SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.
New VA Modules: OpenVAS: 4, Nessus: 12
New VA Module Alert Service (May 24)
This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.
== OpenVAS plugins (4) ==
r16437 2013/gb_pcoweb_default_root_password.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/2013/gb_pcoweb_default_root_password.nasl?root=openvas&view=markup
CAREL pCOWeb Default root Password
r16437 2013/gb_multiple_dvr_dir_traversal_05_2013.nasl...
[NSE] SSL certificate chain and verification
Patrik Karlsson (May 24)
Hi,
The attached patch is an attempt to add the SSL certificate chain and a
potential warning generated upon cert verification to the cert NSE table.
It also updates the ssl-cert script to output the chain and any warning
received. Running against a server with a self-signed cert should now
generate a warning, while running against a site signed by a trusted CA
should not.
In the event you find that this works, is useful and want it committed I...
New VA Modules: OpenVAS: 2, Nessus: 18
New VA Module Alert Service (May 23)
This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.
== OpenVAS plugins (2) ==
r16419 2013/gb_nginx_http_parse_bof_vuln.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/2013/gb_nginx_http_parse_bof_vuln.nasl?root=openvas&view=markup
Nginx Chunked Transfer Encoding Stack Based Buffer Overflow
Vulnerability
r16419...
Re: New VA Modules: Nessus: 13
Edson Ticona (May 23)
On 14/05/2013 04:57, "New VA Module Alert Service" <postmaster () insecure org>
wrote:
Re: [NSE] IKE information extraction
Jesper Kückelhahn (May 22)
Hi Patrik,
I guess I missed your point about using a mutex; I initially didn't think
about implementing it in the ike lib, which makes more sense. I've attached
a patch against SVN that includes mutex. Thanks again for the pointer.
I've also attached an updated ike-info.nse that extracts more information,
specifically the use of aggressive mode authentication and pre-shared
keys (CVE-2002-1623).
- Jesper
New VA Modules: OpenVAS: 29, Nessus: 7
New VA Module Alert Service (May 22)
This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.
== OpenVAS plugins (29) ==
r16404 865620 2013/gb_fedora_2013_7128_tinc_fc17.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/2013/gb_fedora_2013_7128_tinc_fc17.nasl?root=openvas&view=markup
Fedora Update for tinc FEDORA-2013-7128
r16404 870997 2013/gb_RHSA-2013_0827-01_openswan.nasl...
Re: [NSE] IKE information extraction
Jesper Kückelhahn (May 21)
Hi Patrik,
I've looked a bit more into this, and using a mutex scheme requires that the two scripts (version detection and
information extraction) set the mutex. This would solve the problem of both these scripts trying to bind to UDP 500,
but would require other scripts binding to this port to also use this mutex, which could lead to transparency issues.
Would it make more sense to extend the 'bind' method of new_socket,...
New VA Modules: Nessus: 14
New VA Module Alert Service (May 21)
This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.
== Nessus plugins (14) ==
66520 opera_check_adobe_reader_enabled.nasl
http://nessus.org/plugins/index.php?view=single&id=66520
Adobe Reader Enabled in Browser (Opera)
66519 firefox_check_adobe_reader_enabled.nasl
http://nessus.org/plugins/index.php?view=single&id=66519
Adobe Reader Enabled in Browser (Mozilla Firefox)...
Re: [NSE] IKE information extraction
Jesper Kückelhahn (May 21)
Hi Patrik,
Thanks for the pointer. I'll look into using this for the script.
- Jesper
Re: [NSE] IKE information extraction
Jesper Kückelhahn (May 21)
Hi Anne,
Thank you for your interest in testing the script. Unfortunately I don't
have any systems available for testing purposes, but if you find any I'd be
very interested in any feedback.
- Jesper
Re: nmaprc.lua?
Fyodor (May 21)
Good point! I added this to the list of nmaprc ideas at
https://svn.nmap.org/nmap/todo/nmap.txt
Cheers,
Fyodor
Re: [NSE] IKE information extraction
Patrik Karlsson (May 21)
Jesper,
I don't think there is a way to tell if the port is in use or not but if
you want to avoid that the scripts run at the same time you could use a
mutex. There is some more information here:
http://nmap.org/book/nse-parallelism.html
/Patrik
On Mon, May 20, 2013 at 6:38 PM, Jesper Kückelhahn <dev.kyckel () gmail com> wrote:
Nmap IPC facilities?
Jacek Wielemborek (May 20)
Hi,
I recently had an idea and I thought it'd be nice to get some feedback
from you guys. On the #nmap IRC channel I was discussing introducing
better facilities to interact with Nmap scanning processes. At first,
I was thinking of ways to add more interactivity to the program, like
a keystroke to pause the current task or skip one of the hosts.
I found out that there used to be "interactive mode" in Nmap, removed
by David in 2010...
Re: [NSE] IKE information extraction
stripes (May 20)
If you have a system I can test it against, I'll test the patch.
-Anne
[NSE] IKE information extraction
Jesper Kückelhahn (May 20)
Hi list,
I've attached a script for extracting information from an IKE service and a
patch for ike.lua.
The IKE response might contain useful information such as the internal IP
address, domain name or username, which the script displays. Also matched
vendor IDs are displayed.
The ike.lua.patch adds extra functionality to support the extraction (and
some minor refactoring).
Example outputs:
PORT STATE SERVICE REASON VERSION...
Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Nmap Project Seeking Talented Programmers for Google Summer of Code
Fyodor (Apr 26)
Hi Folks. I'm happy to announce that the Nmap Project has again been
accepted into the Google Summer of Code program. This innovative and
extraordinarily generous program provides $5,000 stipends to college and
graduate students who spend the summer improving Nmap! They gain valuable
experience, get paid, strengthen their résumés, and write code for millions
of users.
Previous SoC students helped create the Nmap Scripting Engine, Zenmap...
Nmap 6.25 holiday season release! 85 new scripts, better performance, Windows 8 enhancements, and more
Fyodor (Nov 30)
Hi folks. It has been more than five months since the Nmap 6.01
release, and I'm pleased to announce a new version for you to enjoy
during the holidays! Nmap 6.25 contains hundreds of improvements,
including 85 new NSE scripts, nearly 1,000 new OS and service
detection fingerprints, performance enhancements such as the new
kqueue and poll I/O engines, better IPv6 traceroute support, Windows 8
improvements, and much more! It also includes...
Nmap 6.01 Released
Fyodor (Jun 22)
Hi folks! I'm happy to report that the Nmap 6.00 release
(http://nmap.org/6 ) last month was a huge success, with hundreds of
thousands of downloads and a bunch of positive articles and reviews.
But any release this big is going to uncover a few issues, so we've
released Nmap 6.01 to address them. This should also appease the more
conservative users who always wait for the first patch update before
installing a major software release....
Nmap 6 Released!
Fyodor (May 21)
Hi folks! After almost three years of work, 3,924 code commits, and
more than a dozen point releases since Nmap 5, I'm delighted to
announce the release of Nmap 6! It includes a more powerful Nmap
Scripting Engine, 289 new scripts, better web scanning, full IPv6
support, the Nping packet prober, faster scans, and much more!
For the top 6 improvements in Nmap 6, see the release notes:
http://nmap.org/6
Or you can go straight to the...
Last Chance to Apply for the Nmap/Google Summer of Code!
Fyodor (Apr 04)
Hi Folks. I'm happy to announce that the Nmap Project has again been
accepted into the Google Summer of Code program. This innovative and
extraordinarily generous program provides $5,000 stipends to college
and graduate students who want to spend the summer improving Nmap!
They gain valuable experience, get paid, strengthen their résumé, and
write code for millions of users.
Previous SoC students helped create the Nmap Scripting Engine,...
Nmap 5.61TEST5 released with 43 new scripts, improved OS & version detection, and more!
Fyodor (Mar 09)
Hi folks! We've been working hard for the last 2 months since
5.61TEST4, and I'm pleased to announce the results: Nmap 5.61TEST5.
This release has 43 new scripts, including new brute forcers for http
proxies, SOCKS proxies, Asterisk IAX2, Membase, MongoDB, Nessus
XMLRPC, Redis, the WinPcap remote capture daemon, the VMWare auth
daemon, and old-school rsync. Better check that your passwords are
strong! Some other fun scripts are...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
CFP: IEEE SafeConfig: 6th Symposium on Security Analytics and Automation
James Joshi (May 23)
CALL FOR PAPERS
IEEE SafeConfig 2013
--------------------
6th Symposium on Security Analytics and Automation (www.safeconfig.org)
(collocated with IEEE Conference on Communications and Network Security)
Washington, D.C., USA
October 14, 2013
Sponsors: IEEE (COMSOC).
Important Dates
Abstract Registration Deadline: June 25
Manuscript Submission: July 1, 2013
Review Notification: August 7, 2013
Camera Ready: August 15, 2012
Conference Dates:...
SEC Consult SA-20130523-0 :: JavaScript Execution in IBM WebSphere DataPower Services
SEC Consult Vulnerability Lab (May 23)
SEC Consult Vulnerability Lab Security Advisory < 20130523-0 >
=======================================================================
title: JavaScript Execution in WebSphere DataPower Services
product: IBM WebSphere DataPower Integration Appliance XI50
vulnerable version: 3.8.2, 4.0, 4.0.1, 4.0.2, 5.0.0
fixed version: not available, config changes
CVE number: CVE-2013-0499
impact:...
[ANN] Struts 2.3.14.1 GA (fast track | security)
Lukasz Lenart (May 23)
The Apache Struts group is pleased to announce that Struts 2.3.14.1 is
available as a "General Availability" release. The GA designation is
our highest quality grade.
Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.
Two security issues were...
APPLE-SA-2013-05-22-1 QuickTime 7.7.4
Apple Product Security (May 23)
APPLE-SA-2013-05-22-1 QuickTime 7.7.4
QuickTime 7.7.4 is now available and addresses the following:
QuickTime
Available for: Windows 7, Vista, XP SP2 or later
Impact: Opening a maliciously crafted TeXML file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
TeXML files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-1015...
[SECURITY] [DSA 2672-1] kfreebsd-9 security update
Florian Weimer (May 23)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2672-1 security () debian org
http://www.debian.org/security/ Florian Weimer
May 22, 2013 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : kfreebsd-9
Vulnerability : interpretation conflict
Problem...
[waraxe-2013-SA#105] - Multiple Vulnerabilities in Spider Catalog Wordpress Plugin
come2waraxe (May 22)
[waraxe-2013-SA#105] - Multiple Vulnerabilities in Spider Catalog Wordpress Plugin
===================================================================================
Author: Janek Vind "waraxe"
Date: 22. May 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-105.html
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Spider Catalog is the best WordPress...
[waraxe-2013-SA#104] - Multiple Vulnerabilities in Spider Event Calendar Wordpress Plugin
come2waraxe (May 22)
[waraxe-2013-SA#104] - Multiple Vulnerabilities in Spider Event Calendar Wordpress Plugin
===================================================================================
Author: Janek Vind "waraxe"
Date: 22. May 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-104.html
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Spider Event Calendar is a...
Trend Micro DirectPass 1.5.0.1060 - Multiple Vulnerabilities
Vulnerability Lab (May 22)
Title:
======
Trend Micro DirectPass 1.5.0.1060 - Multiple Vulnerabilities
Date:
=====
2013-05-21
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=894
Article: http://www.vulnerability-lab.com/dev/?p=580
Trend Micro (Reference): http://esupport.trendmicro.com/solution/en-US/1096805.aspx
Trend Micro Solution ID: 1096805
Video: http://www.vulnerability-lab.com/get_content.php?id=951
VL-ID:
=====
894
Common...
VUPEN Security Research - Microsoft Internet Explorer 10-9 Object Confusion Sandbox Bypass (MS13-037 / Pwn2Own)
VUPEN Security Research (May 22)
VUPEN Security Research - Microsoft Internet Explorer 10-9 Object
Confusion Sandbox Bypass (MS13-037 / Pwn2Own)
Website : http://www.vupen.com
Twitter : http://twitter.com/vupen
I. BACKGROUND
---------------------
"Microsoft Internet Explorer is a web browser developed by Microsoft and
included as part of the Microsoft Windows line of operating systems with
more than 60% of the worldwide usage share of web browsers." (Wikipedia)...
VUPEN Security Research - Microsoft Internet Explorer 10-9-8-7-6 VML Remote Integer Overflow (MS13-037 / Pwn2Own)
VUPEN Security Research (May 22)
VUPEN Security Research - Microsoft Internet Explorer 10-9-8-7-6 VML
Remote Integer Overflow (MS13-037 / Pwn2Own)
Website : http://www.vupen.com
Twitter : http://twitter.com/vupen
I. BACKGROUND
---------------------
"Microsoft Internet Explorer is a web browser developed by Microsoft and
included as part of the Microsoft Windows line of operating systems with
more than 60% of the worldwide usage share of web browsers." (Wikipedia)...
[ MDVSA-2013:166 ] krb5
security (May 22)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2013:166
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : krb5
Date : May 21, 2013
Affected: Business Server 1.0, Enterprise Server 5.0
_______________________________________________________________________
Problem...
[slackware-security] kernel (SSA:2013-140-01)
Slackware Security Team (May 21)
[slackware-security] kernel (SSA:2013-140-01)
New Linux kernel packages are available for Slackware 13.37 and 14.0 to fix
a security issue.
Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/linux-3.2.45/*: Upgraded.
Upgraded to new kernels that fix CVE-2013-2094, a bug that can allow local
users to gain a root shell. Be sure to upgrade your initrd and reinstall
LILO after upgrading...
Sony PS3 Firmware v4.31 - Code Execution Vulnerability
Vulnerability Lab (May 21)
Title:
======
Sony PS3 Firmware v4.31 - Code Execution Vulnerability
Date:
=====
2013-05-12
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=767
VL-ID:
=====
767
Common Vulnerability Scoring System:
====================================
6.5
Introduction:
=============
The PlayStation 3 is the third home video game console produced by Sony Computer Entertainment and the successor to the
PlayStation 2 as part of the...
CVE-2013-3496. Local privilege escalation vulnerability in Infotecs products (ViPNet Client\Coordinator, SafeDisk, Personal Firewall)
chudakovma (May 21)
CVE-2013-3496. Local privilege escalation vulnerability in Infotecs products (ViPNet Client\Coordinator, SafeDisk,
Personal Firewall)
CVE reference:
CVE-2013-3496
Credit:
Maksim Chudakov (@MChudakov)
Andrey Kurtasanov(andreykurtasanov () gmail com)
Severity:
Medium
Local\Remote:
Local
Vulnerability Class:
Privilege Escalation
Vendor URL:
http://www.infotecs.biz/
Affected OS:
Windows
Vulnerable systems:
ViPNet Client 3.2.10 (15632) and...
Revision of "IPv6 Stable Privacy Addresses" (Fwd: I-D Action: draft-ietf-6man-stable-privacy-addresses-07.txt)
Fernando Gont (May 21)
Folks,
We have published a revision of our IETF I-D "A method for Generating
Stable Privacy-Enhanced Addresses with IPv6 Stateless Address
Autoconfiguration (SLAAC)".
This revision is available at:
<http://tools.ietf.org/html/draft-ietf-6man-stable-privacy-addresses-07>.
This proposal is key for the mitigation of address-scanning attacks,
while at the same time preventing host-tracking.
Stay tuned for more IPv6 security news...
Full Disclosure — A lightly moderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately, most of the posts are worthless drivel, so finding the gems takes patience.
Analysis of the Carna Botnet (Internet Census 2012)
Parth Shukla (May 24)
Dear All,
I have made my presentation on the Carna Botnet freely available for view
and/or download: http://bit.ly/auscertcarna
This presentation is on the Compromised Devices of the Carna Botnet (also
known as Internet Census 2012). This analysis is done from data obtained
directly from the researcher. The data used is NOT publicly available for
download.
This was recently presented at the AusCERT Conference 2013. Info:...
Open challenge to Design the logo for Ground Zero Summit
Ground Zero (May 24)
Hello All!
The GroundZero Summit(G0S) is an
international platform for Information Security professionals showcasing their
research, products and case studies to industry leaders, policy makers,
investigators and decision makers from various Government Department of India
and abroad.
G0S is a largest collaborative platform
in Asia founded together by leading Cyber Security thought leaders and
Government of India to address the Cyber Security...
Shakacon V Speaker Selections
Shakacon (May 24)
Aloha from Hawaii:
The Shakacon CFP committee is pleased to announce the Shakacon V speaker
line up. Please join us June 27-28, 2013 in beautiful Honolulu, HI .
www.shakacon.org/speakers.html
Rahul Kashyap, Chief Security Architect, Head of Security Research -
Bromium
How Trustworthy are your Sand (de)fences?
Max Sobell, Senior Consultant - Intrepidus Group
Android 4.0: Ice Cream "Sudo Make Me a" Sandwich
Jason Shirk,...
Re: Sony PS3 Firmware v4.31 - Code Execution Vulnerability
Gary Driggs (May 24)
A full reading of the original post reveals the following plain text
transmission:
"Successful exploitation of the vulnerability can result in persistent
but local system command executions, psn session hijacking, persistent
phishing attacks, external redirect out of the vulnerable module,
stable persistent save game preview listing context manipulation"
Show In Browser 0.0.3 Ruby Gem /tmp file injection vulnerability
Larry W. Cashdollar (May 24)
TITLE: Show In Browser 0.0.3 Ruby Gem /tmp file injection vulnerability.
DATE: 5/15/2023
AUTHOR: Larry W. Cashdollar (@_larry0)
DOWNLOAD: https://rubygems.org/gems/show_in_browser
DESCRIPTION: Opens arbitrary text in your browser
VENDOR: Jonathan Leung
FIX: N/A
CVE: 2013-2105
DETAILS: The following code uses the temporary file "/tmp/browser.html" insecurely.
FILE_LOCATION = "/tmp/browser.html"

class <<...
little proof-of-concept for remote traffic statistics using the IP ID field
Jann Horn (May 23)
Hello,
I built a small C helper for remotely generating traffic statistics using the
IP ID field. Well, hping3 does all the interesting stuff. This program will
just, every five minutes, send 20 SYN packets in intervals of 100ms to port 80
of the target machine, then sum up the ID differences and output a line with
the current unix time and the number of packets the remote machine seems to
have sent during the two seconds of measuring....
Question on SMBRelay through Meterpreter
sd (May 23)
Hi guys,
Does anyone here have any experience with SMBRelay? Specifically running this module on a meterpreter session?
Imagine I run: run autoroute -s 10.1.13.0/24 and the IP of the meterpreter client is 10.1.13.26. If I set the SRVHOST
to listen on this address would that work?
I have tried this and received an error saying that port 445/139 are busy. But if I elevated to SYSTEM, closed these
ports and then ran SMBRelay. Would...
XSS and FPD vulnerabilities in I Love It New theme for WordPress
MustLive (May 23)
Hello list!
These are Cross-Site Scripting and Full path disclosure vulnerabilities in I
Love It New theme for WordPress. This is commercial (premium) theme. Earlier
I've written about vulnerabilities in VideoJS
(http://seclists.org/fulldisclosure/2013/May/21) and in multiple web
applications.
-------------------------
Affected products:
-------------------------
All versions of I Love It New theme for WordPress. The theme contains...
[SECURITY] [DSA 2692-1] libxxf86vm security update
Moritz Muehlenhoff (May 23)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2692-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
May 23, 2013 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : libxxf86vm
Vulnerability : several
Problem type : remote...
[SECURITY] [DSA 2691-1] libxinerama security update
Moritz Muehlenhoff (May 23)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2691-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
May 23, 2013 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : libxinerama
Vulnerability : several
Problem type :...
[SECURITY] [DSA 2690-1] libxxf86dga security update
Moritz Muehlenhoff (May 23)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2690-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
May 23, 2013 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : libxxf86dga
Vulnerability : several
Problem type :...
[SECURITY] [DSA 2673-1] libdmx security update
Moritz Muehlenhoff (May 23)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2673-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
May 23, 2013 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : libdmx
Vulnerability : several
Problem type : remote...
[SECURITY] [DSA 2674-1] libxv security update
Moritz Muehlenhoff (May 23)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2674-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
May 23, 2013 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : libxv
Vulnerability : several
Problem type : remote...
[SECURITY] [DSA 2675-1] libxvmc security update
Moritz Muehlenhoff (May 23)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2675-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
May 23, 2013 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : libxvmc
Vulnerability : several
Problem type : remote...
[SECURITY] [DSA 2676-1] libxfixes security update
Moritz Muehlenhoff (May 23)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2676-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
May 23, 2013 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : libxfixes
Vulnerability : several
Problem type : remote...
Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
Re: secure and simple file server
ugochukwu . egerue (Mar 29)
Hi Peter,
If AD cannot be used to implement the necessary security around your folders, then you need a third party folder/files
security solution. There are many of them in the market ranging from the low ends to high solutions like Imperva FAM.
Use google to do some research on it.
Good luck!,
Ugo
Sent from my BlackBerry wireless device from MTN
-----Original Message-----
From: Peter Odigie <peterquid () gmail com>
Sender:...
Re: secure and simple file server
Ansgar Wiechers (Mar 29)
File system permissions:
------------------------
Grant read access on the parent folder to "Authenticated Users" or
"Everyone", and have the subfolders inherit that ACL. Grant full control
on each immediate child folder to just the user who is supposed to be
able to write to it.
Share permissions:
------------------
Share the parent folder and grant full control to "Authenticated Users"
or "Everyone"....
secure and simple file server
Peter Odigie (Mar 29)
Hi All!
I would like to get your suggestions.
I have been asked to set up a file server on a windows OS not using
any active directory stuff. Just a simple file sharing stuff in which:
Person A will be the only one to put a file into Folder A but will
also be able to get files from Folder B & C. And the same will hold
for person B and person C - a folder can only be edited by a
particular person/group but all can access and get files from...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
RE: WASC Announcement: Static Analysis Technologies Evaluation Criteria Published
Debasis Mohanty (May 19)
Good initiative! I feel one of the important elements that is missing is the
"scoring mechanism". Based on what would you distinguish one product from
the other?
I created similar evaluation criteria nearly 7-8 years back for evaluating
SCA products using a QFD. That was the time I was introduced to 6-sigma and
thought a QFD is a best approach to have appropriate scoring for various
pilot parameters. However I never released it to the...
CONFidence - May, 28-29, Krakow, Poland - a conference adventure that never stops!
Sławomir Jabs (May 19)
Everything has a story, everything evolves, adapts to changing circumstances
but does your IT Sec strategy evolve with the development of the digital
world?
Are you willing to gamble on the security of your systems?
Join the upcoming CONFidence conference and meet both renowned speakers and
specialists who deal with the IT security on a daily basis. People like,
you, who never stop asking questions and play with risks all the time...
We will...
[HITB-Announce] HITB Magazine Issue 010
Hafez Kamal (May 14)
Hi everyone,
A small reminder that article submissions for HITB Magazine Issue 010
are due tomorrow (15th May 2013). If you're interested in submitting
please send your > 3000 word article to editorial () hackinthebox org
Topics of interest include, but are not limited to the following:
Next generation attacks and exploits
Apple / OS X security vulnerabilities
SS7/Backbone telephony networks
VoIP security
Data...
SpiderFoot 2.0 released
Steve Micallef (May 10)
Hi everyone,
SpiderFoot is a free, open-source footprinting tool, enabling you to
perform various scans against a given domain name in order to obtain
information such as sub-domains, e-mail addresses, owned netblocks, web
server versions and so on. The main objective of SpiderFoot is to
automate the footprinting process to the greatest extent possible,
freeing up a penetration tester's time to focus their efforts on the
security...
WASC Announcement: Static Analysis Technologies Evaluation Criteria Published
announcements (May 10)
The Web Application Security Consortium (WASC) is pleased to announce the
Static Analysis Technologies Evaluation Criteria. The goal of the SATEC
project is to create a vendor-neutral set of criteria to help guide
application security professionals during the process of acquiring a
static code analysis technology that is intended to be used during
source-code driven security programs. This document provides a
comprehensive list of criteria that...
Ruxcon 2013 Call For Papers
cfp (May 07)
Ruxcon 2013 Call For Presentations
Melbourne, Australia, October 26th-27th
CQ Function Centre
http://www.ruxcon.org.au/call-for-papers/
The Ruxcon team is pleased to announce the Call For Presentations for Ruxcon 2013.
This year the conference will take place over the weekend of the 26th and 27th
of October at the CQ Function Centre, Melbourne, Australia.
.[x]. About Ruxcon .[x].
Ruxcon is a premier technical computer security conference...
[TOOL] TOPERA v2 released
cr0hn (May 07)
Hi everybody,
We just released TOPERA v2:
TOPERA is a new security tool for IPv6, with the particularity that its attacks can't be detected by Snort.
This new version of TOPERA includes these improvements:
1 - Slow HTTP attacks (Slowloris over IPv6).
2 - Improved TCP port scanner.
New project page:
http://toperaproject.github.io/topera/
Regards!...
[HITB-Announce] #HITB2013KUL Call for Papers
Hafez Kamal (May 01)
Hi everyone - This is a Call for Papers for the 11th annual HITB
Security Conference in Malaysia, #HITB2013KUL which takes place on the
16th and 17th of October in Kuala Lumpur.
Keynote speakers for the conference will be Joe Sullivan (Chief Security
Officer, Facebook) and Andy Ellis (Chief Security Officer, Akamai)
We're looking for talks that are highly technical, but most importantly,
material which is new and cutting edge. Submissions...
Breakpoint 2013 Call For Papers
cfp (May 01)
Breakpoint 2013 Call For Papers
Melbourne, Australia, October 24th-25th
Intercontinental Rialto
http://www.ruxconbreakpoint.com
.[x]. Introduction .[x].
The Ruxcon team is pleased to announce Call For Papers for Breakpoint 2013.
Breakpoint showcases the work of expert security researchers from around the
world on a wide range of topics. This conference is organised by the Ruxcon
team and offers a specialised security conference to...
Arachni v0.4.2 has been released (Open Source Web Application Security Scanner Framework)
Tasos Laskos (Apr 29)
Hey folks,
This is just to let you know that there's a new version of Arachni.
Arachni is a modular and high-performance (Open Source) Web Application Security Scanner Framework written in Ruby.
The change-log is quite sizeable but the gist is:
* Brand new web interface -- allowing for team collaboration.
* Significant decreases in memory usage.
* Issue remarks – Providing extra context to logged issues.
* Improved payloads...
TXDNS v2.4 released
Arley Silveira (Apr 17)
TXDNS v 2.4 is out and available to download from
http://txdns.net/
This new version adds support for reverse grinding.
Ex:
txdns -r 10-20.1.60-70.1-254,192.168.15.0/24
Cheers
Arley Silveira.
A survey on quantifying severity of vulnerabilities in softwares
Khalid Khan Afridi (Apr 17)
Hello!
I am currently performing my master thesis on the topic of quantifying the
severity of software vulnerabilities.
As you have done significant work in this area, I would be glad if you
could spare a few minutes of your time to answer a survey on the topic.
It should not require more than 15-20 minutes to complete.
The survey can be found at: http://secsurvey.ics.kth.se/index.php
Thank you for your attention!
Best Regards,
Khalid Khan...
Hackersh 0.1 Release Announcement
Itzik Kotler (Apr 03)
Hi All,
I am pleased to announce the first version of Hackersh
(http://www.hackersh.org).
Hackersh ("Hacker Shell") is a free and open source shell (command
interpreter) written in Python with built-in security commands, and
out-of-the-box wrappers for various security tools, using Pythonect as
its scripting engine. Pythonect is a new, experimental,
general-purpose high-level dataflow programming language based on
Python. It aims to...
Info Security News — Carries news items (generally from mainstream sources) that relate to security.
Iran Hacks Energy Firms, U.S. Says
InfoSec News (May 24)
http://online.wsj.com/article/SB10001424127887323336104578501601108021968.html
By SIOBHAN GORMAN and DANNY YADRON
The Wall Street Journal
May 23, 2013
WASHINGTON -- Iranian-backed hackers have escalated a campaign of
cyberassaults against U.S. corporations by launching infiltration and
surveillance missions against the computer networks running energy
companies, according to current and former U.S. officials.
In the latest operations, the...
US government has no idea how to wage cyberwar: Ranum
InfoSec News (May 24)
http://www.zdnet.com/us-government-has-no-idea-how-to-wage-cyberwar-ranum-7000015840/
By Michael Lee
ZDNet.com
May 24, 2013
Military strategies and tactics that may work in the physical world do
not have a place in guiding "cyberwarfare", and those that attempt to
use them demonstrate a key lack of understanding, according to Tenable
Security's chief of security Marcus Ranum.
Ranum, who spoke at AusCERT 2013 at the Gold...
Should the U.S. allow companies to ‘hack back’ against foreign cyber spies?
InfoSec News (May 24)
http://www.washingtonpost.com/blogs/worldviews/wp/2013/05/23/should-the-u-s-allow-companies-to-hack-back-against-foreign-cyber-spies/
By Max Fisher
The Washington Post
May 23, 2013
Foreign hackers do remarkable damage by breaking into American
companies, stealing intellectual property worth enormous amounts of
money, swiping proprietary secrets for military technology or other uses
and, in the case of some recent Chinese attacks, even...
'Anonymous' a little less so, thanks to Israeli hackers
InfoSec News (May 24)
http://www.timesofisrael.com/anonymous-a-little-less-so-thanks-to-israeli-hackers/
By DAVID SHAMAH
The Times of Israel
May 24, 2013
After April’s largely unsuccessful campaign by Anonymous and Arab
hackers, #OpIsrael, to “remove Israel from the Internet,” a second round
of hack attacks against Israeli sites, “OpIsrael Reloaded,” is planned
for Saturday. The followup campaign seeks to demonstrate that Israel did
indeed sustain a...
Tipsters exposed after South Africa's national police force hacked
InfoSec News (May 24)
http://www.theregister.co.uk/2013/05/23/saps_anon_hack/
By John Leyden
The Register
23rd May 2013
The identities of more than 15,000 South Africans who reported crimes or
provided tip-offs to the police have been exposed following an attack on
a SAPS (South African Police Service) website.
The names and personal details of whistleblowers and crime victims were
lifted from www.saps.gov.za and uploaded to a bullet-proof hosting site.
Names,...
Cyber Recruiting, Country Music Style
InfoSec News (May 23)
http://www.nextgov.com/cybersecurity/cybersecurity-report/2013/05/cyber-recruiting-country-music-style/63434/
[If you're looking for skilled cybersecurity experts, Please visit
http://jobs.infosecnews.org/ - WK]
By Jessica Herrera-Flanigan
Nextgov.com
May 22, 2013
The need for skilled cybersecurity experts continues to be a priority for the
U.S. government, the private sector and academia.
Since the need for a skilled workforce has...
'Hacking' Journalists Case Dredges Up Security Research Legal Debates
InfoSec News (May 23)
http://www.darkreading.com/attacks-breaches/hacking-journalists-case-dredges-up-secu/240155428
By Ericka Chickowski
DarkReading.com
May 22, 2013
A legal storm is brewing between researchers who uncovered a cache of sensitive
information about 170,000 consumers through a Google search and the company
which left the information freely available online. It sounds like the typical
disclosure scuffle that the security research community has come...
Former Elgin deputy police chief charged with identity theft, misconduct
InfoSec News (May 23)
http://www.chicagotribune.com/news/local/suburbs/elgin/chi-former-elgin-deputy-police-chief-charged-with-identity-theft-misconduct-20130521,0,548860.story
By Kate Thayer
Tribune reporter
May 21, 2013
A former high-ranking Elgin police officer and current Stockton police
chief was indicted Tuesday on charges he used a law enforcement database
to hack into an e-mail account and get personal information, according
to Kane County prosecutors....
Sharyl Attkisson's computers compromised
InfoSec News (May 23)
http://www.politico.com/blogs/media/2013/05/sharyl-attkissons-computers-compromised-164456.html
By Dylan Byers
Politico.com
5/21/13
Sharyl Attkisson, the Emmy-award winning CBS News investigative
reporter, says that her personal and work computers have been
compromised and are under investigation.
"I can confirm that an intrusion of my computers has been under some
investigation on my end for some months but I'm not prepared to...
ToorCon Seattle CFP & Registration
InfoSec News (May 23)
http://seattle.toorcon.net/cfp/
Call For Papers
Papers and presentations are being accepted for ToorCon Seattle to be held at
Neumos and around the city in Seattle, WA on July 5th-7th, 2013. To submit a
talk to ToorCon Seattle, please fill out the submission form below. Submissions
will be accepted until June 21st, 2013.
Submission of Papers
ToorCon only accepts papers on new technologies and methodologies that have
been recently...
U.S. power companies under frequent cyberattack
InfoSec News (May 23)
https://www.computerworld.com/s/article/9239442/U.S._power_companies_under_frequent_cyberattack
By Jeremy Kirk
IDG News Service
May 21, 2013
A survey of U.S. utilities shows many are facing frequent cyberattacks
that could threaten a highly interdependent power grid supplying more
than 300 million people, according to a congressional report.
More than a dozen utilities said cyberattacks were daily or constant,
according to the survey,...
Hackers Find China Is Land of Opportunity
InfoSec News (May 23)
http://www.nytimes.com/2013/05/23/world/asia/in-china-hacking-has-widespread-acceptance.html
By EDWARD WONG
The New York Times
May 22, 2013
BEIJING -- Name a target anywhere in China, an official at a state-owned
company boasted recently, and his crack staff will break into that
person’s computer, download the contents of the hard drive, record the
keystrokes and monitor cellphone communications, too.
Pitches like that, from a salesman...
How anticipating a health data breach can boost security
InfoSec News (May 21)
http://healthitsecurity.com/2013/05/20/how-anticipating-a-health-data-breach-can-boost-security/
By Patrick Ouellette
Health IT Security
May 20, 2013
A healthcare chief information officer (CIO) saying that he expects to
experience a health data breach is not only unusual, but may produce
shock and awe in some parts of the healthcare industry. However, having
this type of outlook, regardless of whether the CIO ends up having to
deal with a...
Hackers Who Breached Google in 2010 Accessed Company's Surveillance Database
InfoSec News (May 21)
http://www.wired.com/threatlevel/2013/05/google-surveillance-database/
By Kim Zetter
Threat Level
Wired.com
05.20.13
Hackers who breached Google’s network in 2010 obtained access to the company’s
system for tracking surveillance requests from law enforcement, according to a
news report.
The hackers gained access to a database that Google used to process court
orders from law enforcement agencies seeking information about customer...
Hunting for Syrian Hackers' Chain of Command
InfoSec News (May 21)
http://www.nytimes.com/2013/05/18/technology/financial-times-site-is-hacked.html
By NICOLE PERLROTH
The New York Times
May 17, 2013
It’s the question of the moment inside the murky realm of cybersecurity: Just
who -- or what -- is the Syrian Electronic Army?
The hacking group that calls itself the S.E.A. struck again on Friday, this
time breaking into the Twitter accounts and blog headlines of The Financial
Times. The attack was part of a...
Firewall Wizards — Tips and tricks for firewall administrators
Re: Linked-in and its Phishing-like contacts option!
lordchariot (May 01)
Yeah, I was trying to make this non-product specific, but most vendors can actually do this to some degree or another.
Here's how we do it on my product:
https://mcafee.box.com/MWG7-FeatureDemo-Part2
The problem with doing it at a network layer with an IDS is the SSL decryption. Almost everything nowadays is HTTPS, so
it's game over if you cannot open up the encryption.
e²
_____________________________________
From:...
Re: Linked-in and its Phishing-like contacts option!
Jon Robinson (May 01)
It's not free but Palo Alto Networks does this. You can search here to see
which applications/sites they can control:
http://apps.paloaltonetworks.com/applipedia/
Jon Robinson
Digital Scepter
desk (951) 461-7868
mobile (562) 682-0821
jon () digitalscepter com
Re: Linked-in and its Phishing-like contacts option!
Mathew Want (May 01)
Read only access to the sites. I like that idea a lot.
Has anyone else come across this requirement or found a good way to do it
at a control point level? Perhaps at the IDS layer?
M@
Re: OpenBSD IPSEC VPN question
Chris Buechler (May 01)
You can, but that's a different circumstance. That would be IPsec
transport mode, which in combination with gif, GRE or similar
tunneling indeed doesn't have such requirements/quirks since there is
a route in the routing table in that case. Tunnel mode is more common,
which is what's applicable to the subject of this thread. Routing
table changes have no impact on whether traffic in BSD traverses a
tunnel mode IPsec connection,...
Re: OpenBSD IPSEC VPN question
Paul D. Robertson (May 01)
It's been a while since I've done it, but Linux used to make an ipsec0 interface that was handled with the standard
routing table. Possibly in *BSD you need to use a gre or gif tunnel to achieve the same thing?
Paul
Re: OpenBSD IPSEC VPN question
Chris Buechler (May 01)
This is true of all the BSDs with IPsec (and maybe Linux and other
*nix OSes but not sure of those). Traffic that doesn't have a specific
source IP set gets the source IP that's closest to the destination per
the routing table. IPsec doesn't have a routing table entry, traffic
follows the SPD. So it ends up getting the IP that's nearest the
default gateway, which is most always a public IP, which is most
always not going to...
Re: OpenBSD IPSEC VPN question
David Lang (Apr 30)
That's what I would expect as well, but the person reporting the problem is
claiming that this is not the case on OpenBSD, that there are no routes visible
and connections _from_ the firewall need to explicitly set their source IP
address.
This doesn't sound right to me, but I am not an OpenBSD expert.
David Lang
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com...
Re: OpenBSD IPSEC VPN question
Paul D. Robertson (Apr 30)
I'd expect a connect() to bind implicitly to IP_ADDR_ANY and have the system fill in the source address by default
based on the destination route if the client doesn't specify an explicit bind address and for traffic destined to go
through the VPN to do so- it sounds like it doesn't- but without more data, I'd be wary of troubleshooting it (NAT,
filtering...)
However, I'd also advocate being able to explicitly set the...
Breakpoint 2013 Call For Papers
cfp (Apr 30)
Breakpoint 2013 Call For Papers
Melbourne, Australia, October 24th-25th
Intercontinental Rialto
http://www.ruxconbreakpoint.com
.[x]. Introduction .[x].
The Ruxcon team is pleased to announce Call For Papers for Breakpoint 2013.
Breakpoint showcases the work of expert security researchers from around the
world on a wide range of topics. This conference is organised by the Ruxcon
team and offers a specialised security conference to...
Re: OpenBSD IPSEC VPN question
Bennett Todd (Apr 30)
When you've got a vpn up, you're multi-homed, the Unix way for a client to
choose a network to use, when there are multiple choices, is to specify the
src ip to bind to.
I think that's the behavior I'd expect anywhere.
Re: Linked-in and its Phishing-like contacts option!
David Lang (Apr 30)
when you say turn off webmail, do you mean to cut off access to public webmail
servers from inside your network? or do you mean to not run things like OWA that
expose your company mail to the Internet?
David Lang
Re: Proxy advantage
David Lang (Apr 30)
If you start with the premise that the only thing that's a firewall is a packet
filter, especially with deep packet inspection being optional, then you are
going to be in rather bad shape.
I have run a fairly large organization with proxy firewalls (800+ people, 100+
separate networks), it can be done. In some areas it bypasses whole classes of
problems.
Even for user desktops you can do it, but you need to get a good proxy, not just...
Re: firewall-wizards Digest, Vol 64, Issue 3 phishing
David Lang (Apr 30)
Except with the "Cloud" you as an organization give up a lot of the tools that
have been used in the past to secure things.
Plus, you have the DevOps approach being misinterpreted by management to mean
"engineers can do everything, they can bypass those annoying ops and security
folks to get things done"
It's going to be an interesting few years as everyone learns that you still need
admins and security folks in the...
Re: Linked-in and its Phishing-like contacts option!
lordchariot (Apr 30)
I have a lot of requests from customers to try to make the web read-only. The main use cases are for social network,
blogs/wikis, and commenting on posts. The fundamental ways to do this are to 1) have MITM SSL decryption, and 2) block
the POST method for specific sites. Most commercial proxies can do this and even squid does SSL MITM.
By blocking POST to certain categories of sites and only allowing the POST for the */logon pages, users can...
OpenBSD IPSEC VPN question
David Lang (Apr 30)
I'm seeing some odd reports on the rsyslog mailing list where someone is claiming
that when using an IPSEC VPN on OpenBSD they have to explicitly set the source
IP address for all connections out from the firewall (tunnel endpoint) or else
the connection won't go through the tunnel. The person reporting this is
proposing modifications to rsyslog to have it force the local IP address for
outbound connections as a work-around for this...
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
CONFidence - May, 28-29, Krakow, Poland - a conference adventure that never stops!
Sławomir Jabs (May 17)
Everything has a story, everything evolves, adapts to changing circumstances
but does your IT Sec strategy evolve with the development of the digital
world?
Are you willing to gamble on the security of your systems?
Join the upcoming CONFidence conference and meet both renowned speakers and
specialists who deal with the IT security on a daily basis. People like
you, who never stop asking questions and play with risks all the time...
We will...
RE: WASC Announcement: Static Analysis Technologies Evaluation Criteria Published
Debasis Mohanty (May 17)
Good initiative! I feel one of the important elements that is missing is the
"scoring mechanism". Based on what would you distinguish one product from
the other?
I created similar evaluation criteria nearly 7-8 years back for evaluating
SCA products using a QFD. That was the time I was introduced to 6-sigma and
thought a QFD is a best approach to have appropriate scoring for various
pilot parameters. However I never released it to the...
[HITB-Announce] HITB Magazine Issue 010
Hafez Kamal (May 14)
Hi everyone,
A small reminder that article submissions for HITB Magazine Issue 010
are due tomorrow (15th May 2013). If you're interested in submitting
please send your > 3000 word article to editorial () hackinthebox org
Topics of interest include, but are not limited to the following:
Next generation attacks and exploits
Apple / OS X security vulnerabilities
SS7/Backbone telephony networks
VoIP security
Data...
WASC Announcement: Static Analysis Technologies Evaluation Criteria Published
announcements (May 11)
The Web Application Security Consortium (WASC) is pleased to announce the
Static Analysis Technologies Evaluation Criteria. The goal of the SATEC
project is to create a vendor-neutral set of criteria to help guide
application security professionals during the process of acquiring a
static code analysis technology that is intended to be used during
source-code driven security programs. This document provides a
comprehensive list of criteria that...
SpiderFoot 2.0 released
Steve Micallef (May 06)
Hi everyone,
SpiderFoot is a free, open-source footprinting tool, enabling you to
perform various scans against a given domain name in order to obtain
information such as sub-domains, e-mail addresses, owned netblocks, web
server versions and so on. The main objective of SpiderFoot is to
automate the footprinting process to the greatest extent possible,
freeing up a penetration tester's time to focus their efforts on the
security...
[HITB-Announce] #HITB2013KUL Call for Papers
Hafez Kamal (May 01)
Hi everyone - This is a Call for Papers for the 11th annual HITB
Security Conference in Malaysia, #HITB2013KUL which takes place on the
16th and 17th of October in Kuala Lumpur.
Keynote speakers for the conference will be Joe Sullivan (Chief Security
Officer, Facebook) and Andy Ellis (Chief Security Officer, Akamai)
We're looking for talks that are highly technical, but most importantly,
material which is new and cutting edge. Submissions...
Breakpoint 2013 Call For Papers
cfp (May 01)
Breakpoint 2013 Call For Papers
Melbourne, Australia, October 24th-25th
Intercontinental Rialto
http://www.ruxconbreakpoint.com
.[x]. Introduction .[x].
The Ruxcon team is pleased to announce Call For Papers for Breakpoint 2013.
Breakpoint showcases the work of expert security researchers from around the
world on a wide range of topics. This conference is organised by the Ruxcon
team and offers a specialised security conference to...
Arachni v0.4.2 has been released (Open Source Web Application Security Scanner Framework)
Tasos Laskos (Apr 29)
Hey folks,
This is just to let you know that there's a new version of Arachni.
Arachni is a modular and high-performance (Open Source) Web Application Security Scanner Framework written in Ruby.
The change-log is quite sizeable but the gist is:
* Brand new web interface -- allowing for team collaboration.
* Significant decreases in memory usage.
* Issue remarks – Providing extra context to logged issues.
* Improved payloads...
Administrivia - slow moderation this week
Andrew van der Stock (Apr 28)
Hi all,
I'm going to be in Milan this week.
Not that there are many messages to moderate, but moderation will be
iffy / slow this next week, particularly during the bits where various
planes are flapping their wings and going "whoosh".
Normal moderation service will resume May 5.
thanks,
Andrew
A survey on quantifying severity of vulnerabilities in softwares
Khalid Khan Afridi (Apr 18)
Hello!
I am currently performing my master thesis on the topic of quantifying the
severity of software vulnerabilities.
As you have done significant work in this area, I would be glad if you
could spare a few minutes of your time to answer a survey on the topic.
It should not require more than 15-20 minutes to complete.
The survey can be found at: http://secsurvey.ics.kth.se/index.php
Thank you for your attention!
Best Regards,
Khalid Khan...
Defcon DCG Kerala Information Security Meet 2013
Ajin Abraham (Apr 07)
Defcon DCG Kerala Information Security Meet 2013
=====================================
Defcon DCG Kerala (DC0497) is a Defcon USA registered group for
promoting and demonstrating research and development in the field of
Information Security. We are a group of Information Security
Enthusiasts actively interested in promoting information security.
Defcon Kerala Information Security Meet will be a platform for
security analysts, ethical hackers,...
c0c0n 2013 - Call For Papers and Call For Workshops
c0c0n International Information Security Conference (Apr 06)
###################################################
c0c0n 2013 - Call For Papers and Call For Workshops
###################################################
August 22-24, 2013 -...
winAUTOPWN v3.4 Released - Completing 4 years !!
QUAKER DOOMER (Mar 27)
Dear all,
This is to announce release of winAUTOPWN version 3.4.
Conceived and released in 2009, WINDOWS AUTOPWN grows strong completing its 4th year.
Visit: http://winautopwn.co.nr
++++++++++++++++++++
About winAUTOPWN:
winAUTOPWN is a unique exploit framework which aids in auto (hacking) / shell gaining as well as in exploiting
vulnerabilities to conduct Remote Command Execution, Remote File/Shell Upload, Remote File Inclusion and...
Unauthorized Access: Bypassing PHP strcmp()
Danux (Mar 03)
Hope you enjoy it.
http://danuxx.blogspot.com/2013/03/unauthorized-access-bypassing-php-strcmp.html
NoSuchCon CFP 2.0 / 15-17 May 2013 / Paris, France
Jonathan Brossard (Feb 25)
*******************************************************************************
PARENTAL ADVISORY: 100% technical content
*******************************************************************************
+--------------------------------------------------------------+
= =
= NoSuchCon - CFP 2.0 =
=...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Re: The underlying structure is foamy
Moses Hernandez (May 24)
Cyberwar. I am not sure that it conjures the right picture on my head
because there would be a dark skies and a dystopian society with only Mel
Gibson, Harrison Ford, and just for the heck of it Patrick Swayze from Road
House. Do I believe that people are going to replace their fleet with
something else? Yes. A scramjet based one. Nothing says dystopia like a
scramjet drone army.
I think this new notion that large companies are pushing, the one...
Re: The underlying structure is foamy
Thomas Lim (May 24)
Dave
Ben, like you and Halvar, are all iconoclasts. It's impossible to find
anyone else in this Universe that will come close to looking like the 3
of you and/or have the kind of cognitive "computing power" that you 3
possess. Unlike me who is a Chinese, common, prevalent (you cannot get
rid of us, can't you?) and who cannot read, write and pronounce properly
the lingua franca of planet Earth.
Ben is really a mystique. His...
The underlying structure is foamy
Dave Aitel (May 23)
So Ben Nagy, who is nothing if not an iconoclast, disagrees with my and
Halvar's general tenets that the easiest analogy to what is happening in
the cyber space is the creation of a new Navy (or set of Navy's). But he
refuses to argue with it when it's not words on paper. So I figured I'd
put down some words on paper.
The first and most basic premise is that the Internet has replaced the
oceans as the global Commons. While...
Automated Volatility plugin Generation with Dalvik Inspector
Joe Sylve (May 23)
Hello,
We wanted to take the opportunity to point you to a blog post which gives a
preview of some of the research we've been working on at 504ENSICS Labs in
the area of Android memory analysis. This time we are demoing a feature
that will allow automated volatility plugin generation with our Dalvik
Inspector tool. We think our results will be of great interest to the DFIR
community and look forward to your feedback. We plan on...
Starters.
Dave Aitel (May 23)
And....we're back!
I got a few emails asking where DD went, and the answer is "after
INFILTRATE there's lots of work to do". We'll have quite a few
announcements and blog posts and dissertations on social insects and
their relationship to trojan protocols coming in the following days!
For a starter, this blog post is a good morning read!...
WhiteHat Security report, or what use is SCA for web apps?
Vitaly Osipov (May 23)
A while ago I've read an article absolutely not about security but
about how great it is to work in small friendly teams -
http://pragprog.com/magazines/2012-12/agile-in-the-small
It contains an awesome quote:
"...most best practices are just crutches for having a heterogeneous
skill mix in one’s team."
Please hold that quote in mind while I turn to the figures recently
released by WhiteHat Security
(...
D2Sec's Elliot
Dave Aitel (May 06)
http://www.d2sec.com/news/driving_d2_elliot_with_immunity_canvas.html
There's a lot of different kinds of exploits - and many people ignore
the web exploits that are not for Wordpress. This is usually a mistake
because, especially as we look at #OpUSA and #OpIsreal and the like, a
lot of people are running all sorts of web applications with all sorts
of esoteric web vulnerabilities on them. Which is why our close and
continuing friends over...
SyScan 2013
Dave Aitel (May 02)
It's really only after you finish writing a keynote that you know what
it's about. In a sense, everyone around you writes it with you as you
talk through it with people. The one I delivered at SyScan itself was
funnier. . . although even so, not very funny. Not everything is funny!
Even things that include Buffy.
"Things Buffy the Vampire Slayer Taught Me About CyberWar - SyScan 2013
Keynote)"...
Yet Another Java Security Warning Bypass
Esteban Guillardoy (Apr 25)
Hi everyone!
I wrote a blog post about another Java Security Warning Bypass that
you may find interesting ;)
Just go to the Immunity blog and enjoy:
http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html
Cheers
Esteban
Answering Lurene's Question
Dave Aitel (Apr 21)
So the kids are in NY so I've gotten a full night's sleep for the first
time in about a while, and parts of my brain I didn't realize were
malfunctioning now have blood and oxygen and whatever soupy hormones
they need to start sparking back up. I'm working on my SyScan talk,
which is due next week, so I wanted to warm up by answering a question
for Lurene.
----
Imagine it's 2030 and we finally understand a few things...
Students teaching trainers
Alex McGeorge (Apr 17)
Aloha list,
We do a lot of teaching at Immunity and it's something I think we've
gotten pretty good at over the years. Part of improving your teaching
offerings is doing some hard reflection on what did and didn't work for
the most recent class which is what we're in the process of doing for
web hacking right now. Most of those lessons only make sense from an
internal perspective but there are some things that other people...
Re: Linux Hangman Rules
Michal Zalewski (Apr 17)
[lcamtuf () raccoon ~]$ gdb
(gdb) shell id
uid=500(lcamtuf) gid=500(lcamtuf) groups=100(users),500(lcamtuf)
Oh no!
/mz
Linux Hangman Rules
Dave Aitel (Apr 17)
http://blog.ioactive.com/2013/04/can-gdbs-list-source-code-be-used-for.html
So reading the above blog is amusing for many reasons. But it did make a
lot of people sit around looking at the funniest games you could play on
modern Linux. For example, Linux Hangman.
Linux Hangman Rules
You take turns putting setuid root onto files in /usr/bin /usr/sbin/,
etc. and if your opponent can use that to get root, even via a
convoluted scenario, then you...
Re: Recent experiences with ZDI?
Jim Manico (Apr 17)
Here is a pretty comprehensive list of bug bounty programs to help kick
start the conversation.
http://bugcrowd.com/list-of-bug-bounty-programs/
- Jim
Recent experiences with ZDI?
patrick patrick (Apr 15)
Hi guys,
I haven't had dealings with ZDI in years, but I've heard some rumors of
people getting screwed over by them recently.
Can somebody confirm or deny this?
Is there currently a safe&legal alternative to get rewarded for bughunting?
Thanks
P
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
Re: SQL cheat sheet
Joel Gunderson (May 23)
Additionally, not necessarily related directly to SQL injection, but make
sure that there is a sufficient authentication/authorization framework in
place, if possible. This will help reduce the threat population to begin
with.
Re: Avoiding IPS Detection
Wicked Clown (May 22)
I am not 100% sure about probing networks, but here are some ways to bypass
IPS/IDS in general that work against some big hitters:
1) send the protocol over a different allowed port, for example.. use FTP
over MYSQL.
2) Most IPS/IDS will ignore the first 4k of data on network, so if you send
data out of the network just do it in 3k chunks, yes you will have to keep
re-establishing the connection.. but if you do a snatch and grab for example
the...
GPS tracking devices
Jesse Gardner (May 22)
Hi there, I had an interesting question at work yesterday and
thought some of you might have faced this scenario...
My work sends important devices & systems through common shipping
services (FedEx, UPS, etc.); our operations folks mentioned the
desire to have better/real-time tracking information available
through some sort of GPS/LoJack tracking device.
Have you ever used any devices like this? Do you have any
suggestions on...
Re: Howto update (security patches) Java on Windows 8
Carlos Perez (May 22)
Another method is to use the WSUS Package Publisher http://wsuspackagepublisher.codeplex.com/ , still you will need a
software inventory solution or build your own, that is just basics for security, no way to be able to be effective at
determining risk if you do not have a host and software inventory. The modification of the MSI is so it removes Java 6
if you do not use it, also remember there are more than one packaged version of Java, you...
Re: Howto update (security patches) Java on Windows 8
Guillaume Ross (May 22)
In the GPO itself you can mark a package to be installed after the removal of a previous version as well.
I don't recommend using GPOs to push software, especially software that is updated so often and found vulnerable so
often, because you will have little information on how successful the deployment is.
One day or another, you will end up with a bunch of workstations still running an old Java, or maybe stuck without
Java. (One could...
Re: Avoiding IPS Detection
Dan King (May 22)
Run tests to see if heavily fragmented packets trigger anything. If not,
use fragmentation (out of order works really well)
Also scan really really slowly. A lot of IPS/IDS trigger on volume of
traffic.
Re: SQL cheat sheat
Guillaume Ross (May 22)
IMO - if we are discussing solely SQLi - the MOST important thing is to use parameterized queries.
Then, validate user input (though that is important for way more than SQLi).
Depending on the language you are using and the RDBMS you are accessing there are different ways to parameterize
queries, but they are typically easy and user friendly. Sometimes they can have a positive performance impact depending
on the way the query optimizer works...
Re: Little Snitch
Guillaume Ross (May 22)
I have not tested Hands Off but I do remember seeing that one of the advantages it had over Little Snitch was inbound
monitoring and management - which Little Snitch added in version 3.
They both look relatively user friendly and seem to work in very similar ways.
It would be very interesting to see an in depth comparison indeed, especially now that LS has inbound functionality
too..
Guillaume
Re: [GPWN-list] Avoiding IPS Detection
Tim Tomes (May 21)
OK, let me provide a little more detail. You've done reconnaissance,
and there wasn't enough information to make precise targeted attacks.
You need to probe the network (i.e. nmap scans) to find available
services. You can't go to your local coffee shop or use a service like
anonymizer because they are detecting and blocking too aggressively to
experience the benefits of either. Your only choice is avoidance.
I know some of you...
Re: Ec-council (Certified Ethical Hacker) gets Hacked
Carlos Perez (May 21)
Well that case was not indexing, he did automate and went further than that with no permission and his chat logs do not
reflect it was to responsibly notify AT&T, plus challenging the judge was not a smart idea
http://www.justice.gov/usao/nj/Press/files/pdffiles/2011/Spitler,%20Daniel%20et%20al.%20Complaint.pdf he did get way too
much time in the puns in the ass for it.
Re: Ec-council (Certified Ethical Hacker) gets Hacked
Patrick Laverty (May 21)
Maybe not but apparently it's enough to get you 3 1/2 years in jail if you
do it to AT&T.
Re: Ec-council (Certified Ethical Hacker) gets Hacked
yersinia (May 21)
Hi to all
I'm part of the EC-COUNCIL group on linkedin. There were two posts on
this topic. The most recent (11 hours ago) is the following
"
**Updated** Message from EC-Council
On May 16th, 2013, EC-Council was notified of an article that stated
an alleged hack had taken place on EC-Council Servers. Upon
notification, EC-Council immediately investigated the issue. Contrary
to the news reported by E Hacking News this week,...
Avoiding IPS Detection
Tim Tomes (May 21)
I'm compiling a list of preferred methods for probing networks while
avoiding IDS/IPS detection. Any and all input is appreciated. Thanks.
Re: [GPWN-list] Avoiding IPS Detection
Jamil Ben Alluch (May 21)
Hello Tim,
You could take a look at these links, they provide some information:
http://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques
http://insecure.org/stf/secnet_ids/secnet_ids.html
Hope this helps.
Best regards,
Re: Ec-council (Certified Ethical Hacker) gets Hacked
allison nixon (May 21)
where are all those ethical hackers who could have notified them of the
indexing problem? that's a pretty obvious flaw.
oh right, it would be unethical to test that...
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
Honeypot malware archives
Matteo Cantoni (Feb 14)
Hello everyone,
I would like to share with you, for educational purposes and without any
commercial purpose, data collected by my homemade honeypot.
Nothing new, nothing shocking, nothing sensational... but I think it can
be of interest to newcomers to the world of analysis of malware,
botnets, etc... maybe for a thesis.
The files collected are divided into zip archives, in alphabetical
order, with password (which must be requested via email). Some...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Bulletin Minor Revisions
Microsoft (May 23)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: May 23, 2013
********************************************************************
Summary
=======
The following bulletins have undergone minor revision increments.
Please see the bulletins for more details.
* MS12-044
Bulletin Information:
=====================
* MS12-044 - Important
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (May 22)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: May 22, 2013
********************************************************************
Summary
=======
The following bulletins have undergone minor revision increments.
Please see the bulletins for more details.
* MS12-081
* MS13-037
* MS13-MAY
Bulletin Information:
=====================
* MS12-081 - Critical
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (May 16)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: May 15, 2013
********************************************************************
Summary
=======
The following bulletins have undergone minor revision increments.
Please see the bulletins for more details.
* MS13-045
Bulletin Information:
=====================
* MS13-045 - Important
-...
Microsoft Security Advisory Notification
Microsoft (May 14)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: May 14, 2013
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (2846338)
- Title: Vulnerability in Microsoft Malware Protection Engine
Could Allow Remote Code Execution
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (May 14)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: May 14, 2013
********************************************************************
Summary
=======
The following bulletins have undergone minor revision increments.
Please see the bulletins for more details.
* MS13-009
Bulletin Information:
=====================
* MS13-009 - Critical
-...
Microsoft Security Bulletin Summary for May 2013
Microsoft (May 14)
********************************************************************
Microsoft Security Bulletin Summary for May 2013
Issued: May 14, 2013
********************************************************************
This bulletin summary lists security bulletins released for
May 2013.
The full version of the Microsoft Security Bulletin Summary for
May 2013 can be found at
http://technet.microsoft.com/security/bulletin/ms13-may.
With the release of...
Microsoft Security Bulletin Advance Notification for May 2013
Microsoft (May 09)
********************************************************************
Microsoft Security Bulletin Advance Notification for May 2013
Issued: May 9, 2013
********************************************************************
This is an advance notification of security bulletins that
Microsoft is intending to release on May 14, 2013.
The full version of the Microsoft Security Bulletin Advance
Notification for May 2013 can be found at...
Microsoft Security Advisory Notification
Microsoft (May 08)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: May 8, 2013
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (2847140)
- Title: Vulnerability in Internet Explorer Could Allow
Remote Code Execution
-...
Microsoft Security Advisory Notification
Microsoft (May 04)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: May 3, 2013
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (2847140)
- Title: Vulnerability in Internet Explorer Could Allow
Remote Code Execution
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Apr 26)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: April 26, 2013
********************************************************************
Summary
=======
The following bulletins have undergone minor revision increments.
Please see the bulletins for more details.
* MS12-043
Bulletin Information:
=====================
* MS12-043 - Critical
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Apr 24)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: April 24, 2013
********************************************************************
Summary
=======
The following bulletins have undergone minor revision increments.
Please see the bulletins for more details.
* MS13-028
* MS13-031
* MS13-036
* MS13-APR
Bulletin Information:
=====================
*...
Microsoft Security Bulletin Re-Releases
Microsoft (Apr 23)
********************************************************************
Title: Microsoft Security Bulletin Re-Releases
Issued: April 23, 2013
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.
* MS13-036 - Important
* MS13-apr
Bulletin Information:
=====================
* MS13-036 -...
Microsoft Security Bulletin Minor Revisions
Microsoft (Apr 18)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: April 17, 2013
********************************************************************
Summary
=======
The following bulletins have undergone minor revision increments.
Please see the bulletins for more details.
* MS13-036
Bulletin Information:
=====================
* MS13-036 - Important
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Apr 16)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: April 16, 2013
********************************************************************
Summary
=======
The following bulletins have undergone minor revision increments.
Please see the bulletins for more details.
* MS13-034
Bulletin Information:
=====================
* MS13-034 - Important
-...
Microsoft Security Bulletin Summary for April 2013
Microsoft (Apr 09)
********************************************************************
Microsoft Security Bulletin Summary for April 2013
Issued: April 9, 2013
********************************************************************
This bulletin summary lists security bulletins released for
April 2013.
The full version of the Microsoft Security Bulletin Summary for
April 2013 can be found at
http://technet.microsoft.com/security/bulletin/ms13-apr.
With the...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Re: Safe online banking
Nick FitzGerald (May 24)
Rob wrote:
With apologies to the master...
They forgot the "-- and even then I have my doubts."
Regards,
Nick FitzGerald
Safe online banking
Rob, grandpa of Ryan, Trevor, Devon & Hannah (May 24)
http://www.theonion.com/articles/after-checking-your-bank-account-remember-to-log-o,32260/
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
I refuse to believe corporations are people until Texas executes
one. - http://twitter.com/#!/ararubyan/status/115479037849239553
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links...
REVIEW: "Cloud Crash", Phil Edwards
Rob, grandpa of Ryan, Trevor, Devon & Hannah (May 24)
BKCLDCRS.RVW 20101009
"Cloud Crash", Phil Edwards, 2011, 978-1466408425, U$9.99
%A Phil Edwards PhilEdwardsInc.com philipjedwards () gmail com
%C Seattle, WA
%D 2011
%G 978-1466408425 1466408421
%I CreateSpace Independent Publishing Platform/Amazon
%O U$9.99
%O http://www.amazon.com/exec/obidos/ASIN/1466408421/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1466408421/robsladesinte-21
%O...
Re: US CERT: Washington, DC Radio Station Web Site Compromises
Paul Ferguson (May 21)
I don't recall seeing a US-CERT advisory when a particular website has
been compromised.
I think that it is only "of government interest" because these
particular watering hole attacks used compromised websites in the
Washington, D.C., area which are highly popular with people living in
that area -- namely government employees and government contractors.
See also:...
Re: US CERT: Washington, DC Radio Station Web Site Compromises
Jeffrey Walton (May 21)
Thanks Paul.
Have you ever seen US CERT issue against a website? Or is this new
reporting introduced with the recent email procedure change.
Jeff
Re: US CERT: Washington, DC Radio Station Web Site Compromises
Paul Ferguson (May 21)
No conspiracy theories here -- just "yet another" watering hole attack.
See also:
https://en.wikipedia.org/wiki/Watering_Hole
It has become a fairly common attack/victimization methodology.
- ferg
US CERT: Washington, DC Radio Station Web Site Compromises
Jeffrey Walton (May 21)
This is kind of interesting.... I don't believe I have ever
received a US CERT bulletin calling out a website for distributing the
flyby goodness.
I wonder if the radio station does not fully support the current
regime. Could it be more tactics like we have recently seen at the
IRS?
https://www.us-cert.gov/ncas/alerts/TA13-141A
Internet Census 2012 data search engine launched
Juha-Matti Laurio (May 21)
http://www.exfiltrated.com/querystart.php
Juha-Matti
OT: Attorney General Eric Holder on 'Too Big to Jail'
Jeffrey Walton (May 18)
http://www.americanbanker.com/issues/178_45/transcript-attorney-general-eric-holder-on-too-big-to-jail-1057295-1.html
The following is a transcript of Attorney General Eric Holder's
remarks before the Senate Judiciary Committee, in which he discusses
the idea that some banks are 'Too Big to Jail.'
Sen. Chuck Grassley, R-Iowa: In the case of bank prosecution. I'm
concerned we have a mentality of 'too big to jail' in...
Re: [funsec] Skype with care – Microsoft is reading everything you write
Jeffrey Walton (May 17)
That's not really practical in many cases. What do consumers have when
all carriers and handset manufacturers do it? It's certainly not
choice.
All are likely doing it to some degree or another. Again, no choice.
Monopolistic policy and practice in industry used to be kept in check.
Case studies include the steel, railroad, and oil barons. For the old
steel, railroad, and oil barons, the interesting thing (in my opinion)
was why it...
Re: Skype with care – Microsoft is reading everything you write
Blanchard, Michael (InfoSec) (May 17)
There is always a clause in ALL of those EULAs stating that they can change at any time, without notice usually too.
Your only recourse is to stop using the product if you don't like the EULA. Sucks yes, but until a better product
comes along that is as widely adopted, well, we're stuck.... Who's to say what Apple is doing with Facetime?
Those folks that complain about "evil empires" are the cause of their own...
Re: [funsec] Skype with care – Microsoft is reading everything you write
Jeffrey Walton (May 17)
In the US, they call those "Material Adverse Change" (MACs).
It's a bitch we have to accept those adverse changes just to get bug
fixes and security patches for defective products. It seems like
illegal tying to me, and I wonder why the FTC has not stepped in. In
the US, politicians are bought and sold like trading cards, so I don't
expect it to change anytime soon.
Jeff
Re: [funsec] Skype with care – Microsoft is reading everything you write
Rob, grandpa of Ryan, Trevor, Devon & Hannah (May 17)
As it happens, I'm currently reviewing an intriguing book ("Boilerplate") that
addresses all kinds of issues around "agreements" and consent. Particularly for
those of us who joined Skype before MS bought it, and therefore "agreed" to a
very different set of rules ...
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade ()...
Re: Skype with care
Joel Esler (May 17)
Skype is a free tool.
You get, what you pay for. Same with Google and their products, etc.
Re: Skype with care
Jeffrey Walton (May 16)
Nice, but I don't agree with some of Bott's conclusions. Especially
the one made about visiting a site/fetching a header. If it's just host
reputation, all the reputation service needs is the URL, without the
need to visit the host.
Do you think a M$ engineer tossed us a bread crumb to let us know the
degree of invasion? Why else take the risk of leaking interception
results like this originating from encrypted traffic that users expect...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
Alert - Upcoming Mail Delivery Changes
US-CERT Alerts (May 10)
National Cyber Awareness System
US-CERT Alert - Upcoming Mail Delivery Changes
Thank you for being a subscriber to our US-CERT Alerts product. We
are striving to keep our capabilities at the leading edge of
communication. You may have noticed we've redesigned and upgraded our
website recently and as a part of that process, on May 14th, we are
migrating to GovDelivery as our email subscription service. As a
current subscriber you will...
Current Activity - Upcoming Mail Delivery Changes
Current Activity (May 10)
National Cyber Awareness System
Thank you for being a subscriber to our US-CERT Current Activity
product. We are striving to keep our capabilities at the leading edge
of communication. You may have noticed we've redesigned and upgraded
our website recently and as a part of that process, on May 14th, we
are migrating to GovDelivery as our email subscription service. As a
current subscriber you will need to do nothing. You will notice a...
Current Activity - Microsoft Releases Advance Notification for May 2013 Security Bulletin
Current Activity (May 09)
National Cyber Awareness System
Microsoft Releases Advance Notification for May 2013 Security Bulletin
Original release date: May 09, 2013
Microsoft has issued a Security Bulletin Advanced Notification
indicating that its May release will contain 10 bulletins. These
bulletins will have the severity rating of critical and important and
will be for Microsoft Windows, Office, Internet Explorer, .NET
Framework, Lync, and Windows Essentials. These...
Current Activity - Adobe Releases Security Advisory for ColdFusion
Current Activity (May 09)
National Cyber Awareness System
Adobe Releases Security Advisory for ColdFusion
Original release date: May 09, 2013
Adobe has identified a critical vulnerability affecting ColdFusion 10,
9.0.2, 9.0.1, 9.0, and earlier versions for Windows, Macintosh, and
UNIX. This vulnerability (CVE-2013-3336) could permit an unauthorized
user to remotely retrieve files stored on a server. There are reports
that an exploit of this vulnerability is publicly...
Current Activity - Microsoft Releases Security Advisory for Internet Explorer
Current Activity (May 07)
National Cyber Awareness System
Microsoft Releases Security Advisory for Internet Explorer
Original release date: May 07, 2013
Microsoft is investigating public reports of a remote code execution
vulnerability in Internet Explorer 8 and is aware of attacks that
attempt to exploit this vulnerability. This vulnerability may allow an
attacker to execute arbitrary code if a user accesses a specially
crafted website. Microsoft is actively working...
Current Activity - Cisco Releases Security Advisories
Current Activity (Apr 25)
National Cyber Awareness System
Cisco Releases Security Advisories
Original release date: April 25, 2013
Cisco has released three security advisories to address vulnerabilities
affecting Cisco NX-OS-based products, Cisco Device Manager, and Cisco
Unified Computing System. These vulnerabilities may allow an attacker to
bypass authentication controls, execute arbitrary code, obtain sensitive
information, or cause a denial-of-service condition....
Current Activity - Apple Releases Security Updates for Safari
Current Activity (Apr 18)
National Cyber Awareness System
Apple Releases Security Updates for Safari
Original release date: April 18, 2013
Apple has released security updates for Safari 6.0.4 WebKit to address
multiple vulnerabilities. These vulnerabilities could allow a remote
attacker to execute arbitrary code or cause a denial-of-service
condition.
Safari 6.0.4 WebKit updates are available for the following versions:
* OS X Lion v10.7.5
* OS X Lion Server v10.7.5...
Alert TA13-107A: Oracle has released multiple updates for Java SE
US-CERT Alerts (Apr 18)
National Cyber Awareness System
TA13-107A: Oracle has released multiple updates for Java SE
Original release date: April 17, 2013
Systems Affected
* JDK and JRE 7 Update 17 and earlier
* JDK and JRE 6 Update 43 and earlier
* JDK and JRE 5.0 Update 41 and earlier
* JavaFX 2.2.7 and earlier
Overview
Oracle has released a Critical Patch Update (CPU) for Java SE. Oracle
strongly recommends that customers apply CPU fixes as soon as possible....
Current Activity - Scams Exploiting Boston Marathon Explosion
Current Activity (Apr 17)
National Cyber Awareness System
Scams Exploiting Boston Marathon Explosion
Original release date: April 17, 2013
Malicious actors are exploiting the April 15 explosions at the Boston
Marathon in attempts to collect money intended for charities and to
spread malicious code. Fake websites and social networking accounts have
been set up to take advantage of those interested in learning more
details about the explosions or looking to contribute to...
Current Activity - Malicious Actors May Take Advantage of Boston Marathon Explosion
Current Activity (Apr 17)
National Cyber Awareness System
Malicious Actors May Take Advantage of Boston Marathon Explosion
Original release date: April 17, 2013
Historically, scammers, spammers, and other malicious actors capitalize
on major news events by registering domain names related to the events.
Malicious actors may attempt to exploit the April 15, 2013 explosions at
the Boston Marathon in this way. Some may use fake domains to take
advantage of those interested...
Current Activity - Oracle Releases April 2013 Security Advisory
Current Activity (Apr 17)
National Cyber Awareness System
Oracle Releases April 2013 Security Advisory
Original release date: April 17, 2013
Oracle has released its Critical Patch Update for April 2013 to address
128 vulnerabilities across multiple products. This update contains the
following security fixes:
* 4 for Oracle Database Server
* 29 for Oracle Fusion Middleware
* 6 for Oracle E-Business Suite
* 3 for Oracle Supply Chain Products Suite
* 11 for Oracle...
Current Activity - WordPress Sites Targeted by Mass Brute-force Botnet Attack
Current Activity (Apr 15)
National Cyber Awareness System
WordPress Sites Targeted by Mass Brute-force Botnet Attack
Original release date: April 15, 2013
US-CERT is aware of an ongoing campaign targeting the content management
software WordPress, a free and open source blogging tool and web
publishing platform based on PHP and MySQL. All hosting providers
offering WordPress for web content management are potentially targets.
Hackers reportedly are utilizing over 90,000...
Current Activity - Microsoft Releases April 2013 Security Bulletin
Current Activity (Apr 09)
National Cyber Awareness System
Microsoft Releases April 2013 Security Bulletin
Original release date: April 04, 2013 | Last revised: April 09, 2013
Microsoft has released updates to address vulnerabilities in Microsoft
Windows, Office, Internet Explorer, Server Software, and Security
Software as part of the Microsoft Security Bulletin summary for April
2013. These vulnerabilities could allow remote code execution, elevation
of privilege,...
Current Activity - Microsoft Releases Advance Notification for April 2013 Security Bulletin
Current Activity (Apr 04)
National Cyber Awareness System
Microsoft Releases Advance Notification for April 2013 Security Bulletin
Original release date: April 04, 2013
Microsoft has issued a Security Bulletin Advance Notification indicating
that its April release will contain nine bulletins. These bulletins will
have the severity rating of critical and important and will be for
Microsoft Windows, Office, Internet Explorer, Server Software, and
Security Software. These...
Current Activity - Mozilla Releases Multiple Updates
Current Activity (Apr 03)
National Cyber Awareness System
Mozilla Releases Multiple Updates
Original release date: April 03, 2013
The Mozilla Foundation has released updates to address multiple
vulnerabilities. These vulnerabilities could allow an attacker to
initiate a cross-site scripting attack or obtain sensitive information,
enable privilege escalation or execute arbitrary code, or cause a
denial-of-service condition.
Updates to the following products are...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
Re: plone, rrdtool, zenoss bugs
Kurt Seifried (May 24)
The original reporter never replied =( [ping!]
Anyways:
It just doesn't sound like much of a problem (user logs in, passes
some mucky data to rrdtool causing it to crash, the system is fine,
that instance of rrdtool dies and gets cleaned up). No real trust
boundary gets violated/no DoS in any meaningful way as I understand
it. Unless an exploitable scenario comes to light I don't think this
is an issue really.
Re: plone, rrdtool, zenoss bugs
Henri Salo (May 24)
Hard to say how many and which applications are using this library with user
input. At least original reporter pointed out Zenoss-case. I can find out if
there are others if that is needed, but obviously it's impossible to list all use
cases.
---
Henri Salo
Re: CVE request: MediaWiki chunked uploads vulnerability
Kurt Seifried (May 24)
Nope, see below. email me if you want to become the official mediawiki
requester.
1.20.6
Download:
http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.6.patch.gz.sig
1.19.7
Download:
http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.7.patch.gz.sig
Please use CVE-2013-2114 for this issue.
Re: plone, rrdtool, zenoss bugs
Kurt Seifried (May 24)
How likely is an attacker to be able to pass a format string to it though?
Re: CVE request: dovecot : "APPEND" Parameters Processing Denial of Service Vulnerability
Kurt Seifried (May 24)
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695138#15
Yeah, we can't guarantee that can we. For all we know someone used it
in a major deployment/system image/who knows.
Please use CVE-2013-2111 for this issue.
[OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)
Jeremy Stanley (May 23)
OpenStack Security Advisory: 2013-013
CVE: CVE-2013-2013
Date: May 23, 2013
Title: Keystone client local information disclosure
Reporter: Jake Dahn (Nebula)
Products: python-keystoneclient
Affects: All versions
Description:
Jake Dahn from Nebula reported a vulnerability that the keystone
client only allows passwords to be updated in a clear text
command-line argument, which may enable other local users to obtain
sensitive information by listing...
Fwd: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X Window System client libraries
Alan Coopersmith (May 23)
-------- Original Message --------
Subject: [ANNOUNCE] X.Org Security Advisory: Protocol handling issues in X
Window System client libraries
Date: Thu, 23 May 2013 08:05:22 -0700
From: Alan Coopersmith <alan.coopersmith () oracle com>
To: xorg-announce () lists x org
CC: xorg () lists x org, xorg-devel () lists x org
X.Org Security Advisory: May 23, 2013
Protocol handling issues in X Window System client libraries...
CVE-2013-2069 livecd-tools: improper handling of passwords
Brian C. Lane (May 23)
https://bugzilla.redhat.com/show_bug.cgi?id=964299
The livecd-tools package provides support for reading and executing
Kickstart files in order to create a system image. It was discovered
that livecd-tools gave the root user an empty password rather than
leaving the password locked in situations where no 'rootpw' directive
was used or when the 'rootpw --lock' directive was used within the
Kickstart file, which could allow...
Re: CVE Request (minor) -- Python 3.2: DoS when matching certificate with many '*' wildcard characters {was: [oss-security] CVE Request (minor) -- python-backports-ssl_match_hostname: Denial of service when matching certificate with many '*' wildcard characters }
Tomas Hoger (May 23)
There are surely differences in other parts of python code, but in this
case, affected functionality is the same in python 3 and
python-backports-ssl_match_hostname (the latter just contains a
functionality copied from the former). Given that affected code is
identical, I don't believe differences in other parts of codebases not
related to the flaw should force split. I.e. I'd follow:
AB4) If there are multiple products, vendors,...
Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability
Oden Eriksson (May 22)
On Wednesday, 22 May 2013 at 15.31.44, Matthias Weckbecker wrote:
Whoops. You're right.
Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability
The Doctor (May 22)
For what it's worth, I'm getting the same results with the same
version of thttpd.
$ lynx -dump drwho.virtadpt.net:80/../../../../../../../../etc/passwd
root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
operator:*:2:5:System &:/operator:/sbin/nologin
bin:*:3:7:Binaries Commands and Source,,,:/:/sbin/nologin
smmsp:*:25:25:Sendmail Message Submission
Program:/nonexistent:/sbin/nologin...
CVE-2013-2073 transifex-client: Does not validate HTTPS server certificate (fixed in transifex-client v0.9)
Jan Lieskovsky (May 22)
Hello Steve, vendors,
It was found that Transifex command-line client, a command line tool for Transifex
translation management, did not perform X.509 certificate verification when using
secured SSL connection. A man-in-the-middle attacker could use this flaw to spoof
a Transifex server via an arbitrary certificate.
The CVE identifier of CVE-2013-2073 has been allocated to this issue.
Acknowledgements:
This issue was discovered by Florian...
Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability
Tavis Ormandy (May 22)
Matthias Weckbecker wrote:
I can't reproduce here.
It's probably not a good sign that he posted some non-shadow passwords in
the output :)
Tavis.
Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability
George Theall (May 22)
This seems like a configuration issue rather than a vulnerability. The code in libhttpd.c seems to filter directory
traversal sequences. And I was able to reproduce this only if thttpd was serving files out of the system root directory
(e.g., "thttpd -d /"), in which case the directory traversal sequences are irrelevant.
George
Re: Fwd: [Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability
Zate (May 22)
I got the same results. Locally without http it shows me the local
/etc/passwd and /etc/system, remotely against the reported version I get
file not found with both lynx -dump and GET.
Zate
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
SecAppDev hits the road
Kenneth R. van Wyk (May 22)
Greetings SC-L subscribers,
I suspect many of you have heard of SecAppDev (http://secappdev.org) over the years. It's a non-profit training event
that has hitherto been held in Leuven, Belgium for 1 week each Feb/Mar. Well, we're excited to say that this year we've
added a second event: SecAppDev Dublin!
Yes, SecAppDev will be hitting the road for its first foray outside of Belgium. For one week in July (15th-19th), we'll...
2013 OWASP Mobile Top 10 Call For Data
Jim Manico (May 21)
Hello All,
We are pleased to announce the 2013 call for data to help refresh the Mobile Top 10 Risks for 2013 and publish a more
formal publication. We are encouraging everyone to get involved.
The current Mobile Top Ten Risks are located here:
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab.3DTop_Ten_Mobile_Risks
- What do we need? -
Right now we are looking for data that represents the current state of mobile...
CFP: Workshop on Risk Perception in IT Security and Privacy at SOUPS
Larry Koved (May 20)
Short position statements due next Thursday, May 30
Workshop on Risk Perception in IT Security and Privacy
A workshop of the Symposium On Usable Privacy and Security (SOUPS)
http://cups.cs.cmu.edu/soups/2013/
For full details, please see: http://cups.cs.cmu.edu/soups/2013/risk.html
This workshop is an opportunity to bring together researchers and
practitioners to share experiences, concerns and ideas about how to
address the gap between...
Correction: W2SP 2013 - Web 2.0 Security and Privacy workshop - Final call for participation
Larry Koved (May 20)
*** My apologies for another email. Only ONE week until the workshop! ***
Call for participation: Only ONE week until the workshop!
The workshop and program chairs invite you to participate in the 7th W2SP
workshop.
The goal of this one-day workshop is to bring together researchers and
practitioners from academia and industry to focus on understanding Web
security and privacy issues, and to establish new collaborations in these
areas....
W2SP 2013 - Web 2.0 Security and Privacy workshop - Final call for participation
Larry Koved (May 20)
Call for participation: Only three weeks until the workshop!
The workshop and program chairs invite you to participate in the 7th W2SP
workshop.
The goal of this one-day workshop is to bring together researchers and
practitioners from academia and industry to focus on understanding Web
security and privacy issues, and to establish new collaborations in these
areas.
The list of this year's accepted papers / presentations can be found...
MoST 2013 - Mobile Security and Technology workshop - final call for participation
Larry Koved (May 20)
Call for participation: One week until the workshop!
The workshop and program chairs invite you to participate in the 2nd MoST
workshop.
Mobile Security Technologies (MoST) brings together researchers,
practitioners, policy makers, and hardware and software developers of
mobile systems to explore the latest understanding and advances in the
security and privacy for mobile devices, applications, and systems.
The list of this year's...
SearchSecurity: BSIMM4
Gary McGraw (May 11)
hi sc-l,
Sammy Migues, Jacob West and I wrote an introductory article about BSIMM4 for SearchSecurity. It was just posted on
SearchSecurity: http://bit.ly/11qlIBi
(or http://searchsecurity.techtarget.com/feature/BSIMM4-measures-and-advances-secure-application-development)
This article provides a great way to get up to speed on the BSIMM project in its BSIMM4 instantiation. The BSIMM
Community is expanding rapidly, and we're looking...
Ruxcon 2013 Call For Papers
cfp (May 08)
Ruxcon 2013 Call For Presentations
Melbourne, Australia, October 26th-27th
CQ Function Centre
http://www.ruxcon.org.au/call-for-papers/
The Ruxcon team is pleased to announce the Call For Presentations for Ruxcon 2013.
This year the conference will take place over the weekend of the 26th and 27th
of October at the CQ Function Centre, Melbourne, Australia.
.[x]. About Ruxcon .[x].
Ruxcon is a premier technical computer security conference...
Silver Bullet 85: Mobile Security with Jim Routh and Scott Matsumoto
Gary McGraw (May 03)
hi sc-l,
Is mobile security a brand new day or the same old same old? The answer depends on how you look at the problem. If
you are a practitioner in the trenches, there are many new and interesting shiny bits to mobile security. If you are a
security veteran, things look very familiar. In this episode of Silver Bullet, Jim Routh, Scott Matsumoto and I take
on the Necker Cube of mobile security. Jim Routh is the ultimate security...
CFP: Workshop on Risk Perception in IT Security and Privacy
Larry Koved (May 03)
Workshop on Risk Perception in IT Security and Privacy
A workshop of the Symposium On Usable Privacy and Security (SOUPS)
http://cups.cs.cmu.edu/soups/2013/
For full details, please see: http://cups.cs.cmu.edu/soups/2013/risk.html
This workshop is an opportunity to bring together researchers and
practitioners to share experiences, concerns and ideas about how to
address the gap between user perception of IT risks and security /...
W2SP 2013 - Web 2.0 Security and Privacy workshop - call for participation
Larry Koved (May 03)
Only three weeks until the workshop.
Call for participation!
The workshop and program chairs invite you to participate in the 7th W2SP
workshop.
The goal of this one-day workshop is to bring together researchers and
practitioners from academia and industry to focus on understanding Web
security and privacy issues, and to establish new collaborations in these
areas.
The list of this year's accepted papers / presentations can be found...
MoST 2013 - Mobile Security and Technology workshop - call for participation
Larry Koved (May 03)
Three weeks until the workshop.
Call for participation!
The workshop and program chairs invite you to participate in the 2nd MoST
workshop.
Mobile Security Technologies (MoST) brings together researchers,
practitioners, policy makers, and hardware and software developers of
mobile systems to explore the latest understanding and advances in the
security and privacy for mobile devices, applications, and systems.
The list of this year's...
Breakpoint 2013 Call For Papers
cfp (May 01)
Breakpoint 2013 Call For Papers
Melbourne, Australia, October 24th-25th
Intercontinental Rialto
http://www.ruxconbreakpoint.com
.[x]. Introduction .[x].
The Ruxcon team is pleased to announce Call For Papers for Breakpoint 2013.
Breakpoint showcases the work of expert security researchers from around the
world on a wide range of topics. This conference is organised by the Ruxcon
team and offers a specialised security conference to...
Re: BSIMM Diagrams
Craig Heath (Apr 23)
Thanks Ivan! Unfortunately I wasn't able to look at this straight away,
and when I go to the link now I get "ME-ERR-002 Sorry, we couldn't find the
page you were looking for."
Would you be able to put it up again?
Cheers!
- Craig.
Comparing a firm's BSIMM measurement against a benchmark
Iván Arce (Apr 20)
Hello
I've updated the BSIMM visualizations I posted about yesterday.
Here are two sample visualizations to compare a firm's measurement
against a benchmark ("Earth").
The first one uses the size of the boxes to indicate how prevalent is
the activity (percentage of firms where the activity was observed) and
color to indicate that the activity was observed at the firm.
http://www-958.ibm.com/v/298285
In the second treemap...
Educause Security Discussion — Securing networks and computers in an academic environment.
Re: email address as directory information
Shalla, Kevin (May 21)
We have defined e-mail as part of directory information. Not doing so would have seriously hampered students'
communicating with each other. We do get FOIA requests, but we do charge for that, and they're not overwhelming.
Kevin
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John
Forker
Sent: Friday, May 17, 2013 11:17 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject:...
UTM Firewall vs IPS appliance
John Kaftan (May 20)
Hello:
We are looking at refreshing our firewalls and are wondering what others
are doing in terms of IPS. Is the UTM firewall winning over a separate IPS
appliance? What are you using and why?
I could see a few different factors when considering this decision.
1. Budget. Single appliance is likely less expensive than 2.
2. Culture. If security is a separate dept than networking perhaps it
would make more sense to have the security team...
Re: Question About Password Resets
Schumacher, Adam J. (May 17)
We have two mechanisms in place. One is a two-factor online reset process. When a person activates their account,
they must provide answers to security questions as well as either an external email or cell phone number to which we
send a reset code. Once they've answered the questions and entered the code, they can set a new password.
The other mechanism is for individuals who either can't remember the answers to their questions,...
Re: Palo Alto Firewall and Sorenson VP 200 (Video Phones)
Peter Setlak (May 17)
Harry,
We use PA 5050's on our edge. We do not use Sorenson video phones. However,
we did experience an issue with Jumbo Frames with a device on our network.
Are the video phones wired? Are they on 1Gb or 100Mb ports? Try 100Mb and
see if that fixes the issue. There are also settings on the FW to allow
jumbo frames (which we did not adjust as we're hesitant to change the
entire edge for one device). Otherwise, are the video phones...
Palo Alto Firewall and Sorenson VP 200 (Video Phones)
Harry Zahlis (May 17)
Our District just purchased and implemented a new Palo Alto Networks firewall. We have run across an issue which has
stumped a lot of people.
Our deaf faculty and students use a device provided by Sorenson (Sorenson ntouch VP-200) for telecommunication. At
first we opened the specific ports required by the Sorenson devices but we could not place phone calls. We opened all
ports, TCP and UDP in both directions (any-any) and we still cannot...
email address as directory information
John Forker (May 17)
We are deliberating over whether we should or shouldn't include student
email addresses in our list of directory information elements as allowed
by FERPA. If your institution has chosen not to include email addresses as
part of directory information, how do you control unauthorized access in a
way that doesn't stymy collaboration among students and among students and
industry representatives? If your institution has chosen email...
REN-ISAC and SANS partner for highly discounted technical and awareness training; WEBCAST May 21
Doug Pearson (May 17)
SANS and REN-ISAC are partnering to bring exceptional security awareness
and technical training to the education community at substantially
discounted pricing.
An interactive webcast is scheduled for Tuesday, May 21 to explain the
program and provide opportunity for Q&A.
The special pricing is available during a purchase commitment window,
June 1 through July 31, for:
- SANS Securing The Human security awareness training,
- SANS...
Re: Question About Password Resets
Valdis Kletnieks (May 16)
On Thu, 16 May 2013 11:00:00 -0500, Jim Pardonek said:
No matter what you end up doing, remember to leave a flag for "this account
may not be reset by phone/self-serve/whatever", so you can flag high-value
or high-risk accounts as "tough noogies, they have to come in with official ID".
And remember - it doesn't have to be a high-priv account. I've heard of
plenty of incidents of stalkers and ex-SO's social...
Re: Question About Password Resets
David Curry (May 16)
We require everyone to provide their university identification number,
their username, and their date of birth. If the person is (or ever has
been) an employee, we also require the last four digits of their SSN/ITIN.
If the individual does not know his or her username he or she can look it
up by providing identification number and last name.
If the individual does not know his or her identification number, the
various departments (Human...
Re: Question About Password Resets
David Seidl (May 16)
Jim
We use a voice recognition process - our helpdesk finds a co-worker who is known to us who we can conference in with
that person to identify them. It's not ideal, but we can almost always find someone who we do know and recognize. If
that fails - and it does at times - we don't feel as bad about making them come in with their ID in hand.
David
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV...
Re: Question About Password Resets
Roger A Safian (May 16)
We have security questions and answers set when the accounts are created. I'm not a fan of them myself, but, I
recognize their usefulness in situations like this. If those fail, the user would need to contact a department chair,
program coordinator, etc. and have that person contact our help desk in order to authorize the change.
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf...
Question About Password Resets
Jim Pardonek (May 16)
We've recently had some issues with our current password reset process, particularly when a faculty or staff member is
out of town and calls for a password reset. We also have an issue because our campuses are spread out geographically
which makes it difficult for someone to come in person. I apologize if this has been discussed before, but I was
wondering what other institutions are doing regarding password resets via telephone? Or do...
Job Openings - Appalachian State University - CISO and Director of Information Analytics
Anthony J. Santucci (May 15)
Greetings!
We have two new positions at AppState that are currently being advertised.
Please pass this along to anyone you think might be interested in coming to
the beautiful Blue Ridge Mountains of North Carolina!
Chief Information Security Officer
http://hrs.appstate.edu/employment/epa-jobs/801
Reporting to the Associate Vice Chancellor and Chief Information Officer of
Information Technology Services, the Chief Information Security Officer...
clickable links in instant messaging programs
Fowler, Becky Thurmond (May 15)
I'm trying to gauge what other institutions are doing regarding clickable links in instant messaging programs. We
currently block links that are sent through our Microsoft Lync implementation but we'd like to determine what other
peer institutions are doing.
Does your university block clickable links through technical means? Do you allow clickable links but display a pop-up
or warning message? Or do you deal with this issue...
Job: Info Sec Analyst in Salem, MA
George Moore (May 14)
Greetings:
I'm hiring an Information Security Analyst (ISA) for Salem State University in Salem Massachusetts. An ideal candidate
is motivated and enthusiastic about security. The ISA is responsible for monitoring the university network for security
vulnerabilities and compromised systems. The candidate accomplishes these goals by monitoring intrusion detection
systems, performing vulnerability assessments and management of network...
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: Mailman reverting settings
Rich Kulawiec (May 24)
1. The mailman-users list is here:
http://mail.python.org/mailman/listinfo/mailman-users
2. Blocking one IP address is not usually sufficient.
If you don't need email from India (or any other country for
that matter) to reach that list, then you should block the
entire country from that VM. See http://ipdeny.com/ for lists.
---rsk
Re: Geoip lookup
shawn wilson (May 24)
I knew this would come up. Actually I'm surprised and glad it waited until
I got a solution first.
I'll address a few points:
- this is mainly to stop stupid things from sending packets from countries
we will probably never want to do business with (I'm looking mainly at that
big country under APNIC).
- I'd prefer a solution that blocks all traffic that is routed through
those countries so that they could never see data from...
Re: Geoip lookup
Jean-Francois Mezei (May 24)
Correct.
But the fact remains that a lot of services assume geolocation works and
do so in terms of restricting access to their content (often due to
legacy content rights that require geolocation).
One extreme example. A sports equipment retailer operates under a
different banner in the province of Québec than in the rest of Canada.
They geolocate the user's province and prevent québeckers from accessing
the "rest of canada"...
RE: Geoip lookup
Paul Kelly :: Blacknight (May 24)
In theory Maxmind is quite accurate. From 1 x /20 that we own we tag different space with the country: flag in the RIPE
db. Maxmind picks this up after approx 30 days and says it's in Country X vrs country Y.
e.g.
$ geoiplookup 81.17.247.64
GeoIP Country Edition: US, United States
$ geoiplookup 81.17.247.1
GeoIP Country Edition: IE, Ireland
Obviously the RIPE db structure makes this simple. As for other RIRs it's not as easy. Like...
Re: Geoip lookup
Owen DeLong (May 24)
That was exactly my point, Bill... If you have operations in RIPE and ARIN regions, it is entirely possible for you to
obtain addresses from RIPE or ARIN and use them in both locations, or, obtain addresses from both RIPE and ARIN and use
them in their respective regions, or mix and match in just about any imaginable way. Thus, IP addresses don't reside in
regions, either. They are merely issued somewhat regionally.
Owen
Re: Geoip lookup
bmanning (May 24)
Just because I have operations in one region does not preclude me from having operations
in other regions. YMMV of course.
/bill
Re: Geoip lookup
Owen DeLong (May 24)
Really? Which ones? I thought they were only issued to organizations that had operations in regions.
Owen
Re: Geoip lookup
Andreas Larsen (May 24)
If we continue to support and build tools around this geolocation based
ip-drivel, we give people a false notion that this is something we should
do.
Identify users with some other means than Geoip.
A couple of things come to mind.
* normal postage mail that they have to collect at their home and send
back confirming that they are indeed in the country from where their IP is
* Passports scanned.
* Fingerprinting
Or just get rid of the whole...
Re: Geoip lookup
David Conrad (May 24)
Sure, but pragmatically, it's an 80% solution.
True, according to (at least some of) the RIRs they reside in regions...
Regards,
-drc
Re: Widespread Outages
Jason Hellenthal (May 24)
That's a no.
Not quite sure what you would see in these statistics given the weather conditions around the US.
Might be more useful looking at a direct route from a specific point to destination where it might seem like things are
awry. Looking glasses would be of more help to determine that.
Though I can say mobile YouTube traffic has been quirky lately.
Re: Geoip lookup
Andreas Larsen (May 24)
The whole idea of Geoip is flawed. IP doesn't reside in countries, they
are routable addresses that can reside everywhere, I guess soon on mars
even.
Kind regards
Andreas Larsen
IP-Only Telecommunication AB| Postal address: 753 81 UPPSALA | Visiting address:
S:t Persgatan 6, Uppsala |
Telephone: +46 (0)18 843 10 00 | Direct: +46 (0)18 843 10 56
www.ip-only.se
On 2013-05-24 02:54, Rob Seastrom <rs () seastrom com> wrote:
Re: Geoip lookup
Rob Seastrom (May 24)
This may be just a case of getting what you pay for, but Maxmind marks
entire netblocks as proxies, puts 'em in the wrong country, and
ignores repeated efforts by the registrant of the address space to set
the record straight. The problem comes when people actually do stuff
with the information, like block access to legitimate web sites
because they're in "proxy space" and therefore assumed to be bad guys
(believe it or not...
Re: Geoip lookup
shawn wilson (May 23)
Actually, I can't find anything better, so I think I'm going to query
the bottom of ranges like so:
% dig +short 0.0.66.77.origin.asn.cymru.com TXT
"16245 | 77.66.0.0/17 | DK | ripencc | 2007-01-24"
% dig +short 0.0.65.77.origin.asn.cymru.com TXT
"13110 | 77.65.0.0/17 | PL | ripencc | 2007-01-17"
According to their web site, they won't block me if I don't do
anything stupid "If you are planning on...
Re: Geoip lookup
Joe Abley (May 23)
Could be. You've looked at this more than I have, now -- I was mainly trying to point out that bulk data retrieval is a
possible option so you could avoid whois-hammering :-)
Joe
Re: Geoip lookup
chip (May 23)
I've used the MaxMind Lite geo-ip database plus some perl modules and a BGP
table to get something fairly close. Anything in the BGP table that was
larger than a /20 I split into /20's. For my use case, this was close
enough. I then grabbed 30 or so IP's within the range and geo-ip mapped
them. You can then apply some algebra and get a general idea of where
things are or are not.
Things I used:...
Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 27.28
RISKS List Owner (May 17)
RISKS-LIST: Risks-Forum Digest Friday 17 May 2013 Volume 27 : Issue 28
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.28.html>
The current issue can be...
Risks Digest 27.27
RISKS List Owner (May 05)
RISKS-LIST: Risks-Forum Digest Saturday 4 April 2013 Volume 27 : Issue 27
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.27.html>
The current issue can be...
Risks Digest 27.26
RISKS List Owner (Apr 24)
RISKS-LIST: Risks-Forum Digest Tuesday 23 April 2013 Volume 27 : Issue 26
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.26.html>
The current issue can be...
Risks Digest 27.25
RISKS List Owner (Apr 19)
RISKS-LIST: Risks-Forum Digest Friday 19 April 2013 Volume 27 : Issue 25
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.25.html>
The current issue can be...
Risks Digest 27.24
RISKS List Owner (Apr 07)
RISKS-LIST: Risks-Forum Digest Sunday 7 April 2013 Volume 27 : Issue 24
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.24.html>
The current issue can be...
Risks Digest 27.23
RISKS List Owner (Mar 31)
RISKS-LIST: Risks-Forum Digest Saturday 30 March 2013 Volume 27 : Issue 23
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.23.html>
The current issue can be...
Risks Digest 27.22
RISKS List Owner (Mar 24)
RISKS-LIST: Risks-Forum Digest Saturday 23 March 2013 Volume 27 : Issue 22
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.22.html>
The current issue can be...
Risks Digest 27.21
RISKS List Owner (Mar 22)
RISKS-LIST: Risks-Forum Digest Thursday 21 March 2013 Volume 27 : Issue 21
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.21.html>
The current issue can be...
Risks Digest 27.20
RISKS List Owner (Mar 18)
RISKS-LIST: Risks-Forum Digest Monday 18 March 2013 Volume 27 : Issue 20
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.20.html>
The current issue can be...
Risks Digest 27.19
RISKS List Owner (Mar 12)
RISKS-LIST: Risks-Forum Digest Monday 11 March 2013 Volume 27 : Issue 19
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.19.html>
The current issue can be...
Risks Digest 27.18
RISKS List Owner (Mar 06)
RISKS-LIST: Risks-Forum Digest Wednesday 6 March 2013 Volume 27 : Issue 18
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.18.html>
The current issue can be...
Risks Digest 27.17
RISKS List Owner (Feb 25)
RISKS-LIST: Risks-Forum Digest Sunday 24 February 2013 Volume 27 : Issue 17
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.17.html>
The current issue can be...
Risks Digest 27.16
RISKS List Owner (Feb 14)
RISKS-LIST: Risks-Forum Digest Thursday 14 February 2013 Volume 27 : Issue 16
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.16.html>
The current issue can...
Risks Digest 27.15
RISKS List Owner (Jan 29)
RISKS-LIST: Risks-Forum Digest Tuesday 29 January 2013 Volume 27 : Issue 15
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.15.html>
The current issue can be...
Risks Digest 27.14
RISKS List Owner (Jan 23)
RISKS-LIST: Risks-Forum Digest Tuesday 22 January 2013 Volume 27 : Issue 14
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.14.html>
The current issue can be...
Data Loss — Data Loss covers large-scale personal data loss and theft incidents. This archive combines the main list (news releases) and the discussion list.
Man to serve 36 months for fraud, ID theft
Erica Absetz (May 23)
http://columbiadailyherald.com/sections/news/local-news/man-serve-36-months-fraud-id-theft.html
A former Spring Hill business owner convicted of wire fraud and
aggravated identity theft has been sentenced to 36 months in prison.
Stephen McLaughlin, 46, of Pelham, New Hampshire, previously owned
construction equipment company EquipLinq, Co., in Spring Hill and was
accused of forging the signatures of EquipLinq investors and customers
on false...
ENRC fears data loss after burglary and system is hacked
Erica Absetz (May 23)
http://www.telegraph.co.uk/finance/newsbysector/industry/mining/10075810/ENRC-fears-data-loss-after-burglary-and-system-is-hacked.html
The laptop was taken during a domestic burglary, the company said in a
statement on Thursday.
ENRC notified the Information Commissioner of the "two incidents of
potential loss of data" and has offered the staff member affected
identity protection.
It has also upgraded its systems to improve security....
Data breach may affect 23,000 Mainers who bought tickets online
Erica Absetz (May 23)
http://www.wcsh6.com/news/article/244721/2/Data-breach-may-affect-Mainers-who-bought-tickets-online
AUGUSTA, Maine (NEWS CENTER) - The Maine Attorney General's office is
issuing an alert for people who may have used an out-of-state service
for buying tickets for shows and other forms of entertainment
recently.
The service, Vendini, Inc., has been hacked, exposing financial
information for tens of thousands of customers.
Vendini sent a...
Data breach puts DHS employees at risk of identity theft
Erica Absetz (May 23)
http://www.federalnewsradio.com/473/3332836/Data-breach-puts-DHS-employees-at-risk-of-identity-theft
Tens of thousands of current and former Homeland Security Department
employees are at risk of identity theft after officials discovered a
vulnerability in a vendor's system used for processing background
investigations.
All DHS employees working in the headquarters office, for Customs and
Border Protection, and for Immigration and Customs...
NYPD detective charged with hacking
Erica Absetz (May 22)
Edwin Vargas, a detective with the New York City Police Department
(NYPD) has been arrested on hacking charges. Vargas was arrested this
morning outside his residence in Bronxville, New York.
Manhattan U.S. Attorney Preet Bharara said, “As alleged, Detective
Edwin Vargas paid thousands of dollars for the ability to illegally
invade the privacy of his fellow officers and others. He is also
alleged to have illegally obtained information about...
Former Elgin Deputy Police Chief Charged With ID Theft
Erica Absetz (May 22)
http://chicago.cbslocal.com/2013/05/21/former-elgin-deputy-police-chief-charged-with-id-theft/
ST. CHARLES, Ill. (STMW) – Elgin’s former deputy police chief was
indicted Tuesday for illegally accessing emails and using police
resources for personal research.
A Kane County grand jury indicted Robert Beeter, 51, of Elgin, on 16
counts of felony identity theft and four counts of official
misconduct, according to a statement from the Kane...
Idaho State University Settles HIPAA Security Case for $400,000
Erica Absetz (May 22)
http://www.phiprivacy.net/?p=12728
Idaho State University (ISU) has agreed to pay $400,000 to the U.S.
Department of Health and Human Services (HHS) to settle alleged violations
of the Health Insurance Portability and Accountability Act of 1996
(HIPAA) Security Rule. The settlement involves the breach of
unsecured electronic protected health information (ePHI) of
approximately 17,500 patients at ISU’s Pocatello Family Medicine
Clinic. That...
There’s no excuse for careless handling of sensitive personal information
Erica Absetz (May 21)
http://www.buffalonews.com/apps/pbcs.dll/article?AID=/20130521/OPINION/130529888/1074
Is there something in the air here, or have leaders in Western New
York never heard of identity theft? The carelessness with which
records containing personal information are being strewn about the
landscape – literal and digital – is as astonishing as it is
disturbing.
Last week, it was Dent Neurologic Institute acknowledging that it
emailed out private...
How anticipating a health data breach can boost security
Erica Absetz (May 21)
http://healthitsecurity.com/2013/05/20/how-anticipating-a-health-data-breach-can-boost-security/
A healthcare chief information officer (CIO) saying that he expects to
experience a health data breach is not only unusual, but may produce
shock and awe in some parts of the healthcare industry. However,
having this type of outlook, regardless of whether the CIO ends up
having to deal with a breach or not, can prepare organizations for the
worst...
Hackers Who Breached Google in 2010 Accessed Company’s Surveillance Database
Erica Absetz (May 21)
http://www.wired.com/threatlevel/2013/05/google-surveillance-database/
Hackers who breached Google’s network in 2010 obtained access to the
company’s system for tracking surveillance requests from law
enforcement, according to a news report.
The hackers gained access to a database that Google used to process
court orders from law enforcement agencies seeking information about
customer accounts, including classified FISA orders that are used...
Response from TerraCom, Inc.
Erica Absetz (May 20)
http://www.knoxnews.com/news/2013/may/18/response-terracom-inc/
"On April 26, 2013, the companies were made aware of the fact that
Scripps Howard News Service was able to access personal data files of
applicants seeking enrollment in the program.
We deeply regret that this incident occurred, and we are sorry that
personal data of Lifeline applicants was recently accessed by Scripps
Howard News Service. This is a very serious matter and we...
Information for 10K job applicants exposed in security breach
Erica Absetz (May 20)
http://www.wsoctv.com/news/news/local/piedmont-compromise/nXtt3/
STATESVILLE, N.C. —
A local healthcare company is now trying to contact 10,000 job
applicants whose private information was exposed in a major security
breach.
The applicants at Piedmont HealthCare had more than just their
applications stolen; they had their Social Security numbers
compromised.
Earlier this week, experts told Eyewitness News that having a Social
Security...
Yahoo Japan says 22 million user IDs may have been stolen
Erica Absetz (May 20)
http://www.networkworld.com/news/2013/052013-yahoo-japan-says-22-million-269914.html?source=nww_rss
IDG News Service - Yahoo Japan, the country's largest Web portal, said
up to 22 million user IDs may have been leaked during a hack that was
discovered last week.
The company emphasized that the IDs are already public information,
and no passwords or other private data were affected. Yahoo Japan IDs
are used along with password to log in to...
PHH Data Breach Exposes Employee Information
Erica Absetz (May 16)
http://www.americanbanker.com/issues/178_94/phh-data-breach-exposes-employee-information-1059140-1.html
WASHINGTON — A temporary worker for PHH Corp. potentially gained
access to employees' personal information, including Social Security
numbers and dates of birth, according to a letter from the company's
chief executive.
In a letter posted on the California Department of Justice's website,
Glen Messina, the $9.3 billion-asset...
Oops: Google search reveals private Telstra customer data
Erica Absetz (May 16)
http://www.theage.com.au/it-pro/security-it/oops-google-search-reveals-private-telstra-customer-data-20130516-2jnmw.html
The personal information of thousands of Telstra customers has been
found online using a Google search.
Lee Gaywood, 31, of Chelsea Heights in Victoria, contacted Fairfax
Media about the information being freely accessible to anyone online
after conducting a specific Google search that turned up Telstra
spreadsheets.
The...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
Re: Wmic through the windows api
egypt (May 17)
Extensions should be submitted as a pull request in the meterpreter
repo: https://github.com/rapid7/meterpreter
If you have already written the ruby side, that should be a pull
request on the framework repo, with a link to the meterpreter pull
request in the description.
Thanks!
egypt
Re: Wmic through the windows api
Abuse 007 (May 16)
Hi Brian,
Perhaps you need to allocate some memory in a process, write your custom
data structure there, and then make the call with a pointer/reference to
the custom data structure in the memory you allocated for it.
Cheers,
B
Ruxcon 2013 Call For Papers
cfp (May 07)
Ruxcon 2013 Call For Presentations
Melbourne, Australia, October 26th-27th
CQ Function Centre
http://www.ruxcon.org.au/call-for-papers/
The Ruxcon team is pleased to announce the Call For Presentations for Ruxcon 2013.
This year the conference will take place over the weekend of the 26th and 27th
of October at the CQ Function Centre, Melbourne, Australia.
.[x]. About Ruxcon .[x].
Ruxcon is a premier technical computer security conference...
Breakpoint 2013 Call For Papers
cfp (Apr 30)
Breakpoint 2013 Call For Papers
Melbourne, Australia, October 24th-25th
Intercontinental Rialto
http://www.ruxconbreakpoint.com
.[x]. Introduction .[x].
The Ruxcon team is pleased to announce Call For Papers for Breakpoint 2013.
Breakpoint showcases the work of expert security researchers from around the
world on a wide range of topics. This conference is organised by the Ruxcon
team and offers a specialised security conference to...
Re: framework Digest, Vol 63, Issue 13
Vlad Ovtchinikov (Apr 27)
Try exploit-db.com
Sent from my iPhone
Re: framework Digest, Vol 63, Issue 13
Prabhu (Apr 27)
Hi,
I surfed the privilege escalation exploits in the unix/local and linux/local
categories and found that most of them work only with Linux kernel 2.4 and 2.6.
But I am looking for exploits for kernel 3.0 and above; could someone suggest
an exploit to handle this?
Re: help
Joshua Smith (Apr 25)
You beat me Tod, I was gonna say
$ msfconsole
but seriously man, you need to give more details.
Re: help
Tod Beardsley (Apr 25)
http://ifconfig.me
Re: framework Digest, Vol 63, Issue 12
Michael Schierl (Apr 25)
On 25.04.2013 19:59, Tod Beardsley wrote:
Seconded.
Also, please note that a piece of shellcode is not an exploit (just like
a pinch of gunpowder is not a firearm, or like a satellite is not a
space rocket). In fact the shellcode is usually the easiest part for a
new exploit as Metasploit ships lots of them to easily integrate into
any exploit.
When you have installed Metasploit, have a look at the unix/local/ and
linux/local/ category if...
help
gri sma (Apr 25)
how to use external ip on metasploit
Re: framework Digest, Vol 63, Issue 12
Tod Beardsley (Apr 25)
please don't run random blobs of shellcode you find on the internet.
It's not healthy.
That's kind of why we do Metasploit.
If you would like to start using Metasploit, please see
http://metasploit.pro and pick the right version for your needs.
Thanks!
Re: framework Digest, Vol 63, Issue 12
Prabhu (Apr 25)
Hi,
I picked an exploit from the link below and compiled it manually in a test
environment. I ended up with an error message stating that
error: lvalue required as left operand of assignment
http://www.shell-storm.org/shellcode/files/shellcode-548.php
Could you suggest me a shellcode to proceed.
Re: framework Digest, Vol 63, Issue 11
Prabhu (Apr 25)
Hi Tod,
Thank you for response, I'm looking at this exploit. could you help me to
sort this.
http://pastebin.com/GC824ayU
Re: framework Digest, Vol 63, Issue 11
h4lp.php () gmail com (Apr 24)
Did you find something at exploit-db or 1337day?
Maybe you should also tell us what you did and how, and your Metasploit version.
Prabhu <flyingcolours47 () gmail com> wrote:
Re: framework Digest, Vol 63, Issue 11
Tod Beardsley (Apr 24)
Which Metasploit module is giving you trouble?
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Re: [Wireshark-commits] rev 49551: /trunk/epan/ /trunk/epan/: req_resp_hdrs.c
Evan Huus (May 24)
The capture in question (which I can't share unfortunately) still
takes far too long to load. Trunk builds take ~8 seconds (~10 before
this commit) whereas 1.8 builds load it in about 0.6 seconds.
It consists of many thousands of packets containing very short
payloads that look enough like HTTP to fool the heuristics, but never
end "properly" (with an \r\n \r\n). The desegmentation logic loops
through each line, then requests more...
manual address resolution is broken
Ed Beroset (May 23)
Today I was analyzing some capture files and wanted to use manual name resolution to make things a little easier to interpret,
but I found out that manual name resolution no longer works. The bug has already been reported
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8462 and a patch submitted, but I'm not sure that patch is the
right way to resolve things since it basically undoes (incompletely) a deliberate change that was done some...
Wireshark (1.8.2) decrypting (SIP)TLS Traffic
Max Mühlbronner (May 23)
Hi list,
I just tried to decrypt SIP TLS traffic in wireshark (preferences -->
SSL , imported priv key for server ip/port) and was at least able to see
decrypted packets in the ssl-logfile when enabling SSL debugging in
wireshark. I also made sure to capture the initial handshake, but the
decrypted SIP traffic never shows up in wireshark/packet list?
One thing i noticed is: i have to choose a protocol like...
Wireshark 1.10.0rc2 is now available
Wireshark announcements (May 22)
I'm proud to announce the release of Wireshark 1.10.0rc2.
__________________________________________________________
What is Wireshark?
Wireshark is the world's most popular network protocol
analyzer. It is used for troubleshooting, analysis, development
and education.
__________________________________________________________
What's New
Bug Fixes
The following bugs have been fixed:
* Redirecting...
Wireshark 1.10.0rc2 is now available
Gerald Combs (May 22)
I'm proud to announce the release of Wireshark 1.10.0rc2.
__________________________________________________________
What is Wireshark?
Wireshark is the world's most popular network protocol
analyzer. It is used for troubleshooting, analysis, development
and education.
__________________________________________________________
What's New
Bug Fixes
The following bugs have been fixed:
* Redirecting...
Re: What is the use of pointer "cap_file_" in QtShark
Gerald Combs (May 22)
The intent was to associate a capture_file with a MainWindow instead of
with the entire application. I've been trying to avoid the use of
globals.h and the global cfile variable in particular in the Qt code in
case we ever manage to support having more than one capture file open.
Using it to determine if we have an open capture file followed from that.
Re: What is the use of pointer "cap_file_" in QtShark
Guy Harris (May 22)
Currently, yes.
We make no claim that Wireshark will, forever, have only one main window and only one capture file open, so it should
not be treated as if it is, inherently, just a pointer to cfile.
Yes, it's defined there, but tshark.c, as the name suggests, is not linked into Wireshark, it's linked into TShark; the
cfile in QtShark is defined in ui/qt/main.cpp (and in GTKShark is defined in ui/gtk/main.c).
No, we keep it around...
What is the use of pointer "cap_file_" in QtShark
Richard Turner (May 22)
In Wireshark/ui/qt/main_window.h there is a private member variable
defined as:
capture_file *cap_file_;
I think it's a pointer to the global variable "cfile" (defined in tshark.c).
Is it true that we keep this pointer only to verify the validity of
cfile (we set cap_file_ to NULL when the capture file is closed)?
Regards,
-Richard Turner
Add an option to tshark to give the prefix or whole tempfile name?
Anders Broman (May 22)
Hi,
We have some automated scripts that use tshark; occasionally dumpcap crashes and leaves huge files in /tmp. To fix that
we write to a named file, which
causes its own problems. A solution could be to provide tshark with the name or the prefix of the tempfile to be able
to clean up or overwrite the file.
Would someone be willing to implement this? I think it should be possible to use long option names, e.g. tempfilename?
Regards
Anders
Re: Keep getting "unresolved external symbol" error when trying to use "summary_fill_in"
Richard Turner (May 22)
Thanks all of you! Problem resolved. (By updating summary.h to latest
SVN version)
Regards,
Richard Turner
Re: Keep getting "unresolved external symbol" error when trying to use "summary_fill_in"
Guy Harris (May 22)
Or pick up the current top-of-trunk SVN version, wherein summary.h has the extern "C" stuff in it (it belongs there,
not in code that includes summary.h).
Re: Keep getting "unresolved external symbol" error when trying to use "summary_fill_in"
Guy Harris (May 22)
So, whatever build tools you're using to build QtShark have been told to include "summary.c" in the top-level directory
as one of the source files in the build, right?
If not, make it so. (ui/qt/QtShark.pro *appears* to do that, but maybe there's something subtle I'm missing. If
you're *not* using ui/qt/QtShark.pro, you're on your own.)
Re: Keep getting "unresolved external symbol" error when trying to use "summary_fill_in"
Alexis La Goutte (May 22)
Hi,
It is a problem of linking a C library with C++.
You need to use this fix:
+/* linking C functions */
+extern "C"
+{
+#include "../summary.h"
+}
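Review bot: the extern "C" wrapper is applied at the include site rather than in summary.h, so each C++ file that includes the header has to repeat it; guarding the declarations inside summary.h with #ifdef __cplusplus and extern "C" would fix every includer at once. The relative path "../summary.h" also ties this include to the file's directory depth.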
Re: Keep getting "unresolved external symbol" error when trying to use "summary_fill_in"
Richard Turner (May 22)
I'm sorry, but this won't work on my environment.
I still get the same error :
C:\Turner\Workspace\Wireshark\ui\build-QtShark-Qt4_8_4-Release\main.obj:-1:
error: LNK2019: Unresolved external symbol "__declspec(dllimport) void
__cdecl summary_fill_in_capture(struct _capture_file *,struct
capture_options_tag *,struct _summary_tally *)"...
Re: Keep getting "unresolved external symbol" error when trying to use "summary_fill_in"
Pascal Quantin (May 22)
On 22/05/2013 07:30, Anders Broman wrote:
The line
#include "ws_symbol_export.h"
should be added at the beginning of summary.h also
Regards,
Pascal.
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Re: Snorby - Full Packet Capture
johnny.venter (May 24)
Thanks Jeremy, that did it. I enabled the "server" portion of OpenFPC on the Snort box and the "client" version on the
Snorby box.
Another question: I will have multiple Snort servers in the near future. Snorby only allows one (1) OpenFPC URL. If I
have multiple Snort servers, how can I grab the packet capture from each Snort server? Do I need one Snorby server per
Snort server?
Thanks.
---- On Thu, 23 May 2013...
Re: Rule Management UI
Jaime Nebrera (May 24)
I don't think so. We will never officially support this, but could be it
does
Jaime Nebrera - ENEO Tecnología
Sent with mobile, sorry for typos
On 24/05/2013 01:32, "Michael Steele" <michaels () winsnort com> wrote:
------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring...
Re: Binary log capture looks incomplete.
beenph (May 24)
By default snort tag packet limit is 256
#define MAX_TAG_NODES 256
Unless you use the configuration option tagged_packet_limit to up that value.
-elz
Re: Preprocessing rule blocking
waldo kitty (May 24)
yes, that will limit it to one alert every minute...
to disable it completely, you might comment the rule out in your
preproc_rules/preprocessor.rules file if you are using that... i /think/ that's
where the stub is located...
Re: Rule Management UI
Michael Steele (May 23)
Does it work with Windows? While BASE is pretty much dead as far as
developing goes; it's still a very viable option for viewing alerts and much
more.
Best regards,
Michael...
WINSNORT.com Management Team Member
Re: Binary log capture looks incomplete.
James Lay (May 23)
Ah...flowbits and tag I'm not real familiar with, so I'll defer to the
(much) smarter people in this group :)
James
Re: Binary log capture looks incomplete.
Shields, Joseph (NIH/NIEHS) [C] (May 23)
James,
My understanding from reading the Snort manual is that in the rule these settings affect logging:
1) flowbits:set,tagged; Tells snort that the session should be logged when this rule is positive.
2) tag:session,0,packets,1000,seconds; Tells snort to not limit the size (set to zero) and to log for up to 1000
seconds.
I am not setting the dump type format, so it ought to use the default which I believe is tcpdump.
I am now...
Re: Binary log capture looks incomplete.
James Lay (May 23)
Joseph,
How are you logging this...with:
output log_tcpdump: tcpdump.log
or
output unified2: filename unified
?
As I understand it, (someone please correct me if I'm way off) Snort
will capture the packet (or re-assembled packets) that fired the rule.
Snort won't capture the whole conversation or file. For example, VRT
rule 25513 will capture the packet(s) that match
content:"application/octet-stream"; and...
Re: Syndicasec Stage Two traffic sig
James Lay (May 23)
Thanks Rm...good catch..how's this lookin:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Trojan.Win32.Syndicasec Stage Two traffic"; flow:to_server,established;
content:"POST"; http_method; content:"HTTP/1.0";
content:"cstype=server|26|authname="; http_client_body; metadata:policy
balanced-ips drop, policy security-ips drop, service http;
reference:url,...
Re: Syndicasec Stage Two traffic sig
rmkml (May 23)
Hi James,
Big thx you again for sharing malware rules!
Warn: change http_uri to http_client_body please
content HTTP/1.0 with http_header not fire for me.
Regards
@Rmkml
Syndicasec Stage Two traffic sig
James Lay (May 23)
Yay:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Trojan.Win32.Syndicasec Stage Two traffic"; flow:to_server,established;
content:"POST"; http_method; content:"HTTP/1.0";
content:"cstype=server|26|authname="; http_uri; metadata:policy
balanced-ips drop, policy security-ips drop, service http;
reference:url,http://www.welivesecurity.com/2013/05/23/syndicasec-in-the-sin-bin;...
New Skype worm sig
James Lay (May 23)
Slow Thursday:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Trojan.Win32.Gapz C2 traffic"; flow:to_server,established;
content:"|2f|images|2f|gx.php"; http_uri; metadata:policy balanced-ips
drop, policy security-ips drop, service http;
reference:url,http://bartblaze.blogspot.com/2013/05/another-skype-worm.html;
classtype:trojan-activity; sid:10000071; rev:1;)
Could add the UA that's in...
Re: Binary log capture looks incomplete.
Shields, Joseph (NIH/NIEHS) [C] (May 23)
I sent the below question to the user list yesterday but did not see any replies to it. I think I have an idea about
what is going on here. I had my own rule to look for a specific event. In watching the snort-sigs user list I saw
last week a rule that looked like it might be more effective, so I added it to the rule set. What I've noticed when
trying to look at the binary captures this week is that it looks like the transmission is...
Re: [Snort-sigs] distance, within, and negated matches
L0rd Ch0de1m0rt (May 23)
Hello. Thank you Patrick for the response. One point of clarity and one
thing that I noticed is that non-relative negated content matches seem to
*reset* the pointer so that is something to keep in mind... You should
always put non-relative negated content matches before or after your
relative content matches or it won't work as you expect!
Cheers,
Lord C.
On Sun, Jul 1, 2012 at 4:52 PM, Patrick Mullen <pmullen () sourcefire...
Preprocessing rule blocking
SnortFan (May 23)
Hi All,
If I want to limit or block all reporting on Snort Alert [137:1:0]
Would this work to limit it to one for every minute via the threshold.conf? Is there an easy way to block it
altogether?
event_filter \
gen_id 137, sig_id 1, \
type limit, track by_src, \
count 1, seconds 60
Thanks,
Ed
Sent from a mobile device.
OpenVAS — Development and announcements regarding OpenVAS, a free network security scanner which forked from Nessus. This is a combination of the English openvas-announce, openvas-devel, openvas-discuss, and openvas-plugins lists.
task configuration reset when editing
Paula Gonzalez Muñoz (May 24)
hello,
Yesterday I tried to edit a task and I noticed that when you click on the
edit button the target and the scan configured are reset to "localhost"
and "empty" respectively. Is this a desired behavior or is it a bug?
Regards,
Paula
question about filters
Paula Gonzalez Muñoz (May 24)
Hello,
when I run a task for multiple ips and I select all threat levels to be
shown (high, medium, low, log and false positive) I only get the full
report for the first, the others only show information until the low level
but nothing about logs and false positives. Is there any way to set it so I
see everything using the filter tool?
Regards,
Paula
Re: cli not building
Michael Wiegand (May 24)
* btb [23. May 2013]:
You are not doing anything wrong, but your compiler warns you about the
possible use of what it thinks are uninitialized variables.
Warnings are treated as error when building in the (default) "Debug"
build type and thus break your build process. You can change this
behaviour by adding a "-DCMAKE_BUILD_TYPE=Release" to your cmake call.
Alternatively, you could try building with the attached patch,...
cli not building
btb (May 23)
from revision 16442
-- Configuring openvas-cli ...
-- The C compiler identification is GNU 4.7.3
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Found PkgConfig: /usr/bin/pkg-config (found version "0.26")
-- Install prefix: /opt/openvas
-- checking for module 'libopenvas>=6.0.0'
-- found...
Re: SVN trunk: Breaking openvas-administrator
btb (May 23)
ah, of course. that was silly of me to find the db file but not look in it. i assumed based on filename.
thanks
-ben
Re: openvasmd using all CPU
YanQian (May 23)
Hi, Paula,
Yes, same logs here,
base gpgme:MESSAGE:2013-05-23 00h15.03 CST:29860: Setting GnuPG homedir to '/etc/openvas/gnupg'
base gpgme:MESSAGE:2013-05-23 00h15.03 CST:29860: Using OpenPGP engine version '2.0.14'
md crypt: INFO:2013-05-23 00h15.03 CST:29860: starting key generation ...
md main:WARNING:2013-05-22 16h19.01 utc:29810: cleanup_manage_process: attempt to close db with open statement(s)
regards,
YanQian...
Re: SVN trunk: Breaking openvas-administrator
btb (May 23)
this seems to now be working:
openvas-check-setup 2.2.2
Test completeness and readiness of OpenVAS-7
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 4.0+beta1.
OK: OpenVAS Scanner CA Certificate is present as /opt/openvas/var/lib/openvas/CA/cacert.pem.
OK: NVT collection in /opt/openvas/var/lib/openvas/plugins contains 30717 NVTs.
OK: Signature checking of NVTs is enabled in...
SVN trunk: breaking scanner users directory.
Jan-Oliver Wagner (May 23)
Hi,
I just removed the handling of the "users" directory.
The only thing you need to do is to get the dname
properly placed again. Either
cp /var/lib/openvas/users/om/auth/dname /var/lib/openvas/dname
or
openvas-mkcert-client -n -i
will do the job.
If you are using .auth.conf, then you need to copy this as well:
cp /var/lib/openvas/users/.auth.conf /var/lib/openvas/auth.conf
In case you experience any other sort of problem,...
Re: SVN trunk: Breaking openvas-administrator
Hani Benhabiles (May 23)
Hi,
You are probably looking for the users table in tasks.db.
$ sqlite3 /usr/var/lib/openvas/mgr/tasks.db "SELECT * FROM users;"
That is the DB where most Manager data is stored (beside secinfo stuff
like cpe, cve, dfn cert etc., which are in the other two DBs.)
Cheers,
Hani.
Re: SVN trunk: Breaking openvas-administrator
Jan-Oliver Wagner (May 22)
On Monday 20 May 2013 22:40:06, btb wrote:
openvas-check-setup:
I've committed new version 2.2.2 of openvas-check-setup.
Please try it.
The user tests are currently missing. As Matt pointed out, it is work in
progress.
Re: openvasmd using all CPU
Paula Gonzalez Muñoz (May 22)
Hi YanQian,
do you have the same message I got at openvasmd.log?
Regards,
Paula
2013/5/22 YanQian <yankaiqian () live cn>
Re: openvasmd using all CPU
YanQian (May 22)
Hi, Paula,
I tried the way you said in RHEL6, start openvas-manager without "--disable-encrypted-credentials", but CPU usage
still rises to 99% when I run the omp command to add credentials (it could not finish, it just hangs there).
So it didn't work for me.
regards, YanQian
Date: Tue, 21 May 2013 11:05:50 +0200
Subject: Re: [Openvas-discuss] openvasmd using all CPU
From: p.gonmu () gmail com
To: yankaiqian () live cn
CC: openvas-discuss...
Re: SVN trunk: Breaking openvas-administrator
btb (May 22)
experimenting a bit with another computer running version 6, i can see with strace that maybe there is an sqlite db
somewhere for this:
[...]
open("/usr/lib/x86_64-linux-gnu/libsqlite3.so.0", O_RDONLY|O_CLOEXEC) = 3
[...]
but i'm not able to see it open a file. i only see three databases so far in my poking around:
var/lib/openvas/cert-data/cert.db
var/lib/openvas/scap-data/scap.db
var/lib/openvas/mgr/tasks.db
but nothing...
Re: SVN trunk: Breaking openvas-administrator
btb (May 22)
i'm familiar with var/lib/openvas/users/, but i gather this is not what is meant by the db? where can i read about
inserting a user into the db by hand?
-ben
Re: trouble building gsa from trunk
btb (May 22)
thanks.
i've checked out 16419, and can report that gsa now appears to build as expected.
-ben
We also maintain archives for these lists (some are currently inactive):
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.