SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.
Re: Happy "21th" birthday, Nmap!
Fyodor (Sep 01)
Good catch and thanks for the patch! It looks like Dan already applied
it. Happy 21st, Nmap! Dan also recently fixed a Y3K bug affecting dates
after January 3001 (https://github.com/nmap/nmap/issues/1303). All fixed,
with just 982 years to spare!
Cheers,
Fyodor
Happy "21th" birthday, Nmap!
David Fifield (Sep 01)
This reminds me of a bug that I thought I reported before, but now I
cannot find. COBOL had Y2K, Unix has its year 2038, and Nmap has its
year 2018 problem--its "21th" birthday.
$ ./nmap -v
Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-09-01 10:22 MDT
Happy 21th Birthday to Nmap, may it live to be 121!
Here's a patch that will instead give the correct "21st", "22nd",
"23rd", and so on into the...
Happy birthday, Nmap!
Dave Horsfall (Aug 31)
My records show that NMAP was released on this day in 1997. It's a
wonderful network scanner, which just keeps getting better and better.
-- Dave, merely a happy Nmap user
Re: Npcap
Denis (Aug 31)
The adapter has the following configuration:
[image: image.png]
Npcap
Denis (Aug 31)
Hello, I'm using Npcap for my program. It works like this:
- program (npcap) listens to the game and sends packets to the main server.
- server receives raw/game packets and sends them to all clients.
But this works until the game starts.
The game sends it like this:
*(A)-192.0.30.30(B)-192.0.50.50*
*(A)* -> *255.255.255.255*
*255.255.255.255* -> *(B)*
*(B)* -> *255.255.255.255*
*255.255.255.255* -> *(A)*
After the game starts, *(A)* sending...
Re: trivial PR: double the key length of self-signed cert in ncat #1310
David Fifield (Aug 29)
Looks good to me. The world has advanced since 2009 and r13218 when I
decided to set it to 1024 :)
Re: Nmap new version past 7.70 due to CVE-2018-15173
Fyodor (Aug 29)
On Mon, Aug 27, 2018 at 5:55 PM Shashi Guruprasad <sguruprasad () fortinet com>
wrote:
Hi Shashi. Thanks for your mail. Even though someone applied for a CVE
number for this, it's not actually a very serious issue. Apparently some
systems are so low in resources that they can't handle our previous depth
limit in matching service banners to our service detection signatures. On
one of those rare systems (we haven't been...
trivial PR: double the key length of self-signed cert in ncat #1310
Adrian Vollmer (Aug 29)
Hey there,
as per the contributor guidelines I'm letting you know that I
submitted a PR on Github. It's a trivial change, doubling the key
length of the private key that is generated when you use '--ssl' in
ncat without specifying your own key and certificate.
In the latest version of Debian Unstable, OpenSSL does not accept
certificates using such a short key of 1024 bit. So I suggest making
it 2048....
Nmap new version past 7.70 due to CVE-2018-15173
Shashi Guruprasad (Aug 27)
Hi Fyodor, or Daniel Miller,
Would it be possible to release a new version of nmap to fix CVE-2018-15173? Qualys is reporting this vulnerability in
our system despite installing 7.70-1. I can build from source, but it will mean that I will need to do this all the
time in the future…
Thanks and regards,
Shashi
[GH#1147]<http://issues.nmap.org/1147>[GH#1108]<http://issues.nmap.org/1108> Reduced LibPCRE resource limits so that...
Re: Google Summer of Code 2019
Fyodor (Aug 24)
On Fri, Aug 24, 2018 at 9:57 AM Jeffrey Rowell <jrowell3 () msudenver edu>
wrote:
Hi Jeff. After participating in all of the first 13 years of GSoC, we
decided to take a year off last year, as described at
http://seclists.org/nmap-dev/2018/q1/23.
We haven't decided yet on whether to come back for 2019. A lot of it
depends on how much interest we have from prospective students and
mentors. Of course it is also subject to Google...
Google Summer of Code 2019
Jeffrey Rowell (Aug 24)
Hello all,
I have used Nmap throughout my penetration testing and defense class at school, and I was wondering if Nmap will have a
project for GSOC 2019. I am looking to apply to GSOC next summer and would love to apply to Nmap if there is a project
available! However I did not see an Nmap project from GSOC 2018 so I was wondering if there is going to be any more
GSOC Nmap projects in the future? Any info is very much appreciated!
Much...
Re: Re: New script for brute-force discovery passwords and users in CMS Made Simple in version 2.2.6
George Chatzisofroniou (Aug 20)
I personally favor the extension of current NSE functionality. Instead
of iterating through the `known_apps` table, we can introduce an
argument `--http-form-brute.app` that will assume the target
installation. Extending `http-form-brute` to support a two-step login
process would be a great addition that could work against other
applications too.
George
mysql-dump-hashes.nse compatibility patch (v5.7)
Robbe Van der Gucht (Aug 19)
Hi all,
authentication_string and the password field is no longer present.
Because of this the mysql-dump-hashes.nse script doesn't work any more
against recent MySQL server installations. Attached you'll find my
proposed fix.
The patch is a simple fall back. If the first query referring to the
'password' field fails it will attempt to use the
'authentication_string' field.
I tested this fix against MySQL...
Network World
Christian Heinrich (Aug 17)
https://www.networkworld.com/article/3296740/lan-wan/what-is-nmap-why-you-need-this-network-mapper.amp.html
[no subject]
istanbul istanbul (Aug 14)
Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Nmap 7.70 released! Better service and OS detection, 9 new NSE scripts, new Npcap, and much more.
Fyodor (Mar 20)
Nmap Community,
We're excited to make our first Nmap release of 2018--version 7.70! It
includes hundreds of new OS and service fingerprints, 9 new NSE scripts
(for a total of 588), a much-improved version of our Npcap windows packet
capturing library/driver, and service detection improvements to make -sV
faster and more accurate. And those are just a few of the dozens of
improvements described below.
Nmap 7.70 source code and binary...
Nmap GSoC 2017 Success Reports
Fyodor (Oct 10)
Hello Nmap Community,
Nmap celebrated its 20th birthday last month and we also just completed our
13th Google Summer of Code. We focused on a fairly small team of four
students this year (http://seclists.org/nmap-announce/2017/2), and I'm
happy to report that every one passed! And they all have code integrated
into Nmap 7.60 already, with even more to follow for the next release.
Also this year, for the first time, every student wrote a...
Nmap 7.60 released! SSH support, SMB2/SMB3 improvements, 14 more scripts, new Npcap, GSoC work, and more
Fyodor (Aug 01)
Hello everyone. I'm back from Defcon and excited to announce the new Nmap
7.60 release! It has only been a month and a half since 7.50, but we still
packed a lot into this one. Mostly because we have such an awesome GSoC
team of 8 students and mentors working on so many cool projects. The
program hasn't even ended yet, but much of their work has already been
integrated into this release.
One of the things I'm most excited...
Nmap 7.50 Released! 14 new NSE scripts, 300+ fingerprints, new Npcap, and more
Fyodor (Jun 13)
Dear Nmap Community:
The Nmap project is delighted to announce the release of Nmap 7.50! It is
our first big release since last December and has hundreds of improvements
that we hope you will enjoy.
One of the things we have worked the hardest on recently is our Npcap
packet capturing driver and library for Windows (https://nmap.org/npcap/).
It is a replacement for WinPcap, which served us well for many years, but
is no longer maintained....
Introducing the 2017 Nmap/Google Summer of Code Team!
Fyodor (May 18)
Nmap community:
Thanks for all of your applications and referrals of talented students to
the Summer of Code program. Google has agreed to sponsor four students to
spend this summer enhancing the Nmap Security Scanner and I'm proud to
introduce our 2017 team! We normally mentor coders working all over the
Nmap/Zenmap/Ncat/Nping spectrum, but this year we're doubling down on the
Nmap Scripting Engine component. All four of our...
Nmap Project Seeking Talented Programmers for GSoC 2017
Fyodor (Mar 27)
Hi folks. I'm delighted to report that Nmap has been accepted by Google to
participate in this year's Summer of Code internship program. This
innovative and extraordinarily generous program provides $5,500 stipends to
college and graduate students anywhere in the world who spend the summer
improving Nmap from home! They gain valuable experience, get paid,
strengthen their résumés, and write code for millions of users. We're one...
Nmap GSoC 2016 Success Report
Fyodor (Feb 07)
Happy belated new year from the Nmap Project! I'd like to take this
opportunity to send you the belated results from our 2016 Summer of Code
team. I was going to send them right after the program finished, but some
of the students were still finishing some great things so I decided to
wait. As you may recall from the team intro mail (
http://seclists.org/nmap-announce/2016/2), we had 5 students last year and
I'm happy to report that...
Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
Sensitive Data Exposure via WiFi Broadcasts in Android OS [CVE-2018-9489]
Nightwatch Cybersecurity Research (Aug 31)
[Blog post here:
https://wwws.nightwatchcybersecurity.com/2018/08/29/sensitive-data-exposure-via-wifi-broadcasts-in-android-os-cve-2018-9489/]
TITLE
Sensitive Data Exposure via WiFi Broadcasts in Android OS [CVE-2018-9489]
SUMMARY
System broadcasts by Android OS expose information about the user’s
device to all applications running on the device. This includes the
WiFi network name, BSSID, local IP addresses, DNS server information
and the...
CA20180829-03: Security Notice for CA Release Automation
Williams, Ken (Aug 31)
CA20180829-03: Security Notice for CA Release Automation
Issued: August 29, 2018
Last Updated: August 29, 2018
CA Technologies Support is alerting customers to a potential risk with
CA Release Automation. A vulnerability exists that can allow an
attacker to potentially execute arbitrary code.
The vulnerability, CVE-2018-15691, has a high risk rating and concerns
insecure deserialization of a specially crafted serialized object,
which...
CA20180829-02: Security Notice for CA Unified Infrastructure Management
Williams, Ken (Aug 31)
CA20180829-02: Security Notice for CA Unified Infrastructure Management
Issued: August 29, 2018
Last Updated: August 29, 2018
CA Technologies Support is alerting customers to multiple potential
risks with CA Unified Infrastructure Management. Multiple
vulnerabilities exist that can allow an attacker, who has access to
the network on which CA UIM is running, to run arbitrary CA UIM
commands on machines where the CA UIM probes are running....
CA20180829-01: Security Notice for CA PPM
Williams, Ken (Aug 31)
CA20180829-01: Security Notice for CA PPM
Issued: August 29, 2018
Last Updated: August 29, 2018
CA Technologies Support is alerting customers to multiple potential
risks with CA PPM (formerly CA Clarity PPM). Multiple vulnerabilities
exist that can allow an attacker to conduct a variety of attacks.
The first vulnerability, CVE-2018-13822, has a medium risk rating and
concerns an SSL password being stored in plain text, which can allow
an...
Argus Surveillance DVR - 4.0.0.0 / Unauthenticated Directory Traversal File Disclosure
hyp3rlinx (Aug 31)
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-UNAUTHENTICATED-PATH-TRAVERSAL-FILE-DISCLOSURE.txt
[+] ISR: Apparition Security
Greetz: ***Greetz: indoushka | Eduardo | GGA***
[Vendor]
www.argussurveillance.com
[Product]
Argus Surveillance DVR - 4.0.0.0
Our DVR software provides scheduled, continuous or activated upon motion
detection...
Argus Surveillance DVR - 4.0.0.0 / SYSTEM Privilege Escalation
hyp3rlinx (Aug 31)
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-SYSTEM-PRIVILEGE-ESCALATION.txt
[+] ISR: ApparitionSec
Greetz: ***Greetz: indoushka | Eduardo | GGA***
[Vendor]
www.argussurveillance.com
[Product]
Argus Surveillance DVR - 4.0.0.0
Our DVR software provides scheduled, continuous or activated upon motion
detection video recording. You can...
DSA-2018-128: RSA BSAFE Micro Edition Suite and Crypto-C Micro Edition Multiple Security Vulnerabilities
secure (Aug 28)
DSA-2018-128: RSA BSAFE Micro Edition Suite and Crypto-C Micro Edition Multiple Security Vulnerabilities
Dell EMC Identifier: DSA-2018-128
CVE Identifier: CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057, CVE-2018-11058
Severity: High
Severity Rating: View details below for individual CVSS Score for each CVE.
Affected Products:
RSA BSAFE Crypto-C Micro Edition versions prior to 4.0.5.3 (CVE-2018-11056, CVE-2018-11058)
RSA...
CVE-2018-12710
Kevin R (Aug 27)
Re: Jetty 6.1.6 Cross-Site Scripting (XSS)
Simon Waters (Aug 24)
The demise of the MortBay and Codehaus websites doesn't help, this isn't
the sort of forensics I expected to do.
https://web.archive.org/web/20090709110650/http://jira.codehaus.org/browse/JETTY-980
Suggests semicolon after any directory listing, led to inclusion of the
text after into the document.
echo -e "GET /cometd/dijit/;<script>alert(document.title);</script>
HTTP/1.0\n\n" | nc 127.0.0.1 8080
The patch...
Re: Jetty 6.1.6 Cross-Site Scripting (XSS)
Simon Waters (Aug 24)
Is this CVE-2009-1524? If so fixed in 6.1.17, April 2009.
DSA-2018-132: RSA NetWitness Platform Server-Side Template Injection Vulnerability
secure (Aug 24)
DSA-2018-132: RSA NetWitness Platform Server-Side Template Injection Vulnerability
Dell EMC Identifier: DSA-2018-132
CVE Identifier: CVE-2018-11061
Severity Rating: CVSS v3 Base Score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Severity: Critical
Affected Products:
RSA NetWitness Platform versions prior to 11.1.0.2
RSA Security Analytics versions prior to 10.6.6
Summary:
RSA NetWitness Platform contains fixes for a server-side template...
DSA-2018-144: RSA Archer SQL Injection Vulnerability within embedded WorkPoint component
secure (Aug 24)
DSA-2018-144: RSA Archer SQL Injection Vulnerability within embedded WorkPoint component
Dell EMC Identifier: DSA-2018-144
CVE Identifier: CVE-2018-11065
Severity Rating: CVSS:3 Base Score: 2.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Severity: Low
Affected Products:
* RSA Archer versions 6.1.x, 6.2.x, 6.3.x prior to 6.3.0.7 and 6.4.x prior to 6.4.0.1
Summary:
RSA Archer contains a fix for a SQL injection vulnerability, in...
Couchbase Server - Remote Code Execution
x ksi (Aug 24)
Hey,
Description:
Couchbase Server [1] exposes REST API [2] which by default is
available on TCP/8091 and/or TCP/18091.
Authenticated users can send arbitrary Erlang code to 'diag/eval'
endpoint of the API. The code will be subsequently executed in the
underlying operating system with privileges of the user which was used
to start Couchbase.
The 'diag/eval' endpoint was found to be referenced in the official
documentation...
Mutiny Monitoring Appliance < 6.1.0-5263 - Command Injection (CVE-2018-15529)
Reggie Dodd (Aug 24)
[Title]
Mutiny Monitoring Appliance < 6.1.0-5263 - Command Injection
(CVE-2018-15529)
[Product]
Mutiny Monitoring Appliance
https://www.mutiny.com/
[CVE]
CVE-2018-15529
[Credit]
Reginald Dodd
[Description]
A command injection vulnerability in maintenance.cgi in Mutiny "Monitoring
Appliance" before 6.1.0-5263 allows authenticated users, with access to the
admin interface, to inject arbitrary commands within the filename of a...
Re: Jetty 6.1.6 Cross-Site Scripting (XSS)
1n3--- via Fulldisclosure (Aug 24)
Nice find! I figured as much, but good to see there's a patch out
there somewhere...
It's likely CVE-2009-1524, but the description is vague and no public
PoC was released as far as I can tell.
The demise of the MortBay and Codehaus websites doesn't help, this
isn't the sort of forensics I expected to do.
https://web.archive.org/web/20090709110650/http://jira.codehaus.org/browse/JETTY-980
Suggests semicolon after any...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
Defense in depth -- the Microsoft way (part 57): installation of security updates fails on Windows Embedded POSReady 2009
Stefan Kanthak (Sep 02)
Hi @ll,
on a multitude of machines running Windows Embedded POSReady 2009,
"automatic updates" show the well-known and never resolved bug which
lets the Windows Update Agent occupy one core (good luck if your CPU
has some of them and can afford to sacrifice one.-) for DAYS at 100%
load!
This nasty behaviour is documented for example in the MSKB articles
<https://support.microsoft.com/en-us/help/3102810> and
<...
[SECURITY] [DSA 4283-1] ruby-json-jwt security update
Moritz Muehlenhoff (Sep 02)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4283-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
August 31, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : ruby-json-jwt
CVE ID : CVE-2018-1000539
It was...
[SECURITY] [DSA 4282-1] trafficserver security update
Moritz Muehlenhoff (Sep 02)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4282-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
August 31, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : trafficserver
CVE ID : CVE-2018-1318 CVE-2018-8004...
CA20180829-03: Security Notice for CA Release Automation
Williams, Ken (Sep 02)
CA20180829-03: Security Notice for CA Release Automation
Issued: August 29, 2018
Last Updated: August 29, 2018
CA Technologies Support is alerting customers to a potential risk with
CA Release Automation. A vulnerability exists that can allow an
attacker to potentially execute arbitrary code.
The vulnerability, CVE-2018-15691, has a high risk rating and concerns
insecure deserialization of a specially crafted serialized object,
which...
CA20180829-02: Security Notice for CA Unified Infrastructure Management
Williams, Ken (Sep 02)
CA20180829-02: Security Notice for CA Unified Infrastructure Management
Issued: August 29, 2018
Last Updated: August 29, 2018
CA Technologies Support is alerting customers to multiple potential
risks with CA Unified Infrastructure Management. Multiple
vulnerabilities exist that can allow an attacker, who has access to
the network on which CA UIM is running, to run arbitrary CA UIM
commands on machines where the CA UIM probes are running....
CA20180829-01: Security Notice for CA PPM
Williams, Ken (Sep 02)
CA20180829-01: Security Notice for CA PPM
Issued: August 29, 2018
Last Updated: August 29, 2018
CA Technologies Support is alerting customers to multiple potential
risks with CA PPM (formerly CA Clarity PPM). Multiple vulnerabilities
exist that can allow an attacker to conduct a variety of attacks.
The first vulnerability, CVE-2018-13822, has a medium risk rating and
concerns an SSL password being stored in plain text, which can allow
an...
[security bulletin] MFSBGN03821 rev.1 - Micro Focus Hybrid Cloud Management (HCM) containerized suite, Remote Code Execution
cyber-psrt (Aug 30)
Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236725
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: KM03236725
Version: 1
MFSBGN03821 rev.1 - Micro Focus Hybrid Cloud Management (HCM) containerized
suite, Remote Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2018-08-30...
[security bulletin] MFSBGN03820 rev.1 - Micro Focus Hybrid Cloud Management (HCM) containerized suites, remote code execution
cyber-psrt (Aug 30)
Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236722
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: KM03236722
Version: 1
MFSBGN03820 rev.1 - Micro Focus Hybrid Cloud Management (HCM) containerized
suites, remote code execution
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2018-08-30...
[security bulletin] MFSBGN03815 rev.1 - Data Center Automation Containerized (DCA) suite, remote code execution
cyber-psrt (Aug 30)
Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236669
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: KM03236669
Version: 1
MFSBGN03815 rev.1 - Data Center Automation Containerized (DCA) suite, remote
code execution
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2018-08-30
Last Updated:...
[security bulletin] MFSBGN03818 rev.1 - Micro Focus Operations Bridge containerized suite, Remote Code Execution
cyber-psrt (Aug 30)
Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236678
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: KM03236678
Version: 1
MFSBGN03818 rev.1 - Micro Focus Operations Bridge containerized suite, Remote
Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2018-08-30
Last...
[security bulletin] MFSBGN03814 rev.1 - Service Management Automation (SMA) containerized, Remote Code Execution
cyber-psrt (Aug 30)
Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236667
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: KM03236667
Version: 1
MFSBGN03814 rev.1 - Service Management Automation (SMA) containerized, Remote
Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2018-08-30
Last...
[security bulletin] MFSBGN03817 rev.1 - Operations Bridge containerized suite, Remote Code Execution
cyber-psrt (Aug 30)
Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236648
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: KM03236648
Version: 1
MFSBGN03817 rev.1 - Operations Bridge containerized suite, Remote Code
Execution
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2018-08-30
Last Updated: 2018-08-30...
[security bulletin] MFSBGN03813 rev.1 - Network Operations Management (NOM) Suite CDF, Remote Code Execution
cyber-psrt (Aug 30)
Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236632
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: KM03236632
Version: 1
MFSBGN03813 rev.1 - Network Operations Management (NOM) Suite CDF, Remote
Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2018-08-30
Last Updated:...
Sensitive Data Exposure via WiFi Broadcasts in Android OS [CVE-2018-9489]
research (Aug 29)
[Blog post here:
https://wwws.nightwatchcybersecurity.com/2018/08/29/sensitive-data-exposure-via-wifi-broadcasts-in-android-os-cve-2018-9489/]
TITLE
Sensitive Data Exposure via WiFi Broadcasts in Android OS [CVE-2018-9489]
SUMMARY
System broadcasts by Android OS expose information about the user's
device to all applications running on the device. This includes the
WiFi network name, BSSID, local IP addresses, DNS server information
and the...
[security bulletin] MFSBGN03812 rev.1 - Application Performance Management, remote cross-site tracing
cyber-psrt (Aug 29)
Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03235847
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: KM03235847
Version: 1
MFSBGN03812 rev.1 - Application Performance Management, remote cross-site
tracing
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2018-08-29
Last Updated:...
Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
[HITB-Announce] Reminder: HITBSecConf2018 Dubai CFP
Hafez Kamal (Aug 29)
REMINDER: The Call for Papers for #HITB2018DXB closes on the 1st of September!
Call for Papers: https://cfp.hackinthebox.org
Event Website: https://conference.hitb.org/hitbsecconf2018dxb/
After an 8 year hiatus, the HITB Security Conference series returns to the Middle East!
Held at the Grand Hyatt Dubai from November 25th till the 28th, HITBSecConf2018 Dubai will be
featuring 2-day technical training courses followed by our 2-day multi-track...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
44CON 2018 - 12th-14th September, London (UK)
Steve (Feb 28)
44CON 2018 is the UK's best annual Security Conference and Training event. The conference spans 2.5 days with training
on the 10th and 11th of September, a free evening event on the 12th of September, and a full two-day conference on the
13th and 14th of September. The event takes place at the ILEC Conference Centre near Earls Court, London. 44CON 2018
includes catering, private bus bar and Gin O'Clock breaks. Early Bird discounted...
RootedCON Security Conference - 1-3 March, Madrid (Spain)
omarbv (Feb 11)
On the occasion of the ninth edition of RootedCON, the most important
computer security conference in the country, around 2,000 hackers will
meet to discuss new questions and research about the cybersecurity
world, with its risks and threats. National and international experts
have included in their agendas this mandatory appointment to discuss new
vulnerabilities, viruses, and other threats; they will also talk about
countermeasures in order...
Firewall Wizards — Tips and tricks for firewall administrators
Revival?
Paul Robertson (Sep 11)
Since the last few attempts to revive the list have failed, I'm going to attempt a Facebook group revival experiment.
It'll be a bit broader in scope, but I'm hoping we can discuss technical security matters. The new group is
Security-Wizards on Facebook.
Paul
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
Faraday Beta V3.0 Released
Francisco Amato (Jul 04)
Faraday helps you to host your own vulnerability management platform
now and streamline your team in one place.
We are pleased to announce the newest version of Faraday v3.0. In this
new version we have made major architecture changes to adapt our
software to the new challenges of cyber security. We focused on
processing large data volumes and to making it easier for the user to
interact with Faraday in its environment.
To install it you can...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Re: Voting Village at Defcon
Dave Aitel (Aug 25)
https://www.propublica.org/article/defcon-teen-did-not-hack-a-state-election
The whole thing was a sham. I know darktangent is on this list. Something
to think about for next year ...
-dave
Re: Cymothoa Exigua
" (Aug 24)
I think it is worth noting that she claims multiple people felt the same
way and expressed similar independent opinions before she synthesized them
for a wider audience. What that probably means is that such comments are
not her feelings alone. What IS clear is that crypto technology is a double
edged sword and you must choose which edge of the blade you wish to wield.
Re: Voting Village at Defcon
Chris Eng (Aug 23)
What even is the point of setting up “replica websites” that are only replicas in the sense that they ostensibly
perform the same function as the real sites, but otherwise do not share common code/technology and are essentially
known sacrificial sites with security bugs intentionally placed in them?
We know how much of the media operates. Did this coverage surprise anybody? Especially with quotes like this:
“These websites are so easy...
Cymothoa Exigua
Dave Aitel (Aug 23)
The world is full of horrors, and one of those is Cymothoa Exigua
<https://www.google.com/search?q=fish+tongue+parasite&safe=off&source=lnms&tbm=isch&sa=X&ved=0ahUKEwi4vtLso4PdAhUGq1kKHen0D9oQ_AUICigB&biw=1440&bih=809>.
Another one of those, is groups of people who think they, somehow, have
cracked the code to developing technology in an "ethical" way, and if you
just obeyed them, everything would be...
Re: Voting Village at Defcon
Kevin T. Neely (Aug 23)
Sure, it's SQLi, but I'm not sure why you'd minimize her effort. According
to the village's Twitter account, she changed the vote tallies from a
replica of the site. https://twitter.com/VotingVillageDC It would be nice
if the media reported on the recommendations that come from the findings,
but we all know that's not how the media operates.
K
Re: information operations efforts and data carving
Jukka Ruohonen (Aug 23)
This was a good take on things. I generally also applaud the constructive
criticism instead of the ranting strategy...
But it is still social media. Now I've seen quite a few papers recently
about vulnerabilities viz. Twitter. Some of these are relevant; there have
been some information leakages about things I consider relevant myself
(i.e., open source). But now people are attaching the "zero-day" label to
their papers, which...
Hammerhead repost for Halvar
Dave Aitel (Aug 13)
From:
https://web.archive.org/web/20040131120103/http://www.immunitysec.com:8010/29/2002
- Fishing for Obscurity
Some sharks and fish have a unique sixth sense – they can generate and
detect electrical fields, even minute ones. According to the font of all
natural knowledge, the Discovery channel (as opposed to Dawson's Creek, the
font for all social knowledge), a hammer head shark's funny looking head is
actually a voltmeter of...
Voting Village at Defcon
Dave Aitel (Aug 13)
https://www.usatoday.com/story/tech/nation-now/2018/08/13/11-year-old-hacks-replica-florida-election-site-changes-results/975121002/
So I don't know a ton about the details of voting machines, but I'm pretty
sure what happened at the DEFCON voting village is not being represented at
all accurately in the media, and I'm curious why nobody in the community is
pushing back on it, specifically I think we have a duty not to be used as...
information operations efforts and data carving
Dave Aitel (Aug 09)
Previously Unreleased Work:
https://docs.google.com/presentation/d/1tMlJvnUv_Qbh5mx2RYbyuTHTHr9c9ShIKBzz_JDGn_s/edit?usp=sharing
Paper on the 3M Tweets from Clemson:
https://www.cyxtera.com/blog/data-carving-the-internet-research-agency-tweets
So what you see a lot in some papers is this sort of thing (this one is
from the original Clemson paper):
[image: image.png] I always get flashbacks of that XKCD Correlation vs
Causation comic <...
FINAL CALL FOR PAPERS - INTEL SECURITY CONFERENCE (iSecCon) 2018
Branco, Rodrigo (Aug 09)
CALL FOR PAPERS - INTEL SECURITY CONFERENCE (iSecCon) 2018
[ - Introduction - ]
It is a pleasure to invite you to submit abstracts to iSecCon 2018, the annual Security Conference at Intel.
This prestigious conference aims to bring together esteemed speakers from the industry, government and academia to
share knowledge and leading-edge ideas about security and related topics. This is an
excellent opportunity to network with like-minded people...
Assessment
Dave Aitel (Jul 20)
So soon after the Immunity deal closed we had this big all hands conference
call with everyone in the larger Cyxtera group on it, and Chris Day, who
runs the group I'm in, said, "Hey Dave, can you give everyone a quick
rundown as to what Immunity is, now that we're all one big team?" and I'll
be honest, I totally bombed.
Immunity has never done corporate verbiage. There's a tendency to be
extremely bland and generic...
Capstone disassembler framework v3.0.5 is out!
Nguyen Anh Quynh (Jul 20)
Greetings,
We are very happy to announce version 3.0.5 of Capstone disassembler
framework!
In no particular order, we would like to thank CrowdStrike, CMC Infosec &
Jurriaan Bremer for sponsoring this release!
This stable version fixes some security issues in the core, as well as many
improvements, so existing users are strongly recommended to upgrade.
More details are available at http://capstone-engine.org/Version-3.0.5.html
(For those...
Peach season
Dave Aitel (Jul 13)
As Ryan Naraine has pointed out I never did an announcement on this mailing list when Cyxtera<https://www.cyxtera.com>
and Immunity finally closed our deal. Partially that's because these things are in some ways anti-climactic, and
partially because I and a lot of the team at Immunity immediately went on a binge of experimenting with various large
toolkits we'd never had access to before.
For example, this one:...
CALL FOR PAPERS - INTEL SECURITY CONFERENCE (iSecCon) 2018
Branco, Rodrigo (Jul 09)
SAINTCON 2018 CFP - Sep 25-28, Provo Utah
Troy Jessup (Jun 12)
SAINTCON 2018 - Call for Papers
INTRODUCTION
SAINTCON is Utah's best annual Security Conference and Training Event. The Conference spans 4 days and includes a
large variety of content and events making it very diverse and covers a large variety of security related areas of
interest. SAINTCON is a community conference administered by the Utah Chapter of the Security Advisory and Incident
Network Team (UtahSAINT).
Site:...
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
BHIS Webcast: The PenTest Pyramid of Pain 9/4 - 11am MDT
Sierra - Black Hills Information Security (Aug 29)
Hello!
How are you all? We had a fantastic webcast last week with John Strand and Chris Brenton and we're still working
through some unexpected hiccups to get the recording up and posted. The podcast version is on our blog, and the YouTube
version will be posted shortly on the Active Countermeasures channel and blog as well. Thanks for all of you who
ventured over to attend!
Ready for another awesome BHIS webcast? Dakota is back and...
Webcast with CJ: Tues 7/24 at 11am
Sierra - Black Hills Information Security (Jul 19)
Our upcoming webcast will be about POLICY...
Did you check out when you heard “policy”? Policy can often seem like a drudgery, but it’s also an important and
potentially overlooked part of business and procedure; it’s the framework on which security is really built!
CJ, our COO and Head of Sales has experience writing, assessing and implementing policies for many different kinds of
companies. And if you are worried it will be dry and...
Hey there!
Sierra - Black Hills Information Security (Apr 23)
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
Honeypot malware archives
Matteo Cantoni (Feb 14)
Hello everyone,
I would like to share with you, for educational purposes and without any
commercial purpose, data collected by my homemade honeypot.
Nothing new, nothing shocking, nothing sensational... but I think it can
be of interest to newcomers to the world of malware analysis,
botnets, etc... maybe for a thesis.
The files collected are divided into zip archives, in alphabetical
order, with a password (which must be requested via email). Some...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Advisory Notification
Microsoft (Aug 24)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: August 24, 2018
********************************************************************
Security Advisories Released or Updated on August 24, 2018
===================================================================
* Microsoft Security Advisory ADV180018
- Title: Microsoft guidance to mitigate L1TF variant
-...
Microsoft Security Update Releases
Microsoft (Aug 21)
********************************************************************
Title: Microsoft Security Update Releases
Issued: August 21, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
* CVE-2018-8273
Revision Information:
=====================
- CVE-2018-8273 | Microsoft SQL Server Remote Code Execution
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Aug 20)
********************************************************************
Title: Microsoft Security Update Releases
Issued: August 20, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
* CVE-2018-0952
Revision Information:
=====================
- CVE-2018-8273 | Diagnostic Hub Standard Collector Elevation of
Privilege Vulnerability
-...
Microsoft Security Advisory Notification
Microsoft (Aug 15)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: August 15, 2018
********************************************************************
Security Advisories Released or Updated on August 15, 2018
===================================================================
* Microsoft Security Advisory ADV180002
- Title: Guidance to mitigate speculative execution side-channel...
Microsoft Security Update Releases
Microsoft (Aug 15)
********************************************************************
Title: Microsoft Security Update Releases
Issued: August 15, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
* CVE-2018-8202
* CVE-2018-8284
Revision Information:
=====================
- CVE-2018-8202 | .NET Framework Elevation of Privilege
Vulnerability
-...
Microsoft Security Update Summary for August 14, 2018
Microsoft (Aug 14)
********************************************************************
Microsoft Security Update Summary for August 14, 2018
Issued: August 14, 2018
********************************************************************
This summary lists security updates released for August 14, 2018.
Complete information for the August 2018 security update release can
be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>.
Critical Security...
Microsoft Security Advisory Notification
Microsoft (Aug 14)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: August 14, 2018
********************************************************************
Security Advisories Released or Updated on August 14, 2018
===================================================================
* Microsoft Security Advisory ADV180018
- Title: Microsoft guidance to mitigate L1TF variant
-...
Microsoft Security Advisory Notification
Microsoft (Aug 08)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: August 8, 2018
********************************************************************
Security Advisories Released or Updated on August 8, 2018
===================================================================
* Microsoft Security Advisory ADV180012
- Title: Microsoft Guidance for Speculative Store Bypass
-...
Microsoft Security Advisory Notification
Microsoft (Aug 01)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: August 1, 2018
********************************************************************
Security Advisories Released or Updated on August 1, 2018
===================================================================
* Microsoft Security Advisory ADV180002
- Title: Guidance to mitigate speculative execution side-channel...
Microsoft Security Update Releases
Microsoft (Aug 01)
********************************************************************
Title: Microsoft Security Update Releases
Issued: August 1, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
* CVE-2018-8172
* CVE-2018-8202
Revision Information:
=====================
- CVE-2018-8172 | Visual Studio Remote Code Execution
Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Aug 01)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: August 1, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a minor revision increment:
* CVE-2018-8202 - Version 4.1
* CVE-2018-8284 - Version 2.2
* CVE-2018-8356 - Version 3.1
Revision Information:
=====================
-...
Microsoft Security Advisory Notification
Microsoft (Jul 27)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: July 26, 2018
********************************************************************
Security Advisories Released or Updated on July 26, 2018
===================================================================
* Microsoft Security Advisory ADV180012
- Title: Microsoft Guidance for Speculative Store Bypass
-...
Microsoft Security Update Releases
Microsoft (Jul 26)
********************************************************************
Title: Microsoft Security Update Releases
Issued: July 26, 2018
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment:
* CVE-2018-8202
Revision Information:
=====================
- https://portal.msrc.microsoft.com/en-us/security-guidance
- Reason for Revision: Microsoft is aware of...
Microsoft Security Update Releases
Microsoft (Jul 24)
********************************************************************
Title: Microsoft Security Update Releases
Issued: July 24, 2018
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment:
* CVE-2018-8308
Revision Information:
=====================
- https://portal.msrc.microsoft.com/en-us/security-guidance/
advisory/CVE-2018-8308
- Reason for...
Microsoft Security Update Releases
Microsoft (Jul 19)
********************************************************************
Title: Microsoft Security Update Releases
Issued: July 19, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
* CVE-2018-8202
* CVE-2018-8260
* CVE-2018-8284
* CVE-2018-8356
Revision Information:
=====================
-...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Verizon: 1.5M of Contact Records Stolen, Now on Sale
Jeffrey Walton (Mar 26)
http://www.mobipicker.com/verizon-1-5m-contact-records-stolen-now-sale/:
A business to business telecommunication giant,
Verizon Enterprise Solutions, a Basking Ridge,
New Jersey-based company, has been the latest
victim of a cyber crime that stole 1.5 million contact
records of the customers of Verizon...
I don't quite understand this double talk. Could someone explain to me:
A spokesperson from Verizon said that...
Statement on Lavabit Citation in Apple Case
Jeffrey Walton (Mar 16)
(From John Young on another list):
http://www.facebook.com/KingLadar/posts/10156714933135038
As many of you already know, the government cited the Lavabit case in
a footnote. The problem is their description insinuates a precedent
that was never created. Obviously I was somewhat disturbed by their
misrepresentation. So I decided to draft a statement. And keep in
mind, these are the same people who say "trust us." Click continue to
read...
The NSA's back door has given every US secret to our enemies
Jeffrey Walton (Feb 29)
http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2
Deng Xiaoping, in 1979 - his second year as supreme leader of China -
perceived a fundamental truth that has yet to be fully grasped by most
Western leaders: Software, if properly weaponized, could be far more
destructive than any nuclear arsenal.
Under Deng’s leadership, China began one of the most ambitious and
sophisticated meta- software...
Can Spies Break Apple Crypto?
Jeffrey Walton (Feb 27)
Here's an interesting exchange between Cryptome and Michael Froomkin,
Law Professor at University of Miami, on the All Writs Act
(http://cryptome.org/2016/02/can-spies-break-apple-crypto.htm):
-----
A. Michael Froomkin:
The factual posture in the key Supreme Court precedent, New York
Telephone, involved a situation where only the subject of the order
was capable of providing the assistance at issue. This is the basis
for Apple's...
The FBI's iPhone Problem: Tactical vs. Strategic Thinking
Jeffrey Walton (Feb 23)
http://www.technewsworld.com/story/83130.html
I'm an ex-sheriff, and I've been in and out of security jobs for much
of my life, so I've got some familiarity with the issues underlying
the drama between the FBI and Apple. FBI officials -- and likely those
in every other three-letter agency and their counterparts all over the
world -- would like an easier way to do their jobs. Wouldn't we all?
If they could put cameras in...
Wanted: Cryptography Products for Worldwide Survey
Jeffrey Walton (Jan 01)
(http://www.schneier.com/crypto-gram/archives/2015/1215.html):
In 1999, Lance Hoffman, David Balenson, and others published a survey
of non-US cryptographic products. The point of the survey was to
illustrate that there was a robust international market in these
products, and that US-only export restrictions on strong encryption
did nothing to prevent its adoption and everything to disadvantage US
corporations. This was an important contribution...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
Cisco Releases Security Update
US-CERT (Aug 29)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Cisco Releases Security Update [
https://www.us-cert.gov/ncas/current-activity/2018/08/28/Cisco-Releases-Security-Update ] 08/28/2018 09:34 PM EDT
Original release date: August 28, 2018
Cisco has released a security update to address a vulnerability in Cisco Data Center Network Manager. A remote attacker
could exploit this vulnerability to obtain access to...
FTC Promotes Resources to Prevent Cyberbullying
US-CERT (Aug 28)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
FTC Promotes Resources to Prevent Cyberbullying [
https://www.us-cert.gov/ncas/current-activity/2018/08/28/FTC-Promotes-Resources-Prevent-Cyberbullying ] 08/28/2018
07:27 PM EDT
Original release date: August 28, 2018
The Federal Trade Commission (FTC) has released an announcement on the importance of addressing cyberbullying. As
children return to school, FTC...
Adobe Releases Security Update for Creative Cloud
US-CERT (Aug 28)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Adobe Releases Security Update for Creative Cloud [
https://www.us-cert.gov/ncas/current-activity/2018/08/28/Adobe-Releases-Security-Update-Creative-Cloud ] 08/28/2018
01:36 PM EDT
Original release date: August 28, 2018
Adobe has released a security update to address a vulnerability in Adobe Creative Cloud Desktop Application. An
attacker could exploit this...
FTC Issues Alert on Bitcoin Blackmail Scams
US-CERT (Aug 22)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
FTC Issues Alert on Bitcoin Blackmail Scams [
https://www.us-cert.gov/ncas/current-activity/2018/08/22/FTC-Issues-Alert-Bitcoin-Blackmail-Scams ] 08/22/2018 04:10 PM
EDT
Original release date: August 22, 2018
The Federal Trade Commission has released an alert on Bitcoin blackmail scams. In these schemes, scammers threaten
victims with public disclosure of their...
Apache Releases Security Update for Apache Struts 2
US-CERT (Aug 22)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Apache Releases Security Update for Apache Struts 2 [
https://www.us-cert.gov/ncas/current-activity/2018/08/22/Apache-Releases-Security-Update-Apache-Struts ] 08/22/2018
01:04 PM EDT
Original release date: August 22, 2018
The Apache Software Foundation has released a security update to address a vulnerability in Apache Struts versions 2.3
to 2.3.34 and 2.5 to...
Adobe Releases Security Updates
US-CERT (Aug 22)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Adobe Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2018/08/22/Adobe-Releases-Security-Updates ] 08/22/2018 12:37 PM EDT
Original release date: August 22, 2018
Adobe has released security updates to address vulnerabilities in Adobe Photoshop CC. An attacker could exploit these
vulnerabilities to take control of an affected system....
Ghostscript Vulnerability
US-CERT (Aug 22)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Ghostscript Vulnerability [ https://www.us-cert.gov/ncas/current-activity/2018/08/21/Ghostscript-Vulnerability ]
08/21/2018 11:19 PM EDT
Original release date: August 21, 2018 | Last revised: August 22, 2018
NCCIC is aware of a Ghostscript vulnerability affecting various vendors. An attacker could exploit this vulnerability
to take control of an affected system....
Apache Releases Security Updates for Tomcat Native
US-CERT (Aug 20)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Apache Releases Security Updates for Tomcat Native [
https://www.us-cert.gov/ncas/current-activity/2018/08/17/Apache-Releases-Security-Updates-Tomcat-Native ]
Original release date: August 17, 2018
The Apache Foundation has released security updates to address vulnerabilities in Apache Tomcat Native. A remote
attacker could exploit these...
Cisco Releases Security Updates
US-CERT (Aug 15)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Cisco Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2018/08/15/Cisco-Releases-Security-Updates ] 08/15/2018 01:48 PM EDT
Original release date: August 15, 2018
Cisco has released updates to address vulnerabilities affecting Cisco products. A remote attacker could exploit these
vulnerabilities to cause a denial-of-service situation....
FBI Releases Guidance on Defending Against Travel Scams
US-CERT (Aug 15)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
FBI Releases Guidance on Defending Against Travel Scams [
https://www.us-cert.gov/ncas/current-activity/2018/08/14/FBI-Releases-Guidance-Defending-Against-Travel-Scams ]
08/14/2018 10:04 PM EDT
Original release date: August 14, 2018
The Federal Bureau of Investigation (FBI) has released an article on building a digital defense against travel scams.
FBI explains...
VMware Releases Security Updates
US-CERT (Aug 14)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
VMware Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2018/08/14/VMware-Releases-Security-Updates-0 ] 08/14/2018 07:16 PM EDT
Original release date: August 14, 2018
VMware has released security updates to address vulnerabilities in vSphere, Workstation, Fusion, and Virtual
Appliances. An attacker could exploit these vulnerabilities to...
Samba Releases Security Updates
US-CERT (Aug 14)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Samba Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2018/08/14/Samba-Releases-Security-Updates ] 08/14/2018 06:23 PM EDT
Original release date: August 14, 2018
The Samba Team has released security updates to address several vulnerabilities in Samba. An attacker could exploit one
of these vulnerabilities to take control of an affected...
Microsoft Releases August 2018 Security Updates
US-CERT (Aug 14)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Microsoft Releases August 2018 Security Updates [
https://www.us-cert.gov/ncas/current-activity/2018/08/14/Microsoft-Releases-August-2018-Security-Updates ] 08/14/2018
05:14 PM EDT
Original release date: August 14, 2018
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could
exploit some of these...
Adobe Releases Security Updates
US-CERT (Aug 14)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Adobe Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2018/08/14/Adobe-Releases-Security-Updates ] 08/14/2018 05:21 PM EDT
Original release date: August 14, 2018
Adobe has released security updates to address vulnerabilities in Adobe Acrobat and Reader, Adobe Experience Manager,
Adobe Flash Player, and Adobe Creative Cloud Desktop...
Intel Side-Channel Vulnerability
US-CERT (Aug 14)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Intel Side-Channel L1TF Vulnerability [
https://www.us-cert.gov/ncas/current-activity/2018/08/14/Intel-Side-Channel-Vulnerability ] 08/14/2018 01:54 PM EDT
Original release date: August 14, 2018
Intel has released recommendations to address a side-channel vulnerability called L1 Terminal Fault (L1TF) that affects
multiple Intel microprocessors. An attacker could...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
glusterfs: multiple flaws
Siddharth Sharma (Sep 04)
Hello,
We were informed about several security flaws affecting glusterfs.
All of the following bugs were reported by Michael Hanselmann (hansmi.ch).
CVE count: 12
CVE-2018-10904
==============
It was found that glusterfs server does not properly sanitize file paths in the
"trusted.io-stats-dump" extended attribute which is used by the
"debug/io-stats" translator. An attacker can use this flaw to create files and
execute...
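The advisory above describes a server trusting a client-controlled extended attribute as a file path. The following is an added example, not glusterfs code, showing the two checks a practitioner would want before such a value reaches the filesystem: treat the value as a bare file name, or, where relative sub-paths are legitimately needed, normalise and confirm the result is still under the base directory. The base directory and file names are assumptions for illustration.

```python
import posixpath

# Assumption: the directory under which dump files may be written. The
# name is illustrative and is not taken from glusterfs.
DUMP_DIR = "/var/run/gluster"


def safe_dump_name(requested, base=DUMP_DIR):
    """Strict form: the client value is a file name, never a path.

    Rejects empty names, '.', '..', anything containing a separator or a
    NUL, and returns the absolute path inside `base`.
    """
    if (not requested or requested in (".", "..")
            or "/" in requested or "\0" in requested):
        raise ValueError("bad dump file name %r" % (requested,))
    return posixpath.join(base, requested)


def confine_to(base, relative):
    """Permissive form: allow sub-directories but never an escape.

    Joins, normalises ('sub/../x' -> 'x'), and then checks that the
    normalised result still has `base` as a leading path component. An
    absolute `relative` replaces `base` in join() and is caught by the
    same containment check.
    """
    if "\0" in relative:
        raise ValueError("NUL in path")
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, relative))
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError("path %r escapes %r" % (relative, base))
    return candidate


if __name__ == "__main__":
    print(safe_dump_name("stats.dump"))
    print(confine_to(DUMP_DIR, "sub/../stats.dump"))
    for bad in ("../etc/cron.d/x", "/etc/passwd", "sub/../../x"):
        try:
            confine_to(DUMP_DIR, bad)
        except ValueError as err:
            print("rejected:", err)
```

The containment check is component-wise (`commonpath`), so a sibling directory such as `/var/run/glusterfs/x` is rejected even though it shares a string prefix with the base; a plain `startswith` check would not catch that.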
Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default?
Marcus Meissner (Sep 03)
Hi,
I am still holding back CVE requesting as CERT promised to do this.
If they do not reply with a plan until tomorrow I will proceed with requesting.
Ciao, Marcus
Re: Linux kernel: CVE-2018-14619 kernel: crash (possible privesc) in kernel crypto subsystem.
Wade Mealing (Sep 03)
It sure is, let's hope it drives up the quality of the code and ensures
that higher quality code is accepted upstream. A man can dream, right?
You've had questions about why I bring up flaws regarding older code,
such as that tty exploit (http://seclists.org/oss-sec/2015/q2/560), so
I'm glad to have this chance to spend some time explaining to you why I
work in this way.
This flaw does crash the system, it's easy for the user to do so, and...
CVE-2018-10853 kernel: kvm: guest userspace to guest kernel write
P J P (Sep 02)
Hello,
A flaw was found in the way Linux kernel KVM hypervisor emulated instructions
such as sgdt/sidt/fxsave/fxrstor. It did not check the current privilege level (CPL)
level while emulating unprivileged instructions.
An unprivileged guest user/process could use this flaw to potentially escalate
privileges inside guest.
Upstream patch:
-> https://git.kernel.org/linus/3c9fa24ca7c9c47605672916491f79e8ccacb9e6
Issue introduced in: (kernel...
Re: Travis CI MITM RCE
zugtprgfwprz (Sep 01)
Ah, fair enough. Thanks for clarifying this, you're making good points.
The robustness issue is indeed something I completely disregarded.
Luckily, we've already arrived at a point where keys can be as short as
hash values. Ed25519 keys are 32 bytes, i.e., the same length as a
SHA256 hash. So there's that :-)
All the best,
Cheers,
Joe
Re: Travis CI MITM RCE
zugtprgfwprz (Sep 01)
Hmm, not so sure. Let's say we're talking about RSA-4096, then we have a
security level of around 144 bit. Bruteforcing a second preimage SHA-1
(pretending it's an ideal hash function for a second) would have
complexity of around 159 bit. I.e., even for RSA-4096, it would be
easier to create the *identical* private key by factoring the modulus
(thus obviously creating a keypair with the identical fingerprint) than
just randomly...
Re: Travis CI MITM RCE
Daniel Kahn Gillmor (Aug 31)
sorry, i think i wasn't clear enough about my complaint. I'm not
claiming that fingerprints are broken, or that second preimage attacks
against sha-1 are possible today. I'm saying that they're ill-suited to
many of the specific use cases where they show up.
If all i send you is a fingerprint, you *still* need to get the public
key somewhere. This is a point of potential failure.
In nearly every case where we're...
Re: Travis CI MITM RCE
vines (Aug 31)
True, yes, harder to brute-force an identical private key than a key with an identical fingerprint.
However, if someone hadn't considered the possibility of a SHA1 collision attack, and a signature verification fails,
despite the fingerprint they see matching, what % of GPG users would skip signature verification?
Perhaps due to confusion/self-doubt/inexperience/other.
Admittedly, this could be stepping into the realm of social...
Re: Travis CI MITM RCE
zugtprgfwprz (Aug 30)
Hi Daniel,
I agree about the "key ID" part, but not about the "fingerprint" part.
Pinning a cryptographic hash over a public key isn't a security
antipattern by any stretch of the imagination. Sure, you could argue that
the SHA-1 used by GPG isn't state-of-the-art anymore, but we're not
talking about collision attacks, but second preimage attacks. Far worse
for the attacker.
The way you phrased it, however, all...
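The thread above turns on the difference between a key ID (a truncated fingerprint), a full fingerprint, and the key itself, and on the point that a fingerprint does not spare the client from fetching the key. The following is an added example, not code from the thread or from Travis CI, that makes those three things concrete: it pins a full fingerprint, verifies a fetched key against it in constant time, and brute-forces a second key with the same truncated ID to show why a short key ID is not an authentication value. The keys are constructed byte strings, and the example hashes with SHA-256 rather than the SHA-1 that OpenPGP v4 fingerprints use; both are assumptions for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for raw public key bytes (32 bytes, the size of an
# Ed25519 public key as the thread notes). Not a real key.
LEGIT_KEY = bytes(range(32))


def fingerprint(pubkey):
    """Full fingerprint: SHA-256 over the raw key bytes.

    Assumption: this example pins SHA-256. OpenPGP v4 fingerprints are
    SHA-1, which is the hash the thread is weighing against RSA factoring.
    """
    return hashlib.sha256(pubkey).hexdigest()


# The value an operator publishes out of band (documentation, a signed
# config, a CI file) so a client can recognise the right key later.
PINNED_FINGERPRINT = fingerprint(LEGIT_KEY)


def short_key_id(pubkey, nbits=32):
    """Truncated identifier: the low nbits of the fingerprint, the way
    OpenPGP short (32-bit) and long (64-bit) key IDs are derived."""
    digest = hashlib.sha256(pubkey).digest()
    return int.from_bytes(digest, "big") & ((1 << nbits) - 1)


def verify_fetched_key(fetched, pinned_fp=PINNED_FINGERPRINT):
    """The step a fingerprint alone cannot replace: the client still has to
    obtain the key from somewhere (keyserver, CI image, a download that may
    have been tampered with) and only then compare it against the pin.
    Returns the key if it matches, raises otherwise."""
    if not hmac.compare_digest(fingerprint(fetched), pinned_fp):
        raise ValueError("fetched key does not match pinned fingerprint")
    return fetched


def forge_key_id(target_id, nbits):
    """Brute-force a different key whose truncated ID equals target_id.

    Expected work is about 2**nbits hash evaluations: trivial for 16 or
    32 bits, which is why a key ID identifies but never authenticates a
    key, while matching the full fingerprint would need a second preimage
    of the whole hash.
    """
    counter = 0
    while True:
        candidate = b"forged-key-" + counter.to_bytes(8, "big")
        if short_key_id(candidate, nbits) == target_id:
            return candidate
        counter += 1


if __name__ == "__main__":
    # 16 bits keeps the demo to a fraction of a second; 32 bits is still
    # well within reach of a laptop, it just takes longer.
    forged = forge_key_id(short_key_id(LEGIT_KEY, 16), 16)
    print("16-bit key ID collided with a different key:", forged != LEGIT_KEY)
    try:
        verify_fetched_key(forged)
    except ValueError as err:
        print("full fingerprint pin still rejects it:", err)
```

`hmac.compare_digest` is used for the pin comparison so that a substituted key cannot be refined byte by byte from timing; it costs nothing here and is the habit worth keeping wherever a secret or pin is compared.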
Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default?
Tavis Ormandy (Aug 29)
I should note, just add `userdict /setpagedevice undef` at the top if you
want to test it with ImageMagick.
Tavis.
Re: Re: More Ghostscript Issues: Should we disable PS coders in policy.xml by default?
Tavis Ormandy (Aug 29)
Thanks Marcus, here are some more necessary commits:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=520bb0ea7519aa3e79db78aaf0589dae02103764
# 699654 D /invalidaccess checks stop working after a failed restore
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5b5536fa88a9e885032bc0df3852c3439399a5c0
# 699670 gssetresolution memory corruption...
Re: [ANNOUNCE] Apache Traffic Server vulnerability with header variable access in the ESI plugin - CVE-2018-8040
Bryan Call (Aug 29)
There was an error in the Version Affected section. This also affects version 7.1.3, and users running 7.x should
upgrade to 7.1.4 or later versions.
Thank you,
-Bryan
[ANNOUNCE] Apache Traffic Server vulnerability with multiple HTTP smuggling and cache poisoning attacks - CVE-2018-8004
Bryan Call (Aug 29)
CVE-2018-8004: Apache Traffic Server vulnerability with multiple HTTP smuggling and cache poisoning attacks
Reported By:
Régis Leroy
Vendor:
The Apache Software Foundation
Version Affected:
ATS 6.0.0 to 6.2.2
ATS 7.0.0 to 7.1.3
Description:
There are multiple HTTP smuggling and cache poisoning issues when clients making malicious requests interact with ATS.
Mitigation:
6.x users should upgrade to 6.2.3 or later versions
7.x users should...
[ANNOUNCE] Apache Traffic Server vulnerability with multi-range requests - CVE-2018-8005
Bryan Call (Aug 29)
CVE-2018-8005: Apache Traffic Server vulnerability with multi-range requests
Vendor:
The Apache Software Foundation
Version Affected:
ATS 6.0.0 to 6.2.2
ATS 7.0.0 to 7.1.3
Description:
When there are multiple ranges in a range request ATS will read the entire object from cache. This can cause
performance problems with large objects in cache.
Mitigation:
6.x users should upgrade to 6.2.3 or later versions
7.x users should upgrade to...
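The advisory above gives the shape of the problem (many ranges in one request make the cache read the whole object) without the fix. The following is an added example, not ATS code, of the checks a cache or origin would apply to a `Range` header before touching the object: cap the number of range specs, reject unsatisfiable or malformed specs, refuse requests whose ranges add up to more bytes than the object holds, and compute how much actually needs reading once overlaps are merged. The cap of 8 ranges is an assumption for illustration; the advisory does not state what limit ATS uses.

```python
import re

# Assumption: a per-request cap on range specs. The advisory does not say
# what ATS enforces after the fix.
MAX_RANGES = 8


class RangeError(ValueError):
    """A Range header the server should refuse: answer 416, or ignore the
    header and serve the whole object with 200 as RFC 7233 permits."""


def parse_ranges(header, size, max_ranges=MAX_RANGES):
    """Parse an HTTP 'Range: bytes=...' header against an object of `size`
    bytes into a list of inclusive (start, end) pairs.

    Enforces three checks before any object data is read: the number of
    range specs, that each spec is well formed and satisfiable, and that
    the ranges together do not request more bytes than the object holds
    (repeated or overlapping ranges are the cheap way to amplify work).
    """
    m = re.fullmatch(r"\s*bytes\s*=\s*(\S.*)", header)
    if not m:
        raise RangeError("unsupported or malformed Range header")
    specs = [s.strip() for s in m.group(1).split(",")]
    if len(specs) > max_ranges:
        raise RangeError("too many ranges: %d > %d" % (len(specs), max_ranges))
    ranges = []
    for spec in specs:
        sm = re.fullmatch(r"(\d*)-(\d*)", spec)
        if sm is None or spec == "-":
            raise RangeError("malformed range spec %r" % (spec,))
        first, last = sm.groups()
        if first == "":
            # suffix range "-N": the final N bytes of the object
            n = int(last)
            if n == 0:
                raise RangeError("zero-length suffix range")
            start, end = max(0, size - n), size - 1
        else:
            start = int(first)
            if start >= size:
                raise RangeError("range start %d beyond object size %d" % (start, size))
            if last != "" and int(last) < start:
                raise RangeError("range end before start in %r" % (spec,))
            # an open-ended or over-long range is clipped to the object
            end = size - 1 if last == "" else min(int(last), size - 1)
        ranges.append((start, end))
    if sum(end - start + 1 for start, end in ranges) > size:
        raise RangeError("ranges request more bytes than the object holds")
    return ranges


def bytes_to_read(ranges):
    """Bytes the cache has to read if it serves only the requested spans
    with overlaps merged, instead of reading the whole object."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return sum(end - start + 1 for start, end in merged)


if __name__ == "__main__":
    spans = parse_ranges("bytes=0-99,200-299,-100", 1000)
    print(spans, "->", bytes_to_read(spans), "bytes to read of 1000")
    try:
        parse_ranges("bytes=" + ",".join(["0-999"] * 3), 1000)
    except RangeError as err:
        print("rejected:", err)
```

The total-bytes check is the one that matters for the advisory's failure mode: a request such as `bytes=0-999,0-999,0-999` is syntactically valid but asks for three copies of the object, and a server that honours it does the work of three full reads for one response.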
[ANNOUNCE] Apache Traffic Server vulnerability with method ACLs - CVE-2018-1318
Bryan Call (Aug 29)
CVE-2018-1318: Apache Traffic Server vulnerability with method ACLs
Reported By:
Leif Hedstrom
Vendor:
The Apache Software Foundation
Version Affected:
ATS 6.0.0 to 6.2.2
ATS 7.0.0 to 7.1.3
Description:
Adding method ACLs in remap.config can cause a segfault when the user makes a carefully crafted request.
Mitigation:
6.x users should upgrade to 6.2.3 or later versions
7.x users should upgrade to 7.1.4 or later versions
References:...
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
Silver Bullet 123: Yanek Korff
Gary McGraw (Jul 06)
hi sc-l,
The latest installment of Silver Bullet was posted this morning. Silver Bullet episode 123 features a conversation
with Yanek Korff. Yanek worked for many years at Cigital as a system administrator back in the early days. He then
moved on to operational security work at AOL and running managed security services at Mandiant.
We talk about managing technical people in this episode. We also discuss operational security. Have a...
Educause Security Discussion — Securing networks and computers in an academic environment.
Re: KnowBe4 Training and Phishing Sim
McClenon, Brady (Sep 04)
We are an O365 campus and have just started using the Report Message add-in from Microsoft. You can deploy it to all
click-to-run Outlook users, by selected groups or all users.
https://appsource.microsoft.com/en-us/product/office/wa104381180
It reports all messages to MS, but with a mail flow rule, we send a copy to us as well. Instructions are at the bottom
of this article....
Re: Whitelisting chaos
Michael Schalip (Sep 04)
Tracked through both service requests (ticket system) and change management (integrated with ticket system). Track -
initial review - some changes require a "2-person" rule - audit periodically - and review "periodically", (some were
done every 30 days - some every 90 days - some annually - depended on what it was accessing, and how often it was being
utilized.)
M
From: The EDUCAUSE Security Constituent Group Listserv [...
Re: Whitelisting chaos
Michael Young (Sep 04)
Our policy is not to white list.
White listing extends a trust to an IP address (range), account base and infrastructure which you have no control over,
and opens your institution up to compromise at the other location being able to send spam and/or phishing to your users.
We tell them that if they're using a reputable service and managing their email addresses appropriately they shouldn't
have any issues. If there are issues,...
Re: policy management software
Boyd, Daniel (Sep 04)
If you are an Office 365 customer, they now provide a mechanism within O365 to present policies (called "Terms of Use")
to end users upon authentication. The system records these and the user can check to see (if for some reason they
forgot) when they accepted the policy as can admins. It will intercept any login to O365 - Sharepoint, Outlook,
OneDrive, whatever, and redirect, whether on desktop or mobile, to the policy.
Definitely...
Re: Whitelisting chaos
Jason Todd (Aug 31)
I guess our secret is just documentation and review.
Each request is tracked in our ticketing system. We review our configs periodically, and having tickets associated with
the exceptions and special rules allows us to follow up with the requestor to see if the services requiring the change
are still in use.
Email whitelisting is kind of funny. We get requests asking us to whitelist entire marketing platform ranges a few
times a year. I...
Whitelisting chaos
Thomas Carter (Aug 31)
Everyone everywhere wants everything they ever interact with whitelisted in the firewall or email filters (this may be
a bit of hyperbole). How do you handle these requests? How do you keep up with them all, who requested them, etc? Do
they have an expiration time or are they reviewed to see if they are still valid?
What's your secret to minimizing the mess that this can easily become?
Thomas Carter
Network & Operations Manager / IT...
policy management software
Mark Reboli (Aug 31)
We are looking at different policy management software packages to maintain user agreement to policies. I was wondering
if anyone had good experience with a particular package. In short it would need to:
Present the policy
If changes were made to the policy it would highlight them in some fashion or call them out
Have a user sign off that is trackable to the user
Would like a tie-in...
Re: KnowBe4 Training and Phishing Sim
Taylor Randle (Aug 31)
+1 for the Phish Alert Button. We deployed it immediately and have had a lot of success with it.
Taylor Randle
Director of Client Services & IT Security
2540 Walnut Hill Lane, Dallas, TX 75229
T: 214.902.2439 | F: 214.902.2431
trandle () parker edu<mailto:trandle () parker edu>
www.parker.edu<...
Re: KnowBe4 Training and Phishing Sim
Manjak, Martin (Aug 31)
We are in our third year as KnowBe4 customers. I’ll echo Walter’s comments, and add that perhaps the biggest benefit to
our campus is the Phish Alert widget that can be added to the Outlook Client, or your OWA instance, that lets students
and staff (not licensed per seat like the training and phishing campaigns) report suspicious messages by clicking on
the add-on.
You can configure it to forward the message to your designated unit (ours...
Re: KnowBe4 Training and Phishing Sim
WALTER KERNER (Aug 31)
Hi. We have just started with Knowbe4 this semester so we've only started
to get our feet wet with it. We have the platinum level. I can say that
in setting up with white hat phishing exercise I find the console very easy
to use and almost 100% customizable. The customer service so far has been
awesome - our rep is very helpful and available to answer questions.
Walter Kerner
Assistant Vice-President and CISO
333 7th...
Re: KnowBe4 Training and Phishing Sim
Weston Woolworth (Aug 31)
Hi Chris,
We started with Gold because it had a lower price and had a number of good resources, however we shifted over to
Diamond recently – primarily for their FERPA training, and other relevant modules to us as Higher Ed. For the most part
though, Gold was highly effective.
WESTON WOOLWORTH
Director of IT Operations
661.362.2345 | wwoolworth () masters edu<mailto:wwoolworth () masters edu>
KnowBe4 Training and Phishing Sim
Davis, Chris (Aug 31)
For those of you that have KB4, what level of their package do you have and are you satisfied with it? We are looking
at the options they offer and are trying to determine which level is appropriate for us. While I like the offerings in
the Platinum package, specifically the custom tailored training that responds to how people interact with the phishing
sims, I am also wondering if it is really necessary and is it worth the cost. Any input...
Re: [External] [SECURITY] ISO27001 vs NIST 800-171
WALTER KERNER (Aug 31)
Let me add that in a previous role in an international company, colleagues
in other countries were much more comfortable with the ISO than NIST
standard just because it was perceived as being less US-centric.
Walter Kerner
Assistant Vice-President and CISO
333 7th Avenue, 13th Floor
New York, NY 10001
Voice: 212-217-3415
*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On...
Re: ISO27001 vs NIST 800-171
Don Murdoch (Aug 31)
James,
I used to work for a Virginia consulting firm, and we did some work for a few U's on the eastern
seaboard. All of the work was centered around 800-171. To comply, we need to understand who the assessor is and what
they would assess against – that's 171 for CUI. For getting the job done in a more comprehensive fashion that should
“wrap 171”, you could follow the ISO std. It would be in your best interest to start...
Re: [External] [SECURITY] ISO27001 vs NIST 800-171
Shankar, Anurag (Aug 31)
Hi Chris,
The biggest difference from my view is that, while ISO 27001 has a hundred-odd controls set, it is really a framework
aimed at measuring/improving the high-level cybersecurity management structure for an organization (to protect data
confidentiality, integrity, and availability). NIST 800-171 is a more typical physical, admin, and technical control
set (also around a hundred) designed to protect data confidentiality only.
As for...
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: automatic rtbh trigger using flow data
Paweł Małachowski (Sep 04)
For one of our customers I've deployed good old pmacct + MySQL
(using memory engine) backend for DDoS detection purposes.
It has some drawbacks (e.g. one has to frequently delete old
records to keep tables fit and fast) but it allows asking complex
SQL queries against these short term data (e.g. different detection
logic per subnets) or precompute with triggers.
Beware of high cardinality issues when facing random src IP floods.
BTW, once...
Netflix - wide ranges of wrongly blocked IP ranges
Jürgen Jaritsch (Sep 04)
Dear list,
is anyone else experiencing massive issues with Netflix caused by wrongly
blocked IP ranges? Looks like Netflix started to block wide ranges of Colts
IP assignments (EU & Switzerland).
I'm in touch with ~400 affected customers who are no longer able to play
any video on the website (Ooops, something went wrong - Streaming error.
Looks like you're using a Proxy blablabla).
Is someone from Netflix's NOC on the list?...
Re: Service provider story about tracking down TCP RSTs
Tarko Tikan (Sep 02)
hey,
Consumer CPEs are typically some BCM reference design where the initial TCP
handshake is handled by the Linux kernel and everything following (including
NAT) is handled in the SoC.
I've seen those systems not decrement TTL at all, decrement TTL before
checking if a packet is destined to itself, etc. This case is weird as
typically the hardware part is faulty, not the kernel.
Re: Service provider story about tracking down TCP RSTs
William Herrin (Sep 02)
Thanks Bjørn,
I've added several notes in "issues and criticisms" based on that information.
Regards,
Bill Herrin
Re: Service provider story about tracking down TCP RSTs
Bjørn Mork (Sep 02)
William Herrin <bill () herrin us> writes:
I can see the effect on syn cookies being discussed there, but I don't
think that covers all concerns wrt more predictable sequence numbers.
See RFC6528, including its references.
Bjørn
Re: Service provider story about tracking down TCP RSTs
William Herrin (Sep 02)
Hi Bjørn,
In the "issues and criticisms" section.
Regards,
Bill Herrin
Re: Service provider story about tracking down TCP RSTs
nanog (Sep 02)
But why did the TLS Hello have a TTL lower than the TCP SYN?
Do you have any information on that?
Re: Service provider story about tracking down TCP RSTs
Bjørn Mork (Sep 02)
William Herrin <bill () herrin us> writes:
I didn't see a security section in your document. Did you consider the
side effects of this sequence number abuse?
Bjørn
Re: automatic rtbh trigger using flow data
Baldur Norddahl (Sep 02)
I would redirect the packet to a VRF with one global drop UDP ACL. That
scales perfectly. There are probably many ways to implement such a feature.
Sun. 2 Sep 2018 11:07 Ryan Hamel <Ryan.Hamel () quadranet com> wrote:
RE: automatic rtbh trigger using flow data
Ryan Hamel (Sep 02)
Baldur,
Modifying the routing table with a next-hop change from a community, is different than having a line card filtering
packets at layer 4, of course most if not all carriers will support it. Instead of doing normal TCAM route lookups,
you’re getting into packet inspection territory, which is something completely different.
Just quickly reading the ASR 9K documentation, it can only support 3K rules per system. Juniper – 8K,...
Re: automatic rtbh trigger using flow data
Baldur Norddahl (Sep 02)
This is not true. Some of our transits do RTBH for free. For example Cogent.
They will not do FlowSpec. Maybe their equipment can not do it or for some
other reason.
However RTBH is a simple routing hack that can be implemented on any
router. The traffic is dropped right at the edge and is never transported
on the transit provider network. In that sense it also protects the transit
network.
RTBH only for UDP would also be a very simple hack on...
Re: Service provider story about tracking down TCP RSTs
James Bensley (Sep 02)
Hi Garrett,
It is available via the NANOG list archives:
https://mailman.nanog.org/pipermail/nanog/2018-September/096871.html
I've shared this story to non-list member using that URL.
Thanks for the write up Frank!
Cheers,
James.
Re: Service provider story about tracking down TCP RSTs
Lee (Sep 01)
The "New Jersey" description is more of a caricature than a valid description:
"I have intentionally caricatured the worse-is-better philosophy to
convince you that it is obviously a bad philosophy and that the
New Jersey approach is a bad approach."
I mentally did a 's/New Jersey/Microsoft/' and it made a lot more sense.
That it's not always a trivial matter to build another layer.
That your retry...
RE: automatic rtbh trigger using flow data
Michel Py (Sep 01)
I would not have guessed :P
I agree. In the end, it tends to favor who has the biggest one.
I meant the biggest bandwidth, of course.
In the foreseeable future, no blacklist system is going to replace what Arbor and consorts can provide: a pipe big
enough to either route the DDOS attack to null0 or, even better, route it to somewhere it can be analyzed further.
Michel.
TSI Disclaimer: This message and any files or text attached to it are...
Re: automatic rtbh trigger using flow data
Hugo Slabbert (Sep 01)
If I can tag an RTBH community on a /32, what's the additional lost revenue
in letting me be more granular and get down to the specific flows I want
dropped?
"drop all traffic to x/32" would drop *more* traffic than "drop any traffic
from address y to x/32, protocol TCP, port n".
What now? Unless I'm misunderstanding what you're saying, it's right in
the spec[1]:
A flow specification NLRI must...
Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating
‘Five Eyes’ governments call on tech giants to build encryption backdoors — or else
Dave Farber (Sep 03)
Begin forwarded message:
> From: Richard Forno <rforno () infowarrior org>
> Date: September 3, 2018 at 14:26:47 EDT
> To: infowarrior list <infowarrior () attrition org>
> Cc: Dave Farber <dave () farber net>
> Subject: ‘Five Eyes’ governments call on tech giants to build encryption backdoors — or else
>
> ‘Five Eyes’ governments call on tech giants to build encryption backdoors — or else
>...
IBM warns of instant breaking of encryption by quantum computers: 'Move your data today' | ZDNet
Dave Farber (Sep 02)
https://www.zdnet.com/article/ibm-warns-of-instant-breaking-of-encryption-by-quantum-computers-move-your-data-today/
-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915
Unsubscribe Now:...
re FCC can define markets with only one ISP as "competitive," court rules
Dave Farber (Sep 01)
Begin forwarded message:
> From: Brett Glass <brett () lariat net>
> Date: September 1, 2018 at 10:09:51 PM EDT
> To: dave () farber net
> Subject: Re: [IP] FCC can define markets with only one ISP as "competitive," court rules
>
> Dave, and everyone:
>
> The FCC's biggest problem, when it comes to broadband, is in fact the opposite: defining markets with multiple ISPs
> as lacking competitors....
Help the National Science Foundation think outside the box; enter the NSF 2026 Idea Machine competition!
Dave Farber (Sep 01)
Begin forwarded message:
>
>
> From: NSF 2026 Idea Machine Outreach <NSF2026_IM () LISTSERV NSF GOV> On Behalf Of NSF 2026 Idea Machine
> Sent: Friday, August 31, 2018 11:26 AM
> To: NSF2026_IM () LISTSERV NSF GOV
> Subject: Help the National Science Foundation think outside the box; enter the NSF 2026 Idea Machine competition!
>
> August 31, 2018
>
> Dear Colleague,
>
> The National Science...
FCC can define markets with only one ISP as "competitive," court rules
Dave Farber (Aug 31)
Begin forwarded message:
> From: Dewayne Hendricks <dewayne () warpspeed com>
> Date: August 30, 2018 at 10:10:36 PM EDT
> To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
> Subject: [Dewayne-Net] FCC can define markets with only one ISP as "competitive," court rules
> Reply-To: dewayne-net () warpspeed com
>
> [Note: This item comes from friend Ed DeWath. DLH]
>
> FCC can...
Five Eyes and Privacy?? (via Mike Nelson)
Dave Farber (Aug 31)
Begin forwarded message:
> From: mark () tmtstrategies com
> Date: August 31, 2018 at 05:57:25 EDT
> To: Dave <dave () farber net>
> Subject: [DL-] Five Eyes and Privacy?? (via Mike Nelson)
> Reply-To: "Digital Life" <dl () tmts topicbox com>
>
> Michael Nelson
>
> 19 hrs ·
> If you care about online privacy and surveillance, you'll want to read the results of the recent meeting of the...
US and UK days away from European Parliament ultimatum to suspend data transfers to the US
Dave Farber (Aug 31)
https://www.computerweekly.com/news/252447760/US-and-UK-days-away-from-European-Parliament-ultimatum-to-suspend-data-transfers-to-the-US
Hearing on the draft & draft registration, Thurs., 9/20 in LA
Dave Farber (Aug 31)
Begin forwarded message:
> From: "Edward Hasbrouck" <edward () hasbrouck org>
> Date: August 31, 2018 at 01:51:31 EDT
> To: dave () farber net
> Subject: (for IP?) Hearing on the draft & draft registration, Thurs., 9/20 in LA
>
> The "National Commission on Military, National and Public Service" has
> announced that the final event in its year-long series of "informal"
>...
The NSA Continues to Violate Americans' Internet Privacy Rights
Dave Farber (Aug 29)
Begin forwarded message:
> From: Dewayne Hendricks <dewayne () warpspeed com>
> Date: August 29, 2018 at 11:07:03 EDT
> To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
> Subject: [Dewayne-Net] The NSA Continues to Violate Americans' Internet Privacy Rights
> Reply-To: dewayne-net () warpspeed com
>
> The NSA Continues to Violate Americans’ Internet Privacy Rights
> An upcoming...
Is citizenship of the country you are born in an absurd privilege?
Dave Farber (Aug 29)
Begin forwarded message:
> From: Dewayne Hendricks <dewayne () warpspeed com>
> Date: August 29, 2018 at 09:25:59 EDT
> To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
> Subject: [Dewayne-Net] Is citizenship of the country you are born in an absurd privilege?
> Reply-To: dewayne-net () warpspeed com
>
> Is citizenship of the country you are born in an absurd privilege?
> Canada and the...
Open Neighborhood With No Maintenance Fees in Capilla del Señor.
lomadasdecapilla.com.ar (Aug 29)
To remove your address from this list, click here: http://d.gpmserver1.com/unsuscribe.php?id=rurwqsweywystriqusruy
lists-ip-jhof () seclists org WITH MOVISTAR YOU GET UNLIMITED WHATSAPP WITHOUT USING YOUR DATA
Movistar Negocios (Aug 29)
Switch to Movistar Comunidad full MOVISTAR
Requirement: active CUIT
Plans with data + Antivirus + Terabox 5GB...
Meet the 'Change Agents' Who Are Enabling Inequality
Dave Farber (Aug 27)
Begin forwarded message:
> From: Dewayne Hendricks <dewayne () warpspeed com>
> Date: August 27, 2018 at 08:41:13 EDT
> To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
> Subject: [Dewayne-Net] Meet the 'Change Agents' Who Are Enabling Inequality
> Reply-To: dewayne-net () warpspeed com
>
> Meet the ‘Change Agents’ Who Are Enabling Inequality
> By Joseph E. Stiglitz
> Aug...
New details released on Huawei's intent-based network
Dave Farber (Aug 27)
What a marvelous bunch of buzz words. Question is, is it anything new and useful?
https://searchnetworking.techtarget.com/opinion/New-details-released-on-Huaweis-intent-based-network
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 30.81
RISKS List Owner (Aug 25)
RISKS-LIST: Risks-Forum Digest Saturday 25 August 2018 Volume 30 : Issue 81
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.81>
The current issue can also be...
Risks Digest 30.80
RISKS List Owner (Aug 18)
RISKS-LIST: Risks-Forum Digest Saturday 18 August 2018 Volume 30 : Issue 80
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.80>
The current issue can also be...
Risks Digest 30.79
RISKS List Owner (Aug 08)
RISKS-LIST: Risks-Forum Digest Wednesday 8 August 2018 Volume 30 : Issue 79
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.79>
The current issue can also be...
Risks Digest 30.78
RISKS List Owner (Aug 01)
RISKS-LIST: Risks-Forum Digest Wednesday 1 August 2018 Volume 30 : Issue 78
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.78>
The current issue can also be...
Risks Digest 30.77
RISKS List Owner (Jul 30)
RISKS-LIST: Risks-Forum Digest Monday 30 July 2018 Volume 30 : Issue 77
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.77>
The current issue can also be...
Risks Digest 30.76
RISKS List Owner (Jul 20)
RISKS-LIST: Risks-Forum Digest Friday 20 July 2018 Volume 30 : Issue 76
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.76>
The current issue can also be...
Risks Digest 30.75
RISKS List Owner (Jul 14)
RISKS-LIST: Risks-Forum Digest Saturday 14 July 2018 Volume 30 : Issue 75
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> and
<http://catless.ncl.ac.uk/Risks/30.75>
The current issue can also be...
Risks Digest 30.74
RISKS List Owner (Jul 05)
RISKS-LIST: Risks-Forum Digest Thursday 5 July 2018 Volume 30 : Issue 74
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.74>
The current issue can also be...
Risks Digest 30.73
RISKS List Owner (Jun 26)
RISKS-LIST: Risks-Forum Digest Tuesday 26 June 2018 Volume 30 : Issue 73
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.73>
The current issue can also be...
Risks Digest 30.72
RISKS List Owner (Jun 12)
RISKS-LIST: Risks-Forum Digest Tuesday 12 June 2018 Volume 30 : Issue 72
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.72>
The current issue can also be...
Risks Digest 30.71
RISKS List Owner (Jun 05)
RISKS-LIST: Risks-Forum Digest Tuesday 5 May 2018 Volume 30 : Issue 71
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.71>
The current issue can also be...
Risks Digest 30.70
RISKS List Owner (May 26)
RISKS-LIST: Risks-Forum Digest Saturday 26 May 2018 Volume 30 : Issue 70
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.70>
The current issue can also be...
Risks Digest 30.69
RISKS List Owner (May 16)
RISKS-LIST: Risks-Forum Digest Wednesday 16 May 2018 Volume 30 : Issue 69
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.69>
The current issue can also be...
Risks Digest 30.68
RISKS List Owner (May 05)
RISKS-LIST: Risks-Forum Digest Saturday 5 May 2018 Volume 30 : Issue 68
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.68>
The current issue can also be...
Risks Digest 30.67
RISKS List Owner (Apr 29)
RISKS-LIST: Risks-Forum Digest Sunday 29 April 2018 Volume 30 : Issue 67
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.67>
The current issue can also be...
BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.
Beef Up Your Cybersecurity, No Second Thoughts Please!
Inga Goddijn (Sep 04)
https://hackercombat.com/beef-up-your-cybersecurity-no-second-thoughts-please/
More and more companies today are getting targeted by hackers. Thus, in the
current scenario, it becomes really important that companies make
themselves secure. Every organization today needs to ensure that every
single individual in the organization is aware of what all needs to be done
to ensure proper security. The management and every single worker in any...
Government transparency site revealed Social Security numbers, other personal info
Inga Goddijn (Sep 04)
https://www.cnn.com/2018/09/03/politics/foia-revealed-social-security-numbers/index.html
A federal government transparency website made public dozens, if not
hundreds, of Social Security numbers and other personal information in a
design error during a system upgrade.
The error, on a Freedom of Information Act request portal, was fixed after
CNN alerted the government to the situation. For weeks prior, however,
individuals' sensitive...
MagentoCore Card Skimmer Found on Mass Numbers of E-Commerce Sites
Destry Winant (Sep 04)
https://threatpost.com/magentocore-card-skimmer-found-on-mass-numbers-of-e-commerce-sites/137117/
The Magecart group is likely behind the most prolific card-stealing
operation seen in the wild to date.
A whopping 7,339 (and counting) individual e-commerce sites have been
infested with the MagentoCore.net payment-card skimmer in the last six
months, making the malicious script one of the most successful
credit-card threats out there. The...
DDoS attack from Anonymous Catalonia cripples Bank of Spain website
Destry Winant (Sep 04)
https://www.hackread.com/ddos-attack-anonymous-catalonia-cripples-bank-of-spain-website/
The official website of Banco de España (Bank of Spain), which is the
central bank of the country, was hit by a Distributed Denial of
Service (DDoS) attack on Sunday. The attack potentially disrupted the
website’s operations and it became inaccessible at the beginning of
the week. The attack, reportedly, has been claimed by the notorious
hackers...
Your Biggest Cybersecurity Threat is Poor Communication
Destry Winant (Aug 31)
https://securitytoday.com/articles/2018/08/27/your-biggest-cybersecurity-threat-is-poor-communication.aspx
When it comes to cybersecurity, it’s all too easy to focus only on
prevention. Don’t get me wrong, securing critical systems and data is
one of the top priorities for any Chief Security Officer (CSO) or
Chief Information Security Officer (CISO). That means deploying
everything from firewalls to intrusion detection systems to end-point...
Three Ways of Looking at Security Operations
Destry Winant (Aug 31)
https://www.securityweek.com/three-ways-looking-security-operations
The term “security operations” is often interpreted to be synonymous
with a security operations center (SOC). In fact, a web search on
security operations results mostly in links to SOC content. But that’s
a narrow view. How you view security operations will make a difference
in how fast your organization can deliver software and mitigate breach
damage. A bigger-picture...
Why everyone’s thinking about ransomware the wrong way
Destry Winant (Aug 31)
http://www.itsecurityguru.org/2018/08/30/everyones-thinking-ransomware-wrong-way/
It’s become a fact of life that hackers might lock down your computer,
blocking access to your most valuable data, and vowing to free it only
if you pay up. Ransomware is nothing new, but it’s profitable, and
hackers are deploying it left and right.
Mitigating ransomware is actually fairly straightforward. If you have
backups, if your network is segmented,...
How One Company’s Cybersecurity Problem Becomes Another's Fraud Problem
Destry Winant (Aug 31)
https://www.darkreading.com/endpoint/how-one-companys-cybersecurity-problem-becomes-anothers-fraud-problem-/a/d-id/1332669
Fraud isn't something new or something that only happens on the
Internet. Identity theft has been around for decades. What has changed
is how fraud is executed; not only are individuals targeted, but now
entire companies can become targets for fraud. For example, what are
phishing sites masquerading as legit websites if...
Apache Struts Distraction Continues While Over 600 Additional Vulnerabilities Have Been Released
Inga Goddijn (Aug 30)
https://www.riskbasedsecurity.com/2018/08/apache-struts-distraction-continues-while-over-600-additional-vulnerabilities-have-been-released/
While everyone has been heavily focused on, or we could say distracted by, the
recent Apache Struts vulnerability
<http://www.riskbasedsecurity.com/2018/08/watch-out-another-nasty-apache-struts-vulnerability-has-been-disclosed/>,
the steady flow of additional vulnerabilities being disclosed continues....
Air Canada mobile app breached, data of 20,000 customers may have been accessed
Destry Winant (Aug 30)
https://www.theglobeandmail.com/business/article-air-canada-mobile-app-breached-data-of-20000-customers-may-have-been/
Some 20,000 Air Canada customers woke up Wednesday to learn their
personal information may have been compromised after a breach in the
airline’s mobile app, which prompted a lock-down on all 1.7 million
accounts until their passwords could be changed.
Air Canada said it detected unusual login activity between Aug. 22 and
Aug....
ABBYY woes: Doc-reading software firm leaves thousands of scans blowing in wind
Destry Winant (Aug 30)
https://www.theregister.co.uk/2018/08/29/abbyy_aws_database_open_snafu/
Document-reading software flinger ABBYY exposed more than 203,000
customer documents as the result of a MongoDB server misconfiguration.
The AWS-hosted MongoDB server was accidentally left publicly
accessible and contained 142GB of scanned documents including over
200,000 scanned contracts, memos, letters and other sensitive files
dating back to 2012. No username or...
Hackers Publish PoC of Zero-day Vulnerability in Windows on Twitter
Destry Winant (Aug 30)
https://www.hackread.com/hackers-publishes-poc-of-zero-day-vulnerability-in-windows-on-twitter/
New Privilege Escalation Bug Identified in Windows OS.
Recently a Twitter user, using the handle SandboxEscaper, disclosed
that the Microsoft Windows OS has a zero-day vulnerability, which is
yet unknown to the company. Tweeting on the microblogging platform,
the user stated:
“Here is the alpc bug as 0day. I don’t f**king care about life...
Data of 130 Million Chinese Hotel Chain Guests Sold on Dark Web Forum
Destry Winant (Aug 30)
https://www.bleepingcomputer.com/news/security/data-of-130-million-chinese-hotel-chain-guests-sold-on-dark-web-forum/
The breach was reported today by Chinese media after several
cyber-security firms spotted the forum ad [1, 2, 3, 4].
The seller said he obtained the data from Huazhu Hotels Group Ltd
(Huazhu from hereafter), one of China's largest hotel chains, which
operates 13 hotel brands across 5,162 hotels in 1,119 Chinese cities....
3 months after GDPR data breach complaints already more than doubled
Destry Winant (Aug 29)
http://www.globallegalpost.com/big-stories/3-months-after-gdpr-data-breach-complaints-already-more-than-doubled-33719982/
Complaints to the UK’s Information Commissioner’s Office (ICO) about
potential data breaches have more than doubled since the General Data
Protection Regulation (GDPR) came into effect, according to research
from commercial law firm EMW.
Significant workload
There were 6,281 complaints between May 25 2018, when GDPR...
Bank of Spain Reveals Its Website Suffered a DoS Attack
Destry Winant (Aug 29)
https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/bank-of-spain-reveals-its-website-suffered-a-dos-attack/
The Bank of Spain revealed that bad actors used a denial-of-service
(DoS) attack to temporarily disrupt access to its website.
On 27 August, a spokesperson for Spain’s central bank disclosed the
attack. They clarified that that incident didn’t affect the Bank’s
services or its communications with...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
nullcon se7en CFP is open
nullcon (Aug 25)
Dear Friends,
Welcome to nullcon se7en!
$git commit -a <sin>
<sin> := wrath | pride | lust | envy | greed | gluttony | sloth
nullcon is an annual security conference held in Goa, India. The focus
of the conference is to showcase the next generation of offensive and
defensive security technology. We happily open doors to researchers
and hackers around the world working on the next big thing in security
and request...
Ruxcon 2015 Final Call For Presentations
cfp (Jul 05)
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of September, 2015.
.[x]. About Ruxcon .[x]....
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Re: Dissector H.265 : when it will be available
Pascal Quantin (Sep 04)
Hi Asaf,
master branch corresponds to the upcoming Wireshark 3.0 version (while all
the 2.6.x versions come from the master-2.6 branch). Based on
https://www.wireshark.org/lists/wireshark-dev/201802/msg00012.html it
should be out around November.
Best regards,
Pascal.
On Tue, 4 Sep 2018 at 13:45, Asaf Kave <kaveasaf () gmail com> wrote:
Dissector H.265 : when it will be available
Asaf Kave (Sep 04)
Hi everyone,
Lately (prior to release 2.6.3\2.6.2) I added a dissector for the H.265/HEVC
protocol to the master branch.
I looked in the product cycle / road-map, but didn't find information.
Does anyone know when it's supposed to be released?
Thanks
Asaf
Lua dissector: How to set sub-field bit widths using preferences?
David Aldrich (Sep 03)
Our protocol includes a 16-bit field which is sub-divided into 4
sub-fields. The width of those sub-fields is variable so I want to specify
the widths using Wireshark preferences. I understand how to create and
read Wireshark preferences but I am unsure of how to apply them in this
circumstance.
My code structure looks like this:
my_protocol = Proto("...", "...")
-- Create a preference
my_protocol.prefs.ru_port_id_width...
Re: Gerrit - code review window
João Valverde (Sep 02)
The way the changeset windows layout changes with resizing is pretty
jarring too and leaves huge amounts of empty space sometimes.
Re: Gerrit - code review window
João Valverde (Sep 02)
Word wrap is called "fit to screen" in the preferences but yeah, I miss
the horizontal scroll-bar.
Re: Can a Lua dissector access Wireshark preferences?
David Aldrich (Aug 31)
Thanks for your help.
Re: Can a Lua dissector access Wireshark preferences?
Jeff Morriss (Aug 30)
For the preference side of it see:
https://wiki.wireshark.org/LuaAPI/Pref
On Thu, Aug 30, 2018 at 12:43 PM Maynard, Chris <Christopher.Maynard () igt com>
wrote:
Re: Can a Lua dissector access Wireshark preferences?
Maynard, Chris (Aug 30)
If you look at the documentation for ProtoField.new and friends[1], you can see that there’s a “mask” argument. That
specifies how many bits apply to this field.
So for example, below there are 2 fields, field1 is the upper nibble of a byte, field2 is the lower nibble of a byte:
local foo_field1 = ProtoField.uint8("foo.field1", "Field1", base.DEC, nil, 0xf0)
local foo_field2 =...
Re: Making .deb packages on Ubuntu 18.04 requires packages not installed by debian-setup.sh
João Valverde (Aug 30)
+1 to --install-deb-deps or similar.
(also replacing vagrant_build.sh with debian-setup.sh).
Re: Making .deb packages on Ubuntu 18.04 requires packages not installed by debian-setup.sh
Anders Broman (Aug 30)
On Thu, 30 Aug 2018 at 17:34, Dario Lombardo <lomato () gmail com> wrote:
Sounds good to me.
Regards
Anders
Can a Lua dissector access Wireshark preferences?
David Aldrich (Aug 30)
Hi
For my lua dissector, I want to be able to specify the bit width of a data
field using a Wireshark Preference.
Is that possible? If so, where would I find some help on how to do it?
Best regards
David
Re: Making .deb packages on Ubuntu 18.04 requires packages not installed by debian-setup.sh
Dario Lombardo (Aug 30)
They've been recently removed by me since they're not needed anymore to
build wireshark. I'm not sure about adding them to the script: that would
force anyone using it and just building (like me and all the debian based
CI platforms that rely on it) to have autotools back. Perhaps a new cmd
line switch (atm we have --install-optional)? Like --install-deb-deps or
similar?
On Thu, Aug 30, 2018 at 5:14 PM Anders Broman...
Making .deb packages on Ubuntu 18.04 requires packages not installed by debian-setup.sh
Anders Broman (Aug 30)
Hi,
As the title says, trying to build .deb packages on a vanilla Ubuntu 18.04 fails:
dpkg-checkbuilddeps: error: Unmet build dependencies: debhelper (>= 9) po-debconf python-ply docbook-xsl (>=
1.64.1.0-0) docbook-xml libxml2-utils quilt
dpkg-buildpackage: warning: build dependencies/conflicts unsatisfied; aborting
dpkg-buildpackage: warning: (Use -d flag to override.)
That the debhelper drags in autotools seems a bit unfortunate....
Re: Add an external tool
Jaap Keuter (Aug 29)
Hi,
Done.
Wireshark 2.2.17 is now available
Wireshark announcements (Aug 29)
I'm proud to announce the release of Wireshark 2.2.17.
__________________________________________________________________
What is Wireshark?
Wireshark is the world's most popular network protocol analyzer. It is
used for troubleshooting, analysis, development and education.
__________________________________________________________________
What's New
This is the final release of Wireshark 2.2. It will reach...
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Re: Snort Line 326 Error
wkitty42--- via Snort-users (Sep 04)
uncle google knows the answer... start here and read the three posts in the
thread... you might note the date of those posts, too ;)
http://seclists.org/snort/2016/q4/229
FWIW: the search term was:
https://www.google.com/search?q=ERROR%3A+C%3A\snort\etc\snort.conf(326)
Snort Line 326 Error
Brian via Snort-users (Sep 03)
Team,
Good Afternoon.
I have installed snort on three different machines, and I get the same error
each time.
ERROR: C:\snort\etc\snort.conf(326) => Invalid keyword '}' for server
configuration.
Fatal Error, Quitting.
Could not set the event message file.
c:\Snort\bin>
Line 326 = decompress_pdf { deflate }
It appears this error is common.
Thanks.
Re: Issue: Output on console not displayed on Snort computer
wkitty42--- via Snort-users (Aug 31)
first off, there is no need to mask RFC-1918 IP numbers... they are not
accessible outside of the local network...
you do not state what your NIC is... try adding "-k none" to your command line...
perhaps your NIC has offloading capabilities? disable them if so... you need the
NIC to hand everything to snort...
Issue: Output on console not displayed on Snort computer
Benjamin Sanchez Murillo via Snort-users (Aug 31)
Hello,
I am trying to configure Snort on Ubuntu by following the Snort Set Guide
Snort_2.9.9.x_on_Ubuntu_14-16.pdf by Noah Dietrich. I am stuck on section
12 Writing a Simple Rule to Test Snort Detection, page 11. Please let me
know if you can help me solve my issue below. Thank you!
-----------------------------------------------
1) Issue:
Output on console not displayed on Snort computer (Ubuntu: 192.168.1.X)
when I ping it from another...
Re: Snort3 and barnyard2
oleg gv via Snort-users (Aug 30)
Thanks a lot!
On Thu, 30 Aug 2018 at 15:25, Joel Esler (jesler) <jesler () cisco com>:
Snort Subscriber Rules Update 2018-08-30
Research via Snort-sigs (Aug 30)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the file-other, file-pdf
and server-webapp rule sets to provide coverage for emerging threats
from these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Re: Snort3 and barnyard2
Joel Esler (jesler) via Snort-users (Aug 30)
Pulledpork, the supported rule downloader, generates the Sid-msg.map for you. This is done to ensure that any local
rules and 3rd party rules are accounted for as well.
Sent from my iPhone
But in rules archive for snort3 no sid-msg.map file exists.
(https://snort.org/downloads/registered/snortrules-snapshot-3000.tar.gz)
So the only way is to use snort2 rules with snort3 and barnyard ?
On Tue, 28 Aug 2018 at 21:16, Russ via...
Re: Snort3 and barnyard2
oleg gv via Snort-users (Aug 30)
But in rules archive for snort3 no sid-msg.map file exists. (
https://snort.org/downloads/registered/snortrules-snapshot-3000.tar.gz)
So the only way is to use snort2 rules with snort3 and barnyard ?
On Tue, 28 Aug 2018 at 21:16, Russ via Snort-users <
snort-users () lists snort org>:
kljl
sama stuff via Snort-users (Aug 30)
Standard SNORT performance benchmarks
Li, Charlie (Aug 29)
Hi All,
I am new to SNORT and I wanted to compare SNORT performance on different platforms. So I am wondering if there are
standard SNORT performance benchmarks.
What I meant is to have a set of standard SNORT configurations and rules, then tested against a set of standard PCAP
files or live traffic. So the results are comparable among different platforms.
I am more interested in throughput and latency.
Regards,
Charlie Li
(no subject)
Michael Hensel via Snort-sigs (Aug 29)
Snort Blog: Snort 3 beta available now!
Joel Esler (jesler) via Snort-sigs (Aug 29)
intact header
Luiz Eduardo via Snort-users (Aug 29)
Snort3 does not use config sections
oleg gv via Snort-users (Aug 29)
Hello,
snort3 does not use config sections which are read from the config file (-c
snort.lua).
But when using the cmd line all is ok. So I can load rules only by the -R option,
and not by the ips = {...} section.
My config:
require("snort_config")
HOME_NET = "any"
EXTERNAL_NET = "any"
dofile("/var/lib/idsm/support/snort_defaults.lua")
dofile("/var/lib/idsm/support/file_magic.lua")
gtp_inspect = default_gtp...
Snort3 does not write to alert_full.txt in daemon mode
oleg gv via Snort-users (Aug 29)
Hello,
Snort3 does not write to alert_full.txt in daemon mode.
When not in daemon mode (no -D) - it writes it to stdout.
I run snort3:
/usr/bin/snort -D -M --daq-dir /usr/local/lib/snort/daqs --daq-dir
/usr/local/lib/snort_extra/daqs --daq-dir /usr/local/daqm/lib/daq
--create-pidfile -y -t / -l /var/log/idsm/ --plugin-path
/usr/local/lib/snort_extra -c /tmp/snort-config --daq afpacket -i ethernet1
-R /tmp/rules.txt -A alert_full --lua...
We also maintain archives for these lists (some are currently inactive):
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.