SecLists.Org Security Mailing List Archive

Any hacker will tell you that the latest news and exploits are not found on any web site—not even Insecure.Org. No, the cutting edge in security research is and will continue to be the full disclosure mailing lists such as Bugtraq. Here we provide web archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:

Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects.

Re: SIP version detection script Patrik Karlsson (Nov 24)
Hi Fyodor,

Thanks for the explanation. It turned out that there's no need for that dynamic stuff to be in there in order to
trigger a response, at least not for the equipment I tested it against using the static probe already in nmap. I did a
quick test against UDP using the static probe and got answers back that seemed equivalent to those recieved over TCP.
For some reason they failed to match any of the existing lines though?

//Patrik

Re: SIP version detection script Fyodor (Nov 24)
Hi Patrik. Thanks for sending your SIP script, and you make a good
point here about the existing static probe.

In general, it is best to handle version detection using that
subsystem (e.g. nmap-service-probes) rather than NSE.
Nmap-service-probes is less powerful and flexible, but more efficient
to execute and maintain. But it can only handle 1 static probe and a
regex-parseable response. I see that your script uses a more dynamic
probe...

Re: Nmap 5.10BETA1 released David Fifield (Nov 24)
I removed the unused Port::owner member a few days ago. Maybe the
libpcap errors kept output.cc from being updated too. libpcap might
cause trouble for some people because of the update to 1.0.0 and the
resulting changes to the build files. In most cases, "make distclean"
will fix it, or if that fails, a fresh checkout.

David Fifield

NFS and Citrix scripts Patrik Karlsson (Nov 24)
I finished two more Nmap scripts that hopefully will be of more use than the first one.
nfs-showmount.nse replicates the functionality of showmount -e in order to list remote NFS shares.
citrix-published-applications.nse queries Citrix (1604/udp) for the list of published applications.

Both scripts use static packets in order to trigger responses, if this is of any interest for the UDP payloads David
requested earlier?

I just finished the...

Re: nmap doesn't work as root David Fifield (Nov 24)
Is this on Mac OS X 10.6? If so, please try version 5.10BETA1, released
yesterday. Also, there may be problems if you are running 10.6 or
10.6.1, but 10.6.2 should work fine.

David Fifield

Nmap Crash Daniel Miessler (Nov 24)
Nmap version:

*5.10BETA1*

The error:
*
*
*nmap: Target.cc:387: void Target::startTimeOutClock(const timeval*)
Assertion `htn.toclock_running == false' failed. Aborted*

I tried to run:

*nmap -A scanme.nmap.org*

My system:

*Linux 2.2.24-24-xen #1 SMP x86_64 GNU/Linux*

trouble with ping version 0.1BETA2 geca (Nov 24)
Hellow
i did install nping version 0.1BETA2 for MAC os.
I try make spoof IP address, but option --source-ip dont work:
My network setings:
ifconfig en1
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::21e:c2ff:fea6:6a85%en1 prefixlen 64 scopeid 0x4
inet 10.71.0.100 netmask 0xfffff800 broadcast 10.71.7.255
ether 00:1e:c2:a6:6a:85
media: autoselect status: active...

Re: Nmap 5.10BETA1 released Walt Scrivens (Nov 24)
Thanks, everyone for all the hard work!

Preliminary results for Mac OS X 10.6.2

svn complained about several unversioned files in libpcap. At first I ignored the error, but the make gave the
following errors:
======================
output.cc: In function ‘void printportoutput(Target*, PortList*)’:
output.cc:811: error: ‘class Port’ has no member named ‘owner’
output.cc:814: error: ‘class Port’ has no member named ‘owner’...

nmap doesn't work as root Steven Thomas Smith (Nov 24)
I've downloaded and compiled nmap 5.00 and have run into an old problem:
nmap doesn't run correctly a root. Compare nmap behavior as user to sudo:

[~]% *nmap 192.168.1.110*
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-21 16:14 EST
Warning: File ./nmap-services exists, but Nmap is using
/usr/local/share/nmap/nmap-services for security and consistency reasons.
set NMAPDIR=. to give priority to files in your local directory (may affect
the...

Re: Help with German translation David Fifield (Nov 24)
Thanks, committed.

David Fifield

Re: [RFC] Detect certain Citrix application browsing services David Fifield (Nov 24)
For what it's worth, I tried

nmap -PU1604 -sP -iR 10000 -n --reason

using the Citrix payload and got

# Nmap done at Tue Nov 24 10:38:48 2009 -- 10000 IP addresses (189 hosts up) scanned in 151.77 seconds

But all the up hosts were because of destination unreachable replies,
none from udp-response. In this case the UDP payload didn't help.

David Fifield

Re: [RFC] Detect certain Citrix application browsing services David Fifield (Nov 24)
Okay. We can document that the payload comes from a packet capture of
Program Neighborhood's broadcast. I committed the nmap-service-probes
patch. Please make an updated patch for payload.cc that has
documentation on where the packet comes from (packet capture of Program
Neighborhood) and what is expected in reply. Because we still don't know
much about the reply packet, I want you to include it in its entirety in
a comment, with Xs or something...

Re: Help with German translation Daniel Roethlisberger (Nov 24)
David Fifield <david () bamsoftware com> 2009-11-24:

"%s ist eine plattformunabhängige grafische Oberfläche und "
"Ergebnisanzeige für %s. Es basiert ursprünglich auf %s."

Re: ncat: using UDP with --chat David Fifield (Nov 24)
Ncat can't do that, I'm sure. It is an interesting idea.

If you give the Ncat server a source address, it will listen only on
that interface. It will be local to the machine if you do this:

ncat --broker 127.0.0.1

David Fifield

Re: zenmap - No such file or directory: '/usr/share/zenmap/config' David Fifield (Nov 24)
Did you install using the checkinstall tool? Do you know if checkinstall
changes the prefix when it works?

What does the "prefix =" line say near the top of Makefile after
installing? What is the output line that calls setup.py when you run
"make install"? For me it's

cd zenmap && /usr/bin/python setup.py install --prefix "/usr" --force

David Fifield

Nmap Hackers — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.

Nmap 5.00 Released! Fyodor (Jul 16)
Hello everyone. I'm delighted to announce the release of Nmap 5.00!
This is the first major release since 4.50 in 2007, and includes about
600 significant changes since then! We consider this the most
important Nmap release since 1997, and we recommend that all current
users upgrade.

There are too many changes to list them all in this email, so here are
the top 5 improvements in Nmap 5:

1) The new Ncat tool aims to be your Swiss Army Knife...

Nmap news: stable release candidate 4.90RC1, SoC team, and new translations Fyodor (Jun 26)
Hi Folks. I'm pleased to announce some exciting Nmap news:

[=================Nmap 4.90RC1==================]

It has been nearly 10 months (and 11 dev releases) since 4.76, the
last stable Nmap release. And we've made many dramatic changes, so it
is time for a new stable version! I've posted a release
candidate--4.90RC1--on the Nmap download page:

http://nmap.org/download.html

Please test it out, and let us know if you find any problems...

Nmap 4.85BETA6 now avail w/Conficker detection Fyodor (Apr 01)
Hi Folks! In case you missed all the news reports yesterday, a couple
great researchers from the Honeynet Project (Tillmann Werner and Felix
Leder) and Dan Kaminsky came up with a way to remotely detect the
Conficker worm which has infected millions of machines worldwide.
Some say 15,000,000 machines infected, but that might just be
exaggerated AV-company BS for all I know. But there are clearly
millions of infections, and this massive botnet...

Nmap News: 4.84BETA4 release, Nmap book news, Summer of Code, Twitter, etc. Fyodor (Mar 27)
Hello everyone. We've seen 848 messages on nmap-dev this year, but
this is my first post to nmap-hackers. So I have a lot of exciting
Nmap news to fit into this one email!

[=================Nmap 4.85BETA4==================]

While the last release I posted to this list was 4.76 in September of
last year, we've had four beta releases since then with hundreds of
important and dramatic changes. I'm pretty happy with the latest
4.85BETA4 release,...

Nmap Network Scanning Book Released! Fyodor (Dec 09)
Nmap Hackers:

After promising you a book on Nmap for years, I'm delighted to finally
announce the release of Nmap Network Scanning! It contains everything
I've learned about network scanning from more than a decade of Nmap
development, plus some bad jokes and (over Time Warner's written
objections) pictures of Trinity hacking the Matrix :). Here is the
abstract:

Nmap Network Scanning is the official guide to the Nmap Security
Scanner, a...

Nmap News: 4.76 release, Defcon presentation online, Is port scanning legal? Fyodor (Sep 23)
Hi everyone. I'm happy to report that the Nmap 4.75 release (with
port frequencies, Zenmap topology, etc.) was a big success. But such
large exposure inevitably leads to bug discovery, so we've
released version 4.76 with about a dozen small fixes and stability
improvements. If 4.75 is working great for you, there is probably no
need to upgrade. But if you encountered problems, or if you are the
type who waits a couple weeks for stabilization...

Nmap 4.75 released Fyodor (Sep 08)
Hi Everyone. I'm delighted to report the release of Nmap 4.75, which
has almost 100 significant improvements since 4.68. Some which I'm
most excited about are:

o While Nmap stands for "Network Mapper", it hasn't been able to
actually draw you a map of the network--until now! Visit
http://nmap.org/book/zenmap-topology.html for details and pretty
pictures of Zenmap's new Scan Topology system.

o I spent much of this summer...

Nmap 4.68 release Fyodor (Jul 31)
Hi All. I'm happy to report that there have been several stable Nmap
releases since I mailed you about Nmap 4.60 in March. The latest
version is 4.68, and I think you'll like it (unless you still use
Win2K, which can be problematic due to IPv6 issues that we hope to
resolve in the next release). Before I give you the full list of 125
improvements, I'll start with a few highlights:

o Added a new --min-rate option that allows specifying a...

Lots of Nmap News Fyodor (Jul 31)
Hi All. I feel derelict for failing to post any Nmap news to this
nmap-hackers list in the last four months, but you can rest assured
that we've been busy on the project! For example, there have been
1,181 posts on the nmap-dev list (not all from me) since my March
nmap-hackers announcements. So you can always join that if you want a
constant flood of Nmap news :). There have also been several stable
Nmap releases since that time, great news...

Nmap accepting applications for Summer of Code developers Fyodor (Mar 24)
It may have taken me four months to send this year's first
nmap-hackers mail, but the second only took me four hours. I want to
let you all know that Nmap has been accepted for the fourth year
running to participate in the Google Summer of Code program. This
generous and innovative program provides $4,500 stipends to hundreds
of university students to create or enhance open source software.
Applications are only accepted for one week, until...

Nmap 4.60 and new movies page Fyodor (Mar 24)
Hi everyone. This is the first nmap-hackers message of the year, but
we haven't been slacking. The nmap-dev list has more than 500 posts
so far this quarter, and we've made many great improvements to Nmap
during the period.

Nmap-hackers is reserved for the most important Nmap news, but that
won't prevent me from starting out this message with something
frivolous :). I recently learned that Nmap was in not just one, but
two major motion...

Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

[USN-861-1] libvorbis vulnerabilities Marc Deslauriers (Nov 24)
===========================================================
Ubuntu Security Notice USN-861-1 November 24, 2009
libvorbis vulnerabilities
CVE-2008-2009, CVE-2009-3379
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem...

New Paper: MitM Attacks against the chipTAN comfort Online Banking System RedTeam Pentesting GmbH (Nov 24)
Abstract
========
ChipTAN comfort is a new system which is supposed to securely authorise online
banking transactions by means of a trusted device. It is assumed that chipTAN
comfort specifically protects against man-in-the-middle attacks. Such attacks are
currently putting bank customers who are using the iTAN system at risk. RedTeam
Pentesting examined chipTAN comfort and showed that even when using this sys-
tem, man-in-the-middle attacks can...

Executing arbitrary PHP code on OpenX <= 2.8.1 Moritz Naumann (Nov 24)
Hi,

OpenX adserver version 2.8.1 and lower is vulnerable to remote code
execution. To be exploited, this vulnerability requires banner / file
upload permissions, such as granted to the 'advertiser' and
'administrator' roles.

This vulnerability is caused by the (insecure) file upload mechanism of
affected OpenX versions. These would check magic bytes of an uploaded
file to determine its MIME type, and erroneously assume this
information to be...

XM Easy Personal FTP Server Remote DoS Vulnerability leinakesi (Nov 24)
Date of Discovery: 24-Nov-2009

Credits:leinakesi[at]gmail.com

Vendor: Dxmsoft
*******************************************************************************
Affected:

XM Easy Personal FTP Server 5.8.0
Earlier versions may also be affected
*******************************************************************************
Overview:

XM Easy Personal FTP Server failed to handle more than 2000 files or folders in

the root...

TYPSoft FTP Server 'APPE' and 'DELE' Commands Remote DoS Vulnerabilities leinakesi (Nov 24)
Date of Discovery: 24-Nov-2009

Credits:leinakesi[at]gmail.com

Vendor: TYPSoft

Affected:
TYPSoft FTP Server Version 1.10
Earlier versions may also be affected

Overview:
TYPSoft FTP Server is an easy use FTP server Application. Denial of Service vulnerability exists in TYPSoft FTP Server
when

"APPE" and "DELE" commands are used in the same socket connection.

Details:
If you could log on the server successfully, take the...

RE: Millions of PDF invisibly embedded with your internal disk paths Thor (Hammer of God) (Nov 24)
Knowing the path of the home directory of an unknown host has little, if any, value. Even if you know the host, you
would have to get the user to run code interactively to leverage this "privacy issue" in addition to ensuring that the
interactive user was indeed the same user that created the PDF doc. And that code would have to be written
specifically for that particularly host/user, which is inefficient (barring network based...

CORE-2009-0910: Autodesk Maya Script Nodes Arbitrary Command Execution CORE Security Technologies Advisories (Nov 23)
Autodesk Maya Script Nodes Arbitrary Command Execution

1. *Advisory Information*

Title: Autodesk Maya Script Nodes Arbitrary Command Execution
Advisory Id: CORE-2009-0910
Advisory URL:
http://www.coresecurity.com/content/maya-arbitrary-command-execution
Date published: 2009-11-23
Date of last update: 2009-11-20
Vendors contacted: Autodesk
Release mode: User release

2. *Vulnerability Information*

Class: Failure to Sanitize Data into a...

CORE-2009-0909: Autodesk 3DS Max Application Callbacks Arbitrary Command Execution CORE Security Technologies Advisories (Nov 23)
Autodesk 3DS Max Application Callbacks Arbitrary Command Execution

1. *Advisory Information*

Title: Autodesk 3DS Max Application Callbacks Arbitrary Command Execution
Advisory Id: CORE-2009-0909
Advisory URL:
http://www.coresecurity.com/content/3dsmax-arbitrary-command-execution
Date published: 2009-11-23
Date of last update: 2009-11-20
Vendors contacted: Autodesk
Release mode: User release

2. *Vulnerability Information*

Class: Failure to...

CORE-2009-0908: Autodesk SoftImage Scene TOC Arbitrary Command Execution CORE Security Technologies Advisories (Nov 23)
Autodesk SoftImage Scene TOC Arbitrary Command Execution

1. *Advisory Information*

Title: Autodesk SoftImage Scene TOC Arbitrary Command Execution
Advisory Id: CORE-2009-0908
Advisory URL:
http://www.coresecurity.com/content/softimage-arbitrary-command-execution
Date published: 2009-11-23
Date of last update: 2009-11-20
Vendors contacted: Autodesk
Release mode: User release

2. *Vulnerability Information*

Class: Failure to Sanitize Data into a...

Millions of PDF invisibly embedded with your internal disk paths Inferno (Nov 23)
Millions of PDF invisibly embedded with your internal disk paths
----------------------------------------------------------------

I found an interesting privacy issue while analyzing PDF files. This bug
occurs when you are using Internet Explorer to print locally saved web pages
as PDF and affects all IE versions including IE8. It does not matter which
PDF generation software you are using like Adobe Acrobat Professional,
CutePDF, PrimoPDF, etc...

Code to mitigate IE STYLE zero-day ds . adv . pub (Nov 23)
/*

This code is for a DLL that loads into Internet Explorer as a BHO and
modifies MSHTML.DLL in memory to render attempts to exploit this new
IE vulnerability inert. It does that by forcing a "controlled crash"
at a high address, instead of letting EIP reach an MSHTML-dependent
address that could fall within the heap-sprayable zone. It's not a
patch, or a "fix" in any pure sense -- it's just a mitigation.

The vulnerability...

[SECURITY] [DSA 1938-1] New php-mail packages fix insufficient input sanitising Steffen Joeris (Nov 23)
------------------------------------------------------------------------
Debian Security Advisory DSA-1938-1 security () debian org
http://www.debian.org/security/ Steffen Joeris
November 23, 2009 http://www.debian.org/security/faq
------------------------------------------------------------------------

Package : php-mail
Vulnerability : programming error
Problem type : remote...

Vulnerabilities in plugins for WordPress MustLive (Nov 23)
Hello Bugtraq!

I want to tell you about different vulnerabilities in plugins for WordPress.
About some of them there were posts to the list earlier.

This August I made a summary about all vulnerabilities in plugins for
WordPress (http://websecurity.com.ua/3397/), which I found during 2006-2009.

In this list 135 different vulnerabilities are mentioned in 20 plugins for
WordPress. Including Cross-Site Scripting, Insufficient Anti-automation,...

[SECURITY] [DSA 1937-1] New gforge packages fix cross-site scripting Steffen Joeris (Nov 23)
------------------------------------------------------------------------
Debian Security Advisory DSA-1937-1 security () debian org
http://www.debian.org/security/ Steffen Joeris
November 21, 2009 http://www.debian.org/security/faq
------------------------------------------------------------------------

Package : gforge
Vulnerability : insufficient input sanitising
Problem type...

[ MDVSA-2009:302 ] php security (Nov 23)
_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:302
http://www.mandriva.com/security/
_______________________________________________________________________

Package : php
Date : November 21, 2009
Affected: 2010.0
_______________________________________________________________________

Problem Description:

Some vulnerabilities were...

Full Disclosure — An unmoderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately 80% of the posts are worthless drivel, so finding the gems takes patience.

UK jails schizophrenic for refusal to decrypt files Ivan . (Nov 24)
The first person jailed under draconian UK police powers that
Ministers said were vital to battle terrorism and serious crime has
been identified by The Register as a schizophrenic science hobbyist
with no previous criminal record.

His crime was a persistent refusal to give counter-terrorism police
the keys to decrypt his computer files.

http://www.theregister.co.uk/2009/11/24/ripa_jfl/

Re: PHP "multipart/form-data" denial of service Moritz Naumann (Nov 24)
Bogdan Calin wrote:

Thanks for the good description and test results, Bogdan.

Someone has apparently written one in bash:
http://www.paste-it.com/view/77958658
If testing for IT security issues wasn't practically illegalized in
Germany I might even have done it myself.

This script wasn't so effective when I tested it here, but it did work
after I spawned a couple processes. It takes it quite a while to prepare
the requests, though, and without...

Hackers to CSOs (H2CSO) - Free Online Subscription Rodrigo Rubira Branco (BSDaemon) (Nov 24)
Hackers to CSO (H2CSO) is a debate between CSOs and important hackers
organized by the joint between Check Point and the
TV Decision (a brazilian television focused on the C-level).

There will be an invited audience and it will be held inside the H2HC
(Hackers to Hackers Conference) in November 28
at 10:00 until 12:00am (GMT -3).

The subscription is free and the language is english. The access is
online, just subscribe at:...

Remote DoS condition in harbour.pl dramacrat (Nov 24)
Versions of harbour.pl (up to and including build 1941) are vulnerable to a
remote Denial of Service attack.

Spamming "zeroes" (null packets) to port 1207 results in a large portion of
system resources being tied up.

Please update to build 1945 as soon as possible.

Re: New Paper: MitM Attacks against the chipTAN comfort Online Banking System Patrick Hof (Nov 24)
Hi Thierry,

Thierry Zoller <Thierry () Zoller lu> wrote:

Exactly, the paper states that

"The assumption is made that the users’ computers are infected with a
specialised malware ('Trojan'), which is able to read and manipulate all data
communications."

What we did in a demonstration for German TV was to exploit the victim's PC with
a malicious PDF (JBIG2Decode exploit), install our own root CAs in IE for the
banks and set...

Quick.Cart and Quick.CMS CSRF Vulnerabilities Alice Kaerast (Nov 24)
Systems Affected: Quick.Cart 3.4 (other versions untested), Quick.CMS
2.4 (other versions untested)
Severity: Medium
Vendor: http://opensolution.org/
Author: Alice Kaerast

0. Timeline
25-10-2009 Vulnerability discovered
26-10-2009 Vendor contacted
23-11-2009 No response from vendor, report published

1. Background
Quick.Cart is a "freeware, simple and easy to use shopping cart script.
With this script you will be able to create products...

Re: New Paper: MitM Attacks against the chipTAN comfort Online Banking System Patrick Hof (Nov 24)
Sorry list if this arrives twice, I got stuck in the moderation queue because I
used the wrong email address.

Hi Thierry,

Thierry Zoller <Thierry () Zoller lu> wrote:

Exactly, the paper states that

"The assumption is made that the users’ computers are infected with a
specialised malware ('Trojan'), which is able to read and manipulate all data
communications."

What we did in a demonstration for German TV was to exploit the...

[USN-861-1] libvorbis vulnerabilities Marc Deslauriers (Nov 24)
===========================================================
Ubuntu Security Notice USN-861-1 November 24, 2009
libvorbis vulnerabilities
CVE-2008-2009, CVE-2009-3379
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem...

Re: New Paper: MitM Attacks against the chipTAN comfort Online Banking System Nick FitzGerald (Nov 24)
Thierry Zoller wrote:

<<snip>>

In my experience, "Man in the Browser" (or MitB) is the phrase that
this is commonly known as in the anti-malware and phishing communities
(regardless that some of the components involved are not "in the
browser", per se, at all).

Regards,

Nick FitzGerald

Re: New Paper: MitM Attacks against the chipTAN comfort Online Banking System Thierry Zoller (Nov 24)
Hi,

Thank you for the information.

MITM is used rather vaguely in this paper. Are the proposed
techniques working in an MITM situation - where an attacker is in the
middle of a network stream ? Say on a network over arp cache poisening?

The paper afaik applies to systems that are already compromised
by an attacker, i.e where malware has been installed.

If this is the case what rights (Account acl) does the malware require
in...

New Paper: MitM Attacks against the chipTAN comfort Online Banking System RedTeam Pentesting GmbH (Nov 24)
Abstract
========
ChipTAN comfort is a new system which is supposed to securely authorise online
banking transactions by means of a trusted device. It is assumed that chipTAN
comfort specifically protects against man-in-the-middle attacks. Such attacks are
currently putting bank customers who are using the iTAN system at risk. RedTeam
Pentesting examined chipTAN comfort and showed that even when using this sys-
tem, man-in-the-middle attacks can...

Executing arbitrary PHP code on OpenX <= 2.8.1 Moritz Naumann (Nov 24)
Hi,

OpenX adserver version 2.8.1 and lower is vulnerable to remote code
execution. To be exploited, this vulnerability requires banner / file
upload permissions, such as granted to the 'advertiser' and
'administrator' roles.

This vulnerability is caused by the (insecure) file upload mechanism of
affected OpenX versions. These would check magic bytes of an uploaded
file to determine its MIME type, and erroneously assume this
information to be...

CORE-2009-0910: Autodesk Maya Script Nodes Arbitrary Command Execution CORE Security Technologies Advisories (Nov 23)
Autodesk Maya Script Nodes Arbitrary Command Execution

1. *Advisory Information*

Title: Autodesk Maya Script Nodes Arbitrary Command Execution
Advisory Id: CORE-2009-0910
Advisory URL:
http://www.coresecurity.com/content/maya-arbitrary-command-execution
Date published: 2009-11-23
Date of last update: 2009-11-20
Vendors contacted: Autodesk
Release mode: User release

2. *Vulnerability Information*

Class: Failure to Sanitize Data into a...

CORE-2009-0909: Autodesk 3DS Max Application Callbacks Arbitrary Command Execution CORE Security Technologies Advisories (Nov 23)
Autodesk 3DS Max Application Callbacks Arbitrary Command Execution

1. *Advisory Information*

Title: Autodesk 3DS Max Application Callbacks Arbitrary Command Execution
Advisory Id: CORE-2009-0909
Advisory URL:
http://www.coresecurity.com/content/3dsmax-arbitrary-command-execution
Date published: 2009-11-23
Date of last update: 2009-11-20
Vendors contacted: Autodesk
Release mode: User release

2. *Vulnerability Information*

Class: Failure to...

CORE-2009-0908: Autodesk SoftImage Scene TOC Arbitrary Command Execution CORE Security Technologies Advisories (Nov 23)
Autodesk SoftImage Scene TOC Arbitrary Command Execution

1. *Advisory Information*

Title: Autodesk SoftImage Scene TOC Arbitrary Command Execution
Advisory Id: CORE-2009-0908
Advisory URL:
http://www.coresecurity.com/content/softimage-arbitrary-command-execution
Date published: 2009-11-23
Date of last update: 2009-11-20
Vendors contacted: Autodesk
Release mode: User release

2. *Vulnerability Information*

Class: Failure to Sanitize Data into a...

Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.

Res: Dealing with port/vulnerability scans Leandro Marques (Nov 24)
Hello Tony,

I would enable those signatures, because you can check it in a better way to analyze real scans.

Depending on your IDS/IPS device, you can choose to block/log if it targets more than 10 ports, for example. You can
also check the kind of the event. A vuln scan can trigger a lot of signatures related to probes or some specific
protocol.

In additional, you can send an Abuse Letter to the owner of this IP.

I hope to be helpful....

Re: Is snort an overkill for desktop only environment ? Alexander Klimov (Nov 24)
Because every new software package you install is a potential
source of exploitable flaws, even more so if it is always
working and getting its inputs from network.

Re: Dealing with Scans (portscans, vulnerability, etc.) Jon Kibler (Nov 24)
Tony Raboza wrote:

First, your border firewall rules should block all inbound traffic that:
1) Is not targeted to a known service on a known IP address on your network.
2) Is not in response to traffic initiated from your network.
These two steps should cut down on a lot of the IDS noise.

Next, for services that you have exposed, run fail2ban (or similar) tool that
blocks morons trying to attack those services.

Then, report your firewall...

Security of information harvesting maork-from-ork (Nov 24)
Hi group,

My client wants to harvest information about his servers (done through a consultant, not internal people) using
TreeSize Professional.

http://www.jam-software.com/treesize/

My question is: Is this a safe way to scan servers to determine what type of files should be archived? Any of you say
flaws in that software?

Thanks!

Mork

------------------------------------------------------------------------
Securing Apache Web Server with...

adding another defence layer against viruses/worms Juan B (Nov 24)
Hi all,

I'm doing some security consulting for a client. this client have around 30 remote branches connected to his core. the
problem is that sometimes the AV fails to detect new viruses/worms coming from those branches so those viruses/worms
mess up his LAN.another problem is that the the client doesn't have much of control over the remote PCs in the
branches. so I thought about adding another layer of defence in which we will add an IPS...

Dealing with port/vulnerability scans Tony Raboza (Nov 24)
Hi,

I'm tuning my IDS and I'm thinking of taking out the portscan/web
vulnerability scan rules. Why? Because, yes - I know that somebody
may be scanning my network - but, what can I do about it?

1. Block the IP? But, what if its NAT - meaning only 1
workstation/user did the port scanning, I would be blocking all the
possibly valid users behind that IP.
2. Report it to their ISP or to them? Then what?

I want my IDS console not to be too...

Re: whole disk encryption on multi boot laptop Alexander Klimov (Nov 24)
The XP part is easy: TrueCrypt can encrypt in-place.

The modern way of Linux FDE is thru cryptsetup and LVM (you need an
unencrypted /boot partition). In theory, as far as there is enough
buffering, you can also encrypt in-place by dd: read from original
partition device and write to encrypted device mapped on the same
place, but in practice it is much safe and faster to get an external
HDD, copy Linux data to it, setup FDE for Linux, and copy...

Re: When SPAMMERS Pay You ! τ∂υƒιφ * (Nov 24)
Hi,

I have being doing my research on phishing lately and I tend to
analyze a lot of this emails. If your simply want to report any such
incident to pay pal forward the email to abuse () paypal com . Not sure
if they have a ticketing or live chat support.

You can read more about my research on
http://niiconsulting.com/checkmate/2009/11/05/a-phishy-story/ . I am
not promoting my write up :) It is just a reference.

Are toonel and freegate secure proxy servers? Ali Asghar Toraby Parizy (Nov 24)
Hi
Is it possible that my username and password have been sniffed while i
use toonel or freegate proxies?
In spite of SSL encryption, Is it rational to use this proxies when we
transmit our secure information by internet (for example PAYPAL
account)?
Maybe, over there, somebody sniffs username and passwords! Is it
possible? Does it ever happened before?

toonel.net
en.wikipedia.org/wiki/Freegate...

Dealing with Scans (portscans, vulnerability, etc.) Tony Raboza (Nov 24)
Hi,

I'm tuning my IDS and I'm thinking of taking out the portscan/web
vulnerability scan rules. Why? Because, yes - I know that somebody
may be scanning my network - but, what can I do about it?

1. Block the IP? But, what if its NAT - meaning only 1
workstation/user did the port scanning, I would be blocking all the
possibly valid users behind that IP.
2. Report it to their ISP or to them? Then what?

I want my IDS console not to be too...

Re: How to detect process using ICMP Jared Curtis (Nov 24)
I don't know how to find which process is sending ICMP but the netstat
command can show you which process is using which port and where it is
connected.

netstat -np, would be a good start.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it...

Re: How to detect process using ICMP Tony Raboza (Nov 24)
Hi all,

Thanks to everyone who replied - they were very helpful.

Confirmed that it was indeed the Stacheldraht agent. Anyway here's
how I eventually got it:

- did tcpdump -i eth0 -n icmp on the Linux box. confirmed that
indeed it was doing ICMP
- did the following commands as suggested in the web sites:

- lsof -c ttymon. this confirmed ttymon process running
- lsof | grep raw. this confirmed that it was the ttymon process
sending out...

Replicating the Gonzalez Cyber Attacks through Penetration Testing Core Security (Nov 20)
--------------------------------------------------------------------------------
YOU'RE INVITED: IT SECURITY ON DEMAND WEBCAST

"Replicating the Gonzalez Cyber Attacks through Penetration Testing"
Register: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez
---------------------------------------------------------------------------------

Recently, we saw the indictment of cybercrime kingpin Albert Gonzalez, one...

Re: How do I find out what hop is not forwarding traffic on a specific port? Chris Brenton (Nov 20)
Agreed. Last host responding is usually the culprit. A little loose
source route trickery may also be helpful. I did a write up on both
techniques a while back located here:
http://www.chrisbrenton.org/2009/08/network-mapping-through-a-firewall-part-1/

HTH,
Chris

Re: How to detect process using ICMP egopfe (Nov 20)
sending out where?
Note that there are a lot of covert channel shell over ICMP. One stupid for example is:
http://billiejoex.altervista.org/Prj_Py_soicmp.shtml

Just analizing icmp would be difficult to identify what is happening, expecially if the payload is encrypted.

I think you machine is compromised. Grab out the HD, mount it read only on another machine and analize it with forensic
tools such Deft Linux.

regards,

Federico...

Penetration Testing — While this list is intended for "professionals", participants frequenly disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.

RE: Pentest lab box 16 gigs of ram Waddell, Sean (Nov 23)
Why not use VMware ESXi? It's free and has it's own OS. Then just load up your guest OS as needed.

SW
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of macubergeek
Sent: Wednesday, November 18, 2009 18:33
To: pen-test () securityfocus com
Subject: Pentest lab box 16 gigs of ram

All

I'm thinking of building a vmware target box for a pentest practice lab consisting of:

cheap...

RE: VideoJak 2.0 Released Abhijeet Hatekar (Nov 23)
Videojak is IP Video Hijacking tool which can be used to hijack IP Video calls and streams from video surveillance
camera. It supports SIP, SCCP and RTP protocols and can decode H264 media streams.
Videojak can play fake video content on IP video phones and cameras.
Please visit http://Videojak.sf.net for details.

Thanks and Regards,

Abhijeet Hatekar

When SPAMMERS Pay You ! Shreyas Zare (Nov 23)
Hi,

I dont know if people on this list know this, that's why I am mailing
it to know if you had such experience. I got this email from PayPal
(below). This is new way to SPAM, where the spammer sends you a eCheck
through PayPal, then later cancels the payment. The value on eCheck is
very small. But the spammer is able to get his mails into users inbox
through PayPal servers.

Its quite good idea, I tried to check out on PayPal site where I can...

Different ways to portscan IPS Vimal™ (Nov 23)
What are the different ways of port scanning the target when an IPS in placed.

Some of the methods I used are:

1. Delay the scan prob (nmap --scan-delay)

2. Integrating the scanner with TOR

Regards
Vimal

web : http://www.maestro-sec.com

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt...

Re: Pentest lab box 16 gigs of ram jsb (Nov 23)
Just thinking about using this OS is a bad start. esxi or xenserver
are much better. Then put anything you want on top...

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT
and CEPT certs require a full practical examination in...

Re: Pentest lab box 16 gigs of ram Lorenzo Nicolodi (Nov 23)
Hi jk,

I would suggest to use Ubuntu fot these reasons:

1) it works very well
2) you can use it for free
3) if you are interested in the guests (virtual) machines, the host OS
has to provide only the software layer for the virtualization, so
which OS you will use is not so important
4) I don't have a great experience with Windows Vista / Windows 7, I
have heard that the "home version"s have some troubles which are not
present in the...

Re: Windows Internationalization? Robert Portvliet (Nov 23)
It's been a bit, but I used to do work (remotely) on machines in
Singapore sometimes & I seem to recall everything being in (what I
assume was) Chinese.

As far as the internals go, I noticed some exploits in Metasploit have
'Windows XP Chinese' as a target, so I guess there is some difference
in the return addresses & such.

I see mention on foofus.net from 06/21/2007 about Chinese language
packs that states: "I know there is still...

Penetrating a MySql Server r00fsec (Nov 23)
Hi!!

So...I have a home server . It uses apache , php and MySql (5.0.77). It doesn't has any site on it but i create a page
with a simple sql injection Bug.
MySql server is running as root user. Now the goal is to take a shell in this server just for exercise . I know that it
is not so easy to find out there a server like this but im now starting to "play" with these things.

I have try some technics but i didnt got the shell yet :p...

Re: CEH or OSCP? Danux (Nov 23)
Always the same question from newbies!!! Dont feel that, I asked the
same long time ago.

If you wanna learn hundred of security tools go for CEH.
If you wanna learn how to crete basic hacking tools go for OSCP.

If you are a beginner definitely OSCP is not for you.

Using linux firewalls for PCI compliant infrastructure Siim Põder (Nov 23)
Hi

We are using linux-based servers as firewalls for PCI compliant
infrastructure. During audits it has been AOK so far but security
people internally have suggested that maybe a commercial product would
be better suited for PCI infrastructure (as it is pretty critical).

I'm personally very happy with the iptables firewalls - we can use all
the standard components for firewalls that we use for everything else
(including standard administration...

Re: CEH or OSCP? Jon Kibler (Nov 23)
Vaibhav Kaushal wrote:

http://www.offensive-security.com/contact.php

Re: Firewall Type Fingerprinting Chris Brenton (Nov 23)
If you know what to look for, absolutely. I have yet to see an automated
tool beyond what I've scripted myself. Check out question 13 below as
well as the answer, I've documented a portion of the process:

http://www.chrisbrenton.org/2009/07/test-your-network-security-skills/

Thought about releasing this as a tool but the potential is a bit
scary. ;-)

HTH,
Chris

Re: Malware Analysis Chip Panarchy (Nov 23)
Hi,

Not sure what happened to my last post, so I'll just reiterate it!

Of many anti-malware software I've tried, MalwareBytes (free) seems to
be the best.

However, I haven't tested the latest ones, so I'd recommend (if you
have the time) to test out as many of the different free/trial malware
detection/removal software as you can, then decide for yourself.

Best of luck,

Panarchy...

Re: CEH or OSCP? Wim Remes (Nov 23)
Hi,

There's really only one good answer to this : OSCP.

If you still want to be in security after that, you're good .... be prepared for a wild ride though, you'll be out
there on your own. It's not a course for the faint of heart.

I'm not gonna comment on CEH ...

Cheers,

W

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and...

Re: Firewall Type Fingerprinting Edin Dizdarevic (Nov 23)
Nmap should be the right tool, it can recognize many target systems. Get
it at http://nmap.org, see the docs for more information.

Regards,
Edin

Zaki Akhmad schrieb:

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT
and CEPT...

Info Security News — Carries news items (generally from mainstream sources) that relate to security.

Microsoft warns of IE exploit code in the wild InfoSec News (Nov 24)
http://news.cnet.com/8301-27080_3-10403756-245.html

By Elinor Mills
InSecurity Complex
CNet News
November 23, 2009

Microsoft on Monday said it is investigating a possible vulnerability in
Internet Explorer after exploit code that allegedly can be used to take
control of computers, if they visit a Web site hosting the code, was
posted to a security mailing list.

Microsoft confirmed that the exploit code affects IE 6 and IE 7, but not
IE 8,...

Inside the Ring - Chinese, Russian cyberwarfare InfoSec News (Nov 24)
http://www.washingtontimes.com/news/2009/nov/19/inside-the-ring-37209361/

By Bill Gertz
INSIDE THE RING
November 19, 2009

[...]

Chinese, Russian cyberwarfare

The Pentagon's National Defense University recently published a
groundbreaking book that is one of the few U.S. government documents to
highlight the cyberwarfare capabilities of both China and Russia.

The book "Cyberpower and National Security" contains a chapter on the...

Symantec Japan website bamboozled by hacker InfoSec News (Nov 24)
http://www.theregister.co.uk/2009/11/23/symantec_website_security_snafu/

By John Leyden
The Register
23rd November 2009

A Symantec-run website was vulnerable to Blind SQL Injection problems
that reportedly exposes a wealth of potentially sensitive information.

Romanian hacker Unu used off-the-shelf tools (Pangolin and sqlmap) to
steal a glimpse at the database behind Symantec's Japanese website. A
peek at the Symantec store revealed by the...

NIST Drafts Cybersecurity Guidance InfoSec News (Nov 24)
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=221900722

By J. Nicholas Hoover
InformationWeek
November 23, 2009

Draft guidance from the National Institute of Standards and Technology
issued last week, pushes government agencies to adopt a comprehensive,
continuous approach to cybersecurity, tackling criticism that federal
cybersecurity regulations have placed too much weight on periodic
compliance...

Hancock Fabrics Linked to Fraud in 3 States InfoSec News (Nov 24)
http://www.bankinfosecurity.com/articles.php?art_id=1961

By Linda McGlasson
Managing Editor
Bank Info Security
November 23, 2009

Bank customers in California, Wisconsin and Missouri are reporting
fraudulent ATM withdrawals that police say are tied to transactions
conducted with the Hancock Fabrics retail chain.

In California, Napa Police Department spokesman Brian McGovern says 60
residents reported their cards being used by thieves. In one...

Recent Air Force Law Review discusses Cyberlaw InfoSec News (Nov 22)
http://www.maxwell.af.mil/news/story.asp?id=123178704

By Carl Bergquist
Air University Public Affairs
11/20/2009

MAXWELL AIR FORCE BASE, Ala. -- Volume 64 of the Air Force Law Review is
now available in hardcopy and online. Published this year, it is
sub-titled the "Cyberlaw Edition."

Largely the result of a symposium held at the Judge Advocate General
School at Maxwell Air Force Base, the edition addresses many of the
issues...

Three Indicted For Comcast Site Hack InfoSec News (Nov 22)
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=221900520

By Tim Wilson
DarkReading
Nov 20, 2009

Three alleged hackers this week were indicted for a 2008 attack that
redirected traffic from the Comcast Website to a prank page.

Christopher Allen Lewis, 19, and James Robert Black Jr., 20, are accused
of being the hackers "EBK" and "Defiant," who hijacked the Comcast
domain in May of last year,...

Hackers steal electronic data from top climate research center InfoSec News (Nov 22)
http://www.washingtonpost.com/wp-dyn/content/article/2009/11/20/AR2009112004093.html

By Juliet Eilperin
Washington Post Staff Writer
November 21, 2009

Hackers broke into the electronic files of one of the world's foremost
climate research centers this week and posted an array of e-mails in
which prominent scientists engaged in a blunt discussion of global
warming research and disparaged climate-change skeptics.

The skeptics have seized upon...

Secunia Weekly Summary - Issue: 2009-47 InfoSec News (Nov 22)
========================================================================

The Secunia Weekly Advisory Summary
2009-11-13 - 2009-11-20

This week: 72 advisories

========================================================================
Table of Contents:

1.....................................................Word From...

China Cyber Espionage Threatens U.S., Report Says InfoSec News (Nov 22)
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=221900505

By Thomas Claburn
InformationWeek
November 20, 2009

China has increased its cyber espionage efforts to acquire U.S. secrets
and technology, a Congressional advisory group warned in a report issued
on Thursday.

Echoing its 2008 and 2007 reports, which labeled China's espionage
efforts "the single greatest risk to the security of American...

FBI looking at UMC records leak InfoSec News (Nov 22)
http://www.lasvegassun.com/news/2009/nov/21/fbi-looking-umc-records-leak/

By Marshall Allen
The Las Vegas Sun
Nov. 21, 2009

The FBI said Friday it may investigate a breach of patient privacy laws
at University Medical Center, where hospital officials are reeling with
the realization that at least one of their employees has leaked
confidential names, birth dates and Social Security numbers.

UMC officials spent Friday determining how they...

Microsoft denies it built 'backdoor' in Windows 7 InfoSec News (Nov 20)
http://www.computerworld.com/s/article/9141182/Microsoft_denies_it_built_backdoor_in_Windows_7

By Gregg Keizer
Computerworld
November 19, 2009

Microsoft today denied that it has built a backdoor into Windows 7, a
concern that surfaced yesterday after a senior National Security Agency
(NSA) official testified before Congress that the agency had worked on
the operating system.

"Microsoft has not and will not put 'backdoors' into...

Re: FBI Suspects Terrorists Are Exploring Cyber Attacks InfoSec News (Nov 20)
Forwarded from: Richard Forno <rforno (at) infowarrior.org>

The second paragraph undermines the whole article, as such statements
tend to do in all articles warning of cyber or terrorist attacks, just
as any number of 'stories' citing some new DHS or FBI terror threat that
suddenly hits the airwaves periodically during the year.

This entire article simply says -er, repeats- that "terrorists may
consider cyber attacks."...

Bill Would Ban P2P Use By Federal Employees InfoSec News (Nov 20)
http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=221900107

By J. Nicholas Hoover
InformationWeek
November 18, 2009

Following a leaked document that disclosed ethics investigations of
members of Congress on a file sharing network, the chairman of the House
Oversight and Government Affairs Committee has introduced a bill that
would ban the use of public peer-to-peer networks by federal employees.

The Secure...

Crypto pioneer and security chief exits Sun InfoSec News (Nov 20)
http://www.theregister.co.uk/2009/11/19/diffie_leaves_sun/

By Gavin Clarke in San Francisco
The Register
19th November 2009

Crypto pioneer and Sun Microsystems' veteran chief security officer
Whitfield Diffie has left the company, with database-giant Oracle's
acquisition still in the air.

According to Technology Review, Diffie is slated to be a visiting
professor at Royal Holloway, University of London, after 18 years at
Sun, latterly in...

Firewall Wizards — Tips and tricks for firewall administrators

Re: Message Labs A (Nov 17)
Yeah, its if you are using their mail-filtering service, for them to
be able to send you mail you have to allow the ip ranges.

Most people will lock down the router to only accept email from the
hosted security provider.. to reduce spam.

Aaron

\ /
Putting the F in BOFH!

2009/11/11 Brian Loe <knobdy () gmail com>:

Re: port scanning activity going up recently? Nate Itkin (Nov 17)
Overall illicit activity looks to be down slightly.
see: http://www.dshield.org/submissions.html (select sources, targets,
and reports for 2009)

Cheers,
Nate Itkin

Re: Message Labs shane brennan (Nov 17)
Hi

We use it in work. havent received any notification like that

Shane

Re: Network design change sai (Nov 15)
not good from a security point of view.

I would prefer to connect the routers, at the internet cloud level not the
DMZ level. I'd have the 2 core switches connected as you have.

2 reasons:
[1] gives me redundant internet connectivity in case one of the isps goes
down (assuming multiple isps and routing that can handle one link going
down)
[2] the DMZs should be separate. the more segments you have the better.
connecting the 2 at switch level...

Re: Network design change pkc_mls (Nov 15)
shadow floating a écrit :

If it's possible, I'd rather use a link between both firewalls
to connect the DMZ.

If you connect directly the dmz switches, and if someone can get access
to your dmz, he will get access to the other one as well, as there won't
be any filtering between the DMZs.

do the DMZ share the same network addresses ?

if not, just use an unused interface on each fw, connect both via a
link, then create some routes to allow...

Re: secure firewall rule management program Lan Li (Nov 15)
Athena Security also provides a cleanup tool/basic ops tool. Works with
Cisco, Check Point and Netscreen firewalls. Available for eval download at
http://www.athenasecurity.net/firepac_trial.html

Lan Li

-----Original Message-----

From: firewall-wizards-bounces () listserv icsalabs com

[mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Marcin
Antkiewicz

Sent: Thursday, November 05, 2009 10:52 PM

To: Firewall Wizards...

Re: OT, sorta: Breaking pipes? Kurt Buff (Nov 15)
We don't use perl/cgi here, but the example is instructive.

This issue at hand is for web browsing by clients - the newish manager
believes that it's just too annoying to add exceptions for the
misbehaving web sites. Of course, it's not just the pipe character.
It's also the other unsafe/unwise characters, and the URLs that are
longer than 1024 characters, etc.

At some point we may be hosting a web site locally, but that hasn't happened.

This...

Message Labs Brian Loe (Nov 15)
Anyone here using message labs? Have you received notice that you MUST
open up your firewall for 8 or so networks?

port scanning activity going up recently? Ken Fox (Nov 15)
Hi all -

Has anyone else noticed a recent spike in port scan activity over the last
few days?

I've been seeing some interesting traffic where multiple source addresses
are probing a number of the same high order destination ports from a small
set of source ports with a number of different but specific packet sizes.

e.g.: source port 3268 -> dest port 50572 packet size 48, 60, 64, and 52
egg: source port 3268...

Re: Network design change shadow floating (Nov 10)
Hi All,
My company has two sites in to 2 different locations that are
connected via high speed link at the core layer ( I've attached a
link to the diagram :
http://img18.imageshack.us/img18/77/questionhk.jpg for ease of
explanation)
in each site I've 1 DMZ , the network team wants to connect the DMZ
switches in both sites for better performance and "security" - the
link under investigation is shown in red in the picture - via...

Re: secure firewall rule management program Marcin Antkiewicz (Nov 10)
Hi Morty,

we are looking at the same, but we are looking for a cleanup/basic ops support
tool right now.

Would you mind sharing the dealbreaking requirements? I am wondering now
what, if anything we have missed.

Re: OT, sorta: Breaking pipes? Chris Myers (Nov 10)
Do you use Perl at all with CGI scripts? If so, this is just an
example of what might be done with anything written with custom
scripts. In this case, it is a specific vendor, but it could happen to
anyone who does not code diligently.

http://www.kb.cert.org/vuls/id/496064

Thank You,

Chris Myers
clmmacunix () charter net

John 1:17
For the Law was given through Moses; grace and truth were realized
through Jesus Christ.

Go Vols!!!!

Re: secure firewall rule management program Morty Abzug (Nov 05)
Thanks! We're looking both at Tufin (mentioned by Rainer Ginsberg)
and at Algosec (mentioned by one of our managers and by Rainer). The
current versions of both products fail to meet several of our
dealbreaking requirements. Both products are relatively new. We're
hopeful that a future version of one or both products will be what we
want.

- Morty

Re: secure firewall rule management program Matthias Leu (Nov 05)
Hi Morty,
have you had a look at Tufin SecureTrack and SecureChange Workflow?
It's not free, but quite good and I think your requirements are fulfilled.

It runs on Linux and is written by security professionals.
SecureTrack is connected to Check Point SmartCenter or MDS/CMA via
OPSEC, other vendors are supported too (e.g. Juniper, Cisco,
Fortinet,...).
Each 'save' gives a new revision, no 'install' necessary. So reports,
and above all, alerts...

OT, sorta: Breaking pipes? Kurt Buff (Nov 05)
All,

At $WORK I admin a nice Sidewinder. Works well. I like it, though I'm
not as fully trained on it as I'd like to be.

However, I'm seeing more complaints from end-users who are
encountering web sites that issue URLs with the pipe/vertical bar -
"|" - character embedded in them. The Sidewinder proxy denies it, as
is proper. The latest occurrence is a really stupid State government
web site that actually puts the pipe character at...

IDS Focus — Technical discussion about Intrusion Detection Systems. You can also read the archives of a previous IDS list

Replicating the Gonzalez Cyber Attacks through Penetration Testing Core Security (Nov 20)
--------------------------------------------------------------------------------
YOU'RE INVITED: IT SECURITY ON DEMAND WEBCAST

"Replicating the Gonzalez Cyber Attacks through Penetration Testing"
Register: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez
---------------------------------------------------------------------------------

Recently, we saw the indictment of cybercrime kingpin Albert Gonzalez, one...

CfP EWNI2010: 1st European Workshop on Internet Early Warning and Network Intelligence Till Dörges (Nov 12)
Hi all,

attached the CfP for the 1st European Workshop on Internet Early Warning and Network
Intelligence. If you have any questions please don't hesitate to contact me.

Regards -- Till

Re: Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? Ray (Nov 02)
Although this also does not meet the PCI requirement, one thing you can do
to rapidly detect transient wireless access points is this:

1. Make sure your network default route leads to your firewall.
2. Monitor the firewall for internal devices trying to do NTP (time sync)
lookups.

This presumes you have an internal time server system and you have properly
configured your internal systems to not go to the Internet for time.

It works because...

Re: Re: PCI DSS 11.1 - ".. deploying a wireless IDS/IPS..". Kismet+Snort? brian_klumpp (Oct 30)
I realize this thread is a little old, but I did want to make a comment in regards to this. As a QSA, *wired* side
scanning alone would be insufficient to meet the intent of the PCI DSS 11.1 requirement. There is this quote from PCI
Council:

"Relying on wired side scanning tools (e.g. tools that scan suspicious hardware MAC addresses on switches) may identify
some unauthorized wireless devices; however, they tend to have high false...

Announcing pcapr Trends kowsik (Oct 01)
With the recent influx of pcaps, the number of protocols and pcaps are
getting to the point where interesting trend analysis makes sense. So
we set out to find the meaning of it all with multi-dimensional data
visualization using Motion Charts.

We wanted to find out
- How does the coverage and #pcaps for a given protocol trend over time?
- When was a protocol first introduced into pcapr?
- What is 42 and what does it have to do with packet...

Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.

Replicating the Gonzalez Cyber Attacks through Penetration Testing Core Security (Nov 20)
--------------------------------------------------------------------------------
YOU'RE INVITED: IT SECURITY ON DEMAND WEBCAST

"Replicating the Gonzalez Cyber Attacks through Penetration Testing"
Register: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez
---------------------------------------------------------------------------------

Recently, we saw the indictment of cybercrime kingpin Albert Gonzalez, one...

winAUTOPWN 2.0 - Introducing winAUTOPWN GUI - Now you can sleep QUAKER DOOMER (Nov 03)
Dear all,

After a long break and a lot of Unpolished SITA releases of the previous version,
I am finally releasing winAUTOPWN version 2.0

winAUTOPWN or WINDOWS AUTOPWN version 2.0 now has a GUI (winAUTOPWN_GUI.exe) to initiate the main
console winAUTOPWN.exe
winAUTOPWN now supports all console arguments which can also be fed interactively.
This version covers almost all remote exploits from 2009 start uptill October 2009. Though a few are...

[AntiSnatchOr] Eclipse BIRT <= 2.2.1 Reflected XSS Michele Orru (Oct 16)
Eclipse BIRT <= 2.2.1 Reflected XSS

Vendor: Eclipse
Advisory: http://antisnatchor.com/2008/12/18/eclipse-birt-reflected-xss/
Author: Michele "euronymous" Orrù (euronymous AT antisnatchor DOT com)

Quite a common problem in a lot of Java based applications: reflected
XSS in Java stack trace.

A Reflected XSS is present in the _report parameter: here below the modified
request (that is the BIRT 2.2.1 version included in Konakart...

Snitz Forums 2000 Multiple Cross-Site Scripting Vulnerabilities Andrea Fabrizi (Oct 16)
**************************************************************
Application: Snitz Forums 2000
Version affected: 3.4.07
Website: http://forum.snitz.com/
Discovered By: Andrea Fabrizi
Email: andrea.fabrizi () gmail com
Web: http://www.andreafabrizi.it
Vuln: Multiple Cross-Site Scripting
**************************************************************

###### PERMANENT XSS
If [sound] tag is allowed:

[sound]...

[BONSAI] XSS in Achievo - Customized XSS payload included Bonsai - Information Security (Oct 16)
Bonsai Information Security - Advisory
http://www.bonsai-sec.com/research/

Multiple XSS in Achievo

1. *Advisory Information*

Title: Multiple XSS in Achievo
Advisory ID: BONSAI-2009-0101
Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/achievo-multiple-xss-0101.txt
Date published: 2009-10-13
Vendors contacted: Achievo
Release mode: Coordinated release

2. *Vulnerability Information*...

WASC Announcement: 2008 Web Application Security Statistics Published announcements (Oct 16)
The Web Application Security Consortium (WASC) is pleased to announce
the WASC Web Application Security Statistics Project 2008. This
initiative is a collaborative industry wide effort to pool together
sanitized website vulnerability data and to gain a better understanding
about the web application vulnerability landscape.

The statistics was compiled from web application security assessment
projects which were made by the following companies in...

[AntiSnatchOr] Pentaho Bi-server multiple vulnerabilities Michele Orru (Oct 16)
Pentaho 1.7.0.1062 Multiple Vulnerabilities

Name Multiple Vulnerabilities in Pentaho
Systems Affected Pentaho <= 1.7.0.1062
Severity High
Impact (CVSSv2) High 7/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P)
Vendor http://www.pentaho.com
Advisory http://antisnatchor.com/2009/06/20/pentaho-1701062-multiple-vulnerabilities/
Authors Michele "euronymous" Orrù (euronymous AT antisnatchor DOT com)

Date 20081224

I. BACKGROUND...

[BONSAI] SQL Injection in Achievo Bonsai - Information Security (Oct 16)
Bonsai Information Security - Advisory
http://www.bonsai-sec.com/research/

SQL Injection in Achievo

1. *Advisory Information*

Title: SQL Injection in Achievo
Advisory ID: BONSAI-2009-0102
Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt
Date published: 2009-10-13
Vendors contacted: Achievo
Release mode: Coordinated release

2. *Vulnerability Information*...

WASC Announcement: Announcing the Web Application Security Scanner Evaluation Criteria v1 announcements (Oct 08)
The Web Application Security Consortium is pleased to announce the release
of version 1 of the Web Application Security Scanner Evaluation Criteria
(WASSEC). The goal of the WASSEC project is to create a vendor-neutral
document to help guide information security professionals during web
application scanner evaluations. The document provides a comprehensive list
of features that should be considered when conducting an evaluation. The
WASSEC...

FBController - (Facebook Control Utility) version 2.0 QUAKER DOOMER (Sep 15)
FBController - The Ultimate Utility to Control Facebook accounts without the
Password.

Let me clear this again like last time that this utility WON'T hack/crack Facebook accounts.
The utility will need biscuits/cookies instead of the password.

Get the target's cookie by sniffing, XSS, social engineering, ARP Poison-Sniffing,
scroogle search, anyhow !
Once you have the cookies you can use FBController and have Full control over the
target's...

Re: How to enable LDAP signing on client side Peter M. Jansson (Sep 15)
The goal of having the server sign LDAP results would be to give
confidence in the integrity if the answers. I don't understand what
the goal of having clients sign queries would be. If you use SSL, the
client-server exchange is kept confidential (subject to some
assumptions) and client-side certificates can be used by the server to
provide access control so rogue clients can't make requests.

How to enable LDAP signing on client side Jianrong Yu (Sep 15)
Hi All,

The link <http://support.microsoft.com/kb/935834> is the step the How to
enable LDAP signing in Windows Server 2008.

How to enable LDAP signing on client side?

Thanks,

Jianrong Yu
Systems Operation
Office of Information technology
Ohio University

nullcon Goa 2010 Call For Papers nullcon nullcon (Sep 13)
Calling all greyhats, whitehats, blackhats, rainbowhats, nohats,
underground, aboveground, in-the-sky, on-the-moon, Grannies,
Grandpas, martians, Doodhwalas, Kaamwalis, Bai, Bhai, Chuck norris Fans,
Mithun Da Fans, Himesh Reshamiya wannabees……..

Call For Paper is officially open for nullcon Goa 2010. It is time for
you to polish your paper, stick up an abstract and send it across.
A live demo/exploit/0day with the presentation might win you...

Running ratproxy from windows command prompt without installing cygwin dec123 (Sep 13)
Hi,
Can anybody tell me how to run ratproxy from windows comand prompt,without
installing cygwin.

Re: Web 2.0 support group Catherine Pagliaro (Sep 09)
The Payment Card Industry Security Standards and Payment Application Data
Security Standards attempt to get programmers to code securely. I
underline attempt. We as payment application developers must follow
owasp.org standards and common sense security best business practises for
developing any type of code, hardening servers and locking down network
systems,as well as assuring our physical environments are locked down to
maintain our PCI DSS...

Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

Re: English Shellcode Bob Auger (Nov 24)
Darrin Barall spoke about this exact thing at blackhat in 2005.

http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html (grep
Shakespearean Shellcode)
http://media.blackhat.com/bh-usa-05/audio/2005_BlackHat_Vegas-V31-D_Barrall-Shakespearean_Shellcode.mp3
http://mirror.fpux.com/HackerCons/Blackhat%202005/CD/BH_US_05_BARRALL.PDF

English Shellcode dave (Nov 24)
This hit Slashdot recently, and it's interesting.

http://www.cs.jhu.edu/~sam/ccs243-mason.pdf

One thing people always try to avoid mentioning in papers about
shellcode is size. But in this case, they say that a exit(0) Linux
shellcode is going to be 2K or so which is good to know. There's the
obligatory "our shellcode is too powerful to include a complete example
of!" which is pretty funny. Developing these sorts of techniques to...

Re: Fedora 12 Fail Kees Cook (Nov 19)
I've seen variations on this sentence get repeated in a few places and I
think it's valuable to point out it should read as "Any _local_ user..."
(where "local" is defined by console-kit[1] -- see "ck-list-sessions"
command). This makes it a smaller scope of problem, but it should not
discourage anyone from reading the bug report anyway:
https://bugzilla.redhat.com/show_bug.cgi?id=534047

-Kees

[1]...

Re: Fedora 12 Fail dan (Nov 19)
Michael Graham writes:
-+--------------------
| "I don't particularly care how UNIX has always worked." has already
| turned into a new catchphrase around here.
|

Those who do not understand UNIX are condemned to reinvent it, poorly.

-- Henry Spencer, 1987

Re: Fedora 12 Fail Michael Graham (Nov 18)
"I don't particularly care how UNIX has always worked." has already
turned into a new catchphrase around here.

Fedora 12 Fail Dave Aitel (Nov 18)
Probably the best Linux thread in months:
https://www.redhat.com/archives/fedora-devel-list/2009-November/msg00945.html

To sum it up, Fedora 12 is defaulting to "Any user can install any
package from the repo and then exploit it to get root". So like, if
the repo signs something hilarious like "bob's vulnerable FTP
server.rpm", every Fedora 12 server is vulnerable. Unless you've
uninstalled PolicyKit or something else...

Re: "We're in the top of the league." Nate Lawson (Nov 13)
gold flake wrote:

The government is just a very large company. They experience the same
security problems as other big companies. I'm always annoyed to hear the
"we're under cyber attack via cyber warfare using cyber malware".

Please... you're under attack just like any other big company with
extremely valuable assets. You're not any more special than that. It's
possible the IRS is more valuable a target than Joe Random sergeant's PC.

Re: "We're in the top of the league." gold flake (Nov 12)
I am not from US and was for almost 10 years part of my government's
cyber security setup. I can vouch for the claims regarding "some
foreign power"'s attacks. These are systematic, planned and
relentless attacks that we also faced. The vector was spear phishing
in most cases and the thumb drive method was used to propagate the
malware to the internal segment. The malware called home (mostly
China) and downloaded backdoors,...

Re: "We're in the top of the league." Richard Bejtlich (Nov 12)
Aaron and everyone,

If anyone has doubts, or just wants to read some excellent
unclassified reporting on advanced persistent threat, please check out
this report by Northrop Grumman:

http://taosecurity.blogspot.com/2009/10/report-on-chinese-government-sponsored.html

Sincerely,

Richard

Re: "We're in the top of the league." Dobbins, Roland (Nov 09)
Here's a pretty accurate assessment of the 60 Minutes story, IMHO:

<http://erratasec.blogspot.com/2009/11/brazil-outage-not-caused-by-hackers.html
>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

a brief interlude between exploits dave (Nov 09)
There's been a lot happening in the world, and usually everyone is too
busy to comment on it. Exploit devs sometimes think of the world as the
dark troughs in a storm ocean, where the peaks are the sudden insights
of truth provided by a really good exploit, where all of a sudden you
can see for miles. Or maybe I just made all that up. In any case:

CBS says that someone turned off Brazilian power using cyber attack:...

"We're in the top of the league." Aaron (Nov 09)
Anyone else catch the 60-minutes story about Cyber warfare? There are a lot of interesting anecdotes from Admiral Mike
McConnell (described in the story as the former top spy of the nation), Jim Lewis (director of the Center for Strategic
and International Studies), and Jim Gosler.

Some of the more WTF things admitted were:
- "Some foreign power" was able to penetrate the Pentagon by leaving infected thumbnail drives where military...

MITM Attack on Smartphones whitepaper Mayank Aggarwal (Nov 05)
SMobile has released a detailed report on research indicating that smartphone users are just as susceptible to
man-in-the-middle (MITM) attacks as PC users. This report details the results of attempts to produce MITM attacks to
determine whether it is possible to intercept SSL encrypted communications between various smartphone devices and
servers. Of the devices that were tested, each of the major smartphone operating systems appeared to lack...

Re: PrevX and other projects Shane Macaulay (Oct 30)
The chart on their main page would be a lot more compelling if they had
conversely applied whatever method they used to collect that information.

""""These statistics are provided to show that all vendors miss threats
and cannot be interpreted to compare the effectiveness of one product to
another."""""

That seems to indicate they would show us their failure rate when
compared to these vendors? And...

PrevX and other projects dave (Oct 28)
So you can read one Immunity deliverable linked here:
http://www.prevx.com/ (look for "Independent Review").

Likewise, if you have wondered where all the Immunity Debugger scripts
ran off to, they were on the old Immunity Forum. We ripped the old forum
content out of the old database and imported into the new hotness, so
you can seem them all here:
https://forum.immunityinc.com/. I don't think Google spiders HTTPS sites
for some reason...

Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.

nullcon Goa 2010 Call For Papers nullcon nullcon (Sep 27)
Calling all greyhats, whitehats, blackhats, rainbowhats, nohats,
underground, aboveground, in-the-sky, on-the-moon, Grannies, Grandpas,
martians, Doodhwalas, Kaamwalis, Bais, Bhais, Chuck norris Fans,
Mithun Da Fans, Himesh Reshamiya wannabees……..

Call For Paper is officially open for nullcon Goa 2010. It is time for
you to polish your paper, stick up an abstract and send it across. A
live demo/exploit/0day with the presentation might win...

Sebek issues with windows XP/Vista dharm (Sep 24)
Hello ,
Did anybody tried running sebek on windows vista as a
honeypot ? i am trying to install sebek on windows XP /Vista
environment and getting DOB screen error. Any ideas would be
appreciated .
Thanks

Workshop on the Analysis of System Logs - Oct 14 - Call for Participation Greg Bronevetsky (Sep 01)
Workshop on the Analysis of System Logs (WASL) 2009
http://www.systemloganalysis.com
Call for Participation

===============================
October 14, 2009
Big Sky, MT
(at SOSP)
===============================

--------------------------------------------------------------------------

System...

Re: Send strace output through syslog-ng BB () umd (Aug 05)
Well I did not think about this, but it seems to be a great idea. Thanks a
lot.

However, I decided to open a new port and to send syslog data through it so
that it is really easy to administrate. It works great.

Thanks for your help,

Regards,

BB () umd wrote:

Re: Send strace output through syslog-ng Gergely Révay (Aug 05)
Hi,

First of all there is no filter for strace. My first idea for your
problem was to open a new port on the server just for strace, but it's
understandable if you don't want to do it. Also the idea of Chris
sounds good as well if you don't use the facility field generally. But
a third solution that I've found is the following:

You should create a separate log path for the strace output which
should read the logs from the file and replace the...

Re: Send strace output through syslog-ng Chris Brenton (Aug 04)
Hey man,

What about something like:
tail -f /var/log/strace.log | logger -p <facility> &

In the above command you need to specify an unused facility. Then on the
server simply tell syslog-ng which file it should use for storing log
entries with the above specified facility (this can be a new unique
file).

You are suppose to use one of the "local use" facilities for stuff like
this, but I run into conflicts far too often....

Send strace output through syslog-ng BB () umd (Aug 04)
Good afternoon.

I have a honeypot which syslog-ng running. I configured it so that it can
send all the log files to a remote web server. (So that mean I have already
configured syslog-ng on this web server too) No matter with that, it works
great.

Then, on my honeypot, I have a strace command attached to my ssh server. It
gathers strace outputs in a strace.log file. Here is this command :
strace -f -q -p `cat /var/run/sshd.pid` -o...

Running Honeyd on interface IP Evgeniy Arbatov (Jul 22)
Hello,

I have a question concerning the configuration of Honeyd IP address.

I want to make my honeypot visible by the IP address of host computer interface.
I have the following setup, within the same physical host:

1.1.1.1 (interface IP)-> 2.2.2.2 (honeyd IP)

So if I ssh to the honeyd, I want to ssh to 1.1.1.1.

I guess this is something that can be done with iptables, for example like this:

iptables -A FORWARD -s 1.1.1.1 -p tcp --dport...

Extended deadline: Monday, July 6th. Workshop on the Analysis of System Logs (WASL) 2009 Greg Bronevetsky (Jul 01)
Due to multiple requests, the paper submission deadline for the Workshop
on the
Analysis of System Logs has been moved to Monday, July 6th.

Workshop on the Analysis of System Logs (WASL) 2009
http://www.systemloganalysis.com Call for Papers

===============================
October 14, 2009
Big Sky, MT
(at SOSP)...

MS Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products -- note how most have a prominent and often-misleading "mitigating factors" section.

Microsoft Security Bulletin Major Revisions Microsoft (Nov 10)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: November 10, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-051 - Critical
* MS09-045 - Critical

Bulletin Information:
=====================

*...

Microsoft Security Bulletin Summary for November 2009 Microsoft (Nov 10)
********************************************************************
Microsoft Security Bulletin Summary for November 2009
Issued: November 10, 2009
********************************************************************

This bulletin summary lists security bulletins released for
November 2009.

The full version of the Microsoft Security Bulletin Summary for
November 2009 can be found at...

Microsoft Security Bulletin Advance Notification for November 2009 Microsoft (Nov 05)
********************************************************************
Microsoft Security Bulletin Advance Notification for November 2009
Issued: November 5, 2009
********************************************************************

This is an advance notification of security bulletins that
Microsoft is intending to release on November 10, 2009.

The full version of the Microsoft Security Bulletin Advance
Notification for November 2009 can be found...

Microsoft Security Bulletin Major Revisions Microsoft (Nov 03)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: November 2, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-054 - Critical

Bulletin Information:
=====================

* MS09-054 - Critical

-...

Microsoft Security Bulletin Major Revisions Microsoft (Oct 28)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: October 28, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-062 - Critical

Bulletin Information:
=====================

* MS09-062 - Critical

-...

Microsoft Security Bulletin Major Revisions Microsoft (Oct 27)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: October 27, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-043 - Critical

Bulletin Information:
=====================

* MS09-043 - Critical

-...

Microsoft Security Bulletin Summary for October 2009 Microsoft (Oct 13)
********************************************************************
Microsoft Security Bulletin Summary for October 2009
Issued: October 13, 2009
********************************************************************

This bulletin summary lists security bulletins released for
October 2009.

The full version of the Microsoft Security Bulletin Summary for
October 2009 can be found at
http://www.microsoft.com/technet/security/bulletin/ms09-oct.mspx....

Microsoft Security Bulletin Major Revision Microsoft (Sep 09)
********************************************************************
Title: Microsoft Security Bulletin Major Revision
Issued: September 9, 2009
********************************************************************

Summary
=======
The following bulletin has undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-048 - Critical

Bulletin Information:
=====================

* MS09-048 - Critical

-...

Microsoft Security Bulletin Summary for September 2009 Microsoft (Sep 08)
********************************************************************
Microsoft Security Bulletin Summary for September 2009
Issued: September 8, 2009
********************************************************************

This bulletin summary lists security bulletins released for
September 2009.

The full version of the Microsoft Security Bulletin Summary for
September 2009 can be found at...

Microsoft Security Bulletin Major Revisions Microsoft (Aug 25)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: August 25, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-044 - Critical
* MS09-029 - Critical

Bulletin Information:
=====================

*...

Microsoft Security Bulletin Major Revisions Microsoft (Aug 11)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: August 11, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-035 - Moderate
* MS09-029 - Critical

Bulletin Information:
=====================

*...

Microsoft Security Bulletin Summary for August 2009 Microsoft (Aug 11)
********************************************************************
Microsoft Security Bulletin Summary for August 2009
Issued: August 11, 2009
********************************************************************

This bulletin summary lists security bulletins released for
August 2009.

The full version of the Microsoft Security Bulletin Summary for
August 2009 can be found at
http://www.microsoft.com/technet/security/bulletin/ms09-aug.mspx....

Microsoft Security Bulletin Major Revisions Microsoft (Aug 06)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: August 4, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-034 - Critical

Bulletin Information:
=====================

* MS09-034 - Critical

-...

Microsoft Security Bulletin Summary for July 2009 Microsoft (Jul 28)
********************************************************************
Microsoft Security Bulletin Summary for July 2009
Issued: July 28, 2009
********************************************************************

This bulletin summary lists out-of-band security bulletins released
on July 28, 2009.

The full version of the Microsoft Security Bulletin Summary for
July 2009 can be found at...

Microsoft Security Bulletin Summary for July 2009 Microsoft (Jul 14)
********************************************************************
Microsoft Security Bulletin Summary for July 2009
Issued: July 14, 2009
********************************************************************

This bulletin summary lists security bulletins released for
July 2009.

The full version of the Microsoft Security Bulletin Summary for
July 2009 can be found at
http://www.microsoft.com/technet/security/bulletin/ms09-jul.mspx.

With the...

Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community

No reasonable person could possibly have forseen this... Valdis . Kletnieks (Nov 24)
http://www.msnbc.msn.com/id/34123395/ns/world_news-europe/

Microsoft advisory of MSIE code execution vulnerability Juha-Matti Laurio (Nov 24)
Advisory link was not posted to list yet:
http://www.microsoft.com/technet/security/advisory/977981.mspx

Affected Software (the most common ones):

Windows XP Service Pack 2
Windows XP Service Pack 3

Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2

Windows Vista Service Pack 1 and Service Pack 2

Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4

Internet Explorer 7 in Windows Vista,...

Re: stopping by to wave RandallM (Nov 24)
I am testiing it for Customer Service use. I think it would be a great
tool in this area with top customer base for viewing proofs and
changes on the fly. Of course, its a tool also that has yet been
reviewed for holes and such (seen a few).

Re: stopping by to wave Paul M Moriarty (Nov 24)
I've been there a while. I keep asking myself, "What's the point?" Another communication window that I need to keep
open all day to be useful? Maybe there's a critical mass that needs to be reached and then I'll say, "Aha!"

- Paul -

stopping by to wave RandallM (Nov 24)
Gadi
I made to Wave. What have you learned? How are the xploits, securtiy issues?

Are we going to put FunSec on? It would be FUN!

analyst accuracy (was: Re: Rethinking FUNSEC) Aryeh Goretsky (home) (Nov 23)
Hello,

At the risk of injecting a note of seriousness into the discussion,
has anyone ever done a systematic review of analysts' reports on
anti-virus/malware/threat or "endpoint" protection software to see
how accurate the predictions are? I wonder if there is a measurable
way to quantify that analysts are X% accurate over N years, or some
other type of proof?

Regards,

Aryeh Goretsky

At 08:05 AM 11/23/2009, funsec-request ()...

509'ers Up The Authentication Stakes Les Bell (Nov 23)
An interesting piece of spam got by Spamassassin this morning. It was a
variant on the usual advance fee fraud script, purporting to be from a US
Army captain in Iraq - you've doubtless seen the kind of thing. What
grabbed my attention this time was the following paragraph:

"I attached my picture and the picture of the Money for your confirmation
as you
requested. It wasn't easy for me to do that but I had to because you
requested
for it...

Re: OK, that'd be a switch ... Robert Graham (Nov 23)
--- On Mon, 11/23/09, Rob, grandpa of Ryan, Trevor, Devon & Hannah Date: Monday, November 23, 2009, 2:03 PM

What's a "hacker attack"?

Imagine they have a class C (256 addresses), and one hacker decides to port scan the class C, that's 16-million "hacker
attacks" right there. And that's just TCP.

OK, that'd be a switch ... Rob, grandpa of Ryan, Trevor, Devon & Hannah (Nov 23)
A Web site set up by Chinas Ministry of Defense this summer was hit by more
than 230 million hacker attacks in its first month of operation, but none of the
attacks were successful, state media reported on November 19. The China Daily
report could not be independently confirmed.

http://www.msnbc.msn.com/id/34042775/ns/technology_and_science-security/

====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca...

Re: Rethinking FUNSEC Valdis . Kletnieks (Nov 23)
On Mon, 23 Nov 2009 07:29:27 PST, "Hubbard, Dan" said:

As opposed to its peak of productivity, which was the post where Gadi announed
the list creation. :)

Hospital employees selling patient data to ambulance chasers. Robert Portvliet (Nov 23)
Saw this on Infosec news today, truly disgusting...

http://www.lasvegassun.com/news/2009/nov/21/fbi-looking-umc-records-leak/

If it's happening at one hospital, what do you think the odds are it's
happening elsewhere?

Re: Rethinking FUNSEC Hubbard, Dan (Nov 23)
Funsec has hit its peak of inflated expectations and certainly hit its plateau of productivity, due to that we have
decided to relegate Funsec to the newly created "Jesters Quadrant".

From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Alex Eckelberry
Sent: Thursday, November 19, 2009 3:03 PM
To: Larry Seltzer; Michael Graham; funsec () linuxbox org
Subject: Re: [funsec] Rethinking FUNSEC

You're...

Re: Rethinking FUNSEC Hubbard, Dan (Nov 23)
"This is not opening the list, this is taking these conversations"

Isn't the list open already?

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Barry Raveendran Greene
Sent: Thursday, November 19, 2009 11:53 AM
To: funsec () linuxbox org
Subject: [funsec] Rethinking FUNSEC

Hi Team,

IMHO, the garbage in the press are influencing policy makers in governments
and...

Re: Nice, Gadi Aryeh Goretsky (home) (Nov 23)
Definitely Randy.

At 01:00 AM 11/21/2009, you wrote:

Re: man-made swine-bird flu, what could POSSIBLY go wrong? Valdis . Kletnieks (Nov 21)
On Fri, 20 Nov 2009 18:15:35 EST, Marc said:

RFC1925, setion 2.3.

CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, bulletins, tips, and current activity lists.

Current Activity - Malicious Code Circulating via Social Security Administration Phishing Messages Current Activity (Nov 24)
US-CERT Current Activity

Malicious Code Circulating via Social Security Administration Phishing Messages

Original release date: November 24, 2009 at 2:42 pm
Last revised: November 24, 2009 at 2:42 pm

US-CERT is aware of public reports of malicious code circulating via
phishing email messages that appear to come from the Social Security
Administration. The messages indicate that the users' annual Social
Security statements may contain errors...

Current Activity - Microsoft Releases Security Advisory 977981 Current Activity (Nov 23)
US-CERT Current Activity

Microsoft Releases Security Advisory 977981

Original release date: November 23, 2009 at 8:51 pm
Last revised: November 23, 2009 at 8:51 pm

Microsoft has released security advisory 977981 to address a
vulnerability in Microsoft Internet Explorer. This vulnerability may
allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review Microsoft
Security Advisory 977981 and implement the...

SB09-327 -- Vulnerability Summary for the Week of November 16, 2009 US-CERT Security Bulletins (Nov 23)
Vulnerability Summary for the Week of November 16, 2009

This bulletin provides a summary of new vulnerabilities that have been
recorded by the National Institute of Standards and Technology (NIST)
National Vulnerability Database (NVD) the week of November 16, 2009. It is
available here:

http://www.us-cert.gov/cas/bulletins/SB09-327.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit <...

Cyber Security Tip ST04-016 -- Recognizing and Avoiding Spyware US-CERT Security Tips (Nov 19)
National Cyber Alert System
Cyber Security Tip ST04-016

Recognizing and Avoiding Spyware

Because of its popularity, the internet has become an ideal target for
advertising. As a result, spyware, or adware, has become increasingly
prevalent. When troubleshooting problems with your computer, you may
discover that the source of the problem is spyware software that has been
installed on your machine without your knowledge....

SB09-320 -- Vulnerability Summary for the Week of November 9, 2009 US-CERT Security Bulletins (Nov 16)
Vulnerability Summary for the Week of November 9, 2009

This bulletin provides a summary of new vulnerabilities that have been
recorded by the National Institute of Standards and Technology (NIST)
National Vulnerability Database (NVD) the week of November 9, 2009. It is
available here:

http://www.us-cert.gov/cas/bulletins/SB09-320.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit <...

Current Activity - Microsoft Releases Security Advisory 977544 Current Activity (Nov 16)
US-CERT Current Activity

Microsoft Releases Security Advisory 977544

Original release date: November 16, 2009 at 9:21 am
Last revised: November 16, 2009 at 9:21 am

Microsoft has released security advisory 977544 to address a
vulnerability in the Server Message Block (SMB) protocol. This
vulnerability may allow an attacker to cause a denial-of-service
condition. This vulnerability only affects Windows 7 and Server 2008
software.

US-CERT...

Current Activity - Apple Releases Safari 4.0.4 Current Activity (Nov 12)
US-CERT Current Activity

Apple Releases Safari 4.0.4

Original release date: November 12, 2009 at 8:08 am
Last revised: November 12, 2009 at 8:08 am

Apple has released Safari 4.0.4 to address multiple vulnerabilities in
a number of components. Exploitation of these vulnerabilities may
allow an attacker to execute arbitrary code, cause a denial-of-service
condition, conduct cross-site request forgery, or obtain sensitive
information. These...

TA09-314A -- Microsoft Updates for Multiple Vulnerabilities US-CERT Technical Alerts (Nov 10)
National Cyber Alert System

Technical Cyber Security Alert TA09-314A

Microsoft Updates for Multiple Vulnerabilities

Original release date:
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Windows and Windows Server
* Microsoft Office Word and Excel

Overview

Microsoft has released updates to address vulnerabilities in
Microsoft Windows and Windows Server and Office...

Current Activity - Microsoft Releases November Security Bulletin Current Activity (Nov 10)
US-CERT Current Activity

Microsoft Releases November Security Bulletin

Original release date: November 10, 2009 at 1:50 pm
Last revised: November 10, 2009 at 1:50 pm

Microsoft has released an update to address vulnerabilities in
Microsoft Windows and Office as part of the Microsoft Security
Bulletin Summary for November 2009. These vulnerabilities may allow an
attacker to execute arbitrary code, cause a denial-of-service
condition, or operate...

Current Activity - Apple Releases Mac OS X v10.6.2 and Security Update 2009-006 Current Activity (Nov 10)
US-CERT Current Activity

Apple Releases Mac OS X v10.6.2 and Security Update 2009-006

Original release date: November 10, 2009 at 8:02 am
Last revised: November 10, 2009 at 8:02 am

Apple has released Mac OS X v10.6.2 and Security Update 2009-006 to
address multiple vulnerabilities in a number of applications. These
vulnerabilities may allow an attacker to execute arbitrary code, cause
a denial-of-service condition, conduct a man-in-the-middle...

SB09-313 -- Vulnerability Summary for the Week of November 2, 2009 US-CERT Security Bulletins (Nov 09)
Vulnerability Summary for the Week of November 2, 2009

This bulletin provides a summary of new vulnerabilities that have been
recorded by the National Institute of Standards and Technology (NIST)
National Vulnerability Database (NVD) the week of November 2, 2009. It is
available here:

http://www.us-cert.gov/cas/bulletins/SB09-313.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit <...

Current Activity - SSL and TLS Vulnerable to Man-in-the-middle Attacks Current Activity (Nov 06)
US-CERT Current Activity

SSL and TLS Vulnerable to Man-in-the-middle Attacks

Original release date: November 6, 2009 at 7:01 pm
Last revised: November 6, 2009 at 7:01 pm

US-CERT is aware of reports of publicly available exploit code for a
vulnerability within the SSL and TLS protocols. Reports indicate that
exploitation of this vulnerability may allow an attacker to conduct a
man-in-the-middle attack, allowing an attacker to inject plaintext...

Current Activity - Microsoft Releases Advance Notification for November Security Bulletin Current Activity (Nov 05)
US-CERT Current Activity

Microsoft Releases Advance Notification for November Security Bulletin

Original release date: November 5, 2009 at 4:17 pm
Last revised: November 5, 2009 at 4:17 pm

Microsoft has issued a Security Bulletin Advance Notification
indicating that its November release cycle will contain six bulletins,
three of which will have a severity rating of Critical. The
notification states that these Critical bulletins are for...

Current Activity - BlackBerry Desktop Manager Vulnerability Current Activity (Nov 05)
US-CERT Current Activity

BlackBerry Desktop Manager Vulnerability

Original release date: November 5, 2009 at 8:45 am
Last revised: November 5, 2009 at 8:45 am

Research in Motion has released Security Advisory KB19701 to address a
vulnerability in BlackBerry Desktop Manager. This vulnerability may
allow an attacker to execute arbitrary code.

US-CERT encourages users to review BlackBerry Security Advisory
KB19701 and apply any necessary...

Cyber Security Tip ST04-015 -- Understanding Denial-of-Service Attacks US-CERT Security Tips (Nov 04)
Cyber Security Tip ST04-015
Understanding Denial-of-Service Attacks

You may have heard of denial-of-service attacks launched against websites,
but you can also be a victim of these attacks. Denial-of-service attacks can
be difficult to distinguish from common network activity, but there are some
indications that an attack is in progress.

What is a denial-of-service (DoS) attack?

In a...

Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community

Re: CVE request: Argument injections in multiple PEAR packages Josh Bressers (Nov 24)
Use CVE-2009-4023 for this.

Use CVE-2009-4024

Use CVE-2009-4025

Thanks

Re: a new bind issue Josh Bressers (Nov 24)
I'm adding the address BIND notes in their advisory to the CC.

Bind folks, the CVE id for your latest advisory is below.

Thanks.

Re: a new bind issue Steven M. Christey (Nov 24)
If anybody has a direct contact to ISC, could you notify them of the new
number? They have a placeholder in their advisory right now.

Thanks,
Steve

Re: a new bind issue Josh Bressers (Nov 24)
CVE-2009-4022

Bind versions 9.0.x, 9.1.x, 9.2.x, 9.3.x, 9.4.0 before 9.4.3-P3, 9.5.0,
9.5.1, 9.5.2, 9.6.0, 9.6.1-P1

References:
https://www.isc.org/node/504
http://www.kb.cert.org/vuls/id/418861
https://bugzilla.redhat.com/show_bug.cgi?id=538744

Thanks.

Re: a new bind issue Josh Bressers (Nov 24)
I'm going to defer this assignment to MITRE. I suspect they've gotten a number of
requests for this one already (I want to avoid a duplicate assignment).

Thanks.

Re: mysql-5.1.41 Sergei Golubchik (Nov 24)
Hi, Jan!

Not confirming :)
The patch you referenced has a changeset comment
"
Fixed a initialization order remark by Serg : correct directory
expansion order implemented on server startup.
"

And it fixes a problem mentined in my bug comment from [14 Jul 15:53].

The changelog entry you quoted above goes up to bug comment from
[25 Nov 2008 17:26] (no, I don't know why it took a year to get it to
the manual). And the "original...

Re: CVE request: kernel: fuse: prevent fuse_put_request on invalid pointer Josh Bressers (Nov 24)
Please use CVE-2009-4021

Thanks.

Re: mysql-5.1.41 Jan Lieskovsky (Nov 24)
Just small correction - CVE-2008-2079 should be listed of course in
all occurrences below (focused on proper links) and made
two typos :(.

Jan.

Re: mysql-5.1.41 Jan Lieskovsky (Nov 24)
Hi Josh,

looked further into these issues.

A, wrt http://bugs.mysql.com/bug.php?id=32167

You are right, that CVE-2008-2079 was originally assigned to:
http://bugs.mysql.com/bug.php?id=32167

On "[6 May 2008 11:16] Sergei Golubchik" states:

please, note in the manual that it's CVE-2008-2079

But last comment on this bug mentions:

<quote>

[12 Nov 4:50] Paul DuBois

Noted in 5.1.41, 5.5.0, 6.0.14 changelogs.

Additional...

CVE request: BIND 9 bug involving DNSSEC and the additional section Florian Weimer (Nov 24)
Fixed in BIND 9.6.1-P2, 9.5.2-P1 and 9.4.3-P4, per recent
announcements.

2772. [security] When validating, track whether pending data was from
the additional section or not and only return it if
validates as secure. [RT #20438]

The advisory at <https://www.isc.org/node/504> is rather unclear. The
way it is written, one would assume that the in-bailiwick checks are
bypassed as well....

a new bind issue Oden Eriksson (Nov 24)
Hello.

A new bind release is out there, it mentions:

"It addresses a potential cache poisoning vulnerability, in which data in the
additional section of a response could be cached without proper DNSSEC
validation."

"2772. [security] When validating, track whether pending data was from
the additional section or not and only return it if
validates as secure. [RT...

Re: CVEs for nginx Steven M. Christey (Nov 23)
The same core problem could be solved any number of ways, and I don't
think that should distract from the fact that there is just one core
problem. So using the same CVE is appropriate. (Now, if an interim fix
is later found to have its own vulns or be bypassed in a way that was not
originally advertised, that might need its own CVE.)

- Steve

Re: CVE Request - MySQL - 5.0.88 Josh Bressers (Nov 23)
----- "Jan Lieskovsky" <jlieskov () redhat com> wrote:

Let's group these two together. This also appears to affect MySQL versions
before 5.1.41 5.0.88.

CVE-2009-4019

http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-88.html
http://bugs.mysql.com/47780
http://bugs.mysql.com/48291

Re: mysql-5.1.41 Josh Bressers (Nov 23)
As best as I can tell, we only need one CVE id (two issues, but one already has
an id).

MySQL clients before version 5.1.41 linked against OpenSSL would not properly
check certificates presented by a MySQL server linked against yaSSL. This could
possibly lead to a man in the middle type of attack on the SSL connection.

http://bugs.mysql.com/bug.php?id=47320
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html

Thanks.

Re: CVE request: php 5.3.1 - proc_open() bypass PHP Bug #49026 [was: Re: [oss-security] CVE request: php 5.3.1 update] Josh Bressers (Nov 23)
CVE-2009-4018

PHP before 5.3.1 proc_open() can be used to bypass the
safe_mode_protected_env_vars INI setting. This could be used to alter the
process environment possibly executing arbitrary code.

http://www.php.net/ChangeLog-5.php#5.3.1
http://bugs.php.net/bug.php?id=49026
http://marc.info/?l=oss-security&m=125897935330618&w=2

Thanks.

NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.

Re: AT&T SMTP Admin contact? Valdis . Kletnieks (Nov 24)
On Tue, 24 Nov 2009 16:38:33 EST, Brad Laue said:

140M+ .com where a malicious DNS server in East Podunk can be authoritative for
a domain actually in Bratslavia and domains are cheap and throw-away.

16M /24's, where you (mostly(*)) need to be able to actually route the packets,
so if you have a /24 in Bratslavia, you need something resembling a router
in Bratslavia as well, and somebody willing to light up the other end of
the cable, and you...

Re: OT: VSS + MEC - port-channel dynamically cloned? Ross Vandegrift (Nov 24)
Check flow control between all of the elements. The only time I've
seen this was inconsistent flow control settings between different
media types on an F5 BIG-IP <-> 6500 bundle.

show interfaces flowcontrol

Ross

Re: Ethernet over DS3 Converters Justin Shore (Nov 24)
Brad Fleming wrote:

Hey Brad. We're doing this with Overture 2200s and 5100s. However, as
others have pointed out, they have some issues. Their redundant PSUs
for models below the 5x00s are a joke. A single DC PSU for those models
requires 1U of space. The PSU has 2 power sources but is still a single
PSU. A redundant PSU requires another 1U of space. Inside the 19" x
roughly 8" 1U chassis is a PCB that's about the size of...

Re: AT&T SMTP Admin contact? Michael Peddemors (Nov 24)
Yes, I think you are :) First of all, domains are easier to throw away than
IP Addresses, IP Lookups are more efficient than DNS SPF records, and SPF is
not really meant to address Spam problems, although it can address some
forgeries.

SPF works best to identify forgeries of large well known domains, but I think
you do not really understand what SPF records do, or how they work. Don't
worry, many email operators don't either, and simply...

Re: AT&T SMTP Admin contact? Brad Laue (Nov 24)
True, but wouldn't a blacklist of SPF records for known spam issuing domains be a more maintainable list than an IP
block whitelist?

(I'm no doubt missing something very obvious with this question)

Brad

Re: Who has AS 1712? bmanning (Nov 24)
the joys of non-uniqueness. ULAs are (going to be) your friends. :)

back in the day, the IANA was pretty careful. the contractors less so.
SRI had the "connected" and "unconnected" databases - duplications abounded
and when interconnection occured... renumbering ensued.

this is not a new or even recent problem. It is certainly compounded by
multiple actors and lack of clean slate. Yet, I beleive that there will...

Re: Who has AS 1712? Joel Jaeggli (Nov 24)
Justin Shore wrote:

ARIN didn't exist when those ASN's were assigned, RIPE NCC did.

Re: AT&T SMTP Admin contact? Joel Jaeggli (Nov 24)
Valdis.Kletnieks () vt edu wrote:

identify framework with trust anchors and reputation management are not
things that spf or pra actually solve. spammers can publish spf and
senderid records and in fact arguably have more incentive to do so if it
can be demonstrated that your mail is more likely to be accepted on the
basis of their existence.

Re: Who has AS 1712? Randy Bush (Nov 24)
i suspect that, in the erx project, there may have been more than one
case of the iana saying "ok, X now manages this block, excpet of course
for those pieces already allocated by Y and Z." and the latter were not
always well defined or easily learnable, and were not registered
directly with the iana, but other rirs.

<rant>

and the data are all buried in whois, which is not well-defined, stats
files, which are not defined, etc....

Re: OT: VSS + MEC - port-channel dynamically cloned? Leland Vandervort (Nov 24)
Thanks Ross,

In this case, though I cannot see where the mismatch is given that the
encapsulation, trunking (vlans allowed, etc.) and channel mode (LACP)
are all configured identically across all ports and the channel itself.

Just wondering if it's a left-over from before the VSS migration when
the original trunks were two separate etherchannels and then migrated
them "live" to MEC...

L.

Re: Who has AS 1712? Justin Shore (Nov 24)
Hank Nussbacher wrote:

Since IANA says that the ASN is ARIN's to assign wouldn't that preclude
another RIR from assigning it?

http://www.iana.org/assignments/as-numbers/

Of course if it was already assigned when IANA said that (no dates on
the link above) then maybe the fault is more IANA's for telling another
RIR that they could allocate an ASN that another RIR already allocated.
Who knows. It should be an interesting one to watch play...

Re: Recomended data cabling contractors in Bay Area/Peninsula? Bill Woodcock (Nov 24)
On Mon, 23 Nov 2009, Darren Bolding wrote:
> I need to identify a quality data cabling contractor in the Bay Area

Kray Cabling. http://kraycablinginc.com/

-Bill

Re: ip capacity provider Christopher Morrow (Nov 24)
of course showing up at terramark's NoTA would also get you lots of
options (and I think 701 has one pop at NoTA)

Re: Who has AS 1712? Larry Blunk (Nov 24)
John Curran wrote:

FWIW,
I searched for any historical registrations from this block
in the RADB and found a number of routes with an origin
of AS1717. They date from 1995 and were registered for the
Université Pierre et Marie Curie by Renater. They have long
since been removed from the RADB.
Here's an example --

route: 132.166.0.0/15
descr: RENATER_CIDR
descr: Universite Pierre et Marie Curie
descr: 4 place Jussieu 75252 PARIS CEDEX...

Re: Who has AS 1712? Jared Mauch (Nov 24)
Yes. I also saw the presentation at IETF in Hiroshima on this.

The issue of zone signing is going to be interesting as some nation-states (ccTLD) have been known to speak-up about
their issues with the signing of the zone.

I'm not saying these things will never happen, just they won't happen on a timescale that some would prefer (or would
have preferred, eg: last summer or earlier).

- Jared

Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating

The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.

Risks Digest 25.83 RISKS List Owner (Nov 06)
RISKS-LIST: Risks-Forum Digest Friday 6 November 2009 Volume 25 : Issue 83

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.83.html>
The current issue can be...

Risks Digest 25.82 RISKS List Owner (Oct 20)
RISKS-LIST: Risks-Forum Digest Tuesday 20 October 2009 Volume 25 : Issue 82

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.82.html>
The current issue can be...

Risks Digest 25.81 RISKS List Owner (Oct 12)
RISKS-LIST: Risks-Forum Digest Monday 12 October 2009 Volume 25 : Issue 81

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.81.html>
The current issue can be...

Risks Digest 25.80 RISKS List Owner (Oct 09)
RISKS-LIST: Risks-Forum Digest Friday 9 October 2009 Volume 25 : Issue 80

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.80.html>
The current issue can be...

Risks Digest 25.79 RISKS List Owner (Sep 25)
RISKS-LIST: Risks-Forum Digest Friday 25 September 2009 Volume 25 : Issue 79

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.79.html>
The current issue can...

Risks Digest 25.78 RISKS List Owner (Sep 14)
RISKS-LIST: Risks-Forum Digest Monday 14 September 2009 Volume 25 : Issue 78

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.78.html>
The current issue can...

Risks Digest 25.77 RISKS List Owner (Sep 01)
RISKS-LIST: Risks-Forum Digest Tuesday 1 September 2009 Volume 25 : Issue 77

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.77.html>
The current issue can...

Risks Digest 25.76 RISKS List Owner (Aug 15)
RISKS-LIST: Risks-Forum Digest Saturday 15 August 2009 Volume 25 : Issue 76

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.76.html>
The current issue can be...

Risks Digest 25.75 RISKS List Owner (Aug 06)
RISKS-LIST: Risks-Forum Digest Thursday 6 August 2009 Volume 25 : Issue 75

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.75.html>
The current issue can be...

Risks Digest 25.74 RISKS List Owner (Jul 22)
RISKS-LIST: Risks-Forum Digest Wednesday 22 July 2009 Volume 25 : Issue 74

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.74.html>
The current issue can be...

Risks Digest 25.73 RISKS List Owner (Jul 16)
RISKS-LIST: Risks-Forum Digest Thursday 16 July 2009 Volume 25 : Issue 73

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.73.html>
The current issue can be...

Risks Digest 25.72 RISKS List Owner (Jul 06)
RISKS-LIST: Risks-Forum Digest Monday 6 July 2009 Volume 25 : Issue 72

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.72.html>
The current issue can be...

Data Loss — Data Loss covers large-scale personal data loss and theft incidents. This archive combines the main list (news releases) and the discussion list.

ACORN Dumped Sensitive Documents as Probe Began, Private Investigator Says security curmudgeon (Nov 24)
http://www.foxnews.com/story/0,2933,576466,00.html

ACORN Dumped Sensitive Documents as Probe Began, Private Investigator Says
Monday, November 23, 2009
By Joseph Abrams

Private investigator Derrick Roach says he found thousands of documents
containing sensitive personal information dumped outside the San Diego
branch of ACORN.

Private investigator Derrick Roach says he found thousands of documents
containing sensitive personal information...

Hancock Fabrics ATM Fraud security curmudgeon (Nov 23)
---------- Forwarded message ----------
From: Dave Farber <dave () farber net>
To: ip <ip () v2 listbox com>

Begin forwarded message:

From: James McMurry <jmcmurry () me com>
Date: November 23, 2009 12:51:42 PM EST
To: dave () farber net
Subject: Hancock Fabrics ATM Fraud

http://www.bankinfosecurity.com/articles.php?art_id=1961

Bank customers in California, Wisconsin and Missouri are reporting
fraudulent ATM withdrawals...

MD: Woman Sentenced For Stealing Patients' Info lyger (Nov 23)
(this ties to:
http://datalossdb.org/incidents/1779-hospital-employee-steals-patients-credit-to-obtain-credit-cards-goods-and-loans
- over 100 stolen, but over 10,000 notified...)

http://wjz.com/wireapnewsmd/Woman.sentenced.for.2.1325015.html

A woman who worked as a patient services coordinator for Johns Hopkins
Medicine has been sentenced to 18 months in prison for stealing patient
information.

Thirty-one-year-old Michelle Courtney...

FBI looking at UMC records leak security curmudgeon (Nov 23)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.lasvegassun.com/news/2009/nov/21/fbi-looking-umc-records-leak/

By Marshall Allen
The Las Vegas Sun
Nov. 21, 2009

The FBI said Friday it may investigate a breach of patient privacy laws at
University Medical Center, where hospital officials are reeling with the
realization that at least one of their employees has leaked confidential
names,...

IN: Notre Dame security breach potentially affects employees lyger (Nov 21)
http://www.wndu.com/localnews/headlines/70674717.html

Notre Dame is warning university employees to keep an eye on their bank
accounts after a security breach.

Personal information of some past and current employees - including name,
social security number and birth date - was accidentally put onto a public
website.

University spokesman Dennis Brown says the error was corrected and the
information removed from the website.

[...]

Mass Mutual Unknown Al (Nov 20)

http://www.net-security.org/secworld.php?id=8521

the latest data breach to be discovered happened to MassMutual, a
Massachussets-based insurance company. One of the company's employees
databases was accessed by a (so far) unknown unauthorized individual.

MassMutual stated that maintenance of the database in question was outsorced
to a third-party vendor, who upon the discovery of the breach hired
forensics specialists to investigate and get...

Hospitals tighten security on patient data security curmudgeon (Nov 20)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://fcw.com/articles/2009/11/18/hospitals-beefing-up-cybersecurity-to-comply-with-hitech-survey-says.aspx

By Alice Lipowicz
FCW.com
Nov 18, 2009

More than half of the nation's hospitals and health care providers
surveyed intend to buy more cybersecurity tools to safeguard against
breaches of electronic medical records as a result of requirements...

TADGEAR, Inc. breach notice security curmudgeon (Nov 19)
https://www.tadgear.com/content.php?id=38

This notice is to inform our customers of a security incident at TAD Gear.
We recently learned that our database was illegally accessed from an
external source, and it appears that some customer data were taken, which
may include customer names, contact information and credit card data.
The possibility of a security breach came to our attention when certain
customers notified us that unauthorized...

1.5 Million Medical Files At Risk In Health Net Data Breach kirniki (Nov 19)
http://www.courant.com/health/hc-healthbreach1119.artnov19,0,1798384.story

A hard drive with seven years of personal and medical information on
about 1.5 million Health Net customers, including 446,000 in
Connecticut, was lost six months ago and was first reported Wednesday,
state and company officials said.

The insurance company informed the state attorney general's office and
the Department of Insurance Wednesday of the security breach that...

PA: 80, 000 Mailers Sent Out With Recipients' Social Security Numbers In Plain View kirniki (Nov 18)
http://www.wgal.com/news/21655737/detail.html

ELIZABETHTOWN, Pa. -- Check your mailbox. Thousands of Pennsylvanians
could become victims of identity theft just because a piece of mail
has been sent to their homes.

Right on the front of the piece of mail, in plain view, is the
recipient's Social Security number. Tens of thousands of Medicare
recipients may be at risk.

Delores and Frank Ember, of Elizabethtown, simply could not believe
what they...

Germany in 'credit card recall' lyger (Nov 18)
http://news.bbc.co.uk/2/hi/business/8365828.stm

More than 100,000 German credit cards are being replaced after fears that
personal data has been stolen, German press reports say.

The reports say that the Volks- and Raiffeisenbank group alone is
recalling 60,000 cards.

Fraudsters are thought to have stolen data on German customers from a
service provider in Spain. There have been no actual reports of fraud.

[...]

Canada: Personal info at risk when items go missing lyger (Nov 18)
http://www.torontosun.com/news/canada/2009/11/18/11785441-sun.html

The personal information of taxpayers may be at risk because of a series
of security breaches at the Canada Revenue Agency.

Documents obtained by Ottawa researcher Ken Rubin reveal that lost mail,
missing shipments of computers or other data storage devices, and the
theft of computers that might contain tax records, is an ongoing problem.

"Our analysis revealed an...

NE: Personal info jeopardized after Workers' Comp Court computer hacked lyger (Nov 17)
http://journalstar.com/news/local/crime-and-courts/article_b9a02f46-d3a9-11de-85e5-001cc4c002e0.html

The Nebraska State Patrol and FBI are trying to figure out who hacked into
a Nebraska Workers' Compensation Court computer server -- and whether the
hacker took personal information.

The state agency learned last week someone had broken into a server that
temporarily held injury reports, said Glenn Morton, court administrator
for the...

[Dataloss] http://www.guardian.co.uk/uk/2009/nov/17/t-mobile-phone-data-privacy Jon Turner (Nov 17)
http://www.guardian.co.uk/uk/2009/nov/17/t-mobile-phone-data-privacy

The personal details of thousands of mobile phone customers have been stolen
and sold on to rival firms in the biggest data breach of its kind, the
government's privacy <http://www.guardian.co.uk/uk/privacy> watchdog said
today.

An employee of the phone operator T-Mobile sold the personal records of
customers, which included details of when their mobile phone contracts...

Commentary: According to OSF... nothing. (was re: try asking us first) lyger (Nov 16)
http://datalossdb.org/incident_highlights/39-according-to-osf-nothing-was-re-try-asking-us-first

On occasion, we look for news related to things other than data loss
events. Press releases veiled as "news" are a frequent treasure chest of
(not so) great information, so we often use detailed and complicated
techniques to make sure we have as much information as we can gather
about... Open Security Foundation and DataLossDB. In other...

Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool

Re: Metasploit mini end? HD Moore (Nov 24)
Correct - we will start publishing snapshots and mini's again in a
couple weeks, until then you have to roll your own.

-HD

Metasploit mini end? Soporte Exocet (Nov 24)
http://metasploit.com/releases/framework-3.3-dev-mini.tar.bz2 no more
avarible?

Re: Encoder PexFnstenvSub Pedro Drimel (Nov 23)
Yep, most likely I need to evaluate the bad characters, I sent a
string with all the characters, figured out x0d didn't let get into
the JMP ESP, after removing it I was able to read (following the
stack) all other characters however I'm still not sure if I am doing
it correctly.

Anyway, that's not a metasploit bug or so and thank you very much for
your support.

Regards,

Pedro.

2009/11/23 HD Moore <hdm () metasploit com>:

Re: Encoder PexFnstenvSub HD Moore (Nov 23)
It still sounds like you need to figure out bad characters, however you
can try the shortcut (pure alpha)

$ msfpayload windows/shell_bind_tcp R | \
msfencode -e x86/alpha_mixed -t ruby AllowWin32SEH=true

[*] x86/alpha_mixed succeeded with size 795 (iteration=1)
buf =
"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48" +
"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41" +...

Re: Encoder PexFnstenvSub Pedro Drimel (Nov 23)
I used the manual way but it's still weird, could get it working using
framework-2.7 via web but not thru msfpayload/msfencode, even with
current framework 3.3.

Working: via msfweb - badchards: 0x00 0x0d

/* win32_reverse - EXITFUNC=seh LHOST=192.168.230.130 LPORT=4321
Size=312 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char scode[] =
"\x33\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x06"...

Re: errors using dns_enum Chris Calaf (Nov 23)
duh, I think I may have figured it out. Must be my FW in my home lab causing
the issue. I just tried it again on another network and it ran fine.

Re: errors using dns_enum Carlos Perez (Nov 23)
Sorry for not replying to your last email, I spent the entire afternoon
doing several installs of BT4 and on my wifes mac with Macports and I could
not replicate this problem, do you have BT4 on a VM that you can share with
me? are you running it form msfconsole? I found weird the error abot rails.
Does anybody else in the mailing list experiencing this error?

Cheers,
Carlos

Re: Encoder PexFnstenvSub Rob Fuller (Nov 23)
Follow the crash step by step and compare chars, see which has changed once
it hits the stack and add those to your bad chars list. (that's the manual
way at least, not sure if there is a more advanced way)

Re: errors using dns_enum Chris Calaf (Nov 23)
I'll try this again because it seems like my post are not getting through.

osx:
msf auxiliary(dns_enum) > ruby -v
[*] exec: ruby -v

ruby 1.8.7 (2009-06-12 patchlevel 174) [i686-darwin10]
msf auxiliary(dns_enum) > info

Name: DNS Enumeration Module
Version: $Rev: 7500
License: Metasploit Framework License (BSD)

Provided by:
Carlos Perez <carlos_perez () darkoperator com

Basic options:
Name Current
Setting...

Re: Encoder PexFnstenvSub Pedro Drimel (Nov 23)
It is actually a badchars issue. I compared the output I had with the
one generated with 2.7 version and it's different. Probably, in the
past I had to deal with badchars but don't remember what I did.

Tried to run into my buffer the following:

string =
("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e"...

Re: [Good Ruby Book] Rory McCune (Nov 23)
The well grounded rubyist is a recent addition and is excellent at
explaining a lot of the details behind ruby. Probably not a book for
an absolute beginner , but a great choice for 2nd book to read.

Cheers

Rory

Sent from my iPhone

On 23 Nov 2009, at 14:29, ricky-lee birtles <mr.r.birtles () gmail com>
wrote:

Re: [Good Ruby Book] HD Moore (Nov 23)
Free book (somewhat older):
http://www.ruby-doc.org/docs/ProgrammingRuby/

The Programming Ruby 1.9.1 book looked decent and can be purchased at:
http://www.pragprog.com/titles/ruby/programming-ruby

-HD

Re: Encoder PexFnstenvSub HD Moore (Nov 23)
The metasploit:55555 server is just msfweb from Metasploit 2.7, you can
download and run it yourself if you like, but there are really good
reasons for it being offline:

1) The payloads do not work on newer versions of Windows
2) The payloads do not work with newer CPUs with NX support
3) The payloads have since been improved (reliability) and shrunk

The supported way is msfpayload with msfencode, the "pexfnstenvsub"
encode was not...

Re: [Good Ruby Book] Ulisses Castro (Nov 23)
Look at the mail list history, we talked about this a some time ago. ;-)

Cheers,

[Good Ruby Book] ricky-lee birtles (Nov 23)
Hi list,

This is not a msf question as such. I am looking for recommendations
for a good book on Ruby. Any suggestions would be appreciated.

Regards,
-- Mr R Birtles

Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.

Re: Need advice on modifying tvb Guy Harris (Nov 24)
That sounds a bit like a link-layer protocol; when capturing traffic,
sometimes the link-layer FCS is present and sometimes it isn't, so at
least some link-layer protocol dissectors have variants that might or
might not assume the FCS is there or might check something to
determine whether it's there.

If the dissector you're calling is like that, perhaps you can dissect
the special fields, hand the normal frame to the "no FCS"...

Re: How to build Wireshark 1.3.1 Gerald Combs (Nov 24)
Julian Fielding wrote:

1.3.2 is out now. win-setup.sh is included in the tar.gz and tar.bz2
packages.

Re: Need advice on modifying tvb Jaap Keuter (Nov 24)
Beth wrote:

Well, we're talking about a protocol violation here. I was under the assumption
that the checksum would be part of your outer protocol, not the build-in inner
protocol. That's why the suggestion for tvb_new_subset(). What you're trying to
do is fake the out checksum being the innner checksum. What about checksum
errors? Which protocol is to blame then?
Anyways, Wireshark is designed around proper protocol layering, so this would...

Re: Need advice on modifying tvb Beth (Nov 24)
Change the builtin dissector? You sure that's not cheating? ;)

Seriously though, that might be an option to consider - is there a way I
could turn on that setting automatically from my plugin? I would prefer
this to be a drop-in solution if possible, i.e. the end user simply drops
the plugin into their Wireshark folder and that's all they have to do.

Re: Need advice on modifying tvb didier (Nov 24)
Hi,
Le mardi 24 novembre 2009 à 15:05 -0500, Beth a écrit :

Did you add a new data source? It might work but it won't be pretty.

Another option would be to add a new preference to the standard
dissector: disable checksum.

Didier

Re: Need advice on modifying tvb Beth (Nov 24)
tvb_new_subset doesn't allow me to change the contents, does it? If it
does, then you are correct that would be the easiest way. But I thought
that tvb data was considered constant, and if you needed to modify it then
you should create a new tvb.

Somehow have to change that checksum of the frame that I am forwarding to
the builtin dissector.

Re: How to show ip address by Lua in wireshark Beth (Nov 24)
In Lua, userdata is a different type from a string. The %s tells Wireshark
to expect a string, but the ipv4() method returns a specialized format that
is not necessarily printable.

To print the address in the display tree, you need to find a way to convert
those bytes to a string, or else find a different datatree:add() method that
accepts the ipv4 format data. (If you can find the latter, that would be
the better solution.)

BTW, you may need...

Re: Need advice on modifying tvb Jaap Keuter (Nov 24)
Hi,

What's wrong with tvb_new_subset() ?

Thanks,
Jaap

Beth wrote:

Need advice on modifying tvb Beth (Nov 24)
I am trying to rewrite an existing dissector for a proprietary protocol
that, in fact, is only a slight variation on a standard protocol that is
supported by a builtin Wireshark dissector.

The proprietary frame begins with some special fields, followed by a normal
frame of the standard protocol BUT the checksum at the end of the normal
frame is recalculated to reflect the extra bytes at the beginning. So while
I can easily write a small...

Re: How to build Wireshark 1.3.1 Julian Fielding (Nov 24)
Reddy Nagendra-GKTC37 wrote on Tue, 24 Nov 2009 12:26:30 +0800

[snip]

That seems to be missing from wireshark-1.3.1.tar.gz. You can download it
from http://anonsvn.wireshark.org/viewvc/trunk/tools/

I think most developers use Subversion to get the sources, so might not
notice files missing from tar archives.

Re: Dissector API documentation Jaap Keuter (Nov 24)
sean bzd wrote:

Hi,

In the source tree, you'll find doc/README.developer.
That's what you're looking for.

Thanks,
Jaap

Re: Dissector API documentation Guy Harris (Nov 24)
doc/README.developer and some of the other README.* files in the doc
directory of the Wireshark source code.

Dissector API documentation sean bzd (Nov 24)
Hi,
Can anyone please point me to the documentation available for dissector
APIs? I was only able to find the Wireshark Developer's guide, but it did
not contain any documentation for the APIs used in dissectors.

Thanks very much,
Sean

End to End VoIP delay calculation capricorn 80 (Nov 24)
Hi!

(Sorry for repeating my question)
I am looking to calculate the end-to-end delay between two soft phone/hard phone. I have asterisk server and
configured ntp server on the same machine and synchronized it with ntp pool. I have seen that Wireshark can be used to
check the jitter. But I am not sure how can i calculate the end to end.
May be this is not related to the mailing list topic but please help me if anyone has some information....

buildbot failure in Wireshark (development) on OSX-10.5-x86 buildbot-no-reply (Nov 24)
The Buildbot has detected a new failure of OSX-10.5-x86 on Wireshark (development).
Full details are available at:
http://buildbot.wireshark.org/trunk/builders/OSX-10.5-x86/builds/870

Buildbot URL: http://buildbot.wireshark.org/trunk/

Buildslave for this Build: osx-10.5-x86

Build Reason:
Build Source Stamp: 31051
Blamelist: stig

BUILD FAILED: failed failed slave lost

sincerely,
-The Buildbot

Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.

Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie! Frank Knobbe (Nov 24)
That should help the Snort crew to narrow things down... unless it's
decided that it's not a problem. And I'm glad to hear that flow: works
properly. Thanks for testing!

-Frank

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application...

Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie! Frank Knobbe (Nov 24)
/me nods

Well, if ipA:80->ipB:7627 is in response to ipB:7627 sending a SYN to
ipA:80, then it would be correct. Note that the SYN doesn't establish
the sessions. You still require an ACK from both sides.

Well, I'm glad you learned something ;)

I know you know this. It was for the benefit of other readers. I'd like
to flesh things out so other can visualize what's happening to remain on
"the same page".

I'm not aware of other...

Re: host attribute file question Steven Sturges (Nov 24)
As a side note, you might try the profile 'all' in that
scenario. It really comes down to how the servers handle
spaces/tabs and other things in the request.

-s

Jason Wallace wrote:

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core...

Re: host attribute file question Steven Sturges (Nov 24)
Hi Jason--

No, currently, the client & service application and version attributes
are still ignored.

Thats an interesting configuration you have... I'll add an enhancement
request to our queue. Not sure of the impact of adding it, so
no promises on a time frame.

Cheers.
-steve

Jason Wallace wrote:

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal...

Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie! Jason Brvenik (Nov 24)
/me thinks if that were the case they would be having problems today.

my though here is not what should be happening but if a poorly
designed / implemented system in an effort to accommodate this valid
behavior might well let ip:80 -> ip:7627 establish a session much like
a poorly implemented system that doesn't recognize
SYN/[PSH,URG,ETC...] can establish state with some stacks.

thanks for the education in flow handling, it was not clear to...

host attribute file question Jason Wallace (Nov 24)
I sent this to the snort-users list, and was asked to send it the
devel list also. Any help would be appreciated.

Per the docs...

With Snort 2.8.1, for a given host entry, the stream and IP frag
information are both used. Of the service
attributes, only the IP protocol (tcp, udp, etc), port, and protocol
(http, ssh, etc) are used. The application
and version for a given service attribute, and any client attributes
are ignored. They will be used...

Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie! Frank Knobbe (Nov 24)
Or systems that run 30 year old TCP stacks :)

Nope, that's a different issue. Scanning with source port set to 20 can
bypass lame firewalls. Not just stateless firewall, but I've even sailed
past a Checkpoint that had the FTP proxy thingy misconfigured.

Keep in mind that the SYN from the server to the client uses the IP:port
pairs on both sides of the packet. The only difference is that the ACK
flag is not set and it doesn't include the...

Re: Unixsock plugin? Honia A (Nov 24)
Hi Dirk,

Thanks much for your reply, I really appreciate it.

1) I checked the log directory and the file called snort_alert already exists in there (/var/log/snort).

2) I have a script which is supposed to do the same thing, could you please have a look at it and see if it's any good?

3) You said "After this you can read from "sock" when snort writes to it". would you please tell me how could I do this?

Thanks so much,...

host attribute file question Jason Wallace (Nov 24)
Per the docs...

With Snort 2.8.1, for a given host entry, the stream and IP frag
information are both used. Of the service
attributes, only the IP protocol (tcp, udp, etc), port, and protocol
(http, ssh, etc) are used. The application
and version for a given service attribute, and any client attributes
are ignored. They will be used in a future
release.

Is the application and version still not used? I'd like to define the
application in the...

Re: Unixsock plugin? Dirk Geschke (Nov 24)
Hi Honia,

no, in this case it does not matter: Both do the same...

But if you define "output alert_unixsock" in snort.conf there is no
need to use "-A unsock", too.

Simply write a script/program that creates the unix domain socket
and read from it. That's all.

The socket should be in the log dir and called snort_alert.

All you need is something like this:

---
/* get a socket */
sock = socket(PF_UNIX, SOCK_DGRAM, 0) ;

/*...

Re: Fwd: Snort 2.7.0 segfaults on Ubuntu Server 9.04 Jason Wallace (Nov 24)
"Snort is installed from apt repositories, version 2.7.0."

You really need to get to the latest version. If you are using the
current version of the dependencies and a very outdated version of
snort, you are probably going to have these types of problems. If you
(or your friend) don't want to maintain a package from source and your
distro is out dated...switch distros....

Re: Unixsock plugin? Honia A (Nov 24)
Thanks Dirk,

1) Currently I have the line "output alert_unixsock" added to my snort.conf file and this is the command I run: "snort
-A unsock -c snort.conf ". Did you mean I have to delete the line from the snort.conf file and just run the command
itself?

2) You said I have to provide the unix domain socket so that snort can write to it, how can I do that?

Thanks again for your help,

Honia...

Re: Fwd: Snort 2.7.0 segfaults on Ubuntu Server 9.04 Joel Esler (Nov 24)
On Tue, Nov 24, 2009 at 6:42 AM, Igor Zinovik <zinovik.igor () gmail com>wrote:

Darn,

That was the first thing I was going to tell you to do. Troubleshooting an
old version like 2.7.0 is rather consuming for the list, since, we may have
fixed the problem in a newer version. I understand your partners dilemma
about not wanting to maintain the package separately, but in this case, it's
necessary.

J

Re: Question about snort inline fathi.engineer (Nov 24)
Hi,

It wouldn't be possible to block unwanted hosts if you don't modify the iptables rules on Linux.

Short answer: yes.

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now....

Fwd: Snort 2.7.0 segfaults on Ubuntu Server 9.04 Igor Zinovik (Nov 24)
Hello, snort-users@ readers.

We are trying to deploy snort 2.7.0 in our network, but currently with
no luck. We have ordinary i386 box (Celeron 2.0 Mhz with 512 MB DRAM)
with 2 NIC: Intel 1Gb NIC and Realtek 100Mb NIC.

Software we use:
Snort is installed from apt repositories, version 2.7.0. It has
compiled in mysql and prelude support.
Barnyard2 v1.6.
Linux kernel v2.6.28-15.
MySQL v5.1.
libmysqlclient16 v5.1
We also deployed snorby...

We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.