SecLists.Org Security Mailing List Archive

Any hacker will tell you that the latest news and exploits are not found on any web site—not even Insecure.Org. No, the cutting edge in security research is and will continue to be the full disclosure mailing lists such as Bugtraq. Here we provide web archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:

Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects.

Re: [nmap-svn] r16159 - nmap/nselib Ron (Nov 20)
Sorry, I committed some extra code in this one that I didn't mean to
(should have 'svn diff'ed.. oops).

The code is simply functions that aren't called from anywhere (yet), so,
unless somebody minds, I'm just going to leave it.

commit-mailer () insecure org wrote:

Pushed in my changes Ron (Nov 20)
Nobody had any issues with smb-enum-groups or my updated output, so I
committed the changes into the main trunk. This'll be the last of my
changes for a little while, since I'm sort of out of ideas. I didn't
want to leave stuff sitting my branch, though.

I added smb-enum-groups.nse to the CHANGELOG, but not the updated output
(I didn't want to mess with it too much while Fyodor was updating it).

As for the updated output, I went with...

Re: Removing email addresses from NSE script author field Ron (Nov 20)
Fyodor wrote:

Someone should stop that guy!

Ultimately, I don't care. Whenever I put my email address somewhere, I'm
always aware of the spam risk, so I wasn't too worried. But it's
probably a good idea to get rid of it.

Ron

Re: Removing email addresses from NSE script author field DePriest, Jason R. (Nov 19)
I never thought about them being used to fuel SPAM.

Keeping the names and removing the email addresses should be okay
since anyone who is actively maintaining a script will likely be
reading the nmap-dev list.

Perhaps put information about subscribing to or contacting nmap-dev
instead of individual email addresses?

-Jason

Removing email addresses from NSE script author field Fyodor (Nov 19)
Hi folks. I've noticed NSE author fields in several formats,
including:

p2p-conficker.nse: author = "Ron Bowes (with research from Symantec Security Response)"

http-enum.nse: author = "Ron Bowes <ron () skullsecurity net>, Andrew Orr
<andrew () andreworr ca>, Rob Nicholls
<robert () everythingeverything co uk>"

smb-enum-sessions.nse: author = "Ron...

Nmap's memory use David Fifield (Nov 19)
Hi,

We've had some report recently about Nmap using a lot of memory.

"Port memory bloat"
http://seclists.org/nmap-dev/2009/q3/926
"nmap 5 memory usage"
http://seclists.org/nmap-dev/2009/q4/300

I started looking at ways to improve this. This note is to let you know
what I've found so far and to ask if anyone has tips on memory
profiling.

In the first link above, Pavel Kankovsky observed that it is the Port
class that is...

Re: Bug/Enhancement (ncat/nsock) - Recognize Winsock error codes David Fifield (Nov 19)
Hi Paul, thanks for your suggestion. The next release of Ncat will have
this. When Ncat has a connection error, it will print the error even
without -v, and it will interpret the Windows error codes.

The Nsock messages don't interpret the Windows codes, because as I
recall those strings can be long and contain newlines. Nsock tracing is
a low-level option; we wanted to make the information from common
connection errors visible without excessive...

Re: Scanning 255.255.255.255 from Windows Jon Kibler (Nov 19)
David Fifield wrote:

Although I cannot test right now to verify it, I seem to recall that (at least
for Linux) packets sent to 255.255.255.255/32 usually (always?) have a
destination MAC address of FF:FF:FF:FF:FF:FF. Maybe nmap should simply set the
MAC associated with 255.255.255.255/32 to FF:FF:FF:FF:FF:FF?

Jon

Bug/Enhancement (ncat/nsock) - Recognize Winsock error codes Paul Milliken (Nov 19)
Hi,

I've noticed that ncat doesn't interpret Windows Socket errors,
instead displaying them as "Unknown error". Contrast the following
outputs from Windows and Linux respectively:

C:\tools\nmap-5.00>ncat -v -v -v 10.10.130.140 8888
Ncat version 5.00 ( http://nmap.org/ncat )
NSOCK (0.0620s) TCP connection requested to 10.10.130.140:8888 (IOD #1) EID 8
NSOCK (1.0160s) Callback: CONNECT ERROR [Unknown error (10061)] for
EID 8...

Re: port order in 5.00-2 bensonk (Nov 18)
You can also use netcat (not ncat, sadly) with the -z flag, which says
"do no IO, just connect". This might do what you want in a pretty small
package.

This raises the question -- why doesn't ncat support netcat's -z? Was
it decided that this sort of action should be taken by nmap or nping?

Benson

Re: Scanning 255.255.255.255 from Windows David Fifield (Nov 18)
I looked into this and I can reproduce it. I get the "Failed to
determine dst MAC address" message even without -e, though. I think I
know why: for some reason the routing table has the gateway for
255.255.255.255/32 set to the local IP address. This machine's IP
address is 192.168.0.190 and its Internet gateway is 192.168.0.1.

$ nmap --iflist

Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-11-18 21:44 Mountain Standard Time...

Re: Segfault in latest SVN David Fifield (Nov 18)
Thanks, Ron. I think this was caused by my r16121, which changed how NSE
sockets are created. I've reverted it until I can investigate.

David Fifield

Segfault in latest SVN Ron (Nov 18)
I'm not sure when this was introduced, and I'm currently on the clock
and can't troubleshoot, but here's the output:

ron () carrot:~/tools/nmap$ gdb ./nmap
GNU gdb 6.8
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show...

Re: ncat: using UDP with --chat clemens fischer (Nov 18)
(Sorry for being late again, I am busy with something else.)

Sounds reasonable. But. Can brokering be made to work over unix local
sockets in reliable datagram mode, like TCP? What I mean is mentioned
in unix(7): "unix_socket = socket(AF_UNIX, type, 0);" where type would
preferably be SOCK_STREAM or even SOCK_SEQPACKET (portability?) and
allow nice tricks with passing SO_PASSCRED! I had experimented with
"socat" much...

Re: Deletion of obsolete script files before installation Tom Sellers (Nov 18)
Should we implement a subdirectory for custom scripts to reduce the
likelihood of running into this problem in the future?

Tom

Nmap Hackers — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.

Nmap 5.00 Released! Fyodor (Jul 16)
Hello everyone. I'm delighted to announce the release of Nmap 5.00!
This is the first major release since 4.50 in 2007, and includes about
600 significant changes since then! We consider this the most
important Nmap release since 1997, and we recommend that all current
users upgrade.

There are too many changes to list them all in this email, so here are
the top 5 improvements in Nmap 5:

1) The new Ncat tool aims to be your Swiss Army Knife...

Nmap news: stable release candidate 4.90RC1, SoC team, and new translations Fyodor (Jun 26)
Hi Folks. I'm pleased to announce some exciting Nmap news:

[=================Nmap 4.90RC1==================]

It has been nearly 10 months (and 11 dev releases) since 4.76, the
last stable Nmap release. And we've made many dramatic changes, so it
is time for a new stable version! I've posted a release
candidate--4.90RC1--on the Nmap download page:

http://nmap.org/download.html

Please test it out, and let us know if you find any problems...

Nmap 4.85BETA6 now avail w/Conficker detection Fyodor (Apr 01)
Hi Folks! In case you missed all the news reports yesterday, a couple
great researchers from the Honeynet Project (Tillmann Werner and Felix
Leder) and Dan Kaminsky came up with a way to remotely detect the
Conficker worm which has infected millions of machines worldwide.
Some say 15,000,000 machines infected, but that might just be
exaggerated AV-company BS for all I know. But there are clearly
millions of infections, and this massive botnet...

Nmap News: 4.84BETA4 release, Nmap book news, Summer of Code, Twitter, etc. Fyodor (Mar 27)
Hello everyone. We've seen 848 messages on nmap-dev this year, but
this is my first post to nmap-hackers. So I have a lot of exciting
Nmap news to fit into this one email!

[=================Nmap 4.85BETA4==================]

While the last release I posted to this list was 4.76 in September of
last year, we've had four beta releases since then with hundreds of
important and dramatic changes. I'm pretty happy with the latest
4.85BETA4 release,...

Nmap Network Scanning Book Released! Fyodor (Dec 09)
Nmap Hackers:

After promising you a book on Nmap for years, I'm delighted to finally
announce the release of Nmap Network Scanning! It contains everything
I've learned about network scanning from more than a decade of Nmap
development, plus some bad jokes and (over Time Warner's written
objections) pictures of Trinity hacking the Matrix :). Here is the
abstract:

Nmap Network Scanning is the official guide to the Nmap Security
Scanner, a...

Nmap News: 4.76 release, Defcon presentation online, Is port scanning legal? Fyodor (Sep 23)
Hi everyone. I'm happy to report that the Nmap 4.75 release (with
port frequencies, Zenmap topology, etc.) was a big success. But such
large exposure inevitably leads to bug discovery, so we've
released version 4.76 with about a dozen small fixes and stability
improvements. If 4.75 is working great for you, there is probably no
need to upgrade. But if you encountered problems, or if you are the
type who waits a couple weeks for stabilization...

Nmap 4.75 released Fyodor (Sep 08)
Hi Everyone. I'm delighted to report the release of Nmap 4.75, which
has almost 100 significant improvements since 4.68. Some which I'm
most excited about are:

o While Nmap stands for "Network Mapper", it hasn't been able to
actually draw you a map of the network--until now! Visit
http://nmap.org/book/zenmap-topology.html for details and pretty
pictures of Zenmap's new Scan Topology system.

o I spent much of this summer...

Nmap 4.68 release Fyodor (Jul 31)
Hi All. I'm happy to report that there have been several stable Nmap
releases since I mailed you about Nmap 4.60 in March. The latest
version is 4.68, and I think you'll like it (unless you still use
Win2K, which can be problematic due to IPv6 issues that we hope to
resolve in the next release). Before I give you the full list of 125
improvements, I'll start with a few highlights:

o Added a new --min-rate option that allows specifying a...

Lots of Nmap News Fyodor (Jul 31)
Hi All. I feel derelict for failing to post any Nmap news to this
nmap-hackers list in the last four months, but you can rest assured
that we've been busy on the project! For example, there have been
1,181 posts on the nmap-dev list (not all from me) since my March
nmap-hackers announcements. So you can always join that if you want a
constant flood of Nmap news :). There have also been several stable
Nmap releases since that time, great news...

Nmap accepting applications for Summer of Code developers Fyodor (Mar 24)
It may have taken me four months to send this year's first
nmap-hackers mail, but the second only took me four hours. I want to
let you all know that Nmap has been accepted for the fourth year
running to participate in the Google Summer of Code program. This
generous and innovative program provides $4,500 stipends to hundreds
of university students to create or enhance open source software.
Applications are only accepted for one week, until...

Nmap 4.60 and new movies page Fyodor (Mar 24)
Hi everyone. This is the first nmap-hackers message of the year, but
we haven't been slacking. The nmap-dev list has more than 500 posts
so far this quarter, and we've made many great improvements to Nmap
during the period.

Nmap-hackers is reserved for the most important Nmap news, but that
won't prevent me from starting out this message with something
frivolous :). I recently learned that Nmap was in not just one, but
two major motion...

Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components VMware Security Team (Nov 20)
-----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2009-0016
Synopsis: VMware vCenter and ESX update release and vMA patch
release address multiple security issue in third
party components
Issue date: 2009-11-20
Updated on: 2009-11-20 (initial release of advisory)
CVE numbers: --- JRE ---...

IE7 info (Nov 20)

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
<HTML xmlns="http://www.w3.org/1999/xhtml";>
<HEAD>
<script>
function load(){
var e;
e=document.getElementsByTagName("STYLE")[0];...

[security bulletin] HPSBMA02478 SSRT090251 rev.1 - HP Operations Manager for Windows, Remote Unauthorized Access security-alert (Nov 20)
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01931960
Version: 1

HPSBMA02478 SSRT090251 rev.1 - HP Operations Manager for Windows, Remote Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2009-11-18
Last Updated: 2009-11-18

Potential Security Impact: Remote unauthorized access

Source: Hewlett-Packard Company, HP Software Security Response Team...

PHP "multipart/form-data" denial of service Bogdan Calin (Nov 20)
Description
------------
PHP version 5.3.1 was just released. This release contains a patch for a
denial of service condition we've reported on 27 October 2009. The
problem is related with PHP's handling of RFC 1867 (Form-based File
Upload in HTML).

When you send a POST request to a PHP script with the content-type of
"multipart/form-data" and include a list of files in that request, PHP
will create a temporary file for each file from...

Firefox 3.5.3 Remote Array Overrun (UPDATE) cxib (Nov 20)
Please update CVE-2009-1563 BID:36851 and BID:36843

Mozilla has changed credit.

http://www.mozilla.org/security/announce/2009/mfsa2009-59.html

and add correct CVE: CVE-2009-0689.

CVE-2009-1563 shouldn't never exists. It is duplicate.

KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) cxib (Nov 20)
[ KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- KDELibs 4.3.3

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/74

--- 0.Description ---
KDELibs is a collection of libraries built on top of...

K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) cxib (Nov 20)
[ K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- K-Meleon 1.5.3

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/72

--- 0.Description ---
K-Meleon is an extremely fast, customizable,...

SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) cxib (Nov 20)
[ SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- SeaMonkey 1.1.18

Fixed in:
- SeaMonkey 2.0

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/71

--- 0.Description ---
The SeaMonkey project is...

Opera 10.01 Remote Array Overrun (Arbitrary code execution) cxib (Nov 20)
[ Opera 10.01 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- Opera 10.01
- Opera 10.10 Beta

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/73

--- 0.Description ---
Opera is a Web browser and Internet suite...

NSA Iraqi Computer Attacks And U.S. Defense Gadi Evron (Nov 19)
In a recent article in the National Journal Magazine, the NSA
supposedly admits to using computer attacks in Iraq, attacking
cellular systems. Aside to the hacking part, which is obviously
"cool", the impact on the US cyber defense stance as well as
international relations is staggering.

I spent some time trying to figure out what facts were given in the
story, and analyze it.

Original story:...

AssetsSoSimple supplier_admin.php Supplier Field XSS Bugs NotHugs (Nov 19)
product: AssetsSoSimple
version tested: 0.33
vendor URL: http://assetssosimple.sourceforge.net/
script: supplier_admin.php
field: Supplier

ooo

BugsNotHugs
Shared Vulnerability Disclosure Account

Auto Manager admin.cgi Multiple Field XSS Bugs NotHugs (Nov 19)
vendor: interactivetools.com, inc.,
http://www.interactivetools.com/products/automanager/
product: Auto Manager
version: 2.52
script: admin.cgi
fields: Vehicle, Year, Price, Drive Train, Transmission, Body, Engine,
Description, Color, Miles

***

BugsNotHugs
Shared Vulnerability Disclosure Account

[security bulletin] HPSBMA02477 SSRT090177 rev.2 - HP OpenView Network Node Manager (OV NNM), Remote Denial of Service (DoS) security-alert (Nov 19)
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01926980
Version: 2

HPSBMA02477 SSRT090177 rev.2 - HP OpenView Network Node Manager (OV NNM), Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2009-11-17
Last Updated: 2009-11-18

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response...

[security bulletin] HPSBPI02472 SSRT090196 rev.1 - Certain HP Color LaserJet Printers, Remote Unauthorized Access to Data, Denial of Service security-alert (Nov 19)
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01886100
Version: 1

HPSBPI02472 SSRT090196 rev.1 - Certain HP Color LaserJet Printers, Remote Unauthorized Access to Data, Denial of Service

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2009-11-18
Last Updated: 2009-11-18

Potential Security Impact: Remote unauthorized access to data, Denial of Service (DoS)

Source:...

[USN-860-1] Apache vulnerabilities Jamie Strandboge (Nov 19)
===========================================================
Ubuntu Security Notice USN-860-1 November 19, 2009
apache2 vulnerabilities
CVE-2009-3094, CVE-2009-3095, CVE-2009-3555
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu,...

Full Disclosure — An unmoderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately 80% of the posts are worthless drivel, so finding the gems takes patience.

Re: Meet Kurt Greenbaum, Director of Social Media, St. Louis Post-Dispatch, Reports commenter to employer. Michael Holstein (Nov 20)
Vladis .. not sure about that school since it was K12, but in both your
case and mine .. we *are* the ISP (insofar as we have our own ASN and
valid info on whois).

If K12 is done there like I've seen in a lot of other places, they
probably have a consortium that provides connectivity and each
institution has a CIDR block within the consortium's AS .. and I'm sure
the school had some web-nazi appliance that made it a few-clicks of a
mouse...

VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components VMware Security Team (Nov 20)
-----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2009-0016
Synopsis: VMware vCenter and ESX update release and vMA patch
release address multiple security issue in third
party components
Issue date: 2009-11-20
Updated on: 2009-11-20 (initial release of advisory)
CVE numbers: --- JRE ---...

Pussy and the right to free speech. yuri . nate (Nov 20)
This whole thing is ridiculous. Kurt Greenbaum is an idiot. What
kind of question is that in the first place? Only and idiot would
post “what’s the strangest thing you’ve ever eaten” and not expect
some obvious remarks. And what’s wrong with pussy? Eating pussy
is good! I LOVE eating pussy! All they guys I know, along with
several women I know love to eat pussy. I eat pussy. You eat
pussy. Everyone eats pussy. That’s...

Re: Meet Kurt Greenbaum, Director of Social Media, St. Louis Post-Dispatch, Reports commenter to employer. Valdis . Kletnieks (Nov 20)
On Fri, 20 Nov 2009 01:42:08 +0100, netinfinity said:

Unfortunately, that's exactly what *did* happen. Although for *home*
users, the 'ISP' is the person to complain to, for organizations that run
their own networks (like many businesses and schools, etc) the proper place
to complain is the network management of that organization. He contacted
the admins of the school's network, and said "One of your users is being
a bozo". The...

PHP "multipart/form-data" denial of service Bogdan Calin (Nov 20)
Description
------------
PHP version 5.3.1 was just released. This release contains a patch for a
denial of service condition we've reported on 27 October 2009. The
problem is related with PHP's handling of RFC 1867 (Form-based File
Upload in HTML).

When you send a POST request to a PHP script with the content-type of
"multipart/form-data" and include a list of files in that request, PHP
will create a temporary file for each file from...

n3td3v / Andrew Wallace's psychological profile Sam Haldorf (Nov 19)
Earlier this year, a very well educated FD member posted the psychological profile of Mr. Wallace. (Found here:
http://seclists.org/fulldisclosure/2009/Jan/415 ) Interesting to view in retrospect, because I find it depicts him to a
T.

This profile is almost like an instruction set for n3td3v's life. A self-fulfilling prophecy if you will.

An eery example: Anyone here remember how n3td3v posted as full-censorship a few months ago claiming to...

Re: Meet Kurt Greenbaum, Director of Social Media, St. Louis Post-Dispatch, Reports commenter to employer. Sam Haldorf (Nov 19)
No problem regarding the personal post, I have made the same mistake myself.

I also see what you mean regarding the language of the privacy statement.
"unauthorised use" could be interpreted as any use that has not been given explicit approval before the fact.

Weasel words imho.

And Mr Holstein if this was the point you were trying to make, I accept it.

regards
mrx

dramacrat wrote:

Re: Meet Kurt Greenbaum, Director of Social Media, St. Louis Post-Dispatch, Reports commenter to employer. netinfinity (Nov 19)
Mr. Kurt Greenbaum made a mistake. Privacy violated, because there
are other mechanism's like baninig the IP, email or whatever is
necessary to submit the post. If this fails then you should conntact
the ISP of the "spammer" based on the IP.

SecurityReason: KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) Maksymilian Arciemowicz (Nov 19)
[ KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- KDELibs 4.3.3

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/74

--- 0.Description ---
KDELibs is a collection of libraries built on top of...

SecurityReason: Opera 10.01 Remote Array Overrun (Arbitrary code execution) Maksymilian Arciemowicz (Nov 19)
[ Opera 10.01 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- Opera 10.01
- Opera 10.10 Beta

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/73

--- 0.Description ---
Opera is a Web browser and Internet suite...

SecurityReason: K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) Maksymilian Arciemowicz (Nov 19)
[ K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- K-Meleon 1.5.3

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/72

--- 0.Description ---
K-Meleon is an extremely fast, customizable,...

SecurityReason: SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) Maksymilian Arciemowicz (Nov 19)
[ SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- SeaMonkey 1.1.18

Fixed in:
- SeaMonkey 2.0

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/71

--- 0.Description ---
The SeaMonkey project is...

Re: Meet Kurt Greenbaum, Director of Social Media, St. Louis Post-Dispatch, Reports commenter to employer. mrx (Nov 19)
No problem regarding the personal post, I have made the same mistake myself.

I also see what you mean regarding the language of the privacy statement.
"unauthorised use" could be interpreted as any use that has not been given explicit approval before the fact.

Weasel words imho.

And Mr Holstein if this was the point you were trying to make, I accept it.

regards
mrx

dramacrat wrote:

Re: Meet Kurt Greenbaum, Director of Social Media, St. Louis Post-Dispatch, Reports commenter to employer. dramacrat (Nov 19)
They're ORs, unfortunately. The language is unclear but it seems to be one
of those infernal boilerplate pieces of shit that basically invalidate the
assurances as to privacy.

You could still probably press the suit. "Unauthorised use" has recently
been defined and redefined, it's an evolving piece of law and if you have
the resources to get a jury trial they'll *want* to find in favor of the
plaintiff, which is more important than you...

Re: Meet Kurt Greenbaum, Director of Social Media, St. Louis Post-Dispatch, Reports commenter to employer. mrx (Nov 19)
Michael Holstein wrote:

So what? Ban the IP address. Admittedly a childish comment but the site is hardly one that is frequented by children.
imho Mr K. Greenbaum should be fired and sued.

And Mr Holstein you seem to be using your quote above out of context...

Compliance with Legal Process
We may disclose personal information if we or one of our affiliated companies is required by law to disclose personal
information, or if we
believe in good...

Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.

How to detect process using ICMP Tony Raboza (Nov 19)
Hi

I have a Linux server which I now is sending out strange ICMP traffic
to two hosts. My IDS (snort) told me that its a stacheldraht-dos. I
have checked on the server using tcpdump and indeed it is sending out
ICMP. Now, how do I found out which process is doing this? lsof so
far has not been successful.

Thanks.

Best,
Tony

------------------------------------------------------------------------
Securing Apache Web Server with thawte...

Re: How do I find out what hop is not forwarding traffic on a specific port? Alex Fiuvertiz (Nov 19)
Perhaps firewalk will solve that question? I'm not sure I completely
understood the problem, but if you're having a firewall/router in
front of a network and wants to map the firewall's rulebase than
perhaps firewalk could help.
But you will have to know a host on the inside network of the filtering devices.
The method will only work at level 3 firewalls/filtering devices.
You let firewalk calculate the TTL so that TTL is 1 when you get to
the...

Methodology Alex Fiuvertiz (Nov 19)
Hi Security-basics,

It seems like there are a lot of different methodologies out there
when it comes down to perfoming penetration tests.
But how often are people/pentesters out there use the
industry/official "standards" (se example list below)?
Are you/they using them mostly for the client's sake when writing
reports and to make sure you don't overlook anything?

Or are you ignoring them totally and just hack away and have your own...

Detecting Mutating Javascript TSS (Nov 18)
Hi,

I'm looking for people working on detecting mutating Javascript. I've
been working on detecting Javascript encoded in whitespace and
have come up with a few ideas so far:
* Signature detection on the decoder function (lame)
* Analyzing the whitespace to try to find encoded information (decent,
but difficult because there could be so many encoding schemes)
* Building character frequency maps from non-malicious Javascript
libraries and...

Re: Windows Service Accounts Henri Salo (Nov 17)
I would start by making a policy to expire passwords.

---
Henri Salo

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase,
install...

machine authentication on Cisco ACS marco gregorio (Nov 17)
Hi,

Does wpa_supplicant supports machine authentication? If so, how to
configure it?

More specifically, in Cisco's ACS, there is a setting called "Enable
machine access restrictions". Does wpa_supplicant support that?

Thanks,

Marco

Re: Two Factor - Virtual Private Network Nick Owen (Nov 16)
As for the last question, there are a number of options, though the
easiest will probably not be a 100% open source solution, because you
are going to an MS authentication server. What you really want to think
about is what VPN solutions work with what two-factor authentication
solutions using the authentication protocols in my environment.

I discussed this strategy in a recent webinar, which you can see here:...

WAP's with guest access and compatible with IAS Murad Talukdar (Nov 16)
Hi all,
Looking for some decent but cost consciously priced WAPs for a small office
training room.
I'm hoping to get one which has IAS/RADIUS compatible so that it can be used
in conjunction with AD.
But, if it can also have some kind of guest access that would be great.

Otherwise, if this is a security risk, I will setup two, one on a DMZ for
guests and one on a separate VLAN for the in-house users.

I'm looking at the LinksysWAP 2000 initially...

Re: Security Incident Handling / Organization Gleb Paharenko (Nov 16)
Hi, Tony!

I suggest you to start from defining roles and assigning them to
personnel. It is a good practice for security incidents to form ad-hoc
team, which should include IT/helpdesk specialist for technical work
and some one from management, who has enough power for administrative
actions. Later you can allocate a dedicated persons for a roles. For
strategic IT security initiatives you might want to form a security
committee (board) in the...

Windows Service Accounts Abo Sous (Nov 16)
Hi list,

Part of my new job, I'm cleaning up the accounts (both AD and local)
in a windows environment (~2000+ in all). Getting to the local
services accounts, i wonder if you would have some remediation
approach to track such accounts, remove unused ones, and, at a later
stage (long term), to manage those which are hard coded in 3rd party
applications or that need to be remain in the environment.

thanks,
./as...

Doohickey of House:How to select fingerprint lock we (Nov 16)
Fingerprint Technologyis one of mature biometric technology, which moves to lock industry, brings big innovation for
traditional lock applications, to gain better life and security.

however,how to select a good Fingerprint door lock? there is some suggestions for your following up

1. check what type of doors in your house, find the right saddle for your horse, for example, wooden door inside
house, no need to select a big cylinder type...

RE: Rouge Wireless AP Nick Duda (Nov 13)
I know the OP is looking for cheap/free solutions, but we use Cisco Wireless LAN Controllers for rogue AP detection,
(auto/manual)containment, and WIPS. Works pretty good.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Murda Mcloud
Sent: Thursday, November 12, 2009 5:53 PM
To: 'Steven Bonici'; security-basics () lists securityfocus com
Subject: RE: Rouge Wireless AP

How...

RE: Rouge Wireless AP Erin Carroll (Nov 13)
Ekahau Heat Mapper is a useful tool for building coverage maps &
triangulation that I've used with some success. www.ekahau.com

Re: Security Toolkit for dummies n3td3v (Nov 13)
It's not been removed, I found it http://www.securityfocus.com/brief/1034

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase,...

Re: Security Toolkit for dummies Jay Vlavianos (Nov 13)
Probably for the same reason it was removed as a torrent from various
sites - it is deemed too hot to deal with at the moment.

Considering it is one of the only software packages out there that was
completely designed for LEOs, it stands to reason that people fear M$
legal/cop smack down.

Why get the BSA involved for piracy when you can just let the LEOs you
create it for own the case? Even reporting that you reviewed it is an...

Penetration Testing — While this list is intended for "professionals", participants frequenly disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.

Re: password auditing Kevin L. Shaw, CISSP, GCIH (Nov 19)
Derek:

"an hour or two" is not going to give you a sufficient assessment.
Going through your 200K word dictionary a single time will probably take
longer than that. I would recommend a couple of things based on your
latest note, as well as this comment - without first an enforceable
policy in place; this is really like putting the cart before the horse.
However; I understand the reason why you are doing this so good luck -
but you...

Firewall Type Fingerprinting Zaki Akhmad (Nov 19)
Hello,

Can we do firewall type fingerprinting? With what tools? I want to
know the type of the firewall in front of the web server.

Pentest lab box 16 gigs of ram macubergeek (Nov 19)
All

I'm thinking of building a vmware target box for a pentest practice
lab consisting of:

cheap Dell server with 16 gigs of ram PowerEdge T105
vmware workstation

My question is with the host OS.
I was contemplating the home version of Windows 7 to give me a 64 bit
OS to support the amount of ram I'm planning on
Does anyone have any experience with the latest version of VMware
workstation and if it will run properly on Windows 7?

would...

Re: password auditing Anders Thulin (Nov 19)
Derek Robson wrote:

Be careful: don't fall into the all too common trap that any password that JtR
can crack must be a weak password.

And don't fall into the other trap that any password that contains upper and
lower case letters, digits and spcial characters and is at least 8 characters long
necessarily is a strong password. (This is the 'password policy' fallacy).

And don't assume that password strength alone is the entire truth....

Windows Internationalization? Jon Kibler (Nov 19)
Hi,

I have been approached about doing a pen test job that would involve a target
organization whose native character set is not ASCII. So, I have a few questions
and would appreciate some pointers to help me decide if I really want this
assignment.

Questions that immediately come to mind are:
1) On a Windows system that uses a non-ASCII character set (Chinese, Arabic,
Russian, etc.), how does that effect Windows?
-- Are registry key names...

VideoJak 2.0 Released Abhijeet Hatekar (Nov 19)
Sipera VIPER Lab has released VideoJak 2.0:

http://videojak.sourceforge.net

VideoJak is an IP Video security assessment tool that can target a video stream and/or video call in progress to play a
targeted malicious video clip, resulting in a DoS.
Some key features of the new VideoJak:

* IP Video Replay (as presented at ToorCon 11, DefCon 17)
* Media Blackhole attack.

We welcome all suggestions and feedbacks.

Thanks and Regards,

Abhijeet...

Re: password auditing JoePete (Nov 19)
A few observations:

One of the big reasons for password complexity is the ability to crack
them offline. Essentially, password policy reflects more on the
vulnerability of poorly secured systems (i.e. the ability to get at the
password store) than the feeble-mindedness of employees.

If your Internet facing services (email, intranet, VPN, etc) are a
concern, your best protection is not password complexity but account
lockout. Without account...

Re: Possible Milw0rm replacement? J.Hart, Elec.Eng.Tech. (Nov 19)
Nice.
Yes - it is a learning experience - I never expect the code to be
perfect - that wouldnt be any fun

Elle

CEH or OSCP? Vaibhav Kaushal (Nov 19)
Hi all,

I am really interested in hacking. I know I can learn on my own but I
would like to have a course guiding me properly rather than wandering
here and there for some stupid material.

I think C|EH is great but the OSCP is way better (I prefer being
practical). I went through the websites of both and as far as I have
understood, CEH is only for the professionals working in organizations.
Since I am just an undergraduate student as of...

Re: password auditing Derek Robson (Nov 17)
thanks to everyone for such a big responce.

many of you have pointed me to questions of our policy...
many of you have talked about haveing password quality inforced when
they are set....

we have no real policy around passwords, we have no standards, we do
no quality testing.
we dont force users to change passwords, some have had the same
password for many years.
some still have the default password.

this project is to get some real data about...

Re: password auditing Derek Robson (Nov 17)
as per my last post....

we have no policy for passwords, we plan on getting some policy and
inforcing it.
before we do this we want to get an overview of just how ugly things are.
we want to get real facts about how many users are using the default password.

in many of the meetings we have un-educated managers quoting "facts"
that they cant know until we do this project.

many of the IT staff are keen to get good password policy in...

Re: password auditing Tracy Reed (Nov 17)
On Tue, Nov 17, 2009 at 08:59:29AM -0600, Harris, Michael C. spake thusly:

Probably a good idea. Especially in a big corporation where things can
easily get out of control when the lawyers get their hands on
things. Learn the lesson of poor Randall Schwartz and his felony
convictions due to his work with Intel. In a smaller company (such as
mine) I wouldn't worry so much.

Might be a bit overkill but ok... Seems like all of the servers should
be...

Re: password auditing R. DuFresne (Nov 17)
Yes, this box needs to be locked down as tightly as possible. Afterall
that data it contains is delicate to say the least.

Secondly though, why do passwd's in this env not expire? And why are
there now requirements to force users to choose secure passwd's in the
first place?

Thanks,

Ron DuFresne

Re: Possible Milw0rm replacement? Pedro Drimel (Nov 17)
Note that now some of the applications are available to download
directly from their repositories which is awesome.

2009/11/17 Kevin L. Shaw, CISSP, GCIH <kshaw () eeenterprisesinc com>:

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration...

Re: password auditing Haris Pilton (Nov 17)
sounds like a fun project. I would Protect it like you currently
protect the password files you are going to brute.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT
and CEPT certs require a full practical examination in order to...

Info Security News — Carries news items (generally from mainstream sources) that relate to security.

Microsoft denies it built 'backdoor' in Windows 7 InfoSec News (Nov 20)
http://www.computerworld.com/s/article/9141182/Microsoft_denies_it_built_backdoor_in_Windows_7

By Gregg Keizer
Computerworld
November 19, 2009

Microsoft today denied that it has built a backdoor into Windows 7, a
concern that surfaced yesterday after a senior National Security Agency
(NSA) official testified before Congress that the agency had worked on
the operating system.

"Microsoft has not and will not put 'backdoors' into...

Re: FBI Suspects Terrorists Are Exploring Cyber Attacks InfoSec News (Nov 20)
Forwarded from: Richard Forno <rforno (at) infowarrior.org>

The second paragraph undermines the whole article, as such statements
tend to do in all articles warning of cyber or terrorist attacks, just
as any number of 'stories' citing some new DHS or FBI terror threat that
suddenly hits the airwaves periodically during the year.

This entire article simply says -er, repeats- that "terrorists may
consider cyber attacks."...

Bill Would Ban P2P Use By Federal Employees InfoSec News (Nov 20)
http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=221900107

By J. Nicholas Hoover
InformationWeek
November 18, 2009

Following a leaked document that disclosed ethics investigations of
members of Congress on a file sharing network, the chairman of the House
Oversight and Government Affairs Committee has introduced a bill that
would ban the use of public peer-to-peer networks by federal employees.

The Secure...

Crypto pioneer and security chief exits Sun InfoSec News (Nov 20)
http://www.theregister.co.uk/2009/11/19/diffie_leaves_sun/

By Gavin Clarke in San Francisco
The Register
19th November 2009

Crypto pioneer and Sun Microsystems' veteran chief security officer
Whitfield Diffie has left the company, with database-giant Oracle's
acquisition still in the air.

According to Technology Review, Diffie is slated to be a visiting
professor at Royal Holloway, University of London, after 18 years at
Sun, latterly in...

Palin Calls E-Mail Hack 'Most Disruptive' Campaign Event InfoSec News (Nov 20)
http://www.wired.com/threatlevel/2009/11/palin-hack-2

By Kim Zetter
Threat Level
Wired.com
November 18, 2009

Never mind the disastrous interview with Katie Couric or the blank
stares in response to Charlie Gibson's question about the Bush Doctrine.
Former vice presidential candidate Sarah Palin calls the hacking of her
Yahoo e-mail account "the most disruptive and discouraging" incident in
last year's presidential campaign....

The Perfect Holiday Gift For Any Security Pro: A Bruce Schneier Action Figure InfoSec News (Nov 20)
http://www.darkreading.com/security/management/showArticle.jhtml?articleID=221900184

By Tim Wilson
DarkReading
Nov 18, 2009

Move over, James Kirk and Luke Skywalker -- there's a new action figure
popping up on top of security professionals' computers -- and this one
is a real guy.

A miniature version of BT Counterpane security guru Bruce Schneier --
complete with beard and ponytail -- is now available from the That's My
Face site.

The...

FC 2010: Call for Posters. Accepted Papers. InfoSec News (Nov 20)
Forwarded from: Conference Mailer <noreply (at) moon.crypto.cs.stonybrook.edu>

Financial Cryptography and Data Security
Tenerife, Canary Islands, Spain
25-28 January 2010

http://fc10.ifca.ai

Dear Colleagues,

We would like to invite you to submit a poster (deadline extended to
December 3rd) and participate in the 2010 Financial Cryptography and
Data Security Conference, January 25-28, 2010 in Tenerife, Canary
Islands, Spain, a...

NSA helped with Windows 7 development InfoSec News (Nov 19)
http://www.computerworld.com/s/article/9141105/NSA_helped_with_Windows_7_development?taxonomyId=17

By Gregg Keizer
Computerworld
November 18, 2009

The National Security Agency (NSA) worked with Microsoft on the
development of Windows 7, an agency official acknowledged yesterday
during testimony before Congress.

"Working in partnership with Microsoft and elements of the Department of
Defense, NSA leveraged our unique expertise and...

PS3s used to capture child pornographers InfoSec News (Nov 19)
http://www.gamespot.com/news/6240562.html

By Tom Magrino
GameSpot
Nov 17, 2009

The PlayStation 3 has been used for a variety of altruistic tasks
following its launch in 2006. Perhaps the most high-profile of these
ventures is the Folding () home project, which uses spare processing power
from idling, networked PS3s to undertake the arduous task of simulating
protein folding in order to study the causes of various diseases.

The latest...

FBI Suspects Terrorists Are Exploring Cyber Attacks InfoSec News (Nov 19)
http://online.wsj.com/article/SB125850773065753011.html

By Siobhan Gorman
Wall Street Journal
November 19, 2009

The Federal Bureau of Investigation is looking at people with suspected
links to al Qaeda who have shown an interest in mounting an attack on
computer systems that control critical U.S. infrastructure, a senior
official told Congress Tuesday.

While there is no evidence that terrorist groups have developed
sophisticated...

Hackers descend upon defense website InfoSec News (Nov 19)
http://english.people.com.cn/90001/90782/90872/6817348.html

People's Daily Online
November 19, 2009

Hackers are trying to penetrate the website of China's Ministry of
National Defense and have made more than 2 million attacks on it within
one month since the site's launch three months ago, People's Daily
reported Wednesday.

The efforts are seen as a sign of the increasing vulnerability facing
China's official websites.

"Since the...

In-Q-Tel Invests In Cybersecurity Company InfoSec News (Nov 19)
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=221900133

By J. Nicholas Hoover
InformationWeek
November 18, 2009

The independent venture arm of the U.S. intelligence community,
In-Q-Tel, has invested in cybersecurity company FireEye, the company
announced Wednesday.

In-Q-Tel and FireEye didn't disclose terms of the agreement, or which
intelligence agencies are particularly interested in the technology....

Hospitals tighten security on patient data InfoSec News (Nov 19)
http://fcw.com/articles/2009/11/18/hospitals-beefing-up-cybersecurity-to-comply-with-hitech-survey-says.aspx

By Alice Lipowicz
FCW.com
Nov 18, 2009

More than half of the nation's hospitals and health care providers
surveyed intend to buy more cybersecurity tools to safeguard against
breaches of electronic medical records as a result of requirements in
the economic stimulus law, according to a new survey of 186 health care
providers and...

Pentagon expands exclusive deal with McAfee InfoSec News (Nov 19)
http://www.networkworld.com/news/2009/111809-pentagon-mcafee.html

By Carolyn Duffy Marsan
Network World
11/18/2009

The U.S. Defense Department is expanding its exclusive arrangement with
McAfee, whose security software is at the heart of the military's
cybersecurity efforts.

McAfee was selected three years ago for the Department of Defense's Host
Based Security System (HBSS), which provides standard intrusion
prevention and firewall...

Penetration Testing Grows Up InfoSec News (Nov 19)
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221900215

By Kelly Jackson Higgins
DarkReading
Nov 18, 2009

Penetration testing, once considered a risky practice for the enterprise
and even a tool for evil hacking purposes, is becoming more of an
accepted mainstream process in the enterprise mainly due to compliance
requirements and more automated, user-friendly tools -- and most
recently, the imminent...

Firewall Wizards — Tips and tricks for firewall administrators

Re: Message Labs A (Nov 17)
Yeah, its if you are using their mail-filtering service, for them to
be able to send you mail you have to allow the ip ranges.

Most people will lock down the router to only accept email from the
hosted security provider.. to reduce spam.

Aaron

\ /
Putting the F in BOFH!

2009/11/11 Brian Loe <knobdy () gmail com>:

Re: port scanning activity going up recently? Nate Itkin (Nov 17)
Overall illicit activity looks to be down slightly.
see: http://www.dshield.org/submissions.html (select sources, targets,
and reports for 2009)

Cheers,
Nate Itkin

Re: Message Labs shane brennan (Nov 17)
Hi

We use it in work. havent received any notification like that

Shane

Re: Network design change sai (Nov 15)
not good from a security point of view.

I would prefer to connect the routers, at the internet cloud level not the
DMZ level. I'd have the 2 core switches connected as you have.

2 reasons:
[1] gives me redundant internet connectivity in case one of the isps goes
down (assuming multiple isps and routing that can handle one link going
down)
[2] the DMZs should be separate. the more segments you have the better.
connecting the 2 at switch level...

Re: Network design change pkc_mls (Nov 15)
shadow floating a écrit :

If it's possible, I'd rather use a link between both firewalls
to connect the DMZ.

If you connect directly the dmz switches, and if someone can get access
to your dmz, he will get access to the other one as well, as there won't
be any filtering between the DMZs.

do the DMZ share the same network addresses ?

if not, just use an unused interface on each fw, connect both via a
link, then create some routes to allow...

Re: secure firewall rule management program Lan Li (Nov 15)
Athena Security also provides a cleanup tool/basic ops tool. Works with
Cisco, Check Point and Netscreen firewalls. Available for eval download at
http://www.athenasecurity.net/firepac_trial.html

Lan Li

-----Original Message-----

From: firewall-wizards-bounces () listserv icsalabs com

[mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Marcin
Antkiewicz

Sent: Thursday, November 05, 2009 10:52 PM

To: Firewall Wizards...

Re: OT, sorta: Breaking pipes? Kurt Buff (Nov 15)
We don't use perl/cgi here, but the example is instructive.

This issue at hand is for web browsing by clients - the newish manager
believes that it's just too annoying to add exceptions for the
misbehaving web sites. Of course, it's not just the pipe character.
It's also the other unsafe/unwise characters, and the URLs that are
longer than 1024 characters, etc.

At some point we may be hosting a web site locally, but that hasn't happened.

This...

Message Labs Brian Loe (Nov 15)
Anyone here using message labs? Have you received notice that you MUST
open up your firewall for 8 or so networks?

port scanning activity going up recently? Ken Fox (Nov 15)
Hi all -

Has anyone else noticed a recent spike in port scan activity over the last
few days?

I've been seeing some interesting traffic where multiple source addresses
are probing a number of the same high order destination ports from a small
set of source ports with a number of different but specific packet sizes.

e.g.: source port 3268 -> dest port 50572 packet size 48, 60, 64, and 52
egg: source port 3268...

Re: Network design change shadow floating (Nov 10)
Hi All,
My company has two sites in to 2 different locations that are
connected via high speed link at the core layer ( I've attached a
link to the diagram :
http://img18.imageshack.us/img18/77/questionhk.jpg for ease of
explanation)
in each site I've 1 DMZ , the network team wants to connect the DMZ
switches in both sites for better performance and "security" - the
link under investigation is shown in red in the picture - via...

Re: secure firewall rule management program Marcin Antkiewicz (Nov 10)
Hi Morty,

we are looking at the same, but we are looking for a cleanup/basic ops support
tool right now.

Would you mind sharing the dealbreaking requirements? I am wondering now
what, if anything we have missed.

Re: OT, sorta: Breaking pipes? Chris Myers (Nov 10)
Do you use Perl at all with CGI scripts? If so, this is just an
example of what might be done with anything written with custom
scripts. In this case, it is a specific vendor, but it could happen to
anyone who does not code diligently.

http://www.kb.cert.org/vuls/id/496064

Thank You,

Chris Myers
clmmacunix () charter net

John 1:17
For the Law was given through Moses; grace and truth were realized
through Jesus Christ.

Go Vols!!!!

Re: secure firewall rule management program Morty Abzug (Nov 05)
Thanks! We're looking both at Tufin (mentioned by Rainer Ginsberg)
and at Algosec (mentioned by one of our managers and by Rainer). The
current versions of both products fail to meet several of our
dealbreaking requirements. Both products are relatively new. We're
hopeful that a future version of one or both products will be what we
want.

- Morty

Re: secure firewall rule management program Matthias Leu (Nov 05)
Hi Morty,
have you had a look at Tufin SecureTrack and SecureChange Workflow?
It's not free, but quite good and I think your requirements are fulfilled.

It runs on Linux and is written by security professionals.
SecureTrack is connected to Check Point SmartCenter or MDS/CMA via
OPSEC, other vendors are supported too (e.g. Juniper, Cisco,
Fortinet,...).
Each 'save' gives a new revision, no 'install' necessary. So reports,
and above all, alerts...

OT, sorta: Breaking pipes? Kurt Buff (Nov 05)
All,

At $WORK I admin a nice Sidewinder. Works well. I like it, though I'm
not as fully trained on it as I'd like to be.

However, I'm seeing more complaints from end-users who are
encountering web sites that issue URLs with the pipe/vertical bar -
"|" - character embedded in them. The Sidewinder proxy denies it, as
is proper. The latest occurrence is a really stupid State government
web site that actually puts the pipe character at...

IDS Focus — Technical discussion about Intrusion Detection Systems. You can also read the archives of a previous IDS list

Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.

winAUTOPWN 2.0 - Introducing winAUTOPWN GUI - Now you can sleep QUAKER DOOMER (Nov 03)
Dear all,

After a long break and a lot of Unpolished SITA releases of the previous version,
I am finally releasing winAUTOPWN version 2.0

winAUTOPWN or WINDOWS AUTOPWN version 2.0 now has a GUI (winAUTOPWN_GUI.exe) to initiate the main
console winAUTOPWN.exe
winAUTOPWN now supports all console arguments which can also be fed interactively.
This version covers almost all remote exploits from 2009 start uptill October 2009. Though a few are...

[AntiSnatchOr] Eclipse BIRT <= 2.2.1 Reflected XSS Michele Orru (Oct 16)
Eclipse BIRT <= 2.2.1 Reflected XSS

Vendor: Eclipse
Advisory: http://antisnatchor.com/2008/12/18/eclipse-birt-reflected-xss/
Author: Michele "euronymous" Orrù (euronymous AT antisnatchor DOT com)

Quite a common problem in a lot of Java based applications: reflected
XSS in Java stack trace.

A Reflected XSS is present in the _report parameter: here below the modified
request (that is the BIRT 2.2.1 version included in Konakart...

Snitz Forums 2000 Multiple Cross-Site Scripting Vulnerabilities Andrea Fabrizi (Oct 16)
**************************************************************
Application: Snitz Forums 2000
Version affected: 3.4.07
Website: http://forum.snitz.com/
Discovered By: Andrea Fabrizi
Email: andrea.fabrizi () gmail com
Web: http://www.andreafabrizi.it
Vuln: Multiple Cross-Site Scripting
**************************************************************

###### PERMANENT XSS
If [sound] tag is allowed:

[sound]...

[BONSAI] XSS in Achievo - Customized XSS payload included Bonsai - Information Security (Oct 16)
Bonsai Information Security - Advisory
http://www.bonsai-sec.com/research/

Multiple XSS in Achievo

1. *Advisory Information*

Title: Multiple XSS in Achievo
Advisory ID: BONSAI-2009-0101
Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/achievo-multiple-xss-0101.txt
Date published: 2009-10-13
Vendors contacted: Achievo
Release mode: Coordinated release

2. *Vulnerability Information*...

WASC Announcement: 2008 Web Application Security Statistics Published announcements (Oct 16)
The Web Application Security Consortium (WASC) is pleased to announce
the WASC Web Application Security Statistics Project 2008. This
initiative is a collaborative industry wide effort to pool together
sanitized website vulnerability data and to gain a better understanding
about the web application vulnerability landscape.

The statistics was compiled from web application security assessment
projects which were made by the following companies in...

[AntiSnatchOr] Pentaho Bi-server multiple vulnerabilities Michele Orru (Oct 16)
Pentaho 1.7.0.1062 Multiple Vulnerabilities

Name Multiple Vulnerabilities in Pentaho
Systems Affected Pentaho <= 1.7.0.1062
Severity High
Impact (CVSSv2) High 7/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P)
Vendor http://www.pentaho.com
Advisory http://antisnatchor.com/2009/06/20/pentaho-1701062-multiple-vulnerabilities/
Authors Michele "euronymous" Orrù (euronymous AT antisnatchor DOT com)

Date 20081224

I. BACKGROUND...

[BONSAI] SQL Injection in Achievo Bonsai - Information Security (Oct 16)
Bonsai Information Security - Advisory
http://www.bonsai-sec.com/research/

SQL Injection in Achievo

1. *Advisory Information*

Title: SQL Injection in Achievo
Advisory ID: BONSAI-2009-0102
Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt
Date published: 2009-10-13
Vendors contacted: Achievo
Release mode: Coordinated release

2. *Vulnerability Information*...

WASC Announcement: Announcing the Web Application Security Scanner Evaluation Criteria v1 announcements (Oct 08)
The Web Application Security Consortium is pleased to announce the release
of version 1 of the Web Application Security Scanner Evaluation Criteria
(WASSEC). The goal of the WASSEC project is to create a vendor-neutral
document to help guide information security professionals during web
application scanner evaluations. The document provides a comprehensive list
of features that should be considered when conducting an evaluation. The
WASSEC...

FBController - (Facebook Control Utility) version 2.0 QUAKER DOOMER (Sep 15)
FBController - The Ultimate Utility to Control Facebook accounts without the
Password.

Let me clear this again like last time that this utility WON'T hack/crack Facebook accounts.
The utility will need biscuits/cookies instead of the password.

Get the target's cookie by sniffing, XSS, social engineering, ARP Poison-Sniffing,
scroogle search, anyhow !
Once you have the cookies you can use FBController and have Full control over the
target's...

Re: How to enable LDAP signing on client side Peter M. Jansson (Sep 15)
The goal of having the server sign LDAP results would be to give
confidence in the integrity if the answers. I don't understand what
the goal of having clients sign queries would be. If you use SSL, the
client-server exchange is kept confidential (subject to some
assumptions) and client-side certificates can be used by the server to
provide access control so rogue clients can't make requests.

How to enable LDAP signing on client side Jianrong Yu (Sep 15)
Hi All,

The link <http://support.microsoft.com/kb/935834> is the step the How to
enable LDAP signing in Windows Server 2008.

How to enable LDAP signing on client side?

Thanks,

Jianrong Yu
Systems Operation
Office of Information technology
Ohio University

nullcon Goa 2010 Call For Papers nullcon nullcon (Sep 13)
Calling all greyhats, whitehats, blackhats, rainbowhats, nohats,
underground, aboveground, in-the-sky, on-the-moon, Grannies,
Grandpas, martians, Doodhwalas, Kaamwalis, Bai, Bhai, Chuck norris Fans,
Mithun Da Fans, Himesh Reshamiya wannabees……..

Call For Paper is officially open for nullcon Goa 2010. It is time for
you to polish your paper, stick up an abstract and send it across.
A live demo/exploit/0day with the presentation might win you...

Running ratproxy from windows command prompt without installing cygwin dec123 (Sep 13)
Hi,
Can anybody tell me how to run ratproxy from windows comand prompt,without
installing cygwin.

Re: Web 2.0 support group Catherine Pagliaro (Sep 09)
The Payment Card Industry Security Standards and Payment Application Data
Security Standards attempt to get programmers to code securely. I
underline attempt. We as payment application developers must follow
owasp.org standards and common sense security best business practises for
developing any type of code, hardening servers and locking down network
systems,as well as assuring our physical environments are locked down to
maintain our PCI DSS...

RE: Securing password between webserver & appserver. Calderon, Juan Carlos (GE, Corporate, consultant) (Sep 09)
Don that is an interesting suggestion

Do you have more specific information, since I only know that SSL/IPSec
can be end-to-end in a per link basis, but the idea of a real End-to-End
encryption using SSL, that is the case of Chintan is interesting.

Any link or whitepaper on how to do this in Tomcat as you mention?

Regards,
Juan Carlos

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]

Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

Re: Fedora 12 Fail Kees Cook (Nov 19)
I've seen variations on this sentence get repeated in a few places and I
think it's valuable to point out it should read as "Any _local_ user..."
(where "local" is defined by console-kit[1] -- see "ck-list-sessions"
command). This makes it a smaller scope of problem, but it should not
discourage anyone from reading the bug report anyway:
https://bugzilla.redhat.com/show_bug.cgi?id=534047

-Kees

[1]...

Re: Fedora 12 Fail dan (Nov 19)
Michael Graham writes:
-+--------------------
| "I don't particularly care how UNIX has always worked." has already
| turned into a new catchphrase around here.
|

Those who do not understand UNIX are condemned to reinvent it, poorly.

-- Henry Spencer, 1987

Re: Fedora 12 Fail Michael Graham (Nov 18)
"I don't particularly care how UNIX has always worked." has already
turned into a new catchphrase around here.

Fedora 12 Fail Dave Aitel (Nov 18)
Probably the best Linux thread in months:
https://www.redhat.com/archives/fedora-devel-list/2009-November/msg00945.html

To sum it up, Fedora 12 is defaulting to "Any user can install any
package from the repo and then exploit it to get root". So like, if
the repo signs something hilarious like "bob's vulnerable FTP
server.rpm", every Fedora 12 server is vulnerable. Unless you've
uninstalled PolicyKit or something else...

Re: "We're in the top of the league." Nate Lawson (Nov 13)
gold flake wrote:

The government is just a very large company. They experience the same
security problems as other big companies. I'm always annoyed to hear the
"we're under cyber attack via cyber warfare using cyber malware".

Please... you're under attack just like any other big company with
extremely valuable assets. You're not any more special than that. It's
possible the IRS is more valuable a target than Joe Random sergeant's PC.

Re: "We're in the top of the league." gold flake (Nov 12)
I am not from US and was for almost 10 years part of my government's
cyber security setup. I can vouch for the claims regarding "some
foreign power"'s attacks. These are systematic, planned and
relentless attacks that we also faced. The vector was spear phishing
in most cases and the thumb drive method was used to propagate the
malware to the internal segment. The malware called home (mostly
China) and downloaded backdoors,...

Re: "We're in the top of the league." Richard Bejtlich (Nov 12)
Aaron and everyone,

If anyone has doubts, or just wants to read some excellent
unclassified reporting on advanced persistent threat, please check out
this report by Northrop Grumman:

http://taosecurity.blogspot.com/2009/10/report-on-chinese-government-sponsored.html

Sincerely,

Richard

Re: "We're in the top of the league." Dobbins, Roland (Nov 09)
Here's a pretty accurate assessment of the 60 Minutes story, IMHO:

<http://erratasec.blogspot.com/2009/11/brazil-outage-not-caused-by-hackers.html
>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

a brief interlude between exploits dave (Nov 09)
There's been a lot happening in the world, and usually everyone is too
busy to comment on it. Exploit devs sometimes think of the world as the
dark troughs in a storm ocean, where the peaks are the sudden insights
of truth provided by a really good exploit, where all of a sudden you
can see for miles. Or maybe I just made all that up. In any case:

CBS says that someone turned off Brazilian power using cyber attack:...

"We're in the top of the league." Aaron (Nov 09)
Anyone else catch the 60-minutes story about Cyber warfare? There are a lot of interesting anecdotes from Admiral Mike
McConnell (described in the story as the former top spy of the nation), Jim Lewis (director of the Center for Strategic
and International Studies), and Jim Gosler.

Some of the more WTF things admitted were:
- "Some foreign power" was able to penetrate the Pentagon by leaving infected thumbnail drives where military...

MITM Attack on Smartphones whitepaper Mayank Aggarwal (Nov 05)
SMobile has released a detailed report on research indicating that smartphone users are just as susceptible to
man-in-the-middle (MITM) attacks as PC users. This report details the results of attempts to produce MITM attacks to
determine whether it is possible to intercept SSL encrypted communications between various smartphone devices and
servers. Of the devices that were tested, each of the major smartphone operating systems appeared to lack...

Re: PrevX and other projects Shane Macaulay (Oct 30)
The chart on their main page would be a lot more compelling if they had
conversely applied whatever method they used to collect that information.

""""These statistics are provided to show that all vendors miss threats
and cannot be interpreted to compare the effectiveness of one product to
another."""""

That seems to indicate they would show us their failure rate when
compared to these vendors? And...

PrevX and other projects dave (Oct 28)
So you can read one Immunity deliverable linked here:
http://www.prevx.com/ (look for "Independent Review").

Likewise, if you have wondered where all the Immunity Debugger scripts
ran off to, they were on the old Immunity Forum. We ripped the old forum
content out of the old database and imported into the new hotness, so
you can seem them all here:
https://forum.immunityinc.com/. I don't think Google spiders HTTPS sites
for some reason...

B. Aggressive. B. E. Aggressive. (or "One 0day is enough") dave (Oct 27)
When you go into security consulting engagements with a new business
unit you usually face a few questions from the developers and business
owners. "What is it exactly that you're going to tell us?"

We always answer this the same way: "Things that will surprise you."

Most developers have read a lot about security these days - they
understand SQL Injection, Cross Site Scripting, access control, not to
use their own...

Last mile || InfoSys 2010 [ICAS, ICNS, INTENSIVE, LMPCNA] March 7-13, 2010 - Cancun, Mexico Jaime Lloret Mauri (Oct 26)
Last mile || InfoSys 2010 [ICAS, ICNS, INTENSIVE, LMPCNA] March 7-13,
2010 - Cancun, Mexico

INVITATION

Note that we are entering the last few days of submission for the events
collocated in Cancun, Mexico

Please consider to contribute and encourage your team members and fellow
scientists to contribute to the following federated events.

The submission deadline has now been moved to November 1, 2009.

Publisher: CPS ( see:...

Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.

nullcon Goa 2010 Call For Papers nullcon nullcon (Sep 27)
Calling all greyhats, whitehats, blackhats, rainbowhats, nohats,
underground, aboveground, in-the-sky, on-the-moon, Grannies, Grandpas,
martians, Doodhwalas, Kaamwalis, Bais, Bhais, Chuck norris Fans,
Mithun Da Fans, Himesh Reshamiya wannabees……..

Call For Paper is officially open for nullcon Goa 2010. It is time for
you to polish your paper, stick up an abstract and send it across. A
live demo/exploit/0day with the presentation might win...

Sebek issues with windows XP/Vista dharm (Sep 24)
Hello ,
Did anybody tried running sebek on windows vista as a
honeypot ? i am trying to install sebek on windows XP /Vista
environment and getting DOB screen error. Any ideas would be
appreciated .
Thanks

Workshop on the Analysis of System Logs - Oct 14 - Call for Participation Greg Bronevetsky (Sep 01)
Workshop on the Analysis of System Logs (WASL) 2009
http://www.systemloganalysis.com
Call for Participation

===============================
October 14, 2009
Big Sky, MT
(at SOSP)
===============================

--------------------------------------------------------------------------

System...

Re: Send strace output through syslog-ng BB () umd (Aug 05)
Well I did not think about this, but it seems to be a great idea. Thanks a
lot.

However, I decided to open a new port and to send syslog data through it so
that it is really easy to administrate. It works great.

Thanks for your help,

Regards,

BB () umd wrote:

Re: Send strace output through syslog-ng Gergely Révay (Aug 05)
Hi,

First of all there is no filter for strace. My first idea for your
problem was to open a new port on the server just for strace, but it's
understandable if you don't want to do it. Also the idea of Chris
sounds good as well if you don't use the facility field generally. But
a third solution that I've found is the following:

You should create a separate log path for the strace output which
should read the logs from the file and replace the...

Re: Send strace output through syslog-ng Chris Brenton (Aug 04)
Hey man,

What about something like:
tail -f /var/log/strace.log | logger -p <facility> &

In the above command you need to specify an unused facility. Then on the
server simply tell syslog-ng which file it should use for storing log
entries with the above specified facility (this can be a new unique
file).

You are suppose to use one of the "local use" facilities for stuff like
this, but I run into conflicts far too often....

Send strace output through syslog-ng BB () umd (Aug 04)
Good afternoon.

I have a honeypot which syslog-ng running. I configured it so that it can
send all the log files to a remote web server. (So that mean I have already
configured syslog-ng on this web server too) No matter with that, it works
great.

Then, on my honeypot, I have a strace command attached to my ssh server. It
gathers strace outputs in a strace.log file. Here is this command :
strace -f -q -p `cat /var/run/sshd.pid` -o...

Running Honeyd on interface IP Evgeniy Arbatov (Jul 22)
Hello,

I have a question concerning the configuration of Honeyd IP address.

I want to make my honeypot visible by the IP address of host computer interface.
I have the following setup, within the same physical host:

1.1.1.1 (interface IP)-> 2.2.2.2 (honeyd IP)

So if I ssh to the honeyd, I want to ssh to 1.1.1.1.

I guess this is something that can be done with iptables, for example like this:

iptables -A FORWARD -s 1.1.1.1 -p tcp --dport...

Extended deadline: Monday, July 6th. Workshop on the Analysis of System Logs (WASL) 2009 Greg Bronevetsky (Jul 01)
Due to multiple requests, the paper submission deadline for the Workshop
on the
Analysis of System Logs has been moved to Monday, July 6th.

Workshop on the Analysis of System Logs (WASL) 2009
http://www.systemloganalysis.com Call for Papers

===============================
October 14, 2009
Big Sky, MT
(at SOSP)...

MS Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products -- note how most have a prominent and often-misleading "mitigating factors" section.

Microsoft Security Bulletin Major Revisions Microsoft (Nov 10)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: November 10, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-051 - Critical
* MS09-045 - Critical

Bulletin Information:
=====================

*...

Microsoft Security Bulletin Summary for November 2009 Microsoft (Nov 10)
********************************************************************
Microsoft Security Bulletin Summary for November 2009
Issued: November 10, 2009
********************************************************************

This bulletin summary lists security bulletins released for
November 2009.

The full version of the Microsoft Security Bulletin Summary for
November 2009 can be found at...

Microsoft Security Bulletin Advance Notification for November 2009 Microsoft (Nov 05)
********************************************************************
Microsoft Security Bulletin Advance Notification for November 2009
Issued: November 5, 2009
********************************************************************

This is an advance notification of security bulletins that
Microsoft is intending to release on November 10, 2009.

The full version of the Microsoft Security Bulletin Advance
Notification for November 2009 can be found...

Microsoft Security Bulletin Major Revisions Microsoft (Nov 03)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: November 2, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-054 - Critical

Bulletin Information:
=====================

* MS09-054 - Critical

-...

Microsoft Security Bulletin Major Revisions Microsoft (Oct 28)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: October 28, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-062 - Critical

Bulletin Information:
=====================

* MS09-062 - Critical

-...

Microsoft Security Bulletin Major Revisions Microsoft (Oct 27)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: October 27, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-043 - Critical

Bulletin Information:
=====================

* MS09-043 - Critical

-...

Microsoft Security Bulletin Summary for October 2009 Microsoft (Oct 13)
********************************************************************
Microsoft Security Bulletin Summary for October 2009
Issued: October 13, 2009
********************************************************************

This bulletin summary lists security bulletins released for
October 2009.

The full version of the Microsoft Security Bulletin Summary for
October 2009 can be found at
http://www.microsoft.com/technet/security/bulletin/ms09-oct.mspx....

Microsoft Security Bulletin Major Revision Microsoft (Sep 09)
********************************************************************
Title: Microsoft Security Bulletin Major Revision
Issued: September 9, 2009
********************************************************************

Summary
=======
The following bulletin has undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-048 - Critical

Bulletin Information:
=====================

* MS09-048 - Critical

-...

Microsoft Security Bulletin Summary for September 2009 Microsoft (Sep 08)
********************************************************************
Microsoft Security Bulletin Summary for September 2009
Issued: September 8, 2009
********************************************************************

This bulletin summary lists security bulletins released for
September 2009.

The full version of the Microsoft Security Bulletin Summary for
September 2009 can be found at...

Microsoft Security Bulletin Major Revisions Microsoft (Aug 25)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: August 25, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-044 - Critical
* MS09-029 - Critical

Bulletin Information:
=====================

*...

Microsoft Security Bulletin Major Revisions Microsoft (Aug 11)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: August 11, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-035 - Moderate
* MS09-029 - Critical

Bulletin Information:
=====================

*...

Microsoft Security Bulletin Summary for August 2009 Microsoft (Aug 11)
********************************************************************
Microsoft Security Bulletin Summary for August 2009
Issued: August 11, 2009
********************************************************************

This bulletin summary lists security bulletins released for
August 2009.

The full version of the Microsoft Security Bulletin Summary for
August 2009 can be found at
http://www.microsoft.com/technet/security/bulletin/ms09-aug.mspx....

Microsoft Security Bulletin Major Revisions Microsoft (Aug 06)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: August 4, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-034 - Critical

Bulletin Information:
=====================

* MS09-034 - Critical

-...

Microsoft Security Bulletin Summary for July 2009 Microsoft (Jul 28)
********************************************************************
Microsoft Security Bulletin Summary for July 2009
Issued: July 28, 2009
********************************************************************

This bulletin summary lists out-of-band security bulletins released
on July 28, 2009.

The full version of the Microsoft Security Bulletin Summary for
July 2009 can be found at...

Microsoft Security Bulletin Summary for July 2009 Microsoft (Jul 14)
********************************************************************
Microsoft Security Bulletin Summary for July 2009
Issued: July 14, 2009
********************************************************************

This bulletin summary lists security bulletins released for
July 2009.

The full version of the Microsoft Security Bulletin Summary for
July 2009 can be found at
http://www.microsoft.com/technet/security/bulletin/ms09-jul.mspx.

With the...

Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community

Re: Rethinking FUNSEC Alex Eckelberry (Nov 20)
Where is Brian Loe these days???

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]

I just looked back to my oldest funsec postings: god I was a cranky
prick! My apologies to anyone I offended then who I wouldn't still want
to offend today.

-chris

Re: Onstar - throwing the baby out with the bath water Alex Eckelberry (Nov 20)
Florian's message, I believe, was rich with irony...

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]

Um, no.

That's like letting fire insurance lapse, and then calling up the
insurance company asking to reinstate it as you are standing outside in
your pajamas watching your house burn down. Like insurance, OnStar uses
the money from people who DON'T need the service to pay to support...

Re: Rethinking FUNSEC chris (Nov 20)
--- On Fri, 11/20/09, Remo Cornali <remo.cornali () alice it> wrote:

I'm leaving that in just because Italian is such a cool language...

I leave that as an exercise for the reader...

!~)

-chris

Re: Onstar - throwing the baby out with the bath water Robert Graham (Nov 20)
--- On Fri, 11/20/09, Florian Weimer <fweimer () bfk de> wrote:

Um, no.

That's like letting fire insurance lapse, and then calling up the insurance company asking to reinstate it as you are
standing outside in your pajamas watching your house burn down. Like insurance, OnStar uses the money from people who
DON'T need the service to pay to support those who DO need it.

Any way you crunch the numbers, the "reinstantiation" fee...

Re: Microsoft denies it build backdoor in Windows 7 Jeff Kell (Nov 20)
Juha-Matti Laurio wrote:

Who needs a back door when the front door is a screen door? :-)

Jeff

Re: Rethinking FUNSEC Remo Cornali (Nov 20)

Re: Rethinking FUNSEC chris (Nov 20)
--- On Thu, 11/19/09, Blue Boar <BlueBoar () thievco com> wrote:

I just looked back to my oldest funsec postings: god I was a cranky prick! My apologies to anyone I offended then who
I wouldn't still want to offend today.

-chris

Re: Onstar - throwing the baby out with the bath water Florian Weimer (Nov 20)
* Dan White:

The response of the official was indeed unprofessional. He should
have negotiated a reinstantiation fee and a new 12 month support
contract. After all, few vendors provide free security support.

Re: It's not safe to go back in the water again ... Robert Portvliet (Nov 20)
Must be a slow news day.... http://en.wikipedia.org/wiki/Summer_of_the_Shark

Re: Onstar - throwing the baby out with the bath water Joel Esler (Nov 20)
Totally true. Didn't you guys see "Live Free or Die Hard"?

Microsoft denies it build backdoor in Windows 7 Juha-Matti Laurio (Nov 20)
http://www.computerworld.com/s/article/9141182/Microsoft_denies_it_built_backdoor_in_Windows_7

Juha-Matti

Re: man-made swine-bird flu, what could POSSIBLY go wrong? Martin Tomasek (Nov 19)
Jim O'Gorman napsal(a):

and Umbrella Corporation is here: http://www.umbrellacorporation.com/home/

Re: NASA on 2012 crap - excellent Rich Kulawiec (Nov 19)
<chuckle> Yes, well...sometimes it takes a little while to step back
and see the larger picture. I don't mind at all admitting that spending
every day down here in the weeds can make it difficult to see the forest.
So one of the [many] reasons I wade in here, and elsewhere, periodically is
to have my perspective adjusted, challenged, shattered, and reshaped.

Also, sometimes there is beer.

---Rsk

Re: Rethinking FUNSEC Larry Seltzer (Nov 19)
No, but I guess I'm qualified. Anyone have a resume I can copy and send
on to them?

Larry Seltzer
Contributing Editor, PC Magazine

larry_seltzer () ziffdavis com

http://blogs.pcmag.com/securitywatch/

From: Alex Eckelberry [mailto:AlexE () sunbelt-software com]
Sent: Thursday, November 19, 2009 6:03 PM
To: Larry Seltzer; Michael Graham; funsec () linuxbox org
Subject: RE: [funsec] Rethinking FUNSEC

You're working for Gartner now?

From:...

Re: Rethinking FUNSEC Nick FitzGerald (Nov 19)
Larry Seltzer wrote:

"Nowadays"???

Regards,

Nick FitzGerald

CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, bulletins, tips, and current activity lists.

Cyber Security Tip ST04-016 -- Recognizing and Avoiding Spyware US-CERT Security Tips (Nov 19)
National Cyber Alert System
Cyber Security Tip ST04-016

Recognizing and Avoiding Spyware

Because of its popularity, the internet has become an ideal target for
advertising. As a result, spyware, or adware, has become increasingly
prevalent. When troubleshooting problems with your computer, you may
discover that the source of the problem is spyware software that has been
installed on your machine without your knowledge....

SB09-320 -- Vulnerability Summary for the Week of November 9, 2009 US-CERT Security Bulletins (Nov 16)
Vulnerability Summary for the Week of November 9, 2009

This bulletin provides a summary of new vulnerabilities that have been
recorded by the National Institute of Standards and Technology (NIST)
National Vulnerability Database (NVD) the week of November 9, 2009. It is
available here:

http://www.us-cert.gov/cas/bulletins/SB09-320.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit <...

Current Activity - Microsoft Releases Security Advisory 977544 Current Activity (Nov 16)
US-CERT Current Activity

Microsoft Releases Security Advisory 977544

Original release date: November 16, 2009 at 9:21 am
Last revised: November 16, 2009 at 9:21 am

Microsoft has released security advisory 977544 to address a
vulnerability in the Server Message Block (SMB) protocol. This
vulnerability may allow an attacker to cause a denial-of-service
condition. This vulnerability only affects Windows 7 and Server 2008
software.

US-CERT...

Current Activity - Apple Releases Safari 4.0.4 Current Activity (Nov 12)
US-CERT Current Activity

Apple Releases Safari 4.0.4

Original release date: November 12, 2009 at 8:08 am
Last revised: November 12, 2009 at 8:08 am

Apple has released Safari 4.0.4 to address multiple vulnerabilities in
a number of components. Exploitation of these vulnerabilities may
allow an attacker to execute arbitrary code, cause a denial-of-service
condition, conduct cross-site request forgery, or obtain sensitive
information. These...

TA09-314A -- Microsoft Updates for Multiple Vulnerabilities US-CERT Technical Alerts (Nov 10)
National Cyber Alert System

Technical Cyber Security Alert TA09-314A

Microsoft Updates for Multiple Vulnerabilities

Original release date:
Last revised: --
Source: US-CERT

Systems Affected

* Microsoft Windows and Windows Server
* Microsoft Office Word and Excel

Overview

Microsoft has released updates to address vulnerabilities in
Microsoft Windows and Windows Server and Office...

Current Activity - Microsoft Releases November Security Bulletin Current Activity (Nov 10)
US-CERT Current Activity

Microsoft Releases November Security Bulletin

Original release date: November 10, 2009 at 1:50 pm
Last revised: November 10, 2009 at 1:50 pm

Microsoft has released an update to address vulnerabilities in
Microsoft Windows and Office as part of the Microsoft Security
Bulletin Summary for November 2009. These vulnerabilities may allow an
attacker to execute arbitrary code, cause a denial-of-service
condition, or operate...

Current Activity - Apple Releases Mac OS X v10.6.2 and Security Update 2009-006 Current Activity (Nov 10)
US-CERT Current Activity

Apple Releases Mac OS X v10.6.2 and Security Update 2009-006

Original release date: November 10, 2009 at 8:02 am
Last revised: November 10, 2009 at 8:02 am

Apple has released Mac OS X v10.6.2 and Security Update 2009-006 to
address multiple vulnerabilities in a number of applications. These
vulnerabilities may allow an attacker to execute arbitrary code, cause
a denial-of-service condition, conduct a man-in-the-middle...

SB09-313 -- Vulnerability Summary for the Week of November 2, 2009 US-CERT Security Bulletins (Nov 09)
Vulnerability Summary for the Week of November 2, 2009

This bulletin provides a summary of new vulnerabilities that have been
recorded by the National Institute of Standards and Technology (NIST)
National Vulnerability Database (NVD) the week of November 2, 2009. It is
available here:

http://www.us-cert.gov/cas/bulletins/SB09-313.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit <...

Current Activity - SSL and TLS Vulnerable to Man-in-the-middle Attacks Current Activity (Nov 06)
US-CERT Current Activity

SSL and TLS Vulnerable to Man-in-the-middle Attacks

Original release date: November 6, 2009 at 7:01 pm
Last revised: November 6, 2009 at 7:01 pm

US-CERT is aware of reports of publicly available exploit code for a
vulnerability within the SSL and TLS protocols. Reports indicate that
exploitation of this vulnerability may allow an attacker to conduct a
man-in-the-middle attack, allowing an attacker to inject plaintext...

Current Activity - Microsoft Releases Advance Notification for November Security Bulletin Current Activity (Nov 05)
US-CERT Current Activity

Microsoft Releases Advance Notification for November Security Bulletin

Original release date: November 5, 2009 at 4:17 pm
Last revised: November 5, 2009 at 4:17 pm

Microsoft has issued a Security Bulletin Advance Notification
indicating that its November release cycle will contain six bulletins,
three of which will have a severity rating of Critical. The
notification states that these Critical bulletins are for...

Current Activity - BlackBerry Desktop Manager Vulnerability Current Activity (Nov 05)
US-CERT Current Activity

BlackBerry Desktop Manager Vulnerability

Original release date: November 5, 2009 at 8:45 am
Last revised: November 5, 2009 at 8:45 am

Research in Motion has released Security Advisory KB19701 to address a
vulnerability in BlackBerry Desktop Manager. This vulnerability may
allow an attacker to execute arbitrary code.

US-CERT encourages users to review BlackBerry Security Advisory
KB19701 and apply any necessary...

Cyber Security Tip ST04-015 -- Understanding Denial-of-Service Attacks US-CERT Security Tips (Nov 04)
Cyber Security Tip ST04-015
Understanding Denial-of-Service Attacks

You may have heard of denial-of-service attacks launched against websites,
but you can also be a victim of these attacks. Denial-of-service attacks can
be difficult to distinguish from common network activity, but there are some
indications that an attack is in progress.

What is a denial-of-service (DoS) attack?

In a...

Current Activity - Adobe Releases Update for Shockwave Player Current Activity (Nov 04)
US-CERT Current Activity

Adobe Releases Update for Shockwave Player

Original release date: November 4, 2009 at 9:04 am
Last revised: November 4, 2009 at 9:04 am

Adobe has released Shockwave Player 11.5.2.602 to address multiple
vulnerabilities. Exploitation of these vulnerabilities may allow an
attacker to run malicious code on the user's machine.

US-CERT encourages users and administrators to review Adobe security
bulletin APSB09-16 and...

Current Activity - Sun Releases Update 17 for Java SE 6 Current Activity (Nov 04)
US-CERT Current Activity

Sun Releases Update 17 for Java SE 6

Original release date: November 4, 2009 at 9:04 am
Last revised: November 4, 2009 at 9:04 am

Sun has released update 17 for Java SE JDK 6 and Java SE JRE 6 to
address multiple vulnerabilities. The impacts of these vulnerabilities
include arbitrary code execution, privilege escalation, denial of
service, and information disclosure.

US-CERT encourages users and administrators to...

SB09-306 -- Vulnerability Summary for the Week of October 26, 2009 US-CERT Security Bulletins (Nov 02)
Vulnerability Summary for the Week of October 26, 2009

This bulletin provides a summary of new vulnerabilities that have been
recorded by the National Institute of Standards and Technology (NIST)
National Vulnerability Database (NVD) the week of October 26, 2009. It is
available here:

http://www.us-cert.gov/cas/bulletins/SB09-306.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit <...

Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community

NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.

Weekly Routing Table Report Routing Analysis Role Account (Nov 20)
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.
Daily listings are sent to bgp-stats () lists apnic net

For historical data, please see http://thyme.apnic.net.

If you have any comments please contact Philip Smith <pfs () cisco com>.

Routing Table Report 04:00 +10GMT Sat 21 Nov, 2009

Report Website: http://thyme.apnic.net
Detailed Analysis:...

Re: Password repository Peter Beckman (Nov 20)
I'll second that. 1Password truly is fabulous, though it's strength is
the Auto-website login feature with a hotkey. When in your browser,
Command+Option+\, type some characters of the site or description, hit
enter, and it opens your default browser, goes to the site and logs you
in. Integrates on all browsers: Safari, Firefox, Opera and others.

Supports secure notes, has a well designed strong password generator, can
be synced...

Re: Testing Internet Speeds and Capacity Jeff Shultz (Nov 20)
shake righa wrote:

Nice ISP's will put speed test software on their backbone so you can
test the speed of your circuit to the backbone.

Remember that the speed your provider quotes you is probably the full
throughput of the circuit. Some circuits, such as DSL ones, will read up
to 15% slower due to ATM circuit overhead.

Re: What DNS Is Not Matthew Palmer (Nov 20)
*Facepalm* Maybe my browser's just doing something wrong, but when was the
last time you got a "nasty 404 page error" for an NXDOMAIN response?

- Matt
*mumblemumble*journalists*mumblemumble*

Re: backupdns.com down? Jared Mauch (Nov 20)
A plug for the secondary dns service I run (free!)

http://puck.nether.net/dns/

Jared Mauch

Re: backupdns.com down? James Bensley (Nov 20)
Not working for me.

backupdns.com down? Antonio Querubin (Nov 20)
Anyone else having trouble reaching backupdns.com or their nameservers?

Antonio Querubin
808-545-5282 x3003
e-mail/xmpp: tony () lava net

Re: edgedirector.com Martin Hepworth (Nov 20)
2009/11/17 Jeffrey Lyon <jeffrey.lyon () blacklotus net>

Jeffrey

can't see any info on the Afilias web site on them doing stuff with GNS type
solutions - maybe I should do something odd like talk
to them ;-)

Re: Testing Internet Speeds and Capacity James Bensley (Nov 20)
2009/11/20 Brandon Galbraith <brandon.galbraith () gmail com>

Speedtest.net now have their mini speedtest which you can download and put
on your servers and then test their speed via your browser.

Re: Password repository Kevin Broderick (Nov 20)
Pierre-Yves Maunier <nanog () maunier org> wrote:

Re: Password repository John Adams (Nov 19)
I'm a big fan of 1password, but I'm on mac and iPhone.

Sent from my iPhone

Re: Password repository Pierre-Yves Maunier (Nov 19)
Jay Nakamura wrote:

I use opensource, multiplatforms softwares :

Keepass password file in a truecrypt container and it works as heaven
and securely.

Keepass for Windows : http://www.keepass.info/
Keepass for Linux/Mac OS : http://www.keepassx.org/

Truecrypt (all platforms) : http://www.truecrypt.org/

Pierre-Yves Maunier

Re: Testing Internet Speeds and Capacity Andrew Cox (Nov 19)
There was a thread on speed testing a little while back.

http://www.merit.edu/mail.archives/nanog/msg01842.html

Regards,
Andrew Cox
AccessPlus HNA

shake righa wrote:

Re: Testing Internet Speeds and Capacity Brandon Galbraith (Nov 19)
Speedtest sites (speedtest.net, ndt.anl.gov, etc) or your own tests:

http://www.google.com/search?q=nanog+iperf

Testing Internet Speeds and Capacity shake righa (Nov 19)
Hi,

how does one truly test internet speeds provided by your provider.

Speed test sits give different results that one provided by the provider.

Regards,
Shake

Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating

The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.

Risks Digest 25.83 RISKS List Owner (Nov 06)
RISKS-LIST: Risks-Forum Digest Friday 6 November 2009 Volume 25 : Issue 83

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.83.html>
The current issue can be...

Risks Digest 25.82 RISKS List Owner (Oct 20)
RISKS-LIST: Risks-Forum Digest Tuesday 20 October 2009 Volume 25 : Issue 82

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.82.html>
The current issue can be...

Risks Digest 25.81 RISKS List Owner (Oct 12)
RISKS-LIST: Risks-Forum Digest Monday 12 October 2009 Volume 25 : Issue 81

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.81.html>
The current issue can be...

Risks Digest 25.80 RISKS List Owner (Oct 09)
RISKS-LIST: Risks-Forum Digest Friday 9 October 2009 Volume 25 : Issue 80

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.80.html>
The current issue can be...

Risks Digest 25.79 RISKS List Owner (Sep 25)
RISKS-LIST: Risks-Forum Digest Friday 25 September 2009 Volume 25 : Issue 79

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.79.html>
The current issue can...

Risks Digest 25.78 RISKS List Owner (Sep 14)
RISKS-LIST: Risks-Forum Digest Monday 14 September 2009 Volume 25 : Issue 78

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.78.html>
The current issue can...

Risks Digest 25.77 RISKS List Owner (Sep 01)
RISKS-LIST: Risks-Forum Digest Tuesday 1 September 2009 Volume 25 : Issue 77

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.77.html>
The current issue can...

Risks Digest 25.76 RISKS List Owner (Aug 15)
RISKS-LIST: Risks-Forum Digest Saturday 15 August 2009 Volume 25 : Issue 76

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.76.html>
The current issue can be...

Risks Digest 25.75 RISKS List Owner (Aug 06)
RISKS-LIST: Risks-Forum Digest Thursday 6 August 2009 Volume 25 : Issue 75

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.75.html>
The current issue can be...

Risks Digest 25.74 RISKS List Owner (Jul 22)
RISKS-LIST: Risks-Forum Digest Wednesday 22 July 2009 Volume 25 : Issue 74

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.74.html>
The current issue can be...

Risks Digest 25.73 RISKS List Owner (Jul 16)
RISKS-LIST: Risks-Forum Digest Thursday 16 July 2009 Volume 25 : Issue 73

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.73.html>
The current issue can be...

Risks Digest 25.72 RISKS List Owner (Jul 06)
RISKS-LIST: Risks-Forum Digest Monday 6 July 2009 Volume 25 : Issue 72

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.72.html>
The current issue can be...

Data Loss — Data Loss covers large-scale personal data loss and theft incidents. This archive combines the main list (news releases) and the discussion list.

Mass Mutual Unknown Al (Nov 20)

http://www.net-security.org/secworld.php?id=8521

the latest data breach to be discovered happened to MassMutual, a
Massachussets-based insurance company. One of the company's employees
databases was accessed by a (so far) unknown unauthorized individual.

MassMutual stated that maintenance of the database in question was outsorced
to a third-party vendor, who upon the discovery of the breach hired
forensics specialists to investigate and get...

Hospitals tighten security on patient data security curmudgeon (Nov 20)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://fcw.com/articles/2009/11/18/hospitals-beefing-up-cybersecurity-to-comply-with-hitech-survey-says.aspx

By Alice Lipowicz
FCW.com
Nov 18, 2009

More than half of the nation's hospitals and health care providers
surveyed intend to buy more cybersecurity tools to safeguard against
breaches of electronic medical records as a result of requirements...

TADGEAR, Inc. breach notice security curmudgeon (Nov 19)
https://www.tadgear.com/content.php?id=38

This notice is to inform our customers of a security incident at TAD Gear.
We recently learned that our database was illegally accessed from an
external source, and it appears that some customer data were taken, which
may include customer names, contact information and credit card data.
The possibility of a security breach came to our attention when certain
customers notified us that unauthorized...

1.5 Million Medical Files At Risk In Health Net Data Breach kirniki (Nov 19)
http://www.courant.com/health/hc-healthbreach1119.artnov19,0,1798384.story

A hard drive with seven years of personal and medical information on
about 1.5 million Health Net customers, including 446,000 in
Connecticut, was lost six months ago and was first reported Wednesday,
state and company officials said.

The insurance company informed the state attorney general's office and
the Department of Insurance Wednesday of the security breach that...

PA: 80, 000 Mailers Sent Out With Recipients' Social Security Numbers In Plain View kirniki (Nov 18)
http://www.wgal.com/news/21655737/detail.html

ELIZABETHTOWN, Pa. -- Check your mailbox. Thousands of Pennsylvanians
could become victims of identity theft just because a piece of mail
has been sent to their homes.

Right on the front of the piece of mail, in plain view, is the
recipient's Social Security number. Tens of thousands of Medicare
recipients may be at risk.

Delores and Frank Ember, of Elizabethtown, simply could not believe
what they...

Germany in 'credit card recall' lyger (Nov 18)
http://news.bbc.co.uk/2/hi/business/8365828.stm

More than 100,000 German credit cards are being replaced after fears that
personal data has been stolen, German press reports say.

The reports say that the Volks- and Raiffeisenbank group alone is
recalling 60,000 cards.

Fraudsters are thought to have stolen data on German customers from a
service provider in Spain. There have been no actual reports of fraud.

[...]

Canada: Personal info at risk when items go missing lyger (Nov 18)
http://www.torontosun.com/news/canada/2009/11/18/11785441-sun.html

The personal information of taxpayers may be at risk because of a series
of security breaches at the Canada Revenue Agency.

Documents obtained by Ottawa researcher Ken Rubin reveal that lost mail,
missing shipments of computers or other data storage devices, and the
theft of computers that might contain tax records, is an ongoing problem.

"Our analysis revealed an...

NE: Personal info jeopardized after Workers' Comp Court computer hacked lyger (Nov 17)
http://journalstar.com/news/local/crime-and-courts/article_b9a02f46-d3a9-11de-85e5-001cc4c002e0.html

The Nebraska State Patrol and FBI are trying to figure out who hacked into
a Nebraska Workers' Compensation Court computer server -- and whether the
hacker took personal information.

The state agency learned last week someone had broken into a server that
temporarily held injury reports, said Glenn Morton, court administrator
for the...

[Dataloss] http://www.guardian.co.uk/uk/2009/nov/17/t-mobile-phone-data-privacy Jon Turner (Nov 17)
http://www.guardian.co.uk/uk/2009/nov/17/t-mobile-phone-data-privacy

The personal details of thousands of mobile phone customers have been stolen
and sold on to rival firms in the biggest data breach of its kind, the
government's privacy <http://www.guardian.co.uk/uk/privacy> watchdog said
today.

An employee of the phone operator T-Mobile sold the personal records of
customers, which included details of when their mobile phone contracts...

Commentary: According to OSF... nothing. (was re: try asking us first) lyger (Nov 16)
http://datalossdb.org/incident_highlights/39-according-to-osf-nothing-was-re-try-asking-us-first

On occasion, we look for news related to things other than data loss
events. Press releases veiled as "news" are a frequent treasure chest of
(not so) great information, so we often use detailed and complicated
techniques to make sure we have as much information as we can gather
about... Open Security Foundation and DataLossDB. In other...

Guam: Stolen laptop reveals unsecured GMH data lyger (Nov 16)
http://www.kuam.com/Global/story.asp?S=11509903

There's been a breach at the Guam Memorial Hospital. A laptop computer
used by the agency's Employee Health Office was stolen in late-October,
but hospital officials didn't realize what information was contained in
the computer until late last week. GMH Spokesperson Connor Murphy says an
investigation is underway to determine how the laptop was stolen from a
locked office.

GMH is required...

TX: Lost hard drive may contain personal data of 60k lyger (Nov 13)
http://www.armytimes.com/news/2009/11/army_breach_111309w/

The Corps of Engineers is investigating the recent loss of an external
hard drive that could pose identify theft problems for as many as 60,000
soldiers and Army civilians.

Maj. Mark Young, a Corps of Engineers spokesman in Washington, said the
security breach occurred in the command's Southwestern Division, which is
headquartered in Dallas, in early November.

"Right now the...

CA: Personal data of Cal Poly Pomona applicants inadvertently put online lyger (Nov 13)
http://latimesblogs.latimes.com/lanow/2009/11/personal-data-of-cal-poly-pomona-applicants-inadvertently-put-online.html

The Social Security numbers, home addresses and phone contacts for at
least 300 students who applied for admission to Cal Poly Pomona six years
ago were unintentionally disclosed online, the university said today.

The applicants were notified this week and urged to contact
credit-reporting agencies, school official said....

Settlement OK’d over hacking into f inancial firm Jake Kouns (Nov 13)
Settlement OK’d over hacking into financial firm
http://billingsgazette.com/news/local/crime-and-courts/article_6341f994-d00d-11de-bfda-001cc4c03286.html

A federal judge approved a settlement Thursday in a class action
lawsuit against D.A. Davidson & Co. over clients’ information that was
compromised by a computer hacker almost two years ago.

Chief U.S. District Judge Richard Cebull called the agreement “fair
and reasonable.”

The...

UK: MoJ consults on 500k data breach fines lyger (Nov 12)
http://news.zdnet.co.uk/security/0,1000000189,39875322,00.htm

On Monday, the Ministry of Justice launched a consultation over levels of
monetary penalties for breaches of the Data Protection Act. In a press
statement, justice minister Michael Wills said the powers of the body that
enforces the act, the Information Commissioner's Office, needed to be
strengthened.

'The government is committed to ensuring that personal data is handled and...

Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool

Re: errors using dns_enum Carlos Perez (Nov 20)
I was not able to replicate the error on my test systems can you send
me a ruby -v on each system and the domain and options so as to
replicate it better

Sent from my Mobile Phone

errors using dns_enum Chris Calaf (Nov 20)
Apologies for the double post but first one did not hit the list.

I'm getting the following error when trying to use dns_enum on both BT4 and
Snow Leopard. I installed the macports version of net-dns. Should I be
installing it via CPAN or some ruby port?

Using ruby 1.9

=[ metasploit v3.4-dev [core:3.4 api:1.0]
+ -- --=[ 448 exploits - 216 auxiliary
+ -- --=[ 192 payloads - 22 encoders - 8 nops
=[ svn r7568 updated today...

Re: Metasploit Framework 3.3 Released! go . hawaii (Nov 19)
Or check this out:

http://www.room362.com/blog/2009/11/3/metasploit-blends-in-new-msfpayloadencode.html

Re: Metasploit Framework 3.3 Released! HD Moore (Nov 19)
You should be able to do:

msfpayload windows/shell_bind_tcp R | msfencode -x notepad.exe -t exe \
-o test.exe

Re: Metasploit Framework 3.3 Released! Jeffs (Nov 19)
That looks like a great new addition! Can you give a semi-working
example of the syntax of using the -x parameter in the msfencode when
used with msfpayload in the usual way?

I've tried various permutations of the syntax and can't get it to
recognize notepad.exe as the "carrier".

Thanks!

HD Moore wrote:

The payload encoding library can now embed Metasploit payloads into
arbitrary executables. The -x parameter to msfencode allows...

errors using dns_enum thelab13 (Nov 19)
I'm getting the following error when trying to use dns_enum on both BT4 and
Snow Leopard. I installed the macports version of net-dns. should I be
installing it via CPAN or some ruby's port?

Using ruby 1.9

=[ metasploit v3.4-dev [core:3.4 api:1.0]
+ -- --=[ 448 exploits - 216 auxiliary
+ -- --=[ 192 payloads - 22 encoders - 8 nops
=[ svn r7568 updated today (2009.11.18)

msf > use auxiliary/gather/dns_enum
msf...

Install silence mode new options . . (Nov 19)
New options to be silently installed via the /S /D=path don't work
completely. When Nmap 5.0 is going to be installed, a dialog box appears,
and all the install process is visible. Same with the PCAP library.
Any way to fix this ?

Where is now the mini-3.3-dev.exe version with only msfconsole ? Which
version may I chose to use metasploit like a PAYLOAD (deploymsf.rb) ?

Thanx in advance.

Sorry for my poor English...

PD: D-Null, very useful...

Re: db_autopwn problem and suggestions wullie millen (Nov 19)
Your right, I very rarely use autopwn but was just thinking while we were
on the subject that if you had a target
with lots of ports it would be usefull to have metasploit send all suitable
exploits automaticlly without trailing through
all the modules looking for ones with a suitable target.

-will

Re: db_autopwn problem and suggestions Rob Fuller (Nov 19)
Why wouldn't you just use the exploit module at that point?

Re: Useful tutorials D-Null (Nov 19)
Hello,

The links works for me, maybe just a temporary downtime for the server?

Please try again ;-)

Greatz

//D-Null

2009/11/19 Jeffs <jeffs () speakeasy net>

Re: db_autopwn problem and suggestions wullie millen (Nov 19)
I have a small suggestion it would be good to be able to add a target to
autopwn, I know this would be no good for large scale scans but for one
system when using the -p option it would be good to fire off all suitable
exploits for that system.

-will

Useful tutorials D-Null (Nov 18)
Hi framework mailing list,

I found some really nice tutorials (windows exploiting) and I wanna share
them with you, who knows, maybe useful for some of us ;-)

The tutorials are very easy to follow and they all ends with *working*
example sploits.
And I know that there is more tutorials in the pipe, just waiting to be
written and published.

Have fun

//D-Null

* Stack based overflows (direct RET overwrite) :
(Tutorial Part 1)...

Re: Framework Digest, Vol 22, Issue 13 Moshe Ben Simon (Nov 18)
Someone know why the adobe_pdf_exe doesn't work on windows platform..?

He doesn't find the input file...

I read about setting homedrive..homepath...

Help.. :)

-----Original Message-----
From: framework-bounces () spool metasploit com
[mailto:framework-bounces () spool metasploit com] On Behalf Of
framework-request () spool metasploit com
Sent: Wednesday, November 18, 2009 12:54 PM
To: framework () spool metasploit com
Subject: Framework...

Re: Metasploit Framework 3.3 Released! David Sopas (Nov 18)
Congrats with this new release, it's awesome.
Keep up the good work you guys.

2009/11/17 HD Moore <hdm () metasploit com>:

(no subject) Nguyen Huynh (Nov 18)
I'm learning about metasploit. And I want to consult you some questions ?
1. What is the better metasploit with another tools?
2.What is the tendency of development of metasploit in future?

Thứ sáu ngày 13 có thật sự là ngày xui xẻo? Nghe ý kiến của mọi người! http://vn.answers.yahoo.com_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.

Re: ANSI TCAP/ANSI MAP dissection problem Michael Lum (Nov 20)
Hi Anders,

we found the problem with frame #2.

The conversation with permission is for continuing the dialog
between the two users.

The Transaction ID part of the Conversation Portion contains TWO
transaction identifiers.

You'll notice the Transaction ID length is 8 and there are two IDs or 4 octets each:
Originating Transaction ID
Responding Transaction ID

So in frame #2

Otid = 0x0000000e
Rtid = 0x00000027

with the Rtid...

'[xxx bytes missing in capture file]' Stephen Noonan (Nov 20)
I have some concerns about the '[xxx bytes missing in capture file]' message
that I getting in my Follow TCP Stream output.

I am doing some stress testing on an embedded product we are developing by
applying impairments to the network using a third party package (PacketStorm
Tornado). Our product must work under extremely adverse conditions, allowing
for the maximum number of dropped packets feasible, multi-second RTTs, bit
errors, etc.

We are...

Re: Windows plugin directory search path? Jarolin, Robert (Nov 20)
Thank you!

________________________________

From: wireshark-dev-bounces () wireshark org
[mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Beth
Sent: Thursday, November 19, 2009 11:07 AM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Windows plugin directory search path?

Yes, you can put them under your user folder (usually "Documents and
Settings\<username>)\ApplicationData\Wireshark\plugins and...

SMB Diagnostics w/ Wireshark St. Onge,Adam (Nov 20)
I was wondering if anyone has any training resources on troubleshooting SMB performance with Wireshark?

I have a situation where the same user from the same workstation accesses the same file on two different NAS devices,
and sees much worse performance on one. I took a look at the trace and see some differences, specifically in the size
of the READ ANDX buffers, where one uses a 16K buffer and the other uses a 64K buffer, but I dont see...

inspecting full (reassembled) http post content Tomasz Marciniak (Nov 20)
Hello list,

I can't find the solution for following problem: I have a tcpdump
capture file from which I'd like to extract all HTTP POST requests (with
their payload).

When I do something like this:

tshark -V -T text -R 'http.request and http.request.method == "POST"'
-r /tmp/tpdump.out

the POST content is truncated, e.g. for example captured PNG upload
shows only information about encapsulated chunks of data, not the data
itself....

Re: Lua syntax question Beth (Nov 19)
Thanks very much!

Re: Lua syntax question Stig Bjørlykke (Nov 19)
newtvb = tvbuffer(50):tvb()
next_dissector:call( newtvb, pinfo, treeitem )

Lua syntax question Beth (Nov 19)
I'm creating a chained dissector in Lua, and all I want to do is strip the
first N bytes off of the tvb and pass the remainder to another dissector.

I've been poring over the Lua section of the Wireshark manual, as well as
the Wireshark-Lua wiki pages, but I can't find the exact syntax I need.
Everything I try gets an error of one type or another, I guess I'm not
reading the API reference correctly. Can someone tell me the correct
syntax?...

buildbot failure in Wireshark (development) on Windows-XP-Win64 buildbot-no-reply (Nov 19)
The Buildbot has detected a new failure of Windows-XP-Win64 on Wireshark (development).
Full details are available at:
http://buildbot.wireshark.org/trunk/builders/Windows-XP-Win64/builds/629

Buildbot URL: http://buildbot.wireshark.org/trunk/

Buildslave for this Build: windows-xp-win64

Build Reason:
Build Source Stamp: 31023
Blamelist: dimeg,gerald

BUILD FAILED: failed nmake packaging

sincerely,
-The Buildbot

Feature request Starr, David (Nov 19)
I have many connections that use EBCDIC encoding. It would be very
handy to be able to choose either ASCII or EBCDIC when displaying the
Packet Bytes in that frame. That way in the lower window, when looking
at the packet data, there would be the offset, the hex bytes, and either
ASCII or EBCDIC character data.

Thanks

Dave

Re: ANSI TCAP/ANSI MAP dissection problem Michael Lum (Nov 19)
Thanks Anders.

I have submitted a spec reference and patch for frame #1 problems.

Michael Lum (michael.lum () starsolutions com <mailto:michael.lum () starsolutions com> ) | STAR SOLUTIONS
<http://www.starsolutions.com/> | Principal Software Engineer
4600 Jacombs Road, Richmond BC, Canada V6V 3B1 | +1.604.303.2315

________________________________

From: wireshark-dev-bounces () wireshark org [mailto:wireshark-dev-bounces...

Re: Missing packet padding bytes on Mac Guy Harris (Nov 19)
So presumably you're capturing traffic from the device on both machines?

What operating system was the PC running? If it's running Windows,
what happens if you install version 1.2.4 (the latest 1.2.x release)
and try capturing that traffic? (If it's not running Windows - e.g.,
if it's running Linux - see whether you can install some 1.2.x release
and try that.)

What type of network is this on? If it's Ethernet, CDP puts a length...

Re: How to see through the PLCP header ASHISH HARCHWANI (Nov 19)
Thanks gerald. It would be of great help if you can elaborate on meta
information and PPI . I am kind of new bie to the world of networks.

Re: compression algorithms Bob Carlson (Nov 19)
There is a lossless compression scheme in jpeg2000. Take a look at that. I have
no idea whether it is supported by WS.

Cheers, Bob

Eugene, OR - Tucson, AZ

From: wireshark-users-bounces () wireshark org
[mailto:wireshark-users-bounces () wireshark org] On Behalf Of Matt Powers
Sent: Wednesday, November 18, 2009 1:02 PM
To: wireshark-users () wireshark org
Subject: [Wireshark-users] compression algorithms

Is there a compression algorithm that...

Re: Missing packet padding bytes on Mac Jaap Keuter (Nov 19)
Mac

on

in

the

sent

112

property

something

Hi,

Sounds like an 32bit FCS at the end of the frame...

Thanks,
Jaap

Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.

Re: TCP Portals: The Handshake's a Lie! Martin Roesch (Nov 20)
You'd probably want to try to modify something like fragroute...

Re: TCP Portals: The Handshake's a Lie! Jason Brvenik (Nov 20)
I don't think netcat will do it. There needs to be a stack
modification to do the handshake in this manner or an app that will do
it while suppressing the existing stack.

I can think of a quick and dirty iptables / libdnet app but don't have
the time to implement at the moment. Someone could probably do it
quickly with iptables and scapy too.

------------------------------------------------------------------------------
Let Crystal Reports...

Re: TCP Portals: The Handshake's a Lie! CunningPike (Nov 20)
I can provide the server - but would need a little hand-holding to make sure
it was replicating this behavior properly. Perhaps a netcat listener of some
kind?

CP

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding....

Detection of traffic IPv6/icmpv6 sofia insat (Nov 20)
Hello everyone,

I want to know if snort can detect and analyze IPv6 traffic ??
and if It analyses the fields of Icmpv6 like code, type ... ??

Thanks,
Sofia

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding....

Re: TCP Portals: The Handshake's a Lie! Jason Brvenik (Nov 20)
My casual read on it was that you would have to be dealing with a
malicious server which deliberately responds to a syn with a syn and
that the likelihood of that is not the greatest. If it does happen the
server is going to be doing a lot of other more malicious things. My
presumptions are:

- An inbound SYN that is not acknowledging a syn at the same time is
going to be blocked by firewalls if properly configured.

- Even a properly configured...

cvs.snort.org Randal T. Rioux (Nov 19)
...has not been working for a while now. Has it moved?

Thanks!
Randy

FYI Originally posted to snort-devel with no bites.

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now....

Possible Content Match problem - Was: Re: how can we alert on web visiting activity? Jason Brvenik (Nov 19)
I would be happy to look into both of these further. The odds are that
it is a configuration / environmental issue so please send me your
snort.conf, local.rules with the example rules in them, and a pcap.

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you...

Re: how can we alert on web visiting activity? Jason Brvenik (Nov 19)
Yes there is. Accepting packets for analysis that have bad checksums (
and thus will not be processed by the targets) presents evasion
opportunities for the attacker.

For the body of work surrounding it check out the first few links in
these google searches.

http://www.google.com/search?q=checksum+ips+evasion
http://www.google.com/search?q=checksum+ids+evasion

------------------------------------------------------------------------------
Let...

is there a windows gui tool to also capture snort alerts? mary andrews (Nov 19)
Now that we captured alerts on the dos screen where snort is running, as
well as inside its logs,

is there a windows tool to install to show us the alerts triggered?

thanks
m
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application...

Re: how can we alert on web visiting activity? Eoin Miller (Nov 19)
This has bit us in the rear as well. Adding the following lines to your
snort.conf file will also act the same as using the "-k" option. Here is
a section of our snort.conf related to this:

---snip---
#
# Dont drop stuff because of the checksum (snort -k)
#
config checksum_mode: none
---snip---

I am sure there is a great reason to allow packets to be ignored due to
bad checksums, but having this be default behavior can cause some...

Re: how can we alert on web visiting activity? mary andrews (Nov 19)
got it, thats what it was, it worked!!!!!

Many, MANY THANKS!
m

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july...

Re: how can we alert on web visiting activity? Matt Olney (Nov 19)
doh...you're right, thanks for the catch!

Matt

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july

Re: how can we alert on web visiting activity? evilghost () packetmail net (Nov 19)
You may want to peek at the manual again. You turned off logging, not
checksum checking.

-k <mode> Checksum mode (all,noip,notcp,noudp,noicmp,none)
-K <mode> Logging mode (pcap[default],ascii,none)

-evilghost

mary andrews wrote:

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design,...

Re: how can we alert on web visiting activity? evilghost () packetmail net (Nov 19)
NP Joel, the flowbits was a gift. I think our thread about rawbytes was
here,
http://lists.emergingthreats.net/pipermail/emerging-sigs/2009-September/003682.html

Flowbits one was here,
http://lists.emergingthreats.net/pipermail/emerging-sigs/2009-September/003786.html
and a few exchanges there.

I'll tap out of this thread now since it's getting off-topic. I replied
only to substantiate my assertion about rawbytes after Nigel rebuked me....

Re: how can we alert on web visiting activity? mary andrews (Nov 19)
I apologize for frustrating you, I really dont mean to.

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july...

We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.