Full Disclosure mailing list archives

[Full-Disclosure] RE: Full-disclosure digest, Vol 1 #649 - 5 msgs
From: "Hillier, Paul" <Paul.Hillier () landg com>
Date: Wed, 12 Mar 2003 09:45:25 -0000

Firewall disablers

http://cryptome.org/dirty-antisec.htm

AntiSecTM is an Anti-Firewall application
AntiSecTM searches for all known firewalls
AntiSecTM kills the running process
AntiSecTM replaces the running icon seamlessly
AntiSecTM allows stealth FTP connection
AntiSecTM effectively kills target's security

[Firewall icons shown:] 

Boshield.ico
Esafe.ico
cyberwall.ico
Atguard1.ico
Blackice.ico
zonealarm.ico
lockdown2000.ico
neverhack.ico
Jammer1.ico
eTrust Intrusion Detection.ico 

http://cryptome.org/dirty-antisec.zip

courtesy of www.whitetigersecurity.com


-----Original Message-----
From: full-disclosure-request () lists netsys com
[mailto:full-disclosure-request () lists netsys com]
Sent: 11 March 2003 17:00
To: full-disclosure () lists netsys com
Subject: Full-disclosure digest, Vol 1 #649 - 5 msgs


Send Full-Disclosure mailing list submissions to
        full-disclosure () lists netsys com

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.netsys.com/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
        full-disclosure-request () lists netsys com

You can reach the person managing the list at
        full-disclosure-admin () lists netsys com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."


Today's Topics:

   1. Re: Bypassing Black Ice PC protection? (Darwin)
   2. Re: Bypassing Black Ice PC protection? (Curt Wilson)
   3. Problem installing Linksys network card with Suse Linux 7.2 (it misc)
   4. Problem installing Linksys network card with Suse Linux 7.2 (it misc)
   5. RE: Security Certifications (Curt Purdy)

--__--__--

Message: 1
From: "Darwin" <darwin () netmadeira com>
To: <netw3_security () hushmail com>, <incidents () securityfocus com>
Cc: <full-disclosure () lists netsys com>
Subject: Re: [Full-disclosure] Bypassing Black Ice PC protection?
Date: Tue, 11 Mar 2003 01:19:41 -0000

----- Original Message -----
From: "Curt Wilson" <netw3_security () hushmail com>

Recently seen: what appears to be an attacker bypassing Black Ice PC
protection through unknown methods.

Check this article:
http://security-archive.merton.ox.ac.uk/bugtraq-200302/0268.html

It describes a way to bypass personal firewalls.

Cheers,

Paulo


--__--__--

Message: 2
Date: Mon, 10 Mar 2003 19:58:05 -0800
To: incidents () securityfocus com, darwin () netmadeira com
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Bypassing Black Ice PC protection?
From: "Curt Wilson" <netw3_security () hushmail com>
Reply-To: netw3_security () hushmail com




This e-mail (and any attachments) may contain privileged and/or confidential information. If you are not the intended 
recipient please do not disclose, copy, distribute, disseminate or take any action in reliance on it. If you have 
received this message in error please reply and tell us and then delete it. Should you wish to communicate with us by 
e-mail we cannot guarantee the security of any data outside our own computer systems. For the protection of Legal & 
General's systems and staff, incoming emails will be automatically scanned.
 
Any information contained in this message may be subject to applicable terms and conditions and must not be construed 
as giving investment advice within or outside the United Kingdom.
 
Representative only of the Legal & General marketing group, members of which are regulated by the Financial Services 
Authority for the purposes of advising on life assurance and investment products bearing Legal & General's name. 
Legal & General Group PLC, Temple Court, 11 Queen Victoria Street, London, EC4N 4TP. 
Registered in England no: 166055.


Paulo + everyone, the techniques mentioned in that bugtraq message mentioned
here are applicable from WITHIN the host protected by a personal firewall,
so if a malicious applet or some other malware took control of the system
from a local administrator for instance, the firewall could be easily
bypassed from that side. This is not what I'm seeing. What I've seen is an
Internet based attacker getting TCP SYN packets through Black Ice PC
Protection, reaching an application (FTP server). If the IP was blocked at
the system's 'edge', then the FTP server log should not have shown any such
IP address entry, because as far as the FTP server *should* know, there was
no connection attempt. The attacker did not actually start a session with
the FTP server due to IP based access control within the server itself.
Still, seeing Black Ice be 'melted' as a friend said, is troubling. I've
double-checked the firewall rules and there is nothing that specifies that
this IP should be allowed through.

Since the attacker, or more likely the attacker's script, was rejected by the
FTP application, I don't know how likely it is that this specific attacker
will come back so I can capture his methods in more detail.

I'll be working on reproducing this behavior myself, but if anyone has
additional info please drop me a line. If I can reproduce then I'll talk to
ISS.

On Mon, 10 Mar 2003 17:19:41 -0800 Darwin <darwin () netmadeira com> wrote:
----- Original Message -----
From: "Curt Wilson" <netw3_security () hushmail com>

Recently seen: what appears to be an attacker bypassing Black Ice PC
protection through unknown methods.

Check this article:
http://security-archive.merton.ox.ac.uk/bugtraq-200302/0268.html

It describes a way to bypass personal firewalls.

Cheers,

Paulo


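Curt's check above (an IP dropped at the host's edge should never show up in the application's own log) can be automated as a cross-check between the firewall's block log and the FTP server's log. This is an added example, not code from the thread or from ISS; the log formats, addresses and deny rules are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample logs. The formats are invented for this example and are
# not BlackICE's or any real FTP server's log format.
FIREWALL_LOG = """\
2003-03-10 18:02:11 BLOCK TCP 203.0.113.7:4711 -> 192.0.2.10:21
2003-03-10 18:02:15 BLOCK TCP 198.51.100.23:1045 -> 192.0.2.10:21
"""
FTP_LOG = """\
2003-03-10 18:02:12 connect from 198.51.100.23 refused (acl)
2003-03-10 18:05:40 connect from 198.51.100.44 refused (acl)
2003-03-10 18:09:01 connect from 192.0.2.55 user bob logged in
"""
# Deny rules the firewall is supposed to enforce (constructed).
DENY_RULES = ["198.51.100.0/24", "203.0.113.7/32"]

FW_RE = re.compile(r"BLOCK TCP (\d+\.\d+\.\d+\.\d+):\d+ -> \S+:(\d+)$")
FTP_RE = re.compile(r"connect from (\d+\.\d+\.\d+\.\d+)")

def blocked_ips(firewall_log, port=21):
    """Source IPs the firewall claims it dropped on the given port."""
    out = set()
    for line in firewall_log.splitlines():
        m = FW_RE.search(line)
        if m and int(m.group(2)) == port:
            out.add(m.group(1))
    return out

def ftp_client_ips(ftp_log):
    """Every source IP the FTP server itself saw a connection from."""
    return {m.group(1) for m in map(FTP_RE.search, ftp_log.splitlines()) if m}

def matches_deny(ip, rules):
    """True if any deny rule (CIDR) covers this source address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(rule) for rule in rules)

def leaked_ips(firewall_log, ftp_log, rules):
    """IPs covered by a deny rule that nevertheless reached the FTP server.
    'blocked-but-reached' means the firewall logged a drop yet the packet
    still arrived; 'no-block-logged' means the filter never recorded it."""
    blocked = blocked_ips(firewall_log)
    result = {}
    for ip in ftp_client_ips(ftp_log):
        if matches_deny(ip, rules):
            result[ip] = "blocked-but-reached" if ip in blocked else "no-block-logged"
    return result
```

Either finding is worth following up: a source that reaches the application despite a matching deny rule means the filter was bypassed, whether or not it logged a drop.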

--__--__--

Message: 3
Date: Mon, 10 Mar 2003 22:25:34 -0800 (PST)
From: it misc <itmisc () yahoo com>
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Problem installing Linksys network card with Suse
Linux 7.2


Hi:

I am trying to configure my Linksys network card to work with Suse Linux
7.2.

I downloaded the latest tulip.c from
ftp://ftp.scyld.com/pub/network/tulip.c. I put it into directory
/usr/src/linux/drivers/net. As I recompiled the kernel, I ran into errors.

System Information: Pentium II 412MHz, 224MB RAM, 10GB Western Digital hard
drive.

If anyone ran into a similar problem and was able to fix it, please help me
out.

Thank you very much for your help.

Henry Tran




--__--__--

Message: 4
Date: Mon, 10 Mar 2003 22:51:43 -0800 (PST)
From: it misc <itmisc () yahoo com>
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Problem installing Linksys network card with Suse
Linux 7.2


Hi:

I am trying to configure my Linksys network card to work with Suse Linux
7.2.

I downloaded the latest tulip.c from
ftp://ftp.scyld.com/pub/network/tulip.c. I put it into directory
/usr/src/linux/drivers/net. As I recompiled the kernel, I ran into errors.

Network card Info: EtherFast 10/100 LAN Card, LNE100TX Version 4.0

System Info: Pentium II 412MHz, 224MB RAM, 10GB Western Digital hard drive.

I appreciate any help.

Thank you very much.

Henry Tran




--__--__--

Message: 5
From: "Curt Purdy" <purdy () tecman com>
To: "'B3r3n'" <B3r3n () argosnet com>, "'hellNbak'" <hellnbak () nmrc org>,
   "'Ron DuFresne'" <dufresne () winternet com>
Cc: "'Rizwan Ali Khan'" <rizwanalikhan74 () yahoo com>,
   <full-disclosure () lists netsys com>, <security-basics () securityfocus com>,
   <certification () securityfocus com>
Subject: RE: [Full-disclosure] Security Certifications
Date: Tue, 11 Mar 2003 06:33:06 -0600

hilarious.  cept the fee is $450, not $2k.

Curt Purdy CISSP, MCSE+I, CNE, CCDA
Senior Systems Engineer
Information Security Engineer
DP Solutions

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke


-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of B3r3n
Sent: Friday, March 07, 2003 1:01 PM
To: hellNbak; Ron DuFresne
Cc: Rizwan Ali Khan; full-disclosure () lists netsys com;
security-basics () securityfocus com; certification () securityfocus com
Subject: Re: [Full-disclosure] Security Certifications


Guys,

Never read the CISSP trojan? Nice no?

_________________________________________
Security Advisory MA-2003-01     CISSP - Trojan Security Certification


Original Release Date: Thursday January 16, 2003
Last Revised: --
Source: --

Systems Affected

         o Information Security Community
         o Information Technology Employers
         o Information Security Consultants


Overview

It has recently been identified that The International Information Systems
Security Certification Consortium (CISSP) has developed and released a
potentially destructive trojan application, which masquerades as a valid
standard for professional certification in the field of information
security.


I. Description

Delivered in the benign form of a six hour examination, the CISSP prompts the
target user with a series of 250 questions regarding the following topics:

         o Access Control Systems & Methodology
         o Applications & Systems Development
         o Business Continuity Planning
         o Cryptography
         o Law, Investigation & Ethics
         o Operations Security
         o Physical Security
         o Security Architecture & Models
         o Security Management Practices
         o Telecommunications, Network & Internet Security

This rather large payload, commonly referred to as the Common Body of
Knowledge (CBK), may cause a Denial of Service situation, leaving the
target overwhelmed and unable to respond to further requests during the
duration of the attack.  If the target handles the Denial of Service attack
appropriately, and is unaffected, the CISSP trojan discontinues this attack,
and self-mutates into a certification of added IS credibility. If accepted by
the target, this certification begins to cause the following symptoms:

         o Increase in self-confidence
         o Increase in salary requirements
         o False sense of accomplishment
         o False sense of self-improvement

Despite the symptoms, the target experiences no real benefit
whatsoever.  The affected target then is made to transfer funds in excess
of $2,000 (US) to a remote bank account owned by ISC2.  Finally, the
affected target promotes itself to a "Certified Information Security
Expert" sans authentication.
The affected target may then infect others, eventually creating a massive
army of unskilled, prefabricated, shrink-wrapped, not for resale,
half-assed security engineers, consultants, and
"research scientists".


II. Impact

An abundance of sub-par information security engineers, consultants, and
"research scientists".

A negative impact on the economy, specifically within the Information
Technology sector.


III. Solution

Avoid any certifications issued by ISC2 until a patch is distributed.
Obtain information security related certifications from valid sources.
Employers are encouraged to recognize the CISSP as a trojan certification.


Appendix A - Vendor Information

International Information Security Certification Consortium, Inc.

(ISC)2 is the premier organization dedicated to providing information
security professionals and practitioners worldwide with the standard for
professional certification.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



--__--__--

_______________________________________________
Full-Disclosure mailing list
Full-Disclosure () lists netsys com
http://lists.netsys.com/mailman/listinfo/full-disclosure


End of Full-Disclosure Digest


