Leituras, traduções e links
Tuesday, July 15, 2025
Palo Alto Networks "Applications and Threats Content Release Notes" for Version 8999
Details of this Update (Version 8999)
This update focuses heavily on App-ID expansions and refinements, along with new vulnerability and anti-spyware signatures. Key aspects include:
1. App-ID Enhancements (Final Reminders for August 19, 2025 Activation):
* Soti MobiControl: Expanding coverage for additional connections to the Soti XSight server, currently identified as ssl.
* MS-RDP: Expanding coverage for RDP traffic from Microsoft Defender's Network Name Resolution, currently identified as ssl.
* Cortex-XDR: Activating enhanced coverage for global-content-profiles-policy.storage.googleapis.com traffic, currently identified as traps-management-service (TSIDs for this were introduced in version 8990).
* GitHub-Base: Expanding coverage for github.dev traffic, currently identified as web-browsing and ssl.
* SaaS App-ID Risk Scores: Intention to update risk scores for many SaaS App-IDs, specifically those currently at '5'.
* SaaS Characteristic Update: Intention to update the 'SaaS' characteristic from 'no' to 'yes' for many App-IDs.
* New SaaS Characteristic "Uses GenAI to Generate Code": Introduction of a new characteristic to identify applications that use Generative AI for code creation. This will first apply to Content App-IDs (scheduled for July 15, 2025), with the corresponding Cloud App-IDs getting it on August 19, 2025.
* New ICS, IoT, and OT App-IDs: Introduction of TSIDs for several new industrial control system, IoT, and operational technology App-IDs (e.g., advantech-adam-ascii, capsule-mdip-axon, emerson-movicon, etc.), with activation planned for August 19, 2025.
* New App-IDs: General intent to release new App-IDs; administrators are encouraged to use TSIDs, "New App-ID" application filters, or "Web App Tag" application filters for adoption.
* Foundation-Fieldbus: Activation of this new ICS, IoT, and OT App-ID (TSIDs for this were released in version 8990).
* New IP Geolocation Region: Introduction of "XK" for Kosovo.
2. Signature Updates:
New Vulnerability Signatures (11): Includes critical and high-severity vulnerabilities like:
* TOTOLINK A3700R SetLanguageCfg Stack Overflow (CVE-2024-22660) - Critical
* Sudo Heap Overflow (CVE-2021-3156) - High
* Curl NSS CERTINFO Denial-of-Service (CVE-2022-27781) - High
* Glibc getaddrinfo Buffer Overflow (CVE-2015-7547) - High
* Apache Kafka Arbitrary File Read (CVE-2025-27817) - High
* Google Chrome Type Confusion (CVE-2025-6554) - High
* Mozilla Multiple Products Out-Of-Bounds Write (CVE-2025-4918) - High
* NI FlexLogger usiReg URI File Parsing Directory Traversal (CVE-2025-2449) - High
Modified Anti-Spyware Signatures (1): Improved detection logic for "Grandoreiro Command and Control Traffic Detection" (critical, 86302) to address a possible false positive issue.
Modified Vulnerability Signatures - Detection Logic (4): Improved detection logic for vulnerabilities including:
* Ivanti Endpoint Manager Mobile Remote Code Execution (CVE-2025-4427, CVE-2025-4428) - High (new exploit coverage)
* Windows Command No-banner Shell Access - Medium (possible false positive fix)
* Microsoft Browser Information Disclosure (CVE-2016-3298) - Medium (new exploit coverage)
* Pandora FMS chromiumpath and phantomjsbin Command Injection (CVE-2024-12971) - Medium (possible false positive fix)
Issues (Potential)
Based on the content of the update, here are some potential issues for administrators:
Policy Impact from App-ID Changes:
"SaaS Characteristic" Changes: If you use Application Filters with the "SaaS" characteristic, updating this content will change how some applications are classified. This requires review before the update or a later content version to prevent unexpected policy enforcement or blocking.
New App-IDs: The introduction of many new App-IDs, especially for ICS, IoT, and OT, means traffic previously identified as generic (e.g., ssl, web-browsing, unknown) might now be specifically identified. If your security policies rely on broader classifications for this traffic, you might need to adjust rules to permit or block the newly identified applications.
Traffic Reclassification: The specific reclassification of ssl traffic to soti-mobicontrol, ms-rdp, and github-base could cause issues if your policies were explicitly allowing or denying ssl for these services without considering the underlying application.
UI Issues with ACE and GenAI Characteristic: Customers with ACE (Application Command Explorer) are highly recommended to install the July 15, 2025 content version (which introduces the GenAI characteristic for Content App-IDs) before the August 19, 2025 update to prevent a UI issue. This indicates a potential dependency or incompatibility if not followed.
False Positives/Negatives (Temporary): While improvements are aimed at reducing false positives (e.g., Grandoreiro, Windows Command Shell Access, Pandora FMS), any change in signature logic always carries a small risk of temporary false positives or, less commonly, false negatives until the update settles in the environment.
Performance Impact: A large number of new and modified signatures, especially for App-IDs, can sometimes have a minor, temporary performance impact during initial deployment or if the firewall is heavily loaded. This is generally mitigated by modern Palo Alto Networks devices.
Compatibility: While the "Minimum PAN-OS Version" is listed for vulnerability signatures (e.g., 8.1.0, 11.1), it's crucial to ensure your PAN-OS version is compatible with this content update. Older PAN-OS versions might not fully support all new App-IDs or signature capabilities.
Prognosis
The overall prognosis for this content update is positive for security posture improvement, but it requires proactive management and review by administrators.
Enhanced Visibility and Control: The expanded App-ID coverage, particularly for Soti, RDP, Cortex XDR, GitHub, and numerous ICS/IoT/OT protocols, will provide much finer-grained visibility into network traffic. This allows for more precise security policies, moving away from generic ssl or web-browsing rules.
Improved Threat Detection: The significant number of new and modified vulnerability and anti-spyware signatures directly enhances the firewall's ability to detect and prevent known exploits and command-and-control activity. The fixes for false positives are also beneficial for reducing alert fatigue.
Better SaaS Management: The risk score updates and the new "SaaS" characteristic will aid organizations in better understanding and managing their SaaS application usage from a security perspective. The "Uses GenAI to Generate Code" characteristic is forward-looking and will be increasingly valuable for governing AI-powered development tools.
Planning is Key: Due to the "Final Reminder" nature, Palo Alto Networks is giving a clear signal that these changes are coming. This provides administrators with time to:
Review existing policies: Specifically, check application filters that use the "SaaS" characteristic.
Prepare for new App-IDs: Consider how newly identified applications (especially ICS/IoT/OT) will interact with your current security policies.
Prioritize updates: Given the critical and high-severity vulnerability fixes, deploying this update in a timely manner is important.
Adhere to the ACE recommendation: Ensure the July 15, 2025 content update is installed for ACE users before August 19, 2025.
In summary, Content Update 8999 is a substantial update that significantly enhances Palo Alto Networks' ability to identify applications and detect threats. The "Final Reminder" indicates a strong push towards these changes being live soon, necessitating careful planning and policy review to ensure a smooth transition and maximize security benefits.
Wednesday, July 9, 2025
Security Attacks to the Name Management Protocol in Vehicular Networks
https://www.ndss-symposium.org/wp-content/uploads/vehiclesec2024-4-paper.pdf
The paper "Security Attacks to the Name Management Protocol in Vehicular Networks" identifies 19 new vulnerabilities in the Name Management Protocol (NMP) of SAE J1939 networks, which are broadly adopted in Medium and Heavy Duty (MHD) vehicle communications. This protocol is crucial for associating and managing source addresses with the primary functions of controller applications in trucks, a vital part of the transportation system where disruptions can have major social impacts.
The paper details various logical attacks exploiting these vulnerabilities, validated through formal methods and demonstrations on real trucks and bench setups. These attacks can lead to:
* Stealthily denying vehicle start-up.
* Restraining critical vehicular device participation, including "dead beef attacks" that cause reflash failure.
* Stealthy address exhaustion, preventing address-capable controller applications from network engagement.
* Poisoning the controller application's source address-function association table, which can disable features like radar and Anti-Brake System (ABS), and trigger dashboard warnings for retarder braking torque.
* Denial of Service (DoS) on claim messages, prohibiting devices from participating in the network.
* Impersonating a working set master to alter controller application source addresses, leading to "Bot-Net" attacks.
* Executing "birthday attacks" (brute-force collision attacks) to command an invalid or existing name, causing undesired vehicle behavior.
The research highlights that the SAE J1939 protocol was designed without security as a primary consideration, and current authentication defenses are lacking or not widely adopted. The paper also discusses how these vulnerabilities can be exploited via direct access to the CAN bus through public OBD ports or remotely via wireless interfaces.
The authors used Linear Temporal Logic (LTL)-based formal model checking to systematically analyze and validate these attacks, creating formal models of different NMP forms. The findings have been responsibly disclosed to the standardization body, and the models and research artifacts are open-sourced. Mitigation strategies include implementing inter-CA authentication mechanisms, key agreement schemes, and replacing inadequate checksums with more robust authentication codes like MAC, CMAC, or HMAC.
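As an added example (not code from the paper or its released artifacts), the monitor below decodes the J1939 Address Claimed frames the summary refers to as "claim messages" (PGN 0xEE00, NAME in the 8 data bytes) and flags the bus-visible symptoms of the attacks listed above: a source address re-claimed under a different NAME (association-table poisoning), one NAME hopping across many addresses (address exhaustion), and "Cannot Claim Address" messages from the null address 0xFE. All NAME values, frames and the churn threshold are constructed for the demonstration.

```python
"""J1939 Address Claimed (PGN 0xEE00) monitor for NMP anomalies. Added example,
not code from the paper; all NAMEs and frames below are constructed."""
PGN_ADDRESS_CLAIMED = 0xEE00
NULL_ADDRESS = 0xFE  # source address of a "Cannot Claim Address" message

def parse_can_id(can_id):
    """Split a 29-bit J1939 identifier into (priority, pgn, pdu_specific, source)."""
    priority = (can_id >> 26) & 0x7
    pf = (can_id >> 16) & 0xFF  # PDU format
    ps = (can_id >> 8) & 0xFF   # destination address (PDU1) or group extension (PDU2)
    sa = can_id & 0xFF
    pgn = pf << 8 if pf < 0xF0 else (pf << 8) | ps
    return priority, pgn, ps, sa

def claim_id(sa, priority=6):
    """Identifier of a global (destination 0xFF) Address Claimed frame: 0x18EEFFxx."""
    return (priority << 26) | (PGN_ADDRESS_CLAIMED << 8) | (0xFF << 8) | sa

class ClaimMonitor:
    """Rebuilds the address-to-NAME table from the bus and alerts on changes."""
    def __init__(self, churn_threshold=4):
        self.table = {}      # source address -> 64-bit NAME currently holding it
        self.addresses = {}  # NAME -> set of addresses it has claimed so far
        self.churn_threshold = churn_threshold
        self.alerts = []

    def process(self, can_id, data):
        """Feed one CAN frame; returns the alert kind raised for it, or None."""
        _, pgn, _, sa = parse_can_id(can_id)
        if pgn != PGN_ADDRESS_CLAIMED or len(data) != 8:
            return None  # not an address claim
        name = int.from_bytes(data, "little")  # NAME is transmitted little-endian
        if sa == NULL_ADDRESS:
            # A device lost contention and gave up: expected once at start-up,
            # suspicious when it recurs for a safety-relevant ECU.
            self.alerts.append(("cannot-claim", name))
            return "cannot-claim"
        alert = None
        previous = self.table.get(sa)
        if previous is not None and previous != name:
            # Another NAME claims an address already in the table. Normal during
            # arbitration (lowest NAME wins); recurring after the bus has settled,
            # it is the association-table poisoning pattern.
            self.alerts.append(("address-conflict", sa, previous, name))
            alert = "address-conflict"
        self.table[sa] = name
        seen = self.addresses.setdefault(name, set())
        seen.add(sa)
        if len(seen) >= self.churn_threshold:
            # One NAME walking through many addresses: address exhaustion.
            self.alerts.append(("address-churn", name, sorted(seen)))
            alert = alert or "address-churn"
        return alert

# Constructed NAMEs: the rogue one is numerically lower, so it wins contention.
NAME_ENGINE = 0x0000_0010_0000_0001
NAME_ROGUE = 0x0000_0000_0000_0001

def run_demo():
    """Replay a constructed frame sequence; returns the alert kinds in order."""
    mon = ClaimMonitor()
    frames = [(claim_id(0x00), NAME_ENGINE), (claim_id(0x00), NAME_ROGUE),
              (claim_id(0x80), NAME_ROGUE), (claim_id(0x81), NAME_ROGUE),
              (claim_id(0x82), NAME_ROGUE), (claim_id(NULL_ADDRESS), NAME_ENGINE)]
    return [mon.process(cid, name.to_bytes(8, "little")) for cid, name in frames]

if __name__ == "__main__":
    print(run_demo())
```

On a real bus the monitor would be fed from a CAN interface after the start-up arbitration window has passed, since conflicts and cannot-claim messages are legitimate during that window.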
From TCP/IP to Today - Vint Cerf in Conversation
This video is an interview with Vint Cerf, one of the "fathers of the internet," conducted by Chris Greer at Sharkfest 2025.
The interview covers several key topics:
The Genesis of the Internet: Vint Cerf explains that the internet's development stemmed from the ARPANET project, initiated by the Defense Department's Advanced Research Projects Agency (ARPA) to avoid technological surprises after Sputnik [01:04]. ARPA funded research at universities and, unable to buy supercomputers for all, decided to build a network for sharing resources using packet switching [01:16].
Evolution of Protocols [02:05]: Bob Kahn, from ARPA, worked on mobile packet radio and satellite networks. In 1973, he approached Vint Cerf at Stanford with the problem of connecting these disparate networks [02:31]. This led to the development of TCP (Transmission Control Protocol) [03:10], which was later split into TCP/IP in 1976 to accommodate real-time applications like speech and video [03:34]. The internet officially became operational in 1983 [03:53].
Early Applications and Growth [04:21]: Cerf discusses early applications like electronic mail (invented in 1971) [05:01], distribution lists (early social networking) [05:26], remote access, and file transfers [05:33]. The World Wide Web, announced by Tim Berners-Lee in 1991, and graphical user interfaces like Mosaic (1993) [05:53] ignited the internet's growth, leading to the dot-com boom [06:01].
Artificial Intelligence (AI) [06:42]: Cerf touches upon the history of AI, from heuristic programming and expert systems to multi-layer neural networks and the current dramatic results with large language models and machine learning [07:11]. He provides examples of AI's practical applications, such as cooling data centers [07:40] and protein folding [09:10].
Future of the Internet [09:43]: Looking ahead, Cerf discusses the use of cis-lunar space and low Earth orbiting satellites for communication [10:33], and significant investments in optical fiber networks [11:20]. He highlights the need for new protocols like Delay and Disruption Tolerant Networking (DTN) and the Bundle Protocol for deep space communication due to long delays and disruptions [11:28]. He mentions the ongoing project to build a solar system internet with collaboration from multiple space agencies [11:53].
Wireshark's Relevance [13:33]: Cerf praises Wireshark as a "fabulous tool" for exposing what's happening on the network, aiding in debugging, improving performance, and understanding protocol interactions [15:04]. He emphasizes its continued relevance for anyone serious about networking or cybersecurity [15:27].
Reflections and Advice [17:07]: When asked what he would tell his younger self, Cerf humorously states he would advise for 128 bits of address space instead of 32 bits [18:01]. He also mentions the importance of paying more attention to cryptography and security, acknowledging the limitations of early crypto and the later development of public key cryptography [18:16]. He also touches on the current threat of quantum computing to existing codes and the development of new quantum-resistant algorithms [18:58].
Personal Anecdote [20:13]: Cerf shares a relatable story about troubleshooting a printer issue that turned out to be due to his laptop still being connected to a mobile hotspot network instead of his home network [21:00].
Acknowledgements [21:11]: Cerf concludes by acknowledging the millions of people who have contributed to making the internet what it is today and who work to keep it running and secure [22:23].
You can watch the video at:
Monday, July 7, 2025
Diary 7-7-2025
It's funny how life works, isn't it? I'm doing really well, which I'm truly grateful for, but honestly, I'm in a bit of an internal transition right now. It's like my soul is shifting gears or redirecting me to another place or phase.
The Virginia Chapter
Life here in Virginia with my wife and our two little ones, who are three and five now, is good. Truly blessed, you know? And work? That's been surprisingly easy. I even wrapped up all my cyber projects ahead of schedule. So now I'm diving into all sorts of new things, like implementing a new ticket system, tackling change management, and rolling out MDM for both Apple and Android. Turns out, I'm pretty good at organizing projects and being a technical manager, so more diverse tasks just keep coming my way.
The Ache of Absence
But despite everything going so well on the surface, I'm really feeling the absence of my family's energy. It's a deep ache, you know? My kids, they cry because they miss their grandparents, and every single time it just hits me hard. Like last night, for instance. It's tough, truly, finding someone here who genuinely understands that void when you're so far from home.
You know that Brazilian energy, that unique vibration? I'd trade the consumerism we have here for it in a heartbeat. Most Brazilians I meet came here for the cheaper things, and I get that. But I've noticed something, especially with those who have kids: the quality of life seems to decrease after a few years. They just can't get that family presence and that unique Brazilian spirit here. It's something you can't buy, can you?
The support of family when you need it. The proactive presence that is not easy to find.
A New Path Emerging
And then there's Stan (my mentor from Gartner since 2023). Every single day since I started working with him, he's mentioned I could work anywhere in the world. And it got me thinking. Why not return? Why not try to research new opportunities back in Brazil?
I have been interviewed twice in the last 30 days for a job in Brazil, and I have another job interview tomorrow around 10 AM.
I am feeling that it is time to return. The 2 grandmas are feeling the distance…
Life here with 2 kids has been harsh in terms of relationships with other parents who have kids of the same age. Probably because most parents are struggling as well, what I would call – quiet struggling (inside their houses with devices).
Communicating and being social demands a lot from most people. Unfortunately, in our church the parents and men that I tried to communicate with are struggling more than me…
Sunday, July 6, 2025
produtive.com.br security analysis
Loss Aversion
Chapter 3: Loss Aversion
“The concept of loss aversion is certainly the most significant contribution of psychology to behavioral economics.” – Daniel Kahneman
Principle Introduction: Loss aversion is a key concept in decision-making that highlights our innate tendency to prioritize avoiding losses over acquiring gains. This principle, first identified by Daniel Kahneman and Amos Tversky, reveals that the pain associated with losing is disproportionately greater than the pleasure derived from winning. In everyday life, this can manifest in various ways, from our reluctance to sell losing stocks to our preference for insurance against potential losses. Understanding loss aversion helps illuminate the intricacies of human decision-making, shedding light on why we often make choices that prioritize safety and security over potential gains.
Erez, Dolev. The Art of Thinking in Graphs: Illustrating the 52 Principles That Shape Our Productivity, Decision-Making, and the Way We Think (p. 21). Kindle Edition.
Monday, June 23, 2025
smsprefeiturasp - Phishing campaign
Original Email
Original Links
http://smsprefeiturasp.org/
https://listserver.slu.se/scripts/wa.exe
https://listserver.slu.se/scripts/wa.exe?TICKET=test&c=%3Cscript%3Evar%20i=%20%22?x=$amV3aGl0ZUBocnRyYW5zaXQub3Jn%22;eval
Header information
| Header | Value |
|---|---|
| Message-ID | <0SY500KJEZ70ID61@submit-ad1-fd2-411-sa-saopaulo-1.rmtaad1.vcndpgru.oraclevcn.com> |
| Subject | Batch -55146550 \| 06/20/2025 \| 16:59:22 |
| Mime-Version | 1.0 |
| Content-Type | multipart/alternative; boundary=--==_mimepart_68559545a20ea_133e1041007f0 |
| Authentication-Results | spf=pass (sender IP is 192.29.134.127) smtp.mailfrom=gru1.rp.oracleemaildelivery.com; dkim=pass (signature was verified) header.d=gru1.rp.oracleemaildelivery.com;dmarc=none action=none header.from=smsprefeiturasp.org;compauth=none reason=404 |
| Received-SPF | Pass (protection.outlook.com: domain of gru1.rp.oracleemaildelivery.com designates 192.29.134.127 as permitted sender) receiver=protection.outlook.com; client-ip=192.29.134.127; helo=aib29acd127.gru1.oracleemaildelivery.com; pr=C |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; s=prod-gru-20200122; d=gru1.rp.oracleemaildelivery.com; h=Date:To:From:Subject:Message-Id:MIME-Version:Sender:List-Unsubscribe:List-Unsubscribe-Post; bh=IdV1k3abqlpI0cE9u0lir8PK57cTtLIfxLkgQJDiVdc=; b=NUBGopEfw1TqMLu+BiuiF3g73vO4M2N2WQT2uqIL9HoBbXNcLgLUDaTcJr7Oi9pw0e2WM8WnPPF4 1KNpKFB66VPsX2hrWDuTP+3zJ+oFmFkyc/8WLdd/jBrat3odPrHohik9BEjn+mN9EeDEKBKKMOso FkXJKoXWDvLRK+3Ijgv8FO5rhGDemV9iUCL3WWKWSEHTNUaKXRzu43jWDViqBcBJ/s/ROmQ4ZV1N H1WdFuehyB75CtNkNr2+fPxG8tKwM3NyS7ERptpwUrOrLwHfsHnq5IhsbffX+6MlBOhiEWHzhP5g SXl5jBvorgJi761K6S6m66/sg+H2kcCawec7lQ== |
| List-Unsubscribe-Post | List-Unsubscribe=One-Click |
| X-Priority | 3 |
| List-Unsubscribe | <https://cell0.track.email.sa-saopaulo-1.oci.oraclecloud.com/20221014/track/unsubscribe?V=9&H=AAFuhJVJvnwpqr_oyTtwWI-JqfT_8SBGmwflF7iRz97QEwaCyZrFu69cGVNXL43mKmVIfPDm7jnli-A3TnXbgpYtKWMeozMskFfNlluixjo-OIyauCWStOQFftv1Y6V4boU9nQ0T_YEioIxMVcviGc8LMUnGJ6JyGNw2xnbC_kFvzwPxiaiAxqVTrldQnG_403s-2Fxz2n4T8yNGrI9e3nSkz2T1DZ5E_5XYwWbc2aJKj5dAo3nBTtJ1lO8G4DhcDHKIozcqtxeqDxYn3L8nVpvQVB8UmDMCgQJJ0XN4TG4XoutMCJMVA-RPdVpeCMFVT7Ibhu5qyVhDVN3gZX_frgnohhokLbcccILSTUTkRY20V5lA6KYzk4UVOxAefM8xVp8PlisMsGCffgcBHWK7Ba1jTLgVjIE> |
| X-MS-Exchange-Organization-ExpirationStartTime | 20 Jun 2025 16:59:26.6750 (UTC) |
| X-MS-Exchange-Organization-ExpirationStartTimeReason | OriginalSubmit |
| X-MS-Exchange-Organization-ExpirationInterval | 1:00:00:00.0000000 |
| X-MS-Exchange-Organization-ExpirationIntervalReason | OriginalSubmit |
| X-MS-Exchange-Organization-Network-Message-Id | 61d7aa41-46cf-46f5-ace1-08ddb01bd098 |
| X-EOPAttributedMessage | 0 |
| X-EOPTenantAttributedMessage | 81c54995-1ea1-4e22-885b-ae3a6267a539:0 |
| X-MS-Exchange-Organization-MessageDirectionality | Incoming |
| X-MS-PublicTrafficType | |
| X-MS-TrafficTypeDiagnostic | BN2PEPF000055DD:EE_\|MWHPR13MB6982:EE_\|PH0PR13MB6043:EE_ |
| X-MS-Exchange-Organization-AuthSource | BN2PEPF000055DD.namprd21.prod.outlook.com |
| X-MS-Exchange-Organization-AuthAs | Anonymous |
| X-MS-Office365-Filtering-Correlation-Id | 61d7aa41-46cf-46f5-ace1-08ddb01bd098 |
| X-MS-Exchange-AtpMessageProperties | SA\|SL |
| X-MS-Exchange-Organization-SCL | 1 |
| X-Microsoft-Antispam | BCL:3;ARA:13230040\|4022899009\|5062899012\|2092899012\|3072899012\|3092899012\|12012899012\|5133199007\|8096899003\|7053199007; |
| X-Forefront-Antispam-Report | CIP:192.29.134.127;CTRY:BR;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:aib29acd127.gru1.oracleemaildelivery.com;PTR:aib29acd127.gru1.oracleemaildelivery.com;CAT:NONE;SFTY:9.25;SFS:(13230040)(4022899009)(5062899012)(2092899012)(3072899012)(3092899012)(12012899012)(5133199007)(8096899003)(7053199007);DIR:INB;SFTY:9.25; |
| X-MS-Exchange-CrossTenant-OriginalArrivalTime | 20 Jun 2025 16:59:26.3061 (UTC) |
| X-MS-Exchange-CrossTenant-Network-Message-Id | 61d7aa41-46cf-46f5-ace1-08ddb01bd098 |
| X-MS-Exchange-CrossTenant-Id | 81c54995-1ea1-4e22-885b-ae3a6267a539 |
| X-MS-Exchange-CrossTenant-AuthSource | BN2PEPF000055DD.namprd21.prod.outlook.com |
| X-MS-Exchange-CrossTenant-AuthAs | Anonymous |
| X-MS-Exchange-CrossTenant-FromEntityHeader | Internet |
| X-MS-Exchange-Transport-CrossTenantHeadersStamped | MWHPR13MB6982 |
| X-MS-Exchange-Transport-EndToEndLatency | 00:00:20.3903248 |
| X-MS-Exchange-Processed-By-BccFoldering | 15.20.8857.014 |
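The Authentication-Results line above is the key finding in these headers: SPF and DKIM both pass, but for the bulk-sender domain gru1.rp.oracleemaildelivery.com, while the visible From domain is smsprefeiturasp.org, which publishes no DMARC policy (dmarc=none), so the passes say nothing about the sender shown to the user. The following added example (not part of the original post) parses that header value, copied from the table, and reports the alignment gap; its organizational-domain helper is a deliberate simplification that assumes the last two labels are the registrable domain.

```python
"""Check whether SPF/DKIM passes are aligned with the From domain.

Added example, not from the post. AUTH_RESULTS is the Authentication-Results
value from the message above; org_domain() is a simplification (see comment).
"""
import re

AUTH_RESULTS = (
    "spf=pass (sender IP is 192.29.134.127) smtp.mailfrom=gru1.rp.oracleemaildelivery.com; "
    "dkim=pass (signature was verified) header.d=gru1.rp.oracleemaildelivery.com;"
    "dmarc=none action=none header.from=smsprefeiturasp.org;compauth=none reason=404"
)


def org_domain(domain):
    """Last two labels only; a real check uses the Public Suffix List (e.g. for .com.br)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def parse_auth_results(header):
    """Map each method (spf, dkim, dmarc, compauth) to its result and authenticated domain."""
    fields = {}
    for clause in header.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc|compauth)=(\w+)", clause)
        if not m:
            continue
        dom = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)", clause)
        fields[m.group(1)] = {"result": m.group(2), "domain": dom.group(1) if dom else None}
    return fields


def assess(header):
    """Return alignment verdicts for SPF and DKIM plus findings for the analyst."""
    f = parse_auth_results(header)
    from_dom = f.get("dmarc", {}).get("domain")  # header.from as seen by the receiver
    report = {"from_domain": from_dom, "findings": []}
    for method in ("spf", "dkim"):
        entry = f.get(method)
        # Relaxed DMARC alignment: organizational domains must match.
        aligned = bool(entry and entry["domain"] and from_dom
                       and org_domain(entry["domain"]) == org_domain(from_dom))
        report[f"{method}_aligned"] = aligned
        if entry and entry["result"] == "pass" and not aligned:
            report["findings"].append(
                f"{method}=pass for {entry['domain']} is not aligned with From {from_dom}")
    if f.get("dmarc", {}).get("result") == "none":
        report["findings"].append(
            f"{from_dom} publishes no DMARC policy, so unaligned mail is not rejected")
    return report


if __name__ == "__main__":
    for line in assess(AUTH_RESULTS)["findings"]:
        print(line)
```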