SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects.
Re: zenmap doesn't scan my user mode linux image
Toralf Förster (Mar 11)
David Fifield wrote at 21:13:20
16970 works fine :-)
Hogger - bringing nmap & Snort together
Crook, Parker (Mar 11)
To all you nmappers out there that may or may not be using Snort, I wanted to let you know that there is a new tool
that I whipped up to parse nmap scan files for digestion by Snort:
Hogger is a tool written in perl that generates a host-attribute table for Snort. It parses the output of an nmap
scan, and creates a properly formatted XML file readable by Snort for easy preprocessor tuning. Hogger can run on most
platforms that can run perl...
Re: zenmap doesn't scan my user mode linux image
Toralf Förster (Mar 11)
David Fifield wrote at 21:04:02
Well, I found the difference. For some time I've used wlan instead of a cable
at the office. If I use the cable then it works well.
Probably this information is interesting for you:
n22 ~ # nmap n22_uml
Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-11 10:00 CET
Nmap scan report for n22_uml (192.168.1.50)
Host is up (0.000050s latency)....
host/domain name with an underscore not printed correctly
Toralf Förster (Mar 11)
This is only a small issue but anyway the attached screen shot should show it
for the system "n22_uml.uml_domain".
Re: zenmap doesn't scan my user mode linux image
Toralf Förster (Mar 11)
David Fifield wrote at 21:04:02
Well,
using "-e tap0" now it works - but again, I'm wondering if glibc or something
else changed...
Re: zenmap doesn't scan my user mode linux image
Toralf Förster (Mar 11)
David Fifield wrote at 21:04:02
Well,
I tested both version 5.0 and 4.76 - which were known to work on my system
last year, but currently they show the same behaviour.
Something else must be the culprit (I upgraded glibc from 2.8_p20080602-r1 to
glibc-2.10.1-r1, this I cannot roll back; kernel sources and headers were
upgraded too).
What I do not understand is that the UML is fully reachable and I can browse
the internet with lynx, but...
Re: Nmap bug - Doesn't follow static route
David Fifield (Mar 11)
I've just added another possibility from testing on OS X. The ways for
an address to be considered directly connected are:
1. Gateway address is 0.0.0.0 (Linux).
2. Gateway address is the same as local interface address (Windows).
3. Gateway address is the same as the destination address (Mac OS X).
It would be better to get this directly from the system routing table,
but I haven't found out how to do that on platforms that don't have...
Payloads file
Jay Fink (Mar 11)
All,
Attached is payloader.cc and nmap-payloads file. This is for testing
but hopefully finally almost ready for integration. Per David's
direction it now loads up all payloads at init then does a lookup of
needed payloads later.
What would go into nmap itself is everything except the main() routine
and of course defines and headers would be in the appropriate
locations.
To try it out just download the files and run:
c++ payloader.cc -o...
Re: zenmap doesn't scan my user mode linux image
David Fifield (Mar 11)
If you are building from Subversion, please update to at least r16970
and try again. The routing problem should be fixed. See
http://seclists.org/nmap-dev/2010/q1/845.
David Fifield
Re: Nmap bug - Doesn't follow static route
David Fifield (Mar 11)
Those /0 netmasks were a separate bug, fixed in r16968.
I've implemented this as of r16970. If you are building from source,
please give it a try. Here is the commit message:
Before, route_dst worked like this:
1) Check destination address against all interfaces, with special-case
handling for local addresses.
2) Check destination address against routing table.
Now it works like this:
1) Check destination address against local...
Re: NMAP XML output too verbose
Farkas Levente (Mar 11)
This is almost exactly what I requested in my previous mail.
- I like the idea that normal output matches the XML output.
- And I also would like to get a list only where a given port is open.
The only problem with this is that there are some cases when filtered ports
would also be useful. Maybe a --filtered option would be useful.
Anyway, even if only the current proposal will be included in the next
version, then it'd be a perfect solution for...
RE: [BULK] Re: new Win install fails beyond localhost
Norris Carden (Mar 10)
This showed up in the zenmap.exe.log:
E:\tools\Nmap\py2exe\library.zip\zenmapGUI\MainWindow.py:625:
GtkWarning: Could not find the icon '"C:\Program Files\Windows
NT\Accessories\WORDPAD.EXE",1'. The 'hicolor' theme
was not found either, perhaps you need to install it.
You can get a copy from:
http://icon-theme.freedesktop.org/releases
E:\tools\Nmap\py2exe\library.zip\zenmapGUI\App.py:337: GtkWarning:
gdkselection-win32.c:1068:...
Re: zenmap doesn't scan my user mode linux image
Toralf Förster (Mar 10)
David Fifield wrote at 17:41:12
Well,
but it is a regression at least on my Gentoo system either between net-
analyzer/nmap-5.00-r2 and net-analyzer/nmap-5.21.
Or something else on my notebook changed, b/c I'm pretty sure that it worked
fine before (b/c I have used the UML system for years to play with wireshark and
the protocols of sendmail, courier, apache, cups and friends).
Re: More nsock socket_count_write_dec assert() failures
David Fifield (Mar 09)
I worked off-list with Brandon on this problem, and I think we have it
solved. It's committed as r16961.
The problem was that handle_write_results always assumed that it was
being called as the result of a socket becoming writable. If a call to
SSL_write resulted in the pseudo-error SSL_ERROR_WANT_READ, it would
(correctly) decrement the write count and increment the write count.
However, when handle_write_result was called again as a result of...
Re: NMAP XML output too verbose
Duarte Silva (Mar 09)
Knowing that I'm fairly new in the area of contributing to nmap, but
here it goes :)
The question of the XML showing off-line hosts can be solved with a
different XSL that only shows hosts that are up. (I have been
tinkering about a new and a little more interactive XSL file that
could transform the XML to something more pleasant to use, mashing it
up with JavaScript maybe?? Kind of thinking out loud now).
The problem of XML having hosts that...
Nmap Hackers — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Nmap 5.21 released
Fyodor (Jan 27)
Hello everyone. I'm pleased to release Nmap 5.21, which contains zero
exciting new features! It is a bug-fix only release instead,
addressing about a dozen issues discovered since 5.20. Thanks for all
the testing and bug reports! None of the bugs are critical, but we
wanted to polish things up since 5.21 may be the latest stable version
for a while. That gives us time to tackle and stabilize big
development projects. If you want to know...
Lots of Nmap News
Fyodor (Jan 22)
Hi folks. I'm happy to report that the 5.20 release went well. But
with this many improvements, there will always be a few bugs found.
We're planning to round those up with a bugfix-only 5.21 release next
week. So please test out 5.20 and report any problems you experience:
Download Page: http://nmap.org/download.html
Bug Report Instructions: http://nmap.org/book/man-bugs.html
If you're running from a build of the latest SVN checkout, you...
Nmap 5.20 Released
Fyodor (Jan 20)
Happy new year, everyone. I'm happy to announce Nmap 5.20--our first
stable Nmap release since 5.00 last July! It offers more than 150
significant improvements, including:
o 30+ new Nmap Scripting Engine scripts
o enhanced performance and reduced memory consumption
o protocol-specific payloads for more effective UDP scanning
o a completely rewritten traceroute engine
o massive OS and version detection DB updates (10,000+ signatures)
The...
Nmap 5.00 Released!
Fyodor (Jul 16)
Hello everyone. I'm delighted to announce the release of Nmap 5.00!
This is the first major release since 4.50 in 2007, and includes about
600 significant changes since then! We consider this the most
important Nmap release since 1997, and we recommend that all current
users upgrade.
There are too many changes to list them all in this email, so here are
the top 5 improvements in Nmap 5:
1) The new Ncat tool aims to be your Swiss Army Knife...
Nmap news: stable release candidate 4.90RC1, SoC team, and new translations
Fyodor (Jun 26)
Hi Folks. I'm pleased to announce some exciting Nmap news:
[=================Nmap 4.90RC1==================]
It has been nearly 10 months (and 11 dev releases) since 4.76, the
last stable Nmap release. And we've made many dramatic changes, so it
is time for a new stable version! I've posted a release
candidate--4.90RC1--on the Nmap download page:
http://nmap.org/download.html
Please test it out, and let us know if you find any problems...
Nmap 4.85BETA6 now avail w/Conficker detection
Fyodor (Apr 01)
Hi Folks! In case you missed all the news reports yesterday, a couple
great researchers from the Honeynet Project (Tillmann Werner and Felix
Leder) and Dan Kaminsky came up with a way to remotely detect the
Conficker worm which has infected millions of machines worldwide.
Some say 15,000,000 machines infected, but that might just be
exaggerated AV-company BS for all I know. But there are clearly
millions of infections, and this massive botnet...
Nmap News: 4.84BETA4 release, Nmap book news, Summer of Code, Twitter, etc.
Fyodor (Mar 27)
Hello everyone. We've seen 848 messages on nmap-dev this year, but
this is my first post to nmap-hackers. So I have a lot of exciting
Nmap news to fit into this one email!
[=================Nmap 4.85BETA4==================]
While the last release I posted to this list was 4.76 in September of
last year, we've had four beta releases since then with hundreds of
important and dramatic changes. I'm pretty happy with the latest
4.85BETA4 release,...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
Multiple vulnerabilities in SUPERAntiSpyware and Super Ad Blocker
Luka Milkovic (Mar 11)
Title: Multiple vulnerabilities in
SUPERAntiSpyware and Super Ad Blocker
Date of Discovery: 2 Feb 2010
Contact Date: 4 Feb.2010
Release Date: 10 Mar 2010
Author: Luka Milkovic
Mail: milkovic.luka at gmail.com
Software Link: SUPERAntiSpyware -
http://www.superantispyware.com/index.html...
[SECURITY] [DSA 2011-1] New dpkg packages fix path traversal
Nico Golde (Mar 11)
--------------------------------------------------------------------------
Debian Security Advisory DSA-2011-1 security () debian org
http://www.debian.org/security/ Nico Golde
March 10th, 2010 http://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : dpkg
Vulnerability : path traversal
Problem type :...
[ MDVSA-2010:060 ] squid
security (Mar 11)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:060
http://www.mandriva.com/security/
_______________________________________________________________________
Package : squid
Date : March 10, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
Enterprise Server 5.0...
Skype URI Handler Input Validation
Paul Craig (Mar 11)
presents..
Skype URI Handler Input Validation...
Vulnerabilities in Abton
MustLive (Mar 11)
Hello Bugtraq!
I want to warn you about vulnerabilities in Abton. It's a commercial Ukrainian
CMS.
-----------------------------
Advisory: Vulnerabilities in Abton
-----------------------------
URL: http://websecurity.com.ua/2886/
-----------------------------
Timeline:
31.03.2008 - found the vulnerabilities.
16.02.2009 - announced at my site.
17.02.2009 - informed developers.
24.11.2009 - disclosed at my site.
-----------------------------...
[USN-909-1] dpkg vulnerability
Kees Cook (Mar 11)
===========================================================
Ubuntu Security Notice USN-909-1 March 11, 2010
dpkg vulnerability
CVE-2010-0396
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can...
Friendly-Tech FriendlyTR69 CPE Remote Management V2.8.9 SQL Injection Vulnerability
lament (Mar 10)
=========================================
Yaniv Miron aka "Lament" Advisory March 7, 2010
Friendly-Tech FriendlyTR69 CPE Remote Management V2.8.9 SQL Injection Vulnerability
=========================================
=====================
I. BACKGROUND
=====================
Based on the company's technical expertise and a decade of hands-on experience
in the telecom industry, Friendly's solution is a ROBUST, SCALABLE, SECURED,
TELCO...
CVE-2010-0624: Heap-based buffer overflow in GNU Tar and GNU Cpio
Jakob Lell (Mar 10)
I. BACKGROUND
GNU Tar and GNU Cpio are popular programs for managing archive
files. Both programs are included in many Linux distributions. GNU Tar
is commonly used for exchanging source code archives.
Both programs include a client implementation for the remote mag tape
protocol (rmt). This protocol allows accessing a tape device attached
to a remote system via rsh/ssh. It can also be used to
extract/create archive files on another system...
[SECURITY] [DSA-2010-1] New kvm packages fix several vulnerabilities
dann frazier (Mar 10)
------------------------------------------------------------------------
Debian Security Advisory DSA-2010 security () debian org
http://www.debian.org/security/ Dann Frazier
March 10, 2010 http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : kvm
Vulnerability : privilege escalation/denial of service
Problem type...
[SECURITY] [DSA 2009-1] New tdiary packages fix cross-site scripting
Steffen Joeris (Mar 10)
------------------------------------------------------------------------
Debian Security Advisory DSA-2009-1 security () debian org
http://www.debian.org/security/ Steffen Joeris
March 09, 2010 http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : tdiary
Vulnerability : insufficient input sanitising
Problem type...
[USN-908-1] Apache vulnerabilities
Marc Deslauriers (Mar 10)
===========================================================
Ubuntu Security Notice USN-908-1 March 10, 2010
apache2 vulnerabilities
CVE-2010-0408, CVE-2010-0434
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and...
Secunia Research: XnView DICOM Parsing Integer Overflow Vulnerability
Secunia Research (Mar 10)
======================================================================
Secunia Research 10/03/2010
- XnView DICOM Parsing Integer Overflow Vulnerability -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of...
[ MDVSA-2010:059 ] virtualbox
security (Mar 10)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:059
http://www.mandriva.com/security/
_______________________________________________________________________
Package : virtualbox
Date : March 10, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0
_______________________________________________________________________
Problem Description:
A...
iDefense Security Advisory 03.09.10: Microsoft Excel MDXSET Record Heap Overflow Vulnerability
iDefense Labs (Mar 10)
iDefense Security Advisory 03.09.10
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 09, 2010
I. BACKGROUND
Excel is the spreadsheet application included with Microsoft Corp.'s
Office productivity software suite. More information is available at
the following website:
http://office.microsoft.com/excel/
II. DESCRIPTION
Remote exploitation of a heap overflow vulnerability in Microsoft
Corp.'s Excel could allow an attacker to execute...
Secunia Research: Employee Timeclock Software Backup Information Disclosure
Secunia Research (Mar 10)
======================================================================
Secunia Research 10/03/2010
- Employee Timeclock Software Backup Information Disclosure -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of...
Full Disclosure — An unmoderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately 80% of the posts are worthless drivel, so finding the gems takes patience.
2nd CfP: ICCGI 2010 || September 20-25, 2010 - Valencia, Spain
Miguel . Garcia (Mar 12)
2nd CfP: ICCGI 2010 || September 20-25, 2010 - Valencia, Spain
INVITATION:
=================
Please consider contributing to and/or forwarding to the appropriate
groups the following opportunity to submit and publish original
scientific results.
=================
============== ICCGI 2010 | Call for Papers ===============
CALL FOR PAPERS, TUTORIALS, PANELS
ICCGI 2010: The Fifth International Multi-Conference on Computing in the
Global...
2nd CfP: INTERNET 2010 || September 20-25, 2010 - Valencia, Spain
Sandra Sendra (Mar 12)
INVITATION:
=================
Please consider contributing to and/or forwarding to the appropriate groups the following opportunity to submit and
publish original scientific results.
=================
============== INTERNET 2010 | Call for Papers ===============
CALL FOR PAPERS, TUTORIALS, PANELS
INTERNET 2010: The Second International Conference on Evolving Internet
September 20-25, 2010 - Valencia, Spain
General page:...
SecurityFocus to partially shut down
netinfinity (Mar 12)
*Since its inception in 1999, SecurityFocus has been a mainstay in the
security community. From original news content to detailed technical papers
and guest columnists, we’ve strived to be the community’s source for all
things security related. SecurityFocus was formed with the idea that the
community needed a place to come together and share its collected wisdom and
knowledge. *
* At the time, the security community was fairly fragmented...
[SECURITY] [DSA 2014-1] New moin packages fix several vulnerabilities
Giuseppe Iuculano (Mar 12)
------------------------------------------------------------------------
Debian Security Advisory DSA-2014-1 security () debian org
http://www.debian.org/security/ Giuseppe Iuculano
March 12, 2010 http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : moin
Vulnerability : several
Problem type : remote...
[SECURITY] [DSA 2012-1] New Linux 2.6.26 packages fix several issues
dann frazier (Mar 12)
----------------------------------------------------------------------
Debian Security Advisory DSA-2012-1 security () debian org
http://www.debian.org/security/ dann frazier
March 11, 2010 http://www.debian.org/security/faq
----------------------------------------------------------------------
Package : linux-2.6
Vulnerability : privilege escalation/denial of service
Problem...
Fw: Ubisoft DDoS
Shinnok (Mar 12)
----- Forwarded Message ----
From: Shinnok <raydenxy () yahoo com>
To: Jan Schejbal <jan.mailinglisten () googlemail com>
Sent: Fri, March 12, 2010 10:43:30 AM
Subject: Re: [Full-disclosure] Ubisoft DDoS
Hi,
I'd more likely believe that this is a story made up by Ubisoft to hide their big failure in the new centralized
DRM system.
Buyers of Assassin's Creed and the like that use the new DRM system haven't been able to play it for...
[USN-911-1] MoinMoin vulnerabilities
Jamie Strandboge (Mar 11)
===========================================================
Ubuntu Security Notice USN-911-1 March 11, 2010
moin vulnerabilities
CVE-2010-0668, CVE-2010-0669, CVE-2010-0717
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu,...
iDefense Security Advisory 03.11.10: Multiple Vendor WebKit HTML Element Use After Free Vulnerability
iDefense Labs (Mar 11)
iDefense Security Advisory 03.11.10
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 11, 2010
I. BACKGROUND
WebKit is an open source web browser engine. It is currently used by
Apple Inc.'s Safari browser, as well as by Google's Chrome browser. For
more information, see the vendor's site at the following link.
http://webkit.org/
II. DESCRIPTION
Remote exploitation of a memory corruption vulnerability in WebKit, as
included with...
Last day to download WinScanX Basic or WinScanX Pro... forever.
Reed Arvin (Mar 11)
I have received a cease and desist letter regarding certain tools on
http://windowsaudit.com. Regardless of the validity of the
accusations, I do not have the financial means to support legal
defense.
With that said, please take this opportunity to download WinScanX
Basic or purchase WinScanX Pro before they are gone forever. After
today, all that remains is a slim chance to find the product(s) via
some other means.
The http://windowsaudit.com...
[SECURITY] [DSA 2013-1] New egroupware packages fix several vulnerabilities
Moritz Muehlenhoff (Mar 11)
------------------------------------------------------------------------
Debian Security Advisory DSA-2013-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
March 11, 2010 http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : egroupware
Vulnerability : several
Problem type : remote...
[ MDVSA-2010:061 ] ncpfs
security (Mar 11)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:061
http://www.mandriva.com/security/
_______________________________________________________________________
Package : ncpfs
Date : March 11, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
Enterprise Server 5.0, Multi Network Firewall 2.0...
Re: New Internet Explorer code-execution
Georgi Guninski (Mar 11)
haha, they updated their ``advisory'' to 1.1 from 1.0 at
http://www.microsoft.com/technet/security/advisory/981374.mspx
they changed ``targeted'' to ``public'' and the rest seems the same.
are targeted customers less important than public customers?
extra points for spelling eCHO as Echo:
Echo y| cacls %WINDIR%\SYSWOW64\iepeers.DLL /E /P everyone:N
Impact of workaround. Extended MSHTML functionality such as printing and
Web folders may be...
Re: Multiple vulnerabilities in SUPERAntiSpyware and Super Ad Blocker
netinfinity (Mar 11)
*I am really sorry and apologize for using lame file uploading sites,
but I don't own a domain:( I tried to attach a ZIP archive, but it seems
it's being filtered*
Use tar.gz not zip. Or .rar could also work.
ZDI-10-027: Skype Protocol Handler datapath Argument Injection Remote Code Execution Vulnerability
ZDI Disclosures (Mar 11)
ZDI-10-027: Skype Protocol Handler datapath Argument Injection Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-027
March 11, 2010
-- Affected Vendors:
Skype
-- Affected Products:
Skype
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8328.
For further product information on the TippingPoint IPS,...
ZDI-10-028: Skype URI Processing Arbitrary XML File Deletion Vulnerability
ZDI Disclosures (Mar 11)
ZDI-10-028: Skype URI Processing Arbitrary XML File Deletion Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-028
March 11, 2010
-- Affected Vendors:
Skype
-- Affected Products:
Skype
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 8329.
For further product information on the TippingPoint IPS, visit:...
Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
Re: Reporting SSH abuse
James Bensley (Mar 10)
I find in these situations, who is it you should actually tell? In
your case where the traffic is coming from a University I'm sure the
Uni tech team would appreciate knowing, but I have had it from some IP
in Brazil; I never reported it because I couldn't think who would give
a damn.
Re: Help hardening router
Dave LaDuke (Mar 10)
Thanks for telling him, I had planned to have some fun later.
--------------------------------------------------
From: "Curt Shaffer" <cshaffer () gmail com>
Sent: Tuesday, March 09, 2010 1:49 AM
To: <mzcohen2682 () aim com>
Cc: <security-basics () securityfocus com>
Subject: Re: Help hardening router
------------------------------------------------------------------------
Securing Apache Web Server with thawte...
RE: Reporting SSH abuse
Dan Lynch (Mar 10)
I could swear I once read an "authoritative" source doc on this subject, maybe an RFC (Site Security Handbook?), or
something from CERT. But I can't seem to dig it up. Anyone?
Here's what I did find:
Going to the Source: Reporting Security Incidents to ISPs (2002)
http://www.securityfocus.com/infocus/1555
And a most-excellent write up "Composing abuse reports" (2007)
http://blog.anta.net/2007/04/18/composing-abuse-reports/...
Re: Reporting SSH abuse
Liquid (Mar 10)
Dan Pilcheck wrote:
Dan,
Honestly that's more than enough. I've had client sites that were doing
the same and the notifications were more than ample to at least look
into it. A nice note to the person should work; we had a couple in the
past where the admin was a complete jerk in letting us know. So
personally I'd recommend a screenshot of a log and perhaps just listing
the IP and what it's hammering against (ssh in this case). Hope this...
Re: Help hardening router
doug schmidt (Mar 10)
http://www.cymru.com/Documents/secure-ios-template.html
Reporting SSH abuse
Dan Pilcheck (Mar 09)
Hello list,
I've been getting a slew of SSH brute forces coming from a university
inside the US over the past week. Normally I wouldn't even bother with
reporting, but I figured this would be a chance to clear this up.
Fail2ban bans for 10 hours, and then the login attempts are right
back at it. Repeat.
An email with associated logs, and perhaps a little info from this
side is the best I can come up with. I suppose there's not much else to...
Re: Help hardening router
Mike Hale (Mar 09)
Wouldn't you want to encrypt your passwords in 5? Level 7 can be
cracked in seconds online.
Re: Help hardening router
Curt Shaffer (Mar 09)
Step one is to now change all of your passwords unless you put bogus hashes in there when you posted this. Otherwise,
everyone on this list can tell you what they are now :)
Re: Help hardening router
Alex (Mar 09)
Hi you
Take a look at the Cisco IOS benchmark from CIS [1]
type this
MARIO (config)#ip ssh?
does it show anything? [2]
Yes. You'd better change this access list to one that only allows the
traffic that you want and place a deny-all rule at the end. (You will
see this in the CIS benchmark as well.)
But that's the access list that's applied to your internal network
going out. You also have an access-list that seems to be applied to
the...
RE: Help hardening router
Jatmoko, Arif (ID - Jakarta) (Mar 09)
If this is a Cisco Catalyst, it should support SSH. Just enable SSH by entering the commands:
crypto key generate rsa
line vty 0 4
And disable telnet, make SSH the only transport agent, use ACLs to restrict inbound & outbound packets passing your
interfaces (by IP address & services), enable logging, secure your login, etc...etc.
You should at least learn some basic commands or consult about configuring Catalyst IOS with someone who has...
Re: securing a segment of a network
krymson (Mar 09)
Would that be a primary concern about the current state of audits and checklists? Basically, there is a *lot* of effort
to camouflage or "limit the scope" of such audits.
<- snip ->
Now to the issue itself.
I am willing to believe the issue was actually about potential inappropriate access to system resources such as
applications, shares and/or privileges. Splitting the network does not address this in any way; at best it...
FW: Help hardening router
Craig S. Wright (Mar 09)
ARGGG!
Always obscure the details.
It is clear you are not experienced with Cisco security. As such, I would
start with an automated tool such as the router audit tool (RAT) and Nipper.
You get these from the following sites respectively:
Centre for Internet Security (CIS) website
http://www.cisecurity.org/bench_cisco.html.
Nipper, (Network Infrastructure Parser)...
Re: Help hardening router
John Morrison (Mar 09)
Joe,
To protect, or secure, the router there are a few basics. These boil down to:
Install the latest IOS updates
Only run required services and disable all others
Allow only authenticated and encrypted access to the router
Use ACLs to control remote access to the router
See
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
Latest IOS Update
==============
Download and install the latest...
Re: Help hardening router
David Goldsmith (Mar 09)
Did you change the various encrypted passwords before posting the
config? If not, we may not have the IP address of the router, but you
just exposed their passwords (which may be used elsewhere).
There are also IP addresses for other interfaces on the router and other
endpoints, descriptions of connections, etc., in the configuration that
you posted.
If you post configurations to public lists asking for review, you should
be sure to fully...
Re: securing a segment of a network
Adam Pal (Mar 08)
Hi Roger,
First point: what you described below is nice, but it is one special scenario.
What is the most likely threat you want to mitigate?
Try to keep in mind that mitigating exotic threats can lead you to higher costs, and that is what you wanted to avoid
according to your first email.
Also, another question you can take into consideration: what would be your acceptable risks?
If the requirement is:
"Keep the same, maintain the...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
Re: proposed pen-test
Matt Gardenghi (Mar 11)
I'd vote that you don't do this. It's cool, but a waste of your time.
Unless you work for DOE and this is to prevent a similar event from
Chinese or Russian spies, then you should do it.
Anyone can build such an elaborate scheme that you will eventually fall
for it. Realistically, you want to protect your users from the average
attacks not the super well-constructed spear-phishing attacks. Yeah,
you need to cover those, but what is...
Re: Professional Script Kiddies vs Real Talent
Mike (Mar 11)
Good discussion, but I feel both are equally important. I mean when I
go to the Dr. for an xray the technician doesn't have a CLUE to how
the machine works, but he can push a button. The Dr. doesn't have a
CLUE to how the machine works either, but he can hopefully interpret
the picture and give a proper diagnosis. We all use tools for
pentesting and all that matters is that we can accurately and
intelligently interpret the data and we don't...
RE: Evaluating pentesters
Frye, Dan (Mar 11)
Does anyone know if a "bakeoff" of pentest vendors has ever been done?
As an overly simplified example, think of an IDP bakeoff where they fire
a certain number of tests at different sensors. Whichever sensor records
the most attacks is "better" (remember this is a simplified view). If
you reverse it, basically let a certain number of pentest firms target a
test network then publish the results of who scored the highest (%...
Re: Professional Script Kiddies vs Real Talent
5.K1dd (Mar 11)
Translation: "0ur cR3w 1$ l33t HaX0rz - 3v3ry0n3 3l$3 r l4m3rz +
Sk1dd13s! gR33tz to dIn0 D () I z0V - k3vIn fInI$73RRe -l () nD0N FuLL3R -
r0b3r7 gR () H@m - j3r3miah Gr055m () n - l () rry HigH5MI7h - 8IlLy h0FfM () n
-mikk0 Hyppon3n - d () n K () miN5KY - p () uL k0CH3R - N () 7e L () w$0N - D () viD
LI7cHfi3Ld - Ch () Rl3$ mILl3R - J3FF M055 - J0se n () z@ri0 - J0 () nN@
RU7k0W$k@ U 6Uy$ R r0xoR$!!!"
I guess the white hats are...
Re: Evaluating pentesters
Daniel Clemens (Mar 11)
ASVs and pentesters are two different animals altogether.
This may be a horrible place to start.
| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850 | | o. 866.267.8851
"Moments of sorrow are moments of sobriety"
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and...
Re: Evaluating pentesters
Mohamed Farid (Mar 11)
There are a lot of pen test firms, but my advice is to check with your
QSA if they are offering such a service. The goal is to reduce the
number of firms who know your infrastructure and your network diagram,
and as the QSA is already involved in this knowledge, it will be
better if you let them penetrate your system themselves.
Controlled DoS
Tibor Kaskoto (Mar 11)
Respected Members,
Is it possible to do a Denial of Service attack in a controlled way, e.g. in
a penetration testing scenario? How can you control/limit the possible
degradation of the client's services? Can you ask the client to cooperate in
terms of IDS/IPS alerts, or any sign of service degradation? How can you
measure the success of the test if you are actually not allowed to break
anything? What is the approach to a 99.99% availability...
Re: Evaluating pentesters
Brent Huston (Mar 11)
Obtain and check references, do a Google search on the company name and the names of the principals. Check for real
capabilities, research, contributions to the security community.
A little research will set apart the real security teams from the "scan and forget" vendors. It just takes a little
time and energy. 15 mins per vendor and a browser will make it all make sense....
Re: DNS Pen-Test Tools
gigi sulli (Mar 11)
I want to suggest hostmap: http://hostmap.lonerunners.net
Re: Professional Script Kiddies vs Real Talent
Eric Milam (Mar 11)
I think it is important to note that these days there is beginning to be
a greater divide in the Security field. Just like in the early 90's
when a "Computer Guy" did pretty much everything, specific roles began
to be created and specializations were weeded out.
Nowadays we have the same thing going on in our field. At least at a
more direct level than before. I use BT for my PT's and use a lot of
tools. I have written only one...
Re: proposed pen-test
Steve Friedl (Mar 11)
Nobody, because a pen-test is not *actual* fraud, and there is no
actual damage.
There are all kinds of Postal Service rules, such as it being illegal to
open somebody else's mail, but when you dig in, you find that opening
the mail of a previous resident for the purposes of tracking them down
or informing the sender, is NOT illegal.
Fraud requires an actual intent to defraud; saying "gotcha"
is not the same as defrauding.
This may...
Re: Evaluating pentesters
Rudra Kamal Sinha Roy (Mar 11)
Hi Tony,
Have a look at this blog post : "5 Tips on Choosing Penetration
Testing Companies" :
http://www.ivizsecurity.com/blog/penetration-testing/how-to-choose-penetration-testing-companies/
Go through it carefully and it will answer all your queries, I hope.
The tips which are highlighted in this post are:
Tip 1: Evaluate Technology Competence of Vendors
Tip 2: Focus on the vendor’s real knowledge and not just on certifications...
Re: RE: Wireless Encryption Methods (eg; WPA2) vs Forced Secure Proxy Redirects
Cedric Blancher (Mar 11)
On Friday 05 March 2010 at 10:31 +0100, Malick Sy wrote:
They are advantageous because people are lazy. Period. Windows has a
native supplicant supporting PEAP, OSX too, and they are pretty much
transparent for the end-user, asking for a login/password. As for
deployments, T-Mobile has been deploying hotspots providing PEAP
authentication for instance.
Now, you can argue you need a first step to retrieve access credentials,
and that will...
RE: Professional Script Kiddies vs Real Talent
Craig S. Wright (Mar 11)
The entire notion that security is about pen testing is flawed.
Pen testing can say your system sucks, it can find holes. Really so what.
This does little to actually improve architecture, policy, user behaviour
etc. There are always holes, security is an economic risk function.
There are limits to what can be spent on security and too much on Pen
testing leaves less for mitigation. I see less spent on code testing than on
getting the site pen...
Fwd: Evaluating pentesters
Daniel Hood (Mar 11)
I'm usually on the other side of the fence with this sort of stuff
(being a pen-tester). But I guess the easiest way to weed out those
"cash-hungry" bogans who just use tools like Nessus and such and then
hand you the scan results and those people who have a little bit of
experience with metasploit and think they are the best, is to check
into their companies and make sure they have some kind of RnD
department. Not a product RnD...
Info Security News — Carries news items (generally from mainstream sources) that relate to security.
Change in Focus
InfoSec News (Mar 11)
http://www.securityfocus.com/news/11582
By SecurityFocus Staff
SecurityFocus
2010-03-10
Since its inception in 1999, SecurityFocus has been a mainstay in the
security community. From original news content to detailed technical
papers and guest columnists, we've strived to be the community's source
for all things security related. SecurityFocus was formed with the idea
that the community needed a place to come together and share its...
TJX Hacking Conspirator Gets 4 Years
InfoSec News (Mar 11)
http://www.wired.com/threatlevel/2010/03/tjx-conspirator-sentenced-to-46-month/
By Kim Zetter
Threat Level
Wired.com
March 11, 2010
Humza Zaman, a co-conspirator in the hack of TJX and other companies,
was sentenced Thursday in Boston to 46 months in prison and fined
$75,000 for his role in the conspiracy. The sentence matches what
prosecutors were seeking.
Zaman, a 33-year-old former programmer at Barclays Bank, was charged
with...
Final CFP: TrustBus'10-- Deadline Extended
InfoSec News (Mar 11)
Forwarded from: "M. Carmen Fernández Gago" <mcgago@ (at) cc.uma.es>
** Apologies for multiple copies **
*Final Call for Papers*
7th International Conference on
*TRUST, PRIVACY AND SECURITY IN DIGITAL BUSINESS (TrustBus'10)*
Bilbao, Spain
30 August -- 3 September 2010
http://www.isac.uma.es/trustbus10
/in conjunction with the 21st International Conference on Database and
Expert Systems Applications (DEXA 2010)/
The...
State Web site breach tied to foreign attacker
InfoSec News (Mar 11)
http://www.desmoinesregister.com/article/20100311/NEWS10/3110351/-1/networking/State-Web-site-breach-tied-to-foreign-attacker
By William Petroski
The Des Moines Register
March 11, 2010
A hacking incident on an Iowa homeland security Web site last week has
been linked to a foreign attacker who gained access through a security
vulnerability, a state official said Wednesday.
This hacker used an "abstract, colorful" image to deface...
ZeuS botnet code keeps getting better... for criminals
InfoSec News (Mar 11)
http://www.networkworld.com/news/2010/031110-zeus-botnet.html
By Ellen Messmer
Network World
March 11, 2010
New capabilities are strengthening the ZeuS botnet, which criminals use
to steal financial credentials and execute unauthorized transactions in
online banking, automated clearing house (ACH) networks and payroll
systems. The latest version of this cybercrime toolkit, which starts at
about $3,000, offers a $10,000 module that can let...
Secunia Weekly Summary - Issue: 2010-10
InfoSec News (Mar 11)
========================================================================
The Secunia Weekly Advisory Summary
2010-03-04 - 2010-03-11
This week: 63 advisories
========================================================================
Table of Contents:
1.....................................................Word From...
Why Bob Maley's Firing is Bad for All of Us
InfoSec News (Mar 11)
http://threatpost.com/en_us/blogs/why-bob-maleys-firing-bad-all-us-031110
By Dennis Fisher
Threatpost
March 11, 2010
The news that Pennsylvania CISO Bob Maley lost his job for publicly
discussing a security incident at last week's RSA Conference really
shouldn't come as a surprise, but it does. Even for a government agency,
this kind of lack of understanding of what actually matters is appalling
and it is a glaring example of the sickness...
Pennsylvania's Web security officer leaves post a week after talking about PennDOT hacking incident
InfoSec News (Mar 10)
http://www.pennlive.com/midstate/index.ssf/2010/03/pennsylvanias_web_security_off.html
By JAN MURPHY
The Patriot-News
March 10, 2010
Last week, Pennsylvania's chief information security officer Robert
Maley was at an information security conference in San Francisco talking
about a hacking incident involving PennDOT's computers. This week, Maley
is gone.
Gary Tuma, Gov. Ed Rendell's press secretary, confirmed that Maley is no
longer...
The FBI supply chain illustrated
InfoSec News (Mar 10)
http://blogs.csoonline.com/the_fbi_supply_chain_illustrated
By Robert McMillan
Security Blanket
2010-03-09
While FBI Director Robert Mueller was talking about possible threats to
the U.S. supply chain at the RSA Conference last week, staffers at the
first-ever FBI RSA booth were getting ribbed about the pens they were
giving out.
http://blogs.csoonline.com/sites/blogs.csoonline.com/files/pensm.jpg
Colorado Springs man allegedly sabotaged TSA computers
InfoSec News (Mar 10)
http://www.denverpost.com/ci_14648083
By Howard Pankratz
The Denver Post
03/10/2010
A former employee of the Transportation Security Administration has been
indicted by the Denver federal grand jury for attempting to sabotage TSA
computers that enable TSA airport personnel to spot potential terrorists
before they board airliners.
Douglas James Duchak, 46, of Colorado Springs, worked for the TSA from
August 2004 through October 2009....
Zeus botnets suffer mighty blow after ISP taken offline
InfoSec News (Mar 10)
http://www.theregister.co.uk/2010/03/10/massive_zeus_takedown/
By Dan Goodin in San Francisco
The Register
10th March 2010
At least a quarter of the command and control servers linked to
Zeus-related botnets have suddenly gone quiet, continuing a recent trend
of takedowns hitting some of the world's most nefarious cyber
operations.
The massive drop is the result of actions taken by two Eastern European
network providers. On Tuesday, they...
WhitePages.com halts ad networks over malware
InfoSec News (Mar 10)
http://news.cnet.com/8301-27080_3-10466753-245.html
By Elinor Mills
InSecurity Complex
CNet News
March 10, 2010
WhitePages.com has stopped ad networks from delivering ads to its site
after they were found to contain fake antivirus malware.
"On Monday morning WhitePages received reports from users [about]
malware in the form of a fake antivirus upsell program that we believe
originated (against our terms) from a third-party advertising...
Thailand approves extradition of credit card hack suspect
InfoSec News (Mar 09)
http://www.theregister.co.uk/2010/03/08/thailand_extradites_hacking_suspect/
By Dan Goodin in San Francisco
The Register
8th March 2010
A criminal court in Thailand has approved the extradition to the US of a
Malaysian man suspected of participating in credit card thefts of more
than $152m, according to a local news report.
Gooi Kokseng, 44, was arrested on January 30 after being accused of
causing more than 5 billion baht, or $152.9m, in...
RSA: Cybersecurity A Joint Fed, Industry Effort
InfoSec News (Mar 09)
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=223200125
By J. Nicholas Hoover
InformationWeek
March 8, 2010
Government officials played a starring role at the annual RSA Conference
last week, laying out their plans for government cybersecurity,
particularly the need for increased cooperation with industry, in
keynotes and panel sessions throughout the week.
White House cybersecurity coordinator Howard...
Cybersecurity program has serious defects, GAO says
InfoSec News (Mar 09)
http://gcn.com/articles/2010/03/08/cnci-assessment-030810.aspx
By William Jackson
GCN.com
March 08, 2010
Implementing the Comprehensive National Cybersecurity Initiative, a
broad program intended to protect the nation's cyber infrastructure, has
been hampered by a lack of coordination and transparency, according to
the Government Accountability Office.
"CNCI is unlikely to fully achieve its goal of reducing potential
vulnerabilities,...
Firewall Wizards — Tips and tricks for firewall administrators
Call for papers: ISP-10, Orlando, USA, July 2010
James Heralds (Feb 22)
It would be highly appreciated if you could share this announcement with
your colleagues, students and individuals whose research is in information
security, cryptography, privacy, and related areas.
Call for papers: ISP-10, Orlando, USA, July 2010
The 2010 International Conference on Information Security and Privacy
(ISP-10) (website: http://www.PromoteResearch.org) will
be held during 12-14 of July 2010...
Re: Inline 2 port POE Firewall
bruces (Feb 16)
What about the RouterBoard 433 series boards? Three NICs and POE,
firewall on RouterOS is Linux 2.6 based, so iptables is there. If you
want gigabit ethernet, the 600 series has that.
Regards,
Bruce
Quoting Kerry Milestone <km4 () sanger ac uk>:
Inline 2 port POE Firewall
Kerry Milestone (Feb 16)
Hello,
I'm looking for an in-line firewall which runs on power over the ethernet. Two ports, one in and one out - running
something like iptables or monowall etc.
Ideally, I'd like to see a yoggie style small device, but their SOHO doesn't run on poe and USB is out of the question.
~ I've seen some bareboards, but in our case it would be really handy to purchase working units (when required) for a
fairly cheap price - rather than have to...
Re: Login straight to priv mode in PIX with TACACS server
John Morrison (Feb 12)
Michel,
If you set the PIX to use tacacs+ and then local, it will use local if
it cannot contact the TACACS+ server. The easiest way to make sure it
cannot contact the TACACS+ server is to remove the network cables.
Login straight to priv mode in PIX with TACACS server
Michel Ferreira (Feb 11)
Hi,
I've successfully configured my PIX 506E (6.3) to authenticate with my
TACACS+ Server (ACS 4.1), however I want to know if there's any way to
put the user straight in priv mode (enable) just after login, without
the need to input the 'enable' command.
I'm questioning this because I don't want to include the "aaa
authentication enable console tacacs+ LOCAL" command, since with this
command if I need console access I still will be...
Draft paper submission deadline is extended: ISP-10
James Heralds (Feb 05)
Draft paper submission deadline is extended: ISP-10
The 2010 International Conference on Information Security and Privacy
(ISP-10) (website: http://www.PromoteResearch.org)
will be held during 12-14 of July 2010 in Orlando, FL, USA. ISP is an
important event in the areas of information security, privacy, cryptography
and related topics.
The conference will be held at the same time and location where...
Hackito Ergo Sum 2010 - Call For Paper - HES2010 CFP
endrazine (Feb 04)
Hackito Ergo Sum 2010 - Call For Paper - HES2010 CFP
http://hackitoergosum.org
Hackito Ergo Sum conference will be held from April 8th to 10th 2010 in
Paris, France.
It is part of the series of conferences "Hacker Space Fest" taking place
since 2008 in France and all over Europe.
HES2010 will focus on hardcore computer security, insecurity,
vulnerability analysis, reverse engineering, research and hacking.
INTRO
The goal of this...
Re: Is it possible to control access between clients on same LAN with a firewall?
pkc_mls (Jan 28)
William Fitzgerald wrote:
This is exactly the point.
There are some firewalls that can do layer 2 filtering (bridge mode,
transparent mode, layer 2).
This is another option, but you can have some difficulties finding a
local firewall on a printer.
You should check in the dd-wrt doc or ask the dd-wrt mailing list if it
can be configured with a bridge interface on the LAN.
Re: Is it possible to control access between clients on same LAN with a firewall?
Paul D. Robertson (Jan 27)
I'm going to give you the non-firewall, imperfect but quick and easy
solution because with my quick reading of the postings I've approved, I
didn't see anyone suggest it yet- and it works no matter what you're using
as a router, assuming that it operates normally, and someone hasn't been
too clever in making it work...
Supernet the router, so use something like say 10.10.0.0/255.255.0.0 as
the "internal" network on the router....
Re: Is it possible to control access between clients on same LAN with a firewall?
William Fitzgerald (Jan 27)
Hi everyone,
Thanks for the constructive feedback.
I'll read into the proposed areas such as private vlans and the possible
configurations of vlans within dd-wrt.
I now know what some of the terminology used is (private vlan etc) in
order to hone in on the correct types of documentation to read.
kind regards,
Will.
PS: This reply may not get to you for some time, as I seem to need
moderator approval to post to the list.
Pete.LeMay wrote:
Re: Is it possible to control access between clients on same LAN with a firewall?
Will Brickles (Jan 27)
Using DD-WRT, what comes to mind immediately is to put your devices into separate VLANs and then use iptables to
restrict traffic between the VLANs. I don't know how flexible DD-WRT is when it comes to VLANs, but it might be your
best bet on such a platform. A configuration guide for VLANs I came across is at
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=1160 - it sounds as if you are already familiar with iptables.
Using other (much more...
Re: Is it possible to control access between clients on same LAN with a firewall?
K K (Jan 27)
Yes.
The most transparent (to the host) technique is what Cisco calls
"private VLAN", see:
http://en.wikipedia.org/wiki/Private_VLAN
There are other approaches to get the same results, all require either
a firewall with lots of interfaces (real or virtual) or a very smart
switch.
Kevin
Re: Is it possible to control access between clients on same LAN with a firewall?
Paul Melson (Jan 26)
With DD-WRT you can assign a different VLAN to each interface of the
router and then use iptables rules to manage traffic between devices.
This requires either a high degree of customization of your router or
the use of static IP addressing on some of the VLANs. Which for a
home network may not be so bad. Keep in mind that if you uplink other
switches to the router that the firewall cannot protect two devices
connected to that switch from each...
Re: Is it possible to control access between clients on same LAN with a firewall?
Mark (Jan 26)
Will:
The issue here is that computers on the same LAN do not forward packets to
the default gateway (your firewall), but use ARP and layer 2 to communicate.
The firewall never even pays attention to this traffic. The fact that the
firewall and switch are occupying the same physical device (your WRT54G)
makes no nevermind (as we say in the south). Even if you could make your
firewall filter the traffic, in essence you would be creating a...
Re: Is it possible to control access between clients on same LAN with a firewall?
Eric Gearhart (Jan 26)
You sound like you might already know this, but I may as well
summarize it for the audience. Normally in "production networks" you
separate different servers on a network based on their purpose... for
example, application servers go into an "application VLAN," database
servers go into a "database VLAN," and publicly accessible servers go
in their own separate DMZ (preferably they also hang off their own
separate...
IDS Focus — Technical discussion about Intrusion Detection Systems. You can also read the archives of a previous IDS list
Call for Papers: EC2ND 2010
Konrad Rieck (Mar 08)
Dear Colleagues,
Please find attached the Call for Papers for EC2ND 2010,
the sixth European Conference on Computer Network Defense,
which will be held in Berlin, Germany, October 28-29, 2010.
Please feel free to distribute this announcement. We apologize
if you receive multiple copies of this message.
Best Regards,
The EC2ND 2010 Organization Committee
* * * * * *
6th European Conference on Computer...
Announcing xtractr (on pcapr)
kowsik (Feb 22)
We are happy to announce xtractr, a collaborative cloud app for
indexing, searching, extracting and reporting on large pcaps. xtractr
enables network/support engineers and testers to troubleshoot the
network, isolate problems, identify field issues and perform network
forensics.
You can learn more about xtractr on our blog: http://bit.ly/d7yrKl or
watch a demo: http://www.pcapr.net/xtractr
Thanks,
K.
---
http://www.pcapr.net/...
CFP: Workshop on the Analysis of System Logs
Kathryn Mohror (Feb 05)
Workshop on the Analysis of System Logs (WASL) 2010
http://www.systemloganalysis.com
Call for Papers
===============================
October 3, 2010
Vancouver, Canada
(at OSDI)
===============================
FULL PAPER SUBMISSION: Sunday, June 13, 2010
AUTHOR...
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
Re: Need a real Java web application with vulnerabilities
Yu Qu (Mar 08)
Hi, Peine and others:
I have encountered similar problems too, my suggestion is please try to google the alphabetic strings like this:
"sql injection vulnerability CVE site:web.nvd.nist.gov jsp"
I believe that some positive results can be found. I'm also looking forward to other suggestions, thx!
Best wishes!
------------------------------------
Yu Qu
Ph.D. Candidate Student
Ministry of Education Key Lab for Intelligent...
RE: [WEB SECURITY] Re: Need a real Java web application with vulnerabilities
Calderon, Juan Carlos (GE, Corporate, consultant) (Mar 08)
Yeah, Steve's is just a nice approach, my experience is the same, you
will hardly find a non vulnerable custom application.
Besides you will improve your internal systems security, but fix them
fast or you could suddenly have those vulnerabilities exploited in
production and some grades changed :).
Regards,
JC
-----Original Message-----
From: Steve Pinkham [mailto:steve.pinkham () gmail com]
Sent: Lunes, 08 de Marzo de 2010 12:04 p.m.
To:...
Re: Need a real Java web application with vulnerabilities
Morgan Reed (Mar 08)
Sounds like the right approach, though I'm not aware of any Java based CMS.
I'd suggest your best bet is to go trawling some of the various
vulnerability databases around the place for a suitable candidate.
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus...
Re: [WEB SECURITY] Re: Need a real Java web application with vulnerabilities
Steve Pinkham (Mar 08)
Rogan Dawes wrote:
> Unfortunately, your first requirement seems to suggest against your
> suggestion. :-)
>
> As an open source app, the student would be able to see the change logs,
> and any security announcements for the app, and would be able to make
> use of those to identify known vulnerabilities in that version of the
> app.
>
> I suggest you look for a project that may have had a history of
>...
Security BSides Austin - sponsors needed!
Benjamin Tomhave (Mar 08)
Hi folks,
We need your help. We're still looking for sponsors for this weekend's
Security BSides Austin, which is set to occur the same day as the
kickoff for SxSW Interactive (a major developer conference). We have
official sponsorship from Astaro and Panda, plus a couple unofficial
sponsors. We'd love to see your organization involved, too! We're hoping
for a successful inaugural event in Austin, TX, so that next year we can
become officially...
Re: Need a real Java web application with vulnerabilities
Marc-André Laverdière (Mar 08)
You can have a try at Securibench. Some of the apps in there don't run without
some serious arm-twisting though, but it's good enough for manual review and
static analysis.
Marc-André Laverdière
Software Security Scientist
Innovation Labs, Tata Consultancy Services
Hyderabad, India
Re: Need a real Java web application with vulnerabilities
Federico Maggi (Mar 08)
OWASP's WebGoat Project has designed a non-trivial web application in Java, exactly for this purpose.
Ciao,
-- Federico
Re: Need a real Java web application with vulnerabilities
Kvetch (Mar 08)
Check out Daffodil CRM - http://sourceforge.net/projects/daffodilcrm/
It has SQL injection, XSS and some coding opportunities.
Nick Baronian
Re: Need a real Java web application with vulnerabilities
Wagner Elias (Mar 08)
The OWASP Broken Web App Project contains WebGoat, a vulnerable app in Java.
http://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project#tab=Project_Details
Regards
2010/3/8 Holger Peine <Holger.Peine () fh-hannover de>:
Need a real Java web application with vulnerabilities
Holger Peine (Mar 08)
Hello,
I have a student who wants to perform a mostly manual security review
of some Java web application as his master's thesis work. I am well
aware of pedagogical, deliberately insecure applications like Webgoat
and many others. However, we need a real application for this:
- Real code, since the job should create a realistic experience for
the student, and the results should not be readily available
in advance (as with Webgoat etc.)
-...
SamuraiWTF 0.8 released
Kevin Johnson (Mar 05)
Hi all,
I have just finished releasing SamuraiWTF 0.8. It is available at http://samurai.inguardians.com
and is a huge update. It includes metasploit, target applications
and tons of tool updates. It is now DVD sized as it has outgrown the
CD release.
Thank you
Kevin Johnson and the SamuraiWTF project team
Senior Security Analyst
InGuardians, Inc.
office: 202.448.8958
cell: 904.403.8024
removing version identifying attribution data
Robin Wood (Mar 04)
With a lot of open source web apps there is usually some kind of file
or comment block in the code that identifies the author and gives
attribution. The problem with most of these is that they end up
leaking information about the version of the app being used.
I'm very keen on keeping attribution in place and wouldn't want to
release software without giving due credit but at the same time I'd
rather not expose my clients to data leakage which I...
Vulnerabilities Animated Clips
Maty Siman (Mar 03)
One of the biggest challenges of the security community is to build true
SDLC (Secure development Life Cycle).
The biggest obstacle is that application developers at large lack the
know-how and motivation to address application risk.
At Checkmarx labs we thought that a new approach to application developers
might help them cross the barrier.
We have developed, as a pilot, two short animated clips that should
help developers understand a...
Advanced PHP Hacking
Laurent OUDOT at TEHTRI-Security (Mar 03)
Hi,
I'd like to announce a Security Master's Dojo course during next
CanSecWest 2010 in Vancouver (March 22-26 2010).
Title: Advanced PHP Hacking (!)
PHP is a worldwide web language used by individuals as well as companies
(Facebook...). This session aims at providing a hands-on focused PHP
Hacking experience. After this course, you will really know how
attackers work and move through PHP hax0ring so that they can jump
deeper down to your...
Re: Cookie Secure Attribute - Clarification
51l3n73y3s (Mar 01)
I would make the attribute as Secure and then also set the requireSSL of the
form to true. In this way the server will discard it if it's over HTTP.
Regards, Sandeep
--------------------------------------------------
From: "arvind doraiswamy" <arvind.doraiswamy () gmail com>
Sent: Sunday, February 28, 2010 12:23 PM
To: <webappsec () securityfocus com>
Subject: Re: Cookie Secure Attribute - Clarification
This list is...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Wings
dave (Mar 11)
So kudos to team .cn for another great IE bug. Anyone burning great bugs
like that clearly has a whole pot-full of them. Feel free to send any
spare ones my way. :>
Anyways, if you're sitting in a room with some hackers, you can always
do this: Ask them (as a group) if they could get kicked out of any
network they spent six months undetected in.
All hackers say "no" of course (what's a hacker without an ego?) but
it's interesting...
Re: Mike Bailey's Flash presentation is good.
Florian Weimer (Mar 09)
Bugs in web application frameworks are typically not fixed in the
frameworks, but are classified as application bugs instead. Each
application has to work around them. That creates enough commonality
that makes scanners not entirely useless.
Mike Bailey's Flash presentation is good.
dave (Mar 09)
People in the web application security space are often more into
"scanners" than people finding memory corruption bugs. I'm not sure what
the root cause is there - perhaps the set of bug classes that are
useful in web applications includes an abnormally large number of
automatable possibilities? Perhaps it's just a sign of the immaturity of
the field in general.
But web application hacking can be as complex as a CLOUDBURST style...
Re: Does anyone have video of this?
Nate Lawson (Mar 04)
I'm not sure why you're so excited about this. This panel is up every
year and mostly has the same people on it.
Basically you have Shamir and Rivest as the only two active
cryptographers with Whit Diffie as comedy relief. Brian Snow retired
from the NSA a while ago. It may be a fun format to watch for an Access
Hollywood-level overview of recent crypto news, but nothing
groundbreaking has ever been presented here.
As for the NSA, crypto is such...
Perforce
Intevydis (Mar 04)
Hi,
Usually I tend to ignore articles related to "sophisticated" aurora
attacks but according to
http://www.wired.com/threatlevel/2010/03/source-code-hacks many
companies use Perforce, big surprise..
About two years ago we've performed a quick testing of Perforce 2008.1
and released some bugs with Vulndisco:
1. p4s.exe DoS (crash)
to trigger send the following data to port "...
Re: Does anyone have video of this?
Dave Aitel (Mar 04)
Btw, for those who missed it:
"""
You find it at:
http://media.omediaweb.com/rsa2010/video-only.htm?id=1-5
And the other media from:
http://www.rsaconference.com/2010/usa/recordings/keynote-catalog.htm?utm_source=us10showdaily&utm_medium=email&utm_campaign=Wednesday
"""
-dave
Does anyone have video of this?
Dave Aitel (Mar 02)
NSA, cryptoexperts jab at RSA Conference Cryptographers' Panel
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1407881,00.html
FIRST 2010!
dave (Mar 02)
I'm giving a keynote at FIRST 2010. As you might imagine, FIRST is an
incident response conference (largely), and is chaired by Steve Adegbite
(Microsoft). It's in Miami, so I'm skating on home ice, as Justin Seitz
would say.
http://conference.first.org/program/program.aspx
Here's my abstract. I'm promising to "shed light" which will probably be
via a laser pointer!
"""
Incident response happens when your secure...
Month of PHP Security 2010 - CALL FOR PAPERS
Stefan Esser (Feb 27)
Month of PHP Security 2010 - CALL FOR PAPERS
--------------------------------------------
Three years ago, in March 2007, the Hardened-PHP project had organized
the Month of PHP Bugs. During one month more than 40 vulnerabilities in
the PHP interpreter were disclosed in order to improve the overall
security of PHP. Now, three years later, SektionEins GmbH will
continue in the same spirit and organize the Month of PHP Security.
The intention of...
dnsmap v0.30 + embedded devices discovery trick
Adrian P. (Feb 25)
Hello folks,
Just wanted to let you know that we recently released a new version of dnsmap.
dnsmap is a command line tool originally released in 2006 which helps
discover target subdomains and IP ranges during the initial stages of
an infrastructure pentest. dnsmap is a passive(ish) discovery tool
meant to be used before an actual active attack. It’s an alternative
to other discovery techniques such as whois lookups, scanning large IP
ranges,...
Re: XSS in viewstate
Nicolas RUFF (Feb 21)
Hello,
I already had a look at that in the past, and it appears that ViewState
data is encoded using System.Web.UI.LosFormatter (LOS meaning Limited
Object Serialization).
Everything can be found in System.Web.dll (from the .NET Framework). It
might even be available in the source
(http://referencesource.microsoft.com/netframework.aspx).
There is at least one Open Source project that began to reimplement the
serialization logic (but it...
Re: XSS in viewstate
David Byrne (Feb 19)
We usually see MAC protection turned off on at least one page during an
assessment. Does this mean that you can always have XSS if MAC
protection is turned off? That would be pretty cool.
I'm not familiar with Expression Language, but the TrustWave advisory
indicates that things can be executed on the server as well. What's the
story there?
-dave
( https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt )
Chris Weber wrote:
Re: XSS in viewstate
David Byrne (Feb 19)
In our original advisory, we did comment that Microsoft hinted at this vulnerability in a rather buried document
(http://support.microsoft.com/kb/829743), but we could find no other references to it on Microsoft's website or
anywhere else. While there are plenty of comments about application developers abusing the view state, this is the
first time (as far as we know) that the .Net framework was demonstrated to be vulnerable to XSS through the...
Re: XSS in viewstate
dave (Feb 19)
We usually see MAC protection turned off on at least one page during an
assessment. Does this mean that you can always have XSS if MAC
protection is turned off? That would be pretty cool.
I'm not familiar with Expression Language, but the TrustWave advisory
indicates that things can be executed on the server as well. What's the
story there?
-dave
( https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt )
Chris Weber wrote:
Re: XSS in viewstate
David Byrne (Feb 19)
http://www.hacking-lab.com/misc/downloads/ViewState_Afames.pdf
This, on first glance, looks real to me. Does anyone have any comments
on it? ViewState is pretty complex and fairly opaque. If I understand
properly, MS does not publish the full specs to it? Maybe the Mono team
found them somewhere?
-dave
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
Re: DNS honeypots?
Jason Ross (Mar 03)
But it would have the advantage of allowing you to capture further
traffic for analysis through whatever tools you choose.
Re: DNS honeypots?
Alexandre Dulaunoy (Mar 03)
We have used various techniques to make DNS honeypots. But there is
an easy way to make a "fake" DNS server using Net::DNS::Nameserver :
http://search.cpan.org/~olaf/Net-DNS/
You can even find a simple example in the POD :
http://search.cpan.org/~olaf/Net-DNS/lib/Net/DNS/Nameserver.pm
If you want to make a low-interaction nameserver, you can filter
the request and answer to limit the malicious queries but still gain
information by doing and...
Re: DNS honeypots?
Brent Huston (Mar 03)
Likely nothing today, most malware isn't smart enough to figure that out.
Re: DNS honeypots?
Jason Lewis (Mar 03)
Slightly related, I was wondering what might happen if I made every
query to the honeypot resolve back to the honeypot?
Re: DNS honeypots?
Brent Huston (Mar 03)
One of the tactics our clients use is that they stand up one of our HoneyPoint Agents on a decoy box and then send all
malicious and failed queries to that IP address. The HoneyPoint Agent then absorbs the traffic for analysis.
You can find a little bit about it from one of our customers here, they wrote it up with us: http://hurl.ws/cbhp
Let me know if that helps!
Re: DNS honeypots?
chr1x (Mar 02)
This post looks pretty interesting!
Let's analyze your requirement:
1. Logging malicious queries
2. Reject/Deny any possible dns attack attempt
Well, from my point of view, going from the Honeypot concept, which is
to track hackers, probably the best way that you can follow is to set up an
IPS instead of a Sensor. Personally, I don't see the purpose of having a
"Reactive" honeypot if the objective of a honeypot is to be the most
open possible...
Re: DNS honeypots?
Jason Lewis (Mar 02)
I just figured I'd setup something to log access and see what shows
up. I wasn't planning on directing traffic to the system.
Re: DNS honeypots?
Jason Lewis (Mar 02)
Cool, this is the kind of thing I was thinking of doing. I was hoping
I wouldn't have to reinvent the wheel.
Thanks.
Re: DNS honeypots?
Jason Ross (Mar 02)
There's quite a lot of (bad and good) bots "out there" looking for DNS
servers, particularly ones that appear to permit recursive queries to
the Internet. Just leaving a box on the net that meets those criteria
will collect a fair amount of queries.
Re: DNS honeypots?
Valdis . Kletnieks (Mar 02)
On Tue, 02 Mar 2010 15:00:43 EST, Jason Lewis said:
Out of curiosity, how do you get traffic directed to the honeypot without
listing it in an NS entry for an SOA? Give it a hostname like ns1.example.com
and hope that works?
Re: DNS honeypots?
Jason Ross (Mar 02)
Below is how I've got BIND set up in Debian Linux for a similar purpose.
It sends all the queries to a log file, and returns an A record (and MX)
of whatever value you'd like (I used RFC1918 space for this example).
Not sure it's perfect, but it works pretty well for my purposes.
Cheers,
Re: DNS honeypots?
Tillmann Werner (Mar 02)
Jason,
No need to run a server, you can simply sniff DNS traffic destined to
that box. If you don't want to send back an ICMP port unreachable
message, just block them using a packet filter.
I have some DNS sniffer code for exactly that purpose I can send to you
off-list if you are interested. tcpdump does the job, too, but mine
integrates DNS processing and logging (for IN/A record queries via UDP).
Tillmann
DNS honeypots?
Jason Lewis (Mar 02)
Anyone have any pointers to dns honeypots or maybe just BIND
configurations that would allow logging of malicious queries without
actually executing them?
Honeynet Project Forensic Challenge 2010/2 - browsers under attack
christian . seifert (Feb 27)
The Honeynet Project has revived a successful program from the past: The Honeynet Project Forensic Challenge 2010. The
purpose of the Forensic Challenges is to take learning one step farther. Instead of having the Honeynet Project analyze
attacks and share their findings, Forensic Challenges give the security community the opportunity to do so. In the end,
individuals and organizations not only learn about threats, but also learn how to...
MS Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products -- note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Bulletin Major Revisions
Microsoft (Mar 09)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: March 9, 2010
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.
* MS09-033 - Important
Bulletin Information:
=====================
* MS09-033 - Important
-...
Microsoft Security Bulletin Summary for March 2010
Microsoft (Mar 09)
********************************************************************
Microsoft Security Bulletin Summary for March 2010
Issued: March 9, 2010
********************************************************************
This bulletin summary lists security bulletins released for
March 2010.
The full version of the Microsoft Security Bulletin Summary for
March 2010 can be found at
http://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx.
With...
Microsoft Security Bulletin Summary for February 2010
Microsoft (Feb 09)
********************************************************************
Microsoft Security Bulletin Summary for February 2010
Issued: February 9, 2010
********************************************************************
This bulletin summary lists security bulletins released for
February 2010.
The full version of the Microsoft Security Bulletin Summary for
February 2010 can be found at...
Microsoft Security Bulletin Summary for January 2010
Microsoft (Jan 21)
********************************************************************
Microsoft Security Bulletin Summary for January 2010
Issued: January 21, 2010
********************************************************************
This bulletin summary lists the out-of-band security bulletin
released on January 21, 2010.
The full version of the Microsoft Security Bulletin Summary for
January 2010 can be found at...
Microsoft Security Bulletin Major Revision
Microsoft (Jan 14)
********************************************************************
Title: Microsoft Security Bulletin Major Revision
Issued: January 13, 2010
********************************************************************
Summary
=======
The following bulletin has undergone a major revision increment.
* MS09-073 - Important
Bulletin Information:
=====================
* MS09-073 - Important
-...
Microsoft Security Bulletin Summary for January 2010
Microsoft (Jan 12)
********************************************************************
Microsoft Security Bulletin Summary for January 2010
Issued: January 12, 2010
********************************************************************
This bulletin summary lists security bulletins released for
January 2010.
The full version of the Microsoft Security Bulletin Summary for
January 2010 can be found at
http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx....
Microsoft Security Bulletin Re-Release
Microsoft (Jan 12)
********************************************************************
Title: Microsoft Security Bulletin Re-Release
Issued: January 12, 2010
********************************************************************
Summary
=======
The following bulletin has undergone a major revision increment.
* MS09-035 - Moderate
Bulletin Information:
=====================
* MS09-035 - Moderate
-...
Microsoft Security Bulletin Major Revisions
Microsoft (Dec 08)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: December 8, 2009
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.
* MS08-037 - Important
Bulletin Information:
=====================
* MS08-037 - Important...
Microsoft Security Bulletin Summary for December 2009
Microsoft (Dec 08)
********************************************************************
Microsoft Security Bulletin Summary for December 2009
Issued: December 8, 2009
********************************************************************
This bulletin summary lists security bulletins released for
December 2009.
The full version of the Microsoft Security Bulletin Summary for
December 2009 can be found at...
Microsoft Security Bulletin Major Revisions
Microsoft (Nov 24)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: November 24, 2009
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.
* MS08-076 - Important
Bulletin Information:
=====================
* MS08-076 - Important...
Microsoft Security Bulletin Major Revisions
Microsoft (Nov 10)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: November 10, 2009
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.
* MS09-051 - Critical
* MS09-045 - Critical
Bulletin Information:
=====================
*...
Microsoft Security Bulletin Summary for November 2009
Microsoft (Nov 10)
********************************************************************
Microsoft Security Bulletin Summary for November 2009
Issued: November 10, 2009
********************************************************************
This bulletin summary lists security bulletins released for
November 2009.
The full version of the Microsoft Security Bulletin Summary for
November 2009 can be found at...
Microsoft Security Bulletin Advance Notification for November 2009
Microsoft (Nov 05)
********************************************************************
Microsoft Security Bulletin Advance Notification for November 2009
Issued: November 5, 2009
********************************************************************
This is an advance notification of security bulletins that
Microsoft is intending to release on November 10, 2009.
The full version of the Microsoft Security Bulletin Advance
Notification for November 2009 can be found...
Microsoft Security Bulletin Major Revisions
Microsoft (Nov 03)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: November 2, 2009
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.
* MS09-054 - Critical
Bulletin Information:
=====================
* MS09-054 - Critical
-...
Microsoft Security Bulletin Major Revisions
Microsoft (Oct 28)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: October 28, 2009
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.
* MS09-062 - Critical
Bulletin Information:
=====================
* MS09-062 - Critical
-...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Rainbow table speed
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Mar 11)
New work on a rainbow table system that will crack a 14 char XP password in
under 6 seconds.
http://www.h-online.com/security/news/item/Password-cracker-100-times-faster-with-an-SSD-950184.html
Try it out:
https://www.objectif-securite.ch/en/products.php#demo
(I'm rather amazed at the number of students who don't seem to be able to
comprehend the idea ...)
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn...
Re: Ford's SyncMyRide -- all your voice are belong to us?
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Mar 10)
Date sent: Wed, 10 Mar 2010 07:36:41 -0800
From: Shawn Merdinger <shawnmer () gmail com>
OK, so Ford and Tellme can record your conversations, and then assemble
"random" bits in order to make an interesting and blackmailable (or otherwise
embarrassing) piece?
I think this is appalling, and should not be allowed. Like anyone would agree to
the idea that it's in order for these really expensive,...
Re: Ford's SyncMyRide -- all your voice are belong to us?
Shawn Merdinger (Mar 10)
I kinda think it gets better...or worse ;)
the "Vehicle Health Report" only requires a VIN. Those are easy to
get, such as from Ebay Motors (and of course plenty of other places,
the vehicle dashboard, accident reports, etc.).
With the vehicle's VIN, *it seems* that anyone can go to SyncMyRide
website, then register someone else's car to anyone's contact
information (cell phone, email) to receive "Vehicle Health Reports."...
Re: Ford's SyncMyRide -- all your voice are belong to us?
Benjamin Brown (Mar 10)
creeptastic
On Wed, Mar 10, 2010 at 10:36 AM, Shawn Merdinger <shawnmer () gmail com> wrote:
Ford's SyncMyRide -- all your voice are belong to us?
Shawn Merdinger (Mar 10)
Interesting news:
http://www.darkreading.com/vulnerability_management/security/client/showArticle.jhtml?articleID=223200163
Ya gotta love this lovely tidbit of fine print from the SyncMyRide
terms and conditions:
http://www.syncmyride.com/Own/Modules/PageTools/TermsAndConditions.aspx
<snip>
Ford's Service provider Tellme Networks, Inc. ("Tellme"), a subsidiary
of Microsoft Corporation, may record and retain user voice...
Re: Bank security
Dave Paris (Mar 10)
::sniff:: I love happy endings. :)
Re: Bank security
Joel Esler (Mar 09)
GodDAMN those icebergs.
Re: Hitler and Cloud Computing Security mashup YouTube video : http://www.youtube.com/watch?v=VjfaCoA2sQk
Benjamin Brown (Mar 09)
http://www.youtube.com/watch?v=fQ97CZU_7kA&feature=PlayList&p=E1D776E2C30908A3&index=15
Re: Bank security
Rich Kulawiec (Mar 09)
Well, at that very moment an iceberg the size of Rhode Island broke
off into the southern Atlantic, sending a wave careening into the
side of an ocean liner full of dyspeptic tourists on holiday from
Camden, New Jersey, sweeping overboard the laptop of the secondary
accountant's assistant and with it the only copy of the security
policy for the entire company. As the news of this rippled (heh)
through the fabric of the corporation, causing chaos...
Re: Hitler and Cloud Computing Security mashup YouTube video : http://www.youtube.com/watch?v=VjfaCoA2sQk
Adriel T. Desautels (Mar 09)
I think I need to post that on my blog.
Adriel T. Desautels
ad_lists () netragard com
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com
Google Responds To Privacy Concerns With Unsettlingly Specific Apology
Morrow Long (Mar 09)
Google Responds To Privacy Concerns With Unsettlingly Specific Apology
http://www.theonion.com/content/news/google_responds_to_privacy?utm_source=EMTF_Onion
...
"Added Schmidt, "Whether you're Michael Paulson who lives at 3425
Longview Terrace and makes $86,400 a year, or Jessica Goldblatt from
Lynnwood, WA, who already has well-established trust issues, we at
Google would just like to say how very, truly sorry we are."
...
Hitler and Cloud Computing Security mashup YouTube video : http://www.youtube.com/watch?v=VjfaCoA2sQk
Morrow Long (Mar 09)
Hitler and Cloud Computing Security
http://www.youtube.com/watch?v=VjfaCoA2sQk
Sleepy-time tips for extreme multitaskers
Juha-Matti Laurio (Mar 09)
http://www.wired.com/underwire/2010/03/alt-text-dreams/
:)
Juha-Matti
APWG Q4 '09 report out
Juha-Matti Laurio (Mar 09)
Q4 report has been released recently -
http://www.antiphishing.org/reports/apwg_report_Q4_2009.pdf
Juha-Matti
Re: Bank security
Mike Preston (Mar 09)
I just had a backup of a PCI DSS DB uploaded via anon FTP for a server
I'm working on. Can't get much more clueless than that considering that
they had:
- a valid login to an alternative secure sftp server.
- both my and their own GPG credentials to allow it to be encrypted.
- over 10 years experience as a 'system administrator' responsible for
the company's PKI.
The only mitigating factor was that the upload directory doesn't allow
downloads,...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, bulletins, tips, and current activity lists.
Cyber Security Tip ST05-003 -- Securing Wireless Networks
US-CERT Security Tips (Mar 11)
Cyber Security Tip ST05-003
Securing Wireless Networks
Wireless networks are becoming increasingly popular, but they introduce
additional security risks. If you have a wireless network, make sure to take
appropriate precautions to protect your information.
How do wireless networks work?
As the name suggests, wireless networks, sometimes called WiFi, allow you to
connect to the...
TA10-068A -- Microsoft Updates for Multiple Vulnerabilities
US-CERT Technical Alerts (Mar 09)
National Cyber Alert System
Technical Cyber Security Alert TA10-068A
Microsoft Updates for Multiple Vulnerabilities
Original release date:
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Office
Overview
Microsoft has released updates to address vulnerabilities in
Microsoft Windows and Microsoft Office.
I. Description
Microsoft has released...
Current Activity - Microsoft Releases March Security Bulletin
Current Activity (Mar 09)
US-CERT Current Activity
Microsoft Releases March Security Bulletin
Original release date: March 9, 2010 at 1:44 pm
Last revised: March 9, 2010 at 1:44 pm
Microsoft has released an update to address vulnerabilities in
Microsoft Windows and Office as part of the Microsoft Security
Bulletin Summary for March 2010. These vulnerabilities may allow an
attacker to execute arbitrary code.
US-CERT encourages users and administrators to review the...
SB10-067 -- Vulnerability Summary for the Week of March 1, 2010
US-CERT Security Bulletins (Mar 08)
Vulnerability Summary for the Week of March 1, 2010
This bulletin provides a summary of new vulnerabilities that have been
recorded by the National Institute of Standards and Technology (NIST)
National Vulnerability Database (NVD) the week of March 1, 2010. It is
available here:
http://www.us-cert.gov/cas/bulletins/SB10-067.html
For instructions on subscribing to or unsubscribing from this
mailing list, visit <...
Current Activity - Energizer DUO USB Battery Charger Software Allows Remote System Access
Current Activity (Mar 08)
US-CERT Current Activity
Energizer DUO USB Battery Charger Software Allows Remote System Access
Original release date: March 8, 2010 at 10:26 am
Last revised: March 8, 2010 at 10:26 am
US-CERT is aware of a backdoor in the software for the Energizer DUO
USB battery charger. This backdoor may allow a remote attacker to list
directories, send and receive files, and execute programs on an
affected system. The software, which has been...
New US-CERT PGP Key
US-CERT Technical Alerts (Mar 05)
New US-CERT PGP Key
US-CERT has generated a new US-CERT Publications PGP key. We use this
key to sign all publications, including documents sent to this list.
Effective immediately, this new key (key ID 0x093916B7) is available
and will be valid until Saturday, October 1, 2011. This key replaces the
current PGP key (key ID 0xBEE871AC).
To obtain further information or to download the new
US-CERT publications PGP key, please visit
<...
New US-CERT PGP Key
US-CERT Security Bulletins (Mar 05)
New US-CERT PGP Key
US-CERT has generated a new US-CERT Publications PGP key. We use this
key to sign all publications, including documents sent to this list.
Effective immediately, this new key (key ID 0x093916B7) is available
and will be valid until Saturday, October 1, 2011. This key replaces the
current PGP key (key ID 0xBEE871AC).
To obtain further information or to download the new
US-CERT publications PGP key, please visit
<...
Cyber Security Tip -- New US-CERT PGP Key
US-CERT Security Tips (Mar 05)
New US-CERT PGP Key
US-CERT has generated a new US-CERT Publications PGP key. We use this
key to sign all publications, including documents sent to this list.
Effective immediately, this new key (key ID 0x093916B7) is available
and will be valid until Saturday, October 1, 2011. This key replaces the
current PGP key (key ID 0xBEE871AC).
To obtain further information or to download the new
US-CERT publications PGP key, please visit
<...
Current Activity - Cisco Releases Multiple Security Advisories
Current Activity (Mar 04)
US-CERT Current Activity
Cisco Releases Multiple Security Advisories
Original release date: March 4, 2010 at 6:00 pm
Last revised: March 4, 2010 at 6:00 pm
Cisco has released three security advisories to address
vulnerabilities.
Security advisory cisco-sa-20100303-cucm, addresses multiple
vulnerabilities in the Cisco Unified Communications Manager which
affect the Session Initiation Protocol (SIP), Skinny Client Control
Protocol (SCCP), and...
Current Activity - Microsoft Releases Advance Notification for March Security Bulletin
Current Activity (Mar 04)
US-CERT Current Activity
Microsoft Releases Advance Notification for March Security Bulletin
Original release date: March 4, 2010 at 1:57 pm
Last revised: March 4, 2010 at 1:57 pm
Microsoft has issued a Security Bulletin Advance Notification,
indicating that its March release cycle will contain two bulletins.
These bulletins will have a severity rating of Important and will be
for Microsoft Windows and Microsoft Office. Release of these...
Current Activity - Microsoft Re-Releases Security Bulletin MS10-015
Current Activity (Mar 03)
US-CERT Current Activity
Microsoft Re-Releases Security Bulletin MS10-015
Original release date: March 3, 2010 at 10:02 am
Last revised: March 3, 2010 at 10:02 am
Microsoft has re-released the security update described in Microsoft
Security Bulletin MS10-015. This release contains an updated
installation package that does not allow the security update to be
installed on computers infected with malicious code. Microsoft has
also released a...
Current Activity - U.S. Census Bureau 2010 Census Campaign Warning
Current Activity (Mar 03)
US-CERT Current Activity
U.S. Census Bureau 2010 Census Campaign Warning
Original release date: March 3, 2010 at 11:21 am
Last revised: March 3, 2010 at 11:21 am
US-CERT asks users to be vigilant during the U.S. Census Bureau's 2010
Census campaign and to watch for potential census scams.
According to the U.S. Census 2010 website, they began delivery of the
printed census forms to every resident in the United States on March
1, 2010. The only...
Current Activity - Microsoft Releases Security Advisory to Address VBScript Vulnerability
Current Activity (Mar 02)
US-CERT Current Activity
Microsoft Releases Security Advisory to Address VBScript Vulnerability
Original release date: March 2, 2010 at 8:36 am
Last revised: March 2, 2010 at 8:36 am
Microsoft has released a security advisory to address a vulnerability
in VBScript. The advisory indicates that this vulnerability exists in
the way that VBScript interacts with Windows Help files when using
Internet Explorer. By convincing a user to view a...
SB10-060 -- Vulnerability Summary for the Week of February 22, 2010
US-CERT Security Bulletins (Mar 01)
Vulnerability Summary for the Week of February 22, 2010
This bulletin provides a summary of new vulnerabilities that have been
recorded by the National Institute of Standards and Technology (NIST)
National Vulnerability Database (NVD) the week of February 22, 2010. It is
available here:
http://www.us-cert.gov/cas/bulletins/SB10-060.html
For instructions on subscribing to or unsubscribing from this
mailing list, visit <...
Cyber Security Tip ST04-022 -- Understanding Your Computer: Web Browsers
US-CERT Security Tips (Feb 25)
Cyber Security Tip ST04-022
Understanding Your Computer: Web Browsers
Web browsers allow you to navigate the internet. There are a variety of
options available, so you can choose the one that best suits your needs.
How do web browsers work?
A web browser is an application that finds and displays web pages. It
coordinates communication between your computer and the web server where a...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
CVE-2010-0729 kernel: ia64: ptrace: peek_or_poke requests miss ptrace_check_attach()
Eugene Teo (Mar 11)
The "ia64: fix deadlock in ia64 sys_ptrace" patch (no reference as it's
only added in our shipped kernels) moved ptrace_check_attach() from
find_thread_for_addr() to tasklist-is-not-held area. However it
introduced other problems.
One of the problems is security-relevant. In certain code path, it is
possible that ptrace_check_attach() is not called, and the user can do
ptrace() on any target even without PTRACE_ATTACH.
This only...
CVE-2010-0727 kernel: gfs/gfs2 locking code DoS flaw
Eugene Teo (Mar 11)
static int
gfs_lock(struct file *file, int cmd, struct file_lock *fl)
{
..
if ((ip->i_di.di_mode & (S_ISGID | S_IXGRP)) == S_ISGID)
return -ENOLCK;
..
}
This is a check for mandatory locking where the GFS/GFS2 locking code
will skip the lock in case sgid bits are set for the file. This can be
triggered to cause a crash on a system mounting a GFS/GFS2 filesystem.
I believe only GFS2 is part of the upstream...
Re: CVE request: kernel: connector security bypass
dann frazier (Mar 11)
Debian provides an out-of-tree drbd module (drbd8), and it appears to
be affected by this issue as well. I assume we need to allocate an
additional CVE ID for it?
Here's a link to the upstream fix:
http://git.drbd.org/?p=drbd-8.3.git;a=commitdiff;h=71915b0d267392c77fe0ae2309535333026cef66
The in-tree version that got merged for 2.6.33 looks fine.
Re: CVE Request: libesmtp does not check NULL bytes in commonName
Joe Orton (Mar 11)
You probably mean this:
http://tools.ietf.org/html/draft-saintandre-tls-server-id-check
Regards, Joe
Re: CVE Request: libesmtp does not check NULL bytes in commonName
Geoff Keating (Mar 11)
The best current practice for CAs is probably expressed in the EV certificate requirements documents, which say that
there should be no wildcards at all---and after reading this discussion, I think you can see why.
I doubt it makes sense, from a CA perspective, to ever issue a certificate with wildcard(s) anywhere but leftmost.
Certainly there should never be a certificate which has a wildcard for the top-level (or second-level) domain, as...
Re: CVE Request: libesmtp does not check NULL bytes in commonName
Brian Stafford (Mar 11)
Ludwig Nussel wrote:
Hmm, looking over RFC 3207 again, I'm wondering where I originally got
the inspiration to use RFC 2818 as the reference for checking domain
names in certificates. One possibility is Eric Rescorla's SSL/TLS book
(he is also the author of RFC 2818), I'll have a look there again later.
RFC 3207 states
The decision of whether or not to believe the authenticity of the
other party in a TLS negotiation is a local...
Re: CVE Request: libesmtp does not check NULL bytes in commonName
Brian Stafford (Mar 11)
Ludwig Nussel wrote:
Aargh! I'm half way down this discussion and already I'd prefer to
stick needles in my eyes. So far though consensus seems to be RFC 2818
rules for wildcards. I notice some of the test patterns suggested would
not work in libESMTP as it stands.
Indeed.
I'm happy that the patch jumps through the right hoops though I'm rather
out of touch with the OpenSSL APIs these days so there is a certain
element of trust here...
Re: CVE Request: libesmtp does not check NULL bytes in commonName
Ludwig Nussel (Mar 11)
Brian Stafford wrote:
More fun:
https://bugzilla.mozilla.org/show_bug.cgi?id=159483
Encryption without authentication makes you prone to MITM.
The most common implementation is to just allow the simple form
*.something so I'd assume that other patterns are rare in the wild.
The last commenter in the aforementioned Mozilla bug says that
*.*.appspot.com is actually used by Google though.
Anyways, the matching function in libesmtp certainly is...
Re: CVE Request: libesmtp does not check NULL bytes in commonName
Ludwig Nussel (Mar 11)
Brian Stafford wrote:
Hmm. Yes, RFC 2818 could be interpreted that way. RFCs 2595 (IMAP),
4642 (NNTP) and 4513 (LDAP) restrict wildcards to the leftmost
component. The LDAP one doesn't allow wildcards in CN's though and
none of them explicitly disallows use of the CN if a subjAltname is
present. RFC 3207 (SMTP) doesn't tell how matching should be
performed. perl-IO-Socket therefore doesn't allow wildcards for
smtp. perl-IO-Socket has the most...
CVE id request: mydms
Nico Golde (Mar 11)
Hi,
multiple CSRF issues and file inclusion in mydms:
http://seclists.org/fulldisclosure/2010/Jan/267
Can someone assign CVE ids please?
Cheers
Nico
Re: CVE Request: libesmtp does not check NULL bytes in commonName
Brian Stafford (Mar 10)
Ludwig Nussel wrote:
I've been reviewing match_domain() with a view to how it conforms to RFC
2459 and RFC 2818 section 3.1. Unfortunately, the relevant text is
rather less rigorous than it might be so some further input might be
useful.
The text in RFC 2459 is
Finally, the semantics of subject alternative names that include
wildcard characters (e.g., as a placeholder for a set of names) are
not addressed by this specification....
CVE Request: ViewVC 1.1.4 / 1.0.10 -- XSS via user-provided query form input
Reed Loden (Mar 10)
Just received an announcement stating ViewVC 1.1.4 and 1.0.10 were
released today. Looks like they fix an XSS that needs a CVE assigned.
"security fix: escape user-provided query form input to avoid XSS
attack"
http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2313&r2=2342&pathrev=HEAD
Here's the patch for the XSS:
http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2326
* lib/viewvc.py...
CVE Request: DeviceKit privilege escalation via pluggable storage device labels
Vincent Danen (Mar 10)
This is quite old, but I don't think a CVE name has ever been assigned
to it. The issue is with how DeviceKit handled labels for pluggable
storage devices. A local unprivileged user could use this flaw to
elevate privileges. It has been corrected upstream.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=523178
http://cgit.freedesktop.org/DeviceKit/DeviceKit-disks/commit/?id=62f883c7d38e75d0669c162529062a1e81d00da2...
CVE Request -- Dovecot v1.2.11 -- DoS (excessive CPU use) by processing email with huge header
Jan Lieskovsky (Mar 10)
Hi Steve, vendors,
Dovecot upstream has released latest v1.2.11 version of Dovecot IMAP server:
[1] http://www.dovecot.org/list/dovecot-news/2010-March/000152.html
addressing one denial of service issue (from upstream announcement):
"mbox users really should upgrade, because by sending a message with
a huge header you could basically cause a DoS (this problem exists only
with v1.2.x, not with v1.0 or v1.1)."...
Re: phpmyvisites 2.3
Anthon Pang (Mar 10)
Should the CVE be against clickheat instead? Looking at the
sourceforge project page, clickHeat is a standalone app, which
suggests only a loosely coupled integration with PMV.
Sent from my iPhone
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: YouTube AS36561 began announcing 1.0.0.0/8
William Pitcock (Mar 12)
<stupid question>
Any IPs we can ping and get a response back from to verify everything is
ok? 1.2.3.4 isn't pingable, for example. :(
</stupid question>
William
Re: OT: Anyone seeing these sorts of probes? Port 46993 udp?
Clinton Popovich (Mar 12)
I agree, this looks to be BitTorrent traffic. The Pirate Bay has a
practice of injecting fake client IP addresses. I have a feeling that is
what you're seeing. I would write more but power is out and the battery is
going....
James Hess wrote:
YouTube AS36561 began announcing 1.0.0.0/8
Nathan (Mar 11)
Hello,
I'm hoping to alleviate the "what's going on!?" type messages here this time. :)
Here's an except from the APNIC provided LOA I provided to a couple
networks, to carry a new announcement...
"To whom it may concern,
APNIC and YouTube are cooperating in a project to investigate the
properties of unwanted traffic that is being sent to specific
destinations in the address block of 1.0.0.0/8. This address block has
been...
Re: OT: Anyone seeing these sorts of probes? Port 46993 udp?
James Hess (Mar 11)
Well, those UDP captures appear to be BitTorrent Peer-to-Peer file
sharing traffic, or something disguised as such.
Note the "64 31 3a 61 64 32 3a 69 64 32 30 3a"
and also the textual reference to info_hash
OT: Anyone seeing these sorts of probes? Port 46993 udp?
Joe (Mar 11)
Not to distract from the IPV4/IPV6 thread, but just wondering if anyone has
seen this behavior or perhaps can enlighten me to its origin/virus/meaning?
Internet Protocol, Src: 183.0.215.179 (183.0.215.179), Dst: 192.168.1.52
(192.168.1.52)
User Datagram Protocol, Src Port: 64514 (64514), Dst Port: 46993 (46993)
Data (101 bytes)
0000 64 31 3a 61 64 32 3a 69 64 32 30 3a 49 10 78 b3 d1:ad2:id20:I.x.
0010 9d 3f ab 23 75 7e d4 35 d7 cf c0 13 98 bf...
Re: IPv6 enabled carriers?
Cameron Byrne (Mar 11)
IPv6 is mandatory on all VZW LTE devices, all SMS functions on VZW LTE
devices will be handled as IPv6. The device requirements are publicly
available.
Re: IPv6 enabled carriers?
Christopher Morrow (Mar 11)
yup, the core point I was trying to make was that LTE is really just a
vzw network change, and has basically nothing to do with 'verizon'
networks (19262 or 70X). in the end though, I'm sure they'll put v6 on
it (lte)... eventually :)
-Chris
Re: ethernet to serial converters with ACLs
Brandon Galbraith (Mar 11)
How do these compare to the Avocent/Cyclades serial console products? SNMP
seems poorly implemented in the Cyclades, and if folks have good things to
say about using the OpenGear stuff, it's a direction I'd want to move in.
Private replies preferred to keep s/n down.
On Thu, Mar 11, 2010 at 12:10 PM, Bill Fehring <lists () billfehring com> wrote:
RE: Need advise for a linux firewall
Mark Scholten (Mar 11)
That is why we use Debian with IPtables (works great, easy to manage).
Deploying anything now that doesn't fully support IPv6 is something I won't
do unless there is no other option (and I strongly advise everyone else to
be at least IPv6 ready).
Sorry, legally I am allowed to do that by local laws.
Regards, Mark
Re: IP4 Space
Mark Andrews (Mar 11)
In message <2d6a9f6f1003111016t16ddc73frc4a430e22089149d () mail gmail com>, Bill
Bogstad writes:
You test and file bug reports. Multi-homing support has been a
host requirement for 20+ years now. IPv4 + IPv6 is just an example
of multi-homing so there really should be no reason for any application
to break when IPv6 support is added.
I think you will find that most organizations *added* IPv6.
I don't recommend turning on IPv6...
Re: Need advise for a linux firewall
Daniel Staal (Mar 11)
--As of March 11, 2010 4:22:38 PM +0000, gordon b slater is alleged to have
said:
--As for the rest, it is mine.
One more, given the other current thread going on at the moment: The
current version of PFsense doesn't support IPv6 through the GUI. (The OS
and PF support it, but you have to log in to a shell to configure it.)
It's on their to-do list.
Daniel T. Staal
---------------------------------------------------------------
This...
Re: Need advise for a linux firewall
Bryan Irvine (Mar 11)
Great new book on pfsense as well.
http://www.reedmedia.net/books/pfsense/
RE: IPv6 enabled carriers?
TJ (Mar 11)
Hmm, apologies - I was not explicit in calling out VZW; meant to, my bad and
thanks for pointing it out!
Posting from phone, while distracted; less than ideal.
/TJ
From: TJ [mailto:trejrco () gmail com]
Sent: Thursday, March 11, 2010 17:52
To: Christopher Morrow
Subject: Re: IPv6 enabled carriers?
VZW's LTE HW spec's mandate IPv6 support, that's why it is relevant.
Yes, VZW - thought I made that pretty clear in my post ... (cough)also not...
RE: 10GBase-t switch
Michael Balasko (Mar 11)
+1 for the Arista boxes.
We are a pure Cisco shop and looked at them to start replacing some gear
where it made sense. We didn't buy them because they didn't do
Rapid-PVST+ at the time. Yeah I know that's a Cisco-centric thing, but
they were tentative on implementing it but the timeline just didn't meet
our needs.
Observations:
Seriously knowledgeable technical/dev guys and I know for a fact that a
pile of them came from the old Cisco 4K team...
Re: Need advise for a linux firewall
Will Clayton (Mar 11)
MikroTik makes a pretty robust Linux based firewall
appliance-on-a-usb-stick. It does a lot out of the box like BGP, VPN,
MPLS,QoS and all kinds of other crazy things you wouldn't expect to fit on
one gig of flash. It takes my HP about 10 seconds to load a full table.
My vote is for PFSense though. PF is a lot of fun itself and I have seen
awesome throughput with no load on very low end hardware.
Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating
FiOS buildout is dying
David Farber (Mar 12)
Begin forwarded message:
From: dewayne () warpspeed com (Dewayne Hendricks)
Date: March 11, 2010 9:49:23 PM EST
To: Dewayne-Net Technology List <xyzzy () warpspeed com>
Subject: [Dewayne-Net] FiOS buildout is dying
FiOS buildout is dying
[Commentary] Verizon is changing. The company has canceled planned FiOS deployments for all new territories. Instead,
Verizon "will now focus on installing its network and gaining market share...
Re: Why I'm Skeptical of the FCC's Call for User Broadband Testing
David Farber (Mar 11)
Begin forwarded message:
From: Richard Bennett <richard () bennett com>
Date: March 11, 2010 8:51:05 PM EST
To: dave () farber net
Cc: ip <ip () v2 listbox com>
Subject: Re: [IP] Re: Why I'm Skeptical of the FCC's Call for User Broadband Testing
I think it's safe to say that bursting or "burst boosting" if you will is the most common form of traffic shaping on
today's Internet. It's great for people who are surfing the...
Re: The day apple and amazon hate holden caulfield
David Farber (Mar 11)
Begin forwarded message:
From: "David P. Reed" <dpreed () reed com>
Date: March 11, 2010 8:56:51 PM EST
To: dave () farber net
Cc: ip <ip () v2 listbox com>
Subject: Re: [IP] Re: The day apple and amazon hate holden caulfield
I wonder if those of us who are "old" are missing the point here. If copyright becomes the ultimate arbiter of
cultural norms, and every day I think it's becoming clearer that it will,...
Re: The day apple and amazon hate holden caulfield
David Farber (Mar 11)
Begin forwarded message:
From: jhorton <jhorton () rockiehost com>
Date: March 11, 2010 6:23:58 PM EST
To: Charles Pinneo <pinneo () sbcglobal net>
Cc: Dave Farber <dave () farber net>
Subject: Re: [IP] The day apple and amazon hate holden caulfield
Hi Charlie,
Thanks for your comments. I want to clarify though that I am not
picking on the iPad or anyone's specific device.
The concern I was expressing was a...
Re: Why I'm Skeptical of the FCC's Call for User Broadband Testing
David Farber (Mar 11)
Begin forwarded message:
From: Brett Glass <brett () lariat net>
Date: March 11, 2010 4:55:39 PM EST
To: dave () farber net, "ip" <ip () v2 listbox com>
Subject: Re: [IP] Why I'm Skeptical of the FCC's Call for User Broadband Testing
These tests will do little or nothing to determine a connection's bandwidth or quality.
My network routes different types of traffic through different connections which are optimized for that...
Re: Why I'm Skeptical of the FCC's Call for User Broadband Testing
David Farber (Mar 11)
Begin forwarded message:
From: "John S. Quarterman" <jsq () quarterman org>
Date: March 11, 2010 4:59:16 PM EST
To: dave () farber net
Cc: "John S. Quarterman" <jsq () quarterman org>, "ip" <ip () v2 listbox com>, Lauren Weinstein <lauren () vortex com>
Subject: Re: [IP] Why I'm Skeptical of the FCC's Call for User Broadband Testing
Dave: for IP.
>> From: Lauren Weinstein <lauren...
Why I'm Skeptical of the FCC's Call for User Broadband Testing
Dave Farber (Mar 11)
Begin forwarded message:
> From: Jason Livingood <jason_livingood () cable comcast com>
> Date: March 11, 2010 5:43:18 PM EST
> To: Dave Farber <dave () farber net>, ip <ip () v2 listbox com>, lauren () vortex com
> Subject: Re: [IP] Why I'm Skeptical of the FCC's Call for User
> Broadband Testing
>
> Dave: Lauren raises some fair points below. Additional comments
> inline below (I have cut out...
Why I'm Skeptical of the FCC's Call for User Broadband Testing
Dave Farber (Mar 11)
Begin forwarded message:
> From: Lauren Weinstein <lauren () vortex com>
> Date: March 11, 2010 3:56:32 PM EST
> To: dave () farber net
> Subject: Why I'm Skeptical of the FCC's Call for User Broadband
> Testing
>
>
>
> Why I'm Skeptical of the FCC's Call for User Broadband Testing
>
> http://lauren.vortex.com/archive/000688.html
>
>
> Greetings. The FCC has issued a call...
Govt's Top Privacy Cop Job Up for Grabs
Dave Farber (Mar 11)
Begin forwarded message:
> From: bnmeeks () verizon net
> Date: March 11, 2010 12:55:00 PM EST
> To: dave () farber net
> Subject: Govt's Top Privacy Cop Job Up for Grabs
>
> Dave,
>
> For IP if you wish. I know this isn't a job's board, but this one
> seems of particular interest and importance.
>
> Cheers -- Brock
>
> From: "Privacy" <Privacy () dhs gov>
> Date: March 11, 2010...
FOSE 2010 - Help us spread the word
Dave Farber (Mar 11)
Begin forwarded message:
> From: Kalin Tyler <ktyler () 1105media com>
> Date: March 11, 2010 11:03:41 AM EST
> To: dave () farber net
> Subject: FOSE 2010 - Help us spread the word
>
> Hi Dave,
>
> As someone deeply involved in the government information technology
> news, I believe that members of your IP List mailing list will be
> interested in learning about the FOSE 2010 Conference & Expo (...
Wireless National Test Bed (WiNTeB)
David Farber (Mar 11)
NSF Workshop on a Wireless National Test Bed (WiNTeB)
May 5-6, 2010; at Hilton Hotel 950 North Stafford Street, Arlington, Virginia
There is a current and growing need for a Wireless National scale Test Bed (WiNTeB). WiNTeB could support research in
application areas such as sensor nets, healthcare.
Possible WiNTeB Applications & Approach: Start with relatively simple and constrained experiments with application S/W
in end user devices,...
TSA: Epic Fail (of infosec 101)
David Farber (Mar 11)
Begin forwarded message:
From: Richard Forno <rforno () infowarrior org>
Date: March 11, 2010 9:12:52 AM EST
To: Undisclosed-recipients: <>;
Cc: Dave Farber <dave () farber net>, Bruce Schneier <schneier () schneier com>
Subject: TSA: Epic Fail (of infosec 101)
Epic Fail!! For years we advise clients that if you're going to fire someone who has access to sensitive systems you
cut off their access *before* you fire...
Re: A clarification on -- Time to try a Nexus or other non Apple phone -- recs welcome djf
David Farber (Mar 10)
Begin forwarded message:
From: Geoff Kuenning <geoff () cs hmc edu>
Date: March 10, 2010 3:56:41 PM EST
To: dave () farber net
Subject: Re: [IP] A clarification on -- Time to try a Nexus or other non Apple phone -- recs welcome djf
> My annoyance with Apple iphone ownership is not the development
> contract but the censorship and control mania of Apple
Yesterday I went to a talk by a group who is developing an iPhone
application on...
Apple removes German magazine's iPhone app (and therefore content)
David Farber (Mar 10)
Begin forwarded message:
From: Dan Gillmor <dan () gillmor com>
Date: March 10, 2010 5:59:28 PM EST
To: Dave Farber <dave () farber net>
Subject: Apple removes German magazine's iPhone app (and therefore content)
http://gizmodo.com/5490310/its-time-to-declare-war-against-apples-censorship
-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed:...
The day apple and amazon hate holden caulfield
David Farber (Mar 10)
Begin forwarded message:
From: jhorton <jhorton () rockiehost com>
Date: March 10, 2010 6:01:11 PM EST
To: dave () farber net
Subject: [RESEND with corrections] The day apple and amazon hate holden caulfield
Hi Mr. Farber, love your ip list.
Today's messages about Apple's content made me want to send you a blog
post I wrote recently that has my concerns about the future.
If you find it interesting please feel free to forward.
I apologize,...
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 25.95
RISKS List Owner (Feb 28)
RISKS-LIST: Risks-Forum Digest Sunday 28 February 2010 Volume 25 : Issue 95
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.95.html>
The current issue can be...
Risks Digest 25.94
RISKS List Owner (Feb 14)
RISKS-LIST: Risks-Forum Digest Sunday 14 February 2010 Volume 25 : Issue 94
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.94.html>
The current issue can be...
Risks Digest 25.93
RISKS List Owner (Jan 29)
RISKS-LIST: Risks-Forum Digest Friday 29 January 2010 Volume 25 : Issue 93
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.93.html>
The current issue can be...
Risks Digest 25.92
RISKS List Owner (Jan 26)
RISKS-LIST: Risks-Forum Digest Tuesday 26 January 2010 Volume 25 : Issue 92
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.92.html>
The current issue can be...
Risks Digest 25.91
RISKS List Owner (Jan 19)
RISKS-LIST: Risks-Forum Digest Tuesday 19 January 2010 Volume 25 : Issue 91
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.91.html>
The current issue can be...
Risks Digest 25.90
RISKS List Owner (Jan 08)
RISKS-LIST: Risks-Forum Digest Friday 8 January 2010 Volume 25 : Issue 90
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.90.html>
The current issue can be...
Risks Digest 25.89
RISKS List Owner (Jan 07)
RISKS-LIST: Risks-Forum Digest Thursday 7 January 2010 Volume 25 : Issue 89
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.89.html>
The current issue can be...
Risks Digest 25.88
RISKS List Owner (Dec 26)
RISKS-LIST: Risks-Forum Digest Saturday 26 December 2009 Volume 25 : Issue 88
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.88.html>
The current issue can...
Risks Digest 25.87
RISKS List Owner (Dec 15)
RISKS-LIST: Risks-Forum Digest Tuesday 15 December 2009 Volume 25 : Issue 87
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.87.html>
The current issue can...
Risks Digest 25.86
RISKS List Owner (Dec 14)
RISKS-LIST: Risks-Forum Digest Monday 14 December 2009 Volume 25 : Issue 86
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.86.html>
The current issue can be...
Risks Digest 25.85
RISKS List Owner (Nov 28)
RISKS-LIST: Risks-Forum Digest Saturday 28 November 2009 Volume 25 : Issue 85
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.85.html>
The current issue can...
Risks Digest 25.84
RISKS List Owner (Nov 25)
RISKS-LIST: Risks-Forum Digest Weds 25 November 2009 Volume 25 : Issue 84
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.84.html>
The current issue can be...
Risks Digest 25.83
RISKS List Owner (Nov 06)
RISKS-LIST: Risks-Forum Digest Friday 6 November 2009 Volume 25 : Issue 83
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.83.html>
The current issue can be...
Risks Digest 25.82
RISKS List Owner (Oct 20)
RISKS-LIST: Risks-Forum Digest Tuesday 20 October 2009 Volume 25 : Issue 82
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.82.html>
The current issue can be...
Risks Digest 25.81
RISKS List Owner (Oct 12)
RISKS-LIST: Risks-Forum Digest Monday 12 October 2009 Volume 25 : Issue 81
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.81.html>
The current issue can be...
Data Loss — Data Loss covers large-scale personal data loss and theft incidents. This archive combines the main list (news releases) and the discussion list.
VA investigating security breach of veterans' medical data
security curmudgeon (Mar 11)
[Given the date and description, this sounds like a new / different VA
incident - jericho]
http://www.nextgov.com/nextgov/ng_20100309_9888.php
VA investigating security breach of veterans' medical data
By Bob Brewin 03/09/2010
The Veterans Affairs Department's inspector general has launched a
criminal investigation into a physician assistant's alleged downloading of
veterans' clinical data at its Atlanta medical center, sources have told...
Gables Couple Accused Of Stealing Patient Records
security curmudgeon (Mar 11)
http://cbs4.com/local/hiospital.conspiracy.fraud.2.1545308.html
Mar 8, 2010 1:11 pm US/Eastern
Gables Couple Accused Of Stealing Patient Records
A Coral Gables couple is accused of allegedly stealing patient information
from hospitals and selling it to lawyers for kickback payments.
Federal authorities say Ruben Rodriguez and Maria Victoria Suarez paid an
ambulance-company employee to steal computer records of patients which
were sent to...
HSBC: data on 24,000 Swiss account holders stolen
lyger (Mar 11)
http://www.google.com/hostednews/ap/article/ALeqM5gYEyiC3vLcRdV3BLGW9DcqzFx16AD9ECG8GO0
Information on 24,000 HSBC customers with Swiss accounts has been stolen,
the British bank said Thursday, potentially exposing large numbers of
international clients to prosecution by tax authorities in their home
countries.
A former IT employee of Swiss subsidiary HSBC Private Bank (Suisse) SA,
identified by French authorities as Herve Falciani,...
Monoprice.com Shuttered After Fraud Complaints
security curmudgeon (Mar 11)
http://www.krebsonsecurity.com/2010/03/monoprice-com-shuttered-after-fraud-complaints/
Monoprice.com Shuttered After Fraud Complaints
Audio visual cabling giant monoprice.com shut down its Web site, possibly
for the next couple of weeks, while it investigates the possible
compromise of its customer credit and debit card information.
Vincent Lim, monoprice.com's operations manager, said the company took the
site offline around midnight on...
Thrivent Financial Suffers Breach Of Security
kirniki (Mar 10)
http://www.lifeandhealthinsurancenews.com/News/2010/3/Pages/Thrivent-Financial-Suffers-Breach-of-Security.aspx
A Great Lakes-based insurer says it has suffered a security breach
that may have compromised sensitive client data.
Thrivent Financial for Lutherans, Minneapolis, says it experienced a
break-in at one of its offices in Pennsylvania. A laptop computer was
among the items stolen. The laptop had safeguards to protect sensitive...
LifeLock Will Pay $12 Million to Settle Charges by the FTC and 35 States
security curmudgeon (Mar 09)
http://www.databreaches.net/?p=10553
LifeLock Will Pay $12 Million to Settle Charges by the FTC and 35 States
That Identity Theft Prevention and Data Security Claims Were False
March 9, 2010 by admin
LifeLock, Inc. has agreed to pay $11 million to the Federal Trade
Commission and $1 million to a group of 35 state attorneys general to
settle charges that the company used false claims to promote its identity
theft protection services, which...
Mystery hacker a folk hero for struggling population of Latvia
security curmudgeon (Mar 09)
http://www.irishtimes.com/newspaper/world/2010/0308/1224265794239.html
The Irish Times - Monday, March 8, 2010
Mystery hacker a folk hero for struggling population of Latvia
LATVIA LETTER: The person known as Neo has been embarrassing the "fat
cats" in a country with the EU's highest rate of unemployment, writes
DANIEL McLAUGHLIN
IN THEIR hour of need the people of Latvia, the European country hardest
hit by the economic crisis, have found...
follow-up: Hancock Fabrics confirms skimmers found in some stores
security curmudgeon (Mar 07)
http://www.databreaches.net/?p=10474
Hancock Fabrics confirms skimmers found in some stores
March 5, 2010 by admin
Hancock Fabrics today confirmed what had been reported in the media back
in October and November of 2009: customers in a number of states had their
debit and credit card data stolen by skimmers in some of the stores. The
data theft occurred during the period of August-September, 2009, but
reports of fraud did not appear in the...
NHS in 7 new data blunders
security curmudgeon (Mar 07)
http://www.thesun.co.uk/sol/homepage/news/article730304.ece
NHS in 7 new data blunders
By EMMA MORTON
Health and Science Editor
Published: 26 Jan 2008
THE NHS has owned up to seven new breaches of security involving patient
details, The Sun can reveal.
In one incident, the confidential records of more than 1.7 million
patients were lost.
In another, a doctor's name was used in a Google search - which came up
with a link that accessed...
CA: Westin hotel in LA reports possible data breach
lyger (Mar 05)
http://www.computerworld.com/s/article/9166898/Westin_hotel_in_LA_reports_possible_data_breach?taxonomyId=84
People who stayed at the Westin Bonaventure Hotel & Suites in Los Angeles
last year and used their credit or debit card to eat there should keep a
close eye on their bank statements.
Hotel officials disclosed Friday that the hotel's four restaurants, along
with its valet parking operation, may have been hacked at some time...
TX: UT Southwestern employee accused of selling patient information
lyger (Mar 05)
http://www.wfaa.com/news/crime/UT-Southwestern-employee-accused-of-se-86684637.html
Authorities arrested an employee at UT Southwestern Medical Center after
she allegedly stole patient information and possibly their identities.
Hundreds of patients' personal information - including birth dates,
addresses, phone numbers and financial data - was stolen before Tracy
Renay Thomas' arrest and termination, police said.
Thomas is accused of...
Public employees union slams Alaska data loss deal
security curmudgeon (Mar 05)
http://www.businessweek.com/ap/financialnews/D9E8IENO1.htm
The Associated Press March 5, 2010, 10:46AM ET
Public employees union slams Alaska data loss deal
By JEREMY HSIEH
A union representing 8,000 Alaska government workers is calling on the
state to renegotiate terms of an identity theft settlement with the firm
responsible for losing personal data of 77,000 current and former public
employees.
In a letter to the administration sent...
Arkansas National Guard alerting soldiers of data loss
security curmudgeon (Mar 05)
http://ktlo.com/wire/newsfri/00371_National_Guard_hard_drive_stolen_052208.php
Arkansas National Guard alerting soldiers of data loss
By: Press release
CAMP JOSEPH T. ROBINSON, Ark. - A team of Guardsmen searching data known
to be contained on an external hard drive that was reported missing on
February 22 has discovered approximately 35,000 current and former members
of the Arkansas Army National Guard are affected by the loss.
While the...
Monster botnet held 800,000 people's details
security curmudgeon (Mar 05)
http://www.theregister.co.uk/2010/03/04/mariposa_police_hunt_more_botherders/
Monster botnet held 800,000 people's details
Fourth zombie admin could be in South America
By John Leyden
Posted in Crime, 4th March 2010 12:33 GMT
The Mariposa botnet had the power to dwarf Georgia and Estonia
cyberattacks if it had been used to launch denial of service attacks, say
Spanish police.
Months of investigations by the Guardia Civil in Spain, the FBI...
UK: Argos exposes customers' credit-card numbers in emails
kirniki (Mar 03)
http://www.pcpro.co.uk/news/security/356020/argos-exposes-customers-credit-card-numbers-in-emails
High street retailer Argos has compromised its customers' security by
sending their credit-card details - including the vital security code
- in unencrypted emails.
The company has been including the customer's full name, address,
credit-card number and three-digit CCV security code in order
confirmation emails, which are sent once a customer has...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
Re: [Help]Auxiliary/admin/oracle_login
MC (Mar 12)
You may want to follow this:
http://www.metasploit.com/redmine/projects/framework/wiki/OracleUsage
~mc
Problems with portscan
Gmail (Mar 12)
Hello List!
I'm having problems with scanner/portscan/syn auxiliary module. The
problems begins when I set up INTERFACE option to the "eth1" value.
During scan I set up tcpdump on another console and got such output:
arp who-has 192.168.20.2 tell 77.83.70.51
arp who-has 192.168.20.3 tell 77.83.70.51
arp who-has 192.168.20.4 tell 77.83.70.51
arp who-has 192.168.20.5 tell 77.83.70.51
arp who-has 192.168.20.6 tell 77.83.70.51
I'm...
exploiting particular target
SuNeEl (Mar 11)
Hi,
How do we exploit a particular target using domain spoofing or ARP spoofing etc.
I may use latest IE exploits but not able to exploit a particular machine say in LAN
Payload execution location!
Dont Know (Mar 11)
hi list,
While using the down_exec payload, what I've seen is that it loads the actual payload into an exe named 'a.exe' when the target
machine is Windows, and puts it into windows/system32.
Maybe I don't know much about it, but how can I change the payload to give a customized file location?
Thanks in advance.
[Help]Auxiliary/admin/oracle_login
Bugtrace (Mar 11)
When I tried to run the oracle_login I get the following error:
msf auxiliary(oracle_login) > run
[*] Starting brute force on 192.168.1.100:1521...
[-] Auxiliary failed: NameError uninitialized constant OCIError
[-] Call stack:
[-] /msf3/data/msfweb/vendor/rails/activesupport/lib/active_support/dependencies.rb:443:in
`load_missing_constant'
[-] /msf3/data/msfweb/vendor/rails/activesupport/lib/active_support/dependencies.rb:80:in...
Re: Downloading legacy versions of metasploit
HD Moore (Mar 10)
The last development snapshot of 2.7 (2.8-dev) is in the SVN tree:
$ svn co https://www.metasploit.com/svn/framework2/trunk/ msf2/
-HD
Downloading legacy versions of metasploit
Stever (Mar 10)
I'm trying to download a legacy version of metasploit (2.7). I'm going
through a particular tutorial and one of the scripts requires 2.7 since
it's written in perl. However, I cannot find legacy versions of the
product on the website. Is there an area where I can download older
versions?
Duplicate posts
xyberpix (Mar 09)
Hi All,
Anyone else seeing duplicate posts appearing?
TIA
xyberpix
Re: install framework 3.3.3.exe
Loaden (Mar 08)
AntiVir identifies one or more exploits by signature.
That's normal. Put Metasploit on AntiVir ignorelist.
install framework 3.3.3.exe
Daniele Grossi (Mar 08)
I downloaded framework 3.3.3.exe and installed it on a notebook with Vista.
I have Avira AntiVir Premium as antivirus.
Now during the installation process, the antivirus signals some virus.
How is it possible?
These are the messages.
Thanks in advance
Dan - Itay
....................
messages:
Inizia con la scansione di 'C:\Program Files\Metasploit'
C:\Program Files\Metasploit\Framework3\msf3\data\exploits\CVE-2009-3867.jar
[0] Tipo di archivio:...
Re: multiscript problems?
ricky-lee birtles (Mar 08)
The update fixed things Carlos.
Thanks
Regards,
-- Mr R Birtles
Re: multiscript problems?
Carlos Perez (Mar 07)
Please do a "svn up" and re test, just updated the script.
Cheers,
Carlos
Re: multiscript problems?
Carlos Perez (Mar 07)
in fact you are using the script correctly, I believe there has been some changes to the Meterpreter scripting code, I
will take a look at it
multiscript problems?
ricky-lee birtles (Mar 07)
Is there something up with multiscript.rb or is there something I am doing wrong?
usr () endure:~/tools/msf3-dev$ cat Multi_2.rc
use exploit/multi/handler
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 77.97.189.69
set LPORT 443
set AutoRunScript multiscript.rb -s tmp.lst
exploit -j
usr () endure:~/tools/msf3-dev$ cat tmp.lst
scraper.rb
metsvc.rb -A
usr () endure:~/tools/msf3-dev$
usr () endure:~/tools/msf3-dev$...
Re: exploit(ie_winhlp32) F1
SuNeEl (Mar 06)
nice thanx did work after svn update
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
radiotap.datarate filter
Adriana Hava (Mar 12)
Hello,
I have a question regarding filtering information in Wireshark based on radiotap.datarate value.
I wanted to filter data that has a data rate bigger than, let's say, 40 Mb/s.
But the information shown also includes entries for which the data rate is 24 Mb/s.
Do you have any idea why this is happening?
Thanks!
Re: Query on DHCP transactions
Kok-Yong Tan (Mar 11)
Thanks for the response. Okay, so I now understand that it's not
normal.
Could you elaborate on what you mean by "the unicast/broadcast
option"? From where? The server or the client? Thus far, I've
noticed a packet every second from the DHCP server (maintained by
Time Warner, the cable ISP, so out of my control) to the multicast
address of the client (a firewall, which is under my control) at
224.0.0.1 but how would...
Re: Query on DHCP transactions
Jaap Keuter (Mar 11)
Hi,
Not really.
Note this is broadcast traffic, judging from the IP address. There
might be something going on with the unicast/broadcast option.
Thanks,
Jaap
Send from my iPhone
Re: Bug reporting howto?
Gerald Combs (Mar 11)
Guy Harris wrote:
Landfill.bugzilla.org is Bugzilla's test/development server. It's the
URL used in the default documentation. To add to the confusion at some
point the HTML documentation was dropped from CVS updates, so the
documentation was old as well.
Trying to rebuild the documentation locally resulted in a package
dependency explosion so I've pointed the documentation URL to the
release documentation at bugzilla.org. The links still point...
Query on DHCP transactions
Kok-Yong Tan (Mar 11)
Before hubbing out and firing up Wireshark, I got curious about
something while watching a log of DHCP transactions between a DHCP
server and client: Is it normal after the client has already obtained
an address, to see continuous attempts by the DHCP server to send
packets to 255.255.255.255:68 on the DHCP client if the DHCP client
is no longer asking for an address in a switched network?
Re: Bug reporting howto?
Guy Harris (Mar 11)
That link isn't broken for me - it's just the links to "landfill.bugzilla.org" that are broken there:
The page in question is from the Bugzilla documentation; Gerald, is that just an out-of-date version of the Bugzilla
documentation?
TCP tunnel to CAP
Juergen Weber (Mar 11)
Hi,
I'd like to debug LDAP traffic. I know Wireshark has an analyzer for LDAP.
Only, I cannot access the network interfaces, and neither this should
be necessary.
Is there a TCP tunnel that can dump TCP data into a file readable and
analyzable by Wireshark?
I can configure the LDAP client to go via the tunnel, e.g. the traffic
goes fine over Eclipse's TCP/IP Monitor
(...
Re: Bug reporting howto?
Chad Dailey (Mar 11)
My bad again. Proxy does not enter into this for the Bugzilla links. Here
are some broken links:
https://bugs.wireshark.org/bugzilla/docs/html/bugreports.html
http://landfill.bugzilla.org/bugzilla-2.22-branch/page.cgi?id=bug-writing.html
(404 not found)
http://landfill.bugzilla.org/bugzilla-2.22-branch/ (404 not found)
http://landfill.bugzilla.org/bugzilla-2.22-branch/enter_bug.cgi (404 not
found)
There are more on other 'bug' pages.
The...
Re: use tshark as part of one application
yassine antir (Mar 11)
Yes, I mean it is linked against ringbuffer.o.
I am trying to use const gchar *ringbuf_current_filename(void);
which generates a link problem: undefined reference.
Re: Custom formatter for 64bit field
Maynard, Chris (Mar 11)
I think the problem is that the custom format function takes a guint32 as its 2nd argument and you need a guint64, so
unless this is changed to a guint64, you will have to modify your declaration to some other BASE_ supported by
FT_UINT64 and then use one of the other proto_tree_add_XYZ() routines such as proto_tree_add_uint64_format().
BASE_CUSTOM allows one to specify a callback function pointer that will
format the value. The function...
Re: Custom formatter for 64bit field
Guy Harris (Mar 11)
What do you mean by "the format required for FT_ABSOLUTE_TIME"? An FT_ABSOLUTE_TIME field doesn't have to be in the
form of seconds/nanoseconds in the packet (there's no support for FT_ABSOLUTE_TIME in proto_tree_add_item()), it just
has to be possible to convert the value, in whatever form it is in the packet, into a
seconds-since-January-1-1970-midnight-UTC value and a nanoseconds-since-that-second value; is it possible to convert...
Re: use tshark as part of one application
Jeff Morriss (Mar 11)
Eloy Paris wrote:
Yes, it is big. See:
http://wiki.wireshark.org/Development/multithreading
for more info.
Re: use tshark as part of one application
Eloy Paris (Mar 11)
Hi Jeff,
[...]
Indeed. I personally found that out while integrating libwireshark into
netexpect. For one particular feature netexpect needs to dissect two
packet simultaneously (or keep two dissection results in memory at the
same time) so I ended up using a very ugly hack, which I still have had
a chance to fix in a better way.
Are there any plans, or at least a desire, to make it thread-safe at
some point in the future? Is there any...
Re: Bug reporting howto?
Guy Harris (Mar 11)
As per the bug you filed, that was a problem with your proxy, right?
The "First, you must pick a product on which to enter a bug." page offers, as the choices:
Web sites: The Wireshark web sites, including the www.wireshark.org, wiki.wireshark.org, and
anonsvn.wireshark.org. Problems with other network services such as Subversion, mail, FTP, and rsync should be reported
here as well.
Wireshark: The...
Custom formatter for 64bit field
David Arnold (Mar 11)
Hi!
I'm writing a dissector for a protocol that uses a 64-bit time field
which is not in the format required for FT_ABSOLUTE_TIME.
So, I declared the hfinfo like
{ &hf_prot_pkthdr_time,
{ "Transmit Time", "prot.time",
FT_UINT64, BASE_CUSTOM,
prot_fmt_time, 0x0,
"Transmission timestamp",
HFILL }
}
However, this causes an abort from the...
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Re: UDP alerts with sneeze
Russ Combs (Mar 12)
Sriharsha,
Snort is getting an IP:UDP packet with datagram length of 92 and a UDP
length greater than 72. The packet should look like this, excluding any
layer 2 stuff:
[20 byte IP header] + [8 byte UDP header] + [64 byte UDP payload]
The UDP length field includes both the header and payload lengths so it
should be 64+8=72, but in fact it is something greater than that (maybe those
8 bytes are being counted twice?).
Here is some partial...
UDP alerts with sneeze
sri harsha (Mar 11)
Hi,
I am using snort 2.8.5.2 version on linux machine. Using sneeze for
attacks, I could see alerts generated for icmp rules as attacks. But, for
UDP packets, I see the following alert messages.
[116:97:1] (snort_decoder): Short UDP packet, length field > payload length
[**]
[Priority: 3]
03/12-06:17:32.840382 76.0.0.10:0 -> 4.4.4.10:0
UDP TTL:63 TOS:0x10 ID:0 IpLen:20 DgmLen:92 DF
UDP header truncated
What can be the reason for this?...
Snort payload .bin files
Paul Schmehl (Mar 11)
Is there a way to merge multiple snort payload (.bin) files like mergecap does
for pcaps?
Re: Pulled Pork over Oinkmaster?
Matt Olney (Mar 11)
Well whatever the hell you are, you are "useful".
------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
Re: Pulled Pork over Oinkmaster?
JJ Cummings (Mar 11)
While I'm not an SE.. I appreciate the plug all the same :-P
JJC
Re: Anyone having problems with Oinkmaster getting 404 error?
Nigel Houghton (Mar 11)
Looks like you are trying to download the registered rules. As a
registered user you can only download the rules once in a 15 minute
period. Try again in 20 minutes.
However, if you are an integrator, you should probably have a
subscription and you should be pulling the subscription rule set which
has no such limitation.
Anyone having problems with Oinkmaster getting 404 error?
Andy Berryman (Mar 11)
I'm sure I'm typing in the link wrong, but it worked last week when I
did this. I'm getting a 404 error when Oinkmaster runs on one of my test
boxes.
Downloading file from
http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapsh
ot-2.8.tar.gz...
./oinkmaster.pl: Error: could not download from
http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapsh
ot-2.8.tar.gz. Output from wget follows:...
Re: Pulled Pork over Oinkmaster?
Matt Olney (Mar 11)
While not an official project, JJ is one of our very best SEs and does
some good work. Move to Pulled Pork when you can, he's as plugged in
as it gets.
As an aside, Andy if you can drop a list of rules customers are
interested in to me, I might (schedule pending) be able to give some
feedback as to why they were shipped disabled.
Matt
p.s. Don't tell JJ I'm talking good about him, don't need him getting uppity....
Pulled Pork over Oinkmaster?
Andy Berryman (Mar 11)
I've been reading and it seems Oinkmaster can't handle the SO rules but
pulled pork can. I've also read in pulled pork I can make it default to
every rule being turned on and then I can turn off from there. I see
it's maintained by JJ, but is it a "supported" Sourcefire way to pull
rules?
We currently use Oinkmaster, but I like the option to have all rules
enabled by default then tune my rule set myself. We currently get the
2.8_s...
Re: BUG: corner case involving http_cookie
Will Metcalf (Mar 11)
Fails on byte_jump as well, additionally http_header appears to act
the same way.
Regards,
Will
#test 73 http_cookie + byte_jump.
#hmm interesting using http_cookie in combination with byte_jump seems
to fail always. Removing either the byte_jump check or the http_cookie
modifier will cause this sig to fire. Notice that the byte_jump
#check isn't even relative to the content match.
#
#file oisfsearchnums.pcap
alert tcp any any -> any any...
Re: remotely accessing BASE
Joel Esler (Mar 11)
BASE is a webpage. You'd have to try and access it via a browser on a different machine.
Joel
remotely accessing BASE
Pradeep Lamabam (Mar 11)
hi,
I want to access BASE running with Snort from a different system. How can I
achieve it?
with regards,
deep
Re: BUG: corner case involving http_cookie
Will Metcalf (Mar 10)
How about this one, using the same pcap. I have both client and server
flow_depth set to 0.
#test 72 http_cookie + byte_test.
#hmm interesting using http_cookie in combination with byte_test seems
to fail always. Removing either the byte_test check or the http_cookie
modifier will cause this sig to fire. Notice that the byte_test
#check isn't even relative to the content match.
#
#file oisfsearchnums.pcap
alert tcp any any -> any any...
Hogger 0.1.3 released
Crook, Parker (Mar 10)
Howdy fellow Snort heads,
I'm pretty sure most of you have already heard about Hogger via Alex Tatistcheff's post to this list or JJ Cumming's
blog post over at http://global-security.blogspot.com/2010/02/hogging-snort-host-attribute-table.html (an excellent
guide by the way), but I wanted to go ahead and make an official announcement that Hogger is ready for prime-time use.
The bugs are out, and Hogger is creating attribute tables that are...
Re: The same GID and SID in rule duplicates previous rule in Snort-2.8.5.2
Matt Olney (Mar 10)
er......I'd get in the source code and muck around.
But honestly, this is silly. Don't do this.
Matt
We also maintain archives for these lists (some are currently inactive):
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.