The US is spying on us .. Huh? Why didn't you tell us before ! http://www.youtube.com/watch?v=8JCVucx5HzI
Greetz: jimjones, matt, scut of teso:)) Kcrookie

On 29.06.2013 at 23:05, [email protected] wrote:
> RUSTLE LEAGUE WHITE HAT SECURITY RESEARCH TEAM REVEALS HOLE IN NSA WEBSITE;
> CONTACTS VENDOR, HOLE PATCHED.
>
> RUSTLE RESEARCH ETHICAL R&D WHITEHAT RED TEAM
> VULNERABILITY ALERT AND ASSESSMENT
> RED TEAM ALERT LEVEL AT MAGENTA
>
> ETHICAL DISCLOSURE NOTICE: Press release withheld until holes were patched.
>
> Breaking: NSA Website Vulnerable To Attack via Third Party Software,
> Illustrate Dangers of Security Outsourcing
> Ethical Hackers Exploit XSS Vulnerabilities in NSA Software Made by third
> party.
>
> Field researchers curiously perusing nsa.gov stumbled upon XSS
> vulnerabilities on the main NSA forward facing webserver. Both
> vulnerabilities were found in shoddily outsourced third party software
> written in Coldfusion--which we all know is the world's greatest mark-up
> language.
>
> "Anyone with an internet connection can use the XSS vulnerability to
> impersonate NSA personnel and web traffic," says Horace Grant, a researcher
> with Rustle Research. "Why are unreliable third parties creating the software
> that guards our national secrets?"
>
> These exploits are ironic given the multiple, recently revealed NSA security
> faux pas. The obvious Booz Allen Hamilton/NSA partnership allowed CIA
> operative and possible Communist spy, Edward Snowden, to infiltrate the NSA
> and leak the PRISM slides. Hilarious outsourcing of basic webapps to ma'n'pa
> crapshoot ColdFusion developers has now given an even graver look at the
> egregious outsourcing of even the most minute government projects.
>
> Why the focus on ColdFusion? The Adobe product is made by a company well
> known for holding a monopoly on online media. A simple google query, such as
> "michael hastings adobe" yields many results, all requiring Adobe products to
> view. Recently deceased, journalist Michael Hastings was researching
> government secrets. Many say he was investigating not only the NSA, but
> Wikileaks FBI informant Sigurdur Thordarson, who has close ties with the
> Democratic People's Republic of Korea. Rumors say Hastings' car was hacked by
> a 0day ColdFusion exploit, sending him to his fiery grave. Anyone in the know
> realizes that Siggi was the one who sent FBI assassins after Hastings, who
> was also researching Adrian Lamo and th3j35t3r.
>
> One of the NSA vulnerabilities exploited by ethical white hat hackers this
> week exists in the "Careers" section of the nsa.gov website. Internet users
> who enter data into the "Feedback" fields now are treated to a jovial visual
> representation of their data pooped back at them, in such elegant fashion as:
> http://i.imgur.com/1cyISex.png
>
> The other, more insidious, yet still trivial bug in nsa.gov, is an XSS attack
> that allows URL redirection. When the "Mail to a Friend" notice is queried
> and nsa.gov is appended at the end of the address, it is then exempted and
> allowed to redirect to the provided address. For example:
> http://www.nsa.gov/applications/links/notices.cfm?address=http://wikipaste.eu/nsa.gov
>
> Other possible uses of these exploits include dropping a malicious website
> into the url by using simple disguising methods, redirect, and executing
> arbitrary code. An attacker could also pretend to be an NSA employee and send
> a malicious payload via email to real NSA employees, unbeknownst to them --
> or simply trick more people into seeing goatse because that shit's funny as
> fuck.
>
> The holes have since been patched.
>
> http://rustleleague.com/advisory.html
>
> greetz: adobe, YAN, jimjones, chippy, zeekilled
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
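The "Mail to a Friend" redirect in the quoted advisory is accepted whenever the target address merely contains "nsa.gov". The following is an added example, not the advisory's or the site's own ColdFusion code, contrasting that kind of substring check (my reconstruction of what the advisory describes) with a host-allowlist check; ALLOWED_HOSTS and the fallback URL are assumed values for the demonstration.

```python
from urllib.parse import urlsplit

# Assumed allowlist of hosts the redirect endpoint is meant to serve.
ALLOWED_HOSTS = {"nsa.gov", "www.nsa.gov"}
FALLBACK_URL = "https://www.nsa.gov/"   # assumed safe default landing page


def weak_redirect_check(address: str) -> bool:
    """Reconstruction of the flawed behaviour the advisory describes:
    any address containing 'nsa.gov' (e.g. appended at the end) passes.
    This is an assumption about the original logic, not its actual code."""
    return "nsa.gov" in address.lower()


def strict_redirect_check(address: str) -> bool:
    """Hardened check: parse the URL, require an http(s) scheme, and compare
    the host component (not the whole string) against the allowlist."""
    parts = urlsplit(address)
    if parts.scheme.lower() not in ("http", "https"):
        return False  # rejects scheme-relative //host and non-web schemes
    host = (parts.hostname or "").lower()  # hostname ignores user@ and :port
    if not host:
        return False
    return host in ALLOWED_HOSTS or host.endswith(".nsa.gov")


def decide(address: str) -> str:
    """Return the value a server should place in the Location header."""
    return address if strict_redirect_check(address) else FALLBACK_URL


# Constructed sample inputs: the advisory's own example plus common
# open-redirect lookalikes a reviewer should expect a validator to reject.
SAMPLE_ADDRESSES = (
    "https://www.nsa.gov/careers/",            # legitimate, same site
    "https://careers.nsa.gov/",                # legitimate subdomain
    "http://wikipaste.eu/nsa.gov",             # the advisory's example
    "http://nsa.gov.evil.example/",            # allowed name as a prefix
    "http://www.nsa.gov@evil.example/",        # allowed name in userinfo
    "//evil.example/nsa.gov",                  # scheme-relative URL
)


def audit(addresses=SAMPLE_ADDRESSES) -> dict:
    """Map each address to (weak_result, strict_result) for comparison."""
    return {a: (weak_redirect_check(a), strict_redirect_check(a)) for a in addresses}


if __name__ == "__main__":
    for addr, (weak, strict) in audit().items():
        print(f"{addr:40s} weak={weak!s:5s} strict={strict}")
```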
