Tuesday, March 16, 2004

Washington Post... queries Kerry?

Deliver us from evilThe Washington Post -- not exactly known as a mouthpiece of the right -- recently posted a stunning op-ed piece on John Kerry's two-faced voting record. The "junior senator from France" (props to the Don Imus show) has now skirted several of the central issues that he, himself, has raised: the "world leaders" who are rooting for him to beat the President in the general election; the linkage between Al Qaeda and Iraq now that the attack on Spain has exposed the truth; the Pakistani nuclear network that ran wild during the Clinton years; and, most importantly, the voting record that the Post terms "fuzzy" (as opposed to "lobbyist-driven", or "whichever agenda suits him politically at any given instant"):

The most important confusion surrounds Mr. Kerry's position on Iraq. In 1991 he voted against the first Persian Gulf War, saying more support was needed from Americans for a war that he believed would prove costly. In 1998, when President Clinton was considering military steps against Iraq, he strenuously argued for action, with or without allies. Four years later he voted for a resolution authorizing invasion but criticized Mr. Bush for not recruiting allies. Last fall he voted against funding for Iraqi reconstruction, but argued that the United States must support the establishment of a democratic government.

Mr. Kerry's attempts to weave a thread connecting and justifying all these positions are unconvincing. He would do better to offer a more honest accounting. His estimation of the cost of expelling Iraq from Kuwait in 1991 was simply wrong; and if President Bush was mistaken to think in 2003 that there was an urgent need to stop Saddam Hussein from stockpiling weapons of mass destruction, Mr. Kerry made the same error in 1998.

Time for Clarity

Google Hacks - Whickety WhacksGood SecurityFocus column on the use of Google by blackhat-types. Bottom line: there's a lot of crap getting spidered out there... that shouldn't be anywhere near an extranet or DMZ. That's why the vast majority of companies need a Brooke Paul type as their CISO (i.e., someone familiar with the people, the processes and the technologies). But I guess there aren't a lot of those folks around.

...Let's try our search, but stick to the .edu top-level domain, so we're looking for "budget filetype:xls site:edu". 15,200 hits. Not bad. Things are starting to look very interesting...

The title of these directory listings almost always start with "Index of", so let's try a new query that I guarantee will generate results that should make you sit up and worry: "intitle:"index of" site:edu password". 2,940 results, and many, if not most, would be completely useless to a potential attacker. Many, however, would yield passwords in plain text, while others could be cracked using common tools like Crack and John the Ripper.

Googling Up Passwords and GoogleDorks (good amalgamation of various Google- and security-related hacks).

Win2K LDAP brute-forcer

A casual read-through of GoogleDorks yielded this egregious -- if true -- brute-force attack on Windows 2000's LDAP listener. I didn't check to see whether it's been patched or not, but it's worth noting in case you're running Win2K:

Title: Win2K LDAP authentication bruteforcer - ...I noticed when playing around with LDAP on Win2k that LDAP authentication requests came back with different response codes when using an existing username vs a non-existing one. Using this technique, you can enumerate usernames on the server. In addition, LDAP authentications don't seem to count as invalid logins as far as the 2k user is concerned. This means you can remotely determine usernames, and attempt passwords to your heart's content without bothering the set lockouts. Nice.

Macromedia Flash MX 2004 for DummiesInternet Explorer ever suck up 100% of your CPU for no apparent reason? It could be Macromedia Flash ads -- it was for me on one of my slower machines -- and it was driving me crazy. I found this solution on Ozone Asylum (caution: you should be comfortable editing the registry to use this little hack):

Foolproof way to disable flash in win XP without any pop-up errors, messages, or prompts. Feels like Flash was never even invented. Click Start, Run, type regedit. Go to following dir:

HKEY_LOCAL_MACHINESOFTWARE/MicrosoftInternet Explorer/ActiveX Compatibility

Click Edit, New, Key. Name New Key: {D27CDB6E-AE6D-11CF-96B8-444553540000} (including the {})

Now create [a] new DWORD value inside this key. Rename this DWORD value to "Compatibility Flags". Set Value Data to 400 and Base to Hexadecimal. To enable flash simply delete the key.

Internet Explorer (IE): Disabling Flash

No comments: