SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.
Re: Port Exclusion option?
Fyodor (Feb 05)
No, it won't cause that problem. A portlist provided on the command
line takes precedence over Nmap's default
top-1000-ports-in-nmap-services behavior.
Cheers,
Fyodor
Re: [NSE] http-backup-finderpatch
Martin Holst Swende (Feb 05)
Done in r28015 !
/M
Re: [patch] Make sql-injection.nse use httpspider
Patrik Karlsson (Feb 05)
Thanks Duarte!
//Patrik
New VA Modules: NSE: 2, MSF: 1, Nessus: 1
New VA Module Alert Service (Feb 05)
This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.
== Nmap Scripting Engine scripts (2) ==
r28013 rsync-brute http://nmap.org/nsedoc/scripts/rsync-brute.html
Performs brute force password auditing against rsync.
r28013 rsync-list-modules http://nmap.org/nsedoc/scripts/rsync-list-modules.html
List modules available for rsync synchronization
== Metasploit modules (1) ==
r14692...
Re: [patch] Make sql-injection.nse use httpspider
Duarte Silva (Feb 05)
Hi all,
updated the SecWiki, removed the task from incoming,
"
=== Update <tt>sql-injection</tt> to use new httpspider system===
This script includes its own web spider, but it should be upgraded to instead
use our new httpspider library.
"
Regards,
Duarte Silva
Re: [patch] Make sql-injection.nse use httpspider
Lauri Kokkonen (Feb 05)
Glad to be of help.
Yes, and in addition to HTTP redirects it also supported meta-style
redirects.
Lauri
Re: [NSE] http-backup-finderpatch
Patrik Karlsson (Feb 05)
On Sat, Feb 4, 2012 at 10:53 PM, Martin Holst Swende <martin () swende se> wrote:
Looks good to me, please commit it.
Cheers,
Patrik
Re: [patch] Make sql-injection.nse use httpspider
Patrik Karlsson (Feb 05)
On Fri, Feb 3, 2012 at 8:19 AM, Lauri Kokkonen
<lauri.u.kokkonen () gmail com> wrote:
Thanks Lauri! I've committed your changes as r28014.
I noticed that the code for supporting redirect was taken out of the new
version.
One would assume that the spider/http library already supports this, but
unfortunately it doesn't.
Anyway, it's not a big problem though as I will be committing a patch for
this within the next few days....
[NSE] http-backup-finderpatch
Martin Holst Swende (Feb 04)
Hi,
While scanning my cupsdaemon with some http-*, I found a flaw in the
http backup finder. It spat out some strange folders due to a
malfunction if it cannot determine a filename and a suffix:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=localhost
[snip]
| http://localhost:631/classes/{basename}.bak
| http://localhost:631/classes/{basename}.{suffix}~
| http://localhost:631/classes/{basename} copy.{suffix}
|...
Script suggestions, take #3
Martin Holst Swende (Feb 04)
Hi list,
I have now re-added script-suggest based on the latest head, which had
changed quite a bit with the additions of force and script-args-file. I
also fixed the issue where the suggestions weren't run if no script was
selected. Quite a few files are modified (mostly minor), most work is in
nse_main.lua. I had to refactor it a bit in order to first load normal
scripts, then load "suggestable" scripts in a second batch, which...
New VA Modules: Nessus: 20
New VA Module Alert Service (Feb 04)
This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.
== Nessus plugins (20) ==
57825 php_5_3_10.nasl
http://nessus.org/plugins/index.php?view=single&id=57825
PHP 5.3.9 'php_register_variable_ex()' Code Execution
57824 soliddb_select_dos.nasl
http://nessus.org/plugins/index.php?view=single&id=57824
IBM solidDB < 7.0 Fix Pack 1 / 6.5.0.8 Interim Fix 5 Denial...
nping bugs
support (Feb 03)
HOST: WindowsXP SP3 (latest update)
Microsoft Visual C++ 2010 Redistributable Package
WinPcap 412
nmap -V
Nmap version 5.61TEST4 ( http://nmap.org )
Platform: i686-pc-windows-windows
Compiled with: nmap-liblua-5.1.3 openssl-1.0.0a nmap-libpcre-7.6 libpcap-4.1.2 nmap-libdnet-1.12 ipv6
Compiled without:
-----------------------------------
nping -d3 --unprivileged --ttl 1 --delay 1s -c 999999999 --tcp --flags SYN -p 80 surfjunky.com
Mode TCP...
Re: 5.61TEST4 BUGS
David Fifield (Feb 03)
So we can help you, please send us debugging logs of the above commands.
I would like these logs:
nmap --iflist -oN iflist-%D.nmap
nmap -d3 --unprivileged -r -n -PS1080 -sn 125.40-47.*.* -oN ping-user-net-%D.nmap
nmap -d3 --unprivileged -r -n -PS1080 -sn 125.40-47.-.- -oN ping-user-net-dashes-%D.nmap
nmap -d3 --unprivileged -r -n -PS1080 -sn 125.40.0.1 -oN ping-user-host-%D.nmap
nmap -d3 -sn remotehelp.pp.ua -oN ping-admin-host-%D.nmap
David...
5.61TEST4 BUGS
support (Feb 03)
HOST: WindowsXP SP3 (latest update)
Microsoft Visual C++ 2010 Redistributable Package
WinPcap 412
nmap -V
Nmap version 5.61TEST4 ( http://nmap.org )
Platform: i686-pc-windows-windows
Compiled with: nmap-liblua-5.1.3 openssl-1.0.0a nmap-libpcre-7.6 libpcap-4.1.2 nmap-libdnet-1.12 ipv6
Compiled without:
----------------------------------------------
1) BUG
ping range of IP, such as
nmap...
Re: Nmap-5.61TEST4 for Windows - VMWare ESXi OS Fingerprinting Issue -- ISSUE RESOLVED
Shane Kinney (Feb 03)
Hi David,
Thank you for your help. This issue has now been resolved. There was a
firewall in the way,
and once disabled nmap-5.61TEST4 was able to port scan and OS fingerprint
VMWare ESXi 4.1
successfully.
Thanks to you and the dev-list for the help!
Cheers,
-Shane Kinney
Nmap Hackers — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Updates on Download.Com caught adding malware to Nmap installer
Fyodor (Dec 06)
Hi Folks. A lot has happened since yesterday's email about
Download.com's antics (http://seclists.org/nmap-hackers/2011/5) and I
wanted to send a quick update.
First of all, several people complained about my angry tone and my
telling Download.com to "F*ck" themselves. I apologize to anyone
offended. But if you ever spend more than 14 years creating free
software as a gift to the community, only to have it used as bait by...
C|Net Download.Com is now bundling Nmap with malware!
Fyodor (Dec 05)
Hi Folks. I've just discovered that C|Net's Download.Com site has
started wrapping their Nmap downloads (as well as other free software
like VLC) in a trojan installer which does things like installing a
sketchy "StartNow" toolbar, changing the user's default search engine
to Microsoft Bing, and changing their home page to Microsoft's MSN.
The way it works is that C|Net's download page (screenshot attached)...
SecTools.Org relaunched based on your survey responses!
Fyodor (Nov 04)
Hi folks! Remember the latest Nmap survey that almost 3,000 of you
filled out? Well, it took a while, but I'm happy to report that we've
tabulated the results and launched a new version of the SecTools.Org
top security tools list! In addition to updating the data, we've
dramatically improved the site. It now includes user ratings and
reviews, tracks release dates, offers searching and sorting, and even
lets you nominate your...
Nmap 5.59BETA1 Released!
Fyodor (Jun 30)
Hi Folks. Other than the recent informal IPv6 commemorative edition,
we haven't had a real Nmap release in more than four months since
5.51. That is in part because we've been so busy with seven (!)
full-time Google Summer of Code students cranking out tons of
excellent code! But I think we've pulled this together into a release
we can be proud of, and I'm happy to announce Nmap 5.59BETA1!
This version includes:
o 40 new...
Happy World IPv6 Day From the Nmap Project!
Fyodor (Jun 08)
Hi Folks. You have probably heard that today is World IPv6 Day, with
sites like Google, Facebook, and Yahoo publishing IPv6 records for
their main web sites. I'm happy to report that the Nmap Project is
celebrating in several ways:
==Scanme Updated to IPv6==
You probably know that we run the machine scanme.nmap.org as a system
people are allowed to use as a target for test scans and the like.
That system now has native IPv6 support. So...
Nmap 5.51 and SoC Opportunity
Fyodor (Apr 05)
Hi Folks! I'm happy to report that the Nmap 5.50 release was a big
success, with nearly 300,000 downloads in the first two weeks. That
much attention inevitably uncovers some bugs, so we released Nmap 5.51
in February to address them. You can find the release notes at
(http://seclists.org/nmap-dev/2011/q1/518) and the downloads at
http://nmap.org/download.html.
I also wanted to let you know about a serious potential competitive
threat to...
Nmap 5.50: Now with Gopher protocol support!
Fyodor (Jan 28)
Hi folks! It has been a year since the last Nmap stable release
(5.21) and six months since development version 5.35DC1, so I'm
pleased to release Nmap 5.50! I'm sure you'll find that it was worth
the wait!
A primary focus of this release is the Nmap Scripting Engine, which
has allowed Nmap to expand up the protocol stack and take network
discovery to the next level. Nmap can now query all sorts of
application protocols,...
Nmap Defcon Release: Version 5.35DC1
Fyodor (Jul 16)
Hi folks. It has been 3.5 months since the last Nmap release
(5.30BETA1 on March 29), and anyone following the nmap-dev list knows
that we've been very busy during that time. So I'm pleased to release
Nmap version 5.35DC1 containing the fruits of that labor. The Defcon
name is because that conference is awesome! And also because David
Fifield and I have an exciting Nmap talk planned there and at Black
Hat in a couple weeks (see...
Nmap News and Last Chance to Take the Survey
Fyodor (Apr 30)
Hi Folks. I have some Nmap news to share with you:
First off, I'm delighted to introduce the 2010 Nmap/Google Summer of
Code Team! Google has sponsored eight student developers to spend
this summer enhancing the Nmap Security Scanner and related projects,
so you can expect great things in coming months. Ithilgore and Luis
MartinGarcia are returning to improve Ncrack and Nping, new students
Drazen Popovic and Djalal Harouni will be...
Survey Reminder
Fyodor (Apr 14)
Hi folks, I have a quick question for you:
Q: What do the Nmap Scripting Engine, Ndiff, and the Zenmap Topology
Mapper have in common?
A: They're all features which were added after you asked for them in
the 2006 Nmap Survey!
With that in mind, I'd like to thank the 1,013 people who have already
taken the 2010 survey. We just need 1,987 more and we can close this
survey up, tabulate and share results, choose the prize winners,...
Nmap/SecTools Survey and GSoC Deadline
Fyodor (Apr 07)
Hello everyone. I hope you're enjoying the 5.30BETA1 release. So far
it has proven stable and functional, so don't let the BETA name scare
you. You can get it at http://nmap.org/download.html. Meanwhile, I
have some great news, and I'm also asking for your help on two things.
The first is that the Nmap Project was again accepted for the Google
Summer of Code program, so we'll have full time coding help this
summer! SoC...
Nmap 5.30BETA1 Released w/37 new scripts and new Apple vuln
Fyodor (Mar 29)
Hi folks! It has been two months since the 5.21 release and we've
been very busy during that time! I hope you're happy with the results,
which is a new 5.30BETA1 release made today. Top features include:
o 37 new NSE scripts, bringing the total to 117! New scripts cover
SNMP, SSL, Postgres, MySQL, HTTP, LDAP, NFS, DB2, AFS, and many
more. Also check out the clever host scripts qscan and
ipidseq. Learn about them all at...
Nmap 5.21 released
Fyodor (Jan 27)
Hello everyone. I'm pleased to release Nmap 5.21, which contains zero
exciting new features! It is a bug-fix only release instead,
addressing about a dozen issues discovered since 5.20. Thanks for all
the testing and bug reports! None of the bugs are critical, but we
wanted to polish things up since 5.21 may be the latest stable version
for a while. That gives us time to tackle and stabilize big
development projects. If you want to...
Lots of Nmap News
Fyodor (Jan 22)
Hi folks. I'm happy to report that the 5.20 release went well. But
with this many improvements, there will always be a few bugs found.
We're planning to round those up with a bugfix-only 5.21 release next
week. So please test out 5.20 and report any problems you experience:
Download Page: http://nmap.org/download.html
Bug Report Instructions: http://nmap.org/book/man-bugs.html
If you're running from a build of the latest SVN...
Nmap 5.20 Released
Fyodor (Jan 20)
Happy new year, everyone. I'm happy to announce Nmap 5.20--our first
stable Nmap release since 5.00 last July! It offers more than 150
significant improvements, including:
o 30+ new Nmap Scripting Engine scripts
o enhanced performance and reduced memory consumption
o protocol-specific payloads for more effective UDP scanning
o a completely rewritten traceroute engine
o massive OS and version detection DB updates (10,000+ signatures)...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
[ MDVSA-2012:013 ] mozilla
security (Feb 03)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2012:013
http://www.mandriva.com/security/
_______________________________________________________________________
Package : mozilla
Date : February 3, 2012
Affected: 2010.1, 2011., Enterprise Server 5.0
_______________________________________________________________________
Problem Description:...
ESA-2012-010: EMC Documentum xPlore information disclosure vulnerability
Security_Alert (Feb 03)
ESA-2012-010: EMC Documentum xPlore information disclosure vulnerability.
EMC Identifier: ESA-2012-010
EMC Identifier: SRCH-7949
CVE Identifier: CVE-2012-0396
Severity Rating: CVSS v2 Base Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Affected products:
EMC SW: EMC Documentum xPlore 1.0 (all patch versions)
EMC SW: EMC Documentum xPlore 1.1 (all patch versions prior to 1.1 P07)
EMC SW: EMC Documentum xPlore 1.2 (all patch versions)...
RFC 6528 on Defending against Sequence Number Attacks
Fernando Gont (Feb 03)
Folks,
FYI. (the RFC is available at: <http://www.rfc-editor.org/rfc/rfc6528.txt>)
A new Request for Comments is now available in online RFC libraries.
RFC 6528
Title: Defending against Sequence Number Attacks
Author: F. Gont, S. Bellovin
Status: Standards Track
Stream: IETF
Date: February 2012
Pages: 12
Characters: 26917
Obsoletes:...
[SECURITY] [DSA 2403-1] php5 security update
Thijs Kinkhorst (Feb 03)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2403-1 security () debian org
http://www.debian.org/security/ Thijs Kinkhorst
February 02, 2012 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : php5
Vulnerability : code injection
Problem type :...
[SECURITY] [DSA 2402-1] iceape security update
Moritz Muehlenhoff (Feb 03)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2402-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
February 02, 2012 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : iceape
Vulnerability : several
Problem type : remote...
[SECURITY] [DSA 2400-1] iceweasel security update
Moritz Muehlenhoff (Feb 03)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2400-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
February 02, 2012 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : iceweasel
Vulnerability : several
Problem type : remote...
[SECURITY] [DSA 2401-1] tomcat6 security update
Moritz Muehlenhoff (Feb 03)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2401-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
February 02, 2012 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : tomcat6
Vulnerability : several
Problem type : remote...
[security bulletin] HPSBGN02740 SSRT100741 rev.1 - HP Operations Manager, Operations Agent, Performance Agent, Service Health Reporter, Service Health Optimizer, Performance Manager, Remote Execution of Arbitrary Code
security-alert (Feb 03)
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03179825
Version: 1
HPSBGN02740 SSRT100741 rev.1 - HP Operations Manager, Operations Agent, Performance Agent, Service Health Reporter,
Service Health Optimizer, Performance Manager, Remote Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-02-02
Last Updated: 2012-02-02
Potential Security Impact:...
GLSA (Gentoo Linux Security Advisory) publication changes
Alex Legler (Feb 02)
Like other Linux distribution vendors, Gentoo is currently CC'ing advisories
to the full-disclosure and bugtraq mailing lists.
Starting today, we will be *no longer* publishing our advisories to full-
disclosure or bugtraq.
We are following our colleagues at Ubuntu with this decision.
Users who want to receive advisories via email in the future should subscribe
to the gentoo-announce mailing list, as described here:...
[security bulletin] HPSBMU02739 SSRT100280 rev.1 - HP Data Protector Media Operations, Remote Execution of Arbitrary Code
security-alert (Feb 02)
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03179046
Version: 1
HPSBMU02739 SSRT100280 rev.1 - HP Data Protector Media Operations, Remote Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-02-01
Last Updated: 2012-02-01
------------------------------------------------------------------------------
Potential Security Impact: Remote execution...
[CAL-2012-0004] opera array integer overflow
Code Audit Labs (Feb 02)
CAL-2012-0004 opera array integer overflow
1 Affected Products
=================
11.60 and prior
2 Vulnerability Details
=====================
Code Audit Labs http://www.vulnhunt.com has discovered an integer
overflow vulnerability in array functions like
Int32Array,Int16Array... .
Opera vendor says "We have reproduced the problem, and determined that it
does not have any security implications, since the crash is a caused by
a memory...
Fwd: RA-Guard: Advice on the implementation (feedback requested)
Fernando Gont (Feb 02)
Folks,
We have talked about this one quite a few times (including
<http://blog.si6networks.com/2011/09/router-advertisement-guard-ra-guard.html>).
-- still, most implementations remain broken.
If you care to get this fixed, please provide feedback about this I-D on
the IETF *v6ops* mailing-list <v6ops () ietf org>, and CC me if possible.
Thanks!
Best regards,
Fernando
-------- Original Message --------
Subject: RA-Guard: Advice...
Call For Paper
asemailing (Feb 02)
CALL FOR PAPER
2012 ASE/IEEE International Conference on Privacy, Security, Risk, and Trust
Amsterdam, The Netherlands, September 3-6, 2012
WebSite: http://www.asesite.org/conferences/PASSAT/2012/
Workshop Proposal Submission Deadline: March 1, 2012
Paper Submission Deadline: May 11, 2012
================================================================
2012 ASE/IEEE International Conference on Cyber Security
Washington D.C., USA, October 5-7,...
APPLE-SA-2012-02-01-1 OS X Lion v10.7.3 and Security Update 2012-001
Apple Product Security (Feb 02)
APPLE-SA-2012-02-01-1 OS X Lion v10.7.3 and Security Update 2012-001
OS X Lion v10.7.3 and Security Update 2012-001 is now available and
addresses the following:
Address Book
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: An attacker in a privileged network position may intercept
CardDAV data
Description: Address Book supports Secure Sockets Layer (SSL) for
accessing CardDAV. A downgrade issue caused...
[ MDVSA-2012:012 ] apache
security (Feb 02)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2012:012
http://www.mandriva.com/security/
_______________________________________________________________________
Package : apache
Date : February 2, 2012
Affected: 2010.1, 2011., Enterprise Server 5.0
_______________________________________________________________________
Problem Description:...
Full Disclosure — A lightly moderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately, most of the posts are worthless drivel, so finding the gems takes patience.
Exploit Pack - Hacking Microsoft Word and Excel
noreply (Feb 05)
This video shows how to exploit a vulnerability in Microsoft Word and
Excel by using Exploit Pack 2.1.7. Get your own copy of Exploit Pack
from: http://exploitpack.com
Check it out: http://www.youtube.com/watch?v=4n0J6DXFQI0
Exploit Pack Team
Juan Sacco
http://exploitpack.com
Re: Vulnerability-lab.com XSS
Ferenc Kovacs (Feb 05)
Judging from the screenshot, it seems to be a reflected XSS through the
User-Agent field.
I would be curious how could this be exploited from the client side as you
can't manipulate other visitors User-Agent header.
Of course if the User-Agent is logged and the admin area which displays the
logs has the same defect, then this is a different story.
Re: Vulnerability-lab.com XSS
RandallM (Feb 05)
Hell, his English teacher is...
Re: can you answer this?
Valdis . Kletnieks (Feb 05)
On Fri, 03 Feb 2012 02:58:52 CST, Fatherlaptop said:
Simple - it probably came in from elsewhere, and it's asking an IP from an
address that it thought *was* in *its* trust scheme.
Re: Multiple vendor antivirus .kz archive format evasion/bypass vulnerability.
ZeroDay.JP (Feb 05)
antiviruses
Does this ".kz" archiver have an SFX extractor? Because a new SFX type
of an archive file will raise support priority instead.
Yes, but AFTER being extracted beforehand (or maybe you can prove the
otherwise)
You can't be serious to expect every unknown archive format to be
supported by AV scanners..
Cheers
Sent to you by ZeroDay.JP via Google Reader: Re: Multiple vendor
antivirus .kz archive format evasion/bypass...
Advantech/Broadwin HMI/SCADA WebAccess universal network RPC exploit
Arthur Conan Doyle (Feb 05)
New exploit for Broadwin/Advantech HMI/SCADA was published by Zomb1E &
amistox07.
Exploit uses undocumented features of SCADA.
See:
http://fuzzyd00r.blogspot.com/2012/02/advantechbroadwin-hmiscada-webaccess6xx.html
Re: can you answer this?
Fatherlaptop (Feb 05)
Excellent idea. And yes I'm top posting hate snipping on iPhone!
From: Randy
It's an iPhone Thang!
Was learning cursive necessary?
Re: can you answer this?
Granville Moore (Feb 05)
Sorry - my "From" address was screwed up in my previous reply.
Granville Moore
Nemesys Computer Consultants
www.nemesys.com
Re: [SECURITY] [DSA 2403-1] php5 security update
The:Paradox (Feb 05)
Do you have Esser's site link reference about this?
On 03/Feb/2012 09:16, "Thijs Kinkhorst" <thijs () debian org> wrote:
Vulnerability-lab.com XSS
lulzlab (Feb 05)
vulnerability-lab XSS hahahahahaha ROTFL
vulnerability lab kiddos!!!
Re: can you answer this?
Fatherlaptop (Feb 05)
... Why? How is this IP asking for DHCP to another not in my trust IP scheme?
From: Randy
It's an iPhone Thang!
Was learning cursive necessary?
Re: Multiple vendor antivirus .kz archive format evasion/bypass vulnerability.
Julius Kivimäki (Feb 05)
You do know that anyone can create a new archive format that antiviruses
will not detect... Right?
2012/2/2 Michel <kareldjag () yahoo fr>
[SECURITY] [DSA 2404-1] xen-qemu-dm-4.0 security update
Florian Weimer (Feb 05)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2404-1 security () debian org
http://www.debian.org/security/ Florian Weimer
February 05, 2012 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : xen-qemu-dm-4.0
Vulnerability : buffer overflow
Problem...
Re: Tricky Shellcode
bashrc (Feb 05)
Hello Joshua,
your shellcode is basically decrypting some string using 8-bit XOR with
the key 0x41.
You can use ndisasm for analysing it. The code is easy to understand if
you know assembler.
Regards,
bashrc
$ ndisasm -b 32 SC
00000000 31C0 xor eax,eax
00000002 50 push eax ;push 0
00000003 6870797178 push dword 0x78717970 ; push string
00000008 6872772771 push dword 0x71277772
0000000D...
Re: Vulnerability-lab.com XSS
Valdis . Kletnieks (Feb 04)
On Sat, 04 Feb 2012 08:06:47 +1100, doomxd said:
Dale Carnegie is rolling over in his grave...
Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
Exploit Pack - Hacking Microsoft Word and Excel
noreply (Feb 05)
This video shows how to exploit a vulnerability in Microsoft Word and
Excel by using Exploit Pack 2.1.7. Get your own copy of Exploit Pack
from: http://exploitpack.com
Check it out: http://www.youtube.com/watch?v=4n0J6DXFQI0
Exploit Pack Team
Juan Sacco
http://exploitpack.com
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the...
Re: Best Commercial Security Testing tools
security () stealthnodes com (Feb 05)
Rapid7, Core-impact, saints corp, GFI, WebInspect, AppScan, Alert Logic
(service), Nessus, mavitunasecurity (netsparker)
All are great tools and each has its strength and weaknesses so you need
to test and find out which works best for your needs
-Payam
Re: VPN Service
Jason Hellenthal (Feb 05)
Most of all IRC & IM for a good majority of common services use SSL to
encrypt traffic. I don't know what you use for an IRC client but Irssi
has a -ssl connect/server switch to connect to those servers that have
it configured already and if they don't then you should take it up with
their operators. As for IM your traffic is subject to the operating
server either find a service that is encrypted or route it through Tor
but...
RE: CISSP online training
Pranav Lal (Feb 05)
www.cccure helped me too! It gave me a good idea of the kind of questions
that would come and gave me a way to test myself. That is crucial since you
have a lot of material to get through.
Most of the questions were case study style of questions if I remember
correctly.
Pranav
RE: VPN Service
David Gillett (Feb 03)
Traditionally, VPNs have been a service that corporate/institutional IT
departments have implemented to allow their users to access internal
resources remotely and securely. This doesn't appear to be what you have in
mind.
Only within the last 3-6 months, I've started getting spammed (NOT a
recommendation!) by mysterious third parties offering VPN services "to the
Internet", apparently as a way to secretly violate local...
Re: VPN Service
Jeffrey Walton (Feb 03)
Scratch the UK too. The long arm of the US reached in to the UK also.
"VPN provider helped track down alleged LulzSec member",
http://seclists.org/fulldisclosure/2011/Sep/286.
Re: VPN Service
xgermx (Feb 03)
Sounds like WiTopia might be a good fit for you.
https://www.witopia.net/
Re: VPN Service
Pierre Jaury (Feb 03)
Additionally to my previous reaction: using Tor is almost no better than
using VPN. At least it does not create artificial central communication
points, yet it does not actually help with anonymity or obfuscation: you
are not anonymous or safe using the remote application unless this
application includes such features.
The only actual interesting Tor use case remains hidden services imho.
Re: VPN Service
Nicolas Bazire (Feb 03)
Before looking at the price, the encryption level and the available
bandwidth, you should really investigate on the privacy policy of the
provider. More importantly, you should check the country in which the
company is registered and the laws regarding privacy in that country.
For instance, forget about any VPN provider operating in America.
Thanks to the Patriot Act, law enforcement agencies can basically get
any information from any company...
Re: VPN Service
Pierre Jaury (Feb 03)
Hello,
Basically, VPN are not meant to act as encrypting gateways, but to
securely and transparently connect remote sites. Using them for Internet
anonymity is a common terrible mistake:
- first, anonymity has nothing to do with networking, you are trying
this the wrong way: anonymity and obfuscated communications is a matter
of application, then use the right applications (first SSL, https, etc,
then have a look at PGP and so before you spend...
Re: VPN Service
Glenn English (Feb 03)
Please excuse my possible ignorance, but I don't understand why you need a 'provider' for a VPN. I use OpenVPN on
Linux, and I think it can be installed on other platforms as well. It's free. And if you're using Cisco or Juniper
routers/firewalls, they will create an IPsec VPN. That's also free, once you pay for the box. The ones around here
will, anyway...
Re: VPN Service
Kalka, Jean F DOD CIV (US) (Feb 03)
Agree on strong vpn. And it works well overseas
Sent from US Delegation BlackBerry device
----- Original Message -----
From: Voulnet [mailto:voulnet () gmail com]
Sent: Friday, February 03, 2012 06:30 PM
To: haZard0us <hazard0us.pt () gmail com>
Cc: security-basics () securityfocus com <security-basics () securityfocus com>
Subject: Re: VPN Service
StrongVPN is one good choice. You can get an OpenVPN bundle which
helps against VPN...
Re: VPN Service
John Hebert (Feb 03)
A VPN provider can secure your connection to them. However, the traffic between the VPN provider and the destination
server is still as secure/insecure as before.
Re: VPN Service
Jeffrey Walton (Feb 03)
Does it have to be a VPN (IPSec or L2TP)? VPN providers have shown a
penchant for selling out their customers to law enforcement and other
authorities despite their claims.
TOR is a good alternative, but does not operate as low in the stack.
TOR offers confidentiality and does a better job at anonymity.
Additionally, the EFF's Https Everywhere will help you with HTTP
(https://www.eff.org/https-everywhere).
Jeff...
Re: VPN Service
Kalka, Jean F DOD CIV (US) (Feb 03)
In the US or outside CONUS
Sent from US Delegation BlackBerry device
----- Original Message -----
From: haZard0us [mailto:hazard0us.pt () gmail com]
Sent: Friday, February 03, 2012 03:39 AM
To: security-basics () securityfocus com <security-basics () securityfocus com>
Subject: VPN Service
Hello all,
I'm looking for a VPN provider to encrypt my communications. My main
objective is to get secure communications while being able to...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
[HITB-Announce] Reminder: HITB2012AMS Call For Papers Closing Soon
Hafez Kamal (Jan 27)
This is a gentle reminder that the Call for Papers for the third annual
HITBSecConf in Europe closes on the 18th of February! Send in your
submissions now!
http://cfp.hackinthebox.org/
---
This year, we're moving to a new, bigger and better venue -- the
award winning Okura Hotel right in middle of Amsterdam with easy access
via public transportation. #HITB2012AMS will be a quad-track conference
featuring keynote speakers Andy Ellis (Chief...
DoS attacks using Exploit Pack
noreply (Jan 22)
DoS attacks by using Exploit Pack
What is this? Exploit Pack is a next generation tool to assist you
while you perform penetration testing to your workstations or servers.
Make your workstation safe by testing its security. Before hackers do.
Take a look at this tool while we perform a denial of service to a test
site.
http://www.youtube.com/watch?v=1dBa2jBu1XE
Exploit Pack Team
Juan Sacco
Dev Lead
http://exploitpack.com...
Technology Neutral Healthcheck
cribbar (Jan 19)
Can I ask if any of you have roles as security admins or managers if you have
a sort of baseline checklist you use for when departments in your company
come calling saying they need a new payroll system, or a new procurement
system or whatever. I am in a very jnr role in a risk section but I thought
it wouldn't do any harm to see the kind of checks or questions you'll ask any
3rd party offering a solution/application for you that will give...
Re: Goofile 1.0 - Command line google search for files by domain
James Condron (Jan 18)
Tom,
You can do this in about five lines with the Google REST interface
http://code.google.com/apis/customsearch/v1/using_rest.html
In much the same way the old JSON interface worked (prior to
deprecation a year or two ago, though it does still work to an
extent).
Additionally you're passing the variable 'cant' to run(); where is
this being used? And why, by using a global with a maximum of 100 and
then having this value set to...
Exploit Pack - New release
noreply (Jan 18)
Exploit Pack is a Security Tool that will assist you while you test the
security of your workstations or networks. With a friendly and easy to
use interface, it has an update manager to keep you up to date and an
IDE to develop or modify its modules. Also we provide you with
technical support if you need it. Try it out and purchase a subscription
now. Make your computer safe using Exploit pack.
Make your workstation safe by testing it...
Goofile 1.0 - Command line google search for files by domain
tom (Jan 18)
Greetings!
Goofile 1.0 has been released. This tool will perform queries against
a domain for a particular filetype. I hope this will help with
enumeration!
http://code.google.com/p/goofile
Re: Best route to penetration testing learning
wlandymore (Jan 11)
Thanks for the tips guys. I've seen the offensive-security.com website and I
was interested in that because it had the 'real' hands on labs and then a
certification that was very similar. It seemed to be the best for 'real
world experience' so I was actually going to take that course.
I'll set up a test lab here and start working away, but I appreciate the
opinions and direction.
Thanks.
Archangel Amael wrote:
Re: Best route to penetration testing learning
robertwood50 (Jan 07)
The SANS courses are pretty good in that you will actually be learning useful information, not just information
required to pass a test. Also, for a lot of Security Consultant jobs, either the CISSP or a GIAC cert is required so
this is another reason to get involved with SANS.
In my opinion, books are great but they only get you so far. You only retain the knowledge in a book for so long unless
it is put into practice. For reading I would...
Re: Best route to penetration testing learning
Archangel Amael (Jan 07)
Hello,
There will likely be many opinions on the matter but a quick link or
two to help get you going, would be
http://www.offensive-security.com/ While not an easy certification to
be sure, it will likely be one of the most realistic in terms of
actually using Penetration testing tools within a realistic network
environment.
For an extensive collection of free information regarding using
metasploit and some other pentesting tools, check out...
Best route to penetration testing learning
wlandymore (Jan 06)
I'm new to penetration testing and recently took the CEH. I found that it was
pretty basic but I was wondering if people had some insight as to the best
route to take if you wanted to be a penetration testing engineer....
Any courses/books that are mandatory that will help get me on my way, or
other opinions as to how I can get into this?
Thanks.
AppSec DC 2012 CFP EXTENDED!
AppSec DC (Jan 06)
All,
Many of you have written to us asking about the requirement for a
paper in our CFP hosted on EasyChair. Due to an unforeseen change in
the way EasyChair works, you are no longer able to configure a
submission to require only an abstract as we thought we had done, and
done in the past. To be clear, we are ***NOT*** requiring papers with
our CFP submissions. As we have already started the CFP and can not
move the platform we ask that...
Arachni v0.4 has been released (Open Source Web Application Security Scanner Framework)
Tasos Laskos (Jan 06)
Hi guys,
This is just to let you know that there's a new version of Arachni.
Arachni is a high-performance (Open Source) Web Application Security
Scanner Framework written in Ruby.
This version includes lots of goodies, including:
* A new light-weight RPC implementation (No more XMLRPC)
* High Performance Grid (HPG) -- Combines the resources of multiple
nodes for lightning-fast scans
* Updated WebUI to provide access to HPG...
RE: Nmap
S Walker (Jan 02)
Just an added note to the current replies (which are all great for hosts not in the local broadcast domain): It is
almost certain that every device in your local network will respond to an ARP request. nmap does this by default anyway
(-PR for local networks), but it's worth bearing in mind, as something local that won't respond to an ARP request is
almost certainly not reachable.
S
----------------------------------------...
Re: Nmap
Juan Pablo (Jan 02)
Sorry for the late answer...
But when you scan for machines that do not answer to ping (it means
answer with an echo reply for each echo request), you could try using
timestamp, and will return timestamp reply, and also information
request and wait for an information reply
Both could be useful also to detect equipments that do not answer to
ping. And if you want something more "noisy" maybe a network discovery
or a -P0 option.
Here...
[TOOL RELEASE] Technitium MAC Address Changer v6 (FREEWARE)
Shreyas Zare (Jan 02)
Hi,
Technitium MAC Address Changer allows you to change Media Access
Control (MAC) Address of your Network Interface Card (NIC)
irrespective to your NIC manufacturer or its driver. It has a very
simple user interface and provides ample information regarding each
NIC in the machine. Every NIC has a MAC address hard coded in its
circuit by the manufacturer. This hard coded MAC address is used by
windows drivers to access Ethernet Network (LAN)....
Info Security News — Carries news items (generally from mainstream sources) that relate to security.
HITBSecConf2012 - Amsterdam brings new hackathon, Capture The Flag and keynotes by Bruce Schneier and Andy Ellis
InfoSec News (Feb 03)
http://conference.hitb.nl/hitbsecconf2012ams/
Amsterdam, The Netherlands, 1 February 2012 -- Hack In The Box Security
Conference is back again in Amsterdam this year for the European leg of
its annual circuit. From the 21st to the 25th of May, this deep
knowledge security conference will once again bring together a unique
mix of security professionals, independent researchers, government and
law enforcement officials and members of the...
Report: Data breaches from unencrypted devices up 525% in 2011
InfoSec News (Feb 03)
http://www.fiercehealthit.com/story/report-data-breaches-unencrypted-devices-525-2011/2012-02-01
By Dan Bowman
FierceHealthIT
February 1, 2012
Healthcare organizations need to "serve as their own watchdog" to
increase security and decrease data breaches, a new report from IT
security audit firm Redspin concludes. The increase in "bring your own
device" policies at various hospitals, in addition to the continued...
Half of Fortune 500 firms infected with DNS Changer
InfoSec News (Feb 03)
http://www.computerworld.com/s/article/9223941/Half_of_Fortune_500_firms_infected_with_DNS_Changer
By Gregg Keizer
Computerworld
February 2, 2012
Half of all Fortune 500 companies and major U.S. government agencies own
computers infected with the "DNS Changer" malware that redirects users
to fake websites and puts organizations at risk of information theft, a
security company said today.
DNS Changer, which at its peak was...
Secunia Weekly Summary - Issue: 2012-05
InfoSec News (Feb 03)
========================================================================
The Secunia Weekly Advisory Summary
2012-01-26 - 2012-02-02
This week: 142 advisories
========================================================================
Table of Contents:
1.....................................................Word From Secunia...
VeriSign 2010 Hack: DNS Data Theft A Possibility
InfoSec News (Feb 03)
http://www.informationweek.com/news/security/attacks/232600151
By Mathew J. Schwartz
InformationWeek
February 02, 2012
Several successful hacks of VeriSign's network, in 2010, might have
compromised critical information relating to the Internet's domain name
system (DNS).
According to information released by VeriSign in October 2011, "we have
investigated and do not believe these attacks breached the servers that
support our...
Teen finds bugs in Google, Facebook, Apple, Microsoft code
InfoSec News (Feb 03)
http://news.cnet.com/8301-27080_3-57369971-245/teen-finds-bugs-in-google-facebook-apple-microsoft-code/
By Elinor Mills
InSecurity Complex
CNet News
February 2, 2012
When he's not at school, 15-year-old Cim Stordal spends his time playing
the Team Fortress video game, shooting his Airsoft pellet gun, and
working in a fish shop in Bergen, Norway. But his real passion is
finding bugs in software used by millions of people on the Internet....
Oscars vote vulnerable to cyber attack under new online system, experts warn
InfoSec News (Feb 03)
http://www.guardian.co.uk/film/2012/feb/02/oscars-vulnerable-cyber-attack-experts-warn
By Andrew Gumbel
guardian.co.uk
2 February 2012
Computer security experts have warned that the 2013 Oscars ballot may be
vulnerable to a variety of cyber attacks that could falsify the outcome
but remain undetected, if the Academy of Motion Picture Arts and
Sciences follows through on its decision to switch to internet voting
for its members.
The Academy...
Espionage gang made illegal recordings of staff at TUBITAK
InfoSec News (Feb 01)
http://www.todayszaman.com/news-270207-espionage-gang-made-illegal-recordings-of-staff-at-tubitak.html
TODAY'S ZAMAN
1 February 2012
An espionage gang that used blackmail to extort intelligence on Turkey's
security projects installed secret cameras all over a facility of the
Scientific and Technological Research Council of Turkey (TÜBİTAK) and
illegally videotaped most of the agency's employees for blackmail
purposes.
An...
FBI Targets "Hoarder" In Top-Secret Thefts
InfoSec News (Feb 01)
http://www.thesmokinggun.com/documents/stolen-top-secret-documents-346219
The Smoking Gun
February 1, 2012
FEBRUARY 1 -- A U.S. government employee with a top-secret security
clearance is the subject of an FBI investigation into his unauthorized
removal of classified material from the Virginia offices of an
intelligence agency, The Smoking Gun has learned.
When the target was confronted last month by federal agents, he
described himself as...
BlackBerry OS Achieves Coveted Government Security Clearance
InfoSec News (Feb 01)
http://www.pcworld.com/businesscenter/article/249140/blackberry_os_achieves_coveted_government_security_clearance.html
By Tony Bradley
PCWorld
Feb 1, 2012
Don’t nail the coffin shut on RIM just yet. Following a shakeup of
executive leadership, and the launch of BlackBerry Cloud Service and
Office 365 integration, RIM announced today that the BlackBerry 7 OS has
received FIPS 140-2 certification.
Both the BlackBerry 7 and BlackBerry 7.1...
Cyber Attacks Becoming Top Terror Threat, FBI Says
InfoSec News (Feb 01)
http://www.informationweek.com/news/government/security/232600046
By J. Nicholas Hoover
InformationWeek
February 01, 2012
Cyber attacks against government agencies and businesses in the United
States continue to rise, and cyber threats will one day surpass the
danger of terrorism to the United States, intelligence community
officials said in an open hearing of the Senate select intelligence
community Tuesday.
"Stopping terrorists is...
Romanian cops cuff suspected serial hacker TinKode
InfoSec News (Feb 01)
http://www.theregister.co.uk/2012/02/01/tinkode_nasa_hack_suspect_cuffed/
By John Leyden
The Register
1st February 2012
Romanian police have arrested a man suspected of breaking into the
websites of NASA and the Pentagon in a series of high-profile hack
attacks.
Razvan Manole Cernaianu, 20, from Timisoara, is accused of publishing
details of the SQL injection vulnerabilities discovered on the targeted
websites under the hacker handle...
The BSidesSF show will go on
InfoSec News (Feb 01)
http://blogs.csoonline.com/security-leadership/2008/bsidessf-show-will-go
By Bill Brenner
Salted Hash
CSO Online
January 31, 2012
BSidesSF has been saved, thanks to a financial commitment from Lee
Kushner (@ljkush) at Information Security Leaders.
The announcement came shortly after Sandra Toms LePedis of RSA
Conference responded to the controversy about BSidesSF. Her post began
with the standard "RSA supports a wide ecosystem of...
Carder Forced Gang Members to Have Sex to Weed Out Undercover Feds
InfoSec News (Feb 01)
http://www.wired.com/threatlevel/2012/01/carder-sex-gang/
By Kim Zetter
Threat Level
Wired.com
January 31, 2012
The mastermind of a carding gang in Georgia devised a novel way for
weeding out undercover Feds from his operation -- he forced members to
have group sex, according to a local police detective who helped bust
the ring.
Vikas Yadav, an Indian national who was deported in 2010, recruited
other carders and mules through...
Researchers Postpone Release Of Free Smart Meter Security Testing Tool
InfoSec News (Feb 01)
http://www.darkreading.com/advanced-threats/167901091/security/vulnerabilities/232500808/researchers-postpone-release-of-free-smart-meter-security-testing-tool.html
By Kelly Jackson Higgins
Dark Reading
Jan 31, 2012
Smart grid researchers pulled their talk and planned release of a new
security assessment tool for smart grid meters during the ShmooCon
conference after a vendor voiced concerns about the research.
Don Weber, a senior security...
Firewall Wizards — Tips and tricks for firewall administrators
Ruxcon 2011 Final Call For Papers
cfp (Aug 21)
Ruxcon 2011 Final Call For Papers
The Ruxcon team is pleased to announce the final call for papers for the seventh annual Ruxcon conference.
This year the conference will take place over the weekend of 19th and 20th of November at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of October.
* What is Ruxcon?
Ruxcon is the premier technical computer security conference in the Australia-Pacific region....
Re: Securing email by inhibiting urls
Paul D. Robertson (Aug 12)
The mail server isn't the target, the desktop is- that's where your
protection needs to be.
Which is it? Attachments, or links? Those are two different issues.
Seems to me like not letting encrypted attachments through would be a
good start. It also seems that not letting most MIME types through the
HTTP proxy would be a good second step. Exceptions on a by-domain basis
tend to take about a week to get cleared up if you do it...
Re: Securing email by inhibiting urls
Marcus Ranum (Aug 12)
Jean-Denis Gorin writes:
I saw a company that did that, years ago. They had all incoming mail go
through mimedefang and all URLs got converted to https:-URL pointing to
their proxy server, which required a login. They also had a whitelist
ruleset in the rewrite, so that some URLs didn't get rewritten on a
case-by-case basis. Anything with metacharacters or on a blacklist got
rewritten to a warning. That was the first layer.
The other...
Re: Securing email by inhibiting urls
Chris (Aug 12)
Thanks for the response.
1. We block china but that doesn't stop mail being sourced from a
hacked American company
2. We don't allow any webmail access from our site. For business
reasons we are not allowed to block mail from anything but "freemail" sites
like gmail, hotmail etc.
3. We have Brightmail, Juniper IDS, ISS IDS and Symantec Antivirus
protecting all mail servers.
We don't have issues with...
Re: Securing email by inhibiting urls
Jean-Denis Gorin (Aug 12)
----- Marcus Ranum <mjr () ranum com> wrote:
There might be a way *evil grin*
1- convert ALL incoming email to text/plain format (all those HTML formatted emails from outside are bullshit: SPAM,
commercials from vendors, invitations to shiny conferences, etc.)
2- substitute ALL URL with 'that link was removed for security reason [*]', with [*] stating: 'if access to that link
is needed, please contact the sender of the...
Re: Securing email by inhibiting urls
Ilias - (Aug 11)
Hi,
I'm using MailMarshal with blended threat module, which also protect against zero day exploit URL's.
Take a look at the PDF :
http://www.m86security.com/documents/pdfs/datasheets/email_security/DS_Blended_Threats_Module.pdf
If you want some further information about this solution and how you can use this.. Send me an (direct) message.
Best regards,
Ilias
Send from my Blackberry
-----Original Message-----
From: Raphael Rivera...
Re: Securing email by inhibiting urls
Timothy Shea (Aug 11)
You are focusing on the wrong problem. If desktops are being infected then
your desktop, anti-spam, and web browsing controls are all weak.
Eliminating "links" in e-mail is going to accomplish nothing.
A commercial web content filter for web browsing will go a long way to
resolving your issues. Most commercial content filters are continuously
updated throughout the day and much can be filtered out via categories. We
went from...
Re: Securing email by inhibiting urls
Victor Williams (Aug 11)
Cisco Ironport or McAfee's two offerings: Email & Web Security Appliance or
Email Gateway.
The McAfee products used to be Secure Computing's Ironmail appliances, but
were bought with the Secure Computing acquisition.
Additionally, you should implement a true URL and content filtering service.
Even if an email gets through here or there, clicking on the link in it
will do more or less nothing if you have a "good"...
Re: Securing email by inhibiting urls
Marcus Ranum (Aug 11)
Chris wrote:
Stupid users, too much connectivity, good security - you can have
any two.
I'm guessing that when you say "trusted source" what you mean
is "apparently trustworthy source" - not that you actually have a
list somewhere of trusted sources. If you had a list of trusted
sources then you could put in a firewall that did URL filtering
then have 2 group policies: "users who click on bad URLs"
and...
Re: Securing email by inhibiting urls
Mark E. Donaldson (Aug 11)
You need to re-think how you handle mail. Two things:
1. Take out all Chinese IP addresses at the firewall. Nothing of value comes out of China. 99% of it is toxic.
Why let them even have a chance?
2. Direct webmail over the internet is dangerous at best. You need to set up an SMTP mail proxy on your system
that receives, processes, and either accepts or rejects all incoming email. Use Sendmail + MailScanner + SpamAssassin +...
Re: Securing email by inhibiting urls
Raphael Rivera (Aug 11)
Chris,
Have you all tried barracuda spam firewall?
Sent from my iPhone
Re: Securing email by inhibiting urls
Chris (Aug 11)
I'll check out Ironport. We looked at this earlier but there was something about it at the time that caused us to not
buy it. Time to revisit...
Thanks
-----Original Message-----
From: Kaas, David D [mailto:David_D_Kaas () RL gov]
Sent: Thursday, August 11, 2011 12:06 AM
To: 'chughes () l8c com'; 'Firewall Wizards Security Mailing List'; 'firewall-wizards () listserv cybertrust com'
Subject: RE: [fw-wiz]...
Re: Securing email by inhibiting urls
Chris (Aug 11)
Should have mentioned that this is a MS Exchange environment. Spam filters are currently MS based but that’s
up for grabs if we can replace them with something that provides the same functionality in place now. Currently using
Brightmail and other than disabling/replacing urls in email it is working pretty good.
-----Original Message-----
From: Kurt Buff [mailto:kurt.buff () gmail com]
Sent: Thursday, August 11, 2011 1:32 AM
To:...
Re: Securing email by inhibiting urls
Chris (Aug 11)
This won't work. This site is under constant attack from China and randomly
hacked domains that are used as relays are not on any watch lists. We are
talking zero day here. There are no signatures for the payload if a user
clicks these links. Right now user awareness is our best line of defense
and we all know how reliable that is.
Until I can disable a user's ability to click a url in an email that appears
to come from a trusted source,...
Re: Securing email by inhibiting urls
Kurt Buff (Aug 11)
Which is why I use a mail gateway for $WORK.
IDS Focus — Technical discussion about Intrusion Detection Systems. You can also read the archives of a previous IDS list
CFP: Deadline Extended: SLAML'10
Mohror, Kathryn (Jun 18)
Workshop on Managing Systems via Log Analysis and Machine
Learning Techniques (SLAML '10)
=============================================
October 2-3, 2010
Vancouver, BC, Canada
(at OSDI)
http://www.usenix.org/events/slaml10/cfp/
=============================================
********...
Announcement: xtractr updates
pcapr (Jun 08)
Just a quick note to let you know that the lite version of xtractr can
now index up to 10 million packets or 1GByte of pcaps. This makes it
easy to grab large packet traces from a production network and perform
troubleshooting and forensics with just a few clicks. We have also
updated the live demo of xtractr to use the pcap from the Honeynet
Challenge #4 (VoIP). Can you answer the forensics questions?
http://www.pcapr.net/xtractr
If you are...
Performance measurement tool for IDS/IPS
wittybugz (Jun 01)
Hi All,
Is any tool available in market (free or paid) for measuring performance of Host based IDS/IPS devices?
I want to measure performance for protocols like HTTP,FTP,SMB/RPC,DNS etc.
Thanks,
Prateek
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
Re: Apache Killer - take 2?
Anestis Bechtsoudis (Jan 23)
Apache byte-range killer use many small byte-range chunks in a single
request. So no, your attached request is not related to such an attack.
At latest Apache stable release (2.2.21) -1 is not a valid
entity-length, resulting in a full size 200 response (and not a 206
partial content response) despite the requested range.
For better understanding take a look at modules/http/byterange_filter.c
at apache sources.
I attach a simple perl PoC to...
Re: Apache Killer - take 2?
Damiano Bolzoni (Jan 23)
You are right, I didn't write it down properly...what I meant is
"doesn't it look like a clumsy way to exhaust resources (due to the +inf
number that should result from 1024/-1)".
Perhaps another web server is vulnerable? This kind of "checks" are
usually performed randomly by scanners...
It's just really weird that a client sends that header value, I searched
around but couldn't find any other example......
Apache Killer - take 2?
Damiano Bolzoni (Jan 22)
Hi all,
today we saw a weird HTTP header in a request that came to a web server
we are monitoring:
HEAD /contact HTTP/1.1
Content-Range: bytes 1-1024/-1
User-Agent: Opera/9.80 (Windows NT 5.1; U; pl) Presto/2.5.22 Version/10.51
Host: www.xyz.nl
Accept: */*
The offending IP is not in any blacklist, and the intent is kind of
clear...the server is Apache, but I have no detailed information about
the version/patching level. The server went ahead...
CarolinaCon-8/2012 - Final Announcement/Call for Papers/Presenters/Speakers
Vic Vandal (Jan 12)
h4x0rs, InfoSec professionals, international spies, script kidz, and posers,
CarolinaCon-8 will occur on May 11th-13th 2012 in Raleigh NC (USA). We are now officially accepting speaker/paper/demo
submissions for the event.
If you are somewhat knowledgeable in any interesting field of hacking, technology, robotics, science, global
thermonuclear war, etc. (but mostly hacking), and are interested in presenting at CarolinaCon-8, we cordially...
OWASP AsiaPac 2012 - Sydney Australia CFP and CFT
Andrew van der Stock (Jan 11)
Colleagues,
In 2012, OWASP is holding Global AppSec AsiaPac Conference in Sydney Australia! OWASP Asia Pacific is the foremost
Application Security conference for the region, and brings together the community in a central meeting for 4 days to
discuss and present on recent and current Application Security related topics. In previous years the conference has
been held on the Gold Coast Australia, in 2012 the event has been moved to Sydney, and...
RE: Application Security
Milind Nanal (Jan 11)
Reference on the subject. Members view on these points how they are managing similar
Requirement. Information on tools etc.
Regards,
Milind Nanal
-----Original Message-----
From: Yiannis Koukouras [mailto:ikoukouras () gmail com]
Sent: Wednesday, January 11, 2012 6:33 PM
To: Milind Nanal
Cc: security-basics () securityfocus com; webappsec () securityfocus com; pen-test () securityfocus com
Subject: Re: Application Security
Hi,
Not sure...
Re: Application Security
Yiannis Koukouras (Jan 11)
Hi,
Not sure what you are actually looking for...
Are you looking for references on those subjects or are you looking to
recruit people to perform these tasks?
BR,
Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM, OSCP
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras
Application Security
Milind Nanal (Jan 08)
Hi Mailing list,
Seeking help below scenario :
1) The organization software development life cycle where in application security needs to be plugged in as focused
approach.
2) Deployment & planning on roles & responsibilities of dedicated 4-5 members as apps tester & an apps test manager
from info sec apps testing.
3) Plan for training developers, quality staff & apps testing team on various info sec aspect of application...
Re: stacking proxies
Robin Wood (Jan 08)
I know this is what he was talking about and I've got the chain that
Jason suggested, what I'm after is what chains other people use and
why.
When chaining proxies there is a chance of the two interfering with
each other so you have to make sure they are in the right order, for
example Burp through Ratproxy might work but Rat through Burp may
fail.
Chaining may be used to improve efficiency due to lack of time or just
to improve the...
AppSec DC 2012 CFP EXTENDED!
AppSec DC (Jan 08)
All,
Many of you have written to us asking about the requirement for a
paper in our CFP hosted on EasyChair. Due to an unforeseen change in
the way EasyChair works, you are no longer able to configure a
submission to require only an abstract as we thought we had done, and
done in the past. To be clear, we are ***NOT*** requiring papers with
our CFP submissions. As we have already started the CFP and can not
move the platform we ask that...
Arachni v0.4 has been released (Open Source Web Application Security Scanner Framework)
Tasos Laskos (Jan 08)
Hi guys,
This is just to let you know that there's a new version of Arachni.
Arachni is a high-performance (Open Source) Web Application Security
Scanner Framework written in Ruby.
This version includes lots of goodies, including:
* A new light-weight RPC implementation (No more XMLRPC)
* High Performance Grid (HPG) -- Combines the resources of multiple
nodes for lightning-fast scans
* Updated WebUI to provide access to HPG...
Re: stacking proxies
Jamie Riden (Jan 03)
To be honest, I just use Burp (Pro).
I've seen people route sqlmap through Burp as well though, if it's not
immediately obvious how to exploit the issue - helps with analysis.
cheers,
Jamie
Re: stacking proxies
Robert Hajime Lanning (Jan 03)
I am putting together: (in this order)
Nginx (ssl)
Varnish (caching)
Haproxy (load balancing/fail over)
Re: stacking proxies
Robin Wood (Jan 03)
Most of my clients like to know where the attack will be coming from
so they can monitor it in their logs. I do some attacks through either
tor or from a different IP so I can see if they have enabled/disabled
anything special for the IP I told them I was using.
Robin
stacking proxies
Robin Wood (Dec 31)
I watched Jason Haddix talk at BruCon and he talked about stacking
proxy servers when doing web app tests so that you could get the best
out of each one.
I've been meaning to ask for a while, what proxies do people use when
stacking and in what order?
Robin
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Anyone else wondering...
Isaac Dawson (Feb 04)
How hard of a time the FBI is going to have with removing anonymous from
their networks now? This whole leaked conference call recording reminded me
of an email Dave sent out (which I can't seem to find) where he mentioned
the longer an attacker is ingrained in your network, the harder they are to
remove.
-Isaac
CFP for LEET
dan (Feb 04)
FYI. It is a good meeting.
--dan
------- Forwarded Message Body
I'm writing to remind you that the submissions deadline for the 5th
USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '12)
is just under three weeks away.
Please submit your work by Thursday, February 23, 2012, 11:59 p.m. PST.
http://www.usenix.org/leet12/cfpb
Now in its fifth year, LEET continues to provide a unique forum for the
discussion of...
More grist for the mill
Dave Aitel (Jan 30)
Democratic Cyber Security Plan (to be voted on this week or something):
http://www.opencongress.org/bill/112-s413/show
Today's Republican response (which can be summed up to "I don't think
so", but the "regulation" angle is a continuing tough one here):
http://www.politico.com/news/stories/0112/72120.html
Also, the WSJ posted an opinion piece this weekend on cyber-security:...
Cyber Politics By Other Means
Dave Aitel (Jan 27)
Dear DD - attached is some red meat. :>
-dave
Introduction
It is, of course, very possible that hackers will get to help choose
America's next president. Possibly not in the most direct way (aka,
attacking the electoral system directly, the candidates, or the super
PACs that support their campaigns), although this did happen to some
extent last time around
<...
Alligators
Dave Aitel (Jan 19)
INFILTRATE 2012 is over (as of an hour from now). I will say that all
the talks, especially the keynotes, exceeded our expectations. That's a
good thing - we had high expectations even of Thomas Lim!
Here is one review:
http://blog.opensecurityresearch.com/2012/01/infiltrate-wrap-up.html
Immunity gave two talks ourselves. We'll release Leo's later, but you
should read Mark's now:
And here is Mark's Prezi:...
Open Bars
Dave Aitel (Jan 09)
So we ordered quite a few open bars for INFILTRATE people - one of which
is the night before the conference (see below). Also, as a reminder, the
Master Class and Unethical Hacking classes DO start on Sunday. That's
SUNDAY. Not MONDAY. You can ask me why during one of the many open bars! :>
Also if you are on the twitterz you should probably follow
@InfiltrateCon (https://twitter.com/#!/infiltratecon
<...
Security Event Horizons
Dave Aitel (Jan 09)
Every so often you see a ton of effort from a security person go into a
platform or protocol that most people ignore. For example, X405, or
MSRPC or DCERPC or HTTP or the BlackBerry Playbook. I don't have a good
way to explain it, but there's an event horizon where once you've
understood a platform enough, the only way to secure it against you is
to turn it off or tunnel it completely under something that provides its
own...
New Paper - Acquisition and Analysis of Volatile Memory from Android Devices
Andrew Case (Jan 09)
We are writing to announce that our paper on Android memory forensics has
just been published in the Journal of Digital Investigation. Please see the
following blog post for complete details and the paper:
http://dfsforensics.blogspot.com/2012/01/new-paper-acquisition-and-analysis-of.html
If you have any questions or comments please reply to this Email or comment
on the blog.
Thanks,
Andrew
Re: Symantec AV source compromised and the questions it raises
Michal Zalewski (Jan 06)
This reminds me of the wise words of the chairman of Trend Micro:
"Android is open-source, which means the hacker can also understand
the underlying architecture and source code. We have to give credit to
Apple, because they are very careful about it. It's impossible for
certain types of viruses to operate on the iPhone."
Shortly thereafter, Kaspersky "joined" the open source community, and
now looks like Symantec will,...
Symantec AV source compromised and the questions it raises
Mohammad Hosein (Jan 06)
"Sadly, we'll likely never know the answer."
How come? Attackers can easily post details on how they compromised the
targets and to whom they belong, and considering there could be a couple of
names and, perhaps, some phones or emails included in such a leak, it
shouldn't be hard to connect the dots. The cybergames between Pakistani and
Indian groups have been going on for a very long time now and although people in
forums and tweets are...
Symantec AV source compromised and the questions it raises
William Arbaugh (Jan 06)
Security Week ran a story that Symantec's AV source was obtained (and soon to be released) via a compromise of an
Indian Military Intelligence server.
http://www.securityweek.com/symantec-investigating-possible-theft-norton-av-source-code
Symantec issued a statement that the compromise and eventual release of the source does not place customers at risk
since the source is 4+ years old....
Apache Struts
Dave Aitel (Jan 06)
Just how bad is that Sec-Consult Apache Struts vulnerability...
(from their advisory)
___
2.) Remote command execution in Struts <= 2.3.1 (CookieInterceptor)
Given struts.xml is configured to handle all cookie names (independent
of limited cookie values):
<action name="Test" class="example.Test">
<interceptor-ref name="cookie">
<param...
Re: INFILTRATE Book Club Part 2
h1kari (Jan 05)
Hey guys,
Sorry about the shameless self-promotion, but I just thought I'd
mention that my wife and I run a technical bookstore in Seattle and
we're part of the computer security community (I started and run
ToorCon/ToorCamp/etc) so our bookstore is obviously heavily based
around supporting the local community and fostering tech innovation in
the area.
I say this because we just started selling Google eBooks and so if you
have a...
INFILTRATE Book Club Part 2
Dave Aitel (Jan 04)
So I personally wasn't a huge fan, but more than one person has
suggested Daemon by Leinad Zeraus. But you can't buy this in electronic
format anymore for some reason, and I can't find the torrent on
PirateBay, so it's not eligible! You're better off reading Daniel Keys
Moran's AI War instead. :>
http://www.amazon.com/I-War-Book-One-ebook/dp/B004XMR5A4
At this year's INFILTRATE, due to a few factors, we have...
InfoSec Southwest 2012 CFP First-round Speaker Selections
I)ruid (Jan 04)
Hello,
InfoSec Southwest is proud to announce our keynote speaker and
first-round speaker selections for our 2012 conference. Our CFP remains
open until February 1st 2012 after which we will make our remaining
final speaker selections. CFP information is available at:
http://www.infosecsouthwest.com/cfp.html
Keynote Speaker: Peiter "Mudge" Zatko
We're quite excited to have Mudge accept our invitation to be our
Keynote...
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
Exploit Pack - Hacking Microsoft Word and Excel
noreply (Feb 05)
This video shows how to exploit a vulnerability in Microsoft Word and
Excel by using Exploit Pack 2.1.7. Get your own copy of Exploit Pack
from: http://exploitpack.com
Check it out: http://www.youtube.com/watch?v=4n0J6DXFQI0
Exploit Pack Team
Juan Sacco
http://exploitpack.com
Re: Remote Management & Monitoring, Remote Connect (VNC, Logmein, etc) & Data Sharing tools list
Tim Krabec (Feb 05)
Thanks
ShmooCon Firetalks 2012 Videos
Adrian Crenshaw (Feb 05)
ShmooCon Firetalks 2012 Videos
These are the videos I have for the ShmooCon Firetalks 2012.
http://www.irongeek.com/i.php?page=videos/shmoocon-firetalks-2012
Thanks to:
http://novahackers.blogspot.com
http://georgiaweidman.com
http://www.irongeek.com
Night 1
“How Do You Know Your Colo Isn’t “Inside” Your Cabinet, A Simple Alarm
Using Teensy” by David Zendzian
“Bending SAP Over & Extracting What You Need!” by Chris John...
Re: Remote Management & Monitoring, Remote Connect (VNC, Logmein, etc) & Data Sharing tools list
xgermx (Feb 05)
Don't forget Dameware Mini Remote Control
http://www.dameware.com/Products/Mini-Remote-Control/Product-Overview.aspx
ShmooCon Epilogue 2012 Talks
Adrian Crenshaw (Feb 05)
These are the videos I have for ShmooCon Epilogue 2012. Georgia
recorded the live parts, and my rig was used for the slides. Sorry that
there are some missing talks, Georgia may have them on her site.
Thanks to:
http://novahackers.blogspot.com
http://georgiaweidman.com
http://www.irongeek.com
Resurrection of Ettercap: easy-creds, Lazarus & Assimilation
Eric Milam - (Brav0Hax) &
Emilio Escobar
Media Hype and Hacks...
Remote Management & Monitoring, Remote Connect (VNC, Logmein, etc) & Data Sharing tools list
Tim Krabec (Feb 05)
I've started a Google doc listing as many of these programs, locations,
exe's as I can find (still working on it now), and figured it'd be a great
tool for the community.
I plan to eventually get a script to check for them.
Any help would be appreciated.
https://docs.google.com/spreadsheet/ccc?key=0Ah42Oi5038y4dHpRdFdGMkREdmNfZGJ4cVVWNFlGWmc
email me if you want write access.
Webshell if anyone wants to look at it
Adrian Crenshaw (Feb 05)
Hi all,
I found this little dingle berry hanging off a shared host box I
control. Not 100% sure how it got there, and the damn logs don't go far
enough back. I plan to have a coworker translate what I think is Chinese
later. Figured I'd give it to you all to have analytical fun with.
Adrian
Re: Capturing HTTPS traffic from iPhone/iPad
Dimitrios Kapsalis (Feb 04)
Hi Josh,
The application has not yet been submitted to the App Store. I'll have to
run a strings on it or see if I can get the source code to understand if
some attribute of the certificate is being checked in the application that
prevents the self-signed cert from working.
Thanks,
Jim
Re: Capturing HTTPS traffic from iPhone/iPad
Joshua Wright (Feb 04)
It's possible the application is checking the common name on the
certificate, or explicitly matching other certificate elements prior to
accepting the connection. I think this is an iOS API violation, but
maybe Apple App Store ninjas didn't notice.
Is this an app from the app store? I can grab it and test it here and
let you know if I get the same result.
-Josh
Re: Capturing HTTPS traffic from iPhone/iPad
Dimitrios Kapsalis (Feb 04)
Hi Josh,
I did extract the certificate from Burp and added it to my device's trusted
store by emailing the certificate to myself.
In the settings it shows that the certificate is now trusted. Can you send
the serial number of the cert to confirm I have the correct one?
Additionally, I tried another application, at first it did not work. After
installing the burp cert I can capture its traffic. The original
application still fails.
Thanks,
Jim
Re: Capturing HTTPS traffic from iPhone/iPad
Tim Krabec (Feb 03)
Set up a proxy/ tunnel get the data from there
Re: Capturing HTTPS traffic from iPhone/iPad
Joshua Wright (Feb 03)
No, I am doing this with Burp on iOS 5.0.1 and it works well. Have you
exported the Burp certificate and added it to the trust store on the iOS
device?
-Josh
Capturing HTTPS traffic from iPhone/iPad
Dimitrios Kapsalis (Feb 03)
Hi,
I have updated my iOS device to 5.0.1, in order to try to capture the HTTPS
traffic from an application.
The application returns an error that the connection cannot be
established. I've tried it with the WebScarab, Fiddler, and Burp. I've
installed for each the certificate in my iOS device and configured the
network connection to point to my laptop that is running my proxy software.
I've confirmed that the connection is...
Joe Stewart and Jon Oberheide on tomorrow night
Mike Perez (Feb 01)
We'll have Joe Stewart on to discuss 'teh APT' and Jon Oberheide to go over
his research into the Android Marketplace and malware.
If you have any questions for either, please email psw -at -
pauldotcom.com and we'll do our best to get them to the prospective
guests.
Please join us live, Thursday night beginning at 6PM....
http://pauldotcom.com/live
- Mike
hackers.it disappeared from google search results
David3 Gonnella (Feb 01)
Hello guys,
For a few days my domain has been out for first tests, but today
it has totally disappeared from Google search results.
Do you know how this can happen?
It has no malware, exploits or anything illegal, and there is no such
intent either, as you can read in the few pages.
The domain is hackers.it
Any help in understanding would be greatly appreciated.
Thank you
Davide
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
2012 Honeynet Project Security Workshop
Guillaume Arcas (Feb 02)
Hi.
The Honeynet Project holds its second Public Event on March 19 - 20,
2012 at Facebook HQ, SF Bay Area, Ca (USA).
The public event consists of one day of technical presentations and one day of
hands-on tutorial training.
All details available here:
https://honeynet.org/SecurityWorkshops/2012_SF_Bay_Area
Regards,
Guillaume Arcas
-------------------------
PR - The Honeynet Project
[HONEYPOTS] Cyber Warfare / Network Defense Simulation
Teóphilo Athos Brauns (Jan 24)
Hi,
I would like to ask if you guys have any suggestions (including
articles, references, books, sites, ideas, anything) on how to build a
"Poor man's Cyber Warfare / Network Defense Simulation" for:
1 - study
2 - forensic analysis
3 - vulnerabilities replication
4 - worm/virus spreading
5 - DLP (data leak/loss prevention) study
For my first attempts I used a dual-quad xeon server with 32GB ram and
managed to create a whole...
Cyber Warfare / Network Defense Simulation
Teóphilo Athos Brauns (Jan 24)
Hi,
I would like to ask if you guys have any suggestions (including
articles, references, books, sites, ideas, anything) on how to build a
"Poor man's Cyber Warfare / Network Defense Simulation" for:
1 - study
2 - forensic analysis
3 - vulnerabilities replication
4 - worm/virus spreading
5 - DLP (data leak/loss prevention) study
6 - ???
For my first attempts I used a dual-quad xeon server with 32GB ram and
managed to create a...
CanSecWest 2012 Mar 7-9; 2nd call for papers, closes next week, Monday. Dec 5 2011
Dragos Ruiu (Dec 01)
So after a dozen years or so organizing conferences, you
get the urge to pull levers and try experimenting with
things. So this year I sent out the CanSecWest CFP
only over Twitter, and G+ publicly. Just curious as to the
adoption and information dispersion rate, and some
estimate of the attention these newer channels are getting.
So after this experiment I hear about people having
submissions and missing the CFP. So for my control set,...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Bulletin Minor Revisions
Microsoft (Feb 01)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: February 1, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS11-098 - Important
* MS11-100 - Critical
Bulletin Information:
=====================
*...
Microsoft Security Bulletin Minor Revisions
Microsoft (Jan 27)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: January 27, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS12-004 - Critical
* MS12-JAN
Bulletin Information:
=====================
* MS12-004 -...
Microsoft Security Bulletin Minor Revisions
Microsoft (Jan 24)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: January 24, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS11-025 - Important
* MS11-049 - Important
Bulletin Information:
=====================...
Microsoft Security Bulletin Minor Revisions
Microsoft (Jan 18)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: January 18, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS11-049 - Important
* MS11-JUN
* MS12-006 - Important
Bulletin Information:...
Microsoft Security Bulletin Minor Revisions
Microsoft (Jan 17)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: January 17, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS11-100 - Critical
Bulletin Information:
=====================
* MS11-100 - Critical
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Jan 16)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: January 16, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS12-007 - Important
Bulletin Information:
=====================
* MS12-007 - Important...
Microsoft Security Bulletin Re-Releases
Microsoft (Jan 11)
********************************************************************
Title: Microsoft Security Bulletin Re-Releases
Issued: January 11, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.
* MS12-007 - Important
* MS12-JAN
Bulletin Information:
=====================
* MS12-007 -...
Microsoft Security Bulletin Minor Revisions
Microsoft (Jan 11)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: January 11, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS12-004 - Critical
Bulletin Information:
=====================
* MS12-004 - Critical
-...
Microsoft Security Bulletin Summary for January 2012
Microsoft (Jan 10)
********************************************************************
Microsoft Security Bulletin Summary for January 2012
Issued: January 10, 2012
********************************************************************
This bulletin summary lists security bulletins released for
January 2012.
The full version of the Microsoft Security Bulletin Summary for
January 2012 can be found at
http://technet.microsoft.com/security/bulletin/ms12-jan.
With...
Microsoft Security Advisory Notification
Microsoft (Jan 10)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: January 10, 2012
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (2588513)
- Title: Vulnerability in SSL/TLS Could Allow
Information Disclosure
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Jan 10)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: January 10, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS11-099 - Important
Bulletin Information:
=====================
* MS11-099 - Important...
Microsoft Security Bulletin Advance Notification for January 2012
Microsoft (Jan 08)
********************************************************************
Microsoft Security Bulletin Advance Notification for January 2012
Issued: January 5, 2012
********************************************************************
This is an advance notification of security bulletins that
Microsoft is intending to release on January 10, 2012.
The full version of the Microsoft Security Bulletin Advance
Notification for January 2012 can be found at...
Microsoft Security Bulletin Minor Revisions
Microsoft (Dec 30)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: December 30, 2011
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS11-100 - Critical
Bulletin Information:
=====================
* MS11-100 - Critical...
Microsoft Security Advisory Notification
Microsoft (Dec 29)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: December 29, 2011
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (2659883)
- Title: Insecure Library Loading Could Allow Remote Code
Execution
-...
Microsoft Security Bulletin Summary for December 2011
Microsoft (Dec 29)
********************************************************************
Microsoft Security Bulletin Summary for December 2011
Issued: December 29, 2011
********************************************************************
This bulletin summary lists an out-of-band security bulletin released
on December 29, 2011.
The full version of the Microsoft Security Bulletin Summary for
December 2011 can be found at...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Re: [Full-disclosure] Key Internet operator VeriSign hit by hackers [DNS]
steve pirk [egrep] (Feb 05)
I was born at night, but not last night.
Well, Verisign did offload the SSL business to Symantec in August 2010, so
that makes me think something happened.
That was also around the time the Chinese (theoretically) hacked all those
gmail accounts. I think it was later discovered that some sites had not
processed CRLs correctly and still had old revoked certs for companies like
Google.
I am not saying any of the above is/was probable, but it sure...
Re: [Full-disclosure] can you answer this?
Valdis . Kletnieks (Feb 05)
On Fri, 03 Feb 2012 02:58:52 CST, Fatherlaptop said:
Simple - it probably came in from elsewhere, and it's asking an IP from an
address that it thought *was* in *its* trust scheme.
Re: Hackers intercept FBI, Scotland Yard call
Marc (Feb 03)
"It's not entirely clear how the hackers got their hands on the recording,
which appears to have been edited to bleep out the names of some of the
suspects being discussed."
That's easy..They got the email invite and listened in:
http://pastebin.com/8G4jLha8
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of lists
Sent: Friday, February 03, 2012 14:26
To: FunSec
Subject: [funsec]...
Hackers intercept FBI, Scotland Yard call
lists (Feb 03)
Aren't these the same folks that investigated Murdock paper's telephone hacking and found nothing and spend billions to
modernize their case load computers and scrapped them and now....
http://m.apnews.com/ap/db_16026/contentdetail.htm?contentguid=D66zjTvT
And these guys are "protecting" us.....
This is really sad.
Tom
can you answer this?
RandallM (Feb 03)
since no one could answer the last one how bout this. In my FW log
Trust (our 10.0.0.0. network) to untrust picked this up:
2012-02-02 10:08:10 7.254.254.254:68 7.254.254.255:67 0.0.0.0:0 0.0.0.0:0 DHCP 0 sec. 0 0 Traffic Denied
My "any" to "any" denied queue.
Re: [Full-disclosure] Key Internet operator VeriSign hit by hackers [DNS]
Jeffrey Walton (Feb 02)
As I said: Alarming.
I was born at night, but not last night.
Pure science fiction, I'm sure.
Jeff
Re: [Full-disclosure] Key Internet operator VeriSign hit by hackers [DNS]
Kyle Creyts (Feb 02)
"Management was informed of the incident in September 2011" pg 33, sect 2
Further, there is no mention of risk potential for the SSL business
whatsoever, despite numerous mentions of risk factors for the Registry
Services business, not related to this attack.
While nothing is "safe" to assume, I would say that suggesting that
this description of the incident describes an attack on tangential,
unmentioned businesses operated...
Re: [Full-disclosure] Key Internet operator VeriSign hit by hackers [DNS]
Jeffrey Walton (Feb 02)
Actually, it was just released in Verisign's 10-Q
(https://investor.verisign.com/secfiling.cfm?filingID=1193125-11-285850&CIK=1014473).
Otherwise, without the SEC changes, it probably never would have seen
the light of day.
And this is alarming: "Ken Silva, who was VeriSign's chief technology
officer for three years until November 2010, said he had not learned
of the intrusion until contacted by Reuters. Given the time elapsed...
Re: [Full-disclosure] Key Internet operator VeriSign hit by hackers [DNS]
Kyle Creyts (Feb 02)
This is at least a year and a half old. Please, don't republish "news"
that should have never been reprinted. I'm not sure who would have
allowed this tripe to be syndicated...
Key Internet operator VeriSign hit by hackers [DNS]
Jeffrey Walton (Feb 02)
http://www.reuters.com/article/2012/02/02/us-hacking-verisign-idUSTRE8110Z820120202
http://www.msnbc.msn.com/id/46238729/ns/technology_and_science-security/
(Reuters) - VeriSign Inc, the company in charge of delivering people
safely to more than half the world's websites, has been hacked
repeatedly by outsiders who stole undisclosed information from the
leading Internet infrastructure company.
The previously unreported breaches occurred in...
See how important my book reviews are?
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Feb 02)
I have a couple of mailing lists that I run to let people join up for the book
reviews. Apparently this is of major interest to the families of deposed Middle
Eastern leaders:
------- Forwarded message follows -------
Date sent: Thu, 02 Feb 2012 05:05:06 +0000
To: techbooks-owner () yahoogroups com
Subject: APPROVE -- mrssuzannemubarak22 () rocketmail com
<mrssuzannemubarak22 ()...
The newest illusions
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Feb 02)
http://illusioncontest.neuralcorrelate.com/2011/#post-2336
Some really intriguing ones, mostly fairly complex.
(And the relation to security? Ummm, well ... we can be fooled really easily!
Yeah, that's it!)
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
Those who do not learn from computer history tend to repackage it...
Re: You can think different, you just can't talk different ...
rackow (Feb 02)
"Rob, grandpa of Ryan, Trevor, Devon & Hannah" made the following keystrokes:
>http://www.latimes.com/news/nationworld/world/la-fg-scotland-siri-20120131,0,6158274,full.story
>
If you missed it, Season 5 Episode 14 of The Big Bang Theory highlighted
siri as well. Koothrappali falls in love and Kripke doesn't think siwi is
all that gweat. One of their better episodes.
/~\ The ASCII Gene Rackow...
You can think different, you just can't talk different ...
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Feb 01)
http://www.latimes.com/news/nationworld/world/la-fg-scotland-siri-20120131,0,6158274,full.story
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
It is better, of course, to know useless things than to know
nothing. - Seneca
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links...
CanSecWest
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Feb 01)
Anybody else going?
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
You will come here and get books that will open your eyes, and
your ears, and your curiosity, and turn you inside out or outside
in. - Ralph Waldo Emerson
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
Current Activity - Apple Releases Multiple Security Updates
Current Activity (Feb 02)
US-CERT Current Activity
Apple Releases Multiple Security Updates
Original release date: February 2, 2012 at 12:15 pm
Last revised: February 2, 2012 at 12:15 pm
Apple has released security updates for Apple OS X Lion 10.7 to
10.7.2, OS X Lion Server 10.7 to 10.7.2, Mac OS 10.6.8, and Mac OS X
Server v 10.6.8 to address multiple vulnerabilities. These
vulnerabilities may allow an attacker to execute arbitrary code, cause
a denial-of-service...
Current Activity - Mozilla Releases Firefox 10 and 3.6.26
Current Activity (Feb 01)
US-CERT Current Activity
Mozilla Releases Firefox 10 and 3.6.26
Original release date: February 1, 2012 at 9:50 am
Last revised: February 1, 2012 at 9:50 am
The Mozilla Foundation has released Firefox 10 and Firefox 3.6.26 to
address multiple vulnerabilities. These vulnerabilities may allow an
attacker to execute arbitrary code, cause a denial-of-service
condition, obtain sensitive information, or perform a cross-site
scripting attack....
TA12-024A -- "Anonymous" DDoS Activity
US-CERT Technical Alerts (Jan 24)
National Cyber Alert System
Technical Cyber Security Alert TA12-024A
"Anonymous" DDoS Activity
Original release date: January 24, 2012
Last revised: --
Source: US-CERT
Overview
US-CERT has received information from multiple sources about
coordinated distributed denial-of-service (DDoS) attacks with
targets that included U.S. government agency and entertainment
industry...
Current Activity - Denial-of-Service Malware Campaign
Current Activity (Jan 24)
US-CERT Current Activity
Denial-of-Service Malware Campaign
Original release date: January 24, 2012 at 5:35 pm
Last revised: January 24, 2012 at 5:35 pm
US-CERT is aware of public reports of ongoing distributed
denial-of-service attacks against entities in the government and
private sector. According to the reports, these attacks are being
attributed to the hacker group Anonymous.
US-CERT encourages users and administrators to do the following...
Current Activity - Google Releases Chrome 16.0.912.77
Current Activity (Jan 24)
US-CERT Current Activity
Google Releases Chrome 16.0.912.77
Original release date: January 24, 2012 at 1:03 pm
Last revised: January 24, 2012 at 1:03 pm
Google has released Chrome 16.0.912.77 for Linux, Mac, Windows, and
Chrome Frame to address multiple vulnerabilities. These
vulnerabilities may allow an attacker to execute arbitrary code or
cause a denial-of-service condition.
US-CERT encourages users and administrators to review the Google...
Current Activity - Symantec pcAnywhere Hotfix
Current Activity (Jan 24)
US-CERT Current Activity
Symantec pcAnywhere Hotfix
Original release date: January 24, 2012 at 11:30 am
Last revised: January 24, 2012 at 11:30 am
Symantec has released an update for pcAnywhere to address multiple
vulnerabilities for the following software versions running on
Windows:
* pcAnywhere 12.5 SP3
* pcAnywhere Solutions 7.1 GA, SP 1, and SP 2
US-CERT encourages users and administrators to review the Symantec
pcAnywhere hot fix...
Current Activity - Best Practices for Recovery from the Malicious Erasure of Files
Current Activity (Jan 19)
US-CERT Current Activity
Best Practices for Recovery from the Malicious Erasure of Files
Original release date: January 19, 2012 at 3:43 pm
Last revised: January 19, 2012 at 3:43 pm
Cyber criminals can damage their victim's computer systems and data by
changing or deleting files, wiping hard drives, or erasing backups to
hide some or all of their malicious activity and tradecraft. By
wiping, or "zeroing out," the hard disk...
Current Activity - Oracle Releases Critical Patch Update for January 2012
Current Activity (Jan 18)
US-CERT Current Activity
Oracle Releases Critical Patch Update for January 2012
Original release date: January 18, 2012 at 10:58 am
Oracle has released its Critical Patch Update for January 2012 to address
78 vulnerabilities across multiple products. This update contains the
following security fixes:
* 2 for Oracle Database Server
* 1 for Oracle Fusion Middleware
* 3 for Oracle E-Business Suite
* 1 for Oracle Supply Chain Products Suite...
Current Activity - Phishing Campaign Using Spoofed US-CERT Email Addresses
Current Activity (Jan 11)
US-CERT Current Activity
Phishing Campaign Using Spoofed US-CERT Email Addresses
Original release date: January 10, 2012 at 2:06 pm
Last revised: January 11, 2012 at 4:58 pm
On January 10, 2012, US-CERT received reports of a phishing campaign
that is spoofing US-CERT email to deliver a variant of the Zeus/Zbot
Trojan known as Ice-IX. This campaign appears to be targeting a large
number of private sector organizations as well as federal, state,...
Current Activity - Adobe Releases Security Advisory for Adobe Reader and Acrobat
Current Activity (Jan 10)
US-CERT Current Activity
Adobe Releases Security Advisory for Adobe Reader and Acrobat
Original release date: January 10, 2012 at 4:40 pm
Last revised: January 10, 2012 at 4:40 pm
Adobe has released a Security Advisory for Adobe Reader and Acrobat to
address multiple vulnerabilities affecting the following software
versions:
* Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and
Macintosh
* Adobe Reader 9.4.7 and earlier...
Current Activity - Microsoft Releases January Security Bulletin
Current Activity (Jan 10)
US-CERT Current Activity
Microsoft Releases January Security Bulletin
Original release date: January 5, 2012 at 1:24 pm
Last revised: January 10, 2012 at 3:09 pm
Microsoft has released updates to address vulnerabilities in Microsoft
Windows and Microsoft Developer Tools and Software as part of the
Microsoft Security Bulletin Summary for January 2012. These
vulnerabilities may allow an attacker to execute arbitrary code,
operate with elevated...
TA12-010A -- Microsoft Updates for Multiple Vulnerabilities
US-CERT Technical Alerts (Jan 10)
National Cyber Alert System
Technical Cyber Security Alert TA12-010A
Microsoft Updates for Multiple Vulnerabilities
Original release date: January 10, 2012
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Developer Tools and Software
Overview
There are multiple vulnerabilities in Microsoft Windows and
Microsoft Developer Tools and Software....
Current Activity - Phishing Campaign Using Spoofed US-CERT E-mail Addresses
Current Activity (Jan 10)
US-CERT Current Activity
Phishing Campaign Using Spoofed US-CERT E-mail Addresses
Original release date: January 10, 2012 at 1:32 pm
Last revised: January 10, 2012 at 1:32 pm
US-CERT has received reports of a phishing email campaign that uses
spoofed US-CERT email addresses. This campaign appears to be targeting
a large number of private sector organizations as well as federal,
state, and local governments. US-CERT began receiving reports of...
TA12-006A -- Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack
US-CERT Technical Alerts (Jan 06)
National Cyber Alert System
Technical Cyber Security Alert TA12-006A
Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack
Original release date: January 06, 2012
Last revised: --
Source: US-CERT
Systems Affected
Most Wi-Fi access points that support Wi-Fi Protected Setup (WPS)
are affected.
Overview
Wi-Fi Protected Setup (WPS) provides simplified mechanisms to
configure secure...
Current Activity - Google Releases Chrome 16.0.912.75
Current Activity (Jan 06)
US-CERT Current Activity
Google Releases Chrome 16.0.912.75
Original release date: January 6, 2012 at 9:26 am
Last revised: January 6, 2012 at 9:26 am
Google has released Chrome 16.0.912.75 for Linux, Mac, Windows, and
Chrome Frame to address multiple vulnerabilities. These
vulnerabilities may allow an attacker to execute arbitrary code.
US-CERT encourages users and administrators to review the Google
Chrome Releases blog entry and update to...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
CVE-2011-3637 Linux kernel: proc: fix Oops on invalid /proc/<pid>/maps access
Solar Designer (Feb 05)
Hi,
I just analyzed this issue a little bit and thought I'd post a followup
to the thread on oss-security, but to my surprise I could not find the
issue mentioned in here, even though "nearby" ones (e.g. fixed in RHEL
at about the same time) were brought to this list. I guess this has to
do with differences in CVE assignment - when an issue already has a CVE
ID, it is less likely to be brought up in here - which I find wrong....
Re: Adding Xen.org contact to linux-distros security list
Ian Campbell (Feb 05)
Thanks, I can quite understand your position.
I'll get back in touch with the qemu folks and update the wiki as you
suggest.
Cheers,
Ian.
Re: distros & linux-distros embargo period and message format
Solar Designer (Feb 03)
There was not exactly a "concern" - I just said that I was not aware of
a tool to do the job, and I still am not. What you're proposing is to
write an own tool (script).
Thank you for the suggestion to use munpack, this is something I had not
considered. I was thinking of options that would produce (almost) the
exact same mbox that we'd get if mail to subscribers were not encrypted.
With the munpack approach, I think it...
Re: distros & linux-distros embargo period and message format
Michael Gilbert (Feb 03)
2012/2/3 Solar Designer:
I was trying to keep it simple. I got the impression that your
concern was potentially needing to enter a passphrase to individually
decrypt each message. Anyway, just throw in the appropriate munpack
calls above to handle the mime parts.
Best wishes,
Mike
Re: distros & linux-distros embargo period and message format
Solar Designer (Feb 03)
That's what we have now, right?
Unless I am missing something, this doesn't handle MIME at all - so it
won't do the trick.
I was thinking of building something upon Mutt in its entirety (e.g.,
talk to it with expect) or upon pieces of code from Mutt (since it
handles such mbox'es just fine) or maybe upon my own mbox and MIME
parsing code from blists (but add the gpg invocations to it myself).
Alternatively, I could in fact...
Re: distros & linux-distros embargo period and message format
Michael Gilbert (Feb 03)
That's why I think it's more appropriate to defer such decisions to the
researcher who understands the complexity of the problem at hand (of
course hopefully allowing negotiation with those affected to choose a
disclosure date that can be met).
Completely unfleshed out, but a pseudo-bash script along the lines of
the following should do it:
echo "" > newmbox
gpg-agent --allow-preset-passphrase...
Re: distros & linux-distros embargo period and message format
Solar Designer (Feb 03)
Thank you for sharing your opinion.
Yet the delay itself matters too. There are different opinions as to
whether it is "the important aspect" or not.
I don't mind. Like I said, I need a tool - a program to mass-decrypt a
PGP/MIME mbox, producing another mbox. I think such a program might be
generally useful. Well, or alternatively I need to introduce a
different mechanism for the archive - not treat it as a regular
subscriber...
Re: distros & linux-distros embargo period and message format
Michael Gilbert (Feb 03)
I think the important aspect here is the transparency of the private
discussion (after an appropriate delay), rather than the length of the
delay itself. That can be set by the researcher (with some reasonable
maximum, like a month).
We all should be able to see what is going on over in the closed list.
Although it is unlikely being used for nefarious purposes (hiding
issues permanently, etc.), transparency (after a delay) is the only
way to...
Re: Adding Xen.org contact to linux-distros security list
Solar Designer (Feb 03)
I think not. We had a few exceptions like this on vendor-sec, but when
setting up the linux-distros list I proposed not to be making such
exceptions anymore and everyone seemed to agree. In fact, that's even
reflected in the list name - on purpose.
Thanks for bringing the topic up anyway. It helps to know what's in
demand and see what solutions we have (or don't have).
I think you should contact the QEMU folks and ask them to...
Re: CVE-request: Joomla! Security News 2012-02-03
Kurt Seifried (Feb 03)
http://developer.joomla.org/security/news/387-20120201-core-information-disclosure.html
Please use CVE-2012-0835 for this issue
http://developer.joomla.org/security/news/388-20120202-core-information-disclosure.html
Please use CVE-2012-0836 for this issue
http://developer.joomla.org/security/news/389-20120203-core-information-disclosure.html
Please use CVE-2012-0837 for this issue
Also I note from last time we ended at 385, I can't...
Re: Adding Xen.org contact to linux-distros security list
Kurt Seifried (Feb 03)
I think this is something that should be discussed (I'm not specifically
against Xen joining, but I'm worried about the precedent it might set).
Many projects incorporate upstream software, if we lower the bar of
entry in this respect we may get a lot more people on the list. This
might not be a good idea (more chances of leaks/etc.).
My understanding of the way the vs security list is used is that
upstream is typically notified (after...
Re: CVE Request (2002): Linux TCP stack could accept invalid TCP flag combinations
Kurt Seifried (Feb 03)
Nice, a cert KB with a picture, never seen that before.
Please use CVE-2002-2438 for this issue.
CVE-request: Joomla! Security News 2012-02-03
Henri Salo (Feb 03)
And again a few Joomla security issues without CVE.
- Henri Salo
----- Forwarded message from Joomla! Developer Network - Security News <no_reply () joomla org> -----
Date: Fri, 03 Feb 2012 13:11:55 +0000
From: Joomla! Developer Network - Security News <no_reply () joomla org>
To: henri () nerv fi
Subject: Joomla! Security News
Joomla! Developer Network - Security News
///////////////////////////////////////////
[20120201] - Core -...
CVE Request (2002): Linux TCP stack could accept invalid TCP flag combinations
Marcus Meissner (Feb 03)
Hi,
After a customer query likely coming from erroneous Security Scanner output,
this issue from 2002 has no CVE id yet as far as I see:
http://www.kb.cert.org/vuls/id/464113
It describes a problem where firewalls might let some TCP flags combinations
pass (e.g. all with RST flag set) and the OS (e.g. Linux) stack would in turn
accept a TCP session it might not have accepted otherwise.
The protection added in Linux 2.4.20 is checking for the...
Adding Xen.org contact to linux-distros security list
Ian Campbell (Feb 03)
Hello,
Would it be possible for myself to be subscribed to the linux-distros
security list as a representative of Xen.org?
Although Xen.org is not a distro we do incorporate upstream software and
one of our upstreams (qemu) uses this list as their embargoed security
announcement channel. We would like to be able to co-ordinate the
release of fixes into our own qemu trees.
Many thanks,
Ian.
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
Silver Bullet 70: Ross Anderson Reprise
Gary McGraw (Feb 03)
hi sc-l,
Ross Anderson's first Silver Bullet episode (episode 13) has consistently led the download totals since its release way
back when. Over 25,000 people have listened to the episode and it remains very popular (either that or Ross is
clicking on it an awful lot himself). In order to compete with Ross's record, we brought in a heavy hitter, Ross
Anderson for episode 70. So, can Ross surpass Ross? Only time will tell....
informIT: vBSIMM revised
Gary McGraw (Jan 26)
hi sc-l,
Third party software is a major risk category in most modern organizations (see Third-Party Software and
Security<http://www.informit.com/articles/article.aspx?p=1809143>). We have been working on a BSIMM derivative called
the vBSIMM to help manage third party software risk. Today we published a second, revised version of the vBSIMM.
Instead of focusing on individual applications, the vBSIMM approach focuses on software...
Only 7 Days Left: SANS AppSec 2012 CFP
SANS AppSec CFP (Jan 24)
Hi everyone,
This is the final CFP reminder for SANS AppSec 2012 being held in Las
Vegas, Nevada on April 30 - May 1, 2012.
The call for papers ends in seven days on February 1, 2012 so submit today!
============
The theme for this conference is "Application Security at Scale".
Billions of records in the cloud. Millions of smart mobile devices.
Millions of developers writing new code. Hundreds of apps in your
enterprise. Untold...
OWASP AsiaPac 2012 - Sydney, Australia: CFP and call for trainers
Andrew van der Stock (Jan 12)
Colleagues,
In 2012, OWASP is holding Global AppSec AsiaPac Conference in Sydney Australia! OWASP Asia Pacific is the foremost
Application Security conference for the region, and brings together the community in a central meeting for 4 days to
discuss and present on recent and current Application Security related topics. In previous years the conference has
been held on the Gold Coast Australia, in 2012 the event has been moved to Sydney, and...
Re: informIT: BSIMM versus SAFECode
Kevin W. Wall (Jan 02)
Gary,
Hope you and other SC-L readers had a safe and happy holidays. I had a few
comments on your InformIT article referenced here.
First, you take exception of SAFECode of calling out BSIMM as a "methodology".
After quickly skimming their paper which you referenced, I think that perhaps you
and Sammy are overreacting a bit. (Maybe you are misconstruing their misconstruing? ;-)
Specifically, the SAFECode _Fundamental Practices_ paper...
Silver Bullet 69: Steve Myers
Gary McGraw (Dec 31)
happy new year sc-l,
The 69th episode of Silver Bullet is an interview with professor Steve Myers from Indiana University. Steve is a
cryptographer who works on Phishing, but he also teaches the security engineering course at IU. Among other topics, we
discuss the challenge of keeping academic research both scientific and relevant to practitioners.
http://www.cigital.com/silver-bullet/show-069/
As always, we welcome your feedback on the...
informIT: BSIMM versus SAFECode
Gary McGraw (Dec 31)
Let's try that again, this time with the proper email address…
From: gem <gem () cigital com>
Date: Tue, 27 Dec 2011 16:32:56 -0500
To: "sc-l-bounces () securecoding org" <sc-l-bounces () securecoding org>
hi sc-l,
How about a little software security controversy for the tweener holiday week?...
ANNOUNCEMENT: SecAppDev 2012, Leuven, Belgium
Kenneth Van Wyk (Dec 22)
We are pleased to announce SecAppDev 2012, an intensive one-week
course in secure application development. The course is organized by
secappdev.org, a non-profit organization that aims to broaden security
awareness in the development community and advance secure software
engineering practices. The course is a joint initiative with K.U.
Leuven and Solvay Brussels School of Economics and Management.
SecAppDev 2012 is the 8th edition of our widely...
MoST 2012 CFP - Mobile Security Technologies (MoST) 2012 Workshop
Larry Koved (Dec 22)
On behalf of the workshop co-chairs and program chair, we would like to
invite you to participate in the Mobile Security Technologies (MoST)
Workshop.
MoST is co-located with the IEEE Security & Privacy Symposium.
Mobile Security Technologies (MoST) brings together researchers,
practitioners, policy makers, and hardware and software developers
of mobile systems to explore the latest understanding and advances
in the security and privacy...
W2SP 2012 CFP - Web 2.0 Security and Privacy 2012 Workshop Call for Papers
Larry Koved (Dec 22)
W2SP 2012 CFP - Web 2.0 Security and Privacy 2012 Workshop Call for Papers
On behalf of the workshop co-chairs and program chair, we would like to
invite you to participate in the 5th annual workshop on Web 2.0 Security
and Privacy. Started in 2007, this successful series of workshops has
attracted participation from both academia and industry, and participants
from around the world.
W2SP is co-located with the IEEE Security & Privacy...
SANS AppSec 2012 CFP reminder
SANS AppSec CFP (Dec 01)
Hi everyone,
It's been over a month since we first announced the CFP for the SANS
AppSec Summit being held in Las Vegas, Nevada on April 30 - May 1, 2012.
We've received a number of great submissions so far but there's only two
months left until the deadline on February 1, 2012. If you'd like to
speak please get your submission in as soon as possible.
Hope to see you in Vegas!
============
The theme for this conference...
Silver Bullet 68
Gary McGraw (Nov 30)
hi sc-l,
I am pleased to announce that episode 68 of the Silver Bullet Security Podcast is an interview of Cigital's own John
Steven. jOHN (or jS) as he is known around here is a well-respected technologist and software security practitioner.
He served a stint editing the Building Security In column for IEEE S&P magazine along with Gunnar Peterson. He is also
a very active OWASP participant. I have worked closely with jS for many...
informIT: third-party software and security
Gary McGraw (Nov 30)
hi sc-l,
We recently convened a BSIMM Community Conference near Portland, Oregon. (For a list of the 42 companies participating
in the BSIMM project, see <http://bsimm.com/community/>.) The BSIMM project describes and measures the work of 786 SSG
members, who together with a satellite of 1750 people, have direct impact on the work of 185,316 developers.
As you know, the BSIMM is mostly about SSDL activities and governance. However,...
Call for papers - i-Society
Call for papers (Nov 06)
Apologies for cross-postings!
Kindly email this Call for Papers to your colleagues,
faculty members and postgraduate students.
CALL FOR PAPERS
************************************************************
International Conference on Information Society (i-Society 2012)
Technical Co-Sponsored by IEEE UK/RI Computer Chapter
June 25-28, 2012, London, UK
www.i-society.eu
************************************************************
The...
silver bullet: bill pugh
Gary McGraw (Oct 31)
hi sc-l,
The 67th Silver Bullet podcast features Bill Pugh. Bill is an alpha geek who is currently a professor at University of
Maryland. You may know his FindBugs project if you're a Java person. You may not know that Bill is also a fire eater
who once lit my solstice bonfire in an interesting ritual.
Our conversation ranged far and wide on this episode and is likely to be appreciated by more technical listeners....
Educause Security Discussion — Securing networks and computers in an academic environment.
Re: ROI on stateful and deep-packet-inspection firewalls
Brian Helman (Feb 03)
We've been using Palo Alto firewalls for ~5 years now. They are comprehensive application-layer (ie deep-packet
inspection) firewalls with IDS/IPS. These are the units that Gartner rated highest in their Magic Quadrant ratings a
couple months ago. They are less complicated than the Checkpoint FW's we stopped using at that time, once you get out
of the port-specific mindset for controlling traffic. I have no experience with the...
Re: survey re interest for SAN NetWars Tournament at SPC (short deadline to answer)
Valerie Vogel (Feb 03)
Good afternoon - Please take a minute to complete this survey about the possibility of holding a SANS NetWars
Tournament prior to the Security Conference in Indianapolis this May. Many of you have signed up for the SANS NetWars
Continuous Play and now our input is vital to our decision as to whether we can host the tournament. Deadline to
respond: Tuesday, February 7.
http://www.surveymonkey.com/s/SANS-NetWars
Thank you!
Valerie...
Re: ROI on stateful and deep-packet-inspection firewalls
Chris Green (Feb 03)
The ROI is hard to capture but I generally am in favor of it AND hardening end-points. There are several factors
involved in the space.
Complexity Often does go up. When going inline with Firewalls & IPS activities, we've generally had an A and a B path
with L2 redundancy between them.
Some scenarios worth considering both policy and technically:
- If you are experiencing a mass-virus infection targeting end-point software...
Re: ROI on stateful and deep-packet-inspection firewalls
Seth Hall (Feb 03)
I would love to see the answers to this question in particular. My expectation is that downtime increases (solely due
to increased inline complexity), trouble tickets remain fairly stable, and there is almost certainly going to be
considerable time spent tuning rules but that's completely unavoidable.
For anyone that knows me I certainly can't pretend to not be biased, but a suggestion that I tend to give people with
these...
Re: Desktop Administrator Question
Johnson, Jeff (Feb 03)
Thanks for the feedback Adam....I will add this to the results when I publish.
Regards,
Jeff
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Drews,
Adam
Sent: Thursday, February 02, 2012 12:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Desktop Administrator Question
Jeff,
Much like many others on this list, I answered "yes" to question 3 on your...
Re: Desktop Administrator Question
Johnson, Jeff (Feb 03)
Thanks Kevin....will add to the details when I publish the results.
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin
Shalla
Sent: Thursday, February 02, 2012 11:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Desktop Administrator Question
Here at UIC, individual departments decide this. I decided no admin rights for mine (with a few exceptions) - about...
Re: Password security
David Pirolo (Feb 02)
I'd have to agree with Joe here. Since it really isn't a requirement or
a law to not store in plain-text, rather is just a best practice, the
only ammo we have is putting pressure on the vendors by using the
products that do adhere to best practice.
The increasing pressure and monetary fines we face from our regulatory
bodies are really making this more vital to increase the pressure on our
vendors. Best way to put pressure on a...
Re: Desktop Administrator Question
Drews, Adam (Feb 02)
Jeff,
Much like many others on this list, I answered "yes" to question 3 on your survey because we do allow admin access to
staff and faculty. However, that access is only given after they fill out a request form and have it approved by
management. I would say less than 5% of our users have admin on their workstations.
Adam
Adam Drews
Information Security Analyst
Information Security Office
Joliet Junior College
1215 Houbolt...
Re: Desktop Administrator Question
Kevin Shalla (Feb 02)
Here at UIC, individual departments decide this. I decided no admin
rights for mine (with a few exceptions) - about 170 desktops.
Re: Aruba Via?
Cappalli, Tim G @ LSC-ITS (Feb 02)
We recently deployed a mix of RAP-2's and RAP-5WN's in a split-tunnel configuration. Our users have been very satisfied
with this solution. Our next step will be VIA this summer.
Tim Cappalli, CCNA ACMA | IT Services | (802) 626-6456
PRIVACY & CONFIDENTIALITY NOTICE
This message is for the designated recipient only and
may contain privileged,...
Re: Aruba Via?
Timothy Fairlie (Feb 02)
We have VIA running on a 3600 controller and have been experimenting with it for a few months.
So far it's been working very well. It's not as convenient as our java/web-based anyconnect VPN, but we've been having
problems with users and java and such with the Cisco version. Once installed, via has been very stable for the users.
(windows , Mac and iOS all work very well)
One thing to keep in mind, is that the VIA client only...
Aruba Via?
Russ Leathe (Feb 02)
Anyone with an Aruba installation using their VPN solution - VIA? Which platforms?
If so, what is your honest opinion?
We currently use an SSL/VPN solution as well as RAP-2's. Both have their good points and bad.
NSTIC Update: Moving forward with pilots, the Steering Group and other events...
Rodney Petersen (Feb 01)
I am sorry that we had to alter our focus of next week's IAM Online when our scheduled guest from The White House could
not participate to provide an update on the National Strategy for Trusted Identities in Cyberspace (NSTIC). However, I
received the information below earlier today which provides an update and describes a new federal funding opportunity.
EDUCAUSE will continue to track the progress of NSTIC, report on the establishment...
Re: Password security
Joe St Sauver (Feb 01)
Hi,
While I share everyone's concern about plain text passwords, there
*are* many, many, mainstream applications that *do* store passwords
unencrypted, and often in ways that are publicly accessible.
(Anyone skeptical of this can quickly lose that skepticism via a
little Google dorking, e.g., see for example
http://www[dot]exploit-db[dot]com/google-dorks/9/ )
ARE out there all over the place, how do we get that problem sorted?
I...
IAM Online, Feb 8 - Policy and Privacy Considerations for IAM in a Federated World
Valerie Vogel (Feb 01)
Please note that the focus of next week's IAM Online has changed. We will hear from Steven Carmody and Ken Klingenstein
on Policy and Privacy Considerations for IAM in a Federated World. An updated abstract is included below.
**************
IAM Online - Wednesday, February 8, 2012
3 p.m. ET / 2 p.m. CT / 1 p.m. MT / Noon PT
www.incommon.org/iamonline
**************
Policy and Privacy Considerations for Identity and Access Management in...
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: Hijacked Network Ranges
Mark Tinka (Feb 05)
On Wednesday, February 01, 2012 12:10:32 PM George Bonser
wrote:
We've been in such situations without customers requesting
us either to:
a) Block certain addresses across their transit
links in order to mitigate DoS attacks.
b) Announce address space which does not necessarily
belong to them, even though they aren't being
nefarious.
In either case, a quick check of the RIR WHOIS...
Re: Hijacked Network Ranges
Suresh Ramasubramanian (Feb 05)
I had this happen to me in 2008 -
http://www.gossamer-threads.com/lists/nanog/users/110097
Total pain in the ass when it does happen. Funnily enough in that
case it was another downstream of the same ISP who was pulling this
stunt ..
--srs
Re: Hijacked Network Ranges
Mark Tinka (Feb 05)
On Wednesday, February 01, 2012 02:57:46 AM Tony McCrory
wrote:
The fact that the hijacking ISP's upstreams accepted routes
through their network that didn't belong to that ISP is bad
enough.
That we should still be able to advertise anything without
an appropriate filter being in place and expecting it to
work (even if it's with good intention, as in this case) is
equally as bad.
A big fail to our community, for up to...
Re: UDP port 80 DDoS attack
Steve Bertrand (Feb 05)
> 2012/2/5 Steve Bertrand <steve.bertrand () gmail com
Agreed. Diligence does play a role. However, the times I have
implemented and used (s/)RTBH, I thought it was most elegant. I love its
simplicity and effectiveness.
Agreed. But to me, DDOS mitigation is not just a cool knob. If my ISP
can help mitigate a 1Gb onslaught so my 100Mb pipe isn't overwhelmed,
that's more functional than cool. Ranks right up there with IPv6...
Re: UDP port 80 DDoS attack
Keegan Holley (Feb 05)
2012/2/5 Steve Bertrand <steve.bertrand () gmail com>
This is still vulnerable to spoofing which could cause you to filter
legitimate traffic and make the problem worse. Not saying that S/RTBH is a
bad idea. RTBH is effective and a great idea just not very elegant.
You sometimes have to weigh the pro's and cons. You can't always pick the
guys with the coolest knobs.
Re: Super Sunday
Michael Painter (Feb 05)
Mike Lyon wrote:
Looks like a well designed product...Thanks!
Any idea of what the 'Tahoe' costs (we have 16 sources)?
--Michael
Re: UDP port 80 DDoS attack
Steve Bertrand (Feb 05)
This is so very easily automated. Even if you don't actually want to
trigger the routes automatically, finding the sources you want to
blackhole is as simple as a monitor port, tcpdump and some basic Perl.
...and as far as this not having been deployed in many ISPs (per your
next message)... their mitigation strategies should be asked up front,
and if they don't have any (or don't know what you speak of), find a new
ISP....
Re: Optimal IPv6 router
Masataka Ohta (Feb 05)
Glen Kent wrote:
It depends on what you want routers to do.
As I am working on Tbps photonic routers with fiber delay lines,
the bottleneck is at constant time (nano seconds order) electric
route look up.
There, several simple 4M*16bit SRAMs is fine for IPv4 with mostly
/24 routing table entries.
IPv6 was better because TLA was merely 13bit long with only
8192 entries.
However, as the idea of TLA was abandoned long before and a lot
more...
Re: Super Sunday
Mike Lyon (Feb 05)
When i did a sports bar of about 24 HD TVs, i used gear from here:
http://www.neoprointegrator.com/products.php
Good product, good support.
-mike
Sent from my iPhone
Re: Optimal IPv6 router
Valdis . Kletnieks (Feb 05)
On Mon, 06 Feb 2012 06:50:54 +0530, Glen Kent said:
Not sure if this statement is troll bait or flame bait. Probably both. ;)
I see Joel has already confirmed my memory that vendors had ASICs
doing IPv6 forwarding last century.
OK, I'll bite. What would qualify as a "native IPv6" router? Is this
another concept as silly as "hardware vs software based" routers?
And what would be the definition of "more...
Re: Optimal IPv6 router
Joel jaeggli (Feb 05)
Asic based forwarding engines with ipv6 support are more than a decade
old at this point.
If one looks at an asr9000 or an MX or T that looks like an ipv6 router
to me.
Re: UDP port 80 DDoS attack
Dobbins, Roland (Feb 05)
I'm certainly not making that assumption - hence the presos.
;>
-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>
The basis of optimism is sheer terror.
-- Oscar Wilde
Re: UDP port 80 DDoS attack
Keegan Holley (Feb 05)
2012/2/5 Dobbins, Roland <rdobbins () arbor net>
If folks don't want to read the presos or search through the archives,
by the entire industry gives one false hope no?
Re: Super Sunday
Michael Painter (Feb 05)
Mike Lyon wrote:
I'm integrating the b520 modulator(s) into our existing 16 Ch. analog system. Works great.
http://www.zeevee.com/hdbridge
Re: UDP port 80 DDoS attack
Dobbins, Roland (Feb 05)
S/RTBH can be rapidly shifted in order to deal with changing purported source IPs, and it isn't limited to /32s. It's
widely supported on Cisco and Juniper gear (flowspec is a better choice on Juniper gear).
If folks don't want to read the presos or search through the archives, that's fine, of course. The fact is that there
are quite a few things that operators can and should do in order to mitigate DDoS attacks; and...
Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating
miami fishing
Felix (Nov 19)
Your email client cannot read this email.
To view it online, please go here:
http://profystudio.info/ems/display.php?M=4856987&C=b2586d1d652441f590773aba59abe520&S=12&L=6&N=9
DISCOUNT 45 %
45 USD per hour
E-mail: fishingmiami () yahoo com
Fishing lessons by professional instructor for kids and family.
Our Fishing show will contain from fresh fish (Mahi Mahi, Sailfish,
Blacktip Sharks, Barracudas, Kingfish, Snapper) cleaning,...
Microsoft( Exchange , Dynamics etc), Retail, HR, Healthcare, Technology, Industry, ERP, CRM, VAR customer lists
mike gordon (Nov 03)
Hi,
This email is to introduce Repharm Technologies and lists we provide. We have a comprehensive business database of B2B
records & B2C records. Our lists can be used Email Campaigns, Telemarketing, Fax Marketing and Direct Mailing. The list
would be for your perpetual use with no restriction on the number of usage.
Below are some of our lists that may interest you, let me know if you require any other lists by providing the
industry,...
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 26.70
RISKS List Owner (Jan 02)
RISKS-LIST: Risks-Forum Digest Monday 2 January 2012 Volume 26 : Issue 70
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.70.html>
The current issue can be...
Risks Digest 26.69
RISKS List Owner (Dec 29)
RISKS-LIST: Risks-Forum Digest Thursday 29 December 2011 Volume 26 : Issue 69
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.69.html>
The current issue can...
Risks Digest 26.68
RISKS List Owner (Dec 28)
RISKS-LIST: Risks-Forum Digest Weds 28 December 2011 Volume 26 : Issue 68
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.68.html>
The current issue can be...
Risks Digest 26.67
RISKS List Owner (Dec 20)
RISKS-LIST: Risks-Forum Digest Tuesday 20 December 2011 Volume 26 : Issue 67
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.67.html>
The current issue can...
Risks Digest 26.66
RISKS List Owner (Dec 06)
RISKS-LIST: Risks-Forum Digest Tuesday 6 December 2011 Volume 26 : Issue 66
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.66.html>
The current issue can be...
Risks Digest 26.65
RISKS List Owner (Nov 29)
RISKS-LIST: Risks-Forum Digest Tuesday 29 November 2011 Volume 26 : Issue 65
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.65.html>
The current issue can...
Risks Digest 26.64
RISKS List Owner (Nov 26)
RISKS-LIST: Risks-Forum Digest Saturday 26 November 2011 Volume 26 : Issue 64
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.64.html>
The current issue can...
Risks Digest 26.63
RISKS List Owner (Nov 22)
RISKS-LIST: Risks-Forum Digest Tuesday 22 November 2011 Volume 26 : Issue 63
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.63.html>
The current issue can...
Risks Digest 26.62
RISKS List Owner (Nov 18)
RISKS-LIST: Risks-Forum Digest Friday 18 November 2011 Volume 26 : Issue 62
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.62.html>
The current issue can be...
Risks Digest 26.61
RISKS List Owner (Nov 13)
RISKS-LIST: Risks-Forum Digest Sunday 13 November 2011 Volume 26 : Issue 61
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.61.html>
The current issue can be...
Risks Digest 26.60
RISKS List Owner (Nov 11)
RISKS-LIST: Risks-Forum Digest Friday 11 November 2011 Volume 26 : Issue 60
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.60.html>
The current issue can be...
Risks Digest 26.59
RISKS List Owner (Oct 23)
RISKS-LIST: Risks-Forum Digest Sunday 23 October 2011 Volume 26 : Issue 59
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.59.html>
The current issue can be...
Data Loss — Data Loss covers large-scale personal data loss and theft incidents. This archive combines the main list (news releases) and the discussion list.
follow-up: Midlothian Council fined for personal data breaches
security curmudgeon (Feb 01)
http://www.bbc.co.uk/news/uk-scotland-edinburgh-east-fife-16780239
29 January 2012 Last updated at 19:03 ET
Midlothian Council fined for personal data breaches
Midlothian Council has been fined £140,000 for sending sensitive personal
data about children and their carers to the wrong people.
It is the first Scottish organisation to be served with such a penalty by
the Information Commissioner's Office.
The local authority made errors...
Breaches, like history, repeat themselves
security curmudgeon (Jan 31)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
http://www.csoonline.com/article/699021/breaches-like-history-repeat-themselves
By George V. Hulme
CSO
January 30, 2012
Two recent studies show that if organizations simply focused on IT
security basics, they'd make great strides in reducing their risk of
embarrassing, avoidable and often costly data breaches.
Security firm Imperva examined...
Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case
Jake Kouns (Jan 30)
http://www.databreaches.net/?p=12716
Rite Aid Corporation and its 40 affiliated entities (RAC) have agreed
to pay $1 million to settle potential violations of the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy
Rule, the U.S. Department of Health and Human Services (HHS) announced
today. In a coordinated action, RAC also signed a consent order with
the Federal Trade Commission (FTC) to settle potential violations of...
Six-Year-Old Breach Comes Back To Haunt Symantec
Jake Kouns (Jan 30)
http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/232500587/six-year-old-breach-comes-back-to-haunt-symantec.html
Security firm warns users to halt use of pcAnywhere until it finishes
patching it, but says older Norton products not at risk from
previously 'inconclusive' 2006 security incident
There are security advisories and there are patches, but rarely are
there outright warnings from a software vendor...
Are You at Risk? What Cybercriminals Do With Your Personal Data
Jake Kouns (Jan 30)
http://www.networkworld.com/news/2012/012612-are-you-at-risk-what-255369.html?hpg1=bn
When Zappos notified its customers that their names, email addresses,
billing and shipping addresses, phone numbers and the last four digits
of their credit card numbers may have been exposed during a data
breach earlier this month, the online shoe retailer emphasized that
"critical credit card and other payment data was NOT affected or
accessed."...
White House Presses For New Cybersecurity Laws
Jake Kouns (Jan 30)
The White House is urging Congress to pass President Obama's
cybersecurity legislation in 2012 to give officials the authority they
need to combat "growing and increasingly sophisticated cyberthreats,"
according to the leading U.S. cybersecurity official.
White House Cybersecurity Coordinator Howard Schmidt called for
legislators to "modernize" outdated laws surrounding cybersecurity by
supporting the broad legislative...
Univ. of Hawaii settles with 98,000 over five breaches
Jake Kouns (Jan 30)
http://www.scmagazine.com/univ-of-hawaii-settles-with-98000-over-five-breaches/article/225158/
The University of Hawaii (UH) has settled a class-action data breach
lawsuit brought by nearly 100,000 students, faculty, alumni and staff,
according to the plaintiffs' lawyers.
The suit relates to five breaches in all, including one involving the
inadvertent posting online of personal information by a faculty member
who accidentally uploaded...
US Security Chief Calls EU 24-Hour Data Breach Notification Rule ‘Unworkable’
Jake Kouns (Jan 30)
http://www.techweekeurope.co.uk/news/us-security-chief-calls-eu-24-hour-data-breach-notification-rule-absolutely-unworkable-56752
New data privacy regulations being considered by the European Union
will present serious complications for US companies doing business in
Europe, according to Bob Quinn, an AT&T security and data privacy
executive who took part in a panel at the George Washington University
School of Law in Washington, DC.
For...
Firms face tough new EU fines for data breaches
Jake Kouns (Jan 30)
NEWS
Businesses may be fined two percent of turnover for serious data
breaches under tough new data-protection rules proposed by the
European Commission.
EU commissioner Viviane Reding has said firms could be fined up to two
percent of turnover for serious data breaches, under new proposals.
Firms should inform national data-protection authorities within a day
of serious exposure of personal data, justice commissioner Viviane
Reding told a...
Data breach exposes info on NY utility customers
Jake Kouns (Jan 30)
http://gcn.com/articles/2012/01/25/agg-ny-utilities-data-breach.aspx
Nearly 2 million customers of two New York-based utility companies
have had personal data compromised in a data breach, Threat Post
reports.
The New York State Public Service Commission said Jan. 23 that it was
looking into an incident in which a software consulting firm employee
gained unauthorized access to the databases of New York State Electric
& Gas and Rochester Gas...
IT Pros Believe Data Breach Harm Assessment Is More Valuable Than Victim Notification, Study Says
Jake Kouns (Jan 30)
http://www.pcworld.com/businesscenter/article/248724/it_pros_believe_data_breach_harm_assessment_is_more_valuable_than_victim_notification_study_says.html
IT professionals believe that assessing the potential harm caused by
data breaches is more useful to mitigating the effects of such
incidents than notifying affected individuals, according to a survey
published on the day the European Union's proposed a 24-hour deadline
for data breach...
fringe: O2 apology for disclosing mobile phone numbers online
security curmudgeon (Jan 30)
http://www.bbc.co.uk/news/technology-16725531
25 January 2012 Last updated at 13:29 ET
O2 apology for disclosing mobile phone numbers online
O2 has apologised for a technical problem which caused users' phone
numbers to be disclosed when using its mobile data.
The company said it normally only passed numbers to "trusted partners".
A problem during routine maintenance meant that from 10 January numbers
could have been seen by...
Fwd: Information on your DreamHost account - please change your passwords
Steve Darrall (Jan 23)
---------- Forwarded message ----------
From: <do.not.reply () dreamhost com>
Date: 22 January 2012 02:15
Subject: Information on your DreamHost account - please change your
passwords
To: user () domain com
IMPORTANT INFORMATION: We are writing to let you know that there may have
been illegal and unauthorized access to some of your passwords at DreamHost
today. Our security systems detected the potential breach this morning and
we...
EU Data-Privacy Rules to Make Breach Disclosures Mandatory Within 24 Hours
Jake Kouns (Jan 23)
http://www.bloomberg.com/news/2012-01-22/eu-s-reding-says-users-to-be-told-of-data-hacks-within-24-hours.html
A European Union proposal to simplify and toughen the region’s
data-protection rules will require companies to disclose data breaches
within 24 hours of their occurrences, Justice Commissioner Viviane
Reding said.
The EU will this week outline an overhaul of its 17-year-old
data-protection policies addressing online advertising and...
Third Circuit Holds Data Breach Plaintiffs Lack Standing
Jake Kouns (Jan 23)
http://www.huntonprivacyblog.com/2012/01/articles/third-circuit-holds-data-breach-plaintiffs-lack-standing/
On December 12, 2011, the United States Court of Appeals for the Third
Circuit affirmed a decision that employees of Ceridian Corporation’s
(“Ceridian’s”) customers did not have standing to sue Ceridian after
the payroll processing firm suffered a data breach.
In December 2009, a hacker may have gained access to personal and...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
problems using SMB_enumshares on Windows 2008R2?
Mee, John H (Feb 02)
I cannot get a list of known shares on a Windows 2008R2 Datacenter
edition. I get messages indicating that it successfully scanned the
server (this is test server in my lab), and I can get to a known share
via "net use" and nMap shows it is alive and well, but likewise, it does
not return any shares.
Based on the .pcap files, it appears that smb_enumshares uses lanman and
2008R2 uses smb2 queries.
Are there any alternatives, fixes,...
Fwd: against EMET?
Joshua Smith (Feb 02)
Oops, forgot to include the list...
-Josh
Re: against EMET?
Joshua Smith (Feb 01)
Tho if u r just talking about binary payloads you'll want to google around, scriptjunkie has a nice write up on it from
a while back (scriptjunkie.us). Has to do with the stub msf uses to generate the binary iirc
-Josh
Re: against EMET?
Joshua Smith (Feb 01)
In the case you specified you would get caught because you are using psexec, just like many AVs might detect use of the
sysinternals version. MSF's psexec is fundamentally different from most other MSF exploit mods, with psexec u are
exploiting your knowledge of creds or hashes. A regular exploit payload would not usually be an exe as the payload is
being injected into a running process.
-Josh
Re: against EMET?
Chip (Feb 01)
It is my understanding that although Metasploit can create custom
payloads as such:
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set EXE::Custom /tmp/mypayload.exe
EXE::Custom => /tmp/mypayload.exe
these would generally be detected by AV (correct me if I'm wrong).
Is there someplace on the net where we can learn how to generate "real"
custom payloads that can then be folded into Metasploit?
Thanks.
Re: against EMET?
HD Moore (Feb 01)
The stager is used for both EXE generation and normal payloads
(in-memory). AV detection is usually due to the EXE generator's output
template hitting known signatures or the mechanics of the stager being
detected encoded on disk (but the former is much more common). Getting
some experience writing custom payloads of any type (whether it's a
stager, stage, or single in metasploit terms) will help with HIPS, IDS,
and AV evasion.
-HD
Re: against EMET?
Stephen Haywood (Feb 01)
Is the stager typically caught by the AV because it gets written to disk
but the payload doesn't get caught because it is in memory? If that is the
case, then learning how to write custom stagers is a good skill to have for
bypassing AV right?
Re: against EMET?
HD Moore (Jan 31)
The problem is a bit of cat-and-mouse - no plans now to rework payloads
and stagers to avoid it, but we may do so if it becomes default at some
point. The previous EAF and other hook filters were easy to bypass, but
even between 2.0 and 2.1 changes were made to how the hooks were done.
If you want to get started, the stager code is likely your best bet -
once it's been modified to do whatever is needed for EMET-$current, you
can use the rest of...
Re: framework Digest, Vol 48, Issue 15
PCanyi (Jan 31)
http://technet.microsoft.com/en-us/security/gg524265
These are some words in the page as follows:
This mitigation has proved to be quite effective, and even the author of the metasploit module for this vulnerability
suggests installing EMET so it will be harder to successfully exploit the vulnerability.
Mandatory ASLR is just one of the six mitigations bundled with EMET version 2.0. To read more about EMET, including a
link to the...
against EMET?
Jun Koi (Jan 30)
hi,
i am wondering how we are doing against EMET (running on Windows XP, for ex)?
is it true that most (or even all?) exploits in Metasploit fail against EMET?
if so, is there any plan to fix the problem?
many thanks,
Jun
Re: Using sudo as root
Tod Beardsley (Jan 29)
I'm not entirely sure what the difference is that Danux escreveu is
describing -- two different msfconsole's maybe? But regardless:
To retain your environment, and if BT5 has rvm, you can either
rvmsudo msfconsole
or if not:
sudo -s -E msfconsole
and the -E should keep your old env settings.
-todb
Using sudo as root
Cristian Livadaru (Jan 29)
I was searching google for the nmap error "Traceroute does not support idle or connect scan"
and found this message:
it has nothing to do with permissions! When starting nmap from the msfconsole with sudo, you end up with different
environment settings and it starts a different version of NMAP !
I assume you have done this:
root () root:~# cd /opt/framework/msf3/
root () root:/opt/framework/msf3# msfconsole
...SNIP...
msf >...
Re: wdbrpc_memory_dump.rb bug and question
Robin Wood (Jan 25)
The only reason I moved the original file away was in case it
overwrote the existing file when I restarted the download, I didn't
want to lose the 30% already downloaded. Now I know the intended
functionality it makes perfect sense and the fix you've put in should
be fine. I've finished the job I was on where I could test this so
I'll trust you that it works fine and hopefully have chance to test it
some time in the future....
Re: wdbrpc_memory_dump.rb bug and question
Joshua J. Drake (Jan 25)
Robin,
Setting the "OFFSET" variable indicates that you wish to resume a
partial dump. This feature is intended to be used along with an
existing dump that did not complete.
The initial portion of the dump should remain undisturbed while the
new parts will be written starting at the supplied offset. Currently,
starting at a specific offset and writing to a new file is not
supported. This is due to some strangeness with ruby's...
Re: wdbrpc_memory_dump.rb bug and question
Robin Wood (Jan 25)
I've just reproduced this showing the directory exists but the file
doesn't, this is only when the offset is set to non-zero, if I set it
to 0 then it runs fine. I'll put a ticket in for it.
Robin
msf auxiliary(wdbrpc_memory_dump) > run
[*] Attempting to dump system memory, starting at offset 0xecfb8f0
[*] 10.21.10.22 Connected to VxWorks5.5.1 - Motorola E500 : Unknown
system version ()
[*] Dumping 0x10000000 bytes from base...
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Re: Remaining Wireshak stuff during FOSDEM
Sylvain Munaut (Feb 05)
Hi,
Something pretty important to me is that the code can be modified to
"look" nice.
For eg. when you look at the TETRA dissectors that uses ASN.1
autogenerated stuff the field values are presented but the names are
obscure and most of the time you have no idea what they mean unless
you have the spec opened at the right page beside you.
While on the other hand when you look at the output of the manually
crafted CSN1 (well, it uses a...
filters name : gmr1_xxx vs gmr1.xxx
Sylvain Munaut (Feb 05)
Hi,
I'm about to submit GMR-1 dissectors and when running them through the
checkfiltername script, it warns me about the name I chose.
Since GMR-1 has different channel types with completely different
messages (and messages encoding), there are several packet-xxx:
packet-gmr1_dtap.c
packet-gmr1_rr.c
packet-gmr1_common.c
packet-gmr1_bcch.c
So far I had named the filters in the field definition like
gmr1.bcch.xxx or gmr1.rr.xxx ...
Is...
Top 3 patches to review ;)
Anders Broman (Feb 05)
Hi,
I'd like to hear the opinion on these patches, apply or not? fix in a
different way...
3984: r29723 optimization, if (cinfo->col_data[col] !=
cinfo->col_buf[col]) col_data is not always a constant
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3984
Patch to fix memory leaks/errors in Lua plugin
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5575
new_packet_list: crash in add_byte_views from decrypted zigbee data...
Remaining Wireshak stuff during FOSDEM
Joerg Mayer (Feb 05)
Hello everyone,
here's the remaining wireshark/sniffing related stuff that I remember
talking about.
Ciao
Jörg
Friday:
Dinnertalk (just ideas, not discussed in detail):
- Something I can't remember
- In order to reduce the impact of buffer overflows and similar mistakes
separate out the dissection code into its own executable like it was
done with dumpcap. This process could then be run in a sandbox and talk
to...
Re: Meeting minutes from (pre)FOSDEM meeting
Joerg Mayer (Feb 05)
The idea (as I see it) would work as follows:
- We (well Gerald :) want to make a new release 1.6.n+1
- Obtain the svn revision of 1.6.n
- Go through the changelog of all patches to trunk since that
commit up to HEAD.
- Determine all commits that have the backport magic in the commit message
- Extract all these patches into individual files with their revision numbers
in the name. Create a corresponding file with the original commit message...
Re: Meeting minutes from (pre)FOSDEM meeting
Alexis La Goutte (Feb 04)
Thanks, for the minute !
I work on this topic with qtshark.
I will send a patch soon with i10n support of qtshark (with French
translations !)
Re: slow sip voip flow for large captures
Anders Broman (Feb 04)
Please add your patch as it is so we can have a look at it.
Regards
Anders
Cristian Constantin skrev 2012-02-03 15:19:
Re: Meeting minutes from (pre)FOSDEM meeting
Guy Harris (Feb 03)
...and also probably doesn't allow programs that run as root, which would be needed if the permissions on the BPF
devices aren't changed, or allow the installation of arbitrary launchd LaunchDaemons, which would be needed to change
the permissions on the BPF devices.
For libpcap and tcpdump I've learned how to work around Git's "check in frequently" orientation (my workflow *really*
matches that of CVS and SVN...
Re: Meeting minutes from (pre)FOSDEM meeting / packet-x11.c
Jeff Morriss (Feb 03)
Joerg Mayer wrote:
[...]
By "includes" does this mean all the xcbproto and mesa files that are
required to rebuild the X11 dissector? The whole Mesa tree (of which I
have no clue how much we need) is (was) like 53 Mb. I suppose we could
try to pull out only what we need, but... Seems like a bunch of work
for a benefit I don't see [yet].
Re: Meeting minutes from (pre)FOSDEM meeting
Bill Meier (Feb 03)
So: Do you think fixing the current Makefile.nmake to be able to do
out-of-tree builds is worth any effort ?
I think I read the above to indicate "no" (or maybe: "wait until
non-cygwin name is complete and then fix that" ?)
Re: Meeting minutes from (pre)FOSDEM meeting
Graham Bloice (Feb 03)
My main interest in CMake for Windows is to produce VS project files to ease the entry barrier for windows devs wedded
to VS.
The out of tree build idea came up when discussing CMake which apparently by default creates Makefiles for an out of
tree build, and this would help those Windows devs trying to build both Win32 and win64 from the same source tree.
For an out of tree nmake I would think you would need cl and linker flags indicating...
Re: Meeting minutes from (pre)FOSDEM meeting
Jaap Keuter (Feb 03)
Hi all down there in Belgium,
I see I missed a lot already :/ Good to see so many things discussed.
Well done documenting this Jörg.
Without starting a complete discussion I would like to put in my 2
cents.
Re: Meeting minutes from (pre)FOSDEM meeting
Bill Meier (Feb 03)
Jörg:
Thanks for the detailed write-up.
Bill
(See below)
+1
Meaning: out-of-tree using nmake ?
(If so, I could take a shot at that).
Meeting minutes from (pre)FOSDEM meeting
Joerg Mayer (Feb 03)
As some people met in Brussels on the eve of FOSDEM and talked about Wireshark,
here are some notes on what was talked about. We just don't want to leave anyone
out on what was talked about.
As usual: These are personal opinions etc, nothing is set in stone....
ciao
Jörg
Next release:
- we have interesting new features
+ multi interface capture:
o how will people feel about the additional click required to get to capture...
Re: slow sip voip flow for large captures
Cristian Constantin (Feb 03)
cristian: but this means really 2 different patches which I have to
test separately, right?
otoh:
* the append operation on lists with over 10k elements is really cpu
intensive (imo it
does NOT actually make sense to iterate over 10k pointers just to get
to the end of
some linked list)
* if one does NOT apply that patch (step 3),
one cannot actually see the actual improvement.
I will open one bug report and post the results/patches there.
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Re: Compiling Snort and Razorback Error
Jonathan S. Abrams (Feb 05)
I am trying to install Snort v2.9.2.1 on OS X Server v10.6.8 and I am
running into the same problem with Razorback. The fix for v10.4.11 was to
install pkg-config 0.23. I installed pkg-config 0.25 on OS X Server
v10.6.8 and I am still having this problem.
Does anyone reading this know what could be the problem this time?
Re: Where Is libprelude?
Jonathan S. Abrams (Feb 05)
I do have an m4 directory with a libprelude.m4 file inside of it.
At the root of daq (not libdnet, sorry!), I ran autoreconf -isvf and still
received this error.
I resolved the error by copying libprelude.m4 to /usr/share/aclocal. Was
this supposed to be done by the commands I run during the install process?
Re: how to release a Snort IPv6 plugin?
Joel Esler (Feb 05)
If you didn't hear different, we didn't ask you to sign over copyright.
Re: how to release a Snort IPv6 plugin?
Joshua Kinard (Feb 05)
The non-IP layer 3 detection patch included several new files. Not being
certain how you guys did copyright, I assigned copyright of those new files
to myself. They probably qualify for the referenced form. Or does that
only matter if you guys decide to include the code in a future release?
Re: [Emerging-Sigs] How can i prevent from the MS09-004 and MS08-040 HIRisk ?
Joel Esler (Feb 05)
Well, these are VRT rules.
Nessus for the most part simply checks for patch level using local credentials on the system.
Re: how to release a Snort IPv6 plugin?
Joel Esler (Feb 05)
We don't have a form for patches. Just for big contributions of code.
Re: [Snort-users] Public Bugzilla? [was: threshold -- is it really deprecated?]
Joshua Kinard (Feb 05)
Sounds good. LKML ran for years before adding a public bugzilla to deal
with those that like that system. I'd say that, 95% of patches and bugs
still come in on that mailing list, though, so it's a system that works.
Worth an inquiry.
Cheers!
Re: how to release a Snort IPv6 plugin?
Joshua Kinard (Feb 05)
Re #2, Is there a form for this? That's one of the confusing bits I had on
the non-IP layer 3 patch I sent in a while back. I am on file with the FSF
(if it matters), though that was years ago for a small patch to GCC.
Re: [Snort-users] Public Bugzilla? [was: threshold -- is it really deprecated?]
Joel Esler (Feb 04)
Followup to this. We had a bugzilla system. It seems that no one ever used it. It's different from our internal
bugzilla system that we actually commit code with and annotate. So I made the decision to kill it. Reason being, most
bugs and feature requests are submitted through the bugs[ () ] email address. I handle all the bugs that come into the
system through the community anyway and provide feedback to the reporters when I know...
Re: snort 2.9.2 disable alerts for so_rules (p2p)
Joel Esler (Feb 04)
Not necessarily true. While we recommend you use PulledPork, after some more thought and discussion inside the VRT
we've realized this may not be the only way that people can feasibly deploy our rulesets. So we are looking at a way
to "level the playing field", as it were, with regard to the needs for PulledPork.
As of right this second, we recommend you use it, and we always will for rule management. But your cry of help...
Re: how to release a Snort IPv6 plugin?
Joel Esler (Feb 04)
Okay, so there are two ways to go about this.
#1 -- you release it on your own, pick a high GID and SID range that we wouldn't use any time soon, and you go on your
merry way as an additional plugin.
#2 -- You give us the code for possible incorporation into the Snort tree. The way that works is that you sign over
all Copyright to the code to Sourcefire, and we attribute it back to you.
Re: snort 2.9.2 disable alerts for so_rules (p2p)
waldo kitty (Feb 04)
i haven't read it yet and i understand what you are saying BUT there are
environments where it is NOT feasible or capable to run pulledpork... /THAT'S/
what i and others are pointing out and trying to clarify...
sadly, it is starting to look like snort is /not/ going to be able to be used in
environments like ours and that's NotAGoodThing<tm> :(...
Re: snort 2.9.2 disable alerts for so_rules (p2p)
JJ Cummings (Feb 04)
Simply commenting the stub will disable it, if it doesn't then something else is amuck... I.E. another entry of the
same stub etc...
Sent from the iRoad
Re: snort 2.9.2 disable alerts for so_rules (p2p)
Joel Esler (Feb 03)
http://blog.snort.org/2012/01/importance-of-pulledpork.html
Re: snort 2.9.2 disable alerts for so_rules (p2p)
waldo kitty (Feb 03)
+1000000000000000000~
OpenVAS — Development and announcements regarding OpenVAS, a free network security scanner which forked from Nessus. This is a combination of the English openvas-announce, openvas-devel, openvas-discuss, and openvas-plugins lists.
CentOS 6 patch for gather-package-list.nasl
Tom H (Feb 05)
In order to get the plugins that relied upon gather-package-list to run
against CentOS 6 boxes, I had to add a test for CentOS 6... here is a
diff for the NVT feed if anyone has the same problem...
122a123
> "CENTOS6", "cpe:/o:centos:centos:6",
557c558,565
< #CentOS release 3.4 (final)
---
> #CentOS release 3.4 (final)
> if("CentOS release 6" >< rls) {
> buf = ssh_cmd(socket:sock,...
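Review bot: in the 557c558,565 hunk the new "CentOS release 6" test is placed directly under the comment "#CentOS release 3.4 (final)", so that comment reads as if it describes the CentOS 6 branch; add a sample CentOS 6 banner comment above the new test instead. The same comment line appears on both the "<" and ">" sides, which suggests a whitespace-only change that should be dropped from the patch. Posting this as a unified diff against a named file, rather than bare line-number hunks, would also make it easier to apply to the feed.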
How to determine why openvas-plugin test has true results (Arora - oid=1.3.6.1.4.1.25623.1.0.902764)
Tom H (Feb 05)
Hi all,
I'm doing a scan against a newly built server and I am getting a positive
result for " Arora Common Name SSL Certificate Spoofing Vulnerability
(Linux)"
I pulled up the script, and it seems to be searching the binary with
file name "arora"; (
modName = find_file(file_name:"arora", file_path:"/usr/bin/",
useregex:TRUE, regexpar:"$", sock:sock);
However the...
Re: OpenVAS Documentation Project
Geoff Galitz (Feb 05)
Ah.. the pitfalls of volunteer based projects. For whatever reason the wiki
was up, then went unavailable and I haven't been able to contact the site
owner. If he is still around he'll comment. If he doesn't respond in the
next day or three we'll need a new solution.
-Geoff
-----Original Message-----
From: Tim Brown
Sent: Sunday, February 05, 2012 1:20 AM
To: openvas-discuss () wald intevation org
Subject: Re:...
Re: OpenVAS Documentation Project
Tim Brown (Feb 04)
Where did we get with this? I have 2 lots of wiki content from previous
iterations.. the official wiki from when the project started.
Tim
Re: About Test HTTP dangerous methods
Michael Meyer (Feb 04)
*** sight In <insight.labs2012 () gmail com> wrote:
mime () kira[4]: ~ 0)$ telnet 85.90.165.136 80
Trying 85.90.165.136...
Connected to 85.90.165.136.
Escape character is '^]'.
OPTIONS * HTTP/1.1
Host: 85.90.165.136
HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Sat, 04 Feb 2012 17:20:52 GMT
Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR, COPY, CONNECT, PROPFIND, PROPPATCH,
MKCOL,...
Re: About Test HTTP dangerous methods
sight In (Feb 04)
ok , i don't know why my results are different. i use OPTIONS checked
85.90.165.136 Sun-Java-System-Web-Server/7.0
Allow: HEAD, GET, TRACE
205.183.255.195 Netscape-Enterprise/4.1
Allow: HEAD, GET
Thanks
2012/2/4 Michael Meyer <michael.meyer () greenbone net>
Re: About Test HTTP dangerous methods
Michael Meyer (Feb 04)
*** sight In <insight.labs2012 () gmail com> wrote:
Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR
Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS, MOVE, INDEX, MKDIR, RMDIR
Allow: HEAD, GET, PUT, POST, DELETE, TRACE, ...
Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS
And the NVT reports:
"It seems that the PUT method is enabled on your web server
Although we could not exploit this,...
Re: About Test HTTP dangerous methods
sight In (Feb 03)
hi
i think caused fp on Netscape-Enterprise/4.1 and
Sun-Java-System-Web-Server/7.0 .
i through SHODAN fingerprint search the target for testing and encountered
FP
ex:
81.26.146.131 Netscape-Enterprise/4.1
205.183.255.195 Netscape-Enterprise/4.1
85.90.165.136 Sun-Java-System-Web-Server/7.0
198.119.166.86 Sun-Java-System-Web-Server/7.0
Thanks
2012/2/3 Michael Meyer <michael.meyer () greenbone net>
Re: Plugins reload
Derek Wuelfrath (Feb 03)
Do you need any log reports ?
Anything that can help you?
It's really annoying to have to wait almost 10 minutes for a scan to
complete.
Re: SSL WEAK CIPHER : secpod_ssl_ciphers.nasl vs sslscan
Antu Sanadi (Feb 03)
Hi,
Fixed the issue and committed the updated plugin.
If you want to list all supported ciphers, you need to enable
"List SSL Suported Ciphers" in Prefs section.
Please let me know if you found any issues.
Thank you!
Regards,
Antu Sanadi
SecPod Technologies Pvt Ltd
Call for vote: CR59 (NVT Feed message consolidation)
Jan-Oliver Wagner (Feb 03)
Hello,
I'd like to call for a vote on Change Request #59 (NVT Feed
message consolidation) which has been around for quite some time
already.
I reworked it with some feedback I received meanwhile:
http://www.openvas.org/openvas-cr-59.html
My vote, naturally, is +1 :-)
All the best
Jan
Re: About Test HTTP dangerous methods
Michael Meyer (Feb 03)
*** sight In <insight.labs2012 () gmail com> wrote:
So far I have not seen a FP from this NVT. Please provide more
information. What kind of Webserver, what's the message from this NVT,
...
Micha
Re: SSL WEAK CIPHER : secpod_ssl_ciphers.nasl vs sslscan
Sébastien AUCOUTURIER (Feb 02)
i can give you 'in private' the website for testing purpose if you need
it.
On 2/3/2012 08:34, Antu Sanadi wrote:
Re: SSL WEAK CIPHER : secpod_ssl_ciphers.nasl vs sslscan
Antu Sanadi (Feb 02)
Hi,
Thanks for reporting issue. Let me check.
Regards,
Antu Sanadi
SecPod Technologies Pvt Ltd
Re: About Test HTTP dangerous methods
Antu Sanadi (Feb 02)
Hi,
Plugin works fine. I didn't find any false positive.
Case 1:
Here, after the PUT request, checking for file existence.
If the file exists then it will be deleted.
Case 2:
If the file does not exist, checking for the PUT in the response.
So this won't be a false positive.
Regards,
Antu Sanadi
SecPod Technologies Pvt Ltd
We also maintain archives for these lists (some are currently inactive):
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.