SecLists.Org Security Mailing List Archive

Any hacker will tell you that the latest news and exploits are not found on any web site—not even Insecure.Org. No, the cutting edge in security research is and will continue to be the full disclosure mailing lists such as Bugtraq. Here we provide web archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:

Insecure.Org Lists

Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.

attn: patrik/group Mike . (Apr 19)
in regards to the snmp scripts that nmap offers. do they all rely on version 1/2? i have been scanning subnets today
and noticed ALOT of the snmp agents i have run across require version 3. they won't even talk to the new snmp scripts i
fire at it. version 3 has more overhead with support for bulk requests and higher authentication levels as opposed to
just a public string. is there an option in these scripts to resort to version 3 or are...

Re: [NSE] hostmap-ip2hosts not working (ip2hosts.com gone) Daniel Miller (Apr 18)
The site is back up for now, but the question of how to detect and deal
with external dependencies and API changes still stands.

Dan

Re: snmp issues Daniel Miller (Apr 18)
Mike,

Thanks for this report. Patrik fixed these issues in r32835.

Dan

Re: does this matter? Daniel Miller (Apr 18)
Mike,

Regarding the "illegal option -- û" error, you most likely have a long
dash (—) instead of a hyphen (-) in your command line, which is being
encoded strangely.

Regarding http-brute (http://nmap.org/nsedoc/scripts/http-brute.html),
the script is for auditing HTTP Basic authentication only. If the
username and password fields are on a web page, not a browser prompt,
then you should be using http-form-brute
(...

does this matter? Mike . (Apr 18)
just talked to George a bit ago about my issue with the router brute force script. he told me i had a -- out of place.
i just put that extra dash in and still got an odd errornmap: illegal option -- û
so just for the heck of it i ran the dashes as singles and that seemed to work! output here>
C:\>nmap -p80 -script http-brute -script-args http-brute.path=/admin/ 192.168.0.1 (notice the single dashes)
so the question here is, does it even...

Re: issues with router brute force? George Chatzisofroniou (Apr 18)
Hello,

It looks like you are missing a dash before the 'script-args' option. It should
be '--script-args'.

Re: crash its not work hiks hikss... Daniel Miller (Apr 18)
Thank you all (BCC'd) for your bug reports. This issue is now fixed in the
latest release, Nmap 6.46, available from http://nmap.org/download.html

On Sun, Apr 13, 2014 at 2:41 PM, Rachmat Gumilar <0906098 () sttgarut ac id>wrote:

New VA Modules: MSF: 1, Nessus: 21 New VA Module Alert Service (Apr 18)
This report describes any new scripts/modules/exploits added to Nmap,
Metasploit, Nessus, and OpenVAS since yesterday.

== Metasploit modules (1) ==

fc018eb3
https://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/post/windows/manage/change_password.rb
Windows Manage Change Password

== Nessus plugins (21) ==

73598 fabricos_unsupported.nasl
http://nessus.org/plugins/index.php?view=single&id=73598
Unsupported Brocade...

Re: Hi Dhiraj Khatiwada (Apr 18)
hi all,

No I have not done any project of this type. But I am a System Engineer at
Dristi-tect pvt. ltd. I am very much interested in Vulnerability research.
I know TCP/IP. But I don't have any algorithm to identify the remote
operating system. So, hope you guys can help in this project.
Actually I want to make a automated framework for security research. It
would be the GUI application. A user just need to click, click and next
buttons to...

Re: Hi Littlefield, Tyler (Apr 18)
Hello:
First, can you start by explaining what an operating scanning software is? What do you want your project to do? Are
there any other projects that currently do what you want?

Regards;
Dhiraj Khatiwada

Re: Hi Rodrigo Ramos (Apr 18)
Hello Dhiraj Khatiwada!

Did you write the project about it?
Do you know It's functions?

Best regards,
Rodrigo Ramos
(81) 8131.4868

Trabalhar no telefone pode ser complicado. Por favor, desculpe qualquer erro de digitação.

Enviado via iPhone

Hi Dhiraj Khatiwada (Apr 18)
Hi all,

I want to make a Operating Scanning Software for my college project. But I
don't have any idea about how to do such things. So, please anyone can help
me regarding this issue.

Thanks,

Regards;
Dhiraj Khatiwada

Re: Compiling nmap under LLVM Daniel Miller (Apr 18)
Jacek,

IIRC, your command needs to include CXX=clang++, not CXX=clang.

Dan

Re: Compiling nmap under LLVM Jacek Wielemborek (Apr 17)
18/04/2014 00:39:48 Jacek Wielemborek <d33tah () gmail com>:

Ah, sorry, I should have used clang++. Builds fine then._______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

Compiling nmap under LLVM Jacek Wielemborek (Apr 17)
List,

I just tried compiling Nmap under LLVM using the following command line:

CC=clang CXX=clang ./configure && make 2>&1

I got a lot of "undefined reference" errors, the full log can be seen here:
http://wklej.org/id/1335877/txt/

Am I doing something wrong, or do we need some changes in the build system?

Yours,
Jacek Wielemborek_______________________________________________
Sent through the dev mailing list...

Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.

Nmap Project Seeking Talented Programmers for Google Summer of Code--Last Day to Apply! Fyodor (Mar 20)
Hi folks. I'm delighted to report that Nmap has been accepted by Google to
participate in this year's Summer of Code internship program. This
innovative and extraordinarily generous program provides $5,500 stipends to
college and graduate students anywhere in the world who spend the summer
improving Nmap from home! They gain valuable experience, get paid,
strengthen their résumés, and write code for millions of users. We're...

Nmap Team Launches 5-Gigapixel "Icons of the Web" Project Fyodor (Dec 19)
Fellow Nmap Hackers,

Perhaps you remember in 2010 how we capped off a massive scan of the top
million Internet web sites by creating a giant interactive collage, with
each site scaled by its popularity? Well, I'm happy to report that we
restarted our scanners this year and have launched a brand new and much
improved edition of Icons of the Web at http://nmap.org/favicon/! It's
interesting to see how things have changed in just 3...

Nmap 6.40 Released! New scripts, new signatures, better performance! Fyodor (Aug 19)
Hi Folks. It has been a while since the last stable Nmap release, but
I'm pleased to release Nmap 6.40 and I think you'll consider it worth
the wait! It includes 14 new NSE scripts, hundreds of new OS and
service detection signatures, a new --lua-exec feature for scripting
Ncat, initial support for NSE and version scanning through a chain of
proxies, improved target specification, many performance enhancements
and bug fixes, and much...

Nmap Project Seeking Talented Programmers for Google Summer of Code Fyodor (Apr 26)
Hi Folks. I'm happy to announce that the Nmap Project has again been
accepted into the Google Summer of Code program. This innovative and
extraordinarily generous program provides $5,000 stipends to college and
graduate students who spend the summer improving Nmap! They gain valuable
experience, get paid, strengthen their résumés, and write code for millions
of users.

Previous SoC students helped create the Nmap Scripting Engine, Zenmap...

Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. It higher traffic than other lists, but the relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

CSRF, AoF and XSS vulnerabilities in D-Link DAP 1150 MustLive (Apr 18)
Hello list!

In 2011 and beginning of 2012 I wrote about multiple vulnerabilities
(http://securityvulns.ru/docs27440.html,
http://securityvulns.ru/docs27677.html,
http://securityvulns.ru/docs27676.html) in D-Link DAP 1150 (several dozens).
That time I wrote about vulnerabilities in admin panel in Access Point mode
and now I'll write about holes in Router mode.

I present new vulnerabilities in this device. There are Cross-Site Request...

Re: iis cgi 0day Homer Parker (Apr 18)
Oh?

<http://news.netcraft.com/archives/2014/04/08/thousands-of-websites-still-hosted-on-windows-xp.html>

CS and XSS vulnerabilities in CU3ER MustLive (Apr 18)
Hello list!

These are Content Spoofing and Cross-Site Scripting vulnerabilities in
CU3ER. Which I found in October 2013 at one web site. This is popular flash
file and in Google's index there are up to million web sites with it (near
1060000 sites in October, now near 717000 sites).

In last years I wrote about similar vulnerabilities in millions of flash
files (on hundreds millions of web sites), including in different flash
video and...

Remote Command Injection in Ruby Gem sfpagent 0.4.14 Larry W. Cashdollar (Apr 18)
Title: Remote Command Injection in Ruby Gem sfpagent 0.4.14

Date: 4/15/2014

Author: Larry W. Cashdollar, @_larry0

CVE: 2014-2888

Download: http://rubygems.org/gems/sfpagent

Vulnerability
The list variable generated from the user supplied JSON[body] input is passed directly to the system() shell on line
649. If a user supplies a module name with shell metacharacters like ; they might be able to execute shell commands on
the remote system as...

Re: NRPE - Nagios Remote Plugin Executor <= 2.15 Remote Command Execution Jakob Rößler (Apr 18)
I am very sorry to inform you, that this one is a very old hat...

Taken from the /etc/nagios/nrpe.conf:

# ONLY change this if you exactly know what you are doing!
# this enabled arguments, which can be appended to checks
# Enabling this is a HIGH security risk, and should only
# be done in certain environments!
#dont_blame_nrpe=0
#dont_blame_nrpe=1

Kind regards

Jakob

Am 17.04.2014 22:48,...

Re: Should openssl accept weak DSA/DH keys with g = +/- 1 ? Jeffrey Walton (Apr 17)
g = 2 is not a generator though its often used. Its possible to leak
information depending on parameter selection (or only generate half
the values of the group). See, for example, "Diffie-Hellman Parameter
Check (when g = 2, must p mod 24 == 11?)",
http://crypto.stackexchange.com/questions/12961/diffie-hellman-parameter-check-when-g-2-must-p-mod-24-11.

Jeff

NRPE - Nagios Remote Plugin Executor <= 2.15 Remote Command Execution golunski (Apr 17)
=============================================
- Release date: 17.04.2014
- Discovered by: Dawid Golunski
- Severity: High
=============================================

I. VULNERABILITY
-------------------------

NRPE - Nagios Remote Plugin Executor <= 2.15 Remote Command Execution

II. BACKGROUND
-------------------------

Nagios is an open source computer system monitoring, network monitoring and
infrastructure monitoring software...

Re: Should openssl accept weak DSA/DH keys with g = +/- 1 ? Pavel Kankovsky (Apr 17)
You can check whether the modulus is a safe prime (p = 2q + 1
where q is a prime number as well) and whether the generator is not a
degenerate one (g != +/- 1; this is sufficient to prove that the order
of g is either q or 2q).

Does anyone use non-safe primes for DH? Afaik any well-known moduli
are safe. And openssl dhparam generates safe primes only.

The check would burn quite a lot of CPU cycles but it would be feasible
and the client...

Re: Audit: don't only focus on heartbleed issue Stephane Bortzmeyer (Apr 17)
On Wed, Apr 16, 2014 at 09:22:31PM +0200,
Reindl Harald <h.reindl () thelounge net> wrote
a message of 82 lines which said:

As explained by Tim, this is false. He forgot to mention another
attack vector, a routing attack like
<http://www.renesys.com/2013/11/mitm-internet-hijacking/>

Re: ldd for OS X WAS:Auditing systems for vulnerable 3rd-party OpenSSL (Gabriel Brezi) Tim Heckman (Apr 17)
There are quite a few Homebrew[1] formula that depend on OpenSSL. They may
be vulnerable to Heartbleed on OS X if 'brew update && brew upgrade' hasn't
been ran and the machine rebooted. Attached at the bottom of this email[2]
is the full list of the formula that depend on OpenSSL for one reason or
another.

Cheers!
-Tim

---
Tim Heckman
Operations Engineer
PagerDuty, Inc.

[1] http://brew.sh/

[2]
bind
curl
curl
ejabberd...

ldd for OS X WAS:Auditing systems for vulnerable 3rd-party OpenSSL (Gabriel Brezi) Douglas Held (Apr 17)
Hi Gabriel,

In OS X there is no 'ldd' command. Instead, the synonym is:

#!/bin/bash
/usr/bin/otool -L "$1"

Also, I think you will find up to the latest OS X version (10.9.2 ?) the
bundled Openssl version is 0.9.8y. So, safe from Heartbleed unless the user
has installed a different openssl.

Doug
risk () douglasheld net

Re: Suspect arrested who used Heartbleed to infiltrate the Canada Revenue Agency (Our IRS) Joe Pierini (Apr 17)
"The CRA also declined to explain how it determined which SINs were
hacked, since Heartbleed intrusions are hard to detect.²

My guess is he was probably quite proud of himself and went and told the
agency. ³Hey you¹ve got Heartbleed, look at all the SIN¹s somebody can
get.² and then they promptly turned around and arrested him. He¹ll be
touted as the latest evil hacker and the CRA will bang on about how they
³detected and captured²...

Re: Suspect arrested who used Heartbleed to infiltrate the Canada Revenue Agency (Our IRS) Andrew Klaus (Apr 16)
I'm guessing he scripted to pull as many login/passes (or cookies) as
possible, then simply looped through them and grabbed the SIN data from the
web interface. Needing to "login" to each.

Indeed, what an idiot.

Re: Audit: don't only focus on heartbleed issue Reindl Harald (Apr 16)
Am 17.04.2014 01:06, schrieb Tim:

agreed, but was i meant was that the attack surface in a known, maintained
LAN is way lower than for Heartbleed where for sure straight after it
was made public zombie-botnets startet to randomly attack around the
web port 443, 993 and 995, pulling a unknown amount of data which mostly
is not analyzed now and will be used for all sorts of attacks, spamming
and so on if the found user credentials are not changed...

Re: Audit: don't only focus on heartbleed issue Tim (Apr 16)
I agree with you here. It seems that Lucky13 requires much more
access and is much harder to pull off in practice. Unless there's
new techniques out there that I haven't kept up on

This I think is a misconception, or at least overstated. Anyone on
the same network as you can MitM you. Anyone on the same network as
the remote end point can MitM you. For some reason in this day and
age people have all forgotten about ARP poisoning,...

Other Excellent Security Lists

Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.

Re: NMAP service detection for https before http Jesus Andres (Apr 17)
Hello,

I think you can not have http and https listening to the same tcp
port. What you could have is http and maybe then TLS to create an ssl
tunnel over the already stablished http connection and I'm not sure
about that.

Anyway I think you should try this.

Nmap -sSV -p 80,443 -n -Pn <target server>

You could use -vv for verbosity..

This will give you the service running on the standard http port
tcp/80 and on the standard https...

NMAP service detection for https before http cestmir . holub . ext (Apr 16)
Hello,
do you know how to make NMAP service detection for https (ssl/http) before http?
I have both protocols http and https on one port enable.
The nmap service detection discovered only http (probably first found known service), but I need to have https listed
and don't need the http information.
Thank you, C.Holub

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital...

OWASP ZAP 2.3.0 psiinon (Apr 11)
Hi folks,

OWASP ZAP 2.3.0 is now available :
http://code.google.com/p/zaproxy/wiki/Downloads?tm=2

Quick summary of the main changes:

* A ZAP 'lite' version in addition to the existing 'full' version
* View, intercept, manipulate, resend and fuzz client-side (browser) events
* Enhanced authentication support
* Support for non standard apps
* Input Vector scripts
* Scan policy - fine grained control
* Advanced Scan dialog
*...

c0c0n 2014 | The cy0ps c0n - Call For Papers & Call For Workshops c0c0n International Information Security Conference (Mar 24)
___ ___ ___ ___ __ _ _
/ _ \ / _ \ |__ \ / _ \/_ | || |
___| | | | ___| | | |_ __ ) | | | || | || |_
/ __| | | |/ __| | | | '_ \ / /| | | || |__ _|
| (__| |_| | (__| |_| | | | | / /_| |_| || | | |
\___|\___/ \___|\___/|_| |_| |____|\___/ |_| |_|
...

Shakacon 2014: Call for Papers - Deadline April 11th Shakacon (Mar 20)
==<Apologies for the cross posting but hope to see everyone at the
conference>==

----++++++++++++++++++++++++++++++++++++----
Shakacon VI - Honolulu, Hawaii

"Sun, Surf, and C Shells"

CALL FOR PAPERS

www.shakacon.org/CFP2014.html
----++++++++++++++++++++++++++++++++++++----

Who: Shakacon Crew
What: Shakacon VI
When: June 23-25 2014
Where: Honolulu, HI
Why: World Class...

Re: Metrics for Ethical Hack Vic Vandal (Mar 17)
Hi Monika,

There are tools that will run 20,000-30,000 multi-threaded string attacks on an entire crawled website within a couple
of hours. How fast can you type web requests and analyze web responses in comparison? (heh)

You also wrote "review code" in your message. If you're reviewing source code, how fast can you read and interpret
thousands and thousands of lines of code and compare it to say a dozen common coding...

Metrics for Ethical Hack mc (Mar 14)
Hi All
I am interested to know if there is any metric used to measure amount of
time it takes to manually review code vs. using a tool. Any opinion will be
appreciated.
Thanks
Monika Chakraborty

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how...

CarolinaCon-10 - May 2014 - FINAL ANNOUNCEMENT Vic Vandal (Mar 14)
CarolinaCon-10 will be held on May 16th-18th, 2014 in Raleigh NC. For the cheap price of your average movie admission
with popcorn and a drink ($20) YOU could get a full weekend of talks, hacks, contests, and parties.

We've selected as many presentations as we can fit into the lineup. Here they are, in no particular order:

- Bypassing EMET 4.1 - Jared DeMott
- Password Cracking for noobs - smrk3r
- AV Evasion with the Veil Framework -...

IMAP STARTTLS sniff tool bezrin (Mar 06)
Hi all.
We managed succesfully to sniff inside POP3S, SMTPS, IMAPS & HTTPS tunnels using arpspoof, iptables & sslsplit to make
MITM.
Now we want to sniff inside STARTTLS tunnels (specifically IMAP) but unfortunately sslsplit doesn't supports STARTTLS.
Is there/do you know another SSL/TLS tool supporting IMAP over STARTTLS to make MITM?

Many thanks
B.

------------------------------------------------------------------------...

Looking for reading material on incident management and response Pranav Lal (Mar 03)
Hi all,

I am going to be a part of the incident management team at my employer's.
The policies and procedures a are already in place. Most of my experience
has been in the attacker side of things. Can anyone suggest a set of books
that I can read to better understand defensive security? See the list below.

1. Computer Security Incident Handling
By Stephen Northcutt
2. Incident Response and Computer Forensics, Third Edition
by Chris...

Penetration Testing — While this list is intended for "professionals", participants frequenly disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.

OWASP ZAP 2.3.0 psiinon (Apr 10)
Hi folks,

OWASP ZAP 2.3.0 is now available :
http://code.google.com/p/zaproxy/wiki/Downloads?tm=2

Quick summary of the main changes:

* A ZAP 'lite' version in addition to the existing 'full' version
* View, intercept, manipulate, resend and fuzz client-side (browser) events
* Enhanced authentication support
* Support for non standard apps
* Input Vector scripts
* Scan policy - fine grained control
* Advanced Scan dialog
*...

c0c0n 2014 | The cy0ps c0n - Call For Papers & Call For Workshops c0c0n International Information Security Conference (Mar 24)
___ ___ ___ ___ __ _ _
/ _ \ / _ \ |__ \ / _ \/_ | || |
___| | | | ___| | | |_ __ ) | | | || | || |_
/ __| | | |/ __| | | | '_ \ / /| | | || |__ _|
| (__| |_| | (__| |_| | | | | / /_| |_| || | | |
\___|\___/ \___|\___/|_| |_| |____|\___/ |_| |_|
...

Shakacon 2014: Call for Papers - Deadline April 11th Shakacon (Mar 20)
==<Apologies for the cross posting but hope to see everyone at the
conference>==

----++++++++++++++++++++++++++++++++++++----
Shakacon VI - Honolulu, Hawaii

"Sun, Surf, and C Shells"

CALL FOR PAPERS

www.shakacon.org/CFP2014.html
----++++++++++++++++++++++++++++++++++++----

Who: Shakacon Crew
What: Shakacon VI
When: June 23-25 2014
Where: Honolulu, HI
Why: World Class...

SAP post exploitation Brian Milliron (Mar 14)
Recently I ran across some vulnerable AIX SAP servers on a test and
managed to get admin access on the Web GUI. However, I know very little
about SAP and was unable to leverage SAP admin to get access to the
Oracle DB (it uses a separate credential store) or root on the OS.
Looking through all the available commands for both the web interface
and the SAP telnet interface I didn't see much that looked useful or
interesting. If I find myself...

IMAP STARTTLS sniff tool Bob Ezrin (Mar 07)
Hi all.
We managed succesfully to sniff inside POP3S, SMTPS, IMAPS & HTTPS tunnels using:

arpspoof -r DEFAULT_GATEWAY -t VICTIM

iptables -t nat -A PREROUTING -p tcp --dport ORIGIN_PORT -j REDIRECT --to-port REDIRECT_PORT

sslsplit SOME_PARAMS ssl 0.0.0.0 REDIRECT_PORT

to make man-in-the-middle.

Now we want to sniff inside STARTTLS tunnels (specifically IMAP) but unfortunately sslsplit doesn't supports STARTTLS.
Here there is the...

IMAP STARTTLS sniff tool Bob Ezrin (Mar 07)
Hi all.
We managed succesfully to sniff inside POP3S, SMTPS, IMAPS & HTTPS tunnels using arpspoof, iptables & sslsplit to make
MITM.
Now we want to sniff inside STARTTLS tunnels (specifically IMAP) but unfortunately sslsplit doesn't supports STARTTLS.
Is there/do you know another SSL/TLS tool supporting IMAP over STARTTLS to make MITM?

Many thanks
B.

------------------------------------------------------------------------...

Info Security News — Carries news items (generally from mainstream sources) that relate to security.

Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.

OWASP ZAP 2.3.0 psiinon (Apr 10)
Hi folks,

OWASP ZAP 2.3.0 is now available :
http://code.google.com/p/zaproxy/wiki/Downloads?tm=2

Quick summary of the main changes:

* A ZAP 'lite' version in addition to the existing 'full' version
* View, intercept, manipulate, resend and fuzz client-side (browser) events
* Enhanced authentication support
* Support for non standard apps
* Input Vector scripts
* Scan policy - fine grained control
* Advanced Scan dialog
*...

Re: Web Application Vulnerability Categorization m () d m0nk (Apr 03)
Thank you guys - got the idea.

Re: Web Application Vulnerability Categorization Dave Ferguson (Apr 03)
In terms of OWASP Top Ten, yes - I would categorize it under Broken
Auth & Session Management.

Also, check out the OWASP cheat sheet on this topic for helpful
remediation advice.
https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet

Dave

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!...

Re: Web Application Vulnerability Categorization Seth Art (Apr 02)
m0nk,

This CWE fits pretty closely: CWE-640: Weak Password Recovery
Mechanism for Forgotten Password -
http://cwe.mitre.org/data/definitions/640.html

-Seth

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Web Application Vulnerability Categorization m () d m0nk (Apr 01)
Hello Team,

Greetings!!!.

I have a web app with a password recovery option. There is a secret
question and if the user enters the correct answer to the secret
question, the username and password is provided to the user.

If the password recover page / module allows multiple tries
(brute-force and no CAPTCHA or similar mechanism), can we categorize
this vulnerability under "Broken Authentication and Session
Management" or does this...

Administrivia: Excessive CC's Andrew van der Stock (Mar 15)
Hi there,

There's a really useful question that I've rejected (along with a
great answer) as the question has about one bazillion security lists
in the To list.

I'd love to publish more discussions here and revitalise the list, but
not by by accepting a massive DDoS mail loop in the making, or
requiring all the other list admins to agree with my moderation
policy.

So if you want to publish a question here, please go ahead, but...

Hacking in Schools Pete Herzog (Feb 25)
How to teach hacking in school and open up education:

https://opensource.com/education/14/2/teach-hacking-schools-open-education

Sincerely,
-pete.

Google XXE Vulnerability Mark Litchfield (Feb 22)
Hi All,

There was an XML external entity vulnerability within Googles Public
data explorer. This was submitted to Google as part of their Bug Bounty
Program.

For the full write up with screen shots -
http://www.securatary.com/vulnerabilities

44CON 2014 September 11th - 12th CFP Open Steve (Feb 21)
44CON is the UK's largest combined annual Security Conference and
Training event. Taking place on the 11th and 12th of September at the
ILEC Conference Centre near Earls Court, London, we will have a fully
dedicated conference facility, including catering, private bar and daily
Gin O’Clock break.
_ _
/_//_// / //\ / Goes | 11th - 12th September 2014
/ //_,/_// / Fourth | ILEC Conference Centre, London

-=-...

PHP wrapper question Mark Litchfield (Feb 19)
Reaching out for some help / ideas.

I have an XXE that works but when processing large files it fails

For example, the below attack will work sending to my instance of Netcat
the base64 encoded string of win.ini. A nice POC, but not exactly what
I am looking. (We are using base64 to ensure any line feeds are removed
or other data that would cause XML processing errors)

<!ENTITY % payload SYSTEM...

Shopify (Bug Bounty) - XML External Entity Vulnerability Mark Litchfield (Feb 17)
Shopify suffered from an XXE attack within their online stores domain -
*.myshopify.com

They were extremely quick in confirming and fixing the issue (even
though it was a Sunday).

Full details with the usual screen shots can be found at
http://www.securatary.com

OWASP Xenotix XSS Exploit Framework V5 Released Ajin Abraham (Feb 13)
Hello,
Happy Valentines day wishes. I am glad to inform that, OWASP
Xenotix XSS Exploit Framework V5 is Released.

OWASP Xenotix XSS Exploit Framework is an advanced Cross Site
Scripting (XSS) vulnerability detection and exploitation framework. It
provides Zero False Positive scan results with its unique Triple
Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is
claimed to have the world's 2nd largest XSS Payloads of...

Ebay, Inc Bug Bounty - GoStoreGo Administrative Authentication Bypass to all online stores Mark Litchfield (Feb 12)
This attack allowed for a cross store (so essentially unauthenticated,
as we have not authenticated to our target store) privilege escalation
attack creating an administrative user on any *.gostorego.com store.

As indicated by their own website, there are over 200,000 active
stores.This attack allows access to 200,000 x Customers x data = Y.Due
to the nature of the attack, it would trivial to automate an attack that
would give us an...

International Journal of Distributed Sensor Networks (IF 0.727): Special Issue on Research Advances in Security and Privacy for Smart Cities Georgios Kambourakis (Feb 10)
[My apologies if you receive multiple copies of this message.]

Call for articles for International Journal of Distributed Sensor
Networks (IF 0.727)

Special Issue on
Research Advances in Security and Privacy for Smart Cities

http://www.hindawi.com/journals/ijdsn/si/239803/cfp/

Security for smart cities is considered to embrace both urban security
subsystems and infrastructure security ones. So, while urban security
and privacy are mostly...

Damn Vulnerable IOS App v1.0 launched Prateek Gianchandani (Feb 05)
Hi All,

It gives me great pleasure to announce v1.0 of Damn Vulnerable IOS =

Application http://damnvulnerableiosapp.com

Damn Vulnerable IOS App (DVIA) is an IOS application that is damn =

vulnerable. Its main goal is to provide a platform to mobile security =

enthusiasts/professionals or students to test their IOS penetration =

testing skills in a legal environment. This application covers all the =

common vulnerabilities found in IOS...

Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

Re: A summary of all the RSA Keynotes and the future we have to beat. Dominique Brezinski (Apr 18)
There is a way through the sticky issues you bring up. El Jefe is a right
approach, but only part of it. There are certain inalienable observables,
such as processes and their attributes, that an attacker can influence but
not completely avoid. If you pick correlating observables from different
observation points that don't have correlated failure from an attack, then
you are selecting good data sources for your analytics. Having talked to a...

VisualSploit 2.0 Dave Aitel (Apr 17)
http://immunityservices.blogspot.com/2014/04/unethical-hacking-training-available-at.html

I wanted to point out the above blog post - I'm a huge believer in
modern educational techniques and advantages (Khan Academy, etc.) and
the fact is that online "training" has really ruined the reputation that
modern computer assisted learning should have.

Above you can see a few screenshots that demonstrate the advantage a
custom web...

A summary of all the RSA Keynotes and the future we have to beat. Dave Aitel (Apr 16)
Links you should hit first:
http://immunityproducts.blogspot.com/2014/04/revamping-el-jefe.html
http://www.rsaconference.com/videos/122/stop-looking-for-the-silver-bullet-start-thinking

One thing I noticed from watching all of the RSA keynotes is that they
all said the exact same things, often in the same words. For example, in
the HP keynote (above) you'll see the threads of "We're getting
outmatched" with we need to move to...

BJJ AT INFILTRATE 2014 Dave Aitel (Apr 14)
As you can see from the schedule
<http://www.infiltratecon.com/schedule.html> INFILTRATE is once again
having a friendly BJJ area. The plan is to keep it much the same as last
year, which is largely unstructured and a lot of fun.

FAQ as follows:
Q: Will Cyborg show up to throw Jeremiah around like a sack of twigs?
A: Unsure.

Q: Will Sean Heelan once again armbar me about 5 times in a row while
conducting an impromptu lecture on the...

NotSoSecure CTF Sumit Siddharth (Apr 11)
Hello all,

Just a gentle reminder; the next NotSoSecure CTF is scheduled for next week
(April 18-20th) 2014. Registration page and more details can be found here:

http://ctf.notsosecure.com/

Thanks

Sid

NotSoSecure

<http://www.notsosecure.com/> www.notsosecure.com

Innuendo Demo #1 Dave Aitel (Apr 11)
http://vimeo.com/91647732

This little movie shows a couple of the features in INNUENDO that I like
- although it probably does not emphasize enough the difference in
thinking that you have to do with INNUENDO as compared to other
commercial tools.

Still, it's a start. :>

-dave

Re: Nobody but us. Alfonso De Gregorio (Apr 09)
...

If the NOBUS appetite is high, it is possible to combine up even more
techniques.

Two more kingdoms and the associated phyla -- à la carte.

8. Detection difficulty only we will bother with / Components only we
can tamper with (e.g., implementing hardware Trojans below the gate
level by changing in the dopant polarity of existing transistors).

9. Information only we have access to (e.g., a virus using a
cryptocounter to trigger an...

Nobody but us. Dave Aitel (Apr 09)
I spent some time talking to various people lately about the concept of
"Nobody but us" (NOBUS) especially now that the DUAL_EC algorithm is
being researched more closely. People got confused because the papers
that came out didn't really stress that the "attacks" against Dual_EC
were in the case where they first corrupted it by replacing the magic
constants in the spec with their own.

So here's a list of seven ways...

Re: Some slides for a keynote Dave Aitel (Apr 09)
The goal of the next set of internet malware may very well be to enable
the kind of involuntary transparency that is so obviously powerful in
this day and age. All you really have to do is have your implant collect
anything that might be interesting along with some metadata, encrypt it
to your private key and then deposit these files all over the network
with a little header that says "Upload this file using Tor to...

Re: Some slides for a keynote Vitaly Osipov (Apr 09)
Here are some quotes about goals from a rather randomly selected, but
very fitting, psychology paper
(http://www.psych.nyu.edu/gollwitzer/99Goll_ImpInt.pdf):

"...it matters how people frame their good intentions or goals. For
instance, better performances are observed when people set themselves
challenging, specific goals as compared with challenging but vague
goals (so-called "do your best" goals). "

"This...

speech dan (Apr 08)
Perhaps of relevance here.

APT in a World of Rising Interdependence
invited address, NSA, 26 March 2014
http://geer.tinho.net/geer.nsa.26iii14.txt

--dan

Re: Some slides for a keynote Michal Zalewski (Apr 08)
Interesting. I have argued in favor of this position when it comes to
vulnerability research: people like to paint their motivations in a
variety of ways, but most of the actions they take are best explained
by just wanting to see the world acknowledge your skills. Being in the
headlines or in the limelight at a major conference can give you quite
a powerful fix. And because most journalists struggle to tell good
research from bad one, it also...

Some slides for a keynote Richard Thieme (Apr 08)
great insights, as expected, and not merely "speculative." to add to
the theme, there are other reasons for the addictive behaviors too. I
recently read "Addiction By Design: Machine Gambling in Las Vegas" by
Natasha Dow Schull and it details in granular fashion the evolution of
slot machines as they have been designed to induce a trance, keep the
gambler in the seat, and reinforce behaviors by all sorts of means,...

Some slides for a keynote Halvar Flake (Apr 08)
Hey all,

on Dave's recommendation, here are some slides from a keynote I gave today at ISACA Nordic Security.
It is non-technical (as keynotes are prone to be), and full of vague speculation. Perhaps someone will
find the slides entertaining/useful/insightful:

https://docs.google.com/presentation/d/1Sv8IHkBtBEXjSW7WktEYg4EbAUHtVyXIZBrAGD3WR5Y/edit#slide=id.p

Cheers,
Halvar

Re: Shady headlines brian krebs (Apr 07)
Dave, you're entitled to your opinion, of course, which seems to be that
this is all overblown and the result of bloggers/reporters going for
sensational headlines and stories. I think that future reporting on this
(at least on my part) will show in a very concrete way that this negatively
affected a large number of people.

If you're interested in reading a fact-checked version of Experian's
talking points on this subject, please...

PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.

Re: [Security Weekly] Audit a WAF RAMELLA Sébastien (Apr 09)
Thanks all,

In my case the WAF is a blackbox, so, before starting I try to evaluate the possibilities...
My customer have web application with WAF protected and I need audited website.

My first approach was to evaluated the WAF in order to have a starting line.
I started with a frame analyzer and good old basic concept and finally I have scripted for obtain an basic whitelist.

I now seeking the way to operated with what I found but is realy...

Re: [Security Weekly] Audit a WAF Chris Campbell (Apr 08)
Are you auditing the WAF and all the associated issues (logging, alerting, signature updates, policy updates etc.) or
are you auditing the WAF policy and the application coverage that it provides?

If it's the latter, and the WAF policy is black box, then I like to see a vuln. assessment done with and without WAF
coverage to see what the difference is. If the policy is available to you then you should be looking for
whitelist/blacklist...

[Security Weekly] Security Hype Pete Herzog (Apr 08)
Hi,

I wrote a new article about security hype to launch a campaign against
the watering down of security through product placement. I'm sure many
of you feel this same way. So here it is:

http://www.tripwire.com/state-of-security/featured/security-meaning-hype/

Sincerely,
-pete.

Re: [Security Weekly] Audit a WAF TAS (Apr 08)
Hi,

Quick things that come to my mind are

1. Read the manual of the WAF you are reviewing. It will give you a
hint of what all does that model offer and what should be your area of
focus when reviewing the WAF
2. Check what mode is the WAF running in is it blocking or inline mode.
3. What policies are configured on the WAF.
4. Check if they have made any custom policies?
5. Check what kind of alerts are there on the WAF?
6. Check how is the...

Re: [Security Weekly] Audit a WAF David Maynor (Apr 08)
Auditing a WAF isn't hard it just requires know the content the WAF is
protecting and different ways it can be encoded/obfuscated. Most web
auditing tools like Burp Suite,w3af,nikto, or skipfish can be configured to
audit WAFs. Most vulnerabilities you find will come from a gap in what the
content can do and what the WAF developer has chosen to cover. The most
basic example is encoding a char like ' that can be used in SQL Injection...

[Security Weekly] Building a Decoder for the CVE-2014-0502 Shellcode Andrew Case (Apr 08)
Hello All,

I have published a new blog post analyzing the encrypted shellcode from
the main CVE-2014-0502 attack:

http://volatility-labs.blogspot.com/2014/04/building-decoder-for-cve-2014-0502.html

It goes through some functionality of the malicious Flash file followed
by analysis of the shellcode used within the encrypted GIF.

This attack's particular use of a malicious Flash file along with an
"encrypted" GIF shows some of...

[Security Weekly] Audit a WAF RAMELLA Sébastien (Apr 08)
Hello,
I read several articles about WAF. Mainly methods of bypass.
Several papers were retained my attention, he was referred to a fuzzer like tool called "Waffun".

I would like to assess the WAF through a company internal project.

Anyone can share this tool or just inform me, tips, tools similar ... or best practice for evaluate WAF.
Thanks in advance.

RAMELLA Sébastien
Intégrateur systèmes et réseaux / Consultant en...

Re: [Security Weekly] Helping users encrypt xgermx (Apr 08)
You might find some use out of this site, if you're not already familiar
with it:
https://prism-break.org/en/categories/windows/

On Wed, Mar 19, 2014 at 11:55 PM, Brian Milliron <Brian () ecrsecurity com>wrote:

Re: [Security Weekly] Helping users encrypt Robin Wood (Apr 08)
No full disk encryption recommendations?

Robin

[Security Weekly] Where do you get your exploit digest Jamil Ben Alluch (Mar 31)
Hello,

I was wondering where everyone gets their exploit digest.

I use exploit-db and packetstorm regularly to check for exploits and
vulnerabilities, I was curious if there are any other reliable sources
where you can find known exploits as well as zero-days.

Do you follow any specific twitter accounts or blogs that keep you
constantly updated?

Best Regards,

*--*
*Jamil Ben Alluch, ing. jr, GCIH*

*Information Technology & Security...

[Security Weekly] Helping users encrypt Brian Milliron (Mar 31)
Hi all, I've put together a how-to aimed at regular users who are
concerned about online privacy and want to setup and use encryption on a
regular basis. Encryption loves company after all. When only IT geeks
use encryption, it's really not much use at all. So I tried to make
something accessible for all the Aunt Sally's of the world.

http://www.expertcomputerrepair.com/privacy.html

I'd be interested in any feedback...

[Security Weekly] monitoring google index George Moore (Mar 12)
Greetings,
Indiana University recently disclosed a breach where SSN among other things appeared on search engines such as google.

I was wondering if anyone had a recommendation on how to monitor search engine indexes. Ideally I would like email when
new pages appear for a queries like:

site:mydomain.com FTP
site:mydomain.com ssn
site:mydomain.com filetype:xls password

I recall google alerts doing this years ago but it looks like they took...

Re: [Security Weekly] Computer inventory software Tyler Robinson (Mar 10)
We have used metalan from hammersoftware its pretty good, we also have
spent a lot of time for several clients using spiceworks the community and
dev on it keeps getting better and supports multiple remote sites now so
its getting to be really applicable.

Re: [Security Weekly] Re-Branding Daniel Jorge (Mar 10)
Hey guys,

I've been working on an Android app to exchange secure SMS.
If you can, try it out!

Here the link for the Google Play store page:
https://play.google.com/store/apps/details?id=pt.danielf.ssmsafe

Daniel

2014-01-22 16:23 GMT+00:00 Robin Wood <robin () digininja org>:

Re: [Security Weekly] Computer inventory software Tim Krabec (Mar 08)
Looks cool

Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.

Microsoft Security Bulletin Minor Revisions Microsoft (Apr 17)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: April 17, 2014
********************************************************************

Summary
=======
The following bulletins have undergone minor revision increments.
Please see the bulletins for more details.

* MS14-018

Bulletin Information:
=====================

* MS14-018 - Critical

-...

Hello, we miss you! Re-subscribe to receive the latest IT news from Microsoft Microsoft (Apr 15)
We miss you! Re-subscribe to receive the latest IT news from Microsoft Prefer
to read this online?
http://view.email.microsoftemail.com/?j=fe9816787667047c73&m=fe6015707361017c7212&ls=fe30157570640079711676&l=fec21c767365017e&s=fe281071756d007e7c1174&jb=ff68107375&ju=

Click here .

http://www.microsoft.com/click/services/Redirect2.ashx?CR_CC=200382652&CR_EAC=300155619

There's
never been a more exciting...

Microsoft Security Bulletin Summary for April 2014 Microsoft (Apr 08)
********************************************************************
Microsoft Security Bulletin Summary for April 2014
Issued: April 8, 2014
********************************************************************

This bulletin summary lists security bulletins released for
April 2014.

The full version of the Microsoft Security Bulletin Summary for
April 2014 can be found at
https://technet.microsoft.com/security/bulletin/ms14-apr.

With the...

Microsoft Security Advisory Notification Microsoft (Apr 08)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: April 8, 2014
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (2755801)
- Title: Update for Vulnerabilities in Adobe Flash Player
in Internet Explorer
-...

Microsoft Security Bulletin Advance Notification for April 2014 Microsoft (Apr 03)
********************************************************************
Microsoft Security Bulletin Advance Notification for April 2014
Issued: April 3, 2014
********************************************************************

This is an advance notification of security bulletins that
Microsoft is intending to release on April 8, 2014.

The full version of the Microsoft Security Bulletin Advance
Notification for April 2014 can be found at...

Microsoft Security Advisory Notification Microsoft (Mar 27)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: March 27, 2014
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (2953095)
- Title: Vulnerability in Microsoft Word Could Allow Remote Code
Execution
-...

Microsoft Security Advisory Notification Microsoft (Mar 24)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: March 24, 2014
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (2953095)
- Title: Vulnerability in Microsoft Word Could Allow Remote Code
Execution
-...

Microsoft Security Bulletin Minor Revisions Microsoft (Mar 20)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: March 20, 2014
********************************************************************

Summary
=======
The following bulletins have undergone minor revision increments.
Please see the bulletins for more details.

* MS14-016

Bulletin Information:
=====================

* MS14-016 - Important

-...

Microsoft Security Advisory Notification Microsoft (Mar 11)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: March 11, 2014
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (2755801)
- Title: Update for Vulnerabilities in Adobe Flash Player
in Internet Explorer
-...

Microsoft Security Bulletin Summary for March 2014 Microsoft (Mar 11)
********************************************************************
Microsoft Security Bulletin Summary for March 2014
Issued: March 11, 2014
********************************************************************

This bulletin summary lists security bulletins released for
March 2014.

The full version of the Microsoft Security Bulletin Summary for
March 2014 can be found at
https://technet.microsoft.com/security/bulletin/ms14-mar.

With the...

Microsoft Security Bulletin Advance Notification for March 2014 Microsoft (Mar 06)
********************************************************************
Microsoft Security Bulletin Advance Notification for March 2014
Issued: March 6, 2014
********************************************************************

This is an advance notification of security bulletins that
Microsoft is intending to release on March 11, 2014.

The full version of the Microsoft Security Bulletin Advance
Notification for March 2014 can be found at...

Microsoft Security Advisory Notification Microsoft (Feb 28)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: February 28, 2014
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (2862152)
- Title: Vulnerability in DirectAccess and IPsec Could Allow
Security Feature Bypass
-...

Microsoft Security Bulletin Minor Revisions Microsoft (Feb 28)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: February 28, 2014
********************************************************************

Summary
=======
The following bulletins have undergone minor revision increments.
Please see the bulletins for more details.

* MS13-090
* MS13-095
* MS13-098
* MS14-005
* MS14-007
* MS14-009

Bulletin Information:...

Microsoft Security Advisory Notification Microsoft (Feb 27)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: February 27, 2014
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (2871690)
- Title: Update to Revoke Non-compliant UEFI Modules
-...

Microsoft Security Advisory Notification Microsoft (Feb 20)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: February 20, 2014
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (2755801)
- Title: Update for Vulnerabilities in Adobe Flash Player in
Internet Explorer
-...

Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community

Heartbleed password change message Rob, grandpa of Ryan, Trevor, Devon & Hannah (Apr 12)
I'm waiting for a flood of "change your password" phishing scams, and I'm
surprised that I've seen relatively little so far. But warning people about this would
be a good thing to emphasize.

I have received what appears to be a legitimate warning from Pinterest, which
includes a link to change the password. I guess Pinterest has not been listening to
all of our "don't include password change links in...

Heartbleed password reset recommendations by site Rob, grandpa of Ryan, Trevor, Devon & Hannah (Apr 11)
http://happyplace.someecards.com/30541/the-heartbleed-bug-which-sites-you-
should-change-your-passwords-for-and-how-to-panic

(I particularly liked LinkeDin ...)

====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
The object-oriented model makes it easy to build up programs by
accretion. What this often means, in practise, is that it
provides a...

xkcd explains Heartbleed Rich Kulawiec (Apr 11)
This might be the best explanation I've seen yet:

https://xkcd.com/1354/

-R

Dictionary of Information Security - part 2 Rob, grandpa of Ryan, Trevor, Devon & Hannah (Apr 10)
You may want to be just a wee bit careful about checking out the book file: the
domain name is registered in Russia:

Registrant Name:John Bookza
Registrant Organization:bookza
Registrant Street: Tipanova 29-405
Registrant City:Saint-Petersburg
Registrant State/Province:Saint-Petersburg
Registrant Postal Code:453300
Registrant Country:RU
Registrant Phone:+7.9500212458
Registrant Email:bookosmail1 () gmail com

====================== (quote...

The Dictionary of Information Security Rob, grandpa of Ryan, Trevor, Devon & Hannah (Apr 10)
Because they wouldn't update it, a couple of years ago I got the copyright to the
Dictionary of Information Security.

I have a bunch of notes, and a verison with at least 30% more material in it, but I
haven't yet gotten around to finishing the update.

However, in the meantime, somebody seems to have posted the original version
on the Web. I'm really not sure what the legal status is, but I hold the copyright,
and I...

Crime in Canda Rob, grandpa of Ryan, Trevor, Devon & Hannah (Apr 04)
http://www.theglobeandmail.com/news/national/stolen-tractor-halted-in-low-speed-
chase-in-rural-alberta/article17821873

or

http://t.co/kSDIzkRRIx

Jewels, snow, tractors, snowmobiles, and even a Rhino.

(Meanwhile, in Georgia, they passed a law saying everyone could carry guns
everywhere, and nobody could check on who is allowed to.)

====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria...

Supervolcano eruption imminent! Rob, grandpa of Ryan, Trevor, Devon & Hannah (Apr 03)
http://www.politicalears.com/blog/yellowstone-animals-fleeing-park-supervolcano-
eruption-imminent

Run for your lives!

(This message brought to you by the Chicken Little Institute for Geologic Studies)

(I figured it might have been a leftover April Fools posting, but it doesn't appear
so.)

(However, if Yellowstone *does* erupt, I warned you guys!)

====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca...

Too Long; Don't Read Rob, grandpa of Ryan, Trevor, Devon & Hannah (Apr 03)
Just comment on this without knowing what it's about:

http://www.lamebook.com/nprs-epic-april-fools-day-prank/nprs-epic-april-fools-
day-prank/

(Most people do anyway ...)

====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
I just wanna talk to you about a word we don't hear much anymore.
Sacrifice. It's not what I would call a...

Re: Has anyone had this day: Paul Ferguson (Apr 03)
I have been in that meeting many, many times. :-)

- ferg

Has anyone had this day: Ben April (Apr 03)
https://www.youtube.com/watch?v=BKorP55Aqvg

Re: Fallout from leak prosecution prompts Microsoft promise to stop snooping Rich Kulawiec (Mar 31)
On Sat, Mar 29, 2014 at 09:07:38PM -0400, Jeffrey Walton quoted:

a) See Ferg's comments.

b) Note that this leaves the door wide open to comb through users' email
for other reasons.

c) Even if they said "we promise not to comb through users' email period
full stop no qualifiers ever honest really for sure this time" there's
no possible way that they can make good on that promise.

Why? Surely nobody here thinks...

Clean reviews preceded Target's data breach, and others Jeffrey Walton (Mar 31)
[Oddly, Trustwave denies being an outsource for Target:
https://www.trustwave.com/Trustwave-Announcement/].

http://www.startribune.com/business/252963011.html

Trustwave Holdings gave Target Corp. the green light on payment card
security last September, just weeks before malware installed on the
retailer’s networks began sucking up customer information in a mega
data heist.

It’s a rough position for a company that built its brand reputation...

Re: Fallout from leak prosecution prompts Microsoft promise to stop snooping Paul Ferguson (Mar 30)
Too little, too late.

If they hadn't been caught publicly violating this journalist's
privacy, would they have been so (public) quick to change their "tactics"?

Also: "If you are not paying for a product, you *are* the product."

Free webmail is simply a stellar example of this maxim.

- ferg

Fallout from leak prosecution prompts Microsoft promise to stop snooping Jeffrey Walton (Mar 30)
http://www.seattlepi.com/local/article/Fallout-from-leak-prosecution-prompts-Microsoft-5358047.php

A former Microsoft Corp. worker accused of leaking Windows 8 to a
blogger appears poised to cut a plea deal as Microsoft swears off the
investigative techniques it used to catch him.

As first reported here, federal prosecutors in Seattle claim software
architect Alex Kibkalo stole Microsoft trade secrets while working for
the company....

Trust and intelligence Rob, grandpa of Ryan, Trevor, Devon & Hannah (Mar 28)
http://www.plosone.org/article/info%3Adoi%2F10.1371%2Fjournal.pone.0091786
(or https://www.schneier.com/blog/archives/2014/03/smarter_people_.html )

In other news, Rob Ford, Stephen Harper, Vladimir Putin, and Das Furby
apparently don't trust anyone ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
Being a geek is all about your own...

CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.

Alert - Upcoming Mail Delivery Changes US-CERT Alerts (May 10)
National Cyber Awareness System
US-CERT Alert - Upcoming Mail Delivery Changes

Thank you for being a subscriber to our US-CERT Alerts product. We
are striving to keep our capabilities at the leading edge of
communication. You may have noticed we've redesigned and upgraded our
website recently and as a part of that process, on May 14th, we are
migrating to GovDelivery as our email subscription service. As a
current subscriber you will...

Current Activity - Upcoming Mail Delivery Changes Current Activity (May 10)
National Cyber Awareness System

Thank you for being a subscriber to our US-CERT Current Activity
product. We are striving to keep our capabilities at the leading edge
of communication. You may have noticed we've redesigned and upgraded
our website recently and as a part of that process, on May 14th, we
are migrating to GovDelivery as our email subscription service. As a
current subscriber you will need to do nothing. You will notice a...

Current Activity - Microsoft Releases Advance Notification for May 2013 Security Bulletin Current Activity (May 09)
National Cyber Awareness System
Microsoft Releases Advance Notification for May 2013 Security Bulletin

Original release date: May 09, 2013

Microsoft has issued a Security Bulletin Advanced Notification
indicating that its May release will contain 10 bulletins. These
bulletins will have the severity rating of critical and important and
will be for Microsoft Windows, Office, Internet Explorer, .NET
Framework, Lync, and Windows Essentials. These...

Current Activity - Adobe Releases Security Advisory for ColdFusion Current Activity (May 09)
National Cyber Awareness System
Adobe Releases Security Advisory for ColdFusion

Original release date: May 09, 2013

Adobe has identified a critical vulnerability affecting ColdFusion 10,
9.0.2, 9.0.1, 9.0, and earlier versions for Windows, Macintosh, and
UNIX. This vulnerability (CVE-2013-3336) could permit an unauthorized
user to remotely retrieve files stored on a server. There are reports
that an exploit of this vulnerability is publicly...

Current Activity - Microsoft Releases Security Advisory for Internet Explorer Current Activity (May 07)
National Cyber Awareness System
Microsoft Releases Security Advisory for Internet Explorer

Original release date: May 07, 2013

Microsoft is investigating public reports of a remote code execution
vulnerability in Internet Explorer 8 and is aware of attacks that
attempt to exploit this vulnerability. This vulnerability may allow an
attacker to execute arbitrary code if a user accesses a specially
crafted website. Microsoft is actively working...

Current Activity - Cisco Releases Security Advisories Current Activity (Apr 25)
National Cyber Awareness System
Cisco Releases Security Advisories

Original release date: April 25, 2013

Cisco has released three security advisories to address vulnerabilities
affecting Cisco NX-OS-based products, Cisco Device Manager, and Cisco
Unified Computing System. These vulnerabilities may allow an attacker to
bypass authentication controls, execute arbitrary code, obtain sensitive
information, or cause a denial-of-service condition....

Current Activity - Apple Releases Security Updates for Safari Current Activity (Apr 18)
National Cyber Awareness System
Apple Releases Security Updates for Safari

Original release date: April 18, 2013

Apple has released security updates for Safari 6.0.4 WebKit to address
multiple vulnerabilities. These vulnerabilities could allow a remote
attacker to execute arbitrary code or cause a denial-of-service
condition.

Safari 6.0.4 WebKit updates are available for the following versions:
* OS X Lion v10.7.5
* OS X Lion Server v10.7.5...

Alert TA13-107A: Oracle has released multiple updates for Java SE US-CERT Alerts (Apr 18)
National Cyber Awareness System
TA13-107A: Oracle has released multiple updates for Java SE

Original release date: April 17, 2013

Systems Affected

* JDK and JRE 7 Update 17 and earlier
* JDK and JRE 6 Update 43 and earlier
* JDK and JRE 5.0 Update 41 and earlier
* JavaFX 2.2.7 and earlier

Overview

Oracle has released a Critical Patch Update (CPU) for Java SE. Oracle
strongly recommends that customers apply CPU fixes as soon as possible....

Current Activity - Scams Exploiting Boston Marathon Explosion Current Activity (Apr 17)
National Cyber Awareness System
Scams Exploiting Boston Marathon Explosion

Original release date: April 17, 2013

Malicious actors are exploiting the April 15 explosions at the Boston
Marathon in attempts to collect money intended for charities and to
spread malicious code. Fake websites and social networking accounts have
been set up to take advantage of those interested in learning more
details about the explosions or looking to contribute to...

Current Activity - Malicious Actors May Take Advantage of Boston Marathon Explosion Current Activity (Apr 17)
National Cyber Awareness System
Malicious Actors May Take Advantage of Boston Marathon Explosion

Original release date: April 17, 2013

Historically, scammers, spammers, and other malicious actors capitalize
on major news events by registering domain names related to the events.
Malicious actors may attempt to exploit the April 15, 2013 explosions at
the Boston Marathon in this way. Some may use fake domains to take
advantage of those interested...

Current Activity - Oracle Releases April 2013 Security Advisory Current Activity (Apr 17)
National Cyber Awareness System
Oracle Releases April 2013 Security Advisory

Original release date: April 17, 2013

Oracle has released its Critical Patch Update for April 2013 to address
128 vulnerabilities across multiple products. This update contains the
following security fixes:
* 4 for Oracle Database Server
* 29 for Oracle Fusion Middleware
* 6 for Oracle E-Business Suite
* 3 for Oracle Supply Chain Products Suite
* 11 for Oracle...

Current Activity - WordPress Sites Targeted by Mass Brute-force Botnet Attack Current Activity (Apr 15)
National Cyber Awareness System
WordPress Sites Targeted by Mass Brute-force Botnet Attack

Original release date: April 15, 2013

US-CERT is aware of an ongoing campaign targeting the content management
software WordPress, a free and open source blogging tool and web
publishing platform based on PHP and MySQL. All hosting providers
offering WordPress for web content management are potentially targets.
Hackers reportedly are utilizing over 90,000...

Current Activity - Microsoft Releases April 2013 Security Bulletin Current Activity (Apr 09)
National Cyber Awareness System
Microsoft Releases April 2013 Security Bulletin

Original release date: April 04, 2013 | Last revised: April 09, 2013

Microsoft has released updates to address vulnerabilities in Microsoft
Windows, Office, Internet Explorer, Server Software, and Security
Software as part of the Microsoft Security Bulletin summary for April
2013. These vulnerabilities could allow remote code execution, elevation
of privilege,...

Current Activity - Microsoft Releases Advance Notification for April 2013 Security Bulletin Current Activity (Apr 04)
National Cyber Awareness System
Microsoft Releases Advance Notification for April 2013 Security Bulletin

Original release date: April 04, 2013

Microsoft has issued a Security Bulletin Advance Notification indicating
that its April release will contain nine bulletins. These bulletins will
have the severity rating of critical and important and will be for
Microsoft Windows, Office, Internet Explorer, Server Software, and
Security Software. These...

Current Activity - Mozilla Releases Multiple Updates Current Activity (Apr 03)
National Cyber Awareness System
Mozilla Releases Multiple Updates

Original release date: April 03, 2013

The Mozilla Foundation has released updates to address multiple
vulnerabilities. These vulnerabilities could allow an attacker to
initiate a cross-site scripting attack or obtain sensitive information,
enable privilege escalation or execute arbitrary code, or cause a
denial-of-service condition.

Updates to the following products are...

Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community

Re: CVE request: insecure temporary file handling in clang's scan-build utility cve-assign (Apr 19)
Use CVE-2014-2893.

[ other notes:

This doesn't seem to be independently exploitable.

Using default permissions is not necessarily wrong, from a CVE
perspective, in all development environments. See the
http://openwall.com/lists/oss-security/2014/03/09/1 post. In any case,
we're not currently making a separate CVE assignment for the
permissions issue. ]

CVE request / advisory: gdomap (GNUstep core package <= 1.24.6) Matthew Daley (Apr 19)
Hi,

I'd like to request a CVE ID for this issue. It was found in software
from GNUstep (www.gnustep.org), which develop an open-source
development framework and runtime for client and server applications.

This is the first such request and the issue is (now) public; this
message serves as an advisory as well.

Affected software: gdomap (GNUstep Distributed Objects nameserver)
Description: After receiving a crafted invalid request, gdomap...

Re: libmms heap-based buffer overflow fix cve-assign (Apr 18)
Use CVE-2014-2892.

Re: CVE Request - XXS in phpMyID (openid_error) cve-assign (Apr 18)
Use CVE-2014-2890.

Re: Request for linux-distros list membership Kurt Seifried (Apr 18)
Well one comment/question on your advisories:

https://qlustar.com/news/qsa-0131142-security-bundle

Package(s) : see upstream description of individual package
Affected versions: All versions prior to this update
Vulnerability : see upstream description of individual package
Problem type : see upstream description of individual package
Qlustar-specific : no
CVE Id(s) : see upstream description of individual package

Except...

CVE Request for Drupal Core Forest Monsen (Apr 18)
Hi there,

Please issue a CVE identifier for:

SA-CORE-2014-002 - Drupal core - Information Disclosure
https://drupal.org/SA-CORE-2014-002

Thanks!

Best,
Forest

Re: Request for linux-distros list membership rf (Apr 18)
Anthony> On 04/09/14 23:25, Solar Designer wrote:
>> On Wed, Apr 09, 2014 at 11:57:33PM -0600, Kurt Seifried wrote:
>>> So first off I'm inclined to have Amazon on the distros list
>>> (same reasons as Oracle basically).
>>>
>>> My only concern is are you the correct person, I have no clue
>>> who is on the Amazon security team for their Linux distribution,...

Re: Request for linux-distros list membership Anthony Liguori (Apr 18)
Ping. Apologies if this is being discussed in private but I just wanted
to make sure it wasn't forgotten. I believe we have provided all of the
information requested.

Regards,

Anthony Liguori

Re: CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution Reed Loden (Apr 18)
See the original advisory
(http://seclists.org/fulldisclosure/2014/Apr/240), which calls bash
command substitutions out as being handled already.

Specifically:

""""
The code is also making sure that arguments do not contain bash command
substitution i.e. $(ps aux)

if(strstr(macro_argv[x],"$(")) {
syslog(LOG_ERR,"Error: Request contained a bash command
substitution!"); return ERROR;...

Re: CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution John Haxby (Apr 18)
And ‘$’ you have ` but you don’t guard against $(do something unpleasant).

jch

Re: CVE request Linux kernel: arch: x86: net: bpf_jit: an off-by-one bug in x86_64 cond jump target cve-assign (Apr 18)
Use CVE-2014-2889.

Re: CVE request Qemu: out of bounds buffer access, guest triggerable via IDE SMART cve-assign (Apr 18)
Use CVE-2014-2894.

Re: Remote Command Injection in Ruby Gem sfpagent 0.4.14 cve-assign (Apr 18)
Use CVE-2014-2888.

Re: CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution gremlin (Apr 18)
> Details: http://seclists.org/fulldisclosure/2014/Apr/240
> Fix:

> --- nrpe/src/nrpe.c
> +++ nrpe/src/nrpe.c
> -#define NASTY_METACHARS "|`&><'\"\\[]{};"
> +#define NASTY_METACHARS "|`&><'\"\\[]{};\n"

Adding \r here may be a good idea as well...

Re: CVE ids for CyaSSL 2.9.4? cve-assign (Apr 18)
Use CVE-2014-2896.

Use CVE-2014-2897.

Use CVE-2014-2898.

Use CVE-2014-2899.

Use CVE-2014-2900.

[Note that these last four CVE IDs are not for issues fixed in
2.9.4.]

Use CVE-2014-2901.

Use CVE-2014-2902.

Use CVE-2014-2903.

Use CVE-2014-2904.

("Intermediate CA not authorized to issue further intermediate CA
certificates, but followed in the chain by an intermediate CA
certificate ... followed by a leaf CA certificate," also...

Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.

WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS - Call for Participation Larry Koved (Apr 15)
http://w2spconf.com/2014/

WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS

IMPORTANT DATES

Workshop date: Sunday, May 18, 2014

W2SP brings together researchers, practitioners, web programmers, policy
makers, and others interested in the latest understanding and advances in
the security and privacy of the web, browsers, cloud, mobile and their
eco-system. We have had seven years of successful W2SP workshops. This
year, we will...

CFP: Mobile Security Technologies (MoST) 2014 - Call for Participation Larry Koved (Apr 15)
http://mostconf.org/2014/cfp.html

Mobile Security Technologies (MoST) 2014

Saturday May 17, 2014

co-located with
The 34th IEEE Symposium on Security and Privacy (IEEE S&P 2014)
an event of
The IEEE Computer Society's Security and Privacy Workshops (SPW 2014)

Mobile Security Technologies (MoST) brings together researchers,
practitioners, policy makers, and hardware and software developers of
mobile systems to explore the...

Silver Bullet 96: Nate Fick, CEO of Endgame (and combat veteran) Gary McGraw (Apr 04)
hi sc-l,

Nate Fick is an interesting man. He has a classics degree from Dartmouth, where he is now a Trustee. He served combat
tours in Afghanistan and Iraq, resulting in the book “One Bullet Away” and the HBO series “Generation Kill.” He served
as the CEO of an important new think thank, the Center for New American Security. While he was at CNAS, we wrote this:
http://www.cigital.com/papers/download/mcgraw-fick-CNAS.pdf And then...

Re: [External] Firewalls, Fairy Dust, and Forensics Gary McGraw (Apr 04)
hi karen,

Good point, and one that I usually make! I agree.

gem

Re: [External] Firewalls, Fairy Dust, and Forensics Goertzel, Karen [USA] (Apr 04)
The one point that's missing from the article is to remind people: What the heck do you think firewalls are made of?
Software! So unless a software manufacturer has got "software security religion", their product is just as likely to be
"broken" inside than the things it allegedly protects.

===
Karen Mercedes Goertzel, CISSP
Lead Associate
Booz Allen Hamilton
703.698.7454
goertzel_karen () bah com

"I love...

Firewalls, Fairy Dust, and Forensics Gary McGraw (Apr 01)
hi sc-l,

Ever get discouraged that we have not been making enough progress in software security? Well, we have been making
plenty of progress and our field is growing fast! This peppy little article (co-authored with Sammy Migues) explains
why firewalls, fairy dust, and forensics are not working out for computer security.

Oh, and software security is growing at 20% CAGR and now accounts for 10% of the computer security market (which is...

IEEE Computer article Gary McGraw (Mar 26)
hi sc-l,

I was asked to write an article for IEEE Computer’s security column this month. It’s about software security.

Security Fatigue? Shift Your Paradigm<http://www.cigital.com/presentations/mco2014030081.pdf>, (IEEE Computer Society,
March 2014)

As always, your feedback is welcome. You can find many of my writings here: http://www.cigital.com/~gem/writings/

gem

company www.cigital.com
podcast www.cigital.com/silverbullet...

c0c0n 2014 | The cy0ps c0n - Call For Papers & Call For Workshops c0c0n International Information Security Conference (Mar 26)
___ ___ ___ ___ __ _ _
/ _ \ / _ \ |__ \ / _ \/_ | || |
___| | | | ___| | | |_ __ ) | | | || | || |_
/ __| | | |/ __| | | | '_ \ / /| | | || |__ _|
| (__| |_| | (__| |_| | | | | / /_| |_| || | | |
\___|\___/ \___|\___/|_| |_| |____|\___/ |_| |_|
...

Paul dot com podcast on #swsec at 6pm EST Gary McGraw (Mar 20)
hi sc-l,

Tonight at 6pm EST I will be participating in a paul dot com webcast and talking all things software security. Please
tune in if you can, and spread the word!

http://securityweekly.com/watch

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

CFP: WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS - Deadline extension to March 5 Larry Koved (Mar 09)
WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS

IMPORTANT DATES
Paper submission deadline: March 5, 2014 (11:59pm US-PST)
Workshop acceptance notification date: March 29, 2014
Workshop date: Sunday, May 18, 2014
Workshop paper submission web site:
https://www.easychair.org/conferences/?conf=w2sp2014

W2SP brings together researchers, practitioners, web programmers, policy
makers, and others interested in the latest understanding...

CFP: Mobile Security Technologies (MoST) 2014 - Deadline extended to March 10 Larry Koved (Mar 09)
http://mostconf.org/2014/cfp.html

Mobile Security Technologies (MoST) 2014

co-located with
The 34th IEEE Symposium on Security and Privacy (IEEE S&P 2014)
an event of
The IEEE Computer Society's Security and Privacy Workshops (SPW 2014)

Mobile Security Technologies (MoST) brings together researchers,
practitioners, policy makers, and hardware and software developers of
mobile systems to explore the latest understanding and...

Silver Bullet 95: Charlie Miller Gary McGraw (Feb 28)
hi sc-l,

Greetings from RSA, where the show gets underway today. I hope to see some sc-l readers out here. (Come see us duing
the show https://www.cigital.com/blog/2014/01/rsa-2014/.)

Episode 95 of silver bullet features a conversation with Charie Miller, who now works at Twitter as a security
engineer. Charlie is well known for his spectacular Apple hacks. Lately, he has turned his attention to cars. We
talk about fuzzing, exploit...

CFP: Mobile Security Technologies (MoST) 2014 Larry Koved (Feb 19)
http://mostconf.org/2014/cfp.html

Mobile Security Technologies (MoST) 2014

co-located with
The 34th IEEE Symposium on Security and Privacy (IEEE S&P 2014)
an event of
The IEEE Computer Society's Security and Privacy Workshops (SPW 2014)

Mobile Security Technologies (MoST) brings together researchers,
practitioners, policy makers, and hardware and software developers of
mobile systems to explore the latest understanding and...

Final CFP: WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS Larry Koved (Feb 19)
WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS

IMPORTANT DATES
Paper submission deadline: February 26, 2014 (11:59pm US-PST)
Workshop acceptance notification date: March 29, 2014
Workshop date: Sunday, May 18, 2014
Workshop paper submission web site:
https://www.easychair.org/conferences/?conf=w2sp2014

W2SP brings together researchers, practitioners, web programmers, policy
makers, and others interested in the latest understanding...

FYI: OWASP CISO Survey Report 2013 Released Tobias (Feb 14)
Hello dear secure coding fellows,

just fyi: OWASP just released the OWASP CISO Survey Report 2013 Version
1.0 <https://www.owasp.org/index.php/OWASP_CISO_Survey>.
/Among application security stakeholders, Chief Information Security
Officers (CISOs),are responsible for application security from
governance, compliance and risk perspectives. The OWASP CISO Survey
provides tactical intelligence about security risks and best practices
to help...

Educause Security Discussion — Securing networks and computers in an academic environment.

Re: Password change *recommended* -- RESULTS? Brad Judy (Apr 18)
The issue for complex passwords these days doesn't seem to be direct brute-force, but offline brute force. If a flaw
in a web app or other service allows for exfiltration of password hashes (as has occurred numerous times in the past
year on everyone from Adobe to tiny niche websites) having a very good password at least buys you time to discover the
breach and reset passwords. Of course, using a robust password mechanism instead of a...

Re: Password change *recommended* -- RESULTS? Joseph Tam (Apr 18)
Robert Meyers <REMeyers () MAIL WVU EDU> writes:

It depends on what you mean by weak. If you mean spectaculary weak, a
few. It's usually the case of someone doing their own OS install and
installing an account with password "123" or something like that.

That is also the primary ingress method for people who reply to my
security incident reports on their hosts doing ssh BFD attacks.

However, to my knowledge, no one has...

FW: Violance Against Woment Reauthorization Act of 2013 Carlos Lobato (Apr 17)
All,

I'm resending the below request as the deadline to comply is getting closer and I would like to be pointed to any SaVE
Act websites that have been created at your institutions.

Carlos

________________________________

From: Carlos Lobato
Sent: Wednesday, January 29, 2014 1:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Violance Against Woment Reauthorization Act of 2013

Hello all,

How is your institution preparing to comply...

Re: Semi-Off Topic Request - Password Management Greg Williams (Apr 17)
Hi James, We use Cherwell. It's more than just password reset however. It's our ticketing software for many
departments around campus.

Greg Williams
IT Security Manager/Security Principal
Department of Information Technology
University of Colorado Colorado Springs
Phone: 719-255-3211
Website: http://www.uccs.edu/itsecure
greg.williams () uccs edu<mailto:greg.williams () uccs edu>

********************************
Three common...

Semi-Off Topic Request - Password Management Pardonek, Jim (Apr 17)
We are looking at a complete refresh of our self serve password management solution which also includes the helpdesk
assistance piece and possibly our entire IAM platform. My question if you would be so kind to let me know. What vendor
are you using for your SS Password management and what are you using for IAM?

Thanks,

James Pardonek, MS, CISSP, CEH
Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL...

Re: Password change *recommended* -- RESULTS? Roger A Safian (Apr 17)
Multi factor...

Re: Password change *recommended* -- RESULTS? Williams, Charles (Apr 17)
The really difficult part is the training of people not to respond to the phishing attacks. The attacks rely on our
human gullibility and are becoming more sophisticated in their approach. Even if we do a really good job of education
and get the response rate down to 0.01%, that's 1 out of 10,000, that one response can cause havoc.

I'm not saying the education is not useful or a good idea. I am saying that perfect protection from...

Re: Password change *recommended* -- RESULTS? Joel L. Rosenblatt (Apr 17)
Hi,

I agree with this - I have analyzed brute force attacks and the
average attack tries hundreds of ID's, but only 10-15 passwords per ID
(think top 10 passwords)

Spending a lot of time making really complicated passwords is
misdirected effort in my opinion - it would be better spent on
figuring out how to implement two factor authentication

Make sure that your passwords are none of the top 100 or dictionary
words and then try and figure...

Re: Password change *recommended* -- RESULTS? Roger A Safian (Apr 17)
I think it would be difficult to provide a complete answer to this question. If we have a compromised account,
especially these days, phishing always seems to be the answer. We do have complexity rules that would make brute force
more difficult, but, it could still be a possibility. That being said, it's not unusual to see this on Mac's and other
Unix boxes via SSH.

From: The EDUCAUSE Security Constituent Group Listserv [...

Re: Password change *recommended* -- RESULTS? Robert Meyers (Apr 17)
I'd like to take this in a slightly different direction.
With all the conversation about the need for complex passwords, how many can honestly report that their institution has
suffered a significant data incident because of a hack or brute force attack on user passwords? How many breaches have
been reported in the edu community because a user password was too weak? I'm not disputing anything with these
questions, just honestly...

SPC extra-curricular activities Brad Judy (Apr 16)
In addition to the many great track sessions, corporate sessions, roundtables and more at the 2014 Security
Professionals Conference, peer volunteers have put together some fun extra-curricular activities that are free and open
to all SPC attendees.

At 8pm on Wednesday night (May 7th), the Broadway room on the first floor will host the second annual game night. This
event was a big success last year and it's back.

Game Night (organized...

Re: Password change *recommended* -- RESULTS? David Walker (Apr 16)
Brady,

Very real issues you've listed about multi-factor authentication. I'll
mention that the MFA Cohortium
(https://wiki.cohortium.internet2.edu/confluence/display/mfacohortium/Home),
a group of 40-50 universities, is doing a work in the areas you've
mentioned. Take a look; there are a number of white papers available.
You're also welcome to participate; information for how to do that is
available from the wiki page...

Re: Password change *recommended* -- RESULTS? Ken Connelly (Apr 16)
For most accounts, we went to a minimum 15-character passphrase with a
one-year expiration about a year ago (implemented in a staggered fashion
over roughly a 90-day period). So far, so good. There was the expected
initial grumbling about "15!! characters?!?", but once the annual
expiration (vs. 90 and 180 days for different classes of users) was
absorbed, things have settled. We'll see if the initial renewal period
generates...

Re: Password change *recommended* -- RESULTS? Mally Mclane (Apr 16)
I never really get long passwords and don't think it cuts down on reuse.
England12345 on one site will just become England12 on another site.

There doesn't seem to be an easy solution though.... 2FA (if enforced)
annoys people, complex or lengthy passwords get written down.....

Ho hum.

Re: Password change *recommended* -- RESULTS? McClenon, Brady (Apr 16)
I’d be curious how this works out. I’m guessing requiring a 14 character password is going cut down a lot of password
reuse on other sites. They’ll want a shorter one for other sites. ☺

Not that I oppose a 14 character password. I’m just commenting on my perception of the behavior of others…

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ben
Marsden
Sent:...

Internet Issues and Infrastructure

NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.

Re: Requirements for IPv6 Firewalls Jimmy Hess (Apr 19)
It would appear point (5) in favor of NAT with IPv6 is the only point
that has any merit there. (1) to (4) are just rationalizations.
None of (1) to (4) are the reasons IPv4 got NAT, none are valid, and
none are good reasons to bring NAT to IPv6 or use NAT in designs of
IPv6 networks.

You could also add as good reasons.. (6) Requirement for NAT based
on personal preference, and...

(7) "You don't need this NAT function...

Re: Requirements for IPv6 Firewalls Dobbins, Roland (Apr 19)
You can 'call' it all you like - but people who actually want to keep their servers up and running don't put stateful
firewalls in front of them, because it's very easy to knock them over due to state exhaustion. In fact, it's far
easier to knock them over than to knock over properly-tuned naked hosts.

Also, you might want to search the NANOG email archive on this topic. There's lots of previous discussion,...

Re: Requirements for IPv6 Firewalls Jeff Kell (Apr 19)
I call BS... what do you expect closes the gap, host firewalls? Most
3rd party crap has no firewalls and gets no specific rules for local
LANs or authorized users.

Firewalls are front-line defense, for the crap that is too generic /
misconfigured to protect itself. And there are tons of these.

Anyone ever pentested you? It's an enlightening experience.

Jeff

Re: Requirements for IPv6 Firewalls Enno Rey (Apr 19)
Hi,

all of them

My

true. it's just we don't see many of those (actually I've yet to encounter a single one) and it could be debatable if
they belong to "Enterprise" networks (which is in the title of the ID).

best

Enno

Re: Requirements for IPv6 Firewalls Matt Palmer (Apr 19)
1.3.8 lists use of RFC1918 address space as one of four possible
implementations, immediately after the phrase "may include, but are not
limited to". I don't interpret that as "pretty much requires RFC1918".

Now, if you'd like to claim that 1.3.8 is completely useless, I won't argue
with you -- it's security-by-obscurity of the worst possible form. But
don't blame PCI compliance for any inability to...

Re: Requirements for IPv6 Firewalls Dobbins, Roland (Apr 19)
Firewalls <> 'access control'.

Firewalls are one (generally, very poor and grossly misused) way of providing access control. They're often wedged in
where stateless ACLs in hardware-based routers and/or layer-3 switches would do a much better job, such as in front of
servers:

<https://app.box.com/s/a3oqqlgwe15j8svojvzl>

-----------------------------------------------------------------------
Roland Dobbins...

Re: Requirements for IPv6 Firewalls TheIpv6guy . (Apr 19)
Yep. I have seen many more security / availability events caused by a
firewall tipping over than anything else. Firewalls tend to be put in
as single points of failure so that there is one point of inspection /
policy enforcement. And, HA pairs are generally a joke. 2 failure
mode i have seen: Firewall ALG saw a SIP packet option that it did
not like, so it reloaded itself. In the process, it reflected the
session state with fatal...

Re: Requirements for IPv6 Firewalls Jeff Kell (Apr 19)
If end-to-end connectivity is your idea of "the Internet", then a
firewall's primary purpose is to break the Internet. It's how we
provide access control.

If a firewall blocks "legitimate, authorized" access then perhaps it
adds to breakage (PMTU, ICMP, other blocking) but otherwise it works.

As to address the other argument in this threat on NAT / private
addressing, PCI requirement 1.3.8 pretty much requires...

Re: Requirements for IPv6 Firewalls Dobbins, Roland (Apr 19)
As someone who sees firewalls break the Internet all the time for those whose packets have the misfortune to traverse
one, I must respectfully disagree.

;>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Luck is the residue of opportunity and design.

-- John Milton

Re: Requirements for IPv6 Firewalls Glen Turner (Apr 19)
Fernando,

Perhaps the document should have opened with a disclaimer that it is impossible to describe the full customer
requirements for a firewall and thus a customer can reasonably add additional requirements. Then everyone knows where
they stand and we avoid stupid (perhaps contractual) arguments that a firewall is acceptable solely because it meets
this IETF publication.

The document varies between specification and advice. My view is...

Re: Requirements for IPv6 Firewalls William Herrin (Apr 18)
Hi Lee,

That tends to happen when one takes a nuanced topic involving the
intersection of technology with human social behavior and boils it
down to two sentences. Perhaps I could have said, "taken seriously by
enough of your target audience without."

Regards,
Bill Herrin

Re: Requirements for IPv6 Firewalls William Herrin (Apr 18)
Put more succinctly: depth isn't where you place the defenses, it's
how many defenses times the quality of each defense that an adversary
has to slip past. If an adversary has to bypass three defenses, that's
more shallow than if he has to bypass the same three and three more.
Whether all six are at the perimeter or half are at the perimeter two
are at the host and one is in the application is only indirectly
relevant to the depth...

Re: Requirements for IPv6 Firewalls George Herbert (Apr 18)
Lee Howard:

The arrogance in this assertion is amazing.

You're describing best practice. Yes, of course, you should have well
documented technical and business needs for what's open and what's closed
in firewalls, and should have traceability from the rules in place to the
requirements, and be able to walk the rules and understand them and
reinterpret them from v4 to v6, to a new firewall vendor, etc etc.

Again - THE INERTIA IN...

Re: Requirements for IPv6 Firewalls William Herrin (Apr 18)
So your question is: how does one variant of being externally
addressable (simple routing with a packet filter or perhaps a stateful
firewall) differ from another variant of being externally addressable
(static inbound port translation)? Hell man, I don't like seeing these
in IPv4 let alone IPv6. But when I'm asking a guy to make a much
bigger leap of faith, like implementing IPv6, I don't plan to distract
him with the fact that...

Re: Requirements for IPv6 Firewalls Matthew Kaufman (Apr 18)
Ignoring security, A is superior because I can change it to DNAT to the new server, or DNAT to the load balancer now
that said server needs 10 replicas, etc.

B requires re-numbering the server or *if* I am lucky enough that it is reached by DNS name and I can change that DNS
promptly, assigning a new address and adding another firewall rule that didn't exist.

Matthew Kaufman

(Sent from my iPhone)

The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.

Risks Digest 27.84 RISKS List Owner (Apr 16)
RISKS-LIST: Risks-Forum Digest Wednesday 16 April 2014 Volume 27 : Issue 84

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.84.html>
The current issue can be...

Risks Digest 27.83 RISKS List Owner (Apr 11)
RISKS-LIST: Risks-Forum Digest Friday 11 April 2014 Volume 27 : Issue 83

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.83.html>
The current issue can be...

Risks Digest 27.82 RISKS List Owner (Mar 30)
RISKS-LIST: Risks-Forum Digest Saturday 29 March 2014 Volume 27 : Issue 82

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.82.html>
The current issue can be...

Risks Digest 27.81 RISKS List Owner (Mar 23)
RISKS-LIST: Risks-Forum Digest Saturday 22 March 2014 Volume 27 : Issue 81

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.81.html>
The current issue can be...

Risks Digest 27.80 RISKS List Owner (Mar 18)
RISKS-LIST: Risks-Forum Digest Monday 17 March 2014 Volume 27 : Issue 80

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.80.html>
The current issue can be...

Risks Digest 27.79 RISKS List Owner (Mar 06)
RISKS-LIST: Risks-Forum Digest Thursday 6 March 2014 Volume 27 : Issue 79

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.79.html>
The current issue can be...

Risks Digest 27.78 RISKS List Owner (Mar 04)
RISKS-LIST: Risks-Forum Digest Monday 3 March 2014 Volume 27 : Issue 78

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.78.html>
The current issue can be...

Risks Digest 27.77 RISKS List Owner (Feb 28)
RISKS-LIST: Risks-Forum Digest Friday 28 February 2014 Volume 27 : Issue 77

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.77.html>
The current issue can be...

Risks Digest 27.76 RISKS List Owner (Feb 25)
RISKS-LIST: Risks-Forum Digest Tuesday 25 February 2014 Volume 27 : Issue 76

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.76.html>
The current issue can...

Risks Digest 27.75 RISKS List Owner (Feb 21)
RISKS-LIST: Risks-Forum Digest Friday 21 February 2014 Volume 27 : Issue 75

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.75.html>
The current issue can be...

Risks Digest 27.74 RISKS List Owner (Feb 16)
RISKS-LIST: Risks-Forum Digest Saturday 15 February 2014 Volume 27 : Issue 74

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.74.html>
The current issue can...

Risks Digest 27.73 RISKS List Owner (Jan 29)
RISKS-LIST: Risks-Forum Digest Tuesday 28 January 2014 Volume 27 : Issue 73

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.73.html>
The current issue can be...

Risks Digest 27.72 RISKS List Owner (Jan 28)
RISKS-LIST: Risks-Forum Digest Monday 27 January 2014 Volume 27 : Issue 72

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.72.html>
The current issue can be...

Risks Digest 27.71 RISKS List Owner (Jan 24)
RISKS-LIST: Risks-Forum Digest Thursday 23 January 2014 Volume 27 : Issue 71

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.71.html>
The current issue can...

Risks Digest 27.70 RISKS List Owner (Jan 21)
RISKS-LIST: Risks-Forum Digest Tuesday 21 January 2014 Volume 27 : Issue 70

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/27.70.html>
The current issue can be...

Data Loss — Data Loss covers large-scale personal data loss and theft incidents. This archive combines the main list (news releases) and the discussion list.

Open Source Tool Development

Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool

Re: framework Digest, Vol 74, Issue 1 Spencer, Shelby C (Apr 10)
In Kali, just do: sudo aptitude update && sudo aptitude dist-upgrade.

It'll update your metasploit install as well.

Since I like to be on the bleeding edge, I usually follow that with a git clone of the Metasploit repository.

-----Original Message-----
From: framework-bounces () spool metasploit com [mailto:framework-bounces () spool metasploit com] On Behalf Of
framework-request () spool metasploit com
Sent: Thursday, April 10,...

how to update metasploit-framework moudles in kali chinghsiung (Apr 10)
Hello
when i type in msfupdate this command can update
metasploit-framework moudles ? becasue i try to msf>search ms14_017_rtf
or Heartbleed not found ><"

Re: Metasploit running on a pineapple Dan Tentler (Mar 19)
So the raspi has ~128 megs of ram, and a ~700mhz proc, where the
pineapple has a 266mhz proc and ~62 megs of ram.
I haven't actually tried running ruby on it yet, but it's certainly a
good test!
I'll try it and let you know what happens!

iOS payload for metasploit Anwar Mohamed (Mar 18)
Hello All,

I have managed to make an ios payload for metasploit and I am stuck at
understanding how posix payload goes on at meterpreter repo.

I have two options:
1- to compile the posix one using ios toolchain
2- implement a new one under xcode specially for macosx and ios both
(already started in that part but with little progress)

what do you think ?

Re: Metasploit running on a pineapple Tod Beardsley (Mar 18)
The mkV has enough oomph to run real Ruby, yes? I don't know if it does or
not. Tbh the Rpineapple may be a better choice.

Metasploit running on a pineapple Dan Tentler (Mar 17)
I'm curious if anybody has ever tried this before.
I have a Mark5 and I'd like to put a small number of modules/payloads on
the thing to be run from the pineapple gui (or automatically), like
exploiting ms08_067, finding null sessions, and using psexec to run
something like dynamic_exe and lob the subsequent shells back to a real
host running framework/pro.

At the moment my approach is to basically create rc script skeletons and
have...

Re: resetting git Michael Schierl (Mar 17)
Am 17.03.2014 20:02, schrieb Tod Beardsley:

It does not allow you to push changes elsewhere, though (except
patches), and when trying to update it, weird things may happen.

And BTW, I *do* care about the past :)

Therefore I think it is enough to fetch the past once :)

But probably enough off-topic discussion on this list now.

Regards,

Michael

Re: resetting git Tod Beardsley (Mar 17)
git clone --depth 1 is nice. Very shallow if you don't care about the past
too much.

Re: resetting git Michael Schierl (Mar 17)
Am 16.03.2014 22:52, schrieb Robin Wood:

Depending on what branch you were one before, you might have to reset
the freshly checked out master branch again, if you follow this route.

Sorry, did not think about that :-(

Another alternative (which is also handy in case you want to temporarily
checkout some different branch to test something there, without either
discarding or committing your changes first) is

$ git stash save

which puts your...

Re: resetting git Robin Wood (Mar 17)
metasploit-framework locally, nuke your own origin, refork on GitHub, and
reclone locally. That'll get you all the latest and none of the old and
crusty branches.

I did think about doing that but thought there would be nice way to do it
through git as I'm trying to learn how to use it properly. I'm still not
100% sure why things do what they do but it is making slightly more sense
each time I learn something like this.

Robin...

Re: resetting git Tod Beardsley (Mar 16)
TBH if you don't care about your local stuff you can just rm -rf
metasploit-framework locally, nuke your own origin, refork on GitHub, and
reclone locally. That'll get you all the latest and none of the old and
crusty branches.

Re: resetting git Robin Wood (Mar 16)
Should have elaborated, when I did it your way it complained about a
conflict that needed resolving before I could continue. Doing the
reset seemed to fix that so the checkout could complete.

Robin

Re: resetting git Robin Wood (Mar 16)
All seemed to work except I had to do these in the other order:

$ git reset --hard upstream/master
$ git checkout master

Thanks

Robin

Re: Metasploit - error in opcodes.rb Tod Beardsley (Mar 16)
We recently updated our local copy of metasm so I'm sure that's the crux of
the problem. Can I get you to open a bug on our redmine instance?
Dev.metasploit.com .

Metasploit - error in opcodes.rb Fancy Hawaii (Mar 15)
Hi everybody,

anybody else noticed this error after the latest upgrade?
Or is it just me having this prob?
NB: before the latest upgrade all worked fuine :-(

root () kali:~/# msfconsole
/opt/metasploit/apps/pro/msf3/lib/metasm/metasm/cpu/ia32/opcodes.rb:27:in `[]=':
can't convert Symbol into Integer (TypeError)
from
/opt/metasploit/apps/pro/msf3/lib/metasm/metasm/cpu/ia32/opcodes.rb:27:in `block
in init_cpu_constants'...

Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.

Re: Regarding display filter- how to redesign code to incorporate expressions other than protocols? Guy Harris (Apr 18)
Filtering *already* uses more than just protocols - it uses fields from protocols, for example, "ip.src == 127.0.0.1"
or "ip.len == 1024".

An algebraic expression, in order to be a *useful* filter, would have to incorporate variables of some sort; neither
"(5 + 3)*2 == 16" nor "(5 + 3)*2 == 17" are particularly interesting filters (the first one would match all packets,
the second one would match no...

Regarding display filter- how to redesign code to incorporate expressions other than protocols? Ateeth Kumar Thirukkovulur (Apr 18)
I want to know if there is any way to redesign the wireshark filter to
incorporate algebraic expressions instead of filtering using protocols?

Anyone knows where to start from? Some help on this would be appreciated.

I know that the display filter code is located in the epan directory.

Regards,

*Ateeth Kumar Thirukkovulur*
*Research Assistant*
*College of Technology*
*UH ID:1267190*

Re: Wireshark LTS branches Jeff Morriss (Apr 18)
I agree. I push the stable release micro versions to my users because
it's often important to have bug fixes too.

Fedora appears to be picking up the micro-releases as-is (Fedora 18
actually even upgraded from 1.8.3 to 1.10.2; hopefully this means
they've come to think of Wireshark as a "desktop app" like Firefox which
must be reasonably up-to-date in order to be useful).

... And on the other hand we have RHEL/CentOS...

Re: docbook/Makefile.am:60: warning: '%'-style pattern rules are a GNU make extension Alexis La Goutte (Apr 18)
Yes... it is new
Coming from 30b53c3331f7fea664c6185f3b50ed4b32f8f5dc

Try to fix dist. Change the .asciidoc.xml inference rule to a pattern
rule specific to wsug_src similar to the nmake change in gedc06c1.

--- a/docbook/Makefile.am
+++ b/docbook/Makefile.am
@@ -59,7 +59,7 @@ endif
# Used for chapter-by-chapter conversion from DocBook to AsciiDoc.
# Can be removed after the User's Guide is converted.
# .asciidoc -> whole book...

Re: Wireshark LTS branches Guy Harris (Apr 18)
The best solution for many end-users would probably be *not* to limit the changes to security fixes - if we have a fix
for a mis-dissection, they'd probably want that, for example.

Given that, having separate "security fixes only" branches, for packagers and users who *only* want security fixes, and
support branches, for packagers and users who also want those bug fixes that we deem "appropriate" for the support...

Re: Wireshark LTS branches Evan Huus (Apr 18)
I'm reading that link as saying Debian Stable doesn't get *any*
non-security bug-fixes, which is surprising?

I've thought about applying as Ubuntu maintainer before, but you've
always done such a good job with the Debian stuff it's been easier to
just let the syncs happen automatically :)

Re: Wireshark LTS branches Bálint Réczey (Apr 17)
2014-04-17 23:21 GMT+02:00 Evan Huus <eapache () gmail com>:

I forgot to answer the question regarding the naming,
master-lts-1.2.11 and master-lts-1.8.2 would be close to the current
scheme, I think.

Well, last time I brought this up the project decision was to allow
minor improvements, too:
http://comments.gmane.org/gmane.network.wireshark.devel/15323

The best solution for me as a maintainer at Debian would be limiting
the changes to...

Re: Mac compilation broken Guy Harris (Apr 17)
Fixed in I7eb98963a6d2e1bc9f869ebce3d7ba9228b6c9e4.

AsciiDoc Transition Evan Huus (Apr 17)
Is the AsciiDoc WIP change at https://code.wireshark.org/review/#/c/9/
still active or should it be abandoned? It's seen no uploads in >2
months...

Evan

Re: Wireshark LTS branches Evan Huus (Apr 17)
This was also my original reaction. We do a fair amount of work (or at
least Gerald does quite a lot of work), maintaining stable and
old-stable Wireshark branches already. It seems like it would be
easier for everybody if we tweaked our stable-backport policy so that
Debian and whoever else could just grab new stable versions from us
directly.

I can't speak for Debian, but Ubuntu has a specific policy for this
sort of thing:...

Re: Mac compilation broken Roland Knall (Apr 17)
I've also got the 404th entry on gerrit. Not so much fun as 10000, but
still. ;-)

regards,
Roland

Re: Mac compilation broken mmann78 (Apr 17)
Congratulations Roland! You have just won yourself a free copy of Wireshark on the platform of your choice. Just go
to http://www.wireshark.org/download.html to claim your prize and enter "Bug10000" in the checkout screen.

(Wait... maybe I shouldn't give out the free copy checkout code to the whole -dev list, then lots of people will end up
with free copies of Wireshark)

-----Original Message-----
From: Roland Knall...

Mac compilation broken Roland Knall (Apr 17)
Hi

Just filed bug #10000 ;-). Mac compilation is broken, due to

'extern' variable has an initializer

See https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10000 for compile
output.

regards,
Roland

Re: TCP dissector design Roland Knall (Apr 17)
Hi

Not in general by the distinction of the different protocol versions, but
you could take a glance at the openSAFETY dissector, which basically
supports a variant of transport layers and a heuristic to determine the
possition of the packages in each transport layer.

If you take a look at it with one of the capture samples from the wireshark
wiki, you'll see, that udp and fieldbus messages get mixed together to
present one singular...

TCP dissector design John Dill (Apr 17)
I have a closed network system where there are several TCP conversations
that transmit the same kind of data, but use different application layer
messages structures. It seems to be based on the age of the code,
where TCP conversations from older code use a different application
message structure (with different headers) than newer ones.

They would like to be able to see all the data fields under the same
protocol, whether the message came from...

Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.

Re: AANVAL or MYSQL question waldo kitty (Apr 18)
you forgot to supply the requested startup command line for your barnyard2.

you forgot to say if your barnyard2 is being pointed to the proper snort log
directory. this might be done on the command line or possibly inside the
barnyard2 config.

Re: My Snort IDS Sensor Detected Nessus Vulnerability Scan Joel Esler (jesler) (Apr 18)
Probably because

A) you're behind a firewall
B) you're running Nessus. A scanner. Not an exploitation tool. It's not testing to see if something is vulnerable, it's
scanning for the potential of the vulnerability
C) you've already asked this question and multiple people have answered it.

Please read documentation and test Snort. Obviously it's working fine according to the other emails you've sent.

I'm...

Re: My Snort IDS Sensor Detected Nessus Vulnerability Scan Eric G (Apr 18)
vulnerability scan was launched from WAN outside of HOME_NET. However, the
alerts generated were few. It seems that Snort rules are not comprehensive
enough.

Teo, once again, you don't have your HOME_NET defined as your external IP
but you keep insisting that Snort isn't working right. Your config is
broken, not Snort.

If you want Snort to light up like a Christmas tree when you scan your box,
tap your outside interface and define...

My Snort IDS Sensor Detected Nessus Vulnerability Scan Teo En Ming (Apr 18)
Hi,

My Snort IDS sensor detected nessus vulnerability scan. The nessus
vulnerability scan was launched from WAN outside of HOME_NET. However, the
alerts generated were few. It seems that Snort rules are not comprehensive
enough.

Here are the alerts:

04/19-02:54:23.361505 [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin
interface access attempt [**] [Classification: Potential Corporate Privacy
Violation] [Priority: 1] {TCP}...

Re: PulledPork 403 Forbidden error Joel Esler (jesler) (Apr 18)
Dear Kevin,

In order to look into this issue, I am going to need your Snort.org<http://Snort.org> username and email address.
Please feel free to email me directly with that information.

PulledPork 403 Forbidden error Kurzawa, Kevin (Apr 18)
PulledPork 0.7.0
Snort 2960
Archlinux

Switching over from Oinkmaster to PulledPork. I want the ability to automatically switch between the connectivity,
balanced, and security rulesets easily (if this is do-able in Oinkmaster, someone please enlighten me).

Running sudo pulledpork.pl -c /etc/pulledpork/pulledpork.conf -T -vv

Base URL is: https://www.snort.org/reg-rules/|snortrules-snapshot-2960.tar.gz|83c886d030bc3d56e56d69488c456404xxxx...

Trouble getting PF_Ring DNA and DAQ to work Xavier Van Pottelbergh (Apr 18)
Hi,

I'm a student trying to set up snort.

I've ran into trouble trying to get multiple snort instances listening on one interface (I have too much traffic for
one instance to handle).

I'm using a RHEL 6.5 server
Snort version:
,,_ -*> Snort! <*-
o" )~ Version 2.9.6.0 GRE (Build 47)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team...

Re: [Emerging-Sigs] Some signatures not appearing in the log Conma (Apr 18)
I'm not sure - I thought I had read in the pulledpork read me (or perhaps the conf) that if you choose a policy it will
either disable or not download ET rules, so I had chosen to avoid the 'security' policy ....

Sent from my iPad

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph...

Sourcefire VRT Certified Snort Rules Update 2014-04-17 Research (Apr 17)
Sourcefire VRT Certified Snort Rules Update

Synopsis:
This release adds multiple rules.

Details:
The Sourcefire VRT has added multiple rules in the server-other rule
set to provide coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2014-04-17-1.html

Re: conficker 15450 question Patrick Mullen (Apr 17)
Author of the rule here, failing to ignore email. :)

Conficker detection uses the same algorithm as conficker to generate a
list of potential hostnames to check for updated conficker C&C
information. Apparently, it just so happens that "ESPN" came up
today. The problem with random functions is sometimes they come up
with values that have actual meanings.

The false positives should go away at midnight. Since this is the
first...

Re: conficker 15450 question Jeremy Hoel (Apr 17)
Awesome. Thanks for the info!

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech...

Re: [Emerging-Sigs] Some signatures not appearing in the log Anshuman Anil Deshmukh (Apr 17)
Then what could be the possible reason for not getting the said signature?

Sent from Handheld

I don’t think emerging threats uses the policies, so, I don’t see why setting that for the VRT set would affect the ET
rules.

I mean to say we dont have a subscription for the paid signatures. We are on free set of signatures.

But I am waiting for the answer for my query.

Sent from Handheld

Sourcefire = VRT

"Legal Disclaimer: This...

Re: [Emerging-Sigs] Some signatures not appearing in the log Anshuman Anil Deshmukh (Apr 17)
I mean to say we dont have a subscription for the paid signatures. We are on free set of signatures.

But I am waiting for the answer for my query.

Sent from Handheld

Sourcefire = VRT

"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited
which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for
the addressee(s) only....

Re: [Emerging-Sigs] Some signatures not appearing in the log Joel Esler (jesler) (Apr 17)
I don’t think emerging threats uses the policies, so, I don’t see why setting that for the VRT set would affect the ET
rules.

I mean to say we dont have a subscription for the paid signatures. We are on free set of signatures.

But I am waiting for the answer for my query.

Sent from Handheld

Sourcefire = VRT

"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited
which...

Re: Snoge Michael Brown (Apr 17)
All right. The last time I tried Snoge I was having issues. I was hoping
that there was someone around that could help if I and/or others tried
Snoge again and had issues.

---
Thank you,

Michael A. Brown
mike.a.brown09 () gmail com
(757) 912-0836
M.S. Forensic Studies: Computer Forensics
B.S. Information Technology: Network Specialist

"The only thing necessary for the triumph of evil is for good men to do
nothing" -Edmund Burke...

More Lists

Related Resources

We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.