lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 25 Jan 2012 14:16:01 -0600
From: adam <adam@...sy.net>
To: karma cyberintel <karmacyberintel1@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Faux Anonymous hackers to Facebook: 'We're
	not playing'

If we cared, we'd visit that site of our own volition. Secondly, even if we
were interested: most of the people on these lists are intelligent enough
not to click on links from spammers. Third, even if the content were
interesting, even if this were the place for it and even if you hadn't
spammed: "pay and register" is incentive enough for me *not* to join and *
not* to ever visit that site again.

Short version: this purpose of this list isn't for you to spam your new
state-of-the-art website. Instead, it's typically to discuss/disclose
issues/concepts related to computer/network security. Once in a while,
there are discussions about the overflowing stupidity that some site
owners/coders have. For example, people that stupidly (and blindly) inject
code (e.g. for tracking purposes) into every single file on their site,
regardless of extension:

http://www.karmacyberintel.net/robots.txt

Another one is blatantly disclosing paths in robots.txt that aren't even
linked to and would never be found anyway (at least by bots that honor
robots.txt, which ends up being the exact opposite of the desired effect).
An example of how/why this can be a problem:

md5sum of tiny_mce.js off your server is 9754385dabfc67c8b6d49ad4acba25c3,
if we perform a simple Google search - we can determine that you're likely
running version 3.3.1 of Wordpress. From there, we have enough information
to perform a targeted attack on your server. Except, we don't need to
because you've already made it more than easy enough for us.

Pretty much every single field on http://www.karmacyberintel.net/pay/ is
vulnerable to SQL injection, which could easily allow anyone to completely
compromise the database and possibly the entire site. On top of that,
register.php also allows for session fixation attacks, as a result of
header/cookie manipulation. If that weren't bad enough, the admin section
for your karma theme is also vulnerable to cross-site scripting.

Not to mention, all the problems with with how you've configured SSL and
everything else. If you're going to spam, at least make sure the website
you're spamming has been tested and determined to be *somewhat* secure.


On Tue, Jan 24, 2012 at 11:31 PM, karma cyberintel <
karmacyberintel1@...il.com> wrote:

> *UPDATE* After attacking several government sites to protest
> controversial US legislation in past weeks, hacktivist group Anonymous is
> setting its sights on one of the Internet's biggest targets: Facebook. Or
> maybe not.
>
> Sources Form karmacyberintel.net
>
> for more details
>
>
> http://www.karmacyberintel.net/2012/01/faux-anonymous-hackers-to-facebook-were-not-playing/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ