Re: [Full-disclosure] Faux Anonymous hackers to Facebook: 'We're not playing'
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Faux Anonymous hackers to Facebook: 'We're not playing'
- From: Dave <mrx@xxxxxxxxxxxxxxxxxxx>
- Date: Wed, 25 Jan 2012 22:19:27 +0000
On 25/01/2012 20:16, adam wrote:
> If we cared, we'd visit that site of our own volition. Secondly, even if we
> were interested: most of the people on these lists are intelligent enough
> not to click on links from spammers. Third, even if the content were
> interesting, even if this were the place for it and even if you hadn't
> spammed: "pay and register" is incentive enough for me *not* to join and
> *not* to ever visit that site again.
>
> Short version: the purpose of this list isn't for you to spam your new
> state-of-the-art website. Instead, it's typically to discuss/disclose
> issues/concepts related to computer/network security. Once in a while,
> there are discussions about the overflowing stupidity that some site
> owners/coders have. For example, people that stupidly (and blindly) inject
> code (e.g. for tracking purposes) into every single file on their site,
> regardless of extension:
>
> http://www.karmacyberintel.net/robots.txt
>
> Another one is blatantly disclosing paths in robots.txt that aren't even
> linked to and would never be found anyway (at least by bots that honor
> robots.txt, which ends up being the exact opposite of the desired effect).
> An example of how/why this can be a problem:
>
> md5sum of tiny_mce.js off your server is 9754385dabfc67c8b6d49ad4acba25c3,
> if we perform a simple Google search - we can determine that you're likely
> running version 3.3.1 of Wordpress. From there, we have enough information
> to perform a targeted attack on your server. Except, we don't need to
> because you've already made it more than easy enough for us.
>
> Pretty much every single field on http://www.karmacyberintel.net/pay/ is
> vulnerable to SQL injection, which could easily allow anyone to completely
> compromise the database and possibly the entire site. On top of that,
> register.php also allows for session fixation attacks, as a result of
> header/cookie manipulation. If that weren't bad enough, the admin section
> for your karma theme is also vulnerable to cross-site scripting.
>
> Not to mention, all the problems with how you've configured SSL and
> everything else. If you're going to spam, at least make sure the website
> you're spamming has been tested and determined to be *somewhat* secure.
>
Thanks for the smile.
If one is not certain that one's own house is not made of glass, it's best to
not throw stones.
D
>
> On Tue, Jan 24, 2012 at 11:31 PM, karma cyberintel <
> karmacyberintel1@xxxxxxxxx> wrote:
>
>> *UPDATE* After attacking several government sites to protest
>> controversial US legislation in past weeks, hacktivist group Anonymous is
>> setting its sights on one of the Internet's biggest targets: Facebook. Or
>> maybe not.
>>
>> Sources from karmacyberintel.net
>>
>> for more details
>>
>>
>> http://www.karmacyberintel.net/2012/01/faux-anonymous-hackers-to-facebook-were-not-playing/
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/