmisc@yahoo.com>
    To: full-disclosure@lists.netsys.com
    Subject: [Full-Disclosure] Problem installing Linksys network card with Suse
    Linux 7.2

    Hi:

    I am trying to configure my Linksys network card to work with Suse Linux
    7.2.

    I downloaded the latest tulip.c from
    ftp://ftp.scyld.com/pub/network/tulip.c. I put it into directory
    /usr/src/linux/drivers/net. As I recompile the Kernel, I ran into errors.

    Network card Info: EtherFast 10/100 LAN Card, LNE100TX Version 4.0

    System Info: Pentium II 412MHz, 224MB RAM, 10GB Western Digital hard drive.

    I appreciate any help.

    Thank you very much.

    Henry Tran

    --__--__--

    Message: 5
    From: "Curt Purdy" <purdy@tecman.com>
    To: "'B3r3n'" <B3r3n@argosnet.com>, "'hellNbak'" <hellnbak@nmrc.org>,
       "'Ron DuFresne'" <dufresne@winternet.com>
    Cc: "'Rizwan Ali Khan'" <rizwanalikhan74@yahoo.com>,
       <full-disclosure@lists.netsys.com>, <security-basics@securityfocus.com>,
       <certification@securityfocus.com>
    Subject: RE: [Full-Disclosure] Security Certifications
    Date: Tue, 11 Mar 2003 06:33:06 -0600

    hilarious. cept the fee is $450, not $2k.

    Curt Purdy CISSP, MCSE+I, CNE, CCDA
    Senior Systems Engineer
    Information Security Engineer
    DP Solutions

    ----------------------------------------

    If you spend more on coffee than on IT security, you will be hacked.
    What's more, you deserve to be hacked.
    -- White House cybersecurity adviser Richard Clarke

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com]On Behalf Of B3r3n
    Sent: Friday, March 07, 2003 1:01 PM
    To: hellNbak; Ron DuFresne
    Cc: Rizwan Ali Khan; full-disclosure@lists.netsys.com;
    security-basics@securityfocus.com; certification@securityfocus.com
    Subject: Re: [Full-Disclosure] Security Certifications

    Guys,

    Never read the CISSP trojan? Nice no?

    _________________________________________
    Security Advisory MA-2003-01 CISSP - Trojan Security Certification

    Original Release Date: Thursday January 16, 2003
    Last Revised: --
    Source: --

    Systems Affected

             o Information Security Community
             o Information Technology Employers
             o Information Security Consultants

    Overview

    It has recently been identified that The International Information Systems
    Security Certification Consortium (CISSP) has developed and released a
    potentially destructive trojan application, which masquerades as a valid
    standard for professional certification in the field of information
    security.

    I. Description

    Delivered in the benign form of a six hour examination, the CISSP prompts
    target user with a series of 250 questions regarding the following topics:

             o Access Control Systems & Methodology
             o Applications & Systems Development
             o Business Continuity Planning
             o Cryptography
             o Law, Investigation & Ethics
             o Operations Security
             o Physical Security
             o Security Architecture & Models
             o Security Management Practices
             o Telecommunications, Network & Internet Security

    This rather large payload, commonly referred to as the Common Body of
    Knowledge (CBK), may cause a Denial of Service situation, leaving the
    target overwhelmed and unable to respond to further requests during the
    duration of the attack. If the target handles the Denial of Service attack
    appropriately, and is unaffected, the CISSP trojan discontinues this attack, and
    self-mutates into a certification of added IS credibility. If accepted by
    the target, this certification begins to cause the following symptoms:

             o Increase in self-confidence
             o Increase in salary requirements
             o False sense of accomplishment
             o False sense of self-improvement

    Despite the symptoms, the target experiences no real benefit
    whatsoever. The affected target then is made to transfer funds in excess
    of $2,000 (US) to a remote bank account owned by ISC2. Finally, the
    affected target promotes itself to a "Certified Information Security
    Expert" sans authentication.
    The affected target may then infect others, eventually creating a massive
    army of unskilled, prefabricated, shrink-wrapped, not for resale,
    half-assed security engineers, consultants, and
    "research scientists".

    II. Impact

    An abundance of sub-par information security engineers, consultants, and
    "research scientists".

    A negative impact on the economy, specifically within the Information
    Technology sector.

    III. Solution

    Avoid any certifications issued by ISC2 until a patch is distributed.
    Obtain information security related certifications from valid sources.
    Employers are encouraged to recognize the CISSP as a trojan certification.

    Appendix A - Vendor Information

    International Information Security Certification Consortium, Inc.

    (ISC)2 is the premier organization dedicated to providing information
    security professionals and practitioners worldwide with the standard for
    professional certification.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

    --__--__--

    _______________________________________________
    Full-Disclosure mailing list
    Full-Disclosure@lists.netsys.com
    http://lists.netsys.com/mailman/listinfo/full-disclosure

    End of Full-Disclosure Digest

    This e-mail (and any attachments) may contain privileged and/or confidential information. If you are not the intended recipient please do not disclose, copy, distribute, disseminate or take any action in reliance on it. If you have received this message in error please reply and tell us and then delete it. Should you wish to communicate with us by e-mail we cannot guarantee the security of any data outside our own computer systems. For the protection of Legal & General's systems and staff, incoming emails will be automatically scanned.
     
    Any information contained in this message may be subject to applicable terms and conditions and must not be construed as giving investment advice within or outside the United Kingdom.
     
    Representative only of the Legal & General marketing group, members of which are regulated by the Financial Services Authority for the purposes of advising on life assurance and investment products bearing Legal & General's name.
    Legal & General Group PLC, Temple Court, 11 Queen Victoria Street, London, EC4N 4TP.
    Registered in England no: 166055.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

