SecLists.Org Security Mailing List Archive

Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe to nmap-dev here.

• Current Quarter
• Archived Posts
• RSS Feed
• About List
• nmap-devLatest Posts

Re: Nmap PR #2909 Sinan Doğan (Oct 21)
thanks

Vahagn Vardanian via dev <dev () nmap org>, 17 Eyl 2024 Sal, 18:59 tarihinde
şunu yazdı:

Re: NSConnection Probe Harrison Neal (Oct 11)
Apologies, it looks like the probe suggestion was cut off now that I
re-read it.

Probe TCP NSConnection_rootProxy...

NSConnection Probe Harrison Neal (Oct 11)
Good day,

It appears that nmap doesn't currently recognize TCP-bound NSConnection (
https://developer.apple.com/documentation/foundation/nsconnection ).

Example server code:

NSConnection *a = [NSConnection connectionWithReceivePort:[[NSSocketPort
alloc] init] sendPort:nil];
[a setRootObject:[[NSObject alloc] init]];
[a runInNewThread];
[NSThread sleepForTimeInterval:300.0f];

Example client code:

NSLog(@"%@\n", [[NSConnection...

NSE scripts for SNMPv3? Johan Kuuse (Oct 03)
Hi, my first mail to this list,

I have used (and modified) quite a few NSE scripts for SNMP.
Anyhow, AFAIK, all SNMP scripts (except "snmp-info") are limited to SNMPv1
and SNMPv2c:

nmap --script-help=snmp* | grep -B3 -A1 -i v3
----------------------------------
snmp-info
Categories: default version safe
https://nmap.org/nsedoc/scripts/snmp-info.html
Extracts basic information from an SNMPv3 GET request. The same probe is
used
here...

Nmap PR #2909 Vahagn Vardanian via dev (Sep 17)
Hello there,
My name is Vahagn, and I am the co-founder and CTO of RedRays.
A few weeks ago, we created a pull request to Nmap Github to add a new
check for detecting the most popular information disclosure in SAP systems.

You can get list of SAp systems using this google dork: inurl:/irj/portal
Thank you

NPCAP 1.60 high CPU usage with pcap filter that does not pass anything (Win10) Vladimir Soldatov (Sep 17)
Hi guys,

I've a setup (Win10, Intel X520, NPCAP 1.60) with relatively high traffic
around 700 Mbit/s and I am trying to test the following cases:
1. Capture everything with empty pcap filter and just print stats with some
period calculating captured data size
2. Capture nothing with an intentionally created filter that does not match
the received traffic at all.
3. Capture some subset of traffic like 10%.

In all the cases, CPU usage...

[PATCH 1/1] Improved the legibility of `Makefile` Ariel Otilibili (Sep 17)
* source files obtained by a wildcard
* headers and objects generated by differences.

```
$ grep -P '(SRCS|HDRS|OBJS) =' Makefile.in | \
sed -e 's/^export.*= //g; s/\$.*//g; s/OBJS = //' | \
sed -ne '2p' | \
tr ' ' '\n' | \
sed -e 's/\.h//' | \
sort -d | \
grep -vP '^$' > headers

$ grep -P '(SRCS|HDRS|OBJS) =' Makefile.in | \
sed -e...

[PATCH 0/1] Improved the legibility of Makefile Ariel Otilibili (Sep 17)
Hello committers,

The same patch is on this PR: https://github.com/nmap/nmap/pull/2938

Have a good weekend,
Ariel

Ariel Otilibili (1):
Improved the legibility of `Makefile`

Makefile.in | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)

How to make a minimal HTTPS request with ncat --ssl with explicit HTTP content? Ciro Santilli OurBigBook via dev (Sep 17)
Hello, I was trying for fun to make an HTTPS request with explicit hand-written HTTP content.

Something analogous to:

printf 'GET / HTTP/1.1\r\nHost: example.com\r\n\r\n' | ncat example.com 80

but for HTTPS. After Googling one of the tools that I found that seemed it might do the job was ncat from the nmap
project, so I tried:

printf 'GET / HTTP/1.1\r\nHost: example.com\r\n\r\n' | ncat --ssl example.com 443

an that works...

[PATCH 1/1] Updated ALPN IDs Ariel Otilibili (Sep 15)
```
$ URL=https://www.iana.org/assignments/tls-extensiontype-values/alpn-protocol-ids.csv
$ curl -sL ${URL} |
perl -nE 'say $& if /(?<=\"\").*(?=\"\")/' |
sort > iana;
< scripts/tls-alpn.nse perl -nE 'say $& if m!(?<=")[\w/\.\-]+(?=",)!' |
sort > nmap.alpn;
diff iana nmap.alpn | grep '<'

< co
< postgresql

$ curl --silent ${URL} --output...

[PATCH 0/1] Updated ALPN IDs (Mon, 26 Aug 2024 17:55:25 GMT) Ariel Otilibili (Sep 15)
Hello,

Herewith the PR containing this patch: https://github.com/nmap/nmap/pull/2939

Have a good week,
Ariel

Ariel Otilibili (1):
Updated ALPN IDs

scripts/tls-alpn.nse | 2 ++
1 file changed, 2 insertions(+)

npcap accuracy Dupuit, Cyril via dev (Sep 04)
Hello,
I posted a comment to pcap_sendqueue_transmit() accuracy * Issue #750 * nmap/npcap
(github.com)<https://github.com/nmap/npcap/issues/750> concerning npcap accuracy.
I did some tests with a modified version of NPF_BufferedWrite() to check accuracy by using a Profitap (hardware
timestamp).
I tried to propose a modification on npcap project without success.

How can I propose a change to the project ?

Best regards,
Cyril...

Increase service probes max line length Reece (Jul 07)
I created a PR on github to increase the probe line length, we created a
custom probe for our own purposes to detect quic based on a tcpdump packet,
but it's quite long so went over the line length, this, the PR increases
the line length and adds a nicer error if you hit the max:

https://github.com/nmap/nmap/pull/2803

Currently we are applying it as a patch in our build infra but would be
great to get it upstream.

Note: this became an...

Automatic protocol selection? Roy Sigurd Karlsbakk (Jul 06)
Hi all

Sometimes I use nmap in my scripts and since I'm in a mixed environment, where most of the hosts are dual protocol, not
all are, and some are only on IPv4 or IPv6, depending on the type of equipment and their function. Most other software,
will just default to a single protocol, typically IPv6, and then fall back to the other if the first fails. At first I
thought using the -6 flag would do so (as it says 'Enable IPv6...

Fix ndiff.bat issue on Windows georges.zwing (Jul 04)
Hi,

I created this PR <https://github.com/nmap/nmap/pull/2865> to fix this
issue <https://github.com/nmap/nmap/issues/2733> running ndiff.bat on
Windows. It also removes the requirement to have Python installed separately
from Zenmap.

But I don't see the Travis CI build tests mentioned in
https://github.com/nmap/nmap/blob/master/CONTRIBUTING.md in the PR. Should I
look somewhere else?

Regards,

Georges

Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe to stay informed.

• Current Year
• Archived Posts
• RSS Feed
• About List
• nmap-announceLatest Posts

Nmap 7.95 released: OS and service detection signatures galore! Gordon Fyodor Lyon (May 05)
Dear Nmap Community,

I just arrived in San Francisco for the RSA conference and am delighted to
announce our Nmap Version 7.95 release! I'm most excited that we finally
tackled our backlog of OS and service detection fingerprint submissions.
We're not talking about dozens or hundreds of them-we processed more than
6,500 fingerprints!

For OS detection, we added 336 signatures, bringing the new total to 6,036.
Additions include iOS 15...

Npcap Celebrates its 10th Anniversary In Space! Gordon Fyodor Lyon (Oct 05)
Dear Nmap community,

Last month we celebrated Nmap's 26th birthday and today I'm happy to share
another big milestone: Our Npcap driver for capturing and sending raw
packets on Windows turned 10 this year! From humble beginnings as a
security and modernization patch for the discontinued WinPcap project,
Npcap has become an indispensable component for both Nmap and Wireshark.
And it's used by hundreds of other software products and...

Nmap 26th Birthday Announcement: Version 7.94 Gordon Fyodor Lyon (Sep 01)
Dear Nmap community,

Today is Nmap’s 26th birthday, which reminded me that I hadn’t yet
announced our Nmap 7.94 release from May. And it’s a great one! The biggest
improvement was the Zenmap and Ndiff upgrades from the obsolete Python 2
language to Python 3 on all platforms. Big thanks to Daniel Miller, Jakub
Kulík, Brian Quigley, Sam James, Eli Schwartz, Romain Leonard, Varunram
Ganesh, Pavel Zhukov, Carey Balboa, and Hasan Aliyev for...

Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

• Current Month
• Archived Posts
• RSS Feed
• About List
• fulldisclosureLatest Posts

SEC Consult SA-20241015-0 :: Multiple Vulnerabilities in Rittal IoT Interface & CMC III Processing Unit (CVE-2024-47943, CVE-2024-47944, CVE-2024-47945) SEC Consult Vulnerability Lab via Fulldisclosure (Oct 20)
No message preview for long message of 359314 bytes.

CVE-2024-48939: Unauthorized enabling of API in Paxton Net2 software Jeroen Hermans via Fulldisclosure (Oct 20)
CloudAware Security Advisory

CVE-2024-48939: Unauthorized enabling of API in Paxton Net2 software

========================================================================
Summary
========================================================================
Bypass of Paxton Net2 API license. Possible leaking of PII and access to
admin functionality.
No physical access to computer running Paxton Net2 is required....

SEC Consult SA-20241009-0 :: Local Privilege Escalation via MSI installer in Palo Alto Networks GlobalProtect (CVE-2024-9473) SEC Consult Vulnerability Lab via Fulldisclosure (Oct 09)
<<< image/webp; name="cmd.webp": Unrecognized >>>

APPLE-SA-10-03-2024-1 iOS 18.0.1 and iPadOS 18.0.1 Apple Product Security via Fulldisclosure (Oct 07)
APPLE-SA-10-03-2024-1 iOS 18.0.1 and iPadOS 18.0.1

iOS 18.0.1 and iPadOS 18.0.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121373.

Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.

Media Session
Available for: iPhone 16 (all models)
Impact: Audio messages in Messages may be able to...

Some SIM / USIM card security (and ecosystem) info Security Explorations (Oct 04)
Hello All,

Those interested in SIM / USIM card security might find some
information at our spin-off project page dedicated to the topic
potentially useful:

https://security-explorations.com/sim-usim-cards.html

We share there some information based on the experiences gained in the
SIM / USIM card security space, all in a hope this leads to the
increase of public awareness on the topic, change perspective on the
SIM / USIM card industry and...

SEC Consult SA-20240930-0 :: Local Privilege Escalation via MSI Installer in Nitro PDF Pro (CVE-2024-35288) SEC Consult Vulnerability Lab via Fulldisclosure (Sep 30)
<<< application/pkcs7-signature; name="smime.p7s": Unrecognized >>>

Backdoor.Win32.Benju.a / Unauthenticated Remote Command Execution malvuln (Sep 28)
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/88922242e8805bfbc5981e55fdfadd71.txt
Contact: malvuln13 () gmail com
Media: x.com/malvuln

Threat: Backdoor.Win32.Benju.a
Vulnerability: Unauthenticated Remote Command Execution
Family: Benju
Type: PE32
MD5: 88922242e8805bfbc5981e55fdfadd71
SHA256: 7d34804173e09d0f378dfc8c9212fe77ff51f08c9d0b73d00a19b7045ddc1f0e
Vuln ID: MVID-2024-0700...

Backdoor.Win32.Prorat.jz / Remote Stack Buffer Overflow (SEH) malvuln (Sep 28)
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/277f9a4db328476300c4da5f680902ea.txt
Contact: malvuln13 () gmail com
Media: x.com/malvuln

Threat: Backdoor.Win32.Prorat.jz
Vulnerability: Remote Stack Buffer Overflow (SEH)
Description: The RAT listens on TCP ports 51100,5112,5110 and runs an
FTP service. Prorat uses a vulnerable component in a secondary malware
it drops on the victim...

Backdoor.Win32.Amatu.a / Remote Arbitrary File Write (RCE) malvuln (Sep 28)
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/1e2d0b90ffc23e00b743c41064bdcc6b.txt
Contact: malvuln13 () gmail com
Media: x.com/malvuln

Threat: Backdoor.Win32.Amatu.a
Vulnerability: Remote Arbitrary File Write (RCE)
Family: Amatu
Type: PE32
MD5: 1e2d0b90ffc23e00b743c41064bdcc6b
SHA256: 77fff9931013ab4de6d4be66ca4fda47be37b6f706a7062430ee8133c7521297
Vuln ID: MVID-2024-0698
Dropped...

Backdoor.Win32.Agent.pw / Remote Stack Buffer Overflow (SEH) malvuln (Sep 28)
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/68dd7df213674e096d6ee255a7b90088.txt
Contact: malvuln13 () gmail com
Media: x.com/malvuln

Threat: Backdoor.Win32.Agent.pw
Vulnerability: Remote Stack Buffer Overflow (SEH)
Description: The malware listens on TCP port 21111. Third-party
attackers who can reach an infected machine can send specially crafted
sequential packetz triggering a...

Backdoor.Win32.Boiling / Remote Command Execution malvuln (Sep 28)
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/80cb490e5d3c4205434850eff6ef5f8f.txt
Contact: malvuln13 () gmail com
Media: x.com/malvuln

Threat: Backdoor.Win32.Boiling
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on TCP port 4369. Third party
adversaries who can reach an infected host, can issue single OS
commands to takeover the system...

Defense in depth -- the Microsoft way (part 88): a SINGLE command line shows about 20, 000 instances of CWE-73 Stefan Kanthak (Sep 28)
Hi @ll,

<https://cwe.mitre.org/data/definitions/73.html>
CWE-73: External Control of File Name or Path
is a well-known and well-documented weakness.

<https://seclists.org/fulldisclosure/2020/Mar/48> as well as
<https://skanthak.homepage.t-online.de/offender.html> demonstrate how to
(ab)use just one instance of this weakness (introduced about 7 years ago
with Microsoft Defender, so-called "security software") due to...

SEC Consult SA-20240925-0 :: Uninstall Password Bypass in BlackBerry CylanceOPTICS Windows Installer Package (CVE-2024-35214) SEC Consult Vulnerability Lab via Fulldisclosure (Sep 28)
SEC Consult Vulnerability Lab Security Advisory < 20240925-0 >
=======================================================================
title: Uninstall Password Bypass
product: BlackBerry CylanceOPTICS Windows Installer Package
vulnerable version: CylanceOPTICS <3.3 MR2
                    CylanceOPTICS <3.2 MR5
      fixed version: CylanceOPTICS 3.3 MR2
CylanceOPTICS...

Apple iOS 17.2.1 - Screen Time Passcode Retrieval (Mitigation Bypass) Patrick via Fulldisclosure (Sep 28)
Document Title:
===============
Apple iOS 17.2.1 - Screen Time Passcode Retrieval (Mitigation Bypass)

Release Date:
=============
2024-09-24

Affected Product(s):
====================
Vendor: Apple Inc.
Product: Apple iOS 17.2.1 (possibly all < 18.0 excluding 18.0)

References:
====================
VIDEO PoC: https://www.youtube.com/watch?v=vVvk9TR7qMo

The vulnerability has been patched in the latest release of the operating
system (iOS...

CyberDanube Security Research 20240919-0 | Multiple Vulnerabilities in Netman204 Thomas Weber via Fulldisclosure (Sep 23)
CyberDanube Security Research 20240919-0
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities
product| Netman 204
vulnerable version| 4.05
fixed version| -
CVE number| CVE-2024-8877, CVE-2024-8878
impact| High
homepage| https://www.riello-ups.com/
found| 2024-05-17
by| D....

Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

• Archived Posts
• RSS Feed
• About List

Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.

• Archived Posts
• RSS Feed
• About List

Penetration Testing — While this list is intended for "professionals", participants frequenly disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.

• Archived Posts
• RSS Feed
• About List

Info Security News — Carries news items (generally from mainstream sources) that relate to security.

• Archived Posts
• RSS Feed
• About List

Firewall Wizards — Tips and tricks for firewall administrators

• Archived Posts
• RSS Feed
• About List

IDS Focus — Technical discussion about Intrusion Detection Systems. You can also read the archives of a previous IDS list

• Archived Posts
• RSS Feed
• About List

Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.

• Archived Posts
• RSS Feed
• About List

Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

• Current Quarter
• Archived Posts
• RSS Feed
• About List
• dailydaveLatest Posts

Grace Hopper and the Rebirth of US Conferences Dave Aitel via Dailydave (Oct 10)
I spent some time watching all the Grace Hopper videos on the youtubes, as
I prepared for what up North is a horrible storm, but here in Miami is, so
far, a breezy and clear day. You can hear her talk about how subroutines
used to be literal handwritten pages of instructions in notebooks. When you
wanted SIN or COS you would go over to whoever had the notebook with the
working version, and copy it out into your code.

It was this experience that...

Developing Clairvoyance Dave Aitel via Dailydave (Sep 30)
As you know, humans like to invent comfort words. One of my favorites is
"luck". The theory being that yes, the universe has dice, but they are
loaded in your favor. Properly used, these words are a spell - they allow
us to have courage when a sober mind would quail. But when you become a
professional, you have to give up these crutches. Only poor poker players
believe in "luck".

In computer science, and especially in machine...

Re: sboms and LLMs Adrian Sanabria via Dailydave (Sep 12)
We've been talking about and giving "Beyond the SBOM" presentations for a
while now, but to your point, I don't see anyone actually doing it.

If Solarwinds said "here's a script that will lock down your host firewall
to just the outbound access our tools need to update themselves", that
would be amazing, and would have saved everyone some time and trouble a few
years ago.

[image: image.png]
And Biden's EO...

Re: sboms and LLMs Isaac Dawson via Dailydave (Sep 12)
Well this is rather timely! Although I'm not sure using an LLM for the
behavioral aspect is entirely necessary. I've been working on an
experimental system that does just what you talk about for dependencies (
https://docs.gitlab.com/ee/user/application_security/dependency_scanning/experiment_libbehave_dependency.html,
pre-alpha!). My solution uses static analysis because I'm a fan of
determinism.

Snark aside, looking at behaviors...

sboms and LLMs Dave Aitel via Dailydave (Sep 11)
People doing software security often use LLMs more as orchestrators than
anything else. But there's so many more complicated ways to use them in our
space coming down the pipe. Obviously the next evolution of SBOMs
<https://www.cisa.gov/resources-tools/resources/cisa-sbom-rama> is that
they represent not just what is contained in the code as some static tree
of library dependencies, but also what that code does in a summary fashion...

Re: Persistence and Strategic Effects the grugq via Dailydave (Aug 16)
Cyber is Calvinball.

I gave a talk back in 2015 [1] which I think has held up rather well. My argument was that cyber is evolving in
unpredictable ways as we learn more about the domain. That the current state of the art has huge blind spots we aren’t
even thinking about. The next year was, of course, the 2016 disinformation campaign fed by cyber loot.

I feel that a great deal of cyber war literature is based on knowledge derived from...

Persistence and Strategic Effects Dave Aitel via Dailydave (Aug 15)
Before there were words, calculated as the softmax of a list of possible
tokens, there were just vectors of nano-electrical potential in cells
soaked in a hormonal brew of electrolytes, operating on a clock cycle of
"slow, but fast enough". In this sense, as we now know
<https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10472538/>, we generate words
and we know, in our heads, what we are, in the same way as we generate
limbs, with each...

Re: "Exploitation Less Likely" Dave Aitel via Dailydave (Aug 13)
https://github.com/CloudCrowSec001/CVE-2024-38077-POC/blob/main/CVE-2024-38077.md
https://github.com/Wlibang/CVE-2024-38077/blob/main/One%20bug%20to%20Rule%20Them%20All%2C%20Exploiting%20a%20Preauth%20RCE%20vulnerability%20on%20Windows%20(2024_8_9%2010_59_06).html

But while you are at it, always good to watch a video for no reason:
https://www.youtube.com/watch?v=mVXrl4W1jOU

-dave

Re: "Exploitation Less Likely" Don A. Bailey via Dailydave (Aug 13)

"Exploitation Less Likely" Dave Aitel via Dailydave (Aug 12)
DefCon is a study in cacophony, and like many of you I'm still digging
through my backlog of new research in multifarious browser tabs, the way a
dragonfly keeps track of the world through scintillated compound lenses. In
between AIxCC (which proved, if anything, the boundaries
<https://dashboard.aicyberchallenge.com/collectivesolvehealth> of automated
bug finding using current LLM tech?), James Kettle's timing attack research...

PRANA Hack and Leak Report Release Dave Aitel via Dailydave (Aug 02)
Cordyceps Analysis Report on PRANA Network Hack and Leak Operation:
https://docs.google.com/document/d/1oOJbBTUwyK85ZKYAAdwWqxk-sMvqrBqzJYX1oziTFu4/edit?usp=sharing

Lately I've been reading a lot of academic papers, mostly the Research
Handbook on Cyberwarfare
<https://www.elgaronline.com/edcollchap/book/9781803924854/book-part-9781803924854-6.xml>.
Some of them are good papers! JD Work has a paper in it! But also some of
them get...

Re: LLMs and refusals David Manouchehri via Dailydave (Jul 28)
Breaking down a prompt into multiple steps works pretty well for us. e.g.
first we get generic mean reasons:

[image: image.png]

Then I just shove the mean reasons into the system message (you can do this
with another LLM call instead in real life, I just cheated by copy pasting
since there's already too many screenshots in this email):

[image: image.png]

This is with gpt-4o-2024-05-13 above, but you can see below it works with
Llama 3.1...

Re: LLMs and refusals Jason Ross via Dailydave (Jul 25)
It's likely this is going to happen anyway, the new Mistral just dropped
and seems to perform roughly on par with llama3 and gpt4o, so the next wave
of fine tuned versions like dolphin are almost certainly coming soon.

OpenAI also has announced free fine tuning of gpt4o mini until late
September (up to 2m tokens/day) so it may be possible to fine tune around
some of its guardrails for a reasonable cost.

Re: LLMs and refusals Robert Lee via Dailydave (Jul 24)

LLMs and refusals Dave Aitel via Dailydave (Jul 24)
[image: image.png]
Above: LLAMA3.1 8B-4Q test results via OLLAMA

So recently I've been doing a lot of work with LLMs handling arbitrary
unstructured data, and using them to generate structured data, which then
gets put into a graph database for graph algorithms to iterate on so you
can actually distill knowledge from a mass of nonsense.

But obviously this can get expensive via APIs, so like many of you, I set
up a server with a A6000 that...

PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.

• Archived Posts
• RSS Feed
• About List

Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.

• Archived Posts
• RSS Feed
• About List

Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.

• Archived Posts
• RSS Feed
• About List

Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community

• Archived Posts
• RSS Feed
• About List

CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.

• Previous Year
• Archived Posts
• RSS Feed
• About List
• certLatest Posts

Apple Releases Security Updates for Multiple Products CISA (Mar 28)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated and is now available.

Apple Releases Security Updates for Multiple Products [
https://www.cisa.gov/news-events/alerts/2023/03/28/apple-releases-security-updates-multiple-products ] 03/28/2023 01:00
PM EDT

Apple...

CISA Releases Six Industrial Control Systems Advisories CISA (Mar 23)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated, and is now available.

CISA Releases Six Industrial Control Systems Advisories [
https://www.cisa.gov/news-events/alerts/2023/03/23/cisa-releases-six-industrial-control-systems-advisories ] 03/23/2023
08:00 AM EDT...

CISA Releases Eight Industrial Control Systems Advisories CISA (Mar 21)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated, and is now available.

CISA Releases Eight Industrial Control Systems Advisories [
https://www.cisa.gov/news-events/alerts/2023/03/21/cisa-releases-eight-industrial-control-systems-advisories ]
03/21/2023 08:00 AM...

CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management CISA (Mar 21)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated, and is now available.

CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management [...

Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community

• Current Quarter
• Archived Posts
• RSS Feed
• About List
• oss-secLatest Posts

CVE-2024-45031: Apache Syncope: Stored XSS in Console and Enduser Francesco Chicchiriccò (Oct 24)
Severity: moderate

Affected versions:

- Apache Syncope 2.1 through 2.1.14
- Apache Syncope 3.0 through 3.0.8

Description:

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made
it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application.
XSS payloads could also be injected in Syncope Enduser when editing “Personal...

Re: CVE-2024-9143: OpenSSL: Low-level invalid GF(2^m) parameters lead to OOB memory access Dr. Christopher Kunz (Oct 24)
Am 23.10.24 um 11:10 schrieb Dr. Christopher Kunz:

FWIW,

both parties answered off-list (I needed an answer during the german
business day and got held up by moderation).

The difference is that OpenSSL does not adhere to CVSS-style risk
assessment, but assesses the severity of the bug together with the
likelihood of exploitation. Due to the latter being extremely low, the
overall assessment is "low".

SuSE, however, used vanilla...

Re: CVE-2024-9143: OpenSSL: Low-level invalid GF(2^m) parameters lead to OOB memory access Dr. Christopher Kunz (Oct 23)
Am 16.10.24 um 19:08 schrieb Tomas Mraz:

Good morning everyone,

while OpenSSL rates this issue as "low severity", SuSE assesses it as
"moderate", with a CVSS 3.1 of 7.0
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H).

I'm curious about these two quite different assessments. Could OpenSSL
and SuSE maybe elaborate a little?

Thanks,

--cku

Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Solar Designer (Oct 17)
Looks good to me.

There's a subtle issue here - another user's (or root's) temporary file
may be hard-linked and st_nlink may be back to 1 after the file is
unlinked by its original creator/user. For example, tmpfile(3) unlinks
the file right away, yet the calling program is expected to proceed to
use it. In that case, an attacker winning the race could manipulate
content of another user's temporary file, which that...

Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Steffen Nurpmeso (Oct 17)
Hello.

Matthias Gerstner wrote in
<ZxDKuqteocmdBDNx () kasco suse de>:
|On Tue, Oct 15, 2024 at 10:21:35PM +0200, Solar Designer wrote:
|> On Tue, Oct 15, 2024 at 03:17:34PM -0400, Demi Marie Obenour wrote:
...
|From 345ae06e0f698bdb1e9b4529e5a882f12df04426 Mon Sep 17 00:00:00 2001
|From: Matthias Gerstner <matthias.gerstner () suse de>
|Date: Wed, 16 Oct 2024 09:58:35 +0200
|Subject: [PATCH] usersfile: fix potential...

Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Matthias Gerstner (Oct 17)
Hi,

Exactly. The privilege-drop is only an extra hardening. The patch
first attempts to securely determine the ownership of the
oath-usersfile, then drops privileges to the owner of the file for
further processing.

The privilege-drop in our path is defense-in-depth. The file operations
used should be robust on their own already. Dealing with file system
APIs securely is such contexts is quite a complex task as can be seen in
the discussion of...

CVE-2024-9143: OpenSSL: Low-level invalid GF(2^m) parameters lead to OOB memory access Tomas Mraz (Oct 16)
OpenSSL Security Advisory [16th October 2024]
=============================================

Low-level invalid GF(2^m) parameters lead to OOB memory access (CVE-2024-9143)
==============================================================================

Severity: Low

Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted
explicit values for the field polynomial can lead to out-of-bounds memory reads
or writes.

Impact...

CVE-2024-45217: Apache Solr: ConfigSets created during a backup restore command are trusted implicitly Houston Putman (Oct 15)
Severity: moderate

Affected versions:

- Apache Solr 6.6.0 before 8.11.4
- Apache Solr 9.0.0 before 9.7.0

Description:

Insecure Default Initialization of Resource vulnerability in Apache Solr.

New ConfigSets that are created via a Restore command, which copy a configSet from the backup and give it a new name,
are created without setting the "trusted" metadata.
ConfigSets that do not contain the flag are trusted implicitly if the...

CVE-2024-45216: Apache Solr: Authentication bypass possible using a fake URL Path ending Houston Putman (Oct 15)
Severity: critical

Affected versions:

- Apache Solr 5.3.0 before 8.11.4
- Apache Solr 9.0.0 before 9.7.0

Description:

Improper Authentication vulnerability in Apache Solr.

Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are
vulnerable to Authentication bypass.
A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API...

Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Solar Designer (Oct 15)
As I understand, the SUSE patch already does that.

The detail here may be different. And importantly, the final path
component must be owned strictly by the target user (not by root, unless
the target user is root).

Both the SUSE and the upstream patch try to do two things at once: drop
privileges and access files safer. Maybe I missed, but I think neither
of you specified whether these two things are intended as required
complementary parts...

Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Demi Marie Obenour (Oct 15)
What about opening the path one portion at a time using openat() with
O_NOFOLLOW (and, as applicable, O_DIRECTORY), ensuring that each portion
is not "." or "..", does not contain "/", and is owned by either the
target user or root? This solves all race conditions and does not
require spawning another process.

CVE-2024-45693: Apache CloudStack: Request origin validation bypass makes account takeover possible Daniel Augusto Veronezi Salvador (Oct 15)
Severity: important

Affected versions:

- Apache CloudStack 4.15.1.0 through 4.18.2.3
- Apache CloudStack 4.19.0.0 through 4.19.1.1

Description:

Users logged into the Apache CloudStack's web interface can be tricked to submit malicious CSRF requests due to missing
validation of the origin of the requests. This can allow an attacker to gain privileges and access to resources of the
authenticated users and may lead to account...

CVE-2024-45462: Apache CloudStack: Incomplete session invalidation on web interface logout Daniel Augusto Veronezi Salvador (Oct 15)
Severity: moderate

Affected versions:

- Apache CloudStack 4.15.1.0 through 4.18.2.3
- Apache CloudStack 4.19.0.0 through 4.19.1.1

Description:

The logout operation in the CloudStack web interface does not expire the user session completely which is valid until
expiry by time or restart of the backend service. An attacker that has access to a user's browser can use an unexpired
session to gain access to resources owned by the logged out...

CVE-2024-45461: Apache CloudStack Quota plugin: Access checks not enforced in Quota Daniel Augusto Veronezi Salvador (Oct 15)
Severity: moderate

Affected versions:

- Apache CloudStack Quota plugin 4.7.0 through 4.18.2.3
- Apache CloudStack Quota plugin 4.19.0.0 through 4.19.1.1

Description:

The CloudStack Quota feature allows cloud administrators to implement a quota or usage limit system for cloud
resources, and is disabled by default. In environments where the feature is enabled, due to missing access check
enforcements, non-administrative CloudStack user...

CVE-2024-45219: Apache CloudStack: Uploaded and registered templates and volumes can be used to abuse KVM-based infrastructure Daniel Augusto Veronezi Salvador (Oct 15)
Severity: important

Affected versions:

- Apache CloudStack 4.0.0 through 4.18.2.3
- Apache CloudStack 4.19.0.0 through 4.19.1.1

Description:

Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and
volumes for attaching them as data disks to their existing instances. Due to missing validation checks for
KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2.3 and...

Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.

• Archived Posts
• RSS Feed
• About List

Educause Security Discussion — Securing networks and computers in an academic environment.

• Archived Posts
• RSS Feed
• About List

NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.

• Current Month
• Archived Posts
• RSS Feed
• About List
• nanogLatest Posts

Re: IEEE MACsec John Schiel (Oct 23)
What a community!!!

Thanks for all the responses.

--jas

RE: IEEE MACsec Bertilsson , Björn via NANOG (Oct 23)
The biggest pitfall for telecom with MACSEC, is that PTP/SyncE and MACSEC on the same physical interface simultaneously
is mostly not supported. Many claims that you can do both, but they don’t mention that it can’t be done at the same
time. There are some newer models of Juniper ACX coming with that, one model of Cisco NCS (but not officially
supported) and maybe others. But with the PHY and NPU separated it has been hard for them to...

FW: 100G L2 Service (USA x Europe) frank . aguilar (Oct 23)
Hi Erick,

I think I can help you with this. Is there a price point you are looking for?

Best regards,

Frank Aguilar
Sr. Account Manager
Carrier Sales North America
Mobile - 909.217.8372
[Logo Orange Wholesale]

frank.aguilar () orange com<mailto:frank.aguilar () orange com>
https://internationalcarriers.orange.com/
Orange IP Transit solution: connecting ISPs and Content Providers - YouTube<https://www.youtube.com/watch?v=jvyfN9dMhfI...

100G L2 Service (USA x Europe) Erick Nascimento via NANOG (Oct 22)
Hello everyone,

Huge Networks is looking for 100G L2 service between Equinix Ashburn (or
NYC Metro area) to any datacenter in the London or Frankfurt Metro Area.

Please contact me offline if you offer this type of service.

Re: IEEE MACsec Dave Cohen (Oct 22)
I would caution anyone running MACsec on a link leveraging a provider
circuit between them to quadruple check that the provider link supports
customer use of MACsec. In theory MACsec will operate just fine over a
Layer 2 link but carriers tend to not like unanticipated bits get appended
or inserted into frame headers. In my carrier days, $dayjob's L2 products
tended to be highly interoperable relative to the industry norm, and we
still...

Re: IEEE MACsec Mark Tinka (Oct 22)
It is also now shipping in coherent pluggables as a native feature.

Mark.

Re: IEEE MACsec Stephen Stuart (Oct 22)
If you are going to deploy MACSEC, my advice is test, test, and test,
especially (but not only) if you have different vendors'
implementations of MACSEC on either end of the link.

Test that MACSEC comes up.

Test that it recovers from link flaps.

Test key rotation.

Test recovery from link flaps during key rotation.

Test all permutations of recovery from admin down/up on both sides.

Test everything you can think of, then think of more...

Re: IEEE MACsec Tarko Tikan (Oct 22)
hey,

What we are seeing now is MACsec getting integrated into latest NPUs
directly. So far it has been mostly implemented by separate chips or in
PHYs (or combination). This has, in some cases, limited you to what
ports you can use MACsec on. It also had challenges with sync/PTP,
per-vlan MACsec etc.

So while it is proven technology and works well we are still seeing
innovation/improvements.

Re: IEEE MACsec Brandon Martin (Oct 22)
MACsec is also really useful where you need point-to-point protection of
traffic that isn't easily manipulated at L3 or may not even run over IP
but that may transit publicly accessible infrastructure. Utility SCADA
traffic is an example, and MACsec can be very useful on those networks
as they often transition from wireless to fiber.

Re: IEEE MACsec Crist Clark (Oct 21)
It is definitely deployed out there. I wouldn't worry too much about
reading the specs. All of the implementations I've dealt with are only
partial implementations. They almost all are limited to "point to point"
functionality.

As for comparing to IPsec, IPsec came out of a different time. It is more
of framework with a zillion knobs, and lots of room for customization and
future changes. The keying isn't even a part of...

Re: IEEE MACsec Tom Beecher (Oct 21)
There's certainly a penalty paid for the extra time encrypting and
decrypting , which of course can aggregate over a large number of protected
links.

But unless you're trying to manage latency budgets in the microseconds
range it's not likely to be an issue.

Re: IEEE MACsec John Schiel (Oct 21)
Thanks.

I threw this out there not knowing how fast someone would respond.

I only heard about this recently and am surprised it as as old as it is.

Regarding speed, the first few pages I hit made a comment that it was
slower because of packet overhead. I'm reading more and that is less of
a concern.

--jas

Re: IEEE MACsec Saku Ytti (Oct 21)
I guess it depends on wireless technology, but 802.11xyzzy comes with
an encryption solution already so isn't really a target of interest.

Not really, implementation detail.

Definitely not supported on all devices, you tend to pay extra, but
getting an increasingly small premium to pay. May become essentially
free, depending on demand.

Speed doesn't have anything to do with layer2 or layer3, you may be
assuming that ipsec is software...

IEEE MACsec John Schiel (Oct 21)
I know this is a NANOG forum but curious how widespread usage of MACsec
might be. (https://1.ieee802.org/security/802-1ae/).Currently reading
the spec but wanted to pose some questions.

I'm seeing some pitfalls:
    1) May not work over wireless LAN devices?
    2) Needs a centralized key server.
    3) May not be supportable on all devices?

Purported to be faster on the LAN than IPsec because MACsec is on layer 2.

Thoughts?

abja Randy Bush (Oct 20)
on this day in 2001, abha ahuja, computer scientist, routing geek, and
friend to many died.

a bit of cheer: tomorrow is rob blokzijl's birthday. october is not
all sad.

randy

Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating

• Archived Posts
• RSS Feed
• About List

The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.

• Current Quarter
• Archived Posts
• RSS Feed
• About List
• risksLatest Posts

Risks Digest 34.47 RISKS List Owner (Oct 17)
RISKS-LIST: Risks-Forum Digest Thursday 17 Oct 2024 Volume 34 : Issue 47

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.47>
The current issue can also be found at
<...

Risks Digest 34.46 RISKS List Owner (Oct 01)
RISKS-LIST: Risks-Forum Digest Tuesday 1 Oct 2024 Volume 34 : Issue 46

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.46>
The current issue can also be found at
<...

Risks Digest 34.45 RISKS List Owner (Sep 14)
RISKS-LIST: Risks-Forum Digest Saturday 14 Sep 2024 Volume 34 : Issue 45

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.45>
The current issue can also be found at
<...

Risks Digest 34.44 RISKS List Owner (Sep 08)
RISKS-LIST: Risks-Forum Digest Sunday 8 Sep 2024 Volume 34 : Issue 44

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.44>
The current issue can also be found at
<...

Risks Digest 34.43 RISKS List Owner (Aug 29)
RISKS-LIST: Risks-Forum Digest Thursday 29 Aug 2024 Volume 34 : Issue 43

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.43>
The current issue can also be found at
<...

Risks Digest 34.42 RISKS List Owner (Aug 26)
RISKS-LIST: Risks-Forum Digest Monday 26 Aug 2024 Volume 34 : Issue 42

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.42>
The current issue can also be found at
<...

Risks Digest 34.41 RISKS List Owner (Aug 24)
RISKS-LIST: Risks-Forum Digest Saturday 24 Aug 2024 Volume 34 : Issue 41

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
(comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats,
etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.41>
The current issue can also be found at
<...

Risks Digest 34.40 RISKS List Owner (Aug 14)
RISKS-LIST: Risks-Forum Digest Wednesday 14 Aug 2024 Volume 34 : Issue 40

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.40>
The current issue can also be found at
<...

Risks Digest 34.39 RISKS List Owner (Aug 03)
RISKS-LIST: Risks-Forum Digest Saturday 3 Aug 2024 Volume 34 : Issue 39

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.39>
The current issue can also be found at
<...

Risks Digest 34.38 RISKS List Owner (Jul 29)
RISKS-LIST: Risks-Forum Digest Monday 29 Jul 2024 Volume 34 : Issue 38

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.38>
The current issue can also be found at
<...

Risks Digest 34.37 RISKS List Owner (Jul 25)
RISKS-LIST: Risks-Forum Digest Thursday 25 Jul 2024 Volume 34 : Issue 37

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.37>
The current issue can also be found at
<...

Risks Digest 34.36 RISKS List Owner (Jul 21)
RISKS-LIST: Risks-Forum Digest Sunday 21 Jul 2024 Volume 34 : Issue 36

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.36>
The current issue can also be found at
<...

Risks Digest 34.35 RISKS List Owner (Jul 11)
RISKS-LIST: Risks-Forum Digest Thursday 11 Jun 2024 Volume 34 : Issue 35

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.35>
The current issue can also be found at
<...

BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.

• Archived Posts
• RSS Feed
• About List
• datalossLatest Posts

Healthcare organizations face rising ransomware attacks – and are paying up Matthew Wheeler (Jun 03)
https://www.theregister.com/2022/06/03/healthcare-ransomware-pay-sophos/

Healthcare organizations, already an attractive target for ransomware given
the highly sensitive data they hold, saw such attacks almost double between
2020 and 2021, according to a survey released this week by Sophos.

The outfit's team also found that while polled healthcare orgs are quite
likely to pay ransoms, they rarely get all of their data returned if they
do...

A digital conflict between Russia and Ukraine rages on behind the scenes of war Matthew Wheeler (Jun 03)
https://wskg.org/npr_story_post/a-digital-conflict-between-russia-and-ukraine-rages-on-behind-the-scenes-of-war/

SEATTLE — On the sidelines of a conference in Estonia on Wednesday, a
senior U.S. intelligence official told British outlet Sky News that the
U.S. is running offensive cyber operations in support of Ukraine.

“My job is to provide a series of options to the secretary of defense and
the president, and so that’s what I do,” said...

Researchers Uncover Malware Controlling Thousands of Sites in Parrot TDS Network Matthew Wheeler (Jun 03)
https://thehackernews.com/2022/06/researchers-uncover-malware-controlling.html

The Parrot traffic direction system (TDS) that came to light earlier this
year has had a larger impact than previously thought, according to new
research.

Sucuri, which has been tracking the same campaign since February 2019 under
the name "NDSW/NDSX," said that "the malware was one of the top infections"
detected in 2021, accounting for more than...

FBI, CISA: Don't get caught in Karakurt's extortion web Matthew Wheeler (Jun 03)
https://www.theregister.com/2022/06/03/fbi_cisa_warn_karakurt_extortion/

The Feds have warned organizations about a lesser-known extortion gang
Karakurt, which demands ransoms as high as $13 million and, some
cybersecurity folks say, may be linked to the notorious Conti crew.

In a joint advisory [PDF] this week, the FBI, CISA and US Treasury
Department outlined technical details about how Karakurt operates, along
with actions to take,...

DOJ Seizes 3 Web Domains Used to Sell Stolen Data and DDoS Services Matthew Wheeler (Jun 02)
https://thehackernews.com/2022/06/doj-seizes-3-web-domains-used-to-sell.html

The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of
three domains used by cybercriminals to trade stolen personal information
and facilitate distributed denial-of-service (DDoS) attacks for hire.

This includes weleakinfo[.]to, ipstress[.]in, and ovh-booter[.]com, the
former of which allowed its users to traffic hacked personal data and
offered a...

Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability Matthew Wheeler (Jun 02)
https://thehackernews.com/2022/05/chinese-hackers-begin-exploiting-latest.html

An advanced persistent threat (APT) actor aligned with Chinese state
interests has been observed weaponizing the new zero-day flaw in Microsoft
Office to achieve code execution on affected systems.

"TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using
URLs to deliver ZIP archives which contain Word Documents that use the
technique,"...

US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command Matthew Wheeler (Jun 02)
https://www.three.fm/news/world-news/us-military-hackers-conducting-offensive-operations-in-support-of-ukraine-says-head-of-cyber-command/

US military hackers have conducted offensive operations in support of
Ukraine, the head of US Cyber Command has told Sky News.

In an exclusive interview, General Paul Nakasone also explained how "hunt
forward" operations were allowing the United States to search out foreign
hackers and identify...

SideWinder Hackers Launched Over a 1, 000 Cyber Attacks Over the Past 2 Years Matthew Wheeler (May 31)
https://thehackernews.com/2022/05/sidewinder-hackers-launched-over-1000.html

An "aggressive" advanced persistent threat (APT) group known as SideWinder
has been linked to over 1,000 new attacks since April 2020.

"Some of the main characteristics of this threat actor that make it stand
out among the others, are the sheer number, high frequency and persistence
of their attacks and the large collection of encrypted and obfuscated...

Hackers are Selling US University Credentials Online, FBI Says Matthew Wheeler (May 31)
https://tech.co/news/hackers-are-selling-us-university-credentials-online-fbi-says

The Federal Bureau of Investigation has warned US universities and colleges
that it has found banks of login credentials and other data relating to VPN
access circulating on cybercriminals forums.

The fear is that such data will be sold and subsequently used by malicious
actors to orchestrate attacks on other accounts owned by the same students,
in the hope...

Interpol Nabs 3 Nigerian Scammers Behind Malware-based Attacks Matthew Wheeler (May 31)
https://thehackernews.com/2022/05/interpol-nabs-3-nigerian-scammers.html

Interpol on Monday announced the arrest of three suspected global scammers
in Nigeria for using remote access trojans (RATs) such as Agent Tesla to
facilitate malware-enabled cyber fraud.

"The men are thought to have used the RAT to reroute financial
transactions, stealing confidential online connection details from
corporate organizations, including oil and gas...

U.S. Warns Against North Korean Hackers Posing as IT Freelancers Matthew Wheeler (May 18)
https://thehackernews.com/2022/05/us-warns-against-north-korean-hackers.html

Highly skilled software and mobile app developers from the Democratic
People's Republic of Korea (DPRK) are posing as "non-DPRK nationals" in
hopes of landing freelance employment in an attempt to enable the regime's
malicious cyber intrusions.

That's according to a joint advisory from the U.S. Department of State, the
Department of the...

FBI and NSA say: Stop doing these 10 things that let the hackers in Matthew Wheeler (May 18)
https://www.zdnet.com/article/fbi-and-nsa-say-stop-doing-these-10-things-that-let-the-hackers-in/

Cyber attackers regularly exploit unpatched software vulnerabilities, but
they "routinely" target security misconfigurations for initial access, so
the US Cybersecurity and Infrastructure Security Agency (CISA) and its
peers have created a to-do list for defenders in today's heightened threat
environment.

CISA, the FBI and National...

Fifth of Businesses Say Cyber-Attack Nearly Broke Them Matthew Wheeler (May 18)
https://www.infosecurity-magazine.com/news/fifth-of-businesses-cyber-attack/

A fifth of US and European businesses have warned that a serious
cyber-attack nearly rendered them insolvent, with most (87%) viewing
compromise as a bigger threat than an economic downturn, according to
Hiscox.

The insurer polled over 5000 businesses in the US, UK, Ireland, France,
Spain, Germany, the Netherlands and Belgium to compile its annual Hiscox
Cyber...

Hacker And Ransomware Designer Charged For Use And Sale Of Ransomware, And Profit Sharing Arrangements With Cybercriminals Matthew Wheeler (May 18)
https://www.shorenewsnetwork.com/2022/05/16/hacker-and-ransomware-designer-charged-for-use-and-sale-of-ransomware-and-profit-sharing-arrangements-with-cybercriminals/

A criminal complaint was unsealed today in federal court in Brooklyn, New
York, charging Moises Luis Zagala Gonzalez (Zagala), also known as
“Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” a citizen of France and
Venezuela who resides in Venezuela, with attempted...

State of Ransomware shows huge growth in threat and impacts Matthew Wheeler (May 04)
https://www.continuitycentral.com/index.php/news/technology/7275-state-of-ransomware-shows-huge-growth-in-threat-and-impacts

Sophos has released its annual survey and review of real-world ransomware
experiences in its ‘State of Ransomware 2022’ report. This shows that 66
percent of organizations surveyed were hit with ransomware in 2021, up from
37 percent in 2020.

The average ransom paid by organizations that had data encrypted in their...

Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool

• Archived Posts
• RSS Feed
• About List

Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.

• Archived Posts
• RSS Feed
• About List

Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.

• Current Quarter
• Archived Posts
• RSS Feed
• About List
• snortLatest Posts

Snort Subscriber Rules Update 2024-10-24 Research via Snort-sigs (Oct 24)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the file-multimedia,
malware-cnc, protocol-snmp and server-webapp rule sets to provide
coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Re: Remove this email address Joel Esler via Snort-sigs (Oct 23)
Thank you for writing in.

Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-sigs

or by sending an email to snort-sigs-leave () lists snort org

Thanks!

Remove this email address Jose Dominguez via Snort-sigs (Oct 22)
Please remove this email address from future notifications

Snort Subscriber Rules Update 2024-10-22 Research via Snort-sigs (Oct 22)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the and server-webapp
rule sets to provide coverage for emerging threats from these
technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Questions about IPS-Policy Bestell_E-Mail via Snort-sigs (Oct 22)
Hello.

First of all, please excuse me if this question is asked a lot.

I am a beginner and currently using the IPS Policy with the Business License.

I am not sure if Personal or Business License is right for me. Are the IPS policies different in any way for these two
licenses?

Best regards

Waldemar Sager_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org...

Snort Subscriber Rules Update 2024-10-17 Research via Snort-sigs (Oct 17)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the policy-other and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2024-10-15 Research via Snort-sigs (Oct 15)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the file-image,
malware-cnc, malware-other, os-windows and server-mail rule sets to
provide coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2024-10-10 Research via Snort-sigs (Oct 10)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the malware-cnc and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Re: Hi all! (and a snort sig question) Al Lewis (allewi) via Snort-sigs (Oct 10)
Wouldnt it be easier to just use the IP variable?

i.e replace the EXTERNAL_NET and use a variable or IP?

Albert Lewis

Email: allewi () cisco com<mailto:allewi () cisco com>

________________________________
From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Rob Vandenbrink via Snort-sigs <snort-sigs ()
lists snort org>
Sent: Thursday, October 10, 2024 12:12 PM
To: Snort User <snort.user () gmail com>...

Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 10)
Ah, makes sense
I’ll count bytes, but I don’t think the ordering of extensions is dictated…

Playing with this tomorrow hopefully


Hi Rob

At this point of inspection, the payload is handled by the SSL inspector, and not by the HTTP inspector. So, we cannot
use the HTTP buffers.
So, is it possible for you to match on the relevant bytes using content matches without using buffers?

This is my understanding. I could be wrong :/

regards...

Re: Hi all! (and a snort sig question) Snort User via Snort-sigs (Oct 10)
Hi Rob

At this point of inspection, the payload is handled by the SSL inspector,
and not by the HTTP inspector. So, we cannot use the HTTP buffers.
So, is it possible for you to match on the relevant bytes using content
matches without using buffers?

This is my understanding. I could be wrong :/

regards

Snort capturing traffic from the entire network instead of just the IP Assigned NTWIGA MURITHI via Snort-sigs (Oct 10)
Goodmorning,

I downloaded the registered rules. And configured snort.lua IP using the
following
HOME_NET = '10.2.60.134'

EXTERNAL_NET = '!$HOME_NET'

The problem is snort is capturing all the traffic from other IPs when i run
this command
sudo snort -c /usr/local/etc/snort/snort.lua -i eth0 -A alert_fast
--plugin-path "/usr/local/etc/so_rules/"

10/02-03:52:40.597213 [**] [116:414:1] "(ipv4) IPv4 packet to...

Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 10)
Cool, will do

If I browse to an IP address, there is never an SNI (since there’s no “server name” to put there). Confirmed this with
a PCAP.
So my thought was to write a sig that looks for an null SNI value, my current best gues would be this one, which should
look for an FQDN in the SNI field, and if there’s no dot (which there should be) then trigger the alert.

https_raw_url.host:!”.”
content:!"."; \...

Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 10)
Ah, I thought that since the Hello packets are unencrypted that snort would still inspect at least those

I do not have decrypt turned on (given historic Cisco Firepower+Snort issues), but I think I can convince one of my
clients to give it a try now that they have new hardware and new code.

Do either of those two latest signatures that I’m trying look OK though?

==============
Rob VandenBrink
519-589-1881

From: Snort User <snort.user ()...

Re: Hi all! (and a snort sig question) Snort User via Snort-sigs (Oct 09)
I don't think so. I would definitely use *ssl_state:client_hello; *and then
look to match the SNI portion of the SSL client hello packet and then try
matching the dotted quad pattern.
But as you are doing, the best way is to try out your sig against a pcap