
Re: [midatlanticretro] Fwd:

  • David Riley
    Message 1 of 17 , May 15, 2013
      On May 15, 2013, at 12:42, Dave McGuire <Mcguire@...> wrote:

       

      > On 05/15/2013 11:43 AM, David Riley wrote:
      > >> Damnit ... this stuff shouldn't happen on Linux.
      > >
      > > Bear in mind the aforementioned possibility that someone may have
      > > just hacked your webmail, if you use webmail. Otherwise, yes, it
      > > happens on Linux just like it happens on the Mac; as both platforms
      > > increase their marketshare relative to Windows, they start to become
      > > more attractive targets to misanthropes. It's still a far less
      > > frequent occurrence, but it's a non-zero probability now.
      >
      > I've never really bought into that argument. It's more a
      > matter of configuration management and crazy features being added to
      > mail clients. My network sees *daily* attacks on its outward-facing
      > machines...that has been the case as long as I can remember. No issues
      > here.

      I was talking more about vulnerabilities in client machines, especially in terms of vulnerable Flash, Java, etc. which are increasingly popular targets for t3h h4x0rz.

      > I wonder what actually did happen to Evan's setup.

      I've put my two cents in. Web mail hijacking, especially if he uses Gmail as a frontend, seems like a good possibility, but only if he uses web mail as a frontend for his personal mail (which I don't know and am not going to pry).


      - Dave
    • Evan Koblentz
      Message 2 of 17 , May 15, 2013
        >> Bear in mind the aforementioned possibility that someone may have just hacked your webmail,

        I very rarely do webmail. Usually POP3 via Thunderbird-on-Ubuntu and via my BlackBerry. Only webmail I do is once in a while via my (ahem) Degnanco account.
      • Dave McGuire
        Message 3 of 17 , May 15, 2013
          On 05/15/2013 02:36 PM, Evan Koblentz wrote:
          >>> Bear in mind the aforementioned possibility that someone may have just
          >>> hacked your webmail,
          >
          > I very rarely do webmail. Usually POP3 via Thunderbird-on-Ubuntu and via my
          > BlackBerry. Only webmail I do is once in a while via my (ahem) Degnanco
          > account.

          So did someone grab your password? What actually happened, any idea? The
          chances of that being a virus are pretty close to zero.

          -Dave

          --
          Dave McGuire, AK4HZ
          New Kensington, PA
        • Dave McGuire
          Message 4 of 17 , May 15, 2013
            On 05/15/2013 01:18 PM, David Riley wrote:
            >> >> Damnit ... this stuff shouldn't happen on Linux.
            >> >
            >> > Bear in mind the aforementioned possibility that someone may have
            >> > just hacked your webmail, if you use webmail. Otherwise, yes, it
            >> > happens on Linux just like it happens on the Mac; as both platforms
            >> > increase their marketshare relative to Windows, they start to become
            >> > more attractive targets to misanthropes. It's still a far less
            >> > frequent occurrence, but it's a non-zero probability now.
            >>
            >> I've never really bought into that argument. It's more a
            >> matter of configuration management and crazy features being added to
            >> mail clients. My network sees *daily* attacks on its outward-facing
            >> machines...that has been the case as long as I can remember. No issues
            >> here.
            >>
            > I was talking more about vulnerabilities in client machines, especially in
            > terms of vulnerable Flash, Java, etc. which are increasingly popular targets
            > for t3h h4x0rz.

            I agree, especially Flash. Java, not so much...but then who runs applets
            anymore anyway. For non-applet-based apps, there really aren't any vectors
            for incursion.

            >> I wonder what actually did happen to Evan's setup.
            >>
            > I've put my two cents in. Web mail hijacking, especially if he uses Gmail as
            > a frontend, seems like a good possibility, but only if he uses web mail as a
            > frontend for his personal mail (which I don't know and am not going to pry).

            Yes, I agree here as well.

            -Dave

            --
            Dave McGuire, AK4HZ
            New Kensington, PA
          • Wesley Furr
            Message 5 of 17 , May 15, 2013
              I would have to disagree...every foggy morning lately there have been
              serious Java flaws revealed...and patches that don't seem to address them
              all. That, coupled with an update process that is far from easy or
              automatic for the average user, and you've got a serious security hole.
              It's bad enough that at work we have stopped automatically installing it on
              new PC's. Sure, most people may not use applets, but that doesn't mean they
              don't have an old version installed in their browser that is riddled with
              security holes, waiting on them to visit the wrong web site...

              Wesley


              -----Original Message-----

              I agree, especially Flash. Java, not so much...but then who runs applets
              anymore anyway. For non-applet-based apps, there really aren't any vectors
              for incursion.
            • Dave McGuire
              Message 6 of 17 , May 15, 2013
                On 05/15/2013 06:59 PM, Wesley Furr wrote:
                > I would have to disagree...every foggy morning lately there have been
                > serious Java flaws revealed...and patches that don't seem to address them
                > all.

                Actual external-access security holes IN THE JVM...the JVM which, by
                the way, doesn't do any network communication unless the program it's
                running opens a socket...seriously?

                > That, coupled with an update process that is far from easy or
                > automatic for the average user, and you've got a serious security hole.

                It amounts to clicking two buttons on any release of Linux less than
                maybe five years old. It even tells you when updates are needed. I
                honestly hope I never meet the dolt for whom this is "far from easy".

                > It's bad enough that at work we have stopped automatically installing it on
                > new PC's. Sure, most people may not use applets, but that doesn't mean they
                > don't have an old version installed in their browser that is riddled with
                > security holes, waiting on them to visit the wrong web site...

                Well I have to agree with you there. But people who manage a
                network-connected system that poorly will get what they've got coming.
                ;) I don't think Evan falls into that category.

                -Dave

                --
                Dave McGuire, AK4HZ
                New Kensington, PA
              • Cory Smelosky
                Message 7 of 17 , May 15, 2013
                  On Wed, 15 May 2013, Dave McGuire wrote:

                  >
                  > On 05/15/2013 06:59 PM, Wesley Furr wrote:
                  >> I would have to disagree...every foggy morning lately there have been
                  >> serious Java flaws revealed...and patches that don't seem to address them
                  >> all.
                  >
                  > Actual external-access security holes IN THE JVM...the JVM which, by
                  > the way, doesn't do any network communication unless the program it's
                  > running opens a socket...seriously?
                  >
                  >> That, coupled with an update process that is far from easy or
                  >> automatic for the average user, and you've got a serious security hole.
                  >
                  > It amounts to clicking two buttons on any release of Linux less than
                  > maybe five years old. It even tells you when updates are needed. I
                  > honestly hope I never meet the dolt for whom this is "far from easy".
                  >
                  >> It's bad enough that at work we have stopped automatically installing it on
                  >> new PC's. Sure, most people may not use applets, but that doesn't mean they
                  >> don't have an old version installed in their browser that is riddled with
                  >> security holes, waiting on them to visit the wrong web site...
                  >
                  > Well I have to agree with you there. But people who manage a
                  > network-connected system that poorly will get what they've got coming.
                  > ;) I don't think Evan falls into that category.
                  >

                  I GENERALLY don't fit in to that category.

                  I DO use dictionary words or a known-compromised password for systems that
                  are local where compromise is unlikely, or I really don't care if people
                  get in to them/I want them in to it.

                  > -Dave
                  >
                  > --
                  > Dave McGuire, AK4HZ
                  > New Kensington, PA

                  --
                  Cory Smelosky
                  http://gewt.net/ Personal stuff
                  http://gimme-sympathy.org Experiments
                • B. Degnan
                  Message 8 of 17 , May 15, 2013
                    Guys please take this thread offline, thanks.

                    -------- Original Message --------
                    > From: "Cory Smelosky" <b4@...>
                    > Sent: Wednesday, May 15, 2013 8:07 PM
                    > To: "Dave McGuire" <Mcguire@...>
                    > Subject: Re: [midatlanticretro] Fwd:
                    >
                    > On Wed, 15 May 2013, Dave McGuire wrote:
                    >
                    > >
                    > > On 05/15/2013 06:59 PM, Wesley Furr wrote:
                    > >> I would have to disagree...every foggy morning lately there have been
                    > >> serious Java flaws revealed...and patches that don't seem to address
                    them
                    > >> all.
                    > >
                    > > Actual external-access security holes IN THE JVM...the JVM which, by
                    > > the way, doesn't do any network communication unless the program it's
                    > > running opens a socket...seriously?
                    > >
                    > >> That, coupled with an update process that is far from easy or
                    > >> automatic for the average user, and you've got a serious security
                    hole.
                    > >
                    > > It amounts to clicking two buttons on any release of Linux less than
                    > > maybe five years old. It even tells you when updates are needed. I
                    > > honestly hope I never meet the dolt for whom this is "far from easy".
                    > >
                    > >> It's bad enough that at work we have stopped automatically installing
                    it on
                    > >> new PC's. Sure, most people may not use applets, but that doesn't
                    mean they
                    > >> don't have an old version installed in their browser that is riddled
                    with
                    > >> security holes, waiting on them to visit the wrong web site...
                    > >
                    > > Well I have to agree with you there. But people who manage a
                    > > network-connected system that poorly will get what they've got coming.
                    > > ;) I don't think Evan falls into that category.
                    > >
                    >
                    > I GENERALLY don't fit in to that category.
                    >
                    > I DO use dictionary words or a known-compromised password for systems
                    that
                    > are local where compromise is unlikely, or I really don't care if people

                    > get in to them/I want them in to it.
                    >
                    > > -Dave
                    > >
                    > > --
                    > > Dave McGuire, AK4HZ
                    > > New Kensington, PA
                    >
                    > --
                    > Cory Smelosky
                    > http://gewt.net/ Personal stuff
                    > http://gimme-sympathy.org Experiments
                  • Brian Schenkenberger, VAXman-
                    Message 9 of 17 , May 15, 2013
                      "B. Degnan" <billdeg@...> writes:

                      >Guys please take this thread offline, thanks.

                      DITTO!

                      --
                      VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG

                      Well I speak to machines with the voice of humanity.
                    • Wesley Furr
                      Message 10 of 17 , May 15, 2013
                        In doing reading about some of the malware that is out there that I've run
                        across (we're talking Windows systems here), it has been noted that several
                        of the serious ones often use Java as an attack vector. I'm honestly not a
                        Java expert...but presumably it summons the java browser plugin and then
                        takes advantage of it that way...and all that takes is to get them to visit
                        a malware-ridden web page.

                        Again, I'm talking about Windows. To update in Windows, you have to
                        actually click the pop-up in the system tray that says "please update
                        me"...and most average users don't pay any attention to things like that.
                        Then after you click on it, you have to say yes, please install the update.
                        Then it disappears for a short time. Then it pops up in the system tray and
                        says "hey, now I'm ready to install that update you just let me download".
                        Then when you click on it (again, if the user does so) it comes up and goes
                        through a typical full install looking process...you know the ones, ok, yes,
                        sure ok, yep, next, yep, ok, whatever...finish. Perhaps easy...but still
                        cumbersome...and far from automatic...which is what it takes for probably
                        90% of the average users out there to actually do an update. Not talking
                        about the knowledgeable folks such as frequent this forum...think about your
                        mother or grandmother for a minute...are they likely to notice and act on
                        that process?

                        Wesley


                        -----Original Message-----

                        Actual external-access security holes IN THE JVM...the JVM which, by the
                        way, doesn't do any network communication unless the program it's running
                        opens a socket...seriously?

                        It amounts to clicking two buttons on any release of Linux less than
                        maybe five years old. It even tells you when updates are needed. I
                        honestly hope I never meet the dolt for whom this is "far from easy".
                      • Dave
                        Message 11 of 17 , May 16, 2013
                          On 16/05/2013 02:25, Wesley Furr wrote:
                          > In doing reading about some of the malware that is out there that I've run
                          > across (we're talking Windows systems here), it has been noted that several
                          > of the serious ones often use Java as an attack vector. I'm honestly not a
                          > Java expert...but presumably it summons the java browser plugin and then
                          > takes advantage of it that way...and all that takes is to get them to visit
                          > a malware-ridden web page.
                          >
                          > Again, I'm talking about Windows. To update in Windows, you have to
                          > actually click the pop-up in the system tray that says "please update
                          > me"...and most average users don't pay any attention to things like that.
                          > Then after you click on it, you have to say yes, please install the update.
                          You don't. There are three settings:-

                          1. As you describe
                          2. Download then prompt. This is what I have on mine.
                          3. Download and install. Modern windows systems set this by default. For
                          most "users" this is sensible. Recent versions set this as a default

                          However Java has its own updater which has similar options. These days I
                          run with Java disabled in the browser. It doesn't seem to break much...

                          Dave
                          G4UGM