SecLists.Org Security Mailing List Archive

Any hacker will tell you that the latest news and exploits are not found on any web site—not even Insecure.Org. No, the cutting edge in security research is and will continue to be the full disclosure mailing lists such as Bugtraq. Here we provide web archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:

Insecure.Org Lists

Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.

Re: NPCAP GitHub Security Advisories Daniel Miller (May 04)
I would like to add a clarification on the libpcap CVEs: since libpcap is a
user-mode DLL (wpcap.dll in the Npcap installation), it is not capable of
crashing the entire system. Instead, the impact of any CVEs would be
limited to the application and user that is using the DLL. For specifics on
the particular CVEs addressed, see the libpcap changelog at
https://www.tcpdump.org/libpcap-changes.txt

Dan

Re: NPCAP GitHub Security Advisories Gordon Fyodor Lyon (May 01)
Hi Jay. Good questions, and I'm glad you like Nmap and Npcap! We are not
using GitHub's security feature at present. If we issued a security
advisory for Npcap or Nmap, we would likely host it ourselves. But Github
adds that tab to all projects by default and, from a quick glance at
settings, I don't see an obvious way to remove it. I think your best bet
is to sign up for release announcements through GitHub and look for...

NPCAP GitHub Security Advisories Sethi, Jay (May 01)
Hello nmap dev team!

I work for Manitoba Hydro, a utility in Manitoba Candada. We use nmap (and NPCAP!). As part of NERC CIP compliance, we
are required to check regularly for security advisories. I recently noticed the following on the GitHub page:
The npcap change log notes a few releases that resolve CVEs
npcap/CHANGELOG.md at master * nmap/npcap * GitHub<https://github.com/nmap/npcap/blob/master/CHANGELOG.md>
(For example, Npcap...

Better interface names reported by pcap_findalldevs Dmytro Ovdiienko (May 01)
<<< image/png; name="EAAC2C82AF0D4674B18524120B700D78.png": Unrecognized >>>

Feature Request: nping to flag incorrect or curtailed ICMP echo payload Alex Ferenstein (May 01)
Hi Nmap development mailing list, some time I emailed Gordon, asking for a
feature to flag disparity of echo-replied payload compared to that which
was sent. Can it be implemented, or, have I missed an existing feature?
R’s, Alex

------------------------------

Hi Gordon,

thank you for making nmap/nping. I have a feature request for nping.

As you know, “The echo reply is an ICMP message generated in response to an
echo request; *it is...

zenmap crash in Fedora 34 louzaoh (Apr 22)
This is the message I've got:

➜ zenmap
File "/usr/bin/zenmap", line 114
except ImportError, e:
^
SyntaxError: invalid syntax

➜ rpm -qa zenmap\*
zenmap-7.91-1.noarch

Regards.,

Nmap Bug in payload.cc: corrupted UDP packets during -sU scan mzet via dev (Apr 02)
Hi List,

It was observed that UDP packets that are sent during an UDP port scanning (-sU) are corrupted.

Background:

To make UDP scanning more effective, for many services (ports) Nmap takes content of UDP packets from nmap-payloads
file. Logic for handling this is implemented in payload.cc source file.

Issue:

Due to subtle implementation issue (introduced in...

[NSE] Hex digits in URL encoding should be upper-case nnposter (Apr 01)
For visibility to the broad Nmap community:

I have created issue #2281 to start using upper-case hexadecimal digits
for URL encoding inside NSE. More details at

https://github.com/nmap/nmap/issues/2281

Please leave any comments there.

Cheers,
nnposter

Re: Empty do_ipv4 function in address-info nnposter (Mar 27)
I agree that there is no obvious reason why to have the function there
at all. On the other hand, the script description is pretty clear:

"Shows extra information about IPv6 addresses, such as..."

In other words, there should be no expectation that the script does
anything with IPv4.

Cheers,
nnposter

Empty do_ipv4 function in address-info Toni Ruottu (Mar 27)
Hi!

In the current version of address-info.nse the do_ipv4 function body is
completely empty. Is this a mistake? If it is not a mistake I would at
least expect a comment that explains why the function doesn't do anything.

Cheers, --Toni

PR 2278 - improvement on script ssl-enum-ciphers Sulidi Maimaitiming (Mar 26)
Hi Nmap team,

I have been using the ssl-enum-ciphers script to detect the presence of
weak tls protocols and ciphers and it is a great tool.
However I've noticed many ciphers are rated A for cipher strength (while
they are flagged as weak on SSL Labs for instance), and then I realised
there was a list of warnings aggregated at the port level.
Plus the aggregated output is not always consistent...
I opened a PR on GitHub (...

Re: ssl-enum-ciphers.nse not showing TLS_ECDHE* ciphers nnposter (Mar 20)
<snip>

<snip>>

The script has been updated in r38199. Please see the following comment
for the root cause:

https://github.com/nmap/nmap/issues/1187#issuecomment-803503496

Cheers,
nnposter

Re: Nmap Issue : "kernel: RPC: fragment too large:" Dario Ciccarone (dciccaro) via dev (Mar 16)
https://serverfault.com/questions/652188/nfs-share-problems-rpc-fragment-too-large-xxxxx - second answer on a Google
search for "kernel: RPC: fragment too large:"

With the most absolute respect, and from a professional to another: it would certainly help *immensely* if you could
provide information such as:

* Nmap version and command-line options used
* Operating system, patch level on the host being used to run nmap
*...

Nmap Issue : "kernel: RPC: fragment too large:" PENISSON , TIMOTHÉ (Mar 16)
Hello,
I use Nmap to scan machines and in the logs of some of them, we see this kind of messages appearing in the logs:
"kernel: RPC: fragment too large:".
This message appears globally on all servers scanned by Nmap with an NFS mount.
Is this behavior known by the Nmap community? Is it linked to a specific conf or script?
Is there a workaround to avoid this?

Thanks for your help,

Sincerely,

[Bloc marque]

Timothé PENISSON
MOE...

I keep getting this error every time I try to open the scripting window on windows 10 to input an nse Mike Myers (Mar 16)
Here is the stack trace…

Version: 7.90
Traceback (most recent call last):
File "zenmapGUI\ScriptInterface.pyo", line 261, in script_list_timer_callback
File "zenmapGUI\ScriptInterface.pyo", line 270, in initial_script_list_cb
File "zenmapGUI\ScriptInterface.pyo", line 307, in handle_initial_script_list_output
NameError: global name 'os' is not defined

Thanks for any help. I can use the command...

Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.

Npcap 1.30 Released: Raw WiFi + Better Performance Gordon Fyodor Lyon (Apr 12)
Hi folks. The Nmap Project is pleased to release Npcap Version 1.30 at
https://npcap.org. We hope Nmap and Wireshark users will be especially
happy with the raw WiFi improvements, since you tend to be particularly
savvy about low-level network inspection. It turns out that some of the
issues we thought were caused by lower level hardware drivers were actually
bugs in our driver. Oops! But at least that means we can fix them
ourselves, and we did....

Npcap 1.20 released Gordon Fyodor Lyon (Mar 16)
Nmap/Npcap Community:

I'm happy to report the release of version 1.20 of the Npcap Windows packet
capturing/sending driver! It's the first release of 2021 and includes
better capabilities for selecting timestamp methods as well as many other
improvements and bug fixes. These include updating the underlying libpcap
library to version 1.10 and building our installer now with NSIS 3. More
details on all this are available from the...

Nmap 7.91 Bugfix Release Gordon Fyodor Lyon (Oct 14)
Hello everyone. I'm glad Nmap 7.90 was so well received! There were so
many improvements that the official announcement (
https://seclists.org/nmap-announce/2020/1) was a bit unwieldy. So Daniel
Miller (who made most of those changes) Tweeted his top highlights at
https://twitter.com/bonsaiviking/status/1313247253197393920

While we do work hard to avoid bugs during development and to catch them
pre-release through continuous integration...

Nmap 7.90 Released! First release since August 2019. Gordon Fyodor Lyon (Oct 03)
Hello everyone. Hot on the heels of the big Npcap 1.00 release (
https://seclists.org/nmap-announce/2020/0), we're delighted to announce a
new Nmap--version 7.90! It's the first Nmap release since Defcon 2019, even
though we've made 16 Npcap releases since then. Raw packets are so
fundamental to Nmap that we really wanted to get it right. With the
production-ready and highly performant Npcap 1.00 driver included, we can
finally...

Npcap 1.00 was just released and a new Nmap is on the way! Gordon Fyodor Lyon (Sep 28)
Hello everyone. I hope you are all safe and well during this nasty
pandemic. I obviously haven't been wearing my marketing hat enough given
that this is my first mail to the Nmap Announcement list since last
August's Nmap 7.80 release. But we've been heads-down programming since
then and have great news to report!

The biggest news is that, after more than 7 years of development and 170
previous public releases, we're...

Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

SEC Consult SA-20210511-0 :: Cross-site Scripting Vulnerabilities in REWE GO SEC Consult Vulnerability Lab (May 10)
SEC Consult Vulnerability Lab Security Advisory < 20210511-0 >
=======================================================================
title: Reflected Cross-site Scripting Vulnerabilities
product: SIS Informatik - REWE GO
vulnerable version: 7.5.0/12C
fixed version: 7.7 SP17
CVE number: CVE-2021-31537
impact: Medium
homepage:https://sisinformatik.com/rewe-go/...

Backdoor.Win32.NinjaSpy.c / Remote Command Execution malvuln (May 07)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/6eece319bc108576bd1f4a8364616264_B.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.NinjaSpy.c
Vulnerability: Remote Command Execution
Description: The malware listens on TCP ports 2003, 2004 and drops a DLL
named "cmd.dll" under Windows dir. Connecting to port 2003, you will get
back a number...

Packed.Win32.Black.d / Unauthenticated Open Proxy malvuln (May 07)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/3a36d7ab34b3241aa2a9072700e0cb7c.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Packed.Win32.Black.d
Vulnerability: Unauthenticated Open Proxy
Description: The malware listens on TCP ports 1080 and 8080 and drops a
hidden executable named "Hacker.com.cn.exe" under Windows dir" that runs
with SYSTEM integrity....

Backdoor.Win32.Floder.gqe / Insecure Permissions malvuln (May 07)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/0629e3b2ab8a973a3e37e4e97cb9cfea.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Floder.gqe
Vulnerability: Insecure Permissions
Description: The malware creates an hidden insecure dir named "RECYCLER"
under c:\ drive and grants change (C) permissions to the authenticated user
group. Standard users can...

Trojan.Win32.Siscos.bqe / Insecure Permissions malvuln (May 07)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/b4a35ae6dcceea6390769829b4e1506f.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Trojan.Win32.Siscos.bqe
Vulnerability: Insecure Permissions
Description: The malware creates a insecure dir named "Windupdt" under c:\
drive and grants change (C) permissions to the authenticated user group.
Standard users can rename the...

Trojan.Win32.Agent.xdtv / Insecure Permissions malvuln (May 07)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/ffa9b76f9549a2c46415c855a0911e8a.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Trojan.Win32.Agent.xdtv
Vulnerability: Insecure Permissions
Description: The malware creates an insecure installation dir under
"C:\Program Files (x86)" and grants full (F) permissions to the Everyone
user group. Standard users can...

Four vulnerabilities found in MikroTik's RouterOS Q C (May 07)
Advisory: four vulnerabilities found in MikroTik's RouterOS

Details
=======

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: no fix yet
CVE: CVE-2020-20214, CVE-2020-20222, CVE-2020-20236, CVE-2020-20237
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team

Product Description
==================

RouterOS is the operating system used on the MikroTik's devices, such as
switch, router and access...

Re: Four vulnerabilities found in MikroTik's RouterOS Q C (May 07)
[Update 2021/05/05] Two CVEs have been assigned to two of these
vulnerabilities.

CVE-2020-20254: Mikrotik RouterOs before 6.47 (stable tree) suffers from a
memory corruption vulnerability in the /nova/bin/lcdstat process. An
authenticated remote attacker can cause a Denial of Service (NULL pointer
dereference).

CVE-2020-20253: Mikrotik RouterOs before 6.47 (stable tree) in the
/nova/bin/lcdstat process. An authenticated remote attacker can...

Re: Two vulnerabilities found in MikroTik's RouterOS Q C (May 07)
[Update 2021/05/05] Two CVEs have been assigned to these vulnerabilities.

CVE-2020-20267: Mikrotik RouterOs before 6.47 (stable tree) suffers from a
memory corruption vulnerability in the /nova/bin/resolver process. An
authenticated remote attacker can cause a Denial of Service due to invalid
memory access.

CVE-2020-20225: Mikrotik RouterOs before 6.47 (stable tree) suffers from an
assertion failure vulnerability in the /nova/bin/user process....

Re: Three vulnerabilities found in MikroTik's RouterOS Q C (May 07)
[Update 2021/05/04] Three CVEs have been assigned to these vulnerabilities.

CVE-2020-20266: Mikrotik RouterOs before 6.47 (stable tree) suffers from a
memory corruption vulnerability in the /nova/bin/dot1x process. An
authenticated remote attacker can cause a Denial of Service (NULL pointer
dereference).

CVE-2020-20264: Mikrotik RouterOs before 6.47 (stable tree) in the
/ram/pckg/advanced-tools/nova/bin/netwatch process. An authenticated remote...

Re: Three vulnerabilities found in MikroTik's RouterOS Q C (May 07)
[update 2021/05/04] Three CVEs have been assigned to these vulnerabilities.

CVE-2020-20215: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a
memory corruption vulnerability in the /nova/bin/diskd process. An
authenticated remote attacker can cause a Denial of Service due to invalid
memory access.

CVE-2020-20216: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a
memory corruption vulnerability in the /nova/bin/graphing process. An...

APPLE-SA-2021-05-03-3 watchOS 7.4.1 Apple Product Security via Fulldisclosure (May 04)
APPLE-SA-2021-05-03-3 watchOS 7.4.1

watchOS 7.4.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT212339.

WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Apple is aware of a report that this issue
may have been actively exploited.
Description: A memory corruption issue was...

APPLE-SA-2021-05-03-4 macOS Big Sur 11.3.1 Apple Product Security via Fulldisclosure (May 04)
APPLE-SA-2021-05-03-4 macOS Big Sur 11.3.1

macOS Big Sur 11.3.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT212335.

WebKit
Available for: macOS Big Sur
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Apple is aware of a report that this issue
may have been actively exploited.
Description: A memory corruption issue was addressed...

APPLE-SA-2021-05-03-1 iOS 14.5.1 and iPadOS 14.5.1 Apple Product Security via Fulldisclosure (May 04)
APPLE-SA-2021-05-03-1 iOS 14.5.1 and iPadOS 14.5.1

iOS 14.5.1 and iPadOS 14.5.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT212336.

WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to...

APPLE-SA-2021-05-03-2 iOS 12.5.3 Apple Product Security via Fulldisclosure (May 04)
APPLE-SA-2021-05-03-2 iOS 12.5.3

iOS 12.5.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT212341.

WebKit
Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad
mini 2, iPad mini 3, and iPod touch (6th generation)
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Apple is aware of a report that this issue
may have been...

Other Excellent Security Lists

Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

Info Security News — Carries news items (generally from mainstream sources) that relate to security.

Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

Plausible. Dave Aitel via Dailydave (Apr 11)
A while back I was chatting with someone at INFILTRATE, over fried
alligator and more alcohol than I probably should have imbibed, and he
said, "We're going to make fuzzing obsolete, because we have more CPUs on
the problem than anyone can reasonably duplicate, and we're going to
exhaust the space".

And it's PLAUSIBLE in a way. I've watched a few of the live streams that
Brandon Falk does, and you can see how like,...

News Roundups! Dave Aitel via Dailydave (Feb 01)
So lately I've been doing little news roundups on the YouTubes....
Yesterday's is here: https://youtu.be/xgiymt_0isY

Neal Stephenson, in his most recent book, *Fall*, had a character that was
an interesting play on the traditional fantasy "giant" in the sense that
she was normal size, but fractally dense. I feel like we are living that
kind of time - in the sense that gravity is really a measure of how much
stuff is happening...

Re: Fully Automated CONOPs Exercise Pukhraj Singh via Dailydave (Jan 28)
Folks like Joe Slowik
<https://www.youtube.com/watch?v=n7XqxRXwFZ4&ab_channel=CYBERWARCON>, Grugq
<https://www.blackhat.com/docs/webcast/12142017-the-triple-a-threat.pdf>and you
<https://cybersecpolitics.blogspot.com/2016/09/the-stern-stewart-summit-germany-and.html>(Dave)
have tried to articulate the CONOPS for worms since long. In their current
forms, worms look like IO packages in full-spectrum missions. Ignoring...

Re: Fully Automated CONOPs Exercise Dave Aitel via Dailydave (Jan 28)
I mean, the goal of the question is to start putting some meat on the idea
of what "harm" is and how that is reflected both from a policy and
technical perspective. But also: It's useful to put some real definitions
around what is required to make people comfortable with fully-automated
techniques.

I don't think the idea that we are going to come up with and enforce norms
is as useful as figuring out what the norms really are...

Re: Fully Automated CONOPs Exercise Dave Dittrich via Dailydave (Jan 28)
Did any of them mention international humanitarian law, specifically
discrimination, respecting territory of neutral ("green") actors and
their infrastructure, and avoiding harm to neutral third parties and
non-combatants? The problem with most worms is the inability to
accurately discriminate targets and resulting harm. This is an area
where technical experts need to be balanced with operators and policy
makers to ensure that...

Fully Automated CONOPs Exercise Dave Aitel via Dailydave (Jan 27)
So one of my new fav questions to ask policy teams is what they would do if
they were told to switch their offensive team entirely to worms. Nothing
else. Just worms. What needs to change to make that happen - from op tempo
to supply chain to personnel to policy and technological investment.

And how would their defensive team need to change strategically if they
were facing such an offensive team.

It's a fun thing to see people wrap their...

"Severely lacking". Dave Aitel via Dailydave (Jan 20)
Recently I read this post from Maddie Stone of Google's Project Zero:
https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html
. In particular, it has a bolded line of "*As a community, our ability to
detect 0-days being used in the wild is severely lacking to the point that
we can’t draw significant conclusions due to the lack of (and biases in)
the data we have collected.*" which is the most...

[mm4.emwd.com] Please Confirm Your E-mail Address noreply (Jan 07)
Hello from mm4.emwd.com!

You're receiving this e-mail because user SeclistsDD has given yours as an e-mail address to connect their account.

To confirm this is correct, go to
https://lists.aitelfoundation.org/accounts/confirm-email/MzAw:1kxbbR:J_gxtLGlz_7WONRMX9blDLA1rXc/

Thank you from mm4.emwd.com!
mm4.emwd.com

Re: The Lost Decade of Security Metrics Andre Gironda via Dailydave (Jan 05)
MITRE ATK > CVE/CVSS
Enterprise v8 is more granular than ever before for vuln purposes, but
always has been extensive for threat purposes

If you want to express CVEs in maldocs or malware (including webshells) may
I suggest Yara and/or Suricata (maybe shortcuts such as JA3 or JARM if TLS
applies)?
If you want to express CVEs in runtime app infra may I suggest
caldera_pathfinder? e.g., this is heartbleed --...

Re: The Lost Decade of Security Metrics toby via Dailydave (Jan 05)
I don't think you are wrong but your comparison of CVSS and the multiple
(also separately bad) metrics for a WAF isn't effective or accurate.

The values going into CVSS have something in common; they are attempts to
characterize the importance of the vulnerability in question. You are
making (have made before) the claim that the importance of a vulnerability
is too variable and specific to an environment or an attack scenario to be...

Re: The Lost Decade of Security Metrics Chuck McAuley via Dailydave (Jan 05)
Throughput* is perhaps the wrong unit of measure. Most of the time you would be interested in measuring
“requests/second” or “transactions/second”. Aside from say a content ingesting site/repeater
(facebook/twitter/instagram), almost all content for a WAF to handle is inbound, using low amounts of available
bandwidth. The outbound content is rarely inspected by such a device, with the exception of 5xx error or similar
(headers).

A...

The Lost Decade of Security Metrics Dave Aitel via Dailydave (Jan 05)
A thousand years ago I subscribed to the Security Metrics mailing list.
Metrics are important - or rather, I think good decision making is
important, and without metrics your decision making is essentially luck.
But we haven't seen any progress on this in a decade, and I wanted to talk
about the meta-reason why: Oversimplification in the hopes of scaling.

There's a theme in security metrics, a deep Wrong, that the community
cannot...

PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.

BHIS Sorta Top Used Tools of 2018 John - Black Hills Information Security (Dec 06)
Free Webcast

Hello all,

For our next webcast we will cover some of the core tools we use all the time at Black Hills Information Security.
However, there will be a twist. We will not talk about Nessus, Nmap, or Metasploit. Why? Because there are a ton of new
(and older) tools we use that fall outside of the standard tools you see in every security book/blog out there.

Basically, we are trying to be edgy and different.

You may want to come...

BHIS Webcast - Tues 10/2 @ 11am MDT John Strand - Black Hills Information Security (Sep 26)
Hello All,

In this next webcast I want to cover what I am doing with the BHIS Systems team to create a C2/Implant/Malware test
bed. Testing our C2/malware solutions is important because vendors tend to lie or over-hype their capabilities. I will
cross reference some different malware specimens to the MITRE ATT&CK framework and we will cover how you can use these
techniques to test your defensive solutions at both the endpoint and the...

BHIS Webcast: The PenTest Pyramid of Pain 9/4 - 11am MDT Sierra - Black Hills Information Security (Aug 29)
Hello!

How are you all? We had a fantastic webcast last week with John Strand and Chris Brenton and we're still working
through some unexpected hiccups to get the recording up and posted. The podcast version is on our blog, and the YouTube
version will be posted shortly on the Active Countermeasures channel and blog as well. Thanks for all of you who
ventured over to attend!

Ready for another awesome BHIS webcast? Dakota is back and...

Webcast with CJ: Tues 7/24 at 11am Sierra - Black Hills Information Security (Jul 19)
Our upcoming webcast will be about POLICY...

Did you check out when you heard “policy”? Policy can often seem like a drudgery, but it’s also an important and
potentially overlooked part of business and procedure; it’s the framework on which security is really built!

CJ, our COO and Head of Sales has experience writing, assessing and implementing policies for many different kinds of
companies. And if you are worried it will be dry and...

Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.

Microsoft Security Update Minor Revisions Microsoft (Dec 11)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: December 11, 2018
********************************************************************

Summary
=======

The following CVE has undergone a minor revision
increment:

* CVE-2018-8172

Revision Information:
=====================

- CVE-2018-8172 | Visual Studio Remote Code Execution
Vulnerability
-...

Microsoft Security Update Minor Revisions Microsoft (Nov 14)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: November 14, 2018
********************************************************************

Summary
=======

The following CVEs and advisory have undergone a minor revision
increment:

* CVE-2018-8454
* CVE-2018-8552
* ADV990001

Revision Information:
=====================

- CVE-2018-8454 | Windows Audio Service...

Microsoft Security Update Minor Revisions Microsoft (Oct 24)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 24, 2018
********************************************************************

Summary
=======

The following CVE has undergone a minor revision increment:

* CVE-2018-8512

Revision Information:
=====================

- CVE-2018-8512 | Microsoft Edge Security Feature Bypass
Vulnerability
-...

Microsoft Security Update Releases Microsoft (Oct 19)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 19, 2018
********************************************************************

Summary
=======

The following CVE been added to the October 2018 Security updates:

* CVE-2018-8569

Revision Information:
=====================

- CVE-2018-8569 | Yammer Desktop Application Remote Code Execution
Vulnerability
-...

Microsoft Security Update Releases Microsoft (Oct 17)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 17, 2018
********************************************************************

Summary
=======

The following CVEs have undergone a major revision increment:

* CVE-2010-3190

Revision Information:
=====================

- CVE-2010-3190 | MFC Insecure Library Loading Vulnerability
-...

Microsoft Security Update Minor Revisions Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 9, 2018
********************************************************************

Summary
=======

The following CVE has undergone a minor revision increment:

* CVE-2018-8531

Revision Information:
=====================

- CVE-2018-8531 | Azure IoT Device Client SDK Memory Corruption
Vulnerability
-...

Microsoft Security Update Releases Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 9, 2018
********************************************************************

Summary
=======

The following CVE been added to the October 2018 Security updates:

* CVE-2018-8292

Revision Information:
=====================

- CVE-2018-8292 | .NET Core Information Disclosure Vulnerability
-...

Microsoft Security Update Releases Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 9, 2018
********************************************************************

Summary
=======

The following bulletin has undergone a major revision increment:

* MS11-025

Revision Information:
=====================

- https://docs.microsoft.com/en-us/security-updates/
SecurityBulletins/2011/ms11-025:...

Microsoft Security Update Summary for October 9, 2018 Microsoft (Oct 09)
********************************************************************
Microsoft Security Update Summary for October 9, 2018
Issued: October 9, 2018
********************************************************************

This summary lists security updates released for October 9, 2018.

Complete information for the October 2018 security update release can
Be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>.

Please note the...

Microsoft Security Update Releases Microsoft (Oct 02)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 2, 2018
********************************************************************

Summary
=======

The following CVE has undergone a major revision increment:

* CVE-2018-0952

Revision Information:
=====================

- CVE-2018-0952 | Diagnostic Hub Standard Collector Elevation of
Privilege Vulnerability
-...

Microsoft Security Advisory Notification Microsoft (Sep 12)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 12, 2018
********************************************************************

Security Advisories Released or Updated on September 12, 2018
===================================================================

* Microsoft Security Advisory ADV180022

- Title: Windows Denial of Service Vulnerability
-...

Microsoft Security Update Minor Revisions Microsoft (Sep 12)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: September 12, 2018
********************************************************************

Summary
=======

The following CVEs have undergone a minor revision increment:

* CVE-2018-8421
* CVE-2018-8468

Revision Information:
=====================

- CVE-2018-8421 | .NET Framework Remote Code Execution
Vulnerability...

Microsoft Security Update Summary for September 11, 2018 Microsoft (Sep 11)
********************************************************************
Microsoft Security Update Summary for September 11, 2018
Issued: September 11, 2018
********************************************************************

This summary lists security updates released for September 11, 2018.

Complete information for the September 2018 security update release can
Be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>....

Microsoft Security Update Releases Microsoft (Sep 11)
********************************************************************
Title: Microsoft Security Update Releases
Issued: September 11, 2018
********************************************************************

Summary
=======

The following CVE has undergone a major revision increment:

* CVE-2018-8154

Revision Information:
=====================

- CVE-2018-8154 | Microsoft Exchange Memory Corruption
Vulnerability
-...

Microsoft Security Advisory Notification Microsoft (Sep 11)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 11, 2018
********************************************************************

Security Advisories Released or Updated on September 11, 2018
===================================================================

* Microsoft Security Advisory ADV180002

- Title: Guidance to mitigate speculative execution...

Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community

Verizon: 1.5M of Contact Records Stolen, Now on Sale Jeffrey Walton (Mar 26)
http://www.mobipicker.com/verizon-1-5m-contact-records-stolen-now-sale/:

A business to business telecommunication giant,
Verizon Enterprise Solutions, a Basking Ridge,
New Jersey-based company, has been the latest
victim of a cyber crime that stole 1.5 million contact
records of the customers of Verizon...

I don't quite understand this double talk. Could someone explain to me:

A spokesperson from Verizon said that...

Statement on Lavabit Citation in Apple Case Jeffrey Walton (Mar 16)
(From John Young on another list):
http://www.facebook.com/KingLadar/posts/10156714933135038

As many of you already know, the government cited the Lavabit case in
a footnote. The problem is their description insinuates a precedent
that was never created. Obviously I was somewhat disturbed by their
misrepresentation. So I decided to draft a statement. And keep in
mind, these are the same people who say "trust us." Click continue to
read...

The NSA's back door has given every US secret to our enemies Jeffrey Walton (Feb 29)
http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2

Deng Xiaoping, in 1979 - his second year as supreme leader of China -
perceived a fundamental truth that has yet to be fully grasped by most
Western leaders: Software, if properly weaponized, could be far more
destructive than any nuclear arsenal.

Under Deng’s leadership, China began one of the most ambitious and
sophisticated meta- software...

Can Spies Break Apple Crypto? Jeffrey Walton (Feb 27)
Here's an interesting exchange between Cryptome and Michael Froomkin,
Law Professor at University of Miami, on the All Writs Act
(http://cryptome.org/2016/02/can-spies-break-apple-crypto.htm):

-----

A. Michael Froomkin:

The factual posture in the key Supreme Court precedent, New York
Telephone, involved a situation where only the subject of the order
was capable of providing the assistance at issue. This is the basis
for Apple's...

The FBI's iPhone Problem: Tactical vs. Strategic Thinking Jeffrey Walton (Feb 23)
http://www.technewsworld.com/story/83130.html

I'm an ex-sheriff, and I've been in and out of security jobs for much
of my life, so I've got some familiarity with the issues underlying
the drama between the FBI and Apple. FBI officials -- and likely those
in every other three-letter agency and their counterparts all over the
world -- would like an easier way to do their jobs. Wouldn't we all?

If they could put cameras in...

Wanted: Cryptography Products for Worldwide Survey Jeffrey Walton (Jan 01)
(http://www.schneier.com/crypto-gram/archives/2015/1215.html):

In 1999, Lance Hoffman, David Balenson, and others published a survey
of non-US cryptographic products. The point of the survey was to
illustrate that there was a robust international market in these
products, and that US-only export restrictions on strong encryption
did nothing to prevent its adoption and everything to disadvantage US
corporations. This was an important contribution...

CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.

Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community

Trovent Security Advisory 2103-01 / Authenticated SQL injection in ERPNext 13.0.0/12.18.0 Stefan Pietsch (May 11)
# Trovent Security Advisory 2103-01 #
#####################################

Authenticated SQL injection in ERPNext 13.0.0/12.18.0
#####################################################

Overview
########

Advisory ID: TRSA-2103-01
Advisory version: 1.0
Advisory status: Public
Advisory URL: https://trovent.io/security-advisory-2103-01
Affected product: ERPNext
Tested versions: 12.18.0 and 13.0.0 beta
Vendor: Frappé Technologies https://frappe.io...

Re: [CVE-2020-28018] Use-After-Free on Exim Question Solar Designer (May 11)
Hi,

Replying as a list moderator:

Yes, this is in scope. So if anyone (not only the Qualys researchers)
wants to reply for real, please feel free.

Alexander

[CVE-2020-28018] Use-After-Free on Exim Question null p0int3r (May 11)
Hi,

I have a question to the Qualys researchers that discovered and
successfully achieved RCE on CVE-2020-28018 (Use-After-Free vulnerability
on tls-openssl.c).

This question is nor avisory related nor vulnerability discovery but about
exploitation, so I am not sure if it is on the scope of this mailing list.

I am developing a Proof-of-Concept exploit for the previously mentioned bug.

I know once you reach tls_write() again, the UAF is lost...

CVE-2021-23134: Linux kernel: UAF in nfc sockets Nadav Markus (May 11)
Hello,

This is an announcement about CVE-2021-23134. This is a vulnerability
in the linux kernel that we found in the implementation of nfc sockets
(in net/nfc/llcp_sock.c). This can lead to kernel privilege escalation
from the context of an unprivileged user.

The patch can be found here:
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=c61760e6940d

=*=*=*=*=*=*=*=*= VULNERABILITY DETAILS =*=*=*=*=*=*=*=*=
All of the...

Re: Code execution through Thunar Gabriel Corona (May 10)
Le 09/05/2021 à 21:38, Gabriel Corona a écrit :

This is CVE-2021-32563.

Gabriel

CVE-2021-32399 Linux device detach race condition Lin Horse (May 10)
Hello there,

Our team (BlockSec) found a race-condition vulnerability resides in
the kernel BlueTooth subsystem, which can lead to UAF of slab objects.
At worst, this bug can be exploited to get code execution for
escalating local privilege.

=*=*=*=*=*=*=*=*= BUG DETAILS =*=*=*=*=*=*=*=*=

The race occurs between issuing a command to the BlueTooth controller
and unregistering the BlueTooth controller. For example, thread-A is
issuing a...

[Kubernetes] CVE-2021-25736: Windows kube-proxy LoadBalancer contention Swamy Shivaganga Nagaraju (May 10)
Hello,

A security issue was discovered in the Windows version of kube-proxy where a process on a Node may be able to accept
traffic intended for a LoadBalancer Service. Clusters without Windows nodes are unaffected.

This issue has been rated Medium
(CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N>)),
and assigned CVE-2021-25736.

Kube-proxy on Windows...

Re: [CVE-2021-22204] ExifTool - Arbitrary code execution in the DjVu module when parsing a malicious image Jakub Wilk (May 10)
* William Bowling <will () wbowling info>, 2021-05-09, 14:32:

Using eval() to parse C-like strings is undoubtedly a terrible idea, but
the code does attempt to neutralize the input, and it wasn't immediately
obvious to me where the bug is. It turns out the way it determines where
the string ends is incorrect:

# we're good unless quote was escaped by odd number of backslashes
last unless $tok =~ /(\\+)$/ and length($1)...

Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets Alex Murray (May 10)
No worries - thanks for pointing out the new commit otherwise I wouldn't
have gone investigating to find the revert ;)

Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets Alex Murray (May 10)
It seems b166a20b07382b8bc1dcee2a448715c9c2c81b5b got reverted in the
follow-up commit
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/sctp/socket.c?id=01bfe5e8e428b475982a98a46cca5755726f3f7f
and so 34e5b01186858b36c4d7c87e1a025071e8e2401f would appear to be the
most correct fix from what I can tell.

Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets Salvatore Bonaccorso (May 09)
Hi Alex,

Ah right, I missed the revert of the original commit.

Thanks for pointing that to me.

Regards,
Salvatore

Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets Salvatore Bonaccorso (May 09)
Hi,

It looks that additionally
https://git.kernel.org/linus/34e5b01186858b36c4d7c87e1a025071e8e2401f
refer to CVE-2021-23133.

Are both commits necessary?

Regards,
Salvatore

Code execution through Thunar Gabriel Corona (May 09)
When called with a regular file as command line argument, Thunar
would delegate to some other program without user confirmation
based on the file type. This could be exploited to trigger code
execution in a chain of vulnerabilities.

This is fixed in 4.16.7 and 4.17.2. When called with a regular
file, Thunar now opens the containing directory and selects the
file.

A CVE ID has been requested.

Reference:...

[CVE-2021-22204] ExifTool - Arbitrary code execution in the DjVu module when parsing a malicious image William Bowling (May 09)
ExifTool 7.44 to 12.23 has a bug in the DjVu module which allows for
arbitrary code execution when parsing malicious images. The bug can be
triggered from a wide variety of valid file formats.

The bug has been fixed in version 12.24.

References:

Fixed release - https://exiftool.org/history.html#v12.24
Upstream patch -...

Re: Linux kernel: f2fs: out-of-bounds memory access bug butt3rflyh4ck (May 08)
Hi, RedHat has assigned CVE-2021-3506 to this issue.

Regards,
butt3rflyh4ck.

Educause Security Discussion — Securing networks and computers in an academic environment.

New QuickPoll on the cybersecurity workforce Brian Kelly (May 10)
We just opened a new QuickPoll on the cybersecurity workforce.
I hope you’ll participate and encourage cybersecurity professionals in your organization to participate as well.

Here’s the link to the poll: https://survey.alchemer.com/s3/6332298/EDUCAUSE-QuickPoll-Cybersecurity-Workforce

Poll closes tomorrow (5/11) end of day…

We’ll publish the results on Friday.
Thanks so much for your help!

Best,

Brian Kelly, CISSP, CISM, CEH...

Re: SECURITY Digest - 7 May 2021 to 9 May 2021 (#2021-99) Jesse F Moore (May 10)
Hi Emilie,
I have heard of others using this product: https://www.policypak.com/policies/least-privilege-manager/ (allows a
setting for Admin use for a period then removes access automagically)

What I have seen others using are such things as CyberArk (https://www.cyberark.com/) or Thycotics Secret Server
(https://thycotic.com/products/secret-server/) to provide a time based (and reporting) access to accounts and when the
time is up no more...

Re: Local Admin Access Clark Gaylord (May 09)
apply:

All users have a separate local admin account on their computer and are
shown how to use "RunAs/secondary login"; admin rights are removed from the
user's normal account. This latter policy is exempted in very rare cases
where applications require it (it happens but it's rare; sometimes custom
filesystem permissions etc can avoid it).

This policy began applied to portable systems only, several years ago.
After a few...

Re: Local Admin Access Madl, Michael (May 09)
Emilie,

The majority of users @ IWU do not have admin access. The MAC users [special group] tend to fight over having this
access and the success rate for restriction is 50/50. We are slowly working towards compliance. The key is
establishing university policy that is signed off by our Executive council. Without that, any policy/initiative tends
to have zero teeth. Explaining the security benefits sometimes falls on deaf ears when it...

Naviga Book Anyone? Looking to integrate Bluefin P2PE for MOTO transactions Gramke, Jim (May 07)
Hi All,

Is anybody out there using Naviga Book in your publishing house? If so, are you taking MOTO transactions with a PC
or thin client, but would rather be using a P2PE compliant solution to simplify PCI compliance?

We are trying to convince Naviga to integrate with the Bluefin P2PE solutions. Naviga claims to have many higher ed
customers, but that only 2 of them are asking for this, so it's hard for them to see this as a high...

Re: Job Opportunity - University of Illinois - Identity and Access Management Barnes, Joe (May 05)
Good morning,

Please be aware the job posting below has been extended. It now closes May 12, 2021. If you are interested or know
of anyone please pass along.

Have a great day!

Joe

From: Barnes, Joe
Sent: Monday, April 26, 2021 8:46 AM
To: security () listserv educause edu
Subject: Job Opportunity - University of Illinois - Identity and Access Management

Good morning,

We have multiple openings for Identity and Access Management...

Security still Matters Brian Kelly (May 05)
Our Security Matters blog has morphed into Cybersecurity & Privacy Channels featuring topics related to Information
Security, Privacy, Data
Protection, Governance, Compliance, and Risk in higher education.

Take a look -
https://er.educause.edu/channels/cybersecurity-privacy

Get published - Publish your insights and advice for your information security and privacy peers.
Submit your work here -...

Re: Firewall Changes through Change Management Kimmitt, Jonathan (May 04)
Thank you everyone for the responses... they have been extremely helpful!

-Jonathan

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kimmitt, Jonathan
Sent: Tuesday, May 4, 2021 9:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Firewall Changes through Change Management

Hi all,

We are in discussions of how to include border firewall changes in the change management...

Re: Firewall Changes through Change Management King, Ronald A. (May 04)
We have voted minor firewall updates as routine changes. Updates that have changes to behavior have to be reviewed and
approved by the Change Advisory Board (CAB). Policy/rule changes are done as needed, but, we review the changes monthly.

Ronald King
Director of OIT Security

With Office 365, you can report a message as phishing or junk. Using Outlook in a web browser or the mobile Outlook
app, start by clicking/tapping "Junk/Report...

Re: Firewall Changes through Change Management Bryan McClenahan (May 04)
We have border firewall changes follow our change management process.

It lets customers know when their changes will be made, and it protects the employees performing the changes on the off
chance something goes wrong during the change causing any outage.

-b

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the
person who sent the message, copy and paste their email...

Re: Firewall Changes through Change Management Mattehew Prescott (May 04)
So if the change might cause disruption then we schedule it for maintenance
times eg, firmware updates, routing changes, reboots even with our HA
setup. If I am just adding a rule or changing a rule then I just do it when
asked. Sometimes I will create a change ticket for informational purposes.
So if I add a bandwidth shaping rule, it doesn't disrupt traffic but the
help desk might get calls about slow traffic. So this informs them of a...

Re: Firewall Changes through Change Management Francisco Chavez (May 04)
Routine and low risk firewall changes are also considered a standard change in our environment as well. We also use a
standard change template to make it easier for our infrastructure group to submit one quickly. We review changes during
our all hands meetings twice a week. The changes that require communication to the community are sent over to our
communications group for review once a week.

Sincerely,
Francisco Chavez

Re: Firewall Changes through Change Management Menne, Michael S (May 04)
Change Management is mostly a communication and documentation function for us. It’s an advisory body and not
necessarily an approval body.

We have Emergency, Informational, Normal, and Standard Changes. Changes that are performed frequently with known risks
(usually low risk) and outcomes can be processed as Standard changes. Standard changes for us require no approval by
the CAB and can be performed with a 24 hour notice. Standard...

Firewall Changes through Change Management Kimmitt, Jonathan (May 04)
Hi all,

We are in discussions of how to include border firewall changes in the change management process.....

Whether to require change management for any rule changes, and conduct during our weekly maintenance windows..... or
open it up and allow changes anytime during the week as is requested by Networking/Systems....

I was curious to how other .edu's do it in their environments?

-Jonathan

~
Jonathan Kimmitt
CISSP, FIP, CDPSE,...

Re: Opportunity for HBCU's and MSI's to participate in 2021 Four Nations Cybersecurity Virtual Study Tour Starzynski Coddens, Amy Catherine (May 04)
Good Morning,

If any of you are interested in attending but did not qualify under Brian’s invitation, the REN-ISAC still has
invitations available for institutions who have implemented IAM or are currently implementing IAM. Please let me know
if you are interested in a spot – this starts next week and is looking to be a very rich and rewarding experience.

Happy to chat further about the intiative!

Amy

Amy Starzynski Coddens

Strategic...

Internet Issues and Infrastructure

NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.

Re: Juniper hardware recommendation Mark Tinka (May 10)
Ah, makes sense in that case, then.

Mark.

Re: RADb Jay R. Ashworth (May 10)
----- Original Message -----

And Jeremy Chadwick pronounces it back up now. :-)

Thanks for the plug, Stephane. :-)

Cheers,
-- jra

juniper qfx5120-ym - curvature - infinera optic issues JASON BOTHE via NANOG (May 10)
NANOG Fam

This is a rather interesting issue to see if anyone has ran across this with a Curvature branded 10 or 100G LR optic in
a Juniper QFX facing an Infinera wave.

What we’ve noticed is migrating from MX 204 to a new QFX 5120-YM that has an Infinera as the handoff, the circuit just
bounces constantly. Disabling ALS will steady the light but the interface will continue to bounce.

What does work is migrating an interface that happens...

RE: Juniper hardware recommendation aaron1 (May 10)
Thanks Mark. We have a ring of MX960’s currently and wanted to spare the parts with each other, between the 960’s and
240’s…. scb’s, re’s, mpc’s…

-Aaron

Register Now for NANOG 82 Nanog News (May 10)
“Father of the Internet” Vinton Cerf joins Keynote Virtual StageWe are
honored to welcome one of the widely known “fathers of the Internet,” Vinton
G. Cerf <https://internethalloffame.org/inductees/vint-cerf> to the NANOG
82 virtual stage as a Keynote speaker!

The legendary and multi award-winning Cerf will present: *The Evolution of
the Interplanetary Internet.* There will also be a live Q + A session
following the presentation....

Register Now for NANOG 82 Virtual NANOG News (May 10)
“Father of the Internet” Vinton Cerf joins Keynote Virtual Stage
We are honored to welcome one of the widely known “fathers of the
Internet,” Vinton G. Cerf to the NANOG 82 virtual stage as a Keynote
speaker!

The legendary and multi award-winning Cerf will present: The Evolution of
the Interplanetary Internet. There will also be a live Q + A session
following the presentation. This is one not to miss!

Learn More...

Re: Juniper hardware recommendation Baldur Norddahl (May 10)
man. 10. maj 2021 16.20 skrev <aaron1 () gvtc com>:

It is my understanding that acx5448 is much more capable than the older
acx5048. It will definitely do both l2vpn and l3vpn on mpls (what we use
acx5448 / acx710 for).

The main limitation is that it will not do full dfz table and not more
exotic stuff like subscriber management.

Regards

Baldur

Re: Juniper hardware recommendation Mark Tinka (May 10)
Trio will always provide better features, but come with the price tag to
boot.

You might want to look at the MX10003, in that case, as well. We are
deploying those for 100Gbps service (customer-facing). Works out cheaper
than offering 100Gbps service on the MX240/480/960 for the same task.

Mark.

RE: Juniper hardware recommendation aaron1 (May 10)
I prefer MX204 over the ACX5048. The ACX5048 can’t add L3 interface to an mpls layer 2 type of service. There are
other limitations to the ACX5048 that cause me to want to possibly replace them with MX204’s. But in defense of the
ACX5048, we have gotten some good mileage (a few years now) of good resi/busi bb over vrf’s and also carrier ethernet
for businesses and lots of cell backhaul… so they are good for that. I’ve heard the...

T-Mobile RF Engineer Contact Matt Hoppes (May 10)
Hello,
Could someone in the T-Mobile RF Engineering Department with information
on the Williamsport, PA MSA contact me offlist?

Re: DNSSEC Best Practices Peter van Dijk (May 10)
This appears to be a frequent source of confusion.

In '14 4', '14' is the DNSSEC signing algorithm ECDSAP384SHA384 [1]. '4' is the DS digest algorithm SHA384 [2].

Then, '14 2', is still the DNSSEC signing algorithm ECDSAP384SHA384, and '2' is the DS digest algorithm SHA256.

The DNSSEC signing algorithm is used to sign the zone's content. The DS digest algorithm is what the parent zone uses...

Spoofer Report for NANOG for Apr 2021 CAIDA Spoofer Project (May 10)
In response to feedback from operational security communities,
CAIDA's source address validation measurement project
(https://spoofer.caida.org) is automatically generating monthly
reports of ASes originating prefixes in BGP for systems from which
we received packets with a spoofed source address.
We are publishing these reports to network and security operations
lists in order to ensure this information reaches operational
contacts in these...

Re: RADb Stephane Bortzmeyer (May 10)
On Mon, May 10, 2021 at 09:25:36AM +0200,
Marco Paesani <marco () paesani it> wrote
a message of 51 lines which said:

Note that it is discussed on the outages mailing list. No specific
news, just that it is down.

RADb Marco Paesani (May 10)
Hi Guys,
do you have news about the issue on RADb ?
Please let me know, thank you.

Kind regards,

-----

Marco Paesani

Skype: mpaesani
Mobile: +39 348 6019349
Success depends on the right choice !
Email: marco () paesani it

Re: Juniper hardware recommendation Mark Tinka (May 09)
For the number of units we'd need to deploy, it doesn't make sense for us.

Easier to buy a UPS than try to convert AC to DC.

Yeah - I stopped messing around with DC for routers, switches and
servers in 2007. Not going back to those days.

3 simple pins and a wall plug is all I need.

Mark.

The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.

Risks Digest 32.65 RISKS List Owner (May 09)
RISKS-LIST: Risks-Forum Digest Sunday 9 May 2021 Volume 32 : Issue 65

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.65>
The current issue can also be found at
<...

Risks Digest 32.64 RISKS List Owner (May 04)
RISKS-LIST: Risks-Forum Digest Tuesday 4 May 2021 Volume 32 : Issue 64

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.64>
The current issue can also be found at
<...

(no subject) RISKS List Owner (May 04)

Risks Digest 32.63 RISKS List Owner (Apr 30)
RISKS-LIST: Risks-Forum Digest Friday 30 April 2021 Volume 32 : Issue 63

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.63>
The current issue can also be found at
<...

Risks Digest 32.62 RISKS List Owner (Apr 25)
RISKS-LIST: Risks-Forum Digest Sunday 25 April 2021 Volume 32 : Issue 62

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.62>
The current issue can also be found at
<...

Risks Digest 32.61 RISKS List Owner (Apr 23)
RISKS-LIST: Risks-Forum Digest Friday 23 April 2021 Volume 32 : Issue 61

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.61>
The current issue can also be found at
<...

Risks Digest 32.60 RISKS List Owner (Apr 17)
RISKS-LIST: Risks-Forum Digest Saturday 17 April 2021 Volume 32 : Issue 60

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.60>
The current issue can also be found at
<...

Risks Digest 32.59 RISKS List Owner (Apr 04)
RISKS-LIST: Risks-Forum Digest Sunday 4 April 2021 Volume 32 : Issue 59

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.59>
The current issue can also be found at
<...

Risks Digest 32.58 RISKS List Owner (Apr 01)
RISKS-LIST: Risks-Forum Digest Thursday 1 April 2021 Volume 32 : Issue 58

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.58>
The current issue can also be found at
<...

Risks Digest 32.57 RISKS List Owner (Mar 23)
RISKS-LIST: Risks-Forum Digest Tuesday 23 March 2021 Volume 32 : Issue 57

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.57>
The current issue can also be found at
<...

Risks Digest 32.56 RISKS List Owner (Mar 19)
RISKS-LIST: Risks-Forum Digest Friday 19 March 2021 Volume 32 : Issue 56

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.56>
The current issue can also be found at
<...

Risks Digest 32.55 RISKS List Owner (Mar 16)
RISKS-LIST: Risks-Forum Digest Tuesday March 2021 Volume 32 : Issue 55

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.55>
The current issue can also be found at
<...

Risks Digest 32.54 RISKS List Owner (Mar 13)
RISKS-LIST: Risks-Forum Digest Saturday 13 March 2021 Volume 32 : Issue 54

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.54>
The current issue can also be found at
<...

Risks Digest 32.53 RISKS List Owner (Mar 12)
RISKS-LIST: Risks-Forum Digest Friday 12 February 2021 Volume 32 : Issue 53

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.53>
The current issue can also be found at
<...

Risks Digest 32.52 RISKS List Owner (Mar 06)
RISKS-LIST: Risks-Forum Digest Saturday 6 March 2021 Volume 32 : Issue 52

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.52>
The current issue can also be found at
<...

BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.

Open Source Tool Development

Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.

Issue notifications Ivan Nardi (May 10)
Hi
Recently, I haven't been able to enable notifications for the gitlab
issues I am interested in: I can't toggle the "Notifications" button
(it seems disabled; see attachment)
Until some weeks ago I was able to do that.

Something wrong in my environment or is this new behavior the expected one?

Thanks in advance
Ivan

Remote Developer Den, May 2021 Gerald Combs (May 06)
Hi everyone,

I've scheduled the next remote Developer Den for Wednesday, May 19. This is remote version of the Developer Den at
SharkFest, a room that we set aside for office hours where everyone is welcome to stop in, say hello, ask questions,
etc.

The link below has a "join from browser" option, so it should be possible to connect without installing Zoom's client.

----

Gerald Combs is inviting you to a scheduled Zoom...

Code of conduct? Gerald Combs (May 04)
Hi all,

We've discussed adopting a code of conduct for Wireshark a few times over the years, most recently at
https://www.wireshark.org/lists/wireshark-dev/202008/msg00003.html. I think it would be beneficial for the project, and
toward that end I've created a question at https://ask.wireshark.org/question/22598 along with answers proposing three
CoCs that I think would work well for us. You're welcome to suggest a different...

Re: Problem with parsing NGAP UL Configuration Request Pascal Quantin (Apr 28)
Hi Dincer,

Le mer. 28 avr. 2021 à 17:07, Dincer Beken <dbeken () blackned de> a écrit :

Your TransportLayerAddress item has a length of 132 bits, which neither
match an IPv4 only address (32 bits), of 1Pv6 only address (128 bits) or an
IPv4 followed by an IPv6 address (160 bits). Thus wireshark does not try to
decode the payload of this unknown length. If you tried to encode an IPv4
and/or IPv6 address, then you have a bug.

Best...

Problem with parsing NGAP UL Configuration Request Dincer Beken (Apr 28)
Hello all,

I am trying to handle the 5G UL Ran configuration transfer message. I am encoding an XN TNL Information Item with
asn1c. All IEs and messages so far have worked well, but the Tunnel Information item does not work for me.
I cannot see the Tunnel Information elements (IPs.).

I am using wireshark version 3.40. I have attached the capture.

I am stuck on this and would appreciate any help. If anyone here is experienced with...

Re: How to disable QT_MULTIMEDIA_LIB during cmake Jirka Novak (Apr 28)
Hi Roland,

I see your merge request. So my task is to review it and make it
running with QT_MULTIMEDIA_LIB undefined, right? BTW it was my original
idea to do.

Best regards,

Jirka Novak

Re: How to disable QT_MULTIMEDIA_LIB during cmake Roland Knall (Apr 28)
A merge request has been generated for this:
https://gitlab.com/wireshark/wireshark/-/merge_requests/2849

cheers

Am Mi., 28. Apr. 2021 um 14:33 Uhr schrieb Roland Knall <rknall () gmail com>:

Re: How to disable QT_MULTIMEDIA_LIB during cmake Roland Knall (Apr 28)
I have created a change which handles the CMAKE stuff correctly (analog to
extcap & pcap, ...)

I would need some help from you Jirka for the RTP specifics.

kind regards
Roland

Am Mi., 28. Apr. 2021 um 14:01 Uhr schrieb John Thacker <
johnthacker () gmail com>:

Re: How to disable QT_MULTIMEDIA_LIB during cmake John Thacker (Apr 28)
In general some features can be disabled, see CMakeOptions.txt for a list,
but Qt Multimedia Lib cannot be disabled easily.

If you look at cmakeconfig.h.in:
<https://gitlab.com/wireshark/wireshark/-/blob/master/cmakeconfig.h.in#L320>

/* Define to the version of this package. */
#cmakedefine PACKAGE_VERSION

/* Define if we have QtMultimedia */
#define QT_MULTIMEDIA_LIB 1

/* Define if we have QtMacExtras */
#cmakedefine QT_MACEXTRAS_LIB 1...

Re: Having problem tracing multiple ip addresses Robert Blair (Apr 27)
** Reply to message from Hugo van der Kooij via Wireshark-users
<wireshark-users () wireshark org> on Mon, 26 Apr 2021 07:23:43 +0000

On another OS I have used IP tracing many times, on Ubuntu only two or three
times. After seeing the trace from wireshark I now have no clue what is going
on.

When I started with these IoT devices I had both of the routers WIFI interfaces
with the same SSID and password. This caused problems trying to...

Re: Status label for issues Uli Heilmeier (Apr 27)
Am 27.04.21 um 09:28 schrieb Guy Harris:

Yes, I'm aware of it. This is something I've already mentioned in my first mail. For this label only automation (bot)
makes sense. As long as there is no automation we will have a closed issue with a false state.

For the Gitlab API there is no difference between manually closed issued and issues marked as duplicate.
Both have the state closed. Marked as duplicate issues have a additional note...

Re: Status label for issues Guy Harris (Apr 27)
The last of those is, well, a duplicate of the "(duplicated)" in the status box at the top (if the close is done right,
by entering

/duplicate #{bug number}

into a comment and saving the comment).

Re: Status label for issues Uli Heilmeier (Apr 27)
I see your point.

We had this status field at Bugzilla and it worked sufficiently well (at least for dissector bugs).

At the moment it is very hard to see if someone has already had a look at an issue, if she/he was able to reproduce it,
if a sample capture is missing etc.

Regarding additional tooling I will have a closer look at triage-ops the next days.

Am 27.04.21 um 09:06 schrieb Roland Knall:

Re: Status label for issues Uli Heilmeier (Apr 27)
Am 27.04.21 um 09:06 schrieb Guy Harris:

Yes, you're totally right. os::windows, os::macos, os::linux and os::other should be enough.

Currently we have os::unix with the description "AIX, HP-UX, Solaris, and other Unices"

Re: Status label for issues Roland Knall (Apr 27)
It wasn't clear to me, that your list was the original list + new entries.

I have especially an issue with the new ws-status labels and their
transitions. Judging from a company, where we have about 50 developers
whose daily bread it is to transition properly in Jira, I cannot see an
open-source project with no additional tooling to properly transition
between e.g. unconfirmed => confirmed => in-progress.

That is my main concern.

Am...

Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.

Snort Subscriber Rules Update 2021-05-06 Research (May 06)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the file-java,
os-windows, policy-other, server-apache, server-iis and server-webapp
rule sets to provide coverage for emerging threats from these
technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2021-04-29 Research (Apr 29)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the browser-ie,
file-other and server-webapp rule sets to provide coverage for emerging
threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2021-04-27 Research (Apr 27)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the app-detect,
browser-ie, browser-other, exploit-kit, file-pdf, malware-cnc,
malware-other, policy-other and server-webapp rule sets to provide
coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:...

Snort Blog: 2.9.8.3 Shared Object end-of-life Joel Esler (jesler) via Snort-sigs (Apr 22)
https://blog.snort.org/2021/04/2983-shared-object-end-of-life.html

2.9.8.3 Shared Object end-of-life

Attention users of SNORTⓇ version 2.9.8.3: This serves as your official end-of-life notification. However, this EOL
notification is a bit unique.

We will be moving to an “end of life” for shared object rules for Snort version 2.9.8.3 in 90 days, (July 20, 2021).
After that, for an indeterminate amount of time after July 20, we will...

Snort Subscriber Rules Update 2021-04-22 Research (Apr 22)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the and server-other
rule sets to provide coverage for emerging threats from these
technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2021-04-21 Research (Apr 21)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the browser-chrome,
malware-cnc, policy-other, protocol-voip, server-apache and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Re: Fwd: question. Russ Combs (rucombs) via Snort-devel (Apr 20)
This should be posted to snort-users or snort-sigs. snort-devel is for bugs and related development work.

Russ

________________________________
From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of juan patricioo via Snort-devel <snort-devel ()
lists snort org>
Sent: Thursday, April 15, 2021 4:09 PM
To: snort-devel () lists snort org <snort-devel () lists snort org>
Subject: [Snort-devel] Fwd: question....

Snort Subscriber Rules Update 2021-04-20 Research (Apr 20)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the malware-cnc and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Fwd: question. juan patricioo via Snort-devel (Apr 19)
---------- Forwarded message ---------
De: juan patricioo <cursoredesinap9644 () gmail com>
Date: jue, 15 abr 2021 a las 21:59
Subject: question.
To: <snort-users () lists snort org>

Hello, im trying to do a rule in snort that can capture de text on a text
field in the next formulary:

http://cekb.unileon.es/formulario.html

[image: image.png]

Im trying:

*alert tcp any any -> any 80 (msg:"script text";...

Snort Subscriber Rules Update 2021-04-15 Research (Apr 15)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the browser-chrome,
file-pdf, indicator-obfuscation, malware-backdoor, malware-cnc and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2021-04-13 Research (Apr 13)
Talos Snort Subscriber Rules Update

Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2021-28310:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 57403 through 57404.

Microsoft Vulnerability...

Snort Blog: New "Snort 3 and me" webinar series launches on April 20 Joel Esler (jesler) via Snort-sigs (Apr 08)
We’re launching some webinars about the transition to Snort 3. They are totally free, and your information will not be
used for any marketing purposes.

Snort Subscriber Rules Update 2021-04-08 Research (Apr 08)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the browser-other and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2021-04-06 Research (Apr 06)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the and file-other rule
sets to provide coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2021-04-01 Research (Apr 01)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the browser-ie,
exploit-kit, indicator-obfuscation, indicator-shellcode, malware-cnc,
netbios, protocol-dns, protocol-voip, server-oracle and server-webapp
rule sets to provide coverage for emerging threats from these
technologies.

For a complete list of new and modified rules please...

More Lists

Related Resources

We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.