From: kondrak
Date: Sun Mar 31, 2002 4:45am
Subject: Spy Software..

Good day to all,
RE: Spyware

Trojans and '0 dayz warez' are the job of the anti-virus software. (Yours IS up to date isn't it?) They're more agile detecting strange things at disk, memory and OS level.

"Spyware" is usually loaded as an adjunct of loading a popular program (like Gator, Kazaa or the like). Some programs, like Bearshare (a GNU file sharing program), have clickouts on loading, where you can prefer to NOT allow the program to load the spyware. (Support that model!)

Spyware is more corporate oriented, used to gather personal identifying signs and sell this to the hucksters who run this slimy business model; running roughshod over privacy concerns is NOT a way to engender yourselves IMHO. (Electronic stalking?) There is nothing to suggest that this type of computer intrusion can not be effectively stopped with a combination of spyware detection and removal, and a properly maintained firewall.

There are a few good anti-spyware programs out there, and I advocate the LavaSoft free detector; it's well done IMHO.

Some companies have taken spamware to an art, anything AOL oriented these days (and not saying they're the only practitioner), such as Netscape 6.1, and upgrades of benign programs like WinAmp are infested with spyware. Running a detector like AdAware is good, but like anti-viri software, it needs to have fresh definitions for detection freshness. Ad Aware has that exact availability; there's a link there to the "auto-check-for new definitions" software as well.

I'm not a salesman for Ad Aware, though at this point some may think that ;) ...but I've used it with great success in cleaning corporate networks and personal machines of this scourge.

I personally, totally, disagree with implementing a spy scheme in a computer for corporate purposes (amongst others).
If you want my stats, then you fully inform, and ask permission on bended knee, NOT plant it now and ask later... (Opt out, default, by law!) Informed consent and explicit permission.

Ok, FYI: A punch up of Google tonite shows this for spyware:
http://www.google.com/search?num=30&meta=hl%3D%26lr%3D&q=spyware

I see 94,200 references, check some out...

Spyware is a major concern of corporations, for two reasons:

A) Obviously: Security. Who wants some alien piece of software "phoning home", with whatever intent or data payload?

And equally important,

B) As networks become more congested in an enterprise: bandwidth. Spyware is eating up packets of data that surely can be more productively utilized.

Good luck in your endeavors....

Marc

Reference URLs:

Ad Aware: http://www.lavasoftusa.com/aaw.html
Reference Update, spyware definitions: http://www.wyvernworks.com/Lavasoft/refupdate.exe

At 21:26 3/30/02 +0000, you wrote:
>Yes, several, but should you rely on them?
>The best way is to *dig* in the OS and see what is running ...
>For example, if it is (and I hope it's not) some 0-day spy trojan or
>logging application, it's not known, so shareware or commercial software
>will not spot it probably.
>
>FM
>
>» -----Original Message-----
>» From: Richard Gray [mailto:laspy1@y...]
>» Sent: Sunday, 24 March 2002 21:32
>» To: tscm-l@yahoogroups.com
>» Subject: [TSCM-L] Spy Software Detection Help
>»
>» Is there any software that will detect logging and spyware
>» programs installed on a computer?
>»
>» Ricky
>»
>» _________________________________
>» Richard T. Gray Jr.
>» Legal Investigator
>» License No. 1914-050896-LA
>»
>» Gray & Associates, LLC
>» PO Box 2368
>» Crowley, LA 70527
>» 337-785-0046 Voice
>» 800-394-8216 Fax
>» www.la-pi.com
>» ricky@l...
>» "When you need to know!"
>»
>» -----Original Message-----
>» From: Marko Radovic [mailto:radovic_marko@y...]
>» Sent: Friday, March 22, 2002 2:12 AM
>» To: TSCM-L@yahoogroups.com
>» Subject: [TSCM-L] ISO 17799
>»
>» Hello,
>»
>» I would like to thank all the people who provided
>» help and information concerning ISO 17799 standard.
>»
>» Any additional information about standard is welcome.
>»
>» Marko
>»
>» ========================================================
>» TSCM-L Technical Security Mailing List
>» "In a multitude of counselors there is strength"
>»
>» To subscribe to the TSCM-L mailing list visit:
>» http://www.yahoogroups.com/community/TSCM-L
>»
>» It is by caffeine alone I set my mind in motion.
>» It is by the juice of Star Bucks that thoughts acquire speed,
>» the hands acquire shaking, the shaking is a warning. It is by
>» caffeine alone I set my mind in motion.
>» =================================================== TSKS
>»
>» Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.

5104
From: Matthew Paulsen
Date: Sun Mar 31, 2002 11:49am
Subject: RE: Spy Software Detection Help

I'm sure I've missed things and flubbed some area or point here or there. I just wanted to throw out a few ideas for people if they're thinking about actually approaching network security in some sort of specific manner that may actually accomplish more than the basic firewall and garden hose approach that most companies take to it.
There's software just as good as tripwire that's free off the web - see sourceforge.net and other free disty sites (even tripwire.org is a contender for Tripwire's own apps that aren't linux based.. geeze.. ouch). But if you need the support that Tripwire can provide since it's packaged, it's good to get.

Also, you should log all aspects of the system, except for successful log writes, which creates a circular log error (or in some systems, a successful success write can create the circular log of death, so be careful). A compromised system that is being used successfully is just as at risk as a non-compromised system that isn't being used successfully. Hence, log everything as much as possible and learn how to read those log files.

There are also good content filtering software and application filtering systems available that can provide promiscuous scanning for known strings which don't have to be client side resident, but it's good to bunny up (my Easter term of the year) on a few levels to make sure you're safe.

For a good starting configuration, you should have a packet analyzer outside your network (I like sniffer pro from NAI, others have their own preferences), then an inline av scanner for mail (NAI external for me, then I switch to CAI or Symantec for internal as well as NAI for some areas.
I don't like vendor dependence in this area, since two or more -IS- better than one in this circumstance), etc, that's protocol layer resident which can strip and reassemble, and sequester if necessary, then a firewall (first I use a UN*X type), then a contextual (application and protocol switching) switch with av integrated - a good natural firewall in some cases for those that still use IPX with IP/IPX tunnelling applications (not so good with some databases though), then a proxy server (I like to switch to a non-Un*x type, such as Novell or Microsoft, confuses the prey), then another packet analyzer for internal traffic analysis, then the workstations should have personal firewalls which perform application scanning as well as a good AV application.

All systems should use a combination of encrypted file services as well as PGP or some variant - I prefer a twofish/PGP system: I mount a virtual filesystem using twofish, then encrypt and sign stuff - docs, spreadsheets, etc, dump it in the twofish encrypted filesystem and dismount that filesystem - takes two passwords to get to it and they're only in my brain, safe and secure. The filesystems can be stored on EFS/DFS systems as well and backed up to tape, so your DRP is good to go. Consider it a lockbox in a safe if you will, works great.

You may want to have another firewall if you're feeling up to it, and you may have a more advanced setup if you're hosting web services and databases - always strip your db server off the web server and isolate calls between the two to specific IP's on separate subnets using strange ports of call (I've wanted to say that for so long). You may need to have other things for other services - vpn's may need secureID cards, etc. SSL, PKI, etc. You should also have scanners on servers as well for basic services - f,ps/news/mail, etc.
Get Win2K or Linux or something else that does have a modicum of security available on all your computers rather than 9x and toss that and the macs out the door (as well as your marketing department that won't give up those g3's - shudder-). Don't give out admin access and lock them down with security apps and utilities. But either way, nothing beats a well educated individual and a good admin group, so budgeting more $$$ for personnel and training should be a first step before the above steps are even contemplated.

Lastly, you should hire a TSCM person with a network security person and a physical security person. That way you actually cover all your bases on a security sweep at once. Doing 1 or 2 of the 3 is pointless. You get an F either way you do it if you don't hire all 3. Your leak could be a person stealing hard drives from the server room, bugging your room or emailing your competitor with your latest secret project.

Matt
(Plug - I do networkie stuff like the above. If you need to hire someone.. hire me.. 503-228-4156x2#)

-----Original Message-----
From: Graham Bignell [mailto:lorax@e...]
Sent: Saturday, March 30, 2002 8:07 PM
To: Richard Gray
Cc: tscm-l@yahoogroups.com
Subject: Re: [TSCM-L] Spy Software Detection Help

On Sun, 24 Mar 2002, Richard Gray wrote:

> Is there any software that will detect logging and spyware programs
> installed on a computer?

Others have referred to virus-scanner like software which will work great unless the spyware is written to hide itself or is new.

A solution that will detect logging/spyware programs working on a system or inside a network is the use of Tripwire (http://tripwire.com) or similar tool which detects any change to files and a proper firewall.

Proper Firewall Configuration (IMO) means that everything not denied is logged. Unfortunately, typical spyware behavior is to use HTTP or DNS as carrier protocols, which is basically invisible to a packet filtering firewall that simply blocks on IP.
This is where "personal firewall" systems can come in quite handy, as they run under the same OS as the spyware, and are so able to view system internals and identify which application it is that attempts use of the network.

---
Graham "Lorax" Bignell - 416 366 9755
1024D/57A07181 = CF49 889B 9266 030C F0FD 7298 30B6 98D5 57A0 7181

5105
From: Matthew Paulsen
Date: Sun Mar 31, 2002 0:47pm
Subject: RE: Spy Software Detection Help

I wouldn't consider a TSCM professional to be a physical security expert any more than a network security person to be a TSCM professional. Knowledge of the fields is one thing, expertise is another. I'd hope that a physical security expert be involved in non-tscm related services such as air, maritime and ground protection services. Typical companies that come to mind would be Brinks, ADT and similar firms, which typically don't provide TSCM services, or if they do, only as a small portion of their overall business plan. They would hopefully employ a 3rd party for a separate analysis of physical protection (a blind) and provide two separate compiled reports for a good system to be developed.

Matt

-----Original Message-----
From: Graham Bignell [mailto:lorax@e...]
Sent: Sunday, March 31, 2002 10:31 AM
To: Matthew Paulsen
Cc: tscm-l@yahoogroups.com
Subject: RE: [TSCM-L] Spy Software Detection Help

On Sun, 31 Mar 2002, Matthew Paulsen wrote:

> Lastly, you should hire a TSCM person with a network security person and a
> physical security person. That way you actually cover all your bases on a
> security sweep at once. Doing 1 or 2 of the 3 is pointless. You get an F
> either way you do it if you don't hire all 3. Your leak could be a person
> stealing hard drives from the server room, bugging your room or emailing
> your competitor with your latest secret project.

I would hope that anyone billing themselves as a TSCM practitioner[1] would be considered a professional in physical security as well as computer systems. If someone is just going to be waving a magic wand around doing their rain dance, well they might miss that KeyGhost or the script hidden in the cron which dials a second number after the day's accounting is sent to the bank.

[1]: I have wondered why JMA, SU et al. don't whip up a little international association for the licencing of TSCM, and register something as a servicemark. Such as the way the title "Engineer" is protected in Ontario by the APEO / CCOPE. (I will now mention MCSE as the worst case scenario for such an appellation.)

---
Graham "Lorax" Bignell - 416 366 9755
1024D/57A07181 = CF49 889B 9266 030C F0FD 7298 30B6 98D5 57A0 7181

5106
From: Graham Bignell
Date: Sun Mar 31, 2002 0:30pm
Subject: RE: Spy Software Detection Help

On Sun, 31 Mar 2002, Matthew Paulsen wrote:

> Lastly, you should hire a TSCM person with a network security person and a
> physical security person. That way you actually cover all your bases on a
> security sweep at once. Doing 1 or 2 of the 3 is pointless. You get an F
> either way you do it if you don't hire all 3. Your leak could be a person
> stealing hard drives from the server room, bugging your room or emailing
> your competitor with your latest secret project.
I would hope that anyone billing themselves as a TSCM practitioner[1] would be considered a professional in physical security as well as computer systems. If someone is just going to be waving a magic wand around doing their rain dance, well they might miss that KeyGhost or the script hidden in the cron which dials a second number after the day's accounting is sent to the bank.

[1]: I have wondered why JMA, SU et al. don't whip up a little international association for the licencing of TSCM, and register something as a servicemark. Such as the way the title "Engineer" is protected in Ontario by the APEO / CCOPE. (I will now mention MCSE as the worst case scenario for such an appellation.)

---
Graham "Lorax" Bignell - 416 366 9755
1024D/57A07181 = CF49 889B 9266 030C F0FD 7298 30B6 98D5 57A0 7181

5107
From: Fernando Martins
Date: Sun Mar 31, 2002 3:40pm
Subject: RE: Spy Software..

'0 day warez' ? That's new ... Since warez is the illegal copy and distribution of commercial software, how can it be 0-day?

Also, if your anti-virus is not updated, or even if it is, in the early days many virii/trojan can not be removed or cleaned, just detected. Knowing the OS is the issue; for example regarding vbs kind of virus you don't need even an anti-virus software to protect you, if the OS hardening was well done.

I suppose this is not the common kind of issue for the list, so I rest my case here ;)

FM

» -----Original Message-----
» From: kondrak [mailto:kondrak@s...]
» Sent: Sunday, 31 March 2002 11:45
» To: TSCM-L@yahoogroups.com
» Subject: [TSCM-L] Spy Software..
»
» Good day to all,
» RE: Spyware
»
» Trojans and '0 dayz warez' are the job of the anti-virus software. (Yours
» IS up to date isn't it?) They're more agile detecting strange things at
» disk, memory and OS level.
»
» "Spyware" is usually loaded as an adjunct of loading a popular program
» (like Gator, Kazaa or the like).
» Some programs, like Bearshare (a GNU file sharing program), have clickouts
» on loading, where you can prefer to NOT allow the program to load the
» spyware. (Support that model!)
» Spyware is more corporate oriented, used to gather personal identifying
» signs and sell this to the hucksters who run this slimy business model;
» running roughshod over privacy concerns is NOT a way to engender yourselves
» IMHO. (Electronic stalking?) There is nothing to suggest that this type of
» computer intrusion can not be effectively stopped with a combination of
» spyware detection and removal, and a properly maintained firewall.
»
» There are a few good anti-spyware programs out there, and I advocate the
» LavaSoft free detector; it's well done IMHO.
»
» Some companies have taken spamware to an art, anything AOL oriented these
» days (and not saying they're the only practitioner), such as Netscape 6.1,
» and upgrades of benign programs like WinAmp are infested with spyware.
» Running a detector like AdAware is good, but like anti-viri software, it
» needs to have fresh definitions for detection freshness. Ad Aware has that
» exact availability; there's a link there to the "auto-check-for new
» definitions" software as well.
»
» I'm not a salesman for Ad Aware, though at this point some may think
» that ;) ...but I've used it with great success in cleaning corporate
» networks and personal machines of this scourge.
» I personally, totally, disagree with implementing a spy scheme in a
» computer for corporate purposes (amongst others). If you want my stats,
» then you fully inform, and ask permission on bended knee, NOT plant it now
» and ask later... (Opt out, default, by law!) Informed consent and explicit
» permission.
»
» Ok, FYI: A punch up of Google tonite shows this for spyware:
» http://www.google.com/search?num=30&meta=hl%3D%26lr%3D&q=spyware
»
» I see 94,200 references, check some out...
»
» Spyware is a major concern of corporations, for two reasons:
» A) Obviously: Security. Who wants some alien piece of software "phoning
» home", with whatever intent or data payload?
»
» And equally important,
» B) As networks become more congested in an enterprise: bandwidth. Spyware
» is eating up packets of data that surely can be more productively utilized.
»
» Good luck in your endeavors....
»
» Marc
»
» Reference URLs:
»
» Ad Aware: http://www.lavasoftusa.com/aaw.html
» Reference Update, spyware definitions:
» http://www.wyvernworks.com/Lavasoft/refupdate.exe
»
» At 21:26 3/30/02 +0000, you wrote:
» >Yes, several, but should you rely on them?
» >The best way is to *dig* in the OS and see what is running ... For
» >example, if it is (and I hope it's not) some 0-day spy trojan or
» >logging application, it's not known, so shareware or commercial
» >software will not spot it probably.
» >
» >FM
» >
» >» -----Original Message-----
» >» From: Richard Gray [mailto:laspy1@y...]
» >» Sent: Sunday, 24 March 2002 21:32
» >» To: tscm-l@yahoogroups.com
» >» Subject: [TSCM-L] Spy Software Detection Help
» >»
» >» Is there any software that will detect logging and spyware
» >» programs installed on a computer?
» >»
» >» Ricky
» >»
» >» _________________________________
» >» Richard T. Gray Jr.
» >» Legal Investigator
» >» License No. 1914-050896-LA
» >»
» >» Gray & Associates, LLC
» >» PO Box 2368
» >» Crowley, LA 70527
» >» 337-785-0046 Voice
» >» 800-394-8216 Fax
» >» www.la-pi.com
» >» ricky@l...
» >» "When you need to know!"
» >»
» >» -----Original Message-----
» >» From: Marko Radovic [mailto:radovic_marko@y...]
» >» Sent: Friday, March 22, 2002 2:12 AM
» >» To: TSCM-L@yahoogroups.com
» >» Subject: [TSCM-L] ISO 17799
» >»
» >» Hello,
» >»
» >» I would like to thank all the people who provided
» >» help and information concerning ISO 17799 standard.
» >»
» >» Any additional information about standard is welcome.
» >»
» >» Marko

5108
From: Fernando Martins
Date: Sun Mar 31, 2002 3:43pm
Subject: RE: Spy Software Detection Help

> Lastly, you should hire a TSCM person with a network security
> person and a physical security person. That way you actually
> cover all your bases on a security sweep at once. Doing 1 or
> 2 of the 3 is pointless. You get an F either way you do it
> if you don't hire all 3. Your leak could be a person
> stealing hard drives from the server room, bugging your room
> or emailing your competitor with your latest secret project.
>
> Matt
> (Plug - I do networkie stuff like the above. If you need to
> hire someone.. hire me.. 503-228-4156x2#)

Duh ... I can make all 3 for half the price :>

You are right, at least until now and including all kind of entities, I don't know one that had the 3 jobs well done.

FM

5109
From: Fernando Martins
Date: Sun Mar 31, 2002 4:01pm
Subject: RE: Spy Software Detection Help

> I wouldn't consider a TSCM professional to be a physical
> security expert any more than a network security person to be
> a TSCM professional. Knowledge of the fields is one thing,
> expertise is another. I'd hope that a physical security
> expert be involved in non-tscm related services such as air,
> maritime and ground protection services. Typical companies
> that come to mind would be Brinks, ADT and similar firms,
> which typically don't provide TSCM services, or if they do,
> only as a small portion of their overall business plan. They
> would hopefully employ a 3rd party for a separate analysis of
> physical protection (a blind) and provide two separate
> compiled reports for a good system to be developed.

I agree, but there are companies for which at least electronic and physical security are part of their portfolio.
Probably in the future all the 3 areas can be covered by one company, at least one I hope it will ;)

Let's take for example a CCTV system that is managed along with an access control system, using Unix and Windows servers, protected with firewalls and IDS's (at least), that can be remotely controlled using VPN. Consider that the VPN includes TEMPEST technology. A TSCM service to check all system may also be needed, if it's a high security system, which is easy to be considering the solutions in this virtual system.

In my point of view, the less people involved the better, so if all this can be done by one single company, great. At least as a security consultant, and trying not to be the known moron type, I have to know how to design and execute a project as this one.

The usual 20 cents ;)

FM

5110
From: Steve Uhrig
Date: Sun Mar 31, 2002 6:52pm
Subject: Anyone know of -- a distance learning center?

I'm looking for a place who already has the infrastructure set up for distance learning, to whom I could work with setting up some classes offered through them.

If anyone knows of such a place, please get with me off list.

Tks .. Steve

*******************************************************************
Steve Uhrig, SWS Security, Maryland (USA)
Mfrs of electronic surveillance equip
mailto:Steve@s... website http://www.swssec.com
tel +1+410-879-4035, fax +1+410-836-1190
"In God we trust, all others we monitor"
*******************************************************************

5111
From: Secdep
Date: Mon Apr 1, 2002 0:10am
Subject: South Africa - New Security Industry Categories

The following providers of security services in South Africa have been given notice by the Minister for Safety & Security to register under the new Private Security Industry Regulation Act, 2001 (Act No 56 of 2001):

a. Locksmiths;
b. Private Investigators;
c. Security training providers;
d. Manufacturers, importers & distributors of monitoring devices as defined in the Interception & Monitoring Prohibition Act, 1992;
e. Installers & repairers of security equipment or persons servicing security equipment;
f. Labour brokers & others making persons available to render a security service;
g. Persons who monitor the signals or transmissions from electronic security equipment; &
h. Persons who manage or control the rendering of security services.

The Minister for Safety & Security, Steve Tswete, determined through a notice published in terms of the Private Security Industry Regulation Act, 2001 that every category or class of security service providers (as mentioned above) need to be registered before 01 October 2002 if they intend to render a security service from this date.

http://www.sira-sa.co.za

---
From the desk of Raymond van Staden
Van Staden and Associates cc
Tel: +27 (0)31 916-1262
Fax: +27 (0)31 916-1263
Email: raymond@v...
Internet: http://www.vanstaden.co.za

5112
From:
Date: Mon Apr 1, 2002 9:34am
Subject: Truce called in Spyware wars

Truce called in Spyware wars
WinWhatWhere no longer breaks anti-spyware product
By Bob Sullivan
MSNBC

March 27 - In the latest chapter of Spyware vs. Anti-spyware, the maker of snooping program WinWhatWhere backed away from evasive programming tactics Wednesday. Richard Eaton, president of WinWhatWhere Corp., said his software would no longer insert stray code into Anti-spyware program Who's Watching Me to break the program. The announcement comes after MSNBC.com revealed WinWhatWhere and competitor SpectorSoft Corp. both intentionally break the anti-Spyware program.

SO-CALLED SPYWARE programs have been controversial for years. Programs like Spector and WinWhatWhere can be secretly installed on any machine - even from afar - and quietly watch every keystroke and mouse motion.
Information gleaned by the spy software can then be remotely e-mailed to the real spy. As a counter-measure, some programmers have developed "anti-spy" programs like Trapware.com's Who's Watching Me. But developer Wes Austin revealed to MSNBC.com on Monday that spyware developers had recently started writing code to break his software, so Who's Watching Me didn't blow their cover. WinWhatWhere did so by inserting stray text into a file critical for Who's Watching Me's operations; Spector simply crashes the anti-spy program. But Wednesday, Eaton said he had a change of heart.

Who's Watching WinWhatWhere?

"I got to thinking writing to their file wasn't a very nice thing to do," Eaton said. "The thought of writing into another program's files, well, I guess that's not playing fair. You don't want anyone to think your program is doing something malicious." So as of Wednesday, WinWhatWhere no longer inserts the stray text into Who's Watching Me files. Asked if he would try to circumvent Who's Watching Me another way, Eaton said only: "I can't say." SpectorSoft has not announced any changes to its program.

HAVE A GREAT DAY !!!

----------
http://www.msnbc.com/news/730650.asp?cp1=1

5113
From: Secdep
Date: Mon Apr 1, 2002 10:52am
Subject: Vehicle Tracking Device

Can anyone identify the manufacturer of a vehicle tracking device, found on a fuel tank of a car in South Africa.

There is a small identification plate on the side with the following:
M7722
Ser. No 386
ID R154DL

The device is 12cm (Length) by 3cm (Breadth), 2cm in height over batteries, 3cm in height over antenna.
Resembles a miniature coffin.
Has a base plate with 6 small powerful magnets.
Metal construction with an aluminium cover over the batteries & a moulded hard plastic cover over the antenna.
Powered by two 3.6 Volt Batteries (AA size).
The antenna is coiled foil on a small PC Board.
It is transmitting short signals at 10 second intervals.
Transmitting on 862.288 MHz

Raymond VAN STADEN

5114 From: James M. Atkinson  Date: Mon Apr 1, 2002 10:45am  Subject: Highly Classified Indexing Methods and Procedures

Major leak of classified materials.

Visit this link before the government forces them to take it down:
http://www.google.com/technology/pigeonrank.html

Looks like one of the most sophisticated methods available, and it has major applications in the TSCM world.

-jma

--
--------------------------------------------------------------------------------------------------
The First, The Largest, The Most Popular, and The Most Complete TSCM, Bug Sweep, Spy Hunting, and Counterintelligence Site on the Internet.
--------------------------------------------------------------------------------------------------
James M. Atkinson                 Ph: (978) 546-3803
Granite Island Group              Fax: (978) 546-9467
127 Eastern Avenue #291           http://www.tscm.com/
Gloucester, MA 01931-8008         mailto:jmatk@t...
--------------------------------------------------------------------------------------------------
"...three shall be the number to count, and the number to be counted shall be three.....four shall thou not count......five is right out". - M. Python
--------------------------------------------------------------------------------------------------

5115 From: Graham Bignell  Date: Sun Mar 31, 2002 8:57pm  Subject: RE: Spy Software..

On Sun, 31 Mar 2002, Fernando Martins wrote:

> '0 day warez' ? That's new ... Since warez is the illegal copy and
> distribution of commercial software, how can it be 0-day?

No, not new... "0D w4r3Z" is as old as the basement BBS. "zero day" refers to something that is acquired and distributed before it is officially released.
---
Graham "Lorax" Bignell - 416 366 9755
1024D/57A07181 = CF49 889B 9266 030C F0FD 7298 30B6 98D5 57A0 7181

5116 From: Fernando Martins  Date: Mon Apr 1, 2002 1:54pm  Subject: RE: Spy Software..

> -----Original Message-----
> From: Graham Bignell [mailto:lorax@e...]
> Sent: Monday, 1 April 2002 3:58
> To: Fernando Martins
> Cc: TSCM-L@yahoogroups.com
> Subject: RE: [TSCM-L] Spy Software..
>
> On Sun, 31 Mar 2002, Fernando Martins wrote:
>
> > '0 day warez' ? That's new ... Since warez is the illegal copy and
> > distribution of commercial software, how can it be 0-day?
>
> No, not new... "0D w4r3Z" is as old as the basement BBS.
> "zero day" refers to something that is acquired and
> distributed before it is officially released.

So, zero day warez is the illegal copy of beta versions of commercial software. Yeah, it makes sense, and it was the first time I saw that expression. I just use 0-day to refer to exploits, and with warez I don't make a difference between beta versions and final versions, it's all warez. But regarding anti-virus or spy software, I still can't make a connection with '0-day warez' ... Can Carnivore be an example, and does anti-virus software detect and clean that? :>

FM

5117 From: A Grudko  Date: Mon Apr 1, 2002 5:21pm  Subject: Re: Vehicle Tracking Device

- Original Message -
From: Secdep

> Can anyone identify the manufacturer of a vehicle tracking device, found on a fuel tank of a car in South Africa.
> There is a small identification plate on the side with the following;
> M7722
> Ser. No 386
> ID R154DL

I'm not doubting my friend Raymond's information for a moment, but can anyone understand the mentality of leaving such evidence on a device? There was a proposal here over a decade ago that all legal covert surveillance devices be 'tagged' but I don't think it went through. I stand to be corrected.

Andy Grudko D.P.M., Grad I.S, (S.A.) - Grudko Associates - www.grudko.com , Est. 1981
International business intelligence and investigations - ICQ 146498943
Johannesburg (+27 11) 465 9673 - 465 1487 (Fax), Pretoria (+27 12) 244 0255 - 244 0256 (Fax)
SACI, WAD, CALI, SAMLF, UKPIN, AFIO (OS), IWWA, PRETrust, AmChamCom
When you need it done right - first time

5118 From: Michael Puchol  Date: Mon Apr 1, 2002 6:00pm  Subject: Re: Vehicle Tracking Device

Hi Raymond,

Can you send me a picture of the device? I've done a lot of work on AVL, so I could try to dig something out.

Cheers,

Mike

5119 From: James M. Atkinson  Date: Mon Apr 1, 2002 11:11pm  Subject: Re: Highly Classified Indexing Methods and Procedures

[snicker, snicker, snicker]

Happy April Fools Day.

-jma

5120 From: Perry Myers  Date: Tue Apr 2, 2002 6:38pm  Subject: RE: Spy Software Detection Help

You are correct Fernando! I have tried several of them and Ad-Aware by Lavasoft and a couple of the other so called spy detectors and they have not found Spector software or the E-Blaster.
For Eblaster, the best solution is a personal firewall, something like Zone Alarms by Zone Labs.

Perry D. Myers, CFE
President & CEO
E-mail: perry@d...

MSI Detective Services
Myers Service, Inc.
Corporate Headquarters
2076 N. Elston Ave. Suite 200
Chicago, IL. 60614-3940
Phone 773-342-8300
Facsimile 773-486-4430

Professional Investigators Since 1959
Investigations Nationwide
24 Hour Availability
www.detectiveservices.com

-----Original Message-----
From: Fernando Martins [mailto:fernando.martins@e...]
Sent: Saturday, March 30, 2002 3:27 PM
To: tscm-l@yahoogroups.com
Subject: RE: [TSCM-L] Spy Software Detection Help

Yes, several, but should you rely on them?
The best way is to *dig* in the OS and see what is running ...
For example, if it is (and I hope it's not) some 0-day spy trojan or
logging application, it's not known, so shareware or commercial software
will not spot it probably.

FM

========================================================
TSCM-L Technical Security Mailing List
"In a multitude of counselors there is strength"

To subscribe to the TSCM-L mailing list visit:
http://www.yahoogroups.com/community/TSCM-L

It is by caffeine alone I set my mind in motion.
It is by the juice of Star Bucks that thoughts acquire speed,
the hands acquire shaking, the shaking is a warning.
It is by caffeine alone I set my mind in motion.
=================================================== TSKS

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/

5121 From: Michael Puchol  Date: Wed Apr 3, 2002 3:39am  Subject: Re: Spy Software Detection Help

I have one question on this subject: if the FBI is being grilled over the Scarfo case and use of keyloggers, the legality of which is questioned, etc., then these spyware manufacturers should go straight to jail, do not pass 'Go', shouldn't they? I mean, they're planting software on your computer, most times without your knowledge, which is used to send personal information about you to external persons or companies...not something I thought was even remotely legal...

All the best,

Mike

5122 From: David Alexander  Date: Wed Apr 3, 2002 5:11am  Subject: re: spy software

>"zero day" refers to something that is acquired and distributed before it is
>officially released.

With my Information Security hat on:

I think that the wrong meaning of zero day is being referred to here. A "zero day" item is the holy grail of hackers. It refers to a security vulnerability that is not yet known to the software company that wrote the operating system or application, the users or the security community. It is a means of entry that no-one knows exists and is not being guarded against. There is no patch and no alarm bells will ring if it is used. Imagine someone came up with a new way of bugging a room using a completely new method.
Until what to look for and how to detect it was publicised it would most likely go unnoticed by most people. Hackers trade such things for usernames & passwords, ex-directory modem numbers, new hacking tools and utilities, valid credit card numbers and locations of 'open machines' they can use to launch attacks from. In terms of value, a zero day vulnerability is the equivalent of a straight royal flush in poker - nothing is worth more.

regards

_______________________________
David Alexander M.INSTIS
Global Infrastructure Director
Bookham Technology plc
Tel: +44 (0) 1327 356264
Mobile: +44 (0) 7799 881284
Fax: +44 (0) 1327 356775
http://www.bookham.com

5123 From: Matthew Paulsen  Date: Wed Apr 3, 2002 10:32am  Subject: RE: Spy Software Detection Help

That's why there's a EULA. You click yes in most cases, which absolves them when you install the primary application. Always read the EULA.

5124 From: Graham Bignell  Date: Wed Apr 3, 2002 7:31am  Subject: Re: re: spy software

On Wed, 3 Apr 2002, David Alexander wrote:

> >"zero day" refers to something that is acquired and distributed before it is
> >officially released.
>
> I think that the wrong meaning of zero day is being referred to here. A
> "zero day" item is the holy grail of hackers. It refers to a security
> vulnerability that is not yet known to the software company that wrote the
> operating system or application, the users or the security community. It is
> a means of entry that no-one knows exists and is not being guarded against.
> There is no patch and no alarm bells will ring if it is used.
No, "zero day warez" is what was mentioned, which is correct. What you are referring to is a "zero day exploit" which is also correct, but much less common as these windows of vulnerability are usually quite short lived before the community at large becomes aware of the problem. (It is difficult to test an exploit in isolation or without a target, and someone must know it exists before they can use it.)

In the case of a new software vulnerability being used to access a computer system, I would expect alarm bells to ring when something went "wrong" (requiring vigilance) such as an application failing, file deletion, or other state change that can be detected. Like with a listening device collecting insider information, you might not know it is there, but become rather suspicious when the competition keeps beating you to market on everything discussed in the room.

--
"Zero Day" made a lot of COBOL programmers fairly wealthy. :)

---
Graham "Lorax" Bignell - 416 366 9755

5125 From: The Dog's Bollix  Date: Wed Apr 3, 2002 8:09am  Subject: Spy Software - How to locate eBlaster etc....

The simplest, most effective way is to use a product called SpyCop. It is not freeware, and it works. I have no affiliation to them except to say that their product will locate Spector and eBlaster and any other key-logger out there for Windoze. Now, I have noticed one flaw: if SpyCop is installed before eBlaster or Spector it gets corrupted when one of these spy programs is installed. It can be downloaded from any of the download sites.
5126 From:  Date: Wed Apr 3, 2002 10:49am  Subject: Re: Spy Software Detection Help

Just to jump into the discussion....I purchased a copy of SpyCop and downloaded the free version of Ad-Aware. Then, I downloaded the demo version of Ghost Key. SpyCop found it, but Ad-Aware did not. Only problem I have with SpyCop is that it is painfully slow.

Martin Brown
Brown & Sikes, Inc.
Dallas, TX
5127 From: McIntyre  Date: Wed Apr 3, 2002 11:35am  Subject: Black Hat Briefings (Vegas) Call for Papers

Well folks, less than one more month (May 1st, 2002) before the BlackHat 2002 Call for Papers closes! I hope to see several list members either speak at, or attend the show:

Papers and presentations are now being accepted for the Black Hat Briefings 2002 conference. The conference is held from July 31-August 1, 2002 at the Caesars Palace Hotel and Resort in Las Vegas, NV, USA. Papers and requests to speak will be received and reviewed until May 1, 2002.
Please read the full announcement at:
http://www.blackhat.com/html/bh-usa-02/bh-usa-02-cfp.html

5128 From: Fernando Martins  Date: Wed Apr 3, 2002 3:05pm  Subject: RE: re: spy software

> What you are referring to is a "zero day exploit" which is
> also correct, but much less common as these windows of
> vulnerability are usually quite short lived before the
> community at large becomes aware of the problem.

IF the community becomes aware ...

> (It is difficult to test an exploit in isolation or without a
> target, and someone must know it exists before they can use it.)

Yeah, it can be, especially if it is from somebody else or if the source is not available or if one can't code. But it's very easy to get a target ... Just set up another box in your lab, test a system against known vulnerabilities, TRY to discover new ones, and create exploits to use them. It's quite simple, the method ;>

> In the case of a new software vulnerability being used to
> access a computer system, I would expect alarm bells to ring
> when something went "wrong" (requiring vigilance) such as an
> application failing, file deletion, or other state change
> that can be detected. Like with a listening device
> collecting insider information, you might not know it is
> there, but become rather suspicious when the competition
> keeps beating you to market on everything discussed in the room.

Yeah, there are IDS's (intrusion detection systems), but also ways to cheat them ... It can be very simple, as with any alarm system: if you know how it can ring so many times that nobody, at least for a period of time, will care, you can get in. In this area (as in others) IT Security and Physical Security are just the same, in methods. Again, as I said in another mail, it can be a great advantage if a company has knowledge in more than one field in security, and the 'holy grail' is to rock on all 3: IT, electronics and physical.
FM

5129 From: Fernando Martins
Date: Wed Apr 3, 2002 3:05pm
Subject: RE: re: spy software

> I think that the wrong meaning of zero day is being referred
> to here. A "zero day" item is the holy grail of hackers. It
> refers to a security vulnerability that is not yet known to
> the software company that wrote the operating system or
> application, the users or the security community. It is a
> means of entry that no-one knows exists and is not being
> guarded against. There is no patch and no alarm bells will
> ring if it is used.

I think that the holy grail of hackers is not a "zero day", but a remote "root"; but assuming that it is, it refers to a way to exploit a vulnerability and not the vulnerability itself. It can even be a known vulnerability, but one that nobody else knows how to exploit.

> Hackers trade such things for usernames & passwords,
> ex-directory modem numbers, new hacking tools and utilities,
> valid credit card numbers and locations of 'open machines'
> they can use to launch attacks from.

Credit card numbers? I think criminals do that ... If I know how to use a gun it doesn't mean that I'm an assassin, does it? Let's say a hacker can build an exploit that can compromise a web site; a criminal will take advantage of that knowledge to steal classified/confidential/personal information, or DoS the site, or do any other illegal activity. It's about time people in any field of security knew what a hacker is and that not all hackers are criminals!

FM

5130 From: Dragos Ruiu
Date: Wed Apr 3, 2002 0:33pm
Subject: zero-day (was Re: re: spy software)

On Wed, 3 Apr 2002 08:31:37 -0500 (EST) Graham Bignell wrote:

> No, "zero day warez" is what was mentioned, which is correct. What
> you are referring to is a "zero day exploit" which is also correct,
> but much less common as these windows of vulnerability are usually
> quite short lived before the community at large becomes aware of the
> problem.
> (It is difficult to test an exploit in isolation or without
> a target, and someone must know it exists before they can use it.)

Clarification: warez kiddiez use the term 0day to mean a new release of a game/movie/etc...

I would like to contest your "short lived" hypothesis. Myself, some of the Honeynet members as well as a few other groups have been keeping statistics on vulnerabilities to formally research the sizes of these "windows." We have been trying to note when the exploits get caught in the wild, when the vulnerability is discovered vs. when the usable exploits for it get written, when the gossip starts in the haxor groups, when the information gets circulated in the ivory tower "security information cartels" and when the public advisories are released vs. the private and public distribution of the tools to exploit them. It's quite a complicated informational ecosystem with surprising linkages and leakages, and so far the data is all over the map, making it difficult to discern trends because it varies so much on a case by case basis. We are trying to pull all this together into some papers in the future.

I have seen no evidence that these windows are decreasing in size and becoming "short lived." As a matter of fact I would even postulate that the opposite phenomenon may be in effect, as the general awareness of security has also increased the recognition of the value of this knowledge, as well as increased the market for and viability of converting this intellectual property into other forms of currency. :-) I know of several security firms and vendors that are willing to and _have_ handed over cash and other rewards in exchange for this kind of information, and the number of small clusters and groupings of individuals, organizations, and even nation-states exchanging this information is on the rise. The haxor "scene" itself seems to be suffering from some increasing fragmentation and compartmentalization too. Must cause great fun and headaches for the SigInt folks. :-) :-P

As a pretty sensationalistic case in point, the recent fairly wide-ranging CERT advisory on the broad and multiple vulnerabilities in equipment utilizing the SNMP protocol is acknowledged to have been in circulation in the "underground" for well over two years, enough time, it is reputed, for certain groups and individuals to amass practical exploits for over 75% of the targets listed (which was, well, uh, almost everything :-). It is certain that some vendor organizations had notification at least six months in advance of its publication. The "antisec" movement seems to be picking up converts instead of shrinking. Ph33r. As they say: All your base r belong to us. :-)

cheers,
--dr

(P.s. if that doesn't convince you, my own _verified_ vulnerability clock on SNMP ASN overflows puts it at >4 years. b00m! ;)

--
--dr pgpkey: http://dragos.com/dr-dursec.asc
CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. - http://cansecwest.com

5131 From: Dries 'Doris' Bessels
Date: Wed Apr 3, 2002 11:56pm
Subject: Yahoo - Important news

A recent change in Yahoo accounts: Yahoo! has added a new section to your "Account Info" that requests spammers to send you unsolicited e-mail. They have set this on for everybody. Everybody's default settings are initially set to "yes", meaning that everybody who uses Yahoo is allegedly requesting advertisers to send unsolicited e-mail to them!

Follow these instructions to turn these settings off:

1. Go to http://groups.yahoo.com
2. Click on "Account Info" in the upper-right corner
3. Click on "Edit your marketing preferences" down under "Member Information" under "Yahoo! Mail Address"
4. Click all the buttons to "No" for Special Offers and Marketing Communications
5. Scroll down to make sure you get all the checkboxes
6. Look at the very bottom of the page to click "No" for U.S. Mail and Phone calls
7. Press the "Save Changes" button
8. Click "continue" to confirm your changes
9. Click the "Finished" button

The following comes from http://help.yahoo.com/help/us/privacy/privacy-23.html :

Yahoo! is notifying users of these changes to marketing preferences via email. Your new marketing preferences will not take effect until 60 days after the date the email is sent to you, so you have plenty of time to decide what you want to receive and what you don't. To change your preferences, go to the Marketing Preferences page.

YAHOO! PRIVACY POLICY
See also: http://privacy.yahoo.com/ and http://help.yahoo.com/us/privacy/

Kind regards
Dries

Dries 'Doris' Bessels
Ride to work, work to ride
Amsterdam, The Netherlands
FLSTC '00 (Yellow)
E-mail : Dries@D...
http://www.driesbessels.com
Cellphone: +31-6-4402-8346
http://www.flimm.com

5132 From: zack <10-33@c...>
Date: Thu Apr 4, 2002 8:18am
Subject: Re: Spy Software Detection help

Try this program, I am very satisfied with it and it's free
http://personal.atl.bellsouth.net/mia/k/r/kryp/

Also try
http://www.analogx.com/contents/download/network/cookie.htm
feel free to look around.

This might also interest you
http://www.copscops.com/downloads.htm

At 09:12 PM 4/3/2002 +0000, you wrote:
> Subject: Re: Spy Software Detection Help
>
> Just to jump into the discussion....I purchased a copy of SpyCop and
> downloaded the free version of Ad-Aware. Then, I downloaded the demo version
> of Ghost Key. SpyCop found it, but Ad-Aware did not. Only problem I have
> with SpyCop is that it is painfully slow.

visit http://www.copscops.com
Washington DC Police Department http://mpdc.dc.gov/main.shtm
"Unity... Resolve... Freedom. These are the hallmarks of the American spirit."
George W Bush, President of the United States of America
God Bless The USA .. NEVER forget 9-11-01 http://www.copscops.com/blessusa.htm