SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not found on any web site—not even Insecure.Org. No, the cutting edge in security research is and will continue to be the full disclosure mailing lists such as Bugtraq. Here we provide web archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all using the Site Search box above.
Insecure.Org Lists
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe to nmap-dev here.
Current Quarter
Archived Posts
RSS Feed
About ListRe: NSConnection Probe Harrison Neal (Oct 11)
Apologies, it looks like the probe suggestion was cut off now that I
re-read it.
Probe TCP NSConnection_rootProxy...
NSConnection Probe Harrison Neal (Oct 11)
Good day,
It appears that nmap doesn't currently recognize TCP-bound NSConnection (
https://developer.apple.com/documentation/foundation/nsconnection ).
Example server code:
NSConnection *a = [NSConnection connectionWithReceivePort:[[NSSocketPort
alloc] init] sendPort:nil];
[a setRootObject:[[NSObject alloc] init]];
[a runInNewThread];
[NSThread sleepForTimeInterval:300.0f];
Example client code:
NSLog(@"%@\n", [[NSConnection...
NSE scripts for SNMPv3? Johan Kuuse (Oct 03)
Hi, my first mail to this list,
I have used (and modified) quite a few NSE scripts for SNMP.
Anyhow, AFAIK, all SNMP scripts (except "snmp-info") are limited to SNMPv1
and SNMPv2c:
nmap --script-help=snmp* | grep -B3 -A1 -i v3
----------------------------------
snmp-info
Categories: default version safe
https://nmap.org/nsedoc/scripts/snmp-info.html
Extracts basic information from an SNMPv3 GET request. The same probe is
used
here...
Nmap PR #2909 Vahagn Vardanian via dev (Sep 17)
Hello there,
My name is Vahagn, and I am the co-founder and CTO of RedRays.
A few weeks ago, we created a pull request to Nmap Github to add a new
check for detecting the most popular information disclosure in SAP systems.
You can get list of SAp systems using this google dork: inurl:/irj/portal
Thank you
NPCAP 1.60 high CPU usage with pcap filter that does not pass anything (Win10) Vladimir Soldatov (Sep 17)
Hi guys,
I've a setup (Win10, Intel X520, NPCAP 1.60) with relatively high traffic
around 700 Mbit/s and I am trying to test the following cases:
1. Capture everything with empty pcap filter and just print stats with some
period calculating captured data size
2. Capture nothing with an intentionally created filter that does not match
the received traffic at all.
3. Capture some subset of traffic like 10%.
In all the cases, CPU usage...
[PATCH 1/1] Improved the legibility of `Makefile` Ariel Otilibili (Sep 17)
* source files obtained by a wildcard
* headers and objects generated by differences.
```
$ grep -P '(SRCS|HDRS|OBJS) =' Makefile.in | \
sed -e 's/^export.*= //g; s/\$.*//g; s/OBJS = //' | \
sed -ne '2p' | \
tr ' ' '\n' | \
sed -e 's/\.h//' | \
sort -d | \
grep -vP '^$' > headers
$ grep -P '(SRCS|HDRS|OBJS) =' Makefile.in | \
sed -e...
[PATCH 0/1] Improved the legibility of Makefile Ariel Otilibili (Sep 17)
Hello committers,
The same patch is on this PR: https://github.com/nmap/nmap/pull/2938
Have a good weekend,
Ariel
Ariel Otilibili (1):
Improved the legibility of `Makefile`
Makefile.in | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
How to make a minimal HTTPS request with ncat --ssl with explicit HTTP content? Ciro Santilli OurBigBook via dev (Sep 17)
Hello, I was trying for fun to make an HTTPS request with explicit hand-written HTTP content.
Something analogous to:
printf 'GET / HTTP/1.1\r\nHost: example.com\r\n\r\n' | ncat example.com 80
but for HTTPS. After Googling one of the tools that I found that seemed it might do the job was ncat from the nmap
project, so I tried:
printf 'GET / HTTP/1.1\r\nHost: example.com\r\n\r\n' | ncat --ssl example.com 443
an that works...
[PATCH 1/1] Updated ALPN IDs Ariel Otilibili (Sep 15)
```
$ URL=https://www.iana.org/assignments/tls-extensiontype-values/alpn-protocol-ids.csv
$ curl -sL ${URL} |
perl -nE 'say $& if /(?<=\"\").*(?=\"\")/' |
sort > iana;
< scripts/tls-alpn.nse perl -nE 'say $& if m!(?<=")[\w/\.\-]+(?=",)!' |
sort > nmap.alpn;
diff iana nmap.alpn | grep '<'
< co
< postgresql
$ curl --silent ${URL} --output...
[PATCH 0/1] Updated ALPN IDs (Mon, 26 Aug 2024 17:55:25 GMT) Ariel Otilibili (Sep 15)
Hello,
Herewith the PR containing this patch: https://github.com/nmap/nmap/pull/2939
Have a good week,
Ariel
Ariel Otilibili (1):
Updated ALPN IDs
scripts/tls-alpn.nse | 2 ++
1 file changed, 2 insertions(+)
npcap accuracy Dupuit, Cyril via dev (Sep 04)
Hello,
I posted a comment to pcap_sendqueue_transmit() accuracy * Issue #750 * nmap/npcap
(github.com)<https://github.com/nmap/npcap/issues/750> concerning npcap accuracy.
I did some tests with a modified version of NPF_BufferedWrite() to check accuracy by using a Profitap (hardware
timestamp).
I tried to propose a modification on npcap project without success.
How can I propose a change to the project ?
Best regards,
Cyril...
Increase service probes max line length Reece (Jul 07)
I created a PR on github to increase the probe line length, we created a
custom probe for our own purposes to detect quic based on a tcpdump packet,
but it's quite long so went over the line length, this, the PR increases
the line length and adds a nicer error if you hit the max:
https://github.com/nmap/nmap/pull/2803
Currently we are applying it as a patch in our build infra but would be
great to get it upstream.
Note: this became an...
Automatic protocol selection? Roy Sigurd Karlsbakk (Jul 06)
Hi all
Sometimes I use nmap in my scripts and since I'm in a mixed environment, where most of the hosts are dual protocol, not
all are, and some are only on IPv4 or IPv6, depending on the type of equipment and their function. Most other software,
will just default to a single protocol, typically IPv6, and then fall back to the other if the first fails. At first I
thought using the -6 flag would do so (as it says 'Enable IPv6...
Fix ndiff.bat issue on Windows georges.zwing (Jul 04)
Hi,
I created this PR <https://github.com/nmap/nmap/pull/2865> to fix this
issue <https://github.com/nmap/nmap/issues/2733> running ndiff.bat on
Windows. It also removes the requirement to have Python installed separately
from Zenmap.
But I don't see the Travis CI build tests mentioned in
https://github.com/nmap/nmap/blob/master/CONTRIBUTING.md in the PR. Should I
look somewhere else?
Regards,
Georges
The Turkish translation of man page Çınar Fidanboy (Jul 04)
Hello dear Nmap developers,
I'm a Nmap user from Turkey and i translated the Man page into turkish.
The translation file (nmap-man-tr.xml) is attached to this email.
If you have any questions or suggestions, you can reply to this email
have a nice day.
nmap-man-tr.xml
<https://drive.google.com/file/d/1vGghQABpok5x_q9yAWZuX9aXV94AyOG6/view?usp=drivesdk>
Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe to stay informed.
Nmap 7.95 released: OS and service detection signatures galore! Gordon Fyodor Lyon (May 05)
Dear Nmap Community,
I just arrived in San Francisco for the RSA conference and am delighted to
announce our Nmap Version 7.95 release! I'm most excited that we finally
tackled our backlog of OS and service detection fingerprint submissions.
We're not talking about dozens or hundreds of them-we processed more than
6,500 fingerprints!
For OS detection, we added 336 signatures, bringing the new total to 6,036.
Additions include iOS 15...
Npcap Celebrates its 10th Anniversary In Space! Gordon Fyodor Lyon (Oct 05)
Dear Nmap community,
Last month we celebrated Nmap's 26th birthday and today I'm happy to share
another big milestone: Our Npcap driver for capturing and sending raw
packets on Windows turned 10 this year! From humble beginnings as a
security and modernization patch for the discontinued WinPcap project,
Npcap has become an indispensable component for both Nmap and Wireshark.
And it's used by hundreds of other software products and...
Nmap 26th Birthday Announcement: Version 7.94 Gordon Fyodor Lyon (Sep 01)
Dear Nmap community,
Today is Nmap’s 26th birthday, which reminded me that I hadn’t yet
announced our Nmap 7.94 release from May. And it’s a great one! The biggest
improvement was the Zenmap and Ndiff upgrades from the obsolete Python 2
language to Python 3 on all platforms. Big thanks to Daniel Miller, Jakub
Kulík, Brian Quigley, Sam James, Eli Schwartz, Romain Leonard, Varunram
Ganesh, Pavel Zhukov, Carey Balboa, and Hasan Aliyev for...
Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
SEC Consult SA-20241009-0 :: Local Privilege Escalation via MSI installer in Palo Alto Networks GlobalProtect (CVE-2024-9473) SEC Consult Vulnerability Lab via Fulldisclosure (Oct 09)
<<< image/webp; name="cmd.webp": Unrecognized >>>
APPLE-SA-10-03-2024-1 iOS 18.0.1 and iPadOS 18.0.1 Apple Product Security via Fulldisclosure (Oct 07)
APPLE-SA-10-03-2024-1 iOS 18.0.1 and iPadOS 18.0.1
iOS 18.0.1 and iPadOS 18.0.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121373.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
Media Session
Available for: iPhone 16 (all models)
Impact: Audio messages in Messages may be able to...
Some SIM / USIM card security (and ecosystem) info Security Explorations (Oct 04)
Hello All,
Those interested in SIM / USIM card security might find some
information at our spin-off project page dedicated to the topic
potentially useful:
https://security-explorations.com/sim-usim-cards.html
We share there some information based on the experiences gained in the
SIM / USIM card security space, all in a hope this leads to the
increase of public awareness on the topic, change perspective on the
SIM / USIM card industry and...
SEC Consult SA-20240930-0 :: Local Privilege Escalation via MSI Installer in Nitro PDF Pro (CVE-2024-35288) SEC Consult Vulnerability Lab via Fulldisclosure (Sep 30)
<<< application/pkcs7-signature; name="smime.p7s": Unrecognized >>>
Backdoor.Win32.Benju.a / Unauthenticated Remote Command Execution malvuln (Sep 28)
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/88922242e8805bfbc5981e55fdfadd71.txt
Contact: malvuln13 () gmail com
Media: x.com/malvuln
Threat: Backdoor.Win32.Benju.a
Vulnerability: Unauthenticated Remote Command Execution
Family: Benju
Type: PE32
MD5: 88922242e8805bfbc5981e55fdfadd71
SHA256: 7d34804173e09d0f378dfc8c9212fe77ff51f08c9d0b73d00a19b7045ddc1f0e
Vuln ID: MVID-2024-0700...
Backdoor.Win32.Prorat.jz / Remote Stack Buffer Overflow (SEH) malvuln (Sep 28)
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/277f9a4db328476300c4da5f680902ea.txt
Contact: malvuln13 () gmail com
Media: x.com/malvuln
Threat: Backdoor.Win32.Prorat.jz
Vulnerability: Remote Stack Buffer Overflow (SEH)
Description: The RAT listens on TCP ports 51100,5112,5110 and runs an
FTP service. Prorat uses a vulnerable component in a secondary malware
it drops on the victim...
Backdoor.Win32.Amatu.a / Remote Arbitrary File Write (RCE) malvuln (Sep 28)
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/1e2d0b90ffc23e00b743c41064bdcc6b.txt
Contact: malvuln13 () gmail com
Media: x.com/malvuln
Threat: Backdoor.Win32.Amatu.a
Vulnerability: Remote Arbitrary File Write (RCE)
Family: Amatu
Type: PE32
MD5: 1e2d0b90ffc23e00b743c41064bdcc6b
SHA256: 77fff9931013ab4de6d4be66ca4fda47be37b6f706a7062430ee8133c7521297
Vuln ID: MVID-2024-0698
Dropped...
Backdoor.Win32.Agent.pw / Remote Stack Buffer Overflow (SEH) malvuln (Sep 28)
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/68dd7df213674e096d6ee255a7b90088.txt
Contact: malvuln13 () gmail com
Media: x.com/malvuln
Threat: Backdoor.Win32.Agent.pw
Vulnerability: Remote Stack Buffer Overflow (SEH)
Description: The malware listens on TCP port 21111. Third-party
attackers who can reach an infected machine can send specially crafted
sequential packetz triggering a...
Backdoor.Win32.Boiling / Remote Command Execution malvuln (Sep 28)
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/80cb490e5d3c4205434850eff6ef5f8f.txt
Contact: malvuln13 () gmail com
Media: x.com/malvuln
Threat: Backdoor.Win32.Boiling
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on TCP port 4369. Third party
adversaries who can reach an infected host, can issue single OS
commands to takeover the system...
Defense in depth -- the Microsoft way (part 88): a SINGLE command line shows about 20, 000 instances of CWE-73 Stefan Kanthak (Sep 28)
Hi @ll,
<https://cwe.mitre.org/data/definitions/73.html>
CWE-73: External Control of File Name or Path
is a well-known and well-documented weakness.
<https://seclists.org/fulldisclosure/2020/Mar/48> as well as
<https://skanthak.homepage.t-online.de/offender.html> demonstrate how to
(ab)use just one instance of this weakness (introduced about 7 years ago
with Microsoft Defender, so-called "security software") due to...
SEC Consult SA-20240925-0 :: Uninstall Password Bypass in BlackBerry CylanceOPTICS Windows Installer Package (CVE-2024-35214) SEC Consult Vulnerability Lab via Fulldisclosure (Sep 28)
SEC Consult Vulnerability Lab Security Advisory < 20240925-0 >
=======================================================================
title: Uninstall Password Bypass
product: BlackBerry CylanceOPTICS Windows Installer Package
vulnerable version: CylanceOPTICS <3.3 MR2
CylanceOPTICS <3.2 MR5
fixed version: CylanceOPTICS 3.3 MR2
CylanceOPTICS...
Apple iOS 17.2.1 - Screen Time Passcode Retrieval (Mitigation Bypass) Patrick via Fulldisclosure (Sep 28)
Document Title:
===============
Apple iOS 17.2.1 - Screen Time Passcode Retrieval (Mitigation Bypass)
Release Date:
=============
2024-09-24
Affected Product(s):
====================
Vendor: Apple Inc.
Product: Apple iOS 17.2.1 (possibly all < 18.0 excluding 18.0)
References:
====================
VIDEO PoC: https://www.youtube.com/watch?v=vVvk9TR7qMo
The vulnerability has been patched in the latest release of the operating
system (iOS...
CyberDanube Security Research 20240919-0 | Multiple Vulnerabilities in Netman204 Thomas Weber via Fulldisclosure (Sep 23)
CyberDanube Security Research 20240919-0
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities
product| Netman 204
vulnerable version| 4.05
fixed version| -
CVE number| CVE-2024-8877, CVE-2024-8878
impact| High
homepage| https://www.riello-ups.com/
found| 2024-05-17
by| D....
Submit Exploit CVE-2024-42831 arfaoui haythem (Sep 23)
# Exploit Title: Reflected XSS in Elaine's Realtime CRM Automation v6.18.17
# Date: 09/2024
# Exploit Author: Haythem Arfaoui (CBTW Team)
# Vendor Homepage: https://www.elaine.io/
# Software Link:
https://www.elaine.io/en/products/elaine-marketing-automation/
# Version: 6.18.17 and below
# Tested on: Windows, Linux
# CVE : CVE-2024-42831
# Description
A reflected cross-site scripting (XSS) vulnerability in Elaine's Realtime
CRM...
Stored XSS in "Edit Profile" - htmlyv2.9.9 Andrey Stoykov (Sep 18)
# Exploit Title: Stored XSS in "Edit Profile" - htmlyv2.9.9
# Date: 9/2024
# Exploit Author: Andrey Stoykov
# Version: 2.9.9
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2024/09/friday-fun-pentest-series-11-stored-xss.html
Stored XSS #1:
Steps to Reproduce:
1. Login as author
2. Browse to "Edit Profile"
3. In "Content" field add payload "><img src=x onerror=alert(1)>
4. Then...
Other Excellent Security Lists
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
Penetration Testing — While this list is intended for "professionals", participants frequenly disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
Info Security News — Carries news items (generally from mainstream sources) that relate to security.
IDS Focus — Technical discussion about Intrusion Detection Systems. You can also read the archives of a previous IDS list
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Grace Hopper and the Rebirth of US Conferences Dave Aitel via Dailydave (Oct 10)
I spent some time watching all the Grace Hopper videos on the youtubes, as
I prepared for what up North is a horrible storm, but here in Miami is, so
far, a breezy and clear day. You can hear her talk about how subroutines
used to be literal handwritten pages of instructions in notebooks. When you
wanted SIN or COS you would go over to whoever had the notebook with the
working version, and copy it out into your code.
It was this experience that...
Developing Clairvoyance Dave Aitel via Dailydave (Sep 30)
As you know, humans like to invent comfort words. One of my favorites is
"luck". The theory being that yes, the universe has dice, but they are
loaded in your favor. Properly used, these words are a spell - they allow
us to have courage when a sober mind would quail. But when you become a
professional, you have to give up these crutches. Only poor poker players
believe in "luck".
In computer science, and especially in machine...
Re: sboms and LLMs Adrian Sanabria via Dailydave (Sep 12)
We've been talking about and giving "Beyond the SBOM" presentations for a
while now, but to your point, I don't see anyone actually doing it.
If Solarwinds said "here's a script that will lock down your host firewall
to just the outbound access our tools need to update themselves", that
would be amazing, and would have saved everyone some time and trouble a few
years ago.
[image: image.png]
And Biden's EO...
Re: sboms and LLMs Isaac Dawson via Dailydave (Sep 12)
Well this is rather timely! Although I'm not sure using an LLM for the
behavioral aspect is entirely necessary. I've been working on an
experimental system that does just what you talk about for dependencies (
https://docs.gitlab.com/ee/user/application_security/dependency_scanning/experiment_libbehave_dependency.html,
pre-alpha!). My solution uses static analysis because I'm a fan of
determinism.
Snark aside, looking at behaviors...
sboms and LLMs Dave Aitel via Dailydave (Sep 11)
People doing software security often use LLMs more as orchestrators than
anything else. But there's so many more complicated ways to use them in our
space coming down the pipe. Obviously the next evolution of SBOMs
<https://www.cisa.gov/resources-tools/resources/cisa-sbom-rama> is that
they represent not just what is contained in the code as some static tree
of library dependencies, but also what that code does in a summary fashion...
Re: Persistence and Strategic Effects the grugq via Dailydave (Aug 16)
Cyber is Calvinball.
I gave a talk back in 2015 [1] which I think has held up rather well. My argument was that cyber is evolving in
unpredictable ways as we learn more about the domain. That the current state of the art has huge blind spots we aren’t
even thinking about. The next year was, of course, the 2016 disinformation campaign fed by cyber loot.
I feel that a great deal of cyber war literature is based on knowledge derived from...
Persistence and Strategic Effects Dave Aitel via Dailydave (Aug 15)
Before there were words, calculated as the softmax of a list of possible
tokens, there were just vectors of nano-electrical potential in cells
soaked in a hormonal brew of electrolytes, operating on a clock cycle of
"slow, but fast enough". In this sense, as we now know
<https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10472538/>, we generate words
and we know, in our heads, what we are, in the same way as we generate
limbs, with each...
Re: "Exploitation Less Likely" Dave Aitel via Dailydave (Aug 13)
https://github.com/CloudCrowSec001/CVE-2024-38077-POC/blob/main/CVE-2024-38077.md
https://github.com/Wlibang/CVE-2024-38077/blob/main/One%20bug%20to%20Rule%20Them%20All%2C%20Exploiting%20a%20Preauth%20RCE%20vulnerability%20on%20Windows%20(2024_8_9%2010_59_06).html
But while you are at it, always good to watch a video for no reason:
https://www.youtube.com/watch?v=mVXrl4W1jOU
-dave
Re: "Exploitation Less Likely" Don A. Bailey via Dailydave (Aug 13)
"Exploitation Less Likely" Dave Aitel via Dailydave (Aug 12)
DefCon is a study in cacophony, and like many of you I'm still digging
through my backlog of new research in multifarious browser tabs, the way a
dragonfly keeps track of the world through scintillated compound lenses. In
between AIxCC (which proved, if anything, the boundaries
<https://dashboard.aicyberchallenge.com/collectivesolvehealth> of automated
bug finding using current LLM tech?), James Kettle's timing attack research...
PRANA Hack and Leak Report Release Dave Aitel via Dailydave (Aug 02)
Cordyceps Analysis Report on PRANA Network Hack and Leak Operation:
https://docs.google.com/document/d/1oOJbBTUwyK85ZKYAAdwWqxk-sMvqrBqzJYX1oziTFu4/edit?usp=sharing
Lately I've been reading a lot of academic papers, mostly the Research
Handbook on Cyberwarfare
<https://www.elgaronline.com/edcollchap/book/9781803924854/book-part-9781803924854-6.xml>.
Some of them are good papers! JD Work has a paper in it! But also some of
them get...
Re: LLMs and refusals David Manouchehri via Dailydave (Jul 28)
Breaking down a prompt into multiple steps works pretty well for us. e.g.
first we get generic mean reasons:
[image: image.png]
Then I just shove the mean reasons into the system message (you can do this
with another LLM call instead in real life, I just cheated by copy pasting
since there's already too many screenshots in this email):
[image: image.png]
This is with gpt-4o-2024-05-13 above, but you can see below it works with
Llama 3.1...
Re: LLMs and refusals Jason Ross via Dailydave (Jul 25)
It's likely this is going to happen anyway, the new Mistral just dropped
and seems to perform roughly on par with llama3 and gpt4o, so the next wave
of fine tuned versions like dolphin are almost certainly coming soon.
OpenAI also has announced free fine tuning of gpt4o mini until late
September (up to 2m tokens/day) so it may be possible to fine tune around
some of its guardrails for a reasonable cost.
Re: LLMs and refusals Robert Lee via Dailydave (Jul 24)
LLMs and refusals Dave Aitel via Dailydave (Jul 24)
[image: image.png]
Above: LLAMA3.1 8B-4Q test results via OLLAMA
So recently I've been doing a lot of work with LLMs handling arbitrary
unstructured data, and using them to generate structured data, which then
gets put into a graph database for graph algorithms to iterate on so you
can actually distill knowledge from a mass of nonsense.
But obviously this can get expensive via APIs, so like many of you, I set
up a server with a A6000 that...
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
Apple Releases Security Updates for Multiple Products CISA (Mar 28)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow
You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated and is now available.
Apple Releases Security Updates for Multiple Products [
https://www.cisa.gov/news-events/alerts/2023/03/28/apple-releases-security-updates-multiple-products ] 03/28/2023 01:00
PM EDT
Apple...
CISA Releases Six Industrial Control Systems Advisories CISA (Mar 23)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow
You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated, and is now available.
CISA Releases Six Industrial Control Systems Advisories [
https://www.cisa.gov/news-events/alerts/2023/03/23/cisa-releases-six-industrial-control-systems-advisories ] 03/23/2023
08:00 AM EDT...
CISA Releases Eight Industrial Control Systems Advisories CISA (Mar 21)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow
You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated, and is now available.
CISA Releases Eight Industrial Control Systems Advisories [
https://www.cisa.gov/news-events/alerts/2023/03/21/cisa-releases-eight-industrial-control-systems-advisories ]
03/21/2023 08:00 AM...
CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management CISA (Mar 21)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow
You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated, and is now available.
CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management [...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
CVE-2023-50780: Apache ActiveMQ Artemis: Authenticated users could perform RCE via Jolokia MBeans Justin Bertram (Oct 14)
Severity: moderate
Affected versions:
- Apache ActiveMQ Artemis before 2.29.0
Description:
Apache ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are also exposed
through the authenticated Jolokia endpoint. Before version 2.29.0, this also included the Log4J2 MBean. This MBean is
not meant for exposure to non-administrative users. This could eventually allow an authenticated attacker to write...
[kubernetes] CVE-2024-9486 and CVE-2024-9594: VM images built with Kubernetes Image Builder use default credentials Joel Smith (Oct 14)
Hello Kubernetes Community,
A security issue was discovered in Kubernetes where an unauthorized user
may be able to ssh to a node VM which uses a VM image built with the
Kubernetes Image Builder project (
https://github.com/kubernetes-sigs/image-builder).
For images built with the Proxmox provider, this issue has been rated
Critical (
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
(9.8), and assigned...
CVE-2024-46911: Apache Roller: Weakness in CSRF protection allows privilege escalation David M. Johnson (Oct 11)
Severity: important
Affected versions:
- Apache Roller 1.0.0 before 6.1.4
Description:
Cross-site Resource Forgery (CSRF), Privilege escalation vulnerability in Apache Roller. On multi-blog/user Roller
websites, by default weblog owners are trusted to publish arbitrary weblog content and this combined with a deficiency
in Roller's CSRF protections allowed an escalation of privileges attack. This issue affects Apache Roller before...
libarchive 3.7.5 released with security fixes Alan Coopersmith (Oct 10)
https://github.com/libarchive/libarchive/releases/tag/v3.7.5 announces
the release on Sept. 13 of libarchive 3.7.5 with these identified security
fixes:
- fix multiple vulnerabilities identified by SAST (#2251, #2256)
- cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing (#2258)
- lzop: prevent integer overflow (#2174)
- rar4: protect copy_from_lzss_window_to_unp() (#2172, CVE-2024-20696)
- rar4: fix CVE-2024-26256 (#2269,...
CVE-2024-28168: Apache XML Graphics FOP: XML External Entity (XXE) Processing Simon Steiner (Oct 09)
Severity: moderate
Affected versions:
- Apache XML Graphics FOP 2.9
Description:
Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP.
This issue affects Apache XML Graphics FOP: 2.9.
Users are recommended to upgrade to version 2.10, which fixes the issue.
This issue is being tracked as FOP-3168
Credit:
c1gar of Shanxi Normal University (finder)
References:...
Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Solar Designer (Oct 08)
This currently switches fsuid/fsgid (so for the current thread only),
but uses initgroups() and setgroups() libc functions (so affects all
threads). Code last modified 4 years ago, which pre-dates our
recognition of the supplementary groups vs. threads problem and its fix
in tcb. Maybe Linux-PAM should implement a similar change now.
This currently switches euid/egid/groups, so doesn't try to be MT-safe.
(On Linux, it is also possible to...
CVE-2024-45720: Apache Subversion: Command line argument injection on Windows platforms Stefan Sperling (Oct 08)
I am happy to announce the release of Apache Subversion 1.14.4.
This is a stable bugfix and security release of the Apache Subversion
open source version control system.
Among regular bug fixes, this release fixes CVE-2024-45720:
Subversion command line argument injection on Windows platforms
On Windows platforms, a "best fit" character encoding conversion of
command line arguments to Subversion's executables (e.g.,...
Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Simon Josefsson (Oct 08)
Solar Designer <solar () openwall com> writes:
Fixed, thank you! The writeup is available here:
https://www.nongnu.org/oath-toolkit/CVE-2024-47191.html
Thanks for review and mentioning this! I added some comments:
https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/47
I noticed that that there are Linux-PAM helpers to drop privileges:
https://github.com/linux-pam/linux-pam/blob/master/libpam/pam_modutil_priv.c#L52
I have found...
Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Solar Designer (Oct 07)
Hi,
Great work by the SUSE Security Team and upstream!
This link requires authentication. I guess you meant to post:
https://gitlab.com/oath-toolkit/oath-toolkit/-/commit/95ef255e6a401949ce3f67609bf8aac2029db418
I note a few things:
1. Neither the SUSE nor the upstream patches change the supplementary
groups. SUSE patches fork() and then in the child setgid() and
setuid(). Upstream doesn't fork(), but switches with setegid() and...
[vim-security] use-after-free when closing buffers in Vim < 9.1.0764 Christian Brabandt (Oct 06)
use-after-free when closing buffers in Vim < 9.1.0764
=====================================================
Date: 06.10.2024
Severity: Low
CVE: <not-yet-assigned>
CWE: Use After Free (CWE-416)
When closing a buffer (visible in a window) a BufWinLeave auto command
can cause an use-after-free if this auto command happens to re-open the
same buffer in a new split window.
While vim already has some logic to determine such a case, so that a...
OSSA-2024-004 / CVE-2024-47211: OpenStack Ironic <26.1.1 fails to verify checksums of supplied image_source URLs when configured to convert images to raw for streaming Jay Faulkner (Oct 05)
====================================================================================================================================
OSSA-2024-004: Ironic fails to verify checksums of supplied image_source URLs when configured to convert images to raw
for streaming
====================================================================================================================================
:Date: October 03, 2024
:CVE: CVE-2024-47211...
Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Simon Josefsson (Oct 05)
OATH Toolkit pam_oath usersfile `${HOME}` privilege escalation
--------------------------------------------------------------
Security Vulnerability
----------------------
OATH Toolkit provides two components `liboath` and `pam_oath`.
Pam_oath is normally run as root and assumes that the `usersfile` path
setting value points to a root-controlled and protected file
containing the OATH secrets (cryptographic HMAC keys) for users.
The...
CVE-2024-8508 in Unbound DNS server prior to 1.21.1 Alan Coopersmith (Oct 04)
https://nlnetlabs.nl/downloads/unbound/CVE-2024-8508.txt states:
The patch is available from
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2024-8508.diff
Re: CVE-2024-42415: Integer Overflow in GNOME libgsf Alan Coopersmith (Oct 04)
Oops, I should have noted the above bug report & commit also cover
CVE-2024-36474 from
https://talosintelligence.com/vulnerability_reports/TALOS-2024-2068
CVE-2024-42415: Integer Overflow in GNOME libgsf Alan Coopersmith (Oct 04)
https://talosintelligence.com/vulnerability_reports/TALOS-2024-2069 reports:
GNOME Project G Structured File Library (libgsf) Compound Document Binary File
Sector Allocation Table integer overflow vulnerability
October 3, 2024
CVE Number
CVE-2024-42415
SUMMARY
An integer overflow vulnerability exists in the Compound Document Binary File
format parser of v1.14.52 of the GNOME Project G Structured File Library
(libgsf). A specially crafted...
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
Educause Security Discussion — Securing networks and computers in an academic environment.
Internet Issues and Infrastructure
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: arista full tables recommendation Brandon Butterworth (Oct 14)
K is extra TCAM, the extra ram, M option, may be needed too.
I missed the list off my previous reply (updated) -
------ Forwarded Message ------
To "Alex Buie" <abuie () cytracom com>
Date 14/10/2024 23:01:25
Subject Re: arista full tables recommendation
I you have money get 7280CR3K model for lots of 100G ports,
7280SR3K if you need mostly 10/25G ports. The non K are smaller
TCAM, data is on Arista web site. Other models if...
Re: arista full tables recommendation Kevin Shymkiw (Oct 14)
Alex,
For that kind scale products in the 7280R3 family with the extra memory (K)
SKU’s would be the best fit.
If you need chassis then it would be the 7800R3 chassis products.
This of course assumes new units and not buying resale products.
Kevin
arista full tables recommendation Alex Buie (Oct 14)
Hi all,
We're an arista shop (primarily 7050qx-32s, 7050tx, and 7060cx right now)
and wanted to get some input on recommendations for "real routers" that can
better handle full internet tables. As it is right now we do some
creative import filtering to import and inject a handful of routes we care
about due to limited fib space and otherwise just use a default received
from our carriers, with any particular transit carrier being...
Re: CGNAT growing pains Curtis, Bruce via NANOG (Oct 13)
At our university we see between 50 and 60% IPv6 usage measured by inbound bandwidth.
We have had IPv6 enabled everywhere on the network since 2008.
If more browsers switched from Happy Eyeballs version 1 to Happy Eyeballs version 2 the percentage would go way up!
And would shrink the traffic through our NAT boxes to a trickle.
"Based on our testing, this makes our Happy Eyeballs implementation go from roughly 50/50 IPv4/IPv6 in iOS 8 and...
Re: Frustration with increasing information demands from Network Vendors Saku Ytti (Oct 12)
Understood. I was hoping something bit more than 'company must honor
the terms and conditions they wrote', which thoroughly keeps vendor in
the driver seat, as they can mandate customer to provide that
information as part of service onboarding. So trying to push this is
only likely to end up with more restrictive contract terms, and being
in contract violation on lies.
Slightly related, Cisco has as long as I remember (+20 years)...
Re: Frustration with increasing information demands from Network Vendors Keith Christian (Oct 12)
Insufficient oversight from management.
Contact someone in the c-suite and report this "data mining."
Re: Frustration with increasing information demands from Network Vendors Tom Beecher (Oct 12)
Sample here of a publicly accessible support contract :
https://support.juniper.net/support/pdf/guidelines/juniper-care-service-description-document.pdf
Section 3.2 is the relevant portion. In part :
During the term of the Juniper Networks Service Contract, Juniper Networks
What is the applicable part in the contract that you commonly
I disagree with the premise here. I never said I 'commonly need to remind
Juniper' about anything...
Re: Frustration with increasing information demands from Network Vendors Saku Ytti (Oct 11)
More specifically, were you referring to the support contract Juniper
wrote? What is the applicable part in the contract that you commonly
need to remind Juniper about and helps you in procuring software
updates?
China Telecom Global down at NL-IX Brandon Zhi (Oct 11)
Hello,
Anyone here from China Telecom? It looks like the server in NL-IX is down.
193.239.118.168
Best,
*Brandon Zhi*
HUIZE LTD
www.huize.asia <https://huize.asia/>| www.ixp.su | Twitter
This e-mail and any attachments or any reproduction of this e-mail in
whatever manner are confidential and for the use of the addressee(s) only.
HUIZE LTD can’t take any liability and guarantee of the text of the email
message and virus.
Re: Frustration with increasing information demands from Network Vendors Jay Hennigan (Oct 11)
This kind of marketing pervasiveness predates the Internet. Warranty
registration postcards from the 1980s had similar questions.
Re: Frustration with increasing information demands from Network Vendors Tom Beecher (Oct 11)
Just standard contract law is all I was referring too.
Weekly Global IPv4 Routing Table Report Routing Table Analysis Role Account (Oct 11)
This is an automated weekly mailing describing the state of the Global
IPv4 Routing Table as seen from APNIC's router in Japan.
The posting is sent to APOPS, NANOG, AfNOG, SANOG, PacNOG, SAFNOG
UKNOF, TZNOG, MENOG, BJNOG, SDNOG, CMNOG, LACNOG and the RIPE Routing WG.
Daily listings are sent to bgp-stats () lists apnic net.
For historical data, please see https://thyme.apnic.net.
If you have any comments please contact Philip Smith...
Re: CGNAT growing pains Tom Mitchell (Oct 11)
https://www.google.com/intl/en/ipv6/statistics.html
Re: CGNAT growing pains Tom Mitchell (Oct 11)
Hi Jon,
Are you dual stack? v6 would solve some of these issues?
Re: Frustration with increasing information demands from Network Vendors Chris Adams (Oct 11)
Once upon a time, chiel via NANOG <nanog () nanog org> said:
Send back that they are requesting company proprietary information, that
you need a contact in Juniper's legal team to negotiate a non-disclosure
agreement and a contract for sharing that data (and that said
negotiations will be billed at $250/hour).
Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 34.46 RISKS List Owner (Oct 01)
RISKS-LIST: Risks-Forum Digest Tuesday 1 Oct 2024 Volume 34 : Issue 46
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.46>
The current issue can also be found at
<...
Risks Digest 34.45 RISKS List Owner (Sep 14)
RISKS-LIST: Risks-Forum Digest Saturday 14 Sep 2024 Volume 34 : Issue 45
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.45>
The current issue can also be found at
<...
Risks Digest 34.44 RISKS List Owner (Sep 08)
RISKS-LIST: Risks-Forum Digest Sunday 8 Sep 2024 Volume 34 : Issue 44
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.44>
The current issue can also be found at
<...
Risks Digest 34.43 RISKS List Owner (Aug 29)
RISKS-LIST: Risks-Forum Digest Thursday 29 Aug 2024 Volume 34 : Issue 43
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.43>
The current issue can also be found at
<...
Risks Digest 34.42 RISKS List Owner (Aug 26)
RISKS-LIST: Risks-Forum Digest Monday 26 Aug 2024 Volume 34 : Issue 42
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.42>
The current issue can also be found at
<...
Risks Digest 34.41 RISKS List Owner (Aug 24)
RISKS-LIST: Risks-Forum Digest Saturday 24 Aug 2024 Volume 34 : Issue 41
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
(comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats,
etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.41>
The current issue can also be found at
<...
Risks Digest 34.40 RISKS List Owner (Aug 14)
RISKS-LIST: Risks-Forum Digest Wednesday 14 Aug 2024 Volume 34 : Issue 40
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.40>
The current issue can also be found at
<...
Risks Digest 34.39 RISKS List Owner (Aug 03)
RISKS-LIST: Risks-Forum Digest Saturday 3 Aug 2024 Volume 34 : Issue 39
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.39>
The current issue can also be found at
<...
Risks Digest 34.38 RISKS List Owner (Jul 29)
RISKS-LIST: Risks-Forum Digest Monday 29 Jul 2024 Volume 34 : Issue 38
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.38>
The current issue can also be found at
<...
Risks Digest 34.37 RISKS List Owner (Jul 25)
RISKS-LIST: Risks-Forum Digest Thursday 25 Jul 2024 Volume 34 : Issue 37
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.37>
The current issue can also be found at
<...
Risks Digest 34.36 RISKS List Owner (Jul 21)
RISKS-LIST: Risks-Forum Digest Sunday 21 Jul 2024 Volume 34 : Issue 36
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.36>
The current issue can also be found at
<...
Risks Digest 34.35 RISKS List Owner (Jul 11)
RISKS-LIST: Risks-Forum Digest Thursday 11 Jun 2024 Volume 34 : Issue 35
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.35>
The current issue can also be found at
<...
BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.
Healthcare organizations face rising ransomware attacks – and are paying up Matthew Wheeler (Jun 03)
https://www.theregister.com/2022/06/03/healthcare-ransomware-pay-sophos/
Healthcare organizations, already an attractive target for ransomware given
the highly sensitive data they hold, saw such attacks almost double between
2020 and 2021, according to a survey released this week by Sophos.
The outfit's team also found that while polled healthcare orgs are quite
likely to pay ransoms, they rarely get all of their data returned if they
do...
A digital conflict between Russia and Ukraine rages on behind the scenes of war Matthew Wheeler (Jun 03)
https://wskg.org/npr_story_post/a-digital-conflict-between-russia-and-ukraine-rages-on-behind-the-scenes-of-war/
SEATTLE — On the sidelines of a conference in Estonia on Wednesday, a
senior U.S. intelligence official told British outlet Sky News that the
U.S. is running offensive cyber operations in support of Ukraine.
“My job is to provide a series of options to the secretary of defense and
the president, and so that’s what I do,” said...
Researchers Uncover Malware Controlling Thousands of Sites in Parrot TDS Network Matthew Wheeler (Jun 03)
https://thehackernews.com/2022/06/researchers-uncover-malware-controlling.html
The Parrot traffic direction system (TDS) that came to light earlier this
year has had a larger impact than previously thought, according to new
research.
Sucuri, which has been tracking the same campaign since February 2019 under
the name "NDSW/NDSX," said that "the malware was one of the top infections"
detected in 2021, accounting for more than...
FBI, CISA: Don't get caught in Karakurt's extortion web Matthew Wheeler (Jun 03)
https://www.theregister.com/2022/06/03/fbi_cisa_warn_karakurt_extortion/
The Feds have warned organizations about a lesser-known extortion gang
Karakurt, which demands ransoms as high as $13 million and, some
cybersecurity folks say, may be linked to the notorious Conti crew.
In a joint advisory [PDF] this week, the FBI, CISA and US Treasury
Department outlined technical details about how Karakurt operates, along
with actions to take,...
DOJ Seizes 3 Web Domains Used to Sell Stolen Data and DDoS Services Matthew Wheeler (Jun 02)
https://thehackernews.com/2022/06/doj-seizes-3-web-domains-used-to-sell.html
The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of
three domains used by cybercriminals to trade stolen personal information
and facilitate distributed denial-of-service (DDoS) attacks for hire.
This includes weleakinfo[.]to, ipstress[.]in, and ovh-booter[.]com, the
former of which allowed its users to traffic hacked personal data and
offered a...
Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability Matthew Wheeler (Jun 02)
https://thehackernews.com/2022/05/chinese-hackers-begin-exploiting-latest.html
An advanced persistent threat (APT) actor aligned with Chinese state
interests has been observed weaponizing the new zero-day flaw in Microsoft
Office to achieve code execution on affected systems.
"TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using
URLs to deliver ZIP archives which contain Word Documents that use the
technique,"...
US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command Matthew Wheeler (Jun 02)
https://www.three.fm/news/world-news/us-military-hackers-conducting-offensive-operations-in-support-of-ukraine-says-head-of-cyber-command/
US military hackers have conducted offensive operations in support of
Ukraine, the head of US Cyber Command has told Sky News.
In an exclusive interview, General Paul Nakasone also explained how "hunt
forward" operations were allowing the United States to search out foreign
hackers and identify...
SideWinder Hackers Launched Over a 1, 000 Cyber Attacks Over the Past 2 Years Matthew Wheeler (May 31)
https://thehackernews.com/2022/05/sidewinder-hackers-launched-over-1000.html
An "aggressive" advanced persistent threat (APT) group known as SideWinder
has been linked to over 1,000 new attacks since April 2020.
"Some of the main characteristics of this threat actor that make it stand
out among the others, are the sheer number, high frequency and persistence
of their attacks and the large collection of encrypted and obfuscated...
Hackers are Selling US University Credentials Online, FBI Says Matthew Wheeler (May 31)
https://tech.co/news/hackers-are-selling-us-university-credentials-online-fbi-says
The Federal Bureau of Investigation has warned US universities and colleges
that it has found banks of login credentials and other data relating to VPN
access circulating on cybercriminals forums.
The fear is that such data will be sold and subsequently used by malicious
actors to orchestrate attacks on other accounts owned by the same students,
in the hope...
Interpol Nabs 3 Nigerian Scammers Behind Malware-based Attacks Matthew Wheeler (May 31)
https://thehackernews.com/2022/05/interpol-nabs-3-nigerian-scammers.html
Interpol on Monday announced the arrest of three suspected global scammers
in Nigeria for using remote access trojans (RATs) such as Agent Tesla to
facilitate malware-enabled cyber fraud.
"The men are thought to have used the RAT to reroute financial
transactions, stealing confidential online connection details from
corporate organizations, including oil and gas...
U.S. Warns Against North Korean Hackers Posing as IT Freelancers Matthew Wheeler (May 18)
https://thehackernews.com/2022/05/us-warns-against-north-korean-hackers.html
Highly skilled software and mobile app developers from the Democratic
People's Republic of Korea (DPRK) are posing as "non-DPRK nationals" in
hopes of landing freelance employment in an attempt to enable the regime's
malicious cyber intrusions.
That's according to a joint advisory from the U.S. Department of State, the
Department of the...
FBI and NSA say: Stop doing these 10 things that let the hackers in Matthew Wheeler (May 18)
https://www.zdnet.com/article/fbi-and-nsa-say-stop-doing-these-10-things-that-let-the-hackers-in/
Cyber attackers regularly exploit unpatched software vulnerabilities, but
they "routinely" target security misconfigurations for initial access, so
the US Cybersecurity and Infrastructure Security Agency (CISA) and its
peers have created a to-do list for defenders in today's heightened threat
environment.
CISA, the FBI and National...
Fifth of Businesses Say Cyber-Attack Nearly Broke Them Matthew Wheeler (May 18)
https://www.infosecurity-magazine.com/news/fifth-of-businesses-cyber-attack/
A fifth of US and European businesses have warned that a serious
cyber-attack nearly rendered them insolvent, with most (87%) viewing
compromise as a bigger threat than an economic downturn, according to
Hiscox.
The insurer polled over 5000 businesses in the US, UK, Ireland, France,
Spain, Germany, the Netherlands and Belgium to compile its annual Hiscox
Cyber...
Hacker And Ransomware Designer Charged For Use And Sale Of Ransomware, And Profit Sharing Arrangements With Cybercriminals Matthew Wheeler (May 18)
https://www.shorenewsnetwork.com/2022/05/16/hacker-and-ransomware-designer-charged-for-use-and-sale-of-ransomware-and-profit-sharing-arrangements-with-cybercriminals/
A criminal complaint was unsealed today in federal court in Brooklyn, New
York, charging Moises Luis Zagala Gonzalez (Zagala), also known as
“Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” a citizen of France and
Venezuela who resides in Venezuela, with attempted...
State of Ransomware shows huge growth in threat and impacts Matthew Wheeler (May 04)
https://www.continuitycentral.com/index.php/news/technology/7275-state-of-ransomware-shows-huge-growth-in-threat-and-impacts
Sophos has released its annual survey and review of real-world ransomware
experiences in its ‘State of Ransomware 2022’ report. This shows that 66
percent of organizations surveyed were hit with ransomware in 2021, up from
37 percent in 2020.
The average ransom paid by organizations that had data encrypted in their...
Open Source Tool Development
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Snort Subscriber Rules Update 2024-10-10 Research via Snort-sigs (Oct 10)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the malware-cnc and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Re: Hi all! (and a snort sig question) Al Lewis (allewi) via Snort-sigs (Oct 10)
Wouldnt it be easier to just use the IP variable?
i.e replace the EXTERNAL_NET and use a variable or IP?
Albert Lewis
Email: allewi () cisco com<mailto:allewi () cisco com>
________________________________
From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Rob Vandenbrink via Snort-sigs <snort-sigs ()
lists snort org>
Sent: Thursday, October 10, 2024 12:12 PM
To: Snort User <snort.user () gmail com>...
Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 10)
Ah, makes sense
I’ll count bytes, but I don’t think the ordering of extensions is dictated…
Playing with this tomorrow hopefully
Hi Rob
At this point of inspection, the payload is handled by the SSL inspector, and not by the HTTP inspector. So, we cannot
use the HTTP buffers.
So, is it possible for you to match on the relevant bytes using content matches without using buffers?
This is my understanding. I could be wrong :/
regards...
Re: Hi all! (and a snort sig question) Snort User via Snort-sigs (Oct 10)
Hi Rob
At this point of inspection, the payload is handled by the SSL inspector,
and not by the HTTP inspector. So, we cannot use the HTTP buffers.
So, is it possible for you to match on the relevant bytes using content
matches without using buffers?
This is my understanding. I could be wrong :/
regards
Snort capturing traffic from the entire network instead of just the IP Assigned NTWIGA MURITHI via Snort-sigs (Oct 10)
Goodmorning,
I downloaded the registered rules. And configured snort.lua IP using the
following
HOME_NET = '10.2.60.134'
EXTERNAL_NET = '!$HOME_NET'
The problem is snort is capturing all the traffic from other IPs when i run
this command
sudo snort -c /usr/local/etc/snort/snort.lua -i eth0 -A alert_fast
--plugin-path "/usr/local/etc/so_rules/"
10/02-03:52:40.597213 [**] [116:414:1] "(ipv4) IPv4 packet to...
Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 10)
Cool, will do
If I browse to an IP address, there is never an SNI (since there’s no “server name” to put there). Confirmed this with
a PCAP.
So my thought was to write a sig that looks for an null SNI value, my current best gues would be this one, which should
look for an FQDN in the SNI field, and if there’s no dot (which there should be) then trigger the alert.
https_raw_url.host:!”.”
content:!"."; \...
Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 10)
Ah, I thought that since the Hello packets are unencrypted that snort would still inspect at least those
I do not have decrypt turned on (given historic Cisco Firepower+Snort issues), but I think I can convince one of my
clients to give it a try now that they have new hardware and new code.
Do either of those two latest signatures that I’m trying look OK though?
==============
Rob VandenBrink
519-589-1881
From: Snort User <snort.user ()...
Re: Hi all! (and a snort sig question) Snort User via Snort-sigs (Oct 09)
I don't think so. I would definitely use *ssl_state:client_hello; *and then
look to match the SNI portion of the SSL client hello packet and then try
matching the dotted quad pattern.
But as you are doing, the best way is to try out your sig against a pcap
Re: Hi all! (and a snort sig question) Snort User via Snort-sigs (Oct 09)
Hi Rob,
For your signature to detect any HTTP artifact, snort would have to inspect
SSL decrypted payload. In your case, I believe you have snort inspecting
HTTPS, right?
If you have some sort of set up where the HTTPS traffic is intercepted and
then snort gets to inspect it, then the case is different.
Thanks
Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 08)
Got it narrowed down now to:
"look for a dot in the sni field, and fire if it's not there"
content:!"."; \
http_raw_uri:host; \
ssl_state:client_hello; \
or, look for the string "SNI" in the client hello (I realize that this likely isn't there, I'll need to dig for bitmaps
for this I think)
content:!"SNI"; \
http_raw_uri; \
ssl_state:client_hello; \
Anyway, neither...
Snort Subscriber Rules Update 2024-10-08 Research via Snort-sigs (Oct 08)
Talos Snort Subscriber Rules Update
Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.
Details:
Microsoft Vulnerability CVE-2024-43502:
A coding deficiency exists in Microsoft Windows Kernel that may lead to
an escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with:
Snort 2: GID 1, SIDs 64083 through 64084,
Snort 3: GID 1, SID...
Re: Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 07)
Looking closer at the packets, there's (of course) no SNI field when browsing by IP
Trying a different approach now
From: Snort-sigs <snort-sigs-bounces () lists snort org> On Behalf Of Rob Vandenbrink via Snort-sigs
Sent: Thursday, October 3, 2024 5:45 PM
To: snort-sigs () lists snort org
Subject: [Snort-sigs] Hi all! (and a snort sig question)
Hi everyone - long time snort user / new to this list though
I'm trying to build a...
Hi all! (and a snort sig question) Rob Vandenbrink via Snort-sigs (Oct 04)
Hi everyone - long time snort user / new to this list though
I'm trying to build a signature that triggers on a user browsing by IP address (instead of by fqdn or cn).
So it would be fine with "https://www.cisco.com"; but trigger on "https://23.56.210.155"; (or whatever cisco resolves to
that day)
So far I have this:
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( \
msg:"BROWSER OTHER alert on direct ip...
Snort Subscriber Rules Update 2024-10-03 Research via Snort-sigs (Oct 03)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the malware-cnc,
malware-other and server-webapp rule sets to provide coverage for
emerging threats from these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Snort Subscriber Rules Update 2024-10-01 Research via Snort-sigs (Oct 01)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the file-pdf,
malware-cnc and server-webapp rule sets to provide coverage for
emerging threats from these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
More Lists
We also maintain archives for these lists (some are currently inactive):
- Declan McCullagh's Politech
- TCPDump/LibPCAP Dev
- Security Incidents
- Vulnerability Development
- Vulnerability Watch
Related Resources
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.