SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.
RE: PacketSendPackets and latency
David Atkins (Mar 22)
Hi,
Where would I attach the flag -d2? A code example might help! Been trawling the driver code to see if I can work out where
this might happen but it's not leaping out at me.
I have a reasonably simple test app that could demonstrate it,
Thanks
David
From: Varunram Ganesh [mailto:vrg2009 () ymail com]
Sent: Wednesday, March 22, 2017 6:28 PM
To: Nmap-dev
Cc: david () suitcasetv com
Subject: Re: PacketSendPackets and latency
Hi David,...
Re: PacketSendPackets and latency
Varunram Ganesh via dev (Mar 22)
Hi David,
Thanks for your report! Could you add the flag -d2 and attach the script output?
Cheers,
Varunram
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
PacketSendPackets and latency
David Atkins (Mar 22)
Hi,
I'm trying to send test data using the PacketSendPackets() function using
Sync = true, this works great except that I am getting a large latency when
making back to back calls, sending a 30Mbyte buffer results in the send
packet timing being really accurate but that the time spent entering the
call is significant and if I send back to back buffers I get 13ms of pause
between bursts of packets.
I assume it's because the...
Re: NSE Script Contribution - http-vuln-headers
Vinamra Bhatia (Mar 22)
Hi all!
Can someone please review the script once? It's been pending for long.
I also opened up a pull request for the same on the github repo.
https://github.com/nmap/nmap/pull/793
Cheers
Vinamra Bhatia
CS Sophomore
BITS Pilani
Re: dev Digest, Vol 144, Issue 31
Rewanth Cool (Mar 22)
Re: Handled the overflow errors in Ncat by modifying the output. (Varunram
Ganesh)
Hi Varunram,
That PR is not suitable for a merge as there are some other files also
included in that PR. So I made a new one and closed the previous PR.
Best regards,
Rewanth.
Re: Handled the overflow errors in Ncat by modifying the output.
Varunram Ganesh via dev (Mar 22)
Hi Rewanth,
I think you already mentioned it at http://seclists.org/nmap-dev/2017/q1/204.
Cheers,
Varunram
Updated and modified the list of SQL errors
Rewanth Cool (Mar 22)
Updated and modified the list of SQL errors in the
nselib/data/http-sql-errors.lst file with the most common and recent errors.
There is a PR on #776 <https://github.com/nmap/nmap/pull/776> regarding the
same.
Best regards,
Rewanth.
Handled the overflow errors in Ncat by modifying the output.
Rewanth Cool (Mar 22)
If the timeout value is greater than the maximum limit in Ncat, it displays
wrong error messages.
There is a PR on #791 <https://github.com/nmap/nmap/pull/791> regarding the
same.
This PR handles this overflow and closes the issue #741
<https://github.com/nmap/nmap/issues/741>.
Best regards,
Rewanth.
Detect ExpressJS Server and preference of data file when executing script
Vinamra Bhatia (Mar 22)
I saw that there was no detection for ExpressJS in
http-devframework-fingerprint.lua, so I added that in this pull request
https://github.com/nmap/nmap/pull/790
Also, when I was trying to use my local copy of nmap scripts using
--script=./nmap/scripts/http-devframework, the fetchfile function in the
script tries to fetch the copy of http-devframework-fingerprint.lua from
/usr/local/share/nmap/nselib/data/ while I thought that it would do so from...
Re: Additions to mac-prefixes
Varunram Ganesh via dev (Mar 22)
Oops, forgot to attach the file earlier.
Additions to mac-prefixes
Varunram Ganesh via dev (Mar 22)
Greetings list,
The attached file contains a few of the mac-prefixes that are missing from our db. Since there was no way to submit
these via the website, I thought I'd post it here to receive feedback.
Cheers,
Varunram
RE: nmap won't run on server 16
Rob Nicholls (Mar 21)
Hi Russell,
I assume you've installed Server 2016 Standard with the Desktop Experience?
And presumably the install didn't report any issues during installation?
I've installed Server 2016 Standard as a Hyper-V VM and just downloaded and
installed Nmap 7.40 using all the default settings and there were no errors
during installation and everything looks okay (I can scan a physical host on
the same subnet and it returns accurate...
Re: Minor fixes ( Duplicate entries deleted from nselib/data )
nnposter (Mar 21)
Committed as r36657.
Cheers,
nnposter
Re: Ncat/Nsock notification of connection reset
Henri Doreau (Mar 21)
2017-03-18 23:15 GMT+01:00 Henri Doreau <henri.doreau () gmail com>:
Please find the aforementioned patch attached. Requires adjustments &
cleanup but should be a good starting point.
Regards
Re: Issue regarding nmap-payloads - UDP services still showing as "open|filtered" when a payload is added to evoke a reply
Daniel Miller (Mar 21)
Stuart,
If Nmap correctly sends the payload, then there are only a few
possibilities:
The response may be misaddressed. This could happen if the payload contains
a port number to which the service will respond which is different than the
source address of the probe.
The service might not be responding, but you say that is not the case.
The response may be blocked by something like a firewall or IPS.
Or there may be a bug in Nmap. Providing...
Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Nmap GSoC 2016 Success Report
Fyodor (Feb 07)
Happy belated new year from the Nmap Project! I'd like to take this
opportunity to send you the belated results from our 2016 Summer of Code
team. I was going to send them right after the program finished, but some
of the students were still finishing some great things so I decided to
wait. As you may recall from the team intro mail (
http://seclists.org/nmap-announce/2016/2), we had 5 students last year and
I'm happy to report that...
Nmap 7.40 Holiday Release: a dozen new NSE scripts, hundreds of new fingerprints, new Npcap, faster brute forcing, and more...
Fyodor (Dec 20)
Happy holidays from the Nmap Project! In case your Christmas break plans
involve a lot of port scanning, we're delighted to announce our holiday
Nmap 7.40 release! This version stuffs your stockings with dozens of new
features, including:
- 12 new NSE scripts
- Hundreds of updated OS and version detection signatures
- Faster brute force authentication cracking and other NSE library
improvements
- A much-improved...
Nmap 7.31 stability-focused point release
Fyodor (Oct 21)
Hi folks. I'm happy to report that the big Nmap 7.30 release last month
was a great success. We didn't even see as many bugs as expected for such
a large release, but we have collected and fixed the ones which did arise
in the last few weeks into a new 7.31 point release. It includes the
latest updates to our new Npcap driver, a fix for Nping on Windows, and
more.
Nmap 7.31 source code and binary packages for Linux, Windows, and Mac...
Nmap 7.30 Released with new NSE scripts, new Npcap, new Fingerprints, etc.
Fyodor (Sep 29)
Hi folks! You may have noticed that we've only been releasing Nmap betas
for the last 6 months because we've had so much new code and so many
features to integrate thanks to hard work from both our regular team and
the 5 Google Summer of Code summer interns. But we spent the last month
focused on stability and I'm pleased to announce Nmap 7.30--our first
stable release since 7.12 back in March.
Even though it's a stable...
Nmap 7.25BETA2 Birthday Release
Fyodor (Sep 01)
Hi folks! I'm happy to report that today is Nmap's 19th birthday and
instead of cake, we're celebrating open source style with a new release!
Nmap 7.25BETA1 includes dozens of performance improvements, bug fixes, and
new features. The full list is below, and includes a major LUA upgrade for
NSE scripts, a new overlapped I/O engine for better Windows performance, a
much-improved version of our new Npcap packet capturing driver,...
Nmap 7.25BETA1 Released with our new Npcap driver, 6 new NSE scripts, and more!
Fyodor (Jul 19)
Hi folks! As you may know, we've been working for the last 3 years on an
improved Windows packet capturing library named Npcap. It's based on the
original WinPcap (which hasn't been maintained in years), but we rewrote
the driver to use modern APIs (NDIS 6) for better performance. It also
improves security and enables new features. For example, Npcap allows Nmap
to do raw scans (including SYN scans and OS detection) of localhost...
Introducing the 2016 Nmap/Google Summer of Code Team!
Fyodor (May 09)
Hello everyone. Google has agreed to sponsor five amazing students to
spend this summer enhancing the Nmap Security Scanner and I'm proud to
introduce our 2015 team:
*Abhishek Singh* will be working as a Feature Creeper and Bug Hunter,
making improvements throughout the Nmap codebase. The project hasn't even
started yet and he's already found and fixed several NSE script bugs and
has other code changes in the works. Abhishek is...
Nmap 7.10 released: 12 new scripts, hundreds of OS/version fingerprints, bug fixes, and more!
Fyodor (Mar 17)
Hi Folks! Before I tell you about today's new Nmap release, I wanted to
share some Summer of Code news:
Google posted a fantastic story by one of our Summer of Code alumni about
how the program helped take him from rural China to a full-ride scholarship
at the University of Virginia graduate school! His mentor David and I had
the chance to meet him in San Francisco:...
Nmap Project Seeking Talented Programmers for Google Summer of Code 2016
Fyodor (Feb 29)
Hi folks. I'm delighted to report that Nmap has been accepted by Google to
participate in this year's Summer of Code internship program. This
innovative and extraordinarily generous program provides $5,500 stipends to
college and graduate students anywhere in the world who spend the summer
improving Nmap from home! They gain valuable experience, get paid,
strengthen their résumés, and write code for millions of users. We're one...
Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
SEC Consult SA-20170322-0 :: Multiple vulnerabilities in Solare Datensysteme Solar-Log devices
SEC Consult Vulnerability Lab (Mar 22)
SEC Consult Vulnerability Lab Security Advisory < 20170322-0 >
=======================================================================
title: Multiple vulnerabilities
product: Solare Datensysteme GmbH
Solar-Log 250/300/500/800e/1000/1000 PM+/1200/2000
vulnerable version: Firmware 2.8.4-56 / 3.5.2-85
fixed version: Firmware 3.5.3-86
CVE number: -
impact: Critical...
Adium vulnerable to remote code execution via libpurple
erythronium23 (Mar 21)
Adium is a popular instant messaging client for MacOS (OSX) that
incorporates libpurple. The current release (1.5.10.2) is vulnerable
to CVE-2017-2640 in libpurple, which permits execution of arbitrary
code on the client.
The Adium team has been aware of the vulnerability since at least
March 15, but has not released an advisory to its users, for reasons
unknown.
A post to the official developer's mailing list, which included
vulnerability...
Re: Remote code execution via CSRF vulnerability in the web UI of Deluge 1.3.13
Thomas Deutschmann (Mar 20)
I requested a CVE via MITRE web form and received the following ID:
Re: SEC Consult SA-20170316-0 :: Authenticated command injection in multiple Ubiquiti Networks products
Carlos Silva (Mar 20)
Hi.
It's supposed to be fixed in SW 1.3.4:
https://dl.ubnt.com/firmwares/TOUGHSwitch/v1.3.4/changelog.txt
and XW 6.0.1:
https://dl.ubnt.com/firmwares/XW-fw/v6.0.1/changelog.txt
(don't know about the rest of them)
Re: 0-Day: Dahua backdoor Generation 2 and 3
bashis (Mar 20)
Greetings,
With my newfound knowledge of vulnerable devices out there with an unbelievable number of more than 1 million Dahua /
OEM units,
where knowledge comes from a report made by NSFOCUS and my own research on shodan.io.
With this knowledge, I will not release the Python PoC to the public as before said of April 5, as it is not necessary
when the PoC has already been verified by IPVM and other independent security researchers.
However,...
Re: TS Session Hijacking / Privilege escalation all windows versions
Kevin Beaumont (Mar 20)
So this is a pretty big issue, which it looks like the Mimikatz guys
flagged in an all-French blog post in 2011 but it flew under the radar.
I've written about it here:
https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6#.o2af8u9op
Now, you might well say 'If you have SYSTEM you already own the box' - and
you're right. But with one command...
Cookie based privilege escalation in DIGISOL DG-HR1400 1.00.02 wireless router.
Indrajith AN (Mar 20)
Title:
======
Cookie based privilege escalation in DIGISOL DG-HR1400 1.00.02 wireless router.
CVE Details:
============
CVE-2017-6896
Reference:
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6896
https://vuldb.com/sv/?id.97954
https://www.indrajithan.com/DIGISOL_router_previlage_escaltion
Credit:
======
Name: Indrajith.A.N
Website: https://www.indrajithan.com
Date:
====
13-03-2017
Vendor:
======
DIGISOL router is a...
CVE-2017-7183 ExtraPuTTY v029_RC2 TFTP Denial Of Service
hyp3rlinx (Mar 20)
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/EXTRAPUTTY-TFTP-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.extraputty.com
Product:
======================
ExtraPuTTY - v029_RC2
hash: d7212fb5bc4144ef895618187f532773
Also Vulnerable: v0.30 r15
hash: eac63550f837a98d5d52d0a19d938b91
ExtraPuTTY is a fork from 0.67 version of PuTTY....
TS Session Hijacking / Privilege escalation all windows versions
Alexander Korznikov (Mar 18)
Terminal Services / Console Session Hijacking can lead to Privilege
Escalation.
Vulnerability Details.
A privileged user who can gain command execution with NT
AUTHORITY/SYSTEM rights can hijack any currently logged in user's session,
without any knowledge about his credentials.
Terminal Services session can be either in connected or disconnected state.
This is a high-risk vulnerability which allows any local admin to hijack a
session...
[CVE-2017-6878]:MetInfo5.3.15 Stored Cross Site Scripting
陈彦羽 (Mar 18)
Hello:
The following are my application vulnerabilities.
---------------------------------------
---------------------------------------
[CVE-2017-6878]:MetInfo5.3.15 Stored Cross Site Scripting
Application: MetInfo
Versions Affected: 5.3.15
Vendor URL: http://www.metinfo.cn/
Software Link:...
HumHub 0.20.1 / 1.0.0-beta.3: Code Execution
Curesec Research Team (CRT) (Mar 17)
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: HumHub 0.20.1 / 1.0.0-beta.3
Fixed in: 1.0.0
Fixed Version Link: https://www.humhub.org/en/download/default/form?version=1.0.0&type=zip
Vendor Website: https://www.humhub.org/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 01/10/2016
Disclosed to public: 03/17/2017
Release mode:...
HumHub 1.0.1: XSS
Curesec Research Team (CRT) (Mar 17)
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: HumHub 1.0.1 and earlier
Fixed in: 1.1.1
Fixed Version Link: https://www.humhub.org/en/download/default/form?version=1.1.1&type=zip
Vendor Website: https://www.humhub.org/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 01/10/2016
Disclosed to public: 03/17/2017
Release mode: Coordinated...
phplist 3.2.6: XSS
Curesec Research Team (CRT) (Mar 17)
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: phplist 3.2.6
Fixed in: 3.3.1
Fixed Version Link: https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/download
Vendor Website: https://www.phplist.org/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 01/10/2017
Disclosed to public: 02/20/2017
Release mode: Coordinated Release...
phplist 3.2.6: SQL Injection
Curesec Research Team (CRT) (Mar 17)
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: phplist 3.2.6
Fixed in: 3.3.1
Fixed Version Link: https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/download
Vendor Website: https://www.phplist.org/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 01/10/2017
Disclosed to public: 02/20/2017
Release mode: Coordinated...
Skype Insecure Library Loading Vulnerability (api-ms-win-core-winrt-string-l1-1-0.dll)
Sachin Wagh (Mar 16)
Vulnerability Title: Skype Insecure Library Loading Vulnerability
(api-ms-win-core-winrt-string-l1-1-0.dll)
Affected Product: Skype
Vendor Homepage: https://www.microsoft.com/en-us/
MSRC Case 32355 TRK:0001002846
CVE-ID : CVE-2017-6517
Severity: Medium
*Description:*
Microsoft Skype contains a DLL hijacking vulnerability that could allow an
unauthenticated attacker to execute arbitrary code on the targeted system.
This vulnerability exists due...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
APPLE-SA-2017-03-22-1 iTunes for Windows 12.6
Apple Product Security (Mar 22)
APPLE-SA-2017-03-22-1 iTunes for Windows 12.6
iTunes for Windows 12.6 is now available and addresses the following:
iTunes
Available for: Windows 7 and later
Impact: Multiple issues in SQLite
Description: Multiple issues existed in SQLite. These issues were
addressed by updating SQLite to version 3.15.2.
CVE-2013-7443
CVE-2015-3414
CVE-2015-3415
CVE-2015-3416
CVE-2015-3717
CVE-2015-6607
CVE-2016-6153
iTunes
Available for: Windows 7 and later...
Cisco Security Advisory: Cisco IOx Data in Motion Stack Overflow Vulnerability
psirt (Mar 22)
Cisco Security Advisory: Cisco IOx Data in Motion Stack Overflow Vulnerability
Advisory ID: cisco-sa-20170322-iox
Revision: 1.0
For Public Release: 2017 March 22 16:00 GMT
Last Updated: 2017 March 22 16:00 GMT
CVE ID(s): CVE-2017-3853
CVSS Score v(3): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+---------------------------------------------------------------------
Summary
=======
A vulnerability in the Data-in-Motion (DMo) process...
Cisco Security Advisory: Cisco IOS XE Software for Cisco ASR 920 Series Routers Zero Touch Provisioning Denial of Service Vulnerability
psirt (Mar 22)
Cisco Security Advisory: Cisco IOS XE Software for Cisco ASR 920 Series Routers Zero Touch Provisioning Denial of
Service Vulnerability
Advisory ID: cisco-sa-20170322-ztp
Revision: 1.0
For Public Release: 2017 March 22 16:00 GMT
Last Updated: 2017 March 22 16:00 GMT
CVE ID(s): CVE-2017-3859
CVSS Score v(3): 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
+---------------------------------------------------------------------
Summary...
Cisco Security Advisory: Cisco IOS and IOS XE Software Layer 2 Tunneling Protocol Denial of Service Vulnerability
psirt (Mar 22)
Cisco Security Advisory: Cisco IOS and IOS XE Software Layer 2 Tunneling Protocol Denial of Service Vulnerability
Advisory ID: cisco-sa-20170322-l2tp
Revision: 1.0
For Public Release: 2017 March 22 16:00 GMT
Last Updated: 2017 March 22 16:00 GMT
CVE ID(s): CVE-2017-3857
CVSS Score v(3): 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
+---------------------------------------------------------------------
Summary
=======
A vulnerability in...
Cisco Security Advisory: Cisco IOS and IOS XE Software DHCP Client Denial of Service Vulnerability
psirt (Mar 22)
Cisco Security Advisory: Cisco IOS and IOS XE Software DHCP Client Denial of Service Vulnerability
Advisory ID: cisco-sa-20170322-dhcpc
Revision: 1.0
For Public Release: 2017 March 22 16:00 GMT
Last Updated: 2017 March 22 16:00 GMT
CVE ID(s): CVE-2017-3864
CVSS Score v(3): 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
+---------------------------------------------------------------------
Summary
=======
A vulnerability in the DHCP...
SEC Consult SA-20170322-0 :: Multiple vulnerabilities in Solare Datensysteme Solar-Log devices
SEC Consult Vulnerability Lab (Mar 22)
SEC Consult Vulnerability Lab Security Advisory < 20170322-0 >
=======================================================================
title: Multiple vulnerabilities
product: Solare Datensysteme GmbH
Solar-Log 250/300/500/800e/1000/1000 PM+/1200/2000
vulnerable version: Firmware 2.8.4-56 / 3.5.2-85
fixed version: Firmware 3.5.3-86
CVE number: -
impact: Critical...
Defense in depth -- the Microsoft way (part 47): "AppLocker bypasses are not serviced via monthly security roll-ups"
Stefan Kanthak (Mar 21)
Hi @ll,
Windows 8 and newer versions (Windows 7 and Windows Server 2008 R2
with KB2532445 or KB3125574 installed too) don't allow unprivileged
callers to circumvent AppLocker and SAFER rules via
LoadLibraryEx(TEXT("<arbitrary DLL>"), NULL, LOAD_IGNORE_CODE_AUTHZ_LEVEL);
See <https://msdn.microsoft.com/en-us/library/ms684179.aspx>
and <https://support.microsoft.com/kb/2532445>
| LOAD_IGNORE_CODE_AUTHZ_LEVEL...
[ERPSCAN-16-041] SAP NETWEAVER DIRECTORY CREATION OUTSIDE OF THE JVM
ERPScan inc (Mar 21)
Application: SAP NetWeaver
Versions Affected: SAP NetWeaver AS JAVA UMEADMIN component
Vendor URL: http://SAP.com
Bugs: Directory traversal
Reported: 04.12.2015
Vendor response: 05.12.2015
Date of Public Advisory: 13.12.2016
Reference: SAP Security Note 2310790
Author: Mathieu Geli (ERPScan)
Description
1. ADVISORY INFORMATION
Title: [ERPSCAN-16-041] SAP NETWEAVER DIRECTORY CREATION OUTSIDE OF THE JVM
Advisory ID: [ERPSCAN-16-041]
Risk: medium...
ESA-2017-010: EMC RecoverPoint SSL Stripping Vulnerability
EMC Product Security Response Center (Mar 20)
ESA-2017-010: EMC RecoverPoint SSL Stripping Vulnerability
EMC Identifier: ESA-2017-010
CVE Identifier: CVE-2016-6650
Severity Rating: CVSS v3 Base Score: CVSS v3 Score: 6.8 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).
Affected products:
EMC RecoverPoint versions prior to 5.0
EMC RecoverPoint for Virtual Machines versions prior to 5.0
Summary:
EMC RecoverPoint update contains a fix for a SSL Stripping Vulnerability that may potentially be...
[SECURITY] [DSA 3796-2] sitesummary regression update
Sebastien Delafond (Mar 20)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3796-2 security () debian org
https://www.debian.org/security/ Sebastien Delafond
March 20, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : sitesummary
Debian Bug : 852623
DSA-3796-1 for apache2...
[security bulletin] HPSBUX03596 rev.2 - HPE HP-UX running CIFS Server (Samba), Remote Access Restriction Bypass, Unauthorized Access
security-alert (Mar 20)
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05121842
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c05121842
Version: 2
HPSBUX03596 rev.2 - HPE HP-UX running CIFS Server (Samba), Remote Access
Restriction Bypass, Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date:...
CVE-2017-7183 ExtraPuTTY v029_RC2 TFTP Denial Of Service
hyp3rlinx (Mar 20)
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/EXTRAPUTTY-TFTP-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.extraputty.com
Product:
======================
ExtraPuTTY - v029_RC2
hash: d7212fb5bc4144ef895618187f532773
Also Vulnerable: v0.30 r15
hash: eac63550f837a98d5d52d0a19d938b91
ExtraPuTTY is a fork from 0.67...
[SECURITY] [DSA 3813-1] r-base security update
Moritz Muehlenhoff (Mar 20)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3813-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
March 19, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : r-base
CVE ID : CVE-2016-8714
Cory Duplantis...
[SECURITY] [DSA 3812-1] ioquake3 security update
Moritz Muehlenhoff (Mar 20)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3812-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
March 18, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : ioquake3
CVE ID : CVE-2017-6903
It was discovered...
[SECURITY] [DSA 3811-1] wireshark security update
Moritz Muehlenhoff (Mar 20)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3811-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
March 18, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : wireshark
CVE ID : CVE-2017-5596 CVE-2017-5597...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
Faraday v2.4: Collaborative Penetration Test and Vulnerability Management Platform
Francisco Amato (Mar 21)
March is already rolling and so is our work. Today we feel so happy to
share a new release, Faraday v2.4!
Before preparing an upcoming release, we try to focus not only on
improving the product but also on perfecting the user experience. We
want to go beyond optimizing your everyday work, inspiring you to do
more!
Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in...
[ERPSCAN-16-041] SAP NETWEAVER DIRECTORY CREATION OUTSIDE OF THE JVM
ERPScan inc (Mar 21)
Application: SAP NetWeaver
Versions Affected: SAP NetWeaver AS JAVA UMEADMIN component
Vendor URL: http://SAP.com
Bugs: Directory traversal
Reported: 04.12.2015
Vendor response: 05.12.2015
Date of Public Advisory: 13.12.2016
Reference: SAP Security Note 2310790
Author: Mathieu Geli (ERPScan)
Description
1. ADVISORY INFORMATION
Title: [ERPSCAN-16-041] SAP NETWEAVER DIRECTORY CREATION OUTSIDE OF THE JVM
Advisory ID: [ERPSCAN-16-041]
Risk: medium...
SpiderFoot 2.9 released
Steve Micallef (Mar 15)
Hi all,
SpiderFoot 2.9.0 is now out, totaling almost 60 data collection/analysis
modules for your reconnaissance, footprinting and OSINT needs.
Here's what's new since 2.7.0 was announced here..
- *9* new modules:
- Base64 string finder
- Binary string searches (identifies file meta data)
- Censys.io data collection (device info)
- Cymon.io data collection (threat intel)
- Hunter.io...
Firewall Wizards — Tips and tricks for firewall administrators
Revival?
Paul Robertson (Sep 11)
Since the last few attempts to revive the list have failed, I'm going to attempt a Facebook group revival experiment.
It'll be a bit broader in scope, but I'm hoping we can discuss technical security matters. The new group is
Security-Wizards on Facebook.
Paul
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
Faraday v2.4: Collaborative Penetration Test and Vulnerability Management Platform
Francisco Amato (Mar 21)
March is already rolling and so is our work. Today we feel so happy to
share a new release, Faraday v2.4!
Before preparing an upcoming release, we try to focus not only on
improving the product but also on perfecting the user experience. We
want to go beyond optimizing your everyday work, inspiring you to do
more!
Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in...
SpiderFoot 2.9 released
Steve Micallef (Mar 16)
Hi all,
SpiderFoot 2.9.0 is now out, totaling almost 60 data collection/analysis
modules for your reconnaissance, footprinting and OSINT needs.
Here's what's new since 2.7.0 was announced here..
- *9* new modules:
- Base64 string finder
- Binary string searches (identifies file meta data)
- Censys.io data collection (device info)
- Cymon.io data collection (threat intel)
- Hunter.io...
Arachni Framework v1.5 & WebUI v0.5.11 have been released (Web Application Security Scanner)
Tasos Laskos (Feb 01)
Hey folks,
There's a new version of Arachni, a modular and high-performance Web Application Security Scanner Framework.
The highlights of this release are:
* Added arachni_reproduce utility allowing issues in reports to be reproduced.
* Browser updated to the latest PhantomJS version for improved support of modern webapps.
* New SAX based HTML parser allowing for much faster and lightweight parsing.
* Improved XSS, SQL injection,...
Faraday v2.3: Collaborative Penetration Test and Vulnerability Management Platform
Francisco Amato (Jan 31)
We are very proud to present the first 2017 edition of the Faraday
Platform! Faraday v2.3 is ready to download!
Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in real
time, letting you track and understand your audits. Our dashboard for
CISOs and managers uncovers the impact and risk being assessed by the
audit in real-time without the need for a single email....
RVAsec 2017 Call for Presentations (CFP)
Sullo (Jan 23)
The CFP for RVAsec 2017 is underway!
____________________________________
RVAsec // June 8-9th, 2017 // Richmond, VA
RVAsec is a Richmond, VA based security convention that brings top
industry speakers to the midatlantic region. In its fourth year,
RVAsec 2016 attracted nearly 400 security professionals from across
the country.
Talks must be 50 minutes in length, and submissions will need to
select from one of two tracks: business or...
Faraday v2.2: Collaborative Penetration Test and Vulnerability Management Platform
Francisco Amato (Nov 23)
Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in real
time, letting you track and understand your audits. Our dashboard for
CISOs and managers uncovers the impact and risk being assessed by the
audit in real-time without the need for a single email. Developed with
a specialized set of functionalities that help users improve their own
work, the main purpose is to...
MobSF v0.9.3 is Released: Now supports Windows APPX Static Analysis
Ajin Abraham (Nov 22)
Hello Folks,
MobSF v0.9.3 is released.
About MobSF
Mobile Security Framework (MobSF) is an intelligent, all-in-one open
source mobile application (Android/iOS/Windows) automated pen-testing
framework capable of performing static and dynamic analysis. It can be
used for effective and fast security analysis of Android, iOS and
Windows mobile Applications and supports both binaries (APK, IPA &
APPX ) and zipped source code. MobSF can also...
Re: IE11 is not following CORS specification for local files
Ricardo Iramar dos Santos (Oct 13)
Same attack using XSS as vector.
Imagine that https://xss-doc.appspot.com is a site about gift cards.
The XSS payload below will create a giftcard.htm file in the default
download folder.
If the victim opens the file, a GET to
https://mail.google.com/mail/u/0/#inbox will be submitted.
After the GET the file will perform a POST to
http://192.168.1.36/req.php using the GET response as a body.
An attacker would be able to read all the emails in the...
Re: IE11 is not following CORS specification for local files
Ricardo Iramar dos Santos (Oct 05)
I did a small improvement in this attack.
Using IE File API
(https://msdn.microsoft.com/en-us/library/hh772315(v=vs.85).aspx) an
attacker would be able to create a web page with the content below and
send to a victim.
A local file with the same content that I sent previously would be
created on download default folder.
If the victim performs the following three clicks (Save, Open and Allow
blocked content), an attacker would be able to perform any...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Startups that Use PHP on HHVM
dave aitel (Mar 17)
<image about how great PHP is>
Let's say you're a 20-person startup about to develop a world-crushing
combination of IRC and Sharepoint and Imgur. You don't have any code
yet, or maybe just a POC, but you know the majority of your company
relies on a solid and secure web app. (Mobile apps are basically web
apps for purposes here).
If you read books on SDL, they have an entire (super boring) process for
you to go through,...
Re: Blinken Lights IDS
Andre Gironda (Mar 17)
So your entire defense was situated on "Are the
We can still use blinkenlights --
https://blog.cobaltstrike.com/2015/11/11/revolutionary-device-detects-mimikatz-use/
Maybe we know how to measure success --
https://www.blackhat.com/docs/eu-16/materials/eu-16-Hovor-Automating-Incident-Investigations-Sit-Back-And-Relax-Bots-Are-Taking-Over.pdf
Maybe we know how to evolve the defensive process --...
Blinken Lights IDS
dave aitel (Mar 16)
Everyone I know lived through the "Blinken-Lights-IDS" phase. This is
back when you had dial-up or perhaps very early Internet and you were
the only person on your switch, and most importantly, you slept and
lived near your computer and switch because you were a poor college
student or similar. So your entire defense was situated on "Are the
lights blinking when I'm not typing on my computer?"
Ask yourself: How far from...
Re: What has Fallen
John Strand (Mar 16)
Ok.. Lets step back even further.
At the root of all of this is the issue that old software never goes away.
Every year we add more software. Very rarely do we remove old software.
It is like a giant snowball of crap. Every year it only gets bigger.
What has Fallen
Dave Aitel (Mar 14)
No matter how "strategic" everyone says they are in our community, or in
the NatSec policy community adjacent to it, people have the localized
perspectives of a gecko, endlessly chasing moth after useless moth
attracted to the laundry-room-light of Fail that is the software
development world.
If you're going to look even a tiny tiny bit into the future, you have to
step back and say "This entire class of software is broken...
The Value of Offensive Conferences
dave aitel (Mar 06)
It's no secret that in order to get ahead, you cannot send your
technical people to BlackHat and Defcon. That's where you send your
sales engineers, which is a sad thing, since I really enjoyed the
earlier days of BH and DefCon, but the smaller conferences are a world
ahead when it comes to the technical innovations in information security
that are going affect you, if you're doing any kind of decent job at
security already.
The...
Re: Improvements
Laurens Vets (Mar 01)
See inline.
https://github.com/airbnb/streamalert
There is a lot more that needs to be done to cover the broad range of
capabilities needed for detection and response, but StreamAlert achieves
something very important even for huge companies -- it radically lowers
the operational overhead of maintaining and scaling the infrastructure.
We really want our human capital investment concentrated on the analysis
and response phases of the process;...
Re: SHA1
Kristian Erik Hermansen (Feb 26)
I think almost all versions of OpenVPN clients for mobile devices (windows
phone?, Android, iOS) didn't traditionally support anything greater than
sha1 crypto, so all openvpn mobile clients affected? OpenVPN traditionally
also relied on weak CA configs, so it's like time-warping back 5-10 years
in browser land? And how many OpenVPN clients actually validate their
server side end properly? Some things to consider.
Re: Improvements
Dominique Brezinski (Feb 24)
inline...
https://github.com/airbnb/streamalert
There is a lot more that needs to be done to cover the broad range of
capabilities needed for detection and response, but StreamAlert achieves
something very important even for huge companies -- it radically lowers the
operational overhead of maintaining and scaling the infrastructure. We
really want our human capital investment concentrated on the analysis and
response phases of the process; the...
Re: Improvements
Oliver Friedrichs (Feb 24)
Since I’m on this list and rarely get to contribute, it seems like a good time to jump in (although Phantom
coincidentally almost started by focusing on offense – google “Phantom Access” if you are curious where the name came
from): https://en.wikipedia.org/wiki/Phantom_Access. I’m sure Dave is happy about that since who needs more offense
vendors. :-)
Obviously I am biased, but IMO automation and orchestration is one of the few new...
Re: SHA1
Ryan Kiser (Feb 24)
While I’m probably not qualified to answer this question in a totally comprehensive way, the following technet article
is illuminating if you ever find yourself wondering what SHA1 is still valid for in Microsoft land.
https://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx
<...
Re: SHA1
William Reyor (Feb 24)
I believe this affects mostly certificates and ipsec configurations.
SHA1
Dave Aitel (Feb 23)
So what is it that breaking SHA1 gets you on Windows boxes?
-dave
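One concrete thing to check, on Windows or anywhere, is which certificates a host still serves or trusts that carry a SHA-1 signature, which is where William Reyor's "certificates and ipsec" answer leads. The script below is an added example, not part of this thread and not Microsoft's guidance: it walks the DER encoding of an X.509 certificate with a minimal TLV parser and reports whether the outer signatureAlgorithm OID is one of the SHA-1 variants from RFC 3279. The OID table is the only real data in it; fake_certificate() builds a certificate-shaped skeleton purely to exercise the parser and is not a real certificate.

```python
import base64

# Signature-algorithm OIDs whose digest is SHA-1 (RFC 3279 values plus the OIW arc).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.3.14.3.2.29": "sha1WithRSAEncryption (OIW)",
}

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos] -> (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER at offset %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length at offset %d" % (pos - 1))
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER value runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length

def _expect(buf, pos, want, what):
    tag, content, nxt = _read_tlv(buf, pos)
    if tag != want:
        raise ValueError("%s: expected tag 0x%02x, got 0x%02x" % (what, want, tag))
    return content, nxt

def _decode_oid(content):
    """OBJECT IDENTIFIER content octets -> dotted-decimal string."""
    if not content:
        raise ValueError("empty OID")
    first = content[0]                     # first octet packs the first two arcs
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc, pending = 0, False
    for b in content[1:]:                  # base-128, high bit set = more octets follow
        acc, pending = (acc << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(str(a) for a in arcs)

def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm of a DER Certificate, i.e.
    SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    cert, _ = _expect(der, 0, 0x30, "Certificate")
    _tbs, pos = _expect(cert, 0, 0x30, "tbsCertificate")       # skipped, not parsed
    algid, _ = _expect(cert, pos, 0x30, "signatureAlgorithm")
    oid, _ = _expect(algid, 0, 0x06, "algorithm")              # AlgorithmIdentifier.algorithm
    return _decode_oid(oid)

def uses_sha1(der):
    return signature_algorithm(der) in SHA1_SIGNATURE_OIDS

def pem_to_der(text):
    """Strip the PEM armour lines and base64-decode what is left."""
    body = [l for l in text.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def der_to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# --- Constructed input for the demonstration: certificate-shaped, NOT a real cert ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def fake_certificate(sig_oid):
    """Outer shape of a Certificate carrying the given signature OID; the
    tbsCertificate is padding sized to force a long-form length."""
    tbs = _tlv(0x30, b"\x02\x01\x02" + b"\x00" * 200)
    algid = _tlv(0x30, _oid(sig_oid) + b"\x05\x00")           # parameters = NULL
    sig = _tlv(0x03, b"\x00" * 129)                           # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + algid + sig)
```

On a real certificate, feed pem_to_der() the text of a PEM file, or the string that the standard library's ssl.get_server_certificate((host, 443)) returns, and pass the result to signature_algorithm(). Only the outer signatureAlgorithm is read, which is the field that matters for the collision question; run it over the intermediates as well as the leaf, since a self-signed root's own signature is not verified by clients and matters far less.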
Re: Improvements
Dominique Brezinski (Feb 23)
All the notable, large tech companies and cloud providers roll their own everything. Most of the hyperscale companies
buy very little third-party security product. The things they build are everything from a little python glue to massive
analytics systems backed by software development teams running on tens of thousands of cores, tens of terabytes of ram,
and tens of petabytes of storage.
Automating as much detection through response is the...
Re: Improvements
Jimmy D (Feb 23)
That pressure isn’t just from the C-suite. Many of us have been burned (at least indirectly) by a tool author who
either abandoned locally built tools or who tried to use their knowledge of one as a form of blackmail in salary
negotiations or promotions. Add to that the fact that I pay people to perform specific functions usually aligned with
their core skills. I’ve generally had tremendous respect for my team members (else they’d be...
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
Re: [Security Weekly] cheap hosting
Robin Wood (Sep 23)
Resurrecting an old thread but they now have an affiliate program and I can
issue my own codes so:
20% off all servers AqUVYbUXag
50% off all big dog (whatever that is) 7E9YRUzEZy
After a month with them, their tech support is OK but not great, the server
has stayed up and not had any problems.
Robin
Re: [Security Weekly] projecting in a bright space
Jeremy Pommerening (Aug 28)
I would look for a projector with at least 6000 ANSI Lumens or better. A darker screen (grey) may also help.
Jeremy Pommerening
________________________________
From: Robin Wood <robin () digi ninja>
To: Security Weekly Mailing List <pauldotcom () mail securityweekly com>
Sent: Sunday, August 3, 2014 3:42 AM
Subject: [Security Weekly] projecting in a bright space
I've been looking at the venue for next year's...
[Security Weekly] Two Firefox security bugs related to HTTPS
ffbugishere (Aug 17)
Hello world!
We need votes for security bugs!
Adding "Security Exception" for self-signed HTTPS sites cannot be done
permanently
https://bugzilla.mozilla.org/show_bug.cgi?id=1050100
Firefox 31 doesn't support the industry-recommended best HTTPS
ciphers
https://bugzilla.mozilla.org/show_bug.cgi?id=1051210
Other browsers should have the same bugs fixed..
p.s.: We are not related to this group, but we think they're worth a
penny...
Re: [Security Weekly] Java and Flash decompilers
Will Metcalf (Aug 05)
JPEXS is very nice for flash IMHO.
http://www.free-decompiler.com/flash/
Regards,
Will
Re: [Security Weekly] Java and Flash decompilers
Bradley McMahon (Aug 05)
I've used flare before to pull apart a flash site for a client.
http://www.nowrap.de/flare.html
-Brad
Re: [Security Weekly] SecurityCenter alternative
Steven McGrath (Aug 04)
SC certainly isn’t cheap (as a former SC customer that moved over to Tenable I can attest to that) however I can point
out that the data aggregation, trending, and custom reporting were huge wins in my book. I guess it's a time/money
trade-off. How much time do you want to spend either cobbling together a tool or manually aggregating the data when
there is another tool already out there that can do it out of the box.
I can speak in more...
Re: [Security Weekly] Java and Flash decompilers
S. White (Aug 04)
A few I've used in the past:
JAD - http://varaneckas.com/jad/ , http://en.wikipedia.org/wiki/JAD_(JAva_Decompiler)
HP SWFscan
Adobe SWF investigator http://labs.adobe.com/technologies/swfinvestigator/
________________________________
From: Robin Wood <robin () digi ninja>
To: Security Weekly Mailing List <pauldotcom () mail securityweekly com>
Sent: Monday, August 4, 2014 5:54 AM
Subject: [Security Weekly] Java and...
[Security Weekly] DoFler @ BSidesLV
Steven McGrath (Aug 04)
This will be the 3rd year that DoFler (the Dashboard of Fail) will be at BSidesLV. This year I wrote a new spiffy
interface for maximum trolling. Let’s be honest now, everyone loves to surf for various forms of horrible on the
internet at cons :D. Also added this year is a little vulnerability analysis (using Tenable’s PVS). Every year I try
to improve it a bit based on everyone’s input, and am always welcome to more feedback.
DB...
Re: [Security Weekly] cheap hosting
Robin Wood (Aug 04)
Already sorted but thanks for the info.
Re: [Security Weekly] Java and Flash decompilers
Nathan Sweaney (Aug 04)
Here are a few others I've used with varying success in the past:
SWFInvestigator - http://labs.adobe.com/technologies/swfinvestigator/
SWFScan - from Rafal Los at HP, though the link has been deleted. (Careful,
I've seen trojaned copies online.)
Re: [Security Weekly] SecurityCenter alternative
Paul Asadoorian (Aug 04)
Thanks all for the informative discussion!
I know, I'm jumping in late, some closing thoughts on the subject:
- SecurityCenter has the unique advantage of consolidating plugin
updates, meaning you could have hundreds of Nessus scanners deployed in
your organization, and the scanners get the plugin feed from your
SecurityCenter system. This removes the requirement of Internet access
(From the scanners), and greatly eases the administration...
Re: [Security Weekly] SecurityCenter alternative
k41zen (Aug 04)
Thanks for all of your help.
We are in discussions with our Tenable contact about solutions for this issue. They’ve helped me out by enabling me to
move forward to at least deploy this into a Pre-Production environment but the costs of SC are a massive stumbling
block; hence my question about something else. Appreciate we have a big Nessus fan base here of which I am a member
too, but just wondered what could be wrapped around it.
I’ll...
Re: [Security Weekly] SecurityCenter alternative
Adrien de Beaupre (Aug 04)
Hi,
I have also written a series of scripts to collect data from tools such as
nmap and nessus to import into MySQL called OSSAMS:
http://www.ossams.com/wp-content/uploads/2011/10/ossams-parser-SecTor-2011.zip
That leaves report writing as a series of SQL queries.
I also have a series of scripts to kick off scans, as well as a command-line
XML-RPC Nessus client in Python if anyone is interested.
Cheers,
Adrien
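The OSSAMS parsers themselves are not on this page. As an added example, which is neither OSSAMS code nor Adrien's, here is the same idea done with nothing but the Python standard library: load Nmap's -oX output into SQLite and leave the reporting to SQL. The nmaprun document is a constructed sample (the 192.0.2.0/24 block is reserved for documentation, so it points at no live host); the two-table schema and the two query helpers are this example's own choices, not a format Nmap or Nessus defines.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample of Nmap's -oX output; not a real scan.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -oX - -sV -p 22,80,443 192.0.2.10 192.0.2.11" version="7.40">
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.10.3"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
</ports></host>
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
<hostnames/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="6.6.1p1"/></port>
<port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.7" tunnel="ssl"/></port>
</ports></host>
</nmaprun>
"""

SCHEMA = """
CREATE TABLE IF NOT EXISTS host (
    id INTEGER PRIMARY KEY, addr TEXT NOT NULL, hostname TEXT, state TEXT);
CREATE TABLE IF NOT EXISTS port (
    host_id INTEGER NOT NULL REFERENCES host(id), proto TEXT, portid INTEGER,
    state TEXT, service TEXT, product TEXT, version TEXT);
"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def _attr(el, name):
    """Attribute of an optional child element, or None when the child is absent."""
    return el.get(name) if el is not None else None

def import_nmap_xml(conn, xml_text):
    """Load every host and port of one nmaprun document; returns the host count.
    Refuses anything whose root is not <nmaprun> (e.g. a .nessus file)."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML document: root element is %r" % root.tag)
    count = 0
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        if addr_el is None:
            continue                       # a host record without an address is useless here
        cur = conn.execute(
            "INSERT INTO host (addr, hostname, state) VALUES (?, ?, ?)",
            (addr_el.get("addr"),
             _attr(host.find("hostnames/hostname"), "name"),
             _attr(host.find("status"), "state")))
        host_id = cur.lastrowid
        for port in host.iter("port"):
            svc = port.find("service")
            conn.execute(
                "INSERT INTO port VALUES (?, ?, ?, ?, ?, ?, ?)",
                (host_id, port.get("protocol"), int(port.get("portid")),
                 _attr(port.find("state"), "state"),
                 _attr(svc, "name"), _attr(svc, "product"), _attr(svc, "version")))
        count += 1
    conn.commit()
    return count

def open_ports(conn):
    """Findings-table query: every open port with its banner, ordered by host and port."""
    return conn.execute("""
        SELECT h.addr, h.hostname, p.proto, p.portid, p.service, p.product, p.version
        FROM port p JOIN host h ON h.id = p.host_id
        WHERE p.state = 'open' ORDER BY h.addr, p.portid""").fetchall()

def hosts_running(conn, product_prefix):
    """Hosts exposing a service whose product banner starts with the given string,
    the question an advisory naming a product makes you ask of last week's scan."""
    return [r[0] for r in conn.execute(
        "SELECT DISTINCT h.addr FROM port p JOIN host h ON h.id = p.host_id "
        "WHERE p.state = 'open' AND p.product LIKE ? ORDER BY h.addr",
        (product_prefix + "%",))]

if __name__ == "__main__":
    db = open_db()
    print("imported %d hosts" % import_nmap_xml(db, SAMPLE_NMAP_XML))
    for row in open_ports(db):
        print(row)
    print("OpenSSH hosts:", hosts_running(db, "OpenSSH"))
```

To use it on a real scan, pass the contents of a file written with nmap -oX to import_nmap_xml() and a file path to open_db(); repeated imports of the same scan are not de-duplicated, so load each scan once or add a scan table keyed on the nmaprun start attribute.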
Re: [Security Weekly] cheap hosting
sec list (Aug 04)
Hey Robin,
If you're still looking, might want to try out getclouder.com - they
spin up Linux containers in 5 seconds and use distributed storage, which
is pretty awesome. It's still in beta, so they offer 3 months free
service, but it has been pretty stable so far from my experience.
[Security Weekly] Java and Flash decompilers
Robin Wood (Aug 04)
Hi
I'm trying to put together a list of tools for decompiling Flash and Java
apps. From asking on another list I already have:
Java
JD-GUI
Java Decompiler http://jd.benow.ca/jd-gui/downloads/jd-gui-0.3.6.windows.zip.
Java snoop https://code.google.com/p/javasnoop/
Flash
Trillix
Flashbang https://github.com/cure53/Flashbang
Has anyone here got any others they can suggest?
Ideally I'm looking for free stuff but cheap commercial...
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
Honeypot malware archives
Matteo Cantoni (Feb 14)
Hello everyone,
I would like to share with you, for educational purposes and without any
commercial purpose, data collected by my homemade honeypot.
Nothing new, nothing shocking, nothing sensational... but I think it can
be of interest to newcomers to the world of analysis of malware,
botnets, etc... maybe for a thesis.
The files collected are divided into zip archives, in alphabetical
order, with password (which must be requested via email). Some...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Bulletin Minor Revisions
Microsoft (Mar 17)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: February 23, 2017
********************************************************************
Summary
=======
The following bulletins and/or bulletin summaries have undergone a
minor revision increment.
Please see the appropriate bulletin for more details.
* MS16-084
* MS16-JUL
Bulletin Information:...
Microsoft Security Bulletin Summary for March 2017
Microsoft (Mar 14)
********************************************************************
Microsoft Security Bulletin Summary for March 2017
Issued: March 14, 2017
********************************************************************
This bulletin summary lists security bulletins released for
March 2017.
The full version of the Microsoft Security Bulletin Summary for
March 2017 can be found at
<https://technet.microsoft.com/library/security/ms17-mar>....
Microsoft Security Advisory Notification
Microsoft (Mar 14)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: March 14, 2017
********************************************************************
Security Advisories Released or Updated Today
==============================================
* Microsoft Security Advisory 3123479
- Title: SHA-1 Hashing Algorithm for Microsoft Root Certificate
Program
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Feb 23)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: February 23, 2017
********************************************************************
Summary
=======
The following bulletins and/or bulletin summaries have undergone a
minor revision increment.
Please see the appropriate bulletin for more details.
* MS16-155
Bulletin Information:
=====================
MS16-155...
Microsoft Security Bulletin Minor Revisions
Microsoft (Feb 23)
Microsoft Security Bulletin Summary for February 2017
Microsoft (Feb 21)
********************************************************************
Microsoft Security Bulletin Summary for February 2017
Issued: February 21, 2017
********************************************************************
This bulletin summary lists security bulletins released for
February 2017.
The full version of the Microsoft Security Bulletin Summary for
February 2017 can be found at
<https://technet.microsoft.com/library/security/ms17-feb...
Microsoft Security Advisory Notification
Microsoft (Jan 27)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: January 27, 2017
********************************************************************
Security Advisories Released or Updated Today
==============================================
* Microsoft Security Advisory 4010983
- Title: Vulnerability in ASP.NET Core MVC 1.1.0 Could Allow Denial of
Service
-...
Microsoft Security Advisory Notification
Microsoft (Jan 10)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: January 10, 2017
********************************************************************
Security Advisories Released or Updated Today
==============================================
* Microsoft Security Advisory 3214296
- Title: Vulnerabilities in Identity Model Extensions Token Signing
Verification
-...
Microsoft Security Bulletin Summary for January 2017
Microsoft (Jan 10)
********************************************************************
Microsoft Security Bulletin Summary for January 2017
Issued: January 10, 2017
********************************************************************
This bulletin summary lists security bulletins released for
January 2017.
The full version of the Microsoft Security Bulletin Summary for
January 2017 can be found at
<https://technet.microsoft.com/library/security/ms17-jan>....
Microsoft Security Bulletin Releases
Microsoft (Dec 19)
********************************************************************
Title: Microsoft Security Bulletin Releases
Issued: December 19, 2016
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
* MS16-155 - Important
Bulletin Information:
=====================
MS16-155
- Title: Security Update for .NET Framework (3205640)
-...
Microsoft Security Bulletin Summary for December 2016
Microsoft (Dec 13)
********************************************************************
Microsoft Security Bulletin Summary for December 2016
Issued: December 13, 2016
********************************************************************
This bulletin summary lists security bulletins released for
December 2016.
The full version of the Microsoft Security Bulletin Summary for
December 2016 can be found at
<https://technet.microsoft.com/library/security/ms16-dec...
Microsoft Security Bulletin Releases
Microsoft (Dec 13)
********************************************************************
Title: Microsoft Security Bulletin Releases
Issued: December 13, 2016
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
October
* MS16-118 - Critical
* MS16-120 - Critical
* MS16-122 - Critical
* MS16-123 - Important
* MS16-124 - Important
* MS16-126 - Moderate
November
*...
Microsoft Security Bulletin Minor Revisions
Microsoft (Dec 13)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: November 23, 2016
********************************************************************
Summary
=======
The following bulletins and/or bulletin summaries have undergone a
minor revision increment.
Please see the appropriate bulletin for more details.
* MS16-130
* MS16-140
Bulletin Information:...
Microsoft Security Bulletin Minor Revisions
Microsoft (Nov 23)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: November 23, 2016
********************************************************************
Summary
=======
The following bulletins and/or bulletin summaries have undergone a
minor revision increment.
Please see the appropriate bulletin for more details.
* MS16-130
* MS16-140
Bulletin Information:...
Microsoft Security Bulletin Releases
Microsoft (Nov 16)
********************************************************************
Title: Microsoft Security Bulletin Releases
Issued: November 15, 2016
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
* MS16-133 - Important
Bulletin Information:
=====================
MS16-133
- Title: Security Update for Microsoft Office (3199168)
-...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Verizon: 1.5M of Contact Records Stolen, Now on Sale
Jeffrey Walton (Mar 26)
http://www.mobipicker.com/verizon-1-5m-contact-records-stolen-now-sale/:
A business to business telecommunication giant,
Verizon Enterprise Solutions, a Basking Ridge,
New Jersey-based company, has been the latest
victim of a cyber crime that stole 1.5 million contact
records of the customers of Verizon...
I don't quite understand this double talk. Could someone explain to me:
A spokesperson from Verizon said that...
Statement on Lavabit Citation in Apple Case
Jeffrey Walton (Mar 16)
(From John Young on another list):
http://www.facebook.com/KingLadar/posts/10156714933135038
As many of you already know, the government cited the Lavabit case in
a footnote. The problem is their description insinuates a precedent
that was never created. Obviously I was somewhat disturbed by their
misrepresentation. So I decided to draft a statement. And keep in
mind, these are the same people who say "trust us." Click continue to
read...
The NSA's back door has given every US secret to our enemies
Jeffrey Walton (Feb 29)
http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2
Deng Xiaoping, in 1979 - his second year as supreme leader of China -
perceived a fundamental truth that has yet to be fully grasped by most
Western leaders: Software, if properly weaponized, could be far more
destructive than any nuclear arsenal.
Under Deng’s leadership, China began one of the most ambitious and
sophisticated meta-software...
Can Spies Break Apple Crypto?
Jeffrey Walton (Feb 27)
Here's an interesting exchange between Cryptome and Michael Froomkin,
Law Professor at University of Miami, on the All Writs Act
(http://cryptome.org/2016/02/can-spies-break-apple-crypto.htm):
-----
A. Michael Froomkin:
The factual posture in the key Supreme Court precedent, New York
Telephone, involved a situation where only the subject of the order
was capable of providing the assistance at issue. This is the basis
for Apple's...
The FBI's iPhone Problem: Tactical vs. Strategic Thinking
Jeffrey Walton (Feb 23)
http://www.technewsworld.com/story/83130.html
I'm an ex-sheriff, and I've been in and out of security jobs for much
of my life, so I've got some familiarity with the issues underlying
the drama between the FBI and Apple. FBI officials -- and likely those
in every other three-letter agency and their counterparts all over the
world -- would like an easier way to do their jobs. Wouldn't we all?
If they could put cameras in...
Wanted: Cryptography Products for Worldwide Survey
Jeffrey Walton (Jan 01)
(http://www.schneier.com/crypto-gram/archives/2015/1215.html):
In 1999, Lance Hoffman, David Balenson, and others published a survey
of non-US cryptographic products. The point of the survey was to
illustrate that there was a robust international market in these
products, and that US-only export restrictions on strong encryption
did nothing to prevent its adoption and everything to disadvantage US
corporations. This was an important contribution...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
Cisco Releases Security Updates
US-CERT (Mar 22)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Cisco Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/03/22/Cisco-Releases-Security-Updates ] 03/22/2017 06:02 PM EDT
Original release date: March 22, 2017
Cisco has released security updates to address vulnerabilities in its IOS, IOS XE, and IOx Software. Exploitation of
some of these vulnerabilities may allow a remote attacker to...
Vulnerabilities Identified in Network Time Protocol Daemon (ntpd)
US-CERT (Mar 22)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Vulnerabilities Identified in Network Time Protocol Daemon (ntpd) [
https://www.us-cert.gov/ncas/current-activity/2017/03/22/Vulnerabilities-Identified-Network-Time-Protocol-Daemon-ntpd ]
03/22/2017 01:20 PM EDT
Original release date: March 22, 2017
The Network Time Foundation's NTP Project has released version ntp-4.2.8p10 to address multiple...
Title: Cisco Releases Security Updates
US-CERT (Mar 21)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Title: Cisco Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/03/21/Title-Cisco-Releases-Security-Updates ] 03/21/2017 11:57 AM
EDT
Original release date: March 21, 2017
Cisco has released security updates to address vulnerabilities in its IOS and IOS XE Software. Exploitation of one of
these vulnerabilities could allow a remote...
IRS Warns of Last-Minute Tax Scams
US-CERT (Mar 17)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
IRS Warns of Last-Minute Tax Scams [
https://www.us-cert.gov/ncas/current-activity/2017/03/17/IRS-Warns-Last-Minute-Tax-Scams ] 03/17/2017 11:21 PM EDT
Original release date: March 17, 2017
The Internal Revenue Service (IRS) has released an alert warning of phishing email scams targeting last-minute tax
filers. The alert describes common features of these cyber...
Microsoft Ending Support for Windows Vista
US-CERT (Mar 16)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Microsoft Ending Support for Windows Vista [
https://www.us-cert.gov/ncas/current-activity/2017/03/17/Microsoft-Ending-Support-Windows-Vista ] 03/17/2017 12:45 AM
EDT
Original release date: March 17, 2017
All software products have a lifecycle. After April 11, 2017, Microsoft is ending support for the Windows Vista
operating system. After this date, this product...
Microsoft SMBv1 Vulnerability
US-CERT (Mar 16)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Microsoft SMBv1 Vulnerability [ https://www.us-cert.gov/ncas/current-activity/2017/03/16/Microsoft-SMBv1-Vulnerability
] 03/16/2017 06:12 PM EDT
Original release date: March 16, 2017
Microsoft has released a security update to address a vulnerability in implementations of Server Message Block 1.0
(SMBv1). Exploitation of this vulnerability could allow a remote...
TA17-075A: HTTPS Interception Weakens TLS Security
US-CERT (Mar 16)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
TA17-075A: HTTPS Interception Weakens TLS Security [ https://www.us-cert.gov/ncas/alerts/TA17-075A ] 03/16/2017 08:40
AM EDT
Original release date: March 16, 2017
Systems Affected
All systems behind a hypertext transfer protocol secure (HTTPS) interception product are potentially affected.
Overview
Many organizations use HTTPS interception products for several...
Drupal Releases Security Update
US-CERT (Mar 15)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Drupal Releases Security Update [
https://www.us-cert.gov/ncas/current-activity/2017/03/15/Drupal-Releases-Security-Update ] 03/15/2017 08:21 PM EDT
Original release date: March 15, 2017
Drupal has released an advisory to address vulnerabilities in Drupal core 8.x versions prior to 8.2.7. A remote
attacker could exploit some of these vulnerabilities to take...
Cisco Releases Security Updates
US-CERT (Mar 15)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Cisco Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/03/15/Cisco-Releases-Security-Updates ] 03/15/2017 08:26 PM EDT
Original release date: March 15, 2017
Cisco has released several updates to address vulnerabilities affecting multiple products. A remote attacker could
exploit these vulnerabilities to take control of an affected...
VMware Releases Security Updates
US-CERT (Mar 14)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
VMware Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/03/14/VMware-Releases-Security-Updates ] 03/14/2017 03:52 PM EDT
Original release date: March 14, 2017
VMware has released security updates to address a vulnerability in Workstation and Fusion. A remote attacker could
exploit this vulnerability and take control of an affected...
Adobe Releases Security Updates
US-CERT (Mar 14)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Adobe Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/03/14/Adobe-Releases-Security-Updates ] 03/14/2017 03:35 PM EDT
Original release date: March 14, 2017
Adobe has released security updates to address vulnerabilities in Adobe Flash Player and Shockwave Player. Exploitation
of some of these vulnerabilities may allow a remote...
Microsoft Releases March 2017 Security Bulletin
US-CERT (Mar 14)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Microsoft Releases March 2017 Security Bulletin [
https://www.us-cert.gov/ncas/current-activity/2017/03/14/Microsoft-Releases-March-2017-Security-Bulletin ] 03/14/2017
01:22 PM EDT
Original release date: March 14, 2017
Microsoft has released 17 updates to address vulnerabilities in Microsoft software. Exploitation of some of these
vulnerabilities could allow a...
IRS Releases Tax-Time Guide
US-CERT (Mar 09)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
IRS Releases Tax-Time Guide [ https://www.us-cert.gov/ncas/current-activity/2017/03/09/IRS-Releases-Tax-Time-Guide ]
03/09/2017 09:29 PM EST
Original release date: March 09, 2017
The Internal Revenue Service (IRS) has released tax-time advice intended to help the public protect their personal and
financial data and computers. Recommendations include using strong...
Google Releases Security Update for Chrome
US-CERT (Mar 09)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Google Releases Security Update for Chrome [ https://www.us-cert.gov/ncas/current-activity/2017/03/09/Google-Releases-Security-Update-Chrome ] 03/09/2017 05:46 PM EST
Original release date: March 09, 2017
Google has released Chrome version 57.0.2987.98 for Windows, Mac, and Linux. This version addresses multiple
vulnerabilities that, if exploited, may allow an...
Apache Software Foundation Releases Security Updates
US-CERT (Mar 08)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Apache Software Foundation Releases Security Updates [ https://www.us-cert.gov/ncas/current-activity/2017/03/08/Apache-Software-Foundation-Releases-Security-Updates ] 03/08/2017 06:32 PM EST
Original release date: March 08, 2017
The Apache Software Foundation has released security updates to address a vulnerability in Struts 2. A remote attacker
could exploit...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
Re: information about pwn2own Kernel problem
Luedtke, Nicholas (HPE Linux Security) (Mar 22)
Is this an Ubuntu specific issue? Or does it affect the upstream kernels
as well?
Re: information about pwn2own Kernel problem
Tyler Hicks (Mar 22)
Hi Marcus
ZDI disclosed the information to the Ubuntu Security team a little less
than 48 hours ago.
The Ubuntu Kernel team has triaged the issue and came up with a
potential fix. That fix is undergoing internal review and I'll be
disseminating it via the usual channels once that is complete.
Tyler
Multiple Unauthenticated blind SQL injections in Wordpress Plugin Membership Simplified v1.58
Larry W. Cashdollar (Mar 22)
Title: Multiple Unauthenticated blind SQL injections in Wordpress Plugin Membership Simplified v1.58
Author: Larry W. Cashdollar, @_larry0
Date: 2017-03-17
CVE-ID:[CVE-2017-1002009][CVE-2017-1002010]
Download Site: http://membership.officeautopilot.com/get-it-now/
Vendor: http://membership.officeautopilot.com/
Vendor Notified: 2017-03-17
Vendor Contact:...
information about pwn2own Kernel problem
Marcus Meissner (Mar 22)
Hi,
Has anyone any more information on the pwn2own Ubuntu Kernel issue?
CVE-2017-7184
Ciao, Marcus
Re: elfutils: memory allocation failure in allocate_elf (common.h)
Agostino Sarubbo (Mar 22)
This is CVE-2016-10254
Re: elfutils: memory allocation failure in __libelf_set_rawdata_wrlock (elf_getdata.c)
Agostino Sarubbo (Mar 22)
This is CVE-2016-10255
subscription-manager: CVE-2017-2663 unsafe dbus interface
Cedric Buissart (Mar 21)
Hi,
CVE-2017-2663 has been assigned for the following issue :
Subscription-manager's new DBus interface provides methods that can be used
for malicious usage. It allows an unprivileged local user to have access to
information known to root only, and/or to modify subscription-manager
configuration file, allowing, for example, privilege escalation.
-> Upstream patch :
* Lock down Facts object to be accessible to root only....
Jenkins plugins -- multiple vulnerabilities
Daniel Beck (Mar 20)
Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software. The following
plugin releases published today contain fixes for security vulnerabilities:
- Active Directory 2.3
- DistFork Plugin 1.6.0
- Email Extension (email-ext) 2.57.1
- Mailer Plugin 1.20
- SSH Slaves 1.15
Users of these plugins should upgrade them to the indicated versions.
Additionally, one plugin...
Two Content Injection vulnerabilities in Wordpress Plugin DTracker v1.5
Larry W. Cashdollar (Mar 20)
Title: Two Content Injection vulnerabilities in Wordpress Plugin DTracker v1.5
Author: Larry W. Cashdollar, @_larry0
Date: 2017-03-08
CVE-ID:[CVE-2017-1002006][CVE-2017-1002007]
Download Site: https://wordpress.org/plugins/dtracker/
Vendor: https://profiles.wordpress.org/dijo/
Vendor Notified: 2017-03-09
Vendor Contact: plugins () wordpress org
Advisory: http://www.vapidlabs.com/advisory.php?v=186
Description: Track the details of the users...
CVE-2017-5644 - Possible DOS (Denial of Service) in Apache POI versions prior to 3.15
Dominik Stadler (Mar 20)
Hi,
Vendor: The Apache Software Foundation
Versions affected: all versions prior to version 3.15
Apache POI in versions prior to release 3.15 allows remote attackers to
cause a denial of service (CPU consumption)
via a specially crafted OOXML file, aka an XML Entity Expansion (XEE)
attack.
Users with applications which accept content from external or untrusted
sources are advised to upgrade to
Apache POI 3.15 or newer.
Thanks to Xiaolong Zhu...
Re: CVE Request: Irssi use after free in netjoin condition (2017/03)
Ailin Nemui (Mar 20)
-------- Forwarded Message --------
From: cve-request () mitre org
Subject: Re: [scr308011] Irssi - 1.0.0, 1.0.1
Date: Mon, 20 Mar 2017 09:14:07 -0400
Use CVE-2017-7191.
--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]
libpcre: invalid memory read in _pcre32_xclass (pcre_xclass.c)
Agostino Sarubbo (Mar 20)
Description:
libpcre is a perl-compatible regular expression library.
A fuzz on libpcre1 through the pcretest utility revealed an invalid memory read. Upstream says that this bug is fixed
by one of the previous commits. However, I'm providing, as usual, the stacktrace and the
reproducer, so if you are not running the latest upstream release, as happens on Debian/RHEL-based distros, you may
want to check the status of this bug more carefully.
The...
libpcre: heap-based buffer overflow in regexflip8_or_16 (pcretest.c)
Agostino Sarubbo (Mar 20)
Description:
libpcre is a perl-compatible regular expression library.
A fuzz on libpcre1 through the pcretest utility revealed a heap overflow in the utility itself. Feedback from upstream
follows.
I am not going to do anything about this one. (a) It is concerned with a feature of pcretest that has been dropped from
pcre2test, and (b) the input contains binary zeros, which are not supported in
pcretest input. This is documented for...
libpcre: two stack-based buffer overflow write in pcre32_copy_substring (pcre_get.c)
Agostino Sarubbo (Mar 20)
Description:
libpcre is a perl-compatible regular expression library.
A fuzz on libpcre1 through the pcretest utility revealed two stack overflow writes. Upstream says that these bugs are
fixed by one of the previous commits. However, I'm providing, as usual, the stacktrace
and the reproducer, so if you are not running the latest upstream release, as happens on Debian/RHEL-based distros,
you may want to check the status of this bug more carefully.
The...
libpcre: invalid memory read in match (pcre_exec.c)
Agostino Sarubbo (Mar 20)
Description:
libpcre is a perl-compatible regular expression library.
A fuzz on libpcre1 through the pcretest utility revealed an invalid read in the library. For those interested in a
detailed description of the bug, feedback from upstream follows:
This was a genuine bug in the 32-bit library. Thanks for finding it. The crash was caused by trying to find a Unicode
property for a code value greater than 0x10ffff, the Unicode maximum,...
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
Silver Bullet 123: Yanek Korff
Gary McGraw (Jul 06)
hi sc-l,
The latest installment of Silver Bullet was posted this morning. Silver Bullet episode 123 features a conversation
with Yanek Korff. Yanek worked for many years at Cigital as a system administrator back in the early days. He then
moved on to operational security work at AOL and running managed security services at Mandiant.
We talk about managing technical people in this episode. We also discuss operational security. Have a...
Educause Security Discussion — Securing networks and computers in an academic environment.
Re: Email Security Product That Supports Customer Entry of Malicious Messages
Davis, Kevin (Mar 22)
Out of curiosity — is anyone using Office 365’s Advanced Threat Protection for URL rewrite and other capabilities, or
compared it to Proofpoint? After some recent phishing we are interested in looking at both solutions but will need to
be very cost-sensitive in whatever we do….
Kevin
Re: Email Security Product That Supports Customer Entry of Malicious Messages
Valdis Kletnieks (Mar 22)
On Wed, 22 Mar 2017 20:39:24 -0000, "Flynn, Gary - flynngn" said:
I presume that breaks any S/MIME or PGP signatures on the mail, correct?
Re: Email Security Product That Supports Customer Entry of Malicious Messages
Pifer, Michael (Mar 22)
Gary;
Like you, we are on Proofpoint, and have had some messages not be identified as phishing early on, and end users being
allowed to visit the site.
I have been able to in all cases submit a ticket to Proofpoint with high priority about the link being a phishing link,
and then have them back trace the users who did click the link and visit the site to follow-up with and pretty quickly
block the site as a phishing site.
Have you submitted...
Re: Email Security Product That Supports Customer Entry of Malicious Messages
Flynn, Gary - flynngn (Mar 22)
Proofpoint and similar solutions rewrite the URLs in email messages before
delivering them to user mailboxes. The rewritten URLs point to the email
security device. When a user clicks the URL, they are taken to the email
security device.
If the email security device has determined that the message or
link is malicious, the user is shown a warning message and blocked from
reaching the original URL destination. Happiness. Go fight some...
Re: Email Security Product That Supports Customer Entry of Malicious Messages
Justin Harwood (Mar 22)
Hi Gary,
Are you saying that you want a product that can block the URLs in the emails that your spam filtering solution didn't
catch and forwarded to your users' mailboxes (without rewriting the emails)? That being said, you have emails in users'
mailboxes that have malicious URLs? If that's the case, I'm not sure if you will find anything like that since the
mailboxes have the email, and are left to put these IPs/DNS into...
Email Security Product That Supports Customer Entry of Malicious Messages
Flynn, Gary - flynngn (Mar 22)
Hi,
We use Proofpoint and most of the time it works great. It has protected us
from major attacks many times.
Its URL rewrite component is missing one feature that would make it much
better. As with any blacklist oriented security product, some malicious
messages get through. Unfortunately, the product does not allow us to teach
our appliance about those messages so it can block the URL and provide us
exposure information.
Is anyone...
Re: Repeat offenders during phishing campaign
Brad Judy (Mar 21)
Small plug – for those going to Educause SPC, there will be a panel session of four of us talking about our experiences
with self-phishing from different institutional perspectives.
My personal take on repeat offenders is that some different educational approach is needed (since the first one didn’t
work). That could be in-person follow-up, or it could be that you create a separate campaign for offenders that lands
them on a different...
Re: Repeat offenders during phishing campaign
Steven Alexander (Mar 21)
Monthly. The idea is to provide continuous reinforcement and help users learn. If you only do it 1-2 times a year,
they aren’t getting that.
Steven Alexander
Director of IT Security
Kern Community College District
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Urrea,
Nick
Sent: Tuesday, March 21, 2017 1:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY]...
Re: Repeat offenders during phishing campaign
Urrea, Nick (Mar 21)
How often would the group suggest a phishing campaign be run? Annual, Bi-Annual?
---
Nicholas Urrea
UC Hastings College of the Law
Director of Information and Network Security
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of James
Valente
Sent: Tuesday, March 21, 2017 1:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Repeat offenders during phishing campaign...
Re: Repeat offenders during phishing campaign
James Valente (Mar 21)
We’ve only run a very small number of simulated phishing attacks but none have captured credentials thus far, so in the
past we haven’t considered them compromised because we’ve lacked the tracking to do so. Because of this, the only users
I’ve considered compromised have been “actual” compromises or leaked credentials.
I’m prepping for a phishing exercise using GoPhish soon and I’ll be capturing usernames for better reporting...
Re: Repeat offenders during phishing campaign
Frank Barton (Mar 21)
James (et al.), when a user falls for a [simulated] phish, do you consider
their account to be compromised? Our procedure for a compromised account is
to immediately lock it down until we have gone through our set of cleaning
checks. This can take some time, and, if an account is compromised outside
of normal hours, we typically lock it out, and then clean the next day.
If this matches your process (at least generally) do you find that the time...
Re: Repeat offenders during phishing campaign
James Valente (Mar 21)
I've inquired about forcing users to attend education training but we're not
allowed to mandate any training like this, especially for faculty.
However, we are allowed to request they attend training. I sent out a bunch
of emails to repeat offenders last week with training material, and a little
note hoping the guilt of the workload created by them falling for a phish
(because they only see the inconvenience of having a password...
Re: Repeat offenders during phishing campaign
Rob Milman (Mar 21)
Thanks Ben,
I have 17 repeat offenders so far (pretty low since we are phishing all our staff). We are using SANS STH Phishing that
does train the clickers on what they should have looked for in the message. The repeat offenders have technically had
that training at least twice and some may have had my more in depth awareness training if I've hit their
school/department in the last year.
Rob
From: The EDUCAUSE Security Constituent Group...
Re: Repeat offenders during phishing campaign
Ben Woelk (Mar 21)
Rob,
Define "small number!" That's going to impact what you can do.
Are the offenders automatically forwarded to learning content about phishing or otherwise notified they've taken the
bait?
Ben Woelk '07 CISSP
ISO Program Manager
Information Security Office
Rochester Institute of Technology
ROS 10-A204
151 Lomb Memorial Drive
Rochester, New York 14623
585.475.4122
585.475.7920 fax
ben.woelk () rit edu<...
Re: Repeat offenders during phishing campaign
McCrary, Barbara (Mar 21)
I find that a discreet discussion one on one with the offenders goes a long way to improving their education. I make
the conversation an indictment against the criminals that cause these concerns and solicit their support and help to
combat the insidious and constant attack on "our" intelligence. Soon I have an ally in the ranks that rather than
falling for the phishing, actually begins reporting them to me.
Then I strengthen the...
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: Americas II Landing Station (Hollywood, Florida).
Christopher Morrow (Mar 22)
don't most of the oceanic cable systems operate basically like:
1) some consortium pays/builds the stations and link(s)
2) that consortium (cabal?) is the only set of providers able to sell on
the link(s)
3) sale on links and provisioning to the links happens away from the
station, and back at 'network pops' owned by the individual consortium
members.
So, if you are a consortium member you already have gear at the station, if
you...
Americas II Landing Station (Hollywood, Florida).
Faisal Imtiaz (Mar 22)
Hello,
I am looking for a contact who may be able to help us with getting more info (on getting space/power) so that we can
terminate our Dark Fiber transport there.
Not sure who is responsible for this facility, most of the Tel# I am finding are disconnected.
Many Thanks in advance.
Regards.
Faisal Imtiaz
Snappy Internet & Telecom
7266 SW 48 Street
Miami, FL 33155
Tel: 305 663 5518 x 232
Help-desk: (305)663-5518 Option 2 or Email:...
Re: Facebook more specific via Level3 ?
Radu-Adrian Feurdean (Mar 22)
Yes, DNS resolvers on our network. Forwarding only for facebook.com and
fbcdn.com, in order to eliminate bad performance associated with "direct
recursion".
Re: Facebook more specific via Level3 ?
Jürgen Jaritsch (Mar 22)
Hi Mike,
I'm running some DNS on my own for a few hundred users from a private
community project. But this issue is also affecting DNS from smaller/other
ISPs which do NOT use any forwarder but the root DNS.
Best regards
Jürgen
Re: Facebook more specific via Level3 ?
Mike Hammett (Mar 22)
Are your DNS resolvers on your network? No DNS forwarding?
-----
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP
----- Original Message -----
From: "Radu-Adrian Feurdean" <nanog () radu-adrian feurdean net>
To: "Jürgen Jaritsch" <juergen () jaritsch at>, "Doug Porter" <dsp () fb com>, nanog () nanog org
Sent: Wednesday, March 22, 2017 5:02:12 AM...
AW: Facebook more specific via Level3 ?
Jürgen Jaritsch (Mar 22)
Hi,
This is exactly what I've implemented yesterday on my end :).
Best regards
Jürgen
-----Original Message-----
From: Radu-Adrian Feurdean [mailto:nanog () radu-adrian feurdean net]
Sent: Wednesday, 22 March 2017 11:02
To: Jürgen Jaritsch <juergen () jaritsch at>; Doug Porter <dsp () fb com>; nanog () nanog org
Subject: Re: Facebook more specific via Level3 ?
Hi, the load-balancing definitely doesn't...
Re: Facebook more specific via Level3 ?
Radu-Adrian Feurdean (Mar 22)
Hi, the load-balancing definitely doesn't choose the *nearest* mirror.
We are in France and unless we do dirty tricks, we *always* get directed
to US sites (as far as LA), with horrible performance. Everything since
end of December. As a consequence we let the dirty tricks in place
(query facebook.com and fbcdn.com on 8.8.8.8 instead of regular
recursive resolving) and we get directed to Frankfurt or Amsterdam
(never London or Paris).
Re: Google G Suite Email Contact
Plamen G Georgiev (Mar 21)
Did you try on their support page
<https://gsuite.google.com/intl/en_ie/support/#connect>?
Re: Facebook more specific via Level3 ?
Doug Porter (Mar 21)
Many of our prefixes are only announced to peers in the metro
they originate in. Please stop obsessing about this detail; it's
not the problem.
We target traffic two ways. One is relatively traditional dns
global load balancing, using the resolver ip. The other
method---which steers the vast majority of our traffic---vends
urls that send people to a specific PoP based on their client ip.
It appears you're having a targeting...
AW: Facebook more specific via Level3 ?
Jürgen Jaritsch (Mar 21)
Hi Luke,
please see https://mailman.nanog.org/pipermail/nanog/2017-March/090658.html ... I did some tests a few min ago and yes,
I'm receiving the 31.13.77.x and 31.13.76.x via DNS for www.facebook.com.
Best regards
Jürgen
-----Original Message-----
From: Luke Guillory [mailto:lguillory () reservetele com]
Sent: Tuesday, 21 March 2017 20:38
To: Jürgen Jaritsch <juergen () jaritsch at>; nanog () nanog org
Subject:...
RE: Facebook more specific via Level3 ?
Luke Guillory (Mar 21)
Are they replying with that subnet via dns when requests are being made?
Luke Guillory
Network Operations Manager
Tel: 985.536.1212
Fax: 985.536.0300
Email: lguillory () reservetele com
Reserve Telecommunications
100 RTC Dr
Reserve, LA 70084
AW: Facebook more specific via Level3 ?
Jürgen Jaritsch (Mar 21)
Hi Doug,
looks like this is also affecting other prefixes:
157.240.3.0/24 *[BGP/170] 18w5d 16:50:37, MED 0, localpref 150
AS path: 3356 32934 I, validation-state: unverified
> to 80.239.128.178 via ae9.0
I understand that FB is using some type of DNS geo-loadbalancing and other
mechanism to redirect users to (possibly) nearer mirrors. The used DNS is
directly requesting the root DNS and not any...
Re: Facebook more specific via Level3 ?
Jürgen Jaritsch (Mar 21)
Hi,
the point is: Level3 is exporting this prefix to the EU since ~1 week
Telia is learning it from Level3 and they also started to re-export it:
Telia Looking Glass
(http://lg.telia.net/?query=bgp&protocol=IPv4&addr=31.13.71.0/24+exact&router=Vienna)
Command: show route protocol bgp 31.13.71.36 table inet.0
31.13.71.0/24 *[BGP/170] 18w5d 16:40:16, MED 0, localpref 150
AS path: 3356 32934 I,...
Re: Facebook more specific via Level3 ?
Doug Porter (Mar 21)
This specific, and many others, are only announced to peers in the
metro they originate in. To receive this prefix directly you'll
need to peer with us in Los Angeles.
It appears you're in Austria though, which means there's likely
no use in you peering with us in LA. We globally load balance
people to the best point of presence. You shouldn't see much, if
any, traffic to or from the above prefix.
Please reach out to noc...
Re: Facebook more specific via Level3 ?
Jay Nakamura (Mar 21)
I see that specific route on both of my upstreams, and it's not going through Level
3.
Network Next Hop MED LocPrf Weight Path
*>x 31.13.70.0/24 x.x.x.x 0 80 0 6461 32934 i
*i 31.13.70.0/24 x.x.x.x 0 80 0 209 32934 i
* 31.13.70.0/24 x.x.x.x 10 80 0 209 32934 i
On Tue, Mar 21, 2017 at 12:56 PM, Jürgen Jaritsch <juergen () jaritsch...
Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating
AT&T pulls Google, YouTube ads over extremist videos
Dave Farber (Mar 22)
Begin forwarded message:
> From: Lauren Weinstein <lauren () vortex com>
> Date: March 22, 2017 at 2:40:03 PM EDT
> To: nnsquad () nnsquad org
> Subject: [ NNSquad ] AT&T pulls Google, YouTube ads over extremist videos
>
>
> AT&T pulls Google, YouTube ads over extremist videos
>
> http://www.usatoday.com/story/tech/news/2017/03/22/att-pulls-google-youtube-ads-over-offensive-content/99497194/
>
>...
Two major US technology firms 'tricked out of $100m'
Dave Farber (Mar 22)
Begin forwarded message:
> From: Mohammad Irshid <w () moeirs com>
> Date: March 22, 2017 at 12:55:01 PM EDT
> To: ip <ip () listbox com>, dave () farber net
> Subject: Two major US technology firms 'tricked out of $100m'
>
> http://www.bbc.com/news/technology-39351215
>
> A Lithuanian man has been charged with tricking two US technology firms into wiring him $100m (£80.3m) through an
> email...
What Prompted the Electronic Devices Ban
Dave Farber (Mar 22)
Begin forwarded message:
> From: Gene Spafford <spaf () purdue edu>
> Date: March 22, 2017 at 1:27:54 PM EDT
> To: ip () listbox com
> Cc: Dave Farber <dave () farber net>
> Subject: What Prompted the Electronic Devices Ban
>
> This gives a less political take on the electronic device ban, along with some history and discussion of in-flight
> explosive devices.
>
>...
WIRED: Inside the Hunt for Russia’s Most Notorious Hacker
Dave Farber (Mar 22)
---------- Forwarded message ---------
From: Allan Davidson <alland () soundbytesradio com>
Date: Wed, Mar 22, 2017 at 4:21 AM
Subject: Fwd: WIRED: Inside the Hunt for Russia’s Most Notorious Hacker
To: Dave Farber <dave () farber net>
Hi Dave — for IP?
*https://www.wired.com/2017/03/russian-hacker-spy-botnet/
<https://www.wired.com/2017/03/russian-hacker-spy-botnet/>*
Begin forwarded message:
*From: *Allan Davidson...
Ban on Electronic Devices on Planes from Muslim-Majority Countries Originated with Information Gleaned in Raid in Yemen
Dave Farber (Mar 22)
---------- Forwarded message ---------
From: <jonathan.spira () accuramediagroup com>
Date: Wed, Mar 22, 2017 at 1:45 AM
Subject: Ban on Electronic Devices on Planes from Muslim-Majority Countries
Originated with Information Gleaned in Raid in Yemen
To: dfarber <dave () farber net>
Dave
Of possible interest to IPers
*Ban on Electronics Originated with Information Gleaned in Raid in Yemen*
<...
Re Airline Electronics Ban Is Protectionism, Not Security | Sascha Segan | PCMag.com
Dave Farber (Mar 22)
---------- Forwarded message ---------
From: Abe Singer <abe () oyvay nu>
Date: Tue, Mar 21, 2017 at 9:29 PM
Subject: Re: [IP] Re Airline Electronics Ban Is Protectionism, Not Security
| Sascha Segan | PCMag.com
To: Dave Farber <dave () farber net>
Inconvenience aside, this requirement imposes a risk to all who check
their laptops. The opportunities for theft from luggage have skyrocketed
since TSA required all luggage to be...
A retired police chief is detained at JFK for one reason: His name is Hassan
Dave Farber (Mar 21)
---------- Forwarded message ---------
From: Dewayne Hendricks <dewayne () warpspeed com>
Date: Tue, Mar 21, 2017 at 5:34 PM
Subject: [Dewayne-Net] A retired police chief is detained at JFK for one
reason: His name is Hassan
To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
A retired police chief is detained at JFK for one reason: His name is Hassan
By Petula Dvorak
Mar 20 2017
<...
Re Airline Electronics Ban Is Protectionism, Not Security | Sascha Segan | PCMag.com
Dave Farber (Mar 21)
---------- Forwarded message ---------
From: Malin, Bradley A <b.malin () vanderbilt edu>
Date: Tue, Mar 21, 2017 at 3:34 PM
Subject: RE: [IP] Re Airline Electronics Ban Is Protectionism, Not Security
| Sascha Segan | PCMag.com
To: dave () farber net <dave () farber net>
Not to forget that Etihad and Turkish Airways consistently ranked at the
top of the world’s best airlines, often with American spokesmen (um… Kobe
Bryant!)....
Re Airline Electronics Ban Is Protectionism, Not Security | Sascha Segan | PCMag.com
Dave Farber (Mar 21)
Begin forwarded message:
> From: "Bob Frankston" <bob19-0501 () bobf frankston com>
> Date: March 21, 2017 at 3:18:14 PM EDT
> To: dave () farber net, " 'ip'" <ip () listbox com>
> Subject: RE: [IP] Airline Electronics Ban Is Protectionism, Not Security | Sascha Segan | PCMag.com
>
> I notice Ataturk is on the list. This is a major hub for world travel and
> cripples Turkish...
[IP]
DAVID FARBER (Mar 21)
Hearing Wednesday: EFF Testifying Before House Committee That Use of Facial Recognition by Law Enforcement Poses
Critical Threat to Privacy
One Out of Two Americans Already in a Face Recognition Database Accessible to Law Enforcement
WASHINGTON, D.C.—On Wednesday, March 22, Electronic Frontier Foundation (EFF) Senior Staff Attorney Jennifer Lynch will
testify at a hearing before the House Committee on Oversight and Government Reform about...
Re Experts criticize US electronic devices ban on some flights from Middle East
Dave Farber (Mar 21)
Begin forwarded message:
> From: Mohammad Irshid <him () moeirs com>
> Date: March 21, 2017 at 12:32:10 PM EDT
> To: ip <ip () listbox com>
> Cc: dave () farber net, dewayne () warpspeed com
> Subject: Re: [IP] Experts criticize US electronic devices ban on some flights from Middle East
>
> They have a valid point to ban such devices (and a valid fear), if and only if, threats mentioned are real and they
>...
Airline Electronics Ban Is Protectionism, Not Security | Sascha Segan | PCMag.com
Dave Farber (Mar 21)
http://www.pcmag.com/commentary/352511/airline-electronics-ban-is-protectionism-not-security
MIT Media Lab experiment on propagation of civic activities through personal networks
Dave Farber (Mar 21)
Begin forwarded message:
> From: Chunka Mui <chunka.mui () devilsadvocategroup com>
> Date: March 21, 2017 at 9:56:04 AM EDT
> To: Dave Farber <farber () gmail com>
> Subject: MIT Media Lab experiment on propagation of civic activities through personal networks
>
> Dave,
>
> IP’ers may be interested in participating in an experiment launched by Andy Lippman and his colleagues at the MIT Media
> Lab to...
Experts criticize US electronic devices ban on some flights from Middle East
Dave Farber (Mar 21)
Begin forwarded message:
> From: Dewayne Hendricks <dewayne () warpspeed com>
> Date: March 21, 2017 at 9:14:29 AM EDT
> To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
> Subject: [Dewayne-Net] Experts criticize US electronic devices ban on some flights from Middle East
> Reply-To: dewayne-net () warpspeed com
>
> Experts criticize US electronic devices ban on some flights from Middle East...
Why Radical Deregulation Is Happening So Fast At The FCC
Dave Farber (Mar 21)
---------- Forwarded message ---------
From: Dewayne Hendricks <dewayne () warpspeed com>
Date: Tue, Mar 21, 2017 at 7:37 AM
Subject: [Dewayne-Net] Why Radical Deregulation Is Happening So Fast At The
FCC
To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
Why Radical Deregulation Is Happening So Fast At The FCC
By Andrew Jay Schwartzman
Mar 19 2017
<...
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 30.19
RISKS List Owner (Mar 21)
RISKS-LIST: Risks-Forum Digest Tuesday 21 March 2017 Volume 30 : Issue 19
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.19>
The current issue can also be...
Risks Digest 30.18
RISKS List Owner (Mar 15)
RISKS-LIST: Risks-Forum Digest Wednesday 15 March 2017 Volume 30 : Issue 18
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.18>
The current issue can also be...
Risks Digest 30.17
RISKS List Owner (Mar 04)
RISKS-LIST: Risks-Forum Digest Saturday 4 March 2017 Volume 30 : Issue 17
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.17>
The current issue can also be...
Risks Digest 30.16
RISKS List Owner (Feb 26)
RISKS-LIST: Risks-Forum Digest Sunday 26 February 2017 Volume 30 : Issue 16
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.16>
The current issue can also be...
Risks Digest 30.15
RISKS List Owner (Feb 21)
RISKS-LIST: Risks-Forum Digest Tuesday 21 February 2017 Volume 30 : Issue 15
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.15>
The current issue can also...
Risks Digest 30.14
RISKS List Owner (Feb 17)
RISKS-LIST: Risks-Forum Digest Friday 17 February 2017 Volume 30 : Issue 14
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.14>
The current issue can also be...
Risks Digest 30.13
RISKS List Owner (Feb 07)
RISKS-LIST: Risks-Forum Digest Tuesday 7 February 2017 Volume 30 : Issue 13
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.13>
The current issue can also be...
Risks Digest 30.12
RISKS List Owner (Feb 01)
RISKS-LIST: Risks-Forum Digest Wednesday 1 February 2017 Volume 30 : Issue 12
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.12>
The current issue can also...
Risks Digest 30.11
RISKS List Owner (Jan 28)
RISKS-LIST: Risks-Forum Digest Saturday 28 January 2017 Volume 30 : Issue 11
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.11>
The current issue can also...
Risks Digest 30.10
RISKS List Owner (Jan 22)
RISKS-LIST: Risks-Forum Digest Sunday 22 January 2017 Volume 30 : Issue 10
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.10>
The current issue can also be...
Risks Digest 30.09
RISKS List Owner (Jan 17)
RISKS-LIST: Risks-Forum Digest Tuesday 17 January 2017 Volume 30 : Issue 09
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.09>
The current issue can also be...
Risks Digest 30.08
RISKS List Owner (Jan 10)
RISKS-LIST: Risks-Forum Digest Tuesday 10 January 2017 Volume 30 : Issue 08
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.08>
The current issue can also be...
Risks Digest 30.07
RISKS List Owner (Jan 08)
RISKS-LIST: Risks-Forum Digest Sunday 8 January 2017 Volume 30 : Issue 07
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.07>
The current issue can also be...
Risks Digest 30.06
RISKS List Owner (Dec 30)
RISKS-LIST: Risks-Forum Digest Friday 30 December 2016 Volume 30 : Issue 06
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.06>
The current issue can also be...
Risks Digest 30.05
RISKS List Owner (Dec 26)
RISKS-LIST: Risks-Forum Digest Monday 26 December 2016 Volume 30 : Issue 05
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.05>
The current issue can also be...
BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.
5 Cybersecurity Strategies Businesses Need to Implement in 2017
Audrey McNeil (Mar 22)
http://tech.co/5-cybersecurity-business-strategies-2017-03
Despite the prominence of cyber-attacks nationally, from
politics to healthcare, most companies are doing little to protect
themselves from hackers. According to Symantec, there were more than 429
million identities exposed in 2015 alone. Companies are at a higher risk of
breaches now more than ever – 2016 breaches increased 40 percent from the
last year.
If a business is hacked the...
Companies Must Be More Transparent About Security Moving Forward
Audrey McNeil (Mar 22)
https://cloudtweaks.com/2017/03/companies-transparent-security/
You may remember, Home Depot was affected by a sizeable data breach in
2014. The incident is widely considered one of the largest point-of-sale
heists of all time because over 56 million credit cards were involved, read
and compromised. Needless to say, it led to an unprecedented amount of
customers affected by such a breach.
Home Depot became aware of the breach in early September...
What should password managers not do? Leak your passwords? What a great idea, LastPass
Audrey McNeil (Mar 22)
https://www.theregister.co.uk/2017/03/21/lastpass_vulnerabilities/
Password vault LastPass has patched critical security flaws that malicious
websites could exploit to steal millions of victims' passphrases.
The programming cockup was spotted by Tavis Ormandy, a white-hat hacker on
Google's crack Project Zero security team. He found that the LastPass
Chrome extension had an exploitable content script that evil webpages could
attack to...
Shift your perspective on cybercrime to realize how well you’re doing
Audrey McNeil (Mar 22)
http://www.csoonline.com/article/3183456/leadership-management/shift-your-perspective-on-cybercrime-to-realize-how-well-you-re-doing.html
A report recently surfaced placing the global impact of cybercrime at a
staggering $450B. Naturally, it pressed on the tender wound and supplied
further evidence that we are woefully unprepared, globally, to tackle such
a complex challenge.
In 2016 "cybercrime cost the global economy over $450 billion,...
Is Your Business Insuring Cyber Risks?
Audrey McNeil (Mar 21)
http://www.themetropreneur.com/columbus/insuring-cyber-risks/
What cyber risks is your company exposed to and what insurance options are
available? How much of your customers’ or clients’ personal financial or
health information is stored in electronic form in your company’s computer
systems?
As you collect more pieces of electronic information, the risks of that
information falling into the wrong hands can also increase. This is...
Data breaches: Playing by a new set of rules?
Audrey McNeil (Mar 21)
https://www.helpnetsecurity.com/2017/03/16/data-breaches-new-rules/
Tell me, what’s your response when you hear that a company that was
breached is now losing customers? I suppose it’s at this point the word
reasonable makes an appearance. Whether this is the regulator, or in fact
data subjects whose personal data is now being packaged and sold to
identity thieves.
The key question is whether the company who lost all that data took...
McShame: McDonald's API Leaks Data for 2.2 Million Users
Audrey McNeil (Mar 21)
http://www.databreachtoday.com/blogs/mcshame-mcdonalds-api-leaks-data-for-22-million-users-p-2426
Things are getting messy at McDonald's in India, and that's not just for
consumers of the Maharaja Mac - a double-stacked grilled chicken
monstrosity with jalapenos and habanero sauce.
McDonald's has acknowledged that a leaky API exposed personal information
for users of its McDelivery mobile app in India. The flaw, found by...
How cyberattacks can cost your business if you’re not protected
Audrey McNeil (Mar 21)
http://www.bizjournals.com/sanantonio/news/2017/03/20/how-cyberattacks-can-cost-your-business-if-you-re.html
Technology plays a critical role in everyday life and is a part of
everything we do — from the way we socialize to the way we conduct
business. As we progress and move forward, so does technology,
unfortunately, leaving us vulnerable to potential cyber risks.
Hackers have become some of the most dangerous criminals in the business...
Cyber insurance: What and why?
Audrey McNeil (Mar 21)
https://www.helpnetsecurity.com/2017/03/20/cyber-insurance/
High-profile cyber-attacks are fast becoming the norm in modern society,
with 2016 being arguably the worst year for major security breaches.
National Crime Agency statistics released earlier in the year reinforced
this, revealing how last year saw cybercrime overtake more traditional
forms of crime in the UK for the first time.
Logic suggests that this trend is only progressing in one...
Decoding The Minds Of Hackers
Audrey McNeil (Mar 21)
http://www.huffingtonpost.co.uk/chris-pogue/decoding-the-minds-of-hac_b_15421486.html
When I became an officer with the US Army, I was expected to give orders.
Ensuring I gave the right ones meant that I needed to question everything,
and gather as much information as I could in order to come up with the best
possible solution based on the information I had. This was the only way I
could make decisions that would provide the greatest likelihood...
How Cybersecurity Affects the Evolving Healthcare CISO Role
Audrey McNeil (Mar 20)
http://healthitsecurity.com/news/how-cybersecurity-affects-the-evolving-healthcare-ciso-role
March 14, 2017 - The healthcare C-suite continues to evolve, along with the
increasingly complex cybersecurity threats. Healthcare CISOs must now have
knowledge in many areas, and understand just how far data breach
repercussions can go.
The Chief Information Security Officer (CISO) role has greatly increased
over the past few years, according to...
The Impact of the Vault 7 Breach Will Be with Us for Years
Audrey McNeil (Mar 20)
https://dzone.com/articles/the-impact-of-the-vault-7-breach-will-be-with-us-f
It’s safe to say that the security teams at the US Central Intelligence
Agency are busy assessing the damage to their cyber surveillance
capabilities now that Wikileaks has dumped what is believed to be the
Agency’s hacker toolkit into the wild. For any Nation-State, it’s a
devastating event to have their secret weapons suddenly made public for all
to see and...
Cobol plays major role in U.S. government breaches
Audrey McNeil (Mar 20)
http://www.computerworld.com/article/3181809/government-it/cobol-plays-major-role-in-us-government-breaches.html
New research is turning on its head the idea that legacy systems -- such as
Cobol and Fortran -- are more secure because hackers are unfamiliar with
the technology.
New research found that these outdated systems, which may not be encrypted
or even documented, were more susceptible to threats.
By analyzing publicly available federal...
Embrace the Machine & Other Goals for CISOs
Audrey McNeil (Mar 20)
http://www.darkreading.com/threat-intelligence/embrace-the-machine-and-other-goals-for-cisos/a/d-id/1328433
Depending on how you look at it, the past year was either tough for
security professionals or it showed the world how complex and interesting
this field really is. After all, we're not working to identify some
deterministic software bug — we're combatting real adversaries who are
constantly testing our defenses.
Like many of...
How to protect your business from cyber-attack
Audrey McNeil (Mar 20)
https://www.standardmedia.co.ke/business/article/2001233062/how-to-protect-your-business-from-cyber-attack
The digital age, which brought the world ever closer to trade, innovation
and accountability, has also brought new and dangerous cyber threats that
do not recognise borders and cost businesses as much as US$525 billion
every single year, according to UK officials. SMEs are not immune to cyber
security attacks; any data loss or incident...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
nullcon se7en CFP is open
nullcon (Aug 25)
Dear Friends,
Welcome to nullcon se7en!
$git commit -a <sin>
<sin> := wrath | pride | lust | envy | greed | gluttony | sloth
nullcon is an annual security conference held in Goa, India. The focus
of the conference is to showcase the next generation of offensive and
defensive security technology. We happily open doors to researchers
and hackers around the world working on the next big thing in security
and request...
Ruxcon 2015 Final Call For Presentations
cfp (Jul 05)
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of September, 2015.
.[x]. About Ruxcon .[x]....
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Adding decryption keys at "runtime" (dissection time)
Michael Mann (Mar 21)
There are currently two outstanding patches (https://code.wireshark.org/review/20585 and
https://code.wireshark.org/review/20656) that want to modify a UAT at runtime for additional decryption
keys/information found during dissection. In this case the UAT is providing all of the "static" keys, but apparently
these dissectors can have some at runtime too. Are there currently dissectors that handle such a case so these patches
can...
Re: cannot install - damaged .pkg - OSX 2.2.5 & 2.1.1
Guy Harris (Mar 21)
...
That sounds as if your *system* is damaged; when Installer starts up, the run-time linker is trying to load a library
at run time, but the library isn't on your system.
On my macOS Sierra system, Installer does refer to that library:
$ otool -L /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer | egrep Java...
Re: cannot install - damaged .pkg - OSX 2.2.5 & 2.1.1
Graham Bloice (Mar 21)
Have you checked the integrity of the installers you downloaded?
The file hashes for the 2.2.5 installers can be found here:
https://www.wireshark.org/download/SIGNATURES-2.2.5.txt
cannot install - damaged .pkg - OSX 2.2.5 & 2.1.1
f1rstango (Mar 21)
Hi, I tried to install the latest two OSX versions of Wireshark from your website, but when I clicked on either .pkg,
Installer quit. So I tried Unarchiver, which extracted the files but wouldn’t open the .pkg’s inside. A popup said
the files are damaged and they should be moved to the trash.
What do I do next? Here is a copy of the Installer report:
Process: Installer [4395]
Path:...
Re: Indicating dependencies between Gerrit changes
Peter Wu (Mar 20)
That was already done in this case, but since there were no merge
conflicts and Gerrit is not configured to follow the patch order, it was
possible that the patch got cherry-picked without merging the base
patches first.
If that is not configurable for each patch, separately, maybe I should
post a comment next time?
How to capture packets on a remote machine?
Shiyao Ma (Mar 19)
Hi,
On my local side, wireshark (latest) is running on macOS 10.12.
On the remote machine, debian (sid), the package wireshark (2.2.5) is
installed.
I tried using the "ssh remote capture".
But wireshark errs:
"Capturing from a pipe doesn't support pcapng format."
How to solve that?
Regards.
Indicating dependencies between Gerrit changes
Guy Harris (Mar 18)
It looks as if there's a way in Gerrit to say "this change depends on this other change":
https://www.mediawiki.org/wiki/Gerrit/Advanced_usage#Create_a_dependency
Re: MPEG2-TS, DVB-SI, and DVB-GSE Dissectors
Jaap Keuter (Mar 18)
Post here? No, submit to Gerrit: https://code.wireshark.org/review
Why? because: https://wiki.wireshark.org/Development/Workflow
With more detail here: https://wiki.wireshark.org/CreatingPatches and here:
https://wiki.wireshark.org/Development/SubmittingPatches
Regards,
Jaap
Re: MPEG2-TS, DVB-SI, and DVB-GSE Dissectors
Paul Williamson (Mar 18)
That's correct. The original authors were apparently only interested in
dissecting GSE, and that was consistent with my use cases, so I left it
that way.
I don't know much about MPEG2-TS. I assume you'd mostly want to dissect the
logical channels that carry IP packets. I'm guessing there isn't much
utility in a detailed dissection of audio or video channels.
I think factoring GSE out makes sense if you can cleanly...
Re: MPEG2-TS, DVB-SI, and DVB-GSE Dissectors
Alexander Adolf (Mar 18)
Hello Martin,
Good seeing you again! I believe to remember it was the meeting in Munich?
You did indeed. ;)
Which I hadn't expected anyway.
I'm studying this at the moment. But there's always the moment when you're convinced you had followed all instructions
meticulously, but it still won't work. That's when a little hint from a more experienced developer comes handy.
Sounds like a plan. My first patch should...
Re: MPEG2-TS, DVB-SI, and DVB-GSE Dissectors
Alexander Adolf (Mar 18)
Hello Paul,
Many thanks for your swift response, and apologies for the delay in getting back to you.
Glad you found the hint useful. ;-)
As I'm the editor of these docs, please don't hesitate to drop me any questions. I'm happy to assist wherever I can.
Adding the reassembly seems like a good starting point. Happy to look into this.
I've briefly looked at packet-dvb-s2-bb.c, and it seems it does BBFrame as well as some...
Re: Filtering on (negated) frame.time_relative filters out wrong frame.number
Miroslav Rovis (Mar 18)
I made the follow-up:
http://www.croatiafidelis.hr/foss/cap/cap-170313-git-devuan-mail/git-devuan-mail-3.php
but reading it from top is huge excess and impertinent to point the
developers to, so I'm writing this notice about it. :-)
Pls. just find (somewhere in the middle of the page):
$ tshark -o "ssl.keylog_file: dump_170317_0928_g0n_SSLKEYLOGFILE.txt" -r \
dump_170317_0928_g0n.pcap -Y \
'(!(frame.time_relative...
Capture code in GUIs replicated
Joerg Mayer (Mar 18)
Hello,
is anyone who understands both GUIs willing to unify the capture code
common to ui/gtk/capture_dlg.c:insert_new_rows() and
ui/qt/manage_interfaces_dialog.cpp:addRemoteInterfaces()?
Found this while playing with bug 13448.
Thanks
Jörg
Re: Filtering on (negated) frame.time_relative filters out wrong frame.number
Miroslav Rovis (Mar 17)
Posted:
The Test Sample for the (Imaginary or Not) Bug
http://www.croatiafidelis.hr/foss/cap/cap-170313-git-devuan-mail/git-devuan-mail-2.php
And I haven't done the testing yet. This is all preparation for what I
tested (and named the thread title by) at:
Filtering on (negated) frame.time_relative
https://www.wireshark.org/lists/wireshark-users/201703/msg00030.html
Now that needs to be done on this complete capture. Just this time,
since...
Re: R13 S1AP message "Reroute NAS Request" is not decoding completely using 2.3.0
Pascal Quantin (Mar 17)
2017-03-17 17:48 GMT+01:00 Pascal Quantin <pascal.quantin () gmail com>:
Fix under review here: https://code.wireshark.org/review/#/c/20595/
Regards,
Pascal.
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Snort doesn't pass traffic
tantioification . (Mar 22)
Hi,
I have configured my snort as IPS with this instruction
http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/.
But I have a problem with my snort network configuration: my snort can't
pass the traffic properly. I have configured it like in that instruction, but
no traffic can pass in my network. What is wrong with my network
configuration? This is my network bridge configuration:
# The First bridged interface
auto...
Re: Using snort -r for default detection against 1000s of PCAPs
Victor Roemer (Mar 22)
For (2) add |--daq pcap| to the command line options.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Re: Using snort -r for default detection against 1000s of PCAPs
Al Lewis (allewi) (Mar 22)
You need to pass in a config file with “-c”
Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com
Using snort -r for default detection against 1000s of PCAPs
Jeremy Gin (Mar 22)
Hello,
I am completely new to Snort and I am using it in a research project in
which I am calculating detection rates and resource usage of Snort out of
the box against 8-10 attacks captured in >1000 PCAPs that I have created in
my lab environment.
Based on my understanding of Snort’s documentation, I need to use the
“snort -r <name>.pcap” command. I like this command because it seems easily
scriptable in Python: run the command,...
Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM
Stanford Prescott (Mar 22)
I have no experience with systemd. My firewall distro that snort is
installed on doesn't use it. However, your error message indicates that
snort thinks SNORT.sock is in */etc/snort/rules* rather than
*/etc/snort/rules/iplists*. Also, my SNORT.sock has owner nobody.nobody and
permissions of 0770. When I tried to have SNORT.sock be "root", snort could
not connect to the socket.
My config -cs_dir: statement in snort.conf does not...
Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM
Robert Kudyba (Mar 22)
Ah yes I changed it to:
config cs_dir: /etc/snort/rules/iplists/
So snort starts when using the snort command but not via systemd. Still errors about the SNORT.sock file. When the file
exists (I simply did a ‘touch’ command and made sure permissions were 777 and owned by snort) this happens:
Mar 22 14:16:12 twiki.cis.fordham.edu systemd[1]: Started Snort NIDS Daemon.
Mar 22 14:16:13 twiki.cis.fordham.edu snort[19194]: ERROR: Control...
Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM
Stanford Prescott (Mar 22)
I don't have access to my snort.conf atm, but I believe you just put the
directory for SNORT.sock. I may have misled by saying path, but I believe
it is just the directory for the config. statement.
Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM
Robert Kudyba (Mar 22)
No but I just added it:
config cs_dir: /etc/snort/rules/iplists/SNORT.sock
pulledpork.pl -v -c /etc/snort/pulledpork.conf
[…]
Writing Blacklist File /etc/snort/rules/iplists/default.blacklist....
Writing Blacklist Version 842490936 to /etc/snort/rules/iplistsIPRVersion.dat....
Issuing reputation socket reload command
Command: /usr/bin/snort_control /etc/snort/rules/iplists 1361
Unable to connect to UNIX socket at...
Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM
Stanford Prescott (Mar 22)
Did you tell snort where the path to the control socket is in snort.conf?
*config cs_dir: <path/to/snort control socket>*
Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM
Stanford Prescott (Mar 22)
I encountered this when trying to get the snort_control socket to load the
reputation blacklist using pulledpork. The issue I had was that the
SNORT.sock socket was not in the same directory as the reputation lists
directory. Once I directed the SNORT.sock to be in the reputation lists
directory, it seemed to load without errors.
Also, you need to tell snort where snort_control is in snort.conf or on the
command line. I put it in snort.conf...
Re: Abnormal JPEG file detection rule
rmkml (Mar 21)
Dear Demantos,
Could you share a pcap for testing/replay ?
Could you test by adding "flowbits:unset,jpeg_detect" on sid 10000007 ?
Best Regards
@Rmkml
----- Mail original -----
De: "Jim McKibben" <jmckibben () riskanalytics com>
À: "demantos(Cho Hoon)" <demantos () gmail com>
Cc: "snort-sigs" <snort-sigs () lists sourceforge net>
Envoyé: Mardi 21 Mars 2017 13:44:01
Objet: Re:...
Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM
Robert Kudyba (Mar 21)
We're using the Fedora RPM via dnf, PulledPork v0.7.3, and when running:
pulledpork.pl -c /etc/snort/pulledpork.conf
This appears:
Issuing reputation socket reload command
Unable to connect to UNIX socket at /etc/snort/rules/iplists/SNORT.sock: Connection refused
I just posted this on GitHub <https://github.com/shirkdog/pulledpork/issues/255> but wanted to see if this is a known
issue and/or a work-around available....
Re: Snort Subscriber Rules Update 2017-03-21
Joel Esler (jesler) (Mar 21)
All of those people have been removed from the list. Thanks Nathan for attempting to educate.
Re: Snort Alert Processing Survey
Gregory (Greg) Nowicki (Mar 21)
Snort/Sguil/Sancp/Barnyard/Mysql, etc.
Greg
Re: FW: Snort Subscriber Rules Update 2017-03-21
Hamer, Cyprille (Mar 21)
ALREADY DONE WITHOUT SUCCESS => still receiving the e-mail.
-----Original Message-----
From: lists () packetmail net [mailto:lists () packetmail net]
Sent: Tuesday, March 21, 2017 3:09 PM
To: Snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] FW: Snort Subscriber Rules Update 2017-03-21
You should remove yourselves via these methods below, which appear in the E-Mail
headers of the mailing list messages:
List-Unsubscribe: <...