lists.openwall.net: Open Source and information security mailing list archives
From: lorenzohgh at nsrg-security.com (Lorenzo Hernandez Garcia-Hierro)
Subject: Explanations about the NASA security issues and confused people

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,
Some people are a little confused with the NASA-related security
issues and my advisory,
so I'm explaining the confusing things:

1.- NASA staff always knew what I was doing; I sent messages to
administrators before doing anything.

2.- John R. Ray of the NASA Competency Center (Information
Technologies Security) contacted me to solve the issues.

3.- The report was completely closed to public access while the
systems were vulnerable.

4.- I provided an access code for the NASA staff to see the advisory.

5.- I was testing the vulnerabilities the whole time, and when I found
that the most important ones were patched, I made the advisory public
with some restrictions.

6.- Of course, I wrote a disclaimer that can be found on the main
web site and at http://advisories.nsrg-security.com/disclaimer.txt

7.- A mail log that has all the mail exchanged between NASA staff and
me (and an action log too, with dates and details) is available at:
     http://advisories.nsrg-security.com/Nasa.gov-MV/mail-log.txt
     So, please, be careful saying that I made it public without
contacting the NASA staff first.

8.- In the report there is no private information about NASA, nor
working exploits against important security holes like SQL
injections.

9.- Screenshots are modified to remove private URL addresses (like
the www.nasa.gov portal admin access).

10.- Some people were saying that I wanted fame by doing it; definitely
not. I made it to demonstrate that web security is a real problem
and a thing that must be included in the security policies of
enterprises.
The next generation of hackers will be able to do damage to servers
with only the help of a web browser; the web browser will be a
really dangerous hacking tool, and it is not the future, it is now.
Just see the latest advisories about phpnuke, etc.

11.- The communication between NASA staff and me was completely clear,
except that I didn't receive a response after I sent a message
confirming that the report was finished and they had the access code
to see it.

CONCLUSIONS

It was a completely clear job between NASA staff and me; they were
really fast patching (one day) and really fast replying to my first
email.

The important thing is that NASA staff now knows which risks web
application security carries and how to solve web application security
issues.

Everything in this life has a final meaning; in this case: web
security must be treated like other security issues; if not, you are
at risk.

How many times must I rewrite this mail?

Best regards and thanks to all members of Full-Disclosure,
- -------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->\x74\x72\x75\x6c\x75\x78
0x02->The truth is out there,
0x03-> outside your mind .
__________________________________
PGP: Keyfingerprint
4ACC D892 05F9 74F1 F453  7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**********************************
\x6e\x73\x72\x67
\x73\x65\x63\x75\x72\x69\x74\x79
\x72\x65\x73\x65\x61\x72\x63\x68
http://www.nsrg-security.com
______________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2 - not licensed for commercial use: www.pgp.com

iQA/AwUBP5mrUGtOtT6RgF9bEQJIUgCgmaM3jY+shypYqaZcVpVmCsmJga8An2zo
UcSSgu3EGINIJ0nLEK7Cczii
=GsOj
-----END PGP SIGNATURE-----