SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.
Question regarding hping2?
Epworth, Paul (Aug 05)
Hi,
I have found I can use hping2 from the command line
But if I try to use hping2 -c 5 -I 1 -p 80 -S Playground
If I use hping2 and the hostname i get the output below.
I was hoping to be able to use the example from the book.
Nmap Network Security Scanning Page 262, 263
Hping2 displays leng=46 ip=192.168.0.40 ttl=128...
Andrew's Status Report - #14 of 17
Andrew Jason Farabee (Aug 04)
Accomplishments:
* Started working on refactoring http digest authentication from ncat
into nsock (there was a typo in my last report which should have said
I finished implementing http basic proxy authentication instead of
http digest proxy authentication. )
* Fixed a bug in nmap-nsock-proxyauth's implementation of http
authentication that was causing nsock to ignore 407 http code
responses due to mismatched messages following the code....
Yang's Status Report - #14 of 17
食肉大灰兔V5 (Aug 04)
Hi list,
Accomplishments
* Bug Fix: Npcap causes BAD_POOL_CALLER BSoD if you use Npcap and VMware
Workstation together.
https://github.com/nmap/npcap/commit/9503346936b0ab1b4af87473ac057b0bcf3b017b
* Bug Fix: "Npcap Loopback Adapter" can be successfully renamed in Win10
RTM Chinese version now.
https://github.com/nmap/npcap/commit/14a05039339376c8de6ad5c37c859c32b7f6de37
* New Feature: WSKTest can send custom IPv4 or IPv6 packet...
Re: Gyani's Status Report - #14 of 17
Gyanendra Mishra (Aug 03)
Sorry about the previous email.
Accomplishments :
* This week I continued work on the osinfo library : The library exposes a
function "get_os_info" and has three other classes "UTILITY", "CPE",
"MICROSOFT". The UTILITY class contains functions to fetch the family,
vendor and version of the operating system. The MICROSOFT class contains
parsing specific to the Microsoft Operating systems. The CPE class...
Gyani's Status Report - #14 of 17
Gyanendra Mishra (Aug 03)
Hi list,
Accomplishments
* This week I continued work on the osinfo library : The library exposes a
function "get_os_info" and has three other classes "UTILITY", "CPE",
"MICROSOFT". The UTILITY class contains functions to fetch the family,
vendor and version of the operating system.
Jiayi's Status Report - #13 of 17
Jiayi Ye (Aug 03)
Hi,
Accomplishments:
* Updated smb.lua. Added smb2_find_files to make smb-ls.nse support the smb2
protocol. Added smb2_lock_file, which is sent by the client to either lock
or unlock portions of a file. Tested the library and fixed some bugs. [1]
* Worked on issue 171. Firstly I split smb-check-vulns.nse into six files.
Then I ported these vulnerability scripts to the vulns library. And I was
trying to set up a vuln environment for testing...
Re: can't remember last time NMAP ran without crashing
Daniel Miller (Aug 02)
Steve,
Thanks for the report. Zenmap stores the Nmap XML output in a temporary
file which should be C:\TEMP\zenmap-*.xml. There may be some helpful
information there regarding which phase of the scan is crashing. Do you
know if it crashes right away, or if it takes several minutes or an hour or
more before it crashes?
Alternatively (and this is probably the best option), copy the scan command
from Zenmap (from the Command: input box after...
can't remember last time NMAP ran without crashing
steve (Aug 02)
I will have to use another app if this one won't cooperate.
This always happens on the slow, comprehensive scan. I am trying to do
the most thorough scan for devices on my home network to get the most
information.
I have since reimaged this Dell E6400 laptop having a 512GB SSD & 8GB
RAM w/ Windows 7 64-bit, from what it was before (256GB SSD & 2GB RAM w/
Windows 7 32-bit) and it's still crashing.
Do you have a 64-bit...
Gioacchino's status report #14 of 17
Gioacchino Mazzurco (Aug 02)
Hi!
This week after fixing the last bug discovered by my mentor I have committed
the mass reverse DNS ipv6 support #51 and the fix for #185 (make nmap had
missing dependencies) to the main SVN, after doing this I have realized next
week there is Battlemesh, and I have a talk about nmap and the work I have
done during GSoC on schedule, so I started to prepare for the talk and for the
travel, moreover I am preparing an NSE workshop so we have...
Re: NMAP 6.49 BETA 4 Not Valid
Daniel Miller (Aug 02)
Tim,
We did not build any of the Nmap 6.49BETA-series releases with support for
Windows XP. Microsoft has stopped supporting this 14-year-old OS, and we
did not notice that support had dropped from Visual Studio by default. You
can read more in another mailing list thread [1], but we are currently
weighing our options.
Dan
[1] http://seclists.org/nmap-dev/2015/q3/60
Update to Previous Bug Report
Tim Naami (Aug 02)
I get the C:\Program Files\Nmap\Nxxx.exe is not a valid Win32 application
for:
ncat.exe
nmap-update.exe
nmap.exe
nping.exe
if I double click in the Windows GUI or execute from a command line.
The Uninstall launches as does the Zenmap.exe GUI. What is common among
those that might be causing this?
NMAP 6.49 BETA 4 Not Valid
Tim Naami (Aug 02)
I just downloaded and installed *nmap-6.49BETA4-setup.exe*. I would not
consider myself an UBER user of NMAP but I am fairly familiar with it and
use it quite often (several times a week).
When I run the ZeNMAP GUI I get the following error:
Error executing command
[Error 193] %1 is not a valid Win32 application
Google says it is a problem with the path and starting a service, which did
not make sense. Since I was not doing a big scan I went...
Re: Bug in latest build
Daniel Miller (Aug 01)
Forrest,
Thanks for catching this! We mistakenly used an implementation-specific
name to reference the IPv6 address within a struct in6_addr instead of the
POSIX-defined [1] s6_addr name. Should be fixed in r35039, but let us know
if you have any other problems.
Dan
[1] http://pubs.opengroup.org/onlinepubs/000095399/basedefs/netinet/in.h.html
Bug in latest build
Forrest Aldrich (Aug 01)
All,
Just attempted to build from SVN and received the following compiler error:
g++ -c -I./liblinear -I./liblua -I./libdnet-stripped/include -I./nbase
-I./nsock/include -DHAVE_CONFIG_H -DNMAP_NAME=\"Nmap\"
-DNMAP_URL=\"https://nmap.org\" -DNMAP_PLATFORM=\"i686-pc-linux-gnu\"
-DNMAPDATADIR=\"/usr/local/share/nmap\" -D_FORTIFY_SOURCE=2 -g -O2 -Wall
-fno-strict-aliasing nmap_dns.cc -o nmap_dns.o...
Re: [NSE] smb-ls fixes and improvements
Pierre LALET (Jul 30)
Hi Dan, hi list,
PR #106 (https://github.com/nmap/nmap/pull/106) is ready, with, as
suggested, NSEDoc updated for each module.
Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Nmap 6.49BETA1 released! New scripts, new signatures, new ASCII art!
Fyodor (Jun 04)
Hi Folks. I'm happy to announce the release of Nmap 6.49BETA1. This
version has hundreds of improvements, including:
* 25 new NSE scripts (total is now 494)
* Integrated all of your latest OS detection and version/service detection
submissions (including IPv6). This allows Nmap to properly identify Linux
3.18, Windows 8.1, OS X 10.10, Android 5, etc. We now have more than 10,000
service detection signatures!
* Infrastructure...
Introducing the 2015 Nmap/Google Summer of Code Team!
Fyodor (May 07)
Hello everyone. Google has agreed to sponsor five amazing students to
spend this summer enhancing the Nmap Security Scanner and I'm proud to
introduce our 2015 team:
*Andrew Farabee* will be working to refactor parts of the Nmap codebase in
ways which enable more functionality while also improving performance and
hopefully easing code maintenance too! His first task involves adding a
SOCKS proxy name resolution feature to enable scanning...
Nmap Project Seeking Talented Programmers for Google Summer of Code
Fyodor (Mar 25)
Hi folks. I'm delighted to report that Nmap has been accepted by Google to
participate in this year's Summer of Code internship program. This
innovative and extraordinarily generous program provides $5,500 stipends to
college and graduate students anywhere in the world who spend the summer
improving Nmap from home! They gain valuable experience, get paid,
strengthen their résumés, and write code for millions of users. We're...
Nmap Project Seeking Talented Programmers for Google Summer of Code--Last Day to Apply!
Fyodor (Mar 20)
Hi folks. I'm delighted to report that Nmap has been accepted by Google to
participate in this year's Summer of Code internship program. This
innovative and extraordinarily generous program provides $5,500 stipends to
college and graduate students anywhere in the world who spend the summer
improving Nmap from home! They gain valuable experience, get paid,
strengthen their résumés, and write code for millions of users. We're...
Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
Comment form CSRF in WordPress 4.2.2 allows admin impersonation via comments
dxw Security (Aug 05)
Details
================
Software: WordPress
Version: 3.8.1,3.8.2,4.2.2
Homepage: http://wordpress.org/
Advisory report:
https://security.dxw.com/advisories/comment-form-csrf-allows-admin-impersonation-via-comments-in-wordpress-4-2-2/
CVE: Awaiting assignment
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)
Description
================
Comment form CSRF in WordPress 4.2.2 allows admin impersonation via comments
Vulnerability
================...
Re: Mozilla extensions: a security nightmare
Mario Vilas (Aug 05)
%APPDATA% is within the user's home directory - by default it should not be
writeable by other users. If this is the case then the problem is one of
bad file permissions, not the location.
Incidentally, many other browsers and tons of software also store
executable code in %APPDATA%.
I think "security nightmare" may be a bit of an overstatement here. I'll
refrain from panicking about this "issue" for the time...
SEC Consult SA-20150805-0 :: Websense Content Gateway Stack Buffer Overflow in handle_debug_network
SEC Consult Vulnerability Lab (Aug 05)
SEC Consult Vulnerability Lab Security Advisory < 20150805-0 >
=======================================================================
title: Stack buffer overflow in handle_debug_network
product: Websense Triton Content Manager
vulnerable version: 8.0.0 build 1165
fixed version: V8.0.0 HF02
CVE number: CVE-2015-5718
impact: high
homepage: www.websense.com...
Mozilla extensions: a security nightmare
Stefan Kanthak (Aug 05)
Hi @ll,
Mozilla Thunderbird 38 and newer installs and activates per default
the 'Lightning' extension.
Since extensions live in the (Firefox and) Thunderbird profiles
(which are stored beneath %APPDATA% in Windows) and 'Lightning' comes
(at least for Windows) with a DLL and some Javascript, Thunderbird
with 'Lightning' violates one of the mandatory and basic requirements
of the now 20 year old "Designed for...
Re: Symantec Endpoint Protection
Markus Wulftange (Aug 03)
Hi Brandon,
we found two injection points. One in the BinaryFileHandler class:
POST /servlet/ConsoleServlet HTTP/1.1
Host: 192.168.40.133:8443
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Cookie: JSESSIONID=D739FA0884EB78B31B1D23AEA899C175
ActionType=BinaryFile&Action=EXISTS&GUID=0'or'1'='1
And one in the ExpRecordHandler class:
POST /servlet/ConsoleServlet...
New BlackArch Linux ISOs (version 2015.07.31)
Black Arch (Aug 03)
Hi,
Today we released new BlackArch Linux ISOs. The new ISOs include over
1230 tools for i686 and x86_64 and over 1010 tools for armv6h and armv7h.
A detailed ChangeLog can be found here: https://www.blackarch.org/blog.html
If you're not already familiar with BlackArch Linux, please read the
DESCRIPTION section below.
[ DOWNLOAD ]
You can download the new ISOs here: https://www.blackarch.org/download.html
<...
CODEBLUE.JP - Security Conference in Tokyo Calling for Papers by Sep.10
Kana Shinoda (Aug 02)
Dear all,
CODE BLUE in Tokyo is looking for innovative and creative research topics
regarding information security to be presented at the conference.
CODE BLUE is an international conference in Tokyo with cutting edge
talks from all over the world, and is a place for all participants to
exchange information and interact beyond borders and languages.
We will support the travel airfare/accommodation/honorarium for one speaker
per session....
Vulnerability in VirtueMart for Joomla
MustLive (Aug 01)
Hello list!
This is Brute Force vulnerability in VirtueMart for Joomla. Which is at
order details page.
-------------------------
Affected products:
-------------------------
Vulnerable are VirtueMart 3.0.9 for Joomla and previous versions.
----------
Details:
----------
Brute Force (WASC-11):
http://site/index.php?option=com_virtuemart&view=orders&layout=details&order_number=1&order_pass=p_11111
Weak password due to limit...
Re: Symantec Endpoint Protection
Brandon Perry (Aug 01)
Do you have example requests for the SQL injections?
Symantec Endpoint Protection
Markus Wulftange (Aug 01)
Code White found several vulnerabilities in Symantec Endpoint Protection
(SEP), affecting versions 12.1 prior to 12.1 RU6 MP1.
SEP Manager (SEPM):
* CVE-2015-1486: Authentication Bypass
* CVE-2015-1487: Arbitrary File Write
* CVE-2015-1488: Arbitrary File Read
* CVE-2015-1489: Privilege Escalation
* CVE-2015-1490: Path Traversal
* CVE-2015-1491: SQL Injection
SEP clients:
* CVE-2015-1492: Binary Planting
Official Symantec advisory SYM15-007:...
PhotoPost PHP 4.8c Cookie Based Stored XSS (Cross-site Scripting) Web Application 0-Day Bug
Jing Wang (Aug 01)
PhotoPost PHP 4.8c Cookie Based Stored XSS (Cross-site Scripting) Web
Application 0-Day Bug
Exploit Title: PhotoPost PHP __utmz Cookie Stored XSS Web Security
Vulnerability
Product: PhotoPost PHP
Vendor: PhotoPost
Vulnerable Versions: 4.8c 4.8.6 4.8.5 4.8.2 3.1.1 vB3
Tested Version: 4.8c vB3
Advisory Publication: July 25, 2015
Latest Update: July 28, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference:
Impact CVSS Severity...
Fwd: CVE_for_Vulnerability_theholidaycalendar
Luciano Pedreira (Jul 30)
---------- Forwarded message ----------
From: Luciano Pedreira <lpedreira () gmail com>
Date: 2015-07-20 10:06 GMT-03:00
Subject: CVE_for_Vulnerability_theholidaycalendar
To: cve-assign () mitre org
Dear,
In recent research conducted on the "The Holiday Calendar" plugin
(http://www.theholidaycalendar.com /
https://wordpress.org/plugins/the-holiday-calendar) I found a vulnerability
related to Cross Site Scripting.
. The Holiday...
Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran - Report
Dancho Danchev (Jul 30)
Hello,
01. Who's who on Iran's Cyber Warfare Scene - the most comprehensive
analysis of Iran's cyber warfare scene, ever performed
02. Where do they go to school? - in-depth analysis of Iran's academic
incubators of the next generation of cyber warriors
03. Who's buying them books? - in-depth geopolitically relevant
analysis of Iran's cyber warfare doctrine
04. How do they own and compromise? - complimentary copies...
Reflected XSS in Flickr Justified Gallery could allows unauthenticated attackers to do almost anything an admin can do (WordPress plugin)
dxw Security (Jul 28)
Details
================
Software: Flickr Justified Gallery
Version: 3.3.6
Homepage: https://wordpress.org/plugins/flickr-justified-gallery/
Advisory report:
https://security.dxw.com/advisories/reflected-xss-in-flickr-justified-gallery-could-allows-unauthenticated-attackers-to-do-almost-anything-an-admin-can-do/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)
Description
================
Reflected XSS in Flickr Justified...
CSRF and XSS vulnerabilities in D-Link DCS-2103
MustLive (Jul 28)
Hello list!
There are Cross-Site Request Forgery and Cross-Site Scripting
vulnerabilities in D-Link DCS-2103 (IP camera).
-------------------------
Affected products:
-------------------------
Vulnerable is the next model: D-Link DCS-2103, Firmware 1.0.0. Version 1.20
and previous versions also must be vulnerable.
----------
Details:
----------
Cross-Site Request Forgery (WASC-09):
CSRF vulnerabilities in all sections of admin panel. E.g....
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
[security bulletin] HPSBUX03388 SSRT102180 rev.1 - HP-UX running OpenSSL, Remote Disclosure of Information
security-alert (Aug 05)
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04760669
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04760669
Version: 1
HPSBUX03388 SSRT102180 rev.1 - HP-UX running OpenSSL, Remote Disclosure of
Information
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2015-08-05
Last...
Re: [FD] Mozilla extensions: a security nightmare
Ansgar Wiechers (Aug 05)
Nonsense. That only becomes an issue if anyone other than the user
putting the code into the location is supposed to be running something
from that location.
Otherwise you'd have to prevent users from putting scripts or
standalone executables anywhere they have write access. Which is
somewhat less than desirable (or feasible) in most environments.
The problem with browser extensions is that they're exposed to input
from the outside...
Re: [FD] Mozilla extensions: a security nightmare
Stefan Kanthak (Aug 05)
"Mario Vilas" <mvilas () gmail com> wrote:
Did I mention OTHER users?
Clearly not, so your "argument" is moot.
Cf. <http://seclists.org/fulldisclosure/2013/Aug/198>
EVERY program which stores executable code in user-writable locations
is CRAPWARE and EVIL since it undermines the security boundary created
by privilege separation and installation of executables in write-protected
locations.
Both are BASIC...
SEC Consult SA-20150805-0 :: Websense Content Gateway Stack Buffer Overflow in handle_debug_network
SEC Consult Vulnerability Lab (Aug 05)
SEC Consult Vulnerability Lab Security Advisory < 20150805-0 >
=======================================================================
title: Stack buffer overflow in handle_debug_network
product: Websense Triton Content Manager
vulnerable version: 8.0.0 build 1165
fixed version: V8.0.0 HF02
CVE number: CVE-2015-5718
impact: high
homepage: www.websense.com...
[SECURITY] [DSA 3328-2] wordpress regression update
Thijs Kinkhorst (Aug 04)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3328-2 security () debian org
https://www.debian.org/security/ Thijs Kinkhorst
August 04, 2015 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : wordpress
CVE ID : CVE-2015-3429 CVE-2015-5622...
Mozilla extensions: a security nightmare
Stefan Kanthak (Aug 04)
Hi @ll,
Mozilla Thunderbird 38 and newer installs and activates per default
the 'Lightning' extension.
Since extensions live in the (Firefox and) Thunderbird profiles
(which are stored beneath %APPDATA% in Windows) and 'Lightning' comes
(at least for Windows) with a DLL and some Javascript, Thunderbird
with 'Lightning' violates one of the mandatory and basic requirements
of the now 20 year old "Designed for...
[SECURITY] [DSA 3328-1] wordpress security update
Thijs Kinkhorst (Aug 04)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3328-1 security () debian org
https://www.debian.org/security/ Thijs Kinkhorst
August 04, 2015 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : wordpress
CVE ID : CVE-2015-3429 CVE-2015-5622...
[SECURITY] [DSA 3327-1] squid3 security update
Salvatore Bonaccorso (Aug 04)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3327-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
August 03, 2015 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : squid3
CVE ID : CVE-2015-5400
Debian Bug :...
[SECURITY] [DSA 3326-1] ghostscript security update
Salvatore Bonaccorso (Aug 03)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3326-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
August 02, 2015 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : ghostscript
CVE ID : CVE-2015-3228
Debian Bug :...
[SECURITY] [DSA 3325-1] apache2 security update
Stefan Fritsch (Aug 03)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3325-1 security () debian org
https://www.debian.org/security/ Stefan Fritsch
August 01, 2015 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : apache2
CVE ID : CVE-2015-3183 CVE-2015-3185...
[SECURITY] [DSA 3324-1] icedove security update
Alessandro Ghedini (Aug 03)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3324-1 security () debian org
https://www.debian.org/security/ Alessandro Ghedini
August 01, 2015 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : icedove
CVE ID : CVE-2015-2721 CVE-2015-2724...
[SECURITY] [DSA 3323-1] icu security update
Laszlo Boszormenyi (Aug 03)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3323-1 security () debian org
https://www.debian.org/security/ Laszlo Boszormenyi
August 01, 2015 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : icu
CVE ID : CVE-2014-6585 CVE-2014-8146...
Multiple XSS vulnerabilities in FortiSandbox WebUI
hyp3rlinx (Aug 03)
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-FORTISANDBOX-0801.txt
Vendor:
================================
www.fortinet.com
PSIRT ID: 1418018
Product:
==================================
FortiSandbox 3000D v2.02 build0042
Vulnerability Type:
===================
XSS
CVE Reference:
==============
Pending
Advisory Information:...
[SECURITY] [DSA 3322-1] ruby-rack security update
Salvatore Bonaccorso (Aug 03)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3322-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
July 31, 2015 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : ruby-rack
CVE ID : CVE-2015-3225
Debian Bug :...
phpFileManager 0.9.8 Remote Command Execution
hyp3rlinx (Jul 31)
[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPFILEMANAGER0728.txt
Vendor:
================================
phpfm.sourceforge.net
Product:
================================
phpFileManager version 0.9.8
Vulnerability Type:
========================
Remote Command Execution
CVE Reference:
==============
N/A
Advisory Information:...
Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
CFP: 2nd EECEA2015 - International Conference on Electrical, Electronics, Computer Engineering and their Applications
Conference Updates (Nov 04)
The Second International Conference on Electrical, Electronics, Computer
Engineering and their Applications (EECEA2015)
University of Perpetual Help System Dalta, Las Piñas - Manila,
Philippines
February 12-14, 2015
http://sdiwc.net/conferences/eecea2015/
All registered papers will be included in SDIWC Digital Library.
===========================================================
The conference aims to enable researchers build connections...
Advanced Android & iOS Hands-on Exploitation Training at Toorcon San Diego
Aditya Gupta (Oct 03)
Hello everyone,
I'm Aditya from Attify. I'm glad to announce that, I'll be running a
2-day class on Android,
iOS and ARM Hands-on Exploitation at Toorcon 2014 in San Diego this
October. The training will focus on a hands-on approach to find vulns
and exploit them on mobile applications as well as the platform as
well.
All the exercises will be performed on a customised Mobile
Exploitation training distro and on a set of...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
SpiderFoot 2.5.0 released
Steve Micallef (Aug 04)
Hi all,
SpiderFoot 2.5.0 is now available, with more modules, added
functionality and bug fixes since 2.3.0 was last announced on this list.
SpiderFoot is an open source intelligence gathering / reconnaissance
tool utilising over 40 data sources and methods, all driven through a
snappy web UI.
Here's what's new since 2.3.0:
- *8* new modules:
- Darkweb search (Onion.city)
- DuckDuckGo
- Wayback...
Arachni Framework v1.2 & WebUI v0.5.7.1 have been released (Web Application Security Scanner)
Tasos Laskos (Jul 17)
Hey folks,
There's a new version of Arachni, a modular and high-performance Web Application Security Scanner.
The highlights of this release are:
* Many optimizations to reduce RAM and CPU consumption.
* SSL interception for websites with HSTS.
* Support for tracking jQuery delegated events.
* Support for custom waiting rules prior to page loads, based on CSS selectors.
* Many new web framework fingerprinters, as well as improvements to...
Ruxcon 2015 Final Call For Presentations
cfp (Jul 06)
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of September, 2015.
.[x]. About Ruxcon .[x]....
Info Security News — Carries news items (generally from mainstream sources) that relate to security.
Hacking Critical Infrastructure: A How-To Guide
InfoSec News (Jul 31)
http://www.defenseone.com/technology/2015/07/hack-critical-infrastructure/118756/
By Patrick Tucker
Defense One
July 31, 2015
Cyber-aided physical attacks on power plants and the like are a growing
concern. A pair of experts is set to reveal how to pull them off — and how
to defend against them.
How easy would it be to pull off a catastrophic cyber attack on, say, a
nuclear power plant? At next week’s Black Hat and Def Con cybersecurity...
Researcher says he can hack GM’s OnStar app, open vehicle, start engine
InfoSec News (Jul 31)
http://venturebeat.com/2015/07/30/researcher-says-can-hack-gms-onstar-app-open-vehicle-start-engine/
By Bernie Woodall in Detroit
and Jim Finkle in Boston
Reuters
July 30, 2015
BOSTON/DETROIT (Reuters) – A researcher is advising drivers not to use a
mobile app for the General Motors OnStar vehicle communications system,
saying hackers can exploit a security flaw in the product to unlock cars
and start engines remotely.
“White-hat”...
Intel Assessment: Weak Response to Breaches Will Lead to More Cyber Attacks
InfoSec News (Jul 31)
http://freebeacon.com/national-security/intel-assessment-obama-admin-response-to-cyber-encourages-more-attacks/
By Bill Gertz
Follow @BillGertz
Washington Free Beacon
July 28, 2015
The United States will continue to suffer increasingly damaging cyber
attacks against both government and private sector networks as long as
there is no significant response, according to a recent U.S. intelligence
community assessment.
Disclosure of the...
Federal Employee May Have Been Cooking Meth at Government Agency’s Campus
InfoSec News (Jul 31)
http://www.govexec.com/oversight/2015/07/fbi-and-congress-are-investigating-if-meth-lab-exploded-federal-building/118751/
By Eric Katz
Govexec.com
July 30, 2015
A federal employee may have recently learned the hard way that cooking
meth should be left to the chemistry experts.
The FBI and a congressional committee are investigating whether a federal
worker was manufacturing methamphetamine in a federal building after a
room exploded earlier...
Critical BIND denial-of-service flaw could disrupt large portions of the Internet
InfoSec News (Jul 31)
http://www.computerworld.com/article/2955005/security/critical-bind-denialofservice-flaw-could-disrupt-large-portions-of-the-internet.html
By Lucian Constantin
IDG News Service
July 30, 2015
Attackers could exploit a new vulnerability in BIND, the most popular
Domain Name System (DNS) server software, to disrupt the Internet for many
users.
The vulnerability affects all versions of BIND 9, from BIND 9.1.0 to BIND
9.10.2-P2, and can be...
United Airlines hacked by China-linked group suspected of previous US attacks
InfoSec News (Jul 30)
http://www.scmp.com/tech/enterprises/article/1845102/united-airlines-hacked-china-linked-group-believed-responsible
Bloomberg
30 July, 2015
The hackers who stole data on tens of millions of US insurance holders and
government employees in recent months breached another big target at
around the same time -- United Airlines.
United, the world’s second-largest airline, detected an incursion into its
computer systems in May or early June,...
N. Korea contacts Italian firm for hacking software: S. Korean lawmaker
InfoSec News (Jul 30)
http://english.yonhapnews.co.kr/full/2015/07/30/41/1200000000AEN20150730005700315F.html
Yonhap
2015/07/30
SEOUL, July 30 (Yonhap) -- An Italian cybersecurity firm testified that
North Korea had contacted the company to purchase hacking software
programs, a South Korean opposition lawmaker said Thursday.
South Korea's top intelligence agency recently admitted to purchasing
similar software from the Milan-based Hacking Team, triggering...
Hackers give up when they go up against this cybersecurity company
InfoSec News (Jul 30)
http://fortune.com/2015/07/29/crowdstrike-cybersecurity-george-kurtz/
By Robert Hackett
@rhhackett
Fortune.com
July 29, 2015
It’s not every day that a company can compel hackers to give up. Yet
that’s exactly what CrowdStrike managed to do earlier this year.
CEO and co-founder George Kurtz tells it like this: A besieged customer
needed backup. So Kurtz’s team sent in reinforcements, placed its
cloud-based software sensors across the...
Windows 10 Shares Your Wi-Fi With Contacts
InfoSec News (Jul 30)
http://krebsonsecurity.com/2015/07/windows-10-shares-your-wi-fi-with-contacts/
By Brian Krebs
Krebs on Security
July 29, 2015
Starting today, Microsoft is offering most Windows 7 and Windows 8 users a
free upgrade to the software giant’s latest operating system — Windows 10.
But there’s a very important security caveat that users should know about
before transitioning to the new OS: Unless you opt out, Windows 10 will by
default share...
Hackers Can Disable a Sniper Rifle -- Or Change Its Target
InfoSec News (Jul 30)
http://www.wired.com/2015/07/hackers-can-disable-sniper-rifleor-change-target/
By Andy Greenberg
Security
Wired.com
07.29.15
PUT A COMPUTER on a sniper rifle, and it can turn the most amateur shooter
into a world-class marksman. But add a wireless connection to that
computer-aided weapon, and you may find that your smart gun suddenly seems
to have a mind of its own—and a very different idea of the target.
At the Black Hat hacker...
'Plague Scanner' controls multiple AV engines, for $0.00
InfoSec News (Jul 27)
http://www.theregister.co.uk/2015/07/27/plague_scanner_box_offers_invisibility_cloak_to_white_hats_vxers/
By Darren Pauli
The Register
27 Jul 2015
Security researcher Robert Simmons has released a tool that offers a new
level of stealth to the malware cat-and-mouse skirmish by shrouding binary
analysis.
"Plague Scanner" is a free on-premise anti-virus framework - a class of
tool that drives multiple anti-virus scanners at once -...
GAO: Defense installation utilities at risk of cyber attack
InfoSec News (Jul 27)
http://www.militarytimes.com/story/military/2015/07/24/utility-cyber-attack/30615033/
By Andrew Tilghman
Staff writer
Military Times
July 25, 2015
The utility systems that provide water, electricity and other essential
services to military installations worldwide have limited defenses against
cyber-attacks, putting many bases at risk for a "serious mission-disabling
event," a new Government Accountability Office report says.
A...
Outrage: Iran deal commits U.S. to teach them how to defeat a cyber attack
InfoSec News (Jul 27)
http://www.americanthinker.com/blog/2015/07/outrage_iran_deal_commits_us_to_teach_them_how_to_defeat_a_cyber_attack_.html
By Thomas Lifson
American Thinker
July 22, 2015
Perhaps the very worst aspect of the Iran deal reached in Vienna is the
commitment of the U.S. and European powers to teach the Iranians how to
resist attacks such as Stuxnet. Although it has received very little
media coverage (Adam Kredo of the Free Beacon is the notable...
Cybercom: Big Data Theft at OPM, Private Networks is New Trend in Cyber Attacks
InfoSec News (Jul 27)
http://freebeacon.com/national-security/cybercom-big-data-theft-at-opm-private-networks-is-new-trend-in-cyber-attacks/
By Bill Gertz
Washington Free Beacon
July 27, 2015
The commander of U.S. Cyber Command said last week that the Office of
Personnel Management hack of millions of records of federal workers shows
a new trend toward using Big Data analytics for both nation-state and
criminal cyber attacks.
“One of the lessons from OPM for...
Smartwatches a new frontier for cyber attack, HP study shows
InfoSec News (Jul 27)
http://www.computerweekly.com/news/4500250398/Smartwatches-a-new-frontier-for-cyber-attack-HP-study-shows
By Warwick Ashford
Security Editor
ComputerWeekly.com
23 Jul 2015
Smartwatches with network and communication functionality represent a new
and open frontier for cyber attack, according to a study by HP Fortify.
The study revealed that 100% of the tested smartwatches contained
significant vulnerabilities, including insufficient...
Firewall Wizards — Tips and tricks for firewall administrators
Re: Interesting infographic on the history of firewalls
Darden, Patrick (Aug 04)
I did something similar to this in 1994-5 at Harvard using a version of rot-13 and icmp. Seriously. And it worked.
:-)
--p
-----Original Message-----
From: firewall-wizards-bounces () listserv cybertrust com [mailto:firewall-wizards-bounces () listserv cybertrust com]
On Behalf Of Marcus J. Ranum
Sent: Saturday, July 26, 2014 11:39 AM
To: Firewall Wizards Security Mailing List
Subject: [EXTERNAL]Re: [fw-wiz] Interesting infographic on the...
Re: Interesting infographic on the history of firewalls
Marcus J. Ranum (Aug 01)
Claudio Telmon wrote:
When I was at TIS, in 199?2, I set up Onions' tunnel driver and a couple
shell scripts that uuencoded the packets coming out of the tunnel, and
emailed them to another system user with a .forward file that uudecoded
the packets and injected them into a peer tunnel. With that setup, and its
opposite on both machines, I was able to NFS mount filesystems across
a secure mail guard. (Hint: if you're doing your own...
Re: Interesting infographic on the history of firewalls
Marcus J. Ranum (Aug 01)
It hasn't happened, yet.
mjr.
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
SpiderFoot 2.5.0 released
Steve Micallef (Aug 02)
Hi all,
SpiderFoot 2.5.0 is now available, with more modules, added
functionality and bug fixes since 2.3.0 was last announced on this list.
SpiderFoot is an open source intelligence gathering / reconnaissance
tool utilising over 40 data sources and methods, all driven through a
snappy web UI.
Here's what's new since 2.3.0..
- *8* new modules:
- Darkweb search (Onion.city)
- DuckDuckGo
- Wayback...
Arachni Framework v1.2 & WebUI v0.5.7.1 have been released (Web Application Security Scanner)
Tasos Laskos (Jul 17)
Hey folks,
There's a new version of Arachni, a modular and high-performance Web Application Security Scanner.
The highlights of this release are:
* Many optimizations to reduce RAM and CPU consumption.
* SSL interception for websites with HSTS.
* Support for tracking jQuery delegated events.
* Support for custom waiting rules prior to page loads, based on CSS selectors.
* Many new web framework fingerprinters, as well as improvements to...
CFP: Passwords 2015, Dec 7-9, Cambridge, UK
Per Thorsheim (Jul 13)
=========================================================================
Passwords 2015
The 9th International Conference on Passwords
7, 8, 9 December 2015
University of Cambridge, United Kingdom
http://www.cl.cam.ac.uk/events/passwords2015/
https://passwordscon.org/
=========================================================================
The Passwords conference was launched in 2010 as a response to the
lack of robustness and usability of...
Ruxcon 2015 Final Call For Presentations
cfp (Jul 06)
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of September, 2015.
.[x]. About Ruxcon .[x]....
Whitepaper: RPO exploitation techniques
Takeshi Terada (Jul 01)
Dear all,
MBSD released a whitepaper on RPO (Relative Path Overwrite) attack techniques.
http://www.mbsd.jp/Whitepaper/rpo.pdf
TOC
1. Introduction
2. Path manipulation techniques
2.1. Loading another file on IIS/ASP.NET
2.2. Loading another file on Safari/Firefox
2.3. Loading another file on WebLogic/IE
2.4. Loading file with query string on WebLogic+Apache
2.5. Attack possibility in other environments
3. Forcing...
t2'15: Call for Papers 2015 (Helsinki / Finland)
Tomi Tuominen (Jun 01)
#
# t2'15 - Call For Papers (Helsinki, Finland) - October 29 - 30, 2015
#
Why spend your valuable conference time in the longest lines you have seen in your life, getting a sun burn or totally
lost in the canals with your rental boat, being deprived of chewing gum or waking up in Nong Palai without any
recollection how you got there? Helsinki offers you the safe and comfortable low-temperature alternative with a chance
of first snow....
hardwear.io - Hardware Security Conference Call for Papers
Hardwear Team (May 29)
Dear Hackers and Security Gurus,
hardwear is seeking innovative research on hardware security. If you
have done interesting research on attacks or mitigation on any
Hardware and want to showcase it to the security community, just
submit your research paper. Please find all the relevant details for
the submission below.
About hardwear.io
----------------------------
Somewhere in the mid of last year, amidst all the news and concerns
surrounding...
SQL Injection within popular Magento blog extension (CVE-2015-3428)
AppCheck Advisories (May 29)
Background
======================
The aheadWorks Blog extension for Magento prior to version 1.3.10 is vulnerable to a critical SQL Injection security
flaw. A remote unauthenticated attacker could exploit this vulnerability to take complete control of the affected
Magento server and database. With almost 80,000 downloads at the time of writing, the affected component is the most
popular blog component available via Magento Connect.
Advisory...
Re: Call for Papers: RAID 2015
Skander Iversen (May 28)
Dear colleagues,
deadline to RAID 2015 has been extended to June 5th.
We kindly encourage to consider submitting your research work there.
Best regards,
sk
Breakpoint 2015 Call For Presentations
cfp (May 18)
Breakpoint 2015 Call For Papers
Melbourne, Australia, October 22nd-23rd
Intercontinental Rialto
http://www.ruxconbreakpoint.com
.[x]. Introduction .[x].
We are pleased to announce Call For Presentations for Breakpoint 2015.
Breakpoint showcases the work of expert security researchers from around the
world on a wide range of topics. This conference is organised by the Ruxcon
team and offers a specialised security conference to complement...
44CON CFP Open
Steve (May 13)
44CON London is the UK's largest combined annual Security Conference and Training event. Taking place on the evening of
the 9th and all day on the 10th and 11th of September at the ILEC Conference Centre near Earls Court, London, we will
have a fully dedicated conference facility, including secure wi-fi with high bandwidth Internet access, catering,
private bar and daily Gin O’Clock break.
_____ _____...
Call for Papers: RAID 2015
Skander Iversen (May 11)
Dear colleagues,
I would like to announce the following CFP.
Please kindly consider submitting to this conference.
This year's RAID will take place in marvelous Kyoto, Japan.
-----------------------------------------
RAID 2015
Kyoto, Japan, November 2-4, 2015
http://www.raid2015.org/
Call for Papers
---------------
The 18th International Symposium on Research in Attacks, Intrusions and Defenses
(RAID 2015) aims at bringing together leading...
Arachni Framework v1.1 & WebUI v0.5.7 have been released (Web Application Security Scanner)
Tasos Laskos (May 01)
Hey folks,
There's a new version of Arachni, an Open Source, modular and high-performance
Web Application Security Scanner Framework.
The highlights of this release are:
* More sensible default options.
* Approximately 7-fold performance increase (YMMV depending on webapp characteristics).
* Support for JSON and XML input vectors.
* Overhauled custom-404 detection heuristics (addresses some edge-case false-positives).
* HTTP updates:
*...
whitepaper: Identifier based XSSI attacks
Takeshi Terada (Apr 21)
Hello list members,
We released a new technical whitepaper titled:
"Identifier based XSSI attacks"
URL:
http://www.mbsd.jp/Whitepaper/xssi.pdf
Summary:
Some new attack techniques and browser vulnerabilities regarding XSSI
(Cross-Site Script Inclusion) are explained. In the attacks, a method
of treating data as a client side script's identifier was employed to
steal the cross-origin data such as CSV, JSON and so on.
Relevant CVE...
Ruxcon 2015 Call For Presentations
cfp (Apr 13)
Ruxcon 2015 Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 30th of June, 2015.
.[x]. About Ruxcon .[x].
Ruxcon is...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Re: The old speak: Wassenaar, Google, and why Spender is right
Michal Zalewski (Aug 05)
To be perfectly clear, I actually strongly agree that individual bugs
don't deserve PR releases, media packets, and flashy conference
presentations. All that is just a product of human nature and a couple
of twisted incentives.
At the same time, I don't subscribe to the absolutist view that
vulnerabilities don't matter, chiefly because I see ample evidence of
such findings making developers more interested in security and
improving...
Re: The old speak: Wassenaar, Google, and why Spender is right
Michal Zalewski (Aug 05)
I am fairly confident that many core components that we depend on have
gotten a lot harder to compromise over the years; we are obviously not
at a point where there are no bugs left (and we're certainly not at a
point where optimal design practices or mitigation frameworks are
bulletproof, either), but at least subjectively, I feel that at any
given time, far fewer people would be able to compromise my web server
than in the 90s, and far...
Re: The old speak: Wassenaar, Google, and why Spender is right
Michal Zalewski (Aug 02)
To be very frank... I think you're a bit guilty of the same
oversimplification that you attribute to the 0-day crowds :-)
Containment and detection matters. So does proper system design. And
yup, every enterprise should plan for getting owned, instead of
assuming that the AV software on their workstations will be able to
stop bad guys in their tracks.
But squashing bugs matters, too - not on an individual scale, but
because all other...
The old speak: Wassenaar, Google, and why Spender is right
Bas Alberts (Aug 02)
This will be a long and ranty one as well as the first DD post I've made
in a non-Immunity capacity (I think).
So anyone that knows me on any personal level knows that I'm a non
disclosure kind of guy. Now I could get into the why and how, but what
it really boils down to is that I subscribe to a fairly peculiar belief
system in which freedom and security are, generally speaking, mutually
exclusive.
I think that in an effort to...
Re: Remember The Titans
Ben Hawkes (Aug 01)
Perfect timing! I'd encourage everyone to go and be distracted by Mateusz'
just-released blog post:
http://googleprojectzero.blogspot.com/2015/07/one-font-vulnerability-to-rule-them-all.html
As far as distractions go, I'm really proud of the work that Mateusz has
done on fonts recently, as it exactly encapsulates everything that Project
Zero is about: cutting edge attack research on high priority targets
performed in the public...
Re: Remember The Titans
Andreas Lindh (Jul 31)
I don't want to come off as some Google fanboi or anything, and I
don't always agree with P0's methods, but Google's business model
pretty much starts and ends with people using the internet (and not
just Google's own services). Making (or appearing to make, whatever
your opinion is) the internet safer by finding and getting bugs fixed
seems like a pretty good start in that regard.
Andreas
Re: Remember The Titans
Michal Zalewski (Jul 31)
Interestingly, history sorta repeats itself:
https://lwn.net/Articles/6137/
Now... while I generally agree with you that some of the
most-publicized work is usually just a distraction and that it gets
picked up by the press based primarily on how much effort is put into
marketing the research and whether it superficially touches one of the
"cool" topics (IoT, mobile, privacy), this one snippet caught my eye:
While folks tend to have...
Remember The Titans
Dave Aitel (Jul 31)
I went back a couple days ago and re-read the latest Qualys exploit, as you
should: http://seclists.org/oss-sec/2015/q3/185 . "Hi, here is a program
that uses RLIMIT_FSIZE to like, own all the systems you probably have in
your enterprise!" Unix is neat!
But equally important is the Qihoo360 talk from Syscan 15. This is
available here: https://www.youtube.com/watch?v=5imoFfjZjx0 . Notice how
they beat up all of Microsoft's very...
"Technical Keynotes and Invited Talks"
Dave Aitel (Jul 28)
https://vimeo.com/album/3416096/video/130242081
So last year the INFILTRATE OpenCFP process worked flawlessly. You don't
get different talks than you would have picked using some really complex
spreadsheet and voting system, like most conferences do, than by using an
OpenCFP and having the public choose what they want to see. And of course,
we don't even validate that the people voting are also coming to the
conference, but it...
Getting Learned Up
Dave Aitel (Jul 27)
Right now in Columbia we have some intrepid students going through our
Client-Side and Ring0 exploitation class. But if you are not sucking
down the firehose that is an Immunity Training, taught by Lurene and
Facundo who have trouble blinking without seeing a WinDBG frameset on
the back of their eyelids, then you probably are like "I wish I knew more."
And lo and behold: INFILTRATE Videos are being released today. Boom!
HERE THEY ARE:...
An experiment...gone right.
Dave Aitel (Jul 21)
So I wanted to thank all the Anonymous and non-anonymous people (esp.
Scott Arciszewski aka @voodooKobra) who helped me write the Immunity BIS
comments yesterday. It's a pretty amazing testimony to both our
community and technology that you can literally crowdsource via a Google
Doc a process like that, and come out far better, far faster, than any
team in a room could do so alone.
This article has a roundup of some of the comments....
The Crypto Summit and "Just say no"
Dave Aitel (Jul 21)
(this is long and dry, sorry in advance, but I felt it was impt stuff).
So last week in DC I attended the Crypto Summit
<https://www.accessnow.org/page/content/crypto-summit/>, put together by
"Access". It was a series of panels, one of which was an entertaining
bloodbath. Watch that one here: https://youtu.be/SZSr9Ao8zBY . This one
as well had some funny moments: https://youtu.be/A0OotbJoGSg
<https://youtu.be/A0OotbJoGSg>...
Re: BIS Cyber Regulations
James Gannon (Jul 20)
My comments are posted here: http://www.regulations.gov/#!documentDetail;D=BIS-2015-0011-0085
And in blog post form here: http://www.netgov.ch/wassenaar-comments/
Like Dave I totally encourage anyone to send a comment, no matter how small, this is important for the future of our
industry.
J
-----Original Message-----
From: dailydave-bounces () lists immunityinc com [mailto:dailydave-bounces () lists immunityinc com] On Behalf Of Dave
Aitel...
BIS Cyber Regulations
Dave Aitel (Jul 20)
Like many people, today I'm sending some fairly long comments about the
new "cyber regulations" coming out of the Commerce Dept. You can too!
And they don't have to be long. All you have to do is send a friendly
email as they suggest:
This link will give you easy instructions....
Capstone disassembly engine 3.0.4 is out!
Nguyen Anh Quynh (Jul 20)
Greetings,
We are excited to announce version 3.0.4 of Capstone disassembly framework!
This stable release fixes some potential security issues in the core, so
existing users are strongly recommended to upgrade.
Summary of important changes in v3.0.4:
- Fixed memory corruption bugs of X86, Arm, Mips, PowerPC & XCore
architectures.
- Properly handle some X86 instructions: OUT, SSE.
- Improve Python binding with more installation options.
-...
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
Re: [Security Weekly] cheap hosting
Robin Wood (Sep 23)
Resurrecting an old thread but they now have an affiliate program and I can
issue my own codes so:
20% off all servers AqUVYbUXag
50% off all big dog (whatever that is) 7E9YRUzEZy
After a month with them, their tech support is OK but not great, the server
has stayed up and not had any problems.
Robin
Re: [Security Weekly] projecting in a bright space
Jeremy Pommerening (Aug 28)
I would look for a projector with at least 6000 ANSI Lumens or better. A darker screen (grey) may also help.
Jeremy Pommerening
________________________________
From: Robin Wood <robin () digi ninja>
To: Security Weekly Mailing List <pauldotcom () mail securityweekly com>
Sent: Sunday, August 3, 2014 3:42 AM
Subject: [Security Weekly] projecting in a bright space
I've been looking at the venue for next year's...
[Security Weekly] Two Firefox security bugs related to HTTPS
ffbugishere (Aug 17)
Hello world!
We need votes for security bugs!
Adding "Security Exception" for self-signed HTTPS sites cannot be done
permanently
https://bugzilla.mozilla.org/show_bug.cgi?id=1050100
Firefox 31 doesn't support the industry recommended best HTTPS
ciphers
https://bugzilla.mozilla.org/show_bug.cgi?id=1051210
Other browsers should have the same bugs fixed..
p.s.: We are not related to this group, but we think they're worth a
penny...
Re: [Security Weekly] Java and Flash decompilers
Will Metcalf (Aug 05)
JPEXS is very nice for flash IMHO.
http://www.free-decompiler.com/flash/
Regards,
Will
Re: [Security Weekly] Java and Flash decompilers
Bradley McMahon (Aug 05)
I've used flare before to pull apart a flash site for a client.
http://www.nowrap.de/flare.html
-Brad
Re: [Security Weekly] SecurityCenter alternative
Steven McGrath (Aug 04)
SC certainly isn’t cheap (as a former SC customer that moved over to Tenable I can attest to that) however I can point
out that the data aggregation, trending, and custom reporting were huge wins in my book. I guess it's a time/money
trade-off. How much time do you want to spend either cobbling together a tool or manually aggregating the data when
there is another tool already out there that can do it out of the box.
I can speak in more...
Re: [Security Weekly] Java and Flash decompilers
S. White (Aug 04)
A few I've used in the past:
JAD - http://varaneckas.com/jad/ , http://en.wikipedia.org/wiki/JAD_(JAva_Decompiler)
HP SWFscan
Adobe SWF investigator http://labs.adobe.com/technologies/swfinvestigator/
________________________________
From: Robin Wood <robin () digi ninja>
To: Security Weekly Mailing List <pauldotcom () mail securityweekly com>
Sent: Monday, August 4, 2014 5:54 AM
Subject: [Security Weekly] Java and...
[Security Weekly] DoFler @ BSidesLV
Steven McGrath (Aug 04)
This will be the 3rd year that DoFler (the Dashboard of Fail) will be at BSidesLV. This year I wrote a new spiffy
interface for maximum trolling. Let’s be honest now, everyone loves to surf for various forms of horrible on the
internet at cons :D. Also added this year is a little vulnerability analysis (using Tenable’s PVS). Every year I try
to improve it a bit based on everyone’s input, and am always welcome to more feedback.
DB...
Re: [Security Weekly] cheap hosting
Robin Wood (Aug 04)
Already sorted but thanks for the info.
Re: [Security Weekly] Java and Flash decompilers
Nathan Sweaney (Aug 04)
Here are a few others I've used with varying success in the past:
SWFInvestigator - http://labs.adobe.com/technologies/swfinvestigator/
SWFScan - from Rafal Los at HP, though the link has been deleted. (Careful,
I've seen trojaned copies online.)
Re: [Security Weekly] SecurityCenter alternative
Paul Asadoorian (Aug 04)
Thanks all for the informative discussion!
I know, I'm jumping in late, some closing thoughts on the subject:
- SecurityCenter has the unique advantage of consolidating plugin
updates, meaning you could have hundreds of Nessus scanners deployed in
your organization, and the scanners get the plugin feed from your
SecurityCenter system. This removes the requirement of Internet access
(From the scanners), and greatly eases the administration...
Re: [Security Weekly] SecurityCenter alternative
k41zen (Aug 04)
Thanks for all of your help.
We are in discussions with our Tenable contact about solutions for this issue. They’ve helped me out by enabling me to
move forward to at least deploy this into a Pre-Production environment but the costs of SC are a massive stumbling
block; hence my question about something else. Appreciate we have a big Nessus fan base here of which I am a member
too, but just wondered what could be wrapped around it.
I’ll...
Re: [Security Weekly] SecurityCenter alternative
Adrien de Beaupre (Aug 04)
Hi,
I have also written a series of scripts to collect data from tools such as
nmap and nessus to import into MySQL called OSSAMS:
http://www.ossams.com/wp-content/uploads/2011/10/ossams-parser-SecTor-2011.zip
That leaves report writing as a series of SQL queries.
I also have a series of scripts to kick off scans, as well as a command
line XML-RPC nessus client in python if anyone is interested.
Cheers,
Adrien
Re: [Security Weekly] cheap hosting
sec list (Aug 04)
Hey Robin,
If you're still looking, might want to try out getclouder.com - they
spin up Linux containers in 5 seconds and use distributed storage, which
is pretty awesome. It's still in beta, so they offer 3 months free
service, but it has been pretty stable so far from my experience.
[Security Weekly] Java and Flash decompilers
Robin Wood (Aug 04)
Hi
I'm trying to put together a list of tools for decompiling Flash and Java
apps. From asking on another list I already have:
Java
JD-GUI
Java Decompiler http://jd.benow.ca/jd-gui/downloads/jd-gui-0.3.6.windows.zip.
Java snoop https://code.google.com/p/javasnoop/
Flash
Trillix
Flashbang https://github.com/cure53/Flashbang
Has anyone here got any others they can suggest?
Ideally I'm looking for free stuff but cheap commercial...
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
Honeypot malware archives
Matteo Cantoni (Feb 14)
Hello everyone,
I would like to share with you for educational purposes and without any
commercial purpose, data collected by my homemade honeypot.
Nothing new, nothing shocking, nothing sensational... but I think it can
be of interest to newcomers to the world of analysis of malware,
botnets, etc... maybe for a thesis.
The files collected are divided into zip archives, in alphabetical
order, with password (which must be requested via email). Some...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Bulletin Summary for July 2015
Microsoft (Jul 29)
********************************************************************
Microsoft Security Bulletin Summary for July 2015
Issued: July 29, 2015
********************************************************************
This is to notify customers of a revision to the Bulletin Summary
for July 2015 to reflect the addition of a Windows 10 update for
MS15-074 and MS15-078, which was released July 29, 2015.
The full version of the Microsoft Security...
Microsoft Security Bulletin Minor Revisions
Microsoft (Jul 29)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: July 29, 2015
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS15-069 - Important
Bulletin Information:
=====================
MS15-069 - Important
-...
Microsoft Security Bulletin Releases
Microsoft (Jul 29)
********************************************************************
Title: Microsoft Security Bulletin Releases
Issued: July 29, 2015
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
* MS15-074 - Important
* MS15-078 - Critical
Bulletin Information:
=====================
MS15-074 - Important
- Title: Vulnerability in Windows...
Microsoft Security Advisory Notification
Microsoft (Jul 29)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: July 29, 2015
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (2755801)
- Title: Update for Vulnerabilities in Adobe Flash Player in
Internet Explorer
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Jul 22)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: July 22, 2015
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS15-058 - Important
* MS15-065 - Critical
Bulletin Information:
=====================...
Microsoft Security Bulletin Releases
Microsoft (Jul 22)
********************************************************************
Title: Microsoft Security Bulletin Releases
Issued: July 22, 2015
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
* MS15-006 - Important
Bulletin Information:
=====================
MS15-006 - Important
- Title: Vulnerability in Windows Error Reporting Could Allow...
Microsoft Security Bulletin Summary for July 2015
Microsoft (Jul 20)
********************************************************************
Microsoft Security Bulletin Summary for July 2015
Issued: July 20, 2015
********************************************************************
This is a notification of an out-of-band security bulletin that was
added to the July Security Bulletin Summary on July 20, 2015.
The full version of the Microsoft Security Bulletin Summary for
July 2015 can be found at
<...
Microsoft Security Advisory Notification
Microsoft (Jul 15)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: July 15, 2015
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (2755801)
- Title: Update for Vulnerabilities in Adobe Flash Player in
Internet Explorer
-...
Microsoft Security Bulletin Summary for July 2015
Microsoft (Jul 14)
********************************************************************
Microsoft Security Bulletin Summary for July 2015
Issued: July 14, 2015
********************************************************************
This bulletin summary lists security bulletins released for
July 2015.
The full version of the Microsoft Security Bulletin Summary for
July 2015 can be found at
<https://technet.microsoft.com/library/security/ms15-jul>.
Critical...
Microsoft Security Advisory Notification
Microsoft (Jul 14)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: July 14, 2015
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (3057154)
- Title: Update to Harden Use of DES Encryption
-...
Microsoft Security Advisory Notification
Microsoft (Jun 23)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: June 23, 2015
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (2755801)
- Title: Update for Vulnerabilities in Adobe Flash Player in
Internet Explorer
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Jun 23)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: June 23, 2015
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS15-044 - Critical
* MS15-049 - Critical
Bulletin Information:
=====================...
Microsoft Security Bulletin Minor Revisions
Microsoft (Jun 17)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: June 17, 2015
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS14-051 - Critical
* MS15-048 - Important
Bulletin Information:
=====================...
Microsoft Security Bulletin Summary for June 2015
Microsoft (Jun 09)
********************************************************************
Microsoft Security Bulletin Summary for June 2015
Issued: June 9, 2015
********************************************************************
This bulletin summary lists security bulletins released for
June 2015.
The full version of the Microsoft Security Bulletin Summary for
June 2015 can be found at
<https://technet.microsoft.com/library/security/ms15-jun>.
Critical...
Microsoft Security Advisory Notification
Microsoft (Jun 09)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: June 9, 2015
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (2962393)
- Title: Update to Default Cipher Suite Priority Order
-...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Re: Wait ... Windows 10 is a P2P torrent?
Steve Pirk (Aug 01)
I can hear some of the smarmy replies already... "Hey, it's free... Quit
your bitching." :)
They could have modeled it like most bittorrent clients by pointing out an
easy way to disable or limit your uploads within the application, not as an
obscure OS configuration setting.
Live and learn... At least they are moving towards open source.
Wait ... Windows 10 is a P2P torrent?
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Aug 01)
http://thenextweb.com/microsoft/2015/07/30/windows-10-steals-your-bandwidth-to-send-other-people-updates/
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
The trouble with the world is that the stupid are cocksure and
the intelligent are full of doubt. - Bertrand Russell
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links...
NSA is missing a trick, here ...
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Jul 31)
http://www.nytimes.com/2015/08/04/science/for-sympathetic-ear-more-chinese-turn-to-smartphone-program.html
"Since Xiaoice collects vast amounts of intimate details on individuals, the
program inevitably raises questions about users' privacy."
Siri, Cortana, Xiaoice, etc. At least with Facebook you have to semi-deliberately
share your deepest secrets with the world. But who is going to remember (or
guard) what they say to a...
It's good that people in San Francisco are taking computer security seriously ...
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Jul 23)
http://pzfeed.com/san-francisco-residents-hiring-witch-to-help-protect-computers-from-evil-spirits-and-viruses/
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
The world is full of smart people who have information about
every imaginable topic, and until the Internet came along, there
wasn't any practical to put it together....
Re: Mixed feelings ...
Blanchard, Michael (InfoSec) (Jul 22)
A company is a company, whether or not they fit *your* moral compass is immaterial really.... it's still a security
breach
Michael P. Blanchard
Principal Security Engineer, CISSP, GCIH, CCSA-NGX, MCSE
Cyber Security Services
EMC² Corporation
32 Coslin Drive
Southboro, MA 01772
-----Original Message-----
From: funsec [mailto:funsec-bounces () lists linuxbox org] On Behalf Of Rob, grandpa of Ryan, Trevor, Devon & Hannah
Sent: Monday,...
Possible legal protection for Ashley Madison clients
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Jul 20)
http://www.japantimes.co.jp/news/2015/06/10/national/crime-legal/surprise-tokyo-court-ruling-endorses-adultery-experts
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
Surely our priorities, encouraged by the handy histrionic soap
box that is social media, are increasingly sorely misplaced, our
common sense increasingly co-opted by no sense....
Mixed feelings ...
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Jul 20)
I know that it's wrong to hack a company, and then threaten to publish all the
private and confidential information obtained in the breach, but I have to admit
that I'm feeling a bit conflicted about feeling outraged when it comes to Ashley
Madison ...
http://www.cbc.ca/news/business/ashley-madison-infamous-infidelity-website-target-of-data-hack-1.3159643
====================== (quote inserted randomly by Pegasus Mailer)
rslade...
server change - new email for funsec
Gadi Evron (Jul 12)
Hi folks, we migrated servers. The new address to send email to is:
funsec () lists linuxbox org
Please also update your filters accordingly.
:)
Thanks,
Gadi.
Ruxcon 2015 Final Call For Presentations
cfp (Jul 12)
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of September, 2015.
.[x]. About Ruxcon .[x]....
Re: Sorry
Dean Webb (Jul 12)
Hello all,
Michal's comment made me recall this recent article from The Bulletin
of Atomic Scientists:
http://thebulletin.org/how-next-us-nuclear-accident-could-happen8441
We can become numb to automation, and then it becomes a blind spot for
us. We assume that things will work because they're in production, yet
they may not have had sufficient testing at boundary conditions to see
how they perform under stress.
Consider also the...
Re: Sorry
David Chess (Jul 12)
And this happened:
https://twitter.com/sarahoconnor_/status/616282747200479232
notsp: RISKS v28 is75 is malware
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Jul 07)
Today my Avast antiviral became convinced that the July 7 issue of the RISKS
Forum Digest is malware, and quarantined it.
Since the first article in this particular Digest is the excellent summary of the
"Keys Under Doormats" report, and since there has recently been evidence that
the NSA has been trying to install backdoors into antiviral software, is it possible
that the NSA is using its backdoor to try and suppress access...
Re: Sorry
Dan Kaminsky (Jul 06)
True-ish -- it's moving from a body (and two eyes) to no body (but no
eyes). Works better on average and much worse in unusual circumstances.
--Dan
Re: Sorry
Michal Zalewski (Jul 03)
Industrial processes are terrifying. Many people die or lose limbs
every year when operating all sorts of factory-floor machinery;
everything from CNC machining centers to metal forming presses can and
does kill. I suspect we find this tragic story captivating because
robotic arms are menacingly anthropomorphic, whereas machining centers
are not? But I bet that by fully automating production lines, they on
balance save lives.
/mz
Re: Sorry
Jim Duncan (Jul 03)
Absolutely. Reading this, my thoughts are that any such robotic system has additional object and motion sensors: if
there's _anything_ in the operating area that's _not_ supposed to be there, you shut down. Immediately. Ditto if you
grasp something of the wrong texture or you lift something of unexpected mass. Full stop. Alarms. Logs. Shut down.
Jim
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
Alert - Upcoming Mail Delivery Changes
US-CERT Alerts (May 10)
National Cyber Awareness System
US-CERT Alert - Upcoming Mail Delivery Changes
Thank you for being a subscriber to our US-CERT Alerts product. We
are striving to keep our capabilities at the leading edge of
communication. You may have noticed we've redesigned and upgraded our
website recently and as a part of that process, on May 14th, we are
migrating to GovDelivery as our email subscription service. As a
current subscriber you will...
Current Activity - Upcoming Mail Delivery Changes
Current Activity (May 10)
National Cyber Awareness System
Thank you for being a subscriber to our US-CERT Current Activity
product. We are striving to keep our capabilities at the leading edge
of communication. You may have noticed we've redesigned and upgraded
our website recently and as a part of that process, on May 14th, we
are migrating to GovDelivery as our email subscription service. As a
current subscriber you will need to do nothing. You will notice a...
Current Activity - Microsoft Releases Advance Notification for May 2013 Security Bulletin
Current Activity (May 09)
National Cyber Awareness System
Microsoft Releases Advance Notification for May 2013 Security Bulletin
Original release date: May 09, 2013
Microsoft has issued a Security Bulletin Advanced Notification
indicating that its May release will contain 10 bulletins. These
bulletins will have the severity rating of critical and important and
will be for Microsoft Windows, Office, Internet Explorer, .NET
Framework, Lync, and Windows Essentials. These...
Current Activity - Adobe Releases Security Advisory for ColdFusion
Current Activity (May 09)
National Cyber Awareness System
Adobe Releases Security Advisory for ColdFusion
Original release date: May 09, 2013
Adobe has identified a critical vulnerability affecting ColdFusion 10,
9.0.2, 9.0.1, 9.0, and earlier versions for Windows, Macintosh, and
UNIX. This vulnerability (CVE-2013-3336) could permit an unauthorized
user to remotely retrieve files stored on a server. There are reports
that an exploit of this vulnerability is publicly...
Current Activity - Microsoft Releases Security Advisory for Internet Explorer
Current Activity (May 07)
National Cyber Awareness System
Microsoft Releases Security Advisory for Internet Explorer
Original release date: May 07, 2013
Microsoft is investigating public reports of a remote code execution
vulnerability in Internet Explorer 8 and is aware of attacks that
attempt to exploit this vulnerability. This vulnerability may allow an
attacker to execute arbitrary code if a user accesses a specially
crafted website. Microsoft is actively working...
Current Activity - Cisco Releases Security Advisories
Current Activity (Apr 25)
National Cyber Awareness System
Cisco Releases Security Advisories
Original release date: April 25, 2013
Cisco has released three security advisories to address vulnerabilities
affecting Cisco NX-OS-based products, Cisco Device Manager, and Cisco
Unified Computing System. These vulnerabilities may allow an attacker to
bypass authentication controls, execute arbitrary code, obtain sensitive
information, or cause a denial-of-service condition....
Current Activity - Apple Releases Security Updates for Safari
Current Activity (Apr 18)
National Cyber Awareness System
Apple Releases Security Updates for Safari
Original release date: April 18, 2013
Apple has released security updates for Safari 6.0.4 WebKit to address
multiple vulnerabilities. These vulnerabilities could allow a remote
attacker to execute arbitrary code or cause a denial-of-service
condition.
Safari 6.0.4 WebKit updates are available for the following versions:
* OS X Lion v10.7.5
* OS X Lion Server v10.7.5...
Alert TA13-107A: Oracle has released multiple updates for Java SE
US-CERT Alerts (Apr 18)
National Cyber Awareness System
TA13-107A: Oracle has released multiple updates for Java SE
Original release date: April 17, 2013
Systems Affected
* JDK and JRE 7 Update 17 and earlier
* JDK and JRE 6 Update 43 and earlier
* JDK and JRE 5.0 Update 41 and earlier
* JavaFX 2.2.7 and earlier
Overview
Oracle has released a Critical Patch Update (CPU) for Java SE. Oracle
strongly recommends that customers apply CPU fixes as soon as possible....
Current Activity - Scams Exploiting Boston Marathon Explosion
Current Activity (Apr 17)
National Cyber Awareness System
Scams Exploiting Boston Marathon Explosion
Original release date: April 17, 2013
Malicious actors are exploiting the April 15 explosions at the Boston
Marathon in attempts to collect money intended for charities and to
spread malicious code. Fake websites and social networking accounts have
been set up to take advantage of those interested in learning more
details about the explosions or looking to contribute to...
Current Activity - Malicious Actors May Take Advantage of Boston Marathon Explosion
Current Activity (Apr 17)
National Cyber Awareness System
Malicious Actors May Take Advantage of Boston Marathon Explosion
Original release date: April 17, 2013
Historically, scammers, spammers, and other malicious actors capitalize
on major news events by registering domain names related to the events.
Malicious actors may attempt to exploit the April 15, 2013 explosions at
the Boston Marathon in this way. Some may use fake domains to take
advantage of those interested...
Current Activity - Oracle Releases April 2013 Security Advisory
Current Activity (Apr 17)
National Cyber Awareness System
Oracle Releases April 2013 Security Advisory
Original release date: April 17, 2013
Oracle has released its Critical Patch Update for April 2013 to address
128 vulnerabilities across multiple products. This update contains the
following security fixes:
* 4 for Oracle Database Server
* 29 for Oracle Fusion Middleware
* 6 for Oracle E-Business Suite
* 3 for Oracle Supply Chain Products Suite
* 11 for Oracle...
Current Activity - WordPress Sites Targeted by Mass Brute-force Botnet Attack
Current Activity (Apr 15)
National Cyber Awareness System
WordPress Sites Targeted by Mass Brute-force Botnet Attack
Original release date: April 15, 2013
US-CERT is aware of an ongoing campaign targeting the content management
software WordPress, a free and open source blogging tool and web
publishing platform based on PHP and MySQL. All hosting providers
offering WordPress for web content management are potentially targets.
Hackers reportedly are utilizing over 90,000...
Current Activity - Microsoft Releases April 2013 Security Bulletin
Current Activity (Apr 09)
National Cyber Awareness System
Microsoft Releases April 2013 Security Bulletin
Original release date: April 04, 2013 | Last revised: April 09, 2013
Microsoft has released updates to address vulnerabilities in Microsoft
Windows, Office, Internet Explorer, Server Software, and Security
Software as part of the Microsoft Security Bulletin summary for April
2013. These vulnerabilities could allow remote code execution, elevation
of privilege,...
Current Activity - Microsoft Releases Advance Notification for April 2013 Security Bulletin
Current Activity (Apr 04)
National Cyber Awareness System
Microsoft Releases Advance Notification for April 2013 Security Bulletin
Original release date: April 04, 2013
Microsoft has issued a Security Bulletin Advance Notification indicating
that its April release will contain nine bulletins. These bulletins will
have the severity rating of critical and important and will be for
Microsoft Windows, Office, Internet Explorer, Server Software, and
Security Software. These...
Current Activity - Mozilla Releases Multiple Updates
Current Activity (Apr 03)
National Cyber Awareness System
Mozilla Releases Multiple Updates
Original release date: April 03, 2013
The Mozilla Foundation has released updates to address multiple
vulnerabilities. These vulnerabilities could allow an attacker to
initiate a cross-site scripting attack or obtain sensitive information,
enable privilege escalation or execute arbitrary code, or cause a
denial-of-service condition.
Updates to the following products are...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
CVEs fixed in Ranger 0.5
Velmurugan Periasamy (Aug 05)
Ranger Community:
Please see below details.
CVE-2015-0265: Apache Ranger code injection vulnerability
-------------------------------------------------------------------------------
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: 0.4.0 version of Apache Ranger
Users affected: All admin users of ranger policy admin tool
Description: Unauthorized users can send some javascript code to be executed
in ranger policy...
CVE Request: SuiteCRM Post-Auth Race Condition Shell Upload Remote Code Execution.
Darren Martyn (Aug 05)
Hello List,
I am requesting a CVE to be issued for the SuiteCRM product. There
exists a race condition in the image upload verification component which
leads to a race condition wherein an uploaded piece of PHP code exists
on disc temporarily before being deleted, which can be leveraged to gain
code execution. This vulnerability was introduced in version 7.2.2, as a
patch to fix a prior code execution issue found in 7.2.1.
Github issue:...
CVE Request: PCRE Library Heap Overflow Vulnerability
Guanxing Wen (Aug 05)
PCRE is a regular expression C library inspired by the regular expression
capabilities in the Perl programming language. The PCRE library is
incorporated into a number of prominent programs, such as Adobe Flash,
Apache, Nginx, PHP.
PCRE library is prone to a vulnerability which leads to Heap Overflow.
During the compilation of a malformed regular expression, more data is
written on the malloced block than the expected size output by...
Re: CVE Request - Go net/http library - HTTP smuggling
cve-assign (Aug 05)
For purposes of CVE assignments, we feel that this needs to be
categorized separately from the other parts of the report. The primary
factor is that there are different sets of affected versions. This
behavior apparently was not present in all versions of Go: it was
added in February 2012. Also, it is not really an error in determining
the semantics of a set of headers; it's a security-relevant error in
interpretation of the syntax of an...
Re: CVE Request: cacti multiple SQL injections
Alessandro Ghedini (Aug 05)
Ping?
Re: CVE Request - Go net/http library - HTTP smuggling
Jason Buberel (Aug 04)
Florian,
We believe that this is a potentially exploitable issue. We would like a
CVE-ID in order to release a 1.4.3 build that has the fixes applied to the
current stable release (1.4.2) for linux distro coordination.
Commits have been made to the Go master branch to fix the problem:
https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9
https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f...
CVE-2015-3290: Linux privilege escalation due to nested NMIs interrupting espfix64
Andy Lutomirski (Aug 04)
And here's a real advisory:
If an NMI returns via espfix64 and is interrupted during espfix64 setup
by another NMI, the return state is corrupt. This is exploitable for
reliable privilege escalation on any Linux x86_64 system in which
untrusted code can arrange for espfix64 to be invoked and for NMIs to be
nested.
Glossing over a lot of details, the basic structure of Linux' nested NMI
handling is:
nmi_handler:
if...
Re: CVE request: WordPress 4.2.3 and earlier multiple vulnerabilities
cve-assign (Aug 04)
The correct parsing of that sentence is like:
WordPress 4.2.4 fixes three cross-site scripting vulnerabilities and
[a potential SQL injection that could be used to compromise a site
(CVE-2015-2213)]
not like:
[WordPress 4.2.4 fixes three cross-site scripting vulnerabilities and
a potential SQL injection that could be used to compromise a site]
(CVE-2015-2213)
See below for the set of 6 CVE IDs that correspond to the currently...
CVE request: WordPress 4.2.3 and earlier multiple vulnerabilities
Henri Salo (Aug 04)
Can I get CVE for WordPress 4.2.3 and earlier multiple vulnerabilities, thank
you.
https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/
"""
WordPress 4.2.4 is now available. This is a security release for all previous
versions and we strongly encourage you to update your sites immediately.
This release addresses six issues, including three cross-site scripting
vulnerabilities and a potential SQL...
Re: Linux x86_64 NMI security issues
Jason A. Donenfeld (Aug 04)
Andy -- we've been sitting at the edge of our seats in anticipation!
Is it publication time yet?
Jason
Re: CVE Request: Information disclosure in pcre
Huzaifa Sidhpurwala (Aug 04)
This should have been "which can lead to information disclosure"
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1187225
CVE Request: Information disclosure in pcre
Huzaifa Sidhpurwala (Aug 04)
Hi All,
It was reported that pcre_exec in the PHP pcre extension partially
initializes a buffer when an invalid regex is processed, which can lead
to an arbitrary code execution.
https://bugs.exim.org/show_bug.cgi?id=1537
This patch has been committed upstream via:
http://vcs.pcre.org/pcre/code/trunk/pcre_exec.c?r1=1502&r2=1510
And is a part of upstream release pcre-8.37
This was initially reported by ZDI (ZDI-CAN-2547), but it seems there...
Re: CVE Request: freeradius: the EAP-PWD module performs insufficient validation on packets received from an EAP peer
Huzaifa Sidhpurwala (Aug 04)
Copying cve-assign this time to see if this gets picked up :)
Xen Security Advisory 140 (CVE-2015-5165) - QEMU leak of uninitialized heap memory in rtl8139 device model
Xen . org security team (Aug 03)
Xen Security Advisory CVE-2015-5165 / XSA-140
version 2
QEMU leak of uninitialized heap memory in rtl8139 device model
UPDATES IN VERSION 2
====================
CVE assigned.
Public release.
Updated status of the patches.
ISSUE DESCRIPTION
=================
The QEMU model of the RTL8139 network card did not sufficiently
validate inputs in the C+ mode offload emulation. This results in...
Xen Security Advisory 139 (CVE-2015-5166) - Use after free in QEMU/Xen block unplug protocol
Xen . org security team (Aug 03)
Xen Security Advisory CVE-2015-5166 / XSA-139
version 2
Use after free in QEMU/Xen block unplug protocol
UPDATES IN VERSION 2
====================
CVE assigned.
Public release.
Updated status of the patches.
ISSUE DESCRIPTION
=================
When unplugging an emulated block device the device was not fully
unplugged, meaning a second unplug attempt would attempt to unplug the
device a...
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
Silver Bullet 112: Matthew Green and Steve Bellovin on Crypto Back Doors
Gary McGraw (Jul 23)
hi sc-l,
For the latest episode of Silver Bullet, we spoke to two of the fifteen co-authors of the Keys Under Doormats paper
describing the technical peril of implementing crypto back doors as FBI Director Comey has suggested. Steve Bellovin
comes at the problem with years of experience and direct involvement in the first crypto wars. Matthew Green comes to
the problem with a solid understanding of applied cryptography in real world...
Re: Silver Bullet 111: Marcus Ranum
Gunnar Peterson (Jul 16)
In case anyone needs a summer project, I wonder what percentage of issues discussed in the 111 shows are still issues
today?
-gunnar
Re: Silver Bullet 111: Marcus Ranum
Kevin W. Wall (Jul 10)
Ah, I see...so the dirty trick is that you are finally doing reruns.
Syndication can't be far behind. ;-)
-kevin
Sent from my Droid; please excuse typos.
Silver Bullet 111: Marcus Ranum
Gary McGraw (Jul 07)
hi sc-l,
Silver Bullet episode 111 is a sneaky one based around a “dirty brilliant trick.” The episode features Marcus Ranum,
inventor of the proxy firewall and all around security guru. We talk about perimeter security, software security,
security progress (or lack of such) and whether hackers are necessary for security.
http://bit.ly/sb111-mjr (or for purists http://www.cigital.com/silver-bullet/show-111/)
So what was the trick?...
Ruxcon 2015 Final Call For Presentations
cfp (Jul 07)
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of September, 2015.
.[x]. About Ruxcon .[x]....
Silver Bullet 110: Paul Dorey
Gary McGraw (Jun 04)
hi sc-l,
Silver Bullet episode 110 features Paul Dorey. Paul was one of the original CSOs of Europe, ultimately serving as the
CSO of BP. He and I are on an Advisory Board together, and most recently, Paul and I did a “fireside chat” at the
BSIMM Europe Conference. We talk about the CSO job, software security, and a few other things on this episode:
http://bit.ly/SB-dorey
As always, your feedback is welcome. Please post, tweet,...
Breakpoint 2015 Call For Presentations
cfp (May 20)
Breakpoint 2015 Call For Papers
Melbourne, Australia, October 22nd-23rd
Intercontinental Rialto
http://www.ruxconbreakpoint.com
.[x]. Introduction .[x].
We are pleased to announce Call For Presentations for Breakpoint 2015.
Breakpoint showcases the work of expert security researchers from around the
world on a wide range of topics. This conference is organised by the Ruxcon
team and offers a specialised security conference to complement...
RSA Antidote: Bart Preneel on Silver Bullet 109
Gary McGraw (Apr 27)
hi sc-l,
Lots of us have RSA Conference goo leaking out of our ears by now. Yerg. Here’s a quick antidote from a serious
cryptographer. Bart Preneel is a professor at KU Leuven University (founded in 1425). He is an exceptional
cryptographer and a huge supporter of software security in Europe.
http://bit.ly/SB-bart
As always, your feedback is welcome. Two more days of RSA to go. Please send reinforcements.
gem
Ruxcon 2015 Call For Presentations
cfp (Apr 14)
Ruxcon 2015 Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 30th of June, 2015.
.[x]. About Ruxcon .[x].
Ruxcon is...
Educause Security Discussion — Securing networks and computers in an academic environment.
Re: SIEM Solution
Diana Bentley (Aug 05)
Hello,
Thank you to all those who participated so generously with their time and thoughts! This information will prove
invaluable to our research.
We are attaching the results to the survey.
Re: AUSCert
Eder Plansky Silva (Aug 05)
Hi Peter,
I have experience with AusCERT for about a year. I am currently in
Australia and using their member services.
Feel free to contact me if you want more details.
All the best
Ed
Re: AUSCert
Peter Lundstedt (Aug 04)
Thanks for the replies John & Ken, that's helpful. I'm going to reach out to them directly for some additional
information.
Peter Lundstedt | Information Security Analyst
Drake Technology Services (DTS) | Drake University
T 515.271.4173
E peter.lundstedt () drake edu
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John
Kristoff
Sent:...
Re: AUSCert
John Kristoff (Aug 04)
AusCERT is a member organization for its region. Along with CERT/CC it
was one of the oldest, most prestigious CERTs in the world. They have been
very actively involved with the security community, but things began to
get a little complicated when national governments decided to get into
the act, so you don't hear about them as much as you once did. AusCERT
did not escape much of the reshaping of the early CERTs, but they still
largely do what they...
Re: AUSCert
Ken Connelly (Aug 04)
They are an Australian organization, and pretty good at what they do as
far as I hear. I'm actually surprised that they also do business in New
Zealand.
- ken
AUSCert
Peter Lundstedt (Aug 04)
I'm doing some information gathering on AUSCert<https://auscert.org.au/>. They advertise themselves as a premier
incident handling, monitoring, and data feed service with experience in higher ed, but every bit of information I can
find references Australia / New Zealand only, including all their pricing. Does anyone know if their offering is
available in the U.S. and does anyone have experience with their services?
Peter...
2015 Higher Education CISO Survey
Cathy Hubbs (Aug 03)
Good morning colleagues,
The initial response to the Higher Education CISO survey has been outstanding. I hope you can find the time to add your
voice to the results so that we can all learn more about this critical position you occupy. I encourage you to forward
this message to fellow higher education CISOs. As a reminder, all participants will receive a free copy of the entire
report. The initial invitation is below.
Thank you for your...
Re: Blocking URLs
McClenon, Brady (Jul 31)
How would they “know where everyone at your institution goes on the net?” Wouldn’t they just know that some device
with IP address x.x.x.x requested a lookup of a given FQDN? There’s no release of PII to let them know who is on the
other end. Also, we use OpenDNS as forwarders on our DNS servers, so they only know that the request came from a
device using our DNS servers. I don’t see any privacy or compliance issues.
Brady...
Re: Blocking URLs
randy (Jul 31)
OpenDNS and RPZ are good solutions. A cautionary note about OpenDNS - they
basically become your institution's DNS primary. Which means they will know
where everyone at your institution goes on the net. There are FERPA, ITAR,
PCI, GLB, HIPAA issues that you need to examine when considering OpenDNS.
-Randy Marchany
VA Tech IT Security Office
Re: Blocking URLs
Robert Lau (Jul 31)
We see many phishing sites hosted at Google, Qualtrics, Wix, etc. Layer 3 blocks simply do not work for them or cause
significant collateral damage. Plus, blocking at our border, or using OpenDNS, does not protect people reading email on
random, unmanaged devices outside our network.
Any day now, we will be enabling TAP on our Proofpoint mail gateways. TAP will rewrite all (or possibly only suspicious
URLs) found in email and will protect...
Re: Blocking URLs
Tevlin, Dave (Jul 31)
Just to throw this into the mix on OpenDNS. Cisco announced their intent to
acquire OpenDNS yesterday.
Small FYI.
Dave
Re: Blocking URLs
Chris Green (Jul 31)
I am looking into OpenDNS now. Am I safe in assuming they used to offer a freemium model, but no more? Can anyone tell
me what we would be looking at in cost to support roughly 1,500 users?
Thanks,
-C.
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Pratt,
Benjamin E.
Sent: Friday, July 31, 2015 11:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Blocking URLs...
Re: Blocking URLs
Andre DiMino (Jul 31)
We use OpenDNS to block phish domains.
We are also able to determine which hosts may have visited these domains
prior to blocking.
Re: Blocking URLs
Ricardo Fitipaldi (Jul 31)
If you run your own DNS servers then RPZ may help a bit, however you can't
block a full URL.
RF
*Ricardo Fitipaldi, *Security Analyst
San Diego State University
☎: 619-594-0099
http://security.sdsu.edu
Re: Blocking URLs
Pratt, Benjamin E. (Jul 31)
At the EDUCAUSE Security Professionals Conference there was a session about using OpenDNS for blocking these types of
attacks. There are also many other options for controlling DNS to reduce this risk but if someone isn't using your DNS,
or is going directly to IPs, then it's not effective.
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
[NANOG-announce] UPDATE - 2015 NANOG Elections General Information
Valerie Wittkop (Aug 05)
Hello NANOG Members,
It has come to my attention there was a bad link in the message sent last week announcing the opening of the 2015
Election Process. I apologize for not catching the error before the message was sent and causing more noise to your
inbox now. Please note the corrected link (relating to completing the Online Process) below.
Why?
If you care about NANOG and think that you would like to take a turn at volunteering your time...
Re: Bright House IMAP highwater warning real?
Robert Drake (Aug 05)
That's not even mentioning that the term "High Water" and even "bytes"
is just confusing to end users who probably don't know computer
terminology. At best, they can expect calls to support over these emails.
OTOH, 99% of their users probably have an inbox full of spam and don't
use their ISP provided mailbox, having switched to a third-party email
provider years ago. So the "Please" in the...
Re: Mac compatible SFP+/XFP programmer
Hibler, Florian (Aug 05)
+1 on the Flexoptix Flexbox.
https://www.flexoptix.net/en/produkte/transceiver-accessories/flexbox-v3-transceiver-programmer.html
Best regards,
Florian
Re: Exploits start against flaw that could hamstring huge swaths of Internet | Ars Technica
Jared Mauch (Aug 04)
Here's an example dnsdist config you might find helpful:
This sends queries to the first two servers unless
they are for domains in the "nether" pool list. They go to
other servers.
You can restrict access based on the Acl.
newServer("x.x.223.10")
newServer("x.x.223.20")
;setServerPolicy(firstAvailable) -- first server within its QPS limit
setServerPolicy(leastOutstanding)...
Re: RES: Exploits start against flaw that could hamstring huge swaths of
Joel Maslak (Aug 04)
Maybe we can give them a new title. I'm thinking, "System Programmer."
Re: RES: Exploits start against flaw that could hamstring huge swaths of
Randy Bush (Aug 04)
i love the devops movement; operators discover that those computers can
be programmed. wowzers!
maybe in a decade or two, we will discover mathematics. nah.
randy
Re: Exploits start against flaw that could hamstring huge swaths of Internet | Ars Technica
Randy Bush (Aug 04)
for some folk, complexity is a career. i worked for circuitzilla
for 15 months; it's embedded in their culture.
randy
Re: Mac compatible SFP+/XFP programmer
Jürgen Jaritsch (Aug 04)
I can also suggest you the Multi-Fiber-Tool from Solid Optics:
http://www.solid-optics.com/tools/multi-fiber-tool/so-multi-fiber-tool-id1768.html
Works great but I've never tested it with a Mac ... MacOS is at least listed as supported.
Best regards
Jürgen Jaritsch
Head of Network & Infrastructure
ANEXIA Internetdienstleistungs GmbH
Telefon: +43-5-0556-300
Telefax: +43-5-0556-500
E-Mail: jj () anexia at
Web:...
RE: [BULK] Verizon exiting California
Matthew Black (Aug 04)
I don't live in a new suburban community with modern utilities. Well, the 50 year-old water main on my street was
replaced about 10 years ago. We haven't suffered major flooding like UCLA experienced last year. My house was built in
1930. Much of that telco copper is pushing 70 years old or more. Some is above ground and some is underground. Until
recently, the underground vault would flood whenever it rained. The b-box uses...
DropBox peering issue in SF bay area ? Rare and Odd
Bob Evans (Aug 04)
Anyone from dropbox please contact
noc () fiberInternetCenter com
Multiple peering session - peering sessions are up/established - prefixes
are received - but no website and customers complaining to us.
Thank You
Bob Evans
CTO
Re: Mac compatible SFP+/XFP programmer
Eric Rosenberry (Aug 04)
I can attest to the quality of the Flexbox. It is fantastic! All of our
employees have Macs and they work great.
Originally you had to use Java in FireFox to make it work, but they now
have a "Chrome app" that works in Chrome which is even easier (don't have
to get the right Java version loaded and click through a million security
warnings).
The workflow for how the box works is fantastic- You just go to their
website and...
Re: RES: Exploits start against flaw that could hamstring huge swaths
Baldur Norddahl (Aug 04)
On 04/08/2015 19.18 "Christopher Morrow" <morrowc.lists () gmail com> wrote:
Maybe not but a code review can tell what methods are used to safeguard
against security bugs, the general quality of the code, the level of
automated testing etc. History can give hints to the same. If it had a lot
of bugs discovered it is likely it is not good quality from a security
perspective and more bugs can be expected.
It is called due...
Re: multipath tcp now in production use for linux based mobile devices
Geoffrey Keating (Aug 04)
"Darden, Patrick" <Patrick.Darden () p66 com> writes:
...
It's not so much the statefulness of the firewall that's the problem,
it's that if the firewall wants to work at higher layers than TCP, in
particular at the TLS layer, it can't because it doesn't have all the
data.
Operators should probably consider that if they block or disable
MPTCP, the device using it might decide that network is broken or...
Re: Exploits start against flaw that could hamstring huge swaths of
Joe Abley (Aug 04)
9.10.2-P3 is marked "current stable", and 9.9.7-P2 is marked
"current-stable ESV" at:
https://www.isc.org/downloads/
The bind-users is probably a place where this kind of thread would at
least go off-track in a different set of ways:
https://lists.isc.org/mailman/listinfo/bind-users
Joe
RE: multipath tcp now in production use for linux based mobile devices
Darden, Patrick (Aug 04)
So, obviously, MPTCP can cause problems with Stateful Firewalls (as in asymmetric routing, out of state packets, etc.).
Cisco's take on how to deal with MPTCP is just as interesting as MPTCP itself is.
http://www.cisco.com/c/en/us/support/docs/ip/transmission-control-protocol-tcp/116519-technote-mptcp-00.html
Yep, for regular ASAs they advise you to let everything with option 30 set in the header have a free pass to your
network (turn...
Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 28.84
RISKS List Owner (Aug 04)
RISKS-LIST: Risks-Forum Digest Tuesday 4 August 2015 Volume 28 : Issue 84
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.84.html>
The current issue can be...
Risks Digest 28.83
RISKS List Owner (Aug 03)
RISKS-LIST: Risks-Forum Digest Sunday 2 August 2015 Volume 28 : Issue 83
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.83.html>
The current issue can be...
Risks Digest 28.82
RISKS List Owner (Jul 30)
RISKS-LIST: Risks-Forum Digest Wednesday 29 July 2015 Volume 28 : Issue 82
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.82.html>
The current issue can be...
Risks Digest 28.81
RISKS List Owner (Jul 25)
RISKS-LIST: Risks-Forum Digest Saturday 25 July 2015 Volume 28 : Issue 81
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.81.html>
The current issue can be...
Risks Digest 28.80
RISKS List Owner (Jul 22)
RISKS-LIST: Risks-Forum Digest Wednesday 22 July 2015 Volume 28 : Issue 80
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.80.html>
The current issue can be...
Risks Digest 28.79
RISKS List Owner (Jul 20)
RISKS-LIST: Risks-Forum Digest Monday 20 July 2015 Volume 28 : Issue 79
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.79.html>
The current issue can be...
Risks Digest 28.78
RISKS List Owner (Jul 14)
RISKS-LIST: Risks-Forum Digest Tuesday 14 July 2015 Volume 28 : Issue 78
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.78.html>
The current issue can be...
Risks Digest 28.77
RISKS List Owner (Jul 11)
RISKS-LIST: Risks-Forum Digest Saturday 11 July 2015 Volume 28 : Issue 77
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.77.html>
The current issue can be...
Risks Digest 28.76
RISKS List Owner (Jul 09)
RISKS-LIST: Risks-Forum Digest Wednesday 8 July 2015 Volume 28 : Issue 76
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.76.html>
The current issue can be...
Risks Digest 28.75
RISKS List Owner (Jul 07)
RISKS-LIST: Risks-Forum Digest Tuesday 7 July 2015 Volume 28 : Issue 75
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.75.html>
The current issue can be...
Risks Digest 28.74
RISKS List Owner (Jul 01)
RISKS-LIST: Risks-Forum Digest Wednesday 1 July 2015 Volume 28 : Issue 74
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.74.html>
The current issue can be...
Risks Digest 28.73
RISKS List Owner (Jun 26)
RISKS-LIST: Risks-Forum Digest Friday 26 June 2015 Volume 28 : Issue 73
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.73.html>
The current issue can be...
Risks Digest 28.72
RISKS List Owner (Jun 22)
RISKS-LIST: Risks-Forum Digest Monday 22 June 2015 Volume 28 : Issue 72
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.72.html>
The current issue can be...
Risks Digest 28.71
RISKS List Owner (Jun 20)
RISKS-LIST: Risks-Forum Digest Saturday 20 June 2015 Volume 28 : Issue 71
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.71.html>
The current issue can be...
Risks Digest 28.70
RISKS List Owner (Jun 16)
RISKS-LIST: Risks-Forum Digest Tuesday 16 June 2015 Volume 28 : Issue 70
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.70.html>
The current issue can be...
Data Loss — Data Loss covers large-scale personal data loss and theft incidents. This archive combines the main list (news releases) and the discussion list.
The insider data hack: A legal perspective
Audrey McNeil (Aug 04)
http://www.itproportal.com/2015/07/27/the-insider-data-hack-legal-perspective/
Data security is a critical risk area for businesses of all sizes. Yet one
aspect of a company’s data security strategy that is often considered in
less detail is the threat posed by employees – the insider threat.
This includes both accidental loss of data through negligence and
deliberate misuse or theft of data by employees. Insiders can be current or
former...
Will The US Experience A Massive Cyber-attack Soon?
Audrey McNeil (Aug 04)
http://techaeris.com/2015/07/26/will-the-us-experience-a-massive-cyber-attack-soon/
Over the past year the cases of major cybersecurity breaches have seemed to
increase and it does not seem to be slowing down. Companies like Target,
British Airways, Lenovo, Sony, the Internal Revenue Service, the US Postal
Service, the US Government and now Ashley Madison have all felt the sting
of hackers. The hits keep on coming but is this just the tip of the...
With continuing breaches, mHealth should learn from past thefts
Audrey McNeil (Aug 04)
http://searchhealthit.techtarget.com/news/4500250556/With-continuing-breaches-mHealth-should-learn-from-past-thefts
With breaches in healthcare not slowing down anytime soon -- consider the
recent UCLA health system data breach -- experts at the recent mHealth +
Telehealth World Congress discussed security breaches, what healthcare
organizations can learn from those breaches and the value of stolen
protected health information (PHI)....
Breach of Data Security: Protect your Small Business
Audrey McNeil (Aug 04)
http://www.freshbusinessthinking.com/business_advice.php?CID=0&AID=15229&Title=Breach+of+Data+Security%3A+Protect+your+Small%#.Vbaiw7NViko
Hacking is once again in the news after the adultery site Ashley Madison
suffered an attack by the “Impact Team” that claims to have stolen details
of names, addresses, credit card details and sexual preferences and
threatens to publish them unless the site is shut down.
Chris Froome, the Sky...
HIPAA limits less than people think
Audrey McNeil (Aug 04)
http://www.nwaonline.com/news/2015/jul/27/hipaa-limits-less-than-people-think-201/?features-style
How do people use, misuse or abuse HIPAA, the federal regulations
protecting patients' confidential health information? Three anecdotes from
the past few years:
• Patricia Gross and a close friend had taken refuge in a cafe at Brigham
and Women's Hospital in Boston, where Gross' husband was dying of cancer.
She was lamenting his...
Study: 1 in 5 big firms attacked by hackers
Audrey McNeil (Aug 04)
http://www.thelocal.de/20150727/one-in-five-big-german-firms-has-been-hacked
Companies with more than €1 billion in returns were the most at risk
according to the report by international professional services firm Ernst
and Young, with one-fifth reporting concrete evidence of cyber attacks.
The report said what was more troubling was that one in five attacks were
only detected by accident and companies seem to largely be relying on
simple...
More CEOs, boards taking IT risk management seriously: Survey
Audrey McNeil (Jul 31)
http://www.firstpost.com/business/ceos-boards-taking-risk-management-seriously-survey-2358610.html
Information security governance practices are maturing, said Gartner's
latest annual end-user survey for privacy, IT risk management, information
security, business continuity or regulatory compliance. Gartner surveyed
964 respondents in large organisations across seven countries.
“Increasing awareness of the impact of digital business...
Cyber insecurity has to be addressed
Audrey McNeil (Jul 31)
http://www.theday.com/article/20150723/OP03/150729646
The alarm bells are getting louder. #SonyHack, #HackingTeam, #OPMHack, and
now #AshleyMadisonHack. In the space of a few months, four data breaches
have punctured a media sphere that has become jaded to the idea of the loss
of data. Why?
We were spellbound by the internal emails revealed by the #SonyHack, which
has had lingering and far-reaching effects on Hollywood, including the
souring of...
Some Good News for Data Breach Victims, For A Change
Audrey McNeil (Jul 31)
http://www.forbes.com/sites/daniellecitron/2015/07/21/some-good-news-for-data-breach-victims-for-a-change/
Hackers breach a company’s database, stealing consumers’ confidential
financial information, real names, and home addresses. If consumers spend
considerable time and money to minimize their risk of fraud, have they
suffered harm? Does the increased risk of identity theft count as harm?
Most of the time, the answer is no. Most federal...
Detecting a Data Breach
Audrey McNeil (Jul 31)
http://www.forensicmag.com/articles/2015/07/detecting-data-breach
Almost every week we learn about a data breach where attackers went
unnoticed for a significant period of time. In 2014, the average number of
days was 205. Most recently, in the Adult Friend Finder breach, there is
evidence that a third party detected the compromise at least two months
before the breach was publicly reported.
These numbers are not surprising to most seasoned...
Hacker profiling: who is attacking me?
Audrey McNeil (Jul 31)
http://www.information-age.com/technology/security/123459862/hacker-profiling-who-attacking-me
Sophisticated cyber attacks have evolved rapidly in the last year,
crippling online networks and causing serious financial, operational and
reputational damage on firms, regardless of industry or nationality.
Many executives rank a large-scale attack as the most important risk facing
their firm. The biggest concern generally isn’t the financial...
UCLA Health Faces Lawsuit - Already
Audrey McNeil (Jul 31)
http://www.govinfosecurity.com/ucla-health-faces-lawsuit-already-a-8427
A lawsuit seeking class-action status was filed against UCLA Health on the
first business day after the healthcare organization revealed it was the
victim of a cyberattack. The breach potentially compromised information on
4.5 million individuals.
The suit, filed in the U.S. District Court in the central district of
California on July 20, alleges privacy-related violations...
Compliance Doesn't Have to be Painful
Audrey McNeil (Jul 30)
http://www.infosecurity-magazine.com/opinions/compliance-doesnt-have-to-be/
Perhaps the most surprising fact about last year’s slew of data breaches is
that the organizations that made headlines were considered compliant with
at least one of the common security frameworks, such as PCI-DSS or HIPAA.
Observers may scratch their heads and wonder if these standards do any good
at all. But compliance is not pointless – organizations are just...
Healthcare Hacker Attacks: The Impact
Audrey McNeil (Jul 30)
http://www.databreachtoday.com/healthcare-hacker-attacks-impact-a-8420
The recent string of major hacker attacks in the healthcare sector,
including the cyber-attack on UCLA Health, calls attention to the urgent
need for organizations to step up their security programs.
Security experts say healthcare organizations need to carefully reassess
their risks and then take appropriate security measures, which, in many
cases, will include implementing...
UCLA Health Responds to massive cyberattack
Audrey McNeil (Jul 30)
http://www.insidecounsel.com/2015/07/21/ucla-health-responds-to-massive-cyberattack
As many as 4.5 million individuals may have been impacted by a cyber-attack
at UCLA Health.
The attackers accessed parts of the organization’s network that contained
personal and medical information.
Yet, there is no evidence the cyber-attackers accessed or acquired any
personal or medical information.
The FBI is investigating the attack, and UCLA also hired...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
Ruxcon 2015 Final Call For Presentations
cfp (Jul 06)
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of September, 2015.
.[x]. About Ruxcon .[x]....
Breakpoint 2015 Call For Presentations
cfp (May 17)
Breakpoint 2015 Call For Papers
Melbourne, Australia, October 22nd-23rd
Intercontinental Rialto
http://www.ruxconbreakpoint.com
.[x]. Introduction .[x].
We are pleased to announce Call For Presentations for Breakpoint 2015.
Breakpoint showcases the work of expert security researchers from around the
world on a wide range of topics. This conference is organised by the Ruxcon
team and offers a specialised security conference to complement...
Ruxcon 2015 Call For Presentations
cfp (Apr 13)
Ruxcon 2015 Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 30th of June, 2015.
.[x]. About Ruxcon .[x].
Ruxcon is...
Re: rev2self vs drop_token?
Rufe Glick (Apr 02)
Re: rev2self vs drop_token?
Matt Weeks (Apr 01)
1. Meterpreter can hold a token that it will use when spawning off any new
threads or processes using Meterpreter functionality. drop_token tells
meterpreter to release that token and go back to the Windows token.
Windows itself natively handles various tokens as well; say you had
exploited a process that runs as SYSTEM serving a named pipe that had
called ImpersonateNamedPipeClient; you would be running as the impersonated
user, which may not...
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Re: unicode replacement character in online docs
Gerald Combs (Aug 05)
It was a server misconfiguration. It should be fixed.
The fixed version shows non-breaking space, at least for the first page of
the Developer's Guide.
What's odd is that we're managing to generate documentation encoded as
ISO-8859-1.
Re: Error when compiling extcap/androiddump.c with (released) MSVC 2015
Michal Labedzki (Aug 05)
Hello,
Try this one: https://code.wireshark.org/review/#/c/9876/
Re: unicode replacement character in online docs
Evan Huus (Aug 05)
Yup, and that's new AFAIK. Anybody know if something's change on the
server or on the build bot with respect to character encoding?
Based on the byte-values of something I expect should be a copyright
symbol, it looks like it's using ISO8859-1 and/or Windows-1252.
unicode replacement character in online docs
Hadriel Kaplan (Aug 05)
Anyone else seeing the unicode replacement character all over the
online auto-generated docs? (user guide and developer guide)
I don't recall having seen them there before, though maybe they've
always been there.
https://www.wireshark.org/docs/wsdg_html_chunked/index.html
https://www.wireshark.org/docs/wsug_html_chunked/index.html
-hadriel
Error when compiling extcap/androiddump.c with (released) MSVC 2015
Anders Broman (Aug 05)
Hi,
I get:
androiddump.c
extcap/androiddump.c(736): error C2220: warning treated as error - no 'object' file generated
extcap/androiddump.c(736): warning C4477: 'fprintf' : format string '%I64i' requires an argument of type '__int64', but variadic argument 3 has type 'ssize_t'
extcap/androiddump.c(736): note: to simplify migration, consider the temporary use of /Wv:18 flag with the version of...
Re: Npcap 0.03 call for test
Yang Luo (Aug 05)
Hello Jim,
Thanks for test. I have confirmed and fixed this "Malformed Packets" issue,
this is because the packet read function *NPF_TapExForEachOpen* didn't copy
the 2nd MDL data if the data has crossed the buffer boundary. Latest
installer that has this bug fixed is:
https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.03-r4.exe
This is still the...
Wireshark fails to start with wpcap.dll built by Visual Studio 2010
Yang Luo (Aug 05)
Hi list,
The original WinPcap DLL, wpcap.dll is built by VS 2005, I have updated it
to VS 2010 using VS automatic conversion wizard without changing one line
of code. But when I launched Wireshark on Win8.1 x64, I encountered an app
crash error:
-------------------------------------------------------------------------
Problem signature:
Problem Event Name: APPCRASH
Application Name: dumpcap.exe
Application Version: 1.99.9.58
Application...
Re: Multiple syn's , syn/ack and ack received for single connection?
asad (Aug 04)
Got it, I will perform the test through direct access to the actual server and see
the response.
I'm trying to scrape the internet for hints and techniques using Wireshark so I can
catch slow server conditions.
Do you know what filters I can use in the Wireshark IO Graph UI options to
catch slow responses? tcp.rtt, tcp.time_delta perhaps.
regards
Re: Multiple syn's , syn/ack and ack received for single connection?
T B (Aug 04)
Introducing the reverse proxy adds a bit of complexity when analyzing a
problem at the network layer. In particular, your RTTs as well as
negotiated TCP options only reflect communication to the proxy and not the
actual server with the content. To fully understand what's happening in
this scenario, you'd probably need a capture on the other side of the proxy
as well.
Re: Multiple syn's , syn/ack and ack received for single connection?
asad (Aug 04)
TB, indeed diversity is a beautiful thing, but so is the present "by the book"
acknowledgement where the classical case is discussed as a rule of thumb. Only
in forums like this one expects to see a lot of variation in responses.
Coming back to my original question, parallel connections in my case
don't seem to improve server response time, which theoretically speaking
isn't having a parallel performance impact.
The time between GER...
Re: Multiple syn's , syn/ack and ack received for single connection?
Saulpaugh, Chris (Aug 04)
TB is correct. A lot will depend on the server, app, and coding as to whether you see serial or parallel
processing/streaming.
Sent from my iPhone
Thanks,...
Re: Multiple syn's , syn/ack and ack received for single connection?
asad (Aug 04)
This is just to update the community that the user T B is indeed right; I
re-ran the test on a new set of websites and this time I picked more dynamic
basic content, e.g. bbc, axn, etc. I saw that for those big sites, so to say,
the browser indeed requests in parallel, and the case was similar to what I
experienced in my own environment. Thanks T B for bringing my attention to
this behavior of browsers.
Re: Multiple syn's , syn/ack and ack received for single connection?
T B (Aug 04)
Can't speak to your anecdotal experiences, but it definitely can and does
happen in parallel depending on the browser/client. There is also nothing
non-"classical" about this behavior. Each connection operates in exactly
the classical way, there are just more of them. :)
Re: Multiple syn's , syn/ack and ack received for single connection?
asad (Aug 04)
Thanks, for the fast response.
I have tested the same by visiting the home pages of other websites as well and
none had such behavior, parallel requests by the browser. It mostly works as
classical:
syn
syn-ack
ack
Now, consecutive SYNs. Yes, you were right; further down the packet capture I see
all the SYN, SYN-ACK and ACK packets. Thanks for mentioning it.
regards
asad
Re: Multiple syn's , syn/ack and ack received for single connection?
T B (Aug 04)
A web browser can make multiple connections to the same server to fetch
different resources in parallel. The other syn/ack responses are probably
in the capture as well, but further down. The sockets should be processed
in the order they're received, but there are lots of reasons why it might
not all happen immediately. None of this seems strange so far.
Hope this helps.
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Re: Integer overflow in perfmonitor preprocessor
Hui cao (Aug 05)
Hi Mike,
Thanks for reporting this issue. We will fix this issue in a future release.
Best,
Hui.
------------------------------------------------------------------------------
Integer overflow in perfmonitor preprocessor
Mike Cox (Aug 05)
Just an output bug. Snort 2.9.7.5 is affected and probably previous
versions. In src/preprocessors/spp_perfmonitor.c there is this code:
ParseError("Perfmonitor: Invalid argument to \"%s\". The "
"value must be an integer between 0 and %d.",
PERFMON_ARG__PKT_COUNT, UINT32_MAX)
But the printf '%d' is signed and UINT32_MAX is unsigned so you...
Re: Vulnerability DNS BIND9 attack DoS
Vuong D. Chieu (Aug 05)
Dear sir,
There is now a public vulnerability in DNS BIND9 on the internet:
https://www.exploit-db.com/exploits/37721/
Can you write a rule to detect the DoS attack on a DNS server using BIND9?
I had written a rule but it does not run.
alert udp any any -> any any (sid:1000010; gid:1; content:"|07 76 65 72 73 69 6F 6E 04 62 69 6E 64 00|"; msg:"DoS DNS BIND9"; classtype:successful-dos; rev:3; )
Can you show me some analysis of the DoS attack? I can write it....
Vulnerability DNS BIND9 attack DoS
Vuong D. Chieu (Aug 05)
Dear sir,
There is now a public vulnerability in DNS BIND9 on the internet:
https://www.exploit-db.com/exploits/37721/
Can you write a rule to detect the DoS attack on a DNS server using BIND9?
Thanks
----------------------------------------
Vuong Dinh Chieu (Mr.)
Vietnam Computer Emergency Response Team (VNCERT)
Ministry of Information and Communications (MIC)
Add: 18 Nguyen Du, Hanoi Website: http://www.vncert.gov.vn
Tel: +84-4-3640-4424 Mobile: +84-97...
dataset
mehdi maleki (Aug 04)
I need a good dataset (like DARPA but new) that has these properties:
1) Is public & free
2) Has an identification list file for checking my IDS performance
3) Has a multistage attack
Sent from Yahoo Mail on Android
------------------------------------------------------------------------------
low detection rate
mehdi maleki (Aug 04)
Hi,
I've installed Snort (Security Onion) with the snortrules-snapshot-2973.tar.gz and community-rules.tar.tar
rulesets. Then I tcpreplayed the DARPA dataset (inside & outside tcpdump files from Wednesday of week 4 of the 1999 DARPA
dataset: http://www.ll.mit.edu/ideval/data/1999/testing/week4/index.html). I checked the Snorby database for results. Only 4
of 21 attacks were detected (0.19 % detection rate). Why is the detection rate so low? DARPA is old, why snort...
Snort Subscriber Rules Update 2015-08-04
Research (Aug 04)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-plugins,
file-office, file-pdf, malware-cnc, os-windows and server-webapp rule
sets to provide coverage for emerging threats from these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Re: Daemonlogger -- Response to Marty Roesch
Marty Roesch (maroesch) (Aug 04)
Thanks, I’ve been meaning to get a new release going for a while. Maybe
this will get me off my butt and working on it again. :)
Marty
Re: Barnyard2 alternatives?
Jim Hranicky (Aug 04)
[...]
I created a patch that disables the reference table. There's already a
directive to disable the sig_reference table (we don't really use
either). You should be able to specify both like so after you install
the patch.
output database: log, mysql, user=user dbname=snortdb host=localhost \
disable_signature_reference_table=1 disable_reference_table=1
Barnyard starts up much quicker this way, within a couple of minutes.
Re: Barnyard2 alternatives?
Doug Burks (Aug 04)
The Sguil database stores the same alert payload data that the Snorby
database does. In addition, Sguil makes it very easy to pivot to full
packet capture. You can also easily add a hook to Sguil/Squert to
search for relevant Bro logs.
Re: Barnyard2 alternatives?
Richard Monk (Aug 04)
We took a look at Sguil/Squert and were unimpressed with the feature set (in
fact, we're slowly getting rid of snorby for the same reason). I'll take a look
again.
Right now, we like having the packet data that comes with "native" DB storage,
although we're spinning up full packet capture/Bro to offset needing that as well.
ELSA/Splunk are on the table, but that would be a big change for us in terms of
our workflow...
Re: Barnyard2 alternatives?
Doug Burks (Aug 04)
Hi Richard,
Yes, we've also experienced performance issues when running multiple
barnyard2 instances connecting to the same database with the database
output plugin. However, the barnyard2 output plugins for Sguil and
syslog seem to work well for us. Have you considered replacing Snorby
with Sguil/Squert or some standard log collector like ELSA?
Barnyard2 alternatives?
Richard Monk (Aug 04)
Hi folks!
TL;DR: Barnyard2 takes forever to start and I have a hundred instances that need
to start on a system. Pigsty doesn't work, are there alternates?
I took a look through the mailing list archive and have been doing some Google
searches, and so far I've come up empty with a solution to my problem. I
apologize if this has been asked before.
Currently, we have a sensornet that uses snort + barnyard2 + snorby for
monitoring,...
Re: Getting snort to block something
James Lay (Aug 03)
Good call....guess she got it figured out since the thread went dark.
James
------------------------------------------------------------------------------
Re: Getting snort to block something
Joel Esler (jesler) (Aug 03)
Smells like pfsense if I had to guess.
Hello everyone,
I just set up snort and am trying to test it using the
emerging-games.rule to block battle.net
However, I am not able to get it to block battle.net
I have my snort interface enabled, and in the alert settings I have
everything checked off. (Send Alerts to system log, block offenders,
kill states) I also have the Which ip to block set to...
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.