lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 23 Nov 2010 15:06:48 +0000
From: Benji <me@...ji.com>
To: "Mikhail A. Utin" <mutin@...monwealthcare.org>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: virus in email RTF message MS OE almost
	disabled

*throws his The CISSP Prep Guide: Gold Edition away, picks up Security for
Dummies*


On Tue, Nov 23, 2010 at 3:03 PM, Mikhail A. Utin <mutin@...monwealthcare.org
> wrote:

> This my final reply.
> For still interested:
> - it happened on my home PC
> - immediately disconnected (for a few interested people I can forward email
> to taste this thing after receiving appropriate paperwork)
> - it is beyond MS released SPs for Office and Windows
> - using this list is OK as we discuss vulnerabilities
> - using corporate email is not prohibited to discuss professional topics
> - public emails, charts/IM, social sites are prohibited by policies
>
> Sorry, I was looking for a few short ideas and mostly for known cases, but
> not lecturing. I'll fix it, not a big deal. Expect others as having some
> knowledge as well and do not waste time. BTW, certifications help in all
> covered matters, believe me. Even in understanding that other may know
> something and do have certain experience.
>
> If you know such cases, please, reply. Otherwise do not waste your and
> computer energy.
>
> Thank you
>
> Mikhail A. Utin, CISSP
> Information Security Analyst
> Commonwealth Care Alliance
> 30 Winter St.
> Boston, MA
> TEL: (617) 426-0600 x.288
> FAX: (617) 249-2114
> http://www.commonwealthcare.org
> mutin@...monwealthcare.org
>
>
> -----Original Message-----
> From: Ryan Sears [mailto:rdsears@....edu]
> Sent: Monday, November 22, 2010 5:41 PM
> To: Thor (Hammer of God)
> Cc: full-disclosure@...ts.grok.org.uk; Mikhail A. Utin
> Subject: Re: [Full-disclosure] virus in email RTF message MS OE almost
> disabled
>
> Yeah I've got to go with Thor on this one.
>
> You endangered your entire infrastructure by exposing internal defects in
> your (or your staffs) knowledge. That's a big no-no. Every company
> presumably has people in it who aren't the 'sharpest tools in the shed' so
> to speak, but in one email you've divulged more then enough information to
> mount a social-engineering attack to gain access to not only your home
> computer, but assuming you're using the same passwords for everything,
> *everything you run*.
>
> Don't ask questions about this kind of stuff on FULL-DISCLOSURE. This is a
> security mailing list, and you asking if you got a virus is equivalent to
> installing that retardo purple dancing monkey and being suprised it's
> backdoored your computer. You're going to be endlessly flamed for it,
> because you're wasting people's time to make you look like a fool.
>
> The fact that you're looking for newly installed executables is a joke,
> really. Most modern initial exploitation vectors have been built to run
> fully in memory, never hitting the disk. Also thanks to DLL migration you
> can instantly exploit then migrate to something like explorer.exe. You
> should've been looking for network connections as opposed to an entry in
> your uninstall menu saying 'l33t M$0FFICE expl0itz lul!'.
>
> While Thor's response might have been a bit sharp-tonged, I share his
> frustrations and agree with him whole-heartedly. Too many times our most
> important information is stored in the hands of people who either don't
> think about security, or blatantly ignore it. This is not only disturbing,
> but sad as well. What's the point in protecting my information on my private
> network if it's going to be poached when it enters YOUR hands? Hackers look
> for the path of least resistance, and operate on the old adage 'work smart,
> not hard'.
>
> You sir, are a classic example of why certifications and titles are a bad
> idea, and are currently failing our industry. How can you call yourself a
> 'genius' if you aren't actually one? How can a CISSP *not* know about basic
> virus/exploitation behavior? You're the equivalent to the people who go to a
> garage sale, buy a purple heart then tell everyone to call him 'sarge'. I'd
> say spend 10 min googling for some file format analyzers (which aren't the
> greatest but MIGHT catch blatant stuff like that assuming there's something
> there), then spend another 10 finding a professional to help you re-order
> your infrastructure, and look at your company through the eyes of a hacker,
> not just someone who read a few paragraphs on security then decided to call
> them-self a 'security professional'.
>
> Sorry if I seem impatient, but this is the *exact* behavior that all of our
> infrastructures should be not only curving,  but cauterizing with fire. If
> you don't understand about file-format vectors of attack, LEARN ABOUT THEM.
> Don't expect to get spoon-fed answers, but we live in a time where *any*
> question can be answered within a minute of googling, and that's if your
> google-fu ISN'T strong.
>
> Google-fu. That's how you become half-decent at anything now-a-days. There
> are vast communities centered around everything from web attacks, ring-0
> level exploits, wireless hacking, embedded devices, and everything else
> in-between. We all start off as n00bs, but the difference is the people who
> actually want to learn do, because they enjoy learning about it, and go seek
> the knowledge relevant to them. If you wanted any real help, you should've
> enclosed the file in question, not just said there was some mystery file
> that caused some cpu load. Welcome to Windows. That happens quite often.
>
> Ryan Sears
>
> ----- Original Message -----
> From: "Thor (Hammer of God)" <thor@...merofgod.com>
> To: "Mikhail A. Utin" <mutin@...monwealthcare.org>
> Cc: full-disclosure@...ts.grok.org.uk
> Sent: Monday, November 22, 2010 4:52:07 PM GMT -05:00 US/Canada Eastern
> Subject: Re: [Full-disclosure] virus in email RTF message MS OE almost
> disabled
>
> Keep it on the list.  No need for private emails if you need assistance -
> give everyone a chance!
>
> My response was far more useful than your post - "I got pwned by an Office
> virus by opening an attachment in OE - What could it be??"  Jeeze dude.  And
> I didn't give any "adice" about "Noton."  I said to get someone
> professional, which you *clearly* need to do.
>
> You should look up these guys:
> http://www.rubos.com/pisa.html
>
> Apparently they are Information System Security Professionals, and they are
> in the same town as you.  One even has a CISSP, so you KNOW that he knows
> what he is doing.  Funny thing is that he has the exact same name as you do.
>  What are the chances of that?  If these guys formed the company to sell
> services to businesses and individuals to comply with legal security and
> privacy requirements, then they should be able to figure out how to find an
> Office virus on XP, right?
>
> You can even join them as "Security professionals and experienced
> Information Sestems professionals are welcome."  I'm not sure what a
> "Sestems professional" is, but it must be very important work.
>
> Waste of time indeed.  Apple Stores are hiring "geniuses" for the holidays
> - even they know how to use XP and could help.
>
> t
>
>
>
>
>
> From: Mikhail A. Utin [mailto:mutin@...monwealthcare.org]
> Sent: Monday, November 22, 2010 1:26 PM
> To: Thor (Hammer of God)
> Subject: RE: virus in email RTF message MS OE almost disabled
>
> Your email is useless. It is on my home PC. If you have better adice than
> using Noton SW, then please use your mind to get something minigful.
> If you can name the virus or where to find its instance, it would be a
> help. Otherwise do not waste you and my time.
>
> From: Thor (Hammer of God) [mailto:thor@...merofgod.com]
> Sent: Monday, November 22, 2010 3:17 PM
> To: Mikhail A. Utin; full-disclosure@...ts.grok.org.uk
> Subject: RE: virus in email RTF message MS OE almost disabled
>
> You know, every time I start to get a bit of hope for what looks like an
> upward trend of businesses and organizations taking security seriously, I
> see crap like this.  Your organization is a Medicare prescription contractor
> with a national network of 61,022 contracted pharmacies, and not only are
> you running unpatched versions of old OS's and opening email attachments
> because they "look OK," but you have to post to Full Disclosure asking help
> for trivial virus detection and removal advice?   Now that everyone on FD
> knows that you are vulnerable and that you open email attachments, you've
> probably just caused the organization to be pwned 9 ways from Sunday.
>
> To answer your question, call a professional and have them do it.  And in
> the future, don't send out emails like this from your organization email
> announcing the state of your security.  That's what Hotmail is for.
>
> t
>
> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:
> full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Mikhail A. Utin
> Sent: Monday, November 22, 2010 7:18 AM
> To: full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] virus in email RTF message MS OE almost disabled
>
> Hello,
> Opening looking OK email message in my MS OE I've very likely got new kind
> of virus, which exploits MS Office flaw recently announced. Immediately
> after, my OE started consuming huge memory when I switched between folders
> or messages. I've not seen any process in Task Manager taking up to 1 GB
> memory (physical is 512M). I did not find any newly installed executables
> either. When I shut down OE, the computer works fine.
> Any thoughts?
> Thank you
>
> Mikhail
> CONFIDENTIALITY NOTICE: This email communication and any attachments may
> contain confidential
> and privileged information for the use of the designated recipients named
> above. If you are
> not the intended recipient, you are hereby notified that you have received
> this communication
> in error and that any review, disclosure, dissemination, distribution or
> copying of it or its
> contents is prohibited. If you have received this communication in error,
> please reply to the
> sender immediately or by telephone at (617) 426-0600 and destroy all copies
> of this communication
> and any attachments. For further information regarding Commonwealth Care
> Alliance's privacy policy,
> please visit our Internet web site at http://www.commonwealthcare.org.
>
> CONFIDENTIALITY NOTICE: This email communication and any attachments may
> contain confidential
> and privileged information for the use of the designated recipients named
> above. If you are
> not the intended recipient, you are hereby notified that you have received
> this communication
> in error and that any review, disclosure, dissemination, distribution or
> copying of it or its
> contents is prohibited. If you have received this communication in error,
> please reply to the
> sender immediately or by telephone at (617) 426-0600 and destroy all copies
> of this communication
> and any attachments. For further information regarding Commonwealth Care
> Alliance's privacy policy,
> please visit our Internet web site at http://www.commonwealthcare.org.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> CONFIDENTIALITY NOTICE: This email communication and any attachments may
> contain confidential
> and privileged information for the use of the designated recipients named
> above. If you are
> not the intended recipient, you are hereby notified that you have received
> this communication
> in error and that any review, disclosure, dissemination, distribution or
> copying of it or its
> contents is prohibited. If you have received this communication in error,
> please reply to the
> sender immediately or by telephone at (617) 426-0600 and destroy all copies
> of this communication
> and any attachments. For further information regarding Commonwealth Care
> Alliance's privacy policy,
> please visit our Internet web site at http://www.commonwealthcare.org.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ