Spontaneous Sociability and The Enthymeme

Current Topic: Computer Security

XBOX Dashboard local vulnerability
Topic: Computer Security 5:11 am EDT, Jul  4, 2003

] The XBOX Dashboard is what appears when you turn the XBOX
] on without a disc in the DVD drive. It will let you
] adjust system settings, manage your save games, play and
] rip audio CDs and configure your XBOX Live account. It is
] the heart of the XBOX and its most vulnerable point,
] because it lacks several security restrictions which are
] enforced on games. This includes the lack of the
] reboot-on-eject-button "feature", which is obligatory for
] all games.

] The existence of an exploitable vulnerability
] within the dashboard could totally compromise the XBOX
] security system. It will make the box independent from
] Microsoft signed code and therefore this information is
] released to the public now on the 4th of July 2003, the
] day of the XBOX Independence.

From the Full Disclosure mailing list.


Group claims Linux advance on Xbox | CNET News.com
Topic: Computer Security 10:32 pm EDT, Jun 27, 2003

] A group of Xbox security researchers say they have found
] a way to run Linux on the Xbox game console without a
] so-called mod chip and will go public with the technique
] if Microsoft won't talk to them about releasing an
] official Linux boot loader.

] Muir says the release of the claimed series of exploits,
] one of which is in the Xbox Dashboard utility, factory-
] installed on the Xbox hard drive, could be disastrous for
] games companies intent on preventing piracy. If genuine,
] the exploits would let anyone with even a slight technical
] knowledge "reflash" the Xbox BIOS, allowing users to
] pirate games. The only hardware modification necessary is
] a dollop of solder on the write-enable pads on the
] motherboard.

Very interesting..

This is a nightmare situation for Microsoft. If they do nothing, exploits will be released enabling mass-piracy of their games. If they release a Linux bootloader, then they have allowed Linux onto their platform. They sell these consoles at below cost and make their money on games. Razors and blades. From an economic standpoint, either presented option is totally unacceptable.

Also, if Microsoft plays along, there is no guarantee that the exploits will not get released, or more likely, discovered by others.. In fact, I believe they are only being baited, and these exploits will be released anyway. I can't envision Microsoft giving in to any demands, of any type, let alone a signed Linux bootloader for the XBox..

Expect Microsoft to create a third option. Expect lawsuits. Expect someone to get arrested. The DMCA will play an obvious role. I could see them attacking Huang just for drill.. This will be a developing story..


Security Implications of IPv6 - Mike Warfield
Topic: Computer Security 2:56 am EDT, Jun 11, 2003

The size of the IPv6 address space makes scanning for victim computers in a properly managed network as difficult as a brute force attack on an encryption system. Of course, it also makes scanning your own network for backdoors and trojans just as difficult. Furthermore, crackers are using IPv6 to encapsulate traffic, hiding it from intrusion detection systems.

This is a fun paper if you are into network security.


Secret Handshakes from Pairing-Based Key Agreements
Topic: Computer Security 7:26 pm EDT, Jun 10, 2003

This scheme allows Alice to ask Bob if Bob is a warez site, but if it turns out that Bob is the RIAA he cannot prove that Alice asked for warez, and if it turns out that Alice is the RIAA she cannot prove that Bob is a warez site.


IE beta plugs document leaks | CNET News.com
Topic: Computer Security 10:59 pm EDT, May 22, 2003

] Microsoft released a plug-in for Internet Explorer that
] is designed to protect sensitive documents from
] unauthorized editing or copying--an early step in its
] effort to encourage corporations to use its software to
] share sensitive information.
]
] The Rights Management Add-on, available in a beta, or
] test version, allows permitted users to view files, the
] company said. The Web browser plug-in is meant to help
] companies protect sensitive documents, e-mail and other
] Web-based data from being manipulated, forwarded or
] copied by unauthorized individuals.


The Register | 'Relax, It Was a Honeypot'
Topic: Computer Security 8:15 pm EDT, May 19, 2003

] I fully expected ISS to respond with a "we have
] identified the administrator that failed to patch the
] system in question, and have forced him to drink
] buttermilk while watching home movies of Janet Reno in a
] leather teddy. We are confident that this will not happen
] again."
]
] But they didn't.
]
] Instead, ISS revealed that the hacked site, the one from
] which students and universities around the world
] downloaded free versions of BlackICE to protect
] themselves from hackers, was in reality a cleverly
] disguised, purposefully vulnerable honeypot,
] strategically placed in this hostile environment to
] collect and analyze the actions of evil hackers.


CNN.com - N. Korean training hackers, Seoul says - May. 16, 2003
Topic: Computer Security 6:08 pm EDT, May 16, 2003

] North Korea is training around 100 computer hackers each
] year to boost its cyber-warfare capabilities, pushing the
] South to fortify its own computer security, a South
] Korean military official said on Friday.

The main reason this seems off base to me is the "100 hackers each year" thing. I have a feeling tracking down 100 computers in North Korea is a hell of a challenge, let alone 100 hax0rs with clue. Not to mention a decent net connection for them to search out tools over, keep up to date on discovered sploits, etc.. The thing that is going to make a cracker a danger isn't a set selection of skills that the other 99 also have, but rather the ability to think on their feet and learn on the fly.. That takes time and experience. I see this situation being very hard to cultivate, as it would require their cracker-corps to be constantly working on their skills, finding new sploits, etc.. It would require access to many of the devices/software they are interested in hacking, which is going to be nearly impossible for them.. I imagine the resources for this all are very slim..

That number also leads me to believe that their intent is not to have their hacker-corps working out of North Korea, but rather send them out of the country and have them work elsewhere. North Korea proper would likely be very easy to cut off from the rest of the world in the event of a conflict, rendering their hacker teams useless.. They would have to be stationed in many places outside North Korea to be useful.

Now, if North Korea had crackers spread out all over the globe, working together to form some l33t North Korea cracker-corps, this might be logical.. Otherwise, it's very unlikely to exist, or be a real danger. Of course, that also implies that North Korea has their shit together, something I don't think is likely. It's more likely that they have 100 people in North Korea who are being called "hackers" and being "trained on hacking", even though most of them have never actually used a real computer for more than 5 min.

This is probably another case of North Korea trying to give the impression to South Korea (and everyone else) it is more dangerous than it actually is.. They have 4 skilled and loyal hax0r kiddies, and somehow it became "100 every year".. Don't they have 300 nukes aimed at the US right now? Heh. Two or three maybe. (And more on the way, but that's another story..)

There is also another option.. North Korea has zero to do with this, and South Korea is just trying to pump up some fear in order to get its people to take computer security more seriously.. Slammer did really take them for a spin. They have reason to be concerned.


NYPOST.COM World News: 9/11 PLOT HIDDEN IN E-PORN By NILES LATHEM
Topic: Computer Security 5:34 pm EDT, May 10, 2003

] Chilling details of al Qaeda's secret communications
] system - and the possibility of widespread knowledge that
] the devastating attacks on New York and Washington were
] in the works - were unveiled in a courtroom in Milan,
] where a group of Islamic militants are on trial for
] supporting al Qaeda's terrorist activities.
]
] According to reports in the Corriere della Sera newspaper
] and on ABC News' Web site, the secret communications were
] discovered during a November 2001 raid on the Via
] Quaranta mosque in Milan, where police confiscated 11
] computers.

] Investigators believe cell members were using a process
] called stenography, in which special software allows a
] text message to be hidden inside a small part of a
] computer photograph.


Secunia - Advisories - Microsoft Browser Fall Down Go Boom 5 Line HTML Funfun
Topic: Computer Security 4:01 am EDT, May  3, 2003

] A vulnerability identified in a library included in
] Windows XP and Internet Explorer version 4.0 and newer
] can be exploited to cause a DoS (Denial of Service) on
] certain applications.
]
] The vulnerability is caused due to a NULL pointer
] dereference bug in Microsoft Shell Light-Weight Utility
] Library ("shlwapi.dll"). A malicious person can exploit
] the vulnerability by constructing a special HTML
] document, which will crash applications using the
] vulnerable library.
]
] An example was provided in the original advisory:
]
] <html>
] <form>
] <input type crash>
] </form>
] </html>

Bahaha! Trustworthy Computing... Bahahaha!!


Harvard Crimson | Swipe Card Hack Prompts Complaint
Topic: Computer Security 5:02 pm EDT, Apr 17, 2003

From: Joe Klein [jsklein@x]
To: SE2600 List [root at don't-you-dare se2600.org]
Subject: RE: [se2600] RE: Swipe Card Hack Prompts Complaint
Date: Thu, 17 Apr 2003 13:42:46 -0400

Response sent to author:

Ms. Kicenuik,

Thank you for the article, but I think you have been misinformed.

Fact 1: Banks and other financial institutes are required by law to secure financial transactions between and over networks. Even on the Internet, financial transactions are secured using ssl encryption. Blackboard, now acting like a financial network, is not using secure communications.

Fact 2: BlackBoard has other products which have had vulnerabilities over the last 4 years. Apparently, they have a history of slow response to security problems.

Fact 3: Harvard signed a contract, releasing BlackBoard of all liability, in the use of their product. Any financial loss because of the lack of security in the BlackBoard systems, will be absorbed by Harvard.

Fact 4: This problem was reported to the BlackBoard company 6 months ago. This delay of addressing the security vulnerability only exposes blackboard customers and not Blackboard company.

Fact 5: The majority of hackers are not caught, so focusing on prosecution of the crime and not securing the system, would be considered a lack of due diligence. Therefore holding the Blackboard customers again, liable for all loss.

Here is the backup information which substantiates the above facts.

Fact 1:
http://www.nist.gov/public_affairs/releases/g01-111.htm
http://www.federalreserve.gov//boarddocs/rptcongress/annual98/ann98.pdf
Fact 2:
http://www.avet.com.pl/pipermail/bugdev/2003-January/001972.html
http://www.kb.cert.org/vuls/id/ADHR-5KCKAQ
http://www.securiteam.com/securitynews/5FP0P0K8UC.html
http://www.securitytracker.com/alerts/2003/Jan/1005961.html
http://icat.nist.gov/icat.cfm?cvename=CAN-2002-1007
http://www.securiteam.com/securitynews/5EP0B2A7QO.html
http://www.safermag.com/html/safer27/alerts/21.html
2003-01-25: Blackboard Learning System search.pl SQL Injection Variant Vulnerability
2003-01-21: Blackboard Learning System search.pl SQL Injection Vulnerability
2002-07-01: Blackboard Cross-Site Scripting Vulnerability
2000-07-18: Blackboard CourseInfo 4.0 Database Modification Vulnerability
2000-07-10: Blackboard CourseInfo 4.0 Plaintext Administrator Password Vulnerability

Fact 3:
http://www.uky.edu/Purchasing/uk-0215-2pct.pdf
http://www.rsc-sw-scotland.ac.uk/mleresponses/blackboard.htm

Fact 4:
http://www.edifyingfellowship.org/~overcode/bb-faq.html

Fact 5:
http://news.com.com/2009-1017-912708.html
http://abcnews.go.com/sections/tech/DailyNews/microsoft_hacked001031.html

Now here is the challenge to you, how about writing an article which
addresses the facts.

Snagged from the SE2600 mailing list.
