[CERT-daily] Daily summary - Thursday 23-01-2014

Daily end-of-shift report team at cert.at
Thu Jan 23 18:07:48 CET 2014


=======================
= End-of-Shift report =
=======================

Timeframe:   Wednesday 22-01-2014 18:00 − Thursday 23-01-2014 18:00
Handler:     Alexander Riepl
Co-Handler:  Robert Waldner

*** SA-CONTRIB-2014-005 - Leaflet - Access bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-005
Project: Leaflet (third-party module)
Version: 7.x
Date: 2014-January-22
Security risk: Critical
Exploitable from: Remote
Vulnerability: Access bypass
Description
The Leaflet module enables you to display an interactive map using the Leaflet library, using entities as map features. The module exposes complete data from entities used as map features to any site visitor with a JavaScript inspector (like Firebug).
---------------------------------------------
https://drupal.org/node/2179103





*** New Android Malware Steals SMS Messages, Intercepts Calls ***
---------------------------------------------
A new strain of Android malware has emerged that masquerades as an Android security app but once installed, can steal text messages and intercept phone calls.
---------------------------------------------
http://threatpost.com/new-android-malware-steals-sms-messages-intercepts-calls/103785





*** Official PERL Blogs hacked, 2,924 Author Credentials Leaked by ICR ***
---------------------------------------------
The breach has seen 2,924 user account credentials published to quickleak.org, and a deface page was added to the blog, though it was not obtrusive to the actual website.
---------------------------------------------
http://www.cyberwarnews.info/2014/01/22/official-perl-blogs-hacked-2924-author-credentials-leaked-by-icr/




*** CrowdStrike Takes On Chinese, Russian Attack Groups in Threat Report ***
---------------------------------------------
Russian attackers targeted energy sector targets and a Chinese nexus intrusion group infected foreign embassies with malware using watering hole tactics in 2013, CrowdStrike researchers found in its first-ever Global Threat Report.
---------------------------------------------
http://www.securityweek.com/crowdstrike-takes-chinese-russian-attack-groups-threat-report





*** Outdated energy, water and transport Industrial Control Systems without sufficient cyber security controls require coordinated testing of capability at EU levels, says the EU's cyber security Agency ENISA ***
---------------------------------------------
Today, the EU's cyber security Agency ENISA published a new report to give advice regarding the next steps towards coordinated testing of capability of the often outdated Industrial Control Systems (ICS) for European industries. Among the key recommendations is that the testing of ICS is a concern for all EU Member States and could be dealt with at EU levels, according to ENISA.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/ics-without-sufficient-cybersecurity-controls-require-coordinated-testing-of-capability-at-eu-levels




*** Analysis: Spam in December 2013 ***
---------------------------------------------
In December, spammers continued to honor the traditions of the season and tried to attract potential customers with a variety of original gift and winter vacation offers, taking advantage of the approaching holidays.
---------------------------------------------
http://www.securelist.com/en/analysis/204792323/Spam_in_December_2013




*** Chrome Eavesdropping Exploit Published ***
---------------------------------------------
Exploit code has been published for a Google Chrome bug that allows malicious websites granted permission to use a computer's microphone for speech recognition to continue listening after a user leaves the website.
---------------------------------------------
http://threatpost.com/chrome-eavesdropping-exploit-published/103798





