[News] New worm feeds on latest Microsoft bug - Linux


  1. [News] New worm feeds on latest Microsoft bug


    One day after Microsoft issued a rare emergency Windows security
    patch, the bad guys have a few new ways to take advantage of the
    bug.....a new worm, called Gimmiv....

    This vulnerability lies in the Windows Server service.... "It is
    downloaded onto a target machine via social engineering and then
    proceeds to scan and exploit machines on the same network..." The
    worm then loads software that steals passwords, security experts
    say....

    Greenbaum predicted that the attack code will soon be used to build
    botnet networks of infected computers.


    http://www.nytimes.com/external/idg/...orm-feeds.html

  2. Re: [News] New worm feeds on latest Microsoft bug

    On Sun, 26 Oct 2008 14:40:58 -0700 (PDT), nessuno@wigner.berkeley.edu
    wrote:

    >
    > One day after Microsoft issued a rare emergency Windows security
    > patch, the bad guys have a few new ways to take advantage of the
    > bug.....a new worm, called Gimmiv....
    >
    > This vulnerability lies in the Windows Server service.... "It is
    > downloaded onto a target machine via social engineering


    Key words: Social Engineering.......

    Which is exactly what is going to happen to Linux if it ever becomes common
    enough to make it worth the hacker's time.

    Ask Schestowitz about how his Linux server was hacked and 0wned...


    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/
    Please Visit www.linsux.org

  3. Re: [News] New worm feeds on latest Microsoft bug

    Moshe Goldfarb. wrote:

    > On Sun, 26 Oct 2008 14:40:58 -0700 (PDT), nessuno@wigner.berkeley.edu
    > wrote:
    >
    >>
    >> One day after Microsoft issued a rare emergency Windows security
    >> patch, the bad guys have a few new ways to take advantage of the
    >> bug.....a new worm, called Gimmiv....
    >>
    >> This vulnerability lies in the Windows Server service.... "It is
    >> downloaded onto a target machine via social engineering

    >
    > Key words: Social Engineering.......


    Yes. And after that, it *will* (not "may", not "can") infect every unpatched
    Windows machine on the same network, without any user intervention
    whatsoever.

    > Which is exactly what is going to happen to Linux if it ever becomes
    > common enough to make it worth the hacker's time.


    Blah blah. Sure, Linux users may fall victim to social engineering
    attacks -- although the humble x bit will usually prevent any "click-oops"
    which is so typical for Windows.
    But much more importantly, the attacker must find a commonly used,
    exploitable network service. And you know what? On a typical Linux desktop
    machine, there are no receiving network services running. And if that's not
    enough: on a typical Linux desktop machine, a firewall will make the
    machine invisible on the network. So please try a little harder to come up
    with a plausible way that Linux could become as insecure as Windows.


    Richard Rasker
    --
    http://www.linetec.nl

  4. Re: [News] New worm feeds on latest Microsoft bug

    On Sun, 26 Oct 2008 23:02:40 +0100, Richard Rasker wrote:

    > So please try a little harder to come up
    > with a plausible way that Linux could become as insecure as Windows.
    >
    >
    > Richard Rasker


    Simple.... a rogue program in one of the many repositories for Linux
    software.
    Do you *really know* what say the mediaubuntu is downloading to your
    machine?
    What about the various restricted repositories that Ubuntu users need to
    add in order to play mp3, libdvdcss etc...

    How do you really know what is in there and what you are loading on to your
    machine?

    Answer: you don't.

    Mint Linux was infected as were others earlier this year.
    It will happen more as Linux user numbers increase, if they do.



    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/
    Please Visit www.linsux.org

  5. Re: [News] New worm feeds on latest Microsoft bug

    The racist, liar and software thief Gary Stewart (flatfish) nymshifted:

    > On Sun, 26 Oct 2008 14:40:58 -0700 (PDT), nessuno@wigner.berkeley.edu
    > wrote:
    >
    >>
    >> One day after Microsoft issued a rare emergency Windows security
    >> patch, the bad guys have a few new ways to take advantage of the
    >> bug.....a new worm, called Gimmiv....
    >>
    >> This vulnerability lies in the Windows Server service.... "It is
    >> downloaded onto a target machine via social engineering

    >
    > Key words: Social Engineering.......


    And completely wrong.
    It is a vulnerability in the windows RPC code, and absolutely no user
    interaction is needed

    --
    You're genuinely bogus.


  6. Re: [News] New worm feeds on latest Microsoft bug

    On Sun, 26 Oct 2008 23:23:26 +0100, Peter Köhlmann wrote:

    > The racist, liar and software thief Gary Stewart (flatfish) nymshifted:
    >
    >> On Sun, 26 Oct 2008 14:40:58 -0700 (PDT), nessuno@wigner.berkeley.edu
    >> wrote:
    >>
    >>>
    >>> One day after Microsoft issued a rare emergency Windows security
    >>> patch, the bad guys have a few new ways to take advantage of the
    >>> bug.....a new worm, called Gimmiv....
    >>>
    >>> This vulnerability lies in the Windows Server service.... "It is
    >>> downloaded onto a target machine via social engineering

    >>
    >> Key words: Social Engineering.......

    >
    > And completely wrong.
    > It is a vulnerability in the windows RPC code, and absolutely no user
    > interaction is needed


    That's not what the article says.
    It has to make it to the first machine.

    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/
    Please Visit www.linsux.org

  7. Re: [News] New worm feeds on latest Microsoft bug

    Moshe Goldfarb. wrote:

    > On Sun, 26 Oct 2008 23:23:26 +0100, Peter Köhlmann wrote:
    >
    >> The racist, liar and software thief Gary Stewart (flatfish) nymshifted:
    >>
    >>> On Sun, 26 Oct 2008 14:40:58 -0700 (PDT), nessuno@wigner.berkeley.edu
    >>> wrote:
    >>>
    >>>>
    >>>> One day after Microsoft issued a rare emergency Windows security
    >>>> patch, the bad guys have a few new ways to take advantage of the
    >>>> bug.....a new worm, called Gimmiv....
    >>>>
    >>>> This vulnerability lies in the Windows Server service.... "It is
    >>>> downloaded onto a target machine via social engineering
    >>>
    >>> Key words: Social Engineering.......

    >>
    >> And completely wrong.
    >> It is a vulnerability in the windows RPC code, and absolutely no user
    >> interaction is needed

    >
    > That's not what the article says.


    I don't care what the article says. It is a RPC error, thus *no* user
    interaction is needed.
    In principle a machine with a running firewall should be safe, but a small
    error in setting the firewall will make the machine wide open.
    If you have file- and printer sharing enabled, very easily you can enable
    also the access from the outside. Then all bets are off.
    The problem is in a code area which is not protected by "/GS security
    cookies"

    > It has to make it to the first machine.


    Wrong

    And actually it is quite similar to the 2006 vulnerability in RPC,
    when "Vanebot" or "Mocbot" were infecting windows machines without any user
    interaction at all
    --
    Howe's Law: Everyone has a scheme that will not work.


  8. Re: [News] New worm feeds on latest Microsoft bug

    On Sun, 26 Oct 2008 23:45:22 +0100, Peter Köhlmann wrote:

    > Moshe Goldfarb. wrote:
    >
    >> On Sun, 26 Oct 2008 23:23:26 +0100, Peter Köhlmann wrote:
    >>
    >>> The racist, liar and software thief Gary Stewart (flatfish) nymshifted:
    >>>
    >>>> On Sun, 26 Oct 2008 14:40:58 -0700 (PDT), nessuno@wigner.berkeley.edu
    >>>> wrote:
    >>>>
    >>>>>
    >>>>> One day after Microsoft issued a rare emergency Windows security
    >>>>> patch, the bad guys have a few new ways to take advantage of the
    >>>>> bug.....a new worm, called Gimmiv....
    >>>>>
    >>>>> This vulnerability lies in the Windows Server service.... "It is
    >>>>> downloaded onto a target machine via social engineering
    >>>>
    >>>> Key words: Social Engineering.......
    >>>
    >>> And completely wrong.
    >>> It is a vulnerability in the windows RPC code, and absolutely no user
    >>> interaction is needed

    >>
    >> That's not what the article says.

    >
    > I don't care what the article says. It is a RPC error, thus *no* user
    > interaction is needed.
    > In principle a machine with a running firewall should be safe, but a small
    > error in setting the firewall will make the machine wide open.
    > If you have file- and printer sharing enabled, very easily you can enable
    > also the access from the outside. Then all bets are off.
    > The problem is in a code area which is not protected by "/GS security
    > cookies"
    >
    >> It has to make it to the first machine.

    >
    > Wrong
    >
    > And actually it is quite similar to the 2006 vulnerability in RPC,
    > when "Vanebot" or "Mocbot" were infecting windows machines without any user
    > interaction at all


    I'll take your word for it but the term social engineering should have been
    left out of the article.

    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/
    Please Visit www.linsux.org

  9. Re: [News] New worm feeds on latest Microsoft bug

    Peter Köhlmann wrote:
    > Moshe Goldfarb. wrote:
    >
    >> On Sun, 26 Oct 2008 23:23:26 +0100, Peter Köhlmann wrote:
    >>
    >>> The racist, liar and software thief Gary Stewart (flatfish) nymshifted:
    >>>
    >>>> On Sun, 26 Oct 2008 14:40:58 -0700 (PDT), nessuno@wigner.berkeley.edu
    >>>> wrote:
    >>>>
    >>>>>
    >>>>> One day after Microsoft issued a rare emergency Windows security
    >>>>> patch, the bad guys have a few new ways to take advantage of the
    >>>>> bug.....a new worm, called Gimmiv....
    >>>>>
    >>>>> This vulnerability lies in the Windows Server service.... "It is
    >>>>> downloaded onto a target machine via social engineering
    >>>> Key words: Social Engineering.......
    >>> And completely wrong.
    >>> It is a vulnerability in the windows RPC code, and absolutely no user
    >>> interaction is needed

    >> That's not what the article says.


    >
    > I don't care what the article says. It is a RPC error, thus *no* user
    > interaction is needed.
    > In principle a machine with a running firewall should be safe, but a small
    > error in setting the firewall will make the machine wide open.
    > If you have file- and printer sharing enabled, very easily you can enable
    > also the access from the outside. Then all bets are off.


    What are you talking about? RPC is on TCP port 135, and if that port is
    closed on the host based firewall/packet filter running on the machine,
    then nothing is going to happen on that port. And that port is closed by
    default on a host based FW/packet filter.

    The Windows Networking ports are 137-139 UDP and (NT ONLY 445 TCP). And
    those are the ports that are open for MS File & Print Sharing, and code
    execution does NOT happen on those ports.

    Remote Procedure Call allows COM based code execution and communications
    on a remote client or server machine to be executed remotely, but that
    is based on the RPC/DCOM port TCP 135 being opened on the machine.

    You DO NOT know what you are talking about.


  10. Re: [News] New worm feeds on latest Microsoft bug

    Moshe Goldfarb. wrote:

    > On Sun, 26 Oct 2008 23:45:22 +0100, Peter Köhlmann wrote:
    >
    >> Moshe Goldfarb. wrote:
    >>
    >>> On Sun, 26 Oct 2008 23:23:26 +0100, Peter Köhlmann wrote:
    >>>
    >>>> The racist, liar and software thief Gary Stewart (flatfish) nymshifted:
    >>>>
    >>>>> On Sun, 26 Oct 2008 14:40:58 -0700 (PDT), nessuno@wigner.berkeley.edu
    >>>>> wrote:
    >>>>>
    >>>>>>
    >>>>>> One day after Microsoft issued a rare emergency Windows security
    >>>>>> patch, the bad guys have a few new ways to take advantage of the
    >>>>>> bug.....a new worm, called Gimmiv....
    >>>>>>
    >>>>>> This vulnerability lies in the Windows Server service.... "It is
    >>>>>> downloaded onto a target machine via social engineering
    >>>>>
    >>>>> Key words: Social Engineering.......
    >>>>
    >>>> And completely wrong.
    >>>> It is a vulnerability in the windows RPC code, and absolutely no user
    >>>> interaction is needed
    >>>
    >>> That's not what the article says.

    >>
    >> I don't care what the article says. It is a RPC error, thus *no* user
    >> interaction is needed.
    >> In principle a machine with a running firewall should be safe, but a
    >> small error in setting the firewall will make the machine wide open.
    >> If you have file- and printer sharing enabled, very easily you can enable
    >> also the access from the outside. Then all bets are off.
    >> The problem is in a code area which is not protected by "/GS security
    >> cookies"
    >>
    >>> It has to make it to the first machine.

    >>
    >> Wrong
    >>
    >> And actually it is quite similar to the 2006 vulnerability in RPC,
    >> when "Vanebot" or "Mocbot" were infecting windows machines without any
    >> user interaction at all

    >
    > I'll take your word for it


    You better do.

    > but the term social engineering should have
    > been left out of the article.
    >


    Maybe. And on the other hand, you should perhaps have tried to see if other, more
    technically oriented news than "NYT" have to say something about it before
    blubbering your bull****
    Even MS might be a better source for real info than NYT in this case
    --
    Failure is not an option. It comes bundled with your Microsoft product.


  11. Re: [News] New worm feeds on latest Microsoft bug

    Linux Pimps wrote:

    > Peter Köhlmann wrote:
    >> Moshe Goldfarb. wrote:
    >>
    >>> On Sun, 26 Oct 2008 23:23:26 +0100, Peter Köhlmann wrote:
    >>>
    >>>> The racist, liar and software thief Gary Stewart (flatfish) nymshifted:
    >>>>
    >>>>> On Sun, 26 Oct 2008 14:40:58 -0700 (PDT), nessuno@wigner.berkeley.edu
    >>>>> wrote:
    >>>>>
    >>>>>>
    >>>>>> One day after Microsoft issued a rare emergency Windows security
    >>>>>> patch, the bad guys have a few new ways to take advantage of the
    >>>>>> bug.....a new worm, called Gimmiv....
    >>>>>>
    >>>>>> This vulnerability lies in the Windows Server service.... "It is
    >>>>>> downloaded onto a target machine via social engineering
    >>>>> Key words: Social Engineering.......
    >>>> And completely wrong.
    >>>> It is a vulnerability in the windows RPC code, and absolutely no user
    >>>> interaction is needed
    >>> That's not what the article says.

    >
    >>
    >> I don't care what the article says. It is a RPC error, thus *no* user
    >> interaction is needed.
    >> In principle a machine with a running firewall should be safe, but a
    >> small error in setting the firewall will make the machine wide open.
    >> If you have file- and printer sharing enabled, very easily you can enable
    >> also the access from the outside. Then all bets are off.

    >
    > What are you talking about? RPC is on TCP port 135, and if that port is
    > closed on the host based firewall/packet filter running on the machine,
    > then nothing is going to happen on that port. And that port is closed by
    > default on a host based FW/packet filter.
    >
    > The Windows Networking ports are 137-139 UDP and (NT ONLY 445 TCP). And
    > those are the ports that are open for MS File & Print Sharing, and code
    > execution does NOT happen on those ports.
    >
    > Remote Procedure Call allows COM based code execution and communications
    > on a remote client or server machine to be executed remotely, but that
    > is based on the RPC/DCOM port TCP 135 being opened on the machine.
    >
    > You DO NOT know what you are talking about.


    Idiot
    --
    Failure is not an option. It comes bundled with your Microsoft product.


  12. Re: [News] New worm feeds on latest Microsoft bug

    Moshe Goldfarb. wrote:
    > On Sun, 26 Oct 2008 23:45:22 +0100, Peter Köhlmann wrote:
    >
    >> Moshe Goldfarb. wrote:
    >>
    >>> On Sun, 26 Oct 2008 23:23:26 +0100, Peter Köhlmann wrote:
    >>>
    >>>> The racist, liar and software thief Gary Stewart (flatfish) nymshifted:
    >>>>
    >>>>> On Sun, 26 Oct 2008 14:40:58 -0700 (PDT), nessuno@wigner.berkeley.edu
    >>>>> wrote:
    >>>>>
    >>>>>>
    >>>>>> One day after Microsoft issued a rare emergency Windows security
    >>>>>> patch, the bad guys have a few new ways to take advantage of the
    >>>>>> bug.....a new worm, called Gimmiv....
    >>>>>>
    >>>>>> This vulnerability lies in the Windows Server service.... "It is
    >>>>>> downloaded onto a target machine via social engineering
    >>>>> Key words: Social Engineering.......
    >>>> And completely wrong.
    >>>> It is a vulnerability in the windows RPC code, and absolutely no user
    >>>> interaction is needed
    >>> That's not what the article says.

    >> I don't care what the article says. It is a RPC error, thus *no* user
    >> interaction is needed.
    >> In principle a machine with a running firewall should be safe, but a small
    >> error in setting the firewall will make the machine wide open.
    >> If you have file- and printer sharing enabled, very easily you can enable
    >> also the access from the outside. Then all bets are off.
    >> The problem is in a code area which is not protected by "/GS security
    >> cookies"
    >>
    >>> It has to make it to the first machine.

    >> Wrong
    >>
    >> And actually it is quite similar to the 2006 vulnerability in RPC,
    >> when "Vanebot" or "Mocbot" were infecting windows machines without any user
    >> interaction at all

    >
    > I'll take your word for it but the term social engineering should have been
    > left out of the article.
    >


    No don't take his word for it, because TCP port 135 is the RPC/DCOM
    port. If that port is protected on the machine by a host based firewall,
    which that port is closed by default by a host based firewall running on
    the machine, then the machine cannot be attacked using RPC, period.



  13. Re: [News] New worm feeds on latest Microsoft bug

    Peter Köhlmann wrote:
    > Linux Pimps wrote:
    >
    >> Peter Köhlmann wrote:
    >>> Moshe Goldfarb. wrote:
    >>>
    >>>> On Sun, 26 Oct 2008 23:23:26 +0100, Peter Köhlmann wrote:
    >>>>
    >>>>> The racist, liar and software thief Gary Stewart (flatfish) nymshifted:
    >>>>>
    >>>>>> On Sun, 26 Oct 2008 14:40:58 -0700 (PDT), nessuno@wigner.berkeley.edu
    >>>>>> wrote:
    >>>>>>
    >>>>>>>
    >>>>>>> One day after Microsoft issued a rare emergency Windows security
    >>>>>>> patch, the bad guys have a few new ways to take advantage of the
    >>>>>>> bug.....a new worm, called Gimmiv....
    >>>>>>>
    >>>>>>> This vulnerability lies in the Windows Server service.... "It is
    >>>>>>> downloaded onto a target machine via social engineering
    >>>>>> Key words: Social Engineering.......
    >>>>> And completely wrong.
    >>>>> It is a vulnerability in the windows RPC code, and absolutely no user
    >>>>> interaction is needed
    >>>> That's not what the article says.
    >>> I don't care what the article says. It is a RPC error, thus *no* user
    >>> interaction is needed.
    >>> In principle a machine with a running firewall should be safe, but a
    >>> small error in setting the firewall will make the machine wide open.
    >>> If you have file- and printer sharing enabled, very easily you can enable
    >>> also the access from the outside. Then all bets are off.

    >> What are you talking about? RPC is on TCP port 135, and if that port is
    >> closed on the host based firewall/packet filter running on the machine,
    >> then nothing is going to happen on that port. And that port is closed by
    >> default on a host based FW/packet filter.
    >>
    >> The Windows Networking ports are 137-139 UDP and (NT ONLY 445 TCP). And
    >> those are the ports that are open for MS File & Print Sharing, and code
    >> execution does NOT happen on those ports.
    >>
    >> Remote Procedure Call allows COM based code execution and communications
    >> on a remote client or server machine to be executed remotely, but that
    >> is based on the RPC/DCOM port TCP 135 being opened on the machine.
    >>
    >> You DO NOT know what you are talking about.

    >
    > Idiot



    You stupid fool, you know nothing about RPC and how it works, you know
    nothing about COM or DCOM object communications over TCP 135 the
    COM/DCOM port you moron.

  14. Re: [News] New worm feeds on latest Microsoft bug

    On Mon, 27 Oct 2008 00:19:58 +0100, Peter Köhlmann wrote:

    > Moshe Goldfarb. wrote:
    >
    >> On Sun, 26 Oct 2008 23:45:22 +0100, Peter Köhlmann wrote:
    >>
    >>> Moshe Goldfarb. wrote:
    >>>
    >>>> On Sun, 26 Oct 2008 23:23:26 +0100, Peter Köhlmann wrote:
    >>>>
    >>>>> The racist, liar and software thief Gary Stewart (flatfish) nymshifted:
    >>>>>
    >>>>>> On Sun, 26 Oct 2008 14:40:58 -0700 (PDT), nessuno@wigner.berkeley.edu
    >>>>>> wrote:
    >>>>>>
    >>>>>>>
    >>>>>>> One day after Microsoft issued a rare emergency Windows security
    >>>>>>> patch, the bad guys have a few new ways to take advantage of the
    >>>>>>> bug.....a new worm, called Gimmiv....
    >>>>>>>
    >>>>>>> This vulnerability lies in the Windows Server service.... "It is
    >>>>>>> downloaded onto a target machine via social engineering
    >>>>>>
    >>>>>> Key words: Social Engineering.......
    >>>>>
    >>>>> And completely wrong.
    >>>>> It is a vulnerability in the windows RPC code, and absolutely no user
    >>>>> interaction is needed
    >>>>
    >>>> That's not what the article says.
    >>>
    >>> I don't care what the article says. It is a RPC error, thus *no* user
    >>> interaction is needed.
    >>> In principle a machine with a running firewall should be safe, but a
    >>> small error in setting the firewall will make the machine wide open.
    >>> If you have file- and printer sharing enabled, very easily you can enable
    >>> also the access from the outside. Then all bets are off.
    >>> The problem is in a code area which is not protected by "/GS security
    >>> cookies"
    >>>
    >>>> It has to make it to the first machine.
    >>>
    >>> Wrong
    >>>
    >>> And actually it is quite similar to the 2006 vulnerability in RPC,
    >>> when "Vanebot" or "Mocbot" were infecting windows machines without any
    >>> user interaction at all

    >>
    >> I'll take your word for it

    >
    > You better do.


    Only because I at least admit I am light on security, unlike others in this
    group who proclaim to be experts on everything.

    >> but the term social engineering should have
    >> been left out of the article.
    >>

    >
    > Maybe. And on the other hand, you should perhaps have tried to see if other, more
    > technically oriented news than "NYT" have to say something about it before
    > blubbering your bull****
    > Even MS might be a better source for real info than NYT in this case


    Don't talk to me.
    Talk to your compadre, Linux advocate "par excellence", Richard Rasker.
    He posted it not me.


    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/
    Please Visit www.linsux.org

  15. Re: [News] New worm feeds on latest Microsoft bug

    On Sun, 26 Oct 2008 19:26:13 -0400, Linux Pimps wrote:

    > Moshe Goldfarb. wrote:
    >> On Sun, 26 Oct 2008 23:45:22 +0100, Peter Köhlmann wrote:
    >>
    >>> Moshe Goldfarb. wrote:
    >>>
    >>>> On Sun, 26 Oct 2008 23:23:26 +0100, Peter Köhlmann wrote:
    >>>>
    >>>>> The racist, liar and software thief Gary Stewart (flatfish) nymshifted:
    >>>>>
    >>>>>> On Sun, 26 Oct 2008 14:40:58 -0700 (PDT), nessuno@wigner.berkeley.edu
    >>>>>> wrote:
    >>>>>>
    >>>>>>>
    >>>>>>> One day after Microsoft issued a rare emergency Windows security
    >>>>>>> patch, the bad guys have a few new ways to take advantage of the
    >>>>>>> bug.....a new worm, called Gimmiv....
    >>>>>>>
    >>>>>>> This vulnerability lies in the Windows Server service.... "It is
    >>>>>>> downloaded onto a target machine via social engineering
    >>>>>> Key words: Social Engineering.......
    >>>>> And completely wrong.
    >>>>> It is a vulnerability in the windows RPC code, and absolutely no user
    >>>>> interaction is needed
    >>>> That's not what the article says.
    >>> I don't care what the article says. It is a RPC error, thus *no* user
    >>> interaction is needed.
    >>> In principle a machine with a running firewall should be safe, but a small
    >>> error in setting the firewall will make the machine wide open.
    >>> If you have file- and printer sharing enabled, very easily you can enable
    >>> also the access from the outside. Then all bets are off.
    >>> The problem is in a code area which is not protected by "/GS security
    >>> cookies"
    >>>
    >>>> It has to make it to the first machine.
    >>> Wrong
    >>>
    >>> And actually it is quite similar to the 2006 vulnerability in RPC,
    >>> when "Vanebot" or "Mocbot" were infecting windows machines without any user
    >>> interaction at all

    >>
    >> I'll take your word for it but the term social engineering should have been
    >> left out of the article.
    >>

    >
    > No don't take his word for it, because TCP port 135 is the RPC/DCOM
    > port. If that port is protected on the machine by a host based firewall,
    > which that port is closed by default by a host based firewall running on
    > the machine, then the machine cannot be attacked using RPC, period.


    That much I do know.
    I believe Peter did say it would be blocked by most firewalls.

    My contention is with the social engineering part which is going to be the
    downfall of Linux.

    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/
    Please Visit www.linsux.org

  16. Re: [News] New worm feeds on latest Microsoft bug

    Moshe Goldfarb. wrote:

    > On Sun, 26 Oct 2008 23:02:40 +0100, Richard Rasker wrote:
    >
    >> So please try a little harder to come up
    >> with a plausible way that Linux could become as insecure as Windows.
    >>
    >>
    >> Richard Rasker

    >
    > Simple.... a rogue program in one of the many repositories for Linux
    > software.


    No, not so simple ...

    > Do you *really know* what say the mediaubuntu is downloading to your
    > machine?
    > What about the various restricted repositories that Ubuntu users need to
    > add in order to play mp3, libdvdcss etc...


    One word: keys. A checksum of every downloaded file is compared to a key on
    a separate server. So any distributor of rogue software must not only
    compromise a package mirror, but also the key server. The only realistic
    way to spread malicious software this way is to get further upstream -- but
    that's exceedingly difficult.
    Then of course you could try creating a complete application which has
    concealed malware aboard, but this is even less plausible: the application
    must be something a lot of people want to install -- and even in the
    unlikely event that you succeed in creating something hugely popular, your
    cunning plan will fall apart as soon as anyone bothers to dive into the
    source code. The chance of which is a solid 100% if you actually create
    something that appeals to a lot of people.

    > How do you really know what is in there and what you are loading on to
    > your machine?
    >
    > Answer: you don't.


    Answer: you do. At least you do know that what's downloaded onto your
    machine has the same checksum as what the software creator put online.
    And so far, it's virtually impossible to

    > Mint Linux was infected as were others earlier this year.


    If this has actually led to infections, then Mint has made severe mistakes
    in its package management and distribution -- e.g. no key checks, or no use
    of keys and key servers at all.

    > It will happen more as Linux user numbers increase, if they do.


    I seriously doubt it -- these attacks all have to do with Linux servers
    being compromised, usually through bad PHP code. For all intents and
    purposes, desktop Linux isn't attacked at all. Sure, with an increasing
    popularity of desktop Linux there will inevitably be more attacks -- but
    I'm very confident that we won't see this endless malware mess that's been
    rampant in the Windows world for well over a decade now. Linux really is
    better designed, with nothing like the old one-user no-network computer
    legacy which made Windows so terribly insecure -- although the ultimate
    cause of this legacy was of course plain incompetence in designing the OS
    in the first place.

    Richard Rasker
    --
    http://www.linetec.nl
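
The checksum-and-key argument in the post above, as an added example that is not part of any post in this thread: a simplified APT-style hash chain in which a trusted index pins the package list, and the package list pins each package. It assumes the signature on the top-level `Release` text was already verified against the archive key (for instance with `gpgv`); the one-line index format, file names and payloads are constructed for illustration.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_index(text: str) -> dict:
    """Parse 'sha256 size path' lines into {path: (sha256, size)}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].isdigit():
            entries[parts[2]] = (parts[0], int(parts[1]))
    return entries


def check(index: dict, path: str, data: bytes) -> None:
    """Raise ValueError unless data matches the size and hash the index pins."""
    if path not in index:
        raise ValueError(f"{path}: not listed in index")
    digest, size = index[path]
    if len(data) != size:
        raise ValueError(f"{path}: size mismatch")
    if sha256(data) != digest:
        raise ValueError(f"{path}: checksum mismatch")


def verify_package(trusted_release: str, mirror: dict, pkg_path: str) -> bytes:
    """trusted_release: Release text whose signature was verified beforehand
    (assumption). mirror: {path: bytes} exactly as an untrusted mirror serves it."""
    release_index = parse_index(trusted_release)
    packages = mirror["Packages"]
    check(release_index, "Packages", packages)      # step 1: Release pins the index
    package_index = parse_index(packages.decode())
    deb = mirror[pkg_path]
    check(package_index, pkg_path, deb)             # step 2: index pins the package
    return deb


def build_repo():
    """Constructed repository: one package, its index, and the signed top level."""
    deb = b"constructed package payload v1.0\n"
    path = "pool/main/h/hello/hello_1.0_all.deb"
    packages = f"{sha256(deb)} {len(deb)} {path}\n".encode()
    release = f"{sha256(packages)} {len(packages)} Packages\n"
    return release, {"Packages": packages, path: deb}, path


def outcome(release: str, mirror: dict, path: str) -> str:
    try:
        verify_package(release, mirror, path)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    release, mirror, path = build_repo()
    results = {"clean mirror": outcome(release, mirror, path)}

    # A compromised mirror swaps the package but leaves the index alone.
    evil = b"constructed tampered payload!!!!\n"
    swapped = dict(mirror)
    swapped[path] = evil
    results["package replaced"] = outcome(release, swapped, path)

    # The mirror also rewrites the index to match the swapped package.
    # It cannot re-sign Release, so the rewritten index no longer matches it.
    forged_index = f"{sha256(evil)} {len(evil)} {path}\n".encode()
    both = {"Packages": forged_index, path: evil}
    results["package and index replaced"] = outcome(release, both, path)
    return results


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Everything rests on the signature check that this sketch takes as given: a client that skips it, or trusts a key supplied by the mirror itself, accepts whatever the mirror serves.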

  17. Re: [News] New worm feeds on latest Microsoft bug

    Moshe Goldfarb. wrote:
    > On Sun, 26 Oct 2008 19:26:13 -0400, Linux Pimps wrote:
    >
    >> Moshe Goldfarb. wrote:
    >>> On Sun, 26 Oct 2008 23:45:22 +0100, Peter Köhlmann wrote:
    >>>
    >>>> Moshe Goldfarb. wrote:
    >>>>
    >>>>> On Sun, 26 Oct 2008 23:23:26 +0100, Peter Köhlmann wrote:
    >>>>>
    >>>>>> The racist, liar and software thief Gary Stewart (flatfish) nymshifted:
    >>>>>>
    >>>>>>> On Sun, 26 Oct 2008 14:40:58 -0700 (PDT), nessuno@wigner.berkeley.edu
    >>>>>>> wrote:
    >>>>>>>
    >>>>>>>>
    >>>>>>>> One day after Microsoft issued a rare emergency Windows security
    >>>>>>>> patch, the bad guys have a few new ways to take advantage of the
    >>>>>>>> bug.....a new worm, called Gimmiv....
    >>>>>>>>
    >>>>>>>> This vulnerability lies in the Windows Server service.... "It is
    >>>>>>>> downloaded onto a target machine via social engineering
    >>>>>>> Key words: Social Engineering.......
    >>>>>> And completely wrong.
    >>>>>> It is a vulnerability in the windows RPC code, and absolutely no user
    >>>>>> interaction is needed
    >>>>> That's not what the article says.
    >>>> I don't care what the article says. It is a RPC error, thus *no* user
    >>>> interaction is needed.
    >>>> In principle a machine with a running firewall should be safe, but a small
    >>>> error in setting the firewall will make the machine wide open.
    >>>> If you have file- and printer sharing enabled, very easily you can enable
    >>>> also the access from the outside. Then all bets are off.
    >>>> The problem is in a code area which is not protected by "/GS security
    >>>> cookies"
    >>>>
    >>>>> It has to make it to the first machine.
    >>>> Wrong
    >>>>
    >>>> And actually it is quite similar to the 2006 vulnerability in RPC,
    >>>> when "Vanebot" or "Mocbot" were infecting windows machines without any user
    >>>> interaction at all
    >>> I'll take your word for it but the term social engineering should have been
    >>> left out of the article.
    >>>

    >> No don't take his word for it, because TCP port 135 is the RPC/DCOM
    >> port. If that port is protected on the machine by a host based firewall,
    >> which that port is closed by default by a host based firewall running on
    >> the machine, then the machine cannot be attacked using RPC, period.

    >
    > That much I do know.
    > I believe Peter did say it would be blocked by most firewalls.
    >
    > My contention is with the social engineering part which is going to be the
    > downfall of Linux.
    >


    But he turned around and said that if MS File and Print sharing were
    open on the FW, a possible mistake he indicates, then the RPC exploit
    can take place. RPC uses TCP port 135 and not UDP 137-139 and TCP 445
    (NT only) the Windows Networking Ports.

    Something/a program has to be listening on a port on the other end.

    So the RPC exploit is not spreading from one machine to the next if the
    machine has TCP port 135 closed, which is the default state on a FW.

    The social engineering means that a user of a machine was initially
    involved in the compromise.

  18. Re: [News] New worm feeds on latest Microsoft bug

    On Sun, 26 Oct 2008 19:44:36 -0400, Linux Pimps wrote:

    > Moshe Goldfarb. wrote:
    >> On Sun, 26 Oct 2008 19:26:13 -0400, Linux Pimps wrote:
    >>
    >>> Moshe Goldfarb. wrote:
    >>>> On Sun, 26 Oct 2008 23:45:22 +0100, Peter Köhlmann wrote:
    >>>>
    >>>>> Moshe Goldfarb. wrote:
    >>>>>
    >>>>>> On Sun, 26 Oct 2008 23:23:26 +0100, Peter Köhlmann wrote:
    >>>>>>
    >>>>>>> The racist, liar and software thief Gary Stewart (flatfish) nymshifted:
    >>>>>>>
    >>>>>>>> On Sun, 26 Oct 2008 14:40:58 -0700 (PDT), nessuno@wigner.berkeley.edu
    >>>>>>>> wrote:
    >>>>>>>>
    >>>>>>>>>
    >>>>>>>>> One day after Microsoft issued a rare emergency Windows security
    >>>>>>>>> patch, the bad guys have a few new ways to take advantage of the
    >>>>>>>>> bug.....a new worm, called Gimmiv....
    >>>>>>>>>
    >>>>>>>>> This vulnerability lies in the Windows Server service.... "It is
    >>>>>>>>> downloaded onto a target machine via social engineering
    >>>>>>>> Key words: Social Engineering.......
    >>>>>>> And completely wrong.
    >>>>>>> It is a vulnerability in the windows RPC code, and absolutely no user
    >>>>>>> interaction is needed
    >>>>>> That's not what the article says.
    >>>>> I don't care what the article says. It is a RPC error, thus *no* user
    >>>>> interaction is needed.
    >>>>> In principle a machine with a running firewall should be safe, but a small
    >>>>> error in setting the firewall will make the machine wide open.
    >>>>> If you have file- and printer sharing enabled, very easily you can enable
    >>>>> also the access from the outside. Then all bets are off.
    >>>>> The problem is in a code area which is not protected by "/GS security
    >>>>> cookies"
    >>>>>
    >>>>>> It has to make it to the first machine.
    >>>>> Wrong
    >>>>>
    >>>>> And actually it is quite similar to the 2006 vulnerability in RPC,
    >>>>> when "Vanebot" or "Mocbot" were infecting windows machines without any user
    >>>>> interaction at all
    >>>> I'll take your word for it but the term social engineering should have been
    >>>> left out of the article.
    >>>>
    >>> No don't take his word for it, because TCP port 135 is the RPC/DCOM
    >>> port. If that port is protected on the machine by a host based firewall,
    >>> which that port is closed by default by a host based firewall running on
    >>> the machine, then the machine cannot be attacked using RPC, period.

    >>
    >> That much I do know.
    >> I believe Peter did say it would be blocked by most firewalls.
    >>
    >> My contention is with the social engineering part which is going to be the
    >> downfall of Linux.
    >>

    >
    > But he turned around and said that if MS File and Print sharing were
    > open on the FW, a possible mistake he indicates, then the RPC exploit
    > can take place. RPC uses TCP port 135 and not UDP 137-139 and TCP 445
    > (NT only) the Windows Networking Ports.


    Yes he did.

    > Something/a program has to be listening on a port on the other end.


    Correct.

    > So the RPC exploit is not spreading from one machine to the next if the
    > machine has TCP port 135 closed, which is the default state on a FW.


    Correct.

    > The social engineering means that a user of a machine was initially
    > involved in the compromise.


    That's what I suggested.
    He said no.
    The article says yes.


    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/
    Please Visit www.linsux.org

  19. Re: [News] New worm feeds on latest Microsoft bug

    Linux Pimps wrote:

    > Peter Köhlmann wrote:
    >> Linux Pimps wrote:
    >>
    >>> Peter Köhlmann wrote:
    >>>> Moshe Goldfarb. wrote:
    >>>>
    >>>>> On Sun, 26 Oct 2008 23:23:26 +0100, Peter Köhlmann wrote:
    >>>>>
    >>>>>> The racist, liar and software thief Gary Stewart (flatfish)
    >>>>>> nymshifted:
    >>>>>>
    >>>>>>> On Sun, 26 Oct 2008 14:40:58 -0700 (PDT),
    >>>>>>> nessuno@wigner.berkeley.edu wrote:
    >>>>>>>
    >>>>>>>>
    >>>>>>>> One day after Microsoft issued a rare emergency Windows security
    >>>>>>>> patch, the bad guys have a few new ways to take advantage of the
    >>>>>>>> bug.....a new worm, called Gimmiv....
    >>>>>>>>
    >>>>>>>> This vulnerability lies in the Windows Server service.... "It is
    >>>>>>>> downloaded onto a target machine via social engineering
    >>>>>>> Key words: Social Engineering.......
    >>>>>> And completely wrong.
    >>>>>> It is a vulnerability in the windows RPC code, and absolutely no user
    >>>>>> interaction is needed
    >>>>> That's not what the article says.
    >>>> I don't care what the article says. It is a RPC error, thus *no* user
    >>>> interaction is needed.
    >>>> In principle a machine with a running firewall should be safe, but a
    >>>> small error in setting the firewall will make the machine wide open.
    >>>> If you have file- and printer sharing enabled, very easily you can
    >>>> enable also the access from the outside. Then all bets are off.
    >>> What are you talking about? RPC is on TCP port 135, and if that port is
    >>> closed on the host based firewall/packet filter running on the machine,
    >>> then nothing is going to happen on that port. And that port is closed by
    >>> default on a host based FW/packet filter.
    >>>
    >>> The Windows Networking ports are 137-139 UDP and (NT ONLY 445 TCP). And
    >>> those are the ports that are open for MS File & Print Sharing, and code
    >>> execution does NOT happen on those ports.
    >>>
    >>> Remote Procedure Call allows COM based code execution and communications
    >>> on a remote client or server machine to be executed remotely, but that
    >>> is based on the RPC/DCOM port TCP 135 being opened on the machine.
    >>>
    >>> You DO NOT know what you are talking about.

    >>
    >> Idiot

    >
    >
    > You stupid fool, you know nothing about RPC and how it works, you know
    > nothing about COM or DCOM object communications over TCP 135 the
    > COM/DCOM port you moron.


    Fine. And now go playing on the motorway again, idiot
    --
    Microsoft's Guide To System Design:
    Let it get in YOUR way. The problem for your problem.


  20. Re: [News] New worm feeds on latest Microsoft bug

    On Mon, 27 Oct 2008 00:36:17 +0100, Richard Rasker wrote:

    > Moshe Goldfarb. wrote:
    >
    >> On Sun, 26 Oct 2008 23:02:40 +0100, Richard Rasker wrote:
    >>
    >> So please try a little harder to come up
    >>> with a plausible way that Linux could become as insecure as Windows.
    >>>
    >>>
    >>> Richard Rasker

    >>
    >> Simple.... a rogue program in one of the many repositories for Linux
    >> software.

    >
    > No, not so simple ...
    >
    >> Do you *really know* what say the mediaubuntu is downloading to your
    >> machine?
    >> What about the various restricted repositories that Ubuntu users need to
    >> add in order to play mp3, libdvdcss etc...

    >
    > One word: keys. A checksum of every downloaded file is compared to a key on
    > a separate server. So any distributor of rogue software must not only
    > compromise a package mirror, but also the key server. The only realistic
    > way to spread malicious software this way is to get further upstream -- but
    > that's exceedingly difficult.
    > Then of course you could try creating a complete application which has
    > concealed malware aboard, but this is even less plausible: the application
    > must be something a lot of people want to install -- and even in the
    > unlikely event that you succeed in creating something hugely popular, your
    > cunning plan will fall apart as soon as anyone bothers to dive into the
    > source code. The chance of which is a solid 100% if you actually create
    > something that appeals to a lot of people.
    >
    >> How do you really know what is in there and what you are loading on to
    >> your machine?
    >>
    >> Answer: you don't.

    >
    > Answer: you do. At least you do know that what's downloaded onto your
    > machine has the same checksum as what the software creator put online.
    > And so far, it's virtually impossible to
    >
    >> Mint Linux was infected as were others earlier this year.

    >
    > If this has actually led to infections, then Mint has made severe mistakes
    > in its package management and distribution -- e.g. no key checks, or no use
    > of keys and key servers at all.
    >
    >> It will happen more as Linux user numbers increase, if they do.

    >
    > I seriously doubt it -- these attacks all have to do with Linux servers
    > being compromised, usually through bad PHP code. For all intents and
    > purposes, desktop Linux isn't attacked at all. Sure, with an increasing
    > popularity of desktop Linux there will inevitably be more attacks -- but
    > I'm very confident that we won't see this endless malware mess that's been
    > rampant in the Windows world for well over a decade now. Linux really is
    > better designed, with nothing like the old one-user no-network computer
    > legacy which made Windows so terribly insecure -- although the ultimate
    > cause of this legacy was of course plain incompetence in designing the OS
    > in the first place.
    >
    > Richard Rasker


    All the checks and balances in the world will not compensate for ignorant
    users, social engineering etc.
    Does Linux make it more difficult?
    Probably, but it will happen.

    Even from my own experience, too much trust is put in Linux and what is up
    in the sky to download.

    I want to play mp3 files, I see a post to add this that and the other
    repository to my Ubuntu package manager and I do.
    And that is exactly what most people will do.

    I have no clue what is coming down, I just want to play mp3 files for
    example.

    It's going to happen when Linux is a big enough desktop target, which is
    where most of the infections are coming from in the Windows world.


    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/
    Please Visit www.linsux.org
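
The exchange above turns on whether a checksum protects against a tampered package mirror. The following is an added example, not part of any post in the thread: it models a Debian-style index check in which the package hash lives in an index and the index hash is assumed to come from a release file whose signature was already verified against a locally pinned key. The package name, contents and helper names are constructed for illustration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_packages(index_text: str) -> dict:
    """Parse Debian-style 'Packages' stanzas into {filename: (size, sha256)}."""
    entries = {}
    for stanza in index_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        entries[fields["Filename"]] = (int(fields["Size"]), fields["SHA256"].lower())
    return entries

def verify_download(trusted_index_sha256: str, index_bytes: bytes,
                    filename: str, package_bytes: bytes) -> str:
    """Return 'ok' or the reason the download must be rejected.

    Assumption: trusted_index_sha256 was read from a release file whose
    signature has already been checked against a pinned key.
    """
    # Step 1: the index itself must be the one the key holder published.
    if sha256_hex(index_bytes) != trusted_index_sha256:
        return "index does not match signed release"
    entries = parse_packages(index_bytes.decode("utf-8"))
    if filename not in entries:
        return "package not listed in index"
    # Step 2: the package must match the size and hash listed in that index.
    size, digest = entries[filename]
    if len(package_bytes) != size:
        return "size mismatch"
    if sha256_hex(package_bytes) != digest:
        return "checksum mismatch"
    return "ok"

def make_index(filename: str, payload: bytes) -> bytes:
    """Build a constructed one-package index for the demonstration."""
    return (f"Package: demo-player\nFilename: {filename}\n"
            f"Size: {len(payload)}\nSHA256: {sha256_hex(payload)}\n").encode()

# Constructed sample data, not real packages.
NAME = "pool/main/d/demo-player_1.0_all.deb"
GOOD_PKG = b"constructed package contents"
EVIL_PKG = b"constructed tampered content"   # same length, different bytes
GOOD_INDEX = make_index(NAME, GOOD_PKG)
SIGNED_DIGEST = sha256_hex(GOOD_INDEX)       # value carried by the signed release

if __name__ == "__main__":
    print(verify_download(SIGNED_DIGEST, GOOD_INDEX, NAME, GOOD_PKG))
    print(verify_download(SIGNED_DIGEST, GOOD_INDEX, NAME, EVIL_PKG))
    # A mirror that rewrites the index to match its own package is still caught:
    print(verify_download(SIGNED_DIGEST, make_index(NAME, EVIL_PKG), NAME, EVIL_PKG))
```

A passing check only shows that the package is what the holder of the pinned key published. It says nothing about whether a repository whose key the user chose to add is trustworthy.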
