Vulnerability Development mailing list archives
Re: Another new worm???
From: jlegate () SITESMITH COM (Jason Legate)
Date: Thu, 22 Jun 2000 14:48:09 -0700
AFAIK, the TODs are not signed, but after speaking with an ex-AOL employee, she has said that they use a private LAN, with a backdoor phone number. They have internal logins, and a defender key (http://www.axent.com/Axent/Public/Main?nav=Products). The keys are challenged after login via DUN, and then they TCP/IP to AOL. After that, the details she gave me were sketchy, but I think they use FTP on the backend to update the TODs.

Even if they are signed, if many people have the key to sign, that's A Bad Thing, in my opinion, since there are more people to try and trojan to obtain said key. Even if a passphrase was needed, if you do manage to trojan a trusted user, you can capture key sequences and find the method with which to "spoof" a TOD.

-j

On Thu, Jun 22, 2000 at 02:33:16PM -0500, David Knaack wrote:
> From: Frank Town <frank_smiles () HOTMAIL COM>
>
> > Actually not to say everyone is wrong but about 5 years ago when I used to hang out on AOL, we made these things called password stealers
>
> <snip>
>
> > They are simple to get rid of, at least they were, I'm not sure about now. Most just add a line to your win.ini in the run line
>
> At least one of the new breed of AOL PWS uses more advanced techniques. I've seen one file infector (specific to AOL.EXE) and one that trojans runonce.exe. However, to my knowledge these particular samples were not released in the wild, and were not self propagating.
>
> AOL could be a truly frightening security issue. Given their history of lax security, I can imagine an advanced hacker or AOL insider writing an AOL extension and then using the server push (TOD update) feature to install malicious software on all AOL clients. One could launch a truly massive DDoS using tens or hundreds of thousands of AOL clients.
>
> A hacker with access to a large hub could intercept connections to the AOL servers and act as a transparent proxy, with the ability to deliver TODs to AOL clients. I do not know if AOL TODs are cryptographically signed, but I would be surprised if they were. All very advanced hacking, but doable.
>
> DK
--
Jason Legate
jlegate () sitesmith com | SiteSmith, Inc.
24x7 Call Center | http://www.sitesmith.com
888.898.7667 | PGP Key ID - 0xE29C48B
Fingerprint - 769E 8DB4 C4DB C555 2697 51C6 3181 7D6E E299 C48B
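
The quoted remark that most password stealers "add a line to your win.ini in the run line" points at a simple defensive check. The following is an added example, not part of the original message: it lists the programs started by `run=` and `load=` in the `[windows]` section of win.ini and flags any that are not on an allowlist. The sample file contents, program names and allowlist are constructed, and it assumes paths without spaces (8.3 style).

```python
import re

# Keys in the [windows] section of win.ini that start programs at logon.
AUTOSTART_KEYS = {"run", "load"}


def autostart_entries(win_ini_text):
    """Return (key, program) pairs from run=/load= in the [windows] section."""
    entries = []
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key not in AUTOSTART_KEYS:
            continue
        # Several programs may be listed, separated by spaces or commas.
        # Assumption: no spaces inside a path (8.3 names).
        for prog in re.split(r"[,\s]+", value.strip()):
            if prog:
                entries.append((key, prog))
    return entries


def unexpected_entries(win_ini_text, allowlist):
    """Return autostart entries whose program is not on the allowlist."""
    allowed = {p.lower() for p in allowlist}
    return [(k, p) for k, p in autostart_entries(win_ini_text)
            if p.lower() not in allowed]


# Constructed sample: one expected program and one hypothetical unknown one.
SAMPLE = """\
[windows]
load=
run=C:\\TOOLS\\CLOCK.EXE c:\\windows\\system\\pwsteal.exe
; run=old.exe
[Desktop]
run=ignored.exe
"""

if __name__ == "__main__":
    for key, prog in unexpected_entries(SAMPLE, ["c:\\tools\\clock.exe"]):
        print(f"unexpected {key}= entry: {prog}")
```

This covers only the win.ini mechanism named in the thread; the file infector and the runonce.exe trojan David Knaack mentions would not show up here.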