Subject: Re: Alert: Cart32 secret password backdoor (CISADV000427)
From: Steve (steveSECURESOLUTIONS.ORG)
Date: Thu Apr 27 2000 - 08:30:41 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mike.

You are definitely right, in part anyway. It is no secret (sorry,
guys, it's not) that the hacker community, white, grey and blackhat,
all subscribe to and monitor this list. And so do people like
yourself, sysadmins who want to know the latest exploits and issues
so that they can better protect themselves.

This list is a full disclosure mailing list, meaning that I publish
any information I am sent about an exploit. Unlike certain other
mailing lists or organizations, I do not hold any information back
under the excuse that I am protecting the community.

Typically, an organization like Cerberus will contact the vendor and
give them a fair amount of time to respond before they post to the
world. *Most* of the time, the vendor has responded and a fix
usually follows the advisory. Occasionally, we will receive
vulnerability reports that the vendor has not been contacted about;
this is unfortunate, but most of the vendors do monitor mailing lists
like this.

I am a firm believer that there are probably a lot of issues out
there that we do not even know about. It is almost a certainty that
greyhat and blackhat groups keep a certain amount of discoveries to
themselves, so we really don't know if this has been a known issue
or not. Most of the skilled grey and blackhats will not rely on a
mailing list to give them ideas.

I encourage everyone to participate in this mailing list no matter
who you are or what your background is; if you have an exploit, I
want it posted here to notify everyone and hopefully push the vendors
into fixing them. Subscribing to "Security by Obscurity" or some
other twisted belief will do nothing to benefit the community and
will only close the doors to the hacker community that this list
relies on.

I hope this sheds some light on things.

Regards;

Steve Manzuik
Moderator
Win2K Security Advice

>
> I find this digest to be as useful as the next sys-admin not
> knowing about the security flaws that all the advisories find and
> Microsoft fixes eventually; however, this one piqued my interest
> the most.
>
> Let's assume that people seeking to hack systems ALSO subscribe to
> this digest, since that would make sense, and they probably know
> about the MS IIS flaws. This particular one is different.
>
> Giving the backdoor password out was a bad idea... nice to know
> from a sys-admin's point of view and easy enough to fix. However,
> from a hacker's point of view, it's gold, especially with the prize
> being credit cards.
>
> We'll assume they didn't know about it in the first place and now
> they do, and for those admins (such as myself) who work in a
> different timezone, the time-difference for mails for me to read
> and for the hackers around the world to exploit the problem and
> possibly create havoc with the treasure they can find.
>
> I'm sure the clients running these programs as well wouldn't like
> this fact published also, since it's a definite security risk and
> detrimental to their business.
>
> Cheers,
> Mike Kalinovich
> Sr. NT Sys Admin
> www.WebHosting.Com Inc.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOQhA9TV9eGvIXwM6EQIUkwCdHYT6cA4d3PXTq7g7Iom6Wvrdu6gAoI5o
4U3fDozFB72YdSUJE6gmehH0
=ykom
-----END PGP SIGNATURE-----

_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net