SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.
Re: Exception fail / crash
Henri Doreau (Jan 27)
2012/1/27 Henri Doreau <henri.doreau () gmail com>:
After consideration I think that it would ease readability,
maintenance and prevent copy/paste problems like the one I've just
fixed in r27936.
I would therefore suggest applying the patch attached. It removes the
need for the callers to cleanup the event sets.
Regards.
Re: Exception fail / crash
Henri Doreau (Jan 27)
2012/1/27 David Fifield <david () bamsoftware com>:
Sure, sorry for that obscure brevity...
Bug:
It could happen that nsock wants to add and suppress two events of the
same kind on a given IOD. I have added an assertion in update_events()
in order to force the caller to handle these cases. Previously (before
nsock-engines) they were removed and re-added; the cost was negligible
with the bitfields used by select(), but that's expensive...
Re: Exception fail / crash
David Fifield (Jan 27)
Can you describe the bug and fix?
David Fifield
New VA Modules: NSE: 3, OpenVAS: 2, MSF: 3, Nessus: 10
New VA Module Alert Service (Jan 27)
This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.
== Nmap Scripting Engine scripts (3) ==
r27919 broadcast-xdmcp-discover http://nmap.org/nsedoc/scripts/broadcast-xdmcp-discover.html
Discovers servers running the X Display Manager Control Protocol (XDMCP)
by sending a XDMCP broadcast request to the LAN. Display managers
allowing access are marked using the keyword Willing in...
Re: Exception fail / crash
Henri Doreau (Jan 27)
2012/1/27 Ron <ron () skullsecurity net>:
Thanks for testing, I have committed it as r27935.
Re: Exception fail / crash
Ron (Jan 27)
The patch fixed the issue. Thanks!
Ron
Re: Exception fail / crash
Henri Doreau (Jan 27)
2012/1/27 Ron <ron () skullsecurity net>:
Thanks a lot, can you try the patch attached first?
Regards.
Re: Exception fail / crash
Ron (Jan 27)
I got it loaded in gdb. I don't really know how to use gdb, though, so let me know if there are any commands you want
me to run.
Here's the backtrace:
#0 0x00007ffff61f7b05 in raise () from /lib64/libc.so.6
#1 0x00007ffff61f8f86 in abort () from /lib64/libc.so.6
#2 0x00007ffff61f0735 in __assert_fail () from /lib64/libc.so.6
#3 0x00000000004a8ed7 in update_events (iod=<optimized out>,
ms=<optimized out>,...
Re: Exception fail / crash
Henri Doreau (Jan 27)
2012/1/27 Ron <ron () skullsecurity net>:
Hi Ron,
Thanks for the report. I'll investigate the problem.
Currently I can't reproduce it, so a coredump or debug output would
probably help, if that's ok for you.
Regards.
Exception fail / crash
Ron (Jan 27)
Hey,
I'm running into this exception:
nmap: nsock_core.c:186: update_events: Assertion `(ev_inc & ev_dec) ==
0' failed.
It happens during the script scan. I can reproduce the error, but it takes a couple of hours. Here's my command line:
sudo ./nmap -sT -T4 -n -d -p- -A --log-errors --script="(safe or http-*
or smtp-* or pop3-* or sip-*) and not *brute* and not *broadcast* and
not *fuzz* and not *firewalk* and not...
New VA Modules: OpenVAS: 2, MSF: 1, Nessus: 28
New VA Module Alert Service (Jan 26)
This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.
== OpenVAS plugins (2) ==
r12525 103401 gb_EPractize_Subscription_Manager_50919.nasl
http://wald.intevation.org/plugins/scmsvn/viewcvs.php/trunk/openvas-plugins/scripts/gb_EPractize_Subscription_Manager_50919.nasl?root=openvas&view=markup
EPractize Labs Subscription Manager 'showImg.php' PHP Code Injection...
Re: Unused captures in nmap-service-probes
David Fifield (Jan 26)
Thank you. This was very helpful. I committed your patch, some
additional changes by Rob Nicholls, and then handled the remaining ones
myself. Marking the non-capturing groups helps because now I can turn on
those warnings by default in sv-tidy and we won't have to do this big
fix again in the future.
Indeed; very few people are going to see "My spelling is Wobbly."
David Fifield
New VA Modules: NSE: 2, OpenVAS: 25, Nessus: 26
New VA Module Alert Service (Jan 25)
This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.
== Nmap Scripting Engine scripts (2) ==
r27896 broadcast-dhcp6-discover http://nmap.org/nsedoc/scripts/broadcast-dhcp6-discover.html
Sends a DHCPv6 request (Solicit) to the DHCPv6 multicast address. It
parses the response and extracts the address along with any options
returned by the server.
r27899 iax2-brute...
Problems downloading
Brian Poppe (Jan 24)
Your servers are constantly timing out when trying to download the Windows installer. The speeds will be 140-150KB/s
and then the download will stop. There is no consistency to when it stops - sometimes after 6MB, sometimes 20%,
sometimes 65%. I've tried from multiple servers and 2 different internet connections with the same result. I'm going
to keep trying and hopefully it will let me finish the download eventually.
Just...
[NSE] New script iax2-brute
Patrik Karlsson (Jan 24)
Hi all,
I just committed a script called iax2-brute that performs brute-force
password guessing against the Asterisk IAX2 protocol.
It performs reasonably well against my systems reaching almost 1000 guesses
per second.
Cheers,
Patrik
Nmap Hackers — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Updates on Download.Com caught adding malware to Nmap installer
Fyodor (Dec 06)
Hi Folks. A lot has happened since yesterday's email about
Download.com's antics (http://seclists.org/nmap-hackers/2011/5) and I
wanted to send a quick update.
First of all, several people complained about my angry tone and my
telling Download.com to "F*ck" themselves. I apologize to anyone
offended. But if you ever spend more than 14 years creating free
software as a gift to the community, only to have it used as bait by...
C|Net Download.Com is now bundling Nmap with malware!
Fyodor (Dec 05)
Hi Folks. I've just discovered that C|Net's Download.Com site has
started wrapping their Nmap downloads (as well as other free software
like VLC) in a trojan installer which does things like installing a
sketchy "StartNow" toolbar, changing the user's default search engine
to Microsoft Bing, and changing their home page to Microsoft's MSN.
The way it works is that C|Net's download page (screenshot attached)...
SecTools.Org relaunched based on your survey responses!
Fyodor (Nov 04)
Hi folks! Remember the latest Nmap survey that almost 3,000 of you
filled out? Well, it took a while, but I'm happy to report that we've
tabulated the results and launched a new version of the SecTools.Org
top security tools list! In addition to updating the data, we've
dramatically improved the site. It now includes user ratings and
reviews, tracks release dates, offers searching and sorting, and even
lets you nominate your...
Nmap 5.59BETA1 Released!
Fyodor (Jun 30)
Hi Folks. Other than the recent informal IPv6 commemorative edition,
we haven't had a real Nmap release in more than four months since
5.51. That is in part because we've been so busy with seven (!)
full-time Google Summer of Code students cranking out tons of
excellent code! But I think we've pulled this together into a release
we can be proud of, and I'm happy to announce Nmap 5.59BETA1!
This version includes:
o 40 new...
Happy World IPv6 Day From the Nmap Project!
Fyodor (Jun 08)
Hi Folks. You have probably heard that today is World IPv6 Day, with
sites like Google, Facebook, and Yahoo publishing IPv6 records for
their main web sites. I'm happy to report that the Nmap Project is
celebrating in several ways:
==Scanme Updated to IPv6==
You probably know that we run the machine scanme.nmap.org as a system
people are allowed to use as a target for test scans and the like.
That system now has native IPv6 support. So...
Nmap 5.51 and SoC Opportunity
Fyodor (Apr 05)
Hi Folks! I'm happy to report that the Nmap 5.50 release was a big
success, with nearly 300,000 downloads in the first two weeks. That
much attention inevitably uncovers some bugs, so we released Nmap 5.51
in February to address them. You can find the release notes at
(http://seclists.org/nmap-dev/2011/q1/518) and the downloads at
http://nmap.org/download.html.
I also wanted to let you know about a serious potential competitive
threat to...
Nmap 5.50: Now with Gopher protocol support!
Fyodor (Jan 28)
Hi folks! It has been a year since the last Nmap stable release
(5.21) and six months since development version 5.35DC1, so I'm
pleased to release Nmap 5.50! I'm sure you'll find that it was worth
the wait!
A primary focus of this release is the Nmap Scripting Engine, which
has allowed Nmap to expand up the protocol stack and take network
discovery to the next level. Nmap can now query all sorts of
application protocols,...
Nmap Defcon Release: Version 5.35DC1
Fyodor (Jul 16)
Hi folks. It has been 3.5 months since the last Nmap release
(5.30BETA1 on March 29), and anyone following the nmap-dev list knows
that we've been very busy during that time. So I'm pleased to release
Nmap version 5.35DC1 containing the fruits of that labor. The Defcon
name is because that conference is awesome! And also because David
Fifield and I have an exciting Nmap talk planned there and at Black
Hat in a couple weeks (see...
Nmap News and Last Chance to Take the Survey
Fyodor (Apr 30)
Hi Folks. I have some Nmap news to share with you:
First off, I'm delighted to introduce the 2010 Nmap/Google Summer of
Code Team! Google has sponsored eight student developers to spend
this summer enhancing the Nmap Security Scanner and related projects,
so you can expect great things in coming months. Ithilgore and Luis
MartinGarcia are returning to improve Ncrack and Nping, new students
Drazen Popovic and Djalal Harouni will be...
Survey Reminder
Fyodor (Apr 14)
Hi folks, I have a quick question for you:
Q: What do the Nmap Scripting Engine, Ndiff, and the Zenmap Topology
Mapper have in common?
A: They're all features which were added after you asked for them in
the 2006 Nmap Survey!
With that in mind, I'd like to thank the 1,013 people who have already
taken the 2010 survey. We just need 1,987 more and we can close this
survey up, tabulate and share results, choose the prize winners,...
Nmap/SecTools Survey and GSoC Deadline
Fyodor (Apr 07)
Hello everyone. I hope you're enjoying the 5.30BETA1 release. So far
it has proven stable and functional, so don't let the BETA name scare
you. You can get it at http://nmap.org/download.html. Meanwhile, I
have some great news, and I'm also asking for your help on two things.
The first is that the Nmap Project was again accepted for the Google
Summer of Code program, so we'll have full time coding help this
summer! SoC...
Nmap 5.30BETA1 Released w/37 new scripts and new Apple vuln
Fyodor (Mar 29)
Hi folks! It has been two months since the 5.21 release and we've
been very busy during that time! I hope you're happy with the results,
which is a new 5.30BETA1 release made today. Top features include:
o 37 new NSE scripts, bringing the total to 117! New scripts cover
SNMP, SSL, Postgres, MySQL, HTTP, LDAP, NFS, DB2, AFS, and many
more. Also check out the clever host scripts qscan and
ipidseq. Learn about them all at...
Nmap 5.21 released
Fyodor (Jan 27)
Hello everyone. I'm pleased to release Nmap 5.21, which contains zero
exciting new features! It is a bug-fix only release instead,
addressing about a dozen issues discovered since 5.20. Thanks for all
the testing and bug reports! None of the bugs are critical, but we
wanted to polish things up since 5.21 may be the latest stable version
for a while. That gives us time to tackle and stabilize big
development projects. If you want to...
Lots of Nmap News
Fyodor (Jan 22)
Hi folks. I'm happy to report that the 5.20 release went well. But
with this many improvements, there will always be a few bugs found.
We're planning to round those up with a bugfix-only 5.21 release next
week. So please test out 5.20 and report any problems you experience:
Download Page: http://nmap.org/download.html
Bug Report Instructions: http://nmap.org/book/man-bugs.html
If you're running from a build of the latest SVN...
Nmap 5.20 Released
Fyodor (Jan 20)
Happy new year, everyone. I'm happy to announce Nmap 5.20--our first
stable Nmap release since 5.00 last July! It offers more than 150
significant improvements, including:
o 30+ new Nmap Scripting Engine scripts
o enhanced performance and reduced memory consumption
o protocol-specific payloads for more effective UDP scanning
o a completely rewritten traceroute engine
o massive OS and version detection DB updates (10,000+ signatures)...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
AdaCore Security Advisory SA-2012-L119-003 Hash collisions in AWS
Thomas Quinot (Jan 27)
AdaCore Security Advisory
=========================
SA-2012-L119-003 Hash collisions in AWS
Problem: Impacted versions of AWS store key/value pairs from submitted
form data in hash tables using a hash function that has
predictable collisions. As a result, a single specially crafted
HTTP request can cause the server to use hours of CPU time,
thus causing a denial of service.
Impact:...
[HITB-Announce] Reminder: HITB2012AMS Call For Papers Closing Soon
Hafez Kamal (Jan 27)
This is a gentle reminder that the Call for Papers for the third annual
HITBSecConf in Europe closes on the 18th of February! Send in your
submissions now!
http://cfp.hackinthebox.org/
---
This year, we're moving to a new, bigger and better venue -- the
award-winning Okura Hotel right in the middle of Amsterdam with easy access
via public transportation. #HITB2012AMS will be a quad-track conference
featuring keynote speakers Andy Ellis (Chief...
[ GLSA 201201-15 ] ktsuss: Privilege escalation
Sean Amoss (Jan 27)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201201-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: ktsuss: Privilege escalation
Date: January 27, 2012...
[SECURITY] [DSA 2394-1] libxml2 security update
Luciano Bello (Jan 27)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2394-1 security () debian org
http://www.debian.org/security/ Luciano Bello
January 27, 2012 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : libxml2
Vulnerability : several
Problem type : remote...
ESA-2012-007: RSA, The Security Division of EMC, announces security fixes for RSA enVision
Security_Alert (Jan 26)
ESA-2012-007: RSA, The Security Division of EMC, announces security fixes for RSA enVision
Advisories
Updated January 25, 2012
Summary:
RSA, The Security Division of EMC, announces security fixes to address a security vulnerability and provide an
enhancement in RSA enVision®.
Affected Products:
RSA enVision 4.x
Description:
CVE Identifier: CVE-2011-4143
This release addresses an environmental variable disclosure vulnerability. The...
ESA-2012-005: EMC NetWorker buffer overflow vulnerability
Security_Alert (Jan 26)
ESA-2012-005: EMC NetWorker buffer overflow vulnerability.
EMC Identifier: ESA-2012-005
EMC Identifier: NW135173
CVE Identifier: CVE-2012-0395
Severity Rating: CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Affected products:
EMC NetWorker Server 7.5.x
EMC NetWorker Server 7.6.x
Vulnerability Summary:
EMC NetWorker Server 7.5.x and 7.6.x contain a buffer overflow vulnerability which may possibly be exploited to cause a
denial...
Cisco Security Advisory: Cisco IronPort Appliances Telnet Remote Code Execution Vulnerability
Cisco Systems Product Security Incident Response Team (Jan 26)
Cisco Security Advisory: Cisco IronPort Appliances Telnet Remote Code
Execution Vulnerability
Advisory ID: cisco-sa-20120126-ironport
Revision 1.0
For Public Release 2012 January 26 17:00 UTC (GMT)
+--------------------------------------------------------------------
Summary
=======
Cisco IronPort Email Security Appliances (ESA) and Cisco IronPort
Security Management Appliances (SMA) contain a vulnerability that may
allow a remote,...
ZDI-12-018 : Symantec PCAnywhere awhost32 Remote Code Execution Vulnerability
ZDI Disclosures (Jan 25)
ZDI-12-018 : Symantec PCAnywhere awhost32 Remote Code Execution
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-018
January 25, 2012
-- CVE ID:
CVE-2011-3478
-- CVSS:
9.7, AV:N/AC:L/Au:N/C:C/I:C/A:P
-- Affected Vendors:
Symantec
-- Affected Products:
Symantec PCAnywhere
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Symantec PCAnywhere....
NX Web Companion Spoofing Arbitrary Code Execution Vulnerability
otr (Jan 25)
# Vuln Title: NX Web Companion Spoofing Arbitrary Code Execution
# Vulnerability
# Date: 25.01.2012
# Author: otr
# Software Link: http://www.nomachine.com/documents/plugin/install.php
# Version: <= 3.x
# Tested on: Linux, Windows, Mac OS X x86, Mac OS X PPC, Solaris
# CVE : None, yet
Summary
The No Machine NX Web Companion is a Java applet that allows the user to
download and update the No Machine software from a server. The No
Machine software...
[SECURITY] [DSA-2393-1] bip security update
dann frazier (Jan 25)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2393-1 security () debian org
http://www.debian.org/security/ dann frazier
January 25, 2012 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : bip
Vulnerability : buffer overflow
Problem type :...
D-Link DIR-601 TFTP Directory Traversal Vulnerability
robkraus (Jan 25)
Vulnerability title: D-Link DIR-601 TFTP Directory Traversal Vulnerability
CVSS Risk Rating: 7.8 (High)
Product: D-Link DIR-601 Wireless N 150 Home Router
Application Vendor: D-Link
Vendor URL: www.dlink.com
Public disclosure date: 1/20/2012
Discovered by: Rob Kraus and Solutionary Engineering Research Team (SERT)
Solutionary ID: SERT-VDN-1013
Solutionary public disclosure URL:...
CSRF (Cross-Site Request Forgery) in DClassifieds
advisory (Jan 25)
Advisory ID: HTB23067
Reference: https://www.htbridge.ch/advisory/csrf_cross_site_request_forgery_in_dclassifieds.html
Product: DClassifieds
Vendor: www.dclassifieds.eu ( http://www.dclassifieds.eu/ )
Vulnerable Version: 0.1 final and probably prior
Tested Version: 0.1 final
Vendor Notification: 04 January 2012
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Risk Level: Low
Credit: High-Tech Bridge SA Security Research Lab (...
Multiple vulnerabilities in OSclass
advisory (Jan 25)
Advisory ID: HTB23068
Reference: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_osclass.html
Product: OSclass
Vendor: osclass.org ( http://osclass.org/ )
Vulnerable Version: 2.3.3 and probably prior
Tested Version: 2.3.3
Vendor Notification: 04 January 2012
Vendor Patch: 16 January 2012
Vulnerability Type: SQL Injection, XSS (Cross Site Scripting)
Status: Fixed by Vendor
Risk Level: High
Credit: High-Tech Bridge SA Security...
NGS00117 Patch Notification: Symantec PCAnywhere Local Privilege Escalation
Research () NGSSecure (Jan 25)
High Risk Vulnerability in Symantec PCAnywhere
25 January 2012
Edward Torkington of NGS Secure has discovered a high risk vulnerability in Symantec PCAnywhere
Impact: Local Privilege Escalation
Versions affected:
Symantec pcAnywhere 12.5.x
IT Management Suite 7.0 pcAnywhere Solution 12.5.x
IT Management Suite 7.1 pcAnywhere Solution 12.6.x
An updated version of the software has been released to address these vulnerabilities:...
NGS00118 Patch Notification: Symantec PCAnywhere Remote Code Execution as SYSTEM
Research () NGSSecure (Jan 25)
Critical Vulnerability in Symantec PCAnywhere
25 January 2012
Edward Torkington of NGS Secure has discovered a critical vulnerability in Symantec PCAnywhere
Impact: Remote Code Execution (pre-auth) as SYSTEM
Versions affected:
Symantec pcAnywhere 12.5.x
IT Management Suite 7.0 pcAnywhere Solution 12.5.x
IT Management Suite 7.1 pcAnywhere Solution 12.6.x
An updated version of the software has been released to address these vulnerabilities:...
Full Disclosure — A lightly moderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately, most of the posts are worthless drivel, so finding the gems takes patience.
[ GLSA 201201-17 ] Chromium: Multiple vulnerabilities
Tim Sammut (Jan 27)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201201-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Chromium: Multiple vulnerabilities
Date: January 28,...
Re: when did piracy/theft become expression of freedom
Zach C. (Jan 27)
If you buy an album used, the seller generally loses possession of it, you
gain possession of it at a reduced cost, and the original purchase still
gave the original seller and producer value. Value has still been
exchanged, assuming no literal theft was involved to make the whole thing
criminal anyway. If you make a copy, you're pretty much creating (or, if
you prefer,...
Re: when did piracy/theft become expression of freedom
Thor (Hammer of God) (Jan 27)
These arguments do more harm than good. You can't base property law on what people may not have done (of course there
are "not paid your taxes" etc - let's not get tied down with that). I'm actually surprised you made that comment. I
have a product that I own the rights to. If you don't feel like paying full price, then don't buy it. You go down the
street and buy a similar product for less money. That...
Re: when did piracy/theft become expression of freedom
Valdis . Kletnieks (Jan 27)
On Fri, 27 Jan 2012 18:06:28 GMT, Michael Schmidt said:
You might want to go read "Courtney Love Does The Math", and then ask yourself
the following:
1) You can make a case that if you copy an album instead of buying it, you're
depriving somebody of profits. But what if it's an album that you would *not*
have bought at full price anyhow? Or one that you bought used (see "first sale
principle")?
2) Who gets those...
[ GLSA 201201-16 ] X.Org X Server/X Keyboard Configuration Database: Screen lock bypass
Alex Legler (Jan 27)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201201-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: X.Org X Server/X Keyboard Configuration Database: Screen...
[SECURITY] [DSA 2396-1] qemu-kvm security update
Moritz Muehlenhoff (Jan 27)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2396-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
January 27, 2012 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : qemu-kvm
Vulnerability : buffer underflow
Problem type :...
Re: when did piracy/theft become expression of freedom
Laurelai (Jan 27)
Yeah and the US is becoming a police state, so using US law as examples
of morality is pretty shaky ground.
[SECURITY] [DSA 2395-1] wireshark security update
Moritz Muehlenhoff (Jan 27)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2395-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
January 27, 2012 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : wireshark
Vulnerability : buffer underflow
Problem type...
Re: when did piracy/theft become expression of freedom
Michael Schmidt (Jan 27)
You want to be very careful with that line of thought. You are taking the creator's, the rightful owner's, profits, which
they are entitled to if it is a product they created to be sold. You are confusing what you want with what the law
states. Theft is typically very widely defined in the law, not just what the dictionary states.
When you make a copy, you are performing a step that the manufacturer takes with physical products. Just because...
Advisory: Remote Command Execution in Gitorious
joernchen of Phenoelit (Jan 27)
Hi,
FYI, see attached.
cheers,
joernchen
Fortigate UTM WAF Appliance - Multiple Web Vulnerabilities
research () vulnerability-lab com (Jan 27)
Title:
======
Fortigate UTM WAF Appliance - Multiple Web Vulnerabilities
Date:
=====
2012-01-27
References:
===========
http://vulnerability-lab.com/get_content.php?id=144
VL-ID:
=====
144
Introduction:
=============
The FortiGate series of multi-threat security systems detects and eliminates the most damaging, content-based threats
from email and Web traffic such as viruses, worms, intrusions, inappropriate Web content and more in real time...
[ GLSA 201201-15 ] ktsuss: Privilege escalation
Sean Amoss (Jan 27)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201201-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: ktsuss: Privilege escalation
Date: January 27, 2012...
Re: when did piracy/theft become expression of freedom
Valdis . Kletnieks (Jan 27)
On Fri, 27 Jan 2012 18:01:31 +0900, Robert Kim App and Facebook Marketing said:
You may want to talk to your fellow content producers - and even more
importantly, certain content *restriction-of-distribution cartels* about
*their* sense of entitlement.
Re: VNC viewers: Clipboard of host automatically sent to remote machine
Alyx (Jan 27)
Why yes, yes there is. :) More of a distinction, in fact, than there is in
Linux world!
[SECURITY] [DSA 2394-1] libxml2 security update
Luciano Bello (Jan 27)
-------------------------------------------------------------------------
Debian Security Advisory DSA-2394-1 security () debian org
http://www.debian.org/security/ Luciano Bello
January 27, 2012 http://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : libxml2
Vulnerability : several
Problem type : remote...
Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
Re: Building an Information Asset database
Bharat Gosalia (Jan 27)
I FOUND chapter 4 somewhat relevant.
Naturally it is a copy from somewhere.
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase,...
SOAP
Thugzclub (Jan 27)
All,
do you know of a way to scan soap for injection attacks (and others). I could go to Layer 7 and get an expensive XML
gateway but don't have the money! Any open source solutions or tips/books are appreciated.
RE: Regularly Vulnerability Assessment using QualysGuard - Pro/Cons?
Wright, Joe # ATLANTA (Jan 27)
Andre;
Qualys does store credentials in the cloud; however, they also have serious security controls around the users'
information such as encryption and so forth. You may wish to look further into their security status and storage
process. Alternately, you could use something like Nessus or Tenable Perimeter Security. It really depends on what you
are trying to achieve. Qualys however tends to be expensive on initial cost and recurring...
[HITB-Announce] Reminder: HITB2012AMS Call For Papers Closing Soon
Hafez Kamal (Jan 27)
This is a gentle reminder that the Call for Papers for the third annual
HITBSecConf in Europe closes on the 18th of February! Send in your
submissions now!
http://cfp.hackinthebox.org/
---
This year, we're moving to a new, bigger and better venue -- the
award-winning Okura Hotel right in the middle of Amsterdam with easy access
via public transportation. #HITB2012AMS will be a quad-track conference
featuring keynote speakers Andy Ellis (Chief...
Re: [Full-disclosure] DNS bind attacks
Chris Granger (Jan 27)
Your theory is likely correct - do you allow external IPs to make recursive queries to your server?
From (this would be a way to corroborate & I can't say it any better):
http://www.gossamer-threads.com/lists/nanog/users/143319
"The isc.org record is commonly used in reflection attacks because the size of the record is so large, so the
amplification factor is greatly increased. Can you check to see if +edns=0 was set in the...
Re: [Full-disclosure] DNS bind attacks
Jeffrey Walton (Jan 27)
What's the query. Could it be related to
http://www.isc.org/software/bind/advisories/cve-2011-4313?
DNS bind attacks
J. von Balzac (Jan 27)
I'm seeing a lot of hosts in my named logs (I mean log files, it's not
like I am naming my poop)
...ok... silly joke hehe
So anyway, named bind is reporting a lot of denied queries of type
'isc.org/ANY/IN'. I'm not looking for a solution - I have one (which
is to immediately block the IPs for port 53 after as few as one denied
query) - but I want to warn server admins who haven't spotted both
these queries and...
Re: DoS attacks using Exploit Pack
Thugzclub (Jan 27)
Any proxy will do, as long as it has not been blocked by that site!
Re: Cyber Warfare / Network Defense Simulation
Thugzclub (Jan 27)
Yup!
You don't wanna spend too much time building machines!
I also recommend:
Turnkey Linux - for ready made installs of Snort etc
VMWare market - for Virtualised firewalls and other appliances
Vulnerable machines: Metasploitable virtual machine
AlienVault/Splunk - SIEM solutions
PPP / NCP Vulnerability Research
Miguel Regala (Jan 25)
Hi,
are there any relevant, known vulnerabilities in the NCP protocol,
more precisely in the IPCP?
Regards,
Miguel Regala
Re: Cyber Warfare / Network Defense Simulation
Jim Elkins (Jan 24)
Here are a couple of suggested books.
Build your own sec......
ISBN 978-0-470-17986-4
A bit dated, but informative.
Laura Chappel's reference
Wireshark Network Analysis
ISBN 978-1-893939-99-8
Cheers
Jim Elkins, Integration Engineer
Vote By Mail Solutions
Runbeck Election Services
765.404.3222
www.Runbeck.net
Hi,
I would like to ask if you guys have any suggestions (including
articles, references, books, sites, ideas, anything) on...
Re: Cyber Warfare / Network Defense Simulation
Henri Salo (Jan 24)
Key-point in my opinion is to have the setup up and running fast from scratch.
- Henri Salo
Re: Cyber Warfare / Network Defense Simulation
Christopher Siedlecki (Jan 24)
That is very neat, but in my opinion a little bit too broad an idea. For
instance you can build yourself a basic CCNA lab with a PIX firewall for
less than a couple hundred bucks. Using that simple hardware you can
recreate a literally unlimited number of scenarios. There is really no
need to use dual-quad servers with 32GB ram, unless you have something
specific in mind.
Christopher Siedlecki
IT-Security Consultant
Phone: +1.847.261.4549
E-mail:...
Cyber Warfare / Network Defense Simulation
Teóphilo Athos Brauns (Jan 24)
Hi,
I would like to ask if you guys have any suggestions (including
articles, references, books, sites, ideas, anything) on how to build a
"Poor man's Cyber Warfare / Network Defense Simulation" for:
1 - study
2 - forensic analysis
3 - vulnerabilities replication
4 - worm/virus spreading
5 - DLP (data leak/loss prevention) study
6 - ???
For my first attempts I used a dual-quad xeon server with 32GB ram and
managed to create a...
Re: DoS attacks using Exploit Pack
Richard Steinbrück (Jan 24)
try this ... https://youtubeproxy.org/
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
[HITB-Announce] Reminder: HITB2012AMS Call For Papers Closing Soon
Hafez Kamal (Jan 27)
This is a gentle reminder that the Call for Papers for the third annual
HITBSecConf in Europe closes on the 18th of February! Send in your
submissions now!
http://cfp.hackinthebox.org/
---
This year, we're moving to a new, bigger and better venue -- the
award winning Okura Hotel right in the middle of Amsterdam with easy access
via public transportation. #HITB2012AMS will be a quad-track conference
featuring keynote speakers Andy Ellis (Chief...
DoS attacks using Exploit Pack
noreply (Jan 22)
DoS attacks by using Exploit Pack
What is this? Exploit Pack is a next generation tool to assist you
while you perform penetration testing on your workstations or servers.
Make your workstation safe by testing its security. Before hackers do.
Take a look at this tool while we perform a denial of service to a test
site.
http://www.youtube.com/watch?v=1dBa2jBu1XE
Exploit Pack Team
Juan Sacco
Dev Lead
http://exploitpack.com...
Technology Neutral Healthcheck
cribbar (Jan 19)
Can I ask if any of you have roles as security admins or managers if you have
a sort of baseline checklist you use for when departments in your company
come calling saying they need a new payroll system, or a new procurement
system or whatever. I am in a very jnr role in a risk section but I thought
it wouldn't do any harm to see the kind of checks or questions you'll ask any
3rd party offering a solution/application for you that will give...
Re: Goofile 1.0 - Command line google search for files by domain
James Condron (Jan 18)
Tom,
You can do this in about five lines with the Google REST interface
http://code.google.com/apis/customsearch/v1/using_rest.html
In much the same way the old JSON interface worked (prior to
deprecation a year or two ago, though it does still work to an
extent).
Additionally you're passing the variable 'cant' to run(); where is
this being used? And why, by using a global with a maximum of 100 and
then having this value set to...
Exploit Pack - New release
noreply (Jan 18)
Exploit Pack is a Security Tool that will assist you while you test the
security of your workstations or networks. With a friendly and easy to
use interface, it has an update manager to keep you up to date and an
IDE to develop or modify its modules. Also we provide you with
technical support if you need it. Try it out and purchase a subscription
now. Make your computer safe using Exploit pack.
Make your workstation safe by testing it...
Goofile 1.0 - Command line google search for files by domain
tom (Jan 18)
Greetings!
Goofile 1.0 has been released. This tool will perform queries against
a domain for a particular filetype. I hope this will help with
enumeration!
http://code.google.com/p/goofile
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration...
Re: Best route to penetration testing learning
wlandymore (Jan 11)
Thanks for the tips guys. I've seen the offensive-security.com website and I
was interested in that because it had the 'real' hands on labs and then a
certification that was very similar. It seemed to be the best for 'real
world experience' so I was actually going to take that course.
I'll set up a test lab here and start working away, but I appreciate the
opinions and direction.
Thanks.
Archangel Amael wrote:
Re: Best route to penetration testing learning
robertwood50 (Jan 07)
The SANS courses are pretty good in that you will actually be learning useful information, not just information
required to pass a test. Also, for a lot of Security Consultant jobs, either the CISSP or a GIAC cert is required so
this is another reason to get involved with SANS.
In my opinion, books are great but they only get you so far. You only retain the knowledge in a book for so long unless
it is put into practice. For reading I would...
Re: Best route to penetration testing learning
Archangel Amael (Jan 07)
Hello,
There will likely be many opinions on the matter but a quick link or
two to help get you going, would be
http://www.offensive-security.com/ While not an easy certification to
be sure, it will likely be one of the most realistic in terms of
actually using Penetration testing tools within a realistic network
environment.
For an extensive collection of free information regarding using
metasploit and some other pentesting tools, check out...
Best route to penetration testing learning
wlandymore (Jan 06)
I'm new to penetration testing and recently took the CEH. I found that it was
pretty basic but I was wondering if people had some insight as to the best
route to take if you wanted to be a penetration testing engineer....
Any courses/books that are mandatory that will help get me on my way, or
other opinions as to how I can get into this?
Thanks.
AppSec DC 2012 CFP EXTENDED!
AppSec DC (Jan 06)
All,
Many of you have written to us asking about the requirement for a
paper in our CFP hosted on EasyChair. Due to an unforeseen change in
the way EasyChair works, you are no longer able to configure a
submission to require only an abstract as we thought we had done, and
done in the past. To be clear, we are ***NOT*** requiring papers with
our CFP submissions. As we have already started the CFP and can not
move the platform we ask that...
Arachni v0.4 has been released (Open Source Web Application Security Scanner Framework)
Tasos Laskos (Jan 06)
Hi guys,
This is just to let you know that there's a new version of Arachni.
Arachni is a high-performance (Open Source) Web Application Security
Scanner Framework written in Ruby.
This version includes lots of goodies, including:
* A new light-weight RPC implementation (No more XMLRPC)
* High Performance Grid (HPG) -- Combines the resources of multiple
nodes for lightning-fast scans
* Updated WebUI to provide access to HPG...
RE: Nmap
S Walker (Jan 02)
Just an added note to the current replies (which are all great for hosts not in the local broadcast domain): It is
almost certain that every device in your local network will respond to an ARP request. nmap does this by default anyway
(-PR for local networks), but it's worth bearing in mind, as something local that won't respond to an ARP request is
almost certainly not reachable.
S
----------------------------------------...
Re: Nmap
Juan Pablo (Jan 02)
Sorry for the late answer...
But when you scan for machines that do not answer to ping (it means
answer with an echo reply for each echo request), you could try using
timestamp, and will return timestamp reply, and also information
request and wait for an information reply
Both could be useful also to detect equipment that does not answer to
ping. And if you want something more "noisy" maybe a network discovery
or a -P0 option.
Here...
[TOOL RELEASE] Technitium MAC Address Changer v6 (FREEWARE)
Shreyas Zare (Jan 02)
Hi,
Technitium MAC Address Changer allows you to change Media Access
Control (MAC) Address of your Network Interface Card (NIC)
irrespective of your NIC manufacturer or its driver. It has a very
simple user interface and provides ample information regarding each
NIC in the machine. Every NIC has a MAC address hard coded in its
circuit by the manufacturer. This hard coded MAC address is used by
Windows drivers to access Ethernet Network (LAN)....
Info Security News — Carries news items (generally from mainstream sources) that relate to security.
DHS disputes memo on purported railway computer breach
InfoSec News (Jan 25)
http://news.cnet.com/8301-27080_3-57366341-245/dhs-disputes-memo-on-purported-railway-computer-breach/
By Elinor Mills
InSecurity Complex
CNet News
January 25, 2012
The Department of Homeland Security is disputing a government memo
obtained by Nextgov.com that said a targeted attack on the computer
network of a railway company in the Northwest disrupted train service in
early December.
"Following more in-depth analysis, it appears that...
Re: The digital hacktivist
InfoSec News (Jan 25)
Forwarded from: security curmudgeon <jericho (at) attrition.org>
: http://www.livemint.com/2012/01/24210113/The-digital-hacktivist.html
: The book offers little that is new or unique, ...
That summarizes his entire career, both in presentations and books.
: Fadia is not respected among hackers, who accuse him of being
: inexperienced and lacking depth of knowledge, and of making a quick buck
: out of information that is freely available...
IT pros say data breach assessment is more valuable than notification, study says
InfoSec News (Jan 25)
http://www.computerworld.com/s/article/9223706/IT_pros_say_data_breach_assessment_is_more_valuable_than_notification_study_says
By Lucian Constantin
IDG News Service
January 25, 2012
IT professionals believe that assessing the potential harm caused by
data breaches is more useful to mitigating the effects of such incidents
than notifying affected individuals, according to a survey published on
the day the European Union's proposed a...
DOD to allow Android on classified networks
InfoSec News (Jan 25)
http://fcw.com/articles/2012/01/24/android-smart-phones-tablets-classified-sipr-network.aspx
By Amber Corrin
FCW.com
Jan 24, 2012
New security standards expected to be approved soon would let devices
powered by the Android operating system use the Defense Department's
classified networks, according to an Army official.
DOD and National Institute of Standards and Technology are close to
approving the standards, according to Michael...
Symantec advises users to turn off PCAnywhere in hack aftermath
InfoSec News (Jan 25)
http://www.v3.co.uk/v3-uk/news/2141452/symantec-advises-users-pcanywhere-hack-aftermath
By Shaun Nichols
V3.co.uk
26 Jan 2012
Symantec is advising customers to take their copies of PCAnywhere
offline as the company continues to struggle with the aftermath of a
major data breach.
The company has issued a whitepaper addressing new vulnerabilities
brought to light by a recently publicised attack which resulted in
attackers gaining access to...
Newt Threatens China and Russia With Cyberwar
InfoSec News (Jan 25)
http://www.wired.com/dangerroom/2012/01/newt-goes-to-cyberwar/
By Noah Shachtman
Danger Room
Wired.com
January 25, 2012
Newt Gingrich isn’t the only politician who’s freaked out by China and
Russia’s online spying. But the new Republican presidential frontrunner
may be the highest-profile political figure all but openly calling for
cyberwar with Moscow and Beijing.
“I think that we have to treat state-based covert activities as the...
Royal Canadian Navy officer charged with espionage
InfoSec News (Jan 25)
http://www.theargus.ca/articles/news/2012/01/royal-canadian-navy-officer-charged-with-espionage
By Sebastian Murdoch-Gibson
News Writer
The Argus
January 24, 2012
Canadian authorities placed sub-lieutenant Jeffery Paul Delisle under
arrest last week for passing official military secrets to foreign
interests. Delisle is the first person to be charged under the Security
of Information Act, which superseded the Official Secrets Act shortly...
10K Reasons to Worry About Critical Infrastructure
InfoSec News (Jan 24)
http://www.wired.com/threatlevel/2012/01/10000-control-systems-online/
By Kim Zetter
Threat Level
Wired.com
January 24, 2012
MIAMI, Florida -- A security researcher was able to locate and map more
than 10,000 industrial control systems hooked up to the public internet,
including water and sewage plants, and found that many could be open to
easy hack attacks, due to lax security practices.
Infrastructure software vendors and critical...
Microsoft Names Alleged Botnet Operator Behind Kelihos
InfoSec News (Jan 24)
http://www.darkreading.com/insider-threat/167801100/security/client-security/232500407/microsoft-names-alleged-botnet-operator-behind-kelihos.html
By Kelly Jackson Higgins
Dark Reading
Jan 24, 2012
Microsoft is continuing its legal tear against botnets: It has now named
the botnet operator of the Kelihos botnet that it helped take down last
fall.
The alleged perpetrator, Andrey N. Sabelnikov, a Russian engineer, has
been added to...
Linux vendors rush to patch privilege escalation flaw after root exploits emerge
InfoSec News (Jan 24)
http://www.computerworld.com/s/article/9223675/Linux_vendors_rush_to_patch_privilege_escalation_flaw_after_root_exploits_emerge
By Lucian Constantin
IDG News Service
January 24, 2012
Linux vendors are rushing to patch a privilege escalation vulnerability
in the Linux kernel that can be exploited by local attackers to gain
root access on the system.
The vulnerability, which is identified as CVE-2012-0056, was discovered
by Jüri Aedla and...
Navy faces crushing demand for information warfare systems
InfoSec News (Jan 24)
http://www.nextgov.com/nextgov/ng_20120124_9453.php
By Bob Brewin
Nextgov
01/24/2012
SAN DIEGO -- The Navy has a compelling need for shipboard assurance
systems to maintain a secure environment, the service's top
command-and-control acquisition official told an overflow audience here
at the annual Armed Forces Communications and Electronics
Association-West conference. AFCEA is an industry group.
Last year, the Navy installed...
The digital hacktivist
InfoSec News (Jan 24)
http://www.livemint.com/2012/01/24210113/The-digital-hacktivist.html
[Anyone want to place some bets on the number of sites hacked
based on techniques mentioned in Ankit Fadia's 'How to Unblock Everything on the
Internet'
http://tech2.in.com/news/general/popular-indian-hacker-ankit-fadias-site-hacked/273372
http://www.amazon.com/exec/obidos/ASIN/9325956616/infosecnews-20
http://securityerrata.org/errata/charlatan/ankit_fadia/ -...
Hackers manipulated railway computers, TSA memo says
InfoSec News (Jan 24)
http://www.nextgov.com/nextgov/ng_20120123_3491.php
By Aliya Sternstein
Nextgov
01/23/2012
Hackers, possibly from abroad, executed an attack on a Northwest rail
company's computers that disrupted railway signals for two days in
December, according to a government memo recapping outreach with the
transportation sector during the emergency.
On Dec. 1, train service on the unnamed railroad "was slowed for a short
while" and...
U.S. Government Online Security Website Hacked
InfoSec News (Jan 24)
http://www.pcworld.com/businesscenter/article/248644/us_government_online_security_website_hacked.html
By John Ribeiro
IDG News
Jan 24, 2012
Hackers under the AntiSec banner appeared to have hacked late Monday the
website of OnGuardOnline.gov, the U.S. federal government's online
security website, in protest against controversial legislation.
In a message on the OnGuardOnline website and on Pastebin, the hackers
threatened "a...
Cameras May Open Up the Board Room to Hackers
InfoSec News (Jan 24)
http://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html
By NICOLE PERLROTH
The New York Times
January 22, 2012
SAN FRANCISCO -- One afternoon this month, a hacker took a tour of a
dozen conference rooms around the globe via equipment that most every
company has in those rooms; videoconferencing equipment.
With the move of a mouse, he steered a camera around each room,
occasionally zooming...
Firewall Wizards — Tips and tricks for firewall administrators
Ruxcon 2011 Final Call For Papers
cfp (Aug 21)
Ruxcon 2011 Final Call For Papers
The Ruxcon team is pleased to announce the final call for papers for the seventh annual Ruxcon conference.
This year the conference will take place over the weekend of 19th and 20th of November at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of October.
* What is Ruxcon?
Ruxcon is the premier technical computer security conference in the Australia-Pacific region....
Re: Securing email by inhibiting urls
Paul D. Robertson (Aug 12)
The mail server isn't the target, the desktop is- that's where your
protection needs to be.
Which is it? Attachments, or links? Those are two different issues.
Seems to me like not letting encrypted attachments through would be a
good start. It also seems that not letting most MIME types through the
HTTP proxy would be a good second step. Exceptions on a by-domain basis
tend to take about a week to get cleared up if you do it...
Re: Securing email by inhibiting urls
Marcus Ranum (Aug 12)
Jean-Denis Gorin writes:
I saw a company that did that, years ago. They had all incoming mail go through
mimedefang and all URLs got converted to https:-URL pointing to their proxy
server, which required a login. They also had a whitelist ruleset in the rewrite,
so that some URLs didn't get rewritten on a case-by-case basis. Anything with
metacharacters or on a blacklist got rewritten to a warning. That was the first
layer.
The other...
Re: Securing email by inhibiting urls
Chris (Aug 12)
Thanks for the response.
1. We block china but that doesn't stop mail being sourced from a
hacked American company
2. We don't allow any webmail access from our site. For business
reasons we are not allowed to block mail from anything but "freemail" sites
like gmail, hotmail etc.
3. We have Brightmail, Juniper IDS, ISS IDS and Symantec Antivirus
protecting all mail servers.
We don't have issues with...
Re: Securing email by inhibiting urls
Jean-Denis Gorin (Aug 12)
----- Marcus Ranum <mjr () ranum com> wrote:
There might be a way *evil grin*
1- convert ALL incoming email to text/plain format (all those HTML formatted emails from outside are bullshit: SPAM,
commercials from vendors, invitations to shiny conferences, etc.)
2- substitute ALL URLs with 'that link was removed for security reasons [*]', with [*] stating: 'if access to that link
is needed, please contact the sender of the...
Re: Securing email by inhibiting urls
Ilias - (Aug 11)
Hi,
I'm using MailMarshal with the blended threat module, which also protects against zero-day exploit URLs.
Take a look at the PDF :
http://www.m86security.com/documents/pdfs/datasheets/email_security/DS_Blended_Threats_Module.pdf
If you want some further information about this solution and how you can use this.. Send me an (direct) message.
Best regards,
Ilias
Sent from my Blackberry
-----Original Message-----
From: Raphael Rivera...
Re: Securing email by inhibiting urls
Timothy Shea (Aug 11)
You are focusing on the wrong problem. If desktops are being infected then
your desktop, anti-spam, and web browsing controls are all weak.
Eliminating "links" in e-mail is going to accomplish nothing.
A commercial web content filter for web browsing will go a long way to
resolving your issues. Most commercial content filters are continuously
updated throughout the day and much can be filtered out via categories. We
went from...
Re: Securing email by inhibiting urls
Victor Williams (Aug 11)
Cisco Ironport or McAfee's two offerings: Email & Web Security Appliance or
Email Gateway.
The McAfee products used to be Secure Computing's Ironmail appliances, but
were bought with the Secure Computing acquisition.
Additionally, you should implement a true URL and content filtering service.
Even if an email gets through here or there, clicking on the link in it
will do more or less nothing if you have a "good"...
Re: Securing email by inhibiting urls
Marcus Ranum (Aug 11)
Chris wrote:
Stupid users, too much connectivity, good security - you can have
any two.
I'm guessing that when you say "trusted source" what you mean
is "apparently trustworthy source" - not that you actually have a
list somewhere of trusted sources. If you had a list of trusted
sources then you could put in a firewall that did URL filtering
then have 2 group policies: "users who click on bad URLs"
and...
Re: Securing email by inhibiting urls
Mark E. Donaldson (Aug 11)
You need to re-think how you handle mail. Two things:
1. Take out all Chinese IP addresses at the firewall. Nothing of value comes out of China. 99% of it is toxic.
Why let them even have a chance?
2. Direct webmail over the internet is dangerous at best. You need to set up an SMTP mail proxy on your system
that receives, processes, and either accepts or rejects all incoming email. Use Sendmail + MailScanner + SpamAssassin +...
Re: Securing email by inhibiting urls
Raphael Rivera (Aug 11)
Chris,
Have you all tried barracuda spam firewall?
Sent from my iPhone
Re: Securing email by inhibiting urls
Chris (Aug 11)
I'll check out Ironport. We looked at this earlier but there was something about it at the time that caused us to not
buy it. Time to revisit...
Thanks
-----Original Message-----
From: Kaas, David D [mailto:David_D_Kaas () RL gov]
Sent: Thursday, August 11, 2011 12:06 AM
To: 'chughes () l8c com'; 'Firewall Wizards Security Mailing List'; 'firewall-wizards () listserv cybertrust com'
Subject: RE: [fw-wiz]...
Re: Securing email by inhibiting urls
Chris (Aug 11)
Should have mentioned that this is a MS Exchange environment. Spam filters are currently MS based but that's
up for grabs if we can replace them with something that provides the same functionality in place now. Currently using
Brightmail and other than disabling/replacing urls in email it is working pretty well.
-----Original Message-----
From: Kurt Buff [mailto:kurt.buff () gmail com]
Sent: Thursday, August 11, 2011 1:32 AM
To:...
Re: Securing email by inhibiting urls
Chris (Aug 11)
This won't work. This site is under constant attack from China and randomly
hacked domains that are used as relays are not on any watch lists. We are
talking zero day here. There are no signatures for the payload if a user
clicks these links. Right now user awareness is our best line of defense
and we all know how reliable that is.
Until I can disable a user's ability to click a url in an email that appears
to come from a trusted source,...
Re: Securing email by inhibiting urls
Kurt Buff (Aug 11)
Which is why I use a mail gateway for $WORK.
IDS Focus — Technical discussion about Intrusion Detection Systems. You can also read the archives of a previous IDS list
CFP: Deadline Extended: SLAML'10
Mohror, Kathryn (Jun 18)
Workshop on Managing Systems via Log Analysis and Machine
Learning Techniques (SLAML '10)
=============================================
October 2-3, 2010
Vancouver, BC, Canada
(at OSDI)
http://www.usenix.org/events/slaml10/cfp/
=============================================
********...
Announcement: xtractr updates
pcapr (Jun 08)
Just a quick note to let you know that the lite version of xtractr can
now index up to 10 million packets or 1GByte of pcaps. This makes it
easy to grab large packet traces from a production network and perform
troubleshooting and forensics with just a few clicks. We have also
updated the live demo of xtractr to use the pcap from the Honeynet
Challenge #4 (VoIP). Can you answer the forensics questions?
http://www.pcapr.net/xtractr
If you are...
Performance measurement tool for IDS/IPS
wittybugz (Jun 01)
Hi All,
Is any tool available in market (free or paid) for measuring performance of Host based IDS/IPS devices?
I want to measure performance for protocols like HTTP,FTP,SMB/RPC,DNS etc.
Thanks,
Prateek
-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate
on your web...
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
Re: Apache Killer - take 2?
Anestis Bechtsoudis (Jan 23)
Apache byte-range killer uses many small byte-range chunks in a single
request. So no, your attached request is not related to such an attack.
In the latest Apache stable release (2.2.21) -1 is not a valid
entity-length, resulting in a full size 200 response (and not a 206
partial content response) despite the requested range.
For better understanding take a look at modules/http/byterange_filter.c
at apache sources.
I attach a simple perl PoC to...
Re: Apache Killer - take 2?
Damiano Bolzoni (Jan 23)
You are right, I didn't write it down properly...what I meant is
"doesn't it look like a clumsy way to exhaust resources (due to the +inf
number that should result from 1024/-1)".
Perhaps another web server is vulnerable? This kind of "check" is
usually performed randomly by scanners...
It's just really weird that a client sends that header value, I searched
around but couldn't find any other example......
Apache Killer - take 2?
Damiano Bolzoni (Jan 22)
Hi all,
today we saw a weird HTTP header in a request that came to a web server
we are monitoring:
HEAD /contact HTTP/1.1
Content-Range: bytes 1-1024/-1
User-Agent: Opera/9.80 (Windows NT 5.1; U; pl) Presto/2.5.22 Version/10.51
Host: www.xyz.nl
Accept: */*
The offending IP is not in any blacklist, and the intent is kind of
clear...the server is Apache, but I have no detailed information about
the version/patching level. The server went ahead...
CarolinaCon-8/2012 - Final Announcement/Call for Papers/Presenters/Speakers
Vic Vandal (Jan 12)
h4x0rs, InfoSec professionals, international spies, script kidz, and posers,
CarolinaCon-8 will occur on May 11th-13th 2012 in Raleigh NC (USA). We are now officially accepting speaker/paper/demo
submissions for the event.
If you are somewhat knowledgeable in any interesting field of hacking, technology, robotics, science, global
thermonuclear war, etc. (but mostly hacking), and are interested in presenting at CarolinaCon-8, we cordially...
OWASP AsiaPac 2012 - Sydney Australia CFP and CFT
Andrew van der Stock (Jan 11)
Colleagues,
In 2012, OWASP is holding Global AppSec AsiaPac Conference in Sydney Australia! OWASP Asia Pacific is the foremost
Application Security conference for the region, and brings together the community in a central meeting for 4 days to
discuss and present on recent and current Application Security related topics. In previous years the conference has
been held on the Gold Coast Australia, in 2012 the event has been moved to Sydney, and...
RE: Application Security
Milind Nanal (Jan 11)
References on the subject. Members' views on these points and how they are managing similar
requirements. Information on tools etc.
Regards,
Milind Nanal
-----Original Message-----
From: Yiannis Koukouras [mailto:ikoukouras () gmail com]
Sent: Wednesday, January 11, 2012 6:33 PM
To: Milind Nanal
Cc: security-basics () securityfocus com; webappsec () securityfocus com; pen-test () securityfocus com
Subject: Re: Application Security
Hi,
Not sure...
Re: Application Security
Yiannis Koukouras (Jan 11)
Hi,
Not sure what you are actually looking for...
Are you looking for references on those subjects or are you looking to
recruit people to perform these tasks?
BR,
Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM, OSCP
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally...
Application Security
Milind Nanal (Jan 08)
Hi Mailing list,
Seeking help on the scenario below:
1) The organization software development life cycle wherein application security needs to be plugged in as a focused
approach.
2) Deployment & planning on roles & responsibilities of dedicated 4-5 members as apps tester & an apps test manager
from info sec apps testing.
3) Plan for training developers, quality staff & apps testing team on various info sec aspect of application...
Re: stacking proxies
Robin Wood (Jan 08)
I know this is what he was talking about and I've got the chain that
Jason suggested, what I'm after is what chains other people use and
why.
When chaining proxies there is a chance of the two interfering with
each other so you have to make sure they are in the right order, for
example Burp through Ratproxy might work but Rat through Burp may
fail.
Chaining may be used to improve efficiency due to lack of time or just
to improve the...
AppSec DC 2012 CFP EXTENDED!
AppSec DC (Jan 08)
All,
Many of you have written to us asking about the requirement for a
paper in our CFP hosted on EasyChair. Due to an unforeseen change in
the way EasyChair works, you are no longer able to configure a
submission to require only an abstract as we thought we had done, and
done in the past. To be clear, we are ***NOT*** requiring papers with
our CFP submissions. As we have already started the CFP and can not
move the platform we ask that...
Arachni v0.4 has been released (Open Source Web Application Security Scanner Framework)
Tasos Laskos (Jan 08)
Hi guys,
This is just to let you know that there's a new version of Arachni.
Arachni is a high-performance (Open Source) Web Application Security
Scanner Framework written in Ruby.
This version includes lots of goodies, including:
* A new light-weight RPC implementation (No more XMLRPC)
* High Performance Grid (HPG) -- Combines the resources of multiple
nodes for lightning-fast scans
* Updated WebUI to provide access to HPG...
Re: stacking proxies
Jamie Riden (Jan 03)
To be honest, I just use Burp (Pro).
I've seen people route sqlmap through Burp as well though, if it's not
immediately obvious how to exploit the issue - helps with analysis.
cheers,
Jamie
Re: stacking proxies
Robert Hajime Lanning (Jan 03)
I am putting together (in this order):
Nginx (ssl)
Varnish (caching)
Haproxy (load balancing/fail over)
Re: stacking proxies
Robin Wood (Jan 03)
Most of my clients like to know where the attack will be coming from
so they can monitor it in their logs. I do some attacks through either
tor or from a different IP so I can see if they have enabled/disabled
anything special for the IP I told them I was using.
Robin
stacking proxies
Robin Wood (Dec 31)
I watched Jason Haddix talk at BruCon and he talked about stacking
proxy servers when doing web app tests so that you could get the best
out of each one.
I've been meaning to ask for a while, what proxies do people use when
stacking and in what order?
Robin
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Cyber Politics By Other Means
Dave Aitel (Jan 27)
Dear DD - attached is some red meat. :>
-dave
Introduction
It is, of course, very possible that hackers will get to help choose
America's next president. Possibly not in the most direct way (aka,
attacking the electoral system directly, the candidates, or the super
PACs that support their campaigns), although this did happen to some
extent last time around
<...
Alligators
Dave Aitel (Jan 19)
INFILTRATE 2012 is over (as of an hour from now). I will say that all
the talks, especially the keynotes, exceeded our expectations. That's a
good thing - we had high expectations even of Thomas Lim!
Here is one review:
http://blog.opensecurityresearch.com/2012/01/infiltrate-wrap-up.html
Immunity gave two talks ourselves. We'll release Leo's later, but you
should read Mark's now:
And here is Mark's Prezi:...
Open Bars
Dave Aitel (Jan 09)
So we ordered quite a few open bars for INFILTRATE people - one of which
is the night before the conference (see below). Also, as a reminder, the
Master Class and Unethical Hacking classes DO start on Sunday. That's
SUNDAY. Not MONDAY. You can ask me why during one of the many open bars! :>
Also if you are on the twitterz you should probably follow
@InfiltrateCon (https://twitter.com/#!/infiltratecon
<...
Security Event Horizons
Dave Aitel (Jan 09)
Every so often you see a ton of effort from a security person go into a
platform or protocol that most people ignore. For example, X405, or
MSRPC or DCERPC or HTTP or the BlackBerry Playbook. I don't have a good
way to explain it, but there's an event horizon where once you've
understood a platform enough, the only way to secure it against you is
to turn it off or tunnel it completely under something that provides its
own...
New Paper - Acquisition and Analysis of Volatile Memory from Android Devices
Andrew Case (Jan 09)
We are writing to announce that our paper on Android memory forensics has
just been published in the Journal of Digital Investigation. Please see the
following blog post for complete details and the paper:
http://dfsforensics.blogspot.com/2012/01/new-paper-acquisition-and-analysis-of.html
If you have any questions or comments please reply to this Email or comment
on the blog.
Thanks,
Andrew
Re: Symantec AV source compromised and the questions it raises
Michal Zalewski (Jan 06)
This reminds me of the wise words of the chairman of Trend Micro:
"Android is open-source, which means the hacker can also understand
the underlying architecture and source code. We have to give credit to
Apple, because they are very careful about it. It's impossible for
certain types of viruses to operate on the iPhone."
Shortly thereafter, Kaspersky "joined" the open source community, and
now looks like Symantec will,...
Symantec AV source compromised and the questions it raises
Mohammad Hosein (Jan 06)
"Sadly, we'll likely never know the answer."
How come? Attackers can easily post details on how they compromised the
targets and to whom they belong, and considering there could be a couple of
names and, perhaps, some phones or emails included in such a leak, it
shouldn't be hard to connect the dots. The cybergames between Pakistani and
Indian groups have been going on for a very long time now and although people in
forums and tweets are...
Symantec AV source compromised and the questions it raises
William Arbaugh (Jan 06)
Security Week ran a story that Symantec's AV source was obtained (and soon to be released) via a compromise of an
Indian Military Intelligence server.
http://www.securityweek.com/symantec-investigating-possible-theft-norton-av-source-code
Symantec issued a statement that the compromise and eventual release of the source does not place customers at risk
since the source is 4+ years old....
Apache Struts
Dave Aitel (Jan 06)
Just how bad is that Sec-Consult Apache Struts vulnerability...
(from their advisory)
___
2.) Remote command execution in Struts <= 2.3.1 (CookieInterceptor)
Given struts.xml is configured to handle all cookie names (independent
of limited cookie values):
<action name="Test" class="example.Test">
<interceptor-ref name="cookie">
<param...
Re: INFILTRATE Book Club Part 2
h1kari (Jan 05)
Hey guys,
Sorry about the shameless self-promotion, but I just thought I'd
mention that my wife and I run a technical bookstore in Seattle and
we're part of the computer security community (I started and run
ToorCon/ToorCamp/etc) so our bookstore is obviously heavily based
around supporting the local community and fostering tech innovation in
the area.
I say this because we just started selling Google eBooks and so if you
have a...
INFILTRATE Book Club Part 2
Dave Aitel (Jan 04)
So I personally wasn't a huge fan, but more than one person has
suggested Daemon by Leinad Zeraus. But you can't buy this in electronic
format anymore for some reason, and I can't find the torrent on
PirateBay, so it's not eligible! You're better off reading Daniel Keys
Moran's AI War instead. :>
http://www.amazon.com/I-War-Book-One-ebook/dp/B004XMR5A4
At this year's INFILTRATE, due to a few factors, we have...
InfoSec Southwest 2012 CFP First-round Speaker Selections
I)ruid (Jan 04)
Hello,
InfoSec Southwest is proud to announce our keynote speaker and
first-round speaker selections for our 2012 conference. Our CFP remains
open until February 1st 2012 after which we will make our remaining
final speaker selections. CFP information is available at:
http://www.infosecsouthwest.com/cfp.html
Keynote Speaker: Peiter "Mudge" Zatko
We're quite excited to have Mudge accept our invitation to be our
Keynote...
Re: WebHacking and lcamtuf
Michal Zalewski (Jan 03)
Okay!
/mz
PS. And yeah, thanks for the review :-)
WebHacking and lcamtuf
Dave Aitel (Jan 02)
So this is my review of lcamtuf's book, which is this: It's the best
book out there on web security right now, and if we had more time, we'd
buy one for every student at the INFILTRATE WebHacking class.
The book is less an attempt to "teach" web security than the result of
lcamtuf's extremely deep and systematic review of the basement of web
technology. I think only lcamtuf could have written it, since it not
only...
INFILTRATE book club part 1
Dave Aitel (Jan 02)
For those of you traveling to INFILTRATE (in just a few short days!) I
wanted to post a list of books, so you don't end up reading the whole
Strain trilogy, or "The Lucky One" or something like that.
First off, thrillers/spy books:
Robert Baer is a bit political, but he's a very good writer and all his
books are extremely readable. You'll remember him from incoherent movies
(Syriana) that were based on his books, just...
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
Re: Bitcasa invites
Frank Forresrer (Jan 24)
I have infinite invites now.
https://portal.bitcasa.com/invited/85781076b83749c8abd0cf623f46a535/
Remember when gmail was invite only & they weren't evil? Ah those were the days ;-p
Sent from my iPod
Re: CC numbers stored on planes
David Freedman (Jan 24)
Agreed. We already agreed that the log server and anywhere that data gets
backed up to is considered in scope. Our issue was with a database that
only stores truncated PAN (last 4) and no other CC data. If this is
considered in scope then anywhere that has stored or the ability to view
truncated PAN is in scope (so the whole network). Our last assessor did
not think it was in scope.
We have included this DB as an in scope system as per...
Re: CC numbers stored on planes
Robin Wood (Jan 24)
One place I've found that isn't always automatically considered in scope is
log servers. People turn on full logging and the CC data gets sent off to a
separate machine then they forget to turn it off or to clear it down later.
Also backup locations, the SQL server either generates a SQL dump or a
binary backup of all the data and that is passed to a separate machine,
that machine isn't in the normal flow of data so people forget...
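Robin's point about log servers and SQL dumps quietly pulling stored data into scope, and David's earlier question about truncated PAN versus full PAN, both come down to one check a tester can run: does a copy of the logs anywhere still contain a full card number? The script below is an added example, not code from any poster or from the list; it uses the Luhn check to separate real PANs from other digit runs of the same length and masks hits to first six / last four, which is the most PCI DSS requirement 3.3 permits to be displayed. The regex, function names and the sample log lines are my own constructions (the card numbers in them are the public Visa and Amex test numbers).

```python
import re

# Candidate PAN tokens: a contiguous 13-19 digit run, or the usual 4-4-4-4 / 4-6-5
# groupings with one consistent separator. The lookarounds stop a longer digit run
# (a 20-digit trace id, say) from being sliced into a "card number". Heuristic only.
PAN_RE = re.compile(
    r"(?<!\d)(?:"
    r"\d{13,19}"                          # contiguous run
    r"|\d{4}([ -])\d{4}\1\d{4}\1\d{4}"    # 4-4-4-4 grouping
    r"|\d{4}([ -])\d{6}\2\d{5}"           # 4-6-5 grouping (Amex style)
    r")(?!\d)"
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; real PANs pass, order ids and timestamps almost never do."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(token: str) -> str:
    return re.sub(r"[ -]", "", token)


def find_pans(line: str) -> list:
    """Return the Luhn-valid PANs (separators stripped) found in one log line."""
    return [_digits(m.group(0)) for m in PAN_RE.finditer(line)
            if luhn_valid(_digits(m.group(0)))]


def mask_pan(token: str) -> str:
    """Mask to first six / last four, keeping separators so the line stays readable."""
    n = sum(ch.isdigit() for ch in token)
    out, seen = [], 0
    for ch in token:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= 6 or seen > n - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN in the line with its masked form."""
    def repl(m):
        token = m.group(0)
        return mask_pan(token) if luhn_valid(_digits(token)) else token
    return PAN_RE.sub(repl, line)


def scan_log(lines) -> list:
    """(line index, PANs) for every line that leaks a full PAN; empty list means clean."""
    hits = []
    for i, line in enumerate(lines):
        pans = find_pans(line)
        if pans:
            hits.append((i, pans))
    return hits


# Constructed sample lines (not from any real system). Lines 0, 2 and 3 carry the
# public Visa/Amex test numbers; the other digit runs are deliberately Luhn-invalid.
LOG_LINES = [
    "GET /checkout?card=4111111111111111&exp=1214 HTTP/1.1",
    "order_id=1234567890123456 status=ok",
    "POST body: card_number=4012 8888 8888 1881 cvv=***",
    "amex=3782 822463 10005 amount=42.00",
    "ts=1327420000000 trace=2011122900012345678",
]

if __name__ == "__main__":
    for idx, pans in scan_log(LOG_LINES):
        print(f"line {idx}: full PAN present: {pans}")
    for line in LOG_LINES:
        print(scrub_log_line(line))
```

Run it over a log server's files, a SQL dump and the backup target, not just the application host: if `scan_log` reports anything, that system is storing cardholder data and is in scope regardless of what the application was designed to keep. A database that genuinely holds only the last four digits will produce no hits, which is the distinction the assessor debate turns on.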
Re: CC numbers stored on planes
Tony Turner (Jan 24)
Not yet. The SIG is moving very slowly. The only things I've seen so far are a comprehensive problem statement
communicated to the card brands and the council and a conscious effort to get speakers from PCI council to speak at air
travel industry conferences. There's a serious lack of information here as many don't fully understand how it all works
together and the issues that are preventing airlines from becoming compliant....
Re: CC numbers stored on planes
David Freedman (Jan 24)
I love Robin's point about being concerned with the assessor's abilities to
explain why something is in scope and what is considered out of scope. We
have recently gone through our yearly PCI compliance 2.0 and there was a
big debate over what was in scope due to the differences between last 4 of
a PAN and full track data.
Tony - how did the SIG work out? Did it provide
solid compensating controls for the airlines? I mean this with...
Re: CC numbers stored on planes
Scott Rosenthal (Jan 24)
My response wasn't about assuming that they were PCI compliant I was
implying that they are required to be PCI compliant. If they aren't
required to be PCI compliant I would love to see where that information is
published. If I were conducting a pen test I would obviously be validating
that the information was in fact encrypted. The way I understood Robin's
question was that he was merely questioning the storage of those cards. I...
Re: Bitcasa invites
Xavier Mertens (Jan 24)
Am I not too late? Still one available?
Tx!
Re: CC numbers stored on planes
Robin Wood (Jan 24)
Re: CC numbers stored on planes
Bill Swearingen (Jan 24)
Trent and I have discussed this with a stewardess, yes it is stored into
the little hand held machine, and then they dock it into the plane. When
it docks, it transfers the cc# to a storage unit on the plane. When the
plane lands, part of their procedures is to then charge those CC#s. She
did not know about the state of the data (encrypted/etc).
Not that we have ever done this, but one can imagine replacing the mag
stripe data on a valid...
Re: CC numbers stored on planes
Tony Turner (Jan 24)
Many airlines are not PCI compliant. There are complexities to their business model with airports, common use platforms
and travel agents that create significant difficulties. This was why we created an informal SIG for Air Travel PCI.
Bottom line, don't assume.
Sent from Yahoo! Mail on Android
Re: CC numbers stored on planes
Scott Rosenthal (Jan 24)
Hi Robin, here in the states many if not all of the airlines are required
to be PCI compliant. That being said those devices should be considered in
scope by the company that is performing their assessment. If they are truly
PCI compliant, all of the credit card numbers stored on those devices
should be encrypted. I hope that helps.
Scott
Re: Bitcasa invites
Udiggity (Jan 24)
I'd love one if you have any more
Please excuse typos, I'm on my mobile
Re: CC numbers stored on planes
Bacon Zombie (Jan 24)
The fact that you can use a CC that is 10 years out of date, I'm sure they
are stored.
Downloaded, stored and then sent to the bank / processor only once a week or
month.
Anybody know if the engineering logs are downloaded in plain text or
encrypted? And is that via wifi, cable, Zigbee, DECT, TETRA or squirrels?
On Jan 24, 2012 5:43 AM, "Robin Wood" <robin () digininja org> wrote:
CC numbers stored on planes
Robin Wood (Jan 23)
I've been on quite a few planes where the duty free and the bar allow
people to pay by credit card. I'd guess the data is stored and
downloaded to be processed at the end of each flight, if so, that is a
great target for card thieves. I wonder how many are actually properly
protected?
Robin
Bitcasa invites
Brett (Jan 23)
I have 8 left. https://portal.bitcasa.com/invited/4afb180718ec403294941dff925b6e0d/
No Linux client yet, but it "should" work for windows and Mac. I think you need os x 10.6 or higher for Mac.
Sent from my iPhone
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
[HONEYPOTS] Cyber Warfare / Network Defense Simulation
Teóphilo Athos Brauns (Jan 24)
Hi,
I would like to ask if you guys have any suggestions (including
articles, references, books, sites, ideas, anything) on how to build a
"Poor man's Cyber Warfare / Network Defense Simulation" for:
1 - study
2 - forensic analysis
3 - vulnerabilities replication
4 - worm/virus spreading
5 - DLP (data leak/loss prevention) study
For my first attempts I used a dual-quad xeon server with 32GB ram and
managed to create a whole...
Cyber Warfare / Network Defense Simulation
Teóphilo Athos Brauns (Jan 24)
Hi,
I would like to ask if you guys have any suggestions (including
articles, references, books, sites, ideas, anything) on how to build a
"Poor man's Cyber Warfare / Network Defense Simulation" for:
1 - study
2 - forensic analysis
3 - vulnerabilities replication
4 - worm/virus spreading
5 - DLP (data leak/loss prevention) study
6 - ???
For my first attempts I used a dual-quad xeon server with 32GB ram and
managed to create a...
CanSecWest 2012 Mar 7-9; 2nd call for papers, closes next week, Monday. Dec 5 2011
Dragos Ruiu (Dec 01)
So after a dozen years or so organizing conferences, you
get the urge to pull levers and try experimenting with
things. So this year I sent out the CanSecWest CFP
only over Twitter, and G+ publicly. Just curious as to the
adoption and information dispersion rate, and some
estimate of the attention these newer channels are getting.
So after this experiment I hear about people having
submissions and missing the CFP. So for my control set,...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Bulletin Minor Revisions
Microsoft (Jan 27)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: January 27, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS12-004 - Critical
* MS12-JAN
Bulletin Information:
=====================
* MS12-004 -...
Microsoft Security Bulletin Minor Revisions
Microsoft (Jan 24)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: January 24, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS11-025 - Important
* MS11-049 - Important
Bulletin Information:
=====================...
Microsoft Security Bulletin Minor Revisions
Microsoft (Jan 18)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: January 18, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS11-049 - Important
* MS11-JUN
* MS12-006 - Important
Bulletin Information:...
Microsoft Security Bulletin Minor Revisions
Microsoft (Jan 17)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: January 17, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS11-100 - Critical
Bulletin Information:
=====================
* MS11-100 - Critical
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Jan 16)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: January 16, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS12-007 - Important
Bulletin Information:
=====================
* MS12-007 - Important...
Microsoft Security Bulletin Re-Releases
Microsoft (Jan 11)
********************************************************************
Title: Microsoft Security Bulletin Re-Releases
Issued: January 11, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.
* MS12-007 - Important
* MS12-JAN
Bulletin Information:
=====================
* MS12-007 -...
Microsoft Security Bulletin Minor Revisions
Microsoft (Jan 11)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: January 11, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS12-004 - Critical
Bulletin Information:
=====================
* MS12-004 - Critical
-...
Microsoft Security Bulletin Summary for January 2012
Microsoft (Jan 10)
********************************************************************
Microsoft Security Bulletin Summary for January 2012
Issued: January 10, 2012
********************************************************************
This bulletin summary lists security bulletins released for
January 2012.
The full version of the Microsoft Security Bulletin Summary for
January 2012 can be found at
http://technet.microsoft.com/security/bulletin/ms12-jan.
With...
Microsoft Security Advisory Notification
Microsoft (Jan 10)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: January 10, 2012
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (2588513)
- Title: Vulnerability in SSL/TLS Could Allow
Information Disclosure
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Jan 10)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: January 10, 2012
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS11-099 - Important
Bulletin Information:
=====================
* MS11-099 - Important...
Microsoft Security Bulletin Advance Notification for January 2012
Microsoft (Jan 08)
********************************************************************
Microsoft Security Bulletin Advance Notification for January 2012
Issued: January 5, 2012
********************************************************************
This is an advance notification of security bulletins that
Microsoft is intending to release on January 10, 2012.
The full version of the Microsoft Security Bulletin Advance
Notification for January 2012 can be found at...
Microsoft Security Bulletin Minor Revisions
Microsoft (Dec 30)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: December 30, 2011
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS11-100 - Critical
Bulletin Information:
=====================
* MS11-100 - Critical...
Microsoft Security Advisory Notification
Microsoft (Dec 29)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: December 29, 2011
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (2659883)
- Title: Insecure Library Loading Could Allow Remote Code
Execution
-...
Microsoft Security Bulletin Summary for December 2011
Microsoft (Dec 29)
********************************************************************
Microsoft Security Bulletin Summary for December 2011
Issued: December 29, 2011
********************************************************************
This bulletin summary lists an out-of-band security bulletin released
on December 29, 2011.
The full version of the Microsoft Security Bulletin Summary for
December 2011 can be found at...
Microsoft Security Bulletin Advance Notification for December 2011
Microsoft (Dec 28)
********************************************************************
Microsoft Security Bulletin Advance Notification for December 2011
Issued: December 28, 2011
********************************************************************
This is an advance notification of security bulletins that
Microsoft is intending to release on December 29, 2011.
The full version of the Microsoft Security Bulletin Advance
Notification for December 2011 can be...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Really simple security blog
Robert Slade (Jan 27)
This was a new one to me, anyway.
http://www.secmeme.com/
Short, pithy, and lots of pictures.
We get lots of postings asking what security blogs/podcasts/etc to follow. Well, this one is probably even suitable
for your boss :-)
Twitter nation-based censorship
Robert Slade (Jan 27)
A large stake in Twitter was recently bought by a Saudi prince. He said he agreed with the concept.
Saudi Arabia, however, is pretty big on censorship.
Now Twitter has announced censorship by nation.
Of course, this timing is simply a coincidence. There couldn't possibly be any relationship.
Privacy Policy
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Jan 26)
This seems vaguely familiar, but what the heck:
https://addons.mozilla.org/en-US/firefox/addon/screenshot-pimp-screengrab-scr/privacy/
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
It is easier to get forgiveness than permission. - Alan J. Perlis
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links...
OK, we don't need the Borg for "Total Recall"
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Jan 26)
http://www.scientificamerican.com/article.cfm?id=totaling-recall
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
There are some Perl programs that look like nothing so much as
line noise. - Margaret Fleck
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links...
[HITB-Announce] Reminder: HITB2012AMS Call For Papers Closing Soon
Hafez Kamal (Jan 26)
This is a gentle reminder that the Call for Papers for the third annual
HITBSecConf in Europe closes on the 18th of February! Send in your
submissions now!
http://cfp.hackinthebox.org/
---
This year, we're moving to a new, bigger and better venue -- the
award winning Okura Hotel right in middle of Amsterdam with easy access
via public transportation. #HITB2012AMS will be a quad-track conference
featuring keynote speakers Andy Ellis (Chief...
Resistance is futile: you will be assimilated ...
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Jan 26)
http://thenextweb.com/socialmedia/2012/01/25/facebook-is-killing-local-social-networks-around-the-world/
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
I know that there are people in this world who do not love their
fellow man, and I hate people like that! - Tom Lehrer
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links...
Re: Teaching reporters infosec ...
Kyle Creyts (Jan 25)
Flashy and interesting like using the mouse to move your cursor around,
entering strings out of order and/or changing focus to a junk pad, etc...
not quite "strong" protection, but better than nothing in some cases.
Re: Teaching reporters infosec ...
Paul M Moriarty (Jan 25)
While doing something flashy and interesting with your left hand, type your message quickly with your right hand. The
keyloggers fall for it every time. :)
Re: Teaching reporters infosec ...
Patrick Laverty (Jan 25)
I thought this line interesting:
"using Tor for online anonymity, the benefits of no-contract cell
phones, and how to trick keyloggers,"
What does that mean to trick a keylogger?
Re: Teaching reporters infosec ...
Paul M Moriarty (Jan 25)
It's a step in the right direction, though clearly it will be a long journey.
- Paul -
Teaching reporters infosec ...
Robert Slade (Jan 25)
http://www.cjr.org/the_news_frontier/teaching_cyber-security.php
Does this provide us with any level of comfort or confidence? (Those two are not necessarily equal ...)
======================
rslade () computercrime org slade () victoria tc ca rslade () vcn bc ca
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP...
Re: Google Docs illegal in Norway
Paul Ferguson (Jan 25)
Funny you should mention that:
http://www.zdnet.com/blog/london/european-commission-8216in-denial-over-patriot-act-loophole/2556
- ferg
Re: Google Docs illegal in Norway
Jeffrey Walton (Jan 25)
The PATRIOT Act is gestapo legislation - it's a subversion of the
principles the country was founded upon. The US Supreme Court has
repeatedly struck down its provisions as unconstitutional, including
the illegal detention of suspects.
Only a handful of US politicians had the political courage to vote
against it (http://clerk.house.gov/evs/2001/roll398.xml). The
politicians who supported it (including members of the administration
who drafted and...
BitDefender, you've created a monster! (story ...)
Robert Slade (Jan 25)
www.infosecurity-magazine.com/view/23465/viruses-and-worms-are-evolving-into-frankenmalware/
OK, this is obviously going to be the AV/infosec story of the week. (At least this particular story notes that it
isn't a big deal, although they don't seem to realize it's old news.)
(If any AV/anti-malware/security company wants to hire me, I'd be glad to look back through my archives and find
threats from 25 years ago and dress...
Google Docs illegal in Norway
Robert Slade (Jan 25)
http://www.infosecurity-magazine.com/view/23463/use-of-google-docs-is-illegal-in-norway/
This is of particular interest to me right at this moment, because I'm in a meeting, and one of our exec has mentioned
our files directory. Our site is hosted by Google, and our files are, of course, on Google Docs. ( www.ismsug.org ,
in case anyone is interested.)
However, I've got to say that the only thing that surprises me about...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
TA12-024A -- "Anonymous" DDoS Activity
US-CERT Technical Alerts (Jan 24)
National Cyber Alert System
Technical Cyber Security Alert TA12-024A
"Anonymous" DDoS Activity
Original release date: January 24, 2012
Last revised: --
Source: US-CERT
Overview
US-CERT has received information from multiple sources about
coordinated distributed denial-of-service (DDoS) attacks with
targets that included U.S. government agency and entertainment
industry...
Current Activity - Denial-of-Service Malware Campaign
Current Activity (Jan 24)
US-CERT Current Activity
Denial-of-Service Malware Campaign
Original release date: January 24, 2012 at 5:35 pm
Last revised: January 24, 2012 at 5:35 pm
US-CERT is aware of public reports of ongoing distributed
denial-of-service attacks against entities in the government and
private sector. According to the reports, these attacks are being
attributed to the hacker group Anonymous.
US-CERT encourages users and administrators to do the following...
Current Activity - Google Releases Chrome 16.0.912.77
Current Activity (Jan 24)
US-CERT Current Activity
Google Releases Chrome 16.0.912.77
Original release date: January 24, 2012 at 1:03 pm
Last revised: January 24, 2012 at 1:03 pm
Google has released Chrome 16.0.912.77 for Linux, Mac, Windows, and
Chrome Frame to address multiple vulnerabilities. These
vulnerabilities may allow an attacker to execute arbitrary code or
cause a denial-of-service condition.
US-CERT encourages users and administrators to review the Google...
Current Activity - Symantec pcAnywhere Hotfix
Current Activity (Jan 24)
US-CERT Current Activity
Symantec pcAnywhere Hotfix
Original release date: January 24, 2012 at 11:30 am
Last revised: January 24, 2012 at 11:30 am
Symantec has released an update for pcAnywhere to address multiple
vulnerabilities for the following software versions running on
Windows:
* pcAnywhere 12.5 SP3
* pcAnywhere Solutions 7.1 GA, SP 1, and SP 2
US-CERT encourages users and administrators to review the Symantec
pcAnywhere hot fix...
Current Activity - Best Practices for Recovery from the Malicious Erasure of Files
Current Activity (Jan 19)
US-CERT Current Activity
Best Practices for Recovery from the Malicious Erasure of Files
Original release date: January 19, 2012 at 3:43 pm
Last revised: January 19, 2012 at 3:43 pm
Cyber criminals can damage their victim's computer systems and data by
changing or deleting files, wiping hard drives, or erasing backups to
hide some or all of their malicious activity and tradecraft. By
wiping, or "zeroing out," the hard disk...
Current Activity - Oracle Releases Critical Patch Update for January 2012
Current Activity (Jan 18)
US-CERT Current Activity
Oracle Releases Critical Patch Update for January 2012
Original release date: January 18, 2012 at 10:58 am
Oracle has released its Critical Patch Update for January 2012 to address
78 vulnerabilities across multiple products. This update contains the
following security fixes:
* 2 for Oracle Database Server
* 1 for Oracle Fusion Middleware
* 3 for Oracle E-Business Suite
* 1 for Oracle Supply Chain Products Suite...
Current Activity - Phishing Campaign Using Spoofed US-CERT Email Addresses
Current Activity (Jan 11)
US-CERT Current Activity
Phishing Campaign Using Spoofed US-CERT Email Addresses
Original release date: January 10, 2012 at 2:06 pm
Last revised: January 11, 2012 at 4:58 pm
On January 10, 2012, US-CERT received reports of a phishing campaign
that is spoofing US-CERT email to deliver a variant of the Zeus/Zbot
Trojan known as Ice-IX. This campaign appears to be targeting a large
number of private sector organizations as well as federal, state,...
Current Activity - Adobe Releases Security Advisory for Adobe Reader and Acrobat
Current Activity (Jan 10)
US-CERT Current Activity
Adobe Releases Security Advisory for Adobe Reader and Acrobat
Original release date: January 10, 2012 at 4:40 pm
Last revised: January 10, 2012 at 4:40 pm
Adobe has released a Security Advisory for Adobe Reader and Acrobat to
address multiple vulnerabilities affecting the following software
versions:
* Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and
Macintosh
* Adobe Reader 9.4.7 and earlier...
Current Activity - Microsoft Releases January Security Bulletin
Current Activity (Jan 10)
US-CERT Current Activity
Microsoft Releases January Security Bulletin
Original release date: January 5, 2012 at 1:24 pm
Last revised: January 10, 2012 at 3:09 pm
Microsoft has released updates to address vulnerabilities in Microsoft
Windows and Microsoft Developer Tools and Software as part of the
Microsoft Security Bulletin Summary for January 2012. These
vulnerabilities may allow an attacker to execute arbitrary code,
operate with elevated...
TA12-010A -- Microsoft Updates for Multiple Vulnerabilities
US-CERT Technical Alerts (Jan 10)
National Cyber Alert System
Technical Cyber Security Alert TA12-010A
Microsoft Updates for Multiple Vulnerabilities
Original release date: January 10, 2012
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Developer Tools and Software
Overview
There are multiple vulnerabilities in Microsoft Windows and
Microsoft Developer Tools and Software....
Current Activity - Phishing Campaign Using Spoofed US-CERT E-mail Addresses
Current Activity (Jan 10)
US-CERT Current Activity
Phishing Campaign Using Spoofed US-CERT E-mail Addresses
Original release date: January 10, 2012 at 1:32 pm
Last revised: January 10, 2012 at 1:32 pm
US-CERT has received reports of a phishing email campaign that uses
spoofed US-CERT email addresses. This campaign appears to be targeting
a large number of private sector organizations as well as federal,
state, and local governments. US-CERT began receiving reports of...
TA12-006A -- Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack
US-CERT Technical Alerts (Jan 06)
National Cyber Alert System
Technical Cyber Security Alert TA12-006A
Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack
Original release date: January 06, 2012
Last revised: --
Source: US-CERT
Systems Affected
Most Wi-Fi access points that support Wi-Fi Protected Setup (WPS)
are affected.
Overview
Wi-Fi Protected Setup (WPS) provides simplified mechanisms to
configure secure...
Current Activity - Google Releases Chrome 16.0.912.75
Current Activity (Jan 06)
US-CERT Current Activity
Google Releases Chrome 16.0.912.75
Original release date: January 6, 2012 at 9:26 am
Last revised: January 6, 2012 at 9:26 am
Google has released Chrome 16.0.912.75 for Linux, Mac, Windows, and
Chrome Frame to address multiple vulnerabilities. These
vulnerabilities may allow an attacker to execute arbitrary code.
US-CERT encourages users and administrators to review the Google
Chrome Releases blog entry and update to...
Current Activity - Microsoft Releases Advance Notification for January Security Bulletin
Current Activity (Jan 05)
US-CERT Current Activity
Microsoft Releases Advance Notification for January Security Bulletin
Original release date: January 5, 2012 at 1:24 pm
Last revised: January 5, 2012 at 1:24 pm
Microsoft has issued a Security Bulletin Advance Notification
indicating that its January release will contain seven
bulletins. These bulletins will have the severity rating of critical
and important and will be for Microsoft Windows and Microsoft
Developer...
Current Activity - Multiple Programming Language Implementations Vulnerable to Hash Table Collision Attacks
Current Activity (Dec 28)
US-CERT Current Activity
Multiple Programming Language Implementations Vulnerable to Hash Table Collision Attacks
Original release date: December 28, 2011 at 1:04 pm
Last revised: December 28, 2011 at 1:04 pm
US-CERT is aware of reports stating that multiple programming language
implementations, including web platforms, are vulnerable to hash table
collision attacks. This vulnerability could be used by an attacker to
launch a denial-of-service...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
Re: non-Linux advance notification list
Solar Designer (Jan 27)
Hi,
I would definitely like OpenBSD to be represented on the distros list.
Not only OpenBSD ports, but also OpenBSD base.
Probably yes, but I (and maybe others) would like some info first:
Is there any web page (or something else) specifying the OpenBSD ports
security team (not all committers, but just those the project vouches
for as it relates to handling of non-public security vulnerabilities)?
Or a port-security@ exploder that you're...
Re: non-Linux advance notification list
Stuart Henderson (Jan 27)
Could you add me for OpenBSD ports please? If acceptable I'll send a
public key out of band. Thanks.
Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients
Kurt Seifried (Jan 27)
Ok so we (myself and vdanen () redhat com) have done some more research and
here are the results (good news and bad news):
OpenSSH portable compiled from source with no changes:
5.3p1 is NOT vulnerable
5.4p1 is vulnerable
5.5p1 is vulnerable
5.6p1 is NOT vulnerable
Upon further examination of the errors we have the following for OpenSSH 5.3p1:
=========
debug1: Offering RSA public key: /home/test-ssh2/.ssh/id_rsa
debug1: Remote: Forced...
Re: non-Linux advance notification list
Solar Designer (Jan 27)
...
I've just subscribed Alistair Crooks for NetBSD as well.
Alexander
Re: non-Linux advance notification list
Solar Designer (Jan 27)
...
I've just subscribed Colin Percival, the FreeBSD Security Officer.
Alexander
Re: Subscribe to linux-distros
Ramon de C Valle (Jan 27)
Thanks.
Re: Subscribe to linux-distros
Solar Designer (Jan 27)
Subscribed.
Alexander
Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients
Yves-Alexis Perez (Jan 27)
That was my question, in fact. Are separate keys (to the same user
account on the box) really supposed to be considered separate accounts
(on the box).
My first guess is “yes”, but I'm not sure if it was created like that,
and thus think it was a valid question. For the sshd, you don't (may
not) have three separate accounts, but one.
Regards,
Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients
Kurt Seifried (Jan 27)
I created three separate keys, so three separate accounts. I can't see
any valid reason that account #3 (that is the third key listed) should
be able to see the first and second force commands. These commands could
contain sensitive commands/passwords (e.g. log in with a key to trigger
some automated job by the backup user) for example.
Re: Subscribe to linux-distros
Kurt Seifried (Jan 27)
I can confirm he is.
Re: CVE request: PostfixAdmin SQL injections and XSS
Christian Boltz (Jan 27)
Hello,
Am Donnerstag, 26. Januar 2012 schrieb Kurt Seifried:
Thanks.
I forgot to mention a small, but important detail: The credits ;-)
Credits go to
Filippo Cavallarin <filippo.cavallarin [at] codseq [dot] it>
for finding most of the vulnerabilities and notifying us.
The only exception is
- create-domain: fix SQL injection (only exploitable by superadmins)
which was found by Matthias Bethke <msbethke [at] sourceforge...
Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients
Yves-Alexis Perez (Jan 27)
By the way, is the ForceCommand (and other directives) really supposed
to be private for different keys (or, more widely, for different matches
for the same user).
Regards,
Subscribe to linux-distros
Ramon de C Valle (Jan 27)
Hi Solar,
I'm a new member of Red Hat Security Response Team. Could you please
subscribe me to the linux-distros mailing list?
pub 2048R/E9A5A2DD 2011-09-14
Key fingerprint = 37C9 75D7 0092 D074 DA95 F229 191A 8A07 E9A5 A2DD
uid Ramon de C Valle <ramon () redhat com>
uid Ramon de C Valle <rcvalle () redhat com>
uid Ramon de C Valle <rdecarva () redhat com>
sub...
testing pwqgen
Solar Designer (Jan 26)
Hi,
I think we can and should use this list not only for discussing actual
vulnerabilities, but also for sharing information on what was audited,
tested, etc. even if found not vulnerable. Such information may be
helpful too.
In light of the pwgen vulnerability:
http://www.openwall.com/lists/oss-security/2012/01/17/5
http://www.openwall.com/lists/oss-security/2012/01/19/24
http://www.openwall.com/lists/oss-security/2012/01/22/6
I also tested...
Re: CVE Request: Debian (others?) openssh-server: Forced Command handling leaks private information to ssh clients
Marc Deslauriers (Jan 26)
Looks like this (I haven't tried...):
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth-options.c.diff?r1=1.53;r2=1.54
Marc.
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
informIT: vBSIMM revised
Gary McGraw (Jan 26)
hi sc-l,
Third party software is a major risk category in most modern organizations (see Third-Party Software and
Security<http://www.informit.com/articles/article.aspx?p=1809143>). We have been working on a BSIMM derivative called
the vBSIMM to help manage third party software risk. Today we published a second, revised version of the vBSIMM.
Instead of focusing on individual applications, the vBSIMM approach focuses on software...
Only 7 Days Left: SANS AppSec 2012 CFP
SANS AppSec CFP (Jan 24)
Hi everyone,
This is the final CFP reminder for SANS AppSec 2012 being held in Las
Vegas, Nevada on April 30 - May 1, 2012.
The call for papers ends in seven days on February 1, 2012 so submit today!
============
The theme for this conference is "Application Security at Scale".
Billions of records in the cloud. Millions of smart mobile devices.
Millions of developers writing new code. Hundreds of apps in your
enterprise. Untold...
OWASP AsiaPac 2012 - Sydney, Australia: CFP and call for trainers
Andrew van der Stock (Jan 12)
Colleagues,
In 2012, OWASP is holding Global AppSec AsiaPac Conference in Sydney Australia! OWASP Asia Pacific is the foremost
Application Security conference for the region, and brings together the community in a central meeting for 4 days to
discuss and present on recent and current Application Security related topics. In previous years the conference has
been held on the Gold Coast Australia, in 2012 the event has been moved to Sydney, and...
Re: informIT: BSIMM versus SAFECode
Kevin W. Wall (Jan 02)
Gary,
Hope you and other SC-L readers had a safe and happy holidays. I had a few
comments on your InformIT article referenced here.
First, you take exception to SAFECode calling out BSIMM as a "methodology".
After quickly skimming their paper which you referenced, I think that
perhaps you and Sammy are overreacting a bit. (Maybe you are misconstruing their
misconstruing? ;-)
Specifically, the SAFECode _Fundamental Practices_ paper...
Silver Bullet 69: Steve Myers
Gary McGraw (Dec 31)
happy new year sc-l,
The 69th episode of Silver Bullet is an interview with professor Steve Myers from Indiana University. Steve is a
cryptographer who works on Phishing, but he also teaches the security engineering course at IU. Among other topics, we
discuss the challenge of keeping academic research both scientific and relevant to practitioners.
http://www.cigital.com/silver-bullet/show-069/
As always, we welcome your feedback on the...
informIT: BSIMM versus SAFECode
Gary McGraw (Dec 31)
Let's try that again, this time with the proper email address…
From: gem <gem () cigital com<mailto:gem () cigital com>>
Date: Tue, 27 Dec 2011 16:32:56 -0500
To: "sc-l-bounces () securecoding org<mailto:sc-l-bounces () securecoding org>" <sc-l-bounces () securecoding
org<mailto:sc-l-bounces () securecoding org>>
hi sc-l,
How about a little software security controversy for the tweener holiday week?...
ANNOUNCEMENT: SecAppDev 2012, Leuven, Belgium
Kenneth Van Wyk (Dec 22)
We are pleased to announce SecAppDev 2012, an intensive one-week
course in secure application development. The course is organized by
secappdev.org, a non-profit organization that aims to broaden security
awareness in the development community and advance secure software
engineering practices. The course is a joint initiative with K.U.
Leuven and Solvay Brussels School of Economics and Management.
SecAppDev 2012 is the 8th edition of our widely...
MoST 2012 CFP - Mobile Security Technologies (MoST) 2012 Workshop
Larry Koved (Dec 22)
On behalf of the workshop co-chairs and program chair, we would like to
invite you to participate in the Mobile Security Technologies (MoST)
Workshop.
MoST is co-located with the IEEE Security & Privacy Symposium.
Mobile Security Technologies (MoST) brings together researchers,
practitioners, policy makers, and hardware and software developers
of mobile systems to explore the latest understanding and advances
in the security and privacy...
W2SP 2012 CFP - Web 2.0 Security and Privacy 2012 Workshop Call for Papers
Larry Koved (Dec 22)
W2SP 2012 CFP - Web 2.0 Security and Privacy 2012 Workshop Call for Papers
On behalf of the workshop co-chairs and program chair, we would like to
invite you to participate in the 5th annual workshop on Web 2.0 Security
and Privacy. Started in 2007, this successful series of workshops has
attracted participation from both academia and industry, and participants
from around the world.
W2SP is co-located with the IEEE Security & Privacy...
SANS AppSec 2012 CFP reminder
SANS AppSec CFP (Dec 01)
Hi everyone,
It's been over a month since we first announced the CFP for the SANS
AppSec Summit being held in Las Vegas, Nevada on April 30 - May 1, 2012.
We've received a number of great submissions so far but there's only two
months left until the deadline on February 1, 2012. If you'd like to
speak please get your submission in as soon as possible.
Hope to see you in Vegas!
============
The theme for this conference...
Silver Bullet 68
Gary McGraw (Nov 30)
hi sc-l,
I am pleased to announce that episode 68 of the Silver Bullet Security Podcast is an interview of Cigital's own John
Steven. jOHN (or jS) as he is known around here is a well-respected technologist and software security practitioner.
He served a stint editing the Building Security In column for IEEE S&P magazine along with Gunnar Peterson. He is also
a very active OWASP participant. I have worked closely with jS for many...
informIT: third-party software and security
Gary McGraw (Nov 30)
hi sc-l,
We recently convened a BSIMM Community Conference near Portland, Oregon. (For a list of the 42 companies participating
in the BSIMM project, see <http://bsimm.com/community/>.) The BSIMM project describes and measures the work of 786 SSG
members, who together with a satellite of 1750 people, have direct impact on the work of 185,316 developers.
As you know, the BSIMM is mostly about SSDL activities and governance. However,...
Call for papers - i-Society
Call for papers (Nov 06)
Apologies for cross-postings!
Kindly email this Call for Papers to your colleagues,
faculty members and postgraduate students.
CALL FOR PAPERS
************************************************************
International Conference on Information Society (i-Society 2012)
Technical Co-Sponsored by IEEE UK/RI Computer Chapter
June 25-28, 2012, London, UK
www.i-society.eu
************************************************************
The...
silver bullet: bill pugh
Gary McGraw (Oct 31)
hi sc-l,
The 67th Silver Bullet podcast features Bill Pugh. Bill is an alpha geek who is currently a professor at University of
Maryland. You may know his FindBugs project if you're a Java person. You may not know that Bill is also a fire eater
who once lit my solstice bonfire in an interesting ritual.
Our conversation ranged far and wide on this episode and is likely to be appreciated by more technical listeners....
informIT: Software Security Training
Gary McGraw (Oct 31)
hi sc-l,
Happy Halloween everybody.
Sammy Migues and I just published an article on Software Security Training in informIT based on a decade of experience
delivering software security training:
http://www.informit.com/articles/article.aspx?p=1767770
The article includes some analysis of both data from the BSIMM study and information from Cigital's Training practice.
FWIW, we estimate we have trained 14,000 developers using instructor...
Educause Security Discussion — Securing networks and computers in an academic environment.
Re: Free Download of Matt Ivester's Book Available Now (until Jan. 30)!
Pollock, Joseph (Jan 27)
My response was immediate and reflexive when I saw I would have to create an Amazon account - No Way. It's not worth
the bother of having yet another vendor nag me. I've reached the point where I don't download most white papers or
technical info, because in the current climate it guarantees a sales call. I don't have a thick enough skin to be
comfortable telling the caller that I wanted information only and have no...
Re: Free Download of Matt Ivester's Book Available Now (until Jan. 30)!
John Ladwig (Jan 27)
I need to look over the descriptions of DPD, to see to what degree they cover the issue of the current massive trend of
providers/developers/etc offering "free" - which actually isn't free, because they're collecting data which they
reuse/resell/etc in order to cover costs. Like yesterday's massive Google thread mentioned a time or two.
I haven't dug down deeply into Amazon's Kindle and other user/privacy...
Re: Free Download of Matt Ivester's Book Available Now (until Jan. 30)!
Morrow Long (Jan 27)
They might even get a few to install the Kindle app or buy a Kindle.
-----Original Message-----
...
Additionally, it seems (to me) a fairly clever marketing ploy by Amazon.
They offer this book for "free" and in exchange they (probably? hopefully?)
get a bunch of new people to sign up for Amazon accounts. Pretty good deal
for them. Am I being cynical? Or realistic? Or both?
Derek,
I don't think your rant was...
Re: Free Download of Matt Ivester's Book Available Now (until Jan. 30)!
Morrow Long (Jan 27)
And actually you can now read it in the Cloud -- you don't have to install
the Kindle software anywhere (you just have to have and login to an Amazon
account).
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chuck Dunn
Sent: Friday, January 27, 2012 3:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Free Download of Matt...
Re: Free Download of Matt Ivester's Book Available Now (until Jan. 30)!
Wayne S. Martin (Jan 27)
I apologize for the tone, I shouldn't have been so direct. I suppose where I'm confused is that I view Data Privacy
Day as a time to educate users on where it is appropriate for them to divulge information and what information it is
reasonable for companies, organizations, etc. to be asking for. I had not thought of it as teaching users to never
disclose information.
IMHO, Wayne
Re: Free Download of Matt Ivester's Book Available Now (until Jan. 30)!
Charlie Derr (Jan 27)
As someone who understood John's irony (and agrees with it), the reason for the irony is that to some of us, the word
"free" means completely unencumbered by DRM, not just "ostensibly costing $0.00 in terms of capital outlay."
Additionally, it seems (to me) a fairly clever marketing ploy by Amazon. They offer this book for "free" and in
exchange they (probably? hopefully?) get a bunch of new people to sign...
Re: Free Download of Matt Ivester's Book Available Now (until Jan. 30)!
Tonkin, Derek K. (Jan 27)
I apologize for the tone, I shouldn't have been so direct. I suppose where I'm confused is that I view Data Privacy
Day as a time to educate users on where it is appropriate for them to divulge information and what information it is
reasonable for companies, organizations, etc. to be asking for. I had not thought of it as teaching users to never
disclose information.
I'm curious what the stance is of others on the list. As...
Re: Free Download of Matt Ivester's Book Available Now (until Jan. 30)!
Chuck Dunn (Jan 27)
Valarie,
I find that irony like beauty is frequently in the eye of the beholder.
Unfortunately, unlike acknowledging beauty, irony can also be mistaken
for criticism.
I doubt the amazon.com requirement is a problem at all for most of us.
For those who wish to read it anonymously, well, Barnes & Noble can
provide a printed copy in exchange for cash.
This is a nice present. Thanks to EduCause, the author and the
publisher. It's...
Re: Free Download of Matt Ivester's Book Available Now (until Jan. 30)!
Don M. Blumenthal (Jan 27)
I have an Amazon account from which I download Kindle books regularly for a Kindle, iPad, and Android phone, and have
no reason to question Amazon's security or privacy practices.
I'm also part of the "security community" but I intend what's to follow merely as an observation, not a criticism. I
intend to download the book but, despite the fact that I can understand why free distribution is being done this way, I...
Re: Free Download of Matt Ivester's Book Available Now (until Jan. 30)!
Mclaughlin, Kevin (mclaugkl) (Jan 27)
I love my Kindle, I love my Kindle IPhone App, I love my Kindle Android app and I love my Kindle computer app. By the
way did I mention that I love my Kindle? :-)
Thanks for pointing out the free gift of weekend reading.
Have a great weekend everyone,
- Kevin
Kevin L. McLaughlin, CISM, CISSP, GIAC-GSLC, CRISC, PMP
Chief Information Security Officer (CISO) and Assistant Vice President
Administration and Finance
University of Cincinnati...
Re: Free Download of Matt Ivester's Book Available Now (until Jan. 30)!
Tonkin, Derek K. (Jan 27)
John,
Pardon the rant but what is the irony here?
I mean I suppose you were hoping that you could just download an ePub copy, right? So far as I can tell the author
hasn't produced the book in that format.
It is Kindle-only which is not my preference but for goodness sakes as "security people" must we always find something
to complain about? I'm not sure what privacy concerns you have with Amazon but it didn't take...
Re: Free Download of Matt Ivester's Book Available Now (until Jan. 30)!
Valerie Vogel (Jan 27)
Please note: Although the download is only for Kindle, Amazon has free reading apps for the iPad and other devices.
http://www.amazon.com/gp/feature.html?ie=UTF8&docId=1000493771
They also have a new Kindle Cloud Reader so you can read it on your computer using a browser: https://read.amazon.com/
If the previous download link does not work, go to
http://www.amazon.com/lol-OMG-Reputation-Citizenship-Cyberbullying-ebook/dp/B0060FRNNQ...
Re: Free Download of Matt Ivester's Book Available Now (until Jan. 30)!
John Ladwig (Jan 27)
And, you can't download the free book without logging in to Amazon. And, near as I can tell, it's Kindle- or
Kindle-apps-only.
In honor of Data Privacy Day.
The irony, it drips.
-jml
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valerie
Vogel
Sent: Friday, January 27, 2012 12:34 PM
To: The EDUCAUSE Security Constituent Group...
Free Download of Matt Ivester's Book Available Now (until Jan. 30)!
Valerie Vogel (Jan 27)
Starting today (through January 30), you can download Matt Ivester's book - "lol...OMG! What Every Student Needs to
Know About Online Reputation Management, Digital Citizenship, and Cyberbullying" - for free from Amazon in honor of
Data Privacy Day:
http://www.lolomgbook.com/#!vstc5=ebook
Matt Ivester will also be joining us for a special EDUCAUSE Policy webinar next Monday, January 30, 1-2 pm EST....
Re: Google announces privacy changes, no opt out for users
Mike Porter (Jan 27)
Without knowing what our contract states, and what portions of the
contracts refer to URLs whose contents may or may not have changed,
the below statement sort of means nothing. Well, it means Google is
not violating a legal contract, but the terms in that contract were
hardly static, if I recall correctly. Am I wrong for most of us?
Mike
Mike Porter
Systems Programmer V
IT/NSS
University of Delaware
-
Mike Porter
PGP Fingerprint: F4 AE E1...
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: using ULA for 'hidden' v6 devices?
Mark Tinka (Jan 27)
Just on this subject, we're peering with networks some
may call "worth their salt", and what we've been seeing
since we started peering with them is interesting. This
is an ACL applied on ingress across the peering
interfaces (note that sequences 90 - 150 are our own APNIC
allocations):
router-in-asia-1#sh ip access-lists filter-incoming
Extended IP access list filter-incoming
10 deny ip 10.0.0.0 0.255.255.255 any...
Re: US DOJ victim letter
Martin Hannigan (Jan 27)
It's definitely real.
Best,
-M<
Re: 10GE TOR port buffers (was Re: 10G switch recommendaton)
Łukasz Bromirski (Jan 27)
6500 has up to 256MB for non-oversubscribed 10GE ports. People
complaining about microburst tend to use the cheapest 6704 linecard,
and 'microbursts' are a problem seen across most of the products that
don't even try to have a 1/12th of a 6500 history.
Everyone has its own problems, and as people already said, not
understanding the way properly sized buffers influence the way TCP
traffic behaves can do more harm than good.
Re: pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
Leo Bicknell (Jan 27)
In a message written on Sat, Jan 28, 2012 at 11:02:14AM +0900, Randy Bush wrote:
It's actually simple math, it just can get moderate complex.
Let's say you have a 10Mbps ethernet interface, and you want to set
the queue size (in packets).
10Mbps is ~1250000 bytes/sec.
Now, I pick an arbitrary value, this is where experience comes in.
For this example I'm going to say I want no more than 5ms queuing
latency. 5ms/1000sec/ms *...
RE: pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
George Bonser (Jan 27)
+1
There is no excuse these days for stuff not to be ECN aware. That GREATLY mitigates things as it makes hosts aware
pretty much immediately that there is congestion and they don't have to wait for a lost packet to time out. I brought
it up to a Brocade engineer once asking for the option to set ECN rather than drop the packet and he said "nobody uses
it". I told him nobody uses it because you don't have the feature...
Re: pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
Leo Bicknell (Jan 27)
In a message written on Sat, Jan 28, 2012 at 10:31:20AM +0900, Randy Bush wrote:
I also want to take this opportunity to say there are some cool new
features (that I have not had a chance to deploy myself) that may have
been missed if queueing wasn't your day job for the last few years.
"QoS: Time-Based Thresholds for WRED and Queue Limit for the Cisco 12000
Series Router"...
Re: pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
Randy Bush (Jan 27)
not my router. research probes seeing fun anomalies around the global
network.
while i hope few folk other than telephants still have atm <g>, thanks
for posting running code.
one problem is that we do not have good tools to look at a link and
suggest parms. how did you derive those?
randy
Re: pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
Leo Bicknell (Jan 27)
In a message written on Sat, Jan 28, 2012 at 10:31:20AM +0900, Randy Bush wrote:
Please turn that buffer down.
It's bad enough to take a 100ms hop across the pacific. It's far
worse when there is +0-100ms of additional buffer. :(
Unless that 40G has like 4x10Gbps TCP flows on it you don't need
b*d of buffer. I bet many of your other problems go away. 10ms
of buffer would be a good number.
My current employment offers few...
Re: pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
Randy Bush (Jan 27)
when a line card is designed to buffer the b*d of a trans-pac 40g, the
oddities on an intra-pop link have been observed to spike to multiple
seconds.
so, do you have wred enabled anywhere? who actually has it enabled?
(embarrassed to say, but to set an honest example, i do not believe iij
does)
randy
Re: pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
Leo Bicknell (Jan 27)
In a message written on Sat, Jan 28, 2012 at 10:06:20AM +0900, Randy Bush wrote:
For *most backbone networks* it is a no-op on the backbone. To be
more precise, if the backbone is at least 10x, and preferably more
like 50x faster than the largest single TCP flow from any customer
it will be nearly impossible to measure the performance difference
between a short FIFO queue and a WRED queue.
To the customer, absolutely, whenever possible, which...
Re: 10GE TOR port buffers (was Re: 10G switch recommendaton)
Leo Bicknell (Jan 27)
In a message written on Fri, Jan 27, 2012 at 04:00:36PM -0800, Joel jaeggli wrote:
One of the frustrating things, which the c6500 embodies best, is
that the chassis has had many generations of linecards.
It came out in 1999, running CatOS, with a 32Gbps shared bus.
It exists now as a IOS box with a 720Gbps bus, running distributed
switching.
While you can call both a 6500, they share little more than some
sheet metal, fans, and copper traces...
pontification bloat (was 10GE TOR port buffers (was Re: 10G switch recommendaton))
Randy Bush (Jan 27)
for those who say bufferbloat is a problem, do you have wred enabled on
backbone or customer links?
randy
RE: 10GE TOR port buffers (was Re: 10G switch recommendaton)
George Bonser (Jan 27)
I assumed since he was asking about a "top of rack" (TOR) switch, he was actually using it as a top of rack switch and
adding a couple more uplinks to his core would be cheaper than replacing all the hardware. Not understanding the
topology and the application makes good recommendations a crap shoot, at best.
From: Nick Hilliard
Sent: Friday, January 27, 2012 4:51 PM
To: bas
Cc: George Bonser; nanog
Subject: Re: 10GE TOR port...
RE: 10GE TOR port buffers (was Re: 10G switch recommendaton)
George Bonser (Jan 27)
That is why I added the "it depends on the end to end application" caveat.
Re: 10GE TOR port buffers (was Re: 10G switch recommendaton)
Nick Hilliard (Jan 27)
There are a couple of reasons for this: first, dropping the amount of buffer space decreases the cost of the hardware.
Secondly, you really only need large buffers when you need to shape traffic. Shaping traffic is important if you're
down stepping from a faster port to a slower port (this is a common use case for a blade switch like a c6500), or else
if you're running qos on the port and you need to implement sophisticated queuing...
Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating
miami fishing
Felix (Nov 19)
Your email client cannot read this email.
To view it online, please go here:
http://profystudio.info/ems/display.php?M=4856987&C=b2586d1d652441f590773aba59abe520&S=12&L=6&N=9
DISCOUNT 45 %
45 USD per hour
E-mail: fishingmiami () yahoo com
Fishing lessons by professional instructor for kids and family.
Our Fishing show will contain from fresh fish (Mahi Mahi, Sailfish,
Blacktip Sharks, Barracudas, Kingfish, Snapper) cleaning,...
Microsoft( Exchange , Dynamics etc), Retail, HR, Healthcare, Technology, Industry, ERP, CRM, VAR customer lists
mike gordon (Nov 03)
Hi,
This email is to introduce Repharm Technologies and lists we provide. We have a comprehensive business database of B2B
records & B2C records. Our lists can be used for Email Campaigns, Telemarketing, Fax Marketing and Direct Mailing. The list
would be for your perpetual use with no restriction on the number of usage.
Below are some of our lists that may interest you, let me know if you require any other lists by providing the
industry,...
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 26.70
RISKS List Owner (Jan 02)
RISKS-LIST: Risks-Forum Digest Monday 2 January 2012 Volume 26 : Issue 70
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.70.html>
The current issue can be...
Risks Digest 26.69
RISKS List Owner (Dec 29)
RISKS-LIST: Risks-Forum Digest Thursday 29 December 2011 Volume 26 : Issue 69
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.69.html>
The current issue can...
Risks Digest 26.68
RISKS List Owner (Dec 28)
RISKS-LIST: Risks-Forum Digest Weds 28 December 2011 Volume 26 : Issue 68
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.68.html>
The current issue can be...
Risks Digest 26.67
RISKS List Owner (Dec 20)
RISKS-LIST: Risks-Forum Digest Tuesday 20 December 2011 Volume 26 : Issue 67
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.67.html>
The current issue can...
Risks Digest 26.66
RISKS List Owner (Dec 06)
RISKS-LIST: Risks-Forum Digest Tuesday 6 December 2011 Volume 26 : Issue 66
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.66.html>
The current issue can be...
Risks Digest 26.65
RISKS List Owner (Nov 29)
RISKS-LIST: Risks-Forum Digest Tuesday 29 November 2011 Volume 26 : Issue 65
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.65.html>
The current issue can...
Risks Digest 26.64
RISKS List Owner (Nov 26)
RISKS-LIST: Risks-Forum Digest Saturday 26 November 2011 Volume 26 : Issue 64
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.64.html>
The current issue can...
Risks Digest 26.63
RISKS List Owner (Nov 22)
RISKS-LIST: Risks-Forum Digest Tuesday 22 November 2011 Volume 26 : Issue 63
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.63.html>
The current issue can...
Risks Digest 26.62
RISKS List Owner (Nov 18)
RISKS-LIST: Risks-Forum Digest Friday 18 November 2011 Volume 26 : Issue 62
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.62.html>
The current issue can be...
Risks Digest 26.61
RISKS List Owner (Nov 13)
RISKS-LIST: Risks-Forum Digest Sunday 13 November 2011 Volume 26 : Issue 61
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.61.html>
The current issue can be...
Risks Digest 26.60
RISKS List Owner (Nov 11)
RISKS-LIST: Risks-Forum Digest Friday 11 November 2011 Volume 26 : Issue 60
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.60.html>
The current issue can be...
Risks Digest 26.59
RISKS List Owner (Oct 23)
RISKS-LIST: Risks-Forum Digest Sunday 23 October 2011 Volume 26 : Issue 59
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.59.html>
The current issue can be...
Data Loss — Data Loss covers large-scale personal data loss and theft incidents. This archive combines the main list (news releases) and the discussion list.
Fwd: Information on your DreamHost account - please change your passwords
Steve Darrall (Jan 23)
---------- Forwarded message ----------
From: <do.not.reply () dreamhost com>
Date: 22 January 2012 02:15
Subject: Information on your DreamHost account - please change your
passwords
To: user () domain com
IMPORTANT INFORMATION: We are writing to let you know that there may have
been illegal and unauthorized access to some of your passwords at DreamHost
today. Our security systems detected the potential breach this morning and
we...
EU Data-Privacy Rules to Make Breach Disclosures Mandatory Within 24 Hours
Jake Kouns (Jan 23)
http://www.bloomberg.com/news/2012-01-22/eu-s-reding-says-users-to-be-told-of-data-hacks-within-24-hours.html
A European Union proposal to simplify and toughen the region’s
data-protection rules will require companies to disclose data breaches
within 24 hours of their occurrences, Justice Commissioner Viviane
Reding said.
The EU will this week outline an overhaul of its 17-year-old
data-protection policies addressing online advertising and...
Third Circuit Holds Data Breach Plaintiffs Lack Standing
Jake Kouns (Jan 23)
http://www.huntonprivacyblog.com/2012/01/articles/third-circuit-holds-data-breach-plaintiffs-lack-standing/
On December 12, 2011, the United States Court of Appeals for the Third
Circuit affirmed a decision that employees of Ceridian Corporation’s
(“Ceridian’s”) customers did not have standing to sue Ceridian after
the payroll processing firm suffered a data breach.
In December 2009, a hacker may have gained access to personal and...
Grindr Hacked By Evil Aussie! Your D! () # Pics May Soon Hit The Internet
security curmudgeon (Jan 23)
http://www.queerty.com/grindr-hacked-by-evil-aussie-your-dick-pics-may-soon-hit-the-internet-20120120/
Grindr Hacked By Evil Aussie! Your D! () # Pics May Soon Hit The Internet
By: Evan Mulvihill
On: Jan 20, 2012
Rutrow! Gay hookup app Grindr has been compromised by a hacker based in
Sydney, Australia, reports the Sydney Morning Herald.
The hacker found a frighteningly easy way to log in as a user other than
yourself,...
Barclays: 97 percent of data breaches still due to SQL injection
security curmudgeon (Jan 23)
[I am pretty sure DatalossDB.org would disagree with that number. I wonder
if Jones cites a source for that statistic in the presentation at the
Infosecurity Europe Press Conference. The TechWorld article doesn't appear
to mention an original source or challenge the figure in any way. -
jericho]
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>...
Decade-Long Virus Infection Discovered
security curmudgeon (Jan 23)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
http://www.bankinfosecurity.com/articles.php?art_id=4418
By Jeffrey Roman
Bank Info Security
January 19, 2012
Recently discovered viruses, consisting of Trojans and other malware, at
City College of San Francisco have stolen personal banking information and
other data from perhaps tens of thousands of students, faculty and
administrators, says John...
Customer data breach draws federal lawsuit against Nevada-based Zappos, parent company Amazon
Jake Kouns (Jan 23)
http://www.washingtonpost.com/business/technology/nevada-based-zappos-parent-company-amazon-sued-in-kentucky-over-customer-data-security-breach/2012/01/18/gIQAzYzi8P_story.html
LAS VEGAS — Online retailers Amazon.com and Zappos.com are being sued
in Kentucky by a Texas woman alleging that she and millions of other
customers were harmed by the release of personal account information.
Officials representing Zappos in Nevada and parent company...
fringe: Google fixes Checkout bug that leaked customer data
security curmudgeon (Jan 23)
http://news.cnet.com/8301-27080_3-57360657-245/google-fixes-checkout-bug-that-leaked-customer-data/
Google fixes Checkout bug that leaked customer data
Elinor Mills
by Elinor Mills January 17, 2012 4:12 PM PST
Google has fixed a bug in its Checkout software that exposed customer
phone numbers to merchants in more than two dozen countries that charge a
value-added tax--mostly in Europe and Asia.
"We had a bug in our Google Checkout...
Zappos.com - 24 million customer accounts compromised
security curmudgeon (Jan 17)
http://blogs.zappos.com/securityemail
The following email was sent to our employees today:
Subject: Important - Security
Dear Zappos Employees -
Please set aside 20 minutes to carefully read this entire email.
We were recently the victim of a cyber attack by a criminal who gained
access to parts of our internal network and systems through one of our
servers in Kentucky. We are cooperating with the FBI to undergo an
exhaustive...
follow-up: NHS fined £375k after stolen patient data flogged on eBay
security curmudgeon (Jan 17)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
http://www.theregister.co.uk/2012/01/13/nhs_fined_stolen_data/
By OUT-LAW.COM
The Register
13th January 2012
The Information Commissioner is proposing to issue its heaviest ever fine
for a breach of UK data protection laws. It proposes fining a health body
after patient records were stolen from a hospital and sold on eBay.
Brighton and Sussex...
follow-up: Rare Legal Fight Takes On Credit Card Company Security Standards and Fines
security curmudgeon (Jan 17)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
http://www.wired.com/threatlevel/2012/01/pci-lawsuit/
By Kim Zetter
Threat Level
Wired.com
January 11, 2012
A small celebrity-friendly restaurant in Utah is finally doing what many
merchants have only dreamed of doing for a long time — taking on a part of
the payment card industry’s powerful but flawed system for securing card
data by fining...
Rare Legal Fight Takes On Credit Card Company Security Standards and Fines
Jeffrey Walton (Jan 17)
Visa and Mastercard fined a restaurant for a breach that two forensics
firms could not find evidence even occurred. Once fined, US Banks
jumped on to seize assets and have the fines increased.
http://www.wired.com/threatlevel/2012/01/pci-lawsuit/
A small celebrity-friendly restaurant in Utah is finally doing what
many merchants have only dreamed of doing for a long time — taking on
a part of the payment card industry’s powerful but flawed...
12 detained or punished over fabricating massive leak of online personal data
security curmudgeon (Jan 17)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
http://english.peopledaily.com.cn/90882/7701857.html
Xinhua
January 11, 2012
BEIJING, Jan. 10 (Xinhua) -- Four people have been detained by police and
eight others punished after they were found guilty of fabricating a
massive leak of online personal data by hackers over the past month in
China, the country's Internet watchdog announced...
Big Twin Cities ID theft ring unmasked
Henry Brown (Jan 17)
How To Prevent An Illicit Data Dump
security curmudgeon (Jan 17)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
http://www.darkreading.com/insider-threat/167801100/security/perimeter-security/232400126/how-to-prevent-an-illicit-data-dump.html
By Michael Cobb
Contributing Writer
Jan 11, 2012
[Excerpted from "How to Prevent an Illicit Data Dump," a new report posted
this week on Dark Reading's Insider Threat Tech Center.]
The headline occurs...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
Re: wdbrpc_memory_dump.rb bug and question
Robin Wood (Jan 25)
The only reason I moved the original file away was in case it
overwrote the existing file when I restarted the download, I didn't
want to lose the 30% already downloaded. Now I know the intended
functionality it makes perfect sense and the fix you've put in should
be fine. I've finished the job I was on where I could test this so
I'll trust you that it works fine and hopefully have chance to test it
some time in the future....
Re: wdbrpc_memory_dump.rb bug and question
Joshua J. Drake (Jan 25)
Robin,
Setting the "OFFSET" variable indicates that you wish to resume a
partial dump. This feature is intended to be used along with an
existing dump that did not complete.
The initial portion of the dump should remain undisturbed while the
new parts will be written starting at the supplied offset. Currently,
starting at a specific offset and writing to a new file is not
supported. This is due to some strangeness with ruby's...
Re: wdbrpc_memory_dump.rb bug and question
Robin Wood (Jan 25)
I've just reproduced this showing the directory exists but the file
doesn't, this is only when the offset is set to non-zero, if I set it
to 0 then it runs fine. I'll put a ticket in for it.
Robin
msf auxiliary(wdbrpc_memory_dump) > run
[*] Attempting to dump system memory, starting at offset 0xecfb8f0
[*] 10.21.10.22 Connected to VxWorks5.5.1 - Motorola E500 : Unknown
system version ()
[*] Dumping 0x10000000 bytes from base...
Re: mssql_enum bug
Robin Wood (Jan 24)
I've created a ticket for it, I'll see about getting a PCAP but it is
on a client site so not sure if I can get a sanitized capture or not.
Robin
Re: wdbrpc_memory_dump.rb bug and question
Robin Wood (Jan 24)
The directory existed. I had started dumping with a 2 on the end and
it had failed half way through so I thought rather than overwrite the
existing file I would just add a 3 to the end and start it again.
Robin
Re: mssql_enum bug
HD Moore (Jan 24)
Our hand-coded MSSQL driver likely can't cope with MSSQL 7 - a Redmine
ticket would rock, along with a PCAP if you can.
-HD
Re: wdbrpc_memory_dump.rb bug and question
HD Moore (Jan 24)
This is a problem with your local filesystem - you may need to mkdir
/Users/robin/.msf4/logs/ first before running the module, as it didn't
succeed in opening the dump file.
You can set the output path with the LPATH option
-HD
Re: http_ntlm module output file format
Robin Wood (Jan 24)
I was planning to have a go, just wanted to check there was no reason
that it was like it was before I started coding.
Robin
Re: http_ntlm module output file format
Tod Beardsley (Jan 24)
The SMB capture module will output a John the Ripper compatible file.
However, the http_ntlm module doesn't give us the file format we want
(I'm working on a fix), so we'll have to change the file to look like this:
<user>:::<LMHASH>:<NTLMHASH>:<CHALLENGE> (wrapped for space, the
actual file won't be wrapped):
---
sounds like he's going to fix it. You're welcome to beat him to it,
Robin...
http_ntlm module output file format
Robin Wood (Jan 24)
I'm playing with NBNS spoofing from this post on Packetstan
http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
and was wondering if there was any reason that the http_ntlm module
doesn't generate some of the files in the correct format? It
would be a quick fix to get the files into the correct format.
Robin
Re: mssql_enum bug
Robin Wood (Jan 24)
I just tried to connect to this with the MS SQL Enterprise Manager
2008 and that tells me that it can only connect to servers with
version 2000 or above, looking at a process list on the machine SQL
Server is running from c:\MSSQL7 so I'd guess it is version 7. I
wonder if you can catch that it is this early version and do a nice
fail rather than just catch the exception and say couldn't connect.
Robin
mssql_enum bug
Robin Wood (Jan 24)
Everything is set correctly and Nessus reported the install as having
a blank sa password but I get this error, same with mssql_sql.
Robin
msf auxiliary(mssql_enum) > show options
Module options (auxiliary/admin/mssql/mssql_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for
the specified...
wdbrpc_memory_dump.rb bug and question
Robin Wood (Jan 24)
First the bug, I think this is because I set an offset but pointed it
at a file that doesn't exist:
[*] Attempting to dump system memory, starting at offset 0xaa84850
[*] 10.21.2.30 Connected to VxWorks5.5.1 - Motorola E500 : Unknown
system version ()
[*] Dumping 0x10000000 bytes from base address 0x00000000 at offset
0x0aa84850...
[-] Auxiliary failed: Errno::ENOENT No such file or directory -
/Users/robin/.msf4/logs/vxworks_memory3.dump...
Re: H.D. Moore in NY Times
HD Moore (Jan 23)
Additional information on the blog:
https://community.rapid7.com/community/solutions/metasploit/blog/2012/01/23/video-conferencing-and-self-selecting-targets
Re: possible bug in auxiliary/gather/shodan_search
Jonathan Cran (Jan 23)
BG - I believe this has been resolved in the trunk by sinn3r, can you
take a look?
jcran
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Re: [Wireshark-users] Issue Related to Unrecognized Text in Manifest File
Chris Maynard (Jan 27)
NITIN GOYAL <nitinkumgoyal () > writes:
A capture file would be far more useful.
- Chris
Re: Conference room before FOSDEM
Chris Maynard (Jan 27)
Graham Bloice <graham.bloice () > writes:
place at Delirium I’m not intending to miss it.
Unfortunately, I will be unable to attend ... but I'll try to enjoy a Belgian
beer or two from RI instead. :) I'm sure the event will be terrific and
everyone will have a great time.
Cheers,
Chris
CMake can't find glib
Stephen Fisher (Jan 27)
I'm anxious to try out the beginnings of a Qt Wireshark, but I'm having trouble with CMake on FreeBSD. After making a
separate directory to build in, and running "cmake ../wireshark" I get to this point:
/usr/bin/ld: cannot find -lglib-2.0
*** Error code 1
As far as I can tell, the reason is that the glib library is in a non-standard search location for ld (/usr/local/lib).
The only way I've found so far...
Re: disabling loopback
Guy Harris (Jan 27)
The relevant part of which is "you can capture on the loopback interface on Linux".
I.e., at least on Linux (and on *BSD and Mac OS X and some other OSes listed there), you *can* capture packets that are
shortcutted in the kernel - capture on the loopback interface ("lo" on Linux, "lo0" on *BSD/Mac OS X and at least some
of the other OSes).
Re: disabling loopback
Tim.Poth (Jan 27)
http://wiki.wireshark.org/CaptureSetup/Loopback
-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Andrej
van der Zee
Sent: Friday, January 27, 2012 12:46 PM
To: Community support list for Wireshark
Subject: [Wireshark-users] disabling loopback
Hi,
I was wondering if there is a way to prevent packets sent to a local IP address to be shortcut-ed in the...
disabling loopback
Andrej van der Zee (Jan 27)
Hi,
I was wondering if there is a way to prevent packets sent to a local
IP address to be shortcut-ed in the kernel. I want them to show up in
the tcpdump. How could I do this on Ubuntu?
Cheers,
Andrej
Re: Extending VoIP Call Flow
Weir, Alan (Jan 27)
Thanks Jaap, That’s exactly what I was looking for, Alan
From: wireshark-dev-bounces () wireshark org [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Jaap Keuter
Sent: Friday, January 27, 2012 3:23 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Extending VoIP Call Flow
Hi,
I think you can piggyback onto the generic voip protocol.
It already has a tap listener and takes whatever information you feed it....
Issue Related to Unrecognized Text in Manifest File
NITIN GOYAL (Jan 27)
Hi
I am seeing one issue with the Wireshark. While I capture the traffic for
Smooth Streaming, WIreshark is not able to recognize the fields of Manifest
file and return this type of error:
<field name="xml.unknown" showname="\xff\xfe" size="2" pos="238"
show="\xff\xfe" value="fffe"/>
<field name="" show="[ ERROR: Unrecognized text ]" size="10"...
Re: Conference room before FOSDEM
Graham Bloice (Jan 27)
As the FOSDEM Friday beer event, http://fosdem.org/2012/beerevent takes
place at Delirium I'm not intending to miss it.
From: wireshark-dev-bounces () wireshark org
[mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Sébastien Tandel
Sent: 22 January 2012 12:03
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Conference room before FOSDEM
Hi all,
I'm really sad I won't be able to participate with...
Re: Conference room before FOSDEM
Jaap Keuter (Jan 27)
Sébastien, you're a connoisseur. ;)
I so wanted to be there too, but I can't. :/
Thanks,
Jaap
Re: Extending VoIP Call Flow
Jaap Keuter (Jan 27)
Hi,
I think you can piggyback onto the generic voip protocol.
It already has a tap listener and takes whatever information you feed it.
Thanks,
Jaap
written a plugin for a proprietary VoIP protocol. One application for
this protocol involves a gateway which gearboxes between it and SIP so
extending the VoIP call flow graph to include my protocol would be
highly desirable. Is there any way to achieve this without modifying
voip_calls.c...
[HITB-Announce] Reminder: HITB2012AMS Call For Papers Closing Soon
Hafez Kamal (Jan 26)
This is a gentle reminder that the Call for Papers for the third annual
HITBSecConf in Europe closes on the 18th of February! Send in your
submissions now!
http://cfp.hackinthebox.org/
---
This year, we're moving to a new, bigger and better venue -- the
award winning Okura Hotel right in middle of Amsterdam with easy access
via public transportation. #HITB2012AMS will be a quad-track conference
featuring keynote speakers Andy Ellis (Chief...
Re: [Wireshark-commits] rev 40734: /trunk/tools/ /trunk/tools/: make-dissector-reg.py
Gerald Combs (Jan 26)
It should be fixed in r40736.
Re: question about sniffing wireless IPOD conversations
Matthew (Jan 26)
John,
This will probably be frowned upon but I found using the "hacking" tool
Cain & Abel to perform an ARP Spoof attack against the device on my
network that I wanted to watch allowed me to see the traffic (as after
all I no longer needed promiscuous if the traffic was actually being
sent to me). Effectively the iPod thinks you are the router, so the
traffic is sent via your PC instead of directly to the real router.
This...
Re: [Wireshark-commits] rev 40734: /trunk/tools/ /trunk/tools/: make-dissector-reg.py
Guy Harris (Jan 26)
Unfortunately, Python 2.x doesn't appear to like it any more:
and the same complaint is showing up on the Ubuntu buildbot.
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Re: HELP ON SNORT
Joel Esler (Jan 27)
I had a question off list the other day about whether we should stop recommending BASE as a GUI from "snort.org"'s
perspective.
Community? Thoughts?
Re: HELP ON SNORT
Castle, Shane (Jan 27)
OTOH BASE is EOL, or at any rate is not being maintained. I actually run BASE myself but I'm getting to hate some of
its failings. Snorby and Sguil are in my future you can bet.
Re: snort 2.9.2
Russ Combs (Jan 27)
It probably should at this point. That just differentiates from the other
major modes like packet dump, logging, test, and rule dump.
------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future...
snort 2.9.2
Lawrence R. Hughes, Sr. (Jan 27)
Hi,
I set snort to run in inline mode (-Q), but when snort starts, it reports: Enabling inline operation Running in IDS
mode? I thought it should say IPS Mode?
Thanks,
Larry
Re: HELP ON SNORT
Jeremy Hoel (Jan 27)
I disagree a bit. BASE is very easy to set up and use and it gets the
analyst up and running and able to look at results very fast. Taking
the time to install Snorby or SGUIL later is probably a good idea, but
base gets it up and running and you know it's working before you go
fighting ruby or tcl.
Re: HELP ON SNORT
Martin Holste (Jan 27)
Also, don't use BASE. Use Snorby.
Re: Excessive alerts on SID 17407 -- Windows help file download
rmkml (Jan 27)
Hi Stephen,
Maybe try an SF SEU update?
This SID has been at rev 10 since around 7 Dec 2011...
it contains a pcre to restrict FPs.
Regards
Rmkml
Excessive alerts on SID 17407 -- Windows help file download
Bachelor, Stephen A CTR USSOCOM HQ (Jan 27)
This often triggers on content which is not a help file, such as "GET
/iu/api/res/1.2/Ip7475OzCLIWah.hLpjbYw--/YXBwaWQ9eXZpZ"
Is there any reason I shouldn't add, after the content rule,
pcre:"/\.hlp[^a-zA-Z0-9]/smi";
Original rule text below:
Rule alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"WEB-CLIENT Windows help file download request";
flow:to_server,established;...
Re: Sensor placement with presence of web proxies
Joel Esler (Jan 27)
I've done both. I just prefer it closer to the end point.
Re: Sensor placement with presence of web proxies
Martin Holste (Jan 27)
It sounds like there aren't too many show-stoppers for deploying on
the client-side of the proxy, and we definitely don't have the
resources to monitor both sides, so I guess that's where we'll end up.
Great stuff--I'm glad I asked! Thanks all.
Re: abt snort log file
Joel Esler (Jan 27)
It's the pcap logging method. You can read it with any pcap tool, tcpdump, tshark, wireshark, etc.
J
abt snort log file
Jagan Mohan Reddy D (Jan 27)
Hi,
I executed the following command...
$ sudo /usr/local/snort/bin/snort -b -l /var/log/snort
then it created the following log file named as "snort.log.1327665537"
How do I read this file into a normal text file?
Please help on this!
----------------
Thanks & Regards
D J M Reddy
Re: on snort
Kevin Ross (Jan 27)
https://forums.snort.org/forums/support/topics/warning-ip-dgm-len-gt-captured-len-cannot-disable-it
Try this.
Regards, Kevin
On 27 January 2012 07:45, Jagan Mohan Reddy D <jagan.mohan507 () gmail com> wrote:
on snort
Jagan Mohan Reddy D (Jan 26)
While running the following command, I'm getting the following error ....
$ sudo /usr/local/snort/bin/snort -dev -l /var/log/snort/
Running in packet logging mode
--== Initializing Snort ==--
Initializing Output Plugins!
Log directory = /var/log/snort/
pcap DAQ configured to passive.
The DAQ version does not support reload.
Acquiring network traffic from "eth0".
Decoding Ethernet
--== Initialization Complete ==--...
Re: help
Heine Lysemose (Jan 26)
Hi
This is correct behavior.
If you want the prompt to return after running your Snort start-up command,
add a -D to start Snort as a daemon. See Snort manual 1.9.1...
$ sudo /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -i eth0 -D
/Lysemose
OpenVAS — Development and announcements regarding OpenVAS, a free network security scanner which forked from Nessus. This is a combination of the English openvas-announce, openvas-devel, openvas-discuss, and openvas-plugins lists.
Windows 7 scan
Guillaume Castagnino (Jan 27)
Hi,
I noticed that scanning a windows 7 host (with credentials and registry
access) is "broken" by default.
This is because:
1) W7 does not start the remote registry access service by default
2) UAC prevents the local administrator from gaining the full registry access needed by
plugins (SMB/registry_full_access).
For point 1) the remote registry service needs to be started, and that's fine.
Do you see another way to do this?
For point...
smb_reg_service_pack.nasl (10401)
Guillaume Castagnino (Jan 27)
Hi list,
This plugin looks strange to me. If I understand correctly, it's designed to
read the Windows version and service pack version from the registry.
Then it saves that information to the KB. Fine.
But this script also registers a security_hole with the highest score when both
pieces of information have been successfully fetched:
if(!isnull(winVal) && !isnull(csdVer))
{
report = string("The ", winName, " ",...
Re: gsad not responding -> 100% CPU
Andreas Pflug (Jan 27)
On 27.01.12 15:17, Andreas Pflug wrote:
I'm talking about gsad 2.0.1.
gsad not responding -> 100% CPU
Andreas Pflug (Jan 27)
When connecting to gsad via port 9392, the daemon will enter an endless
loop, consuming 100% on one CPU, with no response to the client. To end
this, the daemon has to be killed.
Re: Small bug in vnc_security_types.nasl
Michael Meyer (Jan 27)
Hello,
*** Torbjorn.Wictorin () its uu se <Torbjorn.Wictorin () its uu se> wrote:
Thanks for pointing that out. I'll fix that.
Best Regards,
Micha
Task startup takes forever
Derek Wuelfrath (Jan 26)
Hi list,
I'm trying to run a task but when I hit the start task button using the
GSA web admin the task stays on requested for almost 10 minutes!
After these 10 minutes, the task starts and then takes up to 2 minutes
to complete.
Why is it taking 10 minutes to start?
There's NO load on the server.
Here's the log:
event task:MESSAGE:2012-01-26 21h18.23 utc:7913: Status of task
132761198046E74B...
Small bug in vnc_security_types.nasl
Torbjorn . Wictorin (Jan 26)
Hello,
vnc_security_types.nasl (script_id 19288) checks the VNC security types
and if <= 1: security hole.
However, if you get 0 as a security type, this is an error indication,
not a bad protocol, see
www.realvnc.com/support/documentation.html
under 6.1.2.
So, the test should be 'if == 1: security hole'
Else you get false positives for servers that reject the connection for
some reason.
Torbjörn Wictorin,
Uppsala...
Re: Regression GSD1.20->1.21: can't save report
Andreas Pflug (Jan 26)
On 26.01.2012 20:55, Matthew Mundell wrote:
All versions are the latest from the Debian 6 repository; it's 2.0.4.
Re: Regression GSD1.20->1.21: can't save report
Matthew Mundell (Jan 26)
Thanks Andreas. This sounds related to the OMP time format change. Which
version of OpenVAS Manager are you using?
Re: Downtime next monday (30th)
Jan-Oliver Wagner (Jan 26)
You mean www.openvas.com I guess.
Well, it's a real mirror (the page files still only exist on our server, no copies).
I don't think we get it quickly extended to act as a fallback.
Best
Jan
GSD schedule ignores start date/time
Andreas Pflug (Jan 26)
Creating a schedule using GSD 1.2.1 doesn't allow setting the start date
and time; the current date and time is always used.
Re: Downtime next monday (30th)
Tim Brown (Jan 26)
Any chance to use the US mirror for the website?
Tim
Regression GSD1.20->1.21: can't save report
Andreas Pflug (Jan 26)
With GSD 1.2.1, saving of reports fails silently on Windows as well as
Debian 6.
Going back to 1.2.0, saving works again.
Regards,
Andreas
Downtime next monday (30th)
Jan-Oliver Wagner (Jan 26)
Hello,
Just to ensure everyone is aware: the OpenVAS development platform
will undergo a comprehensive upgrade next Monday (Jan 30th) and
go offline ca. 11-16 UTC.
Website, SVN, Bug tracker, ... everything will be unavailable during
this time.
All the best
Jan
Install instructions on Debian 6
Andreas Pflug (Jan 25)
The installation instructions at
http://www.openvas.org/install-packages.html#openvas4_debian_obs miss
the dependency psmisc. The package contains killall, which is used by
step 3. psmisc isn't included in a minimal Debian install by default.
Regards,
Andreas