SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below.
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects.
Re: [NSE] http-drupal-modules.nse
Hani Benhabiles (May 17)
After tests done by Patrik, I have added fallback to GET request
methods + response body matching for servers that return non 404 status
codes for non-existing files as r28601.
Cheers,
Hani.
Re: [NSE] http-drupal-modules.nse
Hani Benhabiles (May 17)
I have committed this after fixing all remaining issues as r28586.
Cheers,
Hani.
[NSE] http caching not taking checking headers difference
Hani Benhabiles (May 16)
Hi list,
While writing an http script, I found out that sending two requests
as in the code below causes the second to not be sent.
local response = http.get(host, port, '/', { ['header'] = { ['Foo'] = bar }})
local response2 = http.get(host, port, '/', { ['header'] = { ['Foo'] = bar2 }})
When investigating it, I found that it was due to the http cache system
checking the...
Re: Sean Rivera's status report - #3 of 17
David Fifield (May 16)
I don't know of anything built into Python. You should just make your
own table. (And also a reverse table, which ideally should be built
automatically from the forward table for easier maintenance.)
There's an RFC or something that has the whole list of language codes,
but I don't want to actually build that table into the script. Rather,
just add entries for the language codes that are actually in
nmap-service-probes, and add a...
Re: Sean Rivera's status report - #3 of 17
sean rivera (May 16)
Thanks for clearing that up that makes a lot more sense. I do have one
other question though. How should I go about matching the language and the
two letter code? Would it be worth it to set up a lookup table that has all
supported languages and then use that for comparison? Do you know of any
inherent Python functionality that could help?
Thanks
~Sean Rivera
Software Engineer
Re: HTTP fingerprint NSE?
David Fifield (May 16)
Leave them in http-fingerprints.lua. People running http-enum will still
want to see them.
David Fifield
Re: HTTP fingerprint NSE?
stripes (May 16)
For the ones that already have scripts, should they be left in the http-fingerprints.lua or should they be cleaned up
as the NSEs are written?
Ok, cool.. that gives me a start :)
Ok, thanks. I'll see what I can get started on.
-Anne
New VA Modules: NSE: 1, OpenVAS: 7, MSF: 1, Nessus: 5
New VA Module Alert Service (May 16)
This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.
== Nmap Scripting Engine scripts (1) ==
r28586 http-drupal-modules http://nmap.org/nsedoc/scripts/http-drupal-modules.html
https://svn.nmap.org/nmap/scripts/http-drupal-modules.nse
Enumerates the installed Drupal modules by using a list of known
modules.
== OpenVAS plugins (7) ==
r13461 802851...
Re: svn update failures
Patrik Karlsson (May 16)
Is there any particular reason for having the server root directory
password protected? If that's what's causing the error, which seems likely
given the last error message, simply having it return a 404 or 200 could
perhaps solve the problem.
//Patrik
Re: svn update failures
Forrest Aldrich (May 16)
I'm still having the same trouble.
Okay, so if I'm going to have to type in a username for each update
tree, which anonymous one should I use?
Forrest
# svn update
U nmap-service-probes
D scripts/asn-to-prefix.nse
U scripts/rexec-brute.nse
U scripts/http-domino-enum-passwords.nse
U scripts/firewalk.nse
U scripts/dns-cache-snoop.nse
U scripts/acarsd-info.nse
U scripts/lltd-discovery.nse
U...
Re: [nmap-svn] r28585 - nmap/todo
Patrick Donnelly (May 15)
My earlier thoughts on the subject (for those reading nmap-svn and curious):
http://seclists.org/nmap-dev/2011/q4/186
I think callbacks in general will be, from a programmatic perspective,
inconsistent with the rest of our libraries. In particular, the nsock
binding does not expose the callback mechanism to scripts. I would
like to see a design that avoids callbacks.
One possibility is to keep http.get as a "blocking" call but...
New VA Modules: NSE: 4, OpenVAS: 87, MSF: 3, Nessus: 14
New VA Module Alert Service (May 15)
This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.
== Nmap Scripting Engine scripts (4) ==
r28568 ajp-request http://nmap.org/nsedoc/scripts/ajp-request.html
https://svn.nmap.org/nmap/scripts/ajp-request.nse
Request an URI over the Apache JServe Protocol and displays or
alternatively stores the result in a file. Different AJP methods such
as; GET, HEAD, TRACE, PUT or DELETE may...
Re: [NSE] http-drupal-modules.nse
Patrik Karlsson (May 15)
I've had a chance to test this now and ran into some problems due to how
the file drupal-modules.lst is formatted.
When looking into the problem it turned out that each module ended with a
line-feed, breaking the path in the request to the server.
Re-formatting the file to unix format solved the problem for me.
Also, as a general observation (not specific to this script) I find
pipelining great, as it's really quick, when it...
Re: ncat usage
Dave Henderson (May 15)
Any thoughts on this Fyodor? It appears as though I've stumped the
other members of this mailing list too, unfortunately. :( Any help
would greatly be appreciated!
Thanks,
Dave
Re: ncat usage
Dave Henderson (May 15)
bump for help
Nmap Hackers — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Last Chance to Apply for the Nmap/Google Summer of Code!
Fyodor (Apr 04)
Hi Folks. I'm happy to announce that the Nmap Project has again been
accepted into the Google Summer of Code program. This innovative and
extraordinarily generous program provides $5,000 stipends to college
and graduate students who want to spend the summer improving Nmap!
They gain valuable experience, get paid, strengthen their résumé, and
write code for millions of users.
Previous SoC students helped create the Nmap Scripting Engine,...
Nmap 5.61TEST5 released with 43 new scripts, improved OS & version detection, and more!
Fyodor (Mar 09)
Hi folks! We've been working hard for the last 2 months since
5.61TEST4, and I'm pleased to announce the results: Nmap 5.61TEST5.
This release has 43 new scripts, including new brute forcers for http
proxies, SOCKS proxies, Asterisk IAX2, Membase, MongoDB, Nessus
XMLRPC, Redis, the WinPcap remote capture daemon, the VMWare auth
daemon, and old-school rsync. Better check that your passwords are
strong! Some other fun scripts are...
Updates on Download.Com caught adding malware to Nmap installer
Fyodor (Dec 06)
Hi Folks. A lot has happened since yesterday's email about
Download.com's antics (http://seclists.org/nmap-hackers/2011/5) and I
wanted to send a quick update.
First of all, several people complained about my angry tone and my
telling Download.com to "F*ck" themselves. I apologize to anyone
offended. But if you ever spend more than 14 years creating free
software as a gift to the community, only to have it used as bait by...
C|Net Download.Com is now bundling Nmap with malware!
Fyodor (Dec 05)
Hi Folks. I've just discovered that C|Net's Download.Com site has
started wrapping their Nmap downloads (as well as other free software
like VLC) in a trojan installer which does things like installing a
sketchy "StartNow" toolbar, changing the user's default search engine
to Microsoft Bing, and changing their home page to Microsoft's MSN.
The way it works is that C|Net's download page (screenshot attached)...
SecTools.Org relaunched based on your survey responses!
Fyodor (Nov 04)
Hi folks! Remember the latest Nmap survey that almost 3,000 of you
filled out? Well, it took a while, but I'm happy to report that we've
tabulated the results and launched a new version of the SecTools.Org
top security tools list! In addition to updating the data, we've
dramatically improved the site. It now includes user ratings and
reviews, tracks release dates, offers searching and sorting, and even
lets you nominate your...
Nmap 5.59BETA1 Released!
Fyodor (Jun 30)
Hi Folks. Other than the recent informal IPv6 commemorative edition,
we haven't had a real Nmap release in more than four months since
5.51. That is in part because we've been so busy with seven (!)
full-time Google Summer of Code students cranking out tons of
excellent code! But I think we've pulled this together into a release
we can be proud of, and I'm happy to announce Nmap 5.59BETA1!
This version includes:
o 40 new...
Happy World IPv6 Day From the Nmap Project!
Fyodor (Jun 08)
Hi Folks. You have probably heard that today is World IPv6 Day, with
sites like Google, Facebook, and Yahoo publishing IPv6 records for
their main web sites. I'm happy to report that the Nmap Project is
celebrating in several ways:
==Scanme Updated to IPv6==
You probably know that we run the machine scanme.nmap.org as a system
people are allowed to use as a target for test scans and the like.
That system now has native IPv6 support. So...
Nmap 5.51 and SoC Opportunity
Fyodor (Apr 05)
Hi Folks! I'm happy to report that the Nmap 5.50 release was a big
success, with nearly 300,000 downloads in the first two weeks. That
much attention inevitably uncovers some bugs, so we released Nmap 5.51
in February to address them. You can find the release notes at
(http://seclists.org/nmap-dev/2011/q1/518) and the downloads at
http://nmap.org/download.html.
I also wanted to let you know about a serious potential competitive
threat to...
Nmap 5.50: Now with Gopher protocol support!
Fyodor (Jan 28)
Hi folks! It has been a year since the last Nmap stable release
(5.21) and six months since development version 5.35DC1, so I'm
pleased to release Nmap 5.50! I'm sure you'll find that it was worth
the wait!
A primary focus of this release is the Nmap Scripting Engine, which
has allowed Nmap to expand up the protocol stack and take network
discovery to the next level. Nmap can now query all sorts of
application protocols,...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
[SECURITY] [DSA 2473-1] openoffice.org security update
Florian Weimer (May 17)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2473-1 security () debian org
http://www.debian.org/security/ Florian Weimer
May 16, 2012 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : openoffice.org
Vulnerability : buffer overflow
Problem...
FlashPeak SlimBrowser TITLE Denial Of Service Vulnerability
demonalex (May 16)
Title: FlashPeak SlimBrowser TITLE Denial Of Service Vulnerability
Software : FlashPeak SlimBrowser
Software Version : 6.0.1.38
Vendor: FlashPeak Inc.(www.flashpeak.com/)
Vulnerability Published : 2012-05-16
Vulnerability Update Time :
Status :
Impact : Medium(CVSS2 Base : 5.0, AV:N/AC:L/Au:N/C:N/I:N/A:P)
Bug Description :
FlashPeak SlimBrowser is a web browser Software for FREE.
FlashPeak SlimBrowser contains one denial of service...
[PRE-SA-2012-03] Linux kernel: Buffer overflow in HFS plus filesystem
Timo Warns (May 16)
PRE-CERT Security Advisory
==========================
* Advisory: PRE-SA-2012-03
* Released on: 10 May 2012
* Affected product: Linux Kernel 3.3.x <= 3.3.4
2.6.x <= 2.6.35.13
* Impact: code execution / privilege escalation
* Origin: HFS plus file system
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-2319
Summary
-------
The Linux kernel contains a vulnerability in the driver...
The story of the Linux kernel 3.x...
pi3 (May 16)
The story of the Linux kernel 3.x...
In 2005 everybody was excited about possibility of bypass ASLR on all
Linux 2.6 kernels because of the new concept called VDSO (Virtual
Dynamic Shared Object). More information about this story can be found
at the following link:
http://www.trilithium.com/johan/2005/08/linux-gate/
In short, VDSO was mmap'ed by the kernel in the user space memory always
at the same fixed address. Because of that...
CVE-2012-2334 Vulnerabilities related to malformed Powerpoint files in OpenOffice.org 3.3.0
Rob Weir (May 16)
CVE-2012-2334 Vulnerabilities related to malformed Powerpoint files
in OpenOffice.org 3.3.0
Reference: http://www.openoffice.org/security/cves/CVE-2012-2334.html
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
Earlier versions may be also affected.
Description:
A review of the code in filter/source/msfilter msdffimp.cxx revealed
some unchecked memory...
CVE-2012-2149 OpenOffice.org memory overwrite vulnerability
Rob Weir (May 16)
CVE-2012-2149 OpenOffice.org memory overwrite vulnerability
Reference: http://www.openoffice.org/security/cves/CVE-2012-2149.html
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
Earlier versions may be also affected.
Description:
Affected versions of OpenOffice.org use a customized libwpd that has a
memory overwrite vulnerability that could be exploited by a...
CVE-2012-1149 OpenOffice.org integer overflow error in vclmi.dll module when allocating memory for an embedded image object
Rob Weir (May 16)
CVE-2012-1149 OpenOffice.org integer overflow error in vclmi.dll module
when allocating memory for an embedded image object
Reference: http://www.openoffice.org/security/cves/CVE-2012-1149.html
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
Earlier versions may be also affected.
Description:
The vulnerability is caused due to an integer overflow error in the...
Re: Trigerring Java code from a SVG image
Nicolas Grégoire (May 16)
There's probably some other software implementing this feature, but
not browsers (luckily !).
Regards,
Nicolas
[SECURITY] [DSA 2472-1] gridengine security update
Florian Weimer (May 16)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2472-1 security () debian org
http://www.debian.org/security/ Florian Weimer
May 15, 2012 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : gridengine
Vulnerability : privilege escalation
Problem...
Apple Quicktime Memory Corruption (CVE-2012-0671)
Rodrigo Rubira Branco \(BSDaemon\) (May 16)
Qualys Vulnerability & Malware Research Labs (VMRL)
http://www.qualys.com
http://www.dissect.pe
Memory corruption when Apple Quicktime parses .pct file
CVE-2012-0671
INTRODUCTION
Apple Quicktime does not properly parse .pct media files, which causes
a corruption in module DllMain by opening a malformed file with an
invalid value located in PoC repro01.pct at offset 0x20E.
This problem was confirmed in the following versions of Quicktime...
APPLE-SA-2012-05-15-1 QuickTime 7.7.2
Apple Product Security (May 16)
APPLE-SA-2012-05-15-1 QuickTime 7.7.2
QuickTime 7.7.2 is now available and addresses the following:
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple stack overflows existed in QuickTime's
handling of TeXML files. These issues do not affect OS X systems.
CVE-ID
CVE-2012-0663 :...
Liferay 6.1 json webservices are subject to cross-site request forgery attacks
Jelmer Kuperus (May 15)
Liferay 6.1 json webservices are subject to cross-site request forgery attacks
Description:
Liferay Portal is an enterprise portal written in Java
If a user is currently logged in to the portal (or has ticked the
remember me box) then with a
little help of social engineering (like sending a link via
email/chat), an attacker can read most
data the logged in user is privileged to see. The reason for this is
that the new json webservices
let you...
[ MDVSA-2012:075 ] ffmpeg
security (May 15)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2012:075
http://www.mandriva.com/security/
_______________________________________________________________________
Package : ffmpeg
Date : May 15, 2012
Affected: 2010.1
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been...
Liferay 6.1 can be compromised without having an account on the portal
Jelmer Kuperus (May 15)
Liferay 6.1 can be compromised without having an account on the portal
Description:
Liferay Portal is an enterprise portal written in Java
Liferay in its default configuration exposes a number of remotely
accessible webservices.
Access to these services is restricted by an ip block.
It is possible to circumvent this ip block in the following way :...
Guests can view names and emailadresses of all Liferay users in liferay 6.1
Jelmer Kuperus (May 15)
Guests can view names and emailadresses of all Liferay users in liferay 6.1
Description:
Liferay Portal is an enterprise portal written in Java
As an unauthenticated user it is possible to retrieve the names and
email addresses of all Liferay users.
To retrieve a list of all users simply issue the following request
http://vulnerablehost/c/search/open_search?p=1&c=5000&keywords=entryClassName:com.liferay.portal.model.User
Getting to...
Full Disclosure — A lightly moderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately, most of the posts are worthless drivel, so finding the gems takes patience.
Re: Vulnerability in is Dopewars
Charles Morris (May 17)
You should have gone to a CERT with this, shouldn't vendor
coordination be of urgency here?
Vulnerability in is Dopewars
Григорий Братислава (May 17)
Hello Full-Disclosure!! !! !!
Is like to warn you about is vulnerability in Dopewars. I'm is
discover vulnerability perhaps 10 years ago but is posting now.
Is problem exist when carry more than is 50 cocaines and is Officer
Hardass (pitifully armed) is kill 2 of is your bitches. Is when this
happen player is obviously targeted!
Is exploit will happen only when player is in is Brooklyn (not Queens)
and is has identity given to Officer...
Re: Google Accounts Security Vulnerability
Thor (Hammer of God) (May 17)
That's what I said. :D
Timothy "Thor" Mullen
www.hammerofgod.com
Thor's Microsoft Security Bible
-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of
Mike Hearn
Sent: Wednesday, May 16, 2012 1:38 PM
To: full-disclosure () lists grok org uk
Cc: mgray () emitcode com
Subject: Re: [Full-disclosure] Google Accounts Security...
Re: The story of the Linux kernel 3.x...
valdis . kletnieks (May 17)
On Wed, 16 May 2012 23:49:40 +0200, Adam Zabrocki said:
You're assuming it's a *mistake* rather than something intentional.
Remember that the distro does *not* know what you run on the kernel, so they
need to build one that covers all the bases. So they really need to make a
choice. Which is going to result in more nasty phone calls and e-mails:
leaving COMPAT_VDSO set (which is probably the 12,934th most security crucial
security...
[ MDVSA-2012:078 ] imagemagick
security (May 17)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2012:078
http://www.mandriva.com/security/
_______________________________________________________________________
Package : imagemagick
Date : May 17, 2012
Affected: 2011.
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has...
Security BSidesDetroit
Kyle Creyts (May 17)
http://www.securitybsides.com/w/page/33949981/BSidesDetroit
Only two weeks left before the opening day.
Talks/schedule listed on page above.
New Open Source Web Application Vulnerability Scanner Available
Dermot Blair (May 17)
Hi All,
There is a new web application vulnerability scanner available. It is
called WebVulScan and it is open source. Here is the link for it if you
want to check it out: http://code.google.com/p/webvulscan/
Regards,
Dermot Blair
Re: Google Accounts Security Vulnerability
Mike Hearn (May 17)
Hi there full-disclosure,
I wanted to respond to the recent post covering the Google real time
anti-hijacking system and explain a bit more about what this system is
and how it works. For background I am the tech lead of the relevant
team, and Daniel Margolis works on it with me.
Firstly, I'd like to note that despite what Michael may have observed
with his account, performing a programmatic login does not whitelist
for web access. Most of...
Re: Google Accounts Security Vulnerability
Mike Hearn (May 17)
I understand your concerns, however they are not valid. You can be
assured of the following:
1) We do not see this system as a replacement for passwords. If we
block a login the user is notified and asked if it was them, if it
wasn't we ask them to pick a new password. In very high confidence
cases we will immediately force the user to choose a new password,
because passwords are still the first line of defense.
2) We do not see this...
[SECURITY] [DSA 2474-1] ikiwiki security update
Raphael Geissert (May 17)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2474-1 security () debian org
http://www.debian.org/security/ Raphael Geissert
May 16, 2012 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : ikiwiki
Vulnerability : cross-site scripting
Problem type...
Re: Google Accounts Security Vulnerability
Michael J. Gray (May 17)
The point of my article is to specifically show that Google has a system in place which gives the perception of a
particular type of security; that is if their password happens to be compromised, that the attack will be limited
unless the attacker has very specific knowledge about the user and their account. This being circumvented renders the
system useless, especially if it's able to be bypassed on an individual basis as I had described...
Re: The story of the Linux kernel 3.x...
Adam Zabrocki (May 17)
On 2012-05-16, Wed at 14:39 -0700, Dan Kaminsky wrote:
As I referred before VSYSCALL is at fixed address but it became as
known issue:
https://lkml.org/lkml/2011/8/9/274
Best regards,
Adam
Re: The story of the Linux kernel 3.x...
Adam Zabrocki (May 17)
On 2012-05-16, Wed at 23:09 +0200, Tavis Ormandy wrote:
Again I wasn't clear (mail sent from mobile phone so I was lazy to type
on this small keyboard), I was referring to VSYSCALL not VDSO. My
mistake ;p
Best regards,
Adam
Re: The story of the Linux kernel 3.x...
Adam Zabrocki (May 17)
Hi Tavis,
Yes this is stock kernels and yes you must believe it is so simple mistake ;)
All systems were installed as VM in default installation using official ISOs.
And of course this is configuration mistake not kernel problem(!) - my mistake
if I wasn't clear in the write-up.
Anyway Suse ISO which I used:
$ md5sum /media/pi3/openSUSE-12.1-DVD-x86_64.iso
4cfe8229111ef723ae7aa541fd2c87b7 /media/pi3/openSUSE-12.1-DVD-x86_64.iso
$ md5sum...
DDIVRT-2012-44 Epicor Returns Management SOAP-Based Blind SQL Injection
ddivulnalert (May 17)
Title
-----
DDIVRT-2012-44 Epicor Returns Management SOAP-Based Blind SQL Injection
Severity
--------
High
Date Discovered
---------------
April 12, 2012
Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: Chris Graham and r () b13$
Vulnerability Description
-------------------------
Digital Defense, Inc. (DDI) has discovered a blind SQL injection vulnerability in the Epicor Returns Management
software SOAP...
Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
Re: Enterprise Password & Session Management Tool
Mlungwana, Buyani (May 17)
Check out cyberark, it's pretty good
----- Original Message -----
From: indiandiamonds () gmail com [mailto:indiandiamonds () gmail com]
Sent: Thursday, May 17, 2012 06:25 PM
To: security-basics () securityfocus com <security-basics () securityfocus com>
Subject: Enterprise Password & Session Management Tool
Could you suggest a tool that can be used for Enterprise password management, for all network devices, as well as
provide...
Enterprise Password & Session Management Tool
indiandiamonds (May 17)
Could you suggest a tool that can be used for Enterprise password management, for all network devices, as well as
provide Remote sessions to vendors into company network.
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it benefits your company...
Re: Open Source Web Security & Content Filtering
Francois Yang (May 17)
Anwar,
could you tell us what it is that you're looking to accomplish?
what do you want this Open Source Web Security & Content Filtering to do?
URL filtering, reverse proxy, application firewall, etc...?
let us know so that we can better answer your question.
Frank
Open Source Web Security & Content Filtering
Anwar Khan (May 17)
Dear All,
Can anyone suggest "Open Source Web Security & Content Filtering"
Software which is free to use except "Squid"
I know Squid can help, but I want to know if any other good one is
available, otherwise last option will be Squid only :(
Regards,
Anwar
[Free article] Reuse your skills: Penetration testing for auditing
maciej . kozuszek (May 17)
Hello list,
I'd like to share with you a free article written by Jeremy Faircloth, author of 'Penetration Tester's Open Source
Toolkit 3rd Ed'.
Access to the article requires no free account or download. You can read it here:
http://pentestlab.org/reuse-your-skills-penetration-testing-for-auditing/
Enjoy the content!
Warm regards,
Maciej
RE: Tool to find rouge wireless access points?
David Gillett (May 16)
An AP typically has two interfaces -- the radio, and the Ethernet
connection. A few of the largest "enterprise" manufacturers will configure
them to use consecutive MAC addresses within the prefix allocated to the
manufacturer. But a lot of consumer/SOHO gear uses a radio from one source
and an Ethernet ASIC from another, and retains the MAC addresses supplied by
those manufacturers.
So the MAC address of the radio side (ESSID,...
RE: Tool to find rouge wireless access points?
Dan Lynch (May 16)
I read the opposite, like so: I have a network with no wireless access, and multiple physical locations. How do I
detect if a user somewhere has connected a wireless access point to a network jack? I could visit each location and use
a wifi detector, but then how would I know if an AP I detected is connected to my network, and not the doctor's office
next door? Is there a way to scan the *wired* network for connected APs?
The netdisco...
Re: website monitoring
Don Thomas (May 16)
http://www.site24x7.com/
Regards,
Don Thomas
RE: Tool to find rouge wireless access points?
Erik Muttersbach (May 16)
Some time ago I have read about the idea to use clock skew in wireless
networks to characterize (or: fingerprint, if you want) the access points in
your network.
More information here:
http://ansr.cs.utah.edu/home/sites/default/files/files/papers/www.cs.utah.ed
u/~kasera/myPapers/fast%20and%20accurate%20detection%20clock%20skew.pdf
and here: http://www.cs.dartmouth.edu/~cja/papers/toorcon11_ver6a.pdf
This looked quite interesting, but I...
RE: Tool to find rouge wireless access points?
Vincent Yeo (May 16)
Hi Jon,
If you are detecting any AP that is going to connect to your network, have you implemented port security on your network?
Or go by mac address filtering? Mac address should be able to determine which brand of network is connected to it.
Correct me if I'm wrong. I'm still learning. :)
Thanks,
Vincent Yeo
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Brandon Edmunds...
Re: website monitoring --Clarification
Gareth Fletcher (May 15)
Hi GMF
Yeah we use AlertSite which alerts us and it also sends alerts to
another external company (here in New Zealand), who then keep calling
our on call engineers until someone answers (in case our internal
monitoring is also down for some reason).
Handy when something hits the fan... Or there's a meteoroid...
Re: Tool to find rouge wireless access points?
Brandon Edmunds (May 15)
repost for group:
Nessus will do this. There is a plugin just for this.
More rudimentary, is that you can use a wireless scanner to capture
traffic. Use strings and a perl script to pull hostnames from the
traffic and then compare those hostnames to your inventory (I told you
it was rudimentary, but this will tell you either you have your
clients connecting to a rogue ap that they set up, or they are
connecting to one circumventing your...
Re: website monitoring --Clarification
flanny16 (May 15)
More details that I should have provided in the first post.
Externally on the internet we require a website monitor service to notify us if any of our websites, whether http or
https or SMTP goes offline. an example of this is if one of our datacenters were to go down,then which of our services
is not available. can this service offer a notification page stating that there is an issue with the website and we are
working on it?
thx to all who...
RE: Tool to find rouge wireless access points?
Mike Saldivar (May 15)
Jon,
Just to clarify, you keep talking about APs of a different color:
http://dictionary.reference.com/browse/rouge?s=t
http://dictionary.reference.com/browse/rogue?s=t
The Net Disco tool isn't too difficult to set up if you know your way around Linux
http://www.netdisco.org/
It'll SNMP walk your entire network and tell you what's connected, and where. If the rogue AP has SNMP enabled, it'll
find it and tell you the...
RE: Tool to find rouge wireless access points?
Estell Kauffman (May 15)
Jon,
If you are running lightweight APs off a controller most of the controller software I've seen includes rogue AP
detection. The APs themselves act as detectors reporting the beacons and related information back to the controller.
The controller itself is generally able to see the wired side of the network and can then identify the rogue. Some
controllers also include the ability to shut down rogue APs.
The only other tool I've...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
Securing Citrix
Adrián Puente Z. (May 16)
Hi everyone!
I am looking for a good reference to secure a Citrix server to avoid a user to gain access to the operating system. So
far I have some ideas like restricting the execution of the cmd.exe and (maybe) explorer.exe from with a group policy
in the domain.
If you know about any document I can look at or have any experience about this that want to share I will be very
thankful. Thanks in advance.
Regards,
---
Adrián Puente Z....
Re: Question of Likelihood
Pete Herzog (May 16)
Hi,
Have you looked into the OSSTMM ravs- attack surface classification
and metrics? It would help you categorize the order in the way you
want here- by what they do and not some guessed weighting or priority
system. Basically it would let you prioritize by 5 vulnerability
classifications and that way if something provides access in any way
it's classified as a higher priority than something that just gives an
exposure.
Sincerely,...
sslcaudit 1.0 released
Alexandre Bezroutchko (May 15)
Hello,
I would like to announce the release of sslcaudit 1.0.
The goal of sslcaudit project is to develop a utility to automate
testing SSL/TLS clients for
resistance against MITM attacks. It is useful for testing thick clients,
mobile applications,
appliances, pretty much anything communicating over SSL/TLS over TCP.
PDF user-guide is available here:
http://www.gremwell.com/sslcaudit_files/doc/sslcaudit-user-guide-1.0.pdf
Download and...
Re: Question of Likelihood
Justin Rogosky (May 14)
Hi,
Carnal 0wnage is doing a blog series about this very subject.
http://carnal0wnage.attackresearch.com/2012/04/from-low-to-pwned-0-intro.html
My opinion is that if you are doing a report, it would be of more
value to list the vulnerabilities separately with the reformatted tool
output (or other methodology you are applying to list them as "low").
But add a separate section that shows how the various "enabling"...
Question of Likelihood
Pen Testar (May 14)
I'm testing an app with sensitive information that is full of holes. Reflected and persisted XSS, CSRF, various
injection attacks… you name it.
You also have a bunch of vulns that aren’t typically of high likelihood, but in the presence of the other vulns above
(I’ll call them the “enabling” vulns), some of these lows are easier to exploit. When you rank, do you rank each vuln
independently or in context of others?
I can see...
t2'12: Call for Papers 2012 (Helsinki / Finland)
Tomi Tuominen (May 12)
# t2'12 - Call For Papers #
Helsinki, Finland
October 25 - 26, 2012
We are pleased to announce the annual t2'12 infosec conference, which
will take place in Helsinki, Finland, from October 25 to 26, 2012.
We are looking for original, preferably technical presentations in the
fields of information security. Presentations should last a minimum of
60 minutes and a maximum of two...
A survey on web application attacks
Hannes Holm (May 11)
Hi pen-test subscribers,
I am researching the domain consensus regarding the effectiveness of different web application firewalls (WAF)s and
would be glad if you could spare a few minutes of your time to answer a survey on the topic.
By completing this survey you will:
* Help build valuable domain consensus on the topic of WAF effectiveness.
* Be able to compare your answers to the answers of others.
* Have the chance to win a 100...
Announce: Italian Hacker Game Cracca al Tesoro - Crack A Treasure
Aspy (May 04)
It is the 6th edition of the game.
It's very much like a treasure hunt but more... high tech!
The team need to find five hidden access points within a city, crack
them, then find the servers behind them, hack them to find clues to
the next target ...
Next date: Genoa, Italy, May 12
Joining is free.
Web Site
http://www.wardriving.it
nullcon Delhi 2012 Call for Paper/Call for Event
nullcon (May 01)
Hi All,
For the very first time nullcon now comes to Delhi - to showcase cutting
edge security technologies and discuss new attack vectors and security
threats among the Corporate world and the Government sector. The event
brings together thought leaders, Corporates, Government and security
professionals all under one roof.
Prototype:
-------------
We are introducing a new sub-event - Prototype at nullcon Delhi 2012. The
event provides...
xSQL Scanner 1.6 - Released
Rodrigo Matuck (May 01)
Hi
Everyone
New version of xSQL Scanner is available with following features:
- PostgreSQL support added;
- SQL PortScan updated;
- Exceptions fixed;
- Progressbar bug fixed;
- MSSQL 7 DoS module added.
- MSSQL Empty password exploit module added.
- Session support added
- Visual modified
- Minor Bugs fixed
- Auto-detect feature fixed
Also I uploaded the xTSCrack with bugs fixed.
http://www.4shared.com/zip/4YrGt7hG/xsqlscanner-16.html...
[Tool update] VoIP Hopper 2.04 released
Jason Ostrom (Apr 29)
VoIP Hopper 2.04 security tool is released:
http://voiphopper.sourceforge.net
New Avaya, Alcatel-Lucent, and LLDP-MED spoofing support. Thanks to Nicolas Roux of France for his Alcatel source
contribution and debugging help. The Alcatel support has only been partially tested on a production network - I'm
requesting the help from anyone who has access to Alcatel-Lucent to test the three new modes of VoIP Hopper, and please
let me know....
Anti-fingerprinting techniques
cr0hn (Apr 25)
Hello everybody!
I just released the slides of a course about anti-fingerprinting
techniques. The course talks about:
– A brief introduction of FreeBSD.
– How fingerprinting works.
– How to defeat the fingerprinting test.
– Practical examples for evading the test for some services:
+ Web server.
+ FTP server.
+ SSH server.
– A long section dedicated for WordPress.
+ Fingerprinting methods.
+ Tools to test it.
+ Protection techniques.
I...
[HITB-Announce] HITB Magazine Issue 008 (now with print edition!)
Hafez Kamal (Apr 23)
The 8th issue of the HITB Quarterly Magazine is now available for download!
http://magazine.hitb.org/
This edition is a little bit 'lighter' than previous issues as the
editorial team is busy working on an extra special release for our 10th
year anniversary conference in October, HITBSecConf2012 - Malaysia.
http://conference.hitb.org/hitbsecconf2012kul/
For the first time ever though, we're making print editions of the
magazine...
[New tool] - Exploit Pack - Web Security
noreply () exploitpack com (Apr 23)
Exploit Pack - Web Security Edition
This tool allows you to take control of remote browsers, steal social
network credentials, obtain persistence on it, DDoS and more.
Demo: http://www.youtube.com/watch?v=B_AYyRFNokI
Main features:
- Hacking of Gmail, Yahoo, Facebook, Live, Linkedin
- Session persistence
- 0day exploits included
- Remote browser control
- DDoS by creating botnets
- Launch remote exploits
- Steal credentials
Questions? support...
Ruxcon 2012 Call For Papers
cfp (Apr 19)
Ruxcon 2012 Call For Papers
The Ruxcon team is pleased to announce the call for papers for the 2012 annual Ruxcon conference.
This year the conference will take place over the weekend of 20th and 21st of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of July.
* What is Ruxcon?
Ruxcon is the premier technical computer security conference in Australia. The conference aims to bring...
Info Security News — Carries news items (generally from mainstream sources) that relate to security.
Chicago Police Department computers hacked?
InfoSec News (May 17)
http://secondcitycop.blogspot.com/2012/05/hacked.html
By SCC (retired)
Second City Cop
May 17, 2012
We've been informed about "virus warning" type windows popping up on the
Department computers lately. We're told it occurs dozens of times during
the processing of a simple arrest.
Guess what happened? And guess who predicted it?
NATO protestors have infiltrated the CPD computers with a worm
that is wreaking...
'Dead Man Walking' Tricks Airport Into Giving Him Top Security Job
InfoSec News (May 17)
http://www.wired.com/threatlevel/2012/05/airport-security-id-theft/
By Kim Zetter
Threat Level
Wired.com
May 16, 2012
The TSA may have its eagle sights set on your underwear and water
bottle, but it failed to miss the real security threat under its nose,
it was revealed Monday, after a supervisor holding a top security job in
a New Jersey airport was arrested for using the stolen identity of a
dead man.
Bimbo Olumuyiwa Oyewole, known to...
Delete Data To Delete Risk
InfoSec News (May 17)
http://www.darkreading.com/database-security/167901020/security/news/240000521/delete-data-to-delete-risk.html
By Ericka Chickowski
Contributing Writer
Dark Reading
May 16, 2012
Earlier this month, a Missouri state senator led a filibuster to block
the vote on the creation of a new prescription-tracking database within
the state -- on the grounds that should a breach occur to expose this
database, it would expose embarrassing information...
Hong Kong CERT wants bigger team to tackle cyber threats
InfoSec News (May 17)
http://www.theregister.co.uk/2012/05/17/hkcert_funding_call_china/
By Phil Muncaster
The Register
17th May 2012
Hong Kong’s Computer Emergency Response Team (HKCERT) has called for
more resources to help it step up attempts to proactively monitor and
deal with attacks on organisations in the special administrative region
(SAR) of China.
Speaking to The Register, centre manager Roy Ko argued that the nature
of the threats facing...
After 7 Years, No End in Sight to Phone Hacking Scandal
InfoSec News (May 17)
https://www.nytimes.com/2012/05/17/world/europe/no-end-in-sight-to-inquiry-into-murdochs-media-empire.html
By RAVI SOMAIYA
The New York Times
May 16, 2012
LONDON -- The phone hacking scandal that shook Rupert Murdoch’s global
media empire and hit the heart of the British government began quietly
on a Monday in 2005, when aides to the British royal family gathered in
a palace office appointed with priceless antiques to air suspicions that...
Senior Homeland Security staffers have no law enforcement experience
InfoSec News (May 16)
http://www.dailycaller.com/2012/05/14/senior-homeland-security-staffers-have-no-law-enforcement-experience/
By Matthew Boyle
The Daily Caller
05/14/2012
President Barack Obama’s Homeland Security secretary, Janet Napolitano,
has presided over the hiring of at least four senior staffers and
advisers who have no law enforcement experience but align politically
with the president.
[...]
Vladimir Skoric serves as a “special assistant” to...
Insiders: U.S. Should Take Tougher Tack With China Over Cyberattacks
InfoSec News (May 16)
http://www.nationaljournal.com/nationalsecurity/insiders-u-s-should-take-tougher-tack-with-china-over-cyberattacks-20120514
By Sara Sorcher
NationalJournal.com
May 14, 2012
After China’s visiting defense minister denied American accusations that
his country is behind a growing wave of cyberattacks aimed at the United
States, 79 percent of National Journal’s National Security Insiders said
Washington should take a tougher public stance...
Utah guv fires tech director over health data breach, creates security czar
InfoSec News (May 16)
http://www.sltrib.com/sltrib/news/54116598-78/health-data-information-state.html.csp
By Heather May
The Salt Lake Tribune
May 15 2012
Gov. Gary Herbert apologized to the 780,000 victims of the health data
security breach on Tuesday.
To restore the public’s trust, he announced Tuesday that he fired
Department of Technology Services director Stephen Fletcher and hired an
ombudsman to shepherd victims through the process of protecting their...
Northwestern Memorial employee charged with theft of patients' identities
InfoSec News (May 16)
http://www.chicagotribune.com/news/local/breaking/chi-northwestern-memorial-employee-charged-with-theft-of-patients-identities-20120514,0,2986747.story
By Naomi Nix
Chicago Tribune reporter
May 15, 2012
A Northwestern Memorial Hospital employee has been charged with identity
theft after she allegedly used the personal information of hospital
patients to pay her bills.
Shatina Golden, 35, of Matteson is charged with aggravated identity
theft...
Stuxnet ≠ cyberwar, says US Army Cyber Command officer
InfoSec News (May 16)
http://www.theregister.co.uk/2012/05/16/stuxnet_was_not_cyberwar/
By Team Register
16th May 2012
While “cyber* operations” are becoming an increasing focus of both
government and private research, legal frameworks are failing to keep
pace, the US Army Cyber Command operational attorney Robert Clark has
told the AusCERT security conference in Queensland.
As noted earlier by F-Secure’s Mikko Hypponen in his keynote address to
the...
Pentagon opens classified cyber program to all defense contractors, ISPs
InfoSec News (May 14)
http://www.nextgov.com/defense/2012/05/pentagon-opens-classified-cyber-program-all-defense-contractors-isps/55707/
By Aliya Sternstein
Nextgov
May 11, 2012
The Obama administration is expanding to all military contractors a computer
security program that shares classified threat information, Defense Department
officials announced Friday. After a year of trials with select vendors, the
Defense Industrial Base, or DIB, cybersecurity pilot...
UNC Charlotte: 350,000 SSNs exposed in decade-long breach
InfoSec News (May 14)
https://www.computerworld.com/s/article/9227078/UNC_Charlotte_350_000_SSNs_exposed_in_decade_long_breach
By Jeremy Kirk
IDG News Service
May 10, 2012
Two issues exposed financial data and Social Security numbers for
350,000 people, although it is thought the information has not been
abused, the University of North Carolina at Charlotte said.
The university said in a statement earlier this week that it has fixed
both problems, one of which...
Amnesty UK website hacked to serve lethal Gh0st RAT Trojan
InfoSec News (May 14)
http://news.techworld.com/security/3357186/amnesty-uk-website-hacked-serve-lethal-gh0st-rat-trojan/
By John E Dunn
Techworld
11 May 2012
Amnesty International’s UK website was hacked to host the dangerous
Gh0st RAT Trojan for two days this week, security firm Websense has
revealed.
Attacking browsers unpatched against the common CVE-2012-0507 Java
vulnerability (also used by the Mac Flashback Trojan), between 8 and 9
May visitors would...
Cyber sleuths hit babu firewall
InfoSec News (May 14)
http://articles.timesofindia.indiatimes.com/2012-05-13/security/31689201_1_cyber-attacks-government-networks-mails
By Josy Joseph
TNN
May 13, 2012
NEW DELHI: Can government officials claim right to privacy if their
emails have been hacked and security agencies ask for full access to the
contents of the accounts?
Efforts of Indian intelligence agencies to counter waves of cyber
attacks on government networks have run into an iron wall....
World War Two Navajo Code Talker dies in Arizona
InfoSec News (May 14)
http://www.trust.org/alertnet/news/world-war-two-navajo-code-talker-dies-in-arizona
By Tim Gaynor
Reuters
12 May 2012
PHOENIX, May 11 (Reuters) - A prominent veteran of the U.S. Marine
Corps' Navajo Code Talkers, who confounded enemy combatants in World War
Two by using the Navajo language as a battlefield cipher in the South
Pacific, has died at age 89, officials said on Friday.
Samuel Tso served in the Marines in the Pacific and was...
Firewall Wizards — Tips and tricks for firewall administrators
c0c0n 2012 - Call For Papers and Call For Workshops
Yashartha Chaturvedi (Mar 28)
###################################################
c0c0n 2012 - Call For Papers and Call For Workshops
###################################################
August 2-4, 2012 - Cochin,...
IDS Focus — Technical discussion about Intrusion Detection Systems. You can also read the archives of a previous IDS list
CFP: Deadline Extended: SLAML'10
Mohror, Kathryn (Jun 18)
Workshop on Managing Systems via Log Analysis and Machine
Learning Techniques (SLAML '10)
=============================================
October 2-3, 2010
Vancouver, BC, Canada
(at OSDI)
http://www.usenix.org/events/slaml10/cfp/
=============================================
********...
Announcement: xtractr updates
pcapr (Jun 08)
Just a quick note to let you know that the lite version of xtractr can
now index up to 10 million packets or 1GByte of pcaps. This makes it
easy to grab large packet traces from a production network and perform
troubleshooting and forensics with just a few clicks. We have also
updated the live demo of xtractr to use the pcap from the Honeynet
Challenge #4 (VoIP). Can you answer the forensics questions?
http://www.pcapr.net/xtractr
If you are...
Performance measurement tool for IDS/IPS
wittybugz (Jun 01)
Hi All,
Is any tool available in market (free or paid) for measuring performance of Host based IDS/IPS devices?
I want to measure performance for protocols like HTTP,FTP,SMB/RPC,DNS etc.
Thanks,
Prateek
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
t2'12: Call for Papers 2012 (Helsinki / Finland)
Tomi Tuominen (May 14)
# t2'12 - Call For Papers #
Helsinki, Finland
October 25 - 26, 2012
We are pleased to announce the annual t2'12 infosec conference, which
will take place in Helsinki, Finland, from October 25 to 26, 2012.
We are looking for original, preferably technical presentations in the
fields of information security. Presentations should last a minimum of
60 minutes and a maximum of two...
A survey on web application attacks
Hannes Holm (May 14)
Hi webappsec subscribers,
I am researching the domain consensus regarding the effectiveness of different web application firewalls (WAF)s and
would be glad if you could spare a few minutes of your time to answer a survey on the topic.
By completing this survey you will:
* Help build valuable domain consensus on the topic of WAF effectiveness.
* Be able to compare your answers to the answers of others.
* Have the chance to win a 100 USD...
Abusing Password Managers with XSS
mastah yeti (Apr 25)
New post on abusing password managers through xss.
http://labs.neohapsis.com/2012/04/25/abusing-password-managers-with-xss/
[HITB-Announce] HITB Magazine Issue 008 (now with print edition!)
Hafez Kamal (Apr 23)
The 8th issue of the HITB Quarterly Magazine is now available for download!
http://magazine.hitb.org/
This edition is a little bit 'lighter' than previous issues as the
editorial team is busy working on an extra special release for our 10th
year anniversary conference in October, HITBSecConf2012 - Malaysia.
http://conference.hitb.org/hitbsecconf2012kul/
For the first time ever though, we're making print editions of the
magazine...
Ruxcon 2012 Call For Papers
cfp (Apr 20)
Ruxcon 2012 Call For Papers
The Ruxcon team is pleased to announce the call for papers for the 2012 annual Ruxcon conference.
This year the conference will take place over the weekend of 20th and 21st of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of July.
* What is Ruxcon?
Ruxcon is the premier technical computer security conference in Australia. The conference aims to bring...
Passwords^12 : Call for Presentations
Per Thorsheim (Apr 18)
For the third time I am happy to announce a Call for Presentations for
Passwords^12.
Passwords^12 will be held at the University of Oslo (Norway) on December
3-4, 2012. The 2-day conference will be free and open for anyone to
attend. Please do note that our primary audience will be academics and
security professionals with deep technical knowledge. This is a
conference with international speakers and participants, presenting
fresh ideas and...
winAUTOPWN v3.0 Released
QUAKER DOOMER (Apr 18)
Dear all,
This is to announce release of winAUTOPWN version 3.0
The improved GUI extension - WINAUTOPWN ACTIVE SYSTEMS TRANSGRESSOR GUI [ C4 - WAST ] is a
Systems and Network Exploitation Framework built on the famous winAUTOPWN as a backend.
C4 - WAST gives users the freedom to select individual exploits and use them.
A complete list of all Exploits in winAUTOPWN is available inside MISC\CHANGELOG.TXT
A complete list of User Interface...
SEC Consult whitepaper :: The Source Is A Lie
SEC Consult Vulnerability Lab (Apr 18)
SEC Consult Vulnerability Lab released a new whitepaper titled:
"The Source Is A Lie"
Abstract:
---------
Backdoors have always been a concern of the security community. In
recent years the idea of not trusting the developer has gained momentum
and manifested itself in various forms of source code review. For Java,
being one of the most popular programming languages, numerous tools and
papers have been written to help during reviews....
OWASP ZAP 1.4.0 released
psiinon (Apr 08)
Hi folks,
I'm very pleased to announce that version 1.4.0 of the OWASP Zed
Attack Proxy (ZAP) has now been released.
This release adds the following main features:
* Syntax highlighting
* fuzzdb integration
* Parameter analysis
* Enhanced XSS scanner
* A port of some of the Watcher checks
* Plugable extensions
And a load of bugfixes!
For more information and to download this release please visit the ZAP
homepage:...
Re: Time based Blind SQL injection
martin . mngoma (Mar 30)
Hi guys
Just off the topic, can any of you help me.
I need a vulnerability scanner that can scan WCF web services (silver light technologies) as acunetix does not support
wcf yet.
All help will be appreciated
Thanks
Martin
Sent from my BlackBerry® wireless device
-----Original Message-----
From: Yiannis Koukouras <ikoukouras () gmail com>
Sender: listbounce () securityfocus com
Date: Thu, 29 Mar 2012 21:04:00
To: Danux<danuxx ()...
Re: Time based Blind SQL injection
Yiannis Koukouras (Mar 29)
So, the only difference, from other tools out there, is the support of TAB(%09)?
Am I missing something?
Thanks for sharing! :)
Cheers,
Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM, OSCP
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras
---
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website...
Re: Time based Blind SQL injection
Yiannis Koukouras (Mar 29)
Cool, I just wanted to be sure I didn't miss anything else...
Again thanx for sharing! :)
Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM, OSCP
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras
winAUTOPWN v2.9 - As [ C4 - WAST ]
QUAKER DOOMER (Mar 21)
Dear all,
It has been more than 3 YEARS since the first version of winAUTOPWN.
This is to announce release of winAUTOPWN version 2.9
This version introduces an improved GUI extension - WINAUTOPWN ACTIVE SYSTEMS
TRANSGRESSOR GUI [ C4 - WAST ]
C4 - WAST gives the user the freedom to select individual exploits and use them.
Note that the legacy winAUTOPWN feature to fire all exploits available for open ports
discovered is still present and has...
Re: FBController - (Facebook Control Utility) version 4.0 { With 0-DAY Features }
Alex (Mar 15)
You probably should purchase an ad if you're going to try to sell
something. Just some friendly guidance. Good luck!
Alex Fernandez-Gatti
"Laws control the lesser man. Right conduct controls the greater
one." - Chinese Proverb
FBController - (Facebook Control Utility) version 4.0 { With 0-DAY Features }
QUAKER DOOMER (Mar 15)
FBConTroller v4.0 - (Facebook Control Utility) version 4.0 - With 0-DAY Features
After an exile of almost 2 years and 3 months, FBController is back !
FBController - The Ultimate Utility to Control Facebook accounts without the Password is
now version 4.0
Let me clear this again like every time that this utility WON'T hack/crack Facebook
accounts. The utility will need biscuits/cookies instead of the password. If you have your...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Ten years.
Dave Aitel (May 17)
Immunity is ten years old now - and like any ten year old, it is
interested mostly in shiny things that bleep and bloop. :>
But also like any ten year old we are growing and always hungry, and so
if you're interested in working in the new DC office or Miami Beach HQ,
please let me know. We only have one perk and that is this: We'll keep
you entirely focused on breaking into things in one way or another.
-dave
New INFILTRATE 2012 Movie is up! With surprise introduction by Halvar!
Dave Aitel (May 14)
OH: "So....static analysis! Let's talk about it!" (Long pause follows.)
That's pretty much straight out of most parties I go to! Luckily, there
are a few people who can go into static analysis to great levels of
depth, and some of them give talks at INFILTRATE. :>
http://www.immunityinc.com/infiltratemovies/movies/JulienVanegue.mp4
-dave
Re: Mobile Phone Security Survey
Hamid (May 14)
There were some issues regarding some optional questions that have been
marked as mandatory mistakenly. Thanks to quick feedback they are
fixed now.
Hamid
Mobile Phone Security Survey
Hamid (May 11)
Hello DD!
Few weeks ago I had a writeup about (in)security trends in mobile phones
and now I've reached to a point that I need results of a survey to
validate and confirm some facts that are going to be covered in paper.
I would appreciate your help by participating in this survey, or be even
more awesome and spread it among your friends that are not security geeks!
Survey link:
http://goo.gl/pQO02
Thank you!
Hamid
With a real team, it's not about the numbers
Dave Aitel (May 01)
I find articles like the recent one in Forbes
<http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/>
quite funny in a way - and likewise talks about "rootite" and bug mining and so forth. Part of this is because
philosophically I know that teams who focus on the money tend to lose. Obviously you need a lot of money to get things
done in...
72 hours
Shari Bermudez (Apr 26)
Just a reminder that there are only 72 business hours remaining before
registration closes for the WebHacking and Master training classes.
Sign up today. Call 786-220-0600 or email training () immunityinc com
The 20% discount offer for re-tweeting still stands.
http://immunityinc.com/education-currentschedule.shtml
Spooked at RSA 2012
Dave Aitel (Apr 26)
So we put my RSA 2012 talk up, along with the comments from the viewers that RSA collected.
I 100% agree with every comment in the feedback form, which include such bon mots such as "You reek of pride". Frankly,
I am quite proud of what the offensive community has been able to do over the last ten years. And I was a bit hurried
during the actual talk (the one below is from my 6am-dry-run-in-hotel-room since they didn't record...
What's happening at SyScan'12 Singapore
Thomas Lim (Apr 25)
Dear Dailydave readers
Do you know what's going to happen at SyScan'12 Singapore next week?
BEER, BEER, BEER, BEER, BEER, BEER, BEER, BEER....
13 AWESOME SPEAKERS:
a. Stefan Esser (i0n1c)
b. Chris Valasek (nudeaberdasher)
c. Tarjei Mandt (kernelpool)
d. Alex Ionescu
e. Edgar Barbosa (0pC0de)
f. Jon Oberheide
g. Brett Moore (antic0de)
h. James Burton (Jayji)
i. Seung Jin Lee (Beist)
j. Ryan MacArthur (Backpacker)
k. Loukas (snare)
l....
Save yourself 20% by tweeting
Shari Bermudez (Apr 23)
Want to come to our June Master or WebHacking class but do not want to
pay full price? You can save yourself 20% in ~5 minutes by following
these simple steps:
(1) If you are not already doing so, follow us on Twitter @immunityinc
and/or @infiltratecon.
(2) ReTweet this tweet from today: "RT and receive 20% off June
training classes when you sign up before 4/27! ow.ly/asvSG e-mail
admin () immunityinc for info!"
(3) Email training...
TIME IS RUNNING OUT
Shari Bermudez (Apr 20)
Time is running out to sign up for our June WebHacking and Master
Training Classes. If you are thinking about reserving your seat but
have not done so, the time to sign up is now.
June 4-6, 2012 - WebHacking Class:
Immunity's WebHacking course focuses on understanding common web
hacking techniques by having students exploit vulnerable systems.
Security professionals with some hands on web hacking experience will
get the most out of...
RIT!
Dave Aitel (Apr 18)
Chris and Miguel are heading up to RIT today and will be around tomorrow
recruiting for Immunity. If you're at or near RIT and you want to hear
about the fun stuff they're working (which you can help work on!) then
send admin () immunityinc com a quick email
and they'll vector you in! I hear there will be real wings served the
way only upstate NY knows how. I miss those wings, I have to say....
Re: CISPA == MAPP
Richard Bejtlich (Apr 18)
Hi Allison,
I have a different view -- I'll try not to step on too many toes. :)
The problem is people are approaching this as a technical problem.
It's a trust problem.
The incentive is to not share. There is no incentive for a company to
tell anyone that they've been breached.
The bill in question doesn't say the government is entitled to your
information. They're trying to improve the incentives for companies
to...
Hack Cup 2012
Nicolas Waisman (Apr 18)
Immunity is excited to announce our third annual Hack Cup this year in
Las Vegas! As always, it will be held on the first day of DefCon (July,
27th).
Anyone interested in playing indoor soccer is welcome to join! The
dynamic will be the same as previous years:
o The tournament will go from 9:00-13:00.
o We will have 12 teams of five players each, playing 15-minute matches
in four different groups. We recommend that you have at least 2-5...
DC Saturday night drinks!
Dave Aitel (Apr 17)
So Justine and I will be bar hopping somewhere near Dupont Circle
Saturday night (possibly for only one hop :>). If you want to hang out
and discuss the intricate details of Buffy the Vampire Slayer, then
catch me on Twitter (@daveaitel) and I'll vector you in.
*Oz*: We should figure out what kinda deal this is. I mean, is it
a-a gathering, a shindig or a hootenanny?
*Cordelia*: What's the difference?
*Oz*: Well, a...
Re: CISPA == MAPP
allison nixon (Apr 17)
Every truly meaningful resource of shared knowledge we use- public
blacklists, CVE, open source tools- none of them came about due to a law
mandating them.
Swift coordination between companies to respond to new threats is a
technical problem and not a legal problem. The incentive to share is there,
and sharing systems are getting better over time without government "help".
I welcome any information sharing from the government but I...
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
Re: [GPWN-list] Breaking In, the data and my interpretation
John Hoyt (May 17)
Thank Robin for putting this together, and writing up the results. I'm
going to keep this bookmarked as the go to reference when I get asked about
how to get into infosec.
-John
Re: Breaking In, the data and my interpretation
Robin Wood (May 17)
Here is part two of my conclusions, enjoy:
http://www.digininja.org/projects/breaking_in_part_2.php
Robin
Video tutorial: Stack-Based Buffer Overflow
No Reply (May 15)
I've made a video tutorial about buffer overflows; take a look and share it
if you like it!
Video tutorial: http://www.youtube.com/watch?v=yPKCSXK8ZYo
Enjoy!
Re: VMware Player and promiscuous mode?
Pat Moloney (May 15)
Esx has a flag in the configuration also to deny promisc. Check the
txt configuration for in the vm.
Note: promisc will not work on a wireless interface on a windows host.
I tried that and remember it failing.
Re: VMware Player and promiscuous mode?
Steve Passino (May 14)
Not sure if this applies to vmplayer - but check your network settings
to make sure the VM is granted access to run the network card in promisc
mode.
With virtualbox, I know there is a setting to allow/disallow the virtual
network interface the ability to go into promisc - making a bit of a
guess here that vmplayer has the same set of controls......
Re: VMware Player and promiscuous mode?
Todd Haverkos (May 14)
Timothy Ouellette <touellette83 () gmail com> writes:
Hi Timothy,
I'm not sure if what you're attempting is possible (and I'd argue
that's a feature as, when using virtual machines defensively, or for
malware analysis, I surely wouldn't want a compromised guest OS having
access to host machine network traffic). On the other hand, I'm not
sure what that noPromisc setting really intends to do.
When I want...
Re: WiFi Pineapple Mark IV
Sherwyn (May 11)
For that price point it's not bad. I had one years ago when it was just the
La Fonera with Jasager; might be time to get the new hardware.
As for Mubix, I believe he still does a few segments on Hak5 here and there.
Re: WiFi Pineapple Mark IV
Hevnsnt (May 11)
I have a couple of them (from Darren) and so far the hardware is pretty sweet. The software is in active dev and their
forums are pretty active. I think there is a good chance that this project will end well.
-bill (@hevnsnt)
WiFi Pineapple Mark IV
xgermx (May 11)
http://hakshop.myshopify.com/products/markiv-first-dibs
Has anyone gotten their hands on one of these?
I remember Darren from the early days of Hak5; it's good to see that
he's doing well.
Mubix, are you still in contact with Darren?
Re: Security of CORS, Would you trust it?
subzer0girl (May 10)
Thank you !
Breakpoint 2012 Call For Papers
cfp (May 10)
Breakpoint 2012
Intercontinental Rialto
Melbourne, Australia
October 17th-18th...
Re: Security of CORS, Would you trust it?
Pat (May 09)
Hi Sub,
I have yet to see it in use by a developer. It has to be a
very specific scenario to actually use it. Most developers are still facing
the older browser issues and any project I have been involved in has always
been trying to degrade functionality gracefully for older browsers.
So from a protocol standpoint it looks very well thought out around
permissions and sending cookies and credentials. Unfortunately without
seeing some real...
Security of CORS, Would you trust it?
subzer0girl (May 09)
Anyone have an opinion on the Security of CORS? Would you trust it as
your only security mechanism?
Sub
"Quest One Identity Manager" based on MS .Net on Linux?
Alex Kornilov (May 08)
Hi
Does anybody run "Quest One Identity Manager" on Linux (production
environment)? We have huge troubles getting it running :(
Product is based on Microsoft .Net framework :(
Alex
Re: Auto Searching Nessus Plugins
Ben Jackson (May 03)
You can use Perl :) -- Script attached
bbj () roscoe:~$ perl nessussearch.pl 55532
Microsoft System Center Configuration Manager Client Installed
bbj () roscoe:~$
I would recommend Paul's approach and have something cached locally
though, no sense in hammering Nessus' servers.
Shouts to byte_bucket for posting his simple command line solution in
the IRC channel to start me down this path.
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
[HITB-Announce] HITB Magazine Issue 008 (now with print edition!)
Hafez Kamal (Apr 23)
The 8th issue of the HITB Quarterly Magazine is now available for download!
http://magazine.hitb.org/
This edition is a little bit 'lighter' than previous issues as the
editorial team is busy working on an extra special release for our 10th
year anniversary conference in October, HITBSecConf2012 - Malaysia.
http://conference.hitb.org/hitbsecconf2012kul/
For the first time ever though, we're making print editions of the
magazine...
[HITB-Announce] HITB2012AMS SIGINT - Call for Submissions
Hafez Kamal (Mar 08)
This is a call for submissions for the HITB SIGINT sessions at
HITB2012AMS - The third annual HITB conference in Amsterdam taking place
at the Okura from the 21st - 25th of May.
The HITB SIGINT (Signal Intelligence/Interrupt) sessions are designed to
provide a quick 15 - 30 minute overview for material and research that's
up and coming - stuff that isn't quite ready for the mainstream tracks
of the conference but deserve a mention...
2012 Honeynet Project Security Workshop
Guillaume Arcas (Feb 02)
Hi.
The Honeynet Project holds its second Public Event on March 19 - 20,
2012 at Facebook HQ, SF Bay Area, Ca (USA).
The public event consists of one day of technical presentations and one day of
hands-on tutorial trainings.
All details available here:
https://honeynet.org/SecurityWorkshops/2012_SF_Bay_Area
Regards,
Guillaume Arcas
-------------------------
PR - The Honeynet Project
[HONEYPOTS] Cyber Warfare / Network Defense Simulation
Teóphilo Athos Brauns (Jan 24)
Hi,
I would like to ask if you guys have any suggestions (including
articles, references, books, sites, ideas, anything) on how to build a
"Poor man's Cyber Warfare / Network Defense Simulation" for:
1 - study
2 - forensic analysis
3 - vulnerabilities replication
4 - worm/virus spreading
5 - DLP (data leak/loss prevention) study
For my first attempts I used a dual-quad xeon server with 32GB ram and
managed to create a whole...
Cyber Warfare / Network Defense Simulation
Teóphilo Athos Brauns (Jan 24)
Hi,
I would like to ask if you guys have any suggestions (including
articles, references, books, sites, ideas, anything) on how to build a
"Poor man's Cyber Warfare / Network Defense Simulation" for:
1 - study
2 - forensic analysis
3 - vulnerabilities replication
4 - worm/virus spreading
5 - DLP (data leak/loss prevention) study
6 - ???
For my first attempts I used a dual-quad xeon server with 32GB ram and
managed to create a...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Bulletin Minor Revisions
Microsoft (May 16)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: May 16, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS12-034 - Critical
Bulletin Information:
=====================
* MS12-034 - Critical
-...
Microsoft Security Bulletin Re-Releases
Microsoft (May 11)
********************************************************************
Title: Microsoft Security Bulletin Re-Releases
Issued: May 11, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.
* MS12-035 - Critical
* MS12-MAY
Bulletin Information:
=====================
* MS12-035 - Critical...
Microsoft Security Bulletin Minor Revisions
Microsoft (May 11)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: May 11, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS11-100 - Critical
Bulletin Information:
=====================
* MS11-100 - Critical
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (May 09)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: May 09, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS12-029 - Critical
* MS12-030 - Important
* MS12-032 - Important
* MS12-MAY
Bulletin...
Microsoft Security Bulletin Summary for May 2012
Microsoft (May 08)
********************************************************************
Microsoft Security Bulletin Summary for May 2012
Issued: May 8, 2012
********************************************************************
This bulletin summary lists security bulletins released for
May 2012.
The full version of the Microsoft Security Bulletin Summary for
May 2012 can be found at
http://technet.microsoft.com/security/bulletin/ms12-may.
With the release of the...
Microsoft Security Bulletin Advance Notification for May 2012
Microsoft (May 03)
********************************************************************
Microsoft Security Bulletin Advance Notification for May 2012
Issued: May 3, 2012
********************************************************************
This is an advance notification of security bulletins that
Microsoft is intending to release on May 8, 2012.
The full version of the Microsoft Security Bulletin Advance
Notification for May 2012 can be found at...
Microsoft Security Bulletin Re-Releases
Microsoft (Apr 26)
********************************************************************
Title: Microsoft Security Bulletin Re-Releases
Issued: April 26, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.
* MS12-027 - Critical
* MS12-APR
Bulletin Information:
=====================
* MS12-027 -...
Microsoft Security Bulletin Minor Revisions
Microsoft (Apr 25)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: April 25, 2012
********************************************************************
Summary
=======
The following bulletin has undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS12-028 - Important
Bulletin Information:
=====================
* MS12-028 - Important
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Apr 18)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: April 18, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS12-017 - Important
* MS12-026 - Important
Bulletin Information:
=====================
*...
Microsoft Security Bulletin Minor Revisions
Microsoft (Apr 13)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: March 13, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS11-030 - Critical
* MS11-025 - Important
* MS11-067 - Important
Bulletin Information:...
Microsoft Security Bulletin Advance Notification for April 2012
Microsoft (Apr 05)
********************************************************************
Microsoft Security Bulletin Advance Notification for April 2012
Issued: April 5, 2012
********************************************************************
This is an advance notification of security bulletins that
Microsoft is intending to release on April 10, 2012.
The full version of the Microsoft Security Bulletin Advance
Notification for April 2012 can be found at...
Microsoft Security Bulletin Minor Revisions
Microsoft (Mar 14)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: March 14, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS12-022 - Important
Bulletin Information:
=====================
* MS12-022 - Important
-...
Microsoft Security Bulletin Summary for March 2012
Microsoft (Mar 13)
********************************************************************
Microsoft Security Bulletin Summary for March 2012
Issued: March 13, 2012
********************************************************************
This bulletin summary lists security bulletins released for
March 2012.
The full version of the Microsoft Security Bulletin Summary for
March 2012 can be found at
http://technet.microsoft.com/security/bulletin/ms12-mar.
With the...
Microsoft Security Bulletin Re-Releases
Microsoft (Mar 13)
********************************************************************
Title: Microsoft Security Bulletin Re-Releases
Issued: March 13, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.
* MS10-058 - Important
Bulletin Information:
=====================
* MS10-058 - Important
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Mar 13)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: March 13, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS11-030 - Critical
* MS11-025 - Important
* MS11-067 - Important
Bulletin Information:...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
(Redundant) Backup is good
Rob, grandpa of Ryan, Trevor, Devon & Hannah (May 15)
An example:
http://www.youtube.com/watch?v=EL_g0tyaIeE
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
The client interface is the boundary of trustworthiness.
- Tony Buckland, UBC
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links...
Nigerian funds transfer safe
Rob, grandpa of Ryan, Trevor, Devon & Hannah (May 15)
I've always been a bit worried that those offers I've gotten from Nigerian
individuals and banks might be "too good to be true." So it's really nice that the
FBI has taken time from its busy schedule to assure me, even before I asked, that
the sca... I mean, deal, is safe.
(Now all I have to worry about is that the FBI is seeking to wiretap the whole
Internet. Must be an expensive proposition. Maybe they are...
Error in Finnish e-prescription software randomly added characters when Return was used
Juha-Matti Laurio (May 13)
Finnish Medical Journal (in Finnish):
http://www.laakarilehti.fi/uutinen.html?opcode=show/news_id=12029/type=1
Google translation:
http://translate.google.com/translate?hl=en?sl=fi&tl=en&u=http%3A//www.laakarilehti.fi/uutinen.html%3Fopcode%3Dshow/news_id%3D12029/type%3D1
It is reported that using Return key in Effica e-prescription software randomly caused the program to add or destroy
characters typed by the doctor.
According to the...
Re: .secure TLD
valdis . kletnieks (May 12)
On Fri, 11 May 2012 21:23:01 -0400, Ben April said:
Read between the lines. The guy scored $9M in startup funding, and
only has to pay ICANN $185K for the .secure TLD. And then he gets to
collect *more* money from anybody silly enough to buy into the TLD.
Step 3: Profit!
PCI DSS and BEAST
Drsolly (May 12)
I just spent two effortful days getting my Secure Server to pass the PCI
DSS. The big problem is the BEAST vulnerability. And it's a corker. What
you have to do to get your certification, is disable most of the strong
crypto that you accept, and only accept some of the weaker ones (a bit of
research on the web will give you that info).
Having done that, and gotten my certification renewed, my QA told me that
some of the big banks...
Re: .secure TLD
Bruce Ediger (May 12)
What happened to "The map is not the territory"?
After that, I want to know what happened to "The tap is not
meritorious".
Re: .secure TLD
Nick FitzGerald (May 11)
Ben April wrote:
Well, the whole idea is somewhere between hilarious and blatantly
ignorant on its face, so that's funny (as in "funny sad" -- these folk
do seem to think they're doing something useful that will make a
difference) right off the bat...
If they really want to "assure security" they won't let any of their
registered domains install any currently-popular web-apps, PHP or,
realistically, even...
.secure TLD
Ben April (May 11)
http://www.darkreading.com/authentication/167901072/security/security-management/240000187/new-i-secure-i-internet-domain-on-tap.html
If they really wanted to be secure they would require the
implementation of RFC 3514
Terrorist toddlers (Toddler terrorists?)
Robert Slade (May 11)
http://www.vancouversun.com/travel/toddler+JetBlue+employees+pull+month+from+flight+over+list/6606185/story.html
Re: As you were ...
Paul Ferguson (May 10)
I knew it! :-)
- ferg
- Sent from my Android device.
As you were ...
Rob, grandpa of Ryan, Trevor, Devon & Hannah (May 10)
Apparently the Mayans were as bad as anyone else changing their minds on the
date of the end of the world ...
http://www.sciencedaily.com/releases/2012/05/120510141905.htm
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
The evening news is where they begin with 'Good evening,' and
then proceed to tell you why it isn't....
7 Ways Oracle Puts Database Customers At Risk
Juha-Matti Laurio (May 10)
A very good coverage:
http://www.darkreading.com/database-security/167901020/security/news/232901381/7-ways-oracle-puts-database-customers-at-risk.html
Juha-Matti
Re: Seriously?
Nick FitzGerald (May 05)
Mike B wrote:
But of course -- everyone knows that Android is based on Linux and
_everyone_ knows Linux, _like all other Unix-y OSes, BSDs and thus
Apple-OSes_, are inherently virus-immune.
Fred Cohen sure made those early PC users look stupid...
http://all.net/books/Dissertation.pdf
Oh, wait, I was misremembering that, wasn't I???
...
Android, like Apple-OSes, shows the fallacy of all that historic BS.
Make a "Unix...
Re: Seriously?
Nick FitzGerald (May 05)
Dan Kaminsky wrote:
The numbing incoherence in the use of language?
Absolutely!
Let's allow a bunch of semi-quasi-literate, recent, CompSci or SW Eng
graduates write the technical bits of a press release about some
"exciting" new [or not] malware development _then_ have the marketing
wonks "tidy it up" for release.
What could _possibly_ go wrong with that?
Regards,
Nick FitzGerald
Re: Seriously?
michael.blanchard (May 05)
I was actually referring to the type of article that claims "XYZ is a new threat".... I remember recently along with
this "drive by is new" that there was a "memory viruses are the new threat"....
There are too many "security professionals" that get their recent news from C-net or information week :-(
Mike B
From: Blanchard, Michael (InfoSec)
Sent: Saturday, May 05, 2012 11:55 PM
To: 'dan ()...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
Current Activity - Apple Releases QuickTime 7.7.2
Current Activity (May 16)
US-CERT Current Activity
Apple Releases QuickTime 7.7.2
Original release date: Wednesday, May 16, 2012 at 10:23 am
Last revised: Wednesday, May 16, 2012 at 10:23 am
Apple has released QuickTime 7.7.2 to address multiple vulnerabilities.
These vulnerabilities may allow an attacker to execute arbitrary code or
cause a denial-of-service condition.
US-CERT encourages users and administrators to review Apple Support
Article HT5261 and apply any...
Current Activity - Google Releases Google Chrome 19
Current Activity (May 15)
US-CERT Current Activity
Google Releases Google Chrome 19
Original release date: Tuesday, May 15, 2012 at 2:13 pm
Last revised: Tuesday, May 15, 2012 at 2:13 pm
Google has released Google Chrome 19 for Linux, Mac, Windows, and Chrome
Frame to address multiple vulnerabilities. These vulnerabilities may
allow an attacker to execute arbitrary code or cause a denial-of-service
condition.
US-CERT encourages users and administrators to review the...
Current Activity - Apple Releases Multiple Security Updates
Current Activity (May 10)
US-CERT Current Activity
Apple Releases Multiple Security Updates
Original release date: Thursday, May 10, 2012 at 2:30 pm
Last revised: Thursday, May 10, 2012 at 2:30 pm
Apple has released security updates for Apple OS X and Safari to address
multiple vulnerabilities for the following products:
* Safari 5.1.7 for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion
Server v10.7.4, OS X Lion v10.7.4, Windows 7, Vista, XP SP2 or later
* OS X...
Alert TA12-129A -- Microsoft Updates for Multiple Vulnerabilities
US-CERT Alerts (May 08)
National Cyber Alert System
Technical Cyber Security Alert TA12-129A
Microsoft Updates for Multiple Vulnerabilities
Original release date: May 08, 2012
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft .NET Framework
* Microsoft Office
* Microsoft Silverlight
Overview
Select Microsoft software products contain multiple
vulnerabilities....
Current Activity - Microsoft Releases May Security Bulletin
Current Activity (May 08)
US-CERT Current Activity
Microsoft Releases May Security Bulletin
Original release date: Tuesday, May 8, 2012 at 03:38 pm
Last revised: Tuesday, May 8, 2012 at 03:38 pm
Microsoft has released updates to address vulnerabilities in Microsoft
Windows, Office, .NET Framework, and Silverlight as part of the
Microsoft Security Bulletin Summary for May 2012. These vulnerabilities
may allow an attacker to execute arbitrary code or operate with...
Current Activity - Adobe Releases Security Advisory for Adobe Flash Player
Current Activity (May 04)
US-CERT Current Activity
Adobe Releases Security Advisory for Adobe Flash Player
Original release date: Friday, May 4, 2012 at 11:06 am
Last revised: Friday, May 4, 2012 at 11:06 am
Adobe has released a Security Advisory for Adobe Flash Player to address
a vulnerability affecting the following software versions:
* Adobe Flash Player 11.2.202.233 and earlier versions for Windows,
Macintosh, and Linux operating systems
* Adobe Flash Player...
Current Activity - Microsoft Releases Advance Notification for May Security Bulletin
Current Activity (May 03)
US-CERT Current Activity
Microsoft Releases Advance Notification for May Security Bulletin
Original release date: Thursday, May 3, 2012 at 03:49 pm
Last revised: Thursday, May 3, 2012 at 03:49 pm
Microsoft has issued a Security Bulletin Advance Notification indicating
that its May release will contain seven bulletins. These bulletins will
have the severity ratings of critical and important and will be for
Microsoft Windows, Office, .NET...
Current Activity - Google Releases Chrome 18.0.1025.168
Current Activity (May 01)
US-CERT Current Activity
Google Releases Chrome 18.0.1025.168
Original release date: Tuesday, May 1, 2012 at 09:58 am
Last revised: Tuesday, May 1, 2012 at 09:58 am
Google has released Chrome 18.0.1025.168 for Linux, Macintosh, Windows,
and Google Chrome Frame to address multiple vulnerabilities. These
vulnerabilities may allow an attacker to execute arbitrary code or cause
a denial-of-service condition.
US-CERT encourages users and...
Current Activity - RuggedCom Rugged Operating System Vulnerability
Current Activity (Apr 24)
US-CERT Current Activity
RuggedCom Rugged Operating System Vulnerability
Original release date: Tuesday, April 24, 2012 at 4:14 pm
Last revised: Tuesday, April 24, 2012 at 4:14 pm
RuggedCom Rugged Operating System (ROS), used in RuggedCom network
infrastructure devices, contains a hard-coded user account with a
predictable password.
This user account cannot be manually disabled. An attacker who
successfully guesses the password may be able to...
Current Activity - DNSChanger Malware
Current Activity (Apr 24)
US-CERT Current Activity
DNSChanger Malware
Original release date: Tuesday, April 24, 2012 at 2:20 pm
Last revised: Tuesday, April 24, 2012 at 2:20 pm
US-CERT encourages users and administrators to ensure their systems are
not infected with the DNSChanger malware by utilizing tools and
resources available at the DNS Changer Working Group (DCWG) website.
Computers testing positive for infection of DNSChanger malware will need
to be cleaned of...
Current Activity - Oracle Releases Critical Patch Update for April 2012
Current Activity (Apr 18)
US-CERT Current Activity
Oracle Releases Critical Patch Update for April 2012
Original release date: Wednesday, April 18, 2012 at 9:55 am
Last revised: Wednesday, April 18, 2012 at 9:55 am
Oracle has released its Critical Patch Update for April 2012 to address
88 vulnerabilities across multiple products. This update contains the
following security fixes:
* 6 for Oracle Database Server
* 11 for Oracle Fusion Middleware
* 6 for Oracle...
Current Activity - Apple Releases Flashback Malware Security Updates
Current Activity (Apr 16)
US-CERT Current Activity
Apple Releases Flashback Malware Security Updates
Original release date: Monday, April 16, 2012 at 3:11 pm
Last revised: Monday, April 16, 2012 at 3:11 pm
Apple has released security updates to address Flashback malware in the
following products:
* OS X Lion v10.7.3
* OS X Lion Server v10.7.3
* Mac OS X v10.6.8
* Mac OS X Server v10.6.8
Apple has released a malware removal tool for the most common variant of
the...
Current Activity - HP ProCurve 5400 zl Switches Security Bulletin
Current Activity (Apr 12)
US-CERT Current Activity
HP ProCurve 5400 zl Switches Security Bulletin
Original release date: Thursday, April 12, 2012 at 2:51 pm
Last revised: Thursday, April 12, 2012 at 2:51 pm
Hewlett-Packard (HP) has released a security bulletin to address a
security vulnerability affecting HP 5400 zl series switches purchased
after April 30, 2011. These switches contain a compact flash card that
may be infected with malware.
US-CERT encourages users...
Current Activity - Samba Releases Updates for 3.0.x - 3.6.3
Current Activity (Apr 11)
US-CERT Current Activity
Samba Releases Updates for 3.0.x - 3.6.3
Original release date: Wednesday, April 11, 2012 at 11:00 am
Last revised: Wednesday, April 11, 2012 at 11:00 am
Samba has released an update to address a vulnerability in Samba
versions 3.6.3 and all previous versions. Exploitation of this
vulnerability may allow a remote attacker to use anonymous connections
to execute arbitrary code with root privileges.
US-CERT encourages...
Alert TA12-101B -- Adobe Reader and Acrobat Security Updates and Architectural Improvements
US-CERT Alerts (Apr 11)
National Cyber Awareness System
Technical Cyber Security Alert TA12-101B
Adobe Reader and Acrobat Security Updates and Architectural Improvements
Original release date: April 10, 2012
Last revised: --
Source: US-CERT
Systems Affected
* Adobe Reader X (10.1.2) and earlier 10.x versions for Windows and Macintosh
* Adobe Reader 9.5 and earlier 9.x versions for Windows, Macintosh, and UNIX
* Adobe...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
CVE Request: Planeshift buffer overflow
Andres Gomez (May 17)
Name: Stack-based buffer overflow in Planeshift 0.5.9 and earlier
Software: Planeshift 0.5.9
Software link: http://www.planeshift.it/
Vulnerability Type: Buffer overflow
Vulnerability Details:
There is a buffer overflow in planeshift/src/client/chatbubbles.cpp line
223:
.
.
.
// align
csString align = chatNode->GetAttributeValue("align");
align.Downcase();
if (align ==...
Format string security flaw in pidgin-otr
Ian Goldberg (May 16)
Off-the-Record Messaging (OTR) Security Advisory 2012-01
Format string security flaw in pidgin-otr
Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format
string security flaw. This flaw could potentially be exploited by
a remote attacker to cause arbitrary code to be executed on the user's
machine.
The flaw is in pidgin-otr, not in libotr. Other applications which use
libotr are not affected.
CVE-2012-2369 has been...
Re: CVE-request: WordPress wp-facethumb plugin reflected XSS vulnerability
Kurt Seifried (May 15)
Plugin URL: http://wordpress.org/extend/plugins/wp-facethumb/ (will show
up very soon. WP admins disabled this until fix is done)
Please use CVE-2012-2371 for this issue.
CVE-request: WordPress wp-facethumb plugin reflected XSS vulnerability
Henri Salo (May 15)
Hello,
WordPress plugin wp-facethumb version 0.1 is affected by a reflected XSS vulnerability. This issue is fixed in version
0.2. Could I get a 2012 CVE identifier for this issue, thanks.
Changelog: http://plugins.svn.wordpress.org/wp-facethumb/trunk/readme.txt
Original advisory: http://cxsecurity.com/issue/WLB-2012050106
My report to developer: http://wordpress.org/support/topic/plugin-wp-facethumb-reflected-xss-vulnerability-cwe-79
Plugin URL:...
Re: CVE request: sympa (try again)
Kurt Seifried (May 15)
Please include links with more direct information (e.g. sympa
changelog/code commits).
Re: CVE request: sympa (try again)
micah anderson (May 15)
This is the CVE-2012-2352 that you assigned. Upstream Sympa has now
created a page for security issues; this one is detailed on there:
https://www.sympa.org/security_advisories#security_advisories
These issues were fixed a very long time ago, there was a security
advisory in 2010, here is the French CERT advisory for them:
http://www.certa.ssi.gouv.fr/site/CERTA-2010-AVI-505/
It appears that besides this most recent CVE, the only CVEs...
Re: CVE Request: gdk-pixbuf Integer overflow in XBM file loader
Kurt Seifried (May 15)
Classic, -1, and this is why we should never trust user input =).
Please use CVE-2012-2370 for this issue.
CVE Request: gdk-pixbuf Integer overflow in XBM file loader
Sean Amoss (May 15)
Hello,
I have not seen a CVE assigned for this issue yet:
"It's possible to crash any application with memory allocation error, or
potentially corrupt heap because width/height parameters isn't properly
verified."
References:
https://bugs.gentoo.org/show_bug.cgi?id=412033
https://bugs.launchpad.net/ubuntu/+source/gdk-pixbuf/+bug/681150
Upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=672811
Upstream commit:...
Re: Automatic binary hardening with Autoconf
Sebastian Krahmer (May 15)
You never know. I'd even say that the cat gets the most untrusted input
ever. Everything and the world has been piped
through cat since epoch. And similar surprises will happen to all the
non threatening programs that are not seen as risk like file, ls, ps etc.
until one realizes that some procmail/cups or whatever filter is using it.
And then, Murphy is entering the dance floor.
Sebastian
Re: Automatic binary hardening with Autoconf
Marcus Meissner (May 15)
...
The stack random number is coming via AT_RANDOM ELF aux vector, but
yes, the %gs:xxx -> stack write based setup is of course swallowing time.
Yes, some stuff can get the -fstack-protector-all treatment for this to facilitate
all function, but of course most of your notes still apply.
It is a heuristic, and getting it more complete might be easy, or might get
difficult.
SUSE has changed binutils on our request to default to "-z...
Re: Automatic binary hardening with Autoconf
Steve Grubb (May 15)
Should be "without". Big difference in meaning. :-)
Re: Automatic binary hardening with Autoconf
Steve Grubb (May 15)
I think there are conflicting goals in projects like this. There are times when
someone may want to go all out and harden everything as much as possible. But
there is a cost to that...either startup or runtime. Not all programs have the
same threat model and consequence if attacked successfully. Apps that are at
greatest risk are: set[ug]id/fs based capabilities, network facing apps,
daemons, or parsers of untrusted media. It would be hard...
Re: Using FreeBSD Capsicum for program and library sandboxing
Ben Laurie (May 15)
Thanks.
If you want to see the libtiff work, it's here:
https://github.com/benlaurie/libtiff
So far, I've wrapped enough (transparently!) to make a couple of
trivial applications work. These are slightly cut-down versions of a
couple of apps provided with libtiff. They're cut down because they
add custom tags, which means registering callbacks, and I haven't
designed how to wrap that yet :-)
Before I do, I want to move onto...
Using FreeBSD Capsicum for program and library sandboxing
Solar Designer (May 14)
Hi,
A couple of days ago, Ben Laurie posted to the Secure Coding list about
using FreeBSD's experimental Capsicum support in the kernel to sandbox
bzip2 and libtiff ("wrapping it such that the calling application is
unaware it is wrapped") - as two initial examples, I presume. I found
this very interesting.
Ben's blog post on bzip2, showing 13 steps (separate git commits, kind
of a tutorial) that were needed to sandbox...
Automatic binary hardening with Autoconf
Solar Designer (May 14)
Hi,
I'd like this sort of topics to be brought up in here, so I'll start by
referring to some blog posts.
Here's an interesting one by Keegan McAllister:
http://mainisusuallyafunction.blogspot.com/2012/05/automatic-binary-hardening-with.html
This suggests (and shows how) individual programs that use autoconf may
automatically enable the usual set of compile-time hardening settings
that are otherwise normally provided by builds...
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
MetriSec 2012 submission date is May 30th
James Walden (May 14)
MetriSec 2012
8th International Workshop on
SECURITY MEASUREMENTS AND METRICS
Affiliated with the International Symposium on
Empirical Software Engineering and Measurement (ESEM)
September 21, 2012
Lund, Sweden
WORKSHOP OVERVIEW
Quantitative assessment is a major stumbling block for software and
system security. Although some security metrics exist, they are rarely
adequate. The engineering importance of metrics is intuitive: you
cannot...
Re: Re (badware vs. "goodware"): SearchSecurity: Badware versus malware
Goertzel, Karen [USA] (May 14)
Agent software is all well and good.
But if you secretly implant the agents, and design them to be undetectable, and do not inform the intended user of the
system that they are there, they are spyware - and at best, unethical. And, by my definition at least, unethical = bad.
===
Karen Mercedes Goertzel, CISSP
Lead Associate
Booz Allen Hamilton
703.698.7454
goertzel_karen () bah com
"I love deadlines. I like the whooshing sound they...
Containing bad code
Ben Laurie (May 13)
Given the recent discussion, I thought the list might be interested in:
http://www.links.org/?p=1242. I'm currently working on transparently
wrapping libtiff (that is, wrapping it such that the calling application is
unaware it is wrapped).
Using Capsicum For Sandboxing <http://www.links.org/?p=1242>
FreeBSD 9.0 <http://www.freebsd.org/releases/9.0R/announce.html>, released
in January 2012, has experimental
Capsicum<...
Re: SearchSecurity: Badware versus malware
Tom Brennan (May 13)
OWASP has started month awareness problem/solution see updated:
http://www.owasp.com
Point you ask...... As a united community we raise visibility for the problem that results in an ecosystem - let's make
noise about it together, monthly and globally from the builder / breaker & defender perspectives
Re: SearchSecurity: Badware versus malware
Ben Laurie (May 12)
Well, it certainly does _suggest_ it: "All of the things that we do to
improve software security are aimed explicitly at the badware
problem."
It doesn't say it, though, I agree.
Re: SearchSecurity: Badware versus malware
Gary McGraw (May 12)
The article does not suggest otherwise.
gem
Re: SearchSecurity: Badware versus malware
Ben Laurie (May 11)
Fixing badware universally would plug one hole - and it's certainly a
hole worth plugging. But it won't eliminate malware - it seems it is
not hard to persuade users to install it for you, for example.
MoST 2012 (SPW) registration
Larry Koved (May 11)
On behalf of the workshop co-chairs and program chair, we would like to
invite you to participate in the Mobile Security Technologies (MoST)
Workshop.
The workshop will be held at The Westin St. Francis Hotel, San
Francisco.
Workshop registration site:
http://www.regonline.com/Register/Checkin.aspx?EventID=1072068
MoST is part of the Security and Privacy Workshops (SPW)
event (http://www.ieee-security.org/TC/SPW2012/),
co-located with...
Re: SearchSecurity: Badware versus malware
Goertzel, Karen [USA] (May 11)
In other words, flaws and defects caused through developer error, ignorance, negligence etc. can be exploited to cause
harm. So even if one could prevent actual intentional malicious inclusions in software, one hasn't eliminated the
problem of exploitable flawed logic.
The megachallenge, of course, is looking for what one doesn't actually know is there. Which is why software security
testing is so hard.
===
Karen Mercedes Goertzel,...
Re: SearchSecurity: Badware versus malware
Peter G. Neumann (May 10)
The differences are marginal.
My book has a pervasive theme:
Many things that could happen accidentally could be triggered
intentionally.
Many things that happen intentionally could be triggered accidentally.
Trying to reduce one without the other may be foolhardy in most realistic
threat models.
Breakpoint 2012 Call For Papers
cfp (May 10)
Breakpoint 2012
Intercontinental Rialto
Melbourne, Australia
October 17th-18th
...
SearchSecurity: Badware versus malware
Gary McGraw (May 08)
hi sc-l,
What’s worse, bad software or malicious software? In fact, what’s the difference?
My second column for SearchSecurity is all about that. Read it today. And pass it on.
http://searchsecurity.techtarget.com/opinion/Gary-McGraw-Eliminating-badware-addresses-malware-problem
Bottom line: Talking about malware may be more fun and entertaining than talking about endless security bugs, but if
we’re going to combat malware we have to...
c0c0n 2012 CFP - Extended Deadline: May 15, 2012
c0c0n International Information Security Conference (May 08)
c0c0n 2012 CFP - Extended Deadline: May 15, 2012
Thanks to everyone for all the paper submissions. The CFP Review Committee
will be evaluating the same for selection. Based on the requests received,
we are extending the CFP deadline to May 15, 2012 in the hope of receiving
few more paper submissions.
####################################################
c0c0n 2012 - Call For Papers and Call For Workshops...
Silver Bullet 73: Robert Vamosi
Gary McGraw (May 04)
hi sc-l,
This morning we released episode 73 of Silver Bullet. The new show is an interview with Robert Vamosi. Robert is a
well-known security reporter, having worked for a bunch of esteemed publications including Forbes, c!net, and
threatpost. Robert also wrote a book called "When Gadgets Betray Us" which many of you will find interesting. Have a
listen:
http://www.cigital.com/silver-bullet/show-073/
As always, thanks to...
nullcon Delhi 2012 Call for Paper/Call for Event
nullcon (May 04)
Hi All,
For the very first time nullcon now comes to Delhi - to showcase cutting
edge security technologies and discuss new attack vectors and security
threats among the Corporate world and the Government sector. The event
brings together thought leaders, Corporates, Government and security
professionals all under one roof.
Prototype:
-------------
We are introducing a new sub-event - Prototype at nullcon Delhi 2012. The
event provides...
Educause Security Discussion — Securing networks and computers in an academic environment.
Re: Hard Disk Degaussers
SCHALIP, MICHAEL (May 15)
We use "The Terminator"......sounds silly, but - we also wind up selling the ground up bits for $.50 - $.60/lb......who
would have thought that shredded hard drives are worth more ground up than in one piece....?? And - they are disposed
of through a certified recycler......very "green".....
Thanks,
Michael
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of...
Hard Disk Degaussers
Kern, Paul (May 15)
We are looking for a good hard disk degausser, and possibly a shredder as well. Does anyone have any suggestions? I
am looking at the Garner TS-1 Degausser, and it looks interesting.
Paul Kern
Associate Security Officer
South Dakota Board of Regents (RIS)
605.367.7594
Paul.Kern () sdbor edu
IT Security Administrator Position at SUNY Oneonta
Bidwell, Lesley (May 15)
IT SECURITY ADMINISTRATOR
(SENIOR PROGRAMMER / ANALYST)
The Division of Finance and Administration at SUNY Oneonta invites applications for the position of Information
Technology (IT) Security Administrator. Expectations include administration of a comprehensive IT Security Program,
overseeing compliance with security standards and regulations, and working with the College community to assure the
confidentiality, integrity and availability...
Managing 3rd party supplier risk, infosecurity vendor assessments, etc
John Hoben (May 11)
How are you handling information security risk management with your
respective third party vendors?
We've worked with banking, finance, securities, insurance (BFSI), health
care and other for profit sectors on developing solutions / providing
onsite information security assessments and wondered where this risk
management need is in the educational area priority list and how it is
being handled.
Please let me know if there is interest...
Security Analyst - Medical University of South Carolina (Charleston, SC)
Richard H Gadsden (May 11)
The Medical University of South Carolina is hiring a Security Analyst to
join our team in the Information Security Office.
About MUSC:
Founded in 1824, and located in the historic seaport city of Charleston,
MUSC is the state's only free standing academic health sciences center,
providing a full range of professional education, clinical services and
biomedical research.
Job Summary:
The Security Analyst II reports to the Senior...
Re: IPv6 and DHCP
Kern, Paul (May 10)
I agree with John. I think SLAAC is most appropriate in very small, private (meaning personal) networks such as home
networks. For larger networks, especially those that must be closely monitored and managed (think log checking,
firewall rules, etc.), I think DHCPv6 is the future. This is especially if you have a network that requires Option
82-type capabilities. I don't think SLAAC offers any mechanism for tracking or controlling IP...
Re: IPv6 and DHCP
John Ladwig (May 10)
I think even within the IETF there's no longer a strong assumption that IPv6 will be "self-managing" in all, or even
most, networks.
Since we're in a security forum, I think it's pretty easy for us to realize that "self-managing networks" would need an
awful lot of bolt-around management/monitoring tricks to keep up with the normal sorts of incident response that we
deal with daily in IPv4 networks.
My...
IPv6 and DHCP
Martin Manjak (May 10)
If you're running IPv6, and you've tested, or deployed, DHCP tools, we
are interested in what you may have discovered.
Our staff were using the following as a starting place for looking into
this issue: https://en.wikipedia.org/wiki/IP_address_management
Granted, we could have a debate about whether it makes sense to manage
an addressing protocol designed to be self-administering. But I think we
have to first determine whether or not...
Re: Acquiring/Capturing Memory
Louis APONTE (May 10)
Lance
I do not have much occasion to capture memory outside of a wayward process misbehaving or failing. The activity monitor
feature where you can pick the process and then sample a particular PID in memory really works well. It is limited to
a few hundred samples with a millisecond between samples for about 3 seconds. I do not think this is what you are
looking for, but it may help someone else supporting Macs. I think it was available...
Acquiring/Capturing Memory
Lance Pritchard (May 10)
Can anyone recommend a utility/tool to acquire memory from Mac OS for
forensic analysis. Free is preferred, but welcome all input.
Thanks
Lance
lance.pritchard () utsa edu
210-458-7218
Re: E-mail Archiving Policy & Software (E-mail Management Platform i.e. Netmail.com, etc.)
Drew Perry (May 10)
At Murray State University, we use MailArchiva for email archive. Our email
policy is very simple and is available at
https://sites.google.com/a/murraystate.edu/information-security/policy/email
It is of note that we currently do not actively monitor email content,
however we often retroactively review messages in case of a spam or
phishing compromise. We also utilize the system for litigation holds.
Drew Perry
Security Analyst
Murray State...
E-mail Archiving Policy & Software (E-mail Management Platform i.e. Netmail.com, etc.)
Carlos Lobato (May 10)
All,
If you have an e-mail archiving policy and use an "E-mail Management Platform/software" to monitor i.e. ensure
compliance, would you share a copy of your policy and let us know the name of the tool your University uses.
Thanks,
Carlos S. Lobato, CISA, CIA
IT Compliance Officer
New Mexico State University
Information and Communication Technologies
MSC 3AT PO Box 30001
Las Cruces, NM 88003-8001
Phone: 575-646-5902
Fax:...
Information Security Officer - Boston, MA
Sabourin, Justin (May 10)
Wentworth is accepting applications for an Information Security Officer position.
Full details are available at http://jobs.wit.edu/hr using the generic username and password below. Yes, I appreciate
the irony.
Job Title
Information Security Officer
Requisition Number
0573
Job Description
To view full position description please click here<http://jobs.wit.edu/hr> and login.
Username: positionview
Password: wentworth
The ISO is...
Webcast May 21 regarding the next discounted pricing window for SANS training
Beth Young (May 09)
SANS, REN-ISAC, and CACR training partnership program
Substantially discounted pricing is available for exceptional SANS
training programs:
- Securing The Human security awareness training
- OnDemand technical training, and
- Voucher Credits for live training
... during the purchasing window of June 1 - July 31
This opportunity is made possible through a partnership of REN-ISAC, the
Indiana University Center for Applied Cybersecurity...
Re: Guest Wireless Restrictions
Childs, Aaron (May 08)
Good Afternoon Mark,
At Westfield we've had Guest access on our wireless for a while. They get a splash screen with a copy of our
acceptable use policy which they must click accept at the bottom. We restrict it to web browsing (http & https) and
the establishment of VPN connections. All other traffic is blocked.
Have a good day,
Aaron
Aaron Childs, CCNA
Associate Director, Networking
Information Technology
www.westfield.ma.edu/it...
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: Cogent for ISP bandwidth
Darius Jahandarie (May 17)
So the moral of the story is to make sure you always make your Cogent
calls from your home phone? :-)
Re: Cogent for ISP bandwidth
Robert Bonomi (May 17)
Marshall Eubanks <marshall.eubanks () gmail com> wrote:
a) The "previously established business relationship" exemption expires 6
months after the 'business relationship' ends. (This is in the 'fine
print' of the actual rules.) As the relationship in question ended
several years ago, according to the prior poster, this exemption would
not apply.
b) Nothing in the Do-not-call rules applies to...
Re: Cogent for ISP bandwidth
Darius Jahandarie (May 17)
"Because of limitations in the jurisdiction of the FTC and FCC, calls
from or on behalf of political organizations, charities, and telephone
surveyors would still be permitted, as would calls from companies with
which you have an existing business relationship, or those to whom
you’ve provided express agreement in writing to receive their calls.
However, if you ask a company with which you have an existing business
relationship to place...
Re: Cogent for ISP bandwidth
Marshall Eubanks (May 17)
Also, (from http://www.fcc.gov/encyclopedia/do-not-call-list )
The Do-Not-Call registry does not prevent all unwanted calls. It does
not cover the following:
calls from organizations with which you have established a
business relationship;
And, in this case, there is a previously established business relationship.
Regards
Marshall
Re: [routing-wg] RPKI performance metrics; your help requested
Christopher Morrow (May 16)
there was no [1]...
startssl.com - free certs. (that work)
Re: Cogent for ISP bandwidth
PC (May 16)
While there may be other grounds for telling them not to call you, the
do not call list is not one of them as it does not apply to business
to business solicitations.
"The national Do-Not-Call list protects home voice or personal
wireless phone numbers only. While you may be able to register a
business number, your registration will not make telephone
solicitations to that number unlawful."...
Re: [routing-wg] RPKI performance metrics; your help requested
Randy Bush (May 16)
no. that is the exact point. the graph to which i pointed is on rob's
site. these are data each relying party can collect and see for
themselves and their point of view in the universe, not some central
authority. ripe/ncc thinks it is the center of the universe. we do
not. we know it is in freemont [0], a neighborhood of seattle.
so that url is very intentionally rob's relying party instance. i have
one at...
Re: [routing-wg] RPKI performance metrics; your help requested
Christopher Morrow (May 16)
the text talks about rpki.net
the link is for 'not rpki.net'
how does this work? <insert clownposse here>
rpki.net redirects to https://trac.rpki.net and poops out an ssl error :(
security is 'hard'...
Could someone make:
1) rpki.net function as http redirecting to https with the right
cert (or put a SAN in the current cert?)
2) put the graphs at 'not rpki.net' on rpki.net (too)
3) indicate whether or...
Re: Cogent for ISP bandwidth
Darius Jahandarie (May 16)
You know, if you're in the U.S., on the No Call list, and you tell
them specifically not to call you again, they're doing something
illegal and can be fined up to $16,000 dollars for it. Though I hear
that the FTC doesn't actually enforce it too well. May want to try
waving the stick at them at least.
RE: Cogent for ISP bandwidth
Paul Stewart (May 16)
I liked Cogent when we had them years ago but due to routing instability
(off the charts) and unplanned down time every single month we dropped
them..... they call me every 3-6 months (different person each time) and I
tell them to go away....
Paul
-----Original Message-----
From: Tim Vollebregt [mailto:tim () interworx nl]
Sent: Tuesday, May 15, 2012 2:33 PM
To: nanog list
Subject: Re: Cogent for ISP bandwidth
+1 for Cogent in the mix :)...
Re: [routing-wg] RPKI performance metrics; your help requested
Randy Bush (May 16)
oh, and the docco for install and config of the relying party software
is at
https://trac.rpki.net/wiki/doc/RPKI/RP
randy
Re: [routing-wg] RPKI performance metrics; your help requested
Randy Bush (May 16)
good stuff. though you know how much i like centralization :)
of course you have seen the centralized rpki.net measurements presented
by rob at iepg
http://iepg.org/2012-03-ietf83/a-few-months-in-the-life-of-an-rpki-validator.pdf
and the measurements of an experiment using bit torrent instead of rsync
http://iepg.org/2012-03-ietf83/rpki-bittorrent-experiment.pdf
and sidr/paris. oops, good luck finding it, and he was cut short anyway
due...
Re: pbx recco
Randy Bush (May 16)
been running it since pre 1. have large complex configs with confs,
follow-me (my original need), extensions and sip/iax peering with
strange things all over the developing world.
i still think config sucks. and changing syntax regularly may look like
improvement to those with the copious spare time to track it. but for
someone trying to run a stable install yet get the security patch of the
week, it sucks bigtime.
randy
Re: Cogent for ISP bandwidth
Jeroen van Aart (May 16)
Ameen Pishdadi wrote:
That's a really flawed comparison, as often is the case when using car
analogies (amongst others).
A kia is much safer to drive, more economical and it is much more
reliable than a ferrari. The ferrari may get you there quicker, if you
didn't kill yourself along the way, or you got pulled over or if the car
didn't break down (or all of the above).
So for a better price you have more reliability, more...
Re: ASN source when using "-A with traceroute"
Alain Hebert (May 16)
( I couldn't resist )
http://traceroute.sourceforge.net/
#define DEF_RADB_SERVER "whois.radb.net"
#define DEF_RADB_SERVICE "whois"
const char *get_as_path (const char *query) {
server = getenv ("RA_SERVER");
if (!server) server = DEF_RADB_SERVER;
service = getenv ("RA_SERVICE");
if (!service) service = DEF_RADB_SERVICE;
n = snprintf (buf,...
Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating
miami fishing
Felix (Nov 19)
Your email client cannot read this email.
To view it online, please go here:
http://profystudio.info/ems/display.php?M=4856987&C=b2586d1d652441f590773aba59abe520&S=12&L=6&N=9
DISCOUNT 45 %
45 USD per hour
E-mail: fishingmiami () yahoo com
Fishing lessons by professional instructor for kids and family.
Our Fishing show will contain from fresh fish (Mahi Mahi, Sailfish,
Blacktip Sharks, Barracudas, Kingfish, Snapper) cleaning,...
Microsoft( Exchange , Dynamics etc), Retail, HR, Healthcare, Technology, Industry, ERP, CRM, VAR customer lists
mike gordon (Nov 03)
Hi,
This email is to introduce Repharm Technologies and lists we provide. We have a comprehensive business database of B2B
records & B2C records. Our lists can be used Email Campaigns, Telemarketing, Fax Marketing and Direct Mailing. The list
would be for your perpetual use with no restriction on the number of usage.
Below are some of our lists that may interest you, let me know if you require any other lists by providing the
industry,...
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 26.84
RISKS List Owner (May 16)
RISKS-LIST: Risks-Forum Digest Wednesday 16 May 2012 Volume 26 : Issue 84
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.84.html>
The current issue can be...
Risks Digest 26.83
RISKS List Owner (May 12)
RISKS-LIST: Risks-Forum Digest Saturday 12 May 2012 Volume 26 : Issue 83
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.83.html>
The current issue can be...
Risks Digest 26.82
RISKS List Owner (May 09)
RISKS-LIST: Risks-Forum Digest Wednesday 9 May 2012 Volume 26 : Issue 82
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.82.html>
The current issue can be...
Risks Digest 26.81
RISKS List Owner (May 04)
RISKS-LIST: Risks-Forum Digest Friday 4 May 2012 Volume 26 : Issue 81
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.81.html>
The current issue can be found...
Risks Digest 26.80
RISKS List Owner (Apr 25)
RISKS-LIST: Risks-Forum Digest Wednesday 25 April 2012 Volume 26 : Issue 80
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.80.html>
The current issue can be...
Risks Digest 26.79
RISKS List Owner (Apr 17)
RISKS-LIST: Risks-Forum Digest Tuesday 17 April 2012 Volume 26 : Issue 79
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.79.html>
The current issue can be...
Risks Digest 26.78
RISKS List Owner (Apr 10)
RISKS-LIST: Risks-Forum Digest Tuesday 10 April 2012 Volume 26 : Issue 78
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.78.html>
The current issue can be...
Risks Digest 26.77
RISKS List Owner (Apr 04)
RISKS-LIST: Risks-Forum Digest Wednesday 4 April 2012 Volume 26 : Issue 77
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.77.html>
The current issue can be...
Risks Digest 26.76
RISKS List Owner (Mar 31)
RISKS-LIST: Risks-Forum Digest Sunday 1 April 2012 Volume 26 : Issue 76
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.76.html>
The current issue can be...
Risks Digest 26.75
RISKS List Owner (Mar 18)
RISKS-LIST: Risks-Forum Digest Sunday 18 March 2012 Volume 26 : Issue 75
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.75.html>
The current issue can be...
Risks Digest 26.74
RISKS List Owner (Feb 24)
RISKS-LIST: Risks-Forum Digest Friday 24 February 2012 Volume 26 : Issue 74
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.74.html>
The current issue can be...
Risks Digest 26.73, WITH TWO ADDED COMMENTS! PLEASE READ THIS ONE.
RISKS List Owner (Feb 24)
RISKS-LIST: Risks-Forum Digest Friday 24 February 2012 Volume 26 : Issue 73
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.73.html>
The current issue can be...
Risks Digest 26.73
RISKS List Owner (Feb 24)
RISKS-LIST: Risks-Forum Digest Friday 24 February 2012 Volume 26 : Issue 73
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.73.html>
The current issue can be...
Risks Digest 26.72
RISKS List Owner (Feb 12)
RISKS-LIST: Risks-Forum Digest Sunday 12 February 2012 Volume 26 : Issue 72
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.72.html>
The current issue can be...
Risks Digest 26.70
RISKS List Owner (Jan 02)
RISKS-LIST: Risks-Forum Digest Monday 2 January 2012 Volume 26 : Issue 70
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.70.html>
The current issue can be...
Data Loss — Data Loss covers large-scale personal data loss and theft incidents. This archive combines the main list (news releases) and the discussion list.
UNC Charlotte: 350,000 SSNs exposed in decade-long breach (fwd)
security curmudgeon (May 15)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
https://www.computerworld.com/s/article/9227078/UNC_Charlotte_350_000_SSNs_exposed_in_decade_long_breach
By Jeremy Kirk
IDG News Service
May 10, 2012
Two issues exposed financial data and Social Security numbers for 350,000
people, although it is thought the information has not been abused, the
University of North Carolina at Charlotte said.
The...
Identity Theft Concerns Follow Security Breach
Jake Kouns (May 15)
http://www.foxcharlotte.com/news/local/Identity-Theft-Concerns-Follow-Security-Breach-151217185.html
YORK, S.C.--York County says there could be nearly 17,000 potential
victims after a security breach.
The County Manager says a backup web server was breached last August.
The problem was tracked to a suspected hacker overseas.
York County says South Carolina and a private hosting program is now
monitoring their servers.
Experts say the...
Hackers Infiltrate Opening Ceremony's Online Boutique, Compromise Security
security curmudgeon (May 15)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
http://blogs.artinfo.com/silhouettes/2012/05/09/hackers-infiltrate-opening-ceremonys-online-boutique/
By Ann Binlot
ARTINFO.com
May 9, 2012
We recently got hold of a piece of mail bearing bad news from the edgy
boundary-pushing boutique Opening Ceremony stating that "a hacker placed
malicious software on our website."
The letter -- dated...
DiscoverCard stores passwords in plaintext, e-mails them on request
security curmudgeon (May 08)
---------- Forwarded message ----------
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 4 May 2012 12:48:03 PDT
Subject: [RISKS] Risks Digest 26.81
RISKS-LIST: Risks-Forum Digest Friday 4 May 2012 Volume 26 : Issue 81
------------------------------
Date: Sun, 29 Apr 2012 23:14:26 -0400
From: Gregory Marton <gremio () acm org>
Subject: DiscoverCard stores passwords in plaintext, e-mails them on request
I just had the...
Chinese hackers steal private data from 760 firms
security curmudgeon (May 08)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
http://www.thejakartapost.com/news/2012/05/08/chinese-hackers-steal-private-data-760-firms.html
The Jakarta Post
05/08/2012
China-based hackers are reportedly targeting US-based Google Inc and Intel
Corp.
An attack hackers launched on iBahn could help them access secret e-mails,
even encrypted ones, according to a US senior intelligence official...
3.2m in Mass. have had data lost, stolen
security curmudgeon (May 08)
http://articles.boston.com/2012-04-24/business/31393508_1_data-breaches-card-numbers-personal-data
3.2m in Mass. have had data lost, stolen
April 24, 2012|Jenn Abelson, Globe Staff
Nearly half of Massachusetts residents have had their personal information
lost or stolen as a result of about 1,800 data breaches over the past four
years, according to a new report from the state's Office of Consumer
Affairs and Business Regulation.
Banks,...
Global Breach: Did It Start in 2011?
security curmudgeon (May 04)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
http://www.bankinfosecurity.com/global-breach-did-start-in-2011-a-4732
By Tracy Kitten
Bank Info Security
May 2, 2012
Evidence is mounting that Global Payments Inc. may have been breached
months earlier than initially reported.
One affected card issuer told BankInfoSecurity that Visa issued an updated
alert about the breach on April 26, noting that...
follow-up: Processor Warns of Hacking Trend
security curmudgeon (May 01)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
http://www.bankinfosecurity.com/processor-warns-hacking-trend-a-4720
By Tracy Kitten
Bank Info Security
April 30, 2012
Over the past year, First Data, the largest payments processor in the
U.S., has seen an uptick in "trolling" - hackers sniffing networks for
remote access into point-of-sale systems that are open or loosely
protected.
The...
Hosting firm suffers 'innocent' intrusion after billing system hacked
security curmudgeon (May 01)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
http://www.theregister.co.uk/2012/04/30/eukhost_billing_system_compromise/
By Brid-Aine Parnell
The Register
30th April 2012
Web-hosting firm eUKHost has been hacked by Pakistani hacking team
UrduHack, which appeared to have gained access to its billing system.
The company sent out an email to customers and announced on its website
over the weekend...
Police find 15,400 Aussie credit cards on hacker forums
security curmudgeon (Apr 30)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
http://www.itnews.com.au/News/298770,police-find-15400-aussie-credit-cards-on-hacker-forums.aspx
By Darren Pauli
iTnews.com.au
April 30, 2012
International sting hits 36 underground sites.
More than 15,000 Australian credit cards worth an estimated $3.75 million
in total were salvaged from underground hacker forums in a global police
sting.
The...
fringe: The Nightly Turbo: Phil Ivey Divorce Case Update, TwoPlusTwo Hacked, and More
security curmudgeon (Apr 30)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
http://www.pokernews.com/news/2012/04/the-nightly-turbo-phil-ivey-divorce-case-twoplustwo-hacked-12535.htm
By Brett Collson
Poker News Global
April 26 2012
[...]
TwoPlusTwo Forums Hacked
The TwoPlusTwo forums went offline on Thursday, and it had nothing to do
with the flow of traffic resulting from the Full Tilt Poker developments
this week....
Hospitals seeing more patient data breaches
blitz (Apr 30)
Yeah, put that sensitive data in one of the Mickey-Mouse clouds....
It's always been about making that very data easy to steal, part of the
police-state spying.
When my doctor wrote down information on a piece of paper in my file, it got locked up at night.
NO such assurances are there today. You buy HIPAA compliant software, and some nurse-aid who doesn't know anything about
computers and has a password of "nurse" is supposed to...
UK public sector accounts for bulk of data breach fines
security curmudgeon (Apr 30)
http://www.bbc.co.uk/news/technology-17843371
25 April 2012 Last updated at 16:18
UK public sector accounts for bulk of data breach fines
The UK's private sector accounted for more than a third of all reported
data breaches over 11 months, but less than 1% of the resulting fines,
according to a Freedom of Information request.
The data was issued by the Information Commissioner's Office after a
request by satellite system-maker...
2 Medicaid Data Breaches, 1 Weak Link: Employees
security curmudgeon (Apr 30)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
http://www.informationweek.com/news/healthcare/security-privacy/232900817
By Ken Terry
InformationWeek
April 24, 2012
For the second time in less than a month, there has been a major data
security breach at a state Medicaid agency. The South Carolina Department
of Health and Human Services (SCDHHS) discovered on April 10 that an
employee of the...
Law firms see big money in healthcare breach cases (fwd)
security curmudgeon (Apr 30)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
http://www.csoonline.com/article/704288/law-firms-see-big-money-in-healthcare-breach-cases
By Taylor Armerding
CSO
April 16, 2012
Cybercriminals are not the only ones looking to make money from health
data breaches.
In California, where a unique state law provides for damages of $1,000 per
person per violation of the Confidentiality of Medical...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
Re: Discovery scan through proxies?
Sean Carolan (May 16)
Absolutely, this is awesome.
Re: Discovery scan through proxies?
Jonathan Cran (May 15)
Sean -- yes, definitely. this is probably something best implemented with
some scripting / rpc, or at a lower layer with specific routes / network -
are you using pro or the framework? Assuming pro (but the same principles
apply for the framework), you could also use an RC file to set the PROXIES:
<discover_all.rc>
# run first scan without a proxy
pro_discover 10.0.0.0/24
set PROXIES socks4:localhost:1080
# run second scan through a pivot...
Discovery scan through proxies?
Sean Carolan (May 15)
Hello all:
Is it possible to set up a discovery scan with some logic built in to
use proxies where appropriate? Or alternatively, create separate
scans for different networks that use proxy machines to reach inside
each remote network?
thanks
Sean
Meterpreter reverse_tcp pivot + socks4a proxy dies
Lukas Kuzmiak (May 14)
Hey there,
I'm using linux/x86/meterpreter/reverse_tcp payload in an exploit on a
remote host, once the meterpreter session is established, I set up a route
using autoroute command to pivot through this host.
As I want to play with a web application through this pivot I'm using this
socks4a proxy in Firefox. However the meterpreter session dies _very_
often, both servers are in datacenters on 100mbps with latency of ~20ms and...
msf pro vpn issue.
Ivan Leoni (May 13)
MSF Pro (last update) VPN creation is ignoring the DHCP checkbox and always
tries to get the IP from the DHCP server.
some logs:
*framework.log*
[05/13/2012 14:09:28] [d(0)] core: Reloading module pro/tunnel...
[05/13/2012 14:09:28] [w(0)] core: The module pro/tunnel is ambiguous with
pro/tunnel.
[05/13/2012 14:09:41] [w(0)] core: Exception caught in
DHCP::Client.acquire: execution expired
[05/13/2012 14:09:41] [w(0)] core:...
Breakpoint 2012 Call For Papers
cfp (May 10)
Breakpoint 2012
Intercontinental Rialto
Melbourne, Australia
October 17th-18th...
Using custom java meterpreter payloads
pasknel ribeiro (May 02)
How can I use custom meterpreter payloads to java exploits (example:
java_atomicreferencearray)?
I created a jar file with msfvenom using java/meterpreter/reverse_tcp as
the payload and used SmokeScreen to perform Code Obfuscation in the jar
file.
The jar file works fine but how can I use this with a java exploit?
I tried using the 'generic/custom' payload and setting the PAYLOADFILE
attribute to the jar file but it did not work :(...
Fwd: nullcon Delhi 2012 Call for Paper/Call for Event
nullcon (Apr 29)
Hi All,
For the very first time nullcon now comes to Delhi - to showcase cutting
edge security technologies and discuss new attack vectors and security
threats among the Corporate world and the Government sector. The event
brings together thought leaders,Corporates, Government and security
professionals all under one roof.
Prototype:
-------------
We are introducing a new sub-event - Prototype at nullcon Delhi 2012. The
event provides...
Re: asm to hex, with a random string
David3 Gonnella (Apr 27)
Thanks, you answered my confusing question by saying that "all
operations end up as bytecode". That is just enough to understand
that I was wrong, and I should have studied that book properly,
since it is here..
Re: asm to hex, with a random string
AK (Apr 27)
Hi David3,
I do not fully understand your email (English is a second language for
me at best). My questions are inline:
Documented on "Shellcoder's handbook". I do not understand your last
sentence, ALL operations end up as bytecode, not just the complex ones.
I will send in your personal email a blog post that I have written for
asm <-> shellcode (note the <->). I can also send it to the list,
although this has been...
Re: asm to hex, with a random string
David3 Gonnella (Apr 27)
Sorry for my typo error, the last sentence
"you can do that on the assembly" should be replaced with
"you CAN'T do that on the assembly" :)....thanks
Re: asm to hex, with a random string
David3 Gonnella (Apr 27)
After some study I realized that if you want clever assembly you
have to rely on C, just because more complex operations in the end
are associations of hexes that vary on architectures.
You can just compile and link your program on two different architectures,
get the hexes from the final bin and you have the logic you wrote as I
would when I was asking.
Well, that question was not clear also to me, just because was done like
when you are...
Re: asm to hex, with a random string
AK (Apr 27)
The question is not entirely clear to me but if by string you mean
something along the lines of changing for example /bin/bash to /tmp/tcsh
or something, indeed you can do that, provided that you keep endianness
and other factors in mind. Why is this useful?
Re: Java AtomicReferenceArray Type exploit and java meterpreter question
Balint Varga-Perke (Apr 25)
Just a quick test with Help.java:
Class perm_c=Class.forName("Perm"+"issions");
Constructor perm_ct=perm_c.getConstructor(new Class[0]);
Permissions perm = (Permissions)perm_ct.newInstance(new Object[0]);
This makes detection ratio drop from 14/42->5/42 on VirusTotal for
Help.class
Re: Java AtomicReferenceArray Type exploit and java meterpreter question
Joshua Smith (Apr 23)
++your_rant
-Josh
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Wireshark multiview feature demo
Mikael Wikström (May 17)
Hi,
first of all I thank you all for a great piece of software.
I'd like to suggest a feature that would make wireshark even more
useful, so I thought I would describe it and see if any one else would
find it interesting.
The basic concept is to be able to view a pcap file in multiple
windows and have them track each other. Or more accurately have one
track the second one. If I then used display filters in window1 and
select a packet,...
Re: Stop criteria using capture or display filters
Christopher Maynard (May 16)
Senthil Kumar S <senthilkumar.s () > writes:
This functionality is not yet available, although it has been requested and is
being tracked in https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2039. You
might want to add yourself to the "CC List" for the bug, and then you will be
automatically...
Crash in airpcap_ui_dlg.c
Gisle Vanem (May 16)
When I did this:
1. Open menu 'Capture | Interfaces' and select 'Options | Manage Interfaces'.
2. Click 'Local Interfaces' with the intention to hide the interface
'MS Tunnel interface driver', I got a crash at airpcap_channel_offset_changed_cb().
I'm not sure how the right way (TM) of hiding an interface is supposed to work. But
this is the offending snippet:
void...
Re: Linking reassemble_test.exe
Gisle Vanem (May 16)
"Jeff Morriss" <jeff.morriss.ws () gmail com> wrote:
Ops, you're right. Somehow my $(REASSEMBLE_TEST_OBJ) included reassemble.obj
etc. Hence the link failure.
--gv
Re: Looking for explanation of build files
Beth (May 16)
*That*'s the one I needed - thanks! I read it long ago but not recently.
That has just the info I was looking for.
On Wed, May 16, 2012 at 11:31 AM, Stephen Fisher
<steve () stephen-fisher com> wrote:
Re: Linking reassemble_test.exe
Jeff Morriss (May 16)
Gisle Vanem wrote:
Yes, but it's not built as part of the normal build process. It only
gets built if you ask for it ("make reassemble_test"). The buildbot
that does the run tests builds and runs it, but the others don't.
Hmmm, reassemble_test doesn't use that symbol directly, it's used within
libwireshark, so technically I don't think it should need to be exported.
And I just managed to build/link it on...
Linking reassemble_test.exe
Gisle Vanem (May 16)
Isn't reassemble_test.exe among the targets on Windows?
(or any OS; I don't understand the 'EXTRA_DIST' stuff in
epan/Makefile.am).
Can't seem to make it link because of a missing export of
'proto_registrar_get_name' in epan/libwireshark.def. Hence, I think this
patch should fix it:
--- SVN-Latest\epan\libwireshark.def Tue May 15 00:17:00 2012
+++ epan\libwireshark.def Wed May 16 17:27:51 2012
@@ -801,6 +801,7...
Re: Looking for explanation of build files
Stephen Fisher (May 16)
---- On Wed, 16 May 2012 07:59:22 -0600 Beth wrote ----
We use GNU Autotools by default (on Unix), so the main documentation will be something like this:
http://www.gnu.org/savannah-checkouts/gnu/automake/manual/html_node/Autotools-Introduction.html. Since autotools is so
complex, that documentation can be confusing. We also use the command line tool nmake on Windows. We've also
introduced other methods of building such as cmake....
Stop criteria using capture or display filters
Senthil Kumar S (May 16)
Hi All,
I have an automation requirement that needs tshark to be stopped upon meeting a certain condition.
Is there any stopping condition I can apply through a capture filter so that tshark stops capturing?
ex: Upon receiving a TCP SYN packet (condition applied in capture filter), tshark stops capturing.
Please let me know if any option like this is available.
Regards,
Senthil kumar
Looking for explanation of build files
Beth (May 16)
They always say, the best way to discover how little you understand
something is to try to explain it to someone else!
I'm trying to write up site-specific instructions for my colleagues on how
to write a Wireshark plugin, and I realize I
don't know which of the build files in a plugin source folder are necessary
vs. which ones are auto-generated or irrelevant.
The build complains if certain files are missing, e.g. Makefile.nmake or...
Coverity updates
Gerald Combs (May 15)
Coverity recently changed Scan's[1] build process from one where they do
all the work for each project to one where each project is responsible
for building an intermediate representation and submitting it to
Coverity. I was able to get the cov-build tool up and running on the
Clang buildbot, so we once again have successful runs.
[1] http://scan.coverity.com/about.html
Re: ANSI escape codes
Stephen Fisher (May 15)
---- On Tue, 15 May 2012 05:00:14 -0600 Marek Tews wrote ----
I don't think so. What is the protocol?
ANSI escape codes
Marek Tews (May 15)
I create my dissector and I found ANSI escape codes in strings.
Is there already something ready to dissect ANSI escape codes?
Marek
Re: SNMP OctetString display
Bruynooghe, Joost (May 15)
That's what I have:
TShark 1.4.8
..., with SMI 0.4.8,...
Yes, I have that enabled (and the MIBs added in path and modules).
The OIDs etc are correctly expanded to human-readable text in the Wireshark display.
Numeric and enumerated values are decoded correctly, it's only the OctetString values I had an issue with.
This is what I was missing. The MIBs I have only defined the SYNTAX as "OCTET STRING". After changing that to...
Re: TNS data dissector
Andrej van der Zee (May 15)
Hi Martijn,
Thanks for your reply.
As far as I can see in Wireshark, it does not dissect the data inside
a TNS packet, it shows it as binary. For example, I would like to be
able to see the SQL queries going over the wire.
Cheers,
Andrej
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Re: Snort & Pulled Pork questions
Weir, Jason (May 17)
Thanks Joel any ETA?
Jason
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Thursday, May 17, 2012 11:36 AM
To: Weir, Jason
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort & Pulled Pork questions
What we are going to start doing is releasing a version of the Shared
Object rules for the new version so people can upgrade right away. The
text rules will always work.
J
Working on updating to the latest...
Re: Snort & Pulled Pork questions
Heine Lysemose (May 17)
Sounds great!
/Lysemose
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/...
Re: Snort & Pulled Pork questions
Joel Esler (May 17)
What we are going to start doing is releasing a version of the Shared Object rules for the new version so people can
upgrade right away. The text rules will always work.
J
Snort & Pulled Pork questions
Weir, Jason (May 17)
Working on updating to the latest version of snort (2.9.2.3) and using
pulledpork (0.6.1).
For those of us that are not paying subscribers of the VRT rule set
updating to the latest issue within the first 30 days causes issues..
I updated from 2.9.2.2 to 2.9.2.3 yesterday, when pulled pork runs it
detects the snort version and attempts to download the correct rule set,
well for me there is no rule set and won't be for 30 days..
Now I can...
Re: How to detect OS with Snort?
Borja Luaces (May 17)
Hello all,
The problem is that I can NOT install anything in the snort system.
I can ONLY use snort rules.
I am making tests with the preprocessor http_inspect.
Re: How to detect OS with Snort?
Jason Haar (May 17)
...except I wouldn't trust either to make blocking decisions. I've used
p0f for years and even though it's very useful, it still gets a lot of
packets wrong - eg Windows systems declared as Linux - and 3 packets
later being Windows. Great metadata - but I wouldn't block/alert on it
Perfmonitor Issue
Abdelmonaim Mokadem (May 16)
Hi all,
I have an issue using the perfmonitor preprocessor for snort inline to
provide the "Max performance snort stats" with the following parameters:
preprocessor perfmonitor: time 300 pktcnt 5000 events max console
Here are the options used to launch snort :
-A none \
--dynamic-engine-lib "${SNORT_ENG}"
--dynamic-preprocessor-lib-dir "${SNORT_DYNPPDIR}"...
Re: How to detect OS with Snort?
Olaf Schreck (May 16)
Or OpenBSDs pf firewall which has this functionality built in.
/minor nitpick
Re: [commercial] False positive
Philip Edwards (May 16)
Thanks.
However I knew that I had the source and destination port the wrong way round. It was a deliberate ploy :)
My question really is why is the sameip feature of the rule firing when the source and destination port are clearly
different.
Phil.
Re: False positive
Garcia-Zamora, Manuel (May 16)
The ports are not within the standard, I think, so it is a badly formed packet
https://en.wikipedia.org/wiki/DHCP
This will be a DHCP offer or acknowledgement from source 0.0.0.0, which is wrong.
Regards,
-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: 16 May 2012 14:41
To: Philip Edwards
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] False positive
Is there any way you can provide...
Re: False positive
Joel Esler (May 16)
Is there any way you can provide some pcaps to illustrate your FP?
Re: How to detect OS with Snort?
Joel Esler (May 16)
User Agents can be spoofed. Easily. Trivially.
In OpenSource land, p0f is the best tool to go about detecting OSes.
False positive
Philip Edwards (May 16)
Hi,
I have recently installed snort on ubuntu and am just attempting to tune out the noise.
For some reason the BAD-TRAFFIC (same source and destination) rule is firing on DHCP broadcasts.
The source is 0.0.0.0 port 67 and the destination is 255.255.255.255 port 68.
Since the source and destination are different can anyone clue me in?
Thanks
Phil Edwards
Snort 2.9.2.3 Now Available
Snort Releases (May 15)
Snort 2.9.2.3 is now available on snort.org, at
http://www.snort.org/snort-downloads/ in the Latest Release section.
2.9.0 RC & later packages are signed with a new PGP key
(that is signed with the previous key).
Snort 2.9.2.3 includes changes for the following:
* Update to GTP preprocessor to better handle GTPv1 data.
* Update to DNP3 preprocessor to add stricter checking on
packets before processing by dnp3. Improved checking...
OpenVAS — Development and announcements regarding OpenVAS, a free network security scanner which forked from Nessus. This is a combination of the English openvas-announce, openvas-devel, openvas-discuss, and openvas-plugins lists.
gsd segfault on startup
Andrew Simmons (May 17)
Hi,
gsd v1.2.2, on Fedora 16, segfaults for me:
$ gsd
loaded the Generic plugin
Segmentation fault
Strace gives:
[...]
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=118, ...}) = 0
close(10) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x80000009} ---
+++ killed by SIGSEGV +++
Segmentation fault
I'm baffled. Any suggestions?
thanks
Andrew
Re: gsad - libmicrohttpd problems
Juan José Pavlik Salles (May 16)
Miguel, you should check this
http://lists.wald.intevation.org/pipermail/openvas-discuss/2011-November/003613.html
2012/3/23 Miguel Lucero <miguel.lucero () gmail com>
Re: 64 bits packages missing in Ubuntu 10.04, 10.10 and 11.04
Stephan Kleine (May 16)
They don't compile. See
https://build.opensuse.org/project/monitor?project=security%3AOpenVAS%3AUNSTABLE%3Av5
for details.
regards,
Stephan
Open-VAS scanner issue
sankar . mindtree (May 16)
Hi,
I have installed openvas from atomic repo, when I execute the
openvas-cehck-status It is giving the below error message.
openvas-check-setup 2.1.3
Test completeness and readiness of OpenVAS-4
Please report us any non-detected problems and
help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the
problem....
Re: Plugin to check for SSL Weak Ciphers
Stefan Schwarz (May 16)
On 16.05.2012 13:53, Matthew Mundell wrote:
Should be worth for more detailed investigation.
I definitely did --update, so OTP worked fine.
But only --rebuild also got OMP to work.
Stefan
Re: Plugin to check for SSL Weak Ciphers
Matthew Mundell (May 16)
--update should work the same as --rebuild. Might just take longer.
Re: OTP doc
Matthew Mundell (May 16)
Yes, OTP is the same as it was back then.
Re: Plugin to check for SSL Weak Ciphers
Stefan Schwarz (May 16)
On 16.05.2012 11:21, Michael Meyer wrote:
Blame on me :-(
I do my nvt-syncing by script and the script ends with "openvasmd
--update" , which is not sufficient for openvasmd.
Adding "openvasmd --rebuild" now works as desired.
Thanks for help,
Stefan
Re: OTP doc
RizThon (May 16)
So does that mean that OTP hasn't evolved since then
(openvas-compendium-1.0.1.pdf dates back to 2009-01-15) or the doc
hasn't been updated (in that case what source file(s) should I check
to see how OTP is implemented)?
Thanks.
Re: Plugin to check for SSL Weak Ciphers
Michael Meyer (May 16)
*** Stefan Schwarz wrote:
When did you run "openvasmd --rebuild" for the last time? The
difference between OTP and OMP looks like there are many NVTs
not in the manager database.
Micha
Re: Plugin to check for SSL Weak Ciphers
Stefan Schwarz (May 16)
On 13.05.2012 13:42, Michael Meyer wrote:
To be more detailed about this problem:
When starting openvassd, log tells me that plugin 103441 gets loaded:
[Wed May 16 07:28:56 2012][21355] Loading
gb_secpod_ssl_ciphers_noweak_report.nasl
When connecting with openvas-client (OTP) this plugin is loaded and can
be selected. Also a scan using this plugin shows the execution:
[Wed May 16 07:32:57 2012][21419] user xyz: launching...
Openvas 5 "bad login".
直樹 (May 15)
Hi all,
I've got the server and clients on the same box and while *openvas-check-setup
--v5* clears I cannot login from gsd, omp, or greenbone. All result in a
"bad login attempt from X" message in the scanner logs. Manager logs
indicate we handshake and connect with the scanner.
Packages;
libopenvas_base5-5.0.1-2.1.x86_64
libopenvas_misc5-5.0.1-2.1.x86_64
openvas-scanner-3.3.1-5.1.x86_64
libopenvas_hg5-5.0.1-2.1.x86_64...
Re: Install Error Message OpenVAS-5 using Fedora 15 on a Virtual Machine!
Ryan Schulze (May 15)
Did you install a C compiler (i.e. gcc)?
cant install openvas on backtrack arm
Edu (May 15)
I can't install openvas on backtrack 5 arm. It shows dependency issues, probably because of the repositories.
Please help.
help automating wapiti + dirb scans
Miguel Lucero (May 15)
After fighting with my install $PATH to get wapiti and dirb scanning.., I'm
now interested in getting some useful output from these two plugins...
I would like to have dirb create a set of URLs to feed into wapiti for
scanning but I'm not sure how to go about this within openvas. I'd very
much like to get this into a scheduled scan inside openvas but I don't see
a way to get it to work because the nasl wrappers don't...
We also maintain archives for these lists (some are currently inactive):
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.