ezmlm warning

From: pen-test-help@securityfocus.com
Date: Thu Oct 27 2005 - 10:53:21 EDT


Hi! This is the ezmlm program. I'm managing the
pen-test@securityfocus.com mailing list.

I'm working for my owner, who can be reached
at pen-test-owner@securityfocus.com.

Messages to you from the pen-test mailing list seem to
have been bouncing. I've attached a copy of the first bounce
message I received.

If this message bounces too, I will send you a probe. If the probe bounces,
I will remove your address from the pen-test mailing list,
without further notice.

I've kept a list of which messages from the pen-test mailing list have
bounced from your address.

Copies of these messages may be in the archive.

To retrieve a set of messages 123-145 (a maximum of 100 per request),
send an empty message to:
   <pen-test-get.123_145@securityfocus.com>

To receive a subject and author list for the last 100 or so messages,
send an empty message to:
   <pen-test-index@securityfocus.com>

Here are the message numbers:

   1078478314
   1078478315
   1078478313

--- Enclosed is a copy of the bounce message I received.

Return-Path: <>
Received: (qmail 27611 invoked from network); 15 Oct 2005 18:42:41 -0000
Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27)
  by lists.securityfocus.com with SMTP; 15 Oct 2005 18:42:41 -0000
Received: from mail.securityfocus.com (mail.securityfocus.com [205.206.231.9])
        by outgoing3.securityfocus.com (Postfix) with SMTP id 952DD239977
        for <pen-test-return-1078478314-pentest=darklab.net@lists.securityfocus.com>; Sat, 15 Oct 2005 18:33:39 -0600 (MDT)
Received: (qmail 24462 invoked by alias); 16 Oct 2005 00:47:27 -0000
Received: (qmail 23927 invoked from network); 16 Oct 2005 00:47:18 -0000
Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) (205.206.231.27)
  by mail.securityfocus.com with SMTP; 16 Oct 2005 00:47:18 -0000
Received: by outgoing3.securityfocus.com (Postfix)
        id 313202398E3; Sat, 15 Oct 2005 18:33:29 -0600 (MDT)
Date: Sat, 15 Oct 2005 18:33:29 -0600 (MDT)
From: MAILER-DAEMON@securityfocus.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: pen-test-return-1078478314-pentest=darklab.net@securityfocus.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="016DC23958C.1129422803/outgoing3.securityfocus.com"
Message-Id: <20051016003329.313202398E3@outgoing3.securityfocus.com>

This is a MIME-encapsulated message.

--016DC23958C.1129422803/outgoing3.securityfocus.com
Content-Description: Notification
Content-Type: text/plain

This is the Postfix program at host outgoing3.securityfocus.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                        The Postfix program

<pentest@darklab.net>: host resalehost.networksolutions.com[216.168.224.53]
    refused to talk to me: 421 4.4.1 cacy-fpe-srv-1.symantec.com Unable to
    contact destination

--016DC23958C.1129422803/outgoing3.securityfocus.com
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; outgoing3.securityfocus.com
X-Postfix-Queue-ID: 016DC23958C
X-Postfix-Sender: rfc822; pen-test-return-1078478314@securityfocus.com
Arrival-Date: Thu, 13 Oct 2005 18:20:38 -0600 (MDT)

Final-Recipient: rfc822; pentest@darklab.net
Action: failed
Status: 4.0.0
Diagnostic-Code: X-Postfix; host
    resalehost.networksolutions.com[216.168.224.53] refused to talk to me: 421
    4.4.1 cacy-fpe-srv-1.symantec.com Unable to contact destination

--016DC23958C.1129422803/outgoing3.securityfocus.com
Content-Description: Undelivered Message
Content-Type: message/rfc822

Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
        by outgoing3.securityfocus.com (Postfix) with QMQP
        id 016DC23958C; Thu, 13 Oct 2005 18:20:38 -0600 (MDT)
Mailing-List: contact pen-test-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <pen-test.list-id.securityfocus.com>
List-Post: <mailto:pen-test@securityfocus.com>
List-Help: <mailto:pen-test-help@securityfocus.com>
List-Unsubscribe: <mailto:pen-test-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:pen-test-subscribe@securityfocus.com>
Delivered-To: mailing list pen-test@securityfocus.com
Delivered-To: moderator for pen-test@securityfocus.com
Received: (qmail 25157 invoked from network); 12 Oct 2005 22:17:56 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=beta; d=gmail.com;
        h=received:message-id:date:reply-to:organization:user-agent:x-accept-language:mime-version:to:subject:references:in-reply-to:x-enigmail-version:content-type:from;
        b=N2Af4XMrqq6KnERYOlJyVydrln7rkGLi6MH/IXk678U+w8+18JpnVest2CVHc/wANgSDZenKdbOy10pcwZCLMLyjQyEF48fMrlY8QFqU3jRE78l+iP1kb4qu7hyNJg7UqOS/B090mQlrlQAjPyZvaQnzi6YJ9/O2Q1Myfsdz9F8=
Message-ID: <434DE4B3.4090500@chrisclymer.com>
Date: Thu, 13 Oct 2005 00:38:11 -0400
Reply-To: chris@chrisclymer.com
Organization: Youngstown Linux Users Group
User-Agent: Mozilla Thunderbird 1.0 (X11/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "lists AT dawes DOT za DOT net"@smtp.enginuiti.com,
        pen-test@securityfocus.com
Subject: Re: Password "security" - was"Passwords with Lan Manager (LM) under
 Windows" and "Whitespace in passwords"
References: <Pine.BSO.4.58.0510111129420.13385@voodoo.mediaservice.net> <434CABCD.1050205@dawes.za.net>
In-Reply-To: <434CABCD.1050205@dawes.za.net>
X-Enigmail-Version: 0.92.0.0
Content-Type: multipart/mixed;
 boundary="------------080508020305030304080105"
From: Chris Clymer <cclymer@gmail.com>

--------------080508020305030304080105
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rogan Dawes wrote:
> [The original poster seemed to be concerned about the laptop being stolen]
>
>>> As I said, by using SYSKEY with a password-on-boot, I was hoping to
>>> protect the cache entries stored on the laptops. Without the SYSKEY
>>> password, the machine won't boot, so an attacker could not dump the
>>> cache (CacheDump) or get access to the LSA (LSADump2). I also assume
>>> that booting with another OS would not give the attacker access to the
>>> EFS files because AES is pretty strong, the cache entries are encrypted
>>> with a secret (NL$KM) which is stored in the LSA and the LSA is not
>>> accessible because the system key is password protected by a password
>>> which is not stored locally anymore. I don't assume my reasoning is
>>> foolproof, I just want to make sure deploying SYSKEY with a
>>> password-on-boot will render our laptops harder to penetrate.
>>
>>
>
> Have you thought about implementing a BIOS password on the hard drive?
>
> Granted, there is no mechanism for locking out passwords, but I don't
> think that there are too many BIOS's that would allow you to automate a
> brute force attack . . . .
>
> As far as I know, there is no method to override the hard drive password
> once it is set . . . (although maybe reformatting the whole disk might
> have some effect)
>
> Regards,
>
> Rogan
>

BIOS passwords are trivial to get rid of for an attacker with physical
access to the machine. Just need to clear the CMOS. Every board has
its own method; there may be a jumper to set, or you can yank the battery.
Google is sure to reveal the right method for any model of laptop.

As far as EFS...I believe it is tied into the standard Windows
authentication. I seem to recall (from these lists?) that it just uses
the user's login password from the SAMS file to encrypt. If you can
boot another OS (after getting around the BIOS password) you can get to
the SAMS, which means game over. I did read a few things about putting
your EFS key onto a floppy or other removable media. I'm not sure if
this takes care of these other vectors in XP or not. It was clear that
in win2k the administrator user always maintains the ability to read EFS
files...and as mentioned, reading and changing the SAMS from a live disk
is trivial.

It is best to assume that if an attacker gets physical access in any
situation, it's game over. Does that sensitive data need to be on a
laptop where it's out of your control and often in harm's way? Why not
keep it on a company server and only allow access through a secure VPN?

I'm working on a paper about a much different way of preventing these
kinds of attacks. Mine is mostly aimed at recovering a stolen laptop,
but it uses a lot of misdirection which could be useful hiding sensitive
data. The method is to prompt the user with a standard login screen,
and have a bad password fail into booting a "fake" install which runs in
emulation. As far as the attacker is concerned, they are inside a
standard windows install, and hopefully look around a bit at interesting
things we have left lying around. Underneath this emulated windows is
another OS, such as linux, which is running various scripts to log the
attacker's keystrokes, his activities, and to dial home with as much
information as possible should he connect to the internet.
- --
          Chris Clymer - Chris@ChrisClymer.com
PGP: E546 19B6 D1EC 47A7 CAA0 8623 C807 398C CD27 15B8

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDTeSzyAc5jM0nFbgRAkueAJ4992RFKqIopCSjGqn984RZ8kHM4gCfSeH4
t0NtsHCnSzmk4BvoLNIa/i8=
=208N
-----END PGP SIGNATURE-----

--------------080508020305030304080105
Content-Type: text/x-vcard; charset=utf-8;
 name="chris.vcf"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="chris.vcf"

begin:vcard
fn:Chris Clymer
n:Clymer;Chris
org:Youngstown Linux User Group
adr:;;252 Colonial Drive;Canfield;Ohio;44406;United States of America
email;internet:chris@chrisclymer.com
title:Founder
tel;cell:330.507.3651
x-mozilla-html:FALSE
url:http://www.chrisclymer.com
version:2.1
end:vcard

--------------080508020305030304080105
Content-Type: text/plain; charset=us-ascii

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
--------------080508020305030304080105--

--016DC23958C.1129422803/outgoing3.securityfocus.com--
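The bounce enclosed above is a standard RFC 3464 multipart/report, and the address it was returned to is an ezmlm VERP return address: the envelope sender of each list copy encodes the list name, the message number (1078478314, one of the three numbers listed at the top of this warning) and the subscriber's address with the '@' replaced by '=', so the bounce identifies both the message and the subscriber without any parsing of the body. Note also that the failure itself is transient: the per-recipient block says Status 4.0.0 and the diagnostic is a 421 4.4.1 greeting ("Unable to contact destination") from the host Postfix connected to for darklab.net, which Postfix reported as "Action: failed" when it gave up two days after the Arrival-Date of 13 Oct. ezmlm counts it as a bounce all the same, which is why a short outage on the receiving side is enough to start the warn, probe, remove sequence described at the top. As an added example (not ezmlm, Postfix or SecurityFocus code), the Python below does what a bounce handler needs to do: split the VERP address, pull the per-message and per-recipient fields out of the message/delivery-status part, and classify the bounce by its enhanced-status class. The sample bounce embedded in the code is a constructed, cut-down copy of the one above.

```python
"""Parse the enclosed Postfix bounce the way an ezmlm-style bounce handler must.
Added example, not ezmlm, Postfix or SecurityFocus code. SAMPLE_BOUNCE is a
constructed, cut-down copy of the bounce enclosed in the warning above."""
import email
import re

SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@securityfocus.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: pen-test-return-1078478314-pentest=darklab.net@securityfocus.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="016DC23958C.1129422803/outgoing3.securityfocus.com"

--016DC23958C.1129422803/outgoing3.securityfocus.com
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; outgoing3.securityfocus.com
X-Postfix-Sender: rfc822; pen-test-return-1078478314@securityfocus.com
Arrival-Date: Thu, 13 Oct 2005 18:20:38 -0600 (MDT)

Final-Recipient: rfc822; pentest@darklab.net
Action: failed
Status: 4.0.0
Diagnostic-Code: X-Postfix; host
    resalehost.networksolutions.com[216.168.224.53] refused to talk to me: 421
    4.4.1 cacy-fpe-srv-1.symantec.com Unable to contact destination

--016DC23958C.1129422803/outgoing3.securityfocus.com
Content-Type: message/rfc822

Subject: Re: Password security

--016DC23958C.1129422803/outgoing3.securityfocus.com--
"""

# ezmlm VERP envelope sender: <list>-return-<msgnum>[-<local>=<domain>]@<host>
VERP_RE = re.compile(
    r"^(?P<list>.+?)-return-(?P<msgnum>\d+)"
    r"(?:-(?P<rcpt_local>.+)=(?P<rcpt_domain>[^@=]+))?@(?P<listhost>.+)$")

def parse_verp(address):
    """List name, message number and (if encoded) subscriber; None if not VERP."""
    m = VERP_RE.match(address.strip())
    if not m:
        return None
    d = m.groupdict()
    d["msgnum"] = int(d["msgnum"])
    d["recipient"] = (f"{d['rcpt_local']}@{d['rcpt_domain']}"
                      if d["rcpt_local"] else None)
    return d

def parse_dsn(raw):
    """(per-message fields, [per-recipient fields]) from an RFC 3464 report."""
    msg = email.message_from_string(raw)
    if msg.get_param("report-type") != "delivery-status":
        raise ValueError("not a delivery-status report")
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            # The email package turns this part into header-only Message
            # objects: block 0 is per-message, the rest are per-recipient.
            blocks = part.get_payload()
            unfold = lambda v: " ".join(v.split())  # join folded header lines
            per_message = {k: unfold(v) for k, v in blocks[0].items()}
            per_recipient = [{k: unfold(v) for k, v in b.items()}
                             for b in blocks[1:] if b.get("Final-Recipient")]
            return per_message, per_recipient
    raise ValueError("no message/delivery-status part")

def classify(status):
    """RFC 3463 class digit: 5.x.x is a hard bounce, 4.x.x a transient one."""
    return {"5": "permanent", "4": "transient"}.get(status[:1], "unknown")

def bounce_records(raw):
    """One record per failed recipient, joined with the VERP message number."""
    verp = parse_verp(email.message_from_string(raw)["To"] or "")
    per_message, per_recipient = parse_dsn(raw)
    records = []
    for r in per_recipient:
        addr = r["Final-Recipient"].split(";", 1)[-1].strip()  # drop "rfc822;"
        records.append({
            "list": verp["list"] if verp else None,
            "msgnum": verp["msgnum"] if verp else None,
            "recipient": addr,
            "status": r.get("Status", ""),
            "kind": classify(r.get("Status", "")),
            "diagnostic": r.get("Diagnostic-Code", ""),
            "reporting_mta": per_message.get("Reporting-MTA"),
        })
    return records

if __name__ == "__main__":
    for rec in bounce_records(SAMPLE_BOUNCE):
        print(rec)
```

Run stand-alone it prints one record for pentest@darklab.net with message number 1078478314 and kind "transient". A handler that wanted to be gentler than ezmlm could use the kind field to count only "permanent" results toward the warn, probe, remove decision, and the VERP message number to match the bounce against the list archive the way this warning does.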



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:06 EDT