SecLists.Org Security Mailing List Archive

Any hacker will tell you that the latest news and exploits are not found on any web site—not even Insecure.Org. No, the cutting edge in security research is and will continue to be the full disclosure mailing lists such as Bugtraq. Here we provide web archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:

Insecure.Org Lists

Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.

npcap 1.50 receiving too many packets. Michael D. Lawler (Jun 24)
This worked fine with 1.31 as the number of sent and received packets
were equal. This is with Win 10 19043.1081. Let me know what I can
do to help. Also notice the results are not always the same I show
two runs below.

Starting Nping 0.7.91 ( https://nmap.org/nping ) at 2021-06-24 17:28
Eastern Daylight Time
SENT (0.0460s) ICMP [127.0.0.1 > 127.0.0.1 Echo request
(type=8/code=0) id=6783 seq=1] IP [ttl=64 id=22972 iplen=28 ]
SENT...

Re: Error getting nmap to read hosts from file Robin Wood (Jun 08)
Not with nmap, but I've seen similar issues with other tools so recognised
that type of error.

Glad it is fixed.

Robin

Re: Error getting nmap to read hosts from file Kurt Buff (Jun 08)
Genius.

Notepad said it was UTF-16 LE. I changed it to ASCII and it's working.

This was an export from our SIEM as a CSV in UTF-8, from which I extracted
the hosts with PowerShell and lightly edited with Notepad++. I suppose
somewhere in there it got converted, probably by PowerShell.

Definitely something to keep in mind.

Thank you very much.

Kurt

Re: Error getting nmap to read hosts from file Robin Wood (Jun 08)
My money is on file encoding, can you check what encoding the file is using?

Robin

Error getting nmap to read hosts from file Kurt Buff (Jun 08)
All,

I'm getting an error trying to run a simple scan with Nmap, as shown.
Running in a CMD session on Win10 20H2. Scans with Zenmap work when not
using a file, as does Nmap. It's just when trying to use a file that I get
this very strange output. I've upgraded npcap from 1.10 to 1.31, and get
the same behavior out of both.

Am I doing something ignorant/stupid, or have I stumbled upon a bug?
Further information gladly provided....

Re: NPCAP GitHub Security Advisories Daniel Miller (May 04)
I would like to add a clarification on the libpcap CVEs: since libpcap is a
user-mode DLL (wpcap.dll in the Npcap installation), it is not capable of
crashing the entire system. Instead, the impact of any CVEs would be
limited to the application and user that is using the DLL. For specifics on
the particular CVEs addressed, see the libpcap changelog at
https://www.tcpdump.org/libpcap-changes.txt

Dan

Re: NPCAP GitHub Security Advisories Gordon Fyodor Lyon (May 01)
Hi Jay. Good questions, and I'm glad you like Nmap and Npcap! We are not
using GitHub's security feature at present. If we issued a security
advisory for Npcap or Nmap, we would likely host it ourselves. But Github
adds that tab to all projects by default and, from a quick glance at
settings, I don't see an obvious way to remove it. I think your best bet
is to sign up for release announcements through GitHub and look for...

NPCAP GitHub Security Advisories Sethi, Jay (May 01)
Hello nmap dev team!

I work for Manitoba Hydro, a utility in Manitoba Candada. We use nmap (and NPCAP!). As part of NERC CIP compliance, we
are required to check regularly for security advisories. I recently noticed the following on the GitHub page:
The npcap change log notes a few releases that resolve CVEs
npcap/CHANGELOG.md at master * nmap/npcap * GitHub<https://github.com/nmap/npcap/blob/master/CHANGELOG.md>
(For example, Npcap...

Better interface names reported by pcap_findalldevs Dmytro Ovdiienko (May 01)
<<< image/png; name="EAAC2C82AF0D4674B18524120B700D78.png": Unrecognized >>>

Feature Request: nping to flag incorrect or curtailed ICMP echo payload Alex Ferenstein (May 01)
Hi Nmap development mailing list, some time I emailed Gordon, asking for a
feature to flag disparity of echo-replied payload compared to that which
was sent. Can it be implemented, or, have I missed an existing feature?
R’s, Alex

------------------------------

Hi Gordon,

thank you for making nmap/nping. I have a feature request for nping.

As you know, “The echo reply is an ICMP message generated in response to an
echo request; *it is...

zenmap crash in Fedora 34 louzaoh (Apr 22)
This is the message I've got:

➜ zenmap
File "/usr/bin/zenmap", line 114
except ImportError, e:
^
SyntaxError: invalid syntax

➜ rpm -qa zenmap\*
zenmap-7.91-1.noarch

Regards.,

Nmap Bug in payload.cc: corrupted UDP packets during -sU scan mzet via dev (Apr 02)
Hi List,

It was observed that UDP packets that are sent during an UDP port scanning (-sU) are corrupted.

Background:

To make UDP scanning more effective, for many services (ports) Nmap takes content of UDP packets from nmap-payloads
file. Logic for handling this is implemented in payload.cc source file.

Issue:

Due to subtle implementation issue (introduced in...

[NSE] Hex digits in URL encoding should be upper-case nnposter (Apr 01)
For visibility to the broad Nmap community:

I have created issue #2281 to start using upper-case hexadecimal digits
for URL encoding inside NSE. More details at

https://github.com/nmap/nmap/issues/2281

Please leave any comments there.

Cheers,
nnposter

Re: Empty do_ipv4 function in address-info nnposter (Mar 27)
I agree that there is no obvious reason why to have the function there
at all. On the other hand, the script description is pretty clear:

"Shows extra information about IPv6 addresses, such as..."

In other words, there should be no expectation that the script does
anything with IPv4.

Cheers,
nnposter

Empty do_ipv4 function in address-info Toni Ruottu (Mar 27)
Hi!

In the current version of address-info.nse the do_ipv4 function body is
completely empty. Is this a mistake? If it is not a mistake I would at
least expect a comment that explains why the function doesn't do anything.

Cheers, --Toni

Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.

Npcap 1.30 Released: Raw WiFi + Better Performance Gordon Fyodor Lyon (Apr 12)
Hi folks. The Nmap Project is pleased to release Npcap Version 1.30 at
https://npcap.org. We hope Nmap and Wireshark users will be especially
happy with the raw WiFi improvements, since you tend to be particularly
savvy about low-level network inspection. It turns out that some of the
issues we thought were caused by lower level hardware drivers were actually
bugs in our driver. Oops! But at least that means we can fix them
ourselves, and we did....

Npcap 1.20 released Gordon Fyodor Lyon (Mar 16)
Nmap/Npcap Community:

I'm happy to report the release of version 1.20 of the Npcap Windows packet
capturing/sending driver! It's the first release of 2021 and includes
better capabilities for selecting timestamp methods as well as many other
improvements and bug fixes. These include updating the underlying libpcap
library to version 1.10 and building our installer now with NSIS 3. More
details on all this are available from the...

Nmap 7.91 Bugfix Release Gordon Fyodor Lyon (Oct 14)
Hello everyone. I'm glad Nmap 7.90 was so well received! There were so
many improvements that the official announcement (
https://seclists.org/nmap-announce/2020/1) was a bit unwieldy. So Daniel
Miller (who made most of those changes) Tweeted his top highlights at
https://twitter.com/bonsaiviking/status/1313247253197393920

While we do work hard to avoid bugs during development and to catch them
pre-release through continuous integration...

Nmap 7.90 Released! First release since August 2019. Gordon Fyodor Lyon (Oct 03)
Hello everyone. Hot on the heels of the big Npcap 1.00 release (
https://seclists.org/nmap-announce/2020/0), we're delighted to announce a
new Nmap--version 7.90! It's the first Nmap release since Defcon 2019, even
though we've made 16 Npcap releases since then. Raw packets are so
fundamental to Nmap that we really wanted to get it right. With the
production-ready and highly performant Npcap 1.00 driver included, we can
finally...

Npcap 1.00 was just released and a new Nmap is on the way! Gordon Fyodor Lyon (Sep 28)
Hello everyone. I hope you are all safe and well during this nasty
pandemic. I obviously haven't been wearing my marketing hat enough given
that this is my first mail to the Nmap Announcement list since last
August's Nmap 7.80 release. But we've been heads-down programming since
then and have great news to report!

The biggest news is that, after more than 7 years of development and 170
previous public releases, we're...

Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

Backdoor.Win32.Hupigon.aaio / Remote Stack Buffer Overflow malvuln (Jun 22)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/c38cd09fd5ebd1f0cc378804b2da08c4.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Hupigon.aaio
Vulnerability: Remote Stack Buffer Overflow
Description: The malware listens on TCP ports 8200,8201,8202,8203 and UDP
ports 8200,8204. Third-party attackers who can reach an infected host can
trigger a classic remote...

SYSS-2021-032 Admin Columns WordPress Plug-In - Persistent Cross-Site Scripting Johannes Lauinger (Jun 22)
Advisory ID: SYSS-2021-032
Product: Admin Columns WordPress Plug-In
Manufacturer: Codepress
Affected Version(s): <5.5.2 (Pro version), <4.3.2 (Free version)
Tested Version(s): 5.5.1 (Pro version), 4.3 (Free version)
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2021-05-28
Solution...

Trojan-Dropper.Win32.Googite.b / Unauthenticated Remote Command Execution malvuln (Jun 18)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/4a8d6bc838c09c6701abfa8b283fd0de.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Trojan-Dropper.Win32.Googite.b
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on TCP ports 3388, 4488 and 10002 and
drops executables under both Windows and SysWOW64 dirs. Third-party
attackers who can...

Trojan.Win32.Alien.erf / Directory Traversal malvuln (Jun 18)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/57ab194d8c60ee97914eda22e4d71b68_C.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Trojan.Win32.Alien.erf
Vulnerability: Directory Traversal
Description: The malware deploys a Web server AM6WebMgr.exe (JAO build 809)
listening on TCP port 1789. Third-party attackers who can reach an infected
host can read any file on the...

Trovent Security Advisory 2105-01 / CVE-2021-32612: VeryFitPro unencrypted cleartext transmission of sensitive information Stefan Pietsch (Jun 18)
# Trovent Security Advisory 2105-01 #
#####################################

Unencrypted cleartext transmission of sensitive information
###########################################################

Overview
########

Advisory ID: TRSA-2105-01
Advisory version: 1.0
Advisory status: Public
Advisory URL: https://trovent.io/security-advisory-2105-01
Affected product: VeryFitPro Android mobile application (com.veryfit2hr.second)
Tested versions:...

Trojan.Win32.Alien.erf / Remote Stack Buffer Overflow malvuln (Jun 18)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/57ab194d8c60ee97914eda22e4d71b68_B.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Trojan.Win32.Alien.erf
Vulnerability: Remote Stack Buffer Overflow
Description: The malware deploys a Web server AM6WebMgr.exe (JAO build 809)
listening on TCP port 1789. Third-party attackers who can reach an infected
host can trigger a classic...

Trojan.Win32.Alien.erf / Remote Denial of Service malvuln (Jun 18)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/57ab194d8c60ee97914eda22e4d71b68.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Trojan.Win32.Alien.erf
Vulnerability: Remote Denial of Service
Description: The malware deploys a SMTP server JAOSrv821.exe listening on
TCP port 25. Third-party attackers who can reach an infected host can
trigger a denial of service by sending a...

Email-Worm.Win32.Kipis.a / Unauthenticated Remote Code Execution malvuln (Jun 18)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/aa703bc17e3177d3b24a57c5d2a91a0c.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Email-Worm.Win32.Kipis.a
Vulnerability: Unauthenticated Remote Code Execution
Description: The malware listens on TCP port 1029 and writes incoming
packets to an executable file that is renamed as "winlogins.exe".
Third-party attackers...

Re: popo2, kernel/tun driver bufferoverflow. Robert Święcki (Jun 18)
Hi,

wt., 15 cze 2021 o 09:56 KJ Jung <x90cx90c1 () gmail com> napisał(a):

While I agree that it might be not the best of programming patterns to
accept length of a local stack buffer from the parent function (this
can easily be misused over time), there's probably no bug here, as all
callers of __tun_chr_ioctl() use sizeof(struct ifreq) or sizeof(struct
compat_ifreq)) which is presumably shorter than the former one, no?
Or, maybe...

Re: popo/popo2 linux kernel vulns RaziREKT via Fulldisclosure (Jun 18)
Hello KJ Jung,

neither of the mails you sent contain bugs.
The kernel code is sound and the vulnerabilities you reported don't seem
to exist.

In your first mail (popo:: linux kernel vulns of it),
you point out a flaw in bond_do_ioctl() and bond_set_dev_addr().

It is impossible to set slave_dev->dev_addr to arbitrary values userspace.
The value will be chosen from a handful of fixed hardware address lengths.
None will exceed the length...

[SYSS-2021-007]: Protectimus SLIM NFC - External Control of System or Configuration Setting (CWE-15) (CVE-2021-32033) Matthias Deeg (Jun 18)
Advisory ID: SYSS-2021-007
Product: Protectimus SLIM NFC
Manufacturer: Protectimus
Affected Version(s): Hardware Scheme 70 / Software Version 10.01
Tested Version(s): Hardware Scheme 70 / Software Version 10.01
Vulnerability Type: External Control of System or Configuration Setting
(CWE-15)
"Time Traveler Attack"
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2021-02-04
Solution Date: -
Public...

Backdoor.Win32.Zombam.gen / Information Disclosure malvuln (Jun 15)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/ff6516c881dee555b0cd253408b64404_D.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Zombam.gen
Vulnerability: Information Disclosure
Description: Zombam malware listens on TCP port 80 and deploys an unsecured
HTML Web UI for basic remote administration capability. Third-party
attackers who can reach an infected...

Backdoor.Win32.VB.pld / Unauthenticated Remote Command Execution malvuln (Jun 15)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/6ff35087d789f7aca6c0e3396984894e_B.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.VB.pld
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on TCP port 4000. Third-party attackers
who can reach infected systems can connect to port 4000 and run commands
made available by the...

Backdoor.Win32.VB.pld / Insecure Transit malvuln (Jun 15)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/6ff35087d789f7aca6c0e3396984894e.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.VB.pld
Vulnerability: Insecure Transit
Description: The malware listens on TCP port 4000 and has a chat feature
"Hnadle-X Pro V1.0 Text Chat". Messages are passed in unencrypted plaintext
across the network. Well...

popo2, kernel/tun driver bufferoverflow. KJ Jung (Jun 15)
Linux kernel 5.4 version.
latest.

__tun_chr_ioctl function of ~/drivers/net/tun.c has a stack buffer
overflow vulnerability. it get's arg, ifreq_len, and copy the arg(argp)
to ifr(ifreq struct) and this steps are no bounds-checking.

if cmd == TUNSETIFF or TUNSETQUEUE or and so on condition
then it's enter copy_from_user function area.

Other Excellent Security Lists

Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

Info Security News — Carries news items (generally from mainstream sources) that relate to security.

Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

"Hack the Planet" Dave Aitel via Dailydave (May 20)
[image: image.png]

Ok ya'll - you're letting me down. There's a thousand ways you and your
friends can use 10k to improve the world - engineering a solution nobody
would pay for because it's not something you can put at a booth at RSAC.

EVERYONE ON THIS LIST needs to either submit for a grant, or find someone
who will submit for a grant. You're telling me not one of those
superhackers at Microsoft and Google can find a...

Plausible. Dave Aitel via Dailydave (Apr 11)
A while back I was chatting with someone at INFILTRATE, over fried
alligator and more alcohol than I probably should have imbibed, and he
said, "We're going to make fuzzing obsolete, because we have more CPUs on
the problem than anyone can reasonably duplicate, and we're going to
exhaust the space".

And it's PLAUSIBLE in a way. I've watched a few of the live streams that
Brandon Falk does, and you can see how like,...

News Roundups! Dave Aitel via Dailydave (Feb 01)
So lately I've been doing little news roundups on the YouTubes....
Yesterday's is here: https://youtu.be/xgiymt_0isY

Neal Stephenson, in his most recent book, *Fall*, had a character that was
an interesting play on the traditional fantasy "giant" in the sense that
she was normal size, but fractally dense. I feel like we are living that
kind of time - in the sense that gravity is really a measure of how much
stuff is happening...

Re: Fully Automated CONOPs Exercise Pukhraj Singh via Dailydave (Jan 28)
Folks like Joe Slowik
<https://www.youtube.com/watch?v=n7XqxRXwFZ4&ab_channel=CYBERWARCON>, Grugq
<https://www.blackhat.com/docs/webcast/12142017-the-triple-a-threat.pdf>and you
<https://cybersecpolitics.blogspot.com/2016/09/the-stern-stewart-summit-germany-and.html>(Dave)
have tried to articulate the CONOPS for worms since long. In their current
forms, worms look like IO packages in full-spectrum missions. Ignoring...

Re: Fully Automated CONOPs Exercise Dave Aitel via Dailydave (Jan 28)
I mean, the goal of the question is to start putting some meat on the idea
of what "harm" is and how that is reflected both from a policy and
technical perspective. But also: It's useful to put some real definitions
around what is required to make people comfortable with fully-automated
techniques.

I don't think the idea that we are going to come up with and enforce norms
is as useful as figuring out what the norms really are...

Re: Fully Automated CONOPs Exercise Dave Dittrich via Dailydave (Jan 28)
Did any of them mention international humanitarian law, specifically
discrimination, respecting territory of neutral ("green") actors and
their infrastructure, and avoiding harm to neutral third parties and
non-combatants? The problem with most worms is the inability to
accurately discriminate targets and resulting harm. This is an area
where technical experts need to be balanced with operators and policy
makers to ensure that...

Fully Automated CONOPs Exercise Dave Aitel via Dailydave (Jan 27)
So one of my new fav questions to ask policy teams is what they would do if
they were told to switch their offensive team entirely to worms. Nothing
else. Just worms. What needs to change to make that happen - from op tempo
to supply chain to personnel to policy and technological investment.

And how would their defensive team need to change strategically if they
were facing such an offensive team.

It's a fun thing to see people wrap their...

"Severely lacking". Dave Aitel via Dailydave (Jan 20)
Recently I read this post from Maddie Stone of Google's Project Zero:
https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html
. In particular, it has a bolded line of "*As a community, our ability to
detect 0-days being used in the wild is severely lacking to the point that
we can’t draw significant conclusions due to the lack of (and biases in)
the data we have collected.*" which is the most...

[mm4.emwd.com] Please Confirm Your E-mail Address noreply (Jan 07)
Hello from mm4.emwd.com!

You're receiving this e-mail because user SeclistsDD has given yours as an e-mail address to connect their account.

To confirm this is correct, go to
https://lists.aitelfoundation.org/accounts/confirm-email/MzAw:1kxbbR:J_gxtLGlz_7WONRMX9blDLA1rXc/

Thank you from mm4.emwd.com!
mm4.emwd.com

Re: The Lost Decade of Security Metrics Andre Gironda via Dailydave (Jan 05)
MITRE ATK > CVE/CVSS
Enterprise v8 is more granular than ever before for vuln purposes, but
always has been extensive for threat purposes

If you want to express CVEs in maldocs or malware (including webshells) may
I suggest Yara and/or Suricata (maybe shortcuts such as JA3 or JARM if TLS
applies)?
If you want to express CVEs in runtime app infra may I suggest
caldera_pathfinder? e.g., this is heartbleed --...

Re: The Lost Decade of Security Metrics toby via Dailydave (Jan 05)
I don't think you are wrong but your comparison of CVSS and the multiple
(also separately bad) metrics for a WAF isn't effective or accurate.

The values going into CVSS have something in common; they are attempts to
characterize the importance of the vulnerability in question. You are
making (have made before) the claim that the importance of a vulnerability
is too variable and specific to an environment or an attack scenario to be...

Re: The Lost Decade of Security Metrics Chuck McAuley via Dailydave (Jan 05)
Throughput* is perhaps the wrong unit of measure. Most of the time you would be interested in measuring
“requests/second” or “transactions/second”. Aside from say a content ingesting site/repeater
(facebook/twitter/instagram), almost all content for a WAF to handle is inbound, using low amounts of available
bandwidth. The outbound content is rarely inspected by such a device, with the exception of 5xx error or similar
(headers).

A...

The Lost Decade of Security Metrics Dave Aitel via Dailydave (Jan 05)
A thousand years ago I subscribed to the Security Metrics mailing list.
Metrics are important - or rather, I think good decision making is
important, and without metrics your decision making is essentially luck.
But we haven't seen any progress on this in a decade, and I wanted to talk
about the meta-reason why: Oversimplification in the hopes of scaling.

There's a theme in security metrics, a deep Wrong, that the community
cannot...

PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.

BHIS Sorta Top Used Tools of 2018 John - Black Hills Information Security (Dec 06)
Free Webcast

Hello all,

For our next webcast we will cover some of the core tools we use all the time at Black Hills Information Security.
However, there will be a twist. We will not talk about Nessus, Nmap, or Metasploit. Why? Because there are a ton of new
(and older) tools we use that fall outside of the standard tools you see in every security book/blog out there.

Basically, we are trying to be edgy and different.

You may want to come...

BHIS Webcast - Tues 10/2 @ 11am MDT John Strand - Black Hills Information Security (Sep 26)
Hello All,

In this next webcast I want to cover what I am doing with the BHIS Systems team to create a C2/Implant/Malware test
bed. Testing our C2/malware solutions is important because vendors tend to lie or over-hype their capabilities. I will
cross reference some different malware specimens to the MITRE ATT&CK framework and we will cover how you can use these
techniques to test your defensive solutions at both the endpoint and the...

BHIS Webcast: The PenTest Pyramid of Pain 9/4 - 11am MDT Sierra - Black Hills Information Security (Aug 29)
Hello!

How are you all? We had a fantastic webcast last week with John Strand and Chris Brenton and we're still working
through some unexpected hiccups to get the recording up and posted. The podcast version is on our blog, and the YouTube
version will be posted shortly on the Active Countermeasures channel and blog as well. Thanks for all of you who
ventured over to attend!

Ready for another awesome BHIS webcast? Dakota is back and...

Webcast with CJ: Tues 7/24 at 11am Sierra - Black Hills Information Security (Jul 19)
Our upcoming webcast will be about POLICY...

Did you check out when you heard “policy”? Policy can often seem like a drudgery, but it’s also an important and
potentially overlooked part of business and procedure; it’s the framework on which security is really built!

CJ, our COO and Head of Sales has experience writing, assessing and implementing policies for many different kinds of
companies. And if you are worried it will be dry and...

Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.

Microsoft Security Update Minor Revisions Microsoft (Dec 11)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: December 11, 2018
********************************************************************

Summary
=======

The following CVE has undergone a minor revision
increment:

* CVE-2018-8172

Revision Information:
=====================

- CVE-2018-8172 | Visual Studio Remote Code Execution
Vulnerability
-...

Microsoft Security Update Minor Revisions Microsoft (Nov 14)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: November 14, 2018
********************************************************************

Summary
=======

The following CVEs and advisory have undergone a minor revision
increment:

* CVE-2018-8454
* CVE-2018-8552
* ADV990001

Revision Information:
=====================

- CVE-2018-8454 | Windows Audio Service...

Microsoft Security Update Minor Revisions Microsoft (Oct 24)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 24, 2018
********************************************************************

Summary
=======

The following CVE has undergone a minor revision increment:

* CVE-2018-8512

Revision Information:
=====================

- CVE-2018-8512 | Microsoft Edge Security Feature Bypass
Vulnerability
-...

Microsoft Security Update Releases Microsoft (Oct 19)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 19, 2018
********************************************************************

Summary
=======

The following CVE been added to the October 2018 Security updates:

* CVE-2018-8569

Revision Information:
=====================

- CVE-2018-8569 | Yammer Desktop Application Remote Code Execution
Vulnerability
-...

Microsoft Security Update Releases Microsoft (Oct 17)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 17, 2018
********************************************************************

Summary
=======

The following CVEs have undergone a major revision increment:

* CVE-2010-3190

Revision Information:
=====================

- CVE-2010-3190 | MFC Insecure Library Loading Vulnerability
-...

Microsoft Security Update Minor Revisions Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 9, 2018
********************************************************************

Summary
=======

The following CVE has undergone a minor revision increment:

* CVE-2018-8531

Revision Information:
=====================

- CVE-2018-8531 | Azure IoT Device Client SDK Memory Corruption
Vulnerability
-...

Microsoft Security Update Releases Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 9, 2018
********************************************************************

Summary
=======

The following CVE been added to the October 2018 Security updates:

* CVE-2018-8292

Revision Information:
=====================

- CVE-2018-8292 | .NET Core Information Disclosure Vulnerability
-...

Microsoft Security Update Releases Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 9, 2018
********************************************************************

Summary
=======

The following bulletin has undergone a major revision increment:

* MS11-025

Revision Information:
=====================

- https://docs.microsoft.com/en-us/security-updates/
SecurityBulletins/2011/ms11-025:...

Microsoft Security Update Summary for October 9, 2018 Microsoft (Oct 09)
********************************************************************
Microsoft Security Update Summary for October 9, 2018
Issued: October 9, 2018
********************************************************************

This summary lists security updates released for October 9, 2018.

Complete information for the October 2018 security update release can
Be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>.

Please note the...

Microsoft Security Update Releases Microsoft (Oct 02)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 2, 2018
********************************************************************

Summary
=======

The following CVE has undergone a major revision increment:

* CVE-2018-0952

Revision Information:
=====================

- CVE-2018-0952 | Diagnostic Hub Standard Collector Elevation of
Privilege Vulnerability
-...

Microsoft Security Advisory Notification Microsoft (Sep 12)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 12, 2018
********************************************************************

Security Advisories Released or Updated on September 12, 2018
===================================================================

* Microsoft Security Advisory ADV180022

- Title: Windows Denial of Service Vulnerability
-...

Microsoft Security Update Minor Revisions Microsoft (Sep 12)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: September 12, 2018
********************************************************************

Summary
=======

The following CVEs have undergone a minor revision increment:

* CVE-2018-8421
* CVE-2018-8468

Revision Information:
=====================

- CVE-2018-8421 | .NET Framework Remote Code Execution
Vulnerability...

Microsoft Security Update Summary for September 11, 2018 Microsoft (Sep 11)
********************************************************************
Microsoft Security Update Summary for September 11, 2018
Issued: September 11, 2018
********************************************************************

This summary lists security updates released for September 11, 2018.

Complete information for the September 2018 security update release can
Be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>....

Microsoft Security Update Releases Microsoft (Sep 11)
********************************************************************
Title: Microsoft Security Update Releases
Issued: September 11, 2018
********************************************************************

Summary
=======

The following CVE has undergone a major revision increment:

* CVE-2018-8154

Revision Information:
=====================

- CVE-2018-8154 | Microsoft Exchange Memory Corruption
Vulnerability
-...

Microsoft Security Advisory Notification Microsoft (Sep 11)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 11, 2018
********************************************************************

Security Advisories Released or Updated on September 11, 2018
===================================================================

* Microsoft Security Advisory ADV180002

- Title: Guidance to mitigate speculative execution...

Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community

Verizon: 1.5M of Contact Records Stolen, Now on Sale Jeffrey Walton (Mar 26)
http://www.mobipicker.com/verizon-1-5m-contact-records-stolen-now-sale/:

A business to business telecommunication giant,
Verizon Enterprise Solutions, a Basking Ridge,
New Jersey-based company, has been the latest
victim of a cyber crime that stole 1.5 million contact
records of the customers of Verizon...

I don't quite understand this double talk. Could someone explain to me:

A spokesperson from Verizon said that...

Statement on Lavabit Citation in Apple Case Jeffrey Walton (Mar 16)
(From John Young on another list):
http://www.facebook.com/KingLadar/posts/10156714933135038

As many of you already know, the government cited the Lavabit case in
a footnote. The problem is their description insinuates a precedent
that was never created. Obviously I was somewhat disturbed by their
misrepresentation. So I decided to draft a statement. And keep in
mind, these are the same people who say "trust us." Click continue to
read...

The NSA's back door has given every US secret to our enemies Jeffrey Walton (Feb 29)
http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2

Deng Xiaoping, in 1979 - his second year as supreme leader of China -
perceived a fundamental truth that has yet to be fully grasped by most
Western leaders: Software, if properly weaponized, could be far more
destructive than any nuclear arsenal.

Under Deng’s leadership, China began one of the most ambitious and
sophisticated meta- software...

Can Spies Break Apple Crypto? Jeffrey Walton (Feb 27)
Here's an interesting exchange between Cryptome and Michael Froomkin,
Law Professor at University of Miami, on the All Writs Act
(http://cryptome.org/2016/02/can-spies-break-apple-crypto.htm):

-----

A. Michael Froomkin:

The factual posture in the key Supreme Court precedent, New York
Telephone, involved a situation where only the subject of the order
was capable of providing the assistance at issue. This is the basis
for Apple's...

The FBI's iPhone Problem: Tactical vs. Strategic Thinking Jeffrey Walton (Feb 23)
http://www.technewsworld.com/story/83130.html

I'm an ex-sheriff, and I've been in and out of security jobs for much
of my life, so I've got some familiarity with the issues underlying
the drama between the FBI and Apple. FBI officials -- and likely those
in every other three-letter agency and their counterparts all over the
world -- would like an easier way to do their jobs. Wouldn't we all?

If they could put cameras in...

Wanted: Cryptography Products for Worldwide Survey Jeffrey Walton (Jan 01)
(http://www.schneier.com/crypto-gram/archives/2015/1215.html):

In 1999, Lance Hoffman, David Balenson, and others published a survey
of non-US cryptographic products. The point of the survey was to
illustrate that there was a robust international market in these
products, and that US-only export restrictions on strong encryption
did nothing to prevent its adoption and everything to disadvantage US
corporations. This was an important contribution...

CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.

Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community

Re: CVE-2021-22543 - /dev/kvm LPE Eduardo' Vela" <Nava> (Jun 26)
https://github.com/torvalds/linux/commit/f8be156be163a052a067306417cd0ff679068c97
fixed
this issue.

FW: An out-of-bound read/write in fsi driver Luo Likang (Jun 25)

Because of my mistake, I took a normal bug as a security bug and reported it
to linux-distros，linux-distros requested me notify oss-security since these
bugs were deemed to not be a security vulnerability, and no embargo was set.

Because of copy_ from_user has some check, so - 1 does not cause
cross-border access, and lots of check in fsi_check_access().

The following is the original of my report:

I found an oob read/write bug in function...

CVE-2021-3600 - Linux kernel eBPF 32-bit source register truncation on div/mod Thadeu Lima de Souza Cascardo (Jun 23)
It was discovered that eBPF 32-bit div/mod source register truncation could
lead to out-of-bounds reads and writes in the kernel.

It was introduced by commit 68fda450a7df ("bpf: fix 32-bit divide by zero"). It
was first introduced in 4.15-rc9, but backported and applied to v4.14.y, v4.9.y
and v4.4.y. However, this specific attack will not work on v4.4.y and v4.9.y
kernels as pointer arithmetic is prohibited on those kernels. This was...

CVE-2021-26461: Apache NuttX (incubating): malloc, realloc and memalign implementations are vulnerable to integer wrap-arounds Brennan Ashton (Jun 21)
Description:

Apache Nuttx (incubating) versions prior to 10.1.0 are vulnerable to
integer wrap-around in functions malloc, realloc and memalign. This
improper memory assignment can lead to arbitrary memory allocation,
resulting in unexpected behavior such as a crash or a remote code
injection/execution.

This issue is also known as BadAlloc

Credit:

Apache NuttX would like to thank Omri Ben-Bassat of Section 52 at Azure
Defender for IoT of...

[CVE-2021-33624] Linux kernel BPF protection against speculative execution attacks can be bypassed to read arbitrary kernel memory Adam Morrison (Jun 21)
The Linux kernel BPF subsystem's protection against speculative
execution attacks (Spectre mitigation) can be bypassed.

On affected systems, an unprivileged BPF program can exploit this
vulnerability to leak the contents of arbitrary kernel memory (and
therefore, of all physical memory) via a side-channel.

The issue is that when the kernel's BPF verifier enumerates the
possible execution paths of a BPF program, it skips any branch...

Re: CVE-2021-3609: Race condition in net/can/bcm.c leads to local privilege escalation Thadeu Lima de Souza Cascardo (Jun 19)
And here is the proposed fix:

https://lore.kernel.org/netdev/20210619161813.2098382-1-cascardo () canonical com/T/#u

Regards.
Thadeu Cascardo.

CVE-2021-3609: Race condition in net/can/bcm.c leads to local privilege escalation Norbert Slusarek (Jun 19)
Hello,

this is an announcement for the recently reported bug (CVE-2021-3609)
in the CAN BCM networking protocol in the Linux kernel ranging from
version 2.6.25 to mainline 5.13-rc6.
The vulnerability is a race condition in net/can/bcm.c allowing for local
privilege escalation to root. The issue was initially reported by syzbot and
proven to be exploitable by Norbert Slusarek.

The CAN BCM networking protocol allows to register a CAN message...

Vulnerability in Jenkins Generic Webhook Trigger Plugin Daniel Beck (Jun 18)
Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Generic Webhook Trigger Plugin 1.74

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2021-06-18/

We provide advance notification for security...

New Open-Source Forensic Tool for SQLite Data Recovery Andrew Zayine (Jun 17)
Hi All,

As an editorial assistant in the International Journal of Cyber
Forensics and Advanced Threat Investigations (ISSN: 2753-9997), I
would like to advertise a new open-source tool presented recently in
the journal.

(FQLite) is a tool to find and restore deleted records in SQLite
databases. It, therefore, examines the database for entries marked as
deleted. Those entries can be recovered and displayed. It is written
with the Java...

Multiple vulnerabilities in Jenkins plugins Daniel Beck (Jun 16)
Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Scriptler Plugin 3.2 and 3.3

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2021-06-16/

We provide advance notification for security updates...

CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter Colm O hEigeartaigh (Jun 16)
A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows
an attacker to submit malformed JSON to a web service, which results
in the thread getting stuck in an infinite loop, consuming CPU
indefinitely.

This issue affects Apache CXF versions prior to 3.4.4; Apache CXF
versions prior to 3.3.11.

For more information please refer to the CXF security advisories page:
http://cxf.apache.org/security-advisories.html

CVE-2020-9493: Apache Chainsaw: Java deserialization in Chainsaw Robert Middleton (Jun 15)
Reply-to: general () logging apache org

Description:

A deserialization flaw was found in Apache Chainsaw versions prior to
2.1.0 which could lead to malicious code execution.

Mitigation:

Don't configure Chainsaw to read serialized log events. Use a
different receiver, such as XMLSocketReceiver

Credit:

This issue was reported by @kingkk

CVE-2021-34693: Infoleak in CAN BCM protocol in Linux kernel Norbert Slusarek (Jun 15)
Hello,

this is an announcement for recently reported infoleaks in the CAN BCM
networking protocol in the Linux kernel.

The vulnerability has been assigned CVE-2021-34693 and was found in kernels
ranging from 2.6.25-rc1 to 5.12.10.

The infoleak can be found in struct bcm_msg_head, which is a structure used to
describe CAN BCM messages. Due to an automatically introduced padding,
the structure contains a 4-byte hole which is never initialized....

xscreensaver: filename command injection in vidwhacker screensaver Hanno Böck (Jun 14)
The "vidwhacker" screensaver in xscreensaver does not properly escape
filenames of input images, allowing command injection via filenames.

The autor of xscreensaver considers this a non-issue.

xscreensaver contains a screensaver called "vidwhacker" which uses
image files as an input and passes them to various command line tools
for decoding. A user can configure a directory with images.

The filenames are passed to the...

CVE-2021-31811: Apache PDFBox: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading a tiny file Andreas Lehmkuehler (Jun 12)
Description:

A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading
the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.

This issue is being tracked as PDFBOX-5177

Mitigation:

This issue was fixed in 2.0.24. All users are recommended to upgrade to Apache
PDFBox 2.0.24

Credit:

Apache PDFBox would like to thank Chaoyuan Peng for reporting this issue

References:...

Educause Security Discussion — Securing networks and computers in an academic environment.

Miro Emilie Kunze (Jun 25)
Good morning,

We have several faculty members that are interested in using Miro. Anyone
have any experience with it? Any input from the security perspective? Any
concerns?

Thank you,
Emilie

<https://austincc.edu/>

Emilie Kunze

IT Security Analyst Sr.

Acting Information Security Officer

Office of Information Technology

ekunze () austincc edu | o 512-223-1157

ACC Information Security
<...

Join our team! Systems Administrator & IT Security Analyst Wood, Anne (wood) (Jun 25)
Good morning!

The Campus Technology and Library Services team at Juniata College is currently searching for a Systems
Administrator<https://juniata.peopleadmin.com/postings/881> and an IT Security
Analyst<https://juniata.peopleadmin.com/postings/883>. Both positions are strategically important to our institution,
team, and future! We are a small private liberal arts institution in a naturally beautiful and rural part of central...

Re: Staff Directory on Web Foss, Henry L. (Jun 24)
We strip display names from non-university domains. So fraudsters trying to disguise themselves as university employees
- sending from a Gmail address, or example - end up being revealed as their sender name. And we also embed a yellow
banner and warning that the sender is external.

We make this part of our new hire training also so word gets out to the user community.

-Hank

From: The EDUCAUSE Security Community Group Listserv <SECURITY...

Re: Staff Directory on Web randy (Jun 24)
I don't like having staff directories behind a login page. For example, I
was trying to contact my counterpart at another EDU about a security issue
but didn't have their contact info. Couldn't go to their directory because
it was behind a portal.
We forget sometimes the directory is not so much for internal people as it
is for external.

Having said that, if you tell your faculty/staff their work contact info is
available to the...

Re: Staff Directory on Web Barton, Robert W. (Jun 24)
Afternoon,

We have talked about the first two items. We would have departments available on the web site (department email,
phone, office number). We would need to establish emails for all departments with communication plans (who is
monitoring? who has access? who is primary?). We have not discussed item three, but if they have a department
contact, communications could be initiated.

Robert W. Barton
Executive Director of Information...

Re: Staff Directory on Web Telfer, Will (Jun 24)
Baylor's directory is behind authentication as well, but many of the items mentioned below can be found on the various
departmental web pages (at least the generic front desk number is made public and/or faculty/staff email addresses).

Thank You,
Will Telfer, M.S.
Identity and Authentication Analyst
Information Technology Services

Follow BaylorITS & look for the #BearAware:
Twitter: @BaylorITS
Facebook: facebook.com/BaylorITS
Website:...

Re: Staff Directory on Web Lovaas,Steven (Jun 24)
For those of you who have closed off faculty/staff directories (or moved to requiring authentication to see them), I'd
be interested in hearing how you provide for boot-strapping contact needs like:

* Community members/press/others wanting to ask an expert
* Faculty of other institutions wanting to initiate collaboration
* Potential grad students wanting to explore faculty advisors

Thanks,
Steve...

Re: Staff Directory on Web James Monek (Jun 24)
We did have our directory available publicly at one time but since then we
require authentication to view and search. We did this for the obvious
reasons as you have noted.

Jim

On Thu, Jun 24, 2021 at 1:56 PM Barton, Robert W. <bartonrt () lewisu edu>
wrote:

Re: Staff Directory on Web Blake Brown (Jun 24)
We moved ours behind the firewall to the Intranet a few years back due the security concerns motioned below. The damage
was already with the previous emails exposed but it should help with newer ones.

There was some pushback from facility, but it was minor and after some conversations they understood the reasons why.

Thanks,
Blake Brown

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY ()...

Re: Staff Directory on Web Sidharth Nandury (Jun 24)
We had a very brief conversation about this, which sparked from one of the
IT staff email being used for malicious purposes. We have not taken a
particular action yet, but there was a conversation about using an alias
email on the web pages, which still provides contact information and
so-called "good" marketing, but also provides some buffer.

Sid

On Thu, Jun 24, 2021 at 1:56 PM Barton, Robert W. <bartonrt () lewisu edu>
wrote:

Re: Staff Directory on Web Jeremy Livingston (Jun 24)
We moved our directory contact information behind a login page.

It's just too easy for phishing otherwise.

Jeremy M. Livingston
Chief Information Security Officer
M 973-985-4996
STEVENS INSTITUTE OF TECHNOLOGY<http://www.stevens.edu/>
facebook<...

Staff Directory on Web Barton, Robert W. (Jun 24)
Afternoon,

There is a little debate going here on IF our directory of employees (name, number, email, department) should be
available to the web. One side looks at it as we are being transparent, and it is good "marketing". The other side is
looking at it like we are releasing to much information (making it easier for a hacker to find targets) and making it
easy for SPAMers. Has anybody had this conversation before? Anybody have...

Opportunity at the University of Memphis (Remote Eligible) Karen A Bell (kbell) (Jun 24)
We have an opening for an Identity Management Developer that plays an active role in the ITS Security and Identity
Management team.

https://workforum.memphis.edu/postings/27674

Karen Bell
Director | IT Security and Identity Management
Information Technology
[UofM logo]
The University of Memphis
152 Administration Building
Memphis, TN 38152<http://www.memphis.edu/emailsignatures/>

901.678.4274 | kbell () memphis edu<mailto:kbell ()...

State of Iowa CISO Opening Radl, Alison (Jun 23)
The State of Iowa has an opening for a Chief Information Security Officer.
Details are available at:

https://www.governmentjobs.com/careers/iowa?department[0]=185%20Iowa%20Office%20of%20the%20Chief%20Information%20Officer&sort=PositionTitle%7CAscending

Thank you

Alison

Cyber Faculty Opening at PPCC Johnson Akse, Terri (Jun 23)
Consider working with us in Colorado Springs! :)

https://careers.ppcc.edu/en-us/job/492525/computer-networkingcyber-security-limited-faculty

Terri Johnson, MS-CIA
CEH, CCNA R&S & Security
CNG & Cyber Chair, PPCC
719-502-3077

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the
person who sent the message, copy and paste their email address and forward the...

Internet Issues and Infrastructure

NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.

Re: Can somebody explain these ransomwear attacks? Saku Ytti (Jun 27)
I'm not entirely sure if I understood this statement right.

Of course you are aware that every closed source project is breached
by bored hobbyists given the slightest motivation. Ref: pwn2own or
entirety of infosec history.
We have no historic knowledge of how to build software that is robust
enough to withstand an attack from someone motivated by boredom. We
have a lot of finger pointing about 'code it right' and a lot of...

Re: Can somebody explain these ransomwear attacks? Jakob Heitz (jheitz) via NANOG (Jun 26)
Finding vulnerabilities and how to exploit them to run malware
in closed source code is nigh on impossible.
Anyone can read open source code.

What is possible is to analyze patches to figure out what was fixed
and then to attack those that didn't apply the patches.

Even easier is old releases. Patches often have more than one fix,
but a patch for an old release is almost guaranteed to be a fix
for a single vulnerability. That makes it...

Re: Can somebody explain these ransomwear attacks? Michael Thomas (Jun 26)
So what is the industry standard if there is one for DR recovery?
Shouldn't this just be considered another hit by the Chaos Monkey?

Mike

Re: Can somebody explain these ransomwear attacks? Valdis Klētnieks (Jun 26)
On Thu, 24 Jun 2021 14:55:12 -0700, JoeSox said:

If that's a concern, you've *already* totally screwed the pooch regarding DR planning.

Re: Can somebody explain these ransomwear attacks? Karl Auer (Jun 25)
I don't know. I'm trying to figure it out too.

I just know that the less diverse an ecosystem, the more vulnerable it
is to destruction. Heterogeneity (and change, by the way, i.e being a
moving target) mitigates against the risks of a monoculture.

Homogenous, centrally managed, massively networked systems bring many
benefits, but we are now seeing the sorts of weaknesses it brings, too.

Regards, K.

Beta Starlink with a slight tree obstruction vs degraded DOCSIS3 last mile Eric Kuhnke (Jun 25)
I thought I would post an interesting comparison between a degraded DOCSIS3
link, of a carrier that shall remain nameless to avoid embarrassing
anybody, and a starlink CPE with a slight 1/12th tree obstruction in a
portion of its view.

First two screenshots are the docsis3, to its gateway and to a very
reliable hosted asterisk system in Seattle.

Second two screenshots are starlink, also to its gateway and to the same
destination....

Re: Can somebody explain these ransomwear attacks? Michael Thomas (Jun 25)
How does one go about that in real life? You certainly want your servers
patched with the latest security updates. For all intents and purposes
there is just Windows and Linux. I suppose you could throw in some
hardware diversity with ARM or MIPS.

Routers are definitely in better shape on that front as there are lots
of choices and at least Cisco has tons of different BU's that compete
with each other with different software and...

Re: Microsoft O365 DNS issue harbor235 (Jun 25)
I found the routing, peering, and dns support number. Hopefully that will
help

Mike

Re: Can somebody explain these ransomwear attacks? Baldur Norddahl (Jun 25)
fre. 25. jun. 2021 21.33 skrev Aaron C. de Bruyn via NANOG <nanog () nanog org

Or they do business in the EU where huge fines are becoming the norm. The
ransomware does not matter but the implied data breach does.

Microsoft O365 DNS issue harbor235 (Jun 25)
Noggers,

Having some O365 DNS issues, looks like we are getting directed to EMEA
instead of US. Anybody understand O365 A record location syntax? Any one
else have issues being directed to EMEA?

Is there a direct MS O365 DNS support number? I have the O365 biz support?

Mike

Re: Can somebody explain these ransomwear attacks? Aaron C. de Bruyn via NANOG (Jun 25)
Agreed.

I'm sure that'll change drastically if either of these conditions are true:
* A claim is filed
* An audit is required
* Ransomware surges throughout 2021 and payouts go through the roof

I think it's reasonable to expect at least one of those things will happen
in the next year.

-A

Weekly Routing Table Report Routing Analysis Role Account (Jun 25)
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, SANOG, PacNOG, SAFNOG
TZNOG, MENOG, BJNOG, SDNOG, CMNOG, LACNOG and the RIPE Routing WG.

Daily listings are sent to bgp-stats () lists apnic net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith <pfsinoz...

Re: Can somebody explain these ransomwear attacks? Tom Beecher (Jun 25)
Nah, it's even simpler. It's just dollars all around. Always is.

so much smaller than it would be to prevent the problems from happening to
begin with, so they are happy to let you guys handle it. From the insurance
company's point of view, they are collecting premiums, but no claims are
being filed, so they have no incentive to do anything differently.

Sometimes those of us who know stuff and can fix things are just too darn...

Re: Can somebody explain these ransomwear attacks? Michael Thomas (Jun 25)
Well, the cost of the DR fire drill is proportionate to how automated,
etc, it is. If you think that the odds of a DR event are really low you
want to make it possible but not necessarily cheap. If it happens all of
the time, you want to optimize for speed and efficiency.

The object here is to break their business model, at least for you. Even
if you go through one DR they aren't likely to go back again rather than
finding another...

Re: Can somebody explain these ransomwear attacks? Karl Auer (Jun 25)
Easy to say.

IMHO the only workable long-term defence is heterogeneity - supported
by distribution, redundancy and just taking the simple things
seriously.

Business has spent the last few decades discarding heterogeneity and
the bigger they are, the more comprehensively they have discarded it.
Companies that are floor to ceiling and wall to wall Windows.
Centralised updates, centralised networking, centralised storage,
centralised ops teams,...

The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.

Risks Digest 32.72 RISKS List Owner (Jun 22)
RISKS-LIST: Risks-Forum Digest Tuesday 22 June 2021 Volume 32 : Issue 72

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.72>
The current issue can also be found at
<...

Risks Digest 32.71 RISKS List Owner (Jun 12)
RISKS-LIST: Risks-Forum Digest Saturday 12 June 2021 Volume 32 : Issue 71

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.71>
The current issue can also be found at
<...

Risks Digest 32.70 RISKS List Owner (Jun 05)
RISKS-LIST: Risks-Forum Digest Saturday 5 June 2021 Volume 32 : Issue 70

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.70>
The current issue can also be found at
<...

Risks Digest 32.69 RISKS List Owner (May 30)
RISKS-LIST: Risks-Forum Digest Sunday 30 May 2021 Volume 32 : Issue 69

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.69>
The current issue can also be found at
<...

Risks Digest 32.68 RISKS List Owner (May 21)
RISKS-LIST: Risks-Forum Digest Friday 21 May 2021 Volume 32 : Issue 68

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.68>
The current issue can also be found at
<...

(no subject) RISKS List Owner (May 21)

Risks Digest 32.67 RISKS List Owner (May 13)
RISKS-LIST: Risks-Forum Digest Thursday 13 May 2021 Volume 32 : Issue 67

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.67>
The current issue can also be found at
<...

Risks Digest 32.66 RISKS List Owner (May 12)
RISKS-LIST: Risks-Forum Digest Wednesday 12 May 2021 Volume 32 : Issue 66

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.66>
The current issue can also be found at
<...

Risks Digest 32.65 RISKS List Owner (May 09)
RISKS-LIST: Risks-Forum Digest Sunday 9 May 2021 Volume 32 : Issue 65

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.65>
The current issue can also be found at
<...

Risks Digest 32.64 RISKS List Owner (May 04)
RISKS-LIST: Risks-Forum Digest Tuesday 4 May 2021 Volume 32 : Issue 64

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.64>
The current issue can also be found at
<...

(no subject) RISKS List Owner (May 04)

Risks Digest 32.63 RISKS List Owner (Apr 30)
RISKS-LIST: Risks-Forum Digest Friday 30 April 2021 Volume 32 : Issue 63

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.63>
The current issue can also be found at
<...

Risks Digest 32.62 RISKS List Owner (Apr 25)
RISKS-LIST: Risks-Forum Digest Sunday 25 April 2021 Volume 32 : Issue 62

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.62>
The current issue can also be found at
<...

Risks Digest 32.61 RISKS List Owner (Apr 23)
RISKS-LIST: Risks-Forum Digest Friday 23 April 2021 Volume 32 : Issue 61

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.61>
The current issue can also be found at
<...

Risks Digest 32.60 RISKS List Owner (Apr 17)
RISKS-LIST: Risks-Forum Digest Saturday 17 April 2021 Volume 32 : Issue 60

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.60>
The current issue can also be found at
<...

BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.

Open Source Tool Development

Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.

Re: ASN.1-based dissector decoding by port number vs switch/case using 1st octet Guy Harris (Jun 26)
So this isn't really a Wireshark dissector question, it's a protocol design and encoding question.

The issue isn't "how do I get a Wireshark dissector to distinguish between different message types without giving each
message type its own UDP port", it's "how do I get *the recipient of the messages* to distinguish between different
message types without giving each message type its own UDP port" - this...

Re: GRegex deprecated Gerald Combs (Jun 25)
Has this change actually been committed? It looks like GLib's internal copy of PCRE was removed in

https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2144

but meson.build still requires an external libpcre in GLib's main branch.

As MR 1451 points out, PCRE1 is in maintenance mode so it might make sense to migrate to PCRE2.

GRegex deprecated chuck c (Jun 25)
Deprecate GRegex
https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1451

I guess deprecated is not the same as removed.
Is there a plan to migrate in the future?

(last migration:
https://www.wireshark.org/lists/wireshark-dev/201108/msg00501.html)

Filter IMSI specific data in a HTTP2 trace luke devon via Wireshark-users (Jun 24)
Hi,
Can somebody help me to filter out IMSI specific data in a HTTP2 packet trace. Is there a way to create a filter to
capture only the specific data?
ThanksLuke

Requesting feedback and help on a WIP merge request David Perry (Jun 23)
Hello all! I'm writing to request fresh eyes, and possibly hands, on a
somewhat significant potential change to Wireshark.

There's an old bug, 14329, requesting support for multiple comments per
packet. I've got a proposed solution in merge request #2859: Instead of
creating new fields on wtap_rec for every block option type we want to
know (currently comments, packet verdicts, and most recently added,
custom packet options),...

Re: ASN.1-based dissector decoding by port number vs switch/case using 1st octet Vincent Randal (Jun 22)
The protocol does not exist yet.

Neither. I am helping develop this protocol for IEEE 1451.0. I do not
represent the IEEE. I am simply volunteering (as others) in one of the
working groups (IEEE 1451.0).

Why on earth did I choose to use ASN.1? Because I was asked to provide some
form of IDL for the messages, and I found esnacc and omiidl in Linux as a
means for translating ASN.1 to IDL and syntax checking it. So then I
decided it was worth it...

Re: ASN.1-based dissector decoding by port number vs switch/case using 1st octet Guy Harris (Jun 22)
You should be using whatever encoding the protocol is using.

Is this a protocol for which you have an ASN.1 specification plus an indication of the encoding being used, or is this
something you're reverse-engineering?

Re: ASN.1-based dissector decoding by port number vs switch/case using 1st octet Vincent Randal (Jun 22)
We are using PER per the foo example (Simple ASN.1-based dissector). Wow, I
never about all these different encodings.

Maybe we should be using something other than PER? We think we like PER
because the dissected values agree with what we can see in the raw UDP data.

Re: ASN.1-based dissector decoding by port number vs switch/case using 1st octet Guy Harris (Jun 22)
"ASN.1-based" in what sense?

If the data to be dissected is *entirely* specified by an ASN.1 specification, using one of the representations for
ASN.1, then the way it should decode the first octet depends on the representation - BER or one of its derived variants
(DER, CER), PER or one of its derived variants (CPER), XER, OER, etc..

...and which does not appear to use any ASN.1 encoding, so it may not be relevant in your case.

So...

Re: Wiki editor permission request Gerald Combs (Jun 22)
Done.

Wiki editor permission request Dr. Matthias St. Pierre (Jun 22)
Hi,

would you be so kind and grant me permission to edit the WireShark Wiki? I would like upload the IPsec examples
demonstrating the decryption of IKEv2 and ESP packets, which I mentioned in [MR 3444], to the [SampleCaptures] page.

Regards,

Matthias St. Pierre
GitLab: @mspncp

[MR 3444]: https://gitlab.com/wireshark/wireshark/-/merge_requests/3444
[SampleCaptures]: https://gitlab.com/wireshark/wireshark/-/wikis/SampleCaptures

Dr....

Re: Struggling to build NSIS installation Gerald Combs (Jun 22)
The Asciidoctor.js project ships self-contained Windows executables with each release:

https://github.com/asciidoctor/asciidoctor.js/releases/tag/v2.2.4

I tried setting ASCIIDOCTOR_EXECUTABLE and ASCIIDOCTOR_PDF_EXECUTABLE to /path/to/asciidoctor-win.exe in a Windows VM
here, and it was able to build what appear to be a valid User's Guide, Developer's Guide, and release notes. It looks
like we should be able to use it instead, and...

Re: Struggling to build NSIS installation Gerald Combs (Jun 22)
As far as I can tell, Chocolatey doesn't support alternative package dependencies, so you get too choose between
depending on a specific JRE (which might install an unwanted extra copy of java.exe) or none (which requires an extra
installation step). The AsciidoctorJ package went with the latter. I've added a note about installing a JRE separately
to the Developer's Guide in MR 3441.

Re: Struggling to setup Windows command-line build Martin Mathieson via Wireshark-dev (Jun 22)
Sorry, I accidentally replied only to Graham. Pasted here.

Ah,

[image: image.png]

The problem was that I began with 'x64_x64 Cross Tools Command Prompt for
VS 2019', rather than 'x64 Native Tools Command Prompt for VS 2019'.

When I initially pressed the Windows key then typed 'c' 'm' 'd'
the former appeared, whereas for the correct (latter) one I had to go
digging in the 'Visual...

Re: Struggling to build NSIS installation Martin Mathieson via Wireshark-dev (Jun 22)
Will try this later. Will be interesting to see if I get an automated
corporate email telling me to uninstall the Oracle one :)

Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.

Snort Subscriber Rules Update 2021-06-24 Research (Jun 24)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the and server-webapp
rule sets to provide coverage for emerging threats from these
technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2021-06-22 Research (Jun 22)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the browser-chrome,
file-pdf, malware-cnc, malware-other, policy-other and server-webapp
rule sets to provide coverage for emerging threats from these
technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Blog: New version of Snort 3 out now (3.1.6.0) — Here are all the updates and fixes Joel Esler (jesler) via Snort-sigs (Jun 21)

Profinet preprocessor divya varakantham via Snort-sigs (Jun 21)
Hi Snort team,

This is a question about support for ICS/SCADA protocols support and
corresponding preprocessors.

I see from FAQs that any additional preprocessor enhancements or additional
rules developed by Cisco OR Snort community is submitted back to the open
source community. However there are no rules and/or preprocessors available
for Profinet in the free version. Cisco's documentation indicates support
for the same.

Appreciate any...

Snort Subscriber Rules Update 2021-06-17 Research (Jun 17)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the
indicator-obfuscation, malware-other, server-apache and server-webapp
rule sets to provide coverage for emerging threats from these
technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Blog: Snort 2.9.18.0 released Joel Esler (jesler) via Snort-devel (Jun 16)

Re: features for handling elephant flows Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) via Snort-devel (Jun 16)
Hi, Mark

Definitely, elephant flows is the issue. Unfortunately, I cannot point to any details or dates about pending
improvements on this.

Best wishes,
Alexey

Re: how to reload the config of appid odp dir ? Russ Combs (rucombs) via Snort-devel (Jun 15)
There is an appid command for that:

$ src/snort --help-commands appid | grep reload
appid.reload_third_party(): reload appid third-party module
appid.reload_detectors(): reload appid detectors

reload_detectors is what you want. No argument; it will reload from the originally configured directory.

Note that it will report a bogus error. You can safely ignore that:

Entering command shell
o")~
++ [0] /home/russ/ramdisk/defcon.pcap...

Snort Subscriber Rules Update 2021-06-15 Research (Jun 15)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the browser-ie, deleted,
file-flash, file-image, file-multimedia, file-other,
indicator-compromise, malware-cnc, os-linux, os-other, os-windows,
protocol-dns, protocol-icmp, protocol-other, server-other and
server-webapp rule sets to provide coverage for emerging threats from
these...

features for handling elephant flows markj200 via Snort-devel (Jun 14)
Are there any upcoming features planned for load balancing of elephant
flows across multiple packet threads?

Any pointers to information on this gratefully received.

Thanks
Mark

Re: Negate Content - Snort Rules Joel Esler (jesler) via Snort-sigs (Jun 12)
Also, the answer is “because you can’t do a relative match to something that doesn’t exist (distance:1; within:10;)”.

So, in order to do what you want to do, you have to do the positive match and then read backwards. Which is why I ask
what the error you’re receiving is

—
Sent from my  iPad

Re: Negate Content - Snort Rules Joel Esler (jesler) via Snort-sigs (Jun 12)
What is the error you’re receiving?

—
Sent from my  iPad

Negate Content - Snort Rules João Pedro Lola via Snort-sigs (Jun 12)
Hello All,

In a snort rule, why can´t i have two negate contents and third not negate content? If i can, how do I write it to work?

Example:

alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNA_NET $HTTP_PORTS (
msg:"a message...";
flow:stateless;
content:!"|76 69 64 65 6f 2f 6d 70 65 67|"; offset:13; depth:10;
content:!"|61 75 64 69 6f 2f 6d 70 65 67|"; distance:1; within:10;
content:"|61 75 64 69 6f 2f 6d 70 65...

Snort Subscriber Rules Update 2021-06-10 Research (Jun 10)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the malware-cnc,
malware-other, os-other, policy-other and server-webapp rule sets to
provide coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Re: how to reload the config of appid odp dir ? 15135147016--- via Snort-devel (Jun 09)
15135147016 () 163 com

From: Costas Kleopa (ckleopa)
Date: 2021-06-10 10:59
To: 15135147016 () 163 com
CC: snort-openappid () lists snort org
Subject: Re: [Snort-devel] how to reload the config of appid odp dir ?
Moving to the snort-openappid () lists snort org distribution.

Can you confirm what version of snort you are using?

Thanks,
Costas

how to reload the config of appid odp dir ?

15135147016 () 163 com

More Lists

Related Resources

We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.