SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.
Rewanth's GSOC status report #7 of 17
Rewanth Cool (Jun 26)
Hello all,
Accomplishments this week
- Wrote an NSE script for Openwebnet discovery.
- Removed ambiguous list of extensions from httpspider
- Modified the http-vuln-cve2014-3704 for successful exploitation.
- Commented on a few PRs and issues on GitHub.
- Reviewed a PR and addressed the required changes on GitHub.
Priorities
- Merge Openwebnet with master branch
- Merge http-vuln-cve2014-3704 with master branch
- Start working on the new...
Vinamra Bhatia - GSoC status report #7 of 17
Vinamra Bhatia (Jun 26)
Hello All,
This is my 7th week status report for GSoC 2017.
Accomplishments :
1. Fixed redirection issue in url_parse in http library:
https://github.com/nmap/nmap/pull/918
2. Worked on redirect-cookie support for http library:
https://github.com/nmap/nmap/pull/919 https://github.com/nmap/nmap/pull/913
3. Solved a minor bug in http-site-generator.
https://github.com/nmap/nmap/pull/920
4. Started working on a script for TR-069 vulnerability....
Re: telnet-brute script
nnposter (Jun 26)
Hello Julio,
Please submit a new issue at GitHub
(https://github.com/nmap/nmap/issues) and provide detail about:
* How specifically the script is misbehaving
* What your nmap command line looks like
* What the target is
* Whether it is possible to log in with a regular telnet client
Please attempt to run the script as follows:
* Use a user list with only one correct username and a password list
with only two lines: a bad password and then a...
Evangelos Deirmentzoglou GSoC status report #7 of 17
Evangelos Deirme (Jun 26)
Hey everyone,
This is my report for the 7th week of GSoC 2017.
---Status Report #7 of 17---
26 June 2017
Accomplishments:
- Provided support for the pull request 910. Fixed a lot of stuff.
- Continued studying the ncrack engine.
Priorities:
- Develop the discussed feature for ncrack
- Start developing a new ncrack module
Thanks,
Evangelos Deirmentzoglou
Wai Tuck's GSOC status report #7 of 17
Wong Wai Tuck (Jun 26)
Hey all!
I have received some feedback for exploit.lua and have looked at several
scripts and now I have a much clearer idea of what to write in the coming
weeks.
This week has been productive and I had a lot of great fun working with
Puppet!
Accomplishments
- Wrote and committed http-vuln-cve2017-8917.nse as of revision 36825.
- Wrote a script to detect the naive signing misconfiguration in Puppet
servers
- Wrote some improvements for...
telnet-brute script
julio (Jun 26)
Hi all.
I have a problem with 7.50 and the telnet-brute script; it does not finish
(or it freezes) when I pass arguments. I tried the same command with nmap 7.01
and it works.
If you need something (debug output or a log), please tell me how to help.
Thanks.
Julio.
Where can I find the TODO list for ncrack on Windows OS?
michael johns (Jun 25)
Where can I find the TODO list for ncrack on Windows OS? Thank you.
[NSE] New Belkin Wemo Switch Scripts: wemo-info.nse and wemo-switch.nse
Pedro Joaquín (Jun 24)
Hello NMap Community,
Hope you are all doing well. This email is regarding a submission of two new
NSE scripts.
Belkin Wemo Switch Smart Plug is a network controlled power outlet. The
script wemo-switch.nse turns the power of the connected device ON or OFF
and the script wemo-info.nse gathers information such as nearby wireless
networks.
wemo-info.nse:
https://github.com/hkm/nmap-nse-scripts/blob/master/wemo-info.nse
wemo-switch.nse:...
Nmap error
Antonio Zunic (Jun 22)
Version: 7.50
Traceback (most recent call last):
File "zenmapGUI\App.pyo", line 190, in _destroy_callback
File "zenmapCore\UmitDB.pyo", line 308, in cleanup
OperationalError: unable to open database file
nmap supports TCP Fast Open?
Stephen Fung (Jun 22)
Hi,
Does nmap support TCP Fast Open or understand the corresponding TCP option?
nmap
====
# nmap -sS -Pn -p 80 aa.bb.212.39 -ddddd
[....]
SENT (3.2777s) TCP [xx.yy.190.22:57408 > aa.bb.212.39:80 S seq=2165075824
ack=0 off=6 res=0 win=1024 csum=0x2275 urp=0 <mss 1460>] IP [ver=4 ihl=5
tos=0x00 iplen=44 id=10606 foff=0 ttl=38 proto=6 csum=0xcaba]
**TIMING STATS** (3.2780s): IP, probes...
Increasing the Speed of Nmap Script Scanning
Alex Holland (Jun 22)
Hello,
I am working on discovering all hosts that respond to a single port with a
single nmap script. As such I'm working on increasing the speed of script
scanning so that I can perform multiple of these scans in a reasonable time
frame.
Currently I am seeding nmap by using IPs obtained through zmap that
respond to a specified port. I have a list of 1% of these hosts,
approximately 66,000 IPs, and I would like this scan to run...
NSE for CVE-2017-8917
Wong Wai Tuck (Jun 22)
Hey all
While exploring SQLi for the exploit library, I have written a small script
to detect CVE-2017-8917 (which detects an SQLi vulnerability in Joomla!
versions 3.7.x before 3.7.1).
You can check out the script in action here [1] and the pull request here
[2].
Feel free to leave feedback on the PR!
Thank you!
[1]: https://www.youtube.com/watch?v=qShkNVs_2rE
[2]: https://github.com/nmap/nmap/pull/916
Wai Tuck
Re: Request for Feedback: exploit.lua
Paulino Calderon (Jun 21)
Hey,
This is a very interesting idea. A library where we can share code commonly found in exploitation scripts will
certainly help get rid of all the duplicated code (like in the LFI/RFI scripts you mentioned). LFI/RFI is a good place
to start and probably where most code can be re-used from the scripts we have.
For the shell command argument if the command is not set manually, it would be great if it also uses the os information
available...
Re: nmap nse script telnet-brute
nnposter (Jun 21)
Thank you for reporting the issue and working with us on the resolution.
Cheers,
nnposter
Re: nmap nse script telnet-brute
bgqueengeek (Jun 21)
Thank you nnposter.
Your revised telnet-brute script works as you described!
Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Nmap 7.50 Released! 14 new NSE scripts, 300+ fingerprints, new Npcap, and more
Fyodor (Jun 13)
Dear Nmap Community:
The Nmap project is delighted to announce the release of Nmap 7.50! It is
our first big release since last December and has hundreds of improvements
that we hope you will enjoy.
One of the things we have worked the hardest on recently is our Npcap
packet capturing driver and library for Windows (https://nmap.org/npcap/).
It is a replacement for WinPcap, which served us well for many years, but
is no longer maintained....
Introducing the 2017 Nmap/Google Summer of Code Team!
Fyodor (May 18)
Nmap community:
Thanks for all of your applications and referrals of talented students to
the Summer of Code program. Google has agreed to sponsor four students to
spend this summer enhancing the Nmap Security Scanner and I'm proud to
introduce our 2017 team! We normally mentor coders working all over the
Nmap/Zenmap/Ncat/Nping spectrum, but this year we're doubling down on the
Nmap Scripting Engine component. All four of our...
Nmap Project Seeking Talented Programmers for GSoC 2017
Fyodor (Mar 27)
Hi folks. I'm delighted to report that Nmap has been accepted by Google to
participate in this year's Summer of Code internship program. This
innovative and extraordinarily generous program provides $5,500 stipends to
college and graduate students anywhere in the world who spend the summer
improving Nmap from home! They gain valuable experience, get paid,
strengthen their résumés, and write code for millions of users. We're one...
Nmap GSoC 2016 Success Report
Fyodor (Feb 07)
Happy belated new year from the Nmap Project! I'd like to take this
opportunity to send you the belated results from our 2016 Summer of Code
team. I was going to send them right after the program finished, but some
of the students were still finishing some great things so I decided to
wait. As you may recall from the team intro mail (
http://seclists.org/nmap-announce/2016/2), we had 5 students last year and
I'm happy to report that...
Nmap 7.40 Holiday Release: a dozen new NSE scripts, hundreds of new fingerprints, new Npcap, faster brute forcing, and more...
Fyodor (Dec 20)
Happy holidays from the Nmap Project! In case your Christmas break plans
involve a lot of port scanning, we're delighted to announce our holiday
Nmap 7.40 release! This version stuffs your stockings with dozens of new
features, including:
- 12 new NSE scripts
- Hundreds of updated OS and version detection signatures
- Faster brute force authentication cracking and other NSE library
improvements
- A much-improved...
Nmap 7.31 stability-focused point release
Fyodor (Oct 21)
Hi folks. I'm happy to report that the big Nmap 7.30 release last month
was a great success. We didn't even see as many bugs as expected for such
a large release, but we have collected and fixed the ones which did arise
in the last few weeks into a new 7.31 point release. It includes the
latest updates to our new Npcap driver, a fix for Nping on Windows, and
more.
Nmap 7.31 source code and binary packages for Linux, Windows, and Mac...
Nmap 7.30 Released with new NSE scripts, new Npcap, new Fingerprints, etc.
Fyodor (Sep 29)
Hi folks! You may have noticed that we've only been releasing Nmap betas
for the last 6 months because we've had so much new code and so many
features to integrate thanks to hard work from both our regular team and
the 5 Google Summer of Code summer interns. But we spent the last month
focused on stability and I'm pleased to announce Nmap 7.30--our first
stable release since 7.12 back in March.
Even though it's a stable...
Nmap 7.25BETA2 Birthday Release
Fyodor (Sep 01)
Hi folks! I'm happy to report that today is Nmap's 19th birthday and
instead of cake, we're celebrating open source style with a new release!
Nmap 7.25BETA1 includes dozens of performance improvements, bug fixes, and
new features. The full list is below, and includes a major LUA upgrade for
NSE scripts, a new overlapped I/O engine for better Windows performance, a
much-improved version of our new Npcap packet capturing driver,...
Nmap 7.25BETA1 Released with our new Npcap driver, 6 new NSE scripts, and more!
Fyodor (Jul 19)
Hi folks! As you may know, we've been working for the last 3 years on an
improved Windows packet capturing library named Npcap. It's based on the
original WinPcap (which hasn't been maintained in years), but we rewrote
the driver to use modern APIs (NDIS 6) for better performance. It also
improves security and enables new features. For example, Npcap allows Nmap
to do raw scans (including SYN scans and OS detection) of localhost...
Introducing the 2016 Nmap/Google Summer of Code Team!
Fyodor (May 09)
Hello everyone. Google has agreed to sponsor five amazing students to
spend this summer enhancing the Nmap Security Scanner and I'm proud to
introduce our 2015 team:
*Abhishek Singh* will be working as a Feature Creeper and Bug Hunter,
making improvements throughout the Nmap codebase. The project hasn't even
started yet and he's already found and fixed several NSE script bugs and
has other code changes in the works. Abhishek is...
Nmap 7.10 released: 12 new scripts, hundreds of OS/version fingerprints, bug fixes, and more!
Fyodor (Mar 17)
Hi Folks! Before I tell you about today's new Nmap release, I wanted to
share some Summer of Code news:
Google posted a fantastic story by one of our Summer of Code alumni about
how the program helped take him from rural China to a full-ride scholarship
at the University of Virginia graduate school! His mentor David and I had
the chance to meet him in San Francisco:...
Nmap Project Seeking Talented Programmers for Google Summer of Code 2016
Fyodor (Feb 29)
Hi folks. I'm delighted to report that Nmap has been accepted by Google to
participate in this year's Summer of Code internship program. This
innovative and extraordinarily generous program provides $5,500 stipends to
college and graduate students anywhere in the world who spend the summer
improving Nmap from home! They gain valuable experience, get paid,
strengthen their résumés, and write code for millions of users. We're one...
Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
Freeware Advanced Audio Decoder 2 (FAAD2) multiple vulnerabilities
qflb.wu (Jun 27)
Freeware Advanced Audio Decoder 2 (FAAD2) multiple vulnerabilities
================
Author : qflb.wu
===============
Introduction:
=============
FAAD2 is a decoder for a lossy sound compression scheme specified in MPEG-2 Part 7 and MPEG-4 Part 3 standards and
known as Advanced Audio Coding (AAC).
Affected version:
=====
2.7
Vulnerability Description:
==========================
1.
the mp4ff_read_stsd function in common/mp4ff/mp4atom.c in...
DefenseCode Security Advisory: IBM DB2 Command Line Processor Buffer Overflow
DefenseCode (Jun 26)
DefenseCode Security Advisory
IBM DB2 Command Line Processor Buffer Overflow
Advisory ID: DC-2017-04-002
Advisory Title: IBM DB2 Command Line Processor Buffer Overflow
Advisory URL:
http://www.defensecode.com/advisories/IBM_DB2_Command_Line_Processor_Buffer_Overflow.pdf
Software: IBM DB2
Version: V9.7, V10.1, V10.5 and V11.1 on all platforms
Vendor Status: Vendor Contacted / Fixed (CVE-2017-1297)
Release Date: 26.06.2017
Risk:...
Vulnerabilities in D-Link DIR-100
MustLive (Jun 26)
Hello list!
There are Brute Force and Cross-Site Request Forgery vulnerabilities in
D-Link DIR-100.
-------------------------
Affected products:
-------------------------
The following model is vulnerable: D-Link DIR-100, Firmware v1.01. All other
versions also must be vulnerable.
----------
Details:
----------
Brute Force (WASC-11):
http://site/public/login.htm
No protection from BF attacks in login form.
Cross-Site Request Forgery...
malicious hypervisor aka root-kit hypervisor threat is rel
Mikhail Utin (Jun 26)
We would like to post and discuss at once the Malicious Hypervisor threat, which has existed since 2006 but was ignored.
In 2006, a Michigan University (MU) team, with the participation of a Microsoft research team, published an article
describing the development of the most advanced malware - "SubVirt: Implementing malware with virtual machines".
The research was supported by the US government and Intel Corporation. The research is the proof of...
Microsoft Skype v7.2, v7.35 & v7.36 - Stack Buffer Overflow Vulnerability
Vulnerability Lab (Jun 26)
Document Title:
===============
Microsoft Skype v7.2, v7.35 & v7.36 - Stack Buffer Overflow Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2071
MSRC ID: 38778
TRK ID: 0461000724
Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2017/05/28/stack-buffer-overflow-zero-day-vulnerability-uncovered-microsoft-skype-v72-v735
Video:...
Vaadin Javascript Injection
Caleb Cushing (Jun 22)
first time poster, so I'm not sure if this is the best venue, format, etc.
https://github.com/vaadin/framework/issues/8731
using vaadin 7.7.6
using example
https://vaadin.com/docs/-/part/framework/components/components-combobox.html
but with malicious text that assumes humans are adding the planet names
via a form.
// List of planets
List<Planet> planets = new ArrayList<>();
planets.add(new Planet(1, "<iframe...
OffensiveCon Berlin 2018 Call for Papers
Moritz Jodeit (Jun 22)
========================================
OffensiveCon Berlin 2018 Call for Papers
========================================
[OVERVIEW]
We are pleased to announce the CFP for the first edition of
OffensiveCon Berlin which is a highly technical international
security conference focused on offensive security only. The aim of
OffensiveCon is to bring the community of hackers together, for
networking and sharing knowledge. The conference is...
PayPal Inc BB #149 - (Gift) Insufficient Authentication Vulnerability
Vulnerability Lab (Jun 22)
Document Title:
===============
PayPal Inc BB #149 - (Gift) Insufficient Authentication Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1973
ID EIBBP-34368
Release Date:
=============
2017-06-21
Vulnerability Laboratory ID (VL-ID):
====================================
1973
Common Vulnerability Scoring System:
====================================
4.2
Vulnerability Class:...
SEC Consult SA-20170622-0 :: XXE, SQLi, XSS & local file disclosure in Cisco Prime Infrastructure
SEC Consult Vulnerability Lab (Jun 22)
SEC Consult Vulnerability Lab Security Advisory < 20170622-0 >
=======================================================================
title: XML External Entity Injection (XXE),
SQL Injection, Cross Site Scripting,
Local File Disclosure
product: Cisco Prime Infrastructure
vulnerable version: 1.1 through 3.1.6
fixed version: 3.1.6 Update 1 (patch), 3.1.7 (future...
Reflected XSS in WordPress Download Manager could allow an attacker to do almost anything an admin can (WordPress plugin)
dxw Security (Jun 20)
Details
================
Software: WordPress Download Manager
Version: 2.9.46,2.9.51
Homepage: https://wordpress.org/plugins/download-manager/
Advisory report: https://security.dxw.com/advisories/xss-download-manager/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)
Description
================
Reflected XSS in WordPress Download Manager could allow an attacker to do almost anything an admin can
Vulnerability...
Path traversal in Photo Gallery may allow admins to read most files on the filesystem (WordPress plugin)
dxw Security (Jun 20)
Details
================
Software: Photo Gallery
Version: 1.3.34,1.3.42
Homepage: https://wordpress.org/plugins/photo-gallery/
Advisory report:
https://security.dxw.com/advisories/path-traversal-in-photo-gallery-may-allow-admins-to-read-most-files-on-the-filesystem/
CVE: Awaiting assignment
CVSS: 4 (Medium; AV:N/AC:L/Au:S/C:P/I:N/A:N)
Description
================
Path traversal in Photo Gallery may allow admins to read most files on the...
Freeware Advanced Audio Coder (FAAC) multiple vulnerabilities
qflb.wu (Jun 20)
Freeware Advanced Audio Coder (FAAC) multiple vulnerabilities
================
Author : qflb.wu
===============
Introduction:
=============
FAAC is an encoder for a lossy sound compression scheme specified in MPEG-2 Part 7 and MPEG-4 Part 3 standards and
known as Advanced Audio Coding (AAC). This encoder is useful for producing files that can be played back on iPod.
Moreover, iPod does not understand other sound compression schemes in video...
APC UPS Daemon <= 3.14.14 Local Privilege Escalation
Richard Young (Jun 16)
[+] Credits: fragsh3ll aka Richard Young
[+] Contact: https://twitter.com/fragsh3ll
Vendor
==========
http://www.apcupsd.org
Product
===========
APC UPS Daemon <= 3.14.14
Vulnerability Type
=====================
Privilege Escalation
Vendor Description
=====================
Apcupsd can be used for power management and controlling most of APC’s UPS
models on Unix and Windows machines. Apcupsd works with most of APC’s
Smart-UPS models as...
New BlackArch Linux ISOs (2017.06.13) released!
Black Arch (Jun 13)
Dear list,
We've released the new BlackArch Linux ISOs along with many
improvements. They include more than 1800 tools now. The armv6h,
armv7h and aarch64 repositories are filled with about 1700 tools.
A short ChangeLog of the Live-ISOs:
- add more than 100 new tools
- update blackarch installer to version 0.5.1 (bugfixes + features)
- fix several tools (dependencies, installs)
- include linux kernel 4.11.3
- updated all...
t2'17: Call For Papers 2017 (Helsinki, Finland)
Tomi Tuominen (Jun 13)
#
# t2'17 - Call For Papers (Helsinki, Finland) - October 26 - 27, 2017
#
Do you have a fear of being naked[0] in front of other people? Can you
name a president[1] who has climbed a palm tree during an official state
visit? Do you prefer small and efficient airports? Would you like to
present world class research to a highly technical audience? If not sure
yet, please continue reading.
t2 infosec is warmly welcoming you to Helsinki, on...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
[SECURITY] [DSA 3899-1] vlc security update
Salvatore Bonaccorso (Jun 27)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3899-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
June 27, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : vlc
CVE ID : CVE-2017-8310 CVE-2017-8311...
[slackware-security] kernel (SSA:2017-177-01)
Slackware Security Team (Jun 27)
[slackware-security] kernel (SSA:2017-177-01)
New kernel packages are available for Slackware 14.2 and -current to
fix security issues.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/linux-4.4.74/*: Upgraded.
This kernel fixes two "Stack Clash" vulnerabilities reported by Qualys.
The first issue may allow attackers to execute arbitrary code with elevated
privileges. Failed...
[CVE-2017-8831] Double-Fetch Vulnerability in Linux-4.10.1/drivers/media/pci/saa7164/saa7164-bus.c
wpengfeinudt (Jun 26)
Hi all,
I found this double-fetch vulnerability when I was doing my research on double-fetch issue analysis, and I'd like to
make an announcement here.
This was found in Linux kernel file Linux-4.10.1/drivers/media/pci/saa7164/saa7164-bus.c. The kernel (driver) uses
memcpy_fromio() to fetch the same block of device data twice from I/O memory to the kernel, and a malicious data change
by the peripheral device between the two fetches will cause...
DefenseCode Security Advisory: IBM DB2 Command Line Processor Buffer Overflow
DefenseCode (Jun 26)
DefenseCode Security Advisory
IBM DB2 Command Line Processor Buffer Overflow
Advisory ID: DC-2017-04-002
Advisory Title: IBM DB2 Command Line Processor Buffer Overflow
Advisory URL:
http://www.defensecode.com/advisories/IBM_DB2_Command_Line_Processor_Buffer_Overflow.pdf
Software: IBM DB2
Version: V9.7, V10.1, V10.5 and V11.1 on all platforms
Vendor Status: Vendor Contacted / Fixed (CVE-2017-1297)
Release Date: 26.06.2017
Risk:...
Microsoft Skype v7.2, v7.35 & v7.36 - Stack Buffer Overflow Vulnerability
Vulnerability Lab (Jun 26)
Document Title:
===============
Microsoft Skype v7.2, v7.35 & v7.36 - Stack Buffer Overflow Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2071
MSRC ID: 38778
TRK ID: 0461000724
Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2017/05/28/stack-buffer-overflow-zero-day-vulnerability-uncovered-microsoft-skype-v72-v735
Video:...
[CVE-2017-8831] Double-Fetch Vulnerability in Linux-4.10.1/drivers/media/pci/saa7164/saa7164-bus.c
wpengfeinudt (Jun 25)
Hi all,
I found this double-fetch vulnerability when I was doing my research on double-fetch issue analysis, and I'd like to
make an announcement here.
This was found in Linux kernel file Linux-4.10.1/drivers/media/pci/saa7164/saa7164-bus.c. The kernel (driver) uses
memcpy_fromio() to fetch the same block of device data twice from I/O memory to the kernel, and a malicious data change
by the peripheral device between the two fetches will cause...
[CVE-2017-8813] Double-Fetch Vulnerability in Linux-4.10.1/drivers/media/pci/saa7164/saa7164-bus.c
wpengfeinudt (Jun 22)
Hi all,
I found this double-fetch vulnerability when I was doing my research on double-fetch issue analysis, and I’d like
to make an announcement here.
This was found in Linux kernel file Linux-4.10.1/drivers/media/pci/saa7164/saa7164-bus.c. The kernel (driver) uses
memcpy_fromio() to fetch the same block of device data twice from I/O memory to the kernel, and a malicious data change
by the peripheral device between the two fetches...
[SECURITY] [DSA 3893-1] jython security update
Salvatore Bonaccorso (Jun 22)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3893-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
June 22, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : jython
CVE ID : CVE-2016-4000
Debian Bug :...
[slackware-security] openvpn (SSA:2017-172-01)
Slackware Security Team (Jun 22)
[slackware-security] openvpn (SSA:2017-172-01)
New openvpn packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
14.2, and -current to fix security issues.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/openvpn-2.3.17-i586-1_slack14.2.txz: Upgraded.
This update fixes several denial of service issues discovered
by Guido Vranken.
For more information, see:...
Sitecore 7.1-7.2 Cross Site Scripting Vulnerability
hamedizadi (Jun 22)
Sitecore 7.1-7.2 Cross Site Scripting Vulnerability
Information
--------------------
Author: Hamed Izadi
Email: ("hamedizadi", "@", "gmail", ".com");
Name: XSS Vulnerability in Sitecore
Affected Software : Sitecore.NET
Affected Versions: v7.2-7.1 and possibly below
Vendor Homepage : http://www.sitecore.net/
Vulnerability Type : Cross-site Scripting
Severity : Important
Description
--------------------
By...
[SECURITY] [DSA 3890-1] spip security update
Salvatore Bonaccorso (Jun 22)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3890-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
June 21, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : spip
CVE ID : CVE-2017-9736
Debian Bug : 864921...
ESA-2017-053: EMC Isilon OneFS Privilege Escalation Vulnerability
EMC Product Security Response Center (Jun 20)
ESA-2017-053: EMC Isilon OneFS Privilege Escalation Vulnerability
EMC Identifier: ESA-2017-053
CVE Identifier: CVE-2017-4988
Severity Rating: CVSS v3 Base Score:
Base Score=> 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Affected products:
EMC Isilon OneFS 8.0.1.0
EMC Isilon OneFS 8.0.0 - 8.0.0.3
EMC Isilon OneFS 7.2.0 - 7.2.1.4
EMC Isilon OneFS 7.1.x
Summary:
EMC Isilon OneFS is affected by a...
ESA-2017-054: EMC Avamar Multiple Vulnerabilities
EMC Product Security Response Center (Jun 20)
ESA-2017-054: EMC Avamar Multiple Vulnerabilities
EMC Identifier: ESA-2017-054
CVE Identifiers:
CVE-2017-4989, CVE-2017-4990
Affected products:
EMC Avamar Server Software 7.4.1-58, 7.4.0-242 (CVE-2017-4990)
EMC Avamar Server Software 7.3.1-125, 7.3.0-233, 7.3.0-226 (CVE-2017-4989, CVE-2017-4990)
EMC Avamar Server Software 7.2.1-32, 7.2.1-31, 7.2.0-401 (CVE-2017-4989)
Severity Rating: See below for individual scores...
CVE-2017-3167: Apache httpd 2.x ap_get_basic_auth_pw authentication bypass
Jacob Champion (Jun 20)
CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.2.0 to 2.2.32
httpd 2.4.0 to 2.4.25
Description:
Use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being
bypassed.
Mitigation:
2.2.x users should either apply the patch available at...
CVE-2017-7659: mod_http2 null pointer dereference
Jim Jagielski (Jun 19)
CVE-2017-7659: mod_http2 null pointer dereference
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.24 (unreleased)
httpd 2.4.25
Description:
A maliciously constructed HTTP/2 request could cause mod_http2 to
dereference a NULL pointer and crash the server process.
Mitigation:
2.4.25 users of mod_http2 should upgrade to 2.4.26.
Credit:
The Apache HTTP Server security team would like to thank Robert...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
t2'17: Call For Papers 2017 (Helsinki, Finland)
Tomi Tuominen (Jun 11)
#
# t2'17 - Call For Papers (Helsinki, Finland) - October 26 - 27, 2017
#
Do you have a fear of being naked[0] in front of other people? Can you
name a president[1] who has climbed a palm tree during an official state
visit? Do you prefer small and efficient airports? Would you like to
present world class research to a highly technical audience? If not sure
yet, please continue reading.
t2 infosec is warmly welcoming you to Helsinki, on...
Faraday v2.5: Collaborative Penetration Test and Vulnerability Management Platform
Francisco Amato (May 29)
Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in real
time, letting you track and understand your audits. Our dashboard for
CISOs and managers uncovers the impact and risk being assessed by the
audit in real-time without the need for a single email. Developed with
a specialized set of functionalities that helps users improve their
own work, the main purpose is to...
[ERPSCAN-17-022] SSRF in PeopleSoft IMServlet
ERPScan inc (May 17)
Application: Oracle PeopleSoft
Versions Affected: ToolsRelease: 8.55.03; ToolsReleaseDB: 8.55;
PeopleSoft HCM 9.2
Vendor URL: http://oracle.com
Bugs: SSRF
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Author: Roman Shalymov (ERPScan)
Description
1. ADVISORY INFORMATION
Title:[ERPSCAN-17-022] SSRF in PeopleSoft IMServlet
Advisory ID: [ERPSCAN-17-022]
Risk: high
CVE:...
Firewall Wizards — Tips and tricks for firewall administrators
Revival?
Paul Robertson (Sep 11)
Since the last few attempts to revive the list have failed, I'm going to attempt a Facebook group revival experiment.
It'll be a bit broader in scope, but I'm hoping we can discuss technical security matters. The new group is
Security-Wizards on Facebook.
Paul
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
Faraday v2.5: Collaborative Penetration Test and Vulnerability Management Platform
Francisco Amato (May 29)
Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in real
time, letting you track and understand your audits. Our dashboard for
CISOs and managers uncovers the impact and risk being assessed by the
audit in real-time without the need for a single email. Developed with
a specialized set of functionalities that helps users improve their
own work, the main purpose is to...
Ruxcon 2017 Call For Presentations
cfp (Apr 20)
Ruxcon 2017 Call For Presentations
Melbourne, Australia, October 21-22
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2017.
This year the conference will take place over the weekend of the 21st and 22nd of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 30th of June, 2017.
.[x]. About Ruxcon .[x].
Ruxcon is...
Faraday v2.4: Collaborative Penetration Test and Vulnerability Management Platform
Francisco Amato (Mar 21)
March is already rolling and so is our work. Today we feel so happy to
share a new release, Faraday v2.4!
Before preparing an upcoming release, we try to focus not only on
improving the product but also on perfecting the user experience. We
want to go beyond optimizing your everyday work, inspiring you to do
more!
Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in...
SpiderFoot 2.9 released
Steve Micallef (Mar 16)
Hi all,
SpiderFoot 2.9.0 is now out, totaling almost 60 data collection/analysis
modules for your reconnaissance, footprinting and OSINT needs.
Here's what's new since 2.7.0 was announced here..
- *9* new modules:
- Base64 string finder
- Binary string searches (identifies file meta data)
- Censys.io data collection (device info)
- Cymon.io data collection (threat intel)
- Hunter.io...
Arachni Framework v1.5 & WebUI v0.5.11 have been released (Web Application Security Scanner)
Tasos Laskos (Feb 01)
Hey folks,
There's a new version of Arachni, a modular and high-performance Web Application Security Scanner Framework.
The highlights of this release are:
* Added arachni_reproduce utility allowing issues in reports to be reproduced.
* Browser updated to the latest PhantomJS version for improved support of modern webapps.
* New SAX based HTML parser allowing for much faster and lightweight parsing.
* Improved XSS, SQL injection,...
Faraday v2.3: Collaborative Penetration Test and Vulnerability Management Platform
Francisco Amato (Jan 31)
We are very proud to present the first 2017 edition of the Faraday
Platform! Faraday v2.3 is ready to download!
Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in real
time, letting you track and understand your audits. Our dashboard for
CISOs and managers uncovers the impact and risk being assessed by the
audit in real-time without the need for a single email....
RVAsec 2017 Call for Presentations (CFP)
Sullo (Jan 23)
The CFP for RVAsec 2017 is underway!
____________________________________
RVAsec // June 8-9th, 2017 // Richmond, VA
RVAsec is a Richmond, VA based security convention that brings top
industry speakers to the mid-Atlantic region. In its fourth year,
RVAsec 2016 attracted nearly 400 security professionals from across
the country.
Talks must be 50 minutes in length, and submissions will need to
select from one of two tracks: business or...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Re: Encrypted Malware Traffic Detection == hilarious?
Robert Graham (Jun 25)
There are two kinds of AI/ML:
1. the kind that recognizes what humans recognize (faces, cars, etc.)
2. the kind that recognizes things humans can't see (stock market trends, etc.)
The first item is real, and is slowly changing the world. The second is bogus, snake oil, emperors without clothes.
As long as I've been in the field of network intrusion detection (more than 2 decades), there has been a stream of
papers every year promising...
Re: Encrypted Malware Traffic Detection == hilarious?
Jim Bieda (Jun 25)
Here's the blog entry from Blake Anderson (one of the authors of the paper).
https://blogs.cisco.com/security/detecting-encrypted-malware-traffic-without-decryption?CAMPAIGN=Security&Country_Site=us&POSITION=Social+Media&REFERRING_SITE=Facebook&CREATIVE=Cisco%20Security
There is an open source version of this tooling that extracts the TLS
features from pcap flows and generates 'enhanced' netflow (pcap2flow)...
Re: Encrypted Malware Traffic Detection == hilarious?
Thorsten Holz (Jun 21)
More details are available in a technical report:
https://arxiv.org/pdf/1607.01639.pdf
Starting on page 8, the evaluation is explained in more detail. 99%
reflects the accuracy, but the 1-in-10,000 false discovery rate (FDR) is
much lower even in their tests. Furthermore, all these results were
obtained in synthetic tests where the ratio of malicious traffic to benign
traffic was almost 1:1 ("In total, there were 225,740 malicious and...
Re: Encrypted Malware Traffic Detection == hilarious?
Dave Aitel (Jun 21)
To be fair, the advantage of the network position is it avoids interference
with your host-protection programs (aka, implants). And evading on the host
is possible too. But both are probably necessary at some level.
Re: Encrypted Malware Traffic Detection == hilarious?
Dominique Brezinski (Jun 21)
Let me tell a little story about statistical analysis of network traffic. I
may or may not have been associated with someone that built a very
large-scale, statistics-based detection mechanism using un-sampled network
flow and HTTP proxy logs. 3200 cores chugged through the trailing X weeks
of traffic, for hundreds of thousands of hosts, building usage profiles and
then measured the distance of the current day's activity for each host from...
Encrypted Malware Traffic Detection == hilarious?
dave aitel (Jun 21)
Let's talk about the giant pile of wrong that is this reporting on
Cisco's new marketing campaign
<http://www.cnbc.com/2017/06/20/cisco-introduces-encrypted-traffic-analytics-to-detect-malwre.html>
around detecting encrypted malware traffic. "This is a seminal moment in
networking" is the quote from their CEO that CNBC decided to run. Let's
revisit the basics of this "new" technology: do statistical...
OffensiveCon Berlin 2018 Call for Papers
Moritz Jodeit (Jun 21)
========================================
OffensiveCon Berlin 2018 Call for Papers
========================================
[OVERVIEW]
We are pleased to announce the CFP for the first edition of
OffensiveCon Berlin which is a highly technical international
security conference focused on offensive security only. The aim of
OffensiveCon is to bring the community of hackers together, for
networking and sharing knowledge. The conference is...
INFILTRATE 2017 Video: Stephanie Archibald - Sierra Had a Little Lamb
dave aitel (Jun 16)
https://vimeo.com/215195101
In the Last Dancer, which is one of the great books on hacking you can
download here
<https://www.immunityinc.com/downloads/TheLastDancer.pdf> there's a page,
which I'm going to copy in its entirety below. But it's about implants.
And I have no fucking idea how Daniel Keys Moran, who is a professional
database engineer, not a hacker, knew the things he knew about hacking
when he wrote this in like,...
Re: Biggest Rocks and Glassiest Houses
allison nixon (Jun 14)
I have some anec-data from a narrow view of this problem.
When it comes to DDOS protection, and the proportion of infrastructure that
is behind reasonable, or *really really good* DDOS protection, I suspect
the USA is at the top right now. It's never been a better time to get DDOS
attacked as an American. Almost every time I've observed some major company
getting knocked over it's either outside North America or it was some...
Biggest Rocks and Glassiest Houses
dave aitel (Jun 14)
Ok, so what I was hoping to do was convince Tenable and Qualys to dig
into their data today and answer a simple question that confounds the
entire policy world. They say a few pithy things, and without any data
whatsoever, as is their truest love. The most common thing they say,
such as on the Steptoe podcast, is "We (the US) have the biggest rocks,
and the glassiest houses." By this they mean that instability in
cyberspace affects the...
Re: t2'17: Call For Papers 2017 (Helsinki, Finland)
Dave Aitel (Jun 13)
Just for calling me a cyber policies person I might do an entire keynote on
writing Solaris exploits. :)
-dave
t2'17: Call For Papers 2017 (Helsinki, Finland)
Tomi Tuominen (Jun 13)
#
# t2'17 - Call For Papers (Helsinki, Finland) - October 26 - 27, 2017
#
Do you have a fear of being naked[0] in front of other people? Can you
name a president[1] who has climbed a palm tree during an official state
visit? Do you prefer small and efficient airports? Would you like to
present world class research to a highly technical audience? If not sure
yet, please continue reading.
t2 infosec is warmly welcoming you to Helsinki, on...
Andrew Johnson / Sacha Faust - Cloud Post Exploitation Techniques @ Infiltrate 2017
Dave Aitel (May 30)
https://vimeo.com/214855977
So imagine if instead of trying to use SMB everywhere inside corporate
networks it had used Active Directory techniques, or maybe a bit of both?
And in addition, people have poorly understood the risks of the way the
Active Directory model was ported to the cloud. Amazon and Azure and Google
all kinda work the same, and all present similar risks, and MANY of these
risks are fogged up by the difficulties of working...
Platform Risk
dave aitel (May 25)
COM SECURITY TALK from INFILTRATE 2017: https://vimeo.com/214856542
Ok, so I have a concept that I've tried to explain a bunch of times and
failed every time. And it's how not just codebases decompose, but also
whole platforms. And when that platform cracks, everything built on it
has to be replaced from scratch. Immunity has already gone through our
data, like every other consulting company, and found that the process of
the SDL is 10...
Finding new bugs in 2027
Dave Aitel (May 09)
https://vimeo.com/215511922
I could talk about the people giving this INFILTRATE talk on Binary Ninja
at great length. But INFILTRATE is not about the people in that way! And of
course, like every conference, INFILTRATE has a policy of not letting talks
become product pitches. But the design behind the Binary Ninja product is
something very interesting. The progress of this kind of fundamental
technology influences how easy or hard it is going...
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
Re: [Security Weekly] cheap hosting
Robin Wood (Sep 23)
Resurrecting an old thread but they now have an affiliate program and I can
issue my own codes so:
20% off all servers AqUVYbUXag
50% off all big dog (whatever that is) 7E9YRUzEZy
After a month with them, their tech support is OK but not great, the server
has stayed up and not had any problems.
Robin
Re: [Security Weekly] projecting in a bright space
Jeremy Pommerening (Aug 28)
I would look for a projector with at least 6000 ANSI Lumens or better. A darker screen (grey) may also help.
Jeremy Pommerening
________________________________
From: Robin Wood <robin () digi ninja>
To: Security Weekly Mailing List <pauldotcom () mail securityweekly com>
Sent: Sunday, August 3, 2014 3:42 AM
Subject: [Security Weekly] projecting in a bright space
I've been looking at the venue for next year's...
[Security Weekly] Two Firefox security bugs related to HTTPS
ffbugishere (Aug 17)
Hello world!
We need votes for security bugs!
Adding "Security Exception" for self-signed HTTPS sites cannot be done
permanently
https://bugzilla.mozilla.org/show_bug.cgi?id=1050100
Firefox 31 doesn't support the industry recommended best HTTPS
ciphers
https://bugzilla.mozilla.org/show_bug.cgi?id=1051210
Other browsers should have the same bugs fixed..
p.s.: We are not related to this group, but we think they're worth a
penny...
Re: [Security Weekly] Java and Flash decompilers
Will Metcalf (Aug 05)
JPEXS is very nice for flash IMHO.
http://www.free-decompiler.com/flash/
Regards,
Will
Re: [Security Weekly] Java and Flash decompilers
Bradley McMahon (Aug 05)
I've used flare before to pull apart a flash site for a client.
http://www.nowrap.de/flare.html
-Brad
Re: [Security Weekly] SecurityCenter alternative
Steven McGrath (Aug 04)
SC certainly isn't cheap (as a former SC customer that moved over to Tenable I can attest to that) however I can point
out that the data aggregation, trending, and custom reporting were huge wins in my book. I guess it's a time/money
trade-off. How much time do you want to spend either cobbling together a tool or manually aggregating the data when
there is another tool already out there that can do it out of the box?
I can speak in more...
Re: [Security Weekly] Java and Flash decompilers
S. White (Aug 04)
A few I've used in the past:
JAD - http://varaneckas.com/jad/ , http://en.wikipedia.org/wiki/JAD_(JAva_Decompiler)
HP SWFscan
Adobe SWF investigator http://labs.adobe.com/technologies/swfinvestigator/
________________________________
From: Robin Wood <robin () digi ninja>
To: Security Weekly Mailing List <pauldotcom () mail securityweekly com>
Sent: Monday, August 4, 2014 5:54 AM
Subject: [Security Weekly] Java and...
[Security Weekly] DoFler @ BSidesLV
Steven McGrath (Aug 04)
This will be the 3rd year that DoFler (the Dashboard of Fail) will be at BSidesLV. This year I wrote a new spiffy
interface for maximum trolling. Let’s be honest now, everyone loves to surf for various forms of horrible on the
internet at cons :D. Also added this year is a little vulnerability analysis (using Tenable’s PVS). Every year I try
to improve it a bit based on everyone’s input, and am always welcome to more feedback.
DB...
Re: [Security Weekly] cheap hosting
Robin Wood (Aug 04)
Already sorted but thanks for the info.
Re: [Security Weekly] Java and Flash decompilers
Nathan Sweaney (Aug 04)
Here are a few others I've used with varying success in the past:
SWFInvestigator - http://labs.adobe.com/technologies/swfinvestigator/
SWFScan - from Rafal Los at HP, though the link has been deleted. (Careful,
I've seen trojaned copies online.)
Re: [Security Weekly] SecurityCenter alternative
Paul Asadoorian (Aug 04)
Thanks all for the informative discussion!
I know, I'm jumping in late, some closing thoughts on the subject:
- SecurityCenter has the unique advantage of consolidating plugin
updates, meaning you could have hundreds of Nessus scanners deployed in
your organization, and the scanners get the plugin feed from your
SecurityCenter system. This removes the requirement of Internet access
(from the scanners), and greatly eases the administration...
Re: [Security Weekly] SecurityCenter alternative
k41zen (Aug 04)
Thanks for all of your help.
We are in discussions with our Tenable contact about solutions for this issue. They’ve helped me out by enabling me to
move forward to at least deploy this into a Pre-Production environment but the costs of SC are a massive stumbling
block; hence my question about something else. Appreciate we have a big Nessus fan base here of which I am a member
too, but just wondered what could be wrapped around it.
I’ll...
Re: [Security Weekly] SecurityCenter alternative
Adrien de Beaupre (Aug 04)
Hi,
I have also written a series of scripts to collect data from tools such as
nmap and nessus to import into MySQL called OSSAMS:
http://www.ossams.com/wp-content/uploads/2011/10/ossams-parser-SecTor-2011.zip
That leaves report writing as a series of SQL queries.
I also have a series of scripts to kick off scans, as well as a command
line XML-RPC nessus client in python if anyone is interested.
Cheers,
Adrien
Re: [Security Weekly] cheap hosting
sec list (Aug 04)
Hey Robin,
If you're still looking, might want to try out getclouder.com - they
spin up Linux containers in 5 seconds and use distributed storage, which
is pretty awesome. It's still in beta, so they offer 3 months free
service, but it has been pretty stable so far from my experience.
[Security Weekly] Java and Flash decompilers
Robin Wood (Aug 04)
Hi
I'm trying to put together a list of tools for decompiling Flash and Java
apps. From asking on another list I already have:
Java
JD-GUI
Java Decompiler http://jd.benow.ca/jd-gui/downloads/jd-gui-0.3.6.windows.zip.
Java snoop https://code.google.com/p/javasnoop/
Flash
Trillix
Flashbang https://github.com/cure53/Flashbang
Has anyone here got any others they can suggest?
Ideally I'm looking for free stuff but cheap commercial...
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
Honeypot malware archives
Matteo Cantoni (Feb 14)
Hello everyone,
I would like to share with you, for educational purposes and without any
commercial purpose, data collected by my homemade honeypot.
Nothing new, nothing shocking, nothing sensational... but I think it can
be of interest to newcomers to the world of analysis of malware,
botnets, etc... maybe for a thesis.
The files collected are divided into zip archives, in alphabetical
order, with a password (which must be requested via email). Some...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
The following CVEs have undergone a major revision increment:
Microsoft (Jun 27)
********************************************************************
Title: Microsoft Security Update Releases
Issued: June 27, 2017
********************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
* CVE-2017-0173 * CVE-2017-0299 * CVE-2017-8482 * CVE-2017-8522
* CVE-2017-0193 * CVE-2017-0300 * CVE-2017-8483 * CVE-2017-8523
* CVE-2017-0215 *...
The following CVE was released on June 23, 2017:
Microsoft (Jun 23)
********************************************************************
Title: Microsoft Security Update Releases
Issued: June 23, 2017
********************************************************************
Summary
=======
The following CVE was released on June 23, 2017:
CVE-2017-8558
- Impact: Remote Code Execution
- Version Number: 1.0
Other Information
=================
Recognize and avoid fraudulent email to Microsoft customers:...
The following CVEs have undergone a major revision increment:
Microsoft (Jun 23)
********************************************************************
Title: Microsoft Security Update Releases
Issued: June 23, 2017
********************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
* CVE-2017-0173 * CVE-2017-0299 * CVE-2017-8482 * CVE-2017-8522
* CVE-2017-0193 * CVE-2017-0300 * CVE-2017-8483 * CVE-2017-8523
* CVE-2017-0215 *...
The following CVEs have been added to June 2017 security release.
Microsoft (Jun 21)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: June 21, 2017
********************************************************************
Summary
=======
The following CVEs have been added to June 2017 security release.
* CVE-2017-8575
* CVE-2017-8576
* CVE-2017-8579
Revision Information:
=====================
- CVE-2017-8575 | Microsoft Graphics Component...
The following CVEs have undergone a major revision increment:
Microsoft (Jun 21)
********************************************************************
Title: Microsoft Security Update Releases
Issued: June 21, 2017
********************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
* CVE-2017-0173 * CVE-2017-0299 * CVE-2017-8482 * CVE-2017-8522
* CVE-2017-0193 * CVE-2017-0300 * CVE-2017-8483 * CVE-2017-8523
* CVE-2017-0215 *...
The following bulletins have undergone a major revision increment.
Microsoft (Jun 13)
********************************************************************
Title: Microsoft Security Update Releases
Issued: June 13, 2017
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
* MS16-095
* MS16-AUG
Revision Information:
=====================
MS16-095
- Title: Cumulative Security Update for Internet Explorer (3177356)
- https:...
Security Advisories Released or Updated Today
Microsoft (Jun 13)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: June 13, 2017
********************************************************************
Security Advisories Released or Updated Today
==============================================
* Microsoft Security Advisory 4025685
- Title: Guidance related to June 2016 security update release
-...
The following CVE has been revised in the May 2017 Security Updates.
Microsoft (Jun 13)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: June 13, 2017
********************************************************************
Summary
=======
The following CVE has been revised in the May 2017 Security Updates.
* CVE-2017-0222
Revision Information:
=====================
CVE-2017-0222
- Title: CVE-2017-0222 | Internet Explorer Memory Corruption...
The following CVEs have undergone a major revision increment.
Microsoft (Jun 13)
********************************************************************
Title: Microsoft Security Update Releases
Issued: June 13, 2017
********************************************************************
Summary
=======
The following CVEs have undergone a major revision increment.
* CVE-2017-0167
* CVE-2016-3326
Revision Information:
=====================
CVE-2017-0167
- Title: CVE-2017-0167 | Windows Kernel Information Disclosure...
This summary lists security updates released for June 2017
Microsoft (Jun 13)
********************************************************************
Microsoft Security Update Summary for June 2017
Issued: June 13, 2017
********************************************************************
This summary lists security updates released for June 2017.
Complete information for the June 2017 security update release can
be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>.
Critical Security Updates...
Microsoft Security Update Releases
Microsoft (May 26)
********************************************************************
Title: Microsoft Security Update Releases
Issued: May 25, 2017
********************************************************************
Summary
=======
The following CVEs have been added to May 2017 release.
* CVE-2017-8535
* CVE-2017-8536
* CVE-2017-8537
* CVE-2017-8538
* CVE-2017-8539
* CVE-2017-8540
* CVE-2017-8541
* CVE-2017-8542
Revision Information:
=====================...
Microsoft Security Update Releases
Microsoft (May 19)
********************************************************************
Title: Microsoft Security Update Releases
Issued: May 19, 2017
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment.
* CVE-2017-0223
Revision Information:
=====================
CVE-2017-0223
- Title: CVE-2017-0223 | Microsoft Edge Elevation of Privilege
Vulnerability
-...
Title: Microsoft Security Advisory Notification
Microsoft (May 11)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: May 11, 2017
********************************************************************
Security Advisories Released or Updated Today
==============================================
* Microsoft Security Advisory 4021279
- Title: Vulnerabilities in .NET Core, ASP.NET Core Could Allow
Elevation of Privilege
-...
Microsoft Security Update Summary for May 2017
Microsoft (May 09)
********************************************************************
Microsoft Security Update Summary for May 2017
Issued: May 9, 2017
********************************************************************
This summary lists security updates released for May 2017.
Complete information for the May 2017 security update release can
be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>.
Critical Security Updates...
Microsoft Security Advisory Notification
Microsoft (May 08)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: May 8, 2017
********************************************************************
Security Advisories Released or Updated Today
==============================================
* Microsoft Security Advisory 4022344
- Title: Security Update for Microsoft Malware Protection Engine
-...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Verizon: 1.5M of Contact Records Stolen, Now on Sale
Jeffrey Walton (Mar 26)
http://www.mobipicker.com/verizon-1-5m-contact-records-stolen-now-sale/:
A business to business telecommunication giant,
Verizon Enterprise Solutions, a Basking Ridge,
New Jersey-based company, has been the latest
victim of a cyber crime that stole 1.5 million contact
records of the customers of Verizon...
I don't quite understand this double talk. Could someone explain to me:
A spokesperson from Verizon said that...
Statement on Lavabit Citation in Apple Case
Jeffrey Walton (Mar 16)
(From John Young on another list):
http://www.facebook.com/KingLadar/posts/10156714933135038
As many of you already know, the government cited the Lavabit case in
a footnote. The problem is their description insinuates a precedent
that was never created. Obviously I was somewhat disturbed by their
misrepresentation. So I decided to draft a statement. And keep in
mind, these are the same people who say "trust us." Click continue to
read...
The NSA's back door has given every US secret to our enemies
Jeffrey Walton (Feb 29)
http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2
Deng Xiaoping, in 1979 - his second year as supreme leader of China -
perceived a fundamental truth that has yet to be fully grasped by most
Western leaders: Software, if properly weaponized, could be far more
destructive than any nuclear arsenal.
Under Deng’s leadership, China began one of the most ambitious and
sophisticated meta- software...
Can Spies Break Apple Crypto?
Jeffrey Walton (Feb 27)
Here's an interesting exchange between Cryptome and Michael Froomkin,
Law Professor at University of Miami, on the All Writs Act
(http://cryptome.org/2016/02/can-spies-break-apple-crypto.htm):
-----
A. Michael Froomkin:
The factual posture in the key Supreme Court precedent, New York
Telephone, involved a situation where only the subject of the order
was capable of providing the assistance at issue. This is the basis
for Apple's...
The FBI's iPhone Problem: Tactical vs. Strategic Thinking
Jeffrey Walton (Feb 23)
http://www.technewsworld.com/story/83130.html
I'm an ex-sheriff, and I've been in and out of security jobs for much
of my life, so I've got some familiarity with the issues underlying
the drama between the FBI and Apple. FBI officials -- and likely those
in every other three-letter agency and their counterparts all over the
world -- would like an easier way to do their jobs. Wouldn't we all?
If they could put cameras in...
Wanted: Cryptography Products for Worldwide Survey
Jeffrey Walton (Jan 01)
(http://www.schneier.com/crypto-gram/archives/2015/1215.html):
In 1999, Lance Hoffman, David Balenson, and others published a survey
of non-US cryptographic products. The point of the survey was to
illustrate that there was a robust international market in these
products, and that US-only export restrictions on strong encryption
did nothing to prevent its adoption and everything to disadvantage US
corporations. This was an important contribution...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
Multiple Petya Ransomware Infections Reported
US-CERT (Jun 27)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Multiple Petya Ransomware Infections Reported [
https://www.us-cert.gov/ncas/current-activity/2017/06/27/Multiple-Petya-Ransomware-Infections-Reported ] 06/27/2017
12:56 PM EDT
Original release date: June 27, 2017
US-CERT has received multiple reports of Petya ransomware infections occurring in networks in many countries around the
world. Ransomware [...
NIST Releases New Digital Identity Guidelines
US-CERT (Jun 26)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
NIST Releases New Digital Identity Guidelines [
https://www.us-cert.gov/ncas/current-activity/2017/06/26/NIST-Releases-New-Digital-Identity-Guidelines ] 06/26/2017
10:48 PM EDT
Original release date: June 26, 2017
The National Institute of Standards and Technology (NIST) has released the Digital Identity Guidelines document
suite. The four-volume suite offers...
IRS Warns of Summertime Scams
US-CERT (Jun 26)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
IRS Warns of Summertime Scams [ https://www.us-cert.gov/ncas/current-activity/2017/06/26/IRS-Warns-Summertime-Scams ]
06/26/2017 01:47 PM EDT
Original release date: June 26, 2017
The Internal Revenue Service (IRS) has released an alert warning of various types of scams targeting taxpayers this
summer. The alert describes common features of these cyber crimes,...
FTC Releases Alert on Tech-Support Scams
US-CERT (Jun 23)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
FTC Releases Alert on Tech-Support Scams [
https://www.us-cert.gov/ncas/current-activity/2017/06/23/FTC-Releases-Alert-Tech-Support-Scams ] 06/23/2017 04:09 PM
EDT
Original release date: June 23, 2017
The Federal Trade Commission (FTC) has released an alert on technical-support scams. In these schemes, deceptive
tech-support operations [...
IC3 Issues Internet Crime Report for 2016
US-CERT (Jun 21)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
IC3 Issues Internet Crime Report for 2016 [
https://www.us-cert.gov/ncas/current-activity/2017/06/21/IC3-Issues-Internet-Crime-Report-2016 ] 06/21/2017 06:40 PM
EDT
Original release date: June 21, 2017
The Internet Crime Complaint Center (IC3) has released its 2016 Internet Crime Report, describing the numbers and types
of cyber crimes reported to IC3. Business...
Drupal Releases Security Updates
US-CERT (Jun 21)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Drupal Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/06/21/Drupal-Releases-Security-Updates ] 06/21/2017 05:30 PM EDT
Original release date: June 21, 2017
Drupal has released an advisory to address several vulnerabilities in Drupal versions 7.x and 8.x. A remote attacker
could exploit one of these vulnerabilities to take control of...
Cisco Releases Security Updates
US-CERT (Jun 21)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Cisco Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/06/21/Cisco-Releases-Security-Updates ] 06/21/2017 03:45 PM EDT
Original release date: June 21, 2017
Cisco has released updates to address several vulnerabilities affecting multiple products. A remote attacker could
exploit one of these vulnerabilities to take control of a system....
Google Releases Security Updates for Chrome
US-CERT (Jun 15)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Google Releases Security Updates for Chrome [
https://www.us-cert.gov/ncas/current-activity/2017/06/15/Google-Releases-Security-Updates-Chrome ] 06/15/2017 09:27 PM
EDT
Original release date: June 15, 2017
Google has released Chrome version 59.0.3071.104 for Windows, Mac, and Linux. This version addresses several
vulnerabilities, including one that an attacker...
Mozilla Releases Security Update
US-CERT (Jun 15)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Mozilla Releases Security Update [
https://www.us-cert.gov/ncas/current-activity/2017/06/15/Mozilla-Releases-Security-Update ] 06/15/2017 09:29 PM EDT
Original release date: June 15, 2017
Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. A remote attacker could
exploit some of these vulnerabilities to take control of an...
ISC Releases Security Updates for BIND
US-CERT (Jun 14)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
ISC Releases Security Updates for BIND [
https://www.us-cert.gov/ncas/current-activity/2017/06/15/ISC-Releases-Security-Updates-BIND ] 06/15/2017 01:26 AM EDT
Original release date: June 15, 2017
The Internet Systems Consortium (ISC) has released updates that address two vulnerabilities in BIND. An attacker could
exploit one of these vulnerabilities to take...
Mozilla Releases Security Updates
US-CERT (Jun 13)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Mozilla Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/06/13/Mozilla-Releases-Security-Updates ] 06/13/2017 04:52 PM EDT
Original release date: June 13, 2017
Mozilla has released security updates to address multiple vulnerabilities in Firefox and Firefox ESR. A remote attacker
could exploit some of these vulnerabilities to take...
Microsoft Releases June 2017 Security Updates
US-CERT (Jun 13)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Microsoft Releases June 2017 Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/06/13/Microsoft-Releases-June-2017-Security-Updates ] 06/13/2017
04:56 PM EDT
Original release date: June 13, 2017
Microsoft has released updates to address vulnerabilities in Microsoft software. A remote attacker could exploit some
of these vulnerabilities to take...
Adobe Releases Security Updates
US-CERT (Jun 13)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Adobe Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/06/13/Adobe-Releases-Security-Updates ] 06/13/2017 04:51 PM EDT
Original release date: June 13, 2017
Adobe has released security updates to address vulnerabilities in Adobe Flash Player, Shockwave Player, Captivate, and
Digital Editions. A remote attacker could exploit some of...
TA17-164A: HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
US-CERT (Jun 13)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
TA17-164A: HIDDEN COBRA – North Korea's DDoS Botnet Infrastructure [ https://www.us-cert.gov/ncas/alerts/TA17-164A ]
06/13/2017 11:45 AM EDT
Original release date: June 13, 2017
Systems Affected
Networked Systems
Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and
the Federal Bureau of...
TA17-163A: CrashOverride Malware
US-CERT (Jun 12)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
TA17-163A: CrashOverride Malware [ https://www.us-cert.gov/ncas/alerts/TA17-163A ] 06/12/2017 05:44 PM EDT
Original release date: June 12, 2017
Systems Affected
Industrial Control Systems
Overview
The National Cybersecurity and Communications Integration Center (NCCIC) is aware of public reports from ESET and
Dragos outlining a new, highly capable Industrial...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
Re: CoreOS membership to linux-distros
Euan Kemp (Jun 27)
To clarify your example, we're primarily concerned with preparing
updates for our distribution's kernel and userland, not for containers.
We'd be happy to help when we're able to, but our intent is mainly
consumption for the security of our users.
We'll, of course, respect embargoes.
- Euan
Re: CoreOS membership to linux-distros
Kurt Seifried (Jun 27)
My main question would be what expertise do you have in helping with
security issues, e.g. kernel/glibc/other engineering talent? Or do you
simply need this as a consumer of such data (e.g. so you can get containers
ready to respin for embargoed issues, and to be clear, I'm not opposed to
this type of consumption if it's in the public interest, you won't break
embargoes, etc.).
CoreOS membership to linux-distros
Euan Kemp (Jun 27)
Hello.
We, the Container Linux team at CoreOS[0], would like to request
membership to the linux-distros list.
We've requested membership once before[1], but at the time new members
weren't being added iirc.
Based on Solar's comments in the Stack Clash thread, this seems like a
good time to renew this discussion.
To preempt some possible questions:
Q: What’s Container Linux?
Container Linux (formerly called CoreOS) is a linux...
CVE-2017-9445: Out-of-bounds write in systemd-resolved with crafted TCP payload
Chris Coulson (Jun 27)
Hi,
I recently discovered an out-of-bounds write in systemd-resolved in
Ubuntu, which is possible to trigger with a specially crafted TCP payload.
Details from the Ubuntu bug follow:
https://launchpad.net/bugs/1695546
----
Certain sizes passed to dns_packet_new can cause it to allocate a buffer
that's too small. A page-aligned number - sizeof(DnsPacket) +
sizeof(iphdr) + sizeof(udphdr) will do this - so, on x86 this will be a
page-aligned...
Re: malicious hypervisor threat was ignored but it is real
Solar Designer (Jun 27)
Hi Mikhail,
The concern is legitimate and there are relevant PoC's (perhaps starting
with Joanna Rutkowska's Blue Pill), but as a moderator for oss-security
I find your message inappropriate for this list: no focus on Open Source
(relevance yes, focus no), effectively no substance (only references to
others' work and general reasoning about how the attacks are possible),
promotion of your company and resource, a couple of...
malicious hypervisor threat was ignored but it is real
Mikhail Utin (Jun 27)
In 2006, Michigan University (MU) team with the participation of Microsoft research team published an article
describing the development of the most advanced malware - "SubVirt: Implementing malware with virtual machines".
The research has been supported by US government and Intel Corporation. The research is the proof of concept –
virtualization technology can be used to develop a malware (Malicious Hypervisor – MH) which can...
CVE-2017-8797 Linux kernel: nfsd: remote DoS
Ari Kauppi (Jun 27)
Hi,
Linux kernel NFSv4 server is vulnerable to a remote DoS attack.
The NFSv4 server in the Linux kernel does not properly validate layout type
when processing NFSv4 pNFS LAYOUTGET operand. The provided input
value is not properly validated and is used for array dereferencing. OOPS
is triggered which leads to DoS of knfsd and eventually to soft-lockup of
whole system.
In addition, on normal processing path there is a C undefined behavior...
Re: civilized discussion (Re: More CONFIG_VMAP_STACK vulnerabilities, refcount_t UAF, and an ignored Secure Boot bypass / rootkit method)
Kyle R (Jun 27)
+1 for Solar always having a level-head when moderating this list.
________________________________
From: Kurt Seifried <kseifrie () redhat com>
Sent: Monday, June 26, 2017 2:26:46 PM
To: oss-security () lists openwall com
Subject: Re: [oss-security] civilized discussion (Re: More CONFIG_VMAP_STACK vulnerabilities, refcount_t UAF, and an
ignored Secure Boot bypass / rootkit method)
To be clear solar has always been a sane and polite...
Re: Re: More CONFIG_VMAP_STACK vulnerabilities, refcount_t UAF, and an ignored Secure Boot bypass / rootkit meth
PaX Team (Jun 27)
Since your professional job is to issue CVEs and you did so in our case based
on an erroneous judgement call, I believe it falls into this category.
You have yet to explain why it is so. The Qualys advisory and their explicit
reject requests state the exact opposite.
I will stop emailing you when you live up to your professional obligation
and make sure that the CVE you issued in error is rescinded.
You said that the requestor has to ask for...
Re: Re: More CONFIG_VMAP_STACK vulnerabilities, refcount_t UAF, and an ignored Secure Boot bypass / rootkit meth
PaX Team (Jun 27)
I completely agree with you but then I can't explain why you chose to insult
our projects last week and still have not remedied it (both the CVE and your
insulting tweet are still up). I find it curious how you can preach about
professionalism after being the very instigator of the recent splat (heck,
instead of answering, you called it a conspiracy theory when I asked you in
private why you issued the CVE to begin with which then forced us...
re: two vulns in uClibc-0.9.33.2
fefe (Jun 26)
Use -fsanitize=address, otherwise it does not crash.
I think glibc is also affected; if some servers, like a PHP server, use glibc or uClibc to parse regular expressions
which are input by users, it can cause DDoS.
Re: Re: More CONFIG_VMAP_STACK vulnerabilities, refcount_t UAF, and an ignored Secure Boot bypass / rootkit meth
Kurt Seifried (Jun 26)
So as per the private email thread we had previously I'm not going to be
interacting with you beyond what is strictly necessary for CVE and other
professional purposes.
On the CVE REJECT side, CVE-2017-1000377 looks legitimate, although I'm
inclined to agree with Qualys and REJECT it so that you stop emailing. I
did contact MITRE, I haven't had time to reply to them yet (they are
also wondering why the CVE needs REJECT'ing),...
OpenVPN fuzzers released
Guido Vranken (Jun 26)
I've published the fuzzers that I used to find the recent set of
vulnerabilities in OpenVPN:
https://github.com/guidovranken/openvpn/tree/fuzzing
Not all of OpenVPN's code is covered by this set of fuzzers. It is
entirely conceivable that more vulnerabilities exist, but more fuzzers
have to be written in order to find them. The helper functions and IO
abstractions I've written should simplify this effort. So here is your...
Re: civilized discussion (Re: More CONFIG_VMAP_STACK vulnerabilities, refcount_t UAF, and an ignored Secure Boot bypass / rootkit method)
Kurt Seifried (Jun 26)
To be clear solar has always been a sane and polite person, but I don't know what the list policy is, in part because I
don't think this has really come up before (that I can remember).
-Kurt
civilized discussion (Re: More CONFIG_VMAP_STACK vulnerabilities, refcount_t UAF, and an ignored Secure Boot bypass / rootkit method)
Solar Designer (Jun 26)
Hi all,
Yes, I too would like the discussions in here to stay civilized.
Brad wrote to Linus:
and I hope that Linus won't reply (as far as I can see, he did not so
far) and this does in fact end that thread.
At Openwall, we also host the kernel-hardening mailing list, but we
currently moderate it similarly - that is, we're not preventing
occasional/infrequent threads like this right away, letting a sensible
number of messages to...
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
Silver Bullet 123: Yanek Korff
Gary McGraw (Jul 06)
hi sc-l,
The latest installment of Silver Bullet was posted this morning. Silver Bullet episode 123 features a conversation
with Yanek Korff. Yanek worked for many years at Cigital as a system administrator back in the early days. He then
moved on to operational security work at AOL and running managed security services at Mandiant.
We talk about managing technical people in this episode. We also discuss operational security. Have a...
Educause Security Discussion — Securing networks and computers in an academic environment.
Email retention
Gregory A Jackson (Jun 23)
Yeah, I know, everyone’s favorite.
If anyone is particularly happy with their email retention policy-especially for faculty and staff-I’d welcome private
(or even public) communication.
My sense is that most institutions either (a) leave all email in users’ inboxes so long as users remain employed, or
possibly (b) leave it in folders other than “inbox” but purge inbox after 30-60 days (that is, users can keep mail by
moving it to...
Re: Phishing take down notices.
Ford, Bryan (Jun 22)
Thank you everyone for your responses. Looks like Google reporting seems pretty popular. Not surprised by PhishTank; glad
to know Keith can help out with that. Will have
to look at the others, some great ideas.
Thanks
Bryan
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Keith
Hartranft
Sent: Wednesday, June 21, 2017 2:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re:...
Re: viruses that have been cleaned or quarantined
Kevin Wilcox (Jun 22)
This is why we have such a difficult time with teaching our users the
right way to do things. They don't want to rebuild a system so they go
online to find some argument as to why they shouldn't have to, then we
(the royal we, the InfoSec/SecOps community we) have to spend time
telling them why this comment they found on a forum or mailing list is
being interpreted incorrectly instead of just getting on with proper
remediation....
Re: viruses that have been cleaned or quarantined
Tim Doty (Jun 22)
I agree, it is a touchy subject.
Or not. Without forensics, how do you really know that nothing was executed?
As you say, this discussion is pretty much missing any context. The
problem is, the more context that is applied the more specific and the
less generalizable any comment is.
But for what it's worth, my approach is based on accepting that, in
general, we cannot know for certain whether or not a machine is infected
and then taking...
Re: viruses that have been cleaned or quarantined
Frank Barton (Jun 22)
This is a touchy subject in some cases, and I think there is a certain
amount of subjectivity that needs to be brought into context.
If the infection was contained before it was able to launch/take hold (i.e.
AV prevented a file from being downloaded, or accessed after download),
then "cleaning" is somewhat of a mis-nomer. remove the infected file, and
you're all set.
Survey about Higher Education Cloud Vendor Assessment Tool
Nick Lewis (Jun 22)
Hi everyone,
The Higher Education Cloud Vendor Assessment Tool (HECVAT) attempts to generalize higher education information security
and data protection questions and issues regarding third party and/or cloud services for consistency and ease of use
and to ensure that such services are appropriately assessed for security and privacy needs, including some that are
unique to higher education.
The HECVAT was created by a working group composed...
Re: viruses that have been cleaned or quarantined
Garmon, Joel (Jun 22)
Very good thread.
There is another nuance that I consider in reviewing AV alerts -- was it
caught in a real time scan (meaning the first time the file was downloaded
or used and stopped before executing) or in a periodic scan (daily or
weekly scan which means the virus has been on the system for a while and
already executed)
We also have special groups for departments that handle PII and have alerts
set up so we know when any virus hits these...
Re: Phishing take down notices.
Philip Webster (Jun 21)
Using your local CERT is definitely an option worth discussing. I've also
generally had good responses and turn-arounds using the Netcraft toolbar.
Cheers
Phil
Philip Webster, IT Security Specialist, Griffith University
Re: viruses that have been cleaned or quarantined
Belford, Jason C. (jcb3zr) (Jun 21)
Sounds like we are revisiting this 2013 ShmooCon presentation (still relevant):
https://www.youtube.com/watch?v=lb1XDMbQOiM&ab_channel=Christiaan008
It shows where stuff can hide that cannot be detected that can later be used to re-infect the machine. Neither file hashes
nor traditional AV are going to help you. Just wipe the drive!
--J
—
Jason C. Belford, CISSP
Chief Information Security Officer
E jason.belford () virginia edu
P...
Re: viruses that have been cleaned or quarantined
Ken Connelly (Jun 21)
25% is being overly kind and generous. Otherwise, I'm with Kevin on
this one. "Cleaning" is not an option. Wipe, reformat, and
reinstall/reimage is the only way to go. That might seem like overkill,
but it saves time, headache, and gnashing of teeth in the long run.
-ken
Re: viruses that have been cleaned or quarantined
Kevin Wilcox (Jun 21)
Chelsie -
I see no difference between AV and IDS. The idea that AV can "clean" a
system is one that I'd like to see eradicated.
That's not to say that it's impossible - just that it takes known-good
cryptographic hash values for every file on the system, a trusted
off-system scanning agent and good alerting when something changes.
That's before having the same thing in place for registry hives, the
ability to...
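A minimal version of the known-good-hash baseline Kevin describes, as an added example (not code from the EDUCAUSE thread). It records a SHA-256 for every regular file under a directory, takes a later snapshot, and reports what was added, removed or modified. The directory tree it checks, and the "infection" it imitates, are constructed inside a temporary directory so the example runs offline; in real use the baseline comes from a known-good image and the comparison is run by a trusted agent from outside the suspect host, which is the part of Kevin's requirement this example cannot show.

```python
"""File-integrity baseline: hash every regular file, compare snapshots.

Added example, not code from the EDUCAUSE thread. The sample tree and the
changes made to it are constructed here for illustration.
"""
import hashlib
import os
import tempfile


def hash_tree(root: str) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its
    SHA-256 hex digest. Symlinks are skipped so a link cannot stand in for
    the file it points at."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between two snapshots; each entry is
    something to alert on, not something to 'clean'."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    """Helper for the constructed scenario: create rel under root."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then imitate an
    infection that drops a new binary, patches an existing one and deletes
    a log, and return the comparison."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/svc", b"original service binary")
        _write(root, "etc/app.conf", b"listen=127.0.0.1\n")
        _write(root, "log/audit.log", b"2017-06-21 login ok\n")
        baseline = hash_tree(root)

        _write(root, "bin/svc", b"original service binary + injected stub")
        _write(root, "bin/dropper", b"new unexpected executable")
        os.remove(os.path.join(root, "log", "audit.log"))
        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison is only as trustworthy as the machine running it: a compromised kernel can lie to `os.walk` and `open`, which is why the post asks for an off-system scanning agent and why the thread's consensus is still to reimage.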
Re: Phishing take down notices.
Joel Anderson (Jun 21)
Depending on the site, we *may* report to the domain owner, but always
report to the "Google Report" page. We log internally when we block DNS for
suspect sites. We also use that to report to the Anti-Phishing Email Reply
(APER) group. Many of the "free website provider" sites are responsive and
take down pages - I report to them.
viruses that have been cleaned or quarantined
Chelsie Power (Jun 21)
Hi everyone.
If your virus scanner has cleaned or quarantined a virus/malware/etc., do you do any additional scanning or followup on
the endpoint? I know virus definitions, though up to date, may potentially just be catching a virus that have lived on
the machine for several months and had only been recently identified. Do you trust that "cleaned" means it took care of
any damage that had been done, if any?
Thank you for your...
Re: Phishing take down notices.
Keith Hartranft (Jun 21)
Bryan,
We did a presentation via Educause/RI last September called School of
Phish. Via Google Safebrowsing reporting and Phishtank these get into
Browser blocks very quickly if reported and verified. I'm kkh288 in PT and
would be happy to add verification assistance if you let me know your
reporting "handle". We track a few other edu reporters here that our team
assists with.
https://www.phishtank.com/user.php?username=kkh288...
Re: Phishing take down notices.
Haas, Mike (Jun 21)
I submit it to google "report phishing page", send an email to the US-CERT report phishing site email alias and also
submit it to our AV vendor
Sent from my iPhone
-------------------------
Michael Haas
Information Technology Coordinator
Lenape Regional High School District
How are you reporting a takedown notice for a phishing site. Presently we have no standard for takedown notices. We
will notify the Domain owner most times, but...
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: Point 2 point IPs between ASes
Job Snijders (Jun 27)
Yes, "longer than /64" subnets are fine for point2point. If the equipment
on both sides supports RFC 6164 I'd use a /127, otherwise a /126.
I was thinking, if someone is using RFC7404 for point to point IP between
I wouldn't use link-local in context of Inter-Domain Routing. Too hard to
troubleshoot, many networks expect globally unique IP addresses for their
BGP neighbors, you want to be able to call a NOC and have the IPs...
Re: Point 2 point IPs between ASes
Niels Bakker (Jun 27)
* KShah () primustel ca (Krunal Shah) [Tue 27 Jun 2017, 22:28 CEST]:
Whatever you want.
If you can protect the loopback IP from DDoS you can equally protect
linknet IPs.
-- Niels.
Point 2 point IPs between ASes
Krunal Shah (Jun 27)
Hello,
What subnet mask are you people using for point-to-point IPs between two ASes? Especially with IPv6, we have a transit
provider who wants us to use /64, which does not make sense for this purpose. Isn't it recommended to use /127 as per
RFC 6164, like /30 and /31 are common for IPv4?
I was thinking, if someone is using RFC7404 for point to point IP between two ASes and establish BGP over link local
addresses. This way you have your own...
someone at chef.io ?
Jim Mercer (Jun 27)
hi,
can someone from chef.io reach out to me?
seems we got blocked for downloads somehow.
--jim
Re: Long AS Path
Jakob Heitz (jheitz) (Jun 27)
The reason that a private ASN in the public routing table is an error is that the AS Path is used to prevent loops. You
may have private AS 65000 in your organization and I may have another private AS 65000 in my organization. If my ASN
65000 is in the AS path of a route sent to you, then your AS 65000 will drop it, thinking it were looping back.
BTW, this is different from a confederation member AS.
Thanks,
Jakob.
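The loop-detection point Jakob makes, as an added example (not code from any NANOG poster or router vendor). It models the eBGP AS_PATH loop check and shows why a private ASN leaking into the public table is an error: two unrelated organisations that both picked private AS 65000 will each drop the other's routes as apparent loops, and stripping private ASNs on export (what `remove-private-AS` does on most platforms) avoids it. The ASN values are assumptions: 64496 and 64497 are documentation ASNs from RFC 5398, 65000 is in the RFC 6996 private range, and the AS_PATH lists are constructed by hand.

```python
"""BGP AS_PATH loop detection versus leaked private ASNs.

Added example; ASNs and paths are constructed for illustration.
"""

# RFC 6996 private-use ranges (16-bit and 32-bit).
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_asn(asn: int) -> bool:
    """True if the ASN falls in a private-use range."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def accept_route(local_asn: int, as_path: list) -> bool:
    """The standard eBGP loop check: if our own ASN already appears in the
    AS_PATH, the route is treated as having looped back to us and dropped."""
    return local_asn not in as_path


def strip_private_asns(as_path: list) -> list:
    """What 'remove-private-AS' on a border router does on export: private
    ASNs are removed so they never reach the public table."""
    return [asn for asn in as_path if not is_private_asn(asn)]


def simulate(leaked: bool):
    """Two unrelated organisations both use private AS 65000 internally.

    Org A (public AS 64496) originates a prefix in its private AS 65000 and
    exports it to Org B (public AS 64497). B's edge prepends 64497 and hands
    the route to its own internal AS 65000 router, which runs the loop check.
    Returns (accepted, as_path as seen by B's AS 65000 router).
    """
    path_at_a_edge = [64496, 65000]  # leftmost = most recent hop
    announced = path_at_a_edge if leaked else strip_private_asns(path_at_a_edge)
    path_at_b = [64497] + announced
    return accept_route(65000, path_at_b), path_at_b


if __name__ == "__main__":
    for leaked in (True, False):
        ok, path = simulate(leaked)
        verdict = "accepted" if ok else "DROPPED as a loop"
        print(f"leaked={leaked}: path={path} -> {verdict}")
```

The same check is why a confederation member AS is different: confederation segments are scoped to one administrative domain and are stripped at the confederation border, so they never collide with someone else's numbering.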
RE: Long AS Path
Jerry Cloe (Jun 26)
Superstition has no basis in reality (i.e. black cat walks past DC door)
Pro-Active is based on experience and knowledge (i.e. when disk space is 90% full for a regularly growing volume, we
need to clean or add more before it hits 100%)
I mean this as a rhetorical question as we could talk until the end of
time about this; what is the difference between operating on
superstition and trying to be pro-active? Both for me fall under the...
SAFNOG-3: Call for Papers Now Out!
Mark Tinka (Jun 26)
Hello all.
It gives me great pleasure to announce that the SAFNOG-3 Call for Papers
is now out.
You may review the CfP and all relevant submission details at the link
below:
http://safnog.org/papers.html
We are working hard to put together an exciting, educational,
informative and memorable agenda for this year's meeting.
We look forward to receiving your submissions, and seeing you in Durban
for our next meeting.
Cheers,
Mark...
Netflix fast.com performance
Amos Rosenboim (Jun 26)
Hello,
Lately we have been troubleshooting complaints from customers of several ISPs about
relatively low results when testing to Netflix's fast.com
When we started troubleshooting we notice the following:
1. When the latency to the fast.com test server is ~70ms results are significantly lower than speedtest.net results or
Google fiber results.
2. When latency to the fast.com server is low (10-20ms, over DSL link) the results are similar...
Re: Long AS Path
Mel Beckman (Jun 26)
Michael,
Filtering private ASNs is actually part of the standard. It's intrinsic in the term "private ASN". A private ASN in the
public routing table is a clear error, so filtering them is reasonable. Long AS paths are not a clear error.
I'm surprised nobody here who complains about long paths has followed my suggestion: call the ASN operator and ask
them why they do it, and report the results here.
Until...
RE: Long AS Path
Michael Hare (Jun 26)
Couldn't one make the same argument with respect to filtering private ASNs from the global table? Unlike filtering of
RFC1918 and the like a private ASN in the path isn't likely to leak RFC1918 like traffic, yet I believe several major
ISPs have done just that. This topic was discussed ~1 year ago on NANOG.
I do filter private ASNs but have not yet filtered long AS paths. Before I did it I had to contact a major CDN because
I...
Re: Long AS Path
Hunter Fuller (Jun 26)
This could just be ignorance, but based on this thread, I'm not sure what
risk we would be managing, as DFZ router operators, by filtering those
paths. They seem silly, but harmless (similar to, for instance, painting a
nyan cat on a graph by announcing prefixes at certain times).
Re: Long AS Path
James Bensley (Jun 25)
Hi Mel,
I mean this as a rhetorical question as we could talk until the end of
time about this; what is the difference between operating on
superstition and trying to be pro-active? Both for me fall under the
category of "risk management".
Cheers,
James.
Centurylink contact for Boise?
Brielle (Jun 24)
Hey all, apologies for formatting since I'm on my iPhone.
Is there anyone on list that happens to know a contact for CenturyLink who can help with some major network issues
going on in Boise?
Nearly every customer I have with a DSL line is reporting severe and inconsistent connectivity issues with Microsoft,
Reddit, Adobe, and even my servers in Washington state off of Westin.
Biggest problem is that for every customer it's a...
Re: Long AS Path
Mel Beckman (Jun 24)
James,
By "experienced by someone else" I mean someone who is not one of your customers.
The better strategy, I think, is to not filter long paths unless you have a reason to see their creating a problem.
Otherwise you're just operating on superstition, no?
-mel via cell
Re: Long AS Path
James Bensley (Jun 24)
James,
The question is whether you would actually hear of any problems. Chances
are that the problem would be experienced by somebody else, who has no idea
that your filtering was causing it.
-mel beckman
Hi Mel,
For us the answer is almost definitely a yes. We are an MSP (managed
service provider) as opposed to a traditional ISP, so our customers
know they can open a ticket with us for pretty much anything and we'll try
and...
Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating
More on liberal arts etc
Dave Farber (Jun 27)
Begin forwarded message:
> From: Karl Auerbach <karl () cavebear com>
> Date: June 27, 2017 at 4:25:11 PM EDT
> To: dave () farber net, ip <ip () listbox com>
> Subject: Re: [IP] More on liberal arts etc
>
>
> With regard to liberal arts ... As you know I have backgrounds in both computer/networking technology and law.
>
> One snowy evening in DC I was riding the Metro through Alexandria and I overheard...
More on liberal arts etc
Dave Farber (Jun 27)
---------- Forwarded message ---------
From: Douglas Comer <comer () cs purdue edu>
Date: Tue, Jun 27, 2017 at 2:57 PM
Subject: Re:
To: Dave Farber <farber () gmail com>
Dave,
> Rick says:
> I realise this could devolve quickly into another STEM-v-STEAM
argument...
The situation should not be viewed as STEM-v-STEM, but rather as the need
for STEM+STEAM.
I attended a small "Liberal Arts" college, where the...
Houses in Installments from $10,474. Last Units!
Umbrales de la Merced (Jun 27)
Your mail client does NOT support HTML-format messages.
To view the content of this email correctly, COPY and PASTE the following URL
into your web browser (Chrome / Internet Explorer / FireFox / Safari)
https://app.embluemail.com/Online/VO.aspx?6c4h-R-ek4eo,8kbKwIKEi-R-9i:,i,9-R-0
AP Mobile: New cyberattack causes mass disruption in Europe
Dave Farber (Jun 27)
When are we going to recognize that while the Internet was a major addition to the world, it was not designed to be
secure. It uses components that were not designed to be secure, BUT I claimed in a Stanford talk
https://youtu.be/wCl-bKaER-s
that there is a path to fix at least those critical areas that make them much much more robust.
Dave
New cyberattack causes mass disruption in Europe
PARIS (AP) - A new and highly virulent outbreak of...
✚ "50% OFF" ✚
no responder (Jun 27)
Your mail client does NOT support HTML-format messages.
To view the content of this email correctly, COPY and PASTE the following URL
into your web browser (Chrome / Internet Explorer / FireFox / Safari)
https://app.embluemail.com/Online/VO.aspx?6c4h-R-ek4eo,5gbKwIKEi-R-9i:,i,9-R-0
Re I remember this The Magical Apple Spin-Off That Almost Invented the iPhone in 1993
Dave Farber (Jun 27)
---------- Forwarded message ---------
From: Charles Arthur <charles.arthur () gmail com>
Date: Tue, Jun 27, 2017 at 8:52 AM
Subject: Re: [IP] I remember this The Magical Apple Spin-Off That Almost
Invented the iPhone in 1993
To: <dave () farber net>, <dewayne () warpspeed com>
I visited General Magic in 1993 or 1994 to write an article for New
Scientist. It really was born in a mansion rather than a garage.
Here’s how the...
Re pro-crypto Aussie (prime) minister (Re: Australia to seek greater powers on encrypted messaging at 'Five eyes' meeting)
Dave Farber (Jun 27)
---------- Forwarded message ---------
From: David Magda <dmagda () ee ryerson ca>
Date: Tue, Jun 27, 2017 at 9:23 AM
Subject: pro-crypto Aussie (prime) minister (Re: [IP] Australia to seek
greater powers on encrypted messaging at 'Five eyes' meeting)
To: <dave () farber net>
Cory Doctorow had a pretty take down on all this (as he usually does when
these types of topics comes up):
> The Australian Attorney General and a...
I remember this The Magical Apple Spin-Off That Almost Invented the iPhone … in 1993
Dave Farber (Jun 27)
Begin forwarded message:
> From: Dewayne Hendricks <dewayne () warpspeed com>
> Date: June 27, 2017 at 7:41:21 AM EDT
> To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
> Subject: [Dewayne-Net] The Magical Apple Spin-Off That Almost Invented the iPhone … in 1993
> Reply-To: dewayne-net () warpspeed com
>
> The Magical Apple Spin-Off That Almost Invented the iPhone … in...
Google Fined €2.42 Billion by EU for Skewing Search Results - Bloomberg
Dave Farber (Jun 27)
Google Fined €2.42 Billion by EU for Skewing Search Results - Bloomberg
https://www.bloomberg.com/news/articles/2017-06-27/google-fined-2-42-billion-by-eu-for-skewing-search-results
-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580
Modify Your Subscription:...
Re Liberal Arts in the Data Age
Dave Farber (Jun 26)
Begin forwarded message:
> From: Richard Forno <rforno () infowarrior org>
> Date: June 26, 2017 at 2:08:24 PM EDT
> To: Dave Crocker <dcrocker () bbiw net>
> Cc: Dave Farber <dave () farber net>, ip <ip () listbox com>
> Subject: Re: [IP] Liberal Arts in the Data Age
>
>
> Good point Dave. Moreover, I would argue that the liberal arts helps provide students the broader ability to
>...
Re Liberal Arts in the Data Age
Dave Farber (Jun 26)
Begin forwarded message:
> From: Dave Farber <farber () gmail com>
> Date: June 26, 2017 at 10:28:56 AM EDT
> To: Ip Ip <ip () v2 listbox com>
> Subject: Liberal Arts in the Data Age
>
>
>
>
> Begin forwarded message:
>
>> From: Richard Forno <rforno () infowarrior org>
>> Date: June 26, 2017 at 10:16:08 AM EDT
>> To: Infowarrior List <infowarrior () attrition org>...
BUILDING UNDER CONSTRUCTION - AT-COST TRUST, PAYABLE IN 24 INSTALLMENTS IN PESOS ( UVI ) !!!
Marmol & Blejman (Jun 26)
Your mail client does NOT support HTML-format messages.
To view the content of this email correctly, COPY and PASTE the following URL
into your web browser (Chrome / Internet Explorer / FireFox / Safari)
https://app.embluemail.com/Online/VO.aspx?6c4h-R-ek4eo5adbKwIKEi-R-9i:,i,9-R-0
The tables everyone is talking about!
no responder (Jun 26)
Your mail client does NOT support HTML-format messages.
To view the content of this email correctly, COPY and PASTE the following URL
into your web browser (Chrome / Internet Explorer / FireFox / Safari)
https://app.embluemail.com/Online/VO.aspx?6c4h-R-ek4eo5,ibKwIKEi-R-9i:,i,9-R-0
Liberal Arts in the Data Age
Dave Farber (Jun 26)
Begin forwarded message:
> From: Richard Forno <rforno () infowarrior org>
> Date: June 26, 2017 at 10:16:08 AM EDT
> To: Infowarrior List <infowarrior () attrition org>
> Cc: Dave Farber <dave () farber net>
> Subject: Liberal Arts in the Data Age
>
> IMO there is great truth in what JM says. -- rick
>
>
> Liberal Arts in the Data Age
> JM Olejarz
> From the July–August 2017 Issue...
♀ "Your Health Plan for only 7.60 per month ♂
no responder (Jun 26)
Your mail client does NOT support HTML-format messages.
To view the content of this email correctly, COPY and PASTE the following URL
into your web browser (Chrome / Internet Explorer / FireFox / Safari)
https://app.embluemail.com/Online/VO.aspx?6c4h-R-ek4en4,hbKwIKEi-R-9i:,i,9-R-0
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 30.34
RISKS List Owner (Jun 24)
RISKS-LIST: Risks-Forum Digest Saturday 24 June 2017 Volume 30 : Issue 34
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.34>
The current issue can also be...
Risks Digest 30.32
RISKS List Owner (Jun 10)
RISKS-LIST: Risks-Forum Digest Saturday 10 June 2017 Volume 30 : Issue 32
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.32>
The current issue can also be...
Risks Digest 30.31
RISKS List Owner (Jun 08)
RISKS-LIST: Risks-Forum Digest Thursday 8 June 2017 Volume 30 : Issue 31
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.31>
The current issue can also be...
Risks Digest 30.30
RISKS List Owner (Jun 05)
RISKS-LIST: Risks-Forum Digest Monday 5 June 2017 Volume 30 : Issue 30
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.30>
The current issue can also be...
Risks Digest 30.29
RISKS List Owner (May 13)
RISKS-LIST: Risks-Forum Digest Saturday 13 May 2017 Volume 30 : Issue 29
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.29>
The current issue can also be...
Risks Digest 30.28
RISKS List Owner (May 09)
RISKS-LIST: Risks-Forum Digest Tuesday 9 May 2017 Volume 30 : Issue 28
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.28>
The current issue can also be...
Risks Digest 30.27
RISKS List Owner (May 05)
RISKS-LIST: Risks-Forum Digest Friday 5 May 2017 Volume 30 : Issue 27
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.27>
The current issue can also be found...
Risks Digest 30.26
RISKS List Owner (Apr 30)
RISKS-LIST: Risks-Forum Digest Sunday 30 April 2017 Volume 30 : Issue 26
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.26>
The current issue can also be...
Risks Digest 30.25
RISKS List Owner (Apr 18)
RISKS-LIST: Risks-Forum Digest Tuesday 18 April 2017 Volume 30 : Issue 25
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.25>
The current issue can also be...
Risks Digest 30.24
RISKS List Owner (Apr 15)
RISKS-LIST: Risks-Forum Digest Saturday 15 April 2017 Volume 30 : Issue 24
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.24>
The current issue can also be...
Risks Digest 30.23
RISKS List Owner (Apr 06)
RISKS-LIST: Risks-Forum Digest Thursday 6 April 2017 Volume 30 : Issue 23
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.23>
The current issue can also be...
Risks Digest 30.22
RISKS List Owner (Apr 03)
RISKS-LIST: Risks-Forum Digest Monday 3 April 2017 Volume 30 : Issue 22
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.22>
The current issue can also be...
Risks Digest 30.21
RISKS List Owner (Apr 01)
RISKS-LIST: Risks-Forum Digest Saturday 1 April 2017 Volume 30 : Issue 21
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.21>
The current issue can also be...
Risks Digest 30.20
RISKS List Owner (Mar 30)
RISKS-LIST: Risks-Forum Digest Thursday 30 March 2017 Volume 30 : Issue 20
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.20>
The current issue can also be...
Risks Digest 30.19
RISKS List Owner (Mar 21)
RISKS-LIST: Risks-Forum Digest Tuesday 21 March 2017 Volume 30 : Issue 19
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.19>
The current issue can also be...
BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.
WannaCry Wakeup Call Not Heard?
Inga Goddijn (Jun 27)
https://www.riskbasedsecurity.com/2017/06/wannacry-wakeup-call-not-heard/
It has been reported that Petya is spreading
<https://www.wired.com/story/petya-ransomware-outbreak-eternal-blue/> by
using a code execution vulnerability in Microsoft Office and WordPad
(CVE-2017-0199) and then taking advantage of EternalBlue (CVE-2017-0145),
which is the same vulnerability exploited by WannaCry.
Most people would agree that WannaCry was a pretty...
Heaps of Windows 10 internal builds, private source code leak online
Audrey McNeil (Jun 27)
https://www.theregister.co.uk/2017/06/23/windows_10_leak/
A massive trove of Microsoft's internal Windows operating system builds and
chunks of its core source code have leaked online.
The data – some 32TB of official and non-public installation images and
software blueprints that compress down to 8TB – were uploaded to
betaarchive.com, the latest load of files provided just earlier this week.
It is believed the confidential data in...
Japan sees surge in demand for cyber insurance as attacks increase
Audrey McNeil (Jun 27)
http://www.straitstimes.com/asia/east-asia/japan-sees-surge-in-demand-for-cyber-insurance-as-attacks-increase
There has been a sharp increase in the number of policyholders - mainly
companies - taking out cyber insurance, which compensates losses caused by
cyber attacks.
The number of victims whose personal information was stolen last year from
companies and other entities rose by more than 10 million from the previous
year.
The estimated...
Threats to information security
Audrey McNeil (Jun 27)
http://www.herald.co.zw/threats-to-information-security/
Imagine the nuclear codes of the world’s deadliest nuclear warheads in the
hands of cyber criminals. Or imagine your hard earned money just vanishes
from your electronic wallet without a trace.
If that is thought provoking, then it’s a clear indication of how intense
and critical information security is. This article will touch on threats to
information security. These are negative...
How cybercriminals use the deep and dark web to target financial organisations
Audrey McNeil (Jun 27)
http://www.bobsguide.com/guide/news/2017/Jun/26/how-cybercriminals-use-the-deep-and-dark-web-to-target-financial-organisations/
Financial organisations face a barrage of threats from a range of different
sources online. There is no doubt that the industry is a prime target for
threat actors ranging from cybercriminals, to hacktivists, to nation
states. In response, financial organisations should prioritise and
implement effective cybersecurity...
Security Think Tank: Apply risk-based approach to patch management
Audrey McNeil (Jun 27)
http://www.computerweekly.com/opinion/Security-Think-Tank-Apply-risk-based-approach-to-patch-management
The old mantra of “patch everything” is long gone. Many organisations
cannot keep up with the multiplicity of systems and applications that need
patching as IT becomes ever more pervasive, bring your own device (BYOD)
increases, and testing all the combinations of devices, apps and operating
systems becomes impossible, given the resources...
Regulators enlist corporate lawyers in joint response to cyberattacks
Audrey McNeil (Jun 27)
http://www.abajournal.com/news/article/cybersecurity_law_breach_response/
Responding quickly to an identity theft, ransomware or other computer
attack means having a plan in place. And as participants in the National
Institute on Cybersecurity Law learned, that includes a plan to send in the
feds.
“Figure out if you have to report that breach to my office or other
regulators, state and federal,” was the advice from Iliana Peters, who’s...
Anthem to pay record $115 million to settle U.S. lawsuits over data breach
Inga Goddijn (Jun 26)
https://www.reuters.com/article/us-anthem-cyber-settlement-idUSKBN19E2ML
Anthem Inc (ANTM.N), the largest U.S. health insurance company, has agreed
to settle litigation over hacking in 2015 that compromised about 79 million
people's personal information for $115 million, which lawyers said would be
the largest settlement ever for a data breach.
The deal, announced Friday by lawyers for people whose information was
compromised, must still...
Hollywood Studio Hit By Cyber Extortion Says: 'Don't Trust Hackers'
Audrey McNeil (Jun 26)
http://www.databreachtoday.com/blogs/hollywood-studio-hit-by-cyber-extortion-says-dont-trust-hackers-p-2500
The back story behind the ransom attack that led to the unauthorized early
release of the Netflix TV series "Orange Is the New Black" is a cautionary
tale in dealing with cyber extortionists such as The Dark Overlord.
In an exclusive story, the publication Variety tells the tale of Larson
Studios, a Hollywood post-production...
Learning the lessons from cyber attacks
Audrey McNeil (Jun 26)
http://www.itsecurityguru.org/2017/06/23/learning-lessons-cyber-attacks/
Cybercriminals have been known to target businesses across all sectors.
Recent high-profile cyber attacks have successfully breached well-known
brands including telecoms providers, retailers and banks. Evidently, all
industries are potentially vulnerable. As businesses become ever more
negatively affected by cyber attacks, lessons need to be learnt and
effective cyber...
Nayana ransom payment a wake-up call for cyber hygiene
Audrey McNeil (Jun 26)
http://www.computerweekly.com/blog/Eyes-on-APAC/Naraya-ransom-payment-a-wake-up-call-for-cyber-hygiene
When one is confronted by a criminal or terrorist demanding a ransom in
exchange for a loved one who has been held hostage, the general rule of
thumb is not to pay up and go to the police.
That’s the sensible thing to do, lest you create more incentives for
kidnappings and inadvertently finance terrorist and criminal groups. Why
then,...
WannaCry? You’re Not Alone: The 5 Stages of Security Grief
Audrey McNeil (Jun 23)
http://www.darkreading.com/perimeter/wannacry-youre-not-alone-the-5-stages-of-security-grief/a/d-id/1329178?_mc=sm_dr&hootPostID=c8c9faa8acde3b94c6281b12d9e3ca5b
As breach after breach hits the news, security professionals cope with the
classic experiences of denial, anger, bargaining, depression, and
acceptance.
When it comes to securing the enterprise, the attackers have the advantage.
Defenders are required to protect against every...
Cyber insurance claims: What happens when a breach occurs?
Audrey McNeil (Jun 23)
http://www.propertycasualty360.com/2017/06/22/cyber-insurance-claims-what-happens-when-a-breach?t=information-security?ref=channel-news
The claims process following a data breach is something an increasing
number of insurers — and insureds — need to understand more clearly, and in
his presentation at the recent New York Chapter meeting of the
International Information System Security Certification Consortium,
Markel’s Director of U.S....
It’s time to think differently about cyber security. Here’s how
Audrey McNeil (Jun 23)
https://www.weforum.org/agenda/2017/06/how-to-win-the-cyber-war/
Whilst the Fourth Industrial Revolution is opening up new opportunities for
organizations to embrace emerging technologies, rethink business models and
improve the lives of employees and customers, it also has a darker side –
increased security risks.
The recent unprecedented WannaCry ransomware attack that affected
organizations in over 150 countries highlights the exploding...
The Internet of Things and the Threat it Poses to GDPR Compliance
Audrey McNeil (Jun 23)
https://www.cso.com.au/article/621039/internet-things-threat-it-poses-gdpr-compliance/
The pending General Data Protection Regulation (GDPR) is already
significantly impacting businesses across Europe. Organisations need to
take action now to make certain they are adequately capturing, integrating,
certifying, publishing, monitoring and of course, protecting their data to
ensure compliance when GDPR enters into application in May 2018.
With...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
nullcon se7en CFP is open
nullcon (Aug 25)
Dear Friends,
Welcome to nullcon se7en!
$git commit -a <sin>
<sin> := wrath | pride | lust | envy | greed | gluttony | sloth
nullcon is an annual security conference held in Goa, India. The focus
of the conference is to showcase the next generation of offensive and
defensive security technology. We happily open doors to researchers
and hackers around the world working on the next big thing in security
and request...
Ruxcon 2015 Final Call For Presentations
cfp (Jul 05)
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of September, 2015.
.[x]. About Ruxcon .[x]....
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Re: Waiting for something to happen on a pipe/socket on Windows
Roland Knall (Jun 27)
This is one of the best and most comprehensive explanations for Windows
sockets I read so far.
@Stig - You could take a look at extcap_spawn.c, there you will find code,
also in extcap.c for implementing waiting on that thing, Windows likes to
call a "Named Pipe"
cheers,
Roland
Waiting for something to happen on a pipe/socket on Windows
Guy Harris (Jun 27)
(Sending to a broader list, in case anybody has answers.)
Sadly, Windows' handling of "wait for something to happen" is a bit clumsier than UN*X's.
UN*Xes have select() and poll(), with the possible addition of some other similar mechanisms such as Linux's epoll() or
*BSD/Darwin's kqueues. You can wait for a device, a socket, or a pipe with them. (Sadly, in the general case, you
can't wait for a process or...
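As an added example (not from the thread and not Wireshark code), the UN*X side of that contrast in Python: the standard `selectors` module wraps select()/poll()/epoll()/kqueue, so a single call can wait on a pipe and a socket together. The source labels and the writer thread are constructed for the demo. On Windows the same code fails at the wait, because select() there accepts sockets only, which is the gap the message goes on to describe.

```python
import os
import selectors
import socket
import threading
import time


def wait_for_any(sources, timeout):
    """Block until at least one of `sources` (label -> pipe fd or socket) is
    readable or `timeout` seconds elapse; return the sorted labels that woke.
    On UN*X the selector wraps select()/poll()/epoll()/kqueue and accepts
    pipes, sockets and devices alike; on Windows the underlying select()
    takes sockets only, so waiting on the pipe end fails with an OSError."""
    sel = selectors.DefaultSelector()
    try:
        for label, obj in sources.items():
            sel.register(obj, selectors.EVENT_READ, data=label)
        return sorted(key.data for key, _ in sel.select(timeout=timeout))
    finally:
        sel.close()


def demo():
    """Wait on a pipe and a socket in one call.  Returns three results:
    nothing ready (timeout), the pipe alone woken by a writer thread,
    and both sources readable at once."""
    r_pipe, w_pipe = os.pipe()
    sock_a, sock_b = socket.socketpair()
    try:
        sources = {"pipe": r_pipe, "socket": sock_a}

        # Nothing has been written yet: the wait times out with no winners.
        idle = wait_for_any(sources, timeout=0.05)

        # A helper thread makes the pipe readable while the socket stays idle.
        writer = threading.Thread(
            target=lambda: (time.sleep(0.05), os.write(w_pipe, b"x")))
        writer.start()
        woke = wait_for_any(sources, timeout=5)
        writer.join()
        os.read(r_pipe, 1)  # drain so the pipe is idle again

        # Now both sources have pending data and both must be reported.
        sock_b.sendall(b"y")
        os.write(w_pipe, b"z")
        both = wait_for_any(sources, timeout=5)
        return idle, woke, both
    finally:
        os.close(r_pipe)
        os.close(w_pipe)
        sock_a.close()
        sock_b.close()


if __name__ == "__main__":
    print(demo())
```

The point of the demo is that one wait covers every kind of descriptor; a capture front end that must watch a child process's pipe and a control socket at the same time needs exactly that, and on Windows it has to be rebuilt on a different primitive.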
Re: Compilation error Red Hat 3.4.3-9.EL4
Jakub Zawadzki (Jun 27)
Hello,
On 2017-06-27 05:33, Guy Harris wrote:
I would say that it's a mix of (1) and (3).
It all depends on the position of the blocks in the compressed file (we don't
have control over it); attaching sample code for checking.
I think it's possible to craft a gzipped capture file where a block always
finishes in the middle of a byte.
Jakub.
/* file_wrappers.c
*
* Wiretap Library
* Copyright (c) 1998 by Gilbert Ramirez <gram () alumni rice...
Re: Compilation error Red Hat 3.4.3-9.EL4
Guy Harris (Jun 26)
So does that mean "we can still do transparent access, but it won't work with some valid gzipped files", or does it
mean "we can still do transparent access on all valid gzipped files as long as the code is careful", or does it mean
"we can still do transparent access on all valid gzipped files, but it won't be as efficient as it would be with
inflatePrime()"?
Given that the...
Re: linux package requirements for wireshark build
Guy Harris (Jun 26)
And, in fact, as per that log, it did confuse the configure script, because...
...you *weren't* missing zlib-devel - you were missing the *64-bit version* of zlib-devel.
I have a fix:
https://code.wireshark.org/review/#/c/22396/
which will cause the configuration process to fail if you can't link with zlib, but the CMake version of the fix found
a bug in the way we configure libz on Windows, which I filed as bug 13850; that...
Re: linux package requirements for wireshark build
Maynard, Chris (Jun 26)
The last line of tools/install_rpms_for_devel.sh is:
echo "This tool has been obsoleted by tools/rpm-setup.sh"
So would it be better to use tools/rpm-setup.sh instead?
Whichever one is recommended, maybe it would be a good idea to mention it in the Wireshark developer’s guide, such as in
Section 3.11.2[1], for example?
- Chris
[1]: https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcBinary.html#ChSrcRpm
From: Wireshark-dev [...
Re: Wireshark build failing with unresolved external symbols
Anders Broman (Jun 26)
Linking with gnutls missing in cmake.txt?
/Anders
On 26 June 2017 21:03, "Paul Offord" <Paul.Offord () advance7 com> wrote:
Wireshark build failing with unresolved external symbols
Paul Offord (Jun 26)
Hi,
I have built a fresh git repo, pulled the master branch and then pulled the code for Gerrit change 19666 -
https://code.wireshark.org/review/#/c/19666/
My build is now failing with:
8> Creating library C:/Development/wsbuild64/run/Debug/wireshark.lib and object
C:/Development/wsbuild64/run/Debug/wireshark.exp
8>epan.obj : error LNK2019: unresolved external symbol gnutls_check_version referenced in function...
Re: linux package requirements for wireshark build
Jeff Morriss (Jun 26)
On Sat, Jun 24, 2017 at 11:11 PM, Alan Partis <alpartis () thundernet com>
wrote:
I generally just run `tools/install_rpms_for_devel.sh` to install all the
necessary dependencies.
You could also take a look in `packaging/rpm/SPECS/wireshark.spec.in` or
the various README files but the above script is there to simplify your
life...
Re: linux package requirements for wireshark build
Alan Partis (Jun 26)
No message preview for long message of 595888 bytes.
Re: If Wireshark is started with -i option it does not set wanted interface if the interface is a pipe
Anders Broman (Jun 26)
Hi,
I did a git bisect and this is the commit that broke it:
wireshark -i /tmp/Vnfcscfv1_fee0_eth1_Oc2th -i /tmp/Vnfcscfv1_fee1_eth1_c6nZw -i /tmp/Vnfcscfv1_fee2_eth1_leNWM -i /tmp/Vnfcscfv1_fee3_eth1_F37Bh
40a5fb567a9bd1bb02d38ca33efe64392230d27d is the first bad commit
commit 40a5fb567a9bd1bb02d38ca33efe64392230d27d
Author: Peter Wu <peter () lekensteyn nl>
Date: Fri Mar 10 03:46:53 2017 +0100
Restore interface selection after...
Re: Building CORBA dissectors
Andy Ling (Jun 26)
It depends when you think it got broken. I built a CORBA dissector using 2.2.5. I haven’t tried the latest build though.
I’m using Windows 7. Generally I don’t actually use the idl2wrs script. I use commands based on it. So to generate the
.c files I use something like..
C:\Python27\omniorb\omniORB-4.1.6\bin\x86_win32\omniidl.exe -p C:\wireshark-2.2.5\tools -b wireshark_be myCorba.idl > packet-myCorba.c
HTH
Andy Ling
From:...
Re: Building CORBA dissectors
Michael Mann (Jun 26)
I'm guessing you didn't get a response because no one is building CORBA dissectors outside of the 3 or 4 that are in
the source tree. Those are generated with idl2wrs, but then the C output is part of source control (partially because
I'm not sure all platforms could generate the C dissector as part of the build process).
If the CORBA dissectors that are currently in Wireshark source don't generate correctly, I can...
Building CORBA dissectors
David Hagood (Jun 26)
I've asked about this before, but gotten no responses:
Has anybody tried to build a CORBA dissector from IDL with the current
git head? It seems the idl2wrs program has been changed, and it no
longer seems to be able to process IDL correctly.
Re: Including Qt5 libs in my plugin project
Paul Offord (Jun 26)
Hi,
How can I add the moc generation and QT5 library inclusions to the Makefile.am?
Thanks and regards…Paul
From: Wireshark-dev [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Pascal Quantin
Sent: 24 June 2017 21:17
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] Including Qt5 libs in my plugin project
Hi Paul,
2017-06-24 21:48 GMT+02:00 Paul Offord <Paul.Offord...
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Snort Subscriber Rules Update 2017-06-27
Research (Jun 27)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-firefox,
browser-ie, browser-plugins, browser-webkit, exploit-kit, file-flash,
file-image, file-multimedia, file-office, file-other, file-pdf,
malware-cnc, os-windows, policy-other, protocol-scada, server-apache
and server-webapp rule sets to provide coverage for emerging...
Re: Is snort rules 2.9.0 compatible with 2.8.4?
Joel Esler (jesler) via Snort-sigs (Jun 27)
They are not. Snort 2.8.4 has been out of date for years. Please upgrade.
snort.conf
Rashid CORIA (Jun 27)
Hi,
Can you help me about this error please :
When I run the following command line:
Sudo snort -T -c /etc/snort/snort.conf -I enss3
I have an error :
....
Reputation config:
ERROR: Failed to allocate memory for local segment
Fatal Error, Quitting..
Rashid CORIA
Is snort rules 2.9.0 compatible with 2.8.4?
Ahmet Ercin (Jun 27)
Where can I check that whether rules for 2.9.0 are compatible with 2.8.4?
Re: Telnet rule doesn't work
rmkml (Jun 24)
Hello Paul,
It fires for me,
could you share a pcap please?
could you check if it fires on your side by adding "-k none" please? (disables checksum check)
could you check by replacing $TELNET_SERVERS and $EXTERNAL_NET with ANY please? (only for testing)
Best Regards
@Rmkml
Re: config files
Russ via Snort-devel (Jun 24)
snort.lua is your main configuration file. The default snort.lua is
intentionally lean so that you can very easily see what is going on.
snort_defaults.lua is included in snort.lua to provide all the external
defaults. In particular, all lists are provided there. The gtp
defaults, for example, span nearly 500 lines in snort_defaults.lua, and
can be used with just one line in snort.lua like this:
gtp_inspect = default_gtp
That is...
Telnet rule doesn't work
Paul Li (Jun 24)
I'm using Snort 2.9.9 on Ubuntu 16.04. Trying to build a telnet login
detection rule as the following:
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect"; content:"Login incorrect"; nocase; classtype:bad-unknown; sid:429; rev:2; priority:1;)
This rule looks good to me but it doesn't fire when failed TELNET occurs.
Any thing missing in this rule?
NOTE: At the same time, I created a...
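To exercise a rule like the one above without waiting for a real failed login, the following script (an added example, not code from this thread or from the Snort project) writes a minimal pcap: a TCP three-way handshake followed by the server's "Login incorrect" line sent from port 23, with correct IP and TCP checksums. The addresses 10.0.0.5 and 192.0.2.10, the ports, the MAC addresses and the output file name are constructed for the example.

```python
import socket
import struct
import time

# Constructed addresses for the sample session (not from the thread).
SERVER_IP, SERVER_PORT = "10.0.0.5", 23
CLIENT_IP, CLIENT_PORT = "192.0.2.10", 40000

SYN, ACK, PSH = 0x02, 0x10, 0x08


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, sport, dst_ip, dport, flags, seq, ack, payload=b""):
    """Ethernet/IPv4/TCP frame with valid IP and TCP checksums, so Snort's
    default checksum verification accepts it without -k none."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp_len = 20 + len(payload)
    # IPv4 header: checksum field (index 7) is computed over the header with it zeroed.
    ip_fields = [0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0, src, dst]
    ip_fields[7] = ones_complement_sum(struct.pack("!BBHHHBBH4s4s", *ip_fields))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *ip_fields)
    # TCP header: checksum covers the pseudo-header, the header and the payload.
    tcp_fields = [sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0]
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, tcp_len)
    tcp_fields[7] = ones_complement_sum(
        pseudo + struct.pack("!HHIIBBHHH", *tcp_fields) + payload)
    tcp_hdr = struct.pack("!HHIIBBHHH", *tcp_fields)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip_hdr + tcp_hdr + payload


def checksums_ok(frame: bytes) -> bool:
    """Re-verify both checksums: a correct header sums to zero under the same routine."""
    ip = frame[14:34]
    if ones_complement_sum(ip) != 0:
        return False
    seg = frame[34:]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, 6, len(seg))
    return ones_complement_sum(pseudo + seg) == 0


def telnet_session(banner=b"Login incorrect\r\n"):
    """Handshake followed by the server's failed-login line, so the stream
    preprocessor sees an established session rather than a midstream pickup."""
    c_isn, s_isn = 1000, 2000
    return [
        build_frame(CLIENT_IP, CLIENT_PORT, SERVER_IP, SERVER_PORT, SYN, c_isn, 0),
        build_frame(SERVER_IP, SERVER_PORT, CLIENT_IP, CLIENT_PORT, SYN | ACK, s_isn, c_isn + 1),
        build_frame(CLIENT_IP, CLIENT_PORT, SERVER_IP, SERVER_PORT, ACK, c_isn + 1, s_isn + 1),
        build_frame(SERVER_IP, SERVER_PORT, CLIENT_IP, CLIENT_PORT, PSH | ACK,
                    s_isn + 1, c_isn + 1, banner),
    ]


def pcap_bytes(frames, start_ts=None) -> bytes:
    """Classic libpcap file: 24-byte global header (link type 1 = Ethernet),
    then a 16-byte record header in front of each frame."""
    ts = int(time.time() if start_ts is None else start_ts)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, i * 1000, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    with open("telnet-login-incorrect.pcap", "wb") as fh:
        fh.write(pcap_bytes(telnet_session()))
```

Replay it with `snort -c /etc/snort/snort.conf -r telnet-login-incorrect.pcap -A console`. Because the checksums are valid, the `-k none` suggestion from earlier in the thread is not needed here; it matters when a hand-edited capture carries stale checksums, since Snort then drops those packets without any alert, which looks exactly like a rule that "doesn't fire". The other variable is `$TELNET_SERVERS`: it must cover 10.0.0.5 (or be set to `any` for the test, as suggested) or the header match fails before the content match is ever tried.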
config files
Skip Carter (Jun 23)
I have a practical question about the lua config files: What is the
philosophy about what belongs in snort_defaults.lua vs snort_config.lua
vs snort.lua ? They are 3 different files for some reason.
The command line is getting awfully busy, can't I put a lot of that in
one of the lua scripts ?
Running Pulledpork on CentOS
bobby via Snort-users (Jun 23)
I am trying to run Pulledpork on CentOS, and am getting this error:
The specified Snort binary does not exist!
Please correct the value or specify the FULL rules tarball name in the
pulledpork.conf!
at /usr/local/bin/pulledpork.pl line 1978.
Any guidance is appreciated.
Snort SSL decryption
Rajkumar via Snort-users (Jun 23)
Hi,
Does Snort have any predefined preprocessor that does SSL
decryption(given private key of server), if not, what would be you best
recommendations for making snort work on decrypted traffic?
Raj
Re: Getting started
Russ via Snort-devel (Jun 23)
Hey Skip, thanks for your interest. The pid file is located in the log
path which defaults to the working directory. You can set that path
with snort -l and enable the pid file with snort --create-pidfile. See
snort -? for these and other options.
Russ
Getting started
Skip Carter (Jun 22)
I am a long time snort user, and even wrote a book about it for the
defunct Syngress publishing. I have been using 3.0.0-a4-228 for about
3 weeks now but have still much to learn about it. I am happy to work
with alpha code and all that it means if my efforts help in small way
to get to full release code.
Let me start with an easy question: where is the pid file ? I use this
file for all sorts of auxiliary purposes and I miss it. Past...
Re: TCP-Flags are wrong in Preprocessor
Matthias Wübbeling (Jun 22)
Victor,
That did the trick.
Thank you very much.
- Matthias
Snort Subscriber Rules Update 2017-06-22
Research (Jun 22)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-ie,
browser-plugins, browser-webkit, file-flash, file-image,
file-multimedia, file-other, indicator-obfuscation,
indicator-shellcode, malware-cnc, os-windows, protocol-ftp,
protocol-scada, server-apache and server-webapp rule sets to provide
coverage for emerging threats...
Re: missing libsf_engine.so
Victor Roemer via Snort-users (Jun 22)
Hi Jeff,
Do you have a C:\Snort\lib\snort_dynamicengine\libsf_engine.dll file
instead?
If so, edit your snort.conf file, line 250 and change the path to that of
the dll extension.
We also maintain archives for these lists (some are currently inactive):
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.