RE: [Full-Disclosure] Name One Web Site Compromised by Download.Ject?

Subject: RE: [Full-Disclosure] Name One Web Site Compromised by Download.Ject?
Date: Wed, 30 Jun 2004 14:49:07 -0500
-----Original Message-----
From: Morning Wood [mailto:se_cur_ity@hotmail.com] 
Sent: Wednesday, June 30, 2004 12:56 PM
To: Edge, Ronald D; full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Name One Web Site Compromised by Download.Ject?

Legal liability question: Has anyone contacted an attorney yet about
damage done by either of these two possibly negligent actions

are you serious? this "hunt" is laughable. Why is this any 
different than anything else?
...
The problem is UNPATCHED BROWSERS period.
They could have just as well compromised HP 4550 printers and 
embedded a malicious script that contained the same IE bug.
...
my 2bits

m.wood

Uh, actually, I think you sorta missed the point of my post, 
which was pretty much the purpose of this list, namely, full
disclosure. Not only are we not getting full disclosure on just
what sites were involved, we are not getting ANY worth speaking of.

Thus it is part of the same coverup of the growing trend of 
computer exploits over the past 15 years with the growth of the
Internet that has been so assiduously pursued by businesses, mainly
to hide their own embarrassment and potential liability exposure.

Now the criminal activity has reached a fever pitch
since the beginning of the MSBlast exploits and their followups,
and now we see the next major phase, three major exposures of
trojans loaded from web sites to browsers (not just IE, see latest
exploit of help features in multiple browsers). Covering up like
this by not naming and exposing the sites just isn't going to 
cut it much longer. Just as companies sticking their heads in the
sand and hiding the fact does not ultimately help, it harms.

Back to the point: full-exposure just happens to be the name of
this list. My point had little to do with the specific exploits,
and everything to do with legal and social context of what I
see as a pathetic coopting of the media to hide the identities of
compromised web sites, which according to rumor include some
major league sites.

My 02.5 cents worth.

Ron.

Ronald D. Edge
Director of Information Systems
Indiana University Intercollegiate Athletics
edge@indiana.edu  (812)855-9010
http://iuhoosiers.com

Corporate IT's reaction to spyware has been surprising: it's been
largely swept under the rug. The problem is that you can't hide an
elephant by sweeping it under the rug. It leaves quite a bulge.