SANS Internet Storm Center, InfoCON: green: telnetd rulez: Cisco Ironport WSA Telnetd Remote Code Execution Vulnerability, (Wed, Oct 22nd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Glafkos sent us his vulnerability advisory for a remote code execution vuln he'd identified and reported in Cisco's Ironport WSA telnetd.

Vendor: Cisco
Product web page:
Affected version: Cisco Ironport WSA – AsyncOS 8.0.5 for Web build 075
Date: 22/05/2014
Credits: Glafkos Charalambous
CVE: CVE-2011-4862
CVSS Score: 7.6
Impact: Unauthenticated Remote Code Execution with elevated privileges
Description: The Cisco Ironport WSA virtual appliances are vulnerable to an old FreeBSD telnetd encryption Key ID buffer overflow which allows remote attackers to execute arbitrary code (CVE-2011-4862).
Cisco WSA Virtual appliances have the vulnerable telnetd daemon enabled by default.


Nice work by Glafkos, but what you can't see is me shaking my head. *sigh*
I'll repeat the facepalm-inspiring statement again: Cisco WSA Virtual appliances have the vulnerable telnetd daemon enabled by default.
Still, with the telnets? And on by default?
From the related FreeBSD advisory:
"The FreeBSD telnet daemon, telnetd(8), implements the server side of the TELNET virtual terminal protocol. It has been disabled by default in FreeBSD since August 2001, and due to the lack of cryptographic security in the TELNET protocol, it is strongly recommended that the SSH protocol be used instead."

Trying…
Connected to
Escape character is '^]'.

@holisticinfosec

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: Photographer Who Sued Imgur Now Has a Pirate Bay Problem

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

When it comes to online piracy most attention usually goes to music, TV shows and movies. However, photos are arguably the most-infringed works online.

Virtually every person on the Internet has shared a photo without obtaining permission from its maker, whether through social networks, blogs or other services.

While most photographers spend little time on combating piracy, Seattle-based artist Christopher Boffoli has taken some of the largest web services to court for aiding these infringements.

Boffoli has filed lawsuits against Twitter, Google and others, which were settled out for court under undisclosed terms. Last month he started a new case against popular image sharing site Imgur after it allegedly ignored his takedown requests.

The photographer asked the court to order an injunction preventing Imgur from making 73 of his photos available online. In addition, he requested millions of dollars in statutory damages for willful copyright infringement.

Imgur has yet to file an official reply to the complaint. In the meantime, however, Boffoli’s actions appear to have triggered another less welcome response.

A few days ago a user of The Pirate Bay decided to upload a rather large archive of the photographer’s work to the site. The archive in question is said to hold 20,754 images, including the most famous “Big Appetites” series.

A torrent with 20,754 images

The image archive, which is more than eight gigabytes in size, had to be partly wrapped in an .iso file because otherwise the .torrent file itself would have been too large.

The description of the archive mentions Boffoli’s recent actions against Imgur, which could have triggered the upload. One of the commenters points out that the Imgur lawsuit may have done more harm than good, and a new Internet meme was born.

“Sued for 73 images, got 20,754 uploaded to TPB, LOL. About the Big Appetites series, if I ever get my hands on a copy, I’ll scan it at 600 dpi and upload it here, have fun trying to censor the internet, Boffoli,” the commenter notes.

TorrentFreak asked Boffoli for a comment on the leak and whether he will take steps to prevent the distribution, but we have yet to hear back.

While not everyone may agree with the lawsuit against Imgur, piracy can impact photographers quite a bit. It's usually not the average Pirate Bay user that's causing the damage though, but rather companies that use professional photos commercially without a license.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Darknet - The Darkside: Pipal – Password Analyzer Tool

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

Pipal is a password analyzer tool that can rapidly parse large lists of password and output stats on the contents. Pipal will provide you with stats on things like the most frequently used password, password lengths, dates (months/days/years) or numbers used, the most common base words and much more. It also makes recommendations based on…

Read the full post at

[$] Where to store your encrypted data

This post was syndicated from: and was written by: jake. Original post: at

In a talk entitled "Lies, Damned Lies, and Remotely Hosted Encrypted Data", Kolab Systems CEO Georg Greve outlined the thinking and investigation that the company did before deciding on where to store its customers' encrypted data. The talk, which was given at LinuxCon in Düsseldorf, Germany, looked at various decisions that need to be made when determining where and how to store data on the internet. It comes down to a number of factors, including the legal framework of the country in question and physical security for the systems storing the data.

Security advisories for Wednesday

This post was syndicated from: and was written by: ris. Original post: at

CentOS has updated libxml2 (C7: denial of service), qemu-kvm (C7: information leak), rsyslog (C5: denial of service), and wireshark (C7; C5: multiple vulnerabilities).

Fedora has updated bugzilla (F20; F19: multiple vulnerabilities), java-1.8.0-openjdk (F19: multiple vulnerabilities), and perl-Mojolicious (F20; F19: parameter injection attack).

openSUSE has updated getmail (13.1, 12.3: multiple vulnerabilities) and wpa_supplicant (13.1; 12.3: command execution).

Oracle has updated kernel (OL6: multiple vulnerabilities), rsyslog (OL6: denial of service), rsyslog7 (OL6: denial of service), and wireshark (OL7; OL6: multiple vulnerabilities).

Red Hat has updated wireshark (RHEL6,7; RHEL5: multiple vulnerabilities).

TorrentFreak: U.S. Government Shuts Down Music Sharing Sites

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

During the spring of 2010, U.S. authorities started a campaign to take copyright-infringing websites offline.

Since then Operation in Our Sites has resulted in thousands of domain name seizures and several arrests. While most of the sites are linked to counterfeit goods, dozens of “pirate” sites have also been targeted.

After a period of relative calm the authorities appear to have restarted their efforts with the takedown of two large music sites. and, which are connected, now display familiar banners in which ICE takes credit for their demise.

“This domain has been seized by ICE- Homeland Security Investigations, pursuant to a seizure warrant issued by a United States District Court under the authority of 18 U.S.C. §§ 981 and 2323,” the banner reads.

TorrentFreak contacted ICE yesterday for a comment on the recent activity but we have yet to receive a response.

The domain names are now pointing to the same IP-address where many of the previously seized websites, such as and, are directed. Both domain names previously used Cloudflare and had their NS entries updated earlier this week.

Despite the apparent trouble, and’s Twitter and Facebook pages have remained silent for days.

RockDizMusic presented itself as an index of popular new music. Artists were encouraged to use the site to promote their work, but the site also featured music being shared without permission, including pre-release tracks.

RockDizFile used a more classic file-hosting look, but with a 50MB limit it was mostly used for music. The site offered premium accounts to add storage space and remove filesize and bandwidth limitations.

Both websites appear to have a strong focus on rap and hip-hop music. This is in line with previous ICE seizures which targeted,, and

The latter was seized by mistake. The record labels failed to deliver proof of alleged infringements to the authorities and after a long appeal the domain was eventually returned to its owners.

This incident and the general lack of due process of ICE’s domain seizures has led to critique from lawmakers and legal scholars. The authorities are nevertheless determined to keep Operation in Our Sites going.

“Operation In Our Sites’ enforcement actions involve federal law enforcement investigating and developing evidence to obtain seizure warrants from federal judges,” ICE states on its website.

Once a credible lead comes in ICE says it “will work with the U.S. Department of Justice to prosecute, convict, and punish individuals as well as seize website domain names, profits, and other property from IP thieves.”

At this point it’s unclear whether ICE has targeted any of the individuals connected to and or whether the unit has taken down any other sites in a similar fashion.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Delian's Tech blog: My perl-cwmp patches are merged

This post was syndicated from: Delian's Tech blog and was written by: Delian Delchev. Original post: at Delian's Tech blog

I've used perl-cwmp here and there. It is a nice, really small, light and simple TR-069 ACS, with a very easy install and no heavy requirements. You can read the whole code in a few minutes and make your own modifications. I am using it in a lot of small "special" cases, where you need something fast and specific, or a very complex workflow that cannot be implemented by any other ACS server.
However, this project has been stalled for a while. I've found that a lot of modern TR-069/CWMP agents do not work well with perl-cwmp.
There are quite a few reasons behind those problems:
- Some of the agents are very strict: they expect the SOAP message to be formatted in a specific way, not the way perl-cwmp does it
- Some of the agents are compiled with a not-so-smart static expansion of the CWMP XSD file. That means they expect the type specification in the SOAP message and strict ordering
perl-cwmp does not "compile" the CWMP XSD and does not send strict requests nor interpret the responses strictly. It does not automatically set the correct property type in the request according to the spec, because it never reads the spec. It always assumes that the property type is a string.
To allow perl-cwmp to be fixed and adjusted to work with those types of TR-069 agents I've made a few modifications to the code, and I am happy to announce they have been accepted and merged into the main code:
The first modification is that I've updated the SOAP header according to the current standard. It was incorrectly set, and many TR-069 devices I have tested (basically all that work with the Broadcom TR-069 client) rejected the request.
The second modification is that all the properties may now have a specified type. Unless you specify the type it is always assumed to be a string. That will allow the ACS to set property values on agents that do a strict type check.
InternetGatewayDevice.ManagementServer.PeriodicInformInterval: #xsd:unsignedInt#60
The #…# specifies the type of the property. In the example above, we are setting the unsignedInt value 60 on PeriodicInformInterval.
You can also set the value of a property by reading the value of another property.
For that you use ${ property name }.
Here is an example of how to set the PPP password to the value of the Serial Number:
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.Password: ${InternetGatewayDevice.DeviceInfo.SerialNumber}
And last but not least: now you can execute a small piece of code, or an external script, and set the value of a property to the output of that code. You do that with $[ code ].
Here is an example of how to set a random value for the PeriodicInformInterval:

InternetGatewayDevice.ManagementServer.PeriodicInformInterval: #xsd:unsignedInt#$[60 + int(rand(100))]

Here is another example, executing an external script that makes this decision:
InternetGatewayDevice.ManagementServer.PeriodicInformInterval: #xsd:unsignedInt#$[ `./ ${InternetGatewayDevice.LANDevice.1.LANEthernetInterfaceConfig.1.MACAddress} ${InternetGatewayDevice.DeviceInfo.SerialNumber}` ]
The last modification I've made is to allow perl-cwmp to "fork" a new process when a TR-069 request arrives. It was single-threaded code, which meant the agents had to wait until the previous task was completed. However, if the TCP listening queue is full, or the ACS is very busy, some of the agents will assume there is no response and time out. You may then have to wait 24h (the default periodic inform interval for some vendors) until you get the next request. Now that can be avoided.
All this is very valuable for dynamic and automated configurations without modifying the core code, just the configuration file.
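As an added illustration (in Python, not perl-cwmp's own Perl code), the value syntax described above can be resolved in three steps: strip the #xsd:type# tag, expand ${ property } references from the values the device reported, and hand a $[ code ] body to an evaluator. Because ${ } references inside a $[ ] block end up inside a shell command in the second example, this resolver restricts device-reported values to a safe character set before they are substituted there; the character set, the property names and the run_code hook are assumptions of this example.

```python
import re

# "#xsd:unsignedInt#60" -> type tag and payload; no tag means xsd:string
TYPE_RE = re.compile(r"^#(?P<type>xsd:\w+)#(?P<rest>.*)$", re.S)
# "${ InternetGatewayDevice.DeviceInfo.SerialNumber }" reference, spaces allowed
REF_RE = re.compile(r"\$\{\s*([A-Za-z0-9_.]+)\s*\}")
# "$[ ... ]" code block wrapping the whole payload
CODE_RE = re.compile(r"^\s*\$\[(?P<code>.*)\]\s*$", re.S)
# Characters a device-reported value may contain before it is interpolated
# into a $[ ] block (assumed policy; serial numbers and MACs fit this set)
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._:-]*$")
UNSIGNED_INT_MAX = 2**32 - 1


def split_type(raw):
    """Return (xsd type, payload) for a configuration value."""
    m = TYPE_RE.match(raw)
    if m:
        return m.group("type"), m.group("rest")
    return "xsd:string", raw


def expand_refs(text, device, strict):
    """Replace ${ property } with the value the device reported for it.

    device: dict mapping full property names to the values received from
    the CPE (constructed in the tests). With strict=True, values that could
    alter a shell command or Perl expression are rejected.
    """
    def substitute(m):
        name = m.group(1)
        if name not in device:
            raise KeyError(f"unknown property {name}")
        value = str(device[name])
        if strict and not SAFE_VALUE.match(value):
            raise ValueError(f"refusing to interpolate {name}={value!r} into code")
        return value
    return REF_RE.sub(substitute, text)


def resolve(raw, device, run_code=None):
    """Resolve one 'Property: value' right-hand side to (type, value).

    run_code(body) evaluates a $[ ] body and returns its result; it is a
    hook supplied by the caller (perl-cwmp would eval Perl here). Leaving it
    None disables code blocks entirely.
    """
    typ, text = split_type(raw)
    code = CODE_RE.match(text)
    if code:
        if run_code is None:
            raise ValueError("$[ ] blocks are disabled")
        body = expand_refs(code.group("code"), device, strict=True)
        value = str(run_code(body))
    else:
        value = expand_refs(text, device, strict=False)
    # Type check what will be sent in the SetParameterValues request
    if typ == "xsd:unsignedInt" and not (value.isdigit() and int(value) <= UNSIGNED_INT_MAX):
        raise ValueError(f"{value!r} is not a valid {typ}")
    return typ, value
```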

Linux How-Tos and Linux Tutorials: 5 Deadly Linux Commands You Should Never Run

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Libby Clark. Original post: at Linux How-Tos and Linux Tutorials

As a Linux user, you probably have searched online for articles and tutorials that show you how to use the terminal to run some commands. While most of these commands are harmless and could help you become more productive, there are some commands that are deadly and could wipe out your whole machine.

In this article, let’s check out some of the deadly Linux commands that you should never run.

Read more at The Epoch Times.

Krebs on Security: Google Accounts Now Support Security Keys

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

People who use Gmail and other Google services now have an extra layer of security available when logging into Google accounts. The company today incorporated into these services the open Universal 2nd Factor (U2F) standard, a physical USB-based second factor sign-in component that only works after verifying the login site is truly a Google site.

A $17 U2F device made by Yubikey.

The U2F standard (PDF) is a product of the FIDO (Fast IDentity Online) Alliance, an industry consortium that’s been working to come up with specifications that support a range of more robust authentication technologies, including biometric identifiers and USB security tokens.

The approach announced by Google today essentially offers a more secure way of using the company’s 2-step authentication process. For several years, Google has offered an approach that it calls “2-step verification,” which sends a one-time pass code to the user’s mobile or land line phone.

2-step verification makes it so that even if thieves manage to steal your password, they still need access to your mobile or land line phone if they’re trying to log in with your credentials from a device that Google has not previously seen associated with your account. As Google notes in a support document, security key “offers better protection against this kind of attack, because it uses cryptography instead of verification codes and automatically works only with the website it’s supposed to work with.”

Unlike a one-time token approach, the security key does not rely on mobile phones (so no batteries needed), but the downside is that it doesn’t work for mobile-only users because it requires a USB port. Also, the security key doesn’t work for Google properties on anything other than Chrome.
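To show why the security key "automatically works only with the website it's supposed to work with", here is an added Python sketch of the U2F authentication flow (not Google's or the FIDO Alliance's code): the browser refuses to use a site's appId from a foreign origin, and the token signs over the appId hash, a user-presence byte, a counter and the hash of the client data (which records the origin and challenge), so a relying party can reject any other origin, a wrong challenge, or a replayed counter. HMAC stands in for the real ECDSA signature and the appId, origins and key are constructed for the example.

```python
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse

APP_ID = "https://accounts.example.com"     # constructed relying-party appId
EXPECTED_ORIGIN = APP_ID                    # the only origin the RP serves logins from
TOKEN_KEY = b"constructed-per-site-secret"  # stands in for the token's per-site private key


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def browser_allows(app_id: str, origin: str) -> bool:
    """Simplified facet check: the requesting page must live on the appId's host."""
    return urlparse(app_id).hostname == urlparse(origin).hostname


def client_data(challenge: str, origin: str) -> bytes:
    """ClientData JSON the browser hashes into the challenge parameter."""
    fields = {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def signature_base(app_id: str, cd: bytes, counter: int, user_presence: int = 1) -> bytes:
    """U2F authentication response layout: appParam || UP byte || 4-byte counter || challengeParam."""
    return sha256(app_id.encode()) + bytes([user_presence]) + struct.pack(">I", counter) + sha256(cd)


def token_sign(app_id: str, cd: bytes, counter: int) -> bytes:
    """Toy signature: HMAC-SHA256 stands in for ECDSA P-256 (assumption, not real U2F)."""
    return hmac.new(TOKEN_KEY, signature_base(app_id, cd, counter), hashlib.sha256).digest()


def authenticate(origin: str, challenge: str, counter: int):
    """Browser side: refuse unless origin is a facet of the appId, else return (clientData, counter, sig)."""
    if not browser_allows(APP_ID, origin):
        return None
    cd = client_data(challenge, origin)
    return cd, counter, token_sign(APP_ID, cd, counter)


def rp_verify(challenge: str, response, last_counter: int) -> bool:
    """Relying party: check origin, challenge and counter, then the signature over app and challenge params."""
    if response is None:
        return False
    cd, counter, sig = response
    fields = json.loads(cd)
    if fields.get("origin") != EXPECTED_ORIGIN or fields.get("challenge") != challenge:
        return False
    if counter <= last_counter:  # a replayed or cloned-token response reuses an old counter
        return False
    expected = hmac.new(TOKEN_KEY, signature_base(APP_ID, cd, counter), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)
```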

The move comes a day after Apple launched its Apple Pay platform, a wireless payment system that takes advantage of the near-field communication (NFC) technology built into the new iPhone 6, which allows users to pay for stuff at participating merchants merely by tapping the phone on the store’s payment terminal.

I find it remarkable that Google, Apple and other major tech companies continue to offer more secure and robust authentication options than are currently available to consumers by their financial institutions. I, for one, will be glad to see Apple, Google or any other legitimate player give the entire mag-stripe based payment infrastructure a run for its money. They could hardly do worse.

Soon enough, government Web sites may also offer consumers more authentication options than many financial sites. An Executive Order announced last Friday by The White House requires the National Security Council Staff, the Office of Science and Technology Policy and the Office of Management and Budget (OMB) to submit a plan to ensure that all agencies making personal data accessible to citizens through digital applications implement multiple layers of identity assurance, including multi-factor authentication. Verizon Enterprise has a good post with additional details of this announcement.

Raspberry Pi: Eben at Techcrunch Disrupt

This post was syndicated from: Raspberry Pi and was written by: Liz Upton. Original post: at Raspberry Pi

Eben was speaking at TechCrunch Disrupt in London yesterday, where he had a display board and HAT to show off, and some other bits of news. You’ll get to see a PiTop (a laptop kit that’s currently going great guns on Indiegogo), be tantalised with some details about the A+, and learn about what we think is important if you’re growing a hardware business: enjoy!


TorrentFreak: Australians Face ‘Fines’ For Downloading Pirate Movies

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Much to the disappointment of owner Voltage Pictures, early January 2013 a restricted ‘DVD Screener’ copy of the hit movie Dallas Buyers Club leaked online. The movie was quickly downloaded by tens of thousands but barely a month later, Voltage was plotting revenge.

In a lawsuit filed in the Southern District of Texas, Voltage sought to identify illegal downloaders of the movie by providing the IP addresses of Internet subscribers to the court. Their aim – to scare those individuals into making cash settlements to make supposed lawsuits disappear.

Now, in the most significant development of the 'trolling' model in recent times, Dallas Buyers Club LLC are trying to expand their project into Australia. Interestingly, the studio has chosen to take on subscribers of the one ISP that was absolutely guaranteed to put up a fight.

iiNet is Australia’s second largest ISP and the country’s leading expert when it comes to fighting off aggressive rightsholders. In 2012 the ISP defeated Hollywood in one of the longest piracy battles ever seen and the company says it will defend its subscribers in this case too.

Chief Regulatory Officer Steve Dalby says that Dallas Buyers Club LLC (DBCLLC) recently applied to the Federal Court to have iiNet and other local ISPs reveal the identities of people they say have downloaded and/or shared their movie without permission.

According to court documents seen by TorrentFreak the other ISPs involved are Wideband Networks Pty Ltd, Internode Pty Ltd, Dodo Services Pty Ltd, Amnet Broadband Pty Ltd and Adam Internet Pty Ltd.

Although the stance of the other ISPs hasn’t yet been made public, DBCLLC aren’t going to get an easy ride. iiNet (which also owns Internode and Adam) says it will oppose the application for discovery.

“iiNet would never disclose customer details to a third party, such as movie studio, unless ordered to do so by a court. We take seriously both our customers’ privacy and our legal obligations,” Dalby says.

While underlining that the company does not condone copyright infringement, news of Dallas Buyers Club / Voltage Pictures’ modus operandi has evidently reached iiNet, and the ISP is ready for them.

“It might seem reasonable for a movie studio to ask us for the identity of those they suspect are infringing their copyright. Yet, this would only make sense if the movie studio intended to use this information fairly, including to allow the alleged infringer their day in court, in order to argue their case,” Dalby says.

“In this case, we have serious concerns about Dallas Buyers Club’s intentions. We are concerned that our customers will be unfairly targeted to settle any claims out of court using a practice called ‘speculative invoicing’.”

The term ‘speculative invoicing’ was coined in the UK in response to the activities of companies including the now defunct ACS:Law, which involved extracting cash settlements from alleged infringers (via mailed ‘invoices’) and deterring them from having their say in court. Once the scheme was opened up to legal scrutiny it completely fell apart.

Some of the flaws found to exist in both UK and US ‘troll’ cases are cited by iiNet, including intimidation of subscribers via excessive claims for damages. The ISP also details the limitations of IP address-based evidence when it comes to identifying infringers due to shared household connections and open wifi scenarios.

“Because Australian courts have not tested these cases, any threat by rights holders, premised on the outcome of a successful copyright infringement action, would be speculative,” Dalby adds.

The Chief Regulatory Officer says that since iiNet has opposed the action for discovery the Federal Court will now be asked to decide whether iiNet should hand over subscriber identities to DBCLLC. A hearing on that matter is expected early next year and it will be an important event.

While a win for iiNet would mean a setback for rightsholders plotting similar action, victory for DBCLLC will almost certainly lead to others following in their footsteps. For an idea of what Australians could face in this latter scenario, in the United States the company demands payment of up to US$7,000 (AUS$8,000) per infringement.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Toool's Blackbag: Lever Locks

This post was syndicated from: Toool's Blackbag and was written by: Walter Belgers. Original post: at Toool's Blackbag

At the Toool evening, we had a visit of Maurice and Sander from Having 20 years of experience opening safe locks, Maurice has created a lovely collection of lever locks. All locks have been given a plexiglass shield so you can see the inner working.

Among it are some interesting ones, like one from a church, with letters on the wheel and a nice rekeyable lock.


And here’s some more.

Thanks Maurice and Sander!

SANS Internet Storm Center, InfoCON: green: ISC StormCast for Wednesday, October 22nd 2014, (Wed, Oct 22nd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Higgs Boson

This post was syndicated from: and was written by: Original post: at

'Can't you just use the LHC you already built to find it again?' 'We MAY have disassembled it to build a death ray.' 'Just one, though.' 'Nothing you should worry about.' 'The death isn't even very serious.'

GattaNegra's days: The power... only flickered today

This post was syndicated from: GattaNegra's days and was written by: GattaNegra. Original post: at GattaNegra's days

Today at 1:42 we had the good fortune that the power went out for only about 3 minutes. I had just finished listening to the voice menu when it came back.

SANS Internet Storm Center, InfoCON: green: CVE-2014-6352 – Microsoft posts bulletin and quick “fix-it” . Look for a permanent fix in a future patch., (Tue, Oct 21st)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

=============== Rob VandenBrink Metafore

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

[$] The future of the realtime patch set

This post was syndicated from: and was written by: jake. Original post: at

[Image: Thomas Gleixner]

In a followup to last year's report on the future of realtime Linux, Thomas Gleixner once again summarized the status of the long-running patch set. The intervening year did not result in the industry stepping up to fund further work, which led Gleixner to declare that realtime Linux is now just his hobby. That means new releases will be done as his time allows and may eventually lead to dropping the patch set altogether if the widening gap between mainline and realtime grows too large.

Subscribers can click below for the full report of Gleixner's talk at this year's Linux Plumbers Conference.

TorrentFreak: Retired Scene Groups Return to Honor Fallen Member

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

To many people the Warez Scene is something mythical, or at least hard to comprehend: a group of people at the top of the piracy pyramid.

The Scene is known for its aversion to public file-sharing, but nonetheless it’s in large part responsible for much of the material out there today.

The goal of most Scene groups is to be the first to release a certain title, whether that’s a film, music or software. While there is some healthy competition The Scene is also a place where lifelong friendships are started.

A few days ago, on October 17, the Scene lost Goolum, a well-respected member and friend. Only in his late thirties, he passed away after being part of the Scene for more than a decade.

As a cracker Goolum, also known as GLM, was one of the more experienced reverse engineers and worked on numerous releases.

Through the years Goolum was connected to several groups which are now retired, some for more than a decade. To honor their fallen friend, the groups ZENiTH, Lz0, SLT and MiDNiGHT have made a one-time comeback.

Below is an overview of their farewell messages, which honor him for his cracking skills but most of all as a friend. Our thoughts go out to Goolum’s friends and family.


ZENiTH, a group that retired around 2005, mentions Goolum’s loyalty and the love for his daughter.

“Goolum has been in and around the scene since the Amiga days but had never been a guy to jump from group to group, but stayed loyal and dedicated to the few groups he was involved in.”

"We are all proud to have been in a group with you, to have spent many a long night sharing knowledge about everything, learning about your daughter who you were very proud of, and all the projects you were involved in."

ZENiTH’s in memoriam

Lz0: CEI.Inc.EnSight.Gold.v10.1.1b.Incl.Keygen.RIP.GOOLUM-Lz0 (NFO)

Lz0, or LineZer0, split from the Scene last year but many of its members are still actively involved in other roles. The group mentions the hard time Goolum has had due to drug problems. Lz0 also highlights Goolum's love for his daughter, and how proud he was of her.

“We all knew that he struggled in life – not just economical but also on a personal level and not the least with his drug issues. One of the things that kept him going was his wonderful daughter whom he cherished a lot. He often talked about her, and how proud of her he was. He was clear that if there was one thing in life he was proud of – it was that he became the dad of a wonderful girl.”

“We’re shocked that when finally things started to move in the right direction, that we would receive the news about his death. It came without warning and we can only imagine the shock of his family. It’s hard to find the right words – or words for that matter. Even though it might have appeared as that he was lonely – with few friends, he knew that we were just a keyboard away.”

Lz0's in memoriam


SLT or SOLiTUDE has been retired since 2000 but returns to remember Goolum. The group notes that he will be dearly missed.

“You will be missed. It is not easy to say goodbye to someone who you have known for over a decade, trading banter, laughs, advice and stories. You leave behind a daughter, a family and a group of friends, who will miss you dearly.”

"As the news has spread, the kind words have poured in. Solitude is releasing this in honor of you, to show that the values we founded the group on are the exact values you demonstrated through your decades of being in the scene. Loyalty, friendship and hard work. Our thoughts are with you, wherever you may be."

SLT’s in memoriam


MiDNiGHT hasn't been active for nearly a decade but has also honored Goolum with a comeback. The group mentions that he was a great friend who was always up for a chat and a beer.

“Life won’t ever be the same again my friend. We could sit and chat for hours and hours, and even then we knew each other well enough that nothing more was required than a beer, a rant and a small *yarr* and we’d know it would all be good.”

“This time it’s not good mate. I am here, you are not. I can’t even begin to express how this makes me feel – except an absolute sadness.”

MiDNiGHT’s in memoriam

RIP Goolum 1977 – 2014

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Tuesday's security updates

This post was syndicated from: and was written by: ris. Original post: at

Debian has updated mysql-5.5 (multiple vulnerabilities).

Mandriva has updated bugzilla (multiple vulnerabilities), kernel (multiple vulnerabilities), mediawiki (cross-site scripting), perl (denial of service), python (buffer overflow), and rsyslog (two vulnerabilities).

Oracle has updated qemu-kvm (OL7: information leak) and rsyslog5 (OL5: denial of service).

Red Hat has updated qemu-kvm (RHEL7: information leak) and rsyslog (RHEL5,6: denial of service).

Scientific Linux has updated qemu-kvm (SL7: information leak).

Slackware has updated openssh (SSHFP-checking disabled).

SANS Internet Storm Center, InfoCON: green: CSAM Month of False Positives: Ghosts in the Pentest Report, (Tue, Oct 21st)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

As part of most vulnerability assessments and penetration tests against a website, we almost always run some kind of scanner. Burp (commercial) and ZAP (free from OWASP) are two commonly used scanners. Once you've done a few website assessments, you start to get a feel for which pages and fields are likely candidates for exploit. But especially if it's a vulnerability assessment, where you're trying to cover as many issues as possible (and exploits might even be out of scope), it's always a safe bet to run a scanner to see what other issues might be in play.

All too often, we see people take these results as-is and submit them as the actual report. The HUGE problem with this is false positives and false negatives.

False negatives are issues that are real, but are not found by your scanner. For instance, Burp and ZAP aren't the best tools for pointing a big red arrow at software version issues, such as vulnerable versions of WordPress or WordPress plugins. You might want to use WPSCAN for something like that. Or if you go to the login page, a view source will often give you what you need.

Issues with the certificates will also go unnoticed by a dedicated web scanner; NIKTO or WIKTO are good choices for that. Or better yet, you can use openssl to pull the raw cert, or just view it in your browser.

(If you're noticing that much of what the cool tools do is possible with some judicious use of your browser, that's exactly what I'm pointing out!)

NMAP is another great tool to use for catching what a web scanner might miss. For instance, if you've got a Struts admin page or hypervisor login on the same IP as your target website, but on a different port than the website, NMAP is the go-to tool. Similarly, lots of basic site assessment can be done with the NMAP --version parameters, and the NSE scripts bundled with NMAP are a treasure trove as well! (Check out Manuel's excellent series on NMAP scripts.)

False positives are just as bad: the tool indicates a vulnerability where there is none. If you include blatant false positives in your report, you'll find that the entire report will end up in the trash can, along with your reputation with that client! A few false positives that I commonly see are SQL Injection and OS Command Injection.

SQL Injection is a vulnerability where, from the web interface, you can interact with and get information from a SQL database that's behind the website, often dumping entire tables.

Website assessment tools (Burp in this case, but many other tools use similar methods) commonly test for SQL Injection by injecting a SQL `waitfor delay '0:0:20'` command. If this takes a significantly longer time to complete than the basic statement, then Burp will mark this as "Firm" for certainty. Needless to say, I often see this turn up as a false positive. What you'll find is that Burp generally runs multiple threads (10 by default) during a scan, so it can really run up the CPU on a website, especially if the site is mainly parametric (where pages are generated on the fly from database input during a session). Also, if a site's error handling routines take longer than they should, you'll see this get thrown off.

So, how should we test to verify this initial/preliminary finding? First of all, Burp's test isn't half bad on a lot of sites. Testing Burp's injection with curl or a browser after the scanning is complete will sometimes show that the SQL injection is real. Test multiple times, so that you can show consistent and appropriate delays for values of 10, 30, 60 and 120 seconds.

If that fails (for instance if they all delay 10 seconds, or maybe show no appreciable delay at all), don't despair: SQLMAP tests much more thoroughly, and should be part of your toolkit anyway, so try that. Or test manually; after a few websites you'll find that testing manually might be quicker than an exhaustive SQLMAP test (though maybe not as thorough).

If you use multiple methods (and there are a lot of different methods) and still can't verify that SQL injection is in play after that initial scan's finding, quite often this has to go into the false positives section of your report.

OS Command Injection, where you can execute unauthorized operating system commands from the web interface, is another common false positive, and for much the same reason. For this vulnerability, the scanner will often use `ping -c 20` or `ping -n 20`; in other words, the injected command tells the webserver to ping itself, in this case 20 times. On most operating systems this creates a delay of 20 seconds. As in the SQL injection example, you'll find that tests that depend on a predictable delay will often get thrown off if they are executed during a busy scan. Running them after the scan (again, using your browser or curl) is often all you need to do to prove these findings false. Testing other commands, such as pinging or opening an ftp session to a test host on the internet (one that is monitoring for such traffic using tcpdump or syslog), is another good sober-second-thought test, but be aware that if the website you are testing has an egress filter applied to its traffic, a successful injection might not generate the traffic you are hoping for; it'll be blocked at the firewall. If you have out-of-band access to the site being assessed, creating a test file is another good test.
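As an added example (not part of Rob's diary, and not Burp's or SQLMAP's logic), the re-test decision for both timing-based findings above, the `waitfor delay` SQL injection and the `ping -c N` command injection: given a baseline response time and repeated post-scan timings for several requested delays, it decides whether the observed delay tracks the request (confirmed), ignores it (false positive, e.g. always 10 seconds or no delay at all), or is too noisy to call. All timing values are constructed and the helper name is hypothetical.

```python
"""Classify a time-based scanner finding after re-testing it without scan load.
Added example with constructed timing data; no requests are sent here."""
from statistics import mean, pstdev


def classify_timing_finding(baseline, samples, tolerance=0.25, min_runs=3):
    """Return 'confirmed', 'false_positive' or 'inconclusive'.

    baseline: seconds for the unmodified request (no injected delay)
    samples:  {requested_delay_seconds: [observed_response_seconds, ...]}
    tolerance: allowed deviation as a fraction of the requested delay
    """
    if len(samples) < 2 or any(len(r) < min_runs for r in samples.values()):
        return "inconclusive"          # too little data to say anything
    # Time over baseline for every run, keyed by the delay we asked for.
    extra = {d: [r - baseline for r in runs] for d, runs in samples.items()}
    # Confirmed only if EVERY run lands near its requested delay (one busy-server
    # spike must not pass) and longer requests really take longer.
    tracks = all(abs(e - d) <= tolerance * d for d, es in extra.items() for e in es)
    ordered = sorted(extra)
    grows = all(mean(extra[a]) < mean(extra[b]) for a, b in zip(ordered, ordered[1:]))
    if tracks and grows:
        return "confirmed"
    # False positive: the delay ignores the requested value, either no delay at
    # all or the same fixed delay every time (typical of slow error handling).
    flat = [e for es in extra.values() for e in es]
    if max(flat) <= tolerance * min(extra) or pstdev(flat) <= tolerance * mean(flat):
        return "false_positive"
    return "inconclusive"              # noisy: re-test when the site is quieter


if __name__ == "__main__":
    # Constructed re-test data: delays requested for 10, 30 and 60 seconds.
    real = {10: [10.5, 10.3, 10.6], 30: [30.4, 30.5, 30.3], 60: [60.6, 60.4, 60.5]}
    always_ten = {10: [10.4, 10.6, 10.5], 30: [10.5, 10.4, 10.6], 60: [10.5, 10.6, 10.4]}
    print("tracks request:", classify_timing_finding(0.4, real))
    print("always ~10 s:  ", classify_timing_finding(0.4, always_ten))
```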

Other tests can similarly produce false positives. For instance, any test that relies only on service banner grabs can be thrown off easily, either by admins putting a false banner in place, or when site updates patch the packages and services but don't change the initially installed banner.

Long story short, never never never (never) believe the initial finding that your scanning tool gives you. All of the tools discussed are good tools; they should all be in your toolbox and in many cases should be at the top of your go-to list. Whether the tool is open source or closed, free or very expensive, they will all give you false positives, and every finding needs to be verified as either a true or false positive. In fact, you might not want to believe the results from your second tool either, especially if it's testing the same way. Whenever you can, go back to first principles and verify manually. Or, if it's in scope, verify with an actual exploit: there's nothing better than getting a shell to prove that you can get a shell!

For false negatives, you'll also want to have multiple tools and some good manual tests in your arsenal; if one tool misses a vulnerability, you may find that many or all of your tools test for that issue the same way. Often the best way to catch a false negative is to just know how the target service runs, and know how to test for that specific issue manually. If you are new to assessments and penetration tests, false negatives will be much harder to find, and really, no matter how good you are, you'll never know if you got all of them.

If you need to discuss false positives and negatives with a non-technical audience, going to non-technical tools is a good way to make the point. A hammer is a great tool, but while screws are similar to nails, a hammer isn't always the best way to deal with them.

Please use our comment form to tell us about false positives or false negatives that you've found in vulnerability assessments or penetration tests. Keep in mind that usually these aren't an indicator of a bad tool; they're usually just a case of getting a proper parallax view to get a better look at the situation.

Rob VandenBrink

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Emacs 24.4 released

This post was syndicated from: and was written by: corbet. Original post: at

Version 24.4 of the Emacs editor is out. New features this time around
include a built-in web browser (unfortunately named “eww”), better
multi-monitor support, the ability to save and restore the state of frames
and windows, digital signatures on Emacs Lisp packages, access control list
support, and much more. See the NEWS file
for all the details.

Raspberry Pi: ToyCollect. A robot under the sofa.

This post was syndicated from: Raspberry Pi and was written by: Liz Upton. Original post: at Raspberry Pi

On Saturday December 6 (we’re letting you know ahead of time so you’ve got absolutely no excuse for not finishing your build in time), there’s going to be a special event at the Cambridge Raspberry Jam, held at the University of Cambridge’s Institute of Astronomy. Pi Wars is a robot competition: unlike the televised Robot Wars you’ve seen in the past, though, nobody’s robot is going to be destroyed. There are a number of challenges to compete in (none of which involve circular saws, which will please some of you and sadden others), some additional prizes for things like innovation and feature-richness – along with the Jim Darby Prize for Excessive Blinkiness, and more. We’re absurdly excited about it. You can listen to Mike Horne, the organiser of the Cam Jam (and writer of The Raspberry Pi Pod blog, and occasional helper-outer at Pi Towers) explain more about what’ll happen on the day, on this episode of the Raspi Today podcast.


Mike’s expecting people to come from all over the country (it’s amazing how far people travel to come to the Cam Jam – I bumped into friends from Sheffield and from Devon at the last one). It should be a blast. We hope to see you there.

I was thinking about Pi Wars this morning, when an email arrived from Austria, complete with some robot video. Dr Alexander Seewald used a Raspberry Pi and an Arduino to build a tiny little robot, small enough to fit under the sofa, to rummage around and rescue his two-year-old daughter’s lost toys. (I do not have a two-year-old daughter, but I do have cats, who take great delight in hiding things under the sofa. Once, horrifyingly, we found a mummified burger down there. It had been some months since we’d eaten burgers. I could use one of these robots.)

The robot has a Pi camera on the front, with a nice bright LED, so the operator (using a tablet) can see where the bits of LEGO are. The voiceover’s in German, but even if you don’t speak the language you should be able to get a clear idea of what’s going on here.

Dr Seewald has made complete instructions available, so you can make your own ToyCollect robot: there’s everything you need from a parts list to code on his website (in English). It’s a nice, complete project to get you started on building a robot that has some use around the house – let us know if you attempt your own. And see you at Pi Wars!

TorrentFreak: Microsoft: We’ve Always Had Freemium, It’s Called Piracy

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

In recent years the ‘freemium’ business model has gained much traction in many areas from gaming to software services. But while the portmanteau describing the phenomenon is a relatively new addition to our language, the idea behind the business model is not.

In the 1980s, those with access to Bulletin Board Systems would download programs and share them with their friends, all with the full encouragement of the software’s creators. Shareware, as it was known, often encouraged users to send off a snail-mailed registration fee in return for a code to unlock premium features. Although basic, freemium had been born.

Today the concept has gone way beyond those humble roots. The App Store and Google Play are awash with free-to-play games with premium addons, and services such as Spotify and Dropbox offer decent free levels of service to get users onboard and primed to start parting with real cash.

If Joe Public was pressed into a snap judgment, Microsoft would probably be more associated with premium than free, with the company historically charging sizable amounts for its Windows and Office products, for example. However, speaking with CNBC, Microsoft CEO Satya Nadella says that the company has always had an eye on the freemium experience.

The idea, the CEO notes, is to get people on board with a product they find useful. Then, when it becomes clear how users are utilizing the service, options to monetize become available alongside their demands for improved service. He uses the company’s cloud-storage service as an example.

“We want everybody to use OneDrive. And then when you are starting to use it for business, that’s when we want to monetize. So we do not want to have you only start using us when you have a business license or subscription. We want to have you use us when you just want to save any file or any document, any artifact of yours. And then have a natural way for us to monetize as you use more of it in the commercial context,” Nadella explains.

By now millions of people online are familiar with ‘freemium’ in one shape or another but comments from Nadella suggest that while this business model has been leveraged by Microsoft for quite some time, the company had it forced upon them.

“Well, we’ve always had freemium. Sometimes our freemium was called piracy,” Nadella reveals.

“[The] thing that I don’t want us as a company to shy away from is usage first. Because I think if anything, the new competition has taught us that, you know, what matters is do not try to equate revenue and usage day one.”

The ‘piracy is promotion’ angle is something rarely spoken about by company execs, probably for fear of endorsing an illegal activity and validating it in the eyes of piracy proponents. However, by speaking of it alongside ‘freemium’, Microsoft’s CEO appears to have confirmed what many have been saying all along: that getting people on board for free, via piracy if necessary, is one of the first steps on the monetization trail.

Indeed, this belief is held so strongly in some quarters that some insist it is preferable for people to pirate the software of company ‘A’ than to switch to the opposition, whether paid or not.

That said, what Microsoft does not want is people selling pirated copies of its premium products – that kind of ‘promotion’ is never welcome. If people use a free sample of Microsoft products at home, the company isn’t likely to kick down the door. Do the same in a business environment, however, and things aren’t anywhere near as open-minded.

There are no signs that Microsoft is going soft on piracy but as business models change, as they have with Adobe’s Creative Cloud, free tiers attractive to would-be pirates will become more commonplace. And that can only mean one thing for piracy rates.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Linux How-Tos and Linux Tutorials: What is a Good Command-Line Calculator on Linux

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Linux How-Tos and Linux Tutorials. Original post: at Linux How-Tos and Linux Tutorials

Every modern Linux desktop distribution comes with a default GUI-based calculator app. On the other hand, if your workspace is full of terminal windows, and you would rather crunch some numbers within one of those terminals quickly, you are probably looking for a command-line calculator. In this category, GNU bc (short for “basic calculator”) is […]

Read more at Xmodulo

SANS Internet Storm Center, InfoCON: green: ISC StormCast for Tuesday, October 21st 2014, (Tue, Oct 21st)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.