SecLists.Org Security Mailing List Archive

Any hacker will tell you that the latest news and exploits are not found on any web site—not even Insecure.Org. No, the cutting edge in security research is and will continue to be the full disclosure mailing lists such as Bugtraq. Here we provide web archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:

Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects.

SIP version detection script Patrik Karlsson (Nov 22)
It's always nice to make a first impression as the "Teletubby that forgets the attachment" ... Well here it is :)

Patrik Karlsson
http://www.cqure.net

SIP version detection script Patrik Karlsson (Nov 22)
Hi all,

I just finished my first nmap script with some great help from Ron Bowes.
Like the e-mail subject states it does version detection for the SIP protocol.
I've done some basic testing and it looks as if it does what it't intended to.

Here's some sample output:

Interesting ports on 192.168.56.3:
PORT STATE SERVICE VERSION
5060/udp open|filtered sip Asterisk PBX

Interesting ports on 192.168.56.4:
PORT STATE...

Re: Pushed in my changes Fyodor (Nov 22)
Thanks Ron! BTW, my proposal actually had two spaces of indention per
level rather than just one, so I changed it to that.

Cheers,
-F

Re: nmap 5 memory usage David Fifield (Nov 20)
I tried this command with the Massif memory profiler. For me it grows to
about 70 MB too. It turns out that almost all of this (over 80%) is from
parsing the nmap-os-db file.

http://www.bamsoftware.com/wiki/Nmap/Memory#a20091120

The OS database has been growing, but the bigger cause is probably the
increase in the size of each test value, which was increased from 128 to
256 in r11074 in November 2008. All test values are allocated the same...

Re: [nmap-svn] r16159 - nmap/nselib Ron (Nov 20)
Sorry, I committed some extra code in this one that I didn't mean to
(should have 'svn diff'ed.. oops).

The code is simply functions that aren't called from anywhere (yet), so,
unless somebody minds, I'm just going to leave it.

commit-mailer () insecure org wrote:

Pushed in my changes Ron (Nov 20)
Nobody had any issues with smb-enum-groups or my updated output, so I
committed the changes into the main trunk. This'll be the last of my
changes for a little while, since I'm sort of out of ideas. I didn't
want to leave stuff sitting my branch, though.

I added smb-enum-groups.nse to the CHANGELOG, but not the updated output
(I didn't want to mess with it too much while Fyodor was updating it).

As for the updated output, I went with...

Re: Removing email addresses from NSE script author field Ron (Nov 20)
Fyodor wrote:

Someone should stop that guy!

Ultimately, I don't care. Whenever I put my email address somewhere, I'm
always aware of the spam risk, so I wasn't too worried. But it's
probably a good idea to get rid of it.

Ron

Re: Removing email addresses from NSE script author field DePriest, Jason R. (Nov 19)
I never thought about them being used to fuel SPAM.

Keeping the names and removing the email addresses should be okay
since anyone who is actively maintaining a script will likely be
reading the nmap-dev list.

Perhaps put information about subscribing to or contacting nmap-dev
instead of individual email addresses?

-Jason

Removing email addresses from NSE script author field Fyodor (Nov 19)
Hi folks. I've noticed NSE author fields in several formats,
including:

p2p-conficker.nse: author = "Ron Bowes (with research from Symantec Security Response)"

http-enum.nse: author = "Ron Bowes <ron () skullsecurity net>, Andrew Orr
<andrew () andreworr ca>, Rob Nicholls
<robert () everythingeverything co uk>"

smb-enum-sessions.nse: author = "Ron...

Nmap's memory use David Fifield (Nov 19)
Hi,

We've had some report recently about Nmap using a lot of memory.

"Port memory bloat"
http://seclists.org/nmap-dev/2009/q3/926
"nmap 5 memory usage"
http://seclists.org/nmap-dev/2009/q4/300

I started looking at ways to improve this. This note is to let you know
what I've found so far and to ask if anyone has tips on memory
profiling.

In the first link above, Pavel Kankovsky observed that it is the Port
class that is...

Re: Bug/Enhancement (ncat/nsock) - Recognize Winsock error codes David Fifield (Nov 19)
Hi Paul, thanks for your suggestion. The next release of Ncat will have
this. When Ncat has a connection error, it will print the error even
without -v, and it will interpret the Windows error codes.

The Nsock messages don't interpret the Windows codes, because as I
recall those strings can be long and contain newlines. Nsock tracing is
a low-level option; we wanted to make the information from common
connection errors visible without excessive...

Re: Scanning 255.255.255.255 from Windows Jon Kibler (Nov 19)
David Fifield wrote:

Although I cannot test right now to verify it, I seem to recall that (at least
for Linux) packets sent to 255.255.255.255/32 usually (always?) have a
destination MAC address of FF:FF:FF:FF:FF:FF. Maybe nmap should simply set the
MAC associated with 255.255.255.255/32 to FF:FF:FF:FF:FF:FF?

Jon

Bug/Enhancement (ncat/nsock) - Recognize Winsock error codes Paul Milliken (Nov 19)
Hi,

I've noticed that ncat doesn't interpret Windows Socket errors,
instead displaying them as "Unknown error". Contrast the following
outputs from Windows and Linux respectively:

C:\tools\nmap-5.00>ncat -v -v -v 10.10.130.140 8888
Ncat version 5.00 ( http://nmap.org/ncat )
NSOCK (0.0620s) TCP connection requested to 10.10.130.140:8888 (IOD #1) EID 8
NSOCK (1.0160s) Callback: CONNECT ERROR [Unknown error (10061)] for
EID 8...

Re: port order in 5.00-2 bensonk (Nov 18)
You can also use netcat (not ncat, sadly) with the -z flag, which says
"do no IO, just connect". This might do what you want in a pretty small
package.

This raises the question -- why doesn't ncat support netcat's -z? Was
it decided that this sort of action should be taken by nmap or nping?

Benson

Re: Scanning 255.255.255.255 from Windows David Fifield (Nov 18)
I looked into this and I can reproduce it. I get the "Failed to
determine dst MAC address" message even without -e, though. I think I
know why: for some reason the routing table has the gateway for
255.255.255.255/32 set to the local IP address. This machine's IP
address is 192.168.0.190 and its Internet gateway is 192.168.0.1.

$ nmap --iflist

Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-11-18 21:44 Mountain Standard Time...

Nmap Hackers — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.

Nmap 5.00 Released! Fyodor (Jul 16)
Hello everyone. I'm delighted to announce the release of Nmap 5.00!
This is the first major release since 4.50 in 2007, and includes about
600 significant changes since then! We consider this the most
important Nmap release since 1997, and we recommend that all current
users upgrade.

There are too many changes to list them all in this email, so here are
the top 5 improvements in Nmap 5:

1) The new Ncat tool aims to be your Swiss Army Knife...

Nmap news: stable release candidate 4.90RC1, SoC team, and new translations Fyodor (Jun 26)
Hi Folks. I'm pleased to announce some exciting Nmap news:

[=================Nmap 4.90RC1==================]

It has been nearly 10 months (and 11 dev releases) since 4.76, the
last stable Nmap release. And we've made many dramatic changes, so it
is time for a new stable version! I've posted a release
candidate--4.90RC1--on the Nmap download page:

http://nmap.org/download.html

Please test it out, and let us know if you find any problems...

Nmap 4.85BETA6 now avail w/Conficker detection Fyodor (Apr 01)
Hi Folks! In case you missed all the news reports yesterday, a couple
great researchers from the Honeynet Project (Tillmann Werner and Felix
Leder) and Dan Kaminsky came up with a way to remotely detect the
Conficker worm which has infected millions of machines worldwide.
Some say 15,000,000 machines infected, but that might just be
exaggerated AV-company BS for all I know. But there are clearly
millions of infections, and this massive botnet...

Nmap News: 4.84BETA4 release, Nmap book news, Summer of Code, Twitter, etc. Fyodor (Mar 27)
Hello everyone. We've seen 848 messages on nmap-dev this year, but
this is my first post to nmap-hackers. So I have a lot of exciting
Nmap news to fit into this one email!

[=================Nmap 4.85BETA4==================]

While the last release I posted to this list was 4.76 in September of
last year, we've had four beta releases since then with hundreds of
important and dramatic changes. I'm pretty happy with the latest
4.85BETA4 release,...

Nmap Network Scanning Book Released! Fyodor (Dec 09)
Nmap Hackers:

After promising you a book on Nmap for years, I'm delighted to finally
announce the release of Nmap Network Scanning! It contains everything
I've learned about network scanning from more than a decade of Nmap
development, plus some bad jokes and (over Time Warner's written
objections) pictures of Trinity hacking the Matrix :). Here is the
abstract:

Nmap Network Scanning is the official guide to the Nmap Security
Scanner, a...

Nmap News: 4.76 release, Defcon presentation online, Is port scanning legal? Fyodor (Sep 23)
Hi everyone. I'm happy to report that the Nmap 4.75 release (with
port frequencies, Zenmap topology, etc.) was a big success. But such
large exposure inevitably leads to bug discovery, so we've
released version 4.76 with about a dozen small fixes and stability
improvements. If 4.75 is working great for you, there is probably no
need to upgrade. But if you encountered problems, or if you are the
type who waits a couple weeks for stabilization...

Nmap 4.75 released Fyodor (Sep 08)
Hi Everyone. I'm delighted to report the release of Nmap 4.75, which
has almost 100 significant improvements since 4.68. Some which I'm
most excited about are:

o While Nmap stands for "Network Mapper", it hasn't been able to
actually draw you a map of the network--until now! Visit
http://nmap.org/book/zenmap-topology.html for details and pretty
pictures of Zenmap's new Scan Topology system.

o I spent much of this summer...

Nmap 4.68 release Fyodor (Jul 31)
Hi All. I'm happy to report that there have been several stable Nmap
releases since I mailed you about Nmap 4.60 in March. The latest
version is 4.68, and I think you'll like it (unless you still use
Win2K, which can be problematic due to IPv6 issues that we hope to
resolve in the next release). Before I give you the full list of 125
improvements, I'll start with a few highlights:

o Added a new --min-rate option that allows specifying a...

Lots of Nmap News Fyodor (Jul 31)
Hi All. I feel derelict for failing to post any Nmap news to this
nmap-hackers list in the last four months, but you can rest assured
that we've been busy on the project! For example, there have been
1,181 posts on the nmap-dev list (not all from me) since my March
nmap-hackers announcements. So you can always join that if you want a
constant flood of Nmap news :). There have also been several stable
Nmap releases since that time, great news...

Nmap accepting applications for Summer of Code developers Fyodor (Mar 24)
It may have taken me four months to send this year's first
nmap-hackers mail, but the second only took me four hours. I want to
let you all know that Nmap has been accepted for the fourth year
running to participate in the Google Summer of Code program. This
generous and innovative program provides $4,500 stipends to hundreds
of university students to create or enhance open source software.
Applications are only accepted for one week, until...

Nmap 4.60 and new movies page Fyodor (Mar 24)
Hi everyone. This is the first nmap-hackers message of the year, but
we haven't been slacking. The nmap-dev list has more than 500 posts
so far this quarter, and we've made many great improvements to Nmap
during the period.

Nmap-hackers is reserved for the most important Nmap news, but that
won't prevent me from starting out this message with something
frivolous :). I recently learned that Nmap was in not just one, but
two major motion...

Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components VMware Security Team (Nov 20)
-----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2009-0016
Synopsis: VMware vCenter and ESX update release and vMA patch
release address multiple security issue in third
party components
Issue date: 2009-11-20
Updated on: 2009-11-20 (initial release of advisory)
CVE numbers: --- JRE ---...

IE7 info (Nov 20)

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
<HTML xmlns="http://www.w3.org/1999/xhtml";>
<HEAD>
<script>
function load(){
var e;
e=document.getElementsByTagName("STYLE")[0];...

[security bulletin] HPSBMA02478 SSRT090251 rev.1 - HP Operations Manager for Windows, Remote Unauthorized Access security-alert (Nov 20)
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01931960
Version: 1

HPSBMA02478 SSRT090251 rev.1 - HP Operations Manager for Windows, Remote Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2009-11-18
Last Updated: 2009-11-18

Potential Security Impact: Remote unauthorized access

Source: Hewlett-Packard Company, HP Software Security Response Team...

PHP "multipart/form-data" denial of service Bogdan Calin (Nov 20)
Description
------------
PHP version 5.3.1 was just released. This release contains a patch for a
denial of service condition we've reported on 27 October 2009. The
problem is related with PHP's handling of RFC 1867 (Form-based File
Upload in HTML).

When you send a POST request to a PHP script with the content-type of
"multipart/form-data" and include a list of files in that request, PHP
will create a temporary file for each file from...

Firefox 3.5.3 Remote Array Overrun (UPDATE) cxib (Nov 20)
Please update CVE-2009-1563 BID:36851 and BID:36843

Mozilla has changed credit.

http://www.mozilla.org/security/announce/2009/mfsa2009-59.html

and add correct CVE: CVE-2009-0689.

CVE-2009-1563 shouldn't never exists. It is duplicate.

KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) cxib (Nov 20)
[ KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- KDELibs 4.3.3

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/74

--- 0.Description ---
KDELibs is a collection of libraries built on top of...

K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) cxib (Nov 20)
[ K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- K-Meleon 1.5.3

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/72

--- 0.Description ---
K-Meleon is an extremely fast, customizable,...

SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) cxib (Nov 20)
[ SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- SeaMonkey 1.1.18

Fixed in:
- SeaMonkey 2.0

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/71

--- 0.Description ---
The SeaMonkey project is...

Opera 10.01 Remote Array Overrun (Arbitrary code execution) cxib (Nov 20)
[ Opera 10.01 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- Opera 10.01
- Opera 10.10 Beta

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/73

--- 0.Description ---
Opera is a Web browser and Internet suite...

NSA Iraqi Computer Attacks And U.S. Defense Gadi Evron (Nov 19)
In a recent article in the National Journal Magazine, the NSA
supposedly admits to using computer attacks in Iraq, attacking
cellular systems. Aside to the hacking part, which is obviously
"cool", the impact on the US cyber defense stance as well as
international relations is staggering.

I spent some time trying to figure out what facts were given in the
story, and analyze it.

Original story:...

AssetsSoSimple supplier_admin.php Supplier Field XSS Bugs NotHugs (Nov 19)
product: AssetsSoSimple
version tested: 0.33
vendor URL: http://assetssosimple.sourceforge.net/
script: supplier_admin.php
field: Supplier

ooo

BugsNotHugs
Shared Vulnerability Disclosure Account

Auto Manager admin.cgi Multiple Field XSS Bugs NotHugs (Nov 19)
vendor: interactivetools.com, inc.,
http://www.interactivetools.com/products/automanager/
product: Auto Manager
version: 2.52
script: admin.cgi
fields: Vehicle, Year, Price, Drive Train, Transmission, Body, Engine,
Description, Color, Miles

***

BugsNotHugs
Shared Vulnerability Disclosure Account

[security bulletin] HPSBMA02477 SSRT090177 rev.2 - HP OpenView Network Node Manager (OV NNM), Remote Denial of Service (DoS) security-alert (Nov 19)
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01926980
Version: 2

HPSBMA02477 SSRT090177 rev.2 - HP OpenView Network Node Manager (OV NNM), Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2009-11-17
Last Updated: 2009-11-18

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response...

[security bulletin] HPSBPI02472 SSRT090196 rev.1 - Certain HP Color LaserJet Printers, Remote Unauthorized Access to Data, Denial of Service security-alert (Nov 19)
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01886100
Version: 1

HPSBPI02472 SSRT090196 rev.1 - Certain HP Color LaserJet Printers, Remote Unauthorized Access to Data, Denial of Service

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2009-11-18
Last Updated: 2009-11-18

Potential Security Impact: Remote unauthorized access to data, Denial of Service (DoS)

Source:...

[USN-860-1] Apache vulnerabilities Jamie Strandboge (Nov 19)
===========================================================
Ubuntu Security Notice USN-860-1 November 19, 2009
apache2 vulnerabilities
CVE-2009-3094, CVE-2009-3095, CVE-2009-3555
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu,...

Full Disclosure — An unmoderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately 80% of the posts are worthless drivel, so finding the gems takes patience.

Climategate: how the MSM rep orted the greatest scandal in modern science – Telegraph Blogs Ivan . (Nov 22)
hackers providing a public service......

http://blogs.telegraph.co.uk/news/jamesdelingpole/100017451/climategate-how-the-msm-reported-the-greatest-scandal-in-modern-science/

Re: Millions of PDF invisibly embedded with your internal disk paths Juha-Matti Laurio (Nov 22)
The local path is being disclosed with a simple query too without putting .HTM/.MHT to the string:
http://www.google.com/search?hl=en&q=filetype%3Apdf+file+c

Another issue is the disclosure of user names - you can simply find the author's full name John Smith from the pdf
document and see that his user name is josmith
(C:\Documents and Settings\josmith\Desktop\Misc)

By simply checking some documents from the same domain you'll see that...

Millions of PDF invisibly embedded with your internal disk paths Inferno (Nov 22)
Millions of PDF invisibly embedded with your internal disk paths
----------------------------------------------------------------

I found an interesting privacy issue while analyzing PDF files. This bug
occurs when you are using Internet Explorer to print locally saved web pages
as PDF and affects all IE versions including IE8. It does not matter which
PDF generation software you are using like Adobe Acrobat Professional,
CutePDF, PrimoPDF, etc...

HITB Security Conference 2010 Dubai Call for Papers Hafez Kamal (Nov 22)
The Call for Papers for HITB Security Conference 2010 Dubai is now open!

Talks that are more technical or that discuss new and never before seen
attack methods are of more interest than a subject that has been covered
several times before. Summaries not exceeding 1250 words should be
submitted (in plain text format) to cfp -at- hackinthebox.org for review
and possible inclusion in the programme.

Date: April 19th – 22nd 2010
Venue: Sheraton...

Vulnerabilities in plugins for WordPress MustLive (Nov 21)
Hello Full-Disclosure!

I want to tell you about different vulnerabilities in plugins for WordPress.
About some of them there were posts to Bugtraq list earlier.

This August I made a summary about all vulnerabilities in plugins for
WordPress (http://websecurity.com.ua/3397/), which I found during 2006-2009.

In this list 135 different vulnerabilities are mentioned in 20 plugins for
WordPress. Including Cross-Site Scripting, Insufficient...

[SECURITY] [DSA 1937-1] New gforge packages fix cross-site scripting Steffen Joeris (Nov 21)
------------------------------------------------------------------------
Debian Security Advisory DSA-1937-1 security () debian org
http://www.debian.org/security/ Steffen Joeris
November 21, 2009 http://www.debian.org/security/faq
------------------------------------------------------------------------

Package : gforge
Vulnerability : insufficient input sanitising
Problem type...

[ MDVSA-2009:302 ] php security (Nov 21)
_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:302
http://www.mandriva.com/security/
_______________________________________________________________________

Package : php
Date : November 21, 2009
Affected: 2010.0
_______________________________________________________________________

Problem Description:

Some vulnerabilities were...

Re: Pussy and the right to free speech. Sam Haldorf (Nov 20)
http://www.kurtgreenbaum.com/
http://www.kurtgreenbaumisapussy.com/

Damn. This dudes getting some serious blowback.

Why didn't someone take DidKurtGreenbaumRapeAndMurderAYoungGirlIn1990.com?

--- yuri.nate () hushmail com <yuri.nate () hushmail com> schrieb am Fr, 20.11.2009:

Von: yuri.nate () hushmail com <yuri.nate () hushmail com>
Betreff: [Full-disclosure] Pussy and the right to free speech.
An: full-disclosure () lists grok...

[ MDVSA-2009:301 ] kernel security (Nov 20)
_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:301
http://www.mandriva.com/security/
_______________________________________________________________________

Package : kernel
Date : November 20, 2009
Affected: Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Some...

ZDI-09-085: Hewlett-Packard Operations Manager Server Backdoor Account Code Execution Vulnerability ZDI Disclosures (Nov 20)
ZDI-09-085: Hewlett-Packard Operations Manager Server Backdoor Account Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-085
November 20, 2009

-- CVE ID:
CVE-2009-3843

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard OpenView Operations Manager for Windows

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital...

Re: Meet Kurt Greenbaum, Director of Social Media, St. Louis Post-Dispatch, Reports commenter to employer. Michael Holstein (Nov 20)
Vladis .. not sure about that school since it was K12, but in both your
case and mine .. we *are* the ISP (insofar as we have our own ASN and
valid info on whois).

If K12 is done there like I've seen in a lot of other places, they
probably have a consortium that provides connectivity and each
institution has a CIDR block within the consortium's AS .. and I'm sure
the school had some web-nazi appliance that made it a few-clicks of a
mouse...

VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components VMware Security Team (Nov 20)
-----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2009-0016
Synopsis: VMware vCenter and ESX update release and vMA patch
release address multiple security issue in third
party components
Issue date: 2009-11-20
Updated on: 2009-11-20 (initial release of advisory)
CVE numbers: --- JRE ---...

Pussy and the right to free speech. yuri . nate (Nov 20)
This whole thing is ridiculous. Kurt Greenbaum is an idiot. What
kind of question is that in the first place? Only and idiot would
post “what’s the strangest thing you’ve ever eaten” and not expect
some obvious remarks. And what’s wrong with pussy? Eating pussy
is good! I LOVE eating pussy! All they guys I know, along with
several women I know love to eat pussy. I eat pussy. You eat
pussy. Everyone eats pussy. That’s...

Re: Meet Kurt Greenbaum, Director of Social Media, St. Louis Post-Dispatch, Reports commenter to employer. Valdis . Kletnieks (Nov 20)
On Fri, 20 Nov 2009 01:42:08 +0100, netinfinity said:

Unfortunately, that's exactly what *did* happen. Although for *home*
users, the 'ISP' is the person to complain to, for organizations that run
their own networks (like many businesses and schools, etc) the proper place
to complain is the network management of that organization. He contacted
the admins of the school's network, and said "One of your users is being
a bozo". The...

PHP "multipart/form-data" denial of service Bogdan Calin (Nov 20)
Description
------------
PHP version 5.3.1 was just released. This release contains a patch for a
denial of service condition we've reported on 27 October 2009. The
problem is related with PHP's handling of RFC 1867 (Form-based File
Upload in HTML).

When you send a POST request to a PHP script with the content-type of
"multipart/form-data" and include a list of files in that request, PHP
will create a temporary file for each file from...

Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.

Replicating the Gonzalez Cyber Attacks through Penetration Testing Core Security (Nov 20)
--------------------------------------------------------------------------------
YOU'RE INVITED: IT SECURITY ON DEMAND WEBCAST

"Replicating the Gonzalez Cyber Attacks through Penetration Testing"
Register: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez
---------------------------------------------------------------------------------

Recently, we saw the indictment of cybercrime kingpin Albert Gonzalez, one...

Re: How do I find out what hop is not forwarding traffic on a specific port? Chris Brenton (Nov 20)
Agreed. Last host responding is usually the culprit. A little loose
source route trickery may also be helpful. I did a write up on both
techniques a while back located here:
http://www.chrisbrenton.org/2009/08/network-mapping-through-a-firewall-part-1/

HTH,
Chris

Re: How to detect process using ICMP egopfe (Nov 20)
sending out where?
Note that there are a lot of covert channel shell over ICMP. One stupid for example is:
http://billiejoex.altervista.org/Prj_Py_soicmp.shtml

Just analizing icmp would be difficult to identify what is happening, expecially if the payload is encrypted.

I think you machine is compromised. Grab out the HD, mount it read only on another machine and analize it with forensic
tools such Deft Linux.

regards,

Federico...

RE: How do I find out what hop is not forwarding traffic on a specific port? Billy Macdonald (Nov 20)
From Linux you can do this.

traceroute -T -p 80 www.google.com
traceroute -U -p 53 a.root-servers.net.

Note that the DNS one above seems to fail when it actually gets to the DNS server as it's not a valid packet and
therefore discarded by the server.

Good Luck

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Alex Fiuvertiz
Sent: Wednesday, November 18, 2009 3:11 PM
To:...

Re: How do I find out what hop is not forwarding traffic on a specific port? Jon Kibler (Nov 20)
Phunkodelic wrote:

What you want is hping:
http://www.hping.org/

Use something like:
hping --traceroute [--udp] -p DESTPORT DESTIP

I think Fyodor's new nping utility has similar capabilities, too.

Hope this helps!

Jon K

How to detect process using ICMP Tony Raboza (Nov 19)
Hi

I have a Linux server which I now is sending out strange ICMP traffic
to two hosts. My IDS (snort) told me that its a stacheldraht-dos. I
have checked on the server using tcpdump and indeed it is sending out
ICMP. Now, how do I found out which process is doing this? lsof so
far has not been successful.

Thanks.

Best,
Tony

------------------------------------------------------------------------
Securing Apache Web Server with thawte...

Re: How do I find out what hop is not forwarding traffic on a specific port? Alex Fiuvertiz (Nov 19)
Perhaps firewalk will solve that question? I'm not sure I completely
understood the problem, but if you're having a firewall/router in
front of a network and wants to map the firewall's rulebase than
perhaps firewalk could help.
But you will have to know a host on the inside network of the filtering devices.
The method will only work at level 3 firewalls/filtering devices.
You let firewalk calculate the TTL so that TTL is 1 when you get to
the...

Methodology Alex Fiuvertiz (Nov 19)
Hi Security-basics,

It seems like there are a lot of different methodologies out there
when it comes down to perfoming penetration tests.
But how often are people/pentesters out there use the
industry/official "standards" (se example list below)?
Are you/they using them mostly for the client's sake when writing
reports and to make sure you don't overlook anything?

Or are you ignoring them totally and just hack away and have your own...

Detecting Mutating Javascript TSS (Nov 18)
Hi,

I'm looking for people working on detecting mutating Javascript. I've
been working on detecting Javascript encoded in whitespace and
have come up with a few ideas so far:
* Signature detection on the decoder function (lame)
* Analyzing the whitespace to try to find encoded information (decent,
but difficult because there could be so many encoding schemes)
* Building character frequency maps from non-malicious Javascript
libraries and...

Re: Windows Service Accounts Henri Salo (Nov 17)
I would start by making a policy to expire passwords.

---
Henri Salo

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase,
install...

machine authentication on Cisco ACS marco gregorio (Nov 17)
Hi,

Does wpa_supplicant supports machine authentication? If so, how to
configure it?

More specifically, in Cisco's ACS, there is a setting called "Enable
machine access restrictions". Does wpa_supplicant support that?

Thanks,

Marco

Re: Two Factor - Virtual Private Network Nick Owen (Nov 16)
As for the last question, there are a number of options, though the
easiest will probably not be a 100% open source solution, because you
are going to an MS authentication server. What you really want to think
about is what VPN solutions work with what two-factor authentication
solutions using the authentication protocols in my environment.

I discussed this strategy in a recent webinar, which you can see here:...

WAP's with guest access and compatible with IAS Murad Talukdar (Nov 16)
Hi all,
Looking for some decent but cost consciously priced WAPs for a small office
training room.
I'm hoping to get one which has IAS/RADIUS compatible so that it can be used
in conjunction with AD.
But, if it can also have some kind of guest access that would be great.

Otherwise, if this is a security risk, I will setup two, one on a DMZ for
guests and one on a separate VLAN for the in-house users.

I'm looking at the LinksysWAP 2000 initially...

Re: Security Incident Handling / Organization Gleb Paharenko (Nov 16)
Hi, Tony!

I suggest you to start from defining roles and assigning them to
personnel. It is a good practice for security incidents to form ad-hoc
team, which should include IT/helpdesk specialist for technical work
and some one from management, who has enough power for administrative
actions. Later you can allocate a dedicated persons for a roles. For
strategic IT security initiatives you might want to form a security
committee (board) in the...

Windows Service Accounts Abo Sous (Nov 16)
Hi list,

Part of my new job, I'm cleaning up the accounts (both AD and local)
in a windows environment (~2000+ in all). Getting to the local
services accounts, i wonder if you would have some remediation
approach to track such accounts, remove unused ones, and, at a later
stage (long term), to manage those which are hard coded in 3rd party
applications or that need to be remain in the environment.

thanks,
./as...

Penetration Testing — While this list is intended for "professionals", participants frequenly disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.

Replicating the Gonzalez Cyber Attacks through Penetration Testing Core Security (Nov 20)
--------------------------------------------------------------------------------
YOU'RE INVITED: IT SECURITY ON DEMAND WEBCAST

"Replicating the Gonzalez Cyber Attacks through Penetration Testing"
Register: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez
---------------------------------------------------------------------------------

Recently, we saw the indictment of cybercrime kingpin Albert Gonzalez, one...

Re: password auditing Kevin L. Shaw, CISSP, GCIH (Nov 19)
Derek:

"an hour or two" is not going to give you a sufficient assessment.
Going through your 200K word dictionary a single time will probably take
longer than that. I would recommend a couple of things based on your
latest note, as well as this comment - without first an enforceable
policy in place; this is really like putting the cart before the horse.
However; I understand the reason why you are doing this so good luck -
but you...

Firewall Type Fingerprinting Zaki Akhmad (Nov 19)
Hello,

Can we do firewall type fingerprinting? With what tools? I want to
know the type of the firewall in front of the web server.

Pentest lab box 16 gigs of ram macubergeek (Nov 19)
All

I'm thinking of building a vmware target box for a pentest practice
lab consisting of:

cheap Dell server with 16 gigs of ram PowerEdge T105
vmware workstation

My question is with the host OS.
I was contemplating the home version of Windows 7 to give me a 64 bit
OS to support the amount of ram I'm planning on
Does anyone have any experience with the latest version of VMware
workstation and if it will run properly on Windows 7?

would...

Re: password auditing Anders Thulin (Nov 19)
Derek Robson wrote:

Be careful: don't fall into the all too common trap that any password that JtR
can crack must be a weak password.

And don't fall into the other trap that any password that contains upper and
lower case letters, digits and spcial characters and is at least 8 characters long
necessarily is a strong password. (This is the 'password policy' fallacy).

And don't assume that password strength alone is the entire truth....

Windows Internationalization? Jon Kibler (Nov 19)
Hi,

I have been approached about doing a pen test job that would involve a target
organization whose native character set is not ASCII. So, I have a few questions
and would appreciate some pointers to help me decide if I really want this
assignment.

Questions that immediately come to mind are:
1) On a Windows system that uses a non-ASCII character set (Chinese, Arabic,
Russian, etc.), how does that effect Windows?
-- Are registry key names...

VideoJak 2.0 Released Abhijeet Hatekar (Nov 19)
Sipera VIPER Lab has released VideoJak 2.0:

http://videojak.sourceforge.net

VideoJak is an IP Video security assessment tool that can target a video stream and/or video call in progress to play a
targeted malicious video clip, resulting in a DoS.
Some key features of the new VideoJak:

* IP Video Replay (as presented at ToorCon 11, DefCon 17)
* Media Blackhole attack.

We welcome all suggestions and feedbacks.

Thanks and Regards,

Abhijeet...

Re: password auditing JoePete (Nov 19)
A few observations:

One of the big reasons for password complexity is the ability to crack
them offline. Essentially, password policy reflects more on the
vulnerability of poorly secured systems (i.e. the ability to get at the
password store) than the feeble-mindedness of employees.

If your Internet facing services (email, intranet, VPN, etc) are a
concern, your best protection is not password complexity but account
lockout. Without account...

Re: Possible Milw0rm replacement? J.Hart, Elec.Eng.Tech. (Nov 19)
Nice.
Yes - it is a learning experience - I never expect the code to be
perfect - that wouldnt be any fun

Elle

CEH or OSCP? Vaibhav Kaushal (Nov 19)
Hi all,

I am really interested in hacking. I know I can learn on my own but I
would like to have a course guiding me properly rather than wandering
here and there for some stupid material.

I think C|EH is great but the OSCP is way better (I prefer being
practical). I went through the websites of both and as far as I have
understood, CEH is only for the professionals working in organizations.
Since I am just an undergraduate student as of...

Re: password auditing Derek Robson (Nov 17)
thanks to everyone for such a big responce.

many of you have pointed me to questions of our policy...
many of you have talked about haveing password quality inforced when
they are set....

we have no real policy around passwords, we have no standards, we do
no quality testing.
we dont force users to change passwords, some have had the same
password for many years.
some still have the default password.

this project is to get some real data about...

Re: password auditing Derek Robson (Nov 17)
as per my last post....

we have no policy for passwords, we plan on getting some policy and
inforcing it.
before we do this we want to get an overview of just how ugly things are.
we want to get real facts about how many users are using the default password.

in many of the meetings we have un-educated managers quoting "facts"
that they cant know until we do this project.

many of the IT staff are keen to get good password policy in...

Re: password auditing Tracy Reed (Nov 17)
On Tue, Nov 17, 2009 at 08:59:29AM -0600, Harris, Michael C. spake thusly:

Probably a good idea. Especially in a big corporation where things can
easily get out of control when the lawyers get their hands on
things. Learn the lesson of poor Randall Schwartz and his felony
convictions due to his work with Intel. In a smaller company (such as
mine) I wouldn't worry so much.

Might be a bit overkill but ok... Seems like all of the servers should
be...

Re: password auditing R. DuFresne (Nov 17)
Yes, this box needs to be locked down as tightly as possible. Afterall
that data it contains is delicate to say the least.

Secondly though, why do passwd's in this env not expire? And why are
there now requirements to force users to choose secure passwd's in the
first place?

Thanks,

Ron DuFresne

Re: Possible Milw0rm replacement? Pedro Drimel (Nov 17)
Note that now some of the applications are available to download
directly from their repositories which is awesome.

2009/11/17 Kevin L. Shaw, CISSP, GCIH <kshaw () eeenterprisesinc com>:

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration...

Info Security News — Carries news items (generally from mainstream sources) that relate to security.

Microsoft denies it built 'backdoor' in Windows 7 InfoSec News (Nov 20)
http://www.computerworld.com/s/article/9141182/Microsoft_denies_it_built_backdoor_in_Windows_7

By Gregg Keizer
Computerworld
November 19, 2009

Microsoft today denied that it has built a backdoor into Windows 7, a
concern that surfaced yesterday after a senior National Security Agency
(NSA) official testified before Congress that the agency had worked on
the operating system.

"Microsoft has not and will not put 'backdoors' into...

Re: FBI Suspects Terrorists Are Exploring Cyber Attacks InfoSec News (Nov 20)
Forwarded from: Richard Forno <rforno (at) infowarrior.org>

The second paragraph undermines the whole article, as such statements
tend to do in all articles warning of cyber or terrorist attacks, just
as any number of 'stories' citing some new DHS or FBI terror threat that
suddenly hits the airwaves periodically during the year.

This entire article simply says -er, repeats- that "terrorists may
consider cyber attacks."...

Bill Would Ban P2P Use By Federal Employees InfoSec News (Nov 20)
http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=221900107

By J. Nicholas Hoover
InformationWeek
November 18, 2009

Following a leaked document that disclosed ethics investigations of
members of Congress on a file sharing network, the chairman of the House
Oversight and Government Affairs Committee has introduced a bill that
would ban the use of public peer-to-peer networks by federal employees.

The Secure...

Crypto pioneer and security chief exits Sun InfoSec News (Nov 20)
http://www.theregister.co.uk/2009/11/19/diffie_leaves_sun/

By Gavin Clarke in San Francisco
The Register
19th November 2009

Crypto pioneer and Sun Microsystems' veteran chief security officer
Whitfield Diffie has left the company, with database-giant Oracle's
acquisition still in the air.

According to Technology Review, Diffie is slated to be a visiting
professor at Royal Holloway, University of London, after 18 years at
Sun, latterly in...

Palin Calls E-Mail Hack 'Most Disruptive' Campaign Event InfoSec News (Nov 20)
http://www.wired.com/threatlevel/2009/11/palin-hack-2

By Kim Zetter
Threat Level
Wired.com
November 18, 2009

Never mind the disastrous interview with Katie Couric or the blank
stares in response to Charlie Gibson's question about the Bush Doctrine.
Former vice presidential candidate Sarah Palin calls the hacking of her
Yahoo e-mail account "the most disruptive and discouraging" incident in
last year's presidential campaign....

The Perfect Holiday Gift For Any Security Pro: A Bruce Schneier Action Figure InfoSec News (Nov 20)
http://www.darkreading.com/security/management/showArticle.jhtml?articleID=221900184

By Tim Wilson
DarkReading
Nov 18, 2009

Move over, James Kirk and Luke Skywalker -- there's a new action figure
popping up on top of security professionals' computers -- and this one
is a real guy.

A miniature version of BT Counterpane security guru Bruce Schneier --
complete with beard and ponytail -- is now available from the That's My
Face site.

The...

FC 2010: Call for Posters. Accepted Papers. InfoSec News (Nov 20)
Forwarded from: Conference Mailer <noreply (at) moon.crypto.cs.stonybrook.edu>

Financial Cryptography and Data Security
Tenerife, Canary Islands, Spain
25-28 January 2010

http://fc10.ifca.ai

Dear Colleagues,

We would like to invite you to submit a poster (deadline extended to
December 3rd) and participate in the 2010 Financial Cryptography and
Data Security Conference, January 25-28, 2010 in Tenerife, Canary
Islands, Spain, a...

NSA helped with Windows 7 development InfoSec News (Nov 19)
http://www.computerworld.com/s/article/9141105/NSA_helped_with_Windows_7_development?taxonomyId=17

By Gregg Keizer
Computerworld
November 18, 2009

The National Security Agency (NSA) worked with Microsoft on the
development of Windows 7, an agency official acknowledged yesterday
during testimony before Congress.

"Working in partnership with Microsoft and elements of the Department of
Defense, NSA leveraged our unique expertise and...

PS3s used to capture child pornographers InfoSec News (Nov 19)
http://www.gamespot.com/news/6240562.html

By Tom Magrino
GameSpot
Nov 17, 2009

The PlayStation 3 has been used for a variety of altruistic tasks
following its launch in 2006. Perhaps the most high-profile of these
ventures is the Folding () home project, which uses spare processing power
from idling, networked PS3s to undertake the arduous task of simulating
protein folding in order to study the causes of various diseases.

The latest...

FBI Suspects Terrorists Are Exploring Cyber Attacks InfoSec News (Nov 19)
http://online.wsj.com/article/SB125850773065753011.html

By Siobhan Gorman
Wall Street Journal
November 19, 2009

The Federal Bureau of Investigation is looking at people with suspected
links to al Qaeda who have shown an interest in mounting an attack on
computer systems that control critical U.S. infrastructure, a senior
official told Congress Tuesday.

While there is no evidence that terrorist groups have developed
sophisticated...

Hackers descend upon defense website InfoSec News (Nov 19)
http://english.people.com.cn/90001/90782/90872/6817348.html

People's Daily Online
November 19, 2009

Hackers are trying to penetrate the website of China's Ministry of
National Defense and have made more than 2 million attacks on it within
one month since the site's launch three months ago, People's Daily
reported Wednesday.

The efforts are seen as a sign of the increasing vulnerability facing
China's official websites.

"Since the...

In-Q-Tel Invests In Cybersecurity Company InfoSec News (Nov 19)
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=221900133

By J. Nicholas Hoover
InformationWeek
November 18, 2009

The independent venture arm of the U.S. intelligence community,
In-Q-Tel, has invested in cybersecurity company FireEye, the company
announced Wednesday.

In-Q-Tel and FireEye didn't disclose terms of the agreement, or which
intelligence agencies are particularly interested in the technology....

Hospitals tighten security on patient data InfoSec News (Nov 19)
http://fcw.com/articles/2009/11/18/hospitals-beefing-up-cybersecurity-to-comply-with-hitech-survey-says.aspx

By Alice Lipowicz
FCW.com
Nov 18, 2009

More than half of the nation's hospitals and health care providers
surveyed intend to buy more cybersecurity tools to safeguard against
breaches of electronic medical records as a result of requirements in
the economic stimulus law, according to a new survey of 186 health care
providers and...

Pentagon expands exclusive deal with McAfee InfoSec News (Nov 19)
http://www.networkworld.com/news/2009/111809-pentagon-mcafee.html

By Carolyn Duffy Marsan
Network World
11/18/2009

The U.S. Defense Department is expanding its exclusive arrangement with
McAfee, whose security software is at the heart of the military's
cybersecurity efforts.

McAfee was selected three years ago for the Department of Defense's Host
Based Security System (HBSS), which provides standard intrusion
prevention and firewall...

Penetration Testing Grows Up InfoSec News (Nov 19)
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221900215

By Kelly Jackson Higgins
DarkReading
Nov 18, 2009

Penetration testing, once considered a risky practice for the enterprise
and even a tool for evil hacking purposes, is becoming more of an
accepted mainstream process in the enterprise mainly due to compliance
requirements and more automated, user-friendly tools -- and most
recently, the imminent...

Firewall Wizards — Tips and tricks for firewall administrators

Re: Message Labs A (Nov 17)
Yeah, its if you are using their mail-filtering service, for them to
be able to send you mail you have to allow the ip ranges.

Most people will lock down the router to only accept email from the
hosted security provider.. to reduce spam.

Aaron

\ /
Putting the F in BOFH!

2009/11/11 Brian Loe <knobdy () gmail com>:

Re: port scanning activity going up recently? Nate Itkin (Nov 17)
Overall illicit activity looks to be down slightly.
see: http://www.dshield.org/submissions.html (select sources, targets,
and reports for 2009)

Cheers,
Nate Itkin

Re: Message Labs shane brennan (Nov 17)
Hi

We use it in work. havent received any notification like that

Shane

Re: Network design change sai (Nov 15)
not good from a security point of view.

I would prefer to connect the routers, at the internet cloud level not the
DMZ level. I'd have the 2 core switches connected as you have.

2 reasons:
[1] gives me redundant internet connectivity in case one of the isps goes
down (assuming multiple isps and routing that can handle one link going
down)
[2] the DMZs should be separate. the more segments you have the better.
connecting the 2 at switch level...

Re: Network design change pkc_mls (Nov 15)
shadow floating a écrit :

If it's possible, I'd rather use a link between both firewalls
to connect the DMZ.

If you connect directly the dmz switches, and if someone can get access
to your dmz, he will get access to the other one as well, as there won't
be any filtering between the DMZs.

do the DMZ share the same network addresses ?

if not, just use an unused interface on each fw, connect both via a
link, then create some routes to allow...

Re: secure firewall rule management program Lan Li (Nov 15)
Athena Security also provides a cleanup tool/basic ops tool. Works with
Cisco, Check Point and Netscreen firewalls. Available for eval download at
http://www.athenasecurity.net/firepac_trial.html

Lan Li

-----Original Message-----

From: firewall-wizards-bounces () listserv icsalabs com

[mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Marcin
Antkiewicz

Sent: Thursday, November 05, 2009 10:52 PM

To: Firewall Wizards...

Re: OT, sorta: Breaking pipes? Kurt Buff (Nov 15)
We don't use perl/cgi here, but the example is instructive.

This issue at hand is for web browsing by clients - the newish manager
believes that it's just too annoying to add exceptions for the
misbehaving web sites. Of course, it's not just the pipe character.
It's also the other unsafe/unwise characters, and the URLs that are
longer than 1024 characters, etc.

At some point we may be hosting a web site locally, but that hasn't happened.

This...

Message Labs Brian Loe (Nov 15)
Anyone here using message labs? Have you received notice that you MUST
open up your firewall for 8 or so networks?

port scanning activity going up recently? Ken Fox (Nov 15)
Hi all -

Has anyone else noticed a recent spike in port scan activity over the last
few days?

I've been seeing some interesting traffic where multiple source addresses
are probing a number of the same high order destination ports from a small
set of source ports with a number of different but specific packet sizes.

e.g.: source port 3268 -> dest port 50572 packet size 48, 60, 64, and 52
egg: source port 3268...

Re: Network design change shadow floating (Nov 10)
Hi All,
My company has two sites in to 2 different locations that are
connected via high speed link at the core layer ( I've attached a
link to the diagram :
http://img18.imageshack.us/img18/77/questionhk.jpg for ease of
explanation)
in each site I've 1 DMZ , the network team wants to connect the DMZ
switches in both sites for better performance and "security" - the
link under investigation is shown in red in the picture - via...

Re: secure firewall rule management program Marcin Antkiewicz (Nov 10)
Hi Morty,

we are looking at the same, but we are looking for a cleanup/basic ops support
tool right now.

Would you mind sharing the dealbreaking requirements? I am wondering now
what, if anything we have missed.

Re: OT, sorta: Breaking pipes? Chris Myers (Nov 10)
Do you use Perl at all with CGI scripts? If so, this is just an
example of what might be done with anything written with custom
scripts. In this case, it is a specific vendor, but it could happen to
anyone who does not code diligently.

http://www.kb.cert.org/vuls/id/496064

Thank You,

Chris Myers
clmmacunix () charter net

John 1:17
For the Law was given through Moses; grace and truth were realized
through Jesus Christ.

Go Vols!!!!

Re: secure firewall rule management program Morty Abzug (Nov 05)
Thanks! We're looking both at Tufin (mentioned by Rainer Ginsberg)
and at Algosec (mentioned by one of our managers and by Rainer). The
current versions of both products fail to meet several of our
dealbreaking requirements. Both products are relatively new. We're
hopeful that a future version of one or both products will be what we
want.

- Morty

Re: secure firewall rule management program Matthias Leu (Nov 05)
Hi Morty,
have you had a look at Tufin SecureTrack and SecureChange Workflow?
It's not free, but quite good and I think your requirements are fulfilled.

It runs on Linux and is written by security professionals.
SecureTrack is connected to Check Point SmartCenter or MDS/CMA via
OPSEC, other vendors are supported too (e.g. Juniper, Cisco,
Fortinet,...).
Each 'save' gives a new revision, no 'install' necessary. So reports,
and above all, alerts...

OT, sorta: Breaking pipes? Kurt Buff (Nov 05)
All,

At $WORK I admin a nice Sidewinder. Works well. I like it, though I'm
not as fully trained on it as I'd like to be.

However, I'm seeing more complaints from end-users who are
encountering web sites that issue URLs with the pipe/vertical bar -
"|" - character embedded in them. The Sidewinder proxy denies it, as
is proper. The latest occurrence is a really stupid State government
web site that actually puts the pipe character at...

IDS Focus — Technical discussion about Intrusion Detection Systems. You can also read the archives of a previous IDS list

Replicating the Gonzalez Cyber Attacks through Penetration Testing Core Security (Nov 20)
--------------------------------------------------------------------------------
YOU'RE INVITED: IT SECURITY ON DEMAND WEBCAST

"Replicating the Gonzalez Cyber Attacks through Penetration Testing"
Register: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez
---------------------------------------------------------------------------------

Recently, we saw the indictment of cybercrime kingpin Albert Gonzalez, one...

CfP EWNI2010: 1st European Workshop on Internet Early Warning and Network Intelligence Till Dörges (Nov 12)
Hi all,

attached the CfP for the 1st European Workshop on Internet Early Warning and Network
Intelligence. If you have any questions please don't hesitate to contact me.

Regards -- Till

Re: Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Ray (Nov 02)
Although this also does not meet the PCI requirement, one thing you can do
to rapidly detect transient wireless access points is this:

1. Make sure your network default route leads to your firewall.
2. Monitor the firewall for internal devices trying to do NTP (time sync)
lookups.

This presumes you have an internal time server system and you have properly
configured your internal systems to not go to the Internet for time.

It works because...

Re: Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? brian_klumpp (Oct 30)
I realize this thread is a little old, but I did want to make a comment in regards to this. As a QSA, *wired* side
scanning alone would be insufficient to meet the intent of the PCI DSS 11.1 requirement. There is this quote from PCI
Council:

"Relying on wired side scanning tools (e.g. tools that scan suspicious hardware MAC addresses on switches) may identify
some unauthorized wireless devices; however, they tend to have high false...

Announcing pcapr Trends kowsik (Oct 01)
With the recent influx of pcaps, the number of protocols and pcaps are
getting to the point where interesting trend analysis makes sense. So
we set out to find the meaning of it all with multi-dimensional data
visualization using Motion Charts.

We wanted to find out
- How does the coverage and #pcaps for a given protocol trend over time?
- When was a protocol first introduced into pcapr?
- What is 42 and what does it have to do with packet...

Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.

Replicating the Gonzalez Cyber Attacks through Penetration Testing Core Security (Nov 20)
--------------------------------------------------------------------------------
YOU'RE INVITED: IT SECURITY ON DEMAND WEBCAST

"Replicating the Gonzalez Cyber Attacks through Penetration Testing"
Register: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez
---------------------------------------------------------------------------------

Recently, we saw the indictment of cybercrime kingpin Albert Gonzalez, one...

winAUTOPWN 2.0 - Introducing winAUTOPWN GUI - Now you can sleep QUAKER DOOMER (Nov 03)
Dear all,

After a long break and a lot of Unpolished SITA releases of the previous version,
I am finally releasing winAUTOPWN version 2.0

winAUTOPWN or WINDOWS AUTOPWN version 2.0 now has a GUI (winAUTOPWN_GUI.exe) to initiate the main
console winAUTOPWN.exe
winAUTOPWN now supports all console arguments which can also be fed interactively.
This version covers almost all remote exploits from 2009 start uptill October 2009. Though a few are...

[AntiSnatchOr] Eclipse BIRT <= 2.2.1 Reflected XSS Michele Orru (Oct 16)
Eclipse BIRT <= 2.2.1 Reflected XSS

Vendor: Eclipse
Advisory: http://antisnatchor.com/2008/12/18/eclipse-birt-reflected-xss/
Author: Michele "euronymous" Orrù (euronymous AT antisnatchor DOT com)

Quite a common problem in a lot of Java based applications: reflected
XSS in Java stack trace.

A Reflected XSS is present in the _report parameter: here below the modified
request (that is the BIRT 2.2.1 version included in Konakart...

Snitz Forums 2000 Multiple Cross-Site Scripting Vulnerabilities Andrea Fabrizi (Oct 16)
**************************************************************
Application: Snitz Forums 2000
Version affected: 3.4.07
Website: http://forum.snitz.com/
Discovered By: Andrea Fabrizi
Email: andrea.fabrizi () gmail com
Web: http://www.andreafabrizi.it
Vuln: Multiple Cross-Site Scripting
**************************************************************

###### PERMANENT XSS
If [sound] tag is allowed:

[sound]...

[BONSAI] XSS in Achievo - Customized XSS payload included Bonsai - Information Security (Oct 16)
Bonsai Information Security - Advisory
http://www.bonsai-sec.com/research/

Multiple XSS in Achievo

1. *Advisory Information*

Title: Multiple XSS in Achievo
Advisory ID: BONSAI-2009-0101
Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/achievo-multiple-xss-0101.txt
Date published: 2009-10-13
Vendors contacted: Achievo
Release mode: Coordinated release

2. *Vulnerability Information*...

WASC Announcement: 2008 Web Application Security Statistics Published announcements (Oct 16)
The Web Application Security Consortium (WASC) is pleased to announce
the WASC Web Application Security Statistics Project 2008. This
initiative is a collaborative industry wide effort to pool together
sanitized website vulnerability data and to gain a better understanding
about the web application vulnerability landscape.

The statistics was compiled from web application security assessment
projects which were made by the following companies in...

[AntiSnatchOr] Pentaho Bi-server multiple vulnerabilities Michele Orru (Oct 16)
Pentaho 1.7.0.1062 Multiple Vulnerabilities

Name Multiple Vulnerabilities in Pentaho
Systems Affected Pentaho <= 1.7.0.1062
Severity High
Impact (CVSSv2) High 7/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P)
Vendor http://www.pentaho.com
Advisory http://antisnatchor.com/2009/06/20/pentaho-1701062-multiple-vulnerabilities/
Authors Michele "euronymous" Orrù (euronymous AT antisnatchor DOT com)

Date 20081224

I. BACKGROUND...

[BONSAI] SQL Injection in Achievo Bonsai - Information Security (Oct 16)
Bonsai Information Security - Advisory
http://www.bonsai-sec.com/research/

SQL Injection in Achievo

1. *Advisory Information*

Title: SQL Injection in Achievo
Advisory ID: BONSAI-2009-0102
Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt
Date published: 2009-10-13
Vendors contacted: Achievo
Release mode: Coordinated release

2. *Vulnerability Information*...

WASC Announcement: Announcing the Web Application Security Scanner Evaluation Criteria v1 announcements (Oct 08)
The Web Application Security Consortium is pleased to announce the release
of version 1 of the Web Application Security Scanner Evaluation Criteria
(WASSEC). The goal of the WASSEC project is to create a vendor-neutral
document to help guide information security professionals during web
application scanner evaluations. The document provides a comprehensive list
of features that should be considered when conducting an evaluation. The
WASSEC...

FBController - (Facebook Control Utility) version 2.0 QUAKER DOOMER (Sep 15)
FBController - The Ultimate Utility to Control Facebook accounts without the
Password.

Let me clear this again like last time that this utility WON'T hack/crack Facebook accounts.
The utility will need biscuits/cookies instead of the password.

Get the target's cookie by sniffing, XSS, social engineering, ARP Poison-Sniffing,
scroogle search, anyhow !
Once you have the cookies you can use FBController and have Full control over the
target's...

Re: How to enable LDAP signing on client side Peter M. Jansson (Sep 15)
The goal of having the server sign LDAP results would be to give
confidence in the integrity if the answers. I don't understand what
the goal of having clients sign queries would be. If you use SSL, the
client-server exchange is kept confidential (subject to some
assumptions) and client-side certificates can be used by the server to
provide access control so rogue clients can't make requests.

How to enable LDAP signing on client side Jianrong Yu (Sep 15)
Hi All,

The link <http://support.microsoft.com/kb/935834> is the step the How to
enable LDAP signing in Windows Server 2008.

How to enable LDAP signing on client side?

Thanks,

Jianrong Yu
Systems Operation
Office of Information technology
Ohio University

nullcon Goa 2010 Call For Papers nullcon nullcon (Sep 13)
Calling all greyhats, whitehats, blackhats, rainbowhats, nohats,
underground, aboveground, in-the-sky, on-the-moon, Grannies,
Grandpas, martians, Doodhwalas, Kaamwalis, Bai, Bhai, Chuck norris Fans,
Mithun Da Fans, Himesh Reshamiya wannabees……..

Call For Paper is officially open for nullcon Goa 2010. It is time for
you to polish your paper, stick up an abstract and send it across.
A live demo/exploit/0day with the presentation might win you...

Running ratproxy from windows command prompt without installing cygwin dec123 (Sep 13)
Hi,
Can anybody tell me how to run ratproxy from windows comand prompt,without
installing cygwin.

Re: Web 2.0 support group Catherine Pagliaro (Sep 09)
The Payment Card Industry Security Standards and Payment Application Data
Security Standards attempt to get programmers to code securely. I
underline attempt. We as payment application developers must follow
owasp.org standards and common sense security best business practises for
developing any type of code, hardening servers and locking down network
systems,as well as assuring our physical environments are locked down to
maintain our PCI DSS...

Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

Re: Fedora 12 Fail Kees Cook (Nov 19)
I've seen variations on this sentence get repeated in a few places and I
think it's valuable to point out it should read as "Any _local_ user..."
(where "local" is defined by console-kit[1] -- see "ck-list-sessions"
command). This makes it a smaller scope of problem, but it should not
discourage anyone from reading the bug report anyway:
https://bugzilla.redhat.com/show_bug.cgi?id=534047

-Kees

[1]...

Re: Fedora 12 Fail dan (Nov 19)
Michael Graham writes:
-+--------------------
| "I don't particularly care how UNIX has always worked." has already
| turned into a new catchphrase around here.
|

Those who do not understand UNIX are condemned to reinvent it, poorly.

-- Henry Spencer, 1987

Re: Fedora 12 Fail Michael Graham (Nov 18)
"I don't particularly care how UNIX has always worked." has already
turned into a new catchphrase around here.

Fedora 12 Fail Dave Aitel (Nov 18)
Probably the best Linux thread in months:
https://www.redhat.com/archives/fedora-devel-list/2009-November/msg00945.html

To sum it up, Fedora 12 is defaulting to "Any user can install any
package from the repo and then exploit it to get root". So like, if
the repo signs something hilarious like "bob's vulnerable FTP
server.rpm", every Fedora 12 server is vulnerable. Unless you've
uninstalled PolicyKit or something else...

Re: "We're in the top of the league." Nate Lawson (Nov 13)
gold flake wrote:

The government is just a very large company. They experience the same
security problems as other big companies. I'm always annoyed to hear the
"we're under cyber attack via cyber warfare using cyber malware".

Please... you're under attack just like any other big company with
extremely valuable assets. You're not any more special than that. It's
possible the IRS is more valuable a target than Joe Random sergeant's PC.

Re: "We're in the top of the league." gold flake (Nov 12)
I am not from US and was for almost 10 years part of my government's
cyber security setup. I can vouch for the claims regarding "some
foreign power"'s attacks. These are systematic, planned and
relentless attacks that we also faced. The vector was spear phishing
in most cases and the thumb drive method was used to propagate the
malware to the internal segment. The malware called home (mostly
China) and downloaded backdoors,...

Re: "We're in the top of the league." Richard Bejtlich (Nov 12)
Aaron and everyone,

If anyone has doubts, or just wants to read some excellent
unclassified reporting on advanced persistent threat, please check out
this report by Northrop Grumman:

http://taosecurity.blogspot.com/2009/10/report-on-chinese-government-sponsored.html

Sincerely,

Richard

Re: "We're in the top of the league." Dobbins, Roland (Nov 09)
Here's a pretty accurate assessment of the 60 Minutes story, IMHO:

<http://erratasec.blogspot.com/2009/11/brazil-outage-not-caused-by-hackers.html
>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

a brief interlude between exploits dave (Nov 09)
There's been a lot happening in the world, and usually everyone is too
busy to comment on it. Exploit devs sometimes think of the world as the
dark troughs in a storm ocean, where the peaks are the sudden insights
of truth provided by a really good exploit, where all of a sudden you
can see for miles. Or maybe I just made all that up. In any case:

CBS says that someone turned off Brazilian power using cyber attack:...

"We're in the top of the league." Aaron (Nov 09)
Anyone else catch the 60-minutes story about Cyber warfare? There are a lot of interesting anecdotes from Admiral Mike
McConnell (described in the story as the former top spy of the nation), Jim Lewis (director of the Center for Strategic
and International Studies), and Jim Gosler.

Some of the more WTF things admitted were:
- "Some foreign power" was able to penetrate the Pentagon by leaving infected thumbnail drives where military...

MITM Attack on Smartphones whitepaper Mayank Aggarwal (Nov 05)
SMobile has released a detailed report on research indicating that smartphone users are just as susceptible to
man-in-the-middle (MITM) attacks as PC users. This report details the results of attempts to produce MITM attacks to
determine whether it is possible to intercept SSL encrypted communications between various smartphone devices and
servers. Of the devices that were tested, each of the major smartphone operating systems appeared to lack...

Re: PrevX and other projects Shane Macaulay (Oct 30)
The chart on their main page would be a lot more compelling if they had
conversely applied whatever method they used to collect that information.

""""These statistics are provided to show that all vendors miss threats
and cannot be interpreted to compare the effectiveness of one product to
another."""""

That seems to indicate they would show us their failure rate when
compared to these vendors? And...

PrevX and other projects dave (Oct 28)
So you can read one Immunity deliverable linked here:
http://www.prevx.com/ (look for "Independent Review").

Likewise, if you have wondered where all the Immunity Debugger scripts
ran off to, they were on the old Immunity Forum. We ripped the old forum
content out of the old database and imported into the new hotness, so
you can seem them all here:
https://forum.immunityinc.com/. I don't think Google spiders HTTPS sites
for some reason...

B. Aggressive. B. E. Aggressive. (or "One 0day is enough") dave (Oct 27)
When you go into security consulting engagements with a new business
unit you usually face a few questions from the developers and business
owners. "What is it exactly that you're going to tell us?"

We always answer this the same way: "Things that will surprise you."

Most developers have read a lot about security these days - they
understand SQL Injection, Cross Site Scripting, access control, not to
use their own...

Last mile || InfoSys 2010 [ICAS, ICNS, INTENSIVE, LMPCNA] March 7-13, 2010 - Cancun, Mexico Jaime Lloret Mauri (Oct 26)
Last mile || InfoSys 2010 [ICAS, ICNS, INTENSIVE, LMPCNA] March 7-13,
2010 - Cancun, Mexico

INVITATION

Note that we are entering the last few days of submission for the events
collocated in Cancun, Mexico

Please consider to contribute and encourage your team members and fellow
scientists to contribute to the following federated events.

The submission deadline has now been moved to November 1, 2009.

Publisher: CPS ( see:...

Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.

nullcon Goa 2010 Call For Papers nullcon nullcon (Sep 27)
Calling all greyhats, whitehats, blackhats, rainbowhats, nohats,
underground, aboveground, in-the-sky, on-the-moon, Grannies, Grandpas,
martians, Doodhwalas, Kaamwalis, Bais, Bhais, Chuck norris Fans,
Mithun Da Fans, Himesh Reshamiya wannabees……..

Call For Paper is officially open for nullcon Goa 2010. It is time for
you to polish your paper, stick up an abstract and send it across. A
live demo/exploit/0day with the presentation might win...

Sebek issues with windows XP/Vista dharm (Sep 24)
Hello ,
Did anybody tried running sebek on windows vista as a
honeypot ? i am trying to install sebek on windows XP /Vista
environment and getting DOB screen error. Any ideas would be
appreciated .
Thanks

Workshop on the Analysis of System Logs - Oct 14 - Call for Participation Greg Bronevetsky (Sep 01)
Workshop on the Analysis of System Logs (WASL) 2009
http://www.systemloganalysis.com
Call for Participation

===============================
October 14, 2009
Big Sky, MT
(at SOSP)
===============================

--------------------------------------------------------------------------

System...

Re: Send strace output through syslog-ng BB () umd (Aug 05)
Well I did not think about this, but it seems to be a great idea. Thanks a
lot.

However, I decided to open a new port and to send syslog data through it so
that it is really easy to administrate. It works great.

Thanks for your help,

Regards,

BB () umd wrote:

Re: Send strace output through syslog-ng Gergely Révay (Aug 05)
Hi,

First of all there is no filter for strace. My first idea for your
problem was to open a new port on the server just for strace, but it's
understandable if you don't want to do it. Also the idea of Chris
sounds good as well if you don't use the facility field generally. But
a third solution that I've found is the following:

You should create a separate log path for the strace output which
should read the logs from the file and replace the...

Re: Send strace output through syslog-ng Chris Brenton (Aug 04)
Hey man,

What about something like:
tail -f /var/log/strace.log | logger -p <facility> &

In the above command you need to specify an unused facility. Then on the
server simply tell syslog-ng which file it should use for storing log
entries with the above specified facility (this can be a new unique
file).

You are suppose to use one of the "local use" facilities for stuff like
this, but I run into conflicts far too often....

Send strace output through syslog-ng BB () umd (Aug 04)
Good afternoon.

I have a honeypot which syslog-ng running. I configured it so that it can
send all the log files to a remote web server. (So that mean I have already
configured syslog-ng on this web server too) No matter with that, it works
great.

Then, on my honeypot, I have a strace command attached to my ssh server. It
gathers strace outputs in a strace.log file. Here is this command :
strace -f -q -p `cat /var/run/sshd.pid` -o...

Running Honeyd on interface IP Evgeniy Arbatov (Jul 22)
Hello,

I have a question concerning the configuration of Honeyd IP address.

I want to make my honeypot visible by the IP address of host computer interface.
I have the following setup, within the same physical host:

1.1.1.1 (interface IP)-> 2.2.2.2 (honeyd IP)

So if I ssh to the honeyd, I want to ssh to 1.1.1.1.

I guess this is something that can be done with iptables, for example like this:

iptables -A FORWARD -s 1.1.1.1 -p tcp --dport...

Extended deadline: Monday, July 6th. Workshop on the Analysis of System Logs (WASL) 2009 Greg Bronevetsky (Jul 01)
Due to multiple requests, the paper submission deadline for the Workshop
on the
Analysis of System Logs has been moved to Monday, July 6th.

Workshop on the Analysis of System Logs (WASL) 2009
http://www.systemloganalysis.com Call for Papers

===============================
October 14, 2009
Big Sky, MT
(at SOSP)...

MS Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products -- note how most have a prominent and often-misleading "mitigating factors" section.

Microsoft Security Bulletin Major Revisions Microsoft (Nov 10)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: November 10, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-051 - Critical
* MS09-045 - Critical

Bulletin Information:
=====================

*...

Microsoft Security Bulletin Summary for November 2009 Microsoft (Nov 10)
********************************************************************
Microsoft Security Bulletin Summary for November 2009
Issued: November 10, 2009
********************************************************************

This bulletin summary lists security bulletins released for
November 2009.

The full version of the Microsoft Security Bulletin Summary for
November 2009 can be found at...

Microsoft Security Bulletin Advance Notification for November 2009 Microsoft (Nov 05)
********************************************************************
Microsoft Security Bulletin Advance Notification for November 2009
Issued: November 5, 2009
********************************************************************

This is an advance notification of security bulletins that
Microsoft is intending to release on November 10, 2009.

The full version of the Microsoft Security Bulletin Advance
Notification for November 2009 can be found...

Microsoft Security Bulletin Major Revisions Microsoft (Nov 03)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: November 2, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-054 - Critical

Bulletin Information:
=====================

* MS09-054 - Critical

-...

Microsoft Security Bulletin Major Revisions Microsoft (Oct 28)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: October 28, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-062 - Critical

Bulletin Information:
=====================

* MS09-062 - Critical

-...

Microsoft Security Bulletin Major Revisions Microsoft (Oct 27)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: October 27, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-043 - Critical

Bulletin Information:
=====================

* MS09-043 - Critical

-...

Microsoft Security Bulletin Summary for October 2009 Microsoft (Oct 13)
********************************************************************
Microsoft Security Bulletin Summary for October 2009
Issued: October 13, 2009
********************************************************************

This bulletin summary lists security bulletins released for
October 2009.

The full version of the Microsoft Security Bulletin Summary for
October 2009 can be found at
http://www.microsoft.com/technet/security/bulletin/ms09-oct.mspx....

Microsoft Security Bulletin Major Revision Microsoft (Sep 09)
********************************************************************
Title: Microsoft Security Bulletin Major Revision
Issued: September 9, 2009
********************************************************************

Summary
=======
The following bulletin has undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-048 - Critical

Bulletin Information:
=====================

* MS09-048 - Critical

-...

Microsoft Security Bulletin Summary for September 2009 Microsoft (Sep 08)
********************************************************************
Microsoft Security Bulletin Summary for September 2009
Issued: September 8, 2009
********************************************************************

This bulletin summary lists security bulletins released for
September 2009.

The full version of the Microsoft Security Bulletin Summary for
September 2009 can be found at...

Microsoft Security Bulletin Major Revisions Microsoft (Aug 25)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: August 25, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-044 - Critical
* MS09-029 - Critical

Bulletin Information:
=====================

*...

Microsoft Security Bulletin Major Revisions Microsoft (Aug 11)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: August 11, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-035 - Moderate
* MS09-029 - Critical

Bulletin Information:
=====================

*...

Microsoft Security Bulletin Summary for August 2009 Microsoft (Aug 11)
********************************************************************
Microsoft Security Bulletin Summary for August 2009
Issued: August 11, 2009
********************************************************************

This bulletin summary lists security bulletins released for
August 2009.

The full version of the Microsoft Security Bulletin Summary for
August 2009 can be found at
http://www.microsoft.com/technet/security/bulletin/ms09-aug.mspx....

Microsoft Security Bulletin Major Revisions Microsoft (Aug 06)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: August 4, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-034 - Critical

Bulletin Information:
=====================

* MS09-034 - Critical

-...

Microsoft Security Bulletin Summary for July 2009 Microsoft (Jul 28)
********************************************************************
Microsoft Security Bulletin Summary for July 2009
Issued: July 28, 2009
********************************************************************

This bulletin summary lists out-of-band security bulletins released
on July 28, 2009.

The full version of the Microsoft Security Bulletin Summary for
July 2009 can be found at...

Microsoft Security Bulletin Summary for July 2009 Microsoft (Jul 14)
********************************************************************
Microsoft Security Bulletin Summary for July 2009
Issued: July 14, 2009
********************************************************************

This bulletin summary lists security bulletins released for
July 2009.

The full version of the Microsoft Security Bulletin Summary for
July 2009 can be found at
http://www.microsoft.com/technet/security/bulletin/ms09-jul.mspx.

With the...

Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community

Re: man-made swine-bird flu, what could POSSIBLY go wrong? Valdis . Kletnieks (Nov 21)
On Fri, 20 Nov 2009 18:15:35 EST, Marc said:

RFC1925, setion 2.3.

talk about an embarrassing breach... Gadi Evron (Nov 21)
http://www.examiner.com/x-25061-Climate-Change-Examiner~y2009m11d20-ClimateGate--Climate-centers-server-hacked-revealing-documents-and-emails

Re: Rethinking FUNSEC Rich Kulawiec (Nov 21)
Yeah, me too. I've never suffered fools [1] gladly, and my patience
with them continues to get shorter every year. This really sucks when
I'm (sporadically) one of them.

---Rsk

[1] By which I mean people who have deliberately made themselves ignorant
and stupid. There are sick or disabled people who don't have a choice,
and they deserve a different reaction: compassion and admiration.

Re: Nice, Gadi Gadi Evron (Nov 21)
Alex Eckelberry wrote:

That's actually Randy. :)

Re: Rethinking FUNSEC Dragos Ruiu (Nov 20)
heh.

cheers,
--dr

Nice, Gadi Alex Eckelberry (Nov 20)
http://www.isotf.org/?page_value=13223

Re: Rethinking FUNSEC chris (Nov 20)
--- On Fri, 11/20/09, Nick FitzGerald <nick () virus-l demon co uk> wrote:

It's working so far...

;~)

-chris

Re: man-made swine-bird flu, what could POSSIBLY go wrong? Marc (Nov 20)
Swine-bird Flu - sure - when pigs fly

Sorry - it was too easy - if this by someone before me, I missed it and
apologize twice.

Re: Rethinking FUNSEC Nick FitzGerald (Nov 20)
Chris Blask to Remo Cornali:

Well I'm offended that you won't tell us!

Regards,

Nick FitzGerald

Re: Onstar - throwing the baby out with the bath water Robert Graham (Nov 20)
Oh, god, I hate that. People who fail to recognize irony are such bombastic morons. Sorry.

Re: Rethinking FUNSEC Robert Graham (Nov 20)
If there was one piece of advice I could give young people, this would be it.

"You know people a few years younger than you seem like immature pricks? Well, in a few years, you are going to think
people the age you are now are immature pricks. Remember this when you post things online: it all gets archived, but
people can't tell the difference between the immature prick you were then and the thoughtful mature person you are now."

In...

Re: Rethinking FUNSEC Richard Golodner (Nov 20)
Remo actually wrote this.

I think that should be the new slogan for Windows 7 and Remo should get
paid by Micro$oft.
Richard

Re: man-made swine-bird flu, what could POSSIBLY go wrong? Paul M. Moriarty (Nov 20)
Meh. I'm waiting for man-bear-pig flu.

Re: Rethinking FUNSEC Alex Eckelberry (Nov 20)
Where is Brian Loe these days???

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]

I just looked back to my oldest funsec postings: god I was a cranky
prick! My apologies to anyone I offended then who I wouldn't still want
to offend today.

-chris

Re: Onstar - throwing the baby out with the bath water Alex Eckelberry (Nov 20)
Florian's message, I believe, was rich with irony...

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]

Um, no.

That's like letting fire insurance lapse, and then calling up the
insurance company asking to reinstate it as you are standing outside in
your pajamas watching your house burn down. Like insurance, OnStar uses
the money from people who DON'T need the service to pay to support...

CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, bulletins, tips, and current activity lists.

Cyber Security Tip ST04-016 -- Recognizing and Avoiding Spyware US-CERT Security Tips (Nov 19)
National Cyber Alert System
Cyber Security Tip ST04-016

Recognizing and Avoiding Spyware

Because of its popularity, the internet has become an ideal target for
advertising. As a result, spyware, or adware, has become increasingly
prevalent. When troubleshooting problems with your computer, you may
discover that the source of the problem is spyware software that has been
installed on your machine without your knowledge....

SB09-320 -- Vulnerability Summary for the Week of November 9, 2009 US-CERT Security Bulletins (Nov 16)
Vulnerability Summary for the Week of November 9, 2009

This bulletin provides a summary of new vulnerabilities that have been
recorded by the National Institute of Standards and Technology (NIST)
National Vulnerability Database (NVD) the week of November 9, 2009. It is
available here:

http://www.us-cert.gov/cas/bulletins/SB09-320.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit <...

Current Activity - Microsoft Releases Security Advisory 977544 Current Activity (Nov 16)
US-CERT Current Activity

Microsoft Releases Security Advisory 977544

Original release date: November 16, 2009 at 9:21 am
Last revised: November 16, 2009 at 9:21 am

Microsoft has released security advisory 977544 to address a
vulnerability in the Server Message Block (SMB) protocol. This
vulnerability may allow an attacker to cause a denial-of-service
condition. This vulnerability only affects Windows 7 and Server 2008
software.

US-CERT...

Current Activity - Apple Releases Safari 4.0.4 Current Activity (Nov 12)
US-CERT Current Activity

Apple Releases Safari 4.0.4

Original release date: November 12, 2009 at 8:08 am
Last revised: November 12, 2009 at 8:08 am

Apple has released Safari 4.0.4 to address multiple vulnerabilities in
a number of components. Exploitation of these vulnerabilities may
allow an attacker to execute arbitrary code, cause a denial-of-service
condition, conduct cross-site request forgery, or obtain sensitive
information. These...

TA09-314A -- Microsoft Updates for Multiple Vulnerabilities US-CERT Technical Alerts (Nov 10)
National Cyber Alert System

Technical Cyber Security Alert TA09-314A

Microsoft Updates for Multiple Vulnerabilities

Original release date:
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Windows and Windows Server
* Microsoft Office Word and Excel

Overview

Microsoft has released updates to address vulnerabilities in
Microsoft Windows and Windows Server and Office...

Current Activity - Microsoft Releases November Security Bulletin Current Activity (Nov 10)
US-CERT Current Activity

Microsoft Releases November Security Bulletin

Original release date: November 10, 2009 at 1:50 pm
Last revised: November 10, 2009 at 1:50 pm

Microsoft has released an update to address vulnerabilities in
Microsoft Windows and Office as part of the Microsoft Security
Bulletin Summary for November 2009. These vulnerabilities may allow an
attacker to execute arbitrary code, cause a denial-of-service
condition, or operate...

Current Activity - Apple Releases Mac OS X v10.6.2 and Security Update 2009-006 Current Activity (Nov 10)
US-CERT Current Activity

Apple Releases Mac OS X v10.6.2 and Security Update 2009-006

Original release date: November 10, 2009 at 8:02 am
Last revised: November 10, 2009 at 8:02 am

Apple has released Mac OS X v10.6.2 and Security Update 2009-006 to
address multiple vulnerabilities in a number of applications. These
vulnerabilities may allow an attacker to execute arbitrary code, cause
a denial-of-service condition, conduct a man-in-the-middle...

SB09-313 -- Vulnerability Summary for the Week of November 2, 2009 US-CERT Security Bulletins (Nov 09)
Vulnerability Summary for the Week of November 2, 2009

This bulletin provides a summary of new vulnerabilities that have been
recorded by the National Institute of Standards and Technology (NIST)
National Vulnerability Database (NVD) the week of November 2, 2009. It is
available here:

http://www.us-cert.gov/cas/bulletins/SB09-313.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit <...

Current Activity - SSL and TLS Vulnerable to Man-in-the-middle Attacks Current Activity (Nov 06)
US-CERT Current Activity

SSL and TLS Vulnerable to Man-in-the-middle Attacks

Original release date: November 6, 2009 at 7:01 pm
Last revised: November 6, 2009 at 7:01 pm

US-CERT is aware of reports of publicly available exploit code for a
vulnerability within the SSL and TLS protocols. Reports indicate that
exploitation of this vulnerability may allow an attacker to conduct a
man-in-the-middle attack, allowing an attacker to inject plaintext...

Current Activity - Microsoft Releases Advance Notification for November Security Bulletin Current Activity (Nov 05)
US-CERT Current Activity

Microsoft Releases Advance Notification for November Security Bulletin

Original release date: November 5, 2009 at 4:17 pm
Last revised: November 5, 2009 at 4:17 pm

Microsoft has issued a Security Bulletin Advance Notification
indicating that its November release cycle will contain six bulletins,
three of which will have a severity rating of Critical. The
notification states that these Critical bulletins are for...

Current Activity - BlackBerry Desktop Manager Vulnerability Current Activity (Nov 05)
US-CERT Current Activity

BlackBerry Desktop Manager Vulnerability

Original release date: November 5, 2009 at 8:45 am
Last revised: November 5, 2009 at 8:45 am

Research in Motion has released Security Advisory KB19701 to address a
vulnerability in BlackBerry Desktop Manager. This vulnerability may
allow an attacker to execute arbitrary code.

US-CERT encourages users to review BlackBerry Security Advisory
KB19701 and apply any necessary...

Cyber Security Tip ST04-015 -- Understanding Denial-of-Service Attacks US-CERT Security Tips (Nov 04)
Cyber Security Tip ST04-015
Understanding Denial-of-Service Attacks

You may have heard of denial-of-service attacks launched against websites,
but you can also be a victim of these attacks. Denial-of-service attacks can
be difficult to distinguish from common network activity, but there are some
indications that an attack is in progress.

What is a denial-of-service (DoS) attack?

In a...

Current Activity - Adobe Releases Update for Shockwave Player Current Activity (Nov 04)
US-CERT Current Activity

Adobe Releases Update for Shockwave Player

Original release date: November 4, 2009 at 9:04 am
Last revised: November 4, 2009 at 9:04 am

Adobe has released Shockwave Player 11.5.2.602 to address multiple
vulnerabilities. Exploitation of these vulnerabilities may allow an
attacker to run malicious code on the user's machine.

US-CERT encourages users and administrators to review Adobe security
bulletin APSB09-16 and...

Current Activity - Sun Releases Update 17 for Java SE 6 Current Activity (Nov 04)
US-CERT Current Activity

Sun Releases Update 17 for Java SE 6

Original release date: November 4, 2009 at 9:04 am
Last revised: November 4, 2009 at 9:04 am

Sun has released update 17 for Java SE JDK 6 and Java SE JRE 6 to
address multiple vulnerabilities. The impacts of these vulnerabilities
include arbitrary code execution, privilege escalation, denial of
service, and information disclosure.

US-CERT encourages users and administrators to...

SB09-306 -- Vulnerability Summary for the Week of October 26, 2009 US-CERT Security Bulletins (Nov 02)
Vulnerability Summary for the Week of October 26, 2009

This bulletin provides a summary of new vulnerabilities that have been
recorded by the National Institute of Standards and Technology (NIST)
National Vulnerability Database (NVD) the week of October 26, 2009. It is
available here:

http://www.us-cert.gov/cas/bulletins/SB09-306.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit <...

Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community

Re: CVE request: php 5.3.1 update security curmudgeon (Nov 21)
: PHP was updated to version 5.3.1 and did also address security
: issues: http://www.php.net/releases/5_3_1.php
:
: Security Enhancements and Fixes in PHP 5.3.1:
:
: * Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20
by default, to prevent possible DOS via temporary file exhaustion.
: * Added missing sanity checks around exif processing.

This was previously...

CVE request: awstats Craig (Nov 21)
Hi,

I think there isn't a CVE for this issues - which was fixed in 6.95 -
yet (quote from http://awstats.sourceforge.net/docs/awstats_changelog.txt):

- Fix security in awredir.pl script by adding a security key required by
default.
- Enhance security of parameter sanitizing function

best regards,

Craig

Re: CVE Request - MySQL - 5.0.88 Sergei Golubchik (Nov 21)
Hi, Jan!

...

Yes.

Yes.

No, looks safe. It reads one byte and thinks it's a bool:

class Field_num ... { ...
bool unsigned_flag;

while it's somewhere in the middle of a pointer:

class Field_bit ... { ...
uchar *bit_ptr;

The worst that can happen - MySQL could think the value is signed (BIT
values are always unsigned) and during the optimization phase won't
notice that the condition like "unsigned_value > negative_number"...

CVE Request - MySQL - 5.0.88 Jan Lieskovsky (Nov 21)
Hi Josh, Steve, vendors,

MySQL upstream has released latest 5.0.88 version of their Community Server,
fixing one security issue:

Security Fix: MySQL clients linked against OpenSSL did not
check server certificates presented by a server linked against
yaSSL. (Bug#47320: http://bugs.mysql.com/47320)

While the other two (three issues) looks too to be security relevant:

* Error handling was missing for SELECT...

CVE Request - Dovecot - 1.2.8 Jan Lieskovsky (Nov 21)
Hi Josh, Steve, vendors,

Dovecot upstream has released latest 1.2.8 version, fixing
one security issue. Quoting from news:

This is mainly to fix the 0777 base_dir creation issue, which could be
considered a security hole, exploitable by local users. An attacker
could for example replace Dovecot's auth socket and log in as other
users. Gaining root privileges isn't possible though.

This affects only v1.2 users, v1.1 and older versions were...

Re: CVE request: php 5.3.1 update Eren Türkay (Nov 20)
Bogdan Calin disclosed the details about that vulnerability on full-disclosure
mailing list. He didn't disclosed his script but I wrote a PoC that works like
a charm. It makes DoS possible for any server that runs PHP within 1 minute
with a few requests.

Additionally, this vulnerability affects 5.2.11. I guess all products before
PHP 5.3.1 are vulnerable.

I think this deserves CVE Id. Any ideas?

CVE Assignment nginx Josh Bressers (Nov 20)
I've not seen a CVE id for this one anywhere:

CVE-2009-3896

engine x (nginx) contains a null pointer dereference flaw in versions
0.1.0-0.8.13 before versions 0.8.14, 0.7.62, 0.6.39 and 0.5.38.

http://nginx.net/
http://marc.info/?l=nginx&m=125692080328141&w=2
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552035
http://www.debian.org/security/2009/dsa-1920

Thanks

Re: CVE request: php 5.3.1 update Tomas Hoger (Nov 20)
Link to announcement mail with CVEs:

http://news.php.net/php.announce/79

Reading the upstream bug http://bugs.php.net/bug.php?id=50063 , this is
not a security flaw, rather a safe_mode regression causing uid check to
happen where it should not resulting in over-restrictive safe_mode.

Some links for the other two issues:

http://securityreason.com/securityalert/6601
http://svn.php.net/viewvc?view=revision&revision=288945...

CVE request: v1.2.8 released to fix the 0777 base_dir creation issue Thomas Biege (Nov 20)
Hello.

http://www.dovecot.org/list/dovecot-news/2009-November/000143.html

http://dovecot.org/releases/1.2/dovecot-1.2.8.tar.gz
http://dovecot.org/releases/1.2/dovecot-1.2.8.tar.gz.sig

This is mainly to fix the 0777 base_dir creation issue, which could be
considered a security hole, exploitable by local users. An attacker
could for example replace Dovecot's auth socket and log in as other
users. Gaining root privileges isn't possible though....

Re: CVE request: php 5.3.1 update Joe Orton (Nov 20)
We assigned some CVE names for the new issues here; two correspond to
existing issues fixed earlier in 5.2.11. The CVE names have not made it
to the web site but were used in the e-mail announcement text:

- Added missing sanity checks around exif processing. (CVE-2009-3292, Ilia)
- Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak.
(CVE-2009-3557, Rasmus)
- Fixed a open_basedir bypass in posix_mkfifo() identified by...

CVE request: php 5.3.1 update Thomas Biege (Nov 20)
Hello,

PHP was updated to version 5.3.1 and did also address security
issues: http://www.php.net/releases/5_3_1.php

Security Enhancements and Fixes in PHP 5.3.1:

* Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by
default, to prevent possible DOS via temporary file exhaustion.
* Added missing sanity checks around exif processing.
* Fixed a safe_mode bypass...

CVEs for nginx Craig (Nov 19)
Hi,

are the CVEs for

1.) nginx webdav: http://secunia.com/advisories/36818/

2.) nginx Null Pointer dereference:
http://sysoev.ru/nginx/patch.null.pointer.txt

3.) nginx SSL Renegotiation: http://sysoev.ru/nginx/patch.cve-2009-3555.txt

I know the last one contains a CVE number, nginx uses openssl and the
patch will disable renegotiation, maybe this deserves an own CVE?

Best regards,

Craig

mysql-5.1.41 Oden Eriksson (Nov 19)
Hello.

The new mysql release mentions two security issues that has been addressed,
anyone knows more about that? I guess it would need some CVE assignment as
well.

http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html

CVE assignment (libexif) Josh Bressers (Nov 19)
I'm giving libexif CVE-2009-3895. I've not seen an ID for this yet.

Only libexif version 0.6.18 is affected, all other versions are safe.

http://article.gmane.org/gmane.comp.graphics.libexif.devel/806
http://bugs.gentoo.org/show_bug.cgi?id=293190

Thanks.

CVE request: kernel: fuse: prevent fuse_put_request on invalid pointer Eugene Teo (Nov 19)
"fuse_direct_io() has a loop where requests are allocated in each
iteration. if allocation fails, the loop is broken out and follows into
an unconditional fuse_put_request() on that invalid pointer."

Upstream commit:
http://git.kernel.org/linus/f60311d5f7670d9539b424e4ed8b5c0872fc9e83

This can be triggered when the system is low on memory, and when the
fuse_request_alloc() function called from fuse_get_req() fails. The...

NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.

Re: Smartcard and non-password methods (was Re: Password repository) Sean Donelan (Nov 22)
Yep, there are lots of potential technologies out there. I've also
implemented several on your list. I'm trying to stay neutral about the
technology, as long as it works. I suppose my question was more about
market share/mind share. Figure out where everyone else is already go, and
then get in front of that :-).

So where is the market going beyond passwords?

RE: backupdns.com down? Brian Dickson (Nov 22)
Ditto (puck.nether.net +9).

Thanks on behalf of everyone, Jared.

For those wanting further diversity, I also recommend using any or all of:

everydns.net
twisted4life.com
afraid.org

Also easy to use and set-up, IMHO. YMMV.

Brian Dickson

Re: backupdns.com down? Jared Mauch (Nov 22)
Can you please check again? I found something that was causing AXFR to not work for IPv6.

If not, we should take this off-list.

Thanks for all the bug reports and feedback.

- Jared

Partial outage at Peer1 Los Angeles (600 W. 7th) Jeffrey Lyon (Nov 21)
We lost a cabinet in this about 25 minutes ago, anyone else effected?

Re: Smartcard and non-password methods (was Re: Password repository) Joel Jaeggli (Nov 21)
cards and tokens are a proxy for the use of a certificate authentication
system...

You can in fact do certificate auth without the use of cards or tokens
or mix and match physical tokens and other private key storage depending
on need with the same authentication backend (typically ldap).

Since this plays nicely with eap-tls, 802.1x. ike, ssl/tls, and s/mime
it seems like a shoe-in, once you have a uniform authentication system
one is inclined...

Re: Smartcard and non-password methods (was Re: Password repository) Randy Bush (Nov 21)
is there a freebsd pam tacacs+ hack?

randy

Re: Smartcard and non-password methods (was Re: Password repository) Scott Howard (Nov 21)
http://yubico.com/developers/openid/

I'm currently trialing Yubico's for access to a number of Unix systems (via
PAM), and they seem to work very well. Haven't played around with the
OpenID support, so I can't comment on if/how well it works.

Scott.

Re: backupdns.com down? Phil Vandry (Nov 21)
I saw that the FAQ is updated but maybe there is one small thing left
to correct? When I add a zone and give an IPv6 address as the master
IP it just says "Unable to axfr that domain from that IP." and no
connection attempt is logged on my side.

Thanks for the service. Have you thought about making it reciprocal?
If you are prepared to secondary for me then I am prepared to
secondary for you :-)

-Phil

Re: Any Yahoo! mail admins? Big Wave Dave (Nov 21)
I've heard a lot of reports of similar problems from different ISPs
and mail providers. Most seem to indicate the recent association with
Lashback:
http://emailmarketingvoodoo.com/blog/post/lashback-yahoo-team-up/

Dave

Any Yahoo! mail admins? Thom Hooker (Nov 21)
Hi

Could a Yahoo! mail admin contact me off-list please?

We have been getting "421 Temporarily deferred" messages from Yahoo! for
the past 48 hours with no signs of any improvement (despite filling out
their forms) and an ever growing outbound queue.

Thanks
Thom
SMX Ltd
http://smxemail.com

Re: Smartcard and non-password methods (was Re: Password repository) Matthew Palmer (Nov 21)
I don't know. My only experience with it has been as an OpenID
endpoint/provider/whatever, and it was on that basis that I replied
originally.

- Matt

Re: Smartcard and non-password methods (was Re: Password repository) Jeffrey Lyon (Nov 21)
So it works as a standalone password vault also?

Jeff

Re: Smartcard and non-password methods (was Re: Password repository) Matthew Palmer (Nov 21)
I can only find something about the plugin not working on FF 3.5, but I
don't use the plugin since I only use it as an OpenID endpoint. I can't
imagine how the main site wouldn't work in FF 3.5 -- it's just a bit of
javascripty fluff.

- Matt

Re: Smartcard and non-password methods (was Re: Password repository) Jeffrey Lyon (Nov 21)
I was pretty excited about this post until I found out that myvidoop
only works on older version of FF.

Jeff

Re: Smartcard and non-password methods (was Re: Password repository) Stefan (Nov 21)
[Sightly off-topic - solution specific] Some European countries have
long figured out logistics of smartcard distribution and management in
their healthcare systems - some being at the second generation,
already.

In fact this is a subject "dear" to my heart, as I've researched and
attempted a proposal for such systems for a few disparate businesses
(with possible extension into eHR), based on a model similar to the
one of SSL...

Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating

The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.

Risks Digest 25.83 RISKS List Owner (Nov 06)
RISKS-LIST: Risks-Forum Digest Friday 6 November 2009 Volume 25 : Issue 83

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.83.html>
The current issue can be...

Risks Digest 25.82 RISKS List Owner (Oct 20)
RISKS-LIST: Risks-Forum Digest Tuesday 20 October 2009 Volume 25 : Issue 82

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.82.html>
The current issue can be...

Risks Digest 25.81 RISKS List Owner (Oct 12)
RISKS-LIST: Risks-Forum Digest Monday 12 October 2009 Volume 25 : Issue 81

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.81.html>
The current issue can be...

Risks Digest 25.80 RISKS List Owner (Oct 09)
RISKS-LIST: Risks-Forum Digest Friday 9 October 2009 Volume 25 : Issue 80

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.80.html>
The current issue can be...

Risks Digest 25.79 RISKS List Owner (Sep 25)
RISKS-LIST: Risks-Forum Digest Friday 25 September 2009 Volume 25 : Issue 79

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.79.html>
The current issue can...

Risks Digest 25.78 RISKS List Owner (Sep 14)
RISKS-LIST: Risks-Forum Digest Monday 14 September 2009 Volume 25 : Issue 78

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.78.html>
The current issue can...

Risks Digest 25.77 RISKS List Owner (Sep 01)
RISKS-LIST: Risks-Forum Digest Tuesday 1 September 2009 Volume 25 : Issue 77

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.77.html>
The current issue can...

Risks Digest 25.76 RISKS List Owner (Aug 15)
RISKS-LIST: Risks-Forum Digest Saturday 15 August 2009 Volume 25 : Issue 76

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.76.html>
The current issue can be...

Risks Digest 25.75 RISKS List Owner (Aug 06)
RISKS-LIST: Risks-Forum Digest Thursday 6 August 2009 Volume 25 : Issue 75

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.75.html>
The current issue can be...

Risks Digest 25.74 RISKS List Owner (Jul 22)
RISKS-LIST: Risks-Forum Digest Wednesday 22 July 2009 Volume 25 : Issue 74

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.74.html>
The current issue can be...

Risks Digest 25.73 RISKS List Owner (Jul 16)
RISKS-LIST: Risks-Forum Digest Thursday 16 July 2009 Volume 25 : Issue 73

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.73.html>
The current issue can be...

Risks Digest 25.72 RISKS List Owner (Jul 06)
RISKS-LIST: Risks-Forum Digest Monday 6 July 2009 Volume 25 : Issue 72

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.72.html>
The current issue can be...

Data Loss — Data Loss covers large-scale personal data loss and theft incidents. This archive combines the main list (news releases) and the discussion list.

IN: Notre Dame security breach potentially affects employees lyger (Nov 21)
http://www.wndu.com/localnews/headlines/70674717.html

Notre Dame is warning university employees to keep an eye on their bank
accounts after a security breach.

Personal information of some past and current employees - including name,
social security number and birth date - was accidentally put onto a public
website.

University spokesman Dennis Brown says the error was corrected and the
information removed from the website.

[...]

Mass Mutual Unknown Al (Nov 20)

http://www.net-security.org/secworld.php?id=8521

the latest data breach to be discovered happened to MassMutual, a
Massachussets-based insurance company. One of the company's employees
databases was accessed by a (so far) unknown unauthorized individual.

MassMutual stated that maintenance of the database in question was outsorced
to a third-party vendor, who upon the discovery of the breach hired
forensics specialists to investigate and get...

Hospitals tighten security on patient data security curmudgeon (Nov 20)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://fcw.com/articles/2009/11/18/hospitals-beefing-up-cybersecurity-to-comply-with-hitech-survey-says.aspx

By Alice Lipowicz
FCW.com
Nov 18, 2009

More than half of the nation's hospitals and health care providers
surveyed intend to buy more cybersecurity tools to safeguard against
breaches of electronic medical records as a result of requirements...

TADGEAR, Inc. breach notice security curmudgeon (Nov 19)
https://www.tadgear.com/content.php?id=38

This notice is to inform our customers of a security incident at TAD Gear.
We recently learned that our database was illegally accessed from an
external source, and it appears that some customer data were taken, which
may include customer names, contact information and credit card data.
The possibility of a security breach came to our attention when certain
customers notified us that unauthorized...

1.5 Million Medical Files At Risk In Health Net Data Breach kirniki (Nov 19)
http://www.courant.com/health/hc-healthbreach1119.artnov19,0,1798384.story

A hard drive with seven years of personal and medical information on
about 1.5 million Health Net customers, including 446,000 in
Connecticut, was lost six months ago and was first reported Wednesday,
state and company officials said.

The insurance company informed the state attorney general's office and
the Department of Insurance Wednesday of the security breach that...

PA: 80, 000 Mailers Sent Out With Recipients' Social Security Numbers In Plain View kirniki (Nov 18)
http://www.wgal.com/news/21655737/detail.html

ELIZABETHTOWN, Pa. -- Check your mailbox. Thousands of Pennsylvanians
could become victims of identity theft just because a piece of mail
has been sent to their homes.

Right on the front of the piece of mail, in plain view, is the
recipient's Social Security number. Tens of thousands of Medicare
recipients may be at risk.

Delores and Frank Ember, of Elizabethtown, simply could not believe
what they...

Germany in 'credit card recall' lyger (Nov 18)
http://news.bbc.co.uk/2/hi/business/8365828.stm

More than 100,000 German credit cards are being replaced after fears that
personal data has been stolen, German press reports say.

The reports say that the Volks- and Raiffeisenbank group alone is
recalling 60,000 cards.

Fraudsters are thought to have stolen data on German customers from a
service provider in Spain. There have been no actual reports of fraud.

[...]

Canada: Personal info at risk when items go missing lyger (Nov 18)
http://www.torontosun.com/news/canada/2009/11/18/11785441-sun.html

The personal information of taxpayers may be at risk because of a series
of security breaches at the Canada Revenue Agency.

Documents obtained by Ottawa researcher Ken Rubin reveal that lost mail,
missing shipments of computers or other data storage devices, and the
theft of computers that might contain tax records, is an ongoing problem.

"Our analysis revealed an...

NE: Personal info jeopardized after Workers' Comp Court computer hacked lyger (Nov 17)
http://journalstar.com/news/local/crime-and-courts/article_b9a02f46-d3a9-11de-85e5-001cc4c002e0.html

The Nebraska State Patrol and FBI are trying to figure out who hacked into
a Nebraska Workers' Compensation Court computer server -- and whether the
hacker took personal information.

The state agency learned last week someone had broken into a server that
temporarily held injury reports, said Glenn Morton, court administrator
for the...

[Dataloss] http://www.guardian.co.uk/uk/2009/nov/17/t-mobile-phone-data-privacy Jon Turner (Nov 17)
http://www.guardian.co.uk/uk/2009/nov/17/t-mobile-phone-data-privacy

The personal details of thousands of mobile phone customers have been stolen
and sold on to rival firms in the biggest data breach of its kind, the
government's privacy <http://www.guardian.co.uk/uk/privacy> watchdog said
today.

An employee of the phone operator T-Mobile sold the personal records of
customers, which included details of when their mobile phone contracts...

Commentary: According to OSF... nothing. (was re: try asking us first) lyger (Nov 16)
http://datalossdb.org/incident_highlights/39-according-to-osf-nothing-was-re-try-asking-us-first

On occasion, we look for news related to things other than data loss
events. Press releases veiled as "news" are a frequent treasure chest of
(not so) great information, so we often use detailed and complicated
techniques to make sure we have as much information as we can gather
about... Open Security Foundation and DataLossDB. In other...

Guam: Stolen laptop reveals unsecured GMH data lyger (Nov 16)
http://www.kuam.com/Global/story.asp?S=11509903

There's been a breach at the Guam Memorial Hospital. A laptop computer
used by the agency's Employee Health Office was stolen in late-October,
but hospital officials didn't realize what information was contained in
the computer until late last week. GMH Spokesperson Connor Murphy says an
investigation is underway to determine how the laptop was stolen from a
locked office.

GMH is required...

TX: Lost hard drive may contain personal data of 60k lyger (Nov 13)
http://www.armytimes.com/news/2009/11/army_breach_111309w/

The Corps of Engineers is investigating the recent loss of an external
hard drive that could pose identify theft problems for as many as 60,000
soldiers and Army civilians.

Maj. Mark Young, a Corps of Engineers spokesman in Washington, said the
security breach occurred in the command's Southwestern Division, which is
headquartered in Dallas, in early November.

"Right now the...

CA: Personal data of Cal Poly Pomona applicants inadvertently put online lyger (Nov 13)
http://latimesblogs.latimes.com/lanow/2009/11/personal-data-of-cal-poly-pomona-applicants-inadvertently-put-online.html

The Social Security numbers, home addresses and phone contacts for at
least 300 students who applied for admission to Cal Poly Pomona six years
ago were unintentionally disclosed online, the university said today.

The applicants were notified this week and urged to contact
credit-reporting agencies, school official said....

Settlement OK’d over hacking into f inancial firm Jake Kouns (Nov 13)
Settlement OK’d over hacking into financial firm
http://billingsgazette.com/news/local/crime-and-courts/article_6341f994-d00d-11de-bfda-001cc4c03286.html

A federal judge approved a settlement Thursday in a class action
lawsuit against D.A. Davidson & Co. over clients’ information that was
compromised by a computer hacker almost two years ago.

Chief U.S. District Judge Richard Cebull called the agreement “fair
and reasonable.”

The...

Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool

Re: [Semi OT] Auto return address / padding discovery - is it possible? wullie millen (Nov 22)
Thanks for the info HD this will come in very handy.

-will

db_autopwn issue when using db_nmap and db_add_host command Jacky Zhu (Nov 22)
Hello All

I want to test db_autopwn but encountered problem as below when typing
db_nmap or db_addhost command,

I have updated the latest version today and all other functions works
very well except this, does anyone have the same problem?

msf > db_driver postgresql

[*] Using database driver postgresql

msf > db_connect postgres:passwordhere () localhost:5432/postgres

msf > db_add_host 10.0.0.1 ****// the same result when using...

Re: [Semi OT] Auto return address / padding discovery - is it possible? HD Moore (Nov 21)
Unless its in a narrow class of bugs or you can leak addresses, this
isn't an effective way to go. Theoretically you can try to exploit a
windows SEH using a system like:

[PAD][EB 06 XX XX][RET][CODE]

Pick a ret that is within an OS/APP DLL without /SafeSEH, then increase
padding until you get a shell. Even this simplified example doesn't work
well in the wild though - there are often bad characters that transform
or truncate the input or...

[Semi OT] Auto return address / padding discovery - is it possible? Konrads Smelkovs (Nov 21)
Once in a while I stumble across a vulnerable system for which I don't have
ret address. The official solution is then to obtain the same version of OS
and software, load debugger and discover the new address. I wonder how
difficult would it be to use some brute-forcing and try to discover the
return address. Taking a step further, if during testing of a, say,
appliance one would discover a likely stack/heap overflow, to try to guess
the padding?

Re: autopwn Error HD Moore (Nov 21)
The autopwn command itself doesn't launch nmap, the issues you have run
into may be solvable by running "nmap -sT" instead of "nmap -sS" or by
using the auxiliary/scanner/portscan/tcp module instead of nmap
altogether.

-HD

autopwn Error Beenu Arora (Nov 20)
I am getting a strange error when i use data card and use the metasploit
autopwn
Is there any way i can configure metasploit or something to use different
network adapter.

Error is appended below.

*Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-21 10:00 India Standard
Time
WARNING: Using raw sockets because ppp0 is not an ethernet device. This
probably won't work on Windows.

pcap_open_live(ppp0, 100, 0, 2) FAILED. Reported error: Error...

Re: errors using dns_enum Chris Calaf (Nov 20)
osx:
msf auxiliary(dns_enum) > ruby -v
[*] exec: ruby -v

ruby 1.8.7 (2009-06-12 patchlevel 174) [i686-darwin10]
msf auxiliary(dns_enum) > info

Name: DNS Enumeration Module
Version: $Rev: 7500
License: Metasploit Framework License (BSD)

Provided by:
Carlos Perez <carlos_perez () darkoperator com>

Basic options:
Name Current
Setting Required Description...

Re: errors using dns_enum Carlos Perez (Nov 20)
I was not able to replicate the error on my test systems can you send
me a ruby -v on each system and the domain and options so as to
replicate it better

Sent from my Mobile Phone

errors using dns_enum Chris Calaf (Nov 20)
Apologies for the double post but first one did not hit the list.

I'm getting the following error when trying to use dns_enum on both BT4 and
Snow Leopard. I installed the macports version of net-dns. Should I be
installing it via CPAN or some ruby port?

Using ruby 1.9

=[ metasploit v3.4-dev [core:3.4 api:1.0]
+ -- --=[ 448 exploits - 216 auxiliary
+ -- --=[ 192 payloads - 22 encoders - 8 nops
=[ svn r7568 updated today...

Re: Metasploit Framework 3.3 Released! go . hawaii (Nov 19)
Or check this out:

http://www.room362.com/blog/2009/11/3/metasploit-blends-in-new-msfpayloadencode.html

Re: Metasploit Framework 3.3 Released! HD Moore (Nov 19)
You should be able to do:

msfpayload windows/shell_bind_tcp R | msfencode -x notepad.exe -t exe \
-o test.exe

Re: Metasploit Framework 3.3 Released! Jeffs (Nov 19)
That looks like a great new addition! Can you give a semi-working
example of the syntax of using the -x parameter in the msfencode when
used with msfpayload in the usual way?

I've tried various permutations of the syntax and can't get it to
recognize notepad.exe as the "carrier".

Thanks!

HD Moore wrote:

The payload encoding library can now embed Metasploit payloads into
arbitrary executables. The -x parameter to msfencode allows...

errors using dns_enum thelab13 (Nov 19)
I'm getting the following error when trying to use dns_enum on both BT4 and
Snow Leopard. I installed the macports version of net-dns. should I be
installing it via CPAN or some ruby's port?

Using ruby 1.9

=[ metasploit v3.4-dev [core:3.4 api:1.0]
+ -- --=[ 448 exploits - 216 auxiliary
+ -- --=[ 192 payloads - 22 encoders - 8 nops
=[ svn r7568 updated today (2009.11.18)

msf > use auxiliary/gather/dns_enum
msf...

Install silence mode new options . . (Nov 19)
New options to be silently installed via the /S /D=path don't work
completely. When Nmap 5.0 is going to be installed, a dialog box appears,
and all the install process is visible. Same with the PCAP library.
Any way to fix this ?

Where is now the mini-3.3-dev.exe version with only msfconsole ? Which
version may I chose to use metasploit like a PAYLOAD (deploymsf.rb) ?

Thanx in advance.

Sorry for my poor English...

PD: D-Null, very useful...

Re: db_autopwn problem and suggestions wullie millen (Nov 19)
Your right, I very rarely use autopwn but was just thinking while we were
on the subject that if you had a target
with lots of ports it would be usefull to have metasploit send all suitable
exploits automaticlly without trailing through
all the modules looking for ones with a suitable target.

-will

Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.

VB: [Wireshark-commits] rev 31049: /trunk/epan/dissectors/ /trunk/epan/dissectors/: packet-per.c Anders Broman (Nov 22)
That happens occasionally when copy-pasting from standards documents
I don't know how to avoid it...
Regards
Anders

End to End VoIP delay calculation capricorn 80 (Nov 22)
Hi!
I am looking to calculate the end-to-end delay between two soft phone/hard phone. I have asterisk server and
configured ntp server on the same machine and synchronized it with ntp pool. I have seen that Wireshark can be used to
check the jitter. But I am not sure how can i calculate the end to end.
May be this is not related to the mailing list topic but please help me if anyone has some information.
Regards,...

buildbot failure in Wireshark (development) on Windows-XP-x86 buildbot-no-reply (Nov 22)
The Buildbot has detected a new failure of Windows-XP-x86 on Wireshark (development).
Full details are available at:
http://buildbot.wireshark.org/trunk/builders/Windows-XP-x86/builds/501

Buildbot URL: http://buildbot.wireshark.org/trunk/

Buildslave for this Build: windows-xp-x86

Build Reason:
Build Source Stamp: 31048
Blamelist: etxrab

BUILD FAILED: failed checkapi

sincerely,
-The Buildbot

Re: How to capture MAC layer packets (Wifi Beacons for instance) Guy Harris (Nov 22)
Yes.

Forget Windows 7, but on Ubuntu, if you can put the adapter into
monitor mode, you should be able to see non-data 802.11 frames. (If
your adapter's driver is a mac80211 driver, you might be able to
capture those on the wmaster interface as well.)

Tshark RTP Payload Brian Stewart (Nov 22)

double exclamation mark before udp port number Mark Ryden (Nov 22)
Hello,

Sometime I encounter double exclamation marks (!!) before udp port
number when opening
a wireshark GUI (on linux) with a sniff that I captured on a different
machine from command line with tshark.
This happens with the latest wireshark (and tshark) versions.
Any idea what are these exclamation mark mean ? how should I treat them?

Rgs,
Mark

buildbot failure in Wireshark (development) on Windows-XP-Win64 buildbot-no-reply (Nov 22)
The Buildbot has detected a new failure of Windows-XP-Win64 on Wireshark (development).
Full details are available at:
http://buildbot.wireshark.org/trunk/builders/Windows-XP-Win64/builds/637

Buildbot URL: http://buildbot.wireshark.org/trunk/

Buildslave for this Build: windows-xp-win64

Build Reason:
Build Source Stamp: 31048
Blamelist: etxrab

BUILD FAILED: failed failed slave lost

sincerely,
-The Buildbot

Re: Disabling Port Number Translation Abhijit Bare (Nov 22)
In older Wireshark, you might have to go Edit->Preferences->User
Interface->Columns to reorder the columns.

----- Original Message -----
From: "Lior Zarfati" <lior () g-s co il>
To: "Community support list for Wireshark" <wireshark-users () wireshark org>
Sent: Saturday, November 21, 2009 10:44 AM
Subject: Re: [Wireshark-users] Disabling Port Number Translation

How to capture MAC layer packets (Wifi Beacons for instance) Pedro Rosas (Nov 22)
Hi all,

I am currently working on a project at my university, and I need to capture
some 802.11 frames.

For instance, I need to capture the Beacons sent from the APs usually every
100ms.

When I run Wireshark both on windows 7 and Ubuntu 9.04 I can only capture
packets from higher layers (TCP, HTTP, etc.).

Is it possible to capture the frames from MAC layers of 802.11? For
instance, the beacons?

Thanks in advance.

Best Regards,

Pedro...

Re: '[xxx bytes missing in capture file]' Sake Blok (Nov 22)
This sounds like there is a problem in the wireshark code that
reassembles the data. As wireshark might not see all packets (in
contrary to the endpoints of the tcp conversation), it can be quite
difficult to determine is data was really missing or just out-of-order,
so I guess there are some situations that are not handled correctly. To
solve this, the capture file does need to be available. If there is any
way you could share the capture file...

Re: How to "Follow TCP Stream" Using tshark Mathew Brown (Nov 22)
Hi Richard,

Thanks for the heads up on tcpflow (although I prefer chaosreader
because it allows you to view the 2 way conversation in a single
file). I was just wondering if you could use tshark since the
capability is already in Wireshark and it would be nice to re-use this
capability. Thanks.

(no subject) Patpetan (Nov 21)
Hi.

I've captured VOIP call. When I try to play the RTP stream, I get a message
"wrong timestamp", and I hear silence.

I can't even display a graph.

Thanks in advance for your help.

Ofer.

Re: Disabling Port Number Translation Abhijit Bare (Nov 21)
In older Wireshark, you may have to go to Edit->Preferences->User
Interface->Columns to reorder columns.

- Abhijit

Re: How to "Follow TCP Stream" Using tshark Richard Bejtlich (Nov 21)
Hi Mathew,

I don't know if Tshark can rebuild a TCP stream such that the result
is a representation of the TCP payload, but Tcpflow can.

http://www.circlemud.org/~jelson/software/tcpflow/

Sincerely,

Richard

Using Lua Field Extractors Markus Pilz (Nov 21)
Hi all,

I am using a Lua to obtain data from an SCTP stream. In this scenario, a
single SCTP packet can contain the same field type multiple times.
Although Wireshark displays this correctly, I don't know how to access
these fields via Lua.

Example packet figure:
...[SCTP [M3UA [ ISUP ] ] [ M3UA [ ISUP 2 ] ] ]...

A field extractor only gets the info from the first M3UA/ISUP part. Even
if the listener is set to M3UA or ISUP packets (local...

Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.

Re: cvs.snort.org is down Joel Esler (Nov 22)
This is one of the features we have not reimplemented after we moved
to thr new snort.org site, as I believe.

It is being redesigned.

J

cvs.snort.org is down James Madison (Nov 21)
cvs.snort.org has been down for a while. How are people getting to the cvs?
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july...

Re: snort vs wireshark Edin Dizdarevic (Nov 21)
Agree, they're both designed to do diffrerent things. IMHO the only
thing in common is their packet capturing capability.

Regards,
Edin

Nigel Houghton schrieb:

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover...

Re: snort vs wireshark Nigel Houghton (Nov 21)
Snort and wireshark can be used as packet sniffers. The similarities end there.

snort vs wireshark mary andrews (Nov 21)
Are there any notable similarites between Snort and Wireshark,
and isnt it unfair to attempt any comparisons,
in that Wireshark is a packet sniffer and leave it at that?

thanks,
m
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application...

Re: TCP Portals: The Handshake's a Lie! Martin Roesch (Nov 20)
You'd probably want to try to modify something like fragroute...

Re: TCP Portals: The Handshake's a Lie! Jason Brvenik (Nov 20)
I don't think netcat will do it. There needs to be a stack
modification to do the handshake in this manner or an app that will do
it while suppressing the existing stack.

I can think of a quick and dirty iptables / libdnet app but don't have
the time to implement at the moment. Someone could probably do it
quickly with iptables and scapy too.

------------------------------------------------------------------------------
Let Crystal Reports...

Re: TCP Portals: The Handshake's a Lie! CunningPike (Nov 20)
I can provide the server - but would need a little hand-holding to make sure
it was replicating this behavior properly. Perhaps a netcat listener of some
kind?

CP

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding....

Detection of traffic IPv6/icmpv6 sofia insat (Nov 20)
Hello everyone,

I want to know if snort can detect and analyze IPv6 traffic ??
and if It analyses the fields of Icmpv6 like code, type ... ??

Thanks,
Sofia

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding....

Re: TCP Portals: The Handshake's a Lie! Jason Brvenik (Nov 20)
My casual read on it was that you would have to be dealing with a
malicious server which deliberately responds to a syn with a syn and
that the likelihood of that is not the greatest. If it does happen the
server is going to be doing a lot of other more malicious things. My
presumptions are:

- An inbound SYN that is not acknowledging a syn at the same time is
going to be blocked by firewalls if properly configured.

- Even a properly configured...

cvs.snort.org Randal T. Rioux (Nov 19)
...has not been working for a while now. Has it moved?

Thanks!
Randy

FYI Originally posted to snort-devel with no bites.

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now....

Possible Content Match problem - Was: Re: how can we alert on web visiting activity? Jason Brvenik (Nov 19)
I would be happy to look into both of these further. The odds are that
it is a configuration / environmental issue so please send me your
snort.conf, local.rules with the example rules in them, and a pcap.

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you...

Re: how can we alert on web visiting activity? Jason Brvenik (Nov 19)
Yes there is. Accepting packets for analysis that have bad checksums (
and thus will not be processed by the targets) presents evasion
opportunities for the attacker.

For the body of work surrounding it check out the first few links in
these google searches.

http://www.google.com/search?q=checksum+ips+evasion
http://www.google.com/search?q=checksum+ids+evasion

------------------------------------------------------------------------------
Let...

is there a windows gui tool to also capture snort alerts? mary andrews (Nov 19)
Now that we captured alerts on the dos screen where snort is running, as
well as inside its logs,

is there a windows tool to install to show us the alerts triggered?

thanks
m
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application...

Re: how can we alert on web visiting activity? Eoin Miller (Nov 19)
This has bit us in the rear as well. Adding the following lines to your
snort.conf file will also act the same as using the "-k" option. Here is
a section of our snort.conf related to this:

---snip---
#
# Dont drop stuff because of the checksum (snort -k)
#
config checksum_mode: none
---snip---

I am sure there is a great reason to allow packets to be ignored due to
bad checksums, but having this be default behavior can cause some...

We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.