A vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness, known as the attack surface. Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. Other vulnerabilities include security risks, security defects and constructs in programming languages that are difficult to use properly.

Hi All,

We are currently configuring a Wi-Fi solution for several hospitality suites. The Internet feed has been installed and we will be using a WatchGuard firewall with three VLANs: one for management, which will host the switches and access points, and two for connections to the outside world. One VLAN will be used to broadcast the SSID; the second is for private use.

What is the best way to configure the WatchGuard firewall? I was thinking of having one interface for each VLAN, i.e. trusted for management, and then a separate interface each for the other two. Or would it be better to leave the trusted interface alone, configure one of the other interfaces for VLAN use and put all three VLANs on that one? Or is there a better way of doing this?

Thanks for your help.

Windows 10 VM not booting after installing free Avast Antivirus. I suspect there is some driver issue. How can I remove the driver or uninstall Avast from the recovery console? Or is there another way around this?

Got the following high risk penetration test finding on a platform which we develop on (from a vendor called K2). The vendor is rather inflexible in fixing such issues and we have to wait for ages for the next release.

I presume any ONE of the 3 mitigations below suffices. How do we go about implementing mitigations #1 and #2 below? The web server is IIS.

If more details are needed, can sanitize the screens & attach later.

The application allows interference with the way it processes sequences of HTTP requests that are received from one or more users.

The attacker can cause part of the front-end request to be interpreted by the back-end server as the start of the next request. It is effectively prepended to the next request, and so can interfere with the way the application processes that request.

It was possible to smuggle an HTTP request to the server by obfuscating the Transfer-Encoding header. When the front-end/proxy server encounters an obfuscated Transfer-Encoding header, it uses the Content-Length header to process the request. When the same HTTP request is forwarded to the backend/application server, the Transfer-Encoding header is interpreted, thus splitting the smuggled attack request from the original request. In such a case, the attack request can interfere with the processing of the next request, which might be sent by any end user during the time of the attack. During our testing, it was possible to receive a response from the server causing an open …
Hi All,

If we want to identify vulnerabilities in open source software, what is the way to do it? What free websites are available that can help in informing on the existing vulnerabilities of that software?

How specifically do attacks which target outdated software on a windows device, e.g. something assigned to an employee for daily duties such as a laptop/desktop, actually occur? Do they always require some form of user mistake, or does the very fact the software is outdated pose a problem regardless of tricking a user into some form of action?

I was thinking of things such as iTunes/Adobe/Java/non-MS browsers, as was suggested in another post, as some of the higher risk 3rd party apps in terms of targets for hackers. I was just trying to identify some scenarios where those kinds of things could be exploited, perhaps by someone external to the company.
What are the main 3rd party applications you have to patch in your enterprises on end user devices (e.g. desktops/laptops; non-Microsoft software), and do you have any particular tools you use to apply those patches/updates?
Hi All,

We have a Branch Office VPN established to one of our third party suppliers for support purposes (we use a WatchGuard at our end). They would like a secondary tunnel established with different settings that will run side by side with the existing one. Am I OK to use the existing external IP (ours) as the external IP of the new tunnel? Will this work if both tunnels are required to be active at the same time, or does each tunnel have to have its own external IP assigned?

If someone manages to compromise your user credentials/account via a phishing email (an Office 365 email account in this case), what is their typical objective in doing so, and how would they typically follow that through to the next stage? I would have assumed that if their target were to steal emails they would not just casually start forwarding them on to an external address? Trying to determine what they may or may not do if they do get a victim's credentials would be interesting. There must be something in it for them, but determining what that is and how they execute 'phase 2' once access is achieved would be most useful.
Some questions were raised on our practice of penetration testing:

a) On what basis are the ratings of Critical, High, Med and Low assigned? An external-facing server's XSS will get High while an internal server's (not exposed to the public/Internet) XSS will get Med? There are also various types of XSS that warrant different ratings? Curious how the various tools assign these ratings, or whether in some cases it's the human pentester who assigns them.

b) Is there any framework, e.g. NIST, CREST or similar, that specifies the duration to resolve?
Is there an exception or workaround for Windows 10 image 1607 to accept the patch for CVE-2020-0601 without failing at >90 percent and reverting back?
This is a question for the web penetration testers.

During an active scan, how exactly does Burp determine that a site is vulnerable to XSS, whether it be reflected, stored, or DOM? Does it try an input date on a field or try to insert a script at the URL and, if it gets a certain value back, say that the site is vulnerable? What proof does it display for this?
We have quite a handful (about 3 dozen) of staff who bring our corporate laptops to our China branch and they're based there for months. We enable local admin for them (as sometimes when they're there, they need to install certain software, as there's no PC/end-user support there) and we enable their laptops to connect to hotel/public places' Wi-Fi.

They'll often VPN back to the local head office here to join our domain for Intranet services, and this is when their PCs are found to have malware; or when they are back here locally, their PCs are found to have numerous malware infections. We never know what happened or why their PCs' AV signatures were not updated while they were in China.

I'm proposing an app whitelisting solution (that some of our critical PCs are mandated to have) be installed, as AV is a 'blacklisting' solution while app whitelisting is more effective, but my colleague supporting app whitelisting has the concern below:

"Not really suitable. Gotta be connected to the VPN at least 2 hrs for the baseline to complete, and if something really breaks and they can't initiate the VPN back, the whole laptop is as good as totally disconnected from the network already. High risk thing to do. Won't be able to remotely change app whitelist settings unless they manage to connect back to the VPN network. Main worry is if the user hits a problem doing VPN."

Is the limitation/concern above valid, and isn't there a way to overcome it?

What other mitigations can we do for this group of users assuming we can't take …
I need to run a scan on one IP address within Rapid7. What's the best way to go about this if creating a report?
I'm using Rapid7 and would like to run a scan against my network of all machines. I'd like to pull a report of all machines that have Acrobat and Reader installed, as well as the version of both of those products. Can you walk me through step-by-step how to produce this scan report? Any input is GREATLY appreciated!
We are getting alternate AV count readings on assets that have AV installed on them and assets that do not. Three different platforms are each providing different counts, i.e. AD, Rapid7 Sophos and SCCM. Obviously, this is alarming to say the least, especially from a compliance perspective. What would you guys recommend is the best approach in handling something like this?
Does anyone have a sample table (which I need to submit in a monthly PPT slide) for covering patching metrics?

I plan to have a column for virtual patches (as we use NIDS and endpoint IPS) included, so columns like the following:

a) date the vulnerability was published by the product principal
b) date the virtual patch is released, tested in our UAT and implemented in Prod (which I'll indicate as 'NA' if not available)
c) date the actual principal product vendor (i.e. Oracle, RHEL, firewall vendor) releases their patches, date scheduled to test in UAT, and date to deploy in Prod

Any other information/columns that I miss?

In particular I have the following products to cover:
a) Solaris OS 10
b) WebLogic middleware
c) Firewall
d) WAF
e) Oracle DB
f) RHEL 6
Hello Experts!

Can anyone tell me if Rapid7 NESSUS requires domain admin level access? If it does, can you tell me for what functions it would need this level of access? Thanks a million for your help!
Are there any useful guides which break down how to handle patching and vulnerability management into a set of best practices? Every time we look into it there are just links to commercial tools which you can use to scan for out of date software. Whereas those will point out where you aren't doing so well (e.g. outdated software, unsupported software etc.), what I am more after is some detailed best practices on how to manage the patching/remediation process in general, the considerations needed to help define and implement your policies and procedures around it, etc. If there is such a thing then that would be most helpful. I was going to look through PCI DSS, as that is a set of expected controls with some detail rather than just links to an expensive vulnerability scanner or scanning service to tell you how well or badly you are doing.

This may sound a bit crazy, but is there a way to protect sensitive data from programmers while they are developing the application? (It sounds crazy because the programmers have to see the data.) For example, we are compiling social data of staff like family composition, relationships, members' income, health issues, etc. Management wants to protect the data from the IT support techs that will support these apps and from the programmers that will be developing the apps. If there is no way, and IT has to see all the data, what can a company do to manage this situation where very sensitive data is projected to be in the system?

What we have come up with is using dummy data (not real data) for developers to create the applications. We will use this data from creation up to the validation stage. In data import, the tech responsible has to see this data (so there must be some sort of signed agreement); in the support stage, since the tech has to see the problem, they have to see the data, but will not have a test environment with real data.

What do you guys think? Any experts with this type of experience, your input is fully appreciated.
Hi All,

We use a WatchGuard Firebox as our firewall. Over the last couple of days it has detected and blocked a relatively high (for us) amount of activity, about 100 hits, that it labels as MASSCAN Activity. I have traced this back to a handful of IP addresses. These tried to attack a couple of our web servers that we have to publish on the Internet. Only ports 80 and 443 are open on these connections.

Is there anything I can or need to do to help stop this activity, or is it one of those things I have to live with as long as WatchGuard is blocking it?

I keep seeing yourpdf.online in the "Notifications" area of a user's PC. I have run MWB and AdwCleaner and they don't find or remove that. Any idea what that is? What's weird about it is that it seems to be showing different articles online, as if it is notifying her that there are things to see and read.

I also keep seeing "askbobrankin.com".  Is that guy legit?  Seems fishy.

MWB and AdwCleaner had removed Total AV as a PUP and a few adware things I can't remember... that was a few days ago. Now when I run AdwCleaner, it doesn't find any adware. It only recommends resetting the Winsock or something like that, and when I have it do it, I can't see that it actually did anything.
We are having loads of trouble configuring a site-to-site VPN with a pair of WatchGuard T35 firewalls.
Neither is configured much beyond the initial setup wizard.
The current site-to-site VPN is stock from the VPN configuration guide from WatchGuard.

We tried a number of different configs, but have currently deleted them to restart fresh.
Also, we are trying to set the connection to initiate from Site B to Site A just to limit randomness, but can set it bidirectional or with Site A as initiator to Site B. It doesn't really matter to us.

My theories may be off, so I'll just throw out the logs from each to see what you may think is happening.

Thank you in advance.

Site A
*** WG Diagnostic Report for Gateway "AA-to-TC-Gateway" ***
Created On: Tue Oct 29 09:22:49 2019

	Error Messages for Gateway Endpoint #1(name "AA-to-TC-Gateway")
		        Oct 29 09:22:35 2019 ERROR  0x02030015 Message retry timeout. Check the connection between local and remote gateway endpoints.

[Gateway Summary]
	Gateway "AA-to-TC-Gateway" contains "1" gateway endpoint(s). IKE Version is IKEv1.
	  Gateway Endpoint #1 (name "AA-to-TC-Gateway") Enabled
		Mode: Main
		PFS: Disabled 	AlwaysUp: Disabled
		DPD: Enabled 	Keepalive: Disabled
		Local ID<->Remote ID: {IP_ADDR(A.A.A.A) <-> IP_ADDR(B.B.B.B)}
		Local GW_IP<->Remote GW_IP: {A.A.A.A <-> B.B.B.B}
		Outgoing Interface: eth0 (ifIndex=4)
			linkStatus=0 (0:unknown, 1:down, 2:up)
		Stored user messages:


Hi, I'm using the Quarantine feature from Watchguard and this creates a Quarantine website users can log onto. But the problem is that it's an intranet server and as such doesn't have an 'official' SSL certificate. I tried to create a self-signed one etc but I keep on failing ... could someone please give me step-by-step instructions on how to create a self-signed certificate and attach it to that website so that the browsers won't throw their security warnings anymore? Thanks!

I am using the WARP application on my iPhone. I just got this message; does any expert know what it means? Help please.

Warp message
I have a concern about installing apps where they request my iPhone/iPad password. So some questions:

  • When an app requests authentication with my iPhone password, is it possible that the app extracts the password?
  • Also, using two-factor authentication for my Apple ID, would that protect my Apple data even though I gave the password to the apps requesting it?

(Sorry for my ignorance, and maybe it is nothing to worry about, but I wanted the expert input on this, so any help would be greatly appreciated.)