SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.
Fixed ncat temporary certificates and CI on github broken
Tobias Girstmair (Dec 01)
hi,
CONTRIBUTING.md says to send a notification when sending a pull request
(http://issues.nmap.org/2168). It's a one-liner change to fix the expiry
date of temporary certificates issued by ncat --ssl, which currently is
60 seconds instead of one year.
Given the triviality of the patch, I wouldn't have posted here, were it
not to inform you that Travis-CI is refusing to run on the majority of
pull requests. <...
Zenmap Error "No module named GTK"
Anomous Gufox (Dec 01)
Dear Developer,
I am Sagnik Haldar, known as AnomousG, and would like to report an issue I found
after I started using Kali Linux version 2020.4. I usually download
zenmap as one of my favourite tools, but unfortunately it showed the
following error after a successful installation.
I also reported it as a bug in Kali Linux but got to know that the reason
zenmap was dropped from Kali is that the Python2 dependencies (such as
the GTK one) are gone...
NSE script contribution - CVE-2020-14882 NSE script
Daniel M (Dec 01)
Hello nmap-dev,
I submitted a pull request adding a NSE script to detect CVE-2020-14882
(WebLogic unauthenticated RCE):
https://github.com/nmap/nmap/pull/2169
I hope it helps! Looking forward to your feedback.
Thanks,
Daniel
Username check for ARD bruteforce
adwiteeya agrawal (Dec 01)
Hello dev@nmap,
Just raised https://github.com/nmap/nmap/pull/2190.
Mac ARD login requires a username. Nmap currently does not check if the
username is empty and errors out. This patch will skip attempts with empty passwords.
Please refer to the PR for complete details.
Regards
Adwiteeya Agrawal
NmapWin
rodion.raskolnikov via dev (Nov 20)
Hi Guys,
I made a small native Windows UI for nmap. I know that there was already (once upon a time) a NmapWin, but this doesn't
seem to be updated anymore (at least for 10 years). Anyway, the new NmapWin is a C#/.Net application and is quite
similar to Zenmap.
Features:
- Parallel scans (nmap runs in background tasks)
- Embedded SQL Server CE database
- Lots of help screens (for beginners ;-)
- Easy installation (nmap needs to be...
NSE script contribution: CVE-2020-14882 - WebLogic unauthenticated RCE
Daniel M (Nov 20)
Hello nmap-dev,
I submitted a pull request adding a NSE script to detect the WebLogic
unauthenticated RCE (CVE-2020-14882) disclosed by Jang:
https://github.com/nmap/nmap/pull/2169
I hope it helps! Looking forward to your feedback.
Thanks,
Daniel
[sparc64] nmap.git sigbus on a recent change
Anatoly Pugachev (Nov 09)
Hello!
Could someone please look at this issue
https://github.com/nmap/nmap/issues/2173
Thanks.
Re: NSE script contribution - dkron-discovery
Ícaro Torres (Nov 04)
Hello David,
Sorry for the delay, I was only able to see the code just now. Thanks a
lot for the review and tips. Attached is the new version of the
script.
Best regards.
On Wed., 4 Nov. 2020 at 13:28, David Fifield <david () bamsoftware com>
wrote:
Re: NSE script contribution - dkron-discovery
David Fifield (Nov 04)
Hi, thanks for this contribution. Here is a quick review.
-- @args dkron-discovery.path The URL path to request. The default path is "/".
local http_response = http.get(host, port, "/dashboard")
The doc comment doesn't match the code, and dkron-discovery.path is not
used.
if string.match(http_response.rawbody, "Dkron %d.%d.%d") then
dkron_version = string.match(http_response.rawbody,...
--script=ssl-cert | deviation of results
Christoph Gruber (Nov 04)
Hi!
Running on debian
me@my:~$ nmap legacy.ppro.com --script ssl-cert
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-04 13:41 CET
Nmap scan report for legacy.ppro.com (54.77.199.142)
Host is up (0.043s latency).
rDNS record for 54.77.199.142: ec2-54-77-199-142.eu-west-1.compute.amazonaws.com
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
| ssl-cert: Subject: commonName=legacy.ppro.com
| Subject...
NSE script contribution - dkron-discovery
Ícaro Torres (Nov 04)
Hello,
I would like to contribute the NSE script dkron-discovery. It will
look for the URI "/dashboard" on port 8080 of the host running the dKron
service, and if this is available it will grab the installed version.
description = [[
Dkron is a system service for workload automation that runs scheduled jobs,
just like the cron unix service but distributed in several machines in a
cluster. Default TCP port is 8080.
]]
This could...
Re: Nmap trouble
Daniel Miller (Oct 31)
Hello, and thank you for reporting this. This issue was also reported on
our issue tracker here: https://issues.nmap.org/2157
We have added a fix for the crash issue, but there may be additional
problems which will prevent you from running Nmap within Zenmap, namely the
UnicodeDecodeError mentioned in the traceback. Please let us know if you
have further problems.
Dan
Nmap trouble
권세인 (Oct 22)
Hi! I'm an nmap user from Korea.
I'm having trouble using nmap, and a pop-up message told me to send an email to you.
Please fix this problem! Thanks :)
Version: 7.91
Traceback (most recent call last):
File "zenmapGUI\ScanInterface.pyo", line 389, in start_scan_cb
File "zenmapGUI\ScanInterface.pyo", line 516, in execute_command
TypeError: coercing to Unicode: need string or buffer, exceptions.UnicodeDecodeError found
Problems with WlanHelper
santiago montoto (Oct 22)
Hello,
I installed Wireshark and the latest version of Npcap with the "Support raw 802.11 traffic" option checked. I tried to select
Monitor Mode in Wireshark for my WiFi but it was not possible. Then I tried to run WlanHelper (with administrative
privileges) and it says that wlanhelper is not recognized as an internal or external command, operable program or batch...
I am using the instructions from the following website:...
Re: nping --ipv6 source determination
Artem Egorenkov (Oct 15)
I can believe you guys are extremely busy, no pressure here.
Just wanted to make sure you are aware of the existence of this PR.
Take your time and thank you for your hard work! :)
Thanks,
Artem
Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Nmap 7.91 Bugfix Release
Gordon Fyodor Lyon (Oct 14)
Hello everyone. I'm glad Nmap 7.90 was so well received! There were so
many improvements that the official announcement (
https://seclists.org/nmap-announce/2020/1) was a bit unwieldy. So Daniel
Miller (who made most of those changes) Tweeted his top highlights at
https://twitter.com/bonsaiviking/status/1313247253197393920
While we do work hard to avoid bugs during development and to catch them
pre-release through continuous integration...
Nmap 7.90 Released! First release since August 2019.
Gordon Fyodor Lyon (Oct 03)
Hello everyone. Hot on the heels of the big Npcap 1.00 release (
https://seclists.org/nmap-announce/2020/0), we're delighted to announce a
new Nmap--version 7.90! It's the first Nmap release since Defcon 2019, even
though we've made 16 Npcap releases since then. Raw packets are so
fundamental to Nmap that we really wanted to get it right. With the
production-ready and highly performant Npcap 1.00 driver included, we can
finally...
Npcap 1.00 was just released and a new Nmap is on the way!
Gordon Fyodor Lyon (Sep 28)
Hello everyone. I hope you are all safe and well during this nasty
pandemic. I obviously haven't been wearing my marketing hat enough given
that this is my first mail to the Nmap Announcement list since last
August's Nmap 7.80 release. But we've been heads-down programming since
then and have great news to report!
The biggest news is that, after more than 7 years of development and 170
previous public releases, we're...
Nmap Defcon Release! 80+ improvements include new NSE scripts/libs, new Npcap, etc.
Gordon Fyodor Lyon (Aug 10)
Fellow hackers,
I'm here in Las Vegas for Defcon and delighted to release Nmap 7.80. It's
the first formal Nmap release in more than a year, and I hope you find it
worth the wait!
The main reason for the delay is that we've been working so hard on our
Npcap Windows packet capturing driver. As many of you know, Windows Nmap
traditionally depended on Winpcap for packet capture. That is great
software, but it has been...
Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
AST-2020-004: Remote crash in res_pjsip_diversion
Asterisk Security Team (Dec 22)
Asterisk Project Security Advisory - AST-2020-004
Product Asterisk
Summary Remote crash in res_pjsip_diversion
Nature of Advisory Denial of service
Susceptibility Remote authenticated sessions
Severity Moderate...
AST-2020-003: Remote crash in res_pjsip_diversion
Asterisk Security Team (Dec 22)
Asterisk Project Security Advisory - AST-2020-003
Product Asterisk
Summary Remote crash in res_pjsip_diversion
Nature of Advisory Denial of service
Susceptibility Remote authenticated sessions
Severity Moderate...
Rocket.Chat Path Traversal
Moe Szyslak (Dec 21)
Rocket.Chat has fixed a server-side path traversal vulnerability that may
be abused to write files to attacker-controlled locations:
https://github.com/RocketChat/Rocket.Chat/commit/f5c7d94bffb279d7a2f859773935fb5cf70c81cd
Exploitation of this vulnerability requires uploading attachments with
crafted names and requesting a data download.
No release of Rocket.Chat contains these fixes. Users should consider
cherry-picking...
remote code execution when opening a project in Android Studio that Google refused to fix (still 0day)
houjingyi (Dec 21)
Video and PoC here: https://www.youtube.com/watch?v=hAPkSGxh9H0
When you open a project in Android Studio, if gradle-wrapper.properties sets
distributionUrl=https\://services.gradle.org/distributions/gradle-2.6-all.zip,
then Android Studio will download and extract gradle-2.6-all.zip, jar file
in...
SUPREMO Local privilege escalation
Adan Alvarez (Dec 21)
Details
=======
Subject: Local Privilege Escalation
Product: SUPREMO by Nanosystems S.r.l.
Vendor Homepage: https://www.supremocontrol.com/
Vendor Status: fixed version released
Vulnerable Version: 4.1.3.2348 (No other version was tested, but it is
believed that older versions are also vulnerable.)
Fixed Version: 4.2.0.2423
CVE Number: CVE-2020-25106
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25106
Authors: Victor...
Defense in depth -- the Microsoft way (part 68): where compatibility means vulnerability
Stefan Kanthak (Dec 18)
Hi @ll,
this post is a shortened version of
<https://skanthak.homepage.t-online.de/detour.html>
With Windows 2000 and Windows XP, Microsoft introduced the functions
SystemFunction035() alias RtlCheckSignatureInFile(),
SystemFunction036() alias RtlGenRandom(),
SystemFunction040() alias RtlEncryptMemory(), and
SystemFunction041() alias RtlDecryptMemory() in ADVAPI32.dll
Note: RtlCheckSignatureInFile() was never documented, it has the...
Rocket.Chat quietly patches XSS vulnerability
Moe Szyslak (Dec 18)
Rocket.Chat has quietly fixed a stored XSS vulnerability in the following
commits:
https://github.com/RocketChat/Rocket.Chat/commit/96d3155245ec65f681664b48b6dafc94c1ea021c
https://github.com/RocketChat/Rocket.Chat/commit/43fe12d775b2329e780a1369a1b2c25070cdcab9
Exploitation of this vulnerability is very straightforward by manipulating
a message attachment to contain an XSS payload either in the type or the
body.
No release of Rocket.Chat...
CA20201215-01: Security Notice for CA Service Catalog
Kevin Kotas via Fulldisclosure (Dec 18)
CA20201215-01: Security Notice for CA Service Catalog
Issued: December 15, 2020
Last Updated: December 15, 2020
CA Technologies, a Broadcom Company, is alerting customers to a risk
with CA Service Catalog. A vulnerability can potentially exist in a
specific configuration that can allow a remote attacker to cause a
denial of service condition. CA published a solution and instructions
to resolve the vulnerability.
The vulnerability,...
Programi Bilanc - Build 007 Release 014 31.01.2020 - Software-update packages are downloaded via unencrypted HTTP [CVE-2020-11718]
Georg Ph E Heise via Fulldisclosure (Dec 18)
Programi Bilanc - Build 007 Release 014 31.01.2020 - Software-update packages are downloaded via unencrypted HTTP
===============================================================================
Identifiers
-------------------------------------------------
CVE-2020-11718
Vendor
-------------------------------------------------
Balanc Shpk (https://bilanc.com)
Product
-------------------------------------------------
Programi Bilanc...
Programi Bilanc - Build 007 Release 014 31.01.2020 - Broken encryption with guessable static encryption key [CVE-2020-8995]
Georg Ph E Heise via Fulldisclosure (Dec 18)
Programi Bilanc - Build 007 Release 014 31.01.2020 - Broken encryption with guessable static encryption key
===============================================================================
Identifiers
-------------------------------------------------
CVE-2020-8995
Vendor
-------------------------------------------------
Balanc Shpk (https://bilanc.com)
Product
-------------------------------------------------
Programi Bilanc
Affected...
Programi Bilanc - Build 007 Release 014 31.01.2020 - Multiple SQL Injections [CVE-2020-11717]
Georg Ph E Heise via Fulldisclosure (Dec 18)
Programi Bilanc - Build 007 Release 014 31.01.2020 - Multiple SQL Injections
=============================================================================
Identifiers
-------------------------------------------------
CVE-2020-11717
Vendor
-------------------------------------------------
Balanc Shpk (https://bilanc.com)
Product
-------------------------------------------------
Programi Bilanc
Affected versions...
Programi Bilanc - Build 007 Release 014 31.01.2020 - Broken encryption with guessable static encryption key [CVE-2020-11719]
Georg Ph E Heise via Fulldisclosure (Dec 18)
Programi Bilanc - Build 007 Release 014 31.01.2020 - Broken encryption with guessable static encryption key
===============================================================================
Identifiers
-------------------------------------------------
CVE-2020-11719
Vendor
-------------------------------------------------
Balanc Shpk (https://bilanc.com)
Product
-------------------------------------------------
Programi Bilanc
Affected...
Programi Bilanc - Build 007 Release 014 31.01.2020 - Use of weak default Password - CVE-2020-11720
Georg Ph E Heise via Fulldisclosure (Dec 18)
Programi Bilanc - Build 007 Release 014 31.01.2020 - Use of weak default Password
===============================================================================
Identifiers
-------------------------------------------------
CVE-2020-11720
Vendor
-------------------------------------------------
Balanc Shpk (https://bilanc.com)
Product
-------------------------------------------------
Programi Bilanc
Affected versions...
SEC Consult SA-20201217-0 :: Multiple critical vulnerabilities in Trend Micro InterScan Web Security Virtual Appliance (IWSVA)
SEC Consult Vulnerability Lab (Dec 17)
SEC Consult Vulnerability Lab Security Advisory < 20201217-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: Trend Micro InterScan Web Security Virtual Appliance (IWSVA)
vulnerable version: < IWSVA 6.5 SP2 EN Patch 4 Build 1919
fixed version: IWSVA 6.5 SP2 EN Patch 4 Build 1919
CVE number: CVE-2020-8461, CVE-2020-8462,...
APPLE-SA-2020-12-14-4 Additional information for APPLE-SA-2020-11-13-1 macOS Big Sur 11.0.1
Apple Product Security via Fulldisclosure (Dec 15)
APPLE-SA-2020-12-14-4 Additional information for
APPLE-SA-2020-11-13-1 macOS Big Sur 11.0.1
macOS Big Sur 11.0.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT211931.
AMD
Available for: Mac Pro (2013 and later), MacBook Air (2013 and
later), MacBook Pro (Late 2013 and later), Mac mini (2014 and later),
iMac (2014 and later), MacBook (2015 and later), iMac Pro (all
models)...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
Defense in depth -- the Microsoft way (part 62): Windows shipped with end-of-life components
Stefan Kanthak (Feb 25)
Hi @ll,
since Microsoft Server 2003 R2, Microsoft dares to ship and install the
abomination known as .NET Framework with every new version of Windows.
Among other components current versions of Windows and .NET Framework
include
C# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe,
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe)
J# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe,...
Local information disclosure in OpenSMTPD (CVE-2020-8793)
Qualys Security Advisory (Feb 25)
Qualys Security Advisory
Local information disclosure in OpenSMTPD (CVE-2020-8793)
==============================================================================
Contents
==============================================================================
Summary
Analysis
Exploitation
POKE 47196, 201
Acknowledgments
==============================================================================
Summary...
LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)
Qualys Security Advisory (Feb 25)
Qualys Security Advisory
LPE and RCE in OpenSMTPD's default install (CVE-2020-8794)
==============================================================================
Contents
==============================================================================
Summary
Analysis
...
Acknowledgments
==============================================================================
Summary...
[SECURITY] [DSA 4633-1] curl security update
Alessandro Ghedini (Feb 25)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4633-1 security () debian org
https://www.debian.org/security/ Alessandro Ghedini
February 22, 2020 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : curl
CVE ID : CVE-2019-5436 CVE-2019-5481...
Cisco Unified Contact Center Express Privilege Escalation Vulnerability (CVE-2019-1888)
Jamie R (Feb 25)
I've quoted the Cisco summary below as it's pretty accurate.
tl;dr is an admin user on the web console can gain command execution
and then escalate to root. If this is an issue in your environment,
then please patch.
Thanks to Cisco PSIRT who were responsive and professional.
Shouts to Andrew, Dave and Senad, Pedro R - if that's still even a
thing on advisories.
Ref:...
[TZO-22-2020] Qihoo360 | GDATA | Rising | Command Generic Malformed Archive Bypass
Thierry Zoller (Feb 24)
[TZO-16-2020] - F-SECURE Generic Malformed Container bypass (GZIP)
Thierry Zoller (Feb 24)
[slackware-security] proftpd (SSA:2020-051-01)
Slackware Security Team (Feb 20)
[slackware-security] proftpd (SSA:2020-051-01)
New proftpd packages are available for Slackware 14.0, 14.1, 14.2, and -current
to fix a security issue.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/proftpd-1.3.6c-i586-1_slack14.2.txz: Upgraded.
No CVEs assigned, but this sure looks like a security issue:
Use-after-free vulnerability in memory pools during data transfer.
(* Security...
[SECURITY] [DSA 4628-1] php7.0 security update
Moritz Muehlenhoff (Feb 19)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4628-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
February 18, 2020 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : php7.0
CVE ID : CVE-2019-11045 CVE-2019-11046...
[SECURITY] [DSA 4629-1] python-django security update
Sebastien Delafond (Feb 19)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4629-1 security () debian org
https://www.debian.org/security/ Sebastien Delafond
February 19, 2020 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : python-django
CVE ID : CVE-2020-7471
Debian Bug...
[TZO-18-2020] - Bitdefender Malformed Archive bypass (GZIP)
Thierry Zoller (Feb 18)
[TZO-17-2020] - Kaspersky Generic Archive Bypass (ZIP FLNMLEN)
Thierry Zoller (Feb 18)
[SECURITY] [DSA 4626-1] php7.3 security update
Moritz Muehlenhoff (Feb 18)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4626-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
February 17, 2020 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : php7.3
CVE ID : CVE-2019-11045 CVE-2019-11046...
[SECURITY] [DSA 4627-1] webkit2gtk security update
Moritz Muehlenhoff (Feb 18)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4627-1 security () debian org
https://www.debian.org/security/ Alberto Garcia
February 17, 2020 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : webkit2gtk
CVE ID : CVE-2020-3862 CVE-2020-3864...
Web Application Firewall bypass via Bluecoat device
RedTimmy Security (Feb 16)
Hi,
we have published a new post in our blog titled "How to hack a company by circumventing its WAF through the abuse of a
different security appliance and win bug bounties".
We basically have [ab]used a Bluecoat device behaving as a request forwarder to mask our malicious payload, avoid WAF
detection, hit an HTTP endpoint vulnerable to RCE and pop out a shell.
Full story is here:...
Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
CarolinaCon-15 is April 26-28, 2019 in Charlotte NC - Call For Papers/Presenters is now open
Vic Vandal (Feb 03)
We are pleased to announce that CarolinaCon-15 will be on April 26th-28th 2019 in Charlotte NC at the Renaissance
Charlotte Suites. All who are interested in speaking on any topic in the realm of hacking, cybersecurity, technology,
science, robotics or any related field are invited to submit a proposal to present at the con. Full disclosure that
technology or physical security exploitation type submissions are most desirable for this storied...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
44CON 2018 - 12th-14th September, London (UK)
Steve (Feb 28)
44CON 2018 is the UK's best annual Security Conference and Training event. The conference spans 2.5 days with training
on the 10th and 11th of September, a free evening event on the 12th of September, and a full two-day conference on the
13th and 14th of September. The event takes place at the ILEC Conference Centre near Earls Court, London. 44CON 2018
includes catering, private bus bar and Gin O'Clock breaks. Early Bird discounted...
RootedCON Security Conference - 1-3 March, Madrid (Spain)
omarbv (Feb 11)
On the occasion of the ninth edition of RootedCON, the most important
computer security conference in the country, around 2,000 hackers will
meet to discuss new questions and research about the cybersecurity
world, with its risks and threats. National and international experts
have included in their agendas this mandatory appointment to discuss new
vulnerabilities, viruses, and other threats; they will also talk about
countermeasures in order...
Info Security News — Carries news items (generally from mainstream sources) that relate to security.
Ransomware: Why one city chose to pay the ransom after falling victim
InfoSec News (Aug 12)
https://www.zdnet.com/article/ransomware-why-one-city-chose-to-the-pay-the-ransom-after-falling-victim/
By Danny Palmer
ZDNet.com
August 12, 2020
A US city has explained why it gave into the demands of cyber criminals
and paid a ransom demand of $45,000 following a ransomware attack.
Lafayette, Colorado fell victim to ransomware on July 27, which encrypted
the city's computer networks and caused disruptions to phone services,
email and...
0-days, a failed patch, and a backdoor threat. Update Tuesday highlights
InfoSec News (Aug 12)
https://arstechnica.com/information-technology/2020/08/update-tuesday-fixes-2-0days-and-botched-patch-for-a-backdoor-threat/
By Dan Goodin
Ars Technica
08/12/2020
Microsoft on Tuesday patched 120 vulnerabilities, two that are notable
because they’re under active attack and a third because it fixes a
previous patch for a security flaw that allowed attackers to gain a
backdoor that persisted even after a machine was updated.
Zero-day...
OCR warns hospitals of HIPAA compliance scams
InfoSec News (Aug 12)
https://www.healthcareitnews.com/news/ocr-warns-hospitals-apparent-hipaa-compliance-scams
By Mike Miliard
Healthcare IT News
August 11, 2020
The Office for Civil Rights at the U.S. Department of Health and Human
Services has warned health systems about what appears to be something of
an old-fashioned and low-tech phishing attempt: fraudulent postcards, most
addressed to hospital privacy officers, that warn of noncompliance with a
mandatory...
The Secret SIMs Used By Criminals to Spoof Any Number
InfoSec News (Aug 12)
https://www.vice.com/en_us/article/n7w9pw/russian-sims-encrypted
By Joseph Cox
Vice.com
August 12, 2020
The unsolicited call came from France. Or at least that's what my phone
said. When I picked up, a man asked if I worked with the National Crime
Agency, the UK's version of the FBI. When I explained, no, as a journalist
I don't give information to the police, he said why he had contacted me.
"There are these special SIM...
North Korean Hacking Group Attacks Israeli Defense Industry
InfoSec News (Aug 12)
https://www.nytimes.com/2020/08/12/world/middleeast/north-korea-hackers-israel.html
By Ronen Bergman and Nicole Perlroth
nytimes.com
Aug. 12, 2020
TEL AVIV -- Israel claimed Wednesday that it had thwarted a cyberattack by
a North Korea-linked hacking group on its classified defense industry.
The Defense Ministry said the attack was deflected “in real time” and that
there was no “harm or disruption” to its computer systems.
However,...
FBI says an Iranian hacking group is attacking F5 networking devices
InfoSec News (Aug 11)
https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/
By Catalin Cimpanu
Zero Day
ZDNet.com
August 10, 2020
A group of elite hackers associated with the Iranian government has been
detected attacking the US private and government sector, according to a
security alert sent by the FBI last week.
While the alert, called a Private Industry Notification, didn't identify
the hackers by name,...
Pen Test Partners: Boeing 747s receive critical software updates over 3.5" floppy disks
InfoSec News (Aug 11)
https://www.theregister.com/2020/08/10/boeing_747_floppy_drive_updates_walkthrough/
By Gareth Corfield
The Register
08/10/2020
DEF CON -- Boeing 747-400s still use floppy disks for loading critical
navigation databases, Pen Test Partners has revealed to the infosec
community after poking about one of the recently abandoned aircraft.
The eye-catching factoid emerged during a DEF CON video interview of PTP's
Alex Lomas, where the man...
US Cyber Command is using unclassified networks to fight election interference
InfoSec News (Aug 10)
https://www.c4isrnet.com/cyber/2020/08/10/us-cyber-command-is-using-unclassified-networks-to-fight-election-interference/
By Mark Pomerleau
C4ISRNET.com
08/10/2020
WASHINGTON -- U.S. Cyber Command is using unclassified networks and
publicly available communication platforms as it works to prevent foreign
interference in the next presidential election, a CYBERCOM official has
revealed.
“From a CYBERCOM standpoint, one of the big changes...
New England guardsmen test their skills in Cyber Yankee 2020
InfoSec News (Aug 03)
https://www.c4isrnet.com/cyber/2020/08/03/new-england-guardsmen-test-their-skills-in-cyber-yankee-2020/
By Mark Pomerleau
C4ISRNET.com
08/03/2020
Members of the National Guard from New England states concluded a two-week
cyber exercise that sought to test the cyber skills of guardsmen and
critical infrastructure operators.
Cyber Yankee 2020, which took place July 21-31 in New Hampshire, involved
more than 200 National Guard members and...
Travel management company CWT hands over $4.5M following ransomware attack
InfoSec News (Aug 03)
https://siliconangle.com/2020/08/02/travel-management-company-cwt-hands-4-5m-following-ransomware-attack/
By Duncan Riley
SiliconAngle.com
08/02/2020
Business travel management company CWT Global B.V. is the latest company
to pay a ransom demand following a ransomware attack.
According to a report Friday by Reuters, the company paid $4.5 million to
those behind the ransomware after the attack knocked some 30,000 of the
company’s computers...
DOD, FBI, DHS release info on malware used in Chinese government-led hacking campaigns
InfoSec News (Aug 03)
https://www.cyberscoop.com/taidoor-malware-report-china-cisa-dod-fbi/
By Shannon Vavra
CYBERSCOOP
August 3, 2020
The U.S. government publicly put forth information Monday that exposed
malware used in Chinese government hacking efforts for more than a decade.
The Chinese government has been using malware, referred to as Taidoor, to
target government agencies, entities in the private sector, and think
tanks since 2008, according to a joint...
Leaky S3 buckets have gotten so common that they're being found by the thousands now, with lots of buried secrets
InfoSec News (Aug 03)
https://www.theregister.com/2020/08/03/leaky_s3_buckets/
By Shaun Nichols in San Francisco
The Register
3 Aug 2020
The massive amounts of exposed data on misconfigured AWS S3 storage
buckets are a catastrophic network breach just waiting to happen, say
experts.
The team at Truffle Security says its automated search tools were able to
stumble across some 4,000 open Amazon S3 buckets that included data
companies would not want public, things...
House Republicans introduce legislation to give states $400 million for elections
InfoSec News (Aug 03)
https://thehill.com/policy/cybersecurity/510362-house-republicans-introduce-legislation-to-give-states-400-million-for
By Maggie Miller
The Hill
08/03/2020
A group of House Republicans on Monday introduced legislation that would
appropriate $400 million to states to address election challenges stemming
from the COVID-19 pandemic.
The Emergency Assistance for Safe Elections (EASE) Act would designate
$200 million to assist with sanitizing...
Zoom private meeting passwords were easily crackable
InfoSec News (Jul 30)
https://www.itnews.com.au/news/zoom-private-meeting-passwords-were-easily-crackable-551095
By Juha Saarinen
itnews.com.au
July 31, 2020
The automatically generated passwords protecting private Zoom meetings
could be cracked with relative ease, allowing access to sensitive
conferences, a researcher has discovered.
Web site developer Tom Anthony decided on March 31 this year to see if he
could crack the password for private Zoom meetings....
Pentagon needs access to defense companies' networks to hunt cyberthreats, says commission
InfoSec News (Jul 30)
https://www.c4isrnet.com/cyber/2020/07/30/pentagon-needs-access-to-defense-companies-networks-to-hunt-cyberthreats-says-commission/
By Mark Pomerleau
C4ISRNET.com
July 30, 2020
WASHINGTON -- The Pentagon must be able to hunt cyberthreats on the
private networks of defense companies in order to strengthen national
cybersecurity, according to one of the leaders of the Cyber Solarium
Commission.
Rep. Mike Gallagher, R-Wis., who co-chairs the...
Firewall Wizards — Tips and tricks for firewall administrators
Revival?
Paul Robertson (Sep 11)
Since the last few attempts to revive the list have failed, I'm going to attempt a Facebook group revival experiment.
It'll be a bit broader in scope, but I'm hoping we can discuss technical security matters. The new group is
Security-Wizards on Facebook.
Paul
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
Faraday Beta V3.0 Released
Francisco Amato (Jul 04)
Faraday helps you to host your own vulnerability management platform
now and streamline your team in one place.
We are pleased to announce the newest version of Faraday v3.0. In this
new version we have made major architecture changes to adapt our
software to the new challenges of cyber security. We focused on
processing large data volumes and to making it easier for the user to
interact with Faraday in its environment.
To install it you can...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
paper + data-set tracking supply-chain compromises worth a peek by Geer, Tozer et al.
Arun Koshy via Dailydave (Dec 16)
paper : http://geer.tinho.net/fgm/fgm.geer.2012.pdf
data-set : https://github.com/IQTLabs/software-supply-chain-compromises
Kiroshi Optics
Dave Aitel via Dailydave (Dec 11)
https://twitter.com/JesseHeinig/status/1336913378564919297
https://twitter.com/ClipperChip/status/1337289319988473856
People seem to think you can use etymology as some clue to deciphering the
cyberpunk and cyber philosophy in general. You can read a whole Thomas Rid
book
<https://www.amazon.com/Rise-Machines-Cybernetic-Thomas-Rid/dp/0393286002>
on it, and it's weird when people stress "Cybernetics" as if they've found...
Worth a listen on your morning drive
Dave Aitel via Dailydave (Dec 10)
https://www.youtube.com/watch?v=pyE29pX9HBE&feature=emb_logo&ab_channel=TheHagueProgramforCyberNorms
(text:
https://www.internetgovernance.org/2020/11/13/hague-keynote-sovereignty-in-cyberspace/
)
Keynote by Milton Mueller, Professor at the Georgia Institute of Technology
(Atlanta, USA) in the School of Public Policy.
I lolled at this section which is so true it hurts:
Since publishing that book I explored the concepts of sovereignty...
How many treadmills can you run on at once?
Dave Aitel via Dailydave (Dec 08)
I wanted everyone to browse here and enjoy this Microsoft Teams
vulnerability: https://github.com/oskarsve/ms-teams-rce/blob/main/README.md
I also enjoy the discussion
<https://twitter.com/taviso/status/1336365194071535617?s=20> it has
engendered when it comes to how to measure vulnerabilities that are "in the
cloud" or via "Auto-update". It would be good to get clarity on these
things.
Measurement...
Gratitude
Dave Aitel via Dailydave (Nov 25)
So because we are thankful for all the support of every attendee at
INFILTRATE for the past ten years (Yes, TEN YEARS!), we are releasing a
special featured speakers series for the end of the year. If you are signed
up for INFILTRATE 2020, PLAGUE EDITION then you already got an email invite
to the first viewing-and-Q&A session with Marco Ivaldi.
These talks are great - something I can say because we do our standard
INFILTRATE dry-run process...
Deana Shick on INFILTRATE ONLINE
Dave Aitel via Dailydave (Oct 30)
Happy Friday! For those of you who enjoy laughing at my video editing job
or want to learn about how big companies do vulnerability management "at
scale" or what the alternatives are to CVSS, we've recently published a new
fifteen minute video: https://vimeo.com/473562240 .
-dave
Things to Watch!
Dave Aitel via Dailydave (Oct 19)
It's MONDAY, and I wanted to send over the shorts we did with Chris Eng and
Ben Edwards. I think there's a lot of value in a robust question and answer
session with paper authors. Too often papers are supposed to stand on their
own without any real discussion.
(PHP IS DOUBLE PLUS UNGOOD)
https://vimeo.com/457850389/373c907909
(CVSS, an INTRODUCTION TO FAIL)
https://vimeo.com/454453494/330060fbb2
(XXE)
https://vimeo.com/464273744...
Identity + Host
Dave Aitel via Dailydave (Sep 21)
Recently Thomas Dullien wrote a blogpost
<http://addxorrol.blogspot.com/2020/07/the-missing-os.html> asking what the
OS of the future really looks like, considering the computer of the future
is a distributed mega-engine. I would, annoyingly, posit that the
algorithms that make sense to understand in that world are those already
implemented in the many species of social insects.
In that sense, I think there are things missing from his list...
R2 Browser Hacking Class Review
Dave Aitel via Dailydave (Aug 13)
Sometimes we review books on this list, but I spent last week, for seven
days in a row, taking the R2-RingZer0-Amy-Burnett Browser Hacking
<https://ringzer0.training/advanced-browser-exploitation.html> class. But
before I do, I want to point out that 36 Minutes into this video (
https://vimeo.com/442583799) I ask Marco Ivaldi about what it's like to
switch from management back into the technical field. "It's hard, but...
Dino-VSS
Dave Aitel via Dailydave (Aug 10)
Bistahieversor or MS08-067?
If you had to list out the problems with CVSS it would be like analyzing
the anatomical issues of a children's drawing. No part of it fits together
properly. Here's a problem: Scoring of threats is not one dimensional, and
numbers can't carry the whole story. We need a vulnerability scoring system
that's extensible, and programmable.
But I have an alternative: Take each...
Re: [EXTERNAL] WAF Metrics
Chuck McAuley via Dailydave (Jul 17)
Isn’t using a WAF an “investment in technology to stop constant attacks?”
-chuck
From: Greg Frazier <glfrazier () alum mit edu>
Date: Friday, July 17, 2020 at 3:46 PM
To: Don Ankney <dankney () hackerco de>
Cc: John Lampe <jlampe () tenable com>, Rafal Los <Rafal () ishackingyou com>, Chuck McAuley <chuck.mcauley () keysight
com>, "dailydave () lists aitelfoundation org" <dailydave () lists...
Re: [EXTERNAL] WAF Metrics
Greg Frazier via Dailydave (Jul 17)
I'm not parsing your argument. If you knew the bug was there, you would fix
the bug. The WAF is there to mitigate the bugs that you are not aware of.
Further, web accesses that are out of scope of your intended functionality
but do not trigger a bug may be information gathering attacks that you
would, in hindsight, have wished your WAF had blocked. I would argue that
the WAF is not a stop-gap at all--it is an integral part of your...
Re: [EXTERNAL] WAF Metrics
Don Ankney via Dailydave (Jul 15)
So far, this conversation focuses on how effectively WAFs block malicious HTTP requests. I'd argue that this is both a
red herring and an abuse of WAF technology. A WAF only protects the enterprise when it blocks a request that would
trigger an actual bug. If there's no bug present, all that's really happening is that likely malicious requests are
being logged at a much higher cost than if it were simply allowed to sit in the...
Re: [EXTERNAL] WAF Metrics
Chuck McAuley via Dailydave (Jul 15)
This isn’t directly related to John’s observation below, but it got me motivated to further clarify some of the
challenges involved in testing WAFs.
I’ve seen many implementations over the years that try to determine the decision making process of an IPS, WAF, or
similar device by simply interrogating it from the client side only. The realities of test of measurement is that it
requires the user to implement both a client and server...
Re: [EXTERNAL] WAF Metrics
John Lampe via Dailydave (Jul 13)
Yeah, I guess the way I would envision it going would be:
1) web app scanner sees XSS vuln on /path/to/foo.php
2) my integration ties that web app scan into a format to pass to WAF
3) WAF sets up anti-xss rules on /path/to/foo.php (we had to actually
create a static mapping for this step)
4) measure how many hits the waf blocks to that endpoint for the XSS
John
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
BHIS Sorta Top Used Tools of 2018
John - Black Hills Information Security (Dec 06)
Free Webcast
Hello all,
For our next webcast we will cover some of the core tools we use all the time at Black Hills Information Security.
However, there will be a twist. We will not talk about Nessus, Nmap, or Metasploit. Why? Because there are a ton of new
(and older) tools we use that fall outside of the standard tools you see in every security book/blog out there.
Basically, we are trying to be edgy and different.
You may want to come...
BHIS Webcast - Tues 10/2 @ 11am MDT
John Strand - Black Hills Information Security (Sep 26)
Hello All,
In this next webcast I want to cover what I am doing with the BHIS Systems team to create a C2/Implant/Malware test
bed. Testing our C2/malware solutions is important because vendors tend to lie or over-hype their capabilities. I will
cross reference some different malware specimens to the MITRE ATT&CK framework and we will cover how you can use these
techniques to test your defensive solutions at both the endpoint and the...
BHIS Webcast: The PenTest Pyramid of Pain 9/4 - 11am MDT
Sierra - Black Hills Information Security (Aug 29)
Hello!
How are you all? We had a fantastic webcast last week with John Strand and Chris Brenton and we're still working
through some unexpected hiccups to get the recording up and posted. The podcast version is on our blog, and the YouTube
version will be posted shortly on the Active Countermeasures channel and blog as well. Thanks for all of you who
ventured over to attend!
Ready for another awesome BHIS webcast? Dakota is back and...
Webcast with CJ: Tues 7/24 at 11am
Sierra - Black Hills Information Security (Jul 19)
Our upcoming webcast will be about POLICY...
Did you check out when you heard “policy”? Policy can often seem like a drudgery, but it’s also an important and
potentially overlooked part of business and procedure; it’s the framework on which security is really built!
CJ, our COO and Head of Sales has experience writing, assessing and implementing policies for many different kinds of
companies. And if you are worried it will be dry and...
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
Honeypot malware archives
Matteo Cantoni (Feb 14)
Hello everyone,
I would like to share with you, for educational purposes and without any
commercial purpose, data collected by my homemade honeypot.
Nothing new, nothing shocking, nothing sensational... but I think it can
be of interest to newcomers to the world of analysis of malware,
botnets, etc... maybe for a thesis.
The files collected are divided into zip archives, in alphabetical
order, with password (which must be requested via email). Some...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Update Minor Revisions
Microsoft (Dec 11)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: December 11, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision
increment:
* CVE-2018-8172
Revision Information:
=====================
- CVE-2018-8172 | Visual Studio Remote Code Execution
Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Nov 14)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: November 14, 2018
********************************************************************
Summary
=======
The following CVEs and advisory have undergone a minor revision
increment:
* CVE-2018-8454
* CVE-2018-8552
* ADV990001
Revision Information:
=====================
- CVE-2018-8454 | Windows Audio Service...
Microsoft Security Update Minor Revisions
Microsoft (Oct 24)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 24, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision increment:
* CVE-2018-8512
Revision Information:
=====================
- CVE-2018-8512 | Microsoft Edge Security Feature Bypass
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 19)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 19, 2018
********************************************************************
Summary
=======
The following CVE has been added to the October 2018 Security updates:
* CVE-2018-8569
Revision Information:
=====================
- CVE-2018-8569 | Yammer Desktop Application Remote Code Execution
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 17)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 17, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
* CVE-2010-3190
Revision Information:
=====================
- CVE-2010-3190 | MFC Insecure Library Loading Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 9, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision increment:
* CVE-2018-8531
Revision Information:
=====================
- CVE-2018-8531 | Azure IoT Device Client SDK Memory Corruption
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 9, 2018
********************************************************************
Summary
=======
The following CVE has been added to the October 2018 Security updates:
* CVE-2018-8292
Revision Information:
=====================
- CVE-2018-8292 | .NET Core Information Disclosure Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 9, 2018
********************************************************************
Summary
=======
The following bulletin has undergone a major revision increment:
* MS11-025
Revision Information:
=====================
- https://docs.microsoft.com/en-us/security-updates/
SecurityBulletins/2011/ms11-025:...
Microsoft Security Update Summary for October 9, 2018
Microsoft (Oct 09)
********************************************************************
Microsoft Security Update Summary for October 9, 2018
Issued: October 9, 2018
********************************************************************
This summary lists security updates released for October 9, 2018.
Complete information for the October 2018 security update release can
be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>.
Please note the...
Microsoft Security Update Releases
Microsoft (Oct 02)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 2, 2018
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment:
* CVE-2018-0952
Revision Information:
=====================
- CVE-2018-0952 | Diagnostic Hub Standard Collector Elevation of
Privilege Vulnerability
-...
Microsoft Security Advisory Notification
Microsoft (Sep 12)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 12, 2018
********************************************************************
Security Advisories Released or Updated on September 12, 2018
===================================================================
* Microsoft Security Advisory ADV180022
- Title: Windows Denial of Service Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Sep 12)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: September 12, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a minor revision increment:
* CVE-2018-8421
* CVE-2018-8468
Revision Information:
=====================
- CVE-2018-8421 | .NET Framework Remote Code Execution
Vulnerability...
Microsoft Security Update Summary for September 11, 2018
Microsoft (Sep 11)
********************************************************************
Microsoft Security Update Summary for September 11, 2018
Issued: September 11, 2018
********************************************************************
This summary lists security updates released for September 11, 2018.
Complete information for the September 2018 security update release can
be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>....
Microsoft Security Update Releases
Microsoft (Sep 11)
********************************************************************
Title: Microsoft Security Update Releases
Issued: September 11, 2018
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment:
* CVE-2018-8154
Revision Information:
=====================
- CVE-2018-8154 | Microsoft Exchange Memory Corruption
Vulnerability
-...
Microsoft Security Advisory Notification
Microsoft (Sep 11)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 11, 2018
********************************************************************
Security Advisories Released or Updated on September 11, 2018
===================================================================
* Microsoft Security Advisory ADV180002
- Title: Guidance to mitigate speculative execution...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Verizon: 1.5M of Contact Records Stolen, Now on Sale
Jeffrey Walton (Mar 26)
http://www.mobipicker.com/verizon-1-5m-contact-records-stolen-now-sale/:
A business to business telecommunication giant,
Verizon Enterprise Solutions, a Basking Ridge,
New Jersey-based company, has been the latest
victim of a cyber crime that stole 1.5 million contact
records of the customers of Verizon...
I don't quite understand this double talk. Could someone explain to me:
A spokesperson from Verizon said that...
Statement on Lavabit Citation in Apple Case
Jeffrey Walton (Mar 16)
(From John Young on another list):
http://www.facebook.com/KingLadar/posts/10156714933135038
As many of you already know, the government cited the Lavabit case in
a footnote. The problem is their description insinuates a precedent
that was never created. Obviously I was somewhat disturbed by their
misrepresentation. So I decided to draft a statement. And keep in
mind, these are the same people who say "trust us." Click continue to
read...
The NSA's back door has given every US secret to our enemies
Jeffrey Walton (Feb 29)
http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2
Deng Xiaoping, in 1979 - his second year as supreme leader of China -
perceived a fundamental truth that has yet to be fully grasped by most
Western leaders: Software, if properly weaponized, could be far more
destructive than any nuclear arsenal.
Under Deng’s leadership, China began one of the most ambitious and
sophisticated meta- software...
Can Spies Break Apple Crypto?
Jeffrey Walton (Feb 27)
Here's an interesting exchange between Cryptome and Michael Froomkin,
Law Professor at University of Miami, on the All Writs Act
(http://cryptome.org/2016/02/can-spies-break-apple-crypto.htm):
-----
A. Michael Froomkin:
The factual posture in the key Supreme Court precedent, New York
Telephone, involved a situation where only the subject of the order
was capable of providing the assistance at issue. This is the basis
for Apple's...
The FBI's iPhone Problem: Tactical vs. Strategic Thinking
Jeffrey Walton (Feb 23)
http://www.technewsworld.com/story/83130.html
I'm an ex-sheriff, and I've been in and out of security jobs for much
of my life, so I've got some familiarity with the issues underlying
the drama between the FBI and Apple. FBI officials -- and likely those
in every other three-letter agency and their counterparts all over the
world -- would like an easier way to do their jobs. Wouldn't we all?
If they could put cameras in...
Wanted: Cryptography Products for Worldwide Survey
Jeffrey Walton (Jan 01)
(http://www.schneier.com/crypto-gram/archives/2015/1215.html):
In 1999, Lance Hoffman, David Balenson, and others published a survey
of non-US cryptographic products. The point of the survey was to
illustrate that there was a robust international market in these
products, and that US-only export restrictions on strong encryption
did nothing to prevent its adoption and everything to disadvantage US
corporations. This was an important contribution...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
Mozilla Releases Security Update for Thunderbird
US-CERT (Jul 17)
National Cyber Awareness System:
Mozilla Releases Security Update for Thunderbird [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/17/mozilla-releases-security-update-thunderbird ] 07/17/2020
10:50 AM EDT
Original release date: July 17, 2020
Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. An attacker could exploit
some of these...
Microsoft Releases Security Update for Edge
US-CERT (Jul 17)
National Cyber Awareness System:
Microsoft Releases Security Update for Edge [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/17/microsoft-releases-security-update-edge ] 07/17/2020 10:53 AM
EDT
Original release date: July 17, 2020
Microsoft has released a security update to address a vulnerability in Edge (Chromium-based). An attacker could exploit
this vulnerability to drop...
AA20-198A: Malicious Cyber Actor Use of Network Tunneling and Spoofing to Obfuscate Geolocation
US-CERT (Jul 17)
National Cyber Awareness System:
AA20-198A: Malicious Cyber Actor Use of Network Tunneling and Spoofing to Obfuscate Geolocation [
https://us-cert.cisa.gov/ncas/alerts/aa20-198a ] 07/16/2020 08:09 AM EDT
Original release date: July 16, 2020
Summary
"This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) and Pre-ATT&CK
frameworks....
CISA Releases Emergency Directive on Critical Microsoft Vulnerability
US-CERT (Jul 16)
National Cyber Awareness System:
CISA Releases Emergency Directive on Critical Microsoft Vulnerability [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/cisa-releases-emergency-directive-critical-microsoft-vulnerability
] 07/16/2020 03:28 PM EDT
Original release date: July 16, 2020
The Cybersecurity and Infrastructure Security Agency (CISA) has released Emergency Directive...
Apple Releases Security Updates
US-CERT (Jul 16)
National Cyber Awareness System:
Apple Releases Security Updates [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/apple-releases-security-updates ] 07/16/2020 11:17 AM EDT
Original release date: July 16, 2020
Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of
these vulnerabilities to take control of an...
Malicious Activity Targeting COVID-19 Research, Vaccine Development
US-CERT (Jul 16)
National Cyber Awareness System:
Malicious Activity Targeting COVID-19 Research, Vaccine Development [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/malicious-activity-targeting-covid-19-research-vaccine-development
] 07/16/2020 07:16 AM EDT
Original release date: July 16, 2020
In response to malicious activity targeting COVID-19 research and vaccine development in the United...
Cisco Releases Security Updates for Multiple Products
US-CERT (Jul 15)
National Cyber Awareness System:
Cisco Releases Security Updates for Multiple Products [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/15/cisco-releases-security-updates-multiple-products ]
07/15/2020 03:19 PM EDT
Original release date: July 15, 2020
Cisco has released security updates to address vulnerabilities affecting multiple products. An unauthenticated, remote
attacker...
Oracle Releases July 2020 Security Bulletin
US-CERT (Jul 14)
National Cyber Awareness System:
Oracle Releases July 2020 Security Bulletin [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/oracle-releases-july-2020-security-bulletin ] 07/14/2020
05:21 PM EDT
Original release date: July 14, 2020
Oracle has released its Critical Patch Update for July 2020 to address 433 vulnerabilities across multiple products. A
remote attacker could...
Google Releases Security Updates for Chrome
US-CERT (Jul 14)
National Cyber Awareness System:
Google Releases Security Updates for Chrome [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/google-releases-security-updates-chrome-0 ] 07/14/2020 04:51
PM EDT
Original release date: July 14, 2020
Google has released Chrome version 84.0.4147.89 for Windows, Mac, and Linux. This version addresses vulnerabilities
that an attacker could exploit...
Google Releases Security Updates for Chrome
US-CERT (Jul 14)
National Cyber Awareness System:
Google Releases Security Updates for Chrome [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/google-releases-security-updates-chrome ] 07/14/2020 02:45 PM
EDT
Original release date: July 14, 2020
Google has released Chrome version 84.0.4147.89 for Windows, Mac, and Linux. This version addresses vulnerabilities
that an attacker could exploit to...
Microsoft Releases July 2020 Security Updates
US-CERT (Jul 14)
National Cyber Awareness System:
Microsoft Releases July 2020 Security Updates [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/microsoft-releases-july-2020-security-updates ] 07/14/2020
02:13 PM EDT
Original release date: July 14, 2020
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could
exploit some of these...
Microsoft Addresses 'Wormable' RCE Vulnerability in Windows DNS Server
US-CERT (Jul 14)
National Cyber Awareness System:
Microsoft Addresses 'Wormable' RCE Vulnerability in Windows DNS Server [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/microsoft-addresses-wormable-rce-vulnerability-windows-dns-server
] 07/14/2020 02:14 PM EDT
Original release date: July 14, 2020
Microsoft has released a security update to address a remote code execution (RCE)...
Adobe Releases Security Updates for Multiple Products
US-CERT (Jul 14)
National Cyber Awareness System:
Adobe Releases Security Updates for Multiple Products [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/adobe-releases-security-updates-multiple-products ]
07/14/2020 01:18 PM EDT
Original release date: July 14, 2020
Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit
some of...
Apache Releases Security Advisories for Apache Tomcat
US-CERT (Jul 14)
National Cyber Awareness System:
Apache Releases Security Advisories for Apache Tomcat [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/apache-releases-security-advisories-apache-tomcat ]
07/14/2020 11:33 AM EDT
Original release date: July 14, 2020
The Apache Software Foundation has released security advisories to address multiple vulnerabilities in Apache Tomcat.
An attacker...
AA20-195A: Critical Vulnerability in SAP NetWeaver AS Java
US-CERT (Jul 13)
National Cyber Awareness System:
AA20-195A: Critical Vulnerability in SAP NetWeaver AS Java [ https://us-cert.cisa.gov/ncas/alerts/aa20-195a ]
07/13/2020 07:07 PM EDT
Original release date: July 13, 2020
Summary
On July 13, 2020 EST, SAP released a security update to address a critical vulnerability, CVE-2020-6287 [
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6287 ],...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
CVE-2020-25723 QEMU: assertion failure through usb_packet_unmap() in hw/usb/hcd-ehci.c
Mauro Matteo Cascella (Dec 22)
Hello,
A flaw was found in the USB EHCI controller emulation of QEMU. It
could occur while processing USB requests due to DMA memory map
failure not being properly detected. This was fixed in the following
commit by checking the return value of usb_packet_map(), thus
preventing a reachable assertion issue from occurring in a later call
of usb_packet_unmap().
Upstream commit:...
CVE-2020-17526: Apache Airflow Incorrect Session Validation in Airflow Webserver with default config
Kaxil Naik (Dec 21)
Versions Affected: < 1.10.14
*Description*:
Incorrect Session Validation in Airflow Webserver with default config
allows a malicious airflow user on site A where they log in normally, to
access unauthorized Airflow Webserver on Site B through the session from
Site A.
This does not affect users who have changed the default value for
`[webserver] secret_key` config.
*Mitigation*:
Change the default value for `[webserver] secret_key` config....
CVE-2020-17520 Apache Pulsar Manager Information Disclosure (bypass admin interceptor)
Guangning E (Dec 17)
CVE-2020-17520 Apache Pulsar Manager Information Disclosure
Severity: High
Vendor: The Apache Software Foundation
Versions Affected:
Apache Pulsar Manager 0.1.0
Description
In Pulsar manager 0.1.0 version, malicious users will be able to bypass
pulsar-manager's admin, permission verification mechanism by constructing
special URLs, thereby accessing any HTTP API
Mitigation:
Users of the affected versions should apply one of the following...
CVE-2020-27781 User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila
Ana McTaggart (Dec 16)
Dear all,
We have received a report of the following vulnerability affecting CephFS.
At Red Hat, we have assigned it CVE-2020-27781
We are proposing a public date of 12/16/2020, as suggested by the
reporter, but want to ensure agreement with upstream first.
I have included our original description of the flaw as follows.
Issue: User credentials can be manipulated and stolen by Native CephFS
consumers of OpenStack Manila
Products affected: RHCS...
CVE-2020-27821 QEMU: heap buffer overflow in msix_table_mmio_write() in hw/pci/msix.c
Mauro Matteo Cascella (Dec 16)
Hello,
A flaw was found in the memory management API of QEMU during the
initialization of a memory region cache. This flaw could lead to an
out-of-bounds access of the Message Signalled Interrupt (MSI-X) table
while performing MMIO operations. A privileged guest user may abuse
this issue to crash the QEMU process on the host, resulting in a
denial of service.
Upstream fix:...
Xen Security Advisory 343 v5 (CVE-2020-25599) - races with evtchn_reset()
Xen . org security team (Dec 16)
Xen Security Advisory CVE-2020-25599 / XSA-343
version 5
races with evtchn_reset()
UPDATES IN VERSION 5
====================
In the RESOLUTION section, describe and list the followup fixes for
vm_event.
ISSUE DESCRIPTION
=================
Uses of EVTCHNOP_reset (potentially by a guest on itself) or
XEN_DOMCTL_soft_reset (by itself covered by XSA-77) can lead to the
violation...
Xen Security Advisory 358 v5 (CVE-2020-29570) - FIFO event channels control block related ordering
Xen . org security team (Dec 16)
Xen Security Advisory CVE-2020-29570 / XSA-358
version 5
FIFO event channels control block related ordering
UPDATES IN VERSION 5
====================
"Unstable" patch updated (needed re-basing).
ISSUE DESCRIPTION
=================
Recording of the per-vCPU control block mapping maintained by Xen and
that of pointers into the control block is reversed. The consumer
assumes,...
Xen Security Advisory 322 v5 (CVE-2020-29481) - Xenstore: new domains inheriting existing node permissions
Xen . org security team (Dec 16)
Xen Security Advisory CVE-2020-29481 / XSA-322
version 5
Xenstore: new domains inheriting existing node permissions
UPDATES IN VERSION 5
====================
Fix deployment info to refer to xsa322-4.12-c.patch not nonexistent
file xsa322-4.13-c.patch.
ISSUE DESCRIPTION
=================
Access rights of Xenstore nodes are per domid. Unfortunately,
existing granted access rights are not...
CVE-2020-13931 Apache TomEE - Incorrect config on JMS Resource Adapter can lead to JMX being enabled
Jonathan Gallimore (Dec 16)
Severity: High
Vendor: The Apache Software Foundation
Versions Affected:
Apache TomEE 8.0.0-M1 - 8.0.3
Apache TomEE 7.1.0 - 7.1.3
Apache TomEE 7.0.0-M1 - 7.0.8
Apache TomEE 1.0.0 - 1.7.5
Description:
If Apache TomEE is configured to use the embedded ActiveMQ broker, and the
broker config is misconfigured, a JMX port is opened on TCP port 1099,
which does not include authentication. CVE-2020-11969 previously addressed
the creation of the JMX...
[ANNOUNCE] qemu-security mailing list
P J P (Dec 16)
Hello,
* QEMU project has set up a dedicated mailing list to receive and triage all
its security issues.
Please see:
-> https://www.qemu.org/contribute/security-process/
-> https://lists.nongnu.org/mailman/listinfo/qemu-security
* If you are a security researcher OR think you've found a potential security
issue in QEMU, please kindly follow the new process to report your issues.
* This is a moderated mailing...
Xen Security Advisory 359 v3 (CVE-2020-29571) - FIFO event channels control structure ordering
Xen . org security team (Dec 15)
Xen Security Advisory CVE-2020-29571 / XSA-359
version 3
FIFO event channels control structure ordering
UPDATES IN VERSION 3
====================
Public release.
ISSUE DESCRIPTION
=================
A bounds check common to most operation time functions specific to FIFO
event channels depends on the CPU observing consistent state. While the
producer side uses appropriately ordered...
Xen Security Advisory 356 v3 (CVE-2020-29567) - infinite loop when cleaning up IRQ vectors
Xen . org security team (Dec 15)
Xen Security Advisory CVE-2020-29567 / XSA-356
version 3
infinite loop when cleaning up IRQ vectors
UPDATES IN VERSION 3
====================
Public release.
ISSUE DESCRIPTION
=================
When moving IRQs between CPUs to distribute the load of IRQ handling,
IRQ vectors are dynamically allocated and de-allocated on the relevant
CPUs. De-allocation has to happen when certain...
Xen Security Advisory 358 v4 (CVE-2020-29570) - FIFO event channels control block related ordering
Xen . org security team (Dec 15)
Xen Security Advisory CVE-2020-29570 / XSA-358
version 4
FIFO event channels control block related ordering
UPDATES IN VERSION 4
====================
Public release.
ISSUE DESCRIPTION
=================
Recording of the per-vCPU control block mapping maintained by Xen and
that of pointers into the control block is reversed. The consumer
assumes, seeing the former initialized, that the...
Xen Security Advisory 353 v4 (CVE-2020-29479) - oxenstored: permissions not checked on root node
Xen . org security team (Dec 15)
Xen Security Advisory CVE-2020-29479 / XSA-353
version 4
oxenstored: permissions not checked on root node
UPDATES IN VERSION 4
====================
Public release.
ISSUE DESCRIPTION
=================
In the Ocaml xenstored implementation, the internal representation of
the tree has special cases for the root node, because this node has no
parent.
Unfortunately, permissions were not...
Xen Security Advisory 352 v3 (CVE-2020-29486) - oxenstored: node ownership can be changed by unprivileged clients
Xen . org security team (Dec 15)
Xen Security Advisory CVE-2020-29486 / XSA-352
version 3
oxenstored: node ownership can be changed by unprivileged clients
UPDATES IN VERSION 3
====================
Public release.
ISSUE DESCRIPTION
=================
Nodes in xenstore have an ownership. In oxenstored, an owner could
give a node away. But node ownership has quota implications.
Any guest can run another guest out of quota, or...
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
Silver Bullet 123: Yanek Korff
Gary McGraw (Jul 06)
hi sc-l,
The latest installment of Silver Bullet was posted this morning. Silver Bullet episode 123 features a conversation
with Yanek Korff. Yanek worked for many years at Cigital as a system administrator back in the early days. He then
moved on to operational security work at AOL and running managed security services at Mandiant.
We talk about managing technical people in this episode. We also discuss operational security. Have a...
Educause Security Discussion — Securing networks and computers in an academic environment.
EDUCAUSE Webinar - The Rise of the Chief Privacy Officer (CPO) in Higher Ed on January 28.
Brian Kelly (Dec 22)
I am excited to share that I will be moderating the EDUCAUSE Webinar - The Rise of the Chief Privacy Officer (CPO) in
Higher Ed on January 28.
The number of chief privacy officers (CPOs) in higher education is on the rise. A recent EDUCAUSE research report, “The
Evolving Landscape of Data Privacy in Higher Education,” highlights that many institutions have created privacy offices
and CPO positions. Historically privacy was managed in a...
Research Security Symposium - January 26, 2021
Brian Kelly (Dec 22)
Please see the attached Research Security Symposium invitation for January 26, 2021.
The agenda will include speakers from the university community, our federal partners and Higher Ed organizations.
The symposium is open to the general university community and federal partners.
Direct registration link - https://ucop.zoom.us/webinar/register/WN_mBHuLaFhR720D85GzpwOuw
Brian
Brian Kelly, CISSP, CISM, CEH
Director, Cybersecurity
Program<...
Client Certificates
Valerie Smith (Dec 18)
Hi all,
We're starting to issue client certificates for authentication and are
looking for best practices for certificate lifecycle management. We would
like to automate certificate issuance using SCEP with the InCommon version
of Sectigo to support authentication to WiFi. (Since our focus is on using
certificates for authentication, not encryption, we are not very concerned
about the key recovery piece).
Any tips, lessons learned, or best...
Re: Teaching security using malware
Menne, Michael S (Dec 16)
Should we allow this to happen on premise using some sort of virtual environment or only allow it to be done in cloud
instances?
* This shouldn’t be a YES/NO question. It should be a YES/HOW question.
* For our campus, we have one classroom dedicated to this. It’s on the local network, but the instructor runs a
script that flips the entire classroom network over to a private VLAN that has no routing. It may have internet...
Teaching security using malware
Matt Hall (Dec 16)
Listserv,
For those schools that are teaching security classes that involve utilizing
malware, how are you setting up your environment?
Some specific questions that came up during internal IT conversations are:
- Should we allow this to happen on premise using some sort of virtual
environment or only allow it to be done in cloud instances?
- Should there be anything special about the computers that are used to
connect to the...
Re: Solarwinds Compromise
Blake Brown (Dec 15)
Thanks for the clarification on this massive amount of confusing information!
~Blake
________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Alex Keller
<axkeller () STANFORD EDU>
Sent: Tuesday, December 15, 2020 10:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Solarwinds Compromise...
Re: Solarwinds Compromise
Alex Keller (Dec 15)
While admittedly a little confusing, please note that the IPs listed in the FireEye deep dive
(https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html)
under “Network Command and Control (C2)” are NOT the actual C2 servers but rather IP ranges hard coded into the
malware that tell it NOT to execute if installed on a host in that range.
Considering...
Re: Solarwinds Compromise
Blake Brown (Dec 15)
I added the following IOCs to an ACL in our FMC. Still confused on if we were even affected by this as we just rebuilt
our system in November from scratch and are at 2020.2.1 HF1 already. Also not seeing any hits on the below IOCs in the
past 2 months.
13.59.205[.]66
54.193.127[.]66
54.215.192[.]52
34.203.203[.]23
139.99.115[.]204
5.252.177[.]25
5.252.177[.]21
204.188.205[.]176
51.89.125[.]18
167.114.213[.]199
freescanonline[.]com...
Re: Solarwinds Compromise
Frank Barton (Dec 15)
I saw something today that one of the domains that was being used for C&C
avsvmcloud.com was 'taken over' by Microsoft earlier today - so just the
IPs being owned by microsoft may not be 'valid'
Frank
Re: Solarwinds Compromise
Koors, Anne N. (Dec 15)
Many of the IPs I am finding are hosting providers like Amazon. It is hard to determine if there was traffic related
to this when traffic there is so common. 2 of the IPs below are also Microsoft.
Anne Koors
Security Analyst
Northeast Wisconsin Technical College
2740 West Mason Street, P.O. Box 19042
Green Bay, WI 54307-9042
anne.koors () nwtc edu<mailto:anne.koors () nwtc edu>
920-498-6942
From: The EDUCAUSE Security...
Re: Solarwinds Compromise
Lee Ostrowski (Dec 15)
I've been relying on the list of IPs and domains provided by FireEye.
https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Blake Brown
Sent: Tuesday, December 15, 2020 11:20 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Solarwinds Compromise
CAUTION...
Re: Solarwinds Compromise
Blake Brown (Dec 15)
We are in the initial stages and have unplugged the network connection from our SW servers and will continue with
threat hunting today. Are these the IOC subnets you are seeing traffic to in your network?
* 20.140.0.0/15
* 96.31.172.0/24
* 131.228.12.0/22
* 144.86.226.0/24
Thanks,
Blake
________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of...
Solarwinds Compromise
Lee Ostrowski (Dec 15)
Good Morning Everyone,
I'm interested in what practical steps everyone has been taking to return your network to normal. Please no political
responses.
1. We've turned off our SolarWinds infrastructure at this point until Solarwinds releases their HF2 update and has a
little more time to vet the update.
* The DHS and Fireeye guidance recommend completely rebuilding the Solarwinds servers from scratch with known
clean...
[Alert] SolarWinds hit in Supply Chain Attack (malicious code inserted into Orion Platform)
Kyrouz, Bill J. (Dec 14)
If you are a SolarWinds customer, you'll want to read up on this:
https://www.solarwinds.com/securityadvisory
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
William J. Kyrouz
Director of Information Security
Jenzabar
O - 617.492.9099 x65263
Connect with us!...
Potential Higher Ed focused Ransomware attacks
Brian Kelly (Dec 11)
The EDUCAUSE Cybersecurity Program would like to alert our community to a recent attack at a member institution.
Identification of the threat actor indicates a connection to a known ransomware attack group, and actions seen by the
institution are often a precursor to a ransomware attack. The member institution consulted with [Law Enforcement]
Authorities during this incident, who believe the perpetrators may be an emerging threat group focusing...
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Announcing UKNOF46
James Bensley (Dec 23)
Dear Colleagues,
We are pleased to announce UKNOF46, taking place online, on 19th
January followed by an online social event.
The meeting website is live and both the Call for Presentations and
Registrations are now open.
[ REGISTRATION ]
There are a limited number of Free Registration spaces - 50 in total.
Paid tickets are £50 each including VAT and the Eventbrite fee. You
may also pay extra as an add-on to your registration.
Registration...
Re: Are the days of the showpiece NOC office display gone forever?
Mark Tinka (Dec 22)
The good news is that choice deals with this problem.
The level of patience we've had to allow this type of customer
interaction has been drastically reduced by our experiences with free or
paid services we experience with apps on our phones. Without realizing
it, our basic expectations rise from how we experience one app that has
nothing to do with the other. It put more stock in choice.
Either we are deleting an app 5 seconds after...
Re: Are the days of the showpiece NOC office display gone forever?
Wayne Bouchard (Dec 22)
And if the last 15 years has shown us anything, it is that when you
can't get past the auto-attendant and talk to a real human, and if
that person can't talk to you like a person instead of reading scripts
at you, your stress levels go way up as does your desire to break
things. Automation in customer service (or excessive emphasis on
procedures) is a really nice way of taking a five minute problem and
turning it into an hour long...
Re: Are the days of the showpiece NOC office display gone forever?
Robert Brockway (Dec 22)
Indeed. More broadly, a lot of people have tried to get rid of operations
staff and suffered the consequences.
Exactly. There is an argument to be said that human operators are
actually part of the computer system. This is implied in terms like
'wetware' but not often explicitly stated.
If the last 50 years has shown us anything it is that humans and computers
working together can achieve far more than either in isolation....
Sonicwall GEoIP Database
Justin Wilson (Lists) (Dec 22)
Does anyone know what GEoIP database sonic wall uses? Their tech support has been horrid. We are not a
customer but getting customers who are getting blocked by some sonic walls due to “unknot” country for GeoIP. I have
checked the ips against the database providers listed at: https://thebrotherswisp.com/index.php/geo-and-vpn/
<https://thebrotherswisp.com/index.php/geo-and-vpn/>
All checkout okay so looking for...
Telus Technical Network Contact
Adam Burnworth (Dec 22)
Hello All! I am hoping to find a Technical network contact inside Telus; I have reached out to the listed address on
their ARIN records a couple of times, and haven't heard back.
If someone can point me in the right direction, it would be much appreciated.
Thank you!
Adam Burnworth (he/him)
Terrestrial Network Engineer
adam.burnworth () spacex com<mailto:adam.burnworth () spacex com>
SpaceX Starlink
RE: Unexplainable router log entries mentioning IPSEC from Yahoo IPs
techzone (Dec 19)
Maybe something to do with the shutdown of Yahoo Groups.
https://groups.yahoo.com/neo
Frank Whiteley
From: NANOG <nanog-bounces+techzone=greeleynet.com () nanog org> On Behalf Of Matthew Petach
Sent: Saturday, December 19, 2020 7:04 AM
To: Dobbins, Roland <Roland.Dobbins () netscout com>
Cc: NANOG <nanog () nanog org>
Subject: Re: Unexplainable router log entries mentioning IPSEC from Yahoo IPs
In this case, however,...
Re: best current practice: buffers
Toke Høiland-Jørgensen via NANOG (Dec 19)
Baldur Norddahl <baldur.norddahl () gmail com> writes:
There are a couple of trends here to be aware of: One is that the
proliferation of CDNs and localised clouds means RTTs for a lot of
bandwidth-heavy traffic is quite low these days. The second is that
newer TCP congestion control algorithms such as BBR make heavy use of
packet pacing which all but eliminates the microbursts of older TCPs.
BBR will run quite happily across a...
best current practice: buffers
Baldur Norddahl (Dec 19)
Hello
What is the best current practice for buffer size? For customer facing
ports, core network ports and transit links?
We have a buffer problem, discovered by a customer that moved their servers
to a cloud service some distance away. That resulted in a drastically reduced
transfer speed between their office and the cloud service. Nothing much
could be done since we, like so many others, have switches with extreme
fast port speeds (48x 10G, 4x...
Re: Unexplainable router log entries mentioning IPSEC from Yahoo IPs
Matthew Petach (Dec 19)
In this case, however, what's being seen is simply valid traffic
which was most likely erroneously redirected through an
internal encryption device.
I would hazard a guess the folks involved have already jumped
on checking the redirector rules to fix the leakage which allowed
external IPs to be passed through the internal encryption pathway.
I helped build the system that's causing those messages, so I have
a bit of a guess as to what...
Re: Unexplainable router log entries mentioning IPSEC from Yahoo IPs
Dobbins, Roland (Dec 18)
Curious if someone can point me in the right direction. In the last three
days our core router (Cisco 7609) has logged the following events:
Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=<redacted>, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20
It should be noted that attackers will sometimes generate non-TCP/-UDP/-ICMP DDoS attack...
Re: [EXTERNAL]Re: Don't need someone with clue @ Network Solutions.
Matthew Crocker (Dec 18)
Yes I tried reaching out to Amazon and they said they can't help me. Crocker.com was hosted with Network Solutions
earlier this year. I'm thinking it might transfer it back to Network Solutions and get them to delete the stale
records. Amazon Route53 is great, Amazon Registrar not so much.
On 12/18/20, 4:36 PM, "NANOG on behalf of Doug Barton" <nanog-bounces+matthew=corp.crocker.com () nanog org on behalf
of...
Re: [EXTERNAL]Re: Don't need someone with clue @ Network Solutions.
Doug Barton (Dec 18)
I'm curious, and my apologies if I missed it, but crocker.com is
registered at Amazon, and the COM whois shows that it was Amazon's
registrar that added the host records.
Were you able to work with the Amazon registrar (not AWS), as one of
their customers, to get the records removed; since crocker.com is not
delegated to those servers?
If not, that's a pretty big gap in their registrar offering.
Doug...
Re: Unexplainable router log entries mentioning IPSEC from Yahoo IPs
Adrian Minta (Dec 18)
Yes, we saw them as well:
Dec 18 10:02:00: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps:
rec'd IPSEC packet has invalid spi for
destaddr=<redacted> prot=50 spi=0x4CF4BE5D(1291107933)
srcaddr=68.180.160.102
Dec 18 08:55:18: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps:
rec'd IPSEC packet has invalid spi for...
Re: [EXTERNAL]Re: Don't need someone with clue @ Network Solutions.
Matthew Crocker (Dec 18)
At this point I've basically given up and I'm moving the 66.59.48.x IPs to a new datacenter over the weekend. I'll
move the DNS servers on the old IPs to the new datacenter and call it a day. We are trying to get all of the
customers to re-register anyway, then I'll shut all of this down.
Thanks for the help
On 12/17/20, 3:16 PM, "NANOG on behalf of John R. Levine" <nanog-bounces+matthew=corp.crocker.com...
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 32.41
RISKS List Owner (Dec 19)
RISKS-LIST: Risks-Forum Digest Saturday 19 December 2020 Volume 32 : Issue 41
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.41>
The current issue can also be found at
<...
Risks Digest 32.40
RISKS List Owner (Dec 11)
RISKS-LIST: Risks-Forum Digest Friday 11 December 2020 Volume 32 : Issue 40
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.40>
The current issue can also be found at
<...
Risks Digest 32.39
RISKS List Owner (Dec 04)
RISKS-LIST: Risks-Forum Digest Friday 4 December 2020 Volume 32 : Issue 39
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.39>
The current issue can also be found at
<...
Risks Digest 32.38
RISKS List Owner (Nov 22)
RISKS-LIST: Risks-Forum Digest Sunday 22 November 2020 Volume 32 : Issue 38
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.38>
The current issue can also be found at
<...
Risks Digest 32.37
RISKS List Owner (Nov 13)
RISKS-LIST: Risks-Forum Digest Friday 13 November 2020 Volume 32 : Issue 37
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.37>
The current issue can also be found at
<...
Risks Digest 32.36
RISKS List Owner (Nov 08)
RISKS-LIST: Risks-Forum Digest Sunday 8 November 2020 Volume 32 : Issue 36
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.36>
The current issue can also be found at
<...
Risks Digest 32.35
RISKS List Owner (Nov 02)
RISKS-LIST: Risks-Forum Digest Monday 2 November 2020 Volume 32 : Issue 35
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.35>
The current issue can also be found at
<...
Risks Digest 32.34
RISKS List Owner (Oct 27)
RISKS-LIST: Risks-Forum Digest Tuesday 27 October 2020 Volume 32 : Issue 34
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.34>
The current issue can also be found at
<...
Risks Digest 32.33
RISKS List Owner (Oct 24)
RISKS-LIST: Risks-Forum Digest Saturday 24 October 2020 Volume 32 : Issue 33
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.33>
The current issue can also be found at
<...
Risks Digest 32.32
RISKS List Owner (Oct 15)
RISKS-LIST: Risks-Forum Digest Thursday 15 October 2020 Volume 32 : Issue 32
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.32>
The current issue can also be found at
<...
Risks Digest 32.31
RISKS List Owner (Oct 10)
RISKS-LIST: Risks-Forum Digest Saturday 10 October 2020 Volume 32 : Issue 31
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.31>
The current issue can also be found at
<...
Risks Digest 32.30
RISKS List Owner (Oct 02)
RISKS-LIST: Risks-Forum Digest Friday 2 October 2020 Volume 32 : Issue 30
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.30>
The current issue can also be found at
<...
Risks Digest 32.29
RISKS List Owner (Sep 25)
RISKS-LIST: Risks-Forum Digest Friday 25 September 2020 Volume 32 : Issue 29
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.29>
The current issue can also be found at
<...
Risks Digest 32.28
RISKS List Owner (Sep 22)
RISKS-LIST: Risks-Forum Digest Tuesday 22 September 2020 Volume 32 : Issue 28
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.28>
The current issue can also be found at
<...
Risks Digest 32.27
RISKS List Owner (Sep 18)
RISKS-LIST: Risks-Forum Digest Friday 18 September 2020 Volume 32 : Issue 27
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.27>
The current issue can also be found at
<...
BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.
No One Is Safe And Why You Should Be Worried
Audrey McNeil (Dec 23)
https://www.forbes.com/sites/emilsayegh/2020/12/21/no-one-is-safe-and-why-you-should-be-worried/?sh=a1c5abf68dea
It looks like we’re closing out 2020 with significant cybersecurity
incidents, with forthcoming implications that have critical importance
across the world. For example, reports are coming in about cyber attack
operations carried by state sponsored threat actors against bodies that
manufacture, plan to distribute, and validate...
The Gray Market: Why a Colossal Hack of US Interests Should Wake Up the Art Industry to Cybersecurity Threats (and Other Insights)
Audrey McNeil (Dec 23)
https://news.artnet.com/opinion/gray-market-solarwinds-hack-1932967
ONCE MORE INTO THE BREACH
Last Sunday, Reuters broke the news of what appears to be one of the most
expansive, longest-running, and most damaging hacks in US history. The
story should also double as a visceral reminder that, as the art market
continues its aggressive march into enhanced online sales and global
connectivity, cybersecurity deserves far more attention than it’s...
Data Centers, Cybersecurity, and the Cloud: How Lessons from 2020 Will Shape 2021
Audrey McNeil (Dec 23)
https://www.dataversity.net/data-centers-cybersecurity-and-the-cloud-how-lessons-from-2020-will-shape-2021/
2020 was a year of unprecedented events. Businesses were forced to take on
the challenges of a boom in remote workforces, the necessity for online
commerce platforms, and the lack of access to physical equipment. As we
head into the new year, businesses will be more alert to adapting their
operations for the foreseeable future. This will...
How do we stop cyber weapons from getting out of control?
Audrey McNeil (Dec 23)
https://www.zdnet.com/article/how-do-we-stop-cyber-weapons-from-getting-out-of-control/
It's vital that all countries follow international rules and norms if
deploying cyber weapons, but some nation states aren't being responsible
when it comes to how they use cyber powers, some of the UK's top
intelligence and cyber chiefs have warned.
In a rare joint appearance in public at Chatham House, Jeremy Fleming,
director of GCHQ, the...
Addressing the Manufacturing Threat Landscape
Audrey McNeil (Dec 23)
https://www.infosecurity-magazine.com/blogs/manufacturing-threat-landscape/
Today, the manufacturing industry promotes innovation, productivity and
trade to capitalize on opportunities created by changing demand and
technological advancements. However, the move towards connected
manufacturing has introduced sophisticated threats to data, intellectual
property (IP) and operations.
Industrial Espionage and IP Theft
Manufacturing organizations...
The scariest security horror stories of 2020
Audrey McNeil (Dec 23)
https://www.itpro.co.uk/security/358164/the-scariest-security-horror-stories-of-2020
The last 12 months have been utterly chaotic for both IT professionals and
businesses, and this seemingly endless uncertainty has provided a prime
opportunity for cyber criminals to wreak havoc across the globe. From
COVID-19-themed phishing exercises to state-backed operations against
vaccine research, the security landscape has shifted in a number of unusual...
TSYS staff in Belfast and Derry told personal data at risk after ransomware attack
Inga Goddijn (Dec 22)
https://www.irishnews.com/business/2020/12/22/news/tsys-staff-in-belfast-and-derry-told-personal-data-at-risk-after-ransomware-attack-2167478/
Staff at payments solutions company TSYS in Belfast and Derry have been
told their personal data has likely been compromised after the US-owned
fintech group was targeted in a ransomware attack.
The card processing giant, formerly known as Cayan, first made the move to
the north in 2013.
It was acquired...
Servers of Carding Site "Joker's Stash" Seized by Law Enforcement
Inga Goddijn (Dec 22)
https://www.securityweek.com/servers-carding-site-jokers-stash-seized-law-enforcement
*The blockchain domains of Joker’s Stash, a popular underground marketplace
for stolen payment card data, have been seized by law enforcement.*
On December 17, the shop’s website displayed an image claiming that the
U.S. Federal Bureau of Investigation and Interpol had seized it.
Joker’s Stash is an automated vending cart (AVC) that had several versions...
A Second Hacker Group May Have Also Breached SolarWinds, Microsoft Says
Inga Goddijn (Dec 22)
https://thehackernews.com/2020/12/a-second-hacker-group-may-have-also.html
As the probe into the SolarWinds supply chain attack continues, new digital
forensic evidence has brought to light that a separate threat actor may
have been abusing the IT infrastructure provider's Orion software to drop a
similar persistent backdoor on target systems.
"The investigation of the whole SolarWinds compromise led to the discovery
of an additional...
CPRA explained: New California privacy law ramps up restrictions on data use
Audrey McNeil (Dec 22)
https://www.csoonline.com/article/3601123/cpra-explained-new-california-privacy-law-ramps-up-restrictions-on-data-use.html
In November, Californians approved a ballot measure, Proposition 24, a.k.a.
the California Privacy Rights Act (CPRA), to create a new consumer data
privacy agency. It puts California yet another step ahead of other states
in terms of privacy protections for consumers—and data security
requirements for enterprises....
SolarWinds is the tip of the iceberg
Audrey McNeil (Dec 22)
https://www.helpnetsecurity.com/2020/12/21/solarwinds-cybersecurity/
The recent SolarWinds software supply chain breach is a clear indication
that strong OT cybersecurity is a must-have in today’s threat environment.
Waterfall’s technologies have long enabled integration between OT networks
and enterprise networks without the risk of any attack getting back into
the protected network. The time has come to deploy this class of...
Bill Spells Out New Factors to Weigh in Setting HIPAA Fines
Audrey McNeil (Dec 22)
https://www.databreachtoday.com/bill-spells-out-new-factors-to-weigh-in-setting-hipaa-fines-a-15640
Under legislation passed by Congress this weekend that awaits President
Donald Trump's signature, HIPAA enforcers, when considering financial
penalties for compliance violations, would need to determine whether an
organization had implemented "recognized security practices," such as the
National Institute of Standards and...
People’s Energy suffers data breach in 'extremely upsetting' cyberattack
Destry Winant (Dec 21)
https://www.current-news.co.uk/news/peoples-energy-suffers-data-breach-in-extremely-upsetting-cyberattack
People’s Energy has been the latest target of a cyberattack in the
energy industry, with personal information on all current and former
domestic customers accessed.
Data accessed included names, addresses, phone numbers, email
addresses, dates of birth, People’s Energy account numbers, tariff
details and gas and electricity meter...
Database containing personal information of over 270,000 Ledger customers released on RaidForums
Destry Winant (Dec 21)
https://www.theblockcrypto.com/linked/88596/database-containing-personal-information-of-over-270000-ledger-customers-released-on-raidforums
A database containing the personal information of over 270,000 Ledger
customers has been published on RaidForums, a marketplace for buying,
selling, and sharing hacked information. The database, reviewed by The
Block, contains the emails, physical addresses, and phone numbers of
Ledger hardware wallet...
Second hacking team was targeting SolarWinds at time of big breach
Destry Winant (Dec 21)
https://www.reuters.com/article/usa-cyber-solarwinds/second-hacking-team-was-targeting-solarwinds-at-time-of-big-breach-idINKBN28T0SZ
(Reuters) - A second hacking group, different from the suspected
Russian team now associated with the major SolarWinds data breach,
also targeted the company’s products earlier this year, according to a
security research blog by Microsoft.
“The investigation of the whole SolarWinds compromise led to the...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
nullcon se7en CFP is open
nullcon (Aug 25)
Dear Friends,
Welcome to nullcon se7en!
$git commit -a <sin>
<sin> := wrath | pride | lust | envy | greed | gluttony | sloth
nullcon is an annual security conference held in Goa, India. The focus
of the conference is to showcase the next generation of offensive and
defensive security technology. We happily open doors to researchers
and hackers around the world working on the next big thing in security
and request...
Ruxcon 2015 Final Call For Presentations
cfp (Jul 05)
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of September, 2015.
.[x]. About Ruxcon .[x]....
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Re: Documentation : 9.6. How to produce protocol stats
Jaap Keuter (Dec 23)
Hi,
Thanks for having a look and reporting back. This could have been done as a merge request; this works as well. I’ve
created one on your behalf, see WSDG: update protocol stats section to match current API
<https://gitlab.com/wireshark/wireshark/-/merge_requests/1449>
Further comments are inline.
Thanks,
Jaap
Done
Done
Done
Done
Nope, this is what ws_symbol_export.h is in place for, to have a cross platform abstraction of...
Re: ZLIB on macOS build discrepancy?
Michael Tuexen (Dec 20)
Yepp, that is what I wanted to say...
That makes sense. I recently re-installed the SDK. I guess some software update removed it.
Best regards
Michael
Re: ZLIB on macOS build discrepancy?
Guy Harris (Dec 20)
It does *not* build or install zlib 1.2.11 itself, however; it only downloads it to get the minizip library.
And, thus, by the 10.12 SDK; the "compiled with" value comes from the header file, which is part of the SDK, not part
of the OS.
Yes, *that* comes from a library API call (zlibVersion()), so it may return a value different from "compiled with".
My recently-updated Mojave virtual machine appears to ship with zlib...
Re: ZLIB on macOS build discrepancy?
Michael Tuexen (Dec 20)
Hi Jaap,
thanks for reporting.
macos_setup.sh installs minizip in version 1.2.11. I double checked that this is also installed on the
builder: libminizip.dylib. So that is working as expected.
I guess the "with zlib 1.2.8" comes from using the default version provided by Mac OS 10.12.
The About dialog also says "Running on Mac OS X 10.16, build 20C69 (Darwin 20.2.0, ... with zlib 1.2.11"
which I guess is the version used and...
ZLIB on macOS build discrepancy?
Jaap Keuter (Dec 20)
Hi,
Not that it bothers me too much but I noticed (another) library mismatch in 3.4.2
tools/macos_setup.sh sports ZLIB_VERSION=1.2.11, while About Wireshark (3.4.2) states “with zlib 1.2.8,”.
Looking at my currently installed 3.4.0, it says "with zlib 1.2.11," so it seemed to have rolled back somehow?
Thanks,
Jaap
Documentation : 9.6. How to produce protocol stats
wsgd (Dec 20)
Hello all,
Questions/remarks about
https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectStats.html
1) An include is missing :
Solution :
Add #include <epan/stats_tree.h>
2) msgtypevalues does not exist
Solution :
Replace "msgtypevalues" by "packettypenames"
to conform with the previous § 9.2.3. Improving the dissection
information
(https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html)
3)...
Wireshark 3.2.10 is now available
Wireshark announcements (Dec 18)
I'm proud to announce the release of Wireshark 3.2.10.
What is Wireshark?
Wireshark is the world’s most popular network protocol analyzer. It is
used for troubleshooting, analysis, development and education.
What’s New
Bug Fixes
The following bugs have been fixed:
• macos-setup.sh can’t find SDK on macOS Big Sur, as it went to 11
Bug 17043[1].
• Wireshark 3.4.1 hangs on startup on macOS Big Sur...
Wireshark 3.4.2 is now available
Wireshark announcements (Dec 18)
I'm proud to announce the release of Wireshark 3.4.2.
What is Wireshark?
Wireshark is the world’s most popular network protocol analyzer. It is
used for troubleshooting, analysis, development and education.
What’s New
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2020-20[1] QUIC dissector crash Bug 17073[2].
The following bugs have been fixed:
New and Updated Features
• IETF...
Wireshark 3.4.2 is now available
Gerald Combs (Dec 18)
I'm proud to announce the release of Wireshark 3.4.2.
What is Wireshark?
Wireshark is the world’s most popular network protocol analyzer. It is
used for troubleshooting, analysis, development and education.
What’s New
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2020-20[1] QUIC dissector crash Bug 17073[2].
The following bugs have been fixed:
New and Updated Features
• IETF...
Re: F1AP Messages are not getting dissected correctly.
Pascal Quantin (Dec 16)
Dear Simran,
Le mer. 16 déc. 2020 à 17:38, Simran Kumawat <kumawat.simran () 5g iith ac in>
a écrit :
Wireshark decodes your pcap as:
F1 Application Protocol
F1AP-PDU: successfulOutcome (1)
successfulOutcome
procedureCode: id-F1Setup (1)
criticality: reject (0)
value
F1SetupResponse
protocolIEs: 2 items
Item 0: id-TransactionID...
F1AP Messages are not getting dissected correctly.
Simran Kumawat (Dec 16)
Hi Sir/Ma'am,
This is Simran Kumawat, Project Associate at 5G-TestBed Project, IIT
Hyderabad.
I am working on the F1AP interface currently, and I observed a few things as
mentioned below.
Wireshark is dissecting f1ap msgs like this -
1. Initiating Message ----------------------> Initiating Message
2. SuccessfulOutcome Message--------> Initiating Message
3. UnsuccessfulOutcome Message-----> SuccessfulOutcome Message
The information...
[Outreachy] Internship blog 2020 post #2
Joey Salazar via Wireshark-dev (Dec 16)
Hi all,
A short blog entry on "I was running the version that I didn't rebuild" here [1].
Check it out! The next one will be there in 2 weeks.
Rebuild u/gtk/pixbuf-csource.c/h
Lucio Di-Giovannantonio via Wireshark-dev (Dec 16)
Hello to everyone,
I'm building Wireshark from an old trunk 2.4.7, and I need to add "myimage_pb_data" to pixbuf-csource.c
(pixbuf-csource.h), starting from "myimage.png" file.
The problem is that the pixbuf-csource files are generated, but I don't know how to rebuild them to add my image. Does anyone know
how to do that?
Regards
Lucio
Lucio Di Giovannantonio
Senior Software Developer
Keysight Technologies Italy srl -...
How to allow string matching on a decoded string field ?
Fulko Hew (Dec 15)
I have a protocol that has an encrypted string as one of its fields.
A Lua based dissector (for example) shows this using the following
code snippet:
xx_proto.fields.msg = ProtoField.string("xx.msg", "Msg", base.ASCII)
local decoded = decrypt(buf, start)
subtree:add(xx_proto.fields.msg, buf(start, len), decoded:raw())
The decoder converts the encrypted data into ASCII.
I'd love to be able to search on the decrypted...
Re: Display of UTF-8 Characters
jayrturner99 (Dec 13)
I cloned 3.5, built, and ran it. The display issue is fixed (and the QT warnings have disappeared).
-----Original Message-----
From: Wireshark-dev <wireshark-dev-bounces () wireshark org> On Behalf Of Guy Harris
Sent: Saturday, December 12, 2020 5:33 PM
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] Display of UTF-8 Characters
To GitLab from our own Git repository (and Gerrit...
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Snort Subscriber Rules Update 2020-12-22
Research (Dec 22)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the deleted, file-other,
malware-cnc, malware-other, malware-tools, policy-other, server-apache
and server-webapp rule sets to provide coverage for emerging threats
from these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Snort Subscriber Rules Update 2020-12-17
Research (Dec 17)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the file-other,
malware-cnc, malware-other and server-webapp rule sets to provide
coverage for emerging threats from these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Snort Subscriber Rules Update 2020-12-14
Research (Dec 14)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-webkit,
malware-cnc and server-webapp rule sets to provide coverage for
emerging threats from these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Re: A question about subscription
Joel Esler (jesler) via Snort-sigs (Dec 14)
Hello,
Our rules consist of both plaintext rules and Shared object rules.
Re: AppId FTP service detector problem
Joel Esler (jesler) via Snort-devel (Dec 14)
This user has been banned from the list. Apologies for any inconvenience.
A question about subscription
徐天琦 via Snort-sigs (Dec 14)
Hi snort-sigs,
If I subscribe to your personal subscription, what type of rules can I
get? Plaintext or ciphertext?
Re: AppId FTP service detector problem
Steve G via Snort-devel (Dec 11)
Hi, can you please send me a screenshot or 'kiddy porn' if you remember;
I asked you to archive all date for security reasons. Would you please
help? Bless you!
Snort Subscriber Rules Update 2020-12-10
Research (Dec 10)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-other and
server-other rule sets to provide coverage for emerging threats from
these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Snort Subscriber Rules Update 2020-12-09
Research (Dec 09)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the browser-other,
indicator-compromise, malware-backdoor, malware-cnc, malware-other,
malware-tools, os-windows and server-webapp rule sets to provide
coverage for emerging threats from these technologies.
For a complete list of new and modified rules please see:...
Snort Subscriber Rules Update 2020-12-08
Research (Dec 08)
Talos Snort Subscriber Rules Update
Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.
Details:
Microsoft Vulnerability CVE-2020-17096:
A coding deficiency exists in NTFS that may lead to remote code
execution.
Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 56561 through 56562.
Microsoft Vulnerability CVE-2020-17121:
A coding...
Re: Rule updates FYI
Joel Esler (jesler) via Snort-sigs (Dec 04)
Thanks James. I can’t replicate.
Re: Rule updates FYI
James Lay (Dec 04)
Ya can do...I'll add a sleep to the script to delay it..thanks Joel!
James
Re: Rule updates FYI
Joel Esler (jesler) via Snort-sigs (Dec 04)
Interesting. Thanks, I’ll have the team take a look. Can you try and do it *not* in the first five minutes at the top
of the hour?
Sent from my iPad
Rule updates FYI
James Lay (Dec 04)
Been seeing these for this whole week:
Dec 4 15:06:54 pulledpork[20543]: FATAL: Error 422 when fetching
snortrules-snapshot-29161.tar.gz
Dec 4 15:01:47 pulledpork[12520]: FATAL: 500 error occured
James
Snort Subscriber Rules Update 2020-12-03
Research (Dec 03)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the malware-other and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.