[CERT-daily] Tageszusammenfassung - Dienstag 6-05-2014

Tue May 6 18:13:16 CEST 2014

=======================
= End-of-Shift report =
=======================

Timeframe:   Montag 05-05-2014 18:00 − Dienstag 06-05-2014 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** NIST updates Transport Layer Security (TLS) guidelines ***
---------------------------------------------
The National Institute of Standards and Technology (NIST) has released an update to a document that helps computer administrators maintain the security of information traveling across their networks.
---------------------------------------------
http://www.net-security.org/secworld.php?id=16794


*** Finding Weak Remote Access Passwords on POS Devices ***
---------------------------------------------
One of my key take-aways in the Verizon Data Breach Incident Report was that credentials are a major attack vector in 2013. Especially within the POS Intrusions, brute forcing and use of stolen creds was a major problem.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/05/05/finding-weak-remote-access-passwords-on-pos-devices


*** Analyzing CVE-2014-0515 - The Recent Flash Zero-Day ***
---------------------------------------------
Last week, Adobe released an advisory disclosing a new zero-day vulnerability in Flash Player. Looking into the exploit code used in attacks targeting this vulnerability, we found several interesting ties to other vulnerabilities - not all of them for Flash Player, either. To explain this, we will discuss the highlights of how this exploit was performed.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/H6laAIdlckU/


*** Live from InfoSecurity Europe 2014: The Nitty Gritty of Sandbox Evasion ***
---------------------------------------------
Infosecurity Europe 2014 was a great gathering of the top minds in cybersecurity, and in case you missed the event, we were excited to capture live content from the show floor to share with our readers. Over the next few...
---------------------------------------------
http://www.fireeye.com/blog/corporate/2014/05/live-from-infosecurity-europe-2014-the-nitty-gritty-of-sandbox-evasion.html


*** And the Web it keeps Changing: Recent security relevant changes to Browsers and HTML/HTTP Standards, (Tue, May 6th) ***
---------------------------------------------
As we all know, web standards are only leaving "draft" status once they start becoming irrelevant. It is a constant challenge to keep up with how web browsers interpret standards and how the standards themselves keep changing. We are just going through one of the perpetual updates for our "Defending Web Applications" class, and I got reminded again about some of the changes we had to make over the last year or so. Autocomplete=Off This weekend we just had yet another post...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=18075&rss


*** Watch a bank-raiding ZeuS bot command post get owned in 60 seconds ***
---------------------------------------------
RC4? Shoddy PHP coding? You VXers should try a little harder Vid Web thieves may get more than they bargained for if tech pros follow the lead of one researcher - who demonstrated how to hack the systems remote-controlling the infamous ZeuS crime bot in 60 seconds.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/05/06/zeus_pwned_in_60_seconds/


*** The State of Cryptography in 2014, Part 1: On Fragility and Heartbleed ***
---------------------------------------------
It seems like cryptography has been taking a knock recently. This is both good and bad, but is not actually true: cryptography is always under attack, and for that reason constantly evolves. That's bad, but it's good to realize that cryptography needs constant attention. The threat to cryptography can be very disruptive, as we most recently...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/kwDfInwBFvo/


*** Dropbox schließt Referer-Lücke ***
---------------------------------------------
In begrenzten Rahmen geteilte Dropbox-Dokumente können beim Klick auf darin enthaltene Links enttarnt werden. Durch den Fix macht der Cloud-Dienstleister allerdings alle existierenden Dokumente unerreichbar. Diese müssen neu geteilt werden.
---------------------------------------------
http://www.heise.de/security/meldung/Dropbox-schliesst-Referer-Luecke-2183519.html


*** Security Bulletin: Multiple Vulnerabilities in IBM iNotes (CVE-2013-0589, CVE-2013-0592, CVE-2013-0594, CVE-2013-0595) ***
---------------------------------------------
IBM iNotes versions prior to 8.5.3 Fix Pack 6 and 9.0.1 contain multiple security vulnerabilities: CVE-2013-0589, CVE-2013-0592, CVE-2013-0594 and CVE-2013-0595.
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21671622


*** Update for Vulnerability in Juniper Networks Windows In-Box Junos Pulse Client - Version: 1.0 ***
---------------------------------------------
Microsoft is announcing the availability of an update for the Juniper Networks Windows In-Box Junos Pulse Client for Windows 8.1 and Windows RT 8.1. The update addresses a vulnerability in the Juniper VPN client by updating the affected Juniper VPN client libraries contained in affected versions of Microsoft Windows.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/2962393


*** Bugtraq: ESA-2014-028: EMC Cloud Tiering Appliance XML External Entity (XXE) and Information Disclosure Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532031


*** Bugtraq: [security bulletin] HPSBGN03010 rev.4 - HP Software Server Automation running OpenSSL, Remote Disclosure of Information ***
---------------------------------------------
http://www.securityfocus.com/archive/1/532037


*** Cisco Nexus 1000V Access Control List Bypass Vulnerability ***
---------------------------------------------
A vulnerability in Cisco Nexus 1000V switches could allow an unauthenticated, remote attacker to bypass deny statements in access control lists (ACLs) with certain types of Internet Group Management Protocol version 2 (IGMPv2) or IGMP version 3 (IGMPv3) traffic. IGMP version 1 (IGMPv1) is not affected.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-0685


*** Cisco Broadcast Access Center for Telco and Wireless Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of the Cisco Broadcast Access Center for Telco and Wireless (BAC-TW) could allow an unauthenticated, remote attacker to perform a cross-site request forgery (CSRF) attack against the Cisco BAC-TW web interface.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2190


*** Cisco Broadcast Access Center for Telco and Wireless Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web framework of the Cisco Broadcast Access Center for Telco and Wireless (BAC-TW) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the Cisco BAC-TW web interface.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2191


*** Struts 2.3.16.3 Manipulation Fix ***
---------------------------------------------
Topic: Struts 2.3.16.3 Manipulation Fix Risk: Medium Text:The Apache Struts group is pleased to announce that Struts 2.3.16.3 is available as a "General Availability" release.The GA de...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014050026