- Daily - CERT.at

Tageszusammenfassung - Freitag 24-02-2017
by Daily end-of-shift report 24 Feb '17

24 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 23-02-2017 18:00 − Freitag 24-02-2017 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Kriminelle versenden gefälschte BAWAK P.S.K.-SMS *** --------------------------------------------- In einer gefälschten BAWAG P.S.K.-SMS heißt es, dass die Bank das Konto von Kund/innen gesperrt habe. Damit diese ihr Konto wieder aktivieren können, sollen sie eine Website aufurfen und ihre Zugangsdaten bekannt geben. Achtung: Es handelt sich um einen Phishingversuch. Am besten ist es, wenn Sie die SMS löschen. --------------------------------------------- https://www.watchlist-internet.at/phishing/kriminelle-versenden-gefaelschte… *** Worlds Largest Spam Botnet Adds DDoS Feature *** --------------------------------------------- Necurs, the worlds largest spam botnet with nearly 5 million infected bots, of which one million active each day, has added a new module that can be used for launching DDoS attacks. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/worlds-largest-spam-botnet-a… *** Removing User Admin Rights Mitigates 94% of All Critical Microsoft Vulnerabilities *** --------------------------------------------- Just by preventing access to admin accounts, a system administrator could safeguard all the computers under his watch and prevent attackers from exploiting 94% of all the critical vulnerabilities Microsoft patched during the past year. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/removing-user-admin-rights-… *** Bleeding clouds: Cloudflare server errors blamed for leaked customer data *** --------------------------------------------- While working on something completely unrelated, Google security researcher, Tavis Ormandy, recently discovered that Cloudflare was leaking a wide range of sensitive information, which could have included everything from cookies and tokens, to credentials.Cloudflare moved quickly to fix things, but their postmortem downplays the risk to customers, Ormandy said.The problem on Cloudflares side, which impacted big brands like Uber, Fitbit, 1Password, and OKCupid, was a memory leak. The flaw --------------------------------------------- http://www.csoonline.com/article/3173639/security/bleeding-clouds-cloudflar… *** Leaked Android Banking Trojan Spotted in Disguise on the Google Play Store *** --------------------------------------------- Just as security experts have predicted, the source code of a potent Android banking trojan that was leaked online in mid-December 2016, is now being seen in live attacks on a regular basis. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/leaked-android-banking-troja… *** LibreOffice Calc and Writer Embedded Object Preview Flaw Lets Remote Users Obtain Potentially Sensitive Information on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1037893 *** [Xen-announce] Xen Security Advisory 209 (CVE-2017-2620) - cirrus_bitblt_cputovideo does not check if memory region is safe *** --------------------------------------------- A malicious guest administrator can cause an out of bounds memory write, very likely exploitable as a privilege escalation. --------------------------------------------- https://lists.xen.org/archives/html/xen-announce/2017-02/msg00004.html *** [Xen-announce] Xen Security Advisory 210 - arm: memory corruption when freeing p2m pages *** --------------------------------------------- A malicious or buggy guest may corrupt hypervisor state, commonly leading to a host crash (Denial of Service). Privilege escalation or information leaks cannot be excluded. --------------------------------------------- https://lists.xen.org/archives/html/xen-announce/2017-02/msg00005.html *** Novell: NetIQ Access Manager 4.3 Support Pack 1 4.3.1.0-53 *** --------------------------------------------- The purpose of the patch is to provide a bundle of fixes for issues that have surfaced since NetIQ Access Manager 4.3 was released. These fixes include updates to the Access Gateway Appliance, Access Gateway Service, Identity Server, Analytics Server and Admin Console. CVE - 20145183 --------------------------------------------- https://download.novell.com/Download?buildid=30pOHdA3ETQ~ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities may affect IBM WebSphere Real Time *** https://www.ibm.com/support/docview.wss?uid=swg21997192 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK, Java Technology Edition *** https://www.ibm.com/support/docview.wss?uid=swg21997194 --------------------------------------------- *** IBM Security Bulletin: IBM Business Process Manager (BPM) document store is affected by clickjacking vulnerability in administrative tool for BPM document store (CVE-2013-5462) *** http://www-01.ibm.com/support/docview.wss?uid=swg21998385 --------------------------------------------- *** IBM Security Bulletin: Security vulnerabilities in Apache Tomcat affect multiple IBM Rational products based on IBM's Jazz technology *** http://www-01.ibm.com/support/docview.wss?uid=swg21999362 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager appliances are affected by a vulnerability in Busybox (CVE-2014-9645) *** http://www.ibm.com/support/docview.wss?uid=swg21998196 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager appliances are affected by a vulnerability in IBM WebSphere Application Server (CVE-2016-5983) *** http://www.ibm.com/support/docview.wss?uid=swg21996871 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilites in IBM Algorithmics Algo One Algo Risk Application (ARA) related to IBM WebSphere Application Server Liberty *** http://www.ibm.com/support/docview.wss?uid=swg21999209 --------------------------------------------- *** IBM Security Bulletin: IBM Connections Security Refresh (CVE-2016-5932) *** http://www.ibm.com/support/docview.wss?uid=swg21998294 --------------------------------------------- *** IBM Security Bulletin: An XML parser vulnerability affects IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web 7.0 software releases (CVE-2016-4463) *** http://www.ibm.com/support/docview.wss?uid=swg21996869 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilites in IBM Algorithmics Algo One Algo Risk Application (ARA) Stack trace may be thrown if no default error page was set up and exception occurred *** http://www.ibm.com/support/docview.wss?uid=swg21997638 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 23-02-2017
by Daily end-of-shift report 23 Feb '17

23 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 22-02-2017 18:00 − Donnerstag 23-02-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Criminals Monetizing Attacks Against Unpatched WordPress Sites *** --------------------------------------------- Sites still vulnerable to a REST API endpoint flaw in WordPress are now being targeted by attackers trying to turn a profit. --------------------------------------------- http://threatpost.com/criminals-monetizing-attacks-against-unpatched-wordpr… *** MSRT February 2017: Chuckenit detection completes MSRT solution for one malware suite *** --------------------------------------------- In September 2016, we started adding to Microsoft Malicious Software Removal Tool (MSRT) a malware suite of browser modifiers and other Trojans installed by software bundlers. We documented how the malware in this group install other malware or applications silently, without your consent. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/02/22/msrt-february-2017-chuc… *** Top 8 Reverse Engineering Tools for Cyber Security Professionals *** --------------------------------------------- Whether it is rebuilding a car engine or diagramming a sentence, people can learn about many things simply by taking them apart and putting them back together again. This process of breaking something down to understand it, build a copy to improve it, is known as reverse engineering. --------------------------------------------- http://resources.infosecinstitute.com/top-8-reverse-engineering-tools-cyber… *** Impact of New Linux Kernel DCCP Vulnerability Limited *** --------------------------------------------- Existing mitigations and limitations around a newly disclosed Linux kernel vulnerability in the DCCP module mute the potential impact of local attacks. --------------------------------------------- http://threatpost.com/impact-of-new-linux-kernel-dccp-vulnerability-limited… *** Java, Python FTP Injection Attacks Bypass Firewalls *** --------------------------------------------- Newly disclosed FTP injection vulnerabilities in Java and Python that are fueled by rather common XML External Entity (XXE) flaws allow for firewall bypasses. --------------------------------------------- http://threatpost.com/java-python-ftp-injection-attacks-bypass-firewalls/12… *** Kollissionsangriff: Hashfunktion SHA-1 gebrochen *** --------------------------------------------- Forscher von Google und der Universität Amsterdam ist es gelungen, zwei unterschiedliche PDF-Dateien mit demselben SHA-1-Hash zu erzeugen. Dass SHA-1 unsicher ist, war bereits seit 2005 bekannt. (SHA-1, Google) --------------------------------------------- https://www.golem.de/news/kollissionsangriff-hashfunktion-sha-1-gebrochen-1… *** Putty 0.68 released *** --------------------------------------------- http://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Buffer Overflow from improperly formatted SELECT command in IBM Tivoli Storage Manager (IBM Spectrum Protect) Server (CVE-2016-8998) *** http://www.ibm.com/support/docview.wss?uid=swg21998747 --------------------------------------------- *** IBM Security Bulletin: IBM WebSphere MQ cluster channel definition causes denial of service to cluster (CVE-2016-9009) *** http://www-01.ibm.com/support/docview.wss?uid=swg21998647 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Netezza PureData System for Analytics (CVE-2016-8610) *** http://www-01.ibm.com/support/docview.wss?uid=swg21997472 --------------------------------------------- *** IBM Security Bulletin: IBM MQ and IBM MQ Appliance are vulnerable to SWEET32 Birthday attack (CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995099 --------------------------------------------- *** IBM Security Bulletin: Information disclosure CVE-2016-9975 affects IBM Dashboard Application Services Hub (DASH) *** http://www.ibm.com/support/docview.wss?uid=swg21998714 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM WebSphere MQ (CVE-2016-2106, CVE-2016-2109) *** http://www-01.ibm.com/support/docview.wss?uid=swg21998797 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 22-02-2017
by Daily end-of-shift report 22 Feb '17

22 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 21-02-2017 18:00 − Mittwoch 22-02-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Avast Releases a Decryptor for Offline Versions of the CryptoMix Ransomware *** --------------------------------------------- Today, Avast released a decryptor for CryptoMix victims that were encrypted while in offline mode. Offline mode is when the ransomware runs and encrypts a victims computer while there is no Internet connection or the computer cannot connect to the ransomwares Command & Control server. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/avast-releases-a-decryptor-f… *** [R1] Nessus 6.10.2 Fixes One Vulnerability *** --------------------------------------------- Nessus was found to contain a flaw that allowed a remote, authenticated attacker to upload a crafted file that could be written to anywhere on the system. This could be used to subsequently gain elevated privileges on the system (e.g. after a reboot). This issue only affects installations on Windows. --------------------------------------------- http://www.tenable.com/security/tns-2017-06 *** Financial cyberthreats in 2016 *** --------------------------------------------- In 2016 we continued our in-depth research into the financial cyberthreat landscape. Weve noticed over the last few years that large financial cybercriminal groups have started to concentrate their efforts on targeting large organizations - such as banks, payment processing systems, retailers, hotels and other businesses where POS terminals are widely used. --------------------------------------------- http://securelist.com/analysis/publications/77623/financial-cyberthreats-in… *** Microsoft patcht Flash Player unter Windows außer der Reihe *** --------------------------------------------- Diesen Monat ist der Patchday trotz bekannter Sicherheitslücken in Windows ausgefallen. Nun liefert Microsoft zumindest Patches für kritische Lücken im Flash Player nach. --------------------------------------------- https://heise.de/-3632329 *** Security Advisory - Privilege Elevation Vulnerability Caused by Arbitrary File Upload in Huawei Themes *** --------------------------------------------- The Huawei Themes APP in some Huawei products has a privilege elevation vulnerability due to the lack of theme pack check. An attacker could exploit this vulnerability to upload theme packs containing malicious files and trick users into installing the theme packets, resulting in the execution of arbitrary code. (Vulnerability ID: HWPSIRT-2016-11073) This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-2699. --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170222-… *** Website Uses "Add Extension to Leave" Popups to Infect Chrome Users *** --------------------------------------------- A malvertising campaign has specifically targeted and redirected Chrome users to a website they couldnt leave unless they agreed to install a rogue Chrome extension. --------------------------------------------- https://www.bleepingcomputer.com/news/security/website-uses-add-extension-t… *** Apple: Logic Pro X 10.3.1 *** --------------------------------------------- Impact: Opening a maliciously crafted GarageBand project file may lead to arbitrary code execution Description: A memory corruption issue was addressed through improved memory handling. --------------------------------------------- https://support.apple.com/en-us/HT207519 *** Sysinternals Updates *** --------------------------------------------- Sysmon v6, Autoruns v13.7, AccessChk v6.1, Process Monitor v3.32, Process Explorer v16.2, LiveKd v5.61, and BgInfo v4.21 --------------------------------------------- https://blogs.technet.microsoft.com/sysinternals/2017/02/17/update-sysmon-v… *** RSA Conference 2017 Playlist *** --------------------------------------------- https://www.youtube.com/playlist?list=PLeUGLKUYzh_j1Q75yeae8upX-T1FLmZWf *** Gefälschte A1-Rechnung verbreitet Schadsoftware *** --------------------------------------------- Kriminelle wollen mit einer scheinbar echten A1-Rechnung Schadsoftware auf fremden Computern hinterlegen. Damit sie das Ziel erreichen, fordern sie Empfänger/innen dazu auf, dass sie die angebliche Rechnung auf einer gefälschten A1-Website herunterladen. Wer die gefälschte Zahlungsaufstellung öffnet, installiert einen Trojaner. Er verschlüsselt Dateien und macht sie unbrauchbar. --------------------------------------------- https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-a1-rec… *** Mobile Devices und Softwareupdates *** --------------------------------------------- Mobile Devices bestimmen in unserer modernen Gesellschaft zunehmend den Alltag. Das Lesen von Emails oder das Online-Banking: alltägliche Anwendungen werden immer öfter mit einem mobilen Endgerät umgesetzt, privat oder beruflich. Waren es bis vor kurzem nur Smartphones, welche das Handy abgelöst haben, oder Tablet-Computer, die ursprünglich als Bücher-Ersatz gedacht waren, so folgen heute beispielsweise die Uhr, die Brille, das Auto und viele mehr. --------------------------------------------- https://www.dfn-cert.de/aktuell/mobile_devices_software_updates.html *** SSA-363881 (Last Update 2017-02-22): Web Vulnerabilities in RUGGEDCOM NMS *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-363881… *** SSA-623229 (Last Update 2017-02-22): DROWN Vulnerability in Industrial Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-623229… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Mutiple vulnerabilities in zlib affect IBM ILOG CPLEX Optimization Studio *** http://www.ibm.com/support/docview.wss?uid=swg21997946 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Brocade Network Advisor affect IBM PureApplication System. *** http://www.ibm.com/support/docview.wss?uid=swg21998725 --------------------------------------------- *** IBM Security Bulletin: Potential cross-site scripting in the Admin Console for WebSphere Application Server (CVE-2016-8934) *** http://www-01.ibm.com/support/docview.wss?uid=swg21992315 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSource Spring Source/Pivotal Spring Framework affect IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2013-7315, CVE-2013-4152, CVE-2014-0054) *** http://www-01.ibm.com/support/docview.wss?uid=swg21992651 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 21-02-2017
by Daily end-of-shift report 21 Feb '17

21 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 20-02-2017 18:00 − Dienstag 21-02-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Joomla Security - Pornography Spam Campaign in the Wild *** --------------------------------------------- One of the worst experiences for a website owner is finding out that the search results for your site have turned into a pharmacy, a fashion outlet, or even a porn dump. Those unwanted keywords are a result of Search Engine Poisoning (SEP) attacks. This blackhat SEO technique is used by attackers to take advantage of your rankings on Search Engine Result Pages (SERPs). --------------------------------------------- https://blog.sucuri.net/2017/02/joomla-security-pornography-spam-campaign-i… *** Hardening Postfix Against FTP Relay Attacks, (Mon, Feb 20th) *** --------------------------------------------- Yesterday, I read an interesting blog post about exploiting XXE (XML eXternal Entity) flaws to send e-mails. In short: It is possible to trick the application to connect to an FTP server, but since mail servers tend to be forgiving enough, they will just accept e-mail if you use the FTP client to connect to port 25 on a mail server. The mail server will of course initially see the USER and PASS commands, but it will ignore them. Initially, I considered thisa lesser issue. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22086&rss *** New(ish) Mirai Spreader Poses New Risks *** --------------------------------------------- A cross-platform win32-based Mirai spreader and botnet is in the wild and previously discussed publicly. However, there is much information confused together, as if an entirely new IoT bot is spreading to and from Windows devices. This is not the case. Instead, an accurate assessment is that a previously active Windows botnet is spreading a Mirai bot variant. So let's make a level-headed assessment of what is really out there. --------------------------------------------- https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-… *** Vulnerability in Citrix NetScaler Application Delivery Controller and NetScaler Gateway GCM nonce generation *** --------------------------------------------- A flaw in NetScaler ADC and Gateway causes GCM nonces to be randomly generated, making it marginally easier for remote attackers to obtain ... --------------------------------------------- https://support.citrix.com/article/CTX220329 *** DFN-CERT-2017-0317: Xen, QEMU: Eine Schwachstelle ermöglicht u.a. die Ausführung beliebigen Programmcodes *** --------------------------------------------- Ein einfach authentifizierter Angreifer im benachbarten Netzwerk mit erweiterten Privilegien (Guest Administator) kann auf Speicher außerhalb von Speichergrenzen zugreifen (Out-of-Bounds Access) und dadurch einen Denial-of-Service (DoS)-Angriff durchführen oder möglicherweise beliebigen Programmcode zur Ausführung bringen. Die Schwachstelle betrifft QEMU in allen Versionen von Xen. Es stehen Sicherheitsupdates zur Verfügung. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0317/ *** Unstoppable JavaScript Attack Helps Ad Fraud, Tech Support Scams, 0-Day Attacks *** --------------------------------------------- There are multiple issues and attack scenarios that Caballero discovered, but fortunately, they only affect Internet Explorer 11, but not Edge, or browsers from other vendors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unstoppable-javascript-attac… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM WebSphere MQ invalid requests cause denial of service to MQXR listener (CVE-2016-8986) *** http://www.ibm.com/support/docview.wss?uid=swg21998648 --------------------------------------------- *** IBM Security Bulletin: IBM WebSphere MQ Invalid channel protocol flows cause denial of service on HP-UX (CVE-2016-8915) *** http://www-01.ibm.com/support/docview.wss?uid=swg21998649 --------------------------------------------- *** IBM Security Bulletin: Pivotal Spring Framework vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) *** http://www-01.ibm.com/support/docview.wss?uid=swg21999040 --------------------------------------------- *** IBM Security Bulletin: IBM WebSphere Application Server Liberty Profile vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2016-3092, CVE-2016-5986) *** http://www-01.ibm.com/support/docview.wss?uid=swg21998590 --------------------------------------------- *** IBM Security Bulletin: IBM WebSphere MQ Java clients might send a password in clear text (CVE-2016-3052) *** http://www.ibm.com/support/docview.wss?uid=swg21998660 --------------------------------------------- *** IBM Security Bulletin: IBM WebSphere MQ Channel data conversion denial of service (CVE-2016-3013) *** http://www-01.ibm.com/support/docview.wss?uid=swg21998661 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 20-02-2017
by Daily end-of-shift report 20 Feb '17

20 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 17-02-2017 18:00 − Montag 20-02-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Android for Work Security Containers Bypassed with Relative Ease *** --------------------------------------------- Mobile security experts from Skycure have found two methods for bypassing the security containers put around "Android for Work," allowing attackers to access business data saved in this seemingly secure environment. --------------------------------------------- https://www.bleepingcomputer.com/news/mobile/android-for-work-security-cont… *** Users Continue to Install Malware on Their Phone 5 Years After Adobe Discontinued Flash for Android *** --------------------------------------------- It is unbelievable that almost five years after Adobe announced it would stop developing Flash Player for Android, users are still installing a non-existent piece of software, which in almost all cases is just malware in disguise. --------------------------------------------- https://www.bleepingcomputer.com/news/security/users-continue-to-install-ma… *** Google bellows bug news after Microsoft sails past fix deadline *** --------------------------------------------- Mess in Windows graphics library can give bad hombres access to memory Googles Project Zero has again revealed a Windows bug before Microsoft fixed it. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/02/20/google_proj… *** Mongoaudit Helps You Secure MongoDB Databases *** --------------------------------------------- A new tool developed by engineers at Stampery can help database administrators audit the security features of their current MongoDB installations, and take precautionary measures to prevent future exploitation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mongoaudit-helps-you-secure-… *** BIOS/UEFI mit Ransomware infiziert *** --------------------------------------------- Sicherheitsforscher haben gezeigt, dass sich das BIOS/UEFI eines Computers trotz aktuellem Windows 10 und diversen aktivierten Sicherheitsmechanismen mit einem Erpressungstrojaner infizieren lässt. --------------------------------------------- https://heise.de/-3630662 *** Spam and phishing in 2016 *** --------------------------------------------- 2016 saw a variety of changes in spam flows, with the increase in the number of malicious mass mailings containing ransomware being the most significant. These programs are readily available on the black market, and in 2017 the volume of malicious spam is unlikely to fall. --------------------------------------------- http://securelist.com/analysis/kaspersky-security-bulletin/77483/kaspersky-… *** SAP Security for Beginners. Part 6: SAP Risks Fraud *** --------------------------------------------- Welcome to the latest part of SAP Risks. After we finished with Espionage and Sabotage, let's eat the last piece of this "sweet cake" dubbed Fraud. In my opinion, fraud is the most common issue in ERP System and other business applications. --------------------------------------------- http://resources.infosecinstitute.com/sap-security-beginners-part-6-sap-ris… *** DFN-CERT-2017-0302: Suricata: Mehrere Schwachstellen ermöglichen verschiedene Denial-of-Service-Angriffe *** --------------------------------------------- Mehrere nicht näher spezifizierte Schwachstellen in Suricata ermöglichen einem entfernten, nicht authentisierten Angreifer die Durchführung verschiedener Denial-of-Service (DoS)-Angriffe aufgrund von Speicherlecks und Lesezugriffen außerhalb zugewiesenen Speichers. Der Hersteller informiert über die Schwachstellen und stellt Suricata 3.2.1 zur Behebung dieser Schwachstellen bereit. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0302/ *** tenable: [R1] SecurityCenter 5.4.3 File Upload unserialize() Function PHP Object Handling Remote File Deletion *** --------------------------------------------- SecurityCenter was found to use the PHP unserialize() function in several places in such a way that may allow a remote authenticated attacker to upload a crafted PHP object that resulted in the deletion of arbitrary files. --------------------------------------------- http://www.tenable.com/security/tns-2017-05 *** WordPress Security - Fake TrafficAnalytics Website Infection *** --------------------------------------------- Several months ago, our research team identified a fake analytics infection, known as RealStatistics. The malicious Javascript injection looks a lot like tracking code for a legitimate analytics service. ... Recently, a new variation of this type of infection has emerged. The new campaign uses trafficanalytics[.]online as the source for the injected script. --------------------------------------------- https://blog.sucuri.net/2017/02/fake-trafficanalytics-website-infection.html *** Penetration Testing Tools Cheat Sheet *** --------------------------------------------- Penetration testing tools cheat sheet, a quick reference high level overview for typical penetration testing engagements. Designed as a quick reference cheat sheet providing a high level overview of the typical commands you would run when performing a penetration test. --------------------------------------------- https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: DOM-based cross-site scripting vulnerability affects IBM Advanced Management Module (AMM) for BladeCenter Systems *** http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect AIX (CVE-2017-3731) *** http://aix.software.ibm.com/aix/efixes/security/openssl_advisory23.asc ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 17-02-2017
by Daily end-of-shift report 17 Feb '17

17 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 16-02-2017 18:00 − Freitag 17-02-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Divide Between Work, Personal Data on Android Breached *** --------------------------------------------- Researchers demonstrate how malicious apps can break into secure Android work containers on EMM managed phones. --------------------------------------------- http://threatpost.com/divide-between-work-personal-data-on-android-breached… *** Don’t panic over cyber-terrorism: Daesh-bags still at script kiddie level *** --------------------------------------------- Medieval terror bastards not great at hacking says ex-top NSA lawyer RSA USA There’s no need to panic about the threat of a major online terrorist attack, since ISIS and their allies are all talk and no .. --------------------------------------------- www.theregister.co.uk/2017/02/16/online_terrorism_isnt/ *** Mobile apps and stealing a connected car *** --------------------------------------------- The concept of a connected car, or a car equipped with Internet access, has been gaining popularity for the last several years. By using proprietary mobile .. --------------------------------------------- http://securelist.com/analysis/publications/77576/mobile-apps-and-stealing-… *** DSA-3790 spice - security update *** --------------------------------------------- https://www.debian.org/security/2017/dsa-3790 *** MQTT-Protokoll: IoT-Kommunikation von etwa Reaktoren und Gefängnissen öffentlich einsehbar *** --------------------------------------------- Über das Telemetrie-Protokoll MQTT spricht eine unüberschaubare Zahl an IoT-Sensoren in etwa Autos und Flugzeugen mit ihren Servern – unverschlüsselt, ohne Frage nach Passwörtern. Hacker könnten nicht nur mitlesen, sondern Daten auch manipulieren. --------------------------------------------- https://heise.de/-3629650 *** Darknet-Drogenring in Braunau aufgeflogen *** --------------------------------------------- Die Hinweise auf den Suchtgifthandel kamen von Zollfahndung Frankfurt. Der Kopf der Bande befindet sich in Haft. --------------------------------------------- https://futurezone.at/digital-life/darknet-drogenring-in-braunau-aufgefloge… *** My Friend Cayla: Eltern müssen Puppen ihrer Kinder zerstören *** --------------------------------------------- Smartes Spielzeug wird vor allem von Datenschützern immer wieder kritisiert. In einem Fall greift die .. --------------------------------------------- https://www.golem.de/news/my-friend-cayla-eltern-muessen-puppen-ihrer-kinde… *** MQTT-Protokoll: IoT-Kommunikation von Reaktoren und Gefängnissen öffentlich einsehbar *** --------------------------------------------- Über das Telemetrie-Protokoll MQTT spricht eine unüberschaubare Zahl an IoT-Sensoren in etwa Autos und Flugzeugen .. --------------------------------------------- https://heise.de/-3629650 *** Gag Order: Riseup belebt den Kanarienvogel wieder *** --------------------------------------------- Nachdem Riseup seinen Warrant Canary im vergangenen Jahr nicht aktualisiert hatte, gab es viel Aufregung in der Szene. Jetzt gibt das Kollektiv bekannt: "Wir haben Nutzerdaten herausgegeben." Künftig soll das dank Verschlüsselung nicht mehr möglich sein. --------------------------------------------- https://www.golem.de/news/gag-order-riseup-belebt-den-kanarienvogel-wieder-… *** USB Killer now lets you fry most Lightning and USB-C devices for $55 *** --------------------------------------------- Plus a new, stealthy "anonymous" stick, because thats what the world really needed. --------------------------------------------- https://arstechnica.com/gadgets/2017/02/usb-killer-fry-lightning-usb-c-devi… *** Planning for an InfoSec Conference *** --------------------------------------------- I wasted many an early year going to InfoSec conferences and security events only to find them useless. Well, they werent totally useless, Id often come back with a bag full of goodies that more often than not included stress .. --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/planning-for-an-infose… *** SMTP Strict Transport Security Coming Soon to Gmail, Other Webmail Providers *** --------------------------------------------- SMTP Strict Transport Security is coming to major webmail providers this year, a Google engineer said at RSA Conference --------------------------------------------- http://threatpost.com/smtp-strict-transport-security-coming-soon-to-gmail-o… *** VB2016 paper: APT reports and OPSEC evolution, or: these are not the APT reports you are looking for *** --------------------------------------------- APT reports are great for gaining an understanding of how advanced attack groups operate - however, they can also .. --------------------------------------------- https://www.virusbulletin.com:443/blog/2017/02/vb2016-paper-apt-reports-and…

1 0

Tageszusammenfassung - Donnerstag 16-02-2017
by Daily end-of-shift report 16 Feb '17

16 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 15-02-2017 18:00 − Donnerstag 16-02-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Metatag -Moderately Critical - Information disclosure - SA-CONTRIB-2017-019 *** --------------------------------------------- https://www.drupal.org/node/2852937 *** Search API Sorts - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-016 *** --------------------------------------------- https://www.drupal.org/node/2852922 *** Who Ran Leakedsource.com? *** --------------------------------------------- Late last month, multiple news outlets reported that unspecified law enforcement officials had seized the servers for Leakedsource.com, perhaps the largest online collection .. --------------------------------------------- https://krebsonsecurity.com/2017/02/who-ran-leakedsource-com/ *** Yahoo reveals more breachiness to users victimized by forged cookies *** --------------------------------------------- Some accounts may have been accessed with forged cookies as recently as 2016. --------------------------------------------- https://arstechnica.com/information-technology/2017/02/yahoo-reveals-more-b… *** DSA-3789 libevent - security update *** --------------------------------------------- Several vulnerabilities were discovered in libevent, an asynchronousevent notification library. They would lead to Denial Of Service via application crash, or remote code execution. --------------------------------------------- https://www.debian.org/security/2017/dsa-3789 *** Ukraine verzeichnet 2016 Rekordzahl von Cyberangriffen *** --------------------------------------------- Chef des Inlandsgeheimdienstes vermeidet direkte Nennung Russlands --------------------------------------------- http://derstandard.at/2000052700282 *** Microsoft verschiebt Februar-Patches in den März *** --------------------------------------------- Diesen Monat gibt es keine Sicherheitspatches von Microsoft. Die eigentlich geplanten Updates will das .. --------------------------------------------- https://heise.de/-3627965 *** Blackberry liefert monatliche Sicherheitsupdates für alle Geräte *** --------------------------------------------- Im November war Blackberry aus dem Tritt geraten, versprochene Sicherheitsupdates für das DTEK50 kamen erst im Dezember. Nun hat sich die Versorgung wieder stabilisiert. --------------------------------------------- https://heise.de/-3627937 *** OpenSSL advisory 20170216 *** --------------------------------------------- During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected. --------------------------------------------- https://openssl.org/news/secadv/20170216.txt *** Google was aware of Russian APT28 group years before others *** --------------------------------------------- Lorenzo Bicchierai from MotherBoard shared an interesting private report about Russian cyber espionage operations conducted by APT28, the document was leaked online by Google. The .. --------------------------------------------- http://securityaffairs.co/wordpress/56336/apt/apt28-leaked-report.html *** Xen-Entwickler wollen weniger Sicherheitslücken offenlegen *** --------------------------------------------- Die Entwickler des Virtualisierungssystems Xen wollen weniger Sicherheitslücken öffentlich machen. Damit wollen sie vor allem Arbeit sparen, sorgen aber auch für eine klarere Linie im Umgang mit Schwachstellen. --------------------------------------------- https://heise.de/-3628690

1 0

Tageszusammenfassung - Mittwoch 15-02-2017
by Daily end-of-shift report 15 Feb '17

15 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 14-02-2017 18:00 − Mittwoch 15-02-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Amnesty International uncovers phishing campaign against human rights activists *** --------------------------------------------- Attacker targeted groups in Qatar, Nepal using extensive fake social media profile. --------------------------------------------- https://arstechnica.com/security/2017/02/amnesty-international-uncovers-phi… *** Siemens SIMATIC Authentication Bypass *** --------------------------------------------- This advisory contains mitigation details for an authentication bypass in Siemens SIMATIC. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-045-03 *** Attacking the Windows NVIDIA Driver *** --------------------------------------------- Modern graphic drivers are complicated and provide a large promising attack surface for EoPs and sandbox escapes from processes that have access to the GPU (e.g. the Chrome GPU process). In this blog post we’ll take a look at attacking the .. --------------------------------------------- http://googleprojectzero.blogspot.com/2017/02/attacking-windows-nvidia-driv… *** Ransomware: a declining nuisance or an evolving menace? *** --------------------------------------------- The volume of ransomware encounters is on a downward trend. Are we seeing the beginning of the end of this vicious threat? Unfortunately, a look at the attack vectors, the number of .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/02/14/ransomware-2016-threat-… *** New ASLR-busting JavaScript is about to make drive-by exploits much nastier *** --------------------------------------------- A property found in virtually all modern CPUs neuters decade-old security protection. --------------------------------------------- https://arstechnica.com/security/2017/02/new-aslr-busting-javascript-is-abo… *** Adobe-Patchday: Flash Player wie üblich in kritischem Zustand *** --------------------------------------------- Im Flash Player und Adobe Digital Editions klaffen kritische Lücken. Aktuell sind vor allem Windows-Nutzer von den Flash-Lücken bedroht. Adobe Campaign erhält ebenfalls Sicherheitsupdates. --------------------------------------------- https://heise.de/-3626386 *** Researchers Discover Self-Healing Malware That Targets Magento Stores *** --------------------------------------------- Dutch malware experts have found a new malware strain that targets online shops running on the Magento platform, .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researchers-discover-self-he… *** Cisco: Zwei VPN-Lücken und eine Schwachstelle, die offiziell keine ist *** --------------------------------------------- Cisco hat Sicherheitslücken im AnyConnect-VPN und auf seinen ASA-Firewalls gestopft. Ein Sicherheitsproblem mit dem SMI-Protokoll, welches es aus der Ferne erlaubt, neue Betriebssystem-Images auf Switches zu laden, sieht die Firma allerdings nicht. --------------------------------------------- https://heise.de/-3627330 *** Are Windows Registry Fixers Safe? *** --------------------------------------------- Before I got into cybersecurity, I spent years as a technical support agent for Windows end users of Windstream, an American ISP. Although Windstream is an ISP, they also offered a general Windows client OS remote support service for their predominantly .. --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/should-windows-users-b… *** Xagent: Russische Hackergruppe setzt auch auf Mac-Spionage-Software *** --------------------------------------------- Eine auf macOS abzielende Version der Malware Xagent stammt offenbar von der Hackergruppe APT28, die mit dem Angriff auf die Demokratische Partei im US-Wahlkampf in Verbindung gebracht wird. Xagent soll unter anderem iPhone-Backups entwenden. --------------------------------------------- https://heise.de/-3627630 *** Researchers trick CEO email scammer into giving up identity *** --------------------------------------------- Businesses targeted in email scams don’t always have to play the victim. They can actually fight back.Researchers at Dell SecureWorks have documented how they identified a .. --------------------------------------------- http://www.cio.com/article/3170117/security/researchers-trick-ceo-email-sca…

1 0

Tageszusammenfassung - Dienstag 14-02-2017
by Daily end-of-shift report 14 Feb '17

14 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 13-02-2017 18:00 − Dienstag 14-02-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Shirebrook man arrested in connection to Sports Direct breach *** --------------------------------------------- A 27-year-old man has been arrested in connection with the hack of Sports .. --------------------------------------------- www.theregister.co.uk/2017/02/13/sports_direct_arrest/ *** A look into the Russian-speaking ransomware ecosystem *** --------------------------------------------- In other words, crypto ransomware is a fine tuned, user friendly and constantly developing ecosystem. In the last few years we, at Kaspersky Lab, have been monitoring the development of this ecosystem. This is what we’ve learned. --------------------------------------------- http://securelist.com/analysis/publications/77544/a-look-into-the-russian-s… *** Top phishing targets in 2016? Google, Yahoo, and Apple *** --------------------------------------------- For every new phishing URL impersonating a financial institution, there were more than seven impersonating technology companies. Comparison of most impersonated companies .. --------------------------------------------- https://www.helpnetsecurity.com/2017/02/14/top-phishing-targets/ *** Metadata: The secret data trail *** --------------------------------------------- Every phone call, text message, even activated cell phones, leaves a trail of data across a network. In many cases this data is aggregated with other data and metadata including .. --------------------------------------------- https://www.helpnetsecurity.com/2017/02/14/metadata-secret-data-trail/ *** Worried about hacks, senators want info on Trump’s personal phone *** --------------------------------------------- Two senators have written to the U.S. Department of Defense about reports that President Donald Trump may still be using an old unsecured Android phone, including to communicate .. --------------------------------------------- http://www.cio.com/article/3169577/security/worried-about-hacks-senators-wa… *** 25% of web apps still vulnerable to eight of the OWASP Top Ten *** --------------------------------------------- 69 percent of web applications are plagued by vulnerabilities that could lead to sensitive data exposure, and 55 percent by cross-site request forgery flaws, the results .. --------------------------------------------- https://www.helpnetsecurity.com/2017/02/14/web-application-vulnerabilities/ *** Sicherheitslücke in GarageBand für den Mac *** --------------------------------------------- Apple hat einen potenziell problematischen Fehler in seiner populären Audioanwendung geschlossen. Angreifer hätten wohl Code ausführen können. --------------------------------------------- https://heise.de/-3624160 *** University DDoSed by Its Own IoT Devices *** --------------------------------------------- An unnamed university has suffered a DDoS attack at the hand of its own IoT devices, according to a sneak preview of Verizons upcoming yearly data breach report. --------------------------------------------- https://www.bleepingcomputer.com/news/security/university-ddosed-by-its-own… *** DSA-3788 tomcat8 - security update *** --------------------------------------------- It was discovered that a programming error in the processing of HTTPSrequests in the Apache Tomcat servlet and JSP engine may result indenial of service via an infinite loop. --------------------------------------------- https://www.debian.org/security/2017/dsa-3788 *** DSA-3787 tomcat7 - security update *** --------------------------------------------- It was discovered that a programming error in the processing of HTTPSrequests in the Apache Tomcat servlet and JSP engine may result indenial of service via an infinite loop. --------------------------------------------- https://www.debian.org/security/2017/dsa-3787 *** DSA-3786 vim - security update *** --------------------------------------------- Editor spell files passed to the vim (Vi IMproved) editormay result in an integer overflow in memory allocationand a resulting buffer overflow which potentiallycould result in the execution of arbitrary code or denial ofservice. --------------------------------------------- https://www.debian.org/security/2017/dsa-3786 *** Jetzt patchen! Angriffe auf WordPress-Seiten nehmen zu und werden gefährlicher *** --------------------------------------------- Nach der Verunstaltung von verwundbaren WordPress-Webseiten versuchen Angreifer nun Schadcode auszuführen, warnen Sicherheitsforscher. --------------------------------------------- https://heise.de/-3624301 *** Staying safe online on Valentine’s Day *** --------------------------------------------- We give some advice on how to steer clear of scams and other bad things on Valentines Day. Everything from .. --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2017/02/staying-safe-online-on-val… *** Chrome: Google zahlt 20 Millionen US-Dollar für Anti-Malware-Patente *** --------------------------------------------- Auch für Google sind 20 Millionen Dollar nicht wenig Geld. Ein US-Gericht verurteilte das Unternehmen zur Zahlung dieser Summe, weil es Patente zur Sicherung vor Malware im .. --------------------------------------------- https://www.golem.de/news/chrome-google-zahlt-20-millionen-us-dollar-fuer-a… *** Tracking the Decline of Top Exploit Kits *** --------------------------------------------- The latter half of 2016 saw a major shift in the exploit kit landscape, with many established kits suddenly dropping operations or switching business models. Angler, which has .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/tracking-decline… *** Gefälschte Post.at-Sendungsverfolgung im Umlauf *** --------------------------------------------- Mit einer gefälschten Post.at-Sendungsverfolgung wollen Kriminelle Schadsoftware auf fremden Computern hinterlegen. Dazu fordern sie Empfänger/innen auf, Informationen .. --------------------------------------------- https://www.watchlist-internet.at/schadsoftware/gefaelschte-postat-sendungs… *** Security Bulletins posted for Flash Player, Digital Editions and Adobe Campaign *** --------------------------------------------- Adobe has published security bulletins for Adobe Flash Player (APSB17-04), Adobe Digital Editions (APSB17-05) and Adobe Campaign (APSB17-06). Adobe recommends users update their .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1444 *** Nation States Distancing Themselves from APTs *** --------------------------------------------- Increasingly, governments are outsourcing state-sponsored attacks to mitigate risk and maximize intelligence. --------------------------------------------- http://threatpost.com/nation-states-distancing-themselves-from-apts/123711/ *** February 2017 security update release *** --------------------------------------------- Our top priority is to provide the best possible experience for customers in maintaining and protecting their .. --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/02/14/february-2017-security-…

1 0

Tageszusammenfassung - Montag 13-02-2017
by Daily end-of-shift report 13 Feb '17

13 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 10-02-2017 18:00 − Montag 13-02-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** State-sponsored Hackers Targeting Prominent Journalists, Google Warns *** --------------------------------------------- State-sponsored hackers are attempting to steal email passwords of a number of prominent journalists, Google has warned. The hackers are suspected to be Russians, reports POLITICO. Some of the journalists who have received such warnings from Google as .. --------------------------------------------- https://politics.slashdot.org/story/17/02/10/1726206/state-sponsored-hacker… *** Unique Office Loader Deploying Multiple Malware Families *** --------------------------------------------- http://researchcenter.paloaltonetworks.com/2017/02/unit42-unique-office-loa… *** Sports Direct hacked but it still hasn't disclosed the breach to its staff *** --------------------------------------------- Sports Direct, the UK's largest sports retail business, was hacked last year, and still hasn't disclosed the incident to its staff. The Register confirmed that the Sports Direct, the UK's largest sports retail business, was hacked last .. --------------------------------------------- http://securityaffairs.co/wordpress/56187/data-breach/sports-direct-data-br… *** Think Twice before Posting Data on Pastebin! *** --------------------------------------------- Pastebin.com is one of my favourite playground. I'm monitoring the content of all pasties posted on this website. My goal is to find juicy data like configurations, database .. --------------------------------------------- https://blog.rootshell.be/2017/02/12/think-twice-posting-data-pastebin/ *** Lazarus & Watering-hole attacks *** --------------------------------------------- On 3rd February 2017, researchers at badcyber.com released an article that detailed a series of .. --------------------------------------------- http://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html *** Do You Use VirusTotal? Give PacketTotal a Spin!, (Mon, Feb 13th) *** --------------------------------------------- Packettotal ( http://www.packettotal.com ) is a new site that does some nifty analysis of Packet Captures for you if youre not so familiar with Wireshark or other analysis tools Out of the gate, this site maps out connections, certificates, .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22061 *** Firefox für Android kann sich an Schadcode verschlucken *** --------------------------------------------- In der Version 51.0.3 haben die Firefox-Entwickler eine kritische Sicherheitslücke geschlossen. Von der Schwachstelle ist ausschliesslich die Android-Version betroffen. --------------------------------------------- https://heise.de/-3623027 *** Mirai Widens Distribution with New Trojan that Scans More Ports *** --------------------------------------------- Late last year, in several high-profile and potent DDoS attacks, Linux-targeting Mirai (identified by Trend Micro as ELF_MIRAI family) revealed just how broken the Internet .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/mirai-widens-dis… *** Project Zero: NTFS-Treiber ermöglicht Linux-Rootzugriff *** --------------------------------------------- Eine fehlerhafte Konfiguration des Userspace-Treibers für NTFS unter Linux ermöglicht einfachen Root-Zugriff. Davon betroffen waren Standardinstallationen von Debian .. --------------------------------------------- https://www.golem.de/news/project-zero-ntfs-treiber-ermoeglicht-linux-rootz… *** Mexiko soll Gegner von Softdrinks mit Spyware ausgespäht haben *** --------------------------------------------- Aktivisten, die für eine höhere Besteuerung von zuckerhaltigen Getränken und fettreichen Speisen kämpften, wurden ausgehorcht --------------------------------------------- http://derstandard.at/2000052555921 *** Dateilose Infektion: Einbruch ohne Spuren *** --------------------------------------------- Sicherheitsforscher warnen, dass vermutlich die Carbanak-Gang einen neuen Trick verwendet, der viele Schutz- und Analyse-Programme ins Leere laufen lässt. Sie brechen in Computer und Netze ein, ohne dass dabei verdächtige Dateien auf der Platte landen. --------------------------------------------- https://heise.de/-3623084

1 0

Tageszusammenfassung - Freitag 10-02-2017
by Daily end-of-shift report 10 Feb '17

10 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 09-02-2017 18:00 − Freitag 10-02-2017 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** ENISA study on the security aspects of virtualization *** --------------------------------------------- The report provides an analysis on the current status of security of virtualization, by presenting current technologies affected, risks, efforts, gaps, and the impact the latter have on environments based on virtualization technologies. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/enisa-study-on-the-security-asp… *** A Feeding Frenzy to Deface WordPress Sites *** --------------------------------------------- In this report we share data on the ongoing flood of WordPress REST-API exploits we are seeing in the wild. We include data on 20 different site defacement campaigns we are currently tracking. --------------------------------------------- https://www.wordfence.com/blog/2017/02/rest-api-exploit-feeding-frenzy-defa… *** RCE Attempts Against the Latest WordPress REST API Vulnerability *** --------------------------------------------- We are starting to see remote command execution (RCE) attempts trying to exploit the latest WordPress REST API Vulnerability. These RCE attempts started today after a few days of attackers (mostly defacers) rushing to vandalize as many pages as they could. The RCE attempts we are seeing in the wild do not affect every WordPress sites, only the ones using plugins that allow for PHP execution from within posts and pages. --------------------------------------------- https://blog.sucuri.net/2017/02/rce-attempts-against-the-latest-wordpress-r… *** De-Anonymizing Browser History Using Social-Network Data *** --------------------------------------------- Interesting research: "De-anonymizing Web Browsing Data with Social Networks":Abstract: Can online trackers and network adversaries de-anonymize web browsing data readily available to them? We show -- theoretically, via simulation, and through experiments on real user data -- that de-identified web browsing histories can\ be linked to social media profiles using only publicly available data. Our approach is based on a simple observation: each person has a distinctive social network,... --------------------------------------------- https://www.schneier.com/blog/archives/2017/02/de-anonymizing_1.html *** CERT updates insider threat guidebook *** --------------------------------------------- The CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University released the fifth edition of the Common Sense Guide to Mitigating Insider Threats. The guide describes 20 practices that organizations should implement across the enterprise to prevent and detect insider threats, as well as case studies of organizations that failed to do so. --------------------------------------------- https://www.helpnetsecurity.com/2017/02/10/insider-threat-guidebook/ *** ENISA issues Smartphone Development Guidelines *** --------------------------------------------- ENISA publishes an update of the Smartphone Development Guidelines. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/enisa-issues-smartphone-develop… *** Hacking Guatemala's DNS - Spying on Active Directory Users By Exploiting a TLD Misconfiguration *** --------------------------------------------- In search of new interesting high-impact DNS vulnerabilities I decided to take a look at the various top-level domains (TLDs) and analyze their configurations for errors. Upon some initial searching it turns out there is a nice open source service which helps DNS administrators scan their domains for misconfigurations called DNSCheck written by The Internet Foundation in Sweden. This tool helps highlight all sorts of odd DNS misconfigurations such as having an... --------------------------------------------- https://thehackerblog.com/hacking-guatemalas-dns-spying-on-active-directory… *** Unpatched (0day) jQuery Mobile XSS *** --------------------------------------------- TL;DR - Any website that uses jQuery Mobile and has an open redirect is now vulnerable to XSS - and theres nothing you can do about it, theres not even patch --------------------------------------------- http://sirdarckcat.blogspot.co.at/2017/02/unpatched-0day-jquery-mobile-xss.… *** Multiple cross-site scripting vulnerabilities in Webmin *** --------------------------------------------- Webmin contains multiple cross-site scripting vulnerabilities. --------------------------------------------- http://jvn.jp/en/jp/JVN34207650/ *** Western Digital My Cloud 2.21.119 Authentication Bypass *** --------------------------------------------- Topic: Western Digital My Cloud 2.21.119 Authentication Bypass Risk: High Text: Authentication bypass vulnerability in Western Digital My Cloud Remco Verm... --------------------------------------------- https://cxsecurity.com/issue/WLB-2017020093 *** Hanwha Techwin Smart Security Manager *** --------------------------------------------- This advisory contains mitigation detail for remote code execution vulnerabilities in Hanwha Techwins Smart Security Manager. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-040-01 *** DFN-CERT-2017-0251: Xen, QEMU: Eine Schwachstelle ermöglicht das Ausspähen von Informationen und die Eskalation von Privilegien *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0251/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121) *** http://www-01.ibm.com/support/docview.wss?uid=swg21997743 --------------------------------------------- *** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple php5 vulnerabilities (CVE-2016-6911, CVE-2016-8670) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024834 --------------------------------------------- *** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by a kernel vulnerability *** http://www.ibm.com/support/docview.wss?uid=isg3T1024807 --------------------------------------------- *** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple cURL/libcURL vulnerabilities (CVE-2016-5419, CVE-2016-5420, CVE-2016-7141) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024808 --------------------------------------------- *** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by a libgcrypt vulnerability (CVE-2016-6313) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024832 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affect Rational Tau (CVE-2016-2180) *** http://www-01.ibm.com/support/docview.wss?uid=swg21994132 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affect Rational Tau (CVE-2016-2177) *** http://www-01.ibm.com/support/docview.wss?uid=swg21993836 --------------------------------------------- *** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple glibc vulnerabilities (CVE-2016-1234, CVE-2016-3706, CVE-2016-4429) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1024831 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 9-02-2017
by Daily end-of-shift report 09 Feb '17

09 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 08-02-2017 18:00 − Donnerstag 09-02-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Lifting the (Hyper) Visor: Bypassing Samsung's Real-Time Kernel Protection *** --------------------------------------------- Posted by Gal Beniamini, Project ZeroTraditionally, the operating system's kernel is the last security boundary standing between an attacker and full control over a target system. As such, additional care must be taken in order to ensure the integrity of the kernel. --------------------------------------------- http://googleprojectzero.blogspot.com/2017/02/lifting-hyper-visor-bypassing… *** FortiManager TLS certificate validation failure *** --------------------------------------------- FortiManager does not properly validate TLS certificates when probing for devices to administer. This leads to potential pre-shared secret exposure. --------------------------------------------- http://fortiguard.com/advisory/FG-IR-16-055 *** Gefälschte iTunes-Rechnung: Danke für Ihren Einkauf *** --------------------------------------------- Mit einer gefälschten iTunes-Rechnug wollen Kriminelle Empfänger/innen dazu bewegen, dass sie eine Website aufrufen. Auf dieser sollen Besucher/innen Kreditkarteninformationen bekannt geben, damit sie einen nicht gewollten Einkauf stornieren können. Es handelt sich um einen Datendiebstahlsversuch. Sie dürfen die Daten nicht bekannt geben. --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschte-itunes-rechnung-dank… *** Security Advisory - Privilege Escalation Vulnerability in Huawei Smart Phones *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170209-… *** Analysis of security measures deployed by e-communication providers *** --------------------------------------------- ENISA's new report provides a collection of good practices, implemented security measures and approaches by e-communication providers in the EU, to mitigate the main types of incidents in the telecommunication sector. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/analysis-of-security-measures-d… *** Security and Privacy Guidelines for the Internet of Things *** --------------------------------------------- Lately, I have been collecting IoT security and privacy guidelines. Heres everything Ive found: --------------------------------------------- https://www.schneier.com/blog/archives/2017/02/security_and_pr.html *** iCloud schlampt offenbar beim Löschen des Browser-Verlaufs *** --------------------------------------------- Aus dem Verlauf von Apples Browser Safari gelöschte Webseiten-Besuche verschwinden zwar von den synchronisierten Geräten, lassen sich aber noch rund ein Jahr später aus iCloud rekonstruieren, warnt der Hersteller eines Forensik-Tools. --------------------------------------------- https://heise.de/-3621063 *** Brute Force RDP Attacks Plant CRYSIS Ransomware *** --------------------------------------------- ... brute force RDP attacks are still ongoing, affecting both SMEs and large enterprises across the globe. In fact, the volume of these attacks doubled in January 2017 from a comparable period in late 2016. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/brute-force-rdp-… *** DFN-CERT-2017-0237: ISC BIND: Eine Schwachstellen ermöglicht einen Denial-of-Service-Angriff *** --------------------------------------------- Das Internet Systems Consortium (ISC) ... veröffentlicht die neuen Programmversionen BIND 9.9.9-P6, 9.10.4-P6, 9.11.0-P3 und 9.9.9-S8 (letztere nur für ISC Support Kunden), in denen die Schwachstellen behoben sind. Die Schwachstelle kann durch Deaktivierung von DNS64 oder RPZ umgangen werden, bis das Sicherheitsupdate eingespielt werden kann. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0237/ *** GNU Bash code execution vulnerability in path completion *** --------------------------------------------- GNU Bash from version 4.4 contains two bugs in its path completion feature leading to a code execution vulnerability. An exploit can be realized by creating a file or directory with a specially crafted name. A user utilizing GNU Bash's built-in path completion by hitting the Tab button (f.e. to remove it with rm) triggers the exploit without executing a command itself. --------------------------------------------- https://cxsecurity.com/issue/WLB-2017020061 *** DFN-CERT-2017-0240: F5 Networks BIG-IP Systeme: Eine Schwachstelle ermöglicht das Ausspähen von Informationen *** --------------------------------------------- F5 Networks BIG-IP Protocol Security Module (PSM) >= 11.4.0, <= 11.4.1 Ein entfernter, einfach authentifizierter Angreifer kann durch Wiederaufnahme einer SSL-Verbindung zu einer betroffenen F5 BIG-IP-Appliance Informationen ausspähen, da der Server abhängig von der Größe des gesendeten Sitzungsidentifizierers (Session ID) als Antwort bis zu 31 Bytes aus nicht initialisiertem Speicher zurücksendet. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0240/ *** Erpressungs-Trojaner Erebus umgeht erfolgreich UAC-Abfrage von Windows *** --------------------------------------------- Sicherheitsforschern zufolge verbiegt Erebus die Windows-Registry dahingehend, sodass der Schädling schlimmstenfalls mit Admin-Rechten operieren kann. Dank einer Windows-Einstellung kann man das aber unterbinden. --------------------------------------------- https://heise.de/-3619820 *** BSI veröffentlicht Leitfaden für sicheres Android mit Samsung Knox *** --------------------------------------------- Administratoren können sich von der Website des BSI Empfehlungen für Samsungs Sicherheitsplattform laden. Zweck ist der Schutz von Android-Geräten. --------------------------------------------- https://heise.de/-3620713 *** Manipuliertes Word-Dokument: Makro-Malware geht den Mac an *** --------------------------------------------- Mit manipulierten Word-Dokumenten wollen Angreifer nun auch Schadcode auf Macs einschleusen. Damit wird die macOS-Schutzfunktion Gatekeeper umgangen. --------------------------------------------- https://heise.de/-3621092 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in GNU C Library affects IBM Flex System EN6131 40Gb Ethernet / IB6131 40Gb Infiniband Switch firmware (CVE-2016-1234) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in NTP affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in NTP affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 8-02-2017
by Daily end-of-shift report 08 Feb '17

08 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 07-02-2017 18:00 − Mittwoch 08-02-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** As Valve eradicates serious bug in Steam, here's what you need to know *** --------------------------------------------- Steam, an online game platform with more than 125 million active accounts, is in the process of fixing a serious security hole that opens users to hacks that could redirect them to attack sites, spend their market funds, or possibly make malicious changes to their user profiles. --------------------------------------------- https://arstechnica.com/security/2017/02/as-valve-eradicates-serious-bug-in… *** Fileless attacks against enterprise networks *** --------------------------------------------- This threat was originally discovered by a bank's security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC). Kaspersky Lab participated in the forensic analysis, discovering the use of PowerShell scripts within the Windows registry. Additionally it was discovered that the NETSH utility as used for tunnelling traffic from the victim's host to the attacker's C2. --------------------------------------------- http://securelist.com/blog/research/77403/fileless-attacks-against-enterpri… *** Strategies to Mitigate Cyber Security Incidents *** --------------------------------------------- The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies to help technical cyber security professionals in all organisations mitigate cyber security incidents. This guidance addresses targeted cyber intrusions, ransomware and external adversaries with destructive intent, malicious insiders, business email compromise and industrial control systems. --------------------------------------------- http://www.asd.gov.au/infosec/mitigationstrategies.htm *** ESA-2017-001: EMC Isilon InsightIQ Authentication Bypass Vulnerability *** --------------------------------------------- An attacker can exploit the vulnerability to bypass authentication and thereby gain administrator privileges. --------------------------------------------- http://www.securityfocus.com/archive/1/540100 *** When A Pony Walks Out Of A Pub *** --------------------------------------------- Talos has observed a small email campaign leveraging the use of Microsoft Publisher files. ... Unlike other applications within the Microsoft Office suite, Microsoft Publisher does not support a Protected View mode. ... The file used in this campaign was aimed at infecting the victim with the, well known, Pony malware --------------------------------------------- http://blog.talosintel.com/2017/02/pony-pub-files.html *** Multiple Vulnerabilities in Trend Micro Control Manager (TMCM) 6.0 *** --------------------------------------------- CVSS 2.0 Score(s): 4.0 - 6.8 Severity Rating(s): Medium Trend Micro has released a new build for Trend Micro Conrol Manager 6.0. This build resolves multiple vulnerabilities related to potential remote code execution, directory traversal, SQL injections, and unauthorized access to XML files. --------------------------------------------- https://success.trendmicro.com/solution/1116624 *** SAP Security for Beginners Part 5: SAP Risks - Sabotage *** --------------------------------------------- Sabotage attacks on SAP systems were promised as a today's topic, so, let's look at potential sabotage vectors. --------------------------------------------- http://resources.infosecinstitute.com/sap-security-beginners-part-5-sap-ris… *** Sielco Sistemi Winlog SCADA Software *** --------------------------------------------- This advisory contains mitigation details for an uncontrolled search path vulnerability in Sielco Sistemis Winlog SCADA Software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-038-01 *** BD Alaris 8000 Insufficiently Protected Credentials Vulnerability *** --------------------------------------------- This advisory was originally posted to the NCCIC Portal on January 17, 2017, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for an insufficiently protected credentials vulnerability in BD's Alaris 8000 Point of Care unit, which provides a common user interface for programming intravenous infusions. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-01 *** BD Alaris 8015 Insufficiently Protected Credentials Vulnerabilities *** --------------------------------------------- This advisory was originally posted to the NCCIC Portal on January 17, 2017, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for protected credentials vulnerabilities in BD's Alaris 8015 Point of Care unit, which provides a common user interface for programming intravenous infusions. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-017-02 *** BINOM3 Electric Power Quality Meter (Update A) *** --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-17-031-01 BINOM3 Electric Power Quality Meter that was published January 31, 2017, on the NCCIC/ICS-CERT web site. This updated advisory contains mitigation details for vulnerabilities in BINOM3s electric power quality meter. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-031-01A *** Citrix NetScaler Nonce Generation Flaw Lets Remote Users Obtain Potentially Sensitive Information on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1037795 *** Huawei Security Advisories *** --------------------------------------------- *** Security Advisory - Buffer Overflow Vulnerability in Emergdata Driver of Huawei Smart Phones *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170208-… --------------------------------------------- *** Security Advisory - Buffer Overflow Vulnerability in Goldeneye Driver of Huawei Smart Phones *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170208-… --------------------------------------------- *** Security Advisory - MITM Vulnerability in Huawei Vmall APP *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170208-… --------------------------------------------- *** Cisco Security Advisories *** --------------------------------------------- *** Cisco AnyConnect Secure Mobility Client for Windows SBL Privileges Escalation Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco ASA Clientless SSL VPN CIFS Heap Overflow Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM InfoSphere Information Server *** http://www-01.ibm.com/support/docview.wss?uid=swg21995427 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Rational DOORS Next Generation with potential for Cross-Site Scripting attack (CVE-2016-6055) *** http://www.ibm.com/support/docview.wss?uid=swg21995515 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Rational Rhapsody Design Manager with potential for Denial of Service attack *** http://www.ibm.com/support/docview.wss?uid=swg21997798 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime may affect IBM Mobile Connect as a product bundler *** http://www-01.ibm.com/support/docview.wss?uid=swg21989670 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in SSLv3 affects Multiple N series products (CVE-2014-3566) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009543 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSH affect AIX (CVE-2016-8858, CVE-2016-10009, CVE-2016-10011, CVE-2016-10012) *** http://aix.software.ibm.com/aix/efixes/security/openssh_advisory10.asc ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 7-02-2017
by Daily end-of-shift report 07 Feb '17

07 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 06-02-2017 18:00 − Dienstag 07-02-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Heute ist es soweit: Es ist Internationaler Safer Internet Day! *** --------------------------------------------- Der jährliche Aktionstag wurde 2004 von der Europäischen Kommission im Rahmen des Safer Internet-Programms ins Leben gerufen und findet seitdem jeden Februar statt. Mehr als 100 Länder beteiligen sich weltweit am Safer Internet Day, um über die sichere und verantwortungsvolle Internetnutzung aufzuklären. International organisiert das europäische Netzwerk Insafe den Safer Internet Day. --------------------------------------------- https://www.saferinternet.at/news/news-detail/article/heute-feiern-wir-es-i… *** DFN-CERT-2017-0216/">Google Android Operating System: Mehrere Schwachstellen ermöglichen u.a. die komplette Systemübernahme *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0216/ *** Got an OpenBSD Web server? Better patch it *** --------------------------------------------- DoS-able bugs splatted OpenBSD and two of its SSL libraries need patches against a pair of denial-of-service bugs that can crash Web-facing servers --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/02/07/got_an_open… *** Vuln: PEAR HTML_AJAX CVE-2017-5677 PHP Object Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/96044 *** New Attack, Old Tricks *** --------------------------------------------- A Word document targets Mac users with malicious macros and an open-source payload. --------------------------------------------- https://objective-see.com/blog/blog_0x17.html *** Citrix License Server for Windows and License Server VPX CVE-2017-5571 Open Redirect Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/96028/discuss *** DFN-CERT-2017-0217/">BlackBerry powered by Android: Mehrere Schwachstellen ermöglichen u.a. die komplette Systemübernahme *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0217/ *** [2017-02-07] Multiple vulnerabilities in JUNG Smart Visu server *** --------------------------------------------- Attackers can dump password hashes and other available data from the operating system of the JUNG Smart Visu Server. An attacker is able to access and control all Smart Visu server installation if he is able to crack the hashes. The group address password can be removed by using a single PUT request. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM i *** http://www-01.ibm.com/support/docview.wss?uid=nas8N1021845 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in Oracle Outside In Technology affect IBM Rational DOORS Next Generation *** http://www.ibm.com/support/docview.wss?uid=swg21997654 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities have been identified in IBM Flex System Manager (FSM) Storage Manager Install Anywhere (SMIA) Configuration tool *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1024798 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSH affect IBM i *** http://www.ibm.com/support/docview.wss?uid=nas8N1021846 --------------------------------------------- *** IBM Security Bulletin: Security Vulnerability in OpenSSL affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) *** http://www.ibm.com/support/docview.wss?uid=swg21997056 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect AppScan Standard (CVE-2016-5597, CVE-2016-5542) *** http://www-01.ibm.com/support/docview.wss?uid=swg21997784 --------------------------------------------- *** IBM Security Bulletin: Fix Available for IBM iNotes Cross-site Scripting Vulnerability (CVE-2016-5883) *** http://www.ibm.com/support/docview.wss?uid=swg21997010 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Cisco Switches and Directors. *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009663 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Campaign, IBM Contact Optimization *** http://www.ibm.com/support/docview.wss?uid=swg21982291 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect multiple N series products *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009687 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 6-02-2017
by Daily end-of-shift report 06 Feb '17

06 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 03-02-2017 18:00 − Montag 06-02-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Vuln: Barracuda NextGen Firewal F-Series Denial of Service Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/96000 *** Vuln: Multiple GStreamer Plug-ins Buffer Overflow and Denial Of Service Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/96001 *** Honeywell SCADA Controllers Exposed Passwords in Clear Text *** --------------------------------------------- A series of remotely exploitable vulnerabilities - including clear text passwords - exist in a set of Honeywell SCADA systems. --------------------------------------------- http://threatpost.com/honeywell-scada-controllers-exposed-passwords-in-clea… *** [remote] - Netwave IP Camera - Password Disclosure *** --------------------------------------------- https://www.exploit-db.com/exploits/41236/?rss *** Security Advisory: Apache vulnerability CVE-2016-8743 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/00/sol00373024.html?… *** Security Advisory: OpenSSL vulnerability CVE-2016-7055 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/43/sol43570545.html?… *** [SANS ISC Diary] Detecting Undisclosed Vulnerabilities with Security Tools & Features *** --------------------------------------------- I published the following diary on isc.sans.org: "Detecting Undisclosed Vulnerabilities with Security Tools & Features". I'm a big fan of OSSEC. This tools is an open source HIDS and log management tool. Although often considered as the "SIEM of the poor", it integrates a lot of interesting features and is fully configurable ... --------------------------------------------- https://blog.rootshell.be/2017/02/04/sans-isc-diary-detecting-undisclosed-v… *** Kodi-Erweiterung machte Anwender zu Botnetz-Zellen *** --------------------------------------------- Anwender des Plug-ins "Exodus" für das Media-Center Kodi wurden zu unfreiwilligen Teilnehmern eines Botnets, das gezielte DDoS-Angriffe fuhr. Deren Ziel: Websites von Konkurrenten. --------------------------------------------- https://heise.de/-3617777 *** NATO presents the Tallinn Manual 2.0 on International Law Applicable to cyberspace *** --------------------------------------------- NATO's Cooperative Cyber Defense Centre of Excellence (CCDCOE) has published "Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations." Its world launch will be in Washington DC, February 8 at The Atlantic Council; followed by Europe at The Hague, February 13; and Tallinn, February 17. --------------------------------------------- http://securityaffairs.co/wordpress/56004/cyber-warfare-2/nato-tallinn-manu… *** Slammer worm slithers back online to attack ancient SQL servers *** --------------------------------------------- If you get taken down by this 13-year-old malware, you probably deserve it One of the worlds most famous net menaces, SQL Slammer, has resumed attacking servers some 13 years after it set records by infecting 75,000 servers in 10 minutes, researchers say. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/02/05/sql_slammer… *** Microsofts DRM can expose Windows-on-Tor users IP address *** --------------------------------------------- Anonymity-lovers best not watch movies as .WMV files Windows users running the Tor browser can be tricked into uncloaking themselves, with a pretty straightforward trick based on Microsofts DRM system. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/02/06/microsoft_d… *** Bugtraq: ZoneMinder - multiple vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/540093 *** Anbieter des WordPress-Plugin BlogVault gehackt *** --------------------------------------------- Hacker haben bei einem Server-Einbruch Daten von BlogVault-Nutzern abgezogen. Anschließend sollen einige Webseiten, die auf das Plugin setzen, mit Malware infiziert worden sein, warnt der Anbieter. --------------------------------------------- https://heise.de/-3618141 *** Lurk: Retracing the Group's Five-Year Campaign *** --------------------------------------------- Fileless infections are exactly what their namesake says: theyre infections that dont involve malicious files being downloaded or written to the system's disk. While fileless infections are not necessarily new or rare, it presents a serious threat to enterprises and end users given its capability to gain privileges and persist in the system of interest to an attacker - all while staying under the radar. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/kF9o3H2gLlM/ *** Überwachungsfirma Cellebrite: Hacker veröffentlicht iPhone-Cracking-Tools *** --------------------------------------------- Wenn Software zum Knacken von Smartphones existiert, dann gelangt diese auch in die Hände Dritter, erklärt der Hacker, der die angeblich von einer Überwachungsfirma stammenden Tools veröffentlicht hat. Ähnlich argumentierte zuletzt auch Apple. --------------------------------------------- https://heise.de/-3618462 *** Hacker hijacks thousands of publicly exposed printers to warn owners *** --------------------------------------------- Following recent research that showed many printer models are vulnerable to attacks, a hacker decided to prove the point and forced thousands of publicly exposed printers to spew out rogue messages. --------------------------------------------- http://www.cio.com/article/3166048/security/hacker-hijacks-thousands-of-pub… *** ENISA: Challenges of security certification in emerging ICT environments *** --------------------------------------------- ENISA issues today its report on the Challenges of security certification in emerging ICT environments. The report is targeted at EU Member States (MS), the Commission, certification bodies and the private sector, and provides a thorough description of the cyber security certification status concerning the most critical equipment in various critical business sectors. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/challenges-of-security-certific… *** Chrome 57 [...] will no longer trust any StartSSL/Wosign issued certificates [...] *** --------------------------------------------- Previous communication from Google (https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html) had read as though it would only be certificates issued since October 21, 2016 wouldnt be trusted. It then went onto say that it may not trust other certificates but didnt really say what that meant. --------------------------------------------- https://forums.whirlpool.net.au/forum-replies.cfm?t=2605051 *** Six Best Practices for Securing a Robust Domain Name System (DNS) Infrastructure *** --------------------------------------------- The Domain Name System (DNS) is an essential component of the Internet, a virtual phone book of names and numbers, but we rarely think about it until something goes wrong. --------------------------------------------- https://insights.sei.cmu.edu/sei_blog/2017/02/six-best-practices-for-securi… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Apache Tomcat affect Power Hardware Management Console (CVE-2016-6816, CVE-2016-6817, and CVE-2016-0762) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021796 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Oracle Outside In Technology (OIT) affect FileNet Content Manager and IBM Content Foundation *** http://www.ibm.com/support/docview.wss?uid=swg21993091 --------------------------------------------- *** IBM Security Bulletin: IBM Sterling Order Management and IBM Sterling Configure Price Quote are vulnerable to cross-site request forgery. *** http://www-01.ibm.com/support/docview.wss?uid=swg21998167 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 3-02-2017
by Daily end-of-shift report 03 Feb '17

03 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 02-02-2017 18:00 − Freitag 03-02-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** How Google fought back against a crippling IoT-powered botnet and won *** --------------------------------------------- Behind the scenes defending KrebsOnSecurity against record-setting DDoS attacks. --------------------------------------------- https://arstechnica.com/security/2017/02/how-google-fought-back-against-a-c… *** Improved scripts in .lnk files now deliver Kovter in addition to Locky *** --------------------------------------------- Cybercriminals are using a combination of improved script and well-maintained download sites in trying to install Locky and Kovter on more computers. A few .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/02/02/improved-scripts-in-lnk… *** Underground Scams: Cutting the Head Off a Snake *** --------------------------------------------- Shortly after publishing our post about Terror EK, "King Cobra" (a Twitter account that we mentioned .. --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Underground-Scams--Cutting-t… *** Cisco - Issue with Clock Signal Component *** --------------------------------------------- One of our readers, Dalibor Cerar, sent us an email about an issue impacting Cisco...at this point. While its a hardware issue, the result if it occurs is a self inflicted Denial of Service. Cisco released a notice on February 2 that some of .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22033&rss *** G-Suite: Google bringt S/MIME für Enterprise-Gmail *** --------------------------------------------- Google hat ein umfangreiches Update für die Enterprise-Version seiner G-Suite angekündigt: Mit dabei sind verpflichtende Hardwareschlüssel, S/MIME für Gmail und erweiterte Funktionen, um Datenverlust zu verhindern. --------------------------------------------- https://www.golem.de/news/enterprise-die-google-suite-soll-sicherer-werden-… *** Hacker veröffentlichen gestohlene Cellebrite-Software *** --------------------------------------------- Programme, die von den israelischen Sicherheitsexperten von Cellebrite zum Knacken von Smartphones genutzt werden, wurden nun veröffentlicht. --------------------------------------------- https://futurezone.at/digital-life/hacker-veroeffentlichen-gestohlene-celle… *** Rechnung in ZIP-Datei ist Schadsoftware *** --------------------------------------------- In ihrem E-Mailpostfach finden Internet-Nutzer/innen eine Nachricht mit dem Betreff „Rechnung Nr. xxxxx“. Darin heißt es, dass die Empfänger/innen das beigefügte Dokument als .. --------------------------------------------- https://www.watchlist-internet.at/gefaelschte-rechnungen/rechnung-in-zip-da… *** The power of sharing: ENISA report on cyber security information sharing in the energy sector *** --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/the-power-of-sharing-enisa-repo… *** Someone Tried to Resurrect 14-Year-Old SQL Slammer Worm *** --------------------------------------------- For a week in November and December 2016, someone tried to resurrect the 14-year-old SQL Slammer worm, .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/someone-tried-to-resurrect-1… *** Patch-Tag für Jenkins *** --------------------------------------------- Aktuelle Versionen beseitigen insgesamt 19 Security-Probleme in Jenkins, von denen eines als schwerwiegend eingestuft ist. --------------------------------------------- https://heise.de/-3617535 *** SQL-Injection-Lücke in McAfee ePolicy Orchestrator *** --------------------------------------------- McAfees Lösung für zentrales Security-Management in Firmen und Konzernen weist selbst ein schwerwiegendes Sicherheitsproblem auf. Ein Hotfix des Herstellers sorgt für Abhilfe. --------------------------------------------- https://heise.de/-3617503 *** Kritische Lücke in Microsoft Windows ermöglicht DoS / Remote Code Execution via SMB - noch keine Updates verfügbar *** --------------------------------------------- Im SMB-Code von Microsoft Windows wurde eine Schwachstelle entdeckt, die im harmlosesten Fall einen Absturz des Betriebsystems zur Folge haben kann, im schlimmsten Fall sogar Remote Code Execution erlaubt. --------------------------------------------- https://cert.at/warnings/all/20170203.html

1 0

Tageszusammenfassung - Donnerstag 2-02-2017
by Daily end-of-shift report 02 Feb '17

02 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 01-02-2017 18:00 − Donnerstag 02-02-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** DSA-3780 ntfs-3g - security update *** --------------------------------------------- Jann Horn of Google Project Zero discovered that NTFS-3G, a read-writeNTFS driver for FUSE, does not scrub the environment before executingmodprobe with elevated privileges. A local user .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3780 *** Netherlands reverts to hand-counted votes to quell security fears *** --------------------------------------------- Windows XP? SHA-1? USB sneakernet? What were they thinking? Or smoking? The Netherlands has decided its vote-counting software isnt ready for prime time, and will revert to .. --------------------------------------------- www.theregister.co.uk/2017/02/02/netherlands_reverting_to_handcounted_votes… *** Extrem kritische Lücke in Ciscos Prime Home könnte unzählige Router gefährden *** --------------------------------------------- Internet- und Service-Anbieter sollten zügig ein Sicherheitsupdate für Cisco Prime Home installieren. Angreifer könnten Geräte mit wenig Aufwand missbrauchen und von da aus Router von Kunden übernehmen. --------------------------------------------- https://heise.de/-3615465 *** Gmail Drops Support for Windows XP and Vista Users on Chrome *** --------------------------------------------- Google says that starting with February 8, Chrome users will have to use version 54 or 55 (current) if they want to access their Gmail accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/software/gmail-drops-support-for-wind… *** DDoS attacks in Q4 2016 *** --------------------------------------------- 2016 was the year of Distributed Denial of Service (DDoS) with major disruptions in terms of technology, .. --------------------------------------------- http://securelist.com/analysis/quarterly-malware-reports/77412/ddos-attacks… *** Jugendliche gehen schludrig mit Passwörtern um *** --------------------------------------------- Der Sicherheitsbewusstsein von österreichischen Jugendlichen und Unter-30-Jährigen ist schlecht ausgeprägt. Jeder Zweite hat sein Passwort schon einmal weitergegeben. --------------------------------------------- https://futurezone.at/digital-life/jugendliche-gehen-schludrig-mit-passwoer… *** Security: Der Secret Service gibt Tipps für Rechenzentrumsbetreiber *** --------------------------------------------- Ein Rechenzentrum behandeln wie das Weiße Haus? Diesen Tipp gab ein ehemaliger Mitarbeiter des Secret .. --------------------------------------------- http://www.golem.de/news/security-der-secret-service-gibt-tipps-fuer-rechen… *** KopiLuwak: A New JavaScript Payload from Turla *** --------------------------------------------- A new, unique JavaScript payload is now being used by Turla in targeted attacks. This new payload, dubbed KopiLuwak, is being delivered using embedded macros within Office documents. --------------------------------------------- http://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payloa… *** Hackerangriff auf Tschechiens Außenamt offenbar größer als gedacht *** --------------------------------------------- http://derstandard.at/2000052006680 *** Panne bei Handysignatur: Dokumentenname einsehbar *** --------------------------------------------- Laut "Die Presse" waren 14 Stunden lang der Name aller unterzeichneten Dokumente abrufbar --------------------------------------------- http://derstandard.at/2000052007651 *** Microsoft Windows SMB Tree Connect Response memory corruption vulnerability *** --------------------------------------------- Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service or potentially execute arbitrary code on a vulnerable system. --------------------------------------------- http://www.kb.cert.org/vuls/id/867968

1 0

Tageszusammenfassung - Mittwoch 1-02-2017
by Daily end-of-shift report 01 Feb '17

01 Feb '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 31-01-2017 18:00 − Mittwoch 01-02-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** BINOM3 Electric Power Quality Meter *** --------------------------------------------- This advisory contains mitigation details for vulnerabilities in BINOM3s electric power quality meter. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-031-01 *** Ecava IntegraXor *** --------------------------------------------- This advisory contains mitigation details for an SQL injection vulnerability in the Ecava IntegraXor web server. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-031-02 *** "Ändere-dein-Passwort-Tag": Pro und Contra Passwortwechsel *** --------------------------------------------- Ist es sinnvoll, sein Passwort regelmäßig und vorsichtshalber zu ändern? Was in einigen Firmen verpflichtent ist, ist in Security-Kreisen umstritten. Unter Umständen kann das sogar kontraproduktiv sein. --------------------------------------------- https://heise.de/-3613327 *** Cerber tops Windows 10 ransomware charts *** --------------------------------------------- Crims aimed for a Christmas Number One and scored Net scum behind the Cerber ransomware have been pounding enterprises infecting more corporate machines than any other, according to Microsoft.… --------------------------------------------- www.theregister.co.uk/2017/02/01/cerber_windows_10/ *** We need to talk about Granny: Shes way more likely to fall for phishing *** --------------------------------------------- If you want to catch as many people as you can, go for the old legal razzle dazzle Usenix Enigma 2017 Research has shown that older people – particularly older .. --------------------------------------------- www.theregister.co.uk/2017/02/01/why_old_women_biggest_phishing_victims/ *** Quick Analysis of Data Left Available by Attackers, (Wed, Feb 1st) *** --------------------------------------------- While hunting for interesting cases, I found the following phishing email mimicking an UPS delivery notification: When you click on the link, you are redirected to the .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22015 *** Popular PlayStation and Xbox Gaming Forums Hacked; 2.5 Million Users Data Leaked *** --------------------------------------------- Do you own an account on one of the two hugely popular PlayStation and Xbox gaming forums? Your details may have been exposed, as it has been revealed that the two .. --------------------------------------------- http://thehackernews.com/2017/01/gaming-forum-hacking.html *** Nächstes Hacker-Ziel: Ihr Hirn *** --------------------------------------------- Neue Gehirn-Computer-Schnittstellen bringen die Gefahr von Hirn-Malware mit sich. Was wie eine Postillon-Schlagzeile klingt, beschäftigt ernsthafte Sicherheitsforscher. --------------------------------------------- https://heise.de/-3613672 *** Hacker Phineas Fisher dementiert, verhaftet worden zu sein *** --------------------------------------------- Katalanische Behörden hatten nach Hausdurchsuchungen mehrere Personen festgenommen --------------------------------------------- http://derstandard.at/2000051907276 *** Insiderhandel: Mitarbeiter verkaufen Firmengeheimnisse im Darknet *** --------------------------------------------- Auf illegalen Online-Marktplätzen werden derzeit offenbar gezielt Insider angeworben, um mit deren Informationen kriminelle Geschäfte zu ermöglichen. Die Bandbreite .. --------------------------------------------- http://www.golem.de/news/insiderhandel-mitarbeiter-verkaufen-firmengeheimni… *** Hacker One: Die Sicherheitslücken der US-Armee *** --------------------------------------------- Sicherheitsforscher hatten einen Monat Zeit, um die US-Armee zu hacken. 118 Sicherheitslücken wurden gefunden und beseitigt. Eine davon ermöglichte den Zugriff auf ein .. --------------------------------------------- http://www.golem.de/news/hacker-one-die-sicherheitsluecken-der-us-armee-170… *** Cisco Prime Home Authentication Bypass Vulnerability *** --------------------------------------------- A vulnerability in the web-based GUI of Cisco Prime Home could allow an unauthenticated, remote attacker to bypass authentication and execute actions with administrator .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Disclosure of Additional Security Fix in WordPress 4.7.2 *** --------------------------------------------- WordPress 4.7.2 was released last Thursday, January 26th. If you have not already updated, please do so immediately. In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional .. --------------------------------------------- https://make.wordpress.org/core/2017/02/01/disclosure-of-additional-securit…

1 0

Tageszusammenfassung - Dienstag 31-01-2017
by Daily end-of-shift report 31 Jan '17

31 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 30-01-2017 18:00 − Dienstag 31-01-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Printer Security *** --------------------------------------------- TL;DR: In this blog post we give an overview of attack scenarios based on network printers, and show the possibilities of an attacker who has access to a vulnerable printer. We present our evaluation of 20 different printer models and show that each of .. --------------------------------------------- https://web-in-security.blogspot.co.at/2017/01/printer-security.html *** CVE-2017-5521: Bypassing Authentication on NETGEAR Routers *** --------------------------------------------- Home routers are the first and sometimes last line of defense for a network. Despite this fact, many manufacturers of home routers fail to properly audit their devices for security issues before releasing them to the market. As security researchers, .. --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2017-5521--Bypassin… *** Erpressungs-Trojaner Sage nutzt Bleeding-Edge-Krypto-Funktionen *** --------------------------------------------- Eine neue Ransomware-Familie orientiert sich bei der Verschlüsselung mit Curve25519 und ChaCha20 am oberen Ende des derzeit zur Verfügung stehenden Repertoires von Krypto-Funktionen. --------------------------------------------- https://heise.de/-3610664 *** DSA-3776 chromium-browser - security update *** --------------------------------------------- https://www.debian.org/security/2017/dsa-3776 *** HTTPS: Das halbe Web ist nun verschlüsselt *** --------------------------------------------- Verschlüsselter Traffic überholt laut Mozilla unverschlüsselte Verbindungen – Anstieg um zehn Prozent in einem Jahr --------------------------------------------- http://derstandard.at/2000051841631 *** We see you, ransomware flingers, testing out your baddest stuff on... Germany? *** --------------------------------------------- Securobods file data hostage report A security firm has floated the theory that malware authors are using German firms as a testing ground for their wares prior to wider distribution. --------------------------------------------- www.theregister.co.uk/2017/01/31/ransomware_sitrep_report/ *** Google zahlte letztes Jahr drei Millionen Dollar an Sicherheitsforscher *** --------------------------------------------- Mehr als je zuvor im Bug-Bounty-Programm – Je Fast eine Million für Android- und Chrome-Bugs --------------------------------------------- http://derstandard.at/2000051858649 *** Sicherheitsupdate: Angreifer könnten Sophos Web Appliance über Kommandozeile entern *** --------------------------------------------- Wer sein Netzwerk mit der Web Appliance von Sophos abschottet, sollte zügig prüfen, ob die aktuelle Software in Version 4.3.1 schon verfügbar ist. Diese Ausgabe schließt zwei Sicherheitslücken. --------------------------------------------- https://heise.de/-3612070 *** Sophisticated cyber attacks increase, while overall volume falls *** --------------------------------------------- NTT quarterly report highlights rise in sophistication but 35 per cent drop in overall attack volumes in Q4 2016 --------------------------------------------- https://www.htbridge.com/blog/sophisticated-cyber-attacks-increase-while-ov… *** Viele Lücken in tcpdump – Bedrohungen noch nicht in Gänze geklärt *** --------------------------------------------- Die aktuelle Version des Netzwerk-Sniffers rüstet sich gegen zahlreiche Schwachstellen, ist aber noch nicht überall verfügbar. --------------------------------------------- https://heise.de/-3612240 *** Tschechische Regierung meldet Hackerangriff auf E-Mail-Konten *** --------------------------------------------- Experten sollen Parallelen zu Hackerangriff auf Demokratische Partei in den USA vergangenes Jahr sehen --------------------------------------------- http://derstandard.at/2000051866541-406 *** Nested, Targeted Attacks Built for Reconnaissance *** --------------------------------------------- Researchers say NATO members were targeted for reconnaissance over the holidays by attacks using malicious OLE objects. --------------------------------------------- http://threatpost.com/nested-targeted-attacks-built-for-reconnaissance/1234… *** Usenix Enigma: Mit Sensorenmanipulation das Internet of Things verwirren *** --------------------------------------------- Autonome Systeme verlassen sich auf Sensoren, um ihre Umwelt zu verstehen. Ein Wissenschaftler hat auf der Sicherheitskonferenz Usenix Enigma demonstriert, wie sich .. --------------------------------------------- http://www.golem.de/news/usenix-enigma-mit-sensorenmanipulation-das-interne…

1 0

Tageszusammenfassung - Montag 30-01-2017
by Daily end-of-shift report 30 Jan '17

30 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 27-01-2017 18:00 − Montag 30-01-2017 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter *** Dridex Returns With Windows UAC Bypass Method *** --------------------------------------------- Dridex banking malware returns with a new bypass technique that allows the malware to execute without triggering a Windows UAC alert to the user. --------------------------------------------- http://threatpost.com/dridex-returns-with-windows-uac-bypass-method/123420/ *** What Keeps My Honeypot Busy These Days, (Fri, Jan 27th) *** --------------------------------------------- Sometimes, it isnt the new and sophisticated attacks that keep your honeypots (and with that: you) busy, but things that make you go that works?. Looking over my honeypot today, I had a couple experiences like this. First of all, the old TR-064 NTP Server exploit that became big news when the Mirai botnet adopted it. Since then, most of the servers that hosted the follow-up code no longer deliver. But this doesnt prevent thousands of existing bots to persistently attempt the exploit. In... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21995&rss *** ATM "Shimmers" Target Chip-Based Cards *** --------------------------------------------- Several readers have called attention to warnings coming out of Canada about a supposed new form of ATM skimming called "shimming." Shimming attacks are not new (KrebsOnSecurity first wrote about them in August 2015), but they are likely to become more common as a greater number of banks in the United States shift to issuing chip-based cards. Heres a brief primer on shimming attacks, and why they succeed. --------------------------------------------- https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip-based-cards/ *** Request for Packets and Logs - TCP 5358, (Sat, Jan 28th) *** --------------------------------------------- pStarting Sunday (22 Jan 17), there was a huge spike this week against TCP 5358. If anyone has logs or packets (traffic) that might help identify what it is can submit them via our a href="https://isc.sans.edu/contact.html"contact/a page would be appreciated. This is a snapshot as to what was reported so far this week in DShield./p p width:500px" //p p[1] https://isc.sans.edu/contact.html/p p-----------br / Guy Bruneau a href="http://www.ipss.ca/"IPSS Inc./abr / --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21997&rss *** Adblock Plus: Staatsanwaltschaft durchsucht Werbeblocker-Anbieter Eyeo *** --------------------------------------------- Der Kölner Adblocker-Anbieter Eyeo hat nun auch Ärger mit der Justiz. Hintergrund dürfte der Streit über die Frage sein, wer für die Erstellung von Filterregeln in der Easylist verantwortlich ist. --------------------------------------------- http://www.golem.de/news/adblock-plus-staatsanwaltschaft-durchsucht-werbebl… *** XSender: The Source of All the Recent XMPP Spam *** --------------------------------------------- In recent months, security researchers, hackers, and other dwellers of the cyber-criminal underground have noticed an uptick in XMPP (formerly Jabber) spam. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/xsender-the-source-of-all-th… *** Facebook: Sicheres Einloggen per USB-Stick *** --------------------------------------------- Die Zwei-Faktor-Authentifizierung bei Facebook kann nun auch per Fido-USB-Sticks oder NFC-Tags erfolgen. --------------------------------------------- https://futurezone.at/digital-life/facebook-sicheres-einloggen-per-usb-stic… *** A Shakeup in Russia's Top Cybercrime Unit *** --------------------------------------------- A chief criticism I heard from readers of my book, Spam Nation: The Inside Story of Organized Cybercrime, was that it dealt primarily with petty crooks involved in petty crimes, while ignoring more substantive security issues like government surveillance and cyber war. But now it appears that the chief antagonist of Spam Nation is at the dead center of an international scandal involving the hacking of U.S. state electoral boards in Arizona and Illinois, the sacking of Russias top cybercrime... --------------------------------------------- https://krebsonsecurity.com/2017/01/a-shakeup-in-russias-top-cybercrime-uni… *** Überwachungskameras von Washington DC mit Ransomware infiziert *** --------------------------------------------- Nur acht Tage vor Trumps Angelobung wurde das Netzwerk der Überwachungskameras in der US-Hauptstadt angegriffen und teilweise lahmgelegt. --------------------------------------------- https://futurezone.at/digital-life/ueberwachungskameras-von-washington-dc-m… *** Google auf dem Weg zur unabhängigen Root-CA *** --------------------------------------------- Künftig will das Unternehmen über den Google Trust Service eigene SSL-/TLS-Zertifikate ausstellen. Diese sollen bei Google-Diensten und Angeboten des Google-Mutterkonzerns Alphabet zum Einsatz kommen. --------------------------------------------- https://heise.de/-3610041 *** Averting ransomware epidemics in corporate networks with Windows Defender ATP *** --------------------------------------------- Microsoft security researchers continue to observe ransomware campaigns blanketing the market and indiscriminately hitting potential targets. Unsurprisingly, these campaigns also continue to use email and the web as primary delivery mechanisms. Also, it appears that most corporate victims are simply caught by the wide nets cast by ransomware operators. Unlike cyberespionage groups, ransomware operators do... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epi… *** Kritische Lücke in WebEx: Cisco stellt offensichtlich finale Sicherheitsupdates bereit *** --------------------------------------------- Nach mehreren vermeintlich abgesicherten Version von WebEx hat Cisco nun eigenen Angaben zufolge vollwertige Sicherheitsupdates veröffentlicht. Einige Unklarheiten bleiben aber. --------------------------------------------- https://heise.de/-3610749 *** [2017-01-30] XSS and CSRF vulnerabiliies in multiple Ubiquiti Networks products *** --------------------------------------------- Many products of Ubiquiti Networks are affected by a cross site scripting vulnerability. Malicious JavaScript code can be executed in the browser of the user. Furthermore, different actions on the system can be triggered by CSRF attacks. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** 4010983 - Vulnerability in ASP.NET Core MVC 1.1.0 Could Allow Denial of Service - Version: 1.0 *** --------------------------------------------- Microsoft is aware of a security vulnerability in the public version of ASP.NET Core MVC 1.1.0 where a malformed HTTP request could lead to a denial of service. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/4010983 *** Cryptkeeper Sets the same password "p" for everything independently of user input *** --------------------------------------------- https://www.reddit.com/r/netsec/comments/5r16na/cryptkeeper_sets_the_same_p… *** DSA-3775 tcpdump - security update *** --------------------------------------------- Multiple vulnerabilities have been discovered in tcpdump, a command-linenetwork traffic analyzer. These vulnerabilities might result in denialof service or the execution of arbitrary code. --------------------------------------------- https://www.debian.org/security/2017/dsa-3775 *** TrueConf Server v4.3.7 Multiple Remote Web Vulnerabilities *** --------------------------------------------- The administration interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed via the redirect_url GET parameter is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted... --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5393.php *** Dell SonicWALL Secure Mobile Access SMA 8.1 XSS And WAF CSRF *** --------------------------------------------- SonicWALL SMA suffers from a XSS issue due to a failure to properly sanitize user-supplied input to several parameters. Attackers can exploit this weakness to execute arbitrary HTML and script code in a users browser session. The WAF was bypassed via form-based CSRF. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5392.php *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Samba affect IBM Spectrum Scale SMB protocol access method (CVE-2016-2126, 2016-2125) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009714 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in SSL affects IBM DataPower Gateways (CVE-2016-8610) *** http://www-01.ibm.com/support/docview.wss?uid=swg21997209 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2016-5597) *** http://www.ibm.com/support/docview.wss?uid=swg21997764 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 27-01-2017
by Daily end-of-shift report 27 Jan '17

27 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 26-01-2017 18:00 − Freitag 27-01-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Zbot with legitimate applications on board *** --------------------------------------------- Recently, among the payloads delivered by exploit kits, we often find Terdot.A/Zloader - a downloader installing on the victim machine a ZeuS-based malware. --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-appli… *** Phishers unleash simple but effective social engineering techniques using PDF attachments *** --------------------------------------------- The Gmail phishing attack is reportedly so effective that it tricks even technical users, but it may be just the tip of the iceberg. We're seeing similarly simple but clever social engineering tactics using PDF attachments. These deceitful PDF attachments are being used in email phishing attacks that attempt to steal your email credentials. Apparently, the... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/01/26/phishers-unleash-simple… *** Hintergrund: So hacken Maschinen *** --------------------------------------------- Team Shellphish war einer der Teilnehmer der Cyber Grand Challenge der DARPA; jetzt beschreiben sie ihren Mechanical Phish und dessen Strategie. --------------------------------------------- https://heise.de/-3608169 *** Bezahlung oder Kontosperre: Nationalbank warnt vor Telefonbetrug *** --------------------------------------------- Unbekannte fälschen Telefonnummer von Bank und Anwalt, um Opfer unter Druck zu setzen --------------------------------------------- http://derstandard.at/2000051638010 *** Security for Privacy on Data Protection Day *** --------------------------------------------- On 28th January, ENISA joins 47 countries of the Council of Europe and the EU institutions, agencies and bodies, to celebrate the 11th annual European Data Protection Day. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/security-for-privacy-on-data-pr… *** Sicherheitsupdate: Entwickler von TigerVNC raten zur zügigen Aktualisierung *** --------------------------------------------- Durch das Ausnutzen einer Lücke könnten Angreifer im Zuge einer Virtual-Network-Computing Session Clients kapern. --------------------------------------------- https://heise.de/-3609051 *** Cisco starts patching critical flaw in WebEx browser extension *** --------------------------------------------- Cisco Systems has started to patch a critical vulnerability in its WebEx collaboration and conferencing browser extension that could allow attackers to remotely execute malicious code on computers.The company released a patched version of the extension -- 1.0.7 -- for Google Chrome on Thursday and is working on similar patches for the Internet Explorer and Mozilla Firefox versions.The vulnerability was found by Google security researcher Tavis Ormandy and stemmed from the fact that the WebEx... --------------------------------------------- http://www.cio.com/article/3162014/security/cisco-starts-patching-critical-… *** Heartbleed: (Almost) three years later *** --------------------------------------------- Shodan recently published a report on the state of Heartbleed which was picked up by lots of media outlets. I took this as an opportunity to have a look at our statistics. Shodan performs its scan based on IP-addresses and makes the results searchable. CERT.at also runs daily scans, but these are based on the list of domains under the Austrian ccTLD .at. We published a first report on these results in the summer of 2014. Were close to the three... --------------------------------------------- http://www.cert.at/services/blog/20170127160051-1894_en.html *** Security Advisory: OpenSSH vulnerability CVE-2016-10011 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/24/sol24324390.html?… *** IDM 4.5 Midrange BiDirectional Driver 201611271513 *** --------------------------------------------- Abstract: Identity Manager Midrange: IBM i (i5/OS and OS/400) driver patch for the Identity Manager versions 4.5 or higher. Driver version will show i5os Driver Version 4.5 Build Date 201611271513.To see the version run I5OSDRV/I5OSDRV OPTION(*VERSION)This patch also requires the driver activation from IDM 4.5Document ID: 5271130Security Alert: YesDistribution Type: Field Test FileEntitlement Required: NoFiles:idm45midrange20161127.tar.gz (47.54 MB)Products:Identity Manager 4.0.2Identity... --------------------------------------------- https://download.novell.com/Download?buildid=lY8lK_WKOeQ~ *** Bugtraq: ESA-2016-167: EMC Documentum D2 Multiple Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/540060 *** Vuln: EMC PowerPath Virtual (Management) Appliance CVE-2016-0890 Information Disclosure Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95832 *** Eaton ePDU Path Traversal Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a path traversal vulnerability in certain legacy Eaton ePDUs. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-026-01 *** Belden Hirschmann GECKO *** --------------------------------------------- This advisory contains mitigation details for a path traversal vulnerability in Beldens Hirschmann GECKO switch. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-026-02 *** RSA Web Threat Detection Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1037726 *** Vuln: Terminal Services Agent CVE-2017-5328 Spoofing Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95823 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) and Rational Directory Administrator (CVE-2016-5554, CVE-2016-5542) *** http://www.ibm.com/support/docview.wss?uid=swg21994101 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM BladeCenter Networking Switch products (CVE-2016-2183) *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099533 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Flex System Networking Switch products (CVE-2016-2183) *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099505 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM System Networking RackSwitch products (CVE-2016-2183) *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099506 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 26-01-2017
by Daily end-of-shift report 26 Jan '17

26 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 25-01-2017 18:00 − Donnerstag 26-01-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** VirLocker's comeback; including recovery instructions *** --------------------------------------------- Virlocker is back, the nightmare is still real. But we have found a way to at least recover your important files even if the affected machine can be considered a loss.Categories: Malware Threat analysisTags: file infectingfile recoverymalwarepolymorphicransomwareself propagatingVirLockVirlocker(Read more...) --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2017/01/virlockers-comeback-i… *** Cisco WebEx code execution hole - what you need to know *** --------------------------------------------- Googles Project Zero found a serious hole in Ciscos WebEx browser extension that is nearly but not yet fully fixed. Heres what to do. --------------------------------------------- http://feedproxy.google.com/~r/nakedsecurity/~3/XBY4vnKgI4U/ *** Powerful Android RAT impersonates Netflix app *** --------------------------------------------- Mobile malware peddlers often make their malicious wares look like popular Android apps and push them to users through third-party app stores. The latest example of this is the fake Netflix app spotted by Zscaler researchers. The fake app looks genuine at first glance, as it sports the same icon the actual legitimate Netflix app uses. But once it is installed on a smartphone or tablet and the victim clicks on it, it vanishes from... --------------------------------------------- https://www.helpnetsecurity.com/2017/01/26/android-rat-netflix-app/ *** Android VPN Apps Caught Intercepting Traffic, Failing to Encrypt *** --------------------------------------------- New research released this week reveals that a large chunk of today Android VPN clients are a serious security and privacy risk, with some clients failing to encrypt traffic, and some even injecting ads in a customers browsing experience. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-vpn-apps-caught-inte… *** Shamoon disk-wiping attackers can now destroy virtual desktops, too *** --------------------------------------------- Mystery malware begins targeting a key disk-wiping defense. --------------------------------------------- https://arstechnica.com/security/2017/01/shamoon-disk-wiping-malware-can-no… *** Analysis of new Shamoon infections *** --------------------------------------------- All of the initial analysis pointed to Shamoon emerging in the Middle East. This however was not the end of the story since the campaign continues to target organizations in the Middle East from a variety of verticals. Indeed reports suggested that a further 15 Shamoon incidents had been reported from public to private sector. --------------------------------------------- https://www.helpnetsecurity.com/2017/01/26/shamoon-infections/ *** Gefälschte A1-Phishingmail: Neue Messaging-Plattform *** --------------------------------------------- Kriminelle versenden eine gefälschte A1 Online-Nachricht. Sie hat das Betreff "Maßnahme erforderlich: Neue Messaging-Plattform" und fordert von Empfänger/innen, dass sie ihre Zugangsdaten auf einer Website bekannt geben. --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschte-a1-phishingmail-neue… *** OpenSSL Security Advisory [26 Jan 2017] *** --------------------------------------------- Truncated packet could crash via OOB read (CVE-2017-3731) Bad (EC)DHE parameters cause a client crash (CVE-2017-3730) BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732) Montgomery multiplication may produce incorrect results (CVE-2016-7055) Support for version 1.0.1 ended on 31st December 2016. Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer receiving security updates. --------------------------------------------- https://www.openssl.org/news/secadv/20170126.txt *** DFN-CERT-2017-0154: Red Hat JBoss Core Services: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0154/ *** IETF IPv6 Protocol CVE-2016-10142 Denial of Service Vulnerability *** --------------------------------------------- CVE-2016-10142 kernel - IPV6 fragmentation flaw https://bugzilla.redhat.com/show_bug.cgi?id=1415908 --------------------------------------------- Generation of IPv6 Atomic Fragments Considered Harmful https://tools.ietf.org/html/rfc8021 --------------------------------------------- http://www.securityfocus.com/bid/95797/ *** Security Advisory: TMM vulnerability CVE-2016-9249 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/71/sol71282001.html?… *** Bugtraq: ESA-2016-166: EMC Isilon OneFS Privilege Escalation Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/540050 *** Vuln: Multiple TIBCO Products CVE-2017-3180 Multiple Unspecified Cross-Site Scripting Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/95699 *** Vuln: Autodesk FBX-SDK CVE-2016-9307 Multiple Buffer Overflow Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/95802 *** Vuln: Autodesk FBX-SDK CVE-2016-9304 Multiple Buffer Overflow Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/95799 *** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple IBM Websphere Application Server (WAS) vulnerabilities (CVE-2016-3092, CVE-2016-5986, CVE-2016-5983 ) *** --------------------------------------------- Multiple vulnerabilities have been identified in the IBM Websphere Application Server (WAS) that is embedded in IBM FSM. This update addresses these issues. CVE(s): CVE-2016-3092, CVE-2016-5986, CVE-2016-5983 Affected product(s) and affected version(s): Flex System Manager 1.3.4.0 Flex System Manager 1.3.3.0 Flex System Manager 1.3.2.1 Flex System Manager 1.3.2.0 Refer to the following reference URLs for... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1024555 *** IBM Security Bulletin: IBM Forms Experience Builder could be susceptible to Apache POI Vulnerabilities *** --------------------------------------------- IBM Forms Experience Builder could be susceptible to allowing for a denial of service, cause by an error in Apache POI Libraries CVE(s): CVE-2014-3574, CVE-2014-3529, CVE-2016-5000 Affected product(s) and affected version(s): IBM Forms Experience Builder 8.5 IBM Forms Experience Builder 8.5.1 IBM Forms Experience Builder 8.6 Refer to the following reference URLs for remediation and... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21997296 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Flex System Manager (FSM) *** --------------------------------------------- There are multiple vulnerabilities in IBM Runtime Environment Java Version 1.5 and 1.7 that is used by FSM. These issues were disclosed as part of the IBM Java SDK updates in January and April 2016. This Bulletin addresses these vulnerabilities. CVE(s): CVE-2015-7575, CVE-2016-0448, CVE-2016-0475, CVE-2016-3427, CVE-2016-3449, CVE-2016-3422, CVE-2016-0264, CVE-2016-3426 Affected product(s) and affected version(s): Flex... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1024558

1 0

Tageszusammenfassung - Mittwoch 25-01-2017
by Daily end-of-shift report 25 Jan '17

25 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 24-01-2017 18:00 − Mittwoch 25-01-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Kritische Sicherheitslücke in der Webshop-Software Shopware *** --------------------------------------------- Die vor allem in Deutschland beliebte Software aus Schöppingen hat eine Schwachstelle, über die Angreifer beliebigen Schadcode ausführen können. --------------------------------------------- https://heise.de/-3606627 *** VB2016 paper: Great crypto failures *** --------------------------------------------- Crypto is hard, and malware authors often make mistakes. At VB2016, Check Point researchers Yaniv Balmas and Ben Herzog discussed the whys and hows of some of the crypto blunders made by malware authors. Today, we publish their paper and the recording of their presentation. --------------------------------------------- https://www.virusbulletin.com:443/blog/2017/01/vb2016-paper-great-crypto-fa… *** Call for Papers: VB2017 *** --------------------------------------------- We have opened the Call for Papers for VB2017. We are particularly interested in receiving submissions from those working outside the security industry itself. --------------------------------------------- https://www.virusbulletin.com:443/blog/2017/01/call-papers-vb2017/ *** Malicious SVG Files in the Wild, (Tue, Jan 24th) *** --------------------------------------------- In November 2016, the Facebook messenger application was used to deliver malicious SVG files to people [1]. SVG files (or Scalable Vector Graphics) are vector images that can be displayed in most modern browsers (natively or via a specific plugin). More precisely, Internet Explorer 9 supports the basic SVG feature sets and IE10 extended the support by adding SVG 1.1 support. In the Microsoft Windows operating system,SVG files are handled by Internet Explorer by default. From a file format point... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21971&rss *** Sicherheitspatch: Western Digital My Cloud Mirror empfänglich für Schadcode *** --------------------------------------------- Besitzer des Netzwerkspeichers sollten aus Sicherheitsgründen prüfen, dass sie die aktuelle Firmware installiert haben. --------------------------------------------- https://heise.de/-3606909 *** Trojan Transforms Linux Devices into Proxies for Malicious Traffic *** --------------------------------------------- Security researchers have uncovered a new trojan that targets Linux devices that is capable of transforming infected machines into proxy servers and relay malicious traffic, hiding the true origin of attacks or other nefarious activities. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/trojan-transforms-linux-devi… *** Capturing Pattern-Lock Authentication *** --------------------------------------------- Interesting research -- "Cracking Android Pattern Lock in Five Attempts": Abstract: Pattern lock is widely used as a mechanism for authentication and authorization on Android devices. In this paper, we demonstrate a novel video-based attack to reconstruct Android lock patterns from video footage filmed u sing a mobile phone camera. Unlike prior attacks on pattern lock, our approach does not require the video to capture any content displayed on the screen. Instead, we employ a computer... --------------------------------------------- https://www.schneier.com/blog/archives/2017/01/capturing_patte.html *** Wartungsarbeiten Dienstag, 31. 1. 2017 *** --------------------------------------------- http://www.cert.at/services/blog/20170125134029-1890.html *** Detecting threat actors in recent German industrial attacks with Windows Defender ATP *** --------------------------------------------- When a Germany-based industrial conglomerate disclosed in December 2016 that it was breached early that year, the breach was revealed to be a professionally run industrial espionage attack. According to the German press, the intruders used the Winnti family of malware as their main implant, giving them persistent access to the conglomerate's network as early... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors… *** Lücke in Samsung-Handys: Endlos-Bootschleife durch Killer-SMS *** --------------------------------------------- Samsung hat eine Lücke in älteren Geräten gestopft, die missbraucht werden kann, diese in eine Bootschleife zu versetzen und Angreifern wahrscheinlich auch die Möglichkeit gibt, Schadcode auszuführen. Geräte anderer Hersteller sind wohl noch verwundbar. --------------------------------------------- https://heise.de/-3607266 *** DFN-CERT-2017-0142: Mozilla Firefox, Firefox ESR, Tor Browser: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0142/ *** IDM 4.5 SAP User Driver Version 4.0.1.0 *** --------------------------------------------- Abstract: Patch update for the NetIQ Identity Manager SAP User Manager driver with the SAP JCO version 3. This patch will take the driver version to 4.0.1.0. You must have IDM 4.5 or later to use this driver. You should only use this patch if you are using SAP JCO3. It will not work with SAP JCO2. NetIQ recommends that users of SAP JCO2 transition to SAP JCO3 and use the IDM SAP User Manager driver for JCO3. Future versions of IDM do not support SAP JCO2.Document ID: 5269090Security Alert:... --------------------------------------------- https://download.novell.com/Download?buildid=juq3iF7EF5o~ *** Citrix Provisioning Services Multiple Security Updates *** --------------------------------------------- https://support.citrix.com/article/CTX219580 *** Citrix XenServer Multiple Security Updates *** --------------------------------------------- https://support.citrix.com/article/CTX220112 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Security Vulnerability affecting FileNet Content Manager and IBM Content Foundation (CVE-2013-5462) *** http://www.ibm.com/support/docview.wss?uid=swg21994241 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Content Collector for SAP Applications (CVE-2016-5597) *** http://www-01.ibm.com/support/docview.wss?uid=swg21996483 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Enterprise Content Management System Monitor *** http://www-01.ibm.com/support/docview.wss?uid=swg21997196 --------------------------------------------- *** Huawei Security Advisories *** --------------------------------------------- *** Security Advisory - Authentication Bypass Vulnerability in the Find Phone Function of some Huawei Smart Phones *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170125-… --------------------------------------------- *** Security Advisory - Two Security Vulnerabilities in Huawei EMUI *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170125-… --------------------------------------------- *** Security Advisory - Improper Permission Control Vulnerability in Huawei Vmall Alert Service *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170125-… --------------------------------------------- *** Cisco Security Advisories *** --------------------------------------------- *** Cisco Adaptive Security Appliance CX Context-Aware Security Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco TelePresence Multipoint Control Unit Remote Code Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Expressway Series and TelePresence VCS Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco WebEx Browser Extension Remote Code Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** HP Security Bulletins *** --------------------------------------------- *** Bugtraq: [security bulletin] HPSBGN03690 rev.1 - HPE Real User Monitor (RUM), Remote Disclosure of Information *** http://www.securityfocus.com/archive/1/540044 --------------------------------------------- *** Bugtraq: [security bulletin] HPSBST03642 rev.3 - HPE StoreVirtual Products running LeftHand OS using OpenSSL and OpenSSH, Remote Arbitrary Code Execution, Denial of Service (DoS), Disclosure of Sensitive Information, Unauthorized Access *** http://www.securityfocus.com/archive/1/540048 --------------------------------------------- *** Bugtraq: [security bulletin] HPSBHF03695 rev.1 - HPE Ethernet Adaptors, Remote Denial of Service (DoS) *** http://www.securityfocus.com/archive/1/540047 --------------------------------------------- *** Bugtraq: [security bulletin] HPSBHF03441 rev.2 - HPE iLO 3, iLO 4 and iLO 4 mRCA, Remote Multiple Vulnerabilities *** http://www.securityfocus.com/archive/1/540046 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 24-01-2017
by Daily end-of-shift report 24 Jan '17

24 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 23-01-2017 18:00 − Dienstag 24-01-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Java: Das Ende von MD5 und SHA-1 naht *** --------------------------------------------- Oracle hat angekündigt, dass mit seinem nächsten Quartalsupdate MD5 für die Signatur von JAR-Paketen ausgemustert wird. Ebenso soll das JDK nur noch in Ausnahmen SHA-1-Zertifikate anerkennen. --------------------------------------------- https://heise.de/-3606356 *** Elga ist laut Experten leicht zu hacken *** --------------------------------------------- Personal braucht für Zugriff nur ein Passwort. Das sei zu wenig, warnt ein Fachmann. --------------------------------------------- https://kurier.at/chronik%2Foesterreich/elga-ist-laut-experten-leicht-zu-ha… *** Sicherheitsupdate: Apple patcht Root-Exploits für fast alle Plattformen *** --------------------------------------------- Apple hat umfangreiche Sicherheitsupdates für alle Plattformen herausgegeben. Ein Root-Exploit im Kernel betrifft zahlreiche Geräte, darüber hinaus gibt es viele Fehler in Webkit und in verschiedenen Bibliotheken. --------------------------------------------- http://www.golem.de/news/sicherheitsupdate-apple-patcht-root-exploits-fuer-… *** Charger mobile ransomware steals contacts and SMS messages *** --------------------------------------------- Check Point's mobile security researchers have discovered a new ransomware in Google Play, dubbed Charger. Charger was found embedded in an app called EnergyRescue. The infected app steals contacts and SMS messages from the user's device and asks for admin permissions. If granted, the ransomware locks the device and displays a message demanding payment. Researchers detected and quarantined the Android device of an unsuspecting customer employee who had unknowingly downloaded and... --------------------------------------------- https://www.helpnetsecurity.com/2017/01/24/charger-mobile-ransomware/ *** Cisco: Magic WebEx URL Allows Arbitrary Remote Command Execution *** --------------------------------------------- TL;DR: A remote user can create specially crafted content that, when loaded by the target user, will execute arbitrary code on the target users system. --------------------------------------------- https://bugs.chromium.org/p/project-zero/issues/detail?id=1096 *** Microsoft Reveals Windows Defender Security Center Scheduled for Creators Update *** --------------------------------------------- The Windows 10 Creators Update scheduled for launch later this year will include an upgrade of the default Windows Defender antivirus, which will feature a new settings panel named the Windows Defender Security Center. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-reveals-windows-d… *** Furby Rickroll demo: what fresh hell is this? *** --------------------------------------------- Toy-makers, please quit this rubbish, youre NO GOOD at security Heres your future botnet, world: connected kids toys that will Rickroll their owners while hosing big servers and guessing the nuclear codes. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/01/24/furby_rickr… *** HummingBad Android Malware Found in 20 Google Play Store Apps *** --------------------------------------------- HummingBad, an Android malware estimated to have touched over 85 million devices worldwide, was recently found in 46 new applications, 20 of which had even made their way into the official Play Store, passing Googles security checks. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/hummingbad-android-malware-f… *** Advice to a New SCADA Engineer *** --------------------------------------------- Target Audience As I have come in contact with those new to industrial control systems - whether they be supervisor control and data acquisition (SCADA) systems, building automation, process automation, or what not - I have come to the conclusion that whether the individual is trade school educated or college educated, they are not prepared... --------------------------------------------- http://resources.infosecinstitute.com/advice-to-a-new-scada-engineer/ *** How to Have Fun With IPv6 Fragments and Scapy, (Mon, Jan 23rd) *** --------------------------------------------- I may extend this with a second entry later this week. But as so often, I found myself on a long flight with some time on my hands, and since the IETF just released a new RFC regarding IPv6 atomic fragments, I figured I will play a bit with scapy to kill time. [1] And well, this also makes good material for my IPv6 class [2]. This is supposed to entice you to play and experiment. Let me know if you find anything neat. Fragmentation is a necessary evil of packet networking. Packets will... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21963&rss *** Gefälschte A1 Online-Rechnung verbirgt Schadsoftware *** --------------------------------------------- Kriminelle versenden eine gefälschte A1 Online-Rechnung. Darin nennen sie ein hohes Verbindungsentgelt und das verbrauchte Datenvolumen. Der Nachricht ist die Datei "rechnung_1.zip" beigefügt. Sie verbirgt Schadsoftware. --------------------------------------------- https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-a1-onl… *** Ein Jahr alte Root-Schwachstelle in Systemd aufgetaucht *** --------------------------------------------- Die Entwickler des Init-Systems Systemd haben im vergangenen Jahr eine Lücke geschlossen, über die ein Angreifer Root-Rechte erlangen kann. Allerdings wurde diese Lücke zuerst unterschätzt und blieb unbeachtet. --------------------------------------------- https://heise.de/-3606599 *** Vuln: LibTIFF CVE-2017-5563 Heap Based Buffer Overflow Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95705 *** EMC Avamar Data Store and Avamar Virtual Edition File Ownership Error Lets Local Users Obtain Root Privileges *** --------------------------------------------- http://www.securitytracker.com/id/1037667 *** RSA Security Analytics Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1037666 *** DFN-CERT-2017-0137: Apache Software Foundation Tomcat: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0137/ *** Security Advisory 2017-01: Security Update for OTRS Business Solution *** --------------------------------------------- January 24, 2017 - Please read carefully and check if the version of your OTRS system is affected by this vulnerability. --------------------------------------------- https://www.otrs.com/security-advisory-2017-01-security-update-otrs-busines… *** DFN-CERT-2017-0136: phpMyAdmin: Mehrere Schwachstellen ermöglichen u.a. eine Privilegieneskalation *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0136/ *** Forthcoming OpenSSL releases *** --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2k, 1.1.0d. These releases will be made available on 26th January 2017 between approximately 1300-1700 UTC. They will fix several security defects with maximum severity "moderate". --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2017-January/000091.html *** F5 Security Advisories *** --------------------------------------------- *** Security Advisory: OpenSSH vulnerability CVE-2016-10009 *** https://support.f5.com:443/kb/en-us/solutions/public/k/31/sol31440025.html?… --------------------------------------------- *** Security Advisory: OpenSSH vulnerability CVE-2016-10010 *** https://support.f5.com:443/kb/en-us/solutions/public/k/64/sol64292204.html?… --------------------------------------------- *** Security Advisory: PHPMailer vulnerability CVE-2016-10033 *** https://support.f5.com:443/kb/en-us/solutions/public/k/74/sol74977440.html?… --------------------------------------------- *** Apple Security Updates *** --------------------------------------------- *** macOS Sierra 10.12.3 *** https://support.apple.com/kb/HT207483 --------------------------------------------- *** iOS 10.2.1 *** https://support.apple.com/kb/HT207482 --------------------------------------------- *** tvOS 10.1.1 *** https://support.apple.com/kb/HT207485 --------------------------------------------- *** watchOS 3.1.3 *** https://support.apple.com/kb/HT207487 --------------------------------------------- *** iCloud for Windows 6.1.1 *** https://support.apple.com/kb/HT207481 --------------------------------------------- *** Safari 10.0.3 *** https://support.apple.com/kb/HT207484 --------------------------------------------- *** iTunes 12.5.5 for Windows *** https://support.apple.com/kb/HT207486 --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in sudo affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024766 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in expat affects PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024767 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Expat XML parser affects IBM Security Network Protection (CVE-2016-0718) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995440 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in GnuPG (gpg) affects PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024768 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Mozilla Network Security Services (NSS) affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024769 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in QEMU affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024770 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in nettle affects PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024771 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in postgresql affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024772 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in cURL affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024773 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in NTP affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024775 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 23-01-2017
by Daily end-of-shift report 23 Jan '17

23 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 20-01-2017 18:00 − Montag 23-01-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** PowerShell 5.1 for Windows 7 and later , (Fri, Jan 20th) *** --------------------------------------------- Microsoft has released Windows Management Framework 5.1 for windows 7 and later. WMF 5.1 upgrades Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 to the PowerShell, WMI, WinRM and SIL components that were released with Windows Server 2016 and Windows 10 Anniversary Edition.">">"> (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21957&rss *** Hotel zum vierten Mal von Hackern lahmgelegt *** --------------------------------------------- Das Seehotel Jägerwirt auf der Turracher Höhe ist bereits zum vierten Mal von Hackern heimgesucht und erpresst worden. Die elektronischen Zimmerschlüssel wurden lahmgelegt. Daher will man jetzt zu normalen Schlüsseln zurückkehren. --------------------------------------------- http://kaernten.orf.at/news/stories/2821290/ *** Stopping Malware With a Fake Virtual Machine *** --------------------------------------------- As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. Some threats can also detect monitoring tools used for malware analysis. Often such malware will not execute or change their behavior to appear harmless. Because some malware uses these tactics, planting fake virtual machine artefacts or fake analysis tools on a system... --------------------------------------------- https://securingtomorrow.mcafee.com/mcafee-labs/stopping-malware-fake-virtu… *** Wartungsarbeiten Dienstag, 24. 1. 2017 *** --------------------------------------------- Am Dienstag, 24. Jänner 2017, werden wir Wartungsarbeiten an unserer Infrastruktur vornehmen. Dies wird zu Ausfällen der extern erreichbaren Services (zB Mail, Webserver, Mailinglisten) führen. Es gehen dabei keine Daten (zb Emails) verloren, die Bearbeitung kann sich allerdings verzögern. --------------------------------------------- http://www.cert.at/services/blog/20170120104523-1882.html *** The Week in Ransomware - January 20th 2017 - Satan RaaS, Spora, Locky, and More *** --------------------------------------------- This week we continue to see more ransomware being released as well as changes in the distribution of the larger ransomware infections. For example, Locky has had a very low distribution lately since the holidays, but according to the Cisco Talos Group, it is starting to pick up again. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-janua… *** Sage 2.0 Ransomware, (Sat, Jan 21st) *** --------------------------------------------- Introduction On Friday 2017-01-20, I checked on a malicious spam (malspam) campaign that normally distributes Cerber ransomware. That Friday it delivered ransomware Id never seen before called Sage. More specifically, it was Sage 2.0." /> Shown above: Its always fun to find ransomawre thats not Cerber or Locky. Sage is yet another family of ransomware in an already crowded field. It was noted on BleepingComputer forums back in December 2016 [1, 2], and Sage is apparently a variant of... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21959&rss *** Symantec schlampt erneut mit TLS-Zertifikaten *** --------------------------------------------- Offenbar haben mehrere von Symantec betriebene Certificate Authorities (CAs) unberechtigterweise über 100 TLS-Zertifikate ausgestellt. Das kann ein Auslesen des Datenverkehrs von HTTPS-geschützten Websites durch Dritte ermöglichen. --------------------------------------------- https://heise.de/-3604190 *** Android permissions and hypocrisy *** --------------------------------------------- I wrote a piece a few days ago about how the Meitu app asked for a bunch of permissions in ways that might concern people, but which were not actually any worse than many other apps. The fact that Android makes it so easy for apps to obtain data thats personally identifiable is of concern, but in the absence of another stable device identifier this is the sort of thing that capitalism is inherently going to end up making use of. Fundamentally, this is Googles problem to fix. --------------------------------------------- http://mjg59.dreamwidth.org/46403.html *** Researchers predict upsurge of Android banking malware *** --------------------------------------------- Android users, beware: source code and instructions for creating a potent Android banking Trojan have been leaked on a hacker forum, and researchers are expecting an onslaught of malware based on it. In fact, one has already been spotted. Masquerading as a variety of benign apps (e.g. Google Play) on third-party Android app markets, the Trojan - dubbed Android.BankBot.149.origin by Dr. Web researchers - is eminently capable. It can: Send and intercept text messages (including... --------------------------------------------- https://www.helpnetsecurity.com/2017/01/23/upsurge-android-banking-malware/ *** Massive Twitter Botnet Dormant Since 2013 *** --------------------------------------------- Researchers from the University College London have found a Twitter botnet of 350,000 bots that has been dormant since shortly after the accounts were registered. --------------------------------------------- http://threatpost.com/massive-twitter-botnet-dormant-since-2013/123246/ *** Heartbleed: OpenSSL hört nicht auf zu bluten *** --------------------------------------------- Eine Analyse der öffentlich im Internet erreichbaren Systeme zeigt, dass immer noch Hunderttausende für die OpenSSL-Lücke Heartbleed anfällig sind. Die bald drei Jahre alte Lücke findet sich demnach hauptsächlich in Mietservern der Cloud. --------------------------------------------- https://heise.de/-3605222 *** QNAP Storage Devices Firmware Update Flaw Lets Remote Users Access the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1037663 *** DSA-3769 libphp-swiftmailer - security update *** --------------------------------------------- Dawid Golunski from LegalHackers discovered that PHP Swift Mailer, amailing solution for PHP, did not correctly validate user input. Thisallowed a remote attacker to execute arbitrary code by passingspecially formatted email addresses in specific email headers. --------------------------------------------- https://www.debian.org/security/2017/dsa-3769 *** DSA-3770 mariadb-10.0 - security update *** --------------------------------------------- Several issues have been discovered in the MariaDB database server. Thevulnerabilities are addressed by upgrading MariaDB to the new upstreamversion 10.0.29. Please see the MariaDB 10.0 Release Notes for furtherdetails:... --------------------------------------------- https://www.debian.org/security/2017/dsa-3770 *** DFN-CERT-2017-0123: OpenJPEG: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0123/ *** Security Notice - Statement on Flanker Revealing Privilege Elevation Vulnerability in Huawei EMUI Keyguard Application *** --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170123-01-… *** Vuln: Red Hat JBoss Enterprise Application Platform CVE-2016-8627 Remote Denial of Service Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95698 *** Security Advisories Relating to Symantec Products - Norton Download Manager DLL Loading *** --------------------------------------------- Symantec has released an update to address a DLL loading vulnerability detected in the Norton Download Manager for affected products --------------------------------------------- https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=s… *** Vuln: Brocade Network Advisor CVE-2016-8204 Directory Traversal Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95695 *** Vuln: Brocade Network Advisor CVE-2016-8205 Directory Traversal Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95694 *** Vuln: Brocade Network Advisor CVE-2016-8206 Directory Traversal Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95692 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium Data Redaction (CVE-2016-5597, CVE-2016-5542) *** http://www-01.ibm.com/support/docview.wss?uid=swg21997219 --------------------------------------------- *** IBM Security Bulletin: IBM Forms Experience Builder could be susceptible to a server-side request forgery (CVE-2016-6001) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991280 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSH affects IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099501 --------------------------------------------- *** IBM Security Bulletin: HTTP Response Splitting in WebSphere Application Server affects IBM Virtualization Engine TS7700 (CVE-2016-0359) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009661 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 20-01-2017
by Daily end-of-shift report 20 Jan '17

20 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 19-01-2017 18:00 − Freitag 20-01-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Satan: A new ransomware-as-a-service *** --------------------------------------------- Ransomware as a Service (RaaS) has been growing steadily since it made its debut in 2015 with Tox. With the new Satan .. --------------------------------------------- https://www.webroot.com/blog/2017/01/19/satan-new-ransomware-service *** DSA-3767 mysql-5.5 - security update *** --------------------------------------------- Several issues have been discovered in the MySQL database server. Thevulnerabilities are addressed by .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3767 *** Unbreakable Locky ransomware is on the march again *** --------------------------------------------- Necrus botnet wakes up and starts fresh malware-cano Cisco is warning of possible return of a massive ransomware spam .. --------------------------------------------- www.theregister.co.uk/2017/01/20/locky_ransomware_horrorshow_returns/ *** Internetsicherheit 2016: Erpressungstrojaner boomen in Österreich *** --------------------------------------------- Unternehmen verstärkt im Visier von DDOS-Erpressern – Geheimdienste verstärkt tätig --------------------------------------------- http://derstandard.at/2000051229037 *** Angebliche Backdoor: Kryptographen kritisieren Whatsapp-Bericht des Guardian *** --------------------------------------------- Die Diskussion um die angebliche Backdoor in Whatsapp reißt nicht ab. Bekannte Sicherheitsforscher wie .. --------------------------------------------- http://www.golem.de/news/angebliche-backdoor-kryptographen-kritisieren-what… *** Social Engineering: Neue Angriffsmethode richtet sich gegen Firmen *** --------------------------------------------- In den letzten Tagen wurden der Melde- und Analysestelle Informationssicherung MELANI mehrere Fälle gemeldet, bei denen Betrüger Firmen anrufen, sich als .. --------------------------------------------- https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/social-… *** Achtung: Große Anzahl von Netgear-Routern lässt sich über Admin-Interface kapern *** --------------------------------------------- Gleich 30 Router-Modelle von Netgear enthalten eine Schwachstelle, die es Angreifern ermöglicht, die Admin-Passwörter der Geräte auszulesen und diese komplett zu übernehmen. Die Updates des Herstellers sollten umgehend eingespielt werden. --------------------------------------------- https://heise.de/-3603918 *** Wieder Ermittlungen gegen Skidata im Betriebsspionage-Verfahren *** --------------------------------------------- http://derstandard.at/2000051248975 *** ZDI-17-044: Apache Groovy MethodClosure Deserialization of Untrusted Data Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations .. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-044/ *** ZDI-17-045: Adobe Reader DC XSLT apply-templates Heap-based Buffer Overflow Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-045/ *** ZDI-17-053: Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer Overflow Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samba. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-053/

1 0

Tageszusammenfassung - Donnerstag 19-01-2017
by Daily end-of-shift report 19 Jan '17

19 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 18-01-2017 18:00 − Donnerstag 19-01-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Who is Anna-Senpai, the Mirai Worm Author? *** --------------------------------------------- On September 22, 2016, this site was forced offline for nearly four days after it was hit with “Mirai,” a malware strain that enslaves poorly secured Internet of Things (IoT) devices like wireless routers and security cameras into a botnet for use in large cyberattacks. Roughly a week after that .. --------------------------------------------- https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-autho… *** Docker Patches Container Escape Vulnerability *** --------------------------------------------- Docker has patched a privilege escalation vulnerability that could lead to container escapes, allowing a hacker to affect operations of a host from inside a container. --------------------------------------------- http://threatpost.com/docker-patches-container-escape-vulnerability/123161/ *** Database Ransom Attacks Hit CouchDB and Hadoop Servers *** --------------------------------------------- For the past week, unknown groups of cyber-criminals have taken control of and wiped data from CouchDB and Hadoop databases, in some cases asking for a ransom fee to return the .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/database-ransom-attacks-hit-… *** Adobes naughty Chrome telemetry code had XSS problem *** --------------------------------------------- Since patched, but a bad look for Adobe when it cant even get snoopware right Adobes pushed out a fix for its already-controversial Chrome telemetry extension after Project Zeros Tavis Ormandy found an .. --------------------------------------------- www.theregister.co.uk/2017/01/19/adobe_telemetry_patch_patched_against_xss/ *** Insecure Hadoop installs next in net scum crosshairs *** --------------------------------------------- Because MongoDB, Elasticsearch ransomware attacks are sooo last week Rinse-and-repeat ransomware attacks on data services left unsecured by dozy sysadmins are now hitting Hadoop instances. --------------------------------------------- www.theregister.co.uk/2017/01/19/insecure_hadoop_installs_under_attack/ *** Ex-Sysadmin fordert 200.000 Dollar für Nennung von Passwort *** --------------------------------------------- US-amerikanisches College wirft ehemaligem Mitarbeiter Erpressung vor --------------------------------------------- http://derstandard.at/2000050946919 *** Apple’s malware problem is accelerating *** --------------------------------------------- For a long time, one of the most common reasons for buying an Apple computer over a Windows-based one was that the former was less susceptible to viruses and other malware. However, the .. --------------------------------------------- https://www.helpnetsecurity.com/2017/01/19/apple-malware-problem-accelerati… *** Viren, Spam und Computerausfälle betreffen IT-Sicherheit bei KMU *** --------------------------------------------- Fehlendes Wissen und Angst vor Kosten wichtigste Gründe, warum Situation nicht verbessert wird --------------------------------------------- http://derstandard.at/2000051117771 *** DSA-3766 mapserver - security update *** --------------------------------------------- It was discovered that mapserver, a CGI-based framework for Internetmap services, was vulnerable to a stack-based overflow. This issueallowed a remote user to crash the service, or potentially execute arbitrary code. --------------------------------------------- https://www.debian.org/security/2017/dsa-3766 *** Google veröffentlicht Riesen-Patch-Paket für Android *** --------------------------------------------- 94 einzelne Lücken, 10 kritische Sicherheitsprobleme; Googles Android Security Bulletin für den Januar hat es in sich. --------------------------------------------- https://heise.de/-3603108 *** Forcepoint: Carbanak nutzt Google-Dienste für Malware-Hosting *** --------------------------------------------- Wer seine Malware auf einem Command-und-Control-Server hostet, läuft Gefahr, von Firewall-Regeln erkannt zu werden. Die Carbanak-Gruppe liefert Kommandos daher über Google-Docs aus. --------------------------------------------- http://www.golem.de/news/forcepoint-carbanak-nutzt-google-dienste-fuer-malw… *** Hackingvorwürfe: "Deutschland stellt Russland als Aggressor dar" *** --------------------------------------------- Russisches Außenamt beschwert sich über deutsche Vorgangsweise: "Keine Beweise vorgelegt" --------------------------------------------- http://derstandard.at/2000051188487 *** Samsung SmartCam-Kameras sind Freiwild für Botnetz-Betreiber *** --------------------------------------------- Forscher haben vor Jahren Lücken in der SmartCam SNH-1011 entdeckt, die von Samsung nur unzureichend geflickt wurden. Nun sind die IP-Kameras erneut angreifbar. --------------------------------------------- https://heise.de/-3603201

1 0

Tageszusammenfassung - Mittwoch 18-01-2017
by Daily end-of-shift report 18 Jan '17

18 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 17-01-2017 18:00 − Mittwoch 18-01-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Critical Patch Update - January 2017 *** --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html *** vBulletin Malware – When Hackers Compete for Backdoor Control *** --------------------------------------------- A common pattern we see in compromised websites is the presence of backdoors and other malicious code. During Q3 of 2016, we found that 72% of all compromises that we encountered had .. --------------------------------------------- https://blog.sucuri.net/2017/01/vbulletin-malware-hackers-compete-backdoor-… *** JSA10774 - 2017-01 Security Bulletin: Network and Security Manager (NSM): Multiple OpenSSH and other third party software vulnerabilities affect NSM Appliance OS. *** --------------------------------------------- http://kb.juniper.net/index?page=content&id=JSA10774&actp=RSS *** Kill it with fire: US-CERT warns admins to dump Server Message Block *** --------------------------------------------- Shadow Brokers may have loosed a zero-day, so youre better safe than sorry The US computer emergency readiness team .. --------------------------------------------- www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shad… *** Do web injections exist for Android? *** --------------------------------------------- Man-in-the-Browser (MITB) attacks can be implemented using various means, including malicious DLLs, rogue .. --------------------------------------------- http://securelist.com/blog/research/77118/do-web-injections-exist-for-andro… *** In Review: 2016’s Mobile Threat Landscape Brings Diversity, Scale, and Scope *** --------------------------------------------- 65 million: the number of times we’ve blocked mobile threats in 2016. By December 2016, the total number of unique samples of malicious Android apps we’ve collected and .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/2016-mobile-thre… *** Last call to replace SHA-1 certificates *** --------------------------------------------- http://blog.sec-consult.com/2017/01/last-call-to-replace-sha-1-certificates… *** The Carbanak gang is with a new modus operandi, Google services as C&C *** --------------------------------------------- The infamous Carbanak cybercrime gang is back and is leveraging Google services for command-and-control of its malicious codes. The dreaded Carbanak cybercrime gang is back .. --------------------------------------------- http://securityaffairs.co/wordpress/55427/cyber-crime/carbanak-google-servi… *** Spora Ransomware Offers Victims Unique Payment Options *** --------------------------------------------- Researchers are keeping close tabs on a new ransomware strain called Spora that offers victims unique payment options. --------------------------------------------- http://threatpost.com/spora-ransomware-offers-victims-unique-payment-option… *** Kritische Lücken in Java & Co: Oracle wirft Riesen-Patchpaket ab *** --------------------------------------------- Das neueste Critical Patch Update von Oracle enthält unter anderem Sicherheitsupdates für Java, MySQL und VirtualBox. Wie immer gibt es Patches für fast alle Produkte des Herstellers. --------------------------------------------- https://heise.de/-3601613 *** Ancient Mac backdoor discovered that targets medical research firms *** --------------------------------------------- More secure than PC? Ha! Security researchers at Malwarebytes have discovered a Mac backdoor using antiquated code that targets biomedical research facilities.… --------------------------------------------- ww.theregister.co.uk/2017/01/18/mac_malware/ *** Uncovering the Inner Workings of EyePyramid *** --------------------------------------------- Two Italians referred to as the “Occhionero brothers” have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner…

1 0

Tageszusammenfassung - Dienstag 17-01-2017
by Daily end-of-shift report 17 Jan '17

17 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 16-01-2017 18:00 − Dienstag 17-01-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Who's winning the cyber war? The squirrels, of course *** --------------------------------------------- CyberSquirrel1 project shows fuzzy-tailed intruders cause more damage than "cyber" can. --------------------------------------------- http://arstechnica.com/information-technology/2017/01/whos-winning-the-cybe… *** Dodgy Dutch developer built backdoors into thousands of sites *** --------------------------------------------- Then hoovered out users personal data, stole identities galore and spent up big Dutch police are this week warning 20,000 users that their email accounts were hacked after .. --------------------------------------------- www.theregister.co.uk/2017/01/17/police_warn_of_dutch_developer_who_built_b… *** [2017-01-17] Cross site scripting in TYPO3 CMS extension "Recommend page" *** --------------------------------------------- The "Recommend page" extension (pb_recommend_page) for the TYPO3 CMS does not sanitize input properly. Hence an attacker can inject malicious HTML/JavaScript content which can cause harm to the users. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** Erpressung ist (immer noch) in! *** --------------------------------------------- Das neue Jahr bringt sicherlich wieder viele technische Neuerungen und (potentiell unsägliche) Trends mit sich. Eines bleibt leider unverändert: Erpressung ist in.Neben DDoS-Drohungen und Ransomware in .. --------------------------------------------- http://www.cert.at/services/blog/20170117104444-1861.html *** CryptoSearch: Tool findet und sammelt von Ransomware verschlüsselte Dateien zur Verwahrung ein *** --------------------------------------------- Wenn ein Erpressungs-Trojaner Daten in seine Gewalt gebracht hat, hoffen Opfer auf ein kostenloses Entschlüsselungstool - wann und ob überhaupt eins kommt, ist aber oft unklar. Ein Windows-Tool sammelt und archiviert bis dahin betroffene Dateien. --------------------------------------------- https://heise.de/-3597757 *** Citrix XenServer Multiple Security Updates *** --------------------------------------------- Security vulnerabilities have been identified in Citrix XenServer that may allow malicious code running within a guest VM to read a small part of ... --------------------------------------------- https://support.citrix.com/article/CTX219378 *** Free-to-Play: Forum von Clash-of-Clans-Betreiber gehackt *** --------------------------------------------- Erneut ist ein vBulletin-Forum gehackt worden. Betroffen sind vermutlich 1,1 Millionen Nutzer von Supercell-Foren. Der Spielehersteller vertreibt populäre Titel wie Clash of Clans und Clash Royale. --------------------------------------------- http://www.golem.de/news/free2play-forum-von-clash-of-clans-betreiber-gehac… *** The Line of Death *** --------------------------------------------- When building applications that display untrusted content, security designers have a major problems if an attacker has full control of a block of pixels, he can make those pixels look .. --------------------------------------------- https://textslashplain.com/2017/01/14/the-line-of-death/

1 0

Tageszusammenfassung - Montag 16-01-2017
by Daily end-of-shift report 16 Jan '17

16 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 13-01-2017 18:00 − Montag 16-01-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Hardening Windows 10 with zero-day exploit mitigations *** --------------------------------------------- Cyber attacks involving zero-day exploits happen from time to time, affecting different platforms and applications. Over the years, Microsoft security teams have been working extremely .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-wi… *** WordPress 4.7.1 released, patches eight vulnerabilities and 62 bugs *** --------------------------------------------- According to the release notes the latest version of WordPress 4.7.1 addresses eight security vulnerabilities and other 62 bugs. Wednesday the latest version of WordPress 4.7.1 was released by the WordPress Team, it is classified as a security release for .. --------------------------------------------- http://securityaffairs.co/wordpress/55308/breaking-news/wordpress-4-7-1-rel… *** DSA-3764 pdns - security update *** --------------------------------------------- Multiple vulnerabilities have been discovered in pdns, an authoritativeDNS server. The Common Vulnerabilities and Exposures project identifiesthe following .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3764 *** DSA-3763 pdns-recursor - security update *** --------------------------------------------- Florian Heinz and Martin Kluge reported that pdns-recursor, a recursiveDNS server, parses all records present in a query regardless of whetherthey are .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3763 *** Backup Files Are Good but Can Be Evil *** --------------------------------------------- Since we started to work with computers, we always heard the following advice: Make backups!. Everytime you have to change something in a file or an application, first make a backup of the existing resources (code, configuration files, data). But, .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21935 *** Compliance: Deutsche Bank verbannt Whatsapp und SMS von Diensthandys *** --------------------------------------------- Mitarbeiter der Deutschen Bank können künftig nicht mehr untereinander per Whatsapp oder SMS kommunizieren. Die Apps sollen von den Geräten der Mitarbeiter entfernt werden - weil es die Behörden so wollen. --------------------------------------------- http://www.golem.de/news/compliance-deutsche-bank-verbannt-whatsapp-und-sms… *** DSA-3765 icoutils - security update *** --------------------------------------------- Several programming errors in the wrestool tool of icoutils, a suiteof tools to create and extract MS Windows icons and .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3765 *** Rätselraten um NSA-Waffenhändler "Shadow Brokers" *** --------------------------------------------- Hacker- Gruppe kündigte Rückzug an – lauter werdende Gerüchte um Verbindungen nach Russland --------------------------------------------- http://derstandard.at/2000050751646 *** Datendiebstahl bei den iPhone-Hackern Cellebrite *** --------------------------------------------- Die Firma, die die Verschlüsselung des iPhones für das FBI geknackt haben soll, wurde Opfer eines Datendiebstahls. 900 GB an Daten sind gestohlen worden. --------------------------------------------- https://futurezone.at/digital-life/datendiebstahl-bei-den-iphone-hackern-ce… *** Cyberangriffe zu deutschem Wahlkampf befürchtet: Abwehrzentrum geplant *** --------------------------------------------- Bundestagspräsident: "Was technisch möglich ist, findet auch statt" --------------------------------------------- http://derstandard.at/2000050779644 *** Google reveals its servers all contain custom security silicon *** --------------------------------------------- Even the servers it colocates (!) says new docu revealing Alphabet subs security secrets Google has published a Infrastructure Security Design Overview that explains how it secures .. --------------------------------------------- www.theregister.co.uk/2017/01/16/google_reveals_its_servers_all_contain_cus… *** Blackberry DTEK60 im (Sicherheits-)Test: Sicher, weil isso! *** --------------------------------------------- Blackberry will die Quadratur des Kreises schaffen: ein sicheres Android-Smartphone. Leider stellt der Hersteller wenig Informationen bereit und verwirrt Nutzer teils unnötig. --------------------------------------------- http://www.golem.de/news/blackberry-60-im-sicherheits-test-sicher-weil-isso… *** New Gmail phishing technique fools even tech-savvy users *** --------------------------------------------- An effective new phishing attack is hitting Gmail users and tricking many into inputing their Gmail credentials into a fake login page. How the attack unfolds The phishers start by compromising a Gmail account, then they rifle through the emails .. --------------------------------------------- https://www.helpnetsecurity.com/2017/01/16/new-gmail-phishing-attack-fools-… *** 35 Jahre C64: Die Geburtsstunde der "Cracker" und Kopierer *** --------------------------------------------- In den 1980er-Jahren war es in Österreich vergleichsweise schwer, überhaupt Software zu kaufen --------------------------------------------- http://derstandard.at/2000049895466 *** Cartapping: Autos werden seit 15 Jahren digital verwanzt *** --------------------------------------------- Um den Standort eines Autos zu überwachen, muss längst keine GPS-Wanze mehr angebracht werden. In den USA wird das offenbar schon lange mithilfe der intelligenten Navigations- und Bordsysteme praktiziert. --------------------------------------------- http://www.golem.de/news/cartapping-autos-werden-seit-15-jahren-digital-ver… *** We reverse engineered 16k apps, here’s what we found *** --------------------------------------------- In Nov’16, we created an online tool to reverse engineer any android app to look for secrets. This tool was built because of an internal need — we were constantly required to reverse .. --------------------------------------------- https://medium.com/@mkagenius/afdccb592b81 *** Mailserver Dovecot: erfolgreiches Sicherheits-Audit *** --------------------------------------------- Als weitestgehend sicher stuft das Berliner IT-Sicherheitsunternehmen Cure53 den Mailserver Dovecot ein. In Auftrag gegeben hatte diese Untersuchung die Mozilla Foundation. --------------------------------------------- https://heise.de/-3596977

1 0

Tageszusammenfassung - Freitag 13-01-2017
by Daily end-of-shift report 13 Jan '17

13 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 12-01-2017 18:00 − Freitag 13-01-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Critical Patch Update - January 2017 - Pre-Release Announcement *** --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html *** EMET 5.52 update is now available *** --------------------------------------------- EMET 5.52 is the latest version of the Enhanced Mitigation Experience Toolkit (EMET) and is now available for download. EMET 5.52 is a minor update from EMET 5.51 to address the following: An issue with the EAF mitigation that causes some applications to hang on Windows 7 SP1. A fix to the MSI installer to... --------------------------------------------- https://blogs.technet.microsoft.com/srd/2017/01/12/emet-5-52-update-is-now-… *** Marlboro Ransomware Defeated in One Day *** --------------------------------------------- A new ransomware family was snuffed in its crib today after security researchers tracked it down, analyzed its source code for weaknesses, and released a decrypter in less than 24 hours. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated… *** Angriffe auf VoIP-Gateways von beroNet, Patch sorgt für Sicherheit *** --------------------------------------------- Angreifer entdeckten eine Schwachstelle in den VoIP-Gateways des Berliner Herstellers beroNet und nutzen diese seit kurzem aus, um die Rechnungen ihrer Opfer in die Höhe zu treiben. Ein Patch des Herstellers stopft das Sicherheitsloch. --------------------------------------------- https://heise.de/-3594737 *** November-December 2016 *** --------------------------------------------- The NCCIC/ICS-CERT Monitor for November/December 2016 is a summary of ICS-CERT activities for the previous two months --------------------------------------------- https://ics-cert.us-cert.gov/monitors/ICS-MM201612 *** Wie sich Banken vor Cyberangriffen schützen *** --------------------------------------------- Olaf Schwarz, Information Security Officer bei der Direktbank ING DiBa Austria über Cyberangriffe auf Banken, Ransomware und Sicherheitsschulungen für Mitarbeiter. --------------------------------------------- https://futurezone.at/digital-life/wie-sich-banken-vor-cyberangriffen-schue… *** Whos Attacking Me?, (Fri, Jan 13th) *** --------------------------------------------- I started to play with a nice reconnaissance tool that could be helpful in many cases - offensive as well as defensive. IVRE [1] (DRUNK in French) is a tool developed by the CEA, the Alternative Energies and Atomic Energy Commission in France. Its a network reconnaissance framework that includes: Passive recon features (via flow analysis coming from Bro or Nfdump Fingerprinting analysis Active recon (via Nmapor Zmap) Import tools (from Nmap or Masscan) I deployed this tool and feed it with... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21933&rss *** MongoDB Hijackers Move on to ElasticSearch Servers *** --------------------------------------------- After days of wreaking havoc among MongoDB servers, a group of crooks has moved on to hijacking ElasticSearch servers and asking for similar ransoms. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/mongodb-hijackers-move-on-to… *** Schlüsselaustausch: Aufregung um angebliche Whatsapp-Backdoor *** --------------------------------------------- Hat Whatsapp eine Backdoor? Das behaupten zumindest ein Sicherheitsforscher und der Guardian. Tatsächlich könnte es auch eine weniger spektakuläre Erklärung geben. --------------------------------------------- http://www.golem.de/news/schluesselaustausch-aufregung-um-angebliche-whatsa… *** Ploutus ATM Malware: Press F3 for Money *** --------------------------------------------- Security researchers from FireEye have identified a new variant of the Ploutus ATM malware, used for the past few years to make ATMs spew out cash on command. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/ploutus-atm-malware-press-f3… *** Security Alert: RIG EK Exploits Outdated Popular Apps, Spreads Cerber Ransomware *** --------------------------------------------- Cybersecurity experts obsessively repeat two types of advice: Use stronger passwords. Update your software. Today's security alert is all about the importance of applying software updates as soon as they're released. At the moment, cybercriminals are using a swarm of malicious domains to launch drive-by attacks against unsuspecting users. The campaign works by injecting malicious scripts into insecure... --------------------------------------------- https://heimdalsecurity.com/blog/rig-exploit-kit-cerber-ransomware-outdated… *** DSA-3761 rabbitmq-server - security update *** --------------------------------------------- It was discovered that RabbitMQ, an implementation of the AMQPprotocol, didnt correctly validate MQTT (MQ Telemetry Transport)connection authentication. This allowed anyone to login to an existinguser account without having to provide a password. --------------------------------------------- https://www.debian.org/security/2017/dsa-3761 *** Vuln: Splunk Enterprise CVE-2016-10126 Information Disclosure Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95412 *** Vuln: Lenovo XClarity Administrator CVE-2016-8221 Privilege Escalation Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95417 *** HPSBGN03694 rev.1 - HPE SiteScope, Remote Disclosure of Information *** --------------------------------------------- A security vulnerability in DES/3DES block ciphers used in the TLS protocol, could potentially impact HPE SiteScope resulting in remote disclosure of information, also known as the SWEET32 attack. --------------------------------------------- https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05369403 *** Vuln: Zabbix CVE-2016-10134 SQL Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95423 *** Security Advisory: BIND vulnerability CVE-2016-9147 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/02/sol02138183.html?… *** Security Advisory: BIND vulnerability CVE-2016-9131 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/86/sol86272821.html?… *** Security Advisory: BIND vulnerability CVE-2016-9444 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/40/sol40181790.html?… *** PowerDNS Security Fixes *** --------------------------------------------- PowerDNS Recursor 4.0.4 released https://mailman.powerdns.com/pipermail/pdns-announce/2017-January/001051.ht… --------------------------------------------- PowerDNS Recursor 3.7.4 released https://mailman.powerdns.com/pipermail/pdns-announce/2017-January/001052.ht… --------------------------------------------- PowerDNS Authoritative Server 4.0.2 released https://mailman.powerdns.com/pipermail/pdns-announce/2017-January/001053.ht… --------------------------------------------- PowerDNS Authoritative Server 3.4.11 released https://mailman.powerdns.com/pipermail/pdns-announce/2017-January/001054.ht… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Security vulnerabilities in Apache Tomcat affects multiple IBM Rational products based on IBM's Jazz technology *** https://www.ibm.com/support/docview.wss?uid=swg21997084 --------------------------------------------- *** IBM Security Bulletin: Unauthenticated User Could Gain Remote Access to TS3100/TS3200 (CVE-2016-9005) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009656 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Image Construction and Composition Tool. (CVE-2016-5573, CVE-2016-5542, and CVE-2016-5597) *** http://www.ibm.com/support/docview.wss?uid=swg21997055 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM PureApplication System. *** http://www.ibm.com/support/docview.wss?uid=swg21994499 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Image Construction and Composition Tool. *** http://www.ibm.com/support/docview.wss?uid=swg21997063 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server and IBM WebSphere Application Server Liberty affects IBM SPSS Analytic Server (CVE-2016-5986) *** http://www-01.ibm.com/support/docview.wss?uid=swg21996950 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Advanced Management Module (AMM) for BladeCenter systems *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099527 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server Liberty affects IBM SPSS Analytic Server (CVE-2016-0378) *** http://www-01.ibm.com/support/docview.wss?uid=swg21996968 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit component of IBM Tivoli Monitoring (CVE-2015-1788) *** http://www-01.ibm.com/support/docview.wss?uid=swg21997156 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 12-01-2017
by Daily end-of-shift report 12 Jan '17

12 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 11-01-2017 18:00 − Donnerstag 12-01-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Personalisierte card complete-Phishingmail *** --------------------------------------------- Eine personalisierte cardcomplete-Phishingmail, die EmpfÄnger/innen direkt beim Namen benennt, ist im Umlauf. In dieser behaupten Kriminelle, dass es zu verdÄchtigen Transaktionen gekommen sei, weshalb Kund/innen sich auf einer Website legitimieren sollen. Es handelt sich um einen Versuch, mit dem Kriminelle an fremde Kreditkartendaten gelangen wollen. --------------------------------------------- https://www.watchlist-internet.at/phishing/personalisierte-card-complete-ph… *** The Most Dangerous User Right You (Probably) Have Never Heard Of *** --------------------------------------------- One user right I overlooked, until Ben Campbell's post on constrained delegation, was SeEnableDelegationPrivilege. This right governs whether a user account can "Enable computer and user accounts to be trusted for delegation." Part of the reason I overlooked it is stated right in the documentation:... --------------------------------------------- http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-y… *** Sicherheitsloch im Herzschrittmacher *** --------------------------------------------- Ein Firmware-Update soll Patienten mit Herzschrittmachern oder implantierten Defibrillatoren davor schützen, dass Hacker die Kontrolle über die Geräte übernehmen. Es gibt jedoch Zweifel daran, dass die Geräte nach dem Update sicher sind. --------------------------------------------- https://heise.de/-3593932 *** Latest Adobe Acrobat Reader Update Silently Installs Chrome Extension *** --------------------------------------------- An anonymous reader writes: The latest Adobe Acrobat Reader security update (15.023.20053), besides delivering security updates, also secretly installs the Adobe Acrobat extension in the users Chrome browser. There is no mention of this "special package" on Acrobats changelog, and surprise-surprise, the extension comes with anonymous data collection turned on by default. Bleeping Computer reports: "This extension allows users to save any web page theyre on as a PDF file and share... --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/s_zCwl6BNOY/latest-adobe-ac… *** Some tools updates, (Thu, Jan 12th) *** --------------------------------------------- A coupleof tools were updated and release today. Network Miner was updated. Version 2.1 is not available for download. Network Miner is packet sniffer/analyzer focused on extracting application layer forensic artifacts. The update adds new protocols and enhances email reassembly options. http://www.netresec.com/?page=Blogmonth=2017-01post=NetworkMiner-2-1-Releas… BlackhillsInformation Security released a Powershellversion of theDNSCAT2client. DNSCAT2 is a popular command and control tool... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21925&rss *** System Resource Utilization Monitor, (Thu, Jan 12th) *** --------------------------------------------- The attackers have come and gone and youare left behind to clean up the mess. You arrive on site to figure out how the bad guysgot in, what they took and how badly it will affect the customer. But, the customer doesnt syslog the firewall logs, so youare limited to the three days of logs that are held in thefirewalls memory. The Windows Event logs on most of the systems roll over every 5 minutes, and there is no centralized long term logging. There is no IDS. There is no full packet capture. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21927&rss *** Hintergrund: Open Bug Bounty: Sicherheitslücken gegen Prämie *** --------------------------------------------- heise Security machte nicht ganz freiwillig Bekanntschaft mit einer bisher weitgehend unbekannten Plattform, auf der Hacker und andere Forscher Sicherheitslücken melden können. --------------------------------------------- https://heise.de/-3593886 *** Ansible: Update soll kritischen Fehler in den 2.x-Versionen beheben *** --------------------------------------------- Da die Schwachstelle als hohes Risiko eingestuft wird, haben die Macher Release Candidates der Versionen 2.1.4 und 2.2.1 veröffentlicht, die den Fehler beheben. --------------------------------------------- https://heise.de/-3594254 *** Rent an IP, Own a Domain *** --------------------------------------------- The other day I was on a mission to locate a contact of mine that lived nearby. I had an address, but no phone, or email address. So I got the GPS out, programmed in the address, and away I went. Arriving at the location, I turned into the driveway, and it was an apartment... --------------------------------------------- https://blog.domaintools.com/2017/01/rent-an-ip-own-a-domain/ *** WordPress 4.7.1 Security and Maintenance Release *** --------------------------------------------- This is a security release for all previous versions and we strongly encourage you to update your sites immediately. --------------------------------------------- https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance… *** Bugtraq: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) *** --------------------------------------------- http://www.securityfocus.com/archive/1/540011 *** Vuln: libgit2 badssl.c Security Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95354 *** Bugtraq: IKEv1 cipher suite configuration mismatch in Siemens SIMATIC CP 343-1 Advanced *** --------------------------------------------- http://www.securityfocus.com/archive/1/540003 *** Vuln: Zimbra CVE-2016-3403 Multiple Cross Site Request Forgery Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/95383 *** NetIQ Privileged Account Manager 3.0.1 HF3 (3.0.1-3) *** --------------------------------------------- Abstract: NetIQ Privileged Account Manager 3.0.1 Hot Fix 3 (3.0.1.3). The purpose of the patch is to provide an upgrade of OpenSSL to eliminate potential security vulnerabilities. This release addresses does not contain new features.Document ID: 5267862Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:netiq-npam-packages-3.0.1-3.tar.gz (175.63 MB)Products:Privileged Account Manager 3.0.1Superceded Patches:NetIQ Privileged Account Manager 3.0.1 HF 1NetIQ Privileged --------------------------------------------- https://download.novell.com/Download?buildid=Ciuap7psZuo~ *** DFN-CERT-2017-0054: ISC BIND: Mehrere Schwachstellen ermöglichen verschiedene Denial-of-Service-Angriffe *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0054/ *** Vuln: SAP NetWeaver XML External Entity Information Disclosure Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95373 *** Vuln: SAP ERP Defence Forces and Public Security Remote Authorization Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95367 *** Juniper Security Advisories *** --------------------------------------------- *** JSA10772 - 2017-01 Security Bulletin: Junos: RPD crash while processing RIP advertisements (CVE-2017-2303) *** http://kb.juniper.net/index?page=content&id=JSA10772&actp=RSS --------------------------------------------- *** JSA10774 - 2017-01 Security Bulletin: Network and Security Manager (NSM): Multiple OpenSSH vulnerabilities affect NSM Appliance OS. *** http://kb.juniper.net/index?page=content&id=JSA10774&actp=RSS --------------------------------------------- *** JSA10773 - 2017-01 Security Bulletin: QFX3500, QFX3600, QFX5100, QFX5200, EX4300 and EX4600: Etherleak memory disclosure in Ethernet padding data (CVE-2017-2304) *** http://kb.juniper.net/index?page=content&id=JSA10773&actp=RSS --------------------------------------------- *** JSA10771 - 2017-01 Security Bulletin: Junos: Denial of Service vulnerability in RPD (CVE-2017-2302) *** http://kb.juniper.net/index?page=content&id=JSA10771&actp=RSS --------------------------------------------- *** JSA10770 - 2017-01 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in 16.1R1 release. *** http://kb.juniper.net/index?page=content&id=JSA10770&actp=RSS --------------------------------------------- *** JSA10769 - 2017-01 Security Bulletin: Junos: Denial of service vulnerability in jdhcpd due to crafted DHCPv6 packets (CVE-2017-2301) *** http://kb.juniper.net/index?page=content&id=JSA10769&actp=RSS --------------------------------------------- *** JSA10768 - 2017-01 Security Bulletin: Junos: SRX Series denial of service vulnerability in flowd due to crafted multicast packets (CVE-2017-2300) *** http://kb.juniper.net/index?page=content&id=JSA10768&actp=RSS --------------------------------------------- *** IBM Security Bulletin *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) IBM Java SDK updates October 2016 *** http://www-01.ibm.com/support/docview.wss?uid=swg21995972 --------------------------------------------- *** IBM Security Bulletin: Multiple Security Vulnerabilities in OpenSSL affect IBM Netezza Analytics *** http://www-01.ibm.com/support/docview.wss?uid=swg21995049 --------------------------------------------- *** IBM Security Bulletin: IBM Sterling Order Management is affected by a vulnerability (CVE-2016-5953) *** http://www-01.ibm.com/support/docview.wss?uid=swg21994521 --------------------------------------------- *** IBM Security Bulletin: Multiple Security Vulnerabilities have been addressed in LMS 6.0 on Cloud *** http://www.ibm.com/support/docview.wss?uid=swg21992072 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 11-01-2017
by Daily end-of-shift report 11 Jan '17

11 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 10-01-2017 18:00 − Mittwoch 11-01-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** How to secure MongoDB - because it isnt by default and thousands of DBs are being hacked *** --------------------------------------------- Stop right now and make sure youve configured it correctly The rise in ransomware attacks on MongoDB installations prompted the database maker last week to issue advice on how to avoid being victimized. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/01/11/mongodb_ran… *** Phishing per Autofill: Chrome, Safari, Opera und Erweiterungen wie LastPass angreifbar *** --------------------------------------------- Chromium-basierte Browser, Safari und beliebte Erweiterungen wie der Passwortmanager LastPass lassen sich austricksen, um mehr über den Nutzer preiszugeben, als dieser ahnt. --------------------------------------------- https://heise.de/-3593811 *** Injection of Unwanted Google AdSense Ads *** --------------------------------------------- During the last couple of years, it has become quite prevalent for hackers to monetize compromised sites by injecting unwanted ads. They can be pop-up ads triggered when a visitor spends a certain amount of time on an infected page, or automatic redirection of mobile traffic to URLs that belong to ad networks. It's not uncommon to see adult ads since networks that work with the porn industry usually allow a higher level of anonymity and have less strict guidelines (if any) on the quality... --------------------------------------------- https://blog.sucuri.net/2017/01/injection-unwanted-google-adsense-ads.html *** Spora Ransomware Works Offline, Has the Most Sophisticated Payment Site as of Yet *** --------------------------------------------- A new ransomware family made its presence felt today, named Spora, the Russian word for "spore." This new ransomwares most notable features are its solid encryption routine, ability to work offline, and a very well put together ransom payment site, the most sophisticated weve seen from ransomware authors as of yet. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/spora-ransomware-works-offli… *** Juniper warns: Borked upgrade opens root on firewalls *** --------------------------------------------- Turn it off and turn it back on again. No, really Juniper is warning users of its SRX firewalls that a borked upgrade leaves a root-level account open to the world. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/01/11/juniper_war… *** Hancitor/Pony/Vawtrak malspam, (Wed, Jan 11th) *** --------------------------------------------- Introduction Until recently, I hadnt personally seen much malicious spam (malspam) using Microsoft office documents with Hancitor-based Visual Basic (VB) macros to send Pony and Vawtrak. It still happens, though. Occasionally, Ill find a report like this one from 2016-12-19, where Hancitor/Pony/Vawtrak malspam was disguised as a LogMeIn account notification, but I rarely come across an example on my own. At least until yesterday. This diary describes a recent wave of Hancitor/Pony/Vawtrak... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21919&rss *** MS17-JAN - Microsoft Security Bulletin Summary for January 2017 - Version: 1.1 *** --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS17-JAN *** Bugtraq: ESA-2016-096: EMC Celerra, VNX1, VNX2 and VNXe SMB NTLM Authentication Weak Nonce Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/539992 http://www.securityfocus.com/archive/1/539993 http://www.securityfocus.com/archive/1/539995 *** Vuln: Ansible CVE-2016-9587 Arbitrary Command Execution Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95352 *** VU#767208: ThreatMetrix SDK for iOS fails to validate SSL certificates *** --------------------------------------------- Vulnerability Note VU#767208 ThreatMetrix SDK for iOS fails to validate SSL certificates Original Release date: 10 Jan 2017 | Last revised: 10 Jan 2017 Overview On the iOS platform, the ThreatMetrix SDK versions prior to 3.2 fail to validate SSL certificates provided by HTTPS connections, which may allow an attacker to perform a man-in-the-middle (MITM) attack. Description ThreatMetrix is a security library for mobile applications, which aims to provide fraud prevention and device identity... --------------------------------------------- http://www.kb.cert.org/vuls/id/767208 *** DFN-CERT-2017-0041: BlackBerry Enterprise Server: Zwei Schwachstellen ermöglichen u.a. das Erlangen von Benutzerrechten *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0041/ *** BSRT-2017-003 Vulnerability in WatchDox Server components impacts WatchDox by BlackBerry *** --------------------------------------------- http://support.blackberry.com/kb/articleDetail?articleNumber=000038915 *** DFN-CERT-2017-0045: WebKitGTK+: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0045/ *** GnuTLS Lets Remote Users Execute Arbitrary Code on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1037576 *** DFN-CERT-2017-0047: GnuTLS: Mehrere Schwachstellen ermöglichen verschiedene Denial-of-Service-Angriffe *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0047/ *** Vuln: PHP CVE-2017-5340 Remote Code Execution Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95371 *** Bugtraq: Bit Defender #39 - Auth Token Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/539999 *** Vuln: Computer Associates Service Desk Manager CVE-2016-10086 Security Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95366 *** Security Advisory - DoS Vulnerability in Multiple Huawei Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170111-… *** Security Advisory - Camera DOS Vulnerability in ION Memory Management Module of Huawei Smart Phone *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170111-… *** Security Notice - Statement on SaifAllah BenMassaoud Revealing CSRF Security Vulnerability in Huawei B660 Routers *** --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170111-01-… *** Vuln: SAP Products *** --------------------------------------------- *** Vuln: SAP Single Sign On Denial of Service Vulnerability *** http://www.securityfocus.com/bid/95363 --------------------------------------------- *** Vuln: SAP ERP Defence Forces and Public Security Remote Authorization Bypass Vulnerability *** http://www.securityfocus.com/bid/95362 http://www.securityfocus.com/bid/95365 --------------------------------------------- *** Vuln: SAP NetWeaver AS JAVA getUserUddiElements SQL Injection Vulnerability *** http://www.securityfocus.com/bid/95364 --------------------------------------------- *** Vuln: SAP NetWeaver Application Server Java Portal App Component Cross Site Scripting Vulnerability *** http://www.securityfocus.com/bid/95368 --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Hard-coded credentials used in IBM dashDB Local (CVE-2016-8954) *** http://www-01.ibm.com/support/docview.wss?uid=swg21994471 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Performance Tester (CVE-2016-5597) *** http://www.ibm.com/support/docview.wss?uid=swg21995685 --------------------------------------------- *** IBM Security Bulletin: Fix Available for IBM iNotes Cross-site Scripting Vulnerability (CVE-2016-5881) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995122 --------------------------------------------- *** IBM Security Bulletin: January 2015 OpenSSL security vulnerabilities in Multiple IBM N Series Products *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009328 --------------------------------------------- *** IBM Security Bulletin: October 2014 Java Runtime Environment (JRE) Vulnerabilities in Multiple N series Products *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009593 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 10-01-2017
by Daily end-of-shift report 10 Jan '17

10 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 09-01-2017 18:00 − Dienstag 10-01-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Adobe Security Bulletins posted *** --------------------------------------------- Adobe has published security bulletins for Adobe Acrobat and Reader (APSB17-01) and Adobe Flash Player (APSB17-02). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1438 https://helpx.adobe.com/security/products/acrobat/apsb17-01.html https://helpx.adobe.com/security/products/flash-player/apsb17-02.html *** Rätselhafte Netzwerk-Aktivitäten mit GRE-Paketen *** --------------------------------------------- Aufmerksame Admins verzeichnen aktuell auf ihren VPN-Gateways und Firewalls eine Zunahme von scheinbar sinnlosen GRE-Paketen. Die Ursache ist bislang unklar. --------------------------------------------- https://heise.de/-3592231 *** Krebs's Immutable Truths About Data Breaches *** --------------------------------------------- Ive had several requests for a fresh blog post to excerpt something that got crammed into the corner of a lengthy story published here Sunday: A list of immutable truths about data breaches, cybersecurity and the consequences of inaction. --------------------------------------------- https://krebsonsecurity.com/2017/01/krebss-immutable-truths-about-data-brea… *** Terror Exploit Kit? More like Error Exploit Kit *** --------------------------------------------- Q: What does it take to create a simple, yet fully functioning exploit kit? A: Just a little bit of determination. A few weeks ago a website popped up on our radar: www[.]***empowernetwork[.]com This web site, like many others in... --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit--More-lik… *** Über 1000 deutsche Online-Shops infiziert und angezapft *** --------------------------------------------- Bei über tausend deutschen Online-Shops ziehen Kriminelle jetzt gerade Kundendaten und Zahlungsinformationen ab - und das zum Teil schon seit Monaten. Laut BSI ignorieren viele Shop-Betreiber das Problem. --------------------------------------------- https://heise.de/-3592281 *** Datenklau an Geldautomaten steigt an, Schaden sinkt *** --------------------------------------------- Datendiebe haben an Geldautomaten in Deutschland wieder häufiger zugeschlagen. Trotz moderner Technik verursacht Skimming nach wie vor Millionenschäden. An anderer Stelle allerdings sind Bankkunden noch mehr gefährdet. --------------------------------------------- https://heise.de/-3592571 *** A Review of Cryptography - Part 1 *** --------------------------------------------- Overview of Last Articles Our last few articles have dealt with the science and technology of Biometrics. To review, it is merely the Verification and/or Identification of an individual based on their unique physiological traits or even behavioral mannerisms. This is probably one of the best forms of Security technology to use because it is... --------------------------------------------- http://resources.infosecinstitute.com/a-review-of-cryptography-part-1/ *** Two New Edge Exploits Integrated into Sundown Exploit Kit *** --------------------------------------------- Two recently published proof-of-concept exploits targeted Microsoft Edge were recently integrated into the Sundown Exploit Kit. --------------------------------------------- http://threatpost.com/two-new-edge-exploits-integrated-into-sundown-exploit… *** Port 37777 "MapTable" Requests, (Tue, Jan 10th) *** --------------------------------------------- Thanks to Born for noticing an increase in %%port:37777%% TCP traffic. He wrote a blog with some of the payloads he found, and after he notified us, I was able to confirm his observations in our honeypot [1]. First 32 bytes of the payload: c1 00 00 00 00 14 00 00 63 6f 6e 66 69 67 00 00 c. o. n. f. i. g 31 00 00 00 00 00 00 00 ">{ Enable : 1, MapTable : [ { Enable : 1, InnerPort : 85, OuterPort : 85, Protocol : TCP, ServiceName : HTTP }, { Enable : 1, InnerPort : 37777, OuterPort :... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21913&rss *** Vuln: DLink DGS-1100 Switch CVE-2016-10125 Local Hardcoded SSL Certificate Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95329 *** St. Jude Merlin@home Transmitter Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a channel accessible by non-endpoint vulnerability in St. Jude Medical's Merlin@home transmitter. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-009-01 *** Intel Ethernet Controller X710/XL710 NVM Security Vulnerability *** --------------------------------------------- A security vulnerability in the Intel Ethernet Controller X710 and Intel Ethernet Controller XL710 family of products (Fortville) has been found in the Non-Volatile Flash Memory (NVM) image. Under certain use conditions the Ethernet controller will stop sending and receiving data until the controller is reset. All NVM versions 5.04 and earlier contain this vulnerability which is fully mitigated in NVM version 5.05. --------------------------------------------- https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00063&lang… *** DFN-CERT-2017-0034: Foxit Reader, Foxit PhantomPDF, Foxit PDF Toolkit: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0034/ *** Moodle 3.2.1 release notes *** --------------------------------------------- A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version. --------------------------------------------- https://docs.moodle.org/dev/Moodle_3.2.1_release_notes *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Cognos Metrics Manager (CVE-2016-6302 CVE-2016-6304 CVE-2016-6303 CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-6306 CVE-2016-2181 CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg21993856 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Netcool Impact affected by Potential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986) *** http://www.ibm.com/support/docview.wss?uid=swg21996503 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Cognos Metrics Manager (CVE-2016-3485) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995206 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in libxml2 affect IBM Cognos Metrics Manager (CVE-2016-3705, CVE-2016-4447, CVE-2016-4448) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995198 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Netcool Impact affected by Information Disclosure in IBM WebSphere Application Server Liberty (CVE-2016-0378) *** http://www.ibm.com/support/docview.wss?uid=swg21996502 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in SnapDrive for Windows may Result in Disclosure of Sensitive Information （CVE-2015-8544） *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009256 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 9-01-2017
by Daily end-of-shift report 09 Jan '17

09 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 05-01-2017 18:00 − Montag 09-01-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Upcoming Security Updates for Adobe Acrobat and Reader (APSB17-01) *** --------------------------------------------- A prenotification Security Advisory (APSB17-01) has been posted regarding upcoming releases for Adobe Acrobat and Reader scheduled for Tuesday, January 10, 2017. We will continue to provide updates on the upcoming releases via the Security Advisory as well as the... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1434 *** Great Misadventures of Security Vendors: Absurd Sandboxing Edition, (Fri, Jan 6th) *** --------------------------------------------- Like many security researchers, I employ a variety of OPSEC techniques to help detect if I have been targeted by something for whatever reason. One of those techniques I use in Virustotal is basically a vanity Yara rule that looks for a variety of strings that would indicate malware was specifically targeting me or some data was uploaded that references me. Virustotal Intelligence is a useful too for doing that and many researchers have paid for access which allows you to also download samples... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21895&rss *** Using Security Tools to Compromize a Network, (Sat, Jan 7th) *** --------------------------------------------- One of our daily tasks is to assess and improve the security of our customers or colleagues. To achieve this use security tools (linked to processes). With the time, we are all building our personal toolbox with our favourite tools.Yesterday, I read an interesting blog article about extracting saved credentials from a compromised Nessus system[1]. This in indeed a nice target forthe bad guy! Why? Such security tools deployed inside a network have interesting characteristics: They have... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21903&rss *** Erpressertrojaner griffen kürzlich mehr als 10.000 Datenbanken an *** --------------------------------------------- Schwachstellen bei MongoDB ausgenutzt, Sicherheitsforscher sprechen von Angriffswelle --------------------------------------------- http://derstandard.at/2000050382671 *** Sicherheitsupdates: LibVNCServer gegen Speicherfehler gerüstet *** --------------------------------------------- Seit über zwei Jahren hat die Programmbibliothek keine Updates spendiert bekommen. Nun schließen die Entwickler zwei Schwachstellen. --------------------------------------------- https://heise.de/-3591417 *** 11 Steps to Improve Your Public Wi-Fi Security [Updated] *** --------------------------------------------- A day without Wi-Fi is a day not fully lived. We're (somewhat) exaggerating, but it's fair to say Wi-Fi has become a staple of the modern life. --------------------------------------------- https://heimdalsecurity.com/blog/11-security-steps-public-wi-fi-networks/ *** SWIFT speaks on fraudulent messages and the security moves the cooperative is making to assist its customers *** --------------------------------------------- The February 2016 attack on Bangladesh Bank which involved the sending of fraudulent SWIFT messages from the bank's environment, was followed by a number of other attacks on banks using the SWIFT network. The criminal hackers' intention is to compromise the banks' environments in order to gain their SWIFT credentials, send fraudulent messages and route payments to themselves. Since that time, the SWIFT cooperative has instituted measures ultimately designed to help their... --------------------------------------------- http://www.cio.com/article/3155253/security/swift-speaks-on-fraudulent-mess… *** FTC Takes D-Link to Court Because of Insecure Routers and Cameras *** --------------------------------------------- The US Federal Trade Commission (FTC) has filed a lawsuit against D-Link, a Taiwanese hardware manufacturer, for misrepresentations about the security of various devices it sold in the US, and for failing to take action and secure devices when security flaws were reported. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/ftc-takes-d-link-to-court-be… *** WordPress, Joomla, and Magento Continue to Be the Most Hacked CMSs *** --------------------------------------------- Based on statistical data gathered by Sucuri from 7,937 compromised websites, WordPress, Joomla, and Magento, in this order, continued to be the most hacked CMS platforms in the third quarter of 2016 (months of July, August, and September). [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-joomla-and-magento… *** DFN-CERT-2017-0027: OpenSSL: Eine Schwachstelle ermöglicht das Ausspähen von Informationen *** --------------------------------------------- Eine Schwachstelle in OpenSSL sowie den Derivaten wie z.B. LibreSSL und BoringSSL ermöglicht einem lokalen, nicht authentisierten Angreifer das Ausspähen von privatem Schlüsselmaterial. Die Entwickler von OpenSSL stellen bislang noch keine Sicherheitsupdates zur Verfügung. OpenBSD stellt Source Code Patches für die Versionen OpenBSD 5.9 und 6.0 als Sicherheitsupdates bereit. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0027/ *** NETGEAR ProSAFE Firewall Bug Lets Remote Users Traverse the Directory to View Files on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1037548 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Fixes for Multiple Security Vulnerabilities in IBM Security Identity Manager Virtual Appliance available *** http://www-01.ibm.com/support/docview.wss?uid=swg21996761 --------------------------------------------- *** IBM Security Bulletin: Security vulnerabilities in IBM Java Runtime and Apache Tomcat affects IBM RLKS Administration and Reporting Tool Admin (CVE-2016-5597, CVE-2016-3092) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995448 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilitiy in OpenSSL affect IBM Storwize V7000 Unified *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009699 --------------------------------------------- *** IBM Security Bulletin: IBM InfoSphere DataStage is vulnerable to Cross-Frame Scripting issue (CVE-2016-9000) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995257 --------------------------------------------- *** IBM Security Bulletin: IBM InfoSphere Information Server contains a Path-relative stylesheet import vulnerability (CVE-2016-8999) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995155 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Service Tester (CVE-2016-5597) *** http://www.ibm.com/support/docview.wss?uid=swg21995687 --------------------------------------------- *** IBM Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect IBM Business Process Manager (BPM) Configuration Editor *** http://www-01.ibm.com/support/docview.wss?uid=swg21995758 --------------------------------------------- *** IBM Security Bulletin: IBM Cognos Business Intelligence Server 2016Q4 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities. *** http://www-01.ibm.com/support/docview.wss?uid=swg21995691 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in 64-bit block ciphers affects IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed (CVE-2016-2183, CVE-2016-6329) *** http://www.ibm.com/support/docview.wss?uid=swg21993665 --------------------------------------------- *** IBM Security Bulletin: Apache Xerces-C vulnerabilities (XML4C) affects IBM Cloud Manager with OpenStack (CVE-2016-0729) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024708 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 5-01-2017
by Daily end-of-shift report 05 Jan '17

05 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 04-01-2017 18:00 − Donnerstag 05-01-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** E-Banking-Trojaner: Über 100.000 Euro Schaden *** --------------------------------------------- Eine E-Banking-Schadsoftware hat bei einer Netzwerktechnikfirma in der Stadt Salzburg über 100.000 Euro Schaden angerichtet. Mehrere Überweisungen wurden auf ein slowakisches Konto umgeleitet. --------------------------------------------- http://salzburg.orf.at/news/stories/2818225/ *** Microsoft kills off security bulletins - for good *** --------------------------------------------- Microsoft's last ever security bulletin is next week - so has the manual bulletin had its day? --------------------------------------------- https://www.htbridge.com/blog/microsoft-kills-off-security-bulletins-for-go… *** VB2016 paper: Open Source Malware Lab *** --------------------------------------------- At VB2016, ThreatConnect Director of Research Innovation Robert Simmons presented a paper on setting up an open source malware lab. Today, we share the accompanying paper and video. --------------------------------------------- https://www.virusbulletin.com/blog/2017/01/vb2016-paper-open-source-malware… *** What Hack? Burlington Electric Speaks Out *** --------------------------------------------- Burlington Electric Department general manager Neale Lunderville speaks out about last weeks incident and response to reports the electric grid had been hacked. --------------------------------------------- http://threatpost.com/what-hack-burlington-electric-speaks-out/122860/ *** Hackers could turn your smart meter into a bomb and blow your family to smithereens - new claim *** --------------------------------------------- And before that, pwn your IoT gadgets via power supply gear Smart meters are "dangerously insecure," according to researcher Netanel Rubin - who claimed the gear uses weak encryption, relies on easily pwned protocols, and can be programmed to explode. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/01/04/smart_metre… *** FireCrypt Ransomware Comes With a DDoS Component *** --------------------------------------------- A new ransomware family named FireCrypt will encrypt the users files, but also attempt to launch a very feeble DDoS attack on a URL hardcoded in its source code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-w… *** Emsisoft releases a decryptor for version 3 of the Globe Ransomware *** --------------------------------------------- Fabian Wosar of Emisoft has released a decrypter for version 3 of the Globe Ransomware. This decryptor will decrypt the Globe Ransomware variants that commonly append the .decrypt2017 and .hnumkhotep extensions to encrypted files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emsisoft-releases-a-decrypto… *** Mixed Messages : Novel Phishing Attempts Trying to Steal Your E-mail Password Goes Wrong, (Wed, Jan 4th) *** --------------------------------------------- A writer wrote in to send us an interesting phishing attempt they had received at their organization. An email from a school domain that purported to be VetMeds send an encrypted PDF that required a user-name and password to log in to. The subject of the email was Assessment document. The PDF itself was created with Microsoft Word and included a link that suggested it was a locked document and you needed to click a link to unlock it which pointed to chai[.]myjino[.]ru and gave a screen with a... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21881&rss *** KillDisk Ransomware Now Targets Linux, Prevents Boot-Up, Has Faulty Encryption *** --------------------------------------------- Researchers have discovered a Linux variant of the KillDisk ransomware, which itself is a new addition to the KillDisk disk wiper malware family, previously used only to sabotage companies by randomly deleting data and altering files. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/killdisk-ransomware-now-targ… *** [R1] Nessus 6.9.3 Fixes One Vulnerability *** --------------------------------------------- Tenable Nessus was found to be impacted by an authenticated stored cross-site scripting (XSS) issue. --------------------------------------------- https://www.tenable.com/security/tns-2017-01 *** HPSBGN03688 rev.1 - HPE Operations Orchestration, Remote Code Execution *** --------------------------------------------- A potential security vulnerability has been identified in HPE Operations Orchestration. The vulnerability could be remotely exploited to allow remote code execution. --------------------------------------------- http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05361944 *** Google Nexus Qualcomm GPU Driver CVE-2016-8434 Privilege Escalation Vulnerability *** --------------------------------------------- Google Nexus is prone to a privilege-escalation vulnerability. Attackers can exploit this issue to execute arbitrary code with elevated privileges within the context of the kernel. --------------------------------------------- http://www.securityfocus.com/bid/95257 *** Atlassian Confluence 5.9.12 Cross Site Scripting *** --------------------------------------------- Topic: Atlassian Confluence 5.9.12 Cross Site Scripting Risk: Low Text: ==[ Tempest Security Intelligence - ADV-3/2016 CVE-2016-6283 ] == Persisted Cross-Site Scripting (XSS) in Confluence J... --------------------------------------------- https://cxsecurity.com/issue/WLB-2017010029 *** ShoreTel Mobility Client iOS 9.1.2.101 SSL Man-In-The-Middle *** --------------------------------------------- Topic: ShoreTel Mobility Client iOS 9.1.2.101 SSL Man-In-The-Middle Risk: Medium Text:ShoreTel Mobility Client iOS Application - MITM SSL Certificate Vulnerability (CVE-2016-6562) Overview "The Mobility Clie... --------------------------------------------- https://cxsecurity.com/issue/WLB-2017010028 *** Doubleclick for Publishers (DFP) - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-002 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2017-002Project: Doubleclick for Publishers (DFP) (third-party module)Version: 7.xDate: 2017-January-04Security risk: 10/25 ( Moderately Critical) AC:Complex/A:User/CI:None/II:None/E:Exploit/TD:AllVulnerability: Cross Site ScriptingDescriptionThis module enables you to to place advertisements on your site that are served by Googles DFP (Doubleclick for Publisher) service.The module has multiple Cross Site Scripting (XSS) vulnerabilities due to not sufficiently... --------------------------------------------- https://www.drupal.org/node/2841114 *** Permissions by Term -- Critical - Multiple vulnerabilities - SA-CONTRIB-2017-001 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2017-001Project: Permissions by Term (third-party module)Version: 8.xDate: 2017-January-04Security risk: 15/25 ( Critical) AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypass, Information DisclosureDescriptionThe Permissions by Term module extends Drupal functionality by restricting access to single nodes via taxonomy terms. Taxonomy terms are part of the Drupal core functionality. Taxonomy term permissions can be coupled to specific... --------------------------------------------- https://www.drupal.org/node/2841094 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in HTTP request processing affects IBM License Metric Tool v9 and IBM BigFix Inventory v9 (CVE-2016-8977) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995014 --------------------------------------------- *** IBM Security Bulletin:IBM SDK, Java Technology Edition Quarterly CPU Oct 2016 Includes Oracle Oct 2016 CPU affect Content Collector for Email *** https://www-01.ibm.com/support/docview.wss?uid=swg21995468 --------------------------------------------- *** IBM Security Bulletin: vCenter password disclosure via application tracing in IBM Tivoli Storage Manager Client and IBM Tivoli Storage Manager for Virtual Environments:Data Protection for VMware (CVE-2016-6110) *** http://www.ibm.com/support/docview.wss?uid=swg21996198 --------------------------------------------- *** IBM Security Bulletin:Vulnerabilities in Apache Tomcat and OpenSSL affect Rational BuildForge *** http://www-01.ibm.com/support/docview.wss?uid=swg21995528 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter systems *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099526 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Advanced Management Module (AMM) for BladeCenter systems *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099528 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Common Reporting (TCR) 2016Q4 Security Updater : TCR is affected by multiple vulnerabilities. *** http://www-01.ibm.com/support/docview.wss?uid=swg21996032 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in DHCP affects IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter systems *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099529 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in GNU C Library affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter systems *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099524 --------------------------------------------- *** IBM Security Bulletin: Apache Xerces-C vulnerabilities affects IBM Cloud Manager with OpenStack (CVE-2016-4463) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024585 --------------------------------------------- Next End-of-Shift report: 2017-01-09

1 0

Tageszusammenfassung - Mittwoch 4-01-2017
by Daily end-of-shift report 04 Jan '17

04 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 03-01-2017 18:00 − Mittwoch 04-01-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Technical details on the Fancy Bear Android malware (poprd30.apk) *** --------------------------------------------- Background Recently, Crowdstrike has published details about a malicious Android APK file, named poprd30.apk or Попр-Д30.apk. It seems that the malware was created by the Fancy Bear group for tracking Ukrainian field .. --------------------------------------------- http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-m… *** Remote Code Execution in third party library swiftmailer *** --------------------------------------------- https://typo3.org/news/article/remote-code-execution-in-third-party-library… *** Real World FSociety Malware Is Giving Mr. Robot a Bad Name *** --------------------------------------------- In the past few weeks, more or less talented malware authors have resorted to naming their newly launched threats using the "FSociety" brand, made famous by the Mr. Robot TV series. --------------------------------------------- https://www.bleepingcomputer.com/news/security/real-world-fsociety-malware-… *** Microsoft to Add Bitcoin Support to Excel Later This Year *** --------------------------------------------- https://www.bleepingcomputer.com/news/software/microsoft-to-add-bitcoin-sup… *** Campaign Evolution: pseudo-Darkleech in 2016 *** --------------------------------------------- Darkleech is long-running campaign that uses exploit kits (EKs) to deliver malware. First identified in 2012, this campaign has used different EKs to distribute various types of .. --------------------------------------------- http://researchcenter.paloaltonetworks.com/2016/12/unit42-campaign-evolutio… *** The Download on the DNC Hack *** --------------------------------------------- Over the past few weeks, Ive been inundated with questions from readers asking why I havent written much about two stories that have consumed the news media of late: The alleged .. --------------------------------------------- https://krebsonsecurity.com/2017/01/the-download-on-the-dnc-hack/ *** l+f: Russische Hacker aus der postapokalyptischen Strahlenwüste *** --------------------------------------------- https://heise.de/-3587018 *** Eindringling nimmt offenbar MongoDB-Datenbanken als Geisel *** --------------------------------------------- Ein unbekannter Angreifer soll ungeschützte MongoDB-Datenbanken leeren und den Eigentümern eine Erpresser-Botschaft hinterlassen. --------------------------------------------- https://heise.de/-3587479 *** Sicherheitslücke: Kaspersky schlampt bei TLS-Zertifikatsprüfung *** --------------------------------------------- Die Antivirensoftware von Kaspersky liest bei TLS-Verbindungen mit und sorgt nebenbei dafür, dass die Zertifikatsprüfung ausgehebelt wird. Wieder einmal konnte Tavis Ormandy von Google damit zeigen, wie löchrig sogenannte Sicherheitssoftware ist. --------------------------------------------- http://www.golem.de/news/sicherheitsluecke-kaspersky-schlampt-bei-tls-zerti… *** Gefälschte Erste Bank/Sparkasse-Mail: Bestätigung erforderlich *** --------------------------------------------- Mit einer gefälschten Erste Bank/Sparkasse-Nachricht wollen Kriminelle OnlineBanking-Zugangsdaten von Kund/innen stehlen. Damit sie das Ziel erreichen, behaupten sie in dem .. --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschte-erste-banksparkasse-… *** Programmiersprachen: Sicheres NTP könnte von C auf Rust oder Go wechseln *** --------------------------------------------- Mit NTPsec erstellt ein Team um den Open-Source-Pionier Eric S. Raymond eine sichere Implementierung für NTP. Das Team überlegt, sich komplett von dem C-Code zu trennen und stattdessen eine sichere Programmiersprache wie Rust oder Go zu verwenden. --------------------------------------------- http://www.golem.de/news/programmiersprachen-sicheres-ntp-koennte-von-c-auf… *** BlackBerry, Google und LG patchen unter anderem abermals kritische Stagefright-Lücke *** --------------------------------------------- Bereits seit Juni 2015 kämpft Google gegen kritische Schwachstellen in Multimedia-Komponenten von Android. Der alleinige Empfang einer MMS kann ein Gerät schachmatt setzen. Nun liefern verschiedene Hersteller erneut Sicherheitsupdates. --------------------------------------------- https://heise.de/-3587867

1 0

Tageszusammenfassung - Dienstag 3-01-2017
by Daily end-of-shift report 03 Jan '17

03 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 02-01-2017 18:00 − Dienstag 03-01-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Aus der Filterbubble #33c3 zurück in die Realität *** --------------------------------------------- Der 33. Chaos Communication Congress war mein erster. Was mich am meisten beeindruckt hat. Und wie es ist, wieder im Alltag anzukommen. --------------------------------------------- https://futurezone.at/myfuzo/blog/aus-der-filterbubble-33c3-zurueck-in-die-… *** Mac Malware of 2016 *** --------------------------------------------- Lets analyse the malware that appeared in 2016, discussing the infection vector, persistence mechanism, feature, and disinfection for each. --------------------------------------------- https://objective-see.com/blog/blog_0x16.html *** Website Malware Targets Mobile Platforms *** --------------------------------------------- Navigating the web on a mobile device can be tricky even when you’re browsing clean sites. If hackers are involved, the frustration of a pop-up can turn into the dangerous possibility .. --------------------------------------------- https://blog.sucuri.net/2017/01/website-malware-targets-mobile-platforms.htm *** Android tops 2016 vuln list, with 523 bugs *** --------------------------------------------- Google joins Microsoft, Apple, Adobe in top of the pops Of any single product, CVE Details reckons, Android had the most reported vulnerabilities in 2016 – but as a vendor, Adobe still tops the list. --------------------------------------------- www.theregister.co.uk/2017/01/03/android_tops_2016_vuln_list_with_523_bugs/ *** Lauri Love: Love gegen die Vereinigten Staaten von Amerika *** --------------------------------------------- Der Anonymous-Aktivist und Hacker Lauri Love soll an die USA ausgeliefert werden. Dort drohen ihm wegen des unberechtigten Veränderns von Webseiten und Hacking fast 100 Jahre Haft. Wenn wir Lauri nicht retten können, können wir uns auch nicht selbst retten, warnen Aktivisten. --------------------------------------------- http://www.golem.de/news/lauri-love-love-gegen-die-vereinigten-staaten-von-… *** libpng-Entwickler schließen 21 Jahre alte Sicherheitslücke *** --------------------------------------------- Praktisch alle Versionen der Programmbibliothek libpng sind verwundbar. Über eine Schwachstelle könnten Angreifer Systeme lahmlegen. Abgesicherte Versionen sind verfügbar. --------------------------------------------- https://heise.de/-3585996 *** Top Secret -cleared SOCOM staff in 11GB Govt contractor breach *** --------------------------------------------- Dismissed hacker calls US Govt buddy to nix exposed database A Pentagon subcontractor has exposed the names, locations, Social Security Numbers, and salaries of Military Special .. --------------------------------------------- www.theregister.co.uk/2017/01/03/top_secret_cleared_socom_staff_in_11gb_gov… *** Deprecation of Insecure Algorithms and Protocols in RHEL 6.9 *** --------------------------------------------- Cryptographic protocols and algorithms have a limited lifetime—much like everything else in technology. Algorithms that provide cryptographic hashes and encryption as well as .. --------------------------------------------- https://access.redhat.com/blogs/766093/posts/2787271 *** Doch keine Spur nach Russland nach Angriff auf US-Stromversorger *** --------------------------------------------- Ermittler fanden keine Indizien – Mitarbeiter hatte mit eigenem Laptop Mails aufgerufen --------------------------------------------- http://derstandard.at/2000050193323

1 0

Tageszusammenfassung - Montag 2-01-2017
by Daily end-of-shift report 02 Jan '17

02 Jan '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 30-12-2016 18:00 − Montag 02-01-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Sundown Exploit Kit now leverages on the steganography *** --------------------------------------------- A new variant of the Sundown exploit kit leverages on steganography to hide exploit code in harmless-looking image files. Security experts from Trend Micro have spotted a new version of the Sundown exploit kit .. --------------------------------------------- http://securityaffairs.co/wordpress/54886/cyber-crime/sundown-exploit-kit-2… *** Russische Cyberattacken gegen USA: Junge Hackerin als Mastermind verdächtigt *** --------------------------------------------- Soll Geheimdienst unterstützt haben – Alisa Schewtschenko sieht sich als Sündenbock in Konflikt zwischen Obama und Putin --------------------------------------------- http://derstandard.at/2000050064533 *** Grizzly Steppe: Russischer Schadcode bei US-Stromversorger gefunden *** --------------------------------------------- Zum Glück war es kein Steuerungsrechner: Ein US-Elektrizitätsversorger hat in einem Computer Schadcode gefunden, der von Grizzly Steppe stammen könnte. Die US-Behörden wollen jetzt untersuchen, ob weitere Versorgungsunternehmen betroffen sind. --------------------------------------------- http://www.golem.de/news/grizzly-steppe-russischer-schadcode-bei-us-stromve… *** DSA-3750 libphp-phpmailer - security update *** --------------------------------------------- Dawid Golunski discovered that PHPMailer, a popular library to sendemail from PHP applications, allowed a remote attacker to executecode if they were able to provide a crafted Sender address. --------------------------------------------- https://www.debian.org/security/2016/dsa-3750 *** Creepy Site Claims To Reveal Torrenting Histories *** --------------------------------------------- Slashdot reader dryriver writes: The highly invasive and possibly Russian owned and operated website IKnowWhatYouDownload.com immediately shows [a] bittorent download history for .. --------------------------------------------- https://yro.slashdot.org/story/16/12/31/0214203/creepy-site-claims-to-revea… *** Zend Framework Input Validation Flaw in zend-mail Lets Remote Users Execute Arbitrary Code on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1037539 *** Linux Kernel sg_write() and bsg_write() Functions Let Local Users Obtain Root Privileges *** --------------------------------------------- http://www.securitytracker.com/id/1037538 *** E-Mail-Dienst Lavabit kehrt zur Trump-Angelobung zurück *** --------------------------------------------- Der ehemalige E-Mail-Anbieter, den Edward Snowden nutzte, könnte ausgerechnet zur Trump-Inauguration zurückkommen. --------------------------------------------- https://futurezone.at/digital-life/e-mail-dienst-lavabit-kehrt-zur-trump-an… *** Nach stundenlangem Ausfall: Bankomatkassen wieder in Betrieb *** --------------------------------------------- Technische Probleme der Schweizer Firma SIX Payment Service behoben – Bankomaten nicht betroffen --------------------------------------------- http://derstandard.at/2000050083333 *** Firefox 52 more privacy oriented with a Tor protection mechanism *** --------------------------------------------- Mozilla development team announced a new privacy protection mechanism that will come with Firefox 52, it aims to prevent websites from fingerprinting users. Mozilla announced the introduction of a new privacy protection .. --------------------------------------------- http://securityaffairs.co/wordpress/54938/digital-id/firefox-52-privacy.html *** Thunderbird: Mozilla schließt mit Sicherheitsupdate kritische Lücken *** --------------------------------------------- In Thunderbird klaffen mehrere Sicherheitslücken, deren Bedrohungsgrad Mozilla mit 'kritisch' und 'hoch' einstuft. Eine abgesicherte Version ist verfügbar. --------------------------------------------- https://heise.de/-3583472 *** Erpresser-Botschaft in Dauerschleife: Smart TV von LG mit Ransomware infiziert *** --------------------------------------------- Bisher warnten Sicherheitsforscher nur davor, dass Erpressungs-Trojaner auch Smart TVs mit Android-Betriebssystem befallen könnten. Nun ist es offensichtlich zu einer ersten dokumentierten Infektion gekommen. --------------------------------------------- https://heise.de/-3584043 *** l+f: Lesen statt Lösegeld *** --------------------------------------------- Ein Erpressungs-Trojaner zwingt seine Opfer, sich in puncto Computer-Sicherheit weiterzubilden. --------------------------------------------- https://heise.de/-3585353 *** Russische Hacker nutzten laut FBI für Angriffe auch Rechner in Wien *** --------------------------------------------- Server des Vereins "Funkfeuer" findet sich auf von US-Behörden veröffentlichter Liste an Angriffscomputern --------------------------------------------- http://derstandard.at/2000050143907

1 0

Tageszusammenfassung - Freitag 30-12-2016
by Daily end-of-shift report 30 Dec '16

30 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 29-12-2016 18:00 − Freitag 30-12-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Session Stealer Script Used In OpenCart *** --------------------------------------------- With so many open-source ecommerce platforms available in the market, selling online is an appealing and easy option for any store owner. In a few clicks you can set up an online storefront and sell your products. While the process to get the site up may be simple, there are .. --------------------------------------------- https://blog.sucuri.net/2016/12/session-stealer-script-used-opencart.html *** Recent Spam Runs in Germany Show How Threats Intend to Stay in the Game *** --------------------------------------------- In early December, GoldenEye ransomware (detected by Trend Micro as RANSOM_GOLDENEYE.A) was observed targeting German-speaking users—particularly those belonging to the human .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/recent-spam-runs… *** Grizzly Steppe: FBI nennt 900 IP-Adressen russischer Hackerangriffe *** --------------------------------------------- Nach den Sanktionen folgen die Indikatoren: Die US-Regierung veröffentlicht ihre Analyse zu den angeblich russischen Hackerattacken auf weltweite Institutionen. Auch über IP-Adressen aus Deutschland sollen die Angriffe gelaufen sein. --------------------------------------------- http://www.golem.de/news/grizzly-steppe-fbi-nennt-900-ip-adressen-russische… *** Apples iMessage anfällig für manipulierte Kontaktdateien *** --------------------------------------------- Eine manipulierte vCard, die aktuell per iMessage und MMS im Umlauf ist, kann die Nachrichten-App auf dem iPhone oder iPad des Empfängers zum Absturz bringen – und komplett lahmlegen. Es gibt aber einen Ausweg. --------------------------------------------- https://heise.de/-3582980 *** Vuln: Lenovo Transition CVE-2016-8227 Local Privilege Escalation Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95159 *** More on Protocol 47 denys *** --------------------------------------------- Following up on yesterdays diary on an increase in Protocol 47 traffic. Thanks to everyone who sent the ISC PCAPs and more information. Current speculation is the Protocol 47 uptick is backscatter from a DDOS containing GRE traffic and using .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21867&rss *** Cyber-Angriffe: Die schwierige Spurensuche *** --------------------------------------------- Vorwürfe eher auf Basis eines Motivs denn auf Basis technischer Hinweise oder Beweise --------------------------------------------- http://derstandard.at/2000050034274 *** Dell SonicWALL Secure Mobile Access SMA 8.1 XSS And WAF CSRF *** --------------------------------------------- SonicWALL SMA suffers from a XSS issue due to a failure to properly sanitize user-supplied input to several parameters. Attackers can exploit this weakness to execute arbitrary HTML and script code in a users browser session. The WAF was bypassed via form-based CSRF. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5393.php *** Dell SonicWALL Network Security Appliance NSA 6600 Reflected XSS *** --------------------------------------------- SonicWALL NSA suffers from a XSS issue due to a failure to properly sanitize user-supplied input to the curUserName GET parameter in the appFirewallSummary.html script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a users browser session. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5391.php *** Dell SonicWALL Global Management System (GMS) 8.1 Adobe Flex SOP Bypass *** --------------------------------------------- Dell SonicWALL GMS versions 8.1 and below are compiled with a vulnerable version of Adobe Flex SDK allowing for same-origin request forgery and cross-site content hijacking. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5390.php *** Dell SonicWALL Global Management System GMS 8.1 XSS Vulnerabilities *** --------------------------------------------- Dell SonicWALL GMS suffers from multiple reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a users browser session in context of an affected site. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5389.php *** Dell SonicWALL Global Management System GMS 8.1 Blind SQL Injection *** --------------------------------------------- Dell SonicWALL GMS suffers from multiple SQL Injection vulnerabilities. Input passed via the GET parameters searchBySonicwall, firstChangeOrderID, secondChangeOrderID and coDomainID is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5388.php

1 0

Tageszusammenfassung - Donnerstag 29-12-2016
by Daily end-of-shift report 29 Dec '16

29 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 28-12-2016 18:00 − Donnerstag 29-12-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** 33C3: Türsprechanlagen sind des Hackers fette Beute *** --------------------------------------------- Immer mehr Hersteller von Sprechanlagen für Firmen- und Privathäuser setzen zur Kommunikationsübertragung auf den Mobilfunk statt leitungsgebundene Technik. Hackern wird es damit möglich, Türen zu öffnen oder Premiumnummern anzuwählen. --------------------------------------------- https://heise.de/-3582807 *** IBM Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix (CVE-2016-5573, CVE-2016-5597, CVE-2016-8934) *** --------------------------------------------- There are multiple vulnerabiltities in the IBM® SDK Java™ Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed as part of the IBM SDK for Java updates in October .. --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21995995 *** IBM Security Bulletin: GNU C library (glibc) vulnerabilities affect IBM Security Network Active Bypass (CVE-2016-3706, CVE-2016-4429) *** --------------------------------------------- GNU C library (glibc) vulnerabilities were found that affect IBM Security Network Active Bypass. CVE(s): CVE-2016-3706, CVE-2016-4429 Affected product(s) and affected version(s): IBM Security .. --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21996174 *** IBM Security Bulletin: Vulnerabilies (17 total), in Oracle Outside In Technology (OIT) affect FileNet Content Manager, and IBM Content Foundation *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21988553 *** IBM Security Bulletin: Vulnerability in Apache PDFBox affects FileNet Content Manager and IBM Content Foundation (CVE-2016-2175) *** --------------------------------------------- Security vulnerabilitiy exists in Apache PDFBox that affects IBM FileNet Content Manager and IBM Content .. --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21987188 *** 33C3: Bitcoin-Automaten sind noch kein lohnendes Angriffsziel *** --------------------------------------------- Sicherheitsexperten haben auf dem Hamburger Hackertreffen beklagt, dass bei klassischen Geldautomaten weiterhin große Sicherheitslücken bestehen. Bitcoin-Tauschmaschinen hingegen seien für Kriminelle noch uninteressant. --------------------------------------------- https://heise.de/-3582875

1 0

Tageszusammenfassung - Mittwoch 28-12-2016
by Daily end-of-shift report 28 Dec '16

28 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 27-12-2016 18:00 − Mittwoch 28-12-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Bugtraq: PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch) *** --------------------------------------------- http://www.securityfocus.com/archive/1/539967 *** Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161228-… *** Android Trojan Switcher Infects Routers via DNS Hijacking *** --------------------------------------------- A new Android Trojan, Switcher, uses victims devices to infect WiFi routers and funnel users of the network to malicious sites. --------------------------------------------- http://threatpost.com/android-trojan-switcher-infects-routers-via-dns-hijac… *** Security Advisory - Input Validation Vulnerability in Huawei VRP Platform *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161228-… *** 33C3: Bluetooth-Schlösser: Smart, aber nicht sicher *** --------------------------------------------- App statt Schlüssel: Immer mehr Hersteller bieten Schlösser mit Cloud-Anbindung an. Doch Lockpicker können die teuren Geräte ohne große Probleme knacken. --------------------------------------------- https://heise.de/-3582323 *** IT-Sicherheit im Jahr 2016: Der Nutzer ist nicht schuld *** --------------------------------------------- Geht es um IT-Sicherheitsprobleme, wird gern über die Nutzer geschimpft. Und auch wenn viele Nutzer tatsächlich Fehler machen, liegt die Verantwortung für Sicherheitslücken, Botnetze und mangelnden Datenschutz meist bei anderen. --------------------------------------------- http://www.golem.de/news/it-sicherheit-im-jahr-2016-der-nutzer-ist-nicht-sc… *** Bugtraq: [CVE-2016-8741] Apache Qpid Broker for Java - Information Leakage *** --------------------------------------------- http://www.securityfocus.com/archive/1/539968 *** Using Guzzle and PHPUnit for REST API Testing *** --------------------------------------------- APIs are increasingly becoming the backbone of the modern internet - whether youre ordering .. --------------------------------------------- https://blog.cloudflare.com/using-guzzle-and-phpunit-for-rest-api-testing/ *** Vuln: Multiple Samsung Devices OTP Service Remote Heap Buffer Overflow Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95134 *** IBM Security Bulletin: IBM Security Guardium Database Activity Monitor is affected by OS Command Injection (CVE-2016-6065) *** --------------------------------------------- IBM Security Guardium Database Activity Monitor appliance could allow a local user to inject commands that would be executed as root. IBM Security Guardium Database Activity .. --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21995657 *** Hacker-Angriff auf OSZE in Wien: Daten gestohlen *** --------------------------------------------- Die OSZE mit Sitz in Wien wurde Anfang November Ziel einer Hackerattacke. Daten und die Integrität des Netzwerkes der OSZE waren gefährdet, sagte eine Sprecherin. --------------------------------------------- https://futurezone.at/netzpolitik/hacker-angriff-auf-osze-in-wien-daten-ges… *** Reverse Engineering: Sicherheitsforscher öffnen Threema-Blackbox *** --------------------------------------------- Zwei Sicherheitsforscher haben auf dem 33C3 einen genauen Blick in die innereien des Messengers Threema geworfen. Ihre Ergebnisse sind bei Github dokumentiert - und sollen sich für die Entwicklung von Bots eignen. --------------------------------------------- http://www.golem.de/news/reverse-engineering-sicherheitsforscher-oeffnen-th…

1 0

Tageszusammenfassung - Dienstag 27-12-2016
by Daily end-of-shift report 27 Dec '16

27 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 23-12-2016 18:00 − Dienstag 27-12-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** NetApp Snap Creator Framework Flaw Lets Remote Users Obtain Potentially Sensitive Information on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1037530 *** BMC Remedy Action Request System Password Reset Flaw Lets Remote Users Modify Passwords on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1037529 *** Netgear-Router N300 mit massiver Sicherheitslücke *** --------------------------------------------- Netgears Router N300 (Modell WNR2000) weist eine Schwachstelle auf, über die Angreifer Zugriff auf die Admin-Funktionen des Geräts erlangen können. Ein .. --------------------------------------------- http://derstandard.at/2000049819772 *** [local] - OpenSSH < 7.4 - UsePrivilegeSeparation Disabled Forwarded Unix Domain Sockets Privilege Escalation *** --------------------------------------------- This issue affects OpenSSH if privilege separation is disabled (config option UsePrivilegeSeparation=no). While privilege separation is enabled by default, it .. --------------------------------------------- https://www.exploit-db.com/exploits/40962/ *** ZyXEL and Netgear Fail to Patch Seven Security Flaws Affecting Their Routers *** --------------------------------------------- Router manufacturers such as Netgear and ZyXEL have failed to address seven security flaws reported .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/zyxel-and-netgear-fail-to-pa… *** DFN-CERT-2016-2141/">Exim: Zwei Schwachstellen ermöglichen das Ausspähen von Informationen und die Eskalation von Privilegien *** --------------------------------------------- Ein entfernter, nicht authentifizierter Angreifer kann sensitive Informationen ausspähen und möglicherweise weitere Angriffe ausführen, wenn Exim unter bestimmten Bedingungen kompiliert wurde und ausgeführt wird. Dazu muss .. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-2141/ *** 33C3: CCC-Kongress beginnt in Hamburg *** --------------------------------------------- Unter dem Motto "Works for me" hat der Kongress des Chaos Computer Clubs in Hamburg begonnen. Vier Tage lang beschäftigen sich die 12.000 Teilnehmer mit Hacks, Politik und alternativen Lebensentwürfen. --------------------------------------------- https://heise.de/-3582149 *** Vuln: PyCrypto cryptmsg.py Buffer Overflow Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/95122 *** IBM Security Bulletin: Vulnerabilities in Bind affect IBM SmartCloud Entry (CVE-2016-2776 CVE-2016-2848 ) *** --------------------------------------------- IBM SmartCloud Entry is vulnerable to bind vulnerabilities. Remote attackers could exploit the vulnerabilities to trigger an assertion failures and make named .. --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1024649

1 0

Tageszusammenfassung - Samstag 24-12-2016
by Daily end-of-shift report 24 Dec '16

24 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 22-12-2016 18:00 − Freitag 23-12-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Litauen entdeckt russische Spionage-Software auf Regierungsrechnern *** --------------------------------------------- Schadsoftware wurde offenbar mittels infizierter USB-Sticks auf die Computer eingebracht --------------------------------------------- http://derstandard.at/2000049749836 *** So somebody is throwing HTML at your sshd. What to do? *** --------------------------------------------- Yes, its exactly as wrong as it sounds. Heres a distraction with bizarre twists for the true log file junkies among you. Happy reading for the holidays!As will probably not surprise .. --------------------------------------------- http://bsdly.blogspot.com/2016/12/so-somebody-is-throwing-html-at-your.html *** Cerber Ransomware Doesnt Delete Shadow Volume Copies Anymore, Prioritizes Office Docs *** --------------------------------------------- Recent versions of the Cerber ransomware are behaving somewhat different from older variants, with the ransomware .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cerber-ransomware-doesnt-del… *** Before You Pay that Ransomware Demand… *** --------------------------------------------- A decade ago, if a desktop computer got infected with malware the chief symptom probably was an intrusive browser toolbar of some kind. Five years ago you were more likely to whacked .. --------------------------------------------- https://krebsonsecurity.com/2016/12/before-you-pay-that-ransomware-demand/ *** Steganalysis, the Counterpart of Steganography *** --------------------------------------------- In my last blog post I discussed the art of embedding secret messages in any file so that only the sender and the receiver .. --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Steganalysis,-the-Count… *** New Guide to Fixing Google Blacklist Warnings *** --------------------------------------------- One of the worst experiences a website owner can have is being blacklisted by Google. If you are one of the 10,000 websites that has been slapped with a .. --------------------------------------------- https://blog.sucuri.net/2016/12/guide-to-fix-site-warnings.html *** Fidelix FX-20 Series Controllers Path Traversal Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a path traversal vulnerability in Fidelix FX-20 series controllers. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-357-01 *** WAGO Ethernet Web-based Management Authentication Bypass Vulnerability *** --------------------------------------------- This advisory contains mitigation details for an authentication bypass vulnerability in WAGO’s Ethernet Web-based Management products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-357-02 *** Your password expiry policy may have reached its expiry date *** --------------------------------------------- In cyber security as much as anywhere else, its important to use the right tools for the job at hand. However, sometimes we can get a bit too attached to particular tools, .. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/your-password-expiry-policy-may-have-reac… *** As Bitcoin Price Surges, Phishing Attacks on Cryptocurrency Wallets Intensify *** --------------------------------------------- Bitcoin price surge reverberates through cybercriminal landscape, as cyber-criminals ramp up phishing attacks .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/as-bitcoin-price-surges-phis… *** Using Monitor Resolution as Obfuscation Technique *** --------------------------------------------- A quick blog post about a malicious VBScript macro that I analysed. Bad guys have always plenty of .. --------------------------------------------- https://blog.rootshell.be/2016/12/23/using-monitor-resolution-obfuscation-t… *** Keine Belege für geplante russische Cyberangriffe auf die Bundestagswahl *** --------------------------------------------- http://derstandard.at/2000049777463 *** Drastische Warnungen vor dem "Internet der Dildos" *** --------------------------------------------- Neue Gruppe will auf Gefahren durch smarte Sexspielzeuge aufmerksam machen --------------------------------------------- http://derstandard.at/2000049785388 *** Alle Jahre wieder: Netgear-Router N300 / WNR2000 angreifbar *** --------------------------------------------- Eine Zero-Day-Lücke plagt mal wieder Router von Netgear. Das verwundbare Modell ist in der Vergangenheit auch schon Opfer gravierender Lücken geworden. --------------------------------------------- https://heise.de/-3581275 *** Koolova Ransomware Decrypts for Free if you Read Two Articles about Ransomware *** --------------------------------------------- A new in-development variant of the Koolova Ransomware has been discovered that will decrypt your .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/koolova-ransomware-decrypts-… Aufgrund des Feiertages am Montag, den 26.12.2016, erscheint der nächste End-of-Shift-Report erst am Dienstag, den 27.12.2016

1 0

Tageszusammenfassung - Donnerstag 22-12-2016
by Daily end-of-shift report 22 Dec '16

22 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 21-12-2016 18:00 − Donnerstag 22-12-2016 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter *** MS16-DEC - Microsoft Security Bulletin Summary for December 2016 - Version: 1.2 *** --------------------------------------------- V1.2 (December21, 2016): The December 13, 2016, Security and Quality Rollups updates 3210137 and 3210138 contain a known issue that affects the .NET Framework 4.5.2 running on Windows 8.1, Windows Server 2012 R2, and Windows Server 2012. The issue was also present in the November 15, 2016, Preview of Quality rollup updates that were superseded by the December 13, 2016 Rollup updates. The issue causes applications that connect to an instance of Microsoft SQL Server on the same computer to generate the following error message: “provider: Shared Memory Provider, error: 15 - Function not supported” For more information please refer to Knowledge Based Article 3214106 --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS16-DEC *** NIST Asks Public For Help With Quantum-Proof Cryptography *** --------------------------------------------- chicksdaddy quotes a report from The Security Ledger: With functional, quantum computers on the (distant?) horizon, The National Institute of Standards and Technology (NIST) is asking the public for help heading off what it calls "a looming threat to information security:" powerful quantum computers capable of breaking even the strongest encryption codes used to protect the privacy of digital information. In a statement Tuesday, NIST asked the public to submit ideas for... --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/_VC9qbMlmm8/nist-asks-publi… *** HTTPS-Zwang für Apps: Apple verlängert Deadline *** --------------------------------------------- Eigentlich sollten iPhone- und iPad-Apps ab Jahresende nicht mehr über ungesicherte HTTP-Verbindungen kommunizieren, nun hat Apple zusätzliche Zeit für die Umstellung eingeräumt. --------------------------------------------- https://heise.de/-3579891 *** vSphere Data Protection: VMware entfernt hart-codierten Root-Key *** --------------------------------------------- Angreifer sollen die Backup- und Recovery-Lösung für virtuelle Maschinen mit vergleichsweise wenig Aufwand übernehmen können. Sicherheitspatches stehen zum Download bereit. --------------------------------------------- https://heise.de/-3579872 *** Security Alert: Malicious Script Injections Spread Cerber Ransomware, Make Use of Nemucod Downloader *** --------------------------------------------- This ongoing ransomware campaign packs a big punch against its victims, aiming for a high success rate in terms of infected systems. Using a malware cocktail to drive infection rates The cybercriminals behind the campaign are compromising legitimate websites by injecting malicious scripts. The injects then redirect the victims' Internet traffic to a Cerber gateway... --------------------------------------------- https://heimdalsecurity.com/blog/security-alert-malicious-script-injections… *** Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units *** --------------------------------------------- In June CrowdStrike identified and attributed a series of targeted intrusions at the Democratic National Committee (DNC), and other political organizations that utilized a well known implant commonly called X-Agent. X-Agent is a cross platform remote access toolkit, variants have been identified for various Windows operating systems, Apple's iOS, and likely the MacOS. Also known as Sofacy, X-Agent has been tracked by the security community for almost a decade, CrowdStrike associates the... --------------------------------------------- https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian… *** Writing Burp Extensions (Shodan Scanner) *** --------------------------------------------- In this article, we will have an overview of writing Burp extensions. At the end of the post, we will have an extension that will take any HTTP request, determine the IP address of domain and get specific information using Shodan API. I have divided the article in the following hierarchy so that you can... --------------------------------------------- http://resources.infosecinstitute.com/writing-burp-extensions-shodan-scanne…

1 0

Tageszusammenfassung - Mittwoch 21-12-2016
by Daily end-of-shift report 21 Dec '16

21 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 20-12-2016 18:00 − Mittwoch 21-12-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** PrestaShop Attack Steals Login Credentials *** --------------------------------------------- Attackers compromise sites with a number of goals in mind – also referred to as actions on objective. In some instances they aim to abuse resources or gain SEO power, and in others they are seeking access to sensitive data, also known as data exfiltration. The .. --------------------------------------------- https://blog.sucuri.net/2016/12/prestashop-attack-steals-login-credentials.… *** Data Center Physical Security *** --------------------------------------------- A data center is the epicenter of any online infrastructure. A data center’s size can vary widely, depending on an organization’s needs. Broadly speaking, a .. --------------------------------------------- http://resources.infosecinstitute.com/data-center-physical-security/ *** DSA-3741 tor - security update *** --------------------------------------------- It was discovered that Tor, a connection-based low-latency anonymouscommunication system, .. --------------------------------------------- https://www.debian.org/security/2016/dsa-3741 *** Kaspersky updates RannohDecryptor to decrypt CryptXXXs Crypt, Cryp1, and Crypz Extensions *** --------------------------------------------- If you are a CryptXXX Ransomware victim who didnt pay the ransom and instead decided to store their encrypted files and ransom notes for future fixes then you .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kaspersky-updates-rannohdecr… *** 33c3-Programm: Was vom Hacker-Kongress zu erwarten ist *** --------------------------------------------- Von 27. bis 30. Dezember findet in Hamburg zum 33. Mal das jährliche Hackertreffen des Chaos Computer Club (CCC) statt. Fahrplan und Wiki geben eine erste Programmübersicht. --------------------------------------------- https://futurezone.at/netzpolitik/33c3-programm-was-vom-hacker-kongress-zu-… *** Netgear-Sicherheitslücke: Updates für vier betroffene Router fertig *** --------------------------------------------- Für die Router R6250, R6400, R7000 und R8000 stehen ab sofort Firmware-Updates zur Verfügung. Die Installation der Updates wird dringend empfohlen. Für weitere sieben Router mit Sicherheitslücke steht bisher nur die Beta-Version zum Download bereit. --------------------------------------------- https://heise.de/-3578415 *** Antivirensoftware: Die Schlangenöl-Branche *** --------------------------------------------- Antivirenprogramme gelten Nutzern und Systemadministratoren als unverzichtbar. Doch viele IT-Sicherheitsexperten sind extrem skeptisch. Antivirensoftware ist oft selbst voller Sicherheitslücken - und hat sehr grundsätzliche Grenzen. --------------------------------------------- http://www.golem.de/news/antivirensoftware-die-schlangenoel-branche-1612-12… *** Panasonic Plays Down Security Bugs Found in Airplane In-Flight Entertainment Systems *** --------------------------------------------- Security firm IOActive published research yesterday detailing security flaws in .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/panasonic-plays-down-securit… *** How Skype fixes security vulnerabilities *** --------------------------------------------- This post describes my fruitless effort to convince Microsoft employees that their service is vulnerable, and the humiliation one has to go through should one’s account be blocked by a hacker. This is a story of ignorance, pain and despair. --------------------------------------------- https://hub.zhovner.com/geek/how-skype-fixes-security-vulnerabilities/ *** Beliebte Passwörter: "Arschloch" unter den Top Ten *** --------------------------------------------- http://derstandard.at/2000049660283 *** Berlin-Anschlag: DDOS-Angriff auf Hinweisportal *** --------------------------------------------- http://derstandard.at/2000049672324 *** Linux/Rakos, the new Linux malware threatening devices and servers *** --------------------------------------------- A new Linux malware, dubbed Linux/Rakos is threatening devices and servers. The malware searches for victims via SSH scan. A new Linux malware, dubbed .. --------------------------------------------- http://securityaffairs.co/wordpress/54603/malware/linuxrakos-malware.html *** XSA-203 *** --------------------------------------------- http://xenbits.xen.org/xsa/advisory-203.html *** XSA-202 *** --------------------------------------------- http://xenbits.xen.org/xsa/advisory-202.html *** Auswertung: "Hallo" ist Deutschlands meistgenutztes Passwort *** --------------------------------------------- Eine Auswertung von Passwörtern aus frei zugänglichen Daten-Leaks hat ergeben, dass die meistgenutzten Passwörter in Deutschland alles andere als sicher sind. Nach "hallo" finden sich auch die Klassiker "passwort" und "passwort1" in der Liste. --------------------------------------------- http://www.golem.de/news/auswertung-hallo-ist-deutschlands-meistgenutztes-p… *** Cisco CloudCenter Orchestrator Docker Engine Privilege Escalation Vulnerability *** --------------------------------------------- A vulnerability in the Docker Engine configuration of Cisco CloudCenterOrchestrator (CCO; formely CliQr) could allow an unauthenticated, remote .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…

1 0

Tageszusammenfassung - Dienstag 20-12-2016
by Daily end-of-shift report 20 Dec '16

20 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 19-12-2016 18:00 − Dienstag 20-12-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** OpenSSH verabschiedet sich von SSHv1 *** --------------------------------------------- Die gerade veröffentlichte Version OpenSSH 7.4 entfernt die Unterstützung für das veraltete Protokoll SSHv1 auf Server-Seite. Im August soll es ganz beerdigt werden. Darüber hinaus gibt es auch ein paar Bug-Fixes. --------------------------------------------- https://heise.de/-3576071 *** Adobe Releases Flash Player 24 for Linux Four Years After the Last Major Update *** --------------------------------------------- Adobe released today Flash Player 24 for Linux, after previously abandoning the application without explanation in 2012. Flash Player for Linux is now on par with Windows and .. --------------------------------------------- https://www.bleepingcomputer.com/news/software/adobe-releases-flash-player-… *** ShadowBrokers Dump Came from Internal Code Repository, Insider *** --------------------------------------------- Researchers at Flashpoint said their analysis of the latest ShadowBrokers dump of NSA tools leads them to believe an insider with access to a code repository stole the data. --------------------------------------------- http://threatpost.com/shadowbrokers-dump-came-from-internal-code-repository… *** Raiding the Piggy Bank: Webshell Secrets Revealed *** --------------------------------------------- Introduction A recent investigation into credit card fraud that was enabled by a webshell revealed several .. --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Raiding-the-Piggy-Bank-… *** Unrestricted Backend Login Backdoor on OpenCart *** --------------------------------------------- >From the attacker’s perspective, creating ways to maintain access to a compromised website is desirable. We call them backdoors. Backdoors can be done in different ways, either by adding fake admin users to the site, or .. --------------------------------------------- https://blog.sucuri.net/2016/12/unrestricted-backend-login.html *** "How do you say Ground Hog Day in Ukrainian?" *** --------------------------------------------- http://ics.sans.org/blog/2016/12/20/how-do-you-say-ground-hog-day-in-ukrain… *** XSA-204 *** --------------------------------------------- http://xenbits.xen.org/xsa/advisory-204.html *** Ubuntu: Schwerer Fehler erlaubt Einschmuggeln von Schadcode *** --------------------------------------------- Crash-Reporter erwies sich als unbeabsichtigtes Einfallstor – Canonical bereinigt Bug mit Update --------------------------------------------- http://derstandard.at/2000049548961 *** Krypto-Messenger Signal in Ägypten blockiert *** --------------------------------------------- In Ägypten wird offenbar seit dem Wochenende Signal blockiert. Der Betreiber des Krypto-Messengers .. --------------------------------------------- https://heise.de/-3576578 *** Nagios Core ist angreifbar: Sicherheitslücken in Server-Überwachungssoftware *** --------------------------------------------- Nagios Core, eine Software zur Server-Überwachung, weist derzeit zwei kritische Sicherheitslücken auf. Angreifer können durch sie die absolute Systemkontrolle erhalten. Die aktuelle Version 4.2.4 schließt die Lücken. --------------------------------------------- https://heise.de/-3576359 *** Project Wycheproof: Krypto-Implementierung auf Sicherheit abklopfen *** --------------------------------------------- Von AES über ECDH bis RSA: Admins können mit Googles Project Wycheproof eine Sammlung von Tests auf ihre Server loslassen, um die Sicherheit der Konfiguration von Krpyto-Funktionen zu testen. --------------------------------------------- https://heise.de/-3576686 *** Ethereum Cryptocurrency Forum Suffers Data Breach *** --------------------------------------------- Administrators of the Ethereum Project have announced today a data breach that affected over 16,500 users of the platforms community forums. The breach took place .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ethereum-cryptocurrency-foru… *** Türkei blockiert wohl mit Deep Packet Inspection Zugang zu Tor *** --------------------------------------------- Türkische Provider blockieren offenbar seit dem Wochenende den direkten Zugang zum Anonymisierungsdienst Tor. Um die Verbindungsversuche zu identifizieren, kommt offenbar Deep Packet Inspection zum Einsatz. --------------------------------------------- https://heise.de/-3577109 *** Alice: A Lightweight, Compact, No-Nonsense ATM Malware *** --------------------------------------------- Trend Micro has discovered a new family of ATM malware called Alice, which is the most stripped down ATM malware family we have ever encountered. Unlike other .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweigh… *** Offizielles Forum der Krypto-Währung Ethereum gehackt *** --------------------------------------------- Unbekannte Angreifer haben Daten von rund 16.500 Nutzern abgezogen. Darunter finden sich auch Passwörter, die aber zum Großteil mit einem als sicher geltenden Verfahren geschützt sind. --------------------------------------------- https://heise.de/-3577111 *** Op-ed: Why I’m not giving up on PGP *** --------------------------------------------- http://arstechnica.com/information-technology/2016/12/signal-does-not-repla… *** Gefälschte card complete-Mail: Ihre Karte wurde gesperrt! *** --------------------------------------------- Kriminelle versenden eine gefälschte card complete-Nachricht. Darin behaupten sie, dass die Bank die Karte gesperrt habe. Kund/innen sollen sie deshalb .. --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschte-card-complete-mail-i… *** VMSA-2016-0023 *** --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2016-0023.html *** Sicherheitslücke bei Routern: Netgear liefert erste finale Firmware-Updates *** --------------------------------------------- Nach der schwerwiegenden Sicherheitslücke stellt Netgear erste Updates zur Verfügung. Für sieben betroffene Router liegen weiterhin nur Beta-Versionen vor. --------------------------------------------- http://www.golem.de/news/sicherheitsluecke-bei-routern-netgear-liefert-erst… *** Report: $3-5M in Ad Fraud Daily from ‘Methbot’ *** --------------------------------------------- New research suggests that an elaborate cybercrime ring is responsible for stealing between $3 million and $5 million worth of revenue from online publishers and video .. --------------------------------------------- https://krebsonsecurity.com/2016/12/report-3-5m-in-ad-fraud-daily-from-meth…

1 0

Tageszusammenfassung - Montag 19-12-2016
by Daily end-of-shift report 19 Dec '16

19 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 16-12-2016 18:00 − Montag 19-12-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Vuln: Exim CVE-2016-9963 Unspecified Information Disclosure Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/94947 *** Blocking Powershell Connection via Windows Firewall. *** --------------------------------------------- In my last post, I mapped controls to stop a malicious doc calling out via Powershell. Im now going to cover how using the Windows firewall can stop the attack .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21829 *** The banker that encrypted files *** --------------------------------------------- Many mobile bankers can block a device in order to extort money from its user. But we have discovered a modification of the mobile banking Trojan Trojan-Banker.AndroidOS.Faketoken that went even further – it can encrypt user data. In addition to that, this modification is attacking more than 2,000 financial apps around the world. --------------------------------------------- http://securelist.com/blog/research/76913/the-banker-that-encrypted-files/ *** IBM Security Bulletin: Code execution vulnerability in IBM MessageSight (CVE-2016-5983) *** --------------------------------------------- There is a potential code execution vulnerability in WebSphere Application Server Liberty Profile .. --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21995510 *** IBM Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server *** --------------------------------------------- The following security issues have been identified in WebSphere Application Server .. --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21995683 *** IBM Security Bulletin: Multiple vulnerabilities in IBM WebSphere affect IBM Control Center (CVE-2016-5983, CVE-2016-2923, CVE-2016-3092) *** --------------------------------------------- IBM WebSphere Application Server is shipped as a component of IBM Control Center. Multiple .. --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21995686 *** IBM Security Bulletin: Reflected XXS vulnerability in IBM Campaign (CVE-2016-0265) *** --------------------------------------------- Reflected cross-site scripting vulnerability affecting IBM Campaign has been addressed. CVE(s): CVE-2016-0265 .. --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21986033

1 0

Tageszusammenfassung - Freitag 16-12-2016
by Daily end-of-shift report 16 Dec '16

16 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 15-12-2016 18:00 − Freitag 16-12-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** My Yahoo Account Was Hacked! Now What? *** --------------------------------------------- Many readers are asking what they should be doing in response to Yahoos disclosure Wednesday that a billion of its user accounts were hacked. Here are a few suggestions and pointers, fashioned into a good old Q&A format. --------------------------------------------- https://krebsonsecurity.com/2016/12/my-yahoo-account-was-hacked-now-what/ *** 0-days hitting Fedora and Ubuntu open desktops to a world of hurt *** --------------------------------------------- If your desktop runs a mainstream release of Linux, chances are youre vulnerable. --------------------------------------------- http://arstechnica.com/security/2016/12/fedora-and-ubuntu-0days-show-that-h… *** One, if by email, and two, if by EK: The Cerbers are coming!, (Fri, Dec 16th) *** --------------------------------------------- Introduction One, if by land, and two, if by sea is a phrase used by American poet Henry Wadsworth Longfellow in his poem Paul Reveres Ride first published in 1861. Longfellows poem tells a somewhat fictionalized tale of Paul Revere in 1775 during the American revolution. If British troops came to attack by land, Paul would hang one lantern in a church tower as a signal light. If British troops came by sea, Paul would hang two lanterns. Much like the British arriving by land or by sea, Cerber --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21823&rss *** Phishing: "Es gibt immer noch genügend Opfer" *** --------------------------------------------- Olaf Schwarz, Information Security Officer bei der Direktbank ING-DiBa Austria, über Phishing und andere Betrugsmethoden bei Bankgeschäften im Internet. --------------------------------------------- https://futurezone.at/digital-life/phishing-es-gibt-immer-noch-genuegend-op… *** Hackerangriff auf Thyssenkrupp: Winnti spioniert deutsche Wirtschaft aus *** --------------------------------------------- Der Angriff auf Thyssenkrupp soll auf das Konto der Hackergruppe Winnti gehen, die früher Gaming-Plattformen attackiert hat. Weitere deutsche Firmen sollen betroffen sein. --------------------------------------------- http://www.golem.de/news/hackerangriff-auf-thyssenkrupp-winnti-spioniert-de… *** Microsoft to ditch Flash - sort of *** --------------------------------------------- Edge is getting more granular Flash controls, but that means you wont have to have it on for all sites just so its on for one. --------------------------------------------- https://nakedsecurity.sophos.com/2016/12/16/microsoft-to-ditch-flash-sort-o… *** Mac-Passwort lässt sich über Thunderbolt auslesen *** --------------------------------------------- Mit Hardware von der Stange kann ein Angreifer in rund 30 Sekunden das im Klartext vorliegende Passwort abgreifen und so Apples Festplattenverschlüsselung FileVault überwinden. --------------------------------------------- https://heise.de/-3573385 *** Linux-Sicherheit: Ubuntu-Bug ermöglicht das Ausführen von Schadcode *** --------------------------------------------- Ein schwerer Fehler in Ubuntus Crash-Handler Apport ermöglicht es Angreifern, auf einem Zielrechner beliebigen Code aus der Ferne auszuführen. --------------------------------------------- http://www.golem.de/news/linux-sicherheit-ubuntu-bug-ermoeglicht-das-ausfue… *** Smart Airports: How to protect airport passengers from cyber disruptions *** --------------------------------------------- ENISA publishes a study on "Securing smart airports" providing airport decision makers and security personnel a concrete guide on preventing cyber-attacks and disruptions. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/smart-airports-how-to-protect-a… *** Security Advisory - Input Validation Vulnerability in Wi-Fi Driver of Huawei Smart Phones *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161216-… *** SSA-856492 (Last Update 2016-12-16): Limited Entropy in PRNG of Desigo PX Web Modules *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-856492… *** Bugtraq: [security bulletin] HPSBMU03684 rev.1 - HPE Version Control Repository Manager (VCRM), Multiple Remote Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/539934 *** DFN-CERT-2016-2081: Red Hat JBoss Core Services: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-2081/ *** Security Advisory: TMM vulnerability CVE-2016-9247 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/33/sol33500120.html?… *** Security Advisory: BIG-IP TMM iRules vulnerability CVE-2016-5024 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/92/sol92859602.html?… *** Sentinel 8.0.0 P1 (Sentinel 8.0.0.1) Build 3404 *** --------------------------------------------- Abstract: Sentinel 8.0.0. upgrade patch for Sentinel 7 and 8Document ID: 5264730Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:sentinel_opensourcecomponents-8.0.0.1-3404.tar.gz (65.02 MB)sentinel_opensourcecomponents-8.0.0.1-3404.tar.gz.sha256 (117 bytes)sentinel_server-8.0.0.1-3404.x86_64.tar.gz (2.09 GB)sentinel_server-8.0.0.1-3404.x86_64.tar.gz.sha256 (109 bytes)Products:Sentinel 7SentinelSentinel 7.3Sentinel 7.3.1Sentinel 7.3.2Sentinel 7.4Sentinel 7.3.3Sentinel --------------------------------------------- https://download.novell.com/Download?buildid=3iJxPcG2H9M~ *** Fatek Automation PLC WinProladder Stack-Based Buffer Overflow Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a stack-based buffer overflow vulnerability in Fatek Automation's PLC WinProladder application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-350-01 *** OmniMetrix OmniView Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for vulnerabilities in OmniMetrix's OmniView web application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-350-02 *** Mutiple SONY Videoconference Systems do not properly perform authentication *** --------------------------------------------- Mutiple SONY Videoconference Systems do not properly perform authentication. --------------------------------------------- http://jvn.jp/en/jp/JVN42070907/ *** ZDI-16-670: Avira Free Antivirus ssmdrv Kernel Driver Memory Corruption Privilege Escalation Vulnerability *** --------------------------------------------- This vulnerability allows attackers to escalate privileges on vulnerable installations of Avira Free Antivirus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-670/ *** ZDI: Autodesk Design Review Remote Code Execution Vulnerabilities *** --------------------------------------------- *** ZDI-16-669: Autodesk Design Review JFIF Buffer Overflow Remote Code Execution Vulnerability *** http://www.zerodayinitiative.com/advisories/ZDI-16-669/ --------------------------------------------- *** ZDI-16-668: Autodesk Design Review PNG Use-After-Free Remote Code Execution Vulnerability *** http://www.zerodayinitiative.com/advisories/ZDI-16-668/ --------------------------------------------- *** ZDI-16-667: Autodesk Design Review BMP Buffer Overflow Remote Code Execution Vulnerability *** http://www.zerodayinitiative.com/advisories/ZDI-16-667/ --------------------------------------------- *** ZDI-16-666: Autodesk Design Review FLI Buffer Overflow Remote Code Execution Vulnerability *** http://www.zerodayinitiative.com/advisories/ZDI-16-666/ --------------------------------------------- *** ZDI-16-665: Autodesk Design Review GIF LZW Out-Of-Bounds Indexing Remote Code Execution Vulnerability *** http://www.zerodayinitiative.com/advisories/ZDI-16-665/ --------------------------------------------- *** ZDI-16-664: Autodesk Design Review JPEG DHT Out-Of-Bounds Indexing Remote Code Execution Vulnerability *** http://www.zerodayinitiative.com/advisories/ZDI-16-664/ --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM StoredIQ (CVE-2016-2177, CVE-2016-2178, CVE-2016-2180) *** http://www-01.ibm.com/support/docview.wss?uid=swg21994870 --------------------------------------------- *** IBM Security Bulletin: Sweet32 vulnerability that impacts Triple DES cipher affects Communications Server for Data Center Deployment, Communications Server for AIX, Linux, Linux on System z, and Windows (CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg21995057 --------------------------------------------- *** IBM Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix *** http://www-01.ibm.com/support/docview.wss?uid=swg21993842 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM InfoSphere Information Server (CVE-2016-3485 CVE-2016-5597) *** http://www.ibm.com/support/docview.wss?uid=swg21990635 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSH affect IBM Flex System Manager (FSM) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1024669 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 15-12-2016
by Daily end-of-shift report 15 Dec '16

15 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 14-12-2016 18:00 − Donnerstag 15-12-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** No More Ransom Project Expands with 34 New Partners, 32 New Free Decryption Tools *** --------------------------------------------- The "No More Ransom" project, set up in July by Intel Security, Kaspersky Lab, Europol, and the Dutch National police to help victims of ransomware infections, has expanded today with 34 new partners, and 32 new decryptors that can help ransomware victims unlock their files for free. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/no-more-ransom-project-expan… *** Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe *** --------------------------------------------- Targeted attacks are typically carried out against individuals to obtain intellectual property and other valuable data from target organizations. These individuals are either directly in possession of the targeted information or are able to connect to networks where the information resides. Microsoft researchers have encountered twin threat activity groups that appear to target individuals for... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-p… *** Yahoo muss erneut Massenhack beichten: Eine Milliarde Opfer *** --------------------------------------------- Im September hatte Yahoo einen Hack von über einer halben Milliarde Nutzerkonten bekanntgegeben. Den Rekord hat Yahoo nun gebrochen. Diesmal geht es um über eine Milliarde Konten. Dazu kommen gezielte Attacken mittels Cookies. --------------------------------------------- https://heise.de/-3570674 *** Mobile Ransomware: How to Protect Against It *** --------------------------------------------- In our previous post, we looked at how malware can lock devices, as well as the scare tactics used to convince victims to pay the ransom. Now that we know what bad guys can do, well discuss the detection and mitigation techniques that security vendors can use to stop them. By sharing these details with other researchers, we hope to improve the industrys collective knowledge on mobile ransomware mitigation. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/XaGWjnUqHoY/ *** DefCamp Romania 2016 Videos and Slides *** --------------------------------------------- November 10-11, 2016, Bucharest, Romania --------------------------------------------- https://def.camp/archives/2016/ *** The Kings in Your Castle, Pt #5 *** --------------------------------------------- The last part in the article series about analyzing modern APTs deals with naming and attribution of APTs. This is far less trivial than it sounds. Analysts are often facing the same enemy all over again without realizing it. --------------------------------------------- https://blog.gdatasoftware.com/2016/12/29379-the-kings-in-your-castle-pt-5 *** Sicherheitslücken: Updates auch für ältere macOS-Versionen *** --------------------------------------------- Neben den in macOS Sierra und dem Browser Safari gestopften Schwachstellen hat Apple auch Sicherheits-Updates für OS X El Capitan und Yosemite veröffentlicht. Diese beheben eine kritische Schwachstelle. --------------------------------------------- https://heise.de/-3572108 *** Ask Sucuri: How to Stop Brute Force Attacks? *** --------------------------------------------- Again, there is no mystery to this: Enforce a strong password for all the users and a brute force attack will not succeed. The underlying problem, however, is a bit more complicated --------------------------------------------- https://blog.sucuri.net/2016/12/ask-sucuri-how-to-stop-brute-force-attacks.… *** A Backdoor in Skype for Mac OS X *** --------------------------------------------- Trustwave recently reported a locally exploitable issue in the Skype Desktop API Mac OS-X which provides an API to local programs/plugins executing on the local machine. The API is formally known as the Desktop API (previously known as the Skype... --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/A-Backdoor-in-Skype-for-Mac-… *** 5 Best Password Auditing Tools *** --------------------------------------------- A single weak password exposes your entire network to an external threat. Password hacking is one of the most critical and commonly exploited network security threats. In many ways, passwords should be viewed as your first line of defense where protecting your company's data is concerned. The huge number of data breaches occurs because someone... --------------------------------------------- http://resources.infosecinstitute.com/5-best-password-auditing-tools/ *** DFN-CERT-2016-2040: Netgear Router: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes mit Administratorrechten *** --------------------------------------------- Version 3 (2016-12-15 15:42) Der Hersteller aktualisiert den referenzierten Sicherheitshinweis und bestätigt auch die Verwundbarkeit von DSL-Modems mit den Modellnummern D6220 und D6400. Für alle verwundbaren WLAN- und DSL-Router stehen mittlerweile Firmwareupdates im Beta-Status als temporäre Lösung zur Verfügung. Netgear arbeitet weiter an einer Produktionsversion der Firmware für alle betroffenen Geräte. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-2040/ *** Remote shell execution vulnerability affects Good Enterprise Mobility Server (BSRT-2016-008) *** --------------------------------------------- This advisory addresses a remote shell execution vulnerability that has been discovered in Good Enterprise Mobility Server (GEMS). BlackBerry is not aware of any exploitation of this vulnerability. Customer risk is limited by the requirement that a potential attacker possess access to the internal network and by the functionality of the Karaf command shell. --------------------------------------------- http://support.blackberry.com/kb/articleDetail?articleNumber=000038814 *** Bugtraq: Nagios Core < 4.2.2 Curl Command Injection leading to Remote Code Execution [CVE-2016-9565] *** --------------------------------------------- http://www.securityfocus.com/archive/1/539925 *** F5 Security Advisory: Kerberos vulnerability CVE-2014-4343 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/15000/500/sol15553.htm… *** Sentinel 7.4 SP4 (Sentinel 7.4.4.0) Build 2904 *** --------------------------------------------- Abstract: Sentinel 7.4.3 upgrade for Sentinel 7.4Document ID: 5264470Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:sentinel_server-7.4.4.0-2904.x86_64.tar.gz (1.74 GB)sentinel_server-7.4.4.0-2904.x86_64.tar.gz.sha256 (109 bytes)Products:SentinelSentinel 7.4.4Sentinel 7.XSentinel 7.2Sentinel 7.4Sentinel 7.3Sentinel 7.2.1Sentinel 7.2.2Sentinel 7.3.1Sentinel 7.3.2Sentinel 7.4.1Sentinel 7.4.2Sentinel 7.3.3Sentinel 7.4.3Sentinel 7.3.4Superceded Patches:Sentinel 7.4 SP3 --------------------------------------------- https://download.novell.com/Download?buildid=RaGN-vIdupQ~ *** Security Advisory - Stack Overflow Vulnerability in Drive of Huawei Smart Phones *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161215-… *** SAP *** --------------------------------------------- *** Vuln: SAP Mobile Defense & Security Remote Authorization Bypass Vulnerability *** http://www.securityfocus.com/bid/94902 --------------------------------------------- *** Vuln: SAP HANA Cockpit Cross Site Scripting Vulnerability *** http://www.securityfocus.com/bid/94897 --------------------------------------------- *** Vuln: SAP HANA Remote Authorization Bypass Vulnerability *** http://www.securityfocus.com/bid/94898 --------------------------------------------- *** Vuln: SAP HANA XS Classic Information Disclosure Vulnerability *** http://www.securityfocus.com/bid/94896 --------------------------------------------- *** Vuln: SAP HANA Cockpit Information Disclosure Vulnerability *** http://www.securityfocus.com/bid/94910 --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager appliances allow web pages to be stored locally (CVE-2016-3024) *** http://www.ibm.com/support/docview.wss?uid=swg21995340 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager appliances are affected by an information exposure vulnerability (CVE-2016-3021) *** http://www.ibm.com/support/docview.wss?uid=swg21995436 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager appliances are affected by an information exposure vulnerability (CVE-2016-3023) *** http://www.ibm.com/support/docview.wss?uid=swg21995348 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager appliances are affected by a vulnerability due to incorrect permission assignment (CVE-2016-3022) *** http://www.ibm.com/support/docview.wss?uid=swg21995360 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager appliances are affected by cross-site scripting vulnerabilities (CVE-2016-3018) *** http://www.ibm.com/support/docview.wss?uid=swg21995347 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager appliances are affected by a vulnerability due to misconfiguration (CVE-2016-3017) *** http://www.ibm.com/support/docview.wss?uid=swg21995519 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager appliances are affected by a vulnerability related to code integrity checking (CVE-2016-3016) *** http://www.ibm.com/support/docview.wss?uid=swg21995518 --------------------------------------------- *** IBM Security Bulletin: IBM Notes is affected with Open Source Apache Struts Vulnerabilities (CVE-2016-1181, CVE-2016-1182) *** http://www-01.ibm.com/support/docview.wss?uid=swg21988182 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in libxml2 affects IBM BigFix Compliance Analytics. (CVE-2016-4447, CVE-2016-4448, CVE-2016-4449) *** http://www-01.ibm.com/support/docview.wss?uid=swg21989337 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in libxml2 affects IBM BigFix Compliance Analytics. (CVE-2016-3627) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991909 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-5597) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995989 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSLaffect IBM WebSphere MQ V6.0 on OpenVMS Alpha and Itanium platforms ( CVE-2016-2183 ) *** http://www.ibm.com/support/docview.wss?uid=swg21995922 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in RubyOnRails affects IBM BigFix Compliance Analytics. (CVE-2016-6316, CVE-2016-6317 *** http://www-01.ibm.com/support/docview.wss?uid=swg21991913 --------------------------------------------- *** IBM Security Bulletin: Cross-site request forgery vulnerability in IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware and IBM Tivoli Storage FlashCopy Manager for VMware (CVE-2016-6033) *** http://www.ibm.com/support/docview.wss?uid=swg21995545 --------------------------------------------- *** IBM Security Bulletin: IBM InfoSphere Information Server is vulnerable to Cross-Frame Scripting issue (CVE-2016-5984) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991682 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affects IBM BigFix Compliance Analytics. (CVE-2016-3485, CVE-2016-3498, CVE-2016-3552, CVE-2016-3503) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991910 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager appliances are affected by an SQL Injection vulnerability (CVE-2016-3046) *** http://www.ibm.com/support/docview.wss?uid=swg21995527 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager appliances are affected by an information disclosure vulnerability (CVE-2016-3045) *** http://www.ibm.com/support/docview.wss?uid=swg21995435 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager appliances are affected by an information exposure vulnerability (CVE-2016-3043) *** http://www.ibm.com/support/docview.wss?uid=swg21995446 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in libxml2 affects IBM BigFix Compliance Analytics. (CVE-2016-4483) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991911 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 14-12-2016
by Daily end-of-shift report 14 Dec '16

14 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 13-12-2016 18:00 − Mittwoch 14-12-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Facebook helps companies detect rogue SSL certificates for domains *** --------------------------------------------- Facebook has launched a tool that allows domain name owners to discover TLS/SSL certificates that were issued without their knowledge.The tool uses data collected from the many Certificate Transparency logs that are publicly accessible. Certificate Transparency (CT) is a new open standard requiring certificate authorities to disclose the certificate that they issue.Until a few years ago, there was no way of tracking the certificates issued by every certificate authority (CA). At best,... --------------------------------------------- http://www.cio.com/article/3149737/security/facebook-helps-companies-detect… *** MS16-DEC - Microsoft Security Bulletin Summary for December 2016 - Version: 1.0 *** --------------------------------------------- This bulletin summary lists security bulletins released for December 2016. For information about how to receive automatic notifications whenever Microsoft security bulletins are issued, visit Microsoft Technical Security Notifications. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS16-DEC *** Patchday: Kritische Lücken in Edge, Windows & Co. *** --------------------------------------------- Microsoft veröffentlicht im Dezember insgesamt zwölf Sicherheitsupdates. Im schlimmsten Fall können Angreifer Computer von Opfern durch den bloßen Aufruf einer manipulierten Webseite kapern. --------------------------------------------- https://heise.de/-3569916 *** MSRT December 2016 addresses Clodaconas, which serves unsolicited ads through DNS hijacking *** --------------------------------------------- In this month's Microsoft Malicious Software Removal Tool (MSRT) release, we continue taking down unwanted software, the pesky threats that force onto our computers things that we neither want nor need. BrowserModifier:Win32/Clodaconas, for instance, displays ads when you're browsing the internet. It modifies search results pages so that you see unsolicited ads related to your... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/12/13/msrt-december-2016-addr… *** "Statistisch gesehen": Verschlüsselungstrojaner - ein Millionengeschäft *** --------------------------------------------- Petya, Goldeneye - diese und andere Erpressungstrojaner haben weltweit viele Nutzer zur Kasse gebeten. Die Zahlungsmoral hängt nicht zuletzt von Empfehlungen der Behörden ab. Wie viel bisher wo gezahlt wurde, zeigt ein neues... --------------------------------------------- https://heise.de/-3569888 *** Malvertising Campaign Infects Your Router Instead of Your Browser *** --------------------------------------------- Malicious ads are serving exploit code to infect routers, instead of browsers, in order to insert ads in every site users are visiting. Discovered by security researchers from US security firm Proofpoint, this malvertising campaign is powered by a new exploit kit called DNSChanger EK. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/malvertising-campaign-infect… *** Modbus Stager: Using PLCs as a payload/shellcode distribution system *** --------------------------------------------- This weekend I have been playing around with Modbus and I have developed a stager in assembly to retrieve a payload from the holding registers of a PLC. Since there are tons of PLCs exposed to the Internet, I thought whether it would be possible to take advantage of the processing and memory provided by them to store certain payload so that it can be recovered later (from the stager). --------------------------------------------- http://www.shelliscoming.com/2016/12/modbus-stager-using-plcs-as.html *** UAC Bypass in JScript Dropper *** --------------------------------------------- What makes this sample different? After the classic execution of the PE files, it tries to bypass the Windows UAC using a "feature" present in eventvwr.exe. This system tool runs as a high integrity process and uses HKCU / HKCR registry hives to start mmc.exe which opens finally eventvwr.msc. --------------------------------------------- https://isc.sans.edu/diary/UAC+Bypass+in+JScript+Dropper/21813 *** Sophos schließt Dirty-Cow-Lücke in Sicherheitspaket UTM *** --------------------------------------------- Die Unified-Thread-Management-Lüsung von Sophos bekommt Sicherheitsupdates, die mehrere Schwachstellen schließen. --------------------------------------------- https://heise.de/-3570179 *** Electronic Safe Lock Analysis: Part 2 *** --------------------------------------------- After performing an initial tear-down, we were able to map out the device's behaviors and attack surface. We then narrowed our efforts on analyzing the device's BLE wireless communication. The Prologic B01's main feature is that it can be unlocked by a mobile Android or iOS device over BLE. The end result was a fully-automated attack that allows us to remotely compromise any Prologic B01 lock up to 100 yards away. --------------------------------------------- http://www.somersetrecon.com/blog/2016/10/14/electronic-safe-lock-analysis-… *** Microsoft Fixes Windows 10 Issue That Knocked People off the Internet *** --------------------------------------------- Microsft has released KB3206632, a Windows update that fixes an issue introduced in an earlier update that crashed the CDPSVC service and prevented some users from receiving IP address information via the DCHP protocol, used by both home and enterprise-grade routers to connect users to the Internet. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-10-… *** Xen Security Advisory 200 (CVE-2016-9932) - x86 CMPXCHG8B emulation fails to ignore operand size override *** --------------------------------------------- Impact: A malicious unprivileged guest may be able to obtain sensitive information from the host. --------------------------------------------- http://seclists.org/oss-sec/2016/q4/662 *** PHP: imagefilltoborder stackoverflow on truecolor images (CVE 2016-9933) *** --------------------------------------------- Invalid color causes stack exhaustion by recursive call to function gdImageFillToBorder when the image used is truecolor. This was tested on a 64 bits platform. --------------------------------------------- https://bugs.php.net/bug.php?id=72696 *** Joomla! Security Announcements *** --------------------------------------------- *** [20161203] - Core - Information Disclosure *** http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/EY3UcBwQtzI/666-20161203-c… --------------------------------------------- *** [20161202] - Core - Shell Upload *** http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/fI7Ty93n-Rk/665-20161202-c… --------------------------------------------- *** [20161201] - Core - Elevated Privileges *** http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/OjvlaBoXTCU/664-20161201-c… --------------------------------------------- *** [20161204] - Misc. Security Hardening *** http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/jYB3ItEGbWQ/667-20161204-m… --------------------------------------------- *** Novell Patches *** --------------------------------------------- *** Filr 2.0 - Security Update 3 *** https://download.novell.com/Download?buildid=Am-_TGOll0g~ --------------------------------------------- *** Filr 3.0 - Security Update 1 *** https://download.novell.com/Download?buildid=Qct0ao9jRAI~ --------------------------------------------- *** IDM 4.5 Delimited Text Driver 4.0.2.0 *** https://download.novell.com/Download?buildid=hX_xlukrkNY~ --------------------------------------------- *** Huawei Security Advisories *** --------------------------------------------- *** Security Advisory - Buffer Overflow Vulnerability in Wi-FI Driver of Huawei Smart Phone *** http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-… --------------------------------------------- *** Security Advisory - DoS Vulnerability in Huawei Firewall *** http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-… --------------------------------------------- *** Security Advisory - E-mail Information Leak Vulnerability in Android System *** http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-… --------------------------------------------- *** Security Advisory - Memory Leak Vulnerability in Some Huawei Products *** http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-… --------------------------------------------- *** ICS-CERT Advisories *** --------------------------------------------- *** Visonic PowerLink2 Vulnerabilities *** https://ics-cert.us-cert.gov/advisories/ICSA-16-348-01 --------------------------------------------- *** Moxa DACenter Vulnerabilities *** https://ics-cert.us-cert.gov/advisories/ICSA-16-348-02 --------------------------------------------- *** Delta Electronics WPLSoft, ISPSoft, and PMSoft Vulnerabilities *** https://ics-cert.us-cert.gov/advisories/ICSA-16-348-03 --------------------------------------------- *** Siemens SIMATIC WinCC and SIMATIC PCS 7 ActiveX Vulnerability *** https://ics-cert.us-cert.gov/advisories/ICSA-16-348-04 --------------------------------------------- *** Siemens S7-300/400 PLC Vulnerabilities *** https://ics-cert.us-cert.gov/advisories/ICSA-16-348-05 --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Oct 2016 - Includes Oracle Oct 2016 CPU affect Content Collector for IBM Connections *** https://www-01.ibm.com/support/docview.wss?uid=swg21988356 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Asset analyzer. (CVE-2016-5597) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995883 --------------------------------------------- *** IBM Security Bulletin: Sweet32 Birthday attacks on 64-bit block ciphers in TLS affect Content Manager for z/OS (CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995455 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in BIND affects IBM Netezza Host Management *** http://www.ibm.com/support/docview.wss?uid=swg21994505 --------------------------------------------- *** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009647 --------------------------------------------- *** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified. *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009554 --------------------------------------------- *** IBM Security Bulletin: Multiple Security Vulnerabilities in OpenSSL affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) *** http://www.ibm.com/support/docview.wss?uid=swg21995129 --------------------------------------------- *** IBM Security Bulletin: Password disclosure vulnerability in IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware vSphere GUI (CVE-2016-6034) *** http://www.ibm.com/support/docview.wss?uid=swg21995544 --------------------------------------------- *** IBM Security Bulletin: Potential Information Disclosure vulnerability in WebSphere Application Server affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2016-5986 *** http://www.ibm.com/support/docview.wss?uid=swg21995745 --------------------------------------------- *** IBM Security Bulletin: Potential Information Disclosure in WebSphere Application Server *** http://www-01.ibm.com/support/docview.wss?uid=swg21991469 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities affect IBM Spectrum Control formerly Tivoli Storage Productivity Center (CVE-2016-8941, CVE-2016-8942, CVE-2016-8943) *** http://www.ibm.com/support/docview.wss?uid=swg21995128 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 13-12-2016
by Daily end-of-shift report 13 Dec '16

13 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 12-12-2016 18:00 − Dienstag 13-12-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** (Adobe) Security Bulletins Posted *** --------------------------------------------- - Adobe Animate (APSB16-38) - Adobe Flash Player (APSB16-39) - Adobe Experience Manager Forms (APSB6-40) - Adobe DNG Converter (APSB16-41) - Adobe Experience Manager (APSB16-42) - Adobe InDesign (APSB16-43) - Adobe ColdFusion Builder (APSB16-44) - Adobe Digital Editions (APSB16-45) - Adobe RoboHelp (APSB16-46) --------------------------------------------- https://blogs.adobe.com/psirt/?p=1426 *** The importance of cryptography for the digital society *** --------------------------------------------- Following the Council meeting on 8th and 9th December 2016 in Brussels, ENISA's paper gives an overview into aspects around the current debate on encryption, while highlighting the Agency's key messages and views on the topic. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/the-importance-of-cryptography-… *** Vuln: PHP ext/wddx/wddx.c Denial of Service Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/94846 *** Vuln: PHP ext/standard/var.c Incomplete Fix Use After Free Remote Code Execution Vulnerability *** --------------------------------------------- Use After Free in PHP7 unserialize() --------------------------------------------- http://www.securityfocus.com/bid/94849 *** Unrestricted Backend Login Backdoor Method Seen in OpenCart *** --------------------------------------------- >From the attacker's perspective, creating ways to maintain access to a compromised website is desirable. This allows them to further distribute malware and perform different kinds of malicious activities. One of the ways attackers try to secure their access is by adding admin users, or pieces of malicious code throughout the site. This allows them to regain access easily, if needed. However, we recently found a unique way to achieve this kind of breach in OpenCart version 1.5.6.4. --------------------------------------------- https://blog.sucuri.net/2016/12/unrestricted-backend-login.html *** State of the Web 2016: Jede zweite Website ist ein Sicherheitsrisiko *** --------------------------------------------- Schwachstellen im Internet werden immer mehr, stellt Menlo Security in seinem Bericht über den "State of the Web" fest. Eine wichtige Rolle spielt das Nachladen externer Inhalte über Werbe-Netzwerke und Content Delivery Networks. --------------------------------------------- https://heise.de/-3569114 *** Netgear-Lücke dramatischer als angenommen, erste Sicherheits-Updates *** --------------------------------------------- Die hochkritische Lücke im Web-Interface betrifft deutlich mehr Netgear-Router als bislang angenommen. Für eine Handvoll Gerät hat der Hersteller inzwischen eine Beta-Firmware herausgegeben, die das Problem löst. --------------------------------------------- https://heise.de/-3569299 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Installation Manager and IBM Packaging Utility (CVE-2016-5597) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995588 --------------------------------------------- *** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU Oct 2016 Includes Oracle Oct 2016 CPU affect Content Collector for File Systems *** https://www-01.ibm.com/support/docview.wss?uid=swg21995474 --------------------------------------------- *** IBM Security Bulletin: Vulnerability CVE-2016-7099 and CVE-2016-5325 in Node.js affects IBM i *** http://www-01.ibm.com/support/docview.wss?uid=nas8N1021765 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Enterprise Content Management System Monitor (CVE-2016-6304, CVE-2016-2177) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995038 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affect IBM Enterprise Content Management System Monitor (CVE-2016-3485) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995042 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Samba, BIND and Libreswan affect IBM Netezza Host Management *** http://www.ibm.com/support/docview.wss?uid=swg21994231 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Open Source Apache Tomcat , Commons FileUpload affect IBM Enterprise Content Management System Monitor (CVE-2016-3092) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995043 --------------------------------------------- *** IBM Security Bulletin: Multiple security issues in IBM Tealeaf Customer Experience on Cloud Network Capture Add-On *** http://www.ibm.com/support/docview.wss?uid=swg21994534 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL and PHP affect IBM Tealeaf Customer Experience (CVE-2016-2107, CVE-2016-6290, CVE-2016-7125) *** http://www.ibm.com/support/docview.wss?uid=swg21992307 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in IBM WebSphere Application Server and IBM Java Runtime affect IBM Tealeaf Customer Experience (CVE-2016-0378, CVE-2016-3485, CVE-2016-5986) *** http://www.ibm.com/support/docview.wss?uid=swg21994537 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 12-12-2016
by Daily end-of-shift report 12 Dec '16

12 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 09-12-2016 18:00 − Montag 12-12-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Windows 10: protection, detection, and response against recent Depriz malware attacks *** --------------------------------------------- A few weeks ago, multiple organizations in the Middle East fell victim to targeted and destructive attacks that wiped data from computers, and in many cases rendering them unstable and unbootable. Destructive attacks like these have been observed repeatedly over the years and the Windows Defender and Windows Defender Advanced Threat Protection Threat Intelligence teams... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-d… *** Microsoft Edges malware alerts can be faked, researcher says *** --------------------------------------------- Fiddle with a URL and you can pop up and tell users to do anything Technical support scammers have new bait with the discovery that Microsofts Edge browser can be abused to display native and legitimate-looking warning messages. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/12/12/microsoft_e… *** New Ransomware Offers The Decryption Keys If You Infect Your Friends *** --------------------------------------------- MalwareHunterTeam has discovered "Popcorn Time," a new in-development ransomware with a twist. Gumbercules!! writes: "With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key," writes Bleeping Computer. Infected victims are given a "referral code" and, if two people are infected by that code and pay up -- the original victim is given their... --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/BAJPIfARkR0/new-ransomware-… *** Escaping a restricted shell *** --------------------------------------------- help command outputs this list of available commands we can use, It's almost basically the web interface disguised as a shell session; Well not really but i'm sure you guys got the point. So let's begin with command substitution (a.k.a command injection) technique:... --------------------------------------------- https://humblesec.wordpress.com/2016/12/08/escaping-a-restricted-shell/ *** Zcash, or the return of malicious miners *** --------------------------------------------- Despite this dramatic drop from the initial values (which was anticipated), Zcash mining remains among the most profitable compared to other cryptocurrencies. This has led to the revival of a particular type of cybercriminal activity - the creation of botnets for mining. A few years ago, botnets were created for bitcoin mining, but the business all but died out after it became only marginally profitable. --------------------------------------------- https://securelist.com/blog/research/76862/zcash-or-the-return-of-malicious… *** 5 Questions to Ask your IoT Vendors; But Do Not Expect an Answer. *** --------------------------------------------- 1 - For how long, after I purchase a device, should I expect security updates? 2 - How will I learn about security updates? 3 - Can you share a pentest report for your device? 4 - How can I report vulnerabilities? 5 - If you use encryption, then disclose what algorithms you use and how it is implemented --------------------------------------------- https://isc.sans.edu/diary/5+Questions+to+Ask+your+IoT+Vendors%3B+But+Do+No… *** VB2016 paper: Modern attacks on Russian financial institutions *** --------------------------------------------- Today, we publish the VB2016 paper and presentation (recording) by ESET researchers Jean-Ian Boutin and Anton Cherepanov, in which they look at sophisticated attacks against Russian financial institutions. --------------------------------------------- https://www.virusbulletin.com/blog/2016/december/vb2016-paper-modern-attack… *** Pentesting ICS Systems *** --------------------------------------------- Security of ICS systems is one of the most critical issues of this last year. In this article, we will have a brief introduction to ICS systems, risks, and finally, methodology and tools to pentest ICS based systems Introduction Industrial control system (ICS) is a term that includes many types of control systems and instrumentation... --------------------------------------------- http://resources.infosecinstitute.com/pentesting-ics-systems/ *** Ongoing Windows update bug woes affecting all ISPs *** --------------------------------------------- Virgin also advising customers knocked offline An ongoing software update bug on Windows 8 and 10 appears affecting users of several UK ISPs, with Virgin Media the latest provider to admit the problem is knocking a number of its customers offline. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/12/12/ongoing_win… *** Netgear-Router trivial angreifbar, noch kein Patch in Sicht *** --------------------------------------------- Im Web-Interface einiger Netgear-Router klafft offenbar eine kritische Sicherheitslücke, die Angreifer leicht ausnutzen können, um Code mit Root-Rechten auszuführen. Schutz verspricht bisher nur ein unorthodoxer Weg: Man soll die Lücke selbst ausnutzen. --------------------------------------------- https://heise.de/-3568679 *** DDoS tool encourages users to compete against each other for points *** --------------------------------------------- Sledgehammer tool encourages hackers to launch DDoS attacks - but theres a sting in the tail --------------------------------------------- https://nakedsecurity.sophos.com/2016/12/12/ddos-tool-encourages-users-to-c… *** VU#582384: Multiple Netgear routers are vulnerable to arbitrary command injection *** --------------------------------------------- Vulnerability Note VU#582384 Multiple Netgear routers are vulnerable to arbitrary command injection Original Release date: 09 Dec 2016 | Last revised: 09 Dec 2016 Overview Netgear R7000 and R6400 routers and possibly other models are vulnerable to arbitrary command injection. Description CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection) Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, and R6400, firmware version 1.0.1.6_1.0.4 and... --------------------------------------------- http://www.kb.cert.org/vuls/id/582384 *** DSA-3730 icedove - security update *** --------------------------------------------- Multiple security issues have been found in Icedove, Debians version ofthe Mozilla Thunderbird mail client: Multiple memory safety errors,same-origin policy bypass issues, integer overflows, buffer overflowsand use-after-frees may lead to the execution of arbitrary code ordenial of service. --------------------------------------------- https://www.debian.org/security/2016/dsa-3730 *** Vuln: McAfee VirusScan Enterprise Multiple Security Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/94823 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: One vulnerability in IBM Java SDK affects IBM Application Delivery Intelligence v1.0.1 and v1.0.1.1 (CVE-2016-5597) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995653 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK for Node.js *** http://www.ibm.com/support/docview.wss?uid=swg21993007 --------------------------------------------- *** IBM Security Bulletin: Open Source Apache Tomcat Commons FileUpload Vulnerabilities affects Atlas Policy Suite (CVE-2016-3092) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995382 --------------------------------------------- *** IBM Security Bulletin: Potential Information Disclosure vulnerability in IBM MessageSight (CVE-2016-5986) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995246 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager appliances are affected by vulnerabilities in OpenSSH (CVE-2015-5352, CVE-2015-6563, CVE-2015-6564) *** http://www.ibm.com/support/docview.wss?uid=swg21992610 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web version 7 software (CVE-2016-3550, CVE-2016-3485) *** http://www.ibm.com/support/docview.wss?uid=swg21993132 --------------------------------------------- *** IBM Security Bulletin: Open Redirect vulnerability in IBM MessageSight (CVE-2016-3040) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995247 --------------------------------------------- *** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Apr 2016 - Includes Oracle Apr 2016 CPU affect for IBM Connections (CVE-2016-0264 ) *** https://www-01.ibm.com/support/docview.wss?uid=swg21988365 --------------------------------------------- *** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Apr 2016 - Includes Oracle Apr 2016 CPU affect Content Collector for Email (CVE-2016-0264) *** https://www-01.ibm.com/support/docview.wss?uid=swg21988357 --------------------------------------------- *** IBM Security Bulletin: Information Disclosure in IBM MessageSight (CVE-2016-0378) *** http://www-01.ibm.com/support/docview.wss?uid=swg21995238 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 9-12-2016
by Daily end-of-shift report 09 Dec '16

09 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 07-12-2016 18:00 − Freitag 09-12-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Produktwarnung für Joomla! *** --------------------------------------------- [...] In den Joomla! Versionen 3.4.4 bis einschließlich 3.6.4 wurde eine Sicherheitslücke entdeckt, die es einem Angreifer aus dem Internet ermöglicht, beliebigen Programmcode auszuführen und dadurch erheblichen Schaden auf einem betroffenen... --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/warnmeldung_… *** Root-Rechte durch Linux-Lücke *** --------------------------------------------- Seit fünf Jahren klafft eine Lücke im Linux-Kernel, durch die sich lokale Nutzer erhöhte Rechte verschaffen können. Auch Android ist betroffen. --------------------------------------------- https://heise.de/-3565365 *** Mobile Ransomware: Pocket-Sized Badness *** --------------------------------------------- A few weeks ago, I spoke at Black Hat Europe 2016 on Pocket-Sized Badness: Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game. While watching mobile ransomware from April 2015 to April 2016, I noticed a big spike in the number of Android ransomware samples. During that year, the number of Android ransomware increased by 140%. In certain areas, mobile ransomware accounts for up to 22 percent of mobile malware overall! (These numbers were obtained from the Trend Micro Mobile App... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/hPA6z0gnzFE/ *** Managed-Exchange-Dienst: Telekom-Cloud-Kunde konnte fremde Adressbücher einsehen *** --------------------------------------------- Durch einen Konfigurationsfehler konnte ein Nutzer der Telekom-Cloud-Dienste kurzzeitig auf fremde Adressbücher zugreifen, darunter sollen auch Strafverfolgungsbehörden gewesen sein. Schuld war wohl ein Berechtigungsfehler im Exchange-Dienst. (Telekom, Datenschutz) --------------------------------------------- http://www.golem.de/news/managed-exchange-dienst-telekom-cloud-kunde-konnte… *** Crooks Start Deploying New "August" Infostealer *** --------------------------------------------- During the month of November 2016, a cyber-crime group has started deploying a new malware family nicknamed "August," used mainly for information gathering and reconnaissance on the infected targets computer. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/crooks-start-deploying-new-a… *** PowerShell threats surge: 95.4 percent of analyzed scripts were malicious *** --------------------------------------------- Symantec analyzed 111 threat families that use PowerShell, finding that they leverage the framework to download payloads and traverse through networks. --------------------------------------------- https://www.symantec.com/connect/blogs/powershell-threats-surge-954-percent… *** Kaspersky Security Bulletin 2016. The ransomware revolution *** --------------------------------------------- Between January and September 2016 ransomware attacks on business increased three-fold - to the equivalent of an attack every 40 seconds. With the ransomware-as-a-service economy booming, and the launch of the NoMoreRansom project, Kaspersky Lab has named ransomware its key topic for 2016. --------------------------------------------- http://securelist.com/analysis/kaspersky-security-bulletin/76757/kaspersky-… *** Banking Trojan Uses Gmail Popup to Extend Infection to Victims Android Phone *** --------------------------------------------- A group of malware authors has come up with a new method of transcending an infection from the users computer to his Android smartphone. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/banking-trojan-uses-gmail-po… *** Industriespionage: Wie Thyssenkrupp seine Angreifer fand *** --------------------------------------------- Wie schützt man sein Netzwerk, wenn man 150.000 Mitarbeiter und 500 Tochterunternehmen hat? Thyssenkrupp lernte nach einem Angriff, dass es zwei Dinge braucht: Ausreichend Ressourcen und Freiheit für das Team. --------------------------------------------- http://www.golem.de/news/industriespionage-wie-thyssenkrupp-seine-angreifer… *** Now Mirai Has DGA Feature Built in *** --------------------------------------------- Nearly 2 weeks ago, 2 new infection vectors (aka TCP ports of 7547 and 5555) were found being used to spread MIRAI malwares . My colleague Gensheng quickly set up some honeypots for that sort of vectors and soon had his harvests: 11 samples were captured on Nov 28th. Till now 53 unique samples have been captured by our honeypots from 6 hosting servers. --------------------------------------------- http://blog.netlab.360.com/new-mirai-variant-with-dga/ *** Krypto-Trojaner: Lockys gieriger Bruder verlangt über 2000 Euro Lösegeld *** --------------------------------------------- Nicht nur der Erpressungs-Trojaner GoldenEye ist derzeit ein Ärgernis, auch die Verwandschaft des berüchtigten Locky-Trojaners geht weiter auf Raubzug. Eine Osiris genannte Variante schlägt derzeit vermehrt zu und verlangt ein saftiges Lösegeld. --------------------------------------------- https://heise.de/-3564812 *** Bugtraq: AST-2016-009: *** --------------------------------------------- http://www.securityfocus.com/archive/1/539888 *** Bugtraq: AST-2016-008: Crash on SDP offer or answer from endpoint using Opus *** --------------------------------------------- http://www.securityfocus.com/archive/1/539887 *** DFN-CERT-2016-2010: Sophos UTM: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-2010/ *** DFN-CERT-2016-1991: FreeBSD: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-1991/ *** DSA-3729 xen - security update *** --------------------------------------------- Multiple vulnerabilities have been discovered in the Xen hypervisor. TheCommon Vulnerabilities and Exposures project identifies the followingproblems:... --------------------------------------------- https://www.debian.org/security/2016/dsa-3729 *** Cisco Email Security Appliance Content Filter Bypass Vulnerability *** --------------------------------------------- A vulnerability in the content filtering functionality of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker to bypass user filters that are configured for an affected device.The vulnerability is due to improper filtering of certain TAR format files that are attached to email messages. An attacker could exploit this vulnerability by sending an email message that has a crafted TAR file attachment through an affected device. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** F5 Security Advisories *** --------------------------------------------- *** Security Advisory: libxml2 vulnerabilities CVE-2016-4447 and CVE-2016-4449 *** https://support.f5.com:443/kb/en-us/solutions/public/k/24/sol24322529.html?… --------------------------------------------- *** Security Advisory: PHP vulnerability CVE-2016-6290 *** https://support.f5.com:443/kb/en-us/solutions/public/k/15/sol15850913.html?… --------------------------------------------- *** Security Advisory: libarchive vulnerability CVE-2016-5844 *** https://support.f5.com:443/kb/en-us/solutions/public/k/24/sol24036027.html?… --------------------------------------------- *** Security Advisory: PHP vulnerability CVE-2016-7126 *** https://support.f5.com:443/kb/en-us/solutions/public/k/40/sol40564589.html?… --------------------------------------------- *** Security Advisory: OpenSSL vulnerability CVE-2016-6302 *** https://support.f5.com:443/kb/en-us/solutions/public/k/70/sol70844615.html?… --------------------------------------------- *** Security Advisory: libxml2 vulnerability CVE-2016-1836 *** https://support.f5.com:443/kb/en-us/solutions/public/k/48/sol48220300.html?… --------------------------------------------- *** Security Advisory: libarchive vulnerability CVE-2015-8932 *** https://support.f5.com:443/kb/en-us/solutions/public/k/90/sol90412202.html?… --------------------------------------------- *** Security Advisory: libarchive vulnerability CVE-2016-5418 *** https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35246595.html?… --------------------------------------------- *** Security Advisory: libxml2 vulnerability CVE-2016-1835 *** https://support.f5.com:443/kb/en-us/solutions/public/k/43/sol43314223.html?… --------------------------------------------- *** Security Advisory: libxml2 vulnerability CVE-2016-1837 *** https://support.f5.com:443/kb/en-us/solutions/public/k/05/sol05937379.html?… --------------------------------------------- *** Security Advisory: libxml2 vulnerability CVE-2016-1833 *** https://support.f5.com:443/kb/en-us/solutions/public/k/62/sol62030064.html?… --------------------------------------------- *** Security Advisory: libxml2 vulnerability CVE-2016-1762 *** https://support.f5.com:443/kb/en-us/solutions/public/k/14/sol14338030.html?… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Bluemix (CVE-2016-5573, CVE-2016-5597, CVE-2016-5983) *** http://www.ibm.com/support/docview.wss?uid=swg21994945 --------------------------------------------- *** IBM Security Bulletin: IBM i is affected by networking BIND vulnerabilities (CVE-2016-2775, CVE-2016-2776, CVE-2016-8864 and CVE-2016-6170) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021750 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Power Hardware Management Console (CVE-2016-2180, CVE-2016-2182, CVE-2016-6306) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021733 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Tivoli Network Manager IP Edition 3.9 Fix Pack 4 HTTPS support for Perl Collector *** http://www.ibm.com/support/docview.wss?uid=swg21990532 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in DHCP affect Power Hardware Management Console (‪CVE-2015-8605 and CVE-2016-2774‬‬) *** http://www-01.ibm.com/support/docview.wss?uid=nas8N1021703 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities affect IBM Security AppScan Enterprise *** http://www-01.ibm.com/support/docview.wss?uid=swg21995118 --------------------------------------------- *** IBM Security Bulletin: Open Source Apache Tomcat , Commons FileUpload Vulnerabilities affecting IBM Algo Audit and Compliance (CVE-2016-3092) *** http://www.ibm.com/support/docview.wss?uid=swg21993305 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Flex System Manager (FSM) Storage Manager Install Anywhere (SMIA) configuration tool *** http://www.ibm.com/support/docview.wss?uid=isg3T1024507 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Network Advisor (CVE-2016-3425, CVE-2016-3427, CVE-2016-0695). *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009640 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM b-type SAN switches and directors and IBM Network Advisor (CVE-2016-0705, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702, CVE-2016-0704, CVE-2016-0704, CVE-2016-2842). *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009631 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in pConsole impacts AIX (CVE-2016-0266) *** http://aix.software.ibm.com/aix/efixes/security/pconsole_advisory2.asc --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Fabric Manager (CVE-2016-2183) *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099504 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Struts affects IBM Social Media Analytics (CVE-2016-4003) *** http://www-01.ibm.com/support/docview.wss?uid=swg21994399 --------------------------------------------- *** IBM Security Bulletin: Apache Commons FileUpload Vulnerability affects IBM Rational ClearQuest (CVE-2016-3092) *** http://www-01.ibm.com/support/docview.wss?uid=swg21993816 --------------------------------------------- *** IBM Security Bulletin:Vulnerabilities in OpenSSL affect IBM SONAS *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009648 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affects IBM Rational ClearCase (CVE-2016-2177, CVE-2016-2178, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6306) *** http://www.ibm.com/support/docview.wss?uid=swg21993514 --------------------------------------------- *** IBM Security Bulletin: Tivoli Storage Manager (IBM Spectrum Protect) AIX Client Buffer Overflow (CVE-2016-5985) *** http://www.ibm.com/support/docview.wss?uid=swg21993695 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Websphere affects IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2016-5983) *** http://www.ibm.com/support/docview.wss?uid=swg21992640 --------------------------------------------- *** IBM Security Bulletin: Multiple security vulnerabilities affect the Report Builder and Data Collection Component that are shipped with Jazz Reporting Service (CVE-2016-5898, CVE-2016-5899, CVE-2016-6054, CVE-2016-6047) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991154 --------------------------------------------- *** IBM Security Bulletin: Multiple security vulnerabilities affect the Lifecycle Query Engine (LQE) that is shipped with Jazz Reporting Service (CVE-2016-5897, CVE-2016-6039) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991153 --------------------------------------------- *** IBM Security Bulletin:Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2016-2119) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009567 --------------------------------------------- *** IBM Security Bulletin:Apache Tomcat vulnerability affects IBM Storwize V7000 Unified (CVE-2016-3092) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009566 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL, OpenVPN and GNU glibc affect IBM Security Virtual Server Protection for VMware *** http://www-01.ibm.com/support/docview.wss?uid=swg21995039 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 7-12-2016
by Daily end-of-shift report 07 Dec '16

07 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 06-12-2016 18:00 − Mittwoch 07-12-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Onlinewerbung: Forscher stoppen monatelange Malvertising-Kampagne *** --------------------------------------------- Über eine Malvertising-Kampagne ist in den vergangenen Monaten Schadcode verteilt worden. Die Macher des Stegano-Exploit-Kits versteckten dabei unsichtbare Pixel in Werbeanzeigen und nutzen Exploits in Flash und dem Internet Explorer. --------------------------------------------- http://www.golem.de/news/onlinewerbung-forscher-stoppen-monatelange-malvert… *** Petya-Variante: Goldeneye-Ransomware verschickt überzeugende Bewerbungen *** --------------------------------------------- Kurz vor dem Jahresende gibt es erneut eine größere Ransomware-Kampagne in Deutschland. Kriminelle verschicken mit Goldeneye professionell aussehende Bewerbungen an Personalabteilungen - und nutzen möglicherweise Informationen des Arbeitsamtes. --------------------------------------------- http://www.golem.de/news/petya-variante-goldeneye-ransomware-verschickt-ueb… *** Kriminelle könnten Daten von Visa-Kreditkarten vergleichsweise einfach erraten *** --------------------------------------------- In einer Studie zeigen Sicherheitsforscher, wie sie CVV-Nummern und andere Kreditkarten-Daten in wenigen Sekunden erraten und damit anschließend Geld überweisen. --------------------------------------------- https://heise.de/-3564898 *** Flash Exploit Found in Seven Exploit Kits *** --------------------------------------------- An Adobe Flash Player vulnerability used by the Sofacy APT gang was also found in seven of the top exploit kits, according to an analysis by Recorded Future. --------------------------------------------- http://threatpost.com/flash-exploit-found-in-seven-exploit-kits/122284/ *** Explained: Domain Generating Algorithm *** --------------------------------------------- Domain Generating Algorithms are in use by cyber criminals to prevent their servers from being blacklisted or taken down. The algorithm produces random looking domain names. The idea is that two machines using the same algorithm will contact the same domain at a given time.Categories: Security world TechnologyTags: algorithmdgadomainDomain Generating AlgorithmgeneratinggenerationPieter Arntz(Read more...) --------------------------------------------- https://blog.malwarebytes.com/security-world/2016/12/explained-domain-gener… *** Attacking NoSQL applications, (Tue, Dec 6th) *** --------------------------------------------- In last couple of years, the MEAN stack (MongoDB, Express.js, Angular.js and Node.js) became the stack of choice for many web application developers. The main reason for this popularity is the fact that the stack supports both client and server side programs written in JavaScript, allowing easy development. The core database used by the MEAN stack, MongoDB, is a NoSQL database program that uses JSON-like documents with dynamic schemas allowing huge flexibility. Although NoSQL databases are not... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21787&rss *** MSRT December 2016 addresses Clodaconas, which serves unsolicited ads through DNS hijacking *** --------------------------------------------- In this month's Microsoft Malicious Software Removal Tool (MSRT) release, we continue taking down unwanted software, the pesky threats that force onto our computers things that we neither want nor need. BrowserModifier:Win32/Clodaconas, for instance, displays ads when you're browsing the internet. It modifies search results pages so that you see unsolicited ads related to your... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/12/06/msrt-december-2016-addr… *** Unrestricted Backend Login Method Seen in OpenCart *** --------------------------------------------- >From the attacker's perspective, creating ways to maintain access to a compromised website is desirable. This allows them to further distribute malware and perform different kinds of malicious activities. One of the ways attackers try to secure their access is by adding admin users, or pieces of malicious code throughout the site. This allows them to regain access easily, if needed. However, we recently found a unique way to achieve this kind of breach. --------------------------------------------- https://blog.sucuri.net/2016/12/unrestricted-backend-login.html *** Crims using anti-virus exclusion lists to send malware to where it can do most damage *** --------------------------------------------- When vendors tell you what to whitelist, crims are reading too Advanced malware writers are using anti-virus exclusion lists to better target victims, researchers say. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/12/07/clever_crim… *** Deep Analysis of the Online Banking Botnet TrickBot *** --------------------------------------------- TrickBot aims at stealing online banking information from browsers when victims are visiting online banks. The targeted banks are from Australia, New Zealand, Germany, United Kingdom, Canada, United States, Israel, and Ireland, to name a few. --------------------------------------------- http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-bot… *** Debugging war story: the mystery of NXDOMAIN *** --------------------------------------------- The following blog post describes a debugging adventure on Cloudflares Mesos-based cluster. This internal cluster is primarily used to process log file information so that Cloudflare customers have analytics, and for our systems that detect and respond to attacks.The problem encountered didnt have any effect on our customers, --------------------------------------------- https://blog.cloudflare.com/debugging-war-story-the-mystery-of-nxdomain/ *** Popular smart toys violate children's privacy rights? *** --------------------------------------------- My Friend Cayla and i-Que, two extremely popular "smart" toys manufactured by Los Angeles-based Genesis Toys, do not safeguard basic consumer (and children's) rights to security and privacy, researchers have found. The toys come with companion apps, and the latter use services by Nuance Communications, a company headquartered in Massachussetts that specializes in voice-and speech-recognition services for a variety of industries. --------------------------------------------- https://www.helpnetsecurity.com/2016/12/07/smart-toys-privacy-rights/ *** Bugtraq: [ESNC-2041217] Critical Security Vulnerability in PwC ACE Software for SAP Security *** --------------------------------------------- http://www.securityfocus.com/archive/1/539883 *** Security Advisory - Privilege Escalation Vulnerability in Some Huawei Storage Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161207-… *** Security Advisory - Dirty COW Vulnerability in Huawei Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161207-… *** Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161207-… *** Tesla Gateway ECU Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a Gateway ECU vulnerability in Teslas Model S automobile. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-341-01 *** Locus Energy LGate Command Injection Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a command injection vulnerability in Locus Energy's LGate application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-231-01-0 *** F5 Security Advisories *** --------------------------------------------- *** Security Advisory: Python urllib and urllib2 library vulnerability CVE-2016-5699 *** https://support.f5.com:443/kb/en-us/solutions/public/k/10/sol10420455.html?… --------------------------------------------- *** Security Advisory: libxml2 vulnerability CVE-2016-1839 *** https://support.f5.com:443/kb/en-us/solutions/public/k/26/sol26422113.html?… --------------------------------------------- *** Security Advisory: libxml2 vulnerability CVE-2016-1840 *** https://support.f5.com:443/kb/en-us/solutions/public/k/14/sol14614344.html?… --------------------------------------------- *** Security Advisory: PHP vulnerability CVE-2016-7127 *** https://support.f5.com:443/kb/en-us/solutions/public/k/89/sol89002224.html?… --------------------------------------------- *** Security Advisory: PHP vulnerabilities CVE-2016-6288 and CVE-2016-6289 *** https://support.f5.com:443/kb/en-us/solutions/public/k/34/sol34985231.html?… --------------------------------------------- *** Security Advisory: libxml2 vulnerability CVE-2016-1838 *** https://support.f5.com:443/kb/en-us/solutions/public/k/71/sol71926235.html?… --------------------------------------------- *** Cisco Security Advisories *** --------------------------------------------- *** Cisco AnyConnect Secure Mobility Client Local Privilege Escalation Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Web Security Appliance Drop Decrypt Policy Bypass Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Web Security Appliance HTTP URL Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Firepower Management Center Information Disclosure Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Unified Communications Manager IM and Presence Service Information Disclosure Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Prime Collaboration Assurance Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Identity Services Engine Cross-Site Scripting Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Identity Services Engine Active Directory Integration Component Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco IOS XR Software Default Credentials Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOS and Cisco IOS XE Software Zone-Based Firewall Feature Bypass Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco IOS XR Software HTTP 2.0 Request Handling Event Service Daemon Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOS and IOS XE Software SSH X.509 Authentication Bypass Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco IOS Frame Forwarding Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Intercloud Fabric Director Static Credentials Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Hybrid Media Service Privilege Escalation Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco FirePOWER Malware Protection Bypass Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Firepower Management Center and Cisco FireSIGHT System Software Malicious Software Detection Bypass Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco FireAMP Connector Endpoint Software Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Expressway Series Software Security Bypass Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Email Security Appliance SMTP Cross-Site Scripting Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Email Security Appliance and Web Security Appliance Content Filter Bypass Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Unified Communications Manager Unified Reporting Upload Tool Directory Traversal Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Unified Communications Manager Administration Page Cross-Site Scripting Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco ONS 15454 Series Multiservice Provisioning Platforms TCP Port Management Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Emergency Responder Directory Traversal Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Emergency Responder Cross-Site Request Forgery Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco IOx Application-Hosting Framework Directory Traversal Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Security Appliances AsyncOS Software Update Server Certificate Validation Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco ASR 5000 Series IKEv2 Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco ASR 5000 Series IPv6 Packet Processing Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- Next End-of-Shift report: 2016-12-09

1 0

Tageszusammenfassung - Dienstag 6-12-2016
by Daily end-of-shift report 06 Dec '16

06 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 05-12-2016 18:00 − Dienstag 06-12-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Dirty Cow Vulnerability Patched in Android Security Bulletin *** --------------------------------------------- Todays Android Security Bulletin included a patch for the Dirty Cow vulnerability, a seven-year-old Linux bug that had yet to be patched by Google. --------------------------------------------- http://threatpost.com/dirty-cow-vulnerability-patched-in-android-security-b… *** BlackBerry powered by Android Security Bulletin - December 2016 *** --------------------------------------------- http://support.blackberry.com/kb/articleDetail?articleNumber=000038813 *** Arista CloudVision Portal bug revealed, plus evidence its been used *** --------------------------------------------- You know the drill: face-palm, download, patch, grumble about state of security, relax Arista customers: if youre running a version of CloudVision Portal (CVP) older than 2016.1.2.1, get an update or risk getting p0wned. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/12/06/arista_clou… *** Printer security is so bad HP Inc will sell you services to fix it *** --------------------------------------------- Finally, FINALLY, someone is turning off Telnet and FTP Printer security is so awful HP Inc is willing to shut off shiny features and throw its own dedicated bodies at the perennial problem. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/12/06/printer_sec… *** GNU Netcat 0.7.1 Out-Of-Bounds Write *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2016120029 *** In the three years since IETF said pervasive monitoring is an attack, whats changed? *** --------------------------------------------- IETF Security director Stephen Farrell offers a report card on evolving defences --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/12/06/ietf_report… *** [2016-12-06] Backdoor vulnerability in Sony IPELA ENGINE IP Cameras *** --------------------------------------------- Sony IPELA Engine IP Cameras contain multiple backdoors. Those backdoor accounts allow an attacker to run arbitrary code on the affected IP cameras. An attacker can use cameras to take a foothold in a network and launch further attacks, disrupt camera functionality, send manipulated images/video, add cameras into a Mirai-like botnet or spy on people. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016… *** DailyMotion anscheinend gehackt: 87,6 Millionen Nutzer betroffen *** --------------------------------------------- Unbekannte Hacker sollen in das Server-System die Videoportals eingestiegen sein und neben E-Mail-Adressen auch geschützte Passwörter kopiert haben. --------------------------------------------- https://heise.de/-3559563 *** Vuln: Joomla! Core CVE-2016-9836 Arbitrary File Upload Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/94663 *** International Phone Fraud Tactics *** --------------------------------------------- This article outlines two different types of international phone fraud. --------------------------------------------- https://www.schneier.com/blog/archives/2016/12/international_p.html *** Aufgepasst: Neuer Verschlüsselungstrojaner Goldeneye verbreitet sich rasant *** --------------------------------------------- Ein bisher unbekannter Verschlüsselungstrojaner tarnt sich als Bewerbungs-E-Mail und versucht, Systeme in ganz Deutschland zu verschlüsseln. Momentan wird er von vielen Virenscannern noch nicht erkannt. --------------------------------------------- https://heise.de/-3561396 *** Roundcube 1.2.2: Command Execution via Email *** --------------------------------------------- In this post, we show how a malicious user can execute arbitrary commands on the underlying operating system remotely, simply by writing an email in Roundcube 1.2.2 (>= 1.0). This vulnerability is highly critical because all default installations are affected. We urge all administrators to update the Roundcube installation to the latest version 1.2.3 as soon as possible. --------------------------------------------- https://blog.ripstech.com/2016/roundcube-command-execution-via-email/ *** Xen Security Advisory 199 (CVE-2016-9637) - qemu ioport array overflow *** --------------------------------------------- hen qemu is used as a device model within Xen, io requests are generated by the hypervisor and read by qemu from a shared ring. The entries in this ring use a common structure, including a 64-bit address field, for various accesses, including ioport addresses. Xen will write only 16-bit address ioport accesses. However, depending on the Xen and qemu version, the ring may be writeable by the guest. If so, the guest can generate out-of-range ioport accesses, resulting in wild pointer accesses --------------------------------------------- https://lists.xen.org/archives/html/xen-announce/2016-12/msg00001.html *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Fabric Manager. *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5099503 --------------------------------------------- *** IBM Security Bulletin: Lotus Protector for Mail Security Affected By Open Source Linux Kernel Vulnerabilities (CVE-2016-5195) *** http://www.ibm.com/support/docview.wss?uid=swg21994535 --------------------------------------------- *** IBM Security Bulletin: A busybox vulnerability affects IBM DataPower Gateways (CVE-2014-4607) *** http://www-01.ibm.com/support/docview.wss?uid=swg21993006 --------------------------------------------- *** IBM Security Bulletin: Apache POI as used in IBM QRadar SIEM is vulnerable to various CVEs. *** http://www.ibm.com/support/docview.wss?uid=swg21994719 --------------------------------------------- *** IBM Security Bulletin: Multiple Security Vulnerabilities in Expat affect IBM Netezza Analytics *** http://www-01.ibm.com/support/docview.wss?uid=swg21994401 --------------------------------------------- *** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to various CGI vulnerabilities. (CVE-2016-5385, CVE-2016-5387, CVE-2016-5388) *** http://www.ibm.com/support/docview.wss?uid=swg21994725 --------------------------------------------- *** IBM Security Bulletin: Open Source Apache Xerces-C XML parser vulnerabilities affect IBM Integration Bus and WebSphere Message Broker (CVE-2016-4463, CVE-2016-0729) *** http://www.ibm.com/support/docview.wss?uid=swg21985691 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in libxml2 affects IBM Streams (CVE-2016-3705) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991065 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in NTP and OpenSSL affect IBM Netezza Firmware Diagnostics Tools *** http://www-01.ibm.com/support/docview.wss?uid=swg21994484 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 5-12-2016
by Daily end-of-shift report 05 Dec '16

05 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 02-12-2016 18:00 − Montag 05-12-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Bug des Tages: Forwarding issues related to MACs starting with a 4 or a 6 *** --------------------------------------------- OK aber wieso sollte denn ausgerechnet 4 oder 6 am Anfang ein Problem sein? Weil bei IPv4 und IPv6 die Header mit der "Version" anfangen, die ersten vier Bits sind bei IPv4 immer 4 und bei IPv6 immer 6. Nun kommt der IP-Header nach dem Ethernet-Header, d.h. da gibt es an sich keine Verwechslungsgefahr. Du weißt ja, worauf du gerade guckst. Aber anscheinend haben da einige Hersteller versucht, "selbstdenkende" Geräte zu bauen, die sich die ersten 4 Bits angucken,... --------------------------------------------- https://blog.fefe.de/?ts=a6bc62fc *** Studie: Herzschrittmacher lassen sich leicht hacken *** --------------------------------------------- Sicherheitsforscher aus Belgien und Großbritannien konnten mehrere verschiedene Modelle von Implantaten für Patienten mit Herzrhythmusstörungen aus der Ferne hacken. --------------------------------------------- https://futurezone.at/digital-life/studie-herzschrittmacher-lassen-sich-lei… *** Anti-Schnüffler-Tool SAMRi10 soll Windows-Netzwerke schützen *** --------------------------------------------- Mit dem kostenlosen PowerShell-Skript sollen Admins Schnüfflern den Zutritt zum Security Account Manager effektiver versperren können. --------------------------------------------- https://heise.de/-3550115 *** The Kings in Your Castle, Pt #4 *** --------------------------------------------- Oftentimes, there is talk about a "sophisticated" malware-based attack against an individual or an organization. The prevalent assumption is that a great deal of development work has gone into the attack tools. In the 4th part of the article series, Marion Marschalek and Raphael Vinot will demonstrate what sophistication means and what it actually looks like. --------------------------------------------- https://blog.gdatasoftware.com/2016/12/29343-the-kings-in-your-castle-pt-4 *** Identitätsdiebstahl mit gefälschter PayPal-Nachricht *** --------------------------------------------- Mit einer gefälschten PayPal-Nachricht wollen Kriminelle die Identität von Empfänger/innen stehlen. Damit sie ihr Ziel erreichen, behaupten sie, dass das Unternehmen das fremde PayPal-Konto deaktiviert habe. Es könne dieses nur reaktiveren, wenn es eine Personalausweis-Kopie der Kund/innen erhalte. Das ist falsch. --------------------------------------------- https://www.watchlist-internet.at/sonstiges/identitaetsdiebstahl-mit-gefael… *** Putting security risks on simmer with Chef *** --------------------------------------------- To remain PCI-compliant, I conduct quarterly security assessments of our infrastructure. This means external testing of our internet-facing PCI resources, using an approved scanning vendor (ASV), and what I call internal PCI full-population scans.Trouble TicketAt issue: Too many servers with too many different configurations make it tough to stay in compliance.Action plan: Use Chef and the CIS guidelines to ensure that servers are properly configured.We do the external scanning every month,... --------------------------------------------- http://www.cio.com/article/3147055/security/putting-security-risks-on-simme… *** Vuln: Alcatel-Lucent OmniVista 8770 CVE-2016-9796 Remote Code Execution Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/94649 *** FortiOS Local Admin Password Hash Leak Vulnerability *** --------------------------------------------- http://fortiguard.com/advisory/FG-IR-16-050 *** Bugtraq: CVE-2016-8740, Server memory can be exhausted and service denied when HTTP/2 is used *** --------------------------------------------- http://www.securityfocus.com/archive/1/539873 *** IBM Security Bulletin: Vulnerability in Apache Commons FileUpload affects IBM InfoSphere Information Server (CVE-2016-3092) *** --------------------------------------------- An Apache Commons FileUpload vulnerability while processing file upload requests was addressed by IBM InfoSphere Information Server. CVE(s): CVE-2016-3092 Affected product(s) and affected version(s): The following product, running on all supported platforms, is affected: IBM InfoSphere Information Server: versions 8.5, 8.7, 9.1, 11.3, and 11.5 IBM InfoSphere Metadata Asset Manager: versions 8.7, 9.1, 11.3, and... --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21988564 *** IBM Security Bulletin: Vulnerability has been identified in IBM Cloud Orchestrator teamwork API (CVE-2016-0206 ) *** --------------------------------------------- A potential denial of service vulnerability has been identified in IBM Cloud Orchestrator teamwork executeServiceByName API if an invalid URL is provided by local authenticated user. IBM Cloud Orchestrator, formerly known as IBM SmartCloud Orchestrator has addressed the issue. CVE(s): CVE-2016-0206 Affected product(s) and affected version(s): IBM Cloud Orchestrator V2.3, V2.3.0.1 V2.4, V2.4.0.1, V2.4.0.2 Refer... --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg2C1000141

1 0

Tageszusammenfassung - Freitag 2-12-2016
by Daily end-of-shift report 02 Dec '16

02 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 01-12-2016 18:00 − Freitag 02-12-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** BitUnmap: Attacking Android Ashmem *** --------------------------------------------- Posted by Gal Beniamini, Project ZeroThe law of leaky abstractions states that "all non-trivial abstractions, to some degree, are leaky". In this blog post we'll explore the ashmem shared memory interface provided by Android and see how false assumptions about its internal operation can result in security vulnerabilities affecting core system code. --------------------------------------------- http://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-as… *** Exploited Script in WordPress Theme Sends Spam *** --------------------------------------------- As WordPress continues to grow in popularity, so does its library. New and experienced developers are creating themes and plugins - which creates diverse directories. While this is useful to the WordPress community, the nature of mass creation can account for coding errors and vulnerabilities. Even premium themes have security issues. We often find code that is developed with good intentions but without taking security measures into consideration. --------------------------------------------- https://blog.sucuri.net/2016/12/exploited-script-wordpress-themes-send-spam… *** Blockchain Technology Explained - An Executive Summary *** --------------------------------------------- This article provides an executive summary on the Blockchain technology, what it is, how it works, and why everyone is excited about it. --------------------------------------------- https://www.whitehatsec.com/blog/blockchain-technology/ *** [0day] Bypassing Apples System Integrity Protection *** --------------------------------------------- Read how an attacker can bypass Apples SIP, via the local OS upgrade process --------------------------------------------- https://objective-see.com/blog/blog_0x14.html *** One Bit To Rule A System: Analyzing CVE-2016-7255 Exploit In The Wild *** --------------------------------------------- Recently, Google researchers discovered a local privilege escalation vulnerability in Windows which was being used in zero-day attacks, including those carried out by the Pawn Storm espionage group. This is an easily exploitable vulnerability which can be found in all supported versions of Windows, from Windows 7 to Windows 10. By changing one bit, the attacker can elevate the privileges of a thread, giving administrator access to a process that would not have it under normal circumstances. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/bcdzgHcT2VE/ *** Protecting Powershell Credentials (NOT), (Fri, Dec 2nd) *** --------------------------------------------- If youre like me, youve worked through at least one Powershell tutorial, class or even a how-to blog. And youve likely been advised to use the PSCredential construct to store credentials. The discussion usually covers that this a secure way to collect credentials, then store them in a variable for later use. You can even store them in a file and read them back later. Awesome - this solves a real problem you thought - or does it? For instance, to collect credentials for a VMware vSphere... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21779&rss *** Remote management app exposes millions of Android users to hacking *** --------------------------------------------- Poor implementation of encryption in a popular Android remote management application exposes millions of users to data theft and remote code execution attacks.According to researchers from mobile security firm Zimperium, the AirDroid screen sharing and remote control application sends authentication information encrypted with a hard-coded key. This information could allow man-in-the-middle attackers to push out malicious AirDroid add-on updates, which would then gain the permissions of the app... --------------------------------------------- http://www.cio.com/article/3146916/security/remote-management-app-exposes-m… *** DFN-CERT-2016-1971: Google Chrome: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-1971/ *** ZDI-16-617: Dell SonicWALL Universal Management Suite ImagePreviewServlet SQL Injection Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Dell SonicWALL Universal Management Suite. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-617/ *** F5 Security Advisory: Apache Tomcat vulnerability CVE-2016-6816 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/50/sol50116122.html?… *** F5 Security Advisory: Apache Tomcat vulnerability CVE-2016-8735 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/49/sol49820145.html?… *** USN-3148-1: Ghostscript vulnerabilities *** --------------------------------------------- Ubuntu Security Notice USN-3148-11st December, 2016ghostscript vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummaryGhostscript could be made to crash, run programs, or disclose sensitiveinformation if it processed a specially crafted file.Software description ghostscript - PostScript and PDF interpreter DetailsTavis Ormandy discovered multiple vulnerabilities in the way that --------------------------------------------- http://www.ubuntu.com/usn/usn-3148-1/ *** ICS-CERT Advisories *** --------------------------------------------- *** Siemens SICAM PAS Vulnerabilities *** https://ics-cert.us-cert.gov/advisories/ICSA-16-336-01 --------------------------------------------- *** Moxa NPort Device Vulnerabilities *** https://ics-cert.us-cert.gov/advisories/ICSA-16-336-02 --------------------------------------------- *** Mitsubishi Electric MELSEC-Q Series Ethernet Interface Module Vulnerabilities *** https://ics-cert.us-cert.gov/advisories/ICSA-16-336-03 --------------------------------------------- *** Advantech SUSIAccess Server Vulnerabilities *** https://ics-cert.us-cert.gov/advisories/ICSA-16-336-04 --------------------------------------------- *** Smiths-Medical CADD-Solis Medication Safety Software Vulnerabilities *** https://ics-cert.us-cert.gov/advisories/ICSMA-16-306-01 --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in PHP affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024545 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in the Linux kernel affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024478 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server October 2016 CPU (CVE-2016-5573, CVE-2016-5597) that is bundled with IBM WebSphere Application Server Patterns. *** http://www.ibm.com/support/docview.wss?uid=swg21993759 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in redis affect PowerKVM (CVE-2015-4335, CVE-2013-7458) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024538 --------------------------------------------- *** IBM Security Bulletin: Authentication vulnerability affects IBM Integration Bus V10.0.0.4 onwards (CVE-2016-8918 ) *** http://www.ibm.com/support/docview.wss?uid=swg21995079 --------------------------------------------- *** IBM Security Bulletin: The WebAdmin context for WebSphere Message Broker Version 8 allows directory listings (CVE-2016-6080) *** http://www.ibm.com/support/docview.wss?uid=swg21995004 --------------------------------------------- *** IBM Security Bulletin: IBM Mobile Connect is vulnerable to the Sweet32: Birthday Attacks (CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg21994927 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Process Designer used in IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-5573, CVE-2016-5597, CVE-2016-3485) *** http://www-01.ibm.com/support/docview.wss?uid=swg21994297 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Apache Tomcat affect SAN Volume Controller, Storwize family and FlashSystem V9000 products *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009581 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSource libxml2 affect IBM Security Guardium (CVE-2016-2073) *** http://www-01.ibm.com/support/docview.wss?uid=swg21984606 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 1-12-2016
by Daily end-of-shift report 01 Dec '16

01 Dec '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 30-11-2016 18:00 − Donnerstag 01-12-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** 0-Day: Tor und Firefox patchen ausgenutzten Javascript-Exploit *** --------------------------------------------- Tor und Mozilla haben schnell reagiert und veröffentlichen einen außerplanmäßigen Patch für eine kritische Sicherheitslücke. Der Fehler lag in einer Animationsfunktion für Vektorgrafiken. --------------------------------------------- http://www.golem.de/news/0-day-tor-und-firefox-patchen-kritische-schwachste… *** Avalanche Takedown *** --------------------------------------------- Am 30. November 2016 wurde durch ein breit angelegte Kooperation von Polizei (Europol, Eurojust, FBI, ...), Staatsanwälten und IT Sicherheitsorganisationen (BSI, Shadowserver, CERTs) das Avalanche Botnet übernommen. Die Zahlen von Shadowserver sind eindrucksvoll:... --------------------------------------------- http://www.cert.at/services/blog/20161201172722-1851.html *** IBM warns of rising VoIP cyberattacks *** --------------------------------------------- Cyber-attacks using the VoIP protocol Session Initiation Protocol (SIP) have been growing this year accounting for over 51% of the security event activity analyzed in the last 12 months, according to a report from IBM's Security Intelligence group this week."SIP is one of the most commonly used application layer protocols in VoIP technology... we found that there has been an upward trend in attacks targeting the SIP protocol, with the most notable uptick occurring in the second... --------------------------------------------- http://www.cio.com/article/3146209/security/ibm-warns-of-rising-voip-cybera… *** Shamoon 2: Return of the Disttrack Wiper *** --------------------------------------------- In August 2012, an attack campaign known as Shamoon targeted a Saudi Arabian energy company to deliver a malware called Disttrack. Disttrack is a multipurpose tool that exhibits worm-like behavior by attempting to spread to other systems on a local network using stolen administrator credentials. More importantly, its claim to fame is the ability to destroy data and to render infected systems unusable. The attack four years ago resulted in 30,000 or more systems being damaged. Last week, Unit 42... --------------------------------------------- http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-… *** Fatal flaws in ten pacemakers make for Denial of Life attacks *** --------------------------------------------- Brit/Belgian research team decipher signals and devise wounding wireless attacks A global research team has hacked 10 different types of implantable medical devices and pacemakers finding exploits that could allow wireless remote attackers to kill victims. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/12/01/denial_of_l… *** New SmsSecurity Variant Roots Phones, Abuses Accessibility Features and TeamViewer *** --------------------------------------------- In January of 2016, we found various "SmsSecurity" mobile apps that claimed to be from various banks. Since then, weve found some new variants of this attack that add new malicious capabilities. These capabilities include: anti-analysis measures, automatic rooting, language detection, and remote access via TeamViewer. In addition, SmsSecurity now cleverly uses the accessibility features of Android to help carry out its routines in a stealthy manner, without interaction from the... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/ckweihUN7n8/ *** SAMRi10: Windows 10 hardening tool for thwarting network recon *** --------------------------------------------- Microsoft researchers Itay Grady and Tal Be'ery have released another tool to help admins harden their environment against reconnaissance attacks: SAMRi10 (pronounced "Samaritan"). User2 (non-admin) gets access denied by SAMRi10 when calling Net User remotely to a hardened Domain Controller Both the Net Cease tool they released in October and SAMRi10 are simple PowerShell scripts and are aimed at preventing attackers that are already inside a corporate network from mapping it... --------------------------------------------- https://www.helpnetsecurity.com/2016/12/01/samri10-windows-10-hardening/ *** Security Notice - Statement on Newsmth.net Forum Revealing Security Issue in Huawei P9 Smart Phone *** --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2016/huawei-sn-20161130-01-… *** USN-3141-1: Thunderbird vulnerabilities *** --------------------------------------------- Ubuntu Security Notice USN-3141-130th November, 2016thunderbird vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummarySeveral security issues were fixed in Thunderbird.Software description thunderbird - Mozilla Open Source mail and newsgroup client DetailsChristian Holler, Jon Coppeard, Olli Pettay, Ehsan Akhgari, Gary Kwong,Tooru Fujisawa, and Randell Jesup discovered multiple memory safety... --------------------------------------------- http://www.ubuntu.com/usn/usn-3141-1/ *** Security Advisories Relating to Symantec Products - Norton App Lock Bypass *** --------------------------------------------- Symantec has addressed an issue where on some Android devices, Norton App Lock could have been bypassed, which could have allowed locked applications to be opened. --------------------------------------------- https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=s… *** OpenAFS Security Advisory 2016-003 *** --------------------------------------------- Due to incomplete initialization or clearing of reused memory, OpenAFS directory objects are likely to contain "dead" directory entry information. This extraneous information is not active - that is, it is logically invisible to the fileserver and client. However, the leaked information is physically visible on the fileserver vice partition,... --------------------------------------------- https://www.openafs.org/pages/security/OPENAFS-SA-2016-003.txt *** Bugtraq: [security bulletin] HPSBHF03682 rev.1 - HPE Comware 7 Network Products using SSL/TLS, Local Gain Privileged Access *** --------------------------------------------- http://www.securityfocus.com/archive/1/539855 *** Bugtraq: [security bulletin] HPSBGN03677 rev.1 - HPE Network Automation using RPCServlet and Java Deserialization, Remote Code Execution *** --------------------------------------------- http://www.securityfocus.com/archive/1/539857 *** Bugtraq: [security bulletin] HPSBGN03680 rev.1 - HPE Propel, Local Denial of Service (DoS), Escalation of Privilege *** --------------------------------------------- http://www.securityfocus.com/archive/1/539863 *** Bugtraq: [security bulletin] HPSBUX03665 rev.3 - HP-UX Tomcat-based Servlet Engine, Remote Denial of Service (DoS), URL Redirection *** --------------------------------------------- http://www.securityfocus.com/archive/1/539864 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: A vulnerability in wget affects PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024556 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in DHCP affects PowerKVM (CVE-2016-5410) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024551 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in krb5 affect PowerKVM (CVE-2016-3119, CVE-2016-3120) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024550 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in util-linux affects PowerKVM (CVE-2016-5011) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024543 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in powerpc-utils-python affects PowerKVM (CVE-2014-8165) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024540 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in fontconfig affects PowerKVM (CVE-2016-5384) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024533 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in sudo affects PowerKVM (CVE-2016-7091) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024532 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Python-RSA affects PowerKVM (CVE-2016-1494) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024409 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in bind affect PowerKVM (CVE-2016-2776, CVE-2016-8864) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024402 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024401 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 30-11-2016
by Daily end-of-shift report 30 Nov '16

30 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 29-11-2016 18:00 − Mittwoch 30-11-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Kritische Sicherheitslücke in Mozilla Firefox - aktiv ausgenützt - keine Patches verfügbar *** --------------------------------------------- Wie in diversen Medien berichtet wird, gibt es eine kritische Sicherheitslücke in aktuellen Versionen des Mozilla Firefox Browsers, für die noch kein Patch zur Verfügung steht. Diese wird auch bereits aktiv ausgenützt. --------------------------------------------- https://cert.at/warnings/all/20161130.html *** Port 7547 in Österreich *** --------------------------------------------- seit meinem letzten Blogpost zu Mirai/TR-069 sind ein paar neue Informationen dazugekommen --------------------------------------------- https://cert.at/services/blog/20161130165710-1834.html *** Ask Sucuri: Can Your cPanel Page Be Maliciously Redirected? *** --------------------------------------------- Many webmasters may not be aware that hackers are able to maliciously redirect cPanel pages. The specific tactic we describe in this article is unique. Included are recommendations to prevent it, along with other suspicious issues, through logs kept on cPanel servers. --------------------------------------------- https://blog.sucuri.net/2016/11/ask-sucuri-can-cpanel-page-maliciously-redi… *** Vuln: Dell iDRAC7 and iDRAC8 Devices CVE-2016-5685 Code Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/94585 *** Emerson Liebert SiteScan XML External Entity Vulnerability *** --------------------------------------------- This advisory contains mitigation details for an XML External Entity vulnerability affecting Emerson's Liebert SiteScan application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-334-01 *** Emerson DeltaV Easy Security Management Application Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a vulnerability that affects Emerson's DeltaV Easy Security Management application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-334-02 *** Emerson DeltaV Wireless I/O Card Open SSH Port Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a vulnerability in the Emerson DeltaV Wireless I/O Card. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-334-03 *** Security Advisory: BIG-IP FastL4 profile vulnerability *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/36/sol36300805.html?… *** Security Advisory - XSS Vulnerability in Huawei eSpace IAD *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161130-… *** Security Advisory - DoS Vulnerability in Huawei Switches *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161130-… *** DFN-CERT-2016-1960/">Apache Subversion: Eine Schwachstelle ermöglicht Denial-of-Service-Angriffe *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-1960/ *** Security Advisory - Command Injection Vulnerability in Huawei FusionAccess *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161130-… *** GCHQ presents CyberChef, an Open Source Data Analysis Tool *** --------------------------------------------- The GCHQ has released the code of a new open source web tool dubbed CyberChef, specifically designed for analyzing and decoding data. --------------------------------------------- http://securityaffairs.co/wordpress/53908/intelligence/gchq-cyberchef.html *** Multiple I-O DATA network camera products multiple vulnerabilities *** --------------------------------------------- Multiple network camera products provided by I-O DATA DEVICE, INC. contain multiple vulnerabilities. --------------------------------------------- http://jvn.jp/en/jp/JVN25059363/ *** New Cerber Variant Leverages Tor2Web Proxies, Google Redirects *** --------------------------------------------- Researchers have discovered that criminals behind the latest Cerber ransomware variant are leveraging Google redirects and Tor2Web proxies in a new and novel way to evade detection. --------------------------------------------- http://threatpost.com/new-cerber-variant-leverages-tor2web-proxies-google-r… *** An overview of the Payment Card Industry (PCI) *** --------------------------------------------- The payment card industry consists of all the organizations which store, process and transmit cardholder data and carry transactions through debit and credit cards. Many standards are developed to conduct these types of services in a secure way. The well-known standard for this purpose is Payment Card Industry Data Security Standards. --------------------------------------------- http://resources.infosecinstitute.com/an-overview-of-the-payment-card-indus… *** Großstörung bei der Telekom: Was wirklich geschah *** --------------------------------------------- Ein Sicherheitsexperte hat die Reaktion eines der anfälligen Speedport-Modelle analysiert und kommt zu einer überraschenden Erkenntnis: Die Geräte waren gar nicht anfällig für die TR-069-Sicherheitslücke. --------------------------------------------- https://heise.de/-3520212 *** GET pwned: Web CCTV cams can be hijacked by single HTTP request *** --------------------------------------------- An insecure web server embedded in more than 35 models of internet-connected CCTV cameras leaves countless devices wide open to hijacking, it is claimed. --------------------------------------------- http://www.theregister.co.uk/2016/11/30/iot_cameras_compromised_by_long_url/ *** Vuln: OpenJPEG CVE-2016-9675 Incomplete Fix Multiple Remote Heap Based Buffer Overflow Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/94589 *** Cobalt Malware Threatens ATM Security *** --------------------------------------------- The hackers typically initiated the malware infection through phishing and spearphishing attacks. They sent malware laced emails to employees working at the banks. If some how a cyber security naive-employee clicked on a malicious link in an email or opened an attachment then their system would get infected. --------------------------------------------- https://blog.comodo.com/malware/cobalt-malware-threatens-atm-security/ *** Android-Malware Gooligan soll über 1 Million Google-Konten gekapert haben *** --------------------------------------------- Der Tojaner soll Smartphones rooten und Authentifizierungs-Tokens von Google-Accounts kopieren. Über einen Online-Service kann man prüfen, ob das eigene Konto betroffen ist. --------------------------------------------- https://heise.de/-3520778 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSH affects IBM i (CVE-2016-8858) *** http://www-01.ibm.com/support/docview.wss?uid=nas8N1021734 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways *** http://www-01.ibm.com/support/docview.wss?uid=swg21992996 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Worklight and IBM MobileFirst Platform Foundation *** http://www-01.ibm.com/support/docview.wss?uid=swg2C1000213 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities affect IBM Domino & IBM iNotes *** http://www.ibm.com/support/docview.wss?uid=swg21992835 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Struts affects IBM Social Media Analytics (CVE-2016-0785) *** http://www-01.ibm.com/support/docview.wss?uid=swg21994386 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 29-11-2016
by Daily end-of-shift report 29 Nov '16

29 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 28-11-2016 18:00 − Dienstag 29-11-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Bruce Schneier zur Netz-Sicherheit: "Die Ära von Spaß und Spielen ist vorbei" *** --------------------------------------------- Der renommierte Sicherheits-Experte warnte auf dem Security-Kongress der Telekom vor einer grenzenlosen Vernetzung. Staatliche Regulierung sei unausweichlich. --------------------------------------------- https://www.heise.de/newsticker/meldung/Bruce-Schneier-zur-Netz-Sicherheit-… *** PayPal Fixes OAuth Token Leaking Vulnerability *** --------------------------------------------- PayPal fixed an issue that could have allowed an attacker to hijack OAuth tokens associated with any PayPal OAuth application. The vulnerability was publicly disclosed on Monday by Antonio Sanso, a senior software engineer at Adobe, after he came across the issue while testing his own OAuth client. --------------------------------------------- http://threatpost.com/paypal-fixes-oauth-token-leaking-vulnerability/122136/ *** Vuln: WordPress Image Gallery Plugin HTML Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/94565 *** A Rowhammer ban-hammer for all, and its all in software *** --------------------------------------------- Sorry to go all MC Hammer on you, but boffins tell bit-flippers you cant touch this A group of German researchers reckon theyve cracked a pretty hard nut indeed: how to protect all x86 architectures from the 'Rowhammer' memory bug. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/11/29/a_rowhammer… *** Tenda / D-Link / TP-Link DHCP Cross Site Scripting *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2016110233 *** Every Windows 10 in-place Upgrade is a SEVERE Security risk *** --------------------------------------------- [...] There is a small but CRAZY bug in the way the "Feature Update" (previously known as "Upgrade") is installed. The installation of a new build is done by reimaging the machine and the image installed by a small version of Windows called Windows PE (Preinstallation Environment). --------------------------------------------- http://blog.win-fu.com/2016/11/every-windows-10-in-place-upgrade-is.html *** F-Secure: QUICK TIP: How To Make Your Passwords Uncrackable *** --------------------------------------------- TL;DR: 'The trick is to use a really long random password for each online account,' he tells us. 'The password length should be at least 20 symbols and numbers, but preferably 32.' --------------------------------------------- https://safeandsavvy.f-secure.com/2016/09/14/quick-tip-how-to-make-your-pas… *** Azure Security Best Practices *** --------------------------------------------- Moving applications and workloads to the cloud is a big draw for organizations, primarily due to the favorable economics, ease of deployment, and the flexibility and scale that the cloud provides. Microsoft Azure is one cloud platform seeing rising adoption in the past year. You may be contemplating moving workloads to Azure, particularly if you are a Microsoft shop. But like most organizations moving to the cloud, you are probably concerned about the security of your Azure environment. --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/azure-security-best-pr… *** TYPO3 CMS 7.6.14 released *** --------------------------------------------- This version is a regression fix release for TYPO3 CMS 7.6.13 concerning the usage of the Composer mode with additional third party PHP libraries. This version contains bugfixes concerning Composer only. --------------------------------------------- https://typo3.org/news/article/typo3-cms-7614-released/ *** Kontonummern und E-Mail: Daten von Mitfahrgelegenheit.de gestohlen *** --------------------------------------------- Kontonummern und E-Mail-Adressen von ehemaligen Nutzern betroffen - Wenige Österreicher betroffen --------------------------------------------- http://derstandard.at/2000048456695 *** TR-069 NewNTPServer Exploits: What we know so far, (Tue, Nov 29th) *** --------------------------------------------- [This is a cleaned up version to summarize yesterdays diary about the attacks against DSL Routers] What is TR-069 TR-069 (or its earlier version TR-064) is a standard published by the Broadband Forum. The Broadband Forum is an industry organization defining standards used to manage broadband networks. It focuses heavily on DSL type modems and more recently included fiber optic connections. TR stands for Technical Report. TR-069 is considered the Broadband Forums Flagship Standard. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21763&rss *** Security Advisory: BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/01/sol01587042.html?… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Development Package for Apache Spark *** http://www-01.ibm.com/support/docview.wss?uid=swg21994185 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in IBM Java Runtime affect WebSphere Dashboard Framework (CVE-2016-5573, CVE-2016-5597) *** http://www-01.ibm.com/support/docview.wss?uid=swg21994184 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in IBM Java SDK and IBM Java Runtime affect Web Experience Factory (CVE-2016-5573, CVE-2016-5597) *** http://www-01.ibm.com/support/docview.wss?uid=swg21994181 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK, Java Technology Edition *** https://www-01.ibm.com/support/docview.wss?uid=swg21985393 --------------------------------------------- *** IBM Security Bulletin: Multiple OpenSource Expat XML Vulnerabilities affect IBM DB2 Net Search Extender for Linux, Unix and Windows *** http://www.ibm.com/support/docview.wss?uid=swg21992933 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Extreme Scale (CVEs-2016-3485) *** http://www.ibm.com/support/docview.wss?uid=swg21993946 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect WebSphere Message Broker and IBM Integration Bus ( CVE-2016-2107,CVE-2016-2176) *** http://www.ibm.com/support/docview.wss?uid=swg21992894 --------------------------------------------- *** IBM Security Bulletin: IBM Integration Bus and WebSphere Message Broker, upon installation, set incorrect permissions for an object ( CVE-2016-0394 ) *** http://www-01.ibm.com/support/docview.wss?uid=swg21985013 --------------------------------------------- *** IBM Security Bulletin: Vulnerability has been identified in View All User Domain Tasks of IBM Cloud Orchestrator (CVE-2016-0202 ) *** http://www.ibm.com/support/docview.wss?uid=swg2C1000134 --------------------------------------------- *** IBM Security Bulletin: FileNet Workplace XT can be affected by the File Extension validation vulnerability (CVE-2016-8921) *** http://www.ibm.com/support/docview.wss?uid=swg21994018 --------------------------------------------- *** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified. *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009589 --------------------------------------------- *** IBM Security Bulletin: GPFS security vulnerabilities in IBM Storwize V7000 Unified (CVE-2016-2985 and CVE-2016-2984) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009324 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 28-11-2016
by Daily end-of-shift report 28 Nov '16

28 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 25-11-2016 18:00 − Montag 28-11-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Mirai goes TR-069 *** --------------------------------------------- Zu Mirai hab ich hier schon viel geschrieben. Bis jetzt hat sich dieses Botnet rein über das Erraten von Passwörtern auf Telnet-Interfaces weiterverbreitet. Das hat sich jetzt geändert: Am 7. November hat jemand einen Proof-of-concept exploit für ein CPE (Customer premise equipment -- also DSL-Modem, Kabelmodem & co) veröffentlicht, der zeigt, wie man per TR-069 dem Gerät Schadsoftware unterschieben kann. --------------------------------------------- http://www.cert.at/services/blog/20161128173929-1823.html *** DSA-3725 icu - security update *** --------------------------------------------- Several vulnerabilities were discovered in the International Componentsfor Unicode (ICU) library. --------------------------------------------- https://www.debian.org/security/2016/dsa-3725 *** [2016-11-28] Denial of service & heap-based buffer overflow in Guidance Software EnCase Forensic *** --------------------------------------------- EnCase Forensic Imager and the EnCase Forensic suite are widely used by computer forensic experts to analyze hard disks. Due to flaws in these products an attacker could manipulate a hard disk to keep an investigator from fully analyzing it (denial of service). Potentially, an attacker could execute malicious code on the investigators machine. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016… *** DFN-CERT-2016-1949/">ImageMagick: Mehrere Schwachstellen ermöglichen u.a. Denial-of-Service-Angriffe *** --------------------------------------------- Mehrere Schwachstellen in ImageMagick ermöglichen einem entfernten, nicht authentisierten Angreifer die Durchführung verschiedener Denial-of-Service (DoS)-Angriffe sowie das Ausspähen von Informationen. Debian stellt für die Distribution Debian Jessie (stable) ein Sicherheitsupdate bereit. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-1949/ *** Erpressungs-Trojaner: Locky setzt auf .zzzzz-Endung, Cerber geht in Version 5.0.1 um *** --------------------------------------------- Kriminelle sollen Berichten nach aktuell neue Versionen von Cerber und Locky verbreiten. Vorsicht: Viele Viren-Wächter springen offensichtlich noch nicht auf Cerber an. --------------------------------------------- https://heise.de/-3506049

1 0

Tageszusammenfassung - Freitag 25-11-2016
by Daily end-of-shift report 25 Nov '16

25 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 24-11-2016 18:00 − Freitag 25-11-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Kriminelle bieten Mirai-Botnetz mit 400.000 IoT-Geräten zur Miete an *** --------------------------------------------- Was macht das Mirai-Botnetz gerade? Die beiden Sicherheitsforscher mit den Pseudonymen 2sec4u und MalwareTech überwachen das Mirai-Botnetz und teilen aktuelle Aktivitäten via Twitter und eine Webseite. Aus der Live Map der Webseite geht hervor, dass bislang über die ganze Welt verteilt insgesamt mehr als 3 Millionen Geräte im Mirai-Botnetz gefangen waren. In den letzten 24 Stunden waren es knapp unter 100.000. --------------------------------------------- https://www.heise.de/security/meldung/Kriminelle-bieten-Mirai-Botnetz-mit-4… *** Gehackte Zugänge: Kriminelle versenden Malware mit Mailchimp-Accounts *** --------------------------------------------- Kriminelle nutzen offenbar übernommene Mailchimp-Accounts, um Malware zu verbreiten. Das geschieht vor allem über Mails mit angeblichen Rechnungen. Alle 2.000 betroffenen Accounts wurden vorläufig stillgelegt. --------------------------------------------- http://www.golem.de/news/gehackte-zugaenge-kriminelle-versenden-malware-mit… *** Locky hidden in image file hitting Facebook, LinkedIn users *** --------------------------------------------- Malware masquerading as an image file is still spreading on Facebook, LinkedIn, and other social networks. Check Point researchers have apparently discovered how cyber crooks are embedding malware in graphic and image files, and how they are executing the malicious code within these images to infect social media users with Locky ransomware variants. The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. --------------------------------------------- https://www.helpnetsecurity.com/2016/11/25/locky-image-file-facebook-linked… *** The Week in Ransomware - November 25th 2016 - Locky, Decryptors, Cerber, Open Source Ransomware sucks, and More *** --------------------------------------------- Lots of ransomware stories this week. We have two new decryptors, quite a few new ransomware infections, PadCrypt being hidden inside a fake credit card generator, and a few new variants. The biggest news is two new variants of the Locky ransomware that append the .zzzzz and .aesir extensions for encrypted files. [...] --------------------------------------------- http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-novemb… *** Free Software Quick Security Checklist, (Fri, Nov 25th) *** --------------------------------------------- Free software (open source or not) is interesting for many reasons. It can be adapted to your own needs, it can be easily integrated within complex architectures but the most important remains, of course, the price. Even if they are many hidden costs related to free software. In case of issues, a lot of time may be spent in searching for a solution or diving into the source code (and everybody knows that time is money!). Today, more and more organisationsare not afraid anymore to deployfree... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21751&rss *** DFN-CERT-2016-1945: phpMyAdmin: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebiger SQL-Befehle *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-1945/ *** Security Advisory - Buffer Overflow Vulnerability in Huawei Firewall Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161125-… *** Citrix XenServer Multiple Security Updates *** --------------------------------------------- A number of security vulnerabilities have been identified in Citrix XenServer that may allow malicious code running within a guest VM to compromise the host. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and including Citrix XenServer 7.0. CVE-2016-9379, CVE-2016-9380, CVE-2016-9381, CVE-2016-9382, CVE-2016-9383, CVE-2016-9385, CVE-2016-9386 --------------------------------------------- https://support.citrix.com/article/CTX218775

1 0

Tageszusammenfassung - Donnerstag 24-11-2016
by Daily end-of-shift report 24 Nov '16

24 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 23-11-2016 18:00 − Donnerstag 24-11-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Don't let this Black Friday/Cyber Monday spam deliver Locky ransomware to you *** --------------------------------------------- We see it every year: social engineering attacks that take advantage of the online shopping activities around Black Friday and Cyber Monday, targeting customers of online retailers. This year, we're seeing a spam campaign that Amazon customers need to be wary of. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/11/23/dont-let-this-black-fri… *** LXC CVE-2016-8649 Directory Traversal Vulnerability *** --------------------------------------------- An attacker can exploit this issue using directory-traversal characters (../) to access or read arbitrary files that contain sensitive information or to access files outside of the restricted directory to obtain sensitive information and perform other attacks. --------------------------------------------- http://www.securityfocus.com/bid/94498/info *** Multiple Samsung Galaxy Product CVE-2016-9567 Security Bypass Vulnerability *** --------------------------------------------- Multiple Samsung Galaxy products are prone to a security-bypass vulnerability. An attacker may exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. Samsung Galaxy devices with Marshmallow 6.0 are vulnerable. --------------------------------------------- http://www.securityfocus.com/bid/94494/info *** w3m Multiple Security Vulnerabilities *** --------------------------------------------- Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Versions prior to w3m 0.5.3-33 are vulnerable. --------------------------------------------- http://www.securityfocus.com/bid/94464/discuss *** Research on unsecured Wi-Fi networks across the world *** --------------------------------------------- We compared the situation with Wi-Fi traffic encryption in different countries using data from our threat database. We counted the number of reliable and unreliable networks in each country that has more than 10 thousand access points known to us --------------------------------------------- https://securelist.com/blog/research/76733/research-on-unsecured-wi-fi-netw… *** DFN-CERT-2016-1942/">RealNetworks RealPlayer: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff *** --------------------------------------------- Ein entfernter, nicht authentisierter Angreifer kann eine Schwachstelle im RealPlayer ausnutzen, mit Hilfe einer schädlichen präparierten QCP-Mediendatei, zu deren Wiedergabe er einen Benutzer verleitet, um einen Denial-of-Service (DoS)-Angriff durchzuführen. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-1942/ *** Windows-Update für Secure-Boot-Fehler macht BIOS-Updates erforderlich *** --------------------------------------------- Mit dem Patch 3193479 beziehungsweise 3200970 für aktuelle Windows-(Server-)Versionen korrigiert Microsoft einen Bug in UEFI Secure Boot, doch einige Server starten danach nicht mehr. --------------------------------------------- https://heise.de/-3503589 *** Diagnosing cyber threats for smart hospitals *** --------------------------------------------- ENISA presents a study that sets the scene on information security for the adoption of IoT in Hospitals. The study which engaged information security officers from more than ten hospitals across the EU, depicts the smart hospital ICT ecosystem; and through a risk based approach focuses on relevant threats and vulnerabilities, analyses attack scenarios, and maps common good practices. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/diagnosing-cyber-threats-for-sm… *** Security Advisory: PHP vulnerability CVE-2016-6288 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/71/sol71814571.html?… *** Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016 *** --------------------------------------------- Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…

1 0

Tageszusammenfassung - Mittwoch 23-11-2016
by Daily end-of-shift report 23 Nov '16

23 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 22-11-2016 18:00 − Mittwoch 23-11-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** The November 2016 issue of our SWITCH Security Report is available! *** --------------------------------------------- The topics covered in this report are: * IT security researchers reveal vulnerabilities in photoTAN procedure for mobile banking * DDoS attack via IoT botnet shuts down parts of Internet * Triple record: Yahoo loses half a billion customers’ details, more trust than ever and USD 1 billion from its acquisition price --------------------------------------------- https://securityblog.switch.ch/2016/11/23/the-november-2016-issue-of-our-sw… *** Securing Drupal with ModSecurity and the Core Rule Set (CRS3) *** --------------------------------------------- Here is a guide aimed at the Drupal community to learn how to work with ModSecurity. OWASP ModSecurity Core Rule Set is a horrible name for a project, that's why we speak of CRS3. This is a security project and for those not familiar with the CRS, I will first give a brief intro first. --------------------------------------------- https://www.netnea.com/cms/2016/11/22/securing-drupal-with-modsecurity-and-… *** DomainTools 101: How to Spot Phishy Domains on Cyber Monday *** --------------------------------------------- Just as the Grumeti River in Tanzania harbors dangerous crocodiles just below its surface, a Phishing email usually contains malicious domains waiting for you to click. I read a great article by Bleeping Computer about finding some Google domains that were spoofed using what is known as small caps. This piqued my curiosity ... --------------------------------------------- https://blog.domaintools.com/2016/11/domaintools-101-how-to-spot-phishy-dom… *** [DSA 3722-1] vim security update *** --------------------------------------------- CVE ID : CVE-2016-1248 Florian Larysch and Bram Moolenaar discovered that vim, an enhanced vi editor, does not properly validate values for the the filetype, syntax and keymap options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened. --------------------------------------------- https://lists.debian.org/debian-security-announce/2016/msg00305.html *** Mapping Attack Methodology to Controls, (Wed, Nov 23rd) *** --------------------------------------------- Recently weve seen lots of malicious documents make it through our first protection layers. (https://www.virustotal.com/en/file/79ff976c5ca6025f3bb90ddfa7298286217c2130…) . In the last week, these emails have a word document that spawns a command shell that kicks off a PowerShell script. When working incidents, it is important to map out the attacker lifecycle to determine where to improve your defenses. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21749&rss *** Telegram API ransomware wrecked three weeks after launch *** --------------------------------------------- Crypto so bad that getting around it is shooting fish in a barrel Ransomware scum abusing the protocol of the popular Telegram encrypted chat app have been wrecked and their malware ransom system decrypted. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/11/23/owned_teleg… *** Vuln: TP-LINK TL-WA5210G Buffer Overflow and Information Disclosure Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/94481 *** Pentest-Report cURL 08.2016 [PDF] *** --------------------------------------------- This report documents findings of a source code audit dedicated to assessing the cURL software. The assessment of the tool was performed by Cure53 as part of the Mozilla's Secure Open Source track program. The results of the project encompass twenty-three security-relevant discoveries. --------------------------------------------- https://wiki.mozilla.org/images/a/aa/Curl-report.pdf *** Acunetix 10.0 DLL Hijacking *** --------------------------------------------- Topic: Acunetix 10.0 DLL Hijacking Risk: Medium Text:Title: Acunetix 10 Multi DLL Hajacking Application: Acunetix Versions Affected: 10.0 Vendor URL: http://www.acunetix.com Di... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016110196 *** Schneider Electric Magelis HMI Resource Consumption Vulnerabilities (Update A) *** --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-16-308-02 Schneider Electric Magelis HMI Resource Consumption Vulnerabilities that was published November 3, 2016, on the NCCIC/ICS-CERT web site. This advisory contains mitigation details for resource consumption vulnerabilities affecting Schneider Electric's Magelis human-machine interface products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-308-02 *** Security updates available in Foxit Reader 8.1.1 and Foxit PhantomPDF 8.1.1 *** --------------------------------------------- Foxit has released Foxit Reader 8.1.1 and Foxit PhantomPDF 8.1.1, which address potential security and stability issues --------------------------------------------- https://www.foxitsoftware.com/support/security-bulletins.php *** Security Advisory: PHP vulnerability - CVE-2016-6288 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/71/sol71814571.html?… *** Siemens *** --------------------------------------------- *** Siemens SIMATIC CP 1543-1 Vulnerabilities *** https://ics-cert.us-cert.gov/advisories/ICSA-16-327-01 --------------------------------------------- *** Siemens SIMATIC CP 343-1/CP 443-1 Modules and SIMATIC S7-300/S7-400 CPUs Vulnerabilities *** https://ics-cert.us-cert.gov/advisories/ICSA-16-327-02 --------------------------------------------- *** Siemens Industrial Products Local Privilege Escalation Vulnerability (Update A) *** https://ics-cert.us-cert.gov/advisories/ICSA-16-313-02 *** Huawei *** --------------------------------------------- *** Security Advisory - Multiple Security Vulnerabilities in Huawei Smart Phone Products *** http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161123-… --------------------------------------------- *** Security Advisory - Privilege Escalation Vulnerability in the FusionStorage *** http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161123-… --------------------------------------------- *** Security Advisory - Buffer Overflow Vulnerability in TP Driver of Huawei Smart Phone *** http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161123-… --------------------------------------------- *** Security Advisory - Integer Overflow Vulnerability in Some Huawei Devices *** http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161123-… --------------------------------------------- *** Security Advisory - Buffer Overflow Vulnerability in HIFI Driver of Huawei Smart Phone *** http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161123-… *** VMware *** --------------------------------------------- *** VMSA-2016-0022 *** https://www.vmware.com/security/advisories/VMSA-2016-0022.html --------------------------------------------- *** VMSA-2016-0021 *** https://www.vmware.com/security/advisories/VMSA-2016-0021.html --------------------------------------------- *** VMSA-2016-0018.3 *** https://www.vmware.com/security/advisories/VMSA-2016-0018.html *** Novell *** --------------------------------------------- *** eDirectory 9.0.2 (non-root) for Linux *** https://download.novell.com/Download?buildid=dgSdIXwk2Cc~ --------------------------------------------- *** iManager 2.7 Support Pack 7 - Patch 8 for Linux *** https://download.novell.com/Download?buildid=OFnb6Ew8wPM~ --------------------------------------------- *** iManager 2.7 Support Pack 7 - Patch 8 for Windows *** https://download.novell.com/Download?buildid=wPIC5t8Drqo~ --------------------------------------------- *** eDirectory 8.8 SP8 Patch 9 for Linux *** https://download.novell.com/Download?buildid=zJBqj6SjCzg~ --------------------------------------------- *** iManager 3.0.2 for Linux *** https://download.novell.com/Download?buildid=rIhWBDnLYU8~ --------------------------------------------- *** iManager 3.0.2 for Windows *** https://download.novell.com/Download?buildid=iMupD_KbGcA~ --------------------------------------------- *** eDirectory 9.0.2 for Linux *** https://download.novell.com/Download?buildid=TLXIiZ6uoho~ --------------------------------------------- *** eDirectory 9.0.2 for Windows *** https://download.novell.com/Download?buildid=_N2FUsWAalg~ --------------------------------------------- *** eDirectory 8.8 SP8 Patch 9 (non-root) for Linux *** https://download.novell.com/Download?buildid=Y9WDuLNbJxE~ --------------------------------------------- *** eDirectory 8.8 SP8 Patch 9 for Windows *** https://download.novell.com/Download?buildid=aDcgeiAEaYc~

1 0

Tageszusammenfassung - Dienstag 22-11-2016
by Daily end-of-shift report 22 Nov '16

22 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 21-11-2016 18:00 − Dienstag 22-11-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Windows 10 Cannot Protect Insecure Applications Like EMET Can *** --------------------------------------------- Recently, Microsoft published a blog post called Moving Beyond EMET that appears to make two main points: (1) Microsoft will no longer support EMET after July 31, 2018, and (2) Windows 10 provides protections that make EMET unnecessary. In this blog post, I explain why Windows 10 does not provide the additional protections that EMET does and why EMET is still an important tool to help prevent exploitation of vulnerabilities. --------------------------------------------- https://insights.sei.cmu.edu/cert/2016/11/windows-10-cannot-protect-insecur… *** SSA-603476 (Last Update 2016-11-21): Web Vulnerabilities in SIMATIC CP 343-1/CP 443-1 Modules and SIMATIC S7-300/S7-400 CPUs *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-603476… *** Facebook Messenger: Malware via SVG *** --------------------------------------------- Vorsicht bei Dateianhängen in Facebooks Chat: Gekaperte Accounts versenden Schadsoftware - neuerdings in Form einer SVG-Grafik. --------------------------------------------- https://www.heise.de/newsticker/meldung/Facebook-Messenger-Malware-via-SVG-… *** Moodle Vulns *** --------------------------------------------- *** Vuln: Moodle MSA-16-0026 Information Disclosure Vulnerability *** http://www.securityfocus.com/bid/94456 --------------------------------------------- *** Vuln: Moodle CVE-2016-8643 Security Bypass Vulnerability *** http://www.securityfocus.com/bid/94457 --------------------------------------------- *** Vuln: Moodle CVE-2016-8644 Information Disclosure Vulnerability *** http://www.securityfocus.com/bid/94458 *** Exploit Code Released for NTP Vulnerability *** --------------------------------------------- NTP 4.2.8p9 includes a patch for a vulnerability that could crash ntpd with a single malformed packet. --------------------------------------------- http://threatpost.com/exploit-code-released-for-ntp-vulnerability/122104/ *** The Kings in Your Castle, Pt. #3 *** --------------------------------------------- In the third episode of Marion Marschaleks and Raphael Vinots series of articles on modern APTs, they will shine some light on the prevalence of Zero-Day vulnerabilities. In reality, the use of Zero-Days is far less common than expected. In fact, APT groups in some cases exploit vulnerabilities which are a couple of years old. On the side of the analysts, they will explain that identical hashes are by no means a reliable indicator for dealing with identical files. --------------------------------------------- https://blog.gdatasoftware.com/2016/11/29302-kings-in-your-castle-pt-3 *** TYPO3 *** --------------------------------------------- *** Path Traversal in TYPO3 Core *** https://typo3.org/news/article/path-traversal-in-typo3-core/ --------------------------------------------- *** Insecure Unserialize in TYPO3 Backend *** https://typo3.org/news/article/insecure-unserialize-in-typo3-backend/ *** Businesses as Ransomware's Goldmine: How Cerber Encrypts Database Files *** --------------------------------------------- Possibly to maximize the earning potential of Cerber's developers and their affiliates, the ransomware incorporated a routine with heavier impact to businesses: encrypting database files. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/KntWjaKLssw/ *** Android-Trojaner GT!tr.spy soll vor allem deutsche Bank-Kunden ins Visier nehmen *** --------------------------------------------- Fortinet ist nach eigenen Angaben auf einen aktuellen Android-Trojaner mit der Bezeichnung GT!tr.spy gestoßen, der es in erster Linie auf Kreditkarten- und Log-in-Daten von deutschen und österreichischen Bank-Kunden abgesehen hat. Davon sollen Kunden von nicht näher beschriebenen 15 deutschen und fünf österreichischen Banken bedroht sein ... --------------------------------------------- https://heise.de/-3494472 *** Exploit Code Released for NTP Vulnerability *** --------------------------------------------- NTP 4.2.8p9 includes a patch for a vulnerability that could crash ntpd with a single malformed packet. --------------------------------------------- http://threatpost.com/exploit-code-released-for-ntp-vulnerability/122104/ *** FortiOS flow-mode detection bypass under certain conditions *** --------------------------------------------- A FortiGate configured to use flow-based protection will stop monitoring network sessions that are active when a scanning engine is reloaded after an update (nearly instantaneous process).This tends to impact long lived network sessions... --------------------------------------------- http://fortiguard.com/advisory/fortios-flow-mode-detection-bypass-under-cer… *** F5 Security Advisories *** --------------------------------------------- *** Security Advisory: OpenSSL vulnerability CVE-2016-8610 *** https://support.f5.com:443/kb/en-us/solutions/public/k/11/sol11307303.html?… --------------------------------------------- *** Security Advisory: ImageMagick vulnerabilities CVE-2015-8895 and CVE-2015-8896 *** https://support.f5.com:443/kb/en-us/solutions/public/k/30/sol30403302.html?… --------------------------------------------- *** Security Advisory: ImageMagick vulnerability CVE-2015-8898 *** https://support.f5.com:443/kb/en-us/solutions/public/k/68/sol68785753.html?… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Security Network Protection *** http://www-01.ibm.com/support/docview.wss?uid=swg21991724 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Storage Manager FastBack for Bare Machine Recovery Stack-Based Buffer Overflow Elevation of Privilege Vulnerability (CVE-2016-6091) *** http://www.ibm.com/support/docview.wss?uid=swg21993925 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Storage Manager FastBack Stack-Based Buffer Overflow Elevation of Privilege Vulnerability (CVE-2016-6091) *** http://www.ibm.com/support/docview.wss?uid=swg21993916 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in busybox affect IBM Security Network Protection (CVE-2014-4607, and CVE-2014-9645 ) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990083 --------------------------------------------- *** IBM Security Bulletin: Multiple Denial of Service vulnerabilities with Expat might affect IBM HTTP Server used with IBM Security Network Protection *** http://www-01.ibm.com/support/docview.wss?uid=swg21989336 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-3485) *** http://www-01.ibm.com/support/docview.wss?uid=swg21993565 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2016-0377 *** http://www-01.ibm.com/support/docview.wss?uid=swg21993522 --------------------------------------------- *** IBM Vulnerabilities in BIND impact AIX (CVE-2016-2776, CVE-2016-2775) *** http://aix.software.ibm.com/aix/efixes/security/bind_advisory13.asc --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect AIX *** http://aix.software.ibm.com/aix/efixes/security/openssl_advisory21.asc ---------------------------------------------

1 0

Tageszusammenfassung - Montag 21-11-2016
by Daily end-of-shift report 21 Nov '16

21 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 18-11-2016 18:00 − Montag 21-11-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Vuln: Huawei Smart Phones Multiple Local Denial of Service Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/94404 *** Vuln: Multiple Lenovo ThinkPad Products CVE-2016-8222 Local Security Bypass Vulnerability *** --------------------------------------------- Local attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions. --------------------------------------------- http://www.securityfocus.com/bid/94409 *** Security Advisory: PHP vulnerability CVE-2016-6289 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/52/sol52430518.html?… *** SSA-672373 (Last Update 2016-11-18): Vulnerabilities in SIMATIC CP 1543-1 *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-672373… *** SSA-701708 (Last Update 2016-11-18): Local Privilege Escalation in Industrial Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-701708… *** SAP NetWeaver AS ABAP 7.4 Directory Traversal *** --------------------------------------------- The code provides access to the file specified after the READ DATASET statement. The variable transmitted to the input of the statement is entered in it by user input. Thus, the user can access the files stored on the operating system. This vulnerability is called a Directory Traversal. --------------------------------------------- https://cxsecurity.com/issue/WLB-2016110168 *** Update wichtig: Sicherheitswarnung zu Symantec-Software *** --------------------------------------------- Das BSI hat eine Sicherheitswarnung der Stufe 4 bezüglich der Symantec-Produkte Endpoint Security herausgegeben und empfiehlt ein sofortiges Update. --------------------------------------------- https://heise.de/-3492125 *** Second Chinese Firm In a Week Found Hiding a Backdoor In Android Firmware *** --------------------------------------------- An anonymous reader quotes Bleeping Computer: Security researchers have discovered that third-party firmware included with over 2.8 million low-end Android smartphones allows attackers to compromise Over-the-Air (OTA) update operations and execute commands on the targets phone with root privileges. This is the second issue of its kind that came to light this week after researchers from Kryptowire discovered a similar secret backdoor in the firmware of Chinese firm Shanghai Adups Technology Co. --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/A1TnPdkseTU/second-chinese-… *** Putty Cleartext Password Storage *** --------------------------------------------- Putty.exe stores Passwords unencrypted for sessions that use a Proxy connection and specify a password to save. --------------------------------------------- https://cxsecurity.com/issue/WLB-2016110172 *** WordPress Plugin MailChimp 4.0.7 - Cross-Site Request Forgery / XSS *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2016110174 *** Vuln: Apache OpenOffice CVE-2016-6803 Local Privilege Escalation Vulnerability *** --------------------------------------------- Apache OpenOffice is prone to a local privilege-escalation vulnerability. Local attackers can exploit this issue to gain elevated privileges. Apache OpenOffice 4.1.2 and prior versions are vulnerable. --------------------------------------------- http://www.securityfocus.com/bid/94418 *** DFN-CERT-2016-1916/">GStreamer-Plugin: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes *** --------------------------------------------- Ein entfernter, nicht authentifizierter Angreifer kann mit Hilfe einer speziell präparierten Mediendatei einen Pufferüberlauf auf dem Heap erzeugen, dadurch große Speicherbereiche kontrollieren und in der Folge beliebigen Programmcode ausführen. Die Schwachstelle kann im Kombination mit anderen Sicherheitslücken und Design-Entscheidungen auf bestimmten Linux-Systemen einfach durch den Besuch einer speziell präparierten Webseite ausgenutzt werden. Es ist dabei keine Interaktion des Benutzers notwendig. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-1916/ *** Bugtraq: [security bulletin] HPSBHF03675 rev.1 - HPE Integrated Lights-Out 3 and 4 (iLO 3, iLO 4), Cross-Site Scripting (XSS) *** --------------------------------------------- HPE has made the following firmware updates available to resolve the vulnerability in iLO 3 and iLO 4: For iLO3, please upgrade to firmware v1.88 For iLO4, please upgrade to firmware v2.44 --------------------------------------------- http://www.securityfocus.com/archive/1/539791 *** Oil and Gas Cybersecurity part 3: Midstream Security for Oil *** --------------------------------------------- I hope you enjoyed the previous parts of Oil and Gas Cyber Security series (Upstream Cyber Security and Oil and Gas Cyber Security 101). Today we will talk about OT and ICS with a special focus on the Midstream sector of the petroleum industry. --------------------------------------------- http://resources.infosecinstitute.com/oil-and-gas-cybersecurity-part-3-mids… *** Nemucod Infections Spreading Locky Over Facebook *** --------------------------------------------- Researchers have spotted an increase in Nemucod downloader infections moving via Facebook Messenger spam, with some victims being infected with Locky ransomware. --------------------------------------------- http://threatpost.com/nemucod-infections-spreading-locky-over-facebook/1220… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Cross-Site Scripting Vulnerability in IBM Social Rendering Templates for Digital Data Connector (CVE-2016-8936) *** http://www-01.ibm.com/support/docview.wss?uid=swg21993895 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Netcool Configuration Manager (ITNCM) is affected by a vulnerability discovered in XSTREAM (CVE-2016-3674) *** http://www-01.ibm.com/support/docview.wss?uid=swg21992217 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Cisco MDS Directors and Switches (CVE-2016-0701, CVE-2015-3197) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009610 --------------------------------------------- *** IBM Security Bulletin: Security Bulletin: Vulnerabilities in OpenSSL affect IBM Cisco MDS Directors and switches (CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009608 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 18-11-2016
by Daily end-of-shift report 18 Nov '16

18 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 17-11-2016 18:00 − Freitag 18-11-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Webseite aufgerufen, Linux gehackt *** --------------------------------------------- Linux-Nutzer können sich durch das bloße Aufrufen einer Webseite Schadcode einfangen. Die Ursache ist eine Kombination eigentlich harmloser Ereignisse – und eine Zero-Day-Lücke. Betroffen ist vor allem Fedora Workstation. --------------------------------------------- https://heise.de/-3489774 *** Google Removing SHA-1 Support in Chrome 56 *** --------------------------------------------- Google released its final SHA-1 deprecation deadlines, and crypto services provider Venafi said that 35 percent of the web is still running weak SHA-1 certificates. --------------------------------------------- http://threatpost.com/google-removing-sha-1-support-in-chrome-56/122041/ *** MacBook Pro 2016: Malware-Schutz teils ab Werk deaktiviert *** --------------------------------------------- Apple hat offenbar verpasst, den macOS-Systemintegritätsschutz (System Integrity Protection) auf allen MacBook-Pro-Modellen mit Touch Bar zu aktivieren. SIP soll die Möglichkeiten von Schad-Software begrenzen. --------------------------------------------- https://heise.de/-3491210 *** 8 million GitHub profiles scraped, data found leaking online *** --------------------------------------------- Technology recruitment site GeekedIn has scraped 8 million GitHub profiles and left the information exposed in an unsecured MongoDB database. The backup of the database .. --------------------------------------------- https://www.helpnetsecurity.com/2016/11/18/8-million-github-profiles-scrape… *** DSA-3718 drupal7 - security update *** --------------------------------------------- Multiple vulnerabilities has been found in the Drupal content managementframework. For additional information, please refer to the upstream advisoryat https://www.drupal.org/SA-CORE-2016-005 --------------------------------------------- https://www.debian.org/security/2016/dsa-3718 *** Metadaten: Apple speichert Verbindungsdaten mehrere Monate in iCloud *** --------------------------------------------- Apple bezeichnet sich gern als Datenschutzkonzern. Eine jetzt entdeckte Funktion zeigt aber, dass Apple Verbindungsdaten mehrere Monate im iCloud-Backup ablegt. Das dürfte nicht jedem gefallen. --------------------------------------------- http://www.golem.de/news/metadaten-apple-speichert-verbindungsdaten-mehrere… *** Top-Level-Domain .box macht Fritzbox-Routern Probleme *** --------------------------------------------- Router ist im internen Netz über den Domainnamen fritz.box erreichbar --------------------------------------------- http://derstandard.at/2000047782737 *** iPhone: Lockscreen-Lücke erlaubt Zugriff auf Kontakte und Fotos *** --------------------------------------------- Angriffsmethode soll auch bei den neuesten Versionen von iOS funktionieren --------------------------------------------- http://derstandard.at/2000047783306 *** Google Project Brillo: IoT-Android wird sicherer als Smartphone-Android *** --------------------------------------------- Google krempelt die Zusammenarbeit mit Herstellern für sein Internet-of-Things-System Brillo im Vergleich zu Android völlig um. So gibt es nur einen Linux-Kernel, der .. --------------------------------------------- http://www.golem.de/news/google-project-brillo-iot-android-wird-sicherer-al… *** The Rampage of Locky *** --------------------------------------------- Locky has been a constant in the malware zoo for a considerable time. And while we are aware that there are still victims being hit by the variant sporting the .ODIN extension, .. --------------------------------------------- https://blog.gdatasoftware.com/2016/11/29310-the-rampage-of-locky *** Filesharing: Hacker erbeuten Sourcecoude von Mega.nz *** --------------------------------------------- Mehrere Gbyte an Quellcode und einige Admin-Zugänge wurden bei Kim Dotcoms Dienst Mega.nz kopiert. Nach Angaben des Unternehmens sind keine Nutzerdaten betroffen, die veröffentlichten Zugänge seien zudem veraltet. --------------------------------------------- http://www.golem.de/news/filesharing-hacker-erbeuten-sourcecoude-von-mega-n…

1 0

Tageszusammenfassung - Donnerstag 17-11-2016
by Daily end-of-shift report 17 Nov '16

17 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 16-11-2016 18:00 − Donnerstag 17-11-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** VMSA-2016-0020 *** --------------------------------------------- vRealize Operations update addresses REST API deserialization vulnerability --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2016-0020.html *** VMSA-2016-0016.1 *** --------------------------------------------- vRealize Operations (vROps) updates address privilege escalation vulnerability --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2016-0016.html *** Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2016-005 *** --------------------------------------------- https://www.drupal.org/SA-CORE-2016-005 *** VMSA-2016-0018.1 *** --------------------------------------------- VMware product updates address local privilege escalation vulnerability in Linux kernel --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2016-00201.html *** VMSA-2016-0018.1 *** --------------------------------------------- VMware product updates address local privilege escalation vulnerability in Linux kernel --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2016-0018.html *** Antivirus tools are a useless box-ticking exercise says Google security chap *** --------------------------------------------- Advocates whitelists and other tools that genuinely help security Kiwicon Google senior security engineer Darren Bilby has asked fellow hackers to expend less effort .. --------------------------------------------- www.theregister.co.uk/2016/11/17/google_hacker_pleads_try_whitelists_not_ju… *** DSA-3716 firefox-esr - security update *** --------------------------------------------- Multiple security issues have been found in the Mozilla Firefox webbrowser: Multiple memory safety errors, buffer overflows and otherimplementation errors may .. --------------------------------------------- https://www.debian.org/security/2016/dsa-3716 *** Tails 2.7 is out *** --------------------------------------------- https://tails.boum.org/news/version_2.7/ *** Malware Hunters Catch New Android Spyware For Governments In The Wild *** --------------------------------------------- A group of malware hunters has caught a new Android spyware in the wild. The spyware is marketed to governments and police forces and was made in Italy—but it wasn’t built by the infamous surveillance tech vendor Hacking Team. --------------------------------------------- https://motherboard.vice.com/read/malware-hunters-catch-new-android-spyware… *** Internet of Things: US-Regierung veröffentlicht Security-Strategie *** --------------------------------------------- Sechs Empfehlungen für ein weniger unsicheres Internet of Things hat die US-Regierung ausgearbeitet. Das offizielle Dokument könnte Entwicklern und Sicherheitsabteilungen Rückenwind geben. --------------------------------------------- https://heise.de/-3488886 *** Erpressungs-Trojaner Ransoc soll Social-Media-Accounts ausspionieren *** --------------------------------------------- Sicherheitsforschern zufolge droht Ransoc damit, persönliche Daten zu veröffentlichen. Dafür soll er eine individuelle Erpresserbotschaft mit privaten Bildern und Informationen bauen. --------------------------------------------- https://heise.de/-3488976 *** Call for Papers Domain pulse 2017 *** --------------------------------------------- Das Generalthema des Domain pulse 2017 lautet „Netzwerken in Netzwerken“ – im weitesten Sinne des Begriffs. Wer oder was wird vernetzt? Wie wichtig ist Vernetzung? Wo findet sie statt? Wie kann sie bestmöglich gelingen? Und welche Probleme kann sie lösen? --------------------------------------------- http://www.domainpulse.at/de/call-for-papers *** Forensik-Tool-Hersteller: Apple speichert iPhone-Anrufprotokolle in iCloud – für viele Monate *** --------------------------------------------- Apple synchronisiert die Anrufhistorie von iCloud-Nutzern automatisch ohne darauf explizit hinzuweisen. Die Software des Herstellers soll Strafverfolgungsbehörden .. --------------------------------------------- https://heise.de/-3490866 *** Confessions of a Google Spammer *** --------------------------------------------- Before I became an inbound marketer, I once made $50,000 a month spamming Google. I worked a maximum of 10 hours a week. And I am telling you from the bottom of my heart: never, never ever follow in my footsteps. --------------------------------------------- https://readthink.com/confessions-of-a-google-spammer-4f2e0c3e9869

1 0

Tageszusammenfassung - Mittwoch 16-11-2016
by Daily end-of-shift report 16 Nov '16

16 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 15-11-2016 18:00 − Mittwoch 16-11-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Chinese company installed secret backdoor on hundreds of thousands of phones *** --------------------------------------------- http://arstechnica.com/security/2016/11/chinese-company-installed-secret-ba… *** Carbanak Attacks Shift to Hospitality Sector *** --------------------------------------------- The Carbanak cybercrime gang has shifted strategy and targets the hospitality and restaurant industries with new techniques and malware. --------------------------------------------- http://threatpost.com/carbanak-attacks-shift-to-hospitality-sector/121966/ *** Cloned Spam Sites in Subdirectories *** --------------------------------------------- In a recent post, we covered how attackers were abusing server resources to create WordPress sites in subdirectories and distribute spam. By adding a complete WordPress CMS installation into a directory and using .. --------------------------------------------- https://blog.sucuri.net/2016/11/cloned-spam-sites-in-subdirectories.html *** Fake fax ushers in revival of a ransomware family *** --------------------------------------------- “Criminal case against you” is a message that may understandably cause panic. That’s what a recent spam campaign hopes happens, increasing the likelihood of .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/11/15/fake-fax-ushers-in-revi… *** Malspam distributing Troldesh ransomware *** --------------------------------------------- Earlier this week on Monday 2016-11-14, I found an example of malicious spam (malspam) distributing Troldesh ransomware. Troldesh (also called .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21717 *** Lynxspring JENEsys BAS Bridge Vulnerabilities *** --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-320-01 *** VMware-Produkte abgesichert: Angreifer können aus Gast-System ausbrechen *** --------------------------------------------- In Fusion und Workstation klafft eine kritische Sicherheitslücke. --------------------------------------------- https://heise.de/-3484180 *** Ermittlungen gegen Skidata im Betriebsspionage-Verfahren eingestellt *** --------------------------------------------- Salzburger Firma soll Kundendaten auf IT-Server eines Konkurrenten ausgespäht haben – Laut Staatsanwaltschaft kein widerrechtlicher Datenzugriff --------------------------------------------- http://derstandard.at/2000047640813 *** Datenschutz bei Mac-App: Shazam will nicht mehr dauerhaft mithören *** --------------------------------------------- Ein Mikrofon, das dauerhaft angeschaltet ist, dürfte vielen Nutzern Unbehagen bereiten. Genau das tat Shazam auf dem Mac mindestens seit 2014. Jetzt will das .. --------------------------------------------- http://www.golem.de/news/datenschutz-bei-mac-app-shazam-will-nicht-mehr-dau… *** Sicherheitsupdates: Symantec-Software kann sich an DLL verschlucken *** --------------------------------------------- Verschiedene Symantec-Produkte sind angreifbar. Im schlimmsten Fall können Angreifer Systeme kapern. --------------------------------------------- https://heise.de/-3484233 *** Analysts apply Occams razor to Tesco Bank breach *** --------------------------------------------- Unexpected items in the banking area Analysis Security analysts have narrowed down the range of possible explanations for the Tesco Bank breach. --------------------------------------------- www.theregister.co.uk/2016/11/16/tesco_bank_breach_competing_theories_analy… *** Wickedly Clever USB Stick Installs a Backdoor on Locked PCs *** --------------------------------------------- The proof-of-concept tool PoisonTap uses a series of subtle design flaws to steal a victims cookies and even hack their router or intranet. --------------------------------------------- https://www.wired.com/2016/11/wickedly-clever-usb-stick-installs-backdoor-l… *** IT-Sicherheit: Facebook kauft Passwörter im Darknet *** --------------------------------------------- Die Doppelverwendung von Passwörtern bezeichnet der Sicherheitschef von Facebook als "größte Gefahr für .. --------------------------------------------- http://www.golem.de/news/it-sicherheit-facebook-kauft-passwoerter-im-darkne… *** Automobilzulieferer: Leoni schreibt nach 40-Millionen-Betrug Verluste *** --------------------------------------------- Der Betrugsfall geht an Leoni nicht spurlos vorbei. Nachdem rund 40 Millionen Euro entwendet wurden, schreibt das Unternehmen im vergangenen Quartal Verluste. Die Ermittlungen gehen weiter. --------------------------------------------- http://www.golem.de/news/automobilzulieferer-leoni-schreibt-nach-40-million… *** Nach Adobe-Hack: Einigung auf eine Million US-Dollar Strafe *** --------------------------------------------- Adobe hat sich mit insgesamt 15 US-Bundesstaaten auf eine Strafzahlung von zusammen einer Million US-Dollar geeinigt, weil das Unternehmen 2013 Millionen Nutzerdaten verloren hatte. Die hatten Angreifer bei einem Hack an sich gebracht. --------------------------------------------- https://heise.de/-3485542 *** Cisco Email Security Appliance MIME Header Processing Filter Bypass Vulnerability *** --------------------------------------------- A vulnerability in the email filtering functionality of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…

1 0

Tageszusammenfassung - Dienstag 15-11-2016
by Daily end-of-shift report 15 Nov '16

15 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 14-11-2016 18:00 − Dienstag 15-11-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Vuln: Git for Windows CVE-2016-9274 Unspecified Untrusted Search Path vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/94289 *** CVE-2016-4484: Cryptsetup Initrd root Shell *** --------------------------------------------- An attacker with access to the console of the computer and with the ability to reboot the computer can launch a shell (with root permissions) when he/she is prompted for the password to unlock the system partition. The shell is executed in the initrd environment. Obviously, the system partition is encrypted and it is not possible to decrypt it (AFAWK). But other partitions may be not encrypted, and so accessible. --------------------------------------------- http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.… *** phpWebAdmin Version 1.0 SQL Injection Proof Of Concept Exploit *** --------------------------------------------- The user parameter in the index.php file is vulnerable to a blind SQL time-based Injection attack. Proof of concept is exploit attached below --------------------------------------------- https://cxsecurity.com/issue/WLB-2016110127 *** ImageMagick MagickCore/fx.c Heap Buffer Overflow Vulnerability *** --------------------------------------------- ImageMagick is prone to a heap-based buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it into an insufficiently sized buffer. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploits may result in denial-of-service condition. --------------------------------------------- http://www.securityfocus.com/bid/94310/discuss *** The Kings in Your Castle, Pt #2 *** --------------------------------------------- The second part of Marion Marschaleks and Raphael Vinots article series deals with questions that surround the tools and the data used by analysts. They shine a light on some of the challenges facing analysts when it comes to Indicators of Compromise. While those are easily created and implemented, they can end up being outdated rather quickly. For an effective strategy, other metrics are required which are less easy to create. --------------------------------------------- https://blog.gdatasoftware.com/2016/11/29304-the-kings-in-your-castle-pt-2 *** Beliebte Chrome-Erweiterungen zur Werbeschleuder mutiert *** --------------------------------------------- Einige beliebte Chrome-Erweiterungen werden offenbar zur Verbreitung dubioser Werbeanzeigen missbraucht. Wer eine davon installiert hat, sollte sie umgehend entfernen. --------------------------------------------- https://heise.de/-3465981 *** Windows Mobile Application Penetration Testing Part 4: Intercepting HTTP/HTTPS Traffic on Windows Phones *** --------------------------------------------- Introduction and Background: In the previous article of the series, we have discussed Sideloading concepts associated with Windows Phone 8.1 apps and UWP apps. In this article, we will discuss how to get your phones/emulators ready for intercepting HTTP/HTTPS traffic to proceed with further analysis of the application. --------------------------------------------- http://resources.infosecinstitute.com/windows-mobile-application-penetratio… *** Bypassing Mixed Content Warnings - Loading Insecure Content in Secure Pages *** --------------------------------------------- There are no doubts that the web is moving forward to HTTPS (secure) content. Most important names have today their certificates ready and their websites are in effect, secure. But have you ever wandered: secure to what extent? --------------------------------------------- https://www.brokenbrowser.com/loading-insecure-content-in-secure-pages/ *** Cisco IOS XE Software Directory Traversal Vulnerability *** --------------------------------------------- A vulnerability in the package unbundle utility of Cisco IOS XE Software could allow an authenticated, local attacker to gain write access to some files in the underlying operating system.The vulnerability is due to insufficient validation of files submitted to the affected installation utility. An attacker could exploit this vulnerability by uploading a crafted file to an affected system and running the installation utility command. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Single Sign-on: Eine Milliarde Accounts für Hijacking anfällig *** --------------------------------------------- Single Sign-on ist praktisch, wird aber oft falsch implementiert. Sicherheitsforscher haben demonstriert, welche Fehler App-Entwickler dabei machen. Mehrere hundert Apps machten dabei Probleme. --------------------------------------------- http://www.golem.de/news/single-sign-on-eine-milliarde-accounts-fuer-hijack… *** DLL Loading Issue in Symantec Enterprise Products *** --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** F5 Security Advisories *** --------------------------------------------- *** Security Advisory: OpenSSL vulnerability CVE-2016-2180 *** https://support.f5.com:443/kb/en-us/solutions/public/k/02/sol02652550.html?… --------------------------------------------- *** Security Advisory: BIG-IP ASM vulnerability CVE-2016-7472 *** https://support.f5.com:443/kb/en-us/solutions/public/k/17/sol17119920.html?… --------------------------------------------- *** Security Advisory: Apache Tomcat vulnerabilities CVE-2016-5018, CVE-2016-6794, and CVE-2016-6796 *** https://support.f5.com:443/kb/en-us/solutions/public/k/65/sol65230547.html?… --------------------------------------------- *** Security Advisory: Apache Tomcat vulnerability CVE-2016-6797 *** https://support.f5.com:443/kb/en-us/solutions/public/k/36/sol36302720.html?… --------------------------------------------- *** Security Advisory: Apache Tomcat vulnerability CVE-2016-0762 *** https://support.f5.com:443/kb/en-us/solutions/public/k/36/sol36784855.html?… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime IBM affect IBM Decision Optimization Center (CVE-2016-5554, CVE-2016-5556, CVE-2016-5568) *** http://www.ibm.com/support/docview.wss?uid=swg21993861 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio and IBM ILOG CPLEX Enterprise Server (CVE-2016-5554, CVE-2016-5556, CVE-2016-5568, CVE-2016-5582) *** http://www-01.ibm.com/support/docview.wss?uid=swg21993857 --------------------------------------------- *** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple php vulnerabilities *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1024488 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Perl affects Power Hardware Management Console (‪‪CVE-2016-1238‬) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021704 --------------------------------------------- *** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple perl vulnerabilities (CVE-2016-1238, CVE-2016-2381, CVE-2016-8853) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1024470 --------------------------------------------- *** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by a vulnerability in fontconfig (CVE-2016-5384) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024468 --------------------------------------------- *** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by a vulnerability in sqlite (CVE-2016-6153) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1024467 --------------------------------------------- *** IBM Security Bulletin: IBM PowerVC Local escalation of privilege vulnerability in DB2 for Linux (CVE-2016-5995) *** http://www-01.ibm.com/support/docview.wss?uid=nas8N1021652 --------------------------------------------- *** IBM Security Bulletin: Samba vulnerability issue in IBM SONAS (CVE-2016-2119) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009570 --------------------------------------------- *** IBM Security Bulletin: GPFS security vulnerabilities in IBM SONAS (CVE-2016-2985 and CVE-2016-2984 ) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009323 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 14-11-2016
by Daily end-of-shift report 14 Nov '16

14 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 11-11-2016 18:00 − Montag 14-11-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** No payment necessary: Fighting back against ransomware *** --------------------------------------------- Any IT professional who's ever had an experience with malware knows how fast an intrusive attack can happen, and how difficult it can be to educate employees to be vigilant against such threats. And with ransomware attacks only growing, having information, tools and technologies to help protect your network can mean the difference between serious... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/11/11/no-payment-necessary-fi… *** New Guide on How to Fix Hacked Joomla! Sites *** --------------------------------------------- Joomla! is one of the most popular open-source content management systems (CMS) on the market, powering a large percentage of websites on the internet today. For that reason, we are glad that our team includes a former contributor who helped create the official Joomla! docs on website security. We have also participated in various Joomla! events around the world, and our cofounder Dre Armeda is a keynote speaker at the upcoming Joomla! World Conference in Vancouver, Canada. Continue reading New --------------------------------------------- https://blog.sucuri.net/2016/11/new-guide-fix-hacked-joomla-sites.html *** Vuln: Docker Multiple Security Bypass Vulnerabilities *** --------------------------------------------- Vulnerable: Docker 1.12, Docker 1.6.1, Docker 1.6, Docker 1.3.3, Docker 1.4.1, Docker 1.3.2, Docker 1.3.1, Docker 1.3.0, Docker 1.12.3, Docker 1.12.2, Docker 1.0.0 --------------------------------------------- http://www.securityfocus.com/bid/94272 *** Vuln: Sophos Web Appliance Privilege Escalation and Remote Code Execution Vulnerabilities *** --------------------------------------------- Sophos Web Appliance is prone to a privilege-escalation vulnerability and remote code-execution vulnerabilities. Attackers can leverage these issues to gain elevated privileges or execute arbitrary commands within the context of the affected application. Sophos Web Appliance 4.2.1.3 is vulnerable; other versions may also be affected. --------------------------------------------- http://www.securityfocus.com/bid/94274 *** OWASP ModSecurity Core Rule Set Version 3.0 Released *** --------------------------------------------- Need a new set of generic attack detection rules for your web application firewall? Try the new OWASP ModSecurity Core Rule Set version 3.0.0! Long-time Slashdot reader dune73 writes: The OWASP CRS is a widely-used Open Source set of generic rules designed to protect users against threats like the OWASP Top 10. The rule set is most often deployed in conjunction with an existing Web Application Firewall like ModSecurity. --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/DKhaxHVZD-s/owasp-modsecuri… *** MikroTik RouterOS 6.36.2 Cross Site Scripting *** --------------------------------------------- Topic: MikroTik RouterOS 6.36.2 Cross Site Scripting Risk: Low --------------------------------------------- https://cxsecurity.com/issue/WLB-2016110115 *** VMSA-2016-0019 *** --------------------------------------------- VMware product updates address local privilege escalation vulnerability in linux kernel --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2016-0019.html *** Kaspersky Lab Black Friday Threat Overview 2016 *** --------------------------------------------- Our research shows that, over the last few years, the holiday period which starts on so-called Black Friday was marked by an increase in phishing and other types of attacks, which suggests that the pattern will be repeated this year. --------------------------------------------- http://securelist.com/analysis/publications/76615/kaspersky-lab-black-frida… *** [2016-11-14] Multiple vulnerabilities in I-Panda SolarEagle - Solar Controller Administration Software / MPPT Solar Controller SMART2 *** --------------------------------------------- Attackers are able to control the SolarEagle V2.00 / MPPT Solar Controller SMART2 device as authentication is broken. Furthermore attackers can eavesdrop the unencrypted communication or denial service. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016… *** Adult Friend Finder: 412 Milionen Accounts von Datingseite gehackt *** --------------------------------------------- Nach dem Ashley-Madison-Hack gibt es einen weiteren großen Einbruch in ein Datingnetzwerk. Angreifer veröffentlichten 412 Millionen Accountdaten des Webseitennetzwerkes rund um Adult Friend Finder. --------------------------------------------- http://www.golem.de/news/adult-friend-finder-412-milionen-accounts-von-dati… *** Vuln: Jenkins Java Deserialization Remote Code Execution Vulnerability *** --------------------------------------------- Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application. Failed exploits will result in denial-of-service conditions. --------------------------------------------- http://www.securityfocus.com/bid/94281 *** [TYPO3-announce] Vulnerabilities in multiple third party TYPO3 CMS extensions *** --------------------------------------------- several vulnerabilities have been found in the following third party TYPO3 extensions: - "Store Locator" (locator) - "Code Highlighter" (mh_code_highlighter) - "Shibboleth Authentication" (shibboleth_auth) - "Secure Download Form" (rs_securedownload) - "Member Infosheets" (if_membersheet) - "TC Directmail" (tcdirectmail) --------------------------------------------- http://lists.typo3.org/pipermail/typo3-announce/2016/000388.html *** NIST Small Business Information Security guide for Small businesses *** --------------------------------------------- The NIST Small Business Information Security: The Fundamentals guide aims to provide basic cybersecurity recommendations to small businesses. --------------------------------------------- http://securityaffairs.co/wordpress/53423/breaking-news/nist-small-business… *** [CVE-2016-8736] Apache Openmeetings RMI Registry Java Deserialization RCE *** --------------------------------------------- Versions Affected: Apache OpenMeetings 3.1.0 Description: Apache Openmeetings is vulnerable to Remote Code Execution via RMI deserialization attack The issue was fixed in 3.1.2. All users are recommended to upgrade to Apache OpenMeetings 3.1.3 --------------------------------------------- http://www.securityfocus.com/archive/1/539751 *** Recordings from AppSecUSA 2016 in Washington, DC *** --------------------------------------------- https://www.youtube.com/playlist?list=PLpr-xdpM8wG8DPozMmcbwBjFn15RtC75N *** E-Mail-Sicherheitslücke in LTE-Router von Drei *** --------------------------------------------- Jeder Nutzer, der sich mit einem Drei-Smartphone bei einem Drei-LTE-Router anmeldet, hat Zugriff auf die E-Mails des Router-Besitzers. --------------------------------------------- https://futurezone.at/produkte/e-mail-sicherheitsluecke-in-lte-router-von-d… *** Updated Good Practice Guide on National Cyber Security Strategies by ENISA *** --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/updated-good-practice-guide-on-… *** Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: November 2016 *** --------------------------------------------- On November 10, 2016, the OpenSSL Software Foundation released a security advisory that describes three vulnerabilities. ... Cisco investigated its product line to determine which products may be affected by these vulnerabilities and the impact of the vulnerabilities on each affected product. For information about whether a product is affected, refer to the “Vulnerable Products” and “Products Confirmed Not Vulnerable” sections of this advisory. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Master Decryption Keys and Decryptor for the Crysis Ransomware Released. *** --------------------------------------------- The master decryption keys for the CrySiS Ransomware have been released this morning in a post on the BleepingComputer.com forums. At approximately 1 AM EST, a member named crss7777 created a post in the CrySiS support topic at BleepingComputer with a Pastebin link to a file containing the master decryption keys and how to use them. [...] --------------------------------------------- http://www.bleepingcomputer.com/news/security/master-decryption-keys-and-de… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple security vulnerabilities have been addressed in LMS 5.0 on Cloud *** http://www.ibm.com/support/docview.wss?uid=swg21993982 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Storwize V7000 Unified (CVE-2016-6304, CVE-2016-6303, CVE-2016-2178, CVE-2016-6306 and CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009586 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Tivoli Provisioning Manager for OS Deployment and Tivoli Provisioning Manager for Images *** http://www-01.ibm.com/support/docview.wss?uid=swg21992898 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM SONAS (CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009585 --------------------------------------------- *** IBM Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty which may impact IBM Streams (CVE-2016-5986) *** http://www-01.ibm.com/support/docview.wss?uid=swg21993612 --------------------------------------------- *** IBM Security Bulletin: A Security Vulnerability has been fixed in IBM Security Privileged Identity Manager (CVE-2016-5964) *** http://www.ibm.com/support/docview.wss?uid=swg21994065 --------------------------------------------- *** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS. *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009590 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Commons FileUpload affects IBM WebSphere Portal (CVE-2016-3092) *** http://www-01.ibm.com/support/docview.wss?uid=swg21989359 --------------------------------------------- *** IBM Security Bulletin: IBM Connections Security Update *** http://www.ibm.com/support/docview.wss?uid=swg21990864 --------------------------------------------- *** IBM Security Bulletin: GPFS security vulnerabilities in IBM Storwize V7000 Unified (CVE-2016-0392) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009571 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 11-11-2016
by Daily end-of-shift report 11 Nov '16

11 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 10-11-2016 18:00 − Freitag 11-11-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Benevolent malware? reincarna/Linux.Wifatch, (Fri, Nov 11th) *** --------------------------------------------- In the new to me department. It looks like this one has been around for more thanthree years. Today I was doing some banner grabbing looking for a Mirainodethat had gotten away from me, and came across the Telnet banner below. It appears this device is infected with a piece of malware called Reincarna/Linux.Wifatch. It purports to being a memory resident malware that defends the device from more malicious malware. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21703&rss *** BSI-Bericht zur Lage der IT-Sicherheit: Die Lage bleibt angespannt *** --------------------------------------------- In seinem neuesten Bericht beurteilt das Bundesamt für Sicherheit in der Informationstechnik die aktuelle Gefährdungslage der IT-Sicherheit in Deutschland. Dabei zeigt es Schwachstellen auf und bewertet unter anderem Angriffsmethoden. --------------------------------------------- https://www.heise.de/newsticker/meldung/BSI-Bericht-zur-Lage-der-IT-Sicherh… *** CA Unified Infrastructure Management Directory Traversal Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a directory traversal vulnerability in CA Technologies Unified Infrastructure Management application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-315-01 *** F5 Security Advisory: Linux TCP stack vulnerability CVE-2016-5696 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/46/sol46514822.html?… *** Vuln: Brocade NetIron OS CVE-2016-8203 Memory Corruption Vulnerability *** --------------------------------------------- An attacker can exploit this issue to cause denial-of-service condition. Due to the nature of this issue, arbitrary code execution may be possible but this has not been confirmed. Brocade NetIron OS 5.8.00 through 5.8.00e, 5.9.00 through 5.9.00bd, 6.0.00, and 6.0.00a are vulnerable. --------------------------------------------- http://www.securityfocus.com/bid/94232 *** F5 Security Advisory: TMM vulnerability CVE-2016-7476 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/87/sol87416818.html?… *** MyBB 1.8.6 Cross Site Scripting *** --------------------------------------------- These issues may lead to the injection of JavaScript keyloggers, injection of content such as ads, or the bypassing of CSRF protection, which would for example allow the creation of a new admin user. --------------------------------------------- https://cxsecurity.com/issue/WLB-2016110096 *** Security Advisory - Path Traversal Vulnerability in Huawei Home Gateway Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2015/hw-462908 *** Vuln: Multiple I-O DATA Network Camera Products CVE-2016-7814 Information Disclosure Vulnerability *** --------------------------------------------- An attacker can exploit this issue to obtain sensitive information. This may aid in further attacks. The following products and versions are vulnerable: TS-WRLP firmware version 1.00.01 and prior TS-WRLA firmware version 1.00.01 and prior --------------------------------------------- http://www.securityfocus.com/bid/94250 *** Security Advisory - Input Validation Vulnerability in Some Huawei Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161111-… *** Windows Mobile Application Penetration Testing Part 3: Sideloading *** --------------------------------------------- Introduction and Background: In the First article of the series, we have covered the introduction and background required to start learning Windows Mobile Application Penetration Testing. We have also seen the requirements for setting up Windows Phone 8.1 emulators as well as Windows 10 mobile emulators. --------------------------------------------- http://resources.infosecinstitute.com/windows-mobile-application-penetratio… *** TYPO3: Cross-Site Scripting in extension "HTML5 Video Player" (html5videoplayer) *** --------------------------------------------- It has been discovered that the extension "HTML5 Video Player" (html5videoplayer) is susceptible to Cross-Site Scripting. --------------------------------------------- https://typo3.org/news/article/cross-site-scripting-in-extension-html5-vide… *** TYPO3: Multiple vulnerabilities in extension "TC Directmail " (tcdirectmail) *** --------------------------------------------- It has been discovered that the extension "TC Directmail " (tcdirectmail) is susceptible to Cross Site-Scripting and SQL Injection. --------------------------------------------- https://typo3.org/news/article/multiple-vulnerabilities-in-extension-tc-dir… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in PAM affect Power Hardware Management Console (‪CVE-2013-7041 and CVE-2015-3238‬) *** http://www.ibm.com/support/docview.wss?uid=nas8N1021702 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDKs affect IBM Virtualization Engine TS7700 April 2016 *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009348 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 10-11-2016
by Daily end-of-shift report 10 Nov '16

10 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 09-11-2016 18:00 − Donnerstag 10-11-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** VMSA-2016-0018 VMware product updates address local privilege escalation vulnerability in linux kernel *** --------------------------------------------- Relevant Products * VMware Identity Manager * vRealize Automation * vRealize Operations --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2016-0018.html *** FortiWLC Undocumented Hardcoded core Account *** --------------------------------------------- FortiWLC comes with a hardcoded account named core which is used by Meru Access Points to send core dumps to the FortiWLC and has read/write privileges over various parts of the system. Impact: Unauthorized read/write remote access Affected Products: FortiWLC 7.0-9-1, 7.0-10-0, 8.1-2-0, 8.1-3-2 and 8.2-4-0 --------------------------------------------- https://fortiguard.com/advisory/fortiwlc-undocumented-hardcoded-core-account *** Deepsec: "Unternehmen interessieren sich nicht für Privacy, außer zum Marketing" *** --------------------------------------------- Sicherheitsexperte Marcus J. Ranum übt auch scharfe Kritik an eigener Branche: Teure Lösungen für wenig Nutzen --------------------------------------------- http://derstandard.at/2000047306876 *** OpenSSL Security Advisory [10 Nov 2016] (CVE-2016-7054, CVE-2016-7053, CVE-2016-7055) *** --------------------------------------------- CVE-2016-7054: TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS. CVE-2016-7053: Applications parsing invalid CMS structures can crash with a NULL pointer dereference. --------------------------------------------- https://www.openssl.org/news/secadv/20161110.txt *** ICMP Unreachable DoS Attacks (aka "Black Nurse"), (Thu, Nov 10th) *** --------------------------------------------- It is not recommended to block all Type 3 ICMP messages. In particular Type 3 Code 4 (Fragmentation Needed and Don't Fragment was Set) messages are requied for path MTU discovery, which many modern operating systems use. ... So what should you do? * Don't panic. This is not a big deal. Test your firewall if you can, or check if is on the vulnerable list * You are vulnerable if you use a smaller Cisco ASA firewall. Newer/Larger multi-core versions appear to be fine. SonicWall and "some" Palo Alto firewalls appear to be vulnerable too. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21699&rss *** Bugtraq: Secunia Research: Oracle Outside In "GetTxObj()" Use-After-Free Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/539732 *** Bugtraq: Secunia Research: Oracle Outside In "VwStreamRead()" Buffer Overflow Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/539731 *** Internet Of Things: Sorgenkind Sicherheit *** --------------------------------------------- Das Geschäft mit smarten Devices und vernetzten Produktionsanlagen brummt, doch die Sicherheit ist oft nur Nebensache. Auf einer Konferenz in Köln zeichneten Branchenvertreter ein düsteres Bild. --------------------------------------------- https://heise.de/-3463589 *** Windows Mobile Application Penetration Testing Part 2: Understanding Applications *** --------------------------------------------- In the First article of the series, we have covered the introduction and background required to start learning Windows Mobile Application Penetration Testing. We have also seen the requirements for setting up Windows Phone 8.1 emulators as well as Windows 10 mobile emulators. In this article, we will discuss the basics of Windows Phone 8.1 applications and UWP applications. --------------------------------------------- http://resources.infosecinstitute.com/windows-mobile-application-penetratio… *** [R3] Nessus 6.9 Fixes Multiple Vulnerabilities *** --------------------------------------------- http://www.tenable.com/security/tns-2016-16 *** F5 Security Advisories *** --------------------------------------------- *** Security Advisory: BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472 *** https://support.f5.com:443/kb/en-us/solutions/public/k/17/sol17119920.html?… --------------------------------------------- *** Security Advisory: SSL renegotiation vulnerability CVE-2011-1473 *** https://support.f5.com:443/kb/en-us/solutions/public/15000/200/sol15278.htm… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in lquerylv in LVM impacts AIX (CVE-2016-6079) *** http://aix.software.ibm.com/aix/efixes/security/lquerylv_advisory.asc --------------------------------------------- *** IBM Security Bulletin: IBM Resilient Cross Site Scripting Vulnerability (CVE-2016-6062) *** https://success.resilientsystems.com/hc/en-us/articles/213457065-Security-B… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Apache Struts affect IBM WebSphere Portal (CVE-2015-0899, CVE-2016-1181, CVE-2016-1182) *** http://www-01.ibm.com/support/docview.wss?uid=swg21988770 --------------------------------------------- *** IBM Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty which may impact IBM Streams (CVE-2016-0378) *** http://www-01.ibm.com/support/docview.wss?uid=swg21993571 --------------------------------------------- *** IBM Security Bulletin: HTTP response splitting attack affects IBM TS7700 Virtualization Engine (CVE-2015-2017) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1008115 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 9-11-2016
by Daily end-of-shift report 09 Nov '16

09 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 08-11-2016 18:00 − Mittwoch 09-11-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Admins aufgepasst: SHA1-Zertifikate vor dem endgültigen Aus *** --------------------------------------------- Ab Januar 2017 wird es ernst: die großen Browser werden ab dann richtige Fehlermeldungen anzeigen, wenn sie auf Zertifikate treffen, die eine Signatur mit SHA1 aufweisen. Die sind aber immer noch im Einsatz, wie ein Kurztest von heise Security zeigt. --------------------------------------------- https://heise.de/-3460868 *** Adsense: Google entfernt Bankentrojaner aus Werbenetzwerk *** --------------------------------------------- Erneut ist über ein Werbenetzwerk Schadsoftware verteilt worden. Eine Google-Adsense-Kampagne hatte versucht, Android-Nutzern einen Bankentrojaner unterzuschieben. Die entsprechenden Anzeigen wurden mittlerweile deaktiviert. (Malware, Virus) --------------------------------------------- http://www.golem.de/news/adsense-google-entfernt-bankentrojaner-aus-werbene… *** MS16-NOV - Microsoft Security Bulletin Summary for November 2016 - Version: 1.0 *** --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS16-NOV *** App-Schwachstelle: Angreifer können iPhone-Anrufe auslösen *** --------------------------------------------- Ein Fehler in populären iOS-Apps ermöglicht es, das iPhone zum automatischen Anwählen einer bestimmten Rufnummer zu bringen und den Nutzer zugleich am sofortigen Abbruch des Telefonats zu hindern. --------------------------------------------- https://heise.de/-3460552 *** November 2016 security update release *** --------------------------------------------- Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released. More information about this month's security updates and advisories can be found in the Security TechNet Library. --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2016/11/08/november-2016-security-… *** Thoughts on the recent 'NtSetWindowLongPtr' vulnerability *** --------------------------------------------- On October 31, Google security team has announced it has discovered a vulnerability, actively exploited the wild, in (unspecified) versions of Microsoft Windows. The vulnerability is a local privilege escalation, allowing an unprivileged user to gain kernel privileges. --------------------------------------------- https://labs.bromium.com/2016/11/08/thoughts-on-the-recent-ntsetwindowlongp… *** New XM1RPC SEO Spam and Backdoor Campaign *** --------------------------------------------- We have been monitoring a new campaign specifically targeting WordPress sites, using hundreds of them for SEO spam distribution. We call it the XM1RPC campaign due to the common backdoor used across all of the compromised sites. The file is named in such a way as to confuse WordPress administrators who are familiar with XML-RPC. This malware usually infects all sites that share the same FTP account, which means cleaning just one website won't help... --------------------------------------------- https://blog.sucuri.net/2016/11/xm1rpc-spam-backdoor.html *** Phoenix Contact ILC PLC Authentication Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for authentication vulnerabilities in Phoenix Contact's ILC PLCs. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-313-01 *** Siemens Industrial Products Local Privilege Escalation Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a privilege escalation vulnerability that affects several Siemens industrial products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-313-02 *** OSIsoft PI System Incomplete Model of Endpoint Features Vulnerability *** --------------------------------------------- This advisory contains mitigation details for an incomplete model of endpoint features vulnerability in OSIsoft's PI System software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03 *** TrickBot Banking Trojan Adds New Browser Manipulation Tools *** --------------------------------------------- The banking Trojan TrickBot is evolving fast, according to researchers, and within weeks will expand its victim list and attack scope. --------------------------------------------- http://threatpost.com/trickbot-banking-trojan-adds-new-browser-manipulation… *** DSA-3709 libxslt - security update *** --------------------------------------------- Nick Wellnhofer discovered that the xsltFormatNumberConversion functionin libxslt, an XSLT processing runtime library, does not properly checkfor a zero byte terminating the pattern string. This flaw can be exploited to leak a couple of bytes after the buffer that holds thepattern string. --------------------------------------------- https://www.debian.org/security/2016/dsa-3709 *** Security Advisory - Input Validation Vulnerability in Wi-Fi Driver of Huawei Smart Phones *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161109-… *** Pawn Storm Ramps Up Spear-phishing Before Zero-Days Get Patched *** --------------------------------------------- The effectiveness of a zero-day quickly deteriorates as an attack tool after it gets discovered and patched by the affected software vendors. Within the time between the discovery of the vulnerability and the release of the fix, a bad actor might try to get the most out of his previously valuable attack assets. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/QdtwFJ1RHyQ/ *** Vuln: SAP NetWeaver Java AS Webdynpro Component Information Disclosure Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/94174 *** New BEC scams seek to build trust first, request wire transfer later *** --------------------------------------------- Business email compromise scammers have gradually changed their tactics to improve their scam success rate. --------------------------------------------- https://www.symantec.com/connect/blogs/new-bec-scams-seek-build-trust-first… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple OpenSSL vulnerabilities affect IBM Aspera Shares 1.9.4 or earlier and IBM Aspera Console 3.0.6 or earlier *** https://support.asperasoft.com/hc/en-us/articles/229505687-Security-Bulleti… -IBM-Aspera-Console-3-0-6-or-earlier --------------------------------------------- *** IBM Security Bulletin: The BigFix Platform has a vulnerability involving missing the HTTP Strict-Transport-Security Header (CVE-2016-0297) *** http://www.ibm.com/support/docview.wss?uid=swg21993214 --------------------------------------------- *** IBM Security Bulletin: BigFix Platform has a vulnerability where information is exposed through Log Files (CVE-2016-0296) *** http://www.ibm.com/support/docview.wss?uid=swg21993213 --------------------------------------------- *** IBM Security Bulletin: Lotus Protector for Mail Security Affected By Multiple Open Source CURL Vulnerabilities (CVE-2016-7167) *** http://www.ibm.com/support/docview.wss?uid=swg21993246 --------------------------------------------- *** IBM Security Bulletin: IBM Connections Mobile Server Security Refresh for Apache Struts (CVE-2016-0785, CVE-2016-0785, CVE-2016-3093, CVE-2016-4003) *** http://www.ibm.com/support/docview.wss?uid=swg21984206 --------------------------------------------- *** IBM Security Bulletin: IBM Connections Security Refresh for Apache Struts CVE-IDs: CVE-2016-0785 CVE-2016-2162 *** http://www.ibm.com/support/docview.wss?uid=swg21985424

1 0

Tageszusammenfassung - Dienstag 8-11-2016
by Daily end-of-shift report 08 Nov '16

08 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 07-11-2016 18:00 − Dienstag 08-11-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Android: Sicherheitsupdate für November lässt kritische Lücke offen *** --------------------------------------------- Linux-Kernel-Bug auf Nexus- und Pixel-Geräten noch nicht geschlossen - Update schließt Dutzende Sicherheitslücken --------------------------------------------- http://derstandard.at/2000047142975 *** Android Security Bulletin November 2016 *** --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security update to Google devices through an over-the-air (OTA) update. --------------------------------------------- https://source.android.com/security/bulletin/2016-11-01.html *** DDoS attack halts heating in Finland amidst winter *** --------------------------------------------- The systems that were attacked tried to respond to the attack by rebooting the main control circuit. This was repeated over and over so that heating was never working. --------------------------------------------- http://metropolitan.fi/entry/ddos-attack-halts-heating-in-finland-amidst-wi… *** Security Updates for Adobe Connect (APSB16-35) and Adobe Flash Player (APSB16-37) Available *** --------------------------------------------- Adobe has published security bulletins for Adobe Connect (APSB16-35) and Adobe Flash Player (APSB16-37). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1420 *** MSRT November 2016: Unwanted software has nowhere to hide in this month's release *** --------------------------------------------- We came across a browser modifier that sports rootkit capabilities. Not only does the threat, detected as BrowserModifier:Win32/Soctuseer, cross the line that separates legitimate software from unwanted, it also takes staying under the radar to the next level. Rootkit capabilities, which make it difficult to detect and remove applications, are usually associated with malware. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/11/08/msrt-november-2016-unwa… *** Vuln: phpMyAdmin CVE-2016-6610 Full Path Information Disclosure Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/94118 *** BlackBerry powered by Android Security Bulletin November 2016 *** --------------------------------------------- http://support.blackberry.com/kb/articleDetail?articleNumber=000038666 *** Vuln: Multiple D-Link DIR Routers CVE-2016-6563 Remote Stack Overflow Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/94130 *** Piwik 2.16.0 PHP Object Injection *** --------------------------------------------- Affected Versions: Version 2.16.0 and prior versions. Vulnerability Description: The vulnerability can be triggered through the saveLayout() method defined in /plugins/Dashboard/Controller.php: --------------------------------------------- https://cxsecurity.com/issue/WLB-2016110055 *** f5 Security Advisories *** --------------------------------------------- *** Security Advisory: Configuration utility CSRF vulnerability *** https://support.f5.com:443/kb/en-us/solutions/public/k/21/sol21485342.html?… --------------------------------------------- *** Security Advisory: Linux kernel vulnerability CVE-2016-7117 *** https://support.f5.com:443/kb/en-us/solutions/public/k/51/sol51201255.html?… --------------------------------------------- *** Security Advisory: Multiple LibTIFF vulnerabilities *** https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35155453.html?… --------------------------------------------- *** Security Advisory: LibTIFF vulnerabilities CVE-2016-5320 and CVE-2015-8784 *** https://support.f5.com:443/kb/en-us/solutions/public/k/89/sol89096577.html?… --------------------------------------------- *** Security Advisory: PHP vulnerabilities CVE-2015-6834, CVE-2015-6835, CVE-2015-6836, CVE-2015-6837, and CVE-2015-6838 *** https://support.f5.com:443/kb/en-us/solutions/public/17000/300/sol17377.htm… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for HP NonStop (CVE-2016-2177, CVE-2016-6306, CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg21993601 --------------------------------------------- *** IBM Security Bulletin: Password Disclosure via application tracing in IBM Tivoli Storage Manager for Space Management (CVE-2016-0371) *** http://www.ibm.com/support/docview.wss?uid=swg21990042 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect the BigFix Platform *** http://www.ibm.com/support/docview.wss?uid=swg21993215 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect the BigFix Platform *** http://www.ibm.com/support/docview.wss?uid=swg21993210 --------------------------------------------- *** IBM Security Bulletin: The BigFIx platform has a vulnerability where WebReports executes with unnecessary privileges (CVE-2016-0396) *** http://www.ibm.com/support/docview.wss?uid=swg21993206 --------------------------------------------- *** IBM Security Bulletin: BigFix Platform has a vulnerability allowing unrestricted file upload (CVE-2016-0214) *** http://www.ibm.com/support/docview.wss?uid=swg21993203 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 7-11-2016
by Daily end-of-shift report 07 Nov '16

07 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 04-11-2016 18:00 − Montag 07-11-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Sophos Web Appliance 4.2.1.3 Remote Code Execution *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2016110036 *** Two Critical MySQL Bugs Discovered *** --------------------------------------------- An anonymous reader quotes InfoWorld: Two critical privilege escalation vulnerabilities in MySQL, MariaDB, and PerconaDB can help take control of .. --------------------------------------------- https://developers.slashdot.org/story/16/11/05/056227/two-critical-mysql-bu… *** Tech support scammers use denial of service bug to hang victims *** --------------------------------------------- Process pig keeps eyes glued on fraudsters phone number. Tech support fraudsters have taught an old denial of service bug new tricks to add a convincing layer of authenticity to scams. --------------------------------------------- www.theregister.co.uk/2016/11/07/tech_support_scammers_use_denial_of_servic… *** Vuln: cURL/libcURL CVE-2016-8625 Remote Security Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/94107 *** Disassembling a Mobile Trojan Attack *** --------------------------------------------- In fact, any site using AdSense to display adverts could potentially have displayed messages that downloaded the dangerous Svpeng and automatically saved it to .. --------------------------------------------- http://securelist.com/blog/research/76286/disassembling-a-mobile-trojan-att… *** Hintergrund: Threat Intelligence: IT-Sicherheit zum Selbermachen? *** --------------------------------------------- Viele IT-Sicherheitsfirmen erweitern ihr Portfolio derzeit um sogenannte Threat Intelligence. Die ist jedoch kein Allheilmittel sondern muss gezielt eingesetzt werden, um einen echten Mehrwert zu erzielen. Dr. Timo Steffens vom .. --------------------------------------------- https://heise.de/-3453595 *** SSA-701708 (Last Update 2016-11-07): Local Privilege Escalation in Industrial Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-701708… *** SSA-378531 (Last Update 2016-11-07): Vulnerabilities in SIMATIC WinCC, PCS 7 and WinCC Runtime Professional *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-378531… *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects Rational Lifecycle Integration Adapter for HP ALM (CVE-2016-5597) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21993700 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageSight (CVE-2016-3598) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21992715 *** IBM Security Bulletin: IBM WebSphere Cast Iron Solution is affected by Apache Tomcat vulnerability (CVE-2016-5388) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21992977 *** Login Form Hijacking Vulnerability in Citrix NetScaler Gateway *** --------------------------------------------- https://support.citrix.com/article/CTX213313 *** Citrix XenServer Security Update for CVE-2016-0800 *** --------------------------------------------- A security vulnerability has been identified in Citrix XenServer that could, if exploited, allow a malicious attacker with access to the XenServer .. --------------------------------------------- https://support.citrix.com/article/CTX208403 *** Multiple Security Vulnerabilities in Citrix NetScaler Platform ... *** --------------------------------------------- A number of security vulnerabilities have been identified in firmware used in the Lights Out Management (LOM) component across all NetScaler .. --------------------------------------------- https://support.citrix.com/article/CTX216642

1 0

Tageszusammenfassung - Freitag 4-11-2016
by Daily end-of-shift report 04 Nov '16

04 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 03-11-2016 18:00 − Freitag 04-11-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Extracting Malware Transmitted Via Telnet, (Thu, Nov 3rd) *** --------------------------------------------- One charactersitcs of many of the telnet explois we have seen over the last few years has been the transmission of malware using echo commands. Even the recent versions of Mirai used this trick. Reconstruction the malware from packet captures can be a little bit tricky, in particular if you are trying to automate the process. So here is what I have been doing for my honeypot DVR: First of all, the DVR is connected to a remote controlled power outlet, to make it easy to reboot it as needed. I do... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21673&rss *** Moving Beyond EMET *** --------------------------------------------- EMET - Then and Now Microsoft's Trustworthy Computing initiative was 7 years old in 2009 when we first released the Enhanced Mitigation Experience Toolkit (EMET). Despite substantial improvements in Windows OS security during that same period, it was clear that the way we shipped Windows at the time (3-4 years between major releases) was simply... --------------------------------------------- https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/ *** Mobile subscriber identity numbers can be exposed over Wi-Fi *** --------------------------------------------- For a long time, law enforcement agencies and hackers have been able to track the identity and location of mobile users by setting up fake cellular network towers and tricking their devices to connect to them. Researchers have now found that the same thing can be done much more cheaply with a simple Wi-Fi hotspot.The devices that pose as cell towers are known in the industry as IMSI catchers, with the IMSI (international mobile subscriber identity) being a unique number tied to a mobile... --------------------------------------------- http://www.cio.com/article/3138469/security/mobile-subscriber-identity-numb… *** Outlook Web Access Two-Factor Authentication Bypass Exists *** --------------------------------------------- Two-factor authentication protecting Outlook Web Access and Office 365 portals can be bypassed-and the situation likely cannot be fixed, a researcher has disclosed. --------------------------------------------- http://threatpost.com/outlook-web-access-two-factor-authentication-bypass-e… *** DNS Analysis and Tools *** --------------------------------------------- In this article, we will take a look at the complete DNS process, DNS lookup, DNS reverse lookup, DNS zone transfer, etc. along with some tools to analyze & enumerate DNS traffic. Domain Name System (DNS) is a naming system used to convert human readable domain names like infosecinstitute.com into a numerical IP address. The... --------------------------------------------- http://resources.infosecinstitute.com/dns-analysis-and-tools/ *** Security Advisory: Configuration utility CSRF vulnerability *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/61/sol61045143.html?… *** cURL/libcurl Multiple Bugs Let Remote Users Inject Cookies, Reuse Connections, and Execute Arbitrary Code and Let Local Users Obtain Potentially Sensitive Information and Execute Arbitrary Code *** --------------------------------------------- http://www.securitytracker.com/id/1037192 *** Security Notice - Statement on Black Hat Europe 2016 Revealing Security Vulnerability in Huawei Mate Smart Phone *** --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2016/huawei-sn-20161104-01-… *** Moxa OnCell Security Vulnerabilities *** --------------------------------------------- This advisory contains mitigation vulnerabilities for authorization bypass and disclosed OS commanding vulnerabilities in Moxa's OnCell Security Software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-308-01 *** Schneider Electric Magelis HMI Resource Consumption Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for resource consumption vulnerabilities affecting Schneider Electric's Magelis human-machine interface products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-308-02 *** Schneider Electric IONXXXX Series Power Meter Vulnerabilities *** --------------------------------------------- This advisory is a follow-up to the alert titled ICS-ALERT-16-256-02 Schneider Electric ION Power Meter CSRF Vulnerability that was published September 12, 2016, on the NCCIC/ICS-CERT web site. This advisory contains mitigation details for a cross-site request forgery and no access control vulnerabilities in Schneider Electric's IONXXXX series power meters. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-308-03 *** IBM Security Bulletin *** --------------------------------------------- *** IBM Security Bulletin: IBM i is affected by several vulnerabilities (CVE-2016-2183 and CVE-2016-6329) *** http://www-01.ibm.com/support/docview.wss?uid=nas8N1021697 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSH and OpenSSL affect GPFS for Windows V3.5 *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1024394 --------------------------------------------- *** IBM Security Bulletin: Cross-site scripting vulnerability affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-2926) *** http://www-01.ibm.com/support/docview.wss?uid=swg21993444 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Apache HttpComponents affect IBM InfoSphere Information Server (CVE-2012-6153 CVE-2014-3577) *** http://www-01.ibm.com/support/docview.wss?uid=swg21982420 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 3-11-2016
by Daily end-of-shift report 03 Nov '16

03 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 02-11-2016 18:00 − Donnerstag 03-11-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Unpatched Vulnerability on Wix.com Puts Millions of Sites at Risk *** --------------------------------------------- Wix websites are vulnerable to reflective DOM cross-site scripting attack that could give attackers control of user's websites. --------------------------------------------- http://threatpost.com/unpatched-vulnerability-on-wix-com-puts-millions-of-s… *** Malware: Adwords-Anzeige verlinkt auf falschen Google Chrome *** --------------------------------------------- Eine Malware-Kampagne, die sich gegen Apple-Nutzer richtet, bietet gefälschte Versionen von Googles Chrome-Browser. Dabei nutzten die Betrüger ausgerechnet Googles Adword-Anzeigen, um Opfer hereinzulegen. --------------------------------------------- http://www.golem.de/news/malware-adwords-anzeige-verlinkt-auf-falschen-goog… *** Recognizing Packed Malware and its Unpacking Approaches-Part 2 *** --------------------------------------------- In Part 1 of this article series, we had a look at the ways to recognize packed executables and various ways to automate the unpacking process. In this article, we will look at the manual process of unpacking a packed malware specimen. In the last article, we have seen how the malware specimen was packed... --------------------------------------------- http://resources.infosecinstitute.com/recognizing-packed-malware-and-its-un… *** Bereits 30.000 Angriffe: Experten warnen vor Joomla-Lücke *** --------------------------------------------- Cyberkriminelle verschaffen sich erweiterte Rechte - Webseiten-Betreiber sollten sofort auf die neueste Version updaten --------------------------------------------- http://derstandard.at/2000046902782 *** Barracuda: Outage caused by large number of inbound connections *** --------------------------------------------- Yet firm refuses to say the word DDoS. What are they hiding? Outage-hit security firm Barracuda appears to have been struck down by a DDoS - though the firm says its still investigating and refuses to confirm or deny it. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/11/03/barracuda_o… *** These 12+ Internet Crime Stories Will Make You Care about Cybersecurity [Updated] *** --------------------------------------------- Online security seems such an abstract and distant field, where other people get hurt, but you somehow stay safe, either by luck or internet savvy. But the truth is, it could happen to anyone, and it might even have happened to you in the past. They say that nothing beats learning from experience, but sometimes it's best... --------------------------------------------- https://heimdalsecurity.com/blog/12-true-stories-that-will-make-you-care-ab… *** Browsererweiterungen: Plötzlich nackt im Netz *** --------------------------------------------- Alle Suchwörter, alle Webseiten - der Browser-Verlauf eines ganzen Monats steht zum Verkauf. Unser Autor erlebte, wie das ist, wenn die eigenen Daten zur Ware werden. --------------------------------------------- http://www.golem.de/news/browsererweiterungen-ploetzlich-nackt-im-netz-1611… *** Ubuntu Core Snaps door shut on Linuxs new Dirty COWs *** --------------------------------------------- When did Linux start becoming like Windows? Canonical has released Ubuntu Core 16 for IoT, featuring Linux self-patching for a generation of users against future Bash or Dirty COWs. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/11/03/ubuntu_core… *** HPSBUX03664 SSRT110248 rev.1 HP-UX BIND Service running named, Remote Denial of Service (DoS) *** --------------------------------------------- Potential security vulnerabilities have been identified in the HP-UX BIND service running named. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS). --------------------------------------------- https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05321107 *** Security Advisory: BIG-IP virtual server TCP sequence numbers vulnerability *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/68/sol68401558.html?… *** Security Advisory: OpenSSL vulnerability CVE-2016-6304 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/54/sol54211024.html?… *** Security Advisory: BIND vulnerability CVE-2016-8864 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35322517.html?… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server October 2016 CPU (CVE-2016-5573, CVE-2016-5597) *** http://www-01.ibm.com/support/docview.wss?uid=swg21993440 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities may affect IBM WebSphere Real Time *** https://www-01.ibm.com/support/docview.wss?uid=swg21993501 --------------------------------------------- *** IBM Security Bulletin: Lotus Protector for Mail Security Affected By Multiple Open Source OpenSSL Vulnerabilities *** http://www.ibm.com/support/docview.wss?uid=swg21992348 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2016-3426) *** http://www-01.ibm.com/support/docview.wss?uid=swg21992149 --------------------------------------------- *** IBM Security Bulletin: Password Disclosure via application tracing in IBM Tivoli Storage Manager Client (CVE-2016-0371) *** http://www.ibm.com/support/docview.wss?uid=swg21985114 --------------------------------------------- *** IBM Security Bulletin: A Vulnerability in OpenSource Apache Taglibs Vulnerability affect Content Integrator (CVE-2015-0254) *** http://www-01.ibm.com/support/docview.wss?uid=swg21993243 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 2-11-2016
by Daily end-of-shift report 02 Nov '16

02 Nov '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 31-10-2016 18:00 − Mittwoch 02-11-2016 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter *** New, more-powerful IoT botnet infects 3,500 devices in 5 days *** --------------------------------------------- Discovery of Linux/IRCTelnet suggests troubling new DDoS menace could get worse. --------------------------------------------- http://arstechnica.com/security/2016/11/new-iot-botnet-that-borrows-from-no… *** Docker user? Havent patched Dirty COW yet? Got bad news for you *** --------------------------------------------- Repeat after me, containerization isnt protection, its a management feature Heres another reason to pay attention to patching your Linux systems against the Dirty COW vulnerability: it can be used to escape Docker containers. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/11/01/docker_user… *** Sicherheits-Patch für Zero-Day-Lücke in Windows in Sicht *** --------------------------------------------- Ein Ausnutzen der Schwachstelle soll nur in Verbindung mit einer bereits geschlossenen Flash-Lücke funktionieren. Microsoft kritisiert Google für die frühe Offenlegung der Lücke. --------------------------------------------- https://heise.de/-3454255 *** Millionen Surf-Profile: Daten stammen angeblich auch von Browser-Addon WOT *** --------------------------------------------- Die detaillierten Daten zum Surfverhalten von Millionen Deutschen, auf die NDR-Reporter Zugriff haben, stammen offenbar auch von der beliebten Browser-Erweiterung WOT. Die damit gesammelten Daten seien leicht bestimmten Personen zuzuordnen. --------------------------------------------- https://heise.de/-3453820 *** Performance-Framework: Kritische Sicherheitslücken in Memcached geschlossen *** --------------------------------------------- Von einer Sicherheitslücke in einem beliebten Performance-Framework sind auch Dienste wie Facebook, Youtube und Reddit betroffen gewesen. Angreifer hätten auf dem Zielsystem Code ausführen können. Ein Patch und ein Workaround sind verfügbar. --------------------------------------------- http://www.golem.de/news/performance-framework-kritische-sicherheitsluecken… *** Datenpanne: Wenn das iPhone die Geheimnummer der Nationalratspräsidentin kennt *** --------------------------------------------- Offenbar durch einen Fehler bei AppleCare sind die Telefonbucheinträge mehrerer iPhone-Nutzer an andere übertragen worden, berichten der "Stern" und das österreichische Magazin "News". --------------------------------------------- https://heise.de/-3454575 *** Belkin's WeMo Gear Can Hack Android Phones *** --------------------------------------------- Vulnerabilities in WeMo home automation devices can be used to attack the Android apps used to manage devices remotely. --------------------------------------------- http://threatpost.com/belkins-wemo-gear-can-hack-android-phones/121730/ *** Security Advisory: OpenSSL vulnerability CVE-2016-2179 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/23/sol23512141.html?… *** Security Advisory 2016-02: Security Update for OTRS *** --------------------------------------------- November 01, 2016 - Please read carefully and check if the version of your OTRS system is affected by this vulnerability. Please send information regarding vulnerabilities in OTRS to: security(a)otrs.org PGP Key pub 2048R/9C227C6B 2011-03-21 [expires at: 2017-08-20] uid OTRS Security Team GPG Fingerprint E330 4608 DA6E 34B7 1551 C244 7F9E 44E9 9C22 --------------------------------------------- https://www.otrs.com/security-advisory-2016-02-security-update-otrs/ *** Palo Alto PAN-OS Insecure API Token Generation Lets Remote Users Access the Target Firewall API Interface *** --------------------------------------------- http://www.securitytracker.com/id/1037153 *** Palo Alto PAN-OS Input Validation Flaw in Captive Portal Lets Remote Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1037152 *** DFN-CERT-2016-1794: Django: Zwei Schwachstellen ermöglichen u.a. das Erlangen von Benutzerrechten *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-1794/ *** USN-3118-1: Mailman vulnerabilities *** --------------------------------------------- Ubuntu Security Notice USN-3118-11st November, 2016mailman vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Ubuntu 12.04 LTSSummarySeveral security issues were fixed in Mailman.Software description mailman - Powerful, web-based mailing list manager DetailsIt was discovered that the Mailman administrative web interface did notprotect against cross-site request forgery (CSRF) attacks. If anauthenticated user were --------------------------------------------- http://www.ubuntu.com/usn/usn-3118-1/ *** CVE-2016-8864: A problem handling responses containing a DNAME answer can lead to an assertion failure *** --------------------------------------------- A defect in BINDs handling of responses containing a DNAME answer can cause a resolver to exit after encountering an assertion failure in db.c or resolver.c --------------------------------------------- https://kb.isc.org/article/AA-01434/0/CVE-2016-8864%3A-A-problem-handling-r… *** Symantec IT Management Suite Multiple Issues *** --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** Norton Mobile Security for Android Multiple Security Issues *** --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Struts v2 affect IBM Security Identity Manager ( CVE-2016-1181 CVE-2016-1182 ) *** http://www-01.ibm.com/support/docview.wss?uid=swg21992931 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2016-6072) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991893 --------------------------------------------- *** IBM Security Bulletin: IBM Security Guardium Data Redaction is vulnerable to IBM SDK, Java Technology Edition Quarterly CPU Jul 2016 Includes Oracle Jul 2016 CPU (CVE-2016-3485) *** http://www-01.ibm.com/support/docview.wss?uid=swg21992001 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring (CVE-2016-3485, CVE-2016-3511, CVE-2016-3598) *** http://www.ibm.com/support/docview.wss?uid=swg21993191 --------------------------------------------- *** IBM Security Bulletin: A command injection vulnerability has been identified in IBM Security Access Manager for Mobile appliances (CVE-2016-3028) *** http://www.ibm.com/support/docview.wss?uid=swg21991110 --------------------------------------------- *** IBM Security Bulletin: A vulnerability associated with the default account lockout settings in IBM Security Access Manager for Mobile has been identified (CVE-2016-3025) *** http://www.ibm.com/support/docview.wss?uid=swg21991107 --------------------------------------------- *** Cisco Security Advisories *** --------------------------------------------- *** Cisco ASR 5500 Series with DPC2 Cards SESSMGR Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco TelePresence Endpoints Local Command Injection Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco ASR 900 Series Aggregation Services Routers Buffer Overflow Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Application Policy Infrastructure Controller Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Email Security Appliance RAR File Attachment Scanner Bypass Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Prime Home Authentication Bypass Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Meeting Server Session Description Protocol Media Lines Buffer Overflow Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Meeting Server and Meeting App Buffer Underflow Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… ---------------------------------------------

1 0

Tageszusammenfassung - Montag 31-10-2016
by Daily end-of-shift report 31 Oct '16

31 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 28-10-2016 18:00 − Montag 31-10-2016 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter *** Of course smart homes are targets for hackers *** --------------------------------------------- The Wirecutter, an in-depth comparative review site for various electrical and electronic devices, just published an opinion piece on whether users should be worried about security issues in IoT devices. The summary: avoid devices that dont require passwords (or dont force you to change a default and devices that want you to disable security, follow general network security best practices but otherwise dont worry - criminals arent likely to target you.This is terrible, irresponsible advice. Its --------------------------------------------- http://mjg59.dreamwidth.org/45483.html *** Ensuring that ICS/SCADA isn't our next IoT nightmare *** --------------------------------------------- The DDoS chaos of the past month tells us that we need to work together to ensure future standards and reduce security risks --------------------------------------------- https://nakedsecurity.sophos.com/2016/10/28/ensuring-that-icsscada-isnt-our… *** Volatility Bot: Automated Memory Analysis, (Sun, Oct 30th) *** --------------------------------------------- Few weeks ago Ive attended the SANS DFIR Summit in Prague, and one of the very interesting talks was from Martin Korman (@MartinKorman), who presented a new tool he developed: Volatility Bot. According to his description, Volatility Bot is an automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation. Not only does it automatically extract the executable... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21655&rss *** Masque Attack Abuses iOS's Code Signing to Spoof Apps and Bypass Privacy Protection *** --------------------------------------------- First reported in 2014, Masque Attack allowed hackers to replace a genuine app from the App Store with a malformed, enterprise-signed app that had the same Bundle Identifier (Bundle ID). Apple subsequently patched the vulnerabilities (CVE-2015-3772 and CVE-2015-3725), but while it closed a door, scammers seemed to have opened a window. Haima's repackaged, adware-laden apps and its native helper application prove that App Store scammers are still at it. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/ffHuC_yu178/ *** DDOS-Attacke gegen Server legt Wiener TU-Informatiker lahm *** --------------------------------------------- Eine DDOS-Attacke gegen Server der Fachschaft Informatik der TU Wien hat zu Webseiten-Ausfällen geführt. --------------------------------------------- https://futurezone.at/digital-life/ddos-attacke-gegen-server-legt-wiener-tu… *** Joomla websites attacked en masse using recently patched exploits *** --------------------------------------------- Attackers are aggressively attacking Joomla-based websites by exploiting two critical vulnerabilities patched last week.The flaws allow the creation of accounts with elevated privileges on websites built with the popular Joomla content management system, even if account registration is disabled. They were patched in Joomla 3.6.4, released Tuesday.Hackers didnt waste any time reverse engineering the patches to understand how the two vulnerabilities can be exploited to compromise websites,... --------------------------------------------- http://www.csoonline.com/article/3136933/security/joomla-websites-attacked-… *** CardComplete-Phishingmail: 3-D Secure Aktualisierung *** --------------------------------------------- In einer vermeintlichen CardComplete-Benachrichtigung heißt es, dass Kreditkarteninhaber/innen ihr 3-D Secure Verfahren aktualisieren müssen. Dazu sollen sie eine Website aufrufen und ihre persönlichen Kreditkarteninformationen bekannt geben. In Wahrheit stammt die E-Mail von Kriminellen, die damit sensible Daten stehlen. --------------------------------------------- https://www.watchlist-internet.at/phishing/cardcomplete-phishingmail-3-d-se… *** "AtomBombing": Forscher warnen vor "unpatchbarer" Windows-Lücke *** --------------------------------------------- Angeblich alle Windows-Systeme betroffen - Gefahrenpotenzial allerdings unklar --------------------------------------------- http://derstandard.at/2000046630311 *** Cybercrime-Report 2015: Elf Prozent mehr Anzeigen in Österreich *** --------------------------------------------- Mehr Fälle bei Internetbetrug, Erpressung und Datenmissbrauch --------------------------------------------- http://derstandard.at/2000046762022 *** The Week in Ransomware - October 28 2016 - Locky, Angry Duck, and More! *** --------------------------------------------- Lots and lots of little ransomware and in-dev variants released this week. Of particular note is the quick release of two Locky variants that used .sh*t and then a day later the .thor extension for encrypted files. --------------------------------------------- http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-octobe… *** Security Advisory: OpenSSL vulnerability CVE-2016-2181 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/59/sol59298921.html?… *** Vuln: Moodle CVE-2016-7919 Information Disclosure Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/93971 *** GNU tar 1.29 Extract Pathname Bypass *** --------------------------------------------- Topic: GNU tar 1.29 Extract Pathname Bypass Risk: Low Text: - t216 special vulnerability release -- Vulnerability: POINTYFEATHER aka Tar extract pathname bypass ... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016100254 *** About the security content of iOS 10.1.1 *** --------------------------------------------- This document describes the security content of iOS 10.1.1. --------------------------------------------- https://support.apple.com/en-us/HT207287 *** Vulnerabilities in InfraPower PPS-02-S Q213V1 *** --------------------------------------------- *** InfraPower PPS-02-S Q213V1 Cross-Site Request Forgery *** http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5375.php --------------------------------------------- *** InfraPower PPS-02-S Q213V1 Authentication Bypass Vulnerability *** http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5374.php --------------------------------------------- *** InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass *** http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5373.php --------------------------------------------- *** InfraPower PPS-02-S Q213V1 Unauthenticated Remote Root Command Execution *** http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5372.php --------------------------------------------- *** InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access *** http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5371.php --------------------------------------------- *** InfraPower PPS-02-S Q213V1 Local File Disclosure Vulnerability *** http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5370.php --------------------------------------------- *** InfraPower PPS-02-S Q213V1 Multiple XSS Vulnerabilities *** http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5369.php --------------------------------------------- Next End-of-Shift report: 2016-11-02

1 0

Tageszusammenfassung - Freitag 28-10-2016
by Daily end-of-shift report 28 Oct '16

28 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 27-10-2016 18:00 − Freitag 28-10-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Vuln: HP Business Service Management CVE-2016-4392 Cross Site Scripting Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/93933 *** MS16-128 - Critical: Security Update for Adobe Flash Player (3201860) - Version: 1.0 *** https://technet.microsoft.com/en-us/library/security/MS16-128 *** Vuln: Python urllib3 CVE-2016-9015 TLS Certificate Validation Security Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/93941 *** Vuln: Apache Tomcat Security Manager CVE-2016-6796 Security Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/93944 *** iTunes 12.5.2 for Windows *** --------------------------------------------- https://support.apple.com/kb/HT207274 *** iPrint Appliance 2.1 Patch 1 *** --------------------------------------------- https://download.novell.com/Download?buildid=AmZsfGf_NQ4~ *** Malvertising *** --------------------------------------------- Unsere Kollegen vom niederländischen NCSC haben eben ihr "Cyber Security Assessment Netherlands 2016" auch auf Englisch veröffentlicht. Da steckt viel Arbeit .. --------------------------------------------- http://www.cert.at/services/blog/20161028083404-1815.html *** Researchers tag new brace of bugs in NTP, but theyre fixable *** --------------------------------------------- However, because these are protocol vulnerabilities, the researchers fixing NTP is more important. They propose replacing the current model with one that uses more .. --------------------------------------------- http://www.theregister.co.uk/2016/10/28/researchers_tag_new_brace_of_bugs_i… *** Honeywell Experion PKS Improper Input Validation Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a denial-of-service condition caused by an improper input validation vulnerability in Honeywell’s Experion Process Knowledge System platform. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-301-01 *** Bugtraq: [security bulletin] HPSBMU03653 rev.1 - HPE System Management Homepage (SMH), Remote Arbitrary Code Execution, Cross-Site Scripting (XSS), Denial of Service (DoS), Unauthorized Disclosure of Information *** --------------------------------------------- http://www.securityfocus.com/archive/1/539646 *** Bugtraq: [security bulletin] HPSBHF3549 ThinkPwn UEFI BIOS SmmRuntime Escalation of Privilege *** --------------------------------------------- http://www.securityfocus.com/archive/1/539645 *** Der Bot im Babyfon *** --------------------------------------------- In ein Heimnetzwerk integrierte IoT-Geräte bauen oftmals selbstständig eine Verbindung zum Internet auf, indem sie den Router des Nutzers per UPnP (Universal Plug and Play) so konfigurieren, dass eine Portweiterleitung .. --------------------------------------------- https://www.bsi-fuer-buerger.de/BSIFB/DE/Service/Aktuell/Informationen/Arti… *** Researchers expose Mirai vuln that could be used to hack back against botnet *** --------------------------------------------- Exploit can halt attacks from IoT devices Security researchers have discovered flaws in the Mirai .. --------------------------------------------- www.theregister.co.uk/2016/10/28/mirai_botnet_hack_back/

1 0

Tageszusammenfassung - Donnerstag 27-10-2016
by Daily end-of-shift report 27 Oct '16

27 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 25-10-2016 18:00 − Donnerstag 27-10-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Asterisk users need to patch DoS bug *** --------------------------------------------- Overlap dialling lets attacker shut down system Asterisk users need to get busy with a patch. --------------------------------------------- www.theregister.co.uk/2016/10/25/asterisk_patch_dos_bug/ *** Denial of Service Vulnerability in Citrix License Server *** --------------------------------------------- A vulnerability has been identified in the Citrix License Server for Windows and Citrix License Server VPX that could allow a remote .. --------------------------------------------- https://support.citrix.com/article/CTX217430 *** Multiple Security Vulnerabilities in Citrix NetScaler Platform IPMI Lights Out Management (LOM) firmware *** --------------------------------------------- https://support.citrix.com/article/CTX216642 *** Memory Permission Weakness in Citrix XenApp and XenDesktop *** --------------------------------------------- https://support.citrix.com/article/CTX215460 *** Security Advisory - PXN Defense Mechanism Failure Vulnerability in Huawei Mobile Phones *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161026-… *** VMSA-2016-0017 *** --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2016-0017.html *** Security Advisory - Two Information Leak Vulnerabilities in ION Memory Management Module of Huawei Smart Phone *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161026-… *** Cisco Identity Services Engine SQL Injection Vulnerability *** --------------------------------------------- A vulnerability in the web framework code of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Siemens SICAM RTU Devices Denial-of-Service Vulnerability *** --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-299-01 *** Bundeskriminalamt gibt Tipps zum Schutz mobiler Geräte *** --------------------------------------------- http://derstandard.at/2000046518819 *** Security updates available for Adobe Flash Player (APSB16-36) *** --------------------------------------------- A Security Bulletin (APSB16-36) has been published regarding security updates for Adobe Flash Player. These updates address a critical vulnerability, and Adobe .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1416 *** Vulnerability in Linux Kernel Affecting Cisco Products: October 2016 *** --------------------------------------------- On October 19, 2016, a new vulnerability related to a race condition in the memory manager of the Linux Kernel was disclosed. This vulnerability could allow .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Installer of 7-Zip for Windows may insecurely load Dynamic Link Libraries *** --------------------------------------------- http://jvn.jp/en/jp/JVN76780067/ *** Cisco Email Security Appliance Malformed DGN File Attachment Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Prime Collaboration Provisioning Cross-Site Scripting Vulnerability *** --------------------------------------------- Multiple vulnerabilities in the web framework code of the Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to conduct a .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco IP Interoperability and Collaboration System Cross-Site Scripting Vulnerability *** --------------------------------------------- A vulnerability in the web framework code of the Cisco IP Interoperability and Collaboration System (IPICS) could allow an unauthenticated, .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Email and Web Security Appliance JAR Advanced Malware Protection DoS Vulnerability *** --------------------------------------------- A vulnerability in Advanced Malware Protection (AMP) for Cisco Email Security Appliances (ESA) and Web Security Appliances (WSA) could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Email Security Appliance FTP Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in local FTP to the Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) condition when the FTP application unexpectedly quits.The .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Email Security Appliance Drop Bypass Vulnerability *** --------------------------------------------- A vulnerability in the configured security policies, including drop email filtering, in Cisco AsyncOS for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass a configured drop filter by .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Email Security Appliance Corrupted Attachment Fields Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Email Security Appliance Advanced Malware Protection Attachment Scanning Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the email attachment scanning functionality of the Advanced Malware Protection .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Remote Code Execution Vulnerabilities Plague LibTIFF Library *** --------------------------------------------- Three vulnerabilities, all which can lead to remote code execution, exist in the LibTIFF library. --------------------------------------------- http://threatpost.com/remote-code-execution-vulnerabilities-plague-libtiff-… *** Tripal BLAST UI - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-054 *** --------------------------------------------- This module enables you to run NCBI BLAST jobs on the host system.The module doesnt sufficiently validate advanced options available to users submitting BLAST jobs, thereby exposing the ability to enter a short snippet of shell code that will be .. --------------------------------------------- https://www.drupal.org/node/2822366 *** Office 2013 can now block macros to help prevent infection *** --------------------------------------------- In response to the growing trend of macro-based threats, a new feature in Office 2016 allows an enterprise administrator to block users from running macros .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/10/26/office-2013-can-now-blo… *** Joomla! squashes critical privileged account creation holes *** --------------------------------------------- Borked two factor authentication also fixed Joomla! has revealed its patched twin critical flaws allowing attackers to bypass rules and create elevated privilege accounts. --------------------------------------------- www.theregister.co.uk/2016/10/27/joomla_squashes_critical_privileged_accoun… *** Three LibTIFF bugs found, only two patched *** --------------------------------------------- Buffer overruns, remote code execution, you know the drill LibTIFF has three bugs that let booby-trapped files pwn a target - and only two of them have been patched. --------------------------------------------- www.theregister.co.uk/2016/10/27/three_libtiff_bugs_found_only_two_patched/ *** Inside the Gootkit C&C server *** --------------------------------------------- In September 2016, we discovered a new version of Gootkit with a characteristic and instantly recognizable feature: an extra check of the environment .. --------------------------------------------- http://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/ *** Citrix XenServer Security Update for CVE-2016-7777 *** --------------------------------------------- A security vulnerability has been identified in Citrix XenServer that may allow malicious user code within an HVM guest VM to read or modify the contents of .. --------------------------------------------- https://support.citrix.com/article/CTX217363 *** IBM Security Bulletin: WebSphere Message Broker and IBM Integration Bus are affected by Open Source Tomcat vulnerability (CVE-2016-3092) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21993043 *** Are the Days of “Booter” Services Numbered? *** --------------------------------------------- It may soon become easier for Internet service providers to anticipate and block certain types of online assaults launched by Web-based attack-for-hire services known as "booter" or "stresser" services, new research released today suggests. --------------------------------------------- https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbere…

1 0

Tageszusammenfassung - Dienstag 25-10-2016
by Daily end-of-shift report 25 Oct '16

25 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 24-10-2016 18:00 − Dienstag 25-10-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** iOS 10.1 *** --------------------------------------------- https://support.apple.com/kb/HT207271 *** IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers *** --------------------------------------------- A Chinese electronics firm pegged by experts as responsible for making many of the components leveraged in last weeks massive attack that disrupted Twitter and .. --------------------------------------------- https://krebsonsecurity.com/2016/10/iot-device-maker-vows-product-recall-le… *** Locky Ransomwares new .SHIT Extension shows that you cant Polish a Turd *** --------------------------------------------- To further show how ransomware is such a pile of crap, a new version of Locky has been released that appends the .shit extension on encrypted files. Like previous .. --------------------------------------------- http://www.bleepingcomputer.com/news/security/locky-ransomwares-new-shit-ex… *** DSA-3698 php5 - security update *** --------------------------------------------- Several vulnerabilities were found in PHP, a general-purpose scriptinglanguage commonly used for web application development. --------------------------------------------- https://www.debian.org/security/2016/dsa-3698 *** Critical Patch Update - October 2016 *** --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html *** Kryptologe Hellman: NSA propagiert mittlerweile Verschlüsselung *** --------------------------------------------- Daten verlässlich zu verschlüsseln auch für Sicherheit von Staaten wichtig – Zusammensetzen sicherer Komponenten macht außerdem noch lange kein sicheres System --------------------------------------------- http://derstandard.at/2000046466661 *** Wosign und Startcom: Mozilla veröffentlicht Details des TLS-Rauswurfs *** --------------------------------------------- Mozillas Firefox-Browser wird keine TLS-Zertifikate der beiden skandalträchtigen Certificate Authorities mehr akzeptieren. Wie dies genau umgesetzt wird, hat die Stiftung nun erläutert. --------------------------------------------- http://www.golem.de/news/wosign-und-startcom-mozilla-veroeffentlicht-detail… *** Certificate Transparency: Betrug mit TLS-Zertifikaten wird fast unmöglich *** --------------------------------------------- Alle TLS-Zertifizierungsstellen müssen ab nächstem Herbst ihre Zertifikate vor der Ausstellung in ein öffentliches Log eintragen. Mittels Certificate Transparency kann Fehlverhalten bei der Zertifikatsausstellung leichter entdeckt werden - das TLS-Zertifikatssystem insgesamt wird vertrauenswürdiger. --------------------------------------------- http://www.golem.de/news/certificate-transparency-betrug-mit-tsl-zertifikat… *** [20161002] - Core - Elevated Privileges *** --------------------------------------------- Incorrect use of unfiltered data allows for users to register on a site with elevated privileges. Affected Installs Joomla! CMS versions 3.4.4 through 3.6.3 Solution Upgrade to .. --------------------------------------------- https://developer.joomla.org/security-centre/660-20161002-core-elevated-pri… *** [20161001] - Core - Account Creation *** --------------------------------------------- Inadequate checks allows for users to register on a site when registration has been disabled. Affected Installs Joomla! CMS versions 3.4.4 .. --------------------------------------------- https://developer.joomla.org/security-centre/659-20161001-core-account-crea… *** BSI: Deutschland soll vernetzte Geräte besser schützen *** --------------------------------------------- Nach einem Angriff auf die Internet-Infrastruktur hat das Bundesamt für Sicherheit in der Informationstechnik (BSI) höhere Sicherheitsstandards verlangt. --------------------------------------------- https://futurezone.at/netzpolitik/bsi-deutschland-soll-vernetzte-geraete-be… *** Vulnerabilities in Slack could have led to account hijacking *** --------------------------------------------- Persistence pays off as security researcher nets bug bounty for unearthing an access control bypass allowing attackers to reset passwords if they know the usernames. --------------------------------------------- http://www.scmagazine.com/vulnerabilities-in-slack-could-have-led-to-accoun… *** task_t considered harmful *** --------------------------------------------- Posted by Ian Beer, Project ZeroThis post discusses a design issue at the core of the XNU kernel which powers iOS and MacOS. Apple have shipped two iterations of mitigations followed yesterday by a large refactor in MacOS 10.12.1/iOS .. --------------------------------------------- http://googleprojectzero.blogspot.com/2016/10/posted-by-ian-beer-project-ze… Aufgrund des Feiertages am morgigen Mittwoch, den 26.10.2016, erscheint der nächste End-of-Shift Report erst am 27.10.2016.

1 0

Tageszusammenfassung - Montag 24-10-2016
by Daily end-of-shift report 24 Oct '16

24 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 21-10-2016 18:00 − Montag 24-10-2016 18:00 Handler: Alexander Riepl Co-Handler: n/a *** In a BIND: Third parties distributed outdated, vulnerable ISC Domain Name System software *** --------------------------------------------- The Internet Systems Consortium issued an advisory on Wednesday, warning that some third parties are distributing versions of ISCs BIND software that contain a high-severity vulnerability, which if exploited can trigger an assertion failure. --------------------------------------------- http://www.scmagazine.com/in-a-bind-third-parties-distributed-outdated-vuln… *** Credentials Stealer on Prestashop *** --------------------------------------------- In a matter of hours, a big e-commerce website can have hundreds of credit card numbers stolen and used by attackers on other websites around the world. We commonly see ecommerce websites infected with credit card (CC) .. --------------------------------------------- https://blog.sucuri.net/2016/10/credentials-stealer-prestashop.html *** Hacked Cameras, DVRs Powered Today’s Massive Internet Outage *** --------------------------------------------- A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites was launched with the help of hacked "Internet of Things" (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests. --------------------------------------------- https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-mass… *** Beware of Hicurdismos: It’s a fake Microsoft Security Essentials installer that can lead to a support call scam *** --------------------------------------------- Wouldn’t it be a shame if, in trying to secure your PC, you inadvertently install malware and run the risk of being scammed? We recently discovered a threat .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/10/21/beware-of-hicurdismos-i… *** DSA-3697 kdepimlibs - security update *** --------------------------------------------- Roland Tapken discovered that insufficient input sanitising in KMailsplain text viewer allowed the injection of HTML code. --------------------------------------------- https://www.debian.org/security/2016/dsa-3697 *** Policy Analyzer v3.1 PRE-RELEASE *** --------------------------------------------- Lots of updates to Policy Analyzer in this unsigned, pre-release preview build — please post comments here to let me know how well it addresses your needs and what .. --------------------------------------------- https://blogs.technet.microsoft.com/secguide/2016/10/22/policy-analyzer-v3-… *** Sicherere Pornos: "https" soll Nutzer schützen *** --------------------------------------------- Sicherheitsprotokoll schützt Privatsphäre – soll außerdem vor potenzielle Leaks verhindern --------------------------------------------- http://derstandard.at/2000046090383 *** "Dirty Cow": Warnung vor "ekliger" Linux-Lücke *** --------------------------------------------- Fehler erlaubt es Nutzern im Linux-Kernel Dateien zu überschreiben, für die sie Leserechte haben --------------------------------------------- http://derstandard.at/2000046330107 *** FBI: Russe soll LinkedIn und Dropbox gehackt haben *** --------------------------------------------- Der russische Staatsbürger wurde in Tschechien festgenommen --------------------------------------------- http://derstandard.at/2000046330952 *** Request for Packets TCP 4786 - CVE-2016-6385, (Sat, Oct 22nd) *** --------------------------------------------- We have received information about potential active reconnaissance for TCP 4786 which might be related to CVE-2016-6385 (Cisco IOS and IOS XE Software Smart Install Memory Leak Vulnerability) an advisory released 28 Sep 2016. This .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21625 *** Mirai-Botnetz: Dyn bestätigt Angriff von zig-Millionen IP-Adressen *** --------------------------------------------- Der Internet-Dienstleister Dyn hat erste Details zur schweren DDoS-Attacke vom vergangenen Freitag genannt. Demnach gab es drei Angriffswellen von unterschiedlichem Ausmaß. --------------------------------------------- http://www.golem.de/news/mirai-botnetz-dyndns-bestaetigt-angriff-von-zig-mi… *** Hohe Phishing-Quote: So einfach ließen sich US-Politiker hacken *** --------------------------------------------- Die Veröffentlichungen von Wikileaks bringen die US-Politik in Schwierigkeiten. Die Hacks machen deutlich, welche Gefahren durch die Nutzung populärer E-Mail-Dienste wie Gmail entstehen. --------------------------------------------- http://www.golem.de/news/hohe-phishing-quote-so-einfach-liessen-sich-us-pol… *** Mozilla plots TLS 1.3 future for Firefox *** --------------------------------------------- Quicker handshake starts encrypting data sooner Mozilla has decided it needs to lift its HTTPS game, and will default to TLS 1.3 in next years Firefox 52.… --------------------------------------------- www.theregister.co.uk/2016/10/23/mozilla_plots_tls_13_future_for_firefox/ *** DDoS für 7.500 US-Dollar: Hacker verkaufen Zugang zu IoT-Botnetz im Darknet *** --------------------------------------------- Der Zugang zum IoT-Botnetz Mirai setzt neuerdings keine technischen Kenntnisse mehr voraus, sondern nur genügend Finanzmittel - 7.500 US-Dollar. Außerdem bestätigte ein chinesischer Hersteller, dass seine Geräte Teil des .. --------------------------------------------- http://www.golem.de/news/ddos-fuer-7-500-us-dollar-hacker-verkaufen-zugang-… *** Gefälschte Verbund-Rechnung verschlüsselt Dateien *** --------------------------------------------- Kriminelle versenden gefälschte Verbund-Rechnungen per E-Mail. Darin fordern sie Empfänger/innen auf, dass diese eine Website öffnen. Sie imitiert den Internetauftritt der .. --------------------------------------------- https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-verbun… *** Drammer: Rowhammer bringt zuverlässig Root-Zugriff auf Android *** --------------------------------------------- Mit forcierten Bitflips im Arbeitsspeicher lassen sich leicht Root-Rechte auf Systemen erlangen. Forscher zeigen, dass dies auch zuverlässig auf Android-Telefonen .. --------------------------------------------- http://www.golem.de/news/drammer-rowhammer-bringt-zuverlaessig-root-zugriff… *** Trick Bot – Dyreza’s successor *** --------------------------------------------- Recently, our analyst Jérôme Segura captured an interesting payload in the wild. It turned out to be a new bot, that, at the moment of the analysis, hadnt been described .. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-suc… *** From There to Here (But Not Back Again) *** --------------------------------------------- Red Hat Product Security recently celebrated our 15th anniversary this summer and while I cannot claim to have been with Red Hat for that long (although I’m coming up .. --------------------------------------------- https://access.redhat.com/blogs/766093/posts/2712261 *** Analyzing Rig *** --------------------------------------------- I recently Googled for a sleeping accommodation in "The Ardennes", a region of extensive forests in Southern Belgium. It wasnt surprised that by clicking on the fourth .. --------------------------------------------- https://www.uperesia.com/analyzing-rig-exploit-kit

1 0

Tageszusammenfassung - Freitag 21-10-2016
by Daily end-of-shift report 21 Oct '16

21 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 20-10-2016 18:00 − Freitag 21-10-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** iCloud Phishing Campaign Zycode Back From the Dead *** --------------------------------------------- http://threatpost.com/icloud-phishing-campaign-zycode-back-from-the-dead/12… *** EMC Avamar Data Store and Virtual Edition Unspecified Flaw Lets Remote Authenticated Users Gain Elevated Privileges *** --------------------------------------------- http://www.securitytracker.com/id/1037066 *** Hack.lu 2016 Wrap-Up Day #3 *** --------------------------------------------- The third day is already over! I’m just back at home so it’s time for a last quick wrap-up before recovering before BruCON which is organized next week! Damien .. --------------------------------------------- https://blog.rootshell.be/2016/10/20/hack-lu-2016-wrap-day-3/ *** Oracle Critical Patch Update Advisory - October 2016 *** --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html *** Moxa EDR-810 Industrial Secure Router Privilege Escalation Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a privilege escalation vulnerability in Moxa’s EDR-810 Industrial Secure Router. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-294-01 *** “Most serious” Linux privilege-escalation bug ever is under active exploit (updated) *** --------------------------------------------- While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation .. http://arstechnica.com/security/2016/10/most-serious-linux-privilege-escala… *** CVE-2016-2848: A packet with malformed options can trigger an assertion failure in ISC BIND versions released prior to May 2013 *** --------------------------------------------- A packet with a malformed options section can be used to deliberately trigger an assertion .. --------------------------------------------- https://kb.isc.org/article/AA-01433/74/CVE-2016-2848 *** Nagios XI 5.2.9 Cross Site Scripting / Open Redirect *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2016100203 *** Doctor Web examines new backdoor for Linux *** --------------------------------------------- October 20, 2016 Most backdoor Trojans are created for Microsoft Windows; however, a few of them can infect Linux devices. This rare type of Trojan .. --------------------------------------------- http://news.drweb.com/show/?i=10265&lng=en&c=9 *** Vuln: Multiple Synology DiskStation Products CVE-2016-6554 Insecure Default Password Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/93805 *** Warnung vor gefälschter BAWAG PSK-Phishingmail *** --------------------------------------------- In einer gefälschten BAWAG PSK-Nachricht behaupten Kriminelle, dass es „einer dringenden .. --------------------------------------------- https://www.watchlist-internet.at/phishing/warnung-vor-gefaelschter-bawag-p… *** Dridex - an old dog is learning new tricks *** --------------------------------------------- A lot of things have been said and written about Dridex in the past few months. It has risen and fallen in prevalence and it was rumored that its makers collaborate .. --------------------------------------------- https://blog.gdatasoftware.com/2016/10/29261-dridex-an-old-dog-is-learning-… *** New ESET research paper puts Sednit under the microscope *** --------------------------------------------- Security researchers at ESET have released their latest research into the notorious Sednit .. --------------------------------------------- http://www.welivesecurity.com/2016/10/20/new-eset-research-paper-puts-sedni… *** SSA-296574 (Last Update 2016-10-21): Denial of Service in SICAM RTU Devices *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-296574… *** Hax0rs sow Discord by using VoIP service to sling malware at gamers *** --------------------------------------------- Not even playtimes safe these days Hackers abused a free VoIP service for gamers to distribute remote-access Trojans and other malware. --------------------------------------------- www.theregister.co.uk/2016/10/21/gaming_voip_service_malware_abuse/ *** DDoS on Dyn Impacts Twitter, Spotify, Reddit *** --------------------------------------------- Criminals this morning massively attacked Dyn, a company that provides core Internet services .. --------------------------------------------- https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-red…

1 0

Tageszusammenfassung - Donnerstag 20-10-2016
by Daily end-of-shift report 20 Oct '16

20 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 19-10-2016 18:00 − Donnerstag 20-10-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Cisco ASA Software Local Certificate Authority Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the local Certificate Authority (CA) feature of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system.The vulnerability is due to improper handling of .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Firepower Detection Engine HTTP Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the detection engine reassembly of HTTP packets for Cisco Firepower System Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to the Snort process .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Meeting Server Information Disclosure Vulnerability *** --------------------------------------------- A vulnerability in Web Bridge for Cisco Meeting Server could allow an unauthenticated, remote attacker to retrieve memory from a connected server.The vulnerability is due to missing bounds checks in the Web Bridge functionality. An .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco Meeting Server Cross-Site Request Forgery Vulnerability *** --------------------------------------------- A vulnerability in Cisco Meeting Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco ASA Software Identity Firewall Feature Buffer Overflow Vulnerability *** --------------------------------------------- A vulnerability in the Identity Firewall feature of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. The vulnerability is due to a .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Adult FriendFinder Vulnerability Leaves Millions Exposed *** --------------------------------------------- Security experts are reporting popular adult website Adult FriendFinder has been compromised by hackers who have gained access to the sites backend servers. --------------------------------------------- http://threatpost.com/adult-friendfinder-vulnerability-leaves-millions-expo… *** The new .LNK between spam and Locky infection *** --------------------------------------------- Just when it seems the Ransom:Win32/Locky activity has slowed down, our continuous monitoring of the ransomware family reveals a new workaround that the authors .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/10/19/the-new-lnk-between-spa… *** Hack.lu 2016 Wrap-Up Day #2 *** --------------------------------------------- I'm just back from the second day of hack.lu. The day started early with Patrice Auffret about Metabrik! Patrice is a Perl addict and developed lot of CPAN .. --------------------------------------------- https://blog.rootshell.be/2016/10/20/hack-lu-2016-wrap-day-2/ *** Researchers Bypass ASLR Protection On Intel Haswell CPUs *** --------------------------------------------- An anonymous reader writes: "A team of scientists from two U.S. universities has devised .. --------------------------------------------- https://news.slashdot.org/story/16/10/19/2358209/researchers-bypass-aslr-pr… *** OWASP ModSecurity CRS Version 3.0 RC2 Released *** --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/OWASP-ModSecurity-CRS-Versio… *** Novell: Storage Manager for eDirectory 5.0.0 *** --------------------------------------------- https://download.novell.com/Download?buildid=4x6-1FswplA~ *** Security research tool had security problem *** --------------------------------------------- Plugin for popular disassembler OllyDGB allowed man-in-the-middle diddle Security .. --------------------------------------------- www.theregister.co.uk/2016/10/20/ollydgb_vulnerability/ *** Can I spam from here: An Unusually Clever Spambot Tests Blacklists *** --------------------------------------------- Unit 42 researchers recently observed an unusually clever spambot's attempts to increase delivery efficacy by abusing reputation blacklist service .. --------------------------------------------- http://researchcenter.paloaltonetworks.com/2016/10/unit42-can-i-spam-from-h… *** Bugtraq: [security bulletin] HPSBGN03663 rev.1 - HPE ArcSight WINC Connector, Remote Code Execution *** --------------------------------------------- http://www.securityfocus.com/archive/1/539609 *** Skyping and Typing the Latest Threat to Privacy *** --------------------------------------------- Typing while using Skype or over other Voice over Internet Protocol (VoIP) services presents an opportunity for an attacker to record the conversation, separate .. --------------------------------------------- https://threatpost.com/skyping-and-typing-the-latest-threat-to-privacy/1213… *** The Kings In Your Castle Part #1 *** --------------------------------------------- In March 2016 I presented together with Raphael Vinot at this year�s Troopers conference in Heidelberg. The talk treated research of targeted malware, .. --------------------------------------------- https://cyber.wtf/2016/10/12/the-kings-in-your-castle-all-the-lame-threats-… *** Palo Alto PAN-OS Input Validation Flaw in Monitor Tab Lets Remote Authenticated Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1037063

1 0

Tageszusammenfassung - Mittwoch 19-10-2016
by Daily end-of-shift report 19 Oct '16

19 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 18-10-2016 18:00 − Mittwoch 19-10-2016 18:00 Handler: Robert Waldner Co-Handler: n/a *** Is it worth reporting ransomware? *** --------------------------------------------- Answer: yes. Police forces badly need more people to tell them about attacks. --------------------------------------------- https://nakedsecurity.sophos.com/2016/10/18/is-it-worth-reporting-ransomwar… *** Security Advisory: PHP vulnerability CVE-2015-8935 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/63/sol63712424.html?… *** PHP Buffer Overflow in php_pcre_replace_impl() Lets Remote Users Execute Arbitrary Code *** --------------------------------------------- A remote user can supply specially crafted data that, when processed by the target application, will trigger a heap overflow in php_pcre_replace_impl() in the PCRE component and execute arbitrary code on the target system. ... [Editor's note: The vendor indicates that these other memory errors require strings on the order of 2GB to exploit and that memory_limit and max_input_size values on the target system should prevent exploitation.] --------------------------------------------- http://www.securitytracker.com/id/1037033 *** Security Advisory: TIFF vulnerability CVE-2015-7554 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/38/sol38871451.html?… *** IDM 4.5 Midrange BiDirectional Driver 4.5 *** --------------------------------------------- https://download.novell.com/Download?buildid=sQgqe1Stbog~ *** Hack.lu 2016 Wrap-Up Day #1 *** --------------------------------------------- I'm back to Luxembourg for a new edition of hack.lu. In fact, I arrived yesterday afternoon to attend the MISP summit. It was a good opportunity to meet MISP users and to get fresh news about the project. --------------------------------------------- https://blog.rootshell.be/2016/10/18/hack-lu-2016-wrap-day-1/ *** Oracle Java SE Multiple Flaws Let Remote Users Access Data, Partially Modify Data, and Gain Elevated Privileges *** --------------------------------------------- Version(s): 6u121, 7u111, 8u102; Java SE Embedded: 8u101 Description: Multiple vulnerabilities were reported in Oracle Java SE. A remote user can access data on the target system. A remote user can modify data on the target system. A remote user can gain elevated privileges. --------------------------------------------- http://www.securitytracker.com/id/1037040 *** Oracle Database Multiple Flaws Let Remote and Local Users Access and Modify Data and Gain Elevated Privileges and Let Local Users Deny Service *** --------------------------------------------- Version(s): 11.2.0.4, 12.1.0.2 Description: Multiple vulnerabilities were reported in Oracle Database. A remote and local user can access data on the target system. A remote user can modify data on the target system. A local user can cause denial of service conditions on the target system. A local user can obtain elevated privileges on the target system. A remote authenticated user can gain elevated privileges. --------------------------------------------- http://www.securitytracker.com/id/1037035 *** Vuln: Oracle Fusion Middleware CVE-2016-5531 Remote Security Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/93730 *** MySQL Multiple Bugs Let Remote Users Access and Modify Data, Remote and Local Users Deny Service, and Local Users Modify Data and Gain Elevated Privileges *** --------------------------------------------- http://www.securitytracker.com/id/1037050 *** Solaris Multiple Bugs Let Remote and Local Users Access Data and Deny Service and Let Local Users Modify Data and Deny Service *** --------------------------------------------- Version(s): 10, 11.3 Description: Multiple vulnerabilities were reported in Solaris. A remote or local user can access data on the target system. A remote or local user can cause denial of service conditions on the target system. A local user can modify data on the target system. A local user can obtain elevated privileges on the target system. --------------------------------------------- http://www.securitytracker.com/id/1037048 *** Installer of Evernote for Windows may insecurely load Dynamic Link Libraries *** --------------------------------------------- http://jvn.jp/en/jp/JVN03251132/ *** Schneider Electric PowerLogic PM8ECC Hard-coded Password Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a hard-coded password vulnerability in Schneider Electric's PowerLogic PM8ECC device. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-292-01 *** Cisco Talos: Vulnerability Spotlight: Foxit PDF Reader JBIG2 Parser Information Disclosure *** --------------------------------------------- Talos has identified an information disclosure vulnerability in Foxit PDF Reader (TALOS-2016-0201/CVE-2016-8334). A wrongly bounded call to `memcpy`, while parsing jbig2 segments within a PDF file, can be triggered in Foxit PDF Reader causing an out-of-bounds heap memory to be read into a buffer. --------------------------------------------- http://blog.talosintel.com/2016/10/foxit-pdf-jbig2.html *** CAIDA: Spoofer *** --------------------------------------------- We have developed and support a new client-server system for Windows, MacOS, and UNIX-like systems that periodically tests a networks ability to both send and receive packets with forged source IP addresses (spoofed packets). We are (in the process of) producing reports and visualizations that will inform operators, response teams, and policy analysts. --------------------------------------------- https://www.caida.org/projects/spoofer/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Cloud Orchestrator, HTTP Server and bundling products shipped with Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2015-1788) *** http://www.ibm.com/support/docview.wss?uid=swg2C1000137 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK for Node.js in IBM Bluemix *** http://www.ibm.com/support/docview.wss?uid=swg21992427 --------------------------------------------- *** IBM Security Bulletin: IBM TRIRIGA Application Platform Reflected Cross-Site Scripting (XSS) (CVE-2016-5980) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991992 --------------------------------------------- *** IBM Security Bulletin: Apache Commons FileUpload Vulnerability affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2016-3092 *** http://www.ibm.com/support/docview.wss?uid=swg21992457 --------------------------------------------- *** IBM Security Bulletin: Information disclosure vulnerability in IBM Websphere Application Server and IBM Websphere Application Server Liberty affects IBM BigFix Remote Control (CVE-2016-5986) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991987 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in PCRE affects IBM Tivoli Network Manager IP Edition (CVE-2016-1283) *** http://www.ibm.com/support/docview.wss?uid=swg21991978 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 18-10-2016
by Daily end-of-shift report 18 Oct '16

18 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 17-10-2016 18:00 − Dienstag 18-10-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Security baseline for Windows 10 v1607 (“Anniversary edition”) and Windows Server 2016 *** --------------------------------------------- Microsoft is pleased to announce the release of the security configuration baseline settings for Windows 10 version 1607, also known as “Anniversary edition” .. --------------------------------------------- https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-f… *** New-looking Sundown EK drops Smoke Loader, Kronos banker *** --------------------------------------------- In this post we take a quick glance at some changes made to the Sundown exploit kit. The landing page has been tweaked and uses various obfuscation techniques. Sundown is used in some smaller campaigns and in this particular case .. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-e… *** Magento Credit Card Swiper Exports to Image *** --------------------------------------------- Over the past year we have seen a rash of credit card swipers in Magento and other ecommerce-based websites. In fact, we have been finding new variants nearly every week. It is no surprise that ecommerce sites are .. --------------------------------------------- https://blog.sucuri.net/2016/10/magento-credit-card-swiper-exports-image.ht… *** ZDI-16-570: Novell NetIQ Sentinel Commons DiskFileItem Deserialization of Untrusted Data Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell NetIQ Sentinel. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-16-570/ *** Security Advisory - Hardcoded SSH Key Vulnerability in Some Huawei Storage Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161017-… *** Audit sees VeraCrypt kils critical password recovery, cipher flaws *** --------------------------------------------- Patches slung at 11 bad bugs Security researchers have found eight critical, three medium, and 15 low .. --------------------------------------------- www.theregister.co.uk/2016/10/18/veracrypt_audit/ *** iOS 10.0.3 *** --------------------------------------------- https://support.apple.com/en-us/HT207263 *** Hajime: Analysis of a decentralized internet worm for IoT devices [PDF] *** --------------------------------------------- Though worms which target IoT devices are not new, they are rising in prominence lately due to the generally wea k security such devices have. What makes Hajime .. --------------------------------------------- https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf *** Netzob: Reverse Engineering Communication Protocols *** --------------------------------------------- Netzob is an open source tool for reverse engineering, traffic generation and fuzzing of .. --------------------------------------------- https://www.netzob.org/ *** Halfway there! Firefox users now visit over 50% of pages via HTTPS *** --------------------------------------------- Mozilla telemetry shows sites using HTTPS for more secure browsing now outnumber plain old HTTP. --------------------------------------------- https://nakedsecurity.sophos.com/2016/10/18/halfway-there-firefox-users-now… *** Malware verkauft: 22-Jähriger muss in Deutschland vor Gericht *** --------------------------------------------- Ein 22-Jähriger soll in 4.000 Fällen Trojaner, Viren und andere Malware verkauft haben. Jetzt muss er sich dafür vor Gericht verantworten. -------------------------------------------- - https://futurezone.at/digital-life/malware-verkauft-22-jaehriger-muss-in-de…

1 0

Tageszusammenfassung - Montag 17-10-2016
by Daily end-of-shift report 17 Oct '16

17 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 14-10-2016 18:00 − Montag 17-10-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** pseudoDarkleech Rig EK *** --------------------------------------------- Since Monday 2016-10-03, the pseudoDarkleech campaign has been using Rig exploit kit (EK) to distribute Cerber ransomware." /> Shown above: An infection chain of events. Let" /> Shown above:" /> Shown above: UDP traffic seen .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21595 *** Sierra Wireless Mitigations Against Mirai Malware *** --------------------------------------------- NCCIC/ICS-CERT received a technical bulletin from the Sierra Wireless company, outlining mitigations to secure Airlink Cellular Gateway devices affected by (or at risk of) the “Mirai” malware. While the Sierra Wireless .. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-286-01 *** Vuln: Magento CMS Multiple Cross-Site Request Forgery Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/93576 *** Vuln: Magento CMS Flash File Uploader Cross Site Scripting Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/93575 *** Vuln: PHP password_verify() Function Out-of-Bounds Read Denial of Service Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/93578 *** Maldoc VBA Anti-Analysis *** --------------------------------------------- I was asked for help with the analysis of sample 7c9505f2c041ba588bed854258344c43. Turns out this malicious Word document has some anti-analysis tricks (here is an older diary entry with other anti-analysis tricks). Here is the analysis with oledump.py: Stream 8 contains VBA .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21599 *** Symantec observed a surge of spam emails using malicious WSF files *** --------------------------------------------- Symantec observed a significant increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments. Experts from Symantec are observing a significant increase in the number of email-based .. --------------------------------------------- http://securityaffairs.co/wordpress/52341/cyber-crime/spam-wsf-files.html *** Analyzing Office Maldocs With Decoder.xls, (Sun, Oct 16th) *** --------------------------------------------- In my last diary entry, I show how to decode VBA maldoc strings with Excel. A similar technique can be used to decode a payload (like shellcode). I explain .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21601 *** Outlook-on-Android alternative Nine leaked Exchange Server creds *** --------------------------------------------- Patches slung to fix popular third-party email app Staff logging into Exchange Server through a popular app could have placed their enterprise credentials at risk through a since-closed vulnerability. --------------------------------------------- www.theregister.co.uk/2016/10/17/outlook_app_slapped_in_maninthemiddle_didd… *** VMSA-2016-0016 *** --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2016-0016.html *** IBM Security Bulletin:Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director (CVE-2016-0264, CVE-2016-3426) *** --------------------------------------------- There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version .. --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1024427 *** No More Ransom adds law enforcement partners from 13 new countries *** --------------------------------------------- Intel Security and Kaspersky Labs today announced that 13 law enforcement agencies have joined No More Ransom, a partnership between cybersecurity industry and law enforcement organizations to provide ransomware victims education and decryption tools through www.nomoreransom.org. Intel .. --------------------------------------------- https://blogs.mcafee.com/mcafee-labs/no-ransom-adds-law-enforcement-partner…

1 0

Tageszusammenfassung - Freitag 14-10-2016
by Daily end-of-shift report 14 Oct '16

14 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 13-10-2016 18:00 − Freitag 14-10-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Gezinkte Primzahlen ermöglichen Hintertüren in Verschlüsselung *** --------------------------------------------- Ein Forscherteam hat aufgezeigt, dass man durch geschickte Konstruktion einer Primzahl eine Hintertür in Verschlüsselungsverfahren einbauen kann. Nicht auszuschließen, dass dies bei etablierten Verfahren längst passiert ist. --------------------------------------------- https://heise.de/-3347585 *** Security through Confusion – The FUD Factor *** --------------------------------------------- The FUD factor has been employed by sales and marketing teams from multiple industries for decades. It stands for fear, uncertainty and doubt (FUD) and first appeared in the 70’s as a tactic used by competitors in the computer .. --------------------------------------------- https://blog.sucuri.net/2016/10/security-confusion-fud-factor.html *** Cyber Europe 2016: the pan-European exercise to protect EU Infrastructures against coordinated cyber-attack *** --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/cyber-europe-2016 *** Floating Down .Stream (Shady TLD Research, Part 17) *** --------------------------------------------- The end of September means the leaves are starting to change -- and our quarterly Top Ten list of the shadiest TLDs is changing as well, with three newcomers since last time .. --------------------------------------------- https://www.bluecoat.com/security-blog/2016-10-13/floating-down-stream-shad… *** OSIsoft PI Web API 2015 R2 Service Account Permissions Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a permissions vulnerability in OSIsoft’s PI Web API. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-287-01 *** Siemens Automation License Manager Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for vulnerabilities in Siemen’s Automation License Manager (ALM). --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-287-02 *** Rockwell Automation Stratix Denial-of-Service and Memory Leak Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for vulnerabilities contained in Rockwell Automation’s Allen-Bradley Stratix industrial switches. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-287-04 *** Moxa ioLogik E1200 Series Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for vulnerabilities in Moxas ioLogik E1200 series application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-287-05 *** Fatek Automation Designer Memory Corruption Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for a heap memory corruption and two stack buffer overflow vulnerabilities in Fatek’s Automation PM and FV Designer applications. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-287-06 *** Kabona AB WDC Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for vulnerabilities in Kabona AB’s WebDatorCentral (WDC) application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-287-07 *** Pork Explosion flaw splatters Foxconns Android phones *** --------------------------------------------- Full compromise over USB bacon-ed in to smartmobes Security researcher John Sawyer says a limited backdoor has been found in some Foxconn-manufactured Android phones, allowing attackers to root phones they have in hand. --------------------------------------------- www.theregister.co.uk/2016/10/14/pork_explosion_foxconn_flaw/ *** LockyDump - All Your Configs Are Belong To Us *** --------------------------------------------- This post will discuss a new Locky configuration extractor that Talos is releasing, which we are naming LockyDump. This is the first open source tool which can dump .. --------------------------------------------- http://blog.talosintel.com/2016/10/lockydump.html *** Quickly audit and adjust SSH server configurations with SSH-audit *** --------------------------------------------- SSH-audit is a standalone open source tool for auditing and fixing SSH server configurations. It has no dependencies and will run wherever Python is available. It supports OpenSSH, Dropbear SSH and libssh, and reports on every detail of the tested SSH server, including detailed information about .. --------------------------------------------- https://www.helpnetsecurity.com/2016/10/14/ssh-audit-fix-ssh-server-configu… *** Magento-Updates: Checkout-Prozess als Einfallstor für Angreifer *** --------------------------------------------- Sicherheits-Patches für das Shop-System schließen mehrere Lücken. Zwei davon gelten als kritisch. --------------------------------------------- https://heise.de/-3350195 *** Apache OpenOffice 4.1.3 *** --------------------------------------------- Apache OpenOffice 4.1.3 ist ein Release zur Fehlerbeseitigung, welches Sicherheitsprobleme beseitigt, Wörterbücher aktualisiert und einige sonstige bekannte Fehler korrigiert. Allen Benutzern von Apache Openoffice 4.1.2 oder älteren Versionen wird empfohlen zu aktualisieren. --------------------------------------------- https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=65873798 *** SSHowDowN: Zwölf Jahre alter OpenSSH-Bug gefährdet unzählige IoT-Geräte *** --------------------------------------------- Akamai warnt davor, dass Kriminelle unvermindert Millionen IoT-Geräte für DDoS-Attacken kapern. Die dafür ausgenutzte Lücke ist älter als ein Jahrzehnt. Viele Geräte sollen sich nicht patchen lassen. --------------------------------------------- https://www.heise.de/newsticker/meldung/SSHowDowN-Zwoelf-Jahre-alter-OpenSS… *** Cyber-attacks Against Nuclear Plants: A Disconcerting Threat *** --------------------------------------------- Introduction A cyber-attack against critical infrastructure could cause the paralysis of critical operations with serious consequences for a country and its population. In a worst case scenario, a cyber-attack could affect processes that in .. --------------------------------------------- http://resources.infosecinstitute.com/cyber-attacks-against-nuclear-plants-… *** Wosign und Startcom: Mozilla macht Ernst mit dem Rauswurf *** --------------------------------------------- Mozilla hat auf der Entwicklermailingliste angekündigt, Zertifikaten von Wosign und Startcom mit der übernächsten Firefox Version 51 nicht mehr zu vertrauen. Die Version ist für den kommenden Januar geplant. --------------------------------------------- http://www.golem.de/news/wosign-und-startcom-mozilla-macht-ernst-mit-dem-ra… *** GlobalSign annulliert versehentlich Zertifikate von vielen Webseiten *** --------------------------------------------- Aktuell warnen einige Webbrowser davor, dass Verbindungen zu Webseiten wie etwa Wikipedia nicht mehr gesichert sind, da mit dem Zertifikat der Seite etwas nicht stimmt. --------------------------------------------- https://heise.de/-3350544 *** IT-Experten des Bundesheeres finden kritische Lücke in Microsoft Office *** --------------------------------------------- Analyse eines Cyberangriffs – Schwachstelle wurde 11. Oktober mit einem Update beseitigt --------------------------------------------- http://derstandard.at/2000045921807

1 0

Tageszusammenfassung - Donnerstag 13-10-2016
by Daily end-of-shift report 13 Oct '16

13 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 12-10-2016 18:00 − Donnerstag 13-10-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Gefälschte Finanzministerium-Phishingmail im Umlauf *** --------------------------------------------- In E-Mailpostfächern findet sich eine vermeintliche Benachrichtigung des Bundesministerium für Finanzen. In dem Schreiben heißt es, dass das BMF Empfänger/innen die Überzahlung von 716,43 Euro zurückerstatte. Dafür sei es notwendig, dass diese ein "Steuer formular" im Anhang der E-Mail ausfüllen. Es handelt sich um einen Phishingversuch von Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschte-finanzministerium-ph… *** Gratulation an unser milCERT *** --------------------------------------------- Gestern war der monatliche Patchday von Microsoft und mitten in den Bugs, die Remote Code Execution erlauben findet sich auch folgendes: Acknowledgments - 2016 MS16-121 Microsoft Office Memory Corruption Vulnerability CVE-2016-7193 Austrian MilCERT | Wir gratulieren unseren Kollegen aus der Stiftskaserne zu dem Fund und erwarten die Details dazu demnächst über dem einen oder anderen Bier. Autor: Otmar Lendl --------------------------------------------- http://www.cert.at/services/blog/20161012185042-1798.html *** Everyone Loves Selfies, Including Malware! *** --------------------------------------------- I was talking with some of my coworkers the other day about why I wanted to jump to the larger iPhone 7 Plus. For me it came down to the camera. I travel a lot for work and even though photography is something of a hobby of mine, I don't always have my "good camera"... --------------------------------------------- https://blogs.mcafee.com/consumer/everyone-loves-selfies-including-malware/ *** A Look at the BIND Vulnerability: CVE-2016-2776 *** --------------------------------------------- On September 27, the Internet Systems Consortium (ICS) announced the release of patches for a critical vulnerability that would allow attackers to launch denial-of-service (DoS) attacks using the Berkeley Internet Name Domain (BIND) exploits. The critical error was discovered during internal testing by the ISC. BIND is a very popular open-source software component that implements DNS protocols. It is also known as the de facto standard for Linux and other Unix-based systems, which means a... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/78QqkPE96mw/ *** WSF attachments are the latest malware delivery vehicle *** --------------------------------------------- Most users have by now learned not to open executable (.EXE), various MS Office, RTF and PDF files delivered via unsolicited emails, but malware peddlers are always trying out new ways to trick users, email filters and AV software. Number of blocked emails containing malicious WSF attachments by month According to Symantec, Windows Script Files (WSFs) are the latest file types to be exploited to deliver malware via email. --------------------------------------------- https://www.helpnetsecurity.com/2016/10/13/wsf-attachments-malware-delivery/ *** CryPy: ransomware behind Israeli lines *** --------------------------------------------- A Tweet posted recently by AVG researcher, Jakub Kroustek, suggested that a new ransomware, written entirely in Python, had been found in the wild, joining the emerging trend for Pysomwares such as the latest HolyCrypt, Fs0ciety Locker and others. --------------------------------------------- http://securelist.com/blog/research/76318/crypy-ransomware-behind-israeli-l… *** IoT Devices as Proxies for Cybercrime *** --------------------------------------------- Multiple stories published here over the past few weeks have examined the disruptive power of hacked "Internet of Things" (IoT) devices such as routers, IP cameras and digital video recorders. This post looks at how crooks are using hacked IoT devices as proxies to hide their true location online as they engage in a variety of other types of cybercriminal activity -- from frequenting underground forums to credit card and tax refund fraud. --------------------------------------------- https://krebsonsecurity.com/2016/10/iot-devices-as-proxies-for-cybercrime/ *** 6000 Online-Shops angeblich mit Kreditkarten-Skimmern verseucht - Tendenz steigend *** --------------------------------------------- Online-Kriminelle greifen derzeit vermehrt Kreditkarten-Daten auf Webseiten von Online-Shops ab, berichtet ein Sicherheitsforscher. --------------------------------------------- https://heise.de/-3349185 *** What is MANRS and does your network have it? *** --------------------------------------------- While the internet itself was first envisioned as a way of enabling robust, fault-tolerant communication, the global routing infrastructure that underlies it is relatively fragile. A simple error like the misconfiguration of routing information in one of the 7,000 to 10,000 networks central to global routing can lead to a widespread outage, and deliberate actions, like preventing traffic with spoofed source IP addresses, can lead to distributed denial of service (DDoS) attacks. --------------------------------------------- http://www.cio.com/article/3130707/internet/what-is-manrs-and-does-your-net… *** Cisco Security Advisories *** --------------------------------------------- *** Cisco cBR-8 Converged Broadband Router vty Integrity Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Wide Area Application Services Central Manager Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Unified Communications Manager iFrame Data Clickjacking Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Prime Infrastructure and Evolved Programmable Network Manager Database Interface SQL Injection Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Meeting Server Client Authentication Bypass Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Finesse Cross-Site Request Forgery Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Juniper Security Bulletins *** --------------------------------------------- *** JSA10763 - 2016-10 Security Bulletin: Junos: Multiple privilege escalation vulnerabilities in Junos CLI (CVE-2016-4922) *** http://kb.juniper.net/index?page=content&id=JSA10763&actp=RSS --------------------------------------------- *** JSA10766 - 2016-10 Security Bulletin: vMX: Information leak vulnerability (CVE-2016-4924) *** http://kb.juniper.net/index?page=content&id=JSA10766&actp=RSS --------------------------------------------- *** JSA10767 - 2016-10 Security Bulletin: JUNOSe: Line Card Reset: processor exception 0x68616c74 (halt) task: scheduler, upon receipt of crafted IPv6 packet (CVE-2016-4925) *** http://kb.juniper.net/index?page=content&id=JSA10767&actp=RSS --------------------------------------------- *** JSA10764 - 2016-10 Security Bulletin: Junos J-Web: Cross Site Scripting Vulnerability (CVE-2016-4923) *** http://kb.juniper.net/index?page=content&id=JSA10764&actp=RSS --------------------------------------------- *** JSA10762 - 2016-10 Security Bulletin: Junos: IPv6 denial of service vulnerability due to resource exhaustion (CVE-2016-4921) *** http://kb.juniper.net/index?page=content&id=JSA10762&actp=RSS --------------------------------------------- *** JSA10761 - 2016-10 Security Bulletin: CTPView: Multiple vulnerabilities in CTPView *** http://kb.juniper.net/index?page=content&id=JSA10761&actp=RSS --------------------------------------------- *** JSA10760 - 2016-10 Security Bulletin: Junos Space: Multiple vulnerabilities *** http://kb.juniper.net/index?page=content&id=JSA10760&actp=RSS --------------------------------------------- *** JSA10759 - 2016-10 Security Bulletin: OpenSSL security updates *** http://kb.juniper.net/index?page=content&id=JSA10759&actp=RSS --------------------------------------------- *** Security Advisory: PCRE vulnerability CVE-2016-3191 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/51/sol51440224.html?… *** Brocade NetIron MLX Line Card IPSec Processing Bug Lets Remote Users Cause the Target Line Card to Reset *** --------------------------------------------- http://www.securitytracker.com/id/1037010 *** Fortinet FortiManager Input Validation Flaw in Advanced Settings Page Lets Remote Authenticated Administrative Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1036982 *** Fortinet FortiAnalyzer Input Validation Flaw in Advanced Settings Page Lets Remote Authenticated Administrative Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1036981 *** Palo Alto PAN-OS Range Header Null Pointer Dereference Lets Remote Users Cause the Target Service to Crash *** --------------------------------------------- http://www.securitytracker.com/id/1037007 *** DFN-CERT-2016-1689: Ghostscript: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-1689/ *** Vuln: SAP NetWeaver ABAP ST-PI Component SQL Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/93506 *** Vuln: SAP BusinessObjects Unspecified Cross Site Request Forgery Vulnerability *** -------------------------------------------- http://www.securityfocus.com/bid/93508 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM BigFix Remote Control (CVE-2016-2183, CVE-2016-6304, CVE-2016-2177, CVE-2016-2178, CVE-2016-6306) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991896 --------------------------------------------- *** IBM Security Bulletin: IBM InfoSphere Information Server is vulnerable to information disclosure (CVE-2016-5994) *** http://www-01.ibm.com/support/docview.wss?uid=swg21992171 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM BigFix Remote Control (CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991894 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Websphere that is used by IBM BigFix Remote Control. (CVE-2016-3092) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991866 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Websphere Application Server affects IBM BigFix Remote Control (CVE-2016-5983) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991902 --------------------------------------------- *** IBM Security Bulletin: IBM Kenexa LCMS Premier on Cloud has addressed (CVE-2016-5949) *** http://www.ibm.com/support/docview.wss?uid=swg21992276 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Commons FileUpload affects IBM Campaign, IBM Interact, IBM Distributed Marketing, IBM Marketing Operations (CVE-2016-3092) *** http://www.ibm.com/support/docview.wss?uid=swg21991786 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Open Source Apache Tomcat , Commons FileUpload Vulnerabilities IBM Algorithmics Algo Risk Application *** http://www.ibm.com/support/docview.wss?uid=swg21990262 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integrated Management Module (IMM) for System x & BladeCenter (CVE-2016-2177, CVE-2016-2178) *** https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099492 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Apache Struts affect IBM BigFix Remote Control (CVE-2016-1181, CVE-2016-1182) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991903 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 12-10-2016
by Daily end-of-shift report 12 Oct '16

12 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 11-10-2016 18:00 − Mittwoch 12-10-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** VU#396440: MatrixSSL contains multiple vulnerabilities *** --------------------------------------------- Heap-based Buffer Overflow - CVE-2016-6890The Subject Alt Name field of X.509 certificates is not properly parsed. A specially crafted certificate may result in a heap-based buffer overflow .. --------------------------------------------- http://www.kb.cert.org/vuls/id/396440 *** October 2016 security update release *** --------------------------------------------- Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released. More information about this month’s security .. --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2016/10/11/october-2016-security-u… *** Security Advisory: Expat XML library vulnerability CVE-2015-1283 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/15/sol15104541.html *** Top of the Junk Pile (Shady TLD research part 16) *** --------------------------------------------- [Sorry about neglecting the external blog during all of the Symantec excitement this summer, but we had a lot going on... This post is from our internal blog, back in July (7/08/2016), and we wanted to get it out on the site when we resumed blogging, since a lot of people have been .. --------------------------------------------- https://www.bluecoat.com/2016-10-04/top-junk-pile-shady-tld-research-part-16 *** MSRT October 2016 release: Adding more unwanted software detections *** --------------------------------------------- Unwanted software often piggy-backs on program downloads, delivered by software bundlers. These bundles, which you might have downloaded, can include software .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2016/10/11/msrt-october-2016-relea… *** Four vulnerabilities found in Dell SonicWALL Email Security virtual appliance application *** --------------------------------------------- Digital Defense (DDI) disclosed the discovery of four security vulnerabilities found in the Dell SonicWALL Email Security virtual appliance application. The appliance is frequently deployed as a perimeter device. Further, .. --------------------------------------------- https://www.helpnetsecurity.com/2016/10/12/sonicwall-email-security-vulnera… *** Scan Ruby-based apps for security issues with Dawnscanner *** --------------------------------------------- Dawnscanner is an open source static analysis scanner designed to review the security of web applications written in Ruby. Dawnscanner’s genesis Its developer, Paolo Perego, says that he was motivated to create it back in spring .. --------------------------------------------- https://www.helpnetsecurity.com/2016/10/12/scan-ruby-based-apps-dawnscanner/ *** WiFi Still Remains a Good Attack Vector *** --------------------------------------------- WiFi networks areeverywhere! When we plan to visit a place or reserve ahotel for our holidays, we always check first if free WiFi is available (be honest, you do!). Oncewe connected our beloved devices to an external wireless .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21583 *** Security Advisory - Multiple Security Vulnerabilities in Driver of Huawei Smart Phones *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161012-… *** List of 2016 OWASP London Talks & Videos *** --------------------------------------------- https://www.youtube.com/owasplondon *** VMware vRealize Operations Lets Remote Authenticated Users Gain Elevated Privileges *** --------------------------------------------- http://www.securitytracker.com/id/1036999 *** Several Exploit Kits Now Deliver Cerber 4.0 *** --------------------------------------------- We have tracked three malvertising campaigns and one compromised site campaign using Cerber ransomware after version 4.0 (detected as as Ransom_CERBER.DLGE) was .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/several-exploit-…

1 0

Tageszusammenfassung - Dienstag 11-10-2016
by Daily end-of-shift report 11 Oct '16

11 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 10-10-2016 18:00 − Dienstag 11-10-2016 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Denial of Service Vulnerability in Citrix License Server *** --------------------------------------------- A vulnerability has been identified in the Citrix License Server for Windows and Citrix License Server VPX that could allow a remote ... --------------------------------------------- http://support.citrix.com/article/CTX217430 *** [2016-10-11] XXE vulnerability in RSA ECAT Client *** --------------------------------------------- By exploiting the XXE vulnerability, an attacker can get read access to the filesystem of the users system using RSA ECAT client and thus obtain sensitive information from the system. It is also possible to scan ports of the internal hosts and cause DoS on the affected host. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2016… *** Erpressungs-Trojaner DXXD nimmt Windows-Server ins Visier *** --------------------------------------------- Die Hintermänner der Ransomware haben ihren Schädling optimiert und das kostenlose Entschlüsselungs-Tool unbrauchbar gemacht. Zudem verspotten Sie Sicherheitsforscher öffentlich. --------------------------------------------- https://heise.de/-3344979 *** Bugtraq: [SEARCH-LAB advisory] AVTECH IP Camera, NVR, DVR multiple vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/539567 *** Nymaim: Deep Technical Dive - Adventures in Evasive Malware *** --------------------------------------------- Nymaim is mostly known worldwide as a downloader, although it seems they evolved from former versions, now having new functionalities to obtain data on the machine with no need to download a new payload. Some of the exported .. --------------------------------------------- http://www.seculert.com/blogs/nymaim-deep-technical-dive-adventures-in-evas… *** Zertifizierungsstellen: Bei WoSign und StartCom rollen Köpfe *** --------------------------------------------- Die beiden Kostenlos-CAs bekommen jeweils eine neue Firmenspitze und sollen komplett voneinander getrennt werden. Damit soll das verlorene Vertrauen zurückgewonnen werden. --------------------------------------------- https://heise.de/-3344229 *** APT 28: Wie ein französischer Fernsehsender gehackt wurde *** --------------------------------------------- Im Jahr 2015 ist der französische Fernsehsender TV5 nach einem Angriff auf die IT-Infrastruktur für Stunden lahmgelegt worden. Eine Untersuchung der französischen Polizei zeigt nun, wie planvoll die Angreifer vorgegangen sind. --------------------------------------------- http://www.golem.de/news/apt-28-wie-ein-franzoesischer-fernsehsender-gehack… *** Security Bulletins Posted *** --------------------------------------------- Adobe has published security bulletins for Adobe Flash Player (APSB16-32), Adobe Acrobat and Reader (APSB16-33), and Adobe Creative Cloud Desktop Application (APSB16-34). Adobe recommends users update their product installations .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1409 *** DDOS: Was Cloudflare vom Mirai-Botnetz sieht *** --------------------------------------------- Cloudflare hat sich die aktuellen DDoS-Angriffe genauer angeschaut - und berichtet, dass einige Angriffe 1,75 Millionen HTTP-Anfragen pro Sekunde erzeugen. --------------------------------------------- http://www.golem.de/news/ddos-was-cloudflare-vom-mirai-botnetz-sieht-1610-1…

1 0

Tageszusammenfassung - Montag 10-10-2016
by Daily end-of-shift report 10 Oct '16

10 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 07-10-2016 18:00 − Montag 10-10-2016 18:00 Handler: Stephan Richter Co-Handler: n/a *** Europe to Push New Security Rules Amid IoT Mess *** --------------------------------------------- The European Commission is drafting new cybersecurity requirements to beef up security around so-called Internet of Things (IoT) devices such as Web-connected security cameras, routers and digital video recorders (DVRs). News of the expected proposal comes as security firms are warning that a great many IoT devices are equipped with little or no security protections. --------------------------------------------- https://krebsonsecurity.com/2016/10/europe-to-push-new-security-rules-amid-… *** Mehr Sicherheit für das Internet der Dinge *** --------------------------------------------- Die vernetzten Geräte des Internet of Things (IoT) sammeln und verarbeiten immer mehr Daten, versagen jedoch häufig beim Schutz dieser Daten. Ein ausführlicher Leitfaden will bei der Entwicklung sicherer Geräte helfen. --------------------------------------------- https://heise.de/-3343482 *** Security Economics of the Internet of Things *** --------------------------------------------- Brian Krebs is a popular reporter on the cybersecurity beat. He regularly exposes cybercriminals and their tactics, and consequently is regularly a target of their ire. Last month, he wrote about an online attack-for-hire service that resulted in the arrest of the two proprietors. In the aftermath, his site was taken down by a massive DDoS attack.In many ways, this is nothing new. Distributed denial-of-service attacks are a family of attacks that cause websites and other Internet-connected... --------------------------------------------- https://www.schneier.com/blog/archives/2016/10/security_econom_1.html *** Mirai: DDoS per IoT *** --------------------------------------------- In den letzten Wochen wurde mal wieder ein neuer Rekord für den bisher stärksten gemessenen Distributed Denial of Service (DDoS) Angriff aufgestellt. Das ist soweit nicht überraschend, die verfügbare Bandbreite im Internet wächst immer noch stark, da ist klar, dass damit auch die Angriffsstärke zunehmen kann. Überraschend war aber, dass der Rekord nicht über einen "reflected DDoS" erreicht wurde. Diese Methode... --------------------------------------------- http://www.cert.at/services/blog/20161010095630-1789.html *** Strange Loop - IP Spoofing *** --------------------------------------------- I recently gave a talk at the Strange Loop conference in St Louis. The recording and slides are available, but for easier consumption heres a transcript. --------------------------------------------- https://idea.popcount.org/2016-09-20-strange-loop---ip-spoofing/ *** VMware stopft Informationsleck in Horizon View *** --------------------------------------------- Wichtige Sicherheits-Updates sollen VMware Horizon View unter Windows sicherer machen. --------------------------------------------- https://heise.de/-3343678 *** Radare2: rahash2, (Mon, Oct 10th) *** --------------------------------------------- Radare2 is an open-source reverse-engineering framework. Some time ago I wrote about recovering ransomed pictures. By calculating the entropy of the ransomed files with my byte-stats tool, I could see that the file was not completely encrypted. rahash2 is one of the tools in the Radare2 framework. As it names implies, it calculates (cryptographic) hashes, but it is quite versatile. For example, it will also calculate entropy: And like my byte-stats.py tool, it can also split the file in blocks... --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21577&rss *** Remove ransomware infections from your PC using these free tools *** --------------------------------------------- A how-to on finding out what ransomware is squatting in your PC -- and how to get rid of it. --------------------------------------------- http://www.zdnet.com/article/remove-ransomware-infections-from-your-pc-usin… *** Open-Source-Router: 1000 Turris Omnia ausgeliefert *** --------------------------------------------- Nachdem es ursprünglich im Sommer losgehen sollte, lieferte der Hersteller cz.nic doch erst Ende September die ersten Turris-Omnia-Router aus. Vor ein paar Tagen wurde bereits das tausendste Exemplar verschickt. --------------------------------------------- https://heise.de/-3344417 *** VU#338624: U by BB and T iOS banking application fails to properly validate SSL certificates *** --------------------------------------------- Vulnerability Note VU#338624 U by BB&T iOS banking application fails to properly validate SSL certificates Original Release date: 30 Sep 2016 | Last revised: 06 Oct 2016 Overview U by BB&T for iOS, version 1.5.4 and earlier, fails to properly validate SSL certificates provided by HTTPS connections, which may enable an attacker to conduct man-in-the-middle (MITM) attacks. Description CWE-295: Improper Certificate Validation - CVE-2016-6550U by BB&T is a banking application. On iOS... --------------------------------------------- http://www.kb.cert.org/vuls/id/338624 *** Vuln: GraphicsMagick CVE-2016-7997 NULL Pointer Denial of Service Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/93467 *** DSA-3689 php5 - security update *** --------------------------------------------- Several vulnerabilities were found in PHP, a general-purpose scriptinglanguage commonly used for web application development. --------------------------------------------- https://www.debian.org/security/2016/dsa-3689 *** Toshiba FlashAir does not require authentication in "Internet pass-thru Mode" *** --------------------------------------------- FlashAir provided by Toshiba Corporation does not require authentication on accepting a connection from STA side LAN when "Internet pass-thru Mode" is enabled. --------------------------------------------- http://jvn.jp/en/jp/JVN39619137/ *** IBM Security Bulletin: Financial Transaction Manager for Corporate Payment Services: Clickjacking (CVE-2016-3060) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21992051 *** IBM Security Bulletin: HTTP Response Splitting in Liberty affects IBM MessageSight (CVE-2016-0359) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21991096 *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Flex System Manager (FSM) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1024350 *** IBM Security Bulletin: A security vulnerability in IBM Java Runtime affects IBM Systems Director Storage Control ( CVE-2015-4872) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1024349

1 0

Tageszusammenfassung - Freitag 7-10-2016
by Daily end-of-shift report 07 Oct '16

07 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 06-10-2016 18:00 − Freitag 07-10-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Gefälschtes Bank Austria-Sicherheitszertifikat ist Schadsoftware *** --------------------------------------------- In einer gefälschten Bank Austria-Nachricht mit dem Betreff "Sicherheitszertifikat" behaupten Kriminelle, dass Empfänger/innen ein Programm für ihr Smartphone installieren müssen. Das ist angeblich notwendig, damit sie ihr OnlineBanking-Konto nützen können. In Wahrheit handelt es sich bei dem Programm um Schadsoftware. --------------------------------------------- https://www.watchlist-internet.at/schadsoftware/gefaelschtes-bank-austria-s… *** Upcoming Security Updates for Adobe Acrobat and Reader (APSB16-33) *** --------------------------------------------- A prenotification Security Advisory (APSB16-33) has been posted regarding upcoming releases for Adobe Acrobat and Reader scheduled for Tuesday, October 11, 2016. We will continue to provide updates on the upcoming releases via the Security Advisory as well as the Adobe... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1405 *** 100+ online shops compromised with payment data-stealing code *** --------------------------------------------- Since March 2016 (and possibly even earlier), someone has been compromising a variety of online shops and injecting them with malicious JavaScript code that exfiltrates payment card and other kinds of information users entered to pay for their shopping. According to RiskIQ and ClearSky researchers, the campaign - which they dubbed Magecart - is still ongoing, albeit at a reduced scope and pace. Since March, the threat actor behind it has compromised more than 100... --------------------------------------------- https://www.helpnetsecurity.com/2016/10/07/payment-data-stealing-code/ *** Hintergrund: Analysiert: Werbekeule statt Glitzersteine - Android-Malware CallJam seziert *** --------------------------------------------- Trotz verschiedener Sicherheits-Checks schleicht sich immer wieder Malware in Googles App Store. Eine davon gibt sich als vermeintliches Helferlein für das unfassbar erfolgreiche Spiel "Clash Royale" aus. --------------------------------------------- https://heise.de/-3340267 *** Lovoo: Sicherheitslücke ermüglicht Erstellung von Bewegungsprofilen *** --------------------------------------------- Über die Web-API des Dating-Dienstes ließen sich bis vor kurzem Informationen über Nutzer abrufen - auch ohne Login. Per Skript-Automatisierung können damit Bewegungsprofile erstellt werden. --------------------------------------------- http://www.golem.de/news/lovoo-sicherheitsluecke-ermoeglicht-erstellung-von… *** Positive Technologies: Security Trends & Vulnerabilities Review Industrial Control Systems (PDF) *** --------------------------------------------- This study examines components of ICS from different vendors. In the period from 2012 to 2015, a total of 743 vulnerabilities were discovered in ICS components; most of them were detected in products from well-known companies: Siemens, Schneider Electric, and Advantech. Most vulnerabilities are of either high or medium risk (47% high, 47% medium). ... Summary: The study shows that the number of vulnerable ICS components is not reducing from year to year. Nearly half of identified... --------------------------------------------- https://www.ptsecurity.com/upload/iblock/6bd/ics_vulnerability_2016_eng.pdf *** An attachment that wasn't there *** --------------------------------------------- By Slavo Greminger and Oli Schacher | On a daily basis we collect tons of Spam emails, which we analyze for malicious content. Of course, this is not done manually by our thousands of minions, but automated using some Python-fu. Python... --------------------------------------------- https://securityblog.switch.ch/2016/10/07/an-attachment-that-wasnt-there/ *** Sicherheits-Updates: Angreifer können Cisco-Switches kapern *** --------------------------------------------- Der Netzwerkausrüster kümmert sich um zwei als kritisch eingestufte Sicherheitslücken in Switches der Nexus-Serie und verteilt Sicherheits-Patches für 15 weitere Schwachstellen in verschiedenen Produkten. --------------------------------------------- https://heise.de/-3342846 *** OS X El Capitan: Warten auf das große Sicherheitsupdate *** --------------------------------------------- Mit Apples neuem Betriebssystem macOS Sierra werden zahlreiche Lücken gestopft, die in der Vorversion stecken. Doch ein eigenes Update für OS X El Capitan hat der Hersteller noch nicht publiziert. --------------------------------------------- https://heise.de/-3342343 *** Malware könnte Video und Audio vom Mac aufzeichnen *** --------------------------------------------- Der Sicherheitsforscher Patrick Wardle hat einen Demo-Exploit entwickelt, der Kamera- und Mikrofondaten mitschneiden kann, während Chats laufen. --------------------------------------------- https://heise.de/-3342336 *** VMSA-2016-0015 VMware Horizon View updates address directory traversal vulnerability (CVE-2016-7087) *** --------------------------------------------- Severity: Important VMware Horizon View contains a vulnerability that may allow for a directory traversal on the Horizon View Connection Server. Exploitation of this issue may lead to a partial information disclosure. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2016-0015.html *** IDM 4.5 One SSO Provider (OSP) 6.0.0.5 *** --------------------------------------------- Abstract: This hotfix provides enhancements and software fixes for the One SSO Provider for Identity Manager. For more information about these updates, see the hotfix details.Document ID: 5256490Security Alert: YesDistribution Type: PublicEntitlement Required: NoFiles:IDM45-OSP60-HF-5.zip (23.28 MB)Products:Identity Manager 4.5Access Review 1.1Access Review 1.5Superceded Patches:IDM 4.5 One SSO Provider (OSP) --------------------------------------------- https://download.novell.com/Download?buildid=Z0jKqCEDM7k~ *** Atlassian HipChat Secret Key Disclosure *** --------------------------------------------- Topic: Atlassian HipChat Secret Key Disclosure Risk: Medium Text:This email refers to the following advisory pages: * Bitbucket Server - https://confluence.atlassian.com/x/0QkcMg * Conflue... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016100066 *** DFN-CERT-2016-1653: KDE: Mehrere Schwachstellen in KMail ermöglichen u.a. das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-1653/ *** GE Bently Nevada 3500/22M Improper Authorization Vulnerability *** --------------------------------------------- This advisory was originally posted to the US-CERT secure Portal library on September 8, 2016, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for an improper authorization vulnerability in the GE Bently Nevada 3500/22M monitoring system. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-252-01 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM WebSphere Dashboard Framework is affected by a security vulnerability in Apache POI (CVE-2016-5000) *** http://www.ibm.com/support/docview.wss?uid=swg21991850 --------------------------------------------- *** IBM Security Bulletin: IBM Web Experience Factory is affected by a security vulnerability in Apache POI (CVE-2016-5000) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991851 --------------------------------------------- *** IBM Security Bulletin: IBM WebSphere Dashboard Framework is affected by multiple security vulnerabilities in Apache POI *** http://www-01.ibm.com/support/docview.wss?uid=swg21991839 --------------------------------------------- *** IBM Security Bulletin: IBM Web Experience Factory is affected by multiple security vulnerabilities in Apache POI *** http://www-01.ibm.com/support/docview.wss?uid=swg21991845------------------… --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Performance Tester (CVE-2016-3485) *** http://www.ibm.com/support/docview.wss?uid=swg21991877 --------------------------------------------- *** IBM Security Bulletin: : Multiple vulnerabilities in IBM Java SDK affect Rational Service Tester (CVE-2016-3485) *** http://www.ibm.com/support/docview.wss?uid=swg21991879 --------------------------------------------- *** IBM Security Bulletin: IBM Streams is affected by Open Source Apache Xerces-C XML parser Vulnerabilities (CVE-2016-4463) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991111 --------------------------------------------- *** IBM Security Bulletin: IBM Streams is affected by Libxml2 vulnerabilities (CVE-2016-4447, CVE-2016-4448, CVE-2016-4449) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991061 --------------------------------------------- *** IBM Security Bulletin: IBM Streams may be impacted by a vulnerability in WebSphere Liberty (CVE-2016-2923) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991058 --------------------------------------------- *** IBM Security Bulletin: IBM Streams is affected by Open Source Apache Xerces-C XML parser Vulnerabilities (CVE-2016-0729) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991112 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 6-10-2016
by Daily end-of-shift report 06 Oct '16

06 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 05-10-2016 18:00 − Donnerstag 06-10-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Symantec Web Gateway Management Console Interface Command Injection *** --------------------------------------------- Symantec has released an update to address a Symantec Web Gateway (SWG) Management Console Interface command injection issue bypassing validation restrictions to add an unauthorized whitelist entry. Highest severity issue: Medium --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** NIST: People have given up on cybersecurity - its too much hassle *** --------------------------------------------- To help change peoples mental models so that they will participate in cybersecurity, Theofanos said technology professionals have to do more work for the people using their products, so that people dont need to make too many decisions. "We need to make it easy for them to do the right thing," she said. "We need to make these things habits, so they dont really have to think about it." --------------------------------------------- http://www.theregister.co.uk/2016/10/06/go_ahead_steal_my_muffin_recipe/ *** Spotify: Gratis-Version lieferte Schadsoftware für Windows und Mac aus *** --------------------------------------------- Offensichtlich über Werbung von Dritten eingeschleust - Spotify bestätigt und entschuldigt sich bei Nutzern --------------------------------------------- http://derstandard.at/2000045458665 *** Malicious actions not necessarily focused on causing disruptions in TELECOM, but system failures still are *** --------------------------------------------- ENISA publishes its Annual Incidents report which gives the aggregated analysis of the security incidents causing severe outages in 2015. --------------------------------------------- https://www.enisa.europa.eu/news/malicious-actions-not-necessarily-focused-… *** Vorsicht vor Verteilung von Malware via Steam-Chat *** --------------------------------------------- Aktuell häufen sich Hinweise, dass Kriminelle verstärkt über gekaperte Steam-Accounts Links zu Webseiten mit Trojanern verschicken. --------------------------------------------- https://heise.de/-3342136 *** Denial of Service Vulnerability in Citrix License Server *** --------------------------------------------- A vulnerability has been identified in the Citrix License Server for Windows and Citrix License Server VPX that could allow a remote, unauthenticated attacker to crash the License Server. This vulnerability affects all versions of Citrix License Server for Windows and Citrix License Server VPX earlier than version 11.14.0.1. This vulnerability has been assigned the following CVE number: CVE-2016-6273 --------------------------------------------- http://support.citrix.com/article/CTX217430 *** Vulnerability in Citrix Linux VDA (formerly known as Linux Virtual Desktop) Could Result in Privilege Escalation *** --------------------------------------------- A vulnerability has been identified in the Linux Virtual Delivery Agent (VDA) component of Citrix XenDesktop that could allow a local user to execute commands as root on the Linux VDA. The vulnerability affects all versions of the Citrix Linux VDA earlier than version 1.4.0. This vulnerability has been assigned the following CVE number: CVE-2016-6276 --------------------------------------------- http://support.citrix.com/article/CTX216628 *** Sicherheits-Patches: Foxit beugt Angriffen auf Reader und PhantomPDF vor *** --------------------------------------------- Die Entwickler schließen mehrere kritische Lücken in den Linux-, OS-X- und Windows-Versionen. --------------------------------------------- https://heise.de/-3341878 *** Wave your false flags! *** --------------------------------------------- Targeted attackers are using an increasingly wide range of deception techniques to muddy the waters of attribution, planting "False Flag" timestamps, language strings, malware, among other things, and operating under the cover of non-existent groups. --------------------------------------------- http://securelist.com/analysis/publications/76273/wave-your-false-flags/ *** Announcing CERT Basic Fuzzing Framework Version 2.8 *** --------------------------------------------- Today we are announcing the release of the CERT Basic Fuzzing Framework Version 2.8 (BFF 2.8). Its been about three years since we released BFF 2.7. In this post, I highlight some of the changes weve made. --------------------------------------------- https://insights.sei.cmu.edu/cert/2016/10/announcing-cert-basic-fuzzing-fra… *** Palo Alto PAN-OS GlobalProtect Portal Web Interface Lets Remote Users Obtain Potentially Sensitive Information on the Target System *** --------------------------------------------- http://www.securitytracker.com/id/1036968 *** Erpressungs-Trojaner Cerber lernt dazu und verschlüsselt noch mehr *** --------------------------------------------- Sicherheitsforscher warnen vor einer neuen Version der Ransomware, die nun unter anderem auch bestimmte laufende Prozesse beenden kann, um so Datenbanken in ihre Fänge zu bekommen. --------------------------------------------- https://heise.de/-3341992 *** Cisco Security Advisories *** --------------------------------------------- *** Cisco ASA Software DHCP Relay Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Unified Intelligence Center (CUIC) Software Cross-Site Request Forgery Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Unified Intelligence Center (CUIC) Software Unauthenticated User Account Creation Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Unified Intelligence Center (CUIC) Software Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Nexus 7000 and 7700 Series Switches Overlay Transport Virtualization Buffer Overflow Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco NX-OS Software-Based Products Authentication, Authorization, and Accounting Bypass Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Nexus 9000 Information Disclosure Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco IOS XR Software Command-Line Interface Privilege Escalation Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco IOS and IOS XE IKEv2 Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Firepower Management Center Console Local File Inclusion Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Firepower Management Center Console Authentication Bypass Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Firepower Threat Management Console Remote Command Execution Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco NX-OS Software Malformed DHCPv4 Packet Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco NX-OS Software Crafted DHCPv4 Packet Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco Host Scan Package Cross-Site Scripting Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco IOS Software for Cisco Catalyst 6500 Series Switches and 7600 Series Routers ACL Bypass Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** Cisco NX-OS Border Gateway Protocol Denial of Service Vulnerability *** http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: A vulnerability in crypto++ affects PowerKVM (CVE-2016-3995) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024263 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Python affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024236 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in PHP affects PowerKVM (CVE-2016-5385) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024261 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in the Linux kernel affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024270 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server July 2016 CPU (CVE-2016-3485) that is bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud. *** http://www-01.ibm.com/support/docview.wss?uid=swg21991149 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Tomcat affects SAN Volume Controller and Storwize Family (CVE-2016-3092) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009284 --------------------------------------------- *** IBM Security Bulletin: Vulnerability affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-2947) *** http://www.ibm.com/support/docview.wss?uid=swg21991477 --------------------------------------------- *** IBM Security Bulletin: XStream XML information discloure vulnerability affects IBM Rational Quality Manager (CVE-2016-3674) *** http://www.ibm.com/support/docview.wss?uid=swg21991406 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities exist in Watson Explorer Analytical Components, Watson Content Analytics, and OmniFind Enterprise Edition (CVE-2016-0359, CVE-2016-3092, CVE-2016-3485) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990062 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Open Source BeanShell has been addressed by IBM Kenexa LMS (CVE-2016-2510) *** http://www-01.ibm.com/support/docview.wss?uid=swg21987703 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in qemu affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024322 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in nagios affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024264 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in nginx affect PowerKVM *** http://www.ibm.com/support/docview.wss?uid=isg3T1024237 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in NRPE affects PowerKVM (CVE-2014-2913) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024235 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in lighttpd affects PowerKVM (CVE-2016-1000212) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024260 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in pigz affects PowerKVM (CVE-2015-1191) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024213 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in ganglia affects PowerKVM (CVE-2015-6816) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024262 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 5-10-2016
by Daily end-of-shift report 05 Oct '16

05 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 04-10-2016 18:00 − Mittwoch 05-10-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Security Advisory: XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2015-1470 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/16000/800/sol16838.htm… *** Android Security Bulletin October 2016 *** --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security update to Nexus devices through an over-the-air (OTA) update. --------------------------------------------- https://source.android.com/security/bulletin/2016-10-01.html *** Security Advisory: OpenSSL vulnerability CVE-2016-2183 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/13/sol13167034.html?… *** WordPress Hack Modifies Core Files to Share Spam *** --------------------------------------------- One of the worst feelings a website owner can experience is discovering that your site has been hacked. Without proper security measures in place, even website owners with the best intentions can lose control of their website. When hackers gain access to your site, they can use it to host phishing content, distribute malware, steal sensitive information and more. In this analysis, we look at a website that was unintentionally sharing spam content in the form of Windows keys. --------------------------------------------- https://blog.sucuri.net/2016/10/wordpress-hack-shares-spam-when-core-modifi… *** Researchers spot remote code execution flaw in FreeImage *** --------------------------------------------- Cisco Talos researchers spotted a remote code execution vulnerability in the FreeImage Library XMP Image Handling affecting version 3.17.0. --------------------------------------------- http://www.scmagazine.com/remote-code-execution-flaw-spotted-in-freeimage-l… *** Security Advisory: OpenSSL vulnerability CVE-2016-6303 *** --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/35/sol35543324.html?… *** INDAS Web SCADA Path Traversal Vulnerability *** --------------------------------------------- This advisory contains mitigation details for a path traversal vulnerability in the INDAS Web SCADA application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-278-01 *** Beckhoff Embedded PC Images and TwinCAT Components Vulnerabilities *** --------------------------------------------- This advisory contains mitigation details for vulnerabilities in Beckhoff's Embedded PC Images and TwinCAT Components. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-278-02 *** Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional Vulnerabilities (Update B) *** --------------------------------------------- This updated advisory is a follow-up to the advisory update titled ICSA-16-208-01A Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional Vulnerabilities that was published August 16, 2016, on the NCCIC/ICS-CERT web site. This advisory contains mitigation details for two vulnerabilities in the Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-16-208-01 *** Lets not meet up with JPEG 2000 - researchers find security hole in image codec *** --------------------------------------------- Wont it be strange when were all fully pwned? Researchers are warning about a newly discovered security vulnerability in a popular open-source JPEG 2000 parser that could let corrupted image files trigger remote code execution. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/10/04/jpeg_2000_s… *** DressCode-Malware: 400 Trojaner-Apps infiltrieren Google Play *** --------------------------------------------- Sicherheitsforscher warnen vor getarnten Android-Spionage-Apps, die aus Firmen-Netzwerken Informationen absaugen sollen. --------------------------------------------- https://heise.de/-3340921 *** Xen Security Advisory CVE-2016-7777 / XSA-190 version 5: CR0.TS and CR0.EM not always honored for x86 HVM guests *** --------------------------------------------- A malicious unprivileged guest user may be able to obtain or corrupt sensitive information (including cryptographic material) in other programs in the same guest. --------------------------------------------- http://xenbits.xen.org/xsa/advisory-190.html *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Financial Transaction Manager for Corporate Payment Services (CVE-2016-5920) *** http://www.ibm.com/support/docview.wss?uid=swg21989062 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) and Rational Directory Administrator *** http://www.ibm.com/support/docview.wss?uid=swg21989495 --------------------------------------------- *** IBM Security Bulletin: IBM Security Guardium is affected by Open Source XMLsoft Libxml2 Vulnerabilities (CVE-2016-3705) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990231 --------------------------------------------- *** IBM Security Bulletin: IBM Security Guardium Database Activity Monitor is affected by Open Source XMLsoft Libxml2 Vulnerabilities (CVE-2016-3627) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991063 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in Open Source GNU glibc affect IBM Workload Deployer (CVE-2014-9761, CVE-2015-8778, CVE-2015-8779) *** http://www.ibm.com/support/docview.wss?uid=swg21991777 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Open Source GNU glibc affects IBM Workload Deployer. (CVE-2015-8776) *** http://www.ibm.com/support/docview.wss?uid=swg21991465 --------------------------------------------- *** IBM Security Bulletin: Cross-Site Scripting Vulnerability (CVE-2016-0243) Affects IBM Connections Mail *** http://www.ibm.com/support/docview.wss?uid=swg21991265 --------------------------------------------- *** IBM Security Bulletin: IBM Security Guardium is affected by Cross-Site Scripting vulnerability (CVE-2016-0246) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990377 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 4-10-2016
by Daily end-of-shift report 04 Oct '16

04 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Montag 03-10-2016 18:00 − Dienstag 04-10-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Cisco IOS and Cisco IOS XE Software TCP Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the handling of remote TCP connections in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) condition due to low memory.The vulnerability is due to the handling of out-of-order, or otherwise invalid, TCP packets on a remote connection to an affected device. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Vuln: SAP Security Audit Log CVE-2016-4551 Security Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/93288 *** Security Advisory: Nginx vulnerability CVE-2016-4450 *** --------------------------------------------- os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file. (CVE-2016-4450) --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/08/sol08250500.html?… *** Researchers gut EMCs VMAX, vApp with five god mode hack holes *** --------------------------------------------- Complete compromise: DIY admin, or DoS your victim Researchers with Digital Defence have reported six dangerous vulnerabilities in EMCs VMAX product line that can grant remote attackers arbitrary command execution with root privileges. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/10/04/researchers… *** SAP Netweaver 7.40 SP 12 SCTC_REFRESH_EXPORT_TAB_COMP Command Injection *** --------------------------------------------- Topic: SAP Netweaver 7.40 SP 12 SCTC_REFRESH_EXPORT_TAB_COMP Command Injection Risk: High Text:Onapsis Security Advisory ONAPSIS-2016-041: SAP OS Command Injection in SCTC_REFRESH_EXPORT_TAB_COMP 1. Impact on Business ... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016100025 *** SAP Netweaver 7.40 SP 12 SCTC_REFRESH_CHECK_ENV Command Injection *** --------------------------------------------- Topic: SAP Netweaver 7.40 SP 12 SCTC_REFRESH_CHECK_ENV Command Injection Risk: High Text:Onapsis Security Advisory ONAPSIS-2016-042: SAP OS Command Injection in SCTC_REFRESH_CHECK_ENV 1. Impact on Business ... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016100024 *** SAP Netweaver 7.40 SP 12 SCTC_TMS_MAINTAIN_ALOG Command Injection *** --------------------------------------------- Topic: SAP Netweaver 7.40 SP 12 SCTC_TMS_MAINTAIN_ALOG Command Injection Risk: High Text:Onapsis Security Advisory ONAPSIS-2016-043: SAP OS Command Injection in SCTC_TMS_MAINTAIN_ALOG 1. Impact on Business ... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016100023 *** NCCIC/ICS-CERT 2015 Assessment Report [PDF] *** --------------------------------------------- This report provides a year-end summary of the NCCIC/ICS-CERT security assessment activities. --------------------------------------------- https://ics-cert.us-cert.gov/sites/default/files/Annual_Reports/FY2015_Indu… *** Major security flaw in Samsung Knox could give hackers full control of your phone *** --------------------------------------------- Israeli researchers found three vulnerabilities in Samsung Knox - they have since been patched but out-of-date devices may still be at risk --------------------------------------------- http://www.wired.co.uk/article/samsung-knox-security-vulnerabilities *** Industrial control kit hackable, warn researchers *** --------------------------------------------- Plus: Ethernet I/O devices web app fails to sanitise user input Multiple vulnerabilities in MOXA ioLogik controllers placed industrial facilities at risk if they do not apply patches. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2016/10/04/ios_10_flaw/ *** Samsung Knox flaws open unpatched devices to compromise *** --------------------------------------------- Researchers from Viral Security Group have discovered three vulnerabilities in Samsung Knox, a security platform that allows users to maintain separate identities for work and personal use, and is built into some of the company's Android smartphones and tablets. Knox is meant to protect the integrity of the entire device - both hardware and software - but apparently there are ways to bypass some of those protections, specifically those offered by the Real-time Kernel --------------------------------------------- https://www.helpnetsecurity.com/2016/10/04/samsung-knox-flaws/ *** HPE KeyView SDK File Processing Flaw Lets Remote Users Execute Arbitrary Code *** --------------------------------------------- Several vulnerabilities were reported in HPE KeyView SDK. A remote user can cause arbitrary code to be executed on the target system. A remote user can create a specially crafted file that, when processed by the target application using the HPE KeyView SDK, will execute arbitrary code on the target system. The code will run with the privileges of the target application. The specific impact depends on the application using the SDK. --------------------------------------------- http://www.securitytracker.com/id/1036935 *** Sicherheitspatches für VMAX-Storage-Systeme von Dell EMC *** --------------------------------------------- Die Enterprise-Storage-Systeme sind anfällig für Angriffe aus dem eigenen Netzwerk. Angreifer können die Kommunikation des Unisphere-Managers manipulieren und sich so vollen Zugriff zu den Netzwerkspeichern verschaffen. --------------------------------------------- https://heise.de/-3340322 *** Bugtraq: Serimux SSH Console Switch v2.4 - Multiple Cross Site Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/539524 *** Bugtraq: ESA-2016-121: EMC Unisphere for VMAX and Solutions Enabler Virtual Appliances Multiple Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/539526 *** Bugtraq: ESA-2016-063: EMC Replication Manager and Network Module for Microsoft Remote Code Execution Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/539525 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM Notes HarfBuzz is vulnerable to a denial of service information disclosure (CVE-2015-8947) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990410 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities affect IBM Sterling Secure Proxy Configuration Manager *** http://www.ibm.com/support/docview.wss?uid=swg21991278 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Apache POI affect Asset and Service Management *** http://www-01.ibm.com/support/docview.wss?uid=swg21989525 --------------------------------------------- *** IBM Security Bulletin: IBM Tivoli Monitoring (CVE-2016-4472, CVE-2016-0718) *** http://www.ibm.com/support/docview.wss?uid=swg21990634 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Java Runtime affects: WebSphere Dashboard Framework (CVE-2016-3485) *** http://www.ibm.com/support/docview.wss?uid=swg21990404 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ Light (CVE-2016-3426) *** http://www.ibm.com/support/docview.wss?uid=swg21988437 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Synergy (CVE-2016-3426) *** http://www.ibm.com/support/docview.wss?uid=swg21990945 --------------------------------------------- *** IBM Security Bulletin: IBM i Integrated Web Application Server version 8.5 is affected by multiple vulnerabilities. *** http://www-01.ibm.com/support/docview.wss?uid=nas8N1021649 --------------------------------------------- *** IBM Security Bulletin: IBM Security Guardium Database Activity Monitor is affected by SQL Injection vulnerability (CVE-2016-0249) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990363 --------------------------------------------- *** IBM Security Bulletin: IBM Security Guardium is affected by Password in Clear Text vulnerability (CVE-2016-0247) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990368 --------------------------------------------- *** IBM Security Bulletin: FileNet Workplace XT and FileNet Workplace (Application Engine), can be affected by Cross Site Scripting vulnerabilities (CVE-2016-5981) *** http://www.ibm.com/support/docview.wss?uid=swg21990899 --------------------------------------------- *** IBM Security Bulletin: Cross Site Scripting vulnerability in IBM Business Process Manager (CVE-2016-5901) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990852 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling Connect:Direct Browser User Interface (CVE-2016-3426, CVE-2016-3485) *** http://www.ibm.com/support/docview.wss?uid=swg21991387 --------------------------------------------- *** IBM Security Bulletin: HTML injection vulnerability in Business Space might affect IBM Business Process Manager (CVE-2016-3056) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990850 --------------------------------------------- *** IBM Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect IBM Business Process Manager (BPM) Configuration Editor (CVE-2014-9748, CVE-2016-1669) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990841 --------------------------------------------- *** IBM Security Bulletin: Security vulnerabilities in Apache Struts might affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-1181, CVE-2016-1182, CVE-2015-0899) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990834 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling Secure Proxy (CVE-2016-3426, CVE-2016-3485) *** http://www.ibm.com/support/docview.wss?uid=swg21991287 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling External Authentication Server (CVE-2016-3426, CVE-2016-3485) *** http://www.ibm.com/support/docview.wss?uid=swg21991289 --------------------------------------------- *** IBM Security Bulletin: IBM Security Guardium Database Activity Monitor is affected by Execution with Unnecessary Privileges vulnerability (CVE-2016-0328) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990226 --------------------------------------------- *** IBM Security Bulletin: IBM Security Guardium is affected by Application Error vulnerability (CVE-2016-0242) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990229 --------------------------------------------- *** IBM Security Bulletin: IBM Expeditor HarfBuzz is vulnerable to a denial of service information disclosure (CVE-2015-8947) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990412 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 3-10-2016
by Daily end-of-shift report 03 Oct '16

03 Oct '16

======================= = End-of-Shift report = ======================= Timeframe: Freitag 30-09-2016 18:00 − Montag 03-10-2016 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** Security Advisory: NAT64 vulnerability CVE-2016-5745 *** --------------------------------------------- BIG-IP devices using NAT64 are vulnerable to an unauthenticated remote attack that may allow modification of the BIG-IP system configuration. (CVE-2016-5745) --------------------------------------------- https://support.f5.com:443/kb/en-us/solutions/public/k/64/sol64743453.html?… *** imagemagick mogrify global buffer overflow *** --------------------------------------------- Topic: imagemagick mogrify global buffer overflow Risk: High Text:Hi, imagemagick identify suffers of a global buffer overflow issue, which I reported and has been patched... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016100007 *** Ubiquiti UniFi Critical Vulnerability *** --------------------------------------------- Vulnerability Details: You are able to connect to the access points database, because of an broken authentication (OWASP TOP10). So you are able to modify the database and read the data. An possible scenario you'll find in PoC section. Risk: An attacker gets access to the database and for e.g. is able to change the admins password, like you see in PoC below. --------------------------------------------- https://cxsecurity.com/issue/WLB-2016100006 *** Bundeskriminalamt plant Mobilversion des Bundestrojaners *** --------------------------------------------- Das BKA will den Einsatz des Bundestrojaners auf Smartphones und Tablets ausweiten. Das geht aus Haushaltsunterlagen des Bundestages hervor, die Süddeutsche Zeitung, NDR und WDR einsehen konnten. --------------------------------------------- https://heise.de/-3339512 *** Source Code for IoT Botnet 'Mirai' Released *** --------------------------------------------- The source code that powers the "Internet of Things" (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, DVRs and other easily hackable IoT devices. --------------------------------------------- https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-releas… *** cJSON buffer out of bound read *** --------------------------------------------- I would like to report a buffer out of bound read problem in cJSON, which is a embeddable JSON parser, used (I imagine) in embedded devices, or even bigger stuff like the ps4... --------------------------------------------- https://cxsecurity.com/issue/WLB-2016100013 *** Default Credentials Considered Harmful *** --------------------------------------------- The use of default credentials by vendors is an outdated, dangerous throwback to 20th century practices that has no business being used in todays world. It is this specific antique practice that is directly responsible for the existence of the record-breaking denial-of-service botnet recently used to censor Brian Krebs and the similar attack on OVH - these botnets only exist because default credentials were implemented on devices, in flagrant violation of best-practices ... --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/default-credentials-co… *** The Short Life of a Vulnerable DVR Connected to the Internet, (Sun, Oct 2nd) *** --------------------------------------------- Most devices connected to the Internet these days arent maintained and monitored personal computers. Instead, they are devices who are often not understood as computers but as things, giving rise to the term Internet of Things or IoT. Over two years ago, we reported about how exploited DVRs are used to attack other devices across the internet. Back then, like today, the vulnerability was an open telnet server with a trivial default password. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=21543&rss *** Researchers Break MarsJoke Ransomware Encryption *** --------------------------------------------- Victims infected with the MarsJoke ransomware can now decrypt their files; researchers cracked the encryption in the CTB-Locker lookalike last week. --------------------------------------------- http://threatpost.com/researchers-break-marsjoke-ransomware-encryption/1210… *** Security Design: Stop Trying to Fix the User *** --------------------------------------------- Every few years, a researcher replicates a security study by littering USB sticks around an organizations grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security --------------------------------------------- https://www.schneier.com/blog/archives/2016/10/security_design.html *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM i *** http://www.ibm.com/support/docview.wss?uid=nas8N1021643 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Application Developer for WebSphere Software (CVE-2016-3508, CVE-2016-3500, CVE-2016-3458, CVE-2016-3485) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991383 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affects Web Experience Factory (CVE-2016-3485) *** http://www.ibm.com/support/docview.wss?uid=swg21990405 --------------------------------------------- *** IBM Security Bulletin: IBM B2B Advanced Communications is vulnerable to cross-site scripting due to the vulnerability of 10x (CVE-2016-5892) *** http://www-01.ibm.com/support/docview.wss?uid=swg21991148 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM B2B Advanced Communications (CVE-2016-3092) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990424 --------------------------------------------- *** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple libxml2 vulnerabilities *** http://www.ibm.com/support/docview.wss?uid=isg3T1024318 --------------------------------------------- *** IBM Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple openssl vulnerabilities *** http://www.ibm.com/support/docview.wss?uid=isg3T1024319 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Runtime Environments Java Technology Edition, Versions 6, 7, 8 affect Transformation Extender Design Studio (CVE-2016-3426) *** http://www-01.ibm.com/support/docview.wss?uid=swg21990356 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server *** http://www.ibm.com/support/docview.wss?uid=swg21990451 --------------------------------------------- *** IBM Security Bulletin: OpenStack Glance vulnerabilities affect IBM Cloud Manager with OpenStack (CVE-2016-0757) *** http://www.ibm.com/support/docview.wss?uid=isg3T1024348 ---------------------------------------------

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily