SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.
New VA Modules: OpenVAS: 2, Nessus: 18
New VA Module Alert Service (May 23)
This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.
== OpenVAS plugins (2) ==
r16419 2013/gb_nginx_http_parse_bof_vuln.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/2013/gb_nginx_http_parse_bof_vuln.nasl?root=openvas&view=markup
Nginx Chunked Transfer Encoding Stack Based Buffer Overflow
Vulnerability
r16419...
Re: New VA Modules: Nessus: 13
Edson Ticona (May 23)
On 14/05/2013 04:57, "New VA Module Alert Service" <postmaster () insecure org>
wrote:
Re: [NSE] IKE information extraction
Jesper Kückelhahn (May 22)
Hi Patrik,
I guess I missed your point about using a mutex; I initially didn't think
about implementing it in the ike lib, which makes more sense. I've attached
a patch against SVN that includes mutex. Thanks again for the pointer.
I've also attached an updated ike-info.nse that extracts more information,
specifically the use of aggressive mode authentication and pre-shared
keys (CVE-2002-1623).
- Jesper
New VA Modules: OpenVAS: 29, Nessus: 7
New VA Module Alert Service (May 22)
This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.
== OpenVAS plugins (29) ==
r16404 865620 2013/gb_fedora_2013_7128_tinc_fc17.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/2013/gb_fedora_2013_7128_tinc_fc17.nasl?root=openvas&view=markup
Fedora Update for tinc FEDORA-2013-7128
r16404 870997 2013/gb_RHSA-2013_0827-01_openswan.nasl...
Re: [NSE] IKE information extraction
Jesper Kückelhahn (May 21)
Hi Patrik,
I've looked a bit more into this, and using a mutex scheme requires that the two scripts (version detection and
information extraction) set the mutex. This would solve the problem of both these scripts trying to bind to UDP 500,
but would require other scripts binding to this port to also use this mutex, which could lead to transparency issues.
Would it make more sense to extend the 'bind' method of new_socket,...
New VA Modules: Nessus: 14
New VA Module Alert Service (May 21)
This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.
== Nessus plugins (14) ==
66520 opera_check_adobe_reader_enabled.nasl
http://nessus.org/plugins/index.php?view=single&id=66520
Adobe Reader Enabled in Browser (Opera)
66519 firefox_check_adobe_reader_enabled.nasl
http://nessus.org/plugins/index.php?view=single&id=66519
Adobe Reader Enabled in Browser (Mozilla Firefox)...
Re: [NSE] IKE information extraction
Jesper Kückelhahn (May 21)
Hi Patrik,
Thanks for the pointer. I'll look into using this for the script.
- Jesper
Re: [NSE] IKE information extraction
Jesper Kückelhahn (May 21)
Hi Anne,
Thank you for your interest in testing the script. Unfortunately I don't
have any systems available for testing purposes, but if you find any I'd be
very interested in any feedback.
- Jesper
Re: nmaprc.lua?
Fyodor (May 21)
Good point! I added this to the list of nmaprc ideas at
https://svn.nmap.org/nmap/todo/nmap.txt
Cheers,
Fyodor
Re: [NSE] IKE information extraction
Patrik Karlsson (May 21)
Jesper,
I don't think there is a way to tell if the port is in use or not but if
you want to avoid that the scripts run at the same time you could use a
mutex. There is some more information here:
http://nmap.org/book/nse-parallelism.html
/Patrik
On Mon, May 20, 2013 at 6:38 PM, Jesper Kückelhahn <dev.kyckel () gmail com> wrote:
Nmap IPC facilities?
Jacek Wielemborek (May 20)
Hi,
I recently had an idea and I thought it'd be nice to get some feedback
from you guys. On the #nmap IRC channel I was discussing introducing
better facilities to interact with Nmap scanning processes. At first,
I was thinking of ways to add more interactivity to the program, like
a keystroke to pause the current task or skip one of hosts.
I found out that there used to be "interactive mode" in Nmap, removed
by David in 2010...
Re: [NSE] IKE information extraction
stripes (May 20)
If you have a system I can test it against, I'll test the patch.
-Anne
[NSE] IKE information extraction
Jesper Kückelhahn (May 20)
Hi list,
I've attached a script for extracting information from an IKE service and a
patch for ike.lua.
The IKE response might contain useful information such as the internal IP
address, domain name or username, which the script displays. Also matched
vendor IDs are displayed.
The ike.lua.patch adds extra functionality to support the extraction (and
some minor refactoring).
Example outputs:
PORT STATE SERVICE REASON VERSION...
New VA Modules: Nessus: 6
New VA Module Alert Service (May 20)
This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.
== Nessus plugins (6) ==
66506 suse_acroread-8571.nasl
http://nessus.org/plugins/index.php?view=single&id=66506
SuSE 10 Security Update : Acrobat Reader (ZYPP Patch Number 8571)
66505 suse_11_acroread-130516.nasl
http://nessus.org/plugins/index.php?view=single&id=66505
SuSE 11.2 Security Update : Acrobat Reader (SAT...
Re: Nmap under OpenVZ venet?
NStorm (May 20)
Hello.
Checked out revision 30907.
Seems to be working fine now (on a host with venet NOARP device):
# nmap --iflist
Starting Nmap 6.26SVN ( http://nmap.org ) at 2013-05-20 11:06 MSK
************************INTERFACES************************
DEV (SHORT) IP/MASK TYPE UP MTU MAC
lo (lo) 127.0.0.1/8 loopback up 16436
lo (lo) ::1/128 loopback up 16436
venet0 (venet0) 192.168.9.39/32 other up 1500...
Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Nmap Project Seeking Talented Programmers for Google Summer of Code
Fyodor (Apr 26)
Hi Folks. I'm happy to announce that the Nmap Project has again been
accepted into the Google Summer of Code program. This innovative and
extraordinarily generous program provides $5,000 stipends to college and
graduate students who spend the summer improving Nmap! They gain valuable
experience, get paid, strengthen their résumés, and write code for millions
of users.
Previous SoC students helped create the Nmap Scripting Engine, Zenmap...
Nmap 6.25 holiday season release! 85 new scripts, better performance, Windows 8 enhancements, and more
Fyodor (Nov 30)
Hi folks. It has been more than five months since the Nmap 6.01
release, and I'm pleased to announce a new version for you to enjoy
during the holidays! Nmap 6.25 contains hundreds of improvements,
including 85 new NSE scripts, nearly 1,000 new OS and service
detection fingerprints, performance enhancements such as the new
kqueue and poll I/O engines, better IPv6 traceroute support, Windows 8
improvements, and much more! It also includes...
Nmap 6.01 Released
Fyodor (Jun 22)
Hi folks! I'm happy to report that the Nmap 6.00 release
(http://nmap.org/6 ) last month was a huge success, with hundreds of
thousands of downloads and a bunch of positive articles and reviews.
But any release this big is going to uncover a few issues, so we've
released Nmap 6.01 to address them. This should also appease the more
conservative users who always wait for the first patch update before
installing a major software release....
Nmap 6 Released!
Fyodor (May 21)
Hi folks! After almost three years of work, 3,924 code commits, and
more than a dozen point releases since Nmap 5, I'm delighted to
announce the release of Nmap 6! It includes a more powerful Nmap
Scripting Engine, 289 new scripts, better web scanning, full IPv6
support, the Nping packet prober, faster scans, and much more!
For the top 6 improvements in Nmap 6, see the release notes:
http://nmap.org/6
Or you can go straight to the...
Last Chance to Apply for the Nmap/Google Summer of Code!
Fyodor (Apr 04)
Hi Folks. I'm happy to announce that the Nmap Project has again been
accepted into the Google Summer of Code program. This innovative and
extraordinarily generous program provides $5,000 stipends to college
and graduate students who want to spend the summer improving Nmap!
They gain valuable experience, get paid, strengthen their résumé, and
write code for millions of users.
Previous SoC students helped create the Nmap Scripting Engine,...
Nmap 5.61TEST5 released with 43 new scripts, improved OS & version detection, and more!
Fyodor (Mar 09)
Hi folks! We've been working hard for the last 2 months since
5.61TEST4, and I'm pleased to announce the results: Nmap 5.61TEST5.
This release has 43 new scripts, including new brute forcers for http
proxies, SOCKS proxies, Asterisk IAX2, Membase, MongoDB, Nessus
XMLRPC, Redis, the WinPcap remote capture daemon, the VMWare auth
daemon, and old-school rsync. Better check that your passwords are
strong! Some other fun scripts are...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
[waraxe-2013-SA#105] - Multiple Vulnerabilities in Spider Catalog Wordpress Plugin
come2waraxe (May 22)
[waraxe-2013-SA#105] - Multiple Vulnerabilities in Spider Catalog Wordpress Plugin
===================================================================================
Author: Janek Vind "waraxe"
Date: 22. May 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-105.html
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Spider Catalog is the best WordPress...
[waraxe-2013-SA#104] - Multiple Vulnerabilities in Spider Event Calendar Wordpress Plugin
come2waraxe (May 22)
[waraxe-2013-SA#104] - Multiple Vulnerabilities in Spider Event Calendar Wordpress Plugin
===================================================================================
Author: Janek Vind "waraxe"
Date: 22. May 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-104.html
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Spider Event Calendar is a...
Trend Micro DirectPass 1.5.0.1060 - Multiple Vulnerabilities
Vulnerability Lab (May 22)
Title:
======
Trend Micro DirectPass 1.5.0.1060 - Multiple Vulnerabilities
Date:
=====
2013-05-21
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=894
Article: http://www.vulnerability-lab.com/dev/?p=580
Trend Micro (Reference): http://esupport.trendmicro.com/solution/en-US/1096805.aspx
Trend Micro Solution ID: 1096805
Video: http://www.vulnerability-lab.com/get_content.php?id=951
VL-ID:
=====
894
Common...
VUPEN Security Research - Microsoft Internet Explorer 10-9 Object Confusion Sandbox Bypass (MS13-037 / Pwn2Own)
VUPEN Security Research (May 22)
VUPEN Security Research - Microsoft Internet Explorer 10-9 Object
Confusion Sandbox Bypass (MS13-037 / Pwn2Own)
Website : http://www.vupen.com
Twitter : http://twitter.com/vupen
I. BACKGROUND
---------------------
"Microsoft Internet Explorer is a web browser developed by Microsoft and
included as part of the Microsoft Windows line of operating systems with
more than 60% of the worldwide usage share of web browsers." (Wikipedia)...
VUPEN Security Research - Microsoft Internet Explorer 10-9-8-7-6 VML Remote Integer Overflow (MS13-037 / Pwn2Own)
VUPEN Security Research (May 22)
VUPEN Security Research - Microsoft Internet Explorer 10-9-8-7-6 VML
Remote Integer Overflow (MS13-037 / Pwn2Own)
Website : http://www.vupen.com
Twitter : http://twitter.com/vupen
I. BACKGROUND
---------------------
"Microsoft Internet Explorer is a web browser developed by Microsoft and
included as part of the Microsoft Windows line of operating systems with
more than 60% of the worldwide usage share of web browsers." (Wikipedia)...
[ MDVSA-2013:166 ] krb5
security (May 22)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2013:166
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : krb5
Date : May 21, 2013
Affected: Business Server 1.0, Enterprise Server 5.0
_______________________________________________________________________
Problem...
[slackware-security] kernel (SSA:2013-140-01)
Slackware Security Team (May 21)
[slackware-security] kernel (SSA:2013-140-01)
New Linux kernel packages are available for Slackware 13.37 and 14.0 to fix
a security issue.
Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/linux-3.2.45/*: Upgraded.
Upgraded to new kernels that fix CVE-2013-2094, a bug that can allow local
users to gain a root shell. Be sure to upgrade your initrd and reinstall
LILO after upgrading...
Sony PS3 Firmware v4.31 - Code Execution Vulnerability
Vulnerability Lab (May 21)
Title:
======
Sony PS3 Firmware v4.31 - Code Execution Vulnerability
Date:
=====
2013-05-12
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=767
VL-ID:
=====
767
Common Vulnerability Scoring System:
====================================
6.5
Introduction:
=============
The PlayStation 3 is the third home video game console produced by Sony Computer Entertainment and the successor to the
PlayStation 2 as part of the...
CVE-2013-3496. Local privilege escalation vulnerability in Infotecs products (ViPNet Client\Coordinator, SafeDisk, Personal Firewall)
chudakovma (May 21)
CVE-2013-3496. Local privilege escalation vulnerability in Infotecs products (ViPNet Client\Coordinator, SafeDisk,
Personal Firewall)
CVE reference:
CVE-2013-3496
Credit:
Maksim Chudakov (@MChudakov)
Andrey Kurtasanov(andreykurtasanov () gmail com)
Severity:
Medium
Local\Remote:
Local
Vulnerability Class:
Privilege Escalation
Vendor URL:
http://www.infotecs.biz/
Affected OS:
Windows
Vulnerable systems:
ViPNet Client 3.2.10 (15632) and...
Revision of "IPv6 Stable Privacy Addresses" (Fwd: I-D Action: draft-ietf-6man-stable-privacy-addresses-07.txt)
Fernando Gont (May 21)
Folks,
We have published a revision of our IETF I-D "A method for Generating
Stable Privacy-Enhanced Addresses with IPv6 Stateless Address
Autoconfiguration (SLAAC)".
This revision is available at:
<http://tools.ietf.org/html/draft-ietf-6man-stable-privacy-addresses-07>.
This proposal is key for the mitigation of address-scanning attacks,
while at the same time preventing host-tracking.
Stay tuned for more IPv6 security news...
Defense in depth -- the Microsoft way
Stefan Kanthak (May 21)
Hi @ll,
the "Microsoft Installer" creates for applications installed via an
.MSI the following uninstall information in the Windows registry
(see <http://msdn.microsoft.com/library/aa372105.aspx>):
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall]
"UninstallString"="MsiExec.Exe /X{<GUID>}"
"ModifyPath"="MsiExec.Exe /I{<GUID>}"
Note the unqualified path...
Static analysis tool exposition (SATE) V Call for participation
aure (May 21)
NIST is preparing the fifth Static Analysis Tool Exposition (SATE V). Briefly, participating tool makers run their
static analyzer on a set of programs. Researchers led by NIST analyze the tool reports and present the results and
experiences at a workshop. A detailed plan is available at:
http://samate.nist.gov/SATE.html
We plan to provide test cases by June 3rd. Tool makers will have until August 1st (if at all possible; September 1st at...
CONFidence - May, 28-29, Krakow, Poland - a conference adventure that never stops!
Sławomir Jabs (May 17)
Everything has a story, everything evolves, adapts to changing circumstances
but does your IT Sec strategy evolve with the development of the digital
world?
Are you willing to gamble on the security of your systems?
Join the upcoming CONFidence conference and meet both renowned speakers and
specialists who deal with the IT security on a daily basis. People like,
you, who never stop asking questions and play with risks all the time...
We will...
[slackware-security] ruby (SSA:2013-136-02)
Slackware Security Team (May 17)
[slackware-security] ruby (SSA:2013-136-02)
New ruby packages are available for Slackware 13.1, 13.37, 14.0, and -current
to fix a security issue.
Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/ruby-1.9.3_p429-i486-1_slack14.0.txz: Upgraded.
This update fixes a security issue in DL and Fiddle included in Ruby where
tainted strings can be used by system calls regardless of the $SAFE...
[slackware-security] mozilla-thunderbird x86_64 packages (SSA:2013-136-01)
Slackware Security Team (May 17)
[slackware-security] mozilla-thunderbird x86_64 packages (SSA:2013-136-01)
New mozilla-thunderbird packages are available for Slackware64 13.37 and
14.0. These were accidentally omitted from the last upload.
Here are the details from the Slackware64 14.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-17.0.6-x86_64-1_slack14.0.txz: Upgraded.
Here's the package that was missing from the last batch. The...
Full Disclosure — A lightly moderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately, most of the posts are worthless drivel, so finding the gems takes patience.
SEC Consult whitepaper :: Blackberry Z10 Research Primer - "Dissecting Blackberry 10 - An initial analysis"
SEC Consult Vulnerability Lab (May 23)
SEC Consult Vulnerability Lab released a new whitepaper titled:
Blackberry Z10 Research Primer - "Dissecting Blackberry 10 - An
initial analysis"
Abstract:
---------
In 2013, Blackberry has presented a brand new operating system which
significantly differs from others presented on the smartphone market.
A very high security level is announced, and the expectations are
corresponding. Some analytics consider this as the last chance for...
SEC Consult SA-20130523-0 :: JavaScript Execution in IBM WebSphere DataPower Services
SEC Consult Vulnerability Lab (May 23)
SEC Consult Vulnerability Lab Security Advisory < 20130523-0 >
=======================================================================
title: JavaScript Execution in WebSphere DataPower Services
product: IBM WebSphere DataPower Integration Appliance XI50
vulnerable version: 3.8.2, 4.0, 4.0.1, 4.0.2, 5.0.0
fixed version: not available, config changes
CVE number: CVE-2013-0499
impact:...
[ANN] Struts 2.3.14.1 GA (fast track | security)
Lukasz Lenart (May 23)
The Apache Struts group is pleased to announce that Struts 2.3.14.1 is
available as a "General Availability" release. The GA designation is
our highest quality grade.
Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.
Two security issues were...
Re: Sony PS3 Firmware v4.31 - Code Execution Vulnerability
Julius Kivimäki (May 23)
Doubt it, PS3 doesn't really seem to have the concept of "system commands".
2013/5/22 Milan Berger <m.berger () project-mindstorm net>
Re: Pentesting Distributions or Projects for Raspberry Pi
Jay Turla (May 23)
Hey, that's nice dude :)
Thanks for the link!
~Jay
[waraxe-2013-SA#104] - Multiple Vulnerabilities in Spider Event Calendar Wordpress Plugin
Janek Vind (May 23)
[waraxe-2013-SA#104] - Multiple Vulnerabilities in Spider Event Calendar Wordpress Plugin
===================================================================================
Author: Janek Vind "waraxe"
Date: 22. May 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-104.html
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Spider Event Calendar is a...
[waraxe-2013-SA#105] - Multiple Vulnerabilities in Spider Catalog Wordpress Plugin
Janek Vind (May 23)
[waraxe-2013-SA#105] - Multiple Vulnerabilities in Spider Catalog Wordpress Plugin
===================================================================================
Author: Janek Vind "waraxe"
Date: 22. May 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-105.html
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Spider Catalog is the best WordPress...
Re: Pentesting Distributions or Projects for Raspberry Pi
Carlos Pantelides (May 23)
Jay:
and installer kits for Raspberry PI aside from the distributions and
kits mentioned in this article:
http://resources.infosecinstitute.com/pentesting-distributions-and-installer-kits-for-your-raspberry-pi/ ?
Nice link.
I've added a slight modification to w3af in order to turn on and off some leds and give feedback in a head-less
uncontrolled scan scenario.
http://seguridad-agile.blogspot.com/2013/05/w3af-on-raspberry-pi.html...
[SECURITY] [DSA 2672-1] kfreebsd-9 security update
Florian Weimer (May 22)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2672-1 security () debian org
http://www.debian.org/security/ Florian Weimer
May 22, 2013 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : kfreebsd-9
Vulnerability : interpretation conflict
Problem...
[SECURITY] [DSA 2671-1] request-tracker4 security update
Salvatore Bonaccorso (May 22)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2671-1 security () debian org
http://www.debian.org/security/ Salvatore Bonaccorso
May 22, 2013 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : request-tracker4
Vulnerability : several
Problem type :...
[SECURITY] [DSA 2670-1] request-tracker3.8 security update
Salvatore Bonaccorso (May 22)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2670-1 security () debian org
http://www.debian.org/security/ Salvatore Bonaccorso
May 22, 2013 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : request-tracker3.8
Vulnerability : several
Problem type...
Re: Sony PS3 Firmware v4.31 - Code Execution Vulnerability
Milan Berger (May 22)
Hi,
didn't test the POC yet, but I guess the fun is here:
Injecting system commands..
Pentesting Distributions or Projects for Raspberry Pi
Jay Turla (May 22)
Hey there guys,
Do you know other projects, distributions, and installer kits for Raspberry
PI aside from the distributions and kits mentioned in this article:
http://resources.infosecinstitute.com/pentesting-distributions-and-installer-kits-for-your-raspberry-pi/
?
I am very much interested in trying out new projects :)
Also lately I have been addicted to RetroPie (
https://github.com/petrockblog/RetroPie-Setup) ahahhaha although it is not...
Re: Sony PS3 Firmware v4.31 - Code Execution Vulnerability
Julius Kivimäki (May 22)
So, wanna tell me what exactly is critical about you being able to inject
marquee tags into your savefile names?
2013/5/21 Vulnerability Lab <research () vulnerability-lab com>
Re: exploitation ideas under memory pressure
You Got Pwned (May 22)
Hey Tavis,
very interesting work! You're right: the list is getting worse every year.
So keep going!!!
2013/5/20 Tavis Ormandy <taviso () cmpxchg8b com>
Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
Re: secure and simple file server
ugochukwu . egerue (Mar 29)
Hi Peter,
If AD cannot be used to implement the necessary security around your folders, then you need a third party folder/files
security solution. There are many of them in the market ranging from the low ends to high solutions like Imperva FAM.
Use google to do some research on it.
Good luck!,
Ugo
Sent from my BlackBerry wireless device from MTN
-----Original Message-----
From: Peter Odigie <peterquid () gmail com>
Sender:...
Re: secure and simple file server
Ansgar Wiechers (Mar 29)
File system permissions:
------------------------
Grant read access on the parent folder to "Authenticated Users" or
"Everyone", and have the subfolders inherit that ACL. Grant full control
on each immediate child folder to just the user who is supposed to be
able to write to it.
Share permissions:
------------------
Share the parent folder and grant full control to "Authenticated Users"
or "Everyone"....
secure and simple file server
Peter Odigie (Mar 29)
Hi All!
I will like to get your suggestions.
I have been asked to set up a file server on a windows OS not using
any active directory stuff. Just a simple file sharing stuff in which:
Person A will be the only one to put a file into Folder A but will
also be able to get files from Folder B & C. And the same will hold
for person B and person C - a folder can only be edited by a
particular person/group but all can access and get files from...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
RE: WASC Announcement: Static Analysis Technologies Evaluation Criteria Published
Debasis Mohanty (May 19)
Good initiative! I feel one of the important elements that is missing is the
"scoring mechanism". Based on what would you distinguish one product from
the other?
I created similar evaluation criteria nearly 7-8 years back for evaluating
SCA products using a QFD. That was the time I was introduced to 6-sigma and
thought a QFD is a best approach to have appropriate scoring for various
pilot parameters. However I never released it to the...
CONFidence - May, 28-29, Krakow, Poland - a conference adventure that never stops!
Sławomir Jabs (May 19)
Everything has a story, everything evolves, adapts to changing circumstances
but does your IT Sec strategy evolve with the development of the digital
world?
Are you willing to gamble on the security of your systems?
Join the upcoming CONFidence conference and meet both renowned speakers and
specialists who deal with the IT security on a daily basis. People like,
you, who never stop asking questions and play with risks all the time...
We will...
[HITB-Announce] HITB Magazine Issue 010
Hafez Kamal (May 14)
Hi everyone,
A small reminder that article submissions for HITB Magazine Issue 010
are due tomorrow (15th May 2013). If you're interested in submitting
please send your > 3000 word article to editorial () hackinthebox org
Topics of interest include, but are not limited to the following:
Next generation attacks and exploits
Apple / OS X security vulnerabilities
SS7/Backbone telephony networks
VoIP security
Data...
SpiderFoot 2.0 released
Steve Micallef (May 10)
Hi everyone,
SpiderFoot is a free, open-source footprinting tool, enabling you to
perform various scans against a given domain name in order to obtain
information such as sub-domains, e-mail addresses, owned netblocks, web
server versions and so on. The main objective of SpiderFoot is to
automate the footprinting process to the greatest extent possible,
freeing up a penetration tester's time to focus their efforts on the
security...
WASC Announcement: Static Analysis Technologies Evaluation Criteria Published
announcements (May 10)
The Web Application Security Consortium (WASC) is pleased to announce the
Static Analysis Technologies Evaluation Criteria. The goal of the SATEC
project is to create a vendor-neutral set of criteria to help guide
application security professionals during the process of acquiring a
static code analysis technology that is intended to be used during
source-code driven security programs. This document provides a
comprehensive list of criteria that...
Ruxcon 2013 Call For Papers
cfp (May 07)
Ruxcon 2013 Call For Presentations
Melbourne, Australia, October 26th-27th
CQ Function Centre
http://www.ruxcon.org.au/call-for-papers/
The Ruxcon team is pleased to announce the Call For Presentations for Ruxcon 2013.
This year the conference will take place over the weekend of the 26th and 27th
of October at the CQ Function Centre, Melbourne, Australia.
.[x]. About Ruxcon .[x].
Ruxcon is a premier technical computer security conference...
[TOOL] TOPERA v2 released
cr0hn (May 07)
Hi everybody,
We just released TOPERA v2:
TOPERA is a new security tool for IPv6, with the particularity that their attacks can't be detected by Snort.
This new version of TOPERA includes these improvements:
1 - Slow HTTP attacks (Slowloris over IPv6).
2 - Improved TCP port scanner.
New project page:
http://toperaproject.github.io/topera/
Regards!...
[HITB-Announce] #HITB2013KUL Call for Papers
Hafez Kamal (May 01)
Hi everyone - This is a Call for Papers for the 11th annual HITB
Security Conference in Malaysia, #HITB2013KUL which takes place on the
16th and 17th of October in Kuala Lumpur.
Keynote speakers for the conference will be Joe Sullivan (Chief Security
Officer, Facebook) and Andy Ellis (Chief Security Officer, Akamai)
We're looking for talks that are highly technical, but most importantly,
material which is new and cutting edge. Submissions...
Breakpoint 2013 Call For Papers
cfp (May 01)
Breakpoint 2013 Call For Papers
Melbourne, Australia, October 24th-25th
Intercontinental Rialto
http://www.ruxconbreakpoint.com
.[x]. Introduction .[x].
The Ruxcon team is pleased to announce Call For Papers for Breakpoint 2013.
Breakpoint showcases the work of expert security researchers from around the
world on a wide range of topics. This conference is organised by the Ruxcon
team and offers a specialised security conference to...
Arachni v0.4.2 has been released (Open Source Web Application Security Scanner Framework)
Tasos Laskos (Apr 29)
Hey folks,
This is just to let you know that there's a new version of Arachni.
Arachni is a modular and high-performance (Open Source) Web Application Security Scanner Framework written in Ruby.
The change-log is quite sizeable but the gist is:
* Brand new web interface -- allowing for team collaboration.
* Significant decreases in memory usage.
* Issue remarks – Providing extra context to logged issues.
* Improved payloads...
TXDNS v2.4 released
Arley Silveira (Apr 17)
TXDNS v 2.4 is out and available to download from
http://txdns.net/
This new version adds support for reverse grinding.
Ex:
txdns -r 10-20.1.60-70.1-254,192.168.15.0/24
Cheers
Arley Silveira.
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without...
A survey on quantifying severity of vulnerabilities in softwares
Khalid Khan Afridi (Apr 17)
Hello!
I am currently performing my master thesis on the topic of quantifying the
severity of
software vulnerabilities.
As you have done significant work in this area, I would be glad if you
could spare a few
minutes of your time to answer a survey on the topic. It should not
require more than 15-20
minutes to complete.
The survey can be found at: http://secsurvey.ics.kth.se/index.php
Thank you for your attention!
Best Regards,
Khalid Khan...
Hackersh 0.1 Release Announcement
Itzik Kotler (Apr 03)
Hi All,
I am pleased to announce the first version of Hackersh
(http://www.hackersh.org).
Hackersh ("Hacker Shell") is a free and open source shell (command
interpreter) written in Python with built-in security commands, and
out-of-the-box wrappers for various security tools, using Pythonect as
its scripting engine. Pythonect is a new, experimental,
general-purpose high-level dataflow programming language based on
Python. It aims to...
Info Security News — Carries news items (generally from mainstream sources) that relate to security.
Cyber Recruiting, Country Music Style
InfoSec News (May 23)
http://www.nextgov.com/cybersecurity/cybersecurity-report/2013/05/cyber-recruiting-country-music-style/63434/
[If you're looking for skilled cybersecurity experts, Please visit
http://jobs.infosecnews.org/ - WK]
By Jessica Herrera-Flanigan
Nextgov.com
May 22, 2013
The need for skilled cybersecurity experts continues to be a priority for the
U.S. government, the private sector and academia.
Since the need for a skilled workforce has...
'Hacking' Journalists Case Dredges Up Security Research Legal Debates
InfoSec News (May 23)
http://www.darkreading.com/attacks-breaches/hacking-journalists-case-dredges-up-secu/240155428
By Ericka Chickowski
DarkReading.com
May 22, 2013
A legal storm is brewing between researchers who uncovered a cache of sensitive
information about 170,000 consumers through a Google search and the company
which left the information freely available online. It sounds like the typical
disclosure scuffle that the security research community has come...
Former Elgin deputy police chief charged with identity theft, misconduct
InfoSec News (May 23)
http://www.chicagotribune.com/news/local/suburbs/elgin/chi-former-elgin-deputy-police-chief-charged-with-identity-theft-misconduct-20130521,0,548860.story
By Kate Thayer
Tribune reporter
May 21, 2013
A former high-ranking Elgin police officer and current Stockton police
chief was indicted Tuesday on charges he used a law enforcement database
to hack into an e-mail account and get personal information, according
to Kane County prosecutors....
Sharyl Attkisson's computers compromised
InfoSec News (May 23)
http://www.politico.com/blogs/media/2013/05/sharyl-attkissons-computers-compromised-164456.html
By Dylan Byers
Politico.com
5/21/13
Sharyl Attkisson, the Emmy-award winning CBS News investigative
reporter, says that her personal and work computers have been
compromised and are under investigation.
"I can confirm that an intrusion of my computers has been under some
investigation on my end for some months but I'm not prepared to...
ToorCon Seattle CFP & Registration
InfoSec News (May 23)
http://seattle.toorcon.net/cfp/
Call For Papers
Papers and presentations are being accepted for ToorCon Seattle to be held at
Neumos and around the city in Seattle, WA on July 5th-7th, 2013. To submit a
talk to ToorCon Seattle, please fill out the submission form below. Submissions
will be accepted until June 21st, 2013.
Submission of Papers
ToorCon only accepts papers on new technologies and methodologies that have
been recently...
U.S. power companies under frequent cyberattack
InfoSec News (May 23)
https://www.computerworld.com/s/article/9239442/U.S._power_companies_under_frequent_cyberattack
By Jeremy Kirk
IDG News Service
May 21, 2013
A survey of U.S. utilities shows many are facing frequent cyberattacks
that could threaten a highly interdependent power grid supplying more
than 300 million people, according to a congressional report.
More than a dozen utilities said cyberattacks were daily or constant,
according to the survey,...
Hackers Find China Is Land of Opportunity
InfoSec News (May 23)
http://www.nytimes.com/2013/05/23/world/asia/in-china-hacking-has-widespread-acceptance.html
By EDWARD WONG
The New York Times
May 22, 2013
BEIJING -- Name a target anywhere in China, an official at a state-owned
company boasted recently, and his crack staff will break into that
person’s computer, download the contents of the hard drive, record the
keystrokes and monitor cellphone communications, too.
Pitches like that, from a salesman...
How anticipating a health data breach can boost security
InfoSec News (May 21)
http://healthitsecurity.com/2013/05/20/how-anticipating-a-health-data-breach-can-boost-security/
By Patrick Ouellette
Health IT Security
May 20, 2013
A healthcare chief information officer (CIO) saying that he expects to
experience a health data breach is not only unusual, but may produce
shock and awe in some parts of the healthcare industry. However, having
this type of outlook, regardless of whether the CIO ends up having to
deal with a...
Hackers Who Breached Google in 2010 Accessed Company's Surveillance Database
InfoSec News (May 21)
http://www.wired.com/threatlevel/2013/05/google-surveillance-database/
By Kim Zetter
Threat Level
Wired.com
05.20.13
Hackers who breached Google’s network in 2010 obtained access to the company’s
system for tracking surveillance requests from law enforcement, according to a
news report.
The hackers gained access to a database that Google used to process court
orders from law enforcement agencies seeking information about customer...
Hunting for Syrian Hackers' Chain of Command
InfoSec News (May 21)
http://www.nytimes.com/2013/05/18/technology/financial-times-site-is-hacked.html
By NICOLE PERLROTH
The New York Times
May 17, 2013
It’s the question of the moment inside the murky realm of cybersecurity: Just
who -- or what -- is the Syrian Electronic Army?
The hacking group that calls itself the S.E.A. struck again on Friday, this
time breaking into the Twitter accounts and blog headlines of The Financial
Times. The attack was part of a...
Defending Caribbean Networks
InfoSec News (May 20)
http://www.guardian.co.tt/business/2013-05-19/defending-caribbean-networks
By Gerard Best
Guardian Newspaper
May 19, 2013
Recent attacks on Caribbean computer networks by Internet hackers should
be a major concern for Caribbean businesses and governments.
“Computer hacking is a global problem," technology expert Bevil Wooding
said at the fifth regional meeting of the Caribbean Network Operators
Group (CaribNOG) in Bridgetown,...
Countdown clock begins for Singapore data compliance
InfoSec News (May 20)
http://www.zdnet.com/sg/countdown-clock-begins-for-singapore-data-compliance-7000015492/
By Bryan Tan
Tech Legal
ZDNet.com
May 20, 2013
The date all data protection compliance project teams in Singapore have
been waiting for has been announced. July 2, 2014, is D-Day when
Personal Data Protection Act will come into effect and when
organizations will need to complete data inventory mapping, process
audits, staff training, and publication of...
Chinese Hackers Resume Attacks on U.S. Targets
InfoSec News (May 20)
http://www.nytimes.com/2013/05/20/world/asia/chinese-hackers-resume-attacks-on-us-targets.html
By DAVID E. SANGER and NICOLE PERLROTH
The New York Times
May 19, 2013
WASHINGTON -- Three months after hackers working for a cyberunit of China’s
People’s Liberation Army went silent amid evidence that they had stolen data
from scores of American companies and government agencies, they appear to have
resumed their attacks using different...
DDoS-for-hire service works with blessing of FBI, operator says
InfoSec News (May 20)
http://arstechnica.com/security/2013/05/ddos-for-hire-service-works-with-blessing-of-fbi-operator-says/
By Dan Goodin
Ars Technica
May 19 2013
A website that accepts payment in exchange for knocking other sites
offline is perfectly legal, the proprietor of the DDoS-for-hire service
says. Oh, it also contains a backdoor that's actively monitored by the
FBI.
Ragebooter.net is one of several sites that openly accepts requests to
flood...
Mapping Compliance Proof To Risk-Based Controls
InfoSec News (May 20)
http://www.darkreading.com/compliance/mapping-compliance-proof-to-risk-based-c/240155092
By Ericka Chickowski
Dark Reading
May 17, 2013
For years now, the risk management gurus of the world have lamented the
scourge of check-box compliance, urging organizations to make more
security decisions based on sound risk management. The philosophy is
that risk-based decisions generally yield more compliant environments:
if an organization manages...
Firewall Wizards — Tips and tricks for firewall administrators
Re: Linked-in and its Phishing-like contacts option!
lordchariot (May 01)
Yeah, I was trying to make this non-product specific, but most vendors can actually do this to some degree or another.
Here's how we do it on my product:
https://mcafee.box.com/MWG7-FeatureDemo-Part2
The problem with doing it at a network layer with an IDS is the SSL decryption. Almost everything nowadays is HTTPS, so
it's game over if you cannot open up the encryption.
e²
_____________________________________
From:...
Re: Linked-in and its Phishing-like contacts option!
Jon Robinson (May 01)
It's not free but Palo Alto Networks does this. You can search here to see
which applications/sites they can control:
http://apps.paloaltonetworks.com/applipedia/
Jon Robinson
Digital Scepter
desk (951) 461-7868
mobile (562) 682-0821
jon () digitalscepter com
Re: Linked-in and its Phishing-like contacts option!
Mathew Want (May 01)
Read only access to the sites. I like that idea a lot.
Has anyone else come across this requirement or found a good way to do it
at a control point level? Perhaps at the IDS layer?
M@
Re: OpenBSD IPSEC VPN question
Chris Buechler (May 01)
You can, but that's a different circumstance. That would be IPsec
transport mode, which in combination with gif, GRE or similar
tunneling indeed doesn't have such requirements/quirks since there is
a route in the routing table in that case. Tunnel mode is more common,
which is what's applicable to the subject of this thread. Routing
table changes have no impact on whether traffic in BSD traverses a
tunnel mode IPsec connection,...
Re: OpenBSD IPSEC VPN question
Paul D. Robertson (May 01)
It's been a while since I've done it, but Linux used to make an ipsec0 interface that was handled with the standard
routing table. Possibly in *BSD you need to use a gre or gif tunnel to achieve the same thing?
Paul
Re: OpenBSD IPSEC VPN question
Chris Buechler (May 01)
This is true of all the BSDs with IPsec (and maybe Linux and other
*nix OSes but not sure of those). Traffic that doesn't have a specific
source IP set gets the source IP that's closest to the destination per
the routing table. IPsec doesn't have a routing table entry, traffic
follows the SPD. So it ends up getting the IP that's nearest the
default gateway, which is most always a public IP, which is most
always not going to...
Re: OpenBSD IPSEC VPN question
David Lang (Apr 30)
That's what I would expect as well, but the person reporting the problem is
claiming that this is not the case on OpenBSD, that there are no routes visible
and connections _from_ the firewall need to explicitly set their source IP
address.
This doesn't sound right to me, but I am not an OpenBSD expert.
David Lang
Re: OpenBSD IPSEC VPN question
Paul D. Robertson (Apr 30)
I'd expect a connect() to bind implicitly to IP_ADDR_ANY and have the system fill in the source address by default
based on the destination route if the client doesn't specify an explicit bind address and for traffic destined to go
through the VPN to do so- it sounds like it doesn't- but without more data, I'd be wary of troubleshooting it (NAT,
filtering...)
However, I'd also advocate being able to explicitly set the...
Breakpoint 2013 Call For Papers
cfp (Apr 30)
Breakpoint 2013 Call For Papers
Melbourne, Australia, October 24th-25th
Intercontinental Rialto
http://www.ruxconbreakpoint.com
.[x]. Introduction .[x].
The Ruxcon team is pleased to announce Call For Papers for Breakpoint 2013.
Breakpoint showcases the work of expert security researchers from around the
world on a wide range of topics. This conference is organised by the Ruxcon
team and offers a specialised security conference to...
Re: OpenBSD IPSEC VPN question
Bennett Todd (Apr 30)
When you've got a vpn up, you're multi-homed, the Unix way for a client to
choose a network to use, when there are multiple choices, is to specify the
src ip to bind to.
I think that's the behavior I'd expect anywhere.
Re: Linked-in and its Phishing-like contacts option!
David Lang (Apr 30)
When you say turn off webmail, do you mean to cut off access to public webmail
servers from inside your network? Or do you mean to not run things like OWA that
expose your company mail to the Internet?
David Lang
Re: Proxy advantage
David Lang (Apr 30)
If you start with the premise that the only thing that's a firewall is a packet
filter, especially with deep packet inspection being optional, then you are
going to be in rather bad shape.
I have run a fairly large organization with proxy firewalls (800+ people, 100+
separate networks), it can be done. In some areas it bypasses whole classes of
problems.
Even for user desktops you can do it, but you need to get a good proxy, not just...
Re: firewall-wizards Digest, Vol 64, Issue 3 phishing
David Lang (Apr 30)
Except with the "Cloud" you as an organization give up a lot of the tools that
have been used in the past to secure things.
Plus, you have the DevOps approach being misinterpreted by management to mean
"engineers can do everything, they can bypass those annoying ops and security
folks to get things done"
It's going to be an interesting few years as everyone learns that you still need
admins and security folks in the...
Re: Linked-in and its Phishing-like contacts option!
lordchariot (Apr 30)
I have a lot of requests from customers to try to make the web read-only. The main use cases are for social network,
blogs/wikis, and commenting on posts. The fundamental ways to do this are to 1) have MITM SSL decryption, and 2) block
the POST method for specific sites. Most commercial proxies can do this and even squid does SSL MITM.
By blocking POST to certain categories of sites and only allowing the POST for the */logon pages, users can...
OpenBSD IPSEC VPN question
David Lang (Apr 30)
I'm seeing some odd reports on the rsyslog mailing list where someone is claiming
that when using an IPSEC VPN on OpenBSD they have to explicitly set the source
IP address for all connections out from the firewall (tunnel endpoint) or else
the connection won't go through the tunnel. The person reporting this is
proposing modifications to rsyslog to have it force the local IP address for
outbound connections as a work-around for this...
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
CONFidence - May, 28-29, Krakow, Poland - a conference adventure that never stops!
Sławomir Jabs (May 17)
Everything has a story, everything evolves, adapts to changing circumstances
but does your IT Sec strategy evolve with the development of the digital
world?
Are you willing to gamble on the security of your systems?
Join the upcoming CONFidence conference and meet both renowned speakers and
specialists who deal with the IT security on a daily basis. People like,
you, who never stop asking questions and play with risks all the time...
We will...
RE: WASC Announcement: Static Analysis Technologies Evaluation Criteria Published
Debasis Mohanty (May 17)
Good initiative! I feel one of the important elements that is missing is the
"scoring mechanism". Based on what would you distinguish one product from
the other?
I created similar evaluation criteria nearly 7-8 years back for evaluating
SCA products using a QFD. That was the time I was introduced to 6-sigma and
thought a QFD is a best approach to have appropriate scoring for various
pilot parameters. However I never released it to the...
[HITB-Announce] HITB Magazine Issue 010
Hafez Kamal (May 14)
Hi everyone,
A small reminder that article submissions for HITB Magazine Issue 010
are due tomorrow (15th May 2013). If you're interested in submitting
please send your > 3000 word article to editorial () hackinthebox org
Topics of interest include, but are not limited to the following:
Next generation attacks and exploits
Apple / OS X security vulnerabilities
SS7/Backbone telephony networks
VoIP security
Data...
WASC Announcement: Static Analysis Technologies Evaluation Criteria Published
announcements (May 11)
The Web Application Security Consortium (WASC) is pleased to announce the
Static Analysis Technologies Evaluation Criteria. The goal of the SATEC
project is to create a vendor-neutral set of criteria to help guide
application security professionals during the process of acquiring a
static code analysis technology that is intended to be used during
source-code driven security programs. This document provides a
comprehensive list of criteria that...
SpiderFoot 2.0 released
Steve Micallef (May 06)
Hi everyone,
SpiderFoot is a free, open-source footprinting tool, enabling you to
perform various scans against a given domain name in order to obtain
information such as sub-domains, e-mail addresses, owned netblocks, web
server versions and so on. The main objective of SpiderFoot is to
automate the footprinting process to the greatest extent possible,
freeing up a penetration tester's time to focus their efforts on the
security...
[HITB-Announce] #HITB2013KUL Call for Papers
Hafez Kamal (May 01)
Hi everyone - This is a Call for Papers for the 11th annual HITB
Security Conference in Malaysia, #HITB2013KUL which takes place on the
16th and 17th of October in Kuala Lumpur.
Keynote speakers for the conference will be Joe Sullivan (Chief Security
Officer, Facebook) and Andy Ellis (Chief Security Officer, Akamai)
We're looking for talks that are highly technical, but most importantly,
material which is new and cutting edge. Submissions...
Breakpoint 2013 Call For Papers
cfp (May 01)
Breakpoint 2013 Call For Papers
Melbourne, Australia, October 24th-25th
Intercontinental Rialto
http://www.ruxconbreakpoint.com
.[x]. Introduction .[x].
The Ruxcon team is pleased to announce Call For Papers for Breakpoint 2013.
Breakpoint showcases the work of expert security researchers from around the
world on a wide range of topics. This conference is organised by the Ruxcon
team and offers a specialised security conference to...
Arachni v0.4.2 has been released (Open Source Web Application Security Scanner Framework)
Tasos Laskos (Apr 29)
Hey folks,
This is just to let you know that there's a new version of Arachni.
Arachni is a modular and high-performance (Open Source) Web Application Security Scanner Framework written in Ruby.
The change-log is quite sizeable but the gist is:
* Brand new web interface -- allowing for team collaboration.
* Significant decreases in memory usage.
* Issue remarks – Providing extra context to logged issues.
* Improved payloads...
Administrivia - slow moderation this week
Andrew van der Stock (Apr 28)
Hi all,
I'm going to be in Milan this week.
Not that there are many messages to moderate, but moderation will be
iffy / slow this next week, particularly during the bits where various
planes are flapping their wings and going "whoosh".
Normal moderation service will resume May 5.
thanks,
Andrew
A survey on qunatifying severity of vulnerabilities in softwares
Khalid Khan Afridi (Apr 18)
Hello!
I am currently performing my master thesis on the topic of quantifying the
severity of software vulnerabilities.
As you have done significant work in this area, I would be glad if you
could spare a few minutes of your time to answer a survey on the topic.
It should not require more than 15-20 minutes to complete.
The survey can be found at: http://secsurvey.ics.kth.se/index.php
Thank you for your attention!
Best Regards,
Khalid Khan...
Defcon DCG Kerala Information Security Meet 2013
Ajin Abraham (Apr 07)
Defcon DCG Kerala Information Security Meet 2013
=====================================
Defcon DCG Kerala (DC0497) is a Defcon USA registered group for
promoting and demonstrating research and development in the field of
Information Security. We are a group of Information Security
Enthusiasts actively interested in promoting information security.
Defcon Kerala Information Security Meet will be a platform for
security analysts, ethical hackers,...
c0c0n 2013 - Call For Papers and Call For Workshops
c0c0n International Information Security Conference (Apr 06)
###################################################
c0c0n 2013 - Call For Papers and Call For Workshops
###################################################
August 22-24, 2013 -...
winAUTOPWN v3.4 Released - Completing 4 years !!
QUAKER DOOMER (Mar 27)
Dear all,
This is to announce release of winAUTOPWN version 3.4.
Conceived and released in 2009, WINDOWS AUTOPWN grows strong completing its 4th year.
Visit: http://winautopwn.co.nr
++++++++++++++++++++
About winAUTOPWN:
winAUTOPWN is a unique exploit framework which aids in auto (hacking) / shell gaining as well as in exploiting
vulnerabilities to conduct Remote Command Execution, Remote File/Shell Upload, Remote File Inclusion and...
Unauthorized Access: Bypassing PHP strcmp()
Danux (Mar 03)
Hope you enjoy it.
http://danuxx.blogspot.com/2013/03/unauthorized-access-bypassing-php-strcmp.html
NoSuchCon CFP 2.0 / 15-17 May 2013 / Paris, France
Jonathan Brossard (Feb 25)
*******************************************************************************
PARENTAL ADVISORY: 100% technical content
*******************************************************************************
+--------------------------------------------------------------+
= =
= NoSuchCon - CFP 2.0 =
=...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Starters.
Dave Aitel (May 23)
And....we're back!
I got a few emails asking where DD went, and the answer is "after
INFILTRATE there's lots of work to do". We'll have quite a few
announcements and blog posts and dissertations on social insects and
their relationship to trojan protocols coming in the following days!
For a starter, this blog post is a good morning read!...
WhiteHat Security report, or what use is SCA for web apps?
Vitaly Osipov (May 23)
A while ago I've read an article absolutely not about security but
about how great it is to work in small friendly teams -
http://pragprog.com/magazines/2012-12/agile-in-the-small
It contains an awesome quote:
"...most best practices are just crutches for having a heterogeneous
skill mix in one’s team."
Please hold that quote in mind while I turn to the figures recently
released by WhiteHat Security
(...
D2Sec's Elliot
Dave Aitel (May 06)
http://www.d2sec.com/news/driving_d2_elliot_with_immunity_canvas.html
There's a lot of different kinds of exploits - and many people ignore
the web exploits that are not for Wordpress. This is usually a mistake
because, especially as we look at #OpUSA and #OpIsreal and the like, a
lot of people are running all sorts of web applications with all sorts
of esoteric web vulnerabilities on them. Which is why our close and
continuing friends over...
SyScan 2013
Dave Aitel (May 02)
It's really only after you finish writing a keynote that you know what
it's about. In a sense, everyone around you writes it with you as you
talk through it with people. The one I delivered at SyScan itself was
funnier. . . although even so, not very funny. Not everything is funny!
Even things that include Buffy.
"Things Buffy the Vampire Slayer Taught Me About CyberWar - SyScan 2013
Keynote)"...
Yet Another Java Security Warning Bypass
Esteban Guillardoy (Apr 25)
Hi everyone!
I wrote a blog post about another Java Security Warning Bypass that
you may find interesting ;)
Just go to the Immunity blog and enjoy:
http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html
Cheers
Esteban
Answering Lurene's Question
Dave Aitel (Apr 21)
So the kids are in NY so I've gotten a full night's sleep for the first
time in about a while, and parts of my brain I didn't realize were
malfunctioning now have blood and oxygen and whatever soupy hormones
they need to start sparking back up. I'm working on my SyScan talk,
which is due next week, so I wanted to warm up by answering a question
for Lurene.
----
Imagine it's 2030 and we finally understand a few things...
Students teaching trainers
Alex McGeorge (Apr 17)
Aloha list,
We do a lot of teaching at Immunity and it's something I think we've
gotten pretty good at over the years. Part of improving your teaching
offerings is doing some hard reflection on what did and didn't work for
the most recent class which is what we're in the process of doing for
web hacking right now. Most of those lessons only make sense from an
internal perspective but there are some things that other people...
Re: Linux Hangman Rules
Michal Zalewski (Apr 17)
[lcamtuf () raccoon ~]$ gdb
(gdb) shell id
uid=500(lcamtuf) gid=500(lcamtuf) groups=100(users),500(lcamtuf)
Oh no!
/mz
Linux Hangman Rules
Dave Aitel (Apr 17)
http://blog.ioactive.com/2013/04/can-gdbs-list-source-code-be-used-for.html
So reading the above blog is amusing for many reasons. But it did make a
lot of people sit around looking at the funniest games you could play on
modern Linux. For example, Linux Hangman.
Linux Hangman Rules
You take turns putting setuid root onto files in /usr/bin /usr/sbin/,
etc. and if your opponent can use that to get root, even via a
convoluted scenario, then you...
Re: Recent experiences with ZDI?
Jim Manico (Apr 17)
Here is a pretty comprehensive list of bug bounty programs to help kick
start the conversation.
http://bugcrowd.com/list-of-bug-bounty-programs/
- Jim
Recent experiences with ZDI?
patrick patrick (Apr 15)
Hi guys,
I haven't had dealings with ZDI in years, but I've heard some rumors of
people getting screwed over by them recently.
Can somebody confirm or deny this?
Is there currently a safe&legal alternative to get rewarded for bughunting?
Thanks
P
Android Application (Dalvik) Memory Analysis & the Chuli Malware
Joe Sylve (Apr 15)
Hello,
We wanted to take the opportunity to point you to a blog post which gives a
preview of some of the research we've been working on at 504ENSICS Labs in
the area of Android memory analysis. We think our results will be of great
interest to the DFIR community and look forward to your feed back.
The blog post can be found here:
http://www.504ensics.com/android-application-dalvik-memory-analysis-the-chuli-malware/
---
Joe T. Sylve,...
top game
Dave Aitel (Mar 22)
In some parallel universe you can hear Yoda say to a younger Disciple,
"How are you going to control EIP if you can't even control your own anger?"
Perhaps not Yoda. Perhaps Halvar.
Regardless, if for whatever reason you wanted to hear more about
Brazilian Jiu Jitsu or INFILTRATE, then you can hit up the podcast I did
this morning with Ryan Naraine
here:...
Gifts
Dave Aitel (Mar 21)
Angel <http://en.wikipedia.org/wiki/Angel_%28Buffyverse%29>: And
Buffy, be careful with this gift. A lot of things that seem strong
and good and powerful, they can be painful.
Buffy <http://en.wikipedia.org/wiki/Buffy_Summers>: Like, say...
immortality?
Angel: Exactly. I'm dying to get rid of that.
We put the 32 bit (or we will shortly) version of the PTRACE exploit
into CANVAS Early Updates. I know there...
Re: RSA
Shawn (Mar 21)
I put these slides into one tar file:
http://hfg-resources.googlecode.com/files/RSA-US-2013.tar.bz2
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
Re: SQL cheat sheat
Joel Gunderson (May 23)
Additionally, not necessarily related directly to SQL injection, but make
sure that there is a sufficient authentication/authorization framework in
place, if possible. This will help reduce the threat population to begin
with.
Re: Avoiding IPS Detection
Wicked Clown (May 22)
I am not 100% sure about probing networks, but here are some ways to bypass
IPS/IDS in general that works against some big hitters:
1) send the protocol over a different allowed port, for example.. use FTP
over MYSQL.
2) Most IPS/IDS will ignore the first 4k of data on network, so if you send
data out of the network just do it in 3k chunks, yes you will have to keep
re-establish the connection.. but if you do a snatch and grab for example
the...
GPS tracking devices
Jesse Gardner (May 22)
Hi there, I had an interesting question at work yesterday and
thought some of you might have faced this scenario...
My work sends important devices & systems through common shipping
services (FedEx, UPS, etc.); our operations folks mentioned the
desire to have better/real-time tracking information available
through some sort of GPS/LoJack tracking device.
Have you ever used any devices like this? Do you have any
suggestions on...
Re: Howto update (security patches) Java on Windows 8
Carlos Perez (May 22)
Another method is to use the WSUS Package Publisher http://wsuspackagepublisher.codeplex.com/ , still you will need a
software inventory solution or build your own, that is just basics for security, no way to be able to be effective at
determining risk if you do not have a host and software inventory. The modification of the MSI is so it removes Java 6
if you do not use it, also remember there are more than one packaged version of Java, you...
Re: Howto update (security patches) Java on Windows 8
Guillaume Ross (May 22)
In the GPO itself you can mark a package to be installed after the removal of a previous version as well.
I don't recommend using GPOs to push software, especially software that is updated so often and found vulnerable so
often, because you will have little information on how successful the deployment is.
One day or another, you will end up with a bunch of workstations still running an old Java, or maybe stuck without
Java. (One could...
Re: Avoiding IPS Detection
Dan King (May 22)
Run tests to see if heavily fragmented packets trigger anything. If not,
use fragmentation (out of order works really well)
Also scan really really slowly. A lot of IPS/IDS trigger on volume of
traffic.
Re: SQL cheat sheat
Guillaume Ross (May 22)
IMO - if we are discussing solely SQLi - the MOST important thing is to use parameterized queries.
Then, validate user input (though that is important for way more than SQLi).
Depending on the language you are using and the RDBMS you are accessing there are different ways to parameterize
queries, but they are typically easy and user friendly. Sometimes they can have a positive performance impact depending
on the way the query optimizer works...
Re: Little Snitch
Guillaume Ross (May 22)
I have not tested Hands Off but I do remember seeing that one of the advantages it had over Little Snitch was inbound
monitoring and management - which Little Snitch added in version 3.
They both look relatively user friendly and seem to work in very similar ways.
It would be very interesting to see an in depth comparison indeed, especially now that LS has inbound functionality
too..
Guillaume
Re: [GPWN-list] Avoiding IPS Detection
Tim Tomes (May 21)
OK, let me provide a little more detail. You've done reconnaissance,
and there wasn't enough information to make precise targeted attacks.
You need to probe the network (i.e. nmap scans) to find available
services. You can't go to your local coffee shop or use a service like
anonymizer because they are detecting and blocking too aggressively to
experience the benefits of either. Your only choice is avoidance.
I know some of you...
Re: Ec-council (Certified Ethical Hacker) gets Hacked
Carlos Perez (May 21)
Well that case was not indexing, he automated and went further than that with no permission and his chat logs do not
reflect it was to responsibly notify AT&T, plus challenging the judge was not a smart idea
http://www.justice.gov/usao/nj/Press/files/pdffiles/2011/Spitler,%20Daniel%20et%20al.%20Complaint.pdf he did get way too
much time in the puns in the ass for it.
Re: Ec-council (Certified Ethical Hacker) gets Hacked
Patrick Laverty (May 21)
Maybe not but apparently it's enough to get you 3 1/2 years in jail if you
do it to AT&T.
Re: Ec-council (Certified Ethical Hacker) gets Hacked
yersinia (May 21)
Hi to all
I'm part of the EC-COUNCIL group on linkedin. There were two posts on
this topic. The most recent (11 hours ago) is the following
"
**Updated** Message from EC-Council
On May 16th, 2013, EC-Council was notified of an article that stated
an alleged hack had taken place on EC-Council Servers. Upon
notification, EC-Council immediately investigated the issue. Contrary
to the news reported by E Hacking News this week,...
Avoiding IPS Detection
Tim Tomes (May 21)
I'm compiling a list of preferred methods for probing networks while
avoiding IDS/IPS detection. Any and all input is appreciated. Thanks.
Re: [GPWN-list] Avoiding IPS Detection
Jamil Ben Alluch (May 21)
Hello Tim,
You could take a look at these links, they provide some information:
http://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques
http://insecure.org/stf/secnet_ids/secnet_ids.html
Hope this helps.
Best regards,
Re: Ec-council (Certified Ethical Hacker) gets Hacked
allison nixon (May 21)
where are all those ethical hackers who could have notified them of the
indexing problem? that's a pretty obvious flaw.
oh right, it would be unethical to test that...
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
Honeypot malware archives
Matteo Cantoni (Feb 14)
Hello everyone,
I would like to share with you for educational purposes and without any
commercial purpose, data collected by my homemade honeypot.
Nothing new, nothing shocking, nothing sensational... but I think can
be of interest to newcomers to the world of analysis of malware,
botnets, etc... maybe for a thesis.
The files collected are divided into zip archives, in alphabetical
order, with password (which must be requested via email). Some...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Bulletin Minor Revisions
Microsoft (May 22)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: May 22, 2013
********************************************************************
Summary
=======
The following bulletins have undergone minor revision increments.
Please see the bulletins for more details.
* MS12-081
* MS13-037
* MS13-MAY
Bulletin Information:
=====================
* MS12-081 - Critical
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (May 16)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: May 15, 2013
********************************************************************
Summary
=======
The following bulletins have undergone minor revision increments.
Please see the bulletins for more details.
* MS13-045
Bulletin Information:
=====================
* MS13-045 - Important
-...
Microsoft Security Advisory Notification
Microsoft (May 14)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: May 14, 2013
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (2846338)
- Title: Vulnerability in Microsoft Malware Protection Engine
Could Allow Remote Code Execution
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (May 14)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: May 14, 2013
********************************************************************
Summary
=======
The following bulletins have undergone minor revision increments.
Please see the bulletins for more details.
* MS13-009
Bulletin Information:
=====================
* MS13-009 - Critical
-...
Microsoft Security Bulletin Summary for May 2013
Microsoft (May 14)
********************************************************************
Microsoft Security Bulletin Summary for May 2013
Issued: May 14, 2013
********************************************************************
This bulletin summary lists security bulletins released for
May 2013.
The full version of the Microsoft Security Bulletin Summary for
May 2013 can be found at
http://technet.microsoft.com/security/bulletin/ms13-may.
With the release of...
Microsoft Security Bulletin Advance Notification for May 2013
Microsoft (May 09)
********************************************************************
Microsoft Security Bulletin Advance Notification for May 2013
Issued: May 9, 2013
********************************************************************
This is an advance notification of security bulletins that
Microsoft is intending to release on May 14, 2013.
The full version of the Microsoft Security Bulletin Advance
Notification for May 2013 can be found at...
Microsoft Security Advisory Notification
Microsoft (May 08)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: May 8, 2013
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (2847140)
- Title: Vulnerability in Internet Explorer Could Allow
Remote Code Execution
-...
Microsoft Security Advisory Notification
Microsoft (May 04)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: May 3, 2013
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (2847140)
- Title: Vulnerability in Internet Explorer Could Allow
Remote Code Execution
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Apr 26)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: April 26, 2013
********************************************************************
Summary
=======
The following bulletins have undergone minor revision increments.
Please see the bulletins for more details.
* MS12-043
Bulletin Information:
=====================
* MS12-043 - Critical
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Apr 24)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: April 24, 2013
********************************************************************
Summary
=======
The following bulletins have undergone minor revision increments.
Please see the bulletins for more details.
* MS13-028
* MS13-031
* MS13-036
* MS13-APR
Bulletin Information:
=====================
*...
Microsoft Security Bulletin Re-Releases
Microsoft (Apr 23)
********************************************************************
Title: Microsoft Security Bulletin Re-Releases
Issued: April 23, 2013
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.
* MS13-036 - Important
* MS13-apr
Bulletin Information:
=====================
* MS13-036 -...
Microsoft Security Bulletin Minor Revisions
Microsoft (Apr 18)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: April 17, 2013
********************************************************************
Summary
=======
The following bulletins have undergone minor revision increments.
Please see the bulletins for more details.
* MS13-036
Bulletin Information:
=====================
* MS13-036 - Important
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Apr 16)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: April 16, 2013
********************************************************************
Summary
=======
The following bulletins have undergone minor revision increments.
Please see the bulletins for more details.
* MS13-034
Bulletin Information:
=====================
* MS13-034 - Important
-...
Microsoft Security Bulletin Summary for April 2013
Microsoft (Apr 09)
********************************************************************
Microsoft Security Bulletin Summary for April 2013
Issued: April 9, 2013
********************************************************************
This bulletin summary lists security bulletins released for
April 2013.
The full version of the Microsoft Security Bulletin Summary for
April 2013 can be found at
http://technet.microsoft.com/security/bulletin/ms13-apr.
With the...
Microsoft Security Bulletin Advance Notification for April 2013
Microsoft (Apr 04)
********************************************************************
Microsoft Security Bulletin Advance Notification for April 2013
Issued: April 4, 2013
********************************************************************
This is an advance notification of security bulletins that
Microsoft is intending to release on April 9, 2013.
The full version of the Microsoft Security Bulletin Advance
Notification for April 2013 can be found at...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Re: US CERT: Washington, DC Radio Station Web Site Compromises
Paul Ferguson (May 21)
I don't recall seeing a US-CERT advisory when a particular website has
been compromised.
I think that it is only "of government interest" because these
particular watering hole attacks used compromised websites in the
Washington, D.C., area which are highly popular with people living in
that area -- namely government employees and government contractors.
See also:...
Re: US CERT: Washington, DC Radio Station Web Site Compromises
Jeffrey Walton (May 21)
Thanks Paul.
Have you ever seen US CERT issue against a website? Or is this new
reporting introduced with the recent email procedure change.
Jeff
Re: US CERT: Washington, DC Radio Station Web Site Compromises
Paul Ferguson (May 21)
No conspiracy theories here -- just "yet another" watering hole attack.
See also:
https://en.wikipedia.org/wiki/Watering_Hole
It has become a fairly common attack/victimization methodology.
- ferg
US CERT: Washington, DC Radio Station Web Site Compromises
Jeffrey Walton (May 21)
This is kind of interesting.... I don't believe I have ever
received a US CERT bulletin calling out a website for distributing the
flyby goodness.
I wonder if the radio station does not fully support the current
regime. Could it be more tactics like we have recently seen at the
IRS?
https://www.us-cert.gov/ncas/alerts/TA13-141A
Internet Census 2012 data search engine launched
Juha-Matti Laurio (May 21)
http://www.exfiltrated.com/querystart.php
Juha-Matti
OT: Attorney General Eric Holder on 'Too Big to Jail'
Jeffrey Walton (May 18)
http://www.americanbanker.com/issues/178_45/transcript-attorney-general-eric-holder-on-too-big-to-jail-1057295-1.html
The following is a transcript of Attorney General Eric Holder's
remarks before the Senate Judiciary Committee, in which he discusses
the idea that some banks are 'Too Big to Jail.'
Sen. Chuck Grassley, R-Iowa: In the case of bank prosecution. I'm
concerned we have a mentality of 'too big to jail' in...
Re: [funsec] Skype with care – Microsoft is reading everything you write
Jeffrey Walton (May 17)
That's not really practical in many cases. What do consumers have when
all carriers and handset manufacturers do it? It's certainly not
choice.
All are likely doing it to some degree or another. Again, no choice.
Monopolistic policy and practice in industry used to be kept in check.
Case studies include the steel, railroad, and oil barons. For the old
steel, railroad, and oil barons, the interesting thing (in my opinion)
was why it...
Re: Skype with care – Microsoft is reading everything you write
Blanchard, Michael (InfoSec) (May 17)
There is always a clause in ALL of those EULAs stating that they can change at any time, without notice usually too.
Your only recourse is to stop using the product if you don’t like the EULA. Sucks yes, but until a better product
comes along that is as widely adopted, well, we're stuck.... Who's to say what Apple is doing with Facetime?
Those folks that complain about "evil empires" are the cause of their own...
Re: [funsec] Skype with care – Microsoft is reading everything you write
Jeffrey Walton (May 17)
In the US, they call those "Material Adverse Change" (MACs).
It's a bitch we have to accept those adverse changes just to get bug
fixes and security patches for defective products. It seems like
illegal tying to me, and I wonder why the FTC has not stepped in. In
the US, politicians are bought and sold like trading cards, so I don't
expect it to change anytime soon.
Jeff
Re: [funsec] Skype with care – Microsoft is reading everything you write
Rob, grandpa of Ryan, Trevor, Devon & Hannah (May 17)
As it happens, I'm currently reviewing an intriguing book ("Boilerplate") that
addresses all kinds of issues around "agreements" and consent. Particularly for
those of us who joined Skype before MS bought it, and therefore "agreed" to a
very different set of rules ...
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade ()...
Re: Skype with care
Joel Esler (May 17)
Skype is a free tool.
You get, what you pay for. Same with Google and their products, etc.
Re: Skype with care
Jeffrey Walton (May 16)
Nice, but I don't agree with some of Bott's conclusions. Especially
the one made about visiting a site/fetching a header. If it's just host
reputation, all the reputation service needs is the URL, without the
need to visit the host.
Do you think a M$ engineer tossed us a bread crumb to let us know the
degree of invasion? Why else take the risk of leaking interception
results like this originating from encrypted traffic that users expect...
Re: Skype with care
Juha-Matti Laurio (May 16)
A different point of view also:
http://www.zdnet.com/is-microsoft-reading-your-skype-instant-messages-7000015388/
Juha-Matti
Jeffrey Walton [noloader () gmail com] wrote:
Re: [funsec] Skype with care – Microsoft is reading everything you write
Jeffrey Walton (May 16)
A couple of follow ups on this....
"Skype backdoor confirmation,"
http://lists.randombit.net/pipermail/cryptography/2013-May/004224.html
and
"All Your Skype Are Belong To Us,"
http://financialcryptography.com/mt/archives/001430.html
They're not even trying any more
Rich Kulawiec (May 16)
Domains registered by the Discovery Channel yesterday:
19kidsandcounting.net
40yearchildanewcase.com
40yearchildanewcase.net
7littlejohnstons.com
7littlejohnstons.net
900poundmantheraceagainsttime.com
900poundmantheraceagainsttime.net
alaskathelastfrontier.net
americasworsttattoos.net
amishmafia.net
backyardoil.net
beringseagoldundertheice.net...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
Alert - Upcoming Mail Delivery Changes
US-CERT Alerts (May 10)
National Cyber Awareness System
US-CERT Alert - Upcoming Mail Delivery Changes
Thank you for being a subscriber to our US-CERT Alerts product. We
are striving to keep our capabilities at the leading edge of
communication. You may have noticed we've redesigned and upgraded our
website recently and as a part of that process, on May 14th, we are
migrating to GovDelivery as our email subscription service. As a
current subscriber you will...
Current Activity - Upcoming Mail Delivery Changes
Current Activity (May 10)
National Cyber Awareness System
Thank you for being a subscriber to our US-CERT Current Activity
product. We are striving to keep our capabilities at the leading edge
of communication. You may have noticed we've redesigned and upgraded
our website recently and as a part of that process, on May 14th, we
are migrating to GovDelivery as our email subscription service. As a
current subscriber you will need to do nothing. You will notice a...
Current Activity - Microsoft Releases Advance Notification for May 2013 Security Bulletin
Current Activity (May 09)
National Cyber Awareness System
Microsoft Releases Advance Notification for May 2013 Security Bulletin
Original release date: May 09, 2013
Microsoft has issued a Security Bulletin Advanced Notification
indicating that its May release will contain 10 bulletins. These
bulletins will have the severity rating of critical and important and
will be for Microsoft Windows, Office, Internet Explorer, .NET
Framework, Lync, and Windows Essentials. These...
Current Activity - Adobe Releases Security Advisory for ColdFusion
Current Activity (May 09)
National Cyber Awareness System
Adobe Releases Security Advisory for ColdFusion
Original release date: May 09, 2013
Adobe has identified a critical vulnerability affecting ColdFusion 10,
9.0.2, 9.0.1, 9.0, and earlier versions for Windows, Macintosh, and
UNIX. This vulnerability (CVE-2013-3336) could permit an unauthorized
user to remotely retrieve files stored on a server. There are reports
that an exploit of this vulnerability is publicly...
Current Activity - Microsoft Releases Security Advisory for Internet Explorer
Current Activity (May 07)
National Cyber Awareness System
Microsoft Releases Security Advisory for Internet Explorer
Original release date: May 07, 2013
Microsoft is investigating public reports of a remote code execution
vulnerability in Internet Explorer 8 and is aware of attacks that
attempt to exploit this vulnerability. This vulnerability may allow an
attacker to execute arbitrary code if a user accesses a specially
crafted website. Microsoft is actively working...
Current Activity - Cisco Releases Security Advisories
Current Activity (Apr 25)
National Cyber Awareness System
Cisco Releases Security Advisories
Original release date: April 25, 2013
Cisco has released three security advisories to address vulnerabilities
affecting Cisco NX-OS-based products, Cisco Device Manager, and Cisco
Unified Computing System. These vulnerabilities may allow an attacker to
bypass authentication controls, execute arbitrary code, obtain sensitive
information, or cause a denial-of-service condition....
Current Activity - Apple Releases Security Updates for Safari
Current Activity (Apr 18)
National Cyber Awareness System
Apple Releases Security Updates for Safari
Original release date: April 18, 2013
Apple has released security updates for Safari 6.0.4 WebKit to address
multiple vulnerabilities. These vulnerabilities could allow a remote
attacker to execute arbitrary code or cause a denial-of-service
condition.
Safari 6.0.4 WebKit updates are available for the following versions:
* OS X Lion v10.7.5
* OS X Lion Server v10.7.5...
Alert TA13-107A: Oracle has released multiple updates for Java SE
US-CERT Alerts (Apr 18)
National Cyber Awareness System
TA13-107A: Oracle has released multiple updates for Java SE
Original release date: April 17, 2013
Systems Affected
* JDK and JRE 7 Update 17 and earlier
* JDK and JRE 6 Update 43 and earlier
* JDK and JRE 5.0 Update 41 and earlier
* JavaFX 2.2.7 and earlier
Overview
Oracle has released a Critical Patch Update (CPU) for Java SE. Oracle
strongly recommends that customers apply CPU fixes as soon as possible....
Current Activity - Scams Exploiting Boston Marathon Explosion
Current Activity (Apr 17)
National Cyber Awareness System
Scams Exploiting Boston Marathon Explosion
Original release date: April 17, 2013
Malicious actors are exploiting the April 15 explosions at the Boston
Marathon in attempts to collect money intended for charities and to
spread malicious code. Fake websites and social networking accounts have
been set up to take advantage of those interested in learning more
details about the explosions or looking to contribute to...
Current Activity - Malicious Actors May Take Advantage of Boston Marathon Explosion
Current Activity (Apr 17)
National Cyber Awareness System
Malicious Actors May Take Advantage of Boston Marathon Explosion
Original release date: April 17, 2013
Historically, scammers, spammers, and other malicious actors capitalize
on major news events by registering domain names related to the events.
Malicious actors may attempt to exploit the April 15, 2013 explosions at
the Boston Marathon in this way. Some may use fake domains to take
advantage of those interested...
Current Activity - Oracle Releases April 2013 Security Advisory
Current Activity (Apr 17)
National Cyber Awareness System
Oracle Releases April 2013 Security Advisory
Original release date: April 17, 2013
Oracle has released its Critical Patch Update for April 2013 to address
128 vulnerabilities across multiple products. This update contains the
following security fixes:
* 4 for Oracle Database Server
* 29 for Oracle Fusion Middleware
* 6 for Oracle E-Business Suite
* 3 for Oracle Supply Chain Products Suite
* 11 for Oracle...
Current Activity - WordPress Sites Targeted by Mass Brute-force Botnet Attack
Current Activity (Apr 15)
National Cyber Awareness System
WordPress Sites Targeted by Mass Brute-force Botnet Attack
Original release date: April 15, 2013
US-CERT is aware of an ongoing campaign targeting the content management
software WordPress, a free and open source blogging tool and web
publishing platform based on PHP and MySQL. All hosting providers
offering WordPress for web content management are potentially targets.
Hackers reportedly are utilizing over 90,000...
Current Activity - Microsoft Releases April 2013 Security Bulletin
Current Activity (Apr 09)
National Cyber Awareness System
Microsoft Releases April 2013 Security Bulletin
Original release date: April 04, 2013 | Last revised: April 09, 2013
Microsoft has released updates to address vulnerabilities in Microsoft
Windows, Office, Internet Explorer, Server Software, and Security
Software as part of the Microsoft Security Bulletin summary for April
2013. These vulnerabilities could allow remote code execution, elevation
of privilege,...
Current Activity - Microsoft Releases Advance Notification for April 2013 Security Bulletin
Current Activity (Apr 04)
National Cyber Awareness System
Microsoft Releases Advance Notification for April 2013 Security Bulletin
Original release date: April 04, 2013
Microsoft has issued a Security Bulletin Advance Notification indicating
that its April release will contain nine bulletins. These bulletins will
have the severity rating of critical and important and will be for
Microsoft Windows, Office, Internet Explorer, Server Software, and
Security Software. These...
Current Activity - Mozilla Releases Multiple Updates
Current Activity (Apr 03)
National Cyber Awareness System
Mozilla Releases Multiple Updates
Original release date: April 03, 2013
The Mozilla Foundation has released updates to address multiple
vulnerabilities. These vulnerabilities could allow an attacker to
initiate a cross-site scripting attack or obtain sensitive information,
enable privilege escalation or execute arbitrary code, or cause a
denial-of-service condition.
Updates to the following products are...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
CVE-2013-2069 livecd-tools: improper handling of passwords
Brian C. Lane (May 23)
https://bugzilla.redhat.com/show_bug.cgi?id=964299
The livecd-tools package provides support for reading and executing
Kickstart files in order to create a system image. It was discovered
that livecd-tools gave the root user an empty password rather than
leaving the password locked in situations where no 'rootpw' directive
was used or when the 'rootpw --lock' directive was used within the
Kickstart file, which could allow...
Re: CVE Request (minor) -- Python 3.2: DoS when matching certificate with many '*' wildcard characters {was: [oss-security] CVE Request (minor) -- python-backports-ssl_match_hostname: Denial of service when matching certificate with many '*' wildcard characters }
Tomas Hoger (May 23)
There are surely differences in other parts of python code, but in this
case, affected functionality is the same in python 3 and
python-backports-ssl_match_hostname (the latter just contains a
functionality copied from the former). Given that affected code is
identical, I don't believe differences in other parts of codebases not
related to the flaw should force split. I.e. I'd follow:
AB4) If there are multiple products, vendors,...
Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability
Oden Eriksson (May 22)
On Wednesday, 22 May 2013 15.31.44, Matthias Weckbecker wrote:
Whoops. You're right.
Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability
The Doctor (May 22)
For what it's worth, I'm getting the same results with the same
version of thttpd.
$ lynx -dump drwho.virtadpt.net:80/../../../../../../../../etc/passwd
root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
operator:*:2:5:System &:/operator:/sbin/nologin
bin:*:3:7:Binaries Commands and Source,,,:/:/sbin/nologin
smmsp:*:25:25:Sendmail Message Submission Program:/nonexistent:/sbin/nologin...
CVE-2013-2073 transifex-client: Does not validate HTTPS server certificate (fixed in transifex-client v0.9)
Jan Lieskovsky (May 22)
Hello Steve, vendors,
It was found that Transifex command-line client, a command line tool for Transifex
translation management, did not perform X.509 certificate verification when using
secured SSL connection. A man-in-the-middle attacker could use this flaw to spoof
a Transifex server via an arbitrary certificate.
The CVE identifier of CVE-2013-2073 has been allocated to this issue.
Acknowledgements:
This issue was discovered by Florian...
Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability
Tavis Ormandy (May 22)
Matthias Weckbecker wrote:
I can't reproduce here.
It's probably not a good sign that he posted some non-shadow passwords in
the output :)
Tavis.
Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability
George Theall (May 22)
This seems like a configuration issue rather than a vulnerability. The code in libhttpd.c seems to filter directory
traversal sequences. And I was able to reproduce this only if thttpd was serving files out of the system root directory
(e.g., "thttpd -d /"), in which case the directory traversal sequences are irrelevant.
George
Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability
Zate (May 22)
I got the same results. Locally without http it shows me the local
/etc/passwd and /etc/system, remotely against the reported version I get
file not found with both lynx -dump and GET.
Zate
Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability
Matthias Weckbecker (May 22)
That's weird. But you've tried it *with* 'http://'? Otherwise you
don't even generate a HTTP request.
$ lynx -dump "127.0.0.1:/../../../etc/passwd"
vs
$ lynx -dump "http://127.0.0.1/../../../etc/passwd"
I don't think this report is valid.
Matthias
Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability
Vitezslav Cizek (May 22)
* On Wednesday, 22 May 2013, 13:44:09 [CEST], Oden Eriksson wrote:
Are you sure?
I fail to reproduce the problem.
How do you use lynx?
Do you prepend "http://" to the url?
Otherwise lynx won't connect over network
and will default to local filesystem.
For example:
$ lynx -dump "google.com:80/../../../../etc/passwd"
will get you your local /etc/passwd
Vita
Re: CVE request: dovecot : "APPEND" Parameters Processing Denial of Service Vulnerability
Timo Sirainen (May 22)
A logged in user can cause his own IMAP connection process to eat 100% CPU, so it won't immediately hang other users.
By default users can log in max. 10 times from the same IP, so attacker requires many IPs to cause a real DoS. And of
course a valid user account, which means it will be immediately visible to admin who is causing the system to slow down.
I'm not against it, but I don't see this as that big of an issue,...
Re: CVE request: dovecot : "APPEND" Parameters Processing Denial of Service Vulnerability
Jan Lieskovsky (May 22)
Thank you for the report, Agostino.
Cc-ing Timo to clarify on the point below yet.
----- Original Message -----
Timo, in relation with the previous (similar) one (thanks to Tomas Hoger for
pointing out):
[1] http://thread.gmane.org/gmane.comp.security.oss.general/8916/focus=8934
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695138#15
this time the CVE identifier should be allocated / issue is valid, right?
While in the former [1],...
Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability
Oden Eriksson (May 22)
On Wednesday, 22 May 2013 13.06.18, Matthias Weckbecker wrote:
Confirmed here. Needed to use "lynx -dump ...".
Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability
Matthias Weckbecker (May 22)
Hi,
has anybody possibly already confirmed this? It might also be worth
to assign a CVE to this if it turns out to be a reproducible issue.
Thanks,
Matthias
---------- Forwarded Message ----------
Subject: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability
Date: Sunday 19 May 2013
From: "metropolis haxor" <metrOpolis () linuxmail org>
To: full-disclosure () lists grok org uk
Hi guys,
You can find the software...
Re: CVE request: dovecot : "APPEND" Parameters Processing Denial of Service Vulnerability
Huzaifa Sidhpurwala (May 22)
Note: I found a similar commit in dovecot-2.2 repo:
http://hg.dovecot.org/dovecot-2.2/rev/0b7039a614f7
the commit message says " imap: Fixed assert-crash on invalid APPEND
parameters."
I am not very familiar with the dovecot code, but taking a brief look
suggests that parsing APPEND in some way could result in hitting assert.
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
SecAppDev hits the road
Kenneth R. van Wyk (May 22)
Greetings SC-L subscribers,
I suspect many of you have heard of SecAppDev (http://secappdev.org) over the years. It's a non-profit training event
that has hitherto been held in Leuven, Belgium for 1 week each Feb/Mar. Well, we're excited to say that this year we've
added a second event: SecAppDev Dublin!
Yes, SecAppDev will be hitting the road for its first foray outside of Belgium. For one week in July (15th-19th), we'll...
2013 OWASP Mobile Top 10 Call For Data
Jim Manico (May 21)
Hello All,
We are pleased to announce the 2013 call for data to help refresh the Mobile Top 10 Risks for 2013 and publish a more
formal publication. We are encouraging everyone to get involved.
The current Mobile Top Ten Risks are located here:
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab.3DTop_Ten_Mobile_Risks
- What do we need? -
Right now we are looking for data that represents the current state of mobile...
CFP: Workshop on Risk Perception in IT Security and Privacy at SOUPS
Larry Koved (May 20)
Short position statements due next Thursday, May 30
Workshop on Risk Perception in IT Security and Privacy
A workshop of the Symposium On Usable Privacy and Security (SOUPS)
http://cups.cs.cmu.edu/soups/2013/
For full details, please see: http://cups.cs.cmu.edu/soups/2013/risk.html
This workshop is an opportunity to bring together researchers and
practitioners to share experiences, concerns and ideas about how to
address the gap between...
Correction: W2SP 2013 - Web 2.0 Security and Privacy workshop - Final call for participation
Larry Koved (May 20)
*** My apologies for another email. Only ONE week until the workshop! ***
Call for participation: Only ONE week until the workshop!
The workshop and program chairs invite you to participate in the 7th W2SP
workshop.
The goal of this one-day workshop is to bring together researchers and
practitioners from academia and industry to focus on understanding Web
security and privacy issues, and to establish new collaborations in these
areas....
W2SP 2013 - Web 2.0 Security and Privacy workshop - Final call for participation
Larry Koved (May 20)
Call for participation: Only three weeks until the workshop!
The workshop and program chairs invite you to participate in the 7th W2SP
workshop.
The goal of this one-day workshop is to bring together researchers and
practitioners from academia and industry to focus on understanding Web
security and privacy issues, and to establish new collaborations in these
areas.
The list of this year's accepted papers / presentations can be found...
MoST 2013 - Mobile Security and Technology workshop - final call for participation
Larry Koved (May 20)
Call for participation: One week until the workshop!
The workshop and program chairs invite you to participate in the 2nd MoST
workshop.
Mobile Security Technologies (MoST) brings together researchers,
practitioners, policy makers, and hardware and software developers of
mobile systems to explore the latest understanding and advances in the
security and privacy for mobile devices, applications, and systems.
The list of this year's...
SearchSecurity: BSIMM4
Gary McGraw (May 11)
hi sc-l,
Sammy Migues, Jacob West and I wrote an introductory article about BSIMM4 for SearchSecurity. It was just posted on
SearchSecurity: http://bit.ly/11qlIBi
(or http://searchsecurity.techtarget.com/feature/BSIMM4-measures-and-advances-secure-application-development)
This article provides a great way to get up to speed on the BSIMM project in its BSIMM4 instantiation. The BSIMM
Community is expanding rapidly, and we're looking...
Ruxcon 2013 Call For Papers
cfp (May 08)
Ruxcon 2013 Call For Presentations
Melbourne, Australia, October 26th-27th
CQ Function Centre
http://www.ruxcon.org.au/call-for-papers/
The Ruxcon team is pleased to announce the Call For Presentations for Ruxcon 2013.
This year the conference will take place over the weekend of the 26th and 27th
of October at the CQ Function Centre, Melbourne, Australia.
.[x]. About Ruxcon .[x].
Ruxcon is a premier technical computer security conference...
Silver Bullet 85: Mobile Security with Jim Routh and Scott Matsumoto
Gary McGraw (May 03)
hi sc-l,
Is mobile security a brand new day or the same old same old? The answer depends on how you look at the problem. If
you are a practitioner in the trenches, there are many new and interesting shiny bits to mobile security. If you are a
security veteran, things look very familiar. In this episode of Silver Bullet, Jim Routh, Scott Matsumoto and I take
on the Necker Cube of mobile security. Jim Routh is the ultimate security...
CFP: Workshop on Risk Perception in IT Security and Privacy
Larry Koved (May 03)
Workshop on Risk Perception in IT Security and Privacy
A workshop of the Symposium On Usable Privacy and Security (SOUPS)
http://cups.cs.cmu.edu/soups/2013/
For full details, please see: http://cups.cs.cmu.edu/soups/2013/risk.html
This workshop is an opportunity to bring together researchers and
practitioners to share experiences, concerns and ideas about how to
address the gap between user perception of IT risks and security /...
W2SP 2013 - Web 2.0 Security and Privacy workshop - call for participation
Larry Koved (May 03)
Only three weeks until the workshop.
Call for participation!
The workshop and program chairs invite you to participate in the 7th W2SP
workshop.
The goal of this one-day workshop is to bring together researchers and
practitioners from academia and industry to focus on understanding Web
security and privacy issues, and to establish new collaborations in these
areas.
The list of this year's accepted papers / presentations can be found...
MoST 2013 - Mobile Security and Technology workshop - call for participation
Larry Koved (May 03)
Three weeks until the workshop.
Call for participation!
The workshop and program chairs invite you to participate in the 2nd MoST
workshop.
Mobile Security Technologies (MoST) brings together researchers,
practitioners, policy makers, and hardware and software developers of
mobile systems to explore the latest understanding and advances in the
security and privacy for mobile devices, applications, and systems.
The list of this year's...
Breakpoint 2013 Call For Papers
cfp (May 01)
Breakpoint 2013 Call For Papers
Melbourne, Australia, October 24th-25th
Intercontinental Rialto
http://www.ruxconbreakpoint.com
.[x]. Introduction .[x].
The Ruxcon team is pleased to announce Call For Papers for Breakpoint 2013.
Breakpoint showcases the work of expert security researchers from around the
world on a wide range of topics. This conference is organised by the Ruxcon
team and offers a specialised security conference to...
Re: BSIMM Diagrams
Craig Heath (Apr 23)
Thanks Ivan! Unfortunately I wasn't able to look at this straight away,
and when I go to the link now I get "ME-ERR-002 Sorry, we couldn't find the
page you were looking for."
Would you be able to put it up again?
Cheers!
- Craig.
Comparing a firm's BSIMM measurement against a benchmark
Iván Arce (Apr 20)
Hello
I've updated the BSIMM visualizations I posted about yesterday.
Here are two sample visualizations to compare a firm's measurement
against a benchmark ("Earth").
The first one uses the size of the boxes to indicate how prevalent is
the activity (percentage of firms where the activity was observed) and
color to indicate that the activity was observed at the firm.
http://www-958.ibm.com/v/298285
In the second treemap...
Educause Security Discussion — Securing networks and computers in an academic environment.
Re: email address as directory information
Shalla, Kevin (May 21)
We have defined e-mail as part of directory information. Not doing so would have seriously hampered students'
communicating with each other. We do get FOIA requests, but we do charge for that, and they're not overwhelming.
Kevin
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John
Forker
Sent: Friday, May 17, 2013 11:17 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject:...
UTM Firewall vs IPS appliance
John Kaftan (May 20)
Hello:
We are looking at refreshing our firewalls and are wondering what others
are doing in terms of IPS. Is the UTM firewall winning over a separate IPS
appliance? What are you using and why?
I could see a few different factors when considering this decision.
1. Budget. Single appliance is likely less expensive than 2.
2. Culture. If security is a separate dept than networking perhaps it
would make more sense to have the security team...
Re: Question About Password Resets
Schumacher, Adam J. (May 17)
We have two mechanisms in place. One is a two-factor online reset process. When a person activates their account,
they must provide answers to security questions as well as either an external email or cell phone number to which we
send a reset code. Once they've answered the questions and entered the code, they can set a new password.
The other mechanism is for individuals who either can't remember the answers to their questions,...
Re: Palo Alto Firewall and Sorenson VP 200 (Video Phones)
Peter Setlak (May 17)
Harry,
We use PA 5050's on our edge. We do not use Sorenson video phones. However,
we did experience an issue with Jumbo Frames with a device on our network.
Are the video phones wired? Are they on 1Gb or 100Mb ports? Try 100Mb and
see if that fixes the issue. There are also settings on the FW to allow
jumbo frames (which we did not adjust as we're hesitant to change the
entire edge for one device). Otherwise, are the video phones...
Palo Alto Firewall and Sorenson VP 200 (Video Phones)
Harry Zahlis (May 17)
Our District just purchased and implemented a new Palo Alto Networks firewall. We have run across an issue which has
stumped a lot of people.
Our deaf faculty and students use a device provided by Sorenson (Sorenson ntouch VP-200) for telecommunication. At
first we opened the specific ports required by the Sorenson devices but we could not place phone calls. We opened all
ports, TCP and UDP in both directions (any-any) and we still cannot...
email address as directory information
John Forker (May 17)
We are deliberating over whether we should or shouldn't include student
email addresses in our list of directory information elements as allowed
by FERPA. If your institution has chosen not to include email addresses as
part of directory information, how do you control unauthorized access in a
way that doesn't stymy collaboration among students and among students and
industry representatives? If your institution has chosen email...
REN-ISAC and SANS partner for highly discounted technical and awareness training; WEBCAST May 21
Doug Pearson (May 17)
SANS and REN-ISAC are partnering to bring exceptional security awareness
and technical training to the education community at substantially
discounted pricing.
An interactive webcast is scheduled for Tuesday, May 21 to explain the
program and provide opportunity for Q&A.
The special pricing is available during a purchase commitment window,
June 1 through July 31, for:
- SANS Securing The Human security awareness training,
- SANS...
Re: Question About Password Resets
Valdis Kletnieks (May 16)
On Thu, 16 May 2013 11:00:00 -0500, Jim Pardonek said:
No matter what you end up doing, remember to leave a flag for "this account
may not be reset by phone/self-serve/whatever", so you can flag high-value
or high-risk accounts as "tough noogies, they have to come in with official ID".
And remember - it doesn't have to be a high-priv account. I've heard of
plenty of incidents of stalkers and ex-SO's social...
Re: Question About Password Resets
David Curry (May 16)
We require everyone to provide their university identification number,
their username, and their date of birth. If the person is (or ever has
been) an employee, we also require the last four digits of their SSN/ITIN.
If the individual does not know his or her username he or she can look it
up by providing identification number and last name.
If the individual does not know his or her identification number, the
various departments (Human...
Re: Question About Password Resets
David Seidl (May 16)
Jim
We use a voice recognition process - our helpdesk finds a co-worker who is known to us who we can conference in with
that person to identify them. It's not ideal, but we can almost always find someone who we do know and recognize. If
that fails - and it does at times - we don't feel as bad about making them come in with their ID in hand.
David
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV...
Re: Question About Password Resets
Roger A Safian (May 16)
We have security questions and answers set when the accounts are created. I'm not a fan of them myself, but, I
recognize their usefulness in situations like this. If those fail, the user would need to contact a department chair,
program coordinator, etc. and have that person contact our help desk in order to authorize the change.
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf...
Question About Password Resets
Jim Pardonek (May 16)
We've recently had some issues with our current password reset process, particularly when a faculty or staff member is
out of town and calls for a password reset. We also have an issue because our campuses are spread out geographically
which makes it difficult for someone to come in person. I apologize if this has been discussed before, but I was
wondering what other institutions are doing regarding password resets via telephone? Or do...
Job Openings - Appalachian State University - CISO and Director of Information Analytics
Anthony J. Santucci (May 15)
Greetings!
We have two new positions at AppState that are currently being advertised.
Please pass this along to anyone you think might be interested in coming to
the beautiful Blue Ridge Mountains of North Carolina!
Chief Information Security Officer
http://hrs.appstate.edu/employment/epa-jobs/801
Reporting to the Associate Vice Chancellor and Chief Information Officer of
Information Technology Services, the Chief Information Security Officer...
clickable links in instant messaging programs
Fowler, Becky Thurmond (May 15)
I'm trying to gauge what other institutions are doing regarding clickable links in instant messaging programs. We
currently block links that are sent through our Microsoft Lync implementation but we'd like to determine what other
peer institutions are doing.
Does your university block clickable links through technical means? Do you allow clickable links but display a pop-up
or warning message? Or do you deal with this issue...
Job: Info Sec Analyst in Salem, MA
George Moore (May 14)
Greetings:
I'm hiring an Information Security Analyst (ISA) for Salem State University in Salem Massachusetts. An ideal candidate
is motivated and enthusiastic about security. The ISA is responsible for monitoring the university network for security
vulnerabilities and compromised systems. The candidate accomplishes these goals by monitoring intrusion detection
systems, performing vulnerability assessments and management of network...
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: Reclaiming legacy allocation transferred to APNIC?
James M Keller (May 23)
Thanks for the off-list responses. I'll follow up if I run into a dead
end on this.
Verizon Business Support
Stephen Amato (May 23)
Can an Admin from Verizon Business please contact me off-list to resolve a
routing/bogon issue?
Thank you,
Steve
Re: Reclaiming legacy allocation transferred to APNIC?
John Curran (May 23)
James -
Can you send me specifics when you have a moment?
Thanks!
/John
John Curran
President and CEO
ARIN
Reclaiming legacy allocation transferred to APNIC?
James M Keller (May 23)
All,
$DAYJOB has a legacy block assignment that was transferred to APNIC from
ARIN under the Early Registration transfer project back in 2003...
ARIN whois queried directly still shows the /16 block has ARIN contact
information, but walking it down from the /8 APNIC has no data other
than the /8 block information and the ERX comment. However on the ERX
page listing the transfers, the specific /16 block isn't listed under
the /8 as it...
peeringdb accuracy research
Job Snijders (May 23)
Dear fellow networkers,
I need your help!
For the good of PeeringDB I am researching the accuracy of the current PeeringDB
data set. We plan to compare three sources of information: peeringdb itself,
publicly available listings from IXP operators ... and the ultimate source of
truth: user submitted information, e.g. your "show bgp sum".
Why? I'd rather trust 10 sightings in the wild than one entry in PeeringDB! :-)
What can you...
Re: Dear NANOG Gods
joe mcguckin (May 23)
Find a used computer/network equipment vendor near you. They'll have the right sized boxes & can foam encapsulate your
gear. Most companies have been
willing to box up equipment for me at no (or little) charge.
Joe McGuckin
ViaNet Communications
joe () via net
650-207-0372 cell
650-213-1302 office
650-969-2124 fax
Please take the RIPE NCC Survey 2013
Mirjam Kuehne (May 22)
Hello,
The RIPE NCC asks all members and other interested parties to take
a survey for the RIPE NCC and the RIPE community.
This survey will help us to assess our services and activities, identify
areas for improvement, and help shape our strategy
for the coming years.
The survey is open to anyone and is carried out by the Oxford Internet
Institute, which guarantees anonymity for participants and independent
assessment of the results. It...
Re: Bermuda connectivity
Daniel White (May 22)
Peter,
I will contact you offline to discuss GlobeNet's offerings from either 111 8th or 60 Hudson to Bermuda.
Thanks
Dan
-----Original Message-----
Message: 1
Date: Tue, 21 May 2013 16:18:10 -0400
From: Christopher Morrow <morrowc.lists () gmail com>
To: NANOG <nanog () nanog org>
Subject: Re: Bermuda connectivity
Message-ID:
<CAL9jLaabmJBQSAssnxiUFWo_u8PrASDxt4Nv2Tua=VU7uJC9rw () mail gmail com>
Content-Type:...
Re: Dear NANOG Gods
Måns Nilsson (May 22)
Subject: Re: Dear NANOG Gods Date: Tue, May 21, 2013 at 02:56:22PM -0400 Quoting Joe Abley (jabley () hopcount ca):
If survivability is important, I like CP Cases:
http://www.cpcases.com/prodrange.asp?prodrangeid=15&typeid=3
More expensive than SKB, but they bounce when dropped. And preserve the
stuff inside.
One probably should opt for removing PSU and drives if shipping is
expected to be very rough.
Re: DNS Track at NANOG 58
Mehmet Akcin (May 22)
Hello everyone,
DNS Track will be on June 5, 2013 Wednesday 4:45pm-6:15pm in Crescent City Ball Room.
I still have some slots available if you would like to talk about an interesting DNS related subject. We've got a
very good coverage with rate-limiting, reflection attacks, dns software updates, and some other interesting topics
already. (i will be sending an agenda before the track )
look forward to see you all there. please contact...
Re: Bermuda connectivity
Martin Hannigan (May 22)
Hola,
I don't have any direct knowledge about Bermuda telecom (I do highly
recommend it as a destination though), but the ask sounds like IPL or waves
to me so cable systems are the logical place to start. NY. Banking. BDA. <
http://www.cablemap.info/
Looks like GlobeNet since Wikipedia is labeling the C&W Gemini cable
decommissioned.
YMMV, and Best,
-M<
Re: Bermuda connectivity
Christopher Morrow (May 21)
<queue mail from martin hannigan>
Re: Dear NANOG Gods
Joe Abley (May 21)
Since some people were interested (on- and off-list), see below.
Re: Bermuda connectivity
Christer Swartz (May 21)
Contact either Logic Communications or TeleBermuda. I used to work for the former.
--- Christer
Re: Dear NANOG Gods
Justin M. Streiner (May 21)
There are a number of vendors that can either custom-build cases, or might
have something off-the-shelf that will work, and meet ATA300/Milspec
standards.
Calzone Cases - http://www.calzonecases.com/
Jan-Al Cases - http://www.janalcase.com/
Pelican-Hardigg - http://www.pelican.com/
NOTE: I use several different types of road/flight cases for transporting
audio gear for $sidejob.
Fair warning: A case that provides the level of cushioning and...
Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 27.28
RISKS List Owner (May 17)
RISKS-LIST: Risks-Forum Digest Friday 17 May 2013 Volume 27 : Issue 28
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.28.html>
The current issue can be...
Risks Digest 27.27
RISKS List Owner (May 05)
RISKS-LIST: Risks-Forum Digest Saturday 4 April 2013 Volume 27 : Issue 27
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.27.html>
The current issue can be...
Risks Digest 27.26
RISKS List Owner (Apr 24)
RISKS-LIST: Risks-Forum Digest Tuesday 23 April 2013 Volume 27 : Issue 26
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.26.html>
The current issue can be...
Risks Digest 27.25
RISKS List Owner (Apr 19)
RISKS-LIST: Risks-Forum Digest Friday 19 April 2013 Volume 27 : Issue 25
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.25.html>
The current issue can be...
Risks Digest 27.24
RISKS List Owner (Apr 07)
RISKS-LIST: Risks-Forum Digest Sunday 7 April 2013 Volume 27 : Issue 24
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.24.html>
The current issue can be...
Risks Digest 27.23
RISKS List Owner (Mar 31)
RISKS-LIST: Risks-Forum Digest Saturday 30 March 2013 Volume 27 : Issue 23
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.23.html>
The current issue can be...
Risks Digest 27.22
RISKS List Owner (Mar 24)
RISKS-LIST: Risks-Forum Digest Saturday 23 March 2013 Volume 27 : Issue 22
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.22.html>
The current issue can be...
Risks Digest 27.21
RISKS List Owner (Mar 22)
RISKS-LIST: Risks-Forum Digest Thursday 21 March 2013 Volume 27 : Issue 21
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.21.html>
The current issue can be...
Risks Digest 27.20
RISKS List Owner (Mar 18)
RISKS-LIST: Risks-Forum Digest Monday 18 March 2013 Volume 27 : Issue 20
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.20.html>
The current issue can be...
Risks Digest 27.19
RISKS List Owner (Mar 12)
RISKS-LIST: Risks-Forum Digest Monday 11 March 2013 Volume 27 : Issue 19
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.19.html>
The current issue can be...
Risks Digest 27.18
RISKS List Owner (Mar 06)
RISKS-LIST: Risks-Forum Digest Wednesday 6 March 2013 Volume 27 : Issue 18
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.18.html>
The current issue can be...
Risks Digest 27.17
RISKS List Owner (Feb 25)
RISKS-LIST: Risks-Forum Digest Sunday 24 February 2013 Volume 27 : Issue 17
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.17.html>
The current issue can be...
Risks Digest 27.16
RISKS List Owner (Feb 14)
RISKS-LIST: Risks-Forum Digest Thursday 14 February 2013 Volume 27 : Issue 16
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.16.html>
The current issue can...
Risks Digest 27.15
RISKS List Owner (Jan 29)
RISKS-LIST: Risks-Forum Digest Tuesday 29 January 2013 Volume 27 : Issue 15
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.15.html>
The current issue can be...
Risks Digest 27.14
RISKS List Owner (Jan 23)
RISKS-LIST: Risks-Forum Digest Tuesday 22 January 2013 Volume 27 : Issue 14
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.14.html>
The current issue can be...
Data Loss — Data Loss covers large-scale personal data loss and theft incidents. This archive combines the main list (news releases) and the discussion list.
NYPD detective charged with hacking
Erica Absetz (May 22)
Edwin Vargas, a detective with the New York City Police Department
(NYPD) has been arrested on hacking charges. Vargas was arrested this
morning outside his residence in Bronxville, New York.
Manhattan U.S. Attorney Preet Bharara said, “As alleged, Detective
Edwin Vargas paid thousands of dollars for the ability to illegally
invade the privacy of his fellow officers and others. He is also
alleged to have illegally obtained information about...
Former Elgin Deputy Police Chief Charged With ID Theft
Erica Absetz (May 22)
http://chicago.cbslocal.com/2013/05/21/former-elgin-deputy-police-chief-charged-with-id-theft/
ST. CHARLES, Ill. (STMW) – Elgin’s former deputy police chief was
indicted Tuesday for illegally accessing emails and using police
resources for personal research.
A Kane County grand jury indicted Robert Beeter, 51, of Elgin, on 16
counts of felony identity theft and four counts of official
misconduct, according to a statement from the Kane...
Idaho State University Settles HIPAA Security Case for $400,000
Erica Absetz (May 22)
http://www.phiprivacy.net/?p=12728
Idaho State University (ISU) has agreed to pay $400,000 to the U.S.
Department of Health Human Services (HHS) to settle alleged violations
of the Health Insurance Portability and Accountability Act of 1996
(HIPAA) Security Rule. The settlement involves the breach of
unsecured electronic protected health information (ePHI) of
approximately 17,500 patients at ISU’s Pocatello Family Medicine
Clinic. That...
There’s no excuse for careless handling of sensitive personal information
Erica Absetz (May 21)
http://www.buffalonews.com/apps/pbcs.dll/article?AID=/20130521/OPINION/130529888/1074
Is there something in the air here, or have leaders in Western New
York never heard of identity theft? The carelessness with which
records containing personal information are being strewn about the
landscape – literal and digital – is as astonishing as it is
disturbing.
Last week, it was Dent Neurologic Institute acknowledging that it
emailed out private...
How anticipating a health data breach can boost security
Erica Absetz (May 21)
http://healthitsecurity.com/2013/05/20/how-anticipating-a-health-data-breach-can-boost-security/
A healthcare chief information officer (CIO) saying that he expects to
experience a health data breach is not only unusual, but may produce
shock and awe in some parts of the healthcare industry. However,
having this type of outlook, regardless of whether the CIO ends up
having to deal with a breach or not, can prepare organizations for the
worst...
Hackers Who Breached Google in 2010 Accessed Company’s Surveillance Database
Erica Absetz (May 21)
http://www.wired.com/threatlevel/2013/05/google-surveillance-database/
Hackers who breached Google’s network in 2010 obtained access to the
company’s system for tracking surveillance requests from law
enforcement, according to a news report.
The hackers gained access to a database that Google used to process
court orders from law enforcement agencies seeking information about
customer accounts, including classified FISA orders that are used...
Response from TerraCom, Inc.
Erica Absetz (May 20)
http://www.knoxnews.com/news/2013/may/18/response-terracom-inc/
"On April 26, 2013, the companies were made aware of the fact that
Scripps Howard News Service was able to access personal data files of
applicants seeking enrollment in the program.
We deeply regret that this incident occurred, and we are sorry that
personal data of Lifeline applicants was recently accessed by Scripps
Howard News Service. This is a very serious matter and we...
Information for 10K job applicants exposed in security breach
Erica Absetz (May 20)
http://www.wsoctv.com/news/news/local/piedmont-compromise/nXtt3/
STATESVILLE, N.C. —
A local healthcare company is now trying to contact 10,000 job
applicants whose private information was exposed in a major security
breach.
The applicants at Piedmont HealthCare had more than just their
applications stolen; they had their Social Security numbers
compromised.
Earlier this week, experts told Eyewitness News that having a Social
Security...
Yahoo Japan says 22 million user IDs may have been stolen
Erica Absetz (May 20)
http://www.networkworld.com/news/2013/052013-yahoo-japan-says-22-million-269914.html?source=nww_rss
IDG News Service - Yahoo Japan, the country's largest Web portal, said
up to 22 million user IDs may have been leaked during a hack that was
discovered last week.
The company emphasized that the IDs are already public information,
and no passwords or other private data were affected. Yahoo Japan IDs
are used along with password to log in to...
PHH Data Breach Exposes Employee Information
Erica Absetz (May 16)
http://www.americanbanker.com/issues/178_94/phh-data-breach-exposes-employee-information-1059140-1.html
WASHINGTON — A temporary worker for PHH Corp. potentially gained
access to employees' personal information, including Social Security
numbers and dates of birth, according to a letter from the company's
chief executive.
In a letter posted on the California Department of Justice's website,
Glen Messina, the $9.3 billion-asset...
Oops: Google search reveals private Telstra customer data
Erica Absetz (May 16)
http://www.theage.com.au/it-pro/security-it/oops-google-search-reveals-private-telstra-customer-data-20130516-2jnmw.html
The personal information of thousands of Telstra customers has been
found online using a Google search.
Lee Gaywood, 31, of Chelsea Heights in Victoria, contacted Fairfax
Media about the information being freely accessible to anyone online
after conducting a specific Google search that turned up Telstra
spreadsheets.
The...
Hackers steal physio clinic files
Erica Absetz (May 15)
http://www.goldcoast.com.au/article/2013/05/15/451894_crime-and-court-news.html
A MERMAID Waters physiotherapy clinic is the second medical practice
on the Gold Coast to be held to ransom by an international hacker
demanding $5000 to unlock patient files.
The scam, which has affected businesses across the country, put more
than 8000 patient files at risk at the busy Q Super Centre practice on
Monday.
Back in Motion Physiotherapy owner Brad...
Mass email by Dent Neurologic inadvertently breaches privacy of 10,200 patients
Erica Absetz (May 15)
http://www.buffalonews.com/apps/pbcs.dll/article?AID=/20130514/CITYANDREGION/130519516/1003
Confidential information about more than 10,200 patients of Dent
Neurologic Institute was inadvertently sent to more than 200 patients
Monday in an email attachment.
The personal information – including patients’ names and home
addresses, their doctors’ names, last appointment dates and their
email addresses – was contained on an Excel patient...
Unions eye medical privacy violation
Erica Absetz (May 15)
http://bostonherald.com/news_opinion/local_coverage/2013/05/unions_eye_medical_privacy_violation
Police, fire and EMS unions are accusing the Boston Public Health
Commission of going behind the backs of bombing victims to collect
private medical information about those who sought “primary care and
other outpatient” help days and weeks after the bombings.
The commission has sent letters to 13 area hospitals and 25 health
clinics seeking...
(wtop.com) Fwd: NOTICE OF HACKING INCIDENT AND POSSIBLE MALWARE ATTACK (fwd)
security curmudgeon (May 15)
-------- Original Message --------
Subject: NOTICE OF HACKING INCIDENT AND POSSIBLE MALWARE ATTACK
Date: Sun, 12 May 2013 11:02:41 -0600
From: WTOP <website () community wtop com>
Reply-To: Hubbard Radio, DC
<reply-fecc167275600d7f-28697_HTML-79048353-1066862-0 () community wtop com>
To:
To view this email as a web page, go here.
http://click.community.wtop.com/?qs=[..]
Forward to a Friend...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
Re: Wmic through the windows api
egypt (May 17)
Extensions should be submitted as a pull request in the meterpreter
repo: https://github.com/rapid7/meterpreter
If you have already written the ruby side, that should be a pull
request on the framework repo, with a link to the meterpreter pull
request in the description.
Thanks!
egypt
Re: Wmic through the windows api
Abuse 007 (May 16)
Hi Brian,
Perhaps you need to allocate some memory in a process, write your custom
data structure there, and then make the call with a pointer/reference to
the custom data structure in the memory you allocated for it.
Cheers,
B
Ruxcon 2013 Call For Papers
cfp (May 07)
Ruxcon 2013 Call For Presentations
Melbourne, Australia, October 26th-27th
CQ Function Centre
http://www.ruxcon.org.au/call-for-papers/
The Ruxcon team is pleased to announce the Call For Presentations for Ruxcon 2013.
This year the conference will take place over the weekend of the 26th and 27th
of October at the CQ Function Centre, Melbourne, Australia.
.[x]. About Ruxcon .[x].
Ruxcon is a premier technical computer security conference...
Breakpoint 2013 Call For Papers
cfp (Apr 30)
Breakpoint 2013 Call For Papers
Melbourne, Australia, October 24th-25th
Intercontinental Rialto
http://www.ruxconbreakpoint.com
.[x]. Introduction .[x].
The Ruxcon team is pleased to announce Call For Papers for Breakpoint 2013.
Breakpoint showcases the work of expert security researchers from around the
world on a wide range of topics. This conference is organised by the Ruxcon
team and offers a specialised security conference to...
Re: framework Digest, Vol 63, Issue 13
Vlad Ovtchinikov (Apr 27)
Try exploit-db.com
Sent from my iPhone
Re: framework Digest, Vol 63, Issue 13
Prabhu (Apr 27)
Hi,
I surfed privilege escalation exploits in unix/local and linux/local
category, I found most of them work only with linux kernel 2.4 and 2.6.
But I am looking for exploits for kernel 3.0 and above, could someone suggest
me an exploit to handle this.
Re: help
Joshua Smith (Apr 25)
You beat me Tod, I was gonna say
$ msfconsole
but seriously man, you need to give more details.
Re: help
Tod Beardsley (Apr 25)
http://ifconfig.me
Re: framework Digest, Vol 63, Issue 12
Michael Schierl (Apr 25)
On 25.04.2013 19:59, Tod Beardsley wrote:
Seconded.
Also, please note that a piece of shellcode is not an exploit (just like
a pinch of gunpowder is not a firearm, or like a satellite is not a
space rocket). In fact the shellcode is usually the easiest part for a
new exploit as Metasploit ships lots of them to easily integrate into
any exploit.
When you have installed Metasploit, have a look at the unix/local/ and
linux/local/ category if...
help
gri sma (Apr 25)
how to use external ip on metasploit
Re: framework Digest, Vol 63, Issue 12
Tod Beardsley (Apr 25)
please don't run random blobs of shellcode you find on the internet.
It's not healthy.
That's kind of why we do Metasploit.
If you would like to start using Metasploit, please see
http://metasploit.pro and pick the right version for your needs.
Thanks!
Re: framework Digest, Vol 63, Issue 12
Prabhu (Apr 25)
Hi,
I picked an exploit from the link below, and I compiled it manually in a test
environment. I ended up with an error message stating that
error: lvalue required as left operand of assignment
http://www.shell-storm.org/shellcode/files/shellcode-548.php
Could you suggest me a shellcode to proceed.
Re: framework Digest, Vol 63, Issue 11
Prabhu (Apr 25)
Hi Tod,
Thank you for response, I'm looking at this exploit. could you help me to
sort this.
http://pastebin.com/GC824ayU
Re: framework Digest, Vol 63, Issue 11
h4lp.php () gmail com (Apr 24)
Did you find something at exploit-db or 1337day?
And maybe you should tell what you did and how, and more, and your Metasploit version.
Prabhu <flyingcolours47 () gmail com> wrote:
Re: framework Digest, Vol 63, Issue 11
Tod Beardsley (Apr 24)
Which Metasploit module is giving you trouble?
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Wireshark (1.8.2) decrypting (SIP)TLS Traffic
Max Mühlbronner (May 23)
Hi list,
I just tried to decrypt SIP TLS traffic in wireshark (preferences -->
SSL , imported priv key for server ip/port) and was at least able to see
decrypted packets in the ssl-logfile when enabling SSL debugging in
wireshark. I also made sure to capture the initial handshake, but the
decrypted SIP traffic never shows up in wireshark/packet list?
One thing i noticed is: i have to choose a protocol like...
Wireshark 1.10.0rc2 is now available
Wireshark announcements (May 22)
I'm proud to announce the release of Wireshark 1.10.0rc2.
__________________________________________________________
What is Wireshark?
Wireshark is the world's most popular network protocol
analyzer. It is used for troubleshooting, analysis, development
and education.
__________________________________________________________
What's New
Bug Fixes
The following bugs have been fixed:
* Redirecting...
Wireshark 1.10.0rc2 is now available
Gerald Combs (May 22)
I'm proud to announce the release of Wireshark 1.10.0rc2.
__________________________________________________________
What is Wireshark?
Wireshark is the world's most popular network protocol
analyzer. It is used for troubleshooting, analysis, development
and education.
__________________________________________________________
What's New
Bug Fixes
The following bugs have been fixed:
* Redirecting...
Re: What is the use of pointer "cap_file_" in QtShark
Gerald Combs (May 22)
The intent was to associate a capture_file with a MainWindow instead of
with the entire application. I've been trying to avoid the use of
globals.h and the global cfile variable in particular in the Qt code in
case we ever manage to support having more than one capture file open.
Using it to determine if we have an open capture file followed from that.
Re: What is the use of pointer "cap_file_" in QtShark
Guy Harris (May 22)
Currently, yes.
We make no claim that Wireshark will, forever, have only one main window and only one capture file open, so it should
not be treated as if it is, inherently, just a pointer to cfile.
Yes, it's defined there, but tshark.c, as the name suggests, is not linked into Wireshark, it's linked into TShark; the
cfile in QtShark is defined in ui/qt/main.cpp (and in GTKShark is defined in ui/gtk/main.c).
No, we keep it around...
What is the use of pointer "cap_file_" in QtShark
Richard Turner (May 22)
In Wireshark/ui/qt/main_window.h there is a private member variable
defined as:
capture_file *cap_file_;
I think it's a pointer to the global variable "cfile" (defined in tshark.c).
Is it true that we keep this pointer only to verify the validity of
cfile (we set cap_file_ to NULL when the capture file is closed)?
Regards,
-Richard Turner
Add an option to tshark to give the prefix or whole tempfile name?
Anders Broman (May 22)
Hi,
We have some automated scripts that use tshark. Occasionally dumpcap crashes and leaves huge files in /tmp; to fix that
we write to a named file, which causes its own problems. A solution could be to provide tshark with the name or the
prefix of the tempfile, to be able to clean up or overwrite the file.
Would someone be willing to implement this? I think it should be possible to use long option names, e.g. tempfilename?
Regards
Anders
Re: Keep getting "unresolved external symbol" error when trying to use "summary_fill_in"
Richard Turner (May 22)
Thanks all of you! Problem resolved. (By updating summary.h to latest
SVN version)
Regards,
Richard Turner
Re: Keep getting "unresolved external symbol" error when trying to use "summary_fill_in"
Guy Harris (May 22)
Or pick up the current top-of-trunk SVN version, wherein summary.h has the extern "C" stuff in it (it belongs there,
not in code that includes summary.h).
Re: Keep getting "unresolved external symbol" error when trying to use "summary_fill_in"
Guy Harris (May 22)
So, whatever build tools you're using to build QtShark have been told to include "summary.c" in the top-level directory
as one of the source files in the build, right?
If not, make it so. (ui/qt/QtShark.pro *appears* to do that, but maybe there's something subtle I'm missing. If
you're *not* using ui/qt/QtShark.pro, you're on your own.)
Re: Keep getting "unresolved external symbol" error when trying to use "summary_fill_in"
Alexis La Goutte (May 22)
Hi,
It is a problem of linking a C library with C++.
You need to use this fix:
+/* linking C functions */
+extern "C"
+{
+#include "../summary.h"
+}
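Review bot: the extern "C" wrapper is placed around the #include "../summary.h" line in the including file, so every other C++ source that includes summary.h needs the same wrapper. Moving the extern "C" block into summary.h itself, guarded by #ifdef __cplusplus, declares the C linkage once for all C++ callers.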
Re: Keep getting "unresolved external symbol" error when trying to use "summary_fill_in"
Richard Turner (May 22)
I'm sorry, but this won't work on my environment.
I still get the same error :
C:\Turner\Workspace\Wireshark\ui\build-QtShark-Qt4_8_4-Release\main.obj:-1:
error: LNK2019: Unresolved external symbol "__declspec(dllimport) void
__cdecl summary_fill_in_capture(struct _capture_file *,struct
capture_options_tag *,struct _summary_tally *)"...
Re: Keep getting "unresolved external symbol" error when trying to use "summary_fill_in"
Pascal Quantin (May 22)
On 22/05/2013 07:30, Anders Broman wrote:
The line
#include "ws_symbol_export.h"
should be added at the beginning of summary.h also
Regards,
Pascal.
Re: Keep getting "unresolved external symbol" error when trying to use "summary_fill_in"
Anders Broman (May 22)
Richard Turner wrote on 2013-05-22 07:19:
Try changing summary.h as follows
WS_DLL_PUBLIC extern void
summary_fill_in(capture_file *cf, summary_tally *st);
#ifdef HAVE_LIBPCAP
WS_DLL_PUBLIC extern void
summary_fill_in_capture(capture_file *cf, capture_options *capture_opts,
summary_tally *st);
#endif
Regards
Anders
Keep getting "unresolved external symbol" error when trying to use "summary_fill_in"
Richard Turner (May 22)
Hello,
I'm trying to implement the statistics summary window in QtShark, but
when I use these two functions I keep getting LNK2019 "unresolved
external symbol" error from my VS2010 compiler:
summary_fill_in(&cfile, &summary);
summary_fill_in_capture(&cfile, &global_capture_opts, &summary);
both are located in summary.c
I've tested using the two functions in main.cpp(which properly included
the...
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Re: Ultrasurf and Hotspot Shield pattern
waldo kitty (May 23)
RE: ultrasurf
you can't really... maybe with a man-in-the-middle configuration but who wants
to go thru all that? some corporations do, though... in reality, the best you
can do is to enforce company policy and remove the ultrasurf executable from
users machines (AD logon scripts anyone?)... here are some links concerning
ultrasurf courtesy of uncle google... there should be enough pointers in there
to help you get started ;)...
Ultrasurf and Hotspot Shield pattern
Ozgur Karatas (May 23)
Hello all,
I am using Snort (Version 2.9.3.1 IPv6 GRE (Build 40)) and I am trying Snort IPQ mode:
$ iptables -A FORWARD -j QUEUE
$ snort -d -D --daq ipq -Q -c /etc/snort/snort.conf
Snort sniffed incoming and outgoing TCP/UDP traffic. My Snort server is running in bridge mode. How can I stop ultrasurf and
hotspotshield traffic? I don't formulate to snort pattern.
Help me please,
Regards
Ozgur...
Re: Enabling Debug option
Russ Combs (May 23)
spp_arpspoof.c is only using DEBUG_PLUGIN and DEBUG_INIT so you could:
export SNORT_DEBUG=0x21
to get those messages. However, I suggest breaking on ARPspoofInit()
and DetectARPattacks() and stepping through the code instead.
Re: Sanity Check for password change - unsuccessful attempt
rmkml (May 22)
Hi Khawaja,
thx you for sharing rule,
I have "changepw" but not on 88/tcp to_client side, found on 464/tcp
to_server side...
Anyone fire this rule please?
Regards
@Rmkml
Re: Sanity Check for password change - unsuccessful attempt
Joel Esler (May 22)
In order to look at something like this, you'd/we'd need a pcap to analyze.
Sanity Check for password change - unsuccessful attempt
Khawaja, Kaleem (May 22)
All,
My first attempt at writing this rule and will appreciate the keen eyes
of the experts here. If you can do a quick sanity check for me and let
me know if the syntax and the logic will work.
Basically trying to alert on unsuccessful attempts for changing
passwords in AD.
alert tcp any 88 -> any any (msg:"Password Change attempt - 20130522";
flow:to_client,established; content:"|05|"; offset:14; depth:1;...
Enabling Debug option
Mohamed Makthum (May 22)
Hello Everyone,
I am trying to test the arpspoof preprocessor
but it isn't working. The preprocessor isn't generating any alert msgs when
ARP replies are spoofed. Kindly let me know how I can know whether a particular
preprocessor is initialized or not. How do I debug?
I have made a build using -enable-debug option. I have read several
questions where it is mentioned to use export env variable SNORT_DEBUG but I...
Re: HTTP Inspect with only a GET request.
Joel Esler (May 22)
Thanks for clarifying my clarification Russ. :D
Re: [Dynamic Preprocessor] How to log packet and output alert: genSnortEvent or alertAdd?
Russ Combs (May 22)
Use alertAdd() to raise the alert. Check dpx.c for an example.
Re: HTTP Inspect with only a GET request.
Russ Combs (May 22)
No, which is why I said, in IDS mode, you need the ack.
But you can leave the IPS setting in your conf. It will give a
warning and otherwise be ignored in passive mode:
"WARNING: tcp normalizations disabled because not inline."
Re: HTTP Inspect with only a GET request.
James Lay (May 22)
Will this work even if you're not running IPS mode? I've always wondered to leave the IPS mode jazz in my config or
not..thanks Joel.
James
Re: HTTP Inspect with only a GET request.
Joel Esler (May 22)
To clarify, this will work if you use "preprocessor normalize_tcp: ips" directive in your snort.conf.
Re: Blacklist DNS Alert
Mustafa Qasim (May 22)
It looks more like the Potentially Unwanted Application (PUA) or Adware
category. However it doesn't have any positive or legitimate web
presence/history. It's safe to block it. Anyone can use AWS infrastructure
to host malicious content, like people do to set up launchpads using free
webhosting and dynamic DNS providers.
www.scumware.org/report/d1js21szq85hyn.cloudfront.net...
Blacklist DNS Alert
Josh Bitto (May 22)
I'm getting this alert on my IPS from my DNS server (internal IP) out to this particular IP address.
[1:26554:1] BLACKLIST DNS request for known malware domain d1js21szq85hyn.cloudfront.net - Win.Adware.BProtector
Does anyone know if this could be a false positive? I've tried looking to see if this domain is blacklisted...it looks like
it's from amazon. It shows the source as my DNS server so I'm trying to determine the...
Re: HTTP Inspect with only a GET request.
Russ Combs (May 22)
Presently, not without the ACK.
OpenVAS — Development and announcements regarding OpenVAS, a free network security scanner which forked from Nessus. This is a combination of the English openvas-announce, openvas-devel, openvas-discuss, and openvas-plugins lists.
Re: SVN trunk: Breaking openvas-administrator
btb (May 23)
ah, of course. that was silly of me to find the db file but not look in it. i assumed based on filename.
thanks
-ben
Re: openvasmd using all CPU
YanQian (May 23)
Hi,Paula,
Yes, same logs here,
base gpgme:MESSAGE:2013-05-23 00h15.03 CST:29860: Setting GnuPG homedir to '/etc/openvas/gnupg'
base gpgme:MESSAGE:2013-05-23 00h15.03 CST:29860: Using OpenPGP engine version '2.0.14'
md crypt: INFO:2013-05-23 00h15.03 CST:29860: starting key generation ...
md main:WARNING:2013-05-22 16h19.01 utc:29810: cleanup_manage_process: attempt to close db with open statement(s)
regards,
YanQian...
Re: SVN trunk: Breaking openvas-administrator
btb (May 23)
this seems to now be working:
openvas-check-setup 2.2.2
Test completeness and readiness of OpenVAS-7
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 4.0+beta1.
OK: OpenVAS Scanner CA Certificate is present as /opt/openvas/var/lib/openvas/CA/cacert.pem.
OK: NVT collection in /opt/openvas/var/lib/openvas/plugins contains 30717 NVTs.
OK: Signature checking of NVTs is enabled in...
SVN trunk: breaking scanner users directory.
Jan-Oliver Wagner (May 23)
Hi,
I just removed the handling of the "users" directory.
The only thing you need to do is to get the dname
properly placed again. Either
cp /var/lib/openvas/users/om/auth/dname /var/lib/openvas/dname
or
openvas-mkcert-client -n -i
will do the job.
If you are using .auth.conf, then you need to copy this as well:
cp /var/lib/openvas/users/.auth.conf /var/lib/openvas/auth.conf
In case you experience any other sort of problem,...
Re: SVN trunk: Breaking openvas-administrator
Hani Benhabiles (May 23)
Hi,
You are probably looking for the users table in tasks.db.
$ sqlite3 /usr/var/lib/openvas/mgr/tasks.db "SELECT * FROM users;"
That is the DB where most Manager data is stored (beside secinfo stuff
like cpe, cve, dfn cert etc,. which are in the other two DBs.)
Cheers,
Hani.
Re: SVN trunk: Breaking openvas-administrator
Jan-Oliver Wagner (May 22)
On Monday 20 May 2013 22:40:06, btb wrote:
openvas-check-setup:
I've committed new version 2.2.2 of openvas-check-setup.
Please try it.
The user tests are currently missing. As Matt pointed out, it is work in
progress.
Re: openvasmd using all CPU
Paula Gonzalez Muñoz (May 22)
Hi YanQian,
do you have the same message I got at openvasmd.log?
Regards,
Paula
2013/5/22 YanQian <yankaiqian () live cn>
Re: openvasmd using all CPU
YanQian (May 22)
Hi, Paula,
I tried the way you said in RHEL6, start openvas-manager without "--disable-encrypted-credentials", but CPU usage
still rises to 99% when I run omp command to add credentials (could not finish, just hang there).
so it didn't work for me.
regards,YanQian
Date: Tue, 21 May 2013 11:05:50 +0200
Subject: Re: [Openvas-discuss] openvasmd using all CPU
From: p.gonmu () gmail com
To: yankaiqian () live cn
CC: openvas-discuss...
Re: SVN trunk: Breaking openvas-administrator
btb (May 22)
experimenting a bit with another computer running version 6, i can see with strace that maybe there is an sqlite db
somewhere for this:
[...]
open("/usr/lib/x86_64-linux-gnu/libsqlite3.so.0", O_RDONLY|O_CLOEXEC) = 3
[...]
but i'm not able to see it open a file. i only see three databases so far in my poking around:
var/lib/openvas/cert-data/cert.db
var/lib/openvas/scap-data/scap.db
var/lib/openvas/mgr/tasks.db
but nothing...
Re: SVN trunk: Breaking openvas-administrator
btb (May 22)
i'm familiar with var/lib/openvas/users/, but i gather this is not what is meant by the db? where can i read about
inserting a user into the db by hand?
-ben
Re: trouble building gsa from trunk
btb (May 22)
thanks.
i've checked out 16419, and can report that gsa now appears to build as expected.
-ben
Re: trouble building gsa from trunk
Michael Wiegand (May 22)
* btb [17. May 2013]:
This should be fixed with the patch I committed in SVN revision 16383.
You may test it by doing an "svn revert src/CMakeLists.txt" and building
again.
Regards,
Michael
Re: SVN trunk: Breaking openvas-administrator
Matthew Mundell (May 21)
If you migrate from an existing install the old users will be preserved.
Otherwise you could insert the first user into the db by hand.
Re: SVN trunk: Breaking openvas-administrator
btb (May 21)
i see, thanks. so while this is still being worked out, i can't do much testing beyond just building the software?
-ben
Re: openvasmd using all CPU
Paula Gonzalez Muñoz (May 21)
Hello,
I have found a workaround for this behaviour (it works on gentoo with
kernel 3.4 on a server profile). The first credential you create you do it
using CLI with this command:
omp -u your_openvas_user -w your_password --xml="<create_lsc_credential>
<name>init</name><login>init</login><password>init</password></create_lsc_credential>"
The credential can be whatever you want (you...
We also maintain archives for these lists (some are currently inactive):
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.
|