MemeStreams
wilpig
Current Topic: Computer Security

The Register | Slammer worm crashed Ohio nuke plant net
Topic: Computer Security 10:58 am EDT, Aug 21, 2003

] The Slammer worm penetrated a private computer network at
] Ohio's Davis-Besse nuclear power plant in January and
] disabled a safety monitoring system for nearly five
] hours, despite a belief by plant personnel that the
] network was protected by a firewall, SecurityFocus has
] learned.

Luckily the plant was offline due to other problems and has been since Feb 2002. But systems like this really should have better protection than what is described here.

The Register | Slammer worm crashed Ohio nuke plant net


'Good' Worm Fixes Infected Computers (TechNews.com)
Topic: Computer Security 10:49 pm EDT, Aug 19, 2003

] A new Internet worm emerged today that is designed to
] seek out and fix any computer that remains vulnerable to
] "Blaster," the worm that attacked more than 500,000
] computers worldwide last week.

'Good' Worm Fixes Infected Computers (TechNews.com)


SecurityFocus HOME Columnists: The Sad Tale of a Security Whistleblower
Topic: Computer Security 5:20 pm EDT, Aug 18, 2003

] Bret McDanel was dissatisfied with his former employer,
] Tornado Development, Inc. Tornado provided internet
] access and web-based e-mail to its clients. However,
] McDanel apparently discovered a flaw in the web-mail that
] would permit malicious users to piggyback a previous
] secure session

I hate hearing about people getting fines and having to serve jail time for discovering a hole. In this case, though, he may have stepped over the line by informing all of their customers.

SecurityFocus HOME Columnists: The Sad Tale of a Security Whistleblower


SecurityFocus HOME News: RPC DCOM Worm Hits the Net
Topic: Computer Security 10:14 am EDT, Aug 12, 2003

] A malicious worm that exploits last month's RPC
] DCOM vulnerability struck the Internet Monday
] afternoon, targeting unpatched Windows 2000 and
] Windows XP machines.
]
] The worm, dubbed "Blaster" and "LovSan" by security
] and anti-virus companies, attacks vulnerable
] machines over TCP port 135, then spawns a shell
] and initiates a TFTP file transfer to retrieve the
] worm's code.

Well, get ready: the worm is set to DoS windowsupdate.microsoft.com starting this Saturday, 09/15/2003. For more information, Symantec has a good write-up on the worm at http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.html

SecurityFocus HOME News: RPC DCOM Worm Hits the Net
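A detection-side illustration of the propagation pattern the quoted article describes (an inbound TCP/135 connection followed by a TFTP fetch back to the same host), added here as an example and not part of the original post or the SecurityFocus article; the log format and sample lines are constructed.

```python
"""Correlate connection records for the Blaster propagation pattern:
an inbound TCP/135 connection followed, within a short window, by a
TFTP (UDP/69) transfer from the victim back to the same source host.
The log format and the sample lines are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: "<date> <time> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2003-08-11 15:02:10 TCP 10.9.8.7:3322 -> 192.168.1.20:135
2003-08-11 15:02:14 UDP 192.168.1.20:1035 -> 10.9.8.7:69
2003-08-11 15:03:00 TCP 10.9.8.7:3390 -> 192.168.1.21:135
2003-08-11 15:04:05 TCP 192.168.1.30:2222 -> 192.168.1.20:135
2003-08-11 15:20:00 UDP 192.168.1.21:1040 -> 10.9.8.7:69
"""


def parse_line(line):
    """Return (timestamp, proto, src_ip, dst_ip, dst_port) for one record."""
    date, time, proto, src, _, dst = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, proto, src.rsplit(":", 1)[0], dst_ip, int(dst_port)


def find_blaster_candidates(log_text, window=timedelta(seconds=60)):
    """Flag (attacker, victim) pairs where a TCP/135 connection from
    attacker to victim is followed within `window` by a UDP/69 (TFTP)
    connection from victim back to attacker. Records are assumed to be
    in time order, as a firewall or flow log normally is."""
    rpc_hits = defaultdict(list)  # (attacker, victim) -> [timestamps]
    candidates = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, dport = parse_line(line)
        if proto == "TCP" and dport == 135:
            rpc_hits[(src, dst)].append(ts)
        elif proto == "UDP" and dport == 69:
            # The TFTP client is the victim (src); the server is the
            # attacker (dst), so look up the reversed pair.
            for t0 in rpc_hits.get((dst, src), []):
                if timedelta(0) <= ts - t0 <= window:
                    candidates.append((dst, src))
                    break
    return candidates


if __name__ == "__main__":
    print(find_blaster_candidates(SAMPLE_LOG))
```

The third and fifth sample lines are deliberately 17 minutes apart, so they fall outside the window and are not flagged; the fourth line has no TFTP follow-up at all.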


Disclosure of Major Software Exploits by Students?
Topic: Computer Security 5:34 pm EDT, Aug 11, 2003

] "I am a U.S. university student who has recently come
] across 2 remote exploits for a homework program used by
] colleges nationwide. Both vulnerabilities allow students
] to give themselves arbitrary scores, and possibly execute
] arbitrary code. To further emphasize the scope of this
] vulnerability, I have written and -selftested
] proof-of-concept exploit code. Naturally, I want to share
] this information with their software engineers, and would
] even be nice enough and suggest a means to fixing it.
] However, with the state of current intellectual property
] and reverse-engineering laws, I hesitate to do so out of
] fear of litigation or academic disciplinary action. As an
] ethical geek, what do -you- do?"

This sounds familiar.

Disclosure of Major Software Exploits by Students?


Interz0ne Press Release - re: Blackboard Settlement
Topic: Computer Security 8:15 pm EDT, Jul 20, 2003

From speech_freedom2002@yahoo.com Wed Jul 16 10:59:47 2003
Date: Wed, 16 Jul 2003 06:14:52 -0400
From: Rockit [speech_freedom2002@yahoo.com]
Reply-To: root@se2600.org
To: root@se2600.org
Subject: [se2600] Interz0ne Press Release re: Blackboard Settlement

Interz0ne Press Release:

Censorship via lawsuit wins again.

Lawyers working for Blackboard Inc., the maker of a card transaction, vending and ID system used by approximately 275 colleges and universities globally, as well as an undisclosed number of government and military installations, succeeded in silencing two college students who have found numerous flaws in Blackboard's flagship product over the last two years.

Georgia Tech student Billy Hoffman, along with University of Alabama student Virgil Griffith, initially kept the discoveries quiet while attempting to report them to Blackboard engineers, along with possible fixes. Traditionally, the discoverers of such flaws allow the vendors time to fix problems before going public; this provides the vendors with essentially free quality control labor while the discoverers get later bragging rights and items to pad their resumes. This unofficial system has worked well in the past, to the extent that Blackboard even boasts of working with the hacker community on their website.

Instead of taking an interest in news of these flaws, however, Blackboard engineers first dismissed Hoffman as a know-nothing "kid", then attempted to have him expelled from Georgia Tech after he voiced his concerns about Tech's Blackboard system to campus administrators and student organizations. Hoffman responded by first publishing his (and later Griffith's) findings, and then updating his articles via talks at various vendor and security conferences.

It was at such a conference, Interz0ne II in Atlanta, that Hoffman and Griffith were planning to discuss the most severe problems they had uncovered to date, including a demonstration of several easy-to-assemble hardware devices that could supposedly allow anyone with malicious intent free rein on a Blackboard system.

Hoffman and Griffith never gave their talk.

Instead, they and the convention organizers were served with both restraining orders and cease and desist orders. Court dates soon followed, along with legal threats. Several months after the convention, both Hoffman and Griffith settled out of court. They refuse to discuss the issue, so one can assume that the settlement includes an NDA.

Blackboard spokesdrone Michael Stanton stated to AP reporters on Monday, July 14th (a day before the settlement was officially filed) that "...the claims [Hoffman and Griffith] were making were silly," that "...they really didn't do a lot of the things they were claiming to [have done]" and that the settlement reaffirms that Blackboard's systems are secure.

Bullshit.

The settlement does nothing of the sort.

If Hoffman and Griffith's clai... [ Read More (0.4k in body) ]

Interz0ne Press Release - re: Blackboard Settlement


Group claims Linux advance on Xbox | CNET News.com
Topic: Computer Security 1:56 pm EDT, Jun 30, 2003

] A group of Xbox security researchers say they have found
] a way to run Linux on the Xbox game console without a
] so-called mod chip and will go public with the technique
] if Microsoft won't talk to them about releasing an
] official Linux boot loader.

] Muir says the release of the claimed series of exploits,
] one of which is in the Xbox Dashboard utility, factory-
] installed on the Xbox hard drive, could be disastrous for
] games companies intent on preventing piracy. If genuine,
] the exploits would let anyone with even a slight technical
] knowledge "reflash" the Xbox BIOS, allowing users to
] pirate games. The only hardware modification necessary is
] a dollop of solder on the write-enable pads on the
] motherboard.

Very interesting.

This is a nightmare situation for Microsoft. If they do nothing, exploits will be released enabling mass-piracy of their games. If they release a Linux bootloader, then they have allowed Linux onto their platform. They sell these consoles at below cost and make their money on games. Razors and blades. From an economic standpoint, either presented option is totally unacceptable.

Also, if Microsoft plays along, there is no guarantee that the exploits will not get released, or, more likely, discovered by others. In fact, I believe they are only being baited, and these exploits will be released anyway. I can't envision Microsoft giving in to any demands, of any type, let alone a signed Linux bootloader for the Xbox.

Expect Microsoft to create a third option. Expect lawsuits. Expect someone to get arrested. The DMCA will play an obvious role. I could see them attacking Huang just for drill. This will be a developing story.

Group claims Linux advance on Xbox | CNET News.com


Secret Handshakes from Pairing-Based Key Agreements
Topic: Computer Security 3:29 pm EDT, Jun 11, 2003

This scheme allows Alice to ask Bob if Bob is a warez site, but if it turns out that Bob is the RIAA he cannot prove that Alice asked for warez, and if it turns out that Alice is the RIAA she cannot prove that Bob is a warez site.

Secret Handshakes from Pairing-Based Key Agreements


Secunia - Advisories - Microsoft Browser Fall Down Go Boom 5 Line HTML Funfun
Topic: Computer Security 11:45 pm EDT, May  4, 2003

] A vulnerability identified in a library included in
] Windows XP and Internet Explorer version 4.0 and newer
] can be exploited to cause a DoS (Denial of Service) on
] certain applications.
]
] The vulnerability is caused due to a NULL pointer
] dereference bug in Microsoft Shell Light-Weight Utility
] Library ("shlwapi.dll"). A malicious person can exploit
] the vulnerability by constructing a special HTML
] document, which will crash applications using the
] vulnerable library.
]
] An example was provided in the original advisory:
]

Secunia - Advisories - Microsoft Browser Fall Down Go Boom 5 Line HTML Funfun


Harvard Crimson | Swipe Card Hack Prompts Complaint
Topic: Computer Security 11:40 am EDT, Apr 21, 2003

From: Joe Klein [jsklein@x]
To: SE2600 List [root at don't-you-dare se2600.org]
Subject: RE: [se2600] RE: Swipe Card Hack Prompts Complaint
Date: Thu, 17 Apr 2003 13:42:46 -0400

Response sent to author:

Ms. Kicenuik,

Thank you for the article, but I think you have been misinformed.

Fact 1: Banks and other financial institutes are required by law to secure financial transactions between and over networks. Even on the Internet, financial transactions are secured using SSL encryption. Blackboard, now acting like a financial network, is not using secure communications.

Fact 2: BlackBoard has other products which have had vulnerabilities over the last 4 years. Apparently, they have a history of slow response to security problems.

Fact 3: Harvard signed a contract releasing BlackBoard from all liability in the use of their product. Any financial loss because of the lack of security in the BlackBoard systems will be absorbed by Harvard.

Fact 4: This problem was reported to the BlackBoard company 6 months ago. This delay in addressing the security vulnerability only exposes Blackboard customers, not the Blackboard company.

Fact 5: The majority of hackers are not caught, so focusing on prosecution of the crime and not on securing the system would be considered a lack of due diligence, thereby again holding the Blackboard customers liable for all loss.

Here is the backup information which substantiates the above facts.

Fact 1:
http://www.nist.gov/public_affairs/releases/g01-111.htm
http://www.federalreserve.gov//boarddocs/rptcongress/annual98/ann98.pdf
Fact 2:
http://www.avet.com.pl/pipermail/bugdev/2003-January/001972.html
http://www.kb.cert.org/vuls/id/ADHR-5KCKAQ
http://www.securiteam.com/securitynews/5FP0P0K8UC.html
http://www.securitytracker.com/alerts/2003/Jan/1005961.html
http://icat.nist.gov/icat.cfm?cvename=CAN-2002-1007
http://www.securiteam.com/securitynews/5EP0B2A7QO.html
http://www.safermag.com/html/safer27/alerts/21.html
2003-01-25: Blackboard Learning System search.pl SQL Injection Variant Vulnerability
2003-01-21: Blackboard Learning System search.pl SQL Injection Vulnerability
2002-07-01: Blackboard Cross-Site Scripting Vulnerability
2000-07-18: Blackboard CourseInfo 4.0 Database Modification Vulnerability
2000-07-10: Blackboard CourseInfo 4.0 Plaintext Administrator Password Vulnerability

Fact 3:
http://www.uky.edu/Purchasing/uk-0215-2pct.pdf
http://www.rsc-sw-scotland.ac.uk/mleresponses/blackboard.htm

Fact 4:
http://www.edifyingfellowship.org/~overcode/bb-faq.html

Fact 5:
http://news.com.com/2009-1017-912708.html
http://abcnews.go.com/sections/tech/DailyNews/microsoft_hacked001031.html

Now here is the challenge to you: how about writing an article which addresses the facts?

Snagged from the SE2600 mailing list.

Harvard Crimson | Swipe Card Hack Prompts Complaint

