lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4F207FEF.2070704@propergander.org.uk>
Date: Wed, 25 Jan 2012 22:19:27 +0000
From: Dave <mrx@...pergander.org.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Faux Anonymous hackers to Facebook: 'We're
 not playing'

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 25/01/2012 20:16, adam wrote:
> If we cared, we'd visit that site of our own volition. Secondly, even if we
> were interested: most of the people on these lists are intelligent enough
> not to click on links from spammers. Third, even if the content were
> interesting, even if this were the place for it and even if you hadn't
> spammed: "pay and register" is incentive enough for me *not* to join and *
> not* to ever visit that site again.
> 
> Short version: this purpose of this list isn't for you to spam your new
> state-of-the-art website. Instead, it's typically to discuss/disclose
> issues/concepts related to computer/network security. Once in a while,
> there are discussions about the overflowing stupidity that some site
> owners/coders have. For example, people that stupidly (and blindly) inject
> code (e.g. for tracking purposes) into every single file on their site,
> regardless of extension:
> 
> http://www.karmacyberintel.net/robots.txt
> 
> Another one is blatantly disclosing paths in robots.txt that aren't even
> linked to and would never be found anyway (at least by bots that honor
> robots.txt, which ends up being the exact opposite of the desired effect).
> An example of how/why this can be a problem:
> 
> md5sum of tiny_mce.js off your server is 9754385dabfc67c8b6d49ad4acba25c3,
> if we perform a simple Google search - we can determine that you're likely
> running version 3.3.1 of Wordpress. From there, we have enough information
> to perform a targeted attack on your server. Except, we don't need to
> because you've already made it more than easy enough for us.
> 
> Pretty much every single field on http://www.karmacyberintel.net/pay/ is
> vulnerable to SQL injection, which could easily allow anyone to completely
> compromise the database and possibly the entire site. On top of that,
> register.php also allows for session fixation attacks, as a result of
> header/cookie manipulation. If that weren't bad enough, the admin section
> for your karma theme is also vulnerable to cross-site scripting.
> 
> Not to mention, all the problems with with how you've configured SSL and
> everything else. If you're going to spam, at least make sure the website
> you're spamming has been tested and determined to be *somewhat* secure.
> 



Thanks for the smile.

If one is not certain that ones own house is not made of glass, it's best to not throw stones.

D
> 
> On Tue, Jan 24, 2012 at 11:31 PM, karma cyberintel <
> karmacyberintel1@...il.com> wrote:
> 
>> *UPDATE* After attacking several government sites to protest
>> controversial US legislation in past weeks, hacktivist group Anonymous is
>> setting its sights on one of the Internet's biggest targets: Facebook. Or
>> maybe not.
>>
>> Sources Form karmacyberintel.net
>>
>> for more details
>>
>>
>> http://www.karmacyberintel.net/2012/01/faux-anonymous-hackers-to-facebook-were-not-playing/
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBTyB/77Ivn8UFHWSmAQLoYAf8CbOtPVtl7nyo+ujnkf1qeWf7hGzjU5lJ
xWr8kd/N37n50u3a6PXfy9p7TC+wQ2MNoJCZ6Y02sPZ6KxlUXXOC/K8iXigFK1yh
rVrNaDLSR8+WgfOdskl7mYZXvHG7n2u8p3MNOll0D9MG1vn179P/oV3JXawSyHMZ
EhhWPjjiJZfNwPhPBTQnQMhg3HoWYsJKrVR5CIu/EKiAPaS2xG7l+DojADZmPsIU
B9BvSqLzJoVFUQ5zVF3KzPJLqIimqgH6HmK18Nmhs/kcBaxjVRL88XcfP1bYtl/Y
kg22lkaRU5IIxDviy5ztxkBERKu7SyuBjcrE6B23rBia9xeCrloMdQ==
=U0gT
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ