A vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness, known as the attack surface. Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. Other vulnerabilities include security risks, security defects and constructs in programming languages that are difficult to use properly.


Hi All,

We use WatchGuard as our firewall and have Dimension set up for reporting. What is the easiest way to find out and possibly monitor all users that have some form of file transfer, either FTP or web/app based such as Dropbox etc.?

Can this be done / how best to view this info or set this up?

jQuery (JavaScript libraries) is bundled with a number of our software products (WebLogic, a supplier app, a mobile app): quite a number of XSS vulnerabilities were found by our pentester.

One app vendor replied that updating (i.e. patching) or upgrading jQuery may destabilize their app. So are we supposed to wait for these vendors to release their next app release so as to bundle in newer & patched jQuery, or can we get the patches/updates from Oracle & just update/patch it? Or by doing so, will we lose the support of the app vendor?

In the case of WebLogic, jQuery ver 3.2 is bundled. Since both WebLogic & jQuery are from Oracle, is it supported if we just update jQuery (or there's no patch/update, i.e. we just have to upgrade jQuery to ver 3.3 or 3.4)?

Are jQuery vulnerabilities the same as JavaScript vulnerabilities (I read at the Oracle site that jQuery is actually a JavaScript library)?

I recently ran a Nessus scan and have been working through the output. I'm trying to work out how to fix one of the vulnerabilities:

The web server running on the remote host appears to be using Microsoft ASP.NET, and may be affected by a denial of service vulnerability. Requesting a URL containing an MS-DOS device name can cause the webserver to become temporarily unresponsive. An attacker could repeatedly request these URLs, resulting in a denial of service. Additionally, there is speculation that this vulnerability could result in code execution if an attacker with physical access to the machine connects to a serial port.

Use an ISAPI filter to block requests for URLs with MS-DOS device names.

I have been researching how to resolve this but can't find the answer. Do I need to install a Microsoft patch or something? Any help would be appreciated.

The server is running 201r2
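The remediation line in the Nessus output ("use an ISAPI filter to block requests for URLs with MS-DOS device names") describes a check rather than a product setting. As an added example that is not part of the post, Nessus or Microsoft, the following Python shows the logic such a filter (or any reverse proxy or middleware sitting in front of the ASP.NET site) has to implement: decode the path, split it into segments, and reject any segment that Windows would resolve to a device. The reserved-name list, the decoding rules and the sample URLs are assumptions made for the example.

```python
"""Request filter that rejects URLs whose path contains an MS-DOS device name.

Added example, not from the original post, Nessus or Microsoft. The
reserved-name list and the decoding rules are assumptions about what
Windows treats as a device name.
"""
import re
from urllib.parse import unquote

# Names Windows reserves regardless of extension: "aux.aspx" still names the AUX device.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def device_name_in_segment(segment: str):
    """Return the reserved name a single path segment refers to, or None.

    Windows ignores everything after the first '.' or ':' and strips trailing
    spaces and dots, so "con.aspx", "NUL." and "lpt1:" all resolve to a device.
    """
    base = re.split(r"[.:]", segment, maxsplit=1)[0].rstrip(" .").upper()
    return base if base in RESERVED_DEVICE_NAMES else None


def offending_device_name(url: str):
    """Return the first reserved device name found in the URL's path, else None.

    Only the path is inspected; query-string values are left to the application.
    """
    path = url.split("#", 1)[0].split("?", 1)[0]
    # Decode twice so a double-encoded "%2543%254f%254e" is also caught, and treat
    # backslash as a separator because IIS does.
    decoded = unquote(unquote(path)).replace("\\", "/")
    for segment in decoded.split("/"):
        name = device_name_in_segment(segment)
        if name:
            return name
    return None


def should_block(url: str) -> bool:
    """True if the request should get a 400/404 from the filter instead of reaching ASP.NET."""
    return offending_device_name(url) is not None


if __name__ == "__main__":
    # Constructed sample requests: two harmless, four that name a device.
    for u in ["/console.aspx", "/index.aspx?file=CON", "/aux.aspx",
              "/images/CoM1.gif", "/%43%4f%4e", "/docs/NUL./x"]:
        verdict = "BLOCK" if should_block(u) else "allow"
        print(f"{u!r:28} -> {verdict} ({offending_device_name(u)})")
```

Blocking in front of the server only hides the symptom; the filter is a stopgap until the ASP.NET/IIS build on the host is patched, which is the proper fix the scanner is pointing at.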
I have (2) WatchGuard M270s configured in a FireCluster.

Interface 0 is the External interface configured with a /28 block.
Interface 1 is the LAN

We have consumed all of our IPs, so I ordered another /28 block from our datacenter today. As soon as I configure Interface 2 for our new IP block, outbound traffic for the most part ceases to work on our network; however, some things do work, so we'll call it intermittent. As an example, I can ping out to but can't ping. As soon as I disable Interface 2, which is configured for the new IP block, I am able to ping again.

I'm assuming this is because we now have 2 WAN interfaces configured and outbound traffic doesn't know which interface it should be sent out on, but I couldn't be sure. I've made 4 calls to WatchGuard support and nobody can identify the problem. I even had our datacenter issue us a different IP block just to rule out any kind of odd conflict, but the problem persists with the new IP block.

Am I going about this all wrong trying to have 2 IP blocks configured on our WatchGuard? Is the better solution to just order a bigger block of IPs and re-IP everything? I was trying to avoid that hassle by just adding an additional block of IP addresses, but it seems that what I'm trying to do here isn't working.

I would appreciate any advice or input that someone could give on this. Thank you!!

Does a MacBook have the same ports as a Windows computer?
(For example, on Windows port 80 = HTTP, port 443 = SSL, etc.)

And what ports should be closed in a wifi router for better protection?
Two separate businesses using the same domain name have now merged into one.
This is the first time I've run into this and I hope someone could shed some light. We've recently acquired a new client who at one point had two domain controllers: Server 2008 and Server 2012. They moved Server 2012 over to a new location as part of a different business, but kept the same domain name. Server 2008 AD sees the 2012 as a DC; however, 2012 doesn't see 2008 as a DC. They are now on different networks, but were recently configured to tunnel back to corporate to share resources.

What I'm trying to accomplish: Join a 2016 DC to their corporate to decommission 2008.

Error I'm getting when promoting 2016 to a DC: "Active Directory preparation failed. The schema master did not complete a replication cycle after the last reboot."

What I've gathered so far.

Server 2008 - DC - samedomain.local - Corporate Office

At one point was replicating to 2012.
Server 2012 - DC - samedomain.local - Remote Office

No longer replicating from 2008.
Recently a WatchGuard VPN was put in so the two locations could talk and share resources. Different IP schemes, and they don't know about each other.

My question: can I safely remove the 2012 DC from 2008 to stop it attempting replication, and at the same time continue to operate both under the same domain name, but separate?

Remote Office will still use 2012 to authenticate locally until we can sit down and plan out a migration plan several …
Is there a way to emulate threat traffic in a controlled environment? We would then use this information for common use cases. I was thinking of anything along the lines that could include log files that could give an indication of different attack signatures. This method is obviously safer than injecting a virus on a test box and then introducing it to a customer's network. Any suggestions are GREATLY APPRECIATED!
I'm making a comparison of IPS brands that give the most virtual patches for various CVEs for MS (Windows, Outlook, .NET, MS SQL, IIS & MS Office), Oracle (WebLogic, Database, Java, Solaris), Linux (various Linux, esp. RHEL, Ubuntu, Debian, CentOS used in microservices) & a couple of open-source products (e.g. PHP, Apache, Struts, WordPress).

The reason is that it's difficult to get downtime & the lead time to patch can often stretch to almost a year. Currently, Trend Micro claims its Deep Security is endorsed by MS as giving the most virtual patches for MS products.

What about TippingPoint NIDS (acquired by Trend Micro) in terms of its number of virtual patches for the various products above?

What about other products (esp. coverage for Oracle & Linux-related ones)? McAfee, Check Point, Sophos, ...?

Also, continued availability of virtual patches for obsolete versions of software is crucial for us, as we have a long lead time to tech-refresh obsolete software (i.e. the principals/developers don't release patches for it anymore).

There's an argument that ultimately the product patch still needs to be applied? What could be the possible reasons for this? I heard that for NIDS, if PCs got infected/compromised, the attacker could bypass the NIDS & WAF to attack the unpatched endpoint servers. I guess an IPS with an agent inside the endpoint will mitigate this, right?
I have traffic coming from the outside world to a WatchGuard firewall, to a Citrix NetScaler, which goes to an internal ASA firewall and then to the internal network.

Our Citrix NetScaler also has the same certificate (service communication certificate) which is being hosted on our internal ADFS server (Windows Server R2).

We don't have an ADFS proxy server as of now.

Recently we had a password spray attack on our internal ADFS server, and we could not determine the source IP on our internal ADFS server.

I wanted to know the following:

1) I read in articles that Windows Server 2012 R2 has an extranet lockout feature and the ADFS 2016 server also has an extranet lockout feature, so is there any difference between the 2 as far as protection from a password spray attack is concerned?

2) In the scenario I explained regarding traffic coming from outside to the WatchGuard firewall - NetScaler - ASA firewall, where should I place the WAP server and how can it help in mitigating a password spray attack?

3) Are there any good tutorials for upgrading a Windows Server 2012 to 2016 ADFS server and how the ADFS proxy should be configured?

We have mailboxes in 365 and AD accounts are synced through AAD Sync to Azure AD.

I came to know from Microsoft that messages are being redirected from Office 365 to the internal ADFS server and it is not authenticating, so what other steps should I take?

To protect from a spray attack, is just the proxy ADFS server sufficient or should some conditional policy be applied …
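A password spray is easy to miss with per-account lockout because each account sees only one or two failures; what gives it away is one source address failing against many distinct accounts in a short window. The following is an added example, not part of the post or of Microsoft's tooling, of that detection logic run over a constructed set of authentication records (timestamp, source address, user, success flag) standing in for an AD FS audit export. The thresholds are assumptions to tune for your own tenant. It also assumes the source address is present in the record, which is exactly what the poster lacked: without a Web Application Proxy in the path the AD FS server only sees the NetScaler/ASA address, whereas a WAP forwards the original client address for AD FS to log.

```python
"""Password-spray detection over authentication failure records.

Added example, not from the original post or from Microsoft. The record
format (timestamp, source_ip, user, succeeded) is constructed and stands in
for whatever the AD FS audit events or a SIEM export provide; the window
and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 tries seven accounts once each (a spray)
# and lands one guess; 10.0.0.5 is a user mistyping once.
EVENTS = [
    ("2019-06-01T09:00:05", "203.0.113.7", "alice", False),
    ("2019-06-01T09:00:11", "203.0.113.7", "bob", False),
    ("2019-06-01T09:00:19", "203.0.113.7", "carol", False),
    ("2019-06-01T09:00:27", "203.0.113.7", "dave", False),
    ("2019-06-01T09:00:34", "203.0.113.7", "erin", False),
    ("2019-06-01T09:00:41", "203.0.113.7", "frank", False),
    ("2019-06-01T09:00:49", "203.0.113.7", "grace", True),
    ("2019-06-01T09:03:00", "10.0.0.5", "alice", False),
    ("2019-06-01T09:03:20", "10.0.0.5", "alice", True),
]
# A single-account brute force from another address: eight failures, one user.
# Lockout catches this; the spray rule must NOT fire on it.
EVENTS += [(f"2019-06-01T09:0{i}:00", "198.51.100.9", "mallory", False) for i in range(8)]


def _parse(events):
    return [(datetime.fromisoformat(ts), ip, user, ok) for ts, ip, user, ok in events]


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return one alert per source IP that, inside some `window`, failed against at
    least `min_users` distinct accounts with at most `max_per_user` failures each:
    the low-and-slow profile that per-account lockout never sees."""
    failures = defaultdict(list)
    for ts, ip, user, ok in _parse(events):
        if not ok:
            failures[ip].append((ts, user))

    alerts = []
    for ip, fails in failures.items():
        fails.sort()
        # Slide the window start over each failure from this address.
        for i, (start, _) in enumerate(fails):
            per_user = Counter(user for ts, user in fails[i:] if ts - start <= window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts.append({
                    "source_ip": ip,
                    "window_start": start.isoformat(),
                    "users_targeted": sorted(per_user),
                })
                break
    return alerts


def likely_compromised(events, alerts):
    """Accounts that authenticated successfully from a flagged source address:
    the first thing to reset after a spray is confirmed."""
    flagged = {a["source_ip"] for a in alerts}
    return {user for _, ip, user, ok in events if ok and ip in flagged}


if __name__ == "__main__":
    found = detect_password_spray(EVENTS)
    for a in found:
        print(f"spray from {a['source_ip']} starting {a['window_start']}: {a['users_targeted']}")
    print("reset these accounts:", likely_compromised(EVENTS, found))
```

The brute-force address is deliberately left unflagged by this rule because extranet lockout already handles it; the two controls complement each other rather than overlap.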
I have an application running in ASP.NET/C#/IIS/SQL Server.

The application is not rendering correctly on any browser other than Internet Explorer.

I have added a document with the details on display and some setting changes I had to make for PCI Scan Vulnerabilities.

Please advise on what the issue may be.


Bruce Merevick
We have been looking at some Get-HotFix reports to determine the last MS security updates applied to a multitude of servers serving different purposes. In some cases the process seems to be working and critical updates are applied in a timely manner, but we found a few exceptions. For my own knowledge/benefit: if a server was acting as a web server and only had standard web ports open, could any of the vulnerabilities that the MS updates 'address' still be exploitable from the outside through those ports? I'm not entirely sure what range of products/services the updates cover in their 'monthly roll-ups', so I would be interested to learn a little more.
Just had two sites fail PCI compliance tests with certificate errors on a SonicWall TZ180. Trustwave does the scans and this is what they said: "The server should be configured to disable the use of the deprecated SSLv2, SSLv3, and TLSv1.0 protocols. The server should instead use stronger protocols such as TLSv1.1 and/or TLSv1.2. For services that already support TLSv1.1 or TLSv1.2, simply disabling the use of the SSLv2, SSLv3, and TLSv1.0 protocols on this service is sufficient."
I have no idea how to do what they said. Any help is really appreciated. Thanks.
We have a few IT vendors located in other countries:

Would it meet audit/compliance requirements that they do application penetration testing (e.g. greybox) on their "cloned" environment rather than in the actual production environment? (i.e. use 'cloned' as a proxy for production)

What measures can we take to ensure the pre-production 'cloned' environment's scanning would yield the same results as the actual environment?

Are reports generated by pentesting tools protected such that they're tamper-proof? Are Nessus & Rapid7 tamper-proof?
One of my Hotmail accounts has been hacked using malware. They say they know two of my passwords. One they know is accurate; for the other they have 6 of 9 characters correct. What free program can we use to remove any malware? The person warns on a daily basis but never acts on their intentions, with a deadline they give of 3 days.
Are there any useful documents/articles that are routinely issued/upgraded which show specific trends in cyber attacks for say the past 2-3 years, and for any major cyber attacks that hit the news – what the root cause of the vulnerability that was exploited was? i.e. what the cyber criminals are targeting nowadays, and what the relevant controls are to protect against those, assuming they could be protected against, e.g. a relevant patch applied?

I was also interested in identifying the primary/priority security defences, or at least coming up with some form of priority checklist of what to assess in what order when it comes to security. I appreciate on larger networks/infrastructure security must be an absolutely mammoth effort, and any single vulnerability on any device could be your downfall, but there must be some form of precedence in terms of priority of cyber controls when self-assessing your cyber/security defences, so my question to you is - where exactly would you start, and do any of the guidelines out there put cyber controls/defences in order of importance/priority, I assume they must do, but quite which articles/guidelines is an unknown to me.  

If you were doing an independent review of your security/cyber defences, what order would you start in, e.g. the absolutely bare minimums, and then onto the second tier of
defences, 3rd etc. If there are no such guidelines, your own view on this would be equally as interesting.
Hi Experts,

Looking for a way to activate "Launch program before Windows login" for the WatchGuard 12.2 VPN client. Trying to have the VPN login show up before the Windows login so that once the Internet is connected, remote users can connect to the VPN and then to AD for authentication. This has to be done during first boot, so I'm looking for silent switches which would enable installation of the VPN as well as enabling of the feature above. I have attached the silent install switches that I am aware of.

Thanks in advance
Sorry for such a noob question. We have a WatchGuard T35. Right now it has a branch-to-branch VPN set up to another WatchGuard.

It also has the capability to make a VPN to a specific computer that's on the road, right? What app(s) can be installed on a Windows 10 computer that can do that?

Preferably free. Does WatchGuard include software to do that? Is there a standard the software needs to meet (does WatchGuard have their own proprietary way of talking to endpoints, or does any VPN software work)?

We are coming up with a policy/guideline on when a new app system should undergo
a) an application greybox scan
b) a blackbox penetration scan

I understand a) is more stringent than b), i.e. a) will reveal more than b) will.

I'm contemplating that if the app system has one of the following, then it'll require a greybox scan; otherwise, only a blackbox scan will do:

a) internet-facing
b) is designated as "Critical Information & Infrastructure" by the regulator/authority
c) contains PII and is making payments of large amounts (including payroll; would a system that bills customers classify as equally critical as payroll?)
We have a parameter tampering weakness in our app which we do not have time to fix at the application level, so we are exploring alternative mitigations, namely WAF & IPS.

The parameter tampering weakness is: a web-based attack in which certain parameters in the Uniform Resource Locator (URL) or web page form field data entered by a user can be changed without the required authorization. After changing, it points the browser to a link, page or site other than the one the user was authorized (from his original authentication) to access.

Changing the input 60001 which the user entered under the parameter "file_id" in the URL is a valid request & thus the user could see other contents (which he was not meant to see) by changing it to different values.

Is it possible to customize rules/policies in the WAF/IPS such that the rules whitelist the download form (there's only 1 form where we're vulnerable) to only the 3 URLs (exactly the same URLs as above except for the value after file_id=) and block off the rest? The 3 values are 80001, 80002, 80003.

We use WebLogic to serve the web service.
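The weakness described is an insecure direct object reference: the server trusts file_id without checking that the record belongs to the caller. As an added example that is not from the post, WebLogic or any WAF vendor, the Python below puts the vulnerable lookup next to the application-level fix (authorize every file_id against the requesting user) and next to the positive-security rule the post asks the WAF for (exactly one file_id, byte-for-byte in the three-value allowlist). The ownership table, user names and URLs are constructed for the example. The rule also covers two ways a naive allowlist gets bypassed: a repeated parameter (the WAF checks the first value, the app reads the last) and a non-canonical encoding such as a leading zero that the WAF rejects only because the comparison is on the raw string.

```python
"""Parameter tampering / IDOR on file_id: vulnerable lookup, hardened lookup,
and a WAF-style positive allowlist for the one affected form.

Added example, not from the original post, WebLogic or a WAF product. The
ownership data, user names and URLs are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed ownership data: file_id -> (owner, content)
FILES = {
    80001: ("alice", "alice-report-1"),
    80002: ("alice", "alice-report-2"),
    80003: ("bob", "bob-invoice"),
    60001: ("carol", "carol-payslip"),
}


def download_vulnerable(user, file_id):
    """The weakness in the post: any id that exists is served, whoever asks."""
    return FILES[file_id][1]


def download_hardened(user, file_id):
    """Application-level fix: the record must belong to the caller.

    A missing id and a foreign id get the same error so the response does not
    leak which ids exist.
    """
    owner, content = FILES.get(file_id, (None, None))
    if owner != user:
        raise PermissionError(f"{user} may not read file_id={file_id}")
    return content


# The stopgap the post asks for: only three literal values may reach the download form.
WAF_ALLOWED_FILE_IDS = {"80001", "80002", "80003"}


def waf_allows(url):
    """Positive-security rule scoped to /download.

    Exactly one file_id must be present and it must match an allowlisted value
    as a string. Comparing strings rather than integers closes the
    canonicalisation gap where the WAF would accept "080001" while the app
    parses it as 80001; rejecting repeated parameters closes HTTP parameter
    pollution, where the WAF inspects the first value and the app reads the last.
    """
    parts = urlsplit(url)
    if parts.path != "/download":
        return True  # rule applies to the one vulnerable form only
    values = parse_qs(parts.query, keep_blank_values=True).get("file_id", [])
    return len(values) == 1 and values[0] in WAF_ALLOWED_FILE_IDS


if __name__ == "__main__":
    print("vulnerable, bob reads carol's file:", download_vulnerable("bob", 60001))
    try:
        download_hardened("bob", 60001)
    except PermissionError as e:
        print("hardened:", e)
    for u in ["/download?file_id=80002", "/download?file_id=60001",
              "/download?file_id=080001", "/download?file_id=80001&file_id=60001"]:
        print(f"{u:45} -> {'pass' if waf_allows(u) else 'block'}")
```

The allowlist only works here because the set of legitimate ids is fixed at three; the moment the form has to serve a per-user set of files, the WAF cannot know who is allowed what, and only the ownership check in download_hardened remains a real control.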
Please, are you aware of the BlueKeep threat and the mitigation measures that could be put in place?

Best regards,
I'm planning on deploying a set of Domain Controllers over 3 sites very soon - replacing a medium-sized peer-to-peer network (well, some would call it "large").
In doing this, I'm looking forward to getting past some of the difficulties that I've had with network management.
Not having used some of the tools in a domain setting before, I'm wondering about a few things and could use Experts perspectives and experience.

We've been using ManageEngine Eventlog Analyzer for Security Event and Incident Management.  The biggest issue has been getting the workstations to respond to the monitor.  We started out trying to keep things centralized and use WMI but that was just too hard to keep all the computers "connected".  So, we've resorted to the use of Agents on the workstations.  But, even then, some refuse to play nice and we don't get any event data as in "Access Denied".

We've also been using GFI LanGuard for internal network vulnerability scanning and remediation (e.g. software update management). And we've had similar problems here, so we use almost 100% agents now. This one doesn't seem to have the same connection problems.

Now, believe me, I've researched and asked and tried things but feel that some WMI enablements are just "too hard" - even though I don't give up easily, I remain hammering away at some tough cases.  I've generated my own checklist for setting up effective WMI and still don't have a magic formula for success.  Doesn't that seem …
CRM 4, CRM 2011 upgrade

We are doing a CRM 4.0 to CRM 2011 upgrade. I have been asked if certain vulnerabilities (that were present in CRM 4.0) are addressed in CRM 2011.

Specifically, vulnerabilities are reported in the .ASPX files. They expose version information from IIS, ASP.NET etc.

We are required to enhance our Incident Response playbook to strike a balance between recovery and evidence preservation.

Offhand, I can only think of:
a) for AV, don't delete the malware/IOC file but quarantine it so that it can be analysed later: doing this for ClamAV (encrypt it to make it harmless) on UNIX servers, & on Windows only quarantine
b) on an infected PC/workstation, disconnect it from Wi-Fi/LAN but don't power-cycle it, to retain as much evidence in it as possible, & take an image backup of it (possibly run one of FireEye's forensic tools to collect artefacts)

Though Trend Micro's EDR has articles saying that it helps with evidence collection, I don't really know how it works with the collection.

Will need further inputs ...

Maybe this question is not technical help but wanted to know what is your opinion.  Last week in a group conversation a colleague said that the United States is storing and has been storing our data on cloud in a facility in UTAH, all text messages, calls land/mobile, web-browsing, etc.

How true is this and should there be any concern?
Hi, I have installed Skype on our network for a select few users to communicate with a partner company.

Users can log in and communicate but are unable to share their screens.

We do run the WatchGuard web blocking system and I wonder if Skype is being blocked just for sharing of the screen.

Has anyone got experience of this issue and could possibly offer some advice?
