SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.
Re: nmap crash (ssh-publickey-acceptance)
Daniel Miller (Nov 03)
Darren,
Good news and bad news. The good: I found why publickey checking wasn't
working; the helper function wasn't written to return the result of the
libssh2 call, so the result was always 'nil', which is false. So that's
cleared up in r37074, with a couple other fixes in subsequent revisions.
The bad: the results you provided don't really narrow down the problem to a
reasonable search space. I have some ideas...
Re: Talk on NSE's use of coroutines at Lua Workshop 2017
Patrick Donnelly (Nov 03)
Slides are available from: https://www.lua.org/wshop17/Donnelly.pdf
Re: nmap crash (ssh-publickey-acceptance)
Daniel Miller (Nov 02)
Thanks for reporting this! It seems to be a double-free occurring during NSE
garbage collection/shutdown, specifically in the nsock_pool_delete
function. I can't readily see how this could be happening, so can you give
a little more info?
1. output of nmap --version
2. Does the error occur if you do not use -sV?
3. Does the error occur if you only use -sV (i.e. not --script
ssh-publickey-acceptance)
4. If the previous 2 tests show that...
nmap crash (ssh-publickey-acceptance)
Darren Martyn (Nov 02)
Attached is a log with loads of debug info. Got partially through redacting
hostnames, then stopped bothering because it's a publicly routable host I
own anyway.
Re: Talk on NSE's use of coroutines at Lua Workshop 2017
Patrick Donnelly (Nov 02)
Video is now available: https://www.youtube.com/watch?v=lRPMrWt-ojw
Re: [PATCH] configure.ac: fix AC_CHECK_HEADER call to test for libssh2
Max Filippov (Nov 02)
I've opened an issue (#1058) and a pull request (1059) on github for this.
[PATCH] configure.ac: fix AC_CHECK_HEADER call to test for libssh2
Max Filippov (Nov 02)
Building nmap as a part of the buildroot fails because in the
configure.ac test for libssh2 -lm is passed as an argument to
AC_CHECK_HEADER() instead of the AC_CHECK_LIB().
---
The patch below fixes this configure.ac bit and includes regenerated
configure script. Please consider applying this fix. For more details
please see the thread by the following URL:
http://lists.busybox.net/pipermail/buildroot/2017-November/205936.html
---
Index:...
Port state detection sometimes fails when scanning a single port in aggressive timing
Andres Marin Lopez (Oct 29)
Hi!
I have detected that nmap 7.60 when scanning a single port fails to detect
the state of the port in aggressive timing strategy. I discovered with -T3
in Version 7.50 but in version 7.60 it only happens using -T5. With
--packet-trace I see that nmap does not wait to receive the SYN,ACK, though
tcpdump shows it.
This does not happen if you scan two or more ports, so it may be a bug in
the code.
Here follow the traces with new version of...
Crash report 2017-10-25
Al Hesse via dev (Oct 29)
Version: 7.40
Traceback (most recent call last):
File "zenmapGUI\App.pyo", line 178, in _destroy_callback
File "zenmapCore\UmitDB.pyo", line 400, in <module>
File "zenmapCore\UmitDB.pyo", line 396, in verify_db
DatabaseError: database disk image is malformed
Re: Crash Report
Ronald Belill (Oct 29)
Daniel,
You are correct. The file 'C:\\Program Files (x86)\\Nmap/scripts/skypev2-version.nse'
does not exist. I will re-install and try again.
Thank You,
Ronald J. Belill
*Director of Networking and Security*
Baker College System
O: 810-766-4118 | M:810-343-0876
Using NMAP commands in hacking simulator
Feras Zaben (Oct 29)
Dear Sir,
We are building a hacking tool simulator for students to give the
awareness of ethical hacker based on CEH council, the tool will demonstrate
the commands used for gathering information of virtual target network (not
real).
We would like to use the NMAP commands to give some expected results
(predefined data), and we need to confirm the legal use of the NMAP
commands in our simulator, kindly advise.
Zenmap Bug
Mohammad almehairbi (Oct 29)
Hello there,
I was reading a book about nmap I got an error when I opened zenmap > new profile > scripts tag
It says "There was an error getting the list of scripts from Nmap. "
I have tried to track the error in the source file but didn't work with me also searched in the web about it with no
results. It would be great to help out on this.
My details
OS: Kali GNU/Linux Rolling 64-bit
nmap version: Nmap version 7.60
I...
Re: How to find out if SMTP mailserver supports STARTTLS or (only) SSL/TLS ?
Dave Horsfall (Oct 29)
Telnet to it and see what the banner says? You can't do it stealthily, if
that's what you're after; you have to connect to it.
zenmap error
fred (Oct 29)
I installed version 7.60 of nmap/zenmap on my mac running macOS Sierra
10.12.6 and received the following error.
thanks,
fred
Version: 7.60
Traceback (most recent call last):
File "/Applications/Zenmap.app/Contents/Resources/bin/zenmap", line 195, in <module>
zenmapGUI.App.run()
File "/Applications/Zenmap.app/Contents/Resources/lib/python2.7/site-packages/zenmapGUI/App.py", line 312, in run...
Re: customized nmap packages
Daniel Miller (Oct 26)
Paul,
You can use these options to the configure script when building from
source: --without-ncat --without-nping --without-ndiff --without-zenmap
--without-nmap-update --without-liblua --without-libssh2 --without-openssl
Note that this will disable all NSE scripts and a lot of the -sV version
detection, since Nmap will be unable to probe SSL/TLS services. Most of the
size of the Nmap binary is due to the IPv6 OS fingerprinting model, and
there...
Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Nmap GSoC 2017 Success Reports
Fyodor (Oct 10)
Hello Nmap Community,
Nmap celebrated its 20th birthday last month and we also just completed our
13th Google Summer of Code. We focused on a fairly small team of four
students this year (http://seclists.org/nmap-announce/2017/2), and I'm
happy to report that every one passed! And they all have code integrated
into Nmap 7.60 already, with even more to follow for the next release.
Also this year, for the first time, every student wrote a...
Nmap 7.60 released! SSH support, SMB2/SMB3 improvements, 14 more scripts, new Npcap, GSoC work, and more
Fyodor (Aug 01)
Hello everyone. I'm back from Defcon and excited to announce the new Nmap
7.60 release! It has only been a month and a half since 7.50, but we still
packed a lot into this one. Mostly because we have such an awesome GSoC
team of 8 students and mentors working on so many cool projects. The
program hasn't even ended yet, but much of their work has already been
integrated into this release.
One of the things I'm most excited...
Nmap 7.50 Released! 14 new NSE scripts, 300+ fingerprints, new Npcap, and more
Fyodor (Jun 13)
Dear Nmap Community:
The Nmap project is delighted to announce the release of Nmap 7.50! It is
our first big release since last December and has hundreds of improvements
that we hope you will enjoy.
One of the things we have worked the hardest on recently is our Npcap
packet capturing driver and library for Windows (https://nmap.org/npcap/).
It is a replacement for WinPcap, which served us well for many years, but
is no longer maintained....
Introducing the 2017 Nmap/Google Summer of Code Team!
Fyodor (May 18)
Nmap community:
Thanks for all of your applications and referrals of talented students to
the Summer of Code program. Google has agreed to sponsor four students to
spend this summer enhancing the Nmap Security Scanner and I'm proud to
introduce our 2017 team! We normally mentor coders working all over the
Nmap/Zenmap/Ncat/Nping spectrum, but this year we're doubling down on the
Nmap Scripting Engine component. All four of our...
Nmap Project Seeking Talented Programmers for GSoC 2017
Fyodor (Mar 27)
Hi folks. I'm delighted to report that Nmap has been accepted by Google to
participate in this year's Summer of Code internship program. This
innovative and extraordinarily generous program provides $5,500 stipends to
college and graduate students anywhere in the world who spend the summer
improving Nmap from home! They gain valuable experience, get paid,
strengthen their résumés, and write code for millions of users. We're one...
Nmap GSoC 2016 Success Report
Fyodor (Feb 07)
Happy belated new year from the Nmap Project! I'd like to take this
opportunity to send you the belated results from our 2016 Summer of Code
team. I was going to send them right after the program finished, but some
of the students were still finishing some great things so I decided to
wait. As you may recall from the team intro mail (
http://seclists.org/nmap-announce/2016/2), we had 5 students last year and
I'm happy to report that...
Nmap 7.40 Holiday Release: a dozen new NSE scripts, hundreds of new fingerprints, new Npcap, faster brute forcing, and more...
Fyodor (Dec 20)
Happy holidays from the Nmap Project! In case your Christmas break plans
involve a lot of port scanning, we're delighted to announce our holiday
Nmap 7.40 release! This version stuffs your stockings with dozens of new
features, including:
- 12 new NSE scripts
- Hundreds of updated OS and version detection signatures
- Faster brute force authentication cracking and other NSE library
improvements
- A much-improved...
Nmap 7.31 stability-focused point release
Fyodor (Oct 21)
Hi folks. I'm happy to report that the big Nmap 7.30 release last month
was a great success. We didn't even see as many bugs as expected for such
a large release, but we have collected and fixed the ones which did arise
in the last few weeks into a new 7.31 point release. It includes the
latest updates to our new Npcap driver, a fix for Nping on Windows, and
more.
Nmap 7.31 source code and binary packages for Linux, Windows, and Mac...
Nmap 7.30 Released with new NSE scripts, new Npcap, new Fingerprints, etc.
Fyodor (Sep 29)
Hi folks! You may have noticed that we've only been releasing Nmap betas
for the last 6 months because we've had so much new code and so many
features to integrate thanks to hard work from both our regular team and
the 5 Google Summer of Code summer interns. But we spent the last month
focused on stability and I'm pleased to announce Nmap 7.30--our first
stable release since 7.12 back in March.
Even though it's a stable...
Nmap 7.25BETA2 Birthday Release
Fyodor (Sep 01)
Hi folks! I'm happy to report that today is Nmap's 19th birthday and
instead of cake, we're celebrating open source style with a new release!
Nmap 7.25BETA1 includes dozens of performance improvements, bug fixes, and
new features. The full list is below, and includes a major LUA upgrade for
NSE scripts, a new overlapped I/O engine for better Windows performance, a
much-improved version of our new Npcap packet capturing driver,...
Nmap 7.25BETA1 Released with our new Npcap driver, 6 new NSE scripts, and more!
Fyodor (Jul 19)
Hi folks! As you may know, we've been working for the last 3 years on an
improved Windows packet capturing library named Npcap. It's based on the
original WinPcap (which hasn't been maintained in years), but we rewrote
the driver to use modern APIs (NDIS 6) for better performance. It also
improves security and enables new features. For example, Npcap allows Nmap
to do raw scans (including SYN scans and OS detection) of localhost...
Introducing the 2016 Nmap/Google Summer of Code Team!
Fyodor (May 09)
Hello everyone. Google has agreed to sponsor five amazing students to
spend this summer enhancing the Nmap Security Scanner and I'm proud to
introduce our 2015 team:
*Abhishek Singh* will be working as a Feature Creeper and Bug Hunter,
making improvements throughout the Nmap codebase. The project hasn't even
started yet and he's already found and fixed several NSE script bugs and
has other code changes in the works. Abhishek is...
Nmap 7.10 released: 12 new scripts, hundreds of OS/version fingerprints, bug fixes, and more!
Fyodor (Mar 17)
Hi Folks! Before I tell you about today's new Nmap release, I wanted to
share some Summer of Code news:
Google posted a fantastic story by one of our Summer of Code alumni about
how the program helped take him from rural China to a full-ride scholarship
at the University of Virginia graduate school! His mentor David and I had
the chance to meet him in San Francisco:...
Nmap Project Seeking Talented Programmers for Google Summer of Code 2016
Fyodor (Feb 29)
Hi folks. I'm delighted to report that Nmap has been accepted by Google to
participate in this year's Summer of Code internship program. This
innovative and extraordinarily generous program provides $5,500 stipends to
college and graduate students anywhere in the world who spend the summer
improving Nmap from home! They gain valuable experience, get paid,
strengthen their résumés, and write code for millions of users. We're one...
Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
KL-001-2017-022 : Splunk Local Privilege Escalation
KoreLogic Disclosures (Nov 03)
KL-001-2017-022 : Splunk Local Privilege Escalation
Title: Splunk Local Privilege Escalation
Advisory ID: KL-001-2017-022
Publication Date: 2017.11.03
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-022.txt
1. Vulnerability Details
Affected Vendor: Splunk
Affected Product: Splunk Enterprise
Affected Version: 6.6.x
Platform: Embedded Linux
CWE Classification: CWE-280: Improper Handling of...
[RT-SA-2016-008] XML External Entity Expansion in Ladon Webservice
RedTeam Pentesting GmbH (Nov 03)
Advisory: XML External Entity Expansion in Ladon Webservice
Attackers who can send SOAP messages to a Ladon webservice via the HTTP
interface of the Ladon webservice can exploit an XML external entity expansion
vulnerability and read local files, forge server side requests or overload the
service with exponentially growing memory payloads.
Details
=======
Product: Ladon Framework for Python
Affected Versions: 0.9.40 and previous
Fixed...
SSD Advisory – Cisco UCS Platform Emulator Remote Code Execution
Maor Shwartz (Nov 01)
SSD Advisory – Cisco UCS Platform Emulator Remote Code Execution
Full report: https://blogs.securiteam.com/index.php/archives/3362
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD
Vulnerabilities Summary
The following advisory describes two remote code execution vulnerabilities
found in Cisco UCS Platform Emulator version 3.1(2ePE1).
Cisco UCS Platform Emulator is the Cisco UCS Manager application bundled
into a virtual machine (VM). The VM...
SSD Advisory – GraphicsMagick Multiple Vulnerabilities
Maor Shwartz (Nov 01)
SSD Advisory – GraphicsMagick Multiple Vulnerabilities
Full report: https://blogs.securiteam.com/index.php/archives/3494
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD
Vulnerabilities summary
The following advisory describes two (2) vulnerabilities found in
GraphicsMagick.
GraphicsMagick is “The swiss army knife of image processing. Comprised of
267K physical lines (according to David A. Wheeler’s SLOCCount) of source
code in the base...
CVE-2017-15918: Sera 1.2 local root privesc and password disclosure
Mark Wadham (Nov 01)
Sera is a free app for mac and iOS that lets you unlock your mac automatically
when your iphone is within a configured proximity.
Unfortunately to facilitate this it stores the users login password in their
home directory at:
~/Library/Preferences/no.ignitum.SeraOSX.plist
This makes root privilege escalation trivial and worse than that even
facilitates dumping the keychain as we can easily obtain the user's login
password. If they are...
APPLE-SA-2017-10-31-12 Additional information for APPLE-SA-2017-09-25-9 macOS Server 5.4
Apple Product Security (Nov 01)
APPLE-SA-2017-10-31-12
Additional information for APPLE-SA-2017-09-25-9 macOS Server 5.4
macOS Server 5.4 addresses the following:
FreeRadius
Available for: macOS High Sierra 10.13
Impact: Multiple issues in FreeRADIUS
Description: Multiple issues existed in FreeRADIUS before 2.2.10.
These were addressed by updating FreeRADIUS to version 2.2.10.
CVE-2017-10978
CVE-2017-10979
Postfix
Available for: macOS High Sierra 10.13
Impact: Multiple...
APPLE-SA-2017-10-31-11 Additional information for APPLE-SA-2017-09-20-3 tvOS 11
Apple Product Security (Nov 01)
APPLE-SA-2017-10-31-11
Additional information for APPLE-SA-2017-09-20-3 tvOS 11
tvOS 11 addresses the following:
802.1X
Available for: Apple TV (4th generation)
Impact: An attacker may be able to exploit weaknesses in TLS 1.0
Description: A protocol security issue was addressed by enabling TLS
1.1 and TLS 1.2.
CVE-2017-13832: an anonymous researcher
Entry added October 31, 2017
CFNetwork Proxies
Available for: Apple TV (4th generation)...
APPLE-SA-2017-10-31-10 Additional information for APPLE-SA-2017-09-20-2 watchOS 4
Apple Product Security (Nov 01)
APPLE-SA-2017-10-31-10
Additional information for APPLE-SA-2017-09-20-2 watchOS 4
watchOS 4 addresses the following:
802.1X
Available for: All Apple Watch models
Impact: An attacker may be able to exploit weaknesses in TLS 1.0
Description: A protocol security issue was addressed by enabling TLS
1.1 and TLS 1.2.
CVE-2017-13832: an anonymous researcher
Entry added October 31, 2017
CFNetwork Proxies
Available for: All Apple Watch models
Impact:...
APPLE-SA-2017-10-31-9 Additional information for APPLE-SA-2017-09-19-1 iOS 11
Apple Product Security (Nov 01)
APPLE-SA-2017-10-31-9
Additional information for APPLE-SA-2017-09-19-1 iOS 11
iOS 11 addresses the following:
802.1X
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An attacker may be able to exploit weaknesses in TLS 1.0
Description: A protocol security issue was addressed by enabling TLS
1.1 and TLS 1.2.
CVE-2017-13832: an anonymous researcher
Entry added October 31, 2017
Bluetooth
Available for:...
APPLE-SA-2017-10-31-8 Additional information for APPLE-SA-2017-09-25-1 macOS High Sierra 10.13
Apple Product Security (Nov 01)
APPLE-SA-2017-10-31-8
Additional information for APPLE-SA-2017-09-25-1
macOS High Sierra 10.13
macOS High Sierra 10.13 addresses the following:
802.1X
Available for: OS X Mountain Lion 10.8 and later
Impact: An attacker may be able to exploit weaknesses in TLS 1.0
Description: A protocol security issue was addressed by enabling TLS
1.1 and TLS 1.2.
CVE-2017-13832: an anonymous researcher
Entry added October 31, 2017
apache
Available for: OS X...
APPLE-SA-2017-10-31-7 iCloud for Windows 7.1
Apple Product Security (Nov 01)
APPLE-SA-2017-10-31-7 iCloud for Windows 7.1
iCloud for Windows 7.1 is now available and addresses the following:
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2017-13785: Ivan Fratric of Google Project Zero
CVE-2017-13784: Ivan Fratric of Google Project Zero...
APPLE-SA-2017-10-31-6 iTunes 12.7.1 for Windows
Apple Product Security (Nov 01)
APPLE-SA-2017-10-31-6 iTunes 12.7.1 for Windows
iTunes 12.7.1 for Windows is now available and addresses the
following:
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2017-13785: Ivan Fratric of Google Project Zero
CVE-2017-13784: Ivan Fratric of Google Project Zero...
APPLE-SA-2017-10-31-5 Safari 11.1
Apple Product Security (Nov 01)
APPLE-SA-2017-10-31-5 Safari 11.1
Safari 11.1 is now available and addresses the following:
Safari
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and
macOS High Sierra 10.13
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2017-13789: xisigr of Tencent's Xuanwu Lab (tencent.com)
CVE-2017-13790: Zhiyang...
APPLE-SA-2017-10-31-4 watchOS 4.1
Apple Product Security (Nov 01)
APPLE-SA-2017-10-31-4 watchOS 4.1
watchOS 4.1 is now available and addresses the following:
CoreText
Available for: All Apple Watch models
Impact: Processing a maliciously crafted text file may lead to an
unexpected application termination
Description: A denial of service issue was addressed through improved
memory handling.
CVE-2017-13849: Ro of SavSec
Kernel
Available for: All Apple Watch models
Impact: An application may be able to execute...
APPLE-SA-2017-10-31-3 tvOS 11.1
Apple Product Security (Nov 01)
APPLE-SA-2017-10-31-3 tvOS 11.1
tvOS 11.1 is now available and addresses the following:
CoreText
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: Processing a maliciously crafted text file may lead to an
unexpected application termination
Description: A denial of service issue was addressed through improved
memory handling.
CVE-2017-13849: Ro of SavSec
Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
[SECURITY] [DSA 4015-1] openjdk-8 security update
Moritz Muehlenhoff (Nov 03)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4015-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
November 02, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : openjdk-8
CVE ID : CVE-2017-10274 CVE-2017-10281...
APPLE-SA-2017-10-31-6 iTunes 12.7.1 for Windows
Apple Product Security (Nov 01)
APPLE-SA-2017-10-31-6 iTunes 12.7.1 for Windows
iTunes 12.7.1 for Windows is now available and addresses the
following:
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2017-13785: Ivan Fratric of Google Project Zero
CVE-2017-13784: Ivan Fratric of Google Project Zero...
APPLE-SA-2017-10-31-11 Additional information for APPLE-SA-2017-09-20-3 tvOS 11
Apple Product Security (Nov 01)
APPLE-SA-2017-10-31-11
Additional information for APPLE-SA-2017-09-20-3 tvOS 11
tvOS 11 addresses the following:
802.1X
Available for: Apple TV (4th generation)
Impact: An attacker may be able to exploit weaknesses in TLS 1.0
Description: A protocol security issue was addressed by enabling TLS
1.1 and TLS 1.2.
CVE-2017-13832: an anonymous researcher
Entry added October 31, 2017
CFNetwork Proxies
Available for: Apple TV (4th generation)...
APPLE-SA-2017-10-31-2 macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, Security Update 2017-004 El Capitan
Apple Product Security (Nov 01)
APPLE-SA-2017-10-31-2 macOS High Sierra 10.13.1,
Security Update 2017-001 Sierra, Security Update 2017-004 El Capitan
macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, Security
Update 2017-004 El Capitan are now available and address the
following:
802.1X
Available for: macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: An attacker may be able to exploit weaknesses in TLS 1.0
Description: A protocol security issue was addressed by...
APPLE-SA-2017-10-31-12 Additional information for APPLE-SA-2017-09-25-9 macOS Server 5.4
Apple Product Security (Nov 01)
APPLE-SA-2017-10-31-12
Additional information for APPLE-SA-2017-09-25-9 macOS Server 5.4
macOS Server 5.4 addresses the following:
FreeRadius
Available for: macOS High Sierra 10.13
Impact: Multiple issues in FreeRADIUS
Description: Multiple issues existed in FreeRADIUS before 2.2.10.
These were addressed by updating FreeRADIUS to version 2.2.10.
CVE-2017-10978
CVE-2017-10979
Postfix
Available for: macOS High Sierra 10.13
Impact: Multiple...
APPLE-SA-2017-10-31-3 tvOS 11.1
Apple Product Security (Nov 01)
APPLE-SA-2017-10-31-3 tvOS 11.1
tvOS 11.1 is now available and addresses the following:
CoreText
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: Processing a maliciously crafted text file may lead to an
unexpected application termination
Description: A denial of service issue was addressed through improved
memory handling.
CVE-2017-13849: Ro of SavSec
Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An...
APPLE-SA-2017-10-31-10 Additional information for APPLE-SA-2017-09-20-2 watchOS 4
Apple Product Security (Nov 01)
APPLE-SA-2017-10-31-10
Additional information for APPLE-SA-2017-09-20-2 watchOS 4
watchOS 4 addresses the following:
802.1X
Available for: All Apple Watch models
Impact: An attacker may be able to exploit weaknesses in TLS 1.0
Description: A protocol security issue was addressed by enabling TLS
1.1 and TLS 1.2.
CVE-2017-13832: an anonymous researcher
Entry added October 31, 2017
CFNetwork Proxies
Available for: All Apple Watch models
Impact:...
APPLE-SA-2017-10-31-7 iCloud for Windows 7.1
Apple Product Security (Nov 01)
APPLE-SA-2017-10-31-7 iCloud for Windows 7.1
iCloud for Windows 7.1 is now available and addresses the following:
WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2017-13785: Ivan Fratric of Google Project Zero
CVE-2017-13784: Ivan Fratric of Google Project Zero...
APPLE-SA-2017-10-31-9 Additional information for APPLE-SA-2017-09-19-1 iOS 11
Apple Product Security (Nov 01)
APPLE-SA-2017-10-31-9
Additional information for APPLE-SA-2017-09-19-1 iOS 11
iOS 11 addresses the following:
802.1X
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An attacker may be able to exploit weaknesses in TLS 1.0
Description: A protocol security issue was addressed by enabling TLS
1.1 and TLS 1.2.
CVE-2017-13832: an anonymous researcher
Entry added October 31, 2017
Bluetooth
Available for:...
APPLE-SA-2017-10-31-4 watchOS 4.1
Apple Product Security (Nov 01)
APPLE-SA-2017-10-31-4 watchOS 4.1
watchOS 4.1 is now available and addresses the following:
CoreText
Available for: All Apple Watch models
Impact: Processing a maliciously crafted text file may lead to an
unexpected application termination
Description: A denial of service issue was addressed through improved
memory handling.
CVE-2017-13849: Ro of SavSec
Kernel
Available for: All Apple Watch models
Impact: An application may be able to execute...
[SECURITY] [DSA 4012-1] libav security update
Moritz Muehlenhoff (Nov 01)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4012-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
October 31, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : libav
CVE ID : CVE-2015-8365 CVE-2017-7208...
[security bulletin] HPESBHF03785 rev.1 - HPE B-Series SAN Network Advisor Software, Multiple Remote Vulnerabilities
HPE Product Security Response Team (Nov 01)
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03785en_us
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: hpesbhf03785en_us
Version: 1
HPESBHF03785 rev.1 - HPE B-Series SAN Network Advisor Software, Multiple Remote Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date:...
[SECURITY] [DSA 4009-1] shadowsocks-libev security update
Moritz Muehlenhoff (Nov 01)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4009-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
October 29, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : shadowsocks-libev
CVE ID : CVE-2017-15924
Niklas...
[VulnWatch] Advisory 02/2002: PHP remote vulnerability
e-matters Security (Nov 01)
e-matters GmbH
www.e-matters.de
-= Security Advisory =-
Advisory: Remote Compromise/DOS Vulnerability in PHP
Release Date: 2002/07/22
Last Modified: 2002/07/22
Author: Stefan Esser [s.esser () e-matters de]
Application: PHP 4.2.0, 4.2.1
Severity: A vulnerability within the multipart/form-data handler
could allow remote compromise of...
[slackware-security] wget (SSA:2017-300-02)
Slackware Security Team (Nov 01)
[slackware-security] wget (SSA:2017-300-02)
New wget packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
14.2, and -current to fix security issues.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/wget-1.19.2-i586-1_slack14.2.txz: Upgraded.
This update fixes stack and heap overflows in HTTP protocol handling.
For more information, see:...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
SpiderFoot 2.11 released
Steve Micallef (Aug 14)
Hi all,
For the folks here interested in OSINT, recon and threat intel, I'm
pleased to announce SpiderFoot 2.11 is now out.
SpiderFoot now has over 100 modules to collect data utilising APIs from
SHODAN, BuiltWith, RIPE, AlienVault OTX, Robtex, HaveIBeenPwned? as well
as typical recon techniques like DNS brute-forcing, port scanning, web
spidering and more. It's open source, written in Python, documented and
usable with both a...
Faraday v2.6: Collaborative Penetration Test and Vulnerability Management Platform
Francisco Amato (Jul 24)
Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in real
time, letting you track and understand your audits. Our dashboard for
CISOs and managers uncovers the impact and risk being assessed by the
audit in real-time without the need for a single email. Developed with
a specialized set of functionalities that helps users improve their
own work, the main purpose is to...
File Upload in Integration Gateway (PSIGW)
ERPScan inc (Jul 20)
1. ADVISORY INFORMATION
Title: File Upload in Integration Gateway (PSIGW)
Advisory ID: [ERPSCAN-17-039]
Advisory URL: https://erpscan.com/advisories/erpscan-17-039-file-upload-integration-gateway-psigw-peoplesoft/
Risk: High
Date published: 18.07.2017
Vendor contacted: Oracle
2. VULNERABILITY INFORMATION
Class: File Upload
Impact: Remote command execution on the server
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-10061...
Multiple XSS (POST request) Vulnerabilities in TestServlet (PeopleSoft)
ERPScan inc (Jul 20)
1. ADVISORY INFORMATION
Title: Multiple XSS (POST request) Vulnerabilities in TestServlet (PeopleSoft)
Advisory ID: [ERPSCAN-17-037]
Advisory URL: https://erpscan.com/advisories/erpscan-17-037-multiple-xss-vulnerabilities-testservlet-peoplesoft/
Risk: Medium
Date published: 18.07.2017
Vendor contacted: Oracle
2. VULNERABILITY INFORMATION
Class: XSS [CWE-79]
Impact: Modify displayed content from a Web site, steal authentication
information of a...
Directory Traversal vulnerability in Integration Gateway (PSIGW)
ERPScan inc (Jul 20)
1. ADVISORY INFORMATION
Title: Directory Traversal vulnerability in Integration Gateway (PSIGW)
Advisory ID: [ERPSCAN-17-038]
Advisory URL: https://erpscan.com/advisories/erpscan-17-038-directory-traversal-vulnerability-integration-gateway-psigw/
Risk: High
Date published: 18.07.2017
Vendor contacted: Oracle
2. VULNERABILITY INFORMATION
Class: Directory Traversal
Impact: Read, delete, rewrite file from the system
Remotely Exploitable: Yes
CVE...
[HITB-Announce] HITB GSEC 2017 CommSec CFP Closes July 31st
Hafez Kamal (Jul 15)
REMINDER: CFP Submission deadline is on the 31st of July 2017 23:59 SGT
Alongside HITBGSEC 2017 Singapore, we are calling on the community of hackers, makers, builders and breakers to send us
their 30 minute talk abstracts for consideration to be included in a separate 2-day single-track of talks (24th and
25th August). Access to this track of talks is completely FREE TO ATTEND and we are encouraging everyone to come! If
you're in...
ekoparty: Call for Papers 2017! Open!
Francisco Amato (Jul 12)
ekoparty security conference
Training September 25-26, 2017
Conference September 27-29, 2017
Buenos Aires
Submit at: http://cfp.ekoparty.org
We are really proud to announce the thirteenth edition of the Ekoparty
Security Conference.
Once again, in this unique event, security specialists from all over
Latin America and the World will have the chance to get acquainted
with the most important research of the year.
Ekoparty has become the most...
Firewall Wizards — Tips and tricks for firewall administrators
Revival?
Paul Robertson (Sep 11)
Since the last few attempts to revive the list have failed, I'm going to attempt a Facebook group revival experiment.
It'll be a bit broader in scope, but I'm hoping we can discuss technical security matters. The new group is
Security-Wizards on Facebook.
Paul
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
Faraday v2.6: Collaborative Penetration Test and Vulnerability Management Platform
Francisco Amato (Jul 24)
Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in real
time, letting you track and understand your audits. Our dashboard for
CISOs and managers uncovers the impact and risk being assessed by the
audit in real-time without the need for a single email. Developed with
a specialized set of functionalities that helps users improve their
own work, the main purpose is to...
Faraday v2.5: Collaborative Penetration Test and Vulnerability Management Platform
Francisco Amato (May 29)
Faraday is the Integrated Multiuser Risk Environment you were looking
for! It maps and leverages all the knowledge you generate in real
time, letting you track and understand your audits. Our dashboard for
CISOs and managers uncovers the impact and risk being assessed by the
audit in real-time without the need for a single email. Developed with
a specialized set of functionalities that helps users improve their
own work, the main purpose is to...
Ruxcon 2017 Call For Presentations
cfp (Apr 20)
Ruxcon 2017 Call For Presentations
Melbourne, Australia, October 21-22
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2017.
This year the conference will take place over the weekend of the 21st and 22nd of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 30th of June, 2017.
.[x]. About Ruxcon .[x].
Ruxcon is...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
IoT bill in US congress
Charisse Castagnoli (Nov 03)
The IoT protection part of this bill is not interesting, but the amendments to the Computer Fraud and Abuse Act and the
DMCA are useful for researchers of IoT vulnerabilities.
Feel free to write or call in support.
https://www.congress.gov/bill/115th-congress/senate-bill/1691/text
Relevant sections:
(2) COMPUTER FRAUD AND ABUSE ACT.—Section 1030 of title 18, United...
Re: Keynotes
Moses Hernandez (Oct 30)
I have always wondered at what point does the CEO stop thinking strategy and start thinking culture. Does it happen all
at once, throughout the day, or does it come in shifts? Unless you believe CEO is all about strategy and not culture.
Does the culture in the company become a strategic and immutable (no pun intended) asset? I’ve been torn on this
concept in leadership, maybe because strategy and culture are actually two sides of the same...
Keynotes
dave aitel (Oct 16)
So I'm about to do V6 of my T2 keynote - usually it takes about 10 full
runs until a keynote is good. This is why we are very very careful about
asking people to do keynotes. They typical first run of a keynote gets
feedback like "This is terrible. Just terrible. Awful". (Except Halvar's).
In any case, I've sent out versions of it to lots of different people
for feedback and I've noticed a few things. Probably the...
Re: Eulogy
Ryan Duff (Oct 10)
Yeah he was. The tragedy is how few will know everything he's done for his
country. But that's how it is.
He'll definitely be remembered by anyone who had the pleasure of working
with him.
-Ryan
Re: Eulogy
Matt Georgy (Oct 06)
He was a great guy and a real patriot. He will be missed.
Eulogy
dave aitel (Oct 06)
It's 11am. I'm pretty drunk right now. Lee would have liked to have
known that his passing was noticed.
For those of you who knew him.
-dave
Re: Equitablefax
the grugq (Oct 03)
Hey
I wasn’t either since it doesn’t impact me, but I had to research it for this week’s news segment on Risky.Biz ==>
https://risky.biz/RB471/
During the research it became clear that the public narrative and the facts were diverging quite a bit. In particular
this “failure to patch” story line. Yes, they were slow to patch. However, their upstream provider didn’t even make the
patch available until weeks after the compromise...
Re: Equitablefax
spacerog () spacerogue net (Oct 03)
Thank you for this timeline because honestly I haven't been paying that
close attention.
Based on this it looks like Equifax did actually patch, just not fast
enough, and by the time they got around to it the bad guys were already
inside. Based on this list the delta from patch release to install was
<91 days. Am I reading this correctly?
If so then the absolute shit ton of criticism heaped on Equifax for not
patching is IMO...
Re: Equitablefax
Arrigo Triulzi (Oct 03)
Just in passing: "Equifax is ISO/IEC 27001:2013 certified by a reputable independent third party.”[0]. Asset management
is a core part of ISO27001:2013.
Cheers,
Arrigo
[0] https://www.equifax.com/assets/WFS/the_work_number_best_practices_in_data_security.pdf (1st page)
Twitter
dave aitel (Sep 29)
Right now everyone is going on and on about how Russians spent 256K on
ads on Twitter to influence the election. Much less understood is how
great Twitter ads are for targeting phishing attacks! I wrote this whole
article while back here
<https://tindertipsforgirls.blogspot.com/2016/03/paying-for-okcupid-is-stupid.html>
on it. People are genuinely good at phishing now. The "Fake RedTube
subscription <...
Re: Equitablefax
the grugq (Sep 29)
I’m not going to address any of the points in the excellent post by Katie but rather put some facts together in a
timeline so people can see the Equihax event better. The “if only bug bounty” claptrap is, as Katie points out (much
more politely), complete bullshit.
Timeline of events:
2017-03-06: Apache announces struts bug
2017-03-07: PoC exploit released to public
2017-03-10: Equihax compromised via struts exploit. Genius hackers use...
Re: Why people aren't stealing ADFS secrets?
James Pleger (Sep 28)
I'm not holding out much hope on the OneLogin side, the breach they had earlier this year sounded really bad. Maybe
that event woke up the other identity providers though.
http://www.zdnet.com/article/onelogin-security-chief-new-details-data-breach/
Re: Equitablefax
Katie M (Sep 28)
I actually tried helping coordinate one of the new bugs that someone found
and wanted to report to Equifax. Unfortunately, before they had time to
even look up from their current conflagration, eyebrows still singed, a
reporter published it.
At this instant, even one bug report, while completely helpful in the
micro-sense, is process-wise another tax on the resources they have working
on the big breach. It still has to go into the queue of their...
Re: Why people aren't stealing ADFS secrets?
Kyle Creyts (Sep 27)
Or other SAML IDP private keys. ADFS is good, but stealing them from IDP
vendors might be much more efficient, and open many more doors. One hopes
that Google, OneLogin, Okta, and friends all do the needful to compartment
and protect these private keys.
On Wed, Sep 27, 2017 at 1:00 PM Konrads Smelkovs <konrads.smelkovs () gmail com>
wrote:
Re: Equitablefax
Katie M (Sep 27)
Having a bug bounty program wouldn't have helped Equifax. Only Equifax
could have helped Equifax. The root cause of the problem wasn't that they
didn't know about the bug, it was that they face the same patch
prioritization risk vs resource balance that all orgs gamble with. They
lost that gamble, which is what every breach represents: a lost bet on the
tradeoffs. Simply knowing about a bug, via a bug bounty or otherwise, is
just...
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
Re: [Security Weekly] cheap hosting
Robin Wood (Sep 23)
Resurrecting an old thread but they now have an affiliate program and I can
issue my own codes so:
20% off all servers AqUVYbUXag
50% off all big dog (whatever that is) 7E9YRUzEZy
After a month with them, their tech support is OK but not great, the server
has stayed up and not had any problems.
Robin
Re: [Security Weekly] projecting in a bright space
Jeremy Pommerening (Aug 28)
I would look for a projector with at least 6000 ANSI Lumens or better. A darker screen (grey) may also help.
Jeremy Pommerening
________________________________
From: Robin Wood <robin () digi ninja>
To: Security Weekly Mailing List <pauldotcom () mail securityweekly com>
Sent: Sunday, August 3, 2014 3:42 AM
Subject: [Security Weekly] projecting in a bright space
I've been looking at the venue for next year's...
[Security Weekly] Two Firefox security bugs related to HTTPS
ffbugishere (Aug 17)
Hello world!
We need votes for security bugs!
Adding "Security Exception" for self-signed HTTPS sites cannot be done
permanently
https://bugzilla.mozilla.org/show_bug.cgi?id=1050100
Firefox 31 doesn't support the industry recommended best HTTPS
ciphers
https://bugzilla.mozilla.org/show_bug.cgi?id=1051210
Other browsers should have the same bugs fixed..
p.s.: We are not related to this group, but we think they're worth a
penny...
Re: [Security Weekly] Java and Flash decompilers
Will Metcalf (Aug 05)
JPEXS is very nice for flash IMHO.
http://www.free-decompiler.com/flash/
Regards,
Will
Re: [Security Weekly] Java and Flash decompilers
Bradley McMahon (Aug 05)
I've used flare before to pull apart a flash site for a client.
http://www.nowrap.de/flare.html
-Brad
Re: [Security Weekly] SecurityCenter alternative
Steven McGrath (Aug 04)
SC certainly isn’t cheap (as a former SC customer that moved over to Tenable I can attest to that) however I can point
out that the data aggregation, trending, and custom reporting were huge wins in my book. I guess it's a time/money
trade-off. How much time do you want to spend either cobbling together a tool or manually aggregating the data when
there is another tool already out there that can do it out of the box.
I can speak in more...
Re: [Security Weekly] Java and Flash decompilers
S. White (Aug 04)
A few I've used in the past:
JAD - http://varaneckas.com/jad/ , http://en.wikipedia.org/wiki/JAD_(JAva_Decompiler)
HP SWFscan
Adobe SWF investigator http://labs.adobe.com/technologies/swfinvestigator/
________________________________
From: Robin Wood <robin () digi ninja>
To: Security Weekly Mailing List <pauldotcom () mail securityweekly com>
Sent: Monday, August 4, 2014 5:54 AM
Subject: [Security Weekly] Java and...
[Security Weekly] DoFler @ BSidesLV
Steven McGrath (Aug 04)
This will be the 3rd year that DoFler (the Dashboard of Fail) will be at BSidesLV. This year I wrote a new spiffy
interface for maximum trolling. Let’s be honest now, everyone loves to surf for various forms of horrible on the
internet at cons :D. Also added this year is a little vulnerability analysis (using Tenable’s PVS). Every year I try
to improve it a bit based on everyone’s input, and am always welcome to more feedback.
DB...
Re: [Security Weekly] cheap hosting
Robin Wood (Aug 04)
Already sorted but thanks for the info.
Re: [Security Weekly] Java and Flash decompilers
Nathan Sweaney (Aug 04)
Here are a few others I've used with varying success in the past:
SWFInvestigator - http://labs.adobe.com/technologies/swfinvestigator/
SWFScan - from Rafal Los at HP, though the link has been deleted. (Careful,
I've seen trojaned copies online.)
Re: [Security Weekly] SecurityCenter alternative
Paul Asadoorian (Aug 04)
Thanks all for the informative discussion!
I know, I'm jumping in late, some closing thoughts on the subject:
- SecurityCenter has the unique advantage of consolidating plugin
updates, meaning you could have hundreds of Nessus scanners deployed in
your organization, and the scanners get the plugin feed from your
SecurityCenter system. This removes the requirement of Internet access
(From the scanners), and greatly eases the administration...
Re: [Security Weekly] SecurityCenter alternative
k41zen (Aug 04)
Thanks for all of your help.
We are in discussions with our Tenable contact about solutions for this issue. They’ve helped me out by enabling me to
move forward to at least deploy this into a Pre-Production environment but the costs of SC are a massive stumbling
block; hence my question about something else. Appreciate we have a big Nessus fan base here of which I am a member
too, but just wondered what could be wrapped around it.
I’ll...
Re: [Security Weekly] SecurityCenter alternative
Adrien de Beaupre (Aug 04)
Hi,
I have also written a series of scripts to collect data from tools such as
nmap and nessus to import into MySQL called OSSAMS:
http://www.ossams.com/wp-content/uploads/2011/10/ossams-parser-SecTor-2011.zip
That leaves report writing as a series of SQL queries.
I also have a series of scripts to kick off scans, as well as a
command-line XML-RPC nessus client in python if anyone is interested.
Cheers,
Adrien
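The approach described in the message above (collect scanner output, load it into a relational database, write the report as SQL queries) in miniature, as an added example that is not OSSAMS code or any other poster's code. It parses the XML that nmap emits with -oX into SQLite instead of MySQL, using only the Python standard library; the nmap XML document embedded below is a constructed sample, not a real scan, and the table layout, function names and query text are this example's own choices, not OSSAMS's schema.

```python
"""Load nmap -oX output into SQLite and report on it with SQL.

Added example, not OSSAMS or any list member's code.  The XML below is a
constructed sample with the elements nmap actually emits (host/status,
address, ports/port/state/service); the schema and queries are assumptions.
"""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample: three hosts, one down, a mix of open/closed ports.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/30">
  <host>
    <status state="up"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.10.3"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.3"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.3" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Minimal two-table schema (assumed, not OSSAMS's): one row per host,
# one row per (host, protocol, port).  Re-importing a scan replaces rows.
SCHEMA = """
CREATE TABLE IF NOT EXISTS host (
    ip    TEXT PRIMARY KEY,
    state TEXT NOT NULL
);
CREATE TABLE IF NOT EXISTS port (
    ip      TEXT    NOT NULL REFERENCES host(ip),
    proto   TEXT    NOT NULL,
    portid  INTEGER NOT NULL,
    state   TEXT    NOT NULL,
    service TEXT,
    product TEXT,
    version TEXT,
    PRIMARY KEY (ip, proto, portid)
);
"""


def parse_nmap_xml(xml_text):
    """Yield ((ip, host_state), [port rows]) for every <host> in the XML."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']") or host.find("address")
        ip = addr.get("addr")
        state = status.get("state") if status is not None else "unknown"
        ports = []
        for port in host.iter("port"):
            pstate = port.find("state")
            svc = port.find("service")
            ports.append((
                ip,
                port.get("protocol"),
                int(port.get("portid")),
                pstate.get("state") if pstate is not None else "unknown",
                svc.get("name") if svc is not None else None,
                svc.get("product") if svc is not None else None,
                svc.get("version") if svc is not None else None,
            ))
        yield (ip, state), ports


def load_scan(conn, xml_text):
    """Parse one nmap XML document and upsert it into the database."""
    conn.executescript(SCHEMA)
    with conn:
        for host_row, port_rows in parse_nmap_xml(xml_text):
            conn.execute("INSERT OR REPLACE INTO host VALUES (?, ?)", host_row)
            conn.executemany(
                "INSERT OR REPLACE INTO port VALUES (?, ?, ?, ?, ?, ?, ?)", port_rows)


def open_services(conn):
    """Report 1: every open port on every live host, as (ip, proto, port, service, product, version)."""
    return conn.execute("""
        SELECT h.ip, p.proto, p.portid, p.service, p.product, p.version
        FROM port p JOIN host h ON h.ip = p.ip
        WHERE p.state = 'open' AND h.state = 'up'
        ORDER BY h.ip, p.portid
    """).fetchall()


def hosts_with_service(conn, service):
    """Report 2: which hosts expose a given service name (e.g. 'telnet')."""
    return [row[0] for row in conn.execute(
        "SELECT DISTINCT ip FROM port WHERE state = 'open' AND service = ? ORDER BY ip",
        (service,))]


def build_report_db(xml_text=SAMPLE_NMAP_XML):
    """Create an in-memory database loaded with one scan; swap in a file path for persistence."""
    conn = sqlite3.connect(":memory:")
    load_scan(conn, xml_text)
    return conn


if __name__ == "__main__":
    db = build_report_db()
    for row in open_services(db):
        print(row)
    print("telnet exposed on:", hosts_with_service(db, "telnet"))
```

Each additional report is then one more SELECT over the same two tables, and the same loader can be called once per scan file to accumulate results across an engagement; a Nessus importer would follow the same pattern against the .nessus XML with a third table for findings.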
Re: [Security Weekly] cheap hosting
sec list (Aug 04)
Hey Robin,
If you're still looking, might want to try out getclouder.com - they
spin up Linux containers in 5 seconds and use distributed storage, which
is pretty awesome. It's still in beta, so they offer 3 months free
service, but it has been pretty stable so far from my experience.
[Security Weekly] Java and Flash decompilers
Robin Wood (Aug 04)
Hi
I'm trying to put together a list of tools for decompiling Flash and Java
apps. From asking on another list I already have:
Java
JD-GUI
Java Decompiler http://jd.benow.ca/jd-gui/downloads/jd-gui-0.3.6.windows.zip.
Java snoop https://code.google.com/p/javasnoop/
Flash
Trillix
Flashbang https://github.com/cure53/Flashbang
Has anyone here got any others they can suggest?
Ideally I'm looking for free stuff but cheap commercial...
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
Honeypot malware archives
Matteo Cantoni (Feb 14)
Hello everyone,
I would like share with you for educational purposes and without any
commercial purpose, data collected by my homemade honeypot.
Nothing new, nothing shocking, nothing sensational... but I think it can
be of interest to newcomers to the world of analysis of malware,
botnets, etc... maybe for a thesis.
The files collected are divided into zip archives, in alphabetical
order, with password (which must be requested via email). Some...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Update Minor Revisions
Microsoft (Nov 01)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: November 1, 2017
********************************************************************
Summary
=======
The following CVE has been revised in the October 2017
Security Updates.
* CVE-2017-11826
Revision Information:
=====================
CVE-2017-11826
- Title: CVE-2017-11826 | Microsoft Office Memory Corruption...
Microsoft Security Update Minor Revisions
Microsoft (Oct 26)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 26, 2017
********************************************************************
Summary
=======
The following advisory has been revised in the October 2017 Security
Updates.
* ADV170012
Revision Information:
=====================
ADV170012
- Title: ADV170012 | Vulnerability in TPM could allow Security...
Microsoft Security Update Minor Revisions
Microsoft (Oct 20)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 20, 2017
********************************************************************
Summary
=======
The following advisory and security bulletin have undergone a
minor revision increment.
* ADV170012
* MS14-085
Revision Information:
=====================
ADV170012
- Title: ADV170012 | Vulnerability in TPM could...
Microsoft Security Update Minor Revisions
Microsoft (Oct 19)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 18, 2017
********************************************************************
Summary
=======
The following advisory and CVE have been revised in the October 2017
Security Updates.
* ADV170012
* CVE-2017-13080
Revision Information:
=====================
ADV170012
- Title: ADV170012 | Vulnerability in TPM...
Microsoft Security Update Minor Revisions
Microsoft (Oct 17)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 17, 2017
********************************************************************
Summary
=======
The following advisory has been revised in the October 2017 Security
Updates.
* ADV170012
Revision Information:
=====================
ADV170012
- Title: ADV170012 | Vulnerability in TPM could allow Security...
Microsoft Security Update Releases
Microsoft (Oct 17)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 17, 2017
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment.
* ADV170018
CVE Revision Information:
=====================
CVE-2017-13080
- Title: ADV170018 | October 2017 Flash Update
-...
Microsoft Security Update Minor Revisions
Microsoft (Oct 16)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 16, 2017
********************************************************************
Summary
=======
The following CVEs have been revised in the October 2017 Security
Updates.
* CVE-2017-11775
* CVE-2017-11777
* CVE-2017-11815
* CVE-2017-11820
Revision Information:
=====================
CVE-2017-11775
- Title:...
Microsoft Security Update Releases
Microsoft (Oct 16)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 16, 2017
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment.
* CVE-2017-13080
CVE Revision Information:
=====================
CVE-2017-13080
- Title: CVE-2017-13080 | Windows Wireless WPA Group Key
Reinstallation...
Microsoft Security Update Minor Revisions
Microsoft (Oct 11)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 11, 2017
********************************************************************
Summary
=======
The following advisory has been revised in the October 2017 Security
Updates.
* ADV170012
Revision Information:
=====================
ADV170012
- Title: ADV170012 | Vulnerability in TPM could allow Security...
Microsoft Security Bulletin Releases
Microsoft (Oct 10)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 10, 2017
********************************************************************
Summary
=======
The following CVE has been revised in the October 2017 Security
Updates.
* CVE-2017-11774
Revision Information:
=====================
CVE-2017-11774
- Title: CVE-2017-11774 | Microsoft Outlook Security Feature...
This summary lists security updates released for October 2017.
Microsoft (Oct 10)
********************************************************************
Microsoft Security Update Summary for October 2017
Issued: October 10, 2017
********************************************************************
This summary lists security updates released for October 2017.
Complete information for the October 2017 security update release can
be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>.
Critical Security...
The following CVE has undergone a major revision increment.
Microsoft (Oct 04)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 4, 2017
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment.
* CVE-2017-8695
CVE Revision Information:
=====================
CVE-2017-8695
- Title: CVE-2017-8695 | Graphics Component Information Disclosure
Vulnerability...
The following CVEs have been revised in the September 2017 Security Updates.
Microsoft (Oct 03)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 3, 2017
********************************************************************
Summary
=======
The following CVEs have been revised in the September 2017 Security
Updates.
* CVE-2017-8759
Revision Information:
=====================
CVE-2017-8759
- Title: CVE-2017-8759 | .NET Framework Remote Code Execution...
The following CVE has undergone a major revision increment.
Microsoft (Sep 26)
********************************************************************
Title: Microsoft Security Update Releases
Issued: September 26, 2017
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment.
* CVE-2017-8628
CVE Revision Information:
=====================
CVE-2017-8628
- Title: CVE-2017-8628 | Microsoft Bluetooth Driver Spoofing
Vulnerability
-...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community.
Verizon: 1.5M of Contact Records Stolen, Now on Sale
Jeffrey Walton (Mar 26)
http://www.mobipicker.com/verizon-1-5m-contact-records-stolen-now-sale/:
A business to business telecommunication giant,
Verizon Enterprise Solutions, a Basking Ridge,
New Jersey-based company, has been the latest
victim of a cyber crime that stole 1.5 million contact
records of the customers of Verizon...
I don't quite understand this double talk. Could someone explain to me:
A spokesperson from Verizon said that...
Statement on Lavabit Citation in Apple Case
Jeffrey Walton (Mar 16)
(From John Young on another list):
http://www.facebook.com/KingLadar/posts/10156714933135038
As many of you already know, the government cited the Lavabit case in
a footnote. The problem is their description insinuates a precedent
that was never created. Obviously I was somewhat disturbed by their
misrepresentation. So I decided to draft a statement. And keep in
mind, these are the same people who say "trust us." Click continue to
read...
The NSA's back door has given every US secret to our enemies
Jeffrey Walton (Feb 29)
http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2
Deng Xiaoping, in 1979 - his second year as supreme leader of China -
perceived a fundamental truth that has yet to be fully grasped by most
Western leaders: Software, if properly weaponized, could be far more
destructive than any nuclear arsenal.
Under Deng’s leadership, China began one of the most ambitious and
sophisticated meta- software...
Can Spies Break Apple Crypto?
Jeffrey Walton (Feb 27)
Here's an interesting exchange between Cryptome and Michael Froomkin,
Law Professor at University of Miami, on the All Writs Act
(http://cryptome.org/2016/02/can-spies-break-apple-crypto.htm):
-----
A. Michael Froomkin:
The factual posture in the key Supreme Court precedent, New York
Telephone, involved a situation where only the subject of the order
was capable of providing the assistance at issue. This is the basis
for Apple's...
The FBI's iPhone Problem: Tactical vs. Strategic Thinking
Jeffrey Walton (Feb 23)
http://www.technewsworld.com/story/83130.html
I'm an ex-sheriff, and I've been in and out of security jobs for much
of my life, so I've got some familiarity with the issues underlying
the drama between the FBI and Apple. FBI officials -- and likely those
in every other three-letter agency and their counterparts all over the
world -- would like an easier way to do their jobs. Wouldn't we all?
If they could put cameras in...
Wanted: Cryptography Products for Worldwide Survey
Jeffrey Walton (Jan 01)
(http://www.schneier.com/crypto-gram/archives/2015/1215.html):
In 1999, Lance Hoffman, David Balenson, and others published a survey
of non-US cryptographic products. The point of the survey was to
illustrate that there was a robust international market in these
products, and that US-only export restrictions on strong encryption
did nothing to prevent its adoption and everything to disadvantage US
corporations. This was an important contribution...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
Cisco Releases Security Update for IOS XE Software
US-CERT (Nov 03)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Cisco Releases Security Update for IOS XE Software [
https://www.us-cert.gov/ncas/current-activity/2017/11/03/Cisco-Releases-Security-Update-IOS-XE-Software ] 11/03/2017
04:35 PM EDT
Original release date: November 03, 2017
Cisco has released a security update to address a vulnerability in its IOS XE software. A remote attacker could exploit
this vulnerability to...
Cisco Releases Security Updates
US-CERT (Nov 01)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Cisco Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/11/01/Cisco-Releases-Security-Updates ] 11/01/2017 01:17 PM EDT
Original release date: November 01, 2017
Cisco has released updates to address vulnerabilities affecting multiple products. A remote attacker could exploit some
of these vulnerabilities to take control of an affected...
Apple Releases Multiple Security Updates
US-CERT (Oct 31)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Apple Releases Multiple Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/10/31/Apple-Releases-Multiple-Security-Updates ] 10/31/2017 04:26 PM
EDT
Original release date: October 31, 2017
Apple has released security updates to address vulnerabilities in multiple products. A remote attacker could exploit
some of these vulnerabilities to take...
WordPress Releases Security Update
US-CERT (Oct 31)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
WordPress Releases Security Update [
https://www.us-cert.gov/ncas/current-activity/2017/10/31/WordPress-Releases-Security-Update ] 10/31/2017 04:21 PM EDT
Original release date: October 31, 2017
WordPress versions prior to 4.8.3 are affected by a vulnerability. A remote attacker could exploit this vulnerability
to obtain sensitive information.
US-CERT encourages...
Protecting Critical Infrastructure from Cyber Threats
US-CERT (Oct 31)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Protecting Critical Infrastructure from Cyber Threats [
https://www.us-cert.gov/ncas/current-activity/2017/10/31/Protecting-Critical-Infrastructure-Cyber-Threats ] 10/31/2017
08:14 AM EDT
Original release date: October 31, 2017
October is National Cybersecurity Awareness Month, an annual campaign to raise awareness about cybersecurity. Building
resilience in...
Oracle Releases Security Bulletin
US-CERT (Oct 30)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Oracle Releases Security Bulletin [
https://www.us-cert.gov/ncas/current-activity/2017/10/30/Oracle-Releases-Security-Bulletin ] 10/30/2017 02:09 PM EDT
Original release date: October 30, 2017
Oracle has released a security update bulletin to address a vulnerability in Oracle Identity Manager. A remote attacker
could exploit this vulnerability to take control of...
Google Releases Security Update for Chrome
US-CERT (Oct 26)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Google Releases Security Update for Chrome [
https://www.us-cert.gov/ncas/current-activity/2017/10/26/Google-Releases-Security-Update-Chrome ] 10/26/2017 09:23 PM
EDT
Original release date: October 26, 2017
Google has released Chrome version 62.0.3202.75 for Windows, Mac, and Linux. This version addresses a vulnerability
that an attacker could exploit to cause a...
Multiple Ransomware Infections Reported
US-CERT (Oct 24)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Multiple Ransomware Infections Reported [
https://www.us-cert.gov/ncas/current-activity/2017/10/24/Multiple-Ransomware-Infections-Reported ] 10/24/2017 01:16 PM
EDT
Original release date: October 24, 2017
US-CERT has received multiple reports of Bad Rabbit ransomware [
http://www.us-cert.gov/security-publications/Ransomware ] infections in many countries around...
The Internet Wants You: Consider a Career in Cybersecurity
US-CERT (Oct 24)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
The Internet Wants You: Consider a Career in Cybersecurity [
https://www.us-cert.gov/ncas/current-activity/2017/10/24/Title-Internet-Wants-You-Consider-Career-Cybersecurity ]
10/24/2017 07:32 AM EDT
Original release date: October 24, 2017
October is National Cybersecurity Awareness Month, an annual campaign to raise awareness about cybersecurity. The
months...
TA17-293A: Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors
US-CERT (Oct 21)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
TA17-293A: Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors [
https://www.us-cert.gov/ncas/alerts/TA17-293A ] 10/20/2017 06:50 PM EDT
Original release date: October 20, 2017 | Last revised: October 21, 2017
Systems Affected
* Domain Controllers
* File Servers
* Email Servers
Overview
This joint Technical...
TA17-293A: Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors
US-CERT (Oct 20)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
TA17-293A: Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors [
https://www.us-cert.gov/ncas/alerts/TA17-293A ] 10/20/2017 06:50 PM EDT
Original release date: October 20, 2017
Systems Affected
* Domain Controllers
* File Servers
* Email Servers
Overview
This joint Technical Alert (TA) is the result of analytic...
Cisco Releases Security Updates
US-CERT (Oct 18)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Cisco Releases Security Updates [
https://www.us-cert.gov/ncas/current-activity/2017/10/18/Cisco-Releases-Security-Updates ] 10/18/2017 04:07 PM EDT
Original release date: October 18, 2017
Cisco has released updates to address vulnerabilities affecting multiple products. A remote attacker could exploit one
of these vulnerabilities to take control of an affected...
Google Releases Security Updates for Chrome
US-CERT (Oct 18)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Google Releases Security Updates for Chrome [
https://www.us-cert.gov/ncas/current-activity/2017/10/18/Google-Releases-Security-Updates-Chrome ] 10/18/2017 10:08 AM
EDT
Original release date: October 18, 2017
Google has released Chrome version 62.0.3202.62 for Windows, Mac, and Linux to address multiple vulnerabilities.
Exploitation of some of these...
Oracle Releases Security Bulletin
US-CERT (Oct 17)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
Oracle Releases Security Bulletin [
https://www.us-cert.gov/ncas/current-activity/2017/10/17/Oracle-Releases-Security-Bulletin ] 10/17/2017 08:40 PM EDT
Original release date: October 17, 2017
Oracle has released its Critical Patch Update for October 2017 to address 252 vulnerabilities across multiple products.
A remote attacker could exploit some of these...
IC3 Issues Alert on DDoS Attacks
US-CERT (Oct 17)
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:
IC3 Issues Alert on DDoS Attacks [
https://www.us-cert.gov/ncas/current-activity/2017/10/17/IC3-Issues-Alert-DDoS-Attacks ] 10/17/2017 08:39 PM EDT
Original release date: October 17, 2017
The Internet Crime Complaint Center (IC3) has issued an alert on distributed denial-of-service (DDoS)-for-hire services
advertised on criminal forums and marketplaces. Using DDoS...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
Re: Fw: Security risk of vim swap files
Scott Court (Nov 05)
Just want to point out that even if we do set 0600 permissions on all
.swp files, it still may allow for a form of the attack Hanno originally
pointed out if vim is ever run as the httpd user. In reality, this is
far less likely to occur but it's still worth pointing out.
Storing the .swp files in a separate directory prevents this from
potentially being a problem as well. However, universally setting the
.swp files to 0600 is probably a...
Re: Fw: Security risk of vim swap files
Jakub Wilk (Nov 05)
* Christian Brabandt <cb () 256bit org>, 2017-11-05, 18:17:
So the code in question looks like this:
/*
* If the group-read bit is set but not the world-read bit, then
* the group must be equal to the group of the original file. If
* we can't make that happen then reset the group-read bit. This
* avoids making the swap file readable to more users when the
* primary group of the user is too permissive.
*/...
Re: Fw: Security risk of vim swap files
Solar Designer (Nov 05)
That's some effort and code complexity for a fix that is not even trying
to address the problem Hanno pointed out. :-( What we really need is
simply forcing the permissions to 0600 no matter what. I do notice that,
non-surprisingly, Bram said:
| Why would a web server expose and serve such a file? That clearly is
| the problem, not that Vim happens to create swap files (and undo and
| backup files, depending on your configuration).
|
|...
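As an added example (not code from Vim or from anyone in this thread): a small Python scanner that walks a directory, finds Vim swap files, parses the block0 header Vim writes at the start of each one, and reports the user name, host name and original path the file would disclose if a web server served it, together with whether its mode is wider than the 0600 argued for above. The field offsets follow Vim's struct block0 in memline.c; the swap files, paths and user names the demo builds in a temporary directory are constructed sample data.

```python
import os
import stat
import struct
import tempfile

# Field layout of Vim's "block0" header at the start of every swap file
# (struct block0 in memline.c): 2-byte id "b0", 10-byte version "VIM x.y",
# then page size, mtime, inode and pid as 4-byte little-endian integers,
# then fixed-width user name (40), host name (40) and original file name (900).
B0_SIGNATURE = b"b0VIM"
B0_PID_OFF = 24
B0_UNAME_OFF, B0_UNAME_LEN = 28, 40
B0_HNAME_OFF, B0_HNAME_LEN = 68, 40
B0_FNAME_OFF, B0_FNAME_LEN = 108, 900
B0_MIN_LEN = B0_FNAME_OFF + B0_FNAME_LEN

SWAP_SUFFIXES = (".swp", ".swo", ".swn")   # Vim's swap names: .file.swp, then .swo, .swn, ...


def _cstr(buf: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return buf.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_block0(data: bytes) -> dict:
    """Return the metadata Vim stores in block0, or {} if data is not a Vim swap file."""
    if len(data) < B0_MIN_LEN or not data.startswith(B0_SIGNATURE):
        return {}
    return {
        "version": _cstr(data[2:12]),
        "pid": struct.unpack("<I", data[B0_PID_OFF:B0_PID_OFF + 4])[0],
        "user": _cstr(data[B0_UNAME_OFF:B0_UNAME_OFF + B0_UNAME_LEN]),
        "host": _cstr(data[B0_HNAME_OFF:B0_HNAME_OFF + B0_HNAME_LEN]),
        "file": _cstr(data[B0_FNAME_OFF:B0_FNAME_OFF + B0_FNAME_LEN]),
    }


def find_swap_files(root: str) -> list:
    """Walk root and describe every Vim swap file found: mode, permissiveness, leaked metadata."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name.startswith(".") and name.endswith(SWAP_SUFFIXES)):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(path, "rb") as fh:
                meta = parse_block0(fh.read(B0_MIN_LEN))
            if not meta:
                continue                      # right name, but not a Vim swap file
            mode = stat.S_IMODE(st.st_mode)
            findings.append({
                "path": path,
                "mode": mode,
                "too_permissive": bool(mode & 0o077),  # anything beyond owner rw
                **meta,
            })
    return findings


def make_sample_swap(path: str, user: str, host: str, fname: str, mode: int) -> None:
    """Write a constructed block0 header (sample data for the demo, not a real Vim file)."""
    hdr = bytearray(B0_MIN_LEN)
    hdr[0:12] = b"b0VIM 8.0".ljust(12, b"\0")
    hdr[12:16] = struct.pack("<I", 4096)          # page size
    hdr[16:24] = struct.pack("<II", 0, 0)         # mtime, inode (unused here)
    hdr[B0_PID_OFF:B0_PID_OFF + 4] = struct.pack("<I", 4242)
    hdr[B0_UNAME_OFF:B0_UNAME_OFF + B0_UNAME_LEN] = user.encode()[:B0_UNAME_LEN].ljust(B0_UNAME_LEN, b"\0")
    hdr[B0_HNAME_OFF:B0_HNAME_OFF + B0_HNAME_LEN] = host.encode()[:B0_HNAME_LEN].ljust(B0_HNAME_LEN, b"\0")
    hdr[B0_FNAME_OFF:B0_FNAME_OFF + B0_FNAME_LEN] = fname.encode()[:B0_FNAME_LEN].ljust(B0_FNAME_LEN, b"\0")
    with open(path, "wb") as fh:
        fh.write(hdr)
    os.chmod(path, mode)


def demo() -> list:
    """Build a temporary "web root" with constructed swap files and scan it."""
    root = tempfile.mkdtemp(prefix="swpscan-")
    make_sample_swap(os.path.join(root, ".config.php.swp"),
                     "www-data", "web01", "/var/www/html/config.php", 0o644)
    make_sample_swap(os.path.join(root, ".notes.txt.swp"),
                     "alice", "web01", "/home/alice/notes.txt", 0o600)
    with open(os.path.join(root, ".junk.swp"), "wb") as fh:
        fh.write(b"not a swap file")            # right suffix, wrong signature: ignored
    return sorted(find_swap_files(root), key=lambda f: f["path"])


if __name__ == "__main__":
    for f in demo():
        print("%s mode=%04o%s user=%s host=%s file=%s" % (
            f["path"], f["mode"], " (wider than 0600!)" if f["too_permissive"] else "",
            f["user"], f["host"], f["file"]))
```

Pointed at a real document root, the scanner lists exactly what an attacker fetching `/.config.php.swp` would learn before even looking at the buffered file contents that follow the header; the mode column is the check a 0600-always policy would make redundant.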
Re: Fw: Security risk of vim swap files
Christian Brabandt (Nov 05)
I think patch https://github.com/vim/vim/releases/tag/v8.0.1263 fixes
the group ownership problem.
Christian
Re: Re: CVE-2017-5123 Linux kernel v4.13 waitid() not calling access_ok()
Solar Designer (Nov 05)
This is a mailing list.
A write-up included (at least) in the message itself would have been far
more appropriate for oss-security.
I appreciate you having included a summary, yet I feel we need to
actively discourage video-mostly postings - hence this follow-up.
Alexander
Foreman 1.2+ stored XSS in fact charts
Tomer Brisker (Nov 05)
CVE-2017-15100: Facts reported by hosts to Foreman containing HTML are
not properly escaped on fact charts in the facts page, statistics
page, and trends page when hovering over the chart with the mouse.
Affects Foreman 1.2 and higher.
Patch available at https://github.com/theforeman/foreman/pull/4967
Fix will be released in Foreman 1.16.0 (to be released).
For more information see: http://projects.theforeman.org/issues/21519
Re: Re: CVE-2017-5123 Linux kernel v4.13 waitid() not calling access_ok()
up201407890 (Nov 05)
Hello again list,
Here's a video on how I bypassed KASLR and got root using only
CVE-2017-5123, a non-controlled arbitrary write (though 0's are
written), without a single read.
https://www.youtube.com/watch?v=DfwOJIcV5ZA
"This exploit uses solely CVE-2017-5123, a Linux kernel vulnerability
for 4.12-4.13, which gives an attacker a write-not-what-only-where
primitive, or in other words, the ability to write non-controlled...
Re: Security risk of server side text editing in general and vim.tiny specifically
Leonid Isaev (Nov 05)
Ah, great :) I've been using sshd and ssh as a sudo replacement on all
machines, inspired by your old article about insecurities of the latter (with
locked root password, so su also doesn't work). Of course, sshd in general
listens on localhost:22. As for the keys, the keypair to access root, as well
as root's authorized_keys file, are generated at each boot and stored in tmpfs.
Thanks for the idea,
Re: nvi crash recovery
Jakub Wilk (Nov 04)
* Jakub Wilk <jwilk () jwilk net>, 2017-11-03, 21:41:
I took a closer look at what nvi does. As I expected, it's hilariously
bad.
1) The documentation says: "If the recovery directory does not exist,
ex/vi will attempt to create it. This can result in the recovery
directory being owned by a normal user, which means that that user will
be able to remove other user's recovery and backup files. This is
annoying, but is...
Re: Re: Security risk of server side text editing in general and vim.tiny specifically
Christos Zoulas (Nov 03)
-- Subject: [oss-security] Re: Security risk of server side text editing in g
| How much of this (and the parallel thread of course) applies to nvi?
Nvi stores the recovery files in /var/tmp/vi.recover/ owned by the user,
mode 600.
christos
Re: nvi crash recovery (was Re: [oss-security] Re: Security risk of server side text editing in general and vim.tiny specifically)
Daniel Micay (Nov 03)
It's strange it's using /var/tmp instead of ~/.cache but at least it can
be protected with PAM's per-user isolated directory support rather than
relying on it being done securely.
In /etc/security/namespace.conf, for per-user isolated /tmp and /var/tmp:
/tmp /tmp-inst/ level
/var/tmp /var/tmp-inst/ level
In /etc/pam.d/system-auth:
session required pam_namespace.so
Likely also want to mount /tmp-inst as...
Re: nvi crash recovery
Jakub Wilk (Nov 03)
* Hanno Böck <hanno () hboeck de>, 2017-11-03, 21:26:
Sounds like a recipe for disaster.
In Debian, installation scripts try to ensure that /var/tmp/vi.recover
is root-owned:
if [[ -L /var/tmp/vi.recover || \
-e /var/tmp/vi.recover && ! -d /var/tmp/vi.recover ]]; then
echo "Cannot create recovery directory /var/tmp/vi.recover" 1>&2
exit 1
fi
[ -d /var/tmp/vi.recover ] || mkdir -p...
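The same checks as the Debian maintainer script above, written in Python as an added example (not Debian's or nvi's code): a shared recovery directory must be a real directory rather than a symlink, owned by the expected user (root in Debian's case, since the sticky bit does not stop the directory's owner from removing everyone else's files), and sticky if it is world-writable. The demo builds its cases in a temporary directory and uses the current uid as the expected owner because it does not assume it is run as root.

```python
import os
import stat
import tempfile


def recover_dir_problems(path: str, owner_uid: int = 0) -> list:
    """List the reasons path is unsafe as a shared crash-recovery directory.

    An empty list means: it exists, is a real directory (not a symlink), is
    owned by owner_uid, and, if it is world-writable, has the sticky bit set so
    users cannot unlink each other's recovery files. The owner check matters
    because the sticky bit does not restrict the directory's owner.
    """
    try:
        st = os.lstat(path)      # lstat, so a symlink planted by a user does not pass
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    problems = []
    if st.st_uid != owner_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, owner_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        problems.append("world-writable without sticky bit")
    return problems


def demo() -> dict:
    """Constructed cases in a temporary directory; the expected owner is the current uid, not root."""
    base = tempfile.mkdtemp(prefix="recover-")
    me = os.getuid()
    good = os.path.join(base, "vi.recover")
    os.mkdir(good)
    os.chmod(good, 0o1777)                    # rwx for all plus sticky bit, as described above
    nosticky = os.path.join(base, "vi.recover.nosticky")
    os.mkdir(nosticky)
    os.chmod(nosticky, 0o777)                 # world-writable, anyone can unlink anything
    link = os.path.join(base, "vi.recover.link")
    os.symlink(base, link)                    # what a malicious first user could plant
    plain = os.path.join(base, "vi.recover.file")
    with open(plain, "w"):
        pass
    return {
        "good": recover_dir_problems(good, me),
        "nosticky": recover_dir_problems(nosticky, me),
        "symlink": recover_dir_problems(link, me),
        "file": recover_dir_problems(plain, me),
        "wrong_owner": recover_dir_problems(good, me + 1),
        "missing": recover_dir_problems(os.path.join(base, "absent"), me),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print("%-12s %s" % (case, ", ".join(problems) or "ok"))
```

The check is only meaningful when run before users can reach the directory (package postinst, boot script); once a normal user has already created it, chown by root is the fix, and a per-user /var/tmp via pam_namespace removes the shared directory altogether.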
nvi crash recovery (was Re: [oss-security] Re: Security risk of server side text editing in general and vim.tiny specifically)
Hanno Böck (Nov 03)
This is actually interesting:
nvi saves recovery files to /var/tmp/vi.recover and creates them with
600 permissions.
So all the problems discussed don't really apply here.
However the dir itself gets created by the first user using nvi. Not
sure if that causes any other problems (permissions are rwx for all and
sticky bit).
Re: Fw: Security risk of vim swap files
Christian Brabandt (Nov 03)
Yes, I am not saying there is no room for improvement here.
I don't buy that argument. There are at least 2 problems here. Someone
misconfiguring his webserver so it does serve dotfiles and secondly
making some last minute changes on a live production server (and
thirdly, the Vim session must have crashed). That sounds more like a
user error. Also the other example about deleting the file that is
currently being edited is not very...
Re: Fw: Security risk of vim swap files
Christian Brabandt (Nov 03)
make this
call system('install -d -m 700 ~/.vim/swap')
Christian
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
Silver Bullet 123: Yanek Korff
Gary McGraw (Jul 06)
hi sc-l,
The latest installment of Silver Bullet was posted this morning. Silver Bullet episode 123 features a conversation
with Yanek Korff. Yanek worked for many years at Cigital as a system administrator back in the early days. He then
moved on to operational security work at AOL and running managed security services at Mandiant.
We talk about managing technical people in this episode. We also discuss operational security. Have a...
Educause Security Discussion — Securing networks and computers in an academic environment.
Cybersecurity Policy Workshop at KanREN
Andy Fleming (Nov 02)
Feel free to pass along the following opportunity.
I was given permission to forward this on outside of Kansas. I think
they are hoping to get at least another individual or two to sign up.
Questions, please contact Melinda Stanley mstanley () kanren net
785-856-9813.
---------- Forwarded message ----------
Is your institution prepared to respond to a cyber incident? October
is Cybersecurity Awareness month--and as the state's...
Re: VPNs / hostile network / cloud storage
Jim Cheetham (Oct 31)
Excerpts from Kevin Shalla's message of November 1, 2017 9:44 am:
In general, the synchronising programs will be doing their own encryption with TLS (i.e. in the same way as HTTPS
websites), and therefore they are encrypted and safe from attack.
However, there will be unencrypted traffic that you depend on first, such as DNS queries; and in a hostile network
these will be subverted.
If the DNS *content* is signed and this signature is...
VPNs / hostile network / cloud storage
Kevin Shalla (Oct 31)
I have a question about protecting cloud storage synchronization, particularly as it relates to public wireless
networks.
While I know that when working on a public wireless network it is recommended that you use a VPN, I wonder how that
recommendation relates to cloud storage synchronization.
If I have OneDrive or Box or Google set up and automatically synchronizing my local folders to the cloud, and I connect
to a hostile network, is that...
Help w/ IARPA research project--survey
Bridges, Robert A. (Oct 30)
All,
I am a researcher at Oak Ridge National Laboratory (ORNL), and am writing to ask for your help with a cyber security
research project. It pertains to understanding current practices and tools for security leveraging host-based data
sources. If you are involved with cyber security operations or tool development for security we’d like your feedback.
Please see below and attached documents.
ORNL is conducting a research study for IARPA...
Collecting parent email
Kevin Smith (Oct 30)
Hi all,
We are discussing parent email and I had a few questions for the group:
1. Do you collect parent email?
2. If not do you use social media opt in to allow parents to be informed & connected?
If parent email is collected:
3. What groups collect/use this (Student Life? Advancement?)?
4. What are you using for collecting parent email & keeping them up to date?
5. Is this parent email tied to the...
Certification education professional
Mário César Pintaudi Peixoto (Oct 30)
Hi,
Is there any specific certification for safety in education? For
example, an existing framework for addressing issues focused on student
data, educational data from a teaching institution, to provide
information security. So that the professional can take this certification.
Thanks,
Mario.
Re: MFA Deployment Questions
Tim Lane (Oct 29)
Hi All,
I've had quite a few responses on MFA including many institutions asking
for the feedback to be collated and provided back to the forum, so in the
absence of having established a survey I have summarised both the responses
received as well as some insights from our USA counterparts.
*(1) If you have an MFA deployment, is this just for staff, or only for
students or for both? What about Alumni?'*
The extent of MFA rollout...
Re: Blocked URL Categories
Garrett Hildebrand (Oct 27)
Frank,
I'd like to hear more about that. Sounds like a great idea.
Garrett
-==-==-
G.D. Hildebrand Senior IT Security Analyst
UC Irvine, OIT, 6137 Ayala Sci Lib., Irvine, 92697-1175
tel.: 949-824-8913 email: gdh () uci edu
Created new page 15 December 2016
My URL is http://about.me/garretthildebrand
*Splunk - the Benihana of log-data slicing and dicing.*
Don't be a victim of phishing. Legitimate businesses...
Re: Blocked URL Categories
Frank Barton (Oct 27)
While this is somewhat of a tangent, we don't block P2P, but I've
built a nifty system that uses snort to trap Bittorrent traffic that has an
identifiable hash, and logs it, so that when the inevitable
Cease-And-Desist comes in, we know who to refer to the student conduct
office.
Frank
Re: Blocked URL Categories
Ladwig, John M (Oct 27)
Same big-three policy. Some local variation on other categories, those are under campus and system IT governance.
-jml
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Adam
Maynard
Sent: Friday, October 27, 2017 12:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Blocked URL Categories
The only URL categories we block are malware, command-and-control, and...
Re: Blocked URL Categories
Babak Oskouian (Oct 27)
At Mills College we follow the same line of reasoning: allowing access to
everything for research purposes while blocking malware, phishing and
Command & Control sites.
Babak
*Babak Oskouian, Ph.D. | Campus Network Engineer | Information Security
Officer*
*Mills College | 5000 MacArthur Blvd | Oakland, CA 94613-1301*
Re: Blocked URL Categories
Frank Barton (Oct 27)
We block known malicious sites, and we also maintain an internal black-list
of sites that haven't hit the routine lists yet
other than that, it's open season on the internet.
Frank
Re: Blocked URL Categories
Ronald King (Oct 27)
That is too true.
Thank you everyone that has responded. These are great ideas to help
strengthen our stance.
Ron
*Ronald A. King, CISSP*
Chief Information Security Officer
Morgan State University Office: (443) 885-3372
1700 E. Cold Spring Ln. Email: ronald.king () morgan edu
Baltimore, MD 21251 URL: http://www.morgan.edu
*Growing the future ... Leading the world*
<...
Re: Blocked URL Categories
Ruth Ginzberg (Oct 27)
Another thought: Your AUP also prohibits use for profit-making purposes, but I bet nobody is complaining about
allowing access to business publications or marketing associations. What’s the difference? Students and faculty have
the right, and possibly the obligation, to study activities that your AUP would not allow them to do.
Ruth Ginzberg
608-890-3961
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV...
Re: Blocked URL Categories
Mccormick, Kevin (Oct 27)
You allow access because you are a higher education institution and those
are topics that need to be researched.
We don't filter anything here, and if we even tried to the faculty and
students would throw a huge fit.
If the AUP is a university policy like ours, I would recommend re-writing
the AUP.
Some of the older AUPs I have seen are by today's standards overly
restrictive and outdated.
Here is our AUP....
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
RE: Are there inexpensive DWDM products?
Eric C. Miller (Nov 03)
These guys are pretty inexpensive. Take it for what it is :)
https://www.sfpcables.com/cisco-cwdm-oadm-series
Eric Miller, CCNP
Network Engineering Consultant
-----Original Message-----
From: NANOG [mailto:nanog-bounces+eric=ericheather.com () nanog org] On Behalf Of Adnan Ahmed
Sent: Friday, November 3, 2017 9:26 AM
To: Hank Nussbacher <hank () efes iucc ac il>
Cc: nanog () nanog org
Subject: Re: Are there inexpensive DWDM products?...
Weekly Routing Table Report
Routing Analysis Role Account (Nov 03)
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.
The posting is sent to APOPS, NANOG, AfNOG, SANOG, PacNOG, SAFNOG, CaribNOG
TZNOG, MENOG, BJNOG, SDNOG, CMNOG, LACNOG, IRNOG and the RIPE Routing WG.
Daily listings are sent to bgp-stats () lists apnic net
For historical data, please see http://thyme.rand.apnic.net.
If you have any comments please contact Philip...
Re: Are there inexpensive DWDM products?
Adnan Ahmed (Nov 03)
Also look at these guys,
https://www.optelian.com/products/dwdm-optical-multiplexing/
Re: Are there inexpensive DWDM products?
Hank Nussbacher (Nov 02)
Try: https://www.packetlight.com/
-Hank
Re: Are there inexpensive DWDM products?
Christopher Morrow (Nov 02)
the example 80k cwdm sfp+:
http://www.fs.com/products/19371.html
Re: Are there inexpensive DWDM products?
Christopher Morrow (Nov 02)
as another fs.com user of cwdm muxes... yes, in the limited sample I have
they work for me...
you ought to be able to pair the CWDM muxes like:
http://www.fs.com/products/42972.html
with their 80km optics and get pretty far along... a 'city' solution
shouldn't really need more than 80k, right? :)
Re: Are there inexpensive DWDM products?
Brent Jones (Nov 02)
I've set a few people up with FS.com, and my $employer uses them for a lot
of DWDM without issue.
Quality bites everyone, cleaning terminations is one of the neglected steps
:p
Re: Are there inexpensive DWDM products?
Micah Croff (Nov 02)
I've used Adva passive DWDM MUX's and colored FlexOptix DWDM 10G optics. It
worked very well with zero issues. I haven't personally used MUX's from
fs.com but I've had colleagues use them and caution against them due to the
quality.
Re: Calgary <-> Toronto 100% Canadian Fibre Resiliency on failover
Mike Hammett (Nov 02)
I believe when I've looked into it before, UP required your utility to be at the far outside edge of their ROW, so not
really close to the track.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
----- Original Message -----
From: "Joe Abley" <jabley () hopcount ca>
To: "Steve Naslund" <SNaslund () medline com>
Cc: nanog () nanog org...
Re: Are there inexpensive DWDM products?
Mike Hammett (Nov 02)
fs.com DWDM with a 1310 pass through port. That way you can still run 40G or 100G over the 1310.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
----- Original Message -----
From: "LF OD" <bz_siege_01 () hotmail com>
To: nanog () nanog org
Sent: Thursday, November 2, 2017 1:01:10 PM
Subject: Are there inexpensive DWDM products?
We have several buildings...
Re: Are there inexpensive DWDM products?
LF OD (Nov 02)
Wow... a lot of suggestions and very quickly too. CWDM may not be an option because some of the spans are just out of
range, but I'm going to look at it for the short spans.
Thanks for all the feedback, folks. (I'll contact some of you off-board)
LFOD
________________________________
From: NANOG <nanog-bounces () nanog org> on behalf of LF OD <bz_siege_01 () hotmail com>
Sent: Thursday, November 2, 2017 11:01 AM
To:...
RE: Are there inexpensive DWDM products?
Robert Jacobs (Nov 02)
We use and love Infinera XTG Muxes for our P2P extensions off the main optical core. They have a line of manageable 8
channel DWDM passive mux that you can get basic up down traps and optical information about each channel. You can use
grey market or OAM tuned ten gig transponders in your switches or routers and patch into the mux. There is an option
to add an amp if distances are too great. About 6K for a pair of the muxes and tuned...
RE: Are there inexpensive DWDM products?
Romeo Czumbil (Nov 02)
CWDM option might be your best bet here.
If you need more channels and you want to go to DWDM then check out Ekinops
Great product and they don't charge as much as the other guys
-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of LF OD
Sent: Thursday, November 2, 2017 2:01 PM
To: nanog () nanog org
Subject: Are there inexpensive DWDM products?
We have several buildings and a couple data centers spread...
Re: Calgary <-> Toronto 100% Canadian Fibre Resiliency on failover
Joe Abley (Nov 02)
I remember years ago in New Zealand there was buried fibre along the railway running north-south in the North Island
that was not generally anybody's first choice of glass when trying to connect sites in Auckland and Wellington. The
problem I heard described (from memory, long time ago, I am old) was that the natural vibration of the ground due to
trains on rails had the effect over time of pushing conduit down the embankment away from...
RE: Are there inexpensive DWDM products?
Luke Guillory (Nov 02)
These guys seem to be a white box solution for Optical. https://www.lumentum.com
I see that Juniper and Infinera have both worked on solutions to work on their hardware.
Luke Guillory
Vice President – Technology and Innovation
Tel: 985.536.1212
Fax: 985.536.0300
Email: lguillory () reservetele com
Reserve Telecommunications
100 RTC Dr
Reserve, LA 70084
Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating
Re Is New York's preternatural calm a sign of resilience or is terror the new normal? | US news | The Guardian
Dave Farber (Nov 05)
Begin forwarded message:
> From: Pamela McCorduck <pamela () well com>
> Date: November 5, 2017 at 4:01:19 PM EST
> To: dave () farber net
> Subject: Re: [IP] Re Is New York's preternatural calm a sign of resilience or is terror the new normal? | US news |
> The Guardian
>
> Dave, we New Yorkers live with this the way Californians live with the chance of earthquakes. When my niece moved to
> NYC, I told her...
Re The Washington Post: Securing North Korean nuclear sites would require a ground invasion, Pentagon says
Dave Farber (Nov 05)
---------- Forwarded message ---------
From: Rodney Van Meter <rdv () sfc wide ad jp>
Date: Sun, Nov 5, 2017 at 5:34 PM
Subject: Re: [IP] The Washington Post: Securing North Korean nuclear sites
would require a ground invasion, Pentagon says
To: David Farber <dave () farber net>
CC: Rodney Van Meter <rdv () sfc wide ad jp>, ip <ip () listbox com>
An alternative approach....
Estonia freezes resident ID cards due to security flaw
DAVID FARBER (Nov 05)
Begin forwarded message:
> From: Lauren Weinstein <lauren () vortex com>
> Date: November 4, 2017 at 10:58:16 PM EDT
> To: nnsquad () nnsquad org
> Subject: [ NNSquad ] Estonia freezes resident ID cards due to security flaw
>
>
> Estonia freezes resident ID cards due to security flaw
>
> https://www.engadget.com/2017/11/04/estonia-freezes-resident-id-cards-security-flaw/
>
> Estonia's...
Re Re Is New York's preternatural calm a sign of resilience or is terror the new normal? | US news | The Guardian
Dave Farber (Nov 05)
Begin forwarded message:
> From: Krulwich <krulwich () yahoo com>
> Date: November 5, 2017 at 12:05:08 PM EST
> To: "farber () gmail com" <farber () gmail com>, ip <ip () listbox com>
> Subject: Re: [IP] Re Is New York's preternatural calm a sign of resilience or is terror the new normal? | US news |
> The Guardian
> Reply-To: "krulwich () yahoo com" <krulwich () yahoo com>
>...
Re Is New York's preternatural calm a sign of resilience or is terror the new normal? | US news | The Guardian
Dave Farber (Nov 05)
Begin forwarded message:
> From: "John Levine" <johnl () iecc com>
> Date: November 5, 2017 at 10:30:34 AM EST
> To: dave () farber net
> Subject: Re: [IP] Is New York's preternatural calm a sign of resilience or is terror the new normal? | US news | The
> Guardian
>
> In article <701F83CC-5B75-4CF0-8F37-05B524A727D1 () me com> you write:
>> I think it’s a mark of resilience
>>...
Now, Silicon Valley Is Totally Cool With a Bill That Could Ruin the Internet
Dave Farber (Nov 04)
---------- Forwarded message ---------
From: Lauren Weinstein <lauren () vortex com>
Date: Sat, Nov 4, 2017 at 1:55 PM
Subject: [ NNSquad ] Now, Silicon Valley Is Totally Cool With a Bill That
Could Ruin the Internet
To: <nnsquad () nnsquad org>
Now, Silicon Valley Is Totally Cool With a Bill That Could Ruin the Internet
https://gizmodo.com/now-silicon-valley-is-totally-cool-with-a-bill-that-co-1820131215
The Internet...
The Washington Post: Securing North Korean nuclear sites would require a ground invasion, Pentagon says
Dave Farber (Nov 04)
Sleep well DFJ
Securing North Korean nuclear sites would require a ground invasion, Pentagon says
The Washington Post
A Navy admiral sent a blunt assessment of the dangers of military action to lawmakers. Read the full story
Shared from Apple News
-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580
Modify Your...
Re Is New York's preternatural calm a sign of resilience or is terror the new normal? | US news | The Guardian
Dave Farber (Nov 04)
Begin forwarded message:
> From: Bill Bumgarner <bbum () mac com>
> Date: November 4, 2017 at 1:35:09 PM EDT
> To: dave () farber net
> Cc: ip <ip () listbox com>
> Subject: Re: [IP] Is New York's preternatural calm a sign of resilience or is terror the new normal? | US news | The
> Guardian
>
> I can confirm resilience.
>
> I was standing on the 125th street subway platform when the 2nd plane...
Re Is New York's preternatural calm a sign of resilience or is terror the new normal? | US news | The Guardian
Dave Farber (Nov 04)
Begin forwarded message:
> From: "Bob Frankston" <Bob19-0501 () bobf frankston com>
> Date: November 4, 2017 at 5:51:36 PM EDT
> To: dave () farber net
> Subject: RE: [IP] Is New York's preternatural calm a sign of resilience or is terror the new normal? | US news | The
> Guardian
>
> I remember the post 9/11 on this list showing how small the foot print of the WTC was relative to the size of the
>...
Hackers prey on home buyers, with hundreds of millions of dollars at stake
Dave Farber (Nov 04)
Begin forwarded message:
> From: Lauren Weinstein <lauren () vortex com>
> Date: November 4, 2017 at 6:51:21 PM EDT
> To: nnsquad () nnsquad org
> Subject: [ NNSquad ] Hackers prey on home buyers, with hundreds of millions of dollars at stake
>
>
> Hackers prey on home buyers, with hundreds of millions of dollars at stake
>
>...
A Major New U.S. Report Affirms: Climate Change Is Getting Worse
Dave Farber (Nov 04)
Begin forwarded message:
> From: Dewayne Hendricks <dewayne () warpspeed com>
> Date: November 4, 2017 at 11:01:49 AM EDT
> To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
> Subject: [Dewayne-Net] A Major New U.S. Report Affirms: Climate Change Is Getting Worse
> Reply-To: dewayne-net () warpspeed com
>
> A Major New U.S. Report Affirms: Climate Change Is Getting Worse
> The National...
Stuxnet-style code signing is more widespread than anyone thought
DAVID FARBER (Nov 04)
Begin forwarded message:
> From: Lauren Weinstein <lauren () vortex com>
> Date: November 4, 2017 at 12:53:41 PM EDT
> To: nnsquad () nnsquad org
> Subject: [ NNSquad ] Stuxnet-style code signing is more widespread than anyone thought
>
>
> Stuxnet-style code signing is more widespread than anyone thought
>
>...
Is New York's preternatural calm a sign of resilience or is terror the new normal? | US news | The Guardian
DAVID FARBER (Nov 04)
I think it’s a mark of resilience
https://www.theguardian.com/us-news/2017/nov/04/new-york-calm-resilience-terror-truck-attack
Why Leaf-Peeping Season Is Disappointing This Year
Dave Farber (Nov 03)
Why Leaf-Peeping Season Is Disappointing This Year
https://www.bloomberg.com/news/articles/2017-11-03/fall-in-new-york-balmy-weather-green-trees-and-nothing-to-rake
Re Verizon Wants FCC to Ban States From Protecting Your Privacy
Dave Farber (Nov 03)
Begin forwarded message:
> From: "Bill D. Herman" <billdherman () gmail com>
> Date: November 2, 2017 at 10:00:56 PM EDT
> To: Dave Farber <dave () farber net>
> Subject: Re: [IP] Verizon Wants FCC to Ban States From Protecting Your Privacy
>
> [For IP if you wish]
>
> They don't want to get Californicated like the auto industry with emissions standards... Detroit has had to innovate,
>...
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 30.48
RISKS List Owner (Oct 19)
RISKS-LIST: Risks-Forum Digest Thursday 19 October 2017 Volume 30 : Issue 48
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.48>
The current issue can also...
Risks Digest 30.47
RISKS List Owner (Sep 29)
RISKS-LIST: Risks-Forum Digest Friday 29 September 2017 Volume 30 : Issue 47
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.47>
The current issue can also...
Risks Digest 30.46
RISKS List Owner (Sep 11)
RISKS-LIST: Risks-Forum Digest Monday 11 September 2017 Volume 30 : Issue 46
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.46>
The current issue can also...
Risks Digest 30.44
RISKS List Owner (Aug 31)
RISKS-LIST: Risks-Forum Digest Thursday 31 August 2017 Volume 30 : Issue 44
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.44>
The current issue can also be...
Risks Digest 30.43
RISKS List Owner (Aug 14)
RISKS-LIST: Risks-Forum Digest Monday 14 August 2017 Volume 30 : Issue 43
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.43>
The current issue can also be...
Risks Digest 30.42
RISKS List Owner (Aug 07)
RISKS-LIST: Risks-Forum Digest Monday 7 August 2017 Volume 30 : Issue 42
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.42>
The current issue can also be...
Risks Digest 30.41
RISKS List Owner (Aug 01)
RISKS-LIST: Risks-Forum Digest Tuesday 1 August 2017 Volume 30 : Issue 41
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.41>
The current issue can also be...
Risks Digest 30.40
RISKS List Owner (Jul 28)
RISKS-LIST: Risks-Forum Digest Friday 28 July 2017 Volume 30 : Issue 40
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.40>
The current issue can also be...
Risks Digest 30.39
RISKS List Owner (Jul 22)
RISKS-LIST: Risks-Forum Digest Saturday 22 July 2017 Volume 30 : Issue 39
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.39>
The current issue can also be...
Risks Digest 30.38
RISKS List Owner (Jul 17)
RISKS-LIST: Risks-Forum Digest Monday 17 July 2017 Volume 30 : Issue 38
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.38>
The current issue can also be...
Risks Digest 30.37
RISKS List Owner (Jul 14)
RISKS-LIST: Risks-Forum Digest Friday 14 July 2017 Volume 30 : Issue 37
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.37>
The current issue can also be...
Risks Digest 30.36
RISKS List Owner (Jul 07)
RISKS-LIST: Risks-Forum Digest Friday 7 July 2017 Volume 30 : Issue 36
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.36>
The current issue can also be...
BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.
Best Practices for Implementing an IT/Cybersecurity Policy
Audrey McNeil (Nov 03)
http://resources.infosecinstitute.com/best-practices-implementing-itcybersecurity-policy/
An essential part of a company’s cybersecurity program is the creation and
implementation of a workplace security policy, a document that outlines all
plans in place to protect physical and information technology (IT) assets;
in fact, a policy includes a set of rules, instructions, and information
for companies’ end users and guests aiming at ensuring...
What More Does It Take to Make Cyber Security a Top Priority?
Audrey McNeil (Nov 03)
http://www.securityweek.com/what-more-does-it-take-make-cyber-security-top-priority
It has been yet another busy month in the world of cyber security news.
What does it mean when breaches reach private sector and public
institutions that are supposed to be experts in risk oversight? It means
that security is hard even when it is treated as a priority, let alone when
it is an afterthought, as it is in most institutions. Given the business
they...
Cybersecurity must be everyone’s job
Audrey McNeil (Nov 03)
http://magicvalley.com/business/cybersecurity-must-be-everyone-s-job/article_d62ae4dc-5068-59c2-b0f6-d64bdef4b69b.html
We hear of data breaches regularly, and it’s easy to think that it’s
someone else’s problem. What can I really do to stop a data breach?
Cybersecurity must be everyone’s job. Owner, manager and staff are a
crucial part of protecting information. Train employees and keep on top of
new risks. Large firm or small...
Credit card details, salary information published by government contractor
Audrey McNeil (Nov 03)
http://www.abc.net.au/news/2017-11-02/major-government-data-breach-prompts-investigation/9112246
The personal details of up to 50,000 Australians — including some credit
card numbers and salaries — have been mistakenly posted online by a
contractor, in one of the biggest data breaches to date.
The information, including full names, emails, expenses and payment
details, was publicly available online until early October.
The breach, first...
Don't Make the Same Mistake as Target and Home Depot. Protect Your Data With These Tips
Audrey McNeil (Nov 03)
https://www.inc.com/schuyler-brown/5-questions-to-ask-before-trusting-a-vendor-with-your-data.html
When it comes to preventing a data breach, you're only as secure as your
weakest link. Even after training your team and investing in the latest
security software, most companies have a blind spot: vendors. You depend on
a variety of vendors to do everything from inventory management to
accounting, advertising, customer support and more. Many...
Yahoo’s Mayer set to face further data breach scrutiny
Audrey McNeil (Nov 03)
https://www.arnnet.com.au/article/629483/yahoo-mayer-set-face-further-data-breach-scrutiny/
Former Yahoo CEO, Marissa Mayer, and the current and former CEOs of Equifax
will testify before a US Senate panel on 8 November over two massive data
breaches, the committee said Wednesday.
Verizon, the largest US wireless operator, acquired most of Yahoo’s assets
in June. Yahoo disclosed in October that a 2013 data breach affected all
three billion...
Hackers demand $30,000 ransom from University of the Fraser Valley
Destry Winant (Nov 02)
http://www.metronews.ca/news/vancouver/2017/11/01/university-of-the-fraser-valley-investigating-breach-of-student-information.html
The personal information of more than two dozen students attending the
University of the Fraser Valley in British Columbia has potentially
been breached online.
Spokesman Dave Pinton said the Abbotsford-based university and police
are investigating suspicious email related to the disclosure of
"limited personal...
Standing Only Gets You So Far. Scottrade Offers Tactics To Win The Data Breach Class Action War
Audrey McNeil (Nov 02)
https://www.jdsupra.com/legalnews/standing-only-gets-you-so-far-scottrade-68249/
A recent skirmish about standing in data breach class actions (this time in
the Eighth Circuit), involving securities and brokerage firm Scottrade,
suggests that, even if plaintiffs win that limited question, there are
other key battles that can win the war for defendants. As we reported with
Neiman Marcus, P.F. Chang’s, Nationwide, and Barnes & Noble, the...
State AGs Argue That Federal Data Security Legislation Should Set Floor, Not Ceiling
Audrey McNeil (Nov 02)
https://www.natlawreview.com/article/state-ags-argue-federal-data-security-legislation-should-set-floor-not-ceiling
The flood of massive data breaches – including, most recently, the Equifax
breach that compromised the personal data of around 145 million U.S.
consumers – has increased the pressure on Congress to pass sweeping federal
data security and breach reporting legislation. While it’s difficult to
project whether such legislation...
Are Doctors the Weak Link in Terms of Medical Security?
Audrey McNeil (Nov 02)
http://adigaskell.org/2017/10/27/are-doctors-the-weak-link-in-terms-of-medical-security/
Earlier this year I wrote about a study highlighting the slow pace of the
rollout of digital patient records in the UK health system. The analysis,
which is believed to be the first of its kind, examines the progress made
in transferring patient records to digital, and shows a complex picture
beset by poor understanding of IT implementation and an...
Cyberattacks Are Inevitable -- Until We Stop Playing The Blame Game
Audrey McNeil (Nov 02)
https://www.forbes.com/sites/williamsaito/2017/10/25/cyberattacks-are-inevitable-until-we-stop-playing-the-blame-game/#79fe48ab3fb0
As organizations around the world begin to take cybersecurity threats more
seriously, large-scale attacks like the recent breach of a major credit
reporting agency seem to be happening more frequently. At the same time,
there’s increased focus on who’s responsible for security vulnerabilities.
The...
8 cyber preparedness best practices for businesses
Audrey McNeil (Nov 02)
http://www.propertycasualty360.com/2017/10/24/8-cyber-preparedness-best-practices-for-businesses?slreturn=1508858556
Cyberattacks may be the greatest threat to organizations in the 21st century.
All businesses may be vulnerable, regardless of size or sector, public or
private. Cybercriminals won’t ignore a company with a smaller market cap or
fewer employees. They cast a wide net, and they don’t discriminate.
Your business clients are...
Mitigating security risks in the extended enterprise
Audrey McNeil (Nov 01)
https://www.scmagazineuk.com/mitigating-security-risks-in-the-extended-enterprise/article/699000/
When it comes to large-scale data attacks, the Target breach of late 2013
still looms large. But while its headline-grabbing consequences are easily
recalled – over 40 million people impacted, US$18.5 million (£14 million)
in settlement costs – there's another fact that sometimes goes overlooked:
The breach didn't start with Target....
North Korean hackers suspected of stealing secret blueprints of South Korean warships and submarines
Audrey McNeil (Nov 01)
http://www.ibtimes.co.uk/north-korea-accused-hacking-stealing-secret-blueprints-south-korean-warships-submarines-1645245
North Korea has been accused of hacking and stealing secret blueprints of
South Korean warships and submarines. Hackers reportedly hit Daewoo
Shipbuilding and Marine Engineering Co last year and stole around 40,000
documents, including classified military records as well as information on
weapons and construction technology....
Getting your business ready for the GDPR
Audrey McNeil (Nov 01)
https://www.itproportal.com/features/getting-your-business-ready-for-the-gdpr/
Yes, it’s an EU-led regulation, but even with the UK leaving, the GDPR will
still have a substantial impact on the way British organisations manage
personal data.
The GDPR represents the biggest shakeup to data protection in over 20
years. But looking back at how radically the internet has transformed our
lives in that time, it’s no surprise that data privacy...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
nullcon se7en CFP is open
nullcon (Aug 25)
Dear Friends,
Welcome to nullcon se7en!
$git commit -a <sin>
<sin> := wrath | pride | lust | envy | greed | gluttony | sloth
nullcon is an annual security conference held in Goa, India. The focus
of the conference is to showcase the next generation of offensive and
defensive security technology. We happily open doors to researchers
and hackers around the world working on the next big thing in security
and request...
Ruxcon 2015 Final Call For Presentations
cfp (Jul 05)
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of September, 2015.
.[x]. About Ruxcon .[x]....
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Re: g_free throwing an exception
Pascal Quantin (Nov 05)
Hi Paul,
2017-11-05 12:15 GMT+01:00 Paul Offord <Paul.Offord () advance7 com>:
Usually this is a sign of an attempt to free a memory block that was not
allocated with g_malloc. Is it a field from your plugin?
BR,
Pascal.
g_free throwing an exception
Paul Offord (Nov 05)
Hi,
I am working on a plugin dissector. It works OK except when I change profiles Wireshark throws an exception in code in
proto.c as follows:
static void
free_deregistered_field (gpointer data, gpointer user_data _U_)
{
header_field_info *hfi = (header_field_info *) data;
gint hf_id = hfi->id;
g_free((char *)hfi->name); <== The exception occurs on execution of this call
The hfi...
Re: Capture filename not available at plugin init time
Paul Offord (Nov 03)
I see several problems with doing dumpcap first:
* Once the dumpcap code is finished you’d still not be able to do anything new and, probably more importantly,
you’d have no way of testing that the code is working correctly
* I already have a dissector that works which I can quickly submit to the project once the TSDB piece (and perhaps
TRB piece) is done
* Developers (or users) will be able to use TribeLab Workbench to create...
Re: Capture filename not available at plugin init time
Roland Knall (Nov 03)
Quite a few breweries I assume ;-)
The real question here is dumpcap. That should be done first. Over the
years, there was an effort to get this done every so months. But most
people seem to give up silently.
I understand the reasoning
cheers
Re: Capture filename not available at plugin init time
Paul Offord (Nov 03)
Probably a whole brewery!
From: Wireshark-dev [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Graham Bloice
Sent: 03 November 2017 16:48
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] Capture filename not available at plugin init time
So the plan would be:
* Add support to read the TSDB and create the resulting structures
* Add support to read Text Record Blocks...
Re: Capture filename not available at plugin init time
Graham Bloice (Nov 03)
That sounds like it will need a lot of beer tokens ;-/
Re: Capture filename not available at plugin init time
Paul Offord (Nov 03)
So the plan would be:
* Add support to read the TSDB and create the resulting structures
* Add support to read Text Record Blocks (TRBs)
* This is mostly stuff that Guy Harris described a while back
* In my current code the data records are encapsulated in a dummy Ethernet frame
* Add support to mergecap to correctly handle the TSDBs
* Similar to adjusting IDBs when files are merged
* Add the dumpcap code to...
Re: Capture filename not available at plugin init time
Roland Knall (Nov 03)
This is a different thing here. If TSDB is a common code block, I think the
chances are really good.
But still it needs the basic read functionality in dumpcap
cheers
Re: Capture filename not available at plugin init time
Paul Offord (Nov 03)
OK – I understand.
If I write the code to read the TSDB and make it available do you think it would be accepted into the main project?
I’m thinking about my syncro experience here.
Thanks and regards…Paul
From: Wireshark-dev [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Roland Knall
Sent: 03 November 2017 14:15
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev]...
Re: Capture filename not available at plugin init time
Roland Knall (Nov 03)
Hi Paul
You should never assume that you will be able to read the file while WS
is reading it. If this is working right now, it might be out of pure
coincidence. That said, the real thing here should be to get dumpcap to use
pcapng as input format, which would give you the tsdb block where you need
it to be, during dissection.
The support for any pcap-ng extension block is already in Wireshark. The
issue still is, to get the block structure...
Re: Capture filename not available at plugin init time
Paul Offord (Nov 03)
Thanks for responding Roland.
I’ve written a tool that reads a log file and converts it to a PCAP-NG with a matching dissector. The pcap file
carries a data descriptor block in a new PCAP-NG block type called TSDB. The TSDB carries the information needed to
register the header fields. To add support for the TSDB into core Wireshark is going to be a big job (which I will
submit later). As a quick solution, the dissector gets the...
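Worked example, added here and not code from this thread, from Wireshark or from the TribeLab tool: a minimal pcapng writer and reader in Python showing what Roland's and Paul's messages describe, a descriptor block that rides in the same block chain as the packets, so any reader that walks the file sees it before the first Enhanced Packet Block and does not need the capture filename at all. The real TSDB block type code and layout are not on the page, so the example carries the descriptor in the specification's Custom Block (type 0x00000BAD) under a placeholder Private Enterprise Number, with a length prefix inside the body; the block type choice, the PEN value, the length-prefix framing and the sample descriptor are all this example's assumptions.

```python
import struct

# pcapng block type codes from the pcapng specification.
SHB, IDB, EPB, CUSTOM_BLOCK = 0x0A0D0D0A, 0x00000001, 0x00000006, 0x00000BAD
BYTE_ORDER_MAGIC = 0x1A2B3C4D   # little-endian section when read as "<I"
LINKTYPE_ETHERNET = 1
EXAMPLE_PEN = 99999             # placeholder PEN for this example, not a registered number

# Constructed sample input (not captured traffic): a field descriptor and one frame.
SAMPLE_DESCRIPTOR = b"field=id;type=uint32|field=user;type=string"
SAMPLE_PACKETS = [(1_509_700_000_000_000, bytes(14) + b"hello")]  # (timestamp, frame)


def _block(block_type: int, body: bytes) -> bytes:
    """Frame a body as a pcapng block: type, total length, body padded to 32 bits, total length."""
    body += b"\0" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def write_pcapng(descriptor: bytes, packets) -> bytes:
    """Emit SHB, IDB, the descriptor block, then one EPB per (timestamp, frame) pair.

    The descriptor is length-prefixed inside the custom block so the reader can
    strip the 32-bit padding; that framing is this example's convention, not pcapng's.
    """
    out = _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))  # section length unknown
    out += _block(IDB, struct.pack("<HHI", LINKTYPE_ETHERNET, 0, 65535))
    out += _block(CUSTOM_BLOCK, struct.pack("<II", EXAMPLE_PEN, len(descriptor)) + descriptor)
    for ts, frame in packets:
        hdr = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(frame), len(frame))
        out += _block(EPB, hdr + frame)
    return out


def read_pcapng(buf: bytes):
    """Walk the block chain, validating both length fields, and return (descriptors, packets)."""
    descriptors, packets, off = [], [], 0
    if buf[:4] != struct.pack("<I", SHB):
        raise ValueError("file does not start with a Section Header Block")
    while off < len(buf):
        if len(buf) - off < 12:
            raise ValueError("truncated block header")
        btype, total = struct.unpack_from("<II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError("bad block total length")
        if struct.unpack_from("<I", buf, off + total - 4)[0] != total:
            raise ValueError("trailing block length does not match leading one")
        body = buf[off + 8 : off + total - 4]
        if btype == SHB:
            if struct.unpack_from("<I", body, 0)[0] != BYTE_ORDER_MAGIC:
                raise ValueError("only little-endian sections are handled in this example")
        elif btype == CUSTOM_BLOCK:
            pen, dlen = struct.unpack_from("<II", body, 0)
            if 8 + dlen > len(body):
                raise ValueError("descriptor length exceeds block body")
            if pen == EXAMPLE_PEN:          # descriptor is available before any EPB is seen
                descriptors.append(body[8 : 8 + dlen])
        elif btype == EPB:
            _iface, ts_hi, ts_lo, caplen, _origlen = struct.unpack_from("<IIIII", body, 0)
            if 20 + caplen > len(body):
                raise ValueError("captured length exceeds block body")
            packets.append(((ts_hi << 32) | ts_lo, body[20 : 20 + caplen]))
        off += total
    return descriptors, packets


def is_well_formed(buf: bytes) -> bool:
    """True if read_pcapng accepts the buffer, False on any framing error."""
    try:
        read_pcapng(buf)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    data = write_pcapng(SAMPLE_DESCRIPTOR, SAMPLE_PACKETS)
    print(read_pcapng(data))
```

The reader checks each block's two length fields against each other and against the remaining buffer before it indexes the body; a capture file is attacker-supplied input to a dissector, so a short, unaligned or overlong total length is rejected rather than used as an offset.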
Re: Capture filename not available at plugin init time
Paul Offord (Nov 03)
No it’s called when you open a capture file.
From: Wireshark-dev [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Anders Broman
Sent: 03 November 2017 14:00
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] Capture filename not available at plugin init time
Isn't the init function called at startup of wireshark? At which point a file may not yet have been selected....
Re: Capture filename not available at plugin init time
Anders Broman (Nov 03)
Isn't the init function called at startup of wireshark? At which point a
file may not yet have been selected.
Regards
Anders
Den 3 nov. 2017 2:54 em skrev "Roland Knall" <rknall () gmail com>:
Re: Capture filename not available at plugin init time
Roland Knall (Nov 03)
Hi Paul
As far as I know, cf_open can still fail after calling the init-functions.
In that case you would get the filename, but the capture is already closed.
My question is, why do you need the filename in the first place?
Also, you could set the filename at a later point. If you implement a
tap-interface, you could set the filename in the first tap-print callback.
Makes sense, 'cause you normally only have data at this point anyway....
Capture filename not available at plugin init time
Paul Offord (Nov 03)
I have a dissector that needs the capture file name at the time my dissector's init function is called. I attempt to
get the name with plugin_if_get_ws_info(...), not an unreasonable request I think you'll agree, but unfortunately the
filename comes back as a NULL pointer.
I've traced through the code and this is what happens:
* We pass through the MainWindow signal and slot stuff and eventually call cf_open(...) in file.c...
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
(no subject)
mehalil ahmed djamel eddine via Snort-users (Nov 04)
I want to register on the Snort site
(no subject)
mehalil ahmed djamel eddine via Snort-users (Nov 04)
hi
(no subject)
mehalil ahmed djamel eddine via Snort-users (Nov 04)
Hi
Write rule for TCP packet without content
nguyen cao via Snort-users (Nov 03)
Hi! I use wireshark and catch TCP packets without content (empty TCP
packet). So, how to write a snort rule to detect this empty TCP packet?
thank you
Re: Snort and AI
DFIRob via Snort-users (Nov 02)
Longer answer on why we're not doing your homework. Snort produces alerts
in a format easily digestible by databases, log parsers of any kind, and
even non artificial intelligence, that's what SOC monkeys are doing all day
;)
Any ML algo can do its stuff from there on, and tell you it's all guacamole
in the end. There is nothing specific to snort output in this case, and
it's out of scope of the user's guide to tell you...
Re: Snort and AI
Ale Fredes Hadad via Snort-users (Nov 02)
I am only looking for the name of the tool (if there is any) and then I am
going to research on my own. I am reading the user's guide and I can't
find that.
2017-11-02 15:44 GMT-03:00 Joel Esler (jesler) <jesler () cisco com>:
Re: Snort and AI
Joel Esler (jesler) via Snort-users (Nov 02)
https://snort.org/faq/can-i-have-help-with-my-homework
Snort and AI
Ale Fredes Hadad via Snort-users (Nov 02)
Hello everyone!
I am studying about Snort and I would like to ask if there is a software
tool that work with Snort and uses Artificial Intelligence techniques like
machine learning, neural networks and so on.
Thanks!
Regards,
Alexis Fredes
Snort Subscriber Rules Update 2017-11-02
Research (Nov 02)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the
indicator-compromise, policy-other, protocol-snmp and server-webapp
rule sets to provide coverage for emerging threats from these
technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Re: Question about "stream5: TCP 4-way handshake detected"
agustin larrarte via Snort-users (Nov 02)
thank you!
Re: Question about "stream5: TCP 4-way handshake detected"
Victor Roemer via Snort-users (Nov 01)
Fairly confident this alert is for the 4-way variant of the typical
3-way handshake.
Like so
|a( syn ) b( ack ) b( syn ) a( ack ) |
however, several years ago, someone noticed some peculiar behavior where
the initiating host (read client), upon receiving a syn response
(not a syn+ack) would result in the client sending a |syn+ack| back
to the server; the handshake then tends to look like this:
|a( syn ) b( syn ) a( syn,ack )...
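Worked example, added here and not code from this thread or from Snort: a small Python classifier over constructed TCP segments that covers both Snort-users questions above, the "empty TCP packet" one (the payload-length test is what Snort's dsize:0 keyword matches) and this one about 129:13 (the responder's SYN and ACK arriving in two segments instead of one SYN+ACK, in either of the orders Victor describes). The Segment record, the flag constants, the four sample sessions and the alert tuple format are this example's assumptions; the gid/sid pair is the one named in the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP flag bits from header byte 13 (RFC 793).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Segment:
    src: str          # "ip:port" of the sender
    dst: str
    flags: int
    payload_len: int  # bytes after the TCP header


def is_empty_segment(seg: Segment) -> bool:
    """The condition Snort's dsize:0 matches: a segment that carries no payload."""
    return seg.payload_len == 0


def classify_handshake(segs: List[Segment]) -> Optional[str]:
    """Classify how a session opened, looking only at its first four segments.

    "3-way"  : the responder's SYN and ACK travel together in one SYN+ACK.
    "4-way"  : they are split into two segments; both the ACK-then-SYN order
               and the simultaneous-open order (SYN, then SYN+ACK) count.
    None     : the open is reset or never completes within the window.
    """
    if not segs or not (segs[0].flags & SYN) or segs[0].flags & ACK:
        return None                                  # must start with a bare SYN
    a, b = segs[0].src, segs[0].dst
    window = segs[:4]
    if any(s.flags & RST for s in window):
        return None
    b_segs = [s for s in window if s.src == b and s.dst == a]
    b_syn = next((s for s in b_segs if s.flags & SYN), None)
    if b_syn is None:
        return None                                  # responder never sent its SYN
    b_acked = any(s.flags & ACK for s in b_segs)
    a_acked = any(s.src == a and s.flags & ACK for s in window[1:])
    if not (a_acked and b_acked):
        return None                                  # one side never acknowledged
    return "3-way" if b_syn.flags & ACK else "4-way"


def stream_alerts(segs: List[Segment]) -> List[Tuple[int, int, str]]:
    """Raise the preprocessor event the thread asks about, as (gid, sid, msg)."""
    alerts = []
    if classify_handshake(segs) == "4-way":
        alerts.append((129, 13, "stream5: TCP 4-way handshake detected"))
    return alerts


# Constructed sample sessions (not captured traffic). A is the client, B the server.
A, B = "10.0.0.5:51000", "10.0.0.9:443"
THREE_WAY = [Segment(A, B, SYN, 0), Segment(B, A, SYN | ACK, 0),
             Segment(A, B, ACK, 0), Segment(A, B, PSH | ACK, 120)]
SPLIT_SYNACK = [Segment(A, B, SYN, 0), Segment(B, A, ACK, 0),
                Segment(B, A, SYN, 0), Segment(A, B, ACK, 0)]
SIMULTANEOUS = [Segment(A, B, SYN, 0), Segment(B, A, SYN, 0),
                Segment(A, B, SYN | ACK, 0), Segment(B, A, SYN | ACK, 0)]
REFUSED = [Segment(A, B, SYN, 0), Segment(B, A, RST | ACK, 0)]

if __name__ == "__main__":
    for name, session in [("3-way", THREE_WAY), ("split", SPLIT_SYNACK),
                          ("simultaneous", SIMULTANEOUS), ("refused", REFUSED)]:
        print(name, classify_handshake(session), stream_alerts(session))
```

Note that every handshake segment in the samples is itself empty, so a Snort rule built on dsize:0 alone fires on every session; in practice it is paired with flow or flags options so that only empty segments inside an established session match.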
Re: Question about "stream5: TCP 4-way handshake detected"
wkitty42 (Nov 01)
129:13 is, indeed, the rule for announcing that a "TCP 4-way handshake has been
detected"... not any specific part (close connection??) of it.. the whole
handshake...
to find out more about what's going on, you need to capture those packets
(wireshark, tcpdump, etc) and study the sessions... if it is legit traffic, then
handle the rule in threshold.conf... if not, reconfigure the problematic
system/software or otherwise clean...
Question about "stream5: TCP 4-way handshake detected"
agustin larrarte via Snort-users (Nov 01)
Hi,
I would like to ask for advice on this alert. We are receiving many alerts
from one unique ip address on our environment for this event. We have been
looking for documentation or aid online trying to figure out what this
alert event means but we can't find anything snort related. Is this related
to the 4 way TCP close connection handshake? why is this alert being
triggered?
here is a screenshot of snorby showing the alert:
[image:...
Snort Subscriber Rules Update 2017-10-31
Research (Oct 31)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-ie,
browser-plugins, exploit-kit, file-office, file-other,
indicator-obfuscation, malware-cnc, os-windows, policy-other,
pua-adware, server-apache, server-MySQL and server-webapp rule sets to
provide coverage for emerging threats from these technologies.
For a complete...
Fwd: Problem unix socket
Giuseppe Iatrino via Snort-devel (Oct 31)
Hello everyone,
I am using the library https://github.com/John-Lin/snortunsock to read Snort event values,
but
- sig_generator
- sig_id
- sig_rev
are always wrong! (I am reading them without any conversion rule.)
How do I read them?
We also maintain archives for these lists (some are currently inactive):
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.