SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.
Re: npcap 1.50 receiving too many packets.
Daniel Miller (Jul 01)
Michael,
Thanks for pointing this out. I'll investigate and get back to you. The
extra packets I believe are "protocol unreachable" errors that we had
previously been stripping out within Npcap. We had removed the code that
stripped them from the packet stream in the interest of transparency and
simplicity, so the solution is likely to restore that code, but I will
investigate other ways as well.
Dan
On Thu, Jun 24, 2021 at 4:37...
Known issues with nmap and TOE?
Brian Milliron (Jul 01)
Recently I had an nmap scan (flags -n -A and -p 1-65535) DoS a
customer's network. This is the first time I have encountered this so I
did some digging to find out what went wrong. The scan logs stop on
some network hardware from Chelsio Communications. I'm not familiar
with them, but they sell a line of products that seem to be involved
in some kind of TCP offloading which they call Unified Wire and
Protocol Acceleration. From what I...
Italian translation revision
Vincenzo Reale (Jun 30)
Hi all,
I spotted several typos in the current Italian translation, so I decided to
provide an almost complete revision.
A deeper revision will follow soon.
Attached you'll find it.
Best regards,
Vincenzo
npcap 1.50 receiving too many packets.
Michael D. Lawler (Jun 24)
This worked fine with 1.31 as the number of sent and received packets
were equal. This is with Win 10 19043.1081. Let me know what I can
do to help. Also notice the results are not always the same; I show
two runs below.
Starting Nping 0.7.91 ( https://nmap.org/nping ) at 2021-06-24 17:28
Eastern Daylight Time
SENT (0.0460s) ICMP [127.0.0.1 > 127.0.0.1 Echo request
(type=8/code=0) id=6783 seq=1] IP [ttl=64 id=22972 iplen=28 ]
SENT...
Re: Error getting nmap to read hosts from file
Robin Wood (Jun 08)
Not with nmap, but I've seen similar issues with other tools so recognised
that type of error.
Glad it is fixed.
Robin
Re: Error getting nmap to read hosts from file
Kurt Buff (Jun 08)
Genius.
Notepad said it was UTF-16 LE. I changed it to ASCII and it's working.
This was an export from our SIEM as a CSV in UTF-8, from which I extracted
the hosts with PowerShell and lightly edited with Notepad++. I suppose
somewhere in there it got converted, probably by PowerShell.
Definitely something to keep in mind.
Thank you very much.
Kurt
Re: Error getting nmap to read hosts from file
Robin Wood (Jun 08)
My money is on file encoding, can you check what encoding the file is using?
Robin
Error getting nmap to read hosts from file
Kurt Buff (Jun 08)
All,
I'm getting an error trying to run a simple scan with Nmap, as shown.
Running in a CMD session on Win10 20H2. Scans with Zenmap work when not
using a file, as does Nmap. It's just when trying to use a file that I get
this very strange output. I've upgraded npcap from 1.10 to 1.31, and get
the same behavior out of both.
Am I doing something ignorant/stupid, or have I stumbled upon a bug?
Further information gladly provided....
Re: NPCAP GitHub Security Advisories
Daniel Miller (May 04)
I would like to add a clarification on the libpcap CVEs: since libpcap is a
user-mode DLL (wpcap.dll in the Npcap installation), it is not capable of
crashing the entire system. Instead, the impact of any CVEs would be
limited to the application and user that is using the DLL. For specifics on
the particular CVEs addressed, see the libpcap changelog at
https://www.tcpdump.org/libpcap-changes.txt
Dan
Re: NPCAP GitHub Security Advisories
Gordon Fyodor Lyon (May 01)
Hi Jay. Good questions, and I'm glad you like Nmap and Npcap! We are not
using GitHub's security feature at present. If we issued a security
advisory for Npcap or Nmap, we would likely host it ourselves. But Github
adds that tab to all projects by default and, from a quick glance at
settings, I don't see an obvious way to remove it. I think your best bet
is to sign up for release announcements through GitHub and look for...
NPCAP GitHub Security Advisories
Sethi, Jay (May 01)
Hello nmap dev team!
I work for Manitoba Hydro, a utility in Manitoba, Canada. We use nmap (and NPCAP!). As part of NERC CIP compliance, we
are required to check regularly for security advisories. I recently noticed the following on the GitHub page:
The npcap change log notes a few releases that resolve CVEs
npcap/CHANGELOG.md at master · nmap/npcap · GitHub <https://github.com/nmap/npcap/blob/master/CHANGELOG.md>
(For example, Npcap...
Better interface names reported by pcap_findalldevs
Dmytro Ovdiienko (May 01)
Feature Request: nping to flag incorrect or curtailed ICMP echo payload
Alex Ferenstein (May 01)
Hi Nmap development mailing list, some time ago I emailed Gordon, asking for a
feature to flag disparity of echo-replied payload compared to that which
was sent. Can it be implemented, or have I missed an existing feature?
R’s, Alex
------------------------------
Hi Gordon,
thank you for making nmap/nping. I have a feature request for nping.
As you know, “The echo reply is an ICMP message generated in response to an
echo request; *it is...
zenmap crash in Fedora 34
louzaoh (Apr 22)
This is the message I've got:
➜ zenmap
File "/usr/bin/zenmap", line 114
except ImportError, e:
^
SyntaxError: invalid syntax
➜ rpm -qa zenmap\*
zenmap-7.91-1.noarch
Regards,
Nmap Bug in payload.cc: corrupted UDP packets during -sU scan
mzet via dev (Apr 02)
Hi List,
It was observed that UDP packets sent during a UDP port scan (-sU) are corrupted.
Background:
To make UDP scanning more effective, for many services (ports) Nmap takes the content of UDP packets from the nmap-payloads
file. The logic for handling this is implemented in the payload.cc source file.
Issue:
Due to a subtle implementation issue (introduced in...
Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Npcap 1.50 Release Brings Nmap & Wireshark to Windows ARM devices
Gordon Fyodor Lyon (Jun 28)
Hi folks. The Nmap Project is pleased to release Npcap version 1.50 at
https://npcap.org. There are many improvements in this release, but the
one we're most excited about is support for the ARM architecture! This
allows apps like Nmap and Wireshark to run for the first time on a newer
generation of hardware which often includes all-day battery life and
always-on LTE/5G capabilities. Devices vary from the $349 Samsung Galaxy
Book Go...
Npcap 1.30 Released: Raw WiFi + Better Performance
Gordon Fyodor Lyon (Apr 12)
Hi folks. The Nmap Project is pleased to release Npcap Version 1.30 at
https://npcap.org. We hope Nmap and Wireshark users will be especially
happy with the raw WiFi improvements, since you tend to be particularly
savvy about low-level network inspection. It turns out that some of the
issues we thought were caused by lower level hardware drivers were actually
bugs in our driver. Oops! But at least that means we can fix them
ourselves, and we did....
Npcap 1.20 released
Gordon Fyodor Lyon (Mar 16)
Nmap/Npcap Community:
I'm happy to report the release of version 1.20 of the Npcap Windows packet
capturing/sending driver! It's the first release of 2021 and includes
better capabilities for selecting timestamp methods as well as many other
improvements and bug fixes. These include updating the underlying libpcap
library to version 1.10 and building our installer now with NSIS 3. More
details on all this are available from the...
Nmap 7.91 Bugfix Release
Gordon Fyodor Lyon (Oct 14)
Hello everyone. I'm glad Nmap 7.90 was so well received! There were so
many improvements that the official announcement (
https://seclists.org/nmap-announce/2020/1) was a bit unwieldy. So Daniel
Miller (who made most of those changes) Tweeted his top highlights at
https://twitter.com/bonsaiviking/status/1313247253197393920
While we do work hard to avoid bugs during development and to catch them
pre-release through continuous integration...
Nmap 7.90 Released! First release since August 2019.
Gordon Fyodor Lyon (Oct 03)
Hello everyone. Hot on the heels of the big Npcap 1.00 release (
https://seclists.org/nmap-announce/2020/0), we're delighted to announce a
new Nmap--version 7.90! It's the first Nmap release since Defcon 2019, even
though we've made 16 Npcap releases since then. Raw packets are so
fundamental to Nmap that we really wanted to get it right. With the
production-ready and highly performant Npcap 1.00 driver included, we can
finally...
Npcap 1.00 was just released and a new Nmap is on the way!
Gordon Fyodor Lyon (Sep 28)
Hello everyone. I hope you are all safe and well during this nasty
pandemic. I obviously haven't been wearing my marketing hat enough given
that this is my first mail to the Nmap Announcement list since last
August's Nmap 7.80 release. But we've been heads-down programming since
then and have great news to report!
The biggest news is that, after more than 7 years of development and 170
previous public releases, we're...
Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
CVE-2021-35523: Local Privilege Escalation in Securepoint SSL VPN Client 2.0.30
Florian Bogner via Fulldisclosure (Jun 29)
Local Privilege Escalation in Securepoint SSL VPN Client 2.0.30
Metadata
===================================================
Release Date: 29-Jun-2021
Author: Florian Bogner @ https://bee-itsecurity.at
Affected product: Securepoint SSL VPN Client
Fixed in: version 2.0.32
Tested on: Windows 10 x64 fully patched
CVE: CVE-2021-35523
URL: https://bogner.sh/2021/06/local-privilege-escalation-in-securepoint-ssl-vpn-client-2-0-30/
Vulnerability...
Constructor.Win32.Bifrose.asc / Local Stack Buffer Overflow (Heap Corruption)
malvuln (Jun 27)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/9e1ef166901534c276b5eeeee511fe22.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Constructor.Win32.Bifrose.asc
Vulnerability: Local Stack Buffer Overflow (Heap Corruption)
Description: Bifrost doesn't properly validate the IP address when
importing Bifrost settings (.set) files. The IP address offset is located
after a...
Trojan-Dropper.Win32.Scrop.dyi / Insecure Permissions
malvuln (Jun 27)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/af207a19fbe313e3f7e123b6b2acffd4.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Trojan-Dropper.Win32.Scrop.dyi
Vulnerability: Insecure Permissions
Description: The malware creates a hidden dir named "gFnFILdc" with
insecure permissions under c:\ drive and grants change (C) permissions to
the authenticated user...
Email-Worm.Win32.Trance.a / Insecure Permissions
malvuln (Jun 27)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/ca18a07560efa0308827dc972351301f.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Email-Worm.Win32.Trance.a
Vulnerability: Insecure Permissions
Description: The malware creates a dir named "DCA" and VBS file "log.vbs"
with insecure permissions under c:\ drive and grants change (C) permissions
to the...
Trojan-Dropper.Win32.Krepper.a / Unauthenticated Remote Command Execution
malvuln (Jun 27)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/ee699b4055c6199f9826681797d64f0b.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Trojan-Dropper.Win32.Krepper.a
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on TCP port 10002 and drops several
executables under Windows dir. Third-party attackers who can reach infected
systems can...
Trojan-Dropper.Win32.Juntador.a / Weak Hardcoded Password
malvuln (Jun 27)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/f28e866ce2f99013a66b015f6a7f31a8.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Trojan-Dropper.Win32.Juntador.a
Vulnerability: Weak Hardcoded Password
Description: The malware listens on TCP ports 7826 and 13013 and drops
executables under the Windows dir. Authentication is required for remote
user access. However, the...
Trojan.Win32.Banpak.kh / Insecure Permissions
malvuln (Jun 27)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/304fb160949dcaec3e718481464f9ce6.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Trojan.Win32.Banpak.kh
Vulnerability: Insecure Permissions
Description: The malware creates a dir with insecure permissions under c:\
drive and grants change (C) permissions to the authenticated user group.
Standard users can rename the executable...
Trojan.Win32.SecondThought.ak / Insecure Permissions
malvuln (Jun 27)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/21cd8bab6b3569f7b375a69a37e36c50.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Trojan.Win32.SecondThought.ak
Vulnerability: Insecure Permissions
Description: The malware creates a dir with insecure permissions under c:\
drive and grants change (C) permissions to the authenticated user group.
Standard users can rename the...
Backdoor.Win32.ReverseTrojan.200 / Authentication Bypass Empty Password
malvuln (Jun 27)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/3fbec7c0623f5f80e4d9c096a50b0d59.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.ReverseTrojan.200
Vulnerability: Authentication Bypass Empty Password
Description: ReverseTrojan by satan_addict listens on TCP ports 12000 and
21. The malware accepts empty credentials for authentication as the default
settings...
Using the Android USB Driver to Extract Data as USB Mass Storage Device
Roman Fiedler (Jun 27)
Due to a hardware failure I was searching for a convenient
and efficient way to copy all internal storage of a mostly broken,
powered off, hardware locked, encrypted phone. The only things
still working to interact with the phone were the USB connector
and power on/volume keys. It was not possible to use the touch
screen, extract any partition data via fastboot, access the ADB
interface, connect via WIFI or use any other common remote access...
Backdoor.Win32.Hupigon.aaio / Remote Stack Buffer Overflow
malvuln (Jun 22)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/c38cd09fd5ebd1f0cc378804b2da08c4.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.Hupigon.aaio
Vulnerability: Remote Stack Buffer Overflow
Description: The malware listens on TCP ports 8200,8201,8202,8203 and UDP
ports 8200,8204. Third-party attackers who can reach an infected host can
trigger a classic remote...
SYSS-2021-032 Admin Columns WordPress Plug-In - Persistent Cross-Site Scripting
Johannes Lauinger (Jun 22)
Advisory ID: SYSS-2021-032
Product: Admin Columns WordPress Plug-In
Manufacturer: Codepress
Affected Version(s): <5.5.2 (Pro version), <4.3.2 (Free version)
Tested Version(s): 5.5.1 (Pro version), 4.3 (Free version)
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2021-05-28
Solution...
Trojan-Dropper.Win32.Googite.b / Unauthenticated Remote Command Execution
malvuln (Jun 18)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/4a8d6bc838c09c6701abfa8b283fd0de.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Trojan-Dropper.Win32.Googite.b
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on TCP ports 3388, 4488 and 10002 and
drops executables under both Windows and SysWOW64 dirs. Third-party
attackers who can...
Trojan.Win32.Alien.erf / Directory Traversal
malvuln (Jun 18)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/57ab194d8c60ee97914eda22e4d71b68_C.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Trojan.Win32.Alien.erf
Vulnerability: Directory Traversal
Description: The malware deploys a Web server AM6WebMgr.exe (JAO build 809)
listening on TCP port 1789. Third-party attackers who can reach an infected
host can read any file on the...
Trovent Security Advisory 2105-01 / CVE-2021-32612: VeryFitPro unencrypted cleartext transmission of sensitive information
Stefan Pietsch (Jun 18)
# Trovent Security Advisory 2105-01 #
#####################################
Unencrypted cleartext transmission of sensitive information
###########################################################
Overview
########
Advisory ID: TRSA-2105-01
Advisory version: 1.0
Advisory status: Public
Advisory URL: https://trovent.io/security-advisory-2105-01
Affected product: VeryFitPro Android mobile application (com.veryfit2hr.second)
Tested versions:...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
Re: [SECURITY] [DSA 4628-1] php7.0 security update
Timesportsall (Jan 16)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4628-1 security (at) debian (dot) org [email concealed]
https://www.debian.org/security/ Moritz Muehlenhoff
February 18, 2020 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : php7.0
CVE ID : CVE-2019-11045 CVE-2019-11046 CVE-2019-11047
CVE-2019-11050 CVE-2020-7059...
Re: BugTraq Shutdown
tommypickle (Jan 16)
All old school hackers from UPT remember and want to show respect. Thanks for everything.
On Second Thought...
alias (Jan 16)
Bugtraq has been a valuable institution within the Cyber Security community for
almost 30 years. Many of our own people entered the industry by subscribing to it
and learning from it. So, based on the feedback we've received both from the
community-at-large and internally, we've decided to keep the Bugtraq list running.
We'll be working in the coming weeks to ensure that it can remain a valuable asset
to the community for years to...
BugTraq Shutdown
alias (Jan 15)
2020 was quite the year, one that saw many changes. As we begin 2021, we wanted
to send one last note to our friends and supporters at the SecurityFocus BugTraq
mailing list. As many of you know, assets of Symantec were acquired by Broadcom
in late 2019, and some of those assets were then acquired by Accenture in 2020
(https://newsroom.accenture.com/news/accenture-completes-acquisition-of-broadco
ms-symantec-cyber-security-...
Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
CarolinaCon-15 is April 26-28, 2019 in Charlotte NC - Call For Papers/Presenters is now open
Vic Vandal (Feb 03)
We are pleased to announce that CarolinaCon-15 will be on April 26th-28th 2019 in Charlotte NC at the Renaissance
Charlotte Suites. All who are interested in speaking on any topic in the realm of hacking, cybersecurity, technology,
science, robotics or any related field are invited to submit a proposal to present at the con. Full disclosure that
technology or physical security exploitation type submissions are most desirable for this storied...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
44CON 2018 - 12th-14th September, London (UK)
Steve (Feb 28)
44CON 2018 is the UK's best annual Security Conference and Training event. The conference spans 2.5 days with training
on the 10th and 11th of September, a free evening event on the 12th of September, and a full two-day conference on the
13th and 14th of September. The event takes place at the ILEC Conference Centre near Earls Court, London. 44CON 2018
includes catering, private bus bar and Gin O'Clock breaks. Early Bird discounted...
RootedCON Security Conference - 1-3 March, Madrid (Spain)
omarbv (Feb 11)
On the occasion of the ninth edition of RootedCON, the most important
computer security conference in the country, around 2,000 hackers will
meet to discuss new questions and research about the cybersecurity
world, with its risks and threats. National and international experts
have included in their agendas this mandatory appointment to discuss new
vulnerabilities, viruses, and other threats; they will also talk about
countermeasures in order...
Info Security News — Carries news items (generally from mainstream sources) that relate to security.
Ransomware: Why one city chose to the pay the ransom after falling victim
InfoSec News (Aug 12)
https://www.zdnet.com/article/ransomware-why-one-city-chose-to-the-pay-the-ransom-after-falling-victim/
By Danny Palmer
ZDNet.com
August 12, 2020
A US city has explained why it gave into the demands of cyber criminals
and paid a ransom demand of $45,000 following a ransomware attack.
Lafayette, Colorado fell victim to ransomware on July 27, which encrypted
the city's computer networks and caused disruptions to phone services,
email and...
0-days, a failed patch, and a backdoor threat. Update Tuesday highlights
InfoSec News (Aug 12)
https://arstechnica.com/information-technology/2020/08/update-tuesday-fixes-2-0days-and-botched-patch-for-a-backdoor-threat/
By Dan Goodin
Ars Technica
08/12/2020
Microsoft on Tuesday patched 120 vulnerabilities, two that are notable
because they’re under active attack and a third because it fixes a
previous patch for a security flaw that allowed attackers to gain a
backdoor that persisted even after a machine was updated.
Zero-day...
OCR warns hospitals of HIPAA compliance scams
InfoSec News (Aug 12)
https://www.healthcareitnews.com/news/ocr-warns-hospitals-apparent-hipaa-compliance-scams
By Mike Miliard
Healthcare IT News
August 11, 2020
The Office for Civil Rights at the U.S. Department of Health and Human
Services has warned health systems about what appears to be something of
an old-fashioned and low-tech phishing attempt: fraudulent postcards, most
addressed to hospital privacy officers, that warn of noncompliance with a
mandatory...
The Secret SIMs Used By Criminals to Spoof Any Number
InfoSec News (Aug 12)
https://www.vice.com/en_us/article/n7w9pw/russian-sims-encrypted
By Joseph Cox
Vice.com
August 12, 2020
The unsolicited call came from France. Or at least that's what my phone
said. When I picked up, a man asked if I worked with the National Crime
Agency, the UK's version of the FBI. When I explained, no, as a journalist
I don't give information to the police, he said why he had contacted me.
"There are these special SIM...
North Korean Hacking Group Attacks Israeli Defense Industry
InfoSec News (Aug 12)
https://www.nytimes.com/2020/08/12/world/middleeast/north-korea-hackers-israel.html
By Ronen Bergman and Nicole Perlroth
nytimes.com
Aug. 12, 2020
TEL AVIV -- Israel claimed Wednesday that it had thwarted a cyberattack by
a North Korea-linked hacking group on its classified defense industry.
The Defense Ministry said the attack was deflected “in real time” and that
there was no “harm or disruption” to its computer systems.
However,...
FBI says an Iranian hacking group is attacking F5 networking devices
InfoSec News (Aug 11)
https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/
By Catalin Cimpanu
Zero Day
ZDNet.com
August 10, 2020
A group of elite hackers associated with the Iranian government has been
detected attacking the US private and government sector, according to a
security alert sent by the FBI last week.
While the alert, called a Private Industry Notification, didn't identify
the hackers by name,...
Pen Test Partners: Boeing 747s receive critical software updates over 3.5" floppy disks
InfoSec News (Aug 11)
https://www.theregister.com/2020/08/10/boeing_747_floppy_drive_updates_walkthrough/
By Gareth Corfield
The Register
08/10/2020
DEF CON -- Boeing 747-400s still use floppy disks for loading critical
navigation databases, Pen Test Partners has revealed to the infosec
community after poking about one of the recently abandoned aircraft.
The eye-catching factoid emerged during a DEF CON video interview of PTP's
Alex Lomas, where the man...
US Cyber Command is using unclassified networks to fight election interference
InfoSec News (Aug 10)
https://www.c4isrnet.com/cyber/2020/08/10/us-cyber-command-is-using-unclassified-networks-to-fight-election-interference/
By Mark Pomerleau
C4ISRNET.com
08/10/2020
WASHINGTON -- U.S. Cyber Command is using unclassified networks and
publicly available communication platforms as it works to prevent foreign
interference in the next presidential election, a CYBERCOM official has
revealed.
“From a CYBERCOM standpoint, one of the big changes...
New England guardsmen test their skills in Cyber Yankee 2020
InfoSec News (Aug 03)
https://www.c4isrnet.com/cyber/2020/08/03/new-england-guardsmen-test-their-skills-in-cyber-yankee-2020/
By Mark Pomerleau
C4ISRNET.com
08/03/2020
Members of the National Guard from New England states concluded a two-week
cyber exercise that sought to test the cyber skills of guardsmen and
critical infrastructure operators.
Cyber Yankee 2020, which took place July 21-31 in New Hampshire, involved
more than 200 National Guard members and...
Travel management company CWT hands over $4.5M following ransomware attack
InfoSec News (Aug 03)
https://siliconangle.com/2020/08/02/travel-management-company-cwt-hands-4-5m-following-ransomware-attack/
By Duncan Riley
SiliconAngle.com
08/02/2020
Business travel management company CWT Global B.V. is the latest company
to pay a ransom demand following a ransomware attack.
According to a report Friday by Reuters, the company paid $4.5 million to
those behind the ransomware after the attack knocked some 30,000 of the
company’s computers...
DOD, FBI, DHS release info on malware used in Chinese government-led hacking campaigns
InfoSec News (Aug 03)
https://www.cyberscoop.com/taidoor-malware-report-china-cisa-dod-fbi/
By Shannon Vavra
CYBERSCOOP
August 3, 2020
The U.S. government publicly put forth information Monday that exposed
malware used in Chinese government hacking efforts for more than a decade.
The Chinese government has been using malware, referred to as Taidoor, to
target government agencies, entities in the private sector, and think
tanks since 2008, according to a joint...
Leaky S3 buckets have gotten so common that they're being found by the thousands now, with lots of buried secrets
InfoSec News (Aug 03)
https://www.theregister.com/2020/08/03/leaky_s3_buckets/
By Shaun Nichols in San Francisco
The Register
3 Aug 2020
The massive amounts of exposed data on misconfigured AWS S3 storage
buckets is a catastrophic network breach just waiting to happen, say
experts.
The team at Truffle Security says its automated search tools were able to
stumble across some 4,000 open Amazon S3 buckets that included data
companies would not want public, things...
House Republicans introduce legislation to give states $400 million for elections
InfoSec News (Aug 03)
https://thehill.com/policy/cybersecurity/510362-house-republicans-introduce-legislation-to-give-states-400-million-for
By Maggie Miller
The Hill
08/03/2020
A group of House Republicans on Monday introduced legislation that would
appropriate $400 million to states to address election challenges stemming
from the COVID-19 pandemic.
The Emergency Assistance for Safe Elections (EASE) Act would designate
$200 million to assist with sanitizing...
Zoom private meeting passwords were easily crackable
InfoSec News (Jul 30)
https://www.itnews.com.au/news/zoom-private-meeting-passwords-were-easily-crackable-551095
By Juha Saarinen
itnews.com.au
July 31, 2020
The automatically generated passwords protecting private Zoom meetings
could be cracked with relative ease, allowing access to sensitive
conferences, a researcher has discovered.
Web site developer Tom Anthony decided on March 31 this year to see if he
could crack the password for private Zoom meetings....
Pentagon needs access to defense companies' networks to hunt cyberthreats, says commission
InfoSec News (Jul 30)
https://www.c4isrnet.com/cyber/2020/07/30/pentagon-needs-access-to-defense-companies-networks-to-hunt-cyberthreats-says-commission/
By Mark Pomerleau
C4ISRNET.com
July 30, 2020
WASHINGTON -- The Pentagon must be able to hunt cyberthreats on the
private networks of defense companies in order to strengthen national
cybersecurity, according to one of the leaders of the Cyber Solarium
Commission.
Rep. Mike Gallagher, R-Wis., who co-chairs the...
Firewall Wizards — Tips and tricks for firewall administrators
Revival?
Paul Robertson (Sep 11)
Since the last few attempts to revive the list have failed, I'm going to attempt a Facebook group revival experiment.
It'll be a bit broader in scope, but I'm hoping we can discuss technical security matters. The new group is
Security-Wizards on Facebook.
Paul
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
Faraday Beta V3.0 Released
Francisco Amato (Jul 04)
Faraday helps you to host your own vulnerability management platform
now and streamline your team in one place.
We are pleased to announce the newest version of Faraday v3.0. In this
new version we have made major architecture changes to adapt our
software to the new challenges of cyber security. We focused on
processing large data volumes and on making it easier for the user to
interact with Faraday in its environment.
To install it you can...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
"Hack the Planet"
Dave Aitel via Dailydave (May 20)
Ok ya'll - you're letting me down. There's a thousand ways you and your
friends can use 10k to improve the world - engineering a solution nobody
would pay for because it's not something you can put at a booth at RSAC.
EVERYONE ON THIS LIST needs to either submit for a grant, or find someone
who will submit for a grant. You're telling me not one of those
superhackers at Microsoft and Google can find a...
Plausible.
Dave Aitel via Dailydave (Apr 11)
A while back I was chatting with someone at INFILTRATE, over fried
alligator and more alcohol than I probably should have imbibed, and he
said, "We're going to make fuzzing obsolete, because we have more CPUs on
the problem than anyone can reasonably duplicate, and we're going to
exhaust the space".
And it's PLAUSIBLE in a way. I've watched a few of the live streams that
Brandon Falk does, and you can see how like,...
News Roundups!
Dave Aitel via Dailydave (Feb 01)
So lately I've been doing little news roundups on the YouTubes....
Yesterday's is here: https://youtu.be/xgiymt_0isY
Neal Stephenson, in his most recent book, *Fall*, had a character that was
an interesting play on the traditional fantasy "giant" in the sense that
she was normal size, but fractally dense. I feel like we are living that
kind of time - in the sense that gravity is really a measure of how much
stuff is happening...
Re: Fully Automated CONOPs Exercise
Pukhraj Singh via Dailydave (Jan 28)
Folks like Joe Slowik
<https://www.youtube.com/watch?v=n7XqxRXwFZ4&ab_channel=CYBERWARCON>, Grugq
<https://www.blackhat.com/docs/webcast/12142017-the-triple-a-threat.pdf>and you
<https://cybersecpolitics.blogspot.com/2016/09/the-stern-stewart-summit-germany-and.html>(Dave)
have long tried to articulate the CONOPS for worms. In their current
forms, worms look like IO packages in full-spectrum missions. Ignoring...
Re: Fully Automated CONOPs Exercise
Dave Aitel via Dailydave (Jan 28)
I mean, the goal of the question is to start putting some meat on the idea
of what "harm" is and how that is reflected both from a policy and
technical perspective. But also: It's useful to put some real definitions
around what is required to make people comfortable with fully-automated
techniques.
I don't think the idea that we are going to come up with and enforce norms
is as useful as figuring out what the norms really are...
Re: Fully Automated CONOPs Exercise
Dave Dittrich via Dailydave (Jan 28)
Did any of them mention international humanitarian law, specifically
discrimination, respecting territory of neutral ("green") actors and
their infrastructure, and avoiding harm to neutral third parties and
non-combatants? The problem with most worms is the inability to
accurately discriminate targets and resulting harm. This is an area
where technical experts need to be balanced with operators and policy
makers to ensure that...
Fully Automated CONOPs Exercise
Dave Aitel via Dailydave (Jan 27)
So one of my new fav questions to ask policy teams is what they would do if
they were told to switch their offensive team entirely to worms. Nothing
else. Just worms. What needs to change to make that happen - from op tempo
to supply chain to personnel to policy and technological investment.
And how would their defensive team need to change strategically if they
were facing such an offensive team.
It's a fun thing to see people wrap their...
"Severely lacking".
Dave Aitel via Dailydave (Jan 20)
Recently I read this post from Maddie Stone of Google's Project Zero:
https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html
. In particular, it has a bolded line of "*As a community, our ability to
detect 0-days being used in the wild is severely lacking to the point that
we can’t draw significant conclusions due to the lack of (and biases in)
the data we have collected.*" which is the most...
[mm4.emwd.com] Please Confirm Your E-mail Address
noreply (Jan 07)
Hello from mm4.emwd.com!
You're receiving this e-mail because user SeclistsDD has given yours as an e-mail address to connect their account.
To confirm this is correct, go to
https://lists.aitelfoundation.org/accounts/confirm-email/MzAw:1kxbbR:J_gxtLGlz_7WONRMX9blDLA1rXc/
Thank you from mm4.emwd.com!
mm4.emwd.com
Re: The Lost Decade of Security Metrics
Andre Gironda via Dailydave (Jan 05)
MITRE ATK > CVE/CVSS
Enterprise v8 is more granular than ever before for vuln purposes, but
always has been extensive for threat purposes
If you want to express CVEs in maldocs or malware (including webshells) may
I suggest Yara and/or Suricata (maybe shortcuts such as JA3 or JARM if TLS
applies)?
If you want to express CVEs in runtime app infra may I suggest
caldera_pathfinder? e.g., this is heartbleed --...
Re: The Lost Decade of Security Metrics
toby via Dailydave (Jan 05)
I don't think you are wrong but your comparison of CVSS and the multiple
(also separately bad) metrics for a WAF isn't effective or accurate.
The values going into CVSS have something in common; they are attempts to
characterize the importance of the vulnerability in question. You are
making (have made before) the claim that the importance of a vulnerability
is too variable and specific to an environment or an attack scenario to be...
Re: The Lost Decade of Security Metrics
Chuck McAuley via Dailydave (Jan 05)
Throughput* is perhaps the wrong unit of measure. Most of the time you would be interested in measuring
“requests/second” or “transactions/second”. Aside from say a content ingesting site/repeater
(facebook/twitter/instagram), almost all content for a WAF to handle is inbound, using low amounts of available
bandwidth. The outbound content is rarely inspected by such a device, with the exception of 5xx error or similar
(headers).
A...
The Lost Decade of Security Metrics
Dave Aitel via Dailydave (Jan 05)
A thousand years ago I subscribed to the Security Metrics mailing list.
Metrics are important - or rather, I think good decision making is
important, and without metrics your decision making is essentially luck.
But we haven't seen any progress on this in a decade, and I wanted to talk
about the meta-reason why: Oversimplification in the hopes of scaling.
There's a theme in security metrics, a deep Wrong, that the community
cannot...
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
BHIS Sorta Top Used Tools of 2018
John - Black Hills Information Security (Dec 06)
Free Webcast
Hello all,
For our next webcast we will cover some of the core tools we use all the time at Black Hills Information Security.
However, there will be a twist. We will not talk about Nessus, Nmap, or Metasploit. Why? Because there are a ton of new
(and older) tools we use that fall outside of the standard tools you see in every security book/blog out there.
Basically, we are trying to be edgy and different.
You may want to come...
BHIS Webcast - Tues 10/2 @ 11am MDT
John Strand - Black Hills Information Security (Sep 26)
Hello All,
In this next webcast I want to cover what I am doing with the BHIS Systems team to create a C2/Implant/Malware test
bed. Testing our C2/malware solutions is important because vendors tend to lie or over-hype their capabilities. I will
cross reference some different malware specimens to the MITRE ATT&CK framework and we will cover how you can use these
techniques to test your defensive solutions at both the endpoint and the...
BHIS Webcast: The PenTest Pyramid of Pain 9/4 - 11am MDT
Sierra - Black Hills Information Security (Aug 29)
Hello!
How are you all? We had a fantastic webcast last week with John Strand and Chris Brenton and we're still working
through some unexpected hiccups to get the recording up and posted. The podcast version is on our blog, and the YouTube
version will be posted shortly on the Active Countermeasures channel and blog as well. Thanks for all of you who
ventured over to attend!
Ready for another awesome BHIS webcast? Dakota is back and...
Webcast with CJ: Tues 7/24 at 11am
Sierra - Black Hills Information Security (Jul 19)
Our upcoming webcast will be about POLICY...
Did you check out when you heard “policy”? Policy can often seem like a drudgery, but it’s also an important and
potentially overlooked part of business and procedure; it’s the framework on which security is really built!
CJ, our COO and Head of Sales has experience writing, assessing and implementing policies for many different kinds of
companies. And if you are worried it will be dry and...
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
Honeypot malware archives
Matteo Cantoni (Feb 14)
Hello everyone,
I would like to share with you, for educational purposes and without any
commercial purpose, data collected by my homemade honeypot.
Nothing new, nothing shocking, nothing sensational... but I think it can
be of interest to newcomers to the world of analysis of malware,
botnets, etc... maybe for a thesis.
The files collected are divided into zip archives, in alphabetical
order, with a password (which must be requested via email). Some...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Update Minor Revisions
Microsoft (Dec 11)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: December 11, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision
increment:
* CVE-2018-8172
Revision Information:
=====================
- CVE-2018-8172 | Visual Studio Remote Code Execution
Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Nov 14)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: November 14, 2018
********************************************************************
Summary
=======
The following CVEs and advisory have undergone a minor revision
increment:
* CVE-2018-8454
* CVE-2018-8552
* ADV990001
Revision Information:
=====================
- CVE-2018-8454 | Windows Audio Service...
Microsoft Security Update Minor Revisions
Microsoft (Oct 24)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 24, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision increment:
* CVE-2018-8512
Revision Information:
=====================
- CVE-2018-8512 | Microsoft Edge Security Feature Bypass
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 19)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 19, 2018
********************************************************************
Summary
=======
The following CVE has been added to the October 2018 Security updates:
* CVE-2018-8569
Revision Information:
=====================
- CVE-2018-8569 | Yammer Desktop Application Remote Code Execution
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 17)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 17, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
* CVE-2010-3190
Revision Information:
=====================
- CVE-2010-3190 | MFC Insecure Library Loading Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 9, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision increment:
* CVE-2018-8531
Revision Information:
=====================
- CVE-2018-8531 | Azure IoT Device Client SDK Memory Corruption
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 9, 2018
********************************************************************
Summary
=======
The following CVE has been added to the October 2018 Security updates:
* CVE-2018-8292
Revision Information:
=====================
- CVE-2018-8292 | .NET Core Information Disclosure Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 9, 2018
********************************************************************
Summary
=======
The following bulletin has undergone a major revision increment:
* MS11-025
Revision Information:
=====================
- https://docs.microsoft.com/en-us/security-updates/
SecurityBulletins/2011/ms11-025:...
Microsoft Security Update Summary for October 9, 2018
Microsoft (Oct 09)
********************************************************************
Microsoft Security Update Summary for October 9, 2018
Issued: October 9, 2018
********************************************************************
This summary lists security updates released for October 9, 2018.
Complete information for the October 2018 security update release can
be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>.
Please note the...
Microsoft Security Update Releases
Microsoft (Oct 02)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 2, 2018
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment:
* CVE-2018-0952
Revision Information:
=====================
- CVE-2018-0952 | Diagnostic Hub Standard Collector Elevation of
Privilege Vulnerability
-...
Microsoft Security Advisory Notification
Microsoft (Sep 12)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 12, 2018
********************************************************************
Security Advisories Released or Updated on September 12, 2018
===================================================================
* Microsoft Security Advisory ADV180022
- Title: Windows Denial of Service Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Sep 12)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: September 12, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a minor revision increment:
* CVE-2018-8421
* CVE-2018-8468
Revision Information:
=====================
- CVE-2018-8421 | .NET Framework Remote Code Execution
Vulnerability...
Microsoft Security Update Summary for September 11, 2018
Microsoft (Sep 11)
********************************************************************
Microsoft Security Update Summary for September 11, 2018
Issued: September 11, 2018
********************************************************************
This summary lists security updates released for September 11, 2018.
Complete information for the September 2018 security update release can
be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>....
Microsoft Security Update Releases
Microsoft (Sep 11)
********************************************************************
Title: Microsoft Security Update Releases
Issued: September 11, 2018
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment:
* CVE-2018-8154
Revision Information:
=====================
- CVE-2018-8154 | Microsoft Exchange Memory Corruption
Vulnerability
-...
Microsoft Security Advisory Notification
Microsoft (Sep 11)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 11, 2018
********************************************************************
Security Advisories Released or Updated on September 11, 2018
===================================================================
* Microsoft Security Advisory ADV180002
- Title: Guidance to mitigate speculative execution...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Verizon: 1.5M of Contact Records Stolen, Now on Sale
Jeffrey Walton (Mar 26)
http://www.mobipicker.com/verizon-1-5m-contact-records-stolen-now-sale/:
A business to business telecommunication giant,
Verizon Enterprise Solutions, a Basking Ridge,
New Jersey-based company, has been the latest
victim of a cyber crime that stole 1.5 million contact
records of the customers of Verizon...
I don't quite understand this double talk. Could someone explain to me:
A spokesperson from Verizon said that...
Statement on Lavabit Citation in Apple Case
Jeffrey Walton (Mar 16)
(From John Young on another list):
http://www.facebook.com/KingLadar/posts/10156714933135038
As many of you already know, the government cited the Lavabit case in
a footnote. The problem is their description insinuates a precedent
that was never created. Obviously I was somewhat disturbed by their
misrepresentation. So I decided to draft a statement. And keep in
mind, these are the same people who say "trust us." Click continue to
read...
The NSA's back door has given every US secret to our enemies
Jeffrey Walton (Feb 29)
http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2
Deng Xiaoping, in 1979 - his second year as supreme leader of China -
perceived a fundamental truth that has yet to be fully grasped by most
Western leaders: Software, if properly weaponized, could be far more
destructive than any nuclear arsenal.
Under Deng’s leadership, China began one of the most ambitious and
sophisticated meta-software...
Can Spies Break Apple Crypto?
Jeffrey Walton (Feb 27)
Here's an interesting exchange between Cryptome and Michael Froomkin,
Law Professor at University of Miami, on the All Writs Act
(http://cryptome.org/2016/02/can-spies-break-apple-crypto.htm):
-----
A. Michael Froomkin:
The factual posture in the key Supreme Court precedent, New York
Telephone, involved a situation where only the subject of the order
was capable of providing the assistance at issue. This is the basis
for Apple's...
The FBI's iPhone Problem: Tactical vs. Strategic Thinking
Jeffrey Walton (Feb 23)
http://www.technewsworld.com/story/83130.html
I'm an ex-sheriff, and I've been in and out of security jobs for much
of my life, so I've got some familiarity with the issues underlying
the drama between the FBI and Apple. FBI officials -- and likely those
in every other three-letter agency and their counterparts all over the
world -- would like an easier way to do their jobs. Wouldn't we all?
If they could put cameras in...
Wanted: Cryptography Products for Worldwide Survey
Jeffrey Walton (Jan 01)
(http://www.schneier.com/crypto-gram/archives/2015/1215.html):
In 1999, Lance Hoffman, David Balenson, and others published a survey
of non-US cryptographic products. The point of the survey was to
illustrate that there was a robust international market in these
products, and that US-only export restrictions on strong encryption
did nothing to prevent its adoption and everything to disadvantage US
corporations. This was an important contribution...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
Mozilla Releases Security Update for Thunderbird
US-CERT (Jul 17)
National Cyber Awareness System:
Mozilla Releases Security Update for Thunderbird [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/17/mozilla-releases-security-update-thunderbird ] 07/17/2020
10:50 AM EDT
Original release date: July 17, 2020
Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. An attacker could exploit
some of these...
Microsoft Releases Security Update for Edge
US-CERT (Jul 17)
National Cyber Awareness System:
Microsoft Releases Security Update for Edge [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/17/microsoft-releases-security-update-edge ] 07/17/2020 10:53 AM
EDT
Original release date: July 17, 2020
Microsoft has released a security update to address a vulnerability in Edge (Chromium-based). An attacker could exploit
this vulnerability to drop...
AA20-198A: Malicious Cyber Actor Use of Network Tunneling and Spoofing to Obfuscate Geolocation
US-CERT (Jul 17)
National Cyber Awareness System:
AA20-198A: Malicious Cyber Actor Use of Network Tunneling and Spoofing to Obfuscate Geolocation [
https://us-cert.cisa.gov/ncas/alerts/aa20-198a ] 07/16/2020 08:09 AM EDT
Original release date: July 16, 2020
Summary
"This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) and Pre-ATT&CK
frameworks....
CISA Releases Emergency Directive on Critical Microsoft Vulnerability
US-CERT (Jul 16)
National Cyber Awareness System:
CISA Releases Emergency Directive on Critical Microsoft Vulnerability [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/cisa-releases-emergency-directive-critical-microsoft-vulnerability
] 07/16/2020 03:28 PM EDT
Original release date: July 16, 2020
The Cybersecurity and Infrastructure Security Agency (CISA) has released Emergency Directive...
Apple Releases Security Updates
US-CERT (Jul 16)
National Cyber Awareness System:
Apple Releases Security Updates [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/apple-releases-security-updates ] 07/16/2020 11:17 AM EDT
Original release date: July 16, 2020
Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of
these vulnerabilities to take control of an...
Malicious Activity Targeting COVID-19 Research, Vaccine Development
US-CERT (Jul 16)
National Cyber Awareness System:
Malicious Activity Targeting COVID-19 Research, Vaccine Development [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/malicious-activity-targeting-covid-19-research-vaccine-development
] 07/16/2020 07:16 AM EDT
Original release date: July 16, 2020
In response to malicious activity targeting COVID-19 research and vaccine development in the United...
Cisco Releases Security Updates for Multiple Products
US-CERT (Jul 15)
National Cyber Awareness System:
Cisco Releases Security Updates for Multiple Products [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/15/cisco-releases-security-updates-multiple-products ]
07/15/2020 03:19 PM EDT
Original release date: July 15, 2020
Cisco has released security updates to address vulnerabilities affecting multiple products. An unauthenticated, remote
attacker...
Oracle Releases July 2020 Security Bulletin
US-CERT (Jul 14)
National Cyber Awareness System:
Oracle Releases July 2020 Security Bulletin [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/oracle-releases-july-2020-security-bulletin ] 07/14/2020
05:21 PM EDT
Original release date: July 14, 2020
Oracle has released its Critical Patch Update for July 2020 to address 433 vulnerabilities across multiple products. A
remote attacker could...
Google Releases Security Updates for Chrome
US-CERT (Jul 14)
National Cyber Awareness System:
Google Releases Security Updates for Chrome [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/google-releases-security-updates-chrome-0 ] 07/14/2020 04:51
PM EDT
Original release date: July 14, 2020
Google has released Chrome version 84.0.4147.89 for Windows, Mac, and Linux. This version addresses vulnerabilities
that an attacker could exploit...
Google Releases Security Updates for Chrome
US-CERT (Jul 14)
National Cyber Awareness System:
Google Releases Security Updates for Chrome [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/google-releases-security-updates-chrome ] 07/14/2020 02:45 PM
EDT
Original release date: July 14, 2020
Google has released Chrome version 84.0.4147.89 for Windows, Mac, and Linux. This version addresses vulnerabilities
that an attacker could exploit to...
Microsoft Releases July 2020 Security Updates
US-CERT (Jul 14)
National Cyber Awareness System:
Microsoft Releases July 2020 Security Updates [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/microsoft-releases-july-2020-security-updates ] 07/14/2020
02:13 PM EDT
Original release date: July 14, 2020
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could
exploit some of these...
Microsoft Addresses 'Wormable' RCE Vulnerability in Windows DNS Server
US-CERT (Jul 14)
National Cyber Awareness System:
Microsoft Addresses 'Wormable' RCE Vulnerability in Windows DNS Server [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/microsoft-addresses-wormable-rce-vulnerability-windows-dns-server
] 07/14/2020 02:14 PM EDT
Original release date: July 14, 2020
Microsoft has released a security update to address a remote code execution (RCE)...
Adobe Releases Security Updates for Multiple Products
US-CERT (Jul 14)
National Cyber Awareness System:
Adobe Releases Security Updates for Multiple Products [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/adobe-releases-security-updates-multiple-products ]
07/14/2020 01:18 PM EDT
Original release date: July 14, 2020
Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit
some of...
Apache Releases Security Advisories for Apache Tomcat
US-CERT (Jul 14)
National Cyber Awareness System:
Apache Releases Security Advisories for Apache Tomcat [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/apache-releases-security-advisories-apache-tomcat ]
07/14/2020 11:33 AM EDT
Original release date: July 14, 2020
The Apache Software Foundation has released security advisories to address multiple vulnerabilities in Apache Tomcat.
An attacker...
AA20-195A: Critical Vulnerability in SAP NetWeaver AS Java
US-CERT (Jul 13)
National Cyber Awareness System:
AA20-195A: Critical Vulnerability in SAP NetWeaver AS Java [ https://us-cert.cisa.gov/ncas/alerts/aa20-195a ]
07/13/2020 07:07 PM EDT
Original release date: July 13, 2020
Summary
On July 13, 2020 EST, SAP released a security update to address a critical vulnerability, CVE-2020-6287 [
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6287 ],...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
Django: CVE-2021-35042: Potential SQL injection via unsanitized QuerySet.order_by() input
Mariusz Felisiak (Jul 01)
https://www.djangoproject.com/weblog/2021/jul/01/security-releases/
In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the
Django team is issuing
`Django 3.2.5 <https://docs.djangoproject.com/en/dev/releases/3.2.5/>`_ and
`Django 3.1.13 <https://docs.djangoproject.com/en/dev/releases/3.1.13/>`_.
These releases address the security issue with severity "high"...
CVE-2021-26920: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended
Jihoon Son (Jul 01)
Severity: low
Description:
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP
InputSource allows authenticated users to read data from other sources than intended, such as the local file system,
with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid
directly, since Druid also provides the Local InputSource, which allows...
Plone: stored XSS in folder contents
Maurits van Rees (Jun 30)
A very good day to all you lovely people!
Matt Moreschi discovered a vulnerability in Plone and reported it to the
security list, security () plone org.
In Plone 5.0.0 through 5.2.4, Editors are vulnerable to XSS in the
folder contents view, if a Contributor has created a folder with a
SCRIPT tag in the description field.
Full information is here:
https://plone.org/security/hotfix/20210518/stored-xss-in-folder-contents
Since we had recently...
Multiple vulnerabilities in Jenkins and Jenkins plugins
Daniel Beck (Jun 30)
Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.
The following releases contain fixes for security vulnerabilities:
* Jenkins 2.300
* Jenkins LTS 2.289.2
* CAS Plugin 1.6.1
* requests-plugin 2.2.7, 2.2.8, and 2.2.13
* Selenium HTML report Plugin 1.1
Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:...
CVE-2020-28200: Dovecot Pigeonhole Sieve excessive resource usage
Aki Tuomi (Jun 28)
Open-Xchange Security Advisory 2021-06-28
Affected product: Dovecot IMAP Server
Vendor: OX Software GmbH
Internal reference: DOV-4159
Vulnerability type: Uncontrolled Resource Consumption (CWE-400)
Vulnerable version: ancient
Vulnerable component: sieve
Report confidence: Confirmed
Solution status: Fix available
Researcher credits: Innokentii Sennovskii from BI.ZONE (rumata)
Vendor notification: 2020-09-23
CVE reference: CVE-2020-28200
CVSS:...
CVE-2021-33515: Dovecot SMTP Submission service STARTTLS injection.
Aki Tuomi (Jun 28)
Open-Xchange Security Advisory 2021-06-28
Affected product: Dovecot IMAP Server
Vendor: OX Software GmbH
Internal reference: DOP-2421
Vulnerability type: Cryptographic Issues (CWE-310)
Vulnerable version: 2.3
Vulnerable component: submission
Report confidence: Confirmed
Solution status: Fixed in 2.3.x
Researcher credits: Fabian Ising and Damian Poddebniak of Münster University of Applied Sciences.
Vendor notification: 2021-05-21
CVE reference:...
CVE-2021-29157: Dovecot oauth2 JWT local validation path traversal
Aki Tuomi (Jun 28)
Open-Xchange Security Advisory 2021-06-28
Affected product: Dovecot IMAP Server
Vendor: OX Software GmbH
Internal reference: DOP-2159
Vulnerability type: Path Traversal (CWE-24)
Vulnerable version: 2.3.11
Vulnerable component: oauth2
Report confidence: Confirmed
Solution status: Fixed in 2.3.15
Researcher credits: Kirin of Tencent Security Xuanwu Lab.
Vendor notification: 2021-03-22
CVE reference: CVE-2021-29157
CVSS: 6.7...
Re: CVE-2021-22543 - /dev/kvm LPE
Eduardo' Vela" <Nava> (Jun 26)
https://github.com/torvalds/linux/commit/f8be156be163a052a067306417cd0ff679068c97
fixed
this issue.
FW: An out-of-bound read/write in fsi driver
Luo Likang (Jun 25)
Because of my mistake, I took a normal bug as a security bug and reported it
to linux-distros; linux-distros requested that I notify oss-security since these
bugs were deemed not to be a security vulnerability, and no embargo was set.
Because copy_from_user has some checks, -1 does not cause
out-of-bounds access, and there are lots of checks in fsi_check_access().
The following is the original of my report:
I found an oob read/write bug in function...
CVE-2021-3600 - Linux kernel eBPF 32-bit source register truncation on div/mod
Thadeu Lima de Souza Cascardo (Jun 23)
It was discovered that eBPF 32-bit div/mod source register truncation could
lead to out-of-bounds reads and writes in the kernel.
It was introduced by commit 68fda450a7df ("bpf: fix 32-bit divide by zero"). It
was first introduced in 4.15-rc9, but backported and applied to v4.14.y, v4.9.y
and v4.4.y. However, this specific attack will not work on v4.4.y and v4.9.y
kernels as pointer arithmetic is prohibited on those kernels. This was...
CVE-2021-26461: Apache NuttX (incubating): malloc, realloc and memalign implementations are vulnerable to integer wrap-arounds
Brennan Ashton (Jun 21)
Description:
Apache Nuttx (incubating) versions prior to 10.1.0 are vulnerable to
integer wrap-around in functions malloc, realloc and memalign. This
improper memory assignment can lead to arbitrary memory allocation,
resulting in unexpected behavior such as a crash or a remote code
injection/execution.
This issue is also known as BadAlloc
Credit:
Apache NuttX would like to thank Omri Ben-Bassat of Section 52 at Azure
Defender for IoT of...
[CVE-2021-33624] Linux kernel BPF protection against speculative execution attacks can be bypassed to read arbitrary kernel memory
Adam Morrison (Jun 21)
The Linux kernel BPF subsystem's protection against speculative
execution attacks (Spectre mitigation) can be bypassed.
On affected systems, an unprivileged BPF program can exploit this
vulnerability to leak the contents of arbitrary kernel memory (and
therefore, of all physical memory) via a side-channel.
The issue is that when the kernel's BPF verifier enumerates the
possible execution paths of a BPF program, it skips any branch...
Re: CVE-2021-3609: Race condition in net/can/bcm.c leads to local privilege escalation
Thadeu Lima de Souza Cascardo (Jun 19)
And here is the proposed fix:
https://lore.kernel.org/netdev/20210619161813.2098382-1-cascardo () canonical com/T/#u
Regards.
Thadeu Cascardo.
CVE-2021-3609: Race condition in net/can/bcm.c leads to local privilege escalation
Norbert Slusarek (Jun 19)
Hello,
this is an announcement for the recently reported bug (CVE-2021-3609)
in the CAN BCM networking protocol in the Linux kernel ranging from
version 2.6.25 to mainline 5.13-rc6.
The vulnerability is a race condition in net/can/bcm.c allowing for local
privilege escalation to root. The issue was initially reported by syzbot and
proven to be exploitable by Norbert Slusarek.
The CAN BCM networking protocol allows to register a CAN message...
Vulnerability in Jenkins Generic Webhook Trigger Plugin
Daniel Beck (Jun 18)
Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.
The following releases contain fixes for security vulnerabilities:
* Generic Webhook Trigger Plugin 1.74
Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2021-06-18/
We provide advance notification for security...
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
Silver Bullet 123: Yanek Korff
Gary McGraw (Jul 06)
hi sc-l,
The latest installment of Silver Bullet was posted this morning. Silver Bullet episode 123 features a conversation
with Yanek Korff. Yanek worked for many years at Cigital as a system administrator back in the early days. He then
moved on to operational security work at AOL and running managed security services at Mandiant.
We talk about managing technical people in this episode. We also discuss operational security. Have a...
Educause Security Discussion — Securing networks and computers in an academic environment.
Re: [EXTERNAL] [SECURITY] Cyber Defense Operations research - survey
Bridges, Robert A. (Jul 01)
Greg and Shouhuai,
As a research group we’d really be interested in this data/study. Please let us know if / when you are ready to present
the data/findings.
Thanks
Bobby
Robert A. Bridges, PhD
Acting Cybersecurity Research Group Leader
Oak Ridge National Laboratory
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Greg Williams
<gwillia5 () UCCS EDU>
Reply-To: The EDUCAUSE...
Cyber Defense Operations research - survey
Greg Williams (Jul 01)
(Apologize for any cross-posting)
Dear Colleagues,
I'm working with an academic research team led by Professor Shouhuai Xu (https://xu-lab.org) at the University of
Colorado Colorado Springs (UCCS). The team has created a survey aiming to collect information on, and characterize, the
state of automation in cyber defense operations (i.e., cyber defense automation). The findings of this study will be
reported back to the community in an...
0-day exploit widely circulating for the Printnightmare vulnerability
Alex Keller (Jun 30)
Details are still emerging but 0-day exploit code is widely circulating for the Printnightmare vulnerability. Exploit
requires authentication using a standard domain user account and allows for remote code execution as SYSTEM (root) on
most recent versions of Windows OS (e.g. Win10, 2012R2, 2016, 2019) where the Print Spooler service is running, which
by default includes Domain Controllers:
...
Re: [External] [SECURITY] Privileged Users
Napier, Mark E (Jun 29)
We do.
There’s a form to fill out that asks about use case — why it is needed. Also what types of data will be stored and
manipulated and what services (ssh, https, etc) will be exposed to the network.
Faculty can request on their own, staff and grad students need a supervisor to signal support for the request. There
have been instances where the use case statement allowed us to educate end users of other means of getting the job done.
Call for participation
Corn, Michael (Jun 29)
Hi everyone,
The 2021 NSF large facility security summit has opened its call for participation. This is a persistently terrific
conference - note that the CFP closes Friday, so please sharpen those pencils and submit a proposal!
thanks
MC
https://www.trustedci.org/2021-summit-cfp
----------------------
Michael Corn | Chief Information Security Officer
mcorn () ucsd edu
University of California San Diego | ITS - Information Technology Services...
Re: Miro
Nick Lewis (Jun 28)
Hi Emilie,
I’m not familiar with Miro, but the NET+ team has talked with them. They are talking now about participating in the
Cloud Scorecard. We’ve got the contacts working with Miro listed at:
https://spaces.at.internet2.edu/x/xhWJCQ
Happy to loop you in on that conversation if it would be helpful?
Thanks,
Nick
Nick Lewis, MS, MA, CISSP
Program Manager, NET+ Cloud Services - Security and Identity
Internet2
nlewis () internet2 edu...
Miro
Emilie Kunze (Jun 25)
Good morning,
We have several faculty members that are interested in using Miro. Anyone
have any experience with it? Any input from the security perspective? Any
concerns?
Thank you,
Emilie
<https://austincc.edu/>
Emilie Kunze
IT Security Analyst Sr.
Acting Information Security Officer
Office of Information Technology
ekunze () austincc edu | o 512-223-1157
ACC Information Security
<...
Join our team! Systems Administrator & IT Security Analyst
Wood, Anne (wood) (Jun 25)
Good morning!
The Campus Technology and Library Services team at Juniata College is currently searching for a Systems
Administrator<https://juniata.peopleadmin.com/postings/881> and an IT Security
Analyst<https://juniata.peopleadmin.com/postings/883>. Both positions are strategically important to our institution,
team, and future! We are a small private liberal arts institution in a naturally beautiful and rural part of central...
Re: Staff Directory on Web
Foss, Henry L. (Jun 24)
We strip display names from non-university domains. So fraudsters trying to disguise themselves as university employees
- sending from a Gmail address, for example - end up being revealed as their sender name. And we also embed a yellow
banner and warning that the sender is external.
We make this part of our new hire training also so word gets out to the user community.
-Hank
From: The EDUCAUSE Security Community Group Listserv <SECURITY...
Re: Staff Directory on Web
randy (Jun 24)
I don't like having staff directories behind a login page. For example, I
was trying to contact my counterpart at another EDU about a security issue
but didn't have their contact info. Couldn't go to their directory because
it was behind a portal.
We forget sometimes the directory is not so much for internal people as it
is for external.
Having said that, if you tell your faculty/staff their work contact info is
available to the...
Re: Staff Directory on Web
Barton, Robert W. (Jun 24)
Afternoon,
We have talked about the first two items. We would have departments available on the web site (department email,
phone, office number). We would need to establish emails for all departments with communication plans (who is
monitoring? who has access? who is primary?). We have not discussed item three, but if they have a department
contact, communications could be initiated.
Robert W. Barton
Executive Director of Information...
Re: Staff Directory on Web
Telfer, Will (Jun 24)
Baylor's directory is behind authentication as well, but many of the items mentioned below can be found on the various
departmental web pages (at least the generic front desk number is made public and/or faculty/staff email addresses).
Thank You,
Will Telfer, M.S.
Identity and Authentication Analyst
Information Technology Services
Follow BaylorITS & look for the #BearAware:
Twitter: @BaylorITS
Facebook: facebook.com/BaylorITS
Website:...
Re: Staff Directory on Web
Lovaas,Steven (Jun 24)
For those of you who have closed off faculty/staff directories (or moved to requiring authentication to see them), I'd
be interested in hearing how you provide for boot-strapping contact needs like:
* Community members/press/others wanting to ask an expert
* Faculty of other institutions wanting to initiate collaboration
* Potential grad students wanting to explore faculty advisors
Thanks,
Steve...
Re: Staff Directory on Web
James Monek (Jun 24)
We did have our directory available publicly at one time but since then we
require authentication to view and search. We did this for the obvious
reasons as you have noted.
Jim
On Thu, Jun 24, 2021 at 1:56 PM Barton, Robert W. <bartonrt () lewisu edu>
wrote:
Re: Staff Directory on Web
Blake Brown (Jun 24)
We moved ours behind the firewall to the Intranet a few years back due to the security concerns mentioned below. The damage
was already done with the previous emails exposed, but it should help with newer ones.
There was some pushback from faculty, but it was minor and after some conversations they understood the reasons why.
Thanks,
Blake Brown
________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY ()...
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: FreeBSD's ping Integrates IPv6
Mark Tinka (Jul 03)
I don't mind it. I was just surprised by it. Which also speaks to what
Randy and others have said... it could break tooling if folk aren't aware.
Not a drama; can be fixed.
Mark.
Re: UCEPROTECT-NETWORK
Bjoern Franke (Jul 02)
You want to appear on their cart00ney site?
Regards
Weekly Routing Table Report
Routing Analysis Role Account (Jul 02)
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.
The posting is sent to APOPS, NANOG, AfNOG, SANOG, PacNOG, SAFNOG
TZNOG, MENOG, BJNOG, SDNOG, CMNOG, LACNOG and the RIPE Routing WG.
Daily listings are sent to bgp-stats () lists apnic net
For historical data, please see http://thyme.rand.apnic.net.
If you have any comments please contact Philip Smith <pfsinoz...
Re: STIR/SHAKEN implementation in effect today (June 30 2021)
Michael Thomas (Jul 02)
People who are actually interested in this subject are well advised to
read this thoroughly because it equally applies to SIP spam with a
system far less complex and far fewer gaping security holes as STIR.
https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-hu.pdf
Mike
Re: Layer 2 based anycast - Kind like GLBP - Research
Dobbins, Roland (Jul 02)
As others have pointed out, what you’re describing isn’t anycast, nor anything directly to do with high availability.
There are multiple well-understood frameworks which can be used to do what you’re describing.
This is strictly a layer-7 issue, nothing to do with layer-2 nor anycast. There’s no need to get down into the
networking weeds to accomplish what you appear to be trying to accomplish.
Just do it all at layer-7....
Re: FreeBSD's ping Integrates IPv6
Niels Bakker (Jul 02)
* randy () psg com (Randy Bush) [Fri 02 Jul 2021, 18:48 CEST]:
On the one hand, yes. On the other hand, Linux had already made this
change for ping specifically. Almost all other tools you'd use
regularly are dual-stack by default that follow what's configured for
the system to prefer (for FreeBSD that's ip6addrctl_policy): tools
like telnet, ssh, mtr all follow the system default with -4 and -6
command-line options to...
Re: FreeBSD's ping Integrates IPv6
Randy Bush (Jul 02)
pola breakage. especially fun if you have tools which run on both sides
of the koolaid.
randy
---
randy () psg com
`gpg --locate-external-keys --auto-key-locate wkd randy () psg com`
signatures are back, thanks to dmarc header butchery
Re: STIR/SHAKEN implementation in effect today (June 30 2021)
Michael Thomas (Jul 02)
Those who fail to understand the Usenet Death Penalty are doomed to
(not) repeat it.
Mike
Re: STIR/SHAKEN implementation in effect today (June 30 2021)
Paul Timmins (Jul 02)
Fun part is that just because it's a telnyx number with a checkmark, it
doesn't mean the call came from Telnyx, just that the call came from a
carrier that gave the call attestation A. As the carrier, we can see who
signed the call (it's an x509 certificate, signed by the STI-PA, with
the carrier's name and OCN in it) and hold them accountable for the
traffic, which is huge.
But that's where the confusion will lie -...
Re: FreeBSD's ping Integrates IPv6
Mark Tinka (Jul 02)
Thanks for the feedback, Patrick. This is great!
This led me to test the same on the family Windows 10 (21H1 version)
machine, and Microsoft are doing the same, which is great to see.
Mark.
Re: FreeBSD's ping Integrates IPv6
Mark Tinka (Jul 02)
This is a good point, as it's the same reason I discovered this today. A
transient IPv6 issue on a specific host broke NTP, and when I tried to
ping the NTP time servers during troubleshooting, it hung for a while
because IPv6 was broken.
Mark.
Re: FreeBSD's ping Integrates IPv6
Niels Bakker (Jul 02)
* mark@tinka.africa (Mark Tinka) [Fri 02 Jul 2021, 16:02 CEST]:
Yes, this broke some of my home network monitoring. Sadly there is no
'ping4' in the system, you have to add -4 to the commandline to return
to the common BSD behaviour.
-- Niels.
Re: FreeBSD's ping Integrates IPv6
Patrick Cole (Jul 02)
Mark,
iputils-ping on linux seems to behave the same for quite some time...
[z@tyl][~] % host ns0
ns0.spirit.net.au has address 27.113.240.197
ns0.spirit.net.au has IPv6 address 2403:3600:8002::100
[z@tyl][~] % ping ns0
PING ns0(2403:3600:8002::100 (2403:3600:8002::100)) 56 data bytes
64 bytes from 2403:3600:8002::100 (2403:3600:8002::100): icmp_seq=1 ttl=63 time=0.344 ms
64 bytes from 2403:3600:8002::100 (2403:3600:8002::100): icmp_seq=2...
FreeBSD's ping Integrates IPv6
Mark Tinka (Jul 02)
Hi all.
I just noticed (although it appears to have come in version 13.0) that
FreeBSD's "ping" app now defaults to IPv6, i.e., no need for ping6:
https://www.freebsd.org/cgi/man.cgi?query=ping&sektion=8&format=html
Does anyone know whether other *nix systems are doing this now?
My Mac (Catalina) still requires ping6, and I don't have any recent
Linux systems handy.
#ThisIsGood
Mark.
Re: STIR/SHAKEN implementation in effect today (June 30 2021)
Nick Olsen (Jul 02)
Not all have implemented it yet. But if you haven't, you were supposed to
implement some kind of robo calling mitigation plan (or at least certify
that you have one). At $dayjob we're fully deployed (inbound and outbound).
I received my first ever STIR/SHAKEN signed (iPhone Check mark, highly
scientific) spam call on my personal Cell phone on 6/30. It was a Telnyx
number. Had the call terminated to $dayjob network. I fully would have...
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 32.74
RISKS List Owner (Jun 30)
RISKS-LIST: Risks-Forum Digest Wednesday 30 June 2021 Volume 32 : Issue 74
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.74>
The current issue can also be found at
<...
Risks Digest 32.73
RISKS List Owner (Jun 29)
RISKS-LIST: Risks-Forum Digest Tuesday 29 June 2021 Volume 32 : Issue 73
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.73>
The current issue can also be found at
<...
Risks Digest 32.72
RISKS List Owner (Jun 22)
RISKS-LIST: Risks-Forum Digest Tuesday 22 June 2021 Volume 32 : Issue 72
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.72>
The current issue can also be found at
<...
Risks Digest 32.71
RISKS List Owner (Jun 12)
RISKS-LIST: Risks-Forum Digest Saturday 12 June 2021 Volume 32 : Issue 71
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.71>
The current issue can also be found at
<...
Risks Digest 32.70
RISKS List Owner (Jun 05)
RISKS-LIST: Risks-Forum Digest Saturday 5 June 2021 Volume 32 : Issue 70
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.70>
The current issue can also be found at
<...
Risks Digest 32.69
RISKS List Owner (May 30)
RISKS-LIST: Risks-Forum Digest Sunday 30 May 2021 Volume 32 : Issue 69
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.69>
The current issue can also be found at
<...
Risks Digest 32.68
RISKS List Owner (May 21)
RISKS-LIST: Risks-Forum Digest Friday 21 May 2021 Volume 32 : Issue 68
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.68>
The current issue can also be found at
<...
(no subject)
RISKS List Owner (May 21)
Risks Digest 32.67
RISKS List Owner (May 13)
RISKS-LIST: Risks-Forum Digest Thursday 13 May 2021 Volume 32 : Issue 67
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.67>
The current issue can also be found at
<...
Risks Digest 32.66
RISKS List Owner (May 12)
RISKS-LIST: Risks-Forum Digest Wednesday 12 May 2021 Volume 32 : Issue 66
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.66>
The current issue can also be found at
<...
Risks Digest 32.65
RISKS List Owner (May 09)
RISKS-LIST: Risks-Forum Digest Sunday 9 May 2021 Volume 32 : Issue 65
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.65>
The current issue can also be found at
<...
Risks Digest 32.64
RISKS List Owner (May 04)
RISKS-LIST: Risks-Forum Digest Tuesday 4 May 2021 Volume 32 : Issue 64
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.64>
The current issue can also be found at
<...
(no subject)
RISKS List Owner (May 04)
Risks Digest 32.63
RISKS List Owner (Apr 30)
RISKS-LIST: Risks-Forum Digest Friday 30 April 2021 Volume 32 : Issue 63
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.63>
The current issue can also be found at
<...
Risks Digest 32.62
RISKS List Owner (Apr 25)
RISKS-LIST: Risks-Forum Digest Sunday 25 April 2021 Volume 32 : Issue 62
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.62>
The current issue can also be found at
<...
BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.
Leaked Babuk Locker ransomware builder used in new attacks
Sophia Kingsbury (Jul 02)
https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/
A leaked tool used by the Babuk Locker operation to create custom
ransomware executables is now being used by another threat actor in a very
active campaign targeting victims worldwide.
Babuk Locker was a ransomware operation that launched at the beginning of
2021 when it began targeting corporate victims and stealing their data in...
NewsBlur restores service in 10 hours after ransomware attack
Sophia Kingsbury (Jul 02)
https://www.scmagazine.com/home/security-news/ransomware/newsblur-hit-by-ransomware-because-of-docker-glitch-but-restores-service-in-10-hours/
Turns out the recent story about the personal news reader NewsBlur being
down for several hours last week following a data exposure has a happy
ending: the owner retained an original copy of the database that was
compromised and restored the service in 10 hours.
The actual database exposure was caused by...
Domain, server of DoubleVPN used by ransomware gangs seized
Sophia Kingsbury (Jul 02)
https://www.hackread.com/doublevpn-domain-server-ransomware-gangs-seized/
A collaborative effort between Europe, Canada, and US law enforcement
authorities has served a big blow to threat actors. According to a press
release from Europol, they have seized the web domains, customer logs, and
server infrastructure of a double-encryption service called DoubleVPN.
Authorities claim that DoubleVPN was being used by threat actors to perform
malicious...
Public Windows PrintNightmare 0-day exploit allows domain takeover
Sophia Kingsbury (Jul 02)
https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/
Technical details and a proof-of-concept (PoC) exploit have been
accidentally leaked for a currently unpatched vulnerability in Windows that
allows remote code execution.
Despite the need for authentication, the severity of the issue is critical
as threat actors can use it to take over a Windows domain server to easily
deploy...
New charges filed against Capital One hacker, trial postponed to 2022
Sophia Kingsbury (Jul 01)
https://therecord.media/new-charges-filed-against-capital-one-hacker-trial-postponed-to-2022/
The US government has filed a superseding indictment against Paige A.
Thompson, a former Amazon engineer accused of hacking Capital One and
stealing the personal data of more than 100 million Americans.
According to court documents filed earlier this month and obtained by The
Record, the US Department of Justice has added seven new charges on top of...
Probe under way into hacking attempts against aircraft manufacturer KAI
Sophia Kingsbury (Jul 01)
http://www.koreaherald.com/view.php?ud=20210630000946
Korea Aerospace Industries (KAI), South Korea's sole aircraft manufacturer,
suffered hacking attempts, and many documents are believed to have been
leaked, possibly including sensitive data on major projects, sources said
Wednesday.
KAI's system appeared to have been hacked twice this year by unidentified
entities, and "a large quantity of documents" seems to have been...
Colombia catches hacker wanted in the U.S. for ‘Gozi’ virus
Sophia Kingsbury (Jul 01)
https://apnews.com/article/caribbean-europe-colombia-technology-cd1c18d7de7e86e9e1088e1881f15a35
Colombian officials say they have arrested a Romanian hacker who is wanted
in the U.S. for distributing a virus that infected more than a million
computers from 2007 to 2012.
Mihai Ionut Paunescu faces computer intrusion and banking fraud charges in
New York, where prosecutors say he was part of a ring of criminals that
developed and spread the...
The builder for Babuk Locker ransomware was leaked online
Sophia Kingsbury (Jul 01)
https://www.cyberdefensemagazine.com/the-builder/
The Record first reported that the builder for the Babuk Locker ransomware
was leaked online, threat actors could use it to create their own version
of the popular ransomware.
The Babuk Locker operators halted their operations at the end of April
after the attack against the Washington, DC police department. Experts
believe that the decision of the group to leave the ransomware practice
could be...
Maryland water company investigating ransomware attack
Sophia Kingsbury (Jun 30)
https://www.itpro.co.uk/security/ransomware/360030/maryland-water-company-investigating-ransomware-attack
WSSC Water, a water company in Maryland, is investigating a ransomware
attack that hit parts of its business in May.
According to reports from WJZ13 Baltimore, the attack happened on May 24,
and the company removed the malware just hours later. According to WSSC
Water, criminals accessed internal files but did not affect water quality....
Data for 700M LinkedIn Users Posted for Sale in Cyber-Underground
Sophia Kingsbury (Jun 30)
https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/
A new posting with 700 million LinkedIn records has appeared on a popular
hacker forum, according to researchers.
Analysts from Privacy Sharks stumbled across the data put up for sale on
RaidForums by a hacker calling himself “GOD User TomLiner.” The
advertisement, posted June 22, claims that 700 million records are included
in the cache, and included a sample of 1...
Lawsuits: Patients 'Harmed' by Scripps Health Cyberattack
Sophia Kingsbury (Jun 30)
https://www.govinfosecurity.com/lawsuits-patients-harmed-by-scripps-health-cyberattack-a-16953
Several proposed class action lawsuits filed against Scripps Health in the
wake of a recent ransomware attack that compromised data for nearly 150,000
individuals allege the incident put personal and health information at risk
for identity theft and fraud. But at least one of the lawsuits also claims
that the network disruption resulted in delayed...
Waikato DHB ransomware attack: Documents released online
Sophia Kingsbury (Jun 30)
https://www.rnz.co.nz/news/national/445735/waikato-dhb-ransomware-attack-documents-released-online
RNZ has been shown screenshots of what appears to be a link to a directory
of sensitive information.
The list of documents suggests it includes data of patients and staff.
It has been six weeks since a ransomware attack crippled its systems and
forced a massive overhaul of its operations.
The ransomware attack brought the DHB's hospitals...
Data Breach Involving Mercedes-Benz Exposes SSNs and Credit Card Numbers
Sophia Kingsbury (Jun 29)
https://heimdalsecurity.com/blog/mercedes-benz-data-breach-exposes-ssns-credit-card-numbers/
It looks like the Mercedes-Benz data breach exposed important information
such as credit card information, social security numbers, and driver
license numbers of under 1,000 Mercedes-Benz customers and potential buyers.
In order to determine how significant the impact of the data breach
was, the company started by assessing 1.6 million customer...
Hybrid phishing and vishing attacks imitate business workflows
Sophia Kingsbury (Jun 29)
https://www.scmagazine.com/home/security-news/phishing/hybrid-phishing-and-vishing-attacks-hunt-for-credit-card-info/
A new report shines a light on the malicious practice known as voice
phishing or vishing – a social engineering tactic that some cyber experts
say has only grown in prominence since COVID-19 forced employees to work
from home.
And in some instances the technique is being used to supplement email-based
phishing attempts....
SolarWinds hackers breach Microsoft support agent to target customers
Sophia Kingsbury (Jun 29)
https://www.itpro.co.uk/security/cyber-attacks/360017/solarwinds-hackers-target-microsoft-customers
Microsoft has confirmed that some of its customers have been targeted by
the Russian state-backed hacking group responsible for last year’s
SolarWinds cyber attack after successfully compromising an employee's
computer.
Known as Nobelium, the group was found to have engaged in “password spray
and brute-force attacks” on the tech...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
nullcon se7en CFP is open
nullcon (Aug 25)
Dear Friends,
Welcome to nullcon se7en!
$git commit -a <sin>
<sin> := wrath | pride | lust | envy | greed | gluttony | sloth
nullcon is an annual security conference held in Goa, India. The focus
of the conference is to showcase the next generation of offensive and
defensive security technology. We happily open doors to researchers
and hackers around the world working on the next big thing in security
and request...
Ruxcon 2015 Final Call For Presentations
cfp (Jul 05)
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of September, 2015.
.[x]. About Ruxcon .[x]....
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Re: here is dead link.
Gerald Combs (Jul 02)
Fixed. Thanks!
Re: warning LNK4291: module may contain '__except' but was not compiled with /guard:ehcont
chuck c (Jul 02)
Yes. Thanks!
Re: warning LNK4291: module may contain '__except' but was not compiled with /guard:ehcont
Graham Bloice (Jul 02)
And backing out MR 3229 with "git revert -n ebb8703a" allows incremental
rebuilds again.
Re: warning LNK4291: module may contain '__except' but was not compiled with /guard:ehcont
chuck c (Jul 02)
LNK4291 first time after deleting wsbuild64 and rebuilding with
cmake -G "Visual Studio 16 2019" -A x64 ..\wireshark
libmaxminddb.lib(maxminddb.c.obj) : warning LNK4291: module may
contain '__except' (Structured Exception Handling)
but was not compiled with /guard:ehcont; generating conservative metadata
[C:\Development\wsbuild64\mmdbresolve.vcxproj]
After a code change, it is...
Re: warning LNK4291: module may contain '__except' but was not compiled with /guard:ehcont
Graham Bloice (Jul 02)
Failed in the same way. Might have to try to make a minimal repo and
report to MS.
Re: warning LNK4291: module may contain '__except' but was not compiled with /guard:ehcont
Graham Bloice (Jul 02)
My suspicion is that the added compiler and linker flags taint the .obj
files in some way that subsequently breaks the compilation. It may be down
to a conflict between the new security flags and link time code generation
(so the .obj files are in some "intermediate form"). I didn't try making
another code modification and rebuilding after I had gotten my build with
/t:Rebuild to work, so I've kicked off one now...
Re: warning LNK4291: module may contain '__except' but was not compiled with /guard:ehcont
Maynard, Christopher via Wireshark-dev (Jul 02)
Yes, I do:
Build FAILED.
"D:\wireshark\builds\win64\master\Wireshark.sln" (default target) (1) ->
"D:\wireshark\builds\win64\master\wireshark.vcxproj.metaproj" (default target) (2) ->
"D:\wireshark\builds\win64\master\wireshark.vcxproj" (default target) (150) ->
(Link target) ->
d:\wireshark\src\master\speexdsp\resample.c : fatal error C1001: Internal compiler error....
Re: warning LNK4291: module may contain '__except' but was not compiled with /guard:ehcont
Graham Bloice (Jul 02)
I'd be interested to know if you see link errors on subsequent rebuilds as
noted by Martin M and myself in emails discussions today.
Re: warning LNK4291: module may contain '__except' but was not compiled with /guard:ehcont
Maynard, Christopher via Wireshark-dev (Jul 02)
OK, thanks. I missed that in the sea of emails on the topic.
- Chris
CONFIDENTIALITY NOTICE: This message is the property of International Game Technology PLC and/or its subsidiaries and
may contain proprietary, confidential or trade secret information. This message is intended solely for the use of the
addressee. If you are not the intended recipient and have received this message in error, please delete this message
from your system. Any...
Re: warning LNK4291: module may contain '__except' but was not compiled with /guard:ehcont
Pascal Quantin (Jul 02)
Hi Chris,
2 Jul. 2021 17:36:21 Maynard, Christopher via Wireshark-dev <wireshark-dev () wireshark org>:
See https://gitlab.com/wireshark/wireshark/-/merge_requests/3329#note_616965519
Best regards,
Pascal.
warning LNK4291: module may contain '__except' but was not compiled with /guard:ehcont
Maynard, Christopher via Wireshark-dev (Jul 02)
I'm not sure if these warnings have been seen by anyone yet, but I just noticed them after updating sources today and
compiling.
From: https://gitlab.com/wireshark/wireshark/-/jobs/1395187730#L534
libmaxminddb.lib(maxminddb.c.obj) : warning LNK4291: module may contain '__except' (Structured Exception Handling) but
was not compiled with /guard:ehcont; generating conservative metadata...
here is dead link.
tchksuzuki () hotmail com (Jul 02)
here is dead link.
https://www.wireshark.org/download.html
the link is "Homebrew"
link to ⇒ http://brewformulas.org/Wireshark
Best regards.
Re: Error while building Windows installer
Graham Bloice (Jul 02)
The CMakeLists changes check for VS 16 (2019) onwards to set the flags.
As our CI doesn't do rebuilds, this issue (if it is due to the new flags)
would only be noticed by devs.
Will you raise an issue for it so at least we can get a discussion on what
to do?
Re: Error while building Windows installer
Martin Mathieson via Wireshark-dev (Jul 02)
Reverting that change for me meant that I can run Wireshark.exe and create
the NSIS installer.
I don't know if we should make this an option, or tighten up the version
check to MSVC builds it is known to work for?
P.S. I have become a little bit screenshot-happy lately :)
Re: Error while building Windows installer
Graham Bloice (Jul 02)
I noticed this yesterday on my first build for a while and implemented a
quick workaround by adding "/t:Rebuild" to the msbuild command line to
force a rebuild of the world. Obviously not supportable for continued use.
I haven't had time to go back and look into the issue, my first
suspicion is something to do with MR 3329
<https://gitlab.com/wireshark/wireshark/-/merge_requests/3329>, but I don't
have anything to back...
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Re: (no subject)
Joel Esler (jesler) via Snort-sigs (Jul 01)
The short answer is “yes and no”
Suricata can use most of the rules in the Snort Subscription ruleset, but not all. Snort 2 or Snort 3 can use all of
the rules.
(no subject)
Ioan Saakov via Snort-sigs (Jul 01)
Hello
I use a Suricata in a company as an IDS
Can I use Snort's rules?
I'm ready to buy a business subscription, but I don't know if these rules
will suit me.
Snort Subscriber Rules Update 2021-06-30
Research (Jun 30)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
[SID] 57876-57877 are being released to cover the exploitation of
CVE-2021-1675 in the wild.
Talos has added and modified multiple rules in the malware-other,
os-windows and server-webapp rule sets to provide coverage for emerging
threats from these technologies.
For a complete list of new and modified rules please see:...
Snort Subscriber Rules Update 2021-06-29
Research (Jun 29)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-chrome,
exploit-kit, malware-cnc and server-webapp rule sets to provide
coverage for emerging threats from these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Snort Subscriber Rules Update 2021-06-24
Research (Jun 24)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the server-webapp
rule sets to provide coverage for emerging threats from these
technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Snort Subscriber Rules Update 2021-06-22
Research (Jun 22)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-chrome,
file-pdf, malware-cnc, malware-other, policy-other and server-webapp
rule sets to provide coverage for emerging threats from these
technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Snort Blog: New version of Snort 3 out now (3.1.6.0) — Here are all the updates and fixes
Joel Esler (jesler) via Snort-sigs (Jun 21)
Profinet preprocessor
divya varakantham via Snort-sigs (Jun 21)
Hi Snort team,
This is a question about support for ICS/SCADA protocols and
corresponding preprocessors.
I see from FAQs that any additional preprocessor enhancements or additional
rules developed by Cisco OR Snort community is submitted back to the open
source community. However there are no rules and/or preprocessors available
for Profinet in the free version. Cisco's documentation indicates support
for the same.
Appreciate any...
Snort Subscriber Rules Update 2021-06-17
Research (Jun 17)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the
indicator-obfuscation, malware-other, server-apache and server-webapp
rule sets to provide coverage for emerging threats from these
technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Snort Blog: Snort 2.9.18.0 released
Joel Esler (jesler) via Snort-devel (Jun 16)
Re: features for handling elephant flows
Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) via Snort-devel (Jun 16)
Hi, Mark
Definitely, elephant flows is the issue. Unfortunately, I cannot point to any details or dates about pending
improvements on this.
Best wishes,
Alexey
Re: how to reload the config of appid odp dir ?
Russ Combs (rucombs) via Snort-devel (Jun 15)
There is an appid command for that:
$ src/snort --help-commands appid | grep reload
appid.reload_third_party(): reload appid third-party module
appid.reload_detectors(): reload appid detectors
reload_detectors is what you want. No argument; it will reload from the originally configured directory.
Note that it will report a bogus error. You can safely ignore that:
Entering command shell
o")~
++ [0] /home/russ/ramdisk/defcon.pcap...
Snort Subscriber Rules Update 2021-06-15
Research (Jun 15)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-ie, deleted,
file-flash, file-image, file-multimedia, file-other,
indicator-compromise, malware-cnc, os-linux, os-other, os-windows,
protocol-dns, protocol-icmp, protocol-other, server-other and
server-webapp rule sets to provide coverage for emerging threats from
these...
features for handling elephant flows
markj200 via Snort-devel (Jun 14)
Are there any upcoming features planned for load balancing of elephant
flows across multiple packet threads?
Any pointers to information on this gratefully received.
Thanks
Mark
Re: Negate Content - Snort Rules
Joel Esler (jesler) via Snort-sigs (Jun 12)
Also, the answer is “because you can’t do a relative match to something that doesn’t exist (distance:1; within:10;)”.
So, in order to do what you want to do, you have to do the positive match and then read backwards. Which is why I ask
what the error you’re receiving is
—
Sent from my iPad