From jericho at attrition.org Sun Jan 1 00:46:15 2006
From: jericho at attrition.org (security curmudgeon)
Date: Sun, 1 Jan 2006 00:46:15 -0500 (EST)
Subject: [attrition] One Billion Internet Users

[1,000,000,000 on the net, and seemingly 999,999,000 are complete morons that are better off playing in traffic.]

http://www.useit.com/alertbox/internet_growth.html

"Jakob Nielsen's Alertbox, December 19, 2005:

One Billion Internet Users

The Internet is growing at an annualized rate of 18% and now has one billion users. A second billion users will follow in the next ten years, bringing a dramatic change in worldwide usability needs.

Some time in 2005, we quietly passed a dramatic milestone in Internet history: the one-billionth user went online. Because we have no central register of Internet users, we don't know who that user was, or when he or she first logged on. Statistically, we're likely talking about a 24-year-old woman in Shanghai. According to Morgan Stanley estimates, 36% of Internet users are now in Asia and 24% are in Europe. Only 23% of users are in North America, where it all started in 1969 when two computers -- one in Los Angeles, the other in Palo Alto -- were networked together.

It took 36 years for the Internet to get its first billion users. The second billion will probably be added by 2015; most of these new users will be in Asia. The third billion will be harder, and might not be reached until 2040.

In 2002, NUA estimated that we had 605 million Internet users. Since then, Internet use has grown by 18% per year -- certainly not as fast as the 1990s, but still respectable.

Overall, the Internet's growth has been truly remarkable. Ten years ago, the 'net was mostly used by geeks; now it's the default way to do business in many countries. In our U.S. and European B2B studies, many business professionals said they visit a company's website as the first step in researching potential vendors."

From jericho at attrition.org Mon Jan 2 23:18:55 2006
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 2 Jan 2006 23:18:55 -0500 (EST)
Subject: [attrition] Security Rant: US-CERT: A disgrace to vulnerability statistics

http://www.osvdb.org/blog/?p=79

US-CERT: A disgrace to vulnerability statistics
Posted in Vulnerability Statistics on January 2nd, 2006 by jericho

Several people have asked OSVDB about their thoughts on the recent US-CERT Cyber Security Bulletin 2005 Summary. Producing vulnerability statistics is trivial to do. All it takes is your favorite data set, a few queries, and off you go. Producing meaningful and useful vulnerability statistics is a real chore. I've long been interested in vulnerability statistics, especially related to how they are used and the damage they cause. Creating and maintaining a useful statistics project has been on the OSVDB to-do list for some time, and I personally have not followed up with some folks that had the same interest (Ejovi et al). Until I see such statistics done right, I will of course continue to voice my opinion at other efforts.

[..]

Ok, on to the fun part.. the statistics! Unfortunately, the bulletin is very lacking on wording, explanation, details or additional disclaimers. We get two very brief paragraphs, and the list of vulnerabilities that link to their summary entries. Very unfortunate. No, let me do one better. US-CERT, you are a disgrace to vulnerability databases. I can't fathom why you even bothered to create this list, and why anyone in their right mind would actually use, reference or quote this trash. The only statistics provided by this bulletin:

[..]

A decade later, and the security community still lacks any meaningful statistics for vulnerabilities. Why can't these outfits with commercial or federal funding actually do a good job and produce solid data that helps instead of confuses and misleads?!

From jericho at attrition.org Thu Jan 5 17:38:41 2006
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 5 Jan 2006 17:38:41 -0500 (EST)
Subject: [attrition] Survey on Vuln Disclosure: Request for Participation

If you are interested in vulnerability disclosure, work in the security field, or administrate computers for your company, it would be great to help Rick Forno with his project.

---------- Forwarded message ----------
From: Richard Forno
Date: Thu, 05 Jan 2006 14:29:05 -0500
Subject: Survey on Vuln Disclosure: Request for Participation

As part of my doctoral studies, I am seeking community input regarding how secrecy and openness can be balanced in the analysis and alerting of security vulnerabilities to protect critical national infrastructures. To answer this question, my thesis is investigating:

1. How vulnerabilities are analyzed, understood and managed throughout the vulnerability lifecycle process.

2. The ways that the critical infrastructure security community interacts to exchange security-related information and the outcome of such interactions to date.

3. The nature of and influences upon collaboration and information-sharing within the critical infrastructure protection community, particularly those handling internet security concerns.

4. The relationship between secrecy and openness in providing and exchanging security-related information.

The survey is located at http://www.infowarrior.org/survey.html and should take 10-15 minutes to complete. Participation is both voluntary and anonymous.

Thank you for your help with this endeavor, and for helping distribute this request for participation to other interested parties/lists.

Thanks again for your help,

Rick
-infowarrior.org

From jericho at attrition.org Tue Jan 10 22:49:43 2006
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 10 Jan 2006 22:49:43 -0500 (EST)
Subject: [attrition] "http" leads to Microsoft?

Perhaps this is known, but it caught me off guard. I discovered this when I sent a URL to a friend, but typo'd the first part. Instead of a regular URL, I sent him "http//attrition.org" (note the lack of colon). Instead of him getting the web page, it would load Microsoft's home page instead.

To test this further, load Firefox and type in "http" by itself and hit enter. Watch as you land on http://www.microsoft.com =)

Why does this happen? Firefox can't resolve 'http', so it sends your request to google.com, searches for 'http' and delivers you the first result (also works via the "I'm feeling lucky" feature). You can see the same thing happen if you search Google for 'http' (first result) [0].

I don't know about you, but I'm not feeling lucky when I land on Microsoft after typing in 'http'. This is the company that didn't see the Internet as something of interest or potential until 1995, years after HTTP was developed and starting to gain widespread acceptance. In 1995, Microsoft finally added "internet" to their Encarta Encyclopedia [1] and released Internet Explorer [2].

security curmudgeon
http://attrition.org/

[0] http://www.google.com/search?hl=en&lr=&q=http&btnG=Search
[1] I can't find a public reference for this, can anyone else? Just some odd tidbit I remember reading last decade.
[2] http://www.microsoft.com/windows/WinHistoryIE.mspx

From jericho at attrition.org Wed Jan 11 07:29:45 2006
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 11 Jan 2006 07:29:45 -0500 (EST)
Subject: [attrition] DHS & Your Tax Dollars

http://www.osvdb.org/blog/?p=83

DHS & Your Tax Dollars

http://news.com.com/Homeland+Security+helps+secure+open-source+code/2100-1002_3-6025579.html

Through its Science and Technology Directorate, the department has given $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity's commercial tool for source code analysis, representatives for the three grant recipients told CNET News.com.

The Homeland Security Department grant will be paid over a three-year period, with $841,276 going to Stanford, $297,000 to Coverity and $100,000 to Symantec, according to San Francisco-based technology provider Coverity, which plans to announce the award publicly on Wednesday.

The project, while generally welcomed, has come in for some criticism from the open-source community. The bug database should help make open-source software more secure, but in a roundabout way, said Ben Laurie, a director of the Apache Foundation who is also involved with OpenSSL. A more direct way would be to provide the code analysis tools to the open-source developers themselves, he said.

So DHS uses $1.24 million dollars to fund a university and two commercial companies. The money will be used to develop source code auditing tools that will remain private. Coverity and Symantec will use the software on open-source software (which is good), but is arguably a huge PR move to help grease the wheels of the money flow. Coverity and Symantec will also be able to use these tools for their customers, which will pay them money for this service. Why exactly do my tax dollars pay for the commercial development of tools that are not released to the public?
As Ben Laurie states, why can't he get a copy of these tax payer funded tools to run on the code his team develops? Why must they submit their code to a commercial third party for review to get any value from this software? Given the date of this announcement, coupled with the announcement of Stanford's PHP-CHECKER makes me wonder when the funds started rolling. There are obviously questions to be answered regarding Stanford's project (that I already asked). This also makes me wonder what legal and ethical questions should be asked about tax dollars being spent by the DHS, for a university to fund the development of a security tool that could potentially do great good if released for all to use. It's too bad there is more than a year long wait for FOIA requests made to the DHS.

From jericho at attrition.org Wed Jan 11 10:08:51 2006
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 11 Jan 2006 10:08:51 -0500 (EST)
Subject: [attrition] why is eBay (and others) exempt ..

.. from RFC guidelines and a somewhat friendly method for someone to complain?

Report a problem to abuse at ebay.com and you get this type of message. Notice the tracking number in the subject line? It is hitting their system, being assigned some kind of ticket or tracking ID number, getting forwarded to safeharbor at ebay.com, then bounced as undeliverable. Sites this big not maintaining an abuse@ contact as per RFC standards (RFC 2142 (section 4)) is disgusting. Not maintaining custom addresses that they originally set up is even more disgusting.

Follow their URL below and you end up here:

http://pages.ebay.com/help/contact_us/_base/result_6_1_12.html?item=&dsturl=http%3A%2F%2Fpages.ebay.com%2Fhelp%2Fcontact_us%2F_base%2Findex.html&tier0=%5Bobject+Object%5D&tier1=result_6_1_12&continue=Continue+%3E#

Which gives you three options.
The first two are 'instant help' FAQ pages:

  Filing an online fraud alert
  Feedback abuse, withdrawal, and removal

The third is "Customer Support Option(s)" which has one link "Email". Clicking this link requires

  a) you register as a new ebay user
  b) sign in as an existing ebay user
  c) sign in via Microsoft Passport

So if someone is spamming an ebay.com auction URL to a million people, only a registered ebay member can file a complaint, via a web page, and expect to wait "24-48 hours for a response". This is completely irresponsible.

---------- Forwarded message ----------
From: eBay Safe Harbor
To: security curmudgeon
Date: Wed, 11 Jan 2006 06:56:43 -0800
Subject: Your message to safeharbor at ebay.com was not received (KMM200419105V91401L0KM)

Thank you for writing to the eBay SafeHarbor Team. The address you wrote to (safeharbor at ebay.com) is no longer in service. Please re-send your email to us through the Contact Us page listed below.

http://pages.ebay.com/help/contact_us/_base/index.html

Using this service will help us direct your email to the right department and quickly respond to your inquiry. Choosing the most appropriate topic from this page will help us answer your question faster.

REPORTING SPOOF

If you received this message after attempting to report an email that appears to have come from eBay but actually directs you to another site, you must forward the message to us again by using the forward function of your email program. Make certain that spoof at ebay.com is in the "to" field. Do not alter the subject line, add text to your message or forward the email as an attachment.

We appreciate your assistance in this matter and apologize for any inconvenience this may have caused you.

Sincerely,

eBay SafeHarbor Team

Tips to Avoid Spoof:

To help our members better protect themselves from spoof Web sites, we have developed a new feature for the eBay Toolbar called "Account Guard."
Account Guard includes an indicator of when you are on an eBay or PayPal Website, buttons to report fake eBay Websites, and a password notification feature that warns you when you may be entering your eBay password into an unverified site. To learn more about the eBay Toolbar with Account Guard, open a new browser and type www.ebay.com/ebay_toolbar into the address bar.

Note that eBay will never send you an email that includes a download as an attachment or a link that goes to a page with a download. eBay also recommends that you ensure that your Web browser, operating system, and virus protection software are up to date. Check for updates at the "Windows Update" link on www.microsoft.com and scan your computer for viruses often.

From: security curmudgeon
To: abuse at aol.com
Cc: abuse at ebay.com
Date: Wed, 11 Jan 2006 09:55:44 -0500 (EST)
Subject: SPAM: Save Harriet (fwd)

---------- Forwarded message ----------
Return-Path:
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on forced.attrition.org
X-Spam-Level:
X-Spam-Status: No, score=0.6 required=4.7 tests=HTML_MESSAGE,NO_REAL_NAME,
    SPF_PASS autolearn=disabled version=3.1.0
X-Original-To: jericho at attrition.org
Delivered-To: jericho at attrition.org
Received: from imo-d21.mx.aol.com (imo-d21.mx.aol.com [205.188.144.207])
    by forced.attrition.org (Postfix) with ESMTP id B18D14CAD5
    for ; Wed, 11 Jan 2006 09:54:00 -0500 (EST)
Received: from Beavinsons2 at aol.com
    by imo-d21.mx.aol.com (mail_out_v38_r6.3.) id 4.13d.22b8a31e (14374)
    for ; Wed, 11 Jan 2006 09:54:21 -0500 (EST)
From: Beavinsons2 at aol.com
Message-ID: <13d.22b8a31e.30f6761d at aol.com>
Date: Wed, 11 Jan 2006 09:54:21 EST
Subject: Save Harriet
To: jericho at attrition.org
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-----------------------------1136991261"
X-Mailer: 9.0 Security Edition for Windows sub 2340

Hello,

We could use your support. We have an auction on eBay right now getting huge media attention this week.
I found a cremated body in an abandoned property auction. I have a campaign on right now called "SAVE HARRIET" where we are trying to raise money to do something with her ashes.

Please view the auction and put on your website

_http://cgi1.ebay.com/ws/eBayISAPI.dll?MakeTrack&item=5654721626_
(http://cgi1.ebay.com/ws/eBayISAPI.dll?MakeTrack&item=5654721626)

Please watch the auction and see the results of the campaign.

This is the link just to the auction without watching it

_http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=5654721626&ru=http%3A%2F%2
Fsearch.ebay.com%3A80%2F%2Fsearch%2Fsearch.dll%3Ffrom%3DR40%26satitle%3D565472
1626%26fvi%3D1_
(http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=5654721626&ru=http://search.ebay.com:80//search/search.dll?from=R40&satitle=
5654721626&f
vi=1)

Tim

From jericho at attrition.org Thu Jan 19 03:50:00 2006
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 19 Jan 2006 03:50:00 -0500 (EST)
Subject: [attrition] Amusing quote..

Via Ruminations:

--------------------------------- http://www.ruminate.com ------------------------------------------------------------------

The biggest problem of cryogenics isn't whether future advances in technology will enable you to be unfrozen and brought back to life 10,000 years from now; it's whether 250 consecutive generations of security guards earning $6.50 an hour will remember to check the thermostat every night.
(The Covert Comic)
http://www.covertcomic.com

From jericho at attrition.org Thu Jan 26 01:32:48 2006
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 26 Jan 2006 01:32:48 -0500 (EST)
Subject: [attrition] OSVDB - 2005 Recap and Status Update

---------- Forwarded message ----------
From: jkouns
Date: Thu, 26 Jan 2006 00:48:01 -0500
Subject: OSVDB - 2005 Recap and Status Update

OSVDB - 2005 Recap and Status Update

The Open Source Vulnerability Database (OSVDB), a project to catalog and describe the world's security vulnerabilities, has had a challenging yet successful year. The project is fortunate to have the continued support of some devoted volunteers, yet remains challenged to keep up with the increasing number of vulnerability reports, as well as work on the back-log of historical information. Volunteers are continually sought to help us achieve our short and long-term goals.

Despite resource constraints, there have been many exciting successes in 2005:

* A major project goal of obtaining 501(c)3 non-profit status from the U.S. IRS was achieved. Obtaining non-profit status was critical to the long-term viability of the project. This status allows OSVDB to take charitable donations to help cover operating expenses, while providing a tax benefit to donor companies and individuals.

* The vulnerability database has grown to over 22,000 entries thanks to the dedicated work of Brian Martin, OSVDB Content Manager. At the end of December, over 10,000 of those vulnerabilities were worked on by volunteers to provide more detailed and cross-referenced information. Our volunteer "Data Manglers" and Brian have helped ensure OSVDB is the most complete resource for vulnerability information on the Internet.

* OSVDB started a blog in April, as a way for us to keep the public better informed on the project's status.
Very quickly we realized the blog was a perfect place to discuss and comment on various aspects of vulnerabilities, and has become a successful mechanism for communicating with the security industry. If you have suggestions for topics, or would like to join the discussion, please visit the OSVDB blog at: http://osvdb.org/blog/.

* We are pleased to welcome Kevin Johnson as leader of the OSVDB development team. Kevin joins OSVDB with a strong background in information security, and as leader of the BASE project, has a proven track-record managing open source teams. We are very excited about Kevin joining the project, and hope to provide more information soon regarding the OSVDB development road map. If you are interested in becoming a part of the new OSVDB development team, please contact us!

We would like to also recognize our sponsors and thank them for their support. Digital Defense, Churchill & Harriman, Audit My PC, and Opengear have all provided important resources to OSVDB over the past year. We would also like to thank Renaud Deraison of the Nessus Project and HD Moore of the Metasploit Project for their support. Lastly, we of course want to thank our volunteers, and note that several of them have contributed to Nessus Network Auditing, available from Syngress Publishing.

We are very pleased with the progress and growth of OSVDB over the past year, but do not want to downplay the importance of recruiting new volunteers, as well as retaining our current ones, in order to get through the considerable back-log of vulnerabilities that need further work. This task is daunting, but will not only help retain valuable historical vulnerability information, but will also allow OSVDB to generate meaningful statistics for past and current years.

We have had a great year, and are looking forward to another one! We are of course still seeking assistance to help keep OSVDB successful--the project has many ideas in need of financial and volunteer support to implement.
For more information on supporting OSVDB through volunteering or sponsorship, please contact moderators at osvdb.org.

Sponsors/References:

Audit My PC: http://www.auditmypc.com/
Churchill & Harriman: http://www.chus.com/
Digital Defense: http://www.digitaldefense.net/
Opengear: http://www.opengear.com/
Nessus Network Auditing: http://www.syngress.com/catalog/?pid=2850

###

More Information:

Jake Kouns
Open Source Vulnerability Database Project
+1.804.306.8412
jkouns at osvdb.org

From lyger at attrition.org Tue Jan 31 18:38:22 2006
From: lyger at attrition.org (lyger)
Date: Tue, 31 Jan 2006 18:38:22 -0500 (EST)
Subject: [attrition] Data Loss Mailing List Announcement

In what has become a near weekly occurrence, large companies are collecting your personal information (sometimes without your knowledge or consent), and subsequently letting it fall into the hands of the bad guys. This is your personal information: name, address, social security number, credit card number, bank account numbers, and more.

Data Loss is a mail list that covers topics such as news releases regarding large-scale data loss, data theft, and identity theft incidents. Discussion about incidents, indictments, legislation, and recovery of lost or stolen data is encouraged.

To subscribe to Data Loss, send a mail to:

dataloss-subscribe at attrition.org

To unsubscribe from this list, send a mail to:

dataloss-unsubscribe at attrition.org