SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects.
Re: Welcome to the "nmap-dev" mailing list (Digest mode)
ALIYU MOHAMMED (Apr 30)
i confirm notification please
Re: Black Hat and Defcon 2010 CFPs
Ron (Apr 30)
I submitted a talk on dns tunnels for Defcon/Blackhat, so I'm crossing my fingers I get to do it. One way or the other
I'm going to get out to Defcon, but going to Blackhat is contingent on them accepting my paper.
Looking forward to seeing all you folks again!
Black Hat and Defcon 2010 CFPs
Fyodor (Apr 30)
Hi folks. We had a great Nmap team dinner at Defcon last year and I
hope to see many of you there this year as well! David and I are
submitting a talk on Mastering the Nmap Scripting Engine for Black Hat
and Defcon this summer, and more Nmap related talks are always
welcome! But the CFPs are closing very soon, so now is your chance to
submit if you have something interesting to present! The Black Hat
CFP closes tomorrow (they don't say...
[BUG] Exclusions directive not honored by NSE version detection
Tom Sellers (Apr 30)
I have recently come across a bug involving port exclusions when performing version detection. I plan to work on finding a fix for the issue this weekend, but I thought I would go ahead and send the info to the list now in the event that my work was delayed or someone had an idea of exactly where the issue lay.
Recent scanning shows that the Exclude directive in the nmap-service-probes file is being ignored by NSE version detection if more...
Re: old error resurfaced?
craig bowser (Apr 30)
BTW, nmap -iflist shows that the type of interface is ethernet and nmap
worked fine when my PC was at a different location. This is the first
time using it in my new location.
Craig
Re: old error resurfaced?
craig bowser (Apr 30)
I meant to say also, that a search on this indicated that this error was
mostly in older versions.
A couple of discussions about misconfigured gateway addresses (mine is
correct) and possibly something with using a Cisco VPN (we're not using, I'm
on the LAN).
But nothing else yet....
Craig
old error resurfaced?
craig bowser (Apr 30)
All, what would cause this error when scanning between locations?
nexthost: Failed to determine dst MAC address for target x.x.x.x
QUITTING!
NMAP works fine when scanning my subnet, but the minute I scan between
locations (i.e. crossing the router), I get that nexthost error.
What is or isn't set correctly in my machine and/or on the router? (BTW, I
don't have access to the router to view the config)
Thanks.
C:\>nmap -sL x.x.x.x...
Re: XML Output Inconsistency
David Fifield (Apr 30)
I can reproduce this. I checked and it doesn't happen (i.e., you get the
service element in either case) with 4.76.
The proximate cause was r12396. This revision was to make sure that an
ssl tunnel was recorded if detected, even if the service wasn't
identified through the tunnel. It did this by removing a condition (the
presence of a service fingerprint) around a call to
setServiceProbeResults.
This change had the side effect of making sure a...
RE: [BULK] Re: Feature request list all IP addresses of a host name
Norris Carden (Apr 30)
How about -sL with an option for multiple lookups so that even in a round robin situation you're likely to get all IPs
in a group?
Norris Carden
-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Rob Nicholls
Sent: Thursday, April 29, 2010 1:05 PM
To: Kris Katterjohn
Cc: Luis MartinGarcia.; nmap-dev; Fyodor; Ron
Subject: [BULK] Re: Feature request list all IP addresses...
Re: [NSE] rpc library; Portmapper program list stored in the
Patrik Karlsson (Apr 30)
Hi Djalal,
I tested the patch against a Linux server running NFS and it works great.
My virtual OS X server behaves as badly as last time, so I don't think it makes a good reference.
If someone else has the possibility to try this patch out against OS X please let us know.
I'm uncertain about the memory implications of storing the rpcinfo table in the registry.
I guess if you scan a Class B-network and identify 1000's of hosts running RPC it...
XML Output Inconsistency
Fyodor (Apr 30)
Hi folks. I've noticed an inconsistency in the Nmap XML output which
I consider a bug, and I figured I might as well document it here. But
of course feel free to disagree if you think this behavior is
desirable for some reason.
To reproduce it, I start with an ncat running on port 3389
(ms-term-serv per nmap-services):
ncat -l -k localhost 3389
Then from another window I run:
nmap -oA /t/crap/nmaptst -p 3389 localhost
The normal output...
Re: Feature request list all IP addresses of a host name
Ron (Apr 29)
On that topic, what do you guys think of doing the forward DNS lookup twice, and, in addition to warning if there are
multiple addresses, warn if the results of the lookup change between requests (particularly when using different dns
servers if the system has multiple)? Detecting a round-robin set up would be pretty trivial to implement but might be
helpful.
Re: Feature request list all IP addresses of a host name
Djalal Harouni (Apr 29)
You can have different addresses for the same box with the same name
which is useful on network routing issues, of course a domain name
pointing to different physical boxes will be more appropriate.
For our case you may think of a router box with different interfaces (addresses) to handle subnets, then the panel
control of the router (ssh, snmp etc) is bound to a specific IP, the scan is performed from a third different subnet
and in this case...
Re: Duplicate IPs in hostgroup (was: Feature request list all IP addresses of a host name)
Fyodor (Apr 29)
Good catch. I was able to reproduce this with scanme2.nmap.org and
scanme3.nmap.org, which resolve to the same IP:
# nmap -F scanme2.nmap.org scanme3.nmap.org
Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-04-29 11:46 PDT
Nmap scan report for scanme2.nmap.org (64.13.134.48)
Host is up (0.011s latency).
rDNS record for 64.13.134.48: nmap.org
Not shown: 98 filtered ports
PORT STATE SERVICE
80/tcp open http
113/tcp closed auth
Nmap...
Re: Feature request list all IP addresses of a host name
Rob Nicholls (Apr 29)
On Thu, 29 Apr 2010 10:56:04 -0500, Kris Katterjohn <katterjohn () gmail com>
wrote:
I agree with Kris. I'm not particularly keen on changing the behaviour. I
think the warning is sufficient for the few cases when more than one record
is returned. Not all IPs would be scanned if geolocation-aware DNS is used,
or if round robin DNS was implemented, so it's possible you're going to
"miss" IP addresses anyway. I'm aware that I'm...
Nmap Hackers — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Nmap News and Last Chance to Take the Survey
Fyodor (Apr 30)
Hi Folks. I have some Nmap news to share with you:
First off, I'm delighted to introduce the 2010 Nmap/Google Summer of
Code Team! Google has sponsored eight student developers to spend
this summer enhancing the Nmap Security Scanner and related projects,
so you can expect great things in coming months. Ithilgore and Luis
MartinGarcia are returning to improve Ncrack and Nping, new students
Drazen Popovic and Djalal Harouni will be working on...
Survey Reminder
Fyodor (Apr 14)
Hi folks, I have a quick question for you:
Q: What do the Nmap Scripting Engine, Ndiff, and the Zenmap Topology
Mapper have in common?
A: They're all features which were added after you asked for them in
the 2006 Nmap Survey!
With that in mind, I'd like to thank the 1,013 people who have already
taken the 2010 survey. We just need 1,987 more and we can close this
survey up, tabulate and share results, choose the prize winners, and
post...
Nmap/SecTools Survey and GSoC Deadline
Fyodor (Apr 07)
Hello everyone. I hope you're enjoying the 5.30BETA1 release. So far
it has proven stable and functional, so don't let the BETA name scare
you. You can get it at http://nmap.org/download.html. Meanwhile, I
have some great news, and I'm also asking for your help on two things.
The first is that the Nmap Project was again accepted for the Google
Summer of Code program, so we'll have full time coding help this
summer! SoC previously brought us...
Nmap 5.30BETA1 Released w/37 new scripts and new Apple vuln
Fyodor (Mar 29)
Hi folks! It has been two months since the 5.21 release and we've
been very busy during that time! I hope you're happy with the results,
which is a new 5.30BETA1 release made today. Top features include:
o 37 new NSE scripts, bringing the total to 117! New scripts cover
SNMP, SSL, Postgres, MySQL, HTTP, LDAP, NFS, DB2, AFS, and many
more. Also check out the clever host scripts qscan and
ipidseq. Learn about them all at...
Nmap 5.21 released
Fyodor (Jan 27)
Hello everyone. I'm pleased to release Nmap 5.21, which contains zero
exciting new features! It is a bug-fix only release instead,
addressing about a dozen issues discovered since 5.20. Thanks for all
the testing and bug reports! None of the bugs are critical, but we
wanted to polish things up since 5.21 may be the latest stable version
for a while. That gives us time to tackle and stabilize big
development projects. If you want to know...
Lots of Nmap News
Fyodor (Jan 22)
Hi folks. I'm happy to report that the 5.20 release went well. But
with this many improvements, there will always be a few bugs found.
We're planning to round those up with a bugfix-only 5.21 release next
week. So please test out 5.20 and report any problems you experience:
Download Page: http://nmap.org/download.html
Bug Report Instructions: http://nmap.org/book/man-bugs.html
If you're running from a build of the latest SVN checkout, you...
Nmap 5.20 Released
Fyodor (Jan 20)
Happy new year, everyone. I'm happy to announce Nmap 5.20--our first
stable Nmap release since 5.00 last July! It offers more than 150
significant improvements, including:
o 30+ new Nmap Scripting Engine scripts
o enhanced performance and reduced memory consumption
o protocol-specific payloads for more effective UDP scanning
o a completely rewritten traceroute engine
o massive OS and version detection DB updates (10,000+ signatures)
The...
Nmap 5.00 Released!
Fyodor (Jul 16)
Hello everyone. I'm delighted to announce the release of Nmap 5.00!
This is the first major release since 4.50 in 2007, and includes about
600 significant changes since then! We consider this the most
important Nmap release since 1997, and we recommend that all current
users upgrade.
There are too many changes to list them all in this email, so here are
the top 5 improvements in Nmap 5:
1) The new Ncat tool aims to be your Swiss Army Knife...
Nmap news: stable release candidate 4.90RC1, SoC team, and new translations
Fyodor (Jun 26)
Hi Folks. I'm pleased to announce some exciting Nmap news:
[=================Nmap 4.90RC1==================]
It has been nearly 10 months (and 11 dev releases) since 4.76, the
last stable Nmap release. And we've made many dramatic changes, so it
is time for a new stable version! I've posted a release
candidate--4.90RC1--on the Nmap download page:
http://nmap.org/download.html
Please test it out, and let us know if you find any problems...
Nmap 4.85BETA6 now avail w/Conficker detection
Fyodor (Apr 01)
Hi Folks! In case you missed all the news reports yesterday, a couple
great researchers from the Honeynet Project (Tillmann Werner and Felix
Leder) and Dan Kaminsky came up with a way to remotely detect the
Conficker worm which has infected millions of machines worldwide.
Some say 15,000,000 machines infected, but that might just be
exaggerated AV-company BS for all I know. But there are clearly
millions of infections, and this massive botnet...
Nmap News: 4.84BETA4 release, Nmap book news, Summer of Code, Twitter, etc.
Fyodor (Mar 27)
Hello everyone. We've seen 848 messages on nmap-dev this year, but
this is my first post to nmap-hackers. So I have a lot of exciting
Nmap news to fit into this one email!
[=================Nmap 4.85BETA4==================]
While the last release I posted to this list was 4.76 in September of
last year, we've had four beta releases since then with hundreds of
important and dramatic changes. I'm pretty happy with the latest
4.85BETA4 release,...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
[ MDVSA-2010:088 ] kernel
security (Apr 30)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:088
http://www.mandriva.com/security/
_______________________________________________________________________
Package : kernel
Date : April 30, 2010
Affected: 2010.0
_______________________________________________________________________
Problem Description:
Some vulnerabilities were...
BPstyle - Graphic studio SQL Injection Vulnerabilities
md . r00t . defacer (Apr 30)
#-------------------In The Name Of God------------
# BPstyle - Graphic studio SQL Injection Vulnerabilities
###################################
#AUTHOR: md.r00t
#Mail: md.r00t.defacer () gmail com
#Website: www.r00t.gigfa.com
#
###################################
#Google D0rk:
# "Designed and Created by: BPstyle - Graphic studio"
# inurl:"/page/sindex.php?plug="
###################################
#Exploit:
#---------
#...
EUSecWest Amsterdam 2010 Call For Papers (short deadline May 5 - conf June 16/17)
Dragos Ruiu (Apr 30)
EUSecWest CALL FOR PAPERS
AMSTERDAM, Nederland -- The sixth annual EUSecWest applied technical
security conference - where the eminent figures in the international
security industry will get together share best practices and technology
- will be held in downtown Amsterdam at the Melkweg Multimedia
Center near Leidseplein on June 16/17, 2010. The most significant new
discoveries about computer network hack attacks and...
RE: STP mitm attack idea
Williams, Dan (Apr 30)
-----Original Message-----
From: Ivan Jager [mailto:aij+ () mrph org]
Sent: Thursday, April 29, 2010 1:22 PM
To: Jason T. Masker
Cc: bugtraq () securityfocus com
Subject: Re: STP mitm attack idea
On Wed, Apr 28, 2010 at 05:26:09PM -0400, Jason T. Masker scribbled
thusly:
http://www.cisco.com/en/US/customer/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
Shutting down the port is useful for security in the way that it helps...
SQL Injection in MS Access with backslash escaped input
gheibi (Apr 30)
Many developers still rely on escaping user's inputs by adding backslashes (like using magic_quotes_gpc or addslashes()
in PHP), where it is well known that adding backslash to escape inputs is not sufficient to prevent SQL injection
attacks for many different reasons.
One of those reasons is that MS Access uses a different method to escape apostrophe (') which is doubling it ('')
instead of prefixing it with a backslash (\').
It's true...
Secunia Research: Internet Download Manager FTP Buffer Overflow Vulnerability
Secunia Research (Apr 30)
======================================================================
Secunia Research 30/04/2010
- Internet Download Manager FTP Buffer Overflow Vulnerability -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of...
[USN-934-1] Netpbm vulnerability
Jamie Strandboge (Apr 30)
===========================================================
Ubuntu Security Notice USN-934-1 April 29, 2010
netpbm-free vulnerability
CVE-2009-4274
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by...
[ MDVSA-2010:086 ] kdegraphics
security (Apr 29)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:086
http://www.mandriva.com/security/
_______________________________________________________________________
Package : kdegraphics
Date : April 29, 2010
Affected: Corporate 4.0
_______________________________________________________________________
Problem Description:
Multiple...
vBulletin - Insecure Custom BBCode Tags
advisories (Apr 29)
vBulletin - Insecure Custom BBCode Tags
Versions Affected: 3.8.4 PL2 (Most likely all versions)
Info:
Content publishing, search, security, and more - vBulletin has it all. Whether
it's available features, support, or ease-of-use, vBulletin offers the most for
your money. Learn more about what makes vBulletin the choice for people
who are serious about creating thriving online communities.
External Links:
http://www.vbulletin.com/
-:: The...
Re: STP mitm attack idea
Ivan Jager (Apr 29)
On Wed, Apr 28, 2010 at 05:26:09PM -0400, Jason T. Masker scribbled thusly:
I don't have an account with Cisco any more, but why would
shutting down the port be the right thing to do? CMU does that,
and it means you have to be very careful when plugging in a
higher-end switch, which was recently a problem for Computer
Club. It seems like simply ignoring STP packets from that port
would be just as effective and much less disruptive.
Ivan
Re: STP mitm attack idea
Joel Maslak (Apr 29)
Portfast modifies STP, it does not disable it.
This does make a good argument for pvst and similar technologies running at the vlan level for enterprise networking.
But it is probably best to assume someone with access to a segment can see everything on that segment, pretend to be
anyone else on that subnet, and inject anything onto that subnet. In other words, it is nearly impossible to protect
reliability and somewhat privacy on a shared...
[ MDVSA-2010:087 ] poppler
security (Apr 29)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:087
http://www.mandriva.com/security/
_______________________________________________________________________
Package : poppler
Date : April 29, 2010
Affected: Corporate 4.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities...
Vulnerabilities in CCMS
MustLive (Apr 29)
Hello Bugtraq!
I want to warn you about security vulnerabilities in system CCMS - Clan
Content Management System.
In this advisory I continue to inform readers of mailing lists about
vulnerable web applications which are using CaptchaSecurityImages.php. If
you read Bugtraq you could have seen the letter, from which it's clearly seen that
web developers ignore the advisory about holes in CaptchaSecurityImages.php
itself, and only draw attention on...
Apache ActiveMQ XSS Vulnerability
arun . gnyan (Apr 29)
Vulnerability Info:
26/04/2010 Issue Discovered
26/04/2010 Vendor Notified
27/04/2010 Vendor Confirmed
Class: Cross-Site Scripting (Input validation)
Severity: Medium
Overview:
---------
Apache ActiveMQ is prone to a cross-site scripting vulnerability.
Technical Description:
----------------------
The issue is caused due to the problem in Jetty's error handler that doesn't escape the message.
Impact:
--------
An...
Re: STP mitm attack idea
Jean-Christophe Baptiste (Apr 29)
Well, right, the interface configured with it goes straight from
blocking to forwarding. You got the idea.
I don't see the point. Having one instance of STP per vlan or one for
all, there is no point with the security issue here.
Of course. It is like an attacker having physical access to a machine.
But it does not mean we shouldn't activate some security features to
make the job harder (and increase the noise in case of an attack).
Full Disclosure — An unmoderated high-traffic forum for disclosure of security information. Fresh vulnerabilities sometimes hit this list many hours before they pass through the Bugtraq moderation queue. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. Unfortunately 80% of the posts are worthless drivel, so finding the gems takes patience.
Secunia Research: Internet Download Manager FTP Buffer Overflow Vulnerability
Secunia Research (Apr 30)
======================================================================
Secunia Research 30/04/2010
- Internet Download Manager FTP Buffer Overflow Vulnerability -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of...
Re: Interactive Linux Binary Analysis Tool
Kaddeh (Apr 30)
try this link:
http://sourceforge.net/projects/strace/
Re: NT becoming pure microkernel
Kaddeh (Apr 30)
less mocking moar linking plz
[ MDVSA-2010:088 ] kernel
security (Apr 30)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:088
http://www.mandriva.com/security/
_______________________________________________________________________
Package : kernel
Date : April 30, 2010
Affected: 2010.0
_______________________________________________________________________
Problem Description:
Some vulnerabilities were...
Re: NT becoming pure microkernel
iroz (Apr 30)
The Midori and Singularity projects are just academic projects to
gain reputation on universities and promote the .net framework.
What is really happening is that Microsoft is planning to replace
the win32 subsystem with a .net like subsystem.
The next step is to prepare the kernel for SIMD architectures and
in this step they are planning to make a microkernel based on the
current HAL and microkernel (the code currently responsible of...
Re: Interactive Linux Binary Analysis Tool
Julien Reveret (Apr 30)
Have you looked at systrace? There's a Linux port, even though it may be
dead today: http://www.provos.org/index.php?/categories/2-Systrace
Otherwise, you may want to try sydbox: http://projects.0x90.dk/wiki/sydbox/
Regards
EUSecWest Amsterdam 2010 Call For Papers (short deadline May 5 - conf June 16/17)
Dragos Ruiu (Apr 29)
EUSecWest CALL FOR PAPERS
AMSTERDAM, Nederland -- The sixth annual EUSecWest applied technical
security conference - where the eminent figures in the international
security industry will get together share best practices and technology
- will be held in downtown Amsterdam at the Melkweg Multimedia
Center near Leidseplein on June 16/17, 2010. The most significant new
discoveries about computer network hack attacks and...
[USN-934-1] Netpbm vulnerability
Jamie Strandboge (Apr 29)
===========================================================
Ubuntu Security Notice USN-934-1 April 29, 2010
netpbm-free vulnerability
CVE-2009-4274
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by...
Interactive Linux Binary Analysis Tool
Andrew Lyon (Apr 29)
I'm sure I once read about a tool for linux which could execute a binary and prompt for each particular library or
system call to be approved or whitelisted by various attributes, I have searched everywhere but I can find no trace of
it, I think it was posted to FD, any ideas?
Andy
[ MDVSA-2010:087 ] poppler
security (Apr 29)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:087
http://www.mandriva.com/security/
_______________________________________________________________________
Package : poppler
Date : April 29, 2010
Affected: Corporate 4.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities...
Vulnerabilities in CCMS
MustLive (Apr 29)
Hello Full-Disclosure!
I want to warn you about security vulnerabilities in system CCMS - Clan
Content Management System.
In this advisory I continue to inform readers of mailing lists about
vulnerable web applications which are using CaptchaSecurityImages.php. If
you read Bugtraq you could have seen the letter, from which it's clearly seen that
web developers ignore the advisory about holes in CaptchaSecurityImages.php
itself, and only draw attention...
Re: NT becoming pure microkernel
Nicolas RUFF (Apr 29)
Hello,
Are you talking about the Midori [1]/Singularity [2] project that
started in 2003? Or is there anything new?
[1] http://en.wikipedia.org/wiki/Midori_(operating_system)
[2] http://en.wikipedia.org/wiki/Singularity_(operating_system)
Regards,
- Nicolas RUFF
Re: go public to avoid jail
T Biehn (Apr 29)
But he was a verified paypal buyer, your honor.
lols.
-Travis
[ MDVSA-2010:086 ] kdegraphics
security (Apr 29)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:086
http://www.mandriva.com/security/
_______________________________________________________________________
Package : kdegraphics
Date : April 29, 2010
Affected: Corporate 4.0
_______________________________________________________________________
Problem Description:
Multiple...
Re: go public to avoid jail
Stephen Mullins (Apr 29)
That might work if you went through some sort of "official" channels
with a bill of sale and so forth. Claiming that you sold it to "some
guy on irc" after a paypal payment cleared your account probably
wouldn't be much of a defense in court.
Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
Outbound web performance measurements
Ivan . (Apr 30)
Hi
I recently implemented a new content filtering internal system. This
system does URL filtering, AV, anti-spyware and other content
checking, but what I am looking at doing is setting up a periodic test that
goes out to the Internet, pulls some content down and records the
relevant metrics.
PC------------>Proxy----------->FW------------------>Internet---------------->Site-with-content
Some sort of scheduled process on a PC, that pulls...
Another court case asking for Encryption Keys/Passwords
Michael Painter (Apr 30)
"As I also noted in the Boucher posts, the problem the government faces in a case like this is that if it gives the
suspect immunity to get the encryption key or passwords, it can't use the key or the passwords or any evidence derived
from them, i.e., any evidence they find when they access the encrypted or password-protected computer or computer
media,
against that person. So if the government doesn't appeal this court's ruling or if...
Re: Proxy-aware?
Stephen Mullins (Apr 30)
Extremely common, especially if you are sending all of your HTTP
traffic through a forward proxy that is configured on the box itself
via the browser. An inline proxy, on the other hand, would most
likely not be detected.
Steve
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate....
Re: How can I secure my site?
J. Bakshi (Apr 30)
server
========
[1] mod_security is helpful. Teach it according to your requirement.
[2] From apache or .htaccess restrict bad robots
[3] rewrite rule to redirect non http to https
php
====
php should have some sort of security obviously. Have you implemented those ?
php gurus can suggest more.
thanks
Re: PHP Security ?
Tom Ritter (Apr 30)
This is also a good (but not definitive although the title implies it)
checklist.
http://www.sk89q.com/2009/08/definitive-php-security-checklist/
-tom
Re: How can I secure my site?
Ali Asghar Toraby Parizy (Apr 30)
Hi
I use mysql as db and I have written sql injection and I think
database is secure now. But I have a login form. I want to secure user
login data.
If I copy my code in https folder on my host, are all transmissions
encrypted? How can I find the algorithm and methods that my host uses
for encryption?
Re: PHP Security ?
Alfred (Apr 30)
http://www.milw0rm.com/papers/381
How to simplify the management of 250+ nodes and 1000+ users , in Drupal
im (Apr 30)
Hi,
I have written this tool : < Portal Manager :: Drupal Management Assembly >
which is to remotely manage a drupal based website
You can manage and edit user properties
You can manage and edit posts
you can sort posts on the bases of taxonomies and then manage and edit posts
The tool is written in C# WPF and needs .net framework 3.5 to be pre-installed
Please find the software here: LINK <...
RES: ICMP Redirect Help
Anderson Carvalho (Netplan) (Apr 30)
I think Mark is correct. ICMP redirects work just like Mark mentioned. Note
that on RFC 3330, the IP range 128.0.0.0 is a reserved number.
http://tools.ietf.org/html/rfc3330
Regards
Anderson Carvalho
Project Consultant
Netplan Informática
anderson () netplan com br
Site: www.netplan.com.br
47 3801 3005
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Mark
Sent...
Re: How can I secure my site?
Adam Pal (Apr 30)
Hi Ali,
Providing more detail would be helpful - is there a DB-backend used? If so, that's where protection should start
(dedicated access).
Is the PHP code clean and does it properly filter user inputs? Has it been reviewed?
Simply using a HTTPS connection could protect against an MITM attack but imho that's all - nothing more.
Best regards,
Adam Pal
P.S.
For a full security consultation concerning the page you might try to contract...
Re: please recommend a good linux log analyzer
Giuseppe Fuggiano (Apr 30)
Yeah, I used it and I found it very very slow with the millions of entries
my syslogs were generating.
What about your experience, instead?
Re: How can I secure my site?
Rockey (Apr 30)
Hello,
If you have sufficient privileges on your hosting server then you
can implement open SSL. You can google that
and can find relevant answers.
http://www.modssl.org/
Cheers,
Rockey
Re: How can I secure my site?
Ali Asghar Toraby Parizy (Apr 30)
HI. thanks for reply
I searched certificate authorities and I found that their certificates
are very expensive. for example lowest security level by Verisign is
500$. How can I prepare cheaper certificates? My business is small and
I can't refund for such expensive certificates.
thanks for any help
Re: How can I secure my site?
Rockey (Apr 30)
Hello,
Well you can increase the level of security of your website by
getting an SSL certificate for your website.
Further you can check for vulnerabilities if there are any. OWASP is a
good source for web application security.
Check out and you may find some good programming practices for web.
Cheers,
Rockey
Re: PHP Security ?
TAS (Apr 27)
How to secure PHP
http://www.symantec.com/connect/articles/securing-php-step-step
http://25yearsofprogramming.com/blog/20070808.htm
How to secure Apache
http://www.symantec.com/connect/articles/securing-apache-step-step
A little bit of Google could have helped you my friend.
TAS!
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
Tool announcement - OpenDLP: Identifying sensitive data at rest on hundreds or thousands of systems simultaneously
Andrew Gavin (Apr 29)
OpenDLP is a free and open source, agent-based, centrally-managed,
massively distributable data loss prevention tool released under the
GPL. Given appropriate Windows domain credentials, OpenDLP can
simultaneously identify sensitive data at rest on hundreds or
thousands of Microsoft Windows systems from a centralized web
application. This tool is useful for network/system/security
administrators, compliance consultants, and penetration testing...
RES: IT Security Stencils
Alexandre Fernandes (Apr 29)
Try: http://www.routerfreak.com/visio-files/
Alexandre
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
behalf of Wardell Motley
Sent: Monday, April 26, 2010 20:50
To: pen-test () securityfocus com
Subject: IT Security Stencils
All,
In the next few weeks I am preparing a Microsoft Visio Diagram for an
External\Internal Pen Test of our organization but as I look out...
Re: IT Security Stencils
infosec posts (Apr 29)
Google for "make your own visio shapes." The google cache on the
first result has the directions that should help you out, if you don't
want to run their stupid scripts that check if you have MS Office
installed.
From: Wardell Motley <infowarrior0 () gmail com>
Date: Mon, 26 Apr 2010 18:50:24 -0500
All,
In the next few weeks I am preparing a Microsoft Visio Diagram for an
External\Internal Pen Test of our organization but as I...
Re: IT Security Stencils
51l3n73y3s (Apr 29)
Why don't you search for images from http://images.google.com and paste them
in Visio. It's supported.
Regards, Sandeep
--------------------------------------------------
From: "Wardell Motley" <infowarrior0 () gmail com>
Sent: Tuesday, April 27, 2010 5:20 AM
To: <pen-test () securityfocus com>
Subject: IT Security Stencils
------------------------------------------------------------------------
This list is sponsored...
Re: To validate or not to validate: Client side validation
Patrick Cornelißen (Apr 29)
Hi!
2010/4/27 Alexander Klimov <alserkli () inbox ru>:
I think he is talking about the common pattern that you validate on
the client side for a good user experience and validate later on the
server again.
Re: IT Security Stencils
Wim Remes (Apr 29)
Hi,
I usually use this picture for a bad guy in my drawings.
http://a795.ac-images.myspacecdn.com/images01/27/l_58987d3241776b23b6748be1deb5167a.jpg
He's the perfect representation of "hiding in plain sight" which I believe is what the "bad guys" are doing today.
HTH,
W
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove...
[TOOL] DAVTest
Chris Sullo (Apr 29)
When facing off against a WebDAV enabled server, there are two things to
find out quickly: can you upload files, and if so, can you execute code?
DAVTest attempts to help answer those questions, as well as enable the
pentester to quickly gain access to the host. DAVTest tries to upload
test files of various extension types (e.g., ".php" or ".txt"), checks
if those files were uploaded successfully, and then if they can execute
on...
setting up a pentest/vuln. assessment machine
a bv (Apr 29)
Hi,
I would like to have your recommendations related to setting up a
pentest/vuln assessment machine. Both on the virtual and physical
environment, for automatic and manual testing, for network and web
testing.
Regards.
Re: java app question
Jonathan Cran (Apr 29)
you'll probably want to take a look at the rash of java vulnerabilities
that were released recently (see: full-disclosure). one that may be of
particular use to you is the argument injection vulnerability that was
included in metasploit:
http://blog.metasploit.com/2010/04/java-web-start-argument-injection.
Make sure this type (client-side) of attack is included in your threat
model for the application, even if it isn't in-scope for the...
Hacking Domino (Penetration: from Application down to OS. Getting OS Access Using Lotus Domino Application Server Vulnerabilities )
Alexandr Polyakov (Apr 29)
New Whitepaper from Digital Security Research Group (dsecrg.com)
Penetration: from Application down to OS. Getting OS Access Using Lotus Domino Application Server Vulnerabilities
This whitepaper continues a series of publications made by DSecRG
researchers describing various ways of obtaining access to the server operating system,
using vulnerabilities in popular business applications which meet in the corporate environment.
This time we will...
Re: To validate or not to validate: Client side validation
Joe Peters (Apr 29)
While I like where you are going with this, there is such a wide variety
of browsers out there, that you cannot assume that the circumvention of
javascript is meant as hostile. Quite the contrary, one of the safest
things to do with a browser is turn off scripting. Especially when you
get into text-based browsers and assistive devices for folks who might
be blind etc., disabling scripting is almost requisite to effective use
of the Web.
Given...
RE: java app question
Paul Melson (Apr 27)
the url it launches a java
requests to several different urls
x-serialize object.
Rather than try and reverse the POST requests by looking at packet captures,
I would simply decompile the Java file using jad or JD-Core. The code
generating those requests should be easy enough to find and read.
http://java.decompiler.free.fr/
PaulM
Re: To validate or not to validate: Client side validation
Dotzero (Apr 27)
It would depend on the nature of the site involved. For example, if I
am running a portal for specific clients (a controlled population such
as distributors for a manufacturer) then I might consider that. The
tradeoff of taking a customer support contact might be worth the
benefit of reducing attack footprint.
If I am running a general happy fun stuff portal where the goal is to
maximize page views to get ad revenues then I might choose to be...
IT Security Stencils
Wardell Motley (Apr 27)
All,
In the next few weeks I am preparing a Microsoft Visio Diagram for an
External\Internal Pen Test of our organization but as I look out over
the internet I have been unable to find any Information security
related Visio Stencils. I mean none whatsoever and I believe in
exhausting my google and dogpile resources extensively. What I am
basically looking for is something like a bad guy stencil you know
maybe a guy wearing shades could represent...
Re: java app question
¨˜”°º•C0D3w (Apr 27)
Well as said above by Rogan and Luca, you can try the technique I
recently presented at Black Hat Europe.
Below is the presentation I uploaded on Slideshare, it also contains a
video demonstration of how it works :
http://www.slideshare.net/msaindane/black-hat-eu-2010-attacking-java-serialized-communication
The Burp plug-in template can be found here:
http://www.andlabs.org/tools.html#dser
Also if you are facing problems on passing the data to...
Info Security News — Carries news items (generally from mainstream sources) that relate to security.
Govt bans import of Chinese telecom equipment
InfoSec News (Apr 29)
http://www.thehindubusinessline.com/2010/04/29/stories/2010042952880100.htm
By Thomas K. Thomas
New Delhi
April 28, 2010
The Government has officially told mobile operators not to import any
equipment manufactured by Chinese vendors, including Huawei and ZTE.
Though the Department of Telecom had been informally telling the
operators to keep away from Chinese telecom equipment, this is the first
time that it has sent an order banning Chinese...
Study: Application Security Not An Enterprise Priority
InfoSec News (Apr 29)
http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=224700250
By Kelly Jackson Higgins
DarkReading
Apr 29, 2010
With all of the attention and education surrounding secure coding
practices and Web attacks, you'd think it would be sinking in to
enterprises by now, but not so much, according to a new survey: Only 18
percent of IT security budgets are dedicated to Web application
security, while 43 percent of budgets...
Blog lets readers decide alleged hacker's fate
InfoSec News (Apr 29)
http://blogs.news.com.au/techblog/index.php/news/comments/blog_lets_readers_decide_alleged_hackers_fate
By Andrew Ramadge
blogs.news.com.au
April 29, 2010
TALK about walking the walk -- one of the world's biggest tech blogs is
taking the idea of crowdsourcing to a new level by letting its readers
decide whether or not to press charges against an alleged hacker.
Earlier this year, tech blog TechCrunch was compromised by a hacker who
at...
Symantec buys crypto firms PGP and GuardianEdge
InfoSec News (Apr 29)
http://www.zdnet.co.uk/news/mergers-and-acquisitions/2010/04/29/symantec-buys-crypto-firms-pgp-and-guardianedge-40088811/
By Tom Espiner
ZDNet UK
29 April, 2010
Symantec is buying encryption vendors PGP and GuardianEdge Technologies
to boost its lineup, the company announced on Thursday.
The security company plans to integrate encryption products from PGP and
GuardianEdge into its data loss prevention suite and endpoint protection
products,...
Study: Users OK with mobile devices for sensitive transactions
InfoSec News (Apr 29)
http://www.csoonline.com/article/592258/Study_Users_OK_with_mobile_devices_for_sensitive_transactions
By Joan Goodchild
Senior Editor
CSO
April 29, 2010
Most mobile device users worldwide feel safe using their mobile devices
for applications that involve highly-sensitive information, including
accessing airline boarding passes; making payments in stores for
low-cost items; or to access online banking, according to research
conducted by...
Secunia Weekly Summary - Issue: 2010-17
InfoSec News (Apr 29)
========================================================================
The Secunia Weekly Advisory Summary
2010-04-22 - 2010-04-29
This week: 59 advisories
========================================================================
Table of Contents:
1. Word From...
Terry Childs juror explains why he voted to convict
InfoSec News (Apr 29)
http://www.computerworld.com/s/article/9176114/Terry_Childs_juror_explains_why_he_voted_to_convict
By Robert McMillan
IDG News Service
April 28, 2010
Terry Childs' guilty conviction struck a nerve with IT staffers this
week.
Here was a man who, by all accounts, was good at his job, though lacking
in interpersonal skills. Suddenly, on July 9, 2008, he's pushed into a
tense situation -- a hostile conference call with the human resources...
ITL Bulletin for April 2010
InfoSec News (Apr 28)
ITL BULLETIN FOR APRIL 2010
GUIDE TO PROTECTING PERSONALLY IDENTIFIABLE INFORMATION
Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
U.S. Department of Commerce
Federal organizations maintain significant amounts of information about
individuals and have a special responsibility to protect that
information from loss and misuse....
Texas man cops to botnet-for-hire charges
InfoSec News (Apr 28)
http://www.theregister.co.uk/2010/04/28/botnet_for_hire_guilty/
By Dan Goodin in San Francisco
The Register
28th April 2010
A Texas man has agreed to plead guilty to charges he trained a botnet on
a popular internet service provider so he could demonstrate custom-made
malware to a potential customer.
David Anthony Edwards of Mesquite, Texas admitted that in August 2006 he
and alleged accomplice Thomas James Frederick Smith unleashed a...
Government backs competition to recruit security experts
InfoSec News (Apr 28)
http://www.telegraph.co.uk/technology/7638185/Government-backs-competition-to-recruit-security-experts.html
By Claudine Beaumont
Technology Editor
Telegraph.co.uk
27 April 2010
The competition, which has the backing of the Cabinet Office and the
Metropolitan Police, uses a series of web-based games and challenges to
find people with untapped analytical, forensic and programming skills.
There are fears that unless the country bolsters its...
Storm Worm Reappears
InfoSec News (Apr 28)
http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=224700110
By Kelly Jackson Higgins
DarkReading
April 28, 2010
It's baaack: The bot code used in the infamous, massive Storm botnet
that was taken down nearly two years ago is being used to build another
spamming botnet. Researchers have reverse-engineered the tweaked version
of the original Storm code, which so far has spread somewhere between
10,000 to...
Childs found guilty in SF network password case
InfoSec News (Apr 28)
http://www.computerworld.com/s/article/9176060/Childs_found_guilty_in_SF_network_password_case?taxonomyId=17
By Robert McMillan
IDG News Service
April 27, 2010
Terry Childs, the San Francisco network administrator who refused to
hand over passwords to his boss, was found guilty of one felony count of
denying computer services, a jury found Tuesday.
Childs now faces a maximum of five years in prison after jurors
determined that he had...
CIA Boosting Cybersecurity Investment
InfoSec News (Apr 28)
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=224600617
By Elizabeth Montalbano
InformationWeek
April 27, 2010
The CIA has made investing in technology to prevent and fight cyber
threats as one of its three main priorities in a five-year strategic
plan unveiled this week.
The move is in line with a government-wide ramp-up in cybersecurity
efforts across all agencies that have responsibility for...
Militants using international credit cards for operations
InfoSec News (Apr 28)
http://sify.com/news/militants-using-international-credit-cards-for-operations-news-national-ke1uPNeejgf.html
Sify News
2010-04-27
New Delhi: Terrorists, sleeper cells and terror suspects have been using
international credit cards to fund their operations in India, Parliament
was told on Tuesday.
"As per available reports, instances have come to notice regarding use
of international credit cards by terrorists in India," Minister...
FBI Names Cyber Division Chief
InfoSec News (Apr 26)
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=224600416
By Elizabeth Montalbano
InformationWeek
April 26, 2010
The FBI has a new chief responsible for leading the agency's efforts to
detect and prevent cyberattacks on U.S. critical infrastructure.
Gordon M. Snow is now assistant director of the FBI's Cyber Division,
replacing Shawn Henry, who left the post in January to lead the FBI's
Washington Field...
Firewall Wizards — Tips and tricks for firewall administrators
Re: Firewall best practices
Andre Lima (Apr 30)
With all due respect to Paul and Marcus, SSL is NOT crappy! Most bugs
are implementation induced (openSSH or other less known) and the most
known SSL strip vulnerability is not a problem of SSL but rather a user
awareness issue, because if everyone paid attention to the 's' in https
on their browser, that attack wouldn't be so troublesome.
With respect to the fact that encrypted traffic does go through a
firewall with no inspection...well...
Re: Firewall best practices
ArkanoiD (Apr 30)
Surely the whole thing is about *policies*, not 'devices'. Yes, we knew that since the
very beginning that PKI on the internets is just a cardhouse. But we have yet to see a
root CA commit business suicide in such an unusual way (and it is surely a suicide
as detection is easy and chances to do that unnoticed are pretty low).
The problem is, it doesn't necessarily need to be a root CA. Just any entity with properly
signed certificate with CA basic...
Re: Firewall best practices
ArkanoiD (Apr 30)
_..have you seen qubes OS?
Nice thing and can be configured to do just anything.. but the problem lies
elsewhere: the percentage of people who care about security just enough
to use anything *OTHER* than Windows as their desktop OS is low enough, and
dividing that further leads us to almost non-existent fraction. That's why i
wish some of those VMs were Windows.
Re: Looking for firewall mgmt solution
ArkanoiD (Apr 30)
BTW they had their own firewall, NSM. It was quite feature rich and there
was opensource version. Is it officially dead now?
Re: Firewall best practices
Bruce B. Platt (Apr 30)
lordchariot said in part:
...
Capture some packets when using IE when it finds a web site using a
certificate whose entire certification path is not included in the local
machine account's "Trusted Root Certification Authorities". What happens is
both enlightening and frightening when this occurs with the wrong
certificate.
I chose not to elaborate on the consequences. I share erik's "sigh".
EUSecWest Amsterdam 2010 Call For Papers (short deadline May 5 - conf June 16/17)
Dragos Ruiu (Apr 30)
EUSecWest CALL FOR PAPERS
AMSTERDAM, Nederland -- The sixth annual EUSecWest applied technical
security conference - where the eminent figures in the international
security industry will get together to share best practices and technology
- will be held in downtown Amsterdam at the Melkweg Multimedia
Center near Leidseplein on June 16/17, 2010. The most significant new
discoveries about computer network hack attacks and...
Re: Firewall best practices
Mathew Want (Apr 30)
Cian,
I agree that it would generate a warning but the issue you then have
is users go "Huh?, what?" and click on allow anyway.
To quote a presenter at a security course I attended "If the user is
given the choice between security and seeing a dancing snowman, the
snowman wins every time!".
The "advantage" that SSL had for the general populace for nonEvil(tm)
purposes was that we could say that if the little...
Re: Firewall best practices
Marcus J. Ranum (Apr 30)
ArkanoiD wrote:
Everyone forgets that SSL was only really intended to solve a
fairly limited problem. That problem being, namely, "how can
Verisign and RSA monetize their patents on PKI?" - if you
want to understand why SSL is the way it is, you need to consider
what it was designed to do; then everything makes sense.
As I said earlier, I'm boggled that nobody has fixed it.
Consider that a measure of how much standards bodies are...
Re: Firewall best practices
ArkanoiD (Apr 28)
fwtk's grand-child does exactly that: you inspect traffic from "low-security"
sites to treat it just like generic http and leave banking/online payment connections intact.
I am thinking on adding a feature to examine certificates to ensure its validity
without MITMing the SSL itself. Have you seen my paper? I think i posted a link here.
Re: Firewall best practices
ArkanoiD (Apr 28)
There is one, and it is aggressively marketed as "next generation" firewall (again).
I was thinking about this idea as well, but found its practical value insufficient
to match the effort. Marketing hypes have little to do with practical value, though.
(another comment inline, scroll down ;-)
Well, we are already capable of inspecting web mail just like traditional
email messages (well, exactly. and it works both ways, so all...
Re: Firewall best practices
Fetch, Brandon (Apr 28)
Sorry - read the paper. It boils down to included "already trusted CA's" on the browser and a complicit CA cooperating
with a nefarious entity to issue another cert for a targeted domain.
The hardware device the paper refers to can have this cert installed and proceed to impersonate the targeted domain
thus decrypting all traffic destined for that destination.
-----Original Message-----
From: firewall-wizards-bounces () listserv...
Re: Firewall best practices
Lloyd, Mike (Apr 28)
Carson Gaspar wrote:
For a firewall thinking beyond the header, you may want to check out Palo
Alto - http://www.paloaltonetworks.com/
You never know, if you could record your serious thinking and send it back
in time a few years, you might be able to sue them retroactively :-)
For those of us still doing firewalls, it's an interesting evolution.
It's particularly useful to those of us who automate firewall analysis - a
whole new mountain of...
Re: Firewall best practices
Cian Brennan (Apr 28)
Where it would generate cert errors for every user?
These only make sense where you can install the proxy's wildcard cert on all of
the client machines. Neither coffee houses, nor ISPs can do this.
Re: Firewall best practices
Dave Piscitello (Apr 28)
Marcus,
The problem isn't exclusively that SSL is MITMable: it's (broadly) the
lack of or limited clue when assessing risk. While SSL may be in your
terms crappy security, you can use it effectively enough so that you
aren't the low hanging fruit, and today, there is so much low hanging
fruit, effective security is pretty much reduced to creating the
perception that someone else is an easier target.
For example, in many scenarios where SSL...
Re: Firewall best practices
lordchariot (Apr 28)
Speaking of rogue root CAs. Mozilla recently discovered a CA they couldn't
account for that was presumably from RSA.
http://blogs.zdnet.com/security/?p=6016&tag=nl.e589
They have since confirmed its authenticity in an update, but can you imagine
if a nefarious CA got embedded into the browser?
Meh, it actually probably wouldn't make much difference anyway. Users are
just going to click OK anyway to bypass the warning...sigh.
-erik
IDS Focus — Technical discussion about Intrusion Detection Systems. You can also read the archives of a previous IDS list
OSSEC and Windows messages
evilwon12 (Apr 20)
I am trying to match on a windows error message and am not having any luck. What I do not want to do is ignore the
rule completely, only certain messages.
An example message is this:
Integrity checksum changed for:
'C:\Win32/system32/directory1/directory2/directory3/...../name.txt'
I want to filter out based on "directory3" OR a sub-string on that. I have not been able to filter on anything in the
message string. My thoughts are...
Announcing: Ruby API for xtractr
kowsik (Mar 18)
What started off as a way to unit test the RESTful API for xtractr has
now turned into a Ruby gem that we are releasing as open source. First
xtractr, then nuggets and now a gem.
We are happy to announce a Ruby gem for xtractr which takes all the
goodness of Ruby and interacts RESTfully with xtractr for oh-so-fun
network forensics and troubleshooting all from within IRB, the
interactive Ruby shell.
Blog: http://bit.ly/baW3zZ
Code:...
Decrypting PPTP network traffic
Alexander Perchov (Mar 17)
Note: apologies for cross posting - I hope to get more coverage this
way, because google hasn't been helping lately ;-)
I am looking for a tool that can decrypt MPPE (Microsoft
Point-to-Point Encryption) network traffic given a pcap (or any other
format really) and the correct key / NTLM hash. Is anyone aware of
such a tool - public or even private software?
Most tools (and there isn't an awful lot of them anyway!) focus on
breaking...
Call for Papers: EC2ND 2010
Konrad Rieck (Mar 08)
Dear Colleagues,
Please find attached the Call for Papers for EC2ND 2010,
the sixth European Conference on Computer Network Defense,
which will be held in Berlin, Germany, October 28-29, 2010.
Please feel free to distribute this announcement. We apologize
if you receive multiple copies of this message.
Best Regards,
The EC2ND 2010 Organization Committee
* * * * * *
6th European Conference on Computer...
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
Re: Flash Obfuscation
0x4150 (May 01)
My company had a pen test of the application and the tester reported
that we should obfuscate the flash content. I would like to make it as
difficult as possible for an attacker to reverse and understand the
application logic. The application deals with sensitive data so I want
to protect it (as much as possible). I was told there were ~3 products
on the market which can obfuscate flash, but none seemed reputable.
This list is sponsored by...
Re: Flash Obfuscation
Brad Causey (May 01)
What's your goal? Maybe that'll help us help you.
Re: Flash Obfuscation
Paul Melson (Apr 30)
I wouldn't recommend any of them as a way to actually secure anything
as the end result must still be a SWF file that Flash Player can parse
correctly, and therefore they can be decompiled or debugged in order
to reverse the code.
The only example of obfuscated ActionScript that I've seen to date has
been a malware dropper. In that case it was about 20 minutes by hand
to reverse. About 1 minute for Wepawet to do the same.
PaulM
EUSecWest Amsterdam 2010 Call For Papers (short deadline May 5 - conf June 16/17)
Dragos Ruiu (Apr 30)
EUSecWest CALL FOR PAPERS
AMSTERDAM, Nederland -- The sixth annual EUSecWest applied technical
security conference - where the eminent figures in the international
security industry will get together to share best practices and technology
- will be held in downtown Amsterdam at the Melkweg Multimedia
Center near Leidseplein on June 16/17, 2010. The most significant new
discoveries about computer network hack attacks and...
CONFidence 2010, 25-26th May - Call For Participation
Andrzej Targosz (Apr 29)
########## INTRO ##########
In response to last year's high interest in the Krakow edition of
CONFidence we would like to sincerely inform and invite you to the
next event which will be held in Krakow, on the 25-26 May.
########## CONFidence & PH-NEUTRAL ##########
CONFidence is an internationally recognized conference where
practitioners, researchers, and developers in computer security meet,
learn and exchange practical ideas and...
Flash Obfuscation
0x4150 (Apr 29)
Has anyone done obfuscation of a flash application? If so, what
tool(s) would you recommend?
Thanks,
AP
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
Re: java app question
Jonathan Cran (Apr 27)
you'll probably want to take a look at the rash of java vulnerabilities
that were released recently (see: full-disclosure). one that may be of
particular use to you is the argument injection vulnerability that was
included in metasploit:
http://blog.metasploit.com/2010/04/java-web-start-argument-injection.
Make sure this type (client-side) of attack is included in your threat
model for the application, even if it isn't in-scope for the...
RE: java app question
Paul Melson (Apr 27)
the url it launches a java
requests to several different urls
x-serialize object.
Rather than try and reverse the POST requests by looking at packet captures,
I would simply decompile the Java file using jad or JD-Core. The code
generating those requests should be easy enough to find and read.
http://java.decompiler.free.fr/
PaulM
Re: java app question
¨˜”°º•C0D3w (Apr 27)
Well as said above by Rogan and Luca, you can try the technique I
recently presented at Black Hat Europe.
Below is the presentation I uploaded on Slideshare, it also contains a
video demonstration of how it works :
http://www.slideshare.net/msaindane/black-hat-eu-2010-attacking-java-serialized-communication
The Burp plug-in template can be found here:
http://www.andlabs.org/tools.html#dser
Also if you are facing problems on passing the data to...
t2'10: Call for Papers 2010 (Helsinki / Finland)
Tomi Tuominen (Apr 25)
### t2'10 - Call For Papers ###
Helsinki, Finland
October 28 - 29, 2010
We are pleased to announce the annual t2´10 conference, which will take
place in Helsinki, Finland, from October 28 to 29, 2010.
We are looking for original technical presentations in the fields of
information security. Presentations should last a minimum of 60 minutes
and a maximum of two hours and be presented in...
Re: java app question
Rogan Dawes (Apr 24)
Here is a list I made up a while ago:
=====snip======
Reviewing a thick client for security problems
secure comms
- SSL & hostname verification
Authentication & Session management
- handle credentials safely
- handle sessions safely
- handle account management functions safely - change password, etc
Access Control
- Check whether client side access control (presentation layer) is being
performed
Validation (request/Response)
-...
Re: java app question
Luca Carettoni (Apr 24)
Hi,
the application is likely using Java serialized objects.
During the recent BH Europe, Manish has just released a new tool to intercept
such content using Burp.
Have a look at:
http://blog.andlabs.org/2010/04/attacking-java-serialized-communication.html
http://www.andlabs.org/presentations/Attacking_JAVA_Serialized_Communication-slides.pdf
A few other interesting resources:
[Assessing Java Clients with the BeanShell]...
[HITB-Announce] HITBSecConf2009 - Malaysia Videos Released!
Hafez Kamal (Apr 23)
The second quarterly HITB eZine (issue 002) has been released! Grab your
copies from here:
https://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=35995
===
3 months ago, our newly 'reborn' ezine was a completely new experience
to our small team and we didn't expect it to have a lot of followers
considering its absence for many years. But to our surprise, we received
over 20K downloads just weeks after its...
java app question
learn lids (Apr 23)
hi all,
i am looking to pen test an app which is not a webapp :) . on browsing to the url it launches a java application using
jnlp.
i used a network traffic sniffer to see the traffic, and it is making post requests to several different urls (e.g.
webapp.com/generatereport etc.), and the response is of type x-serialize object.
any suggestions on what could be things to look at for such a pentest?
thanks
[HITB-Announce] HITB eZine Issue 002 out now!
Hafez Kamal (Apr 23)
The second quarterly HITB eZine (issue 002) has been released! Grab your
copies from here:
https://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=35995
===
3 months ago, our newly 'reborn' ezine was a completely new experience
to our small team and we didn't expect it to have a lot of followers
considering its absence for many years. But to our surprise, we received
over 20K downloads just weeks after its...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Re: Sharepoint FTW! :>
NeZa (Apr 30)
My proxy filters out Null byte chars, however due to SharePoint decoding
design, that helped to bypass my Proxy by injecting the well known variant
%2500, so below string also works:
http://wss1-ch-bfr/_layouts/help.aspx?cid0=MS.WSS.manifest.xml%2500%3Cscript%3Ealert%28%27VivaMexico!!%27%29%3C/script%3E&tid=X
My 2 pesos!
Re: Sharepoint FTW! :>
Steve Shockley (Apr 30)
I confirmed it doesn't work in Sharepoint 2010 or WSS 2.0, although
that's not what you asked...
Re: Sharepoint FTW! :>
pUm (Apr 30)
yeah, just checked it yesterday and it works - pretty interesting to
see that the null character is really needed
2010/4/29 dave <dave () immunityinc com>:
Sharepoint FTW! :>
dave (Apr 29)
Has anyone checked out this Sharepoint 2007 XSS? Does it work? Sharepoint is one of
the single largest data security risks in most large Enterprises and everyone pretty
much ignores it, which is always funny. :>
http://www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007.html
This is the string that's supposed to work. Someone try it and let us all know! :>...
MS10-025
dave (Apr 23)
So MS retracted their patch saying "It didn't work". How does that happen in this day
and age? Who reminded them it didn't work? Everyone should have stayed quiet and then
just laughed at them at parties!!!
But we're coming up on the time when all Windows 2000 bugs live forever (like
essentially all Solaris 0days do). Outside my metaphorical window I can see hackers
toasting to the 0days that died in their sleep.
If you're using the...
Automated vulnerability analysis of zero-sized heap allocations
Julien Vanegue (Apr 22)
I am pleased to announce the publication of some of the security research I have performed as a member of the Microsoft
Security Engineering Center (MSEC) penetration testing team over the last year.
The following presentation was given at the Hackito Ergo Sum (HES'10) conference on April 10th 2010 in Paris, France.
Slides are now available at the following location:...
numerous projects you might be interested in
travis+ml-dailydave (Apr 19)
Hey all,
I just wanted to let you know about a couple of projects that may interest
you and are in need of an audience.
First, the Dynamic Firewall Daemon is here:
http://www.subspacefield.org/security/dfd/
I would very much like feedback on this project, and am looking for
someone to take over dfd_tbk (the Linux/iptables/python
implementation). The other, the OpenBSD/pf/python implementation, is
under somewhat active development, and now that...
Re: Attribution
Yvan Boily (Apr 15)
Donald Rumsfeld said it best:
There are known knowns. These are things we know that we know. There
are known unknowns. That is to say, there are things that we know we
don't know. But there are also unknown unknowns. There are things we
don't know we don't know.
I don't agree with your metric as a measure of "Am I winning?". If I
am being kicked by my enemies while I am on the ground, I can
attribute the source of attacks with a high...
Re: Attribution
dan (Apr 15)
Point of information (or bias if you prefer): Full
attribution requires a degree of surveillance that
precludes privacy, or at least that definition of
privacy which reads "no information available."
As my friend Ed Giorgio wrote, speaking of NSA,
"We have a saying in this business: Privacy and
security are a zero-sum game." In short, yes you
certainly can get full attribution, but at a cost.
Probably contributing to a...
Re: Attribution
Josh Saxe (Apr 15)
In an interesting presentation I saw recently someone mentioned that Attribution is
hard in cyberspace (f.e. [1]), which generally is discussed in the context of
"Deterrence"[2]. I really like the term "cyberspace", although I know people hate it.
First of all cyberspace is not "the Internet". It's (imho) a collection of networks,
information systems, databases, phone networks, people's heads, and other...
Re: Attribution
Jordan Frank (Apr 15)
Huh? measures and information theory have no issues with the
continuum, where singletons may have measure 0. grains of salt may
have infinitesimally small weights. this is no problem at all.
attribution can be defined as the goal of a process by which
information is gained (hopefully monotonically), as long as the size
(measure) of the set of suspects is inversely proportional to the
amount of information one has attained. it's all kosher....
Re: Attribution
Shane (Apr 14)
Dave: This seems to be somewhat paradoxical, given the definition of
"know" itself is not black&white. How can you know? Even the size of
cyberspace. A necessary first step towards knowing anything about the
actors within. Given the expansive set of data sources of your
cyberspace, it does not seem possible to derive any meaningful
metric/statistics (or at a minimum some proportional grain of salt has
to be weighted)....
Attribution
dave (Apr 14)
In an interesting presentation I saw recently someone mentioned that Attribution is
hard in cyberspace (f.e. [1]), which generally is discussed in the context of
"Deterrence"[2]. I really like the term "cyberspace", although I know people hate it.
First of all cyberspace is not "the Internet". It's (imho) a collection of networks,
information systems, databases, phone networks, people's heads, and other...
Re: MMS + Java
Florian Weimer (Apr 14)
It's not a new class of bugs. This pattern (mentioned in the URL
above):
| Based on my very brief analysis, Java 6 update fixes this problem by
| altering the Statement.invoke() to use the AccessControlContext
| captured at the moment of instantiation when it uses the reflection.
can be found throughout the JDK when certain callback schemes which
would otherwise act as a bypass for callstack-based security checks
are used.
But kudos to Sami...
MMS + Java
dave (Apr 13)
So we released an exploit for Sami's new class of vulnerabilities in Java (which is
awesome, btw - everyone should read that).
http://slightlyrandombrokenthoughts.blogspot.com/
And we also released just now an exploit for MS10-025 (Microsoft Media Server). How
much Microsoft Media Server is still available in the world, I wonder? It used to be
VERY popular, but is ten years old now, and essentially depreciated. (When does MS
stop releasing...
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
[HITB-Announce] HITB eZine Issue 002 out now!
Hafez Kamal (Apr 23)
The second quarterly HITB eZine (issue 002) has been released! Grab your
copies from here:
https://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=35995
===
3 months ago, our newly 'reborn' ezine was a completely new experience
to our small team and we didn't expect it to have a lot of followers
considering its absence for many years. But to our surprise, we received
over 20K downloads just weeks after its...
[HITB-Announce] FINAL CALL - CFP for HITBSecConf2010 Amsterdam
Hafez Kamal (Apr 08)
This is the FINAL CALL to submit your talk / presentation proposals for
the inaugural HITB Security Conference in Europe! Submissions are due
by 19TH APRIL 2010.
HITBSecConf2010 - Amsterdam takes place at the Grand Krasnapolsky from
the 29th of June till the 2nd of July (Tuesday - Friday) with keynote
speakers Anton Chuvakin and Mark Curphey in our _first ever_ QUAD TRACK
conference.
To submit your presentation proposals and for further details...
Call For Papers - hack.lu 2010 - 27-29 October - Luxembourg
Alexandre Dulaunoy (Apr 04)
Call for Papers Hack.lu 2010
The purpose of the hack.lu convention is to give an open and free
playground where people can discuss the implication of new
technologies in society. hack.lu is a balanced mix convention where
technical and non-technical people can meet each other and share
freely all kinds of information. The convention will be held in the
Grand-Duchy of Luxembourg in October 2010 (27-29.10.2010). The...
[HITB-Announce] HITBSecConf2009 - Malaysia Videos Released!
Hafez Kamal (Mar 23)
The videos from the 7th annual Hack in The Box security conference held
in Malaysia last year have been released! On a related note, do keep in
mind that online registration for HITBSecConf2010 - Dubai closes in less
than 4 weeks and the Call for Papers for HITBSecConf2010 - Amsterdam is
still open for submissions (Submissions are due no later than 19th April 2010)!
HITB CFP
http://cfp.hackinthebox.org/
===
HITB Videos
http://video.hitb.org/...
[HITB-Announce] HITBSecConf2010 - Dubai Agenda Released
Hafez Kamal (Mar 14)
Conference agenda for HITBSecConf2010 - Dubai has been announced!
Welcoming Address by H.E Mohammed Nasser Al-Ghanim (Director General, UAE Telecom Regulatory Authority - TRA) -- TBC
Keynote 1: John Viega (CTO, SaaS, McAfee Inc.) -- A/V Vendors Aren't As Dumb As They Look
Keynote 2: Matt Watchinski (Senior Director of Vulnerability Research, Sourcefire Inc.) -- TBA
1.) Daniel Mende (ERNW GmbH) with Oliver Roeschke (ERNW GmbH) -- Attacking...
Re: DNS honeypots?
Jason Ross (Mar 03)
But it would have the advantage of allowing you to capture further
traffic for analysis through whatever tools you choose.
Re: DNS honeypots?
Alexandre Dulaunoy (Mar 03)
We have used various techniques to make DNS honeypots. But there is
an easy to do "fake" DNS server using Net::DNS::Nameserver :
http://search.cpan.org/~olaf/Net-DNS/
You can even find a simple example in the POD :
http://search.cpan.org/~olaf/Net-DNS/lib/Net/DNS/Nameserver.pm
If you want to make a low-interaction nameserver, you can filter
the request and answer to limit the malicious queries but still gain
information by doing and...
Re: DNS honeypots?
Brent Huston (Mar 03)
Likely nothing today, most malware isn't smart enough to figure that out.
Re: DNS honeypots?
Jason Lewis (Mar 03)
Slightly related, I was wondering what might happen if I made every
query to the honeypot resolve back to the honeypot?
Re: DNS honeypots?
Brent Huston (Mar 03)
One of the tactics our clients use is that they stand up one of our HoneyPoint Agents on a decoy box and then send all
malicious and failed queries to that IP address. The HoneyPoint Agent then absorbs the traffic for analysis.
You can find a little bit about it from one of our customers here, they wrote it up with us: http://hurl.ws/cbhp
Let me know if that helps!
Re: DNS honeypots?
chr1x (Mar 02)
This post looks pretty interesting!
Let's analyze your requirement:
1. Logging malicious queries
2. Reject/Deny any possible dns attack attempt
Well, from my point of view, going from the Honeypot concept which is
to track hackers, probably the best way that you can follow is to setup an
IPS instead of a Sensor. Personally, I don't see the purpose to have a
"Reactive" honeypot if the objective of a honeypot is to be the most
open possible...
Re: DNS honeypots?
Jason Lewis (Mar 02)
I just figured I'd setup something to log access and see what shows
up. I wasn't planning on directing traffic to the system.
Re: DNS honeypots?
Jason Lewis (Mar 02)
Cool, this is the kind of thing I was thinking of doing. I was hoping
I wouldn't have to reinvent the wheel.
Thanks.
Re: DNS honeypots?
Jason Ross (Mar 02)
There's quite a lot of (bad and good) bots "out there" looking for DNS
servers, particularly ones that appear to permit recursive queries to
the Internet. Just leaving a box on the net that meets those criteria
will collect a fair amount of queries.
Re: DNS honeypots?
Valdis . Kletnieks (Mar 02)
On Tue, 02 Mar 2010 15:00:43 EST, Jason Lewis said:
Out of curiosity, how do you get traffic directed to the honeypot without
listing it in an NS entry for an SOA? Give it a hostname like ns1.exampe.com
and hope that works?
MS Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products -- note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Bulletin Re-Release
Microsoft (Apr 27)
********************************************************************
Title: Microsoft Security Bulletin Re-Release
Issued: April 27, 2010
********************************************************************
Summary
=======
The following bulletin has undergone a major revision increment:
* MS10-025 - Critical
Bulletin Information:
=====================
* MS10-025 - Critical
-...
Microsoft Security Bulletin Major Revision
Microsoft (Apr 21)
********************************************************************
Title: Microsoft Security Bulletin Major Revision
Issued: April 21, 2010
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.
* MS10-025 - Critical
Bulletin Information:
=====================
* MS10-025 - Critical
-...
Microsoft Security Bulletin Summary for April 2010
Microsoft (Apr 13)
********************************************************************
Microsoft Security Bulletin Summary for April 2010
Issued: April 13, 2010
********************************************************************
This bulletin summary lists security bulletins released for
April 2010.
The full version of the Microsoft Security Bulletin Summary for
April 2010 can be found at
http://www.microsoft.com/technet/security/bulletin/ms10-apr.mspx.
With...
Microsoft Security Bulletin Summary for March 2010
Microsoft (Mar 30)
********************************************************************
Microsoft Security Bulletin Summary for March 2010
Issued: March 30, 2010
********************************************************************
This bulletin summary lists security bulletins released for
March 2010.
The full version of the Microsoft Security Bulletin Summary for
March 2010 can be found at
http://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx.
With...
Microsoft Security Bulletin Major Revisions
Microsoft (Mar 09)
********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: March 9, 2010
********************************************************************
Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.
* MS09-033 - Important
Bulletin Information:
=====================
* MS09-033 - Important
-...
Microsoft Security Bulletin Summary for March 2010
Microsoft (Mar 09)
********************************************************************
Microsoft Security Bulletin Summary for March 2010
Issued: March 9, 2010
********************************************************************
This bulletin summary lists security bulletins released for
March 2010.
The full version of the Microsoft Security Bulletin Summary for
March 2010 can be found at
http://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx.
With...
Microsoft Security Bulletin Summary for February 2010
Microsoft (Feb 09)
********************************************************************
Microsoft Security Bulletin Summary for February 2010
Issued: February 9, 2010
********************************************************************
This bulletin summary lists security bulletins released for
February 2010.
The full version of the Microsoft Security Bulletin Summary for
February 2010 can be found at...
Microsoft Security Bulletin Summary for January 2010
Microsoft (Jan 21)
********************************************************************
Microsoft Security Bulletin Summary for January 2010
Issued: January 21, 2010
********************************************************************
This bulletin summary lists the out-of-band security bulletin
released on January 21, 2010.
The full version of the Microsoft Security Bulletin Summary for
January 2010 can be found at...
Microsoft Security Bulletin Major Revision
Microsoft (Jan 14)
********************************************************************
Title: Microsoft Security Bulletin Major Revision
Issued: January 13, 2010
********************************************************************
Summary
=======
The following bulletin has undergone a major revision increment.
* MS09-073 - Important
Bulletin Information:
=====================
* MS09-073 - Important
-...
Microsoft Security Bulletin Summary for January 2010
Microsoft (Jan 12)
********************************************************************
Microsoft Security Bulletin Summary for January 2010
Issued: January 12, 2010
********************************************************************
This bulletin summary lists security bulletins released for
January 2010.
The full version of the Microsoft Security Bulletin Summary for
January 2010 can be found at
http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx....
Microsoft Security Bulletin Re-Release
Microsoft (Jan 12)
********************************************************************
Title: Microsoft Security Bulletin Re-Release
Issued: January 12, 2010
********************************************************************
Summary
=======
The following bulletin has undergone a major revision increment.
* MS09-035 - Moderate
Bulletin Information:
=====================
* MS09-035 - Moderate
-...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Microsoft wants you to be funny
Alex Eckelberry (Apr 30)
The corporate method to understanding and appreciating humor.
http://www.microsoft.com/education/competencies/humor.mspx
Re: The new Facebook API exposes the events that some users attend to anyone on the Internet
Rich Kulawiec (Apr 30)
I think it might be simpler to cut to the chase and just say "Facebook
(and any other company in the privacy destruction sector) may at any
moment publish any scrap of data you've ever given it".
---Rsk
"Every asshole who ever chanted 'Drill Baby Drill' should have to report
to the Gulf Coast today for cleanup duty." -- Bill Maher, 4-29-2010
The new Facebook API exposes the events that some users attend to anyone on the Internet
Juha-Matti Laurio (Apr 30)
http://zestyping.livejournal.com/256801.html
Facebook has reportedly changed the mechanism on 26th Apr.
Tool:
http://zesty.ca/facebook
Juha-Matti
EUSecWest Amsterdam 2010 Call For Papers (short deadline May 5 - conf June 16/17)
Dragos Ruiu (Apr 29)
EUSecWest CALL FOR PAPERS
AMSTERDAM, Nederland -- The sixth annual EUSecWest applied technical
security conference - where the eminent figures in the international
security industry will get together to share best practices and technology
- will be held in downtown Amsterdam at the Melkweg Multimedia
Center near Leidseplein on June 16/17, 2010. The most significant new
discoveries about computer network hack attacks and...
McAfee surpasses North Korea as cyberattack power war (Estonia)
Rich Kulawiec (Apr 29)
I love that headline. ;-)
http://dickdestiny.com/blog1/2010/04/22/cult-of-cyberwar-mcafee-surpasses-north-korea-as-cyberattack-power/
---Rsk
A socio-psychological analysis of the first internet war (Estonia)
Gadi Evron (Apr 28)
Hi,
In the past year I have been working in collaboration with psychologists
Robert Cialdini and Rosanna Guadagno on a paper analyzing some of what I
saw from the social perspective in Estonia, when I wrote the post-mortem
analysis for the 2007 attacks, but didn't understand at the time.
We analyze how the Russian-speaking population online was manipulated to
attack Estonia (and Georgia) in the "cyber war" incidents, and how it...
Re: Apparently McAfee stepped on their genitals today...
Drsolly (Apr 28)
I'll be using this at my Helsinki talk as an example of why the current AV
design for software cannot work.
Awareness or enforcement?
Robert Slade (Apr 28)
Kind of a result of Spaf's First Principle of Security Administration:
If you have responsibility for security, but have no authority to set rules or punish violators, your own role in the
organization is to take the blame when something big goes wrong.
http://www.schneier.com/blog/archives/2010/04/seat_belt_use_a.html
Standing up to the man.
rackow (Apr 28)
Interesting story on police car video records.
http://www.darknet.org.uk/2010/04/seattle-computer-security-expert-turns-tables-on-the-police/
-_Gene
Re: Security research vuln pimps
Michal Zalewski (Apr 28)
If my memory serves me right, I found over 200 vulnerabilities, pretty
much all of them in high-profile client- and server-side apps. This
makes me think I have a pretty good body of evidence to work with.
Now, with this in mind: let me categorically assert that *none* of
these findings I would attribute to my amazing brilliance, divine
intervention, or any other unique circumstances.
A vast majority of them were just a result of the security...
Re: New Cause of Earthquakes: Promiscuity
Andy Grosser (Apr 28)
Who are you who are so wise in the ways of science?
Re: Apparently McAfee stepped on their genitals today...
Attrition (Apr 28)
Ah yes, this was the day I learned that my ePO server was not
exactly handling the deployment of new DAT files as I had initially
thought... (You know, in phases -- the first of which being to deploy
DATs into a test group several hours before general release.) What a
day, endless hours of fun.
Between this and the fact that McAfee consistently fails to detect
certain malware (A Monkif variant most recently, for example), it's
becoming...
100 attacks per second?
Paul Vixie (Apr 28)
Hi-tech criminals are racking up more than 100 attacks a second on the
world's computers, a survey suggests.
While most of these attacks cause no trouble, the Symantec report suggests
that one attack every 4.5 seconds does affect a PC.
The wave of attacks was driven by a steep rise in malicious software in
circulation, said the annual report.
The number of malware (malicious software) samples that Symantec saw in
2009 was 71% higher than in...
hackerfail.org
HackerFail .org (Apr 28)
http://hackerfail.org - because we deserve a failblog of our own. :)
Please feel free to submit any memorable hacking or hacker fail scene or
moment you know of so that we can create a place for us to waste minutes of
lame fun when times are of such boredom. ;)
Pakistan's First AntiVirus?
Paul Ferguson (Apr 27)
From the folks that brought you Brain(c).
Just kidding. :-)
http://www.instantviruskiller.com/
Is this for real?
instantviruskiller.com -A-> 65.175.116.227
AS7393: Cybercon
Checking server [whois.webnic.cc]
Results:
The Data in Web Commerce Communications Limited ("WEBCC")'s WHOIS database
is provided by WEBCC for information purposes, and to assist in obtaining
information about or related to a domain name registration...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, bulletins, tips, and current activity lists.
Current Activity - Opera Software Releases Opera 10.53
Current Activity (Apr 30)
US-CERT Current Activity
Opera Software Releases Opera 10.53
Original release date: April 30, 2010 at 2:14 pm
Last revised: April 30, 2010 at 2:14 pm
Opera Software has released Opera 10.53 to address a vulnerability.
Exploitation of this vulnerability may allow an attacker to execute
arbitrary code.
US-CERT encourages users and administrators to review the Opera
Software security advisory related to this vulnerability and upgrade
to Opera...
Current Activity - Microsoft Releases Security Advisory 983438
Current Activity (Apr 30)
US-CERT Current Activity
Microsoft Releases Security Advisory 983438
Original release date: April 30, 2010 at 10:47 am
Last revised: April 30, 2010 at 10:47 am
Microsoft has released security advisory 983438 to notify users of a
vulnerability in Microsoft Windows SharePoint Services 3.0 and
Microsoft Office SharePoint Server 2007. The advisory states that
Microsoft is investigating public reports of exploitation of the
vulnerability that may...
Cyber Security Tip ST05-004 -- Avoiding Copyright Infringement
US-CERT Security Tips (Apr 28)
Cyber Security Tip ST05-004
Avoiding Copyright Infringement
Although copyright may seem to be a purely legal issue, using unauthorized
files could have security implications. To avoid prosecution and minimize
the risks to your computer, make sure you have permission to use any
copyrighted information, and only download authorized files.
How does copyright infringement apply to the...
Current Activity - Google Releases Chrome 4.1.249.1064
Current Activity (Apr 28)
US-CERT Current Activity
Google Releases Chrome 4.1.249.1064
Original release date: April 28, 2010 at 8:21 am
Last revised: April 28, 2010 at 8:21 am
Google has released Chrome 4.1.249.1064 for Windows to address
multiple vulnerabilities. These vulnerabilities may allow an attacker
to execute arbitrary code or bypass the same origin policy in the
browser.
US-CERT encourages users and administrators to review the Google
Chrome Releases blog...
Current Activity - Microsoft Re-Releases Security Update for MS10-025
Current Activity (Apr 27)
US-CERT Current Activity
Microsoft Re-Releases Security Update for MS10-025
Original release date: April 27, 2010 at 4:39 pm
Last revised: April 27, 2010 at 4:39 pm
Microsoft has re-released the security update related to Microsoft
security bulletin MS10-025. This vulnerability affects Windows Media
Services running on Windows 2000 Server. The original release of this
update had been revoked last week because it did not effectively
correct the...
SB10-116 -- Vulnerability Summary for the Week of April 19, 2010
US-CERT Security Bulletins (Apr 26)
Vulnerability Summary for the Week of April 19, 2010
This bulletin provides a summary of new vulnerabilities that have been
recorded by the National Institute of Standards and Technology (NIST)
National Vulnerability Database (NVD) the week of April 19, 2010. It is
available here:
http://www.us-cert.gov/cas/bulletins/SB10-116.html
For instructions on subscribing to or unsubscribing from this
mailing list, visit <...
Current Activity - Microsoft Revokes Security Update
Current Activity (Apr 23)
US-CERT Current Activity
Microsoft Revokes Security Update
Original release date: April 23, 2010 at 9:25 am
Last revised: April 23, 2010 at 9:25 am
The Microsoft Security Response Center has posted a blog entry
indicating that it has revoked the update related to Microsoft
security bulletin MS10-025 because it does not effectively correct the
underlying vulnerability. This vulnerability affects Windows Media
Services running on Windows 2000...
Current Activity - McAfee DAT 5958 Issues
Current Activity (Apr 22)
US-CERT Current Activity
McAfee DAT 5958 Issues
Original release date: April 21, 2010 at 3:04 pm
Last revised: April 22, 2010 at 7:10 pm
US-CERT is aware of public reports indicating that McAfee DAT release
5958 is incorrectly identifying the valid system file,
C:\Windows\system32\svchost.exe, as containing malicious code. Reports
indicate that a false positive detection occurs on Windows XP Service
Pack 3 systems. Symptoms include a...
Current Activity - VideoLAN Releases Security Advisory for VLC Media Player
Current Activity (Apr 22)
US-CERT Current Activity
VideoLAN Releases Security Advisory for VLC Media Player
Original release date: April 22, 2010 at 8:20 am
Last revised: April 22, 2010 at 8:20 am
VideoLAN has released a security advisory to address multiple
vulnerabilities in VLC Media Player. These vulnerabilities may allow
an attacker to execute arbitrary code or cause a denial-of-service
condition.
US-CERT encourages users and administrators to review VideoLAN...
Current Activity - Cisco Releases Security Advisory for Small Business Video Surveillance Cameras and 4-Port Gigabit Security Routers
Current Activity (Apr 22)
US-CERT Current Activity
Cisco Releases Security Advisory for Small Business Video Surveillance Cameras and 4-Port Gigabit Security Routers
Original release date: April 22, 2010 at 8:19 am
Last revised: April 22, 2010 at 8:19 am
Cisco has released a security advisory to address a vulnerability that
affects Cisco Small Business Video Surveillance Cameras and Cisco
RVS4000 4-Port Gigabit Security Routers. This vulnerability may allow
an...
Current Activity - McAfee DAT 5958 Issues
Current Activity (Apr 21)
US-CERT Current Activity
McAfee DAT 5958 Issues
Original release date: April 21, 2010 at 3:04 pm
Last revised: April 21, 2010 at 3:04 pm
US-CERT is aware of public reports indicating that McAfee DAT release
5958 is incorrectly identifying the valid system file,
C:\Windows\system32\svchost.exe, as containing malicious code. Reports
indicate that a false positive detection occurs on Windows XP Service
Pack 3 systems. Symptoms include a...
Current Activity - Google Releases Chrome 4.1.249.1059
Current Activity (Apr 21)
US-CERT Current Activity
Google Releases Chrome 4.1.249.1059
Original release date: April 21, 2010 at 7:57 am
Last revised: April 21, 2010 at 7:57 am
Google has released Chrome 4.1.249.1059 for Windows to address
multiple vulnerabilities. These vulnerabilities may allow an attacker
to execute arbitrary code, conduct cross-site scripting attacks, or
conduct cross-site request forgery attacks.
US-CERT encourages users and administrators to...
SB10-109 -- Vulnerability Summary for the Week of April 12, 2010
US-CERT Security Bulletins (Apr 19)
Vulnerability Summary for the Week of April 12, 2010
This bulletin provides a summary of new vulnerabilities that have been
recorded by the National Institute of Standards and Technology (NIST)
National Vulnerability Database (NVD) the week of April 12, 2010. It is
available here:
http://www.us-cert.gov/cas/bulletins/SB10-109.html
For instructions on subscribing to or unsubscribing from this
mailing list, visit <...
Current Activity - Oracle Releases Sun Java SE 1.6.0_20
Current Activity (Apr 16)
US-CERT Current Activity
Oracle Releases Sun Java SE 1.6.0_20
Original release date: April 16, 2010 at 9:13 am
Last revised: April 16, 2010 at 4:55 pm
Oracle has released Sun Java SE 1.6.0_20 to address several
vulnerabilities. The release notes for this version of Java SE
indicate that these vulnerabilities are in Java Deployment Toolkit and
the new Java Plug-in. Exploitation of these vulnerabilities may allow
a remote, unauthenticated...
Current Activity - Oracle Releases Sun Java SE 1.6.0_20
Current Activity (Apr 16)
US-CERT Current Activity
Oracle Releases Sun Java SE 1.6.0_20
Original release date: April 16, 2010 at 9:13 am
Last revised: April 16, 2010 at 9:13 am
Oracle has released Sun Java SE 1.6.0_20 to address several
vulnerabilities. The release notes for this version of Java SE
indicate that these vulnerabilities are in Java Deployment Toolkit and
the new Java Plug-in. Exploitation of these vulnerabilities may allow
a remote, unauthenticated...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
Multiple vulnerabilities in OpenTTD
Matthijs Kooijman (May 01)
Hi all,
FYI: Debian has assigned three CVE ids for three vulnerabilities present in
all released versions (except for 1.0.1, which was released together with the
patches). See:
http://www.openttd.org/en/news/126
http://security.openttd.org/en/CVE-2010-0401
http://security.openttd.org/en/CVE-2010-0402
http://security.openttd.org/en/CVE-2010-0406
Gr.
Matthijs
Re: CVE request - Linux Kernel KGDB/ppc issue
Eugene Teo (Apr 29)
http://www.mail-archive.com/linuxppc-dev@lists.ozlabs.org/msg30044.html
Sun, 01 Mar 2009 22:25:03 -0800
"Note: While at it, I removed a non-sensical statement related to
CONFIG_KGDB in ppc_mmu_32.c which could cause kernel mappings to be user
accessible when that option is enabled. Probably something that bitrot."
Eugene
Re: CVE Request: moodle 1.9.8, 1.8.2
Steven M. Christey (Apr 29)
Use CVE-2010-1613
These two are combined into a single CVE.
Use CVE-2010-1614
These two are combined into a single CVE.
Use CVE-2010-1615
Use CVE-2010-1616
Use CVE-2010-1617
Use CVE-2010-1618
Use CVE-2010-1619
Re: CVE request - Linux Kernel KGDB/ppc issue
Josh Bressers (Apr 29)
Please use CVE-2010-1446 for this.
Thanks
Re: CVS request - Moodle
Josh Bressers (Apr 29)
Hi Steve,
I don't have enough IDs to properly deal with this one and have any left over.
Can MITRE take it?
Thanks.
Re: [security-linux] Re: [oss-security] CVE request - Linux Kernel KGDB/ppc issue
Mark Hatle (Apr 29)
Eugene Teo wrote:
I'm sorry. This was a mistake on our part. We had intended to send the
information to vendor-sec and coordinate with other potentially affected
vendors. Then once a reasonable coordinated time had passed to send it to
security () kernel org as well as oss-security and lkml.
Our standard procedure:
* contact vendor-sec and coordinate with other affected vendors
* send the information to the project specific security list
*...
Re: CVE-2010-1173 kernel: skb_over_panic resulting from multiple invalid parameter errors
Eugene Teo (Apr 28)
Hi Hui,
As I already mentioned, discussion of the patch should take place in
netdev. You might want to consider CC'ing security () kernel org too. For a
start, this is not the right list for such a discussion. I don't even
see the maintainer for SCTP cc'ed to the email too. To make it easier
for you, feel free to follow-up from here:
http://article.gmane.org/gmane.linux.network/159531.
Thanks, Eugene
Re: CVE-2010-1173 kernel: skb_over_panic resulting from multiple invalid parameter errors
Hui Zhu (Apr 28)
Eugene Teo:
Forward a mail of my workmate:
Make a larger chunk is acceptable but for common communication case, the original one is fine enough. And I don't think
it is necessary to make such a big chunk. In fact, in worst case, a *double* sized chunk is large enough to hold all
necessary data. So, if we have to use the larger chunk than original, we should use min(double of chunk hdr length,
asoc->pathmtu, SCTP_DEFAULT_MAXSEGMENT).
For...
Re: CVE request - Linux Kernel KGDB/ppc issue
Eugene Teo (Apr 28)
Hi Hui,
Just FYI, oss-security is a public mailing list. I noticed you have
already cc'ed the KGDB maintainer. If you are trying to report a kernel
security issue that is neither fixed nor disclosed previously AFAIK, you
might want to try CC'ing security () kernel org and LKML. Drop LKML if you
want to keep it private for a short period of time.
Thanks, Eugene
CVE request - Linux Kernel KGDB/ppc issue
Hui Zhu (Apr 28)
Hi All,
The problem is that if KGDB is enabled on a powerpc board, a
test that checks if a page is user or kernel is bypassed.
This means that a user can write to arbitrary kernel address space.
Upon further investigation, we found that kernels older than
the v2.6.30-rc1 release have the same problem for non-booke
ppc chips (74xx, 8641D), so we need two patches for kernels
up to that date, and then one patch for ones after that date.
Thanks,...
Re: CVE-2010-1173 kernel: skb_over_panic resulting from multiple invalid parameter errors
Hui Zhu (Apr 28)
Eugene Teo:
Add Xiao to CC list.
Hui
CVE-2010-1173 kernel: skb_over_panic resulting from multiple invalid parameter errors
Eugene Teo (Apr 28)
https://bugzilla.redhat.com/CVE-2010-1173
http://article.gmane.org/gmane.linux.network/159531
Reported by Chris Guo from Nokia China via Red Hat Support. A similar
issue was reported by Jukka Taimisto and Olli Jarva from Codenomicon Ltd
via CERT-FI. This was also reported by Windriver on behalf of their
customer via vendor-sec.
Kernel crash occurs if sctp listening port receives malformatted init
package.
It's an skb_over_panic BUG halt...
Re: CVE request: VLC <1.0.6 Multiple issues
Josh Bressers (Apr 28)
----- "Alex Legler" <a3li () gentoo org> wrote:
I'm going to trust the upstream advisory regarding version information, so
here goes:
The affected versions are VLC media player 1.0.5 down to 0.5.0
This is fixed in version 1.0.6 and 1.1.0
The flaws appear to be split based on where in the vlc source they occur.
I'm going to keep the upstream mapping for CVE ids, as it's possible
certain other project will have cherry picked the...
Re: wafp insecure temporary directory
Josh Bressers (Apr 27)
----- "Henri Salo" <henri () nerv fi> wrote:
Please use CVE-2010-1438.
Thanks.
Re: CVE request - kernel: find_keyring_by_name() can gain the freed keyring
Josh Bressers (Apr 27)
Please use CVE-2010-1437
Thanks.
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: Internap Looking Glass / Route Server
Randy Bush (May 01)
similar subject, so excuse my piggybacking
i am looking for looking glass software which will run against junos,
ios, and ios xr, so folk playing in the rpki origin validation testbed
can see the effect of their certs/roas/... on the testbed routers.
thanks.
randy
Internap Looking Glass / Route Server
Max Clark (May 01)
Hello,
I'm looking for a public looking glass / route server connected to
Internap - preferably in Los Angeles. Does such a thing exist?
Thanks,
Max
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
David Conrad (Apr 30)
Owen,
:-). I haven't been following the religious war against DHCPv6 -- is it now acceptable to get DNS information via
DHCPv6? I note that MacOSX still doesn't appear to support DHCPv6. Does Win7?
I'm aware of this. It would be interesting to see how many applications actually take advantage of this (rant about
the socket API model deleted).
I agree that it can or at least has the promise to be.
Yes.
End users must pay the cost of...
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
Paul Timmins (Apr 30)
David Conrad wrote:
Put your recursors, network management systems, fileservers, etc on ULA
addresses like I was talking about earlier. Then you don't have to
renumber those.
So the only change you should have to make is a firewall change.
Imagine a world with RFC-1918 and public ip space safely overlaid. For
anything you hardcode somewhere, unless it has to be publicly
reachable, use ULA addresses and don't ever change them.
You could...
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
Owen DeLong (Apr 30)
Ideally, in the vast majority of cases, resolv.conf is populated by dhcpv6 or its successor.
It is actually possible (although I agree questionable practice) to have your NS glue records updated dynamically.
Firewalls and NMS can usually be done by copying the existing rulesets and doing a global S&R on the affected prefix.
It's not like a v4 renumbering. You'll still be dealing with a 1:1 replacement of the prefix and the suffixes don't...
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
David Conrad (Apr 30)
Paul,
Even if this works (and I know a lot of applications that use the socket() API that effectively cache the address
returned by DNS for the lifetime of the application), how does this help situations where IPv6 address literals are
specified in configuration files, e.g., resolv.conf, glue for authoritative DNS servers, firewalls/filters, network
management systems, etc.? See sections 5 and 7 of...
Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?
Mark Smith (Apr 30)
Your friend should learn about causation versus correlation
http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation
Ever noticed how people who have car accidents got out of bed that
morning?
The Cidr Report
cidr-report (Apr 30)
This report has been generated at Fri Apr 30 21:11:43 2010 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.
Check http://www.cidr-report.org for a current version of this report.
Recent Table History
Date Prefixes CIDR Agg
23-04-10 321746 198312
24-04-10 321566 198048
25-04-10 321224 198152...
BGP Update Report
cidr-report (Apr 30)
BGP Update Report
Interval: 22-Apr-10 -to- 29-Apr-10 (7 days)
Observation Point: BGP Peering with AS131072
TOP 20 Unstable Origin AS
Rank ASN Upds % Upds/Pfx AS-Name
1 - AS35805 29526 2.2% 47.9 -- UTG-AS United Telecom AS
2 - AS17672 21731 1.6% 835.8 -- CHINATELECOM-HE-AS-AP asn for Hebei Provincial Net of CT
3 - AS9829 19342 1.5% 21.6 -- BSNL-NIB National Internet...
Re: Connectivity to an IPv6-only site
joel jaeggli (Apr 30)
Years ago I talked to a startup's funders about the fact that they had
made a design decision to build hardcoded unassigned /8s into a captive
portal and mobility gateway.
We didn't buy their product, they changed it, company folded.
The most meaningful thing one can do is vote with your wallet.
Weekly Routing Table Report
Routing Analysis Role Account (Apr 30)
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.
Daily listings are sent to bgp-stats () lists apnic net
For historical data, please see http://thyme.apnic.net.
If you have any comments please contact Philip Smith <pfs () cisco com>.
Routing Table Report 04:00 +10GMT Sat 01 May, 2010
Report Website: http://thyme.apnic.net
Detailed Analysis:...
x-small IPv4 ISPs going to IPv6
Owen DeLong (Apr 30)
As a data point, there are currently 866* x-small IPv4 ISP organizations in the ARIN region.
There are a total of 3,562* ISP organizations in the ARIN region (including IPv4 and IPv6).
x-small IPv4 providers as such, constitute about 1/4 of the total ARIN ISP constituency.
The maximum revenue impact of an IPv6 waiver for them (removing the $1,000 surcharge
for IPv6 /32 pricing) would be $833,000 per year, increasing as the number of...
RE: [only half OT] A socio-psychological analysis of the first internet war (Estonia)
Michael Smith (Apr 30)
What is/isn't a "war"? Was US/Vietnam a war? It wasn't declared legally... do you take issue with using the word war
due to the nature of the event, or is it simply a question of scale?
From what I've read so far of this paper, the incident being called "a war" isn't central to the thesis. Search /
replace "war" with "incident" and the discussion works fine. Your issue with the choice of words might...
Re: Edu versus Speakeasy Speedtest
Jeff Kell (Apr 30)
There is also http://netalyzr.icsi.berkeley.edu/ which is an excellent
connectivity check, although your mileage may vary with higher-speed
bandwidth testing from it.
Jeff
Re: Edu versus Speakeasy Speedtest
Bret Clark (Apr 30)
Jeff wrote:
Not just them, we are constantly dealing with our new HS users who go to
those sites then call us to complain that they are not getting the speed
they are supposed to get...ugh! It's like clockwork, a new circuit goes
in and a few hours later we're getting the old "I went to
Speakeasy...blah blah blah"!
Bret
Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating
Happy Birthday Backbone
Dave Farber (Apr 30)
Begin forwarded message:
> From: Michael Kende <Michael.Kende () analysysmason com>
> Date: April 30, 2010 10:19:46 AM EDT
> To: dave () farber net
> Subject: Happy Birthday Backbone
>
> Hi Dave,
>
> Just to note a bit of a milestone - 15 years ago today the NSFNET
> backbone was decommissioned, in favor of the current system of
> commercial backbones, peering,...
John Holdren's remarks @ NAE Grand Challenges Summit
Dave Farber (Apr 30)
Begin forwarded message:
> From: Jock Gill <jg45 () me com>
> Date: April 30, 2010 11:18:45 AM EDT
> To: David Farber <dave () farber net>
> Cc: Jock Gill <jg45 () me com>
> Subject: John Holdren's remarks @ NAE Grand Challenges Summit
>
> Dave,
>
> If this has not been shared with IP already, I recommend it.
>
> Meeting the Energy‐Climate Challenge
> John P. Holdren
>
> Science and...
Re: Cory Doctorow, You Are a Consumer, Too
Dave Farber (Apr 29)
Begin forwarded message:
> From: Gerry Faulhaber <gerry-faulhaber () mchsi com>
> Date: April 29, 2010 3:46:30 PM EDT
> To: dave () farber net
> Subject: Re: [IP] Re: Cory Doctorow, You Are a Consumer, Too
>
> Dave [probably not worth posting to IP, but feel free if you like;
> just my views on terminology]--
>
> FYI; I agree that "consumer" is not good; it signifies someone who
> buys like an...
How compromised Facebook logins are already being used
Dave Farber (Apr 29)
Begin forwarded message:
> From: Rob portil <Rob () OrbitalWeb com>
> Date: April 29, 2010 12:35:48 PM EDT
> To: dave () farber net
> Subject: How compromised Facebook logins are already being used
>
> The email I got yesterday (below) shows how hackers/spammers can use these hacked logins.
>
> I got this message from a friend on Facebook (yes, he is actually a Facebook friend and the email did come from
>...
re School Admin Takes Fifth Amendment in "Peeping Tom" Case
Dave Farber (Apr 29)
Begin forwarded message:
> From: Dan Gillmor <dan () gillmor com>
> Date: April 29, 2010 1:12:49 PM EDT
> To: dave () farber net
> Subject: Re: [IP] School Admin Takes Fifth Amendment in "Peeping
> Tom" Case
>
> If true, it's the first smart thing this person has done in the
> entire affair.
>
> On Apr 29, 2010, at 6:35 AM, David Farber wrote:
>
>>
>>
>> Begin forwarded...
Re: Cory Doctorow, You Are a Consumer, Too
David Farber (Apr 29)
User is a lot better!!. I often use customer or citizen
Begin forwarded message:
From: Mary Shaw <mary.shaw () gmail com>
Date: April 29, 2010 11:48:18 AM EDT
To: dave () farber net
Subject: Re: [IP] Cory Doctorow, You Are a Consumer, Too
Do you like "user" better? That's the common term for "customer" in
computing and only one other large-scale international enterprise.
Mary
On Thu, Apr 29, 2010 at 9:37 AM, David...
Re: Five reasons iPhone vs Android isn't Mac vs Windows
David Farber (Apr 29)
Begin forwarded message:
From: Monty Solomon <monty () roscom com>
Date: April 29, 2010 10:34:26 AM EDT
To: dave () farber net
Subject: Re: [IP] Five reasons iPhone vs Android isn't Mac vs Windows
Dave,
Folks might want the link to the original article
http://radar.oreilly.com/2010/04/five-reasons-iphone-v-android.html
At 9:38 AM -0400 4/29/10, David Farber wrote:
> From: Monty Solomon <monty () roscom com>
> Date: April...
BBC radio reported that a Russian "mob" was offering Facebook customer login, passwords etc for sale
David Farber (Apr 29)
Estimate was 1 1/2 Million names etc
Symantec buys PGP
Dave Farber (Apr 29)
Begin forwarded message:
> From: Richard Forno <rforno () infowarrior org>
> Date: April 29, 2010 10:03:07 AM EDT
> To: Farber Dave <dave () farber net>
> Subject: Symantec buys PGP
>
> Symantec Buys Encryption Specialist PGP for $300M
>
> By Jeremy Kirk, IDG News Service
>
> http://www.pcworld.com/businesscenter/article/195217/symantec_buys_encryption_specialist_pgp_for_300m.html
>
> Symantec will...
Five reasons iPhone vs Android isn't Mac vs Windows
David Farber (Apr 29)
From: Monty Solomon <monty () roscom com>
Date: April 28, 2010 6:15:28 AM PDT
Subject: Five reasons iPhone vs Android isn't Mac vs Windows
Five reasons iPhone vs Android isn't Mac vs Windows
By Mark Sigal on April 26, 2010 6:00 AM
Last week I presented at Stanford Graduate School of Business in a
session on Mobile Computing called, "Creating Mobile Experiences:
It's the Platform, Stupid."
As the title underscores, I am a big...
WashPo: China set to tighten state-secrets law forcing Internet firms to inform on users
David Farber (Apr 29)
Begin forwarded message:
From: dewayne () warpspeed com (Dewayne Hendricks)
Date: April 28, 2010 2:09:34 PM EDT
To: Dewayne-Net Technology List <xyzzy () warpspeed com>
Subject: [Dewayne-Net] WashPo: China set to tighten state-secrets law forcing Internet firms to inform on users
[Note: This item comes from friend Steve Goldstein. DLH]
From: Steve Goldstein <steve.goldstein () cox net>
Date: April 28, 2010 8:09:22 AM PDT
To:...
Cory Doctorow, You Are a Consumer, Too
David Farber (Apr 29)
BTW I HATE the term consumer !!!!!!!! djf
Begin forwarded message:
From: Monty Solomon <monty () roscom com>
Date: April 3, 2010 7:41:02 PM EDT
To: undisclosed-recipient:;
Subject: Cory Doctorow, You Are a Consumer, Too
Cory Doctorow, You Are a Consumer, Too
I saw a-the-Rally Fighter, an open source car in Austin. This is what
the "finished" interior looked like, more or less. That's what Cory
Doctorow wants you to drive....
School Admin Takes Fifth Amendment in "Peeping Tom" Case
David Farber (Apr 29)
Begin forwarded message:
From: Monty Solomon <monty () roscom com>
Date: April 18, 2010 3:55:37 PM EDT
To: undisclosed-recipient:;
Subject: School Admin Takes Fifth Amendment in "Peeping Tom" Case
School Admin Takes Fifth Amendment in "Peeping Tom" Case
By David Murphy
04.18.2010
Lawyers for Harriton High School sophomore Blake Robbins are claiming
that the teenager's school district has used built-in tracking...
WORTH READING Undercover persuasion by tech industry lobbyists
David Farber (Apr 28)
Begin forwarded message:
From: "Tim O'Reilly" <tim () oreilly com>
Date: April 28, 2010 11:44:46 AM EDT
To: dave () farber net
Cc: "ip" <ip () v2 listbox com>
Subject: Re: [IP] Undercover persuasion by tech industry lobbyists
On Apr 28, 2010, at 2:19 AM, David Farber wrote:
> http://www.washingtonpost.com/wp-dyn/content/article/2010/04/23/AR2010042305249_pf.html
>
Dave,
I forwarded this article to Ev...
Researchers hack India's voting machines
Dave Farber (Apr 28)
Begin forwarded message:
> From: Joseph Lorenzo Hall <joehall () gmail com>
> Date: April 28, 2010 7:28:06 AM EDT
> To: Dave Farber <dave () farber net>
> Subject: Researchers hack India's voting machines
>
> http://indiaevm.org/
>
> Security Analysis of India's Electronic Voting Machines
>
> J. Alex Halderman, Hari K. Prasad, Rop Gonggrijp
>
> Abstract: Elections in India are conducted almost...
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 26.04
RISKS List Owner (Apr 28)
RISKS-LIST: Risks-Forum Digest Wednesday 28 April 2010 Volume 26 : Issue 04
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.04.html>
The current issue can be...
Risks Digest 26.03
RISKS List Owner (Apr 25)
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.03.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:...
Risks Digest 26.02
RISKS List Owner (Apr 18)
RISKS-LIST: Risks-Forum Digest Sunday 18 April 2010 Volume 26 : Issue 02
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.02.html>
The current issue can be...
Risks Digest 26.01
RISKS List Owner (Apr 08)
RISKS-LIST: Risks-Forum Digest Thursday 8 April 2010 Volume 26 : Issue 01
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.01.html>
The current issue can be...
Risks Digest 25.98
RISKS List Owner (Mar 31)
RISKS-LIST: Risks-Forum Digest Thursday 1 April 2010 Volume 25 : Issue 98
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.98.html>
The current issue can be...
Risks Digest 25.97
RISKS List Owner (Mar 26)
RISKS-LIST: Risks-Forum Digest Friday 26 March 2010 Volume 25 : Issue 97
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.97.html>
The current issue can be...
Risks Digest 25.96
RISKS List Owner (Mar 13)
RISKS-LIST: Risks-Forum Digest Saturday 13 March 2010 Volume 25 : Issue 96
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.96.html>
The current issue can be...
Risks Digest 25.95
RISKS List Owner (Feb 28)
RISKS-LIST: Risks-Forum Digest Sunday 28 February 2010 Volume 25 : Issue 95
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.95.html>
The current issue can be...
Risks Digest 25.94
RISKS List Owner (Feb 14)
RISKS-LIST: Risks-Forum Digest Sunday 14 February 2010 Volume 25 : Issue 94
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.94.html>
The current issue can be...
Risks Digest 25.93
RISKS List Owner (Jan 29)
RISKS-LIST: Risks-Forum Digest Friday 29 January 2010 Volume 25 : Issue 93
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.93.html>
The current issue can be...
Risks Digest 25.92
RISKS List Owner (Jan 26)
RISKS-LIST: Risks-Forum Digest Tuesday 26 January 2010 Volume 25 : Issue 92
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.92.html>
The current issue can be...
Risks Digest 25.91
RISKS List Owner (Jan 19)
RISKS-LIST: Risks-Forum Digest Tuesday 19 January 2010 Volume 25 : Issue 91
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.91.html>
The current issue can be...
Risks Digest 25.90
RISKS List Owner (Jan 08)
RISKS-LIST: Risks-Forum Digest Friday 8 January 2010 Volume 25 : Issue 90
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.90.html>
The current issue can be...
Risks Digest 25.89
RISKS List Owner (Jan 07)
RISKS-LIST: Risks-Forum Digest Thursday 7 January 2010 Volume 25 : Issue 89
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/25.89.html>
The current issue can be...
Data Loss — Data Loss covers large-scale personal data loss and theft incidents. This archive combines the main list (news releases) and the discussion list.
Commentary on cost(s) of breaches
Henry Brown (May 01)
IMO interesting:
From Information Week: http://bit.ly/9cBLkg
When It Comes To Data Breaches, U.S. Most Costly
Posted by George Hulme, Apr 28, 2010 06:13 PM
Research published today shows that the average cost of a data breach,
globally, is about $3.43 million per incident and $142 per compromised
record. But that's not the entire story.
The 2009 Annual Study: Global Cost of a Data Breach, conducted by the
Ponemon Institute and sponsored...
O.C. St. Jude warns patients of stolen data
kirniki (Apr 30)
http://abclocal.go.com/kabc/story?section=news/local/orange_county&id=7414662
ORANGE, Calif. (KABC) -- St. Jude Heritage Medical Group in Fullerton
sent out thousands of letters warning patients that their medical
records may have been compromised due to five stolen hospital
computers.
Officials say more than 20,000 patients may have had their personal
information stolen after a break-in at the St. Jude Heritage
Healthcare Clinical...
How Data Laws Slap Insecure Companies
Jake Kouns (Apr 29)
http://www.forbes.com/2010/04/27/breach-disclosure-data-technology-security-laws.html?boxes=Homepagechannels
A new study shows just how much data loss disclosure rules punish
firms that have spilled sensitive information.
Breach disclosure laws--the rules that require companies to alert
customers or employees when they've lost control of their private
data--may not always achieve their intention to prevent identity
theft. But a new study...
RI: Computer glitch causes big headaches
kirniki (Apr 28)
http://www.wpri.com/dpp/news/12_for_action/call-12-for-action-computer-glitch-causes-headaches-for-local-company
EAST PROVIDENCE, R.I. (WPRI) - An Attleboro businessman thought he hit
the jackpot, his company's 401k plan doubled in value in just months.
Not only had his 401k doubled in size, so did the amount of employees
he supposedly had working for him. The company he hired to handle his
payroll and 401k plan, had somehow sent him...
The Medical Center has security breach
kirniki (Apr 28)
http://it.tmcnet.com/news/2010/04/28/4757472.htm
BOWLING GREEN -- The Medical Center at Bowling Green is notifying
5,418 patients whose medical information may have been breached when a
computer hard drive was stolen.
The computer hard drive was taken from the hospital's mammography
suite and contained information from patients who underwent bone
density testing between 1997 and 2009.
Hospital officials learned the hard drive was missing on...
Re: Blippy to hire CSO, conduct audits after credit card breach
Todd Glassey (Apr 28)
What a crock of merde! - It's funny to see how sloppy Blippy is
considering its founders and the money under it from Sequoia and Charles
River... but hey it is what it is.
One thing that is really funny is the idea that Identity Thieves don't
have their own copies of the Google Spider running on a box in their
garage which looks exactly like the Google Spiders running from Mountain
View or Oregon Data Centers, and what damage that does to a...
Montana Tech alumni information included in e-mail
kirniki (Apr 28)
http://billingsgazette.com/news/state-and-regional/montana/article_8e384edc-5311-11df-807d-001cc4c002e0.html
BUTTE — A Montana Tech employee mistakenly included the personal
information of former students in an e-mail message sent to faculty,
staff and students last week.
Montana Tech administrator Maggie Peterson says the e-mail was an
invitation to watch students present their research projects. But the
file that this year's information was...
Re: TN: Missing Student Records From Chattanooga State
Todd Glassey (Apr 28)
Where does criminal liability attach for these losers?
Todd Glassey
Blippy to hire CSO, conduct audits after credit card breach
Jake Kouns (Apr 27)
http://www.scmagazineus.com/blippy-to-hire-cso-conduct-audits-after-credit-card-breach/article/168728/
Blippy, a Silicon Valley start-up that enables users to share details
in real time about purchases they make, plans to invest millions in
information security following revelations that it exposed the credit
card numbers of a small number of people through Google's search
index.
Ashvin Kumar, co-founder and CEO of Blippy, said in a blog post...
TN: Missing Student Records From Chattanooga State
kirniki (Apr 26)
http://www.newschannel9.com/news/chattanooga-990629-missing-records.html
Nearly two thousand student records from Chattanooga State are
missing. Administrators there tell us the company hired to scan the
documents, mishandled them. The school says this is not the first
time this company hired to protect information did the opposite. They
say it's the same business who dumped medical documents from several
local hospitals last year. Now the...
Fraud alert after bank van stolen in Lothians
Jake Kouns (Apr 25)
http://news.scotsman.com/scotland/Fraud-alert-after-bank-van.6248837.jp
BANK chiefs have warned customers they are at risk of fraud and
identity theft after a delivery van containing their personal
documents was stolen from outside a branch.
The thief made off with a van belonging to delivery firm TNT Express
Services while the driver was dropping off leaflets to the Royal Bank
of Scotland branch in Bridge Street, Musselburgh.
Around 20...
ESB tells customers of leak
Jake Kouns (Apr 25)
http://www.emporiagazette.com/news/2010/apr/23/esb-tells-customers-leak/
An ounce of prevention is worth a pound of cure for ESB Financial
officials who this morning announced that a data backup seven years
ago had inadvertently been sent to an unauthorized storage source.
Marketing Vice President Karen Sommers said that the bank had hired a
specialist to work on a special program to be used by the bank. The
contract worker was using a laptop...
BAMC: No identity theft
Jake Kouns (Apr 25)
http://www.mysanantonio.com/news/local_news/BAMC_No_identity_theft_after_records_breach.html
Brooke Army Medical Center said Wednesday that information in a binder
stolen last fall that contained records for 1,272 patients hasn't led
to any cases of identity theft.
BAMC spokesman Dewey Mitchell also said no one knows for sure what was
in the binder stolen from a case manager's car on Oct. 16.
The hospital said the three-ring binder may have...
Health Insurer Notifies More Than 409,000 Of Potential Breach
security curmudgeon (Apr 25)
---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
http://www.darkreading.com/database_security/security/privacy/showArticle.jhtml?articleID=224600001
By Tim Wilson
DarkReading
April 21, 2010
Affinity Health Plan, a New York managed care service, is notifying more
than 400,000 current and former customers employees that their personal
data may have been leaked through the loss of an unerased digital...
AU - Personal information of customers visible online.
alton blom (Apr 25)
Telstra has patched a data breach on its business website that had the
potential to reveal personal information, such as date of birth, of
700 customers.
http://www.zdnet.com.au/telstra-confirms-customer-data-breach-339302597.htm
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
Fwd: How to simplify the management of 250+ nodes and 1000+ users , in Drupal
ebhakt (Apr 30)
Hi,
I have written this tool : < Portal Manager :: Drupal Management Assembly >
which is to remotely manage a drupal based website
You can manage and edit user properties
You can manage and edit posts
you can sort posts on the basis of taxonomies and then manage and edit
posts
The tool is written in C# WPF and needs .net framework 3.5 to be
pre-installed
Please find the software here: LINK <...
Visual Studio sln
Fotis Ailianos (Apr 30)
Hi there,
Just to mention that the sln file provided in the Meterpreter/Workspace
folder is not actually working.
There are some .h files missing in the project related to openssl and jpeg
and some others also.
I could easily fix the missing file relationships but it would be great if
it was fixed in the trunk too.
Thanx, Byez
Re: Formatting msfconsole output
Jonathan Cran (Apr 29)
Here's a quick example of printing the descriptions of modules:
jcran () aldatmak:~/secure/metasploit/source/framework3/tools$ cat
module_description.rb
#!/usr/bin/ruby
msfbase = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__
$:.unshift(File.join(File.dirname(msfbase), '..', 'lib'))
require 'msf/base'
$framework = Msf::Simple::Framework.create
$framework.exploits.each_module { |name, mod|
x = mod.new
puts x.name +...
Re: Formatting msfconsole output
Jonathan Cran (Apr 29)
also, remember that it's ruby all the way down, so you can just
directly query the framework's objects for the output you'd like.
There's some good examples in the /tools directory:
- modules_author.rb
- module_targets.rb
- module_platform.rb
- ...
if you're not sure about the objects you need to query, you can play
with them in an irb shell by typing 'irb' at the msfconsole.
if there are questions, hop into the #metasploit channel on...
Re: Meterpreter persistence - uninstall option?
HD Moore (Apr 29)
Manually at the moment - you would have to use the reg command to delete
the autorun key
Re: Formatting msfconsole output
Rob Fuller (Apr 29)
Could make it even easier: ./msfcli | less
;-)
Re: Formatting msfconsole output
Casey W. O'Brien (Apr 29)
Helps if I reply to all: Try this:
user1 () pentest:/pentest/exploits/framework3#echo show exploits | ./msfconsole
2>&1 | grep dcerpc (replacing dcerpc with whatever exploit name you’re
interested in finding).
CO
Re: Formatting msfconsole output
Rob Fuller (Apr 29)
SHIFT-PGUP might be an option for you, or you can just search for the
exploit you are looking to use. I find that also looking at the repo
history helps:
http://www.metasploit.com/redmine/projects/framework/repository/show/modules/exploits
Re: Formatting msfconsole output
NetEvil (Apr 29)
msf> search *something*
Hope this helps!
David
Sent from my mobile device
--------------------------------------
On 29 Apr 2010, at 18:58, Sean Keane <keanesf () gmail com>
wrote:
Formatting msfconsole output
Sean Keane (Apr 29)
When executing the command show exploits it only displays about the last 30
exploits in the terminal emulator, is there any way to pipe the output into
the more or less program so I can scroll through all the exploits in the
msfconsole. I have tried using the pipe command in msfconsole without any
luck.
Meterpreter persistence - uninstall option?
wfdawson (Apr 29)
Is there an easy method (to wit, an option to the persistence script or a separate uninstall script) to uninstall or
remove persistent meterpreter sessions on remote hosts, or do I have to take care of that manually?
Re: Maple
scriptjunkie (Apr 28)
Tested on Win32. If someone has a linux version of Maple and can test
it, please do so.
Maple
scriptjunkie (Apr 28)
Maple auth bypass exploit. Standard security settings prevent code
from running in a normal maple worksheet without user interaction, but
those settings do not apply when double-clicking a .maplet file. This
exploits that vulnerability for windows, linux, or just executes a
generic command. (I'm sure someone will call it a feature. Either way,
it still enables arbitrary code execution.)
scriptjunkie
Re: making the db_* functionality available through XMLRPC
Sussurro (Apr 28)
I am working on this now. I expect to have test code in a few days.
If you want to help me test or devel let me know. Right now you can
get data out, I am just working on the adding and modifying of data.
Re: making the db_* functionality available through XMLRPC
HD Moore (Apr 28)
Nothing implemented yet, but XMLRPC stubs are straightforward to write.
-HD
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Re: Error while starting Wireshark 1.2.7
Bill Meier (May 01)
Vinod Parameswaran wrote:
How exactly did you "install" Wireshark on FC12 ??
What is the version of glib2 on your system ?
Looking at the glib2 documentation I see that g_malloc_n is only
available as of glib2 v2.24.
I also note that on my (up-to-date) FC12 that the glib2 version is 2.22.5.
[From the glib2 documentation]
This function is similar to g_malloc(), allocating (n_blocks *
n_block_bytes) bytes, but care is taken to...
Re: Error while starting Wireshark 1.2.7
M K (May 01)
Can possibly be a compilation problem.
Re: TCP fragmentation and wireshark
Bill Meier (May 01)
Kevin Wilson wrote:
What you're seeing is as expected and is the way TCP/IP works.
In general, IP fragmentation is not desirable.
TCP when sending from a host uses a "Maximum Segment Size" (MSS) related
to the MTU so that no IP fragmentation will be needed.
See MSS on http://en.wikipedia.org/wiki/Transmission_Control_Protocol
(for example) for more details.
I haven't played around with this for a long time, but I do seem to...
buildbot failure in Wireshark (development) on OSX-10.5-PowerPC
buildbot-no-reply (Apr 30)
The Buildbot has detected a new failure of OSX-10.5-PowerPC on Wireshark (development).
Full details are available at:
http://buildbot.wireshark.org/trunk/builders/OSX-10.5-PowerPC/builds/134
Buildbot URL: http://buildbot.wireshark.org/trunk/
Buildslave for this Build: osx-10.5-ppc
Build Reason: The web-page 'force build' button was pressed by '<unknown>': <no reason specified>
Build Source Stamp: HEAD
Blamelist:...
buildbot failure in Wireshark (development) on Windows-XP-x86
buildbot-no-reply (Apr 30)
The Buildbot has detected a new failure of Windows-XP-x86 on Wireshark (development).
Full details are available at:
http://buildbot.wireshark.org/trunk/builders/Windows-XP-x86/builds/134
Buildbot URL: http://buildbot.wireshark.org/trunk/
Buildslave for this Build: windows-xp-x86
Build Reason: The web-page 'force build' button was pressed by '<unknown>': <no reason specified>
Build Source Stamp: HEAD
Blamelist:...
buildbot failure in Wireshark (development) on OSX-10.5-x86
buildbot-no-reply (Apr 30)
The Buildbot has detected a new failure of OSX-10.5-x86 on Wireshark (development).
Full details are available at:
http://buildbot.wireshark.org/trunk/builders/OSX-10.5-x86/builds/150
Buildbot URL: http://buildbot.wireshark.org/trunk/
Buildslave for this Build: osx-10.5-x86
Build Reason: The web-page 'force build' button was pressed by '<unknown>': <no reason specified>
Build Source Stamp: HEAD
Blamelist:
BUILD...
buildbot failure in Wireshark (development) on Windows-7-x64
buildbot-no-reply (Apr 30)
The Buildbot has detected a new failure of Windows-7-x64 on Wireshark (development).
Full details are available at:
http://buildbot.wireshark.org/trunk/builders/Windows-7-x64/builds/144
Buildbot URL: http://buildbot.wireshark.org/trunk/
Buildslave for this Build: windows-7-x64
Build Reason: The web-page 'force build' button was pressed by '<unknown>': <no reason specified>
Build Source Stamp: HEAD
Blamelist:...
buildbot failure in Wireshark (development) on Solaris-10-SPARC
buildbot-no-reply (Apr 30)
The Buildbot has detected a new failure of Solaris-10-SPARC on Wireshark (development).
Full details are available at:
http://buildbot.wireshark.org/trunk/builders/Solaris-10-SPARC/builds/116
Buildbot URL: http://buildbot.wireshark.org/trunk/
Buildslave for this Build: solaris-10-sparc
Build Reason: The web-page 'force build' button was pressed by '<unknown>': <no reason specified>
Build Source Stamp: HEAD...
TCP fragmentation and wireshark
Kevin Wilson (Apr 30)
Hello,
I want to use wireshark sniffer for analyzing TCP fragmented traffic.
I had written a small TCP client-server app, which creates large
packets (over 20 K) and sends them.
When I tried to sniff the traffic with wireshark, I saw single
packets, and no sign of fragmentation
(like ip frag_offset field, or ip more fragments field).
(I know for sure that the PMTU between client and server is 1500.)
Any ideas why ? or maybe my application is...
Error while starting Wireshark 1.2.7
Vinod Parameswaran (Apr 30)
Hello list,
I would like to seek your expert advice on an error that I see while trying to start Wireshark 1.2.7.
I have installed Wireshark on Fedora Core 12.
When I try to start Wireshark from the command-line, I see the following error:
wireshark: symbol lookup error: /usr/lib/libwireshark.so.0: undefined symbol: g_malloc_n
I could not get any help after trying to google for this particular error string.
Kindly share your thoughts on...
Re: Sniffing the WAN side of a VPN
Martin Visser (Apr 30)
Depending on what your isp has setup will determine what you see. As
John said your router may be using esp. However, with a carrier or
provider vpn then the encapsulation might all be hidden from you in
their network core. If you can't get to the router configuration then
put in a manageable switch between router and modem and use port
mirroring to wireshark to see the traffic
Delta and skew value in RTP analysis
capricorn 80 (Apr 30)
Hi!
Can anyone explain about the Delta and Skew value in RTP stream analysis?
Regards,
Delay in VOIP (cannot capture RTCP)
capricorn 80 (Apr 30)
Hi!
I am trying to calculate the delay in VOIP using wireshark. My both end systems are synchronized with ntp.
If i done this test with two different calls on different location. Some times i get RTCP capture in a proper way in
one of the call and not in other.
Similarly on one end i can see the RTCP packets in a proper order and can see sender and receiver reports but some
times its just sender report.
how can i perform the test...
buildbot failure in Wireshark (development) on Windows-XP-x86
buildbot-no-reply (Apr 30)
The Buildbot has detected a new failure of Windows-XP-x86 on Wireshark (development).
Full details are available at:
http://buildbot.wireshark.org/trunk/builders/Windows-XP-x86/builds/131
Buildbot URL: http://buildbot.wireshark.org/trunk/
Buildslave for this Build: windows-xp-x86
Build Reason:
Build Source Stamp: 32614
Blamelist: wmeier
BUILD FAILED: failed failed slave lost
sincerely,
-The Buildbot
buildbot failure in Wireshark (development) on Windows-7-x64
buildbot-no-reply (Apr 30)
The Buildbot has detected a new failure of Windows-7-x64 on Wireshark (development).
Full details are available at:
http://buildbot.wireshark.org/trunk/builders/Windows-7-x64/builds/139
Buildbot URL: http://buildbot.wireshark.org/trunk/
Buildslave for this Build: windows-7-x64
Build Reason:
Build Source Stamp: 32614
Blamelist: wmeier
BUILD FAILED: failed failed slave lost
sincerely,
-The Buildbot
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Re: snort-user's drinking game
Jeff Nathan (Apr 30)
Maybe make a toast to Erek Adams, creator of the Snort drinking game,
while you're at it. Erek was one of the good guys.
-Jeff
Re: snort-user's drinking game
Jason Brvenik (Apr 30)
it has been done!
snort-user's drinking game
Crook, Parker (Apr 30)
So I was taking a trip down memory lane.... And for those of you who play the snort-user's drinking game <
http://blog.joelesler.net/the-snort-drinking-game>, I'm going to use a bit of Cartesian logic, and say go ahead and
take a drink ("Take one drink if... The drinking game starts it's own thread."). Enjoy the weekend!
-Parker
Re: Using within after http_headers
Joel Esler (Apr 30)
Roger. I'll defer to Olney/$vrt, they've tested and used those modifiers
for a lot longer than I.
Re: Using within after http_headers
Will Metcalf (Apr 30)
http_uri is normalized... Not sure about http_client_body..
I understand but this can lead to false negatives. If the uricontent
has to be decoded, using the uricontent,content,distance:0 combo
causes the rule not to fire completely....
Regards,
Will
Re: Using within after http_headers
Joel Esler (Apr 30)
http_client_body and http_uri aren't normalizers though, they are just
pointers to locations, the way that I read it. When the http preprocessor
reads a packet it can separate those out into "sections" but they aren't
normalized. Maybe when Olney gets back from traveling the world he can
correct me if I am wrong.
As far as the distance:0; that's simply saying that the subsequent content
must be after the uricontent. not any distance...
Re: Using within after http_headers
Will Metcalf (Apr 30)
This is not entirely accurate ;-)... For example some of the
spyware-put rules mix uricontent,content and distance:0
Also from my tests you can mix http_client_body and http_uri with
distance and within, but it fails always for cookie and header. Also
with http_uri just like uricontent if you encode the url distance and
within doesn't work.
Regards,
Will
Re: Using within after http_headers
Joel Esler (Apr 30)
Correct. Since this is a normalized field (similar to uricontent), you
can't have a relative statement to a normalized http field like that.
This is as designed.
Using within after http_headers
Mike Cox (Apr 30)
I'm testing some rules and it seems that using the within content
modifier on a content match that is relative to a previous content
match and uses the http_headers content modifier does not work. For
example, this is the original rule that is not alerting:
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Testing Referer";
flow:established,to_server; content:"|0d 0a|Referer\: "; nocase;
http_header;...
Re: Snort PCAP FRAMES Query
Seth Art (Apr 30)
The PCAP_FRAMES message is benign in your case. It is just reminding
you that you are not using an "enhanced" pcap, like the one Phil Wood:
http://public.lanl.gov/cpw/
Secondly, the 128-4 message means: Generator: 128, Signature: 4.
Generator 1 is the text based rules, Gen 3 are the shared object
rules, and the rest are mostly preprocessor rules (ie: http_inspect,
frag, telnet, etc)
Looks like you are generating sigs, just not any...
Snort PCAP FRAMES Query
Michael Sloan (Apr 30)
I'm still having fits with my Snort/Barnyard2/BASE/mySQL installation
under SUSE Linux Enterprise 11, and decided to recompile Snort with
--with-mysql --with-mysql-libraries=/usr/lib/mysql
--with-mysql-includes=/usr/include/mysql to see if possibly some of my issues
might go away -
Things like only seeing SSH Protocol Mismatch as the only reported error
(I cleared the records in BASE before starting with the newly compiled
snort binary)...
Re: Fw: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_SDF version 1.1.1
Ryan Jordan (Apr 30)
There's a couple things going on here.
First: Your snort.conf file is going to have a line that reads like this:
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
Snort is going to attempt to load EVERY .so file contained in that
directory. No more, no less. The error message doesn't mean that Snort
can't find your SDF preprocessor -- it means that it was found, but
didn't load correctly.
Second: The interface between...
Fw: Re: Fw: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_SDF version 1.1.1
ccie 6862 (Apr 30)
J, Thanks a million for your help. I thought that was odd when I was getting the error on the previous version. I
hadn't considered the remnant of 2.8.6. It's running now.
--- On Fri, 4/30/10, Joel Esler <jesler () sourcefire com> wrote:
From: Joel Esler <jesler () sourcefire com>
Subject: Re: [Snort-users] Fw: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_SDF version 1.1.1
To: "ccie 6862" <ccie6862 ()...
Re: ftp_pp: FTP malformed parameter
Jason Wallace (Apr 30)
No they did not but I was using a different config before. When I
switched to 2.6.0 I decided to start with the default settings shipped
with snort for this preprocessor.
Wally
Re: Fw: FATAL ERROR: Failed to initialize dynamic preprocessor: SF_SDF version 1.1.1
Joel Esler (Apr 30)
Wait, are you trying to use 2.8.5.3 with the 2.8.6 preprocessors?
J
We also maintain archives for these lists (some are currently inactive):
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.