SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.
Updated version detection in http-fingerprints.lua
Rewanth Cool (Mar 20)
Hi,
I previously made 3 commits on #764 <https://github.com/nmap/nmap/pull/764>,
#762 <https://github.com/nmap/nmap/pull/762> and #760
<https://github.com/nmap/nmap/pull/760>.
I got suggestions from admins and three developers of nmap asking me to
integrate it with the fingerprints module. Based on their suggestions I
updated the nselib/data/http-fingerprints.lua script.
I tested it against 10 different websites and found it...
Query !! GSOC !!
Rewanth Cool (Mar 20)
Hi Dev team,
I came across a tool called "fimap" on GitHub. But unfortunately
that's not in any list of the orgs finalized by GSOC.
About FIMAP:
Fimap refers to File Inclusion mapper similar to SQLmap (SQL mapper) and
Nmap (Network mapper) but for Local File Inclusion and Remote File
Inclusion vulnerabilities instead of SQL and Network vulnerabilities.
Fimap tool was created 7 years ago and was left without any...
nmap won't run on server 16
Darnell, Russell Matthew (System Operations) (Mar 20)
Hey guys,
Long time user of Nmap. I've got a fresh build of Server 2016 (standard) on a VMware backend. I get some funky errors
when installing. This server only has one disk. I grabbed a fresh copy of the latest stable 7.40 download. I was
trying to run it from the command window
Any pro tips?
Russell
Faulting application name: nmap.exe, version: 7.0.40.0, time stamp: 0x5858be4f
Faulting module name: ntdll.dll, version:...
Traceback
Clive Bagley (Mar 20)
Version: 7.12
Traceback (most recent call last):
File "zenmapGUI\App.pyo", line 178, in _destroy_callback
File "zenmapCore\UmitDB.pyo", line 400, in <module>
File "zenmapCore\UmitDB.pyo", line 399, in verify_db
File "zenmapCore\UmitDB.pyo", line 276, in create_db
OperationalError: table scans already exists
Issue regarding nmap-payloads - UDP services still showing as "open|filtered" when a payload is added to evoke a reply
Stuart Duncan (Mar 20)
Hi,
I've seen a few threads/bits of info regarding the nmap-payloads file but I
am having issues with adding custom payloads. I know that the open|filtered
outcome is given when no response (ICMP or UDP) has been received.
I added a custom payload within this file and using a network sniffer - I
can see that Nmap correctly sends the payload and also that, I get a
response back - yet Nmap still determines that it is "open|filtered".
I...
A situation where the npcap loopback adapter is not listed by wireshark (and a solution)
Carl Hauser (Mar 20)
This really belongs in
https://ask.wireshark.org/questions/46579/wireshark-does-not-see-npcap-loopback-interface
which although old is the most relevant item that Google searching
finds for the problem of wireshark and dumpcap not finding npcap's
loopback interface. Unfortunately I can't post it there because the
captcha fails every time I try it.
TL;DR: Check to make sure that the Basic Filter Engine (BFE) service is...
NSE Script for CVE 2017-6527
Rewanth Cool (Mar 20)
NSE Script for CVE 2017-6527 which was released on 9th March, 2017.
There is a PR on #783 <https://github.com/nmap/nmap/pull/783> on the same.
Best regards,
Rewanth.
Minor fixes ( Duplicate entries deleted from nselib/data )
Rewanth Cool (Mar 20)
Deleted duplicate entries from all the files in nselib/data folder.
There is a PR on #782 <https://github.com/nmap/nmap/pull/782> regarding the
same.
Best regards,
Rewanth.
Re: [RFC] Nsock connect error handling
Daniel Miller (Mar 20)
Thanks for confirming, David. I committed this change in r36653.
Dan
ncat reverse ssl does not work, terminating subprocesses
Olivia Nelson (Mar 20)
The client is a Windows 7 machine, run cmd.exe and connect back to an
Ubuntu server.
When I execute a command, the connection interrupts immediately.
Any ideas?
==== server ====
# ./ncat.linux -l -p 8888 --ssl -vv
Ncat: Version 7.40 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and
--ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: CC5E 8A28 A19F 9254 2BC5 869C DFDC 47C0 D566 4D87
Ncat:...
Re: ncat reverse ssl does not work, terminating subprocesses
Varunram Ganesh (Mar 20)
Hi there,
This is a bug with Ncat and we are tracking it over at https://github.com/nmap/nmap/issues/197. Thanks for your report!
Cheers,
Varunram
Re: NSE: add script for discovering OSPF neighbors
Emiliano Ticci (Mar 19)
Daniel,
Just to be 100% sure you won't release a new version with a buggy library,
I might point out this PR:
https://github.com/nmap/nmap/pull/761
Thanks again,
Emiliano
Re: [RFC][NSE] Incomplete HTTP response body
nnposter (Mar 19)
If it ultimately turns out there is a desire for this then there are a
few aspects that could be debated:
* The body fragment is intentionally returned in a unique response
member, "fragment", to have a clear separation from the (complete) body,
forcing consuming code to acknowledge the intent to operate on less
than the complete body. That said, it would be trivial to store the
fragment in the "body" member.
* The body...
Re: [RFC][NSE] Incomplete HTTP response body
Daniel Miller (Mar 19)
My initial thought is that this is very interesting. I can't remember
specifically, but it does seem like I've encountered cases where it would
have been useful. I'll look at the code itself shortly and give feedback.
Dan
On Fri, Mar 17, 2017 at 3:16 PM, nnposter <nnposter () users sourceforge net>
wrote:
Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Nmap GSoC 2016 Success Report
Fyodor (Feb 07)
Happy belated new year from the Nmap Project! I'd like to take this
opportunity to send you the belated results from our 2016 Summer of Code
team. I was going to send them right after the program finished, but some
of the students were still finishing some great things so I decided to
wait. As you may recall from the team intro mail (
http://seclists.org/nmap-announce/2016/2), we had 5 students last year and
I'm happy to report that...
Nmap 7.40 Holiday Release: a dozen new NSE scripts, hundreds of new fingerprints, new Npcap, faster brute forcing, and more...
Fyodor (Dec 20)
Happy holidays from the Nmap Project! In case your Christmas break plans
involve a lot of port scanning, we're delighted to announce our holiday
Nmap 7.40 release! This version stuffs your stockings with dozens of new
features, including:
- 12 new NSE scripts
- Hundreds of updated OS and version detection signatures
- Faster brute force authentication cracking and other NSE library
improvements
- A much-improved...
Nmap 7.31 stability-focused point release
Fyodor (Oct 21)
Hi folks. I'm happy to report that the big Nmap 7.30 release last month
was a great success. We didn't even see as many bugs as expected for such
a large release, but we have collected and fixed the ones which did arise
in the last few weeks into a new 7.31 point release. It includes the
latest updates to our new Npcap driver, a fix for Nping on Windows, and
more.
Nmap 7.31 source code and binary packages for Linux, Windows, and Mac...
Nmap 7.30 Released with new NSE scripts, new Npcap, new Fingerprints, etc.
Fyodor (Sep 29)
Hi folks! You may have noticed that we've only been releasing Nmap betas
for the last 6 months because we've had so much new code and so many
features to integrate thanks to hard work from both our regular team and
the 5 Google Summer of Code summer interns. But we spent the last month
focused on stability and I'm pleased to announce Nmap 7.30--our first
stable release since 7.12 back in March.
Even though it's a stable...
Nmap 7.25BETA2 Birthday Release
Fyodor (Sep 01)
Hi folks! I'm happy to report that today is Nmap's 19th birthday and
instead of cake, we're celebrating open source style with a new release!
Nmap 7.25BETA1 includes dozens of performance improvements, bug fixes, and
new features. The full list is below, and includes a major LUA upgrade for
NSE scripts, a new overlapped I/O engine for better Windows performance, a
much-improved version of our new Npcap packet capturing driver,...
Nmap 7.25BETA1 Released with our new Npcap driver, 6 new NSE scripts, and more!
Fyodor (Jul 19)
Hi folks! As you may know, we've been working for the last 3 years on an
improved Windows packet capturing library named Npcap. It's based on the
original WinPcap (which hasn't been maintained in years), but we rewrote
the driver to use modern APIs (NDIS 6) for better performance. It also
improves security and enables new features. For example, Npcap allows Nmap
to do raw scans (including SYN scans and OS detection) of localhost...
Introducing the 2016 Nmap/Google Summer of Code Team!
Fyodor (May 09)
Hello everyone. Google has agreed to sponsor five amazing students to
spend this summer enhancing the Nmap Security Scanner and I'm proud to
introduce our 2015 team:
*Abhishek Singh* will be working as a Feature Creeper and Bug Hunter,
making improvements throughout the Nmap codebase. The project hasn't even
started yet and he's already found and fixed several NSE script bugs and
has other code changes in the works. Abhishek is...
Nmap 7.10 released: 12 new scripts, hundreds of OS/version fingerprints, bug fixes, and more!
Fyodor (Mar 17)
Hi Folks! Before I tell you about today's new Nmap release, I wanted to
share some Summer of Code news:
Google posted a fantastic story by one of our Summer of Code alumni about
how the program helped take him from rural China to a full-ride scholarship
at the University of Virginia graduate school! His mentor David and I had
the chance to meet him in San Francisco:...
Nmap Project Seeking Talented Programmers for Google Summer of Code 2016
Fyodor (Feb 29)
Hi folks. I'm delighted to report that Nmap has been accepted by Google to
participate in this year's Summer of Code internship program. This
innovative and extraordinarily generous program provides $5,500 stipends to
college and graduate students anywhere in the world who spend the summer
improving Nmap from home! They gain valuable experience, get paid,
strengthen their résumés, and write code for millions of users. We're one...
Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
Re: Remote code execution via CSRF vulnerability in the web UI of Deluge 1.3.13
Thomas Deutschmann (Mar 20)
I requested a CVE via MITRE web form and received the following ID:
Re: SEC Consult SA-20170316-0 :: Authenticated command injection in multiple Ubiquiti Networks products
Carlos Silva (Mar 20)
Hi.
It's supposed to be fixed in SW 1.3.4:
https://dl.ubnt.com/firmwares/TOUGHSwitch/v1.3.4/changelog.txt
and XW 6.0.1:
https://dl.ubnt.com/firmwares/XW-fw/v6.0.1/changelog.txt
(don't know about the rest of them)
Re: 0-Day: Dahua backdoor Generation 2 and 3
bashis (Mar 20)
Greetings,
With my newfound knowledge of vulnerable devices out there with an unbelievable number of more than 1 million Dahua /
OEM units,
where knowledge comes from a report made by NSFOCUS and my own research on shodan.io.
With this knowledge, I will not release the Python PoC to the public as before said of April 5, as it is not necessary
when the PoC has already been verified by IPVM and other independent security researchers.
However,...
Re: TS Session Hijacking / Privilege escalation all windows versions
Kevin Beaumont (Mar 20)
So this is a pretty big issue, which it looks like the Mimikatz guys
flagged in an all French blog post in 2011 but it flew under the radar.
I've written about it here:
https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6#.o2af8u9op
Now, you might well say 'If you have SYSTEM you already own the box' - and
you're right. But with one command...
Cookie based privilege escalation in DIGISOL DG-HR1400 1.00.02 wireless router.
Indrajith AN (Mar 20)
Title:
======
Cookie based privilege escalation in DIGISOL DG-HR1400 1.00.02 wireless router.
CVE Details:
============
CVE-2017-6896
Reference:
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6896
https://vuldb.com/sv/?id.97954
https://www.indrajithan.com/DIGISOL_router_previlage_escaltion
Credit:
======
Name: Indrajith.A.N
Website: https://www.indrajithan.com
Date:
====
13-03-2017
Vendor:
======
DIGISOL router is a...
CVE-2017-7183 ExtraPuTTY v029_RC2 TFTP Denial Of Service
hyp3rlinx (Mar 20)
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/EXTRAPUTTY-TFTP-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.extraputty.com
Product:
======================
ExtraPuTTY - v029_RC2
hash: d7212fb5bc4144ef895618187f532773
Also Vulnerable: v0.30 r15
hash: eac63550f837a98d5d52d0a19d938b91
ExtraPuTTY is a fork from 0.67 version of PuTTY....
TS Session Hijacking / Privilege escalation all windows versions
Alexander Korznikov (Mar 18)
Terminal Services / Console Session Hijacking can lead to Privilege
Escalation.
Vulnerability Details.
A privileged user, which can gain command execution with NT
AUTHORITY/SYSTEM rights can hijack any currently logged in user's session,
without any knowledge about his credentials.
Terminal Services session can be either in connected or disconnected state.
This is a high-risk vulnerability which allows any local admin to hijack a
session...
[CVE-2017-6878]:MetInfo5.3.15 Stored Cross Site Scripting
陈彦羽 (Mar 18)
Hello:
The following are my application vulnerabilities.
---------------------------------------
---------------------------------------
[CVE-2017-6878]:MetInfo5.3.15 Stored Cross Site Scripting
Application: MetInfo
Versions Affected: 5.3.15
Vendor URL: http://www.metinfo.cn/
Software Link:...
HumHub 0.20.1 / 1.0.0-beta.3: Code Execution
Curesec Research Team (CRT) (Mar 17)
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: HumHub 0.20.1 / 1.0.0-beta.3
Fixed in: 1.0.0
Fixed Version Link: https://www.humhub.org/en/download/default/form?version=1.0.0&type=zip
Vendor Website: https://www.humhub.org/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 01/10/2016
Disclosed to public: 03/17/2017
Release mode:...
HumHub 1.0.1: XSS
Curesec Research Team (CRT) (Mar 17)
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: HumHub 1.0.1 and earlier
Fixed in: 1.1.1
Fixed Version Link: https://www.humhub.org/en/download/default/form?version=1.1.1&type=zip
Vendor Website: https://www.humhub.org/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 01/10/2016
Disclosed to public: 03/17/2017
Release mode: Coordinated...
phplist 3.2.6: XSS
Curesec Research Team (CRT) (Mar 17)
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: phplist 3.2.6
Fixed in: 3.3.1
Fixed Version Link: https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/download
Vendor Website: https://www.phplist.org/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 01/10/2017
Disclosed to public: 02/20/2017
Release mode: Coordinated Release...
phplist 3.2.6: SQL Injection
Curesec Research Team (CRT) (Mar 17)
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: phplist 3.2.6
Fixed in: 3.3.1
Fixed Version Link: https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/download
Vendor Website: https://www.phplist.org/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 01/10/2017
Disclosed to public: 02/20/2017
Release mode: Coordinated...
Skype Insecure Library Loading Vulnerability (api-ms-win-core-winrt-string-l1-1-0.dll)
Sachin Wagh (Mar 16)
Vulnerability Title: Skype Insecure Library Loading Vulnerability
(api-ms-win-core-winrt-string-l1-1-0.dll)
Affected Product: Skype
Vendor Homepage: https://www.microsoft.com/en-us/
MSRC Case 32355 TRK:0001002846
CVE-ID : CVE-2017-6517
Severity: Medium
*Description:*
Microsoft Skype contains a DLL hijacking vulnerability that could allow an
unauthenticated attacker to execute arbitrary code on the targeted system.
This vulnerability exists due...
USB Pratirodh Insecure Password Storage Information Disclosure Vulnerability
Sachin Wagh (Mar 16)
Vulnerability Title: USB Pratirodh Insecure Password Storage Information
Disclosure Vulnerability
Affected Product: USB Pratirodh
Product Homepage: https://cdac.in/index.aspx?id=cs_eps_usb_pra
CVE-ID : CVE-2017-6911
Severity: Medium
*Description:*
USB Pratirodh is prone to sensitive information disclosure. It stores
sensitive information such as username and password hash in the usb.xml file.
An attacker with physical access to the system can...
USB Pratirodh XML External Entity Injection Vulnerability
Sachin Wagh (Mar 16)
Vulnerability Title: USB Pratirodh XML External Entity Injection
Vulnerability
Affected Product: USB Pratirodh
Product Homepage: https://cdac.in/index.aspx?id=cs_eps_usb_pra
CVE-ID : CVE-2017-6895
Severity: Medium
Class: Twentieth [CWE-611]
Impact: XML External Entity, Information Disclosure, Denial Of Service,
Author: Sachin Wagh (@tiger_tigerboy)
*Description:*
USB Pratirodh is prone to an XML External Entity injection vulnerability.
XXE...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
ESA-2017-010: EMC RecoverPoint SSL Stripping Vulnerability
EMC Product Security Response Center (Mar 20)
ESA-2017-010: EMC RecoverPoint SSL Stripping Vulnerability
EMC Identifier: ESA-2017-010
CVE Identifier: CVE-2016-6650
Severity Rating: CVSS v3 Base Score: 6.8 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).
Affected products:
EMC RecoverPoint versions prior to 5.0
EMC RecoverPoint for Virtual Machines versions prior to 5.0
Summary:
EMC RecoverPoint update contains a fix for an SSL Stripping Vulnerability that may potentially be...
[SECURITY] [DSA 3796-2] sitesummary regression update
Sebastien Delafond (Mar 20)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3796-2 security () debian org
https://www.debian.org/security/ Sebastien Delafond
March 20, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : sitesummary
Debian Bug : 852623
DSA-3796-1 for apache2...
[security bulletin] HPSBUX03596 rev.2 - HPE HP-UX running CIFS Server (Samba), Remote Access Restriction Bypass, Unauthorized Access
security-alert (Mar 20)
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05121842
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c05121842
Version: 2
HPSBUX03596 rev.2 - HPE HP-UX running CIFS Server (Samba), Remote Access
Restriction Bypass, Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date:...
CVE-2017-7183 ExtraPuTTY v029_RC2 TFTP Denial Of Service
hyp3rlinx (Mar 20)
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/EXTRAPUTTY-TFTP-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.extraputty.com
Product:
======================
ExtraPuTTY - v029_RC2
hash: d7212fb5bc4144ef895618187f532773
Also Vulnerable: v0.30 r15
hash: eac63550f837a98d5d52d0a19d938b91
ExtraPuTTY is a fork from 0.67...
[SECURITY] [DSA 3813-1] r-base security update
Moritz Muehlenhoff (Mar 20)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3813-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
March 19, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : r-base
CVE ID : CVE-2016-8714
Cory Duplantis...
[SECURITY] [DSA 3812-1] ioquake3 security update
Moritz Muehlenhoff (Mar 20)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3812-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
March 18, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : ioquake3
CVE ID : CVE-2017-6903
It was discovered...
[SECURITY] [DSA 3811-1] wireshark security update
Moritz Muehlenhoff (Mar 20)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3811-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
March 18, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : wireshark
CVE ID : CVE-2017-5596 CVE-2017-5597...
Cisco Security Advisory: Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability
psirt (Mar 20)
Cisco Security Advisory: Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability
Advisory ID: cisco-sa-20170317-cmp
Revision: 1.0
For Public Release: 2017 March 17 16:00 GMT
Last Updated: 2017 March 17 16:00 GMT
CVE ID(s): CVE-2017-3881
CVSS Score v(3): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+---------------------------------------------------------------------
Summary
=======
A...
MS Internet Information Services XSS / HTML Injection vulnerability
David FM (Mar 16)
Cross Site Scripting / HTML injection vulnerability in Microsoft
Internet Information Services web server
==================================
Versions Affected:
MS Internet Information services (All platforms and versions)
==================================
CVE Reference:
CVE-2017-0055
==================================
Vendor Fix:
Microsoft released bulletin MS017-16 and associated patches for each
affected version...
CVE-2017-6805 MobaXterm Personal Edition v9.4 Path Traversal Remote File Disclosure
hyp3rlinx (Mar 16)
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MOBAXTERM-TFTP-PATH-TRAVERSAL-REMOTE-FILE-ACCESS.txt
[+] ISR: ApparitionSec
Vendor:
=====================
mobaxterm.mobatek.net
Product:
===============================
MobaXterm Personal Edition v9.4
Enhanced terminal for Windows with X11 server, tabbed SSH client, network tools and much more.
Vulnerability Type:...
SEC Consult SA-20170316-0 :: Authenticated command injection in multiple Ubiquiti Networks products
SEC Consult Vulnerability Lab (Mar 16)
SEC Consult Vulnerability Lab Security Advisory < 20170316-0 >
=======================================================================
title: Authenticated Command Injection
product: Multiple Ubiquiti Networks products, e.g.
TS-16-CARRIER, TS-5-POE, TS-8-PRO, AG-HP-2G16,
AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M,
AirGrid M2, AirGrid M5, AR, AR-HP,...
CVE-2017-6911: USB Pratirodh Insecure Password Storage Information Disclosure Vulnerability
wsachin092 (Mar 16)
Vulnerability Title: USB Pratirodh Insecure Password Storage Information Disclosure Vulnerability
Affected Product: USB Pratirodh
Product Homepage: https://cdac.in/index.aspx?id=cs_eps_usb_pra
CVE-ID : CVE-2017-6911
Severity: Medium
Description:
USB Pratirodh is prone to sensitive information disclosure. It stores sensitive information such as username and
password hash in the usb.xml file. An attacker with physical access to the system can modify...
[slackware-security] pidgin (SSA:2017-074-01)
Slackware Security Team (Mar 15)
[slackware-security] pidgin (SSA:2017-074-01)
New pidgin packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
14.2, and -current to fix a security issue.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/pidgin-2.12.0-i586-1_slack14.2.txz: Upgraded.
This update fixes a minor security issue (out of bounds memory read in
purple_markup_unescape_entity).
For more...
Path Traversal Remote File Disclosure
hyp3rlinx (Mar 15)
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MOBAXTERM-TFTP-PATH-TRAVERSAL-REMOTE-FILE-ACCESS.txt
[+] ISR: ApparitionSec
Vendor:
=====================
mobaxterm.mobatek.net
Product:
===============================
MobaXterm Personal Edition v9.4
Enhanced terminal for Windows with X11 server, tabbed SSH client, network tools and much more....
CVE-2017-0045 Windows DVD Maker XML External Entity File Disclosure
hyp3rlinx (Mar 15)
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-DVD-MAKER-XML-EXTERNAL-ENTITY-FILE-DISCLOSURE.txt
[+] ISR: ApparitionSec
Vendor:
=================
www.microsoft.com
Product:
=================
Windows DVD Maker
v6.1.7
Windows DVD Maker is a feature you can use to make DVDs that you can watch on a computer or on a TV using a regular DVD
player....
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
SpiderFoot 2.9 released
Steve Micallef (Mar 15)
Hi all,
SpiderFoot 2.9.0 is now out, totaling almost 60 data collection/analysis
modules for your reconnaissance, footprinting and OSINT needs.
Here's what's new since 2.7.0 was announced here..
- *9* new modules:
- Base64 string finder
- Binary string searches (identifies file meta data)
- Censys.io data collection (device info)
- Cymon.io data collection (threat intel)
- Hunter.io...
Firewall Wizards — Tips and tricks for firewall administrators
Revival?
Paul Robertson (Sep 11)
Since the last few attempts to revive the list have failed, I'm going to attempt a Facebook group revival experiment.
It'll be a bit broader in scope, but I'm hoping we can discuss technical security matters. The new group is
Security-Wizards on Facebook.
Paul
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
SpiderFoot 2.9 released
Steve Micallef (Mar 16)
Hi all,
SpiderFoot 2.9.0 is now out, totaling almost 60 data collection/analysis
modules for your reconnaissance, footprinting and OSINT needs.
Here's what's new since 2.7.0 was announced here..
- *9* new modules:
- Base64 string finder
- Binary string searches (identifies file meta data)
- Censys.io data collection (device info)
- Cymon.io data collection (threat intel)
- Hunter.io...
Arachni Framework v1.5 & WebUI v0.5.11 have been released (Web Application Security Scanner)
Tasos Laskos (Feb 01)
Hey folks,
There's a new version of Arachni, a modular and high-performance Web Application Security Scanner Framework.
The highlights of this release are:
* Added arachni_reproduce utility allowing issues in reports to be reproduced.
* Browser updated to the latest PhantomJS version for improved support of modern webapps.
* New SAX based HTML parser allowing for much faster and lightweight parsing.
* Improved XSS, SQL injection,...
Faraday v2.3: Collaborative Penetration Test and Vulnerability Management Platform
Francisco Amato (Jan 31)
We are very proud to present the first 2017 edition of the Faraday
Platform! Faraday v2.3 is ready to download!
Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in real
time, letting you track and understand your audits. Our dashboard for
CISOs and managers uncovers the impact and risk being assessed by the
audit in real-time without the need for a single email....
RVAsec 2017 Call for Presentations (CFP)
Sullo (Jan 23)
The CFP for RVAsec 2017 is underway!
____________________________________
RVAsec // June 8-9th, 2017 // Richmond, VA
RVAsec is a Richmond, VA based security convention that brings top
industry speakers to the mid-Atlantic region. In its fourth year,
RVAsec 2016 attracted nearly 400 security professionals from across
the country.
Talks must be 50 minutes in length, and submissions will need to
select from one of two tracks: business or...
Faraday v2.2: Collaborative Penetration Test and Vulnerability Management Platform
Francisco Amato (Nov 23)
Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in real
time, letting you track and understand your audits. Our dashboard for
CISOs and managers uncovers the impact and risk being assessed by the
audit in real-time without the need for a single email. Developed with
a specialized set of functionalities that help users improve their own
work, the main purpose is to...
MobSF v0.9.3 is Released: Now supports Windows APPX Static Analysis
Ajin Abraham (Nov 22)
Hello Folks,
MobSF v0.9.3 is released.
About MobSF
Mobile Security Framework (MobSF) is an intelligent, all-in-one open
source mobile application (Android/iOS/Windows) automated pen-testing
framework capable of performing static and dynamic analysis. It can be
used for effective and fast security analysis of Android, iOS and
Windows mobile Applications and supports both binaries (APK, IPA &
APPX ) and zipped source code. MobSF can also...
Re: IE11 is not following CORS specification for local files
Ricardo Iramar dos Santos (Oct 13)
Same attack using XSS as vector.
Imagine that https://xss-doc.appspot.com is a site about gift cards.
The XSS payload below will create a giftcard.htm file in the default
download folder.
If the victim opens the file a GET to
https://mail.google.com/mail/u/0/#inbox will be submitted.
After the GET the file will perform a POST to
http://192.168.1.36/req.php using the GET response as a body.
An attacker would be able to read all the emails in the...
Re: IE11 is not following CORS specification for local files
Ricardo Iramar dos Santos (Oct 05)
I did a small improvement in this attack.
Using IE File API
(https://msdn.microsoft.com/en-us/library/hh772315(v=vs.85).aspx) an
attacker would be able to create a web page with the content below and
send it to a victim.
A local file with the same content that I sent previously would be
created on download default folder.
If the victim performs the three following clicks (Save, Open and Allow
blocked content) an attacker would be able to perform any...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Startups that Use PHP on HHVM
dave aitel (Mar 17)
<image about how great PHP is>
Let's say you're a 20-person startup about to develop a world-crushing
combination of IRC and Sharepoint and Imgur. You don't have any code
yet, or maybe just a POC, but you know the majority of your company
relies on a solid and secure web app. (Mobile apps are basically web
apps for purposes here).
If you read books on SDL, they have an entire (super boring) process for
you to go through,...
Re: Blinken Lights IDS
Andre Gironda (Mar 17)
So your entire defense was situated on "Are the
We can still use blinkenlights --
https://blog.cobaltstrike.com/2015/11/11/revolutionary-device-detects-mimikatz-use/
Maybe we know how to measure success --
https://www.blackhat.com/docs/eu-16/materials/eu-16-Hovor-Automating-Incident-Investigations-Sit-Back-And-Relax-Bots-Are-Taking-Over.pdf
Maybe we know how to evolve the defensive process --...
Blinken Lights IDS
dave aitel (Mar 16)
Everyone I know lived through the "Blinken-Lights-IDS" phase. This is
back when you had dial-up or perhaps very early Internet and you were
the only person on your switch, and most importantly, you slept and
lived near your computer and switch because you were a poor college
student or similar. So your entire defense was situated on "Are the
lights blinking when I'm not typing on my computer?"
Ask yourself: How far from...
Re: What has Fallen
John Strand (Mar 16)
Ok.. Let's step back even further.
At the root of all of this is the issue that old software never goes away.
Every year we add more software. Very rarely do we remove old software.
It is like a giant snowball of crap. Every year it only gets bigger.
What has Fallen
Dave Aitel (Mar 14)
No matter how "strategic" everyone says they are in our community, or in
the NatSec policy community adjacent to it, people have the localized
perspectives of a gecko, endlessly chasing moth after useless moth
attracted to the laundry-room-light of Fail that is the software
development world.
If you're going to look even a tiny tiny bit into the future, you have to
step back and say "This entire class of software is broken...
The Value of Offensive Conferences
dave aitel (Mar 06)
It's no secret that in order to get ahead, you cannot send your
technical people to BlackHat and Defcon. That's where you send your
sales engineers, which is a sad thing, since I really enjoyed the
earlier days of BH and DefCon, but the smaller conferences are a world
ahead when it comes to the technical innovations in information security
that are going to affect you, if you're doing any kind of decent job at
security already.
The...
Re: Improvements
Laurens Vets (Mar 01)
See inline.
https://github.com/airbnb/streamalert
There is a lot more that needs to be done to cover the broad range of
capabilities needed for detection and response, but StreamAlert achieves
something very important even for huge companies -- it radically lowers
the operational overhead of maintaining and scaling the infrastructure.
We really want our human capital investment concentrated on the analysis
and response phases of the process;...
Re: SHA1
Kristian Erik Hermansen (Feb 26)
I think almost all versions of OpenVPN clients for mobile devices (windows
phone?, Android, iOS) didn't traditionally support anything greater than
sha1 crypto, so all openvpn mobile clients affected? OpenVPN traditionally
also relied on weak CA configs, so it's like time-warping back 5-10 years
in browser land? And how many OpenVPN clients actually validate their
server side end properly? Some things to consider.
Re: Improvements
Dominique Brezinski (Feb 24)
inline...
https://github.com/airbnb/streamalert
There is a lot more that needs to be done to cover the broad range of
capabilities needed for detection and response, but StreamAlert achieves
something very important even for huge companies -- it radically lowers the
operational overhead of maintaining and scaling the infrastructure. We
really want our human capital investment concentrated on the analysis and
response phases of the process; the...
Re: Improvements
Oliver Friedrichs (Feb 24)
Since I’m on this list and rarely get to contribute it seems like a good time to jump in (although Phantom
coincidentally almost started by focusing on offense – google “Phantom Access” if you are curious where the name came
from): https://en.wikipedia.org/wiki/Phantom_Access. I’m sure Dave is happy about that since who needs more offense
vendors. :-)
Obviously I am biased, but IMO automation and orchestration is one of the few new...
Re: SHA1
Ryan Kiser (Feb 24)
While I’m probably not qualified to answer this question in a totally comprehensive way, the following technet article
is illuminating if you ever find yourself wondering what SHA1 is still valid for in Microsoft land.
https://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx
<...
Re: SHA1
William Reyor (Feb 24)
I believe this affects mostly certificates and ipsec configurations.
SHA1
Dave Aitel (Feb 23)
So what is it that breaking SHA1 gets you on Windows boxes?
-dave
Re: Improvements
Dominique Brezinski (Feb 23)
All the notable, large tech companies and cloud providers roll their own everything. Most of the hyperscale companies
buy very little third-party security product. The things they build are everything from a little python glue to massive
analytics systems backed by software development teams running on tens of thousands of cores, tens of terabytes of ram,
and tens of petabytes of storage.
Automating as much detection through response is the...
Re: Improvements
Jimmy D (Feb 23)
That pressure isn’t just from the C-suite. Many of us have been burned (at least indirectly) by a tool author who
either abandoned locally built tools or who tried to use their knowledge of one as a form of blackmail in salary
negotiations or promotions. Add to that the fact that I pay people to perform specific functions usually aligned with
their core skills. I’ve generally had tremendous respect for my team members (else they’d be...
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
Re: [Security Weekly] cheap hosting
Robin Wood (Sep 23)
Resurrecting an old thread but they now have an affiliate program and I can
issue my own codes so:
20% off all servers AqUVYbUXag
50% off all big dog (whatever that is) 7E9YRUzEZy
After a month with them, their tech support is OK but not great, the server
has stayed up and not had any problems.
Robin
Re: [Security Weekly] projecting in a bright space
Jeremy Pommerening (Aug 28)
I would look for a projector with at least 6000 ANSI Lumens or better. A darker screen (grey) may also help.
Jeremy Pommerening
________________________________
From: Robin Wood <robin () digi ninja>
To: Security Weekly Mailing List <pauldotcom () mail securityweekly com>
Sent: Sunday, August 3, 2014 3:42 AM
Subject: [Security Weekly] projecting in a bright space
I've been looking at the venue for next year's...
[Security Weekly] Two Firefox security bugs related to HTTPS
ffbugishere (Aug 17)
Hello world!
We need votes for security bugs!
Adding "Security Exception" for self-signed HTTPS sites cannot be done
permanently
https://bugzilla.mozilla.org/show_bug.cgi?id=1050100
Firefox 31 doesn't support the industry recommended best HTTPS
ciphers
https://bugzilla.mozilla.org/show_bug.cgi?id=1051210
Other browsers should have the same bugs fixed..
p.s.: We are not related to this group, but we think they are worth a
penny...
Re: [Security Weekly] Java and Flash decompilers
Will Metcalf (Aug 05)
JPEXS is very nice for flash IMHO.
http://www.free-decompiler.com/flash/
Regards,
Will
Re: [Security Weekly] Java and Flash decompilers
Bradley McMahon (Aug 05)
I've used flare before to pull apart a flash site for a client.
http://www.nowrap.de/flare.html
-Brad
Re: [Security Weekly] SecurityCenter alternative
Steven McGrath (Aug 04)
SC certainly isn’t cheap (as a former SC customer that moved over to Tenable I can attest to that) however I can point
out that the data aggregation, trending, and custom reporting were huge wins in my book. I guess it's a time/money
trade-off. How much time do you want to spend either cobbling together a tool or manually aggregating the data when
there is another tool already out there that can do it out of the box.
I can speak in more...
Re: [Security Weekly] Java and Flash decompilers
S. White (Aug 04)
A few I've used in the past:
JAD - http://varaneckas.com/jad/ , http://en.wikipedia.org/wiki/JAD_(JAva_Decompiler)
HP SWFscan
Adobe SWF investigator http://labs.adobe.com/technologies/swfinvestigator/
________________________________
From: Robin Wood <robin () digi ninja>
To: Security Weekly Mailing List <pauldotcom () mail securityweekly com>
Sent: Monday, August 4, 2014 5:54 AM
Subject: [Security Weekly] Java and...
[Security Weekly] DoFler @ BSidesLV
Steven McGrath (Aug 04)
This will be the 3rd year that DoFler (the Dashboard of Fail) will be at BSidesLV. This year I wrote a new spiffy
interface for maximum trolling. Let’s be honest now, everyone loves to surf for various forms of horrible on the
internet at cons :D. Also added this year is a little vulnerability analysis (using Tenable’s PVS). Every year I try
to improve it a bit based on everyone’s input, and am always welcome to more feedback.
DB...
Re: [Security Weekly] cheap hosting
Robin Wood (Aug 04)
Already sorted but thanks for the info.
Re: [Security Weekly] Java and Flash decompilers
Nathan Sweaney (Aug 04)
Here are a few others I've used with varying success in the past:
SWFInvestigator - http://labs.adobe.com/technologies/swfinvestigator/
SWFScan - from Rafal Los at HP, though the link has been deleted. (Careful,
I've seen trojaned copies online.)
Re: [Security Weekly] SecurityCenter alternative
Paul Asadoorian (Aug 04)
Thanks all for the informative discussion!
I know, I'm jumping in late, some closing thoughts on the subject:
- SecurityCenter has the unique advantage of consolidating plugin
updates, meaning you could have hundreds of Nessus scanners deployed in
your organization, and the scanners get the plugin feed from your
SecurityCenter system. This removes the requirement of Internet access
(From the scanners), and greatly eases the administration...
Re: [Security Weekly] SecurityCenter alternative
k41zen (Aug 04)
Thanks for all of your help.
We are in discussions with our Tenable contact about solutions for this issue. They’ve helped me out by enabling me to
move forward to at least deploy this into a Pre-Production environment but the costs of SC are a massive stumbling
block; hence my question about something else. Appreciate we have a big Nessus fan base here of which I am a member
too, but just wondered what could be wrapped around it.
I’ll...
Re: [Security Weekly] SecurityCenter alternative
Adrien de Beaupre (Aug 04)
Hi,
I have also written a series of scripts to collect data from tools such as
nmap and nessus to import into MySQL called OSSAMS:
http://www.ossams.com/wp-content/uploads/2011/10/ossams-parser-SecTor-2011.zip
That leaves report writing as a series of SQL queries.
I also have a series of scripts to kick off scans, as well as a
command-line XML-RPC nessus client in python if anyone is interested.
Cheers,
Adrien
Re: [Security Weekly] cheap hosting
sec list (Aug 04)
Hey Robin,
If you're still looking, might want to try out getclouder.com - they
spin up Linux containers in 5 seconds and use distributed storage, which
is pretty awesome. It's still in beta, so they offer 3 months free
service, but it has been pretty stable so far from my experience.
[Security Weekly] Java and Flash decompilers
Robin Wood (Aug 04)
Hi
I'm trying to put together a list of tools for decompiling Flash and Java
apps. From asking on another list I already have:
Java
JD-GUI
Java Decompiler http://jd.benow.ca/jd-gui/downloads/jd-gui-0.3.6.windows.zip.
Java snoop https://code.google.com/p/javasnoop/
Flash
Trillix
Flashbang https://github.com/cure53/Flashbang
Has anyone here got any others they can suggest?
Ideally I'm looking for free stuff but cheap commercial...
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
Honeypot malware archives
Matteo Cantoni (Feb 14)
Hello everyone,
I would like to share with you, for educational purposes and without any
commercial purpose, data collected by my homemade honeypot.
Nothing new, nothing shocking, nothing sensational... but I think it can
be of interest to newcomers to the world of analysis of malware,
botnets, etc... maybe for a thesis.
The files collected are divided into zip archives, in alphabetical
order, with password (which must be requested via email). Some...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Bulletin Minor Revisions
Microsoft (Mar 17)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: February 23, 2017
********************************************************************
Summary
=======
The following bulletins and/or bulletin summaries have undergone a
minor revision increment.
Please see the appropriate bulletin for more details.
* MS16-084
* MS16-JUL
Bulletin Information:...
Microsoft Security Bulletin Summary for March 2017
Microsoft (Mar 14)
********************************************************************
Microsoft Security Bulletin Summary for March 2017
Issued: March 14, 2017
********************************************************************
This bulletin summary lists security bulletins released for
March 2017.
The full version of the Microsoft Security Bulletin Summary for
March 2017 can be found at
<https://technet.microsoft.com/library/security/ms17-mar>....
Microsoft Security Advisory Notification
Microsoft (Mar 14)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: March 14, 2017
********************************************************************
Security Advisories Released or Updated Today
==============================================
* Microsoft Security Advisory 3123479
- Title: SHA-1 Hashing Algorithm for Microsoft Root Certificate
Program
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Feb 23)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: February 23, 2017
********************************************************************
Summary
=======
The following bulletins and/or bulletin summaries have undergone a
minor revision increment.
Please see the appropriate bulletin for more details.
* MS16-155
Bulletin Information:
=====================
MS16-155...
Microsoft Security Bulletin Minor Revisions
Microsoft (Feb 23)
Microsoft Security Bulletin Summary for February 2017
Microsoft (Feb 21)
********************************************************************
Microsoft Security Bulletin Summary for February 2017
Issued: February 21, 2017
********************************************************************
This bulletin summary lists security bulletins released for
February 2017.
The full version of the Microsoft Security Bulletin Summary for
February 2017 can be found at
<https://technet.microsoft.com/library/security/ms17-feb...
Microsoft Security Advisory Notification
Microsoft (Jan 27)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: January 27, 2017
********************************************************************
Security Advisories Released or Updated Today
==============================================
* Microsoft Security Advisory 4010983
- Title: Vulnerability in ASP.NET Core MVC 1.1.0 Could Allow Denial of
Service
-...
Microsoft Security Advisory Notification
Microsoft (Jan 10)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: January 10, 2017
********************************************************************
Security Advisories Released or Updated Today
==============================================
* Microsoft Security Advisory 3214296
- Title: Vulnerabilities in Identity Model Extensions Token Signing
Verification
-...
Microsoft Security Bulletin Summary for January 2017
Microsoft (Jan 10)
********************************************************************
Microsoft Security Bulletin Summary for January 2017
Issued: January 10, 2017
********************************************************************
This bulletin summary lists security bulletins released for
January 2017.
The full version of the Microsoft Security Bulletin Summary for
January 2017 can be found at
<https://technet.microsoft.com/library/security/ms17-jan>....
Microsoft Security Bulletin Releases
Microsoft (Dec 19)
********************************************************************
Title: Microsoft Security Bulletin Releases
Issued: December 19, 2016
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
* MS16-155 - Important
Bulletin Information:
=====================
MS16-155
- Title: Security Update for .NET Framework (3205640)
-...
Microsoft Security Bulletin Summary for December 2016
Microsoft (Dec 13)
********************************************************************
Microsoft Security Bulletin Summary for December 2016
Issued: December 13, 2016
********************************************************************
This bulletin summary lists security bulletins released for
December 2016.
The full version of the Microsoft Security Bulletin Summary for
December 2016 can be found at
<https://technet.microsoft.com/library/security/ms16-dec...
Microsoft Security Bulletin Releases
Microsoft (Dec 13)
********************************************************************
Title: Microsoft Security Bulletin Releases
Issued: December 13, 2016
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
October
* MS16-118 - Critical
* MS16-120 - Critical
* MS16-122 - Critical
* MS16-123 - Important
* MS16-124 - Important
* MS16-126 - Moderate
November
*...
Microsoft Security Bulletin Minor Revisions
Microsoft (Dec 13)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: November 23, 2016
********************************************************************
Summary
=======
The following bulletins and/or bulletin summaries have undergone a
minor revision increment.
Please see the appropriate bulletin for more details.
* MS16-130
* MS16-140
Bulletin Information:...
Microsoft Security Bulletin Minor Revisions
Microsoft (Nov 23)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: November 23, 2016
********************************************************************
Summary
=======
The following bulletins and/or bulletin summaries have undergone a
minor revision increment.
Please see the appropriate bulletin for more details.
* MS16-130
* MS16-140
Bulletin Information:...
Microsoft Security Bulletin Releases
Microsoft (Nov 16)
********************************************************************
Title: Microsoft Security Bulletin Releases
Issued: November 15, 2016
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
* MS16-133 - Important
Bulletin Information:
=====================
MS16-133
- Title: Security Update for Microsoft Office (3199168)
-...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Verizon: 1.5M of Contact Records Stolen, Now on Sale
Jeffrey Walton (Mar 26)
http://www.mobipicker.com/verizon-1-5m-contact-records-stolen-now-sale/:
A business to business telecommunication giant,
Verizon Enterprise Solutions, a Basking Ridge,
New Jersey-based company, has been the latest
victim of a cyber crime that stole 1.5 million contact
records of the customers of Verizon...
I don't quite understand this double talk. Could someone explain to me:
A spokesperson from Verizon said that...
Statement on Lavabit Citation in Apple Case
Jeffrey Walton (Mar 16)
(From John Young on another list):
http://www.facebook.com/KingLadar/posts/10156714933135038
As many of you already know, the government cited the Lavabit case in
a footnote. The problem is their description insinuates a precedent
that was never created. Obviously I was somewhat disturbed by their
misrepresentation. So I decided to draft a statement. And keep in
mind, these are the same people who say "trust us." Click continue to
read...
The NSA's back door has given every US secret to our enemies
Jeffrey Walton (Feb 29)
http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2
Deng Xiaoping, in 1979 - his second year as supreme leader of China -
perceived a fundamental truth that has yet to be fully grasped by most
Western leaders: Software, if properly weaponized, could be far more
destructive than any nuclear arsenal.
Under Deng’s leadership, China began one of the most ambitious and
sophisticated meta-software...
Can Spies Break Apple Crypto?
Jeffrey Walton (Feb 27)
Here's an interesting exchange between Cryptome and Michael Froomkin,
Law Professor at University of Miami, on the All Writs Act
(http://cryptome.org/2016/02/can-spies-break-apple-crypto.htm):
-----
A. Michael Froomkin:
The factual posture in the key Supreme Court precedent, New York
Telephone, involved a situation where only the subject of the order
was capable of providing the assistance at issue. This is the basis
for Apple's...
The FBI's iPhone Problem: Tactical vs. Strategic Thinking
Jeffrey Walton (Feb 23)
http://www.technewsworld.com/story/83130.html
I'm an ex-sheriff, and I've been in and out of security jobs for much
of my life, so I've got some familiarity with the issues underlying
the drama between the FBI and Apple. FBI officials -- and likely those
in every other three-letter agency and their counterparts all over the
world -- would like an easier way to do their jobs. Wouldn't we all?
If they could put cameras in...
Wanted: Cryptography Products for Worldwide Survey
Jeffrey Walton (Jan 01)
(http://www.schneier.com/crypto-gram/archives/2015/1215.html):
In 1999, Lance Hoffman, David Balenson, and others published a survey
of non-US cryptographic products. The point of the survey was to
illustrate that there was a robust international market in these
products, and that US-only export restrictions on strong encryption
did nothing to prevent its adoption and everything to disadvantage US
corporations. This was an important contribution...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
IRS Warns of Last-Minute Tax Scams
US-CERT (Mar 17)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
IRS Warns of Last-Minute Tax Scams [
https://www.us-cert.gov/ncas/current-activity/2017/03/17/IRS-Warns-Last-Minute-Tax-Scams ] 03/17/2017 11:21 PM EDT
Original release date: March 17, 2017
The Internal Revenue Service (IRS) has released an alert warning of phishing email scams targeting last-minute tax
filers. The alert describes common features of these cyber...
Microsoft Ending Support for Windows Vista
US-CERT (Mar 16)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Microsoft Ending Support for Windows Vista [
https://www.us-cert.gov/ncas/current-activity/2017/03/17/Microsoft-Ending-Support-Windows-Vista ] 03/17/2017 12:45 AM
EDT
Original release date: March 17, 2017
All software products have a lifecycle. After April 11, 2017, Microsoft is ending support for the Windows Vista
operating system. After this date, this product...
Microsoft SMBv1 Vulnerability
US-CERT (Mar 16)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Microsoft SMBv1 Vulnerability [ https://www.us-cert.gov/ncas/current-activity/2017/03/16/Microsoft-SMBv1-Vulnerability
] 03/16/2017 06:12 PM EDT
Original release date: March 16, 2017
Microsoft has released a security update to address a vulnerability in implementations of Server Message Block 1.0
(SMBv1). Exploitation of this vulnerability could allow a remote...
TA17-075A: HTTPS Interception Weakens TLS Security
US-CERT (Mar 16)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
TA17-075A: HTTPS Interception Weakens TLS Security [ https://www.us-cert.gov/ncas/alerts/TA17-075A ] 03/16/2017 08:40
AM EDT
Original release date: March 16, 2017
Systems Affected
All systems behind a hypertext transfer protocol secure (HTTPS) interception product are potentially affected.
Overview
Many organizations use HTTPS interception products for several...
Drupal Releases Security Update
US-CERT (Mar 15)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Drupal Releases Security Update [
https://www.us-cert.gov/ncas/current-activity/2017/03/15/Drupal-Releases-Security-Update ] 03/15/2017 08:21 PM EDT
Original release date: March 15, 2017
Drupal has released an advisory to address vulnerabilities in Drupal core 8.x versions prior to 8.2.7. A remote
attacker could exploit some of these vulnerabilities to take...
Cisco Releases Security Updates
US-CERT (Mar 15)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Cisco Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/03/15/Cisco-Releases-Security-Updates ] 03/15/2017 08:26 PM EDT
Original release date: March 15, 2017
Cisco has released several updates to address vulnerabilities affecting multiple products. A remote attacker could
exploit these vulnerabilities to take control of an affected...
VMware Releases Security Updates
US-CERT (Mar 14)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
VMware Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/03/14/VMware-Releases-Security-Updates ] 03/14/2017 03:52 PM EDT
Original release date: March 14, 2017
VMware has released security updates to address a vulnerability in Workstation and Fusion. A remote attacker could
exploit this vulnerability and take control of an affected...
Adobe Releases Security Updates
US-CERT (Mar 14)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Adobe Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/03/14/Adobe-Releases-Security-Updates ] 03/14/2017 03:35 PM EDT
Original release date: March 14, 2017
Adobe has released security updates to address vulnerabilities in Adobe Flash Player and Shockwave Player. Exploitation
of some of these vulnerabilities may allow a remote...
Microsoft Releases March 2017 Security Bulletin
US-CERT (Mar 14)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Microsoft Releases March 2017 Security Bulletin [
https://www.us-cert.gov/ncas/current-activity/2017/03/14/Microsoft-Releases-March-2017-Security-Bulletin ] 03/14/2017
01:22 PM EDT
Original release date: March 14, 2017
Microsoft has released 17 updates to address vulnerabilities in Microsoft software. Exploitation of some of these
vulnerabilities could allow a...
IRS Releases Tax-Time Guide
US-CERT (Mar 09)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
IRS Releases Tax-Time Guide [ https://www.us-cert.gov/ncas/current-activity/2017/03/09/IRS-Releases-Tax-Time-Guide ]
03/09/2017 09:29 PM EST
Original release date: March 09, 2017
The Internal Revenue Service (IRS) has released tax-time advice intended to help the public protect their personal and
financial data and computers. Recommendations include using strong...
Google Releases Security Update for Chrome
US-CERT (Mar 09)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Google Releases Security Update for Chrome [
https://www.us-cert.gov/ncas/current-activity/2017/03/09/Google-Releases-Security-Update-Chrome ] 03/09/2017 05:46 PM
EST
Original release date: March 09, 2017
Google has released Chrome version 57.0.2987.98 for Windows, Mac, and Linux. This version addresses multiple
vulnerabilities that, if exploited, may allow an...
Apache Software Foundation Releases Security Updates
US-CERT (Mar 08)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Apache Software Foundation Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/03/08/Apache-Software-Foundation-Releases-Security-Updates ]
03/08/2017 06:32 PM EST
Original release date: March 08, 2017
The Apache Software Foundation has released security updates to address a vulnerability in Struts 2. A remote attacker
could exploit...
National Consumer Protection Week
US-CERT (Mar 08)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
National Consumer Protection Week [
https://www.us-cert.gov/ncas/current-activity/2017/03/08/National-Consumer-Protection-Week ] 03/08/2017 03:11 AM EST
Original release date: March 08, 2017
March 5-11 is National Consumer Protection Week (NCPW), an event to encourage people and businesses to learn more about
avoiding scams and understanding consumer rights....
Mozilla Releases Security Update
US-CERT (Mar 07)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Mozilla Releases Security Update [
https://www.us-cert.gov/ncas/current-activity/2017/03/07/Mozilla-Releases-Security-Update ] 03/07/2017 04:12 PM EST
Original release date: March 07, 2017
Mozilla has released a security update to address multiple vulnerabilities in Firefox. A remote attacker could exploit
some of these vulnerabilities to take control of an...
WordPress Releases Security Update
US-CERT (Mar 06)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
WordPress Releases Security Update [
https://www.us-cert.gov/ncas/current-activity/2017/03/06/WordPress-Releases-Security-Update ] 03/06/2017 03:41 PM EST
Original release date: March 06, 2017
WordPress 4.7.2 and prior versions are affected by multiple vulnerabilities. A remote attacker could exploit some of
these vulnerabilities to take control of an affected...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
CVE-2017-5644 - Possible DOS (Denial of Service) in Apache POI versions prior to 3.15
Dominik Stadler (Mar 20)
Hi,
Vendor: The Apache Software Foundation
Versions affected: all versions prior to version 3.15
Apache POI in versions prior to release 3.15 allows remote attackers to
cause a denial of service (CPU consumption)
via a specially crafted OOXML file, aka an XML Entity Expansion (XEE)
attack.
Users with applications which accept content from external or untrusted
sources are advised to upgrade to
Apache POI 3.15 or newer.
Thanks to Xiaolong Zhu...
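The advisory above concerns XML entity expansion, where a few hundred bytes of nested entity declarations expand to gigabytes once a parser resolves them. What follows is an added example, not code from Apache POI or from the advisory: a pre-parse check that computes the fully expanded size of every general entity declared in the internal DTD subset without expanding anything, and rejects a document whose body references would grow past a budget. The budget values, the regular expressions and the two sample documents are constructed for the example; a strict parser that also refuses external and parameter entities is still needed behind it.

```python
"""Pre-parse check for XML entity expansion (XEE, "billion laughs").

Added example, not code from Apache POI or the advisory. It reads the
internal DTD subset, computes how large each general entity becomes when
fully expanded, and rejects a document whose body references would expand
past a budget. Nothing is expanded, so the check is linear in DTD size.
"""
import re

# Budgets are assumptions for this example, not values used by Apache POI.
MAX_EXPANDED_CHARS = 1_000_000  # absolute cap on expanded entity text
MAX_AMPLIFICATION = 100         # expanded size / size of the entity text declared

DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*(?:\[(.*?)\])?\s*>', re.S)
# Literal general entities only; parameter (%) and external (SYSTEM/PUBLIC)
# entities do not match here and must be rejected by separate XXE hardening.
ENTITY_DECL = re.compile(r'''<!ENTITY\s+([^\s%]+)\s+(?:"([^"]*)"|'([^']*)')\s*>''')
ENTITY_REF = re.compile(r'&([^;&\s<]+);')
PREDEFINED = {'lt', 'gt', 'amp', 'apos', 'quot'}

class EntityExpansionError(ValueError):
    """Raised when a document would expand past the configured budget."""

def split_doctype(xml_text):
    """Return (internal DTD subset, document text with the DOCTYPE removed)."""
    m = DOCTYPE.search(xml_text)
    if not m:
        return '', xml_text
    return m.group(1) or '', xml_text[:m.start()] + xml_text[m.end():]

def declared_entities(internal_subset):
    """Map entity name -> replacement text; the first declaration of a name wins."""
    entities = {}
    for name, dq, sq in ENTITY_DECL.findall(internal_subset):
        entities.setdefault(name, dq or sq)
    return entities

def expanded_size(name, entities, memo, active):
    """Characters that entity `name` becomes after full recursive expansion."""
    if name.startswith('#') or name in PREDEFINED:
        return 1                      # character reference or built-in entity
    if name in memo:
        return memo[name]
    if name in active:
        raise EntityExpansionError('recursive entity reference: &%s;' % name)
    text = entities.get(name)
    if text is None:
        return len(name) + 2          # undeclared: counted literally (a strict parser rejects it)
    active.add(name)
    size, pos = 0, 0
    for ref in ENTITY_REF.finditer(text):
        size += ref.start() - pos + expanded_size(ref.group(1), entities, memo, active)
        pos = ref.end()
    size += len(text) - pos
    active.discard(name)
    memo[name] = size
    return size

def expansion_size(xml_text):
    """Total characters the body's entity references would expand to."""
    subset, body = split_doctype(xml_text)
    entities, memo = declared_entities(subset), {}
    # References inside comments or CDATA would not really expand; counting
    # them too only makes the estimate more conservative.
    return sum(expanded_size(r.group(1), entities, memo, set())
               for r in ENTITY_REF.finditer(body))

def check_document(xml_text):
    """Return the expansion size, or raise EntityExpansionError when over budget."""
    subset, _ = split_doctype(xml_text)
    declared = sum(len(v) for v in declared_entities(subset).values())
    total = expansion_size(xml_text)
    if total > MAX_EXPANDED_CHARS:
        raise EntityExpansionError('expansion of %d chars exceeds %d' % (total, MAX_EXPANDED_CHARS))
    if declared and total > MAX_AMPLIFICATION * declared:
        raise EntityExpansionError('amplification %.0fx exceeds %dx' % (total / declared, MAX_AMPLIFICATION))
    return total

def is_safe(xml_text):
    """True when check_document accepts the text, False when it rejects it."""
    try:
        check_document(xml_text)
        return True
    except EntityExpansionError:
        return False

def billion_laughs(levels=9):
    """Constructed sample: the classic nested-entity document (never expanded here)."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, levels + 1):
        ref = '&lol;' if i == 1 else '&lol%d;' % (i - 1)
        decls.append('<!ENTITY lol%d "%s">' % (i, ref * 10))
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n%s\n]>\n<lolz>&lol%d;</lolz>\n'
            % ('\n'.join(decls), levels))

# Constructed benign sample: one short entity reused a few times.
BENIGN = ('<?xml version="1.0"?>\n<!DOCTYPE doc [ <!ENTITY co "Example Corp"> ]>\n'
          '<doc>&co; &amp; &co; &#169; &co;</doc>\n')
```

Run check_document over each XML part taken out of the OOXML zip before the real parse; a part that declares no entities costs one regex scan. The amplification ratio is the more useful of the two limits: a legitimate document rarely multiplies its declared entity text by more than a handful of times, whereas the nine-level sample above multiplies roughly 450 declared bytes into three billion characters.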
Re: CVE Request: Irssi use after free in netjoin condition (2017/03)
Ailin Nemui (Mar 20)
-------- Forwarded Message --------
From: cve-request () mitre org
Subject: Re: [scr308011] Irssi - 1.0.0, 1.0.1
Date: Mon, 20 Mar 2017 09:14:07 -0400
Use CVE-2017-7191.
--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]
libpcre: invalid memory read in _pcre32_xclass (pcre_xclass.c)
Agostino Sarubbo (Mar 20)
Description:
libpcre is a perl-compatible regular expression library.
A fuzz on libpcre1 through the pcretest utility revealed an invalid memory read. Upstream says that this bug is fixed
by one of the previous commits. However, I'm providing, as usual, the stacktrace and the
reproducer, so if you are not running the latest upstream release, as happens on Debian/RHEL based distros, you may
want to check the status of this bug more carefully.
The...
libpcre: heap-based buffer overflow in regexflip8_or_16 (pcretest.c)
Agostino Sarubbo (Mar 20)
Description:
libpcre is a perl-compatible regular expression library.
A fuzz on libpcre1 through the pcretest utility revealed a heap overflow in the utility itself. Feedback
from upstream follows.
I am not going to do anything about this one. (a) It is concerned with a feature of pcretest that has been dropped from
pcre2test, and (b) the input contains binary zeros, which are not supported in
pcretest input. This is documented for...
libpcre: two stack-based buffer overflow write in pcre32_copy_substring (pcre_get.c)
Agostino Sarubbo (Mar 20)
Description:
libpcre is a perl-compatible regular expression library.
A fuzz on libpcre1 through the pcretest utility revealed two stack overflow writes. Upstream says that these bugs are
fixed by one of the previous commits. However, I'm providing, as usual, the stacktrace
and the reproducer, so if you are not running the latest upstream release, as happens on Debian/RHEL based distros,
you may want to check the status of this bug more carefully.
The...
libpcre: invalid memory read in match (pcre_exec.c)
Agostino Sarubbo (Mar 20)
Description:
libpcre is a perl-compatible regular expression library.
A fuzz on libpcre1 through the pcretest utility revealed an invalid read in the library. For those interested in a
detailed description of the bug, feedback from upstream follows:
This was a genuine bug in the 32-bit library. Thanks for finding it. The crash was caused by trying to find a Unicode
property for a code value greater than 0x10ffff, the Unicode maximum,...
libpcre: NULL pointer dereference in main (pcretest.c)
Agostino Sarubbo (Mar 20)
Description:
libpcre is a perl-compatible regular expression library.
A fuzz on libpcre1 through the pcretest utility revealed a null pointer dereference in the utility itself. Given the
nature of the crash, it is not security relevant because the library is not affected,
but if you have a web application that calls the pcretest utility directly to parse untrusted data, then you are
affected.
Also, it is important to share the details because some...
libpcre: invalid memory read in phar (pcretest.c)
Agostino Sarubbo (Mar 20)
Description:
libpcre is a perl-compatible regular expression library.
A fuzz on libpcre1 through the pcretest utility revealed an invalid read in the utility itself. Given the nature of the
crash, it is not security relevant because the library is not affected, but if you
have a web application that calls the pcretest utility directly to parse untrusted data, then you are affected.
Also, it is important to share the details because some...
git: CVE-2014-9938: does not sanitize branch names in $PS1 allowing command execution
Salvatore Bonaccorso (Mar 19)
Hi
MITRE has assigned CVE-2014-9938 for an older issue in the contrib
script in git, where git-prompt.sh did not sanitize the branch name in
$PS1, exploitable for command execution by a malicious repository.
The upstream fix is
https://github.com/git/git/commit/8976500cbbb13270398d3b3e07a17b8cc7bff43f
Regards,
Salvatore
Re: CVE-2016-3631 - libtiff 4.0.6 illegal read
Alan Coopersmith (Mar 18)
While this CVE is not listed in the libtiff 4.0.7 release notes, that
version appears to resolve it via this release note item:
'The libtiff tools rgb2ycbcr and thumbnail are only built in the build
tree for testing.'
I still can't find a bug id specifically for this one in the libtiff bug
tracker, but for the similar CVE-2016-3634 this removal is listed as the
resolution in...
Re: Dealing with CVEs that apply to unspecified package versions
Jerome Athias (Mar 18)
We also have this "Is File Version Comparison Sufficient Over Time?"
discussion in the OVAL Developer ml.
Yes, a reference to a commit is good to have, if you have time/resources
for manual vulnerability analysis
There is a trade-off, but I guess the point here is more on how to increase
automation for mitigation/remediation of software vulnerabilities.
Operation Rosehub is one example illustrating why it's important
Re: Dealing with CVEs that apply to unspecified package versions
Brian May (Mar 18)
Ludovic Courtès <ludo () gnu org> writes:
I am not sure the software version helps that much. It can lead to
incorrect decisions. For example, for security flaw B upstream might say
versions before Y.Y.Y are not applicable - let's say version X.X.X <
Y.Y.Y, and as such is OK, because they do not contain the vulnerable
code. In fact, somebody could check the code and mark this security flaw
as not applicable.
Meanwhile, somebody else gets...
CVE-2017-6967 xrdp PAM auth_start_session()
Seth Arnold (Mar 17)
Hello, CVE-2017-6967 has been assigned to xrdp for an incorrect placement
of auth_start_session().
Full details are at:
https://github.com/neutrinolabs/xrdp/issues/350
https://github.com/neutrinolabs/xrdp/pull/694
https://github.com/neutrinolabs/xrdp/pull/695
https://bugs.launchpad.net/ubuntu/+source/xrdp/+bug/1672742
I believe this is the change upstream has chosen to use:...
Re: CVE-2017-3305 - The Riddle vulnerability in MySQL client (public disclosure)
Solar Designer (Mar 17)
That's very nice, but per oss-security list content guidelines technical
detail should also be included in postings. Attached as text/plain, for
archival.
http://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines
Alexander
Technical section
DISCLAIMER: THE FOLLOWING SECTION IS UNIMPORTANT FOR THE MAJORITY OF
PEOPLE AS IT IS NOT USEFUL FOR THE MEDIA OR ANY OTHER NEWS RELATED
WEBSITES DUE TO BORING...
CVE-2017-3305 - The Riddle vulnerability in MySQL client (public disclosure)
Pali Rohár (Mar 17)
Hi!
There is a new vulnerability in MySQL client versions 5.5 and 5.6 which
is related to SSL/TLS encryption and to older BACKRONYM vulnerability.
As is common, a new vulnerability should have a name, logo and website.
So enjoy the *Riddle* at http://riddle.link/
Affected are only Oracle's MySQL clients in all versions 5.5 and 5.6
when SSL/TLS encryption is used. Verification of encryption parameters
and existence of SSL/TLS layer by...
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
Silver Bullet 123: Yanek Korff
Gary McGraw (Jul 06)
hi sc-l,
The latest installment of Silver Bullet was posted this morning. Silver Bullet episode 123 features a conversation
with Yanek Korff. Yanek worked for many years at Cigital as a system administrator back in the early days. He then
moved on to operational security work at AOL and running managed security services at Mandiant.
We talk about managing technical people in this episode. We also discuss operational security. Have a...
Educause Security Discussion — Securing networks and computers in an academic environment.
PGP key signing at #security17
Ken Connelly (Mar 17)
For those of you heading to Denver for the Security Professionals
Conference in May, please consider participating in the PGP key signing
event on Tuesday evening at 6:30. The event is sponsored by REN-ISAC
but is open to all SPC attendees.
The agenda abstract:
https://events.educause.edu/security-professionals-conference/2017/agenda/pgp-key-signing
And the details:
http://www.ren-isac.net/events/educause_security17_keysigning.html
The actual...
Re: End Point protection
McHugh, Susan (Mar 17)
We will be deploying the Sophos suite in April. They really have some nice products for the price.
Susan McHugh, MBA
CIO, Information Technology Services
P: 978-630-9174
E: s_mchugh () mwcc mass edu<mailto:s_mchugh () mwcc mass edu>
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hugh
Burley
Sent: Friday, March 17, 2017 12:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject:...
Re: End Point protection
Christian Emond (Mar 17)
And I can add that with the recent Invincea acquisition, it is going to be interesting to see the new functionalities for
the future releases.
https://blogs.sophos.com/2017/02/08/sophos-grows-anti-malware-ensemble-with-invincea/
Re: End Point protection
Hugh Burley (Mar 17)
I continue to recommend Sophos as a strong player for end point security. They have a full set of tools running under
one fairly user friendly console. Their NGAV solution is X-Intercept.
PAN's Traps also looks like an interesting option in that space, with the added advantage of integrating with their
WildFire solution at the perimeter. We are just going through an evaluation of these two options.
Hugh Burley
Manager Information Security...
Re: End Point protection
Nicholas Garigliano (Mar 17)
In doing some research along similar lines I found this webcast and the
accompanying doc by Barbara Filkins to be informative:
http://www.sans.org/webcasts/ready-replace-av-criteria-evaluate-ngav-solutions-102827
.
Nick Garigliano
Network Security Engineer
Enterprise & Network Solutions
Nazareth College
585 389-2109
On Fri, Mar 17, 2017 at 8:11 AM, Warner, David F <DWarner () commnet edu>
wrote:
Re: End Point protection
Baillio, Aaron (Mar 17)
We're about 4 months into deployment of Cylance through Dell. There are pros and cons to going through Dell, but the
Cylance product is phenomenal. I couldn't be happier with this next gen product. Our customers are happier with the
smaller resource footprint and the security team is happier that 95% or more of threats will actually be captured and
remediated.
We did a rip and replace of a traditional AV product. We conducted a...
Re: End Point protection
Warner, David F (Mar 17)
McAfee Endpoint Security includes many protections beyond VirusScan.
*************************************************
David Warner
Senior Security Specialist
Connecticut State Colleges and Universities (CSCU)
*************************************************
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Urrea,
Nick
Sent: Thursday, March 16, 2017 3:01 PM
To: SECURITY () LISTSERV...
Re: End Point protection
Shen, Philip *HS (Mar 16)
+1 for ESET at my former job; highly recommend, plus it has a HIPS-based firewall.
Phil
________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Haas, Mike
<mhaas () LRHSD ORG>
Sent: Thursday, March 16, 2017 6:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] End Point protection
We have malwarebytes in addition to eset on our desktops....
Re: End Point protection
Haas, Mike (Mar 16)
We have malwarebytes in addition to eset on our desktops.
Sent from my iPhone
-------------------------
Michael Haas
Information Technology Coordinator
Lenape Regional High School District
Re: End Point protection
Christian Emond (Mar 16)
Hi all,
While reading your comments, a question comes to my mind.
For those of you who are going to implement a NGAV, is it to replace your traditional AV, or is it seen as a complement?
And does it cover all your Workstations and Servers(Physical and Virtual)?
Thanks,
Re: End Point protection
Ludwig, Linda (Mar 16)
We are in the process of implementing Palo Alto Traps. Very impressive.
Linda
*********************************
Linda L. Ludwig
Information Security Awareness Specialist
ITS, Forum
Grinnell College
Grinnell, IA 50112
641-269-4901
Fax: 641-269-4828
ludwigl () grinnell edu<mailto:ludwigl () grinnell edu>
*********************************
"Phishing" is a scam designed to steal your personal data.
If you receive an email asking for...
Re: End Point protection
Rob Milman (Mar 16)
I would recommend that you take a look at Palo Alto Traps and Bromium as well. I have heard good things about both, but
have not had the opportunity to experience either of them myself.
Regards,
Rob Milman
Rob Milman
Security & Compliance Analyst
Information Systems
Southern Alberta Institute of Technology
EH Crandell Building, GA 214
1301 - 16 Avenue NW, Calgary AB, T2M 0L4
(Office) 403.774.5401...
Register Soon for the Security Professionals Conference: Early Bird discount ends April 3
Jesse Bowling (Mar 16)
Greetings,
I am pleased to formally announce the 15th annual Security Professionals Conference, which will convene in Denver, May
1-3, 2017. This year we are very fortunate to have Jack Daniel, joining us for our opening keynote session. Discounted
“Early Bird” registration is available until April 3, so I encourage you to register now
(https://events.educause.edu/security-professionals-conference/2017/registration)!
With a conference...
End Point protection
Urrea, Nick (Mar 16)
We at UC Hastings are going to implement new advanced end point protection.
We are looking at MalwareBytes, Sentinel One, Carbon Black, Cisco AMP, FireEye, Symantec, etc.
Any recommendations for vendor and/or your experiences with advanced end point protection would be greatly appreciated.
Thanks
---
Nicholas Urrea
UC Hastings College of the Law
Director of Information and Network Security
e: urrean () uchastings edu<mailto:urrean ()...
Job Posting - Information Security Engineer
Edson, Jeremy (Mar 13)
Colleagues,
Marquette University is searching for an Information Security Engineer to
join our expanding InfoSec team. The role of the Information Security
Engineer is to proactively identify, promote, and implement information
security best practices in Marquette University's computing environment. The
Information Security Engineer will leverage contemporary technologies to
mitigate information security threats and will provide expertise,...
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: BGP Route Reflector - Route Server, Router, etc
Saku Ytti (Mar 20)
When talking to your vendors, ask what they do with ORR+ADD_PATH 2.
Obviously desired behaviour is to advertise 1st and 2nd best from ORR
POV.
If you need ORR, you're clearly moving to out-of-path reflection,
which is great. But you probably want that ADD_PATH 2, to retain
full-mesh like convergence times.
Re: [NOC] ARIN contact needed: something bad happens with legacy IPv4 block's reverse delegations
William Herrin (Mar 20)
On Mon, Mar 20, 2017 at 3:27 PM, Brett Frankenberger <rbf+nanog () panix com>
wrote:
Hi Brett,
The last I tried it, the servers which the glue claims are authoritative
for a zone could assert that they themselves are not authoritative and
offer new glue for completely different servers asserted to be
authoritative. I had to fake a parent zone in Bind. This was before DNSSEC.
Regards,
Bill Herrin
Google G Suite Email Contact
Jason Canady (Mar 20)
Is anyone here from Google's G Suite or email department? I recently
acquired a brand whose domain is being blocked by Google Mail ("G
Suite"). I have followed all of the steps to be compliant (SPF and
DKIM), but email is still going into customer's Spam folder at Google.
There is not a massive amount of emails sent, just basic communication
such as monthly invoices, support tickets, etc.
If anyone has a contact,...
Re: [NOC] ARIN contact needed: something bad happens with legacy IPv4 block's reverse delegations
Brett Frankenberger (Mar 20)
Hypothetically:
10.11.0.0/16 (11.10.in-addr.arpa) is managed by ARIN
10.11.16.0/20 is ARIN space
10.11.32.0/20 is RIPE space
If ARIN delegated 32.11.10.in-addr.arpa through 47.11.10.in-addr.arpa
to a RIPE nameserver, there's no good way for RIPE to then delegate,
say, 10.11.34.0/24 (34.11.10.in-addr.arpa) to the nameserver of the
entity to which RIPE has allocated 10.11.34.0. (Sure, it can be done,
using the same techniques as are used for...
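The delegation structure Brett describes, worked through as an added example that is not part of the thread: in-addr.arpa zones fall on octet boundaries, so a /20 is handed over as sixteen /24 zones (32 through 47 in his numbering), and anything longer than /24 cannot be a zone in plain in-addr.arpa at all, which is where the RFC 2317 CNAME arrangement inside the /24 zone comes in. The addresses are the hypothetical ones from the post; the nameserver names are placeholders.

```python
"""Reverse-DNS delegation for an IPv4 block (added example, not from the thread).

in-addr.arpa zones follow octet boundaries, so a prefix that is not a
multiple of 8 bits has to be delegated as a set of zones at the next octet
boundary. Anything longer than /24 cannot be delegated as a zone at all;
RFC 2317 handles it with CNAMEs from the /24 zone into a sub-zone, which is
the situation the 10.11.34.0 allocation in the thread runs into.
Standard library only; nameserver names are placeholders.
"""
import ipaddress

def reverse_zones(cidr):
    """in-addr.arpa zone names a parent must delegate to hand over `cidr`."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not 8 <= net.prefixlen <= 24:
        raise ValueError('%s: IPv4 /8 to /24 only; longer prefixes need RFC 2317' % net)
    aligned = (net.prefixlen + 7) // 8 * 8          # round up to an octet boundary
    subnets = [net] if aligned == net.prefixlen else net.subnets(new_prefix=aligned)
    zones = []
    for sub in subnets:
        octets = str(sub.network_address).split('.')[:aligned // 8]
        zones.append('.'.join(reversed(octets)) + '.in-addr.arpa')
    return zones

def delegation_records(cidr, nameservers):
    """NS records the parent zone publishes for each zone in reverse_zones(cidr)."""
    return ['%s. IN NS %s.' % (zone, ns) for zone in reverse_zones(cidr) for ns in nameservers]

def rfc2317_records(cidr, nameservers):
    """Records the /24 zone owner publishes to hand a longer prefix to another party.

    Uses the naming convention suggested in RFC 2317 ("<first>/<len>.<parent>"):
    one NS delegation for the sub-zone plus a CNAME per address pointing into it.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError('%s: RFC 2317 is for prefixes longer than /24' % net)
    parent = '.'.join(reversed(str(net.network_address).split('.')[:3])) + '.in-addr.arpa'
    subzone = '%d/%d.%s' % (int(net.network_address) & 0xff, net.prefixlen, parent)
    records = ['%s. IN NS %s.' % (subzone, ns) for ns in nameservers]
    for addr in net:                                 # every address, network and broadcast included
        last = int(addr) & 0xff
        records.append('%d.%s. IN CNAME %d.%s.' % (last, parent, last, subzone))
    return records

if __name__ == '__main__':
    # The /20 from the thread, delegated to a placeholder RIPE-side nameserver.
    for line in delegation_records('10.11.32.0/20', ['ns.example.net']):
        print(line)
    # A /25 inside one of those /24s, handed on to a placeholder customer nameserver.
    print(*rfc2317_records('10.11.34.128/25', ['ns.customer.example'])[:3], sep='\n')
```

The point of the CNAME set is that the /24 zone must exist somewhere: the parent can only delegate 34.11.10.in-addr.arpa as a whole, so whoever serves that zone (RIPE's nameserver, in the hypothetical) has to publish the CNAMEs and the sub-zone delegation for the /24's customers, which is the extra coordination step the post refers to.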
AS 9583 (Sify Corp) contact required
Scott Larson (Mar 20)
Beginning at 10am UTC today, AS 9583 began announcing routes for our
(AS 40041) IP space, the most significant damage of which has so far been
caused in the UK. We're currently playing whack-a-mole on an ISP and
exchange level, but having zero luck tracking down a contact capable of a
proper resolution to this issue. Please contact me off list if you are that
person or know who they are.
Scott Larson...
Re: BGP Route Reflector - Route Server, Router, etc
James Bensley (Mar 20)
Yes, which means we all know what we have to do. Everyone needs to
join in to increase the pressure.
Cheers,
James.
Re: Purchased IPv4 Woes
Bob Evans (Mar 20)
I am for naming the companies that extort via RBLs. Spamming is so
widespread even the domain name company Godaddy leveraged it as a profit
center.
Godaddy, in its early beginnings. Years ago.
I know from experience that this happens....Godaddy demanded money from me
for spamming. I had to pay $150 or $250 ?
I had several domains with them that were not even being used, beyond a
webpage placeholder and I ran my own DNS server for my...
Re: Purchased IPv4 Woes
Rob McEwen (Mar 20)
I have no idea which blacklist is allegedly charging $2500 for
investigating a listing. (I wonder if he meant to type $25.00?) Either
way, I don't know who that is.
But I will say that, in general, many requesting a delisting from a
blacklist OFTEN assume that a particular hoster that is blocking their
messages MUST therefore be caused by the particular "known" blacklist
they found themselves to be on. But, in many such...
Re: IPv6 oddness in Comcast land...
Casey Russell (Mar 20)
(I first sent this directly to Valdis instead of the list, so my apologies
to Valdis for getting this twice)
Greetings,
I'm afraid I can't hand you the ultimate solution, but I can point you in a
direction.
Sounds like you probably have an IPv6 neighbor discovery problem.
Most likely (since that's where the change occurred) it's between your WRT
and the Comcast CPE (I assume a cable modem) or the first active piece of
the...
Re: Purchased IPv4 Woes
Steve Atkins (Mar 20)
This reads like you're leaving out some critical details of the story.
Cheers,
Steve
Re: Purchased IPv4 Woes
Josh Reynolds (Mar 20)
Just because he chose poorly with his email provider doesn't mean he
should be allowed to be exploited Mike, although a friendly ribbing is
still justified IMO ;)
Re: Purchased IPv4 Woes
Mike Hammett (Mar 20)
He did mention Hotmail.
-----
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP
----- Original Message -----
From: "Josh Reynolds" <josh () kyneticwifi com>
To: "Justin Wilson" <lists () mtin net>
Cc: "NANOG" <nanog () nanog org>
Sent: Monday, March 20, 2017 9:06:00 AM
Subject: Re: Purchased IPv4 Woes
Would you mind naming the company so that...
Re: Purchased IPv4 Woes
Josh Reynolds (Mar 20)
Would you mind naming the company so that they can be publicly shamed? That
is nothing short of extortion.
Re: BGP Route Reflector - Route Server, Router, etc
Greg Hankins (Mar 20)
Mark is spot on, this is an important point. We just added ORR to SR OS
15.0.R1 on the 7x50/VSR.
Greg
Re: BGP Route Reflector - Route Server, Router, etc
Youssef Bengelloun-Zahr (Mar 20)
Same old same.
Y.
2017-03-20 11:35 GMT+01:00 Mark Tinka <mark.tinka () seacom mu>:
Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating
David Rockefeller, billionaire philanthropist, dies aged 101 | US news | The Guardian
Dave Farber (Mar 20)
https://www.theguardian.com/us-news/2017/mar/20/david-rockefeller-dies-jp-morgan-chase-philanthropy
-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125
Unsubscribe Now:...
Re Body language analysis software spots criminals in the crowd
Dave Farber (Mar 20)
Begin forwarded message:
> From: David <wb8foz () panix com>
> Date: March 20, 2017 at 12:00:02 AM EDT
> To: dave () farber net
> Subject: Re: Fwd: [IP] Body language analysis software spots criminals in the crowd
>
>
>
>> Detecting “non-standard and potentially dangerous human behavior” is
>> worrisome. How does society evolve if nonconforming behavior is too-easily
>> detected. Reminds me of...
Federal R&D Spending.
Dave Farber (Mar 20)
---------- Forwarded message ---------
From: Sidney Karin <skarin () ucsd edu>
Date: Sun, Mar 19, 2017 at 9:19 PM
Subject: Federal R&D Spending.
To: Dave Farber <farber () gmail com>
Dave,
(For IP if you like.)
There are several elephants in the room. Regardless of the merits of John
Gilmore’s observations
and the various rebuttals, non-Defense discretionary spending is about
600B$, a bit greater than
Defense spending at...
Re Trump's budget calls for sensible cuts in research
Dave Farber (Mar 20)
---------- Forwarded message ---------
From: Dave Crocker <dcrocker () gmail com>
Date: Sun, Mar 19, 2017 at 8:41 PM
Subject: Re: [IP] Re Trump's budget calls for sensible cuts in research
To: <dave () farber net>, ip <ip () listbox com>
On 3/19/2017 1:02 PM, Dave Farber wrote:
> The lower the government budget, and the closer the match between
> government spending and government revenues, the more we each have to...
Fwd: Body language analysis software spots criminals in the crowd
Dave Farber (Mar 19)
I agree djf
---------- Forwarded message ---------
From: Bob Frankston <Bob19-0501 () bobf frankston com>
Date: Sun, Mar 19, 2017 at 8:07 PM
Subject: RE: [IP] Body language analysis software spots criminals in the
crowd
To: <dave () farber net>
Detecting “non-standard and potentially dangerous human behavior” is
worrisome. How does society evolve if nonconforming behavior is too-easily
detected. Reminds me of Project Sesame in...
Re Trump's budget calls for sensible cuts in research
Dave Farber (Mar 19)
Begin forwarded message:
> From: Jim Turner <jameshturnerjr () gmail com>
> Date: March 19, 2017 at 7:10:18 PM EDT
> To: David Farber <dave () farber net>
> Subject: Re: [IP] Re Trump's budget calls for sensible cuts in research
>
> John's arguments ignore the huge amount of good that Federal research has done. It is easy to do a caricature like
> John has of NIDA and to pretend that it is typical of...
Body language analysis software spots criminals in the crowd
Dave Farber (Mar 19)
Begin forwarded message:
> From: Joly MacFie <joly () punkcast com>
> Date: March 19, 2017 at 6:58:44 PM EDT
> To: dave <dave () farber net>
> Subject: Body language analysis software spots criminals in the crowd
> Reply-To: joly () punkcast com
>
>
> http://rbth.com/science_and_tech/2017/03/17/stop-thief-body-language-analysis-software-spots-criminals-in-the-crowd_721921
>
> The data analysis...
Re Trump's budget calls for sensible cuts in research
Dave Farber (Mar 19)
---------- Forwarded message ---------
From: Jonathan M. Smith <jms () cis upenn edu>
Date: Sun, Mar 19, 2017 at 5:48 PM
Subject: Re: [IP] Re Trump's budget calls for sensible cuts in research
To: Dave Farber <dave () farber net>
Cc: <gnu () toad com>
Dave:
An interesting analysis of science funding (that is not dissimilar from
John’s
argument) is Terence Kealey’s “The Economic Laws of Scientific Research”;
I read...
Re Trump's budget calls for sensible cuts in research
Dave Farber (Mar 19)
---------- Forwarded message ---------
From: Harry Hochheiser <harry () alum mit edu>
Date: Sun, Mar 19, 2017 at 5:29 PM
Subject: Re: [IP] Re Trump's budget calls for sensible cuts in research
To: Dave Farber <dave () farber net>
Cc: ip <ip () listbox com>
Dave:
John raises some interesting points.
It's worth noting that there are mechanisms by which the NIH will accept
community input that is used to guide research...
Re Trump's budget calls for sensible cuts in research
Dave Farber (Mar 19)
Begin forwarded message:
> From: John Gilmore <gnu () toad com>
> Date: March 19, 2017 at 3:49:28 PM EDT
> To: dave () farber net
> Cc: "ip" <ip () listbox com>
> Subject: Re: [IP] Re Trump's budget calls for sensible cuts in research
>
>> The way to fix the NIDA problem is to fix its charter (or for
>> congress to get out of the research-direction business), NOT to
>> simply lop...
Any IPer know of any support sites for Google Glasses?
David Farber (Mar 19)
Govt. Cybersecurity Contractor Hit in W-2 Phishing Scam
dfarber (Mar 19)
Begin forwarded message:
From: Lauren Weinstein <lauren () vortex com>
Subject: [ NNSquad ] Govt. Cybersecurity Contractor Hit in W-2 Phishing Scam
Date: March 19, 2017 at 12:27:21 PM EDT
To: nnsquad () nnsquad org
Govt. Cybersecurity Contractor Hit in W-2 Phishing Scam
https://krebsonsecurity.com/2017/03/govt-cybersecurity-contractor-hit-in-w-2-phishing-scam/
On Thursday, March 16, the CEO of Defense Point Security, LLC...
Why transaction laundering is turning into a huge financial blindspot
David Farber (Mar 19)
Begin forwarded message:
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: [Dewayne-Net] Why transaction laundering is turning into a huge financial blindspot
Date: March 19, 2017 at 1:13:14 PM EDT
To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
Reply-To: dewayne-net () warpspeed com
[Note: This item comes from friend David Rosenthal. DLH]
Why transaction laundering is turning into a huge financial...
ICE shows up at courthouses to intimidate witnesses, restraining order seekers, and arrest petty criminals
David Farber (Mar 19)
Begin forwarded message:
From: Kimi Wei <kimi () thewei com>
Subject: ICE shows up at courthouses to intimidate witnesses, restraining order seekers, and arrest petty criminals
Date: March 19, 2017 at 9:13:17 AM EDT
California chief justice to ICE: Stop ‘stalking’ immigrants at courthouses...
Re WikiLeaks won't share CIA exploits unless companies meet terms
Dave Farber (Mar 18)
Begin forwarded message:
> From: Dave Farber <farber () gmail com>
> Date: March 18, 2017 at 3:54:03 PM EDT
> To: Ip Ip <ip () v2 listbox com>
> Subject: WikiLeaks won't share CIA exploits unless companies meet terms
>
>
>
>
> Begin forwarded message:
>
>> From: Lauren Weinstein <lauren () vortex com>
>> Date: March 18, 2017 at 3:10:02 PM EDT
>> To: nnsquad () nnsquad...
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 30.18
RISKS List Owner (Mar 15)
RISKS-LIST: Risks-Forum Digest Wednesday 15 March 2017 Volume 30 : Issue 18
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.18>
The current issue can also be...
Risks Digest 30.17
RISKS List Owner (Mar 04)
RISKS-LIST: Risks-Forum Digest Saturday 4 March 2017 Volume 30 : Issue 17
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.17>
The current issue can also be...
Risks Digest 30.16
RISKS List Owner (Feb 26)
RISKS-LIST: Risks-Forum Digest Sunday 26 February 2017 Volume 30 : Issue 16
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.16>
The current issue can also be...
Risks Digest 30.15
RISKS List Owner (Feb 21)
RISKS-LIST: Risks-Forum Digest Tuesday 21 February 2017 Volume 30 : Issue 15
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.15>
The current issue can also...
Risks Digest 30.14
RISKS List Owner (Feb 17)
RISKS-LIST: Risks-Forum Digest Friday 17 February 2017 Volume 30 : Issue 14
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.14>
The current issue can also be...
Risks Digest 30.13
RISKS List Owner (Feb 07)
RISKS-LIST: Risks-Forum Digest Tuesday 7 February 2017 Volume 30 : Issue 13
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.13>
The current issue can also be...
Risks Digest 30.12
RISKS List Owner (Feb 01)
RISKS-LIST: Risks-Forum Digest Wednesday 1 February 2017 Volume 30 : Issue 12
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.12>
The current issue can also...
Risks Digest 30.11
RISKS List Owner (Jan 28)
RISKS-LIST: Risks-Forum Digest Saturday 28 January 2017 Volume 30 : Issue 11
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.11>
The current issue can also...
Risks Digest 30.10
RISKS List Owner (Jan 22)
RISKS-LIST: Risks-Forum Digest Sunday 22 January 2017 Volume 30 : Issue 10
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.10>
The current issue can also be...
Risks Digest 30.09
RISKS List Owner (Jan 17)
RISKS-LIST: Risks-Forum Digest Tuesday 17 January 2017 Volume 30 : Issue 09
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.09>
The current issue can also be...
Risks Digest 30.08
RISKS List Owner (Jan 10)
RISKS-LIST: Risks-Forum Digest Tuesday 10 January 2017 Volume 30 : Issue 08
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.08>
The current issue can also be...
Risks Digest 30.07
RISKS List Owner (Jan 08)
RISKS-LIST: Risks-Forum Digest Sunday 8 January 2017 Volume 30 : Issue 07
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.07>
The current issue can also be...
Risks Digest 30.06
RISKS List Owner (Dec 30)
RISKS-LIST: Risks-Forum Digest Friday 30 December 2016 Volume 30 : Issue 06
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.06>
The current issue can also be...
Risks Digest 30.05
RISKS List Owner (Dec 26)
RISKS-LIST: Risks-Forum Digest Monday 26 December 2016 Volume 30 : Issue 05
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.05>
The current issue can also be...
Risks Digest 30.04
RISKS List Owner (Dec 20)
RISKS-LIST: Risks-Forum Digest Tuesday 20 December 2016 Volume 30 : Issue 04
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.04>
The current issue can also...
BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.
How Cybersecurity Affects the Evolving Healthcare CISO Role
Audrey McNeil (Mar 20)
http://healthitsecurity.com/news/how-cybersecurity-affects-the-evolving-healthcare-ciso-role
March 14, 2017 - The healthcare C-suite continues to evolve, along with the
increasingly complex cybersecurity threats. Healthcare CISOs must now have
knowledge in many areas, and understand just how far data breach
repercussions can go.
The Chief Information Security Officer (CISO) role has greatly increased
over the past few years, according to...
The Impact of the Vault 7 Breach Will Be with Us for Years
Audrey McNeil (Mar 20)
https://dzone.com/articles/the-impact-of-the-vault-7-breach-will-be-with-us-f
It’s safe to say that the security teams at the US Central Intelligence
Agency are busy assessing the damage to their cyber surveillance
capabilities now that Wikileaks has dumped what is believed to be the
Agency’s hacker toolkit into the wild. For any Nation-State, it’s a
devastating event to have their secret weapons suddenly made public for all
to see and...
Cobol plays major role in U.S. government breaches
Audrey McNeil (Mar 20)
http://www.computerworld.com/article/3181809/government-it/cobol-plays-major-role-in-us-government-breaches.html
New research is turning on its head the idea that legacy systems -- such as
Cobol and Fortran -- are more secure because hackers are unfamiliar with
the technology.
New research found that these outdated systems, which may not be encrypted
or even documented, were more susceptible to threats.
By analyzing publicly available federal...
Embrace the Machine & Other Goals for CISOs
Audrey McNeil (Mar 20)
http://www.darkreading.com/threat-intelligence/embrace-the-machine-and-other-goals-for-cisos/a/d-id/1328433
Depending on how you look at it, the past year was either tough for
security professionals or it showed the world how complex and interesting
this field really is. After all, we're not working to identify some
deterministic software bug — we're combatting real adversaries who are
constantly testing our defenses.
Like many of...
How to protect your business from cyber-attack
Audrey McNeil (Mar 20)
https://www.standardmedia.co.ke/business/article/2001233062/how-to-protect-your-business-from-cyber-attack
The digital age, which brought the world ever closer to trade, innovation
and accountability, has also brought new and dangerous cyber threats that
do not recognise borders and cost businesses as much as US$525 billion
every single year, according to UK officials. SMEs are not immune to cyber
security attacks; any data loss or incident...
Abta suffers security breach affecting thousands of glum British holidaymakers
Audrey McNeil (Mar 17)
https://arstechnica.co.uk/tech-policy/2017/03/abta-security-breach-affecting-43000-brits-and-travel-agents/
Abta has warned thousands of aggrieved British holidaymakers—who regularly
contact the UK trade body to complain about its tour operator members—that
their data was exposed after an "external infiltrator" apparently exploited
a vulnerability on a third party website.
An external infiltrator is a fancy way of saying that a...
Cybersecurity Is an Essential Part of the MSP Toolkit
Audrey McNeil (Mar 17)
http://mspmentor.net/blog/cybersecurity-essential-part-msp-toolkit
With big data, analytics, social, mobility, cloud and IoT driving the move
to Digital Transformation--also known as DT, digitalization, DX, DE
(Digital Everything) and Industry 4.0--IT is moving from the back office to
business enabler. However, all the things that make DT possible also make
it more vulnerable. And with small and midsize businesses already facing a
growing range...
The New Cyber Security Ecosystem
Audrey McNeil (Mar 17)
http://www.itsecurityguru.org/2017/03/14/new-cyber-security-ecosystem/
When one compares cyber security today to what it was ten years ago, the
two are almost unidentifiable as the same industry. The iPhone had only
just launched; Facebook was still in its infancy; the Internet of Things
(IoT) was still a dream. The routes a hacker could use to access a system
were limited, and because of this, cyber security was built around walls.
One was...
HIPAA and Hospitals: Five Reasons Medical Data Storage is Often Not Compliant
Audrey McNeil (Mar 17)
http://www.hitechanswers.net/hipaa-hospitals-five-reasons-medical-data-storage-often-not-compliant/
With so much of the data controlled by doctors and hospitals on electronic
devices, including mobile devices, desktop computers, servers, and in the
cloud, the security of that data is quickly becoming the most important
aspect of HIPAA (not HIPPA) compliance.
Many medical providers and some of the largest hospital chains in the
country have...
Outsourcing Cyber Espionage Landed Russia in Trouble
Audrey McNeil (Mar 17)
http://www.databreachtoday.com/blogs/outsourcing-cyber-espionage-landed-russia-in-trouble-p-2420
All's fair in the spy game. The United States acknowledges that. But when
hacking crosses into the theft of intellectual property or criminal gain,
it's a red line. Cue Russia's alleged use of freelance hackers to help with
state activities, which has now brought about an unprecedented indictment
that will stoke further U.S.-Russia...
The Evolution of CISO & CIO
Audrey McNeil (Mar 17)
http://www.itsecurityguru.org/2017/03/16/evolution-ciso-cio/
Data security is a big deal. You know it, I know it, and it is hard to
argue at this point in time, that unless you’re living off the grid, data
security is a universal value. On an almost daily basis, data breaches and
their severe, far-reaching consequences are reported in the news, leaving
organisations on a multinational scale in no doubt that this is an issue of
the very highest...
Teen quiz app Wishbone hacked, users’ emails and phone numbers exposed
Inga Goddijn (Mar 16)
https://techcrunch.com/2017/03/15/teen-quiz-app-wishbone-hacked-users-emails-and-phone-numbers-exposed/
Check your kid’s phone for this app, ASAP: Wishbone <http://wishbone.io/>.
This popular quiz app for kids, tweens and teens has been hacked, according
to a report
<https://motherboard.vice.com/en_us/article/popular-teen-quiz-app-wishbone-has-been-hacked-exposing-tons-of-user-information>
from Motherboard out this morning. The...
It's time for websites to turn on HTTPS encryption: the benefits are worth the effort
Inga Goddijn (Mar 16)
http://www.pcworld.com/article/3180689/security/its-time-to-turn-on-https-the-benefits-are-well-worth-the-effort.html
After Edward Snowden revealed that online communications were being
collected en masse by some of the world’s most powerful intelligence
agencies, security experts called for encryption of the entire web. Four
years later, it looks like we’ve passed the tipping point.
The number of websites supporting HTTPS—HTTP over...
Three finds more customers affected by 2016 data breach
Inga Goddijn (Mar 16)
https://www.engadget.com/2017/03/15/three-2016-data-breach/
Details of nearly 210,000 customers are now said to have been compromised.
Three has revealed that a customer data breach it caught wind of last
November <https://www.engadget.com/2016/11/17/three-uk-hack/> was more
extensive than first thought. Using stolen employee logins, ne'er-do-wells
gained access to a database used to manage handset upgrades, comprising
customer...
The Canadian Government Has Been Hacked, And Experts Say Many More Hits Are Coming
Inga Goddijn (Mar 16)
http://www.pymnts.com/news/security-and-risk/2017/the-canadian-government-has-been-hacked-experts-say-many-more-similar-hits-are-coming/
The Canadian government was forced to pull the plug on its website for
filing federal taxes after it became clear that cybercriminals had broken
into the statistics bureau last week. The hack was reportedly made possible
by a newly-disclosed bug in the software.
Statistics Canada says the good news is that the...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
nullcon se7en CFP is open
nullcon (Aug 25)
Dear Friends,
Welcome to nullcon se7en!
$git commit -a <sin>
<sin> := wrath | pride | lust | envy | greed | gluttony | sloth
nullcon is an annual security conference held in Goa, India. The focus
of the conference is to showcase the next generation of offensive and
defensive security technology. We happily open doors to researchers
and hackers around the world working on the next big thing in security
and request...
Ruxcon 2015 Final Call For Presentations
cfp (Jul 05)
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of September, 2015.
.[x]. About Ruxcon .[x]....
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Re: Indicating dependencies between Gerrit changes
Peter Wu (Mar 20)
That was already done in this case, but since there were no merge
conflicts and Gerrit is not configured to follow the patch order, it was
possible that the patch got cherry-picked without merging the base
patches first.
If that is not configurable for each patch, separately, maybe I should
post a comment next time?
How to capture packets on a remote machine?
Shiyao Ma (Mar 19)
Hi,
On my local side, wireshark (latest) is running on macOS 10.12.
On the remote machine, debian (sid), the package wireshark (2.2.5) is
installed.
I tried using the "ssh remote capture".
But wireshark errs:
"Capturing from a pipe doesn't support pcapng format."
How to solve that?
Regards.
Indicating dependencies between Gerrit changes
Guy Harris (Mar 18)
It looks as if there's a way in Gerrit to say "this change depends on this other change":
https://www.mediawiki.org/wiki/Gerrit/Advanced_usage#Create_a_dependency
Re: MPEG2-TS, DVB-SI, and DVB-GSE Dissectors
Jaap Keuter (Mar 18)
Post here? No, submit to Gerrit: https://code.wireshark.org/review
Why? because: https://wiki.wireshark.org/Development/Workflow
With more detail here: https://wiki.wireshark.org/CreatingPatches and here:
https://wiki.wireshark.org/Development/SubmittingPatches
Regards,
Jaap
Re: MPEG2-TS, DVB-SI, and DVB-GSE Dissectors
Paul Williamson (Mar 18)
That's correct. The original authors were apparently only interested in
dissecting GSE, and that was consistent with my use cases, so I left it
that way.
I don't know much about MPEG2-TS. I assume you'd mostly want to dissect the
logical channels that carry IP packets. I'm guessing there isn't much
utility in a detailed dissection of audio or video channels.
I think factoring GSE out makes sense if you can cleanly...
Re: MPEG2-TS, DVB-SI, and DVB-GSE Dissectors
Alexander Adolf (Mar 18)
Hello Martin,
Good seeing you again! I believe to remember it was the meeting in Munich?
You did indeed. ;)
Which I hadn't expected anyway.
I'm studying this at the moment. But there's always the moment when you're convinced you had followed all instructions
meticulously, but it still won't work. That's when a little hint from a more experienced developer comes handy.
Sounds like a plan. My first patch should...
Re: MPEG2-TS, DVB-SI, and DVB-GSE Dissectors
Alexander Adolf (Mar 18)
Hello Paul,
Many thanks for your swift response, and apologies for the delay in getting back to you.
Glad you found the hint useful. ;-)
As I'm the editor of these docs, please don't hesitate to drop me any questions. I'm happy to assist wherever I can.
Adding the reassembly seems like a good starting point. Happy to look into this.
I've briefly looked at packet-dvb-s2-bb.c, and it seems it does BBFrame as well as some...
Re: Filtering on (negated) frame.time_relative filters out wrong frame.number
Miroslav Rovis (Mar 18)
I made the follow-up:
http://www.croatiafidelis.hr/foss/cap/cap-170313-git-devuan-mail/git-devuan-mail-3.php
but reading it from top is huge excess and impertinent to point the
developers to, so I'm writing this notice about it. :-)
Pls. just find (somewhere in the middle of the page):
$ tshark -o "ssl.keylog_file: dump_170317_0928_g0n_SSLKEYLOGFILE.txt" -r \
dump_170317_0928_g0n.pcap -Y \
'(!(frame.time_relative...
Capture code in GUIs replicated
Joerg Mayer (Mar 18)
Hello,
is anyone who understand both GUIs willing to unify the capture code
common to ui/gtk/capture_dlg.c:insert_new_rows() and
ui/qt/manage_interfaces_dialog.cpp:addRemoteInterfaces()?
Found this while playing with bug 13448.
Thanks
Jörg
Re: Filtering on (negated) frame.time_relative filters out wrong frame.number
Miroslav Rovis (Mar 17)
Posted:
The Test Sample for the (Imaginary or Not) Bug
http://www.croatiafidelis.hr/foss/cap/cap-170313-git-devuan-mail/git-devuan-mail-2.php
And I haven't done the testing yet. This is all preparation for what I
tested (and named the thread title by) at:
Filtering on (negated) frame.time_relative
https://www.wireshark.org/lists/wireshark-users/201703/msg00030.html
Now that needs to be done on this complete capture. Just this time,
since...
Re: R13 S1AP message "Reroute NAS Request" is not decoding completely using 2.3.0
Pascal Quantin (Mar 17)
2017-03-17 17:48 GMT+01:00 Pascal Quantin <pascal.quantin () gmail com>:
Fix under review here: https://code.wireshark.org/review/#/c/20595/
Regards,
Pascal.
Re: R13 S1AP message "Reroute NAS Request" is not decoding completely using 2.3.0
Pascal Quantin (Mar 17)
Hi Sabyasachi,
2017-03-17 17:36 GMT+01:00 Sabyasachi Samal <sabyasachisamal () gmail com>:
Wireshark tries to decode the S1-Message element as a UE Initial Message
PDU, and not as a S1AP message PDU. It means that the decoding is shifted
by a few bits, leading to a wrong decoding. I'm gonna fix this.
Re: R13 S1AP message "Reroute NAS Request" is not decoding completely using 2.3.0
Graham Bloice (Mar 17)
Instructions for reporting bugs can be found on the wiki:
https://wiki.wireshark.org/ReportingBugs
Re: R13 S1AP message "Reroute NAS Request" is not decoding completely using 2.3.0
Sabyasachi Samal (Mar 17)
Hi Anders,
Thanks for the response. I am using the message structure of TS 36.413
v13.3.0 and wireshark development version Version 2.3.0-2658-gfe285c6
(v2.3.0rc0-2658-gfe285c6). I do not know the process of filling a ticket
for wireshark. Attaching the trace here so that you guys can help.
On Thu, Mar 16, 2017 at 2:49 PM, Anders Broman <anders.broman () ericsson com>
wrote:
Re: Filtering on (negated) frame.time_relative filters out wrong frame.number
Miroslav Rovis (Mar 17)
[...]
I haven't used "Export PDUs to File" yet. It wasn't close at hand
finding what PDU is, since there is no string "protocol data unit" to be
found in:
https://www.wireshark.org/docs/wsug_html/
nor the string "Export PDU"
Found string "protocol data unit (PDU)" only in:
https://www.wireshark.org/docs/wsdg_html/
and in:
https://wiki.wireshark.org/PDU
but am uncertain I to "Export PDUs to...
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Re: Can't get Snort to run on Win2008
Ed Borgoyn (eborgoyn) (Mar 20)
Matt,
On line 333 of snort.conf there probably is the ‘lzma’ keyword. Please remove this keyword, leaving the rest of the
line intact. This keyword is not recognized if/when snort is not built with the lzma decompression libraries. For
some reason the default windows build doesn’t have lzma support but still has the lzma keyword in the snort.conf. Give
this a try.
Ed Borgoyn
Cisco Snort Development Team
I'm having...
Can't get Snort to run on Win2008
Matt H (Mar 20)
I'm having trouble getting Snort working on a Windows server. I followed these steps (though on a 2008 server)
http://www.javaguicodexample.com/snortiisphpbaseperladodb6.html
but when I run snort -i 1 -c C:\Snort\etc\snort.conf -b -N -K none -A none the output is:
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
... cutting out a bunch
HttpInspect...
Re: maldet alert from TCP-IDS
James Lay (Mar 20)
Just whitelist the tarball in maldet and drive on. Running malware
detection tools against security rules/sigs/products is just asking for
trouble.
James
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs...
Re: Fwd: maldet alert from TCP-IDS
Geoffrey Serrao (Mar 20)
Part 2 of my previous message:
AUTHORS: ASCII text
community.rules: ASCII text, with very long lines
LICENSE: ASCII text
sid-msg.map: empty
snort.conf: ASCII text, with very long lines
VRT-License.txt: UTF-8 Unicode text
Re: Fwd: maldet alert from TCP-IDS
Geoffrey Serrao (Mar 20)
It might have something to do with the fact that the rule texts contain the
same bytes that the Maldect signatures are looking for.
It reminds me of scanning antivirus definitions with an A/V. You might get
some false positives.
I just downloaded the community ruleset from snort.org and I couldn't find
anything out of the ordinary:
Re: maldet alert from TCP-IDS
Joel Esler (jesler) (Mar 20)
I’m willing to bet that it’s a false positive in “Maldect” as a result of poorly written detection. The rulesets
inherently look for bad things, so when things (Maldect) that are designed to look for bad things, look at other things
that are designed to detect bad things (our ruleset) the possibility does exist that you’d receive an alert.
Can you give us more about the alert?
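Why a file-level malware scanner trips on an IDS ruleset, as an added example that is not the Snort community rules and not Maldet's signature database: the rules and the scanner signatures below are constructed for illustration. The content parser decodes Snort's content syntax (quoted text plus |hex| blocks and backslash escapes), so you can see that the bytes a rule matches on are the same bytes a generic signature hunts for; in the PHP case the literal rule text carries the pattern, so the rules file itself scans as a hit. The last function shows allowlisting the ruleset by SHA-256 rather than by path, so a swapped or tampered rules file is still scanned.

```python
"""Added example: why scanning a Snort ruleset with a byte-signature malware
scanner produces hits. Rules and scanner signatures here are constructed for
illustration; they are not the Snort community rules or Maldet's database."""
import hashlib
import re

# Constructed Snort-style rules. The second one matches on the PHP text that a
# generic webshell signature also looks for, so the rule file itself contains it.
RULES = (
    b'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"demo jpeg magic"; '
    b'content:"|FF D8 FF E0|"; sid:9000001; rev:1;)\n'
    b'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    b'(msg:"demo PHP eval/base64"; flow:to_server,established; '
    b'content:"eval(base64_decode("; fast_pattern; sid:9000002; rev:1;)\n'
)

# Constructed stand-ins for a file scanner's signatures (name -> raw bytes).
SIGNATURES = {
    "php.webshell.eval_b64": b"eval(base64_decode(",
    "image.magic.jpeg": b"\xff\xd8\xff\xe0",
}

# content:"..." with Snort's escapes (\" \; \\) and |hex| blocks; group 1 is the
# optional negation '!'.
_CONTENT_RE = re.compile(rb'content:\s*(!?)"((?:\\.|[^"\\])*)"')


def decode_content(raw):
    """Decode one Snort content string to the bytes the engine searches for."""
    out = bytearray()
    i = 0
    while i < len(raw):
        ch = raw[i:i + 1]
        if ch == b"|":                       # |FF D8| hex block
            end = raw.index(b"|", i + 1)
            out += bytes.fromhex(raw[i + 1:end].decode("ascii"))
            i = end + 1
        elif ch == b"\\":                    # escaped ", ; or backslash
            out += raw[i + 1:i + 2]
            i += 2
        else:
            out += ch
            i += 1
    return bytes(out)


def rule_contents(rule_bytes):
    """All non-negated content patterns in a rule file, decoded to bytes."""
    return [decode_content(m.group(2))
            for m in _CONTENT_RE.finditer(rule_bytes) if not m.group(1)]


def scan(data, signatures=SIGNATURES):
    """Naive byte-pattern scan; returns (signature_name, offset) hits by offset."""
    hits = []
    for name, pattern in signatures.items():
        start = 0
        while True:
            idx = data.find(pattern, start)
            if idx < 0:
                break
            hits.append((name, idx))
            start = idx + 1
    return sorted(hits, key=lambda hit: hit[1])


def scan_files(files, allowlist_sha256=(), signatures=SIGNATURES):
    """Scan {path: bytes}; files whose SHA-256 is allowlisted are skipped.

    Allowlisting the known-good ruleset by hash, not by path, means a replaced
    or tampered rules file is still scanned."""
    report = {}
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        report[path] = [] if digest in allowlist_sha256 else scan(data, signatures)
    return report


if __name__ == "__main__":
    # The decoded JPEG magic is binary, but the rule text only spells it in hex,
    # so only the PHP signature fires on the rule file itself.
    print(rule_contents(RULES))
    print(scan(RULES))
    good = {hashlib.sha256(RULES).hexdigest()}
    print(scan_files({"community.rules": RULES}, allowlist_sha256=good))
```

The asymmetry is the point: a hex-encoded content pattern survives scanning because the scanner sees ASCII "FF D8", while a plain-text pattern like the PHP one is byte-identical in the rule file and in a real webshell, so a scanner that matches on raw bytes cannot tell them apart without context. Recording the ruleset's hash at download time and allowlisting that hash is the least-privilege version of "whitelist the tarball".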
Fwd: maldet alert from TCP-IDS
Scott Spangler (Mar 20)
Dear Snort Signature Community:
Please see the contents below, as I wanted to bring to your attention, that
a recent Pulledpork download of Snort community-rules contained a malware
virus. The malware virus was immediately quarantined using Linux Maldect on
the Snort IDS host.
Regards,
Scott Spangler
---------- Forwarded message ----------
From: root <root@tcp-ids.localdomain>
Date: Fri, Mar 17, 2017 at 11:28 PM
Subject: maldet alert...
process .gzip pcaps using snort
Angelos Marnerides (Mar 20)
Hi,
I have a quite huge number of gzipped pcaps (approx. 500GB compressed size
of pcaps) and I've tried to run (on a single file just to test and then I
would write a shell script to run through all) through snort by first
piping the gzip process to snort...however it seems that this doesn't work.
:
gunzip -c file1.pcap.gz | snort -c /etc/snort/snort.conf -r
Is there any other way round to do this and of course being optimal in...
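One way to work through a large set of gzipped captures, as an added example that is not Snort's own tooling: decompress one archive at a time to a temporary file, hand that file to snort with -r, write the logs into a per-capture directory, and delete the temporary file before moving on, so disk use is bounded at one uncompressed capture. It assumes the standard Snort 2.9 command-line flags -c, -r, -l and -q and that snort wants a regular pcap file rather than a pipe; the runner argument exists only so the loop can be exercised without snort installed.

```python
"""Added example (not Snort's own tooling): run snort over many gzipped pcaps
one archive at a time. Assumes the standard Snort CLI flags -c, -r, -l and -q,
and that snort wants a regular pcap file, so each archive is decompressed to a
temp file, processed, and deleted before the next, keeping disk use bounded."""
import gzip
import os
import shutil
import subprocess
import tempfile
from pathlib import Path


def decompress_to_temp(gz_path, tmp_dir=None):
    """Stream-decompress gz_path into a temp file; return the temp file's path."""
    fd, tmp_path = tempfile.mkstemp(suffix=".pcap", dir=tmp_dir)
    with gzip.open(str(gz_path), "rb") as src, os.fdopen(fd, "wb") as dst:
        shutil.copyfileobj(src, dst, length=1024 * 1024)   # 1 MiB chunks
    return tmp_path


def process_gz_pcaps(src_dir, log_root, snort_conf="/etc/snort/snort.conf",
                     snort_bin="snort", tmp_dir=None, runner=subprocess.run):
    """Run snort over every *.pcap.gz under src_dir, one log dir per capture.

    Returns {gz_path: snort_return_code}. `runner` defaults to subprocess.run
    and is injectable so the loop can be tested without snort installed."""
    results = {}
    for gz in sorted(Path(src_dir).rglob("*.pcap.gz")):
        log_dir = Path(log_root) / gz.stem      # "x.pcap.gz" -> "x.pcap"
        log_dir.mkdir(parents=True, exist_ok=True)
        tmp = decompress_to_temp(gz, tmp_dir)
        try:
            cmd = [snort_bin, "-q", "-c", snort_conf, "-r", tmp, "-l", str(log_dir)]
            proc = runner(cmd, check=False)
            results[str(gz)] = proc.returncode
        finally:
            os.unlink(tmp)                       # never leave the uncompressed copy behind
    return results


if __name__ == "__main__":
    import sys
    src, logs = sys.argv[1], sys.argv[2]
    for path, rc in process_gz_pcaps(src, logs).items():
        print(f"{path}: snort exit {rc}")
```

Point tmp_dir at a filesystem with room for the largest single capture, not /tmp on a small root. Keeping one log directory per input file is what makes the run resumable and lets you tie every alert back to the archive it came from; if disk allows decompressing everything up front, Snort's own --pcap-dir option processes a directory of uncompressed captures in one run and avoids re-loading the configuration per file.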
Re: Snort-devel Digest, Vol 128, Issue 1
Russ (Mar 17)
Got it. I'll add this to our backlog but it won't be high priority just
because we have so much to do already. Patches / pull requests are
always welcome though. Especially for Snort++. ;)
Thanks
Russ
Re: Snort-devel Digest, Vol 128, Issue 1
Da Pozzo Matteo (Mar 17)
Hi Russ,
Thank you for your feedback.
An example could be when the sensor is placed inline but intercepts the DNS request originated by a client that is
infected but the DNS query is intercepted from the internal DNS server to Internet DNS Server/root name servers so in
this case we can see that the malicious DNS request was originated by the internal DNS Server and then we are not able
to identify the real infected client. However we can...
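What a sensor behind a forwarding resolver would have to decode to recover the original client's subnet: an added example, not Snort code, that builds a DNS query carrying an EDNS Client Subnet option (RFC 7871) and parses it back out. The query bytes come from build_query() and are constructed, not captured; the option layout (address family, source prefix length, scope prefix length, then the address truncated to the bytes the prefix needs) is the one RFC 7871 specifies, and the parser rejects an option whose address length contradicts its prefix.

```python
"""Added example: build and parse the EDNS0 Client Subnet option (RFC 7871).
Queries here are constructed, not captured; this is not Snort's DNS code."""
import ipaddress
import struct

OPT_RRTYPE = 41                 # EDNS0 OPT pseudo-RR
ECS_OPTION_CODE = 8             # CLIENT-SUBNET option code
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def encode_name(name):
    """Dotted name -> uncompressed DNS label sequence."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_ecs_option(network):
    """ECS option (code, length, payload) for an IP network string."""
    net = ipaddress.ip_network(network, strict=False)
    family = FAMILY_IPV4 if net.version == 4 else FAMILY_IPV6
    prefix = net.prefixlen
    # The address is truncated to the bytes needed for the prefix (RFC 7871 s6).
    addr = net.network_address.packed[:(prefix + 7) // 8]
    payload = struct.pack("!HBB", family, prefix, 0) + addr   # scope = 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def build_query(qname, network=None, txid=0x1234):
    """Constructed A/IN query; with network set, an OPT RR carries ECS."""
    arcount = 1 if network else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)         # A, IN
    if not network:
        return header + question
    rdata = build_ecs_option(network)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext flags (0)
    opt = b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt


def skip_name(buf, off):
    """Offset just past the (possibly compressed) name that starts at off."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_ecs(packet):
    """Client subnet (ip_network) from the query's ECS option, or None if absent.

    Raises ValueError for an option whose address length contradicts its prefix."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(packet, off) + 4                      # QTYPE + QCLASS
    for _ in range(an + ns):                                  # normally 0 in a query
        off = skip_name(packet, off)
        rdlen = struct.unpack("!H", packet[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(ar):
        off = skip_name(packet, off)
        rrtype, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata, off = packet[off:off + rdlen], off + rdlen
        if rrtype != OPT_RRTYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):                          # walk EDNS options
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code != ECS_OPTION_CODE or len(body) < 4:
                continue
            family, prefix, _scope = struct.unpack("!HBB", body[:4])
            addr = body[4:]
            if family == FAMILY_IPV4:
                full_len, max_prefix = 4, 32
            elif family == FAMILY_IPV6:
                full_len, max_prefix = 16, 128
            else:
                continue
            if prefix > max_prefix or len(addr) != (prefix + 7) // 8:
                raise ValueError("malformed ECS option: address/prefix mismatch")
            full = addr + b"\x00" * (full_len - len(addr))   # pad back to full width
            return ipaddress.ip_network((full, prefix), strict=False)
    return None


if __name__ == "__main__":
    print(parse_ecs(build_query("example.com", "198.51.100.0/24")))
```

Two caveats matter for the use case in the thread. ECS only helps if the internal resolver actually adds the option when it forwards (most do not by default), and even then it carries a subnet, not a host, so it narrows the search for the infected client rather than naming it; treat it as enrichment on the event, like XFF, rather than as a match target.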
Re: EDNS-Client-Subnet ECS
Russ (Mar 17)
Can you give an example of your use case(s)? Are you looking just to
log extra data with an event like XFF or are you looking for a way to
match on the content?
Re: BROWSER-OTHER TRUFFLEHUNTER SFVRT-1024 attack attempt (3:42014:1) alerts
Joel Esler (jesler) (Mar 17)
Charlie,
Can you submit that to us with a pcap so we can take a look?
http://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html
Re: BROWSER-OTHER TRUFFLEHUNTER SFVRT-1024 attack attempt (3:42014:1) alerts
Charlie Dyer (Mar 17)
Following on from the previous message, the repeating http://<host> in the
URI is only present in the http.request.full_uri, it does not repeat when
using http.request.uri.
It also repeats in the Sourcefire GUI under Full Request URI.
Was this a hastily released rule as I cannot see the SID in any recent
release.
On Fri, Mar 17, 2017 at 7:47 AM, Charlie Dyer <charlierwdyer () gmail com>
wrote:...
BROWSER-OTHER TRUFFLEHUNTER SFVRT-1024 attack attempt (3:42014:1) alerts
Charlie Dyer (Mar 17)
Hello
Below are a list of hosts that are the destination of HTTP GETs that are
triggering the above rule, obviously not much detail on why, can't really
post all the URI data but here are a few:
http://media.rightmove.co.ukhttp://media.rightmove.co.uk/dir/1k/505/58618708/505_BAI170129_IMG_06_0000_max_656x437.JPG
http://ib.adnxs.comhttp://ib.adnxs.com/setuid?entity=43&code=4044211960863159294...
Re: Snort 3 rules not loading
Stephen Stark (Mar 16)
Thanks. That was it. I must have missed the -Q for inline mode.
We also maintain archives for these lists (some are currently inactive):
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.