SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.
[no subject]
bate martins (Feb 08)
Hi, I am Bate Martin. I am comfortable with Python and am new to the
mailing list. Any help on how to get started in contributing to Nmap
development? Thanks
Re: bug report for nmap 7.40
Daniel Miller (Feb 07)
Ruga,
Upon further investigation, it looks like we are properly handling
LibreSSL's API. Most likely your error is because of Xcode's bundled
OpenSSL 0.9.8 libraries. It's always tricky to get Nmap to build properly
on OS X for that reason; we have a build guide of sorts in the macosx
directory of the source that may be helpful. But if you can provide the
full output of configure && make, we can get a better picture of...
Re: bug report for nmap 7.40
Daniel Miller (Feb 07)
Ruga,
Thanks for reporting this. I've entered a bug on our issue tracker [1] to
track this. For now, Nmap will not compile against LibreSSL since we have
added compatibility for OpenSSL 1.1.0.
Dan
[1] http://issues.nmap.org/685
bug report for nmap 7.40
Ruga (Feb 07)
Hello,
This is on macOS 10.12.3 with Xcode 8.2.1, non-Apple clang 3.9.0 and libressl 2.4.5.
Configuration and compilation errors are attached to this message.
Thank you for your time.
Re: Nmap 7.40 Error Modifying Profile
Vincent Hotmail (Feb 07)
Hello Dan,
You are correct. I have 3 additional entries (not modifying the existing or standard ones) in my profile.
The 3 additional entries are as follows. It was working for the IPMI and SSH profiles, but when I added the "iLo HP"
then it started to error. Maybe my space causes the problem in "iLo HP"?
IPMI
nmap -p 22,80,443,623,5120,5123,5900,5901,7578,8889 -T4 -v -Pn 10.179.13.227
SSH
nmap -p 22,80,443,8080,8443 -T4...
Re: Parsing JSON
Daniel Miller (Feb 06)
David,
I saw that; the documentation for the json.lua library had not been updated
since we changed its tests to those that use unittest.lua, so I removed it.
Instead, you can use the nsedebug.tostr [1] function to see the structure
that was parsed.
Dan
[1] https://nmap.org/nsedoc/lib/nsedebug.html#tostr
Re: Parsing JSON
David Muscut (Feb 06)
Thanks Dan. A follow up question, the json.lua documentation says "If you
want to parse JSON, you can test it by pasting sample JSON into the TESTS
table and run the test method". Can you show an example of how you run "the
test method"?
thanks,
- D
Re: Parsing JSON
Daniel Miller (Feb 06)
David,
I just missed you in IRC. I don't see any problem with parsing this with
json.lua. To get the rendered title, I would use this:
local status, parsed = json.parse('[{"id":1,...')
title = parsed[1].title.rendered
Note that your data is wrapped in a single-element array, and Lua uses
1-indexed tables as arrays. So the first element is index 1, and "title" is
a key in the object at that index.
Dan
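As an added example for this thread (it is neither Dan's snippet above nor a script shipped with Nmap), here is a minimal NSE script that does what David asked for: fetch a JSON document, parse it with json.lua, and pull the `id` and `title.rendered` out of the first element of the wrapping array, falling back to `nsedebug.tostr` when the structure is not what was expected. The script name `json-first-title`, the script-arg `json-first-title.path` and its default `/posts.json` are assumptions for the example; the sample document in the comment is constructed from the shape quoted in the thread.

```lua
-- Added example for the "Parsing JSON" thread; not Dan's code and not an
-- Nmap script. Reports the `id` and `title.rendered` of the first object in a
-- top-level JSON array, i.e. the shape David asked about. Constructed sample:
--   [{"id":1,"title":{"rendered":"Hello world"}}]
-- Assumptions (not from the thread): the script name "json-first-title", the
-- script-arg "json-first-title.path" and its default value "/posts.json".
local http = require "http"
local json = require "json"
local nsedebug = require "nsedebug"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Fetches a JSON array from an HTTP service and reports the id and rendered
title of its first element. Example script, not part of Nmap.
]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

portrule = shortport.http

-- Pure function (no network) that does the actual extraction:
-- returns id, title on success, or nil, error_message on failure.
local function extract_first(body)
  local status, parsed = json.parse(body)
  if not status then
    -- on failure json.parse returns false and the error string
    return nil, "JSON parse failed: " .. tostring(parsed)
  end
  -- Lua tables are 1-indexed, so the single wrapping array element is [1].
  local first = type(parsed) == "table" and parsed[1] or nil
  if type(first) ~= "table" then
    return nil, "top-level value is not a non-empty array"
  end
  local title = type(first.title) == "table" and first.title.rendered or nil
  if first.id == nil or type(title) ~= "string" then
    -- nsedebug.tostr renders the parsed structure so you can see what came back
    return nil, "missing id or title.rendered in: " .. nsedebug.tostr(parsed)
  end
  return first.id, title
end

action = function(host, port)
  local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/posts.json"
  local resp = http.get(host, port, path)
  if not (resp and resp.status == 200 and resp.body) then
    stdnse.debug1("no usable response from %s", path)
    return nil
  end
  local id, title = extract_first(resp.body)
  if id == nil then
    stdnse.debug1("%s", title) -- second return value carries the error here
    return nil
  end
  local out = stdnse.output_table()
  out.id = id
  out.title = title
  return out
end
```

Save it as `json-first-title.nse` and run it with `nmap -p 80 --script ./json-first-title.nse --script-args json-first-title.path=/your/endpoint <target>`; run with `-d` to see the `nsedebug.tostr` dump when the structure does not match.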
Nmap and Zenmap on Mobile Devices
SWAPNIL DAS (Feb 06)
Hi,
I was going through the project ideas for GSOC 2017. There I found the idea
"Nmap and Zenmap on Mobile Devices (Android)".
I would like to ask on how to approach for it. Is there any existing
repository dedicated to it (someone has done work on it earlier) ? or
anyone have to work from scratch for it. Also if possible please state the
platform to use (e.g - Android studio).
I am good with Python and android development so I think...
Parsing JSON
David Muscut (Feb 06)
Can someone point me to a code example of how I can parse out the 'id'
and 'title' values using the Nmap json.lua library for the following code:...
Re: possible bug, nmap v7.40
Varunram Ganesh (Feb 02)
Try accepting all ICMP in the filter. If that doesn't work, I read somewhere that it *might* be an issue with the
iptable_nat module in the linux kernel - https://bugzilla.redhat.com/show_bug.cgi?id=1402695. A similar issue was also
reported earlier in http://seclists.org/nmap-dev/2016/q4/131. It has been updated in future releases of the linux
kernel. Dunno about Debian though. ...
Re: Nmap http-open-redirect problem
Daniel Miller (Feb 02)
Diago,
The http-open-redirect script crawls the website looking for links. If any
of the links have a parameter that was echoed back in a Location header,
then that parameter is changed to "http://scanme.nmap.org/" and the query
is retried. If the Location header comes back with that URL, then it's an
open redirect.
What is likely the case is that there is not an existing link on your page
that links to redirect.php with a...
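As an added example (this is not the code of http-open-redirect.nse), the core of the check Dan describes, written in plain Lua so it runs with a stock `lua` interpreter: for every crawled link that produces a Location header, find the parameters echoed back into that header, replace each one with the canary `http://scanme.nmap.org/`, and re-request. The crawler and HTTP client are stand-ins: a constructed table of responses keyed by URL, in which `/redirect.php` echoes its `redirect_url` parameter (modelled on Diago's test page) and a hypothetical `/go.php` only follows an allow-listed target. URL encoding is left out to keep the example short.

```lua
-- Added example, not http-open-redirect.nse itself: the detection logic Dan
-- describes, against a constructed fake site instead of a crawler + HTTP client.
local CANARY = "http://scanme.nmap.org/"

-- Constructed sample responses keyed by URL. /redirect.php blindly echoes
-- redirect_url into Location (vulnerable); /go.php (hypothetical) only follows
-- an allow-listed host and sends everything else to "/".
local fake_site = {
  ["/redirect.php?redirect_url=http://example.com/"] = { status = 302, header = { location = "http://example.com/" } },
  ["/redirect.php?redirect_url=" .. CANARY]         = { status = 302, header = { location = CANARY } },
  ["/go.php?to=http://example.com/"]                 = { status = 302, header = { location = "http://example.com/" } },
  ["/go.php?to=" .. CANARY]                          = { status = 302, header = { location = "/" } },
  ["/index.html"]                                    = { status = 200, header = {} },
}

local function fetch(url)
  return fake_site[url] or { status = 404, header = {} }
end

-- Split "path?k=v&k2=v2" into the path and an ordered list of {key, value}.
local function parse_query(url)
  local path, query = url:match("^([^?]*)%??(.*)$")
  local params = {}
  for k, v in query:gmatch("([^&=]+)=([^&]*)") do
    params[#params + 1] = { k, v }
  end
  return path, params
end

local function build_url(path, params)
  local parts = {}
  for _, kv in ipairs(params) do parts[#parts + 1] = kv[1] .. "=" .. kv[2] end
  return path .. (#parts > 0 and ("?" .. table.concat(parts, "&")) or "")
end

-- Given the links a crawl produced, return {url=, param=} for each open redirect.
local function find_open_redirects(links)
  local found = {}
  for _, link in ipairs(links) do
    local loc = fetch(link).header.location
    if loc then
      local path, params = parse_query(link)
      for i, kv in ipairs(params) do
        -- Only a parameter whose value is echoed into Location is worth retrying.
        if kv[2] ~= "" and loc:find(kv[2], 1, true) then
          local probe = {}
          for j, p in ipairs(params) do probe[j] = { p[1], p[2] } end
          probe[i][2] = CANARY
          if fetch(build_url(path, probe)).header.location == CANARY then
            found[#found + 1] = { url = link, param = kv[1] }
          end
        end
      end
    end
  end
  return found
end

-- Stand-in for the crawl result. Note that /redirect.php only gets tested
-- because a link to it appears here; a page that never links to it is never probed.
local hits = find_open_redirects({
  "/index.html",
  "/redirect.php?redirect_url=http://example.com/",
  "/go.php?to=http://example.com/",
})
for _, h in ipairs(hits) do
  print(("open redirect: %s via parameter %q"):format(h.url, h.param))
end
```

Drop the `/redirect.php` entry from the link list and the function returns nothing, which is the situation Dan describes: the real script only probes redirect targets that the crawler discovers as links on the site, so a hand-made `redirect.php` that nothing links to is never exercised.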
Re: possible bug, nmap v7.40
Daniel Miller (Feb 02)
Yes, I have seen this happening. It's slowing down scans a lot, and I
suspect it has something to do with the conntrack module that is used for
the "ESTABLISHED" and "RELATED" matches, but I can't figure out what the
cause is. If you do a very slow scan (-T2) nothing goes wrong, so it's a
rate limit of some sort. We really need to figure out what the problem is
and how to work around it!
Dan
possible bug, nmap v7.40
cyb (Feb 02)
Hi,
I'm experiencing a problem using nmap (v7.40) with iptables on kali (Debian
4.8.15-1kali1 (2016-12-23) x86_64 GNU/Linux).
I have messages like:
*sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, 45.33.32.156, 16) =>
Operation not permitted*
if my firewall is activated.
I'm using VPN with OpenVPN and nmap works fine after startup with VPN == on
and iptables == off, but if I'm activating firewall (script vpnfw.sh...
Nmap http-open-redirect problem
Diago (Feb 02)
I wanted to test if my site has any open redirect vulnerability. I have tried with the Nmap script
https://nmap.org/nsedoc/scripts/http-open-redirect.html; it starts the tests and finds only open ports. I wanted to make
sure this script works so I created a /redirect.php on my website so when someone enters my site.
com/redirect.php?redirect_url=http://anothersite. com it redirects to that, so this way I'm sure my site is vulnerable
to...
Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Nmap GSoC 2016 Success Report
Fyodor (Feb 07)
Happy belated new year from the Nmap Project! I'd like to take this
opportunity to send you the belated results from our 2016 Summer of Code
team. I was going to send them right after the program finished, but some
of the students were still finishing some great things so I decided to
wait. As you may recall from the team intro mail (
http://seclists.org/nmap-announce/2016/2), we had 5 students last year and
I'm happy to report that...
Nmap 7.40 Holiday Release: a dozen new NSE scripts, hundreds of new fingerprints, new Npcap, faster brute forcing, and more...
Fyodor (Dec 20)
Happy holidays from the Nmap Project! In case your Christmas break plans
involve a lot of port scanning, we're delighted to announce our holiday
Nmap 7.40 release! This version stuffs your stockings with dozens of new
features, including:
- 12 new NSE scripts
- Hundreds of updated OS and version detection signatures
- Faster brute force authentication cracking and other NSE library
improvements
- A much-improved...
Nmap 7.31 stability-focused point release
Fyodor (Oct 21)
Hi folks. I'm happy to report that the big Nmap 7.30 release last month
was a great success. We didn't even see as many bugs as expected for such
a large release, but we have collected and fixed the ones which did arise
in the last few weeks into a new 7.31 point release. It includes the
latest updates to our new Npcap driver, a fix for Nping on Windows, and
more.
Nmap 7.31 source code and binary packages for Linux, Windows, and Mac...
Nmap 7.30 Released with new NSE scripts, new Npcap, new Fingerprints, etc.
Fyodor (Sep 29)
Hi folks! You may have noticed that we've only been releasing Nmap betas
for the last 6 months because we've had so much new code and so many
features to integrate thanks to hard work from both our regular team and
the 5 Google Summer of Code summer interns. But we spent the last month
focused on stability and I'm pleased to announce Nmap 7.30--our first
stable release since 7.12 back in March.
Even though it's a stable...
Nmap 7.25BETA2 Birthday Release
Fyodor (Sep 01)
Hi folks! I'm happy to report that today is Nmap's 19th birthday and
instead of cake, we're celebrating open source style with a new release!
Nmap 7.25BETA1 includes dozens of performance improvements, bug fixes, and
new features. The full list is below, and includes a major LUA upgrade for
NSE scripts, a new overlapped I/O engine for better Windows performance, a
much-improved version of our new Npcap packet capturing driver,...
Nmap 7.25BETA1 Released with our new Npcap driver, 6 new NSE scripts, and more!
Fyodor (Jul 19)
Hi folks! As you may know, we've been working for the last 3 years on an
improved Windows packet capturing library named Npcap. It's based on the
original WinPcap (which hasn't been maintained in years), but we rewrote
the driver to use modern APIs (NDIS 6) for better performance. It also
improves security and enables new features. For example, Npcap allows Nmap
to do raw scans (including SYN scans and OS detection) of localhost...
Introducing the 2016 Nmap/Google Summer of Code Team!
Fyodor (May 09)
Hello everyone. Google has agreed to sponsor five amazing students to
spend this summer enhancing the Nmap Security Scanner and I'm proud to
introduce our 2015 team:
*Abhishek Singh* will be working as a Feature Creeper and Bug Hunter,
making improvements throughout the Nmap codebase. The project hasn't even
started yet and he's already found and fixed several NSE script bugs and
has other code changes in the works. Abhishek is...
Nmap 7.10 released: 12 new scripts, hundreds of OS/version fingerprints, bug fixes, and more!
Fyodor (Mar 17)
Hi Folks! Before I tell you about today's new Nmap release, I wanted to
share some Summer of Code news:
Google posted a fantastic story by one of our Summer of Code alumni about
how the program helped take him from rural China to a full-ride scholarship
at the University of Virginia graduate school! His mentor David and I had
the chance to meet him in San Francisco:...
Nmap Project Seeking Talented Programmers for Google Summer of Code 2016
Fyodor (Feb 29)
Hi folks. I'm delighted to report that Nmap has been accepted by Google to
participate in this year's Summer of Code internship program. This
innovative and extraordinarily generous program provides $5,500 stipends to
college and graduate students anywhere in the world who spend the summer
improving Nmap from home! They gain valuable experience, get paid,
strengthen their résumés, and write code for millions of users. We're one...
Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
Authentication bypass vulnerability in Western Digital My Cloud
Securify B.V. (Feb 08)
------------------------------------------------------------------------
Authentication bypass vulnerability in Western Digital My Cloud
------------------------------------------------------------------------
Remco Vermeulen, January 2017
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that Western Digital My Cloud is...
Executable installers are vulnerable^WEVIL (case 48): SumatraPDF-3.1.2-installer.exe allows escalation of privilege
Stefan Kanthak (Feb 07)
Hi @ll,
the executable installer [°] and the "portable" version
of SumatraPDF 3.1.2 (available from
<https://www.sumatrapdfreader.org/download-free-pdf-viewer.html>)
are vulnerable to DLL hijacking [']:
The executable installers SumatraPDF-3.1.2-install.exe and
SumatraPDF-3.1.2-64-install.exe load and execute (tested on
a fully patched Windows 7 SP1) at least Version.dll, OLEACC.dll,
CryptBase.dll, NTMARTA.dll,...
Responsive FileManager <= 9.11.0 - Arbitrary File Disclosure/Deletion
Wiswat A (Feb 07)
[+] Exploit Title: Responsive FileManager <= 9.11.0 - Arbitrary File
Disclosure/Deletion
[+] Date: 7 Feb 2017
[+] Vulnerability and Exploit Author: Wiswat Aswamenakul
[+] Vendor Homepage: http://www.responsivefilemanager.com/
[+] Affected version: only tested on 9.11.0 and 9.7.3 (other versions
might be affected)
[+] Tested on: Ubuntu 14.04, PHP 5.5.9
[+] Category: webapps
[+] Description
Responsive FileManager is a PHP-based file manager that...
SEC Consult SA-20170207 :: Path Traversal, Backdoor accounts & KNX group address password bypass in JUNG Smart Visu server
SEC Consult Vulnerability Lab (Feb 07)
SEC Consult Vulnerability Lab Security Advisory < 20170207-0 >
=======================================================================
title: Path Traversal, Backdoor accounts & KNX group address
password bypass
product: JUNG Smart Visu Server
vulnerable version: Firmware v1.0.804/1.0.830/1.0.832
fixed version: Firmware v1.0.900
CVE number: -
impact: Critical...
Call for Papers: FIRST Amsterdam Technical Colloquium (TC) April 2017
Jeff Bollinger (Feb 07)
We would like to announce a "Save the Date" and "Call for Speakers" for
the annual FIRST Amsterdam Technical Colloquium (TC). The main event,
hosted by Cisco Systems in Amsterdam, Netherlands will be a plenary
style conference held on the 25th and 26th of April 2017. We are also
offering an optional, free, training on Monday April 24th.
The event website: https://www.first.org/events/colloquia/amsterdam2017
Event...
interpreter bugs
Andrzej Dyjak (Feb 07)
Greetings FD,
I've recently published fuzzing results for various interpreters [1].
FD members might find them interesting.
/ad
[1] https://github.com/dyjakan/interpreter-bugs
Remote DoS against OpenBSD http server (up to 6.0)
Pierre Kim (Feb 06)
## Advisory Information
Title: Remote DoS against OpenBSD http server (up to 6.0)
Advisory URL: https://pierrekim.github.io/advisories/CVE-2017-5850-openbsd.txt
Blog URL: https://pierrekim.github.io/blog/2017-02-07-openbsd-httpd-CVE-2017-5850.html
Date published: 2017-02-07
Vendors contacted: OpenBSD
Release mode: Released
CVE: CVE-2017-5850
## Product Description
The OpenBSD project produces a FREE, multi-platform 4.4BSD-based
UNIX-like...
IVPN Client for Windows 2.6.6120.33863 Privilege Escalation
Kacper Szurek (Feb 06)
# Exploit: IVPN Client for Windows 2.6.6120.33863 Privilege Escalation
# Date: 06.02.2017
# Software Link: https://www.ivpn.net/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: local
1. Description
It is possible to run `openvpn` as `SYSTEM` with custom openvpn.conf.
Using `--up cmd` we can execute any command....
Teleopti WFM <= 7.1.0 Multiple Vulnerabilities
Graph-X (Feb 06)
#############################################################
# Advisory Title: Teleopti WFM (Multiple Vulnerabilities)
# Date: 2/4/2017
# Researcher: Graph-X ((email: graphx () sigaint org))
# Vendor Homepage: http://www.teleopti.com
# Version: <= 7.1.0
# CVE: is dead
#############################################################
Disclosure Timeline...
[KIS-2017-01] PEAR HTML_AJAX <= 0.5.7 (PHP Serializer) PHP Object Injection Vulnerability
Egidio Romano (Feb 06)
---------------------------------------------------------------------------
PEAR HTML_AJAX <= 0.5.7 (PHP Serializer) PHP Object Injection Vulnerability
---------------------------------------------------------------------------
[-] Software Link:
https://pear.php.net/package/HTML_AJAX
[-] Affected Versions:
All versions from 0.3.0 to 0.5.7.
[-] Vulnerability Description:
The vulnerable code is located within the HTML_AJAX_Serializer_PHP...
ZoneMinder - multiple vulnerabilities
John Marzella (Feb 04)
==========================================================================
Product: ZoneMinder
Versions: Multiple versions - see inline
Vulnerabilities: File disclosure, XSS, CSRF, Auth bypass & Info disclosure
CVE-IDs: CVE-2017-5595, CVE-2017-5367, CVE-2017-5368, CVE-2016-10140
Author: John Marzella
Date: 03/02/2017
==========================================================================
CVE-2016-10140 - Auth bypass and Info disclosure -...
HP Printers Wi-Fi Direct Improper Access Control
Info (Feb 02)
HP Printers Wi-Fi Direct Improper Access Control
--------------------------------------------------------------------------------
1. Advisory Information
Title: HP Printers Wi-Fi Improper Access Control
Advisory ID: NESESO-2017-0111
Advisory URL: http://neseso.com/advisories/NESESO-2017-0111.pdf
Date published: 2017-02-01
Date of last update: 2017-02-01
Vendors contacted: Hewlett Packard
Release mode: User Release...
[FOXMOLE SA 2016-07-05] ZoneMinder - Multiple Issues
FOXMOLE Advisories (Feb 02)
=== FOXMOLE - Security Advisory 2016-07-05 ===
Zoneminder multiple vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected Versions
=================
Zoneminder 1.29,1.30
Issue Overview
==============
Vulnerability Type: SQL Injection, Cross Site Scripting, Session Fixation, No CSRF Protection
Technical Risk: high
Likelihood of Exploitation: medium
Vendor: Zoneminder
Vendor URL: https://zoneminder.com/
Credits: FOXMOLE employee Tim Herres...
Re: Multiple vulnerabilities found in the Dlink DWR-932B (backdoor, backdoor accounts, weak WPS, RCE ...)
Pierre Kim (Feb 02)
Hello,
Following the advisory posted to FD and Bugtraq about the Dlink DWR-932B router,
the complete version of the security analysis of the corrected
firmware for Dlink 932B LTE
routers is posted here:
https://pierrekim.github.io/blog/2017-02-02-update-dlink-dwr-932b-lte-routers-vulnerabilities.html
Please find a text-only version below sent to security mailing lists.
=== text-version of the advisory ===
An update on this post:
MITRE...
Re: Free ebook to learn ethical hacking techniques
elendil el (Feb 02)
Hi,
Thanks for sharing, though I am not sure this is the right mailing list to
do so (imo).
However, you seem to raise an interesting point. @List: Do we have stuff
going on for the mainframe guys? 0days, vulns, exploits, etc.?
I've gone through FD archives but could not get something.
Thanks !
2017-01-29 12:11 GMT+01:00 Sparc Flow <sparc.flow () protonmail com>:
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
ESA-2017-001: EMC Isilon InsightIQ Authentication Bypass Vulnerability
EMC Product Security Response Center (Feb 07)
ESA-2017-001: EMC Isilon InsightIQ Authentication Bypass Vulnerability
EMC Identifier: ESA-2017-001
CVE Identifier: CVE-2017-2765
Severity Rating: CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected products:
EMC Isilon InsightIQ 4.1.0
EMC Isilon InsightIQ 4.0.1
EMC Isilon InsightIQ 4.0.0
EMC Isilon InsightIQ 3.2.2
EMC Isilon InsightIQ 3.2.1
EMC Isilon InsightIQ...
SEC Consult SA-20170207 :: Path Traversal, Backdoor accounts & KNX group address password bypass in JUNG Smart Visu server
SEC Consult Vulnerability Lab (Feb 07)
SEC Consult Vulnerability Lab Security Advisory < 20170207-0 >
=======================================================================
title: Path Traversal, Backdoor accounts & KNX group address
password bypass
product: JUNG Smart Visu Server
vulnerable version: Firmware v1.0.804/1.0.830/1.0.832
fixed version: Firmware v1.0.900
CVE number: -
impact: Critical...
[security bulletin] HPESBUX03699 SSRT110304 rev.1 - HP-UX BIND, Multiple Remote Denial of Service (DoS)
HPE Product Security Response Team (Feb 06)
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05381687
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c05381687
Version: 1
HPESBUX03699 SSRT110304 rev.1 - HP-UX BIND, Multiple Remote Denial of Service
(DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2017-01-27
Last Updated:...
Teleopti WFM <= 7.1.0 Multiple Vulnerabilities
Graph-X (Feb 06)
#############################################################
# Advisory Title: Teleopti WFM (Multiple Vulnerabilities)
# Date: 2/4/2017
# Researcher: Graph-X ((email: graphx () sigaint org))
# Vendor Homepage: http://www.teleopti.com
# Version: <= 7.1.0
# CVE: is dead
#############################################################
Disclosure Timeline...
[SECURITY] [DSA 3781-1] svgsalamander security update
Moritz Muehlenhoff (Feb 05)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3781-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
February 05, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : svgsalamander
CVE ID : CVE-2017-5617
Luc Lynx...
ZoneMinder - multiple vulnerabilities
john (Feb 05)
==========================================================================
Product: ZoneMinder
Versions: Multiple versions - see inline
Vulnerabilities: File disclosure, XSS, CSRF, Auth bypass & Info disclosure
CVE-IDs: CVE-2017-5595, CVE-2017-5367, CVE-2017-5368, CVE-2016-10140
Author: John Marzella
Date: 03/02/2017
==========================================================================
CVE-2016-10140 - Auth bypass and Info disclosure -...
[FOXMOLE SA 2016-07-05] ZoneMinder - Multiple Issues
FOXMOLE Advisories (Feb 02)
=== FOXMOLE - Security Advisory 2016-07-05 ===
Zoneminder multiple vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected Versions
=================
Zoneminder 1.29,1.30
Issue Overview
==============
Vulnerability Type: SQL Injection, Cross Site Scripting, Session Fixation, No CSRF Protection
Technical Risk: high
Likelihood of Exploitation: medium
Vendor: Zoneminder
Vendor URL: https://zoneminder.com/
Credits: FOXMOLE employee Tim Herres...
Ghostscript 9.20 Filename Command Execution
hyp3rlinx (Feb 01)
[+]#################################################################################################
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/GHOSTSCRIPT-FILENAME-COMMAND-EXECUTION.txt
[+] ISR: ApparitionSec
[+]################################################################################################
Vendor:
===============...
[security bulletin] HPSBST03588 rev 1. - HPE StoreVirtual 4000 Storage and StoreVirtual VSA Software running LeftHand OS, Remote Arbitrary Command Execution
security-alert (Feb 01)
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05382958
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c05382958
Version: 1
HPSBST03588 rev 1. - HPE StoreVirtual 4000 Storage and StoreVirtual VSA
Software running LeftHand OS, Remote Arbitrary Command Execution
NOTICE: The information in this Security Bulletin should be acted upon as
soon as...
Cisco Security Advisory: Cisco Prime Home Authentication Bypass Vulnerability
Cisco Systems Product Security Incident Response Team (Feb 01)
Cisco Security Advisory: Cisco Prime Home Authentication Bypass Vulnerability
Advisory ID: cisco-sa-20170201-prime-home
Revision 1.0
For Public Release 2017 February 1 16:00 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
A vulnerability in the web-based GUI of Cisco Prime Home could allow an unauthenticated,
remote attacker to bypass authentication and execute actions with administrator...
ESA-2017-003: EMC Network Configuration Manager (NCM) Multiple Vulnerabilities
EMC Product Security Response Center (Feb 01)
----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
ESA-2017-003: EMC Network Configuration Manager (NCM) Multiple Vulnerabilities
EMC Identifier: ESA-2017-003
CVE Identifier: CVE-2017-2767, CVE-2017-2768
Severity Rating: CVSS v3 Base Score: See below for scores
Affected products:
EMC Software: EMC Network Configuration Manager (NCM) 9.3.x
EMC Software: EMC Network Configuration Manager (NCM) 9.4.0.x
EMC Software: EMC Network Configuration...
[SECURITY] [DSA 3779-1] wordpress security update
Sebastien Delafond (Feb 01)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3779-1 security () debian org
https://www.debian.org/security/ Sebastien Delafond
February 01, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : wordpress
CVE ID : CVE-2017-5488 CVE-2017-5489...
[security bulletin] HPESBHF03700 rev.1 - HPE iMC PLAT, Remote Disclosure of Information, Denial of Service (DoS)
security-alert (Jan 31)
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05382418
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c05382418
Version: 1
HPESBHF03700 rev.1 - HPE iMC PLAT, Remote Disclosure of Information, Denial
of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2017-01-31
Last Updated:...
[SECURITY] [DSA 3778-1] ruby-archive-tar-minitar security update
Salvatore Bonaccorso (Jan 31)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3778-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
January 31, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : ruby-archive-tar-minitar
CVE ID : CVE-2016-10173...
[security bulletin] HPESBGN03696 rev.1 - HPE Helion Eucalyptus, Remote Escalation of Privilege
security-alert (Jan 31)
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05382868
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c05382868
Version: 1
HPESBGN03696 rev.1 - HPE Helion Eucalyptus, Remote Escalation of Privilege
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2017-01-31
Last Updated: 2017-01-31...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
[ERPSCAN-16-035] SAP Solman - user accounts disclosure
ERPScan inc (Dec 20)
Application: SAP Solman
Versions Affected: SAP Solman 7.1-7.31
Vendor URL: http://SAP.com
Bugs: Information Disclosure
Sent: 12.07.2016
Reported: 13.07.2016
Vendor response: 13.07.2016
Date of Public Advisory: 13.09.2016
Reference: SAP Security Note 2344524
Author: Roman Bezhan (ERPScan)
Description
1. ADVISORY INFORMATION
Title:[ERPSCAN-16-035] SAP Solman – user accounts disclosure
Advisory ID:[ERPSCAN-16-035]
Risk: high...
Faraday v2.2: Collaborative Penetration Test and Vulnerability Management Platform
Francisco Amato (Nov 23)
Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in real
time, letting you track and understand your audits. Our dashboard for
CISOs and managers uncovers the impact and risk being assessed by the
audit in real-time without the need for a single email. Developed with
a specialized set of functionalities that help users improve their own
work, the main purpose is to...
[ERPSCAN-16-031] SAP NetWeaver AS ABAP – directory traversal using READ DATASET
ERPScan inc (Nov 22)
Application: SAP NetWeaver AS ABAP
Versions Affected: SAP NetWeaver AS ABAP 7.4
Vendor URL: http://SAP.com
Bugs: Directory traversal
Sent: 22.04.2016
Reported: 23.04.2016
Vendor response: 23.04.2016
Date of Public Advisory: 09.08.2016
Reference: SAP Security Note 2312966
Author: Daria Prosochkina (ERPScan)
Description
1. ADVISORY INFORMATION
Title: [ERPSCAN-16-031] SAP NetWeaver AS ABAP – directory traversal
using READ DATASET...
[ERPSCAN-16-032] SAP Telnet Console – Directory traversal vulnerability
ERPScan inc (Nov 22)
Application: SAP NetWeaver AS JAVA
Versions Affected: SAP NetWeaver AS JAVA 7.1 to 7.5
Vendor URL: http://SAP.com
Bugs: Directory traversal
Sent: 04.12.2015
Reported: 05.12.2015
Vendor response: 05.12.2015
Date of Public Advisory: 09.08.2016
Reference: SAP Security Note 2280371
Author: Mathieu Geli (ERPScan)
Description
1. ADVISORY INFORMATION
Title: [ERPSCAN-16-032] SAP Telnet Console – Directory traversal vulnerability...
[ERPSCAN-16-033] SAP NetWeaver AS JAVA icman - DoS vulnerability
ERPScan inc (Nov 22)
Application: SAP NetWeaver AS JAVA
Versions Affected: SAP NetWeaver AS JAVA 7.4
Vendor URL: http://SAP.com
Bug: Denial of Service
Sent: 22.04.2016
Reported: 23.04.2016
Vendor response: 23.04.2016
Date of Public Advisory: 09.08.2016
Reference: SAP Security Note 2313835
Author: Vahagn Vardanyan (ERPScan)
Description
1. ADVISORY INFORMATION
Title: [ERPSCAN-16-033] SAP NetWeaver AS JAVA icman – DoS vulnerability
Advisory...
[ERPSCAN-16-034] SAP NetWeaver AS JAVA - XXE vulnerability in BC-BMT-BPM-DSK component
ERPScan inc (Nov 22)
Application: SAP NetWeaver AS JAVA
Versions Affected: SAP NetWeaver AS JAVA 7.4
Vendor URL: http://SAP.com
Bug: XXE
Sent: 09.03.2016
Reported: 10.03.2016
Vendor response: 10.03.2016
Date of Public Advisory: 09.08.2016
Reference: SAP Security Note 2296909
Author: Vahagn Vardanyan (ERPScan)
Description
1. ADVISORY INFORMATION
Title: [ERPSCAN-16-034] SAP NetWeaver AS JAVA – XXE vulnerability in
BC-BMT-BPM-DSK component
Advisory...
MobSF v0.9.3 is Released: Now supports Windows APPX Static Analysis
Ajin Abraham (Nov 22)
Hello Folks,
MobSF v0.9.3 is released.
About MobSF
Mobile Security Framework (MobSF) is an intelligent, all-in-one open
source mobile application (Android/iOS/Windows) automated pen-testing
framework capable of performing static and dynamic analysis. It can be
used for effective and fast security analysis of Android, iOS and
Windows mobile Applications and supports both binaries (APK, IPA &
APPX ) and zipped source code. MobSF can also...
Firewall Wizards — Tips and tricks for firewall administrators
Revival?
Paul Robertson (Sep 11)
Since the last few attempts to revive the list have failed, I'm going to attempt a Facebook group revival experiment.
It'll be a bit broader in scope, but I'm hoping we can discuss technical security matters. The new group is
Security-Wizards on Facebook.
Paul
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
Arachni Framework v1.5 & WebUI v0.5.11 have been released (Web Application Security Scanner)
Tasos Laskos (Feb 01)
Hey folks,
There's a new version of Arachni, a modular and high-performance Web Application Security Scanner Framework.
The highlights of this release are:
* Added arachni_reproduce utility allowing issues in reports to be reproduced.
* Browser updated to the latest PhantomJS version for improved support of modern webapps.
* New SAX based HTML parser allowing for much faster and lightweight parsing.
* Improved XSS, SQL injection,...
Faraday v2.3: Collaborative Penetration Test and Vulnerability Management Platform
Francisco Amato (Jan 31)
We are very proud to present the first 2017 edition of the Faraday
Platform! Faraday v2.3 is ready to download!
Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in real
time, letting you track and understand your audits. Our dashboard for
CISOs and managers uncovers the impact and risk being assessed by the
audit in real-time without the need for a single email....
RVAsec 2017 Call for Presentations (CFP)
Sullo (Jan 23)
The CFP for RVAsec 2017 is underway!
____________________________________
RVAsec // June 8-9th, 2017 // Richmond, VA
RVAsec is a Richmond, VA based security convention that brings top
industry speakers to the midatlantic region. In its fourth year,
RVAsec 2016 attracted nearly 400 security professionals from across
the country.
Talks must be 50 minutes in length, and submissions will need to
select from one of two tracks: business or...
Faraday v2.2: Collaborative Penetration Test and Vulnerability Management Platform
Francisco Amato (Nov 23)
Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in real
time, letting you track and understand your audits. Our dashboard for
CISOs and managers uncovers the impact and risk being assessed by the
audit in real-time without the need for a single email. Developed with
a specialized set of functionalities that help users improve their own
work, the main purpose is to...
MobSF v0.9.3 is Released: Now supports Windows APPX Static Analysis
Ajin Abraham (Nov 22)
Hello Folks,
MobSF v0.9.3 is released.
About MobSF
Mobile Security Framework (MobSF) is an intelligent, all-in-one open
source mobile application (Android/iOS/Windows) automated pen-testing
framework capable of performing static and dynamic analysis. It can be
used for effective and fast security analysis of Android, iOS and
Windows mobile Applications and supports both binaries (APK, IPA &
APPX ) and zipped source code. MobSF can also...
Re: IE11 is not following CORS specification for local files
Ricardo Iramar dos Santos (Oct 13)
Same attack using XSS as vector.
Imagine that https://xss-doc.appspot.com is a site about gift cards.
The XSS payload below will create a giftcard.htm file in the default
download folder.
If the victim opens the file, a GET to
https://mail.google.com/mail/u/0/#inbox will be submitted.
After the GET the file will perform a POST to
http://192.168.1.36/req.php using the GET response as a body.
An attacker would be able to read all the emails in the...
Re: IE11 is not following CORS specification for local files
Ricardo Iramar dos Santos (Oct 05)
I did a small improvement in this attack.
Using IE File API
(https://msdn.microsoft.com/en-us/library/hh772315(v=vs.85).aspx) an
attacker would be able to create a web page with the content below and
send to a victim.
A local file with the same content that I sent previously would be
created on download default folder.
If the victim performs the three following clicks (Save, Open and Allow
blocked content) an attacker would be able to perform any...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Bug Bounties
dave aitel (Feb 08)
<death threats for bug bounties image>
(https://myasides.com/bug-bounty-programs/)
So occasionally I get into it on Twitter with the bug bounties crowd,
and they call me a hater. But mostly what I hate is the hype around bug
bounties. . . which is considerable. If you've been dipping your toe
into the policy world you can't avoid it, but even from outside there
you get to see the DoD launch a bug bounties program (at INFILTRATE...
Learning the Wrong Lessons from team-offense..
Haroon Meer (Feb 08)
Heya(s)
The kind folks at t2.fi (which is a pretty great conference) have uploaded
the video of our talk: "Learning the wrong lessons from Offense" (
http://t2.fi/2017/02/05/haroon-meer-keynote-2016/)
The central premise is that there are lessons to learn from offense, but
that for the most part we have been looking to learn the wrong ones..
Like much of our stuff, it features thoughts stolen from Adam Shostack,
Halvar, Dino, four,...
Confusion and hosts and reputation
dave aitel (Feb 07)
So I've spent some time today trying to understand the various hoopla
around "domain fronting". And it's a TOCTOU bug that cloud providers
could fix, but hopefully won't. Previous state of the art in bypassing
WebSense and Cisco's proxy and FortiGate and the rest was just to hack
some random PHP website. This never gets old, and is a good warm-up for
real hacking.
The basic understanding is that when you make an...
Re: Webex and RCE
Kristian Erik Hermansen (Jan 30)
Other than this new remote code execution, wasn't it widely known that even
older versions of WebEx would download sub-resource JAR files over
unencrypted HTTP and just run them without verification? As such, remote
code execution for WebEx (on a hostile network) has been going on a long
time and, as with anything, surely there are additional vectors no one has
found yet and others have kept their lips sealed about ;) Yeah, this is why
many...
Re: Webex and RCE
Ryan Duff (Jan 26)
It should also be worth noting that Cisco's "fix" for this is to only allow
this behavior from "https://*.webex.com" or "https://*.webex.com.cn".
First off, I really hope those domains aren't at all vulnerable to XSS or
this could still be exploited. But the largest issue here in my eyes is
that their "fix" is to basically say "now, only Cisco can arbitrarily
execute code on your...
Webex and RCE
dave aitel (Jan 24)
Trainings tend to be about the past. They are more war stories than
distilled wisdom. Like when we teach you how to do a client-side and
then a kernel exploit
<http://infiltratecon.com/training.html#click-here-for-ring0>, that's
because that's the attack path that's been most successful for us in the
past.
But a lot of hacking is less brute force than that - a lot of it is just
knowing where to look, or gaining expertise in...
Re: #HackingTogether.org
Dave Aitel (Jan 23)
Just as a secondary note, we always offer non-alcoholic cocktails at
INFILTRATE for similar reasons...
-dave
Exploits are chameleons
dave aitel (Jan 23)
To mathematicians, exploits are proofs to theorems. To foreign policy
people who specialize in export control, they are "dual-use items", and
to people in information security they are simply ground truths of our
shifting domains.
To state it more simply: Vendor advisories lie to you. Or they present
"alternative truths", sometimes on purpose, sometimes not. Exploits are
your only way to dispel this action in a definitive...
#HackingTogether.org
Rob Fuller (Jan 23)
I'm soo late to this game but I made a video to describe my feelings about
it and help where I can to spread the word:
https://www.youtube.com/watch?v=Wggu_qaYJaQ
part of http://hackingtogether.org/
We on this list are for the most part already participating in a social
group that has support. I'm not saying we don't have problems, but the ones
that don't have such support, who aren't part of any groups or you only see...
Reliability
dave aitel (Jan 17)
There are so many angles on reliability in hacking. Because I wrote some
of the early CANVAS code that, to my chagrin, is still in the
tree, occasionally I get pulled in to explain why some piece of CANVAS
works the way it does. In particular, one of our customers noticed some
forensics artifacts that were unacceptable. But while we were doing
that, the exploit team was pushing out local exploits this month for
Linux and Windows, the COW...
a serious inquiry about how organizations handle e.g. traumatic impacts
Richard Thieme (Jan 17)
My speech on "Playing Through the Pain: The Impact of Dark Knowledge and
Secrets on intelligence and Security Professionals" continues to gain
momentum (over 6000 views on YouTube of the DEF CON talk and more on
the O'Reilly site). The DEF CON video is at
https://www.youtube.com/watch?v=IowHTVxHpAs. The talk will be given again
in Columbus, Ohio (4/21/17) for a regional ISSA meeting and in Dublin for
SOURCE Dublin.
Discussing a...
It's dangerous to go alone: Crypto-Analysis
dave aitel (Jan 09)
<crypto class image>
So I've been writing a bit about the larger "War on Crypto" here:
https://cybersecpolitics.blogspot.com/2017/01/the-csis-paper-review-part-1.html
I know a lot of you hate reading policy stuff (and I'm not fond of how
much a part of my life it has become) but the CSIS paper had a "who's
who" of the policy world on it and is worth critiquing in a larger space
(here on this list, if you...
YSTS 11th Edition - CFP
Luiz Eduardo (Jan 09)
Where: Sao Paulo, Brazil
When: May 22nd, 2017
Call for Papers Opens: December 30th, 2016
Call for Papers Close: February 28th, 2017
http://www.ysts.org
@ystscon
ABOUT THE CONFERENCE
you Sh0t the Sheriff is a very unique, one-day, event dedicated to
bringing cutting edge talks to the top-notch professionals of the
Information Security Community.
The conference’s main goal is to bring the attendees to the current
state of the information...
Just so you don't have to...
Dave Aitel (Dec 17)
I went through the Shadowbroker.zip file they released. It's like, super
old boring crap, but the following readmes were mistakenly included, it
seems. I'll hit a few enters if you don't want to read it because you have
clearance.
-dave
# as of: 2010-07-29 18:01:21 EDT
# EBBISLAND
# (Exploit for Solaris 2.6, 2.7, 2.8, 2.9 and 2.10)
# First ensure that the vulnerable rpc service is running. You must
# be able to reach the...
Results from the 2016 Volatility Plugin Contest are in!
Andrew Case (Dec 07)
We are excited to announce that the results of the 2016 Volatility
Plugin Contest are in:
https://volatility-labs.blogspot.com/2016/12/results-from-2016-volatility-plugin.html
We received a record number of submissions this year, and we are looking
forward to seeing these plugins be adopted in the field.
We also wanted to thank Airbnb again for their donation of $999 to the
prize pool. It is great to see organizations supporting open source...
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
Re: [Security Weekly] cheap hosting
Robin Wood (Sep 23)
Resurrecting an old thread but they now have an affiliate program and I can
issue my own codes so:
20% off all servers AqUVYbUXag
50% off all big dog (whatever that is) 7E9YRUzEZy
After a month with them, their tech support is OK but not great, the server
has stayed up and not had any problems.
Robin
Re: [Security Weekly] projecting in a bright space
Jeremy Pommerening (Aug 28)
I would look for a projector with at least 6000 ANSI Lumens or better. A darker screen (grey) may also help.
Jeremy Pommerening
________________________________
From: Robin Wood <robin () digi ninja>
To: Security Weekly Mailing List <pauldotcom () mail securityweekly com>
Sent: Sunday, August 3, 2014 3:42 AM
Subject: [Security Weekly] projecting in a bright space
I've been looking at the venue for next year's...
[Security Weekly] Two Firefox security bugs related to HTTPS
ffbugishere (Aug 17)
Hello world!
We need votes for security bugs!
Adding "Security Exception" for self-signed HTTPS sites cannot be done
permanently
https://bugzilla.mozilla.org/show_bug.cgi?id=1050100
Firefox 31 doesn't support the industry-recommended best HTTPS
ciphers
https://bugzilla.mozilla.org/show_bug.cgi?id=1051210
Other browsers should have the same bugs fixed..
p.s.: We are not related to this group, but we think they're worth a
penny...
Re: [Security Weekly] Java and Flash decompilers
Will Metcalf (Aug 05)
JPEXS is very nice for flash IMHO.
http://www.free-decompiler.com/flash/
Regards,
Will
Re: [Security Weekly] Java and Flash decompilers
Bradley McMahon (Aug 05)
I've used flare before to pull apart a flash site for a client.
http://www.nowrap.de/flare.html
-Brad
Re: [Security Weekly] SecurityCenter alternative
Steven McGrath (Aug 04)
SC certainly isn’t cheap (as a former SC customer that moved over to Tenable I can attest to that); however, I can point
out that the data aggregation, trending, and custom reporting were huge wins in my book. I guess it's a time/money
trade-off. How much time do you want to spend either cobbling together a tool or manually aggregating the data when
there is another tool already out there that can do it out of the box.
I can speak in more...
Re: [Security Weekly] Java and Flash decompilers
S. White (Aug 04)
A few I've used in the past:
JAD - http://varaneckas.com/jad/ , http://en.wikipedia.org/wiki/JAD_(JAva_Decompiler)
HP SWFscan
Adobe SWF investigator http://labs.adobe.com/technologies/swfinvestigator/
________________________________
From: Robin Wood <robin () digi ninja>
To: Security Weekly Mailing List <pauldotcom () mail securityweekly com>
Sent: Monday, August 4, 2014 5:54 AM
Subject: [Security Weekly] Java and...
[Security Weekly] DoFler @ BSidesLV
Steven McGrath (Aug 04)
This will be the 3rd year that DoFler (the Dashboard of Fail) will be at BSidesLV. This year I wrote a new spiffy
interface for maximum trolling. Let’s be honest now, everyone loves to surf for various forms of horrible on the
internet at cons :D. Also added this year is a little vulnerability analysis (using Tenable’s PVS). Every year I try
to improve it a bit based on everyone’s input, and am always welcome to more feedback.
DB...
Re: [Security Weekly] cheap hosting
Robin Wood (Aug 04)
Already sorted but thanks for the info.
Re: [Security Weekly] Java and Flash decompilers
Nathan Sweaney (Aug 04)
Here are a few others I've used with varying success in the past:
SWFInvestigator - http://labs.adobe.com/technologies/swfinvestigator/
SWFScan - from Rafal Los at HP, though the link has been deleted. (Careful,
I've seen trojaned copies online.)
Re: [Security Weekly] SecurityCenter alternative
Paul Asadoorian (Aug 04)
Thanks all for the informative discussion!
I know, I'm jumping in late, some closing thoughts on the subject:
- SecurityCenter has the unique advantage of consolidating plugin
updates, meaning you could have hundreds of Nessus scanners deployed in
your organization, and the scanners get the plugin feed from your
SecurityCenter system. This removes the requirement of Internet access
(From the scanners), and greatly eases the administration...
Re: [Security Weekly] SecurityCenter alternative
k41zen (Aug 04)
Thanks for all of your help.
We are in discussions with our Tenable contact about solutions for this issue. They’ve helped me out by enabling me to
move forward to at least deploy this into a Pre-Production environment but the costs of SC are a massive stumbling
block; hence my question about something else. Appreciate we have a big Nessus fan base here of which I am a member
too, but just wondered what could be wrapped around it.
I’ll...
Re: [Security Weekly] SecurityCenter alternative
Adrien de Beaupre (Aug 04)
Hi,
I have also written a series of scripts to collect data from tools such as
nmap and nessus to import into MySQL, called OSSAMS:
http://www.ossams.com/wp-content/uploads/2011/10/ossams-parser-SecTor-2011.zip
That leaves report writing as a series of SQL queries.
I also have a series of scripts to kick off scans, as well as a command-line
XML-RPC nessus client in python, if anyone is interested.
Cheers,
Adrien
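The approach Adrien describes (import scanner output into a database, then write the report as queries) in a self-contained form. This is an added example, not OSSAMS code: it loads nmap XML into SQLite instead of MySQL, the scan file is a constructed two-host sample rather than real output, and the table layout, function names and the two report queries are my own choices.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for two hosts in the documentation range 192.0.2.0/24.
SAMPLE_NMAP_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/28" version="7.40">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web1.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.4" method="probed"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.10.3" method="probed"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.10.3" method="probed"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds" method="table"/></port>
    </ports>
  </host>
</nmaprun>
"""

SCHEMA = """
CREATE TABLE IF NOT EXISTS host (
    id INTEGER PRIMARY KEY, addr TEXT NOT NULL UNIQUE, hostname TEXT, state TEXT);
CREATE TABLE IF NOT EXISTS port (
    host_id INTEGER NOT NULL REFERENCES host(id), proto TEXT NOT NULL, portid INTEGER NOT NULL,
    state TEXT, service TEXT, product TEXT, version TEXT,
    PRIMARY KEY (host_id, proto, portid));
"""


def open_db(path=":memory:"):
    """SQLite stands in for the MySQL backend; the queries below are plain SQL."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def _attr(parent, path, name):
    """Attribute of the first child matching path, or None when that child is absent.
    (Element truthiness reflects child count, so the check must be against None.)"""
    el = parent.find(path)
    return el.get(name) if el is not None else None


def import_nmap(conn, xml_bytes):
    """Load hosts and ports from nmap XML; returns (hosts, ports) processed.
    Re-importing the same scan updates rows in place instead of duplicating them."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "nmaprun":
        raise ValueError("not an nmap XML document: root is <%s>" % root.tag)
    hosts = ports = 0
    for host in root.iter("host"):
        addr = _attr(host, "address[@addrtype='ipv4']", "addr") or _attr(host, "address", "addr")
        if addr is None:
            continue
        conn.execute("INSERT OR IGNORE INTO host (addr) VALUES (?)", (addr,))
        conn.execute("UPDATE host SET hostname = ?, state = ? WHERE addr = ?",
                     (_attr(host, "hostnames/hostname", "name"), _attr(host, "status", "state"), addr))
        host_id = conn.execute("SELECT id FROM host WHERE addr = ?", (addr,)).fetchone()[0]
        hosts += 1
        for port in host.iterfind("ports/port"):
            conn.execute("INSERT OR REPLACE INTO port VALUES (?, ?, ?, ?, ?, ?, ?)",
                         (host_id, port.get("protocol"), int(port.get("portid")),
                          _attr(port, "state", "state"), _attr(port, "service", "name"),
                          _attr(port, "service", "product"), _attr(port, "service", "version")))
            ports += 1
    conn.commit()
    return hosts, ports


def open_ports_report(conn):
    """Report as a query: every open port on every live host, in writeup order."""
    return conn.execute("""
        SELECT h.addr, h.hostname, p.proto, p.portid, p.service, p.product, p.version
          FROM host h JOIN port p ON p.host_id = h.id
         WHERE h.state = 'up' AND p.state = 'open'
         ORDER BY h.addr, p.proto, p.portid""").fetchall()


def service_inventory(conn):
    """How many hosts expose each service/product pair, most widespread first."""
    return conn.execute("""
        SELECT p.service, p.product, COUNT(DISTINCT p.host_id) AS hosts
          FROM port p WHERE p.state = 'open'
         GROUP BY p.service, p.product
         ORDER BY hosts DESC, p.service""").fetchall()


if __name__ == "__main__":
    db = open_db()
    print("imported (hosts, ports):", import_nmap(db, SAMPLE_NMAP_XML))
    for row in open_ports_report(db):
        print(row)
    for row in service_inventory(db):
        print(row)
```

The primary key on `(host_id, proto, portid)` together with the `INSERT OR REPLACE` is what makes a rescan safe to re-import: the port row is overwritten rather than appended, so a service that was closed between two scans shows its new state instead of both. Adding Nessus output is a second importer writing into the same tables (plus a findings table keyed the same way), after which the report queries need no change.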
Re: [Security Weekly] cheap hosting
sec list (Aug 04)
Hey Robin,
If you're still looking, might want to try out getclouder.com - they
spin up Linux containers in 5 seconds and use distributed storage, which
is pretty awesome. It's still in beta, so they offer 3 months free
service, but it has been pretty stable so far from my experience.
[Security Weekly] Java and Flash decompilers
Robin Wood (Aug 04)
Hi
I'm trying to put together a list of tools for decompiling Flash and Java
apps. From asking on another list I already have:
Java
JD-GUI
Java Decompiler http://jd.benow.ca/jd-gui/downloads/jd-gui-0.3.6.windows.zip.
Java snoop https://code.google.com/p/javasnoop/
Flash
Trillix
Flashbang https://github.com/cure53/Flashbang
Has anyone here got any others they can suggest?
Ideally I'm looking for free stuff but cheap commercial...
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
Honeypot malware archives
Matteo Cantoni (Feb 14)
Hello everyone,
I would like to share with you, for educational purposes and without any
commercial purpose, data collected by my homemade honeypot.
Nothing new, nothing shocking, nothing sensational... but I think it can
be of interest to newcomers to the world of analysis of malware,
botnets, etc... maybe for a thesis.
The files collected are divided into zip archives, in alphabetical
order, with password (which must be requested via email). Some...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Advisory Notification
Microsoft (Jan 27)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: January 27, 2017
********************************************************************
Security Advisories Released or Updated Today
==============================================
* Microsoft Security Advisory 4010983
- Title: Vulnerability in ASP.NET Core MVC 1.1.0 Could Allow Denial of
Service
-...
Microsoft Security Advisory Notification
Microsoft (Jan 10)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: January 10, 2017
********************************************************************
Security Advisories Released or Updated Today
==============================================
* Microsoft Security Advisory 3214296
- Title: Vulnerabilities in Identity Model Extensions Token Signing
Verification
-...
Microsoft Security Bulletin Summary for January 2017
Microsoft (Jan 10)
********************************************************************
Microsoft Security Bulletin Summary for January 2017
Issued: January 10, 2017
********************************************************************
This bulletin summary lists security bulletins released for
January 2017.
The full version of the Microsoft Security Bulletin Summary for
January 2017 can be found at
<https://technet.microsoft.com/library/security/ms17-jan>....
Microsoft Security Bulletin Releases
Microsoft (Dec 19)
********************************************************************
Title: Microsoft Security Bulletin Releases
Issued: December 19, 2016
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
* MS16-155 - Important
Bulletin Information:
=====================
MS16-155
- Title: Security Update for .NET Framework (3205640)
-...
Microsoft Security Bulletin Summary for December 2016
Microsoft (Dec 13)
********************************************************************
Microsoft Security Bulletin Summary for December 2016
Issued: December 13, 2016
********************************************************************
This bulletin summary lists security bulletins released for
December 2016.
The full version of the Microsoft Security Bulletin Summary for
December 2016 can be found at
<https://technet.microsoft.com/library/security/ms16-dec...
Microsoft Security Bulletin Releases
Microsoft (Dec 13)
********************************************************************
Title: Microsoft Security Bulletin Releases
Issued: December 13, 2016
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
October
* MS16-118 - Critical
* MS16-120 - Critical
* MS16-122 - Critical
* MS16-123 - Important
* MS16-124 - Important
* MS16-126 - Moderate
November
*...
Microsoft Security Bulletin Minor Revisions
Microsoft (Dec 13)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: November 23, 2016
********************************************************************
Summary
=======
The following bulletins and/or bulletin summaries have undergone a
minor revision increment.
Please see the appropriate bulletin for more details.
* MS16-130
* MS16-140
Bulletin Information:...
Microsoft Security Bulletin Minor Revisions
Microsoft (Nov 23)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: November 23, 2016
********************************************************************
Summary
=======
The following bulletins and/or bulletin summaries have undergone a
minor revision increment.
Please see the appropriate bulletin for more details.
* MS16-130
* MS16-140
Bulletin Information:...
Microsoft Security Bulletin Releases
Microsoft (Nov 16)
********************************************************************
Title: Microsoft Security Bulletin Releases
Issued: November 15, 2016
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
* MS16-133 - Important
Bulletin Information:
=====================
MS16-133
- Title: Security Update for Microsoft Office (3199168)
-...
Microsoft Security Bulletin Summary for November 2016
Microsoft (Nov 08)
********************************************************************
Microsoft Security Bulletin Summary for November 2016
Issued: November 8, 2016
********************************************************************
This bulletin summary lists security bulletins released for
November 2016.
The full version of the Microsoft Security Bulletin Summary for
November 2016 can be found at
<https://technet.microsoft.com/library/security/ms16-nov...
Microsoft Security Bulletin Minor Revisions
Microsoft (Nov 08)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: November 8, 2016
********************************************************************
Summary
=======
The following bulletins and/or bulletin summaries have undergone a
minor revision increment.
Please see the appropriate bulletin for more details.
* MS16-035
* MS16-091
* MS16-101
Bulletin Information:...
Microsoft Security Bulletin Summary for October 2016
Microsoft (Oct 27)
********************************************************************
Microsoft Security Bulletin Summary for October 2016
Issued: October 27, 2016
********************************************************************
This is a notification of an out-of-band security bulletin that was
added to the October Security Bulletin Summary on October 27, 2016.
The full version of the Microsoft Security Bulletin Summary for
October 2016 can be found at...
Microsoft Security Bulletin Minor Revisions
Microsoft (Oct 12)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: October 12, 2016
********************************************************************
Summary
=======
The following bulletins and/or bulletin summaries have undergone a
minor revision increment.
Please see the appropriate bulletin for more details.
* MS16-121
Bulletin Information:
=====================
MS16-121...
Microsoft Security Bulletin Releases
Microsoft (Oct 11)
********************************************************************
Title: Microsoft Security Bulletin Releases
Issued: October 11, 2016
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
* MS16-101 - Important
Bulletin Information:
=====================
MS16-101
- Title: Security Update for Windows Authentication Methods (3178465)
-...
Microsoft Security Bulletin Summary for October 2016
Microsoft (Oct 11)
********************************************************************
Microsoft Security Bulletin Summary for October 2016
Issued: October 11, 2016
********************************************************************
This bulletin summary lists security bulletins released for
October 2016.
The full version of the Microsoft Security Bulletin Summary for
April 2016 can be found at
<https://technet.microsoft.com/library/security/ms16-oct>....
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Verizon: 1.5M of Contact Records Stolen, Now on Sale
Jeffrey Walton (Mar 26)
http://www.mobipicker.com/verizon-1-5m-contact-records-stolen-now-sale/:
A business to business telecommunication giant,
Verizon Enterprise Solutions, a Basking Ridge,
New Jersey-based company, has been the latest
victim of a cyber crime that stole 1.5 million contact
records of the customers of Verizon...
I don't quite understand this double talk. Could someone explain to me:
A spokesperson from Verizon said that...
Statement on Lavabit Citation in Apple Case
Jeffrey Walton (Mar 16)
(From John Young on another list):
http://www.facebook.com/KingLadar/posts/10156714933135038
As many of you already know, the government cited the Lavabit case in
a footnote. The problem is their description insinuates a precedent
that was never created. Obviously I was somewhat disturbed by their
misrepresentation. So I decided to draft a statement. And keep in
mind, these are the same people who say "trust us." Click continue to
read...
The NSA's back door has given every US secret to our enemies
Jeffrey Walton (Feb 29)
http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2
Deng Xiaoping, in 1979 - his second year as supreme leader of China -
perceived a fundamental truth that has yet to be fully grasped by most
Western leaders: Software, if properly weaponized, could be far more
destructive than any nuclear arsenal.
Under Deng’s leadership, China began one of the most ambitious and
sophisticated meta- software...
Can Spies Break Apple Crypto?
Jeffrey Walton (Feb 27)
Here's an interesting exchange between Cryptome and Michael Froomkin,
Law Professor at University of Miami, on the All Writs Act
(http://cryptome.org/2016/02/can-spies-break-apple-crypto.htm):
-----
A. Michael Froomkin:
The factual posture in the key Supreme Court precedent, New York
Telephone, involved a situation where only the subject of the order
was capable of providing the assistance at issue. This is the basis
for Apple's...
The FBI's iPhone Problem: Tactical vs. Strategic Thinking
Jeffrey Walton (Feb 23)
http://www.technewsworld.com/story/83130.html
I'm an ex-sheriff, and I've been in and out of security jobs for much
of my life, so I've got some familiarity with the issues underlying
the drama between the FBI and Apple. FBI officials -- and likely those
in every other three-letter agency and their counterparts all over the
world -- would like an easier way to do their jobs. Wouldn't we all?
If they could put cameras in...
Wanted: Cryptography Products for Worldwide Survey
Jeffrey Walton (Jan 01)
(http://www.schneier.com/crypto-gram/archives/2015/1215.html):
In 1999, Lance Hoffman, David Balenson, and others published a survey
of non-US cryptographic products. The point of the survey was to
illustrate that there was a robust international market in these
products, and that US-only export restrictions on strong encryption
did nothing to prevent its adoption and everything to disadvantage US
corporations. This was an important contribution...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
ISC Releases Security Updates for BIND
US-CERT (Feb 08)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
ISC Releases Security Updates for BIND [
https://www.us-cert.gov/ncas/current-activity/2017/02/08/ISC-Releases-Security-Updates-BIND ] 02/08/2017 07:29 PM EST
Original release date: February 08, 2017
The Internet Systems Consortium (ISC) has released updates that address a vulnerability in BIND. Exploitation of this
vulnerability may allow a remote attacker to...
Cisco Clock Signal Component Failure Advisory
US-CERT (Feb 06)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Cisco Clock Signal Component Failure Advisory [
https://www.us-cert.gov/ncas/current-activity/2017/02/06/Cisco-Clock-Signal-Component-Failure-Advisory ] 02/06/2017
06:40 PM EST
Original release date: February 06, 2017
Cisco has released a hardware advisory for a clock signal component used in some of its devices, which include switches
and routers. Devices...
CERT/CC Reports a Microsoft SMB Vulnerability
US-CERT (Feb 03)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
CERT/CC Reports a Microsoft SMB Vulnerability [
https://www.us-cert.gov/ncas/current-activity/2017/02/03/CERTCC-Reports-Microsoft-SMB-Vulnerability ] 02/03/2017 03:48
AM EST
Original release date: February 03, 2017
CERT Coordination Center (CERT/CC) has released information on a Server Message Block (SMB) vulnerability affecting
Microsoft Windows....
WordPress Releases Security Update
US-CERT (Feb 01)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
WordPress Releases Security Update [
https://www.us-cert.gov/ncas/current-activity/2017/01/26/WordPress-Releases-Security-Update ] 01/26/2017 10:25 PM EST
Original release date: January 26, 2017 | Last revised: February 01, 2017
WordPress 4.7.1 and prior versions are affected by multiple vulnerabilities. A remote attacker could exploit some of
these...
Cisco Releases Security Updates
US-CERT (Feb 01)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Cisco Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/02/01/Cisco-Releases-Security-Updates ] 02/01/2017 12:59 PM EST
Original release date: February 01, 2017
Cisco has released security updates to address a vulnerability in its Prime Home platform. Exploitation of this
vulnerability could allow a remote attacker to take control...
VMware Releases Security Updates
US-CERT (Jan 31)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
VMware Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/01/31/VMware-Releases-Security-Updates ] 01/31/2017 04:52 PM EST
Original release date: January 31, 2017
VMware has released security updates to address vulnerabilities in Airwatch Agent, Airwatch Console, and AirWatch Inbox
software. Exploitation of one of these...
Tax Identity Theft Awareness Week
US-CERT (Jan 31)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Tax Identity Theft Awareness Week [
https://www.us-cert.gov/ncas/current-activity/2017/01/31/Tax-Identity-Theft-Awareness-Week ] 01/31/2017 07:31 PM EST
Original release date: January 31, 2017
This is Tax Identity Theft Awareness Week [
https://www.consumer.ftc.gov/blog/tax-identity-theft-awareness-week-has-event-you ], and many federal agencies are
offering...
Cisco Releases Security Updates
US-CERT (Jan 27)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Cisco Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/01/24/Cisco-Releases-Security-Updates ] 01/24/2017 05:05 PM EST
Original release date: January 24, 2017 | Last revised: January 27, 2017
Cisco has released security updates to address a vulnerability in its WebEx browser extensions. Exploitation of this
vulnerability could...
WordPress Releases Security Update
US-CERT (Jan 26)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
WordPress Releases Security Update [
https://www.us-cert.gov/ncas/current-activity/2017/01/26/WordPress-Releases-Security-Update ] 01/26/2017 10:25 PM EST
Original release date: January 26, 2017
WordPress 4.7.1 and prior versions are affected by multiple vulnerabilities. A remote attacker could exploit some of
these vulnerabilities to take control of an...
Mozilla Releases Security Update
US-CERT (Jan 26)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Mozilla Releases Security Update [
https://www.us-cert.gov/ncas/current-activity/2017/01/26/Mozilla-Releases-Security-Update ] 01/26/2017 08:41 PM EST
Original release date: January 26, 2017
Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. Exploitation of some of
these vulnerabilities may allow a remote attacker to...
Cisco Releases Security Updates
US-CERT (Jan 25)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Cisco Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/01/25/Cisco-Releases-Security-Updates ] 01/25/2017 10:05 PM EST
Original release date: January 25, 2017
Cisco has released several updates to address vulnerabilities affecting multiple products. A remote attacker could
exploit one of these vulnerabilities to take control of an...
Google Releases Security Updates for Chrome
US-CERT (Jan 25)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Google Releases Security Updates for Chrome [
https://www.us-cert.gov/ncas/current-activity/2017/01/25/Google-Releases-Security-Updates-Chrome ] 01/25/2017 10:01 PM EST
Original release date: January 25, 2017
Google has released Chrome version 56.0.2924.76 for Windows, Mac, and Linux. This version addresses multiple
vulnerabilities that, if exploited, may...
Data Privacy Day Events
US-CERT (Jan 24)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Data Privacy Day Events [ https://www.us-cert.gov/ncas/current-activity/2017/01/24/Data-Privacy-Day-Events ] 01/24/2017 09:33 PM EST
Original release date: January 24, 2017
As Data Privacy Day (DPD) approaches, US-CERT recommends that users and businesses learn more about how to protect
their privacy and personal information. DPD is celebrated every January 28...
Cisco Releases Security Updates
US-CERT (Jan 24)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Cisco Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/01/24/Cisco-Releases-Security-Updates ] 01/24/2017 05:05 PM EST
Original release date: January 24, 2017
Cisco has released security updates to address a vulnerability in its WebEx browser extensions. Exploitation of this
vulnerability could allow a remote attacker to take...
Mozilla Releases Security Updates
US-CERT (Jan 24)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Mozilla Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/01/24/Mozilla-Releases-Security-Updates ] 01/24/2017 04:29 PM EST
Original release date: January 24, 2017
Mozilla has released a security update to address multiple vulnerabilities in Firefox and Firefox ESR. Exploitation of
some of these vulnerabilities may allow a remote...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
Re: Re: Firejail local root exploit
Thomas Deutschmann (Feb 09)
Hi,
I just received the CVE for the incomplete fix from MITRE via the new
webform. Please see the forwarded message below:
-------- Forwarded Message --------
Subject: Re: [scr292978] firejail - Affected <0.9.44.6
Date: Thu, 9 Feb 2017 10:18:58 -0500
The CVE ID is provided below, after the text associated with your
https://cveform.mitre.org submission. The text reflects the current
status of the CVE at MITRE, and may already have minor changes...
Re: mupdf: heap-based buffer overflow in fz_subsample_pixmap
Agostino Sarubbo (Feb 09)
The upstream commit which fixes the issue:
http://www.ghostscript.com/cgi-bin/findgit.cgi?2c4e5867ee699b1081527bc6c6ea0e99a35a5c27
Re: MITRE is adding data intake to its CVE ID process
Peter Bex (Feb 09)
I'm also concerned about this. Last time I asked a MITRE employee
about this as a result of the automated mail that oss-security
sends out when it detects a CVE request, and I did not receive a
reply.
So far I've only requested CVE IDs for projects that have no
obvious CNA.
For me, having to use a Google docs form is unacceptable. I try to
avoid Google in my life as much as possible. I'd rather avoid
requesting a CVE ID, or...
Re: MITRE is adding data intake to its CVE ID process
Jeremy Stanley (Feb 09)
[...]
[...]
Agreed, having tried to figure out the form it seems geared toward
requesting CVE IDs for vulnerabilities you've found in someone
else's software, and not for maintainers of software to request CVE
IDs for vulnerabilities which have been disclosed to them. The
little detail callout icons for the vendor and product fields link
to the CNA coverage list[0] which in turn instructs, "For open
source software products not...
[OpenStack OSSN 0065] Users of Glance may be able to replace active image data
Luke Hinds (Feb 09)
Users of Glance may be able to replace active image data
---
### Summary ###
When Glance has been configured with the "show_multiple_locations"
option enabled with default policy for set and delete locations, it is
possible for a non-admin user having write access to the image metadata
to replace active image data.
### Affected Services / Software ###
Glance, Havana, Icehouse, Juno, Kilo, Liberty, Mitaka, Newton, Ocata
### Discussion...
A note about the multiple crashes in zziplib
Agostino Sarubbo (Feb 09)
Hello all,
I posted several crashes about zziplib.
The latest release was done ~5 years ago and the upstream bugs place seems to
be dead. However, I will forward them on their website.
I didn't receive any type of feedback from the maintainer so I don't know if
some of them are duplicates.
In any case there are problems where the same codebase was used in more
places, e.g.:...
zziplib: assertion failure in seeko.c
Agostino Sarubbo (Feb 09)
Description:
zziplib is an intentionally lightweight library that offers the ability to
easily extract data from files archived in a single zip file.
A fuzz on it discovered a NULL pointer access.
The complete ASan output:
# unzzipcat-seeko $FILE
/tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/fseeko.c:313: ZZIP_ENTRY *zzip_entry_findfirst(FILE *): Assertion `0 <= root && root < mapsize' failed....
zziplib: load of misaligned address in memdisk.c
Agostino Sarubbo (Feb 09)
Description:
zziplib is an intentionally lightweight library that offers the ability to
easily extract data from files archived in a single zip file.
A fuzz on it discovered the load of a misaligned address. It can cause
undefined behavior.
The complete ASan output:
# unzzipcat-mem $FILE
/tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/memdisk.c:250:33: runtime error: load of misaligned address 0x00000295d17d for type...
zziplib: NULL pointer dereference in main (unzzipcat.c)
Agostino Sarubbo (Feb 09)
Description:
zziplib is an intentionally lightweight library that offers the ability to
easily extract data from files archived in a single zip file.
A fuzz on it discovered a NULL pointer access.
The complete ASan output:
# unzzipcat $FILE
==22686==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f6de98b259a bp 0x7ffddc25a080 sp 0x7ffddc259f98 T0)
==22686==The signal is caused by a READ memory access.
==22686==Hint:...
zziplib: NULL pointer dereference in zzip_mem_entry_new (memdisk.c)
Agostino Sarubbo (Feb 09)
Description:
zziplib is an intentionally lightweight library that offers the ability to
easily extract data from files archived in a single zip file.
A fuzz on it discovered a NULL pointer access.
The complete ASan output:
# unzzipcat-mem $FILE
==7955==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001a (pc 0x7fcfc78e3c50 bp 0x7ffdf55d4f70 sp 0x7ffdf55d4e40 T0)
==7955==The signal is caused by a READ memory access.
==7955==Hint:...
zziplib: NULL pointer dereference in prescan_entry (fseeko.c)
Agostino Sarubbo (Feb 09)
Description:
zziplib is an intentionally lightweight library that offers the ability to
easily extract data from files archived in a single zip file.
The unzzipcat-seeko utility provided by the package, by default, without any
crafted zip shows a NULL pointer access. For completeness I’m attaching my
reproducer.
The complete ASan output:
# unzzipcat-seeko $FILE
==3376==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc...
zziplib: invalid memory read in zzip_mem_entry_extra_block (memdisk.c)
Agostino Sarubbo (Feb 09)
Description:
zziplib is an intentionally lightweight library that offers the ability to
easily extract data from files archived in a single zip file.
A fuzz on it discovered an invalid memory read.
The complete ASan output:
# unzzipcat-mem $FILE
==7950==ERROR: AddressSanitizer: SEGV on unknown address 0x603000014e32 (pc 0x7f414b4c8693 bp 0x7fff48f3ff70 sp 0x7fff48f3fe40 T0)
==7950==The signal is caused by a READ memory access.
#0...
zziplib: out of bounds read in zzip_mem_entry_new (memdisk.c)
Agostino Sarubbo (Feb 09)
Description:
zziplib is an intentionally lightweight library that offers the ability to
easily extract data from files archived in a single zip file.
A fuzz on it discovered an out of bounds read.
The complete ASan output:
# unzzipcat-mem $FILE
==7934==ERROR: AddressSanitizer: unknown-crash on address 0x7f439a704000 at pc 0x0000004bb815 bp 0x7fff911ebe30 sp 0x7fff911eb5e0
READ of size 59396 at 0x7f439a704000 thread T0
#0 0x4bb814 in...
zziplib: NULL pointer dereference in main (unzzipcat-mem.c)
Agostino Sarubbo (Feb 09)
Description:
zziplib is an intentionally lightweight library that offers the ability to
easily extract data from files archived in a single zip file.
A fuzz on it discovered a NULL pointer access.
The complete ASan output:
# unzzipcat-mem $FILE
==7919==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f9a138fb59a bp 0x7ffe1c0b0050 sp 0x7ffe1c0aff78 T0)
==7919==The signal is caused by a READ memory access....
zziplib: heap-based buffer overflow in zzip_mem_entry_extra_block (memdisk.c)
Agostino Sarubbo (Feb 09)
Description:
zziplib is an intentionally lightweight library that offers the ability to
easily extract data from files archived in a single zip file.
A fuzz on it discovered a heap overflow.
The complete ASan output:
# unzzipcat-mem $FILE
==7970==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000f2c8 at pc 0x7f59277fd153 bp 0x7fff136e1e30 sp 0x7fff136e1e28...
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
Silver Bullet 123: Yanek Korff
Gary McGraw (Jul 06)
hi sc-l,
The latest installment of Silver Bullet was posted this morning. Silver Bullet episode 123 features a conversation
with Yanek Korff. Yanek worked for many years at Cigital as a system administrator back in the early days. He then
moved on to operational security work at AOL and running managed security services at Mandiant.
We talk about managing technical people in this episode. We also discuss operational security. Have a...
Educause Security Discussion — Securing networks and computers in an academic environment.
Re: Notifications of external emails
Valdis Kletnieks (Feb 08)
On Wed, 08 Feb 2017 11:43:30 -0500, Frank Barton said:
Not sure what can be done for a DKIM that covers Subject: if you rewrite it.
The simple trick to avoid breaking S/MIME is to restructure the message,
and wrap it in more mime:
--multipart/related
-- your informational message header here
-- the original S/Mime/pgp/whatever here
-- text/plain message body
-- application/digital-signature
I'm pretty sure that MailMan is...
Re: Consistent threads for compromised accounts
Jim Cheetham (Feb 08)
Quoting Frank Barton (2017-02-09 05:53:33)
Agreed, this is a very common practice. Sometimes the test addresses are interleaved into the main outbound runs as
well. We maintain lists of test addresses and use these to detect active compromises.
Duo rollout question
Lawrence Furnival (Feb 08)
We are starting our rollout of Duo for certain groups of users. Like most
schools we have had some “issues”. Some of those have been confirmed to
have been caused by malware but with others it is not so clear. As long as
our users might be using the same password at our institution as with their
Yahoo email or be subject to simple phishing, we can’t be sure.
I am wondering if our Duo rollout might give us a window to determine an...
Sr. Compliance Analyst Opening
Dan Lewis (Feb 08)
The University of West Georgia is searching for a Senior Compliance Analyst
to help navigate us through the challenges of PCI DSS. We are located in
Carrollton, GA – approx. 50 miles west of Atlanta.
Our beautiful campus has expanded to 645 acres as has our enrollment which
surpassed 13,300 in Fall 2016 – our strategic goal is for 15,000 students
by 2020.
The job posting can be reviewed at the following link:...
Re: Notifications of external emails
Miller, Richard H (Feb 08)
We also flag external e-mails. You will need to develop a mechanism to manage a whitelist, since many legitimate e-mails
originate from contractors, other institutions or ESPs outside of your organization.
Richard H. Miller, CISSP, IEEE(SM)
Network Security Architect
IT-Network Engineering & Security
IT Helpdesk 713-798-8737
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of...
Re: [EXTERNAL] Re: [SECURITY] Notifications of external emails
Frank Barton (Feb 08)
Alan, yes. it does break pretty much any kind of digital signature (with
the exception of the inline PGP signatures)
Frank
Re: [EXTERNAL] Re: [SECURITY] Notifications of external emails
Alan Amesbury (Feb 08)
Interesting approach, but doesn't this break DKIM signatures?
Re: Notifications of external emails
Johnson, Kyle A (Feb 08)
We have added the below orange bulletin to every email that comes in from an
external source. I have really tried to increase the awareness around here
by holding presentations, sending out emails, etc. We also haven't had any
push back since we added this feature. It isn't perfect, but it can only
help raise awareness.
Kyle Johnson, GSEC, CEH
Information Security Officer
<mailto:kajohnson () indianatech edu> kajohnson ()...
Re: Notifications of external emails
Adam Maynard (Feb 08)
You can set up a rule to convert all HTML URLs into plaintext. This idea got a lot of pushback where I am, but if
you're already modifying messages it should be easy.
User awareness training is usually the best way to reduce phishing though. Any technical control won't be perfect. You
can block known phishing pages/sources, but there are new ones created constantly.
-Adam
From: The EDUCAUSE Security Constituent Group Listserv...
Re: Notifications of external emails
Thomas Carter (Feb 08)
Appending a footer is something we’re also considering, but I fear that by the time the user reads to the bottom of the
message, they have already fallen for the phishing.
Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu
From: The EDUCAUSE Security...
Keynote speakers - 2017 ND Cyber Security Conference
Theresa Semmens (Feb 08)
This is a great opportunity to visit Fargo and earn CPEs. Students attend for free! Please share with anyone who
might be interested.
Keynote speakers announced for 2017 ND Cyber Security Conference
There is a growing lineup of experts who will share their strategies, best practices and innovative solutions at the
2017 ND Cyber Security Conference<https://www.ndsu.edu/conferences/cybersecurity/...
Re: Project RedCAP
Shankar, Anurag (Feb 08)
Frank,
We have a large instance of REDCap here at Indiana University. Please email me or call me and we can talk more if you
like.
Regards,
Anurag
---
Anurag Shankar, Ph.D. Email: ashankar [at] iu.edu Phone: +1 (812) 856-6978
Center for Applied Cybersecurity Research, Pervasive Technology Institute, Indiana University
2719 E. 10th Street, Suite 231, Bloomington, IN 47408
From: The EDUCAUSE Security Constituent Group Listserv...
Project RedCAP
Frank Barton (Feb 08)
Good morning folks, I apologize for cross-posting, I hope my rationale will
be clear momentarily.
We have been asked about setting up, and locally hosting a Project RedCAP
instance. I am wondering if there are any other institutions that are
either hosting RedCAP internally, or have looked into it and decided not to.
I'm looking for information about the IT support requirements/experiences
and for concerns or experiences about the security...
Re: [EXTERNAL] Re: [SECURITY] Notifications of external emails
Klein Keane, Justin (Feb 08)
Hello,
We’ve done the same thing (adding “[EXTERNAL]” to the subject line of incoming emails) here at Main Line Health for
nearly a year now.
We run regular internal phishing tests and based on metrics we’ve noticed that the subject line addition hasn’t
noticeably affected failure rates of people clicking links or opening attachments. It has positively affected rates of
reporting suspicious e-mail to our help desk, however, so...
Consistent threads for compromised accounts
Frank Barton (Feb 08)
Good morning folks, we've been phished pretty heavily here at Husson, and
we've been able to determine a couple of red-flags. I'm not sure that I
want to publish those that we've found, but I'm wondering if anybody else
has seen similar threads.
- We've seen some "test" messages that seem to get sent to specific
accounts when the account is first compromised
- send-as addresses are changed (often...
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: Bandwidth Savings (Keenan Singh)
Keenan Singh (Feb 09)
Hi Ramy
I reached out to FB and they are looking for a min of 5G Traffic coming
from your AS to qualify for a Cache. Not sure how they came up with 5G as
normally everyone else would ask for 1G Traffic.
Can anyone else confirm? Maybe someone from FB is here and can clarify.
Keenan
Hello Luke and all,
I stumbled upon some news about Facebook edge network servers, does anybody
know anything about the caches the FB use and the ISPs can...
Re: Bandwidth Savings (Keenan Singh)
Ramy Hashish (Feb 09)
Hello Luke and all,
I stumbled upon some news about Facebook edge network servers, does anybody
know anything about the caches the FB use and the ISPs can host? and is
Facebook a part of SVA alliance?
Thanks,
Ramy
Hi Luke,
Re: IoT security
clinton mielke (Feb 08)
Yup! All the mapping I've done is over port 80. I'd have a lot more than I
currently have if I was looking at other ports, probably.
Re: IoT security
valdis . kletnieks (Feb 08)
On Wed, 08 Feb 2017 21:04:07 -0800, clinton mielke said:
Do enough of these poorly designed devices punch themselves a UPNP hole
in the CPE firewall and make themselves detectable, to make this a viable
approach?
Re: IoT security
clinton mielke (Feb 08)
Having spent the last few months systematically scanning ~700k of these
hosts, I'm thinking the following could be considered:
As an ISP, scan your customers' netrange, and notify customers with known
vulnerable devices. With regards to the current Mirai threat, there's only a
handful of devices that are of the most critical importance, i.e., the biggest
fraction of the infected host pie.
Maybe someday I'll get around to parsing my database and...
Re: American Airlines down
Brett Watson (Feb 08)
I was delayed at LAX but apparently a global reboot of Windows actually worked and I'm on my plane.
-b
Re: American Airlines down
Otto Monnig (Feb 08)
Downdetector spiking at 20:00. Reports that captains cannot get flight plans because computers are down.
Re: American Airlines down
Phil Rosenthal (Feb 08)
http://www.flyertalk.com/forum/american-airlines-aadvantage/1820617-aa-com-technical-outage-8feb17.html
Re: American Airlines down
Michael Voity (Feb 08)
Looks like it _just_ came back.....
Sent from my iPhone
American Airlines down
Michael Voity (Feb 08)
Hello
Stuck at DCA after NANOG because American Airlines' systems are down.
Anyone know anything?
Mike
Sent from my iPhone
Re: IoT security
Carl Byington (Feb 08)
I strongly suspect that when the problem gets bad *enough*, someone will
do exactly that. Yes, it is illegal in many places. Since when has the
fact that any particular act is illegal been sufficient to deter
*everyone*?
People still drive while drunk.
Re: IoT security
Michael Yoon (Feb 08)
Very clear illustration, thanks for sharing.
It would seem the solution would involve non-market regulation (EPA for
pollution), or aligning with market forces such as aligning impact to buyer
of security with risk of public access to compromised information (like
videos from IP cameras).
Michael Yoon
In a recent article (
https://www.schneier.com/blog/archives/2017/02/security_and_th.html), Bruce
Schneier sums up the IoT security mitigation issue...
Re: ATT-Level 3 Peering
Justin Wilson (Feb 08)
I had a very clueless ATT salesperson tell me yesterday that “Our company policy is we don’t do BGP sessions.” I have
a client wanting to use ATT as an upstream and they won’t do BGP (mainly due to clueless sales). If this is the level
of competency then good luck. :-)
Justin Wilson
j2sw () mtin net
---
http://www.mtin.net Owner/CEO
xISP Solutions- Consulting – Data Centers - Bandwidth
http://www.midwest-ix.com COO/Chairman...
Re: Telia network quality
John Zettlemoyer (Feb 08)
We've been using Telia for about 3 years in Philly, and have had great success. Most of our European customers noticed
faster services right away when we turned them up.
John Zettlemoyer
Sr. Director of I.T. Infrastructure :: WCiT LLC
856.310.1375 x221 :: john () wcit net :: www.wcit.net
Philadelphia now has an IX!
www.peering.exchange
Re: IoT security
William Herrin (Feb 08)
Okay, so within the confines of lawful activity, how?
'Cause I'm guessing that coordinated criminal activity is going to be
a community non-starter. At least when it's this unambiguous. ;)
Regards,
Bill Herrin
Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating
New “Fileless Malware” Targets Banks and Organizations Spotted in the Wild
David Farber (Feb 09)
> http://thehackernews.com/2017/02/fileless-malware-bank.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+TheHackersNews+(The+Hackers+News+-+Security+Blog)&_m=3n.009a.1425.vh0ao0b30p.udp
>
> <http://thehackernews.com/2017/02/fileless-malware-bank.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Security+Blog%29&_m=3n.009a.1425.vh0ao0b30p.udp>...
How corporate dark money is taking power on both sides of the Atlantic
David Farber (Feb 09)
Begin forwarded message:
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: [Dewayne-Net] How corporate dark money is taking power on both sides of the Atlantic
Date: February 9, 2017 at 9:50:11 AM EST
To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
Reply-To: dewayne-net () warpspeed com
How corporate dark money is taking power on both sides of the Atlantic
A secretive network of business lobbyists has...
The WORST executive order
Dave Farber (Feb 09)
I just wanted to make it clear once again for newcomers that I try to cover all sides of an issue and will be happy to
forward thoughtful, unemotional, factual notes. djf
Begin forwarded message:
> From: Paul Alan Levy <plevy () citizen org>
> Date: February 8, 2017 at 10:06:18 AM EST
> To: "'dave () farber net'" <dave () farber net>
> Subject: The WORST executive order
>
> With all the attention...
Shenzhen: The Silicon Valley of Hardware (Full Documentary)
David Farber (Feb 09)
Begin forwarded message:
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: [Dewayne-Net] Shenzhen: The Silicon Valley of Hardware (Full Documentary)
Date: February 9, 2017 at 6:28:53 AM EST
To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
Reply-To: dewayne-net () warpspeed com
Shenzhen: The Silicon Valley of Hardware (Full Documentary)
By Wired UK
<...
New Mac malware from Iran targets US defense industry, human rights advocates with fake Flash updates
Dave Farber (Feb 08)
http://iphone.appleinsider.com/articles/17/02/08/new-mac-malware-from-iran-targets-us-defense-industry-human-rights-advocates-with-fake-flash-updates
-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125
Unsubscribe...
Invasive Digital Border Searches: Tell EFF Your Story | Electronic Frontier Foundation
David Farber (Feb 08)
> https://www.eff.org/deeplinks/2017/02/invasive-digital-border-searches-tell-eff-your-story
> <https://www.eff.org/deeplinks/2017/02/invasive-digital-border-searches-tell-eff-your-story>
EFF seeks stories about digital border searches
Dave Farber (Feb 07)
---------- Forwarded message ---------
From: EFFector List <editor () eff org>
Date: Tue, Feb 7, 2017 at 6:44 PM
Subject: EFF seeks stories about digital border searches
To: David Farber <dave () farber net>
View as a web page
<https://supporters.eff.org/civicrm/mailing/view?reset=1&id=1953>
[image: EFFector!]
<https://supporters.eff.org/civicrm/mailing/view?reset=1&id=1953> [image:
Electronic Frontier...
Apple, Facebook, Google, Microsoft and 93 other tech companies call travel ban 'unlawful' in rare coordinated legal action
Dave Farber (Feb 06)
---------- Forwarded message ---------
From: Lauren Weinstein <lauren () vortex com>
Date: Mon, Feb 6, 2017 at 11:41 AM
Subject: [ NNSquad ] Apple, Facebook, Google, Microsoft and 93 other tech
companies call travel ban 'unlawful' in rare coordinated legal action
To: <nnsquad () nnsquad org>
Apple, Facebook, Google, Microsoft and 93 other tech companies call travel
ban 'unlawful' in rare coordinated legal action...
The Asilomar AI Principles Should Include Transparency About the Purpose and Means of Advanced AI Systems
Dave Farber (Feb 05)
---------- Forwarded message ---------
From: Dewayne Hendricks <dewayne () warpspeed com>
Date: Sun, Feb 5, 2017 at 8:37 AM
Subject: [Dewayne-Net] The Asilomar AI Principles Should Include
Transparency About the Purpose and Means of Advanced AI Systems
To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
The Asilomar AI Principles Should Include Transparency About the Purpose
and Means of Advanced AI Systems
By Bill...
The FBI is building a national watchlist that gives companies real time updates on employees
Dave Farber (Feb 04)
---------- Forwarded message ---------
From: Dewayne Hendricks <dewayne () warpspeed com>
Date: Sun, Feb 5, 2017 at 12:24 AM
Subject: [Dewayne-Net] The FBI is building a national watchlist that gives
companies real time updates on employees
To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
The FBI is building a national watchlist that gives companies real time
updates on employees
By Ava Kofman
Feb 4 2017
<...
China Gains on the U.S. in the Artificial Intelligence Arms Race
Dave Farber (Feb 04)
---------- Forwarded message ---------
From: Dewayne Hendricks <dewayne () warpspeed com>
Date: Sat, Feb 4, 2017 at 8:05 AM
Subject: [Dewayne-Net] China Gains on the U.S. in the Artificial
Intelligence Arms Race
To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
China Gains on the U.S. in the Artificial Intelligence Arms Race
By JOHN MARKOFF and MATTHEW ROSENBERG
Feb 3 2017
<...
Re Brick & Mortar Store Goes Cashless
Dave Farber (Feb 03)
Interesting
---------- Forwarded message ---------
From: John Gilmore <gnu () toad com>
Date: Fri, Feb 3, 2017 at 7:27 PM
Subject: Re: [IP] Re Brick & Mortar Store Goes Cashless
To: <dave () farber net>
Cc: ip <ip () listbox com>
Rogoff claims that in the US:
> ...the vast bulk of physical currency is held in the underground
> economy, fueling tax evasion and crime of all sorts.
The vast bulk of physical currency is...
Re Brick & Mortar Store Goes Cashless
Dave Farber (Feb 03)
---------- Forwarded message ---------
From: Thomas Leavitt <thomas () thomasleavitt org>
Date: Fri, Feb 3, 2017 at 5:52 PM
Subject: Re: [IP] Re Brick & Mortar Store Goes Cashless
To: Dave Farber <dave () farber net>
Cc: <brett () lariat net>
Dave,
A lot of young people don't have bank accounts. Never established them.
They cost $ to keep and maintain, they expose you to risk (fees and
penalties, debt collectors, tax...
Re Brick & Mortar Store Goes Cashless
Dave Farber (Feb 03)
Btw, when my teenage grandson had to sign some papers for summer employment,
his mother realized that they never taught kids how to do cursive writing,
not even how to sign their names.
---------- Forwarded message ---------
From: Brett Glass <brett () lariat net>
Date: Fri, Feb 3, 2017 at 4:14 PM
Subject: Re: [IP] Brick & Mortar Store Goes Cashless
To: <dave () farber net>
Dave, and Everyone:
Ironically, this is happening at a...
Re Brick & Mortar Store Goes Cashless
Dave Farber (Feb 03)
---------- Forwarded message ---------
From: Rahul Tongia <tongia () cmu edu>
Date: Fri, Feb 3, 2017 at 2:54 PM
Subject: Re: [IP] Re Brick & Mortar Store Goes Cashless
To: David Farber <dave () farber net>
Dave,
The India effort was ostensibly less about a cashless economy per se
(though that's a major additional goal) but about reducing counterfeits,
black money, etc.
Note, a thousand rupees is well over $50 in PPP terms....
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 30.13
RISKS List Owner (Feb 07)
RISKS-LIST: Risks-Forum Digest Tuesday 7 February 2017 Volume 30 : Issue 13
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.13>
The current issue can also be...
Risks Digest 30.12
RISKS List Owner (Feb 01)
RISKS-LIST: Risks-Forum Digest Wednesday 1 February 2017 Volume 30 : Issue 12
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.12>
The current issue can also...
Risks Digest 30.11
RISKS List Owner (Jan 28)
RISKS-LIST: Risks-Forum Digest Saturday 28 January 2017 Volume 30 : Issue 11
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.11>
The current issue can also...
Risks Digest 30.10
RISKS List Owner (Jan 22)
RISKS-LIST: Risks-Forum Digest Sunday 22 January 2017 Volume 30 : Issue 10
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.10>
The current issue can also be...
Risks Digest 30.09
RISKS List Owner (Jan 17)
RISKS-LIST: Risks-Forum Digest Tuesday 17 January 2017 Volume 30 : Issue 09
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.09>
The current issue can also be...
Risks Digest 30.08
RISKS List Owner (Jan 10)
RISKS-LIST: Risks-Forum Digest Tuesday 10 January 2017 Volume 30 : Issue 08
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.08>
The current issue can also be...
Risks Digest 30.07
RISKS List Owner (Jan 08)
RISKS-LIST: Risks-Forum Digest Sunday 8 January 2017 Volume 30 : Issue 07
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.07>
The current issue can also be...
Risks Digest 30.06
RISKS List Owner (Dec 30)
RISKS-LIST: Risks-Forum Digest Friday 30 December 2016 Volume 30 : Issue 06
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.06>
The current issue can also be...
Risks Digest 30.05
RISKS List Owner (Dec 26)
RISKS-LIST: Risks-Forum Digest Monday 26 December 2016 Volume 30 : Issue 05
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.05>
The current issue can also be...
Risks Digest 30.04
RISKS List Owner (Dec 20)
RISKS-LIST: Risks-Forum Digest Tuesday 20 December 2016 Volume 30 : Issue 04
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.04>
The current issue can also...
Risks Digest 30.03
RISKS List Owner (Dec 19)
RISKS-LIST: Risks-Forum Digest Monday 19 December 2016 Volume 30 : Issue 03
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.03>
The current issue can also be...
Risks Digest 30.02
RISKS List Owner (Dec 15)
RISKS-LIST: Risks-Forum Digest Thursday 15 December 2016 Volume 30 : Issue 02
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.02>
The current issue can also...
Risks Digest 30.01
RISKS List Owner (Dec 14)
RISKS-LIST: Risks-Forum Digest Wednesday 14 December 2016 Volume 30 : Issue 01
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.01>
The current issue can also...
Risks Digest 29.96
RISKS List Owner (Dec 10)
RISKS-LIST: Risks-Forum Digest Saturday 10 December 2016 Volume 29 : Issue 96
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/29.96>
The current issue can also...
Risks Digest 29.95
RISKS List Owner (Nov 29)
RISKS-LIST: Risks-Forum Digest Tuesday 29 November 2016 Volume 29 : Issue 95
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/29.95>
The current issue can also...
BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.
How to calculate the ROI of cyber threat defense
Audrey McNeil (Feb 09)
http://www.securityinfowatch.com/article/12302438/how-to-calculate-the-roi-of-cyber-threat-defense
As any executive knows, keeping a close watch on the bottom line is a
critical element of ongoing success. For CIOs, CTOs and CISOs, finding a
way to keep costs down while maximizing protection against potential
security breaches is a familiar struggle. The difficulty often lies in the
paradox that exists when one is essentially investing in...
A company’s biggest cybersecurity threat is often inside the building
Audrey McNeil (Feb 09)
http://www.information-management.com/news/security/a-companys-biggest-cybersecurity-threat-is-often-inside-the-building-10030875-1.html
Think about cyber threats and most people picture sinister, anonymous geeks
feverishly typing away in a dark room as they hunt for confidential data or
strive to disrupt critical systems. But while there is truth to that image,
and an all-too-real peril, a more common and challenging security danger
may be...
Sports Direct hacked last year, and still hasn't told its staff of data breach
Audrey McNeil (Feb 09)
https://www.theregister.co.uk/2017/02/08/sports_direct_fails_to_inform_staff_over_hack_and_data_breach/
Sports Direct has left its 30,000-strong workforce in the dark over a data
breach in the autumn when a hacker accessed internal systems containing
staffers' personal information.
The Register can reveal the UK's largest sports retail business was the
subject of a digital break-in during September, when an attacker exploited
public...
19 laptops containing customer information have been stolen from fintech company GoCardless
Audrey McNeil (Feb 09)
http://www.businessinsider.com/gocardless-laptops-stolen-19-fintech-credit-checking-2017-2
LONDON — Fintech business GoCardless is offering some customers free credit
monitoring for a year after admitting 19 laptops containing personal
information were stolen from its offices.
The stolen laptops contained personal data on an unspecified number of
customers, such as email addresses, passport numbers, dates of birth, and
names, according to...
The who and how of cyber-attacks: types of attackers and their methods
Audrey McNeil (Feb 09)
http://www.out-law.com/en/articles/2017/february/the-who-and-how-of-cyber-attacks-types-of-attackers-and-their-methods/
Having looked at the 10 things you always wanted to know about
cybersecurity but were afraid to ask, we will share our findings in a
themed series. Here we look at the kinds of people behind cybersecurity
breaches and the methods they use.
Who are the attackers?
The sources of attacks are many and varied. The attackers...
Start-ups: Cyber security advice you need to hear
Audrey McNeil (Feb 08)
http://www.bmmagazine.co.uk/columns/opinion/startups-cyber-security-advice-need-hear/
For most big businesses this problem can be met head on by enlisting and
recruiting IT security experts and implementing software that safeguards
them from attacks; investments which are often costly, making them
unattainable for many start-up businesses.
It shouldn’t be a surprise to hear then that cyber attacks are becoming
much more frequent. As the...
Third Circuit Finds FCRA Violation Alone Confers Standing for Data Breach Suit
Audrey McNeil (Feb 08)
http://www.jdsupra.com/legalnews/third-circuit-finds-fcra-violation-99611/
The United States Court of Appeals for the Third Circuit recently ruled
that a data breach class action may proceed on the basis of a Fair Credit
Reporting Act (FCRA) violation alone, even where the putative class members
do not allege that they were actually harmed by the breach. The ruling,
which both relies on and distinguishes the Supreme Court’s recent analysis
of...
Don’t Just Mitigate Ransomware
Audrey McNeil (Feb 08)
http://ww2.cfo.com/the-cloud/2017/02/dont-just-mitigate-ransomware/
Almost every day, it seems, there’s news of another ransomware attack on a
prominent organization. In fact, according to one study, almost 40% of all
businesses experienced an attack from the summer of 2015 to the summer of
2016. To protect our companies against ransomware and its potentially
disastrous technological and financial consequences, we have to understand
what’s...
Safeguarding Your Company from Cyber Tax Crimes - Take Action Now!
Audrey McNeil (Feb 08)
http://www.jdsupra.com/legalnews/safeguarding-your-company-from-cyber-79246/
As if tax season was not bad enough, the U.S. Internal Revenue Service
("IRS") recently issued an urgent alert warning that cybercriminal phishing
scams are utilizing a new, more dangerously effective method for
large-scale thefts of sensitive tax information from tax preparers,
businesses, and payroll companies. Once cybercriminals have this sensitive
tax...
Sizing Up Health Data Breaches Reported in 2017 So Far
Audrey McNeil (Feb 08)
http://www.databreachtoday.com/sizing-up-health-data-breaches-reported-in-2017-so-far-a-9673
Some 22 relatively small health data breaches reported in 2017 have been
added so far to the official federal tally of breaches affecting 500 or
more individuals.
Meanwhile, some breaches reported to federal regulators last year are still
being added to Department of Health and Human Services' Office for Civil
Rights' "wall of...
How to: the CIO's guide to fending off anticipated cyber attacks
Audrey McNeil (Feb 07)
http://opensources.info/how-to-the-ciorsquos-guide-to-fending-off-anticipated-cyber-attacks/
CIOs and CISOs should make it their number one objective to ensure
staff have the knowledge, tools and ability to keep themselves and the
organisation safe from the myriad of threats that are looking to jump over
low barriers or get through chinks in the security armour
The end of last year signalled a stream of stark warnings from cyber...
State Data Breach Notification Statutes: A Year in Review and Preparing for 2017
Audrey McNeil (Feb 07)
http://www.natlawreview.com/article/state-data-breach-notification-statutes-year-review-and-preparing-2017
Following on the heels of an active 2015, where eight states enacted
changes to their data breach notification laws, another five states amended
their statutes in 2016, adding complexity to the current “patchwork” system
of breach notification legislation. Several trends have emerged from these
recent enactments. States are broadening...
What Is Data Theft?
Audrey McNeil (Feb 07)
http://safety.lovetoknow.com/personal-safety-protection/what-is-data-theft
There were over 450 data breaches in the United States that led to nearly
12.7 million records being exposed in 2016. Data theft is a growing problem
in the United States and around the globe. While it's impossible to
inoculate yourself completely from data theft, you can take steps today to
protect yourself and your family from these potentially harmful attacks....
15,000 Vulnerabilities Disclosed In 2016 – Major Vendors Continue To Be Affected
Audrey McNeil (Feb 07)
https://www.riskbasedsecurity.com/2017/02/15000-vulnerabilities-disclosed-in-2016-major-vendors-continue-to-be-affected/
Risk Based Security today announced the release of the annual VulnDB
QuickView report that shows 2016 broke the previous all-time record for the
highest number of reported vulnerabilities. The 15,000 vulnerabilities
cataloged during 2016 by Risk Based Security eclipsed the total covered by
the CVE and National Vulnerability...
Business Cybersecurity: Two Recent Court Decisions Highlight the Need to Take Preemptive Action Against Data Breaches
Audrey McNeil (Feb 07)
http://www.jdsupra.com/legalnews/business-cybersecurity-two-recent-court-31300/
Nowadays, the prudent business owner should be cognizant of cybersecurity
and the public relations and legal costs that can arise from a data breach.
By holding personal information of customers, employees, or anyone else,
the business assumes the legal and public relations obligations to keep
that information secure.
Cybersecurity is an ongoing battle against...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
nullcon se7en CFP is open
nullcon (Aug 25)
Dear Friends,
Welcome to nullcon se7en!
$git commit -a <sin>
<sin> := wrath | pride | lust | envy | greed | gluttony | sloth
nullcon is an annual security conference held in Goa, India. The focus
of the conference is to showcase the next generation of offensive and
defensive security technology. We happily open doors to researchers
and hackers around the world working on the next big thing in security
and request...
Ruxcon 2015 Final Call For Presentations
cfp (Jul 05)
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of September, 2015.
.[x]. About Ruxcon .[x]....
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
capture issue with passive network tap - ETHERNET FRAME CHECK SEQUENCE INCORRECT - now with attachments
Dennis Schneck (Feb 09)
Request to edit the Wireshark Wiki page
Partners (Feb 09)
Hi Team,
I would like to be a part of the EditorGroup to edit the wiki page.
My Username is Packtpartner
Looking forward to your positive reply.
Regards,
Sherwin Silveira
Key Partner Executive
Skype: packt.sherwins
www.packtpub.com
Packt Publishing Private Limited. Registered Address: Plot No. 103, Arena House, 3rd Floor, Road No.12, Opp. Goldfinch
Hotel, MIDC, Andheri East, Mumbai...
Re: Remove our bundled crypto library (in favor of Libgcrypt)?
Peter Wu (Feb 09)
[..]
Thanks Pascal, having Libgcrypt 1.7 for Windows (separate from GnuTLS)
would be great.
I pushed the initial version of the patch at
https://code.wireshark.org/review/20030
One of the macOS buildbots is also missing Libgcrypt, that also needs
to be fixed before merging the final patch.
Re: Remove our bundled crypto library (in favor of Libgcrypt)?
Bálint Réczey (Feb 09)
Hi All,
2017-02-09 11:34 GMT+01:00 Bálint Réczey <balint () balintreczey hu>:
Seeing the Qt libs made me curious and ran another test on Debian
Jessie with packaged 2.2.2 :
rbalint@chaos:~/Downloads$ time wireshark-gtk -X lua_script:exit.lua
real 0m0.304s
user 0m0.244s
sys 0m0.044s
rbalint@chaos:~/Downloads$ time wireshark -X lua_script:exit.lua
real 0m0.906s
user 0m0.556s
sys 0m0.128s
Cheers,
Balint
Re: Remove our bundled crypto library (in favor of Libgcrypt)?
Bálint Réczey (Feb 09)
Hi Guy,
2017-02-08 19:51 GMT+01:00 Guy Harris <guy () alum mit edu>:
perf would show that.
rbalint@chaos:~/Downloads$ cat exit.lua
os.exit(1)
rbalint@chaos:~/Downloads$ wireshark -X lua_script:exit.lua
rbalint@chaos:~/Downloads$ perf record -g -- wireshark -X lua_script:exit.lua
[ perf record: Woken up 1 times to write data ]
[ perf record: Captured and wrote 0.249 MB perf.data (~10883 samples) ]
rbalint@chaos:~/Downloads$ perf report...
Re: How to breakdown the dns queries and show total number against each domain
Abdul Khader (Feb 08)
Dear Peter Wu,
Thanks for the detailed reply.
Thanks all for the quick and swift responses.
Abdul Khader
Re: Remove our bundled crypto library (in favor of Libgcrypt)?
Peter Wu (Feb 08)
Could you clarify this concern? I did not observe an attempt by
Libgcrypt to obtain entropy at startup and neither did it consume
entropy during decryption. So the contribution to wall-clock time should
be (near) zero. How would this affect CPU time?
Or maybe I am misunderstanding your question?
Re: Remove our bundled crypto library (in favor of Libgcrypt)?
Guy Harris (Feb 08)
I'm concerned with consuming CPU and wall-clock time - i.e., slowing *shark startup - not entropy.
Re: wireshark analysis for packet loss
samira afzal (Feb 08)
Thanks for your reply and information
Re: How to breakdown the dns queries and show total number against each domain
Jeff Morriss (Feb 08)
As mentioned by Graham yesterday you need to use the "unsubscribe" option
at the bottom of each email in order to unsubscribe from this mailing list.
Re: How to breakdown the dns queries and show total number against each domain
Sherry Herdman (Feb 08)
I would like the community to stop contacting me...
Re: How to breakdown the dns queries and show total number against each domain
Peter Wu (Feb 08)
Hi Abdul,
Using the "tshark" program, you can produce a text file with all names
from DNS queries. Using coreutils tools (sort and uniq), you can then
obtain a report. For example:
tshark -r dns.pcapng -Y dns.flags.response==0 -Tfields -e dns.qry.name | sort | uniq -c | sort -n
Note that it happens quite often that two queries are done for each
name, an A and AAAA lookup (for IPv4 and IPv6 addresses respectively).
This can...
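Peter Wu's pipeline above, reworked as an added Python example (not code from the thread or from the Wireshark project): it takes the tab-separated text that the same tshark command prints when dns.qry.type is requested as a second field, counts per name exactly as `sort | uniq -c` does, then separates A from AAAA so the doubling he mentions becomes visible, and finally rolls names up to a domain. The sample input is constructed, and the two-label roll-up in count_by_domain() is a simplifying assumption of this example rather than a real registered-domain lookup.

```python
from collections import Counter

# Constructed sample of what the first pipeline stage prints when a second
# field is requested (tab-separated), i.e. the output of:
#   tshark -r dns.pcapng -Y dns.flags.response==0 -Tfields -e dns.qry.name -e dns.qry.type
# dns.qry.type 1 is an A query and 28 an AAAA query.
SAMPLE_TSHARK_OUTPUT = """\
www.example.com\t1
www.example.com\t28
mail.example.com\t1
mail.example.com\t28
www.example.com\t1
www.example.com\t28
update.example.net\t1
"""

QTYPE_NAMES = {"1": "A", "28": "AAAA"}


def parse_queries(text):
    """Yield (name, qtype) pairs from tab-separated tshark field output."""
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, qtype = line.partition("\t")
        # Normalise case and a trailing dot so one name is not counted twice.
        name = name.strip().lower().rstrip(".")
        qtype = qtype.strip()
        yield name, QTYPE_NAMES.get(qtype, qtype)


def count_by_name(text):
    """Same result as `sort | uniq -c` on the name column: A and AAAA both count."""
    return Counter(name for name, _ in parse_queries(text))


def count_by_name_and_type(text):
    """Count per (name, record type), which shows the A/AAAA doubling explicitly."""
    return Counter(parse_queries(text))


def count_by_domain(text, labels=2):
    """Roll names up to their last `labels` labels.

    Keeping two labels is a naive stand-in for the registered domain (an
    assumption of this example; it is wrong for suffixes such as co.uk).
    """
    counts = Counter()
    for name, _ in parse_queries(text):
        counts[".".join(name.split(".")[-labels:])] += 1
    return counts


def report(counts):
    """Ascending by count, like the trailing `sort -n` in the thread."""
    return sorted(counts.items(), key=lambda item: item[1])


if __name__ == "__main__":
    for key, n in report(count_by_name(SAMPLE_TSHARK_OUTPUT)):
        print("%7d %s" % (n, key))
```

On the sample, www.example.com is counted four times by name but twice per record type, which is the A/AAAA effect the reply describes; a real capture is fed in by replacing the constant with the tshark output.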
Re: Remove our bundled crypto library (in favor of Libgcrypt)?
Peter Wu (Feb 08)
I am only familiar with Libgcrypt which is not that hard to use. Have
you tried both libraries? What were your experiences?
License-wise they are similar. Based on development activity (commit
count), it seems that Nettle is mostly developed by one person while
Libgcrypt has more.
An actual look at the Nettle documentation shows that Nettle provides
direct access to crypto routines (aes128_encrypt, aes256_encrypt,
aes_decrypt,...
Re: How to breakdown the dns queries and show total number against each domain
Hugo van der Kooij (Feb 08)
Abdul,
While you can do that manually by creating the proper filters and then counting requests,
it seems to me a rather cumbersome procedure.
Met vriendelijke groet / With kind regards,
Hugo
Hugo van der Kooij
network engineer
QSight IT
T : +31 15 888 0 345
F : +31 15 888 0 445
E : hugo.van.der.kooij () qsight nl
I : http://www.qsight.nl
Arnhem - Delft - Veldhoven
-----Original message-----
From: wireshark-users-bounces () wireshark...
Re: RST In video streaming over TCP socket?
Jaap Keuter (Feb 07)
Hi,
a) you could have a look at RFC 4571 where the same problem is addressed for RTP
b) Yes, MMT packets have a defined start and end. These have to be conveyed across the transport. Datagram transports
(like UDP) have that, stream transports (like TCP) don’t. The notion of needing MTU at this level is incorrect IMHO,
this should be left and dealt with at the network layer. Receive buffer size has nothing to do with message boundary.
c)...
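Jaap Keuter's point (b), as an added Python example that is not part of his reply: RFC 4571 solves the same problem for RTP over TCP by prefixing each packet with a 16-bit length, and the reader below shows that once packets are framed that way the receiver reconstructs them identically whether the bytes arrive one at a time, split inside the length field, or several packets per read, so neither MTU nor receive buffer size plays any part in finding message boundaries. The packet contents and chunk sizes are constructed for the demonstration.

```python
import struct

LENGTH_FIELD = struct.Struct("!H")  # RFC 4571: 16-bit big-endian length, then the packet


def frame(packet):
    """Prefix one packet with its length so the receiver can find its end in the stream."""
    if len(packet) > 0xFFFF:
        raise ValueError("packet too large for a 16-bit length field")
    return LENGTH_FIELD.pack(len(packet)) + packet


class FrameReader:
    """Reassembles length-prefixed packets from whatever chunks the stream delivers."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk):
        """Append bytes from one recv() and return every packet completed by them."""
        self._buf += chunk
        packets = []
        while True:
            if len(self._buf) < LENGTH_FIELD.size:
                break  # length field itself not yet complete
            (length,) = LENGTH_FIELD.unpack_from(self._buf)
            end = LENGTH_FIELD.size + length
            if len(self._buf) < end:
                break  # packet body still incomplete; wait for more bytes
            packets.append(bytes(self._buf[LENGTH_FIELD.size:end]))
            del self._buf[:end]
        return packets

    def pending(self):
        """Bytes buffered that do not yet form a complete packet."""
        return len(self._buf)


def deliver(packets, chunk_sizes):
    """Frame the packets, then hand the stream to a reader in chunks of the given sizes.

    The chunk sizes stand in for TCP's arbitrary segmentation and for the
    receiver's read sizes; the reassembled result must not depend on them.
    """
    stream = b"".join(frame(p) for p in packets)
    reader, received, pos = FrameReader(), [], 0
    for size in chunk_sizes:
        received.extend(reader.feed(stream[pos:pos + size]))
        pos += size
    received.extend(reader.feed(stream[pos:]))  # whatever is left over
    return received


# Constructed stand-ins for MMT packets of different sizes, including an empty one.
SAMPLE_PACKETS = [b"\x01\x02\x03\x04", b"", b"x" * 300, b"last"]

if __name__ == "__main__":
    for sizes in ([1, 4, 2, 150, 100], [6, 2, 302, 6], [10 ** 6]):
        assert deliver(SAMPLE_PACKETS, sizes) == SAMPLE_PACKETS
    print("same packets back for every segmentation")
```

The bound on the length field is what keeps a misbehaving peer from making the receiver buffer without limit: with a 16-bit prefix at most 64 KiB plus two bytes is ever held for one packet, and a framing scheme with a wider length field needs an explicit maximum for the same reason.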
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Re: http_inspect missing requests
Russ (Feb 09)
The raw and rebuilt packets undergo detection. Check your shutdown
stats under "Limits" for each run. You may be hitting the match limit.
See doc/README.counts for details.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
Issue with snort and Coldfusion
sdesort (Feb 09)
Hello. Please forgive me in advance as I have very little experience with snort and pfsense.
I am running snort 3.2.9.1_14 on a pfSense box we just put online. I have a Windows Coldfusion server and a MS SQL
server running, among others, behind pfSense. I am running VRT free, GPLv2 and ET Open rules. I have quite a few rule
categories enabled, including IIS/Coldfusion/os windows/webapp/ MSSQL, etc. Obviously these servers are part of...
Re: Snort and GTP encapsulation info
Ana Serrano Mamolar (Feb 09)
Thanks Joel,
I didn't know this tool until now, very useful. Now I have run it with my last snort.u2 log, but I cannot get any
GTP information.
As I said I have already enabled gtp in my config file. Should I use any special option when running Snort to obtain
this gtp information?
Thanks
________________________________
From: Joel Esler (jesler) <jesler () cisco com>
Sent: 08 February 2017 20:06:32
To: Ana Serrano Mamolar
Cc:...
Re: http_inspect missing requests
Felix Erlacher (Feb 09)
Thanks for the insightful and clarifying answer.
Does a similar behavior apply to the rule application engine as well?
As explained in my last mail, http_inspect states for both traces 10 GET
requests. So I assume that is what the application engine analyzes. But
the number of alerts differs, although the payload, and thus the
searched pattern in the http_header, is the same in both traces.
Thanks and greets
felix
Re: (no subject)
Al Lewis (allewi) (Feb 08)
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>
From: Scott Tolbert <floridapapa911 () gmail com<mailto:floridapapa911 () gmail com>>
Date: Wednesday, February 8, 2017 at 10:06 PM
To: Johnny Green <johnny.b.green1 () gmail com<...
Re: (no subject)
Al Lewis (allewi) (Feb 08)
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>
From: Johnny Green <johnny.b.green1 () gmail com<mailto:johnny.b.green1 () gmail com>>
Date: Wednesday, February 8, 2017 at 9:48 PM
To: 'snort-users' <Snort-users () lists...
Re: (no subject)
Scott Tolbert (Feb 08)
Remove from list
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users...
(no subject)
Johnny Green (Feb 08)
Remove from list
Re: Alert log
Al Lewis (allewi) (Feb 08)
The link for you to remove yourself is at the bottom of the email.
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>
From: Nikolai Shields <shields.nikolai () gmail com<mailto:shields.nikolai () gmail com>>
Date: Wednesday, February 8, 2017 at 7:04 PM
To: Dawit Admassu <dadmassu () stevenson edu<mailto:dadmassu () stevenson edu>>
Cc:...
Re: Barnyard2 loads src IP and dst IP as digital in MySQL
Maxim (Feb 08)
Hi, IPv4 addresses are actually 32-bit integers; you can convert these integers to decimal format using the MySQL inet_ntoa
function, for example,
select inet_ntoa(3232235693) as ip from xxx;
At 2017-02-08 17:48:52, "Ian" <snort_list () fishnet co uk> wrote:
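Maxim's conversion above, as an added Python example (not code from the thread or from Barnyard2): the two helpers mirror MySQL's INET_ATON() and INET_NTOA(), the same SELECT is run against an in-memory SQLite copy of an iphdr-style table with inet_ntoa() registered as a user function, and from_signed32() covers the case where the column was created as a signed INT and so wrapped every address at or above 128.0.0.0 to a negative number. The rows and the column set of the table are constructed for this example.

```python
import ipaddress
import sqlite3


def ipv4_to_int(addr):
    """Dotted-quad -> unsigned 32-bit integer (network byte order), like MySQL INET_ATON()."""
    return int(ipaddress.IPv4Address(addr))


def int_to_ipv4(value):
    """Unsigned 32-bit integer -> dotted-quad, like MySQL INET_NTOA()."""
    value = int(value)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not an unsigned 32-bit value: %r" % value)
    return str(ipaddress.IPv4Address(value))


def from_signed32(value):
    """Recover the address if it was stored in a signed 32-bit column.

    Any address at or above 128.0.0.0 does not fit in a signed INT; a column
    created as INT instead of INT UNSIGNED would have wrapped it negative.
    """
    return value & 0xFFFFFFFF


# Constructed rows modelled on the Snort/Barnyard2 iphdr table (column set
# assumed here): sensor id, event id, source and destination as integers.
SAMPLE_ROWS = [
    (1, 1, ipv4_to_int("192.168.0.173"), ipv4_to_int("10.0.0.5")),
    (1, 2, ipv4_to_int("8.8.8.8"), ipv4_to_int("192.168.0.173")),
]


def query_events(rows=SAMPLE_ROWS):
    """Run the thread's SELECT against an in-memory SQLite copy of the table.

    SQLite has no INET_NTOA(), so the Python function is registered under that
    name; the SQL text itself is what one would run against MySQL.
    """
    conn = sqlite3.connect(":memory:")
    conn.create_function("inet_ntoa", 1, int_to_ipv4)
    conn.execute(
        "CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER)"
    )
    conn.executemany("INSERT INTO iphdr VALUES (?, ?, ?, ?)", rows)
    return conn.execute(
        "SELECT cid, inet_ntoa(ip_src), inet_ntoa(ip_dst) FROM iphdr ORDER BY cid"
    ).fetchall()


if __name__ == "__main__":
    print(int_to_ipv4(3232235693))  # the value from the thread
    for cid, src, dst in query_events():
        print(cid, src, dst)
```

The value in Maxim's example, 3232235693, decodes to 192.168.0.173. The check in int_to_ipv4() is deliberate: a negative number coming out of a signed column is a schema problem to fix with from_signed32() and a column type change, not something to silently convert.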
Re: Alert log
Nikolai Shields (Feb 08)
Please remove me from this list
Re: Snort and GTP encapsulation info
Joel Esler (jesler) (Feb 08)
It may not be a field that is inserted into the db. It may be in the unified2 output file that you can access with
u2spewfoo in the contrib/ directory.
Snort and GTP encapsulation info
Ana Serrano Mamolar (Feb 08)
Hi all,
Again with an encapsulation question.
I am trying to understand how Snort manages GTP encapsulation, which I know is supported. I already enabled gtp in my
config file with "config enable_gtp".
I run Snort with different pcaps that I have that include GTP, trying to see which info I obtain from Snort with a
very silly rule to be sure that it is triggered.
My question is the following: Does somebody know where in the...
Re: http_inspect missing requests
Russ (Feb 08)
The http_inspect preprocessor has evolved over the years to become more
stateful but retains some stateless processing which your new pcaps are
exercising since they lack a full TCP session with 3-way handshake.
Processing the bald data segments can lead to bogus results along with
diminished performance.
Consider the pcap with 10 fully overlapping segments. Snort processed
them all. Within the context of a normal session, only one would...
Re: http_inspect missing requests
James Lay (Feb 08)
Wow did I hose my analysis of that 8-| Totally didn't even look INSIDE
the actual packet...go me!!
We also maintain archives for these lists (some are currently inactive):
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.