Full Disclosure mailing list archives
n3td3v's year in brief: 2006
From: n3td3v <crewxsecurity () googlemail com>
Date: Fri, 29 Dec 2006 22:46:01 +0000
The year was pretty sober in terms of mass drama or global security incidents, no router or mail server exploitation threatened international infrastructure. The year saw tension between Microsoft and its Patch Tuesday policy become less strong as the security community kept pushing for critical zero-day to be patched ahead of a pending Tuesday. Zero-day code was put onto Full-Disclosure mailing list where we saw an individual trying to do a live auction via e-mail. We saw Word and PowerPoint applications being exploited as hackers look for unique zero-day to draw attention to previously unearthed vulnerabilities. 2006 saw because of this the start of a new trend of Mac Tiger OS vulnerabilities to lever vulnerabilities onto mailing lists. We saw a new move by Microsoft to try and profit from its security flaws, by protecting its Vista kernel from security firms Symantec and others. We saw laptop security, both socially and technically being brought into the media arena where both the theft of a laptop or the electronic hi-jacking of a device could allow a company to be compromised and have its trade secrets revealed. We saw a desperate approach to javascripting, where folks in the security industry began to post ways to use JS in port scanning, via web-based interfaces. We saw a new trend started by H D Moore to blackmail software vendors, Microsoft to take security more seriously and to respond to their e-mail more seriously. The month of bugs trend now carries on with LMH threatening Apple by an upcoming month of Apple bugs, a trend n3td3v has told LMH not to proceed with. 2006 saw the second Myspace worm appear, with a conflict between Apple and Myspace in its introduction of a patch for Apple's movie viewer application. 2006 saw Securityfocus push its media agenda towards encouraging a "social network" threat. 2006 saw Securityfocus report that n3td3v was a group of 3 people, two guys and a girl... all false and unfounded.
A mailing list post on the Funsec mailing list was taken by "editor-at-large" Robert Lemos in his increasing personal grudge against n3td3v to damage his reputation further by reporting on the n3td3v agenda. What Robert Lemos failed to report is that every single message sent to the Full-Disclosure mailing list is approved by the list owner John Cartwright. Robert Lemos failed to report that, adding to the Robert Lemos agenda to make n3td3v look like a malicious blackhat. Robert Lemos also got quotes from people within the industry to try and suggest n3td3v is withholding Windows XP zero-day, to hint further that n3td3v is blackhat and malicious. Robert Lemos in his report also tried to suggest n3td3v was hiding and was a bad person. The nature of the article was designed to try and lever the true indent of n3td3v, even though n3td3v has broken no moral, ethical or international law. Due to the Robert Lemos grudge, Lemos carried the headline "Security Troll" to suggest that n3td3v was posting untrue security information to Full-Disclosure list to get a reaction. Little is Lemos aware John Cartwright and n3td3v would communicate via e-mail to discuss which content should be accepted to the mailing list. Nowhere in the article does it mention anything about John Cartwright. Little did Lemos report that the companies n3td3v helps have the full name, photos and geographical location of n3td3v. n3td3v is not anonymous, but for obvious personal safety measures which all internet users should take is never to post such contact information to a public discussion on the internet. Not only is this wise from a personal safety angle, but is a good idea in terms of identity theft and stalker-like activities and blackmail attempts. The article suggested it was wrong to post to a security mailing list as an anonymous user and that it was morally and unethical to do so.
Little does Lemos know the underground connections and helpful information is passed to high-profile security consultants within the security industry and n3td3v's on-going commitments to pass on intelligence tips on the bad guys in the blackhat community. All the bad was talked of n3td3v, other than the true valued service n3td3v and its intelligence sources offer to vendors... such as the ones mentioned in the article as Google, Yahoo and Microsoft. In 2006 we saw the slow down in mailing list postings of critical zero-day and the increased posting of XSS (cross-site scripting). In 2006, we saw the introduction of a splinter group called ZERT, who released patches for critical flaws ahead of Microsoft's Patch Tuesday policy. In 2006, we saw further reporting of RFID as a real threat to consumer privacy and its use by the intelligence services to spy on terrorist suspects. And of course in 2006 Steve Irwin died, the celebrity Crocodile Hunter, which also got a mention on the Full-Disclosure mailing list. In 2006 we saw the media increasingly finding it difficult to bring fresh news to technical users within the security community, so much so both news.com and securityfocus.com started publishing "suggestive" potential security incidents which could happen, instead of a balanced out "risk assessment" of the reality of a threat. We saw Symantec's Norton software get a bad feedback by average AV users on news.com as being a "memory hog" application. We saw Microsoft's introduction of Microsoft OneCare at low pricing, shaking up others such as Symantec. We saw security companies begin to roll out free security software which anger further the profit margins of Symantec. We saw Google add credits to its security site giving thanks to noticed security researchers within the industry who have helped GOOG.
We saw the break-down of Yahoo's executive structure and admitted its current business strategy and framework have failed with high-profile employee shake-ups and firing. In 2006, there was no real threat to security in terms of new methodology. Generally, 2006 was slow, and has confirmed to hackers that the industry is in need of new technique in the hacker-agenda and that current advisories are just the "same old" attack vectors. Hackers are now focusing on "brand new" than "same old" and 2007 is sure to show security professionals that the old is out and the new is in. A pending public release of Vista won't bring up anything new in terms of unique attack technique, but we're expecting the news of Vista kernel protection being cracked by security firms and the underground elite to be released to media outlets in timing with the consumer version of Vista being made available to the world market. IE7 is not trusted yet by corporate networks as its default browser, as testing is on-going, and with that it could be up till 2008 before the software is fully implemented and trusted by e-commerce. Same goes for Vista, hence the reason for business getting Vista before the public, if only to give businesses a head-start for compatibility testing. 2006 will see high-profile hacker Gary McKinnon being sent to U.S on charges of breaking into dot-mil infrastructure. Media outlets suggest he was a hacker, however the individual only used script kid-like tactics to compromise systems with default passwords not changed by U.S government network admins. Digg-dot-com saw an increased presence in 2006 as a source of breaking security news and invaluable average user feedback of news events in relation to the comments section under Digg submissions, both useful for e-commerce and government to shape its security policy and media response agenda and network posture.
2006 saw the DHS (Department of Homeland Security) attempt to become increased with its cyber security alerts and advisory, although the world already has made its mind up in respect of the DHS and its "incident response" lack of readiness in both the real world and electronically. 2006 saw the intelligence services require further funding to continue needed efforts to combat both cyber terrorism and mainland terrorism threats. 2006 saw the continued use of blogging as a way to communicate coverage to the internet in terms of security research and media coverage response. 2006 saw SANS for example continue to use its Internet Storm Blog as a commentary media of what's posted to the Full-Disclosure mailing list, as did SecuriTeam, with noted comment from Gadi Evron continued. Funsec remained a favorite for some to post outage and misc media reports to the media and professional scene... where the likes of Lemos hangs out for "treat bites" to fuel his securityfocus news feed. Overall, the trend of "money" or/and "career benefits" for zero-day continues with hackers/researchers not wanting to give exploit code for free. Generally, researchers want something in return, either something to be done within a corporation in terms of security policy, money given for exploit/vulnerability intelligence, a career opportunity, or a promise of the affected vendor letting and crediting the researcher to the media for Lemos or/and Evers to pick-up and broadcast on its productivity news outlet homepage. Script kiddie hood continues to be a real threat with the zone-h scene still being exploited, with continued defacements of dot-mil and dot-com targets falling victim. The Yahoo Finance portal web just one victim of the zone-h scene, as well as NASA sites were noted by n3td3v in 2006.
The priority of "what should we patch first" is an increased problem behind the scenes within corporations, with money-over-moral playing a key role in how long vulnerabilities are left live on software and web-based services. 2007 is sure to bring surprises that none of us are able to predict apart from folks like n3td3v who continue its dialog between security consultants and its contacts working within corporate social circles. Finally, the article on n3td3v won't be laid to rest... it has been taken very seriously and n3td3v holds the article as a blatant abuse of journalistic policy to bring a personal grudge by a news editor towards an individual who only has whitehat values. n3td3v will get justice for "that article" by lawful means, and holds Robert Lemos personally responsible for any personal safety or career damage which may be caused by his media report to blatantly ruin n3td3v's reputation and career prospects if the true indent was ever to be revealed through the article published and authorised by the securityfocus news editor.
2007 awaits...
n3td3v
[media dork reference]
http://news.com.com/5208-1002_3-0.html?forumID=1&threadID=23884&messageID=223146&start=-1